Version: independent of version
Symptom: The system is configured with ACL to limit users to access some web site, but users cannot access any web site then.
1.In configurations of system, ACL is configured as follows:
acl number 100
rule 3 net-user permit ip source 22.214.171.124 0 destination 10
rule 4 net-user permit ip source 126.96.36.199 0 destination 10
rule 0 user-net permit ip source 10 destination 188.8.131.52 0
rule 1 user-net deny ip source 10
rule 2 user-net permit ip source 10 destination 184.108.40.206 0
ACL is defined with correct rules, but the matching order of the ACL is that of configuration, and "rule 1 user-net deny ip source 10" of ucl-group 10 is defined as rule 1, so all the rules behind rule1 will not take effect, failing the users to access the web sites permitted in ACL.
2. The problem is solved by configuring "rule 1 user-net deny ip source 10" to rule 5 in ACL.
Users cannot access some web sites, and the possible reasons include:
1. Routes are not reachable;
2. ACL limit.
Services for user is normal before the configuration of ACL, but users cannot access the web sites permitted in ACL after the configuration, so its configuration is problematic.
It is recommended to use match-order auto in ACL to avoid problems alike.