Why testing a traffic-policy applied on S5720 fails?

Created Nov 06, 2018 18:49:21 | Latest reply Dec 25, 2018 11:32:49
Device: S5720S-28X-LI-24S-AC


Issue Description

Customer claims that the traffic-policy configured on the S5720 does not take effect.

When the customer pings a public IP address (e.g. 8.8.8.8) using a local interface address of the S5720 (e.g. 10.10.10.1) as the source, he receives a reply even though ACL 3002 is configured to deny it.

acl number 3002
 rule 10 permit ip destination 10.10.10.0 0.0.0.255 logging
 rule 20 permit ip destination 10.20.10.0 0.0.0.255 logging
 rule 30 deny ip logging
#
traffic classifier c1 operator and
 if-match acl 3002
#
traffic behavior b1
 permit
#
traffic policy p1
 classifier c1 behavior b1
#
vlan 50
 traffic-policy p1 inbound

Handling Process

When the peer device replies with an ICMP reply packet, the destination IP will be 10.10.10.1.

10.10.10.1 will match ACL 3002 (rule 30), but the traffic policy will not take effect because the packet's destination IP is an interface address of the switch.

There is a default ACL which is used to "catch" ICMP packets (whose destination IP is the IP address of the switch) and send them to the CPU.

The priority of the default ACL is higher than that of the configured traffic-policy, so the packets will not be dropped by the traffic policy.

Note that the default ACL mentioned above only takes effect for ICMP packets whose final destination is the switch. For pass-by packets, the configured traffic-policy will take effect.

Solution

When we want to test a traffic-policy, we need to use a device connected behind the switch configured with the traffic-policy.


xiaomumu (Novice) Created Dec 24, 2018 09:34:48

Learned more, great.

4am (Novice) Created Dec 25, 2018 11:32:49

acl number 3002
 rule 10 permit ip destination 10.10.10.0 0.0.0.255 logging
 rule 20 permit ip destination 10.20.10.0 0.0.0.255 logging
 rule 30 deny ip logging

The packet with destination address 10.10.10.1 is matched by rule 10 first, not by rule 30. Therefore, the ICMP reply packet can be received.
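The thread turns on how an advanced ACL like 3002 is evaluated: rules are checked in ascending rule-number order (Huawei's default "config" match order), and a wildcard mask of 0.0.0.255 means the low octet is "don't care", so 10.10.10.1 falls inside rule 10's destination range before rule 30 is ever consulted. The following is an added example, not code from the thread or from Huawei; it parses the ACL text exactly as posted above, applies wildcard-mask matching in rule-number order, and reports which rule a given destination address hits. The parser and the packet fields it understands (destination, source, protocol) are assumptions made for this illustration; it does not model the switch's built-in handling of traffic addressed to its own interfaces.

```python
"""First-match evaluation of a Huawei-style advanced ACL with wildcard masks.

Added example for illustration only; it is not the switch's implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: ACL 3002 exactly as shown in the thread's configuration.
ACL_CONFIG = """\
acl number 3002
 rule 10 permit ip destination 10.10.10.0 0.0.0.255 logging
 rule 20 permit ip destination 10.20.10.0 0.0.0.255 logging
 rule 30 deny ip logging
"""

ALL_ONES = 0xFFFFFFFF


@dataclass
class Rule:
    number: int
    action: str          # "permit" or "deny"
    proto: str           # "ip" means any IP protocol
    src_net: int         # source address as int; wildcard all-ones means "any"
    src_wild: int
    dst_net: int         # destination address as int; wildcard all-ones means "any"
    dst_wild: int
    logging: bool


def _addr_and_wildcard(addr: str, wild: str) -> Tuple[int, int]:
    """Convert 'a.b.c.d w.x.y.z' into integer address and wildcard mask."""
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny proto [source A W] [destination A W] [logging]' lines.

    Rules are returned sorted by rule number, which is the order in which the
    switch evaluates them under the default match order.
    """
    rules: List[Rule] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule":
            continue  # skip 'acl number ...' and anything that is not a rule
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src_net, src_wild = 0, ALL_ONES   # absent clause means "any"
        dst_net, dst_wild = 0, ALL_ONES
        i = 4
        while i < len(tok):
            if tok[i] == "source" and i + 2 < len(tok):
                src_net, src_wild = _addr_and_wildcard(tok[i + 1], tok[i + 2])
                i += 3
            elif tok[i] == "destination" and i + 2 < len(tok):
                dst_net, dst_wild = _addr_and_wildcard(tok[i + 1], tok[i + 2])
                i += 3
            else:
                i += 1  # 'logging' and unknown keywords do not affect matching
        rules.append(Rule(number, action, proto, src_net, src_wild,
                          dst_net, dst_wild, "logging" in tok))
    return sorted(rules, key=lambda r: r.number)


def _wildcard_match(addr: int, net: int, wild: int) -> bool:
    """Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored."""
    care = ~wild & ALL_ONES
    return (addr & care) == (net & care)


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Return the first rule (by number) whose source and destination both match."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for r in rules:
        if _wildcard_match(s, r.src_net, r.src_wild) and \
           _wildcard_match(d, r.dst_net, r.dst_wild):
            return r
    return None  # no rule matched: the classifier does not catch the packet


def classify(src_ip: str, dst_ip: str, acl_text: str = ACL_CONFIG) -> Tuple[Optional[int], str]:
    """Convenience wrapper: (matching rule number or None, resulting action)."""
    r = first_match(parse_acl(acl_text), src_ip, dst_ip)
    return (r.number, r.action) if r else (None, "no-match")


if __name__ == "__main__":
    # The ICMP echo reply from 8.8.8.8 back to the switch interface address.
    print("reply 8.8.8.8 -> 10.10.10.1:", classify("8.8.8.8", "10.10.10.1"))
    # The outbound echo request, which only rule 30 covers.
    print("request 10.10.10.1 -> 8.8.8.8:", classify("10.10.10.1", "8.8.8.8"))
```

Running it shows the reply toward 10.10.10.1 resolving to rule 10 (permit) and the outbound request toward 8.8.8.8 resolving to rule 30 (deny), which is why a test that pings from the switch's own interface address cannot tell whether the deny rule is enforced. Using a host behind the switch whose address is outside both permitted /24 ranges, as the Solution section suggests, gives a destination that only rule 30 can match.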
