[c-nsp] VACL capture - is this supposed to work
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 6 03:41:23 EST 2009
We have this config on a 6500/sup720
  int Vlan3799
   description upstream
   ip address ...
  int Vlan4000
   description core
   ip address ...
   mpls ip
  vlan filter CAPTURE_HTTP vlan 3799
  int Gi9/1
   switchport
   switchport mode access
   switchport access vlan 3799
   switchport capture
   switchport capture allowed vlan 3799
...and the CAPTURE_HTTP map does:
1. tcp port 80, capture & forward
2. ip any any, forward
The intent is to capture inbound and outbound HTTP traffic, and log it
with urlsnarf for legal compliance reasons.
This *HAS* been working for months. However, we did a recent upgrade of
this router to 12.2(33)SXI and it stopped working - the VACL capture
only seems to capture packets outbound i.e. input on Vl4000, out on
Vl3799. It does capture any CPU-punt packets in the other direction.
At first I thought it was a bug in SXI, but we failed our default route
over to another 6500 running SXF9 with the same config, and it suffers
the same problem.
I had wondered if the problem was that the inbound traffic next-hop has
an MPLS label imposed, but the other router is 1 hop away so uses
plain-old IP, and it suffers the same.
So I'm baffled - we have a router that was running SXF10 for months with
this config, no problem. Another with SXF9 doesn't work, nor does the
original router with 12.2(33)SXI.
So, question: exactly what traffic should VACL capture actually
*capture*? Is my config supported?
I have a TAC case open, but we're getting desperate - we need that URL
logging, and a "normal" SPAN port generates way, way too much traffic -
having the ACL to filter a sub-set is important.
  sh tcam int vl3799 acl in/out ip det
...shows appropriate TCAM entries with the CAP flag set.
Any pointers gratefully received.
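For reference, the CAPTURE_HTTP map and its ACLs as the two rules in the post describe them, written out in Catalyst 6500 VACL syntax (an added example, not the poster's actual configuration; the ACL names HTTP_BOTH_WAYS and ANY_IP are assumed):

```cisco
! Added example, not the poster's config: rules 1 and 2 of CAPTURE_HTTP
! spelled out in IOS VACL syntax. ACL names are my own.
!
! Match port 80 as either source or destination, so that client->server
! and server->client packets both hit the capture rule.
ip access-list extended HTTP_BOTH_WAYS
 permit tcp any any eq www
 permit tcp any eq www any
!
ip access-list extended ANY_IP
 permit ip any any
!
! Rule 1: HTTP is forwarded normally and also copied to capture ports.
vlan access-map CAPTURE_HTTP 10
 match ip address HTTP_BOTH_WAYS
 action forward capture
!
! Rule 2: everything else is forwarded without capture.
vlan access-map CAPTURE_HTTP 20
 match ip address ANY_IP
 action forward
!
! Apply the map to the upstream VLAN, as in the post.
vlan filter CAPTURE_HTTP vlan-list 3799
!
! Capture port: receives only the copied packets; the allowed-vlan list
! keeps copies from any other capture-enabled VLAN off this port.
interface GigabitEthernet9/1
 switchport
 switchport mode access
 switchport access vlan 3799
 switchport capture
 switchport capture allowed vlan 3799
```

Matching port 80 in both source and destination position only guarantees that both halves of a flow hit the capture entry; whether the copy is taken on ingress or egress of the VLAN is exactly the question the post raises.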