51-14
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 51 Configuring SPAN and RSPAN
Access List Filtering
• When no ACLs are applied to packets exiting a SPAN destination interface, all traffic is permitted, regardless of the PACLs, VACLs, or RACLs that have previously been applied to the destination interface or to the VLAN to which the SPAN destination interface belongs.
• If an ACL is removed from a SPAN session, all traffic is permitted once again.
• If the SPAN configuration is removed from the SPAN session, all rules associated with the SPAN destination interface are applied once again.
• If a SPAN destination port is configured as a trunk port and the VLANs to which it belongs have ACLs associated with them, the traffic is not subjected to those VACLs.
• ACL configuration applies normally to the RSPAN VLAN and to trunk ports carrying the RSPAN VLAN. This configuration enables you to apply VACLs on RSPAN VLANs. If a user attempts to configure an ACL on a SPAN session whose destination is an RSPAN VLAN, the configuration is rejected.
• If CAM resources are exhausted and packets are passed to the CPU for lookup, any output port ACLs associated with a SPAN session are not applied.
• If a named IP ACL is configured on a SPAN session before the ACL itself has been created, the configuration is accepted, and the software creates an empty ACL with no ACEs. (An empty ACL permits all packets.) Rules can subsequently be added to the ACL.
• The ACLs associated with a SPAN session are applied on the destination interface on output.
• No policing is allowed on traffic exiting SPAN ports.
• Only IP ACLs are supported on SPAN sessions.
Configuring Access List Filtering
To configure access list filtering, perform this task:
Note: IP access lists must be created in configuration mode as described in the chapter “Configuring Network Security with ACLs.”
Command:
    Switch(config)# [no] monitor session {session_number} filter {ip access-group [name | id]} {vlan vlan_IDs [, | -]} | {packet-type {good | bad}} | {address-type {unicast | multicast | broadcast} [rx | tx | both]}

Purpose:
    Specifies filter sniffing based on the access list.
    For session_number, specify the session number identified with this SPAN session (1 through 6).
    You can specify either a name or a numeric ID for the access list.
    For name, specify the IP access list name.
    For id, specify a standard (1 to 199) or extended (1300-2699) IP access list.
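The following Cisco IOS session is an added example and is not part of the configuration guide; the interface numbers, the ACL name SPAN-TO-SENSOR and the addresses are hypothetical placeholders. It follows the order the Note above requires: the named IP ACL is created with its ACEs first, then a local SPAN session is defined, and only then is the ACL attached as the session filter. Doing it in that order matters because attaching a name that does not yet exist is accepted and silently creates an empty ACL, which permits every mirrored packet to reach the destination port.

```cisco
Switch# configure terminal
!
! Step 1: create the named extended IP ACL in configuration mode first,
! so that it already contains ACEs when it is attached to the session.
! (hypothetical subnet and ports)
Switch(config)# ip access-list extended SPAN-TO-SENSOR
Switch(config-ext-nacl)# permit tcp 10.0.10.0 0.0.0.255 any eq 443
Switch(config-ext-nacl)# permit udp any any eq 53
Switch(config-ext-nacl)# exit
!
! Step 2: local SPAN session 1 (session numbers run from 1 through 6);
! source and destination interfaces are hypothetical.
Switch(config)# monitor session 1 source interface gigabitethernet 1/1 both
Switch(config)# monitor session 1 destination interface gigabitethernet 1/2
!
! Step 3: filter the mirrored traffic on output from the destination
! interface using the IP ACL (only IP ACLs are supported here).
Switch(config)# monitor session 1 filter ip access-group SPAN-TO-SENSOR
Switch(config)# end
!
! Verification: confirm the ACL is not empty and the session carries the filter.
Switch# show ip access-lists SPAN-TO-SENSOR
Switch# show monitor session 1
!
! Removing the filter returns the session to permitting all mirrored traffic.
Switch# configure terminal
Switch(config)# no monitor session 1 filter ip access-group SPAN-TO-SENSOR
Switch(config)# end
```

After attaching the filter, check `show ip access-lists` for the ACL name: a listing with no ACEs means the name was attached before the ACL was built, and the session is currently forwarding everything. Remember that the filter only governs the SPAN output; a destination port configured as a trunk does not apply the VACLs of its member VLANs to the mirrored traffic, and an RSPAN VLAN destination cannot take an ACL on the session at all.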