UNP users losing connections

Post by Cristek »

Hello everyone.
I'm experiencing an issue on a 2360 that I haven't seen before (but I'm still fairly new to ALE gear) and since I'm not getting anywhere with this maybe you guys can help. The issue I'm experiencing is that users connected to UNP ports sometimes lose connectivity, and some other times the user doesn't populate in the 'sh unp user' table at all.
When I disable UNP and manually move the devices to the correct vlan then I have no issues at all.
Below is my config. Does anyone have any suggestions that might help?

Code:

something-> 
something-> 
something-> wr t
! Chassis:
system name "something"

! Configuration:
configuration error-file-limit 2

! Capability Manager:
! Virtual Flow Control:
! Interface:
interfaces port 1/1/47 alias "meraki-lan4"
interfaces port 2/1/47 alias "meraki-lan5"
interfaces port 1/1/49 admin-state disable
interfaces port 1/1/50 admin-state disable
interfaces port 2/1/49 admin-state disable
interfaces port 2/1/50 admin-state disable

! Port_Manager: 
violation recovery-maximum infinite
violation recovery-time 600

! Link Aggregate:
linkagg lacp agg 51 size 2 admin-state enable 
linkagg lacp agg 51 name "to-cabA-25/26"
linkagg lacp agg 51 actor admin-key 51
linkagg lacp agg 52 size 2 admin-state enable 
linkagg lacp agg 52 name "to-cabB-25/26"
linkagg lacp agg 52 actor admin-key 52
linkagg lacp port 1/1/51 actor admin-key 51
linkagg lacp port 2/1/51 actor admin-key 51
linkagg lacp port 1/1/52 actor admin-key 52
linkagg lacp port 2/1/52 actor admin-key 52

! VLAN:
vlan 1 admin-state enable
vlan 10 admin-state enable
vlan 10 name "scanners"
vlan 20 admin-state enable
vlan 20 name "admin"
vlan 30 admin-state enable
vlan 30 name "printers"
vlan 40 admin-state enable
vlan 40 name "-reserved-"
vlan 50 admin-state enable
vlan 50 name "guest"
vlan 20 members port 1/1/1-40 untagged
vlan 20 members port 2/1/1-40 untagged
vlan 10 members port 1/1/41-48 tagged
vlan 10 members port 2/1/41-48 tagged
vlan 10 members linkagg 51-52 tagged
vlan 20 members port 1/1/41-48 tagged
vlan 20 members port 2/1/41-48 tagged
vlan 20 members linkagg 51-52 tagged
vlan 30 members port 1/1/41-48 tagged
vlan 30 members port 2/1/41-48 tagged
vlan 30 members linkagg 51-52 tagged
vlan 40 members port 1/1/41-48 tagged
vlan 40 members port 2/1/41-48 tagged
vlan 40 members linkagg 51-52 tagged
vlan 50 members port 1/1/41-48 tagged
vlan 50 members port 2/1/41-48 tagged
vlan 50 members linkagg 51-52 tagged

! Spanning Tree:
spantree mode flat 
spantree cist priority 4096 
spantree vlan 1 admin-state enable 
spantree vlan 10 admin-state enable 
spantree vlan 20 admin-state enable 
spantree vlan 30 admin-state enable 
spantree vlan 40 admin-state enable 
spantree vlan 50 admin-state enable 
spantree cist port 1/1/1 root-guard enable 
spantree cist port 1/1/2 root-guard enable 
spantree cist port 1/1/3 root-guard enable 
spantree cist port 1/1/4 root-guard enable 
spantree cist port 1/1/5 root-guard enable 
spantree cist port 1/1/6 root-guard enable 
spantree cist port 1/1/7 root-guard enable 
spantree cist port 1/1/8 root-guard enable 
spantree cist port 1/1/9 root-guard enable 
spantree cist port 1/1/10 root-guard enable 
spantree cist port 1/1/11 root-guard enable 
spantree cist port 1/1/12 root-guard enable 
spantree cist port 1/1/13 root-guard enable 
spantree cist port 1/1/14 root-guard enable 
spantree cist port 1/1/15 root-guard enable 
spantree cist port 1/1/16 root-guard enable 
spantree cist port 1/1/17 root-guard enable 
spantree cist port 1/1/18 root-guard enable 
spantree cist port 1/1/19 root-guard enable 
spantree cist port 1/1/20 root-guard enable 
spantree cist port 1/1/21 root-guard enable 
spantree cist port 1/1/22 root-guard enable 
spantree cist port 1/1/23 root-guard enable 
spantree cist port 1/1/24 root-guard enable 
spantree cist port 1/1/25 root-guard enable 
spantree cist port 1/1/26 root-guard enable 
spantree cist port 1/1/27 root-guard enable 
spantree cist port 1/1/28 root-guard enable 
spantree cist port 1/1/29 root-guard enable 
spantree cist port 1/1/30 root-guard enable 
spantree cist port 1/1/31 root-guard enable 
spantree cist port 1/1/32 root-guard enable 
spantree cist port 1/1/33 root-guard enable 
spantree cist port 1/1/34 root-guard enable 
spantree cist port 1/1/35 root-guard enable 
spantree cist port 1/1/36 root-guard enable 
spantree cist port 1/1/37 root-guard enable 
spantree cist port 1/1/38 root-guard enable 
spantree cist port 1/1/39 root-guard enable 
spantree cist port 1/1/40 root-guard enable 
spantree cist port 1/1/41 root-guard enable 
spantree cist port 1/1/42 root-guard enable 
spantree cist port 1/1/43 root-guard enable 
spantree cist port 1/1/44 root-guard enable 
spantree cist port 1/1/45 root-guard enable 
spantree cist port 1/1/47 root-guard enable 
spantree cist port 1/1/47 restricted-tcn enable 
spantree cist port 2/1/1 root-guard enable 
spantree cist port 2/1/2 root-guard enable 
spantree cist port 2/1/3 root-guard enable 
spantree cist port 2/1/4 root-guard enable 
spantree cist port 2/1/5 root-guard enable 
spantree cist port 2/1/6 root-guard enable 
spantree cist port 2/1/7 root-guard enable 
spantree cist port 2/1/8 root-guard enable 
spantree cist port 2/1/9 root-guard enable 
spantree cist port 2/1/10 root-guard enable 
spantree cist port 2/1/11 root-guard enable 
spantree cist port 2/1/12 root-guard enable 
spantree cist port 2/1/13 root-guard enable 
spantree cist port 2/1/14 root-guard enable 
spantree cist port 2/1/15 root-guard enable 
spantree cist port 2/1/16 root-guard enable 
spantree cist port 2/1/17 root-guard enable 
spantree cist port 2/1/18 root-guard enable 
spantree cist port 2/1/19 root-guard enable 
spantree cist port 2/1/20 root-guard enable 
spantree cist port 2/1/21 root-guard enable 
spantree cist port 2/1/22 root-guard enable 
spantree cist port 2/1/23 root-guard enable 
spantree cist port 2/1/24 root-guard enable 
spantree cist port 2/1/25 root-guard enable 
spantree cist port 2/1/26 root-guard enable 
spantree cist port 2/1/27 root-guard enable 
spantree cist port 2/1/28 root-guard enable 
spantree cist port 2/1/29 root-guard enable 
spantree cist port 2/1/30 root-guard enable 
spantree cist port 2/1/31 root-guard enable 
spantree cist port 2/1/32 root-guard enable 
spantree cist port 2/1/33 root-guard enable 
spantree cist port 2/1/34 root-guard enable 
spantree cist port 2/1/35 root-guard enable 
spantree cist port 2/1/36 root-guard enable 
spantree cist port 2/1/37 root-guard enable 
spantree cist port 2/1/38 root-guard enable 
spantree cist port 2/1/39 root-guard enable 
spantree cist port 2/1/40 root-guard enable 
spantree cist port 2/1/41 root-guard enable 
spantree cist port 2/1/42 root-guard enable 
spantree cist port 2/1/43 root-guard enable 
spantree cist port 2/1/44 root-guard enable 
spantree cist port 2/1/45 root-guard enable 
spantree cist port 2/1/47 root-guard enable 
spantree cist port 2/1/47 restricted-tcn enable 

! DA-UNP:
unp profile "admin" 
unp profile "printers" 
unp profile "scanners" 
unp profile "admin" map vlan 20 
unp profile "printers" map vlan 30 
unp profile "scanners" map vlan 10 
unp port-template "auto-vlan" direction both default-profile "admin" classification ap-mode admin-state enable
unp port 1/1/1-40 port-type bridge
unp port 1/1/1-40 port-template "auto-vlan"
unp port 2/1/1-40 port-type bridge
unp port 2/1/1-40 port-template "auto-vlan"
unp classification ip-address 10.0.10.0 mask 255.255.255.0 profile1 "scanners"
unp classification ip-address 10.0.30.0 mask 255.255.255.0 profile1 "printers"
unp classification lldp med-endpoint ip-phone  profile1 "admin" 

! Bridging:
! Port Mirroring:
! Port Mapping:
! IP:
ip service ftp admin-state disable
ip service telnet admin-state disable
ip interface "management" address 192.168.17.231 mask 255.255.255.0 vlan 1 ifindex 1

! IPv6:
! IPMS:
ip multicast admin-state enable
ip multicast version 3
ip multicast querier-forwarding enable

! AAA:
aaa authentication default "local" 
aaa authentication console "local" 
aaa authentication http "local" 

user password-policy min-nonalpha 0

! NTP:
ntp server clock0.ovcirrus.com
ntp server clock1.ovcirrus.com
ntp server clock2.ovcirrus.com
ntp server clock3.ovcirrus.com
ntp server pool.ntp.org
ntp client admin-state enable

! QOS:
qos user-port shutdown bpdu dhcp-server
policy network group "legit lan" 10.0.0.0 mask 255.255.192.0 192.168.17.0 mask 255.255.255.0
policy network group "rogue lan" 0.0.0.0 mask 0.0.0.0
policy port group "UserPorts" 1/1/1-45  2/1/1-45 
policy condition "legit lan" source port group "UserPorts" source network group "legit lan"
policy condition "rogue lan" source port group "UserPorts" source network group "rogue lan"
policy action "allow" 
policy action "deny" disposition deny 
policy rule "accept lan" precedence 65000 condition "legit lan" action "allow" 
policy rule "deny rogue" precedence 64000 condition "rogue lan" action "deny" 
qos apply

! Policy Manager:
! ERP:
! MVRP:
! LLDP:
lldp nearest-bridge chassis tlv management port-description enable system-name enable system-description enable
lldp nearest-bridge chassis tlv management management-address enable
lldp nearest-bridge chassis tlv dot1 vlan-name enable port-vlan enable
lldp nearest-bridge chassis tlv dot3 mac-phy enable power-via-mdi enable power-via-mdi-measurements enable
lldp nearest-bridge chassis tlv med capability enable ext-power-via-mdi enable network-policy enable
lldp nearest-bridge chassis tlv application enable
lldp nearest-bridge chassis tlv proprietary enable
lldp nearest-bridge port 1/1/1-45 lldpdu rx
lldp nearest-bridge port 1/1/47 lldpdu rx
lldp nearest-bridge port 2/1/1-45 lldpdu rx
lldp nearest-bridge port 2/1/47 lldpdu rx

! UDLD:
udld enable
udld port 1/1/49 enable
udld port 1/1/49 mode aggressive
udld port 1/1/50 enable
udld port 1/1/50 mode aggressive
udld port 1/1/51 enable
udld port 1/1/51 mode aggressive
udld port 1/1/52 enable
udld port 1/1/52 mode aggressive
udld port 2/1/49 enable
udld port 2/1/49 mode aggressive
udld port 2/1/50 enable
udld port 2/1/50 mode aggressive
udld port 2/1/51 enable
udld port 2/1/51 mode aggressive
udld port 2/1/52 enable
udld port 2/1/52 mode aggressive

! Session Manager:
session cli timeout 15
session ftp timeout 15
session http timeout 15
session prompt default "something->"
session login-timeout 50
session login-attempt 5

! Web:
! Trap Manager:
! Health Monitor:
! System Service:
swlog output tty enable
swlog appid AGCMM subapp 1 level event
ip name-server 8.8.8.8 4.2.2.2
ip domain-lookup
system timezone BST

! SNMP:
! IP Route Manager:
ip static-route 0.0.0.0/0 gateway 192.168.17.254 metric 1 

! VRRP:
! RIP:
! OSPF:
! RIPng:
! OSPF3:
! LAN Power:
lanpower slot 1/1 fpoe disable
lanpower slot 1/1 ppoe disable
lanpower slot 1/1 class-detection enable
lanpower slot 2/1 fpoe disable
lanpower slot 2/1 ppoe disable
lanpower slot 2/1 class-detection enable

! DHCPv6 Relay:
! DHCPv6 Snooping:
! Virtual Chassis Split Protection:
! DHCP Snooping:
dhcp-snooping admin-state enable
dhcp-snooping binding admin-state enable
dhcp-snooping port 1/1/46-48 trust
dhcp-snooping port 2/1/46-48 trust
dhcp-snooping linkagg 51-52 trust

! DHCP Server:
! Loopback Detection:
loopback-detection enable
loopback-detection transmission-timer 10
loopback-detection autorecovery-timer 600
loopback-detection port 1/1/1 enable
loopback-detection port 1/1/2 enable
loopback-detection port 1/1/3 enable
loopback-detection port 1/1/4 enable
loopback-detection port 1/1/5 enable
loopback-detection port 1/1/6 enable
loopback-detection port 1/1/7 enable
loopback-detection port 1/1/8 enable
loopback-detection port 1/1/9 enable
loopback-detection port 1/1/10 enable
loopback-detection port 1/1/11 enable
loopback-detection port 1/1/12 enable
loopback-detection port 1/1/13 enable
loopback-detection port 1/1/14 enable
loopback-detection port 1/1/15 enable
loopback-detection port 1/1/16 enable
loopback-detection port 1/1/17 enable
loopback-detection port 1/1/18 enable
loopback-detection port 1/1/19 enable
loopback-detection port 1/1/20 enable
loopback-detection port 1/1/21 enable
loopback-detection port 1/1/22 enable
loopback-detection port 1/1/23 enable
loopback-detection port 1/1/24 enable
loopback-detection port 1/1/25 enable
loopback-detection port 1/1/26 enable
loopback-detection port 1/1/27 enable
loopback-detection port 1/1/28 enable
loopback-detection port 1/1/29 enable
loopback-detection port 1/1/30 enable
loopback-detection port 1/1/31 enable
loopback-detection port 1/1/32 enable
loopback-detection port 1/1/33 enable
loopback-detection port 1/1/34 enable
loopback-detection port 1/1/35 enable
loopback-detection port 1/1/36 enable
loopback-detection port 1/1/37 enable
loopback-detection port 1/1/38 enable
loopback-detection port 1/1/39 enable
loopback-detection port 1/1/40 enable
loopback-detection port 1/1/41 enable
loopback-detection port 1/1/42 enable
loopback-detection port 1/1/43 enable
loopback-detection port 1/1/44 enable
loopback-detection port 1/1/45 enable
loopback-detection port 2/1/1 enable
loopback-detection port 2/1/2 enable
loopback-detection port 2/1/3 enable
loopback-detection port 2/1/4 enable
loopback-detection port 2/1/5 enable
loopback-detection port 2/1/6 enable
loopback-detection port 2/1/7 enable
loopback-detection port 2/1/8 enable
loopback-detection port 2/1/9 enable
loopback-detection port 2/1/10 enable
loopback-detection port 2/1/11 enable
loopback-detection port 2/1/12 enable
loopback-detection port 2/1/13 enable
loopback-detection port 2/1/14 enable
loopback-detection port 2/1/15 enable
loopback-detection port 2/1/16 enable
loopback-detection port 2/1/17 enable
loopback-detection port 2/1/18 enable
loopback-detection port 2/1/19 enable
loopback-detection port 2/1/20 enable
loopback-detection port 2/1/21 enable
loopback-detection port 2/1/22 enable
loopback-detection port 2/1/23 enable
loopback-detection port 2/1/24 enable
loopback-detection port 2/1/25 enable
loopback-detection port 2/1/26 enable
loopback-detection port 2/1/27 enable
loopback-detection port 2/1/28 enable
loopback-detection port 2/1/29 enable
loopback-detection port 2/1/30 enable
loopback-detection port 2/1/31 enable
loopback-detection port 2/1/32 enable
loopback-detection port 2/1/33 enable
loopback-detection port 2/1/34 enable
loopback-detection port 2/1/35 enable
loopback-detection port 2/1/36 enable
loopback-detection port 2/1/37 enable
loopback-detection port 2/1/38 enable
loopback-detection port 2/1/39 enable
loopback-detection port 2/1/40 enable
loopback-detection port 2/1/41 enable
loopback-detection port 2/1/42 enable
loopback-detection port 2/1/43 enable
loopback-detection port 2/1/44 enable
loopback-detection port 2/1/45 enable

! OVC:
! IP DHCP RELAY:
! LOOPBACK TEST:
! MGMT AGENT:

something-> 
something-> 
something-> 
Any ideas of what might be causing this issue? Switch is fully updated to the latest version.

Post by silvio »

First of all: this is a very nice configuration (maybe too much for this cheap switch).
But I think you have a problem with silent devices (because of your unp-profile names printers and scanners I assume this).
Printers, for example, don't send out any packets, so the switch forgets their MAC and IP addresses. That's why the classification does not work anymore and the devices are in your default-profile "admin" with the wrong vlan.

With both of these lines you can allow outgoing traffic to these devices, so that the unp-port can learn the profile correctly with the next incoming packet.
> unp port-template "auto-vlan" vlan 30
> unp port-template "auto-vlan" vlan 10

Try it. I hope this is possible on the 2x60 series.
BR Silvio
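
The condition described in this reply can be checked offline against a `write terminal` dump. The following is an added example, not part of the original posts and not ALE tooling: it lists IP-classified profiles whose VLAN is not statically assigned to the UNP port template. The function name is hypothetical, the sample is a constructed excerpt of the posted config, and only the command forms quoted in this thread are parsed.

```python
import re

# Constructed excerpt of the configuration posted in this thread.
SAMPLE_CONFIG = '''\
unp profile "admin" map vlan 20
unp profile "printers" map vlan 30
unp profile "scanners" map vlan 10
unp port-template "auto-vlan" direction both default-profile "admin" classification ap-mode admin-state enable
unp port 1/1/1-40 port-template "auto-vlan"
unp classification ip-address 10.0.10.0 mask 255.255.255.0 profile1 "scanners"
unp classification ip-address 10.0.30.0 mask 255.255.255.0 profile1 "printers"
unp classification lldp med-endpoint ip-phone  profile1 "admin"
'''

PROFILE_RE = re.compile(r'^unp profile "([^"]+)" map vlan (\d+)')
TEMPLATE_RE = re.compile(r'^unp port-template "([^"]+)" (.*)$')
IPRULE_RE = re.compile(r'^unp classification ip-address (\S+) mask (\S+) profile1 "([^"]+)"')

def audit_silent_device_vlans(config_text):
    """Return one finding per IP-classified VLAN that a template does not carry statically."""
    profile_vlan, templates, ip_rules = {}, {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PROFILE_RE.match(line):
            profile_vlan[m.group(1)] = int(m.group(2))
        elif m := TEMPLATE_RE.match(line):
            t = templates.setdefault(m.group(1), {"default": None, "vlans": set()})
            rest = m.group(2)
            if d := re.search(r'default-profile "([^"]+)"', rest):
                t["default"] = d.group(1)
            # Assumption: only the single-VLAN form suggested in the thread,
            # 'unp port-template "<name>" vlan <id>', is recognised here.
            if v := re.match(r'vlan (\d+)\s*$', rest):
                t["vlans"].add(int(v.group(1)))
        elif m := IPRULE_RE.match(line):
            ip_rules.append((m.group(1), m.group(2), m.group(3)))
    findings = []
    for name, t in sorted(templates.items()):
        # VLAN a device lands in when no classification rule has matched yet
        fallback_vlan = profile_vlan.get(t["default"])
        for net, mask, profile in ip_rules:
            vlan = profile_vlan.get(profile)
            if vlan is None or vlan in t["vlans"]:
                continue
            findings.append({"template": name, "profile": profile, "vlan": vlan,
                             "subnet": f"{net}/{mask}", "fallback_vlan": fallback_vlan})
    return findings

if __name__ == "__main__":
    for f in audit_silent_device_vlans(SAMPLE_CONFIG):
        print(f'{f["template"]}: vlan {f["vlan"]} ({f["profile"]}, {f["subnet"]}) '
              f'not on template; unclassified devices fall back to vlan {f["fallback_vlan"]}')
```
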

Post by Cristek »

Hello Silvio, many thanks for the tips. I didn't consider that. To be fair, I kinda forgot that option when I read the manual :)

Ok, some follow up:
All devices in vlan 10 and 30 have a static IP (that's how the IT company is doing it) but I'm guessing you got that part from the config alone.
I checked and I can do the command you suggested for both vlan 10 and 30. And even for vlan 20 as well. For anyone reading this, it is supported in the 2x60 series as well!
Is there a problem if I do it for more than 1 vlan? (in this case if I do it 3 times for 10 20 and 30)? Do you foresee any issues with this?

Why 20? Because this issue also happens in vlan 20 as well (the default even, yes I know...) and I'm kinda stumped with this one but I think my lack of experience with ALE OS is playing tricks on me.
I had to disable all UNP and manually assign vlans and I have no issues on any of the vlans doing it this way!

Here's an example (copy-paste snip of the logs from that day) of the issue happening in vlan 20 with a Windows 11 PC.
Please note how port 2/1/18 is working and then not:

Code:

something-> 
something-> 
something-> sh unp user
                                               User                                                                           
Port    Username             Mac address       IP              Vlan Profile                          Type         Status      
-------+--------------------+-----------------+---------------+----+--------------------------------+------------+-----------
1/1/6   38:63:bb:d8:47:79    38:63:bb:d8:47:79 10.0.20.7       20   admin                            Bridge       Active      
	(output trimmed down)
2/1/18  ec:b1:d7:67:ab:f3    ec:b1:d7:67:ab:f3 10.0.20.35      20   admin                            Bridge       Active      
	(output trimmed down)
2/1/40  a4:ae:12:7f:94:91    a4:ae:12:7f:94:91 10.0.20.11      20   admin                            Bridge       Active      

Total users : 41

something-> 
Sat Apr 26 13:55:32 : intfCmm Mgr INFO message:
+++ Link 1/1/10 operationally up

Sat Apr 26 13:55:33 : intfCmm Mgr INFO message:
+++ Link 1/1/10 operationally down

Sat Apr 26 13:59:28 : intfCmm Mgr INFO message:
+++ Link 2/1/18 operationally down

Sat Apr 26 13:59:34 : intfCmm Mgr INFO message:
+++ Link 2/1/18 operationally up

Sat Apr 26 13:59:38 : intfCmm Mgr INFO message:
+++ Link 2/1/18 operationally down

Sat Apr 26 13:59:41 : intfCmm Mgr INFO message:
+++ Link 2/1/18 operationally up

something-> 
something-> sh unp user
                                               User                                                                           
Port    Username             Mac address       IP              Vlan Profile                          Type         Status      
-------+--------------------+-----------------+---------------+----+--------------------------------+------------+-----------
1/1/6   38:63:bb:d8:47:79    38:63:bb:d8:47:79 10.0.20.7       20   admin                            Bridge       Active      
	(output trimmed down again, but port 2/1/18 was NOT listed here even after waiting a few minutes)
2/1/40  a4:ae:12:7f:94:91    a4:ae:12:7f:94:91 10.0.20.11      20   admin                            Bridge       Active      

Total users : 40

something-> 
something-> 
Now, looking at this log, I just noticed that this port physically came down and then came back up, but still, I did a few 'sh unp user' and that port never came up logically in the UNP feature.
I also tried "mac-learning aging-time 999" that same day, but didn't seem to have any effect on the issue, not for better or worse.

I'll try those commands you suggested. Reading up on them, this is the description in the CLI guide:
"When this command is used to assign a VLAN to a UNP bridge port, the port goes into a forwarding state for egress traffic associated with the VLANs assigned to the port. This automatically occurs even when there is no MAC address learned on the UNP port in the assigned VLANs and regardless of the direction value (in or both) set for the port."
So based on what I just read, why not have this all the time for all vlans? What am I missing?

Anyhow, any additional ideas are very much appreciated!
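
The comparison done by eye in the post above (two `sh unp user` tables with link events in between) can be automated. This is an added example, not part of the original post: it reports ports that were in the earlier table, whose last logged link state is up, and that are missing from the later table. The function names are hypothetical and the capture is a constructed, shortened copy of the posted output; usernames containing spaces are not handled.

```python
import re

# Constructed sample modelled on the console capture above (rows reduced).
SAMPLE_SESSION = """\
something-> sh unp user
Port    Username             Mac address       IP              Vlan Profile  Type    Status
-------+--------------------+-----------------+---------------+----+--------+-------+------
1/1/6   38:63:bb:d8:47:79    38:63:bb:d8:47:79 10.0.20.7       20   admin    Bridge  Active
2/1/18  ec:b1:d7:67:ab:f3    ec:b1:d7:67:ab:f3 10.0.20.35      20   admin    Bridge  Active
Sat Apr 26 13:55:32 : intfCmm Mgr INFO message:
+++ Link 1/1/10 operationally up
Sat Apr 26 13:55:33 : intfCmm Mgr INFO message:
+++ Link 1/1/10 operationally down
Sat Apr 26 13:59:38 : intfCmm Mgr INFO message:
+++ Link 2/1/18 operationally down
Sat Apr 26 13:59:41 : intfCmm Mgr INFO message:
+++ Link 2/1/18 operationally up
something-> sh unp user
Port    Username             Mac address       IP              Vlan Profile  Type    Status
-------+--------------------+-----------------+---------------+----+--------+-------+------
1/1/6   38:63:bb:d8:47:79    38:63:bb:d8:47:79 10.0.20.7       20   admin    Bridge  Active
"""

LINK_RE = re.compile(r"^\+\+\+ Link (\d+/\d+/\d+) operationally (up|down)")
ROW_RE = re.compile(r"^(\d+/\d+/\d+)\s+\S+\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\S+)\s+(\d+)\s+(\S+)", re.I)
CMD_RE = re.compile(r"->\s*(sh|show) unp user\b")

def parse_session(text):
    """Split a capture into UNP table snapshots and the link events between them."""
    snapshots, events = [], []
    for line in text.splitlines():
        if CMD_RE.search(line):
            snapshots.append({})          # a new 'sh unp user' table starts here
        elif m := LINK_RE.match(line):
            events.append((len(snapshots), m.group(1), m.group(2)))
        elif snapshots and (m := ROW_RE.match(line)):
            port, mac, ip, vlan, profile = m.groups()
            snapshots[-1][port] = {"mac": mac.lower(), "ip": ip, "vlan": int(vlan), "profile": profile}
    return snapshots, events

def unclassified_after_flap(text):
    """Ports in the earlier table, last seen link-up, but missing from the later table."""
    snapshots, events = parse_session(text)
    if len(snapshots) < 2:
        return []
    before, after = snapshots[-2], snapshots[-1]
    last_state, flaps = {}, {}
    for idx, port, state in events:
        if idx == len(snapshots) - 1:      # events logged between the last two tables
            last_state[port] = state
            flaps[port] = flaps.get(port, 0) + (state == "down")
    return [{"port": p, "lost": before[p], "flaps": flaps[p]}
            for p in sorted(last_state)
            if last_state[p] == "up" and p in before and p not in after]

if __name__ == "__main__":
    for hit in unclassified_after_flap(SAMPLE_SESSION):
        print(hit["port"], "link up but no UNP user; was", hit["lost"])
```
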

Post by silvio »

Hi,
you can use this command for more than one vlan. This allows outgoing traffic (also broadcast) in these vlans on the unp ports, even if the port is currently in another profile (other vlan). So the client wakes up and sends out traffic to be classified on the unp port in the correct vlan/profile.
If you have a lot of vlans with a lot of clients, then all this traffic will be forwarded there. To avoid this you can activate the vlan only on the ports to the silent devices instead of via the template on all unp ports.
Increasing the MAC aging time is generally not a good idea (in my opinion).
BR Silvio

Post by Cristek »

The MAC aging to 999 was just to test if it made any difference. It didn't so I changed it back.

I'll test this next time I am onsite but it might be just what I am looking for. Thanks!