
FAQ-S9300 can't discard inbound icmp packets using ACL

Publication Date: 2012-07-27
Issue Description
Version: S9300 V100R002C00SPC200

Topology: PC1[1.1.1.3] <---> S9306[Vlan10 1.1.1.1]

1. Configuring ACL with host
============================
acl number 2001
 rule 5 permit source 1.1.1.3 0
#
traffic classifier ping_block operator or precedence 5
 if-match acl 2001
#
traffic behavior ping_block
 deny
#
traffic policy ping_block
 classifier ping_block behavior ping_block
#
interface GigabitEthernet2/0/12
 port link-type access
 port default vlan 10
 traffic-policy ping_block inbound
#
interface Vlanif10
 ip address 1.1.1.1 255.255.255.0
#

ping from PC:
=============
C:\Documents and Settings\Administrator>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time<1ms TTL=128
Reply from 1.1.1.1: bytes=32 time<1ms TTL=128

2. Configuring ACL with network
===============================
sysname S9306
#
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
#

ping from PC:
=============
C:\Documents and Settings\Administrator>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.


Alarm Information
none
Handling Process
none
Root Cause
When a PC pings the S9300, the ICMP packets destined to the switch itself are sent to the CPU by a default (system-defined) ACL. This default ACL has a much higher priority than the user-defined ACL, so the user-defined ACL applied in the inbound direction does not take effect on these packets; it only takes effect in the outbound direction.
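As an added check (example code written for this page, not Huawei's code and not part of the original FAQ): a small evaluator for VRP basic-ACL rules with wildcard masks, run against the two ACL variants quoted in sections 1 and 2 above. It confirms that both the host rule (1.1.1.3 0) and the network rule (1.1.1.0 0.0.0.255) match the PC address 1.1.1.3, so the different ping results are not caused by the rule failing to match the source. The first-match evaluation in configuration order, and treating "no rule matched" as "not classified by the traffic classifier", are assumptions about the default VRP behaviour; the bare wildcard `0` is treated as 0.0.0.0 (exact host match).

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed input: the two ACL 2001 variants from the FAQ above.
ACL_HOST = """\
acl number 2001
 rule 5 permit source 1.1.1.3 0
"""
ACL_NETWORK = """\
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
"""

# Matches "rule <id> permit|deny source <address> <wildcard>" lines only.
_RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)\s*$"
)

Rule = Tuple[int, str, int, int]  # (rule id, action, source, wildcard)


def parse_basic_acl(text: str) -> List[Rule]:
    """Parse the source rules of a VRP basic ACL (2000-2999) in config order.

    Assumption: rules are evaluated in configuration order, which is the
    default match order on VRP unless 'match-order auto' is configured.
    """
    rules: List[Rule] = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        rid, action, src, wild = m.groups()
        src_int = int(ipaddress.IPv4Address(src))
        # A bare '0' wildcard is shorthand for 0.0.0.0, i.e. an exact host match.
        wild_int = int(ipaddress.IPv4Address(wild)) if "." in wild else int(wild)
        rules.append((int(rid), action, src_int, wild_int))
    return rules


def wildcard_match(addr: int, src: int, wild: int) -> bool:
    """Wildcard-mask semantics: a 0 bit in the wildcard must match the
    source, a 1 bit is ignored (the inverse of a subnet mask)."""
    care_bits = ~wild & 0xFFFFFFFF
    return ((addr ^ src) & care_bits) == 0


def evaluate(rules: List[Rule], ip: str) -> Optional[str]:
    """Return 'permit' or 'deny' from the first matching rule, or None when no
    rule matches (assumption: the classifier then does not match the packet,
    so the deny behavior is never applied to it)."""
    addr = int(ipaddress.IPv4Address(ip))
    for _rid, action, src, wild in rules:
        if wildcard_match(addr, src, wild):
            return action
    return None


def acl_results(ip: str) -> dict:
    """Evaluate one source address against both ACL variants from the FAQ."""
    return {
        "host_rule": evaluate(parse_basic_acl(ACL_HOST), ip),
        "network_rule": evaluate(parse_basic_acl(ACL_NETWORK), ip),
    }


if __name__ == "__main__":
    # The PC in the topology, another host in the same /24, and an outsider.
    for source in ("1.1.1.3", "1.1.1.77", "10.0.0.1"):
        print(source, acl_results(source))
```

Both variants return `permit` for 1.1.1.3, which is exactly the condition the classifier needs to apply the `deny` behavior; the host rule is therefore not "wrong", and the explanation for the surviving pings has to come from the platform behavior described under Root Cause.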

Suggestions
none

END