Traffic classifier match mode misconfiguration prevents PPPoE users from going online

Publication Date: 2012-10-23
Issue Description
The customer's live network carries two services: PPPoE (data service) and IPTV. The customer uses a MAC ACL and the VLAN ID to restrict IPTV access to valid set-top boxes. After the service cutover, PPPoE users cannot go online normally, while the IPTV service is normal. The topology is as follows:
MA5200G(PPPOE business)   T64G(IPTV business)
                \           /
                 \         /       
                    S9300
                      |
                   UA5000
                    /   \
                   /     \
                 PC     STB
Alarm Information
NULL
Handling Process
The classifier match rule was or. Change it to and, as follows:
traffic classifier STB operator and precedence 5                                
if-match vlan-id 3072 to 4031                                                 
if-match acl 4000                                                             
traffic classifier ITMS operator and precedence 10                              
if-match vlan-id 3072 to 4031                                                 
if-match acl 4010
After this change, the PPPoE service is normal.
Root Cause
1. Username or password error.
2. BRAS service configuration error on the MA5200G sub-interface.
3. The QinQ range configured on the MA5200G sub-interface does not match the PPPoE packets.
4. S9300 configuration error: PPPoE packets cannot be forwarded to the MA5200G.
In this cutover, the problem lies in cause 4. Note the following parts of the S9300 configuration.
acl number 4000                                                                
rule 0 permit source-mac 00e0-8e00-0000 ffff-ff00-0000                        
rule 1 permit source-mac 00c0-8c00-0000 ffff-ff00-0000                        
rule 2 permit source-mac 0007-ba00-0000 ffff-ff00-0000                        
rule 3 permit source-mac 001e-4000-0000 ffff-ff00-0000                        
rule 4 permit source-mac 001d-b000-0000 ffff-ff00-0000
#                                                                              
acl number 4010                                                                
rule 1 permit source-mac 00d0-f800-0000 ffff-ff00-0000                        
rule 2 permit source-mac 00d0-d000-0000 ffff-ff00-0000                        
rule 3 permit source-mac 0019-c600-0000 ffff-ff00-0000                        
rule 4 permit source-mac 0015-eb00-0000 ffff-ff00-0000                        
rule 5 permit source-mac 0008-5c00-0000 ffff-ff00-0000                        
rule 6 permit source-mac 0003-0f00-0000 ffff-ff00-0000                        
rule 7 permit source-mac 0615-eb00-0000 ffff-ff00-0000                        
rule 8 permit source-mac 001e-7300-0000 ffff-ff00-0000                        
rule 9 permit source-mac 0022-9300-0000 ffff-ff00-0000                        
rule 10 permit source-mac 001e-1000-0000 ffff-ff00-0000                       
rule 11 permit source-mac 000a-c200-0000 ffff-ff00-0000                       
rule 99 deny
Note that the match rule of the following classifiers is or, i.e. if either of the two conditions is matched, the traffic enters the classifier.

traffic classifier STB operator or precedence 5                                
if-match vlan-id 3072 to 4031                                                 
if-match acl 4000                                                             
traffic classifier ITMS operator or precedence 10                              
if-match vlan-id 3072 to 4031                                                 
if-match acl 4010
#                                                                              
traffic behavior PermitMAC                                                     
#                                                                              
traffic policy PermitMAC                                                       
classifier STB behavior PermitMAC                                             
classifier ITMS behavior PermitMAC
interface Eth-Trunk1 //downstream interface
traffic-policy PermitMAC inbound
The MAC addresses in the ACLs are the legitimate STB set-top box MAC address segments. PPPoE users' MAC addresses are not in the permit list, so they match the final rule 99 deny. Because the classifier match rule is or, matching any one of the conditions is enough to enter the traffic classifier. The packet is then forwarded by the traffic policy and denied, which causes the PPPoE service failure.
Suggestions
After the operator is configured as “and”, both the ACL and the VLAN conditions must match before traffic enters the classifier and is forwarded by the traffic policy. The PPPoE service is in the VLAN of IPTV and matches only the ACL rule, so it does not enter the classifier and is not forwarded by the traffic policy. It follows the general packet forwarding process, so PPPoE packets are forwarded normally.
An illegitimate STB set-top box is in the IPTV VLAN and matches the ACL, so it enters the classifier, is forwarded by the policy, and is finally denied. This protects the legitimate IPTV users' resources.
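
The or/and behaviour described above, as an added example (not part of the original case and not Huawei code): a simplified Python model of the classifier decision, using an abridged copy of ACL 4010 from this page. It assumes a frame that hits any ACL rule (permit or deny) satisfies the if-match acl condition, and it models the PPPoE frame as one that matches only the ACL rule; VLAN 100 and the MAC 0011-2233-4455 are constructed values.

```python
import re

# ACL 4010 as shown on the page, abridged to two permit rules plus the final deny.
ACL_4010 = """\
rule 1 permit source-mac 00d0-f800-0000 ffff-ff00-0000
rule 2 permit source-mac 00d0-d000-0000 ffff-ff00-0000
rule 99 deny
"""
VLAN_RANGE = range(3072, 4032)  # if-match vlan-id 3072 to 4031

def mac_int(text):
    """Convert a MAC such as 00d0-f800-0000 to a 48-bit integer."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {text!r}")
    return int(digits, 16)

def parse_acl(text):
    """Return sorted (rule_id, action, value, mask); no source-mac means match all."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*rule (\d+) (permit|deny)(?: source-mac (\S+) (\S+))?\s*$", line)
        if m:
            value = mac_int(m.group(3)) if m.group(3) else 0
            mask = mac_int(m.group(4)) if m.group(4) else 0
            rules.append((int(m.group(1)), m.group(2), value, mask))
    return sorted(rules)

def acl_hit(rules, src_mac):
    """First rule matching the source MAC under its mask, as (id, action), or None."""
    mac = mac_int(src_mac)
    for rule_id, action, value, mask in rules:
        if mac & mask == value & mask:
            return rule_id, action
    return None

def classify(operator, vlan, src_mac, rules):
    """Simplified model (assumption): 'or' needs one condition, 'and' needs both."""
    hit = acl_hit(rules, src_mac)
    conditions = [vlan in VLAN_RANGE, hit is not None]
    in_class = any(conditions) if operator == "or" else all(conditions)
    if not in_class:
        return "normal forwarding"
    return "dropped" if hit and hit[1] == "deny" else "policy permit"

if __name__ == "__main__":
    acl = parse_acl(ACL_4010)
    for op in ("or", "and"):  # constructed PPPoE frame: VLAN 100, unlisted MAC
        print(op, classify(op, 100, "0011-2233-4455", acl))
```

Running the same check over the MAC and VLAN of every service sharing the downstream interface before a cutover shows which traffic the catch-all deny rule would drop under each operator.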
