topic VACL - Asynchronous Data Capture? in Network Security

VACL - Asynchronous Data Capture?

rm2017 — Sun, 10 Mar 2019 09:31:05 GMT

What is the best way to configure a VACL for packet capture on a pair of switches running HSRP for a respective VLAN? If you have the same VACL on both switches and a capture port on each connected to a different monitoring port on a Cisco IPS Appliance, isn't it possible for the Sensor not to see the whole traffic flow? Would the sensor would view such flows as dropped packets?

Re: VACL - Asynchronous Data Capture?

marcabal — Tue, 28 Jun 2005 21:44:37 GMT

If you use an appliance like a IPS-4240 or IPS-4255 that have more than one sniffing interface then you can connect one interface to the first switch, and connect a second interface to the second switch.

Configure the sensor to monitor both of the interfaces.

Configure each switch to span or VACL Capture the desired traffic to the port connected to the sensor.

The single sensor will recieve packets from both switches, and monitor the traffic from both the switches.

So long as both the client and server traffic flows through one switch or the other or even client and one and server on the other you will be fine. Assuming your VACL has also been configured to capture both the client and server traffic, or your span will span both tx and rx traffic.

The sensor will combine the packets from the 1st switch (1st port) and the packets from the 2nd switch (2nd port) and treat the packets as if they are on the same network.

So if incoming client packets are on switch 1, and outgoing server packets are on switch 2; it will see both sets of packets and be able to reconstruct the complete TCP connection.

Re: VACL - Asynchronous Data Capture?

g.raymakers — Fri, 08 Jul 2005 12:18:36 GMT

Is the "reconstruct of assymetric routed packets" a feature that is implemented as of a specific software release or general available for a while?