
Packet capture and ACL order.

PeterFranca
Level 1

Hi all, 

I was wondering if anyone here would know whether the packet capture occurs prior to or after an ACL being applied?
I'm wondering this because I'm working with an ACL to block all external DNS queries and using the packet capture to see if the traffic is being rejected or not. When I log the DNS rule entry I can see the traffic being rejected, but when I look at the packet capture from the router I can still see the DNS queries from outside.

If anyone here knows, is it possible to point me to where in the documentation this is mentioned?

Below is my ACL and which interface and direction it's being applied. 

interface GigabitEthernet0/0/0.1001
 description external internet
 encapsulation dot1Q 1001
 ip address XX.XX.XX.XX XX.XX.XX.XX
 ip nat outside
 ip access-group WAN_IN in
==============================================
ip access-list extended WAN_IN
 remark --- PERMIT_BUSINESS_TRAFFIC
 permit tcp any any established
 remark --- PERMIT_VOCUS_PUBLIC_IP
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 remark --- PERMIT_IINET_PUBLIC_IP
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 remark --- PERMIT_DNS_QUERIES
 permit udp any eq domain any gt 1023
 remark --- PERMIT_AWS_VPN_TUN1
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 remark --- PERMIT_AWS_VPN_TUN2
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 remark --- DENY_ALL
 deny   ip any any log

Cheers all. 


3 Replies

omz
VIP Alumni

Hi

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_44_se/configuration/guide/scg/swspan.html#wp1204187

Receive (Rx) SPAN

Features that can cause a packet to be dropped during receive processing have no effect on ingress SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), ingress QoS policing, VLAN ACLs, and egress QoS policing.

Transmit (Tx) SPAN

Features that can cause a packet to be dropped during transmit processing also affect the duplicated copy for SPAN. These features include IP standard and extended output ACLs and egress QoS policing.

Hope this helps
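To make the ordering described in the quoted SPAN text concrete against the WAN_IN ACL from the original post, here is a small Python model added by the editor (not code from this thread, from Cisco, or from the quoted guide). It takes the capture copy of every incoming packet first and only then evaluates the ACL, so the capture shows the external DNS queries while the ACL log shows them being denied. The XX.XX.XX.XX entries are replaced with constructed documentation addresses, the per-provider host entries are collapsed into one representative ACE, and the sample traffic is constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False     # TCP ACK bit; "established" matches ACK (or RST) set


@dataclass(frozen=True)
class ACE:
    action: str                      # "permit" or "deny"
    remark: str                      # the remark line preceding the ACE in the post
    match: Callable[[Packet], bool]
    log: bool = False                # the 'log' keyword on the ACE


# Constructed placeholder addresses for the XX.XX.XX.XX entries in the post.
ROUTER_WAN = "203.0.113.10"   # TEST-NET-3
PEER_PUBLIC = "198.51.100.1"  # TEST-NET-2, stands in for the Vocus/iiNet/AWS hosts

# Simplified model of the WAN_IN ACL (one representative host ACE).
WAN_IN: List[ACE] = [
    # permit tcp any any established
    ACE("permit", "PERMIT_BUSINESS_TRAFFIC", lambda p: p.proto == "tcp" and p.ack),
    # permit ip host <peer> host <router>
    ACE("permit", "PERMIT_PEER_PUBLIC_IP",
        lambda p: p.src == PEER_PUBLIC and p.dst == ROUTER_WAN),
    # permit udp any eq domain any gt 1023: DNS *responses* (src port 53) back to
    # an ephemeral port; an inbound query to port 53 does not match this ACE.
    ACE("permit", "PERMIT_DNS_QUERIES",
        lambda p: p.proto == "udp" and p.sport == 53 and p.dport > 1023),
    # deny ip any any log
    ACE("deny", "DENY_ALL", lambda p: True, log=True),
]


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation, as IOS does; implicit deny if nothing matches."""
    for ace in acl:
        if ace.match(pkt):
            return ace.action, ace.remark
    return "deny", "IMPLICIT_DENY"


def ingress(acl: List[ACE], packets: List[Packet]):
    """Model of the ingress path: the capture copy is taken before the ACL
    runs (ingress ACLs have no effect on the Rx copy), then the ACL decides."""
    capture, acl_log, forwarded = [], [], []
    for pkt in packets:
        capture.append(pkt)                      # copy taken regardless of ACL outcome
        action, remark = evaluate(acl, pkt)
        matched = next(a for a in acl if a.match(pkt))
        if matched.log:
            acl_log.append((action, remark, pkt))  # what 'deny ip any any log' reports
        if action == "permit":
            forwarded.append(pkt)
    return capture, acl_log, forwarded


# Constructed sample traffic arriving on the WAN sub-interface.
SAMPLE: List[Packet] = [
    Packet("udp", "192.0.2.77", ROUTER_WAN, 40000, 53),            # external DNS query
    Packet("udp", "198.51.100.53", ROUTER_WAN, 53, 51234),         # DNS response to us
    Packet("tcp", "192.0.2.77", ROUTER_WAN, 443, 52000, ack=True), # return HTTPS traffic
    Packet("tcp", "192.0.2.77", ROUTER_WAN, 52001, 22),            # inbound SYN to SSH
]


def summarize(packets: List[Packet] = SAMPLE) -> Dict[str, int]:
    capture, acl_log, forwarded = ingress(WAN_IN, packets)
    return {"captured": len(capture), "logged_denies": len(acl_log),
            "forwarded": len(forwarded)}


if __name__ == "__main__":
    capture, acl_log, forwarded = ingress(WAN_IN, SAMPLE)
    print("capture sees   :", len(capture), "packets (including the denied ones)")
    for action, remark, pkt in acl_log:
        print(f"ACL log        : {action} by {remark}: {pkt.proto} "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print("forwarded      :", len(forwarded), "packets")
```

Reading the output the way the original poster read the router: all four packets appear in the capture, but the external DNS query and the inbound SYN are the only ones in the ACL log, and neither is forwarded. That is the same picture the poster saw (queries visible in the capture, denies visible in the log) and is consistent with the quoted Rx SPAN behaviour; it also shows why the PERMIT_DNS_QUERIES ACE lets DNS responses in without opening inbound port 53.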

Thanks for the link @omz, it makes sense now that I was seeing all the traffic getting into my WAN interface even though it was being dropped.
I guess the same method applies to the router, right? The link explains the SPAN for switches well.
Do you reckon that the same pipeline applies to routers, in that a copy of the incoming packet will be captured before the ACL is applied?

Cheers,
PeterF

Glad to help @PeterFranca

Yes I believe this applies to switches and routers.