Nx9k SPAN documentation states an ambiguous limitation for ACL

GediCoder08111
Level 1

Hi all,

I'm trying to configure an ACL to filter (permit) specific subnets to be replicated and drop the others. However, the following limitation seems to make an ACL useless, unless I misunderstand what they are trying to say. From the "Guidelines and Limitations for SPAN" section the following is stated:

"Traffic that is denied by an ACL may still reach the SPAN destination port because SPAN replication is performed on the ingress side prior to the ACL enforcement (ACL dropping traffic)"

So if denied traffic can still reach the destination interface, what is the point of using an ACL in the first place? The idea is to limit the traffic that is replicated to the probing system.
Please help me understand what I'm missing.

I guess I could use a separate ACL on the destination interface to drop those unwanted subnets, and I may not need the ACL on the SPAN session at all.

The second issue is that I can define several sources in the same monitoring session but can only define a single filter (which could be an access-group containing several ACLs, or VLAN filters). But the documentation states the following: "Cisco Nexus 9300 platform switches support multiple ACL filters on the same source." What is "same source" in this context? If I defined two sources, one being a range of VLANs and one being a physical interface, which of the sources does the filter apply to? Or does it consider all sources of a single monitoring session as being a single source?
Does the Nexus apply all the ACLs in the access-group to all ingress traffic on the sources I defined?
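For readers who want to see what the configuration the question refers to looks like, here is an added example of a Nexus 9000 SPAN session with an ACL filter. It is not part of the original post and not Cisco's own documentation; the interface numbers, the VLAN range, the 10.1.0.0/16 subnet and the ACL name SPAN_FILTER are placeholders. The comment on the filter line restates the documented caveat quoted in the post: because replication happens on ingress before ACL enforcement, packets that a port ACL would drop can still be copied, so the session filter should be verified against the capture rather than assumed to be a hard boundary.

```nxos
! ACL that defines which traffic the session should replicate (placeholder subnet)
ip access-list SPAN_FILTER
  10 permit ip 10.1.0.0/16 any
  20 permit ip any 10.1.0.0/16
  30 deny ip any any

! Destination port facing the probe must be placed in monitor mode
interface ethernet 1/48
  switchport
  switchport monitor
  no shutdown

! One session, several sources, a single filter access-group
monitor session 1
  description replicate-10.1.0.0/16-to-probe
  source interface ethernet 1/1 both
  source vlan 100-110 rx
  destination interface ethernet 1/48
  ! Caveat from the SPAN guidelines quoted above: replication happens on ingress
  ! before port-ACL enforcement, so traffic a port ACL denies may still be copied.
  ! Confirm the filter's effect by inspecting what actually arrives at the probe.
  filter access-group SPAN_FILTER
  no shut

! Verify the session state and the attached filter
! show monitor session 1
```

Check the session with `show monitor session 1` and compare the packets seen on the probe against the ACL: if traffic outside 10.1.0.0/16 appears, the replication-before-ACL behaviour described in the guidelines is what is being observed, and the filtering then has to be done on the capture side.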
