Thursday, December 29, 2011

RSPAN capture with VACL redirect

This is a "new" instrumentation techinque on IOS that combines RSPAN and VACL, with the "redirect" feature coming into play.

! Create an extended ACL to match traffic that needs analysis
ip access-list extended traffic_to_analyze
permit tcp any any eq telnet
permit tcp any eq telnet any
! Create new RSPAN VLAN to copy traffic before we filter and capture
vlan 901
! Define traditional SPAN monitor sessions to mirror all traffic to RSPAN VLAN
Monitor session 3 source interface vlan 100 both
Monitor session 3 destination remote vlan 901
! specify SPAN session details - Gi1/24 here goes to an analyzer
monitor session 4 source vlan 901
monitor session 4 destination interface Gi1/24
! Define VLAN access map with action redirect which bypasses traditional L2 forwarding
vlan access-map filter1 10
match ip address traffic_to_analyze
action redirect Gi1/24
vlan filter filter1 vlan-list 901

That's it! You can take a deep breath and relax knowing fully well that all the action is occurring on a copy of the traffic (in VLAN 901 here).

Note that although that this feature is supported generally with 12.2SX releases, this example was tested under 12.2(33)SXH2a

No comments:

Post a Comment