Invalid ACL to Layer-4 Ports

Publication Date: 2012-07-27
Issue Description
Networking: WIN2kServer?OUTER?A5200F?2?C
Version: MA5200 MA2.10-7127
Description: An ACL is configured on the MA5200F so that the downstream routers can use only the well-known ports (HTTP, FTP, TELNET, SNMP) and all other ports are disabled. However, a PC can still remotely control the WIN2kServer through port 3589.
Alarm Information
Handling Process
1) Check the ACL configuration with "dis acl all". The ACL is displayed as follows:

    ACL: permit, 12 rules
    rule 1 net-user permit ip destination 1
    rule 8 net-user deny tcp destination 1
    rule 9 net-user deny udp destination 1
    rule 0 user-net permit ip source 1
    rule 2 user-net permit tcp source-port eq www
    rule 3 user-net permit tcp source-port eq ftp
    rule 4 user-net permit tcp source-port eq smtp
    rule 5 user-net permit tcp source-port eq telnet
    rule 6 user-net permit udp source-port eq dns
    rule 7 user-net permit udp source-port eq tftp
    rule 10 user-net deny tcp source 1
    rule 11 user-net deny udp source 1

2) From the above information, the rules themselves are correct and no time range is configured.
3) The match sequence is set to the configuration sequence, so the first rule, rule 0, takes effect: it permits all IP packets. Matching stops there, the remaining rules are never evaluated, and the subscriber can still use any TCP/UDP port application.
4) Change the match sequence of the ACL to auto. The fault is cleared.
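The following is an added simulation, not code from the case or from the MA5200 software, of why the match sequence decides the outcome above. The user-net rules are transcribed from the display; "auto" is modelled as most-specific-rule-first (port match before protocol match before plain ip), which is an assumption about the device's depth-first ordering, and the implicit result when no rule matches is assumed to be deny.

```python
"""Simulate ACL evaluation under 'config' and 'auto' match sequence."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int               # rule number as configured
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    port: Optional[int] = None  # layer-4 port the rule tests; None = any


# Well-known port numbers used by the display (constructed constants).
WWW, FTP, SMTP, TELNET, DNS, TFTP = 80, 21, 25, 23, 53, 69

# The user-net half of the ACL from the case, transcribed from "dis acl all".
USER_NET_RULES = [
    Rule(0, "permit", "ip"),
    Rule(2, "permit", "tcp", WWW),
    Rule(3, "permit", "tcp", FTP),
    Rule(4, "permit", "tcp", SMTP),
    Rule(5, "permit", "tcp", TELNET),
    Rule(6, "permit", "udp", DNS),
    Rule(7, "permit", "udp", TFTP),
    Rule(10, "deny", "tcp"),
    Rule(11, "deny", "udp"),
]


def matches(rule: Rule, proto: str, port: int) -> bool:
    """True if a packet of this protocol/port is covered by the rule."""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    return rule.port is None or rule.port == port


def specificity(rule: Rule) -> int:
    """0 = any ip, 1 = protocol only, 2 = protocol and port (assumed model)."""
    return int(rule.port is not None) + int(rule.proto != "ip")


def evaluate(rules, proto: str, port: int, match_order: str = "config"):
    """Return (action, rule number) of the first rule that fires."""
    ordered = sorted(rules, key=lambda r: r.number)       # config sequence
    if match_order == "auto":                             # stable sort keeps
        ordered = sorted(ordered, key=specificity, reverse=True)  # rule order
    for rule in ordered:
        if matches(rule, proto, port):
            return rule.action, rule.number
    return "deny", None   # assumed implicit default when nothing matches
```

With the config sequence every packet hits rule 0 first; with auto, a TCP packet on port 3589 falls through the port-specific permits to rule 10 and is denied.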
Root Cause
There are several possible reasons for an ACL not taking effect:
1) The ACL configuration is wrong.
2) The ACL is not applied to the corresponding access.
3) The ACL is configured to match in configuration sequence. In this case, matching stops at the first rule that matches, so a broad permit rule early in the list shadows the more specific rules after it.
4) The ACL is configured with a time range and the current time falls outside that range.