I use what Ryan mentioned sometimes, and it works (of course I see the
traffic which is permitted through the VACL).
I did not see traffic generated by the router itself, though; the sniffer
showed me traffic from the PCs connected to the switch only.
On Wed, Jul 29, 2009 at 11:14 AM, Hammer <bhmccie_at_gmail.com> wrote:
> RSPAN?
>
> -Hammer
>
>
> On Wed, Jul 29, 2009 at 10:01 AM, Marcio Costa <marcioacosta_at_gmail.com> wrote:
>
> > Ok Ram, but the problem is I only get the "switchport capture" on the 6500
> > switch, not on the 3560 switches.
> >
> > Here is my scenario,
> >
> > SW1 ---Etherchannel --- SW2
> > |
> > |
> > NIDS
> >
> > The NIDS only has a connection to one switch, not to the other switch, and I
> > want to monitor all VLAN 19 traffic on both switches. Is that possible??
> > That's why I thought of using the VACL, but I don't have the "switchport
> > capture" command on the 3560 switches.
> >
> > Thanks for all your quick answers so far!!
> >
> > Marcio
> >
> > On Wed, Jul 29, 2009 at 11:40 AM, Ram Shummoogum <rshummoo_at_ca.ibm.com> wrote:
> >
> > >
> > >
> > > He meant VACL capture:
> > >
> > > The action is forward capture
> > >
> > > Look at this example
> > >
> > > 1. Define the interesting traffic you want to be captured
> > > IOS(config)#ip access-list extended Capture_HTTPandUDP
> > > IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
> > > IOS(config-ext-nacl)#permit udp any any
> > > 2. Define a permit ACL that will allow all other traffic to flow in/out of
> > > the VLAN.
> > > IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
> > > IOS(config-ext-nacl)#permit ip any any
> > > 3. Define the VLAN access map, in this case it is called Capture_MAP.
> > > IOS(config)#vlan access-map Capture_MAP 10
> > > IOS(config-access-map)#match ip address Capture_HTTPandUDP
> > > IOS(config-access-map)#action forward capture
> > > IOS(config)#vlan access-map Capture_MAP 20
> > > IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
> > > IOS(config-access-map)#action forward
> > > 4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100.
> > > IOS(config)#vlan filter Capture_MAP vlan-list 100
> > > 5. Configure the Capture Port. This is where captured traffic will be sent.
> > > IOS(config)#int gig2/1
> > > IOS(config-if)#switchport capture allowed vlan ?
> > > WORD VLAN IDs of the allowed VLANs
> > > add add VLANs to the current list
> > > all all VLANs
> > > except all VLANs except the following
> > > remove remove VLANs from the current list
> > > IOS(config-if)#switchport capture allowed vlan 100
> > > IOS(config-if)#switchport capture
> > > !This enables the feature.
> > >
> > > *Ryan West <rwest_at_zyedge.com>*
> > > Sent by: nobody_at_groupstudy.com
> > > 07/29/2009 10:22 AM
> > > Please respond to Ryan West <rwest_at_zyedge.com>
> > > To: Marcio Costa <marcioacosta_at_gmail.com>, "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> > > Subject: RE: VACL on 3560 switch
> > >
> > > I think you're looking for a SPAN port and not a VACL.
> > >
> > > monitor session 1 source vlan 19 rx
> > > monitor session 1 destination interface fa0/2
> > >
> > > -ryan
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Marcio Costa
> > > Sent: Wednesday, July 29, 2009 10:06 AM
> > > To: ccielab_at_groupstudy.com
> > > Subject: VACL on 3560 switch
> > >
> > > Hi Experts,
> > >
> > > How will the switch (3560) know which interface it should forward the
> > > captured traffic to (the NIDS or a host w/ Wireshark) with this VACL config
> > > below?
> > >
> > > interface FastEthernet0/2
> > >  ! the interface I want to connect the NIDS to
> > >  switchport
> > >  switchport host
> > >  switchport access vlan 19
> > >  speed 100
> > >  duplex full
> > >  no shutdown
> > > !
> > > ip access-list extended ALLOWED_TRAFFIC
> > >  permit ip any any
> > > !
> > > vlan access-map VLAN19_FILTER 10
> > >  match ip address ALLOWED_TRAFFIC
> > >  action forward
> > > !
> > > vlan filter VLAN19_FILTER vlan-list 19
> > >
> > > Is there anything missing??
> > >
> > > Thanks in advance,
> > > Marcio A. Costa
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
>
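Added example, not posted by anyone in this thread: the RSPAN configuration that Hammer's one-word reply points to, worked out for Marcio's scenario (two switches joined by an EtherChannel, NIDS on one of them, VLAN 19 to be monitored on both). The VACL "forward capture" action depends on the `switchport capture` port type, which Marcio notes is available on the 6500 but not on the 3560; on the 3560 the VACL can filter but cannot deliver frames to a sensor, so the monitoring job falls to SPAN/RSPAN. Everything below is assumed for the example: SW1 and SW2 are Catalyst 3560s, the EtherChannel is Port-channel1 carrying VLAN 19 as a dot1q trunk, the NIDS sits on SW1 FastEthernet0/2, and VLAN 999 is unused and can serve as the RSPAN VLAN.

```ios
! ---------- SW2 (RSPAN source; no NIDS attached) ----------
! Assumed example config, not from the original thread.
vlan 999
 name RSPAN_VLAN19
 remote-span
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! only needed if the trunk restricts its allowed VLAN list
 switchport trunk allowed vlan add 999
!
! Mirror everything switched in VLAN 19 on SW2 into the RSPAN VLAN,
! which is flooded across the EtherChannel to SW1.
monitor session 1 source vlan 19
monitor session 1 destination remote vlan 999

! ---------- SW1 (RSPAN destination; NIDS on Fa0/2) ----------
vlan 999
 name RSPAN_VLAN19
 remote-span
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 999
!
interface FastEthernet0/2
 description NIDS sensor - SPAN destination, does no normal switching
 speed 100
 duplex full
 no shutdown
!
! Hand the RSPAN VLAN to the sensor port.
monitor session 1 source remote vlan 999
monitor session 1 destination interface FastEthernet0/2
!
! If the sensor must also send frames into VLAN 19 (e.g. TCP resets),
! use this form of the destination command instead:
! monitor session 1 destination interface FastEthernet0/2 ingress vlan 19
!
! Verification
! show monitor session all
! show vlan remote-span
```

Points to check before trusting what the sensor sees: the RSPAN VLAN must be created with `remote-span` on every switch it crosses and must be allowed on the EtherChannel, otherwise the mirrored frames are silently dropped at the trunk. Once Fa0/2 is a SPAN destination its `switchport access vlan 19` setting no longer matters; the port carries only mirrored traffic unless the `ingress` option is used. With SW2 as the only RSPAN source, VLAN 19 frames that never leave SW1 (two hosts both on SW1, or SW1's own VLAN 19 interface) are not mirrored; adding SW1 as a second source covers them, but the sensor will then see every SW1-to-SW2 conversation twice and must deduplicate. `show monitor session all` on both switches confirms the source VLAN, the RSPAN VLAN and the destination port actually bound.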
Received on Wed Jul 29 2009 - 18:21:05 ART
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART