Troubleshooting Guide for Cisco Identity Services Engine 1.0.4

Traffic Does Not Reach the Redirect ACL
When you try to ping any host, you should receive a response, because ICMP is not redirected (the redirect ACL
denies it). To confirm, run this debug:
debug epm redirect
For each ICMP packet sent by the client, the debugs should present:
Jan 9 09:13:07.861: epm-redirect:IDB=GigabitEthernet1/0/2: In
epm_host_ingress_traffic_qualify ...
Jan 9 09:13:07.861: epm-redirect:epm_redirect_cache_gen_hash:
IP=192.168.1.201 Hash=562
Jan 9 09:13:07.861: epm-redirect:IP=192.168.1.201: CacheEntryGet Success
Jan 9 09:13:07.861: epm-redirect:IP=192.168.1.201: Ingress packet on
[idb= GigabitEthernet1/0/2] didn't match with [acl=REDIRECT_POSTURE]
To confirm, examine the ACL. In a redirect ACL, permit entries select the traffic to be redirected and deny entries
exempt it, so the ICMP packets hit the deny entry (incrementing its match counter) and are forwarded normally:
bsns-3750-5#show ip access-lists REDIRECT_POSTURE
Extended IP access list REDIRECT_POSTURE
    10 deny ip any host 10.48.66.74 (153 matches)
    20 deny udp any any eq domain
    30 deny icmp any any (4 matches)
    40 permit tcp any any eq www (78 matches)
    50 permit tcp any any eq 443
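To make the redirect-ACL semantics concrete, here is an added example (not part of the Cisco document) that parses the `show ip access-lists REDIRECT_POSTURE` output shown above and evaluates a flow against it the way the switch does: first match wins, permit means "redirect", deny means "exempt", and an unmatched flow falls to the implicit deny. Only the ACE syntax that appears on this page (any / host X, optional eq port, the match counters) is supported; the flows fed to it are constructed test inputs.

```python
"""Redirect-ACL evaluation in the sense used by Cisco IOS URL redirection.

Added example, not code from the Cisco document. permit = redirect the flow,
deny = leave it alone, no match = implicit deny (not redirected).
"""
import re

# Constructed copy of the ACL printed by the switch in the troubleshooting output.
ACL_TEXT = """\
Extended IP access list REDIRECT_POSTURE
    10 deny ip any host 10.48.66.74 (153 matches)
    20 deny udp any any eq domain
    30 deny icmp any any (4 matches)
    40 permit tcp any any eq www (78 matches)
    50 permit tcp any any eq 443
"""

# Port keywords IOS prints in place of numbers (subset sufficient for this ACL).
PORT_NAMES = {"www": 80, "domain": 53, "https": 443, "ssh": 22}

# Only the ACE forms that appear on this page: any / host X, optional eq port, match counter.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+\((?P<hits>\d+) matches\))?\s*$"
)


def parse_acl(text):
    """Return the ACEs in sequence order; the header and unsupported lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        port = m.group("port")
        if port is None:
            dport = None
        elif port in PORT_NAMES:
            dport = PORT_NAMES[port]
        else:
            dport = int(port)
        entries.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": dport,
            "hits": int(m.group("hits") or 0),
        })
    return entries


def _addr_matches(spec, addr):
    return spec == "any" or spec == f"host {addr}"


def match_ace(ace, proto, src, dst, dport=None):
    """True if the flow matches this ACE ('ip' matches every protocol)."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if not _addr_matches(ace["src"], src) or not _addr_matches(ace["dst"], dst):
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    return True


def redirect_decision(entries, proto, src, dst, dport=None):
    """First-match evaluation. Returns (redirected, matched_sequence_or_None)."""
    for ace in entries:
        if match_ace(ace, proto, src, dst, dport):
            return ace["action"] == "permit", ace["seq"]
    return False, None  # implicit deny at the end of the ACL: not redirected


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    client = "192.168.1.201"
    # Constructed flows: the ping from the page, plus web, DNS, ISE and SSH traffic.
    flows = [
        ("icmp", client, "192.168.1.20", None),
        ("tcp", client, "192.168.1.20", 80),
        ("tcp", client, "10.48.66.74", 443),
        ("udp", client, "8.8.8.8", 53),
        ("tcp", client, "192.168.1.20", 22),
    ]
    for proto, src, dst, dport in flows:
        redirected, seq = redirect_decision(acl, proto, src, dst, dport)
        print(f"{proto:4} {src} -> {dst}:{dport}  matched={seq}  redirected={redirected}")
```

Running it shows why the ping in the debug above "didn't match" in the redirect sense: the ICMP flow hits sequence 30 (a deny) and is forwarded normally, while a TCP/80 flow to the same host hits sequence 40 and is redirected. Traffic to the ISE node itself (10.48.66.74) is exempted by sequence 10 regardless of port, which is what keeps the redirected browser able to reach the portal.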
Traffic Reaches the Redirect ACL
Scenario 1 - Destination Host Is in the Same VLAN, Exists, and SVI 10 Is UP
When you initiate traffic to an IP address that is directly Layer 3 (L3) reachable by the switch (the switch has an
SVI interface in that network), here is what happens:
1. The client sends an Address Resolution Protocol (ARP) request for the destination host
(192.168.1.20) in the same VLAN and receives a response (ARP traffic is never redirected).
2. The switch intercepts that session, even though the destination IP address is not configured on the
switch. The TCP handshake completes between the client and the switch; at this stage no other packets
leave the switch. In this scenario, the client (192.168.1.201) has initiated a TCP session
with another host that exists in that VLAN (192.168.1.20) and for which the switch has an SVI
interface UP (with the IP address 192.168.1.10):