Why ICMP packets used to ping a host cannot be discarded using a traffic policy on an S series modular switch


An S series modular switch uses two ACLs for ICMP packets: one ACL sends matching ICMP packets to the CPU, and the ACL referenced in a traffic policy discards them. When a packet matches both, only the ACL with the higher priority takes effect, and the ACL that sends ICMP packets to the CPU has the higher priority. Therefore, ICMP packets destined for the switch cannot be discarded by a traffic policy. To discard these ICMP packets, configure a blacklist in the local attack defense policy instead.
If the switch sends ICMP packets to the CPU through a route (a FIB hit) rather than through the send-to-CPU ACL, a traffic policy can be configured to discard the ICMP packets.

Other related questions:
Reason for ping packet loss on S series switch
For S series modular switches: Ping packets sent from other devices to a switch are processed by the switch as fib-hit packets. The switch sends fib-hit packets to the CPU at the default CAR value to protect the CPU from being attacked by these packets. If the rate of ping packets sent to the CPU exceeds the CAR value, the switch discards the excess packets. To resolve the problem, set a larger CAR value for fib-hit packets.

Which packets cannot be filtered by the ACL used by a traffic policy on an S series switch
For S series switches, ACLs used by traffic policies cannot filter the protocol packets to be sent to the CPU. For example:
- VRRP protocol packets, which member switches in a VRRP group use to negotiate the master switch, use the multicast address 224.0.0.18 as the destination address. These packets are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on them.
- DHCP clients exchange DHCP packets with the DHCP server to obtain valid IP addresses. These packets are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on them. As a result, a switch cannot use a traffic policy ACL to prevent users connected to its interfaces from obtaining IP addresses through DHCP.
- When a host pings a switch, the ICMP packet is sent to the CPU of the switch for processing. The ACL in a traffic policy does not take effect on the ICMP packet, so the switch cannot use a traffic policy ACL to block ping packets from hosts.

To filter the protocol packets to be sent to the CPU, apply an ACL to the blacklist configured in the local attack defense policy. The configuration procedure is as follows:
1. Run the cpu-defend policy <policy-name> command in the system view to enter the attack defense policy view.
2. Run the blacklist <blacklist-id> acl <acl-number> command to create a blacklist.
3. Run the cpu-defend-policy <policy-name> [ global ] command in the system view or run the cpu-defend-policy <policy-name> command in the slot view to apply the attack defense policy.
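The following configuration fragment is an added example that puts the three steps above together; it is not taken from this page or from Huawei documentation. The ACL number 3000, the policy name deny-ping-to-cpu, the blacklist ID 1 and the source subnet 10.1.1.0/24 are constructed values chosen for illustration. An advanced ACL (3000-3999) is used because matching on the ICMP protocol requires one.

```text
# Advanced ACL that matches ICMP packets from the constructed subnet 10.1.1.0/24.
system-view
acl number 3000
 rule 5 permit icmp source 10.1.1.0 0.0.0.255
quit
#
# Step 1: create the attack defense policy and enter its view.
cpu-defend policy deny-ping-to-cpu
#  Step 2: bind the ACL to blacklist 1. ICMP packets that match the ACL's
#  permit rule are discarded before they reach the CPU.
 blacklist 1 acl 3000
quit
#
# Step 3: apply the policy globally (use "cpu-defend-policy deny-ping-to-cpu"
# in the slot view instead to apply it to a single slot).
cpu-defend-policy deny-ping-to-cpu global
```

Note that the blacklist acts on packets matching the ACL's permit rules: permit here selects the traffic to be dropped, which is the opposite of how permit reads in a traffic policy. Keep the ACL narrow (a specific source range) so that management hosts that still need to ping the switch are not blacklisted along with the unwanted sources.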

Why does an S series switch properly transmit small ping packets but discard large ping packets
A small MTU value on an interface of an S series switch can cause the switch to forward small ping packets but discard large ones. You can run the ping -f command to measure the maximum packet length supported by the interface, and then check the MTU value configured on the interface. Note: The ping command uses ICMP packets. The packet size shown in the ping command output is the payload length of the ICMP packet, excluding the IP and ICMP headers. The IP header is 20 bytes and the ICMP header is 8 bytes, so a ping packet occupies 28 bytes more on the wire than the size shown.

Why are a large number of packets discarded on an inbound interface of an S series modular switch
S9300 series switches running V100R001 and V100R002 send protocol packets to the CPU for processing and discard the original packets at the hardware layer. These discarded protocol packets are counted as discards on the inbound interface, which does not comply with RFC 2863. For switches running V100R002, the patch in V100R002SPH009 or a later version can be installed to fix this problem. According to RFC 2863 and industry norms, only packets discarded due to buffer overflows are counted as discarded packets.
