ACL with a monitor session

mark.jeffers
Level 1

I tried to mirror a port, say g0/1 to g0/2, using a monitor session. I wanted to use an ACL to filter certain traffic prior to catching it off of g0/2. I made g0/2 a layer 3 interface so that I could use an ACL on the out side of the interface. No matter what I tried, the filter would not get applied.

After doing some research, I believe that I have discovered that traffic being placed on a source port of a monitor session could not be filtered. Can someone verify whether or not this is true?

Also, when you set up a monitor session on the same switch, does Cisco refer to this as a SPAN? And if the source interface is on a different switch, is that referred to as an RSPAN? If you want to set up an RSPAN, do you have to use an RSPAN VLAN? What exactly does an RSPAN VLAN do that a normal VLAN doesn't?

Thanks for the help,


4 Replies

Eugene Lau
Cisco Employee

Hey Mark,

What product do you need to implement this on?

Some products support VACL captures - using a VLAN ACL, you redirect traffic to the capture port.

Eugene.

Hi Mark,

When the source and destination are on the same switch, that is referred to as Local SPAN. When the source and destination are on different switches, we call it Remote SPAN (RSPAN). The difference with an RSPAN VLAN is that it is used as an intermediate VLAN, and it is specified as an RSPAN VLAN because all the traffic in it is flooded. Because of that, you need to allow the VLAN only on the trunks where it is needed, to prevent link utilization on links where the VLAN is not needed anyway.

You can use RSPAN with a VACL filter. Below is a configuration example; you can use standard and extended ACLs.

vlan 999
 remote-span
!
! Session 1 mirrors g0/1 into the RSPAN VLAN; session 2 takes the RSPAN VLAN
! back out to the sniffer port g0/2. An RSPAN VLAN used as a SPAN source or
! destination is specified with the "remote" keyword.
monitor session 1 source interface g0/1
monitor session 1 destination remote vlan 999
monitor session 2 source remote vlan 999
monitor session 2 destination interface g0/2
!
ip access-list extended NotInterestingTraffic
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.169.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
ip access-list extended InterestingTraffic
 permit ip 192.190.0.0 0.0.255.255 192.190.0.0 0.0.255.255
 permit ip 192.191.0.0 0.0.255.255 192.191.0.0 0.0.255.255
!
! VACL on the RSPAN VLAN: drop what matches NotInterestingTraffic, forward
! what matches InterestingTraffic. The ACL names here must match the
! "ip access-list" names above exactly.
vlan access-map VACLRSPAN 10
 match ip address NotInterestingTraffic
 action drop
vlan access-map VACLRSPAN 20
 match ip address InterestingTraffic
 action forward
!
vlan filter VACLRSPAN vlan-list 999

Make sure that VLAN 999 is not trunked on any of the interfaces.

@Eugene,

VACL capture will support only egress packet capture which is something that might make the use of VACL capture not useful here.

Mark, please let me know if that configuration worked for you. The inconvenience will be that per switch you have a maximum of two SPAN sessions. With the above configuration you will use both of them, and if you need to sniff an interface for troubleshooting purposes, one of the RSPAN sessions will have to be removed.

-Dimitar
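The configuration above depends on three things that are easy to get wrong and that the switch will not always complain about: every `match ip address` in the VACL must name an ACL that actually exists, the RSPAN VLAN must not ride out on any trunk, and the per-switch session limit must not be exceeded. The following is an added example, not code from this thread or from Cisco: a small Python linter that parses an IOS-style running config and reports those three problems. The sample configuration embedded in it is constructed for the example, in the form shown above (with the `remote` keyword), and deliberately contains a misspelled ACL reference and a trunk that still carries VLAN 999 so the checks have something to find; the two-session limit is the one stated in the reply.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample config (not from the thread). It contains two deliberate
# mistakes for the checks to catch: the VACL entry at sequence 20 references a
# misspelled ACL name, and the trunk on Gi0/24 still carries the RSPAN VLAN.
SAMPLE_CONFIG = """\
vlan 999
 remote-span
monitor session 1 source interface g0/1
monitor session 1 destination remote vlan 999
monitor session 2 source remote vlan 999
monitor session 2 destination interface g0/2
ip access-list extended NotInterestingTraffic
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ip access-list extended InterestingTraffic
 permit ip 192.190.0.0 0.0.255.255 192.190.0.0 0.0.255.255
vlan access-map VACLRSPAN 10
 match ip address NotInterestingTraffic
 action drop
vlan access-map VACLRSPAN 20
 match ip address IntestingTraffic
 action forward
vlan filter VACLRSPAN vlan-list 999
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,999
interface GigabitEthernet0/23
 switchport mode access
 switchport access vlan 10
"""

MAX_SPAN_SESSIONS = 2  # per-switch limit stated in the reply above


def expand_vlan_list(spec: str) -> Optional[Set[int]]:
    """Expand an IOS VLAN list such as '10,20-22,999' into a set of ids.
    'all' returns None (meaning every VLAN); 'none' returns an empty set."""
    spec = spec.strip()
    if spec == "all":
        return None
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text: str) -> Dict[str, object]:
    """Extract the few facts the checks need from an IOS-style config."""
    acls: Set[str] = set()
    acl_refs = []                      # (access-map name, sequence, ACL name)
    rspan_vlans: Set[int] = set()
    sessions: Set[int] = set()
    filtered_vlans: Set[int] = set()
    interfaces: Dict[str, dict] = {}   # name -> {"trunk": bool, "allowed": set|None}
    current_vlan = current_if = current_map = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():       # an unindented command ends any sub-mode
            current_vlan = current_if = current_map = None
        if m := re.fullmatch(r"vlan (\d+)", line):
            current_vlan = int(m.group(1))
        elif line == "remote-span" and current_vlan is not None:
            rspan_vlans.add(current_vlan)
        elif m := re.match(r"monitor session (\d+) ", line):
            sessions.add(int(m.group(1)))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"vlan access-map (\S+) (\d+)", line):
            current_map = (m.group(1), int(m.group(2)))
        elif (m := re.match(r"match ip address (\S+)", line)) and current_map:
            acl_refs.append((*current_map, m.group(1)))
        elif m := re.match(r"vlan filter \S+ vlan-list (.+)", line):
            filtered_vlans |= expand_vlan_list(m.group(1)) or set()
        elif m := re.match(r"interface (\S+)", line):
            current_if = m.group(1)
            interfaces[current_if] = {"trunk": False, "allowed": None}  # trunk default: all VLANs
        elif line == "switchport mode trunk" and current_if:
            interfaces[current_if]["trunk"] = True
        elif (m := re.match(r"switchport trunk allowed vlan (add )?(.+)", line)) and current_if:
            vlans = expand_vlan_list(m.group(2))
            prev = interfaces[current_if]["allowed"]
            if m.group(1):             # 'add' extends the existing list
                vlans = None if (prev is None or vlans is None) else prev | vlans
            interfaces[current_if]["allowed"] = vlans
    return {"acls": acls, "acl_refs": acl_refs, "rspan_vlans": rspan_vlans,
            "sessions": sessions, "filtered_vlans": filtered_vlans,
            "interfaces": interfaces}


def check_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    cfg = parse_config(text)
    findings: List[str] = []
    for map_name, seq, acl in cfg["acl_refs"]:
        if acl not in cfg["acls"]:
            findings.append(f"vlan access-map {map_name} {seq}: ACL '{acl}' is not defined")
    if len(cfg["sessions"]) > MAX_SPAN_SESSIONS:
        findings.append(f"{len(cfg['sessions'])} monitor sessions configured, limit is {MAX_SPAN_SESSIONS}")
    for vlan in sorted(cfg["rspan_vlans"]):
        if vlan not in cfg["filtered_vlans"]:
            findings.append(f"RSPAN VLAN {vlan}: no VACL applied, mirrored traffic is unfiltered")
        for name, props in sorted(cfg["interfaces"].items()):
            if props["trunk"] and (props["allowed"] is None or vlan in props["allowed"]):
                findings.append(f"{name}: trunk carries RSPAN VLAN {vlan}; prune it unless the far end needs it")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports the undefined ACL `IntestingTraffic` at `VACLRSPAN 20` and the trunk on Gi0/24 carrying VLAN 999; correct the name and prune the VLAN from the trunk and it reports nothing. The parser only understands the commands it needs (it does not handle `switchport trunk allowed vlan except`, for instance), so treat it as a pre-change sanity check on the RSPAN/VACL portion of a config rather than a general IOS parser.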

Dimitar,

Sorry for the slow response. The configuration you provided wouldn't work exactly for my situation, as I would need the ability to create more monitor sessions than is possible.

The information you gave did get me in the right direction to finding a solution that would work.

Thanks for your help!!

Eugene,

I have a 3560G.

Dimitar,

I will try your config and get back with you.

Thanks!!
