FiLeinster Thu, 10/16/2008 - 12:13

Could it be packets with a spoofed source address, or do you have redundant or load-balanced links? What type of traffic is it? Unicast, multicast, UDP, TCP? Can you describe the network in more detail?

frankdegregorio Thu, 10/16/2008 - 12:23

This particular network is simply a 3825 with a FR interworking link out as its WAN port, and a g0/1 facing a LAN. On that LAN is (among other things) IP address range x.y.142.0/23. In the inbound ACL I have a line "permit ip x.y.142.0 any" (among others). Now when I look at my log... I see a deny statement from that ACL from IP address x.y.200.18 which is across the WAN out the FR interworking network. It never matches anything so it falls through a "deny ip any any log" at the end. Thanks.

FiLeinster Thu, 10/16/2008 - 12:27

I take it that's the source address?

Has a device been moved to this site recently from another site within that network address and the IP address hasn't been changed? Can you find out the MAC address of where it's coming from?

frankdegregorio Thu, 10/16/2008 - 12:34

That was my thought at first also. I confirmed however that the device is in fact across the WAN by going to the other end of the link and tracing it. I trace from this router in question also and it confirms that it goes out the WAN and the last hop is the other end of the WAN. I can't query the MAC address from either router. "show mac-address-table interface giXYZ" reveals no output on 3825. This is really odd. Thanks for your input.

FiLeinster Thu, 10/16/2008 - 12:38

The only way you can find out the MAC it's coming from is to put a sniffer on the wire as it's on the wrong subnet; what are the chances of that happening?

frankdegregorio Thu, 10/16/2008 - 12:41

I might be able to arrange it. Good suggestion. I'll check.

Thanks again.
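
A sketch of the log triage discussed in this thread, added here as an example and not posted by either participant: it reads ACL deny messages and reports denied sources that lie outside the LAN prefix. The addresses, the ACL name `LAN-IN` and the log lines are constructed stand-ins for the thread's x.y placeholders; the optional interface/MAC field is what IOS adds to the message when the deny entry uses `log-input` instead of `log`.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from the thread); 10.20.x.x stands in for x.y.
SAMPLE_LOG = [
    "Oct 16 12:01:10: %SEC-6-IPACCESSLOGP: list LAN-IN denied udp 10.20.200.18(137) -> 192.0.2.10(137), 3 packets",
    "Oct 16 12:01:40: %SEC-6-IPACCESSLOGP: list LAN-IN denied tcp 10.20.143.7(51522) -> 192.0.2.10(25), 1 packet",
    "Oct 16 12:06:10: %SEC-6-IPACCESSLOGP: list LAN-IN denied udp 10.20.200.18(137) "
    "(GigabitEthernet0/1 0011.2233.4455) -> 192.0.2.10(137), 5 packets",
    "Oct 16 12:07:00: %SEC-6-IPACCESSLOGDP: list LAN-IN denied icmp 10.20.200.18 -> 10.20.142.1 (8/0), 1 packet",
]

# Matches the TCP/UDP form (ports), the ICMP form (type/code) and the
# log-input form, which carries the input interface and source MAC.
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-fA-F.]+)\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?(?: \(\d+/\d+\))?"
    r", (?P<count>\d+) packet"
)

def off_subnet_sources(lines, lan_prefix):
    """Summarise denied sources that are not inside lan_prefix."""
    lan = ipaddress.ip_network(lan_prefix)
    found = defaultdict(lambda: {"packets": 0, "interfaces": set(), "macs": set()})
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ACL deny message
        if ipaddress.ip_address(m["src"]) in lan:
            continue  # local host denied by some other entry; not the anomaly
        entry = found[m["src"]]
        entry["packets"] += int(m["count"])
        if m["mac"]:  # only present when the entry logs with log-input
            entry["interfaces"].add(m["intf"])
            entry["macs"].add(m["mac"].lower())
    return dict(found)

if __name__ == "__main__":
    for src, info in off_subnet_sources(SAMPLE_LOG, "10.20.142.0/23").items():
        macs = ", ".join(sorted(info["macs"])) or "no MAC logged"
        print(f"{src}: {info['packets']} packets denied, seen from {macs}")
```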


