
I have a scenario in which I receive 10gbps fibre cable from a 'span port' of a 'switch1'.


Now I want to connect this fibre cable to one of the ports of another 'switch2' as incoming traffic, and then I want to filter this incoming traffic: I want to set port 1 to output only HTTP traffic, port 2 to output only HTTPS traffic, port 3 to output only WhatsApp traffic, and drop all other packets, which may be things such as Flash data, video, Netflix, etc.


So with that I will set tcpdump to receive HTTP packets from port 1 on machine 1, HTTPS packets from port 2 on machine 2, WhatsApp packets from port 3 on machine 3, and the rest of the packets will be dropped.


So will the Cisco Nexus 3524 switch support such capabilities, and if not, which Cisco switch will support such capabilities?

And how can this be done on switch 2?

huh??  Not sure where you got the idea that a span port could pick and choose what protocol to spit out??  There is no switch that I am aware of that would have such capabilities.

You have it all go to one port and you filter it on your sniffing device.  You could create a capture at your firewall level for that and possibly split it into 3 or 4 different captures/files.  You may only be able to capture one set of rules at a time though. 


Imo, you are better off just capturing it all and filtering as needed on your capture device/computer.  Or create rules to only capture the protocols you want then filter out what you need to see. 

^ exactly..  If you only want to capture http, https and whatsapp you can for sure tell your sniffer to only capture that traffic.  You could then save it out to individual cap files that only contain the specific traffic.


What exactly are you trying to accomplish if you don't mind me asking??  Why can you not just capture it all, what are you looking for?

If just interested in traffic monitoring??  Just connect that span port to an ntopng and there you go ;)  Or if looking for bad ######, connect it to Security Onion or something.  Happy to help him solve his problem but need to know exactly what it is...  If there was some switch that could only spit out specific protocols from a span port.. That would sure be news to me..  It just doesn't work that way..

Just want to know first whether switch 2 can receive and forward traffic to its other ports and filter based on IP.

Secondly, can a Cisco Firepower 9300 work in this scenario?

I want to filter using switch as it would save processing time of a server for packet filtering.

Normally a span port spits out everything it sees, but you can do some IP filtering, vlan filtering, sure.  Your first post was asking about ports; you can apply IP ACLs to span ports, and for that you need a switch that supports that specific feature set, with the correct lic, etc.


You can configure ACLs on a SPAN session. Use these guidelines for ACL/SPAN sessions:

• If an ACL is associated with a SPAN session, the rules associated with that ACL are applied against all packets exiting the SPAN destination interface. Rules pertaining to other VACLs or RACLs previously associated with the SPAN destination interface are not applied.

• Only one ACL can be associated with a SPAN session.

• When no ACLs are applied to packets exiting a SPAN destination interface, all traffic is permitted regardless of the PACLs, VACLs, or RACLs that have been previously applied to the destination interface or VLAN to which the SPAN destination interface belongs.

• If an ACL is removed from a SPAN session, all traffic is permitted once again.

• If SPAN configuration is removed from the SPAN session, all rules associated with the SPAN destination interface are applied once again.

• If a SPAN destination port is configured as a trunk port and the VLANs to which it belongs have ACLs associated with them, the traffic is not subjected to the VACLs.

• ACL configuration applies normally to the RSPAN VLAN and to trunk ports carrying the RSPAN VLAN. This configuration enables the user to apply VACLs on RSPAN VLANs. If a user attempts to configure an ACL on a SPAN session with the destination port as an RSPAN VLAN, the configuration is rejected.

• If CAM resources are exhausted and packets are passed to the CPU for lookup, any output port ACLs associated with a SPAN session are not applied.

• If a named IP ACL is configured on a SPAN session before an ACL is created, the configuration is accepted, and the software creates an empty ACL with no ACEs. (An empty ACL permits all packets.) Subsequently, the rules can be added to the ACL.

• The ACLs associated with a SPAN session are applied on the destination interface on output.

• No policing is allowed on traffic exiting SPAN ports.

• Only IP ACLs are supported on SPAN sessions.

What IOS are you running?  3524? No, I don't believe you can do it on something that low-end..  You would need a 4500, 3850, 3650...

Keep in mind that with a capture filter that is only set to capture, say, http, the other traffic wouldn't be overloading the cpu on the capture device.  While sure, you have limits on the port speeds and prob have limits on feeding the capture device from a firehose, etc.  But filtering at the capture device is normally how it's done..  Now you can filter on say unicast or multicast/broadcast for your span.  So you prob don't want to see broadcast traffic, that sort of thing.

Quote:

save processing time of a server for packet filtering.

Can you be a bit more specific - so you mean a firewall?  And you only want to send the firewall http traffic??  That it would be allowing vs sending it packets it wouldn't be allowing??  I am not sure I get what you're wanting to do.. Sure the firewall is going to see stuff normally, say on your wan, that you do not want to allow..  If it's not allowed it's just dropped.  It doesn't cost the firewall any processing time in the big picture..  Dropped packets, unless you're LOGGING them, don't really cost the firewall any cpu.. And logging them isn't all that cpu intensive..  Now if you were under a volumetric dos, not logging might buy you a bit more cpu..  But the issue that your pipe is full is going to be the killer no matter what your firewall cpu is doing..

Well switch2 doesn't have a clue whether the traffic it sees on some port is real traffic or span port traffic... So sure, if you want to span that to another port on your switch, and it supports ACL on your SPAN, you could do that, sure.

Still not understanding the point of this??  Why not feed your span port into whatever it is directly.. If you need to filter this traffic, then you would filter it on that something, not your switch..  Your 3524 can not do ACL on span anyway.. Do you have a 4500 laying around with sup 8-E?  I would suggest you head over to the feature set search on cisco and find out what supports ACL on SPAN..  Then again this only filters on IP..  Not on protocol..

http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp

That completely depends on whether the switch is capable of it or not. He is stating your switch is not capable.

Use wireshark filters to only accept 443, 80, and whatever other port you want. Then from there you can filter further for a specific tcp/udp port. That will get your filtering.  


What you want requires a specific feature set. Not all Cisco switches support the same feature set. 

  On 21/11/2016 at 11:22, BudMan said:

huh??  Not sure where you go the idea that a span port could pick and choose what protocol to spit out??  There is no switch that I am aware of that would have such capabilities.


You could choose which VLAN to span but yeah....

I am not aware of any cisco switch that allows for filtering a SPAN on a port like 80, 443.  While you can filter on unicast or multicast/broadcast or error or good packet, etc.   There is filtering for vlan and/or IP that can be done based upon the feature set of your switch..  I would think you need to be running at least a nexus 5k or 7k to get these sorts of features if you're talking the nx-os line of switches.  You can prob filter on mac as well as IP in the nx-os line..

I just really don't get what you think this buys you, even if you could do it??  Span the traffic to your box, capture only the traffic you're interested in.. To be honest it sounds like you're sending this to a firewall.. If your firewall can not handle the full speed of the port it's connected to, it's clearly undersized!!!

I created it using the following scenario:

en
conf t
monitor session 1 source interface Gi1/0/1 both
monitor session 1 destination interface Gi1/0/21-24
end
show monitor session 1
wr
conf t
access-list 112 permit tcp any any eq 80
interface Gi1/0/24
ip access-group 112 out
end
wr

Edited by Jason.White

And I tried it a different way, as only this one worked:

en
conf t
monitor session 1 source interface Gi1/0/1 both
monitor session 1 destination interface Gi1/0/24
end
conf t
access-list 104 permit tcp any any eq 443
access-list 104 permit udp any any eq 443
monitor session 1 filter ip access-group 104
end
wr

And this one worked.

But if I configure 4 ports, like 21-24, this ACL will be applied to the whole of session 1; I can't apply it to just one of the destination ports.

So you're saying you only see 443 traffic, no other traffic..  But you're doing an IP filter?  Maybe that IP is only sending 443???  Or maybe if dest IP, again there is only 443 dest for that IP..

If what you're saying is working...  Then send your span down 4 times, or as many times as you need to filter on your ports.

Still see ZERO use for something like this - ZERO!!  If all you want to see or allow is 443, then only capture 443 in your packet capture software, or if this is going to a firewall.  Only allow 443, etc.

While you can get some layer 4 stuff with a L3 ;) switch..  And say ACL different ports or protocols.. What you're talking about is layer 7 filtering..  The device has to do DPI into the packet to know what it is.. I can move video over lots of different ports and lots of different protocols even.  UDP or TCP, Multicast, etc.

How would a switch figure that out?  You could create an ACL to block port 80 and 443..  But now no websites work, etc.
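As an added example (not code from the thread or from Cisco), the following Python parses the IOS-style access-list lines Jason.White posted into a matcher, runs it over constructed flow records, and emits the equivalent tcpdump capture filter for doing the same selection on the sniffer, as BudMan recommends. It illustrates the layer 7 point above: a video flow carried inside TLS on port 443 passes the same 'permit tcp any any eq 443' entry as ordinary HTTPS, because the ACL only sees layer 3/4 fields. The flow labels and the restriction to the 'any any [eq port]' syntax are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One entry of the 'access-list N permit tcp any any eq 443' form."""
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip"
    dst_port: Optional[int]   # port after 'eq', or None for any port

ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(tcp|udp|ip)\s+any\s+any(?:\s+eq\s+(\d+))?$")

def parse_acl(lines):
    """Group ACEs by ACL number; only the 'any any [eq port]' syntax from the thread is supported."""
    acls = {}
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        num, action, proto, port = m.groups()
        acls.setdefault(int(num), []).append(Ace(action, proto, int(port) if port else None))
    return acls

def acl_permits(aces, proto, dst_port):
    """First matching entry wins; an implicit deny sits at the end, as on IOS."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action == "permit"
    return False

def to_bpf(aces):
    """Equivalent tcpdump/BPF capture filter, for doing the same selection on the sniffer."""
    terms = [ace.proto if ace.dst_port is None else f"{ace.proto} dst port {ace.dst_port}"
             for ace in aces if ace.action == "permit"]
    return " or ".join(terms)

# Constructed flows (assumed labels): (what the packets actually carry, L4 protocol, destination port).
FLOWS = [("https-web", "tcp", 443), ("video-inside-tls", "tcp", 443),
         ("quic-443", "udp", 443), ("http", "tcp", 80), ("dns", "udp", 53)]

def passed_by(acl_lines, acl_number, flows=FLOWS):
    """Labels an ACL applied to the SPAN session would let reach the destination port."""
    aces = parse_acl(acl_lines)[acl_number]
    return [label for label, proto, port in flows if acl_permits(aces, proto, port)]
```

Calling passed_by with the two access-list 104 lines returns the HTTPS, video-inside-TLS and QUIC labels together, and to_bpf on the same entries yields `tcp dst port 443 or udp dst port 443`, the filter to hand tcpdump on the capture box.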
