Re: Re: Ip snooping in cisco routers [7:74708]

2003-09-04 Thread ramesh_cisco
Thanks to all for your inputs.


ramesh

dre wrote:



Reimer, Fred wrote in message ...
> E gads! All hacks because even at this time Cisco can't manage to write the
> little code necessary to create a buffer in memory where packets can be
> stored, and then transferred via TFTP. With today's routers that have more
> than enough processing power and memory, there's just no excuse, IMO.

I, personally, prefer ERSPAN to most other methods. Being able to
have an encapsulated stream of capture data available from any available
IP routed path (could be the whole Internet), and able to export to your
personal workstation, e.g., running tcpdump or Ethereal, is definitely the
proper way to be sniffing.

OTOH, Junipers should be able to do what you are talking about in some
(but not all) cases. Depends on how much traffic you are talking about.

The RSPAN+VACL method described on CCO is just as valid as
anything else, but requires Cisco Catalyst switches with some type of
Layer-3 functionality (e.g. Cat3550, some Cat6k, some Cat4k, others).
In the case of a 6500 it requires a PFC card, which all Sup2 and Sup720
modules include. Sup1/Sup1a needs a PFC to do RSPAN.

-dre
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74775&t=74708


RE: Ip snooping in cisco routers [7:74708]

2003-09-03 Thread Reimer, Fred
Cisco routers don't have the ability to capture packets.  However, you can
use an ACL and the debug ip packet command to get some limited information.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050


NOTICE; This email contains confidential or proprietary information which
may be legally privileged. It is intended only for the named recipient(s).
If an addressing or transmission error has misdirected the email, please
notify the author by replying to this message. If you are not the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.


-Original Message-
From: ramesh_cisco [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2003 8:46 AM
To: [EMAIL PROTECTED]
Subject: Ip snooping in cisco routers [7:74708]

Friends,

Can anyone give me a clue on how to configure IP snooping in Cisco routers???

thanks

ramesh





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74710&t=74708


Re: Ip snooping in cisco routers [7:74708]

2003-09-03 Thread dre
Reimer, Fred wrote in message ...
> Cisco routers don't have the ability to capture packets.  However, you can
> use an ACL and the debug ip packet command to get some limited information.

Well, you can do debug ip packet  dump and get the
full payload in both hex and ASCII (like tcpdump).

Or, even better, if the device supports SPAN, RSPAN or ERSPAN,
you can mirror the traffic from x ports/vlans to y ports/vlans.

Or, you can set up a GRE tunnel that copies all traffic from the Cisco to
a nearby Unix machine. https://www.phrack.com/show.php?p=56&a=10

There are also many other ways to accomplish this, which rely on changing
the ways the protocols normally operate.  For example, using a tool such as
(but clearly not limited to) dsniff or irpas, one can easily create a MITM
gateway based on modification of ARP, ICMP redirect, IRDP, STP,
HSRP, PBR (using interface, next-hop, etc.), or even using generalized
proxies (IP NAT, MAC address translation).

-dre




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74718&t=74708


RE: Ip snooping in cisco routers [7:74708]

2003-09-03 Thread Reimer, Fred
E gads!  All hacks because even at this time Cisco can't manage to write the
little code necessary to create a buffer in memory where packets can be
stored, and then transferred via TFTP.  With today's routers that have more
than enough processing power and memory, there's just no excuse, IMO.

Fred Reimer - CCNA




-Original Message-
From: dre [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: Re: Ip snooping in cisco routers [7:74708]

Reimer, Fred wrote in message ...
> Cisco routers don't have the ability to capture packets.  However, you can
> use an ACL and the debug ip packet command to get some limited information.

Well, you can do debug ip packet  dump and get the
full payload in both hex and ASCII (like tcpdump).

Or, even better, if the device supports SPAN, RSPAN or ERSPAN,
you can mirror the traffic from x ports/vlans to y ports/vlans.

Or, you can set up a GRE tunnel that copies all traffic from the Cisco to
a nearby Unix machine. https://www.phrack.com/show.php?p=56&a=10

There are also many other ways to accomplish this, which rely on changing
the ways the protocols normally operate.  For example, using a tool such as
(but clearly not limited to) dsniff or irpas, one can easily create a MITM
gateway based on modification of ARP, ICMP redirect, IRDP, STP,
HSRP, PBR (using interface, next-hop, etc.), or even using generalized
proxies (IP NAT, MAC address translation).

-dre




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74730&t=74708


Re: Ip snooping in cisco routers [7:74708]

2003-09-03 Thread Brian
Just to make sure you're aware, debug ip packet with its options is
generally frowned upon in production environments; if you are not specific
enough with the debug or hit enter prematurely, well, that's a good way to
draw the wrath of your coworkers.


Brian

The path to a desirable destination
is often more difficult than the path to stay where you are.

On Wed, 3 Sep 2003, dre wrote:

> Reimer, Fred wrote in message ...
> > Cisco routers don't have the ability to capture packets.  However, you can
> > use an ACL and the debug ip packet command to get some limited
> > information.
>
> Well, you can do debug ip packet  dump and get the
> full payload in both hex and ASCII (like tcpdump).
>
> Or, even better, if the device supports SPAN, RSPAN or ERSPAN,
> you can mirror the traffic from x ports/vlans to y ports/vlans.
>
> Or, you can set up a GRE tunnel that copies all traffic from the Cisco to
> a nearby Unix machine. https://www.phrack.com/show.php?p=56&a=10
>
> There are also many other ways to accomplish this, which rely on changing
> the ways the protocols normally operate.  For example, using a tool such as
> (but clearly not limited to) dsniff or irpas, one can easily create a MITM
> gateway based on modification of ARP, ICMP redirect, IRDP, STP,
> HSRP, PBR (using interface, next-hop, etc.), or even using generalized
> proxies (IP NAT, MAC address translation).
>
> -dre




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74738&t=74708


Re: Ip snooping in cisco routers [7:74708]

2003-09-03 Thread dre
Reimer, Fred wrote in message ...
> E gads!  All hacks because even at this time Cisco can't manage to write the
> little code necessary to create a buffer in memory where packets can be
> stored, and then transferred via TFTP.  With today's routers that have more
> than enough processing power and memory, there's just no excuse, IMO.

I, personally, prefer ERSPAN to most other methods.  Being able to
have an encapsulated stream of capture data available from any available
IP routed path (could be the whole Internet), and able to export to your
personal workstation, e.g., running tcpdump or Ethereal, is definitely the
proper way to be sniffing.

OTOH, Junipers should be able to do what you are talking about in some
(but not all) cases.  Depends on how much traffic you are talking about.

The RSPAN+VACL method described on CCO is just as valid as
anything else, but requires Cisco Catalyst switches with some type of
Layer-3 functionality (e.g. Cat3550, some Cat6k, some Cat4k, others).
In the case of a 6500 it requires a PFC card, which all Sup2 and Sup720
modules include.  Sup1/Sup1a needs a PFC to do RSPAN.

-dre




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74748&t=74708
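As an added illustration of the ERSPAN workflow dre describes (the encapsulated capture stream exported over any IP path to a workstation), and not code from this thread or from Cisco, the Python below does what a workstation-side decoder must do before tcpdump or Ethereal can read the mirrored frames: strip the outer IPv4 and GRE headers, read the 8-byte ERSPAN Type II header (VLAN, session ID, truncation flag) and hand back the original Ethernet frame. The packet it parses is constructed inline with documentation addresses; the only assumption is the ERSPAN Type II layout (GRE protocol type 0x88BE with a sequence number, then the 8-byte header).

```python
import struct

ERSPAN_ETHERTYPE = 0x88BE  # GRE protocol type carried by ERSPAN Type II

def build_sample() -> bytes:
    """Constructed sample: IPv4/GRE/ERSPAN Type II around a broadcast ARP frame."""
    inner = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
             + b"\x08\x06" + b"\x00" * 28)                  # 42-byte Ethernet frame
    erspan = struct.pack(">HHI",
                         (1 << 12) | 100,                   # Ver=1 (Type II), VLAN 100
                         (0 << 13) | (3 << 11) | 5,         # COS 0, En=3, T=0, session 5
                         0)                                 # reserved + port index
    gre = struct.pack(">HHI", 0x1000, ERSPAN_ETHERTYPE, 7)  # S bit set, seq 7
    total = 20 + len(gre) + len(erspan) + len(inner)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 47, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))  # TEST-NET addresses
    return ip + gre + erspan + inner

def parse_erspan(pkt: bytes) -> dict:
    """Strip IPv4 + GRE, decode the ERSPAN Type II header, return the mirrored frame."""
    if pkt[0] >> 4 != 4 or pkt[9] != 47:                    # IPv4, protocol 47 = GRE
        raise ValueError("not an IPv4/GRE packet")
    off = (pkt[0] & 0x0F) * 4                               # skip IP header incl. options
    flags, proto = struct.unpack_from(">HH", pkt, off)
    off += 4
    if proto != ERSPAN_ETHERTYPE:
        raise ValueError("GRE payload is not ERSPAN Type II")
    if flags & 0x8000:                                      # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:                                      # K bit: key
        off += 4
    seq = None
    if flags & 0x1000:                                      # S bit: sequence number
        seq = struct.unpack_from(">I", pkt, off)[0]
        off += 4
    w0, w1, w2 = struct.unpack_from(">HHI", pkt, off)       # 8-byte ERSPAN header
    off += 8
    if w0 >> 12 != 1:
        raise ValueError(f"unsupported ERSPAN version {w0 >> 12}")
    frame = pkt[off:]
    if len(frame) < 14:
        raise ValueError("mirrored frame shorter than an Ethernet header")
    return {
        "seq": seq, "vlan": w0 & 0x0FFF, "cos": w1 >> 13, "en": (w1 >> 11) & 3,
        "truncated": bool((w1 >> 10) & 1), "session_id": w1 & 0x03FF,
        "port_index": w2 & 0xFFFFF, "dst_mac": frame[:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "ethertype": struct.unpack_from(">H", frame, 12)[0], "frame": frame,
    }
```

Gaps in the returned sequence numbers are how the workstation detects that the mirror span is dropping packets, which is the main caveat of exporting captures across a routed path.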