That won't work, Marcio.
As far as I am aware, you cannot mix and match different span types under the
same span session...the session is either rspan or vspan or span
Switch(config-vlan)# remote-span
Switch(config-vlan)#!
Switch(config-vlan)#monitor session 10 source remote vlan 190
Switch(config)#monitor session 10 source vlan 19
% Cannot add VLANs as source for session 10 - a RSPAN Destination session <-------------------------
Switch(config)#monitor session 10 destination interface F0/2
Unfortunately you cannot create a new vspan session using the same
destination interface f0/2 either:
Switch(config)#monitor session 11 source vlan 19
Switch(config)#monitor session 11 destination int f0/2
% Interface(s) Fa0/2 already configured as monitor destinations in other monitor sessions <----------------
Regards
Roy
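As an added example (not part of Roy's reply or of any Cisco tool), a small lint that encodes the two constraints his session transcript shows: a session whose source is `remote vlan` cannot also take local VLAN/interface sources, and one interface can be the destination of only one session. The sample config lines are constructed from Marcio's proposed SW1 session plus the second session Roy tried; the interface-name normalisation (F0/2, Fa0/2, FastEthernet0/2 treated as the same port) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: Marcio's proposed SW1 session 10 plus Roy's session 11.
SW1_CANDIDATE = """
monitor session 10 source remote vlan 190
monitor session 10 source vlan 19
monitor session 10 destination interface Fa0/2
monitor session 11 source vlan 19
monitor session 11 destination interface Fa0/2
"""

LINE_RE = re.compile(
    r"^monitor session (\d+) (source|destination) (remote vlan|vlan|interface) (\S+)"
)


def _norm_if(name):
    # Assumption: F0/2, Fa0/2 and FastEthernet0/2 all name the same port.
    m = re.match(r"^(f|fa|fastethernet)(\d+/\d+)$", name.lower())
    return "Fa" + m.group(2) if m else name


def check_sessions(config):
    """Return a list of problems found in a block of monitor-session lines.

    1. an RSPAN destination session (source remote vlan) cannot also take
       local VLAN or interface sources;
    2. an interface may be the destination of only one session.
    """
    sources = defaultdict(set)   # session id -> kinds of source configured
    dests = defaultdict(set)     # destination interface -> session ids
    for raw in config.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                # ignore lines that are not monitor sessions
        sess, role, kind, target = m.groups()
        if role == "source":
            sources[sess].add(kind)
        elif kind == "interface":
            dests[_norm_if(target)].add(sess)
    problems = []
    for sess, kinds in sorted(sources.items()):
        if "remote vlan" in kinds and kinds - {"remote vlan"}:
            problems.append(f"session {sess}: cannot mix local sources with a remote vlan source")
    for iface, sessions in sorted(dests.items()):
        if len(sessions) > 1:
            problems.append(f"{iface}: destination in sessions {', '.join(sorted(sessions))}")
    return problems
```

Running `check_sessions(SW1_CANDIDATE)` flags both of the errors the switch printed in Roy's transcript, before the config is ever pasted into a live device.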
2009/7/30 Marcio Costa <marcioacosta_at_gmail.com>
> Thanks for the replies..
>
> Here is my scenario,
>
> SW1 ---Etherchannel --- SW2
> |
> |
> NIDS
>
> PS: There is traffic on vlan 19 on both switches
>
> So the configuration should be the one below?
>
> SW2
>
> vlan 190
> remote-span
> !
> monitor session 10 source vlan 19
> monitor session 10 destination remote vlan 190
>
> SW1
>
> vlan 190
> remote-span
> !
> monitor session 10 source remote vlan 190 -> monitor captured traffic on vlan 19 of the remote switch
> monitor session 10 source vlan 19 -> monitor also the traffic on vlan 19 of this switch
> monitor session 10 destination interface F0/2 -> where the NIDS is connected
>
> Thanks all,
> Marcio A. Costa
>
> On Wed, Jul 29, 2009 at 12:14 PM, Hammer <bhmccie_at_gmail.com> wrote:
>
> > RSPAN?
> >
> > -Hammer
> >
> >
> > On Wed, Jul 29, 2009 at 10:01 AM, Marcio Costa <marcioacosta_at_gmail.com> wrote:
> >
> >> Ok Ram, but the problem is I just get the "switchport capture" on the 6500
> >> switch not on 3560 switches.
> >>
> >> Here is my scenario,
> >>
> >> SW1 ---Etherchannel --- SW2
> >> |
> >> |
> >> NIDS
> >>
> >> The NIDS just has a connection to one switch, not to the other switch, and I
> >> want to monitor all vlan 19 traffic on both switches. Is that possible?
> >> That's why I thought to use the VACL, but I don't have the "switchport
> >> capture" on the 3560 switches.
> >>
> >> Thanks for all your quick answers so far!!
> >>
> >> Marcio
> >>
> >>
> >> On Wed, Jul 29, 2009 at 11:40 AM, Ram Shummoogum <rshummoo_at_ca.ibm.com> wrote:
> >>
> >> >
> >> >
> >> > He meant VACL capture:
> >> >
> >> > The action is forward capture
> >> >
> >> > Look at this example
> >> >
> >> >
> >> > 1. Define the interesting traffic you want to be captured
> >> > IOS(config)#ip access-list extended Capture_HTTPandUDP
> >> > IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
> >> > IOS(config-ext-nacl)#permit udp any any
> >> > 2. Define a permit ACL that will allow all other traffic to flow in/out of the VLAN.
> >> > IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
> >> > IOS(config-ext-nacl)#permit ip any any
> >> > 3. Define the VLAN access map, in this case it is called Capture_MAP.
> >> > IOS(config)#vlan access-map Capture_MAP 10
> >> > IOS(config-access-map)#match ip address Capture_HTTPandUDP
> >> > IOS(config-access-map)#action forward capture
> >> > IOS(config)#vlan access-map Capture_MAP 20
> >> > IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
> >> > IOS(config-access-map)#action forward
> >> > 4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100.
> >> > IOS(config)#vlan filter Capture_MAP vlan-list 100
> >> > 5. Configure the Capture Port. This is where captured traffic will be sent.
> >> > IOS(config)#int gig2/1
> >> > IOS(config-if)#switchport capture allowed vlan ?
> >> > WORD VLAN IDs of the allowed VLANs
> >> > add add VLANs to the current list
> >> > all all VLANs
> >> > except all VLANs except the following
> >> > remove remove VLANs from the current list
> >> > IOS(config-if)#switchport capture allowed vlan 100
> >> > IOS(config-if)#switchport capture
> >> > !This enables the feature.
> >> >
> >> > *Ryan West <rwest_at_zyedge.com>*
> >> > Sent by: nobody_at_groupstudy.com
> >> >
> >> > 07/29/2009 10:22 AM
> >> > Please respond to
> >> > Ryan West <rwest_at_zyedge.com>
> >> >
> >> > To: Marcio Costa <marcioacosta_at_gmail.com>, "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> >> > cc:
> >> > Subject: RE: VACL on 3560 switch
> >> >
> >> > I think you're looking for a SPAN port and not a VACL.
> >> >
> >> > Monitor session 1 source vlan 19 rx
> >> > Monitor session 1 dest f0/2
> >> >
> >> > -ryan
> >> >
> >> > -----Original Message-----
> >> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Marcio Costa
> >> > Sent: Wednesday, July 29, 2009 10:06 AM
> >> > To: ccielab_at_groupstudy.com
> >> > Subject: VACL on 3560 switch
> >> >
> >> > Hi Experts,
> >> >
> >> > How will the switch (3560) know which interface it should forward the
> >> > captured traffic to (the NIDS or host w/ Wireshark) with this VACL config
> >> > below?
> >> >
> >> > interface FastEthernet0/2 (the interface I want to connect the NIDS)
> >> > switchport
> >> > switchport host
> >> > switchport access vlan 19
> >> > speed 100
> >> > duplex full
> >> > no shutdown
> >> > !
> >> > exit
> >> > !
> >> > ip access-list extended ALLOWED_TRAFFIC
> >> > permit ip any any
> >> > !
> >> > exit
> >> > !
> >> > vlan access-map VLAN19_FILTER 10
> >> > match ip address ALLOWED_TRAFFIC
> >> > action forward
> >> > !
> >> > exit
> >> > !
> >> > vlan filter VLAN19_FILTER vlan-list 19
> >> >
> >> > Is there anything missing??
> >> >
> >> > Thanks in advance,
> >> > Marcio A. Costa
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> >
> _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
> >> >
Received on Thu Jul 30 2009 - 20:52:43 ART
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART