I have analyzed the symptom described in the customer's email and concluded that the problem is caused by an incorrect ACL configuration. As the customer describes it, the subscribers do not access external resources, but the traffic statistics on the RADIUS server show that they are billed for large volumes of external traffic. The following is the process of locating the problem:
The ACL for the external network is:
acl number 6001
description === Internet ===
rule 5 permit ip source any
rule 10 permit ip destination any
The ACL for the internal network (tariff level 8) is:
acl number 6011
description === Local_Network===
rule 5 deny ip source user-group 1-group destination ip-address 188.8.131.52 0
rule 10 deny ip source user-group 1-group destination ip-address 184.108.40.206 0
rule 15 deny ip source ip-address 220.127.116.11 0 destination user-group 1-group
rule 20 deny ip source ip-address 18.104.22.168 0 destination user-group 1-group
rule 25 permit ip source user-group 1-group destination ip-address 22.214.171.124 0.0.31.255
rule 35 permit ip source user-group 1-group destination ip-address 126.96.36.199 0.0.31.255
rule 45 permit ip source user-group 1-group destination ip-address 188.8.131.52 0.0.31.255
rule 55 permit ip source user-group 1-group destination ip-address 184.108.40.206 0.0.127.255
rule 70 permit ip source ip-address 220.127.116.11 0.0.31.255 destination user-group 1-group
rule 75 permit ip source ip-address 18.104.22.168 0.0.31.255 destination user-group 1-group
rule 80 permit ip source ip-address 22.214.171.124 0.0.31.255 destination user-group 1-group
rule 85 permit ip source ip-address 126.96.36.199 0.0.127.255 destination user-group 1-group
rule 90 permit ip source user-group 1-group destination ip-address 188.8.131.52 0.0.127.255
rule 95 permit ip source ip-address 184.108.40.206 0.0.127.255 destination user-group 1-group
After looking through the configuration file, I found the problem. If users in user-group 1-group access each other, which ACL is matched: acl 6001 or acl 6011?
When users in the same user-group access each other, the ME60 looks up the user-group that each user belongs to and then matches the source and destination against the ACL rules.
For traffic from a user to the network, the source is a user-group and the destination is an IP address. For traffic from the network to a user, the source is an IP address and the destination is a user-group.
If user A accesses user B, whose IP address is 220.127.116.11, and a rule is configured as follows:
rule 5 permit ip source user-group group destination ip 18.104.22.168
Does the traffic match this rule?
The answer is definitely no: the ME60 does not apply this rule, even though the IP address of user B is 22.214.171.124. When users access each other, the ME60 searches only for rules whose source and destination are both user-groups.
How about the following rule?
rule 5 permit ip source any
This rule does apply to the user-group, because the any keyword matches any source. Now that the ACL matching rule for traffic between users is known, the cause of the problem is easy to locate: every rule in acl 6011 pairs a user-group with an IP address, so traffic between users in 1-group matches nothing there and is instead matched by rule 5 of acl 6001, the Internet ACL.