I needed to limit traffic on an Ethernet connection coming from another agency so I only saw the IP addresses I wanted. I put an inbound ACL on the interface on my 3750. Now I want to verify the ACL effectiveness, so I spanned traffic from that port to another to feed to my Wireshark for analysis. I do not see the unwanted traffic, but I wasn't certain if the was the ACL's work or there just wasn't any traffic.
So here's the question: does the span take place before or after the ACL enforcement? I've been looking for a diagram that shows the flow thru the 3750 (e.g. first ACL then NAT the Span then...) but I haven't ben able to find one. Any ideas?