NPM Drop reason "L3 drop policy"

Article Id: 168078

Status: Published

Updated On: 13-05-2017 11:19

Legacy Id: TECH244512

Products:

Control Compliance Suite Netware XOS

Issue/Introduction:

Traffic matching the internal control network is dropped by NPM.Traffic is dropped by an NPM and the Drop reason is "L3 drop policy", e.g:

CBS# show flow active proto 1

This command may take a few minutes. Do you want to continue? <Y or N> [Y]:

Module                     Source                Destination       Prot   Dom    TTI/MAX
np1                         1.1.10.1:0              1.1.10.2:0        1
1 00:30/00:30
    Drop(L3 drop policy)
    rx circuit 1026     Master np1    Fast Path Y    rx packets 0

Cause:

An NPM drops traffic with the reason "L3 drop policy" if the inbound packets match a flow rule defined with the action Drop.

If no user-defined flow rule exists with action Drop, you should compare the source and destination address with the configured system internal network. In the above example, traffic matches the default internal network 1.1.0.0/16. To protect the control plane, the NPM always implements a default IP flow rule, which drops all packets that conflict with the system internal network.

Resolution:

If the dropped traffic is valid, you may need to set the internal network to another unused network.

To list default IP flow rules run show default-ip-flow-rule.

To display the configured internal network run show system-internal-network.

Workaround

N/A