06-17-2009 09:19 AM - edited 03-06-2019 06:19 AM
I just want to capture 4 vlans. I want to capture all the traffic on those vlans. Since I can only have two span sources I thought I would look into VACLs. I can't seem to make sense of the documentation. Will I not see all the traffic on the vlan?
Anyhow I have this all typed up. Will this work?
1. Define interesting traffic.
! "host any" is not valid ACE syntax: the destination keyword is simply "any"
ip access-list extended vlan_11
permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended vlan_12
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended vlan_13
permit ip 192.168.13.0 0.0.0.255 any
ip access-list extended vlan_14
permit ip 192.168.14.0 0.0.0.255 any
2. all other traffic.
ip access-list extended all_traffic
permit ip any any
3. Vlan access maps.
vlan access-map vlan_11_map 10
match ip address vlan_11
action forward capture
vlan access-map vlan_11_map 20
match ip address all_traffic
action forward
vlan access-map vlan_12_map 10
match ip address vlan_12
action forward capture
vlan access-map vlan_12_map 20
match ip address all_traffic
action forward
vlan access-map vlan_13_map 10
match ip address vlan_13
action forward capture
vlan access-map vlan_13_map 20
match ip address all_traffic
action forward
vlan access-map vlan_14_map 10
match ip address vlan_14
action forward capture
vlan access-map vlan_14_map 20
match ip address all_traffic
action forward
4. Apply the vlan access map to VLAN.
vlan filter vlan_11_map vlan 11
vlan filter vlan_12_map vlan 12
vlan filter vlan_13_map vlan 13
vlan filter vlan_14_map vlan 14
5. Configure capture port.
int g9/7
switchport capture allowed vlan 11
switchport capture
int g9/8
switchport capture allowed vlan 12
switchport capture
int g9/9
switchport capture allowed vlan 13
switchport capture
int g9/10
switchport capture allowed vlan 14
switchport capture
BTW there is a really nice tool called NER ("Network Exchanges Reporter"). Super easy to get working and does application performance monitoring as well as alerts. That is why I need to monitor multiple vlans, I want to see how fast/slow our servers are working.
Thanks,
Joe
06-17-2009 01:09 PM
Joe-
Even though the switch limits the number of SPANs, a single SPAN can source multiple VLANs.
monitor session 1 source vlan 1 - 4 both
What platform of switch are you using?
06-17-2009 02:13 PM
I have a 6509 but I am using a Linux server to do the monitoring, I wanted the traffic across multiple network cards since one vlan will occasionally have over 600 Mbps on it.
06-17-2009 02:42 PM
Your config looks ok. You still may not capture all the traffic. Here is why. When you capture with a VACL or a SPAN you usually capture both directions, Rx and Tx. Gigabit is full duplex. You can send and receive 1 Gbps at the same time. Usually you don't, but now you are trying to send all of that out a 1 Gbps port. If you have more than 1 Gbps total you will drop packets. So if you are sending 500 Mbps and receiving 523 Mbps, you will drop 23 Mbps worth of packets. Also, if your capture port has flow control on, your Linux box may try to throttle some more of it. It may not be capable of receiving it all anyway.
06-17-2009 03:34 PM
Oh yeah, no problem there, I have ~20 Mbps per vlan average so I just want to make it easy on the recorder to separate traffic. So as long as I see most of the traffic I will get some good statistics.
I will double check my configuration with my peers and give it a shot.
Just in case others are interested in Application Performance Monitoring...
The NER program is designed such that 1 interface can easily represent 1 vlan. When selecting a report select the named interface you want the report from. So I named the interface vlan12.
Here is what a capture looks like for response time on vlan 12 for the file server. Should give you something to laugh about :) I just want to add the other 3 server vlans to the NER server. I configured alerts for 15ms and every 15 minutes and got 2 emails for the 2 high marks on the graph. NER setup time for 1 vlan is about an hour if you have a Linux box ready...
There are quite a few reports, it can also filter on protocol and bandwidth to name a couple.
06-23-2009 07:38 AM
I put the following on my switch to capture traffic on vlan 11 and I don't see any routed traffic to and from vlan 11. What am I missing?
ip access-list extended vlan_11
permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended all_traffic
permit ip any any
vlan access-map vlan_11_map 10
match ip address vlan_11
action forward capture
vlan access-map vlan_11_map 20
match ip address all_traffic
action forward
vlan filter vlan_11_map vlan 11
int g9/7
switchport capture allowed vlan 11
switchport capture
Thanks,
Joe
06-23-2009 08:02 AM
Found in the ciscowiki - K96565950
If you want to capture the traffic from one VLAN that goes to many VLANs, the capture port has to be a trunk that carries all the output VLANs because VACL capture cannot send traffic to an interface when a VACL has been applied to several VLANs.
Bleh, most of my VLANs are remote networks on the other side of routed links. Going to have to think about this for a bit or get some fiber taps.
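To make the wiki entry concrete against Joe's 06-23-2009 config, here is a small Python model of the behaviour this thread describes (an added example, not Cisco code or anything from the forum): the access-map on the VLAN a packet enters decides whether it is copied, and the capture port only transmits copies whose output VLAN is in its "switchport capture allowed vlan" list. The ACL matching, the class names and the sample addresses are my own constructions; it models only the ingress-VLAN VACL, not the VACL on the egress VLAN.

```python
"""Model of the VACL-capture behaviour this thread describes (constructed example,
not Cisco code): the access-map on the ingress VLAN decides whether a packet is
copied, and the capture port only transmits copies whose *output* VLAN is allowed."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' as network/wildcard

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(network) & care)

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: tuple   # (network, wildcard)
    dst: tuple

def acl_action(acl, src_ip, dst_ip):
    """Action of the first matching ACE; None is the implicit deny at the end."""
    for ace in acl:
        if wildcard_match(src_ip, *ace.src) and wildcard_match(dst_ip, *ace.dst):
            return ace.action
    return None

@dataclass
class Switch:
    vlan_filter: dict      # vlan id -> access-map as [(acl, capture?), ...]
    capture_allowed: dict  # capture port -> set of VLAN ids it may transmit

    def capture_ports(self, in_vlan, out_vlan, src_ip, dst_ip):
        """Ports that emit a copy of a packet entering in_vlan, leaving on out_vlan."""
        for acl, capture in self.vlan_filter.get(in_vlan, []):
            if acl_action(acl, src_ip, dst_ip) == "permit":  # sequence matches
                if not capture:
                    return set()
                # The copy is tagged with the output VLAN, so a capture port
                # allowing only VLAN 11 never sees traffic routed out of it.
                return {p for p, ok in self.capture_allowed.items() if out_vlan in ok}
        return set()  # no sequence matched: the VACL drops it, nothing to copy

# Joe's 06-23-2009 configuration, transcribed into the model.
VLAN_11 = [Ace("permit", ("192.168.11.0", "0.0.0.255"), ANY)]
ALL_TRAFFIC = [Ace("permit", ANY, ANY)]
ACCESS_MAP = [(VLAN_11, True), (ALL_TRAFFIC, False)]
JOE = Switch({11: ACCESS_MAP}, {"g9/7": {11}})
# Same VACL with the capture port trunking every output VLAN, as the wiki advises.
TRUNKED = Switch({11: ACCESS_MAP}, {"g9/7": {11, 12, 13, 14}})
```

With JOE, a packet from 192.168.11.5 to 192.168.11.9 (in and out on VLAN 11) is copied to g9/7, but the same host talking to 192.168.12.9 leaves on VLAN 12 and is not; with TRUNKED both are copied.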