Using the mls ip ids Command for Catalyst 6500 Traffic Capture


If you're running the Cisco IOS Firewall on the Multilayer Switch Feature Card (MSFC), you won't be able to use VACLs to capture traffic for the IDSM because VACLs can't be applied to a VLAN that has an ip inspect rule for the IOS Firewall applied to it. In this case, you need to use the mls ip ids command to designate which packets are captured.


Packets permitted by the ACL are captured and those denied are not captured; the permit/deny parameter only determines capture and doesn't affect forwarding to destination ports. In other words, packets that are denied are neither captured nor dropped.


Catalyst OS Configuration Tasks

You need to perform the following tasks to capture traffic using the mls ip ids feature on a Catalyst 6500 running Catalyst OS:

  1. Create the ACL to capture interesting traffic.

  2. Select the VLAN interface.

  3. Apply the ACL to the interface.

  4. Assign the Sensor's monitoring port as the VACL capture port.

Create the ACL to Capture Interesting Traffic

To create the ACL to capture interesting traffic, use this syntax:


 Router(config)# ip access-list extended IOS_ACL
 Router(config-ext-nacl)# permit ip any any

Use the ip access-list command to create a named IP extended ACL to specify the traffic to be captured for IDS analysis. The syntax for this command is


 ip access-list extended acl_name {deny | permit} protocol source source-wildcard destination destination-wildcard

Table 4.15 lists and describes the command syntax for the ip access-list extended command.

Table 4.15. Command Syntax for the ip access-list extended Command

  acl_name
      Name of the ACL.

  permit
      Keyword to allow access if conditions match.

  deny
      Keyword to deny access if conditions match.

  protocol
      Name or number of an IP protocol. The name can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp. It may also be an integer in the range 0 to 255 representing the IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols accept further qualifiers that are not covered in this table.

  source
      Number of the network or host from which the packet is being sent. The keyword any is an abbreviation for a source of 0.0.0.0 with a source wildcard of 255.255.255.255. The form host source is an abbreviation for a source with a source wildcard of 0.0.0.0.

  source-wildcard
      Wildcard bits to be applied to the source. Each wildcard bit set to 0 means that an exact match is needed for this bit position; each wildcard bit set to 1 means that the bit in this position may be either 0 or 1. The any and host abbreviations described under source apply here as well.

  destination
      Number of the network or host to which the packet is being sent. The keyword any is an abbreviation for a destination of 0.0.0.0 with a destination wildcard of 255.255.255.255. The form host destination is an abbreviation for a destination with a destination wildcard of 0.0.0.0.

  destination-wildcard
      Wildcard bits to apply to the destination. Use 1s in the bit positions where an exact match isn't needed. The any and host abbreviations described under destination apply here as well.



Use the ip access-list command to create an access list when using the mls ip ids command on a Catalyst 6500 MSFC running Cisco IOS Firewall. Remember this information when preparing for the exam.


Select the VLAN Interface

Again, you use the very familiar interface vlan command to enter interface configuration mode and to create or access a VLAN interface:


 Router(config)# interface vlan 1970
 Router(config-if)#

Apply the ACL to the Interface with the mls ip ids Command

Continuing from the interface vlan command in interface configuration mode, you use the mls ip ids command to apply the ACL, in this case called MLS_ACL , to the VLAN interface:


 Router(config-if)# mls ip ids MLS_ACL 

As previously mentioned, packets permitted by the ACL are captured and those denied are not captured; the permit/deny parameter only determines capture and doesn't affect forwarding to destination ports. Therefore, denied packets are passed through and are neither dropped nor captured.
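As an added illustration (not code from the book or from Cisco), the following Python models how an ip access-list extended ACL selects traffic under mls ip ids: it parses the permit/deny entries and the any/host abbreviations described in Table 4.15, applies the wildcard-mask rule bit by bit, evaluates entries top-down with the implicit deny at the end, and returns a (captured, forwarded) pair that makes the point of the note above concrete: permit means capture, deny means no capture, and neither outcome changes forwarding. The ACL name MLS_ACL comes from the text; its entries, addresses and the sample packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Protocol keywords from Table 4.15 with their IP protocol numbers.
# "ip" is handled separately (it matches every protocol); a bare
# integer 0-255 is also accepted in the protocol field.
PROTOCOL_NUMBERS = {
    "icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "igrp": 9, "udp": 17,
    "gre": 47, "eigrp": 88, "ospf": 89, "nos": 94, "pim": 103,
}

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass
class AclEntry:
    action: str      # "permit" (capture) or "deny" (do not capture)
    protocol: str    # keyword, "ip", or a decimal protocol number
    src: AddrSpec
    dst: AddrSpec


def _parse_address(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one source/destination spec starting at tokens[i].

    'any'    is shorthand for 0.0.0.0 255.255.255.255
    'host X' is shorthand for X 0.0.0.0
    otherwise the spec is written as 'address wildcard'.
    """
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_entry(line: str) -> AclEntry:
    """Parse one '{permit|deny} protocol source destination' entry."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + line)
    if proto != "ip" and proto not in PROTOCOL_NUMBERS and not (
            proto.isdigit() and int(proto) <= 255):
        raise ValueError("unknown protocol: " + proto)
    src, i = _parse_address(tokens, 2)
    dst, i = _parse_address(tokens, i)
    if i != len(tokens):
        raise ValueError("unexpected trailing tokens in: " + line)
    return AclEntry(action, proto, src, dst)


def build_acl(lines: List[str]) -> List[AclEntry]:
    return [parse_entry(line) for line in lines if line.strip()]


def wildcard_match(spec: AddrSpec, address: int) -> bool:
    """A 0 bit in the wildcard demands an exact match in that position;
    a 1 bit means 'don't care'. So the entry and packet addresses may
    differ only where the wildcard bit is 1."""
    addr, wild = spec
    return ((addr ^ address) & ~wild & 0xFFFFFFFF) == 0


def _protocol_match(entry_proto: str, packet_proto: int) -> bool:
    if entry_proto == "ip":
        return True
    wanted = PROTOCOL_NUMBERS.get(entry_proto)
    if wanted is None:
        wanted = int(entry_proto)
    return wanted == packet_proto


def capture_decision(acl: List[AclEntry], src_ip: str, dst_ip: str,
                     protocol: int) -> Tuple[bool, bool]:
    """Return (captured, forwarded) for one packet under mls ip ids.

    Entries are evaluated top-down and the first match wins; a packet
    that matches nothing hits the implicit deny at the end of every ACL.
    permit copies the packet to the capture port, deny does not, and
    neither touches forwarding, so 'forwarded' is always True: the ACL
    selects traffic for the sensor, it does not filter it.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    for entry in acl:
        if (_protocol_match(entry.protocol, protocol)
                and wildcard_match(entry.src, src)
                and wildcard_match(entry.dst, dst)):
            return (entry.action == "permit", True)
    return (False, True)  # implicit deny: not captured, still forwarded


# Constructed sample ACL: the name MLS_ACL is from the text, the entries
# and addresses are made up for this example.
MLS_ACL_LINES = [
    "deny ip host 10.1.1.99 any",          # leave one noisy host out of the capture
    "permit tcp 10.1.1.0 0.0.0.255 any",   # all TCP from the 10.1.1.0/24 LAN
    "permit udp any host 192.168.1.53",    # all UDP to one DNS server
]
MLS_ACL = build_acl(MLS_ACL_LINES)

if __name__ == "__main__":
    samples = [("10.1.1.99", "192.168.1.1", 6), ("10.1.1.5", "192.168.1.1", 6),
               ("10.1.2.5", "192.168.1.1", 6), ("172.16.0.1", "192.168.1.53", 17),
               ("172.16.0.1", "192.168.1.53", 6)]
    for s, d, p in samples:
        captured, forwarded = capture_decision(MLS_ACL, s, d, p)
        print(f"{s:>12} -> {d:<14} proto {p:<3} captured={captured} forwarded={forwarded}")
```

Run it as a script to see the five constructed packets evaluated; the host excluded by the deny entry and the packets that fall through to the implicit deny both come back as not captured but forwarded, which is the behaviour to keep in mind when an ACL written for capture looks like one written for filtering.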

Assign the Sensor's Monitoring Port as the VACL Capture Port

Finally, you complete the configuration by assigning switch ACL capture ports with the set security acl capture-ports command. The following example assigns port 3/1 as a capture port:


 Switch> (enable) set security acl capture-ports 3/1

The clear security acl capture-ports command removes a port from the capture port list. The full syntax of the set command is as follows:


 set security acl capture-ports <mod/ports> [<mod/ports>...]

IOS Configuration Tasks

The tasks to configure capture for the Catalyst 6500 running IOS using the mls ip ids command are similar to those for the Catalyst OS:

  1. Use the IOS ip access-list command to configure an ACL to specify traffic to be captured.

  2. Select the VLAN interface with the interface vlan command.

  3. Apply the ACL to the interface with the mls ip ids command.

  4. Use the switchport capture command to enable the capture function on the interface so that packets with the capture bit set are received by the interface.

Each of these tasks is covered in detail in the previous sections, so the examples and syntax are not repeated here.



CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213