VLAN SPAN

cxo-179682
Level 1

I've been tasked with gathering what the 'conversations' between VLANs are in order to build an ACL.

It's a standard Core/Distribution and Access environment: the core/distribution switches are configured with HSRP, and the access switches are L2 only (trunked to the dist/core). There are a total of 5 VLANs (10, 20, 30, 40, 50 for instance) that I would need to SPAN. My questions are:

1- Will it be sufficient to perform local VLAN SPAN on the HSRP active switch only? (Only interested in inter-VLAN traffic, e.g. between VLAN 10 and VLAN 20.)

2- Will pre-configuring the monitor session without Wireshark connected affect the CPU utilization?

3- ACL logging is not recommended, as we do not want to risk the CPU utilisation spiking and causing the network to go down.

4- NetFlow is not supported on the L3 device (Catalyst 3750 without SM).

 

Thanks in advance,


5 Replies

Francesco Molino
VIP Alumni

Hi

Not sure you'll be satisfied with SPAN. I mean, you need to have a solid device receiving all the traffic.

I would suggest using NetFlow capabilities. You'll have src and dst IP, and based on this you'll be able to tell which VLANs communicate together.

What type of device do you have?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Unfortunately we don't have any NetFlow device, hence it's not an option. We will be using Wireshark to capture the traffic, and it's just the normal server-to-client communication we are trying to lock down in the ACL.

Ok, then here are my answers to your questions:
1. With HSRP, the layer 3 traffic will go to the active router, so yes, you can SPAN there.
2. As the destination port will be down, the impact would be minimal.
3. Yes, logging isn't the best option as it impacts the CPU, but depending on your platform and traffic you can activate it on the deny statement, for example.

You'll be able to see NetFlow output on the switch.

Last suggestion: you can use the ip accounting feature to see what source communicates with what destination.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
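
As an added example (not code from this thread or any poster), here is a Python script that turns a tshark field export of the Wireshark/SPAN capture into the inter-VLAN conversation list and candidate IOS extended-ACL lines. The one-subnet-per-VLAN map and the sample export rows are constructed assumptions; note that a VLAN SPAN also copies intra-VLAN frames, which the script drops because an inter-VLAN ACL cannot filter them.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed VLAN-to-subnet mapping (constructed; the thread only names VLANs 10..50).
VLAN_SUBNETS = {
    10: ip_network("10.0.10.0/24"),
    20: ip_network("10.0.20.0/24"),
    30: ip_network("10.0.30.0/24"),
    40: ip_network("10.0.40.0/24"),
    50: ip_network("10.0.50.0/24"),
}
PROTO_NAMES = {6: "tcp", 17: "udp"}

# Constructed sample rows in the shape of a tshark field export:
#   tshark -r span.pcap -T fields -E separator=, -e ip.src -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport
SAMPLE_EXPORT = """\
10.0.10.5,10.0.20.100,6,443,
10.0.10.5,10.0.20.100,6,443,
10.0.10.7,10.0.20.100,6,443,
10.0.10.5,10.0.10.9,6,445,
10.0.30.12,10.0.20.100,17,,53
10.0.40.3,10.0.20.101,6,22,
"""

def vlan_of(ip):
    """Return the VLAN whose subnet contains ip, or None for addresses outside the map."""
    addr = ip_address(ip)
    for vlan, net in VLAN_SUBNETS.items():
        if addr in net:
            return vlan
    return None

def inter_vlan_conversations(export_text):
    """Count (src_vlan, dst_vlan, proto, dport) flows, dropping intra-VLAN and unmapped ones.
    The SPAN copies L2-switched intra-VLAN frames too (10.0.10.5 -> 10.0.10.9 here); skip them."""
    counts = Counter()
    for src, dst, proto, tcp_port, udp_port in csv.reader(io.StringIO(export_text)):
        svlan, dvlan = vlan_of(src), vlan_of(dst)
        if svlan is None or dvlan is None or svlan == dvlan:
            continue
        dport = tcp_port or udp_port
        counts[(svlan, dvlan, PROTO_NAMES.get(int(proto), proto), int(dport))] += 1
    return counts

def acl_lines(conversations):
    """Render each observed conversation as an IOS extended-ACL permit (wildcard masks, not netmasks)."""
    lines = []
    for (svlan, dvlan, proto, dport) in sorted(conversations):
        s, d = VLAN_SUBNETS[svlan], VLAN_SUBNETS[dvlan]
        lines.append(f"permit {proto} {s.network_address} {s.hostmask} {d.network_address} {d.hostmask} eq {dport}")
    return lines
```

Return traffic from the servers shows up as reverse conversations on ephemeral ports, so review the counts before pasting the permits and finish the list with an explicit deny.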

Hi Francesco,

Thanks for your reply. I didn't think of the ip accounting feature, but would that be CPU intensive? Is there any document where I can validate the minimal impact of the destination port being down? (Can't find any.)

Btw, most of our L3 devices are running on Catalyst 3750, hence NetFlow is not an option for this activity.

Rgds.

Ok, now I know your devices, which are 3750s, and ip accounting isn't supported.

You need to go with vlan span.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question