I have an esoft internet gateway appliance that is producing this message:
Feb 25 00:00:21 System martian source 192.168.1.255 from 192.168.1.135, on dev br0
Feb 25 00:00:21 System ll header: 00:01:4e:01:7a:b4:00(Destination - E-soft App):1e:f7:ae:b6:c0:08:00(Source Router at 10.x.x.x)
Our network scheme is 10.x.x.x, with no 192.168.*.* subnets on the local LAN. However, for some reason the router behind this gateway is still forwarding traffic from 192.168.1.* to the gateway. My router has 3 interfaces: 10.x.x.x, 10.x.x.x, and 72.x.x.x. Not sure how traffic is even getting to the router, let alone being forwarded.
From the switch I can identify the devices by their MACs using "show mac address-table", but I cannot determine the source of the traffic from the other side of the router.
How do I track down the source of this traffic?
Apologies, but I gave some misleading info. To log port numbers your ACL must match on port numbers, so can you make your ACL -
access-list 151 permit tcp 192.168.1.0 0.0.0.255 any range 1 65535 log
access-list 151 permit udp 192.168.1.0 0.0.0.255 any range 1 65535 log
access-list 151 permit icmp 192.168.1.0 0.0.0.255 any log
access-list 151 permit ip any any
Then apply this ACL to the interface that connects to your MPLS network.
Note that the router will buffer the logs so you may only see one entry for multiple hits.
So, the only two connections from the 3845 are the Gateway and the MPLS Switch.
We know that the internal network has no 192.168.x.x
What about the MPLS network?
You mentioned the 3845 has no route to 192.168.x.x, but it has a default gateway pointing to the Gateway (because you said that a traceroute to 192.168.x.x goes from the 3845 to the gateway).
Are those messages in the Gateway recent and constant messages?
Because as you describe it, there's no sign of 192.168.x.x inside the Gateway.
Somebody could be spoofing IPs and that's why it shows on the Gateway, but it seems the router does not see that.
You can try the following:
Since the Gateway claims that the 192.168.x.x comes from the 3845, you can do an ACL on the 3845:
ip access-list extended test
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip any any
Apply the ACL to the interface of the 3845 connected to the Gateway, so we'll see if the ACL shows hit counts when this happens again.
This will prove if the path to 192.168.x.x is indeed passing through the 3845.
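Added example, not part of the original thread: a small Python parser for the "martian source" / "ll header" log pair shown in the question. It assumes the appliance emits the Linux kernel's martian log format, in which the first address is the packet's destination, the second its claimed source, and the ll header is the 14-byte Ethernet header (destination MAC, source MAC, EtherType). The sample input is constructed from the question's lines with the poster's inline annotations removed. Note that the source MAC only identifies the last layer-2 device that delivered the frame to the gateway, not the originating host.

```python
import re

# Constructed sample: the log lines from the question with the poster's inline
# annotations removed, so the ll header is the raw 14-byte Ethernet header.
SAMPLE_LOG = """\
Feb 25 00:00:21 System martian source 192.168.1.255 from 192.168.1.135, on dev br0
Feb 25 00:00:21 System ll header: 00:01:4e:01:7a:b4:00:1e:f7:ae:b6:c0:08:00
"""

MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+(?:\.\d+){3}) from (?P<src>\d+(?:\.\d+){3}), on dev (?P<dev>\S+)")
LL_RE = re.compile(r"ll header: (?P<hdr>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+)")


def parse_martians(text):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = m.groupdict()
            events.append(pending)
            continue
        h = LL_RE.search(line)
        if h and pending is not None:
            octets = h.group("hdr").lower().split(":")
            if len(octets) == 14:  # Ethernet II: dst MAC, src MAC, EtherType
                pending["dst_mac"] = ":".join(octets[0:6])
                pending["src_mac"] = ":".join(octets[6:12])
                pending["ethertype"] = "".join(octets[12:14])
            pending = None
    return events


def summarize(events):
    """Count martian packets per (claimed source IP, delivering MAC, interface)."""
    counts = {}
    for e in events:
        key = (e["src"], e.get("src_mac"), e["dev"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (src, mac, dev), n in summarize(parse_martians(SAMPLE_LOG)).items():
        print(f"{n}x src={src} delivered by {mac} on {dev}")
```

Running the summary over a longer log shows whether every martian arrives from the same delivering MAC, which is the device whose ingress interfaces are worth checking next with the logging ACLs above.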