routing tapped IP traffic

Discussion in 'Cisco' started by Patrick Arguello, Oct 11, 2004.

  1. I have what should be a relatively simple problem that I am having
    trouble with --

    I am tapping three separate GigE links which I want to aggregate in a
    single router-switch and route by destination address. The problem
    seems to be that the interfaces for the tapped traffic reject the
    packets at the L3 level presumably because they appear to be destined
    to unknown MACs. (I have ip routes set up for all possible
    destination addresses).

    Is there any relatively painless way of doing this on a Cisco L3
    switch? One possibility appears to be the use of IBR (integrated
    bridging and routing) but I thought I will check with folks in the
    know as to (a) why the sniffed traffic isnt being routed and (b) how
    it can be routed.

    Thanks

    - Patrick A.
    Patrick Arguello, Oct 11, 2004
    #1
    1. Advertising

  2. Patrick Arguello

    Ben Guest

    Checkout the SPAN feature. It is a bit limited in the number of interfaces
    you can SPAN but at least it is designed for what you are trying to do.

    "Patrick Arguello" <> wrote in message
    news:...
    > I have what should be a relatively simple problem that I am having
    > trouble with --
    >
    > I am tapping three separate GigE links which I want to aggregate in a
    > single router-switch and route by destination address. The problem
    > seems to be that the interfaces for the tapped traffic reject the
    > packets at the L3 level presumably because they appear to be destined
    > to unknown MACs. (I have ip routes set up for all possible
    > destination addresses).
    >
    > Is there any relatively painless way of doing this on a Cisco L3
    > switch? One possibility appears to be the use of IBR (integrated
    > bridging and routing) but I thought I will check with folks in the
    > know as to (a) why the sniffed traffic isnt being routed and (b) how
    > it can be routed.
    >
    > Thanks
    >
    > - Patrick A.
    Ben, Oct 11, 2004
    #2
    1. Advertising

  3. With the SPAN feature, one is limited to a Gig but more importantly
    there is no way to make a L3 switch accept the packets at the L3 level
    and route by destination or such. It is almost like L3 part of the
    switch refuses (presumably by design) to route a packet whose mac
    address is alien to it (even if the L2 switch were to accept it).

    "Ben" <> wrote in message news:<IRuad.22245$>...
    > Checkout the SPAN feature. It is a bit limited in the number of interfaces
    > you can SPAN but at least it is designed for what you are trying to do.
    >
    > "Patrick Arguello" <> wrote in message
    > news:...
    > > I have what should be a relatively simple problem that I am having
    > > trouble with --
    > >
    > > I am tapping three separate GigE links which I want to aggregate in a
    > > single router-switch and route by destination address. The problem
    > > seems to be that the interfaces for the tapped traffic reject the
    > > packets at the L3 level presumably because they appear to be destined
    > > to unknown MACs. (I have ip routes set up for all possible
    > > destination addresses).
    > >
    > > Is there any relatively painless way of doing this on a Cisco L3
    > > switch? One possibility appears to be the use of IBR (integrated
    > > bridging and routing) but I thought I will check with folks in the
    > > know as to (a) why the sniffed traffic isnt being routed and (b) how
    > > it can be routed.
    > >
    > > Thanks
    > >
    > > - Patrick A.
    Patrick Arguello, Oct 11, 2004
    #3
  4. Patrick Arguello

    AnyBody43 Guest

    (Patrick Arguello) wrote
    > I am tapping three separate GigE links which I want to aggregate in a
    > single router-switch and route by destination address. The problem
    > seems to be that the interfaces for the tapped traffic reject the
    > packets at the L3 level presumably because they appear to be destined
    > to unknown MACs. (I have ip routes set up for all possible
    > destination addresses).
    >
    > Is there any relatively painless way of doing this on a Cisco L3
    > switch? One possibility appears to be the use of IBR (integrated
    > bridging and routing) but I thought I will check with folks in the
    > know as to (a) why the sniffed traffic isnt being routed and (b) how
    > it can be routed.


    I guess that you are tapping the traffic using dedicated tap devices.

    You seem a bit confused. You say "reject ... at the L3 level" and
    "unknown MACs". These are conflicting statements.

    The packets will have the wrong destination MAC address and
    will be rejected by the router at L2. Additionally they will not
    be bridged (L2 forwarded).

    There are a few possibilities that I can see:-

    1.
    Remote SPAN.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/swspan.htm#1036704
    Support is platform dependent.
    This works by Trunking the traffic over a seperate (dedicated)
    VLAN. You need L2 end to end connectivity.

    2a.
    If you are tapping point to point router links then there
    will only be a few MACs and maybe
    you could add the relevant mac addresses to the router's
    interface.

    interface Ethernet0
    mac-address 0001.0002.0003 <---
    ip address 192.168.1.30 255.255.255.224
    standby 1 mac-address 0004.0005.0006 <---
    standby 2 mac-address 0005.0006.0007 <---


    Some hardware does not support many HSRP groups.
    Above config segment is NOT necessarily complete,
    more might be needed to persuade the router to really bring up
    the hsrp 'interfaces'. e.g.
    standby 1 ip any.old.crap
    standby 2 ip any.other.crap


    I think that this should work however you would then need to
    route the traffic over your (seperate?) management network. Oh, I
    guess that maybe you could do policy routing based on the source
    interface and avoid a seperate network as such. At GBE speeds you
    would need hardware support for the policy routing. I have _no idea_
    if that is available.


    2b.
    Similarly you could add static CAM entries to a layer 2 device. This
    may not be needed if the addresses are "Unknown" and therefore
    flooded.
    The latter would be the case of the destination MACs were never seen
    as source addresses. This would not (usually) be the case if you were
    SPANning both directions of a conversation.

    If you post more details and maybe some ASCII art then perhaps
    someone can be of more help.

    Please post your design, if it works:))

    Good luck, I think that you will need it:)


    (Patrick Arguello)
    > With the SPAN feature, one is limited to a Gig but more importantly
    > there is no way to make a L3 switch accept the packets at the L3 level
    > and route by destination or such. It is almost like L3 part of the
    > switch refuses (presumably by design) to route a packet whose mac
    > address is alien to it (even if the L2 switch were to accept it).


    As I already said, but you of course haven't seen, this is a L2
    problem (as you describe).
    "It is almost like L3 part of the switch refuses (presumably by
    design) to route a packet whose mac address is alien to it"
    Exactly. You need to fix up L2. Maybe the standby mac trick might do
    it.
    AnyBody43, Oct 12, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Hypno999

    traffic-shaping limit ftp traffic

    Hypno999, Oct 7, 2005, in forum: Cisco
    Replies:
    5
    Views:
    3,614
  2. Skybuck Flying
    Replies:
    0
    Views:
    4,807
    Skybuck Flying
    Jan 19, 2006
  3. Replies:
    0
    Views:
    3,195
  4. Jeff
    Replies:
    11
    Views:
    3,014
  5. Evolution
    Replies:
    1
    Views:
    835
    Walter Roberson
    Feb 27, 2007
Loading...

Share This Page