06-01-2009 03:23 AM - edited 03-06-2019 06:01 AM
Hi all,
I have attached a diagram of my setup, in which the Cat6500 Supervisor Engine, the Internet router and the provider edge (PE) router are in vlan-2. All devices form OSPF neighbor relationships with each other, and both routers are directly connected to the Cat6500.
I want to capture traffic that comes from the Internet, passes through the Cat6500 and goes towards 10.1.1.0/24, which is connected to the PE router; the rest of the traffic should only be forwarded. For this I have set up the Anomaly Detector, which will monitor the traffic. I suggested the following configuration to capture the traffic:
Sup (config)# ip access-list extended ACL-1
Sup (config-ext-nacl)# permit ip any 10.1.1.0 0.0.0.255
Sup (config)# anomaly-detector module 7 data-port 1 capture
Sup (config)# anomaly-detector module 7 data-port 1 capture allowed-vlan 2
Sup (config-ext-vacl)# vlan access-map Detector_capture 10
Sup (config-ext-vacl)# match ip address ACL-1
Sup (config-ext-vacl)# action forward capture
Sup (config-ext-vacl)# vlan access-map Detector_capture 20
Sup (config-ext-vacl)# action forward
Sup (config-ext-vacl)# exit
Sup (config)# vlan filter Detector_capture vlan-list 2
Will this configuration work correctly according to my query?
Please provide me feedback.
06-05-2009 06:33 AM
You must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module. The Detector module analyses the network traffic passing through it and monitors it for evolving attack patterns.
To verify the Detector module configuration on the supervisor engine, type the following command at the supervisor engine prompt:
show anomaly-detector module slot_number {management-port | data-port port_number} [state | traffic]
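Added example, not part of the original posts: a small Python model of how the Detector_capture access map in the question classifies packets by destination address, showing which traffic gets the capture action and is copied to the Detector module. The function names and sample destinations are constructed for illustration, and the implicit deny at the end of the map is a modelling assumption based on standard VACL behaviour.

```python
import ipaddress

# ACL-1 from the question: permit ip any 10.1.1.0 0.0.0.255
ACL_1 = [("permit", "10.1.1.0", "0.0.0.255")]

# Access map Detector_capture from the question: (sequence, ACL or None, action)
DETECTOR_CAPTURE = [
    (10, ACL_1, "forward capture"),
    (20, None, "forward"),  # no match clause: matches every packet
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 1 bits are ignored, 0 bits must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, dst):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for verdict, base, wildcard in acl:
        if wildcard_match(dst, base, wildcard):
            return verdict == "permit"
    return False

def vacl_action(access_map, dst):
    """Return (sequence, action) of the first map entry that matches dst."""
    for seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, dst):
            return seq, action
    return None, "drop"  # assumption: nothing matched, implicit deny applies

def captured(access_map, dst):
    """True when the matching entry carries the capture keyword."""
    return "capture" in vacl_action(access_map, dst)[1].split()

# Constructed sample destination addresses
SAMPLE_DSTS = ["10.1.1.25", "10.1.1.255", "10.1.2.25", "192.0.2.10"]

if __name__ == "__main__":
    for dst in SAMPLE_DSTS:
        seq, action = vacl_action(DETECTOR_CAPTURE, dst)
        print(f"dst {dst:<12} -> sequence {seq}: {action}")
```

Evaluating the map without sequence 20 (`DETECTOR_CAPTURE[:1]`) shows every destination outside 10.1.1.0/24 falling through to the drop result, which is why the catch-all forward entry matters on a VLAN that also carries the OSPF adjacencies.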