1700 series router logging question

[pirateclem]

Is there a way to log traffic on a 1700 series router?? I have a connection which is being periodically flooded (from external source) and am interested in the IP that the traffic is either coming from outside of my network or being requested from inside my network. Any advice appreciated.

 

[rtfmdude]

well, you could create an access-list that allows everything & includes the 'log' keyword, then disable console logging and log to a syslog server. That seems entirely scummy though, and I can only imagine what your cpu utilization would be after that(by running all the packets through the access-list, it drops all packets into process-switching instead of fast or cef switching).

I guess you could also use netflow switching to log and perform later analysis, but I don't know anything about netflow and how to analyze it - it looks like it's supported on later IOS:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm

 

[pirateclem]

After additional research it seems I am especially interested in external smtp traffic hitting this connection currently. Any other ideas?

 

[rtfmdude]

oh, well that should be easy, but still might impact performance.

something like:

conf t
no logging console
!(disable console logging, saves cpu)
logging trap debug
!(set the logging level)
logging x.x.x.x
!(ip address of syslog server)
!(alternatively, you could do 'logging buffered' and 'logging buffered 100000' - do a 'show logg' to see the !contents if you don't expect THAT many entries
!
access-list 100 permit tcp any any eq smtp log-input
access-list 100 permit ip any any
interface serial0/0
!(or whatever your outside interface is)
ip access-group 100 in
!

I haven't actually done this before, but I think this should work