Cisco Support Community
New Member

access list anomaly

I have an inbound ACL on an interface, yet I see packets being denied as coming from that interface that are not in that direction; they're across a WAN link. Any ideas? Thanks.

6 REPLIES
New Member

Re: access list anomaly

Could it be packets with a spoofed source address, or do you have redundant or load-balanced links? What type of traffic is it? Unicast, multicast, UDP, TCP? Can you describe the network in more detail?

New Member

Re: access list anomaly

This particular network is simply a 3825 with a FR interworking link out as its WAN port, and a g0/1 facing a LAN. On that LAN is (among other things) IP address range x.y.142.0/23. In the inbound ACL I have a line "permit ip x.y.142.0 0.0.1.255 any" (among others). Now when I look at my log... I see a deny statement from that ACL from IP address x.y.200.18, which is across the WAN out the FR interworking network. It never matches anything, so it falls through to a "deny ip any any log" at the end. Thanks.
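
The situation in this post (a source that the router itself routes out the WAN showing up in an inbound deny on the LAN-facing ACL) is easy to check mechanically across a whole log. The script below is an added example, not code from the thread or from Cisco: it parses the IOS `%SEC-6-IPACCESSLOG*` syslog lines, looks up each denied source address in a hypothetical routing table, and flags any entry whose source "belongs behind" a different interface than the one the ACL is applied to, which is exactly the spoofed-or-asymmetric-path case raised earlier in the thread. The log lines, the 10.0.0.0/8 addresses standing in for the poster's x.y.* ranges, the ACL number 101, and the interface names are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample syslog lines (not from the original thread). 10.0.142.0/23 stands
# in for the poster's LAN range and 10.0.200.18 for the host across the WAN. The third
# line carries the "(interface mac)" field that IOS adds when the ACL entry ends in
# "log-input" rather than "log"; that field is how the MAC the thread is hunting for
# can be recovered without a sniffer.
SAMPLE_LOG = """\
Mar  1 10:12:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.200.18(51234) -> 10.0.142.10(445), 1 packet
Mar  1 10:12:05.456: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.0.142.77 -> 10.0.200.5 (8/0), 3 packets
Mar  1 10:12:09.789: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.200.18(137) (GigabitEthernet0/1 0011.2233.4455) -> 10.0.143.255(137), 1 packet
Mar  1 10:12:12.000: %SEC-6-IPACCESSLOGNP: list 101 denied 47 10.0.200.18 -> 10.0.142.1, 1 packet
"""

# Hypothetical routing table: prefix -> interface the router would use to reach it.
# In the thread the 200.x host is reachable only over the FR WAN, so its prefix
# points at the WAN subinterface, not at g0/1.
ROUTES = {
    ipaddress.ip_network("10.0.142.0/23"): "GigabitEthernet0/1",
    ipaddress.ip_network("10.0.200.0/24"): "Serial0/0/0.1",
}

# Covers the TCP/UDP (LOGP), ICMP (LOGDP) and other-protocol (LOGNP) message shapes,
# with or without the optional log-input "(interface mac)" field.
ACL_LINE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per IOS ACL log line found in text; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ACL_LINE.search(line)
        if m:
            entry = m.groupdict()
            entry["count"] = int(entry["count"])
            entries.append(entry)
    return entries


def expected_interface(src):
    """Longest-prefix lookup of a source address in ROUTES (None if unrouted)."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifname in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def audit(entries, acl_interface):
    """Compare each logged source with the interface the router would route it out of.

    A packet whose source is reachable only via another interface should never
    legitimately arrive inbound on acl_interface: it is either spoofed or the
    return path is asymmetric. That is the same test strict uRPF performs on-box.
    """
    results = []
    for e in entries:
        via = expected_interface(e["src"])
        if via == acl_interface:
            verdict = "expected source, denied by policy"
        elif via is None:
            verdict = "unrouted source (bogon or spoofed?)"
        else:
            verdict = f"source belongs behind {via}: spoofed or asymmetric path"
        results.append({**e, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in audit(parse_acl_log(SAMPLE_LOG), "GigabitEthernet0/1"):
        where = f" ({r['ifname']} {r['mac']})" if r["mac"] else ""
        print(f"{r['src']:>14}{where} -> {r['dst']:<14} {r['proto']:<5} {r['verdict']}")
```

Two practical notes. Changing the final entry from `deny ip any any log` to `deny ip any any log-input` makes IOS record the ingress interface and source MAC in the same syslog line (the third sample line above), which answers the "which MAC is it coming from" question without putting a sniffer on the wire. And if the goal is to stop such packets rather than just log them, `ip verify unicast source reachable-via rx` on the LAN interface makes the router apply the reverse-path check above itself, dropping inbound packets whose source would be routed out a different interface.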

New Member

Re: access list anomaly

I take it that's the source address?

Has a device been moved to this site recently from another site within that network address and the IP address hasn't been changed? Can you find out the MAC address of where it's coming from?

New Member

Re: access list anomaly

That was my thought at first also. I confirmed however that the device is in fact across the WAN by going to the other end of the link and tracing it. I trace from this router in question also and it confirms that it goes out the WAN and the last hop is the other end of the WAN. I can't query the MAC address from either router. "show mac-address-table interface giXYZ" reveals no output on 3825. This is really odd. Thanks for your input.

New Member

Re: access list anomaly

The only way you can find out the MAC it's coming from is to put a sniffer on the wire, as it's on the wrong subnet; what are the chances of that happening?

New Member

Re: access list anomaly

I might be able to arrange it. Good suggestion. I'll check.

Thanks again.

Frank
