Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only

["AJ Cochenour" <ajc () mytcpip net>]

Use the following in conjuction with any host capable of running tcpdump,
ethereal, etc. (assuming CatOS):

'set span 1,6 1/2 rx inpkts disable learning enable multicast enable create'

Broken down:

'set span <SRC VLAN N..M> <DST Interface> <Direction> <Enable inband
packets to sensor interface disabled> <MAC Address learing enabled>
<Multicast eligible frame destination enabled> <create new SPAN session>'

In the example given all frames received by the supervisor for (native)
VLAN 1 and those tagged for VLAN 6 will be forwarded to the destination
port '1/2'.


AJC
ajc () mytcpip net

> On Apr 10, 2006, at 4:04 AM, Stef wrote:
>
> > Thanks to all who answered - basically the suggestions revolved around
> > the same type of solution I assumed originally to be needed
> > (span/mirror/monitor ports, one at a time, to a probe machine -
> > whether done via a script on the switch, itself, or controlled
> > remotely). The above solution is different (saving tons of work), and
> > it is in fact something I have tried in the past, but never been able
> > to get to work properly [the entire traffic]. I am thankful for the
> > reminder, as I could give it another shot.
>
> I've found tcpdump -e to be useful, too - didn't think of that, good
> suggestion.  Doing it the other way at the console isn't a lot of
> work (*not* one port at a time - one blade at a time via port-ranges
> for the SPAN source, then narrowing down the port ranges), it's about
> 5 minutes or so, max, FYI.
>
> Here's some documentation on SPAN/RSPN for the 4500 series:
>
> http://www.cisco.com/en/US/products/hw/switches/ps663/
> products_configuration_guide_chapter09186a0080176332.html
>
> Good luck!
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice
>
>       Everything has been said.  But nobody listens.
>
>                     -- Roger Shattuck