[c-nsp] Monitoring HTTP / url access @10gig

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 5 10:11:29 EDT 2009


Ge Moua wrote:
> What code are you running on the Sup720 (3bxl ? I assume) ??


12.2(33)SXI, but we've seen other problems on other versions; I don't 
have an exhaustive list to hand.

The config is something along the lines of:

vlan access-map v6_capture 10
  match mac address PERMIT_ANY
  action forward capture

vlan access-map v4_capture 10
  match ip address WEB_TRAFFIC
  action forward capture

vlan access-map v4_capture 20
  match ip address PERMIT_ANY
  action forward

vlan filter v6_capture vlan-list 4000
vlan filter v4_capture vlan-list 4001

int Vlan4000
   description ipv6 upstream
   ipv6 address 2001:db8:100::1/126

int Vlan4001
   description ipv4 upstream
   ip address 192.0.2.1 255.255.255.252

int Te1/1
   switchport mode trunk
   switchport trunk allowed vlan 4000,4001


...now, this all *used* to work when we had:

int Vlan4000
   description layer2 only vlan, goes to ipv6 router
   no ip address
   mac packet-classify

...that latter line is *ABSOLUTELY* necessary, as is the no-IP SVI. Once 
we moved the routing onto the 6500, no combination of config would make 
VACL capture the ipv6.
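
An added example, not part of the original post: a small Python check that encodes the condition the post reports (a VACL capturing via `match mac address` only worked when the SVI had `mac packet-classify` and no layer-3 address) and flags VLANs that break it. The sample config is constructed from the post's snippet, and the function names `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample modelled on the routed-SVI config in the post.
ROUTED = """\
vlan access-map v6_capture 10
  match mac address PERMIT_ANY
  action forward capture
vlan access-map v4_capture 10
  match ip address WEB_TRAFFIC
  action forward capture
vlan filter v6_capture vlan-list 4000
vlan filter v4_capture vlan-list 4001
int Vlan4000
   ipv6 address 2001:db8:100::1/126
"""

def parse(config):
    """Group indented sub-commands under their top-level line."""
    blocks, head = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace() and head:
            blocks[head].append(raw.strip())
        else:
            head = raw.strip()
            blocks.setdefault(head, [])
    return blocks

def audit(config):
    """Return (vlan, problem) pairs for MAC-ACL capture VACLs on unsuitable SVIs."""
    mac_maps, filters, svis = set(), {}, {}
    for head, body in parse(config).items():
        if m := re.match(r"vlan access-map (\S+)", head):
            if "action forward capture" in body and any(b.startswith("match mac address") for b in body):
                mac_maps.add(m.group(1))
        elif m := re.match(r"vlan filter (\S+) vlan-list (\S+)", head):
            for part in m.group(2).split(","):
                lo, _, hi = part.partition("-")
                for v in range(int(lo), int(hi or lo) + 1):
                    filters[v] = m.group(1)
        elif m := re.match(r"int(?:erface)?\s+vlan\s*(\d+)", head, re.I):
            svis[int(m.group(1))] = body
    findings = []
    for vlan, name in sorted(filters.items()):
        body = svis.get(vlan, [])
        if name in mac_maps and "mac packet-classify" not in body:
            findings.append((vlan, "missing mac packet-classify"))
        if name in mac_maps and any(re.match(r"ip(v6)? address ", b) for b in body):
            findings.append((vlan, "SVI has a layer-3 address"))
    return findings
```

`audit(ROUTED)` reports both problems for VLAN 4000 and nothing for VLAN 4001, whose VACL matches on an IP ACL.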

