cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10798
Views
5
Helpful
3
Comments
amacuz
Level 1
Level 1

 

 

Introduction

The purpose of this document is to explain quickly how to capture packets on the trunk between the ACE ad the Catalyst hosting the module.

 

This one of the most used procedures used by TAC to troubleshoot what enters and exits the module.

 

Traffic should be captured from the backplane port connecting to the ACE module. Ideally, the captured traffic should be sent to a port configured as trunk to ensure VLAN tags are preserved. Note that some network adapters or drivers strip the VLAN tag before sending it to the capture application.

 

The sniff can be done by filtering just the vlan of interest. This way we just keep off the capture the intra VLAN traffic that does not travere the ACE module and in whch we are not interested.

 

Packet Capture Limitations

 

When using a capture application, the following settings can limit the amount of storage required to capture the traffic:

 

  • Limit the capture packet length
  • Use a fixed capture file size
  • Rotate between a number of capture files

 

Configure Packet Capture

The few steps are: 

  • 1) to identify the source of  the sniffing, meaning the ACE and its slot. Let's say the ACE module is settled in the slot 5;
  • 2) to identify the destination of  the sniffing wher the sniffing device is connected, let's say Ge 7/29; the port will have precise settings to preserve the VLAN settings, i.e. it will be a trunk;
    This is a MUST when doing a sniff in a bridge-mode environment if the IP addresses do not change in traversing the ACE;
  • 3) to identify the VLAN of interest, let's say VLAN 100 and 200. (optional)

 

Router(config)#monitor session 1 source interface TenGigabitEthernet 5/1 both
Router(config)#monitor session 1 destination interface GigabitEthernet 7/29
Router(config)#monitor session 1 filter vlan 100,200  <<<< (optional)

 

Configure the destination port as a trunk port so that the VLAN IDs will be preserved:

 

Router(config)#interface GigabitEthernet7/29
Router(config-if)#switchport
Router(config-if)#switchport trunk encapsulation dot1q
Router(config-if)#switchport mode trunk
Router(config-if)#switchport nonegotiate

 

NOTE: When connecting to GigabitEthernet 7/29 be sure to use a network  capture device that can monitor VLAN tagging (a trunked port).

 

In this way, VLAN tags will be preserved, and we will be able to clearly  see which VLAN a packet arrived on, and which VLAN it exited on.

 

The following links are useful to preserve the VLAN tags for different operating systems:

 

http://wiki.wireshark.org/CaptureSetup/VLAN

 

The number of files to rotate the captures depends on the amount of storage available.

 

 

An alternative method of limiting the captured traffic is to use VACLs or VLAN ACLs. An IP access-list can be used to specify traffic to capture.

 

ip access-list extended ALL_TRAFFIC

permit ip any any

 

ip access-list extended CAPTURE-HTTP

permit tcp any any eq www

 

vlan access-map HTTP_MAP 10

match ip address CAPTURE-HTTP

action forward capture

 

vlan access-map HTTP_MAP 20

match ip address ALL_TRAFFIC

action forward

 

vlan filter HTTP_MAP vlan-list 803-804

 

interface FastEthernet8/10

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

switchport capture

switchport capture allowed vlan 803,804

no ip address

 

 

NOTE 1: Please note that on the packet trace tool (WireShark, Ethereal, SnifferPro) the frame snap size should be set to unlimited otherwise,  only the first 68 bytes of each frame may be captured.

 

NOTE 2: The monitor session will span the entire packet and hence the throughput of each VLAN you filter will be summed up to the bandwidth available on the destination port.

 

SPAN

Local SPAN, RSPAN, and ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports. A local SPAN session is an association of source ports and source VLANs with one or more destination ports. You configure a local SPAN session on a single switch. Local SPAN does not have separate source and destination sessions. RSPAN supports source ports, source VLANs, and destination ports on different switches, which provides remote monitoring of multiple switches across your network. RSPAN consists of an RSPAN source session, an RSPAN VLAN, and an RSPAN destination session. ERSPAN supports source ports, source VLANs, and destination ports on different switches, which provides remote monitoring of multiple switches across your network. ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session.

 

More info regarding the configuring the SPAN:

 

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html

 

Intel cards:
http://www.intel.com/support/network/sb/CS-005897.htm

 

Related Information

Load Balance Multiple Networks on ACE Sharing a Common VLAN
Insert WWW in the URL of client request using ACE

Comments
Surya ARBY
Level 4
Level 4

Hello.

on some platforms there is the "monitor session 1 destination interface GigabitEthernet xx/yy encapsulation replicate" option. Is it mandatory to configure the destination port as an explicit 802.1q trunk ?

amacuz
Level 1
Level 1

Hi Surya,

on the 6500 is mandatory since on that platform I'm not aware of the option you mentioned.

The options above in the document make sure we are able in the captures to access the vlan identification used on the trunk between the ACE and the Catalyst.

The "encapsulation replicate" should replicate all kind of tags included ISL tags and available on lower platform than 6500.

As long as the option "encapsulation dot1q" is available and used on the destination port is available, this should preserve the VLAN tags.

I hope this answers your question.

Alessandro

Marvin Rhoads
Hall of Fame
Hall of Fame

Thanks, Alessandro, for this useful write up.

We were scratching our heads over how to effectively span ACE traffic befroe finding this. I had forgotten that the ACE module actually has an internal 10 Gbps port on the Catalyst chassis.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: