No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.

Knowledge Base

Packet Filtering Does Not Take Effect When the External Network Is Pinged on the AR

Publication Date:  2015-04-01  |   Views:  937  |   Downloads:  0  |   Document ID:  EKB1000072027


Issue Description


Figure 1 Networking diagram for an AR used as a gateway

Main configuration on the AR:

# acl number 3301 rule 5 deny icmp destination 0 rule 10 permit ip # interface GigabitEthernet0/0/1 traffic-filter outbound acl 3301 #

Fault Symptom:

Run the traffic-filter outbound acl 3301 command on an AR interface to block ping packets with destination address When destination address is pinged on the AR, the ping operation succeeds but packet filtering does not take effect.

Handling Process

The ping command cannot be executed on a PC but can be executed on the AR.

The ping command executed on the AR is directly sent from the protocol stack to the outbound interface without entering the forwarding plane. Traffic filtering applies to the forwarding plane without involving the QoS process, so packets cannot be filtered. This is a normal situation that destination address can be pinged on the AR.


The AR software includes the control and forwarding planes. The differences are as follows:
  • The forwarding panel forwards packets destined for another device. Generally, packets with inbound and outbound physical interfaces are called packets destined for another device.
  • Packets sent by the control plane do not enter the forwarding plane. Most of these packets are irrelevant to services deployed on the forwarding plane.