Re: VACL on 3560 switch

From: Marcio Costa <marcioacosta_at_gmail.com>
Date: Thu, 30 Jul 2009 00:22:27 -0300

Thanks for the replies..

Here is my scenario,

SW1 ---Etherchannel --- SW2
 |
 |
NIDS

PS: There is traffic on vlan 19 on both switches.

So the configuration should be the one below?

SW2

vlan 190
 remote-span
!
monitor session 10 source vlan 19
monitor session 10 destination remote vlan 190

SW1

vlan 190
 remote-span
!
monitor session 10 source remote vlan 190 -> monitor captured traffic on vlan 19 of the remote switch
monitor session 10 source vlan 19 -> monitor also the traffic on vlan 19 of this switch
monitor session 10 destination interface F0/2 -> where the NIDS is connected

Thanks all,
Marcio A. Costa
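An added Python check, not from this thread or from Cisco, that audits the two running-config fragments proposed above: it confirms the RSPAN VLAN is declared remote-span on both switches (the classic omission that silently drops the mirrored traffic) and that the exporter session (SW2) and collector session (SW1) line up. The config text is constructed to match the plan above; the interface name FastEthernet0/2 and the exporter/collector labels are assumptions.

```python
import re
# Constructed sample running-config fragments following the thread's plan:
# SW2 exports VLAN 19 over RSPAN VLAN 190; SW1 adds its own VLAN 19 and feeds the NIDS port.
SW2_CONFIG = """\
vlan 190
 remote-span
!
monitor session 10 source vlan 19
monitor session 10 destination remote vlan 190
"""
SW1_CONFIG = """\
vlan 190
 remote-span
!
monitor session 10 source remote vlan 190
monitor session 10 source vlan 19
monitor session 10 destination interface FastEthernet0/2
"""

def remote_span_vlans(cfg):
    """VLAN IDs whose 'vlan N' block carries 'remote-span' (required on BOTH switches)."""
    return {int(v) for v in re.findall(r"^vlan (\d+)\n remote-span\s*$", cfg, re.M)}

def monitor_sessions(cfg):
    """session id -> {'sources': [...], 'destination': ...}; a trailing rx/tx/both is dropped."""
    sessions = {}
    pat = r"^monitor session (\d+) (source|destination) (.+?)(?: (?:rx|tx|both))?\s*$"
    for sid, kind, target in re.findall(pat, cfg, re.M):
        s = sessions.setdefault(int(sid), {"sources": [], "destination": None})
        if kind == "source":
            s["sources"].append(target)
        else:
            s["destination"] = target
    return sessions

def audit_rspan(exporter_cfg, collector_cfg, monitored_vlan, rspan_vlan):
    """Findings for the exporter -> RSPAN VLAN -> collector path; empty means consistent."""
    findings = []
    for name, cfg in (("exporter", exporter_cfg), ("collector", collector_cfg)):
        if rspan_vlan not in remote_span_vlans(cfg):
            findings.append(f"{name}: vlan {rspan_vlan} is not declared remote-span")
    exp, col = monitor_sessions(exporter_cfg), monitor_sessions(collector_cfg)
    if not any(f"vlan {monitored_vlan}" in s["sources"]
               and s["destination"] == f"remote vlan {rspan_vlan}" for s in exp.values()):
        findings.append(f"exporter: vlan {monitored_vlan} is not mirrored to remote vlan {rspan_vlan}")
    if not any(f"remote vlan {rspan_vlan}" in s["sources"]
               and (s["destination"] or "").startswith("interface ") for s in col.values()):
        findings.append(f"collector: remote vlan {rspan_vlan} does not reach a destination interface")
    return findings
```

Run it against `show running-config | include ^vlan|remote-span|monitor session` output from each switch; any unplanned monitor session that shows up in `monitor_sessions()` deserves a look, since a mirror port nobody configured is how traffic quietly leaves a segment.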

On Wed, Jul 29, 2009 at 12:14 PM, Hammer <bhmccie_at_gmail.com> wrote:

> RSPAN?
>
> -Hammer
>
>
> On Wed, Jul 29, 2009 at 10:01 AM, Marcio Costa <marcioacosta_at_gmail.com> wrote:
>
>> Ok Ram, but the problem is I only get the "switchport capture" on the 6500
>> switch, not on the 3560 switches.
>>
>> Here is my scenario,
>>
>> SW1 ---Etherchannel --- SW2
>> |
>> |
>> NIDS
>>
>> The NIDS only has a connection to one switch, not to the other, and I
>> want to monitor all vlan 19 traffic on both switches. Is that possible?
>> That's why I thought of using the VACL, but I don't have the "switchport
>> capture" on the 3560 switches.
>>
>> Thanks all your quick answers so far!!
>>
>> Marcio
>>
>>
>> On Wed, Jul 29, 2009 at 11:40 AM, Ram Shummoogum <rshummoo_at_ca.ibm.com> wrote:
>>
>> >
>> >
>> > He meant VACL capture:
>> >
>> > The action is forward capture
>> >
>> > Look at this example
>> >
>> > 1. Define the interesting traffic you want to be captured
>> > IOS(config)#ip access-list extended Capture_HTTPandUDP
>> > IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
>> > IOS(config-ext-nacl)#permit udp any any
>> > 2. Define a permit ACL that will allow all other traffic to flow in/out of the VLAN.
>> > IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
>> > IOS(config-ext-nacl)#permit ip any any
>> > 3. Define the VLAN access map, in this case it is called Capture_MAP.
>> > IOS(config)#vlan access-map Capture_MAP 10
>> > IOS(config-access-map)#match ip address Capture_HTTPandUDP
>> > IOS(config-access-map)#action forward capture
>> > IOS(config)#vlan access-map Capture_MAP 20
>> > IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
>> > IOS(config-access-map)#action forward
>> > 4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100.
>> > IOS(config)#vlan filter Capture_MAP vlan-list 100
>> > 5. Configure the Capture Port. This is where captured traffic will be sent.
>> > IOS(config)#int gig2/1
>> > IOS(config-if)#switchport capture allowed vlan ?
>> > WORD VLAN IDs of the allowed VLANs
>> > add add VLANs to the current list
>> > all all VLANs
>> > except all VLANs except the following
>> > remove remove VLANs from the current list
>> > IOS(config-if)#switchport capture allowed vlan 100
>> > IOS(config-if)#switchport capture
>> > !This enables the feature.
>> >
>> > *Ryan West <rwest_at_zyedge.com>*
>> > Sent by: nobody_at_groupstudy.com
>> > 07/29/2009 10:22 AM
>> > Please respond to Ryan West <rwest_at_zyedge.com>
>> > To: Marcio Costa <marcioacosta_at_gmail.com>, "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>> > cc:
>> > Subject: RE: VACL on 3560 switch
>> >
>> > I think you're looking for a SPAN port and not a VACL.
>> >
>> > Monitor session 1 source vlan 19 rx
>> > Monitor session 1 dest f0/2
>> >
>> > -ryan
>> >
>> > -----Original Message-----
>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> > Marcio Costa
>> > Sent: Wednesday, July 29, 2009 10:06 AM
>> > To: ccielab_at_groupstudy.com
>> > Subject: VACL on 3560 switch
>> >
>> > Hi Experts,
>> >
>> > How will the switch (3560) know which interface it should forward the
>> > captured traffic to (the NIDS or a host w/ Wireshark) with the VACL config
>> > below?
>> >
>> > interface FastEthernet0/2 (the interface I want to connect the NIDS to)
>> > switchport
>> > switchport host
>> > switchport access vlan 19
>> > speed 100
>> > duplex full
>> > no shutdown
>> > !
>> > exit
>> > !
>> > ip access-list extended ALLOWED_TRAFFIC
>> > permit ip any any
>> > !
>> > exit
>> > !
>> > vlan access-map VLAN19_FILTER 10
>> > match ip address ALLOWED_TRAFFIC
>> > action forward
>> > !
>> > exit
>> > !
>> > vlan filter VLAN19_FILTER vlan-list 19
>> >
>> > Is there anything missing?
>> >
>> > Thanks in advance,
>> > Marcio A. Costa
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>>

Received on Thu Jul 30 2009 - 00:22:27 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART