Filtering Captured Traffic

What is a VACL? › Using VACLs to Capture Traffic › Filtering Captured Traffic

Filtering Captured Traffic

The following example shows how to use a VACL to filter the traffic that is captured in a VLAN.

The first ACL in the access map (ACL 101) specifies that TCP traffic is forwarded to its destination and captured.
The second ACL (ACL 102) specifies that traffic that does not meet ACL 102 is retained.
Interface fa2/13 is configured as a capture port.

The example filters out non-TCP traffic, which is useful when capturing data for Application Delivery Analysis. Using ACLs, you can limit traffic to specific ports or IP addresses.

Note: If the second ACL is configured improperly, production traffic that does not meet the first ACL is dropped. We recommend that multiple people review VACL configurations. The review helps to prevent a misconfiguration that can result in dropped traffic. We also recommend that you test a VACL in a lab environment before applying it to a production environment.

Diagram showing how to use VLANs to filter captured data

The following commands represent the configuration in the illustration:

(config)# access-list 101 permit tcp any any 
!
(config)# access-list 102 permit ip any any 
!
(config)# vlan access-map sa_cap 30
(config)# match ip address 101
(config)# action forward capture
!
(config)# vlan access-map sa_cap 40
(config)# match ip address 102
(config)# action forward
!
(config)#vlan filter sa_cap vlan-list 10
!
(config)#interface gig2/13
(config)#switchport capture