Incorrect Traffic Calculation Because of Wrong ACL Configuration on ME60

Publication Date: 2012-07-27
Issue Description
I have met an urgent problem at one site with incorrect traffic calculation. The customer call center receives many complaints from subscribers that they can't visit external resources, but at the end of the month they receive bills with high external traffic. The customer has checked this situation with a test subscriber and found that a great part of the internal traffic is counted as external.


Alarm Information
Subscribers receive an extra bill for Internet at the end of the month.
Handling Process
ACL 6011 does not contain any rule whose source and destination are both user-groups (1-group). When users in 1-group access each other (for example, when a subscriber starts a BT application that has multiple processes), the ME60 matches the traffic between the users against the ACLs.
ACL 6001 is the one that matches.
#
acl number 6001
 description === internet ===
 rule 5 permit ip source any
 rule 10 permit ip destination any
#
This ACL permits all types of traffic, so the packets matching the ACL can reach the external network.
Now we know that traffic within 1-group matches ACL 6001. Look at the following information to find the tariff level corresponding to ACL 6001.
#
traffic classifier cs_inet operator or                                         
 if-match acl 6001
#                                                                    
traffic policy daa_policy                                                      
 classifier cs_webcam behavior bh_t5                                           
 classifier cs_game behavior bh_t6                                             
 classifier cs_vtsam behavior bh_t7                                            
 classifier cs_inet behavior bh_t8       //level8, the tariff level for the traffic to the Internet
accounting-service-policy daa_policy                                           
#
In summary, the system counts traffic in the internal network as external traffic because of the incorrect ACL configuration.

Root Cause

I have analyzed the symptom described in the email from the customer and concluded that the problem is caused by incorrect ACL configuration. As described by the customer, the subscribers do not access external resources, but the traffic statistics on the RADIUS server show that they receive bills with high external traffic. The following is the process of locating the problem:
The acl for the external network is:
#
acl number 6001
 description === Internet ===
 rule 5 permit ip source any
 rule 10 permit ip destination any
#
The acl for the internal network is (the tariff level is 8):                           
#
acl number 6011
 description === Local_Network===
 rule 5 deny ip source user-group 1-group destination ip-address 62.213.0.11 0
 rule 10 deny ip source user-group 1-group destination ip-address 62.213.0.13 0
 rule 15 deny ip source ip-address 62.213.0.11 0  destination user-group 1-group
 rule 20 deny ip source ip-address 62.213.0.13 0  destination user-group 1-group
 rule 25 permit ip source user-group 1-group destination ip-address 62.213.0.0 0.0.31.255
 rule 35 permit ip source user-group 1-group destination ip-address 212.32.192.0 0.0.31.255
 rule 45 permit ip source user-group 1-group destination ip-address 85.112.32.0 0.0.31.255
 rule 55 permit ip source user-group 1-group destination ip-address 88.200.128.0 0.0.127.255
 rule 70 permit ip source ip-address 62.213.0.0 0.0.31.255 destination user-group 1-group
 rule 75 permit ip source ip-address 212.32.192.0 0.0.31.255 destination user-group 1-group
 rule 80 permit ip source ip-address 85.112.32.0 0.0.31.255 destination user-group 1-group
 rule 85 permit ip source ip-address 88.200.128.0 0.0.127.255 destination user-group 1-group
 rule 90 permit ip source user-group 1-group destination ip-address 80.234.0.0 0.0.127.255
 rule 95 permit ip source ip-address 80.234.0.0 0.0.127.255 destination user-group 1-group
#
I have found a problem in the configuration after looking through the configuration file. If the users in user-group 1-group access each other, which acl will be matched?
acl 6001 or acl 6011?
When users in the same user-group access each other, the ME60 searches for the user-group that the users belong to, and then matches the source and destination against the ACL rules.
For traffic from a user to the network, the source is a user-group and the destination is an IP address. For traffic from the network to a user, the source is an IP address and the destination is a user-group.
Suppose user A accesses user B, whose IP address is 2.2.2.2, and a rule is as follows:
#
rule 5 permit ip source user-group group destination ip-address 2.2.2.2 0
#
Does the traffic match this rule?
The answer is definitely no: the ME60 does not apply this rule even though the IP address of user B is 2.2.2.2. When users access each other, the ME60 searches for rules whose source and destination are both user-groups.
How about the following rule?
#
rule 5 permit ip source any                                
#
This rule applies to the user-group because the any keyword is used. Now that we know the ACL matching rule for traffic between users, the cause of the problem can be easily located.
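The matching behaviour described above can be checked offline against a configuration before it reaches billing. The following Python model is an added example, not Huawei code or part of the original case: it uses a constructed subset of the page's ACL 6011 and ACL 6001, and it assumes that ACL 6011 is evaluated before ACL 6001 and that a deny hit hands the flow on to the next ACL.

```python
import ipaddress
import re

# Constructed subset of the page's configuration (ACL 6011 is abbreviated).
CONFIG = """
acl number 6011
 rule 5 deny ip source user-group 1-group destination ip-address 62.213.0.11 0
 rule 25 permit ip source user-group 1-group destination ip-address 62.213.0.0 0.0.31.255
 rule 70 permit ip source ip-address 62.213.0.0 0.0.31.255 destination user-group 1-group
acl number 6001
 rule 5 permit ip source any
 rule 10 permit ip destination any
"""
FIELD = re.compile(r"(source|destination) (any|user-group (\S+)|ip-address (\S+) (\S+))")

def parse(text):
    """Return {acl_number: [rule, ...]}; an omitted source/destination means any."""
    acls, cur = {}, None
    for line in text.strip().splitlines():
        words = line.split()
        if words[:2] == ["acl", "number"]:
            cur = acls.setdefault(int(words[2]), [])
        elif words[0] == "rule":
            rule = {"action": words[2], "source": ("any",), "destination": ("any",)}
            for side, kind, group, addr, wild in FIELD.findall(line):
                rule[side] = ("any",) if kind == "any" else ("group", group) if group else ("ip", addr, wild)
            cur.append(rule)
    return acls

def side_matches(field, endpoint):
    # Endpoints: ("group", name) for a subscriber, ("ip", address) for a network host.
    if field[0] == "any":
        return True
    if field[0] != endpoint[0]:
        return False  # an ip-address field never matches a user, and vice versa
    if field[0] == "group":
        return field[1] == endpoint[1]
    wild = 0 if field[2] == "0" else int(ipaddress.ip_address(field[2]))
    return (int(ipaddress.ip_address(field[1])) | wild) == (int(ipaddress.ip_address(endpoint[1])) | wild)

def classify(acls, order, src, dst):
    """Return the number of the first ACL in `order` that permits the flow, else None."""
    for number in order:
        for rule in acls[number]:
            if side_matches(rule["source"], src) and side_matches(rule["destination"], dst):
                if rule["action"] == "permit":
                    return number
                break  # assumption: a deny hit ends this ACL and the next ACL is tried
    return None
```

With `user = ("group", "1-group")`, `classify(parse(CONFIG), [6011, 6001], user, user)` returns 6001, the Internet ACL. Appending a hypothetical rule to ACL 6011 whose source and destination are both that user-group makes the same flow return 6011.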

 


Suggestions
Be careful with ACL and traffic policy configuration; mistakes can cost users a lot of money.
