Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Filter L3 traffic on L2 egress w/o VACL?

All,

     I have an interesting challenge. I have an existing monitor session set up as below for monitoring on a 6509. I have a single monitor session with multiple egress interfaces based on the VLAN. This solution works very well for feeding specific VLANs to specific monitoring applications.

############################################################

monitor session 13 type local
description GLOBAL MONITOR SESSION FOR ALL VLANS
source vlan 1 - 4094
destination interface Gi9/37 , Gi9/40 , Gi9/42 , Gi9/44 - 46

interface GigabitEthernet9/40
description MONITOR SESSION 13 - REPEATER V401
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 401
switchport mode trunk
switchport nonegotiate


##############################################################

In most situations, unique VLANs are sent out each egress. There may be more than one VLAN dumped on a per egress, but you get the point. VLAN 401 (referenced above) is different. It is a "consolidation" VLAN where multiple application flows pass thru in the clear and are monitored by our security infrastructure. The issue is, we are feeding them too much "white noise" and the filtering they are running is taxing the CPU. So, I was asked if I could filter the traffic.

I cannot filter on MAC. The MACs for different applications are the same. Long story. Only the IPs are unique.

I need to filter on destination IP. That is my only option.

I need the filter to only be applied on a specific egress. So 401 may be going out several egress interfaces. But the filter needs to be applied to a specific port for the VLAN in question.

Router ACL won't work. The port is L2

Switch ACL won't work. Need L3

VACL won't work cause it filters the VLAN regardless of port

MACL won't work cause I only have unique IPs for my filter config

Are there any options anyone knows of for accomplishing this on the 6500s? Again, I need an IP destination ACL on VLAN 401 but ONLY for a specific egress interface.

--Charles

Everyone's tags (7)
1 REPLY
Community Member

Re: Filter L3 traffic on L2 egress w/o VACL?

ALSO

TCAM ACL won't work for the same reason VACL won't work. The ACL can't be contained to a particular egress interface.

566
Views
0
Helpful
1
Replies
CreatePlease to create content