Cisco 2960XR Switch – Consoles

Here are a few ways you can use a Cisco switch to monitor traffic. Traffic monitoring is essentially packet capturing.

Monitor Session

VLAN access maps

Monitor Session can be done on just about all Cisco switches, but the number of monitor sessions you can use at any given time is limited. In this example, the number behind the session represents the session number, and must match on both the source and the destination interfaces. Plug your laptop into any source port and use a packet capture tool to start sniffing packets.

    monitor session 1 source interface fastethernet 0/2
    monitor session 1 destination interface fastethernet 0/3

VLAN Access Maps

VLAN access maps are fantastically cool. They allow more granular control over your packet capture, and take place at wire speed. Also, VLAN access maps do not hit the switch CPU nearly as hard as monitor sessions.

Here are the commands you should use. I'll explain the commands in greater depth further down. In this example we WON'T capture SSH traffic from certain hosts, but will monitor everything else.

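    vlan access-map part1 5
     match ip address MONEY
     action forward

    vlan access-map part1 10
     match ip address EVERYTHINGELSE
     action forward capture

    vlan filter part1 vlan-list 1-5,9-10

    ! One permit line per host pair whose SSH traffic is not captured.
    ! <source-ip> and <destination-ip> are placeholders for the host addresses.
    ip access-list extended MONEY
     permit tcp host <source-ip> host <destination-ip> eq ssh
     permit tcp host <source-ip> host <destination-ip> eq ssh
     permit tcp host <source-ip> host <destination-ip> eq ssh
     permit tcp host <source-ip> host <destination-ip> eq ssh
     permit tcp host <source-ip> host <destination-ip> eq ssh
    ip access-list extended EVERYTHINGELSE
     permit ip any any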

    # vlan 999
    # exit
    # vlan filter FILTER vlan-list 999
    # interface gi9/32
    # switchport access vlan 999

How to sniff or monitor network traffic using this VLAN access map

The "part1" used below is merely an index or name for this packet capture. The VLAN access map is processed in ascending order, based on the number next to the name "part1". Because "5" is the lowest number, the access map first forwards the packets that match the MONEY access list.

    vlan access-map part1 5
     match ip address MONEY
     action forward

Now the VLAN access map part1 will act on number "10", as it is the next highest number after "5" used in this access map. The switch will forward and capture the packets that match the access list EVERYTHINGELSE. The packets that matched the previous ACL have already been forwarded in sequence # 5, so they are not captured.
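The sequence-ordered, first-match behaviour described above, modelled in Python as an added example (not code from the original page or from Cisco). The host addresses are constructed sample values and the names `acl_permits` and `evaluate` are hypothetical; the drop result for IP traffic that matches no sequence follows Cisco's documented VLAN map behaviour.

```python
# Added illustration: how the switch walks "vlan access-map part1".
# All addresses are constructed documentation values, not taken from the page.
SSH = 22

# ACL entry: (protocol, source host or None = any, destination host or None, dest port or None)
ACLS = {
    "MONEY": [("tcp", "192.0.2.10", "192.0.2.20", SSH)],
    "EVERYTHINGELSE": [("ip", None, None, None)],  # permit ip any any
}

# (sequence number, matched ACL, action); listed out of order on purpose,
# because the sequence number, not the entry order, decides evaluation.
PART1 = [
    (10, "EVERYTHINGELSE", "forward capture"),
    (5, "MONEY", "forward"),
]


def acl_permits(acl_name, pkt):
    """True if any permit entry of the named ACL matches the packet."""
    for proto, src, dst, dport in ACLS[acl_name]:
        if proto not in ("ip", pkt["proto"]):
            continue
        if src is not None and src != pkt["src"]:
            continue
        if dst is not None and dst != pkt["dst"]:
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        return True
    return False


def evaluate(access_map, pkt):
    """Return (sequence, action) of the lowest-numbered entry that matches."""
    for seq, acl_name, action in sorted(access_map):
        if acl_permits(acl_name, pkt):
            return seq, action
    # IP packet matched none of the map's IP match clauses: it is dropped.
    return None, "drop"


if __name__ == "__main__":
    excluded_ssh = {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.20", "dport": SSH}
    other_ssh = {"proto": "tcp", "src": "192.0.2.99", "dst": "192.0.2.20", "dport": SSH}
    dns = {"proto": "udp", "src": "192.0.2.99", "dst": "192.0.2.53", "dport": 53}
    for name, pkt in [("excluded ssh", excluded_ssh), ("other ssh", other_ssh), ("dns", dns)]:
        print(name, evaluate(PART1, pkt))
    # Without sequence 10 the map would filter, not just skip capturing:
    print("dns, sequence 5 only", evaluate([e for e in PART1 if e[0] == 5], dns))
```

The last call shows why sequence 10 has to forward as well as capture: a VLAN access map filters traffic inline, so a map that holds only sequence 5 drops everything that is not the excluded SSH traffic.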
