
Cisco 3350 - VACL and capture port not seeing ARP?

bkajikami
Level 1

Hi All,

We have a site that has set up their Cisco 3350 with a VACL (using ios v5) with a capture port. Although they have enabled ARP through the VACL, they are not seeing ARP through the capture port. Does a capture port filter out protocols like ARP (or others) by default? If so, how can we allow these protocols to come through?

Many thanks and happy holidays!

Bob

2 Replies

Hello Bob,

It depends on how you have your VACL configured. Make sure that you allow Ethertype 0x806 in addition to IP. Your VACL should look like this (assuming that you apply it to VLAN 2, which might be different in your case, so change the last statement accordingly):

ip access-list extended IP
 permit ip any any
!
mac access-list extended ARP
 permit any any 0x806 0x0
!
vlan access-map IP_AND_ARP 10
 action forward
 match ip address IP
!
vlan access-map IP_AND_ARP 20
 action forward
 match mac-address ARP
!
vlan access-map IP_AND_ARP 30
 action drop
!
vlan filter IP_AND_ARP vlan-list 2

Regards,

GP
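One way to check a saved configuration for the condition described in the reply above (an added example, not part of the original thread): it reports which sequence of a VLAN access map an ARP frame would hit. The function name `arp_verdict` is hypothetical, the sample text is constructed from the reply with the `!` separators dropped, and the check assumes ARP is only matched by a `permit` line that names EtherType 0x806 or by a map entry with no match clause.

```python
import re

# Constructed sample: the access map from the reply above, without "!" separators.
SAMPLE = """\
ip access-list extended IP
 permit ip any any
mac access-list extended ARP
 permit any any 0x806 0x0
vlan access-map IP_AND_ARP 10
 action forward
 match ip address IP
vlan access-map IP_AND_ARP 20
 action forward
 match mac-address ARP
vlan access-map IP_AND_ARP 30
 action drop
vlan filter IP_AND_ARP vlan-list 2
"""

def arp_verdict(config, map_name):
    """Return (sequence, action) of the first map entry ARP hits, else (None, 'no match')."""
    arp_acls, entries, ctx = set(), {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"mac access-list extended (\S+)$", line):
            ctx = ("acl", m.group(1))
        elif m := re.match(r"vlan access-map (\S+) (\d+)$", line):
            ctx = None
            if m.group(1) == map_name:
                ctx = ("map", int(m.group(2)))
                entries[ctx[1]] = {"action": None, "mac": [], "ip_only": False}
        elif ctx and ctx[0] == "acl" and line.startswith("permit "):
            # Assumption: only permit lines naming EtherType 0x806 count as ARP.
            if re.search(r"\s0x0?806(\s|$)", line, re.I):
                arp_acls.add(ctx[1])
        elif ctx and ctx[0] == "map" and (m := re.match(r"action (\w+)", line)):
            entries[ctx[1]]["action"] = m.group(1)
        elif ctx and ctx[0] == "map" and (m := re.match(r"match mac-address (.+)", line)):
            entries[ctx[1]]["mac"] += m.group(1).split()
        elif ctx and ctx[0] == "map" and line.startswith("match "):
            entries[ctx[1]]["ip_only"] = True   # IP ACLs never match ARP frames
        else:
            ctx = None                          # any other line ends the current block
    for seq in sorted(entries):
        e = entries[seq]
        if (not e["mac"] and not e["ip_only"]) or arp_acls.intersection(e["mac"]):
            return seq, e["action"]
    return None, "no match"
```

Calling `arp_verdict(SAMPLE, "IP_AND_ARP")` returns `(20, "forward")`; a map without the MAC ACL entry falls through to sequence 30 and returns `"drop"`.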

Hi GP!

Thank you very much for the response. We will check with our site.

They are claiming that when they perform a tcpdump, they can see ARP packets through ports on the switch (set up as a VACL), but not through the "capture" port for the VACL.

In any case, we will compare configurations (unless you have heard of issues or anomalies where "capture" ports will filter ARP out(?)).

Cheers!

Bob