Network Topology
AC bypass core, both local forwarding and centralized forwarding service templates exist
Problem Description
The operation and maintenance personnel at a university site check the AC current configuration every weekday. On a certain Monday, they suddenly discovered a new vlan 336 added to the AC and needed to find out why this vlan was added.
Process Analysis
1. Due to the weekend holiday, AC was not checked. First, inspect the configuration of AC from last Friday (saved via operation log) and found no VLAN 336, indicating this VLAN was newly added today.
2. On the AC, use the command: display history-command all. However, since many view commands were executed on the AC today, the earliest results only record up to a certain time on Sunday. Within the displayed time-range (TRANGE), no command related to vlan 336 was found configured on the AC. Therefore, it can only be concluded that no new configuration for vlan 336 was performed on the AC during this time-range (TRANGE). Whether such an operation was conducted from Sunday to Friday evening cannot be determined through the display history-command all query.
3. The operations team inquired several personnel with relevant accounts, all of whom stated they did not perform the operation of adding vlan 336 on AC. The operations team also checked the operation records of the past week and found no record of adding vlan 336.
4. The on-site AC has been connected to the Cloudnet platform (cloudnet.h3c.com). To check whether the configuration was delivered via Cloudnet, navigate to network management -> messages -> operation logs in Cloudnet. Currently, Cloudnets mechanism ensures that operation logs are generated regardless of whether configurations are manually delivered (front end or back end) or automatically by the platform. However, querying recent logs revealed no relevant operation records.
5. The on-site AC is managed by the log server, which can record the logbuffer on the AC for the past week. No operation records or command echoes related to the new vlan 336 were found. However, searching the log for vlan 336 revealed that on Saturday night, a terminal connected to the SSID eduroam service template passed 802.1x authentication and obtained a record of going online in vlan 336, but this terminal stayed for only about 1 min before going offline.
This eduroam is a service template of the university alliance. A shared account and password can be used to access the wireless network within the alliance universities. It was found that the current AC has indeed added this service template, and this service template uses 802.1x authentication. Therefore, it is possible that the terminal connected to this service template and obtained the assigned VLAN 336 authorization from the secondary server, resulting in the automatic creation of VLAN 336 on the AC.
The AC indeed has such mechanisms: ① In local forwarding mode, if the VLAN assigned by the server to the terminal after authentication does not previously exist on the AP, the AP will automatically create this VLAN, while the AC will not; ② In centralized forwarding mode, if the VLAN assigned by the server to the terminal after authentication does not previously exist on the AC, the AC will automatically create this VLAN, while the AP will not.
However, upon reviewing the current configuration of the eduroam site, it was found to be local forwarding. According to the aforementioned mechanism, VLAN 336 should be created on the AP instead of the AC.
However, note that this configuration is client forwarding-location ap vlan 113. The uniqueness of this setup lies in the fact that when a terminal connects to this service template and obtains VLAN 113, it uses local forwarding; if it obtains any other VLAN, centralized forwarding will be applied!
This terminal obtained authorization for VLAN 336 through the server (the precedence of authorized VLAN is higher than that specified by the service template or the VLAN specified when binding the service template to the AP radio). Therefore, after this terminal passed dot1x authentication and obtained authorization for VLAN 336, centralized forwarding was used. According to the aforementioned mechanism, the AC automatically created VLAN 336, which did not exist before.
#
wlan service-template wifi_union
ssid eduroam
client forwarding-location ap vlan 113
akm mode dot1x
cipher-suite ccmp
security-ie rsn
client-security authentication-mode dot1x
dot1x domain eduroam
service-template enable
#
Solution
Explain the reason.