cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1432
Views
0
Helpful
3
Replies

Port Mirror on Nexus 7k - Filter not working

Travis-Fleming
Level 1
Level 1

Hello. I have the below setup for a mirrored port going to a laptop with wireshark. I have the access-list\monitor filter setup, but it's still showing all traffic and is generating a 100 MB file every minute, which is too much. What am I missing? I only want to see traffic from the 172.17.15.0/24 subnet going to 172.17.60.0/24 subnet.

 

ip access-list 2ndwestvoice
10 permit ip 172.17.15.0/24 172.17.60.0/24
20 deny ip any any

!

monitor session 1
source interface Ethernet1/3 both
rate-limit auto
destination interface Ethernet1/8 primary
filter filter-list 2ndwestvoice
no shut

!
monitor filter-list 2ndwestvoice
permit filter 2ndwestvoice

1 Accepted Solution

Accepted Solutions

Travis-Fleming
Level 1
Level 1

I opened a TAC case, and that engineer could not figure it out either. However we just put the filter on the live wireshark capture as apposed to on the Nexus itself. That worked for us.

View solution in original post

3 Replies 3

Sergiu.Daniluk
VIP Alumni
VIP Alumni

Hi @Travis-Fleming 

As far as I remember, the "permit" and "deny" actions in ACL are ignored, when you apply it to a monitor filter list, and the action in the monitor filter will take action.

In other words, in your scenario will "permit" both entries from your ACL.

Try removing the "deny ip any any" from ACL and test again.

Alternativly, you can configure this inside the monitor session config:

switch(config-monitor)# filter frame-type ip src-ip 172.17.15.0/24 dst-ip 172.17.60.0/24

 

Stay safe,

Sergiu

I tried removing the deny line in my ip access-list and it still captures everything. I got a little closer with your suggestion of the filter frame-type within the monitor session, but it was only getting traffic in one direction. Cisco TAC is needing a packet capture in both directions.

Travis-Fleming
Level 1
Level 1

I opened a TAC case, and that engineer could not figure it out either. However we just put the filter on the live wireshark capture as apposed to on the Nexus itself. That worked for us.

Review Cisco Networking for a $25 gift card