05-13-2007 06:44 AM - edited 03-10-2019 03:36 AM
Hi friends,
I have enabled capture on the IDSM data-port 1 (Gig0/7). Now I want to use data port 2 (Gig0/8) also to capture another segment.
A snippet of my current config is as follows:
ip access-list extended MATCHALL
 permit ip any any
!
vlan access-map CAPTUREALL 10
 match ip address MATCHALL
 action forward capture
vlan filter CAPTUREALL vlan-list x
!
intrusion-detection module 3 management-port access-vlan 5
intrusion-detection module 3 data-port 1 capture
intrusion-detection module 3 data-port 1 capture allowed-vlan 1-4094
intrusion-detection module 3 data-port 1 autostate include
intrusion-detection module 3 data-port 1 portfast enable
My question is:
If I enable data port 2, then how do I bind a VACL to data port 2 only?
Thanks a lot
Gautam
05-14-2007 06:29 AM
You can't bind a VACL to a particular data port.
You can only tell a capture port what vlans to monitor. The capture port will monitor all captured packets from those vlans regardless of what VACL was used to mark those packets as capture packets.
Your data-port 1 is already monitoring all 4094 vlans so there are no additional vlans that data-port 2 would need to capture packets for.
If your switch does routing then your configuration is correct. Even though the VACL is applied to a limited set of a vlan-list X, the packets marked for capture could wind up being routed to any vlan and so all vlans have to be monitored.
NOW you could add additional vlans to your existing vlan-list, or even create another VACL and apply it to a separate vlan list. BUT in either case your data-port 1 would already be configured for monitoring them.
If your switch is NOT doing routing (pretty rare these days), then you do have an alternative. You can change the "capture allowed-vlan" list for data-port 1 to be the same "vlan-list X" that your VACL is assigned to. Then you can create a new VACL and assign it to a list Y, and configure data-port 2 to be a capture port for allowed-vlan list Y.
But this really doesn't gain you a whole lot. You could just simply add vlan list Y to data-port 1 and still monitor everything with data-port 1.
Data-port 2 doesn't really gain you much as a 2nd capture port.
Where data-port 2 comes in handy is when you want to do a different type of monitoring.
Data-port 2 could be setup as a Span or Rspan destination port.
OR data-port 2 could be set up for InLine monitoring with InLine Vlan Pairs.
It is only when you need the second type of monitoring that you can really make use of data-port 2.
For capturing traffic on additional vlans you can just continue to use data-port 1.
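The alternatives described in the answer above, written out as a Catalyst 6500 Native IOS configuration. This is an added example, not config from the original thread: slot 3 is taken from the question, while VLANs 10, 20, 201 and 202 and the map names CAPTURE-X / CAPTURE-Y are made up for illustration. The inline-VLAN-pair lines are the switch side only; the actual pairing is defined on the sensor, and that part is an assumption about the IDSM-2 setup rather than something the thread shows.

```ios
! Added example (not from the original post). Slot 3 as in the question;
! VLAN numbers and map names are hypothetical.

! --- Alternative 1: switch is NOT routing between the captured VLANs ---
! Narrow data-port 1 to the VLANs its own VACL marks (list X = VLAN 10),
! then give data-port 2 a second VACL with its own list (list Y = VLAN 20).
ip access-list extended MATCHALL
 permit ip any any
!
vlan access-map CAPTURE-X 10
 match ip address MATCHALL
 action forward capture
vlan filter CAPTURE-X vlan-list 10
!
vlan access-map CAPTURE-Y 10
 match ip address MATCHALL
 action forward capture
vlan filter CAPTURE-Y vlan-list 20
!
intrusion-detection module 3 data-port 1 capture
intrusion-detection module 3 data-port 1 capture allowed-vlan 10
intrusion-detection module 3 data-port 2 capture
intrusion-detection module 3 data-port 2 capture allowed-vlan 20
! Caveat from the answer: a capture port sees every capture-marked frame
! on its allowed VLANs, whichever VACL marked it. If VLAN 10 traffic can be
! routed into VLAN 20 (or the reverse), the routed copy carries the capture
! mark onto the other VLAN and the split no longer separates the segments.
! This only holds on a Layer 2 (non-routing) switch.

! --- Alternative 2: data-port 2 as a local SPAN destination ---
! data-port 1 stays the VACL capture port; a separate segment is mirrored
! into data-port 2 with SPAN, independent of any VACL.
monitor session 1 source vlan 20 rx
monitor session 1 destination intrusion-detection-module 3 data-port 2

! --- Alternative 3: data-port 2 trunked for inline VLAN pairs ---
! Assumption: the switch side only needs the pair VLANs allowed on the
! trunk; the inline pair (201 <-> 202) itself is configured on the sensor.
intrusion-detection module 3 data-port 2 trunk allowed-vlan 201,202
```

A quick check after applying either alternative is `show intrusion-detection module 3 data-port 2 state` (or `show monitor session 1` for the SPAN case) to confirm the port is up in the intended mode; with alternative 1, `show vlan filter` lists which map is attached to which VLANs, which is the only place the "binding" the question asks about actually exists.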