This article applies to:
Question:
- What should I do if my switch mirrors both incoming and outgoing packets?
- How to set the R3000 to not filter incoming traffic.
Information:
In an ideal setup, the R3000's listening interface should only see outgoing traffic, as you only want the R3000 to filter outgoing requests. Filtering incoming requests is not what the R3000 is designed for and needs to be avoided. That is why you should only set the port span session to mirror outgoing web traffic to the R3000's listening interface. Usually this is the "egress" option in most switches. This setting will generate less noise on the NIC and will make the R3000 operate more efficiently.
If your switch does not give you the option to distinguish egress and ingress, then you must define the "Range to Detect" on the R3000, else the R3000 will filter incoming packets. This setting is in Group tab > Global Group > Range to Detect. The general idea is you define the "source include" as the subnets you will filter (i.e. internal networks, workstations, etc). The "source exclude" would be any subnets or workstations that you do not want filtered, like email servers, SNMP servers, etc.
So even though the R3000 can still "see" incoming packets on its listening interface, it will not handle/filter them since the source IP of incoming packets will not be defined within "Source Include" of the Range to Detect. The fact that the listening interface will see bidirectional traffic will obviously bring more noise to that NIC, but it might not be too much cause for concern depending on the size of your network.
