Cisco Support Community
New Member

VACL vs SPAN: What's better for IDSM captures

I have just added a 6381 IDSM module to my existing IDS system. The 6509 where it resides includes an MSFC2 and PFC2. This switch is being installed as the center piece of a new campus backbone. I intend to run multiple VLANs across multiple buildings via fiber trunks.

With the above information in mind, does someone out there with experience have an opinion regarding VACL vs SPAN for capturing packets for the IDSM?

New Member

Re: VACL vs SPAN: What's better for IDSM captures

I don't have very much experience with VACLs, but I have had a lot of success with my IDSM blades on my 6500's by spanning the VLANs. The command is: set span <(vlan)23,24,25>. One problem that I did run across spanning VLANs is if you include a shutdown VLAN the span will not work for any of the VLANs. With the IDSM modules you will want to span the VLANs to the virtual port on the backplane. For example the IDSM will set up two virtual ports on the backplane of a 6509; if the IDSM is in the 9th slot, 9/1 would be the port the VLANs are piped to, and 9/2 will be your management port for the blade. This will give you the ability to monitor between 170-190 Mbps of traffic.

A great source of information on the IDSM and CSPM is the Cisco Press book Cisco Secure Intrusion Detection System by Earl Carter.

New Member

Re: VACL vs SPAN: What's better for IDSM captures

Thanks very much for responding Carl. I really appreciate the input!

I have the Earl Carter text and you're absolutely right about it. It's invaluable!

Thanks again,

Steve Gransden

Cisco Employee

Re: VACL vs SPAN: What's better for IDSM captures


Both VACL and SPAN have their pros and cons. Which to use is a decision you'll have to make in light of your needs. I've used both and listed some of the pros/cons that I've run across.

VACL pros:

- finer control of which packet streams are being inspected.

- can use multiple, different VACL statements on different VLANs. You are restricted to one VACL per VLAN, but can tailor each VACL to each VLAN.

- large number of capture output ports...easy to implement redundancy..good for testing.

VACL cons:

- only one capture port list...all ports get all the traffic from all capture VACLs. Have to use native VLAN coloring/trunk filtering to parse traffic when load sharing across multiple IDSM modules.

- in the presence of an MSFC doing routing, getting the VACLs correct to capture both directions of a full duplex connection can be difficult (mind-bending). One key idea is that VACLs conceptually apply on "egress".

- ACL syntax means you have all the hangups of entering and maintaining ACLs.

SPAN pros:

- simple, easy-to-understand context and syntax.

- easy to track and maintain (don't have to synthesize the state from 2 or 3 config lines).

SPAN cons:

- rare resource...Cat6K w/ CatOS have 2 full duplex or 4 uni-direction spans available.

- Bandwidth doubling affecting performance of span and IDS. When you span multiple VLANs in the presence of a router, you have the potential for getting double packets spanned. Consider if you have VLAN 23 and 25 spanned; a packet originating on VLAN 23 gets copied for span, the original packet gets routed to VLAN 25, the routed packet gets copied for span again on VLAN 25.

Hope this gives you some things to think about.

Scott Cothrell
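The double-copy effect described in the SPAN cons above (a packet routed by the MSFC from one spanned VLAN to another spanned VLAN reaching the IDSM twice) is easy to see with a small model. The following is an added example written for this page, not code from the thread or from Cisco; the packet records are constructed dictionaries with field names chosen for this example (`vlan`, `ttl`, `ip_id`, `payload`, and so on), and the routed copy is assumed to differ from the original only in VLAN tag, MAC addresses and TTL, which is what an MSFC rewrite does to a forwarded IP packet. The dedup window is this example's own choice, in the spirit of `editcap -d`.

```python
"""Added example (not part of the original thread): model the SPAN
bandwidth-doubling problem and collapse the duplicate copies.

All packets below are constructed sample data, not a real capture."""

import hashlib


def span_copies(switch_path, spanned_vlans):
    """Count how many copies a SPAN session emits for one packet.

    switch_path: the VLANs the frame appears on inside the switch, in order.
    For a packet routed by the MSFC that is [ingress_vlan, egress_vlan].
    A SPAN session monitoring a VLAN copies the frame each time it appears
    on a monitored VLAN, so a routed packet between two spanned VLANs
    is copied twice."""
    return sum(1 for vlan in switch_path if vlan in spanned_vlans)


def dedupe_key(pkt):
    """Key that is identical for the pre-routing and post-routing copy.

    The MSFC rewrites MAC addresses, the 802.1Q tag and the TTL, but leaves
    src/dst IP, protocol, IP identification and the payload untouched, so
    those fields identify "the same packet seen on two VLANs"."""
    payload_hash = hashlib.sha256(pkt["payload"]).hexdigest()
    return (pkt["src_ip"], pkt["dst_ip"], pkt["proto"], pkt["ip_id"], payload_hash)


def dedupe(capture, window=4):
    """Drop a packet whose key matches one of the last `window` kept packets.

    A short window catches back-to-back SPAN duplicates while leaving genuine
    retransmissions (which normally arrive much later and with a new IP ID)
    alone. The window size is an assumption of this example."""
    kept, recent = [], []
    for pkt in capture:
        key = dedupe_key(pkt)
        if key in recent:
            continue
        kept.append(pkt)
        recent.append(key)
        if len(recent) > window:
            recent.pop(0)
    return kept


# Constructed sample: VLANs 23 and 25 are spanned; VLAN 24 is not.
# Packet 1 goes from a VLAN 23 host to a VLAN 25 host: the IDSM sees the
# original frame on VLAN 23 and the MSFC-rewritten copy on VLAN 25.
# Packet 2 goes from VLAN 23 to VLAN 24: only the VLAN 23 copy is spanned.
SPANNED_VLANS = {23, 25}
SAMPLE_CAPTURE = [
    {"vlan": 23, "src_mac": "00:00:0c:11:11:11", "dst_mac": "00:00:0c:ff:ff:01",
     "src_ip": "10.23.0.5", "dst_ip": "10.25.0.9", "proto": 6, "ip_id": 0x1a2b,
     "ttl": 64, "payload": b"GET / HTTP/1.0\r\n\r\n"},
    {"vlan": 25, "src_mac": "00:00:0c:ff:ff:02", "dst_mac": "00:00:0c:22:22:22",
     "src_ip": "10.23.0.5", "dst_ip": "10.25.0.9", "proto": 6, "ip_id": 0x1a2b,
     "ttl": 63, "payload": b"GET / HTTP/1.0\r\n\r\n"},
    {"vlan": 23, "src_mac": "00:00:0c:11:11:11", "dst_mac": "00:00:0c:ff:ff:01",
     "src_ip": "10.23.0.5", "dst_ip": "10.24.0.7", "proto": 17, "ip_id": 0x3c4d,
     "ttl": 64, "payload": b"\x12\x34\x01\x00"},
]


def duplicate_ratio(capture):
    """Fraction of captured frames that were redundant SPAN copies."""
    if not capture:
        return 0.0
    return 1.0 - len(dedupe(capture)) / len(capture)


if __name__ == "__main__":
    print("copies of a 23->25 routed packet:", span_copies([23, 25], SPANNED_VLANS))
    print("copies of a 23->24 routed packet:", span_copies([23, 24], SPANNED_VLANS))
    print("frames captured:", len(SAMPLE_CAPTURE), "unique:", len(dedupe(SAMPLE_CAPTURE)))
    print("redundant fraction: %.2f" % duplicate_ratio(SAMPLE_CAPTURE))
```

The model shows why the "bandwidth doubling" matters for sizing: every routed flow between two spanned VLANs costs the IDSM two frames' worth of capture bandwidth and inspection, and the deduplication has to key on the IP-level fields because the layer-2 headers of the two copies differ.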
