#me60

this is customer network topo, when customer ping server address 172.28.127.78 from pc address 172.18.222.52, found there is packet loss from time to time.

Alarm Information

#Oct 26 2017 08:56:32+08:00 S9303-1 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 975, MacAddress = 0000-5e00-014b, Original-Port = Eth-Trunk1, Flapping port = GE2/1/7. Please check the network accessed to flapping port.

Handling Process

1. according to customer feedback topo, we have checked that haven't found packet loss on ME60,

2. then we deploy traffic statistic on interface Eth-Trunk2 and G2/1/7 of S9303, 

3. customer ping 172.28.127.78 from pc with 33 packets, found just pass 18 packets and lost 15 packets,

4. then we checked the traffic statistic on S9303, found 33 packets passed inbound and outbound direction on interface Eth-Trunk2, but on interface G2/1/7, found there is 33 packets passed inbound direction and just 18 packets passed outbound direction, it is same as the result which is on PC ping.

5. we checked on S9303, found there is mac flapping on interface G2/1/7 and Eth-Trunk1

6. we checked with customer, the Eth-Trunk1 connect NE40 device, and there is a same vrid on NE40, so S9303 will learn same mac address from two different interface, so will appear mac flapping

Root Cause

there are  two same vrid connect S9303, so S9303 will learn same mac address from two different interface, so will appear mac flapping, so when ping server address from pc will appear packet loss.

Solution

modify the vrid value to 175 on ME60 for not same as other device in customer network

An ME60 is configured with the BAS function and an ACL is configured to define the permitted pre-authentication domain resources. Terminal users use RADIUS authentication and accounting. The ping operation on pre-authentication resources, such as the DNS server, gateway, RADIUS server, and portal server, fails. The authentication on these resources also fails.

The simplified network topology is as follows:

The ME60 and RADIUS server are attached to the S12708. However, after policy-based routing is 

implemented on the users' authentication traffic imported from the S12708, the traffic is imported to the BAS interface of the ME60 for authentication. After the authentication is complete, the ME60 exchanges authentication packets with the RADIUS server. Details are as follows:

It is found that only the administrative domain user exists in the pre-authentication domain and post-authentication domain.

  [ME60]dis domain

  ------------------------------------------------------------------------------

  Domain name           State        CAR Access-limit   Online  BODNum RptVSMNum

  ------------------------------------------------------------------------------

  default0              Active         0       283648        0       0         0

  default1              Active         0       283648        0       0         0

  default_admin         Active         0       283648        1       0         0

  net                   Active         0       283648        0       0         0

  pre_web               Active         0       283648        0       0         0

  ------------------------------------------------------------------------------

Handling Process

1. Check the structure and traffic direction of the customer network.

2. Ping all the servers. It is found that the ping operation fails.

3. Check whether the configuration file is correct.

sysname ME60

#

 user-group huawei  //Configure a user group.

#

radius-server group net  //Configure authentication and accounting with the RADIUS server.

 radius-server authentication 10.0.0.13 1812

 radius-server accounting 10.0.0.13 1813

 radius-server shared-key huawei2123

 radius-server source interface GigabitEthernet4/0/4

#

radius-server authorization 10.0.0.13 shared-key huawei@123  //Configure authorization with the RADIUS server.

#

For details about ACP policy configuration, see the related ME60 manual.

.....

#

traffic policy web

 share-mode

 classifier web_permit behavior web_permit

 classifier web_deny behavior web_deny    

traffic policy web_out

 share-mode

 classifier web_permit behavior web_permit

 classifier web_out behavior web_out

#

aaa

 http-redirect enable           

 domain net  //Configure a post-authentication domain and bind RADIUS authentication and accounting to the RADIUS server group.

  authentication-scheme net

  accounting-scheme net

  radius-server group net

 domain pre_web  //Configure a pre-authentication domain that uses none authentication and non-accounting to access the portal server.

  authentication-scheme mm

  accounting-scheme mm

  user-group huawei

  web-server 10.0.0.12

  web-server url http://10.0.0.12/index_2.html

 #                                        

#

interface GigabitEthernet4/0/5  //Specifies the BAS interface for authentication.

 description TO_S12708_X5/0/8

 undo shutdown

 ip address 172.31.206.10 255.255.255.248

 bas

 access-type layer3-subscriber default-domain pre-authentication pre_web authentication net  //Enable Layer 3 authentication on the BAS interface and bind the interface to the pre-authentication domain and post-authentication domain.

 #

#

 traffic-policy web inbound  //Globally enable policy-based routing.

 traffic-policy web_out outbound

#

 web-auth-server source interface GigabitEthernet4/0/4

 web-auth-server version v2

 web-auth-server 10.0.0.12 port 2000 key simple huawei@123  //Configure authentication of the portal server.

#

It is found that the basic configuration of the customer network is correct, but a command is missing. The customer supposed that some servers in the pre-authentication domain can be accessed so long as traffic resources are permitted. However, a command needs to be run to control the pre-authentication domain access permissions.

Root Cause

The configuration file does not contain the command for configuring the pre-authentication domain access permissions.

This command is run globally to allow grant access permissions for the resources in the bound domain (pre_web in this example). After this configuration is performed, resources in the pre_web authentication domain can be accessed at IP addresses in the network segment 172.100.0.0. This command can be used together with other domains to achieve none authentication for some network segments. Details are not provided here.