Access Control List (ACL) capture provides you the ability to selectively capture traffic on an interface or virtual local area network (VLAN) When you enable the capture option for an ACL rule, packets that match this rule are either forwarded or dropped based on the specified permit or deny action and can also be copied to an alternate destination port for further analysis. An ACL rule with the capture option can be applied:
- In a VLAN,
- In the ingress direction on all interfaces,
- In the egress direction on all Layer 3 interfaces.
This feature is supported from Nexus 7000 NX-OS Release 5.2 and later. This document provides an example as a quick reference guide on how to configure this feature.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
- Nexus 7000 with Release 5.2.x and later.
- M1 series line card.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for information on document conventions.
ACL Configuration Example
Here is an example configuration of ACL capture applied to a VLAN, also known as virtual LAN Access Control List (VACL) capture. Ten gigabit snifers designated may not be feasible for all scenerios. Selective traffic capture can be very useful in such scenerios especially during troubleshooting when traffic volumes are high.
!! Global command required to enable ACL-capture feature (on default VDC)
hardware access-list capture
monitor session 1 type acl-capture
destination interface ethernet 2/1
ip access-list TEST_ACL
10 permit ip 18.104.22.168/27 any capture session 1
20 permit ip 22.214.171.124/24 any capture session 1
30 permit ip 126.96.36.199/16 any capture session 1
40 permit ip any any
!! Note: Capture session ID matches with the monitor session ID
vlan access-map VACL_TEST 10
match ip address TEST_ACL
vlan filter VACL_TEST vlan-list 500
You can also check the ternary content addressable memory (TCAM) programming of the access list. This output is for the VLAN 500 for Module 1.
N7k2-VPC1# show system internal access-list vlan 500 input statistics
Tcam 1 resource usage:
Label_b = 0x802
Netflow profile: 0
Netflow deny profile: 0
[Index] Entry [Stats]
[0006:0005:0005] permit ip 188.8.131.52/27 0.0.0.0/0 capture 
[0009:0008:0008] permit ip 184.108.40.206/24 0.0.0.0/0 capture 
[000b:000a:000a] permit ip 220.127.116.11/16 0.0.0.0/0 capture 
[000c:000b:000b] permit ip 0.0.0.0/0 0.0.0.0/0 
[000d:000c:000c] deny ip 0.0.0.0/0 0.0.0.0/0 
- Only one ACL capture session can be active at any given time in the system across virtual device contexts (VDCs).
- Nexus 7000 F1 Series modules do not support ACL capture.
- Nexus 7000 F2 Series modules do not currently support ACL capture, but this might be in the roadmap.
- ACL capture on Nexus 7000 M2-Series modules is supported with Cisco NX-OS Release 6.1(1) and later.
- ACL capture on Nexus 7000 M1-Series modules is supported with Cisco NX-OS Release 5.2(1) and later.
- ACL capture is not compatible with ACL logging. Therefore, if you have ACLs with a log keyword, these do not work after you have globally entered hardware access-list capture.
- Because of bug CSCug20139, the example in this document is documented with a capture session per ACE instead of per ACL, until the bug is resolved.