04-12-2011 01:09 PM - edited 03-06-2019 04:35 PM
I tried to mirror a port, say g0/1 to g0/2, using a monitor session. I wanted to use an ACL to filter certain traffic prior to catching it off of g0/2. I made g0/2 a layer 3 interface so that I could use an ACL on the outbound side of the interface. No matter what I tried, the filter would not get applied.
After doing some research, I believe that I have discovered that traffic being placed on a source port of a monitor session could not be filtered. Can someone verify whether or not this is true?
Also, when you set up a monitor session on the same switch, does Cisco refer to this as a SPAN? And if the source interface is on a different switch, is that referred to as an RSPAN? If you want to set up an RSPAN, do you have to use an RSPAN VLAN? What exactly does an RSPAN VLAN do that a normal VLAN doesn't?
Thanks for the help,
04-12-2011 08:23 PM
Hi Mark,
When the source and destination are on the same switch, that is referred to as Local SPAN. When the source and destination are on different switches, we call it Remote SPAN (RSPAN). The difference with an RSPAN VLAN is that it is used as an intermediate VLAN, and it is specified as an RSPAN VLAN because all the traffic in it is flooded. Because of that you need to allow the VLAN only on the trunks where it is needed, to avoid consuming bandwidth on links where the VLAN is not needed anyway.
You can use RSPAN with a VACL filter. Below is a configuration example:
You can use standard and extended ACLs.
vlan 999
 remote-span
!
! Source session: mirror g0/1 into the RSPAN VLAN
monitor session 1 source interface g0/1
monitor session 1 destination remote vlan 999
!
! Destination session: take the RSPAN VLAN out to the sniffer on g0/2
monitor session 2 source remote vlan 999
monitor session 2 destination interface g0/2
!
! Both lists match on source/destination pairs, so both must be extended
ip access-list extended NotInterestingTraffic
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.169.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ip access-list extended InterestingTraffic
 permit ip 192.190.0.0 0.0.255.255 192.190.0.0 0.0.255.255
 permit ip 192.191.0.0 0.0.255.255 192.191.0.0 0.0.255.255
!
! VACL: sequences are evaluated in order; traffic matching no sequence is dropped
vlan access-map VACLRSPAN 10
 match ip address NotInterestingTraffic
 action drop
vlan access-map VACLRSPAN 20
 match ip address InterestingTraffic
 action forward
vlan filter VACLRSPAN vlan-list 999
Make sure that VLAN 999 is not trunked on any of the interfaces.
@Eugene,
VACL capture will support only egress packet capture, which is something that might make the use of VACL capture not useful here.
Mark, please let me know if that configuration worked for you. The inconvenience is that per switch you have a maximum of two SPAN sessions. With the above configuration you will use both of them, and if you need to sniff an interface for troubleshooting purposes one of the RSPAN sessions will have to be removed.
-Dimitar
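The VACL in the answer above is evaluated sequence by sequence, first match wins, and anything that matches no sequence is dropped; that implicit drop decides what actually reaches g0/2 for every flow the two access lists do not name. The following offline model of that evaluation is an added example for this thread, not code from the original post or a Cisco tool: the wildcard-mask matching and the access-map ordering are Cisco IOS semantics, the ACL entries are the ones from the answer, and the sample flows are constructed.

```python
"""Offline model of the VACL from the answer: Cisco wildcard-mask
matching, ordered access-map sequences (first match wins) and the
implicit drop at the end of the map."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AceEntry:
    """One 'permit ip SRC SRC_WILD DST DST_WILD' line."""
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """An extended ACL permits the packet if any entry matches src and dst."""
    return any(wildcard_match(src, e.src, e.src_wild)
               and wildcard_match(dst, e.dst, e.dst_wild) for e in acl)


# Access lists as posted in the answer (names aligned with the access-map)
NOT_INTERESTING = [
    AceEntry("192.168.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255"),
    AceEntry("192.169.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255"),
]
INTERESTING = [
    AceEntry("192.190.0.0", "0.0.255.255", "192.190.0.0", "0.0.255.255"),
    AceEntry("192.191.0.0", "0.0.255.255", "192.191.0.0", "0.0.255.255"),
]

# vlan access-map VACLRSPAN: (sequence, acl, action), evaluated in order
ACCESS_MAP = [
    (10, NOT_INTERESTING, "drop"),
    (20, INTERESTING, "forward"),
]


def vacl_action(src: str, dst: str) -> str:
    """Return the action the VACL applies to a src->dst packet in VLAN 999."""
    for _seq, acl, action in ACCESS_MAP:
        if acl_permits(acl, src, dst):
            return action
    return "drop"  # implicit drop: no sequence matched


# Constructed sample flows, as if mirrored from g0/1 into VLAN 999
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.2.20"),  # seq 10 -> drop
    ("192.169.5.5", "192.168.1.1"),    # seq 10 -> drop
    ("192.168.1.1", "192.169.5.5"),    # reverse direction is not listed
    ("192.190.1.1", "192.190.2.2"),    # seq 20 -> forward
    ("192.190.1.1", "192.191.2.2"),    # cross-range, in neither ACE
    ("10.0.0.1", "10.0.0.2"),          # unlisted
]


def evaluate(flows=SAMPLE_FLOWS) -> dict:
    """Map each (src, dst) flow to the action the VACL takes on it."""
    return {flow: vacl_action(*flow) for flow in flows}


if __name__ == "__main__":
    for (s, d), act in evaluate().items():
        print(f"{s:>14} -> {d:<14} {act}")
```

The two flows that match neither list (the 192.168 to 192.169 reply direction and the 192.190 to 192.191 cross-range traffic) never reach g0/2, because the access-map has no catch-all forward sequence. If the sniffer should see everything except the explicitly dropped ranges, a final sequence with no match clause and action forward is needed, and the model above makes that omission visible before it is tried on a production switch.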
04-12-2011 07:33 PM
Hey Mark,
What product do you need to implement this on?
Some products support VACL captures - using a VLAN ACL, you redirect traffic to the capture port.
Eugene.
04-22-2011 07:43 AM
Dimitar,
Sorry for the slow response. The configuration you provided wouldn't work exactly for my situation, as I would need the ability to create more monitor sessions than is possible.
The information you gave did get me in the right direction to finding a solution that would work.
Thanks for your help!!
04-13-2011 05:47 AM
Eugene,
I have a 3560G.
Dimitar,
I will try your config and get back with you.
Thanks!!