Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3456
Views
0
Helpful
2
Replies

Using Span with VACLs, without a monitor session to a destination Port

Nick Cutting
Level 1
Level 1

‎04-13-2012 01:57 AM - edited ‎03-07-2019 06:06 AM

Good morning,

2 x 6509 12.2 (33)SXH2a

I am trying a configuration that I cannot find docuemented anywhere.  I started follwing this whitepaper: However I can only use ONE span session.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008017b753.shtml

We are using VALCS already and have FWSM and ACE modules, in both switches.

Am I right in thinking that whether capturing on 1 VACLs or 10 VACLs will use one monitoring session (that you cannot see with show mon)?

Does the ACE and FWSM share a monitor session in the background, but does NOT count towards the 2 session source limit? That you can see:

Session 1

---------

Type                   : Service Module Session

Modules allowed        : 1-9

Modules active         : 1-2

BPDUs allowed          : Yes

Is it the VACLs or the service module session that is "wasting" one of my precios SPAN sessions?

Ultimately we need to capture traffic from 2 vlans on both 6509's to 2 ports on each switch. Each of the 4 destination ports needs a copy of all of the data in both vlans, from both switches.

I cannot configure something like this due to monitor session source limits

monitor session 2 source vlan1,vlan2

monitor session 2 destination remote vlan 3

monitor session 3 source vlan 3

monitor session 3 destination interface gi8/2, 8/3

________________________________________

Here is the config I have in place. Notice the use of only one span session, and the vacl capture attempting to "grab" the RSPAN vlan directly:

vlan 3

remote-span

interface Vlan3

no ip address

shutdown

end

monitor session 2 source vlan 1 , 2

monitor session 2  destination remote vlan 3

vlan filter  CaptureFilter vlan-list 3

vlan access-map CaptureFiltermatch ip address ALL_TRAFFIC
action forward  capture

interface  Gi8/2
description Destination Monitor Port 1
switchport
switchport  capture
switchport capture allowed vlan 3

interface Gi8/3
description Destination Monitor Port  2
switchport
switchport capture
switchport capture allowed vlan 3

This config is on both switches, and I see traffic on all 4 ports, but there is more traffic on some of the ports...I thought there would be equal traffic on all 4 ports?  I do not know enough about 6k series switch architecture to find out what is going on here - or whether this will work.
Are there any other possible work arounds for the 2 span source limitation I am facing to get all the traffic from both vlans from both switches?

Labels:
0 Helpful
2 Replies 2

krahmani323
Level 3
Level 3

‎04-13-2012 06:53 PM

Hello Nick,

Please find some elements about your questions :

I am trying a configuration that I cannot find docuemented anywhere.  I started follwing this whitepaper: However I can only use ONE span session.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008017b753.shtml

yes in fact this document is pretty old. It refers to the possible configuration of RSPAN in conjunction with the VACL for the granularity it offers for the type of traffic to monitor.

Indeed, the link does not mention VACL with the "capture" or "redirect" option which has been introduced in SUP720. Indeed the link is based on an old model of supervisor (SUP 2) and does not refer to the 'action capture/redirect' or 'switchport capture' options.

You should look for the configuration details for VACL caputre example :

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml#vacl_config

Am I right in thinking that whether capturing on 1 VACLs or 10 VACLs will use one monitoring session (that you cannot see with show mon)?

The previous link refers also to the advantages of VACL captures compared to vlan SPAN solutions.

One of them is that you can use a virtually unlimited number of capture sessions. So using either 1 or 10 VACL w/capture option will virtually allow unlimited capture interface.

Note also that VACL is totally done in hardware by the SUP720, so no worries about the system load. 

Here, as the VACL capture is applied on the created RSPAN vlan (reprensenting vlan 1 & 2), so yes it is associated to this session.  

Does the ACE and FWSM share a monitor session in the background, but does NOT count towards the 2 session source limit? That you can see:
Session 1
---------
Type                   : Service Module Session
Modules allowed        : 1-9
Modules active         : 1-2
BPDUs allowed          : Yes
Is it the VACLs or the service module session that is "wasting" one of my precios SPAN sessions?

The precious session 1 that is used here is only due to the presence of the FWSM service module.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#FWSM

When you use Supervisor Engine 720 with an FWSM in the chassis that runs Cisco Native IOS, by default a SPAN session is used

This session is automatically installed for the  support of hardware multicast replication because an FWSM cannot  replicate multicast streams.

If you have a multicast source that generates a multicast stream from behind the FWSM, you need the SPAN reflector.

You can use the no monitor session service module command in order to disable the SPAN reflector.

 Ultimately we need to capture traffic from 2 vlans on both 6509's to 2 ports on each switch. Each of the 4 destination ports needs a copy of all of the data in both vlans, from both switches.
I cannot configure something like this due to monitor session source limits

Looking at the configuration there is a mixture of RSPAN with VACL & capture options. I do not really now what is exactly captured (acl for the vlan access-map ..) in this context (I suppose the VACL capture configuration is allowing the capture from RSPAN vlan 3 on both Gig interfaces). 

This config is on both switches, and I see traffic on all 4 ports, but there is more traffic on some of the ports...I thought there would be equal traffic on all 4 ports?  I do not know enough about 6k series switch architecture to find out what is going on here - or whether this will work.

Maybe beacause there is an HSRP or VRRP configuration with ACTIVE / STANDBY router states where the ACTIVE is handling more traffic than the secondary ? Depending also on the differents L2 uplinks load share.. 

 
Are there any other possible work arounds for the 2 span source limitation I am facing to get all the traffic from both vlans from both switches?

Honestly I really don't know if it possible to catch all flows from vlan 1 and vlan 2 from both switch switches and replicate them on sniffers connected to each of them => Maybe issues with some traffic replicated twice...and so on..

Otherwise we can take a look at this very intersting link where your scenario is described. The flows from both switches for both vlans could be captured but the sniffer are only attached to switch 1 (switch 2 just using RSPAN to send the flows to switch 1)

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2.1/7_VACL.html#wp1089726

The  difference being that the sensors are only connected to Switch 1 only - with one monitor session used - RSPAN with vacl redirect.

Hope that helps....

Regards.

Karim

0 Helpful

Nick Cutting
Level 1
Level 1
In response to krahmani323

‎05-16-2012 06:47 AM

For the record this configuration does work.  You can capture straight out of the RSPAN vlan without a seperate destination session.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card