How do I limit traffic spanned to SuperAgent on a Cisco 6500?
Written by Administrator
Monday, 03 March 2008 05:57
On larger chassis switches, such as the Cisco 6000 and 6500 Series, it is easy to exceed the output capacity of the SPAN port. VLAN Access Lists (VACLs) allow the traffic copied to the capture port to be reduced significantly.
 
Below is an explanation of VACLs, including caveats and a checklist to ensure correct functionality.
 
A VLAN ACL (or Security ACL) may be used to copy filtered packets from source VLANs to a destination port.
 
Hardware and Software Requirements: 
  • 6000 series switch platform with either CatOS or IOS.
  • Policy Feature Cards are required to use this feature since VACLs offload processing from the Supervisor Engine to the PFC. The PFC is included with Supervisor Engines 1A, 2 and Sup720.
  • VACL Capture requires CatOS 5.3 or IOS 12.1(8a)EX. 
Capture Port specifications: 
  • This is the destination port for all copied packets.
  • There is no limit on the number of Capture Ports, but each Capture Port MUST be in the spanning-tree forwarding state.
  • Capture Ports do not transmit all captured traffic; they transmit only traffic in the VLAN the Capture Port belongs to. To capture traffic belonging to multiple VLANs, configure the Capture Port as a trunk.
Caveats: 
  • VACLs can be applied to all packets, whether routed or switched, and can be configured on any VLAN.
  • All packets entering a VLAN are checked against the VACL, regardless of direction.
  • VACLs can be applied to certain WAN interfaces (requires IOS 12.1(13)E): supported on POS, ATM and serial interfaces.
  • VACLs and Context Based Access Control (CBAC) cannot be configured on the same interfaces. If CBAC is in use, use the 'mls ip ids' method described in the MLS IP IDS section below.

IMPORTANT: VACLs apply to all traffic on a VLAN, not just the traffic being captured, so a poorly written VACL can interrupt production traffic. Any deny statement in the ACL causes matching traffic to be dropped at the switch, and every ACL ends with an implicit deny all, so a final permit ip any any (without the capture keyword) is required to ensure that traffic not being captured is still forwarded.

In addition, be aware that interaction with RACLs (router ACLs) varies depending on the forwarding hardware (EARL version) in use.

  • With EARL5, L2 and L3 packets are captured on ingress rather than egress. However, a shortcut packet (one switched by the PFC rather than routed by the MSFC) is captured on egress instead. Packets denied by a RACL are not captured.
  • With EARL6, L2 and L3 packets are captured on egress. Packets denied by a RACL are captured.
  • With EARL7, L2 and L3 packets are captured on egress. Packets denied by an input RACL are not captured. If a packet is denied by an output RACL on the output VLAN, it is not captured; if it is denied by an output RACL on the input VLAN, it is captured.

Set-Based Switches (CatOS):

To create a valid VACL, use the following steps.

  1. Define the traffic to capture.
  2. Commit the Security ACL.
  3. Map the Security ACL to VLANs.
  4. Specify the Capture Port.

VACL Capture on Cat6k with CatOS
Simple Example:
Capture all traffic on VLANs 100 & 101 and send to 3/1 

c6509 (enable) set security acl ip MyCap permit ip any any capture
MyCap editbuffer modified. Use 'commit' command to apply changes.
c6509 (enable) commit security acl MyCap
ACL commit in progress.
ACL 'MyCap' successfully committed.
c6509 (enable) set security acl map MyCap 100,101
Mapping in progress...
ACL MyCap successfully mapped to VLAN 100.
ACL MyCap successfully mapped to VLAN 101.
c6509 (enable) set security acl capture-ports 3/1
Successfully set 3/1 to capture ACL traffic. 

Capturing all traffic on two VLANs is potentially far more than the output capacity of the capture port, and more than a SuperAgent Collector needs. To limit the traffic sent to SuperAgent, redefine the security ACL to capture only particular kinds of traffic; the easiest selector is the TCP port number. REMEMBER: a VACL filters the whole VLAN, so deny statements will interrupt production traffic, and the final permit ip any any (without the capture keyword) must stay in place.

For example, HTTP has been configured in SuperAgent as the application to monitor. The capture ACE is entered first and the catch-all second, because a security ACL is evaluated top to bottom and the first matching ACE decides. Note that eq 80 matches the destination port only, so this ACE captures client-to-server packets; to capture the server's replies as well, add a second capture ACE that matches a source port of 80.

c6509 (enable) set security acl ip MyCap permit tcp any any eq 80 capture
MyCap editbuffer modified. Use 'commit' command to apply changes.
c6509 (enable) set security acl ip MyCap permit ip any any
MyCap editbuffer modified. Use 'commit' command to apply changes.
c6509 (enable) commit security acl MyCap
ACL commit in progress.
ACL 'MyCap' successfully committed.
c6509 (enable) set security acl map MyCap 100,101
Mapping in progress...
ACL MyCap successfully mapped to VLAN 100.
ACL MyCap successfully mapped to VLAN 101.
c6509 (enable) set security acl capture-ports 3/1
Successfully set 3/1 to capture ACL traffic. 

If the commands above were mistyped or caused undesirable side effects, remove the VACL as follows.

c6509 (enable) clear security acl MyCap
MyCap editbuffer modified. Use 'commit' command to save changes.
c6509 (enable) commit security acl MyCap
ACL commit in progress.
ACL 'MyCap' successfully deleted. 

If the edit buffer has been modified and you need to roll back to the last committed state:

c6509 (enable) rollback security acl MyCap
Editbuffer for `MyCap' rolled back to last commit state. 

IOS-Based Switches:

Capturing traffic with IOS-based switches:

  1. Define the traffic to be captured.
  2. Create an access-map to link the access-list with the VACL name and action.
  3. Specify the VLANs to which the VACL should be applied.
  4. Define the capture destination.

Simple example to capture all traffic on VLANs 200 and 201 and send it to port 3/1.

c6509(config)# access-list 100 permit ip any any
c6509(config)# vlan access-map MyCap 10
c6509(config-access-map)# match ip address 100
c6509(config-access-map)# action forward capture
c6509(config-access-map)# exit
c6509(config)# vlan filter MyCap vlan-list 200,201
c6509(config)# interface gi3/1
c6509(config-if)# switchport capture

Extended example to monitor HTTP traffic. The capture entry must come first: access-map entries are evaluated in ascending sequence order and the first match decides the action, so a catch-all forward entry at sequence 10 would match HTTP before the capture entry at sequence 20 was reached and nothing would be captured.

c6509(config)# access-list 100 permit tcp any any eq 80
c6509(config)# access-list 101 permit ip any any
c6509(config)# vlan access-map MyCap 10
c6509(config-access-map)# match ip address 100
c6509(config-access-map)# action forward capture
c6509(config-access-map)# exit
c6509(config)# vlan access-map MyCap 20
c6509(config-access-map)# match ip address 101
c6509(config-access-map)# action forward
c6509(config-access-map)# exit
c6509(config)# vlan filter MyCap vlan-list 200,201
c6509(config)# interface gi3/1
c6509(config-if)# switchport capture
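
The script below is an added example, not code from the original page or from Cisco. It models how a VLAN access-map is evaluated (entries tried in ascending sequence order, the first match decides, a packet matching no entry hits the implicit deny and is dropped) and audits a map against constructed sample flows before it is mapped to a production VLAN. The same first-match and implicit-deny rules apply to the CatOS security ACL in the set-based examples above, so the check applies to both forms. The Packet, Ace and MapEntry structures, the sample flows and the map names WRONG_ORDER, RIGHT_ORDER, NO_CATCHALL and BIDIRECTIONAL are all assumptions of the example.

```python
"""Added example: a model of Catalyst VLAN access-map evaluation used to
sanity-check a VACL before it is applied to a production VLAN.  This is not
code from the original page or from Cisco; packet fields, names and sample
flows are assumptions of the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    sport: int   # source port (0 for icmp)
    dport: int   # destination port (0 for icmp)


@dataclass(frozen=True)
class Ace:
    """One permit entry of a match ACL; None means 'any'.  Only protocol and
    ports are modelled, which is all the page's examples use."""
    proto: str                   # "ip" matches every IP protocol
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class MapEntry:
    seq: int                 # "vlan access-map NAME seq"
    acl: Tuple[Ace, ...]     # the "match ip address" ACL
    action: str              # "forward", "forward capture" or "drop"


def evaluate(access_map: List[MapEntry], pkt: Packet) -> Tuple[bool, bool]:
    """Return (forwarded, captured).  Entries are tried in ascending sequence
    order, the first entry whose ACL permits the packet decides, and a packet
    that matches no entry hits the implicit deny and is dropped."""
    for entry in sorted(access_map, key=lambda e: e.seq):
        if any(ace.matches(pkt) for ace in entry.acl):
            if entry.action == "drop":
                return (False, False)
            return (True, "capture" in entry.action)
    return (False, False)


def audit(access_map: List[MapEntry],
          traffic: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Return (dropped, captured) flows.  A non-empty dropped list means the
    VACL would break production traffic on the VLAN it is mapped to."""
    results = [(p, evaluate(access_map, p)) for p in traffic]
    dropped = [p for p, (fwd, _) in results if not fwd]
    captured = [p for p, (_, cap) in results if cap]
    return dropped, captured


# Constructed sample flows: an HTTP request and its reply, DNS, SSH and a ping.
SAMPLE = [
    Packet("tcp", 40000, 80),   # client -> web server
    Packet("tcp", 80, 40000),   # web server -> client
    Packet("udp", 50000, 53),
    Packet("tcp", 50001, 22),
    Packet("icmp", 0, 0),
]

HTTP_TO_SERVER = (Ace("tcp", dport=80),)    # access-list 100 permit tcp any any eq 80
HTTP_FROM_SERVER = (Ace("tcp", sport=80),)  # permit tcp any eq 80 any
ANY_IP = (Ace("ip"),)                       # access-list 101 permit ip any any

# Catch-all forward at seq 10, capture at seq 20: HTTP never reaches the capture entry.
WRONG_ORDER = [MapEntry(10, ANY_IP, "forward"),
               MapEntry(20, HTTP_TO_SERVER, "forward capture")]
# Capture entry first, catch-all second: HTTP requests captured, everything forwarded.
RIGHT_ORDER = [MapEntry(10, HTTP_TO_SERVER, "forward capture"),
               MapEntry(20, ANY_IP, "forward")]
# No catch-all: every non-HTTP packet hits the implicit deny and is dropped.
NO_CATCHALL = [MapEntry(10, HTTP_TO_SERVER, "forward capture")]
# Both directions of HTTP captured, which a response-time monitor needs.
BIDIRECTIONAL = [MapEntry(10, HTTP_TO_SERVER + HTTP_FROM_SERVER, "forward capture"),
                 MapEntry(20, ANY_IP, "forward")]


def report(name: str, access_map: List[MapEntry]) -> str:
    """One-line verdict for a map against the sample flows."""
    dropped, captured = audit(access_map, SAMPLE)
    status = "UNSAFE" if dropped else "safe"
    return f"{name}: {status}, {len(captured)} captured, {len(dropped)} dropped"


if __name__ == "__main__":
    for name, amap in [("WRONG_ORDER", WRONG_ORDER), ("RIGHT_ORDER", RIGHT_ORDER),
                       ("NO_CATCHALL", NO_CATCHALL), ("BIDIRECTIONAL", BIDIRECTIONAL)]:
        print(report(name, amap))
```

Run it as-is to see the four verdicts, or replace SAMPLE with the flows that actually matter on your VLAN (management, routing protocols, DNS) and treat any non-empty dropped list as a reason not to map the VACL yet.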

RSPAN with VACL
 
RSPAN (Remote SPAN) is a monitoring method primarily used to capture traffic across one or more switches, but it also works on a single switch as an alternative to SPAN. RSPAN directs the mirrored traffic to a designated RSPAN VLAN rather than to a port, and a VACL applied to that RSPAN VLAN restricts what reaches the destination port. Because the VACL acts only on the mirrored copies in the RSPAN VLAN, its implicit deny discards unwanted copies without affecting production traffic. RSPAN with VACL also removes 802.1Q VLAN tags. This provides capabilities similar to VACL capture but supports more platforms; VACL capture itself works only on 6000 Series switches.
 
Platform Specifications: 

  • Catalyst 6000 Series with IOS or CatOS
  • Catalyst 4000 Series with IOS or CatOS
  • Catalyst 3550 Switches 

Steps to configure RSPAN with VACL:

  1. Configure a local or remote RSPAN session.
  2. Apply the VACL to the RSPAN destination VLAN.

Catalyst 6000 with CatOS
Configuration to capture HTTP traffic on VLANs 200 and 201, using VLAN 100 as the RSPAN VLAN, and send it to 3/1. No trailing permit ip any any is needed here: the implicit deny only discards mirrored copies of non-HTTP traffic in the RSPAN VLAN.

c6509 (enable) set vlan 100 rspan name SA_CAPTURE state active
c6509 (enable) set security acl ip MyACL permit tcp any any eq 80
c6509 (enable) commit security acl MyACL
c6509 (enable) set security acl map MyACL 100
c6509 (enable) set rspan source 200,201 100 both multicast enable create
c6509 (enable) set rspan destination 3/1 100 create 

Catalyst 3550
Configuration to capture HTTP traffic on VLAN 20, using VLAN 100 as the RSPAN VLAN and fa0/24 as the reflector port. On the 3550 the RSPAN VLAN must be declared with remote-span, and the reflector port is dedicated to the RSPAN source session; the filtered traffic is delivered to the analyzer port by a separate monitor session whose source is remote vlan 100.

c3550(config)#vlan 100
c3550(config-vlan)#remote-span
c3550(config-vlan)#exit
c3550(config)#interface vlan100
c3550(config-if)#description RSPAN Destination VLAN
c3550(config-if)#no ip address
c3550(config-if)#exit
c3550(config)#ip access-list extended SA-TRAFFIC
c3550(config-ext-nacl)#permit tcp any any eq 80
c3550(config-ext-nacl)#exit
c3550(config)#vlan access-map RSPAN-VACL 10
c3550(config-access-map)#match ip address SA-TRAFFIC
c3550(config-access-map)#action forward
c3550(config-access-map)#exit
c3550(config)#vlan filter RSPAN-VACL vlan-list 100
c3550(config)#monitor session 1 source vlan 20 rx
c3550(config)#monitor session 1 destination remote vlan 100 reflector-port fa0/24

MLS IP IDS
 
VACL capture will not work on a Catalyst 6000 switch running the IOS firewall feature set (CBAC). An alternative capture method is the 'mls ip ids' command. An Access Control List (ACL) defines the interesting traffic, and applying 'mls ip ids' to a VLAN interface captures it. When monitoring multiple VLANs or interfaces, apply the command to each interface to see bidirectional traffic. This provides capabilities similar to VACL capture. Because the ACL specifies only the traffic to be captured, it never impedes traffic to its original destination: packets permitted by the ACL are captured and packets denied are simply not captured. As with VACL capture, the capture port must be configured as a trunk to carry traffic from all monitored VLANs.
 
MLS IP IDS on Catalyst 6000 with IOS.
 
Simple Configuration.
Capture all IP traffic on VLANs 200 and 201 and send to 3/1 

c6509(config)#ip access-list extended SA-Capture
c6509(config-ext-nacl)#permit ip any any
c6509(config-ext-nacl)#exit
c6509(config)#int vlan 200
c6509(config-if)#mls ip ids SA-Capture
c6509(config)#int vlan 201
c6509(config-if)#mls ip ids SA-Capture
c6509(config-if)#int gig3/1
c6509(config-if)#switchport capture 

Capture HTTP traffic on VLANs 200 and 201 and send to 3/1.

c6509(config)#ip access-list extended SA-Capture
c6509(config-ext-nacl)# permit tcp any any eq 80
c6509(config-ext-nacl)#exit
c6509(config)#int vlan 200
c6509(config-if)#mls ip ids SA-Capture
c6509(config)#int vlan 201
c6509(config-if)#mls ip ids SA-Capture
c6509(config-if)#int gig3/1
c6509(config-if)#switchport capture 

Catalyst 6000 Series Switch in Hybrid Mode (set based)
Simple configuration.
Capture all IP traffic on VLANs 200 and 201 and send to 3/1 

C6509-msfc(config)#ip access-list extended IDS-Capture
C6509-msfc(config-ext-nacl)#permit ip any any
C6509-msfc(config-ext-nacl)#exit
C6509-msfc(config)#int vlan 200
C6509-msfc(config-if)#mls ip ids IDS-Capture
C6509-msfc(config)#int vlan 201
C6509-msfc(config-if)#mls ip ids IDS-Capture

c6509 (enable) set security acl capture-ports 3/1

Capture all HTTP traffic on VLANs 200 and 201 and send to 3/1.

C6509-msfc(config)#ip access-list extended IDS-Capture
C6509-msfc(config-ext-nacl)#permit tcp any any eq 80
C6509-msfc(config-ext-nacl)#exit
C6509-msfc(config)#int vlan 200
C6509-msfc(config-if)#mls ip ids IDS-Capture
C6509-msfc(config)#int vlan 201
C6509-msfc(config-if)#mls ip ids IDS-Capture

c6509 (enable) set security acl capture-ports 3/1

Source: http://www.flukenetworks.com/ 

 
