OK Ram, but the problem is I only get "switchport capture" on the 6500
switch, not on the 3560 switches.
Here is my scenario:

SW1 --- EtherChannel --- SW2
 |
 |
NIDS
The NIDS only has a connection to one switch, not to the other, and I
want to monitor all VLAN 19 traffic on both switches. Is that possible?
That's why I thought of using the VACL, but I don't have "switchport
capture" on the 3560 switches.
Thanks for all your quick answers so far!
Marcio
On Wed, Jul 29, 2009 at 11:40 AM, Ram Shummoogum <rshummoo_at_ca.ibm.com> wrote:
>
> He meant VACL capture:
>
> The action is forward capture
>
> Look at this example
>
> 1. Define the interesting traffic you want to be captured
> IOS(config)#ip access-list extended Capture_HTTPandUDP
> IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
> IOS(config-ext-nacl)#permit udp any any
> 2. Define a permit ACL that will allow all other traffic to flow in/out of
> the VLAN.
> IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
> IOS(config-ext-nacl)#permit ip any any
> 3. Define the VLAN access map, in this case it is called Capture_MAP.
> IOS(config)#vlan access-map Capture_MAP 10
> IOS(config-access-map)#match ip address Capture_HTTPandUDP
> IOS(config-access-map)#action forward capture
> IOS(config)#vlan access-map Capture_MAP 20
> IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
> IOS(config-access-map)#action forward
> 4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN
> 100.
> IOS(config)#vlan filter Capture_MAP vlan-list 100
> 5. Configure the Capture Port. This is where captured traffic will be sent.
> IOS(config)#int gig2/1
> IOS(config-if)#switchport capture allowed vlan ?
> WORD VLAN IDs of the allowed VLANs
> add add VLANs to the current list
> all all VLANs
> except all VLANs except the following
> remove remove VLANs from the current list
> IOS(config-if)#switchport capture allowed vlan 100
> IOS(config-if)#switchport capture
> !This enables the feature.
>
> *Ryan West <rwest_at_zyedge.com>*
> Sent by: nobody_at_groupstudy.com
> 07/29/2009 10:22 AM
> To: Marcio Costa <marcioacosta_at_gmail.com>, "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Subject: RE: VACL on 3560 switch
>
> I think you're looking for a SPAN port and not a VACL.
>
> monitor session 1 source vlan 19 rx
> monitor session 1 destination interface fastethernet0/2
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Marcio Costa
> Sent: Wednesday, July 29, 2009 10:06 AM
> To: ccielab_at_groupstudy.com
> Subject: VACL on 3560 switch
>
> Hi Experts,
>
> How will the switch (3560) know which interface it should forward the
> captured traffic to (the NIDS or a host with Wireshark) with the VACL config
> below?
>
> interface FastEthernet0/2   ! the interface I want to connect the NIDS to
> switchport
> switchport host
> switchport access vlan 19
> speed 100
> duplex full
> no shutdown
> !
> exit
> !
> ip access-list extended ALLOWED_TRAFFIC
> permit ip any any
> !
> exit
> !
> vlan access-map VLAN19_FILTER 10
> match ip address ALLOWED_TRAFFIC
> action forward
> !
> exit
> !
> vlan filter VLAN19_FILTER vlan-list 19
>
> Is there anything missing?
>
> Thanks in advance,
> Marcio A. Costa
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
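A complete local SPAN configuration for the scenario discussed in this thread (VLAN 19 on a 3560 mirrored to the NIDS on FastEthernet0/2), added here as an example and not taken from any of the posts; the session number, the "both" direction and the interface description are assumed values.

```cisco
! Added example, not from the thread. Assumes SW1 is the 3560 the NIDS is
! plugged into, VLAN 19 is the monitored VLAN and FastEthernet0/2 is the NIDS
! port (all from Marcio's post); session 1, "both" and the description are
! assumed values.
!
! The NIDS port becomes a SPAN destination. A destination port does not switch
! normal traffic, so the access VLAN and "switchport host" from the original
! config do nothing here and are left out.
interface FastEthernet0/2
 description NIDS sensor - SPAN destination for VLAN 19
 speed 100
 duplex full
 no shutdown
!
! Mirror VLAN 19. "rx" (as in Ryan's reply) copies only frames entering SW1 on
! VLAN 19 ports; "both" also copies frames leaving them. With "both", a frame
! switched between two VLAN 19 ports on SW1 is copied twice.
monitor session 1 source vlan 19 both
monitor session 1 destination interface FastEthernet0/2
!
! Check that the session is active and the destination port is up.
show monitor session 1
show interfaces FastEthernet0/2 | include line protocol
```

Because the session is local to SW1, it sees VLAN 19 traffic that reaches SW1, including frames arriving over the EtherChannel from SW2, but not traffic switched entirely within SW2; covering that needs a session on SW2 as well, with RSPAN across the trunk being the usual way to carry it to the sensor.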
Received on Wed Jul 29 2009 - 12:01:46 ART
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART