MKguy
Virtuoso

I haven't played with dvSwitch ACLs myself yet, but this seems pretty self-explanatory if you have ever had to deal with firewall rules. Packets are matched against the rule base in order until the first rule applies.

If you only have the first rule, it does not apply to pinging .254. So the implicit default rule is used to decide what to do. In this case with ACLs it's a default "allow any" rule and the packet is forwarded.

Now if you implement the 2nd rule, which denies any traffic, it will also drop what was previously allowed by the implicit "allow any" rule because this rule is checked before the implicit rule. Obviously you won't be able to communicate via ICMP pings (or any other traffic) anymore because this rule drops everything.

What you need is an explicit rule allowing pings to .254, that comes before the drop all rule in your rule base. Change the first rule to "allow" and the destination to .254 (without negation).

-- http://alpacapowered.wordpress.com
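The first-match behaviour described in this reply, as an added Python model that is not part of the post or of vSphere's own code. It assumes the original first rule read "drop traffic whose destination is NOT .254" (the negated destination the reply refers to) and uses a constructed 192.0.2.0/24 subnet with .254 as the gateway.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample subnet; the post only names the ".254" host.
SUBNET = ip_network("192.0.2.0/24")
GATEWAY = ip_address("192.0.2.254")


@dataclass
class Rule:
    action: str                 # "allow" or "drop"
    dst: object = None          # IPv4Address, IPv4Network, or None for "any"
    negate_dst: bool = False    # True models a "!dst" (not this destination) qualifier

    def matches(self, dst: IPv4Address) -> bool:
        if self.dst is None:
            return True                      # "any" destination
        hit = dst in self.dst if isinstance(self.dst, IPv4Network) else dst == self.dst
        return not hit if self.negate_dst else hit


def evaluate(rules, dst: IPv4Address, default: str = "allow"):
    """First-match evaluation: walk the rule base in order and stop at the first
    rule that matches; otherwise fall through to the implicit default rule
    (for dvSwitch traffic filtering that default is 'allow any')."""
    for idx, rule in enumerate(rules, start=1):
        if rule.matches(dst):
            return rule.action, f"rule {idx}"
    return default, "implicit default"


# Assumed original first rule: drop anything NOT destined to .254.
rule1_original = Rule("drop", GATEWAY, negate_dst=True)
deny_any = Rule("drop")                     # the "deny any traffic" rule added later
allow_gateway = Rule("allow", GATEWAY)      # the corrected first rule (no negation)


def scenario_first_rule_only():
    # Ping to .254 does not match rule 1, so the implicit allow decides.
    return evaluate([rule1_original], GATEWAY)


def scenario_with_deny_any():
    # Rule 2 is checked before the implicit rule and drops the ping.
    return evaluate([rule1_original, deny_any], GATEWAY)


def scenario_fixed():
    # Explicit allow for .254 placed before deny-any; other hosts still dropped.
    rules = [allow_gateway, deny_any]
    return evaluate(rules, GATEWAY), evaluate(rules, ip_address("192.0.2.10"))
```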