1. A check of the route configuration shows that the MA5200F reaches the upper-layer equipment (the L3 LAN switch) through a default route.
2. A check of the L3 LAN switch configuration shows static routes to the MA5200F and to the address-pool network segment on the MA5200F; these static routes are imported into OSPF.
3. A check of the equipment upstream of the L3 LAN switch shows that it learns the routes to the MA5200F and to the address pool through OSPF.
4. A host with a public IP address can tracert the MA5200F, and the MA5200F is reachable. In the opposite direction, the MA5200F cannot ping the IP address of that host.
5. The MA5200F can ping the directly connected interface of the L3 switch, but it cannot ping the loopback address of the switch.
6. Only addresses in the carrier's network in the ER can telnet to the MA5200F, and the MA5200F can also ping the hosts in the ER.
7. Traffic between the MA5200F and the hosts in the ER passes through many devices, yet the MA5200F cannot ping the addresses of those devices, so we conclude that access control may be configured on some equipment.
8. After a careful check of the ACLs on all network equipment, we found the cause: the carrier's engineers had imported an ACL intended to restrict telnet login, but applied it globally, so it filtered all traffic to the MA5200F instead of only telnet sessions.
The wrong configuration is:
acl number 2000 match-order auto
rule 1 permit source 220.127.116.11 0 \\Interface address of the L3 switch
rule 2 permit source 18.104.22.168 0.0.0.255 \\Network segment of the hosts in the ER
rule 4 deny
access-group 2000 \\Here is the wrong configuration: the ACL is bound globally, so the final deny rule drops all traffic from any source other than the two permitted ones, not only telnet
The correct configuration should be (the global access-group 2000 is removed, and the ACL number matches the one referenced under the VTY lines):
acl number 2000 match-order auto
rule 1 permit source 22.214.171.124 0
rule 2 permit source 126.96.36.199 0.0.0.255
rule 4 deny
#Set attributes of telnet #
user-interface vty 0 4
acl 2000 inbound \\The ACL is bound to the VTY lines here, so it restricts telnet login only. The carrier's engineers had instead bound it globally, which caused the problem above.
authentication-mode scheme default
user privilege level 3
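As an added check, not part of the original case write-up: a small Python linter that parses a VRP-style configuration and reports an ACL ending in an unconditional deny that is bound globally with access-group instead of under user-interface vty, which is exactly the mistake found above. The two sample configurations embedded in the block are constructed (RFC 5737 documentation addresses, not the case's addresses), and the parser covers only the statement forms used in this case.

```python
"""Check where a Huawei VRP-style ACL is bound: on the VTY lines, where it
restricts telnet login only, or globally via `access-group`, where it filters
all traffic through the device. Added example, not from the original case;
the sample configs below are constructed with RFC 5737 addresses."""

import re
from dataclasses import dataclass, field


@dataclass
class Acl:
    number: int
    rules: list = field(default_factory=list)  # (rule_id, action, source or None)


def parse_config(text):
    """Return (acls, global_bindings, vty_bindings) parsed from config text."""
    acls, global_bindings, vty_bindings = {}, [], []
    current_acl, in_vty = None, False
    for raw in text.splitlines():
        # drop trailing '//' or '\\' annotations as used in the case write-up
        line = re.split(r"\s*(?://|\\\\)", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("#"):  # '#' ends the current section
            current_acl, in_vty = None, False
            continue
        m = re.match(r"acl number (\d+)", line)
        if m:
            current_acl = Acl(int(m.group(1)))
            acls[current_acl.number] = current_acl
            in_vty = False
            continue
        m = re.match(r"rule (\d+) (permit|deny)(?: source (\S+) \S+)?", line)
        if m and current_acl is not None:
            current_acl.rules.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = re.match(r"access-group (\d+)", line)
        if m:  # global binding: applies to all traffic, not only telnet
            global_bindings.append(int(m.group(1)))
            continue
        if line.startswith("user-interface vty"):
            current_acl, in_vty = None, True
            continue
        m = re.match(r"acl (\d+) (inbound|outbound)", line)
        if m and in_vty:  # binding scoped to the telnet/VTY lines
            vty_bindings.append(int(m.group(1)))
    return acls, global_bindings, vty_bindings


def ends_with_deny_all(acl):
    """True when the last rule is an unconditional deny (a deny-all ACL)."""
    return bool(acl.rules) and acl.rules[-1][1] == "deny" and acl.rules[-1][2] is None


def check(text):
    """Return findings for a telnet-restriction ACL bound at the wrong scope."""
    acls, global_bindings, vty_bindings = parse_config(text)
    findings = []
    for n in global_bindings:
        acl = acls.get(n)
        if acl is not None and ends_with_deny_all(acl):
            findings.append(
                f"acl {n} ends in deny-all but is bound globally (access-group {n}): "
                "it filters all traffic, not only telnet login")
    if not vty_bindings:
        findings.append("no acl bound under user-interface vty: telnet login is unrestricted")
    for n in vty_bindings:
        if n not in acls:
            findings.append(f"user-interface vty references acl {n}, which is not defined")
    return findings


# Constructed configs reproducing the case's wrong and corrected bindings.
WRONG_CONFIG = r"""
acl number 2000 match-order auto
 rule 1 permit source 192.0.2.1 0            \\ L3 switch interface (constructed)
 rule 2 permit source 198.51.100.0 0.0.0.255 \\ ER host segment (constructed)
 rule 4 deny
access-group 2000                            \\ bound globally: the error
#
user-interface vty 0 4
 authentication-mode scheme default
 user privilege level 3
"""

CORRECT_CONFIG = r"""
acl number 2000 match-order auto
 rule 1 permit source 192.0.2.1 0
 rule 2 permit source 198.51.100.0 0.0.0.255
 rule 4 deny
#
user-interface vty 0 4
 acl 2000 inbound                            \\ bound to the VTY lines: telnet only
 authentication-mode scheme default
 user privilege level 3
"""

if __name__ == "__main__":
    for name, cfg in (("wrong", WRONG_CONFIG), ("correct", CORRECT_CONFIG)):
        print(name, check(cfg) or ["ok"])
```

Run against a directory of saved configs, the `check` function turns the manual "careful check of the ACLs on all network equipment" from step 8 into a repeatable audit: a deny-all ACL should only ever appear under the VTY lines for this purpose, and any global access-group binding of such an ACL is worth a second look before it takes the device off the network.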