I'm trying to deny reachability from 10.1.2.4 over to 10.1.2.3 with the following rule (below) applied to SwitchA; however, it seems as though I can still ping from .4 to .3. I was expecting this rule to work, since it seems it would drop all packets, but for some reason it isn't. Thanks in advance!
The topology of the lab is:
-A OUTPUT -o swp5 -s 10.1.2.4/32 -d 10.1.2.3/32 -j DROP
Here you go Sean...
iface lo inet loopback
iface eth0 inet dhcp
alias to Cumulus VX SW2 SWP1
bridge-access 100 1 2
up ip route add 0.0.0.0/0 via 10.1.1.2
bridge-ports swp1 swp2 swp5
bridge-vids 100 200 300 1
bond-slaves regex swp[3-4]
Perform an ifreload -a, then try the ping again. Let me know the results.
- try tcpdump on the switch. Normally in HW this would be data-plane, but this is all SW so we can see the packet. It's possible the subnet you are pinging 'from' is different than what you think you are...
- try removing the -o swp5.... maybe there is an issue with iptables and specifying a specific interface with our renaming script on VX (this is not a problem on real HW...). This is a wild guess and most likely not the issue.
- use -I with ping to specify a specific IP address to force the IP out a certain way...
- can you ping the SVI (bridge.2) that we made from 10.1.2.3/24? I have another guess that traffic is bypassing the device with the iptables rule on it (possibly).
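An added example, not part of the thread, that models which filter-table chains a packet traverses on a Linux box and evaluates the rule from the question against a ping that merely transits the switch: the OUTPUT chain only sees packets the host itself generates, routed transit traffic passes through FORWARD, and frames switched at L2 between ports of the same bridge do not enter iptables at all unless br_netfilter (bridge-nf-call-iptables) is on. The switch's own SVI address 10.1.2.1 and the egress port swp5 are assumptions for the scenario.

```python
import ipaddress

# The rule posted in the question, parsed into fields (out_if None would mean "any interface").
RULE = {"chain": "OUTPUT", "out_if": "swp5", "src": "10.1.2.4/32",
        "dst": "10.1.2.3/32", "target": "DROP"}
# Same match criteria placed in the FORWARD chain, for comparison.
FORWARD_RULE = dict(RULE, chain="FORWARD")

# Assumed for the scenario: the switch owns the SVI address 10.1.2.1 (constructed value).
SWITCH_LOCAL_IPS = {"10.1.2.1"}


def chains_traversed(src, dst, local_ips, bridged=False, bridge_nf_call_iptables=False):
    """Simplified netfilter model: which filter-table chains an IPv4 packet hits on this host.
    local_ips are the addresses the host itself owns. nat/mangle and conntrack are ignored."""
    if src in local_ips:
        return ["OUTPUT"]      # locally generated traffic is the ONLY thing OUTPUT sees
    if dst in local_ips:
        return ["INPUT"]       # traffic addressed to the host itself
    if bridged and not bridge_nf_call_iptables:
        return []              # L2-switched frame: only ebtables sees it, iptables never does
    return ["FORWARD"]         # routed transit (or bridged with br_netfilter enabled)


def rule_matches(rule, chain, src, dst, out_if):
    """True if the rule lives in this chain and all of its match criteria fit the packet."""
    return (rule["chain"] == chain
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and (rule["out_if"] is None or rule["out_if"] == out_if))


def verdict(rule, src, dst, out_if, local_ips, bridged=False, bridge_nf_call_iptables=False):
    """Apply a single rule along the packet's path; default chain policy is assumed ACCEPT."""
    for chain in chains_traversed(src, dst, local_ips, bridged, bridge_nf_call_iptables):
        if rule_matches(rule, chain, src, dst, out_if):
            return rule["target"]
    return "ACCEPT"


if __name__ == "__main__":
    # Ping from 10.1.2.4 to 10.1.2.3 crossing the switch; the switch is neither endpoint.
    for label, rule, kw in [("OUTPUT rule, routed", RULE, {}),
                            ("FORWARD rule, routed", FORWARD_RULE, {}),
                            ("FORWARD rule, bridged, no br_netfilter", FORWARD_RULE,
                             {"bridged": True}),
                            ("FORWARD rule, bridged, br_netfilter on", FORWARD_RULE,
                             {"bridged": True, "bridge_nf_call_iptables": True})]:
        print(f"{label}: {verdict(rule, '10.1.2.4', '10.1.2.3', 'swp5', SWITCH_LOCAL_IPS, **kw)}")
```

Running it shows the posted OUTPUT rule never fires for transit traffic, and even a FORWARD rule only fires when the packet is routed or br_netfilter hands bridged frames to iptables, which is the "traffic bypassing the device's iptables rule" case raised above.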