VACL - Asynchronous Data Capture?

rm2017 · ‎06-28-2005

What is the best way to configure a VACL for packet capture on a pair of switches running HSRP for a respective VLAN? If you have the same VACL on both switches and a capture port on each connected to a different monitoring port on a Cisco IPS Appliance, isn't it possible for the Sensor not to see the whole traffic flow? Would the sensor would view such flows as dropped packets?

marcabal · ‎06-28-2005

If you use an appliance like a IPS-4240 or IPS-4255 that have more than one sniffing interface then you can connect one interface to the first switch, and connect a second interface to the second switch.

Configure the sensor to monitor both of the interfaces.

Configure each switch to span or VACL Capture the desired traffic to the port connected to the sensor.

The single sensor will recieve packets from both switches, and monitor the traffic from both the switches.

So long as both the client and server traffic flows through one switch or the other or even client and one and server on the other you will be fine. Assuming your VACL has also been configured to capture both the client and server traffic, or your span will span both tx and rx traffic.

The sensor will combine the packets from the 1st switch (1st port) and the packets from the 2nd switch (2nd port) and treat the packets as if they are on the same network.

So if incoming client packets are on switch 1, and outgoing server packets are on switch 2; it will see both sets of packets and be able to reconstruct the complete TCP connection.

g.raymakers · ‎07-08-2005

Is the "reconstruct of assymetric routed packets" a feature that is implemented as of a specific software release or general available for a while?