Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Andrzejek on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Monitor Session versus VACLs - Pros & Cons

Status
Not open for further replies.
dane775

dane775

Technical User
Oct 28, 2004
151
CA
How do you folks capture data for application analysis and troubleshooting - "monitors session" or VACLs??..(inline taps seems to be the best way but that can get very expensive).

Please correct me if I make any inaccurate statements.

Scenario: Two Cisco 6909s in HA mode - we want to be able to capture any traffic going through these switches. I have a port on each 6509 going to our monitoring equipment.

If I setup "monitor session" for all VLANs that seems to do the trick - but I get TONs of duplicate frames that max out my port at times...and it can be very cumbersome to remove them. In addition, only 2 mon sessions can be set up per switch.

If I setup VACLs for all the VLANs.....I miss traffic that gets routed *out* of that VLAN unless it's going to another VLAN that's being captured....i.e. if it goes to a port that's not in a VLAN - a routed port - I miss that data. I get traffic routed into that VLAN but not traffic routed out.

I don't know of any way to get all of the data with a VACL, and mon sessions have their previously mentioned limitations.

How would you approach this? Am I wrong about any of this?

Thanks in advance for any comments or suggestions.
 
Sort by date Sort by votes
I'm not sure if you're using the 6509s as cores and then you have an agg layer... but if you did...

Run span or remote span on the agg layer and run a separate cable back to your 6509 or even another switch where you can run your monitoring. In the case of span, just send it out that port or remote span just make that port the only one for that VLAN on the switch.

This splits up the traffic over multiple ports (hence no congestion)without having to worry about the number of monitor sessions available and you still can capture all of the data. I'm assuming this is for an IDS or something similar?
 
Upvote 0 Downvote
It's dual purpose...it's for IDS and Network Operations troubleshooting.

We use the Cisco 3 layer topo......access, distribution, core and these are our distribution switches.

I like the sound of this...need to refresh myself on rspans but this sounds promising.

Thanks much for responding....appreciate the assist.

Dane
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

inlsp05
  • Locked
  • Question
2811&2960 48 volts wiring diagram
Replies
1
Views
200
BOKA
BOKA
bmiller23
  • Locked
  • Question
Issues Between Cisco Network & NVT Phybridge POLRE 8 Port Extender
Replies
13
Views
339
VinceWhirlwind
VinceWhirlwind
CAROST
  • Locked
  • Question
Cisco 2911 and AT&T 3xT1 issues
Replies
5
Views
132
burtsbees
burtsbees
macphoneguy
  • Locked
  • Question
cisco & FXS & FXO
Replies
1
Views
92
HmmG3
HmmG3
moose4me
  • Locked
  • Question
Session Border Controller
Replies
1
Views
93
madwok
madwok

Part and Inventory Search

Sponsor

Back
Top