On ME60, two user-groups can't communicate with each other with a DAA policy

Publication Date: 2012-07-27
Issue Description
The customer reported that on the ME60, traffic between two user-groups, “region” and “internet”, does not pass through, although a special ACL is configured. The customer also noticed that subscribers of user-group “region” receive a private IP address from RADIUS, while “internet” subscribers take a real IP address from the IP pool. All other resources (such as the Internet) are reachable from both user-groups. Users belonging to the two user-groups cannot ping each other.

#
acl number 6014
 description -=== ptp reg-inet ===- 
 rule 5 permit ip source user-group reg destination user-group inet
 rule 10 permit ip source user-group inet destination user-group reg
#
 traffic policy daa
 classifier default_service behavior bh_t1
 classifier free behavior bh_t2
 classifier region_mail behavior daa_deny
 classifier regional behavior bh_t3
 classifier internet behavior bh_t4
 classifier permit_all behavior daa_deny
classifiers:
traffic classifier regional operator or
 if-match acl 6013
 if-match acl 6014
traffic classifier internet operator or
 if-match acl 6004
 if-match acl 6014
 behaviors:
traffic behavior bh_t3
 traffic-statistic summary
 car
 tariff-level 3
traffic behavior bh_t4
 tariff-level 4
 traffic-statistic summary
 car
#


Alarm Information
none
Handling Process
As described by the customer, user-groups “region” and “internet” cannot ping each other.
First, I find the DAA service policy and the tariff-level used for user-group region.
The configuration is as follows:
#                                                                              
acl number 6014                                                                
 description -==== ptp reg-inet ===-                                                
 rule 5 permit ip source user-group reg destination user-group inet            
 rule 10 permit ip source user-group inet destination user-group reg           
#
Traffic from user-group region to user-group internet matches this ACL. Traffic from user-group internet to user-group region also matches this ACL.
You can find the tariff-levels corresponding to this acl from the following information:
(1)
#
traffic classifier regional operator or                                        
 if-match acl 6013                                                              
 if-match acl 6014  
classifier regional behavior bh_t3
traffic behavior bh_t3                                                         
 traffic-statistic summary                                                     
 car                                                                            
 tariff-level 3
#
(2)
#
traffic classifier internet operator or                                        
 if-match acl 6004                                                             
 if-match acl 6014    
classifier internet behavior bh_t4 
traffic behavior bh_t4                                                         
 tariff-level 4                                                                
 traffic-statistic summary                                                      
 car
#
The preceding information shows that the ping packets between user-groups region and internet match acl 6014 and the corresponding tariff-levels are 3 and 4.
In this case, user-groups region and internet can ping through each other only if tariff-level 3 and tariff-level 4 are both configured in the value-added service policy.
However, the value-added service policies are configured as follows:
#
value-added-service policy reg_2048k daa
 accounting-scheme radius
 tariff-level 1 qos-profile 256k-256k
 tariff-level 2 qos-profile 1024k-512k
 tariff-level 3 qos-profile 2048k-512k
#
or
#
value-added-service policy inet_6144k daa
 accounting-scheme radius
 tariff-level 1 qos-profile 256k-256k
 tariff-level 2 qos-profile 1024k-512k
 tariff-level 4 qos-profile 6144k-512k
#
In this configuration, tariff-level 3 and tariff-level 4 are not configured in the same value-added service policy. Therefore, user-groups region and internet cannot ping each other.
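The check walked through above can be automated. The following is an added example, not code from the original page or from the vendor: it applies the page's rule (every tariff-level that an ACL maps to must be present in the user's value-added service policy) to a sample abridged from the configuration shown here. The function names `parse` and `missing_levels` are hypothetical.

```python
import re
# Constructed sample: DAA lines abridged from the configuration on this page.
CONFIG = """\
traffic classifier regional operator or
 if-match acl 6013
 if-match acl 6014
traffic classifier internet operator or
 if-match acl 6004
 if-match acl 6014
traffic behavior bh_t3
 tariff-level 3
traffic behavior bh_t4
 tariff-level 4
traffic policy daa
 classifier regional behavior bh_t3
 classifier internet behavior bh_t4
value-added-service policy reg_2048k daa
 tariff-level 1 qos-profile 256k-256k
 tariff-level 3 qos-profile 2048k-512k
value-added-service policy inet_6144k daa
 tariff-level 1 qos-profile 256k-256k
 tariff-level 4 qos-profile 6144k-512k
"""

def parse(text):
    # section: the set that indented if-match / tariff-level lines are added to
    cfg, section = {"acls": {}, "levels": {}, "bind": {}, "vas": {}}, None
    for s in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"traffic classifier (\S+) operator \S+", s):
            section = cfg["acls"].setdefault(m[1], set())
        elif m := re.fullmatch(r"traffic behavior (\S+)", s):
            section = cfg["levels"].setdefault(m[1], set())
        elif m := re.fullmatch(r"value-added-service policy (\S+) daa", s):
            section = cfg["vas"].setdefault(m[1], set())
        elif m := re.fullmatch(r"classifier (\S+) behavior (\S+)", s):
            cfg["bind"][m[1]] = m[2]  # binding inside "traffic policy daa"
        elif m := re.fullmatch(r"(?:if-match acl|tariff-level) (\d+)( qos-profile \S+)?", s):
            if section is not None:
                section.add(int(m[1]))
    return cfg

def missing_levels(cfg, acl):
    """Per VAS policy: tariff levels that `acl` maps to but the policy lacks."""
    needed = set()
    for clf, acls in cfg["acls"].items():
        if acl in acls and clf in cfg["bind"]:
            needed |= cfg["levels"].get(cfg["bind"][clf], set())
    return {name: sorted(needed - have) for name, have in cfg["vas"].items()}

print(missing_levels(parse(CONFIG), 6014))
```

A non-empty list for a policy means that subscribers using that policy have traffic matching the ACL denied for the listed tariff-levels.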

Root Cause
Failure of the ping operation between user groups caused by incorrect ACL configuration often occurs in the DAA service. So, after receiving the report from the customer, I have checked the ACL configuration.
Before checking the configuration, I should know that the following configurations cause failure of the ping operation:
(1) In the accounting profile of the DAA service, the tariff-levels are not bound to any QoS profile, or the CAR of the bound QoS profile is 0.
Configuration is as follows:
#
value-added-service policy statist daa                                         
 accounting-scheme jay_daa                                                      
 tariff-level 1 qos-profile block                                              
 tariff-level 2 qos-profile block
#
  qos-profile block
    scheduler-profile block
#
 scheduler-profile block
  car cir 0 upstream
#
No configuration is made on the QoS profile named block. That is, when DAA service policy statist is used, the QoS function is disabled for tariff-level 1 and tariff-level 2. In other words, the ME60 denies the packets corresponding to tariff-level 1 and tariff-level 2.
(2) The tariff-level corresponding to the ACL that matches the destination address and the QoS profile are not configured in the value-added service policy. In other words, the destination address does not match any tariff-level. By default, the ME60 denies access to this destination address.
The configuration is as follows:
#
value-added-service policy statist daa
 accounting-scheme jay_daa
 tariff-level 1 qos-profile 128k
#
The user accesses destination address 7.7.7.7, and the value-added service policy for the user is statist. The destination address matches ACL 6015, which maps to tariff-level 2. But the configuration specifies that a user using policy statist can access only destinations that map to tariff-level 1. Access to the destination that maps to tariff-level 2 is denied.
The following are features of the ACL matching rule for the DAA service.
  • The matching rule takes effect globally. That is, the system matches all the ACLs based on their priorities instead of matching them based on the sequence in which the traffic classifiers are configured.
  • The difference between a DAA ACL and a common ACL is: after the ME60 finds the matching DAA ACL, it can perform only tariff-level mapping, traffic control (CAR), and traffic statistics; after finding the matching common ACL, the ME60 can perform other behaviors, such as permit, deny, redirect, and remark. If traffic behaviors other than tariff-level mapping, traffic control (CAR), and traffic statistics are configured in the value-added service policy, the system displays a message indicating that an error has occurred in the configuration.

Suggestions
Don't forget DAA scenario.
