Capture Capability with VACLs on Low end Switches.

There is a feature on Cisco High End Switches (Catalyst 6500/7600) that allows you to "mirror" traffic from a source to a destination using ACLs to further filter out only required traffic i.e. when port bandwidth is restrictive or for security reasons.

http://www.cisco.com/application/pdf/paws/89962/vacl_capture.pdf

I was wondering if this feature could also be achieved on Cisco 4500 or 3750 series switches, perhaps following a different method.

Regards.


Re: Capture Capability with VACLs on Low end Switches.

Hi ,

VACL capture works with most of the newer Cisco switches including the 6500, 4500, 4900, 3750E, 3750, 3560E, and the 3560. To find out if your switch supports this feature take a look at the below link for more information.

http://www.cisco.com/en/US/prod/switches/ps5718/ps708/networking_solutions_products_genericcontent0900aecd805f0955.pdf

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Re: Capture Capability with VACLs on Low end Switches.

Sorry, but I've tried on C3750 to configure VACL and it's not possible. Then I thought that my IOS is old and I tried with Cisco Software Advisory to find an IOS to support VACL. I couldn't find one. When you type VACL, or Vlan ACL or any other combination there is no result.

With C6500, when I have typed VACL in the advisory feature field, the term was recognized immediately.

Are you sure about C3750 supporting VACLs?

Re: Capture Capability with VACLs on Low end Switches.

Hi!

I think you can achieve similar results using the "filter" parameter on SPAN or RSPAN:

sw1-c3750(config)#monitor session 1 filter ?
  ip    Specify IP Access control rules
  mac   Specify MAC Access control rules
  vlan  SPAN filter VLAN

E.g. I have tried on the c3750 a SPAN configuration with source one vlan, and in this vlan only http traffic to destination X. It worked fine, but I didn't have the time to go into more detailed tests.

Let me know if this helps you.

Re: Capture Capability with VACLs on Low end Switches.

I tried to find this feature (VACL Capture) in Feature Navigator, but it is only listed for Cisco Catalyst 6500/7600.

On the other hand, in the Cisco Catalyst Switch Guide, it says that VACL Capture is also present in the Low End Switches.

Moreover, I came across this article by Network World: http://www.networkworld.com/community/node/33617

which also mentions that it is supported on the Low End.

I tried the commands myself and they do not seem to exist. Again, perhaps it's a software or feature (EI) issue.

I would test further and let you know.

Re: Capture Capability with VACLs on Low end Switches.

Can you confirm the version and model number of the c3750 on which the "monitor destination <1-6> filter ip " command exists, because I cannot find it on our switches (not even in Cisco documentation for the latest release). I could only find it in the Cisco 4500 Series: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ew/configuration/guide/span.html

Regards.

Re: Capture Capability with VACLs on Low end Switches.

I cannot find that command either, but the filter parameter is related to monitor session and to source or destination:

sw1-c3750(config)#monitor session 1 filter ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

on C3750 with c3750-ipservicesk9-mz.122-46.SE.bin

I saw now that on C3750E you have the possibility to support VACL, but not capture with VACL.
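The ACL-filtered SPAN session described in the replies above (one source VLAN, only HTTP traffic to destination X copied to the monitor port), written out as an added example that is not part of any poster's message. The VLAN number, ACL number, destination address (a documentation-range placeholder for X) and monitor interface are assumptions, and the `filter ip access-group` keyword is only present on platforms and images that offer it, as the thread shows.

```cisco
! Added example. Assumed values: VLAN 10, ACL 101, host 192.0.2.10 standing in for X,
! Gi1/0/24 as the port where the sniffer or IDS sensor is attached.

! ACL selecting the traffic to be mirrored: HTTP towards destination X.
! In a SPAN filter ACL, "permit" means "copy to the monitor port";
! everything else (implicit deny) is simply not mirrored and is still switched normally.
access-list 101 permit tcp any host 192.0.2.10 eq www

! Source of the session: all ports in VLAN 10.
monitor session 1 source vlan 10

! Restrict the mirrored traffic to what ACL 101 permits.
monitor session 1 filter ip access-group 101

! Port that receives the filtered copy.
monitor session 1 destination interface GigabitEthernet1/0/24

! Verify from exec mode that the session shows the source VLAN,
! the destination port and the attached IP access-group:
!   show monitor session 1
```

Unlike a VACL, the filter ACL here does not forward or drop production traffic; it only decides which frames are copied, so the volume sent to the capture port stays within what that port and the attached sensor can handle.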

Re: Capture Capability with VACLs on Low end Switches.

Ok. Thanks.

I could find the commands on some c3570 Gigabit Switches, but not on some older 10/100Mb. That's weird.
