
The blacklist does not take effect


Hello,

This case describes the problem that the blacklist configured on the S7700 does not take effect.

Problem Description

We would like to deny ICMP-reply packets to 192.168.1.0/24.

According to the documentation, we have configured the following:

#
acl 3100
 rule 5 deny IP source xx.xx.xx.xx 0.0.0.255 destination 192.168.1.0 0.0.20.255
#
cpu-defend policy test
 blacklist 1 acl 3100
 auto-defend alarm enable
 auto-defend action deny
#
cpu-defend-policy test global
cpu-defend-policy main-board
cpu-defend dynamic-car arp enable
#

After the configuration is complete, the device still responds to the ping requests to these addresses.

Root cause

The switch uses the X2E card. By default, the fast ICMP reply function is enabled on the device. In this case, the LPU can reply with ICMP packets without sending them to the CPU. Therefore, the blacklist does not take effect.

Solution

After the fast ICMP reply function is disabled, packets are sent to the CPU and the blacklist takes effect.

[HUAWEI] undo icmp-reply fast

Suggestion

If the fast ICMP reply function is enabled, the blacklist function takes effect only when all LPUs except the X2E and X1E series LPUs use the CPU to send ICMP reply packets.


I hope this helps.
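
A configuration check for the condition described in this case, added here as an example and not part of the original post or any Huawei tooling: it flags a cpu-defend blacklist in a saved configuration where fast ICMP reply has not been disabled. It assumes that `undo icmp-reply fast` appears in the saved configuration once the function is disabled; `audit_blacklist` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the configuration from this case as saved-config text.
SAMPLE_CONFIG = """\
#
acl 3100
 rule 5 deny IP source xx.xx.xx.xx 0.0.0.255 destination 192.168.1.0 0.0.20.255
#
cpu-defend policy test
 blacklist 1 acl 3100
 auto-defend alarm enable
 auto-defend action deny
#
cpu-defend-policy test global
cpu-defend-policy main-board
cpu-defend dynamic-car arp enable
#
"""

def audit_blacklist(config: str) -> list[str]:
    """Return findings for cpu-defend blacklists that may not take effect."""
    lines = [ln.strip() for ln in config.splitlines()]
    policy = None
    blacklists: dict[str, list[str]] = {}   # policy name -> referenced ACL numbers
    for ln in lines:
        if ln == "#":                        # '#' closes the current view
            policy = None
        elif m := re.fullmatch(r"cpu-defend policy (\S+)", ln):
            policy = m.group(1)
        elif policy and (m := re.fullmatch(r"blacklist \d+ acl (\d+)", ln)):
            blacklists.setdefault(policy, []).append(m.group(1))
    # Policies that are actually applied (globally or to a board).
    applied = {m.group(1) for ln in lines
               if (m := re.fullmatch(r"cpu-defend-policy (\S+)(?: global)?", ln))}
    # Assumption: a disabled fast ICMP reply shows up as this exact line.
    fast_reply_disabled = "undo icmp-reply fast" in lines
    findings = []
    for name, acls in blacklists.items():
        if name not in applied:
            findings.append(f"policy {name}: blacklist defined but policy not applied")
        elif not fast_reply_disabled:
            findings.append(
                f"policy {name}: blacklist acl {','.join(acls)} does not cover ICMP "
                "replies sent by the LPU (icmp-reply fast enabled by default)")
    return findings

if __name__ == "__main__":
    for finding in audit_blacklist(SAMPLE_CONFIG):
        print(finding)
```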
