Is it possible that a shunning router will leak normally blocked inbound packets? Possibly when the ACL numbers are changed on the inbound shunning interface? We're seeing a few packets get through that should be blocked by the pre-shun ACL, and were blocked 100% before shunning was enabled. We've confirmed the pre- and post-shun are correctly in the active shunning ACL.
If it can't happen, where should I be looking for the problem?
Considering also applying the pre-shun to the opposite interface outbound as a workaround?