Requirement: The usual method to capture the controller's traffic on the uplink port is port monitoring. However, there are scenarios in which port monitoring is not possible: the mobility controller is not physically accessible, all the ports on the controller are in use, the uplink is a port channel, and so on. In such cases we can capture the traffic on a port or port-channel by mirroring it with a port ACL.
Solution: The solution for capturing packets in these scenarios is to configure a port ACL with mirroring set. In this setup, the controller's IP address on VLAN 20 is 20.20.20.2 and the uplink switch IP address is 20.20.20.20. A port channel is configured between the controller and the uplink switch. We will capture the traffic between the IP addresses 20.20.20.2 and 20.20.20.20.
(Rajaguru-3400) (config) #show ip interface brief
Interface  IP Address / IP Netmask        Admin  Protocol
vlan 1     10.17.170.4 / 255.255.255.224  up     up
vlan 10    10.10.10.1 / 255.255.255.0     up     up
vlan 20    20.20.20.2 / 255.255.255.0     up     up
loopback   unassigned / unassigned        up     up
mgmt       unassigned / unassigned        down   down
(Rajaguru-3400) #show interface port-channel 1
Port-Channel 1 is administratively up
Hardware is Port-Channel, address is 00:0B:86:6D:22:4C (bia 00:0B:86:6D:22:4C)
Description: Link Aggregate
Spanning Tree is disabled
Switchport priority: 0
Member port:
GE 1/3, Admin is up, line protocol is up
GE 1/2, Admin is up, line protocol is up
Last clearing of "show interface" counters 0 day 5 hr 32 min 30 sec
link status last changed 0 day 5 hr 29 min 8 sec
93 packets input, 8388 bytes
Received 18 broadcasts, 0 runts, 0 giants, 0 throttles
0 input error bytes, 0 CRC, 0 frame
5 multicast, 75 unicast
69 packets output, 7590 bytes
0 output errors bytes, 0 deferred
0 collisions, 0 late collisions, 0 throttles
Port-Channel 1 is TRUSTED
(Rajaguru-3400) #show vlan
VLAN CONFIGURATION
------------------
VLAN  Description  Ports               AAA Profile
----  -----------  -----               -----------
1     Default      GE1/0-1 Pc0 Pc2-7   N/A
10    VLAN0010                         N/A
20    VLAN0020     Pc1                 N/A
Configuration:
Step 1: Set the packet-capture destination on the controller. The destination can be internal or a computer on which you run the packet-capturing tool, e.g. Wireshark.
(Rajaguru-3400) #packet-capture destination ip-address 10.20.25.29
(Rajaguru-3400) #show packet-capture
Active Capture Destination
--------------------------
Destination IP 10.20.25.29
Active Capture (Controlpath)
----------------------------
Interprocess Disabled
Sysmsg Disabled
TCP Disabled
UDP Disabled
Other Disabled
Active Capture (Datapath)
-------------------------
Wifi-Client Disabled
Ipsec Disabled
Step 2: Configure a session ACL with mirroring enabled.
(Rajaguru-3400) (config) #ip access-list session Mirroring-Port-ACL
(Rajaguru-3400) (config-sess-Mirroring-Port-ACL)#host 20.20.20.20 host 20.20.20.2 any permit mirror <<--- (Ingress traffic with mirroring set)
(Rajaguru-3400) (config-sess-Mirroring-Port-ACL)#any any any permit <<--- (Make sure that you allow the other required traffic)
(Rajaguru-3400) (config-sess-Mirroring-Port-ACL)#exit
Step 3: Map the Mirroring ACL to the port-channel interface.
(Rajaguru-3400) (config) #interface port-channel 1
(Rajaguru-3400) (config-channel)#ip access-group Mirroring-Port-ACL session
(Rajaguru-3400) (config-channel)#exit
Verification: Now you can see the M flag set on the datapath session between the IP addresses 20.20.20.20 and 20.20.20.2 whenever traffic is initiated by 20.20.20.20.
(Rajaguru-3400) #show datapath session table 20.20.20.20
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
20.20.20.20     20.20.20.2      1    5     2048  0/0   0    0   0   pc1         4    1         128       FMCI
20.20.20.20     20.20.20.2      1    4     2048  0/0   0    0   0   pc1         4    1         128       FMCI
20.20.20.20     20.20.20.2      1    1     2048  0/0   0    0   0   pc1         4    1         128       FMCI
20.20.20.20     20.20.20.2      1    3     2048  0/0   0    0   0   pc1         4    1         128       FMCI
20.20.20.20     20.20.20.2      1    2     2048  0/0   0    0   0   pc1         4    1         128       FMCI
20.20.20.2      20.20.20.20     1    1     0     0/0   0    0   0   pc1         4    1         128       FMI
20.20.20.2      20.20.20.20     1    3     0     0/0   0    0   0   pc1         4    1         128       FMI
20.20.20.2      20.20.20.20     1    2     0     0/0   0    0   0   pc1         4    1         128       FMI
20.20.20.2      20.20.20.20     1    5     0     0/0   0    0   0   pc1         4    1         128       FMI
20.20.20.2      20.20.20.20     1    4     0     0/0   0    0   0   pc1         4    1         128       FMI
Run Wireshark on the computer that is set as the packet-capture destination. You will see the mirrored packets, encapsulated in GRE, between the controller's IP address and the computer's IP address.
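The mirrored packets reach the capture host as GRE (IP protocol 47) with the original packet carried inside. The Python script below is an added example, not part of the original article and not ArubaOS code: it builds a constructed sample of such a packet (an ICMP echo from the uplink switch 20.20.20.20 to the controller 20.20.20.2, tunnelled from the controller to the capture host 10.20.25.29) and strips the outer IP and GRE headers to recover the mirrored packet. It assumes either plain IP-in-GRE (protocol type 0x0800) or Ethernet-in-GRE (0x6558) and honours the optional GRE key and sequence words; the GRE protocol type the controller actually emits should be confirmed in Wireshark (display filter `gre`) before relying on the decoder for anything else.

```python
import struct
import ipaddress
from dataclasses import dataclass

GRE_IP_PROTO = 47
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_TEB = 0x6558   # transparent Ethernet bridging: a whole Ethernet frame inside GRE

# Addresses from the article's setup; the capture host is the packet-capture destination.
CONTROLLER_IP = "20.20.20.2"
UPLINK_SWITCH_IP = "20.20.20.20"
CAPTURE_HOST_IP = "10.20.25.29"


@dataclass
class MirroredPacket:
    outer_src: str        # GRE tunnel source (the controller)
    outer_dst: str        # GRE tunnel destination (the capture host)
    inner_src: str        # source of the packet seen on the port-channel
    inner_dst: str
    inner_proto: int      # IP protocol of the mirrored packet (1 = ICMP)
    inner_payload: bytes  # transport payload of the mirrored packet


def build_ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 header (no options, checksum left zero) used for sample input."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) for the IPv4 packet at the start of buf."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], buf[ihl:total_len]


def parse_gre(buf):
    """Return (protocol_type, payload), skipping optional checksum/key/sequence words (RFC 2784/2890)."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", buf[:4])
    offset = 4
    if flags & 0x8000:   # C bit: checksum + reserved1 word present
        offset += 4
    if flags & 0x2000:   # K bit: key word present
        offset += 4
    if flags & 0x1000:   # S bit: sequence number word present
        offset += 4
    return proto_type, buf[offset:]


def decapsulate(packet):
    """Strip the outer IP and GRE headers and return the mirrored inner packet's addressing."""
    outer_src, outer_dst, proto, gre = parse_ipv4(packet)
    if proto != GRE_IP_PROTO:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    proto_type, inner = parse_gre(gre)
    if proto_type == ETHERTYPE_TEB:
        # A whole Ethernet frame was mirrored: skip its 14-byte header, accept IPv4 only.
        if len(inner) < 14 or struct.unpack("!H", inner[12:14])[0] != ETHERTYPE_IPV4:
            raise ValueError("unsupported inner Ethernet frame")
        inner = inner[14:]
    elif proto_type != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported GRE protocol type 0x{proto_type:04x}")
    inner_src, inner_dst, inner_proto, payload = parse_ipv4(inner)
    return MirroredPacket(outer_src, outer_dst, inner_src, inner_dst, inner_proto, payload)


def build_sample(gre_key=None, ethernet_inner=False):
    """Constructed sample: an ICMP echo request from the uplink switch to the controller,
    mirrored by the controller to the capture host inside GRE (optionally keyed / Ethernet-in-GRE)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"mirror-test"
    inner = build_ipv4(UPLINK_SWITCH_IP, CONTROLLER_IP, 1, icmp)
    if ethernet_inner:
        inner = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + inner   # dummy MACs + EtherType
    flags = 0x2000 if gre_key is not None else 0
    gre = struct.pack("!HH", flags, ETHERTYPE_TEB if ethernet_inner else ETHERTYPE_IPV4)
    if gre_key is not None:
        gre += struct.pack("!I", gre_key)
    return build_ipv4(CONTROLLER_IP, CAPTURE_HOST_IP, GRE_IP_PROTO, gre + inner)


if __name__ == "__main__":
    pkt = decapsulate(build_sample())
    print(f"{pkt.outer_src} -> {pkt.outer_dst} carries "
          f"{pkt.inner_src} -> {pkt.inner_dst} proto {pkt.inner_proto}")
```

Wireshark decodes GRE natively, so for interactive work the filter `ip.proto == 47 && ip.dst == 10.20.25.29` is enough to isolate the mirrored stream; the decoder above is useful when the capture is processed by a script, for instance to count mirrored sessions per inner address pair.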
Caveats:
The traffic can be mirrored, i.e. the M flag will be set on the datapath session, only when the session is created by ingress traffic to the controller.
If the datapath session is created by egress traffic from the controller, the M flag will not be set and the traffic cannot be captured.
Before applying the mirroring ACL, make sure that the old datapath sessions are gone (aged out). Otherwise the M flag will not be set on those sessions.
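The verification output and the caveats above reduce to one check: every datapath session between the two hosts should carry the M flag, and a session that pre-dates the ACL or was created by egress traffic will not. The Python below is an added example (not from the article and not ArubaOS code) that parses the rows of "show datapath session table" and reports the sessions for the host pair that lack the M flag. The sample input reuses rows from the article's output and adds two constructed rows: a TCP session without M, standing for a stale session, and a session for an unrelated host that the pair filter must ignore.

```python
import re
from dataclasses import dataclass

# Rows from the article's "show datapath session table 20.20.20.20" output, plus two
# constructed rows (last two lines): a stale session without the M flag, and a session
# for an unrelated host that must not be counted against the 20.20.20.20 / 20.20.20.2 pair.
SAMPLE_OUTPUT = """\
Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
20.20.20.20     20.20.20.2      1    5     2048  0/0   0    0   0   pc1         4    1         128       FMCI
20.20.20.20     20.20.20.2      1    4     2048  0/0   0    0   0   pc1         4    1         128       FMCI
20.20.20.2      20.20.20.20     1    1     0     0/0   0    0   0   pc1         4    1         128       FMI
20.20.20.2      20.20.20.20     1    3     0     0/0   0    0   0   pc1         4    1         128       FMI
20.20.20.20     20.20.20.2      6    51234 443   0/0   0    0   0   pc1         4    7         612       FCI
10.10.10.50     20.20.20.2      17   5353  53    0/0   0    0   0   pc1         4    2         180       FCI
"""

# A data row starts with two dotted-quad addresses followed by numeric protocol and ports.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\d+\s+\d+\s+")


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    dest_if: str     # "Destination" column, e.g. pc1 for the port-channel
    packets: int
    bytes: int
    flags: str

    @property
    def mirrored(self):
        """M in the Flags column means the datapath copies this session to the capture host."""
        return "M" in self.flags


def parse_sessions(text):
    """Parse data rows of the session table; legend, header and dashed lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or not ROW.match(line):
            continue
        sessions.append(Session(fields[0], fields[1], int(fields[2]), int(fields[3]),
                                int(fields[4]), fields[9], int(fields[11]),
                                int(fields[12]), fields[13]))
    return sessions


def sessions_between(sessions, host_a, host_b):
    """Sessions in either direction between the two hosts."""
    pair = {host_a, host_b}
    return [s for s in sessions if {s.src, s.dst} == pair]


def mirror_report(text, host_a, host_b):
    """Summarise how many sessions for the pair are mirrored and list the ones that are not;
    an unmirrored session is one to clear (or let age out) before trusting the capture."""
    sessions = sessions_between(parse_sessions(text), host_a, host_b)
    missing = [s for s in sessions if not s.mirrored]
    return {"total": len(sessions), "mirrored": len(sessions) - len(missing), "unmirrored": missing}


if __name__ == "__main__":
    report = mirror_report(SAMPLE_OUTPUT, "20.20.20.20", "20.20.20.2")
    print(f"{report['mirrored']}/{report['total']} sessions mirrored")
    for s in report["unmirrored"]:
        print(f"  not mirrored: {s.src}:{s.sport} -> {s.dst}:{s.dport} proto {s.proto} flags {s.flags}")
```

Feed it the real output of "show datapath session table" for the peer address; any session listed under "not mirrored" will be absent from the capture on the Wireshark host, which is exactly the symptom the caveats describe.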
Note:
1. Make sure that the computer's IP address is routable from the controller.
2. If this IP address is in the user table, make sure that there are no ACLs blocking the traffic to the computer.
3. Make sure that there is ample bandwidth on the network path between the controller and the Wireshark device.