Hi,

We have a situation where we need to intercept certain IP traffic that is somewhere within a link of 300Mbit/s of traffic (GigabitEthernet). The setup that we built is as follows:

          router
            ^
            |  GE
            |
       fiber tap -------> cisco catalyst 3550
            |
            |  GE
            v
          switch

The catalyst 3550 is receiving the traffic from router to switch and vice versa. Now, we'd like to filter all but certain IP's on the 3550 and switch this traffic to a FE port on that same 3550. Currently we've put the FE interface in SPAN mode, but that fills up the FE port completely (obviously). Is there any way to accomplish this?

Regards,

Stefan

--
Stefan Baltus <stefan.baltus@xbn.nl>
XB Networks B.V.            Manager Engineering
Televisieweg 2              phone: +31 36 5462400
1322 AC Almere              fax:   +31 36 5462424
The Netherlands
Stefan,

I think you're confusing your OSI layers here: routers route and switches switch. If you're spanning 300 megabits per second, what you'll need is a gigabit card for the span port on the 3550 (or directly connected to the passive tap you've installed).

---Rico

On Wed, 11 Aug 2004 16:37:24 +0200, Stefan Baltus <stefan.baltus@xbn.nl> wrote:
> Hi,
>
> We have a situation where we need to intercept certain IP traffic that is somewhere within a link of 300Mbit/s of traffic (GigabitEthernet). The setup that we built is as follows:
>
>           router
>             ^
>             |  GE
>             |
>        fiber tap -------> cisco catalyst 3550
>             |
>             |  GE
>             v
>           switch
>
> The catalyst 3550 is receiving the traffic from router to switch and vice versa. Now, we'd like to filter all but certain IP's on the 3550 and switch this traffic to a FE port on that same 3550. Currently we've put the FE interface in SPAN mode, but that fills up the FE port completely (obviously). Is there any way to accomplish this?
>
> Regards,
>
> Stefan
>
> --
> Stefan Baltus <stefan.baltus@xbn.nl>
> XB Networks B.V.            Manager Engineering
> Televisieweg 2              phone: +31 36 5462400
> 1322 AC Almere              fax:   +31 36 5462424
> The Netherlands
You might be able to do what you want by hard-coding the CAM entries in the catalyst so that it forwards the MAC addresses you're concerned about to the port in question, but that may or may not achieve what you want, depending on the makeup of the MAC addresses in the 300mbps traffic and whether there is a limited number of MAC addresses that apply only to the traffic that interests you (destination field only). Otherwise, you really need to feed this off to another GE interface and use libpcap (snoop, tcpdump, ethereal) to filter stuff into a file.

Owen
On Wed, 11 Aug 2004, Stefan Baltus wrote:

> The catalyst 3550 is receiving the traffic from router to switch and vice versa.

Can we assume the 3550 port attached to the tap is GE?

> Now, we'd like to filter all but certain IP's on the 3550 and switch this traffic to a FE port on that same 3550. Currently we've put the FE interface in SPAN mode, but that fills up the FE port completely (obviously). Is there any way to accomplish this?

It might be possible to assign a VLAN to the 3550 port and set up a VACL (VLAN ACL) to filter, capture, and direct the data to another 3550 port. I did this two years ago while evaluating an IDS blade in a 6500 chassis, and wanted to reduce the number of false positives. In that case the output was directed to the IDS module, but it may be possible to direct it to a physical port. I haven't messed with VACLs since then, and thus cannot provide specific syntax for doing this, so I'd suggest you go to www.cisco.com and search on: vacl ids

Good luck,

- SLS
-------------------------------------------------------------------------
Scott L. Stursa                                        850/645-2397
Network Security Assessment                     stursa@mailer.fsu.edu
User Services/Office of Technology Integration
Florida State University

  The Internet?  Yeah, I remember that.  Well, all I can say is that
  it seemed like a good idea at the time...
                                  - Any Number of People, circa 2020
Thanks for all the replies. The best solution was by Boyan Krosnov who suggested the following:

Configure the GE port where the traffic comes in from the fiber tap in a separate new vlan A, access mode.

Configure fastethernet X to be in access mode for vlan A.

Configure a static mac entry for vlan A pointing the destination mac address of the router where the traffic heads to to fastethernet X.

Connect your sniffer on Fastethernet X.

-- at this stage all traffic going to that router will be dumped to the sniffer. Not precisely what you want.

-- now comes the trick

Configure a VLAN access-map
http://www.cisco.com/en/US/products/hw/switches/ps646/products_command_reference_chapter09186a008021145c.html

  ip access-list extended acl1
   permit ip host x.x.x.x any
   permit ip any host x.x.x.x
  vlan access-map alabala
   match ip address acl1
   action forward
  vlan filter alabala vlan-list A

This works for my case. Boyan: thanks a lot.

Stefan

On Wed, Aug 11, 2004 at 04:37:24PM +0200, Stefan Baltus wrote:
> Hi,
>
> We have a situation where we need to intercept certain IP traffic that is somewhere within a link of 300Mbit/s of traffic (GigabitEthernet). The setup that we built is as follows:
>
>           router
>             ^
>             |  GE
>             |
>        fiber tap -------> cisco catalyst 3550
>             |
>             |  GE
>             v
>           switch
>
> The catalyst 3550 is receiving the traffic from router to switch and vice versa. Now, we'd like to filter all but certain IP's on the 3550 and switch this traffic to a FE port on that same 3550. Currently we've put the FE interface in SPAN mode, but that fills up the FE port completely (obviously). Is there any way to accomplish this?
>
> Regards,
>
> Stefan
>
> --
> Stefan Baltus <stefan.baltus@xbn.nl>
> XB Networks B.V.            Manager Engineering
> Televisieweg 2              phone: +31 36 5462400
> 1322 AC Almere              fax:   +31 36 5462424
> The Netherlands
--
Stefan Baltus <stefan.baltus@xbn.nl>
XB Networks B.V.            Manager Engineering
Televisieweg 2              phone: +31 36 5462400
1322 AC Almere              fax:   +31 36 5462424
The Netherlands
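The complete Catalyst 3550 configuration that Boyan's steps describe, written out as an added example for this archive page. It is not the configuration Stefan or Boyan posted, and the thread does not show it in this form. The VLAN number (100), the interface names (GigabitEthernet0/1 for the tap feed, FastEthernet0/1 for the sniffer), the router MAC address (0000.0c12.3456) and the host of interest (192.0.2.10) are assumptions chosen for illustration; substitute your own.

```cisco
! Added example, not the configuration posted in the thread.
! Assumptions (substitute your own): VLAN 100 is the isolated capture VLAN,
! GigabitEthernet0/1 is fed by the fibre tap, FastEthernet0/1 is the sniffer
! port, 0000.0c12.3456 is the upstream router's MAC address and 192.0.2.10 is
! the host whose traffic should reach the sniffer.
!
vlan 100
 name CAPTURE
!
! Tap feed. A passive tap delivers light in one direction only, so 1000BASE-X
! autonegotiation cannot complete: force the link up with "speed nonegotiate".
! Keep the switch quiet towards the tap (no CDP, no BPDUs) so nothing the
! switch generates can leak into the monitored link if the tap is ever miswired.
interface GigabitEthernet0/1
 description fibre tap (receive only)
 switchport mode access
 switchport access vlan 100
 speed nonegotiate
 no cdp enable
 spanning-tree bpdufilter enable
!
! Sniffer port, in the same isolated VLAN and nothing else.
interface FastEthernet0/1
 description sniffer
 switchport mode access
 switchport access vlan 100
 no cdp enable
 spanning-tree bpdufilter enable
!
! Static CAM entry: frames in VLAN 100 addressed to the router's MAC are switched
! to the sniffer. Without it the 3550 learns the router's MAC as a source address
! on the tap port and "returns" those frames to the port they arrived on, i.e.
! discards them. Older 12.1 EA releases spell this "mac-address-table static".
mac address-table static 0000.0c12.3456 vlan 100 interface FastEthernet0/1
!
! Keep only IP packets to or from the host of interest (both directions).
ip access-list extended CAPTURE-HOSTS
 permit ip host 192.0.2.10 any
 permit ip any host 192.0.2.10
!
! Catch-all MAC ACL for the non-IP frames (ARP etc.) that an IP match clause
! does not cover; without a MAC clause the 3550 forwards those by default.
mac access-list extended ANY-MAC
 permit any any
!
! VACL: sequence 10 forwards the wanted IP packets; other IP packets match no
! clause and hit the implicit drop; sequence 20 drops the non-IP remainder.
vlan access-map CAPTURE 10
 match ip address CAPTURE-HOSTS
 action forward
vlan access-map CAPTURE 20
 match mac address ANY-MAC
 action drop
!
vlan filter CAPTURE vlan-list 100
```

Two things to check before trusting the capture. First, verify the pieces are actually installed with `show vlan filter`, `show vlan access-map` and `show mac address-table vlan 100`; the static entry must list FastEthernet0/1, not the tap port. Second, note what the static entry does and does not cover: it only redirects frames whose destination MAC is the router's, i.e. the switch-to-router direction. Frames in the router-to-switch direction carry the downstream hosts' MACs as destination, the 3550 learns those MACs as source addresses on the tap port, and it will forward such frames back toward the tap port (where nothing is listening) rather than flood them to the sniffer. That is the limitation Owen describes above: to capture the return direction you need a static entry per destination MAC on that side, which is only practical when there are few of them, or you accept a one-directional capture. An IP ACL that permits both directions, as the one above does, does not by itself fix that.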
participants (5)
- Joe Abley
- Owen DeLong
- Ricardo "Rick" Gonzalez
- Scott Stursa
- Stefan Baltus