Cisco Support Community
Community Member

Cisco 3350 - VACL and capture port not seeing ARP?

Hi All,

We have a site that has set up their Cisco 3350 with a VACL (using IOS v5) with a capture port. Although they have enabled ARP through the VACL, they are not seeing ARP through the capture port. Does a capture port filter out protocols like ARP (or others) by default? If so, how can we allow these protocols to come through?

Many thanks and happy holidays!


VIP Purple

Re: Cisco 3350 - VACL and capture port not seeing ARP?

Hello Bob,

It depends on how you have your VACL configured. Make sure that you allow Ethertype 0x806 in addition to IP. Your VACL should look like this (assuming that you apply it to VLAN 2, which might be different in your case, so change the last statement accordingly):

ip access-list extended IP
 permit ip any any

mac access-list extended ARP
 permit any any 0x806 0x0

vlan access-map IP_AND_ARP 10
 action forward
 match ip address IP

vlan access-map IP_AND_ARP 20
 action forward
 match mac-address ARP

vlan access-map IP_AND_ARP 30
 action drop

vlan filter IP_AND_ARP vlan-list 2



Community Member

Re: Cisco 3350 - VACL and capture port not seeing ARP?

Hi GP!

Thank you very much for the response. We will check with our site.

They are claiming that when they perform a tcpdump, they can see ARP packets through ports on the switch (set up as a VACL), but not through the "capture" port for the VACL.

In any case, we will compare configurations (unless you have heard of issues or anomalies where "capture" ports will filter ARP out(?)).
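
One way to check a capture taken on the capture port for ARP (EtherType 0x806), as an added example that is not part of the original thread: it counts frames per EtherType in a classic pcap file and steps over 802.1Q tags, because a tagged ARP frame carries 0x8100 in the position where an untagged one carries 0x806. The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_ARP, ETH_8021Q = 0x0800, 0x0806, 0x8100

def ethertype_counts(pcap):
    """Count frames in a classic-pcap byte string by (EtherType, was_802.1Q_tagged)."""
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", pcap[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D):
            break
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pos, tagged = 12, False
        # Step over any 802.1Q tags so a tagged ARP frame is still counted as ARP.
        while frame[pos:pos + 2] == b"\x81\x00":
            pos, tagged = pos + 4, True
        if len(frame) < pos + 2:
            counts[(-1, tagged)] += 1  # -1 marks a frame too short to hold an EtherType
            continue
        counts[(struct.unpack("!H", frame[pos:pos + 2])[0], tagged)] += 1
    return counts

def sample_pcap():
    """Constructed capture: one IPv4 frame, one untagged ARP, one ARP tagged VLAN 2."""
    def record(ethertype, vlan=None):
        tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
        frame = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tag
        frame += struct.pack("!H", ethertype) + bytes(46)
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + record(ETH_IPV4) + record(ETH_ARP) + record(ETH_ARP, vlan=2)

if __name__ == "__main__":
    for (etype, tagged), n in sorted(ethertype_counts(sample_pcap()).items()):
        print(f"ethertype={etype:#06x} tagged={tagged} frames={n}")
```

To use it on a real capture, pass the bytes of a file written with tcpdump's `-w` option to `ethertype_counts` and compare the ARP rows from the capture port with those from an ordinary port in the same VLAN.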


