Security Incidents mailing list archives
Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only
From: "AJ Cochenour" <ajc () mytcpip net>
Date: Tue, 11 Apr 2006 08:07:48 -0700 (PDT)
Use the following in conjunction with any host capable of running tcpdump, ethereal, etc. (assuming CatOS):

  set span 1,6 1/2 rx inpkts disable learning enable multicast enable create

Broken down:

  set span <SRC VLAN N..M> <DST Interface> <Direction> <Enable inband packets to sensor interface disabled> <MAC Address learning enabled> <Multicast eligible frame destination enabled> <create new SPAN session>

In the example given all frames received by the supervisor for (native) VLAN 1 and those tagged for VLAN 6 will be forwarded to the destination port '1/2'.

AJC
ajc () mytcpip net
> On Apr 10, 2006, at 4:04 AM, Stef wrote:
>
>> Thanks to all who answered - basically the suggestions revolved around the same type of solution I assumed originally to be needed (span/mirror/monitor ports, one at a time, to a probe machine - whether done via a script on the switch, itself, or controlled remotely). The above solution is different (saving tons of work), and it is in fact something I have tried in the past, but never been able to get to work properly [the entire traffic]. I am thankful for the reminder, as I could give it another shot.
>
> I've found tcpdump -e to be useful, too - didn't think of that, good suggestion.
>
> Doing it the other way at the console isn't a lot of work (*not* one port at a time - one blade at a time via port-ranges for the SPAN source, then narrowing down the port ranges), it's about 5 minutes or so, max, FYI.
>
> Here's some documentation on SPAN/RSPAN for the 4500 series:
>
> http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a0080176332.html
>
> Good luck!
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice
>
> Everything has been said. But nobody listens.
>
> -- Roger Shattuck
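The "tcpdump -e" idea from the message above, carried one step further as an added example (this is not code from anyone in the thread): read tcpdump -e -nn output captured on the SPAN destination port, flag packets whose source address falls in a bogon prefix, and report the Ethernet source address (and the 802.1Q tag, if the SPAN delivers tagged frames) that emitted them. The MAC is the thing you can actually trace to a physical port. The sample capture lines and the bogon prefix list are constructed for illustration; the prefixes are a small subset of reserved space, not a maintained bogon feed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, illustrative subset of reserved address space treated as
# "bogon" here. Not an authoritative bogon list; substitute a maintained one.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",      # "this" network
    "127.0.0.0/8",    # loopback
    "192.0.2.0/24",   # TEST-NET-1, documentation only
    "240.0.0.0/4",    # reserved for future use
)]

# One 'tcpdump -e -nn' line for an IPv4 frame, untagged or 802.1Q-tagged:
#   <ts> <srcmac> > <dstmac>, [ethertype 802.1Q (0x8100), vlan N, p P, ]
#   ethertype IPv4 (0x0800), length L: <srcip>[.port] > <dstip>[.port]: ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17})\s+>\s+(?P<dmac>[0-9a-f:]{17}),"
    r"(?:\s+ethertype 802\.1Q \(0x8100\),\s+vlan (?P<vlan>\d+),\s+p \d+,)?"
    r"\s+ethertype IPv4 \(0x0800\),\s+length \d+:\s+"
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?\s+>\s+"
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?[:,]"
)


def is_bogon(ip: str) -> bool:
    """True if ip falls inside one of BOGON_PREFIXES."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_PREFIXES)


def parse_line(line: str):
    """Parse one tcpdump -e -nn line; None if it is not an IPv4 frame we understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    vlan = m.group("vlan")
    return {
        "smac": m.group("smac"),
        "dmac": m.group("dmac"),
        "vlan": int(vlan) if vlan is not None else None,  # None = untagged frame
        "sip": m.group("sip"),
        "dip": m.group("dip"),
    }


def bogon_sources(lines):
    """Group bogon-sourced packets by the Ethernet source address that sent them.

    Returns {src_mac: {(vlan, src_ip), ...}}. The MAC is what you then look up
    in the switch's address table to find the physical port.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_bogon(rec["sip"]):
            hits[rec["smac"]].add((rec["vlan"], rec["sip"]))
    return dict(hits)


# Constructed sample capture in tcpdump -e -nn format (not a real capture).
# Line 2 is a tagged frame from VLAN 6; line 5 is ARP and is skipped.
SAMPLE_CAPTURE = """\
08:07:48.100001 00:0c:29:aa:bb:cc > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 74: 10.6.0.25.49152 > 10.1.0.10.80: Flags [S], seq 1, win 65535, length 0
08:07:48.100002 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), vlan 6, p 0, ethertype IPv4 (0x0800), length 64: 192.0.2.77.1234 > 10.6.0.1.53: 1+ A? example.invalid. (33)
08:07:48.100003 00:1b:21:dd:ee:ff > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 60: 241.1.2.3 > 10.6.0.1: ICMP echo request, id 7, seq 1, length 40
08:07:48.100004 00:50:56:11:22:33 > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 60: 10.6.0.40 > 10.1.0.10: ICMP echo request, id 9, seq 1, length 40
08:07:48.100005 00:50:56:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.6.0.1 tell 10.6.0.40, length 28
"""


if __name__ == "__main__":
    import sys
    # Pipe a live capture in ("tcpdump -e -nn -i <sensor if> | python3 this.py"),
    # or run with no input to see the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    for mac, seen in sorted(bogon_sources(source).items()):
        for vlan, ip in sorted(seen, key=str):
            tag = f"vlan {vlan}" if vlan is not None else "untagged"
            print(f"{mac}  {tag:>9}  src {ip}")
```

On the constructed sample this reports 00:0c:29:aa:bb:cc sending from 192.0.2.77 on VLAN 6 and 00:1b:21:dd:ee:ff sending from 241.1.2.3 untagged; the other two IPv4 frames have legitimate sources and the ARP frame is ignored. Each reported MAC is then looked up in the switch's CAM table (show cam on CatOS) to find the port and hence the host, which is the step NetFlow alone cannot give you.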
Current thread:
- Bogon IPs traffic only seen by netflow, confined within a VLAN only Stef (Apr 09)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Roland Dobbins (Apr 10)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Valdis . Kletnieks (Apr 10)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Roland Dobbins (Apr 10)
- <Possible follow-ups>
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Stef (Apr 10)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Roland Dobbins (Apr 10)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only AJ Cochenour (Apr 11)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Roland Dobbins (Apr 10)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only stcroix111 (Apr 10)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only tsteeves (Apr 12)
- RE: Bogon IPs traffic only seen by netflow, confined within a VLAN only David Gillett (Apr 12)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Lupe Christoph (Apr 13)
- RE: Bogon IPs traffic only seen by netflow, confined within a VLAN only David Gillett (Apr 12)