Chapter 2 Setting Up The NAM Traffic Analyzer

Traffic

aa.bb.cc.dd is the IP address defined at the destination

You can now connect to the NAM to monitor and capture traffic of the Data Port 2 data source.

Sending ERSPAN Data Directly to the NAM Management Interface

To send the data directly to the NAM management IP address (management-port), configure the ERSPAN source session. No ERSPAN destination session configuration is required. After you perform this configuration on the Catalyst 6500 switch or Cisco 7600 series router, the NAM automatically creates a data source for the packet stream when ERSPAN packets are sent to it. If the auto-create feature is not enabled, you must manually create the data source for this ERSPAN stream of traffic (see Creating ERSPAN Data Sources Using the Web GUI, page 2-12).

Note: This method causes the ERSPAN traffic to arrive on the NAM management port. If the traffic level is high, this could have a negative impact on the NAM’s performance and IP connectivity.

Sample Configuration

monitor session 1 type erspan-source
 no shut
 source interface Fa3/47
 destination
  erspan-id Y
  ip address aa.bb.cc.dd
  origin ip address ee.ff.gg.hh

Where:

Interface fa3/47 is a local interface on the erspan-source switch to be monitored

Y is any valid span session number

aa.bb.cc.dd is the management IP address of the NAM

ee.ff.gg.hh is the source IP address of the ERSPAN traffic
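
The sub-commands in the sample configuration correspond to fields in each ERSPAN packet that reaches the NAM: origin ip address and ip address become the outer IP source and destination, and erspan-id is carried in the ERSPAN header. The following Python parser is an added example, not part of the Cisco guide; it assumes ERSPAN Type II encapsulation over IPv4, and the function names, sample addresses and ERSPAN ID 7 are constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type for ERSPAN Type II


def parse_erspan(packet: bytes) -> dict:
    """Extract the outer IPs and ERSPAN Type II header fields from an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[9] != 47:
        raise ValueError("outer IP protocol is not GRE (47)")
    gre = packet[(packet[0] & 0x0F) * 4:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE payload is not ERSPAN")
    if not flags & 0x1000:
        raise ValueError("no GRE sequence number: not ERSPAN Type II")
    # Skip optional GRE checksum (C bit) and key (K bit) words, then the sequence number.
    off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4
    if len(gre) < off + 8:
        raise ValueError("truncated ERSPAN header")
    word1, word2 = struct.unpack("!II", gre[off:off + 8])
    return {
        "origin_ip": str(ipaddress.IPv4Address(packet[12:16])),       # 'origin ip address'
        "destination_ip": str(ipaddress.IPv4Address(packet[16:20])),  # 'ip address'
        "version": word1 >> 28,                                       # 1 for Type II
        "vlan": (word1 >> 16) & 0x0FFF,
        "erspan_id": word1 & 0x03FF,                                  # 'erspan-id Y'
        "index": word2 & 0xFFFFF,
        "mirrored_frame": gre[off + 8:],
    }


def constructed_sample(erspan_id: int, origin: str, destination: str) -> bytes:
    """Build a test packet (constructed, not a capture; IP checksum left at 0)."""
    frame = bytes(14)  # placeholder for the mirrored Ethernet frame
    erspan = struct.pack("!II", (1 << 28) | (100 << 16) | erspan_id, 0)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1)
    payload = gre + erspan + frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 47, 0,
                     ipaddress.IPv4Address(origin).packed,
                     ipaddress.IPv4Address(destination).packed)
    return ip + payload


if __name__ == "__main__":
    print(parse_erspan(constructed_sample(7, "192.0.2.10", "198.51.100.5")))
```

Run against a capture taken on the management network, the same fields show which switch and which session is sending mirrored traffic to the NAM management port.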

VACL

A VLAN access control list (VACL) can forward traffic from either a WAN interface or VLANs to a data port on the NAM. A VACL provides an alternative to using SPAN; it can provide access control based on Layer 3 addresses for IP and IPX protocols. Unsupported protocols are access controlled through MAC addresses. A MAC VACL cannot be used to access control IP or IPX addresses.

Configuring VACL on a WAN Interface

Because WAN interfaces do not support the SPAN function, you must use the switch CLI to manually configure a VACL in order to monitor WAN traffic with the NAM. This feature only works for IP traffic over the WAN interface.

A VACL can also be used if there is no available SPAN session to direct traffic to the NAM. In this case, a VACL can be set up in place of a SPAN for monitoring VLAN traffic.

The following example shows how to configure a VACL on an ATM WAN interface and forward both ingress and egress traffic to the NAM. These commands are for switches running Cisco IOS version 12.1(13)E1 or higher. For more information on using these features, see your accompanying switch documentation.

Cat6509#config terminal

Cat6509(config)# access-list 100 permit ip any any

 

 

User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0

OL-22617-01

2-17