Using VACL instead of monitor session.

Unanswered Question
Jun 17th, 2009
I just want to capture 4 vlans. I want to capture all the traffic on those vlans. Since I can only have two span sources I thought I would look into VACLs. I can't seem to make sense of the documentation. Will I not see all the traffic on the vlan?


Anyhow I have this all typed up. Will this work?


1. Define interesting traffic.

ip access-list extended vlan_11
permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended vlan_12
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended vlan_13
permit ip 192.168.13.0 0.0.0.255 any
ip access-list extended vlan_14
permit ip 192.168.14.0 0.0.0.255 any

2. All other traffic.

ip access-list extended all_traffic
permit ip any any

3. Vlan access maps.

vlan access-map vlan_11_map 10
match ip address vlan_11
action forward capture
vlan access-map vlan_11_map 20
match ip address all_traffic
action forward
vlan access-map vlan_12_map 10
match ip address vlan_12
action forward capture
vlan access-map vlan_12_map 20
match ip address all_traffic
action forward
vlan access-map vlan_13_map 10
match ip address vlan_13
action forward capture
vlan access-map vlan_13_map 20
match ip address all_traffic
action forward
vlan access-map vlan_14_map 10
match ip address vlan_14
action forward capture
vlan access-map vlan_14_map 20
match ip address all_traffic
action forward

4. Apply the vlan access map to the VLAN.

vlan filter vlan_11_map vlan 11
vlan filter vlan_12_map vlan 12
vlan filter vlan_13_map vlan 13
vlan filter vlan_14_map vlan 14

5. Configure capture ports.

int g9/7
switchport capture allowed vlan 11
switchport capture
int g9/8
switchport capture allowed vlan 12
switchport capture
int g9/9
switchport capture allowed vlan 13
switchport capture
int g9/10
switchport capture allowed vlan 14
switchport capture



BTW there is a really nice tool called NER ("Network Exchanges Reporter"). It is super easy to get working and does application performance monitoring as well as alerts. That is why I need to monitor multiple vlans: I want to see how fast/slow our servers are working.


Thanks,

Joe

Collin Clark Wed, 06/17/2009 - 13:09

Joe-


Even though the switch limits the number of SPANs, a single SPAN can source multiple VLANs.


monitor session 1 source vlan 1 - 4 both


What platform of switch are you using?

jbarger Wed, 06/17/2009 - 14:13
I have a 6509 but I am using a Linux server to do the monitoring. I wanted the traffic split across multiple network cards since one vlan will occasionally have over 600Mbps on it.

bofawcett Wed, 06/17/2009 - 14:42
Your config looks ok. You still may not capture all the traffic. Here is why. When you capture with a VACL or a SPAN you usually capture both directions, Rx and Tx. Gigabit is full duplex. You can send and receive 1Gbps at the same time. Usually you don't, but now you are trying to send all of that out a 1Gbps port. If you have more than 1Gbps total you will drop packets. So if you are sending 500Mbps and receiving 523Mbps, you will drop 23Mbps worth of packets. Also, if your capture port has flow control on, your Linux box may try to throttle some more of it. It may not be capable of receiving it all anyway.

jbarger Wed, 06/17/2009 - 15:34
Oh yeah, no problem there, I have ~20Mbps per vlan on average, so I just want to make it easy on the recorder to separate traffic. So as long as I see most of the traffic I will get some good statistics.


I will double check my configuration with my peers and give it a shot.


Just in case others are interested in Application Performance Monitoring...


The NER program is designed such that 1 interface can easily represent 1 vlan. When selecting a report, select the named interface you want the report from. So I named the interface vlan12.


Here is what a capture looks like for response time on vlan 12 for the file server. Should give you something to laugh about :) I just want to add the other 3 server vlans to the NER server. I configured alerts for 15ms and every 15 minutes and got 2 emails for the 2 high marks on the graph. NER setup time for 1 vlan is about an hour if you have a Linux box ready...


There are quite a few reports, it can also filter on protocol and bandwidth to name a couple.




jbarger Tue, 06/23/2009 - 07:38
I put the following on my switch to capture traffic on vlan 11 and I don't see any routed traffic to and from vlan 11. What am I missing?


ip access-list extended vlan_11
permit ip 192.168.11.0 0.0.0.255 any

ip access-list extended all_traffic
permit ip any any

vlan access-map vlan_11_map 10
match ip address vlan_11
action forward capture
vlan access-map vlan_11_map 20
match ip address all_traffic
action forward

vlan filter vlan_11_map vlan 11

int g9/7
switchport capture allowed vlan 11
switchport capture


Thanks,

Joe

jbarger Tue, 06/23/2009 - 08:02
Found in the ciscowiki - K96565950


If you want to capture the traffic from one VLAN that goes to many VLANs, the capture port has to be a trunk that carries all the output VLANs because VACL capture cannot send traffic to an interface when a VACL has been applied to several VLANs.


Bleh, most of my vlans are remote networks on the other side of routed links. Going to have to think about this for a bit or get some fiber taps.
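As an added example (not from the thread, Cisco, or the ciscowiki), a small Python checker for the kind of VACL capture config posted in the first post and in the vlan 11 follow-up: it flags the original post's "host any" ACE, a capture map with no catch-all forward clause, a match on an undefined ACL, and a capture port restricted to a single VLAN, which is the condition the ciscowiki note explains. The sample config and the lint function are constructed here.

```python
import re

# Constructed sample (not a real running config), mirroring the thread's VACL capture set-up
SAMPLE_CONFIG = """ip access-list extended vlan_11
permit ip 192.168.11.0 0.0.0.255 host any
ip access-list extended all_traffic
permit ip any any
vlan access-map vlan_11_map 10
match ip address vlan_11
action forward capture
vlan access-map vlan_11_map 20
match ip address all_traffic
action forward
vlan filter vlan_11_map vlan 11
int g9/7
switchport capture allowed vlan 11
switchport capture"""

def lint_vacl_capture(config):
    """Return findings for the VACL-capture pitfalls discussed in the thread."""
    findings, acls, maps, cap_vlans, cur_map = [], set(), {}, [], None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            acls.add(m[1])
        elif line.startswith(("permit ", "deny ")) and " host any" in line:
            # 'host' expects one address; 'any' is already the wildcard
            findings.append(f"invalid ACE '{line}': write 'any' without 'host'")
        elif m := re.match(r"vlan access-map (\S+) \d+", line):
            cur_map = maps.setdefault(m[1], [])
        elif m := re.match(r"match ip address (\S+)", line):
            if m[1] not in acls:
                findings.append(f"access-map references undefined ACL '{m[1]}'")
        elif m := re.match(r"action (.+)", line):
            cur_map.append(m[1])
        elif m := re.match(r"switchport capture allowed vlan (\S+)", line):
            cap_vlans.append(m[1])
    for name, actions in maps.items():
        # A VACL drops what no clause forwards, so a capture map needs a catch-all forward
        if "forward" not in actions:
            findings.append(f"{name}: no catch-all 'action forward'; unmatched traffic is dropped")
    # Traffic routed out of the VLAN is captured on its output VLAN, so a capture port
    # that allows a single VLAN never sees it (the ciscowiki point in the thread)
    for v in cap_vlans:
        if v != "all" and not re.search(r"[,-]", v):
            findings.append(f"capture port allows only VLAN {v}: traffic routed to other VLANs "
                            "will not be seen; the port must be a trunk carrying those VLANs")
    return findings
```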
