Why does testing a traffic-policy applied on an S5720 fail?

Latest reply: Dec 25, 2018 03:32:49
Device: S5720S-28X-LI-24S-AC


Issue Description

Customer claims that a traffic-policy configured on an S5720 does not take effect.

When the customer pings a public IP address (e.g. 8.8.8.8) using a local interface address of the S5720 (e.g. 10.10.10.1) as the source, he receives a reply even though acl 3002 is configured to deny it.

 

acl number 3002
 rule 10 permit ip destination 10.10.10.0 0.0.0.255 logging
 rule 20 permit ip destination 10.20.10.0 0.0.0.255 logging
 rule 30 deny ip logging
#
traffic classifier c1 operator and
 if-match acl 3002
#
traffic behavior b1
 permit
#
traffic policy p1
 classifier c1 behavior b1
#
vlan 50
 traffic-policy p1 inbound

Handling Process

When the peer device sends back an ICMP reply packet, its destination IP will be 10.10.10.1.

10.10.10.1 will match ACL 3002 (rule 30), but the traffic policy will not take effect because the packet's destination IP is an interface address of the switch.

There is a default ACL which is used to "catch" ICMP packets whose destination IP is an IP address of the switch and send them to the CPU.

The priority of this default ACL is higher than that of the configured traffic-policy, so such packets will not be dropped by the traffic policy.

Note that the default ACL mentioned above only takes effect for ICMP packets whose final destination is the switch. For pass-by packets, the configured traffic-policy will take effect.

Solution

When we want to test a traffic-policy, we need to send the test traffic from a device connected behind the switch on which the traffic-policy is configured.


xiaomumu
Created Dec 24, 2018 01:34:48

Learn more, great

4am
Created Dec 25, 2018 03:32:49

acl number 3002
 rule 10 permit ip destination 10.10.10.0 0.0.0.255 logging
 rule 20 permit ip destination 10.20.10.0 0.0.0.255 logging
 rule 30 deny ip logging
A packet with destination address 10.10.10.1 matches rule 10 first, not rule 30. Therefore, the ICMP reply packet can be received.
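The two explanations in this thread (the original post's point that ICMP addressed to the switch itself is diverted to the CPU by a default ACL that outranks the traffic-policy, and 4am's point that 10.10.10.1 is matched by rule 10 before rule 30 is ever reached) can both be checked with a small model of how the ACL and policy are evaluated. The following Python is an added example written for this page; it is not Huawei code and does not talk to a switch. It assumes Huawei wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored), first-match evaluation in ascending rule-number order, the CPU-diversion behaviour exactly as the post describes it (ICMP only, destination equal to a switch address), and, as a labelled assumption, that a hit on an ACL deny rule discards the packet even when the bound traffic behavior is permit, which is how S-series traffic behaviors are documented to combine with ACL actions. `SWITCH_ADDRESSES`, `traffic_policy_verdict` and `test_matrix` are names chosen here, and the host addresses 10.10.10.50 and 192.0.2.7 are constructed test inputs.

```python
"""Model of ACL 3002 and traffic-policy p1 from the thread (added example, not switch code).

Two behaviours are modelled:
  1. ACL rules are evaluated in ascending rule-number order; the first hit wins.
     Wildcard masks follow Huawei semantics: a 0 bit must match, a 1 bit is ignored.
  2. An ICMP packet whose destination is one of the switch's own addresses is
     diverted to the CPU by a built-in default ACL that outranks a user
     traffic-policy, so the policy never acts on it (as described in the post).
Assumption: a hit on an ACL deny rule discards the packet even when the bound
traffic behavior is "permit".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(text: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class AclRule:
    number: int
    action: str                        # "permit" or "deny"
    dst: Optional[Tuple[int, int]]     # (address, wildcard); None means any destination

    def matches(self, dst_ip: str) -> bool:
        if self.dst is None:
            return True
        addr, wildcard = self.dst
        care = ~wildcard & 0xFFFFFFFF  # bits the rule actually compares
        return (_ip(dst_ip) & care) == (addr & care)


def rule(number: int, action: str, dst: Optional[str] = None,
         wildcard: str = "0.0.0.0") -> AclRule:
    """Build a rule from CLI-style arguments: rule <n> <action> ip [destination <addr> <wc>]."""
    return AclRule(number, action, None if dst is None else (_ip(dst), _ip(wildcard)))


# acl number 3002 as posted ("logging" omitted: it does not influence matching)
ACL_3002: List[AclRule] = [
    rule(10, "permit", "10.10.10.0", "0.0.0.255"),
    rule(20, "permit", "10.20.10.0", "0.0.0.255"),
    rule(30, "deny"),
]

# Constructed: the switch's own interface addresses; 10.10.10.1 is the one used in the post
SWITCH_ADDRESSES = frozenset({"10.10.10.1"})


def acl_lookup(acl: List[AclRule], dst_ip: str) -> Optional[AclRule]:
    """Return the first rule that matches, in ascending rule-number order."""
    for r in sorted(acl, key=lambda item: item.number):
        if r.matches(dst_ip):
            return r
    return None


def traffic_policy_verdict(acl: List[AclRule], dst_ip: str, protocol: str = "icmp",
                           behavior: str = "permit",
                           switch_addresses=SWITCH_ADDRESSES) -> str:
    """Fate of a packet arriving inbound on the VLAN where the policy is applied.

    "to-cpu"    destined to the switch itself: the default ACL wins, policy bypassed
    "dropped"   ACL deny rule hit, or permit rule hit with behavior deny
    "permitted" ACL permit rule hit with behavior permit
    "unmatched" no rule hit: the policy does not act on the packet
    """
    if protocol == "icmp" and dst_ip in switch_addresses:
        return "to-cpu"
    hit = acl_lookup(acl, dst_ip)
    if hit is None:
        return "unmatched"
    if hit.action == "deny" or behavior == "deny":
        return "dropped"
    return "permitted"


def test_matrix() -> dict:
    """The poster's test versus traffic for hosts behind the switch."""
    return {
        # the poster's test: reply from 8.8.8.8 to the switch's own VLANIF address
        "reply to 10.10.10.1": traffic_policy_verdict(ACL_3002, "10.10.10.1"),
        # a reply to a host behind the switch in 10.10.10.0/24: passes via rule 10
        "reply to 10.10.10.50": traffic_policy_verdict(ACL_3002, "10.10.10.50"),
        # a pass-by packet to any other destination: rule 30 deny discards it
        "packet to 192.0.2.7": traffic_policy_verdict(ACL_3002, "192.0.2.7"),
    }


if __name__ == "__main__":
    for case, verdict in test_matrix().items():
        print(f"{case:24s} -> {verdict}")
    hit = acl_lookup(ACL_3002, "10.10.10.1")
    print(f"10.10.10.1 matches rule {hit.number} ({hit.action}), not rule 30")
```

Run as a script it shows both points at once: the poster's ping reply to 10.10.10.1 never reaches the policy, and even if it did, rule 10 would permit it; only a pass-by packet outside the two permitted /24s reaches rule 30 and is discarded. To actually exercise rule 30 on the switch, the test source must be a host behind it whose address is not covered by rules 10 or 20.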