66-13
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 66 Configuring SPAN and RSPAN
Access List Filtering
This example shows how to configure a destination port with 802.1q encapsulation and ingress packets
using native VLAN 7:
Switch(config)# monitor session 1 destination interface fastethernet 5/48
encapsulation dot1q ingress vlan 7
With this configuration, traffic from SPAN sources associated with session 1 would be copied out of
interface Fast Ethernet 5/48, with 802.1q encapsulation. Incoming traffic would be accepted and
switched, with untagged packets being classified into VLAN 7.
Access List Filtering
When configuring a SPAN session, you can apply access list filtering. Access list filtering applies to all
packets passing through a SPAN destination port that might be sniffed in the egress or ingress direction.
Access list filters are allowed on local SPAN sessions only. If the SPAN destination is an RSPAN VLAN,
the access list filter is rejected.
Note Access list filtering is available in Cisco IOS Release 12.2(20)EW and later releases.
ACL Configuration Guidelines
You can configure ACLs on a SPAN session. Use these guidelines for ACL/SPAN sessions:
• If an ACL is associated with a SPAN session, the rules associated with that ACL are applied against
all packets exiting the SPAN destination interface. Rules pertaining to other VACLs or RACLs
previously associated with the SPAN destination interface are not applied.
• Only one IP named ACL and one IPv6 ACL can be associated with a SPAN session.
• When no ACLs are applied to packets exiting a SPAN destination interface, all traffic is permitted
regardless of the PACLs, VACLs, or RACLs that have been previously applied to the destination
interface or VLAN to which the SPAN destination interface belongs.
• If an ACL is removed from a SPAN session, all traffic is permitted once again.
• If SPAN configuration is removed from the SPAN session, all rules associated with the SPAN
destination interface are applied once again.
• If a SPAN destination port is configured as a trunk port and the VLANs to which it belongs have
ACLs associated with them, the traffic is not subjected to the VACLs.
• ACL configuration applies normally to the RSPAN VLAN and to trunk ports carrying the RSPAN
VLAN. This configuration enables you to apply VACLs on RSPAN VLANs. If a user attempts to
configure an ACL on a SPAN session with the destination port as an RSPAN VLAN, the
configuration is rejected.
• If CAM resources are exhausted and packets are passed to the CPU for lookup, any output port ACLs
associated with a SPAN session are not applied.
• If a named IP ACL or IPv6 ACL is configured on a SPAN session before an ACL is created, the
configuration is accepted, and the software creates an empty ACL with no ACEs. (An empty ACL
permits all packets.) Subsequently, the rules can be added to the ACL.
• The ACLs associated with a SPAN session are applied on the destination interface on output.
• No policing is allowed on traffic exiting SPAN ports.
To Next Page
Loading...
