Wednesday, January 22, 2014

Doing a port capture IOS-XR ASR9K

In this post we will look at a basic port-capture method, then an ACL-based monitor method. You have a host of options, including ACL-specific filtering and direction.

port-capture method

1st, we define the global named "monitor" session. If you remember, within IOS a monitor session is typically identified by a session ID#. Here we use a name instead.



NOTE: This is a very basic monitor session. By default it mirrors traffic in both directions, with gi 2/0/0/1 as the destination (tool) port.

2nd, we apply the monitor session under the interface to be monitored.


NOTE: "mirror first 128" captures only the first 128 bytes of each frame. This is ideal if you don't need full payload inspection and only need the headers up to layer 4.






3rd, we check whether the session is active (here it shows as down, since my tool port was admin down).


Optional

To set the direction, we modify the monitor session under the interface to mirror only the direction of interest;



For ACL-based monitoring you will need to do the following;


Define an ACL for the interface, appending the keyword "capture" to any ACE whose matching traffic you want to capture;

e.g. ( a basic ACL )


Next, modify the interface's monitor-session statement to include the "acl" keyword. If an ACL is applied to that interface and contains ACEs ( access control entries ) marked "capture", only traffic matching those ACEs will be mirrored.


By limiting the number of ACEs marked "capture", you can effectively mirror only the traffic of interest.
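The whole procedure above, written out as a single IOS-XR configuration fragment. This is an added example and not the configuration from the original post; the interface names (gi 0/0/0/0 as the monitored link, gi 2/0/0/1 as the tool port, matching the post), the session name CAP, the ACL name CAPTURE-ACL and the host address 192.0.2.10 are assumptions chosen for illustration. The command syntax reflects the monitor-session, mirror first, direction, acl and capture keywords discussed in the post as they appear on IOS-XR; verify the exact forms against the release running on your own ASR9K.

```text
! 1st: global named session, destination is the tool port
monitor-session CAP ethernet
 destination interface GigabitEthernet2/0/0/1
!

! Optional: ACL whose "capture"-tagged ACEs select the mirrored traffic.
! Only line 10 is mirrored; line 20 still forwards normally but is not captured.
ipv4 access-list CAPTURE-ACL
 10 permit ipv4 host 192.0.2.10 any capture
 20 permit ipv4 any any
!

! 2nd: apply the session under the monitored interface.
!   direction rx-only  -> mirror ingress only (omit for both directions)
!   acl                -> mirror only ACEs marked "capture" in the applied ACL
!   mirror first 128   -> headers only, keeps the tool port from being over-run
interface GigabitEthernet0/0/0/0
 ipv4 access-group CAPTURE-ACL ingress
 monitor-session CAP ethernet direction rx-only acl
  mirror first 128
 !
!
commit

! 3rd: verify the session state (shows down while the tool port is admin down)
show monitor-session status
```

Keep the tool port "no shutdown" before expecting the session to report as up, and when the monitored link is faster than the tool port combine the ACL filter with "mirror first" so the destination is not saturated.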



The practice above helps you filter within your monitor session and prevents over-running the destination port when the link(s) being monitored are faster than the tool port. Ideally, a physical tap is always better than a monitor session.



Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^   ^  )=
          o
       /     \



