https://community.cisco.com/t5/network-security/idsm-2-capture-configuration/m-p/809542#M86753 <HTML><HEAD></HEAD><BODY><P>You can't bind a VACL to a particular data port.</P><P></P><P>You can only tell a capture port what vlans to monitor. The capture port will monitor all captured packets from those vlans regardless of what VACL was used to mark those packets as capture packets.</P><P></P><P>Your data-port 1 is already monitoring all 4094 vlans so there are no additional vlans that data-port 2 would need to capture packets for.</P><P></P><P>If your switch does routing then your configuration is correct. Even though the VACL is applied to a limited set of a vlan-list X, the packets marked for capture could wind up being routed to any vlan and so all vlans have to be monitored.</P><P>NOW you could add additional vlans to your exising vlan-list, or even create another VACL and apply it to a separate vlan list. BUT in either case your data-port 1 would already be configured for monitoring them.</P><P></P><P>If your switch is NOT doing routing (pretty rare these days), then you do have an alternative. You can change the "capture allowed-vlan" list for data-port 1 to be the same "vlan-list X" that your VACL is assigned to. Then you can create a new VACL and assign it to a list Y, and configure data-port 2 to be a capture port for allowed-vlan list Y.</P><P>But this really doesn't gain you a whole lot. You could just simply add vlan list Y to data-port 1 and still monitor everything with data-port 1.</P><P></P><P></P><P>Data-port 2 doesn't really gain you much as you as a 2nd capture port.</P><P></P><P>Where data-port 2 comes in handy is when you want to do a different type of monitoring.</P><P>Data-port 2 could be setup as a Span or Rspan destination port.</P><P>OR data-port 2 coudl be setup for InLine monitoring with InLine Vlan Pairs.</P><P></P><P>It is only when you need the second type of monitoring that you can really make use of data-port 2. </P><P>For capturing traffic on additional vlans you can just continue to use data-port 1.</P></BODY></HTML> Mon, 14 May 2007 13:29:20 GMT marcabal 2007-05-14T13:29:20Z https://community.cisco.com/t5/network-security/idsm-2-capture-configuration/m-p/809541#M86752 <P>Hi friends,</P><P></P><P>I have enabled capture on the IDSM data-port 1 (Gig0/7). Now, i want to use data port 2 (Gig 0/8) also to capture another segment.</P><P></P><P>A snippet of my current config is as follows:</P><P></P><P>ip access-list extended MATCHALL</P><P>permit ip any any</P><P>vlan access-map CAPTUREALL 10</P><P>match address MATCHALL</P><P>action forward capture</P><P></P><P>vlan-filter CAPTUREALL vlan-list x</P><P>intrusion-detection module 3 management-port access-vlan 5</P><P>intrusion-detection module 3 data-port 1 capture</P><P>intrusion-detection module 3 data-port 1 capture allowed-vlan 1-4094</P><P>intrusion-detection module 3 data-port 1 autostate include</P><P>intrusion-detection module 3 data-port 1 portfast enable</P><P></P><P>My question is:</P><P></P><P>If i enable data port 2, then how do i bind a VACL to data port 2 only?</P><P></P><P>Thanks a lot</P><P>Gautam</P><P></P><P></P> Sun, 10 Mar 2019 10:36:18 GMT https://community.cisco.com/t5/network-security/idsm-2-capture-configuration/m-p/809541#M86752 gautamzone 2019-03-10T10:36:18Z https://community.cisco.com/t5/network-security/idsm-2-capture-configuration/m-p/809542#M86753 <HTML><HEAD></HEAD><BODY><P>You can't bind a VACL to a particular data port.</P><P></P><P>You can only tell a capture port what vlans to monitor. The capture port will monitor all captured packets from those vlans regardless of what VACL was used to mark those packets as capture packets.</P><P></P><P>Your data-port 1 is already monitoring all 4094 vlans so there are no additional vlans that data-port 2 would need to capture packets for.</P><P></P><P>If your switch does routing then your configuration is correct. Even though the VACL is applied to a limited set of a vlan-list X, the packets marked for capture could wind up being routed to any vlan and so all vlans have to be monitored.</P><P>NOW you could add additional vlans to your exising vlan-list, or even create another VACL and apply it to a separate vlan list. BUT in either case your data-port 1 would already be configured for monitoring them.</P><P></P><P>If your switch is NOT doing routing (pretty rare these days), then you do have an alternative. You can change the "capture allowed-vlan" list for data-port 1 to be the same "vlan-list X" that your VACL is assigned to. Then you can create a new VACL and assign it to a list Y, and configure data-port 2 to be a capture port for allowed-vlan list Y.</P><P>But this really doesn't gain you a whole lot. You could just simply add vlan list Y to data-port 1 and still monitor everything with data-port 1.</P><P></P><P></P><P>Data-port 2 doesn't really gain you much as you as a 2nd capture port.</P><P></P><P>Where data-port 2 comes in handy is when you want to do a different type of monitoring.</P><P>Data-port 2 could be setup as a Span or Rspan destination port.</P><P>OR data-port 2 coudl be setup for InLine monitoring with InLine Vlan Pairs.</P><P></P><P>It is only when you need the second type of monitoring that you can really make use of data-port 2. </P><P>For capturing traffic on additional vlans you can just continue to use data-port 1.</P></BODY></HTML> Mon, 14 May 2007 13:29:20 GMT https://community.cisco.com/t5/network-security/idsm-2-capture-configuration/m-p/809542#M86753 marcabal 2007-05-14T13:29:20Z