Legal intercept - 3550

Hi,

We have a situation where we need to intercept certain IP traffic
that is somewhere within a link of 300Mbit/s of traffic (GigabitEthernet).
The setup that we built is as follows:

router
  ^
  | GE
  |
fiber tap -------> cisco catalyst 3550
  |
  | GE
  v
switch

The catalyst 3550 is receiving the traffic from router to switch
and vice versa. Now, we'd like to filter all but certain IPs on the
3550 and switch this traffic to a FE port on that same 3550. Currently
we've put the FE interface in SPAN mode, but that fills up the
FE port completely (obviously). Is there any way to accomplish this?

Regards,

Stefan

Stefan,

I think you're confusing your OSI layers here, routers route and
switches switch.

If you're spanning 300 megabits per second, what you'll need is a
gigabit card for the span port on the 3550 (or directly connected to
the passive tap you've installed).

---Rico

You might be able to do what you want by hard-coding the CAM entries in the
catalyst so that it forwards the MAC addresses you're concerned about to
the port in question, but, that may or may not achieve what you want, depending
on the makeup of the MAC addresses in the 300mbps traffic and whether there
is a limited number of MAC addresses that apply only to the traffic that
interests you (destination field only).

Otherwise, you really need to feed this off to another GE interface and
use libpcap (snoop, tcpdump, ethereal) to filter stuff into a file.

Owen

> The catalyst 3550 is receiving the traffic from router to switch
> and vice versa.

Can we assume the 3550 port attached to the tap is GE?

> Now, we'd like to filter all but certain IPs on the
> 3550 and switch this traffic to a FE port on that same 3550. Currently
> we've put the FE interface in SPAN mode, but that fills up the
> FE port completely (obviously). Is there any way to accomplish this?

It might be possible to assign a VLAN to the 3550 port and set up a VACL
(VLAN ACL) to filter, capture, and direct the data to another 3550 port. I
did this two years ago while evaluating an IDS blade in a 6500 chassis,
and wanted to reduce the number of false positives. In that case the
output was directed to the IDS module, but it may be possible to direct it
to a physical port.

I haven't messed with VACLs since then, and thus cannot provide specific
syntax for doing this, so I'd suggest you go to www.cisco.com and search
on: vacl ids

Good luck,

- SLS

Oh, those were the days.

Thanks for all the replies. The best solution was by Boyan Krosnov who
suggested the following:

Configure the GE port where the traffic comes in from the fiber tap in a
separate new vlan A, access mode.
Configure fastethernet X to be in access mode for vlan A.
Configure a static mac entry for vlan A pointing the destination mac
address of the router where the traffic heads to to fastethernet X.
Connect your sniffer on Fastethernet X.
-- at this stage all traffic going to that router will be dumped to the
sniffer. Not precisely what you want.
-- now comes the trick
Configure a VLAN access-map
http://www.cisco.com/en/US/products/hw/switches/ps646/products_command_reference_chapter09186a008021145c.html
  ip access-list ext acl1
    permit ip host x.x.x.x any
    permit ip any host x.x.x.x
  vlan access-map alabala
    match ip address acl1
    action forward
  vlan filter alabala vlan-list A

This works for my case. Boyan: thanks a lot.

Stefan
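The steps Boyan described, written out as one consolidated 3550 configuration. This is an added example, not the thread's own config: the VLAN number (900), the interface names, the router MAC and the two host addresses are assumed placeholders, and the `speed nonegotiate` line is an assumption for a receive-only fiber from a passive tap.

```text
! Assumed placeholders (not from the thread): "vlan A" = 900, tap feed on
! GigabitEthernet0/1, sniffer on FastEthernet0/24, upstream router MAC
! 0000.0c12.3456, hosts of interest 192.0.2.10 and 192.0.2.11.
vlan 900
 name INTERCEPT
!
interface GigabitEthernet0/1
 description receive-only feed from the passive fiber tap
 switchport mode access
 switchport access vlan 900
 ! assumption: no return fiber, so gigabit autonegotiation cannot complete
 speed nonegotiate
!
interface FastEthernet0/24
 description sniffer
 switchport mode access
 switchport access vlan 900
!
! Static CAM entry: frames in VLAN 900 whose destination is the router's
! MAC are switched to the sniffer port instead of being flooded.
mac-address-table static 0000.0c12.3456 vlan 900 interface FastEthernet0/24
!
! The VACL keeps only the hosts of interest; a VLAN map has an implicit
! deny, so everything else in VLAN 900 is dropped before it can reach the
! 100 Mbit/s sniffer port.
ip access-list extended INTERCEPT-HOSTS
 permit ip host 192.0.2.10 any
 permit ip any host 192.0.2.10
 permit ip host 192.0.2.11 any
 permit ip any host 192.0.2.11
!
vlan access-map INTERCEPT 10
 match ip address INTERCEPT-HOSTS
 action forward
!
vlan filter INTERCEPT vlan-list 900
```

Verify with `show vlan filter`, `show vlan access-map` and `show mac-address-table static vlan 900`; as the thread notes, only frames addressed to the router MAC are pinned to the sniffer port, so the return direction (router to switch) needs its own tap output and its own static entries.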