I have just moved away from SPAN to VACLs due to the more granular nature of VACLs, but am missing one major filtering feature that SPAN gave me. I have 20 interfaces in the VLAN that I am capturing, but I do not want to include the traffic from the trunk link. Is there a way to stop capturing the traffic if it was received from the trunk within the VACL?
From my digging around CCO, I don't think it is possible, but I have faith in the skills and experience of the Netpro guys/girls.
I'm not sure I really understand the use of VACLs as an alternative to SPAN. VACLs are about filtering data traffic on a VLAN - what is allowed and what is not allowed. SPAN is about monitoring traffic, and should not affect the data on the VLAN.
In answer to your immediate question: No, VACLs affect all traffic on the VLAN, irrespective of direction, and irrespective of which port it arrives on.
ACLs on a VLAN interface (SVI), on the other hand, affect traffic going into, or coming out of, the VLAN, but have no effect on traffic staying within the VLAN.
Could you explain what you are trying to achieve because I think we may be talking at cross-purposes?
I appreciate that VACLs are not just a replacement for SPAN sessions, but they are definitely a lot better than monitor sessions for data capture; in fact Cisco recommend using them instead of monitor sessions these days.
I will try to simplify my situation to get my need across.
1 server in this vlan
An etherchannel between the switches carrying vlan 100
An SVI as the default gateway for the server on the switch with HSRP configured.
I have 2 switches with a server using a teamed setup, a NIC on each switch. I have a VACL configured on each switch that captures the traffic for VLAN 100 and forwards it on to a flow analyzer. Unfortunately the software cannot cope with duplicate packets being received, which happens sometimes. To mitigate this, I wanted to remove the trunk port from the VACL configuration (but not the trunk ;-) ) so only the server interface on each switch will have its traffic captured and forwarded on.
Like I said, I don't think this is possible but wanted confirmation. If not, I will have to go back to the dreaded monitor sessions :-s
mac access-list extended VACL-TEST-MAC
 permit any any
ip access-list extended VACL-TEST-IP
 permit ip any any
vlan access-map TEST 10
 match ip address VACL-TEST-IP
 action forward capture
vlan access-map TEST 20
 match mac address VACL-TEST-MAC
 action forward capture

Interface connected to the analyzer:
interface GigabitEthernetx/x
 description an
 switchport
 switchport capture
 switchport capture allowed vlan 100
 speed 1000
 duplex full
end
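A constructed model, added here as an example and not configuration or code from anyone in this thread, of why a VLAN-wide "action forward capture" on both switches delivers trunk-crossing frames to the analyzer twice, and of the collector-side deduplication that remains when the VACL itself cannot exclude the trunk port. The topology, host names and sample frames are assumptions.

```python
import hashlib

# Constructed topology (assumed, not from the thread): VLAN 100 spans two switches
# joined by an etherchannel trunk; the server has one NIC on each switch and the
# HSRP active gateway SVI sits on SW2.
HOSTS = {
    "server-nicA": ("SW1", "Gi1/1"),
    "server-nicB": ("SW2", "Gi1/1"),
    "gateway":     ("SW2", "SVI"),   # HSRP active SVI on SW2
    "printer":     ("SW1", "Gi1/2"),
}
TRUNK = {"SW1": "Po1", "SW2": "Po1"}  # etherchannel carrying VLAN 100

def switch_path(src, dst):
    """Return the (switch, ingress_port) pairs at which a frame is seen while forwarded."""
    s_sw, s_port = HOSTS[src]
    d_sw, _ = HOSTS[dst]
    seen = [(s_sw, s_port)]
    if d_sw != s_sw:
        seen.append((d_sw, TRUNK[d_sw]))  # crosses the trunk, re-enters on the far switch
    return seen

def vacl_capture(frames):
    """Model of a VLAN-wide VACL capture on every switch: one copy goes to the
    analyzer each time the frame is seen on the VLAN, irrespective of ingress port."""
    copies = []
    for src, dst, payload in frames:
        for sw, port in switch_path(src, dst):
            copies.append((sw, port, src, dst, payload))
    return copies

def dedup(copies):
    """Collector-side mitigation: drop a copy whose frame content was already delivered.
    Keyed on frame content only; a real collector would add a short time window so
    genuinely repeated frames are not mistaken for trunk duplicates."""
    seen, unique = set(), []
    for sw, port, src, dst, payload in copies:
        digest = hashlib.sha256(f"{src}|{dst}|{payload}".encode()).hexdigest()
        if digest in seen:
            continue
        seen.add(digest)
        unique.append((sw, port, src, dst, payload))
    return unique

FRAMES = [  # constructed sample traffic
    ("server-nicA", "gateway", "GET /1"),      # SW1 -> trunk -> SW2: captured twice
    ("server-nicA", "printer", "PRINT job"),   # stays on SW1: captured once
    ("server-nicB", "gateway", "GET /2"),      # stays on SW2: captured once
    ("gateway", "server-nicA", "200 OK /1"),   # SW2 -> trunk -> SW1: captured twice
]

if __name__ == "__main__":
    raw = vacl_capture(FRAMES)
    print(f"{len(raw)} copies captured for {len(FRAMES)} frames; {len(dedup(raw))} after dedup")
```

Only the frames that cross the trunk are seen by both switches, which is exactly the set a per-port exclusion would have removed.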
OK, I was not aware of the capture feature, which is why I was a bit puzzled. It looks really useful; unfortunately I don't think we have it on 4500s. As far as I can see, it is a 6500 special. So I read about it in
But I could not see any way of being selective on a per-port basis. I guess that makes sense when you consider what VACLs were originally intended for: you have switchport input and output ACLs for port-specific stuff, SVI input and output ACLs for stuff joining or leaving the VLAN, and then VACLs for the central forwarding engine, and VACLs take no account of the direction of the traffic.
Sorry not to be able to answer your question authoritatively, but thank you for introducing me to a new feature!