
How to log what's hitting a default route

Status
Not open for further replies.

CPaul123

IS-IT--Management
Apr 18, 2002
Is there any way to log what is using the default route as opposed to the static routes in a 7200 series router?

thanks
 
What are you trying to accomplish? I don't know of a way myself.
 
I want to remove the default route but don't want to impact production...
 
It depends on where the router is in the network...is this an edge router? If it goes to the internet, then everything that uses the internet uses it. If not, it still needs the default route to get beyond anyway, because nodes going to, say Google, would get stopped at that router, unless it had a static route to Google. That's one of millions of addresses that it won't know about without a default route.

Burt
 
this is in an internal network...not an edge device...
 
There are a few ways I can think of. Here are some ideas.

1. Turn on netflow switching, wait a while, and then type "show ip cache flow". Look for destination IP addresses that are not in your routing table.

2. Turn on IP accounting, wait a while, look in "show ip accounting" for destinations not in your routing table.

3. Turn off logging to the console and then turn on ip packet debugging (debug ip packet). This can be VERY hard on your router and could cause it to lock up. Use at your own discretion. However, if you don't have a huge amount of traffic, it will show you the routing decisions being made on a per-packet basis. You can lessen the load on your router by creating an access list that discards information about your internal network and then apply that access list to the debug command. Do a google search for "debug ip packet" for details. It's pretty simple. If you filter on information about your internal networks, all that will show up are packets being routed to external destinations.

4. Consider the applications and devices in use at this site. Do any of them access the Internet directly? Does that router have a complete view of your internal network, or is there a chance that it is missing some routes? If you're using a dynamic routing protocol, it should know about your network. If you're using static routes, verify that it has all the routes it needs.

5. Here's one that may or may not work. I've never tried it. Create a loopback interface then change your default route to point toward your loopback interface. I suspect that if your traffic counters increase on that interface then that means that the default route is being used. You may even be able to turn on ip accounting or netflow on the loopback address to get more information. I've never tried this so I can't verify that it will work. It would be an interesting experiment, though.
 
Oh, I forgot one other idea. Create an access list that looks something like this:

access-list 100 permit ip any <internal network 1>
access-list 100 permit ip any <internal network 2>

and so on...

at the end of the list, do this:

access-list 100 permit ip any any log

Then just look at your logs later. If you have all of your internal networks added to the list specifically, those packets shouldn't generate log entries. You should see traffic to other networks in your log.
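The NetFlow and IP accounting suggestions above both end with comparing logged destinations against the routing table by hand. The following is an added example, not part of the original thread, that automates that comparison: it assumes the router's specific prefixes have been copied out in CIDR form, and both the prefix list and the accounting rows are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: prefixes the router holds specific routes for
# (assumed to be copied out of the routing table, default route excluded).
KNOWN_PREFIXES = ["10.1.0.0/16", "10.2.4.0/24", "192.168.50.0/24"]

# Constructed sample rows: source, destination, packets, bytes.
ACCOUNTING_SAMPLE = """\
   Source           Destination              Packets               Bytes
 10.1.3.20        10.2.4.9                       120                9600
 10.1.3.20        172.16.9.5                      14                1120
 10.1.7.8         172.16.9.5                       6                 480
 10.2.4.9         10.1.3.20                      118               70800
 10.1.7.8         203.0.113.10                     3                 180
"""

def parse_accounting(text):
    """Yield (src, dst, packets, bytes) for each well-formed data row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]),
                   ipaddress.ip_address(parts[1]),
                   int(parts[2]), int(parts[3]))
        except ValueError:
            continue  # column header or malformed row

def default_route_users(text, prefixes):
    """Summarise flows whose destination matches no specific prefix,
    i.e. traffic that would have been forwarded via the default route."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for src, dst, pkts, octets in parse_accounting(text):
        if any(dst in net for net in nets):
            continue  # covered by a static or dynamic route
        entry = hits[str(dst)]
        entry["packets"] += pkts
        entry["bytes"] += octets
        entry["sources"].add(str(src))
    return dict(hits)

if __name__ == "__main__":
    report = default_route_users(ACCOUNTING_SAMPLE, KNOWN_PREFIXES)
    for dst, info in sorted(report.items()):
        print(dst, info["packets"], info["bytes"], sorted(info["sources"]))
```

The source addresses in the report identify which internal hosts would lose connectivity if the default route were removed.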
 