Issue Description
The customer claims that a traffic policy configured on a Huawei S5720 switch does not take effect.
When the customer pings a public IP address (e.g. 8.8.8.8) from the switch itself, using a local interface address of the S5720 (e.g. 10.10.10.1) as the source, he receives a reply even though ACL 3002 is configured to deny it:
acl number 3002
rule 10 permit ip destination 10.10.10.0 0.0.0.255 logging
rule 20 permit ip destination 10.20.10.0 0.0.0.255 logging
rule 30 deny ip logging
#
traffic classifier c1 operator and
if-match acl 3002
#
traffic behavior b1
permit
#
traffic policy p1
classifier c1 behavior b1
#
vlan 50
traffic-policy p1 inbound
Handling Process
When the peer device sends the ICMP Echo Reply, its destination IP is 10.10.10.1.
A packet to 10.10.10.1 does match ACL 3002 (rule 30, deny), but the traffic policy does not take effect on it, because the destination is an interface address of the switch itself.
The switch has a built-in default ACL whose job is to "catch" ICMP packets destined for the switch's own IP addresses and send them to the CPU.
This default ACL has a higher priority than the user-configured traffic policy, so the reply is punted to the CPU before the policy is consulted and is never dropped by it.
Note that the default ACL only applies to ICMP packets whose final destination is the switch. For pass-by (transit) packets, the configured traffic policy takes effect as expected. The practical consequence: an inbound traffic policy on a VLAN is not a way to filter ICMP aimed at the switch's own addresses; that traffic has to be controlled with the switch's control-plane protection features (for example a CPU defend policy) instead.
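As an added illustration (not part of the original case and not Huawei code), the following Python model reproduces the lookup order described above: it parses ACL 3002 exactly as written in the case, applies Huawei wildcard-mask matching (0 bits must match, 1 bits are don't-care), and checks for ICMP addressed to one of the switch's own addresses before the traffic-policy ACL is consulted. The switch address set, the sample echo replies and the outcome labels are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    number: int
    action: str                      # "permit" or "deny"
    dst: Optional[IPv4Address]       # None means any destination
    wildcard: int                    # Huawei wildcard mask: 0 bit = must match, 1 bit = don't care

    def matches(self, dst: IPv4Address) -> bool:
        if self.dst is None:
            return True
        care = 0xFFFFFFFF ^ self.wildcard
        return (int(dst) & care) == (int(self.dst) & care)


# ACL 3002 copied from the case configuration.
ACL_3002_TEXT = """
rule 10 permit ip destination 10.10.10.0 0.0.0.255 logging
rule 20 permit ip destination 10.20.10.0 0.0.0.255 logging
rule 30 deny ip logging
"""


def parse_acl(text: str) -> list[AclRule]:
    """Parse 'rule N permit|deny ip [destination A W] ...' lines, ordered by rule number."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue
        number, action = int(tok[1]), tok[2]
        dst, wildcard = None, 0
        if "destination" in tok:
            i = tok.index("destination")
            dst = IPv4Address(tok[i + 1])
            wildcard = int(IPv4Address(tok[i + 2]))
        rules.append(AclRule(number, action, dst, wildcard))
    return sorted(rules, key=lambda r: r.number)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "icmp", "tcp", ...


def classify(pkt: Packet, acl: list[AclRule], local_addrs: set[IPv4Address],
             behavior: str = "permit") -> tuple[str, str]:
    """Return (outcome, reason) for one packet arriving inbound on the VLAN with the policy.

    Order of checks, as described in the case:
      1. ICMP destined to one of the switch's own addresses is caught by the
         built-in default ACL and punted to the CPU; the traffic policy is bypassed.
      2. Otherwise the first matching ACL rule decides: a deny rule drops the packet
         regardless of the behavior, a permit rule hands it to the behavior.
      3. A packet matching no rule is not classified and is forwarded normally.
    """
    if pkt.proto == "icmp" and pkt.dst in local_addrs:
        return "punt-to-cpu", "default ACL: ICMP to switch address, traffic-policy bypassed"
    for rule in acl:
        if rule.matches(pkt.dst):
            if rule.action == "deny":
                return "drop", f"acl rule {rule.number} deny"
            outcome = "forward" if behavior == "permit" else "drop"
            return outcome, f"acl rule {rule.number} permit, behavior {behavior}"
    return "forward", "no ACL rule matched, packet not classified"


# Constructed data: the switch's own VLANIF address and ICMP echo replies from
# 8.8.8.8 to different destinations, all arriving inbound on VLAN 50.
SWITCH_LOCAL = {IPv4Address("10.10.10.1")}
ACL_3002 = parse_acl(ACL_3002_TEXT)


def run_cases() -> dict[str, str]:
    replies = {
        "switch itself": IPv4Address("10.10.10.1"),      # the customer's test
        "host behind switch": IPv4Address("10.10.10.50"),  # rule 10 permit
        "other permitted subnet": IPv4Address("10.20.10.7"),  # rule 20 permit
        "outside both subnets": IPv4Address("192.168.1.5"),  # rule 30 deny
    }
    results = {}
    for name, dst in replies.items():
        outcome, reason = classify(Packet(IPv4Address("8.8.8.8"), dst, "icmp"), ACL_3002, SWITCH_LOCAL)
        results[name] = outcome
        print(f"reply to {name:22s} {str(dst):13s} -> {outcome:12s} ({reason})")
    return results


if __name__ == "__main__":
    run_cases()
```

Running it shows the reply to 10.10.10.1 being punted to the CPU while the reply to 192.168.1.5, which hits the same rule 30, is dropped; only the second case exercises the traffic policy at all, which is why the customer's ping from the switch proves nothing about the policy.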
Solution
To test a traffic policy, generate the test traffic from a device connected behind the switch on which the policy is applied, so that the packets transit the switch instead of terminating on it. With the configuration above, a ping from a host in 10.10.10.0/24 to 8.8.8.8 gets its reply (destination in 10.10.10.0/24, rule 10), while a reply to any destination outside 10.10.10.0/24 and 10.20.10.0/24 matches rule 30 and is dropped. To confirm that packets are actually hitting the policy, add statistic enable under traffic behavior b1 and check display traffic policy statistics vlan 50 inbound.