SPAN with ACL - ASR9K

From DocWiki


Configuration

The examples below use the following values. Use find and replace to substitute your own.

Interface to Apply SPAN ......... : TenGigE1/0/0/1
Interface to Destination for SPAN : TenGigE1/0/2/2
Host 1 .......................... : 10.1.2.3
Host 2 .......................... : 10.1.2.4

Create the ACL

  • List both directions so the ACL can be applied on ingress and egress
  • The capture keyword is necessary for ACL-based SPAN to work

** IMPORTANT ** REMEMBER THE FINAL PERMIT IPV4 ANY ANY, OR ALL OTHER TRAFFIC WILL BE DROPPED BY THE ACL'S IMPLICIT DENY.

ipv4 access-list SPAN_ACL
 10 permit ipv4 host 10.1.2.3 host 10.1.2.4 capture
 20 permit ipv4 host 10.1.2.4 host 10.1.2.3 capture
 30 permit ipv4 any any
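
A pre-deployment check for the three points above (capture keyword present, both directions listed, final permit ipv4 any any). This is an added example, not from the original page or from Cisco; the function names and the BAD sample are constructed for illustration, and the parser assumes only the host/any entry form used here.

```python
import re

# Matches entries of the form used on this page:
#   <seq> permit|deny ipv4 <src> <dst> [capture]
# where <src>/<dst> is "any" or "host A.B.C.D". Other ACE forms are out of scope.
ACE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+ipv4\s+(any|host\s+\S+)\s+(any|host\s+\S+)(\s+capture)?\s*$"
)

def parse_acl(text):
    """Return a list of (seq, action, src, dst, capture) tuples, sorted by sequence."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line)
        if m:
            seq, action, src, dst, cap = m.groups()
            entries.append((int(seq), action, " ".join(src.split()), " ".join(dst.split()), bool(cap)))
    return sorted(entries)

def lint_span_acl(text):
    """Return a list of findings; an empty list means the ACL passes all three checks."""
    entries = parse_acl(text)
    findings = []
    captured = {(src, dst) for _, action, src, dst, cap in entries if cap and action == "permit"}
    if not captured:
        findings.append("no permit entry carries the capture keyword; nothing will be mirrored")
    for src, dst in sorted(captured):
        if (dst, src) not in captured:
            findings.append(f"capture {src} -> {dst} has no reverse entry; return traffic is not captured")
    if not entries or entries[-1][1:4] != ("permit", "any", "any"):
        findings.append("last entry is not 'permit ipv4 any any'; unmatched traffic hits the implicit deny")
    return findings

# Constructed samples: GOOD is the ACL from this page, BAD omits two of its lines.
GOOD = """ipv4 access-list SPAN_ACL
 10 permit ipv4 host 10.1.2.3 host 10.1.2.4 capture
 20 permit ipv4 host 10.1.2.4 host 10.1.2.3 capture
 30 permit ipv4 any any
"""
BAD = """ipv4 access-list SPAN_ACL
 10 permit ipv4 host 10.1.2.3 host 10.1.2.4 capture
"""

if __name__ == "__main__":
    for name, acl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_span_acl(acl) or "ok")
```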

Install ACL on Interface

  • Place the ACL on the interface where traffic will be captured
  • Apply the ACL in each direction you want to capture

interface TenGigE1/0/0/1
 ipv4 access-group SPAN_ACL ingress
 ipv4 access-group SPAN_ACL egress

Place ACL based SPAN on the interface traffic will be captured on

interface TenGigE1/0/0/1
 monitor-session SESSION_1 ethernet
  acl

Specify the interface to receive SPAN traffic

monitor-session SESSION_1 ethernet
 destination interface TenGigE1/0/2/2

Verification

SPAN Is Operational

RP/1/RSP0/CPU0:ASR9001-A# show monitor-session SESSION_1 status           
Monitor-session SESSION_1
Destination interface TenGigE1/0/1/1
================================================================================
Source Interface      Dir   Status
--------------------- ----  ----------------------------------------------------
Te1/0/0/1             Both  Operational

Sending Traffic

RP/1/RSP0/CPU0:ASR9001-A# ping 10.1.2.4 count 100 timeout 1        
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.2.4, timeout is 1 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/2 ms

Counters Increment

RP/1/RSP0/CPU0:ASR9001-A# show monitor-session SESSION_1 counters
Monitor-session SESSION_1
  TenGigE1/0/0/1
    Rx replicated: 100 packets, 11800 octets
    Tx replicated: 100 packets, 11800 octets
    Non-replicated: 0 packets, 0 octets

Destination Interface sees output

RP/1/RSP0/CPU0:ASR9000# show interfaces tenGigE 1/0/2/2 | i output
     211 packets output, 23939 bytes, 0 total output drops

Linecard ACL increments

RP/1/RSP0/CPU0:ASR9001-A# show access-lists SPAN_ACL hardware ingress location 1/0/CPU0
ipv4 access-list SPAN_ACL
 10 permit ipv4 host 10.1.2.3 host 10.1.2.4 capture
 20 permit ipv4 host 10.1.2.4 host 10.1.2.3 capture (200 hw matches)
 30 permit ipv4 any any
RP/1/RSP0/CPU0:ASR9001-A# show access-lists SPAN_ACL hardware egress location 1/0/CPU0
ipv4 access-list SPAN_ACL
 10 permit ipv4 host 10.1.2.3 host 10.1.2.4 capture (200 hw matches)
 20 permit ipv4 host 10.1.2.4 host 10.1.2.3 capture
 30 permit ipv4 any any
