[c-nsp] VACL Question
Randy
amps at djlab.com
Thu Dec 19 11:24:15 EST 2013
Hi,
Indeed, I've mirrored all the ACL entries. That isn't the issue.
The problem is when you have egress traffic over a physical L3 interface
rather than another VLAN.
Let's say I've got only VLANs 2-250 active and configured for hosts
with WAN ports on physical L3 interfaces and I want to monitor all
traffic between VLAN 91 and the internet (L3 WAN ports) and my ACLs are
correct.
The following shows only inbound traffic from WAN->VLAN:
(config-if)#switchport capture allowed vlan 91
(config-if)#switchport capture allowed vlan 2-250
(config-if)#switchport capture allowed vlan 1-1000
Auto-magically, the 'all' statement includes L3 WAN ports and now you
get both sides of the traffic:
(config-if)#switchport capture allowed vlan all
So, the L3 ports have some 'magic' VLAN number or is this a bug/feature
of the 'all' statement?
Sadly, if I understand it correctly, the 'all' keyword means I can only
have a single ACL active -- no ability to set up another capture port
with a different VACL.
~Randy
On 12/19/2013 6:45 am, Andriy Bilous wrote:
> Could it be that you're using only one direction in IP ACLs bound to VACL? E.g.
>
> permit any 10.0.0.0
> instead of
>
> permit 10.0.0.0 any
> permit any 10.0.0.0
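For reference, a VACL capture configuration of the kind the thread discusses, as an added example rather than configuration posted by either participant: the ACL is written in both directions, as Andriy suggests, and the capture port uses the 'all' keyword, which is what Randy found necessary to see the return traffic arriving from the routed WAN ports. The subnet 10.0.91.0/24 for VLAN 91, the names CAP-VLAN91 and VLAN91-WAN, and the interface numbers are assumed placeholders.

```cisco
! Constructed example (not from the thread). Assumed: VLAN 91 = 10.0.91.0/24,
! capture port Gi1/1, routed WAN uplink on a physical L3 interface.

! ACL must match BOTH directions of the conversation; a single
! "permit any 10.0.91.0" line would only catch one side.
ip access-list extended VLAN91-WAN
 permit ip 10.0.91.0 0.0.0.255 any
 permit ip any 10.0.91.0 0.0.0.255
!
! VACL: forward the matched traffic and copy it to the capture port;
! the second sequence forwards everything else untouched.
vlan access-map CAP-VLAN91 10
 match ip address VLAN91-WAN
 action forward capture
vlan access-map CAP-VLAN91 20
 action forward
!
! Apply the map to VLAN 91 only.
vlan filter CAP-VLAN91 vlan-list 91
!
! Capture port. Restricting the allowed list to VLAN 91 yields only the
! inbound (WAN->VLAN) copies on this platform, as observed in the thread;
! 'all' is what also delivers the VLAN->WAN side leaving via the L3 ports.
interface GigabitEthernet1/1
 description VACL capture port to monitoring sensor
 switchport
 switchport capture
 switchport capture allowed vlan all
```

Verify the applied map with `show vlan access-map` and `show vlan filter`, and confirm the capture port's VLAN list with `show running-config interface GigabitEthernet1/1`.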