04-01-2009 08:34 AM
Hi All,
We are trying to log the number of hits for a permit ACL statement, which is applied to an interface on a ML100 card, but couldn't see any hits. So we are trying to capture the port traffic and send it to a port where a sniffer is connected, but couldn't find a monitor session command. Is there a way to achieve this?
Any help is really appreciated.
Thanks
Regards
Anantha Subramanian Natarajan
04-02-2009 01:00 AM
I think the ML100 card is just a Catalyst Switch on a blade, so you just configure a monitor port (SPAN in Cisco speak) which mirrors the traffic on the port you want to analyse to the port you have your analyser connected to. The link below is to a document that explains it enough to get you going. Don't forget that when you are configuring the ML100 card, pressing the "?" key will show you the available options for the command.
I guess you already know that show access-lists displays all the ACLs configured and also the number of hits each one has had; you can also just display the ACL you are interested in by entering show access-lists {ACL #}. You could also use the debug ip access-lists command to write them to the log file in real time, and if you enter terminal monitor they will display on the screen if you are connected via a Telnet session.
Hope this helps
PS I'm English so analyse and analyser is spelt correctly!
04-02-2009 06:40 AM
Hi Chris,
Thanks for the email and the link reference. We tried to find the monitor session command to span, but it seems not to be available on the ML card. Also, it seems the port monitor command works only for VLAN interfaces, and the port we are trying to monitor is a routed port.
Will try to use debug ip access-list; is it processor intensive?
Thanks
Regards
Anantha Subramanian Natarajan
04-02-2009 06:52 AM
I wouldn't think it is very processor intensive; it's got to process the access list anyway, so it's just adding counters, which it also does anyway, and you can see these with the command show ip access-lists.
I'm really surprised it doesn't allow you to create a SPAN port; it doesn't make sense to strip that functionality out. Perhaps someone else will be able to throw some light on why that bit's missing.
04-02-2009 03:31 PM
Hi Chris,
Thanks for the email and response.
Regards
Anantha Subramanian Natarajan
04-02-2009 07:45 PM
Have you tried acl logging?
see
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
and
http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/stdlog.html
for more information and examples.
Hope this helps. Please rate this post if it does.
04-02-2009 09:42 PM
Hi Mklemovitch,
Thanks for the response; it seems ACL logging is not supported on the ML card.
If you know any other ideas, please let us know.
Thanks
Regards
Anantha Subramanian Natarajan
04-03-2009 03:20 PM
Hmm,
I thought maybe there might be an SNMP MIB that would allow you to do this, but in looking at the supported MIBs (see http://tools.cisco.com/ITDIT/MIBS/MainServlet?ReleaseSel=2290&PlatformSel=248&fsSel=1086 ) nothing jumps out at me.
The configuration guide ( http://www.cisco.com/en/US/docs/optical/15000r9_0/ethernet/454/guide/45490a_configacl.html ) wasn't any help either.
If indeed it's not possible to do this natively using the ML100T card's software, the other thing you could put in as a temporary hack would be to put a router inline with the physical feed of the Ethernet traffic into your SONET system. Put the ACL on the router (with ACL logging enabled) and then use ACL logging on the router to establish the answer to your question.