[c-nsp] VACL Question

Andriy Bilous andriy.bilous at gmail.com
Thu Dec 19 11:36:20 EST 2013


They do in fact have a 'magic' VLAN number. You can see it with 'show vlan
internal usage', though if I understood the documentation right that shouldn't
be an issue...


On Thu, Dec 19, 2013 at 5:24 PM, Randy <amps at djlab.com> wrote:

>  Hi,
>
> Indeed, I've mirrored all the ACL entries.  That isn't the issue.
>
> The problem is when you have egress traffic over a physical L3 interface
> rather than another VLAN.
>
> Let's say I've got only VLANs 2-250 active and configured for hosts
> with WAN ports on physical L3 interfaces and I want to monitor all traffic
> between VLAN 91 and the internet (L3 WAN ports) and my ACLs are correct.
>
> The following shows only inbound traffic from WAN->VLAN:
>
> (config-if)#switchport capture allowed vlan 91
>
> (config-if)#switchport capture allowed vlan 2-250
>
> (config-if)#switchport capture allowed vlan 1-1000
>
>
> Auto-magically, the 'all' statement includes L3 WAN ports and now you get both sides of the traffic:
>
>
> (config-if)#switchport capture allowed vlan all
>
> So, the L3 ports have some 'magic' VLAN number or is this a bug/feature of
> the 'all' statement?
>
> Sadly, if I understand it correctly, the 'all' keyword means I can only
> have a single ACL active -- no ability to set up another capture port with
> a different VACL.
>
> ~Randy
>
>
>
> On 12/19/2013 6:45 am, Andriy Bilous wrote:
>
>   Could it be that you're using only one direction in IP ACLs bound to
> VACL? E.g.
>
> permit any 10.0.0.0
>
> instead of
>
> permit 10.0.0.0 any
> permit any 10.0.0.0
>
>
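The configuration the two posters are discussing, written out as an added example (not taken from either poster's setup or from Cisco documentation): a VACL on VLAN 91 whose IP ACL lists both directions of the flow, with the captured copies delivered to a capture port. Catalyst 6500 VACL-capture syntax is assumed; the subnet 10.91.0.0/16, the ACL and access-map names, and the interface GigabitEthernet2/48 are constructed for the example.

```cisco
! Extended IP ACL listing BOTH directions of the VLAN 91 <-> Internet flow,
! as Andriy suggests. Constructed addressing: VLAN 91 is assumed to be 10.91.0.0/16.
ip access-list extended VLAN91-TO-INET
 permit ip 10.91.0.0 0.0.255.255 any
 permit ip any 10.91.0.0 0.0.255.255
!
! VACL: sequence 10 forwards matching traffic AND copies it to capture ports;
! sequence 20 forwards everything else, since traffic matching no sequence is dropped.
vlan access-map CAPTURE-91 10
 match ip address VLAN91-TO-INET
 action forward capture
vlan access-map CAPTURE-91 20
 action forward
!
! Bind the access map to VLAN 91 (the VLAN id used in the thread).
vlan filter CAPTURE-91 vlan-list 91
!
! Capture port (assumed interface name). The allowed-VLAN list decides which
! VLANs' captured frames are delivered here. Routed (L3) ports occupy internal
! VLANs, which 'show vlan internal usage' lists and which the 'all' keyword covers.
interface GigabitEthernet2/48
 description VACL capture port towards the monitoring sensor
 switchport
 switchport capture
 switchport capture allowed vlan all
!
! Verification (exec mode):
!   show vlan internal usage
!   show vlan access-map CAPTURE-91
!   show vlan filter
!   show running-config interface GigabitEthernet2/48
```

If the capture port's allowed list is restricted to 91 instead of `all`, compare the internal VLAN numbers from `show vlan internal usage` against that list before concluding the VACL itself is wrong; the thread's observation is that the routed WAN ports' traffic only appears once their internal VLANs are covered.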