PC (10.1.12.48)----SW (10.1.58.1)-----Internal host (10.1.58.151)
A packet-filter referencing the ACL below is applied inbound on the interface. In testing, the deny rule correctly drops matching transit packets, but packets destined for the device's own CPU are not denied and still pass.
Advanced IPv4 ACL named deny_ssid_dev, 2 rules,
ACL's step is 5, start ID is 0
rule 9 permit ip source 10.1.46.150 0
rule 10 deny ip destination 10.0.0.0 0.255.255.255
#
interface Vsi-interface3
description SDN_VSI_Interface_3
ip binding vpn-instance SQLS-WJ
ip address 10.1.12.1 255.255.255.0
mac-address 0000-0000-0001
local-proxy-arp enable
packet-filter name deny_ssid_dev inbound
#
Observed traffic behavior:
10.1.12.48 -> 10.1.58.1 (address local to SW): reachable
10.1.12.48 -> 10.1.58.1 -> 10.1.58.151 (transit through SW): blocked
1. In probe view, collect the full set of ACL entries installed on the forwarding chip of the corresponding board:
debug qacl show cha 1 slot 0 chip 0 verbose 20
debug qacl show cha 1 slot 0 chip 0 verbose 40
debug qacl show cha 1 slot 0 chip 0 verbose 60
... (increase the verbose offset by 20 each time and keep collecting until the command returns no further content)
2. The collected output shows that the system-delivered ACL entry that redirects ICMP to the CPU has a higher hardware priority (Prio Mjr 527) than the user-configured packet-filter deny (Prio Mjr 523). Ping packets addressed to the device itself therefore hit the system entry first and are sent straight to the CPU, so the packet-filter deny never applies to them.
========
Acl-Type PktFilter IP on L3 VSI, Stage IFP, Pipe 0, OuterPort, Installed, Active
Prio Mjr/Sub 523/503185397, Group 5 [5], Slice/Idx 5/2, Entry 5015, IntraDb: 3842/4610---------- The larger the Prio Mjr value, the higher the priority.
ACL GroupNo : 637534210, RuleID : 10
Rule Match --------
Lookup: STP forwarding, L2 dst L3 bit[y], 0x118, 0x118
Dest IP: 10.0.0.0, 255.0.0.0
IP Type: Any IPv4 packet
L3IIF: 0x100f L3IIFMask: 0xffffffff
NO_HG
Actions --------
Deny
========
========
Acl-Type RX IPv4 Middle, Stage IFP, Pipe 0, Global, Installed, Active
Prio Mjr/Sub 527/24, Group 1 [1], Slice/Idx 0/147, Entry 3514, Triple: 147/915/1683
Rule Match --------
Ports: 0x01fffffe0007ffffe; 0x21ffffffe1fffffff
Lookup: VLAN ID valid[y], STP forwarding, 0x1c, 0x1c
IP protocol: icmp
IP Type: Any IPv4 packet
Dest Port: CPU
DropBit: 0x0, Mask : 0x1
SysmRule Index : 44
L3 Dest Class id: 0x3, 0x3ff
My Station Hit
Actions --------
CAR cir 0x200, cbs 0x800, pir 0x200, pbs 0x800, mode srTCM color blind,Bytes
Account mode packets, green and non-green
Redirect and copy to cpu
Change CPU pkt COS 22
Permit
Red Deny
Red_Copy_to_cpu : No
Yel Deny
Yel_Copy_to_cpu : No
MatchedName:44, ICMP
In general, the inbound rules that the system installs to deliver packets to the CPU have a higher priority than user-configured packet-filter, PBR, and MQC rules, so a user-configured deny cannot take effect on traffic addressed to the device itself.
Workaround: configure local PBR to discard the packets that would otherwise be handled by the CPU. The ACL referenced by the policy must match as specifically as possible (protocol, source, and destination) so that normal traffic is not affected. With the configuration below, the filtering works in testing and the terminal can no longer ping the device.
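The priority comparison in step 2 is easy to get wrong by eye in a long dump, so the following added example (not part of the original case note or any vendor tool) parses entry blocks in the format shown above and ranks them. It assumes the layout seen in this output: blocks delimited by "========" lines, an "Acl-Type" line, a "Prio Mjr/Sub" line, and "Rule Match" / "Actions" sections, with the larger (Mjr, Sub) pair winning as the note states. The SAMPLE text is constructed from the two entries shown above. The script only compares priorities; it does not prove that two entries' match fields overlap, which the operator still confirms from the Rule Match lines.

```python
"""Rank hardware ACL entries from 'debug qacl show' output by priority
and flag user packet-filter denies that a higher-priority CPU-bound
system entry would shadow. Added example; field labels are assumed to be
those seen in the case note's output."""
import re

# Constructed sample: the two entries shown in the case note, trimmed.
SAMPLE = """\
========
Acl-Type PktFilter IP on L3 VSI, Stage IFP, Pipe 0, OuterPort, Installed, Active
Prio Mjr/Sub 523/503185397, Group 5 [5], Slice/Idx 5/2, Entry 5015, IntraDb: 3842/4610
ACL GroupNo : 637534210, RuleID : 10
Rule Match --------
Dest IP: 10.0.0.0, 255.0.0.0
IP Type: Any IPv4 packet
Actions --------
Deny
========
========
Acl-Type RX IPv4 Middle, Stage IFP, Pipe 0, Global, Installed, Active
Prio Mjr/Sub 527/24, Group 1 [1], Slice/Idx 0/147, Entry 3514, Triple: 147/915/1683
Rule Match --------
IP protocol: icmp
IP Type: Any IPv4 packet
Dest Port: CPU
Actions --------
Redirect and copy to cpu
Permit
MatchedName:44, ICMP
========
"""

PRIO_RE = re.compile(r"Prio Mjr/Sub (\d+)/(\d+)")
ACLTYPE_RE = re.compile(r"^Acl-Type (.+?),")


def parse_entries(text):
    """Return one dict per '========'-delimited block: acl_type, prio
    (Mjr, Sub) tuple, match lines and action lines."""
    entries = []
    for block in text.split("========"):
        lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
        if not lines:
            continue
        entry = {"acl_type": None, "prio": None, "match": [], "actions": []}
        section = None
        for ln in lines:
            m = ACLTYPE_RE.match(ln)
            if m:
                entry["acl_type"] = m.group(1)
                continue
            m = PRIO_RE.search(ln)
            if m:
                entry["prio"] = (int(m.group(1)), int(m.group(2)))
                continue
            if ln.startswith("Rule Match"):
                section = "match"
                continue
            if ln.startswith("Actions"):
                section = "actions"
                continue
            if section:
                entry[section].append(ln)
        if entry["prio"] is not None:
            entries.append(entry)
    return entries


def winning_entry(entries):
    """The entry with the largest (Mjr, Sub) pair wins the lookup."""
    return max(entries, key=lambda e: e["prio"])


def sends_to_cpu(entry):
    """True if the entry's match or actions reference the CPU port."""
    return any("cpu" in ln.lower() for ln in entry["match"] + entry["actions"])


def shadowed_denies(entries):
    """Pairs (deny_entry, outranking_entry) where a PktFilter deny has a
    lower priority than a CPU-bound entry. Overlap of match fields is
    left to the operator to confirm."""
    result = []
    for deny in entries:
        if "Deny" not in deny["actions"] or not deny["acl_type"].startswith("PktFilter"):
            continue
        for other in entries:
            if other is not deny and other["prio"] > deny["prio"] and sends_to_cpu(other):
                result.append((deny, other))
    return result


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for deny, other in shadowed_denies(parsed):
        print("deny %s prio %s is shadowed by %s prio %s"
              % (deny["acl_type"], deny["prio"], other["acl_type"], other["prio"]))
```

Run it against a real dump by reading the concatenated output of the verbose 20/40/60/... collections into the parser instead of SAMPLE; any pair it prints is a candidate for the symptom described in this note and should be confirmed against the Rule Match lines of both entries.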
Specifying a policy for local PBR
About this task
Perform this task to specify a policy for local PBR to guide the forwarding of locally generated packets.
Restrictions and guidelines
You can specify only one policy for local PBR and must make sure the specified policy already exists. Before you apply a new policy, you must first remove the current policy.
Local PBR might affect local services such as ping and Telnet. When you use local PBR, make sure you fully understand its impact on local services of the device.
Procedure
1. Enter system view.
system-view
2. Specify a policy for local PBR.
ip local policy-based-route policy-name
By default, local PBR is not enabled.
For example:
#
interface Vlan-interface50
ip address 50.0.0.1 255.255.0.0
#
acl number 3999
rule 0 permit icmp source 50.0.0.1 0 destination 50.0.0.5 0
#
policy-based-route cc permit node 10
if-match acl 3999
apply output-interface NULL0
#
ip local policy-based-route cc
#