
FAQ-Why Does the ACL Rule Not Take Effect on the Broadcast and Unknown Unicast in the Outbound Direction of the Port

Publication Date:  2012-07-25 Views:  49 Downloads:  0
Issue Description
Q:
Why does the ACL rule not take effect on the broadcast and unknown unicast in the outbound direction of the port? 
Alarm Information
Null
Handling Process

A:
An ACL rule configured on an upstream port or on a board slot takes effect in the inbound direction of the port. In the outbound direction of the port, however, the ACL rule does not take effect on broadcast and unknown unicast traffic.
For example:
MA5600T(config)#acl 4000                                        //create link (Layer 2) ACL 4000
MA5600T(config-acl-link-4000)#rule 1 deny source 1234-5678-1234 ffff-ffff-ffff //for a certain
MA5600T(config-acl-link-4000)#quit                              //return to the global config view
MA5600T(config)#packet-filter outbound link-group 4000 rule 1 port 0/5/0 //apply rule 1 in the outbound direction of port 0/5/0
Here, although the ACL 4000 rule is applied in the outbound direction of port 0/5/0, the command that applies the rule is also issued to all inbound ports. The only difference is that the fields used to identify the packets are extended with the outbound port, 0/5/0. That is, each inbound port identifies the packets by two conditions: the rule defined by ACL 4000 rule 1, and the ID of the outbound port (0/5/0) to which the rule was issued. The packet-filter command therefore acts only on packets that satisfy both conditions.

Broadcast and unknown unicast packets satisfy only the first condition, so the ACL rule does not take effect on them in the outbound direction of the port. The reason is that, even though the rule is issued to the outbound port and to all inbound ports, the LAN switch cannot determine at the inbound port which outbound port a broadcast or unknown unicast packet will leave through: the forwarding hardware has no single outbound port for these packets because they are flooded, so the outbound-port condition is never met and the packet-filter command fails for them.


Root Cause
Null
Suggestions
For broadcast and unknown unicast traffic, apply the ACL rule in the inbound direction of the port.
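The following Python model is an added illustration of the two-condition match described in the handling process and of the inbound-direction suggestion above; it is not MA5600T software or Huawei code. ACL 4000 rule 1, its source MAC and mask, and port 0/5/0 are taken from this page; the upstream port 0/19/0, the host MAC addresses and the MAC table entry are constructed for the example. It shows that an outbound filter on port 0/5/0 drops a known unicast frame from the denied source but lets the same source's broadcast and unknown unicast frames through, while the same rule applied inbound on the port where the traffic enters drops all three.

```python
"""Added model of how an outbound link ACL is evaluated at the inbound ports.

Not MA5600T software. Port 0/19/0, the host MACs and the MAC table are
constructed assumptions; ACL 4000 rule 1 and port 0/5/0 come from the FAQ.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff-ffff-ffff"


def mac_to_int(mac: str) -> int:
    """Parse the 'xxxx-xxxx-xxxx' MAC notation used in the CLI into an integer."""
    return int(mac.replace("-", ""), 16)


def mac_matches(mac: str, rule_mac: str, mask: str) -> bool:
    """Link ACL source match: only the bits set in the mask are compared."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(rule_mac) & m)


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class LanSwitch:
    # constructed MAC table: learned destination MAC -> outbound port
    mac_table: Dict[str, str]
    # (rule_mac, mask, port) entries issued by 'packet-filter ... port <port>'
    inbound_filters: List[Tuple[str, str, str]] = field(default_factory=list)
    outbound_filters: List[Tuple[str, str, str]] = field(default_factory=list)

    def packet_filter(self, direction: str, rule_mac: str, mask: str, port: str) -> None:
        """Model of 'packet-filter {inbound|outbound} link-group ... port <port>'."""
        target = self.inbound_filters if direction == "inbound" else self.outbound_filters
        target.append((rule_mac, mask, port))

    def egress_port(self, frame: Frame) -> Optional[str]:
        """Outbound port known when the frame enters; None when it is flooded."""
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            return None
        return self.mac_table[frame.dst]

    def dropped(self, frame: Frame, in_port: str) -> bool:
        """Evaluate the filters the way the FAQ describes.

        An inbound filter needs only the rule and the inbound port.
        An outbound filter is installed on every inbound port with one
        extra condition, the outbound port ID. A flooded frame has no
        single outbound port, so that condition can never be satisfied.
        """
        for rule_mac, mask, port in self.inbound_filters:
            if port == in_port and mac_matches(frame.src, rule_mac, mask):
                return True
        egress = self.egress_port(frame)
        for rule_mac, mask, port in self.outbound_filters:
            if egress == port and mac_matches(frame.src, rule_mac, mask):
                return True
        return False


def run_scenario(direction: str) -> Dict[str, bool]:
    """Send three frames from the denied source via upstream port 0/19/0 (assumed)."""
    sw = LanSwitch(mac_table={"0011-2233-4455": "0/5/0"})  # constructed entry
    # outbound: the FAQ's 'port 0/5/0'; inbound: the assumed port where traffic enters
    filter_port = "0/19/0" if direction == "inbound" else "0/5/0"
    # acl 4000 rule 1 deny source 1234-5678-1234 ffff-ffff-ffff (from the page)
    sw.packet_filter(direction, "1234-5678-1234", "ffff-ffff-ffff", filter_port)
    src = "1234-5678-1234"
    frames = {
        "known unicast": Frame(src, "0011-2233-4455"),   # in the MAC table
        "unknown unicast": Frame(src, "00aa-bbcc-ddee"), # not learned: flooded
        "broadcast": Frame(src, BROADCAST),              # flooded
    }
    return {name: sw.dropped(f, "0/19/0") for name, f in frames.items()}


if __name__ == "__main__":
    for d in ("outbound", "inbound"):
        print(d, run_scenario(d))
```

Running it prints the outbound case with only the known unicast frame dropped and the inbound case with all three dropped, which is the behaviour the suggestion above relies on.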
