
VACL configuration question

Status
Not open for further replies.

scobecben

Technical User
Feb 17, 2010
6
US
I am currently trying to initiate VACLs on my 6509-E in order to forward and capture traffic for all of my VLANs. I am seeing that the traffic being captured is only inbound to the VLAN and none of it outbound from the VLAN. Is there a way to capture inbound as well as outbound traffic to/from each VLAN?

Example:
Vlan access-map "CAPTURE_INTERNAL" 10
match: ip address MATCH_INTERNAL
action: forward capture

Extended IP access list MATCH_INTERNAL
10 permit ip any any

VLAN Map CAPTURE_INTERNAL:
Configured on VLANs: 10-13
Active on VLANs: 10-13

 
SPAN/RSPAN, not VACLs


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
I already have 1 SPAN of a possible 2 running. With the SPAN I can capture ingress and egress traffic per VLAN, but it takes a lot of resources away from my core switch. So, for resource's sake, I wanted to utilize the VACL scenario, but I am thinking that it's an inbound-only capture. The capture port goes direct to an ISS Proventia.

So my question is based on the premise of what I can do to capture inbound as well as outbound traffic on a VLAN basis utilizing the 'at-wire-speed' VACL technology.

I appreciate your reply burtsbees.
 
And I have included one of my VACLs here:

Vlan access-map "CAPTURE_INTERNAL" 10
match: ip address MATCH_INTERNAL
action: forward capture

Extended IP access list MATCH_INTERNAL
10 permit ip any any

VLAN Map CAPTURE_INTERNAL:
Configured on VLANs: 10-13
Active on VLANs: 10-13

interface GigabitEthernet1/15
 description INTERNAL CAPTURE TO JYO-A-FI-1
 switchport
 switchport capture
 switchport capture allowed vlan 10-13
 
When matching the IP address (referencing an extended ACL), just make 2 ACEs...

10 permit ip 10.1.1.0 0.0.0.255 any
20 permit ip any 10.1.1.0 0.0.0.255

Can we see the whole config, including the ACL(s)?

We'll figure something out from there...I am not familiar with this method of capturing, I'm just trying to use my head. What does the config on the interface do---is it the port that the capture server is on?

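The two-ACE suggestion above, as an added Python example that is not from this thread: it parses IOS "show ip access-lists" text (a constructed sample with the hypothetical ACL name MATCH_BOTH), applies wildcard-mask matching the way an extended ACE does, and reports whether a given flow is matched in both directions, which is the check you want before pointing a VACL capture at an IDS.

```python
import ipaddress
import re

# Constructed sample: the two ACEs from the thread, pasted as IOS
# "show ip access-lists" output. ACL name MATCH_BOTH is hypothetical.
SAMPLE_ACL = """Extended IP access list MATCH_BOTH
    10 permit ip 10.1.1.0 0.0.0.255 any
    20 permit ip any 10.1.1.0 0.0.0.255
"""

# One extended ACE for protocol "ip"; src/dst are 'any', 'host A.B.C.D'
# or 'A.B.C.D WILDCARD'. Port-qualified ACEs are out of scope here.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)

def _match_addr(spec, addr):
    """True if dotted address `addr` matches one IOS address spec."""
    if spec == "any":
        return True
    parts = spec.split()
    ip = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return ip == int(ipaddress.IPv4Address(parts[1]))
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    # Wildcard mask: 1 bits are "don't care", so compare only the 0 bits.
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (base & care)

def parse_acl(text):
    """Return the ACEs of one extended ACL as (seq, action, src, dst)."""
    return [(int(m["seq"]), m["action"], m["src"], m["dst"])
            for m in (ACE_RE.match(l) for l in text.splitlines()) if m]

def first_match(aces, src, dst):
    """(seq, action) of the first ACE matching a src->dst packet, or None
    when nothing matches (the ACL's implicit deny applies)."""
    for seq, action, s_spec, d_spec in aces:
        if _match_addr(s_spec, src) and _match_addr(d_spec, dst):
            return seq, action
    return None

def covers_both_directions(aces, inside, outside):
    """Does the ACL permit both inside->outside and outside->inside?"""
    fwd = first_match(aces, inside, outside)
    rev = first_match(aces, outside, inside)
    return all(m is not None and m[1] == "permit" for m in (fwd, rev))
```

Keep in mind that a VLAN access-map drops traffic that matches none of its clauses, so narrowing the match ACL away from "permit ip any any" needs a trailing sequence with a plain forward action or the unmatched traffic stops flowing.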
 
In a nutshell, we are utilizing the VACL config to cut down on the resource pounding that using the SPAN sessions creates. I have 1 SPAN on my core at this time.

So, I have 2 ISS Proventias passively connected to my core switch. One of them is capturing our DMZ traffic and the other one is capturing internal traffic. My config, the one I placed above, is capturing the internal traffic.

What I am seeing happen with this VACL config is the following:

With the current config I am capturing only inbound traffic or reply traffic but none of the outbound traffic. Needless to say, seeing only half of the traffic is not what we want.

With a different config (The last line of "switchport capture allowed vlan 10-13" is deleted), I am seeing both sides of the traffic.

The issue is that we are trying to see only specific traffic monitored on each Proventia to reduce the load; hence the issue with taking that command out of the interface config.
 
The answer I figured out was that I cannot use the VACLs in the manner that I was trying. So thanks to those that posted.
 