Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E, 78-14064-04, page 23-16
Chapter 23 Configuring Network Security
Configuring VLAN ACLs
This example shows how to define and apply a VLAN access map that forwards IP packets. IP traffic matching the net_10 ACL is forwarded; all other IP packets match no sequence in the map and are dropped by the default drop action. The map is applied to VLANs 12 through 16:
Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter thor vlan-list 12-16
This example shows how to define and apply a VLAN access map that drops and logs IP packets. IP traffic matching the net_10 ACL is dropped and logged; all other IP packets are forwarded by the any_host entry in sequence 20:
Router(config)# vlan access-map ganymede 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action drop log
Router(config-access-map)# exit
Router(config)# vlan access-map ganymede 20
Router(config-access-map)# match ip address any_host
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter ganymede vlan-list 7-9
This example shows how to define and apply a VLAN access map that forwards and captures IP packets. IP traffic matching the net_10 ACL is forwarded and a copy is sent to the capture port; all other IP packets are dropped by the default drop action:
Router(config)# vlan access-map mordred 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward capture
Router(config-access-map)# exit
Router(config)# vlan filter mordred vlan-list 2, 4-6
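As an added example (not code from the guide), a small Python model of how a VLAN access map decides a packet's fate. It parses the ganymede map from the page together with ASSUMED contents for the net_10 and any_host ACLs, which the examples reference but never show, and exercises two points worth checking in any VACL review: a packet that matches no sequence hits the default drop, and a deny in a match ACL only skips that sequence rather than dropping the packet.

```python
import ipaddress
# Constructed sample: the guide's ganymede map plus ASSUMED net_10/any_host ACL contents.
SAMPLE_CONFIG = """\
ip access-list standard net_10
 deny 10.1.1.1
 permit 10.0.0.0 0.255.255.255
ip access-list standard any_host
 permit any
vlan access-map ganymede 10
 match ip address net_10
 action drop log
vlan access-map ganymede 20
 match ip address any_host
 action forward
vlan filter ganymede vlan-list 7-9
"""

def parse_config(config):
    """Return (acls, maps, filters) from standard-ACL, access-map and filter lines."""
    acls, maps, filters = {}, {}, {}
    for words in (l.split() for l in config.splitlines() if l.strip()):
        if words[:2] == ["ip", "access-list"]:
            aces = acls.setdefault(words[3], [])
        elif words[0] in ("permit", "deny"):       # 'any' or 'addr [wildcard]'
            net = "0.0.0.0/0" if words[1] == "any" else "/".join(words[1:3])
            aces.append((words[0] == "permit", ipaddress.ip_network(net)))
        elif words[:2] == ["vlan", "access-map"]:
            entry = maps.setdefault(words[2], {}).setdefault(int(words[3]), {})
        elif words[0] == "match":
            entry["acl"] = words[3]
        elif words[0] == "action":
            entry["action"] = " ".join(words[1:])
        elif words[:2] == ["vlan", "filter"]:      # vlan-list '7-9' or '2, 4-6'
            for part in " ".join(words[4:]).replace(",", " ").split():
                lo, _, hi = part.partition("-")
                for v in range(int(lo), int(hi or lo) + 1):
                    filters[v] = words[2]
    return acls, maps, filters

def vacl_action(vlan, src_ip, config=SAMPLE_CONFIG):
    """First sequence whose match ACL *permits* the packet decides its action; a
    deny ACE only means 'no match here'. No match at all is the default: drop."""
    acls, maps, filters = parse_config(config)
    if vlan not in filters:                        # no VACL applied to this VLAN
        return "forward"
    src = ipaddress.ip_address(src_ip)
    for _seq, entry in sorted(maps[filters[vlan]].items()):
        if next((p for p, net in acls[entry["acl"]] if src in net), False):
            return entry["action"]
    return "drop"
```

Feeding the thor map from the first example (no catch-all sequence) through the same function shows non-net_10 traffic falling to the default drop.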
Configuring a Capture Port
A port configured to capture VACL-filtered traffic is called a capture port.
Note: To apply IEEE 802.1Q or ISL tags to the captured traffic, configure the capture port to trunk unconditionally (see the “Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk” section on page 7-8 and the “Configuring the Layer 2 Trunk Not to Use DTP” section on page 7-9).
To configure a capture port, perform this task:

Step 1
Command: Router(config)# interface {type slot/port}
(type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet)
Purpose: Specifies the interface to configure.

Step 2
Command: Router(config-if)# switchport capture allowed vlan {add | all | except | remove} vlan_list
Purpose: (Optional) With Release 12.1(13)E and later releases, filters the captured traffic on a per-destination-VLAN basis. The default is all.

Command: Router(config-if)# no switchport capture allowed vlan
Purpose: Clears the configured destination VLAN list and returns to the default value (all).

Step 3
Command: Router(config-if)# switchport capture
Purpose: Configures the port to capture VACL-filtered traffic.

Command: Router(config-if)# no switchport capture
Purpose: Disables the capture function on the interface.