I have an interesting challenge. I have an existing monitor session set up as below for monitoring on a 6509. I have a single monitor session with multiple egress interfaces based on the VLAN. This solution works very well for feeding specific VLANs to specific monitoring applications.
In most situations, unique VLANs are sent out each egress. There may be more than one VLAN dumped per egress, but you get the point. VLAN 401 (referenced above) is different. It is a "consolidation" VLAN where multiple application flows pass through in the clear and are monitored by our security infrastructure. The issue is, we are feeding them too much "white noise" and the filtering they are running is taxing the CPU. So, I was asked if I could filter the traffic.
I cannot filter on MAC. The MACs for different applications are the same. Long story. Only the IPs are unique.
I need to filter on destination IP. That is my only option.
I need the filter to only be applied on a specific egress. So 401 may be going out several egress interfaces. But the filter needs to be applied to a specific port for the VLAN in question.
Router ACL won't work. The port is L2.
Switch ACL won't work. Need L3.
VACL won't work because it filters the VLAN regardless of port.
MACL won't work because I only have unique IPs for my filter config.
Are there any options anyone knows of for accomplishing this on the 6500s? Again, I need an IP destination ACL on VLAN 401 but ONLY for a specific egress interface.