Packet Filtering Does Not Take Effect When the External Network Is Pinged on the AR

Publication Date: 2015-04-01
Issue Description
Networking:

Figure 1 Networking diagram for an AR used as a gateway



Main configuration on the AR:

#
acl number 3301
 rule 5 deny icmp destination 8.8.8.8 0
 rule 10 permit ip
#
interface GigabitEthernet0/0/1
 traffic-filter outbound acl 3301
#

Fault Symptom:

The traffic-filter outbound acl 3301 command is run on an AR interface to block ping packets with destination address 8.8.8.8. When 8.8.8.8 is pinged on the AR, the ping succeeds: packet filtering does not take effect.



Handling Process
The ping 8.8.8.8 command fails when run on a PC but succeeds when run on the AR.

Packets generated by the ping 8.8.8.8 command on the AR are sent directly from the protocol stack to the outbound interface without entering the forwarding plane. Traffic filtering applies to the forwarding plane, and packets sent this way do not involve the QoS process, so they cannot be filtered. It is therefore normal that destination address 8.8.8.8 can be pinged on the AR.

Suggestions
The AR software includes the control and forwarding planes. The differences are as follows:
  • The forwarding plane forwards packets destined for another device. Generally, packets that have both an inbound and an outbound physical interface are called packets destined for another device.
  • Packets sent by the control plane do not enter the forwarding plane. Most of these packets are unaffected by services deployed on the forwarding plane.
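
The following added example (not Huawei code and not part of the original case) parses ACL 3301 as configured above and models the two packet paths, to show why the same ICMP packet to 8.8.8.8 is dropped when forwarded for a PC but sent when the AR originates it. The function names, the inbound interface name used in the test call, and the default action for unmatched traffic are assumptions.

```python
import ipaddress
import re

# ACL 3301 exactly as configured on the page.
ACL_3301 = """\
rule 5 deny icmp destination 8.8.8.8 0
rule 10 permit ip
"""

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) (\w+)(?: destination (\S+) (\S+))?")

def _to_int(text):
    # The wildcard "0" is shorthand for 0.0.0.0 (match this exact host).
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Return rules sorted by rule ID: (id, action, proto, addr, wildcard)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            continue
        rid, action, proto, addr, wild = m.groups()
        if addr is None:  # no destination clause: match any address
            addr, wild = "0.0.0.0", "255.255.255.255"
        rules.append((int(rid), action, proto, _to_int(addr), _to_int(wild)))
    return sorted(rules)

def acl_action(rules, proto, dst):
    """First matching rule wins; wildcard bits set to 1 are 'don't care'."""
    d = int(ipaddress.IPv4Address(dst))
    for _rid, action, rproto, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF
        if rproto in ("ip", proto) and (d & care) == (addr & care):
            return action
    return "permit"  # assumption: traffic matching no rule is not filtered

def egress_verdict(rules, proto, dst, inbound_if):
    """Simplified model of the page's explanation, not vendor behaviour code.

    inbound_if is None for packets the AR itself originates: they go from
    the protocol stack straight to the outbound interface, so the outbound
    traffic-filter is never consulted.
    """
    if inbound_if is None:
        return "sent (control plane, traffic-filter not evaluated)"
    return "sent" if acl_action(rules, proto, dst) == "permit" else "dropped"
```

When auditing a gateway, treat an outbound traffic-filter as a control on transit traffic only; reachability tests run from the AR itself do not exercise it.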
