Router IP Traffic Export (RITE)

Lesson Contents

Router IP Traffic Export (RITE) which is also known as IP Traffic Export is useful to export IP packets to an interface or VLAN of choice. This is very useful when you have an IDS (Intrusion Detection System) and want to inspect your traffic.

RITE is similar to SPAN on the Cisco Catalyst Switches. In this lesson, I will explain how to configure RITE so you can export your IP packets.

This is the topology I will use:

Cisco RITE Configuration example lab

At the bottom we have a router that will simulate a client device that is accessing the Internet. On the right side you see a router called “IDS” which simulates our Intrusion Detection System. Whenever the client accesses the Internet, the router in the middle called “RITE” will export the IP packets towards the IDS. Let’s start with the configuration.

Configuration

When you configure Router IP Traffic Export you have to specify a name:

RITE(config)#ip traffic-export profile MY_RITE
RITE(conf-rite)#

This takes you to the main RITE configuration. There are a couple of options here:

RITE(conf-rite)#?
IP traffic export profile configuration commands
  bidirectional  Enable bidirectional traffic export
  exit           Exit from ip traffic export profile sub mode
  incoming       Configure incoming IP traffic export
  interface      Specify outgoing interface for exporting traffic
  mac-address    Specify ethernet address of destination host
  no             Negate or set default values of a command
  outgoing       Configure outgoing IP traffic export

First, I will specify the interface where we want to export the IP packets to. This will be FastEthernet 0/1 which is connected to the IDS:

RITE(conf-rite)#interface fastEthernet 0/1

If there are multiple devices behind the outgoing interface, then you should configure a destination MAC address. We’ll have to check the MAC address of the IDS first:

IDS#show interfaces fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up 
  Hardware is Gt96k FE, address is c204.3bcc.0000

And we’ll configure it in the RITE configuration:

RITE(conf-rite)#mac-address c204.3bcc.0000

You can choose if you want to export inbound, outbound or both directions…I’ll pick both:

RITE(conf-rite)#bidirectional

Instead of copying all IP packets, we can also configure sampling. This means you will only export 1 out of X packets. Here’s an example:

RITE(conf-rite)#incoming sample one-in-every 5
RITE(conf-rite)#outgoing sample one-in-every 5

Only 1 out of 5 IP packets will now be exported. The configuration is ready, but we still have the RITE profile on the interface where we want to capture traffic:

RITE(config)#interface FastEthernet 1/0
RITE(config-if)#ip traffic-export apply MY_RITE

This will capture traffic from the interface that is connected to the client. On your console, you’ll see something like this:

RITE#
%RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet1/0

That’s all there is to it. The only thing left to do is verify if it’s working…

Verification

To test RITE, I’ll enable a debug on the IDS router so we can see all incoming packets:

IDS#debug ip packet 
IP packet debugging is on

Now, we’ll generate some packets from the client, and if everything is configured correctly, some of these packets will be forwarded to the IDS router:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 799 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

565 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,


Forum Replies

  1. Hi Rene,

    I think the interfaces on your diagram are wrong on the Router RITE cause you mentioned f0/1 but there is none.

    Thanks

  2. Hello Rene, thanks for the explanation. The question I have is: should returned traffic be inspected or forwarded to the IDS, instead of the client’s traffic? We assume internal traffic is trusted, right?

  3. Hi Jose,

    If you want to use RITE to forward traffic to an IDS/IPS then yes, it’s probably the traffic from outside to inside that you want to forward and inspect.

    We don’t always trust internal traffic 100% btw. For example, a few weeks ago I used an ASA with firepower that is used to inspect all outgoing traffic. It can be used to drop certain traffic that the hosts are not allowed to use.

    Rene

  4. Hello Rene,

    Nice. Is there any option to Monitor Traffic Remotely like RSPAN on Router port ??

    br//
    zaman

3 more replies! Ask a question or join the discussion by visiting our Community Forum