FAQ-Why Traffic Sent to One TCP Port by One Section of IP-Pool Subscribers Cannot Be Blocked on the ME60

Publication Date: 2012-07-27

Issue Description

Q: Why can we not block just one section of ADSL subscribers from sending packets to a given TCP port? (We want to block only one section in one ip-pool; the remaining sections must still be able to send traffic to that TCP port.)

Alarm Information


Handling Process


Suppose the ip-pool for ADSL is configured like this:

ip pool ADSL bas local
section 0
section 1
section 2

We want to block only the section 0 subscribers from sending traffic to TCP port 25 (SMTP), while section 1 and section 2 can still send traffic to TCP port 25.
The obvious solution is to configure a UCL that specifies the IP addresses of section 0 and a traffic policy bound to that UCL.
That solution does not work:

acl number 6005
rule 5 permit tcp source ip-address destination-port eq smtp

traffic classifier anti-virus operator or
if-match acl 6005

traffic policy suspension-inbound
classifier anti-virus behavior deny

traffic-policy suspension-inbound inbound

The reason is that the IP ranges of the ip-pool cannot be specified in UCL 6005: a UCL can match users only by user-group, and because these users belong to an ip-pool they have a user profile on the BRAS. So even though the source ip-address command can be entered, it will not take effect.

Therefore, the solution is to put section 0 in a separate user-group and write the UCL rule against that user-group rather than against an IP address range.
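
The user-group approach described above, as an added configuration sketch that is not part of the original FAQ. The names adsl-s0, smtp-s0 and deny-smtp are hypothetical, and placing the section 0 subscribers in the user-group through a dedicated domain is an assumption; only the lines relevant to the block are shown.

```text
# Constructed example; adsl-s0, smtp-s0 and deny-smtp are hypothetical names.
# Define a user-group for the subscribers that must be blocked.
user-group adsl-s0
#
# Assumption: section 0 subscribers log in through a dedicated domain,
# so the domain can place them in the user-group.
aaa
 domain adsl-s0
  user-group adsl-s0
#
# The UCL matches on the user-group, not on the section's address range.
acl number 6005
 rule 5 permit tcp source user-group adsl-s0 destination-port eq smtp
#
traffic classifier smtp-s0 operator or
 if-match acl 6005
#
# Behavior that drops the classified traffic.
traffic behavior deny-smtp
 deny
#
traffic policy suspension-inbound
 classifier smtp-s0 behavior deny-smtp
#
# Apply the policy to inbound user traffic.
traffic-policy suspension-inbound inbound
```

Subscribers in section 1 and section 2 are not members of adsl-s0, so rule 5 does not match them and their traffic to TCP port 25 is unaffected.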

Root Cause