Capturing traffic...
Can someone walk me through the process needed to build a signature or modify an existing signature to capture certain traffic? I am interested in being able to view the contents of traffic triggering Instant Messaging and IRC related signatures, so either a method for capturing traffic triggered by the existing signatures, or creating a signature to capture any traffic on 5190 or 6667 for example, would be sufficient.
This is a VMS server version 2.2 monitoring IDS 4.x sensors....
thanks.
If they access it via a VPN then your ASA will show the connection to their VPN device and not the connections within that SSL VPN - those would all be encapsulated in the tunnel.
If they were accessing the remote server directly (not via a VPN) then yes you would see the server address in your "show conn" output.
I assume you use 10.10.10.1 as a made-up example as that private IP address would never be routed freely on the Internet - only within a private network or tunneled within a VPN.
Similar Messages
-
Hi Guys,
I have a request to capture traffic on the LAN and deliver it to a virtual server in an ESX VMware environment.
Has anyone tried this?
The topology is this:
WAN--Gateway--LAN--6500s--portchannel---Server with ESX (virtual server)
Data coming from the WAN entering the LAN on a specific port, needs to be captured, and sent to a specific virtual server.
Do you think this is possible?
Thanks.
Adrian
If you put the ESX server's VMNIC port as destination it should be possible. You need to configure SPAN in VMware though to send it to a specific virtual machine. See if this link helps:
http://blogs.vmware.com/vsphere/2013/02/vsphere-5-1-vds-feature-enhancements-port-mirroring-part-3.html
Daniel Dib
CCIE #37149 -
Capturing traffic in cisco devices.
Hi all,
Id like to ask how I can capture traffic
in Cisco routers? Something like in Cisco PIX firewalls. It is very nice in Cisco PIXs when I can troubleshoot outgoing and incoming traffic through some interface of the PIX, with capture capability.
Any idea?
BR
jl
Try to use: debug ip packet command with access-list parameter. Be careful! Do not start just debug ip packet, it can be very difficult for your router.
Example here: http://cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#debugtraffic -
SCE does not capture traffic snmp get-request
Hi,
We have SCE 2000 3.5.5.
I have a problem to capture some snmp traffic.
From a server To a router, our SCE captures traffic snmp "GET-NEXT-REQUEST". I can see these traffic in RDR (Transaction RDR and Subscriber RDR).
but, From the same server To the same router, "GET-REQUEST" doesn't.
I have checked these packets using sniffer software, and the difference of these is only "GET-NEXT-REQUEST" or "GET-REQUEST".
What could cause this situation??
Help me!
Hi, Tom.
I have controlled that the port is 161 and these packets go through the same SCE.
I changed the service configuration as you said, but SCE didn't capture the "snmp-get" packets. I will write down what I have done.
1. Open "New Service Configuration"
2. Add 161 to "UDP ports for which flow should be opened on first packet"
3. "RDR Settings" - "Transaction Usage RDRs" - check "select ALL"
4. Apply a SCE device
5. command "Snmpget" from a pc
6. Control RDRs with tag "4042323000" --> No record from the pc
7. mib-browser from the same pc
8. Control RDRs with tag "4042323000" --> find the record from the pc
I hope I can resolve it soon. -
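The only difference the sniffer shows between the two captures above is the PDU type (GET-REQUEST vs. GET-NEXT-REQUEST), which in an SNMPv1/v2c message is a single BER tag byte (0xA0 vs. 0xA1). The following added example, which is not from the thread or from Cisco, decodes that tag from raw UDP/161 payloads so you can classify captured SNMP messages the same way before deciding whether the SCE is dropping one type or the other. The sample messages are constructed inline with a minimal BER encoder, not captured traffic.

```python
"""Classify SNMP PDU types (RFC 3416 tags) from raw UDP payloads."""

# Context-specific, constructed tags: 0xA0 | PDU number.
PDU_TYPES = {
    0xA0: "GetRequest",
    0xA1: "GetNextRequest",
    0xA2: "GetResponse",
    0xA3: "SetRequest",
    0xA4: "Trap-v1",
    0xA5: "GetBulkRequest",
    0xA6: "InformRequest",
    0xA7: "SNMPv2-Trap",
    0xA8: "Report",
}


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def snmp_pdu_type(payload):
    """Return (version, community, pdu_name) for an SNMPv1/v2c message, else None."""
    try:
        tag, body, _ = _read_tlv(payload, 0)
        if tag != 0x30:                    # outer SEQUENCE
            return None
        tag, ver, pos = _read_tlv(body, 0)
        if tag != 0x02:                    # INTEGER version (0 = v1, 1 = v2c)
            return None
        tag, community, pos = _read_tlv(body, pos)
        if tag != 0x04:                    # OCTET STRING community
            return None
        pdu_tag, _, _ = _read_tlv(body, pos)
    except ValueError:
        return None
    return (int.from_bytes(ver, "big"),
            community.decode("ascii", "replace"),
            PDU_TYPES.get(pdu_tag, "unknown"))


def count_pdu_types(payloads):
    """Tally PDU names over a list of payloads; malformed ones are counted too."""
    counts = {}
    for p in payloads:
        parsed = snmp_pdu_type(p)
        name = parsed[2] if parsed else "malformed"
        counts[name] = counts.get(name, 0) + 1
    return counts


# --- constructed sample messages (tiny BER encoder; not real captured traffic) ---
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_request(pdu_tag, community=b"public",
                  oid=b"\x2b\x06\x01\x02\x01\x01\x01\x00",   # sysDescr.0
                  request_id=1):
    """Build a v2c request with one varbind (OID + NULL) and the given PDU tag."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    pdu = _tlv(pdu_tag,
               _tlv(0x02, bytes([request_id])) +     # request-id
               _tlv(0x02, b"\x00") +                 # error-status
               _tlv(0x02, b"\x00") +                 # error-index
               _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community) + pdu)


SAMPLE_GET = build_request(0xA0)        # what "snmpget" sends
SAMPLE_GETNEXT = build_request(0xA1)    # what a MIB browser walk sends

if __name__ == "__main__":
    print(count_pdu_types([SAMPLE_GET, SAMPLE_GETNEXT, SAMPLE_GETNEXT, b"\x00"]))
```

Feed it the UDP payloads from a pcap and compare the tally against what the RDRs record; if GetRequest messages are present on the wire but absent from the Transaction RDRs, the difference is on the SCE side rather than in the client.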
Unable to capture traffic with Ethanalyzer on N5K-5548
Version - 5.0(2)N2(1)
My understanding is that we need
1) Access-List defined, with statistics configured to get matched traffic onto control plane
2) Access-List applied to an interface, via command "ip port access-group mycap in"
3) ethanalyzer command, ex; "ethanalyzer local interface mgmt capture-filter "net 1.1.1.0/24" (also tried interfaces inbound-hi & inbound-low)
I see matches on the access-list, but not seeing anything captured.
What am I missing?
ip access-list mycap
statistics per-entry
10 permit ip any 1.1.1.0/24
20 permit ip 1.1.1.0/24 any
30 permit ip any any
just fyi.. on a similar sidenote we are going to enhance the capability of capture filter to collect the necessary statistics via the following enhancement
CSCsz99277 - ethanalyzer capture filter broken
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz99277 -
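The ACL counters in the question confirm that the hardware ACL matches the traffic, but they say nothing about whether Ethanalyzer's capture filter "net 1.1.1.0/24" matched it. The added example below, which is not from the thread or from Cisco, models both predicates in Python over constructed sample packets: the ACL as an ordered, first-match list with per-entry hit counters (the effect of "statistics per-entry"), and the capture filter as the libpcap "net" test (source or destination inside the prefix). Entry 30 "permit ip any any" means every packet is counted somewhere, so the counters cannot tell you how much of the traffic the capture filter should have kept.

```python
"""First-match ACL evaluation with per-entry hit counters vs. a 'net' capture filter."""
import ipaddress

# The ACL from the post as (sequence, source, destination); "any" is 0.0.0.0/0.
ACL_MYCAP = [
    (10, "0.0.0.0/0", "1.1.1.0/24"),
    (20, "1.1.1.0/24", "0.0.0.0/0"),
    (30, "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed sample packets as (src, dst); not captured data.
SAMPLE_PACKETS = [
    ("10.0.0.5", "1.1.1.7"),      # inbound to the net  -> entry 10
    ("1.1.1.7", "10.0.0.5"),      # from the net        -> entry 20
    ("10.0.0.5", "8.8.8.8"),      # unrelated           -> entry 30
    ("1.1.1.9", "1.1.1.10"),      # intra-net: dst matches first -> entry 10
]


def capture_filter_net(packet, net):
    """libpcap-style 'net X' test: true if src or dst lies inside the prefix."""
    n = ipaddress.ip_network(net)
    src, dst = (ipaddress.ip_address(a) for a in packet)
    return src in n or dst in n


def evaluate_acl(acl, packets):
    """Apply acl in order (first match wins); return ({seq: hits}, permitted packets).

    Packets matching no entry fall to the implicit deny and are not counted."""
    entries = [(seq, ipaddress.ip_network(s), ipaddress.ip_network(d)) for seq, s, d in acl]
    hits = {seq: 0 for seq, _, _ in acl}
    permitted = []
    for src, dst in packets:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for seq, sn, dn in entries:
            if s in sn and d in dn:
                hits[seq] += 1
                permitted.append((src, dst))
                break
    return hits, permitted


def packets_kept_by_filter(packets, net):
    """Subset of packets Ethanalyzer's 'net <prefix>' filter should retain."""
    return [p for p in packets if capture_filter_net(p, net)]


if __name__ == "__main__":
    print(evaluate_acl(ACL_MYCAP, SAMPLE_PACKETS)[0])
    print(packets_kept_by_filter(SAMPLE_PACKETS, "1.1.1.0/24"))
```

Comparing the two results on a real trace shows the expected capture count (packets kept by the filter) next to the ACL counters, which makes it clear when the ACL is fine and the capture filter itself is what is misbehaving, as the bug reference above describes.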
Hi,
I have a customized Portal application which needs voice/video/authentication traffic to pass from an inside NATted server to outside...
Opening the required ports didn't help.
If I remove the access-list for the inside network it works....
Can someone help to give the capture commands .... so that I could capture the traffic and get the required ports....
Or some other means to get the required ports.....
Thanks
Hi
use this command
capture capture_name [access-list acl_id][buffer bytes] [ethernet-type type][interface name] [packet-length bytes]
to view
show capture [capture_name] [access-list acl_id] [detail] [dump]
For additional information check this link
http://www.cisco.com/en/US/docs/security/pix/pix62/command/reference/c.html#wpxref65943
HTH
Raj -
Hello,
I am trying to troubleshoot all traffic related to backend servers (behind CSS) from input and output interfaces of CSS, could anybody help my in capturing this kind of traffic? with support guide or commands?
Thanks,
Mo
You can use a CSS port as Span port. Connect a sniffer at that port and you will get the packets.
Command to use
setspan src_port number dest_port number copyBoth|copyTxOnly|copyRxOnly
More details at
http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.20/configuration/administration/guide/Intface.html#wp1099686
Syed Iftekhar Ahmed -
We cannot capture GPIB traffic using GPIB-USB-HS
We are trying to monitor a GPIB bus using the GPIB-USB-HS device. The version of MAX we have is v4.5 and the version of GPIB Analyze is v2.6. I have attached some screenshots that may aid in a resolution.
The first screenshot (GPIB Analyzer Error) shows the error that comes up when we start the GPIB Analyzer tool whether we have the GPIB-USB-HS plugged into the pc or not.
The second screenshot (Unknown GPIB+Card) shows that the Analyzer tool does not recognize the GPIB-USB-HS device and has disabled all of the controls/indicators.
The third screenshot (Instrument Not Found) shows that MAX indicates that it sees the GPIB-USB-HS device but has an error message in the bottom of the screen indicating that "Instruments not Found".
We are using NI Spy (version v2.6) to capture traffic and cannot see the traffic on a GPIB bus and are not sure what to do at this point. Please advise.
Thanks,
Steven
Attachments:
GPIB_Error.xls 109 KB
The first error really explains it well. The only supported cards for the GPIB Analyzer are the "+" series of cards. Obviously, you do not have one of those.
If an instrument is not found, then I would recommend that you try a different instrument and a different cable.
In the future, you would also want to post to the correct board. This does not have anything to do with the program called "Measure". -
Traffic Capture ISSUE!!!
I need to capture traffic on a voice vlan using wireshark. How do I get the switch to let me access that traffic without it putting my PC on the Data vlan? Right now the switch is configured to only let cisco phones access the voice vlan. I also have bpduguard enabled.
If you want the entire VLAN you won't get this information. If you just want the information for broadcast and unicast to the PC and phone, this should work without additional configuration.
If this is CUCM, you need to go to the phone webpage and enable "SPAN To PC Port" and then save and reset the phone. Settings->Device Settings->Ethernet Information->Span to PC port = true
Then it should work as described.
-nick -
ASR 9000 traffic capture - no monitor command
Hello,
unable to capture traffic on asr 9000 (5.1.3) - no 'monitor' command is available.
what software package needs to be installed and activated on the asr router to solve this problem?
thanks,
Piotr
Hello Ahmed,
You may want to have a look at below article. The below article has all the things which we require to check and configure the NETFLOW.
https://supportforums.cisco.com/document/113076/asr9000xr-netflow-architecture-and-overview
Below is from CCO suggesting limitations as well.
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/netflow/configuration/guide/b_netflow_cg42asr/b_netflow_cg42asr_chapter_00.html#con_1068018
HTH,
Nikhil -
Unable to allow traffic from remote office - Cisco RV220W
Hi there,
I have just bought the RV220W Cisco router firewall because my DLINK-1600 got broken and now I am unable to allow access to the machines located behind this router from the machines located at a remote office. Any help would be much appreciated!!
This is the situation:
1. Two remote offices A and B connected by a VPN tunnel (this connection is managed by an external provider and it is properly functioning)
2. IP range A office: 192.168.236.0/24
3. IP range B office: 192.168.237.0/24
4. Office A: CISCO RV220W router/firewall (the one that I've just bought as the old dlink has broken). This RV220W is connected to a cisco router (managed by provider) that is the one with the VPN tunnel to the other office. The CISCO router does not do NAT. On the other end (Office B) there is another CISCO router managed by the provider.
5. Everything was working smoothly until our old router/firewall got broken and that is when I bought the rv220w. I have set up the CISCO RV220W at office A and the machines can ping the machines located at office B and can browse the internet, i.e., the traffic going out is OK and in that sense everything works smoothly.
6. The problem is that the machines located at office B cannot access the machines located behind the CISCO RV220W and I know it is a problem of the firewall as if I capture traffic coming from office B, I can see that it is dropped by the CISCO RV220W.
7. I have tried to enable an access rule in the firewall to allow traffic from office B (see picture below) but it does not seem to work. In the field, Send to Local Server (DNAT IP) I have entered the WAN IP of my router (you cannot leave it blank) … this rule does not work at all. I think that is not properly configured but I don´t know how to do it.
8. As you see, the problem is that I don´t know how to set up a rule to allow specific traffic coming from the WAN (traffic from remote office – 192.168.237.0/24) to the LAN at office A - 192.168.236.0/24.
In the old router/firewall I just had to create a rule specifying the source interface (WAN) and network (Office B) and the destination interface (LANOfficeA) and network (Office A). It does not seem that here I can do the same. I mean, you always have to point to a server ip inside the LAN??
I know it has to be a very easy thing to do but at this moment I am completely stuck. If anyone can give me some advice it would be great.
Thanks a lot for your help in advance!
Eva
Hi Eva, the default inbound policy cannot be changed. It will block all inbound traffic. To my knowledge there is not a way around this. Access rules are the only way to 'poke' a hole through the firewall but as you note, it is for a specific host. Values such as .0 and .255 do not work.
-Tom
Please mark answered for helpful posts -
ASA 5505 9.1(2) NAT/return traffic problems
As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NAT'ing through the host workstation, then through the Cisco) but CAN NOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
I've stripped down the ASA config to the basics level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
Network is extremely basic:
DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
^
|----------------------- guest vlan (10.0.1.X)
show running-config:
Result of the command: "show running-config"
: Saved
ASA Version 9.1(2)
hostname border
domain-name mydomain.com
enable password aaa encrypted
passwd bbb encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Guest-VLAN
security-level 10
ip address 10.0.1.1 255.255.255.0
boot system disk0:/asa912-k8.bin
boot system disk0:/asa911-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.104.2.36
domain-name domain
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 255.255.255.0
object network Guest-WLAN
subnet 0.0.0.0 255.255.255.0
description Interent access for guest Wireless
object network xbox-nat-tcp3074
host 192.168.50.54
object network xbox-nat-udp3074
host 192.168.50.54
object network xbox-nat-udp88
host 192.168.50.54
object service xbox-live-88
service udp destination eq 88
object network xbox
host 192.168.50.54
object network obj-inside
subnet 192.168.50.0 255.255.255.0
object network obj-xbox
host 192.168.50.54
object network plex-server
host 192.168.50.5
object network ubuntu-server
host 192.168.50.5
description Ubuntu Linux Server
object network ntp
host 192.168.50.5
object network plex
host 192.168.50.5
object network INTERNET
subnet 0.0.0.0 0.0.0.0
object-group service xbox-live-3074 tcp-udp
port-object eq 3074
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service plex-server-32400 tcp
description Plex Media Server
port-object eq 32400
access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in remark Plex Live access
access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network xbox-nat-tcp3074
nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
nat (inside,outside) static interface service udp 88 88
object network plex
nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
nat (inside,outside) dynamic interface
nat (Guest-VLAN,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=border
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxx
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate xxxx
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 60
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside
dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
dhcpd lease 86400 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 152.19.240.5 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
username xxx password xxx/ encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [email protected]
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxx
: end
Hi,
Configuration seems fine.
With regards to the ICMP, you could also add this
class inspection_default
inspect icmp error
I would probably start by trying out some other software level on the ASA
Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA. And go through the information with Wireshark.
- Jouni -
Netflow not reporting Egress traffic on 6509 Vlan
Hi...
We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
VLAN 10 - Servers Vlan
VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
I configured the netflow source VLAN 11 although I am not collecting any netflow from it.
Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via TRANSIT/ASA VLAN(9) does not get reported, I even tested with 4 GB traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
I read somewhere that egress netflow is not supported in 6500, but isn't traffic originating from a user vlan to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)?
I would like to know whether bidirectional Netflow is supported on 6500 VLANS. I have minimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and Monitoring this Transit Vlan gives me extremely useful info.
I do get netflow bidirectional traffic from the Server Vlan 10, but I think it is correlated by the netflow collector from vlans 9 and 10
Below is a show run | inc flow
ip flow-cache timeout active 1
ip flow ingress layer2-switched vlan 9,10
mls netflow interface
mls flow ip interface-full
interface vlan 9
ip flow ingress
ip flow egress
interface vlan 10
ip flow ingress
ip flow egress
ip flow-export source vlan11
ip flow-export version 9
ip flow-export destination 10.10.10.10 2055
All help is appreciated.
Thanks
Hi,
So if I want to capture traffic out only one specific interface is there any option to do that in catalyst 6500.
If I made only that specific interface in another vlan and if under the interface vlan I give "ip flow ingress" will this capture the outgoing traffic through the interface while it is doing intervlan routing. Also is it a must to give an ip address in that vlan interface ? Please clarify. -
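Whether egress flows on the transit VLAN are actually being exported can be settled on the collector side rather than by reasoning about the switch: every NetFlow v9 record carries INPUT_SNMP (field 10) and OUTPUT_SNMP (field 14), so records whose output interface is VLAN 9's ifIndex are the egress flows the original question is missing. The added example below, which is not from the thread or from Cisco, decodes a v9 export packet (RFC 3954: header, template FlowSet, data FlowSet) and tallies flows by direction relative to one interface. The packet, the template layout and the assumption that VLAN 9 has ifIndex 9 are all constructed for the example.

```python
"""Decode NetFlow v9 export packets (RFC 3954) and classify flows by direction."""
import struct

# Field types used by the constructed template (RFC 3954 section 8).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 8: "src_addr",
               10: "input_snmp", 12: "dst_addr", 14: "output_snmp"}


def _decode_field(ftype, raw):
    if ftype in (8, 12):                        # IPv4 addresses
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Parse one export packet; return (header dict, list of flow dicts).

    templates maps template_id -> [(type, length)] and is updated in place, so a
    later data-only packet can be decoded with templates seen in an earlier one."""
    if templates is None:
        templates = {}
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    flows, pos = [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:                          # template FlowSet
            tpos = 0
            while tpos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[tpos:tpos + 4])
                tpos += 4
                if nfields == 0:                # padding, not a template
                    break
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[tpos:tpos + 4]))
                    tpos += 4
                templates[tid] = fields
        elif fs_id >= 256 and fs_id in templates:   # data FlowSet with known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            rpos = 0
            while rpos + rec_len <= len(body):  # trailing bytes < rec_len are padding
                rec, fpos = {}, rpos
                for ftype, flen in fields:
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = _decode_field(ftype, body[fpos:fpos + flen])
                    fpos += flen
                flows.append(rec)
                rpos += rec_len
        # fs_id 1 (options template) or an unknown template id: skip the FlowSet
        pos += fs_len
    return header, flows


def direction_summary(flows, ifindex):
    """Count flows that entered via ifindex (ingress) vs. left via it (egress)."""
    summary = {"ingress": 0, "egress": 0, "other": 0}
    for f in flows:
        if f.get("input_snmp") == ifindex:
            summary["ingress"] += 1
        elif f.get("output_snmp") == ifindex:
            summary["egress"] += 1
        else:
            summary["other"] += 1
    return summary


def _build_sample_packet():
    """Constructed v9 packet: one template (id 256) plus two data records."""
    fields = [(1, 4), (2, 4), (4, 1), (8, 4), (10, 2), (12, 4), (14, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(nbytes, npkts, proto, src, in_if, dst, out_if):
        return (struct.pack("!IIB", nbytes, npkts, proto) + bytes(map(int, src.split(".")))
                + struct.pack("!H", in_if) + bytes(map(int, dst.split(".")))
                + struct.pack("!H", out_if))

    # Assumed ifIndex 9 = transit VLAN 9, ifIndex 10 = server VLAN 10.
    records = (rec(1500, 10, 6, "10.10.9.5", 9, "172.16.1.1", 10)     # remote -> server
               + rec(800, 5, 17, "192.168.10.7", 10, "172.16.2.2", 9))  # server -> remote
    pad = b"\x00" * (-len(records) % 4)
    data_fs = struct.pack("!HH", 256, 4 + len(records) + len(pad)) + records + pad
    header = struct.pack("!HHIIII", 9, 3, 123456, 1385998800, 1, 0)
    return header + template_fs + data_fs


SAMPLE_PACKET = _build_sample_packet()

if __name__ == "__main__":
    hdr, flows = parse_netflow_v9(SAMPLE_PACKET)
    print(hdr, flows, direction_summary(flows, 9))
```

Point a UDP socket at port 2055 (the export destination in the post), pass each datagram to parse_netflow_v9 with a shared templates dict, and run direction_summary with VLAN 9's real ifIndex (from "show snmp mib ifmib ifindex"): an "egress" count that stays at zero while "ingress" climbs reproduces the symptom exactly and rules out the collector's correlation as the source of the VLAN 10 bidirectional records.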
Hi guys,
Couldn't really get into logic of bridge-domain and hsrp coexistence. How traffic will be flooded?
Imagine following topology:
Bridge-domain and hsrp is running between ASR1 and ASR2.
Host C has two network adapters. Both are in UP state, but only one of them is forwarding traffic.
I am curious, what path traffic will take from host A to host C and from B to C in situation when :
1) net.adapter #1 is active
2) net.adapter #2 is active
p.s. active router for hsrp remains the same.
We have captured traffic on the devices, and it was a bit confusing to me that standby hsrp router was forwarding traffic from host B out of g0/0/0/0 and pw 3
I would appreciate any help...
Okay, that really makes sense. Thank You very much for the explanation!
Yes, You are right, that's RNC.
Theoretically the MAC address should be flushed away from the memory when the switchover of the network card appears, because, the connection for some seconds goes down.
Could You please take a look at the following output:
As I understand, both ASR's do know where 0040.4384.8260 (This is RNC NPGEP mac address) is. So basically there should not be any flooding..
RP/0/RSP1/CPU0:ASR9k-1#sh l2vpn forwarding bridge-domain RNC:RNC3_TEST mac-address detail location 0/0/CPU0
Mon Dec 2 21:05:25.639 EET
Bridge-domain name: RNC:RNC3_TEST, id: 20, state: up
MAC learning: enabled
MAC port down flush: enabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 4000, Action: none, Notification: syslog
MAC limit reached: no
MAC Secure: disabled, Logging: disabled
DHCPv4 snooping: profile not known on this node
Dynamic ARP Inspection: disabled, Logging: disabled
IP Source Guard: disabled, Logging: disabled
IGMP snooping: disabled, flooding: enabled
Routed interface: BVI3, Xconnect id: 0x8000001f, state: up
IRB platform data: {0x14000a, 0x1, 0x0, 0x80000000}, len: 16
Bridge MTU: 1500 bytes
Number of bridge ports: 2
Number of MAC addresses: 2
Multi-spanning tree instance: 0
Mac Address: 0000.0c07.ac03, LC learned: N/A
Resync Age: N/A, Flag: static, BVI
Mac Address: 6c9c.ed0a.2e3d, LC learned: N/A
Resync Age: N/A, Flag: static, BVI
GigabitEthernet0/0/0/0, state: oper up
Number of MAC: 1
Statistics:
packets: received 48765801690, sent 309298266072
bytes: received 33416543382293, sent 54307173696538
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
Mac Address: 0040.4384.8260, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: local
Nbor 10.9.9.253 pw-id 3
Number of MAC: 1
Statistics:
packets: received 19771488146, sent 198111062527
bytes: received 10977874479587, sent 50825792902418
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
Mac Address: 6c9c.ed0a.9ced, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: global
L3 encapsulation Vlan: 2558
RP/0/RSP1/CPU0:ASR9k-2#sh l2vpn forwarding bridge-domain RNC:RNC3_TEST mac-address detail location 0/0/CPU0
Mon Dec 2 21:05:49.504 EET
Bridge-domain name: RNC:RNC3_TEST, id: 15, state: up
MAC learning: enabled
MAC port down flush: enabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 4000, Action: none, Notification: syslog
MAC limit reached: no
MAC Secure: disabled, Logging: disabled
DHCPv4 snooping: profile not known on this node
Dynamic ARP Inspection: disabled, Logging: disabled
IP Source Guard: disabled, Logging: disabled
IGMP snooping: disabled, flooding: enabled
Routed interface: BVI3, Xconnect id: 0x8000001a, state: up
IRB platform data: {0xf000a, 0x1, 0x0, 0x80000000}, len: 16
Bridge MTU: 1500 bytes
Number of bridge ports: 2
Number of MAC addresses: 3
Multi-spanning tree instance: 0
To Resynchronize MAC table from the Network Processors, use the command...
l2vpn resynchronize forwarding mac-address-table location
GigabitEthernet0/0/0/0, state: oper up
Number of MAC: 0
Statistics:
packets: received 782133119087, sent 620642426712
bytes: received 514958352902308, sent 107302134940298
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
Nbor 10.9.9.254 pw-id 3
Number of MAC: 3
Statistics:
packets: received 297905813562, sent 17722149746
bytes: received 68165206300571, sent 10642920750826
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
Mac Address: 0000.0c07.ac03, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: global
L3 encapsulation Vlan: 510
Mac Address: 0040.4384.8260, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: global
L3 encapsulation Vlan: 510
Mac Address: 6c9c.ed0a.2e3d, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: global
L3 encapsulation Vlan: 3582 -
Hi friends,
I have enabled capture on the IDSM data-port 1 (Gig0/7). Now, i want to use data port 2 (Gig 0/8) also to capture another segment.
A snippet of my current config is as follows:
ip access-list extended MATCHALL
permit ip any any
vlan access-map CAPTUREALL 10
match address MATCHALL
action forward capture
vlan-filter CAPTUREALL vlan-list x
intrusion-detection module 3 management-port access-vlan 5
intrusion-detection module 3 data-port 1 capture
intrusion-detection module 3 data-port 1 capture allowed-vlan 1-4094
intrusion-detection module 3 data-port 1 autostate include
intrusion-detection module 3 data-port 1 portfast enable
My question is:
If i enable data port 2, then how do i bind a VACL to data port 2 only?
Thanks a lot
Gautam
You can't bind a VACL to a particular data port.
You can only tell a capture port what vlans to monitor. The capture port will monitor all captured packets from those vlans regardless of what VACL was used to mark those packets as capture packets.
Your data-port 1 is already monitoring all 4094 vlans so there are no additional vlans that data-port 2 would need to capture packets for.
If your switch does routing then your configuration is correct. Even though the VACL is applied to a limited set of a vlan-list X, the packets marked for capture could wind up being routed to any vlan and so all vlans have to be monitored.
NOW you could add additional vlans to your existing vlan-list, or even create another VACL and apply it to a separate vlan list. BUT in either case your data-port 1 would already be configured for monitoring them.
If your switch is NOT doing routing (pretty rare these days), then you do have an alternative. You can change the "capture allowed-vlan" list for data-port 1 to be the same "vlan-list X" that your VACL is assigned to. Then you can create a new VACL and assign it to a list Y, and configure data-port 2 to be a capture port for allowed-vlan list Y.
But this really doesn't gain you a whole lot. You could just simply add vlan list Y to data-port 1 and still monitor everything with data-port 1.
Data-port 2 doesn't really gain you much as a 2nd capture port.
Where data-port 2 comes in handy is when you want to do a different type of monitoring.
Data-port 2 could be setup as a Span or Rspan destination port.
OR data-port 2 could be setup for InLine monitoring with InLine Vlan Pairs.
It is only when you need the second type of monitoring that you can really make use of data-port 2.
For capturing traffic on additional vlans you can just continue to use data-port 1.