Hello,
The config guide* for the 3560 states:
"You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches."
Unless I'm misreading it, this should mean that I can configure a SPAN session from an interface to a remote-span vlan, then use vlan access-map to filter which packets get sent on that vlan. Thus, I should be able to configure a switchport to carry the RSPAN VLAN, and only packets matching the VACL will get sent out.
Unfortunately, this doesn't seem to be the case. No matter what combination of ACLs I try, I am unable to get any filtering to apply to the RSPAN VLAN. The output simply acts as if it's completely unfiltered.
The 3560 does not support VACL "action forward capture", nor does it support FSPAN (monitor session x filter ip ...). Additionally, no traffic is passed if you configure 2 sessions (from interface to rspan vlan, from rspan vlan to dest interface), unlike the 6500 (the "Using RSPAN with VACLs for Granular Traffic Analysis" won't work).
Is the documentation just incorrect? Any other ideas on how to apply an ACL so as to filter a 1G+ port/vlan to 100M or 10G to 1G?
Thanks.
* http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swspan.html