A common use for VACLs is to keep backup traffic from being sent to Application Delivery Analysis. To exclude specific traffic, create the access map and ACLs differently than in Filtering Captured Traffic. If you deny traffic to and from a backup server and then add a permit ip any any entry in the same ACL, the access map both denies and permits the same traffic: in an access map, each packet is checked against every entry in the ACL before it is discarded, so the deny entries do not keep the backup traffic out of the capture.
Instead, create one ACL that matches traffic going to or from the backup servers and a second, pass-through ACL, and order the access-map entries so that the backup traffic is matched first, as shown in the following example:
(config)# access-list 101 permit ip host 192.168.1.1 any
(config)# access-list 101 permit ip any host 192.168.1.1
(config)# access-list 101 permit ip host 192.168.1.2 any
(config)# access-list 101 permit ip any host 192.168.1.2
!
(config)# access-list 102 permit ip any any
!
(config)# vlan access-map sa_cap 30
(config)# match ip address 101
(config)# action forward
!
(config)# vlan access-map sa_cap 40
(config)# match ip address 102
(config)# action forward capture
!
(config)# vlan filter sa_cap vlan-list 10
!
(config)# interface gig2/13
(config)# switchport capture
In this example, the backup traffic (hosts 192.168.1.1 and 192.168.1.2) is matched by access-map entry 30 first and is forwarded but not captured. All other traffic falls through to entry 40, where it is forwarded and captured. With this concept, you can create a filter that performs the following tasks:
This configuration requires three ACLs.
Tip: Use this configuration to capture traffic for your production application server IP addresses without sending server backups to Application Delivery Analysis. Sending the backups to Application Delivery Analysis can overload its collection devices.
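The three-ACL variant described in the tip above, as an added example that is not part of the CA documentation: backup traffic is matched first and forwarded without capture, only the production application servers are captured, and a final pass-through entry forwards everything else (a VACL drops any traffic that matches no entry). The IP addresses, VLAN and interface are constructed placeholders.

```cisco
! Added example (not from the CA documentation). All addresses are constructed.
!
! ACL 101: backup server(s). Matched first, so backup traffic is never captured,
! even when the other end of the flow is a production application server.
access-list 101 permit ip host 192.168.1.1 any
access-list 101 permit ip any host 192.168.1.1
!
! ACL 102: production application servers, the only traffic to capture.
access-list 102 permit ip host 10.0.5.10 any
access-list 102 permit ip any host 10.0.5.10
access-list 102 permit ip host 10.0.5.11 any
access-list 102 permit ip any host 10.0.5.11
!
! ACL 103: everything else. Forwarded but not captured; without this entry
! unmatched traffic would be dropped by the VACL.
access-list 103 permit ip any any
!
! Access-map entries are evaluated in ascending sequence order; first match wins.
vlan access-map sa_cap 10
 match ip address 101
 action forward
vlan access-map sa_cap 20
 match ip address 102
 action forward capture
vlan access-map sa_cap 30
 match ip address 103
 action forward
!
vlan filter sa_cap vlan-list 10
!
interface gig2/13
 switchport capture
```

Verify the ordering with show vlan access-map sa_cap; the entry numbers must place the backup ACL before the production ACL, or backup flows to the application servers will be captured by entry 20.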
Copyright © 2015 CA Technologies.
All rights reserved.