Catalyst 6500 series switch
Chapter 15
Configuring Access Control
This example shows how to display VACL management information:
Console> (enable) show security acl resource-usage
ACL resource usage:
ACL storage (mask/value): 0.29%/0.10%
ACL to switch interface mapping table: 0.39%
ACL layer 4 port operators: 0.0%
Console> (enable)
Capturing Traffic Flows on Specified Ports
You can enter the capture keyword in the set security acl (ip, ipx, and mac) commands to specify that
the packets that match the specified flows are captured and transmitted out of the capture ports. You
specify the capture ports using the set security acl capture-ports mod/ports... command. When you use
the capture keyword, the packets that match the specified flows are captured in parallel with normal
forwarding and transmitted out of the capture ports. The capture ports do not send out all the captured
traffic; each capture port sends out only the traffic belonging to the VLANs of that capture port.
Configuration Guidelines
This section describes the guidelines for configuring the capture ports:
• The capture port cannot be part of an EtherChannel.
• The capture port cannot be an ATM port.
• The capture port must be in the spanning-tree forwarding state for the VLAN.
• You can specify any number of switch ports as capture ports. The capture ports are added to a capture
port list, and the configuration is saved in NVRAM.
• Only permitted traffic is captured. A packet that is dropped by an ACL cannot be captured.
• The capture ports do not transmit all captured traffic. They transmit only traffic belonging to the
capture port VLAN. To capture the traffic going to many VLANs, the capture port must be a trunk
carrying the required VLANs.
• For routed traffic, the capture ports transmit the packets only after they are Layer 3 switched;
a packet is transmitted out of a capture port only if the output VLAN of the Layer 3-switched flow is
the same as the capture port VLAN. For example, assume that you have flows from VLAN 10 to
VLAN 20, you add a VACL on one of the VLANs permitting these flows, and you specify a capture
port. This traffic is transmitted out of the capture port only if the port belongs to VLAN 20 or is a
trunk carrying VLAN 20. If the capture port is in VLAN 10, it does not transmit any of this traffic.
Whether a capture port transmits the traffic is independent of the VLAN on which you placed
the VACL.
• If you want to capture the traffic from one VLAN going to many VLANs, the capture port has to be
a trunk carrying all the output VLANs.
• For bridged traffic, because all the traffic remains in the same VLAN, ensure that the capture
port is in the same VLAN as the bridged traffic.
• To capture the traffic, you can configure one ACL and map it to a group of VLANs, or you can
configure a number of ACLs and map each to one VLAN. Configure as many ACEs per ACL as
necessary to capture the desired traffic.
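The following console session is an added illustration, not an example from the guide, and it puts the guidelines above together for the VLAN 10 to VLAN 20 case: a VACL mapped to VLAN 10 captures HTTP flows destined for VLAN 20, and the capture port is placed in VLAN 20 so that the Layer 3-switched copies actually leave it. The ACL name IPACL1, the 10.1.10.0/24 and 10.1.20.0/24 prefixes, port 3/1 and the VLAN numbers are assumptions chosen for the example; lines beginning with ! are annotations, not CatOS input.

```text
! Added example, not from the original guide. IPACL1, the prefixes, port 3/1
! and the VLAN numbers are assumptions.
! 1. Build the VACL in the edit buffer: capture HTTP from VLAN 10 hosts to
!    VLAN 20 hosts. The trailing permit keeps all other traffic flowing;
!    without it the VACL's implicit deny drops it, and dropped packets are
!    never captured.
Console> (enable) set security acl ip IPACL1 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 80 capture
Console> (enable) set security acl ip IPACL1 permit ip any any
! 2. Commit the edit buffer to hardware and NVRAM, then map the ACL to the
!    ingress VLAN.
Console> (enable) commit security acl IPACL1
Console> (enable) set security acl map IPACL1 10
! 3. The flow is routed into VLAN 20, so the capture port must carry VLAN 20.
!    Put 3/1 in VLAN 20 (or make it a trunk carrying VLAN 20) before adding
!    it to the capture port list; a capture port left in VLAN 10 transmits
!    none of this traffic.
Console> (enable) set vlan 20 3/1
Console> (enable) set security acl capture-ports 3/1
! 4. Verify the committed ACEs and the capture port list.
Console> (enable) show security acl info IPACL1
Console> (enable) show security acl capture-ports
```

Two things to keep in mind when using this. The capture port replicates every permitted packet that matches a capture ACE to whatever is attached to it, so treat 3/1 like a SPAN destination (a dedicated analyzer, not a user port) and remove it with clear security acl capture-ports 3/1 when the capture is finished. Also, this configuration sees only the VLAN 10 to VLAN 20 direction; the replies are routed into VLAN 10, so capturing both directions on one port requires that port to be a trunk carrying VLAN 10 and VLAN 20, as the guidelines state.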
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04), Chapter 15, Configuring VACLs, page 15-57
