Packet Collection for SteelCentral : VACL Configuration Examples
  
VACL Configuration Examples
You can use VLAN access control lists (VACLs) to mirror traffic to a capture port when your switch supports only a limited number of in-use SPAN ports. This section includes the following examples:
•  VACL Port Mirroring Configuration on Cisco 6500 Running CatOS
•  VACL Port Mirroring Configuration on Cisco Catalyst 6500 Running Cisco IOS Software
VACL configuration varies based upon device and software version number. For details, see the documentation specific to your device and software version.
VACL Port Mirroring Configuration on Cisco 6500 Running CatOS
The following example shows the VACL port mirroring configuration for a Cisco Catalyst 6500 running CatOS. Apply the configuration to the switch only; there is no MSFC component. Connect the NetShark or NetExpress monitoring interfaces to the capture port, which must be a trunk port.
To configure VACL port mirroring on a Cisco Catalyst 6500 running CatOS
1. Enter the following commands to create the VACL and specify it as a capture VACL:
> set security acl ip SteelCentralMonitor permit any any capture
> show security acl info SteelCentralMonitor editbuffer
2. Enter the following command to commit the VACL to NVRAM:
> commit security acl SteelCentralMonitor
3. Enter the following command to map the VACL to all VLANs you want to monitor:
> set security acl map SteelCentralMonitor vlan1,vlan2,vlan3
4. Enter the following commands to specify the capture port to which you have connected the NetShark or NetExpress monitoring port (matching frames are switched normally and a copy is sent to the capture port):
> set security acl capture-ports 5/3
> show security acl capture-ports
VACL Port Mirroring Configuration on Cisco Catalyst 6500 Running Cisco IOS Software
The following example shows VACL port mirroring configuration for Cisco Catalyst 6500 running Cisco IOS software. Apply the configuration to the switch only; there is no MSFC component.
To configure VACL port mirroring on a Cisco Catalyst 6500 running Cisco IOS software
1. From the switch CLI, enter the following commands to create the VACL (a named IOS ACL must be declared as standard or extended; an extended ACL is used here):
Switch# configure terminal
Switch(config)# ip access-list extended SteelCentralMonitor
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)#
2. Enter the following commands to configure the assigned capture or monitoring port as a trunk port (interface 5/3). Set the trunk encapsulation before the trunk mode; the Catalyst 6500 rejects switchport mode trunk while the encapsulation is still set to auto:
Switch(config)# interface GigabitEthernet5/3
Switch(config-if)# no ip address
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
3. Enter the following commands to define the VLAN access map:
Switch(config)# vlan access-map <map_name> <seq#>
Switch(config-access-map)#
4. Enter the following commands to configure the action clause as capture for the access map:
Switch(config-access-map)# match ip address SteelCentralMonitor
Switch(config-access-map)# action forward
or, depending on the Cisco IOS release:
Switch(config-access-map)# action forward capture
Switch(config-access-map)# exit
5. Enter the following command to apply the access map to all VLANs that you want to monitor:
Switch(config)# vlan filter <map_name> vlan-list 1-10,15,16...
6. Enter the following commands to specify the capture port (the trunk port configured previously):
Switch(config)# interface GigabitEthernet5/3
Switch(config-if)# switchport capture
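The Cisco IOS procedure above consolidated into one configuration block with verification commands, as an added example that is not from the original page. The map name SteelCentralCapture, sequence number 10, and monitored VLANs 10 and 20 are assumed values; the switchport nonegotiate and switchport capture allowed vlan lines are additions beyond the procedure's steps that keep DTP and unmonitored VLAN traffic off the capture port.

```text
! Added example (not from the original page): consolidated Catalyst 6500 IOS
! VACL capture configuration. Assumed values: map name SteelCentralCapture,
! sequence 10, monitored VLANs 10 and 20, capture port GigabitEthernet5/3.
configure terminal
!
! Step 1. Match all IP traffic; the VACL selects what is copied, nothing is dropped.
ip access-list extended SteelCentralMonitor
 permit ip any any
 exit
!
! Step 2. Capture port as an 802.1Q trunk; encapsulation is set before the mode.
!         switchport nonegotiate (not in the procedure) disables DTP on this port.
interface GigabitEthernet5/3
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 exit
!
! Steps 3-4. Access map: forward normally and copy matching frames to capture ports.
!            On releases that reject "action forward capture", use "action forward".
vlan access-map SteelCentralCapture 10
 match ip address SteelCentralMonitor
 action forward capture
 exit
!
! Step 5. Bind the map only to the VLANs being monitored.
vlan filter SteelCentralCapture vlan-list 10,20
!
! Step 6. Designate the trunk as the capture port. The allowed-vlan line (not in
!         the procedure) limits the copy to the monitored VLANs.
interface GigabitEthernet5/3
 switchport capture
 switchport capture allowed vlan 10,20
 exit
end
!
! Verification: the ACL, the map and its action, the VLAN binding, and the port.
show ip access-lists SteelCentralMonitor
show vlan access-map SteelCentralCapture
show vlan filter
show interfaces GigabitEthernet5/3 switchport
```

Confirm in the show vlan filter output that the map is bound to exactly the VLANs you intended, and that the capture port itself is not a member of a VLAN covered by the map.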