01-28-2010 06:47 AM - edited 03-06-2019 09:29 AM
I needed to limit traffic on an Ethernet connection coming from another agency so I only saw the IP addresses I wanted. I put an inbound ACL on the interface on my 3750. Now I want to verify the ACL effectiveness, so I spanned traffic from that port to another to feed to my Wireshark for analysis. I do not see the unwanted traffic, but I wasn't certain if this was the ACL's work or there just wasn't any traffic.
So here's the question: does the SPAN take place before or after the ACL enforcement? I've been looking for a diagram that shows the flow thru the 3750 (e.g. first ACL, then NAT, then SPAN, then...) but I haven't been able to find one. Any ideas?
01-28-2010 06:57 AM
rhague wrote:
I needed to limit traffic on an Ethernet connection coming from another agency so I only saw the IP addresses I wanted. I put an inbound ACL on the interface on my 3750. Now I want to verify the ACL effectiveness, so I spanned traffic from that port to another to feed to my Wireshark for analysis. I do not see the unwanted traffic, but I wasn't certain if this was the ACL's work or there just wasn't any traffic.
So here's the question: does the SPAN take place before or after the ACL enforcement? I've been looking for a diagram that shows the flow thru the 3750 (e.g. first ACL, then NAT, then SPAN, then...) but I haven't been able to find one. Any ideas?
SPAN on ingress (rx) will send copies of all packets to the SPAN destination port even if that packet is subsequently dropped by an interface ACL.
SPAN on egress (tx) will process the ACL on the packet and, if it is allowed, will then send a copy to the SPAN destination port.
See this link for more details -
Jon
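An added example, not part of the original thread: because an rx SPAN copy is made even for packets the interface ACL then drops, the source addresses seen in the capture can be checked offline against the ACL to see which packets it would drop. The ACL text, addresses and function names are constructed for illustration, and only standard ACL entries (host, address plus wildcard, any) are handled.

```python
import ipaddress

# Constructed sample: a standard IOS ACL and source addresses seen in an rx SPAN capture.
SAMPLE_ACL = """\
access-list 10 permit host 192.0.2.10
access-list 10 permit 198.51.100.0 0.0.0.255
access-list 10 deny any
"""
SAMPLE_SOURCES = ["192.0.2.10", "198.51.100.77", "203.0.113.5", "192.0.2.11"]


def parse_standard_acl(text):
    """Return [(action, address_int, wildcard_int)] for standard ACL entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, spec = tok[2], tok[3:]
        if action not in ("permit", "deny"):
            continue  # skips remark lines and anything unrecognised
        if spec[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif spec[0] == "host":
            addr, wild = spec[1], "0.0.0.0"
        else:
            addr, wild = spec[0], (spec[1] if len(spec) > 1 else "0.0.0.0")
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries


def acl_verdict(entries, src):
    """First match wins; wildcard bits set to 1 are ignored. No match = implicit deny."""
    ip = int(ipaddress.IPv4Address(src))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF  # bits that must match
        if (ip & care) == (net & care):
            return action
    return "deny"


def classify_capture(acl_text, sources):
    """Map each captured source address to the verdict the inbound ACL gives it."""
    entries = parse_standard_acl(acl_text)
    return {src: acl_verdict(entries, src) for src in sources}


if __name__ == "__main__":
    for src, verdict in classify_capture(SAMPLE_ACL, SAMPLE_SOURCES).items():
        print(f"{src:15} {verdict}")
```

If every source in an rx capture classifies as permit, the capture contained no traffic for the ACL to drop during that window.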
01-28-2010 07:47 AM
Answered my question completely. Thank you for your assistance.
-Ray
01-28-2010 07:50 AM
No problem, glad to have helped.
Jon