Nov 27, 2012

Switchport capture: a good alternative to SPAN port

Do you remember the article “How to analyze traffic with SPAN feature“? The SPAN port is a feature that mirrors traffic (from a physical or virtual port) to a specific destination port. Behind this ‘destination’ port there is usually a traffic analyzer (Wireshark, ntop and so on), an IDS or another appliance.

The SPAN feature is a good tool but it has two limitations:

  • The number of SPAN sessions that can be configured is limited.
  • A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.

The VACL Capture Port feature can help to overcome some of these limitations. VACLs were not primarily designed to monitor traffic, but, since they offer a wide range of capabilities to classify traffic, the Capture Port feature was introduced so that network traffic analysis can become much simpler. These are the advantages of the VACL Capture Port over SPAN:

  • Granular Traffic Analysis: VACLs can match based on source IP address, destination IP address, Layer 4 protocol type, source and destination Layer 4 ports, and other information. This capability makes VACLs very useful for granular traffic identification and filtering.
  • Number of Sessions: VACLs are enforced in hardware; the number of Access Control Entries (ACEs) that can be created depends on the TCAM available in the switch.
  • Destination Port Oversubscription: Granular traffic identification reduces the number of frames to be forwarded to the destination port and thereby minimizes the probability of their oversubscription.
  • Performance: VACLs are enforced in hardware; there is no performance penalty for applying VACLs to a VLAN on the Cisco Catalyst 6500 Series Switches.

Below is an example that shows how to configure the switchport capture feature.

Example
Suppose that you want to classify the http and https traffic between clients on vlan100 / vlan200 and ServerA / ServerB on vlan10.

The steps are:

  1. Define the interesting traffic to be captured and sent for analysis
  2. Define an ACL to map all other traffic
  3. Define the VLAN access map
  4. Apply the VLAN access map to the appropriate VLANs
  5. Configure the Capture Port
  6. Verify the configuration

1. Define the interesting traffic to be captured and sent for analysis

Ciscozine(config)#ip access-list extended Traffic-to-server
Ciscozine(config-ext-nacl)#permit tcp 10.0.1.0 0.0.0.255 host 192.168.10.100 eq 80 443
Ciscozine(config-ext-nacl)#permit tcp 10.0.1.0 0.0.0.255 host 192.168.10.101 eq 80 443
Ciscozine(config-ext-nacl)#permit tcp 10.0.2.0 0.0.0.255 host 192.168.10.100 eq 80 443
Ciscozine(config-ext-nacl)#permit tcp 10.0.2.0 0.0.0.255 host 192.168.10.101 eq 80 443
Ciscozine(config-ext-nacl)#permit tcp host 192.168.10.100 eq 80 443 10.0.1.0 0.0.0.255
Ciscozine(config-ext-nacl)#permit tcp host 192.168.10.101 eq 80 443 10.0.1.0 0.0.0.255
Ciscozine(config-ext-nacl)#permit tcp host 192.168.10.100 eq 80 443 10.0.2.0 0.0.0.255
Ciscozine(config-ext-nacl)#permit tcp host 192.168.10.101 eq 80 443 10.0.2.0 0.0.0.255

Remember: you must also define the ‘back’ (return-direction) entries. For instance, if you want to capture all the http/https flows between vlan100 and ServerA, this entry alone is not sufficient:

permit tcp 10.0.1.0 0.0.0.255 host 192.168.10.100 eq 80 443

Indeed, you must also define the “back” entry, which matches the replies sent by the server:

permit tcp host 192.168.10.100 eq 80 443 10.0.1.0 0.0.0.255

2. Define an ACL to map all other traffic

Ciscozine(config)#ip access-list extended ALL_TRAFFIC
Ciscozine(config-ext-nacl)#permit ip any any

3. Define the VLAN access map

In this step you must define what traffic must be copied and forwarded:

Ciscozine(config)#vlan access-map Traffic-to-server-map 10
Ciscozine(config-access-map)#match ip address Traffic-to-server
Ciscozine(config-access-map)#action forward capture

and what traffic must only be forwarded:

Ciscozine(config)#vlan access-map Traffic-to-server-map 20
Ciscozine(config-access-map)#match ip address ALL_TRAFFIC
Ciscozine(config-access-map)#action forward

4. Apply the VLAN access map to the appropriate VLANs

Ciscozine(config)#vlan filter Traffic-to-server-map vlan-list 10

5. Configure the Capture Port

Ciscozine(config)#int Gi1/1
Ciscozine(config-if)#switchport capture allowed vlan 10
Ciscozine(config-if)#switchport capture

6. Verify the configuration

To verify the configuration, you can use these two commands:

show vlan access-map: displays the contents of the VLAN access maps.

Ciscozine#show vlan access-map HTTP_UDP_MAP
Vlan access-map "HTTP_UDP_MAP" 10
match: ip address HTTP_UDP_TRAFFIC
action: forward capture
Vlan access-map "HTTP_UDP_MAP" 20
match: ip address ALL_TRAFFIC
action: forward

show vlan filter: displays information about the VLAN filters.

Ciscozine#show vlan filter
VLAN Map HTTP_UDP_MAP:
Configured on VLANs: 10
Active on VLANs: 10

Remember:

  • VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type.
  • If an empty or undefined ACL is specified in a VACL, any packets will match the ACL, and the associated action is taken.
  • To find out whether your switch supports this feature, take a look at the Cisco Catalyst Switch Guide.

Note:

Steps 4 and 5 can also be written as:

Ciscozine(config)#vlan filter Traffic-to-server-map vlan-list 100,200
Ciscozine(config)#int Gi1/1
Ciscozine(config-if)#switchport capture allowed vlan 100,200
Ciscozine(config-if)#switchport capture
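To make the two pitfalls above concrete (the forgotten “back” ACL entry, and the implicit deny that drops everything on the VLAN when no catch-all sequence is defined), here is an added Python model of how a VLAN access map evaluates a packet against its ACLs; it is not Cisco code nor part of the original article. It parses only the IOS ACL syntax used on this page (host/any/wildcard addresses, multi-port eq), and the sample ACLs, map and packets are constructed to mirror the example (vlan100 clients and ServerA).

```python
import ipaddress

def parse_ace(line):
    """Parse 'permit <tcp|udp|ip> <src> [eq p...] <dst> [eq p...]' (constructed parser, page syntax only)."""
    tok, pos = line.split(), 2
    assert tok[0] == "permit" and tok[1] in ("tcp", "udp", "ip"), line
    def endpoint():
        nonlocal pos
        if tok[pos] == "any":
            net, pos = ipaddress.ip_network("0.0.0.0/0"), pos + 1
        elif tok[pos] == "host":
            net, pos = ipaddress.ip_network(tok[pos + 1] + "/32"), pos + 2
        else:  # address + wildcard mask; ipaddress accepts the hostmask form 10.0.1.0/0.0.0.255
            net, pos = ipaddress.ip_network(tok[pos] + "/" + tok[pos + 1]), pos + 2
        ports = set()
        if pos < len(tok) and tok[pos] == "eq":  # 'eq' may list several ports (eq 80 443)
            pos += 1
            while pos < len(tok) and tok[pos].isdigit():
                ports.add(int(tok[pos])); pos += 1
        return net, frozenset(ports)
    (src, sport), (dst, dport) = endpoint(), endpoint()
    return {"proto": tok[1], "src": src, "sport": sport, "dst": dst, "dport": dport}

def ace_matches(ace, pkt):
    """pkt = (proto, src, sport, dst, dport); 'ip' matches any protocol, no 'eq' matches any port."""
    proto, src, sport, dst, dport = pkt
    return (ace["proto"] in ("ip", proto) and ipaddress.ip_address(src) in ace["src"]
            and ipaddress.ip_address(dst) in ace["dst"]
            and (not ace["sport"] or sport in ace["sport"]) and (not ace["dport"] or dport in ace["dport"]))

def vacl_action(access_map, acls, pkt):
    """First matching sequence wins; an empty/undefined ACL matches all; no match is the implicit deny."""
    for acl_name, action in access_map:
        aces = acls.get(acl_name, [])
        if not aces or any(ace_matches(parse_ace(a), pkt) for a in aces):
            return action
    return "drop"

def missing_return_entries(aces):
    """ACEs whose mirror entry (src/dst and their ports swapped) is absent: the 'back' ACL the text warns about."""
    parsed = [parse_ace(a) for a in aces]
    keys = {(p["proto"], p["src"], p["sport"], p["dst"], p["dport"]) for p in parsed}
    return [a for a, p in zip(aces, parsed)
            if (p["proto"], p["dst"], p["dport"], p["src"], p["sport"]) not in keys]

# Constructed sample following the page's example: vlan100 clients (10.0.1.0/24) and ServerA, both directions.
ACLS = {"Traffic-to-server": ["permit tcp 10.0.1.0 0.0.0.255 host 192.168.10.100 eq 80 443",
                              "permit tcp host 192.168.10.100 eq 80 443 10.0.1.0 0.0.0.255"],
        "ALL_TRAFFIC": ["permit ip any any"]}
ACCESS_MAP = [("Traffic-to-server", "forward capture"), ("ALL_TRAFFIC", "forward")]
```

Dropping the ALL_TRAFFIC sequence (ACCESS_MAP[:1]) turns every non-http packet on the filtered VLAN into "drop", and missing_return_entries on a one-directional ACL lists the entries whose replies would never reach the capture port.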

  • vaibhav

    Really neat – but you know what's cooler – there's Wireshark to do all your pcap captures and analysis right ON the Catalyst 4500 switch itself – no need to span or redirect anything.

  • NickDanger

    The switch guide says the 4500 is supported, however I do not have the switchport capture command available. Running cat4500e-universalk9.SPA.03.05.03.E.152-1.E3.bin with a Sup7-E. Is this supported or is the command setup different on the 4500?

  • From this guide, Cisco says that the switchport capture is supported on 4500. I can’t help you because I have never configured this feature on this device.

  • Leo Xu

    Looks like a built-in TAP solution with filter. It is amazing. Thank you for sharing this.

  • Exactly! A low cost TAP solution ;)