
FAQ - S9300 doesn't support Inbound Ping blocking

Publication Date:  2012-07-27 Views:  29 Downloads:  0
Issue Description
S9300 doesn't support Inbound Ping blocking. The customer wants to block inbound ping for a PAT test case, but when we tried to block ping from a PC to the switch S9306, the ping was not blocked. This is a major security issue because a rogue user could generate an ICMP flood that wastes critical device resources (CPU, memory, forwarding capacity) and causes service degradation or an outage.


Alarm Information
Null

Handling Process

When we ping the S9300, the ICMP packet is sent to the CPU by a default ACL. This default ACL has a much higher priority than a user-defined ACL such as ACL 2001. The default ACL permits the traffic and the user-defined ACL denies it, so ACL 2001 takes no effect. We reached the following conclusions when trying to configure an ACL to block the ping.

Topology: PC1[10.10.10.2] <---> S9306[Vlan10 10.10.10.1]

1. The ACL only works in the outbound direction, for the reason explained above.

2. In the outbound direction, the ACL's permit source can be either a single host (10.10.10.2 0) or a network (10.10.10.0 0.0.0.255).

In other conditions, such as the topology PC1-S9306-PC2, when we try to block ping packets (to PC2) whose destination is not the S9306, the ACL works in both the inbound and outbound directions, because the S9306 does not process the ICMP packet itself but only forwards it to the next hop.
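The following Python model is an added example, not Huawei code or output from this FAQ. It implements the wildcard-mask matching used by the basic ACL rules on this page (a "0" wildcard selects one host, "0.0.0.255" a /24) and encodes the behaviour reported above as an assumption drawn from the page: an inbound traffic policy is bypassed for ICMP addressed to the switch itself because the default CPU-punt ACL wins, while outbound policies and transit traffic in either direction are filtered. The rule sets ACL_2001_HOST and ACL_2001_NET correspond to the two ACL variants tested in the steps of this FAQ; the function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclRule:
    action: str     # "permit" or "deny"
    source: str     # base address, e.g. "10.10.10.0"
    wildcard: str   # wildcard mask, e.g. "0.0.0.255" (1 bits = don't care)


def _to_int(dotted: str) -> int:
    # VRP accepts the shorthand "0" for the 0.0.0.0 wildcard (single host)
    return int(ipaddress.IPv4Address("0.0.0.0" if dotted == "0" else dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Basic-ACL source match: bits set in the wildcard are ignored, so
    "10.10.10.2 0" is one host and "10.10.10.0 0.0.0.255" is a /24."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def acl_action(rules: List[AclRule], src: str) -> Optional[str]:
    """First-match semantics: action of the first rule that matches, else None."""
    for rule in rules:
        if wildcard_match(src, rule.source, rule.wildcard):
            return rule.action
    return None


def policy_verdict(direction: str, to_switch: bool, rules: List[AclRule], src: str) -> str:
    """Model of the behaviour this FAQ reports (an assumption taken from the page,
    not a description of VRP internals):
    - a traffic policy whose classifier is 'if-match acl' with behaviour 'deny'
      discards packets that hit a permit rule of the ACL;
    - inbound, a packet addressed to the switch itself is punted to the CPU by
      the higher-priority default ACL first, so the user policy has no effect;
    - outbound, and for transit traffic in either direction, the policy is honoured.
    Returns "discard" or "forward"."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {direction}")
    if direction == "inbound" and to_switch:
        return "forward"          # default CPU-punt ACL takes precedence
    if acl_action(rules, src) == "permit":
        return "discard"          # classifier matched, behaviour deny
    return "forward"


# ACL variants used in the test steps of this FAQ
ACL_2001_HOST = [AclRule("permit", "10.10.10.1", "0")]           # single host
ACL_2001_NET = [AclRule("permit", "10.10.10.0", "0.0.0.255")]    # whole /24

if __name__ == "__main__":
    # switch-originated echo request, outbound policy: discarded
    print(policy_verdict("outbound", False, ACL_2001_HOST, "10.10.10.1"))
    # echo reply from the PC to the switch, inbound policy: forwarded (not blocked)
    print(policy_verdict("inbound", True, ACL_2001_NET, "10.10.10.2"))
    # PC1 -> PC2 transit through the switch, inbound policy: discarded
    print(policy_verdict("inbound", False, ACL_2001_NET, "10.10.10.2"))
```

The model makes the defensive point explicit: an inbound traffic policy does not protect the switch's own control plane against ICMP, so rate limiting or filtering of CPU-bound traffic has to be done by a mechanism that runs before or instead of the user ACL.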

 


Root Cause

1. Create an ACL and a traffic policy to block ping from a single host, then apply the traffic policy in the outbound direction on the interface. Result: ping is blocked.

PC1[10.10.10.2] <---> S9306[Vlan10 10.10.10.1]

[S9306-1]int vlan 10
[S9306-1-Vlanif10]dis th
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
return
[S9306-1-Vlanif10]q
[S9306-1]acl 2001
[S9306-1-acl-basic-2001]rule permit source 10.10.10.1 0
[S9306-1-acl-basic-2001]q
[S9306-1]traffic classifier test /// classifier test
[S9306-1-classifier-test]if-match acl 2001
[S9306-1-classifier-test]q
[S9306-1]traffic behavior test /// behavior test
[S9306-1-behavior-test]deny
[S9306-1-behavior-test]q
[S9306-1]traffic policy test /// binding the policy
[S9306-1-trafficpolicy-test]classifier test behavior test
[S9306-1-trafficpolicy-test]q
[S9306-1]int giga 1/0/31
[S9306-1-GigabitEthernet1/0/31]traffic-policy test outbound
Processing..DONE!
[S9306-1-GigabitEthernet1/0/31]ping 10.10.10.2
PING 10.10.10.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.10.10.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss


2. Then apply the traffic policy in the inbound direction on the interface. Result: ping is not blocked.

[S9306-1-GigabitEthernet1/0/31]traffic-policy test in
Processing..DONE!
[S9306-1-GigabitEthernet1/0/31]ping 10.10.10.2
PING 10.10.10.2: 56 data bytes, press CTRL_C to break
Reply from 10.10.10.2: bytes=56 Sequence=1 ttl=128 time=2 ms
Reply from 10.10.10.2: bytes=56 Sequence=2 ttl=128 time=2 ms
Reply from 10.10.10.2: bytes=56 Sequence=3 ttl=128 time=2 ms
Reply from 10.10.10.2: bytes=56 Sequence=4 ttl=128 time=2 ms
Reply from 10.10.10.2: bytes=56 Sequence=5 ttl=128 time=2 ms
--- 10.10.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms

3. Create an ACL and a traffic policy to block ping for a network, then apply the traffic policy in the outbound direction on the interface. Result: ping is blocked.

[S9306-1-GigabitEthernet1/0/31]undo traffic-policy in
Processing..DONE!
[S9306-1-GigabitEthernet1/0/31]q
[S9306-1]acl 2001
[S9306-1-acl-basic-2001]rule 5 permit source 10.10.10.0 0.0.0.255 /// create acl that permits the network
[S9306-1-acl-basic-2001]dis th
#
acl number 2001
rule 5 permit source 10.10.10.0 0.0.0.255
rule 10 permit source 10.10.10.1 0
#
return
[S9306-1-acl-basic-2001]undo rule 10
[S9306-1-acl-basic-2001]dis th
#
acl number 2001
rule 5 permit source 10.10.10.0 0.0.0.255
#
return
[S9306-1-acl-basic-2001]q
#
return
[S9306-1-GigabitEthernet1/0/31]traffic-policy test out /// apply the acl to outbound direction. DISCARD the icmp!!!
Processing..DONE!
[S9306-1-GigabitEthernet1/0/31]ping 10.10.10.2
PING 10.10.10.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.10.10.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

4. Then apply the traffic policy in the inbound direction on the interface. Result: ping is not blocked.

[S9306-1-GigabitEthernet1/0/31]undo traffic-policy out
Processing..DONE!
[S9306-1-GigabitEthernet1/0/31]traffic-policy test in /// apply the acl to inbound direction. ACL DOESN'T work!!!
Processing..DONE!
[S9306-1-GigabitEthernet1/0/31]ping 10.10.10.2
PING 10.10.10.2: 56 data bytes, press CTRL_C to break
Reply from 10.10.10.2: bytes=56 Sequence=1 ttl=128 time=2 ms
Reply from 10.10.10.2: bytes=56 Sequence=2 ttl=128 time=3 ms
Reply from 10.10.10.2: bytes=56 Sequence=3 ttl=128 time=2 ms
Reply from 10.10.10.2: bytes=56 Sequence=4 ttl=128 time=3 ms
Reply from 10.10.10.2: bytes=56 Sequence=5 ttl=128 time=2 ms
--- 10.10.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms
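The four steps above form a small test matrix (single host or network ACL, applied inbound or outbound), and the only evidence for each case is the ping statistics block. The Python below is an added example, not Huawei code, that parses that block from the VRP ping output format shown on this page and checks a set of captured transcripts against the results this FAQ reports. The two transcripts embedded in it are constructed, trimmed to two probes each; the function and constant names are the example's own.

```python
import re
from typing import Dict, List

# Matches the statistics block printed at the end of the VRP 'ping' command
_STATS_RE = re.compile(
    r"(?P<tx>\d+) packet\(s\) transmitted\s+"
    r"(?P<rx>\d+) packet\(s\) received\s+"
    r"(?P<loss>\d+(?:\.\d+)?)% packet loss"
)


def parse_ping_stats(output: str) -> Dict[str, float]:
    """Extract transmitted/received counts and loss percentage from a ping
    transcript. Raises ValueError when no statistics block is present, so a
    truncated capture is never mistaken for a result."""
    m = _STATS_RE.search(output)
    if m is None:
        raise ValueError("no ping statistics block found in output")
    return {"transmitted": int(m["tx"]), "received": int(m["rx"]),
            "loss_pct": float(m["loss"])}


def icmp_blocked(output: str) -> bool:
    """True only when probes were sent and none came back."""
    s = parse_ping_stats(output)
    return s["transmitted"] > 0 and s["received"] == 0


# Constructed sample transcripts (two probes each) in the format shown in this FAQ
PING_BLOCKED = """PING 10.10.10.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
--- 10.10.10.2 ping statistics ---
2 packet(s) transmitted
0 packet(s) received
100.00% packet loss
"""
PING_OK = """PING 10.10.10.2: 56 data bytes, press CTRL_C to break
Reply from 10.10.10.2: bytes=56 Sequence=1 ttl=128 time=2 ms
Reply from 10.10.10.2: bytes=56 Sequence=2 ttl=128 time=3 ms
--- 10.10.10.2 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms
"""

# Expected outcome per test case, as reported by steps 1 to 4 of this FAQ
EXPECTED_BLOCKED = {
    "host/outbound": True,
    "host/inbound": False,
    "network/outbound": True,
    "network/inbound": False,
}


def check_matrix(captures: Dict[str, str],
                 expected: Dict[str, bool] = EXPECTED_BLOCKED) -> List[str]:
    """Compare captured transcripts with the expected results. Returns the names
    of deviating or missing cases; an empty list means the device behaved as
    this FAQ describes (inbound policy does not protect the switch itself)."""
    mismatches: List[str] = []
    for case, want in expected.items():
        if case not in captures:
            mismatches.append(f"{case}: no capture")
            continue
        if icmp_blocked(captures[case]) != want:
            mismatches.append(case)
    return mismatches


if __name__ == "__main__":
    captures = {"host/outbound": PING_BLOCKED, "host/inbound": PING_OK,
                "network/outbound": PING_BLOCKED, "network/inbound": PING_OK}
    print(check_matrix(captures))  # []
```

Feed it the real transcripts captured during the PAT test case; any case that appears in the returned list is one where the observed behaviour differs from this FAQ and should be investigated rather than assumed.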


Suggestions
Null

END