
CCIEv5 EPC Overview By CCSI: Yasser Auda


Embedded Packet Capture (EPC) is a packet capture tool that captures packets flowing to, through, and from
the device. We can then analyze them locally, or save them as a packet capture (PCAP) file and export it for
offline analysis with a tool such as Wireshark.

This tool is configured in exec mode, and captured packets are stored in a buffer in DRAM. As a result,
the tool configuration is not stored within the router configuration and will not remain in place after a
system reload (your EPC configuration is kept only temporarily in the router).

To configure EPC you define two things and give each a name, a buffer point and a capture point, then
attach the buffer point to your capture point.

Buffer Point: Defines a temporary buffer in DRAM in which the captured packets are stored.

Capture Point: Defines the location where the capture occurs. It also defines whether the capture
occurs for IPv4 or IPv6 and in which switching path (process versus CEF).

Notes from Cisco TAC:
In releases earlier than Cisco IOS Release 15.0(1)M, the buffer size was limited to 512K.
In releases earlier than Cisco IOS Release 15.0(1)M, the captured packet size was limited to 1024 bytes.
The packet buffer is stored in DRAM and will not persist through reloads.
The capture configuration is not stored in NVRAM and will not persist through reloads.
The capture point can be defined to capture in the cef or process switching paths.
The capture point can be defined to capture only on an interface or globally.
When the capture buffer is exported in PCAP format, L2 information (such as Ethernet encapsulation) is
not preserved.

Two types of data are stored in a capture buffer: Meta Data and Packet Data.
Meta Data (which helps in filtering too) contains:
A timestamp of when it is added to a buffer.
Direction, egress or ingress.
The switch path in which it was captured.
Encapsulation type corresponding to input/output interface to allow the decoding of L2.
Offset to network start, to facilitate the decoding of L3, if complete L2 decoders are unavailable.
L3 protocol ID, to facilitate the decoding of L3, if complete L2 decoders are unavailable.















Configuring EPC commands

1-Create buffer point:
R1#monitor capture buffer MYBUFFER size 512 max-size 1024 linear
size is the size of the buffer in KB.
max-size is the number of bytes to capture per packet; it can be limited to save space.
linear or circular is the type of buffer:
A linear buffer stops capturing automatically when full.
A circular buffer continues to capture packet data, overwriting old data with newer data as it fills.
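
The difference between the two buffer types decides which part of an event survives in the capture. The following is an added example, not part of the original document: a simplified Python model of a buffer point that assumes only packet bytes count against the buffer size (metadata overhead is ignored) and uses constructed packets.

```python
from collections import deque

class CaptureBuffer:
    """Simplified model of an EPC buffer point: counts packet bytes only
    (assumption: per-packet metadata overhead is ignored)."""

    def __init__(self, size_kb, max_size, circular):
        self.capacity = size_kb * 1024  # 'size' is given in KB
        self.max_size = max_size        # 'max-size': bytes kept per packet
        self.circular = circular
        self.packets = deque()          # (arrival number, stored bytes)
        self.used = 0
        self.seen = 0
        self.overwritten = 0
        self.stopped = False

    def offer(self, packet):
        """Offer one packet to the buffer; return True if it was stored."""
        self.seen += 1
        stored = packet[:self.max_size]          # truncate to max-size
        if self.stopped or len(stored) > self.capacity:
            return False
        while self.used + len(stored) > self.capacity:
            if not self.circular:                # linear: stop when full
                self.stopped = True
                return False
            _, old = self.packets.popleft()      # circular: drop the oldest
            self.used -= len(old)
            self.overwritten += 1
        self.packets.append((self.seen, stored))
        self.used += len(stored)
        return True

def simulate(circular, n_packets=2000, packet_len=1500, size_kb=512, max_size=1024):
    """Feed n_packets constructed packets and report what the buffer retains."""
    buf = CaptureBuffer(size_kb, max_size, circular)
    for _ in range(n_packets):
        buf.offer(bytes(packet_len))             # constructed all-zero packet
    return {
        "retained": len(buf.packets),
        "first_kept": buf.packets[0][0],
        "last_kept": buf.packets[-1][0],
        "overwritten": buf.overwritten,
        "stopped": buf.stopped,
    }

if __name__ == "__main__":
    print("linear  :", simulate(circular=False))
    print("circular:", simulate(circular=True))
```

With the sizes from the command above, a linear buffer keeps the first packets of the event and a circular buffer keeps the most recent ones, so choose based on whether the start or the end of the traffic matters for the analysis.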

Optionally we can enable rate limiting to:
Specify a maximum capture rate (in packets per second).
Capture every "nth" packet.
Or automatic limit criteria can be defined to:
Stop the capture after a specified time interval.
Stop the capture after capturing a given number of packets.

R1#monitor capture buffer MYBUFFER limit ?
  allow-nth-pak    Allow every nth packet through
  duration         Duration of capture
  packet-count     Limit total Number of packets captured
  packets-per-sec  Limit number of packets copied per sec

Optionally a filter can also be applied to limit the capture to the desired traffic. Define an Access Control
List (ACL) in config mode, then apply the filter to the buffer from exec mode:
R1(config)#ip access-list extended BUF-FILTER
R1(config-ext-nacl)#permit ip host 192.168.1.1 host 172.16.1.1
R1(config-ext-nacl)#permit ip host 172.16.1.1 host 192.168.1.1
R1(config-ext-nacl)#end
R1#monitor capture buffer MYBUFFER filter access-list BUF-FILTER

2-Create capture point:
We define four things in a capture point: the protocol (IPv4 or IPv6 traffic), the forwarding method (CEF or
process switching), the interface, and the traffic direction on that interface:
In (capture at ingress)
Out (capture at egress)
Both
R1#monitor capture point ip process-switched MYPOINT

3-Associate (attach) your buffer point to your capture point
R1#monitor capture point associate MYPOINT MYBUFFER

We can associate more than one capture point with a single capture buffer.
For example, we can create one capture point for OSPF traffic and one for BGP traffic (an ACL will help you
to do that).

Verification:
R1#sh monitor capture point all
R1#sh monitor capture buffer all parameters

4-Start & Stop capturing traffic
R1#monitor capture point start MYPOINT
R1#monitor capture point stop MYPOINT

5-To view what you captured locally
R1#show monitor capture buffer MYBUFFER dump

6-To save what you captured as a PCAP file and export it for analysis with Wireshark
R1#monitor capture buffer MYBUFFER export tftp://10.1.1.1/capture.pcap

EPC Lab


R1 & R4 running OSPF process id 100 , area 0
R1 s1/0 10.1.14.1/24 loop 0 1.1.1.1/32
R4 s1/0 10.1.14.4/24 loop 0 4.4.4.4/32

1-Create space called MYBUFFER in R1's volatile memory to store captured packets, with the following
requirements:
-volatile memory space size is 1024KB
-max packet size to capture 1024KB
-volatile memory space must continue to capture packets even if the buffer is full.
-capturing should run for a duration of 15 minutes.
Create a general ACL to be used later by the network administrator in case he would like to capture
specific types of protocols or ports.

2-Capture CEF-switched IPv4 packets, ingress or egress, on interface serial 1/0 (the capture point name will be
MYPOINT) and associate it with your buffer point.
3-Start capturing data and ping 4.4.4.4. All captured data must be saved as Yasser.pcap and then
exported to TFTP server 10.1.15.5.

Answer:
1-
R1(config)#ip access-list ext 101
R1(config-ext-nacl)#permit ospf any any
R1(config-ext-nacl)#exit
R1(config)#exit

R1#monitor capture buffer MYBUFFER size 1024 max-size 1024 circular
R1#monitor capture buffer MYBUFFER limit duration 900
R1#monitor capture buffer MYBUFFER filter access-list 101

2-
R1#monitor capture point ip cef MYPOINT serial 1/0 both
R1#monitor capture point associate MYPOINT MYBUFFER



3-
R1#monitor capture point start MYPOINT
R1#ping 4.4.4.4
R1#monitor capture point stop MYPOINT

R1#monitor capture buffer MYBUFFER export tftp://10.1.14.4/yasser.pcap





Good Luck
CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasser.r.a?view=documents
https://www.youtube.com/user/yasserramzyauda
