The purpose of this document is to explain briefly how to capture packets on the trunk between the ACE and the Catalyst hosting the module.
This is one of the procedures most used by TAC to troubleshoot what enters and exits the module.
Traffic should be captured from the backplane port connecting to the ACE module. Ideally, the captured traffic should be sent to a port configured as a trunk, so that the VLAN tags are preserved. Note that some network adapters or drivers strip the VLAN tag before handing the frame to the capture application, in which case the capture will show untagged frames even though the port is a trunk.
The sniff can be filtered to just the VLAN(s) of interest. This keeps out of the capture the intra-VLAN traffic that does not traverse the ACE module and is not of interest.
Packet Capture Limitations
When using a capture application, the following settings can limit the amount of storage required to capture the traffic:
Limit the capture packet length
Use a fixed capture file size
Rotate between a number of capture files
Configure Packet Capture
The steps are:
1) Identify the source of the sniffing, meaning the ACE module and its slot. Let's say the ACE module is installed in slot 5.
2) Identify the destination of the sniffing, i.e. the port where the sniffing device is connected, let's say Gi7/29 (GigabitEthernet7/29). This port needs specific settings to preserve the VLAN tags, i.e. it must be a trunk. This is a MUST when sniffing in a bridge-mode environment, where the IP addresses do not change while traversing the ACE and the VLAN tag is the only way to tell the client-side copy of a packet from the server-side copy.
3) Identify the VLAN(s) of interest, let's say VLAN 100 and 200 (optional).
The number of capture files to rotate through depends on the storage available on the sniffing host.
An alternative method of limiting the captured traffic is to use VACLs (VLAN ACLs) with the capture action. An IP access list specifies the traffic to capture; only frames matching an entry whose action includes capture are copied to the capture port, while everything else is forwarded normally. This is useful when spanning the whole VLAN would oversubscribe the destination port.
! Classifier ACLs: the traffic to capture, plus a catch-all so the rest of the VLAN traffic is still forwarded
ip access-list extended ALL_TRAFFIC
 permit ip any any
ip access-list extended CAPTURE-HTTP
 permit tcp any any eq www
!
! Sequence 10 forwards HTTP and copies it to the capture port.
! Sequence 20 has no explicit action, so it takes the default (forward) for all other traffic.
vlan access-map HTTP_MAP 10
 match ip address CAPTURE-HTTP
 action forward capture
vlan access-map HTTP_MAP 20
 match ip address ALL_TRAFFIC
!
! Apply the map to the VLANs of interest (803-804 is the page's own example; use the VLANs from step 3)
vlan filter HTTP_MAP vlan-list 803-804
!
! Capture (destination) port: the sniffer port from step 2, configured as a dot1q trunk so the
! tags survive, enabled as a capture port and restricted to the filtered VLANs
interface GigabitEthernet7/29
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport capture
 switchport capture allowed vlan 803,804
 no ip address
NOTE 1: On the packet capture tool (Wireshark, Ethereal, SnifferPro) the frame snap size should be set to unlimited; otherwise only the first 68 bytes of each frame may be captured, which is enough for the headers but not for the payload.
NOTE 2: The monitor session copies every frame in full, so the throughput of all the VLANs you filter on is summed and sent to the destination port. If that sum exceeds the bandwidth of the destination port, frames are dropped from the capture (the production traffic itself is not affected).
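Two of the failure modes mentioned above (an adapter or driver stripping the 802.1Q tag, and a snap length that truncates frames to 68 bytes) can be checked on the capture file before analysis starts. The following Python script is an added example and is not part of the original document or of any Cisco or Wireshark tool: it reads a classic pcap file with the standard library only, reports the snap length recorded in the file header, counts frames per VLAN ID, flags untagged and truncated frames, and compares the VLANs seen against the ones you meant to sniff (100 and 200 in the steps above). The build_sample_pcap function, its MAC addresses and its frames are constructed sample data so the script runs offline.

```python
"""Audit a classic pcap taken from the sniffer port: were 802.1Q tags preserved,
and were frames truncated by the capture snap length?
Added example, standard library only; sample data is constructed inline."""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
ETH_P_8021Q = 0x8100   # 802.1Q customer tag
ETH_P_8021AD = 0x88A8  # 802.1ad (QinQ) outer tag


def parse_pcap(data):
    """Return (snaplen, [(caplen, origlen, frame_bytes), ...]) from a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):     # little-endian writer, usec or nsec
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    snaplen, linktype = struct.unpack_from(endian + "II", data, 16)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    records, off = [], 24                     # 24-byte global header
    while off + 16 <= len(data):              # 16-byte per-record header
        _sec, _frac, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, records


def vlan_of(frame):
    """Outermost 802.1Q VID of an Ethernet frame, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        tci, = struct.unpack_from("!H", frame, 14)
        return tci & 0x0FFF                   # low 12 bits of the TCI are the VID
    return None


def audit_capture(data, expected_vlans):
    """Summarise tag preservation and truncation against the VLANs we meant to sniff."""
    snaplen, records = parse_pcap(data)
    per_vlan, untagged, truncated = Counter(), 0, 0
    for caplen, origlen, frame in records:
        if caplen < origlen:                  # snap length cut the frame short
            truncated += 1
        vid = vlan_of(frame)
        if vid is None:
            untagged += 1                     # tag stripped by NIC/driver, or not a trunk
        else:
            per_vlan[vid] += 1
    expected = set(expected_vlans)
    return {
        "snaplen": snaplen,
        "frames": len(records),
        "per_vlan": dict(per_vlan),
        "untagged": untagged,
        "truncated": truncated,
        "missing_vlans": sorted(expected - set(per_vlan)),
        "unexpected_vlans": sorted(set(per_vlan) - expected),
    }


# --- constructed sample data (not a real capture) ---------------------------
def _frame(vid, payload_len, ethertype=0x0800):
    """Ethernet frame with an optional 802.1Q tag and a zero-filled payload."""
    hdr = bytes.fromhex("0000deadbeef") + bytes.fromhex("00005ca1ab1e")  # made-up MACs
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid)   # PCP/DEI 0, VID = vid
    return hdr + struct.pack("!H", ethertype) + bytes(payload_len)


def build_sample_pcap(snaplen=68):
    """Little-endian classic pcap with four frames, cut to `snaplen` the way a sniffer would."""
    frames = [_frame(100, 200), _frame(200, 40), _frame(None, 60), _frame(300, 100)]
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        cap = f[:snaplen]
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(cap), len(f))
        out += cap
    return bytes(out)


if __name__ == "__main__":
    report = audit_capture(build_sample_pcap(snaplen=68), expected_vlans={100, 200})
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

Against a real file, call audit_capture(open("trunk.pcap", "rb").read(), {100, 200}). A non-zero untagged count on a capture taken from a trunk port means the adapter or driver removed the tags; a non-empty unexpected_vlans list means the SPAN or VACL filter is wider than intended; a non-zero truncated count means the snap length was left at its default. The script only reads classic pcap, so save from Wireshark in pcap rather than pcapng format.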
Local SPAN, RSPAN, and ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports.
A local SPAN session is an association of source ports and source VLANs with one or more destination ports. You configure a local SPAN session on a single switch. Local SPAN does not have separate source and destination sessions.
RSPAN supports source ports, source VLANs, and destination ports on different switches, which provides remote monitoring of multiple switches across your network. RSPAN consists of an RSPAN source session, an RSPAN VLAN, and an RSPAN destination session.
ERSPAN also supports source ports, source VLANs, and destination ports on different switches, but carries the monitored traffic over a routed network. ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session.