Maintenance Guide
Issue 02
Date 2015-01-20
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website:
http://enterprise.huawei.com
Issue 02 (2015-01-20)
Applicable Versions
This document is applicable to V200R003 and earlier versions of the S series switches.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Conventions
Symbol
Description
Indicates an imminently hazardous situation which, if not
avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if not
avoided, could result in death or serious injury.
Indicates a potentially hazardous situation which, if not
avoided, may result in minor or moderate injury.
Indicates a potentially hazardous situation which, if not
avoided, could result in equipment damage, data loss,
performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to
personal injury.
Calls attention to important information, best practices and
tips.
NOTE is used to address information not related to
personal injury, equipment damage, and environment
deterioration.
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Issue    Release Date    Description
02       2015-01-20
01       2014-10-30
1 FAQ
FAQ
1.1 Hardware
1.1.1 How Do I View the Transmit and Receive Optical Power of an Optical Module?
1.1.2 How Do I Identify Combo Interfaces of a Switch?
1.1.3 Why Are Only Two Optical Interfaces Displayed After a 4-Port Front subcard Is Installed
in an S5300?
1.1.4 When and How Should a Surge Protector Be Used on a Fixed Switch?
1.1.5 What Are Similarities and Differences Between Console and Mini USB Interfaces?
1.1.6 Are Subcards of Fixed Switches Hot Swappable?
1.1.7 Can AC and DC Power Supplies Be Installed on the same Switch?
1.1.8 Can a 10GE Optical Interface Use a GE Optical Module?
1.1.9 Can a GE Optical Interface Use a 100M Optical Module?
1.1.10 Can a GE Optical Interface Use a 10GE Optical Module?
1.1.11 Which Product Models Support Copper Transceiver Modules?
1.1.12 Can a GE Optical Interface Be Manually Configured as a 100M Interface to Work with
Another 100M Optical Interface?
1.1.13 Can Two GE Interfaces Be Connected Using a 100M Network Cable?
Threshold(V)
Threshold(V)
Threshold(V)
Threshold(V)
:3.26
:3.70
:2.90
:3.90
:2.70
Bias Current(mA)                      :23.78
Bias High Warning Threshold(mA)       :70.00
Bias Low Warning Threshold(mA)        :4.00
Bias High Alarm Threshold(mA)         :80.00
Bias Low Alarm Threshold(mA)          :2.00
RX Power(dBM)                         :-31.10
RX Power High Warning Threshold(dBM)  :-1.00
RX Power Low Warning Threshold(dBM)   :-20.00
RX Power High Alarm Threshold(dBM)    :0.75
RX Power Low Alarm Threshold(dBM)     :-23.97
TX Power(dBM)                         :-5.78
TX Power High Warning Threshold(dBM)  :-1.00
TX Power Low Warning Threshold(dBM)   :-11.50
TX Power High Alarm Threshold(dBM)    :0.99
TX Power Low Alarm Threshold(dBM)     :-13.50
-------------------------------------------------------------
-------------------------------------------------------------
Common information:
  Transceiver Type                       :OC3_INTER_REACH_SFP
  Connector Type                         :LC
  Wavelength(nm)                         :1310
  Transfer Distance(m)                   :15000(9um)
  Digital Diagnostic Monitoring          :YES
  Vendor Name                            :HUAWEI
  Vendor Part Number                     :34060358
  Ordering Name                          :
-------------------------------------------------------------
Manufacture information:
  Manu. Serial Number                    :EH1048220807
  Manufacturing Date                     :2010-12-06
  Vendor Name                            :HUAWEI
-------------------------------------------------------------
Alarm information:
  RX loss of signal
  RX power low
-------------------------------------------------------------
Diagnostic information:
  Temperature(C)                         :18
  Voltage(V)                             :3.32
  Bias Current(mA)                       :8.12
  Bias High Threshold(mA)                :27.34
  Bias Low Threshold(mA)                 :2.17
  Current Rx Power(dBM)                  :-30.00
  Default Rx Power High Threshold(dBM)   :0.00
  Default Rx Power Low Threshold(dBM)    :-16.99
  Current Tx Power(dBM)                  :-4.42
  Default Tx Power High Threshold(dBM)   :0.00
  Default Tx Power Low Threshold(dBM)    :-9.50
  User Set Rx Power High Threshold(dBM)  :0.00
  User Set Rx Power Low Threshold(dBM)   :-16.99
  User Set Tx Power High Threshold(dBM)  :0.00
  User Set Tx Power Low Threshold(dBM)   :-9.50
-------------------------------------------------------------
NOTE
In V100R003 and earlier versions, a combo interface works as an optical interface by default.
In V100R005 and later versions, a combo interface works in auto mode by default and automatically
determines the interface type depending on whether the optical interface has an optical module installed:
• If the optical interface has no optical module installed and the electrical interface has no network cable
  connected, the interface type depends on which interface is connected first. If the electrical interface
  is connected by a network cable first, the electrical interface is used for data switching. If the optical
  interface has an optical module installed first, the optical interface is used for data switching.
• If the electrical interface has a network cable connected and is in Up state, the electrical interface is
  still used for data switching when the optical interface has an optical module installed.
• If the optical interface has an optical module installed, it is still used for data switching when the
  electrical interface has a network cable connected, regardless of whether the optical interface is in Up
  state.
• If the optical interface has an optical module installed (with optical fibers connected) and the electrical
  interface has a network cable connected, the optical interface is used for data switching after the switch
  restarts.
You can use the combo-port command to configure a combo interface to work as an electrical or optical
interface.
You can use the following methods to identify a combo interface on a switch:
• Identify a combo interface based on the interface identifier on the switch panel. If two
  interfaces have the same ID but connect to different transmission media, the two interfaces
  are multiplexed as a combo interface. As shown in Figure 1-1, interfaces 1 and 2 are combo
  interfaces.
  Figure 1-1 Combo interfaces on a switch
• Run the display interface command to check whether an interface is a combo interface.
<HUAWEI> display interface gigabitethernet 1/0/1
...
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9e80-2494
Port Mode: COMBO AUTO
Speed : 100, Loopback: NONE
1.1.3 Why Are Only Two Optical Interfaces Displayed After a 4-Port
Front subcard Is Installed in an S5300?
This is because no extended channel rear card is installed in the switch.
An S5300SI or S5300EI switch can provide only two optical interfaces for a front subcard. If a
4-port front subcard is installed, the switch must use an ES5D00ETPB00 extended channel rear
subcard to provide the other two interfaces. Without an extended channel rear subcard, only two
optical interfaces are displayed.
• If a 4-port 10GE front subcard (LS5D00E4XY01) and an ES5D00ETPC00 rear stack card
  (working normally) are used together in a switch, only the first and third interfaces on the
  front subcard can work normally, and the other two interfaces cannot be used.
NOTE
The available interfaces on the LS5D00E4XY01 front subcard are displayed as XGigabitEthernet */1/1
and XGigabitEthernet */1/2 on the CLI, corresponding to physical interfaces 1 and 3 on the front subcard.
* indicates a slot ID on the switch.
If power cables of a switch are routed overhead in an outdoor environment, lightning strikes
may burn the power supplies.
Ensure that the ground cable is connected to a ground bar or a ground point on the cabinet.
To protect network interfaces against lightning, use 8-line surge protectors (or Huawei
certified 4-line surge protectors).
When installing a network interface surge protector, connect the IN end to terminals and
the OUT end to network interfaces of the switch.
If a fixed switch is installed in a network box, as shown in Figure 1-2, follow these instructions:
• Connect the ground cables of the switch and surge protectors to the ground bar in the
  network box.
• The maximum length of a ground cable cannot exceed 40 cm, and a length of less than
  15 cm is recommended.
• If the network box is located outdoors and power cables are routed aerially over a long
  distance (more than 300 m) to the network box, it is recommended that you install a power
  supply surge protector in the network box. The decoupled power cable must be at least 3
  m long.
Figure 1-2 Cable connection in a network box
Model
S3300/S5300/S6300
S3326C-HI: Yes
S5310-28C-EI: Yes
S5310-52C-EI: Yes
S5328C-HI: Yes
S5328C-HI-24S: Yes
S3300-52P-EI: Yes
S5300-EI (non-PoE): No
S5300-SI (non-PoE): No
S6300: No
Modular Switches
AC and DC power supplies cannot be installed in slots of the same type on the same switch,
and power supplies with different power ratings cannot be installed on the same switch.
S2300
Not supported
NA
S2350
S3300
Series
S5300-LI: Supported
S5300-SI: Supported
S5300-EI: Not supported
S5300-HI: Supported
S5310-EI: Supported
S6300: Supported
On the S6300 of V100R006C00SPC800, when a GE optical module is installed on a 10GE optical
interface, the interface speed automatically changes to 1000 Mbit/s and the interface works in
non-auto-negotiation mode. If the 10GE interface connects to a GE interface, the GE interface must
also work in non-auto-negotiation mode. Otherwise, the two interfaces cannot go Up. After patch
V100R006SPH005 is loaded, the 10GE optical interface with a GE optical module installed can be
switched to the auto-negotiation mode using the negotiation auto command. The interface can then
communicate with an optical interface that works at 1000 Mbit/s in auto-negotiation mode.
In versions later than V100R006C00SPC800, a 10GE interface automatically works at 1000 Mbit/s in
auto-negotiation mode after a GE optical module is installed.
Modular Switches
10GE interfaces on the following cards support GE optical modules:
You are not advised to install a low-speed optical module on a high-speed optical interface.
S2300
S2350
S3300
S5300-LI
S5300-SI
S5300-HI
S5310-EI
S6300
Not supported
S5300-EI
Modular Switches
All GE optical interfaces on modular switches support 100M optical modules.
NOTE
You are not advised to install a low-speed optical module on a high-speed optical interface.
S2300
Not supported
S2350
S3300
Not supported
S5300-LI
S5300-SI
S5300-EI
S5300-HI
Series
S5310-EI
S6300
Modular Switches
GE copper transceiver modules can be used on all GE optical interface cards and the 10GE
optical interface cards that support GE optical modules.
GE optical interface cards of modular switches support only Huawei-certified copper transceiver
modules. When non-Huawei-certified copper transceiver modules are installed on interfaces of
Huawei switches, the interfaces still work as optical interfaces.
1.2 DHCP
1.2.1 What are functions of DHCP?
1.2.2 How Do I Configure a DHCP Server?
1.2.3 How Do I Configure the DHCP Relay Agent?
1.2.4 How Do I Configure DHCP Snooping?
1.2.5 How Do I Maintain DHCP?
1.2.6 How Can I Use the Extended DHCP Functions?
1.2.7 How Does a Switch Support DHCP?
parameters from a DHCP server, and the DHCP server returns the parameters (including IP
addresses, subnet masks, and default gateway addresses) according to configured policies.
DHCP supports Option fields. For details about Option fields, see RFC2132.
The DHCP protocol structure involves the following roles:
• DHCP Server
A DHCP server processes requests for address allocation, address renewal, and address release
from DHCP clients or DHCP relay agents, and allocates IP addresses and other network
configuration parameters to DHCP clients.
• DHCP Relay
A DHCP relay agent forwards DHCP packets between clients and the server to help them
complete address configuration. The request packets sent by DHCP clients are broadcast on the
network. If the server and client are located on different links, the DHCP relay agent is required
to forward packets between the server and client. It is unnecessary to deploy a DHCP server on
each network segment. Therefore, network deployment costs are reduced and centralized device
management is implemented.
The DHCP relay agent is optional in a DHCP protocol structure. It is required only when DHCP
clients and server are on different network segments.
• DHCP Client
DHCP clients obtain IP addresses and other network configuration parameters by exchanging
DHCP packets with the DHCP server. After the DHCP client function is configured on an
interface, the interface can function as a DHCP client to dynamically obtain configuration
parameters such as an IP address from a DHCP server. This facilitates device configurations and
centralized management.
• An IP address pool is created in the system view on a DHCP server. In the interface view, the
  server is configured to allocate IP addresses, gateway addresses, and DNS server addresses to
  clients based on the global address pool.
• An IP address pool is created in the interface view on a DHCP server. In the interface view, the
  server is configured to allocate IP addresses, gateway addresses, and DNS server addresses to
  clients based on the interface address pool.
NOTE
In the preceding configurations, the interface can be a VLANIF interface or a physical interface working
in Layer 3 mode. Since V200R005C00, the physical interfaces working in Layer 3 mode have supported
the preceding configurations.
Depending on creation methods, address pools are classified into interface address pools and
global address pools.
As shown in Figure 1-3, the switch functions as a DHCP server to allocate IP addresses and
DNS address to the PC. Both the global and interface address pools can be used in this scenario.
Figure 1-3 A switch functions as a DHCP server
2.
3. Enable DHCP server on VLANIF10 and configure the server to use the global address pool.
[HUAWEI] interface vlanif10 //Enter the VLANIF interface view.
[HUAWEI-Vlanif10] ip address 10.10.10.1 255.255.255.0 //Configure IP addresses.
[HUAWEI-Vlanif10] dhcp select global //Configure the DHCP server to use the global address pool.
1.
2. Enable DHCP server on VLANIF10 and configure the server to use the interface address pool.
NOTICE
Before running the dhcp select interface command, allocate an IP address to the
VLANIF interface.
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.10.10.1 255.255.255.0 //Configure a network segment.
[HUAWEI-Vlanif10] dhcp select interface //Configure the DHCP server to use the interface address pool.
[HUAWEI-Vlanif10] dhcp server dns-list 10.8.8.8 //Configure a DNS server address.
[HUAWEI-Vlanif10] dhcp server excluded-ip-address 10.10.10.10 10.10.10.50 //Configure the reserved IP address range.
[HUAWEI-Vlanif10] dhcp server lease day 0 hour 8 minute 0 //Configure the lease period.
[HUAWEI-Vlanif10] quit
Before configuring a DHCP relay agent, ensure that reachable routes exist between clients and the DHCP
server.
2.
3.
interface vlanif 100
ip address 10.20.20.1 24
dhcp select relay
dhcp relay server-select group1
quit
binding table contains the MAC address, IP address, lease, binding type, VLAN ID, and interface
information.
The DHCP snooping binding entries are dynamically generated based on the DHCP ACK
packets received by trusted interfaces. The entries record the mappings between clients' IP
addresses and MAC addresses. DHCP snooping is equivalent to a firewall between DHCP clients
and the DHCP server to prevent DHCP Denial of Service (DoS) attacks, bogus DHCP server
attacks, and bogus DHCP request packet attacks, and ensure that only authorized users can access
the network.
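The following Python sketch is an added example, not Huawei code: it models the trusted-interface check and the binding table described above. The interface names, MAC address and client address are constructed, and checking release packets against the binding table is an assumption about how bogus client packets are filtered.

```python
from dataclasses import dataclass

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = range(1, 8)
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass(frozen=True)
class Binding:
    """One binding entry with the fields the guide lists."""
    mac: str
    ip: str
    lease: int          # seconds
    binding_type: str   # "dynamic" for entries learned from DHCP ACK packets
    vlan: int
    interface: str      # client-facing interface


class SnoopingSwitch:
    """Simplified model of a switch with DHCP snooping enabled."""

    def __init__(self, trusted):
        self.trusted = set(trusted)  # interfaces that lead to the legitimate server
        self.pending = {}            # (mac, vlan) -> interface the client spoke on
        self.bindings = {}           # (mac, vlan) -> Binding
        self.dropped = []            # (interface, reason) for every discarded packet

    def _drop(self, interface, reason):
        self.dropped.append((interface, reason))
        return False

    def receive(self, interface, vlan, msg_type, client_mac, ip=None, lease=0):
        """Return True if the packet is forwarded, False if it is discarded."""
        key = (client_mac, vlan)
        if msg_type in SERVER_MESSAGES:
            # Bogus DHCP server: server replies are accepted on trusted interfaces only.
            if interface not in self.trusted:
                return self._drop(interface, "server reply on untrusted interface")
            if msg_type == ACK and key in self.pending:
                # The ACK seen on a trusted interface creates the dynamic entry.
                self.bindings[key] = Binding(client_mac, ip, lease, "dynamic",
                                             vlan, self.pending.pop(key))
            return True
        if msg_type in (RELEASE, DECLINE):
            # Assumed check: only the interface that owns the entry may give it up.
            entry = self.bindings.get(key)
            if entry is None or entry.interface != interface or entry.ip != ip:
                return self._drop(interface, "release/decline does not match binding")
            del self.bindings[key]
            return True
        # DISCOVER / REQUEST: remember where the client is attached.
        self.pending[key] = interface
        return True

    def is_bound(self, interface, vlan, mac, ip):
        """True if (MAC, IP, VLAN, interface) matches a binding entry."""
        entry = self.bindings.get((mac, vlan))
        return entry is not None and (entry.interface, entry.ip) == (interface, ip)


def demo():
    """Constructed exchange: one client, one real server, one bogus server."""
    sw = SnoopingSwitch(trusted={"GE0/0/1"})   # uplink to the real server
    mac = "00e0-fc12-3456"                      # constructed client MAC
    results = [
        sw.receive("GE0/0/2", 10, DISCOVER, mac),
        sw.receive("GE0/0/3", 10, OFFER, mac, ip="192.168.1.50"),     # bogus server
        sw.receive("GE0/0/1", 10, OFFER, mac, ip="10.10.10.100"),
        sw.receive("GE0/0/2", 10, REQUEST, mac),
        sw.receive("GE0/0/1", 10, ACK, mac, ip="10.10.10.100", lease=28800),
        sw.receive("GE0/0/3", 10, RELEASE, mac, ip="10.10.10.100"),   # forged release
    ]
    return sw, results


if __name__ == "__main__":
    switch, outcome = demo()
    print(outcome)
    for entry in switch.bindings.values():
        print(entry)
    for interface, reason in switch.dropped:
        print("dropped on", interface, "-", reason)
```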
Figure 1-4 Prevention against bogus DHCP server attack
In the scenario shown in Figure 1-4, the procedure for configuring prevention against bogus DHCP
server attacks is as follows:
1.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
2.
3.
0/0/2
snooping enable
0/0/3
snooping enable
Run the ping ip-address command to test whether an IP address is allocated to a client. If the
ping operation is successful, the IP address has been allocated. If the ping operation fails, the IP
address is idle.
2. Run the display ip pool name ip-pool-name used command on the DHCP server to check
allocated IP addresses.
3. Reclaim IP addresses.
Run the reset ip pool { interface pool-name | name ip-pool-name } { start-ip-address
[ end-ip-address ] | all | conflict | expired | used } command in the user view to manually reclaim IP
addresses in the address pool.
If an IP address has been manually bound to a MAC address, the binding is still valid after this
command is executed and the IP address cannot be allocated to other clients. To unbind the IP
address from the MAC address, run the following commands as required:
l
The IP address to be bound to a specified MAC address cannot be occupied. If the IP address is being
occupied, run the reset ip pool { interface pool-name | name ip-pool-name } { start-ip-address
[ end-ip-address ] | all | conflict | expired | used } command in the user view to reclaim the IP address
in the address pool.
At least two attributes among IP address, MAC address, interface, and VLAN need to be
specified in a static binding entry. The effect varies depending on the bound attributes. At
most four attributes can be bound.
After the static binding entries are configured, authorized users with static IP addresses can
go online. If a static user changes the IP address, the user cannot go online because the
device has neither the dynamic nor static DHCP snooping binding entry of the user.
Modular switch
All models and versions support DHCP server, DHCP relay, and DHCP snooping. The
DHCP client has been supported since V200R005C00.
Fixed switch
In the versions earlier than V200R005C00, S2300SI, S2300EI, S5306LI, and
S5300LI support only DHCP client, but do not support DHCP server or DHCP relay.
In the versions later than V200R005C00, all models except S5306LI support DHCP
server, DHCP relay, and DHCP client. The S5306LI supports only DHCP client.
All models except S2300SI support DHCP snooping.
1.3 PoE
1.3.1 How Much Power Does a PoE Power Module Provide?
1.3.2 Which Switch Models Support the PoE Function?
1.3.3 Why Can't a PoE Card Be Registered?
Fixed switch
Fixed switches support 250 W (sales part number 02130878) and 500 W (sales part number
02130879) PoE power modules. The actual available power of a 250 W PoE power module is
around 120 W (measured 123.2 W). The actual available power of a 500 W PoE power module
is around 370 W (measured 369.6 W).
A 250 W PoE power module can provide 802.3af full power on 8 interfaces or 802.3at full power
on 4 interfaces.
A 500 W PoE power module can provide 802.3af full power on 24 interfaces or 802.3at full
power on 12 interfaces.
Modular switch
Table 1-4 lists the PoE power modules supported by the S9300 series switches and the available
power they can provide.
NOTICE
Different types of power modules cannot be used in the same switch.
Table 1-4 PoE power modules supported by the S9300 series switches and their available power
PoE Power Module Supported
Maximum Available
Power
800 W
2200 W
Table 1-5 lists the PoE power that the S9300 series switches can provide and the number of PoE
interfaces they support.
Table 1-5 PoE power provided by the S9300 series switches and the number of PoE interfaces
supported
Chassis
Number of PoE
Power Modules
Supported
Maximum Power
S9303
2200 W
144
S9306
8800 W
288
S9312
576
If the product name contains PWR, this switch model supports the PoE function.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
If the product name does not contain PWR, this switch model does not support the PoE
function.
Modular switches
Among modular switches, only the S9300 series switches support the PoE function. The PoE
card of an S9300 is LE0DG48VEA00.
1.4 NAT
1.4.1 Do Huawei Switches Support NAT?
1.4.2 How Do I Configure Outbound NAT to Enable Private Network Users to Access the
Internet?
1.4.3 How Do I Configure NAT Server to Enable Internet Users to Access Private Servers?
Networking Requirements
The SPU is installed in slot 5 of the Switch in Figure 1-5. Hosts on the internal networks of
company A and company B use private IP addresses. Company A has 100 hosts and 101 idle
public IP addresses (202.169.10.100 to 202.169.10.200). Hosts in company B are on a VPN and
company B does not have idle public IP addresses.
Company A and company B require that internal hosts access the Internet.
Figure 1-5 Configuring outbound NAT to allow private network users to access the Internet
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. On the Switch, configure outbound NAT with an address pool for hosts in company A. The
Switch maps each private IP address to a public IP address so that hosts in company A can
successfully access the Internet.
3. On the Switch, configure Easy IP without an address pool for hosts in company B. The
Switch maps each private IP address to the public IP address of the outbound interface so
that hosts in company B can successfully access the Internet.
1. Configure Layer 2 flow import to direct flows from the Switch to the SPU. GE2/0/1 and
GE2/0/3 are inbound interfaces, and GE2/0/2 is the outbound interface.
Procedure
[Switch-XGigabitEthernet5/0/0] eth-trunk 1
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet 5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 1
[Switch-XGigabitEthernet5/0/1] quit
# On the SPU, configure IP addresses for interfaces and add interfaces to VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SPU
[SPU] interface eth-trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface eth-trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface eth-trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface eth-trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2 202.169.10.2
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit
2.
3.
Run the display nat outbound interface eth-trunk 1.2 command on the SPU to view the
outbound NAT configuration.
[SPU] display nat outbound interface eth-trunk 1.2
NAT Outbound
Information:
--------------------------------------------------------------------------
Interface
Type
Acl
Address-group/IP/Interface
-------------------------------------------------------------------------Eth-Trunk1.2
pat
Eth-Trunk1.2
easyip
2000
2001
202.169.10.1
no-
-------------------------------------------------------------------------Total : 2
After the configuration is complete, hosts in company A and company B can access the Internet.
Take company A as an example. On the host with the private IP address 192.168.20.2, ping the
public IP address 202.169.10.2 on the Internet. The ping succeeds.
Run the display nat session destination 202.169.10.2 command on the SPU to view the source
IP address before and after the NAT operation.
[SPU] display nat session destination 202.169.10.2
The operation may take a few minutes, please
wait...
NAT Session Table
Information:
Protocol
: ICMP
(1)
SrcAddr
192.168.20.2
Vpn
DestAddr
202.169.10.2
Vpn
: 8
NATInfo
New SrcAddr
202.169.10.100
New DestAddr
New IcmpId
----
----
Total : 1
Take company B as an example. On the host with the private IP address 10.0.0.2, ping the public
IP address 202.169.10.2 on the Internet. The ping succeeds.
Run the display nat session destination 202.169.10.2 command on the SPU to view the source
IP address before and after the NAT operation.
[SPU] display nat session destination 202.169.10.2
The operation may take a few minutes, please
wait...
NAT Session Table
Information:
Protocol
: ICMP
(1)
SrcAddr
vpn_b
DestAddr
202.169.10.2
Vpn
: 10.0.0.2
Vpn
: 8
NATInfo
New SrcAddr
202.169.10.1
New DestAddr
New IcmpId
----
10240
Total : 1
Configuration Files
l
arp broadcast enable
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk1.2 202.169.10.2
#
return
Networking Requirements
The SPU is installed in slot 5 of the Switch in Figure 1-6. Company A provides a web server
for Internet users to access. The private IP address of the web server is 192.168.20.2:8080 and
its public IP address is 202.169.10.5. Company B provides an FTP server on the VPN for Internet
users to access. The private IP address of the FTP server is 10.0.0.3 and its public IP address is
202.169.10.33.
Internet users need to access company A's web server and company B's FTP server using public
IP addresses.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Configure the NAT server function so that Internet users can access company A's web
server and company B's FTP server using public IP addresses.
3. Enable the NAT ALG function to implement address translation for FTP packets.
1. Configure Layer 2 flow import to direct flows from the Switch to the SPU. GE2/0/2 is the
inbound interface, and GE2/0/1 and GE2/0/3 are outbound interfaces.
Procedure
# On the SPU, configure IP addresses for interfaces and add interfaces to VLANs.
<SPU> system-view
[SPU] interface eth-trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface eth-trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface eth-trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface eth-trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2 202.169.10.2
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit
2.
3.
4.
: 202.169.10.33/21(ftp)
: 10.0.0.3/21(ftp)
: vpn_b
After the configuration is complete, Internet users can access company A's web server and
company B's FTP server using public IP addresses.
Configuration Files
l
#
interface XGigabitEthernet5/0/1
eth-trunk 1
#
return
1.5.1 How Do I Obtain a Web File and Configure the Web System?
Obtaining a Web File
The web file is released with the system software package and varies depending on software
versions. The following uses S9300V200R003 as an example to describe how to obtain a web
file.
Step 1 Open the Internet Explorer and enter http://enterprise.huawei.com/en/ in the address box.
NOTE
You must have permission to obtain the web file. To obtain the permission, choose My Huawei >
Permissions.
Before loading a web file, upload the web file to the switch through FTP, SFTP, or TFTP. The web file
must be loaded to the root directory of the switch's storage medium; otherwise, the web file cannot be
loaded.
Step 3 Run the http secure-server enable command to enable the HTTPS server function.
Step 4 Run the http server enable command to enable the HTTP server function.
HTTP users of level 3 or higher can manage the switch on the web system, whereas HTTP users of level
2 or lower can only view the switch configuration.
Step 8 Run the local-user user-name service-type http command to set the service type to HTTP.
----End
The IP address is the management address of a device, and can be an IPv4 or IPv6 address depending on
the HTTPS type (HTTPS IPv4 or IPv6) you have selected.
To ensure compatibility, the system converts http://IP address you entered into https://IP address.
Step 2 Enter the HTTP user name, password, and verification code, and select a language for the web
system.
Step 3 Click Login or press Enter. The web system home page is displayed.
----End
You can manage and maintain the switch after logging in to the web system.
1.6 NAC
1.6.1 What Is the Difference Between 802.1x and DOT1x?
1.6.2 Must a Shared Key Be Configured for Portal Authentication?
1.6.3 Why Does a User Go Offline 10 Seconds After Passing 802.1x Authentication?
1.6.4 Why 802.1x or MAC Address Authentication Does Not Take Effect After Being Enabled
and the Configuration Is Displayed in the Configuration File?
1.6.5 Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses From
If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface?
1.7.4 What Is the Default Interval for Sending LBDT Packets on an Interface?
1.7.5 How Do I Differentiate LBDT Packets Sent by Different Interfaces
Usage Scenario
Generally, single-interface loop detection is used on downlink interfaces of newly deployed
switches to help field engineers discover incorrect cable connections.
It is recommended that you set the action for interfaces with loops to block.
Configuration Procedure
After you enable loop detection globally, this function is enabled on all interfaces.
[Quidway] loopback-detect enable
Modular switches of V200R001 and later versions support loop detection in eight VLANs on
an interface.
Fixed switches of V100R005 and later versions support loop detection in eight VLANs on an
interface. In addition to trap, shutdown, and block, the action for interfaces with loops can be
set to nolearn (stop learning MAC addresses).
The following configuration is performed on fixed switches:
[Quidway-Ethernet0/0/1] loopback-detect packet vlan 20 21 22 23 24 25 26 27
[Quidway-Ethernet0/0/1] loopback-detect action nolearn
Modular switches of V200R001 and later versions and fixed switches of V100R005 and later
versions can generate loop traps, and the traps contain VLANs where loops have occurred.
The following is an example of loop trap:
#Jan 1 2008 06:43:54-08:00 Quidway LDT/4/Porttrap:OID1.3.6.1.4.1.2011.5.25.174.3.3
Loopback does exist on interface(5) Ethernet0/0/1 ( VLAN 20 ) , loopback detect status: 4.
(1:normal; 2:block;3:shutdown; 4:trap; 5:nolearn)
Precautions
Loop detection is an auxiliary tool and consumes system resources. When loop detection is
complete, run the undo loopback-detect enable command to disable this function.
The alarm information includes the interface number, VLAN ID, and time. The system can
display consecutive alarms and specific MAC addresses where flapping occurs.
#Jan 1 2008 06:53:12-08:00 Quidway L2IFPPI/4/
MFLPIFRESUME:OID1.3.6.1.4.1.2011.5.25.160.3.2 Loop does not exist in vlan 3,
Interface Ethernet0/0/1 resumed, block-time is 30 for mac-flapping disappeared.
#Jan 1 2008 06:52:22-08:00 Quidway L2IFPPI/4/
MFLPIFBLOCK:OID1.3.6.1.4.1.2011.5.25.160.3.1 Loop exist in vlan 3,
InterfaceEthernet0/0/1 blocked, block-time is 30 for mac-flapping, Mac Address is
00e0-fc22-765a.
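The loop trap and the MAC-flapping alarms quoted above can be turned into structured events for monitoring. The following Python parser is an added example, not code from the Huawei guide: the sample input is constructed from the three alarms on this page (kept in the page's order, where the resume alarm precedes the block alarm), and all function and field names are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Action codes exactly as listed in the loop trap quoted on this page.
LDT_STATUS = {1: "normal", 2: "block", 3: "shutdown", 4: "trap", 5: "nolearn"}
MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample: the three alarms quoted on this page, in the page's order
# (the resume alarm is listed before the block alarm) and with the same wrapping.
SAMPLE_LOG = """\
#Jan 1 2008 06:43:54-08:00 Quidway LDT/4/Porttrap:OID1.3.6.1.4.1.2011.5.25.174.3.3
Loopback does exist on interface(5) Ethernet0/0/1 ( VLAN 20 ) , loopback detect status: 4.
(1:normal; 2:block;3:shutdown; 4:trap; 5:nolearn)
#Jan 1 2008 06:53:12-08:00 Quidway L2IFPPI/4/
MFLPIFRESUME:OID1.3.6.1.4.1.2011.5.25.160.3.2 Loop does not exist in vlan 3,
Interface Ethernet0/0/1 resumed, block-time is 30 for mac-flapping disappeared.
#Jan 1 2008 06:52:22-08:00 Quidway L2IFPPI/4/
MFLPIFBLOCK:OID1.3.6.1.4.1.2011.5.25.160.3.1 Loop exist in vlan 3,
InterfaceEthernet0/0/1 blocked, block-time is 30 for mac-flapping, Mac Address is
00e0-fc22-765a.
"""

HEADER = re.compile(
    r"^#(?P<ts>\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})(?P<tz>[+-]\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+\w+/\d/\s*(?P<name>\w+):OID[\d.]+\s+(?P<body>.*)$")

MAC = r"(?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4}"
# Alarm name -> (event kind, pattern for the alarm text). "Interface\s*" tolerates
# the missing space in "InterfaceEthernet0/0/1" seen in the block alarm.
BODY = {
    "Porttrap": ("loopback-detect", re.compile(
        r"Loopback does exist on interface\(\d+\)\s*(?P<ifname>\S+)\s*"
        r"\(\s*VLAN\s+(?P<vlan>\d+)\s*\)\s*,\s*loopback detect status:\s*(?P<status>\d+)")),
    "MFLPIFBLOCK": ("mac-flap-block", re.compile(
        r"Loop exist in vlan (?P<vlan>\d+),\s*Interface\s*(?P<ifname>\S+) blocked, "
        r"block-time is (?P<block_time>\d+) for mac-flapping, Mac Address is\s+"
        r"(?P<mac>" + MAC + ")")),
    "MFLPIFRESUME": ("mac-flap-resume", re.compile(
        r"Loop does not exist in vlan (?P<vlan>\d+),\s*Interface\s*(?P<ifname>\S+) resumed")),
}


def split_records(text):
    """Join wrapped lines: a record starts at '#' and runs to the next '#'."""
    record = []
    for line in text.splitlines():
        if line.startswith("#") and record:
            yield " ".join(record)
            record = []
        if line.strip():
            record.append(line.strip())
    if record:
        yield " ".join(record)


def parse_ts(ts, tz):
    """Build an aware datetime without relying on the process locale."""
    mon, day, year, hms = ts.split()
    hour, minute, second = map(int, hms.split(":"))
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    if tz[0] == "-":
        offset = -offset
    return datetime(int(year), MONTHS[mon], int(day), hour, minute, second,
                    tzinfo=timezone(offset))


def parse_alarm(record):
    """Return a dict for a recognised alarm, or None for anything else."""
    head = HEADER.match(record)
    if not head or head["name"] not in BODY:
        return None
    kind, pattern = BODY[head["name"]]
    body = pattern.search(head["body"])
    if not body:
        return None
    event = {"time": parse_ts(head["ts"], head["tz"]), "host": head["host"],
             "kind": kind, "interface": body["ifname"], "vlan": int(body["vlan"])}
    if kind == "loopback-detect":
        event["action"] = LDT_STATUS.get(int(body["status"]), "unknown")
    elif kind == "mac-flap-block":
        event["mac"] = body["mac"].lower()
        event["block_time"] = int(body["block_time"])
    return event


def parse_log(text):
    """Parse every alarm and return the events in chronological order."""
    events = [e for e in map(parse_alarm, split_records(text)) if e]
    return sorted(events, key=lambda e: e["time"])


def still_blocked(events):
    """Replay block/resume events; return {(host, interface, vlan): mac} still blocked."""
    blocked = {}
    for event in sorted(events, key=lambda e: e["time"]):
        key = (event["host"], event["interface"], event["vlan"])
        if event["kind"] == "mac-flap-block":
            blocked[key] = event["mac"]
        elif event["kind"] == "mac-flap-resume":
            blocked.pop(key, None)
    return blocked
```

Replaying the events in file order instead of timestamp order would leave Ethernet0/0/1 reported as blocked, because the page's alarm listing is newest first.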
In V200R003 and later versions, a switch considers that a loop has occurred on the network
connected to an interface if detection packets sent from the interface are sent back to another
interface. This mechanism can also be used for multi-interface loop detection.
V100R006 and later versions: The default interval for sending LBDT packets is 5s.
NOTE
A shorter interval indicates that the system sends more LBDT packets in a given period and detects loops
more accurately. However, more system resources are consumed.
LBDT packets are sent frequently; therefore, the CPU usage will increase if the LBDT function is enabled
on all interfaces.
l
V100R005
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
LBDT packets sent by different interfaces are distinguished by the protocol ID. By default,
the system assigns a protocol ID to each interface in ascending order.
You can run the loopback-detect protocol protocol-id command to configure a protocol
ID in LBDT packets.
NOTE
- The protocol ID in LBDT packets can be configured only when LBDT is disabled.
- The protocol ID in LBDT packets must be unique on an interface.
1.9 VLAN
1.9.1 How Do I Change the Link Type of an Interface?
1.9.2 Which VLAN Assignment Methods Do S Series Switches Support?
1.9.3 The Link Type of an Interface Cannot Be Changed from Hybrid to Access. How Is This
Problem Solved?
1. Access
[Quidway-GigabitEthernet1/0/1] port link-type access
[Quidway-GigabitEthernet1/0/1] port default vlan 10
The preceding configuration changes the link type of the interface to access.
An access interface processes packets as follows:
- When receiving an untagged packet, the interface accepts the packet and tags it with the default VLAN ID.
- When receiving a tagged packet:
  - If the VLAN ID of the packet is the same as the default VLAN ID of the interface, the interface accepts the packet.
  - If the VLAN ID of the packet is different from the default VLAN ID of the interface, the interface drops the packet.
- Before sending a packet, the interface removes the VLAN tag from the packet.
2. Trunk
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk pvid vlan 20
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 10 20
The preceding configuration changes the link type of the interface to trunk.
A trunk interface processes packets as follows:
- When receiving an untagged packet:
  - The interface tags the packet with the default VLAN ID. If the default VLAN ID is in the list of allowed VLAN IDs, the interface accepts the packet.
  - The interface tags the packet with the default VLAN ID. If the default VLAN ID is not in the list of allowed VLAN IDs, the interface drops the packet.
- When receiving a tagged packet:
  - If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface accepts the packet.
  - If the VLAN ID of the packet is not in the list of allowed VLAN IDs, the interface drops the packet.
- When sending a packet:
  - If the VLAN ID of the packet is the same as the default VLAN and is in the list of allowed VLAN IDs, the interface removes the tag from the packet and sends the packet.
  - If the VLAN ID of the packet is different from the default VLAN and is in the list of allowed VLAN IDs, the interface retains the tag and sends the packet.
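The access and trunk rules above can be checked against the two configurations shown on this page. The following Python model is an added example, not code from the Huawei guide: it parses the page's access and trunk command lines and applies the receive and send rules as stated. Three points are assumptions because the page does not state them: the default VLAN is 1 when none is configured, an access interface only sends packets that belong to its default VLAN, and a trunk interface does not send packets whose VLAN is outside the allowed list.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# The access and trunk configurations from this page, prompts included.
ACCESS_CFG = """\
[Quidway-GigabitEthernet1/0/1] port link-type access
[Quidway-GigabitEthernet1/0/1] port default vlan 10
"""
TRUNK_CFG = """\
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk pvid vlan 20
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 10 20
"""


@dataclass(frozen=True)
class Port:
    link_type: str                          # "access" or "trunk"
    pvid: int = 1                           # default VLAN ID (1 is an assumed default)
    allowed: FrozenSet[int] = frozenset()   # trunk allow-pass list


def parse_vlan_list(words):
    """Parse 'vlan 2 10 20' style lists, including 'N to M' ranges."""
    vlans, i = set(), 0
    while i < len(words):
        start = int(words[i])
        if i + 2 < len(words) and words[i + 1] == "to":
            vlans.update(range(start, int(words[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return frozenset(vlans)


def parse_port(config: str) -> Port:
    """Build a Port from interface-view command lines (prompt is optional)."""
    link_type, pvid, allowed = None, 1, frozenset()
    for line in config.splitlines():
        words = re.sub(r"^\s*\[[^\]]*\]\s*", "", line).split()
        if words[:2] == ["port", "link-type"]:
            link_type = words[2]
        elif words[:3] == ["port", "default", "vlan"]:
            pvid = int(words[3])
        elif words[:4] == ["port", "trunk", "pvid", "vlan"]:
            pvid = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            allowed = allowed | parse_vlan_list(words[4:])
    if link_type not in ("access", "trunk"):
        raise ValueError("this model covers access and trunk interfaces only")
    return Port(link_type, pvid, allowed)


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN a received packet is accepted into, or None if dropped.
    tag is the packet's VLAN ID, or None for an untagged packet."""
    if port.link_type == "access":
        if tag is None:
            return port.pvid                      # untagged: tag with default VLAN
        return tag if tag == port.pvid else None  # tagged: must equal default VLAN
    vlan = port.pvid if tag is None else tag      # trunk: untagged gets default VLAN
    return vlan if vlan in port.allowed else None


def egress(port: Port, vlan: int) -> Tuple[bool, Optional[int]]:
    """Return (sent, tag_on_wire); tag_on_wire is None for an untagged packet."""
    if port.link_type == "access":
        # Assumption: only packets in the interface's default VLAN leave this port.
        return (True, None) if vlan == port.pvid else (False, None)
    if vlan not in port.allowed:
        return (False, None)                      # assumption: not in allow-pass list
    return (True, None) if vlan == port.pvid else (True, vlan)


def switch(in_port: Port, tag: Optional[int], out_port: Port):
    """Receive on in_port, then send on out_port."""
    vlan = ingress(in_port, tag)
    return (False, None) if vlan is None else egress(out_port, vlan)
```

With the page's values, an untagged packet received on the trunk interface is placed in VLAN 20, so it never reaches the access interface in VLAN 10, while a packet from the access interface leaves the trunk tagged with VLAN 10.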
3. Hybrid
[Quidway-GigabitEthernet1/0/1] port link-type hybrid
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 2 10
[Quidway-GigabitEthernet1/0/1] port hybrid tagged vlan 20
The preceding configuration changes the link type of the interface to hybrid.
A hybrid interface processes packets as follows:
4. Dot1q-tunnel
[Quidway-GigabitEthernet1/0/1] port link-type dot1q-tunnel
[Quidway-GigabitEthernet1/0/1] port default vlan 20
The preceding configuration changes the link type of the interface to dot1q-tunnel. A dot1q-tunnel interface adds a VLAN tag to packets before forwarding them, regardless of the original VLAN IDs of the packets. Before sending a packet, a dot1q-tunnel interface removes the tag with the default VLAN ID from the packet.
V100R006C03
V100R006C05
V200R001/
V200R002/
V200R003
Supported by all
models
Supported by all
models
Supported by all
models
Supported by all
models
Supported by all
models
Not supported
Supported by all
models
Run the port hybrid untagged vlan 1 and undo port hybrid tagged vlan 10 commands to
restore the default configuration of the interface. Then change the link type of the interface.
1.10 Password
1.10.1 Which Are the Default Passwords Used on S Series Switches?
1.10.2 How Can I Delete a Console Login Password?
When you log in to a switch through a console port, no default user name or password is
provided. The system asks you to set the user name and password when you log in to the
switch for the first time.
When you log in to a switch through web, your default user level is 0: visit level.
By default, the console login password, BootROM password, and Telnet password are case-sensitive.
Type
Version
BootROM Password
Web User Name and Password
S9300/S9300E
S9300
V100R001&V100R002
7800
V100R003
9300
admin/admin
9300
If you forget the password, use the super password 7800 to log in to the switch.
V200R001&V200R002
V200R003 and later versions
S9300E
All versions
Admin@huawei.com
After the system software is upgraded, the default password may be changed to 9300 or 7800.
Admin@huawei.com
admin/admin@huawei.com
After the system software is upgraded, the default password may be changed to admin.
Web login is not supported.
S2300
S2352EI/S2300EI/S2300SI
V100R002-V100R006 (C00&C01)
huawei
admin/admin
V100R006C03
Admin@huawei.com
V100R006C05
S3300
admin/admin@huawei.com
After the system software is upgraded, the default password may be changed to admin.
S2350EI
All versions
Admin@huawei.com
admin/admin@huawei.com
S3300HI
V100R006 (C00&C01)
huawei
admin/admin
V200R001
Admin@huawei.com
S3300EI/S3300SI
V100R001-V100R006 (C00&C01)
huawei
admin/admin
V100R006C03
Admin@huawei.com
V100R006C05
S5300
admin/admin@huawei.com
After the system software is upgraded, the default password may be changed to admin.
S5320EI
All versions
Admin@huawei.com
admin/admin@huawei.com
S5310EI
V200R002
Admin@huawei.com
admin/admin
admin/admin@huawei.com
After the system software is upgraded, the default password may be changed to admin.
S5300LI
V200R001&V200R002
Admin@huawei.com
admin/admin
admin/admin@huawei.com
After the system software is upgraded, the default password may be changed to admin.
S5300EI
V100R002-V100R006
huawei
V200R001&V200R002
Admin@huawei.com
S5300SI
admin/admin
V100R003-V100R006
huawei
V200R001&V200R002
Admin@huawei.com
admin/admin@huawei.com
After the system software is upgraded, the default password may be changed to admin.
admin/admin
may be changed to huawei.
admin/admin@huawei.com
After the system software is upgraded, the default password may be changed to admin.
S5306LI/S5300HI
V100R006
N/A
admin/admin
S6300EI
huawei
V100R006
Admin@huawei.com
After the system software is upgraded, the default password may be changed to huawei.
huawei
admin/admin@huawei.com
After the system software is upgraded, the default password may be changed to admin.
admin/admin
Admin@huawei.com
After the system software is upgraded, the default password may be changed to huawei.
admin/admin@huawei.com
After the system software is upgraded, the default password may be changed to admin.
1. Restart the switch. When the BootROM menu is displayed, choose option "5.Enter filesystem submenu" to display the file system submenu.
2. When the file system submenu is displayed, choose option "4.Rename file from flash" to rename the default configuration file vrpcfg.zip. For example, change the file name to vrptest.zip.
3. Log in to the switch after the restart. The system uses the factory settings now.
4. Decompress the vrptest file and name the decompressed file vrpcfg.bat.
<Quidway> unzip vrptest vrpcfg.bat
5. Run the execute command to invoke the original configuration and delete the console login password.
<Quidway> system-view
[Quidway] execute vrpcfg.bat
[Quidway] user-interface console 0
[Quidway-ui-console0] undo authentication-mode
[Quidway-ui-console0] quit
[Quidway] quit
6.
7. After the switch restarts, the console login password is deleted, and the original service configurations are retained.
After you enter the correct BootROM password, the following BootROM menu is displayed:
BOOTROM MENU
Choose option "7. Clear password for console user" and then choose option "1. Boot with default mode." The console login password is then deleted.
NOTICE
After clearing the console login password, choose option "1. Boot with default mode" in the
BootROM menu to restart the system. Do not choose option "8. Reboot" or power off the switch.
Otherwise, the configuration will be lost.
1. Restart the switch. When the BootROM menu is displayed, press CTRL+Z to display the hidden menu.
2. Choose option "8-Rename file in CFCard" to rename the default configuration file vrpcfg.zip. For example, change the file name to vrptest.zip.
3. Log in to the switch after the restart. The system uses the factory settings now.
4. Decompress the vrptest file and name the decompressed file vrpcfg.bat.
<Quidway> unzip vrptest vrpcfg.bat
5. Run the execute command to invoke the original configuration and delete the console login password.
<Quidway> system-view
[Quidway] execute vrpcfg.bat
[Quidway] user-interface console 0
[Quidway-ui-console0] undo authentication-mode
[Quidway-ui-console0] quit
[Quidway] quit
6.
7. After the switch restarts, the console login password is deleted, and the original service configurations are retained.
MENU
NOTICE
After clearing the console login password, choose option "1. Boot with default mode" in the
BootROM menu to restart the system. Do not choose option "9. Reboot" or power off the switch.
Otherwise, the configuration will be lost.
1.11 Eth-Trunk
1.11.1 What Is Eth-Trunk?
1.11.2 What Are the Types of Eth-Trunk Load Balancing?
1.11.3 What Are the Types of Eth-Trunks?
1.11.4 How Long Is the LACP Timeout Period?
1.11.5 How Do I Check Interface Negotiation Information When the Eth-Trunk Interface Works
in LACP Mode?
1.11.6 Which Measures Can Be Taken to Fix the Eth-Trunk Unidirectional Communication
Fault?
Increasing Bandwidth
The maximum bandwidth of a link aggregation interface is the total bandwidth of member
interfaces.
Improving Reliability
When an active link fails, traffic on the link is switched to another member link, ensuring
high reliability of the link aggregation interface.
Load Balancing
In a link aggregation group, traffic is load balanced among active member links.
You can set the load balancing mode based on the network condition. When a parameter in traffic
changes frequently, you can set the load balancing mode based on this parameter to ensure that
the traffic is load balanced evenly.
For known unicast packets, the switch supports the following load balancing modes:
- dst-ip mode
  The system obtains the specified three bits from each of the destination IP address and destination TCP or UDP port number to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table according to the calculation result.
- src-ip mode
  The system obtains the specified three bits from each of the source IP address and source TCP or UDP port number to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table according to the calculation result.
- src-dst-ip mode
  The system uses the calculation results of the dst-ip and src-ip modes to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table according to the calculation result.
- dst-mac mode
  The system obtains the specified three bits from each of the destination MAC address, VLAN ID, Ethernet type, and inbound interface information to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table according to the calculation result.
- src-mac mode
  The system obtains the specified three bits from each of the source MAC address, VLAN ID, Ethernet type, and inbound interface information to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table according to the calculation result.
- src-dst-mac mode
  The system obtains the specified three bits from each of the source MAC address, destination MAC address, VLAN ID, Ethernet type, and inbound interface information to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table according to the calculation result.
- Enhanced mode
  The system uses an enhanced load balancing profile to select outbound interfaces for different packets.
NOTE
Modular switches: All cards, excluding the SA series cards, support enhanced load balancing mode.
Fixed switches:
V200R001C01: Only the S5300HI supports enhanced load balancing mode.
V200R002: Only the S5310EI and S5300HI support enhanced load balancing mode.
V200R003: Only the S5310EI and S5300HI support enhanced load balancing mode.
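The IP-based modes described above can be worked through to see why the mode should follow the parameter that varies in the traffic. The following Python model is an added example, not Huawei's implementation. It assumes that the "specified three bits" are the three low-order bits of each field, that the Eth-Trunk table has eight entries filled with the member interfaces in round-robin order, and that the interface names and flows are constructed sample values.

```python
import ipaddress
from collections import Counter

# Constructed member interfaces of one Eth-Trunk (names are sample values).
MEMBERS = ["GE1/0/1", "GE1/0/2", "GE1/0/3", "GE1/0/4"]

# Constructed flows: eight clients connecting to the same HTTPS server.
FLOWS = [
    {"src_ip": f"10.1.1.{n}", "src_port": 50000,
     "dst_ip": "192.168.10.5", "dst_port": 443}
    for n in range(1, 9)
]


def three_bits(value: int) -> int:
    """Assumption: the 'specified three bits' are the three low-order bits."""
    return value & 0b111


def ip_key(ip: str, port: int) -> int:
    """XOR of three bits of the IP address and three bits of the TCP/UDP port."""
    return three_bits(int(ipaddress.ip_address(ip))) ^ three_bits(port)


def hash_key(flow: dict, mode: str) -> int:
    """Return the 3-bit result (0..7) for the given load balancing mode."""
    src = ip_key(flow["src_ip"], flow["src_port"])
    dst = ip_key(flow["dst_ip"], flow["dst_port"])
    if mode == "src-ip":
        return src
    if mode == "dst-ip":
        return dst
    if mode == "src-dst-ip":
        return src ^ dst      # XOR of the src-ip and dst-ip results
    raise ValueError(f"mode not modelled here: {mode}")


def build_table(members, size: int = 8):
    """Assumption: an 8-entry Eth-Trunk table filled round-robin with members."""
    if not members:
        raise ValueError("an Eth-Trunk needs at least one active member")
    return [members[i % len(members)] for i in range(size)]


def select_member(flow: dict, mode: str, members) -> str:
    """Pick the outbound interface for one flow."""
    return build_table(members)[hash_key(flow, mode)]


def distribution(flows, mode: str, members) -> dict:
    """Count how many flows each member interface carries under a mode."""
    return dict(Counter(select_member(f, mode, members) for f in flows))


if __name__ == "__main__":
    for mode in ("dst-ip", "src-ip", "src-dst-ip"):
        print(mode, distribution(FLOWS, mode, MEMBERS))
```

Because every sample flow has the same destination address and port, dst-ip mode places all eight flows on one member link, whereas src-ip and src-dst-ip spread them evenly.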
By default, unknown unicast packets are load balanced based on the source and destination MAC
addresses. To configure the load balancing mode for unknown unicast packets, run the
unknown-unicast load-balance { dmac | smac | smacxordmac | enhanced } command in the
system view.
[Quidway]unknown-unicast loadbalance ?
  dmac         Destination MAC hash arithmetic
  enhanced     Enhanced hash arithmetic
  smac         arithmetic
  smacxordmac
The LACP timeout period is three times the interval for sending LACPDUs:
- When the fast keyword is specified, the LACP timeout period is 3 seconds.
- When the slow keyword is specified, the LACP timeout period is 90 seconds.
You can set different timeout periods on the two ends. To facilitate maintenance, you are advised
to set the same LACP timeout period on the two ends.
Local device information is displayed in the Local section, and the peer device information is
displayed in the Partner section (the interface name is displayed as the corresponding local
interface name). The PortState field contains the following information:
EFM: tests link connectivity continuously. When the unidirectional communication fault
occurs, the two ends of the Eth-Trunk can keep consistent status.
LACP: The two ends of the Eth-Trunk can keep consistent status by exchanging LACPDUs.
When a unidirectional communication fault occurs, LACP can detect the fault in a timely
manner and transfer the selected status to the other side, thus solving the traffic loss
problem.
NOTE
In V100R005 and later versions, DLDP can monitor the link status of optical fibers or copper twisted-pair
cables. If DLDP detects a unidirectional link, it automatically shuts down the port on the unidirectional
link or requests users to manually shut down the port, to prevent a traffic forwarding interruption.
After the switch restarts, the factory settings are restored. You can configure the switch based
on new service requirements.
NOTE
If you configure a new switch or a restarted switch without any configuration, enter Y twice according to
the command output displayed on the CLI to save the new configuration. The command output displayed
on the CLI is as follows:
<Quidway> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
flash:/vrpcfg.zip exists, overwrite?[Y/N]:y
Now saving the current configuration to the slot 0.
Save the configuration successfully.
[Slot_0]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=CX22EFGEA
BarCode=2102351820109C000451
Item=02351820
In a standalone switch:
Log in to the switch through Telnet or the console interface, and then run the display elabel
backplane command in the user view to display the electronic label information. The
BarCode field in the command output shows the chassis serial number.
<Quidway> display elabel backplane
Info: It is executing, please wait...
[BackPlane_1]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=EH02BAKK
BarCode=2102113089P0BB000881
Item=02113089
In a cluster:
Log in to the master switch through Telnet or the console interface, and then run the display
elabel backplane chassis chassis-id command (chassis-id specifies the CSS ID of a
member chassis) in the user view to display the electronic label information. The
BarCode field in the command output shows the serial number of the specified chassis.
<Quidway> display elabel backplane chassis ?
INTEGER<1-2> Chassis ID
<Quidway> display elabel backplane chassis 2
Info: It is executing, please wait...
[BackPlane_2]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=EH02BAKK
BarCode=2102113089P0BB000881
Item=02113549
NOTE
The command syntax may differ in different software versions. You can enter a question mark (?)
to obtain help information about the command and set the chassis ID according to the help
information.
[Slot_6]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=ET1D2S08SX1E
BarCode=020LVF6TBB000043
Item=03020LVF
NOTE
The command syntax may differ in different software versions. You can enter a question mark (?) to obtain
help information about the command and set the slot ID according to the help information.
<CMU1>
<PWR1-PWR4>
[Slot_21]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
DATE=13_02_08
SN=A664A0212080086V0.9A
NOTE
The command syntax may differ in different software versions. You can enter a question mark (?) to obtain
help information about the command and set the power module ID according to the help information.
<CMU1>
<PWR1-PWR4>
[Slot_18]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=LE02FCMC
BarCode=2103010JTF0123456789
Item=02120995
NOTE
The command syntax may differ in different software versions. You can enter a question mark (?) to obtain
help information about the command and set the fan module ID according to the help information.
Maximum Number of Members
Ports Supporting Stack
Stack Cable
Remarks
S5300-EI
Two ports on a stack card
- 1 m PCIe cable
Any models of the S5300-EI series can set up a stack.
Two ports on a stack card
- 1 m PCIe cable
S5300-SI
Any models of the S5300-SI series can set up a stack.
S2352P
S3328TP
S3352P
S2350 (V200R003 and later versions)
- 1 m passive SFP+ cable
NOTE
Only the third and fourth service ports counted from the right can be configured as physical member ports of a stack port.
- 10 m active SFP+ cable
- 3 m, 10 m AOC cable
- 6GE stack optical module (SFP-6GE-LR) and optical fiber
S5300-P-LI (with GE uplink ports)
- V200R001: last two SFP ports
- 1 m passive SFP+ cable
- V200R002 and later versions: last four SFP ports
- 10 m active SFP+ cable
- V200R001: A switch supports at most two logical stack ports, and each logical stack port can have only one physical member port. Each switch can use a maximum of two service ports as physical member ports.
- 3 m, 10 m AOC cables (applicable in V200R003C00 and later versions)
NOTE
S5300-10P-LI-AC, S5300-28P-LI-BAT, and S5300-28P-LI-24S-BAT cannot set up a stack.
S5300-X-LI (with 10GE uplink ports)
- 1 m passive SFP+ cable
- 3 m passive SFP+ cable
- 10 m active SFP+ cable
- 3 m, 10 m AOC cables (applicable in V200R003C00 and later versions)
- 10GE SFP+ optical module and optical fiber
A switch supports at most two logical stack ports, and each logical stack port can have at most two physical member ports. Each switch can use a maximum of four service ports as physical member ports. When two physical member ports are included in a logical stack port, either stack ports 1 and 2 or stack ports 3 and 4 can be included.
Any models of the S5300-X-LI series can set up a stack, but S5300-P-LI models cannot set up a stack with S5300-X-LI models.
S5310-EI
- 1 m passive SFP+ cable
A switch supports at most two logical stack ports, and each logical stack port can have at most four physical member ports. Each switch can use a maximum of eight service ports as physical member ports.
NOTE
Each logical stack port can have a maximum of four physical member ports. Ports on different rear cards can be added to the same logical stack port, but ports on a rear card and fixed ports on the front panel cannot be added to the same logical stack port.
- 10GE SFP+ optical module and optical fiber
- 1 m passive SFP+ cable
NOTE
After a front subcard is replaced, the stack becomes invalid and needs to be reconfigured.
- 10GE SFP+ optical module and optical fiber
S5300-HI
- 3 m passive SFP+ cable
- 10 m active SFP+ cable
- 3 m, 10 m AOC cables (applicable in V200R003C00 and later versions)
- 3 m passive SFP+ cable
- 10 m active SFP+ cable
- 3 m, 10 m AOC cable
S6300
- 1 m passive SFP+ cable
NOTE
A maximum of eight service ports can be used as physical member ports. Four ports with contiguous IDs must be configured together, and the last ID of the service ports must be a multiple of 4. For example, ports 1 to 4, or 5 to 8 can be configured as physical member ports together, but ports 2 to 5 cannot.
- 3 m passive SFP+ cable
- 10 m passive SFP+ cable
- 10 m active SFP+ cable (supported in V200R001C00 and later versions)
- 3 m, 10 m AOC cables (applicable in V200R003C00 and later versions)
- 10GE SFP+ optical module and optical fiber
S5306TPLI-AC
Stacking incapable
Table 1-10 Software and hardware requirements for CSS card clustering
Device Model
- S9306
- S9312
Software Version
License Required
No
LE0D0VSTSA00
Hot Swapping
Hardware Configuration
Copper cable:
- 3 m QSFP+ high-speed cable
- 10 m QSFP+ high-speed cable
Optical module and fiber:
40G QSFP+ optical module. The required optical fiber depends on the optical module used. When OM3 optical fibers are used, the maximum transmission distance is 100 m. When OM4 optical fibers are used, the maximum transmission distance is 150 m.
Table 1-11 Software and hardware requirements for service port clustering
Device Model
Service Card Model
- S9306
- S9306E
- S9312
- S9312E
- LE2D2X08SED4
- LE2D2X08SED5
- LE2D2X08SED5 (available in V200R003)
LE1D2L02QFC0
- LH2D2X08SED4
- LE2D2X08SED4 (available in V200R003)
- LE0DX12XSA00
- LE2D2X08SED5 (available in V200R003)
- LE0DX16SFC00
- LH2D2X12SSA0
- LE0DX40SFC00
- LE0DX12XSA00 (available in V200R003)
LH2D2L02QFC0 and LE1D2L02QFC0 (available in V200R003)
- LE0DX16SFC00
- LE0DX40SFC00
Pluggable Modules on Service Ports
Copper cable:
Copper cable:
Copper cable:
Copper cable:
- 1 m SFP+ high-speed cable
- 1 m QSFP+ high-speed cable
- 1 m SFP+ high-speed cable
- 1 m QSFP+ high-speed cable
- 3 m SFP+ high-speed cable
- 3 m QSFP+ high-speed cable
- 3 m SFP+ high-speed cable
- 3 m QSFP+ high-speed cable
- 10 m SFP+ active high-speed cable
- 5 m QSFP+ high-speed cable
- 10 m SFP+ active high-speed cable
- 5 m QSFP+ high-speed cable
NOTE
The LE0DX12XSA00 does not support the 3 m SFP+ high-speed cable.
Optical module and fiber: 40G QSFP+ optical module. The required optical fiber depends on the optical module used and the maximum transmission distance is 10 km.
NOTE
LH2D2X12SSA0 and LE0DX12XSA00 (available only in V200R003)
Optical module and fiber: 40G QSFP+ optical module. The required optical fiber depends on the optical module used and the maximum transmission distance is 10 km.
Active optical cable:
Optical module and fiber:
Active optical cable:
Not supported
10G SFP+ optical module. The required optical fiber depends on the optical module used and the maximum transmission distance is 80 km.
Not supported
Optical module and fiber: 10G SFP+ optical module. The required optical fiber depends on the optical module used and the maximum transmission distance is 80 km.
Active optical cable:
- SFP-10GA0C3M
- SFP-10GA0C10M
The LH2D2X12SSA0 and LE0DX12XSA00 do not support the 3 m SFP+ high-speed cable.
Active optical cable:
- SFP-10GA0C3M
- SFP-10GA0C10M
Constraints
- On the LE2D2X08SED4 and LE2D2X08SED5, at most four ports can be configured as CSS physical member ports. The four physical member ports must be the first four ports (numbered 0 to 3) or the last four ports (numbered 4 to 7) on the LPUs.
- On an LE0DX16SFC00 or LE0DX40SFC00, a group of four ports must be configured as CSS physical member ports together. The start port number must be 4*N and the end port number must be 4*N+3 (N = 0, 1, 2...). For example, service ports 0 to 3 or 4 to 7 can be configured as CSS physical member ports together, but service ports 2 to 5 cannot be configured together. When any service port in a group is configured as a CSS physical member port, the other three service ports in the group must also be configured as CSS physical member ports. The LE0DX40SFC00 allows a maximum of 32 member ports in a logical CSS port.
The interconnected CSS physical member ports on the two member switches must be both 40GE ports. 10GE ports derived from a 40GE port cannot be added to a logical CSS port.
- On the LH2D2X08SED4, LE2D2X08SED4 (available only in V200R003), or LE2D2X08SED5 at most four ports can be configured as CSS physical member ports. The four physical member ports must be the first four ports (numbered 0 to 3) or the last four ports (numbered 4 to 7) on the LPUs.
- On an LE0DX16SFC00 or LE0DX40SFC00, a group of four ports must be configured as CSS physical member ports together. The start port number must be 4*N and the end port number must be 4*N+3 (N = 0, 1, 2...). For example, service ports 0 to 3 or 4 to 7 can be configured as CSS physical member ports together, but service ports 2 to 5 cannot be configured together. When any service port in a group is configured as a CSS physical member port, the other three service ports in the group must also be configured as CSS physical member ports. The LE0DX40SFC00 allows a maximum of 32 ports to be added to a logical CSS port.
The interconnected CSS physical member ports on the two member switches must be both 40GE ports. 10GE ports derived from a 40GE port cannot be added to a logical CSS port.
Requirement on MPU
Software Version
License Required
Yes
Yes
Hardware Configuration
You can configure unidirectional port isolation in the following situation: Multiple hosts connect
to a device through different interfaces. One of the hosts may send a large number of broadcast
packets to other hosts, causing security risks. You can configure unidirectional port isolation to
isolate the risky host from other hosts.
As shown in Figure 1-8, PC4 may threaten network security by sending a large number of
broadcast packets to other hosts. You can configure unidirectional port isolation on GE1/0/4
connected to PC4 to block packets sent from this interface to GE1/0/5 and GE1/0/6. In this way,
broadcast packets sent from PC4 cannot reach PC5 or PC6, but broadcast packets sent from PC5
and PC6 can reach PC4.
To configure unidirectional port isolation, run the am isolate { interface-type interface-number }&<1-8> or am isolate interface-type interface-number1 [ to interface-number2 ] command in the interface view. For example, configure unidirectional isolation on GigabitEthernet1/0/1 and GigabitEthernet1/0/2:
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] am isolate gigabitethernet 1/0/2
Port isolation applies only to interfaces of the same device and cannot isolate interfaces on
different devices.
Interfaces in a port isolation group are isolated from each other, but interfaces in different
port isolation groups can communicate. If group-id is not specified, an interface is added
to port isolation group 1.
After the bpdu enable command is run on an interface, the interface sends received BPDUs
to the CPU for processing.
The local device determines whether to process BPDUs of a protocol depending on whether
the protocol is enabled. For example, whether STP BPDUs on an interface are sent to the
CPU depends on whether STP has been enabled on the interface using the stp enable
command.
After the bpdu disable command is run on an interface, the interface discards BPDUs.
NOTICE
The files deleted from the recycle bin cannot be recovered.
To delete files from the recycle bin in the specified path, run the reset recycle-bin [ filename ]
command in the user view.
Run the command-privilege level level view view-name command-key command with the
command-key parameter specified.
When performing the tracert operation, a network device sends UDP packets. The UDP
port number of the three UDP packets starts from 33434 and is incremented by 1 every
time the packets pass a hop. When one node on the path has equal-cost routes, the node
performs a hash operation based on flows. Therefore, the UDP packets are distributed to
different routes, and a maximum of three IP addresses on the equal-cost routes are shown
each time.
The following figure shows information about tracert packets sent by a network device.
The first hop has only one route, so only one next-hop 192.168.2.1 is displayed. The second
hop has two next hops (192.168.11.2 and 192.168.21.2), so the three packets are distributed
to two links.
When performing a tracert operation, a PC sends ICMP packets, which are irrelevant to
port numbers. If a network device on the path has equal-cost routes, the ICMP packets are
distributed to only one link, and only one next-hop IP address is displayed. However, if the
network device performs load balancing based on packets, the ICMP packets are distributed
to different links.
The following figure shows information about the tracert packets sent by a PC. Three
packets arrive at each hop together. For example, three packets have TTL 5.
2. In V200R001C00 and later versions, you can run the clear configuration interface
GigabitEthernet 1/0/2 command in the system view to clear all interface configurations.
However, this command will shut down the interface. To enable the interface, run the undo
shutdown command in the interface view.
In the port group view, you can configure interface attributes and interface services.
1.21 MIB
1.21.1 Which MIB Objects Correspond to CPU Usage and Entity Memory Usage?
CPU usage: hwEntityCpuUsage, OID 1.3.6.1.4.1.2011.5.25.31.1.1.1.1.5
Entity memory usage: hwEntityMemUsage, OID 1.3.6.1.4.1.2011.5.25.31.1.1.1.1.7
Disable the DSA module in the Console information channel from sending traps.
<HUAWEI> system-view
[HUAWEI] info-center source dsa channel console trap level warning state off
Disable display of logs, traps, and debugging message output for user terminals.
<HUAWEI> undo terminal monitor
NOTE
1.23 MAC
1.23.1 What Is the Purpose of the Function of ARP Update upon MAC Entry Changes?
1.23.2 Does a Switch Support MAC Address Flapping Detection?
Configuration Impact
After this command is executed, the gratuitous ARP function becomes ineffective.
Precautions
The mac-address update arp command takes effect only for dynamic ARP entries. Static ARP
entries are not updated when the corresponding MAC address entries change.
The mac-address update arp command does not take effect after ARP anti-spoofing is enabled
using the arp anti-attack entry-check enable command.
After the mac-address update arp command is run, the switch updates an ARP entry only if
the outbound interface in the corresponding MAC address entry changes.
Example
# Enable a switch to update outbound interfaces in ARP entries when outbound interfaces in
MAC address entries change.
<Quidway> system-view
[Quidway] mac-address update arp
Modular switches
In V100R002, the switch supports global MAC address flapping detection on all LPUs
except the S series. After global detection is enabled, the switch can only send traps if MAC
address flapping is detected.
In V100R002, run the mac-flapping alarm enable command to enable MAC address
flapping detection.
Compared with V100R002, V100R003 and later versions also support VLAN-based MAC
address flapping detection and actions performed when MAC address flapping is detected.
In V100R003 and later versions, the loop-detect eth-loop alarm-only command can be
run in the system or VLAN view to enable MAC address flapping detection.
By default, global MAC address flapping detection is disabled in V100R003 and enabled
in V100R006 and later versions.
Since V200R001, switches have supported global MAC address flapping detection, VLAN
whitelist, and quit-vlan action.
Fixed switches
Fixed switches (excluding S2300) of V100R003 and later versions do not support global
MAC address flapping detection. They support only VLAN-based MAC address flapping
detection and actions such as sending traps and blocking interfaces when MAC address
flapping is detected.
Run the following command in the VLAN view to enable MAC address flapping detection:
loop-detect eth-loop alarm-only
Since V200R001, switches have supported global MAC address flapping detection, VLAN
whitelist, and quit-vlan action.
Check Item | Command | Expected Result | Result Confirmation (Passed / Failed / Not involved) | Remarks
Software version | | The software version and file are the same as the target software version and file. | |
Patch version | | | |
Configuration file | <HUAWEI> compare configuration | If there is no command line difference between the two versions, the command lines before and after the upgrade are the same. If the command lines are different, find the difference and run the save command to save the current configuration. | |
System time | | The difference between the device's system time and the PC's system time is no more than 5 minutes. NOTE: Convert the device's system time to Greenwich Mean Time (GMT) for check. | |
Ethernet interface | | | |
Optical interface | | | |
Statistics on an interface | | | |
Device running status | | | |
Power module status | | | |
Fan module status | | | |
Temperature | <HUAWEI> display temperature all | Each card is in Normal state and the temperature is 5°C lower than the upper threshold. | |
CPU usage | | | |
BGP peer status | | | |
OSPF neighbor status | | The OSPF neighbors must stay in Full or 2 WAY state, and the neighbor relationship is kept for no less than one day. | |
IS-IS neighbor status | | | |
Increase in the number of OSPF error packets | | If the number of OSPF error packets is more than 500 and does not increase within 5 minutes, this item fails the check. | |
VRRP running status | | | |
CPCAR traffic statistics | | In the CPCAR traffic statistics, the count of dropped packets is 0. | |
3 Troubleshooting Guide
Troubleshooting Guide
The card registration process lasts a long time, and the RUN/ALM indicator of the card is
steady yellow.
In the display device command output, the Register field displays Unregistered.
Possible Causes
This fault is commonly caused by one of the following:
- The card is not hot swappable but it has been hot swapped, causing card damage.
Troubleshooting Procedure
Step 1 Check whether the card is properly installed. If not, reinstall the card. If the card is properly
installed, go to Step 2.
Step 2 If the card is a flexible service unit or CSS card, check whether it has been hot swapped. If so,
go to Step 7. If not, go to Step 3.
Step 3 Run the display alarm command to check alarms about all cards or specify the slot ID to check
alarms about the problematic card. If the command output contains alarms about electronic
components on the card, go to Step 7. If not, go to Step 4.
Step 4 Run the display power system command to check the power of the system and card. If the
available system power is insufficient, go to Step 7. If the available system power is sufficient,
go to Step 5.
NOTE
An LE0DG48VEA00 card can start and register only when the following conditions are met:
- A dual in-line memory module (DIMM) has been installed in the DIMM slot of the card.
- The card is installed in a PoE chassis.
- The PoE power modules are supplying power to the chassis.
Step 5 Run the display version command to check whether the model and version of the card match
the chassis. If not, replace the card with a card matching the chassis. If the card matches the
chassis, go to Step 6.
Version Mapping: For the mapping between card models, versions, and switches, see
"Version Support for Components" in the Hardware Description.
Use Constraints
Card Installation and Removal
Step 6 Check the card connector and then reinstall the card or install it in another slot to check whether
it works normally.
Remove the card from the slot and check the card connector. If the card connector is intact,
install the card in the original slot. If the card still fails to register after several attempts of
reinstallation, install it in another slot. If the problem persists, go to Step 7.
If there are idle pin holes on the card connector, use a flashlight to illuminate the card connector
and check whether any pins are bent. If some pins are bent, go to Step 7.
Step 7 Ask for technical support.
----End
Fault Description
After Cluster Switch System (CSS) configuration is completed and the two switches restart, the
display css status command is executed to display the CSS status. The CSS status field displays
-- or single (single-chassis cluster), indicating that the two switches fail to set up a cluster.
Possible Causes
This fault is commonly caused by one of the following:
Troubleshooting Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Step 1 Run the terminal monitor and terminal trapping commands in the user view to enable the
alarm function. Check whether there are any alarms on incorrect cluster cable connections. (The
alarms for LE0D0VSTSA00 CSS cards are 1.3.6.1.4.1.2011.5.25.183.3.3.2.4
hwCssConnectError and 1.3.6.1.4.1.2011.5.25.183.3.3.2.19 hwCssPhyCardConnectError.)
- If no such alarm is displayed, go to Step 2.
- If such alarms are displayed, connect cluster cables correctly according to the alarm
messages.
NOTE
If alarms on incorrect cluster cable connections are displayed, you can confirm that the CSS function
is enabled on the switches and the CSS cards are working properly. Otherwise, the CSS management
module cannot detect the cluster cable connections.
The message indicates that CSS port 2/13/3 (CSS ID/slot ID/port number) is incorrectly
connected to CSS port 1/14/2. CSS port 2/13/3 should be connected to CSS port 1/13/2.
Rectify the fault according to the following table.
Error Shown in Alarm Message | Cause | Solution
A cluster cable is connected to ports with different CSS IDs, for example, "2/13 CSS port 3 link to 1/14 port 2."
A cluster cable is connected to ports with the same CSS ID, for example, "2/13 CSS port 3 link to 2/14 port 2."
If the cluster still cannot be set up, perform either of the following operations:
- If there are other alarm messages on incorrect cluster cable connections, repeat this step until
all alarms are cleared.
- If no such alarm is displayed, go to Step 3.
Step 2 Check that the CSS function is enabled on the switches.
Run the display css status command on the switches to check whether the CSS function is
enabled.
- If the CSS Enable field in the command output displays Off, the CSS function is not enabled.
Run the css enable command to enable this function, and then restart the switch.
- If the CSS Enable field displays On, the CSS function is enabled. Go to Step 3.
Step 3 Check the status of the CSS cards.
NOTICE
To remove a CSS card, remove the MPU with the CSS card from the switch. Do not hot swap
the CSS card directly.
If the cluster cannot be set up after you enable the CSS function, set the correct CSS IDs, and
correctly connect all the cluster cables, check indicators on the CSS cards to determine the CSS
card status. Check the CSS card indicators and rectify the fault according to Table 3-1.
Table 3-1 CSS card indicators and troubleshooting methods
Indicator | Description | Troubleshooting Method
RUN/ALM
CSS ID
LINK (S9300/LE0D0VSTSA00)
NOTE
The LINK indicator only shows the link status on a CSS port and cannot determine whether
the CSS port is transmitting data.
Step 4 Collect the following information and contact Huawei technical support personnel.
- Results of the preceding troubleshooting procedure
- Configuration files, logs, and alarms of the switches
----End
Fault Description
Indicators on CSS cards of cluster member switches are in abnormal states or cluster switch
system management (CSSM) alarms are generated.
Possible Causes
This fault is commonly caused by one of the following:
Troubleshooting Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Step 2 Check indicators on CSS cards of the two switches to determine whether the CSS cards are
working normally.
NOTICE
To remove a CSS card, remove the MPU with the CSS card from the switch. Do not hot swap
the CSS card directly.
Check the CSS card indicators and rectify the fault according to Table 3-2.
Table 3-2 CSS card indicators and troubleshooting methods
Indicator | Description | Troubleshooting Method
RUN/ALM
CSS ID
NOTE
The LINK indicator only shows the
link status on a CSS port and cannot
determine whether the CSS port is
transmitting data.
Step 3 If the cluster cannot be set up after you replace the faulty cluster cable, CSS card, or MPU, see
3.1.1.2.1 Two Chassis Fail to Set Up a Cluster to rectify the fault.
Step 4 If the fault persists, collect the following information and contact Huawei technical support
personnel:
- Results of the preceding troubleshooting procedure
- Configuration files, logs, and alarms of the switches
----End
Fault Description
A switch restarts unexpectedly and displays the following information during startup (the restart
may repeat):
Press Ctrl+B to enter BOOTROM menu ... 0
Auto-booting...
Please confirm app file typeID[0x0]!
Invalid package file!
Or:
program
Exception current instruction address: 0x08080804
Machine Status Register: 0x0008b032
Condition Register: 0x20000048
Task: 0x53f9e18 "root"
Possible Causes
The software package is incorrect or missing.
Troubleshooting Procedure
Step 1 Load the software package according to the upgrade guide.
----End
3.1.2.2.1 Transmit Power of an Optical Module Is Smaller Than the Nominal Value
Fault Description
Many low transmit power traps are recorded in logs. Measured by an optical power meter, the
transmit power of the optical module is smaller than the nominal value.
The low transmit power trap is as follows:
ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.4.5 hwOpticalInvalid 136194
ENTITYTRAP/3/OPTICALINVALID: OID [oid] Optical Module is invalid.(Index=
[INTEGER], EntityPhysicalIndex=[INTEGER], PhysicalName="[OCTET]",
EntityTrapFaultID=[INTEGER])
Possible Causes
Troubleshooting Procedure
Step 1 Check optical bores of the optical module. If they are contaminated, use a cotton swab to clean
the optical bores. Use a dust-proof cap to protect unused optical modules from contamination.
Step 2 If the transmit power of the optical module is still abnormal, install the optical module on another
optical port. If the fault persists, the optical module is faulty. Replace the optical module and
send back the faulty one for repair or contact Huawei technical support personnel.
----End
Fault Description
After two electrical interfaces are connected using a network cable, they cannot go Up.
Troubleshooting Flowchart
Figure 3-1 Troubleshooting flowchart
Troubleshooting Procedure
NOTICE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to
correct the fault, you will have a record of your actions to provide Huawei technical support
personnel.
Step 1 Check whether the interfaces have been shut down or whether the cable between them is loose
or removed. If an interface is shut down, run the undo shutdown command to restore the
interface.
Step 2 Check configurations on the two interfaces and ensure that:
- The two interfaces work at the same speed and duplex mode.
- The two interfaces both work in auto-negotiation or non-auto-negotiation mode.
NOTICE
If the remote device is a non-Huawei device and its interface cannot transition to link up state
through auto-negotiation, forcibly configure the interface speed and duplex mode on the two
ends.
- The media delivery index (MDI) mode is properly set on the two interfaces. The MDI mode
determines whether an interface supports crossover cables. Three MDI modes are available:
normal, across, and auto. If the network cable type is unknown, set the MDI mode to auto
on the two interfaces. Table 3-3 and Table 3-4 describe the interface states in the three MDI
modes.
Interface A (MDI mode) | Interface B (MDI mode) | Interface A state | Interface B state
GE electrical interface (auto) | GE electrical interface (auto) | Up | Up
FE electrical interface (auto) | FE electrical interface (auto) | Up | Up
FE electrical interface (auto) | FE electrical interface (normal) | Up | Up
FE electrical interface (auto) | FE electrical interface (across) | Up | Up
FE electrical interface (across) | FE electrical interface (normal) | Up | Up
FE electrical interface (across) | FE electrical interface (across) | Down | Down
FE electrical interface (normal) | FE electrical interface (normal) | Down | Down

Interface A (MDI mode) | Interface B (MDI mode) | Interface A state | Interface B state
GE electrical interface (auto) | GE electrical interface (auto) | Up | Up
FE electrical interface (auto) | FE electrical interface (auto) | Up | Up
FE electrical interface (auto) | FE electrical interface (normal) | Up | Up
FE electrical interface (auto) | FE electrical interface (across) | Up | Up
FE electrical interface (normal) | FE electrical interface (normal) | Down | Down
FE electrical interface (across) | FE electrical interface (normal) | Up | Up
Crossover cable
FE electrical interface (across) | FE electrical interface (across) | Up | Up
NOTICE
This command will cause Up/Down state transitions on an interface.
If the interfaces can go Up but you suspect that they cannot receive or transmit packets,
run the test-packet start interface interface-type interface-number -c command on the
two interfaces to display packet statistics. Check whether the interfaces can send and
receive packets normally.
[Quidway] test-packet start interface Ethernet 0/0/1 ?
  -c    The number of packet
  -s    The packet size
  <cr>
Step 4 If the fault persists, collect the following information and contact Huawei technical support
personnel:
- Results of the preceding troubleshooting procedure
- Configuration files, logs, and alarms of the switches
- Related commands: display this interface, display logbuffer, display this
----End
Fault Description
After two optical interfaces are connected, they cannot go Up.
Troubleshooting flowchart
Figure 3-2 Troubleshooting flowchart
Troubleshooting Procedure
NOTICE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to
correct the fault, you will have a record of your actions to provide Huawei technical support
personnel.
Step 1 Check whether the interfaces have been shut down or whether the optical fiber between them is
loose or removed. If an interface is shut down, run the undo shutdown command to restore the
interface.
Step 2 Check configurations on the two interfaces and ensure that:
- The two interfaces work at the same speed.
- The two interfaces use the same negotiation mode.
Step 3 Check whether the optical modules used on the optical interfaces are Huawei-certified optical
modules. If a non-Huawei-certified optical module is used, replace it with a Huawei-certified
optical module.
Step 4 Check whether the optical fiber matches the optical modules at both ends.
- Multimode optical fibers must be used with multimode optical modules.
- Single-mode optical fibers must be used with single-mode optical modules.
NOTE
Step 5 Run the display transceiver interface interface-type interface-number verbose command with
the problematic interface specified in the system view to check whether the optical modules on
the two ends have the same wavelength.
<Quidway> display transceiver interface GigabitEthernet 0/1/1 verbose
GigabitEthernet0/1/1 transceiver information:
-------------------------------------------------------------
Common information:
  Transceiver Type               :1000_BASE_SX_SFP
  Vendor PN                      :FTLF8519P3BTL-HW
  Connector Type                 :LC
  Wavelength(nm)                 :850
  Transfer Distance(m)           :500(50um),300(62.5um)
  Digital Diagnostic Monitoring  :YES
  Vendor Name                    :FINISAR CORP.
  Ordering Name                  :
-------------------------------------------------------------
Diagnostic information:
  Temperature(°C)                :27.00
  Temp High Threshold(°C)        :90.00
  Temp Low Threshold(°C)         :-20.00
  Voltage(V)                     :3.27
  Volt High Threshold(V)         :3.70
  Volt Low Threshold(V)          :2.90
  Bias Current(mA)               :6.94
  Bias High Threshold(mA)        :24.01
  Bias Low Threshold(mA)         :1.75
  RX Power(dBM)                  :-28.54
  RX Power High Threshold(dBM)   :0.00
  RX Power Low Threshold(dBM)    :-16.99
  TX Power(dBM)                  :-4.99
  TX Power High Threshold(dBM)   :0.00
  TX Power Low Threshold(dBM)    :-9.50
-------------------------------------------------------------
Step 6 Check whether the optical modules match the optical interfaces. If not, for example, if a 1000M
optical module is installed on a 100M optical interface, replace the optical module.
Step 7 Check whether the transmit power and receive power of the optical modules are within the
allowed range. If the receive or transmit power is excessively high or low, the optical interfaces
cannot go Up. The excessively long transmission distance or low optical fiber quality may also
be the reason why interfaces cannot go Up.
Step 8 Perform a loopback test if the preceding items are normal. Connect an optical fiber to the bores
of the same optical module and check whether the optical interface can go Up.
Step 9 Replace the optical modules or fiber if the problem cannot be located.
Step 10 If the fault persists, collect the following information and contact Huawei technical support
personnel:
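The checks in Step 5 (same wavelength on both ends) and Step 7 (transmit and receive power within the allowed range) can be automated. The following Python code is an added example, not part of the original guide: it parses the display transceiver verbose output shown in Step 5 and compares each diagnostic reading with its thresholds. The function names and the remote-end sample are assumptions made for illustration.

```python
import re

# Local end: the output shown in Step 5 of the guide, typed with one field per line.
LOCAL_OUTPUT = """\
GigabitEthernet0/1/1 transceiver information:
-------------------------------------------------------------
Common information:
  Transceiver Type               :1000_BASE_SX_SFP
  Vendor PN                      :FTLF8519P3BTL-HW
  Connector Type                 :LC
  Wavelength(nm)                 :850
  Transfer Distance(m)           :500(50um),300(62.5um)
  Digital Diagnostic Monitoring  :YES
  Vendor Name                    :FINISAR CORP.
  Ordering Name                  :
-------------------------------------------------------------
Diagnostic information:
  Temperature(°C)                :27.00
  Temp High Threshold(°C)        :90.00
  Temp Low Threshold(°C)         :-20.00
  Voltage(V)                     :3.27
  Volt High Threshold(V)         :3.70
  Volt Low Threshold(V)          :2.90
  Bias Current(mA)               :6.94
  Bias High Threshold(mA)        :24.01
  Bias Low Threshold(mA)         :1.75
  RX Power(dBM)                  :-28.54
  RX Power High Threshold(dBM)   :0.00
  RX Power Low Threshold(dBM)    :-16.99
  TX Power(dBM)                  :-4.99
  TX Power High Threshold(dBM)   :0.00
  TX Power Low Threshold(dBM)    :-9.50
-------------------------------------------------------------
"""

# Remote end: constructed for this example (wavelength changed to 1310 nm), not from the guide.
REMOTE_OUTPUT = LOCAL_OUTPUT.replace(":850", ":1310")

# Measured field -> prefix used by its "High Threshold" / "Low Threshold" lines.
METRICS = {
    "Temperature": "Temp",
    "Voltage": "Volt",
    "Bias Current": "Bias",
    "RX Power": "RX Power",
    "TX Power": "TX Power",
}

FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")
UNIT_RE = re.compile(r"\s*\([^)]*\)\s*$")  # trailing unit such as "(dBM)" or "(nm)"


def parse_transceiver(text):
    """Return {field name without its unit suffix: raw string value}."""
    fields = {}
    for line in text.splitlines():
        if set(line.strip()) <= {"-"}:  # separator rows and blank lines
            continue
        match = FIELD_RE.match(line)
        if match:
            fields[UNIT_RE.sub("", match.group("key"))] = match.group("value")
    return fields


def check_diagnostics(fields):
    """Step 7: return (metric, status, value, low, high) for every monitored reading.

    status is "ok", "low", "high", or "missing" when the reading or a threshold
    is absent or not numeric (for example, a module without diagnostic monitoring).
    """
    findings = []
    for metric, prefix in METRICS.items():
        try:
            value = float(fields[metric])
            low = float(fields[prefix + " Low Threshold"])
            high = float(fields[prefix + " High Threshold"])
        except (KeyError, ValueError):
            findings.append((metric, "missing", None, None, None))
            continue
        status = "low" if value < low else "high" if value > high else "ok"
        findings.append((metric, status, value, low, high))
    return findings


def wavelengths_match(local, remote):
    """Step 5: both ends must report the same wavelength."""
    return "Wavelength" in local and local["Wavelength"] == remote.get("Wavelength")


if __name__ == "__main__":
    local = parse_transceiver(LOCAL_OUTPUT)
    remote = parse_transceiver(REMOTE_OUTPUT)
    print("Wavelengths match:", wavelengths_match(local, remote))
    for metric, status, value, low, high in check_diagnostics(local):
        print(f"{metric:<13} {status:<8} value={value} allowed=[{low}, {high}]")
```

Run against the output in Step 5, the check reports RX Power as low: the reading of -28.54 dBm is below the -16.99 dBm low threshold, the condition Step 7 describes as preventing the interface from going Up.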
Troubleshooting Flowchart
Figure 3-3 PoE troubleshooting flowchart
Troubleshooting Procedure
Step 1 Collect information about the switch and PD, and confirm the model, power, and standard
compliance (802.3af or 802.3at) of the PD.
Step 2 Check that the switch and the power modules of the switch support the PoE function.
Step 3 Check that the PD and the network cable connected to the PD work normally.
Step 4 Check whether the PD is an AP using non-isolated power supply. If so, replace the AP.
Step 5 Check whether the PoE function of the switch is normal. If not, send the switch to the Huawei
agent or Huawei for repair.
Check whether the PD is a standard PD. If it is a non-standard PD using 48 V power supply,
forcibly power on the PoE interface connected to the PD. If the non-standard PD does not use
-48 V power supply, contact Huawei Technical Assistant Center.
----End
Procedure
NOTE
Collect the following information and send the collected information as well as numbers of the interfaces
connected to PDs to Huawei technical support personnel.
Step 1 Run the display poe power-state command to check the power supply state of an interface.
<HUAWEI> display poe power-state interface gigabitethernet 0/0/3
 Port legacy detect            : disable
 Port power enabled            : enable
 Port power ON/OFF             : on
 Port power status             : Powered
 Port PD class                 : 3
 Port reference power(mW)      : 15400
 Port power priority           : Low
 Port max power(mW)            : 15400
 Port current power(mW)        : 2794
 Port peak power(mW)           : 2794
 Port average power(mW)        : 2741
 Port current(mA)              : 52.73
 Port voltage(V)               : 53.00
Step 2 Run the display poe power command to check power information on an interface.
<HUAWEI> display poe power interface gigabitethernet 0/0/3
 Port PD power(mW)             : 3710
 Port PD class                 : 2
 Port PD reference power(mW)   : 7000
 Port user set max power(mW)   : 15400
 Port PD peak power(mW)        : 3816
 Port PD average power(mW)     : 3487
Step 3 Run the display poe information command to check current PoE running information.
<HUAWEI> display poe information
PSE Information of slot 0:
 User Set Max Power(mW)        : 739200
 POE Power Supply(mW)          : 369600
 Available Total Power(mW)     : 369600
 Total Power Consumption(mW)   : 0
 Power Peak Value(mW)          : 0
 Power-Management Mode         : auto
 Power High Inrush             : disable
Step 4 Run the display poe-power command to check PoE power information.
Step 5 Run the display interface brief command to check interface states and brief information.
<HUAWEI> display interface brief
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
GigabitEthernet0/0/1        up    up       0.06%   100%          0   21217388
GigabitEthernet0/0/2        up    up        100%   100%          0          0
GigabitEthernet0/0/3        up    up          0%   100%          0          0
GigabitEthernet0/0/4        up    up        100%   100%          0          0
GigabitEthernet0/0/5        up    up         99%   100%          0          0
GigabitEthernet0/0/6        down  down        0%     0%         10          0
GigabitEthernet0/0/7        down  down        0%     0%         12          0
GigabitEthernet0/0/8        down  down        0%     0%          0          0
GigabitEthernet0/0/9        down  down        0%     0%          0          0
GigabitEthernet0/0/10       down  down        0%     0%          0          0
GigabitEthernet0/0/11       down  down        0%     0%          0          0
GigabitEthernet0/0/12       down  down        0%     0%          0          0
GigabitEthernet0/0/13       down  down        0%     0%          0          0
GigabitEthernet0/0/14       down  down        0%     0%          0          0
GigabitEthernet0/0/15       down  down        0%     0%          0          0
GigabitEthernet0/0/16       down  down        0%     0%          0          0
GigabitEthernet0/0/17       down  down        0%     0%          0          0
GigabitEthernet0/0/18       down  down        0%     0%          0          0
GigabitEthernet0/0/19       down  down        0%     0%          0          0
GigabitEthernet0/0/20       down  down        0%     0%          0          0
GigabitEthernet0/0/21       down  down        0%     0%          0          0
GigabitEthernet0/0/22       down  down        0%     0%          0          0
GigabitEthernet0/0/23       down  down        0%     0%          0          0
GigabitEthernet0/0/24       down  down        0%     0%          0          0
MEth0/0/1                   down  down        0%     0%          0          0
NULL0                       up    up(s)       0%     0%          0          0
----End
If the product name contains PWR, this product model supports the PoE function.
If the product name does not contain PWR, this product model does not support the PoE
function.
Check the name label attached on the power module. If the name label shows that the DC
output is -53.5 V, the power module is a PoE power module. If "-53.5V" is not displayed
on the name label, the power module is a non-PoE power module.
Check the appearance of the power module. All non-PoE power modules have no fans, as
shown in Figure 3-4, Figure 3-5. All PoE power modules have fans, as shown in Figure
3-6, Figure 3-7.
Figure 3-4 150 W AC power module (LS5M100PWA00)
Check the appearance of the power module. All non-PoE power modules have no fans, as
shown in Figure 3-8, Figure 3-9. All PoE power modules have fans, as shown in Figure
3-10, Figure 3-11.
The poe force-power command enables a switch to power on a PD without PD detection and classification.
Card Type | Card Name | Applicable Product Series | Version Support
Front card
LS5D00E2XX00
- S5300C-SI
V100R002 to V200R003C00
LS5D00E2XY00
- S5300-EI
LS5D00E4XY01
V100R005 to V200R003C00
LS5D00E4GF01
S5300-EI
V100R002 to V200R003C00
LS5D0E4GFA00
S5300C-SI
V100R003 to V200R003C00
LS5D00X2SA00
- S5300-HI
V100R006C00 to V200R003C00
- S5310-EI
V100R005 to V200R003C00
LS5D00X4SA00
S5300-HI
LS5D00G4SC00
Rear card
LS5D21G08S00
S5310-EI
V200R002C00 to V200R003C00
- S5300-SI
V100R003 to V200R003C00
LS5D21G08T00
ES5D00ETPC00
- S5300-EI
ES5D00ETPB00
- S5300C-SI
V100R002 to V200R003C00
- S5300-EI
LS5M100PWA00 (purple grey)
LS5M100PWD00 (purple grey)
S5328C-SI, S5352C-SI, S5328C-EI, S5328C-EI-24S, S5352C-EI
W0PSA1700
LS5M0PSD1700
W0PSA2500
W0PSA5000
15 A rectifier module
LS5W2PSA0870
RPS1800
S5300-HI
Command
Description
display ip routing-table
display fib
Troubleshooting Procedure
Step 1 Check whether MAC address flapping or ARP entry flapping occurs.
When the outbound interface of a route changes or an IP address conflict occurs on a switch,
ARP entry flapping or MAC address flapping occurs. In this case, ping packets from downstream
devices may be lost.
Run the following commands to check whether the route, ARP entry, and MAC address of the
outbound interface frequently change:
display ip routing-table
display arp
display mac-address
If ARP entry flapping or MAC address flapping occurs, a loop exists on the network. Remove
the loop by referring to 3.2.8 Layer 2 Loop Troubleshooting.
Step 2 Check whether large ping packets are dropped because of CAR exceeding.
For example, when a 9000-byte ping packet is sent and three packets are sent per second (devices
of most vendors send ping packets at a higher speed), the rate for sending packets is 216 kbps.
However, the default CIR of a modular switch is 192 kbps and that of a fixed switch is 128 kbps.
As a result, the switch discards ICMP packets because of CAR exceeding.
Use the following commands to check whether packets are dropped because of CAR exceeding.
If the value of Drop increases, packets are dropped because of CAR exceeding. Increase the
CAR value properly and perform the ping operation again. Restore the CAR value after the fault
is rectified.
- For modular switches of V100R002 and fixed switches of V100R005, run the display
cpu-defend icmp statistics all command.
- For modular switches of V100R003 and later versions and fixed switches of V100R006 and
later versions, run the display cpu-defend statistics packet-type icmp all command.
You can check the CAR value using the following commands:
- For modular switches of V100R002 and fixed switches of V100R005, run the display
cpu-defend icmp configuration all command.
- For modular switches of V100R003 and later versions and fixed switches of V100R006 and
later versions, run the display cpu-defend configuration packet-type icmp all command.
You can modify the CIR as follows:
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] car packet-type icmp cir 256
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1 global
By default, ping packet suppression is enabled for fixed switches of V100R003. When the
number of ICMP packets received by an interface per second exceeds the specified threshold,
the interface suppresses ICMP packets for 2 minutes. During this period, the interface does not
process the received ICMP packets.
Non-Huawei devices send ping packets at high rates. When such a non-Huawei device pings a
Huawei fixed switch of V100R003, packets are received normally at first and then are no longer processed.
After about 2 minutes, the ping operation succeeds. To rectify the fault, run the undo icmp rate-limit enable command on the Huawei switch.
Step 5 If the fault persists, collect information and contact Huawei technical support personnel.
----End
Troubleshooting Procedure
Step 1 Locate the device where packets are lost.
Configure traffic statistics collection on the inbound and outbound interfaces of the switch based
on the packet forwarding path. Compare the collected traffic statistics to determine whether
packets are discarded on the switch. For example, packets with source IP address 1.1.1.1 and
destination IP address 2.2.2.2 are lost. The packets are received on GE2/0/1 and sent out from
GE5/0/10 on the switch.
The configuration is as follows:
#
acl 3999
 rule permit ip source 1.1.1.1 0 destination 2.2.2.2 0
#
traffic classifier test
 if-match acl 3999
#
traffic behavior test
 statistic enable
#
traffic policy test
 classifier test behavior test
#
interface GigabitEthernet 2/0/1
 traffic-policy test inbound
#
interface GigabitEthernet 5/0/10
 traffic-policy test outbound
Check the collected statistics. If the number of inbound packets is equal to the number of
outbound packets, packet loss does not occur on the switch. If the number of inbound packets
is greater than the number of outbound packets, packet loss occurs on the switch.
View traffic statistics using the following commands:
display traffic policy statistics interface GigabitEthernet 2/0/1 inbound
display traffic policy statistics interface GigabitEthernet 5/0/10 outbound
You can delete traffic statistics using the following commands:
reset traffic policy statistics interface GigabitEthernet 2/0/1 inbound
reset traffic policy statistics interface GigabitEthernet 5/0/10 outbound
NOTE
For non-IP packets, collect traffic statistics based on the source MAC address, destination MAC address,
or VLAN. Compare the traffic statistics to check whether packets are forwarded through the switch.
Version: V100R002
Trap Information:
Global detection: L2IF/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value . (BaseTrapSeverity=0, BaseTrapProbableCause=0, BaseTrapEventType=4, L2IfPort=549,entPhysicalIndex=1, MacAdd=0000-0000-002b,vlanid=1001, FormerIfDescName=Ethernet3/0/2,CurrentIfDescName=Ethernet3/0/3,DeviceName=S9306-169)
VLAN-based detection: Not supported.

Version: V100R003
Trap Information:
Global detection: L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value . (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAdd=00e0-fc00-4447,vlanid=1001, FormerIfDescName=GigabitEthernet6/0/6,CurrentIfDescName=GigabitEthernet6/0/7,DeviceName=9306-222.159)
VLAN-based detection: L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exist in vlan 1001, for mac-flapping.

Version: V100R006
Trap Information:
Global detection: L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value. (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAdd=0025-9e6e-1c55,vlanid=1001, FormerIfDescName=GigabitEthernet2/1/23,CurrentIfDescName=GigabitEthernet2/1/22,DeviceName=9303-222.157)
VLAN-based detection: L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in vlan 1001, for flapping mac-address 0025-9e6e-1c55 between port GE2/1/23 and port GE2/1/22.

Version: V200R001, V200R002, and V200R003
Trap Information:
loop-detect eth-loop: L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value. (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAdd=0000-0000-0050,vlanid=10,FormerIfDescName=GigabitEthernet6/0/0,CurrentIfDescName=GigabitEthernet6/0/23,DeviceName=S9312_106)
MAC address flapping detection: L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 10, MacAddress = 0000-0000-0050, Original-Port = GE6/0/0, Flapping port = GE6/0/23. Please check the network accessed to flapping port.
• Fixed switches
Fixed switches (excluding the S2300 series) of V100R003 and later do not support global
MAC address flapping detection. They support only VLAN-based MAC address flapping
detection and actions such as sending traps and blocking interfaces when MAC address
flapping is detected.
Run the following command in the VLAN view to enable MAC address flapping detection:
loop-detect eth-loop alarm-only
Starting from V200R001, switches support global MAC address flapping detection, VLAN
whitelist, and quit-vlan action.
Table 3-9 describes MAC address flapping detection traps in different versions.
Table 3-9 MAC address flapping detection traps on fixed switches of different versions
Version: V100R003, V100R005
Trap Information: L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in vlan 1001, for flapping mac-address 0000-0000-002b between port GE0/0/24 and port GE0/0/23.

Version: V100R006
Trap Information: L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in vlan 1001, for flapping mac-address 0000-0000-002b between port GE0/0/24 and port GE0/0/23.

Version: V200R001, V200R002, and V200R003
Trap Information: L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 1001, flapping mac-address 0000-0000-002b between port GE0/0/24 and port GE0/0/23. Please check the network accessed to flapping port.
If MAC address flapping is detected, a loop exists on the network. Remove the loop by referring
to 3.2.8 Layer 2 Loop Troubleshooting.
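The trap formats listed above differ by version, so a log collector has to normalize them before it can group flapping events by VLAN and port pair. The following parser is an added example, not Huawei code; the sample lines are the trap texts from the tables in this section with line wraps joined, and the function names are hypothetical.

```python
import re
from collections import defaultdict

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
PORT = r"[A-Za-z-]+\d+(?:/\d+)*"

TRAP_ID = re.compile(r"(L2IF(?:PPI)?)/4/(MAC_FLAPPING_ALARM|MFLPVLANALARM)")
VLAN_RE = re.compile(r"(?:vlanid\s*=\s*|in vlan\s+)(\d+)", re.I)
MAC_RE = re.compile(r"(?:MacAdd\s*=\s*|MacAddress\s*=\s*|mac-address\s+)(" + MAC + ")", re.I)
# The three ways the traps in this section name the two ports involved.
PORT_RES = [
    re.compile(r"FormerIfDescName=(" + PORT + r"),\s*CurrentIfDescName=(" + PORT + ")"),
    re.compile(r"between port (" + PORT + r") and port (" + PORT + ")"),
    re.compile(r"Original-Port = (" + PORT + r"), Flapping port = (" + PORT + ")"),
]

# Trap texts taken from the tables in this section (line wraps joined).
SAMPLE_TRAPS = [
    "L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has "
    "flap value. (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, "
    "BaseTrapEventType=1, MacAdd=0025-9e6e-1c55,vlanid=1001, "
    "FormerIfDescName=GigabitEthernet2/1/23,CurrentIfDescName=GigabitEthernet2/1/22,"
    "DeviceName=9303-222.157)",
    "L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in vlan 1001, for "
    "flapping mac-address 0025-9e6e-1c55 between port GE2/1/23 and port GE2/1/22.",
    "L2IFPPI/4/MFLPVLANALARM:OID1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 10, "
    "MacAddress = 0000-0000-0050, Original-Port = GE6/0/0, Flapping port = GE6/0/23. "
    "Please check the network accessed to flapping port.",
    "L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exist in vlan 1001, "
    "for mac-flapping.",
    "L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, "
    "VlanId = 1001, flapping mac-address 0000-0000-002b between port GE0/0/24 and port "
    "GE0/0/23. Please check the network accessed to flapping port.",
]


def normalize_port(name):
    """Expand the GE abbreviation so both spellings of a port compare equal."""
    m = re.fullmatch(r"GE(\d.*)", name)
    return "GigabitEthernet" + m.group(1) if m else name


def parse_trap(line):
    """Return trap name, VLAN, MAC and port pair, or None if not a flapping trap."""
    ident = TRAP_ID.search(line)
    if not ident:
        return None
    vlan = VLAN_RE.search(line)
    mac = MAC_RE.search(line)
    ports = None
    for rx in PORT_RES:
        m = rx.search(line)
        if m:
            ports = tuple(normalize_port(p) for p in m.groups())
            break
    return {
        "trap": ident.group(2),
        "vlan": int(vlan.group(1)) if vlan else None,
        "mac": mac.group(1).lower() if mac else None,  # older VLAN traps carry no MAC
        "ports": ports,
    }


def flapping_summary(lines):
    """Group traps by VLAN: trap count, MACs seen, and unordered port pairs."""
    by_vlan = defaultdict(lambda: {"traps": 0, "macs": set(), "port_pairs": set()})
    for line in lines:
        ev = parse_trap(line)
        if ev is None or ev["vlan"] is None:
            continue
        entry = by_vlan[ev["vlan"]]
        entry["traps"] += 1
        if ev["mac"]:
            entry["macs"].add(ev["mac"])
        if ev["ports"]:
            entry["port_pairs"].add(frozenset(ev["ports"]))
    return dict(by_vlan)


if __name__ == "__main__":
    for vlan, info in sorted(flapping_summary(SAMPLE_TRAPS).items()):
        pairs = [" <-> ".join(sorted(p)) for p in info["port_pairs"]]
        print(f"VLAN {vlan}: {info['traps']} traps, MACs {sorted(info['macs'])}, ports {sorted(pairs)}")
```

The port pairs reported for a VLAN are the interfaces to inspect first when following 3.2.8 Layer 2 Loop Troubleshooting.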
Step 5 Check whether congestion occurs.
View traffic statistics. If the number of discarded outbound packets increases, congestion occurs.
The following provides a command output example:
[Switch] display interface gigabitEthernet 0/0/2
GigabitEthernet0/0/2 current state : UP
Line protocol current state : UP
Description:mav-3550-12G_0_4
Switch Port, PVID :    1, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is e024-7f03-5730
Port Mode: COMMON FIBER
Speed : 1000,  Loopback: NONE
Duplex: FULL,  Negotiation: ENABLE
Mdi   : NORMAL
Last 300 seconds input rate 46795760 bits/sec, 10279 packets/sec
Last 300 seconds output rate 82925816 bits/sec, 12317 packets/sec
Input peak rate 330618568 bits/sec, Record time: 2012-05-28 15:54:32
Output peak rate 256751464 bits/sec, Record time: 2012-05-29 07:34:24
Input: 1364418188 packets, 590098536948 bytes
  Unicast:        1348575035,  Multicast:              5742574
  Broadcast:         6573364,  Jumbo:                  3527215
  Discard:                 0,  Total Error:                  0
  CRC:                     0,  Giants:                       0
  Jabbers:                 0,  Fragments:                    0
  Runts:                   0,  DropEvents:                   0
  Alignments:              0,  Symbols:                      0
  Ignoreds:                0,  Frames:                       0
Output: 1775192399 packets, 1431792826655 bytes
  Unicast:        1764324430,  Multicast:              3364531
  Broadcast:         5453339,  Jumbo:                  2050099
  Discard:            819924,  Total Error:                  0
  Collisions:              0,  ExcessiveCollisions:          0
  Late Collisions:         0,  Deferreds:
  Buffers Purged:          0
If congestion occurs, run the qos burst-mode enhanced command to enable enhanced burst
traffic buffering on the interface. If the fault persists or the device does not support the qos burst-mode command, expand the capabilities of the device.
Step 6 Mirroring
If a small amount of traffic is transmitted on the interface, configure port mirroring according
to Table 3-10.
If a large amount of traffic is transmitted on the interface, configure traffic mirroring according
to Table 3-11.
Table 3-10 Procedure for configuring port mirroring
Step: Configure an observing port.
Command: Run the observe-port port-number interface interface-type interface-number command to configure an observing port.
Step: Configure port mirroring.

Step: Configure an observing port.
Step: Configure an ACL to define the traffic to be mirrored.
Step: Configure a traffic behavior.
Step: Configure a traffic policy.
You can analyze the mirrored packets to check the sent and received packets and check the
VLAN ID, destination MAC address, checksum of the IP header, and ICMP checksum of the
packets.
Step 7 If the fault persists, collect information and contact Huawei technical support personnel.
----End
1. Whether traffic arrives at the inbound interface of the switch and whether packets are lost
on the upstream device
2. Whether traffic is forwarded to the outbound interface of the switch. If all traffic is
transmitted to the outbound interface, no packet is lost.
3. Whether the Layer 2 and Layer 3 information of traffic on the inbound interface of the
switch is correct. If the information is correct, the upstream device has correctly
encapsulated and forwarded packets.
4. Whether the Layer 2 and Layer 3 information of traffic on the outbound interface of the
switch is correct. If the information is correct, the switch has correctly encapsulated and
forwarded packets.
5. Whether traffic is unstable because of MAC address flapping, route change, or IP address
conflict.
The switch can collect statistics on incoming and outgoing traffic globally or based on interfaces.
The switch uses the traffic policy function to collect traffic statistics. When a traffic policy is
applied to an interface, the switch collects statistics about only incoming or outgoing traffic on
this interface; when a traffic policy is applied globally, the switch collects statistics about
incoming or outgoing traffic on all interfaces.
NOTE
The traffic policy configured in an interface view takes precedence over that configured in the system view.
When traffic matches the traffic policy on an interface, the traffic cannot match the global traffic policy.
Therefore, traffic statistics are not displayed.
When you set the relationship between rules in a traffic policy to and, you can add information such as if-match vlan-id to each rule in the specified ACL. In this way, you can check whether Layer 2 information
about an IP address is correct and whether packets are correctly encapsulated on the upstream device and
local device.
Step 3 If traffic is not forwarded through the expected interface, the reason may not be packet loss. You
should check whether traffic flapping occurs. When traffic flapping occurs, traffic is forwarded
through an unexpected interface.
Traffic flapping may be caused by MAC address flapping, route changes, or IP address conflicts.
The specified inbound and outbound interfaces are bound to a traffic policy, and the traffic policy
is globally applied to both inbound and outbound directions. The traffic policy configured in the
interface view takes precedence over that configured in the system view, so the global traffic
statistics should not be obtained. If the global traffic statistics are obtained, traffic flapping occurs.
Step 4 If the fault persists, collect information and contact Huawei technical support personnel.
The collected information includes:
• Symptom
• Networking diagram, including interface numbers
• Procedure:
1.
2. Which operations have been performed after the fault occurs and information that has
been collected
----End
Figure 3-14 shows an example of Eth-Trunk. Two switches are connected through three
interfaces. The three interfaces are bundled into an Eth-Trunk to increase bandwidth and improve
reliability.
Figure 3-14 Eth-Trunk networking
The manual load balancing mode is a basic link aggregation mode. In manual load balancing
mode, you must create an Eth-Trunk, add interfaces to the Eth-Trunk, and specify active
interfaces. LACP is not required in this mode.
All active member interfaces forward data and load balance traffic. Traffic is evenly distributed
to the member interfaces. If an active link fails, the remaining active links share the traffic evenly.
• LACP mode
In LACP mode, you must create an Eth-Trunk and add interfaces to the Eth-Trunk. Unlike the
manual load balancing mode, the LACP mode selects active interfaces by sending LACP data
units (LACPDUs). When a group of interfaces is added to an Eth-Trunk, the devices at both
ends exchange LACPDUs to determine active and inactive interfaces.
The LACP mode is called M:N mode, which implements both load balancing and link backup.
M active links in the link aggregation group (LAG) are responsible for data forwarding and load
balancing, whereas the other N inactive links are backup ones and do not forward data. If one
of the M links is faulty, the link with the highest priority among the N links replaces the faulty
link. This link enters the active state and starts to forward data.
Command
Description
display eth-trunk
display load-balance-profile
display e-trunk
Run the display eth-trunk command to check the working mode of an Eth-Trunk. If
WorkingMode is NORMAL, the Eth-Trunk works in manual load balancing mode.
<Quidway> display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL
Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 3 Max Bandwidth-affected-linknumber: 8
Operate status: down
Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
PortName                      Status      Weight
GigabitEthernet1/0/0          Up          1
GigabitEthernet1/0/1          Down        1
Troubleshooting Procedure
Step 1 Check whether Eth-Trunk member interfaces are Up.
The physical status of Eth-Trunk member interfaces must be Up so that the Eth-Trunk can work
properly.
Run the display eth-trunk command to check information about Eth-Trunk member interfaces.
If the Eth-Trunk member interface status is Down, run the display interface command to check
the physical status of the member interfaces. If the physical status of the member interfaces is
Down, check their link status. For details, see 3.1.2.3 Interface Troubleshooting.
Step 2 Check the configuration of the Eth-Trunk.
Run the display eth-trunk command to check whether the lower threshold for the number of
active interfaces in the Eth-Trunk is configured. If the number of Eth-Trunk member interfaces
in Up state is less than the lower threshold, the Eth-Trunk goes Down.
<Quidway> display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL
Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 3 Max Bandwidth-affected-linknumber: 8
Operate status: down
Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
PortName                      Status      Weight
GigabitEthernet1/0/0          Up          1
GigabitEthernet1/0/1          Down        1
The default lower threshold for the number of active interfaces in an Eth-Trunk is 1. You can
run the least active-linknumber link-number command to configure the lower threshold. The
default upper threshold for the number of active interfaces in an Eth-Trunk is 8. You can run
the max active-linknumber link-number command to configure the upper threshold.
Step 3 If the fault persists, collect information and contact Huawei technical support personnel.
----End
Check the working mode of an Eth-Trunk using either of the following methods:
Method 1: Check the WorkingMode field in the display eth-trunk command output.
• In V100R006C03, V100R006C05, and V200R001, if WorkingMode is STATIC, the Eth-Trunk works in LACP mode.
In V200R002 and V200R003, if mode lacp is configured, the Eth-Trunk works in LACP
mode.
Troubleshooting Procedure
Step 1 Check whether Eth-Trunk member interfaces are Up.
The physical status of Eth-Trunk member interfaces must be Up so that the Eth-Trunk can work
properly.
Run the display eth-trunk command to check information about Eth-Trunk member interfaces.
If the Eth-Trunk member interface status is Down, run the display interface command to check
the physical status of the member interfaces. If the physical status of the member interfaces is
Down, check their link status. For details, see 3.1.2.3 Interface Troubleshooting.
Step 2 Check the configuration of the Eth-Trunk.
Check whether the configuration on two ends of the Eth-Trunk is consistent. Both ends must
work in LACP mode because the two devices need to perform LACPDU negotiation. It is
recommended that other settings on the two ends of the Eth-Trunk be consistent.
Run the display eth-trunk command to check whether the lower and upper thresholds for the
number of active interfaces in the Eth-Trunk are configured. If the number of Eth-Trunk member
interfaces in Up state is less than the lower threshold, the Eth-Trunk goes Down.
<Quidway> display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: Disabled
Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768
System ID: 4cb1-6c3b-aaf5
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: down
Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1   Unselect 1GE      32768   1      1329    10100010  1
GigabitEthernet1/0/2   Unselect 1GE      32768   2      1329    10100010  1
Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet1/0/1   0        0000-0000-0000  0       0      0       10100011
GigabitEthernet1/0/2   0        0000-0000-0000  0       0      0       10100011
The default lower threshold for the number of active interfaces in an Eth-Trunk is 1. You can
run the least active-linknumber link-number command to configure the lower threshold. The
default upper threshold for the number of active interfaces in an Eth-Trunk is 8. You can run
the max active-linknumber link-number command to configure the upper threshold.
If the least active-linknumber command has been configured before you run the max active-linknumber link-number command, ensure that the upper threshold for the number of active
interfaces is larger than or equal to the lower threshold for the number of active interfaces.
Step 3 Check whether Eth-Trunk member interfaces normally send and receive LACPDUs.
Run the display lacp statistics eth-trunk command to check statistics about LACPDUs sent
and received by Eth-Trunk member interfaces.
<Quidway> display lacp statistics eth-trunk 1
Eth-Trunk1's PDU statistic is:
------------------------------------------------------------------------------
Port                    LacpRevPdu  LacpSentPdu  MarkerRevPdu  MarkerSentPdu
GigabitEthernet1/0/1    100         100          0             0
The increase in the number of LACPDUs is relevant to the packet timeout interval configured
on the Eth-Trunk.
[Quidway-Eth-Trunk1] lacp timeout slow/fast
In fast mode, the remote end sends LACPDUs at an interval of 1 second. In slow mode, the
remote end sends LACPDUs at an interval of 30 seconds. The fast mode ensures quicker response
but consumes more system resources than the slow mode. The timeout intervals configured at
the two ends can be different. You are advised to set the same LACPDU timeout interval on
both ends to facilitate maintenance.
If the increase in the number of received LACPDUs is incorrect, check whether the remote end
does not send LACPDUs or the local end discards the received LACPDUs. If the number of
LACPDUs received on the local end is incorrect, locate the reason why the local interface does
not receive LACPDUs.
For the S2300, S3300SI, S3300EI, S5300EI, and S5300SI, if the remote end sends LACPDUs
but the local end does not receive the LACPDUs, check whether bpdu enable is configured on
the Eth-Trunk.
Step 4 If the fault persists, collect information and contact Huawei technical support personnel.
----End
Troubleshooting Procedure
Step 1 Check the packet type (known or unknown unicast packets).
The forwarding processes and the default hash algorithms are different for known and unknown
unicast packets.
Step 2 Check the hash algorithm of the Eth-Trunk.
• For known unicast packets, run the display eth-trunk command to check the hash mode in
the Hash arithmetic field. Alternatively, you can check the Eth-Trunk configuration to
confirm the hash mode.
<Quidway> display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: Disabled
Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768
System ID: 4cb1-6c3b-aaf5
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: down
Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1   Unselect 1GE      32768   1      1329    10100010  1
GigabitEthernet1/0/2   Unselect 1GE      32768   2      1329    10100010  1
Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet1/0/1   0        0000-0000-0000  0       0      0       10100011
GigabitEthernet1/0/2   0        0000-0000-0000  0       0      0       10100011
V100R006C03/V100R006C05: src-dst-mac
V200R001: src-dst-mac for the S5300SI and S5300EI, and src-dst-ip for other models
V200R002/V200R003: src-dst-mac for the S5300SI and S5300EI, and src-dst-ip for other models
• For broadcast and multicast packets, run the unknown-unicast load-balance { dmac |
smac | smacxordmac | enhanced } command in the system view to configure a load
balancing mode.
NOTE
Modular switches: V200R001, V200R002, and V200R003 all support this command.
Fixed switches:
V100R006C03: Only the S2352EI and S3300 support this command, but do not support the
enhanced parameter.
V100R006C05: Only the S2352P-EI and S3300 support this command, but do not support the
enhanced parameter.
V200R001: Only the S5300EI and S5300HI support this command.
V200R002: Only the S5310EI, S5300EI, and S5300HI support this command, and only the S5310EI
and S5300HI support the enhanced parameter.
V200R003: Only the S5310EI, S5300EI, and S5300HI support this command, and only the S5310EI
and S5300HI support the enhanced parameter.
• If load balancing using an enhanced load balancing profile is configured, run the display
load-balance-profile command to check the hash mode of each type of packets. There is
only one global enhanced load balancing profile. This profile takes effect on both known and
unknown unicast packets, and uses different fields for calculation based on the packet type.
NOTE
Modular switches: All cards except the SA series cards support load balancing using an enhanced load
balancing profile.
Fixed switches:
V200R001C01: Only the S5300HI supports load balancing using an enhanced load balancing profile.
V200R002: Only the S5310EI and S5300HI support load balancing using an enhanced load balancing
profile.
V200R003: Only the S5310EI and S5300HI support load balancing using an enhanced load balancing
profile.
[Quidway-load-balance-profile-a] display load-balance-profile a
Load-balance-profile: a
Packet     HashField
----------------------------------------------------------------
IPV4       sip dip
IPV6       sip dip
L2         smac dmac
MPLS       top-label 2nd-label
Step 3 Check whether characteristics of forwarded packets match the configured hash mode.
Check whether the characteristics of packets forwarded on an Eth-Trunk match the configured
hash mode. If the characteristics of packets forwarded on an Eth-Trunk do not match the
configured hash mode, for example, MAC addresses of forwarded packets are changed but the
hash mode is src-ip, traffic cannot be evenly load balanced.
In each hash mode, the system performs the hash calculation based on specified bits in fields.
If the changed bits in the source IP address or MAC address field are used in the hash calculation,
traffic cannot be evenly load balanced even if the characteristics of the forwarded packets match
the hash mode. In this case, use an enhanced load balancing profile. In addition, an enhanced
load balancing profile needs to be used for transmission of some special packets such as MPLS
packets.
Step 4 Check the number of selected Eth-Trunk member interfaces.
• Assume that the number of Eth-Trunk member interfaces is X. If known or unknown unicast
packets are forwarded and the common load balancing mode is used, traffic is evenly load
balanced when traffic of different characteristics is even, X is a power of 2,
and the number of packet changes is an integer multiple of X.
• If load balancing using an enhanced load balancing profile is configured, the port number is
also used in the hash algorithm to achieve even load balancing.
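Steps 3 and 4 can be checked offline with a toy model before touching the device. The following is an added illustration, not the switch's real hash: it assumes the selected fields are XORed, reduced to a 3-bit key (8 buckets, matching the 8-link upper threshold), and mapped to a member by modulo. The flows are constructed sample data and all function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Assumption of this model: the hash result has 3 bits, i.e. 8 buckets.
HASH_BUCKETS = 8


def mac_to_int(mac):
    """Convert a MAC in xxxx-xxxx-xxxx notation to an integer."""
    return int(mac.replace("-", ""), 16)


def hash_key(flow, mode):
    """Reduce the fields selected by the hash mode to a bucket number."""
    if mode == "src-ip":
        value = int(ipaddress.ip_address(flow["sip"]))
    elif mode == "src-dst-ip":
        value = int(ipaddress.ip_address(flow["sip"])) ^ int(ipaddress.ip_address(flow["dip"]))
    elif mode == "src-dst-mac":
        value = mac_to_int(flow["smac"]) ^ mac_to_int(flow["dmac"])
    else:
        raise ValueError(f"unsupported hash mode: {mode}")
    return value % HASH_BUCKETS


def member_for(flow, mode, members):
    """Pick the Eth-Trunk member index (0-based) that carries this flow."""
    return hash_key(flow, mode) % members


def distribution(flows, mode, members):
    """Number of flows carried by each member interface."""
    counts = Counter(member_for(f, mode, members) for f in flows)
    return [counts.get(i, 0) for i in range(members)]


def make_ip_flows(n=256):
    """Constructed flows: only the source IP address changes."""
    return [
        {"sip": f"10.1.1.{i}", "dip": "2.2.2.2",
         "smac": "0000-0000-002b", "dmac": "0000-0000-0050"}
        for i in range(n)
    ]


def make_mac_flows(n=256):
    """Constructed flows: only the source MAC address changes."""
    flows = []
    for i in range(n):
        h = f"{i:012x}"
        flows.append({"sip": "1.1.1.1", "dip": "2.2.2.2",
                      "smac": f"{h[:4]}-{h[4:8]}-{h[8:]}", "dmac": "0000-0000-0050"})
    return flows


if __name__ == "__main__":
    ip_flows, mac_flows = make_ip_flows(), make_mac_flows()
    # Step 3: MAC addresses change but the hash mode is src-ip.
    print("MAC-varying flows, src-ip, 4 links:     ", distribution(mac_flows, "src-ip", 4))
    print("MAC-varying flows, src-dst-mac, 4 links:", distribution(mac_flows, "src-dst-mac", 4))
    # Step 4: even traffic, member count a power of 2 versus not.
    print("IP-varying flows, src-dst-ip, 4 links:  ", distribution(ip_flows, "src-dst-ip", 4))
    print("IP-varying flows, src-dst-ip, 3 links:  ", distribution(ip_flows, "src-dst-ip", 3))
```

In this model, three members split eight buckets as 3, 3, and 2, which is why even traffic still lands unevenly when the member count is not a power of 2.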
Step 5 If the fault persists, collect information and contact Huawei technical support personnel.
----End
The ICMP Echo Request packet is transmitted to the IP layer along the protocol stack.
Then the IP header (including the source and destination IP addresses) is encapsulated
into the ICMP Echo Request packet.
During encapsulation, the IP layer determines that the source and destination IP
addresses are located on different network segments according to the IP addresses and
masks in the ICMP packet.
b. The ICMP Echo Request packet is then transmitted to the link layer. The ICMP Echo
Request packet cannot be encapsulated with the Ethernet frame header because the
destination MAC address is unknown.
c. PC 1 searches for the next hop in the FIB table because the source and destination IP
addresses are located on different network segments.
(1) If the next hop is not found, the IP or MAC address of the next hop cannot be
obtained. Therefore, the ICMP Echo Request packet cannot be encapsulated with the
Ethernet frame header. The ping operation fails.
(2) If the next hop is found, the IP address of the next hop is obtained. However, the
MAC address of the next hop is unknown. PC 1 sends an ARP request packet to request
the MAC address of the next hop.
2. After the next-hop port a (10.1.1.2/24) of the switch receives the ARP request packet, it
finds that the destination of the ARP request packet is itself. Then port a responds with a
unicast ARP reply packet that contains the MAC address mapping 10.1.1.2/24 to PC 1.
3. When receiving the ARP reply packet, PC 1 obtains the MAC address of the next hop. Then
PC 1 encapsulates the ICMP Echo Request packet into an Ethernet frame and sends the
Ethernet frame to the switch.
When sending the ARP request packet to the switch, PC 1 has filled the mapping between
its own IP address and MAC address into the packet. The switch fills the address mapping
of PC 1 into the local ARP cache. This improves efficiency of subsequent communication
between the switch and PC 1 and reduces communication data.
4. After receiving the ICMP Echo Request packet, the switch removes the Ethernet frame
header, and sends the packet to the IP layer. The IP layer finds that the destination
(11.1.1.2/24) is not itself, so it searches the routing table and re-encapsulates the packet.
The switch does not know the destination MAC address (MAC address matching
11.1.1.2/24), so the switch sends a broadcast ARP request packet.
5. PC 2 receives the ARP request packet and finds that the destination of the packet is itself,
so PC 2 returns a unicast ARP reply packet that contains the MAC address matching
11.1.1.2/24.
In addition, PC 2 records the mapping between the IP address and MAC address of switch's
port b into the local ARP cache.
6. The switch obtains the MAC address of PC 2 from the ARP reply packet, encapsulates an
Ethernet frame header into the packet, and sends the packet to PC 2.
7. After receiving the ARP reply packet, PC 2 removes the Ethernet frame header. PC 2 finds
that the packet is an ICMP Echo Request packet, so PC 2 sends an ICMP reply packet to
PC 1. In this ICMP reply packet, the source IP address is PC 2's IP address (11.1.1.2/24)
and the destination IP address is PC 1's IP address (10.1.1.1/24).
Since the source and destination IP addresses are located on different network segments,
PC 2 searches the FIB table for the next hop. The next hop is switch's port b (11.1.1.1/24).
As mentioned in preceding steps, PC 2 has recorded the address mapping of switch's port
b in the ARP cache, so PC 2 does not need to send an ARP request packet to the switch.
Instead, PC 2 obtains the MAC address matching 11.1.1.1/24 from its local ARP cache,
encapsulates the MAC address into the ICMP reply packet, and sends the packet to the
switch.
Similarly, the switch does not need to send an ARP request packet to PC 1. It obtains the
MAC address of PC 1 from its local ARP cache, and forwards the ICMP reply packet to
PC 1.
8. After receiving the ICMP reply packet, PC 1 removes the Ethernet frame header and IP
header to obtain the ICMP reply packet. The ping operation is successful.
Troubleshooting Procedure
Step 1 Check the configurations.
Check that the interface, VLAN, VLANIF interface, and IP address configurations on the switch
are correct.
Check that the interfaces at both ends are the same type, both ends use the same VLAN
encapsulation, and IP addresses configured for the VLANIF interfaces are valid.
Step 2 Check the link.
Check the physical link between the two devices and rectify problems (if any) to ensure that the
physical link can work normally.
1. Ensure that interfaces are correctly connected using an optical fiber or network cable
according to the network deployment plan.
2. The wavelengths of optical modules used at both ends are consistent. It is recommended
that Huawei-certified optical modules be used.
3. If the two devices are connected through an Eth-Trunk, ensure that the devices have the
same number of physical Eth-Trunk member interfaces. If Link Aggregation Control
Protocol (LACP) is enabled for the Eth-Trunk, ensure that LACP is stable.
4. Check whether there is any transmission device between the two devices and whether
interfaces at both devices are in Up state.
5. Check whether cyclic redundancy check (CRC) errors occur on the physical interfaces
along the transmission path of ping packets, and whether the number of CRC errors
increases continuously.
Check whether the physical interfaces are blocked. Check whether the devices run any Layer 2
protocol such as Spanning Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), and
SmartLink, and determine whether the physical interfaces used to forward ping packets are
blocked by the protocol.
Table 3-14 describes the configuration commands.
Table 3-14 Commands used to check for blocked interfaces
Command
Function
Check whether strict ARP learning is enabled on the switch. If yes, disable strict ARP
learning and check whether the switch can learn the ARP entry properly.
2.
3. When the ping -c command is executed, the local device continuously sends ARP
Request packets. Collect traffic statistics and check whether the local interface sends
ARP Request packets.
4. Collect traffic statistics and check whether the peer interface receives the ARP Request
packets. If the peer interface receives the ARP Request packets, check whether it
generates the matching ARP entry and returns ARP Reply packets. If the peer interface
receives ARP Request packets but does not generate the ARP entry, contact Huawei
technical support personnel.
5. Collect traffic statistics and check whether the peer interface returns ARP Reply packets.
If the peer interface does not return ARP Reply packets, contact Huawei technical
support personnel.
6. Check whether the local interface receives ARP Reply packets. If the local interface
receives ARP Reply packets but does not forward them to the CPU, contact Huawei
technical support personnel.
Table 3-15 describes the procedure for collecting statistics about ARP Request and Reply
packets.
NOTE
The interface number, VLAN ID, and MAC address in the following steps are used only as examples. Change them according to the actual situation.
Table 3-15 Procedure for collecting ARP Request and Reply packets
Step    Command
Enter the system view.
Configure a traffic classifier.
Configure a traffic behavior.
Configure a traffic policy.
Apply the traffic policy to the interface where traffic statistics need to be collected.
Run the display icmp statistics command to view statistics about ICMP packets. Check whether the numbers of sent and received ICMP Echo and Echo Reply packets are consistent and whether checksum errors exist. You can run the reset ip statistics command to delete traffic statistics.
<HUAWEI> display icmp statistics
  Input: bad formats      0      bad checksum              0
         echo             521    destination unreachable   0
         source quench    0      redirects                 0
         echo reply       19     parameter problem         0
         timestamp        0      information request       0
         mask requests    0      mask replies              0
         time exceeded    0      timestamp reply           0
         Mping request    0      Mping reply               0
  Output:echo             19     destination unreachable   0
         source quench    0      redirects                 0
         echo reply       512    parameter problem         0
         timestamp        0      information request       0
         mask requests    0      mask replies              0
         time exceeded    0      timestamp reply           0
         Mping request    0      Mping reply               0
• IP-layer debugging
Enable IP-layer debugging to check the packets sent and received during a ping operation.
To enable IP-layer debugging, define an ACL to match the source and destination IP
addresses in ping packets.
The configuration commands are as follows:
#
acl number 3333
rule 5 permit icmp source x.x.x.x 0 destination y.y.y.y 0
rule 10 permit icmp source y.y.y.y 0 destination x.x.x.x 0
#
debugging ip packet acl 3333 verbose
• CPCAR statistics
View CPCAR statistics to check whether ICMP packets are dropped because the CPCAR is exceeded. The commands are as follows:
Modular switches of V100R002 and fixed switches of V100R005: display cpu-defend icmp statistics all
Modular switches of V100R003 and later and fixed switches of V100R006 and later: display cpu-defend statistics packet-type icmp all
Check whether the number of dropped packets is increasing. If so, the rate of ICMP packets has exceeded the CPCAR and excess ICMP packets are dropped. Increase the CAR value and perform a ping test again to check whether the fault is rectified. Restore the CAR value after the fault is rectified.
• Traffic statistics
Configure traffic statistics collection to check the sent and received packets according to Table 3-16.
Table 3-16 Procedure for configuring traffic statistics collection
Step    Command
Enter the system view.
Define an ACL to match the source and destination IP addresses in ping packets.
Configure a traffic classifier.
Configure a traffic behavior.
Configure a traffic policy.
Apply the traffic policy to the interface where traffic statistics need to be collected.
After the configurations are complete, run the ping command and check traffic statistics.
The configuration commands are as follows:
display traffic policy statistics interface GigabitEthernet 0/0/1 inbound
display traffic policy statistics interface GigabitEthernet 0/0/1 outbound
If the outbound packet counter is 0, the interface does not send packets. If the inbound packet
counter is 0, the interface does not receive reply packets.
NOTE
The S2352-EI, S3300SI, and S3300EI do not support outbound traffic statistics collection on an interface.
• Mirroring
If a small amount of traffic is transmitted on the interface, configure port mirroring according
to Table 3-17.
If a large amount of traffic is transmitted on the interface, configure traffic mirroring
according to Table 3-18.
Table 3-17 Procedure for configuring port mirroring
Step    Command
Enter the system view.
Configure an observing port.    Run the observe-port port-number interface interface-type interface-number command to configure an observing port.
Configure port mirroring.

Command
Configure an observing port.
Configure an ACL to define the traffic to be mirrored.
Configure a traffic behavior.
Configure a traffic policy.
You can analyze the mirrored packets to check the sent and received packets and check the
VLAN ID, destination MAC address, checksum of the IP header, and ICMP checksum of
the packets.
Step 6 If the fault persists, collect information and contact Huawei technical support personnel.
----End
Description
display stp
Troubleshooting Procedure
Step 1 Check whether STP is enabled on the remote port.
If a switch port is connected to a terminal or server that does not support STP, run the stp edged-port enable command to configure the switch port as an edge port or run the stp disable command to disable STP on the switch port. Otherwise, when the cable is removed and reinstalled, or the shutdown and undo shutdown commands are executed on the port, the remote port does not send STP bridge protocol data units (BPDUs) to the port. As a result, the port must wait twice the forward-delay (15 seconds by default) before forwarding packets normally.
If the stp edged-port enable command has been configured on the port, run the display stp interface command to check whether the edge port configuration has become ineffective. The edge port configuration takes effect only when both Config and Active are enabled.
<Quidway> display stp interface GigabitEthernet1/0/1
----[Port43(GigabitEthernet1/0/1)][UP]----
 Port Protocol           :Enabled
 Port Role               :Disabled Port
 Port Priority           :128
 Port Cost(Dot1T )       :Config=auto / Active=200000000
 Designated Bridge/Port  :32768.4cb1-6c3b-aaf5 / 128.43
 Port Edged              :Config=enabled / Active=enabled
When the edge port receives STP BPDUs, the value of Active is changed to disabled and the
port becomes a common STP port. The following log information is recorded:
MSTP/4/EDGE_PORT:Edged-port [port-name] received BPDU packet, then the active state
of the edged-port will be disabled!
Check whether the configuration of the device connected to the port changes or the device
transparently transmits STP BPDUs.
Step 2 Check whether the port works in STP mode.
All STP versions are backward compatible. When a port on a device working in RSTP/MSTP
mode receives STP BPDUs, the port automatically transits to the STP mode.
Run the display stp interface command to check the actual working mode of the port.
<Quidway> display stp interface GigabitEthernet2/0/6
----[Port28(GigabitEthernet2/0/6)][FORWARDING]----
 Port Protocol           :Enabled
 Port Role               :Designated Port
 Port Priority           :128
 Port Cost(Dot1T )       :Config=auto / Active=20000
 Designated Bridge/Port  :32768.0026-0000-9140 / 128.28
 Port Edged              :Config=default / Active=disabled
 Point-to-point          :Config=auto / Active=true
 Transit Limit           :147 packets/s
 Protection Type         :None
 Port STP Mode           :STP
 Port Protocol Type      :Config=auto / Active=dot1s
 BPDU Encapsulation      :Config=stp / Active=stp
 PortTimes               :Hello 2s MaxAge 20s FwDly 15s RemHop 20
 TC or TCN send          :12
 TC or TCN received      :5
 BPDU Sent               :24
          TCN: 0, Config: 24, RST: 0, MST: 0
 BPDU Received           :1
          TCN: 0, Config: 1, RST: 0, MST: 0
The fast port transition mechanism is also called the Proposal/Agreement mechanism. The
traditional STP mode cannot provide the fast transition mechanism. A port must wait twice the
forward-delay (15 seconds by default) to enter the Forwarding state. The device can determine
the type of STP BPDUs sent and received by a port based on the number of BPDUs displayed
in the BPDU Sent and BPDU Received fields.
S series switches support the Proposal/Agreement mechanism in enhanced and common modes.
The enhanced mode is the default mode.
• Enhanced mode: The current port calculates the root port when calculating the synchronization flag bit.
The upstream device sends a Proposal packet to the downstream device, requesting fast
transition. After receiving the Proposal packet, the downstream device configures the port
connected to the upstream device as a root port and blocks all non-edge ports.
The upstream device then sends an Agreement packet to the downstream device. After
the downstream device receives the Agreement packet, the root port changes to
Forwarding.
The downstream device sends an Agreement packet to the upstream device. After
receiving the Agreement packet, the upstream device configures the port connected to
the downstream device as a designated port. The designated port then enters the
Forwarding state.
• Common mode: The current port does not calculate the root port when calculating the synchronization flag bit.
An upstream device sends a Proposal packet to a downstream device, requesting fast
transition. After receiving the Proposal packet, the downstream device configures the port
connected to the upstream device as a root port and blocks all non-edge ports. The root
port then enters the Forwarding state.
The downstream device sends an Agreement packet to the upstream device. After
receiving the Agreement packet, the upstream device configures the port connected to
the downstream device as a designated port. The designated port then enters the
Forwarding state.
When an S series switch is connected to an upstream RSTP-enabled switch or a non-Huawei device, fast transition cannot be performed on the upstream device. Run the stp no-agreement-check command on the S series switch to avoid the problem.
After the port automatically switches to STP-compatible mode, run the stp mcheck command on the port to switch the port back to MSTP mode manually in the following situations:
• The switch running STP is powered off or removed.
• The switch running STP is switched to MSTP mode.
NOTE
For two directly connected switching devices in a spanning tree, the switching device closer to the root
bridge is the upstream device of the other switching device.
Step 3 Check whether the link type of the port is point-to-point (P2P).
The RSTP/MSTP mode provides the fast transition mechanism. When STP is enabled on both
ends of a link and the link type is P2P, the fast transition mechanism can be implemented on the
ports.
You can run the stp point-to-point command to configure the link type. The link type of a port
is auto by default. That is, RSTP/MSTP checks whether the link of a port is a P2P link. The link
can be a P2P link only when both ends work in full duplex mode.
Run the display interface interface-type interface-number command to check whether the port works in full duplex mode.
<Quidway> display interface gigabitethernet 2/0/6
GigabitEthernet 2/0/6 current state : UP
Line protocol current state : UP
Description:
Switch Port, PVID :    1, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9ef4-abcd
Last physical up time   :
Last physical down time : 2012-05-24 21:01:26
Current system time: 2012-06-05 18:56:41
Port Mode: COMMON FIBER, Transceiver: 1000_BASE_SX_SFP
Speed : 1000,    Loopback: NONE
Duplex: FULL,    Negotiation: ENABLE
Run the display stp interface command to check the link type of the port.
<Quidway> display stp interface GigabitEthernet 2/0/6
----[CIST][Port14(GigabitEthernet2/0/6)][FORWARDING]----
 Port Protocol           :enabled
 Port Role               :Designated Port
 Port Priority           :128
 Port Cost(Dot1T )       :Config=auto / Active=20000
 Desg. Bridge/Port       :32768.4c1f-cc1f-56b7 / 128.14
 Port Edged              :Config=default / Active=disabled
 Point-to-point          :Config=auto / Active=true
 Transit Limit           :147 packets/hello-time
 Protection Type         :None
 Port Stp Mode           :MSTP
 Port Protocol Type      :Config=auto / Active=true
 BPDU Encapsulation      :Config=stp / Active=stp
 PortTimes               :Hello 2s MaxAge 20s FwDly 15s RemHop 20
 TC or TCN send          :2
 TC or TCN received      :0
 BPDU Sent               :103219
          TCN: 0, Config: 0, RST: 0, MST: 103219
 BPDU Received           :0
          TCN: 0, Config: 0, RST: 0, MST: 0
In the preceding command output, Config=auto indicates that the configured value is auto, and
Active=true indicates that the link type of the port is P2P.
Step 4 If the fault persists, collect information and contact Huawei technical support personnel.
----End
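The checks in Steps 1 to 3 can be run against saved display stp interface output. The following Python is an added example, not Huawei code: the finding labels and the SUSPECT sample are constructed for illustration, and HEALTHY is an excerpt of the Step 3 output above.

```python
import re

# Constructed sample: an edge port that has received a legacy STP BPDU.
SUSPECT = """\
----[Port28(GigabitEthernet2/0/6)][FORWARDING]----
 Port Protocol       :Enabled
 Port Role           :Designated Port
 Port Edged          :Config=enabled / Active=disabled
 Point-to-point      :Config=auto / Active=false
 Port STP Mode       :STP
 BPDU Sent           :24
          TCN: 0, Config: 24, RST: 0, MST: 0
 BPDU Received       :1
          TCN: 0, Config: 1, RST: 0, MST: 0
"""

# Excerpt of the Step 3 output shown on this page.
HEALTHY = """\
----[CIST][Port14(GigabitEthernet2/0/6)][FORWARDING]----
 Port Edged          :Config=default / Active=disabled
 Point-to-point      :Config=auto / Active=true
 Port Stp Mode       :MSTP
 BPDU Sent           :103219
          TCN: 0, Config: 0, RST: 0, MST: 103219
 BPDU Received       :0
          TCN: 0, Config: 0, RST: 0, MST: 0
"""

HEADER = re.compile(r"-+\[(?:CIST\]\[)?Port\d+\(([^)]+)\)\]\[(\w+)\]")
FIELD = re.compile(r"^\s*([^:]+?)\s*:(.*)$")
COUNTS = re.compile(r"(TCN|Config|RST|MST):\s*(\d+)")
PAIR = re.compile(r"Config=(\S+)\s*/\s*Active=(\S+)")


def parse_stp_interface(text):
    """Parse one port block into {'name', 'state', 'fields', 'bpdu'}."""
    port = {"name": None, "state": None, "fields": {}, "bpdu": {}}
    last = None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            port["name"], port["state"] = m.group(1), m.group(2)
            continue
        counts = COUNTS.findall(line)
        if counts and last in ("bpdu sent", "bpdu received"):
            # Per-type breakdown line that follows a BPDU counter.
            port["bpdu"][last] = {k: int(v) for k, v in counts}
            continue
        m = FIELD.match(line)
        if m:
            # Lower-case keys: releases print "Port Stp Mode" or "Port STP Mode".
            last = m.group(1).lower()
            port["fields"][last] = m.group(2).strip()
    return port


def findings(port):
    """Return the labels (constructed names) of the checks that fail."""
    f, out = port["fields"], []
    edged = PAIR.search(f.get("port edged", ""))
    if edged and edged.group(1) == "enabled" and edged.group(2) != "enabled":
        # Step 1: the edge port saw a BPDU, so an unexpected bridge is
        # attached or the connected device passes BPDUs through.
        out.append("edge-port-inactive")
    if f.get("port stp mode", "").upper() == "STP":
        # Step 2: STP-compatible mode, no Proposal/Agreement fast transition.
        out.append("stp-compatible-mode")
    p2p = PAIR.search(f.get("point-to-point", ""))
    if p2p and p2p.group(2) != "true":
        # Step 3: link is not point-to-point.
        out.append("link-not-p2p")
    rx = port["bpdu"].get("bpdu received", {})
    if rx.get("Config", 0) or rx.get("TCN", 0):
        # Config and TCN BPDUs are the legacy STP types.
        out.append("legacy-stp-bpdu-received")
    return out


if __name__ == "__main__":
    for sample in (SUSPECT, HEALTHY):
        p = parse_stp_interface(sample)
        print(p["name"], p["state"], findings(p))
```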
A switch supports a maximum of eight observing ports, which can be located on the same
LPU or different LPUs.
Two inbound ports on an E, FA, or S series board can be configured as observing ports,
whereas only one inbound port on an FC or SC series board can be configured as the
observing port. Observing ports can be located on the same LPU or different LPUs.
Only one outbound port on each board can be configured as an observing port. The
observing ports on a switch can be located on the same LPU or different LPUs.
On each E, FA, or S series board, a maximum of two inbound observing ports and one
outbound observing port can be configured. On each FC or SC board, only one inbound
observing port and one outbound observing port can be configured.
Only known unicast packets are mirrored on an outbound port. Unknown unicast packets
are mirrored on an outbound port after being replicated on an inbound port.
Product Model    Number of Mirrored Ports
S2300SI    Not limited
S2300EI    Not limited
S3300SI    4|1    Not limited
S3300EI    4|1    Not limited
S3300HI    2|1    Not limited
S5300SI    Not limited
S5300EI    4|1    Not limited
S5300HI    2|1    Not limited
S5300LI    Not limited
S6300    Not limited
Loopback:
Duplex: FULL,    Negotiation: ENABLE
Mdi   : AUTO,    Flow-control: DISABLE
//Outbound traffic
If the interface connected to the PC has transmitted traffic, the problem may be caused by
the PC's settings.
(a) If the mirrored packets have oversized frames, check whether the network adapter of the PC is enabled to process oversized frames, as shown below. The settings of the network adapters from different vendors may be different.
(b) The network adapter may have other settings that block mirrored packets; therefore, use another PC to obtain mirrored packets.
2. If the mirrored packets have lost VLAN tags, the PC may have removed the VLAN tags from received packets, so the packets received by Ethereal are untagged. Modify the registry to configure the PC to retain the VLAN tags.
Port mirroring
1. The traffic rate on the mirrored ports cannot exceed the bandwidth supported by the observing ports.
2. Observing ports are only used for fault location or traffic analysis and cannot be used as service ports.
3.
4. Some PCs cannot process double-tagged packets. Use a PC that supports double-tagged packets or configure the switch to remove one tag from the packets before the switch mirrors packets.
2. The packets mirrored to Layer 3 remote observing ports have GRE headers, so they cannot be resolved by Wireshark.
3. For Layer 3 port mirroring, a reachable Layer 3 route must be available. For Layer 2 port mirroring, communication between the Layer 2 networks must be normal.
4. The Layer 2 remote mirrored VLAN is only used for mirroring. Disable MAC address learning for the VLAN.
5. On the transit node, the mirrored VLAN ID must be the same as the PVID, and the same as the VLAN IDs specified in port trunk allow-pass vlan vlan-id and port hybrid tagged vlan vlan-id.
2. Check whether the number of observing ports exceeds the upper limit.
3.
4. If a remote observing port cannot obtain the mirrored packets, check whether the devices located between the observing port and observing device have lost packets.
5. If traffic mirroring does not take effect, run the display acl resource [ slot slot-id ] command to check ACL resource usage.
Troubleshooting Flowchart
Figure 3-22 Layer 2 multicast troubleshooting flowchart
Troubleshooting Procedure
Step 1 Enable IGMP snooping debugging to check whether the switch can receive multicast packets.
1. Enable report debugging of IGMP snooping to check whether the switch can receive the report messages from multicast groups.
<HUAWEI> debugging igmp-snooping report
• If the switch does not receive report messages, check whether the PCs work normally.
• If the switch has received report messages, check and analyze the debugging information.
2. Enable query debugging of IGMP snooping to check whether the switch can receive the query messages from multicast groups.
<HUAWEI> debugging igmp-snooping query
• If the switch does not receive query messages, check whether the PCs work normally.
• If the switch has received query messages, check and analyze the debugging information.
Step 2 Check the IGMP packet exchange process between upstream and downstream devices by mirroring the packets. Check whether the packet format is correct. If the packet format is incorrect, change the destination MAC and IP addresses of the packets to multicast addresses.
Step 3 If the IGMP packet version is incompatible with the switch's software version, modify the configurations on upstream and downstream devices to ensure consistent IGMP versions.
Step 4 If the switch receives IGMPv2 packets from network segment 232, run the igmp-snooping ssm-policy basic-acl-number command to exclude network segment 232 from the SSM range.
Step 5 If Layer 3 multicast is enabled on the VLANIF interface corresponding to the VLAN with Layer
2 multicast enabled, Layer 2 multicast entries can be generated but hardware entries are not
delivered. As a result, multicast data cannot be forwarded. If you do not need the Layer 3
multicast function, delete the Layer 3 multicast configuration.
If the fault persists, collect information and contact Huawei technical support personnel.
----End
Troubleshooting Flowchart
Figure 3-23 Layer 3 multicast troubleshooting flowchart
Troubleshooting Procedure
Step 1 Check whether the corresponding multicast entry exists on the device.
<HUAWEI> display igmp group X.X.X.X
If the entry does not exist, enable report debugging of IGMP snooping to check whether the
switch can receive the report messages of the corresponding multicast group.
<HUAWEI> debugging igmp-snooping report
• If the switch does not receive report messages, check whether the PCs work normally.
• If the device has received report messages, go to Step 2.
• If the RP information does not exist, check whether BSR and RP are correctly configured on the device.
• If the RP information exists, go to Step 3.
Step 3 Check whether there is a reachable route to the RP.
<HUAWEI> display ip routing-table X.X.X.X
• If a reachable route to the RP does not exist, check whether the device with RP configured has advertised a route to the RP or whether a static route is configured from the device to the RP.
• If the route exists, go to Step 4.
Step 4 View PIM routing entries to check whether the (S, G) entry is generated.
<HUAWEI> display pim routing-table X.X.X.X fsm
• If the (S, G) entry is not generated, multicast packets are not received by the switch or are received by an incorrect inbound interface.
Configure traffic statistics collection to check whether packets are received by the switch. If
the packets are received by the switch, multicast packets may be received by an incorrect
inbound interface. Check whether entries cannot be created because of an RPF check failure.
<HUAWEI> display multicast rpf-info X.X.X.X
If the multicast entries do not contain outbound interface information, collect information and
contact Huawei technical support personnel.
----End
Troubleshooting Flowchart
Figure 3-24 Flowchart for troubleshooting the problem of multiple master switches
Troubleshooting Procedure
Step 1 Check whether VRRP-enabled switches receive heartbeat packets.
Run the display vrrp statistics command to check VRRP packet statistics. Check whether the
VRRP-enabled switches receive heartbeat packets.
<SwitchA> display vrrp statistics
Checksum errors : 0
Version errors : 0
Vrid errors : 0
Vlanif45 | virtual router 45
Transited to master : 0
Received advertisements : 7
Advertisement interval errors : 0
Failed to authentication check : 0
Received ip ttl errors : 0
Received packets with priority zero : 0
Sent packets with priority zero : 0
Received invalid type packets : 0
Received unmatched address list packets : 0
Unknown authentication type packets : 0
Mismatched authentication type : 0
Packet length errors : 0
Discarded packets since track admin-vrrp : 0
If the VRRP-enabled switches receive the heartbeat packets, check whether the VRID of the
VRRP group, the IP addresses of interfaces and virtual IP addresses, and the interval for sending
VRRP Advertisement packets are correct.
V200R003/V200R005:
<SwitchA> display cpu-defend statistics packet-type vrrp slot 3
Statistics on slot 3:
--------------------------------------------------------------------------------
Packet Type    Pass(Packet/Byte)    Drop(Packet/Byte)    Last-dropping-time
--------------------------------------------------------------------------------
vrrp           0                    0                    -
Run the preceding command multiple times. If the value of Pass increases, the statistics about VRRP packets are normal. If the fault persists, contact Huawei technical support personnel.
If the value of Pass does not increase, the statistics about VRRP packets are abnormal. Contact Huawei technical support personnel.
----End
Troubleshooting Flowchart
Figure 1 shows the flowchart for troubleshooting the fault that a downstream device cannot ping
the VRRP virtual IP address.
Figure 3-25 Flowchart for troubleshooting the failure to ping the VRRP virtual IP address
Troubleshooting Procedure
Locate the fault by using methods in 3.2.3.2 Ping Failure Troubleshooting.
Step 1 Check whether the ping to a virtual IP address is enabled on the device.
By default, the ping to a virtual IP address is disabled on the S2300&S3300&S5300 series
switches of V100R003C00SPC301 and enabled on other models and versions. Table 3-21
describes commands for configuring the ping to a virtual IP address.
Table 3-21 Commands for configuring the ping to a virtual IP address
Model and Version
Commands
S2300&S3300&S5300 V100R003C00SPC301
Run the display current-configuration command in any view on the master to check whether
the ping to a virtual IP address is enabled. If the ping function is enabled, go to step 2. If the
ping function is not enabled, enable the function and ping the virtual IP address again. If the
ping operation still fails, go to step 2.
Step 2 Check whether the downstream device learns the ARP entry matching the virtual MAC address
and virtual IP address of the VRRP group.
The virtual MAC address and virtual IP address are the destination MAC address and destination
IP address of the packets sent by the downstream device; therefore, the downstream device must
correctly learn them. If the downstream device is a PC, run the arp -a command in the Windows
environment. If the downstream device is also a switch, locate the ARP fault by referring to Step 4 in 3.2.3.2 Ping Failure Troubleshooting.
NOTE
After an active/standby switchover occurs, the new master sends a gratuitous ARP packet.
Step 3 Check whether devices in the VRRP group can ping each other.
If devices in the VRRP group cannot ping each other, locate the fault by referring to 3.2.3.2 Ping
Failure Troubleshooting.
Step 4 Collect information and contact Huawei technical support personnel.
----End
Procedure
Step 1 Check whether data storms occur on the interfaces.
Run the display interface brief command to check traffic on all interfaces. If values of InUti
and OutUti of an interface gradually increase to the interface rate limit, a loop occurs on the
interface.
First query:
<Quidway> display interface Ethernet brief | include up
PHY: Physical
*down: administratively down
(l): loopback
(b): BFD down
InUti/OutUti: input utility/output utility
Interface                  PHY                                           Trunk
GigabitEthernet0/0/2       up    enable   full   100M    0%     0.01%    --
GigabitEthernet0/0/16      up    enable   full   1000M   0.56%  0.56%    1
GigabitEthernet1/0/12      up    enable   full   1000M   0.56%  0.56%    1
MEth0/0/1                  up    enable   half   100M    0.01%  0.01%    --
Last query:
<Quidway> display interface Ethernet brief | include up
PHY: Physical
*down: administratively down
(l): loopback
(b): BFD down
InUti/OutUti: input utility/output utility
Interface                  PHY
GigabitEthernet0/0/2       up
GigabitEthernet0/0/16      up
GigabitEthernet1/0/12      up
MEth0/0/1                  up
Compare the queried current network traffic with the service traffic when network services are
normal. You can obtain the service traffic bandwidth from the network monitoring diagram.
• If the current network traffic is much larger than normal service traffic, a Layer 2 loop may occur.
• If the current network traffic is normal and broadcast storm suppression is not deployed, no Layer 2 loop occurs.
• If the current network traffic is larger than normal service traffic and broadcast storm suppression is deployed, go to Step 2.
In addition, you can check the loop based on the number of interfaces that have a large amount of traffic as well as the outbound and inbound traffic on the interface as follows:
• If only one interface on a device has a large amount of inbound and outbound traffic, a loop may occur on this interface.
• If two interfaces on a device have a large amount of traffic, a loop may occur between the two interfaces.
• If an interface has only inbound or outbound traffic, a loop may occur on the upstream or downstream device of the interface.
Step 2 Check whether MAC address flapping occurs.
MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN. The MAC address entry learned later overwrites the earlier one.
MAC address flapping may be caused by a network loop or a network attack from unauthorized
users.
As shown in Figure 3-27, when SwitchA sends packets in two directions simultaneously, two
interfaces on SwitchB receive the packets. If MAC address flapping occurs on the two interfaces
of SwitchB, a loop may occur on the two interfaces.
By default, fixed and modular switches of all versions support MAC address flapping prevention
configurations including alarm generation and interface blocking upon MAC address flapping.
MAC address flapping detection commands and alarms differ for fixed and modular switches
of different versions.
• Modular switches
In V100R002, the switch supports global MAC address flapping detection on all LPUs except the S series. When global detection is enabled, the switch can only send trap messages when MAC address flapping is detected.
In V100R002, run the mac-flapping alarm enable command to enable MAC address flapping detection.
Compared with V100R002, V100R003 and later versions support VLAN-based MAC address flapping detection and actions performed when MAC address flapping is detected.
In V100R003 and later versions, run either of the following commands to enable MAC address flapping detection:
loop-detect eth-loop alarm-only in the system view
loop-detect eth-loop alarm-only in the VLAN view
By default, global MAC address flapping detection is disabled in V100R003 and enabled in V100R006 and later versions.
Starting from V200R001, switches support global MAC address flapping detection, VLAN whitelist, and quit-vlan action.
Table 3-22 describes MAC address flapping detection traps in different versions.
Table 3-22 MAC address flapping detection traps on modular switches of different versions
Version    Trap Information

V100R002
  Global detection:
    L2IF/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value . (BaseTrapSeverity=0, BaseTrapProbableCause=0, BaseTrapEventType=4, L2IfPort=549,entPhysicalIndex=1, MacAdd=0000-0000-002b,vlanid=1001, FormerIfDescName=Ethernet3/0/2,CurrentIfDescName=Ethernet3/0/3,DeviceName=S9306-169)
  VLAN-based detection:
    Not supported.

V100R003
  Global detection:
    L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value . (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAdd=00e0-fc00-4447,vlanid=1001, FormerIfDescName=GigabitEthernet6/0/6,CurrentIfDescName=GigabitEthernet6/0/7,DeviceName=9306-222.159)
  VLAN-based detection:
    L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exist in vlan 1001, for mac-flapping.

V100R006
  Global detection:
    L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value. (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAdd=0025-9e6e-1c55,vlanid=1001, FormerIfDescName=GigabitEthernet2/1/23,CurrentIfDescName=GigabitEthernet2/1/22,DeviceName=9303-222.157)
  VLAN-based detection:
    L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in vlan 1001, for flapping mac-address 0025-9e6e-1c55 between port GE2/1/23 and port GE2/1/22.

V200R001, V200R002, and V200R003
  loop-detect eth-loop:
    L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value. (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAdd=0000-0000-0050,vlanid=10,FormerIfDescName=GigabitEthernet6/0/0,CurrentIfDescName=GigabitEthernet6/0/23,DeviceName=S9312_106)
  MAC address flapping detection:
    L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 10, MacAddress = 0000-0000-0050, Original-Port = GE6/0/0, Flapping port = GE6/0/23. Please check the network accessed to flapping port.
• Fixed switches
Fixed switches (excluding the S2300 series) of V100R003 and later do not support global
MAC address flapping detection. They support only VLAN-based MAC address flapping
detection and actions such as sending traps and blocking interfaces when MAC address
flapping is detected.
Run the following command in the VLAN view to enable MAC address flapping detection:
loop-detect eth-loop alarm-only
Starting from V200R001, switches support global MAC address flapping detection, VLAN
whitelist, and quit-vlan action.
Table 3-23 describes MAC address flapping detection traps in different versions.
Table 3-23 MAC address flapping detection traps on fixed switches of different versions
Version    Trap Information

V100R003, V100R005
    L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in vlan 1001, for flapping mac-address 0000-0000-002b between port GE0/0/24 and port GE0/0/23.

V100R006
    L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in vlan 1001, for flapping mac-address 0000-0000-002b between port GE0/0/24 and port GE0/0/23.

V200R001, V200R002, and V200R003
    L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 1001, flapping mac-address 0000-0000-002b between port GE0/0/24 and port GE0/0/23. Please check the network accessed to flapping port.
When LDT is configured on an interface of a modular switch, the switch sends LDT packets
to detect loops in the LDT-enabled VLAN that the interface belongs to. If the switch receives
the LDT packets sent by itself, a loop occurs on the network.
LDT on a modular switch can detect loops in the following scenarios:
1.
2.
From V200R002, the port-quitvlan action is added in the loop-detection mode { port-trap
| port-blocking | port-nolearning | port-shutdown | port-quitvlan } command.
After LDT is enabled, you can run the display loop-detection command to check the LDT
status.
<Quidway> display loop-detection
Loop Detection is enable.
Detection interval time is 5 seconds.
Following vlans enable loop-detection:
vlan 556
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
NULL
Following ports are nolearning for loop:
NULL
Run the display loop-detection interface command to check the status of a specified LDT-enabled interface.
<Quidway> display loop-detection interface gigabitethernet 1/0/0
The port is enable.
The port's status list:
Status      WorkMode      Recovery-time      EnabledVLAN
-----------------------------------------------------------------------
Normal      Shutdown      200                556
Version | Alarm
V100R002
V100R003
V100R006
V200R001 to V200R003
• LBDT
Fixed switches of all versions and modular switches of V200R001 and later versions support
LBDT.
When LBDT is configured on a switch interface, the switch sends an untagged packet and a
packet with a specified VLAN tag to detect loops. Before V200R003, LBDT detects loops
only on interfaces that receive LBDT packets sent by themselves. From V200R003, LBDT
also detects loops in scenarios where an interface receives LBDT packets sent by another
interface on the local device.
From V200R002, the quitvlan action is added in the loopback-detect action { block |
nolearn | shutdown | trap | quitvlan } command.
When LBDT is enabled, you can run the display loopback-detect command to check the
LBDT configuration and status of LBDT-enabled interfaces.
<Quidway> display loopback-detect
Loopback-detect is enabled in the system view
Loopback-detect interval: 30
Loopback-deteck sending-packet interval: 5
Interface                 ProtocolID  RecoverTime  Action  Status
-------------------------------------------------------------------------------
GigabitEthernet0/0/2      602         30           block   NORMAL
Alarm Information
V100R003
V100R006
V200R001 to V200R003
----End
A ring network topology is complex. Obtain the overall network topology, VLAN plan, device
name, system MAC address, management IP address, local interface name, and remote interface
name.
Complete topology information helps remove loops. If no topology is available, manually draw
a complete topology by starting from the device where the loop is detected and recording device,
interface, and VLAN information of each hop.
For details about how to locate a loop, see 3.2.8.1 Loop Location.
Step 2 Manually remove the loop.
Manual loop removal is required when a network storm seriously affects services and services
need to be restored as soon as possible.
NOTICE
Ensure that manual loop removal does not affect the devices, interfaces, or VLANs along the
remote Telnet path; otherwise, you cannot log in to the device through Telnet.
You can manually remove a loop using one of the following methods:
• Remove an interface from the VLAN where the loop is detected.
This method has the minimum impact on the network. Table 3-26 describes the commands
used on interfaces of different types.
Table 3-26 Removing an interface from a VLAN
Interface Type | Command | Remarks
Access
Trunk
None.
Hybrid
Verify network connectivity through the ping operation and check whether services are
recovered.
In ring topology where redundant links and configurations exist, services will be automatically
restored after loops are removed, unless in special scenarios.
----End
• EAP termination (pap or chap): The device directly parses EAP packets, encapsulates user
authentication information into a RADIUS packet, and sends the packet to the RADIUS
server for authentication.
• EAP relay (eap): The device encapsulates EAP packets into RADIUS packets and sends
the packets to the RADIUS server for authentication.
Which method is used depends on the packet processing capability of the RADIUS server.
• If the RADIUS server has sufficient performance to parse a large number of EAP packets
and perform authentication, the EAP relay method can be used.
• If the RADIUS server has insufficient performance, the EAP termination method is
recommended. In this mode, EAP packets are parsed by the device.
To set the 802.1x authentication method, run the dot1x authentication-method { chap | pap |
eap } command in the system, interface, or port group view.
By default, CHAP is used for global 802.1x authentication. The authentication method of
interface-based 802.1x authentication is the same as that of global 802.1x authentication.
Procedure
Step 1 Check whether the RADIUS server template is correctly configured on the switch.
• The RADIUS server address and port number must be correctly set.
• The shared key of the RADIUS server must be the same as that configured on the RADIUS
server.
Step 2 Run the display dot1x command to check whether dot1x authentication is enabled in the system
view and interface view.
Step 3 Run the ping command to check whether a reachable route exists between the switch and the
RADIUS server.
Step 4 Check whether the user name entered during authentication is the same as that configured on
the RADIUS server.
Step 5 Run the display radius-server configuration [ template template-name ] command to check
whether the user name sent to the RADIUS server carries a domain name and whether the
configuration is the same as that on the RADIUS server.
• If the RADIUS server does not accept the user names carrying domain names, run the undo
radius-server user-name domain-included command in the RADIUS server template view
to configure the switch not to add domain names to the user names.
• If the RADIUS server accepts the user names carrying domain names, run the radius-server
user-name domain-included command in the RADIUS server template view to configure
the switch to add domain names to the user names.
By default, the switch does not modify the user name entered by the user in the packets sent to
the RADIUS server.
Step 6 Enable debugging functions to check whether each module works normally during
authentication. If any module does not work normally, collect the debugging information and
contact Huawei technical support personnel.
<HUAWEI> terminal monitor //Enable information display for terminals.
<HUAWEI> debugging dot1x all //Enable EAPOL module debugging.
<HUAWEI> debugging dot1x packet
<HUAWEI> debugging radius packet //Enable RADIUS module debugging.
<HUAWEI> system-view
[HUAWEI] diagnose
[HUAWEI-diagnose] debugging ucm all //Enable UCM module debugging.
[HUAWEI-diagnose] debugging aaa all //Enable AAA module debugging.
password, and encrypted password to the RADIUS server. The RADIUS server uses the key to
encrypt the password and compares the password with the received password.)
CID=37
Action=NullAction
*0.12845680 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Result=SUCCESS
FSM:
AuthenState=AuthenIdle
AcctState=AcctIdle
AuthorState=AuthorIdle ELAState=ELAIdle
*0.12845890 GZB_2352 AAA/7/AAADBG:
[AAA debug] Code: AAA->UCM authen ack UserID: 37
*0.12846000 GZB_2352 UCM/7/DebugInfo:
[UCM DBG]MSG Recv From:AAA Code:AAA_UCM_AUTH_ACK
Event:AUTH_CHALLENGE Src:37 Dst:37
*0.12846150 GZB_2352 UCM/7/DebugInfo:
[UCM DBG]Result:2 ReAlloc:0 Portal:0 Padm:0 Ip:0 AuthorCmdFlag:0
*0.12846280 GZB_2352 UCM/7/DebugInfo:
[UCM DBG]MSG Send To:EAPOL Code:CM_EAPOL_AUTH_ACK Src:37 Dst:37
*0.12846410 GZB_2352 UCM/7/DebugInfo:
[UCM DBG]Result:2
*0.12846480 GZB_2352 EAP/7/debug:
EAPoL Message: EAP index 37, CM index 37,
Received challenge message from server//The EAPOL module receives a challenge packet from
AAA.
*0.12846690 GZB_2352 EAP/7/debug:
EAPOL packet: OUT
88 8e 01 00 00 16 01 dd 00 16 04 10 39 7c db 31
74 43 95 ba 3b 23 c3 a8 c7 0e 03 21
*0.12846880 GZB_2352 EAP/7/debug:
EAPoL Event: index 37,
Protocol: Standard
Code : 4//Accounting request
Len : 251
ID : 8
[User-name(1) ] [11] [test@test]
[NAS-Port(5) ] [6 ] [32769]
[Filter-ID(11) ] [8 ] [3000@0]
[NAS-Identifier(32) ] [10] [GZB_2352]
[Acct-Status-Type(40) ] [6 ] [1]
[Acct-Session-Id(44) ] [43] [GZB_23200801010350090000012bffc0963100037]
[Acct-Authentic(45) ] [6 ] [1]
[Event-Timestamp(55) ] [6 ] [1199159409]
[NAS-Port-Type(61) ] [6 ] [15]
[NAS-Port-Id(87) ] [34] [slot=0;subslot=0;port=8;vlanid=1]
[Ip-Host-Addr(26-60) ] [35] [255.255.255.255 00:1e:90:af:07:f5]
[Input_Peak_Rate(26-1) ] [6 ] [2011]
[Input_Average_Rate(26-2) ] [6 ] [2011]
[Input_Basic_Rate(26-3) ] [6 ] [2011]
*0.12856980 GZB_2352 RDS/7/debug2:
[Output_Peak_Rate(26-4) ] [6 ] [2011]
[Output_Average_Rate(26-5) ] [6 ] [2011]
[Output_Basic_Rate(26-6) ] [6 ] [2011]
[Priority(26-22) ] [6 ] [2011]
[Connect_ID(26-26) ] [6 ] [2011]
[NAS-IP-Address(4) ] [6 ] [114.255.138.105]
*0.12857430 GZB_2352 EAP/7/debug:
EAPoL Message: EAP index 37, CM index 37,
Received authentication success message from server
*0.12857600 GZB_2352 EAP/7/debug:
EAPOL packet: OUT
88 8e 01 00 00 04 03 dd 00 04
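The two "EAPOL packet: OUT" dumps in the debugging output above can be decoded field by field to confirm what the switch actually sent to the supplicant. The following Python sketch is an added example, not Huawei code; it assumes the dump starts at the EtherType (88 8e), as it does in the output on this page, and the function names are hypothetical.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

# The two dumps printed by "debugging dot1x packet" on this page.
CHALLENGE_DUMP = """88 8e 01 00 00 16 01 dd 00 16 04 10 39 7c db 31
74 43 95 ba 3b 23 c3 a8 c7 0e 03 21"""
SUCCESS_DUMP = "88 8e 01 00 00 04 03 dd 00 04"


def decode_eapol(hex_dump):
    """Decode a hex dump that begins at the EtherType (assumption: no MAC header)."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 6:
        raise ValueError("dump is shorter than EtherType + EAPOL header")
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", raw[:6])
    if ethertype != 0x888E:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    body = raw[6:6 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body is truncated")
    frame = {"version": version, "eapol_type": EAPOL_TYPES.get(ptype, str(ptype))}
    if ptype != 0:
        return frame  # Start/Logoff/Key frames carry no EAP packet
    if body_len < 4:
        raise ValueError("EAP header is truncated")
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= body_len:
        raise ValueError("EAP length field is inconsistent with the EAPOL body")
    frame["code"] = EAP_CODES.get(code, str(code))
    frame["identifier"] = identifier
    if code in (1, 2):  # only Request and Response carry a Type field
        if eap_len < 5:
            raise ValueError("Request/Response without a Type field")
        eap_type = body[4]
        frame["eap_type"] = EAP_TYPES.get(eap_type, str(eap_type))
        data = body[5:eap_len]
        if eap_type == 4:  # MD5-Challenge: Value-Size, Value, optional Name
            if not data or 1 + data[0] > len(data):
                raise ValueError("MD5-Challenge value is truncated")
            size = data[0]
            frame["value"] = data[1:1 + size].hex()
            frame["name"] = data[1 + size:].decode("ascii", "replace")
        elif eap_type == 1:
            frame["identity"] = data.decode("ascii", "replace")
    return frame


def check_exchange(challenge, result):
    """List inconsistencies between a challenge frame and the final result frame."""
    problems = []
    if challenge.get("eap_type") != "MD5-Challenge":
        problems.append("first frame is not an MD5-Challenge request")
    if result.get("code") not in ("Success", "Failure"):
        problems.append("second frame is not a final Success/Failure")
    elif result["identifier"] != challenge.get("identifier"):
        problems.append("result identifier does not match the challenge")
    return problems


if __name__ == "__main__":
    challenge = decode_eapol(CHALLENGE_DUMP)
    success = decode_eapol(SUCCESS_DUMP)
    print(challenge)
    print(success)
    print(check_exchange(challenge, success) or "exchange is consistent")
```

Both frames carry identifier 0xdd, so the Success frame closes the same exchange that the MD5-Challenge request opened.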
The common cause is that the switch fails to obtain the authentication scheme. The authentication scheme
is configured in the domain view. The switch needs to obtain the domain name from the user name. If the
user name does not carry a domain name, the authentication scheme in the default domain is used. If the
fault persists, collect information and contact Huawei technical support personnel.
----End
Support
V100R006C03
V100R006C05
V200R001
V200R002
V200R003
Networking
As shown in Figure 4-1, the switch directly connects to the NE40E. A VLANIF interface on
the switch and a GE subinterface on the NE40E function as Layer 3 interfaces. The two interfaces
are added to the same VLAN and assigned IP addresses on the same network segment. The
S9300 and NE40E establish an OSPF neighbor relationship.
Fault Symptom
The OSPF neighbor relationship status flaps, causing frequent route convergence. Traffic fails
to be forwarded during route convergence.
Cause Analysis
A fault on an optical fiber or optical module causes frequent Up/Down state changes on the link
between the devices. The unstable link results in OSPF neighbor relationship flapping.
Troubleshooting Procedure
Step 1 Check logs on the switch.
Find out the time when the OSPF neighbor relationship goes Down in the logs. The following
provides an example of log information:
Feb 15 2011 14:27:54 SW_CASA_S9306_01 %%01OSPF/6/NBR_DOWN_REASON(l): Neighbor
state leaves full or changed to Down. (ProcessId=100,
NeighborRouterId=192.168.20.6, NeighborAreaId=0,
NeighborInterface=Vlanif305,NeighborDownImmediate reason=Neighbor Down Due to
1-Wayhello Received, NeighborDownPrimeReason=1-Wayhello Received, NeighborChangeTime=
[2011/02/15] 14:27:54)
There are many similar logs. The OSPF neighbor relationship goes Down because the switch
receives 1-way Hello packets.
Step 2 Check logs on the NE40E.
There are logs indicating that the OSPF neighbor relationship goes Down at the same time.
Feb 15 2011 13:26:31 PE_NE40E_CASA_ANWAL_01 %%01OSPF/6/NBR_DOWN_REASON(l)
[67934]:Neighbor state leaves full or changed to Down. (ProcessId=202,
NeighborRouterId=192.168.28.225, NeighborAreaId=0,
NeighborInterface=GigabitEthernet8/0/0.305,NeighborDownImmediate reason=Neighbor
Down Due to Kill Neighbor, NeighborDownPrimeReason=Physical Interface State Change,
NeighborChangeTime=[2011/02/15] 13:26:31)
Step 3 Check whether a physical interface and its subinterface frequently go Up and Down based on
log information.
The following is an example of log information on the NE40E:
Feb 15 2011 13:26:31 PE_NE40E_CASA_ANWAL_01 %%01PHY/4/PHY_STATUS_UP2DOWN(l)
[67928]:Slot=8;GigabitEthernet8/0/0 change status to down.
Feb 15 2011 13:26:32 PE_NE40E_CASA_ANWAL_01 %%01PHY/4/PHY_STATUS_UP(l)
[67947]:Slot=8;GigabitEthernet8/0/0 change status to up.
The log information shows that a physical interface on a device is unstable. When the interface
goes Down, the OSPF neighbor relationship on the local device also goes Down. When the
interface goes Up, the device sends a Hello packet to the peer device for OSPF negotiation. After
receiving the Hello packet, the peer device sets the status of the local OSPF neighbor relationship
to Down and re-establishes an OSPF neighbor relationship.
Step 4 Replace the faulty optical fiber or optical module. The fault is rectified.
----End
Support
V100R006C03
V100R006C05
V200R001
V200R002
V200R003
Networking
As shown in Figure 4-2, OSPF is configured on SwitchA, SwitchB, SwitchC, and SwitchD, and
router IDs and IP addresses have been configured for the devices.
Figure 4-2 IP address conflict on a network
Fault Symptom
The following problems may occur due to IP address conflicts between interfaces on different
devices:
• The CPU usage is high. You can run the display cpu-usage command to check the CPU
usage. The command output shows that the ROUT task consumes much more CPU
resources than other tasks.
Cause Analysis
On an OSPF network, IP address conflicts between interfaces may cause frequent aging and
generation of link-state advertisements (LSAs), which results in network instability, route
flapping, and high CPU usage.
Troubleshooting Procedure
Step 1 Run the display ospf lsdb command on each switch once per second to check information about
the OSPF link state database (LSDB) on the switches.
Collect the command output on each switch.
Step 2 Locate the fault based on the collected information.
• Scenario 1
The aging time (Age field) of a network LSA is 3600 on a switch or the switch does not have
the network LSA, and the Sequence value increases quickly.
On the other switches, the aging time of the same network LSA frequently alternates between
3600 and smaller values, and the Sequence value increases quickly.
If the preceding conditions are met, LSA aging is abnormal.
The following provides a command output example:
<HUAWEI> display ospf lsdb
OSPF Process 1 with Router ID 3.3.3.3
Link State Database
Area: 0.0.0.0
Type      LinkState ID    AdvRouter        Age   Len   Sequence   Metric
Router    4.4.4.4         4.4.4.4            2   48    8000000D   1
Router    3.3.3.3         3.3.3.3            6   72    80000016   1
Router    2.2.2.2         2.2.2.2          228   60    8000000D   1
Router    1.1.1.1         1.1.1.1          258   60    80000009   1
Network   112.1.1.4       4.4.4.4          121   32    80000001   0
Network   112.1.1.2       1.1.1.1         3600   32    80000015   0
Network   222.1.1.3       3.3.3.3          227   32    80000003   0
Network   111.1.1.1       1.1.1.1          259   32    80000002   0
AS External Database
Type      LinkState ID    AdvRouter        Age   Len   Sequence   Metric
External  33.33.33.33     4.4.4.4          206   36    800001D7   1
External  125.12.1.2      4.4.4.4          206   36    80000032   1
Run the display ospf routing command on each switch once every second. If route flapping
occurs but the OSPF neighbor relationship does not flap, IP address conflicts or router ID
conflicts have occurred. Based on the display ospf lsdb command output, it is determined
that the IP address of the designated router (DR) conflicts with that of a non-DR.
Locate one switch that uses the conflicting IP address based on the AdvRouter value and
then find the conflicting interface on the switch. The other switch is difficult to find based
only on OSPF information. You need to check interface IP addresses against the IP address
plan to locate this switch.
In this example, first determine that the conflicting IP address is 112.1.1.2, and the router ID
of a conflicting device is 1.1.1.1. However, the other conflicting device (3.3.3.3) cannot be
located based on OSPF information.
• Scenario 2
If the LinkState ID values of two network LSAs are both 112.1.1.2 on a switch, the aging
time of the two network LSAs is short, and the Sequence value increases quickly, then an
IP address conflict has occurred between the DR and BDR.
<HUAWEI> display ospf lsdb
OSPF Process 1 with Router ID 3.3.3.3
Link State Database
Area: 0.0.0.0
Type      LinkState ID    AdvRouter        Age   Len   Sequence   Metric
Router    4.4.4.4         4.4.4.4           17   48    8000011D   1
Router    3.3.3.3         3.3.3.3           21   72    8000015A   1
Router    2.2.2.2         2.2.2.2          151   60    80000089   1
Router    1.1.1.1         1.1.1.1         1180   60    8000002A   1
Network   112.1.1.2       3.3.3.3            3   32    8000016A   0
Network   112.1.1.2       1.1.1.1            5   32    80000179   0
Network   222.1.1.3       3.3.3.3          145   32    8000002D   0
Network   212.1.1.4       4.4.4.4           10   32    80000005   0
Network   111.1.1.2       2.2.2.2          459   32    80000003   0
AS External Database
Type      LinkState ID    AdvRouter        Age   Len   Sequence   Metric
External  33.33.33.33     4.4.4.4           30   36    800001DC   1
External  125.12.1.2      4.4.4.4           30   36    80000037   1
Step 3 Change the IP address of a conflicting device based on the IP address plan.
----End
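The two checks in Step 2 can be run automatically over the display ospf lsdb output collected in Step 1. The following Python sketch is an added example, not part of the original guide; it assumes each LSA is printed on one line in the order Type, LinkState ID, AdvRouter, Age, Len, Sequence, Metric. The function names and the sequence-growth threshold are hypothetical, and the sample snapshots are constructed from the values shown above.

```python
import re
from collections import defaultdict

MAX_AGE = 3600  # an LSA whose Age reaches 3600 is being flushed
ROW = re.compile(
    r"^\s*(Router|Network|Sum-Net|Sum-Asbr|External|NSSA)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+)\s+(\d+)\s+([0-9A-Fa-f]{8})\s+(\d+)\s*$"
)


def parse_lsdb(text):
    """Extract LSA rows from one 'display ospf lsdb' snapshot."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lsa_type, lsid, adv, age, _length, seq, _metric = m.groups()
            rows.append({"type": lsa_type, "lsid": lsid, "adv": adv,
                         "age": int(age), "seq": int(seq, 16)})
    return rows


def duplicate_network_lsas(rows):
    """Scenario 2: one LinkState ID advertised as a Network LSA by two routers."""
    advertisers = defaultdict(set)
    for row in rows:
        if row["type"] == "Network":
            advertisers[row["lsid"]].add(row["adv"])
    return {lsid: sorted(a) for lsid, a in advertisers.items() if len(a) > 1}


def abnormal_aging(snapshots, min_seq_step=3):
    """Scenario 1: a Network LSA that hits MaxAge while its Sequence climbs.

    min_seq_step is an assumed threshold for 'increases quickly' across the
    snapshots supplied; tune it to the sampling interval.
    """
    history = defaultdict(list)
    for rows in snapshots:
        for row in rows:
            if row["type"] == "Network":
                history[(row["lsid"], row["adv"])].append((row["age"], row["seq"]))
    flagged = []
    for key, seen in history.items():
        seqs = [seq for _age, seq in seen]
        hit_max_age = any(age >= MAX_AGE for age, _seq in seen)
        if hit_max_age and max(seqs) - min(seqs) >= min_seq_step:
            flagged.append(key)
    return sorted(flagged)


# Constructed samples: the first snapshot uses the Scenario 1 values from this
# page, the next two are invented to show one-second follow-up readings.
SCENARIO_1_SNAPSHOTS = ["""
 Router    1.1.1.1     1.1.1.1   258  60  80000009  1
 Network   112.1.1.4   4.4.4.4   121  32  80000001  0
 Network   112.1.1.2   1.1.1.1  3600  32  80000015  0
 Network   222.1.1.3   3.3.3.3   227  32  80000003  0
""", """
 Router    1.1.1.1     1.1.1.1   259  60  80000009  1
 Network   112.1.1.4   4.4.4.4   122  32  80000001  0
 Network   112.1.1.2   1.1.1.1     1  32  80000017  0
 Network   222.1.1.3   3.3.3.3   228  32  80000003  0
""", """
 Router    1.1.1.1     1.1.1.1   260  60  80000009  1
 Network   112.1.1.4   4.4.4.4   123  32  80000001  0
 Network   112.1.1.2   1.1.1.1  3600  32  80000019  0
 Network   222.1.1.3   3.3.3.3   229  32  80000003  0
"""]

# Network LSA rows from the Scenario 2 output on this page.
SCENARIO_2 = """
 Network   112.1.1.2   3.3.3.3     3  32  8000016A  0
 Network   112.1.1.2   1.1.1.1     5  32  80000179  0
 Network   222.1.1.3   3.3.3.3   145  32  8000002D  0
 Network   212.1.1.4   4.4.4.4    10  32  80000005  0
 Network   111.1.1.2   2.2.2.2   459  32  80000003  0
"""

if __name__ == "__main__":
    print(abnormal_aging([parse_lsdb(s) for s in SCENARIO_1_SNAPSHOTS]))
    print(duplicate_network_lsas(parse_lsdb(SCENARIO_2)))
```

As the guide notes for Scenario 1, the result names only the advertising router; the second device using the address still has to be found from the IP address plan.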
Networking
None.
Fault Symptom
IP packets cannot be evenly distributed among Eth-Trunk member interfaces on a switch.
Cause Analysis
An Eth-Trunk between switches implements load balancing using the hash algorithm based on
the source and destination IP/MAC addresses of packets. If packets have identical or similar IP
or MAC addresses, the switch forwards packets through the same link, resulting in unbalanced
traffic distribution.
Troubleshooting Procedure
Step 1 In the Eth-Trunk interface view, check the default hash algorithm.
[Quidway-Eth-Trunk1] display this interface
Eth-Trunk1 current state : UP
Line protocol current state : UP
Description: Link to Eth-Trunk1
Switch Port, PVID :    1, Hash arithmetic : According to SIP-XOR-DIP,The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4cb1-6c3b-aaf5
Current system time: 2013-08-07 14:51:00+08:00
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes
The command output shows that the Eth-Trunk uses the hash algorithm based on the exclusive-OR
result of the source and destination IP addresses to implement load balancing by default. On
an IP network where devices' IP addresses randomly change, such a hash algorithm can ensure
even traffic distribution. On a Layer 2 network, MAC addresses frequently change and IP
addresses are fixed, so traffic may not be evenly distributed.
Step 2 If traffic is not evenly load balanced among Eth-Trunk member interfaces, run the
load-balance command to change the hash algorithm.
[Quidway-Eth-Trunk1] load-balance ?
  dst-ip       According to destination IP hash arithmetic
  dst-mac      According to destination MAC hash arithmetic
  enhanced     Enhanced hash arithmetic
  src-dst-ip   According to source/destination IP hash arithmetic
  src-dst-mac  According to source/destination MAC hash arithmetic
  src-ip       According to source IP hash arithmetic
  src-mac      According to source MAC hash arithmetic
A switch supports the following load balancing modes for known unicast packets:
• dst-ip (destination IP address) mode
The system obtains the specified three bits from each of the destination IP address and the
outbound TCP or UDP port number to perform the exclusive-OR calculation, and then selects
the outbound interface from the Eth-Trunk table according to the calculation result.
• src-ip (source IP address) mode
The system obtains the specified three bits from each of the source IP address and the inbound
TCP or UDP port number to perform the exclusive-OR calculation, and then selects the
outbound interface from the Eth-Trunk table according to the calculation result.
• src-dst-ip (exclusive-OR calculation of the source and destination IP addresses) mode
The system uses the calculation results of the dst-ip and src-ip modes to perform the
exclusive-OR calculation, and then selects the outbound interface from the Eth-Trunk table
according to the calculation result.
• dst-mac (destination MAC address) mode
The system obtains the specified three bits from each of the destination MAC address, VLAN
ID, Ethernet type, and inbound interface information to perform the exclusive-OR
calculation, and then selects the outbound interface from the Eth-Trunk table according to
the calculation result.
• src-mac (source MAC address) mode
The system obtains the specified three bits from each of the source MAC address, VLAN
ID, Ethernet type, and inbound interface information to perform the exclusive-OR
calculation, and then selects the outbound interface from the Eth-Trunk table according to
the calculation result.
• src-dst-mac (exclusive-OR calculation of the source and destination MAC addresses) mode
The system obtains the specified three bits from each of the destination MAC address, source
MAC address, VLAN ID, Ethernet type, and inbound interface information to perform the
exclusive-OR calculation, and then selects the outbound interface from the Eth-Trunk table
according to the calculation result.
• enhanced mode
The system uses an enhanced load balancing profile to select outbound interfaces for different
packets.
NOTE
Modular switches: All cards except the SA series cards support load balancing in enhanced mode.
Fixed switches:
V200R001C01: Only the S5300HI supports load balancing using an enhanced load balancing profile.
V200R002: Only the S5310EI and S5300HI support load balancing using an enhanced load balancing
profile.
V200R003: Only the S5310EI and S5300HI support load balancing using an enhanced load balancing
profile.
To configure a load balancing mode for broadcast and multicast packets, run the
unknown-unicast load-balance { dmac | smac | smacxordmac | enhanced } command in the system
view.
Modular switches: V200R001, V200R002, and V200R003 all support this command.
Fixed switches:
V100R006C03: Only the S2352EI and S3300 support this command, but they do not support the
enhanced parameter.
V100R006C05: Only the S2352P-EI and S3300 support this command, but they do not support the
enhanced parameter.
V200R001: Only the S5300EI and S5300HI support this command.
V200R002: Only the S5310EI, S5300EI, and S5300HI support this command. Only the S5310EI and
S5300HI support the enhanced parameter.
V200R003: Only the S5310EI, S5300EI, and S5300HI support this command. Only the S5310EI and
S5300HI support the enhanced parameter.
----End
Networking
As shown in Figure 4-3, a switch is connected to an enterprise network through a leased line.
The switch functions as a Layer 2 aggregation switch, and an NE80 functions as the gateway.
Figure 4-3 Network where layer 2 packet loss occurs
Fault Symptom
Enterprise network users complain that the network has a slow response to their service requests.
When the NE80 pings a terminal on the enterprise network, packet loss occurs.
Cause Analysis
A loop exists on the downstream network of GE10/0/6. As a result, the MAC address of the
NE80 flaps between GE10/0/6 and GE12/0/0 of the switch. When GE10/0/6 learns the MAC
address of the NE80, user packets cannot be forwarded to the gateway.
Troubleshooting Procedure
Step 1 Enable MAC address flapping detection on the switch and check alarms.
NOTE
Alarm information differs for fixed and modular switches of different versions. The following alarm
information is only used as an example.
#Jul 28 09:59:34 2012 Switch L2IF/4/mac_flapping_alarm:OID
1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value .
(BaseTrapSeverity=0, BaseTrapProbableCause=0, BaseTrapEventType=4,
L2IfPort=549,entPhysicalIndex=1, MacAdd=0025-9e03-02f1,vlanid=107,
FormerIfDescName=GigabitEthernet12/0/0,CurrentIfDescName=GigabitEthernet10/0/6,
DeviceName= Switch)
The preceding alarm information indicates that MAC address flapping occurs.
Step 2 Set the NE80 MAC address to a static MAC address on GE12/0/0.
The loop on the downstream network of GE10/0/6 is eliminated.
----End
Networking
None.
Fault Symptom
1. The CPU usage of a switch that is displayed on the NMS is high, as shown in Figure 4-4.
2.
3. There are also logs indicating that a large number of ARP packets are discarded because
the CPCAR limit is exceeded.
S6300-1 %%01DEFD/4/CPCAR_DROP_MPU(l)[56]:Rate of packets to cpu exceeded the
CPCAR limit on the MPU. (Protocol=arp-miss, ExceededPacketCount=016956)
S6700-1 %%01DEFD/4/CPCAR_DROP_MPU(l)[57]:Rate of packets to cpu exceeded the
CPCAR limit on the MPU. (Protocol=arp-reply, ExceededPacketCount=020699)
S6300-1 %%01DEFD/4/CPCAR_DROP_MPU(l)[58]:Rate of packets to cpu exceeded the
CPCAR limit on the MPU. (Protocol=arp-request, ExceededPacketCount=0574
4.
Cause Analysis
Based on statistics about TC packets on interfaces, the number of received TC packets is large
and continuously increases. MAC address entries are deleted, and ARP entries are updated. The
switch has to process a large number of ARP Miss, ARP Request, and ARP Reply packets,
leading to high CPU usage. OSPF Hello packets and VRRP heartbeat packets cannot be
processed in a timely manner, resulting in protocol flapping.
Troubleshooting Procedure
Step 1 Run the stp tc-protection command in the system view.
This command ensures that the device updates entries once every 2 seconds even when it receives
a large number of TC packets. This configuration prevents high CPU usage caused by frequent
updates of MAC address entries and ARP entries.
Step 2 Run the arp topology-change disable and mac-address update arp commands in the system
view.
When receiving TC packets, the switch deletes the MAC address entries and aged ARP entries
by default. If there are many ARP entries on the switch, ARP entry relearning triggers a large
number of ARP packets on the network. After the arp topology-change disable and
mac-address update arp commands are configured, the switch updates the outbound interfaces in
ARP entries based on the outbound interfaces in the MAC address entries upon network topology
changes. The commands prevent unnecessary updates of ARP entries.
NOTE
V100R006 and later versions support the mac-address update arp command. V200R001 and later
versions support the arp topology-change disable command.
----End
Networking
None.
Fault Symptom
A switch sends an alarm indicating MAC address flapping. Efforts are then made to check for
loops, but the interface where the loop occurs fails to be located. The MAC address flapping
alarm cannot be rectified.
The following provides the alarm information:
NOTE
Alarm information differs for fixed and modular switches of different versions. The following alarm
information is only used as an example.
Cause Analysis
1.
2.
Troubleshooting Procedure
The preceding alarm information shows that the switch can learn the same MAC address from
multiple interfaces. In this case, a loop exists, or multiple Layer 2 devices or terminals share the
same MAC address.
If there is a loop on the network, the alarm usually involves many MAC addresses. In addition,
traffic is heavy on some interfaces, and there are a large number of broadcast packets. If you
disable one interface where the alarm is generated, the alarm is cleared. MAC address flapping
occurs regardless of the service traffic volume.
If multiple terminals share the same MAC address, the alarm usually involves only one MAC
address or a small number of MAC addresses, and the statistics show that the number of received
and sent packets is within a normal range. Change the MAC address learning priority for an
interface. If traffic of users connected to this interface becomes abnormal, multiple user terminals
are using the same MAC address. In this case, change the MAC addresses of the user terminals.
If user traffic remains normal, some Layer 2 devices are using the same MAC address. In this
case, check the configuration of the Layer 2 devices and change their MAC addresses.
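The first distinction made above (many flapping MAC addresses point to a loop, one or a few point to a shared MAC address) can be applied to collected traps automatically. The following Python sketch is an added example, not part of the original guide; it parses the trap formats quoted in this document, and the threshold of five MAC addresses, the function names and the sample trap list are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MAC = r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})"
PORT_A = r"(?P<a>[\w/-]+)"
PORT_B = r"(?P<b>[\w/-]+)"
PATTERNS = [
    # MAC_FLAPPING_ALARM, key=value form
    re.compile(r"MacAdd=" + MAC + r",\s*vlanid=(?P<vlan>\d+),\s*FormerIfDescName="
               + PORT_A + r",\s*CurrentIfDescName=" + PORT_B),
    # MFLPVLANALARM on modular switches of later versions
    re.compile(r"VlanId\s*=\s*(?P<vlan>\d+),\s*MacAddress\s*=\s*" + MAC
               + r",\s*Original-Port\s*=\s*" + PORT_A
               + r",\s*Flapping port\s*=\s*" + PORT_B),
    # MFLPVLANALARM "between port X and port Y" form
    re.compile(r"(?:vlan|VlanId\s*=)\s*(?P<vlan>\d+),.*?flapping mac-address\s+" + MAC
               + r"\s+between port\s+" + PORT_A + r"\s+and port\s+" + PORT_B),
]


def normalize_port(name):
    """Use the short interface form so both trap styles group together."""
    return name.replace("GigabitEthernet", "GE")


def parse_trap(line):
    """Return vlan, mac and the unordered port pair of one trap, or None."""
    for pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            ports = tuple(sorted((normalize_port(m.group("a")),
                                  normalize_port(m.group("b")))))
            return {"vlan": int(m.group("vlan")), "mac": m.group("mac").lower(),
                    "ports": ports}
    return None


def triage(lines, loop_mac_threshold=5):
    """Group traps by VLAN and port pair and apply the rule of thumb above.

    loop_mac_threshold is an assumed cut-off between 'many' and 'few' MACs.
    """
    macs = defaultdict(set)
    events = defaultdict(int)
    for line in lines:
        trap = parse_trap(line)
        if trap:
            key = (trap["vlan"], trap["ports"])
            macs[key].add(trap["mac"])
            events[key] += 1
    return {
        key: {"macs": len(macs[key]), "events": events[key],
              "verdict": ("loop-suspected" if len(macs[key]) >= loop_mac_threshold
                          else "shared-mac-suspected")}
        for key in macs
    }


# Constructed sample: trap text follows the formats quoted in this document.
SAMPLE_TRAPS = [
    "L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in "
    f"vlan 1001, for flapping mac-address 0000-0000-00{i:02x} between port "
    "GE0/0/24 and port GE0/0/23."
    for i in range(0x2B, 0x31)
] + [
    "L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, "
    "VlanId = 10, MacAddress = 0000-0000-0050, Original-Port = GE6/0/0, "
    "Flapping port = GE6/0/23. Please check the network accessed to flapping port."
] * 3 + [
    "L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The "
    "mac-address has flap value. (L2IfPort=0,entPhysicalIndex=0, "
    "MacAdd=0000-0000-0050,vlanid=10,FormerIfDescName=GigabitEthernet6/0/0,"
    "CurrentIfDescName=GigabitEthernet6/0/23,DeviceName=S9312_106)"
]

if __name__ == "__main__":
    for key, result in sorted(triage(SAMPLE_TRAPS).items()):
        print(key, result)
```

The verdict is only a starting point; confirm it with the interface traffic statistics and the MAC address learning priority test described above.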
Networking
Figure 4-6 Network where service interruptions frequently occur due to loops
Fault Symptom
After network reconstruction and migration, the original core devices (Layer 3 devices) are redeployed as access devices ASs (Layer 2 devices). Ping the management IP address of the AS
on the Layer 3 device DS. The command output shows that the ping fails and the VRRP group
status of the DS frequently alternates between master and backup.
The following alarm information is displayed on DS_02:
Sep 17 2013 21:46:11+08:00 DS_02 VRRP/3/VRRPMASTERDOWN:OID
1.3.6.1.4.1.2011.5.25.127.2.30.1 The state of VRRP changed from master to other
state.(VrrpIfIndex=143, VrId=48, IfIndex=143, IPAddress=11.91.127.239,
NodeName=DS_02, IfName=Vlanif948, CurrentState=2, ChangeReason=priority
calculation)
Sep 17 2013 21:46:11+08:00 DS_02 %%01VRRP/4/STATEWARNINGMEV1R3(l):Virtual Router
state BACKUP changed to MASTER, because of protocol timer expired.
(Interface=Vlanif948, VrId=48).
Sep 17 2013 21:46:11+08:00 DS_02 %%01VRRP/4/STATEWARNINGMEV1R3(l):Virtual Router
state MASTER changed to BACKUP, because of priority calculation.
(Interface=Vlanif948, VrId=48).
The VRRP group status frequently alternates. Check the VRRP group status after the switchover.
All VRRP groups are in Backup state.
<DS_02> display vrrp brief
VRID  State     Interface    Type     Virtual IP
--------------------------------------------------------
3     Backup    Vlanif903    Normal   10.93.4.30
5     Backup    Vlanif599    Normal   11.91.127.94
14    Backup    Vlanif914    Normal   10.93.41.126
24    Backup    Vlanif924    Normal   10.93.32.126
25    Backup    Vlanif925    Normal   10.93.32.254
Cause Analysis
A loop exists on the network.
Troubleshooting Procedure
Step 1 Run the display cpu-defend vrrp statistics all command to check statistics on VRRP packets.
The command output shows that DS_02 discards a large number of packets.
[DS_02] display cpu-defend vrrp statistics all
Statistics on mainboard:
-------------------------------------------------------------------------------
Packet Type    Pass(Bytes)    Drop(Bytes)    Pass(Packets)    Drop(Packets)
-------------------------------------------------------------------------------
vrrp           0              0              0                0
-------------------------------------------------------------------------------
Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type    Pass(Bytes)    Drop(Bytes)    Pass(Packets)    Drop(Packets)
-------------------------------------------------------------------------------
vrrp           0              0              0                0
-------------------------------------------------------------------------------
Statistics on slot 4:
-------------------------------------------------------------------------------
Packet Type    Pass(Bytes)    Drop(Bytes)    Pass(Packets)    Drop(Packets)
-------------------------------------------------------------------------------
vrrp           79880066214    2581617736     1174644777       37950869
-------------------------------------------------------------------------------
Step 2 Check statistics on each interface. (DS_02 should not discard VRRP packets.)
[DS_02] display interface brief
Interface                PHY    Protocol  InUti   OutUti  inErrors  outErrors
Eth-Trunk1               up     up        31%     31%     0         0
GigabitEthernet4/0/22    up     up        0.72%   81%     0         0
GigabitEthernet4/0/23    up     up        81%     0.73%   2         0
Ethernet0/0/0            down   down      0%      0%      0         0
GigabitEthernet4/0/0     up     up        0%      81%     0         0
GigabitEthernet4/0/1     up     up        0%      81%     0         0
GigabitEthernet4/0/2     up     up        0%      81%     2         0
GigabitEthernet4/0/3     up     up        0%      81%     0         0
GigabitEthernet4/0/4     up     up        0%      81%     0         0
GigabitEthernet4/0/5     up     up        0%      81%     0         0
GigabitEthernet4/0/6     up     up        0%      81%     0         0
GigabitEthernet4/0/7     up     up        0%      81%     0         0
GigabitEthernet4/0/8     up     up        0%      82%     0         0
GigabitEthernet4/0/9     up     up        0%      82%     0         0
GigabitEthernet4/0/10    up     up        0%      82%     0         0
GigabitEthernet4/0/11    down   down      0%      0%      0         0
GigabitEthernet4/0/12    up     up        0%      82%     0         0
GigabitEthernet4/0/13    up     up        0%      82%     0         0
GigabitEthernet4/0/14    up     up        0%      82%     0         0
GigabitEthernet4/0/15    up     up        0%      82%     0         0
GigabitEthernet4/0/16    up     up        0%      82%     0         0
GigabitEthernet4/0/17    up     up        0.01%   82%     0         0
GigabitEthernet4/0/18    up     up        82%     0%      0         0
GigabitEthernet4/0/19    up     up        87%     82%     0         0
GigabitEthernet4/0/20    down   down      0%      0%      0         0
GigabitEthernet4/0/21    up     up        0.01%   0.01%   0         0
LoopBack500              up     up(s)     0%      0%      0         0
NULL0                    up     up(s)     0%      0%      0         0
Vlanif599                up     up        --      --      0         0
According to the preceding statistics, the outgoing traffic occupies more than 80% of the
bandwidth of the interface connecting to the AS, indicating that a loop occurs. In addition, the
incoming traffic occupies more than 80% of the bandwidth on GigabitEthernet4/0/18 and
GigabitEthernet4/0/19, indicating that the loop occurs on the AS devices connected to the two
interfaces. Manually shut down the two interfaces, and then check CPU defense statistics and
ping the management IP address of another AS. The number of dropped VRRP packets stops
increasing and the ping operation succeeds.
Step 3 GigabitEthernet4/0/18 and GigabitEthernet4/0/19 connect to AS_03 and AS_05 respectively.
Both are non-Huawei Layer 3 devices, on which STP is disabled. When the two devices are used
as Layer 2 devices, the command for enabling STP is not configured, resulting in the loop.
Enable STP, and check the STP status and traffic statistics on GigabitEthernet4/0/18 and
GigabitEthernet4/0/19 of the DS. You can find that services are restored.
----End
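The two checks used in Steps 1 and 2 can be scripted against saved command output. The following Python sketch is an added example, not part of the original guide: it compares two snapshots of display cpu-defend vrrp statistics all to find slots whose VRRP drop counter is still increasing, and lists Up interfaces whose incoming utilization exceeds 80%. The second snapshot and the 80% threshold parameter are constructed for illustration; the first snapshot and the interface rows are a subset of the output shown above.

```python
import re

def parse_cpu_defend(text):
    """Parse 'display cpu-defend ... statistics all' into {slot: {type: counters}}."""
    stats, slot = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Statistics on (mainboard|slot \d+):", line)
        if header:
            slot = header.group(1)
            stats[slot] = {}
            continue
        f = line.split()
        # Data rows look like: vrrp <pass bytes> <drop bytes> <pass pkts> <drop pkts>
        if slot and len(f) == 5 and all(x.isdigit() for x in f[1:]):
            keys = ("pass_bytes", "drop_bytes", "pass_pkts", "drop_pkts")
            stats[slot][f[0]] = dict(zip(keys, map(int, f[1:])))
    return stats

def slots_still_dropping(before, after, ptype="vrrp"):
    """Slots whose drop counter for ptype grew between two snapshots."""
    def drops(snapshot, slot):
        return snapshot.get(slot, {}).get(ptype, {}).get("drop_pkts", 0)
    return sorted(s for s in after if drops(after, s) > drops(before, s))

def parse_interface_brief(text):
    """Parse rows of 'display interface brief' that carry utilization figures."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Rows without percentages (header, Vlanif rows showing '--') are skipped.
        if len(f) == 7 and f[3].endswith("%") and f[4].endswith("%"):
            rows.append({"name": f[0], "phy": f[1],
                         "in_uti": float(f[3][:-1]), "out_uti": float(f[4][:-1])})
    return rows

def loop_ingress_suspects(rows, threshold=80.0):
    """Up interfaces whose incoming utilization exceeds the threshold."""
    return [r["name"] for r in rows if r["phy"] == "up" and r["in_uti"] > threshold]

# First snapshot: values from the output above (mainboard and slot 4 only).
BEFORE = """\
Statistics on mainboard:
Packet Type   Pass(Bytes)   Drop(Bytes)   Pass(Packets)   Drop(Packets)
vrrp          0             0             0               0
Statistics on slot 4:
Packet Type   Pass(Bytes)   Drop(Bytes)   Pass(Packets)   Drop(Packets)
vrrp          79880066214   2581617736    1174644777      37950869
"""
# Second snapshot: constructed, taken a little later while the loop persists.
AFTER = BEFORE.replace("79880066214   2581617736    1174644777      37950869",
                       "79880746214   2581957736    1174654777      37955869")
# Subset of the access-facing rows from the output above.
BRIEF = """\
Interface               PHY    Protocol  InUti   OutUti  inErrors  outErrors
GigabitEthernet4/0/17   up     up        0.01%   82%     0         0
GigabitEthernet4/0/18   up     up        82%     0%      0         0
GigabitEthernet4/0/19   up     up        87%     82%     0         0
GigabitEthernet4/0/20   down   down      0%      0%      0         0
Vlanif599               up     up        --      --      0         0
"""

if __name__ == "__main__":
    print(slots_still_dropping(parse_cpu_defend(BEFORE), parse_cpu_defend(AFTER)))
    print(loop_ingress_suspects(parse_interface_brief(BRIEF)))
```

After the suspect interfaces are shut down, a further snapshot pair should return an empty list from slots_still_dropping, matching the guide's observation that the drop count stops increasing.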
Networking
None.
Fault Symptom
A traffic policy with a user-defined ACL cannot be created.
<HUAWEI> system-view
[HUAWEI] acl number 5000 //Configure a user-defined ACL.
[HUAWEI-acl-user-5000] rule 5 permit l4-head 0x00000868 0x0000ffff 0 //Match a two-byte character string in the Layer 4 packet header. The matched character string is 0x00000868 and 0 indicates the offset.
[HUAWEI-acl-user-5000] rule 10 permit l4-head 0x00060000 0x00ff0000 24 //Match a one-byte character string in the Layer 4 packet header. The matched character string is 0x00060000 and 24 indicates the offset.
[HUAWEI-acl-user-5000] quit
[HUAWEI] traffic classifier c1 operator or //Create a traffic classifier, and set the relationship between rules to OR. (A packet belongs to the class if it matches one or more of the rules.)
[HUAWEI-classifier-c1] if-match acl 5000 //Create an ACL-based matching rule.
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1 //Create a traffic behavior.
[HUAWEI-behavior-b1] redirect interface gigabitethernet0/0/24 //Redirect packets to GE0/0/24.
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p5000 //Create a traffic policy.
[HUAWEI-trafficpolicy-p5000] classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior.
Info: This operation maybe take a long time, please wait for a moment.
Error:Add rule failed, slot 0, policy p5000, class c1, behavior b1 acl 5000, rule 10, on interface GigabitEthernet0/0/21.
Cause Analysis
The traffic policy failed to be created because the user-defined ACL rules contain different
offsets.
Troubleshooting Procedure
Check the offsets in the ACL rules applied to the traffic policy. Ensure that the same offset is
used.
[HUAWEI] display acl 5000
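The offset check can be run offline against a saved configuration before the policy is applied. The following Python sketch is an added example, not part of the original guide: it parses user-defined ACL rules of the form shown above (one value, mask and offset per rule, as on this page), reports which bytes each mask actually compares, and flags rule sets that mix offsets. The "fixed" rule set is constructed only to show the check passing.

```python
import re
from collections import defaultdict

# rule <id> permit|deny <x>-head <value> <mask> <offset>, as used on this page.
RULE_RE = re.compile(
    r"\brule\s+(?P<rule_id>\d+)\s+(?P<action>permit|deny)\s+(?P<head>[\w-]+-head)\s+"
    r"(?P<value>0x[0-9a-fA-F]{1,8})\s+(?P<mask>0x[0-9a-fA-F]{1,8})\s+(?P<offset>\d+)"
)

def parse_user_acl(text):
    """Extract user-defined ACL rules from CLI or configuration text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line.split("//", 1)[0])  # ignore trailing // comments
        if m:
            rules.append({
                "id": int(m["rule_id"]),
                "head": m["head"],
                "value": int(m["value"], 16),
                "mask": int(m["mask"], 16),
                "offset": int(m["offset"]),
            })
    return rules

def matched_bytes(rule):
    """Bytes of the 4-byte window that the mask actually compares."""
    return [(rule["value"] >> shift) & 0xFF
            for shift in (24, 16, 8, 0)
            if (rule["mask"] >> shift) & 0xFF]

def offset_conflicts(rules):
    """Return {offset: [rule ids]} when more than one offset is in use, else {}."""
    by_offset = defaultdict(list)
    for rule in rules:
        by_offset[rule["offset"]].append(rule["id"])
    return dict(by_offset) if len(by_offset) > 1 else {}

# Rules from the failing configuration shown above.
ACL_5000 = """\
[HUAWEI-acl-user-5000] rule 5 permit l4-head 0x00000868 0x0000ffff 0 //two-byte match
[HUAWEI-acl-user-5000] rule 10 permit l4-head 0x00060000 0x00ff0000 24 //one-byte match
"""
# Constructed rule set in which both rules use offset 0 (illustration only;
# it does not match the same bytes as the original rule 10).
ACL_SAME_OFFSET = """\
rule 5 permit l4-head 0x00000868 0x0000ffff 0
rule 10 permit l4-head 0x00060000 0x00ff0000 0
"""

if __name__ == "__main__":
    for rule in parse_user_acl(ACL_5000):
        print(rule["id"], rule["offset"], [hex(b) for b in matched_bytes(rule)])
    print(offset_conflicts(parse_user_acl(ACL_5000)))
```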
Networking
User terminals connected to a switch can use the video on demand (VOD) service.
Fault Symptom
Pixelation occurs in video programs during peak hours.
Cause Analysis
Video traffic bursts frequently occur on the multicast server. When the switch receives multicast
traffic, it forwards multiple copies of the traffic. As a result, the bandwidth required to forward
the traffic may exceed the limit. When the switch's buffer is full, packet loss will occur due to
congestion, resulting in pixelation on user terminals.
Troubleshooting Procedure
1. Run the display interface interface-type interface-number command in any view or the
display this interface command in the interface view to check the number of outgoing
packets on the interface connecting to user terminals. The command output shows that a
large number of packets are discarded, and the number keeps growing.
2. Mirror incoming packets on the interface connecting to the multicast server. Use Wireshark
to parse the traffic, and determine whether packet loss occurs on the switch.
- If there is only a small amount of burst traffic, increase the link bandwidth between
network devices.
- The burst traffic rate may reach 1 Gbit/s. As shown in Figure 4-7, the multicast server
hibernates for more than a second, sends video at an approximate rate of 1 Gbit/s, and
enters the hibernation state several milliseconds later. Although the average outgoing
traffic rate is about 10 Mbit/s, the traffic rate approximates to 1 Gbit/s if measured in
milliseconds.
Figure 4-7 Video traffic burst on the multicast server
In this case, change the mode in which the multicast server sends packets, so that packets
can be sent at more stable rates, with little traffic burst, as shown in Figure 4-8.
For V200R001 and later versions, you can also run the qos burst-mode enhanced
command on the related interface to increase the interface buffer size, so that more burst
traffic can be buffered. Then ensure that packets are sent in a stable manner, with little
traffic burst, as shown in Figure 4-8.
1. Install the latest patch for the version in use, and check whether the problem is resolved.
2. Adjust the mode in which the multicast server sends packets to mitigate traffic congestion.
3. If multiple traffic conflicts occur, increase the link bandwidth between devices.
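The gap between the average rate and the millisecond-scale rate described in this case can be measured from the timestamps of a mirrored capture. The following Python sketch is an added example, not part of the original guide: it computes the average and the peak per-millisecond rate, then runs a simple tail-drop queue model to show why the bursty sender loses packets while a smoothed sender with the same average does not. The packet timestamps are constructed, and the 100 Mbit/s egress rate and 100,000-byte buffer are hypothetical values chosen for illustration, not figures for any switch model.

```python
from collections import Counter

def rates_bps(packets, capture_us, window_us=1000):
    """Return (average_bps, peak_bps), the peak measured over window_us buckets.

    packets is a list of (timestamp_in_microseconds, size_in_bytes).
    """
    total_bits = sum(size * 8 for _, size in packets)
    average = total_bits * 1_000_000 // capture_us
    per_window = Counter()
    for ts_us, size in packets:
        per_window[ts_us // window_us] += size * 8
    peak = max(per_window.values()) * 1_000_000 // window_us
    return average, peak

def tail_drops(packets, egress_bps, buffer_bytes):
    """Count packets dropped by a FIFO of buffer_bytes drained at egress_bps."""
    queue = 0          # bytes currently buffered
    last_ts = None
    dropped = 0
    for ts_us, size in packets:
        if last_ts is not None:
            drained = (ts_us - last_ts) * egress_bps // 8_000_000
            queue = max(0, queue - drained)
        last_ts = ts_us
        if queue + size > buffer_bytes:
            dropped += 1               # buffer full: packet is discarded
        else:
            queue += size
    return dropped

def constructed_bursts(cycles=3, period_us=1_000_000, burst_pkts=1000,
                       size=1250, gap_us=10):
    """Constructed capture: each second, 1000 packets sent back to back at 1 Gbit/s."""
    return [(c * period_us + i * gap_us, size)
            for c in range(cycles) for i in range(burst_pkts)]

BURSTY = constructed_bursts()
# Same 3000 packets, evenly spaced 1 ms apart (constructed "stable" sender).
SMOOTHED = [(i * 1000, 1250) for i in range(3000)]
CAPTURE_US = 3_000_000

if __name__ == "__main__":
    for name, capture in (("bursty", BURSTY), ("smoothed", SMOOTHED)):
        avg, peak = rates_bps(capture, CAPTURE_US)
        lost = tail_drops(capture, egress_bps=100_000_000, buffer_bytes=100_000)
        print(f"{name}: average {avg} bit/s, 1 ms peak {peak} bit/s, dropped {lost}")
```

Both captures average 10 Mbit/s, so an interface counter sampled over seconds cannot tell them apart; only the per-millisecond view and the drop count do.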
Networking
None.
Fault Symptom
When the switch functions as a gateway, users are frequently disconnected from and reconnected
to the LAN, and the switch generates a large number of address conflict alarms.
Cause Analysis
To determine the cause, perform the following operations:
1. Run the display logbuffer command in any view, and obtain the attacker's MAC address
from the displayed logs.
<HUAWEI> display logbuffer
2. Search for the attacker's MAC address in the MAC address table to find out the interface
connected to the attack source.
3. Locate the attack source. You can find that the fault occurs because a PC that is infected
with a virus acts as the gateway to request IP addresses from the devices on the network
segment.
Troubleshooting Procedure
5 Maintenance Instructions
Tasks of processing the packets received and sent from the forwarding plane
When Huawei switches are operating, the following functions need to use CPU resources:
Device component management: This function manages components in the device and
checks the running status of components, such as cards, power modules, and fan modules.
Stack management: This function manages and maintains the status of member switches
in a stack.
External access management: This function processes the network management traffic sent
to the CPU, such as Telnet, SSH, HTTP, and SNMP traffic.
Network control protocol management: This function sends and receives protocol packets,
performs protocol computing, and updates forwarding tables (such as MSTP, MAC, and
FIB tables). Network control protocols include STP, LLDP, LNP, LACP, VCMP, DLDP,
EFM, GVRP, VRRP, and routing protocols.
MAC address learning: This function helps synchronize MAC addresses between stack
member switches.
Packet software forwarding: For example, L2PT forwards Layer 2 protocol packets through
software.
Many tasks may be active on the CPU at any time. For example, there are more than 200 tasks on
the 5300LI. The number of tasks running in the system varies according to the device model.
Generally, if the device supports a large number of features, more tasks run in the system.
Because the system is always operating, CPU usage cannot be 0% even though no service
configuration and network traffic exists on the device. In a stack, the stack member status needs
to be periodically maintained, and most services are running on the master switch. A switch has
a higher CPU usage when it functions as the master switch in a stack. When the number of stack
member switches increases, CPU usage of the master switch increases accordingly.
In the following scenarios, the CPU runs with a heavy load and cannot schedule other tasks in
a timely manner. As a result, services may become abnormal.
- Packets are sent from the forwarding plane to the CPU at a high rate. For example, owing
to a network loop, the CPU receives a large number of packets within a short period.
You can run the display cpu-usage command on the device to view the current CPU usage,
including the average CPU usage within the last 5 seconds, last 1 minute, and last 5 minutes,
the highest CPU usage, the time at which the highest CPU usage occurred, and the CPU usage of
current tasks within the last 5 seconds in descending order.
NOTE
In most cases, common data packets are forwarded by switch hardware without involving the CPU.
Therefore, a high CPU usage does not affect data forwarding.
Multicast packets
PIM, IGMP, MLD, and MSDP packets
Unknown IP multicast packets
Other packets
DHCP packets
ARP and ND broadcast request packets as well as ARP packets sent when dynamic
ARP inspection is configured on a Layer 2 switch
L2PT software forwarded Layer 2 protocol packets (Devices on two ends of a tunnel
forward Layer 2 protocol packets through software, and intermediate devices forward
these packets through hardware.)
First packet in N:1 VLAN mapping (Subsequent packets are forwarded through
hardware.)
Switches use the QoS mechanism to process the packets sent to the CPU and ensure that
important packets are processed first. Switches classify the packets sent to the CPU into eight
queues of different priorities according to packet type. Different switch models may support
different types of packets sent to the CPU. The following uses S5300LI as an example. Table
5-1 and Figure 5-1 describe queue classification on the packets sent to the CPU. A larger queue
ID indicates a higher queue priority.
Table 5-1 Queue classification on packets sent to the CPU
Queue ID
Packet Type
Description
VP
ARP Request
Other
Other
Switches determine which CPU queue packets will be placed into based on the packet importance
and plane (management, control, or forwarding plane). CPU queues have different priorities.
For example, when Telnet management packets and Layer 2 protocol packets transparently
forwarded through L2PT software are buffered, the CPU first processes the Telnet management
packets in queue 5 to ensure device stability and manageability when CPU load is high.
Additionally, the CPU uses the weighted scheduling mechanism to ensure that packets in low-priority queues can be processed. On a stable network, the number of packets sent to the CPU
is limited to a specified range, and CPU usage remains within a specified range. If a large number
of packets are sent to the CPU within a specified period, the CPU is busy processing these
packets, resulting in high CPU usage.
CPU usage does not exceed 80% when a device runs for a long period.
CPU usage does not exceed 95% when the device runs for a short period.
In the following scenarios, CPU usage may become high. This is normal and does not indicate
a fault.
Spanning tree
In MSTP, CPU usage is directly proportional to the number of instances and active ports.
In VBST, each VLAN runs an independent instance. Therefore, VBST uses more CPU
resources than MSTP when VBST and MSTP have the same number of VLANs and ports.
Command execution
CPU usage temporarily becomes high when some commands are executed for a long period,
for example:
The copy flash:/ command is executed in the user view.
Some debugging commands that have a large amount of display information are
executed, especially when debugging information is displayed through the serial port.
Other scenarios
A port fast learns MAC addresses after having the sticky MAC function enabled.
Port groups are used to add a large number of ports to a large number of VLANs and
change the link type of these ports.
Frequent or a large number of IGMP requests
Frequent network management operations
A large number of concurrent DHCP requests (For example, when a switch functions
as a DHCP server, it restores connections with a large number of users.)
ARP broadcast storm
Ethernet broadcast storm
A large number of concurrent protocol packets are forwarded through software. For
example, L2PT transparently transmits a large number of BPDUs within a short time
or DHCP relay/snooping-enabled switch forwards DHCP packets through software.
A large number of data packets that cannot be forwarded through hardware are sent to
the CPU, such as ARP Miss packets.
A port frequently alternates between Up and Down states.
A switch cannot forward or respond to client requests in time, causing DHCP or IEEE
802.1x failures.
Packets software forwarded through the CPU are discarded or the delay in forwarding
packets is increased.
When CPU usage becomes high, identify the symptoms, clarify the problem, confirm the root
cause, and rectify the problem. For example, consider the following points:
Is the high CPU usage a normal situation? Does it need to be rectified? If so, how can it be
rectified?
Constantly changing: System CPU usage varies according to the system operation and
external environment changes.
Non-real time: System CPU usage reflects CPU usage within a CPU statistical period.
Entity-related: CPU usage is calculated based on the physical CPU. Generally, each
physical entity has an independent physical CPU. Therefore, each member switch in a stack
has its own CPU usage.
IFPD      4%    0/1e575090
L2_P      3%    0/1a777526
FTS       2%    0/13ed6c3e
IPCQ      2%    0/1256ab6f
STP       2%    0/175350b9
VPR       2%    0/16254e6f
mv_rx7    2%    0/123d908c
VIDL      1%    0/ 5f5df6f
mv_rx6    1%    0/ db73d34
AAA       0%    0/   1d5c6
ACL       0%    0/  5fa8c7
ADPT      0%    0/       0
AGNT      0%    0/       0
AGT6      0%    0/       0
ALM       0%    0/       0
ALS       0%    0/ 3c2c178
AM        0%    0/  155db9
APP       0%    0/       0
ASFI      0%    0/       0
ASFM      0%    0/       0
BATT      0%    0/       0
BFD       0%    0/  3d8a91
BOX       0%    0/       0
BPDU      0%    0/   1f13d
BTRC      0%    0/    6295
CAPM      0%    0/       0
......
Obtaining Alarm Information and Log Information About a High CPU Usage
When CPU usage exceeds the alarm threshold, the system sends an alarm to the NMS and records
key information such as three tasks that consume most CPU resources into system logs. You
can obtain high CPU usage records through alarm information and log information.
detects the interface link status. These tasks maintain information about current
interfaces and peripheral components (such as optical modules) and interface status and
report interface events to service modules for processing. CPU usage of this type of task
may become high when a large number of interfaces exist, the interface link status flaps,
or optical modules become faulty.
DEFD/4/CPCAR_DROP_MPU:Rate of packets to cpu exceeded the CPCAR limit on the
MPU. (Protocol=[STRING], CIR/CBS=[ULONG]/[ULONG],
ExceededPacketCount=[STRING])
- Determine the type of packets sent to the CPU according to the service module usage.
When many protocol packets are sent to the CPU, the CPU usage of some protocol tasks
becomes high. Determine the packet type according to the CPU usage information of
protocol tasks. The following describes common important protocol tasks.
2.
Task Name
Description
ARP
DHCP
SNPG
ROUT
STP
Network Environment
Network environment factors such as network flapping, loops, and attacks often cause a high
CPU usage. Take different measures depending on causes:
Network flapping
When network flapping occurs, the network topology changes frequently. The device is
busy processing network switching events, causing a high CPU usage. Common network
flapping includes STP flapping and routing protocol flapping:
STP flapping
STP flapping occurs on Layer 2 networks. When STP flapping occurs frequently, the
device needs to perform STP calculation continuously. The forwarding tables such as
MAC address tables and ARP tables are updated accordingly, causing a high CPU usage.
Fault Location
- If you suspect that frequent STP flapping is occurring on a network, run the display stp
topology-change command to check STP topology change information.
- When you determine that there is frequent network topology change, run the display
stp tc-bpdu statistics command to check the statistics on received TC BPDUs to
determine the source of the TC BPDUs.
- Find the device that sends TC BPDUs according to the source of the TC BPDUs, and
analyze the STP topology change cause according to network management events and
system logs on the device.
Suggestion
- If the user-side interface Up/Down event causes the STP topology change, run the stp
edged-port enable command in the interface view to configure the user-side interface
as the edge port and run the stp bpdu-protection command to enable BPDU protection.
- If the root bridge is preempted, run the stp root-protection command on the expected
root port to enable root protection, ensuring that the STP topology is correct.
- If TC BPDUs are used to attack a network, run the stp tc-protection command on the
attacked port to enable TC protection to reduce the impact of the attack on the device.
- If the topology change cause cannot be located or the fault persists after the preceding
measures are taken, contact Huawei technical support personnel.
Routing protocol flapping
Routing protocol flapping will cause routing information readvertisement and routing
table recalculation. This affects the CPU usage. In practice, OSPF is often used on the
switch to manage dynamic routing information.
Fault Location
Check the cause for the OSPF neighbor Down event according to logs. Run the display
logbuffer command to check the following log:
OSPF/3/NBR_DOWN_REASON:Neighbor state leaves full or changed to Down.
(ProcessId=[USHORT], NeighborRouterId=[IPADDR],
NeighborAreaId=[ULONG], NeighborInterface=[STRING],NeighborDownImmediate
reason=[STRING], NeighborDownPrimeReason=[STRING],
NeighborChangeTime=[STRING])
The NeighborDownImmediate reason parameter indicates the cause for the OSPF
neighbor Down event. The causes are as follows:
- Neighbor Down Due to Inactivity: The device does not receive Hello packets within
the dead time from the neighbor.
- Neighbor Down Due to Kill Neighbor: The device interface used to establish the OSPF
neighbor relationship becomes Down, the BFD session becomes Down, or the reset
ospf process command is executed. You can view the NeighborDownPrimeReason
parameter to determine the detailed cause.
- Neighbor Down Due to 1-Wayhello Received or Neighbor Down Due to
SequenceNum Mismatch: The OSPF status of the remote device first goes Down and
the remote device sends a 1-Wayhello packet to the local device. As a result, the OSPF
status of the local device also becomes Down. In this situation, check whether the fault
is caused by the remote device.
Suggestion
The common causes for the OSPF neighbor Down event include interface flapping and
flooding of many LSAs. Take different measures depending on the cause.
- Interface link flapping
The interface link flapping causes the OSPF neighbor relationship flapping. Check the
interface Up/Down event in logs. If the interface link flapping occurs, check the link of
the interface.
- Flooding of many LSAs
When many LSAs are flooded, many LS UPDATE messages are generated on the
network. The device is busy processing LS UPDATE messages. As a result, Hello
packets cannot be processed in a timely manner and the OSPF status becomes Down.
You are advised to perform the following operations:
If the dead time of the OSPF neighbor relationship is smaller than 20s, run the ospf
timer dead interval command to change the dead time to a value larger than 20s.
Run the sham-hello enable command in the OSPF view to enable the Sham-Hello
function. That is, the device is allowed to maintain the OSPF neighbor relationship by
sending non-Hello packets such as LSUs.
If the fault persists after the preceding measures are taken, contact Huawei technical
support personnel.
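The OSPF/3/NBR_DOWN_REASON log described above can be triaged in bulk from saved display logbuffer output. The following Python sketch is an added example, not part of the original guide: it parses the log's parenthesized fields, attaches the explanation this guide gives for each immediate reason, and counts repeated Down events per neighbor to highlight flapping. All field values in the sample lines are constructed, and the threshold of three events is a hypothetical choice.

```python
import re
from collections import Counter

# Explanations taken from the immediate-reason list in this section.
HINTS = {
    "Neighbor Down Due to Inactivity":
        "no Hello packet received from the neighbor within the dead time",
    "Neighbor Down Due to Kill Neighbor":
        "local interface or BFD session Down, or reset ospf process executed; "
        "check NeighborDownPrimeReason",
    "Neighbor Down Due to 1-Wayhello Received":
        "remote device went Down first; check the remote device",
    "Neighbor Down Due to SequenceNum Mismatch":
        "remote device went Down first; check the remote device",
}

LOG_RE = re.compile(r"OSPF/3/NBR_DOWN_REASON[^:]*:.*?\((?P<body>.*)\)\s*$")
# Fields are comma separated; a new field starts where "<Key>=" follows the comma.
SPLIT_RE = re.compile(r",\s*(?=[A-Za-z][A-Za-z ]*=)")

def parse_nbr_down(line):
    """Return the log's fields plus a 'hint', or None for other log lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for part in SPLIT_RE.split(m.group("body")):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    reason = fields.get("NeighborDownImmediate reason", "")
    fields["hint"] = HINTS.get(reason, "reason not described in this section")
    return fields

def flapping_neighbors(lines, min_events=3):
    """Return {(router id, interface): count} for neighbors with repeated Down events."""
    events = [e for e in map(parse_nbr_down, lines) if e]
    counts = Counter((e.get("NeighborRouterId"), e.get("NeighborInterface"))
                     for e in events)
    return {key: n for key, n in counts.items() if n >= min_events}

def _sample(router, ifname, immediate, prime, when):
    # Builds a constructed log line in the format quoted in this section.
    return ("OSPF/3/NBR_DOWN_REASON:Neighbor state leaves full or changed to Down. "
            f"(ProcessId=1, NeighborRouterId={router}, NeighborAreaId=0, "
            f"NeighborInterface={ifname},NeighborDownImmediate reason={immediate}, "
            f"NeighborDownPrimeReason={prime}, NeighborChangeTime={when})")

# Constructed sample log lines (all values are illustrative).
SAMPLE = [
    _sample("10.1.1.2", "Vlanif100", "Neighbor Down Due to Inactivity",
            "Hello Not Seen", "2015-01-20 10:00:05"),
    _sample("10.1.1.2", "Vlanif100", "Neighbor Down Due to Inactivity",
            "Hello Not Seen", "2015-01-20 10:02:41"),
    _sample("10.1.1.2", "Vlanif100", "Neighbor Down Due to Inactivity",
            "Hello Not Seen", "2015-01-20 10:05:13"),
    _sample("10.1.1.6", "Vlanif200", "Neighbor Down Due to Kill Neighbor",
            "Physical Interface State Change", "2015-01-20 10:06:00"),
    "DEFD/4/CPCAR_DROP_MPU:Rate of packets to cpu exceeded the CPCAR limit on the "
    "MPU. (Protocol=ospf, CIR/CBS=64/10000, ExceededPacketCount=120)",
]

if __name__ == "__main__":
    for (router, ifname), n in flapping_neighbors(SAMPLE).items():
        print(f"{router} on {ifname}: {n} Down events")
```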
Network loops
When network loops occur, MAC address flapping frequently occurs and many protocol
packets are sent to the device for processing due to broadcast storms. As a result, the CPU
usage becomes high.
Fault Location
Network loops cause broadcast storms and may also lead to the following problems:
Users cannot log in to the device remotely.
The display interface command output shows a large number of broadcast packets
received on one or more interfaces.
It takes a long time to log in to the device from the serial port.
The device CPU usage exceeds 70%.
A large number of ICMP packets are lost in ping tests.
Indicators of interfaces in the VLAN where a loop has occurred blink at a higher
frequency than usual.
PCs receive many broadcast packets.
MAC address flapping frequently occurs.
Loop alarms are generated when loop detection is enabled.
Suggestion
1. Determine the interface where broadcast storms occur according to the interface
indicator status and traffic.
2. Check devices where loops occur hop by hop according to the topology.
3. Locate the interface where a loop occurs and remove the loop.
4. If the fault persists after the preceding measures are taken, contact Huawei technical
support personnel.
Network attacks
Network hosts or devices send many abnormal exchange requests to attack other network
devices, affecting the security and service running of the network devices. When network
attacks occur, the device is busy processing abnormal exchange requests from the attack
source. As a result, the CPU usage becomes high.
Fault Location
The network attacks causing a high CPU usage include ARP packet attacks, ARP Miss
packet attacks, DHCP attacks, and BPDU attacks. In these attacks, many protocol packets
are sent to the device, so you can view statistics on such protocol packets on the device.
ARP packet attacks and ARP Miss packet attacks
Run the display arp packet statistics command to check statistics on ARP packets and
focus on values of ARP Pkt Received and ARP-Miss Msg Received. Determine the
network attack type according to the statistics.
NOTE
In a stack scenario, the display arp packet statistics command displays only the statistics on
ARP packets on the master switch.
Run the debugging arp packet command to enable ARP packet debugging. Check the
source of a large number of sent ARP or ARP Miss packets.
DHCP attacks
Run the display dhcp statistics command to check the statistics on DHCP packets. If
DHCP packets are sent at an unusually high rate, a DHCP attack is occurring.
TC BPDU attacks
See the fault location in "STP flapping."
Suggestion
If ARP packet attacks, ARP Miss packet attacks, and DHCP attacks occur, enable
automatic attack source tracing to detect attacks.
If TC BPDU attacks occur, see the suggestions in "STP flapping."
Concurrent Services
The impact of many concurrent services on the CPU usage is similar to the impact of network
attacks on the CPU usage, and the fault scenario is also similar (many users go online and many
ARP and DHCP packets are exchanged). The difference is that protocol packets for concurrent
services are normal and protocol packets for network attacks are malicious ones. The fault
location is similar, but the processing is different.
Fault Location
See the fault location in "Network attacks."
Suggestion
Adjust service deployment and migrate some hosts or services to other devices.
Reduce the CPCAR value of some protocol packets. This adjustment may reduce the user
login rate. Exercise caution when you perform this operation.
User Operations
Generally, when NMS synchronization operations are performed or many command outputs are
delivered to terminals, the CPU usage becomes high. In this case, network management events
occur.
Fault Location
Collect the CPU usage of each task when the CPU usage is high. If the AGNT or AGT6
tasks show a high CPU usage, NMS synchronization operations cause the fault. If the VT
tasks show a high CPU usage, delivering many command outputs to terminals causes the fault.
Suggestion
The high CPU usage caused by user operations does not last for a long period of time and services
are not affected. If user network management operations are appropriate and do not affect
services, this situation can be ignored. If the CPU usage becomes high continuously or services
are affected, contact Huawei technical support personnel.
Port group feature: When a port group has more than 40 member ports, adding these member
ports to 4096 VLANs in batches may cause CPU usage to exceed 80% in a short period.
Therefore, you are advised to add the member ports to no more than 500 VLANs in batches.
LNP feature: When the type of more than 20 ports is changed in batches, CPU usage may
exceed 80% in a short period. Therefore, you are advised to change the type of ports one
by one.
MAC feature: Frequent MAC address flapping may result in a high CPU usage. When
MAC address flapping may occur frequently, you are advised to run the mac-address
flapping action error-down command to set the action to be performed on the interface
where MAC address flapping occurs to error-down.
Loopback detection feature: When the ports on which loopback detection is enabled are
added to a total of more than 1024 VLANs, you are advised to run the loopback-detect
action shutdown command to shut down the ports on which loops are detected. The VLAN
counter increases by 1 every time a port is added to a VLAN, even when multiple ports are
added to the same VLAN.
Command
Syntax
Function
1731: Implement the Y.1731 protocol stack, manage the protocol state machine, and
maintain protocol databases.
AAA: Interact with modules such as the UCM and RADIUS modules, process user
authentication messages, and maintain authentication and authorization entries.
ADPT: Implement the EFM protocol, manage the protocol state machine, and maintain
protocol databases.
AM: Manage IP address pools and addresses and manage IP addresses for the DHCP
module.
ARP: Implement the ARP protocol, manage the protocol state machine, and maintain
protocol databases.
au_msg_hnd: Process AU messages. MAC entry learning and issuing are implemented
using AU messages.
BEAT: Send and receive heartbeat packets between boards to monitor inter-board
communication.
BFD: Implement the BFD protocol, manage the protocol state machine, and maintain
protocol databases.
bmLI: Scan port status and notify the application modules of status changes.
BOX: Output the data stored in a black box. A black box stores the error and exception
information generated during device operation.
CSBR: Check the configuration consistency between master and slave boards.
CSSM: Implement the stack protocol and manage the stack status.
DEFD: Monitor traffic sent to the CPU and maintain CPU protection data.
DHCP: Process the DHCP protocol and implement DHCP snooping and DHCP relay.
DLDP: Implement the DLDP protocol, manage the protocol state machine, and maintain
protocol databases.
EAP: Implement 802.1x authentication, MAC address authentication, and MAC address
bypass authentication, manage the protocol state machine, and maintain protocol databases.
EOAM: Implement the EOAM 802.1ag protocol, manage the protocol state machine, and
maintain protocol databases.
FCAT: Capture the packets sent or received by the CPU for fault location.
FIB: Generate IPv4 forwarding entries on the MPU and issue the entries to LPUs.
FIB6: Manage IPv6 FIB entries, maintain software entries, and request the application layer
to maintain chip entries.
frag_add: Synchronize MAC entries from the hardware table to the software table, walk
through the hardware table, and add the MAC entries that do not exist in the software table
to the software table.
frag_del: Synchronize MAC entries from the hardware table to the software table, walk
through the software table, and delete the MAC entries that do not exist in the hardware
table from the software table.
FTS: Receive packets. This task is created by FECD. After the driver receives packets, it
sends the packets to the FTS task for processing if these packets are not sent to the super
task for processing.
GVRP: Implement the GVRP protocol, manage the protocol state machine, and maintain
protocol databases.
HS2M: Synchronize data between the master and slave MPUs to ensure high reliability.
IFPD: Implement interface management, maintain interface data, and process interface
status changes.
INFO: Receive and send logs, alarms, and debugging information generated by service
modules.
IPCR: Send, receive, and distribute IPC messages to related service modules.
IPMC: Adapt to Layer 3 multicast protocols, monitor the control plane changes, and issue
forwarding entries.
L2MC: Listen to IGMP/MLD packets on LPUs and implement fast join/leave of channels.
L3IO: Issue entries of Layer 3 protocols, such as URPF and VRRP, on LPUs.
L3M4: Adapt to the ARP protocol on the MPU, issue IPv4 unicast forwarding entries, and
respond to the changes at the control plane.
L3MB: Adapt to Layer 3 protocols on the MPU such as URPF and VRRP, and issue
forwarding entries.
LACP: Implement the LACP protocol stack, manage the protocol state machine, and
maintain protocol databases.
LDT: Implement the LDT protocol, manage the protocol state machine, and maintain
protocol databases.
LLDP: Implement the LLDP protocol, manage the protocol state machine, and maintain
protocol databases.
LSPA: Maintain LSP forwarding entries and request the application-layer to maintain chip
entries.
MCSW: Adapt to the Layer 3 multicast protocol, respond to the changes at the control
plane, and issue forwarding entries.
NDMB: Adapt to the ND protocol on the MPU, issue IPv6 unicast forwarding entries, and
respond to the changes at the control plane.
NQAS: Respond to and process NQA events and packets as an NQA server.
NTPT: Implement the NTP protocol, manage the protocol state machine, and maintain
protocol databases.
OAM1: Adapt to the OAM 802.1ag protocol, respond to protocol-layer changes, and
process the changes at the forwarding plane.
OAMT: This is a task at the adaptation layer. Respond to protocol changes and maintain
chip entries.
PNGI: Provide the fast ping operation on LPUs and respond quickly to the ping operation.
PNGM: Provide the fast ping operation on MPUs and respond quickly to the ping operation.
PPI: This is a task at the adaptation layer. Maintain chip interface status.
QOSB: Issue QoS entries on LPUs and maintain issued QoS entries.
RACL: Create session table entries based on TCP/UDP/ICMP initial packet, and monitor
and age out session table entries.
RDS: Implement the RADIUS protocol, manage the protocol state machine, and maintain
protocol databases.
ROUT: Implement routing and route learning, select the optimal route, and issue FIB
entries.
RRPP: Implement the RRPP protocol on LPUs, detect interface status quickly, and issue
hardware entries.
SAPP: Manage application layer's protocol dictionary and whitelist, maintain software
entries and request the adaptation layer to set chip status.
SDKD: Detect the status of the interface connected to the backplane and collect the packet
rate on the interface.
SECB: Issue security entries to LPUs and maintain issued security entries.
SECE: Implement functions such as ARP, IP, and CPU security functions, manage the
protocol state machine, and maintain protocol databases.
SMAG: Smart Link agent. Quickly detect and process port status changes.
SMLK: Implement the SmartLink protocol, manage the protocol state machine, and
maintain protocol databases.
SRVC: Process DHCP packets related to IP sessions, and interact with the user management
and authentication and authorization module to carry out authorization and accounting.
STFW: Implement super forwarding and maintain forwarding entries in the trunk memory.
STP: Implement the STP protocol stack, manage the protocol state machine, and maintain
protocol databases.
STRA: Monitor and identify attack traffic and punish the attack source.
SUPP: Process interruption messages and timer messages in the device management
module.
TACH: Implement the HWTACACS protocol, manage the protocol state machine, and
maintain protocol databases.
tBulkClnt: USB insertion and removal driver management task (operating system task).
tUsbPgs: USB insertion and removal device management task (operating system task).
UCM: Interact with the AAA module, process user status, and maintain user tables.
UTSK: Optimize protocol processing and ensure the high priority of protocol packets.
VRRP: Implement the VRRP protocol stack, manage the protocol state machine, and
maintain protocol databases.
VT0: Authenticate the first login user and process the user's commands.
Object: hwEntityCpuUsage
OID: 1.3.6.1.4.1.2011.5.25.31.1.1.1.1.5
Data Type: Integer32
Description: This object indicates CPU usage.
Implemented Specifications: read-only

Object: hwEntityCpuUsageThreshold
OID: 1.3.6.1.4.1.2011.5.25.31.1.1.1.1.6
Data Type: Integer32
Description: This object indicates the CPU usage threshold. The value ranges from 2 to 100.
Implemented Specifications: read-write. The value ranges from 2 to 100. The default value is 95.
5.2.1 Ping
Ping Overview
Ping is a common method used to test whether a device is reachable. It uses a series of Internet
Control Message Protocol (ICMP) packets to determine:
• The round-trip delay in communication between the local and remote devices.
Ping Implementation
Figure 5-2 Ping process
Figure 5-2 shows the ping implementation process. SwitchA sends an ICMP Echo Request
packet to SwitchB. After receiving the Echo Request packet, SwitchB sends an ICMP Echo
Reply packet. The ping process is complete when SwitchA receives the Echo Reply packet.
The ping process is successful only when the following requirements are met:
• The Echo Request packet sent by the source reaches the destination.
• The Echo Reply packet sent by the destination reaches the source within a predetermined
timeout period. On a switch, the default timeout period is 2000 ms.
This document provides descriptions for only the commonly used parameters of the ping command. For
more information, including usage of supported ping commands, see the S2750EI&S5700 Series Ethernet
Switches Command Reference.
ping [ -a source-ip-address | -i interface-type interface-number | -m time | -c count | -f | -h ttl-value | { -s packetsize | -range [ min min-size | max max-size | step step-size ] * } | -t timeout ] * host
-a: specifies a source IP address for sending ICMP Echo Request packets. If this parameter
is not specified, the device uses the IP address of the outbound interface as the source IP
address of outgoing Echo Request packets.
-i: specifies an interface for sending ICMP Echo Request packets. If this parameter is not
specified, the device uses the default outbound interface to send Echo Request packets.
-m: specifies the interval for sending Echo Request packets. The default value is 500 ms.
-c: specifies the number of Echo Request packets to be sent. The default value is 5. You
can increase the number of outgoing Echo Request packets to obtain the packet loss ratio,
and further evaluate network quality.
-f: indicates that packets are not fragmented. After this parameter is specified, ICMP packets
are not fragmented. If the ICMP packet size exceeds the link MTU, the ICMP packet is
discarded. If you do not want ICMP packets to be discarded, do not specify this parameter
or increase the link MTU.
-h: specifies the time to live (TTL) value. The default value is 255. If the value of the TTL
field is reduced to 0 during packet forwarding, the device sends an ICMP Timeout packet
to the source, indicating that the destination is unreachable.
-s: specifies the length of an ICMP Echo Request packet (excluding the IP packet header
and ICMP packet header). The default packet length is 56 bytes.
-range: specifies the length of an ICMP Echo Request packet (excluding the IP packet
header and ICMP packet header) and the packet length increment (step). If this parameter
is specified, the length of the first packet is min, and the length of subsequent packets
increases by step until the packet length reaches the maximum value max. By default,
min is 56 bytes, max is 9600 bytes, and step is 1 byte.
min: specifies the minimum length of the payload in an ICMP Echo Request packet. The
default value is 56 bytes.
max: specifies the maximum length of the payload in an ICMP Echo Request packet. The
default value is 9600 bytes.
step: specifies the packet length increment. The default value is 1 byte.
-t: specifies the timeout period for an ICMP Echo Reply packet. The default value is 2000
ms. The device considers that the destination is unreachable if it does not receive an ICMP
Echo Reply packet within the timeout period. You can set this parameter to a larger value
to compensate for poor network quality.
The ping command provides a series of parameters. You can select different parameters by
factors such as the detection purpose, network type, and network status.
Ping Command Supported on a PC
The ping command differs on PCs running different operating systems. The following describes
the commonly used ping parameters supported on a Windows-based PC.
ping [ -a | -n number | -l number | -t | -f ] * ip-address
-t: indicates that the ping process continues until manual operations are performed. You
can press Ctrl+Break to pause the ping command and view the statistics, or press Ctrl
+C to terminate the running of the ping command.
Ping Example
The following describes ping commands on a switch.
The ping failure troubleshooting in this document is based on a lab environment. Device faults are simulated
in the lab according to the networking diagrams for fault location. If you perform the ping tests on a live
network where devices are configured, ensure that you know the potential impacts on the configurations.
In this document, only ping packets are obtained for fault analysis; therefore, private communication data
is not collected or stored. If you need to obtain packets carrying private data on a live network, ensure that
appropriate measures are taken to protect data privacy.
Segment-by-segment ping can be used to determine the location where the fault occurs,
reducing the fault range to a network segment.
Traffic statistics collection or packet capturing can be used to analyze the cause of a ping failure.
You can analyze collected packet statistics or obtained packet information to find the cause
of the fault and then rectify the fault accordingly.
Many issues can lead to a ping failure; therefore, you need to take various factors into
consideration during actual troubleshooting. Based on analysis of frequently occurring ping
failures, common causes of ping failure are as follows:
• ARP issue
• VLAN issue
• Routing issue
A ping failure can be regarded as severe ping packet loss. For details on how to troubleshoot a ping packet
loss, see Why Ping Packets Are Lost.
Fault Location
The following example shown in Figure 5-3 describes how to locate a ping failure.
Figure 5-3 Ping test networking
Fault Description
C:\Users> ping 192.168.4.41
Pinging 192.168.4.41 with 32 bytes of data:
Request timed out.
Request timed out.
...
Ping statistics for 192.168.4.41:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Troubleshooting Procedure
Troubleshoot a fault according to possible causes of the fault. The troubleshooting process is as
follows:
1.
2.
3.
4.
For details on how to configure traffic statistics collection and packet capturing, see References.
If the switches do not provide the packet capturing function, obtain third-party packet capturing software
and install it. For details on how to use the software, see the related software use guide.
If the PC fails to obtain packet information but SwitchA obtains packet information, the
computer settings are incorrect. Refer to Incorrect Computer Settings for the handling
method for the fault.
If neither the PC nor SwitchA obtains packet information, the physical link is faulty. Refer
to Physical Link Fault for the handling method for the fault.
If both the PC and SwitchA can only obtain ARP request packets, the fault is caused by an
ARP issue, a VLAN issue, or an access control issue. Refer to ARP Issue, VLAN Issue,
or Access Control Issue for the handling method for the fault.
If both the PC and SwitchA can correctly obtain ARP packets but not ICMP packets, the
fault is caused by an access control issue. Refer to Access Control Issue for the handling
method for the fault.
NOTE
All the above are common methods for fault location. On an actual network, you should troubleshoot a
fault by checking all the possible causes: Incorrect Computer Settings, Physical Link Fault, ARP
Issue, VLAN Issue, and Access Control Issue.
# Assume that the PC can successfully ping the IP address 192.168.1.10 of SwitchA but fails to
ping the IP address 192.168.2.21 of SwitchB. In addition, SwitchA can successfully ping the IP
address 192.168.2.21 of SwitchB.
The ping failure is caused by a routing issue. Refer to Routing Issue for the handling method
for the fault.
References
If you want to configure traffic statistics collection on the switches, refer to the following
configuration.
2.
3.
4.
5.
192.168.2.21 0
[SwitchA-acl-adv-3001] quit
2.
3.
4.
5.
Run the display traffic policy statistics interface gigabitethernet 0/0/2 inbound verbose
rule-base and display traffic policy statistics interface gigabitethernet 0/0/2 outbound
verbose rule-base commands to view interface traffic statistics.
Run the reset traffic policy statistics interface gigabitethernet 0/0/2 inbound and reset
traffic policy statistics interface gigabitethernet 0/0/2 outbound commands in the user
view to clear interface traffic statistics.
2.
3.
4.
2.
3.
4.
Run the display traffic policy statistics interface gigabitethernet 0/0/2 inbound verbose
rule-base and display traffic policy statistics interface gigabitethernet 0/0/2 outbound
verbose rule-base commands to view interface traffic statistics.
Run the reset traffic policy statistics interface gigabitethernet 0/0/2 inbound and reset
traffic policy statistics interface gigabitethernet 0/0/2 outbound commands in the user
view to clear interface traffic statistics.
If you want to capture packets through port mirroring, refer to the following configuration.
If the traffic volume on an interface is not heavy, configure port mirroring to check the
number of packets sent and received. (SwitchA is used as an example.)
1.
2.
If the traffic volume on an interface is heavy, configure traffic mirroring. (SwitchA is used
as an example.)
1.
2.
3.
4.
5.
6.
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] traffic-policy 3033 inbound
[SwitchA-GigabitEthernet0/0/2] traffic-policy 3033 outbound
[SwitchA-GigabitEthernet0/0/2] return
2. Run the ipconfig /all command to check whether the local network is correctly configured.
C:\Users> ipconfig /all
Windows IP Configuration
...
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . : huawei.com
Description . . . . . . . . . . . : Xen Net Device Driver
Physical Address. . . . . . . . . : 28-6E-D4-88-B7-19
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::dd9a:f549:2b85:b027%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
...
Default Gateway . . . . . . . . . : 192.168.1.1
...
3. Ping the local IP address to check whether the IP address of the computer is correct or
whether the network adapter is correctly configured.
C:\Users> ping 192.168.1.5
Pinging 192.168.1.5 with 32 bytes of data:
Reply from 192.168.1.5: bytes=32 time<1ms TTL=128
Reply from 192.168.1.5: bytes=32 time<1ms TTL=128
...
Ping statistics for 192.168.1.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
If "Request timed out" is displayed in the MS-DOS window, the network adapter is faulty or
incorrectly configured. Disconnect the network cable and ping the local
address again. If the ping succeeds, the local IP address is the same as the IP address of
another device. If the ping fails, the network adapter is faulty or
incorrectly configured. Check the related network configuration.
4. Ping the local gateway or the IP address of the local network segment to check the computer
hardware and the connection between the computer and the local network segment.
C:\Users> ping 192.168.1.11
Pinging 192.168.1.11 with 32 bytes of data:
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128
...
Ping statistics for 192.168.1.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
5. If the fault persists, change the firewall setting or perform the ping test on another computer.
Fault Description
The PC fails to ping the address 192.168.1.10 of SwitchA.
C:\Users> ping 192.168.1.10
Pinging 192.168.1.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Troubleshooting Procedure
1.
Packet headers cannot be obtained on the PC's network adapter and GE0/0/1 on
SwitchA.
• Ping 192.168.1.5 on SwitchA.
<SwitchA> ping 192.168.1.5
PING 192.168.1.5: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.1.5 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Packet headers are successfully obtained on the PC's network adapter and GE0/0/1 on
SwitchA. The captured packet information is shown as follows.
Figure 5-5 Packet information on the PC's network adapter
Compare the packet information obtained from the PC and SwitchA. You can see that
SwitchA successfully sends ICMP packets, while the PC's network adapter can only receive
ICMP packets but cannot send ICMP packets. The fault occurs on the PC.
2.
3. Ping SwitchA from the PC again. If the following information is displayed, the ping
succeeds and the fault is rectified.
C:\Users> ping 192.168.1.10
Pinging 192.168.1.10 with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time<1ms TTL=128
Reply from 192.168.1.10: bytes=32 time<1ms TTL=128
...
Ping statistics for 192.168.1.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Interfaces connected to optical fibers or network cables do not meet link deployment
requirements.
View the indicator status on an interface. If the indicator is off, the interface is not
connected. Replace the interface or network cable and try again.
Run the display interface interface-type interface-number command to view the interface
status and analyze the cause according to the command output.
Run the display stp brief, display rrpp verbose, and display smart-link group all
commands to check whether the device is running any Layer 2 protocols such as Spanning
Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), and Smart Link. Determine
whether the physical interface receiving ping packets is blocked by any of the protocols.
If the interface is blocked, modify the related configuration to unblock the interface.
Fault Description
SwitchA fails to ping the address 192.168.2.21 of SwitchB.
<SwitchA> ping 192.168.2.21
PING 192.168.2.21: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
Troubleshooting Procedure
1.
Description:
...
The command outputs on SwitchA and SwitchB show that the interfaces on the two
switches are in Down state. The ping failure may be caused by the physical link fault.
2.
Reply from 192.168.2.21: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 192.168.2.21: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 192.168.2.21: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.2.21: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 192.168.2.21: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 192.168.2.21 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
Run the display arp interface interface-type interface-number command to check whether
the device can correctly learn the ARP entry of a directly connected interface.
Run the display mac-address interface-type interface-number command to view the MAC
address entry and check whether the outbound interface of the entry is the same as that in
the ARP entry.
If ARP learning fails, check whether the interface, VLAN, VLANIF, and IP address are correctly
configured. If so, check whether the ARP and ARP security configurations limit ARP learning.
Fault Description
SwitchA fails to ping the address 192.168.2.21 of SwitchB.
<SwitchA> ping 192.168.2.21
PING 192.168.2.21: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.2.21 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Troubleshooting Procedure
1.
• Ping 192.168.2.20 on SwitchB and capture packets on GE0/0/2 of SwitchA and GE0/0/1
of SwitchB. The captured packet information is shown as follows.
To further locate the fault, check the ARP entries on GE0/0/2 of SwitchA and GE0/0/1 of
SwitchB.
• Check the ARP entries on SwitchA.
<SwitchA> display arp interface gigabitethernet 0/0/2
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Total:0         Dynamic:0       Static:0     Interface:0
The command outputs show that neither SwitchA nor SwitchB learns an ARP entry.
Compare packet information on GE0/0/2 of SwitchA with that on GE0/0/1 of SwitchB.
You can find that packets sent by SwitchA and SwitchB have different VLAN IDs.
GE0/0/2 allows packets from VLAN 20 to pass, and GE0/0/1 allows packets from
VLAN 25 to pass. ARP learning fails because the interfaces are added to different
VLANs.
2.
[SwitchA-GigabitEthernet0/0/2] display this
port link-type trunk
port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
The command outputs show that the configuration on SwitchB is incorrect and needs to be
modified.
3.
4.
Run the display port vlan interface-type interface-number command to check the VLAN
to which the interface belongs.
The VLAN to which an interface belongs is specified during network planning. If the
configuration is incorrect, add the interface to the correct VLAN.
Run the display port vlan interface-type interface-number command to check the link type
of the interface.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Interfaces of different link types process packets in different ways. If link type of the
interface is incorrect, configure a correct link type for the interface.
• Run the display interface brief and display ip interface brief interface-type interface-number commands to check the interface status and the IP address of the interface.
After you configure a VLANIF interface and add a physical interface to the corresponding
VLAN, ensure that the VLANIF interface is in Up state for communication. If the
configuration is incorrect, perform the correct configuration again.
Fault Description
SwitchA fails to ping the address 192.168.2.21 of SwitchB.
<SwitchA> ping 192.168.2.21
PING 192.168.2.21: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.2.21 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Troubleshooting Procedure
1.
The command outputs show that the ping fails because the link types of GE0/0/1 and
GE0/0/2 are different.
2.
The command outputs show that the configuration on SwitchB is incorrect and needs to be
modified.
3.
4.
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/16/50 ms
The number of routes in the device's routing table has reached the upper limit.
To determine whether a routing issue occurs, run the display ip routing-table command to
check the routing table. If no route to the destination network segment exists, re-configure the
routes.
In addition to routes to the destination device, you also need to check return routes from the
destination device. The device supports multiple routing protocols. You can configure a routing
protocol based on actual requirements.
Fault Description
SwitchA fails to ping the address 192.168.3.31 of SwitchC.
<SwitchA> ping 192.168.3.31
PING 192.168.3.31: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.3.31 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Troubleshooting Procedure
1.
The command outputs show that SwitchA does not have a route to the network segment
192.168.3.0.
2.
Reply from 192.168.3.30: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 192.168.3.30: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 192.168.3.30: bytes=56 Sequence=5 ttl=255 time=40 ms
--- 192.168.3.30 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/46/50 ms
The command outputs show that SwitchA can send packets to 192.168.3.0. Because
SwitchA and SwitchB are directly connected, and SwitchB has a route to 192.168.2.0,
SwitchA can receive response packets from SwitchB.
However, SwitchA cannot receive response packets from SwitchC, indicating that SwitchC
does not have a route to 192.168.2.0.
3.
4.
Generally, access control is configured to filter packets of specified types or with specified source
or destination addresses.
Common methods to determine an access control issue are as follows:
• Capture packets on an interface, analyze the obtained packet information, and check the
corresponding configuration.
As access control is commonly configured to ensure device security or meet service requirements, services
will not be affected even though a ping failure occurs. Exercise caution when you rectify such a fault to ensure
that the device can function properly.
Fault Description
SwitchA fails to ping the address 192.168.2.21 of SwitchB.
<SwitchA> ping 192.168.2.21
PING 192.168.2.21: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.2.21 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Troubleshooting Procedure
1.
• Ping 192.168.2.20 on SwitchB and capture packets on GE0/0/2 of SwitchA and GE0/0/1
of SwitchB. The captured packet information is shown as follows.
Figure 5-18 Packet information on GE0/0/2 of SwitchA
Compare packet statistics on GE0/0/2 of SwitchA and GE0/0/1 of SwitchB. You can find
that SwitchA successfully sends ping request packets but SwitchB does not respond to the
packets. SwitchB successfully sends ping request packets and receives response packets
from SwitchA; however, SwitchB does not process the packets.
According to the preceding analysis, you can see that the fault occurs on SwitchB as it does
not process ICMP Request and Reply packets. The cause of this phenomenon is that
SwitchB discards incoming ICMP packets because access control is configured on it.
2.
The command output shows that a traffic policy is configured on the interface.
# Check the traffic policy configuration.
<SwitchB> display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny
Total policy number is 1
<SwitchB> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: AND
Rule(s) : if-match acl 3000
Total classifier number is 1
<SwitchB> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny icmp (match-counter 0)
4.
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/36/50 ms
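The check in step 2 above follows a chain from traffic policy to classifier to ACL rule. As an added example (not part of the original guide), the Python code below parses the three display outputs shown for SwitchB and reports every chain that can drop ICMP. The function names are hypothetical, and the code assumes that a matched packet is dropped when either the ACL rule or the traffic behavior is deny, and that an advanced ACL rule for protocol ip also covers ICMP.

```python
import re

# Command output copied from the SwitchB example on this page.
POLICY_OUT = """\
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny
Total policy number is 1
"""
CLASSIFIER_OUT = """\
User Defined Classifier Information:
Classifier: tc1
Operator: AND
Rule(s) : if-match acl 3000
Total classifier number is 1
"""
ACL_OUT = """\
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny icmp (match-counter 0)
"""


def parse_policies(text):
    """Return {policy: [[classifier, behavior, [behavior action lines]], ...]}."""
    policies, policy, binding = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Policy:\s*(\S+)", line):
            policy, binding = policies.setdefault(m.group(1), []), None
        elif policy is not None and (m := re.match(r"Classifier:\s*(\S+)", line)):
            binding = [m.group(1), None, []]
            policy.append(binding)
        elif binding is not None and (m := re.match(r"Behavior:\s*(\S+)", line)):
            binding[1] = m.group(1)
        elif (binding is not None and binding[1] and line
              and not line.startswith(("Operator:", "Total "))):
            binding[2].append(line)  # action lines listed under the behavior
    return policies


def parse_classifiers(text):
    """Return {classifier: [numbers of the ACLs referenced by if-match acl]}."""
    classifiers, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Classifier:\s*(\S+)", line):
            current = classifiers.setdefault(m.group(1), [])
        elif current is not None:
            current.extend(re.findall(r"if-match acl (\d+)", line))
    return classifiers


def parse_acls(text):
    """Return {acl number: [(rule id, action, protocol, match counter or None)]}."""
    rule_re = r"rule (\d+) (permit|deny) (\S+)(?:.*\(match-counter (\d+)\))?"
    acls, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Advanced ACL (\d+)", line):
            current = acls.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(rule_re, line)):
            hits = int(m.group(4)) if m.group(4) is not None else None
            current.append((int(m.group(1)), m.group(2), m.group(3), hits))
    return acls


def icmp_blockers(policy_out, classifier_out, acl_out):
    """List each policy -> classifier -> ACL rule chain that can drop ICMP."""
    classifiers, acls = parse_classifiers(classifier_out), parse_acls(acl_out)
    findings = []
    for policy, bindings in parse_policies(policy_out).items():
        for classifier, behavior, actions in bindings:
            behavior_denies = any(a.lower() == "deny" for a in actions)
            for acl in classifiers.get(classifier, []):
                for rule_id, action, proto, hits in acls.get(acl, []):
                    if proto not in ("icmp", "ip"):
                        continue  # rule cannot match ICMP
                    # Assumption: either a deny rule or a deny behavior drops the packet.
                    if action == "deny" or behavior_denies:
                        findings.append({
                            "policy": policy, "classifier": classifier,
                            "behavior": behavior, "acl": acl, "rule": rule_id,
                            "action": action, "protocol": proto, "hits": hits,
                        })
    return findings


if __name__ == "__main__":
    for finding in icmp_blockers(POLICY_OUT, CLASSIFIER_OUT, ACL_OUT):
        print(finding)
```

Numbered advanced ACLs are the only kind parsed here, because that is what the page's output shows.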
The ping packet loss troubleshooting in this document is based on a lab environment. Device faults are
simulated in the lab according to the networking diagrams for fault location. If you perform the ping tests
on a live network where devices are configured, ensure that you know the potential impacts on the
configurations.
Segment-by-segment ping can be used to determine the location where the fault occurs,
reducing the fault range to a directly connected network segment.
Traffic statistics collection can be used to analyze the cause of ping packet loss. You can
analyze collected packet statistics to find the fault location and determine the cause of the fault.
Many issues can lead to ping packet loss; therefore, you need to take various factors into
consideration during actual troubleshooting. Based on analysis of frequently occurring ping
packet loss events, common causes of ping packet loss are as follows:
• Network loop
• ARP issue
• ICMP issue
NOTE
Ping packet loss does not mean poor network quality. In some cases, services can be normally transmitted
even when a ping packet loss occurs. Pay attention to the following points when analyzing a ping packet
loss:
• When packets are forwarded by device hardware at a high speed, packet loss will not occur. For
example, ping a PC from the device. When packets are sent to the CPU for processing but the CPU is
busy, packet loss will occur. For example, ping the IP address of a device.
• The CPU protection function is provided to protect a device against network attacks. When this function
is enabled, the device will discard ARP and ICMP packets whose Control Plane Committed Access
Rate (CPCAR) values exceed the limit, resulting in ping packet loss. In this case, services can be
transmitted normally.
Fault Location
The following example, shown in Figure 5-20, describes how to locate and rectify a ping packet
loss.
Figure 5-20 Ping test networking
Fault Description
C:\Users> ping -n 100 192.168.4.41
Pinging 192.168.4.41 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.4.41: bytes=32 time<1ms TTL=128
...
Reply from 192.168.4.41: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.4.41:
Packets: Sent = 100, Received = 80, Lost = 20 (20% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Troubleshooting Procedure
Troubleshoot a fault according to possible causes of the fault. The troubleshooting process is as
follows:
1.
2.
Ping SwitchA, SwitchB, SwitchC, and SwitchD from the PC. Determine the problematic
network segment based on the ping results. Assume that ping packet loss occurs when
the PC pings SwitchB. In this case, the fault occurs on the direct link between SwitchA and SwitchB.
3.
b.
c.
d.
e.
b.
c.
d.
e.
b.
c.
d.
e.
b.
c.
d.
e.
4.
If the number of outgoing packets on SwitchA is larger than the number of incoming packets
of SwitchB, the ping packet loss occurs on the link between SwitchA and SwitchB.
Troubleshoot the fault according to Physical Link Fault.
If the number of outgoing packets on SwitchA equals the number of incoming packets of
SwitchB, but the number of outgoing packets of SwitchB is less than the number of
incoming packets, the ping packet loss occurs on SwitchB. In this case, the fault may be
caused by a network loop or an ICMP issue.
Log in to SwitchB and run the display cpu-usage and display interface brief commands
to check whether the CPU and interface bandwidth usage is high. Run the display mac-address
flapping record or display trapbuffer command to check whether MAC address
flapping occurs. If the CPU and interface bandwidth usage is high or MAC address flapping
occurs, troubleshoot the fault according to Network Loop.
Log in to SwitchB and run the display cpu-defend statistics packet-type icmp all or
display anti-attack statistics icmp-flood command to check whether ICMP packets are
discarded. Run the display current-configuration | include icmp rate-limit command to
check whether the rate limit for ICMP packets is too low. If ICMP packets are discarded
or the rate limit for ICMP packets is too low, troubleshoot the fault according to ICMP
Issue.
If the number of outgoing packets on SwitchA is less than the number of ping packets sent
by SwitchA, the ping packet loss occurs on SwitchA. In this case, the fault may be caused
by a network loop or an ARP issue.
Log in to SwitchA and run the display cpu-usage and display interface brief commands
to check whether the CPU and interface bandwidth usage is high. Run the display
mac-address flapping record or display trapbuffer command to check whether MAC address
flapping occurs. If the CPU and interface bandwidth usage is high or MAC address flapping
occurs, troubleshoot the fault according to Network Loop.
Log in to SwitchA and run the display arp packet statistics and display cpu-defend
statistics commands to check whether ARP packets are discarded. If ARP packets are
discarded, troubleshoot the fault according to ARP Issue.
NOTE
To further locate the fault, you can ping SwitchA from SwitchB continuously to analyze the statistics. To
clear interface statistics, run the reset traffic policy statistics interface interface-type interface-number
{ inbound | outbound } command.
The transmit and receive optical powers of optical modules are too low.
Electrical interfaces work in different modes. For example, one interface works in
auto-negotiation mode while the other works in non-auto-negotiation mode.
NOTE
Electrostatic discharge cannot be implemented if a device is not grounded or the device is overheated due
to fan failures. In this case, ping packet loss may occur.
A physical link fault can be manually detected. For example, you can check the bend radius of
optical fibers, length of cables or fibers, and indicators of devices or PC's network adapter to
find a physical link fault. Generally, a physical link fault can be rectified after you replace the
faulty component.
Fault Description
Ping packet loss occurs when SwitchA pings the address 192.168.2.21 of SwitchB.
<SwitchA> ping -c 100 192.168.2.21
PING 192.168.2.21: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.21: bytes=56 Sequence=1 ttl=255 time=1 ms
Request time out
Reply from 192.168.2.21: bytes=56 Sequence=3 ttl=255 time=7 ms
Request time out
...
Reply from 192.168.2.21: bytes=56 Sequence=100 ttl=255 time=2 ms
--- 192.168.2.21 ping statistics ---
100 packet(s) transmitted
91 packet(s) received
9.00% packet loss
round-trip min/avg/max = 1/1/19 ms
Troubleshooting Procedure
1.
Interface: GigabitEthernet0/0/2
Traffic policy outbound: 3001
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
10,200 0 0
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/2
Traffic policy inbound: 3000
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
8,874 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/1
Traffic policy inbound: 3000
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
9,384 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/1
Traffic policy outbound: 3001
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
9,384 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------
View traffic statistics on SwitchA and SwitchB. You can see that the number of
incoming packets on SwitchA is less than the number of outgoing packets on SwitchB,
and the number of incoming packets on SwitchA is less than the number of outgoing
packets on SwitchA, indicating that the ping packet loss occurs on the link between
SwitchA and SwitchB.
2.
The test result shows that ping packet loss does not occur.
Run the display interface brief | include up command to view the traffic statistics on all
interfaces in Up state. If a network loop exists, the values of InUti and OutUti on the faulty
interface increase gradually to approximately 100%, which is much higher than the service
traffic volume.
First query result:
<SwitchA> display interface brief | include up
...
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
GigabitEthernet0/0/2        up    up       0.56%  0.56%          0          0
...
If ping packet loss is caused by network loops, configure protocols such as RRPP, SEP, Smart
Link, or STP/RSTP/MSTP on the device to detect and eliminate loops.
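The comparison of successive display interface brief results described above can be automated. The following Python sketch is an added example, not part of the guide: the two query results are constructed samples, and the near_full and min_rise thresholds are assumptions.

```python
import re

# Constructed samples (not from the guide) in the column order of
# "display interface brief":
# Interface PHY Protocol InUti OutUti inErrors outErrors
FIRST_QUERY = """\
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
GigabitEthernet0/0/1        up    up       0.01%  0.01%          0          0
GigabitEthernet0/0/2        up    up      91.20% 12.40%          0          0
GigabitEthernet0/0/3        up    up      41.00% 40.50%          0          0
"""
SECOND_QUERY = """\
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
GigabitEthernet0/0/1        up    up       0.01%  0.01%          0          0
GigabitEthernet0/0/2        up    up      92.00% 12.10%          0          0
GigabitEthernet0/0/3        up    up      98.00% 98.00%          0          0
"""

ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<phy>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<inuti>\d+(?:\.\d+)?)%\s+(?P<oututi>\d+(?:\.\d+)?)%\s+"
    r"(?P<inerr>\d+)\s+(?P<outerr>\d+)$"
)


def parse_brief(text):
    """Return {interface: (InUti, OutUti)} for every data row; skip headers."""
    table = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            table[match["name"]] = (float(match["inuti"]), float(match["oututi"]))
    return table


def loop_suspects(first, second, near_full=90.0, min_rise=5.0):
    """Interfaces whose InUti AND OutUti both climbed to nearly 100%.

    near_full and min_rise are assumed thresholds, not values from the guide.
    A link that is busy in one direction only, or that was already busy in
    the first query, is not reported.
    """
    before, after = parse_brief(first), parse_brief(second)
    suspects = []
    for name, (in_now, out_now) in sorted(after.items()):
        if name not in before:
            continue  # no baseline, so a rise cannot be established
        in_old, out_old = before[name]
        saturated = in_now >= near_full and out_now >= near_full
        rising = in_now - in_old >= min_rise and out_now - out_old >= min_rise
        if saturated and rising:
            suspects.append(name)
    return suspects


if __name__ == "__main__":
    for name in loop_suspects(FIRST_QUERY, SECOND_QUERY):
        print(f"possible loop on {name}: check for MAC address flapping")
```
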
Fault Description
Ping packet loss occurs when SwitchA pings the address 192.168.2.21 of SwitchB.
<SwitchA> ping -c 100 -m 5 192.168.2.21
PING 192.168.2.21: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.21: bytes=56 Sequence=1 ttl=255 time=1 ms
Request time out
Reply from 192.168.2.21: bytes=56 Sequence=3 ttl=255 time=7 ms
Request time out
...
Reply from 192.168.2.21: bytes=56 Sequence=100 ttl=255 time=2 ms
--- 192.168.2.21 ping statistics ---
100 packet(s) transmitted
92 packet(s) received
8.00% packet loss
round-trip min/avg/max = 1/1/17 ms
Troubleshooting Procedure
1.
Interface: GigabitEthernet0/0/2
Traffic policy outbound: 3001
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
10,200 0 0
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/2
Traffic policy inbound: 3000
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
9,384 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/1
Traffic policy inbound: 3000
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
10,200 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/1
Traffic policy outbound: 3001
Rule number: 1
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Classifier: 3001 operator and
Behavior: 3001
Board : 0
rule 5 permit icmp source 192.168.2.21 0 destination 192.168.2.20 0 (match-counter 0)
---------------------------------------------------------------------
Passed
Packets: Bytes: Rate(pps): Rate(bps):
92 9,384 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------
View traffic statistics on SwitchA and SwitchB. You can see that the number of outgoing
packets on SwitchA equals the number of incoming packets on SwitchB, but the number
of outgoing packets on SwitchB is less than the incoming packets, indicating that the
ping packets have been dropped on SwitchB. You need to further locate the cause of
the fault.
2.
Interface                   PHY   Protocol InUti  OutUti   inErrors  outErrors
...
GigabitEthernet0/0/3        up    up       98.00% 98.00%          0          0
GigabitEthernet0/0/4        down  down     0%     0%              0          0
...
The command output shows the CPU usage and interface bandwidth usage on SwitchB.
You can find that SwitchB discards ping packets, indicating that a loop may exist on the
network connected to SwitchB. To further determine the cause, disable GE0/0/3 on
SwitchB and perform the ping operation again.
# Disable GE0/0/3 on SwitchB.
<SwitchB> system-view
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] shutdown
[SwitchB-GigabitEthernet0/0/3] quit
3.
Summary
There are three types of loops:
Self-loop on an interface
During network deployment, a Tx-Rx self-loop usually occurs on an interface because
optical fibers are connected incorrectly or the interface is damaged by high voltage. As
shown in Figure 1-22, a self-loop occurs on an interface of the Switch. As a result, packets
sent from this interface are looped back to the interface, which may cause traffic forwarding
errors or MAC address flapping on the interface.
ARP security functions, such as ARP Miss suppression based on source IP address and
ARP rate suppression, are configured on a device, resulting in slow ARP learning.
A device is attacked by ARP packets and the number of ARP packets sent to the CPU
exceeds the CPCAR value. As a result, some ARP packets are discarded.
Run the display arp packet statistics command to check whether ARP packets are
discarded. You can check the ARP security configuration on the device to find the cause
of the fault.
If the fault is caused by incorrect ARP security configuration, re-configure ARP security
to enable the device to properly process ARP packets.
Run the display cpu-defend statistics command to check whether the CPU discards ARP
packets.
If the device is attacked by ARP packets, configure ARP security functions to defend
against ARP attacks and increase the CPCAR value for ARP packets. For example, the
configuration is as follows:
<SwitchA> system-view
[SwitchA] cpu-defend policy arp
[SwitchA-cpu-defend-policy-arp] car packet-type arp-reply cir 32
Warning: Improper parameter settings may affect stable operating of the system. Use this command under assistance of Huawei engineers. Continue? [Y/N]:y
[SwitchA-cpu-defend-policy-arp] car packet-type arp-request cir 32
Warning: Improper parameter settings may affect stable operating of the system. Use this command under assistance of Huawei engineers. Continue? [Y/N]:y
[SwitchA-cpu-defend-policy-arp] quit
[SwitchA] cpu-defend-policy arp global
Fault Description
SwitchA fails to ping the address 192.168.2.21 of SwitchB.
<SwitchA> ping -c 10000 192.168.2.21
PING 192.168.2.21: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
...
Reply from 192.168.2.21: bytes=56 Sequence=100 ttl=255 time=1 ms
...
Reply from 192.168.2.21: bytes=56 Sequence=10000 ttl=255 time=2 ms
--- 192.168.2.21 ping statistics ---
10000 packet(s) transmitted
9000 packet(s) received
10.00% packet loss
round-trip min/avg/max = 1/1/19 ms
Troubleshooting Procedure
1.
Interface: GigabitEthernet0/0/2
Traffic policy outbound: 3001
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
1100,384 0 0
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/2
Traffic policy inbound: 3000
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
1100,384 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/1
Traffic policy inbound: 3000
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
1100,384 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/1
Traffic policy outbound: 3001
Rule number: 1
Current status: OK!
Statistics interval: 300
Behavior: 3001
Board : 0
rule 5 permit icmp source 192.168.2.21 0 destination 192.168.2.20 0 (match-counter 0)
---------------------------------------------------------------------
Passed
Packets: Bytes: Rate(pps): Rate(bps):
8999 1100,384 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------
View traffic statistics on SwitchA and SwitchB. You can see that the number of outgoing
packets on SwitchA is less than the number of ping packets sent by SwitchA, indicating
that the ping packet loss occurs on SwitchA. The possible cause is that ARP learning
fails on SwitchA. Generally, ARP learning on SwitchA fails because SwitchB does not
respond with an ARP reply packet. Further troubleshoot SwitchB.
2.
...
Status Cir(Kbps) Cbs(Byte) Queue Port-
---------------------------------------------------------------------
8021x Enabled 256 32000 NA
arp-miss Enabled 64 10000 NA
arp-reply Enabled 1000 NA
arp-request Enabled 1000 NA
bfd Enabled 512 64000 NA
...
The command outputs show that SwitchB discards some ARP packets because the CPCAR
value is exceeded. As a result, ARP learning on SwitchA fails and ping packet loss occurs.
3.
4.
Ping packet loss occurs when ping packets are transmitted at high speeds. The fault will
not occur if the transmission speed is lowered.
Ping packet loss occurs regularly when large-sized ping packets are sent.
A device is attacked by ICMP packets and the number of ICMP packets sent to the CPU
exceeds the CPCAR value. As a result, some ICMP packets are discarded.
ICMP attack defense is configured on a device. When ICMP packets are sent at a speed
higher than the rate limit, the device discards ICMP packets.
ICMP rate limit is configured on a device. When ICMP packets are sent at a speed higher
than the rate limit, the device discards ICMP packets.
Run the display icmp statistics and display anti-attack statistics icmp-flood commands
to check whether the device discards ICMP packets.
If the device discards ICMP packets, re-configure ICMP security functions to enable the
device to properly process ICMP packets.
Check the rate limit for ICMP packets by viewing the icmp rate-limit total threshold
threshold-value configuration.
If the rate limit for ICMP packets is small, run the icmp rate-limit total threshold
threshold-value command to set a large value. For example, the configuration is as follows:
<SwitchA> system-view
[SwitchA] icmp rate-limit enable
[SwitchA] icmp rate-limit total threshold 500
Run the display cpu-defend statistics packet-type icmp all command to check whether
the CPU discards ICMP packets.
If the device is attacked by ICMP packets, configure ICMP security functions to defend
against ICMP attacks and increase the CPCAR value for ICMP packets. For example, the
configuration is as follows:
<SwitchA> system-view
[SwitchA] cpu-defend policy icmp
[SwitchA-cpu-defend-policy-icmp] car packet-type icmp cir 256
Warning: Improper parameter settings may affect stable operating of the system. Use this command under assistance of Huawei engineers. Continue? [Y/N]:y
[SwitchA-cpu-defend-policy-icmp] quit
[SwitchA] cpu-defend-policy icmp global
You can also rectify this fault by running the icmp-reply fast command to enable fast
ICMP reply.
Fault Description
SwitchA fails to ping the address 192.168.2.21 of SwitchB.
<SwitchA> ping -c 100 -m 5 192.168.2.21
PING 192.168.2.21: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.21: bytes=56 Sequence=1 ttl=255 time=1 ms
Request time out
...
Reply from 192.168.2.21: bytes=56 Sequence=100 ttl=255 time=2 ms
--- 192.168.2.21 ping statistics ---
100 packet(s) transmitted
92 packet(s) received
8.00% packet loss
round-trip min/avg/max = 1/1/17 ms
Troubleshooting Procedure
1.
Interface: GigabitEthernet0/0/2
Traffic policy outbound: 3001
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
10,200 0 0
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/2
Traffic policy inbound: 3000
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
9,384 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/1
Traffic policy inbound: 3000
Rule number: 1
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Classifier: 3000 operator and
Behavior: 3000
Board : 0
rule 5 permit icmp source 192.168.2.20 0 destination 192.168.2.21 0 (match-counter 0)
---------------------------------------------------------------------
Passed
Packets: Bytes: Rate(pps): Rate(bps):
100 10,200 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------

Interface: GigabitEthernet0/0/1
Traffic policy outbound: 3001
Rule number: 1
Current status: OK!
Statistics interval: 300
Packets: Bytes: Rate(pps): Rate(bps):
9,384 0 8
---------------------------------------------------------------------
Dropped
Packets: Bytes: Rate(pps): Rate(bps):
0 0 0 0
---------------------------------------------------------------------
View traffic statistics on SwitchA and SwitchB. You can see that the number of outgoing
packets on SwitchA equals the number of incoming packets on SwitchB, but the number
of outgoing packets on SwitchB is less than the incoming packets, indicating that the
ping packets have been dropped on SwitchB. You need to further locate the cause of
the fault.
2.
The command output shows that the rate limit for ICMP packets is 10 pps, which may cause
ping packet loss.
3.
4.
100 packet(s) transmitted
100 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/19 ms
Hop count
It takes time to forward packets from one hop to another; therefore, the larger the hop count,
the longer the network latency.
Network traffic
Packets wait in queues before they are processed by a device; therefore, a larger network
traffic volume takes a longer time for packet queuing and thereby causes a longer network
latency.
Insufficient memory
When a device receives a large number of packets and does not have sufficient memory to
process them, the processing speed drops and the network latency increases.
When packets are forwarded by a device's hardware at a high speed, the network latency
is low. For example, ping a PC from the device. When packets are processed by the CPU,
the network latency is high. For example, ping a device gateway.
Despite the long latency of pinging the gateway, forwarding of data packets does not slow
down because data packets are processed by the chip but not the CPU. You can enable the
fast ICMP reply function by running the icmp-reply fast command on the device to reduce
the latency. After this function is enabled, the device quickly responds to received Echo
Request packets destined for its own IP address. The CPU of the LPU directly responds to
the ICMP packets, which improves the ICMP processing speed and reduces network
latency.
To prevent impact of ping attacks on a device, ICMP packets have the lowest priority among
all packets and are the last packets to be transmitted and processed. Therefore, long latency
is caused.
5.2.5 Tracert
Tracert Overview
Tracert is a method used to test the reachability of the route that packets pass through from the
source to the destination. The tracert result can display the packet forwarding path. Tracert is
implemented based on the ICMP protocol. When a network failure occurs, you can use tracert
to locate faulty network nodes.
Tracert Implementation
Figure 5-28 Tracert process
Figure 5-28 shows the tracert implementation process. The process is described as follows:
1. The source end (SwitchA) sends a User Datagram Protocol (UDP) packet whose TTL value
is 1 and destination UDP port number is larger than 30000 to the destination device (log
host). Generally, UDP port numbers larger than 30000 are not used by any program.
2. After receiving the UDP packet, the first-hop host (SwitchB) determines that the destination
IP address of the packet is not the local IP address and decreases the TTL value by one.
The TTL value becomes 0, so SwitchB discards the UDP packet and sends an ICMP Time
Exceeded packet containing its local IP address 10.1.1.2 to SwitchA. SwitchA obtains the
IP address of SwitchB.
3. After receiving the ICMP Time Exceeded packet from SwitchB, SwitchA sends a UDP
packet with the TTL value of 2.
4. After receiving the UDP packet, the second-hop host (SwitchC) returns an ICMP Time
Exceeded packet containing its local IP address 10.1.2.2 to SwitchA. SwitchA obtains the
IP address of SwitchC.
5. The preceding process is repeated until the destination end determines that the destination
IP address of the UDP packet is its local IP address and processes the packet. The destination
end searches for the upper-layer protocol that uses the destination port number of the packet.
No program uses this UDP port number, so the destination end returns an ICMP Destination
Unreachable packet containing its local IP address 10.1.3.2.
6. After receiving the ICMP Destination Unreachable packet, the source end determines that
the UDP packet has reached the destination end, terminates the tracert process, and
generates the path of the UDP packet, which is 10.1.1.2 -> 10.1.2.2 -> 10.1.3.2.
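The exchange in steps 1 to 6 can be modelled offline. The following Python simulation is an added example, not code from the guide or the device: it reuses the three hop addresses above, also shows the effect of a large first TTL, a small maximum TTL, and a hop that sends no ICMP reply, and the starting port 33434 with one port per probe is an assumption.

```python
TIME_EXCEEDED = "ICMP Time Exceeded"
DEST_UNREACHABLE = "ICMP Destination Unreachable"

# Hop addresses from the walkthrough: SwitchB, SwitchC, destination (log host).
PATH = ["10.1.1.2", "10.1.2.2", "10.1.3.2"]
BASE_PORT = 33434  # assumed; the guide only says "larger than 30000"


def deliver(path, ttl, silent=frozenset()):
    """Carry one UDP probe along path.

    Returns (icmp_type, reporter_ip), or None when the hop that dropped the
    probe sends nothing back (tracert then prints "*").
    """
    for hop in path[:-1]:          # transit devices only
        ttl -= 1                   # not the destination: decrement TTL
        if ttl == 0:               # expired here: discard and report
            return None if hop in silent else (TIME_EXCEEDED, hop)
    # The probe reached the destination; no program uses the UDP port.
    return (DEST_UNREACHABLE, path[-1])


def tracert(path, first_ttl=1, max_ttl=30, silent=frozenset()):
    """Return [(ttl, reporter_ip or "*")] as the source end builds the path."""
    if not 1 <= first_ttl < max_ttl:
        raise ValueError("first-ttl must be smaller than max-ttl")
    rows = []
    for ttl in range(first_ttl, max_ttl + 1):
        reply = deliver(path, ttl, silent)
        if reply is None:
            rows.append((ttl, "*"))
            continue
        kind, reporter = reply
        rows.append((ttl, reporter))
        if kind == DEST_UNREACHABLE:   # destination reached: stop probing
            break
    return rows


def exchange_log(path, **options):
    """Both sides' messages for each probe, as printable lines."""
    lines = []
    for seq, (ttl, reporter) in enumerate(tracert(path, **options)):
        lines.append(f"source -> {path[-1]} UDP dport={BASE_PORT + seq} ttl={ttl}")
        if reporter == "*":
            lines.append("source <- (no reply before timeout)")
        else:
            kind = DEST_UNREACHABLE if reporter == path[-1] else TIME_EXCEEDED
            lines.append(f"source <- {reporter} {kind}")
    return lines


if __name__ == "__main__":
    print("\n".join(exchange_log(PATH)))
    print(tracert(PATH, first_ttl=5))            # first TTL beyond the hop count
    print(tracert(PATH, silent={"10.1.2.2"}))    # a hop that never answers
```

With first_ttl=5 the first probe already reaches the destination, so no transit hop is listed; with a silent hop the row shows "*" while later hops are still discovered.
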
This document provides descriptions for only the commonly used parameters of the tracert command. For
more information, including usage of supported tracert commands, see the S2750EI&S5700 Series Ethernet
Switches Command Reference.
-a: specifies the source IP address. If this parameter is not specified, the device uses the IP
address of the outbound interface as the source IP address of outgoing tracert packets.
-f: specifies the initial TTL. If the value of this parameter is greater than the number of hops
between the source and destination hosts, nodes along the path do not return ICMP Time
Exceeded packets to the source host because the value of the TTL field is greater than 0.
If a value has been set for max-ttl, the value of first-ttl must be smaller than that of max-ttl.
-m: indicates the maximum TTL. Generally, the value of max-ttl is the number of hops a
packet passes through. If a value has been set for first-ttl, the value of max-ttl must be larger
than that of first-ttl. By default, the value of max-ttl is 30.
-q: specifies the number of UDP packets sent each time. When the network quality is poor,
you can increase the number of outgoing UDP packets to ensure that the packets can reach
the destination device. By default, the device sends three UDP packets each time.
-w: specifies the timeout period for waiting for a response packet. If a UDP packet does
not reach the gateway within the specified timeout period, " * " is displayed. You are advised
to set the timeout period to a large value when the network quality is poor and network
speed is slow. The default value is 5000 ms.
host: specifies the IP address or domain name. If a domain name is specified, the device
performs domain name resolution (DNS) and displays the obtained IP address.
Tracert Example
<SwitchA> tracert 10.26.0.115
traceroute to 10.26.0.115(10.26.0.115), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.3.112.1 10 ms 10 ms 10 ms
2 10.32.216.1 19 ms 19 ms 19 ms
4 10.32.136.23 19 ms 39 ms 39 ms
5 * * *
6 * * *
7 * * *
8 10.26.0.115 69 ms 79 ms 79 ms
Item
Description
traceroute to
max hops
packet length
1 10.3.112.1 10 ms 10 ms 10 ms
5.2.6 Applications
5.2.6.1 Measuring Network Latency
5.2.6.2 Measuring Network Reliability
5.2.6.3 Measuring the Packet Size, Fragment Flag, and MTU
time=5
time=1
time=1
time=1
time=1
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/5 ms
The ping test result shows that the minimum, average, and maximum bidirectional latencies on
the network are 1 ms, 1 ms, and 5 ms respectively. The minimum, average, and maximum
unidirectional latencies on the network are 0.5 ms, 0.5 ms, and 2.5 ms respectively.
Note the following points when using ping to measure network latency:
The result of a latency test is accurate if you specify the source address and outbound
interface.
The time values obtained using ping are for the Round Trip Time (RTT), which is the time
between when an Echo Request packet is sent and the Echo Reply packet is received. The
unidirectional network latency is half of the time displayed in the command output.
The ping test result shows severe network jitter, which is generated because the control
module of the device takes time to receive and send packets. The network jitter does not
affect service forwarding of the device; therefore, you can ignore it.
When a large number of protocol or data packets are transmitted over a network, ping
packets compete for network resources with these packets. This may result in a long latency
or even ping packet loss.
When you test network latency on a multi-hop network, take load balancing into
consideration. The network latency of different load balancing paths is different.
The network latency is calculated in milliseconds. Values smaller than 1 ms are displayed
as 1 ms.
The ping test result shows that 3000 packets were sent and 2970 packets were received.
Therefore, the number of dropped packets is 30 (a packet loss ratio of 1.00%).
In this case, you need to measure the packet size and MTU on the network and check whether
packet fragmentation is allowed.
The following describes how to use the ping command to measure the MTU on an interface.
Two switches are located on the network shown in Figure 5-31. The ping parameters -range,
min, max, step, and -f are specified for the measurement.
NOTE
The ping command uses ICMP packets. The packet size in the ping command output is the payload length
of ICMP packets, excluding the length of the IP and ICMP packet headers. The IP packet header occupies
20 bytes and the ICMP packet header occupies 8 bytes additionally. You can determine the value of these
parameters according to your needs.
1. During the first measurement, the minimum packet length, maximum packet length, and
step are set to 900 bytes, 1050 bytes, and 50 bytes respectively, and packet fragmentation
is not allowed. This measurement can determine the maximum packet length allowed on
the network.
<SwitchA> ping -range min 900 max 1050 step 50 -f 192.168.2.21
PING 192.168.2.21: 900-1050 data bytes, press CTRL_C to break
Reply from 192.168.2.21: bytes=900 Sequence=1 ttl=255 time=1 ms
Reply from 192.168.2.21: bytes=950 Sequence=2 ttl=255 time=1 ms
Request time out (1000)
Request time out (1050)
2. The result of the first measurement shows that the packet length allowed on the network is
larger than 950 bytes and smaller than 1000 bytes. During the second measurement, the
minimum packet length, maximum packet length, and step are set to 950 bytes, 1000 bytes,
and 1 byte respectively, and packet fragmentation is not allowed.
<SwitchA> ping -range min 950 max 1000 step 1 -f 192.168.2.21
PING 192.168.2.21: 950-1000 data bytes, press CTRL_C to break
Reply from 192.168.2.21: bytes=950 Sequence=1 ttl=255 time=10 ms
...
Reply from 192.168.2.21: bytes=972 Sequence=23 ttl=255 time=5 ms
Request time out (973)
...
Request time out (1000)
3. The result of the second measurement shows that the maximum packet length allowed on
the network is 972 bytes. During the third measurement, the device only sends packets with
4096 bytes.
<SwitchA> ping -s 4096 192.168.2.21
PING 192.168.2.21: 4096 data bytes, press CTRL_C to break
Reply from 192.168.2.21: bytes=4096 Sequence=1 ttl=255 time=2 ms
Reply from 192.168.2.21: bytes=4096 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.21: bytes=4096 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.21: bytes=4096 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.21: bytes=4096 Sequence=5 ttl=255 time=9 ms
The maximum length of ping packets allowed on the network is 972 bytes.
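The two-pass narrowing above can be scripted against saved ping -range output. The following Python sketch is an added example, not part of the guide: it parses the reply and timeout lines in the format shown, rejects sweeps where loss is not size-related, and derives the IP packet size from the 20-byte and 8-byte header lengths given in the NOTE. The second-pass output is constructed, because the guide elides most of its lines.

```python
import re

IP_HEADER = 20    # bytes, from the NOTE in this section
ICMP_HEADER = 8   # bytes, from the NOTE in this section

REPLY = re.compile(r"Reply from \S+ bytes=(\d+)")
TIMEOUT = re.compile(r"Request time out\s*\((\d+)\)")

# First measurement as shown in the guide (wrapped lines rejoined).
FIRST_PASS = """\
PING 192.168.2.21: 900-1050 data bytes, press CTRL_C to break
Reply from 192.168.2.21: bytes=900 Sequence=1 ttl=255 time=1 ms
Reply from 192.168.2.21: bytes=950 Sequence=2 ttl=255 time=1 ms
Request time out (1000)
Request time out (1050)
"""


def second_pass_sample(limit=972, host="192.168.2.21"):
    """Constructed full output of the 950-1000 sweep with step 1."""
    lines = [f"PING {host}: 950-1000 data bytes, press CTRL_C to break"]
    for seq, size in enumerate(range(950, 1001), start=1):
        if size <= limit:
            lines.append(f"Reply from {host}: bytes={size} Sequence={seq} ttl=255 time=1 ms")
        else:
            lines.append(f"Request time out ({size})")
    return "\n".join(lines) + "\n"


def bracket(text):
    """Return (largest payload answered, smallest payload lost)."""
    answered = [int(n) for n in REPLY.findall(text)]
    lost = [int(n) for n in TIMEOUT.findall(text)]
    if not answered or not lost:
        raise ValueError("sweep did not cross the limit; widen min/max")
    if max(answered) > min(lost):
        # A smaller packet was lost while a larger one passed: the loss is
        # not caused by packet size, so no MTU can be read from this sweep.
        raise ValueError("loss is not size-related; fix the packet loss first")
    return max(answered), min(lost)


def next_step(text, host):
    """Either the next narrowing command or the final result."""
    low, high = bracket(text)
    if high - low == 1:
        packet = low + IP_HEADER + ICMP_HEADER
        return f"done: payload {low} bytes, IP packet {packet} bytes"
    return f"ping -range min {low} max {high} step 1 -f {host}"


if __name__ == "__main__":
    print(next_step(FIRST_PASS, "192.168.2.21"))
    print(next_step(second_pass_sample(), "192.168.2.21"))
```
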
6 Important Notes
Important Notes
6.1.2 Ensure That All Cards Are Securely Locked in the Chassis
Description: After inserting a card into a chassis, make sure that it is completely seated in the
chassis and locked by the eject levers. Otherwise, problems such as card registration failure or
packet loss may occur.
Reason: If a card is not securely locked in the chassis, it cannot exchange signals with the
backplane normally.
Identification method: Figure 6-1 shows a loosely installed card.
Figure 6-1 Loosely installed card
Suggestion: Check all cards after the installation to ensure that each card is securely locked in
the chassis by the eject levers.
Versions involved: all versions
Suggestion: Install a tray or a pair of guide rails in the cabinet and mount the chassis on the tray
or guide rails. Ensure that the chassis is closely attached to the tray or guide rails.
Versions involved: version independent
OM1 33 m
OM2 82 m
OM3 300 m
Reason: The transmission distance depends on specifications of the optical fibers used.
Identification method: Look up the model of the optical module in the Hardware
Description to obtain the maximum transmission distance based on the type of optical fibers
used.
Suggestion: Select optical fibers based on the actual transmission distance.
Versions involved: version independent
6.2.5 When Configuring STP on an Eth-Trunk, Set the Cost of the Eth-Trunk to a Fixed Value
6.2.6 The S6300 Series Switches Support Copper Transceiver Modules Since V200R002
6.2.7 CSS ID Is a Mandatory Parameter for CSS Configuration
6.2.8 IPv6 Features of Modular Switches Are Controlled by Licenses
Identification method: Run the display vlan 1 command to check whether an interface is in
VLAN 1, and run the display interface vlanif command to check whether VLAN 1 is used as
the management VLAN.
Suggestion: Remove unnecessary interfaces from VLAN 1 to prevent loops in this VLAN.
Versions involved: all versions
Identification method: Run the display this interface command in the interface view to check
the duplex mode of the interfaces.
[HUAWEI-GigabitEthernet0/0/1] display this interface
..........
Duplex: FULL,
Negotiation: ENABLE
Suggestion: Change the negotiation modes of the interfaces or improve the link quality to ensure
that the interfaces work in full duplex mode.
Versions involved: all versions
Identification method: Run the display css status command to check the CSS parameters on
a switch.
[HUAWEI] display css status
Suggestion: Run the set css id command to change the CSS ID of one switch to 2.
Versions involved: all modular switch versions that support the CSS feature
7 Prewarning
Prewarning
You can view prewarning information about the S series switches using the following navigation
path after logging in to http://support.huawei.com/enterprise:
Navigation path: Support > News > Product News > Warning Notices > Enterprise Networking
> Switch > Campus Switch
Table 7-1 List of warning notices about the S series switches
Product              Link
S series switches    http://support.huawei.com/enterprise/NewsReadAction.action?newType=03&contentId=NEWS1000002855&idAbsPath=03_ROOT|03Second_0305|7919710|9856733|7923144
S series switches    http://support.huawei.com/enterprise/NewsReadAction.action?newType=03&contentId=NEWS1000003677&idAbsPath=03_ROOT|03Second_0305|7919710|9856733|7923144