Configuring VACLs for Catalyst 6500 Traffic Capture


The Catalyst 6500 switch allows you to capture traffic using the SPAN and RSPAN commands as well as VACLs. This section guides you through the configuration tasks for using VACLs to copy traffic from a Catalyst 6500 switch to a Sensor's monitoring port. First, we go through the configuration steps for a switch running Catalyst OS, and then we cover the steps for IOS.

Catalyst OS VACL Configuration Tasks

To configure the Catalyst 6500 switch running Catalyst OS to capture traffic for IDS analysis, you use a series of set security acl commands and a commit security acl command. The steps for this configuration follow:

  1. Create the VACL using the set security acl ip command to capture interesting traffic.

  2. Commit a VACL to memory with the commit security acl command.

  3. Map the VACL to VLANs using the set security acl map command.

  4. Assign the Sensor's monitoring port as the VACL capture port using the set security acl capture-ports command.

1. Create the VACL Using the set security acl ip Command to Capture Interesting Traffic

This command creates a VACL called SMART_ACL to capture all IP traffic for IDS analysis:


 switch>(enable) set security acl ip SMART_ACL permit ip any any capture 

You need the capture keyword on each ACE whose matching traffic should be copied to the Sensor's monitoring port; an ACE without it still permits or denies the traffic but captures nothing. Use the clear security acl command to remove one or all access control entries (ACEs) from a VACL.

The complete syntax for the set security acl ip command is detailed here:


 set security acl ip acl_name {permit | deny} src_ip_spec
 set security acl ip acl_name {permit | deny} [ip] src_ip_spec dest_ip_spec [fragment] [capture]
 set security acl ip acl_name {permit | deny} [icmp | 1] src_ip_spec dest_ip_spec [icmp_type] [icmp_code] | [icmp_message] [capture]
 set security acl ip acl_name {permit | deny} [tcp | 6] src_ip_spec [operator port [port]] dest_ip_spec [operator port [port]] [established] [capture]
 set security acl ip acl_name {permit | deny} [udp | 17] src_ip_spec [operator port [port]] dest_ip_spec [operator port [port]] [capture]

Table 4.7 lists and describes the command syntax for the set security acl ip command.

Table 4.7. Command Syntax for the set security acl ip Command

Command Syntax   Description
---------------  ------------------------------------------------------------------
acl_name         Unique name that identifies the list to which the entry belongs.
permit           Keyword to allow traffic from the source IP address.
deny             Keyword to deny traffic from the source IP address.
src_ip_spec      Source IP address and the source mask.
ip               (Optional) Keyword or number to match any IP packets.
dest_ip_spec     Destination IP address and the destination mask.
icmp | 1         (Optional) Keyword or number to match Internet Control Message Protocol (ICMP) packets.
icmp_type        (Optional) ICMP message type name or number.
icmp_code        (Optional) ICMP message code name or number.
icmp_message     (Optional) ICMP message type name, or ICMP message type and code name.
tcp | 6          (Optional) Keyword or number to match TCP packets.
operator         (Optional) Operand. Valid values are lt (less than), gt (greater than), eq (equal to), neq (not equal to), and range (inclusive range).
port             (Optional) Number or name of a TCP or User Datagram Protocol (UDP) port. Valid port numbers are 0 to 65,535.
established      (Optional) Keyword to match only established connections. Used only with TCP.
udp | 17         (Optional) Keyword or number to match UDP packets.


It's very important that you pay attention to the order of ACEs within the VACL. Each packet entering a mapped VLAN is checked against the first ACE in the VACL. If it matches, the packet is permitted or denied according to that ACE, a copy is sent to the capture port only if that ACE carries the capture keyword, and the rest of the VACL is not processed. If there is no match, the packet is checked against the next ACE in the list. If no ACE matches, the packet is implicitly denied (dropped). A broad ACE placed above a more specific one therefore shadows it, and a VACL that names only the traffic you want to capture will drop everything else in the VLAN unless you end it with a permit that covers the remaining traffic.

2. Commit the VACL to Memory

After you've created your VACL to capture interesting traffic, you need to commit your VACL to memory, which you do quite simply using this command:


 switch>(enable) commit security acl SMART_ACL 

The complete syntax for the commit security acl command is


 commit security acl {acl_name | all}

Table 4.8 lists and describes the command syntax for the commit security acl command.

Table 4.8. Command Syntax for the commit security acl Command

Command Syntax   Description
---------------  ------------------------------------------------------------
acl_name         Name that identifies the VACL whose ACEs are to be committed
all              Keyword to commit the ACEs of all VACLs


All changes to ACLs are stored temporarily in an edit buffer, so it's key that you use the commit command to commit all ACEs to nonvolatile RAM (NVRAM). Committed ACLs with no ACEs are deleted.

3. Map the VACL to VLANs

This command maps the VACL to VLANs:


 switch>(enable) set security acl map SMART_ACL 1969 

This sample command uses the set security acl map command to map the VACL called SMART_ACL, now committed to NVRAM, to VLAN 1969. The clear security acl map command allows you to remove a VACL-to-VLAN mapping. The syntax for the set security acl map command is


 set security acl map acl_name vlan

Table 4.9 lists and describes the command syntax for the set security acl map command.

Table 4.9. Command Syntax for the set security acl map Command

Command Syntax   Description
---------------  ------------------------------------------------------------
acl_name         Name that identifies the VACL being mapped
vlan             Number of the VLAN to which the VACL is mapped


4. Assign the Sensor's Monitoring Port as the VACL Capture Port

Finally, use the set security acl capture-ports command to set the destination ports to receive the captured traffic that you specified in the VACL you created back in Step 1. The following example assigns the Sensor's monitoring port 3/1 as the capture port:


 switch>(enable) set security acl capture-ports 3/1 

Note: Take care not to confuse this command with the set security acl ip command. The capture keyword on set security acl ip marks which traffic the VACL captures; set security acl capture-ports decides which port that traffic is sent to.


Use the clear security acl capture-ports command to remove a port from the capture port list. The syntax for the set security acl capture-ports command is as follows:


 set security acl capture-ports mod/ports[, mod/ports...]

The mod/ports variable is where you provide the module and port numbers.
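The four Catalyst OS steps above, combined into a single narrowed capture VACL. This is an added example and not a configuration from the original page or from Cisco's documentation: it captures only HTTP to and from a web server at 10.1.1.10 (an assumed, hypothetical address), reuses VLAN 1969 and sensor port 3/1 from the page's own examples, and shows how the ACE ordering and implicit-deny rules described earlier play out in practice.

```cisco
! Added example, not from the original page. Assumption: the web server of
! interest is 10.1.1.10 (hypothetical). VLAN 1969 and port 3/1 come from the
! page's own examples.

! Step 1: ACEs are evaluated top-down, first match wins. Capture HTTP in both
! directions so the Sensor sees the whole TCP conversation, not only requests.
switch>(enable) set security acl ip SMART_ACL permit tcp any host 10.1.1.10 eq 80 capture
switch>(enable) set security acl ip SMART_ACL permit tcp host 10.1.1.10 eq 80 any capture

! Without this trailing permit, every other packet in VLAN 1969 would reach
! the implicit deny at the end of the VACL and be dropped. It deliberately has
! no "capture" keyword, so that traffic is forwarded but not copied.
switch>(enable) set security acl ip SMART_ACL permit ip any any

! Step 2: move the edit buffer into NVRAM; nothing is active until this runs.
switch>(enable) commit security acl SMART_ACL

! Step 3: map the committed VACL to the monitored VLAN.
switch>(enable) set security acl map SMART_ACL 1969

! Step 4: nominate the Sensor's monitoring port as the capture destination.
switch>(enable) set security acl capture-ports 3/1

! Verify the committed ACE order, the VLAN mapping and the capture port list.
switch>(enable) show security acl info SMART_ACL
switch>(enable) show security acl map SMART_ACL
switch>(enable) show security acl capture-ports
```

Both directions of the HTTP flow are captured because a Sensor that sees only client-to-server packets cannot reassemble the TCP stream it is meant to inspect. The final permit ip any any is the part most often forgotten: leave it out and the implicit deny silently drops every non-HTTP packet in VLAN 1969, which turns a monitoring change into an outage.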

IOS VACL Configuration Tasks

Now, we go into the commands you need to configure VACLs on a Catalyst 6500 switch running IOS software. Unfortunately, there are a few more steps for IOS than there are for Catalyst OS:

  1. Configure ACLs to define interesting traffic.

  2. Define a VLAN access map.

  3. Configure the match clause in the VLAN access map using ACLs.

  4. Configure the action clause in the VLAN access map using the capture option.

  5. Apply the VLAN access map to the specified VLANs.

  6. Select an interface.

  7. Enable the capture function on the interface.

Please refer to the section later in this chapter, "Create the ACL to Capture Interesting Traffic," which covers the ACL configuration step and command syntax in detail.

Exam Alert: It's very important to know this command sequence and to be able to distinguish it from the command sequence for configuring VACLs on a Catalyst 6500 running Catalyst OS software.


The following sections describe the configuration steps in detail.

Create a VLAN Access Map

A VLAN access map consists of one or more map sequences, each of which has one match clause and one action clause. The match clause specifies an ACL, whereas the action clause specifies the action to be taken when a match in the ACL occurs. The following command creates an access map called capture_http and puts you in config-access-map mode so that you can configure the match and action clauses:


 Router(config)# vlan access-map capture_http
 Router(config-access-map)#

Here is the syntax for the vlan access-map command:


 vlan access-map name [seq#]

Table 4.10 lists and describes the command syntax for the vlan access-map command.

Table 4.10. Command Syntax for the vlan access-map Command

Command Syntax   Description
---------------  ------------------------------------------------------------
name             The VLAN access map name.
seq#             (Optional) Map sequence number. Valid values are from 0 to 65,535.


Configure the Match Clause in the VLAN Access Map Using ACLs

Now that you're in config-access-map mode, you can configure both the match and the action clauses. The following command selects ACL 125 for the VLAN access map sequence:


 Router(config-access-map)# match ip address 125 

Following is the syntax for the match command:


 match ip address {acl-number | acl-name}

Table 4.11 lists and describes the command syntax for the match command.

Table 4.11. Command Syntax for the match Command

Command Syntax          Description
----------------------  ------------------------------------------------------------
ip address acl-number   Selects a numbered IP ACL for the VLAN access map sequence. Valid values are from 1 to 199 and from 1300 to 2699.
ip address acl-name     Selects an IP ACL by name.


Configure the Action Clause in the VLAN Access Map Using the capture Option

While still in config-access-map mode, you configure the VACL to capture traffic by using the action clause. This command configures the VACL to capture traffic that matches the match clause from the previous statement:


 Router(config-access-map)# action forward capture 

The complete syntax is


 action {drop [log]} | {forward [capture]} | {redirect {interface interface-number} | {port-channel channel-id} [{interface interface-number} | {port-channel channel-id} ...]}

Table 4.12 lists and describes the command syntax for the action command.

Table 4.12. Command Syntax of the action Command

Command Syntax           Description
-----------------------  ------------------------------------------------------------
drop                     Drops the packets.
log                      (Optional) Logs the dropped packets in software.
forward                  Forwards packets (switched in hardware) to their destinations.
capture                  (Optional) Sets the capture bit on forwarded packets so that ports with the capture function enabled also receive a copy.
redirect interface       Redirects packets to the specified interfaces; valid interface types are ethernet, fastethernet, gigabitethernet, tengigabitethernet, pos, atm, and ge-wan.
interface-number         Module and port number; refer to the Usage Guidelines for valid values.
port-channel channel-id  Port channel to which traffic is redirected; refer to the Usage Guidelines for valid values.


Apply the VLAN Access Map to the Specified VLANs

After you configure the match and action clauses for your access map, exit config-access-map mode back to global configuration mode, from which you apply your access map to VLANs using the vlan filter command. Use the no form of the vlan filter command to clear VLAN access maps from VLANs or interfaces. The following command applies the VLAN access map capture_http to VLANs 125 through 831:


 Router(config)# vlan filter capture_http vlan-list 125-831

The following is the complete syntax for the vlan filter command:


 vlan filter map-name {vlan-list vlan-list | interface interface-number}

Table 4.13 lists and describes the command syntax for the vlan filter command.

Table 4.13. Command Syntax for the vlan filter Command

Command Syntax    Description
----------------  ------------------------------------------------------------
map-name          VLAN access map tag.
vlan-list         VLAN list. Refer to the Usage Guidelines for valid values.
interface         Specifies the WAN interface type. Valid options are pos, atm, or serial.
interface-number  Interface number. The format can be mod/port or slot/port_adapter/port and can include a subinterface or channel group descriptor.


You can apply the VLAN access map to one or more VLANs, but you can only map one VLAN access map to each VLAN or WAN interface.

Select an Interface

Now it's time to enter interface configuration mode by selecting the interface on which you enable the capture function:


 Router(config)# interface fastethernet 2/5
 Router(config-if)#

You should already be very familiar with this command syntax:


 interface  type number  

Table 4.14 lists and describes the command syntax for the interface command.

Table 4.14. Command Syntax for the interface Command

Command Syntax   Description
---------------  ----------------------------------
type             Type of interface to be configured
number           Module and port number


Enable the Capture Function on the Interface

Finally, the last step for configuring VACLs on Catalyst IOS is to enable the capture function on the previously selected interface. You do so using the switchport capture command. The no form of this command disables the capture mode on the port. This command configures the interface ( fastethernet 2/5 from the last step) to capture VACL-filtered traffic:


 Router(config-if)# switchport capture 

Exam Alert: Use the switchport capture command to enable the capture function on an interface when configuring VACL traffic capture on a Catalyst 6500 running IOS software. Remember this information as you prepare for the exam.


Appending the allowed vlan keywords to the switchport capture command allows you to restrict capture to specific VLANs.

This step then transforms the port from its originally configured mode to monitor mode, meaning that the port no longer belongs to any VLANs and does not allow incoming traffic. The port preserves Interswitch Link (ISL) or dot1q encapsulation if the capture port is a trunk port. If the port is an access port, there will be no encapsulation. Make sure that you set the required encapsulation type and mode on the capture port before entering the switchport capture command.
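The seven IOS steps above, put together end to end. This is an added example and not a configuration from the original page or from Cisco's documentation. It assumes the interesting traffic is HTTP to and from a web server at 10.1.1.10 (a hypothetical address), defines that traffic in ACL 125 because that is the number the page's match example uses, and keeps capture_http, VLANs 125 through 831 and fastethernet 2/5 from the page's own examples. It also adds the catch-all map sequence and the trunk settings that the surrounding text says a working deployment needs.

```cisco
! Added example, not from the original page. Assumptions: the web server of
! interest is 10.1.1.10 (hypothetical); ACL 125, capture_http, VLANs 125-831
! and fastethernet 2/5 are reused from the page's own examples.

! Step 1: define interesting traffic. Both directions of HTTP are matched so
! the Sensor can reassemble the full TCP stream.
Router(config)# access-list 125 permit tcp any host 10.1.1.10 eq www
Router(config)# access-list 125 permit tcp host 10.1.1.10 eq www any

! Steps 2-4: sequence 10 forwards and captures whatever ACL 125 permits.
Router(config)# vlan access-map capture_http 10
Router(config-access-map)# match ip address 125
Router(config-access-map)# action forward capture
Router(config-access-map)# exit

! A packet that matches no sequence of the map is dropped, so add a catch-all
! sequence with no match clause that forwards (without capturing) the rest.
Router(config)# vlan access-map capture_http 20
Router(config-access-map)# action forward
Router(config-access-map)# exit

! Step 5: bind the map to the monitored VLANs (one map per VLAN).
Router(config)# vlan filter capture_http vlan-list 125-831

! Steps 6-7: make the port a dot1q trunk BEFORE enabling capture, so the
! copies delivered to the Sensor keep their VLAN tags. After switchport
! capture the port belongs to no VLAN and accepts no incoming traffic.
Router(config)# interface fastethernet 2/5
Router(config-if)# switchport
Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport mode trunk
Router(config-if)# switchport capture
! Restrict the capture port to the filtered VLANs (the allowed vlan option).
Router(config-if)# switchport capture allowed vlan 125-831
Router(config-if)# end

! Verify the map sequences and the VLAN filter binding.
Router# show vlan access-map capture_http
Router# show vlan filter access-map capture_http
```

Sequence 20 plays the same role as the trailing permit ip any any in the Catalyst OS procedure: without it, every packet in VLANs 125 through 831 that is not HTTP to the web server is dropped rather than forwarded. The trunk settings are applied first because the text above is explicit that switchport capture preserves ISL or dot1q encapsulation only when the port was already configured as a trunk.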



CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213