RSPAN?
-Hammer
On Wed, Jul 29, 2009 at 10:01 AM, Marcio Costa <marcioacosta_at_gmail.com>wrote:
> Ok Ram, but the problem is I only get "switchport capture" on the 6500
> switch, not on the 3560 switches.
>
> Here is my scenario,
>
> SW1 ---Etherchannel --- SW2
> |
> |
> NIDS
>
> The NIDS only has a connection to one switch, not to the other, and I
> want to monitor all VLAN 19 traffic on both switches. Is that possible?
> That's why I thought of using a VACL, but I don't have "switchport
> capture" on the 3560 switches.
>
> Thanks for all your quick answers so far!
>
> Marcio
>
> On Wed, Jul 29, 2009 at 11:40 AM, Ram Shummoogum <rshummoo_at_ca.ibm.com> wrote:
> >
> > He meant VACL capture:
> >
> > The action is forward capture
> >
> > Look at this example
> >
> > 1. Define the interesting traffic you want to be captured
> > IOS(config)#ip access-list extended Capture_HTTPandUDP
> > IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
> > IOS(config-ext-nacl)#permit udp any any
> > 2. Define a permit ACL that will allow all other traffic to flow in/out of the VLAN.
> > IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
> > IOS(config-ext-nacl)#permit ip any any
> > 3. Define the VLAN access map, in this case it is called Capture_MAP.
> > IOS(config)#vlan access-map Capture_MAP 10
> > IOS(config-access-map)#match ip address Capture_HTTPandUDP
> > IOS(config-access-map)#action forward capture
> > IOS(config)#vlan access-map Capture_MAP 20
> > IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
> > IOS(config-access-map)#action forward
> > 4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100.
> > IOS(config)#vlan filter Capture_MAP vlan-list 100
> > 5. Configure the Capture Port. This is where captured traffic will be sent.
> > IOS(config)#int gig2/1
> > IOS(config-if)#switchport capture allowed vlan ?
> > WORD VLAN IDs of the allowed VLANs
> > add add VLANs to the current list
> > all all VLANs
> > except all VLANs except the following
> > remove remove VLANs from the current list
> > IOS(config-if)#switchport capture allowed vlan 100
> > IOS(config-if)#switchport capture
> > !This enables the feature.
> >
> > Ryan West <rwest_at_zyedge.com>
> > Sent by: nobody_at_groupstudy.com
> > 07/29/2009 10:22 AM
> > Please respond to: Ryan West <rwest_at_zyedge.com>
> > To: Marcio Costa <marcioacosta_at_gmail.com>, "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> > Subject: RE: VACL on 3560 switch
> >
> > I think you're looking for a SPAN port and not a VACL.
> >
> > monitor session 1 source vlan 19 rx
> > monitor session 1 destination interface fa0/2
> >
> > -ryan
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Marcio Costa
> > Sent: Wednesday, July 29, 2009 10:06 AM
> > To: ccielab_at_groupstudy.com
> > Subject: VACL on 3560 switch
> >
> > Hi Experts,
> >
> > How will the switch (3560) know which interface it should forward the
> > captured traffic to (the NIDS or a host with Wireshark) with the VACL
> > config below?
> >
> > interface FastEthernet0/2 (the interface I want to connect the NIDS to)
> > switchport
> > switchport host
> > switchport access vlan 19
> > speed 100
> > duplex full
> > no shutdown
> > !
> > exit
> > !
> > ip access-list extended ALLOWED_TRAFFIC
> > permit ip any any
> > !
> > exit
> > !
> > vlan access-map VLAN19_FILTER 10
> > match ip address ALLOWED_TRAFFIC
> > action forward
> > !
> > exit
> > !
> > vlan filter VLAN19_FILTER vlan-list 19
> >
> > Is there anything missing?
> >
> > Thanks in advance,
> > Marcio A. Costa
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
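Hammer's "RSPAN?" is the answer to Marcio's two-switch scenario: the 3560 has no VACL capture port, but it can carry VLAN 19 traffic from the switch without the NIDS over the existing EtherChannel to the NIDS port on the other switch. The configuration below is an added illustration, not code from the thread; it assumes VLAN 900 is free on both switches, that the EtherChannel is Port-channel1 and already an 802.1Q trunk, and that the NIDS sits on SW1 FastEthernet0/2 as in Marcio's original post.

```cisco
! ===== SW2: the 3560 with no NIDS attached (RSPAN source) =====
! Assumed: VLAN 900 is unused and reserved for RSPAN on both switches.
vlan 900
 name RSPAN-VLAN19
 remote-span
!
! Copy frames received on VLAN 19 into the RSPAN VLAN.
monitor session 1 source vlan 19 rx
monitor session 1 destination remote vlan 900
!
! The trunk toward SW1 must carry the RSPAN VLAN. Only needed if the
! trunk has a restricted allowed-VLAN list (assumed Port-channel1).
interface Port-channel1
 switchport trunk allowed vlan add 900
!
! ===== SW1: the 3560 with the NIDS on Fa0/2 (RSPAN destination) =====
vlan 900
 name RSPAN-VLAN19
 remote-span
!
! Deliver everything arriving in the RSPAN VLAN to the NIDS port.
! Once Fa0/2 is a SPAN destination it no longer forwards normal VLAN 19
! traffic, so the "switchport access vlan 19" from the original post
! is not needed on this port.
monitor session 1 source remote vlan 900
monitor session 1 destination interface FastEthernet0/2
!
! Verify on each switch: show monitor session 1
```

This carries SW2's VLAN 19 traffic to the NIDS; SW1's own VLAN 19 traffic still needs a source session of its own, and because a 3560 destination port can belong to only one SPAN session, the usual approach is a second session on SW1 that also mirrors vlan 19 rx into remote vlan 900 (confirm on your IOS release that an RSPAN source and destination session for the same RSPAN VLAN may coexist on one switch). Prune VLAN 900 from every trunk that does not lead to SW1, since the mirrored traffic is flooded on any trunk that carries that VLAN.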
Received on Wed Jul 29 2009 - 10:14:22 ART
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART