
Port Mirror on Nexus 7k - Filter not working

Travis-Fleming
Level 1

Hello. I have the below setup for a mirrored port going to a laptop with Wireshark. I have the access-list\monitor filter set up, but it's still showing all traffic and is generating a 100 MB file every minute, which is too much. What am I missing? I only want to see traffic from the 172.17.15.0/24 subnet going to the 172.17.60.0/24 subnet.

 

ip access-list 2ndwestvoice
10 permit ip 172.17.15.0/24 172.17.60.0/24
20 deny ip any any

!

monitor session 1
source interface Ethernet1/3 both
rate-limit auto
destination interface Ethernet1/8 primary
filter filter-list 2ndwestvoice
no shut

!
monitor filter-list 2ndwestvoice
permit filter 2ndwestvoice

1 Accepted Solution

Accepted Solutions

Travis-Fleming
Level 1

I opened a TAC case, and that engineer could not figure it out either. However, we just put the filter on the live Wireshark capture as opposed to on the Nexus itself. That worked for us.

View solution in original post

3 Replies 3

Sergiu.Daniluk
VIP Alumni

Hi @Travis-Fleming 

As far as I remember, the "permit" and "deny" actions in the ACL are ignored when you apply it to a monitor filter list, and the action in the monitor filter will take effect.

In other words, in your scenario it will "permit" both entries from your ACL.

Try removing the "deny ip any any" from the ACL and test again.

Alternatively, you can configure this inside the monitor session config:

switch(config-monitor)# filter frame-type ip src-ip 172.17.15.0/24 dst-ip 172.17.60.0/24

 

Stay safe,

Sergiu

I tried removing the deny line in my ip access-list and it still captures everything. I got a little closer with your suggestion of the filter frame-type within the monitor session, but it was only getting traffic in one direction. Cisco TAC is needing a packet capture in both directions.

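The capture-side approach the thread settled on, written out as an added example (not from the original posts): shell helpers that build a filter matching the two subnets from the question in both directions, as a BPF capture filter and as a Wireshark display filter, and start dumpcap with a ring buffer so the capture files stay bounded. The function names, ring-buffer sizes and the interface and file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: filter on the capture host instead of on the Nexus SPAN session.

# Shape check only (dotted quad + /0-32); rejects anything that could add
# extra terms to the filter expression. dumpcap still validates the values.
valid_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# BPF capture filter: traffic between two subnets, both directions.
# Applied at capture time, so non-matching packets never reach the file.
bidir_filter() {
    valid_cidr "$1" && valid_cidr "$2" || return 1
    printf '(src net %s and dst net %s) or (src net %s and dst net %s)\n' \
        "$1" "$2" "$2" "$1"
}

# Equivalent Wireshark display filter, for narrowing an existing capture.
bidir_display_filter() {
    valid_cidr "$1" && valid_cidr "$2" || return 1
    printf '(ip.src == %s and ip.dst == %s) or (ip.src == %s and ip.dst == %s)\n' \
        "$1" "$2" "$2" "$1"
}

# usage: capture <interface> <subnet-a> <subnet-b> <outfile>
# Ring buffer: rotate at 100 MB (filesize is in kB), keep the newest 10 files.
capture() {
    f=$(bidir_filter "$2" "$3") || { echo "invalid subnet" >&2; return 1; }
    dumpcap -i "$1" -f "$f" -b filesize:102400 -b files:10 -w "$4"
}

# Example invocation (interface and file name are placeholders):
#   capture eth0 172.17.15.0/24 172.17.60.0/24 voice.pcapng
```
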