Network World

Jamey Heary

VACL capture provides Cisco customers an unlimited number of SPAN ports

By jheary on Sun, 10/05/08 - 4:37pm.

Have you run out of traffic-spanning sessions on your Cisco switches? Are you treating them like gold because of their scarcity? If so, take a good look at VACL capture, a feature that gives you a virtually unlimited number of SPAN sessions.
VACL capture works with most of the newer Cisco switches, including the 6500, 4500, 4900, 3750E, 3750, 3560E, and the 3560. To find out whether your switch supports this feature, take a look at the Cisco Catalyst Switch Guide.

VACL stands for VLAN Access Control List. It operates like a typical port-based ACL, but instead of being enabled per port or per L3 interface it is enabled on a per-VLAN basis. A VACL is an extended ACL that controls traffic entering or exiting a VLAN. The VACL capture feature adds the keyword capture to the end of an ACL entry; the capture keyword tells the switch to make a copy of any matching packets and send them to a configured capture destination port. Because a VACL controls traffic flow just as an ACL does, you must always configure a permit rule that allows the traffic that is not being captured. This deals with the implicit deny that sits at the end of every ACL: if you leave it out, you will capture and forward the traffic matched by your capture entry but deny all other, non-captured traffic in that VLAN.

Here is a simple configuration example to illustrate how this works:

1. Define the interesting traffic you want to be captured

IOS(config)#ip access-list extended Capture_HTTPandUDP

IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
IOS(config-ext-nacl)#permit udp any any

2. Define a permit ACL that allows all other traffic to flow in and out of the VLAN.

IOS(config)#ip access-list extended Allow_ALL_TRAFFIC

IOS(config-ext-nacl)#permit ip any any

3. Define the VLAN access map, in this case it is called Capture_MAP.

IOS(config)#vlan access-map Capture_MAP 10

IOS(config-access-map)#match ip address Capture_HTTPandUDP

IOS(config-access-map)#action forward capture

IOS(config)#vlan access-map Capture_MAP 20

IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC

IOS(config-access-map)#action forward

4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100.

IOS(config)#vlan filter Capture_MAP vlan-list 100

5. Configure the Capture Port. This is where captured traffic will be sent.

IOS(config)#int gig2/1
IOS(config-if)#switchport capture allowed vlan ?

WORD VLAN IDs of the allowed VLANs
add add VLANs to the current list
all all VLANs
except all VLANs except the following
remove remove VLANs from the current list

IOS(config-if)#switchport capture allowed vlan 100

IOS(config-if)#switchport capture
!This enables the feature.
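To see why step 2 matters, here is an added Python example (not from the post or from Cisco) that parses the configuration above into a small model of the VLAN access map and walks a packet through it in sequence order, the way the switch evaluates it. It is an assumption that this simplified model (first matching sequence wins, anything unmatched hits the implicit deny, no deny/drop actions) is enough to show the point: an HTTPS packet that matches no capture entry is forwarded only while sequence 20 exists.

```python
import ipaddress

# Constructed sample: the post's example config, cut down to the lines that decide a packet's fate.
CONFIG = """ip access-list extended Capture_HTTPandUDP
 permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
 permit udp any any
ip access-list extended Allow_ALL_TRAFFIC
 permit ip any any
vlan access-map Capture_MAP 10
 match ip address Capture_HTTPandUDP
 action forward capture
vlan access-map Capture_MAP 20
 match ip address Allow_ALL_TRAFFIC
 action forward"""

def _addr(t, i):  # consume one ACL address spec at t[i]: any | host X | addr wildcard-mask
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = t[i + 1] + "/32" if t[i] == "host" else f"{t[i]}/{t[i + 1]}"  # ip_network accepts a hostmask
    return ipaddress.ip_network(net), i + 2

def parse(config):
    """Return ({acl: [(proto, src, dst, dport)]}, {map: [[seq, acl, action]]}) from IOS config text."""
    acls, maps, cur = {}, {}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(t[3], [])
        elif t[:2] == ["vlan", "access-map"]:
            cur = [int(t[3]), None, None]  # filled in by the match/action lines that follow
            maps.setdefault(t[2], []).append(cur)
        elif t[0] == "permit":
            src, i = _addr(t, 2)
            dst, i = _addr(t, i)
            cur.append((t[1], src, dst, int(t[i + 1]) if t[i:i + 1] == ["eq"] else None))
        elif t[:3] == ["match", "ip", "address"]:
            cur[1] = t[3]
        elif t[0] == "action":
            cur[2] = " ".join(t[1:])
    return acls, maps

def vacl_action(parsed, map_name, pkt):
    """First matching sequence wins; pkt = (proto, src, dst, dport); no match = implicit deny."""
    acls, maps = parsed
    src, dst = ipaddress.ip_address(pkt[1]), ipaddress.ip_address(pkt[2])
    for _, acl, action in sorted(maps[map_name]):
        if any(p in ("ip", pkt[0]) and src in s and dst in d and port in (None, pkt[3])
               for p, s, d, port in acls[acl]):
            return action
    return "drop (implicit deny)"

def pitfall_demo(pkt=("tcp", "10.10.10.130", "20.10.10.1", 443)):  # HTTPS: matches no capture ACE
    broken = CONFIG.split("vlan access-map Capture_MAP 20")[0]  # same map minus the catch-all entry
    return vacl_action(parse(CONFIG), "Capture_MAP", pkt), vacl_action(parse(broken), "Capture_MAP", pkt)
```

`pitfall_demo()` returns `('forward', 'drop (implicit deny)')`: the same packet is passed with the catch-all in place and silently dropped without it.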

As the example config shows, VACL capture gives you more granularity over what you capture than SPAN traditionally has, and it provides an unlimited number of capture sources and destinations. That should cut down on the external network taps and SPAN expanders that the limited number of SPAN sessions on Cisco switches made necessary. Another point to note: on many Cisco switches VACL capture is done in hardware, so it won't affect performance.

For those that have switched from SPAN to VACL capture, do you have any insights to share with others?

For more information on VACL Capture see
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_e...

The opinions and information presented here are my personal views and not those of my employer.

About Cisco Security Expert

Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.

Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.
