Nexus 7000 ACL Capture/ VACL Support & Limitations FAQ

Introduction

This document describes the Access Control List (ACL) capture feature, which is used in order to selectively monitor traffic on an interface or VLAN. When you enable the capture option for an ACL rule, packets that match this rule are either forwarded or dropped based on the specified action and might also be copied to an alternate destination port for further analysis.

Q. What is the use case of ACL capture?

A. This feature is analogous to the VLAN Access Control List (VACL) capture feature supported on Catalyst 6000 Series Switch platforms. You can configure an ACL capture in order to selectively monitor traffic on an interface or VLAN. When you enable the capture option for an ACL rule, packets that match this rule are either forwarded or dropped based on the specified permit or deny action and might also be copied to an alternate destination port for further analysis.

Q. How many ACL capture sessions can be configured on a Nexus 7000 switch?

A. Only one ACL capture session can be active at any given time in the system across Virtual Device Contexts (VDCs). The ACL Ternary Content Addressable Memory (TCAM) can have as many Application Control Engines (ACEs) in the VACL as can fit.

Q. Do M1 modules support ACL capture?

A. Yes. ACL capture on M1 modules is supported in Cisco NX-OS Release 5.2(1) and later.

Q. Do M2 modules support ACL capture?

A. Yes. ACL capture on M2 modules is supported in Cisco NX-OS Release 6.1(1) and later.

Q. Do F1 modules support ACL capture?

A. F1-Series modules do not support ACL capture.

Q. Do F2 modules support ACL capture?

A. F2-Series modules do not support ACL capture as of now, but this may be in the roadmap. Consult the Business Unit (BU) to confirm.

Q. On which interfaces and directions can an ACL capture be applied?

A. An ACL rule with the capture option can be applied:

• On a VLAN
• In the ingress direction on all interfaces
• In the egress direction on all Layer 3 interfaces

Q. Are there any notable limitations with the ACL capture feature?

A. Yes. Some limitations with the ACL capture feature are:

• An ACL capture is a hardware-assisted feature and is not supported for the management interface or for control packets that originate in the supervisor. It is also not supported for software ACLs such as SNMP community ACLs and vty ACLs.
• Port channels and supervisor in-band ports are not supported as a destination for ACL capture.
• ACL capture session destination interfaces do not support ingress forwarding and ingress MAC learning. If a destination interface is configured with these options, the monitor keeps the ACL capture session down. Use the show monitor session all command to determine if ingress forwarding and MAC learning are enabled.
• The source port of the packet and the ACL capture destination port cannot be part of the same packet replication ASIC. If both ports belong to the same ASIC, the packet is not captured. The show monitor session command lists all the ports that are attached to the same ASIC as the ACL capture destination port.
• If you configure an ACL capture monitor session before you enter the hardware access-list capture command, you must shut down the monitor session and bring it back up in order to start the session.
• When ACL capture is enabled, the ability to log ACL for all VDCs and use the rate limiter is disabled.

Q. Can you perform an ACL capture and have certain traffic go out destination interface X, certain traffic go out destination interface Y, and other traffic go out destination interface Z?

A. No. The destination can only be one interface configured with the hardware access-list capture command.

Q. Can you have the ACL capture applied to more than a single source VLAN?

A. Yes. Multiple VLANs can be specified in a VLAN-list. For example:

       vlan access-map acl-vlan-first
          match ip address acl-ipv4-first
          match mac address acl-mac-first
          action forward
          statistics per-entry
          vlan filter acl-vlan-first vlan-list 1,2,3

  

Q. How many active L2 VACLs can be configured on a Nexus 7010?

A.  The maximum number of supported IP ACL entries is 64,000 for devices without an XL line card and 128,000 for devices with an XL line card.

Q. How does VACL capture work for routed traffic?

A. VACL capture occurs after a rewrite, so frames ingressing VLAN X and egressing VLAN Y is captured in VLAN Y.

Q. Does a mixture of M1 and M2 cards in the chassis impact the use of VACLs?

A. A mix of M1 and M2 cards in the chassis should not have any impact on the use of VACLs.

Q. What are some sample configurations for the ACL capture feature on Nexus 7000?

A. ACL-capture guidelines can be viewed in the Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x.

This example shows how to enable an ACL capture in the default VDC and configure a destination for ACL capture packets:

hardware access-list capture
     monitor session 1 type acl-capture
     destination interface ethernet 2/1
     no shut
     exit
     show ip access-lists capture session 1

This example shows how to enable a capture session for an ACL's ACEs, and then apply the ACL to an interface:

ip access-list acl1
       permit tcp any any capture session 1
       exit
       interface ethernet 1/11
       ip access-group acl1 in
       no shut
       show running-config aclmgr

This example shows how to apply an ACL with capture session ACEs to a VLAN:

vlan access-map acl-vlan-first
       match ip address acl-ipv4-first
       match mac address acl-mac-first
       action foward
       statistics per-entry
       vlan filter acl-vlan-first vlan-list 1
       show running-config vlan 1

This example shows how to enable a capture session for the whole ACL and then apply the ACL to an interface:

ip access-list acl2
       capture session 2
       exit
       interface ethernet 7/1
       ip access-group acl1 in
       no shut
       show running-config aclmg

Related Information

• Technical Support & Documentation - Cisco Systems