FAQ - Why Traffic Sent to One TCP Port by Subscribers in One Section of an IP Pool Cannot Be Blocked on the ME60

Publication Date: 2012-07-27
Issue Description
Q: Why can't we block only one section of ADSL subscribers from sending packets to a given TCP port? (We want to block just one section in one IP pool; the remaining sections should still be able to send traffic to that TCP port.)



Alarm Information
Null

Handling Process
A:

Suppose the IP pool for ADSL is configured like this:

ip pool ADSL bas local
gateway 41.140.32.1 255.255.240.0
section 0 41.140.32.1 41.140.32.255
section 1 41.140.36.0 41.140.39.255
section 2 41.140.40.0 41.140.43.255

Suppose we want to block only section 0 subscribers from sending traffic to TCP port 25 (SMTP), while section 1 and section 2 can still send traffic to TCP port 25.
The obvious approach is to configure a UCL that specifies the IP addresses of section 0 and to configure a traffic policy bound to that UCL.
That approach does not work:


acl number 6005
rule 5 permit tcp source ip-address 41.140.32.1 255.255.255.0 destination-port eq smtp

traffic classifier anti-virus operator or
if-match acl 6005


traffic policy suspension-inbound
classifier anti-virus behavior deny


traffic-policy suspension-inbound inbound


The reason is that the IP ranges of IP pools cannot be specified in UCL 6005: a UCL can specify just a user-group, and because those users belong to an IP pool, they have a user profile on the BRAS. So even though the source ip-address command can be entered, it will not work.

Therefore, as a solution, it is better to place section 0 in a separate user-group and have the UCL match on that user-group rather than on an IP address range.
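
The same policy rewritten to match on a user-group, as an added example that is not part of the original case. The group name adsl-sec0 is hypothetical, and the example assumes section 0 subscribers have already been placed in that user-group (for instance through their own AAA domain), which the case does not show.

```text
# Added example; adsl-sec0 is a hypothetical user-group name.
user-group adsl-sec0
#
# Match on the subscribers' user-group instead of a source IP range.
acl number 6005
 rule 5 permit tcp source user-group adsl-sec0 destination-port eq smtp
#
traffic classifier anti-virus operator or
 if-match acl 6005
#
# The behavior named "deny" is referenced by the original policy; defined here so the fragment is complete.
traffic behavior deny
 deny
#
traffic policy suspension-inbound
 classifier anti-virus behavior deny
#
traffic-policy suspension-inbound inbound
```

Subscribers in section 1 and section 2 are not members of adsl-sec0, so rule 5 does not match them and their traffic to TCP port 25 is unaffected.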



Root Cause
Null

Suggestions
Null

END