Re: VACL on 3560 switch

From: S Malik <ccie.09_at_gmail.com>
Date: Fri, 31 Jul 2009 10:03:55 -0400

You may create a different span session with different destination though
(if needed).

On Thu, Jul 30, 2009 at 3:52 PM, Roy Waterman <roy.waterman_at_gmail.com> wrote:

> That won't work Marcio.
>
> As far as I am aware, you cannot mix n match different span types under the
> same span session...the session is either rspan or vspan or span
>
> Switch(config-vlan)# remote-span
> Switch(config-vlan)#!
> Switch(config-vlan)#monitor session 10 source remote vlan 190
> Switch(config)#monitor session 10 source vlan 19
> % Cannot add VLANs as source for session 10 - a RSPAN Destination session
> <-------------------------
> Switch(config)#monitor session 10 destination interface F0/2
>
> Unfortunately you cannot create a new vspan session using the same
> destination interface f0/2 either:
>
> Switch(config)#monitor session 11 source vlan 19
> Switch(config)#monitor session 11 destination int f0/2
> % Interface(s) Fa0/2 already configured as monitor destinations in other
> monitor sessions <----------------
>
> Regards
> Roy
>
>
> 2009/7/30 Marcio Costa <marcioacosta_at_gmail.com>
>
> > Thanks for the replies..
> >
> > Here is my scenario,
> >
> > SW1 ---Etherchannel --- SW2
> > |
> > |
> > NIDS
> >
> > PS: There is traffic on vlan 19 on both switches
> >
> > So the configuration should be this one below?
> >
> > SW2
> >
> > vlan 190
> > remote-span
> > !
> > monitor session 10 source vlan 19
> > monitor session 10 destination remote vlan 190
> >
> > SW1
> >
> > vlan 190
> > remote-span
> > !
> > monitor session 10 source remote vlan 190 -> monitor captured traffic on
> > vlan 19 of the remote switch
> > monitor session 10 source vlan 19 -> monitor also the traffic on vlan 19 of
> > this switch
> > monitor session 10 destination interface F0/2 -> where the NIDS is
> > connected
> >
> > Thanks all,
> > Marcio A. Costa
> >
> >
> >
> >
> > On Wed, Jul 29, 2009 at 12:14 PM, Hammer <bhmccie_at_gmail.com> wrote:
> >
> > > RSPAN?
> > >
> > > -Hammer
> > >
> > >
> > > On Wed, Jul 29, 2009 at 10:01 AM, Marcio Costa <marcioacosta_at_gmail.com> wrote:
> > >
> > >> Ok Ram, but the problem is I just get the "switchport capture" on the
> > >> 6500 switch, not on 3560 switches.
> > >>
> > >> Here is my scenario,
> > >>
> > >> SW1 ---Etherchannel --- SW2
> > >> |
> > >> |
> > >> NIDS
> > >>
> > >> The NIDS just has a connection to one switch, not to the other switch,
> > >> and I want to monitor all vlan 19 traffic on both switches. Is that
> > >> possible? That's why I thought to use the VACL, but I don't have the
> > >> "switchport capture" on the 3560 switches.
> > >>
> > >> Thanks all your quick answers so far!!
> > >>
> > >> Marcio
> > >>
> > >>
> > >> On Wed, Jul 29, 2009 at 11:40 AM, Ram Shummoogum <rshummoo_at_ca.ibm.com> wrote:
> > >>
> > >> >
> > >> >
> > >> > He meant VACL capture:
> > >> >
> > >> > The action is forward capture
> > >> >
> > >> > Look at this example
> > >> >
> > >> > 1. Define the interesting traffic you want to be captured
> > >> > IOS(config)#ip access-list extended Capture_HTTPandUDP
> > >> > IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
> > >> > IOS(config-ext-nacl)#permit udp any any
> > >> > 2. Define a permit ACL that will allow all other traffic to flow in/out of
> > >> > the VLAN.
> > >> > IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
> > >> > IOS(config-ext-nacl)#permit ip any any
> > >> > 3. Define the VLAN access map, in this case it is called Capture_MAP.
> > >> > IOS(config)#vlan access-map Capture_MAP 10
> > >> > IOS(config-access-map)#match ip address Capture_HTTPandUDP
> > >> > IOS(config-access-map)#action forward capture
> > >> > IOS(config)#vlan access-map Capture_MAP 20
> > >> > IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
> > >> > IOS(config-access-map)#action forward
> > >> > 4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100.
> > >> > IOS(config)#vlan filter Capture_MAP vlan-list 100
> > >> > 5. Configure the Capture Port. This is where captured traffic will be sent.
> > >> > IOS(config)#int gig2/1
> > >> > IOS(config-if)#switchport capture allowed vlan ?
> > >> >   WORD    VLAN IDs of the allowed VLANs
> > >> >   add     add VLANs to the current list
> > >> >   all     all VLANs
> > >> >   except  all VLANs except the following
> > >> >   remove  remove VLANs from the current list
> > >> > IOS(config-if)#switchport capture allowed vlan 100
> > >> > IOS(config-if)#switchport capture
> > >> > !This enables the feature.
> > >> >
> > >> > *Ryan West <rwest_at_zyedge.com>*
> > >> > Sent by: nobody_at_groupstudy.com
> > >> >
> > >> > 07/29/2009 10:22 AM
> > >> > Please respond to
> > >> > Ryan West <rwest_at_zyedge.com>
> > >> >
> > >> > To
> > >> > Marcio Costa <marcioacosta_at_gmail.com>, "ccielab_at_groupstudy.com" <
> > >> > ccielab_at_groupstudy.com> cc
> > >> > Subject
> > >> > RE: VACL on 3560 switch
> > >> >
> > >> > I think you're looking for a SPAN port and not a VACL.
> > >> >
> > >> > Monitor session 1 source vlan 19 rx
> > >> > Monitor session 1 dest f0/2
> > >> >
> > >> > -ryan
> > >> >
> > >> > -----Original Message-----
> > >> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > >> > Marcio Costa
> > >> > Sent: Wednesday, July 29, 2009 10:06 AM
> > >> > To: ccielab_at_groupstudy.com
> > >> > Subject: VACL on 3560 switch
> > >> >
> > >> > Hi Experts,
> > >> >
> > >> > How will the switch (3560) know which interface it should forward the
> > >> > captured traffic to (the NIDS or host w/ Wireshark) with this VACL config
> > >> > below?
> > >> >
> > >> > interface FastEthernet0/2 (the interface I want to connect the NIDS)
> > >> > switchport
> > >> > switchport host
> > >> > switchport access vlan 19
> > >> > speed 100
> > >> > duplex full
> > >> > no shutdown
> > >> > !
> > >> > exit
> > >> > !
> > >> > ip access-list extended ALLOWED_TRAFFIC
> > >> > permit ip any any
> > >> > !
> > >> > exit
> > >> > !
> > >> > vlan access-map VLAN19_FILTER 10
> > >> > match ip address ALLOWED_TRAFFIC
> > >> > action forward
> > >> > !
> > >> > exit
> > >> > !
> > >> > vlan filter VLAN19_FILTER vlan-list 19
> > >> >
> > >> > Is there anything missing?
> > >> >
> > >> > Thanks in advance,
> > >> > Marcio A. Costa
> > >> >
> > >> >
> > >> > Blogs and organic groups at http://www.ccie.net
> > >> >
> > >> > _______________________________________________________________________
> > >> > Subscription information may be found at:
> > >> > http://www.groupstudy.com/list/CCIELab.html
> > >> >
> > >> >
> > >> > Blogs and organic groups at http://www.ccie.net
> > >> >
> > >> >
> > _______________________________________________________________________
> > >> > Subscription information may be found at:
> > >> > http://www.groupstudy.com/list/CCIELab.html
> > >>
> >
> >
>
>
> --
> Regards
> Roy
>
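The two switch errors Roy pasted (a session with a `source remote vlan` refusing local `source vlan` entries, and a destination interface refused because another session already owns it) are easy to trip over when SPAN config is edited by hand. The following is an added example, not code from the thread or from Cisco: a small Python linter that reads `monitor session` lines and reports both conflicts before the config is pushed. The rules are taken only from the error messages quoted above; the sample configs are constructed from Roy's attempt and from S Malik's suggestion of a second session with its own destination, and `Fa0/3` is an assumed second NIDS-facing port.

```python
"""Lint Cisco IOS 'monitor session' lines for the two SPAN conflicts seen in
this thread.  Added example (not from the thread, not Cisco code); the two
rules are read off the switch error messages Roy quoted:
  1. a session whose source is 'remote vlan' is an RSPAN destination session
     and will not also accept local 'source vlan' entries;
  2. an interface can be the destination of only one monitor session.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\s*monitor\s+session\s+(?P<id>\d+)\s+"
    r"(?P<kind>source|destination)\s+(?P<rest>.+?)\s*$",
    re.IGNORECASE,
)


def normalize_interface(name: str) -> str:
    """Fold F0/2, f0/2, Fa0/2 and FastEthernet0/2 into one key ('fa0/2')."""
    m = re.match(r"^([A-Za-z]+)\s*(\d.*)$", name.strip())
    if not m:
        return name.strip().lower()
    prefix, rest = m.group(1).lower(), m.group(2)
    if prefix in ("f", "fa") or prefix.startswith("fast"):
        prefix = "fa"
    elif prefix in ("g", "gi") or prefix.startswith("gig"):
        prefix = "gi"
    return prefix + rest


def parse_sessions(config_text: str) -> dict:
    """Group monitor-session lines by session id; other lines are ignored."""
    sessions = defaultdict(lambda: {"remote_source": [], "vlan_source": [],
                                    "dest_if": [], "dest_remote": []})
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, kind, rest = int(m["id"]), m["kind"].lower(), m["rest"].lower()
        s = sessions[sid]
        remote = re.match(r"remote\s+vlan\s+(\d+)", rest)
        if kind == "source":
            local = re.match(r"vlan\s+([\d,\-]+)(?:\s+(?:rx|tx|both))?$", rest)
            if remote:
                s["remote_source"].append(int(remote.group(1)))
            elif local:
                s["vlan_source"].append(local.group(1))
        else:
            iface = re.match(r"(?:interface|int)\s+(\S+)", rest)
            if iface:
                s["dest_if"].append(normalize_interface(iface.group(1)))
            elif remote:
                s["dest_remote"].append(int(remote.group(1)))
    return dict(sessions)


def lint_sessions(config_text: str) -> list:
    """Return one human-readable finding per conflict (empty list if clean)."""
    sessions = parse_sessions(config_text)
    findings = []
    # Rule 1: RSPAN destination session that also lists local VLAN sources.
    for sid in sorted(sessions):
        s = sessions[sid]
        if s["remote_source"] and s["vlan_source"]:
            findings.append(
                f"session {sid}: is an RSPAN destination session (source remote "
                f"vlan {s['remote_source']}) and cannot also take local VLAN "
                f"sources {s['vlan_source']}; move them to their own session")
    # Rule 2: the same destination interface claimed by more than one session.
    owners = defaultdict(list)
    for sid, s in sessions.items():
        for iface in s["dest_if"]:
            owners[iface].append(sid)
    for iface, sids in sorted(owners.items()):
        if len(sids) > 1:
            findings.append(
                f"interface {iface}: destination of sessions {sorted(sids)}; "
                f"each session needs its own destination interface")
    return findings


# Constructed input: Roy's attempt on SW1, copied from the thread.
SW1_ATTEMPT = """\
monitor session 10 source remote vlan 190
monitor session 10 source vlan 19
monitor session 10 destination interface F0/2
monitor session 11 source vlan 19
monitor session 11 destination int f0/2
"""

# Constructed input following S Malik's suggestion: a second session with its
# own destination port.  Fa0/3 is an assumed second NIDS-facing port.
SW1_SPLIT = """\
monitor session 10 source remote vlan 190
monitor session 10 destination interface Fa0/2
monitor session 11 source vlan 19
monitor session 11 destination interface Fa0/3
"""

if __name__ == "__main__":
    for label, cfg in (("attempt", SW1_ATTEMPT), ("split", SW1_SPLIT)):
        print(f"{label}: {lint_sessions(cfg) or ['no conflicts']}")
```

Run it against a `show running-config | include monitor session` dump before a change window: the first constructed config yields both findings Roy hit on the live switch, the second yields none. Note the split layout still needs two NIDS ports, which is the cost S Malik's suggestion implies.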

Received on Fri Jul 31 2009 - 10:03:55 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART