Thursday, September 24, 2015

Embedded packet capture and interface ACLs and Zone Based Firewall

Cisco IOS Embedded packet capture is a great tool for trouble shooting. Very similar to the ASA capture command.

It could be better, as it won't parse the packets as good as tpcdump, but it is way better than nothing.

However I couldn't figure out what the order of operation, with regards to ACLs and ZBF.

So I labbed it up, with IOU 15.4, and here are the results:

  • For incoming ACL, packets are captured before ACL is evaluated
  • For incoming ZBF policy, packets are captured before the policy is checked.

So it looks like the embedded packet capture is placed at the right place, right before incoming ACL/ZBF check. However more testing needed to be done: NAT, outgoing ACL/ZBF, IPS drops,  encryption, sanity checks

I wish Cisco would have published an official and full "order of operation". Here is the best I have found so far.