Basic topology
Fault symptom during testing
interface Vlan-interface12
description IT
ip address 10.249.2.1 255.255.255.0
packet-filter 3000 inbound
dhcp select relay
dhcp relay server-address 10.249.1.47
portal enable method direct
portal bas-ip 10.249.2.1
portal apply web-server myportal fail-permit
#
radius session-control enable
#
radius scheme imc
primary authentication 10.249.125.48
primary accounting 10.249.125.48
key authentication cipher $c$3$bJCEm0nlHcBxUcz4b1DQjdbxX37FjQY=
key accounting cipher $c$3$oQwuXCtskHZJgnJ87YO4RVuILWL35UQ=
nas-ip 10.249.127.3
#
domain tportal
authorization-attribute idle-cut 30 10240000
authentication portal radius-scheme imc
authorization portal radius-scheme imc
accounting portal radius-scheme imc
#
portal free-rule 10 source ip any destination ip 10.249.1.59 255.255.255.255
portal free-rule 20 source mac 10e7-c62b-1e85
portal free-rule 21 source mac 907e-ba50-e3b7
portal free-rule 22 source mac 907e-ba50-e402
portal free-rule 23 source mac 5803-fb96-1062
portal free-rule 24 source mac 5803-fb96-1082
portal free-rule 25 source mac 5803-fb96-107e
portal free-rule 26 source mac 5803-fb96-1241
portal free-rule 27 source mac 5803-fb96-12dc
portal free-rule 28 source mac bcad-28dc-2557
portal free-rule 29 source mac 00e3-4f68-0ce7
portal free-rule 30 source mac 7af6-7aa7-b968
portal free-rule 31 source mac 0017-61c7-8ca1
portal free-rule 32 source mac 0017-61c7-0eea
portal free-rule 33 source mac d8ca-e5d2-cad2
portal free-rule 34 source mac d811-1130-1130
portal free-rule 35 source mac d8f6-e5d2-f6d2
portal free-rule 36 source mac f80d-acd4-fc5d
portal free-rule 37 source mac 9883-e5d2-83d2
portal free-rule 38 source mac 982b-1130-2b30
portal free-rule 39 source mac c465-16e0-a51a
portal free-rule 40 source mac d857-e5d2-57d2
portal free-rule 41 source mac d4ea-0e8e-65f2
portal free-rule 42 source mac 5820-b1f3-768e
portal free-rule 43 source mac 0017-6110-b140
portal free-rule 44 source mac d8b9-1130-b930
portal free-rule 45 source mac 74d4-35de-a5b4
portal free-rule 46 source mac 00e0-4f68-9417
portal free-rule 47 source mac 0017-6110-cb44
portal free-rule 48 source mac 0017-6111-f05b
portal free-rule 49 source mac 00e1-4f68-0339
portal free-rule 50 source mac 00e0-6f68-08ea
portal free-rule 51 source mac 1868-cb10-a3d8
portal free-rule 52 source mac 8ce7-4848-492c
portal free-rule 53 source mac ccf9-54aa-9145
portal free-rule 54 source mac 0017-6110-7d43
portal free-rule 55 source mac f439-09b9-627d
portal free-rule 56 source mac dcbd-7a10-a41d
portal free-rule 57 source mac 702e-d96f-4ed7
portal free-rule 58 source ip 10.249.2.3 255.255.255.255
#
portal web-server myportal
url http://10.249.125.48:8080/portal
#
portal server myportal
ip 10.249.125.48 key cipher $c$3$RvNH7Ge8b5P5znrUWUbqr4myelAAZw==
server-detect timeout 40 log
#
portal mac-trigger-server mtsp
ip 10.249.125.48
#
http-redirect https-port 8888
#
There is nothing wrong with the basic portal configuration: the portal free rules do not open the peer business subnet of the leased line, and none of the source-MAC free rules cover the MAC address of the test terminal.
Checking the configuration again showed that the gateway interface has not only portal authentication but also a packet filter applied:
interface Vlan-interface12
description IT
ip address 10.249.2.1 255.255.255.0
packet-filter 3000 inbound
dhcp select relay
dhcp relay server-address 10.249.1.47
portal enable method direct
portal bas-ip 10.249.2.1
portal apply web-server myportal fail-permit
Looking at the ACL bound to that packet filter, the last rule is a permit-all:
acl advanced 3000
.....
rule 882 permit ip source 10.249.2.0 0.0.0.15 destination 10.249.177.3 0
rule 900 deny ip destination 10.249.0.0 0.0.255.255
rule 1000 permit ip
Check the device's default priorities for the underlying ACL types:
[H3C-probe]debug qacl show acl-prioinfo slot 1
--------------------------Qacl Type Priority Info---------------------------
32 Portal Free FALSE 4 12
33 Portal User FALSE 4 11
34 Portal Redirect FALSE 4 9
35 Portal Deny FALSE 4 8
68 Portal User ACL FALSE 4 10
....
94 PktFilter Eth_Mac on PORT FALSE 8 28
95 PktFilter IP on PORT FALSE 8 27
96 PktFilter IP on VRF FALSE 8 6
97 PktFilter Eth_Mac on VRF FALSE 8 7
98 PktFilter IP on VSIPORT FALSE 8 39
99 PktFilter Eth_Mac on VSIPORT FALSE 8 40
100 PktFilter VSI DEFAULT MAC FALSE 8 35
101 PktFilter VRF DEFAULT MAC FALSE 8 1
102 PktFilter PORT DEFAULT MAC FALSE 8 22
So the major priority of the ordinary QACL packet filter (8) is higher than that of portal (4); a packet is therefore expected to match the packet filter first, and the portal ACLs never get a chance to match and block the traffic.
View the detailed QACL entries in the device's hidden (probe) view:
debug qacl show 1 0 verbose 0
debug qacl show 1 0 verbose 20
debug qacl show 1 0 verbose 40
debug qacl show 1 0 verbose 60
(step the offset by 20 each time and keep collecting until the command prints nothing)
========
Acl-Type PktFilter IPV4 on VRF, Stage IFP, Group 3[3], EntryID 1944, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 517, Prio_Sub 52,Slice 2,SliceIdx 34
ACL GroupNo : 3000, RuleID : 1000
Rule Match --------
Ports: 0x03ffffffc, 0x03fffffff
Lookup: STP forwarding, L2 dst L3 bit, 0x118, 0x118
Outer Vlan: 0x136, 0xfff
IP Type: Any IPv4 packet
Actions --------
Permit
========
========
Acl-Type Portal 2, Stage IFP, Group 3[3], EntryID 639, Inactive
Health 1, PoolFree 0, PoolID 1, Prio_Mjr 517, Prio_Sub 38,Slice 2,SliceIdx 35
Rule Match --------
Ports: 0x003fffffc, 0x03fffffff
Source mac: 0000-0000-0000, 0000-0000-0000
Outer Vlan: 0x6e, 0xfff
Source IP: 21.32.0.0, 255.255.0.0
IP Type: Any IPv4 packet
SRC TRUNK : Don't care( 0 0)
Actions --------
Redirect do NOT
Copy_to_cpu : No
Permit
Remark DSCP 0
Red Permit
Yel Permit
========
From the collected output, the packet-filter entry and the portal entry are installed in the same slice with the same major priority (Prio_Mjr 517); the packet filter's sub-priority is 52, higher than the portal entry's 38, so every IPv4 packet hits the higher-priority packet-filter entry and is permitted outright. The portal entries that should handle the gateway-bound traffic therefore never take effect, and the gateway is unreachable.
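The comparison above can be automated over the whole set of `verbose` pages rather than done by eye. The script below is an added example and not part of the original post or any H3C tool: it parses the entry blocks printed by `debug qacl show <slot> <chip> verbose <offset>`, orders entries in each slice by (Prio_Mjr, Prio_Sub), and reports an active catch-all PktFilter permit entry that outranks a Portal entry on the same VLAN. The "higher number wins" rule is taken from the post's own data (Portal Free 12 above Portal Deny 8 in the priority table, Prio_Sub 52 beating 38 here); the sample dump is constructed from the two entries in the post, with the portal entry moved to the same VLAN and marked Active so that the two actually compete for one packet.

```python
"""Added example, not from the original post: parse the entries printed by
`debug qacl show <slot> <chip> verbose <offset>`, rank them by (Prio_Mjr, Prio_Sub)
and flag a packet-filter permit entry that shadows portal entries in the same slice.
SAMPLE_DUMP is constructed from the post's two entries (portal entry put on the same
VLAN and marked Active)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_DUMP = """\
========
Acl-Type PktFilter IPV4 on VRF, Stage IFP, Group 3[3], EntryID 1944, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 517, Prio_Sub 52,Slice 2,SliceIdx 34
Rule Match --------
Outer Vlan: 0x136, 0xfff
IP Type: Any IPv4 packet
Actions --------
Permit
========
========
Acl-Type Portal 2, Stage IFP, Group 3[3], EntryID 639, Active
Health 1, PoolFree 0, PoolID 1, Prio_Mjr 517, Prio_Sub 38,Slice 2,SliceIdx 35
Rule Match --------
Source mac: 0000-0000-0000, 0000-0000-0000
Outer Vlan: 0x136, 0xfff
Source IP: 21.32.0.0, 255.255.0.0
IP Type: Any IPv4 packet
Actions --------
Permit
========
"""

HEADER_RE = re.compile(r"^Acl-Type (?P<type>.+?), Stage \S+, Group \S+, EntryID (?P<eid>\d+), (?P<state>\w+)$")
PRIO_RE = re.compile(r"Prio_Mjr (?P<mjr>\d+), Prio_Sub (?P<sub>\d+),\s*Slice (?P<slice>\d+)")
VLAN_RE = re.compile(r"^Outer Vlan: (?P<vlan>0x[0-9a-f]+), (?P<mask>0x[0-9a-f]+)$", re.I)
CONSTRAINTS = ("Source IP", "Dest IP", "Source mac", "Dest mac")  # fields that narrow a match


@dataclass
class QaclEntry:
    acl_type: str
    entry_id: int
    active: bool
    prio_mjr: int
    prio_sub: int
    slice_no: int
    vlan: Optional[int]   # Outer Vlan value; None when no VLAN key is present
    lines: List[str]      # the raw lines of the entry (match fields and actions)

    def rank(self) -> Tuple[int, int]:
        # Higher (Prio_Mjr, Prio_Sub) wins: in the post, Prio_Sub 52 beat 38 at equal Prio_Mjr
        return (self.prio_mjr, self.prio_sub)


def is_catch_all(e: QaclEntry) -> bool:
    """True when the entry keys on nothing narrower than 'any IPv4 packet' on its VLAN/ports."""
    def wildcard(line: str) -> bool:  # an all-zero mask such as 0000-0000-0000 is don't-care
        return all(c in "0-.x" for c in line.split(",")[-1].strip())
    any_ipv4 = any(l.startswith("IP Type: Any IPv4") for l in e.lines)
    return any_ipv4 and not any(l.startswith(CONSTRAINTS) and not wildcard(l) for l in e.lines)


def _parse_block(lines: List[str]) -> QaclEntry:
    hdr = next((m for m in map(HEADER_RE.match, lines) if m), None)
    prio = next((m for m in map(PRIO_RE.search, lines) if m), None)
    if hdr is None or prio is None:
        raise ValueError("unrecognised QACL entry: " + " | ".join(lines))
    vlan = next((int(m["vlan"], 16) for m in map(VLAN_RE.match, lines) if m and int(m["mask"], 16)), None)
    return QaclEntry(hdr["type"], int(hdr["eid"]), hdr["state"] == "Active",
                     int(prio["mjr"]), int(prio["sub"]), int(prio["slice"]), vlan, lines)


def parse_qacl_dump(text: str) -> List[QaclEntry]:
    """Parse one page or several concatenated `verbose <offset>` pages (entries sit between ======== lines)."""
    entries: List[QaclEntry] = []
    block: List[str] = []
    for line in (l.strip() for l in text.splitlines()):
        if line == "========":
            if block:
                entries.append(_parse_block(block))
            block = []
        elif line:
            block.append(line)
    if block:
        entries.append(_parse_block(block))
    return entries


def find_shadowing(entries: List[QaclEntry]) -> List[Tuple[QaclEntry, QaclEntry]]:
    """(winner, loser) pairs: an active catch-all PktFilter permit outranking a Portal
    entry in the same slice and VLAN, so the portal entry never sees that traffic."""
    by_slice: dict = {}
    for e in entries:
        by_slice.setdefault(e.slice_no, []).append(e)
    found = []
    for group in by_slice.values():
        group.sort(key=QaclEntry.rank, reverse=True)
        for i, hi in enumerate(group):
            if not (hi.active and hi.acl_type.startswith("PktFilter")
                    and "Permit" in hi.lines and is_catch_all(hi)):
                continue
            for lo in group[i + 1:]:
                if (lo.acl_type.startswith("Portal") and lo.rank() < hi.rank()
                        and (None in (hi.vlan, lo.vlan) or hi.vlan == lo.vlan)):
                    found.append((hi, lo))
    return found
```

Paste the concatenated output of the `verbose 0`, `verbose 20`, `verbose 40`, ... pages into `parse_qacl_dump` and print `find_shadowing`; for the post's case it reports PktFilter EntryID 1944 (517, 52) shadowing Portal EntryID 639 (517, 38). Entries with exactly equal (Prio_Mjr, Prio_Sub) are deliberately not reported, since the order among equals is decided by the hardware and is not visible in this dump (an assumption, not something the post states).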
After deleting the packet filter, the portal service returned to normal.
The packet filter should be applied on the uplink interface, not enabled on the same interface as portal; otherwise traffic matches the packet filter first and portal does not work properly.