Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VACL Capture Question

Can a VACL Capture port be any port on a switch (Cat 6000) or can it only be a port on an IDSM blade?

Regards, Jeff

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VACL Capture Question

Any Ethernet, Fast Ethernet, or Gig Ethernet port should work as a VACL Capture port. We regularly use this for testing with external appliance sensors.

3 REPLIES
Cisco Employee

Re: VACL Capture Question

Any Ethernet, Fast Ethernet, or Gig Ethernet port should work as a VACL Capture port. We regularly use this for testing with external appliance sensors.

New Member

Re: VACL Capture Question

What are the pros/cons of using that technique versus using a span port for and external appliance sensor?

Cisco Employee

Re: VACL Capture Question

3 methods to consider:

Use span, use VACL Capture when MSFC is not routing, use VACL Capture when MSFC is routing.

The MSFC interacts with VACL Capture and can change how you deploy your sensors so I will talk about VACL Capture with and with the MSFC.

-----------------------------------

SPAN:

Cons:

Span is limited to only 2 Span sessions in most cases with a Cat 6000 (documentation mentions that more sessions can be used, but is very dependant on the types of sessions being used, so in general I say 2 span sessions)

You have to understand how your network is wired to know whether to use a "tx" span, a "rx" span, or a "both" span. A "both" span can easily result in duplicate packets, and the "tx" and "rx" spans can result in not seeing enough packets if not properly configured.

Pros:

Span (and the span commands) are fairly well understood by most switch users.

You can quickly setup a "both" span session for a specific port to monitor all traffic in and out of that port. (Typical for monitoring your Firewall or Internet connection).

-----------------------------------------

VACL Capture when MSFC is not routing:

NOTE: Only switches that have either an MSFC or PFC can have VACLs.

Cons:

VACLs are fairly new, and sometimes confusing for new users. (I've seen cases where new users have blocked traffic unkowingly because of a bad VACL configuration.)

Pros:

The limit of VACL Capture ports (when MSFC is not routing) is only limited by the number of vlans. You can have a separate sensor monitor each vlan.

You can simulate a vlan span by simply setting up a VACL that captures all IP packets.

The VACL will let you specify which packets you wanted monitored (prevent the sensor from spending cycles on traffic you don't care about).

You can keep your span ports open for other trouble shooting (or deploying additional IDS sensors)

-----------------------------

VACL Capture when MSFC is routing:

Cons:

Because of the way the MSFC interacts with the VACLs, in order for a sensor to monitor correctly the sensor has to be the capture port for all of the vlans being routed. For example: You might apply a VACL to vlan 10, but because the MSFC routes between vlan 10 and 1000 other vlans, the sensor has to be a capture port for all 1001 vlans. This limits you to just a single sensor for monitoring the traffic. (Since one sensor has to be the capture port for all the vlans, then adding a second sensor would just force both sensors to be capture ports for all the vlans resulting in both sensors seeing the same traffic.)

VACLs are fairly new, and sometimes confusing for new users. (I've seen cases where new users have blocked traffic unkowingly because of a bad VACL configuration.)

Pros:

The VACL will let you specify which packets you wanted monitored (prevent the sensor from spending cycles on traffic you don't care about).

You can keep your span ports open for other trouble shooting (or deploying additional IDS sensors)

-------------------------------------

So if the MSFC is NOT routing then the VACL Capture feature is the most flexible and allows you to have a sensor for each vlan.

But once the MSFC starts routing then the Span has an advantage since you can have 2 span sessions verses the 1 capture session. You may consider using both Span and the VACL Capture to maybe get you up to 3 sensors in these situations.

193
Views
10
Helpful
3
Replies