Solution to Problems Occurring When an ACL-based Traffic Policy Is Used to Control Inter-VLAN Traffic in a Switch Interconnection Scenario

Publication Date:  2015-11-02 Views:  2122 Downloads:  0
Issue Description
As shown in the figure, two switches are interconnected through trunk interfaces, and the trunk interfaces allow packets from all VLANs to pass through. The switches connect to downstream PCs through access interfaces.

Figure: Applying an ACL-based policy to control inter-VLAN traffic in a switch interconnection scenario

The customer requires that only traffic in VLAN 20 be transmitted in VLAN 30. Assume that the IP address segments of VLANs 10, 20, and 30 are 10.0.0.0/24, 20.0.0.0/24, and 30.0.0.0/24, respectively.

For details about the interface configuration, see the figure.

The key configuration relevant to traffic control on Switch2 is as follows:

#
acl name vlan30_inbound
rule 5 permit ip source 20.0.0.0 0.0.0.255 destination 30.0.0.0 0.0.0.255
rule 10 deny ip
#
traffic classifier vlan30_inbound
if-match acl vlan30_inbound 
#
traffic behavior vlan30_inbound
permit
#
traffic policy vlan30_inbound match-order config
classifier vlan30_inbound behavior vlan30_inbound
#
vlan 30
traffic-policy vlan30_inbound inbound
#

After the configuration is complete, the test result is as follows:

1. VLAN 30 allows only traffic from VLAN 20.

2. Traffic from VLAN 10 on Switch1 cannot be transmitted in VLAN 20 on Switch2.
Handling Process
An ACL-based traffic policy in a VLAN is valid for all physical interfaces in the VLAN. The preceding configuration on a single switch can meet the requirement. When multiple switches are connected, the preceding configuration cannot meet requirements. Though VLAN 30 allows only traffic from VLAN 20, traffic from VLAN 10 on Switch1 cannot be transmitted in VLAN 20 on Switch2.

The causes are as follows:

1. When switches are connected through trunk interfaces, interconnected trunk interfaces allow packets from all VLANs to pass through.

2. The traffic policy defining packet filtering is configured only on Switch2 and applied to VLAN 30. This traffic policy takes effect on the access interface in VLAN 30 and also on the interconnected trunk interface in VLAN 30.

The problem therefore occurs.
Solution
Huawei switches use the preceding VLAN-based packet control mechanism. To solve the preceding problem, create another traffic policy that defines packet filtering and allows all traffic, and apply the traffic policy to the interconnected trunk interface. A traffic policy on a physical interface takes precedence over a traffic policy in a VLAN, so traffic passing the interconnected interface is not affected by the traffic policy in the VLAN.

The detailed configuration on Switch2 is as follows:

#
acl 2000
rule 5 permit  //basic ACL (2000-2999) matches all IP packets; the "ip" protocol keyword belongs to advanced ACLs (3000-3999)
#
traffic classifier inter-permit
if-match acl 2000
#
traffic behavior inter-permit
permit
#
traffic policy inter-permit
classifier inter-permit behavior inter-permit
#
interface Eth-Trunk 1  //interconnected interface between switches
traffic-policy inter-permit inbound
#
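The lookup order that the solution relies on (a traffic policy on the physical interface takes precedence over a traffic policy in the VLAN, and a VLAN policy otherwise applies on every physical interface that carries that VLAN, trunk included) can be checked against sample traffic with a small model. The script below is an added example, not Huawei code or configuration; the interface names, PC addresses and the four constructed packets are assumptions, and the lookup rules implement the behaviour as this case describes it, not a vendor specification.

```python
"""Model of the ACL traffic-policy lookup described in this case (added example).

Assumptions: interface names (GE0/0/1, GE0/0/2, Eth-Trunk1), host addresses and
sample packets are constructed; the lookup order follows the case text:
  1. a policy bound to the ingress physical interface wins,
  2. otherwise a policy bound to any VLAN that interface carries applies.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # "address wildcard", e.g. "20.0.0.0 0.0.0.255"; None = any
    dst: Optional[str] = None


def _match_wildcard(ip: str, spec: Optional[str]) -> bool:
    """Wildcard-mask match as used in the ACL rules above: a 1 bit means 'do not care'."""
    if spec is None:
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins; None when no rule matches."""
    for rule in rules:
        if _match_wildcard(src, rule.src) and _match_wildcard(dst, rule.dst):
            return rule.action
    return None


@dataclass
class Packet:
    ingress: str   # physical interface the packet arrives on
    src: str
    dst: str


@dataclass
class Switch:
    vlan_members: Dict[str, Set[int]]                          # interface -> VLANs it carries
    vlan_policies: Dict[int, List[Rule]] = field(default_factory=dict)
    if_policies: Dict[str, List[Rule]] = field(default_factory=dict)

    def forward(self, pkt: Packet) -> str:
        # 1) a traffic policy on the physical interface takes precedence
        acl = self.if_policies.get(pkt.ingress)
        if acl is None:
            # 2) otherwise a policy bound to any VLAN the interface carries applies;
            #    the trunk carries VLAN 30, so it picks up the VLAN 30 policy too
            for vlan in sorted(self.vlan_members[pkt.ingress]):
                if vlan in self.vlan_policies:
                    acl = self.vlan_policies[vlan]
                    break
        if acl is None:
            return "forward"
        # a matching deny rule drops the packet; permit or no match forwards it
        return "drop" if acl_lookup(acl, pkt.src, pkt.dst) == "deny" else "forward"


# ACL vlan30_inbound and ACL 2000 from the case, as rule lists
VLAN30_INBOUND = [
    Rule("permit", "20.0.0.0 0.0.0.255", "30.0.0.0 0.0.0.255"),  # rule 5
    Rule("deny"),                                                 # rule 10 deny ip
]
INTER_PERMIT = [Rule("permit")]                                    # acl 2000, permit all


def switch2(with_fix: bool) -> Switch:
    """Switch2 before (VLAN policy only) and after (extra policy on the trunk)."""
    sw = Switch(
        vlan_members={"GE0/0/1": {20}, "GE0/0/2": {30}, "Eth-Trunk1": {10, 20, 30}},
        vlan_policies={30: VLAN30_INBOUND},
    )
    if with_fix:
        sw.if_policies["Eth-Trunk1"] = INTER_PERMIT
    return sw


# Constructed sample traffic (hosts .5 and .7 are placeholders)
PACKETS = {
    "vlan20_to_vlan30_over_trunk": Packet("Eth-Trunk1", "20.0.0.5", "30.0.0.5"),
    "vlan10_to_vlan30_over_trunk": Packet("Eth-Trunk1", "10.0.0.5", "30.0.0.5"),
    "vlan10_to_vlan20_over_trunk": Packet("Eth-Trunk1", "10.0.0.5", "20.0.0.5"),
    "vlan30_access_port_to_vlan10": Packet("GE0/0/2", "30.0.0.7", "10.0.0.5"),
}


def run(with_fix: bool) -> Dict[str, str]:
    sw = switch2(with_fix)
    return {name: sw.forward(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, fixed in (("before fix", False), ("after fix", True)):
        print(label, run(fixed))
```

Before the fix the model reproduces the symptom: the VLAN 10 to VLAN 20 packet crossing Eth-Trunk1 hits rule 10 of the VLAN 30 policy and is dropped. After the fix the interface policy on the trunk wins and that packet is forwarded, while the VLAN 30 access port GE0/0/2 is still filtered by the VLAN policy. The same precedence rule also exempts the VLAN 10 to VLAN 30 packet arriving over the trunk from the VLAN 30 filter, which is why the Suggestions section points to applying the ACL on VLANIF 30 when filtering must cover traffic from the peer switch.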
Suggestions
After a customer replaces devices of vendor C with Huawei switches, this problem occurs when packet filtering is implemented, because Huawei and vendor C devices use different configurations and implementations. In the same network topology, devices of vendor C can meet the requirement. To meet the customer's requirement with Huawei devices, apply an ACL to VLANIF 30 on Switch2. When using an ACL on a Huawei switch to implement inter-VLAN traffic control, focus on the interface where the ACL takes effect. Perform configuration design and verification by referring to the product documentation.
