Monitoring external traffic - Pseudo Device


#1

The question came up recently of whether it would be possible to break out traffic that is leaving the premises separately from all other sources of traffic.

I believe that using Pseudo devices there is a way to do that.

What we did was to create a single Pseudo device that contains all non-local/private IP addresses. (An example of how to find these can be found here: http://serverfault.com/questions/304781/cidr-ranges-for-everything-except-rfc1918)

We assigned all of those CIDR blocks the same MAC address. Once we hit save and traffic started to be assigned to that MAC address, we just renamed it 'The Internet' for our purposes, and what we were left with was a good representation of all traffic leaving and returning to the local premises.

Here is an example of the Pseudo Device portion of the running config if you want to give it a try.

    "pseudo_device": {
        "16.0.0.0/4": "02:AA:00:5B:8D:D4",
        "11.0.0.0/8": "02:AA:00:5B:8D:D4",
        "192.169.0.0/16": "02:AA:00:5B:8D:D4",
        "192.128.0.0/11": "02:AA:00:5B:8D:D4",
        "172.0.0.0/12": "02:AA:00:5B:8D:D4",
        "64.0.0.0/2": "02:AA:00:5B:8D:D4",
        "173.0.0.0/8": "02:AA:00:5B:8D:D4",
        "192.170.0.0/15": "02:AA:00:5B:8D:D4",
        "0.0.0.0/5": "02:AA:00:5B:8D:D4",
        "208.0.0.0/4": "02:AA:00:5B:8D:D4",
        "200.0.0.0/5": "02:AA:00:5B:8D:D4",
        "160.0.0.0/5": "02:AA:00:5B:8D:D4",
        "192.0.0.0/9": "02:AA:00:5B:8D:D4",
        "128.0.0.0/3": "02:AA:00:5B:8D:D4",
        "172.32.0.0/11": "02:AA:00:5B:8D:D4",
        "172.128.0.0/9": "02:AA:00:5B:8D:D4",
        "194.0.0.0/7": "02:AA:00:5B:8D:D4",
        "12.0.0.0/6": "02:AA:00:5B:8D:D4",
        "174.0.0.0/7": "02:AA:00:5B:8D:D4",
        "168.0.0.0/6": "02:AA:00:5B:8D:D4",
        "172.64.0.0/10": "02:AA:00:5B:8D:D4",
        "192.160.0.0/13": "02:AA:00:5B:8D:D4",
        "8.0.0.0/7": "02:AA:00:5B:8D:D4",
        "192.176.0.0/12": "02:AA:00:5B:8D:D4",
        "32.0.0.0/3": "02:AA:00:5B:8D:D4",
        "196.0.0.0/6": "02:AA:00:5B:8D:D4",
        "193.0.0.0/8": "02:AA:00:5B:8D:D4",
        "176.0.0.0/4": "02:AA:00:5B:8D:D4",
        "192.192.0.0/10": "02:AA:00:5B:8D:D4",
        "192.172.0.0/14": "02:AA:00:5B:8D:D4"
    }
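
The post above hand-assembles the list of CIDR blocks that cover everything except RFC 1918 space and points them all at one MAC. The script below is an added example (not part of the post or of the product's own tooling) that derives that same list programmatically with Python's standard `ipaddress` module, emits it in the `"pseudo_device"` shape shown above, and sanity-checks the result: no block may overlap a private range, and no two blocks may overlap each other. It also carves out 224.0.0.0/3 (multicast and reserved), which is why the posted config stops at 208.0.0.0/4. The `lookup` function is an assumption about how the appliance resolves an address to a pseudo device (longest-match is irrelevant here because the blocks are disjoint); it is included only so you can check which addresses would land on 'The Internet' before committing the config.

```python
import ipaddress
import json

# Ranges that must NOT be folded into the "Internet" pseudo device.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Multicast and reserved space, left out as the posted config does.
NON_UNICAST = [ipaddress.ip_network("224.0.0.0/3")]

# Same MAC as the post: 02:... has the locally-administered bit set, so it
# cannot collide with a vendor-assigned NIC address on the wire.
PSEUDO_MAC = "02:AA:00:5B:8D:D4"


def carve(space, holes):
    """Return the CIDR blocks left when every network in `holes` is removed from `space`.

    CIDR blocks either nest or are disjoint, so each block is kept whole,
    dropped whole, or split around the hole with address_exclude().
    """
    remaining = list(space)
    for hole in holes:
        nxt = []
        for net in remaining:
            if net.subnet_of(hole):
                continue                      # hole swallows the whole block
            if hole.subnet_of(net):
                nxt.extend(net.address_exclude(hole))  # split around the hole
            else:
                nxt.append(net)               # disjoint, keep as is
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def pseudo_device_config(mac=PSEUDO_MAC):
    """Build the {"pseudo_device": {cidr: mac}} fragment for 'everything but RFC 1918'."""
    blocks = carve([ipaddress.ip_network("0.0.0.0/0")], RFC1918 + NON_UNICAST)
    return {"pseudo_device": {str(b): mac for b in blocks}}


def check_config(config):
    """Sanity checks: no block touches RFC 1918 space, and no two blocks overlap."""
    nets = [ipaddress.ip_network(c) for c in config["pseudo_device"]]
    for n in nets:
        if any(n.overlaps(p) for p in RFC1918):
            return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return True


def lookup(ip, config):
    """Assumed resolution: return the pseudo-device MAC an address maps to, or None.

    None means the address stays attributed to whatever real device the
    appliance already tracks for it (e.g. an internal host).
    """
    addr = ipaddress.ip_address(ip)
    for cidr, mac in config["pseudo_device"].items():
        if addr in ipaddress.ip_network(cidr):
            return mac
    return None


if __name__ == "__main__":
    cfg = pseudo_device_config()
    print(json.dumps(cfg, indent=2))
    print(len(cfg["pseudo_device"]), "blocks, valid:", check_config(cfg))
    # Constructed sample addresses: a public resolver, an RFC 1918 host, and a
    # non-private 172.x address that must NOT be mistaken for private space.
    for ip in ("8.8.8.8", "10.1.2.3", "172.32.0.1"):
        print(ip, "->", lookup(ip, cfg))
```

Running it reproduces the 30 blocks in the posted config exactly. The 172.32.0.0/11 case is worth checking by hand: only 172.16.0.0/12 is private, so 172.32.x.x is public and correctly lands on 'The Internet'. If your site also uses 100.64.0.0/10 (carrier-grade NAT) or 169.254.0.0/16 (link-local) internally, add those networks to the hole list, or they will be counted as external traffic.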


#2

My SE and I did that to see all the traffic going between my infrastructure and a particular URL. We created a custom device (in Settings) on the node where the majority of the traffic was being sent from, and all the traffic regarding that IP is logged as a device in ehop.