Services are Blocked Because MA5200F Imports ACL Falsely in Global Mode

Latest reply: Feb 25, 2016 20:42:15

Users behind the MA5200F cannot access the network normally, yet a PC in the carrier's ER can telnet to the MA5200F. The MA5200F cannot ping external hosts (the RADIUS and DNS servers, etc.), but it can ping the port address of the directly connected L3 LAN switch. One host with a public IP address (outside the ER network) can tracert to the MA5200F, but cannot ping it.


Created Feb 25, 2016 20:42:15

Handling Process

1. A check of the route configuration shows that the MA5200F reaches its upstream device (the L3 LAN switch) through a default route.
2. The L3 LAN switch is configured with static routes to the MA5200F and to the MA5200F address-pool segment, and these static routes are imported into OSPF.
3. The devices upstream of the L3 LAN switch learn the routes to the MA5200F and to the address pool through OSPF.
4. A host with a public IP address can tracert to the MA5200F and reaches it; in the reverse direction, the MA5200F cannot ping the host's IP address.
5. The MA5200F can ping the directly connected interface of the L3 switch, but cannot ping the switch's loopback address.
6. Only addresses in the carrier's ER network can telnet to the MA5200F, and the MA5200F can also ping the hosts in the ER.
7. Traffic between the MA5200F and the ER hosts traverses many devices, yet the MA5200F cannot ping the addresses of those devices, so we conclude that access control is probably configured on them.
8. After carefully checking the ACLs of all network devices, we found the cause: the carrier's engineers had applied an ACL intended to restrict telnet login globally.
The wrong configuration is:
#ACL#
acl number 2000 match-order auto
 rule 1 permit source 0                // interface address of the L3 switch
 rule 2 permit source                  // network segment of the hosts in the ER
 rule 4 deny
access-group 2000                      // wrong: applied globally, so the ACL filters all traffic through the device, not just telnet

The correct configuration should be:
#ACL#
acl number 2000 match-order auto
 rule 1 permit source 0
 rule 2 permit source
 rule 4 deny
#Set attributes of telnet#
user-interface vty 0 4
 acl 2000 inbound      // apply the ACL to the VTY lines only; the carrier's engineers applied it globally, which caused the fault above
 authentication-mode scheme default
 user privilege level 3
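
The following script is an added example, not part of the original post or of Huawei's own tooling. It parses VRP-style configuration fragments modelled on the wrong and correct configurations above, flags an ACL that is bound globally with access-group instead of under user-interface vty, and evaluates the ACL against sample source addresses to show why replies from the RADIUS and DNS servers were dropped while ER hosts stayed reachable. The addresses 192.0.2.1 (L3 switch interface), 198.51.100.0/24 (ER host segment) and 203.0.113.10 (a RADIUS server) are constructed placeholders for the values elided in the post.

```python
"""Audit a VRP-style configuration for an ACL applied globally instead of on the VTY lines.

Added example, not from the original post. The two configuration fragments below are
constructed; 192.0.2.1, 198.51.100.0/24 and 203.0.113.10 are documentation-range
placeholders for the addresses the post leaves out.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed to mirror the post's wrong configuration: ACL bound globally.
WRONG_CONFIG = """\
#
acl number 2000 match-order auto
 rule 1 permit source 192.0.2.1 0
 rule 2 permit source 198.51.100.0 0.0.0.255
 rule 4 deny
#
access-group 2000
#
user-interface vty 0 4
 authentication-mode scheme default
 user privilege level 3
#
"""

# Constructed to mirror the post's correct configuration: ACL bound on the VTY lines only.
CORRECT_CONFIG = """\
#
acl number 2000 match-order auto
 rule 1 permit source 192.0.2.1 0
 rule 2 permit source 198.51.100.0 0.0.0.255
 rule 4 deny
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode scheme default
 user privilege level 3
#
"""

RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)(?:\s+source\s+(\S+)\s+(\S+))?\s*$")


@dataclass
class Acl:
    number: int
    rules: list = field(default_factory=list)  # (action, network or None) in rule order


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn VRP 'source A.B.C.D WILDCARD' into a network; a wildcard of '0' means that single host."""
    prefix = 32 if wildcard == "0" else 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_config(text: str) -> dict:
    """Collect ACL definitions, global access-group bindings and VTY acl bindings."""
    acls, global_bindings, vty_bindings = {}, [], []
    current_acl, in_vty = None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):  # '#' separates configuration sections
            current_acl, in_vty = None, False
            continue
        if not line.startswith(" "):  # a top-level command starts a new section
            current_acl, in_vty = None, False
            if m := re.match(r"acl number (\d+)", stripped):
                current_acl = acls.setdefault(int(m.group(1)), Acl(int(m.group(1))))
            elif m := re.match(r"access-group (\d+)", stripped):
                global_bindings.append(int(m.group(1)))
            elif stripped.startswith("user-interface vty"):
                in_vty = True
            continue
        if current_acl is not None and (m := RULE_RE.match(line)):
            _, action, addr, wildcard = m.groups()
            current_acl.rules.append((action, wildcard_to_network(addr, wildcard) if addr else None))
        elif in_vty and (m := re.match(r"acl (\d+) inbound", stripped)):
            vty_bindings.append(int(m.group(1)))
    return {"acls": acls, "global": global_bindings, "vty": vty_bindings}


def evaluate(acl: Acl, src: str) -> str:
    """Apply the rules in order; the first match decides. Returns 'no-match' if none applies."""
    ip = ipaddress.IPv4Address(src)
    for action, net in acl.rules:
        if net is None or ip in net:
            return action
    return "no-match"


def audit(cfg: dict) -> list:
    """Flag ACLs that filter the whole device rather than only management sessions."""
    findings = []
    for n in cfg["global"]:
        acl = cfg["acls"].get(n)
        ends_in_deny = acl is not None and any(a == "deny" and net is None for a, net in acl.rules)
        findings.append(f"ACL {n} is bound globally with access-group, so it filters all traffic"
                        + (" and ends in an unconditional deny" if ends_in_deny else ""))
    for n in cfg["vty"]:
        if n not in cfg["acls"]:
            findings.append(f"user-interface vty references ACL {n}, which is not defined")
    return findings


if __name__ == "__main__":
    for name, text in (("wrong", WRONG_CONFIG), ("correct", CORRECT_CONFIG)):
        print(name, audit(parse_config(text)) or ["no findings"])
    acl = parse_config(WRONG_CONFIG)["acls"][2000]
    for host in ("198.51.100.7", "192.0.2.1", "203.0.113.10"):
        print(host, evaluate(acl, host))  # ER host and switch interface permit, RADIUS server deny
```

Run against the wrong fragment, the audit reports the global binding and the evaluation shows that only the ER segment and the switch interface pass the ACL, which matches the symptoms in the post: the ER PC can telnet in and the directly connected interface answers pings, while every other peer (RADIUS, DNS, the loopback, remote hosts) is dropped. The correct fragment produces no findings because the same ACL is confined to the VTY lines.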

Root Cause
1. The MA5200F cannot communicate with the external network because the routes on the upstream device changed (for example, no return route).
2. The uplink port of the MA5200F is faulty.
3. The MA5200F itself is misconfigured.
