Fault Symptom
Two ACL rules in a traffic policy are configured in sequence on GE 1/0/0 of the router to implement the following functions:
· Discard UDP packets with the destination address 10.1.1.1/30 and destination port numbers smaller than 1023.
· Apply a CAR policy to other packets with the destination address 10.1.1.1/30 and destination port numbers equal to or larger than 1023, limiting the transmission rate to 400 Mbit/s.
After the configuration, the router applies the CAR policy to the UDP packets with the destination address 10.1.1.1/30, so traffic control takes effect; however, it does not discard the UDP packets with the destination address 10.1.1.1/30 and destination port numbers smaller than 1023.
Fault Analysis
1. Run the display current-configuration command to check the ACL and traffic policy configurations. The configurations are as follows:
acl 3010 match-order auto
 rule 5 permit ip destination 10.1.1.1 0.0.0.3
acl 3011
 rule 5 permit udp destination 10.1.1.1 0.0.0.3 destination-port lt 1023
traffic classifier c1 operator or
 if-match acl 3010
traffic classifier c2 operator or
 if-match acl 3011
traffic behavior b1
 car cir 400000 cbs 400000 pbs 0 green pass yellow pass red discard
traffic behavior b2
 deny
traffic policy tp
 classifier c1 behavior b1
 classifier c2 behavior b2
interface gigabitethernet 1/0/0
 traffic-policy tp inbound
2. The command output shows the cause. UDP packets are matched first against the ACL rule associated with the classifier that is configured first in the traffic policy, and once the packets match an ACL rule, they are not matched against the other ACL rule. In this case, the UDP packets with the destination address 10.1.1.1/30 and destination port numbers smaller than 1023 match ACL 3010, so the traffic limit takes effect on them. After this, the packets are not matched against ACL 3011 and therefore are not discarded.
Procedure
1. Run the undo traffic-policy inbound command in the interface view to remove the traffic policy applied to the interface.
2. Run the system-view command to enter the system view.
3. Run the undo traffic policy tp command to delete the traffic policy.
4. Run the traffic policy tp command to create a traffic policy and enter the traffic policy view.
5. Run the classifier c2 behavior b2 command and then the classifier c1 behavior b1 command to change the sequence for applying ACL rules in the traffic policy.
6. Run the traffic-policy policy-name inbound command to apply the associated policy on the interface.
After the preceding operations, the UDP packets with the destination address 10.1.1.1/30 and destination port numbers smaller than 1023 are discarded, and traffic control is performed on other packets with the destination address 10.1.1.1/30. The fault is then rectified.
Summary
The sequence for applying ACL rules must be correct. During traffic classification, packets are matched against ACL rules in sequence, starting with the ACL associated with the classifier that is configured first in the traffic policy. If the packets match an ACL rule, they are processed based on that rule and are not matched against other ACL rules.
When configuring a traffic policy, ensure that the traffic classifiers are applied in the correct sequence, so that a classifier configured earlier does not take over the packets that a later classifier is meant to handle.
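Added example (not part of the original case and not vendor code): a Python model of the first-match behaviour described in the Summary, applied to the two classifiers from this case, with a check that reports a classifier that can never take effect because an earlier one covers it. The dictionary layout, the function names and the sample packet are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the page's classifiers (field names are assumptions).
# proto None = any IP protocol; dport_lt None = any destination port.
DST = ip_network("10.1.1.1/30", strict=False)   # 10.1.1.1 0.0.0.3
RULES = {
    "c1": {"proto": None,  "dst": DST, "dport_lt": None, "behavior": "car"},   # acl 3010 -> b1
    "c2": {"proto": "udp", "dst": DST, "dport_lt": 1023, "behavior": "deny"},  # acl 3011 -> b2
}

def matches(rule, pkt):
    """True if the packet satisfies every field of the rule."""
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    return rule["dport_lt"] is None or pkt["dport"] < rule["dport_lt"]

def classify(order, pkt):
    """First match wins: return the behavior of the first matching classifier."""
    for name in order:
        if matches(RULES[name], pkt):
            return RULES[name]["behavior"]
    return "no-match"

def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    proto_ok = a["proto"] is None or a["proto"] == b["proto"]
    port_ok = a["dport_lt"] is None or (
        b["dport_lt"] is not None and b["dport_lt"] <= a["dport_lt"])
    return proto_ok and b["dst"].subnet_of(a["dst"]) and port_ok

def shadowed(order):
    """Classifiers that can never take effect because an earlier one covers them."""
    return [name for i, name in enumerate(order)
            if any(covers(RULES[prev], RULES[name]) for prev in order[:i])]

if __name__ == "__main__":
    dns = {"proto": "udp", "dst": "10.1.1.1", "dport": 53}  # constructed sample packet
    for order in (["c1", "c2"], ["c2", "c1"]):
        print(order, "->", classify(order, dns), "| shadowed:", shadowed(order))
```

Running the same check over a policy before applying it to an interface flags a deny classifier that sits behind a broader classifier.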
