
Access Control Does Not Take Effect Due to the Incorrect Direction of a Traffic Policy

Fault Description

As shown in Figure 1, the departments of an enterprise are connected through the Switch. GE0/0/4 on the Switch is connected to the salary query server. The enterprise allows only the president office to access the salary query server, but prevents other departments (such as R&D and marketing departments) from accessing the salary query server. Therefore, the administrator configures an ACL and a traffic policy that uses the ACL on the Switch, and applies the traffic policy to the inbound direction of GE0/0/4. The traffic policy is applied to an incorrect direction, so access control does not take effect.

Figure 1 Applying the traffic policy to an interface

Procedure

  1. Run the display traffic policy interface [ interface-type interface-number ] command in any view to check the traffic policy configuration on the interface.

    The traffic policy p1 has been applied to the inbound direction of GE0/0/4.

      Interface: GigabitEthernet0/0/4

      Direction: Inbound
      Policy: p1
      ......

  2. Run the display traffic-applied interface [ interface-type interface-number ] inbound verbose command in any view to check information about the ACL used by the traffic policy on the interface and the direction to which the traffic policy is applied.

    The traffic policy p1 uses ACL 3001, and the traffic policy is applied to the inbound direction of the interface.

    -----------------------------------------------------------
    Policy applied inbound interface GigabitEthernet0/0/4

      Interface: GigabitEthernet0/0/4

      Direction: Inbound

      Policy: p1
        Classifier: c1
          Operator: OR
          Rule(s) :
            if-match acl 3001
        Behavior: b1
          Deny
    -----------------------------------------------------------

  3. Run the display this command in the view of advanced ACL 3001 to check the ACL rule configuration.

    ACL 3001 contains the following rules:

    acl number 3001
     rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.9.9 0    //Allow the president office to access the server.
     rule 10 deny ip destination 10.164.9.9 0                                  //Prevent other departments from accessing the server.

    The source IP address is the network segment where the president office resides, and the destination IP address is the salary query server's address. The ACL rules meet the packet filtering requirement, so the ACL configuration is correct.

  4. Check the direction to which the traffic policy is applied.

    As shown in Step 2, the traffic policy is applied to the inbound direction of the interface. However, packets from the departments do not enter the Switch through GE0/0/4; they enter through the interfaces connecting the departments, and the Switch, after looking up a route, sends them out through GE0/0/4. A policy bound to the inbound direction of GE0/0/4 therefore sees only traffic arriving from the server, never the departments' requests to it.

    Therefore, when the traffic policy using the ACL is applied to the inbound direction of GE0/0/4, access control does not take effect. To make access control effective, apply the traffic policy to the outbound direction or apply the traffic policy globally, to the VLANs of the departments, or to the inbound direction of each interface connecting to each department.

  5. Change the direction to which the traffic policy is applied.

    Run the traffic-policy policy-name outbound command in the view of GE0/0/4 to apply the traffic policy to the outbound direction.
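To make the direction problem from Steps 4 and 5 concrete, the following added example (not part of the original page or of any vendor software) models the Switch with the page's ACL 3001 and shows the same packets under the faulty inbound binding and the corrected outbound binding. The department ports GE0/0/1 and GE0/0/2, the subnet 10.164.2.0/24 and the rule that the ACL rule action decides the packet's fate are assumptions made for the model.

```python
import ipaddress

# ACL 3001 as shown above: (action, source spec, destination spec); None = any.
# Huawei wildcard masks invert a netmask: "0.0.0.255" covers a /24, "0" one host.
ACL_3001 = [
    ("permit", "10.164.1.0 0.0.0.255", "10.164.9.9 0"),   # president office -> server
    ("deny",   None,                   "10.164.9.9 0"),   # everyone else -> server
]

# Constructed topology (assumption, not from the page): each subnet sits behind one
# port; the table gives the ingress port of a source and the egress port of a destination.
PORTS = {"10.164.1.0/24": "GE0/0/1", "10.164.2.0/24": "GE0/0/2", "10.164.9.0/24": "GE0/0/4"}

def wildcard_to_network(spec):
    """'addr wildcard' -> ip_network (contiguous wildcards only); None -> any address."""
    if spec is None:
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = spec.split()
    wc = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    netmask = ipaddress.IPv4Address(~wc & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def acl_decision(acl, src, dst):
    """First matching rule wins (simplified model: the rule action is the verdict)."""
    for action, s_spec, d_spec in acl:
        if (ipaddress.ip_address(src) in wildcard_to_network(s_spec)
                and ipaddress.ip_address(dst) in wildcard_to_network(d_spec)):
            return action
    return "permit"   # traffic matching no rule is not filtered

def port_of(ip):
    return next(p for net, p in PORTS.items() if ipaddress.ip_address(ip) in ipaddress.ip_network(net))

def forward(src, dst, bindings):
    """bindings: {(interface, 'inbound'|'outbound'): acl}. Returns 'forwarded' or 'dropped'.
    A binding is consulted only if the packet actually crosses that interface in that direction."""
    hooks = ((port_of(src), "inbound"), (port_of(dst), "outbound"))
    for hook in hooks:
        acl = bindings.get(hook)
        if acl is not None and acl_decision(acl, src, dst) == "deny":
            return "dropped"
    return "forwarded"

def compare_directions(src, dst):
    """Outcome under the faulty binding (inbound on GE0/0/4) and the corrected one (outbound)."""
    wrong = forward(src, dst, {("GE0/0/4", "inbound"): ACL_3001})
    fixed = forward(src, dst, {("GE0/0/4", "outbound"): ACL_3001})
    return wrong, fixed

if __name__ == "__main__":
    for src in ("10.164.1.5", "10.164.2.7"):
        print(src, "-> 10.164.9.9 (inbound binding, outbound binding):", compare_directions(src, "10.164.9.9"))
```

With the inbound binding, even the server's replies that do cross GE0/0/4 inbound are forwarded, because the ACL keys on the server as the destination, so nothing is ever filtered.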

Copyright © Huawei Technologies Co., Ltd.