I just want to know the use of the access-list rule below, which was created in my working environment. The network 10.206.130.0/23 is configured on the same device; you can find the log below.
What is the use of giving a rule like the one below, where the src and dst networks are the same, applied on the interface of that same subnet?
C6509#sh access-lists Vlan152-out | in deny
    20 deny ip 10.206.130.0 0.0.1.255 10.206.130.0 0.0.1.255 (8303 matches)

C6509#sh run interface tenGigabitEthernet 9/4.152
Building configuration...

Current configuration : 462 bytes
!
interface TenGigabitEthernet9/4.152
 description 10.206.130.0/23:VLAN152
 encapsulation dot1Q 152
 vrf forwarding RDS:MSN:0002
 ip address 10.206.130.2 255.255.254.0
 ip access-group Vlan152-out out
 ip helper-address 10.206.168.4
 ip helper-address 10.20.204.28
 no ip redirects
 no ip proxy-arp
 standby 156 ip 10.206.130.1
 standby 156 priority 150
 standby 156 preempt
 standby 156 track 1 decrement 11
 standby 156 track 2 decrement 100
end

C6509#sh version
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)SY2, RELEASE SOFTWARE (fc3)
ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)SY2, RELEASE SOFTWARE (fc3)
The straightforward answer to your question is that the access list entry denies traffic being forwarded to the subnet whose source address is in that subnet. The fairly obvious explanation is that it would catch spoofed source addresses. But I am surprised to see that there are 8303 matches. Either there is a significant ongoing attempt to spoof the source address or something else is happening. Seeing that this is a 6509 and that HSRP is configured makes me wonder if some packets are sourced from the other HSRP member and forwarded to this switch or something like that.
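To see concretely what the entry in the answer above does, here is an added example (not part of the original post) that evaluates IOS wildcard-mask ACL entries against constructed sample packets leaving the switch toward VLAN152. The second, permit entry and the sample packets are assumptions; only the deny entry comes from the post.

```python
import ipaddress

# Added example (not from the original post): a minimal evaluator for IOS
# wildcard-mask ACL entries, checked against the Vlan152-out deny entry.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under an IOS wildcard mask.
    Wildcard bit 1 = don't care, bit 0 = must match. 0.0.1.255 is the
    inverse of 255.255.254.0, so it covers the whole 10.206.130.0/23."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# (action, src, src_wildcard, dst, dst_wildcard). Entry 0 is the one from the
# post; entry 1 is an assumed permit standing in for the rest of the ACL.
VLAN152_OUT = [
    ("deny",   "10.206.130.0", "0.0.1.255",       "10.206.130.0", "0.0.1.255"),
    ("permit", "0.0.0.0",      "255.255.255.255", "10.206.130.0", "0.0.1.255"),
]

def evaluate_acl(acl, src: str, dst: str):
    """First matching entry wins; returns (action, entry index).
    Index -1 is the implicit deny at the end of every IOS ACL."""
    for idx, (action, sn, sw, dn, dw) in enumerate(acl):
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action, idx
    return "deny", -1

def hit_counts(acl, packets):
    """Per-entry match counters, like '(8303 matches)' in show access-lists."""
    counts = [0] * len(acl)
    implicit = 0
    for src, dst in packets:
        _, idx = evaluate_acl(acl, src, dst)
        if idx < 0:
            implicit += 1
        else:
            counts[idx] += 1
    return counts, implicit

# Constructed sample of packets forwarded out toward VLAN152 (src, dst).
SAMPLE_PACKETS = [
    ("10.206.168.4",   "10.206.130.50"),  # helper (DHCP) server reply: permitted
    ("10.206.132.5",   "10.206.130.5"),   # 10.206.132.x is outside the /23: permitted
    ("10.206.130.77",  "10.206.130.50"),  # source claims to be on VLAN152: denied
    ("10.206.131.200", "10.206.130.9"),   # upper half of the /23, also denied
]
```

A packet whose source already belongs to 10.206.130.0/23 should never need to be routed out onto that same VLAN, which is why the entry catches spoofed sources; the hit counter in the post means the switch is forwarding such packets, so the next step is to capture a sample of them and look at where they are actually arriving from.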