[case] A revelation caused by a glitch: the route policy configured doesn't take effect

Latest reply: Dec 24, 2018 09:34:35

The simulation topology is shown below; all the devices are in the same VLAN.

[image -2781501-1: simulation topology]

The customer wants specific devices to access the server without restriction, while the rest of the devices can only ping the server.

We have two ways to achieve this requirement: one is a traffic policy, the other is a VACL.


Let's start with the traffic policy.

#
acl number 3001
 rule 5 permit icmp
#
acl number 4001
 rule 5 permit source-mac 5489-98c9-014f
 rule 10 deny
#
traffic classifier res operator and
 if-match acl 3001
traffic classifier res2 operator and
 if-match acl 4001
#
traffic behavior res
 permit
#
traffic policy res
 classifier res behavior res
 classifier res2 behavior res
#

#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 traffic-policy res inbound
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 traffic-policy res inbound
#
#
After configuring the switch, none of the terminal PCs, except those specified, could reach the server.

Since the device matched by ACL 4001 works normally, we know the hardware is fine.
Let's find the problem step by step:

First, check the interface status on the switch.
[image -2781501-2: interface status output]

[image -2781501-3: interface status output]
All the interfaces show PHY up and protocol up; the links are OK.

Then check the ACL we just configured;
all is good.

Then where is the problem?

Let's go back to the very beginning and confirm how ping works.

  1. Enter the ping command on the client.
  2. The client packages the data.
  3. At the network layer, the client checks the destination IP and finds that it is on the same network segment, so it does not look up the routing table; it encapsulates the data with source IP = the client's IP address and destination IP = the server's IP address.
  4. The client hands the data down to the data link layer. There it adds the source MAC (the client's MAC) and the destination MAC (the server's MAC): it looks up its ARP table and fills in the server's MAC. If it cannot find a matching entry, it broadcasts an ARP request to learn the server's MAC.
  5. The ARP broadcast reaches the switch, and the switch checks the traffic policy to decide whether the frame should be forwarded or discarded. With the traffic policy configured on the interface, the switch only forwards ICMP packets and frames from the specified MAC address, so it discards the ARP request.

Here we find the problem!

We configured the ACL to deny ARP messages, so the clients can't get the server's MAC address; they keep broadcasting ARP requests and never send an ICMP packet.

With the problem found, make some changes to the traffic policy:

traffic classifier tc1 operator or
 if-match acl 3000
 if-match l2-protocol arp

Then do some tests; everything works fine.
[image -2781501-4: ping test result]


With the experience from the last problem, we can implement the VACL with the following commands.
#
acl name res1 3001
 rule 5 permit icmp
#
acl name res2 4001
 rule 5 permit source-mac 5489-98c9-014f
 rule 10 deny
#
acl name res3 number 23001
 rule 5 permit request
 rule 10 permit reply
#

#
traffic-filter vlan 10 inbound acl name res1
traffic-filter vlan 10 inbound acl name res2
traffic-filter vlan 10 inbound acl name res3
#
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
But the S5700 on eNSP doesn't support ARP-based ACLs, so I tried on a CE12800; the new problem is that the CE12800 can't apply an ACL to a VLAN...
[image -2781501-5: CE12800 error output]
Please, someone with test conditions, feed back the result; it should work. :)

During troubleshooting, when all the configuration seems fine but there is still a network problem, we can follow the traffic step by step, device by device, through every single interface on the forwarding path, to find out whether the packets are being forwarded as we planned.

And if someone has new ideas to solve this problem, please share your solutions. :)
From group: Switch
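The forwarding decision walked through in steps 1 to 5 of the post, and the same check for the ACLs reused in the VACL variant, as an added example that is not part of the original post: a small Python model of how the switch evaluates the traffic policy against the frames a client emits when it pings the server. The switch semantics it encodes are assumptions that match the post's diagnosis (a hit on an ACL deny rule inside a classifier discards the frame whatever the behavior says, the first matching classifier wins, and a frame matching no classifier is forwarded normally). Only 5489-98c9-014f comes from the post; the client and server MACs, the frame contents and the class names are constructed, and the corrected classifier is modelled with acl 3001 (the post writes acl 3000).

```python
"""Model of the case's traffic policy: which frames of a ping get forwarded.

Added example, not from the original post. The switch semantics are assumptions
matching the post's diagnosis (ACL deny hit discards, first classifier wins,
unmatched frames are forwarded).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRUSTED_MAC = "5489-98c9-014f"   # the MAC permitted by acl 4001 in the post
CLIENT_MAC = "5489-98aa-0001"    # constructed: an ordinary terminal PC
SERVER_MAC = "5489-98bb-0002"    # constructed: the server
BROADCAST = "ffff-ffff-ffff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str          # "arp" or "ipv4"
    ip_proto: str = ""      # "icmp", "tcp", ... when ethertype == "ipv4"


@dataclass
class AclRule:
    action: str                      # "permit" or "deny"
    ip_proto: Optional[str] = None   # advanced ACL (3xxx) condition
    src_mac: Optional[str] = None    # L2 ACL (4xxx) condition


@dataclass
class Classifier:
    name: str
    operator: str                        # "and" or "or"
    matches: List[Tuple[str, object]]    # ("acl", [rules]) or ("l2-protocol", "arp")


ACL_3001 = [AclRule("permit", ip_proto="icmp")]
ACL_4001 = [AclRule("permit", src_mac=TRUSTED_MAC), AclRule("deny")]


def acl_lookup(rules: List[AclRule], frame: Frame) -> Optional[str]:
    """Action of the first rule the frame matches, or None when no rule matches."""
    for r in rules:
        if r.ip_proto and not (frame.ethertype == "ipv4" and frame.ip_proto == r.ip_proto):
            continue
        if r.src_mac and frame.src_mac != r.src_mac:
            continue
        return r.action
    return None


def classify(clf: Classifier, frame: Frame) -> Optional[str]:
    """'deny' if an ACL deny rule fired, 'match' if the classifier matched, else None."""
    results = []
    for kind, arg in clf.matches:
        if kind == "acl":
            results.append(acl_lookup(arg, frame))
        elif kind == "l2-protocol":
            results.append("permit" if frame.ethertype == arg else None)
    if "deny" in results:
        return "deny"
    hits = [r == "permit" for r in results]
    matched = all(hits) if clf.operator == "and" else any(hits)
    return "match" if matched else None


def verdict(policy, frame: Frame) -> str:
    """Walk the classifiers in configured order, as the switch does inbound."""
    for clf, behavior in policy:
        r = classify(clf, frame)
        if r == "deny":
            return "drop"
        if r == "match":
            return "forward" if behavior == "permit" else "drop"
    return "forward"        # no classifier matched: default forwarding


# The policy as first configured in the post (classifiers res and res2).
ORIGINAL_POLICY = [
    (Classifier("res", "and", [("acl", ACL_3001)]), "permit"),
    (Classifier("res2", "and", [("acl", ACL_4001)]), "permit"),
]
# The corrected classifier: operator or, plus if-match l2-protocol arp.
FIXED_POLICY = [
    (Classifier("tc1", "or", [("acl", ACL_3001), ("l2-protocol", "arp")]), "permit"),
    (Classifier("res2", "and", [("acl", ACL_4001)]), "permit"),
]


def ping(policy, client_mac: str):
    """Steps 4-5 of the post: ARP request first, ICMP only once ARP got through."""
    trace = []
    arp = Frame(client_mac, BROADCAST, "arp")
    trace.append(("arp-request", verdict(policy, arp)))
    if trace[-1][1] != "forward":
        trace.append(("icmp-echo", "never sent: ARP unanswered, client keeps retrying"))
        return trace
    icmp = Frame(client_mac, SERVER_MAC, "ipv4", "icmp")
    trace.append(("icmp-echo", verdict(policy, icmp)))
    return trace


def ping_succeeds(policy, client_mac: str) -> bool:
    return ping(policy, client_mac)[-1][1] == "forward"


if __name__ == "__main__":
    for label, pol in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for mac in (CLIENT_MAC, TRUSTED_MAC):
            print(label, mac, ping(pol, mac))
        print(label, "ordinary PC tcp ->", verdict(pol, Frame(CLIENT_MAC, SERVER_MAC, "ipv4", "tcp")))
```

Running it shows the failure mode from the post: under ORIGINAL_POLICY the ordinary PC's ARP request falls through classifier res (not ICMP) and hits rule 10 deny of acl 4001, so the ICMP echo is never sent, while the trusted MAC is permitted by rule 5 and works; under FIXED_POLICY the ARP request matches the l2-protocol condition, the echo is then permitted by acl 3001, and non-ICMP traffic from ordinary PCs is still dropped.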

Created Oct 22, 2018 16:43:29

Ooooooh, this is very helpful. I searched for this answer for a looooong time; it is so cooooooool!
[image -2782895-1]

Created Oct 23, 2018 11:45:05

Thanks for sharing...

chenhui Created Nov 9, 2018 09:13:03
Hope you like this.
If you think my post/reply is useful, please click the Helpful button and flag my post as a BEST ANSWER. Thanks.

Created Oct 30, 2018 17:39:52

Good case, very clear. For network checking and verification it is better to use a physical device, because eNSP may not support some features; so if we meet an issue when using eNSP, we need to consider that the issue may come from eNSP.

chenhui Created Nov 9, 2018 09:12:25
Good suggestion; I hope eNSP can provide more functions with fewer bugs.

Created Nov 6, 2018 11:38:54

"But the S5700 on eNSP doesn't support ARP-based ACLs, so I tried on a CE12800; the new problem is that the CE12800 can't apply an ACL to a VLAN..."

Hi author, can you test on a real device and tell us the result? We hope to know this.
[image -2795643-1]

chenhui Created Nov 9, 2018 09:10:00
I'll try my best to see if I can find available equipment.

Created Dec 24, 2018 09:34:35

Learn more, great.
