The ACL used by a traffic policy cannot filter the protocol packets to be sent to the CPU.
VRRP protocol packets use multicast address 224.0.0.18 as the destination address. The VRRP protocol packets are sent to the CPU for processing; therefore, the ACL in a traffic policy does not take effect on these packets. Member switches in a VRRP group negotiate the master switch using the VRRP protocol packets.
DHCP clients exchange DHCP packets with the DHCP server to obtain valid IP addresses. The DHCP packets are sent to the CPU for processing; therefore, the ACL in a traffic policy does not take effect on these packets. The device cannot use an ACL in a traffic policy to prevent users connected to interfaces from obtaining IP addresses through DHCP.
When a host pings a device, the ICMP packets are sent to the CPU of the device for processing; therefore, the ACL in a traffic policy does not take effect on them. The device cannot use an ACL in a traffic policy to block ping packets from hosts.
To filter the protocol packets to be sent to the CPU, you can apply an ACL to the blacklist configured in the local attack defense policy. The configuration procedure is as follows:
Run the cpu-defend policy policy-name command in the system view to create an attack defense policy.
Run the blacklist blacklist-id acl acl-number command to create a blacklist.
Run the cpu-defend-policy policy-name [ global ] command in the system view or run the cpu-defend-policy policy-name command in the slot view to apply the attack defense policy.
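The following configuration walks through the three steps above for the three packet types the page names (ping, DHCP, VRRP). It is an added example, not taken from the original page or from a vendor configuration guide; the ACL number 3001, the policy name cpu-filter, the user subnet 10.1.1.0/24 and the switch address 10.1.1.1 are constructed values, and it relies on the blacklist convention that packets matching a permit rule in the referenced ACL are treated as attack packets and discarded.

```text
# Constructed example: untrusted user subnet 10.1.1.0/24, switch address 10.1.1.1.
system-view
#
# Advanced ACL (number 3001 assumed). Packets matching a permit rule in a
# blacklist ACL are dropped before they reach the CPU.
acl number 3001
 # ICMP echo requests from the user subnet aimed at the switch itself
 rule 5 permit icmp source 10.1.1.0 0.0.0.255 destination 10.1.1.1 0 icmp-type echo
 # DHCP client-to-server traffic (UDP 68 -> 67) originating from the user subnet
 rule 10 permit udp source 10.1.1.0 0.0.0.255 source-port eq 68 destination-port eq 67
 # VRRP (IP protocol 112) to 224.0.0.18 from the user subnet only; keep the
 # source range narrow so advertisements from the real VRRP peer still match
 # nothing here and are processed normally.
 rule 15 permit 112 source 10.1.1.0 0.0.0.255 destination 224.0.0.18 0
 quit
#
# Step 1: create the local attack defense policy (name assumed).
cpu-defend policy cpu-filter
 # Step 2: bind the ACL to blacklist 1 inside the policy.
 blacklist 1 acl 3001
 quit
#
# Step 3: apply the policy globally (or replace "global" with a slot view).
cpu-defend-policy cpu-filter global
```

After applying, `display cpu-defend policy cpu-filter` shows the blacklist binding, which is the quickest check that the policy, and not a traffic policy, is now governing these CPU-bound packets.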