Filter L3 traffic on L2 egress w/o VACL?

chenson
Level 1

All,

I have an interesting challenge. I have an existing monitor session set up as below for monitoring on a 6509. I have a single monitor session with multiple egress interfaces based on the VLAN. This solution works very well for feeding specific VLANs to specific monitoring applications.

############################################################

monitor session 13 type local
description GLOBAL MONITOR SESSION FOR ALL VLANS
source vlan 1 - 4094
destination interface Gi9/37 , Gi9/40 , Gi9/42 , Gi9/44 - 46

interface GigabitEthernet9/40
description MONITOR SESSION 13 - REPEATER V401
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 401
switchport mode trunk
switchport nonegotiate


##############################################################

In most situations, unique VLANs are sent out each egress. There may be more than one VLAN dumped per egress, but you get the point. VLAN 401 (referenced above) is different. It is a "consolidation" VLAN where multiple application flows pass through in the clear and are monitored by our security infrastructure. The issue is, we are feeding them too much "white noise" and the filtering they are running is taxing the CPU. So, I was asked if I could filter the traffic.

I cannot filter on MAC. The MACs for different applications are the same. Long story. Only the IPs are unique.

I need to filter on destination IP. That is my only option.

I need the filter to only be applied on a specific egress. So 401 may be going out several egress interfaces. But the filter needs to be applied to a specific port for the VLAN in question.

Router ACL won't work. The port is L2.

Switch ACL won't work. Need L3.

VACL won't work because it filters the VLAN regardless of port.

MACL won't work because I only have unique IPs for my filter config.

Are there any options anyone knows of for accomplishing this on the 6500s? Again, I need an IP destination ACL on VLAN 401 but ONLY for a specific egress interface.

--Charles

1 Reply

chenson
Level 1

ALSO

TCAM ACL won't work for the same reason VACL won't work. The ACL can't be contained to a particular egress interface.
