VACL capture provides Cisco customers an unlimited number of SPAN ports

Have you run out of traffic spanning sessions on your Cisco switches? Are you treating them like gold because of their scarcity? If so, you should take a good look at VACL capture, a feature that provides you with a virtually unlimited number of SPAN sessions. VACL capture works with most of the newer Cisco switches, including the 6500, 4500, 4900, 3750E, 3750, 3560E, and the 3560. To find out if your switch supports this feature, take a look at the Cisco Catalyst Switch Guide.

VACL stands for VLAN Access Control List. It operates like a typical port-based ACL, but instead of being enabled on a per-port or L3 interface level it is enabled on a per-VLAN basis. A VACL is an extended ACL that controls traffic that enters or exits a VLAN. The VACL capture feature adds a keyword, capture, to the end of an ACL entry. The capture keyword tells the switch to make a copy of any matching packets and send them to a configured capture destination port. Because the VACL feature controls traffic flow just like an ACL would, you must always be sure to configure a permit rule that allows the traffic which is not already being captured. This deals with the implicit deny that exists at the end of any ACL. If you don't, you'll end up capturing and forwarding the traffic matched by your capture command but denying all other, non-captured traffic in that VLAN because of the implicit deny at the end of all ACLs. Here is a simple configuration example to illustrate how this works:

1. Define the interesting traffic you want to be captured:

IOS(config)#ip access-list extended Capture_HTTPandUDP
IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
IOS(config-ext-nacl)#permit udp any any

2. Define a permit ACL that will allow all other traffic to flow in and out of the VLAN:

IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
IOS(config-ext-nacl)#permit ip any any

3. Define the VLAN access map, in this case called Capture_MAP:

IOS(config)#vlan access-map Capture_MAP 10
IOS(config-access-map)#match ip address Capture_HTTPandUDP
IOS(config-access-map)#action forward capture
IOS(config)#vlan access-map Capture_MAP 20
IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
IOS(config-access-map)#action forward

4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100:

IOS(config)#vlan filter Capture_MAP vlan-list 100

5. Configure the capture port. This is where captured traffic will be sent:

IOS(config)#int gig2/1
IOS(config-if)#switchport capture allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  remove  remove VLANs from the current list
IOS(config-if)#switchport capture allowed vlan 100
IOS(config-if)#switchport capture
!The last command enables the feature on the port.
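As an added example that is not part of the original post or of Cisco's software, here is a small Python audit of the five-step configuration above. It flags the two mistakes the text warns about: a VLAN access map with no plain "action forward" entry matching "permit ip any any" (so non-captured traffic falls into the implicit deny), and a filtered VLAN that no enabled capture port allows. The config text is a constructed sample modelled on the steps above; the stanza layout assumes IOS running-config syntax, and VLAN ranges in vlan-list are not expanded.

```python
import re
# Constructed sample modelled on the article's five steps (not the author's running config).
GOOD_CONFIG = """\
ip access-list extended Capture_HTTPandUDP
 permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
 permit udp any any
ip access-list extended Allow_ALL_TRAFFIC
 permit ip any any
vlan access-map Capture_MAP 10
 match ip address Capture_HTTPandUDP
 action forward capture
vlan access-map Capture_MAP 20
 match ip address Allow_ALL_TRAFFIC
 action forward
vlan filter Capture_MAP vlan-list 100
interface GigabitEthernet2/1
 switchport capture allowed vlan 100
 switchport capture
"""
_vlans = lambda text: set(map(int, re.findall(r"\d+", text)))  # assumption: plain lists; ranges like 100-110 are not expanded
def audit_vacl_capture(config):
    """Parse the ACL, access-map, filter and capture-port stanzas; return findings (empty = sane)."""
    acls, maps, filters, ports, ctx = {}, {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            ctx, acls[m[1]] = ("acl", m[1]), []
        elif m := re.match(r"vlan access-map (\S+) (\d+)", line):
            ctx = ("map", m[1], m[2]); maps.setdefault(m[1], {})[m[2]] = {"acl": None, "action": ""}
        elif m := re.match(r"vlan filter (\S+) vlan-list (.+)", line):
            ctx, filters[m[1]] = None, _vlans(m[2])
        elif m := re.match(r"interface (\S+)", line):
            ctx, ports[m[1]] = ("if", m[1]), {"on": False, "vlans": None}
        elif ctx and ctx[0] == "acl":
            acls[ctx[1]].append(line)
        elif ctx and ctx[0] == "map":
            if m := re.match(r"match ip address (\S+)", line): maps[ctx[1]][ctx[2]]["acl"] = m[1]
            elif m := re.match(r"action (.+)", line): maps[ctx[1]][ctx[2]]["action"] = m[1]
        elif ctx and ctx[0] == "if":
            if m := re.match(r"switchport capture allowed vlan (.+)", line): ports[ctx[1]]["vlans"] = _vlans(m[1])
            elif line == "switchport capture": ports[ctx[1]]["on"] = True
    findings = []
    for name, vlans in filters.items():
        entries = maps.get(name, {}).values()
        # Without a plain-forward entry that permits everything, the map's implicit deny drops all non-captured traffic.
        if not any(e["action"] == "forward" and "permit ip any any" in acls.get(e["acl"], []) for e in entries):
            findings.append(f"{name}: no 'action forward' entry matching 'permit ip any any'; VLANs {sorted(vlans)} hit the implicit deny")
        for v in sorted(vlans):  # every filtered VLAN needs an enabled capture port that allows it
            if not any(p["on"] and (p["vlans"] is None or v in p["vlans"]) for p in ports.values()):
                findings.append(f"VLAN {v}: no interface with 'switchport capture' allows it")
    return findings
```

Running audit_vacl_capture on GOOD_CONFIG returns an empty list; delete the sequence-20 stanza and it reports the implicit-deny trap.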
As you can see from the example config, VACL capture gives you more granularity over what you are capturing than SPAN traditionally has. It also provides you with an unlimited number of capture sources and destinations. This should help you cut down on the use of external network taps and SPAN expanders, which were necessary given the limited number of SPAN sessions on Cisco switches. Another thing to note is that VACL capture is done in hardware on many Cisco switches, so it won't affect performance. For those that have switched from SPAN to VACL capture, do you have any insights to share with others? For more information on VACL capture, see http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml#vacl_config

The opinions and information presented here are my personal views and not those of my employer.


Copyright © 2008 IDG Communications, Inc.
