I have a 6500 [IOS 12.1(19)E1] with a NAM module [3.1(1a) w/ Patch 4]. I am trying to use an IP extended VACL to prefilter a capture stream being received from an external RSPAN source (since the filtering capability in the NAM is very limited).
The commands for this in the switch/router are:
analysis module 6 data-port 1 capture allowed-vlan 600
vlan access-map map-fwsm 100
match ip address acl-fwsm
action forward capture
!
vlan filter map-fwsm vlan-list 600
When the access list "acl-fwsm" is very simple, this seems to work fine. When a more complex ACL is used, this seems to break down and forward more than the desired traffic.
I have a document on VACLs in general (CATOS oriented), but maybe I am missing something. I thought I could pretty much filter on IP addresses and/or TCP/UDP ports in the VACL like any other IOS ACL.
Are there limitations I need to be aware of or is this a bug?
This filter seems to work fine:
ip access-list extended acl-fwsm
deny ip any host 224.0.0.2
deny ip any host 224.0.0.10
deny udp any any eq ntp
deny tcp any 192.168.250.198 0.0.0.1 eq www
deny tcp any 192.168.250.198 0.0.0.1 eq 443
permit ip any any
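To check offline which packets a VACL like the one above would hand to the capture port, here is an added evaluator that is not from the original post or from Cisco: it parses the ACL forms used in this post (any / host / address + wildcard mask / eq port) and applies the single-sequence VACL semantics stated in its comments, which are my assumption; PORT_NAMES, parse_acl and vacl_action are names I made up.

```python
import ipaddress
# Constructed evaluator (not from the original post) for the IOS extended ACL forms
# the post uses, with the VACL semantics assumed here: a permit match takes the map
# sequence's action (forward capture); a deny match or no match ends in the VACL's drop.
PORT_NAMES = {"www": 80, "ntp": 123}
ACL = """ip access-list extended acl-fwsm
deny ip any host 224.0.0.2
deny ip any host 224.0.0.10
deny udp any any eq ntp
deny tcp any 192.168.250.198 0.0.0.1 eq www
deny tcp any 192.168.250.198 0.0.0.1 eq 443
permit ip any any"""

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A W' (W = IOS wildcard mask); return (addr, wild), rest."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' (IOS name or number); return port or None, rest."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    aces = []  # (action, proto, src, sport, dst, dport); the access-list header is skipped
    for t in (ln.split() for ln in text.strip().splitlines()):
        if t[:2] == ["ip", "access-list"]:
            continue
        src, rest = _addr(t[2:]); sport, rest = _port(rest)
        dst, rest = _addr(rest); dport, rest = _port(rest)
        aces.append((t[0], t[1], src, sport, dst, dport))
    return aces

def _match(ace, pkt):
    _, proto, (sa, sw), sp, (da, dw), dp = ace
    s, d = int(ipaddress.IPv4Address(pkt["src"])), int(ipaddress.IPv4Address(pkt["dst"]))
    return (proto in ("ip", pkt["proto"])  # 'ip' matches every IP protocol
            and (s ^ sa) & ~sw & 0xFFFFFFFF == 0 and (d ^ da) & ~dw & 0xFFFFFFFF == 0
            and (sp is None or pkt.get("sport") == sp) and (dp is None or pkt.get("dport") == dp))

def vacl_action(aces, pkt):
    for ace in aces:  # first matching ACE decides, as in any IOS ACL
        if _match(ace, pkt):
            return "forward capture" if ace[0] == "permit" else "drop"
    return "drop"  # no ACE matched: the sequence does not match and the VACL drops
```

Run vacl_action(parse_acl(ACL), pkt) with a dict such as {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.250.199", "dport": 443} to see whether that flow would be captured or excluded by the filter.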