Topology: NE40E------CISCO7609------S3300-------Internet café or leased-line PC
The devices are connected through Layer 3 interfaces. The user gateway is the S3300.
Version: S3300 V100R002C02B181SPC001 (the newly released universal version)
Symptom: The internal PC cannot ping the external PC, but the online services are running properly.
The leased-line PC can ping the other PCs that are directly connected to it, so the problem does not lie in the leased-line PC. Check the configurations on all participating devices: no configuration prevents ICMP packets from being transmitted. Segment-by-segment ping tests show that the NE40E and CISCO7609 forward the ICMP packets normally, while the ICMP packets that pass through the S3300 are discarded. However, no ACL or traffic policy is configured on the S3300.
Run the display acl resource command and find that the S3300 automatically delivers two ACLs.
The S3300 running V100R002C02B181SPC001 supports ICMP automatic protection. By default, ICMP automatic protection is enabled. If a GE interface receives more than 20 ICMP packets that are sent to the CPU each second or an FE interface receives more than 10 ICMP packets that are sent to the CPU, the S3300 automatically delivers ACLs to its interfaces to block ICMP packets. (Note: Only the ICMP packets sent to the CPU of the S3300 can trigger automatic protection. The ICMP packets forwarded through another switch cannot trigger automatic protection. However, after an ACL is delivered to the interface, all ICMP packets that traverse this interface are affected.)
Analysis of the captured packets shows that some ICMP packets from the outside network are sent to the S3300 with the S3300's own address as the destination address. As a result, the upstream interface on the S3300 delivers an ACL that blocks the ICMP packets from the outside network.
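The capture analysis described above can be reproduced offline. The following is an added example, not part of the original case or of any Huawei tool: it counts ICMP packets addressed to the switch itself per ingress interface and reports interfaces that exceed the thresholds stated on this page. The interface names, addresses, packet records and the use of fixed one-second buckets are assumptions; how the S3300 actually measures the rate is not documented here.

```python
from collections import Counter

# Thresholds stated on this page: CPU-bound ICMP packets per second.
THRESHOLDS = {"GE": 20, "FE": 10}

def interfaces_over_threshold(packets, switch_addrs, if_types):
    """Return {interface: peak pps} for interfaces whose CPU-bound ICMP
    rate exceeds the threshold in at least one 1-second bucket.

    packets: iterable of (timestamp_seconds, ingress_interface, dst_ip)
    switch_addrs: set of the switch's own IP addresses
    if_types: {interface: "GE" or "FE"}
    """
    buckets = Counter()
    for ts, ifname, dst in packets:
        # Only ICMP addressed to the switch itself is sent to the CPU;
        # per the note on this page, transit ICMP does not count.
        if dst in switch_addrs:
            buckets[(ifname, int(ts))] += 1  # assumption: fixed 1 s buckets
    peaks = {}
    for (ifname, _), count in buckets.items():
        if count > THRESHOLDS[if_types[ifname]]:
            peaks[ifname] = max(peaks.get(ifname, 0), count)
    return peaks

def build_sample():
    """Constructed sample data, not taken from the capture in this case."""
    switch = {"192.0.2.1"}                       # hypothetical S3300 address
    types = {"GE0/0/1": "GE", "FE0/0/5": "FE"}   # hypothetical interfaces
    pkts = []
    # 25 pings to the switch's own address within one second on the uplink
    pkts += [(100 + i * 0.03, "GE0/0/1", "192.0.2.1") for i in range(25)]
    # 40 transit pings through the uplink in the same second (not CPU-bound)
    pkts += [(100 + i * 0.02, "GE0/0/1", "198.51.100.7") for i in range(40)]
    # 10 pings to the switch on an FE port: equal to the limit, not above it
    pkts += [(200 + i * 0.05, "FE0/0/5", "192.0.2.1") for i in range(10)]
    return pkts, switch, types

if __name__ == "__main__":
    pkts, switch, types = build_sample()
    hits = interfaces_over_threshold(pkts, switch, types)
    for ifname, pps in hits.items():
        limit = THRESHOLDS[types[ifname]]
        print(f"{ifname}: peak {pps} CPU-bound ICMP pps exceeds {limit}")
```

An interface reported here is one where the automatically delivered ACL would be expected, which matches the upstream interface in this case.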
After ICMP automatic protection is disabled using the undo icmp rate-limit enable command, the ping operation is performed successfully.
configuration is wrong.
Use the undo icmp rate-limit enable command to disable ICMP automatic protection, and the ping operation is performed successfully.