[c-nsp] VACL capture - is this supposed to work
Ramcharan, Vijay A
vijay.ramcharan at verizonbusiness.com
Fri Feb 6 13:03:32 EST 2009
Phil, I have a similar config on a few 6500 switches running SXF10 and it
appears to be doing its job. My config is quite similar to yours, sans
MPLS. These same switches also do local SPAN to a couple of 10G ports.
C6506E with Sup720-3BXL running 12.2(18)SXF10
vlan access-map VLAN110-MAP 10
 match ip address VIP-TRAFFIC
 action forward capture
vlan access-map VLAN110-MAP 15
 match ip address ANY-VLAN110-TRAFFIC
 action forward
ip access-list extended VIP-TRAFFIC
 permit ip any 1.2.3.0 0.0.0.127
 permit ip 1.2.3.0 0.0.0.127 any
ip access-list extended ANY-VLAN110-TRAFFIC
 permit ip any any
vlan filter VLAN110-MAP vlan-list 110
interface GigabitEthernet1/1
 description PRI-CAPTURE-PORT
 switchport
 switchport access vlan 999
 switchport mode access
 switchport capture
 switchport capture allowed vlan 110
 no ip address
 spanning-tree portfast
swp10#sh int g1/1 | inc rate
Queueing strategy: fifo
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 181007000 bits/sec, 27250 packets/sec
swp10#
Vijay Ramcharan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: February 06, 2009 03:41
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VACL capture - is this supposed to work
We have this config on a 6500/sup720
int Vlan3799
 description upstream
 ip address ...
int Vlan4000
 description core
 ip address ...
 mpls ip
vlan filter CAPTURE_HTTP vlan 3799
int Gi9/1
 switchport
 switchport mode access
 switchport access vlan 3799
 switchport capture
 switchport capture allowed vlan 3799
...and the CAPTURE_HTTP map does:
1. tcp port 80, capture & forward
2. ip any any, forward
The intent is to capture inbound and outbound HTTP traffic, and log it
with urlsnarf for legal compliance reasons.
This *HAS* been working for months. However, we did a recent upgrade of
this router to 12.2(33)SXI and it stopped working - the VACL capture
only seems to capture packets outbound, i.e. input on Vl4000, out on
Vl3799. It does capture any CPU-punt packets in the other direction.
At first I thought it was a bug in SXI, but we failed our default route
over to another 6500 running SXF9 with the same config, and it suffers
the same problem.
I had wondered if the problem was that the inbound traffic next-hop has
an MPLS label imposed, but the other router is 1 hop away so uses
plain-old IP, and it suffers the same.
So I'm baffled - we have a router that was running SXF10 for months with
this config, no problem. Another with SXF9 doesn't work, nor does the
original router with 12.2(33)SXI.
So, question: exactly what traffic should VACL capture actually
*capture*? Is my config supported?
I have a TAC case open, but we're getting desperate - we need that URL
logging, and a "normal" SPAN port generates way, way too much traffic -
having the ACL to filter a sub-set is important.
sh tcam int vl3799 acl in/out ip det
...shows appropriate TCAM entries with the CAP flag set.
Any pointers gratefully received.
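An added example (not from either poster): a small Python model of how a VLAN access-map such as Vijay's VLAN110-MAP decides what happens to each packet. It assumes the usual VACL rules (entries tried in sequence order, the first ACL that permits the packet decides the action, anything unmatched is dropped by the implicit deny) and only handles "permit ip" entries; it also shows why the catch-all ANY-VLAN110-TRAFFIC entry matters.

```python
import ipaddress

# Constructed copy of the VLAN110-MAP config quoted above.
CONFIG = """
vlan access-map VLAN110-MAP 10
 match ip address VIP-TRAFFIC
 action forward capture
vlan access-map VLAN110-MAP 15
 match ip address ANY-VLAN110-TRAFFIC
 action forward
ip access-list extended VIP-TRAFFIC
 permit ip any 1.2.3.0 0.0.0.127
 permit ip 1.2.3.0 0.0.0.127 any
ip access-list extended ANY-VLAN110-TRAFFIC
 permit ip any any
"""

def _addr_specs(tokens):
    """Turn 'any' / 'host A' / 'A W' tokens into (base, wildcard) pairs."""
    specs = []
    while tokens:
        if tokens[0] == "any":
            specs.append(("0.0.0.0", "255.255.255.255")); tokens = tokens[1:]
        elif tokens[0] == "host":
            specs.append((tokens[1], "0.0.0.0")); tokens = tokens[2:]
        else:
            specs.append((tokens[0], tokens[1])); tokens = tokens[2:]
    return specs

def parse(config):
    """Return ({acl_name: [(src_spec, dst_spec)]}, {map_name: [entries]})."""
    acls, maps, cur_acl, cur_map = {}, {}, None, None
    for line in config.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            cur_acl, cur_map = acls.setdefault(t[3], []), None
        elif t[:2] == ["vlan", "access-map"]:
            cur_map = {"seq": int(t[3]), "acl": None, "action": "drop"}
            maps.setdefault(t[2], []).append(cur_map); cur_acl = None
        elif cur_acl is not None and t[:2] == ["permit", "ip"]:
            cur_acl.append(tuple(_addr_specs(t[2:])))  # only permit entries modelled
        elif cur_map is not None and t[:3] == ["match", "ip", "address"]:
            cur_map["acl"] = t[3]
        elif cur_map is not None and t[0] == "action":
            cur_map["action"] = " ".join(t[1:])
    for entries in maps.values():
        entries.sort(key=lambda e: e["seq"])  # sequence order, as IOS evaluates it
    return acls, maps

def _matches(addr, spec):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr,) + spec)
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def vacl_action(acls, maps, map_name, src, dst):
    """First access-map entry whose ACL permits src->dst decides; else drop."""
    for entry in maps[map_name]:
        for s_spec, d_spec in acls.get(entry["acl"], []):
            if _matches(src, s_spec) and _matches(dst, d_spec):
                return entry["action"]
    return "drop"  # assumed implicit deny at the end of the VACL
```

Removing the sequence-15 catch-all turns every non-VIP flow on VLAN 110 into a drop, so the forward-only entry is what keeps a capture map from becoming an outage.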
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/