Network World
Tuesday, November 18, 2008

Jamey Heary: Cisco Security Expert

VACL capture provides Cisco customers an unlimited number of SPAN ports

Have you run out of SPAN sessions on your Cisco switches? Are you treating them like gold because of their scarcity? If so, you should take a good look at VACL capture, a feature that gives you a virtually unlimited number of SPAN-like sessions.
VACL capture works on most of the newer Cisco switches, including the 6500, 4500, 4900, 3750E, 3750, 3560E and 3560. To find out whether your switch supports this feature, take a look at the Cisco Catalyst Switch Guide.

VACL stands for VLAN Access Control List. It operates like a typical port-based ACL, but instead of being enabled per port or per L3 interface it is enabled per VLAN. A VACL is an extended ACL that controls traffic entering or exiting a VLAN. The VACL capture feature adds the keyword capture to the end of an ACL entry. The capture keyword tells the switch to make a copy of any matching packet and send it to a configured capture destination port. Because a VACL controls traffic flow just like an ACL does, you must always configure a permit rule for the traffic that is not being captured. This deals with the implicit deny that exists at the end of every ACL. If you don't, you will capture and forward the traffic matched by your capture entry but deny all other, non-captured traffic in that VLAN, because of the implicit deny at the end of all ACLs.

Here is a simple configuration example to illustrate how this works:

1. Define the interesting traffic you want to be captured.

IOS(config)#ip access-list extended Capture_HTTPandUDP
IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
IOS(config-ext-nacl)#permit udp any any

2. Define a permit ACL that will allow all other traffic to flow in/out of the VLAN.

IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
IOS(config-ext-nacl)#permit ip any any

3. Define the VLAN access map, in this case called Capture_MAP.

IOS(config)#vlan access-map Capture_MAP 10
IOS(config-access-map)#match ip address Capture_HTTPandUDP
IOS(config-access-map)#action forward capture
IOS(config)#vlan access-map Capture_MAP 20
IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
IOS(config-access-map)#action forward

4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100.

IOS(config)#vlan filter Capture_MAP vlan-list 100

5. Configure the capture port. This is where captured traffic will be sent.

IOS(config)#int gig2/1
IOS(config-if)#switchport capture allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  remove  remove VLANs from the current list
IOS(config-if)#switchport capture allowed vlan 100
IOS(config-if)#switchport capture
!This enables the feature.
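To catch the implicit-deny mistake described above before it takes a VLAN down, here is an added example in Python (not code from the article or from Cisco) that parses a running-config fragment built from steps 1 to 5 and flags an applied access map whose last clause is not a plain forward of a permit-ip-any-any ACL, or capture VLANs that the capture port does not allow. The ACL names, access-map name and VLAN number are the article's; the config text is constructed here, and the parser and its two checks are this example's own assumptions.

```python
# Added example, not from the article or Cisco: lint the IOS config that steps 1-5
# produce for the implicit-deny pitfall and for VLANs missing on the capture port.
import re

def parse(text):
    acls, maps, filters, allowed, cur = {}, {}, {}, set(), None
    vlist = lambda s: set(s.replace(" ", "").split(","))  # '100,200' -> {'100','200'}, no ranges
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            cur = acls.setdefault(m[1], [])               # following permit/deny entries go here
        elif m := re.match(r"vlan access-map (\S+) (\d+)", line):
            cur = {"seq": int(m[2])}; maps.setdefault(m[1], []).append(cur)
        elif m := re.match(r"vlan filter (\S+) vlan-list (.+)", line):
            filters[m[1]] = vlist(m[2])                   # only maps actually applied to VLANs
        elif m := re.match(r"switchport capture allowed vlan (.+)", line):
            allowed |= vlist(m[1])
        elif isinstance(cur, list) and line.startswith(("permit", "deny")):
            cur.append(line)
        elif isinstance(cur, dict) and line.startswith(("match ", "action ")):
            k, _, v = line.partition(" "); cur[k] = v.split()[-1] if k == "match" else v
    return acls, maps, filters, allowed

def lint(text):
    acls, maps, filters, allowed = parse(text)
    out = []                                              # empty list means the config is consistent
    for name, vlans in filters.items():
        clauses = maps.get(name, [])
        last = max(clauses, key=lambda c: c["seq"], default={})
        if last.get("action") != "forward" or "permit ip any any" not in acls.get(last.get("match"), []):
            out.append(f"{name}: last clause is not forward-all; implicit deny drops uncaptured traffic")
        if any(c.get("action") == "forward capture" for c in clauses) and vlans - allowed:
            out.append(f"{name}: VLANs {sorted(vlans - allowed)} not allowed on the capture port")
    return out

# Constructed config mirroring the article's steps; BAD breaks step 2's catch-all ACL.
GOOD = """ip access-list extended Capture_HTTPandUDP
 permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
 permit udp any any
ip access-list extended Allow_ALL_TRAFFIC
 permit ip any any
vlan access-map Capture_MAP 10
 match ip address Capture_HTTPandUDP
 action forward capture
vlan access-map Capture_MAP 20
 match ip address Allow_ALL_TRAFFIC
 action forward
vlan filter Capture_MAP vlan-list 100
 switchport capture allowed vlan 100
 switchport capture"""
BAD = GOOD.replace(" permit ip any any", " permit tcp any any eq 443")
```

The linter does not verify that the switchport capture command itself is present on the destination port; it only checks the VLAN list and the access-map clauses.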

As you can see from the example config, VACL capture gives you more granularity over what you capture than SPAN traditionally has. It also gives you an unlimited number of capture sources and destinations. This should help you cut down on the external network taps and SPAN expanders that were necessary given the limited number of SPAN sessions on Cisco switches. Another thing to note is that VACL capture is done in hardware on many Cisco switches, so it won't affect performance.

For those that have switched from SPAN to VACL capture, do you have any insights to share with others?

For more information on VACL Capture see
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_e...
The opinions and information presented here are my personal views and not those of my employer.

Limitation of One VACL Per Protocol


The following should be mentioned:

"VACLs overcome the session limitation imposed on SPAN ports because they capture traffic that matches a specified flow. This traffic can be from multiple VLANS and defined with a high degree of granularity with respect to specifying the interesting traffic that you want to capture. VACLS, however, do have a limitation. You are allowed to have only one VACL per protocol. This means that you can have only one VACL defined for capturing IP traffic. This one VACL, however, can be applied to multiple VLANS."

Limitation mentioned is not accurate


Hi reader,
The limitation you mention is not accurate on recent switches. I'm not aware of this ever being a limitation, but it could have been a while back, I suppose. But on today's switches this limitation does not exist. You can have multiple VACLs on the switch. Here is a config snapshot taken from my lab showing 3 IP-based VACLs.

denlab-6509a#sh vlan access-m
Vlan access-map "vacl2" 10
match: ip address vacl2
action: forward capture
Vlan access-map "vacl2" 20
match: ip address all_traffic
action: forward
Vlan access-map "vacl1" 10
match: ip address vacl1
action: forward capture
Vlan access-map "vacl1" 20
match: ip address all_traffic
action: forward
Vlan access-map "VLAN-VACL-CAPTURE-MAP" 10
match: ip address VACL-CAPTURE-ALL
action: forward capture
denlab-6509a#

Don't forget, VACL capture only captures what goes INTO the VLAN


Because VACL capturing only supports traffic in the EGRESS direction when it's being routed between VLANs.

In other words, if you're applying a VACL between VLAN 207 and any other VLAN such as 200 (for example), when you apply the VACL capture feature to an L2 port assigned to VLAN 207, you'll only see captured traffic FROM VLAN 200 to VLAN 207. Never in the opposite direction.

Are you sure the VACL


Are you sure the VACL capture is available for the Catalyst 3750? I checked my C3750 (with the Advanced IP Services image) and it seems there is no support for VACL capture. My old C6509 (SUP2-MSFC2) supports it even with old (native IOS) software. Furthermore, you have posted a really useful article again. Thanks.

A sample VACL we set up on 6509 sup2-msfc2 running catos


We don't have any more of these, but we would capture a VLAN by name with a VACL on CatOS (non-E) versions of the 6509s with this syntax, which was different from the IOS VACL syntax.

1. set security acl ip int_dmz permit any any capture

(int_dmz being set as the acl name)

2. commit security acl int_dmz

(applying the acl to nvram)

3. set security acl map int_dmz 508

4. set security acl capture-ports 11/x

VACL on 3750, 3560, and 4500


As far as I can tell, there is no "switchport capture" command on the 3560, 3750, or 4500. Although the Cisco Catalyst Switch guide does indicate that VACL capture/logging is available on the 3560, 3750, and 4500, I don't see a way to do it. I thought it was because I was running regular IP Services, instead of Advanced IP Services, but as you indicate, it does not work on Advanced IP Services either. Does anyone know what code level you need for this?

About Jamey Heary

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
