North American Network Operators Group


RE: Legal intercept - 3550

  • From: Burton, Chris
  • Date: Wed Aug 11 20:43:24 2004

You could set up a Linux/Solaris (or other) device (it would need
to be GigE capable) and span all of the data to that port and then use
either iptables/ipchains to log the data and drop what you don't need, or use
ethereal/tcpdump to capture the data using filters to weed out the
information you do not need.  Also, as mentioned in a previous reply, you
could use the VLAN ACL features depending on your IOS version.  There
are several ways to achieve what you are looking to do; it just depends
on your level of comfort with configuring the methods mentioned and of
course cost.

Chris Burton
Network Engineer
Walt Disney Internet Group: Network Services

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Stefan Baltus
Sent: Wednesday, August 11, 2004 12:05 PM
To: [email protected]
Subject: Re: Legal intercept - 3550



Thanks for all the replies. The best solution was by Boyan Krosnov who
suggested the following:

Configure the GE port where the traffic comes in from the fiber tap in a
separate new vlan A, access mode. Configure fastethernet X to be in
access mode for vlan A. Configure a static MAC entry for vlan A pointing
the destination MAC address of the router (where the traffic heads to) to
fastethernet X.
Connect your sniffer on fastethernet X.
-- at this stage all traffic going to that router will be dumped to the
sniffer. Not precisely what you want.
-- now comes the trick
Configure a VLAN access-map
http://www.cisco.com/en/US/products/hw/switches/ps646/products_command_reference_chapter09186a008021145c.html
  ip access-list ext acl1
    ! both directions of the host you want to intercept
    permit ip host x.x.x.x any
    permit ip any host x.x.x.x
  vlan access-map alabala
   match ip address acl1
   action forward
  ! traffic that acl1 does not permit matches no clause of the map and is dropped
  vlan filter alabala vlan-list A

This works for my case. Boyan: thanks a lot.

Stefan

On Wed, Aug 11, 2004 at 04:37:24PM +0200, Stefan Baltus wrote:
> 
> Hi,
> 
> We have a situation where we need to intercept certain IP traffic that
> is somewhere within a link of 300Mbit/s of traffic (GigabitEthernet).
> The setup that we built is as follows:
> 
> router 
>   ^
>   | GE
>   |
> fiber tap -------> cisco catalyst 3550
>   |
>   | GE
>   v
> switch
> 
> 
> The catalyst 3550 is receiving the traffic from router to switch and
> vice versa. Now, we'd like to filter all but certain IPs on the 3550
> and switch this traffic to a FE port on that same 3550. Currently
> we've put the FE interface in SPAN mode, but that fills up the FE port
> completely (obviously). Is there any way to accomplish this?
> 
> Regards,
> 
> Stefan
> 
> -- 
> Stefan Baltus <[email protected]>        XB Networks B.V. 
> Manager Engineering                         Televisieweg 2
> telefoon: +31 36 5462400                    1322 AC  Almere
> fax: +31 36 5462424                         The Netherlands

-- 
Stefan Baltus <[email protected]>        XB Networks B.V. 
Manager Engineering                         Televisieweg 2
telefoon: +31 36 5462400                    1322 AC  Almere
fax: +31 36 5462424                         The Netherlands
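
The two approaches in this thread, Boyan's VACL recipe on the 3550 and Chris
Burton's Linux box running tcpdump/iptables on a span port, modelled as an
added Python example. This is not code posted by anyone in the thread. It
parses extended ACL lines in the form Boyan gave, applies the access-map with
Cisco's first-match and implicit-drop semantics to some constructed flow
records, checks whether what gets forwarded fits a 100 Mbit/s FastEthernet
port (the check Stefan's plain SPAN setup failed), and translates the same
ACL into the tcpdump filter one would use on the Linux box. 192.0.2.10 stands
in for the thread's x.x.x.x and the per-flow rates are made up; both are
assumptions, not data from the thread.

```python
"""Model of the Catalyst 3550 VACL intercept from the thread. Added example, not
code posted by anyone in it: parses IOS extended ACL lines in the form Boyan gave,
applies a VLAN access-map with Cisco's first-match and implicit-drop semantics to
constructed flow records, sizes the result against a 100 Mbit/s FastEthernet port,
and emits the equivalent tcpdump (BPF) filter for Chris's Linux-sniffer approach.
192.0.2.10 (RFC 5737 space) stands in for the thread's x.x.x.x; rates are made up."""
import ipaddress
from collections import namedtuple

AclEntry = namedtuple("AclEntry", "action src dst")  # action: "permit" | "deny"

def _parse_addr(tokens, i):
    """Address spec at tokens[i]: `any`, `host A`, or `A WILDCARD` (IOS wildcard
    masks are the bitwise inverse of a netmask). Returns (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2

def parse_acl(text):
    """Parse `permit|deny ip <src> <dst>` lines; header and blank lines skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":  # `ip access-list ext acl1` header
            continue
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(tokens[0], src, dst))
    return entries

def acl_permits(entries, src, dst):
    """Cisco ACL semantics: the first matching entry wins; no match is a deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False

def vacl_action(access_map, src, dst):
    """access_map: ordered list of (acl_entries, action). A packet permitted by a
    clause's ACL takes that action; one no clause permits is dropped. That
    implicit drop turns the "everything to the sniffer port" VLAN into a feed."""
    for entries, action in access_map:
        if acl_permits(entries, src, dst):
            return action
    return "drop"

def to_bpf(entries):
    """tcpdump filter equivalent to a permit-only ACL, for the Linux box."""
    def term(direction, net):
        if net.prefixlen == 0:
            return None  # `any` adds no constraint
        if net.prefixlen == 32:
            return f"{direction} host {net.network_address}"
        return f"{direction} net {net.with_prefixlen}"
    clauses = []
    for e in entries:
        if e.action != "permit":
            raise ValueError("deny entries need ordering BPF cannot express")
        parts = [t for t in (term("src", e.src), term("dst", e.dst)) if t]
        clauses.append("(" + (" and ".join(parts) or "ip") + ")")
    return " or ".join(clauses)

# Boyan's ACL with the assumed address filled in; the access-map is
# `match ip address acl1` / `action forward`.
POSTED_ACL = """
ip access-list ext acl1
  permit ip host 192.0.2.10 any
  permit ip any host 192.0.2.10
"""
ACCESS_MAP = [(parse_acl(POSTED_ACL), "forward")]

# Constructed flows on the tapped link, (src, dst, bytes per second); together
# about the 300 Mbit/s the original question mentions.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 1_500_000),
    ("203.0.113.5", "192.0.2.10", 500_000),
    ("198.51.100.20", "203.0.113.9", 20_000_000),
    ("203.0.113.9", "198.51.100.20", 15_000_000),
    ("198.51.100.44", "192.0.2.10", 250_000),
]
FE_PORT_BPS = 100_000_000  # FastEthernet line rate, bits per second

def link_bps(flows):  # what an unfiltered SPAN would push at the FE port
    return sum(8 * rate for _, _, rate in flows)

def forwarded_bps(access_map, flows):  # what gets through the VACL
    return sum(8 * rate for s, d, rate in flows
               if vacl_action(access_map, s, d) == "forward")

def fits_fe_port(access_map, flows, port_bps=FE_PORT_BPS):
    return forwarded_bps(access_map, flows) <= port_bps
```

With the sample flows, link_bps() comes to 298 Mbit/s, which is why the plain
SPAN filled the FE port, while forwarded_bps() after the VACL is 18 Mbit/s and
fits_fe_port() is true. to_bpf() on the same ACL yields
"(src host 192.0.2.10) or (dst host 192.0.2.10)", the expression to hand tcpdump
on Chris's sniffer. Both paths keep only the intercept target's traffic; the
difference is where the filtering happens and how much hardware has to carry
the full link rate first.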