
Traffic Policy Configured on the S5700 Does Not Take Effect

Publication Date: 2019-04-08
Issue Description

As shown in the network topology, the interfaces on all the switches are part of the same VLAN.

https://support.huawei.com/enterprisecase/product/images/6d9db9cfb2054927a39baa45961ec3fe

According to the networking requirements, the server can be pinged on all PCs, but the PCs cannot access the server using FTP, remote desktop, or other methods. Only PC1 whose MAC address is permitted in ACL4000 can access the server using other methods.

Symptom after the following traffic policy is configured:

The server cannot be accessed and pinged on the PCs whose MAC addresses are not permitted in ACL4000. The server can be accessed and pinged on the PC whose MAC address is permitted in ACL4000.

Deleting the configuration and re-applying the traffic policy on GigabitEthernet0/0/12 does not change the symptom. The key configuration is as follows:

#
acl number 3000
 rule 5 permit icmp
#
acl number 4000
 rule 5 permit source-mac c81f-ffff-6197
 rule 300 deny
#
traffic classifier tc1 operator and
 if-match acl 3000
traffic classifier tc2 operator and
 if-match acl 4000
#
traffic behavior tb1
 permit
traffic behavior tb2
 permit
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
 classifier tc2 behavior tb2
#
interface GigabitEthernet0/0/12
 port link-type access
 port default vlan 10
 traffic-policy tp1 inbound
#

Handling Process

The switch learns ARP entries and MAC address entries correctly:

[HUAWEI]display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                                                  VLAN/CEVLAN
------------------------------------------------------------------------------
192.168.1.10    9c71-ffff-d83b            I -         Vlanif10
192.168.1.1     ec38-ffff-28cd  16        D-0         GE0/0/12
                                                                  10/-
192.168.1.5     c81f-ffff-6197  16        D-0         GE0/0/12
                                                                  10/-
192.168.1.26    044f-ffff-100b  16        D-0         GE0/0/12
                                                                  10/-
192.168.1.33    501a-ffff-d55a  16        D-0         GE0/0/12
                                                                  10/-
------------------------------------------------------------------------------
Total:5         Dynamic:4       Static:0     Interface:1

[HUAWEI]display mac-address
-------------------------------------------------------------------------------
MAC Address          VLAN/VSI                    Learned-From          Type
-------------------------------------------------------------------------------
c81f-ffff-6197       10/-                        GE0/0/12              dynamic
501a-ffff-d55a       10/-                        GE0/0/12              dynamic
044f-ffff-100b       10/-                        GE0/0/12              dynamic
ec38-ffff-28cd       10/-                        GE0/0/24              dynamic
-------------------------------------------------------------------------------
Total items displayed = 4

Check the ARP entries on the PCs and the server. The server and the PCs whose MAC addresses are not permitted in ACL4000 cannot learn each other's ARP entries.

 

Check the traffic policy again. ACL3000 permits ICMP, so ping packets match tc1 and are forwarded. ARP frames, however, are not IP packets and do not match ACL3000, so they fall through to tc2, where ACL4000 permits only source MAC address c81f-ffff-6197 and rule 300 deny discards every other frame, including ARP. A frame that hits a deny rule in the ACL is discarded even though the behavior tb2 is permit. As a result, the PCs with other MAC addresses cannot resolve the MAC address of the server, and therefore the server cannot be pinged.

Modify traffic classifier tc1 so that it also matches ARP packets (operator or, so a packet matches tc1 when it hits either ACL 3000 or the ARP rule). The problem is solved.

<HUAWEI>sys
[HUAWEI]traffic classifier tc1 operator or
[HUAWEI-classifier-tc1]if-match acl 3000
[HUAWEI-classifier-tc1]if-match l2-protocol arp
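To make the root cause and the fix traceable frame by frame, the following added example (not Huawei code and not part of the original case) models the inbound traffic policy on GigabitEthernet0/0/12 in Python. It assumes the documented S-series semantics of if-match acl: classifiers in a match-order config policy are tried in configuration order, a frame matching a permit rule of the ACL matches the term, a frame matching a deny rule of the ACL is discarded regardless of the behavior, a frame matching no ACL rule does not match the term, and a frame matching no classifier is forwarded. PC1_MAC is the permitted MAC from the case; PC2_MAC is another MAC from the ARP table, used as a PC that is not permitted. The frames are constructed sample input.

```python
# Added example (not Huawei code): simplified model of the S5700 traffic policy
# in this case, tracing why ARP from a non-permitted PC is dropped and why
# matching ARP in tc1 with 'operator or' fixes it.
#
# Modelling assumptions (documented S-series behaviour of 'if-match acl'):
#   - classifiers of a 'match-order config' policy are tried in config order;
#   - a frame hitting a permit rule of the ACL matches that if-match term;
#   - a frame hitting a deny rule of the ACL is discarded, whatever the behavior;
#   - a frame hitting no rule of the ACL does not match that term;
#   - a frame matching no classifier is forwarded (default permit).
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PC1_MAC = "c81f-ffff-6197"   # permitted by ACL4000 rule 5 (from the case)
PC2_MAC = "044f-ffff-100b"   # another PC from the ARP table, not permitted


@dataclass(frozen=True)
class Frame:
    name: str
    src_mac: str
    ethertype: str        # "arp" or "ip"
    ip_proto: str = ""    # "icmp" or "tcp" when ethertype is "ip"


# An ACL is an ordered list of (rule id, action, predicate); first hit wins.
Rule = Tuple[int, str, Callable[[Frame], bool]]

ACL_3000: List[Rule] = [
    (5, "permit", lambda f: f.ethertype == "ip" and f.ip_proto == "icmp"),
]
ACL_4000: List[Rule] = [
    (5, "permit", lambda f: f.src_mac == PC1_MAC),
    (300, "deny", lambda f: True),
]


def if_match_acl(acl: List[Rule]) -> Callable[[Frame], str]:
    """Term result: 'permit' (matches), 'deny' (discard) or 'nomatch'."""
    def term(frame: Frame) -> str:
        for _rule_id, action, pred in acl:
            if pred(frame):
                return action
        return "nomatch"
    return term


def if_match_l2_protocol(proto: str) -> Callable[[Frame], str]:
    return lambda f: "permit" if f.ethertype == proto else "nomatch"


@dataclass(frozen=True)
class Classifier:
    name: str
    operator: str                                  # "and" or "or"
    terms: Tuple[Callable[[Frame], str], ...]

    def evaluate(self, frame: Frame) -> str:
        results = [t(frame) for t in self.terms]
        if "deny" in results:                      # ACL deny rule discards the frame
            return "deny"
        hits = [r == "permit" for r in results]
        matched = all(hits) if self.operator == "and" else any(hits)
        return "match" if matched else "nomatch"


Policy = List[Tuple[Classifier, str]]              # (classifier, behavior) in config order


def apply_policy(policy: Policy, frame: Frame) -> Tuple[str, str]:
    """Return (action, reason) for one frame entering the interface."""
    for clf, behavior in policy:
        result = clf.evaluate(frame)
        if result == "deny":
            return "drop", f"{clf.name}: ACL deny rule"
        if result == "match":
            return ("forward" if behavior == "permit" else "drop"), f"{clf.name}: behavior {behavior}"
    return "forward", "no classifier matched"


# The policy as configured in the case (symptom) ...
ORIGINAL_POLICY: Policy = [
    (Classifier("tc1", "and", (if_match_acl(ACL_3000),)), "permit"),
    (Classifier("tc2", "and", (if_match_acl(ACL_4000),)), "permit"),
]
# ... and after the fix: tc1 uses 'operator or' and also matches ARP.
FIXED_POLICY: Policy = [
    (Classifier("tc1", "or", (if_match_acl(ACL_3000), if_match_l2_protocol("arp"))), "permit"),
    (Classifier("tc2", "and", (if_match_acl(ACL_4000),)), "permit"),
]

# Constructed sample frames from PC1 (permitted MAC) and PC2 (not permitted).
FRAMES = [
    Frame("pc1_arp", PC1_MAC, "arp"),
    Frame("pc2_arp", PC2_MAC, "arp"),
    Frame("pc1_icmp", PC1_MAC, "ip", "icmp"),
    Frame("pc2_icmp", PC2_MAC, "ip", "icmp"),
    Frame("pc1_ftp", PC1_MAC, "ip", "tcp"),
    Frame("pc2_ftp", PC2_MAC, "ip", "tcp"),
]


def verdicts(policy: Policy) -> Dict[str, str]:
    """Map each sample frame name to the action the policy takes on it."""
    return {f.name: apply_policy(policy, f)[0] for f in FRAMES}


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(f"--- {label} policy ---")
        for f in FRAMES:
            action, reason = apply_policy(policy, f)
            print(f"{f.name:9} {action:8} ({reason})")
```

Running the model shows pc2_arp dropped by tc2's deny rule under the original policy and forwarded by tc1 under the fixed one, while pc2_ftp stays dropped and pc1_ftp stays forwarded, which is the intended access control. The fix depends on match-order config placing tc1 before tc2: if tc2 were listed first, ARP from PC2 would still hit rule 300 deny before tc1 is consulted.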

Root Cause

The traffic policy does not permit ARP packets from MAC addresses other than the one permitted in ACL4000, so those PCs cannot resolve the server's MAC address and the ping operation fails.

Solution

Modify the traffic classifier to permit matching ARP packets.
