Cisco – Force VLAN traffic through specified interfaces

bridgeciscofirewalltrunkvlan

I have two VLANs, VLAN1 for "clients" and VLAN2 for (web)servers. Both VLANs have two ports in etherchannel (one Cisco switch). I would like to put transparent (WAF) device in bridge mode between the VLANs in order to monitor/block traffic. What could be the method in order to accomplish this in case of Cisco device (or eliminate this kind of problem).

For example if I use two physical switches, and connect the trunk ports (and bonded) via the transparent device bridge interfaces I can see the traffic.

Im curios about, is it possible to do in one switch between VLANs, if yes what the name or method i should search for?

Thank you!

Best Answer

As Ron Trunk pointed out, bridging VLANs can be problematic in the results. Cisco offers SPAN for network monitoring. You can mirror the traffic from on or more interfaces or VLANs to an interface to which you connect your monitoring equipment. There is also RSPAN that lets you transport the the mirrored traffic across layer-2 to a different switch, and ERSPAN (for select equipment) that will encapsulate the mirrored traffic so that it can cross layer-3.

Understanding SPAN,RSPAN,and ERSPAN

Local SPAN: Mirrors traffic from one or more interface on the switch to one or more interfaces on the same switch.

Remote SPAN (RSPAN): An extension of SPAN called remote SPAN or RSPAN. RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices. RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated for the RSPAN session. This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. On the switch that contains the destination port for the session, traffic from the RSPAN session VLAN is simply mirrored out the destination port.

Encapsulated remote SPAN (ERSPAN): encapsulated Remote SPAN (ERSPAN), as the name says, brings generic routing encapsulation (GRE) for all captured traffic and allows it to be extended across Layer 3 domains.

ERSPAN is a Cisco proprietary feature and is available only to Catalyst 6500, 7600, Nexus, and ASR 1000 platforms to date. The ASR 1000 supports ERSPAN source (monitoring) only on Fast Ethernet, Gigabit Ethernet, and port-channel interfaces.

To control traffic between the VLANs, you use something like an ACL on the router that routes traffic between the VLANs.

Related Solutions

Cisco – Passing Traffic through Traffic Management Device in transparent mode

If all traffic needs to go from gi0/4 to gi0/3 and from gi0/2 to gi0/1 you could use layer 2 local switching. Configuration would be about:

connect Router1-TM GigabitEthernet0/4 GigabitEthernet0/3 
connect Router2-TM GigabitEthernet0/1 GigabitEthernet0/2

If your linecards do not support layer 2 local connect, then consider bridge-groups:

bridge irb
interface range GigabitEthernet0/4 , GigabitEthernet0/3
 bridge-group 1
interface range GigabitEthernet0/1 - 2
 bridge-group 2
!
bridge 1 protocol ieee
bridge 1 priority 128
bridge 2 protocol ieee
bridge 2 priority 128

However I'm dubious if bridge is actually in PFC, not at least up-to PFC3, I'm not sure about PFC4 (SUP2T).

Finally you have option to use QinQ:

interface range GigabitEthernet0/4 , GigabitEthernet0/3
 switchport
 switchport access vlan 42
 switchport mode dot1q-tunnel
 switchport nonegotiate
!
interface range GigabitEthernet0/1 - 2
 switchport
 switchport access vlan 43
 switchport mode dot1q-tunnel
 switchport nonegotiate
!

In this option VLAN 123 that comes from Router1, gets VLAN 42 on top of it [ 42 123 ], MAC addresses from ALL Router1 VLANs are populated in VLAN 42 mac-address-table. So then MAC lookup is done against VLAN 42 where we only have traffic-manager, once we send the frame out to traffic-manager, we pop VLAN 42 out.
Now after traffic manager send it OUT, again in VLAN 123, it gets VLAN 43 on top of it [ 43 123 ], and as previously MAC lookup is done for table 43, where we only have Router2, frame is sent out towards Router2 and VLAN 43 is popped out.

By default STP is not tunneled like rest of the traffic, but STP BPDU is directly visible to the switch, and switch will react to it normally, this is often undesirable. If STP BPDU needs to be tunneled as well you need feature called 'Layer 2 Protocol Tunnel' or L2PT.
L2PT is fancy word for DMAC address rewrite, when incoming frame has DMAC identifying the frame as special BPDU, such as STP, you rewrite the DMAC to some non-special address, for STP BPDU DMAC is written ingress to 01-00-0c-cd-cd-d0 then in egress the 01-00-0c-cd-cd-d0 DMAC id again rewritten back to STP DMAC.
Configuration is as follows:

 l2protocol-tunnel cdp
 l2protocol-tunnel lldp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp

You can use 'show l2protocol-tunnel interface giga0/1' to see counters for both directions of the MAC rewrite 'encap' means real DMAC was written to 01-00-0c-cd-cd-d0 and 'decap' means 01-00-0c-cd-cd-d0 was written back to real DMAC.

switch#show l2protocol-tunnel  interface giga1/0/6
COS for Encapsulated Packets: 5

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                    Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi1/0/6    cdp           ----      ----       2674827        263832            0

Vlan – Is it possible to access more than one VLAN

You could access the two VLANs via a 802.1q trunk on the switchport connected to the computer. The NIC would have to be able to tag packets and recognize tagged packets.

The L2 switch by itself will not allow you to communicate between the two VLANs. You would need a router.

Best Answer

Related Solutions

Cisco – Passing Traffic through Traffic Management Device in transparent mode

Vlan – Is it possible to access more than one VLAN

Related Topic