Cisco
MetallicAt, 2012-12-17 13:06:03

Traffic analysis on Cisco 35x0 switches

The task is to find an alternative to NetFlow for Cisco 3550, 3560 and similar L3 switches.
At the moment, the leading idea is port mirroring + Capsa.
Is there any better solution?

Thanks in advance.


3 answer(s)
JDima, 2012-12-17
@JDima

Yes, nothing else really comes to mind...
It depends on what kind of analysis is needed. If you need to record the presence of packets known in advance, you can apply a permit ACL (if you know in advance that there will be very few packets, you can even try it with the "log" keyword, but it's better without it).

Sergey, 2012-12-17
@bondbig

SPAN is rather resource-intensive; it is not suitable at all in case of an attack.
You can install a specialized TAP device (example) and send a copy of the traffic to any traffic analyzer (Fluke, for one, also has software and hardware traffic analyzers, up to the application level) or to any NBA (network behavior analysis) system.

Nikolai Turnaviotov, 2012-12-18
@foxmuldercp

There is NBAR on Cisco, but it does not catch some of the traffic.
