Capture pass-through traffic using VACL

kamranhanif
Level 1

Hi all,

Here I attach the diagram that demonstrates my setup, in which the Cat6500 Supervisor Engine, the Internet router and the provider edge (PE) router are in VLAN 2. All devices form OSPF neighbor relationships with each other, and both routers are directly connected to the Cat6500.

I want to capture traffic coming from the Internet that passes through the Cat6500 towards 10.1.1.0/24, which is connected to the PE router, and forward the rest of the traffic only. For this I have set up an Anomaly Detector that will monitor the traffic. I suggested the following configuration to capture the traffic:

Sup(config)# ip access-list extended ACL-1
Sup(config-ext-nacl)# permit ip any 10.1.1.0 0.0.0.255
Sup(config)# anomaly-detector module 7 data-port 1 capture
Sup(config)# anomaly-detector module 7 data-port 1 capture allowed-vlan 2
Sup(config)# vlan access-map Detector_capture 10
Sup(config-access-map)# match ip address ACL-1
Sup(config-access-map)# action forward capture
Sup(config-access-map)# vlan access-map Detector_capture 20
Sup(config-access-map)# action forward
Sup(config-access-map)# exit
Sup(config)# vlan filter Detector_capture vlan-list 2

Will this configuration work correctly according to my query?

Please provide me feedback.
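A small model of how the supervisor evaluates the access map posted above, as an added example that is not part of the original post. It assumes standard VACL semantics (the first sequence whose match clause hits decides the action, a sequence with no match clause matches everything, and an unmatched packet is dropped) and uses constructed sample packets.

```python
import ipaddress

# Constructed model of the VACL logic in the question, used to sanity-check
# which frames in VLAN 2 would be copied to the Detector data port.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_1(pkt: dict) -> bool:
    # ACL-1: permit ip any 10.1.1.0 0.0.0.255  (matches on destination only)
    return wildcard_match(pkt["dst"], "10.1.1.0", "0.0.0.255")

# vlan access-map Detector_capture: sequence 10 matches ACL-1 and forwards plus
# captures; sequence 20 has no match clause, so it forwards everything else.
ACCESS_MAP = [
    (10, acl_1, ("forward", "capture")),
    (20, None, ("forward",)),
]

def evaluate(pkt: dict):
    """Return (sequence, actions) for the first matching access-map entry."""
    for seq, match, actions in ACCESS_MAP:
        if match is None or match(pkt):
            return seq, actions
    return None, ("drop",)  # implicit deny at the end of a VACL

def captured(pkt: dict) -> bool:
    return "capture" in evaluate(pkt)[1]

# Constructed sample traffic seen on VLAN 2 (documentation address ranges).
SAMPLE_PACKETS = [
    {"name": "internet -> protected zone", "src": "203.0.113.10", "dst": "10.1.1.25"},
    {"name": "protected zone -> internet", "src": "10.1.1.25", "dst": "203.0.113.10"},
    {"name": "OSPF hello between routers", "src": "192.0.2.1", "dst": "224.0.0.5"},
    {"name": "traffic to another subnet", "src": "198.51.100.7", "dst": "10.1.2.9"},
]

def summarize() -> dict:
    return {p["name"]: evaluate(p) for p in SAMPLE_PACKETS}

if __name__ == "__main__":
    for name, (seq, actions) in summarize().items():
        print(f"{name:28s} seq {seq}: {' '.join(actions)}")
```

The second sample packet shows the point worth checking before relying on the Detector's view: ACL-1 matches on destination only, so replies from 10.1.1.0/24 fall through to sequence 20 and are forwarded without a copy going to the module.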

1 Reply

aghaznavi
Level 5

You must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module. The Detector module analyses the network traffic passing through it and monitors it for evolving attack patterns.

To verify the Detector module configuration on the supervisor engine, type the following command at the supervisor engine prompt:

show anomaly-detector module slot_number {management-port | data-port port_number} [state | traffic]
