S5720-36C-EI V200R007C00SPC500: dynamic ACL does not take effect

Published: 2016-12-22
Problem Description

S5720-36C-EI-AC running S5720 V200R007C00SPC500. The physical ports connecting the PCs are configured with dot1x authentication. After the users authenticate successfully and Agile Controller dynamically delivers an ACL, the two PCs cannot ping each other.

Troubleshooting Process

(1) Check the network topology and the user status information on the device.

As the following output shows, two users are online, PC1 (10.150.210.56, connected via GE0/0/1) and PC2 (10.150.210.59, connected via GE0/0/5), and the controller has dynamically delivered an ACL:
<HTWB-GAPCOCC-SW-5700-2>   display access-user
------------------------------------------------------------------------------
UserID Username                IP address       MAC            Status
------------------------------------------------------------------------------
388                            10.150.210.57    ecb1-d738-cb78 Pre-authen     
389                            10.150.210.58    ecb1-d73b-6f16 Pre-authen     
392    monitor-1               10.150.210.56    ecb1-d740-18a8 Success        
393    monitor-1               10.150.210.59    ecb1-d73b-6ee6 Success
394                            10.150.210.55    ecb1-d738-cb7b Pre-authen     
------------------------------------------------------------------------------
Total: 5, printed: 5
<HTWB-GAPCOCC-SW-5700-2>display access-user user-id 392

Basic:
  User ID                         : 392
  User name                       : monitor-1
  Domain-name                     : default                        
  User MAC                        : ecb1-d740-18a8
  User IP address                 : 10.150.210.56
  User access Interface           : GigabitEthernet0/0/1
  User vlan event                 : Success       
  QinQVlan/UserVlan               : 0/100
  User access time                : 2015/11/17 10:38:30
  User accounting session ID      : HTWB-GA00001000000100f5d8e8000392
  Option82 information            : -
  User access type                : 802.1x
  Terminal Device Type            : Data Terminal 
  Dynamic ACL desc(Effective)     :
   No. 0: acl 10001 dest-ip 10.150.210.12 dest-ipmask 32 permit
   No. 1: acl 10002 dest-ip 10.150.210.13 dest-ipmask 32 tcp-dstport 443 permit
   No. 2: acl 10006 dest-ip 10.150.210.14 dest-ipmask 32 tcp-dstport 443 permit
   No. 3: acl 10051 dest-ip 10.150.210.32 dest-ipmask 27 permit
   No. 4: acl 10089 dest-ip 0.0.0.0 dest-ipmask 0 deny


AAA:
  User authentication type        : 802.1x authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS
PC1 cannot ping PC2 and does not learn PC2's ARP entry. Traffic statistics configured for ARP packets on the switch ports show that the ARP packets PC1 sends to PC2 enter GE0/0/1 but are never sent out of GE0/0/5:
<HTWB-GAPCOCC-SW-5700-2>display traffic policy statistics interface GigabitEthernet 0/0/1 inbound verbose rule-base

Interface: GigabitEthernet0/0/1
Traffic policy inbound: icmp
Rule number: 4
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Classifier: icmp operator and
Behavior: icmp
Board : 0
rule 5 permit l2-protocol arp destination-mac ffff-ffff-ffff source-mac ecb1-d740-18a8 vlan-id 100
---------------------------------------------------------------------
Passed           |      Packets:                         9,773
                  |      Bytes:                         625,472
                  |      Rate(pps):                           1
                  |      Rate(bps):                         512
---------------------------------------------------------------------
Dropped          |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0

<HTWB-GAPCOCC-SW-5700-2>display traffic policy statistics interface GigabitEthernet 0/0/5 outbound verbose rule-base

Interface: GigabitEthernet0/0/5
Traffic policy outbound: icmp
Rule number: 4
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Classifier: icmp operator and
Behavior: icmp
Board : 0
rule 5 permit l2-protocol arp destination-mac ffff-ffff-ffff source-mac ecb1-d740-18a8 vlan-id 100
---------------------------------------------------------------------
Passed           |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
Dropped          |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------

After the ACL policy on Agile Controller was modified to delete the last rule, "No. 4: acl 10089 dest-ip 0.0.0.0 dest-ipmask 0 deny", PC1 could ping PC2, so the preliminary analysis pointed to the ACL policy as the cause.
The symptoms, test procedure and results were escalated for assistance. The cause: because of the processing mechanism, ARP packets cannot match the destination IP carried in the policy rules, so they never hit the permit rule for the destination subnet and instead hit the final deny rule, which drops them.

(2) To resolve the problem, ARP packets were permitted with the following configuration, after which the service worked:
[HTWB-GAPCOCC-SW-5700-2]traffic classifier icmp
[HTWB-GAPCOCC-SW-5700-2-classifier-icmp]display  this
#
traffic classifier icmp operator and
if-match l2-protocol arp
#
return
[HTWB-GAPCOCC-SW-5700-2-classifier-icmp]q
[HTWB-GAPCOCC-SW-5700-2]traffic behavior icmp
[HTWB-GAPCOCC-SW-5700-2-behavior-icmp]display  this
#
traffic behavior icmp
permit
#
return
[HTWB-GAPCOCC-SW-5700-2-trafficpolicy-icmp]display  this
#
traffic policy icmp match-order config
classifier icmp behavior icmp
#
return
[HTWB-GAPCOCC-SW-5700-2-GigabitEthernet0/0/1]display  this
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
traffic-policy icmp inbound
authentication dot1x
dot1x authentication-method eap
#
return
[HTWB-GAPCOCC-SW-5700-2-GigabitEthernet0/0/1]q
[HTWB-GAPCOCC-SW-5700-2]interface GigabitEthernet 0/0/5
[HTWB-GAPCOCC-SW-5700-2-GigabitEthernet0/0/5]display  this
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 100
traffic-policy icmp inbound
authentication dot1x
dot1x authentication-method eap   

Root Cause

Because of the chip's ACL processing mechanism, ARP packets cannot match the destination IP in the permit rules, so they hit the deny rule and are dropped by the switch.

Solution

Configure a policy that permits ARP packets on the terminal access ports to resolve the problem.
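To make the root cause and the fix concrete, here is an added Python model (not from the original case and not Huawei code) of first-match ACL evaluation over the five dynamic ACL rules shown in the display access-user output. It assumes, consistent with what the case observed, that a rule with dest-ipmask 0 compares no destination bits and therefore matches any frame, while rules with a longer mask need an IPv4 header to compare against; the packets, their field names and the rule labels are constructed.

```python
# Added example: simplified first-match ACL evaluation reproducing the case.
# Assumption: dest-ipmask 0 compares nothing (matches any frame, ARP included);
# any other mask needs an IPv4 header, which an ARP frame does not carry.
from ipaddress import ip_address, ip_network

# Dynamic ACL as delivered by Agile Controller, in the order the device listed it.
DYNAMIC_ACL = [
    ("acl 10001", "10.150.210.12/32", None, "permit"),
    ("acl 10002", "10.150.210.13/32", 443, "permit"),
    ("acl 10006", "10.150.210.14/32", 443, "permit"),
    ("acl 10051", "10.150.210.32/27", None, "permit"),
    ("acl 10089", "0.0.0.0/0", None, "deny"),
]

def match_rule(rule, pkt):
    """True if the destination-IP/port rule hits the constructed packet."""
    _, dst_net, dst_port, _ = rule
    net = ip_network(dst_net)
    if net.prefixlen == 0:
        # dest-ipmask 0: no destination bits are compared, so the rule
        # matches every frame, including ARP (the behaviour seen in the case).
        return dst_port is None or pkt.get("tcp_dport") == dst_port
    if pkt.get("ethertype") != "ipv4":
        return False  # ARP has no IP header: a destination-IP rule can never hit
    if ip_address(pkt["dst_ip"]) not in net:
        return False
    return dst_port is None or pkt.get("tcp_dport") == dst_port

def evaluate(pkt, acl=DYNAMIC_ACL, arp_permit_first=False):
    """First-match evaluation; returns (rule label, action)."""
    if arp_permit_first and pkt.get("ethertype") == "arp":
        # The fix: traffic classifier "if-match l2-protocol arp" -> permit,
        # applied inbound on the access port ahead of the dynamic ACL.
        return ("traffic-policy icmp", "permit")
    for rule in acl:
        if match_rule(rule, pkt):
            return (rule[0], rule[3])
    return ("implicit", "permit")  # no rule hit (e.g. after deleting No. 4)

# Constructed frames from PC1 (10.150.210.56) toward PC2 (10.150.210.59).
ARP_PC1_TO_PC2 = {"ethertype": "arp", "src_mac": "ecb1-d740-18a8",
                  "target_ip": "10.150.210.59"}
ICMP_PC1_TO_PC2 = {"ethertype": "ipv4", "src_ip": "10.150.210.56",
                   "dst_ip": "10.150.210.59", "proto": "icmp"}

if __name__ == "__main__":
    print("ICMP PC1->PC2      :", evaluate(ICMP_PC1_TO_PC2))
    print("ARP  PC1->PC2      :", evaluate(ARP_PC1_TO_PC2))
    print("ARP  with ARP permit:", evaluate(ARP_PC1_TO_PC2, arp_permit_first=True))
```

The ICMP echo itself is permitted by acl 10051 (10.150.210.32/27 covers both PCs); it is only the preceding ARP resolution that falls through to acl 10089, which is why PC1 never learns PC2's ARP entry.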
