What are real cases for Traffic Copy?

Ahmed Tarek
Level 3

Hi all,

I checked out 3 options for traffic policy:

Traffic Copy Policies - Traffic Copy Destination - Traffic Copy Contract

I found it is usual for monitoring traffic for security checks.

I need more info on them. What are real cases in our environment where we can use these options?

Torbjørn
Spotlight

Traffic copy is actually just ERSPAN. Policies, Destinations and contracts are different parts of traffic-copy configuration, not 3 separate ways to achieve traffic copy. You would use Traffic copy in the same scenarios as you would any other SPAN, usually troubleshooting or copying traffic for IDS/traffic analysis/packet capture.

A Traffic Copy Policy defines which traffic flows you are interested in (source tag, destination tag), and can be associated with a traffic copy contract. A traffic copy contract is mapped to a traffic copy destination, such that when you choose a traffic-contract for your policy you choose which destination to use.

To configure traffic copy you would use the following procedure:

  1. Create Traffic Copy Destination
  2. Create Traffic Copy Contract mapped to your desired destination
  3. Create Traffic Copy Policy that defines desired traffic flows for copying and associate this with your traffic copy contract.

You can read more about this here: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-3/user_guide/b_cisco_dna_center_ug_2_3_3/m_configure-traffic-copy-policies.html#id_52079 

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
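
Since the reply above identifies traffic copy as ERSPAN, here is an added example (not from the thread or from Cisco) of how an analysis host can decode a copied packet, assuming the copy reaches the host still encapsulated as ERSPAN Type II inside GRE. The function names, addresses and sample packet are constructed for illustration.

```python
import struct

GRE_ERSPAN_II = 0x88BE   # GRE protocol type for ERSPAN Type I/II
GRE_ERSPAN_III = 0x22EB  # GRE protocol type for ERSPAN Type III (not decoded here)

def parse_erspan(pkt: bytes) -> dict:
    """Decode IPv4 + GRE + ERSPAN Type II; return header fields and the mirrored frame."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != 47:
        raise ValueError("IP protocol is not GRE (47)")
    gre = pkt[(pkt[0] & 0x0F) * 4:]          # skip IPv4 header, honouring options
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    if not flags & 0x1000:
        raise ValueError("no GRE sequence number: Type I, no ERSPAN header")
    # Optional GRE checksum (C bit) and key (K bit) fields precede the sequence number.
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0)
    if len(gre) < off + 12:
        raise ValueError("truncated ERSPAN header")
    seq, w0, w1 = struct.unpack("!III", gre[off:off + 12])
    return {
        "gre_seq": seq,                    # gaps here mean copied packets were lost
        "version": w0 >> 28,               # 1 for Type II
        "vlan": (w0 >> 16) & 0x0FFF,       # VLAN of the mirrored frame
        "truncated": bool(w0 & 0x0400),    # T bit: frame was cut short
        "session_id": w0 & 0x03FF,         # ERSPAN session that produced the copy
        "index": w1 & 0xFFFFF,             # platform-specific port index
        "inner_frame": gre[off + 12:],     # the original Ethernet frame
    }

# Constructed sample (documentation addresses, IP checksum left at zero).
INNER = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"mirrored-payload"

def build_sample(session_id=42, vlan=100, seq=7) -> bytes:
    gre = struct.pack("!HHI", 0x1000, GRE_ERSPAN_II, seq)
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 5)
    body = gre + erspan + INNER
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 47, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + body

if __name__ == "__main__":
    info = parse_erspan(build_sample())
    print({k: v for k, v in info.items() if k != "inner_frame"})
```

Wireshark dissects this encapsulation on its own; a script like this is useful when a sensor or capture pipeline needs the inner frame or wants to track sequence gaps per session.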

Thanks @Torbjørn for your reply,

I think I got the point of the usage of this feature, but sorry, what is the point in a real environment? For me, I did not need it for now, as there is another solution I already used, like Cisco Stealthwatch or a firewall.

Torbjørn
Spotlight

Traffic Copy differs quite a bit from Stealthwatch and firewalls. It copies all packets that are matched by the policy and sends them to a device for analysis.

  • Stealthwatch is a cloud tool that analyses network telemetry data, which is metadata/data about the traffic and not the actual traffic itself.
  • A firewall can often function as an IDS solution (analyses traffic to detect "intrusion"/malicious traffic) but is most often used to filter/block traffic that is forwarded through it based on a firewall policy/ruleset.

Traffic copy allows you to inspect the packets that are forwarded through your network. If you are having an issue with an application you can have the traffic forwarded to your machine to inspect the packets. If your network is undergoing a security audit you can have traffic forwarded to an appliance for packet capture/analysis. If you wish to run an IDS within your campus network this feature will allow you to send your IDS appliance the traffic you wish to. These are the most common real-life production uses for traffic copy/ERSPAN.


Thanks @Torbjørn for your reply and help,

My last question: can I set a VM with a third-party program (as destination) like Wireshark for deep packet inspection? Or another similar program?

I mean:

src ip is switch port (trunk)

destination is a port connected to a VM with Wireshark for deep packet inspection

No problem @Ahmed Tarek.

The traffic copy destination must be an interface of a Cisco router in your inventory (ASR4k, Cat 8k, ISR1k). So you would configure the destination to be an interface on a router that you can connect to anything you want, including a VM running Wireshark or similar packet/traffic analysis tools.


Ahmed Tarek
Level 3

Thanks, my friend,

really appreciated!