Traffic Policy Configured on the S5700 Does Not Take Effect

Publication Date:  2019-04-08 Views:  302 Downloads:  0

Issue Description

As shown in the network topology, the interfaces on all the switches are part of the same VLAN.

The networking requirement is that every PC can ping the server, but no PC can reach the server by FTP, remote desktop, or any other method; only PC1, whose MAC address is permitted in ACL4000, may access the server by those other methods.

Symptom after the traffic policy shown below is configured:

PCs whose MAC addresses are not permitted in ACL4000 can neither ping nor otherwise access the server; the PC whose MAC address is permitted in ACL4000 can do both.

Deleting the traffic policy and re-configuring it on GigabitEthernet0/0/12 does not change the symptom. The key configuration is as follows:


acl number 3000
 rule 5 permit icmp

acl number 4000
 rule 5 permit source-mac c81f-ffff-6197
 rule 300 deny

traffic classifier tc1 operator and
 if-match acl 3000
traffic classifier tc2 operator and
 if-match acl 4000

traffic behavior tb1

traffic behavior tb2

traffic policy tp1 match-order config
 classifier tc1 behavior tb1
 classifier tc2 behavior tb2

interface GigabitEthernet0/0/12
 port link-type access
 port default vlan 10
 traffic-policy tp1 inbound


Handling Process

The switch learns ARP entries and MAC address entries correctly.

[HUAWEI]display arp
MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VLAN/CEVLAN
------------------------------------------------------------------------------
9c71-ffff-d83b            I -         Vlanif10
ec38-ffff-28cd  16        D-0         GE0/0/12    10/-
c81f-ffff-6197  16        D-0         GE0/0/12    10/-
044f-ffff-100b  16        D-0         GE0/0/12    10/-
501a-ffff-d55a  16        D-0         GE0/0/12
------------------------------------------------------------------------------
Total:5         Dynamic:4       Static:0     Interface:1

[HUAWEI]display mac-address
MAC Address          VLAN/VSI                    Learned-From          Type
------------------------------------------------------------------------------
c81f-ffff-6197       10/-                        GE0/0/12              dynamic
501a-ffff-d55a       10/-                        GE0/0/12              dynamic
044f-ffff-100b       10/-                        GE0/0/12              dynamic
ec38-ffff-28cd       10/-                        GE0/0/24              dynamic
------------------------------------------------------------------------------
Total items displayed = 4


Check the ARP entries on the PCs and on the server: the server and any PC that is not permitted in ACL4000 cannot learn each other's ARP entries.


Check the traffic policy again. ACL3000 permits the ping (ICMP) packets, but an ARP request is not an IP packet, so it does not match ACL3000 in tc1 and is evaluated against tc2 instead. There ACL4000 permits only the source MAC address c81f-ffff-6197 and rule 300 denies everything else, so ARP packets from the other MAC addresses are discarded. The server's MAC address is therefore never resolved, and the ping cannot succeed.

Modify the traffic classifier to permit matching ARP packets. The problem is solved.


[HUAWEI]traffic classifier tc1 operator or
[HUAWEI]if-match acl 3000
[HUAWEI]if-match l2-protocol arp
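To make the interaction explicit, here is an added Python model (example code, not part of the Huawei article) of how tp1 classifies inbound frames on GE0/0/12 under the original tc1 and the corrected one: ACL rules are first-match, a deny rule in a referenced ACL discards the frame whatever the behavior says, and ARP is tested by its own Ethernet type rather than as IP. The frame fields, the choice of 501a-ffff-d55a from the display output above as the non-permitted PC, and treating the empty behaviors tb1/tb2 as plain forwarding are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    src_mac: str
    ethertype: str        # "arp" or "ip"
    ip_proto: str = ""    # "icmp", "tcp", ... (only meaningful when ethertype == "ip")

# ACL rules as (rule number, action, predicate); the first matching rule wins, as in VRP.
ACL3000 = [(5, "permit", lambda f: f.ethertype == "ip" and f.ip_proto == "icmp")]
ACL4000 = [(5, "permit", lambda f: f.src_mac == "c81f-ffff-6197"),
           (300, "deny", lambda f: True)]

def match_acl(acl):
    """if-match acl <n>: the matching rule's action, or None when no rule matches."""
    return lambda f: next((act for _, act, pred in acl if pred(f)), None)

def match_arp(f):
    """if-match l2-protocol arp: ARP is not an IP packet, so an ICMP ACL never matches it."""
    return "match" if f.ethertype == "arp" else None

def apply_policy(policy, frame):
    """policy = [((operator, [matchers]), behavior)] in configuration order (match-order
    config); the first classifier that matches decides what happens to the frame."""
    for (op, matchers), behavior in policy:
        verdicts = [m(frame) for m in matchers]
        hits = [v is not None for v in verdicts]
        if not (all(hits) if op == "and" else any(hits)):
            continue
        # A deny rule in a referenced ACL discards the packet regardless of the behavior.
        return "drop" if "deny" in verdicts else behavior
    return "forward"      # frames matching no classifier are not touched by the policy

# tb1 and tb2 carry no actions, so a matched packet is simply forwarded (assumption).
TP1_ORIGINAL = [(("and", [match_acl(ACL3000)]), "forward"),
                (("and", [match_acl(ACL4000)]), "forward")]
TP1_FIXED = [(("or", [match_acl(ACL3000), match_arp]), "forward"),
             (("and", [match_acl(ACL4000)]), "forward")]

def verdicts_for(policy, src_mac):
    """Fate of ARP, ICMP and TCP (e.g. FTP) frames from one PC, inbound on GE0/0/12."""
    frames = {"arp": Frame(src_mac, "arp"), "icmp": Frame(src_mac, "ip", "icmp"),
              "tcp": Frame(src_mac, "ip", "tcp")}
    return {name: apply_policy(policy, f) for name, f in frames.items()}

def ping_works(policy, src_mac):
    """A ping needs the ARP request to get through before the ICMP echo can."""
    v = verdicts_for(policy, src_mac)
    return v["arp"] == "forward" and v["icmp"] == "forward"
```

With the original tc1, the non-permitted PC's ARP is dropped by rule 300 of ACL4000 even though its ICMP is permitted; with the corrected tc1, ARP and ICMP pass while TCP is still dropped, which is the required behaviour.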

Root Cause

The traffic policy does not permit ARP packets. As a result, the ping operation fails.


Solution

Modify the traffic classifier tc1 so that it also matches ARP packets (operator or, with if-match l2-protocol arp).