Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
304
Views
0
Helpful
1
Replies

Access-List

Neelesh M
Level 1
Level 1

‎10-25-2014 05:25 PM - edited ‎03-07-2019 09:14 PM

Hi ALL,

 

I just want to know the use of the below access-list rule which is created on my working environment. This network 10.206.130.0/23 is configured on same device you can find log below.

What is the use of giving below rule like src and dst network are same, That is applied on same subnet interface.

C6509#sh access-lists Vlan152-out | in deny      
    20 deny ip 10.206.130.0 0.0.1.255 10.206.130.0 0.0.1.255 (8303 matches)

 

C6509#sh run interface tenGigabitEthernet 9/4.152
Building configuration...

Current configuration : 462 bytes
!
interface TenGigabitEthernet9/4.152
 description 10.206.130.0/23:VLAN152
 encapsulation dot1Q 152
 vrf forwarding RDS:MSN:0002
 ip address 10.206.130.2 255.255.254.0
 ip access-group Vlan152-out out
 ip helper-address 10.206.168.4
 ip helper-address 10.20.204.28
 no ip redirects
 no ip proxy-arp
 standby 156 ip 10.206.130.1
 standby 156 priority 150
 standby 156 preempt
 standby 156 track 1 decrement 11
 standby 156 track 2 decrement 100
end

 

C6509#sh version
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)SY2, RELEASE SOFTWARE (fc3)
 

ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)SY2, RELEASE SOFTWARE (fc3)

 88-6nx-int-1a uptime is 17 weeks, 1 day, 22 hours, 47 minutes
 

cisco WS-C6509-E (R7000) processor (revision 1.3) with 458720K/65536K bytes of memory.
Processor board ID SMG1112N52M
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
2 Virtual Ethernet interfaces
50 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.

 

Thanks,

Neelesh. M

 

Labels:
0 Helpful
1 Reply 1

Richard Burts
Hall of Fame
Hall of Fame

‎10-25-2014 07:26 PM

Neelesh. M

 

The straightforward answer to your question is that the access list entry denies traffic being forwarded to the subnet whose source address is in that subnet. The fairly obvious explanation is that it would catch spoofed source addresses. But I am surprised to see that there are 8303 matches. Either there is a significant ongoing attempt to spoof the source address or something else is happening. Seeing that this is a 6509 and that HSRP is configured makes me wonder if some packets are sourced from the other HSRP member and forwarded to this switch or something like that.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card