The EACL rule doesn't take effect, although it can be seen with the display current-configuration command. All of the configuration looks correct.
The version is:
Huawei Versatile Routing Platform Software
VRP (R) software, Version 3.10, RELEASE 2229
Copyright (C) 1997-2003 HUAWEI TECH CO., LTD.
The EACL configuration is listed as follows:
rule-map intervlan hz tcp any equal ftp 192.168.200.1 0.0.0.0
eacl hz intervlan-any deny
Then go into the corresponding interface on the layer 2 FE interface board and input the following command to apply it:
access-group switch eacl hz vlan all
Tried to FTP to this device from another router and found it was still accessible. The EACL didn't take effect.
No special alarm!
1. First of all, I doubted that the layer 2 board supports the EACL feature, but it's a basic function and I confirmed that it does.
2. The physical port belongs to an individual VLAN that is configured for routing between two NE40 routers by using the property routing command. I couldn't apply the EACL rule on the VLAN interface.
3. It was very hard to troubleshoot the cause. I deleted the configuration and then put the same back; it was still the same issue.
4. Used the display current-configuration command and found it was there exactly as I had input it. It seemed to work.
5. Eventually I tried deleting all EACL-relevant configuration, then made the rule-map again, and then tried a different syntax sequence to make the same rule. I did the rule-map this way: rule-map intervlan hz tcp any 192.168.200.1 0.0.0.0 equal ftp.
6. Then I applied it to the interface, tested it, and found it worked.
It seemed the EACL didn't work at all, yet neither the physical ports nor the configuration had problems. Since the customer was using the layer 2 FE board for routing between two NE40s, I checked with HQ and confirmed the board supports the basic EACL feature.
It had to be a configuration problem, but it looked normal in the output of the display current-configuration command.
Be cautious about the rule-map syntax sequence. We are used to using ? when inputting commands, so it's pretty easy to make a mistake this way. Be aware that the correct syntax should end with EQUAL followed by a specific protocol. Don't mix up the sequence. That's two hours of work spent on this POINT.
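The lesson above is that the router accepted a rule-map line with the port qualifier in the wrong position and showed it in the running configuration, yet the filter never matched. A cheap way to catch this before the configuration is pushed is a lint pass over the candidate config. The script below is an added example written for this write-up, not vendor code and not the VRP grammar: its only rule is the one the case established, that the `equal <port>` qualifier of a `rule-map intervlan` line must follow the destination address and wildcard mask rather than precede them. The sample configuration text is constructed from the two rule-map forms in the case; the function names `lint_rule_map` and `lint_config` are assumptions of this example.

```python
import re
from typing import List, Tuple

# Constructed sample: the first rule-map line is the form that was silently
# ineffective in the case, the second is the form that worked.
SAMPLE_CONFIG = """\
rule-map intervlan hz tcp any equal ftp 192.168.200.1 0.0.0.0
rule-map intervlan hz2 tcp any 192.168.200.1 0.0.0.0 equal ftp
eacl hz intervlan-any deny
"""

# Dotted-quad matcher for address and wildcard-mask tokens.
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def lint_rule_map(line: str) -> Tuple[bool, str]:
    """Check one 'rule-map intervlan' line.

    Heuristic taken from the case write-up (assumption, not the vendor grammar):
    an 'equal <port>' qualifier that appears before the last address-like
    token (a dotted quad or 'any') is flagged, because the working form ends
    the line with 'equal <port>'.
    Returns (ok, message).
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "rule-map" or tokens[1] != "intervlan":
        return True, "not an intervlan rule-map line; skipped"

    addr_positions = [i for i, t in enumerate(tokens) if t == "any" or IPV4.match(t)]
    if not addr_positions:
        return False, "no address token found in rule-map line"
    last_addr = max(addr_positions)

    for i, t in enumerate(tokens):
        if t == "equal" and i < last_addr:
            port = tokens[i + 1] if i + 1 < len(tokens) else "<missing>"
            return False, (
                f"'equal {port}' appears before the destination address; "
                "move the port qualifier to the end of the line"
            )
    return True, "port qualifier (if any) is at the end of the line"


def lint_config(text: str) -> List[Tuple[int, bool, str]]:
    """Run lint_rule_map over every rule-map intervlan line of a config text.

    Returns a list of (line_number, ok, message) tuples, one per rule-map line.
    """
    results = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("rule-map intervlan"):
            ok, message = lint_rule_map(line)
            results.append((number, ok, message))
    return results


if __name__ == "__main__":
    for number, ok, message in lint_config(SAMPLE_CONFIG):
        status = "OK  " if ok else "WARN"
        print(f"{status} line {number}: {message}")
```

Run against a saved copy of the intended configuration before applying it; the point is that the device's own acceptance of the line, and its presence in display current-configuration, is not evidence that the rule is well-formed, so the ordering has to be checked by something other than the router.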