access list anomaly

frankdegregorio
Level 1

I have an inbound ACL on an interface yet see packets being denied as coming from that interface that is not in that direction, it's across a WAN link. Any ideas? Thanks.

6 Replies

FiLeinster
Level 1

Could it be packets with a spoofed source address, or do you have redundant or load-balanced links? What type of traffic is it? Unicast, multicast, UDP, TCP? Can you describe the network in more detail?

This particular network is simply a 3825 with a FR interworking link out as its WAN port, and a g0/1 facing a LAN. On that LAN is (among other things) IP address range x.y.142.0/23. In the inbound ACL I have a line "permit ip x.y.142.0 0.0.1.255 any" (among others). Now when I look at my log... I see a deny statement from that ACL from IP address x.y.200.18 which is across the WAN out the FR interworking network. It never matches anything so it falls through a "deny ip any any log" at the end. Thanks.

I take it that's the source address?

Has a device been moved to this site recently from another site within that network address and the IP address hasn't been changed? Can you find out that MAC address of where it's coming from?

That was my thought at first also. I confirmed however that the device is in fact across the WAN by going to the other end of the link and tracing it. I trace from this router in question also and it confirms that it goes out the WAN and the last hop is the other end of the WAN. I can't query the MAC address from either router. "show mac-address-table interface giXYZ" reveals no output on 3825. This is really odd. Thanks for your input.

The only way you can find out the MAC it's coming from is to put a sniffer on the wire as it's on the wrong subnet; what are the chances of that happening?

I might be able to arrange it. Good suggestion. I'll check.

Thanks again.

Frank
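Added example, not part of the thread: a way to triage the deny log discussed above by listing denied sources that fall outside the LAN prefix the inbound ACL permits. It assumes the final entry is logged with the IOS `log-input` keyword instead of `log`, which adds the ingress interface and source MAC to each line; the addresses, ACL number and MAC are constructed stand-ins for the thread's x.y values.

```python
import ipaddress
import re

# Assumption: stand-in for the LAN range x.y.142.0/23 permitted by the inbound ACL.
LAN_PREFIX = ipaddress.ip_network("10.20.142.0/23")

# Constructed sample lines in the IOS %SEC-6-IPACCESSLOG* style.
# Lines 1 and 3 carry the "(interface MAC)" field that log-input adds;
# line 2 is an in-prefix source denied by some earlier, assumed ACL entry.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 110 denied udp 10.20.200.18(137) (GigabitEthernet0/1 0011.2233.4455) -> 10.20.143.255(137), 3 packets
%SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.142.77(51515) -> 192.0.2.10(25), 1 packet
%SEC-6-IPACCESSLOGDP: list 110 denied icmp 10.20.200.18 (GigabitEthernet0/1 0011.2233.4455) -> 10.20.142.1 (8/0), 1 packet
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?"                      # source, optional port
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"  # log-input field
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def off_prefix_denies(log_text, lan=LAN_PREFIX):
    """Summarise denied sources that lie outside the expected LAN prefix."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if src in lan:
            continue  # expected subnet; not the anomaly being chased
        entry = seen.setdefault(str(src), {"lines": 0, "ingress": set()})
        entry["lines"] += 1
        if m["intf"]:  # present only when the entry was logged with log-input
            entry["ingress"].add((m["intf"], m["mac"]))
    return seen


if __name__ == "__main__":
    for src, info in off_prefix_denies(SAMPLE_LOG).items():
        print(src, info["lines"], sorted(info["ingress"]))
```

A single (interface, MAC) pair for an off-prefix source points at one LAN-side device forwarding or originating that traffic, which is the same answer the sniffer would give.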
