An S series switch applies a traffic policy in which the ACL rule is configured as permit, but some permitted packets are counted as CPCAR dropped packets. Why?


When an S series fixed switch matches received packets against rules, a traffic policy has a higher priority than CPCAR. If both the CPCAR rate limit and the permit action of a traffic policy apply to a packet, the switch permits the packet and does not rate-limit it.
The switch matches each packet against the traffic policy rules and against CPCAR at the same time, and only then takes the action with the highest priority. The CPCAR drop counter is incremented during this matching phase, before the priority arbitration, so packets that the traffic policy finally permits may still be counted as CPCAR dropped packets. A non-zero CPCAR drop count for such packets therefore does not by itself prove that the packets were discarded; confirm by checking whether the affected protocol or service is actually working.

Other related questions:
Which packets cannot be filtered by the ACL used by a traffic policy on an S series switch?
On S series switches, the ACL used by a traffic policy cannot filter protocol packets that are sent to the CPU. For example:
- VRRP protocol packets use the multicast address 224.0.0.18 as the destination address and are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on them. Member switches in a VRRP group use these packets to elect the master switch.
- DHCP clients exchange DHCP packets with the DHCP server to obtain valid IP addresses. These packets are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on them. A switch therefore cannot use such an ACL to prevent users connected to its interfaces from obtaining IP addresses through DHCP.
- When a host pings a switch, the ICMP packet is sent to the switch CPU for processing, so the ACL in a traffic policy does not take effect on it. The switch cannot use such an ACL to block ping packets from hosts.

To filter protocol packets that are sent to the CPU, apply an ACL to the blacklist of a local attack defense policy instead. The configuration procedure is as follows:
1. Run the cpu-defend policy <policy-name> command in the system view to create an attack defense policy and enter the attack defense policy view.
2. Run the blacklist <blacklist-id> acl <acl-number> command to create a blacklist that references the ACL.
3. Run the cpu-defend-policy <policy-name> [ global ] command in the system view, or the cpu-defend-policy <policy-name> command in the slot view, to apply the attack defense policy.
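The procedure above as a worked configuration, added here as an example and not taken from the original page or from Huawei documentation. It blocks ping packets from one subnet to the switch CPU, which the traffic-policy ACL cannot do. The ACL number 3001, the policy name block-ping, the source subnet 10.1.1.0/24 and the switch address 10.1.1.254 are assumptions; substitute your own values and confirm the exact command syntax against the command reference for your software release.

```text
# Constructed example: drop ICMP from 10.1.1.0/24 to the switch's own
# address 10.1.1.254 before it reaches the CPU (all values are assumed).
system-view
# Advanced ACL (3000-3999). In a CPU-defend blacklist, packets matching a
# permit rule are the ones that get discarded; verify this for your release,
# since the meaning of permit/deny differs between service modules.
acl number 3001
 rule 5 permit icmp source 10.1.1.0 0.0.0.255 destination 10.1.1.254 0
 quit
# Step 1: create the attack defense policy and enter its view
cpu-defend policy block-ping
# Step 2: bind the ACL to blacklist 1
 blacklist 1 acl 3001
 quit
# Step 3: apply the policy globally (or per slot with cpu-defend-policy block-ping
# in the slot view)
cpu-defend-policy block-ping global
# Check: the CPU-defend counters are the place to look for real drops of
# packets sent to the CPU, not the traffic-policy statistics.
display cpu-defend statistics all
```

After applying the policy, pings from 10.1.1.0/24 to 10.1.1.254 should time out while pings from other subnets still succeed; that behavioural check is the reliable confirmation, for the reason given in the first answer about counters being incremented during matching rather than after arbitration.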

What do deny and permit in an ACL rule mean in different service modules?
The meaning of deny and permit in an ACL rule varies with the service module that uses the ACL. For details, see the URL: .
