
Analysis and Review

Monitor IP traffic with your Cisco Switch

February 20, 2008 by Kurt Turner

Here are two ways you can monitor traffic with a Cisco switch. We'll discuss how to configure and properly use these techniques to effectively monitor traffic in your Cisco network.

  • Monitor Session
  • VLAN access maps

Let's cover Monitor Session and VLAN access map configuration and use below. Recommended reading to further expand your brain on this subject:

  • Wireshark & Ethereal Network Protocol Analyzer Toolkit
  • Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems

Monitor Session

If you're at the point where you must monitor traffic on your network, chances are you want some easy-to-follow instructions so your analysis goes as smoothly as possible. Monitor Session (Cisco's SPAN feature) can be configured on just about every Cisco switch, but each platform limits how many monitor sessions can be active at once; show monitor lists the ones already in use. The number after "session" is the session number, and it must be the same on the source and destination lines, otherwise you have configured two half-sessions instead of one working one. Both directions of traffic on the source port are mirrored by default; append rx or tx to the source line if you only want one direction. After you choose your source and destination ports, plug your laptop into the destination port (fa0/3 below) and start sniffing with Wireshark (wireshark.org). Keep in mind that a SPAN destination port only emits the mirrored copies and does not pass normal traffic, so the laptop will not be able to talk to the network through it.

  • monitor session 1 source interface fastethernet 0/2
  • monitor session 1 destination interface fastethernet 0/3
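As an added example (not part of the original post), here is a small Python script that checks the monitor session lines of a running config for the mistakes just mentioned: a source and destination whose session numbers do not match, more sessions than the platform allows, and a destination port that is also configured as a source. The sample configs are constructed for the example, the session limit is an assumed placeholder you should replace with your platform's real value, and the interface-name normalization assumes the usual IOS abbreviations (Fa, Gi, Te).

```python
"""Sanity-check the 'monitor session' (SPAN) lines of a Cisco IOS config.

Reports: source/destination lines that do not share a session number (two
half-sessions), more sessions than the platform allows, and a destination
port that is also a SPAN source.
"""
import re
from collections import defaultdict

# Matches both the typed form ("fastethernet 0/2") and the form IOS writes back
# into running-config ("Fa0/2").  Port ranges such as "fa0/2 - 4" are not handled.
SPAN_LINE = re.compile(r"^\s*monitor session (\d+) (source|destination) (.+?)\s*$", re.I)

# Long interface names as IOS abbreviates them in show output (assumed mapping).
# Longest first, so "tengigabitethernet" is not mangled by the gigabit rule.
ABBREVIATIONS = [
    ("tengigabitethernet", "te"),
    ("gigabitethernet", "gi"),
    ("fastethernet", "fa"),
    ("ethernet", "et"),
]


def normalize_target(spec):
    """'interface fastethernet 0/2 rx' -> 'interface:fa0/2'; 'remote vlan 999' -> 'remote:vlan999'."""
    tokens = spec.lower().split()
    if tokens[-1] in ("rx", "tx", "both"):      # optional direction on source lines
        tokens.pop()
    kind, name = tokens[0], "".join(tokens[1:])  # glue "fastethernet 0/2" into one token
    for long_name, short_name in ABBREVIATIONS:
        if name.startswith(long_name):
            name = short_name + name[len(long_name):]
            break
    return f"{kind}:{name}"


def parse_span_sessions(config_text):
    """Return {session_number: {"source": [targets], "destination": [targets]}}."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for line in config_text.splitlines():
        m = SPAN_LINE.match(line)
        if m:
            sessions[int(m.group(1))][m.group(2).lower()].append(normalize_target(m.group(3)))
    return dict(sessions)


def check_span_config(config_text, max_sessions=2):
    """Return a list of problems; an empty list means the SPAN config is consistent.

    max_sessions is an assumed placeholder: the real limit is platform specific.
    """
    sessions = parse_span_sessions(config_text)
    problems = []
    if len(sessions) > max_sessions:
        problems.append(f"{len(sessions)} sessions configured but the platform allows {max_sessions}")
    all_sources = {t for s in sessions.values() for t in s["source"]}
    for num in sorted(sessions):
        s = sessions[num]
        if not s["source"]:
            problems.append(f"session {num}: destination configured but no source (session numbers must match)")
        if not s["destination"]:
            problems.append(f"session {num}: source configured but no destination (session numbers must match)")
        for dest in s["destination"]:
            if dest in all_sources:
                problems.append(f"session {num}: destination {dest} is also a SPAN source")
    return problems


# Constructed sample configs (not taken from a real switch).
GOOD_CONFIG = """\
monitor session 1 source interface fastethernet 0/2
monitor session 1 destination interface fastethernet 0/3
"""

BAD_CONFIG = """\
monitor session 1 source interface Fa0/2 rx
monitor session 2 destination interface Fa0/3
monitor session 3 source interface Gi1/0/1
monitor session 3 destination interface Fa0/2
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_span_config(cfg) or "ok")
```

Feed it the output of show running-config | include monitor session; the BAD_CONFIG sample trips all four checks, including the mismatched session numbers 1 and 2 that would otherwise silently leave you with no mirrored traffic.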

VLAN Access Maps

VLAN access maps are pretty cool. They give you more granular control over what you sniff: the switch hardware selects which packets are copied to the capture port at wire speed, so your analyzer receives only the traffic you asked for rather than everything crossing a SPAN source port, and the selection does not load the switch's CPU. Not every platform that supports VLAN access maps supports the capture action (the Catalyst 6500 does), so check your platform's documentation before building on it. The commands for the access map are listed below, and further down I'll explain them in more depth. In this example we will not capture SSH traffic between certain hosts but will capture everything else.

vlan access-map part1 5
match ip address MONEY
action forward

vlan access-map part1 10
match ip address EVERYTHINGELSE
action forward capture

vlan filter part1 vlan-list 1-5,9-10

ip access-list extended MONEY
permit tcp host 10.90.12.24 host 10.90.24.7 eq ssh
permit tcp host 10.90.12.24 host 10.90.24.5 eq ssh
permit tcp host 10.70.24.7 host 10.90.24.24 eq ssh
permit tcp host 10.70.224.5 host 10.90.27.24 eq ssh
permit tcp 192.168.20.0 0.0.0.255 host 10.91.4.7 eq ssh
ip access-list extended EVERYTHINGELSE
permit ip any any

# vlan 999
# remote-span
# interface vlan 999
# exit
# vlan filter FILTER vlan-list 999
# interface gi9/32
# switchport access vlan 999

How to use this VLAN access map to sniff or monitor network traffic

The part1 used below is the name of the access map; it ties the entries together, and the number after it is the sequence number. The switch evaluates the entries of part1 in ascending sequence order and stops at the first entry whose access list matches the packet. Since 5 is the lowest sequence number, packets that access list MONEY permits are matched here and simply forwarded, with no capture.

vlan access-map part1 5
match ip address MONEY
action forward

Next, part1 evaluates sequence 10, the next number after 5. The switch forwards and captures the packets identified by access list EVERYTHINGELSE. Packets the previous entry matched have already been forwarded at sequence 5, so they never reach this entry and are not captured. Keep the catch-all entry: a VLAN access map ends with an implicit deny, so a packet that matches no entry is dropped, and a map containing only sequence 5 would black-hole every VLAN it is applied to.

vlan access-map part1 10
match ip address EVERYTHINGELSE
action forward capture

vlan filter part1 vlan-list 1-5,9-10 applies the map to the VLANs which carry the traffic you want to sniff / capture / monitor. The name given to vlan filter must be the name of an access map you have defined (part1 here). Access list MONEY describes the traffic you DON'T want to monitor; a permit in that list means "match this entry" (forward without capture), it does not by itself permit or block anything:
permit tcp host 10.90.12.24 host 10.90.24.7 eq ssh
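Added example (not part of the original post): a Python simulation of how the access map above disposes of a packet, using the article's ACLs as data. It applies the rules just described (ascending sequence, first match wins, a permit in the ACL means "match this entry", implicit drop at the end) and also shows the deny-then-permit construction a commenter describes below, which yields the same result. The Packet type, function names and sample packets are the example's own, and it handles only the ACL syntax the article uses (ip/tcp/udp protocol, host/any/wildcard addresses, an eq destination port).

```python
"""Simulate how a Cisco VLAN access map (VACL) disposes of a packet.

Rules modelled: entries are tried in ascending sequence order, the first entry
whose ACL permits the packet decides the action, a deny in the ACL means
"not this entry", and a packet no entry matches is dropped (implicit deny).
"""
import ipaddress
from typing import NamedTuple, Optional

PORT_NAMES = {"ssh": 22, "www": 80, "domain": 53}   # the IOS port keywords used here


class Packet(NamedTuple):           # example's own type, not an IOS concept
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp"
    dport: Optional[int] = None


def _parse_address(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard sets 1 bits for "don't care"; inverting it gives the
    # subnet mask.  Discontiguous wildcards (legal on IOS) are rejected here.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    network = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
    return network, tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' lines into tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                # skip the 'ip access-list extended NAME' header and blanks
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_address(rest)
        dst, rest = _parse_address(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries


def acl_permits(entries, pkt):
    """Top-down evaluation of an extended ACL; no matching line is an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src_ip not in src or dst_ip not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


def vacl_action(access_map, acls, pkt):
    """access_map: [(sequence, acl_name, action)]; first entry whose ACL permits wins."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_permits(acls[acl_name], pkt):
            return action
    return "drop"                   # the VACL's implicit deny


# The article's configuration, as data.
ACLS = {
    "MONEY": parse_acl("""
        ip access-list extended MONEY
        permit tcp host 10.90.12.24 host 10.90.24.7 eq ssh
        permit tcp host 10.90.12.24 host 10.90.24.5 eq ssh
        permit tcp host 10.70.24.7 host 10.90.24.24 eq ssh
        permit tcp host 10.70.224.5 host 10.90.27.24 eq ssh
        permit tcp 192.168.20.0 0.0.0.255 host 10.91.4.7 eq ssh"""),
    "EVERYTHINGELSE": parse_acl("permit ip any any"),
}
PART1 = [(5, "MONEY", "forward"), (10, "EVERYTHINGELSE", "forward capture")]

# Same policy built the other way round: deny lines inside the first entry's
# ACL mean "not this entry", so exempt SSH falls through to sequence 10.
ACLS["NOT_EXEMPT_SSH"] = parse_acl("""
    deny tcp host 10.90.12.24 host 10.90.24.7 eq ssh
    deny tcp host 10.90.12.24 host 10.90.24.5 eq ssh
    deny tcp host 10.70.24.7 host 10.90.24.24 eq ssh
    deny tcp host 10.70.224.5 host 10.90.27.24 eq ssh
    deny tcp 192.168.20.0 0.0.0.255 host 10.91.4.7 eq ssh
    permit ip any any""")
PART1_DENY_STYLE = [(5, "NOT_EXEMPT_SSH", "forward capture"), (10, "EVERYTHINGELSE", "forward")]

# Constructed test packets (not captured traffic).
SAMPLES = {
    "exempt ssh":       Packet("10.90.12.24", "10.90.24.7", "tcp", 22),
    "ssh from 20.0/24": Packet("192.168.20.55", "10.91.4.7", "tcp", 22),
    "ssh from 21.0/24": Packet("192.168.21.55", "10.91.4.7", "tcp", 22),
    "https same hosts": Packet("10.90.12.24", "10.90.24.7", "tcp", 443),
    "dns same hosts":   Packet("10.90.12.24", "10.90.24.7", "udp", 53),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:17} part1={vacl_action(PART1, ACLS, pkt):16} "
              f"deny-style={vacl_action(PART1_DENY_STYLE, ACLS, pkt):16} "
              f"without catch-all={vacl_action(PART1[:1], ACLS, pkt)}")
```

Run the module to see each sample packet's disposition; the "without catch-all" column shows what happens when the permit ip any any entry is left off, which is the configuration that drops the VLANs' traffic.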
Now apply the VACL filter to your RSPAN VLAN. Note that the commands below apply a map named FILTER, which is not the access map defined above (part1); vlan filter references an access map by name, so use the name you actually configured or nothing is applied. Verify the result with show vlan access-map and show vlan filter.

# vlan 999
# remote-span
# interface vlan 999
# exit
# vlan filter FILTER vlan-list 999

Now put your IPS interface into the RSPAN VLAN. (On the Catalyst 6500 the port that receives VACL-captured packets is normally designated with switchport capture on the interface; check your platform's documentation for the exact step.)

# interface gi9/32
# switchport access vlan 999

Now plug your Cisco IPS, Snort, Wireshark or whatever monitoring device you have into interface gi9/32 and let the packet capture begin. Are you tired of having to Google every time you need to configure your switch or router? Take your Cisco skills to the next level in short order with Transcender. They offer free practice exams and an exam pass guarantee. Transcender helped me obtain my CCNA.

Filed Under: Networking

Comments

  1. Glenn Newman says

    October 19, 2011 at 7:06 pm

    Filtering out traffic can also be done by using "deny" and then permit in the access list for the first access map entry and then a "permit any" to make sure the traffic that you denied gets forwarded.
