Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member




I just want to know the use of the below access-list rule which is created on my working environment. This network is configured on same device you can find log below.

What is the use of giving below rule like src and dst network are same, That is applied on same subnet interface.

C6509#sh access-lists Vlan152-out | in deny      
    20 deny ip (8303 matches)


C6509#sh run interface tenGigabitEthernet 9/4.152
Building configuration...

Current configuration : 462 bytes
interface TenGigabitEthernet9/4.152
 encapsulation dot1Q 152
 vrf forwarding RDS:MSN:0002
 ip address
 ip access-group Vlan152-out out
 ip helper-address
 ip helper-address
 no ip redirects
 no ip proxy-arp
 standby 156 ip
 standby 156 priority 150
 standby 156 preempt
 standby 156 track 1 decrement 11
 standby 156 track 2 decrement 100


C6509#sh version
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)SY2, RELEASE SOFTWARE (fc3)

ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)SY2, RELEASE SOFTWARE (fc3)

 88-6nx-int-1a uptime is 17 weeks, 1 day, 22 hours, 47 minutes

cisco WS-C6509-E (R7000) processor (revision 1.3) with 458720K/65536K bytes of memory.
Processor board ID SMG1112N52M
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
2 Virtual Ethernet interfaces
50 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.



Neelesh. M


Everyone's tags (2)
Hall of Fame Super Silver

Neelesh. M The

Neelesh. M


The straightforward answer to your question is that the access list entry denies traffic being forwarded to the subnet whose source address is in that subnet. The fairly obvious explanation is that it would catch spoofed source addresses. But I am surprised to see that there are 8303 matches. Either there is a significant ongoing attempt to spoof the source address or something else is happening. Seeing that this is a 6509 and that HSRP is configured makes me wonder if some packets are sourced from the other HSRP member and forwarded to this switch or something like that.