Q: Why can't we block just one ADSL subscriber section from sending packets to a given TCP port? (We want to block only one section of one IP pool; the remaining sections should still be able to send traffic to that TCP port.)
Suppose the IP pool for ADSL looks like this:
ip pool ADSL bas local
 gateway 220.127.116.11 255.255.240.0
 section 0 18.104.22.168 22.214.171.124
 section 1 126.96.36.199 188.8.131.52
 section 2 184.108.40.206 220.127.116.11
We want to block only the section 0 subscribers from sending traffic to TCP port 25 (SMTP), while sections 1 and 2 can still send traffic to TCP port 25.
The obvious solution is to configure a UCL that specifies the IP addresses of section 0, and bind a traffic policy to that UCL.
That solution does not work!
acl number 6005
 rule 5 permit tcp source ip-address 18.104.22.168 255.255.255.0 destination-port eq smtp
#
traffic classifier anti-virus operator or
 if-match acl 6005
#
traffic behavior deny
 deny
#
traffic policy suspension-inbound
 classifier anti-virus behavior deny
#
traffic-policy suspension-inbound inbound
(The traffic behavior deny block is not in the original post; it is added here because the policy line references a behavior named deny, which must be defined. Note also that on VRP the second field after source is a wildcard mask, not a subnet mask: 255.255.255.0 means "match only the last octet", whereas a /24 would be written 0.0.0.255.)
The reason for this is that the IP ranges of IP pools cannot be specified in UCL 6005: a UCL can only be written in terms of a user-group, and because those users belong to an IP pool they have a user profile on the BRAS, so even though the source ip-address command can be entered, it will not take effect.
Therefore, as a solution, it is better to put section 0 into another user-group and write the UCL against that user-group rather than against an IP address range.
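The user-group approach written out as an added example (this is not configuration from the original post). It assumes that the section 0 range is moved into its own pool and bound to a separate AAA domain, since the domain is where a BRAS assigns a user-group; the pool name ADSL-sec0, the domain name adsl-sec0 and the group name no-smtp are assumptions, as is reusing the same gateway address in both pools (check whether your platform allows that, or give the new pool its own gateway).

```text
# Section 0 range moved into its own pool (names assumed)
ip pool ADSL-sec0 bas local
 gateway 220.127.116.11 255.255.240.0
 section 0 18.104.22.168 22.214.171.124
#
# The remaining sections stay in the original pool
ip pool ADSL bas local
 gateway 220.127.116.11 255.255.240.0
 section 1 126.96.36.199 188.8.131.52
 section 2 184.108.40.206 220.127.116.11
#
# User group that the UCL will match on
user-group no-smtp
#
# Domain whose users are addressed from the section 0 pool and tagged with the group
aaa
 domain adsl-sec0
  authentication-scheme default
  accounting-scheme default
  ip-pool ADSL-sec0
  user-group no-smtp
#
# UCL matches on the user-group, not on an IP range
acl number 6005
 rule 5 permit tcp source user-group no-smtp destination-port eq smtp
#
traffic classifier anti-virus operator or
 if-match acl 6005
#
traffic behavior deny
 deny
#
traffic policy suspension-inbound
 classifier anti-virus behavior deny
#
traffic-policy suspension-inbound inbound
```

Subscribers who log in through domain adsl-sec0 get an address from section 0 and carry the no-smtp group, so only their SMTP traffic hits the deny behavior; users in the original ADSL pool are untouched because the UCL never mentions their addresses. After applying it, confirm with display access-user that the affected subscribers show the expected domain and user-group before testing port 25 from one of them.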