Unlimited Capture on Switches

1. Define the interesting traffic you want to capture.

   IOS(config)#ip access-list extended Capture_HTTPandUDP
   IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
   IOS(config-ext-nacl)#permit udp any any

2. Define a permit ACL that will allow all other traffic to flow in/out of the VLAN.

   IOS(config)#ip access-list extended Allow_ALL_TRAFFIC
   IOS(config-ext-nacl)#permit ip any any

3. Define the VLAN access map, in this case it is called Capture_MAP.

   IOS(config)#vlan access-map Capture_MAP 10
   IOS(config-access-map)#match ip address Capture_HTTPandUDP
   IOS(config-access-map)#action forward capture
   IOS(config)#vlan access-map Capture_MAP 20
   IOS(config-access-map)#match ip address Allow_ALL_TRAFFIC
   IOS(config-access-map)#action forward

4. Apply the VLAN access map to the appropriate VLANs, in this case VLAN 100.

   IOS(config)#vlan filter Capture_MAP vlan-list 100

5. Configure the capture port. This is where captured traffic will be sent.

   IOS(config)#int gig2/1
   IOS(config-if)#switchport capture allowed vlan ?
     WORD    VLAN IDs of the allowed VLANs
     add     add VLANs to the current list
     all     all VLANs
     except  all VLANs except the following
     remove  remove VLANs from the current list
   IOS(config-if)#switchport capture allowed vlan 100
   IOS(config-if)#switchport capture   !This enables the feature.
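
An added example (not part of the original page): a small Python model of how Capture_MAP from steps 1 to 4 classifies packets, useful for checking which flows will reach the capture port before the filter is applied to VLAN 100. The sample packets are constructed, and the model assumes that the lowest matching sequence wins and that IP traffic matching no sequence is dropped.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")

# ACL entries from steps 1 and 2: (protocol, (src, wildcard), (dst, wildcard), dst port)
ACLS = {
    "Capture_HTTPandUDP": [
        ("tcp", ("10.10.10.128", "0.0.0.127"), ("20.10.10.1", "0.0.0.0"), 80),
        ("udp", ANY, ANY, None),
    ],
    "Allow_ALL_TRAFFIC": [("ip", ANY, ANY, None)],
}

# VLAN access map from step 3: (sequence, matched ACL, action)
CAPTURE_MAP = [(10, "Capture_HTTPandUDP", "forward capture"),
               (20, "Allow_ALL_TRAFFIC", "forward")]

def acl_permits(acl, proto, src, dst, dport):
    for a_proto, a_src, a_dst, a_port in ACLS[acl]:
        if (a_proto in ("ip", proto)
                and wildcard_match(src, *a_src)
                and wildcard_match(dst, *a_dst)
                and a_port in (None, dport)):
            return True
    return False

def vacl_action(proto, src, dst, dport=None, access_map=CAPTURE_MAP):
    """Assumed model: lowest matching sequence wins, unmatched IP traffic is dropped."""
    for _seq, acl, action in sorted(access_map):
        if acl_permits(acl, proto, src, dst, dport):
            return action
    return "drop"

# Constructed sample packets: (protocol, source, destination, destination port)
SAMPLES = [
    ("tcp", "10.10.10.200", "20.10.10.1", 80),   # inside 10.10.10.128-255
    ("tcp", "10.10.10.127", "20.10.10.1", 80),   # just below the wildcard range
    ("tcp", "10.10.10.200", "20.10.10.1", 443),  # right hosts, wrong port
    ("udp", "192.168.1.5", "192.168.1.9", 53),   # any UDP in the VLAN
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", vacl_action(*pkt))
    # Without sequence 20 (step 2), non-captured traffic would be dropped.
    print("seq 10 only:", vacl_action(*SAMPLES[2], access_map=CAPTURE_MAP[:1]))
```

The fourth sample shows that `permit udp any any` sends every UDP packet in the VLAN to the capture port, so size the capture interface and the attached analyzer accordingly.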