Policy ACL blocked by default

Hello,
I can’t block all traffic except ping…

qos enable
policy action ACCEPT disposition accept
policy action DENY disposition deny

policy condition C_ANY-ANY source ip any destination ip any
policy rule "DENY C_ANY-ANY" precedence 200 condition C_ANY-ANY action DENY
qos apply

→ all traffic is blocked: OK

policy condition C_PING icmptype 8
policy rule "ACCEPT C_PING" precedence 1000 condition C_PING action ACCEPT
qos apply

→ no response to ping, while the ICMP echo request is allowed with higher priority! Why??? I don’t understand the logic… :face_with_raised_eyebrow:

Thank you in advance for your help. :slightly_smiling_face:

Your rules seem correct…

Can you do a little test? If you delete the DENY C_ANY-ANY rule, are you able to ping then?

Hi,

no policy rule "DENY C_ANY-ANY"
qos apply

Yes, the ping echo request responds :face_exhaling:

I found the solution! :grinning: :grinning: :grinning:
In fact it was obvious… the switch lets the ping echo request (icmptype 8) pass but not the responses (icmptype 0)!
It’s OK with:

policy condition C_PING-ECHOREQUEST icmptype 8
policy condition C_PING-ECHOREPLY icmptype 0
policy rule "ACCEPT C_PING-ECHOREQUEST" precedence 1000 condition C_PING-ECHOREQUEST action ACCEPT
policy rule "ACCEPT C_PING-ECHOREPLY" precedence 1000 condition C_PING-ECHOREPLY action ACCEPT
qos apply

or:

policy condition C_ICMP ip-protocol 1
policy rule "ACCEPT C_ICMP" precedence 2000 condition C_ICMP action ACCEPT
qos apply

On the other hand, with my tests I realize that it does not work with the switch, because it does not respond to ARP requests! :roll_eyes:
How to do it?

Solution: ethertype 0x806 :grinning:

Example:

policy condition C_ARP ethertype 0x806
policy rule "ACCEPT_ARP" precedence 1000 condition C_ARP action ACCEPT
qos apply

Then the ideal would be to add source criteria (network group or VLAN id)… :wink:
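As an added illustration (not configuration or code from this thread or from the switch vendor), here is a small Python model of a stateless, precedence-based ACL like the policy rules above: every frame is judged on its own, so a ping only completes when the echo reply and the ARP frames are permitted explicitly, not just the echo request. The frame fields, the Rule objects, and the two ways of modelling the any/any deny (IP-only for a ping through the switch, catch-all for the switch-as-target case where ARP also stopped) are assumptions made for the example.

```python
# Constructed model of a stateless ACL: highest-precedence matching rule wins,
# no matching rule falls back to the default disposition (assumed: accept).
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    precedence: int      # higher precedence wins when several rules match
    action: str          # "accept" or "deny"
    match: dict = field(default_factory=dict)  # empty dict matches any frame


# Constructed frames making up one ping between two hosts, in wire order.
PING_EXCHANGE = [
    ("arp-request",  {"ethertype": 0x0806, "arp_op": 1}),
    ("arp-reply",    {"ethertype": 0x0806, "arp_op": 2}),
    ("echo-request", {"ethertype": 0x0800, "ip_protocol": 1, "icmptype": 8}),
    ("echo-reply",   {"ethertype": 0x0800, "ip_protocol": 1, "icmptype": 0}),
]


def disposition(rules, frame, default="accept"):
    """Stateless lookup: the best-precedence matching rule decides this frame."""
    hits = [r for r in rules if all(frame.get(k) == v for k, v in r.match.items())]
    return max(hits, key=lambda r: r.precedence).action if hits else default


def first_drop(rules):
    """Name of the first frame of the ping exchange that is dropped, or None."""
    for name, frame in PING_EXCHANGE:
        if disposition(rules, frame) == "deny":
            return name
    return None


# Assumption: "source ip any destination ip any" modelled as matching IP frames.
DENY_IP = Rule("DENY C_ANY-ANY", 200, "deny", {"ethertype": 0x0800})
# Assumption: switch-as-target case modelled as a catch-all deny that also hits ARP.
DENY_ALL = Rule("DENY C_ANY-ANY (catch-all)", 200, "deny")
ACCEPT_ECHO_REQ = Rule("ACCEPT C_PING-ECHOREQUEST", 1000, "accept", {"icmptype": 8})
ACCEPT_ICMP = Rule("ACCEPT C_ICMP", 2000, "accept", {"ip_protocol": 1})
ACCEPT_ARP = Rule("ACCEPT_ARP", 1000, "accept", {"ethertype": 0x0806})

FIRST_ATTEMPT = [DENY_IP, ACCEPT_ECHO_REQ]            # echo reply is dropped
ICMP_FIX = [DENY_IP, ACCEPT_ICMP]                     # ping completes
STRICT_NO_ARP = [DENY_ALL, ACCEPT_ICMP]               # ARP request is dropped
STRICT_WITH_ARP = [DENY_ALL, ACCEPT_ICMP, ACCEPT_ARP]  # ping completes

if __name__ == "__main__":
    for label, rules in [("first attempt", FIRST_ATTEMPT), ("icmp fix", ICMP_FIX),
                         ("strict, no arp", STRICT_NO_ARP), ("strict + arp", STRICT_WITH_ARP)]:
        print(f"{label}: first dropped frame = {first_drop(rules)}")
```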