Re: Span before or after ACL enforcment

rhague · ‎01-28-2010

I needed to limit traffic on an Ethernet connection coming from another agency so I only saw the IP addresses I wanted. I put an inbound ACL on the interface on my 3750. Now I want to verify the ACL effectiveness, so I spanned traffic from that port to another to feed to my Wireshark for analysis. I do not see the unwanted traffic, but I wasn't certain if the was the ACL's work or there just wasn't any traffic.

So here's the question: does the span take place before or after the ACL enforcement? I've been looking for a diagram that shows the flow thru the 3750 (e.g. first ACL then NAT the Span then...) but I haven't ben able to find one. Any ideas?

Jon Marshall · ‎01-28-2010

rhague wrote:

I needed to limit traffic on an Ethernet connection coming from another agency so I only saw the IP addresses I wanted. I put an inbound ACL on the interface on my 3750. Now I want to verify the ACL effectiveness, so I spanned traffic from that port to another to feed to my Wireshark for analysis. I do not see the unwanted traffic, but I wasn't certain if the was the ACL's work or there just wasn't any traffic.

So here's the question: does the span take place before or after the ACL enforcement? I've been looking for a diagram that shows the flow thru the 3750 (e.g. first ACL then NAT the Span then...) but I haven't ben able to find one. Any ideas?

Span on ingress (rx) will send copies of all packets to the span destination port even if that packet is subsequently dropped by an interface acl.

Span on egress (tx) will process the acl on the packet and if it is allowed will then send a copy to the SPAN destination port.

See this link for more details -

3750 SPAN traffic

Jon

rhague · ‎01-28-2010

Answered my question completely. Thank you for your assistance.

-Ray

Jon Marshall · ‎01-28-2010

No problem, glad to have helped.

Jon