Topology: See the attachment
Symptoms: Users behind the MA5200F cannot access the network normally. A PC in the carrier's ER can telnet to the MA5200F. However, the device cannot ping the external network (RADIUS server, DNS server, etc.), although it can ping the address of the directly connected interface of the L3 switch. A host with a public IP address (outside the ER network) can tracert to the MA5200F, but access to it fails.
Handling process:
1. Check the route configuration of the MA5200F: it reaches the upstream device (the L3 switch) through a default route.
2. Check the configuration of the L3 switch: it has static routes to the MA5200F and to the MA5200F address pool segment, and these routes are imported into OSPF.
3. Check the upstream equipment of the L3 switch: it learns the routes to the MA5200F and to the address pool through OSPF.
4. From the host with a public IP address, tracert to the MA5200F; it is reachable. However, the MA5200F cannot ping the IP address of that host.
5. From the MA5200F, ping the interface of the L3 switch; it is reachable. However, the MA5200F cannot ping the loopback address of the L3 switch.
6. Only addresses in the carrier's ER network can telnet to the MA5200F, and the MA5200F can ping the host in the ER.
7. There are many devices along the path from the MA5200F to the host in the ER, and the MA5200F can ping all of them. It is therefore concluded that a network element is configured with an ACL.
8. Check the ACL configuration of each network element. The carrier's engineer had applied the ACL that restricts telnet login globally by mistake, instead of only on the VTY user interface, so it filtered all traffic rather than just telnet logins.
The correct configuration should be:
acl number 1 match-order auto
rule 1 permit source 220.127.116.11 0 //interface address of the L3 switch
rule 2 permit source 18.104.22.168 0.0.0.255 //network segment of the host in the ER
rule 4 deny //everything else is denied
# Set the telnet attributes
user-interface vty 0 4
acl 1 inbound //the ACL is applied here to restrict telnet login addresses only; the customer had applied it globally by mistake
authentication-mode scheme default
user privilege level 3
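To make the difference between the two placements concrete, the following is an added example (not part of the original case) that evaluates the page's ACL 1 against a few flows twice: once as if bound only to the VTY user interface, as in the corrected configuration, and once as if applied globally to all inbound traffic, as the carrier had done. The ACL addresses come from the page; the RADIUS server, DNS server, ER admin host and public host addresses are constructed. The assumption that an unmatched packet is permitted (so the explicit "rule 4 deny" is what actually closes the list) is modelled here as stated in the comments.

```python
"""Simulate a Huawei-style basic ACL and show how its placement changes
the blast radius of a telnet-restriction list.
Added example; addresses other than the two in the page's ACL are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"  # wildcard bits set to 1 are ignored

    def matches(self, addr: str) -> bool:
        a, s, w = (int(IPv4Address(x)) for x in (addr, self.source, self.wildcard))
        care = ~w & 0xFFFFFFFF         # bits that must be equal
        return (a & care) == (s & care)

    def specificity(self) -> int:
        # Number of bits that must match; match-order auto tries the most
        # specific rule first (depth-first ordering).
        return bin(~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF).count("1")


# ACL 1 exactly as given on the page ("0" is shorthand for wildcard 0.0.0.0).
ACL_1 = [
    Rule(1, "permit", "220.127.116.11", "0.0.0.0"),   # L3 switch interface
    Rule(2, "permit", "18.104.22.168", "0.0.0.255"),  # ER host segment
    Rule(4, "deny"),                                  # everything else
]


def evaluate(acl, addr: str, match_order: str = "auto") -> str:
    """Return the action of the first matching rule.  With no match the
    packet is permitted (assumed default), which is why rule 4 is explicit."""
    if match_order == "auto":
        rules = sorted(acl, key=lambda r: -r.specificity())
    else:  # match-order config: rule numbers in ascending order
        rules = sorted(acl, key=lambda r: r.number)
    for r in rules:
        if r.matches(addr):
            return r.action
    return "permit"


@dataclass(frozen=True)
class Flow:
    src: str
    service: str  # "telnet" | "radius" | "dns" | "icmp"


def filter_flow(flow: Flow, placement: str) -> str:
    """placement 'vty'   : ACL bound to user-interface vty 0 4, so only
                           telnet logins to the device are checked.
       placement 'global': ACL applied to all inbound traffic (the mistake)."""
    if placement == "vty" and flow.service != "telnet":
        return "permit"
    return evaluate(ACL_1, flow.src)


# Constructed flows that mirror the symptoms described in the case.
FLOWS = [
    Flow("18.104.22.50", "telnet"),   # admin PC in the ER segment
    Flow("203.0.113.7", "telnet"),    # telnet attempt from a public host
    Flow("10.1.1.5", "radius"),       # reply from the RADIUS server
    Flow("10.1.1.53", "dns"),         # reply from the DNS server
    Flow("220.127.116.11", "icmp"),   # ping reply from the L3 switch interface
]


def compare() -> dict:
    """Map each flow to (result with VTY placement, result with global placement)."""
    return {f: (filter_flow(f, "vty"), filter_flow(f, "global")) for f in FLOWS}


if __name__ == "__main__":
    for flow, (vty, glob) in compare().items():
        print(f"{flow.src:>16} {flow.service:<7} vty={vty:<6} global={glob}")
```

With the ACL on the VTY line only the public-host telnet attempt is denied; applied globally, the same list also drops the RADIUS and DNS replies while still letting the directly connected L3 switch interface answer pings, which is exactly the pattern seen in steps 4 to 7.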
Possible causes:
1. The MA5200F cannot communicate with the external network because the route configuration of the upstream equipment has been changed (for example, there is no return route).
2. The upstream optical interface of the MA5200F is faulty.
3. The MA5200F configuration is faulty.