VACL Configuration Examples

You can use VLAN access control lists (VACLs) to mirror ports when your switch supports only a limited number of in-use SPAN ports. This section includes the following examples:

    VACL Port Mirroring Configuration on Cisco 6500 Running CatOS
    VACL Port Mirroring Configuration on Cisco Catalyst 6500 Running Cisco IOS Software

VACL configuration varies based upon device and software version number. For details, see the documentation specific to your device and software version.

VACL Port Mirroring Configuration on Cisco 6500 Running CatOS

The following example shows VACL port mirroring configuration for a Cisco Catalyst 6500 running CatOS. Apply the configuration to the switch only; there is no MSFC component. Connect the capture port where the NetShark or the NetExpress are monitoring interfaces to trunk ports.

To configure VACL port mirroring on a Cisco Catalyst 6500 running CatOS

1. Enter the following commands to create the VACL and specify it as a capture VACL:

    > set security acl ip SteelCentralMonitor permit any any capture
    > show security acl info SteelCentralMonitor editbuffer

2. Enter the following command to commit the VACL to NVRAM:

    > commit security acl SteelCentralMonitor

3. Enter the following command to map the VACL to all VLANs you want to monitor:

    > set security acl map SteelCentralMonitor vlan1,vlan2,vlan3

4. Enter the following commands to specify the capture port to which you have connected the NetShark or NetExpress monitoring port (this allows normal switching and creates a copy on the capture port):

    > set security acl capture-ports 5/3
    > show security acl capture-ports

VACL Port Mirroring Configuration on Cisco Catalyst 6500 Running Cisco IOS Software

The following example shows VACL port mirroring configuration for a Cisco Catalyst 6500 running Cisco IOS software. Apply the configuration to the switch only; there is no MSFC component.
To configure VACL port mirroring on a Cisco Catalyst 6500 running Cisco IOS software

1. From the switch CLI, enter the following commands to create the VACL:

    Switch# configure terminal
    Switch(config)# ip access-list extended SteelCentralMonitor
    Switch(config-access-list)# permit ip any any
    Switch(config-access-list)# exit
    Switch(config)#

2. Enter the following commands to configure the assigned capture or monitoring port as a trunk port (interface 5/3):

    Switch(config)# interface GE5/3
    Switch(config-if)# no ip address
    Switch(config-if)# switchport
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport trunk encapsulation dot1q

3. Enter the following commands to define the VLAN access map:

    Switch(conf)# vlan access-map <map-name-seq#>
    Switch(conf-map_name)#

4. Enter the following commands to configure the action clause as capture for the access map:

    Switch(conf-map_name)# match ip address SteelCentralMonitor
    Switch(conf-map_name)# action forward

   or, depending on the Cisco IOS revision:

    Switch(conf-map_name)# action forward capture
    Switch(conf-map_name)# exit

5. Enter the following command to apply the access map to all VLANs that you want to monitor:

    Switch(conf)# vlan filter map_name vlan-list 1-10,15,16...

6. Enter the following commands to specify the capture port (previously configured trunk port):

    Switch(conf)# interface GE5/3
    Switch(config-if)# switchport capture
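The following is an added example, not part of the original documentation and not Riverbed or Cisco tooling. It audits a saved Cisco IOS configuration for the pieces the procedure above sets up, reporting which VLANs are mirrored by a capture VACL, which interfaces receive the copy, and whether the capture port is a trunk. It assumes the "action forward capture" form of step 4 and running-config style text; the sample configuration, the map name MONITOR_MAP and the interface name GigabitEthernet5/3 are constructed for illustration.

```python
import re

# Constructed sample config; MONITOR_MAP and GigabitEthernet5/3 are assumed names.
SAMPLE = """\
vlan access-map MONITOR_MAP 10
 match ip address SteelCentralMonitor
 action forward capture
vlan filter MONITOR_MAP vlan-list 1-10,15,16
interface GigabitEthernet5/3
 switchport mode trunk
 switchport capture
"""

def blocks(config):
    """Group indented sub-commands under their top-level command line."""
    out, head = {}, None
    for line in config.splitlines():
        if line[:1].isspace() and head and line.strip():
            out[head].append(line.strip())
        elif line.strip() not in ("", "!"):
            head = line.strip()
            out.setdefault(head, [])
    return out

def expand_vlans(spec):
    """Expand a vlan-list such as '1-10,15,16' into a set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(config):
    """Return (mirrored VLANs, capture ports, problems) for one config."""
    cfg = blocks(config)
    # Access maps whose action clause carries the capture keyword.
    maps = {h.split()[2] for h, b in cfg.items() if h.startswith("vlan access-map ")
            and any(c.startswith("action ") and "capture" in c.split() for c in b)}
    vlans, ports, problems = set(), [], []
    for h, b in cfg.items():
        m = re.fullmatch(r"vlan filter (\S+) vlan-list (\S+)", h)
        if m and m.group(1) in maps:
            vlans |= expand_vlans(m.group(2))
        if h.startswith("interface ") and "switchport capture" in b:
            ports.append(h.split()[1])
            if "switchport mode trunk" not in b:
                problems.append(f"{h.split()[1]}: capture port is not a trunk")
    if bool(vlans) != bool(ports):
        problems.append("capture VACL and capture port are not both configured")
    return sorted(vlans), ports, problems
```

Running audit() against periodic configuration backups gives a record of which VLANs are being copied and to which port, so an unexpected capture port or an expanded VLAN list stands out in review.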