First, we define the global named monitor session. If you remember, within IOS a monitor session is typically identified by a numeric session ID; here we use a name instead.
NOTE: This is a very basic monitor. By default it mirrors both directions of traffic and sends it to the destination (tool) port gi 2/0/0/1.
Second, we apply the monitor session under the interface to be monitored.
NOTE: "mirror first 128" mirrors only the first 128 bytes of each packet, which is ideal if you don't need full payload inspection and only need up to the layer 4 headers.
Third, we check that the session is active (here it shows down since my tool port was admin down).
To restrict the direction, we can modify our monitor session so that it mirrors only the direction of interest:
For ACL-based monitoring you will need to do the following:
Define an ACL for the interface, using the keyword "capture" on any lines (ACEs) whose matching traffic you want to capture:
e.g. (a basic ACL):
Next, modify the monitor-session under the interface to include the "acl" keyword. If an ACL is applied to that interface, only traffic matching an ACE (access control entry) that carries the "capture" keyword will be mirrored.
By limiting the number of ACEs marked with "capture", you can effectively capture only the traffic of interest.
The practice above helps filter within your monitor session and prevents over-running the destination port when the monitored link(s) are faster than the tool port. Ideally, a physical tap is always better than a monitor-session.
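Putting the steps above together, here is an added IOS-XR configuration example; it is not the original post's configuration (which did not survive on this page). The session name SPAN-TOOL, the monitored interface GigabitEthernet0/0/0/0, the ACL name CAPTURE-WEB and its port matches are assumptions; the destination port gi 2/0/0/1 and the 128-byte mirror length come from the text.

```cisco
! Step 1: global named monitor session (name assumed); the destination is the
! tool port named in the text. Direction is not set here, so the default is both.
monitor-session SPAN-TOOL ethernet
 destination interface GigabitEthernet2/0/0/1
!
! ACL for ACL-based capture (name and matches assumed). Only ACEs carrying the
! "capture" keyword are mirrored; the last ACE keeps everything else forwarding
! normally without mirroring it.
ipv4 access-list CAPTURE-WEB
 10 permit tcp any any eq www capture
 20 permit tcp any any eq 443 capture
 30 permit ipv4 any any
!
! Step 2: apply the session under the monitored interface (name assumed).
! "direction rx-only" limits the mirror to ingress traffic instead of both.
! "mirror first 128" sends only the first 128 bytes of each packet.
! "acl" makes the session mirror only traffic matching a "capture" ACE.
interface GigabitEthernet0/0/0/0
 ipv4 access-group CAPTURE-WEB ingress
 monitor-session SPAN-TOOL ethernet direction rx-only
  mirror first 128
  acl
 !
!
! Step 3 (exec mode, not configuration): verify the session state.
! It reports down while the tool port is administratively down.
show monitor-session status
show monitor-session status detail
```

Apply the ACL and the session together and keep the capture ACEs narrow, so the volume reaching the tool port stays well below its line rate.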
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
=( ^ ^ )=