VLAN ACL interface filtering

Unanswered Question
Mar 3rd, 2010

Hi All

I have just moved away from SPAN to VACLs due to the more granular nature of VACLs, but am missing one major filtering feature that SPAN gave me.  I have 20 interfaces in the VLAN that I am capturing, but I do not want to include the traffic from the trunk link.  Is there a way to stop capturing the traffic if it was received from the trunk within the VACL?

From my digging around CCO, I don't think it is possible, but I have faith in the skills and experience of the Netpro guys/girls.

Thanks in advance

Kevin Dorrell Wed, 03/03/2010 - 02:51

I'm not sure I really understand the use of VACLs as an alternative to SPAN.  VACLs are about filtering data traffic on a VLAN - what is allowed and what is not allowed.  SPAN is about monitoring traffic, and should not affect the data on the VLAN.

In answer to your immediate question: No, VACLs affect all traffic on the VLAN, irrespective of direction, and irrespective of which port it arrives on.

ACLs on a VLAN interface (SVI), on the other hand, affect traffic going into, or coming out of the VLAN, but have no effect on traffic staying within the VLAN.

Could you explain what you are trying to achieve because I think we may be talking at cross-purposes?

Kevin Dorrell

Luxembourg

adamclarkuk_2 Wed, 03/03/2010 - 03:16

Hi Kevin

I appreciate that VACLs are not just a replacement for SPAN sessions, but are definitely a lot better than monitor sessions for data capture, in fact Cisco recommend using them instead of monitor sessions these days.

I will try to simplify my situation to get my need across.

VLAN 100

1 server in this vlan

An etherchannel between the switches carrying vlan 100

An SVI as the default gateway for the server on the switch with HSRP configured.

I have 2 switches with a server using a teamed setup, a NIC on each switch. I have a VACL configured on each switch that captures the traffic for VLAN 100 and forwards it onto a flow analyzer. Unfortunately the software cannot cope with duplicate packets being received, which happens sometimes.  To mitigate this, I wanted to remove the trunk port from the VACL, (but not the trunk ;-) ) configuration so only the server interface on each switch will have the traffic captured and forwarded on.

Like I said, I don't think this is possible but wanted confirmation.  If not, I will have to go back to the dreaded monitor sessions :-s

Regards

Adam

VACL config

mac access-list extended VACL-TEST-MAC
permit any any

ip access-list extended VACL-TEST-IP
permit ip any any

vlan access-map TEST 10
match ip address VACL-TEST-IP
action forward capture
vlan access-map TEST 20
match mac address VACL-TEST-MAC
action forward capture

Interface connected to the analyzer

interface GigabitEthernetx/x
description an switchport
switchport capture
switchport capture allowed vlan 100
speed 1000
duplex full
end
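Since a VACL capture cannot exclude frames by ingress port, the duplicate the analyzer chokes on (the same server frame seen on the server port of one switch and via the trunk on the other) has to be removed downstream. The following is an added example, not configuration or code from the thread or from Cisco: a small Python deduplicator that assumes the two capture feeds have already been merged into one timestamp-ordered stream, and treats a byte-identical frame repeated within a short window (the 50 ms window, the MAC addresses and the frames themselves are constructed for the example) as a second capture of the same packet rather than a real retransmission.

```python
"""Collapse frames that two VACL capture ports delivered twice.

Added example, not configuration or code from the original thread. It
assumes the two capture feeds (one per switch) have already been merged into
a single stream ordered by timestamp, and that a byte-identical frame seen a
second time within a short window is the same packet captured on both
switches rather than a genuine retransmission. All frames below are
constructed for the example, not captured traffic.
"""
from collections import deque
import hashlib
import struct

# Frames identical within this many seconds are treated as capture duplicates.
# The value is an assumption; tune it to the skew between the two feeds.
DEDUP_WINDOW_SEC = 0.050


def frame_key(frame: bytes) -> bytes:
    """Digest of the whole Ethernet frame; both switches forward identical bytes."""
    return hashlib.sha256(frame).digest()


def dedupe(frames, window=DEDUP_WINDOW_SEC):
    """frames: iterable of (timestamp_sec, raw_frame) sorted by timestamp.

    Returns (kept_frames, dropped_count). A frame is dropped when a
    byte-identical frame was kept less than `window` seconds earlier.
    """
    live = deque()   # (timestamp, key) of kept frames still inside the window
    seen = set()     # keys currently present in `live`
    kept = []
    dropped = 0
    for ts, raw in frames:
        # Expire kept frames that have fallen out of the window.
        while live and ts - live[0][0] > window:
            _, old_key = live.popleft()
            seen.discard(old_key)
        key = frame_key(raw)
        if key in seen:
            dropped += 1      # second copy, delivered by the other switch
            continue
        seen.add(key)
        live.append((ts, key))
        kept.append((ts, raw))
    return kept, dropped


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame (no FCS) for the constructed sample."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def sample_stream():
    """Constructed merged capture: two server frames, each seen on both switches,
    plus one later frame with the same bytes that falls outside the window."""
    server = bytes.fromhex("0211223344aa")    # constructed MAC addresses
    gateway = bytes.fromhex("0211223344bb")
    frame_a = build_frame(gateway, server, 0x0800, b"request-1")
    frame_b = build_frame(gateway, server, 0x0800, b"request-2")
    return [
        (0.000, frame_a),   # switch 1 sees it on the server port
        (0.002, frame_a),   # switch 2 sees the same frame via the trunk: duplicate
        (0.010, frame_b),
        (0.012, frame_b),   # duplicate
        (1.000, frame_a),   # same bytes, but 1 s later: treated as a new packet
    ]


def run_demo():
    """Run the deduplicator over the constructed stream; returns (kept, dropped)."""
    kept, dropped = dedupe(sample_stream())
    return len(kept), dropped


if __name__ == "__main__":
    kept_count, dropped_count = run_demo()
    print(f"kept {kept_count} frames, dropped {dropped_count} duplicates")
```

The window is the important knob: too short and the copy arriving from the second switch slips through, too long and a legitimately repeated frame (an ARP request retried with identical bytes, for instance) is thrown away. Keying on the whole frame rather than just the 5-tuple keeps distinct packets of the same flow apart.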

Kevin Dorrell Thu, 03/04/2010 - 01:04

OK, I was not aware of the capture feature, which is why I was a bit puzzled.  It looks really useful; unfortunately I don't think we have it on 4500s.  As far as I can see, it is a 6500 special.  So I read about it in

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml

But I could not see any way of being selective on a per-port basis.  I guess that makes sense when you consider what VACLs were originally intended for: you have switchport input and output ACLs for port specific stuff, SVI input and output ACLs for stuff joining or leaving the VLAN, and then VACLs for the central forwarding engine, and VACLs take no account of the direction of the traffic.

Sorry not to be able to answer your question authoritatively, but thank you for introducing me to a new feature!

Kevin Dorrell

Luxembourg
