This is a "new" instrumentation technique on IOS that combines RSPAN and VACL, with the "redirect" feature coming into play.
! Create an extended ACL to match traffic that needs analysis
ip access-list extended traffic_to_analyze
permit tcp any any eq telnet
permit tcp any eq telnet any
!
! Create new RSPAN VLAN to copy traffic before we filter and capture
vlan 901
remote-span
!
! Define traditional SPAN monitor sessions to mirror all traffic to RSPAN VLAN
monitor session 3 source interface vlan 100 both
monitor session 3 destination remote vlan 901
!
! Specify SPAN session details - Gi1/24 here goes to an analyzer
monitor session 4 source vlan 901
monitor session 4 destination interface Gi1/24
!
! Define VLAN access map with action redirect which bypasses traditional L2 forwarding
vlan access-map filter1 10
match ip address traffic_to_analyze
action redirect Gi1/24
!
! Apply VACL to RSPAN VLAN
vlan filter filter1 vlan-list 901
!
That's it! You can take a deep breath and relax knowing fully well that all the action is occurring on a copy of the traffic (in VLAN 901 here).
Note that although this feature is generally supported in 12.2SX releases, this example was tested under 12.2(33)SXH2a.
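The safety of this setup rests on the VACL being applied to the RSPAN copy rather than to a production VLAN. As an added example (not part of the original post), here is a small Python checker that parses a snippet in the form above and flags the mistakes that would break that chain: a filtered VLAN that is not declared remote-span, a filtered VLAN that no monitor session feeds, or an access-map matching an undefined ACL. The sample configuration is constructed from the post; single-VLAN vlan-list arguments are assumed.

```python
import re

# Constructed sample: the post's configuration with the ! comment lines removed.
SAMPLE_CONFIG = """\
ip access-list extended traffic_to_analyze
 permit tcp any any eq telnet
vlan 901
 remote-span
monitor session 3 source interface vlan 100 both
monitor session 3 destination remote vlan 901
monitor session 4 source vlan 901
monitor session 4 destination interface Gi1/24
vlan access-map filter1 10
 match ip address traffic_to_analyze
 action redirect Gi1/24
vlan filter filter1 vlan-list 901
"""

def check_rspan_vacl_chain(config):
    """Return a list of problems; empty means the chain is consistent (single-VLAN vlan-list assumed)."""
    acls, rspan_vlans, fed_vlans = set(), set(), set()
    maps, filters, cur_vlan, cur_map = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"ip access-list extended (\S+)$", line):
            acls.add(m[1])
        elif m := re.match(r"vlan (\d+)$", line):
            cur_vlan = m[1]  # entering 'vlan NNN' config mode
        elif line == "remote-span" and cur_vlan:
            rspan_vlans.add(cur_vlan)
        elif m := re.match(r"monitor session \d+ destination remote vlan (\d+)$", line):
            fed_vlans.add(m[1])  # an RSPAN VLAN some session copies traffic into
        elif m := re.match(r"vlan access-map (\S+) \d+$", line):
            cur_map = maps.setdefault(m[1], {})
        elif (m := re.match(r"match ip address (\S+)$", line)) and cur_map is not None:
            cur_map["acl"] = m[1]
        elif m := re.match(r"vlan filter (\S+) vlan-list (\d+)$", line):
            filters[m[1]] = m[2]
    problems = []
    for name, vlan in filters.items():
        entry = maps.get(name, {})  # an undefined map shows up as a missing ACL below
        if vlan not in rspan_vlans:  # the VACL must act on the copy, never on live traffic
            problems.append(f"VLAN {vlan} is filtered but not remote-span: VACL would hit production traffic")
        if vlan not in fed_vlans:
            problems.append(f"VLAN {vlan} is filtered but no monitor session copies traffic into it")
        if entry.get("acl") not in acls:
            problems.append(f"access-map {name} does not match a defined ACL")
    return problems
```

Running it against a config where the filter was accidentally applied to VLAN 100 instead of 901 reports both the missing remote-span declaration and the missing feeding session.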
Thursday, December 29, 2011