https://community.cisco.com/t5/network-security/shun-interface/m-p/1075354#M913802 <HTML><HEAD></HEAD><BODY><P>Thanks. I found a static entry that should have been a class C but instead referenced a class B.</P></BODY></HTML> Fri, 29 Aug 2008 11:32:39 GMT rmeans 2008-08-29T11:32:39Z https://community.cisco.com/t5/network-security/shun-interface/m-p/1075352#M913800 <P>When shunning, how is the interface decided?</P><P></P><P>show shun</P><P>shun (outside) 1.1.1.1 0.0.0.0 0 0 0</P><P>shun (inside) 2.2.2.2 0.0.0.0 0 0 0</P><P></P><P>I believe both IP addresses should be shunned on the outside interface.</P> Mon, 11 Mar 2019 13:37:22 GMT https://community.cisco.com/t5/network-security/shun-interface/m-p/1075352#M913800 rmeans 2019-03-11T13:37:22Z https://community.cisco.com/t5/network-security/shun-interface/m-p/1075353#M913801 <HTML><HEAD></HEAD><BODY><P>As per my understanding</P><P></P><P>The decision order is as follows</P><P></P><P>1. Static NAT entry</P><P> All static entries are checked to see if there is an entry with the global IP as the shunned IP. If there is then the actual shunned IP would be the local IP and the interface would be the local interface.</P><P></P><P>2. check the global addresses in the xlate and same process as above</P><P></P><P>3. If there is still no match, then a route lookup to figure out the source interface for this address and apply the shun to the interface returned by the route lookup.</P><P></P><P>Syed Iftekhar Ahmed</P></BODY></HTML> Thu, 28 Aug 2008 20:51:36 GMT https://community.cisco.com/t5/network-security/shun-interface/m-p/1075353#M913801 Syed Iftekhar Ahmed 2008-08-28T20:51:36Z https://community.cisco.com/t5/network-security/shun-interface/m-p/1075354#M913802 <HTML><HEAD></HEAD><BODY><P>Thanks. I found a static entry that should have been a class C but instead referenced a class B.</P></BODY></HTML> Fri, 29 Aug 2008 11:32:39 GMT https://community.cisco.com/t5/network-security/shun-interface/m-p/1075354#M913802 rmeans 2008-08-29T11:32:39Z