He meant VACL capture:
The action is forward capture
Look at this example:
1. Define the interesting traffic you want to be captured
IOS(config)#ip access-list extended Capture_HTTPandUDP
IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
IOS(config-ext-nacl)#permit udp any any
2. Define a permit ACL that will allow all other traffic to flow in/out of the VLAN.
IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
IOS(config-ext-nacl)#permit ip any any
3. Define the VLAN access map, in this case it is called Capture_MAP.
IOS(config)#vlan access-map Capture_MAP 10
IOS(config-access-map)#match ip address Capture_HTTPandUDP
IOS(config-access-map)#action forward capture
IOS(config)#vlan access-map Capture_MAP 20
IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
IOS(config-access-map)#action forward
4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100.
IOS(config)#vlan filter Capture_MAP vlan-list 100
5. Configure the capture port. This is where captured traffic will be sent.
IOS(config)#int gig2/1
IOS(config-if)#switchport capture allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  remove  remove VLANs from the current list
IOS(config-if)#switchport capture allowed vlan 100
IOS(config-if)#switchport capture
!This enables the feature.
Ryan West <rwest_at_zyedge.com>
Sent by: nobody_at_groupstudy.com
07/29/2009 10:22 AM
Please respond to
Ryan West <rwest_at_zyedge.com>
To: Marcio Costa <marcioacosta_at_gmail.com>, "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
cc:
Subject: RE: VACL on 3560 switch
I think you're looking for a SPAN port and not a VACL.
monitor session 1 source vlan 19 rx
monitor session 1 destination interface f0/2
-ryan
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Marcio Costa
Sent: Wednesday, July 29, 2009 10:06 AM
To: ccielab_at_groupstudy.com
Subject: VACL on 3560 switch
Hi Experts,
How will the switch (3560) know which interface it should forward the captured traffic to (the NIDS or a host with Wireshark) with the VACL config below?
! FastEthernet0/2 is the interface I want to connect the NIDS to
interface FastEthernet0/2
switchport
switchport host
switchport access vlan 19
speed 100
duplex full
no shutdown
!
exit
!
ip access-list extended ALLOWED_TRAFFIC
permit ip any any
!
exit
!
vlan access-map VLAN19_FILTER 10
match ip address ALLOWED_TRAFFIC
action forward
!
exit
!
vlan filter VLAN19_FILTER vlan-list 19
Is there anything missing?
Thanks in advance,
Marcio A. Costa
Blogs and organic groups at http://www.ccie.net
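An added check for the five-step VACL capture procedure in the top reply (example code written for this archive page; it is not from the list post, from Cisco, or from any switch). It parses an IOS-style configuration fragment in the syntax shown in the thread and reports whether the capture chain is complete: a filtered VLAN, an access-map entry with action forward capture, a defined ACL behind it, and an interface with switchport capture that allows that VLAN. Both configurations inside the script are constructed samples: the first mirrors the reply's steps, the second mirrors the forward-only map in the original question. The script assumes that a capture port with no switchport capture allowed vlan line accepts all VLANs, and it does not model the except/remove forms of that command.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the reply's five steps written as a running-config fragment.
GOOD_CONFIG = """
ip access-list extended Capture_HTTPandUDP
 permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
 permit udp any any
ip access-list extended Allow_ALL_TRAFFIC
 permit ip any any
vlan access-map Capture_MAP 10
 match ip address Capture_HTTPandUDP
 action forward capture
vlan access-map Capture_MAP 20
 match ip address Allow_ALL_TRAFFIC
 action forward
vlan filter Capture_MAP vlan-list 100
interface GigabitEthernet2/1
 switchport capture allowed vlan 100
 switchport capture
"""

# Constructed sample in the shape of the original question: a forward-only map
# applied to VLAN 19 and a plain access port, with no capture action anywhere.
NO_CAPTURE_CONFIG = """
interface FastEthernet0/2
 switchport
 switchport host
 switchport access vlan 19
ip access-list extended ALLOWED_TRAFFIC
 permit ip any any
vlan access-map VLAN19_FILTER 10
 match ip address ALLOWED_TRAFFIC
 action forward
vlan filter VLAN19_FILTER vlan-list 19
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand a vlan-list such as '100,200-202' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text: str) -> dict:
    """Collect ACL names, access-map entries, vlan filters and interfaces."""
    acls: Set[str] = set()
    maps: Dict[str, List[dict]] = {}
    filters: Dict[str, Set[int]] = {}
    ifaces: Dict[str, dict] = {}
    block = None  # the config block the current indented line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)$", line):
            acls.add(m.group(1)); block = ("acl", m.group(1)); continue
        if m := re.match(r"vlan access-map (\S+) (\d+)$", line):
            entry = {"seq": int(m.group(2)), "match": None, "action": "forward"}
            maps.setdefault(m.group(1), []).append(entry)
            block = ("map", entry); continue
        if m := re.match(r"vlan filter (\S+) vlan-list (\S+)$", line):
            filters.setdefault(m.group(1), set()).update(expand_vlan_list(m.group(2)))
            block = None; continue
        if m := re.match(r"interface (\S+)$", line):
            # allowed=None means no 'allowed vlan' line seen; treated as all VLANs (assumption)
            ifaces[m.group(1)] = {"capture": False, "allowed": None}
            block = ("iface", m.group(1)); continue
        if block is None:
            continue
        kind, key = block
        if kind == "map":
            if m := re.match(r"match ip address (\S+)$", line):
                key["match"] = m.group(1)
            if m := re.match(r"action (.+)$", line):
                key["action"] = m.group(1)
        elif kind == "iface":
            iface = ifaces[key]
            if line == "switchport capture":
                iface["capture"] = True
            if m := re.match(r"switchport capture allowed vlan (.+)$", line):
                spec = m.group(1)
                if spec == "all":
                    iface["allowed"] = "all"
                elif spec.startswith("add "):
                    cur = iface["allowed"] if isinstance(iface["allowed"], set) else set()
                    iface["allowed"] = cur | expand_vlan_list(spec[4:])
                else:
                    iface["allowed"] = expand_vlan_list(spec)
    return {"acls": acls, "maps": maps, "filters": filters, "ifaces": ifaces}


def audit_vacl_capture(text: str) -> List[str]:
    """Return one finding per gap in the capture chain; an empty list means complete."""
    cfg = parse_config(text)
    findings: List[str] = []
    capture_ports = {n: i for n, i in cfg["ifaces"].items() if i["capture"]}
    for map_name, vlans in sorted(cfg["filters"].items()):
        entries = cfg["maps"].get(map_name)
        if entries is None:
            findings.append(f"vlan filter references undefined access-map {map_name}")
            continue
        capturing = [e for e in entries if e["action"] == "forward capture"]
        if not capturing:
            findings.append(f"{map_name} on VLAN(s) {sorted(vlans)} has no 'action forward capture' "
                            "entry, so no traffic is copied anywhere")
            continue
        for e in capturing:
            if e["match"] not in cfg["acls"]:
                findings.append(f"{map_name} seq {e['seq']} captures with undefined ACL {e['match']!r}")
        if not capture_ports:
            findings.append(f"{map_name} captures traffic but no interface has 'switchport capture'")
            continue
        for vlan in sorted(vlans):
            if not any(p["allowed"] in (None, "all") or vlan in p["allowed"] for p in capture_ports.values()):
                findings.append(f"VLAN {vlan} is not allowed on any capture port ({', '.join(sorted(capture_ports))})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("reply config", GOOD_CONFIG), ("question config", NO_CAPTURE_CONFIG)):
        print(name, "->", audit_vacl_capture(cfg) or "capture chain complete")
```

Run against the second sample the script reports exactly the gap raised in the thread: with only action forward the map permits traffic but copies nothing, so there is no interface for the switch to send a copy to. Changing the allowed VLAN on the capture port to one the filter is not applied to produces a separate finding, which is the check to make when a sensor attached to a capture port sees nothing.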
Received on Wed Jul 29 2009 - 10:40:51 ART
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART