Sx300 Series Switches Maintenance Guide

Sx300 Series Switches
Maintenance Guide
Issue
02
Date
2015-01-20
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://enterprise.huawei.com
Issue 02 (2015-01-20)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.

Maintenance Guide
About This Document
About This Document

Intended Audience
This document provides guidance for maintaining the S series switches, covering FAQ, common
maintenance commands and preventive inspection guide, troubleshooting guide, typical
troubleshooting cases, configuration notes, and prewarning.
Maintenance personnel must have the following qualifications:
l
Be familiar with the current network topology and NE version information.
Have equipment maintenance experience and be familiar with equipment maintenance

methods.
Applicable Versions
This document is applicable to V200R003 and earlier versions of the S series switches.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Conventions
Symbol
Description
Indicates an imminently hazardous situation which, if not
avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if not
avoided, could result in death or serious injury.
avoided, may result in minor or moderate injury.
Issue 02 (2015-01-20)

ii

Maintenance Guide
About This Document
Symbol
Description
avoided, could result in equipment damage, data loss,
performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to
personal injury.
Calls attention to important information, best practices and
tips.
NOTE is used to address information not related to
personal injury, equipment damage, and environment
deterioration.
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Issue 02 (2015-01-20)
Issue
Release Date
Description
02
2015-01-20
The second commercial release.
01
2014-10-30
Initial official release.

iii

Maintenance Guide
1 FAQ
FAQ
1.1 Hardware
1.1.1 How Do I View the Transmit and Receive Optical Power of an Optical Module?
1.1.2 How Do I Identify Combo Interfaces of a Switch?
1.1.3 Why Are Only Two Optical Interfaces Displayed After a 4-Port Front subcard Is Installed
in an S5300?
1.1.4 When and How Should a Surge Protector Be Used on a Fixed Switch?
1.1.5 What Are Similarities and Differences Between Console and Mini USB Interfaces?
1.1.6 Are Subcards of Fixed Switches Hot Swappable?
1.1.7 Can AC and DC Power Supplies Be Installed on the same Switch?
1.1.8 Can a 10GE Optical Interface Use a GE Optical Module?
1.1.9 Can a GE Optical Interface Use a 100M Optical Module?
1.1.10 Can a GE Optical Interface Use a 10GE Optical Module?
1.1.11 Which Product Models Support Copper Transceiver Modules?
1.1.12 Can a GE Optical Interface Be Manually Configured as a 100M Interface to Work with
Another 100M Optical Interface?
1.1.13 Can Two GE Interfaces Be Connected Using a 100M Network Cable?
1.1.1 How Do I View the Transmit and Receive Optical Power of an

Optical Module?
Run the display transceiver verbose command.
1.1.1.1 In V100R006C03 or V100R006C05 of fixed or modular switches
1.1.1.2 In V200R001 of fixed switches
1.1.1.3 Modular Switch V200R001
1.1.1.4 Fixed Switch V200R002&V200R003
Issue 02 (2015-01-20)


Maintenance Guide
1 FAQ
1.1.1.5 Modular Switch V200R002&V200R003
1.1.1.1 In V100R006C03 or V100R006C05 of fixed or modular switches

The RX Power(dBM) field in the command output indicates the receive power of the optical
module, and the TX Power(dBM) field indicates the transmit power.
<Quidway> display transceiver interface gigabitethernet 0/0/1 verbose
GigabitEthernet0/0/1 transceiver information:
------------------------------------------------------------Common information:
Transceiver Type
:1000_BASE_SX_SFP
Connector Type
:LC
Wavelength(nm)
:850
Transfer Distance(m)
:300(50um),150(62.5um)
Digital Diagnostic Monitoring :YES
Vendor Name
:SumitomoElectric
Vendor Part Number
:HFBR-5710L
Ordering Name
:
------------------------------------------------------------Manufacture information:
Manu. Serial Number
:88K056C10353
Manufacturing Date
:2008-08-08
Vendor Name
:SumitomoElectric
------------------------------------------------------------Diagnostic information: //The diagnoistic information is displayed only in
V100R006C03.
Temperature(C)
:26.00
Temp High Threshold(C)
:85.00
Temp Low Threshold(C)
:-40.00
Voltage(V)
:3.29
Volt High Threshold(V)
:3.64
Volt Low Threshold(V)
:2.95
Bias Current(mA)
:4.57
Bias High Threshold(mA)
:9.00
Bias Low Threshold(mA)
:2.00
RX Power(dBM)
:-40.00
RX Power High Threshold(dBM) :0.00
RX Power Low Threshold(dBM) :-16.99
TX Power(dBM)
:-5.03
TX Power High Threshold(dBM) :-2.22
TX Power Low Threshold(dBM) :-6.99
------------------------------------------------------------User information:
THIS_IS_A_TEST
------------------------------------------------------------Diagnostic information:
Temperature(C)
:40.21
Temp High Warning Threshold(C)
:93.00
Temp Low Warning Threshold(C)
:-30.00
Temp High Alarm
Threshold(C)
:110.00
Temp Low Alarm
Threshold(C)
:-40.00
Voltage(V)
Volt High Warning
Volt Low Warning
Volt High Alarm
Volt Low Alarm
Threshold(V)
Threshold(V)
Threshold(V)
Threshold(V)
:3.26
:3.70
:2.90
:3.90
:2.70
Bias
Bias
Bias
Bias
Bias
Threshold(mA)
Threshold(mA)
Threshold(mA)
Threshold(mA)
:23.78
:70.00
:4.00
:80.00
:2.00
Current(mA)
High Warning
Low Warning
High Alarm
Low Alarm
RX Power(dBM)
Issue 02 (2015-01-20)
:-31.10


Maintenance Guide
1 FAQ
RX
RX
RX
RX
Power
Power
Power
Power
High
Low
High
Low
Warning
Warning
Alarm
Alarm
Threshold(dBM)
Threshold(dBM)
Threshold(dBM)
Threshold(dBM)
:-1.00
:-20.00
:0.75
:-23.97
TX Power(dBM)
:-5.78
TX Power High Warning Threshold(dBM) :-1.00
TX Power Low Warning Threshold(dBM) :-11.50
TX Power High Alarm
Threshold(dBM) :0.99
TX Power Low Alarm
Threshold(dBM) :-13.50
-------------------------------------------------------------
1.1.1.2 In V200R001 of fixed switches

Gigabitethernet0/0/1 transceiver information:
Transceiver Type
:OC3_INTER_REACH_SFP
Connector Type
:LC
Wavelength(nm)
:1310
:15000(9um)
Vendor Name
:HUAWEI
Vendor Part Number
:34060358
Ordering Name
:
Manu. Serial Number
:EH1048220807
Manufacturing Date
:2010-12-06
Vendor Name
:HUAWEI
------------------------------------------------------------Alarm information:
RX loss of signal
RX power low
Temperature(C)
:26.00
:85.00
:-40.00
Voltage(V)
:3.29
:3.64
:2.95
Bias Current(mA)
:4.57
:9.00
:2.00
RX Power(dBM)
:-40.00
TX Power(dBM)
:-5.03
-------------------------------------------------------------
1.1.1.3 Modular Switch V200R001

The Current Rx Power(dBM) field in the command output indicates the current receive power
of the optical module, and the Current Tx Power(dBM) field indicates the current transmit
power.
Issue 02 (2015-01-20)


Maintenance Guide
1 FAQ
Transceiver Type
:OC3_INTER_REACH_SFP
Connector Type
:LC
Wavelength(nm)
:1310
:15000(9um)
Vendor Name
:HUAWEI
Vendor Part Number
:34060358
Ordering Name
:
Manu. Serial Number
:EH1048220807
Manufacturing Date
:2010-12-06
Vendor Name
:HUAWEI
RX loss of signal
RX power low
Temperature(C)
:18
Voltage(V)
:3.32
Bias Current(mA)
:8.12
:27.34
:2.17
Current Rx Power(dBM)
:-30.00
Default Rx Power High Threshold(dBM) :0.00
Default Rx Power Low Threshold(dBM) :-16.99
Current Tx Power(dBM)
:-4.42
Default Tx Power High Threshold(dBM) :0.00
Default Tx Power Low Threshold(dBM) :-9.50
User Set Rx Power High Threshold(dBM) :0.00
User Set Rx Power Low Threshold(dBM) :-16.99
User Set Tx Power High Threshold(dBM) :0.00
User Set Tx Power Low Threshold(dBM) :-9.50
-------------------------------------------------------------
1.1.1.4 Fixed Switch V200R002&V200R003

Gigabitethernet0/0/1 transceiver information:
Transceiver Type
:1000_BASE_SX_SFP
Connector Type
:LC
Wavelength(nm)
:850
:300(50um),150(62.5um)
Vendor Name
:SumitomoElectric
Vendor Part Number
:HFBR-5710L
Ordering Name
:
Manu. Serial Number
:88K056C10353
Manufacturing Date
:2008-08-08
Vendor Name
:SumitomoElectric
Temperature(C)
:26.00
:85.00
:-40.00
Voltage(V)
:3.29
:3.64
Issue 02 (2015-01-20)


Maintenance Guide
1 FAQ

:2.95
Bias Current(mA)
:4.57
:9.00
:2.00
RX Power(dBM)
:-40.00
TX Power(dBM)
:-5.03
-------------------------------------------------------------
1.1.1.5 Modular Switch V200R002&V200R003

The Current Rx Power(dBM) field in the command output indicates the current receive power
of the optical module, and the Current Tx Power(dBM) field indicates the current transmit
power.
Transceiver Type
:1000_BASE_SX_SFP
Connector Type
:LC
Wavelength(nm)
:850
:500(50um),300(62.5um)
Vendor Name
:FINISAR CORP.
Vendor Part Number
:FTLF8519P2BNL-HW
Ordering Name
:
Manu. Serial Number
:PEP3L5D
Manufacturing Date
:2008-12-05
Vendor Name
:FINISAR CORP.
TX power low
Temperature(C)
:39
Voltage(V)
:3.31
Bias Current(mA)
:6.59
:10.50
:2.50
Current Rx Power(dBM)
:-2.23
Default Rx Power High Threshold(dBM) :3.01
Default Rx Power Low Threshold(dBM) :-15.02
Current Tx Power(dBM)
:-2.45
Default Tx Power High Threshold(dBM) :3.01
Default Tx Power Low Threshold(dBM) :-9.00
User Set Rx Power High Threshold(dBM) :3.01
User Set Rx Power Low Threshold(dBM) :-15.02
User Set Tx Power High Threshold(dBM) :3.01
User Set Tx Power Low Threshold(dBM) :-9.00
-------------------------------------------------------------
1.1.2 How Do I Identify Combo Interfaces of a Switch?

A combo interface is a dual-purpose interface consisting of an Ethernet optical interface and an
Ethernet electrical interface on the panel. The electrical and optical interfaces of a combo
interface are multiplexed, and only one of them can work at a time.
Issue 02 (2015-01-20)


Maintenance Guide
1 FAQ
NOTE
In V100R003 and earlier versions, a combo interface works as an optical interface by default.
In V100R005 and later versions, a combo interface works in auto mode by default and automatically
determines the interface type depending on whether the optical interface has an optical module installed:
l If the optical interface has no optical module installed and the electrical interface has no network cable
connected, the interface type depends on which interface is connected first. If the electrical interface
is connected by a network cable first, the electrical interface is used for data switching. If the optical
interface has an optical module installed first, the optical interface is used for data switching.
l If the electrical interface has a network cable connected and is in Up state, the electrical interface is
still used for data switching when the optical interface has an optical module installed.
l If the optical interface has an optical module installed, it is still used for data switching when the
electrical interface has a network cable connected, regardless of whether the optical interface is in Up
state.
l If the optical interface has an optical module installed (with optical fibers connected) and the electrical
interface has a network cable connected, the optical interface is used for data switching after the switch
restarts.
You can use the combo-port command to configure a combo interface to work as an electrical or optical
interface.
You can use the following methods to identify a combo interface on a switch:
l
Identify a combo interface based on the interface identifier on the switch panel. If two
interfaces have the same ID but connect to different transmission media, the two interfaces
are multiplexed as a combo interface. As shown in Figure 1-1, interfaces 1 and 2 are combo
interfaces.
Figure 1-1 Combo interfaces on a switch
Run the display interface command to check whether an interface is a combo interface.
<HUAWEI> display interface gigabitethernet 1/0/1
...
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9e80-2494
Port Mode: COMBO AUTO
Speed : 100, Loopback: NONE
1.1.3 Why Are Only Two Optical Interfaces Displayed After a 4-Port
Front subcard Is Installed in an S5300?
This is because no extended channel rear card is installed in the switch.
An S5300SI or S5300EI switch can provide only two optical interfaces for front subcard. If a
4-port front subcard is installed, the switch must use an ES5D00ETPB00 extended channel rear
subcard to provide the other two interfaces. Without an extended channel rear subcard, only two
optical interfaces are displayed.
l
Issue 02 (2015-01-20)
If a 4-port GE front subcard (LS5D00E4GF01/LS5D0E4GFA00) and an ES5D00ETPC00

rear stack card (working normally) are used together in a switch, only the first and second
interfaces on the front card can work normally, and the other two interfaces cannot be used.

Maintenance Guide
1 FAQ
If a 4-port 10GE front subcard (LS5D00E4XY01) and an ES5D00ETPC00 rear stack card
(working normally) are used together in a switch, only the first and third interfaces on the
front subcard can work normally, and the other two interfaces cannot be used.
NOTE
The available interfaces on the LS5D00E4XY01 front subcard are displayed as XGigabitEthernet */1/1
and XGigabitEthernet */1/2 on the CLI, corresponding to physical interfaces 1 and 3 on the front subcard.
* indicates a slot ID on the switch.
1.1.4 When and How Should a Surge Protector Be Used on a Fixed

Switch?
Common Causes of Lightning Strikes
l
Outdoor network cables or power cables are routed overhead.
A switch is deployed outdoors but is not properly grounded.
Damages of Lightning Strikes

l
If power cables of a switch are routed overhead in an outdoor environment, lightning strikes
may burn the power supplies.
If network cables of a switch are routed overhead in an outdoor environment, lightning

strikes may burn interfaces of the switch.
When a switch undergoes lightning strikes, overvoltage is induced by lightning on network

cables and transmitted to interior of the chassis. The surge protection measures, such as lightning
rod and chassis grounding cannot prevent the damage. Therefore, surge protectors or surge
protection circuits are recommended.
Surge Protector Use Precautions

Take the following precautions to protect a switch from lightning:
l
Ensure that the ground cable is connected to a ground bar or a ground point on the cabinet.
Avoid routing cables overhead in an outdoor environment. Bury cables underground or

route them in steel tubes.
To protect network interfaces against lightning, use 8-line surge protectors (or Huawei
certified 4-line surge protectors).
When installing a network interface surge protector, connect the IN end to terminals and
the OUT end to network interfaces of the switch.
If a fixed switch is installed in a network box, as shown in Figure 1-2, follow the instructions :
l
Connect the ground cables of the switch and surge protectors to the ground bar in the
network box.
The maximum length of a ground cable cannot exceed 40 cm, and a length of smaller than
15 cm is recommended.
If the network box is located outdoors and power cables are routed aerially over a long
distance (more than 300 m) to the network box, it is recommended that you install a power
Issue 02 (2015-01-20)


Maintenance Guide
1 FAQ
supply surge protector in the network box. The decoupled power cable must be at least 3
m long.
Figure 1-2 Cable connection in a network box
1.1.5 What Are Similarities and Differences Between Console and

Mini USB Interfaces?
The console interface can be connected to an operation terminal for onsite configuration. It must
be used with a console cable. After a switch is powered on for the first time, you need to log in
to the switch through the console interface to configure the switch.
The Mini USB interface is also used to connect an operation terminal to the switch. The Mini
USB and console interfaces are logically the same interface. Only one of the Mini USB and
console interfaces can be used at a time. The Mini USB interface is preferred.
1.1.6 Are Subcards of Fixed Switches Hot Swappable?

Subcards of the S5300-SI and S5300-EI are not hot swappable. Subcards of the S3300-HI,
S5300-HI, and S5310-EI are hot swappable.
Issue 02 (2015-01-20)


Maintenance Guide
1 FAQ
1.1.7 Can AC and DC Power Supplies Be Installed on the same

Switch?
Fixed Switches
Product Type
Model
Can AC and DC Power

Supplies Be Installed on the
same Switch?
S3300/S5300/S6300
S3326C-HI
Yes
S5310-28C-EI
Yes
S5310-52C-EI
Yes
S5328C-HI
Yes
S5328C-HI-24S
Yes
S3300-52P-EI
Yes
S5300-EI (non-PoE)
No
S5300-SI (non-PoE)
No
S6300
No
Modular Switches
AC and DC power supplies cannot be installed in the slots of the same type on the same switch,
and the power supplies of different power cannot be installed on the same switch.
1.1.8 Can a 10GE Optical Interface Use a GE Optical Module?

Fixed Switches
10GE XFP interfaces cannot use GE optical modules. Only 10GE SFP+ interfaces on certain
switch models and versions can use GE optical modules. For details, see Table 1-1.
Table 1-1 10GE interface support for GE optical modules
Series
Support for 10GE

Interface
Support for GE Optical Module on

10GE Optical Interface
S2300
Not supported
NA
S2350
S3300
Issue 02 (2015-01-20)


Maintenance Guide
1 FAQ
Series
Support for 10GE

Interface
Support for GE Optical Module on

10GE Optical Interface
S5300-LI
Supported (fixed interfaces of

the models with an X in
product names, for example,
S5300-28X-LI-AC)
Supported
S5300-SI
Supported by all models

except the TP models (10GE
interface cards)
Supported
S5300-EI
Supported (10GE interface

cards)
Not supported
S5300-HI
Supported (10GE interface

cards)
Supported
S5310-EI
Supported (fixed interfaces or

interfaces on 10GE interface
cards)
Supported
S6300
Supported (fixed interfaces)
Supported
On the S6300 of V100R006C00SPC800,
when a GE optical module is installed on a
10GE optical interface, the interface speed
automatically changes to 1000 Mbit/s and the
interface works in non-auto-negotiation
mode. If the 10GE interface connects to a GE
interface, the GE interface must also work in
non-auto-negotiation mode. Otherwise, the
two interfaces cannot go Up. After patch
V100R006SPH005 is loaded, the 10GE
optical interface with a GE optical module
installed can be switched to the autonegotiation mode using the negotiation
auto command. The interface can then
communicate with an optical interface that
works at 1000 Mbit/s in auto-negotiation
mode.
In versions later than
V100R006C00SPC800, a 10GE interface
automatically works at 1000 Mbit/s in autonegotiation mode after a GE optical module
is installed.
Modular Switches
10GE interfaces on the following cards support GE optical modules:
Issue 02 (2015-01-20)

10

Maintenance Guide
1 FAQ
S9300: LE0DX16SFC00, LE0DX40SFC00
S9300E: LE0DX16SFC00, LE0DX40SFC00, LE2D2X48SEC0

NOTE
You are not advised to install a low-speed optical module on a high-speed optical interface.
1.1.9 Can a GE Optical Interface Use a 100M Optical Module?

Fixed Switches
Whether a GE interface can use a 100M optical module depends on device models and software
version, as shown in Table 1-2 .
Table 1-2 GE interface support for 100M optical modules
Series
Support for GE Optical

Interface
Support for 100M Optical Module

on GE Optical Interface
S2300
Supported only on combo optical

interfaces and 100/1000BASE-X optical
interfaces
S2350

interfaces
S3300

interfaces
S5300-LI

interfaces
S5300-SI

interfaces on GE interface cards)

interfaces, not on interface cards
S5300-HI

Supported only on 100/1000BASE-X

optical interfaces, not on interface cards
S5310-EI


interfaces, not on interface cards
S6300
10GE interfaces can be

configured as GE interfaces
Not supported
S5300-EI
Modular Switches
All GE optical interfaces on modular switches support 100M optical modules.
NOTE
You are not advised to install a low-speed optical module on a high-speed optical interface.
Issue 02 (2015-01-20)

11

Maintenance Guide
1 FAQ
1.1.10 Can a GE Optical Interface Use a 10GE Optical Module?

GE optical ports of the switch cannot use 10GE optical modules. Similarly, 100M optical ports
cannot use GE optical modules.
1.1.11 Which Product Models Support Copper Transceiver

Modules?
Fixed Switches
Huawei fixed switches support only one type of copper transceiver module: SFP-1000BaseT, a
GE copper transceiver module that has been certified by Huawei.
Table 1-3 describes the fixed switches' support for copper transceiver modules.
Table 1-3 Fixed switches' support for copper transceiver modules
Series
Support for GE Copper Transceiver Module
S2300
Not supported
S2350
Supported on all optical interfaces except the combo optical

interfaces
S3300
Not supported
S5300-LI

interfaces, in V200R002C00 and later versions
S5300-SI

interfaces
NOTE
10GE interface cards are supported in V200R002C00 and later versions.
When interfaces on a GE interface card use GE copper transceiver modules,
the interfaces can go Up, but the commands used for configuring the interface
speed, duplex mode, auto-negotiation, MDI, flow control, and virtual cable
test cannot be used on the interfaces.
S5300-EI

interfaces and interfaces on 10GE interface cards
NOTE
S5300-HI
Supported on all optical interfaces

NOTE
10GE interface cards are supported in V200R002C00 and later versions.
Issue 02 (2015-01-20)

12

Maintenance Guide
1 FAQ
Series
Support for GE Copper Transceiver Module
S5310-EI

interfaces, in V200R002C00 and later versions
S6300
Supported on all optical interfaces, in V200R001C01 and later

versions
Modular Switches
GE copper transceiver modules can be used on all GE optical interface cards and the 10GE
optical interface cards that support GE optical modules.
GE optical interface cards of modular switches support only Huawei-certified copper transceiver
modules. When non-Huawei-certified copper transceiver modules are installed on interfaces of
Huawei switches, the interfaces still work as optical interfaces.
1.1.12 Can a GE Optical Interface Be Manually Configured as a

100M Interface to Work with Another 100M Optical Interface?
It depends on the installed optical module. However, this method is not recommended even if
it is feasible.
1.1.13 Can Two GE Interfaces Be Connected Using a 100M Network

Cable?
In V100R006SPC800 and later versions, switch interfaces cannot work at a lower speed through
auto-negotiation by default. If two GE interfaces are connected using a 100M network cable
(Category-4 or lower category cable), the interface speed cannot be negotiated as 100 Mbit/s
and the two interfaces are in Down state. You can manually set the speed of the two interfaces
to 100 Mbit/s or replace the 100M network cable with a 1000M cable.
1.2 DHCP
1.2.1 What are functions of DHCP?
1.2.2 How Do I Configure a DHCP Server?
1.2.3 How Do I Configure the DHCP Relay Agent?
1.2.4 How Do I Configure DHCP Snooping?
1.2.5 How Do I Maintain DHCP?
1.2.6 How Can I Use the Extended DHCP Functions?
1.2.7 How Does a Switch Support DHCP?
1.2.1 What are functions of DHCP?

Dynamic Host Configuration Protocol (DHCP)dynamically manages and configures user IP
addresses based on the client/server model. DHCP clients request network configuration
Issue 02 (2015-01-20)

13

Maintenance Guide
1 FAQ
parameters from a DHCP server, and the DHCP server returns the parameters (including IP
addresses, subnet masks, and default gateway addresses) according to configured policies.
DHCP supports Option fields. For details about Option fields, see RFC2132.
The DHCP protocol structure involves the following roles:
l
DHCP Server
A DHCP server processes requests for address allocation, address renewal, and address release
from DHCP clients or DHCP relay agents, and allocates IP addresses and other network
configuration parameters to DHCP clients.
l
DHCP Relay
A DHCP relay agent forwards DHCP packets between clients and server to help the them
complete address configuration. The request packets sent by DHCP clients are broadcast on the
network. If the server and client are located on different links, the DHCP relay agent is required
to forward packets between the server and client. It is unnecessary to deploy a DHCP server on
each network segment. Therefore, network deployment costs are reduced and centralized device
management is implemented.
The DHCP relay agent is optional in a DHCP protocol structure. It is required only when DHCP
clients and server are on different network segments.
l
DHCP Client
DHCP clients obtain IP addresses and other network configuration parameters by exchanging
DHCP packets with the DHCP server. After the DHCP client function is configured on an
interface, the interface can function as a DHCP client to dynamically obtain configuration
parameters such as an IP address from a DHCP server. This facilitates device configurations and
centralized management.
1.2.2 How Do I Configure a DHCP Server?

A switch functioning as a DHCP server can allocate IP addresses to clients in either of the
following methods:
l
Allocating IP addresses using a global address pool
An IP address pool is created in the system view on a DHCP server. In the interface view, the
server is configured to allocate IP addresses, gateway addresses, and DNS server addresses to
clients based on the global address pool.
l
Allocating IP addresses using an interface address pool
An IP address pool is created in the interface view on a DHCP server. In the interface view, the
server is configured to allocate IP addresses, gateway addresses, and DNS server addresses to
clients based on the interface address pool.
NOTE
In the preceding configurations, the interface can be a VLANIF interface or a physical interface working
in Layer 3 mode. Since V200R005C00, the physical interfaces working in Layer 3 mode have supported
the preceding configurations.
Depending on creation methods, address pools are classified into interface address pools and
global address pools.
Issue 02 (2015-01-20)

14

Maintenance Guide
1 FAQ
Interface address pool

An IP address is allocated to the interface of the server connecting to clients. The address
pool is on the same network segment as the interface address, and the IP addresses in the
address pool can only be allocated to the clients connected to this interface. This method
is applicable only when the DHCP clients and server are on the same network segment.
For example, when a switch functions as a DHCP server, the switch can allocate IP
addresses to only the clients connected to one interface or allocate IP addresses of different
network segments to clients on different interfaces.
Global address pool

An address pool of the specified network segment is created in the system view. The IP
addresses in the address pool can be allocated to the clients connected to all interfaces on
the server. This method is applicable when:
The DHCP server and clients are on different network segments, and a DHCP relay
agent is deployed.
The DHCP server and clients are on the same network segment, and the server needs
to allocate IP addresses to only the clients connected to one interface or allocate IP
addresses of different network segments to clients on different interfaces.
As shown in Figure 1-3, the switch functions as a DHCP server to allocate IP addresses and
DNS address to the PC. Both the global and interface address pools can be used in this scenario.
Figure 1-3 A switch functions as a DHCP server
Configure the DHCP server to use a global address pool:

1.
Create an IP address pool.

<HUAWEI> system-view
[HUAWEI] ip pool 1 //Create an IP address pool.
[HUAWEI-ip-pool-1] network 10.10.10.0 mask 255.255.255.0 //Configure a
network segment.
[HUAWEI-ip-pool-1] gateway-list 10.10.10.1 //Configure the gateway
address.
[HUAWEI-ip-pool-1] excluded-ip-address 10.10.10.10 10.10.10.50 //
Configure a reserved IP address.
[HUAWEI-ip-pool-1] dns-list 10.8.8.8 //Configure a DNS server address.
[HUAWEI-ip-pool-1] lease day 0 hour 8 minute 0 //Configure the lease
period.
[HUAWEI-ip-pool-1] quit
2.
Enable the DHCP function.

[HUAWEI] dhcp enable //Enable DHCP globally.
3.
Enable DHCP server on VLANIF10 and configure the server to use the global address
pool.
[HUAWEI] interface vlanif10 //Enter the VLANIF interface view.
[HUAWEI-Vlanif10] ip address 10.10.10.1 255.255.255.0 //Configure IP
addresses.
[HUAWEI-Vlanif10] dhcp select global //Configure the DHCP server to use
the global address pool.
l
Issue 02 (2015-01-20)
Configure the DHCP server to use an interface address pool:

15

Maintenance Guide
1 FAQ
1.

[HUAWEI] dhcp enable
2.
Enable DHCP server on VLANIF10 and configure the server to use the interface
address pool.
NOTICE
Before running the dhcp select interface command, allocate an IP address to the
VLANIF interface.
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.10.10.1 255.255.255.0 //Configure a
network segment.
[HUAWEI-Vlanif10] dhcp select global //Configure the DHCP server to use
the interface address pool.
[HUAWEI-Vlanif10] dhcp server dns-list 10.8.8.8 //Configure a DNS server
address.
[HUAWEI-Vlanif10] dhcp server excluded-ip-address 10.10.10.10
10.10.10.50 //Configure a reserved IP address.
[HUAWEI-Vlanif10] dhcp server lease day 0 hour 8 minute 0 //Configure the
lease period.
[HUAWEI-Vlanif10] quit
1.2.3 How Do I Configure the DHCP Relay Agent?

When DHCP clients and server are on different network segments, a switch (which cannot be a
DHCP server) needs to be configured as the DHCP relay agent to forward request packets from
clients to the DHCP server.
NOTE
Before configuring a DHCP relay agent, ensure that reachable routes exist between clients and the DHCP
server.
The procedure for configuring DHCP relay agent is as follows:

1.
Configure a destination DHCP server group.

[HUAWEI] dhcp server group group1
[HUAWEI-dhcp-server-group-group1] dhcp-server 10.10.10.1
[HUAWEI-dhcp-server-group-group1] quit
2.

[HUAWEI] dhcp enable
3.
Configure DHCP relay on VLANIF100 and bind VLANIF100 to group1.

[HUAWEI] interface
[HUAWEI-Vlanif100]
[HUAWEI-Vlanif100]
[HUAWEI-Vlanif100]
[HUAWEI-Vlanif100]
vlanif 100
ip address 10.20.20.1 24
dhcp select relay
dhcp relay server-select group1
quit
1.2.4 How Do I Configure DHCP Snooping?

DHCP snooping is a DHCP security feature that intercepts and analyzes DHCP packets
transmitted between DHCP clients and a DHCP server. DHCP snooping creates and maintains
a DHCP snooping binding table, and filters untrusted DHCP packets according to the table. The
Issue 02 (2015-01-20)

16

Maintenance Guide
1 FAQ
binding table contains the MAC address, IP address, lease, binding type, VLAN ID, and interface
information.
The DHCP snooping binding entries are dynamically generated based on the DHCP ACK
packets received by trusted interfaces. The entries record the mappings between clients' IP
addresses and MAC addresses. DHCP snooping is equivalent to a firewall between DHCP clients
and the DHCP server to prevent DHCP Denial of Service (DoS) attacks, bogus DHCP server
attacks, and bogus DHCP request packet attacks, and ensure that only authorized users can access
the network.
Figure 1-4 Prevention against bogus DHCP server attack
In the scenario shown in Figure 1-4, the procedure for configuring bogus DHCP server attack
is as follows:
1.
Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
2.
Enable DHCP snooping on user-side interfaces GE0/0/2 and GE0/0/3.
[Quidway] interface gigabitethernet

[Quidway-GigabitEthernet0/0/2] dhcp
[Quidway-GigabitEthernet0/0/2] quit
[Quidway] interface gigabitethernet
[Quidway-GigabitEthernet0/0/3] dhcp
3.
0/0/2
snooping enable
0/0/3
snooping enable
Configure the DHCP server-side interface GE0/0/1 as a trusted interface.
[Quidway] interface gigabitethernet 0/0/1

[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
1.2.5 How Do I Maintain DHCP?

1.
Check whether the IP addresses run out.
Run the ping ip-address command to test whether an IP address is allocated to a client. If the
ping operation is successful, the IP address has been allocated. If the ping operation fails, the IP
address is idle.
Issue 02 (2015-01-20)

17

Maintenance Guide
2.
1 FAQ
Check IP addresses that are dynamically allocated.
Run the display ip pool name ip-pool-name used command on the DHCP server to check
allocated IP addresses.
3.
Reclaim IP addresses.
Run the reset ip pool { interface pool-name | name ip-pool-name } { start-ip-address [ endip-address ] | all | conflict | expired | used } command in the user view to manually reclaim IP
addresses in the address pool.
If an IP address has been manually bound to a MAC address, the binding is still valid after this
command is executed and the IP address cannot be allocated to other clients. To unbind the IP
address from the MAC address, run the following commands as required:
l
For a global address pool
undo static-bind [ ip-address ip-address | mac-address mac-address ]

l
For an interface address pool
undo dhcp server static-bind [ ip-address ip-address | mac-address mac-address ]
1.2.6 How Can I Use the Extended DHCP Functions?

l
How to bind a fixed IP address to a specified MAC address

There are two methods:
Based on a global address pool
[HUAWEI] ip pool 1
[HUAWEI-ip-pool-1] static-bind ip-address X.X.X.X mac-address H-H-H
Based on an interface address pool

[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] dhcp server static-bind ip-address X.X.X.X mac-address HH-H
NOTE
The IP address to be bound to a specified MAC address cannot be occupied. If the IP address is being
occupied, run the reset ip pool { interface pool-name | name ip-pool-name } { start-ip-address
[ end-ip-address ] | all | conflict | expired | used } command in the user view to reclaim the IP address
in the address pool.
How to enable authorized users with static IP addresses to go online

After the DHCP snooping and IPSG functions are enabled (using the ip source check userbind enable command), the switch discards packets from the authorized users with static
IP addresses because the switch does not have the dynamic DHCP snooping entries
matching the packets. As a result, the users cannot go online. To address this problem, you
can configure static binding entries for these users.
Run the following command.
In the system view:
user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> |
ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interfacetype interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]
Issue 02 (2015-01-20)

18

Maintenance Guide
1 FAQ
At least two attributes among IP address, MAC address, interface, and VLAN need to be
specified in a static binding entry. The effect varies depending on the bound attributes. At
most four attributes can be bound.
After the static binding entries are configured, authorized users with static IP addresses can
go online. If a static user changes the IP address, the user cannot go online because the
device has neither the dynamic nor static DHCP snooping binding entry of the user.
1.2.7 How Does a Switch Support DHCP?

l
Modular switch
All models and versions support DHCP server, DHCP relay, and DHCP snooping. The
DHCP client has been supported since V200R005C00.
Fixed switch
In the versions earlier than V200R005C00, S2300SI, S2300EI, S5306LI, and
S5300LI support only DHCP client, but do not support DHCP server or DHCP relay.
In the versions later than V200R005C00, all models except S5306LI, support DHCP
server, DHCP relay, and DHCP client. The S5306LI supports only DHCP client.
All models except S2300SI support DHCP snooping.
1.3 PoE
1.3.1 How Much Power Does a PoE Power Module Provide?
1.3.2 Which Switch Models Support the PoE Function?
1.3.3 Why Can't a PoE Card Be Registered?
1.3.1 How Much Power Does a PoE Power Module Provide?

Power over Ethernet (PoE) refers to power supply over a 10Base-T, 100Base-TX, or 1000BaseT Ethernet cable.
PoE provides power for terminals such as IP phones, access points (APs), portable device
chargers, point-of-sale (POS) machines, cameras, and data collectors. These terminals are
powered when they connect to the network, so the indoor power supply systems are not required.
IEEE 802.3af and IEEE 802.3at are PoE standards defined to provide remote power supply for
the devices from different vendors. IEEE 802.3af supports a maximum of 15.4 W power and
IEEE 802.3at supports a maximum of 30 W power.
Fixed switch
Fixed switches support 250 W (sales part number 02130878), 500 W (sales part number
02130879) PoE power modules. The actual available power of a 250 W PoE power module is
around 120 W (measured 123.2 W). The actual available power of a 500 W PoE power module
is around 370 W (measured 369.6 W).
A 250 W PoE power module can provide 802.3af full power on 8 interfaces or 802.3at full power
on 4 interfaces.
A 500 W PoE power module can provide 802.3af full power on 24 interfaces or 802.3at full
power on 12 interfaces.
Issue 02 (2015-01-20)

19

Maintenance Guide
1 FAQ
PoE supports remote power supply over a distance of up to 100 m.
Modular switch
Table 1-4 lists the PoE power modules supported by the S9300 series switches and the available
power they can provide.
NOTICE
Different types of power modules cannot be used in the same switch.
Table 1-4 PoE power modules supported by the S9300 series switches and their available power
PoE Power Module Supported
Maximum Available
Power
800 W AC power module (sales part number 0213085)
800 W
2200 W AC power module (sales part number 02130909)
2200 W
2200 W DC power module (sales part number 02270099)
Table 1-5 lists the PoE power that the S9300 series switches can provide and the number of PoE
interfaces they support.
Table 1-5 PoE power provided by the S9300 series switches and the number of PoE interfaces
supported
Chassis
Number of PoE
Power Modules
Supported
Maximum Power
Number of PoE Interfaces

Supported
S9303
2200 W
144
S9306
8800 W
288
S9312
576
1.3.2 Which Switch Models Support the PoE Function?

Fixed switches
You can use the display device command to check a switch's product name and determine
whether the switch supports the PoE function according to its product name.
l
Issue 02 (2015-01-20)
If the product name contains PWR, this switch model supports the PoE function.
20

Maintenance Guide
1 FAQ
If the product name does not contain PWR, this switch model does not support the PoE
function.
Modular switches
Among modular switches, only the S9300 series switches support the PoE function. The PoE
card of an S9300 is LE0DG48VEA00.
1.3.3 Why Can't a PoE Card Be Registered?

The PoE card of an S9300 is LE0DG48VEA00. The possible causes are as follows: 1. The PoE
power module is not installed in the PoE power slot. 2. The PoE power module is not powered
on. 3. The DIMM is faulty. For the handling methods, see "Cards Cannot Be Registered" in the
Hardware Troubleshooting.
1.4 NAT
1.4.1 Do Huawei Switches Support NAT?
1.4.2 How Do I Configure Outbound NAT to Enable Private Network Users to Access the
Internet?
1.4.3 How Do I Configure NAT Server to Enable Internet Users to Access Private Servers?
1.4.1 Do Huawei Switches Support NAT?

Fixed switches in all versions do not support NAT.
Modular switches in V100R003 and later versions support NAT after an SPU is installed.
1.4.2 How Do I Configure Outbound NAT to Enable Private

Network Users to Access the Internet?
Applicable Products and Versions
This configuration applies to modular switches in V100R006C00 and later versions.
Networking Requirements
The SPU is installed in slot 5 of the Switch in Figure 1-5. Hosts on the internal networks of
company A and company B use private IP addresses. Company A has 100 hosts and 101 idle
public IP addresses (202.169.10.100 to 202.169.10.200). Hosts in company B are on a VPN and
company B does not have idle public IP addresses.
Company A and company B require that internal hosts access the Internet.
Issue 02 (2015-01-20)

21

Maintenance Guide
1 FAQ
Figure 1-5 Configuring outbound NAT to allow private network users to access the Internet
Configuration Roadmap
The configuration roadmap is as follows:
1.
Direct flows from the Switch to the SPU.
2.
On the Switch, configure outbound NAT with an address pool for hosts in company A. The
Switch maps each private IP address to a public IP address so that hosts in company A can
successfully access the Internet.
3.
On the Switch, configure Easy IP without an address pool for hosts in company B. The
Switch maps each private IP address to the public IP address of the outbound interface so
that hosts in company B can successfully access the Internet.
1.
Configure Layer 2 flow import to direct flows from the Switch to the SPU. GE2/0/1 and
GE2/0/3 are inbound interfaces, and GE2/0/2 is the outbound interface.
Procedure
# Configure the Switch.

[HUAWEI] sysname Switch
[Switch] vlan batch 101 to 103
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[Switch-Eth-Trunk1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[Switch-GigabitEthernet2/0/1] quit
[Switch] interface xgigabitethernet 5/0/0
Issue 02 (2015-01-20)

22

Maintenance Guide
1 FAQ
[Switch-XGigabitEthernet5/0/0] eth-trunk 1
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet 5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 1
[Switch-XGigabitEthernet5/0/1] quit
# On the SPU, configure IP addresses for interfaces and add interfaces to VLANs.
[HUAWEI] sysname SPU
[SPU] interface eth-trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface eth-trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2
202.169.10.2
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
2.
Configure outbound NAT on the SPU.

[SPU] nat address-group 1 202.169.10.100 202.169.10.200
[SPU] acl 2000
[SPU-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
[SPU-acl-basic-2000] quit
[SPU] acl 2001
[SPU-acl-basic-2001] rule 5 permit vpn-instance vpn_b source 10.0.0.0
0.0.0.255
[SPU-acl-basic-2001] quit
[SPU-Eth-Trunk1.2] nat outbound 2000 address-group 1 no-pat
[SPU-Eth-Trunk1.2] nat outbound 2001
3.
Verify the configuration.
Run the display nat outbound interface eth-trunk 1.2 command on the SPU to view the
outbound NAT configuration.
[SPU] display nat outbound interface eth-trunk 1.2
NAT Outbound
Information:
--------------------------------------------------------------------------
Issue 02 (2015-01-20)

23

Maintenance Guide
1 FAQ
Interface
Type
Acl
Address-group/IP/Interface
-------------------------------------------------------------------------Eth-Trunk1.2
pat
Eth-Trunk1.2
easyip
2000
2001
202.169.10.1
no-
-------------------------------------------------------------------------Total : 2
After the configuration is complete, hosts in company A and company B can access the Internet.
Take company A as an example. On the host with the private IP address 192.168.20.2, ping the
public IP address 202.169.10.2 on the Internet. The ping succeeds.
Run the display nat session destination 202.169.10.2 command on the SPU to view the source
IP address before and after the NAT operation.
[SPU] display nat session destination 202.169.10.2
The operation may take a few minutes, please
wait...
NAT Session Table
Information:
Protocol
: ICMP
(1)
SrcAddr
192.168.20.2
Vpn
DestAddr
202.169.10.2
Vpn
Type Code IcmpId

44006
: 8
NATInfo
New SrcAddr
202.169.10.100
New DestAddr
New IcmpId
----
----
Total : 1
Take company B as an example. On the host with the private IP address 10.0.0.2, ping the public
IP address 202.169.10.2 on the Internet. The ping succeeds.
Run the display nat session destination 202.169.10.2 command on the SPU to view the source
IP address before and after the NAT operation.
[SPU] display nat session destination 202.169.10.2
The operation may take a few minutes, please
wait...
NAT Session Table
Issue 02 (2015-01-20)

24

Maintenance Guide
1 FAQ
Information:
Protocol
: ICMP
(1)
SrcAddr
vpn_b
DestAddr
202.169.10.2
Vpn
: 10.0.0.2
Vpn
Type Code IcmpId

44028
: 8
NATInfo
New SrcAddr
202.169.10.1
New DestAddr
New IcmpId
----
10240
Total : 1
Configuration Files
l
Configuration file of the SPU

#
sysname SPU
#
ip vpn-instance vpn_b
route-distinguisher 0:1
#
acl number 2000
rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
rule 5 permit vpn-instance vpn_b source 10.0.0.0 0.0.0.255
#
nat address-group 1 202.169.10.100 202.169.10.200
#
interface Eth-Trunk1
#
interface Eth-Trunk1.1
control-vid 101 dot1q-termination
dot1q termination vid 101
ip address 192.168.20.1 255.255.255.0
arp broadcast enable
#
ip address 202.169.10.1 255.255.255.0
nat outbound 2000 address-group 1 no-pat
nat outbound 2001
#
ip binding vpn-instance vpn_b
ip address 10.0.0.1 255.255.255.0
Issue 02 (2015-01-20)

25

Maintenance Guide
1 FAQ
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk1.2 202.169.10.2
#
return
Configuration file of the Switch

#
sysname Switch
#
vlan batch 101 to 103
#
port link-type trunk
port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
port trunk allow-pass vlan 101
#
#
#
eth-trunk 1
#
eth-trunk 1
#
return
1.4.3 How Do I Configure NAT Server to Enable Internet Users to

Access Private Servers?
This configuration applies to modular switches in V100R006C00 and later versions.
Networking Requirements
The SPU is installed in slot 5 of the Switch in Figure 1-6. Company A provides a web server
for Internet users to access. The private IP address of the web server is 192.168.20.2:8080 and
its public IP address is 202.169.10.5. Company B provides an FTP server on the VPN for Internet
users to access. The private IP address of the FTP server is 10.0.0.3 and its public IP address is
202.169.10.33.
Internet users need to access company A's web server and company B's FTP server using public
IP addresses.
Issue 02 (2015-01-20)

26

Maintenance Guide
1 FAQ
Figure 1-6 Networking diagram for NAT server configuration
Configuration Roadmap
The configuration roadmap is as follows:
1.
Direct flows from the Switch to the SPU.
2.
Configure the NAT server function so that Internet users can access company A's web
server and company B's FTP server using public IP addresses.
3.
Enable the NAT ALG function to implement address translation for FTP packets.
1.
Configure Layer 2 flow import to direct flows from the Switch to the SPU. GE2/0/2 is the
inbound interface, and GE2/0/1 and GE2/0/3 are outbound interfaces.
Procedure
# Configure the Switch.

[HUAWEI] vlan batch 101 to 103
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] port link-type trunk
[HUAWEI-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[HUAWEI-Eth-Trunk1] quit
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] port link-type trunk
[HUAWEI-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] interface xgigabitethernet 5/0/0
[HUAWEI-XGigabitEthernet5/0/0] eth-trunk 1
[HUAWEI-XGigabitEthernet5/0/0] quit
[HUAWEI] interface xgigabitethernet 5/0/1
[HUAWEI-XGigabitEthernet5/0/1] eth-trunk 1
[HUAWEI-XGigabitEthernet5/0/1] quit
Issue 02 (2015-01-20)

27

Maintenance Guide
1 FAQ
# On the SPU, configure IP addresses for interfaces and add interfaces to VLANs.
<SPU> system-view
[SPU] interface eth-trunk 1
[SPU-Eth-Trunk1] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2
202.169.10.2
2.
Configure the internal servers on the SPU.

[SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.5 www inside
192.168.20.2 8080
[SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.33 ftp inside
10.0.0.3 ftp vpn-instance vpn_b
3.
On the SPU, enable the NAT ALG function for FTP.

[SPU] nat alg ftp enable
4.
Verify the configuration.

Run the display nat server interface eth-trunk 1.2 command on the SPU to view the NAT
server configuration.
[SPU] display nat server interface eth-trunk 1.2
Nat Server Information:
Interface : Eth-Trunk1.2
Global IP/Port
: 202.169.10.5/80(www)
Inside IP/Port
: 192.168.20.2/8080
Protocol : 6(tcp)
VPN instance-name : ---Description : ---Global IP/Port
Inside IP/Port
Protocol : 6(tcp)
VPN instance-name
Total :
: 202.169.10.33/21(ftp)
: 10.0.0.3/21(ftp)
: vpn_b
After the configuration is complete, Internet users can access company A's web server and
company B's FTP server using public IP addresses.
Issue 02 (2015-01-20)

28

Maintenance Guide
1 FAQ
Configuration Files
l
Configuration file of the SPU

#
sysname SPU
#
ip vpn-instance vpn_b
route-distinguisher 0:1
#
nat alg ftp enable
#
#
ip address 192.168.20.1 255.255.255.0
#
ip address 202.169.10.1 255.255.255.0
nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpninstance vpn_b
#
ip binding vpn-instance vpn_b
ip address 10.0.0.1 255.255.255.0
#
eth-trunk 1
#
eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk1.2 202.169.10.2
#
return
Configuration file of the Switch

#
vlan batch 101 to 103
#
port trunk allow-pass vlan 101 to 103
#
#
#
#
eth-trunk 1
Issue 02 (2015-01-20)

29

Maintenance Guide
1 FAQ
#
eth-trunk 1
#
return
1.5 Web System

1.5.1 How Do I Obtain a Web File and Configure the Web System?
1.5.2 What Rights Do Web Management Accounts Have?
1.5.1 How Do I Obtain a Web File and Configure the Web System?
Obtaining a Web File
The web file is released with the system software package and varies depending on software
versions. The following uses S9300V200R003 as an example to describe how to obtain a web
file.
Step 1 Open the Internet Explorer and enter http://enterprise.huawei.com/en/ in the address box.
NOTE
You must have a permission to obtain the web file. To obtain the permission, choose My Huawei >
Permissions.
Step 2 Choose Support > Product Support.

Step 3 Choose Software > Enterprise Networking > Switch > Campus Switch.
Step 4 In the navigation tree on the left, choose S9300.
Step 5 Select Quidway S9300 V200R003C00SPC500 and click the version number to view details.
Step 6 Under Version and Patch Software, find the web file with the file name extension .web.7z and
download the web file.
----End
Loading the Web File and Configuring an HTTP User

The following uses S9300 V200R003 as an example.
Step 1 Run the system-view command to enter the system view.
Step 2 Run the http server load file-name command to load the web file.
NOTE
Before loading a web file, upload the web file to the switch through FTP, SFTP, or TFTP. The web file
must be loaded to the root directory of the switch's storage medium; otherwise, the web file cannot be
loaded.
Step 3 Run the http secure-server enable command to enable the HTTPS server function.
Step 4 Run the http server enable command to enable the HTTP server function.
Issue 02 (2015-01-20)

30

Maintenance Guide
1 FAQ
Step 5 Run the aaa command to enter the AAA view.

Step 6 Run the local-useruser-namepassword { cipher | irreversible-cipher } password command to
configure an AAA local user name and password.
Step 7 Run the local-useruser-nameprivilege levellevel command to set the local user level.
NOTE
HTTP users of level 3 or higher can manage the switch on the web system, whereas HTTP users of level
2 or lower can only view the switch configuration.
Step 8 Run the local-useruser-nameservice-type http command to set the service type to HTTP.
----End
Logging In to the Web System

Step 1 Open the Internet Explorer on the PC, enter http://IP address (for example, https://
10.164.19.131) in the address box, and press Enter. The login dialog box is displayed.
NOTE
The IP address is the management address of a device, and can be an IPv4 or IPv6 address depending on
the HTTPS type (HTTPS IPv4 or IPv6) you have selected.
To ensure compatibility, the system converts http://IP address you entered into https://IP address.
Step 2 Enter the HTTP user name, password, and verification code, and select a language for the web
system.
Step 3 Click Login or press Enter. The web system home page is displayed.
----End
You can manage and maintain the switch after logging in to the web system.
1.5.2 What Rights Do Web Management Accounts Have?

Web management accounts are local AAA users whose service type is HTTP.
HTTP users of level 3 or higher can manage the switch on the web system, whereas HTTP users
of level 2 or lower can only view the switch configuration.
1.6 NAC
1.6.1 What Is the Difference Between 802.1x and DOT1x?
1.6.2 Must a Shared Key Be Configured for Portal Authentication?
1.6.3 Why Does a User Go Offline 10 Seconds After Passing 802.1x Authentication?
1.6.4 Why 802.1x or MAC Address Authentication Does Not Take Effect After Being Enabled
and the Configuration Is Displayed in the Configuration File?
1.6.5 Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses From
If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface?
Issue 02 (2015-01-20)

31

Maintenance Guide
1 FAQ
1.6.1 What Is the Difference Between 802.1x and DOT1x?

They are different names for the same function.
1.6.2 Must a Shared Key Be Configured for Portal Authentication?

On a switch in V100R006 or a later version, a shared key must be configured for information
exchange with the Portal server during External Portal authentication. The shared key configured
on the switch must be the same as that on the Portal server.
1.6.3 Why Does a User Go Offline 10 Seconds After Passing 802.1x

Authentication?
If handshake with online 802.1x users is enabled on a switch, the switch periodically sends
handshake packets to a user client after the client is authenticated. If the client sends no
handshake packet to the switch, the switch forces the user offline.
The user goes offline 10 seconds after being authenticated. This may be caused by a handshake
failure.
To solve this problem, run the undo dot1x handshake command to disable the handshake
function.
1.6.4 Why 802.1x or MAC Address Authentication Does Not Take

Effect After Being Enabled and the Configuration Is Displayed in
the Configuration File?
If ACL resources are used up, the dot1x enable or mac-authen command run globally or on an
interface does not take effect.
1.6.5 Which VLAN Do DHCP Users Connected to a Switch Interface

Obtain IP Addresses From If MAC Address Authentication Is
Enabled and a Guest VLAN Is Configured on the Interface?
When a user without VLAN tag passes MAC address authentication, the user obtains an IP
address from the VLAN matching the interface PVID. When a user with a VLAN tag passes
MAC address authentication, the user obtains an IP address from the VLAN matching the VLAN
tag.
If a user fails MAC address authentication, the user obtains an IP address from the guest VLAN
on the interface where the user accesses.
1.7 Loop Detection

1.7.1 Which Switch Models Support Loop Detection?
1.7.2 How Do I Configure Single-Interface Loop Detection?
1.7.3 How Do I Configure Multi-Interface Loop Detection?
Issue 02 (2015-01-20)

32

Maintenance Guide
1 FAQ
1.7.4 What Is the Default Interval for Sending LBDT Packets on an Interface?
1.7.5 How Do I Differentiate LBDT Packets Sent by Different Interfaces
1.7.1 Which Switch Models Support Loop Detection?

Among the S series switches, the S2300SI does not support loop detection, and the S2300EI
does not support loop detection in a link aggregation group (does not support the loopbackdetect packet vlan command). Other models support loop detection.
1.7.2 How Do I Configure Single-Interface Loop Detection?

Switches can detect only external loops that occur on a single interface. After external loop
detection is enabled, the switch sends packets periodically to check whether an external loop
occurs on an interface. When a loop is found on an interface, the switch performs the specified
action on the interface. In versions earlier than V200R002, the switch sets the interface state to
blocking by default. In V200R002 and later versions, the switch sets the interface state to
shutdown by default.
Usage Scenario
Generally, single-interface loop detection is used on downlink interfaces of newly deployed
switches to help field engineers discover incorrect cable connections.
It is recommended that you set the action for interfaces with loops to block.
Configuration Procedure
After you enable loop detection globally, this function is enabled on all interfaces.
[Quidway] loopback-detect enable
Modular switches of V200R001 and later versions support loop detection in eight VLANs on
an interface.
Fixed switches of V100R005 and later versions support loop detection in eight VLANs on an
interface. In addition to trap, shutdown, and block, the action for interfaces with loops can be
set to nolearn (stop learning MAC addresses).
The following configuration is performed on fixed switches:
[Quidway-Ethernet0/0/1] loopback-detect packet vlan 20 21 22 23 24 25 26 27
[Quidway-Ethernet0/0/1] loopback-detect action nolearn
Modular switches of V200R001 and later versions and fixed switches of V100R005 and later
versions can generate loop traps, and the traps contain VLANs where loops have occurred.
The following is an example of loop trap:
#Jan 1 2008 06:43:54-08:00 Quidway LDT/4/Porttrap:OID1.3.6.1.4.1.2011.5.25.174.3.3
Loopback does exist on interface(5) Ethernet0/0/1 ( VLAN 20 ) , loopback detect status: 4.
(1:normal; 2:block;3:shutdown; 4:trap; 5:nolearn)
Precautions
Loop detection is an auxiliary tool and consumes system resources. When loop detection is
complete, run the undo loopback-detect enable command to disable this function.
Issue 02 (2015-01-20)

33

Maintenance Guide
1 FAQ
1.7.3 How Do I Configure Multi-Interface Loop Detection?

S series switches support MAC address flapping detection. MAC address flapping detection can
detect loops formed among multiple interfaces. It is recommended that you configure multiinterface loop detection on downlink interfaces and set the action for interfaces with loops to
alarm-only. When a loop is detected, the system sends a trap to the network management system
to help locate the fault.
You can enable MAC address flapping detection in a VLAN to detect loops in the VLAN. All
software versions support MAC address flapping detection in up to 32 VLANs.
[Quidway] vlan 3
[Quidway-vlan-3] loop-detect eth-loop block-time 30 retry-times 3
The alarm information includes the interface number, VLAN ID, and time. The system can
display consecutive alarms and specific MAC addresses where flapping occurs.
#Jan 1 2008 06:53:12-08:00 Quidway L2IFPPI/4/
MFLPIFRESUME:OID1.3.6.1.4.1.2011.5.25.160.3.2 Loop does not exist in vlan 3,
Interface Ethernet0/0/1 resumed, block-time is 30 for mac-flapping disappeared.
#Jan 1 2008 06:52:22-08:00 Quidway L2IFPPI/4/
MFLPIFBLOCK:OID1.3.6.1.4.1.2011.5.25.160.3.1 Loop exist in vlan 3,
InterfaceEthernet0/0/1 blocked, block-time is 30 for mac-flapping, Mac Address is
00e0-fc22-765a.
In V200R003 and later versions, a switch considers that a loop has occurred on the network
connected to an interface if detection packets sent from the interface are sent back to another
interface. This mechanism can also be used for multi-interface loop detection.
1.7.4 What Is the Default Interval for Sending LBDT Packets on an

Interface?
Run the loopback-detect packet-interval packet-interval-time command in the system view to
set the interval for sending LBDT packets.
l
V100R005: The default interval for sending LBDT packets is 30s.
V100R006 and later versions: The default interval for sending LBDTpackets is 5s.
NOTE
A shorter interval indicates that the system sends more LBDT packets in a given period and detects loops
more accurately. However, more system resources are consumed.
1.7.5 How Do I Differentiate LBDT Packets Sent by Different

Interfaces
The LBDT-enabled interface sends an LBDT packet at intervals to detect loops. If the LBDT
packet is received by the same interface, a loopback occurs on the interface or loops occur on
the network connected to the interface. Then the interface switches to the loopback detection
state. The interface automatically restores after three detection intervals.
NOTE
LBDT packets are sent frequently; therefore, the CPU usage will increase if the LBDT function is enabled
on all interfaces.
l
Issue 02 (2015-01-20)
V100R005
34

Maintenance Guide
1 FAQ
LBDT packets sent by different interfaces are distinguished by the protocol ID. By default,
the system assigns a protocol ID to each interface in ascending order.
You can run the loopback-detect protocol protocol-id command to configure a protocol
ID in LBDT packets.
NOTE
l The protocol ID in LBDT packets can be configured only when LBDT is disabled.
l The protocol ID in LBDT packets must be unique on an interface.
V100R006 and later versions

LBDT packets sent by different interfaces are distinguished by the interface index.
1.8 How Do I Configure a Static Binding Entry (user-bind

static) for IPSG?
IPSG stands for IP Source Guard, a feature used to defend against source IP address spoofing
attacks.
IPSG checks validity of IP packets against DHCP dynamic or static binding entries. The IPSG
function works only when binding entries are available. Before a switch forwards an IP packet,
it compares the source IP address, source MAC address, inbound interface, and VLAN ID of
the IP packet with DHCP binding entries. If the IP packet matches a binding entry, the switch
considers the IP packet valid and forwards it. Otherwise, the switch considers the IP packet as
an attack packet and discards it.
You can configure static binding entries on a switch when the switch connects to a LAN with
only a few hosts using static IP addresses. All the S series switches support configuration of
static DHCP binding entries.
The configuration procedure is as follows:
# Create static binding entries by specifying the bound IP addresses and MAC addresses in the
system view.
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 00E0-1011-0001
[Quidway] user-bind static ip-address 10.1.1.2 mac-address 00E0-1011-0002
# Enable IPSG on specified interfaces.

[Quidway] interface Ethernet0/0/1
[Quidway-Ethernet0/0/1] ip source check user-bind enable
[Quidway-Ethernet0/0/1] quit
[Quidway] interface Ethernet0/0/2
[Quidway-Ethernet0/0/2] ip source check user-bind enable
[Quidway-Ethernet0/0/2] quit
1.9 VLAN
1.9.1 How Do I Change the Link Type of an Interface?
1.9.2 Which VLAN Assignment Methods Do S Series Switches Support?
1.9.3 The Link Type of an Interface Cannot Be Changed from Hybrid to Access. How Is This
Problem Solved?
Issue 02 (2015-01-20)

35

Maintenance Guide
1 FAQ
1.9.1 How Do I Change the Link Type of an Interface?

Four link types are defined: access, trunk, hybrid, and dot1q-tunnel. The following provides the
methods to set different link types.
1.
Access
[Quidway-GigabitEthernet1/0/1] port link-type access
[Quidway-GigabitEthernet1/0/1] port default vlan 10
The preceding configuration changes the link type of the interface to access.
An access interface processes packets as follows:
l When receiving an untagged packet, the interface accepts the packet and tags it with
the default VLAN ID.
l When receiving a tagged packet:
If the VLAN ID of the packet is the same as the default VLAN ID of the interface, the
interface accepts the packet.
If the VLAN ID of the packet is different from the default VLAN ID of the interface,
the interface drops the packet.
l Before sending a packet, the interface removes the VLAN tag from the packet.
2.
Trunk
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk pvid vlan 20
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 10 20
The preceding configuration changes the link type of the interface to trunk.
A trunk interface processes packets as follows:
l When receiving an untagged packet:
The interface tags the packet with the default VLAN ID. If the default VLAN ID is in
the list of allowed VLAN IDs, the interface accepts the packet.
The interface tags the packet with the default VLAN ID. If the default VLAN ID is not
in the list of allowed VLAN IDs, the interface drops the packet.
If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface accepts
the packet.
If the VLAN ID of the packet is not in the list of allowed VLAN IDs, the interface drops
the packet.
l When sending a packet:
If the VLAN ID of the packet is the same as the default VLAN and is in the list of
allowed VLAN IDs, the interface removes the tag from the packet and sends the packet.
If the VLAN ID of the packet is different from the default VLAN and is in the list of
allowed VLAN IDs, the interface retains the tag and sends the packet.
3.
Hybrid
[Quidway-GigabitEthernet1/0/1]
port
port
port
port
link-type hybrid
hybrid pvid vlan 10
hybrid untagged vlan 2 10
hybrid tagged vlan 20
The preceding configuration changes the link type of the interface to hybrid.
A hybrid interface processes packets as follows:
Issue 02 (2015-01-20)

36

Maintenance Guide
1 FAQ

The interface tags the packet with the default VLAN ID. If the default VLAN ID is in
the list of allowed VLAN IDs, the interface accepts the packet.
The interface tags the packet with the default VLAN ID. If the default VLAN ID is not
in the list of allowed VLAN IDs, the interface drops the packet.
If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface accepts
the packet.
If the VLAN ID of the packet is not in the list of allowed VLAN IDs, the interface drops
the packet.
l When sending a packet:
If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface sends
the packet. You can run the port hybrid untagged vlan command to configure the
interface to remove tags of packets or run the port hybrid tagged vlan command to
configure the interface to send tagged packets.
4.
Dot1q-tunnel
[Quidway-GigabitEthernet1/0/1] port link-type dot1q-tunnel
[Quidway-GigabitEthernet1/0/1] port default vlan 20
The preceding configuration changes the link type of the interface to dot1q-tunnel. A dot1qtunnel interface adds a VLAN tag to packets before forwarding them, regardless of the
original VLAN IDs of the packets. Before sending a packet, a dot1q-tunnel interface
removes the tag with the default VLAN ID from the packet.
1.9.2 Which VLAN Assignment Methods Do S Series Switches

Support?
Table 1-6 lists the VLAN assignment methods supported by different switch models of different
versions.
Table 1-6 VLAN assignment methods
VLAN Assignment Method
V100R006C03
V100R006C05
V200R001/
V200R002/
V200R003
Port-based VLAN assignment
Supported by all models
Supported by all
models
Supported by all
models
MAC address-based VLAN

assignment
Not supported by the

S2300SI

S2300SI
Supported by all
models
IP subnet-based VLAN assignment

S2352EI and S2300

S2300
Supported by all
models
Protocol-based VLAN assignment

S2352EI and S2300

S2300
Supported by all
models
Policy-based VLAN assignment

S2352EI and S2300
Not supported
Supported by all
models
Issue 02 (2015-01-20)

37

Maintenance Guide
1 FAQ
1.9.3 The Link Type of an Interface Cannot Be Changed from

Hybrid to Access. How Is This Problem Solved?
Before using the port link-type command to change the link type of an interface, restore the
default configuration of the interface.
You can run the display the display this command in the interface view to view the interface
configuration. Assume that the following configuration is used:
#
undo port hybrid vlan 1
port hybrid tagged vlan 10
#
Run the port hybrid untagged vlan 1 and undo port hybrid tagged vlan 10 commands to
restore the default configuration of the interface. Then change the link type of the interface.
1.10 Password
1.10.1 Which Are the Default Passwords Used on S Series Switches?
1.10.2 How Can I Delete a Console Login Password?
1.10.1 Which Are the Default Passwords Used on S Series Switches?

On the S series switches of all versions:
l
When you log in a a switch through a console port, no default user name or password is
provided. The system asks you to set the user name and password when you log in to the
switch for the first time.
Before you log in to a switch through Telnet, create a Telnet account.

You can set the Telnet login authentication method in the VTY. If the password
authentication mode is configured, set a password in the VTY. If the AAA local
authentication mode is configured, set the user name and password in the AAA view. If
the remote AAA authentication mode is configured, set the user name and password on the
AAA server.
When you log in to a switch through web, your default user level is 0: visit level.
For other default passwords, see Table 1-7

NOTE
By default, the console login password, BootROM password, and Telnet password are case-sensitive.
Issue 02 (2015-01-20)

38

Maintenance Guide
1 FAQ
Table 1-7 Default passwords used by S series switches

Series
Type
Version
BootROM
Password
Web User
Name and
Password
S9300/
S9300E
S9300
V100R001&V100R0
02
7800
Web login is not

supported.
V100R003
9300
If you forget the

password, use the
super password
Good luck to
7800!!! to log in to
the switch.
admin/admin
If you forget the

password, use the
super password
Good luck to
9300!!! to log in to
the switch.
V100R006
9300
If you forget the
password, use the
super password
7800 to log in to
the switch.
V200R001&V200R0
02
V200R003 and later
versions
S9300E
Issue 02 (2015-01-20)
All versions
Admin@huawei.
com
After the system
software is
upgraded, the
default password
may be changed to
9300 or 7800.
Admin@huawei.
com

admin/
admin@huawe
i.com
After the system
software is
upgraded, the
default
password may
be changed to
admin.
Web login is not
supported.
39

Maintenance Guide
1 FAQ
Series
Type
Version
BootROM
Password
Web User
Name and
Password
S2300
S2352EI/
S2300EI/
S2300SI
V100R002V100R006
(C00&C01)
huawei
admin/admin
V100R006C03
Admin@huawei.
com
V100R006C05
S3300
If you forget the

password, use the
super password
www.huawei.co
m to log in to the
switch.
After the system

software is
upgraded, the
default password
may be changed to
huawei.
admin/
admin@huawe
i.com
After the system
software is
upgraded, the
default
password may
be changed to
admin.
S2350EI
All versions
Admin@huawei.
com
admin/
admin@huawe
i.com
S3300HI
V100R006
(C00&C01)
huawei
admin/admin
V200R001
Admin@huawei.
com
If you forget the

password, use the
super password
www.huawei.co
m to log in to the
switch.
After the system

software is
upgraded, the
default password
may be changed to
huawei.
Issue 02 (2015-01-20)

40

Maintenance Guide
Series
1 FAQ
Type
Version
BootROM
Password
Web User
Name and
Password
S3300EI/
S3300SI
V100R001V100R006
(C00&C01)
huawei
admin/admin
V100R006C03
Admin@huawei.
com
V100R006C05
S5300
If you forget the

password, use the
super password
www.huawei.co
m to log in to the
switch.
After the system

software is
upgraded, the
default password
may be changed to
huawei.
admin/
admin@huawe
i.com
After the system
software is
upgraded, the
default
password may
be changed to
admin.
S5320EI
All versions
Admin@huawei.
com
admin/
admin@huawe
i.com
S5310EI
V200R002
Admin@huawei.
com
admin/admin
V200R003 and later

versions
admin/
admin@huawe
i.com
After the system
software is
upgraded, the
default
password may
be changed to
admin.
S5300LI
Issue 02 (2015-01-20)
V200R001&V200R0
02
Admin@huawei.
com

admin/admin
41

Maintenance Guide
Series
1 FAQ
Type
Version
BootROM
Password
V200R003 and later

versions
Web User
Name and
Password
admin/
admin@huawe
i.com
After the system
software is
upgraded, the
default
password may
be changed to
admin.
S5300EI
V100R002V100R006
huawei
V200R001&V200R0
02
Admin@huawei.
com
V200R003 and later

versions
S5300SI
admin/admin
If you forget the

password, use the
super password
www.huawei.co
m to log in to the
switch.
After the system

software is
upgraded, the
default password
may be changed to
huawei.
V100R003V100R006
huawei
V200R001&V200R0
02
Admin@huawei.
com
admin/
admin@huawe
i.com
After the system
software is
upgraded, the
default
password may
be changed to
admin.
admin/admin
If you forget the

password, use the
super password
www.huawei.co
m to log in to the
switch.
After the system

software is
upgraded, the
default password
Issue 02 (2015-01-20)

42

Maintenance Guide
Series
1 FAQ
Type
Version
BootROM
Password
Web User
Name and
Password
V200R003 and later

versions
may be changed to
huawei.
admin/
admin@huawe
i.com
After the system
software is
upgraded, the
default
password may
be changed to
admin.
S5306LI/
S5300HI
V100R006
V200R003 and later

versions
N/A
admin/admin
If you forget the

password, use the
super password
www.huawei.co
m to log in to the
switch.
V200R001&V200R0
02
S6300EI
huawei
V100R006
Admin@huawei.
com
After the system
software is
upgraded, the
default password
may be changed to
huawei.
huawei
admin/
admin@huawe
i.com
After the system
software is
upgraded, the
default
password may
be changed to
admin.
admin/admin
If you forget the

password, use the
super password
www.huawei.co
m to log in to the
switch.
V200R001&V200R0
02
Admin@huawei.
com
After the system
software is
upgraded, the
default password
Issue 02 (2015-01-20)

43

Maintenance Guide
1 FAQ
Series
Type
Version
BootROM
Password
Web User
Name and
Password
V200R001 and later

versions
may be changed to
huawei.
admin/
admin@huawe
i.com
After the system
software is
upgraded, the
default
password may
be changed to
admin.
1.10.2 How Can I Delete a Console Login Password?

Deleting the Console Login Password of a Fixed Switch Running V100R002/
V100R003
1.
Restart the switch. When the BootROM menu is displayed, choose option "5.Enter
filesystem submenu" to display the file system submenu.
2.
When the file system submenu is displayed, choose option "4.Rename file from flash" to
rename the default configuration file vrpcfg.zip. For example, change the file name to
vrptest.zip.
3.
Log in to the switch after the restart. The system uses the factory settings now.
4.
Decompress the vrptest file and name the decompressed file vrpcfg.bat.
<Quidway> unzip vrptest vrpcfg.bat
5.
Run the execute command to invoke the original configuration and delete the console login
password.
[Quidway] execute vrpcfg.bat
[Quidway] user-interface console 0
[Quidway-ui-console0] undo authentication-mode
[Quidway-ui-console0] quit
[Quidway] quit
6.
Save the configuration in the vrpcfg.zip file.

<Quidway> save
The current configuration will be written to the device. Continue? [Y/
N]:y
Info: Please input the file name(*.cfg,*.zip)
[vrpcfg.zip]:
Jun 25 2010 11:41:59 Quidway %%01CFM/4/SAVE(l): The user chose Y when deciding
w
hether to save the configuration to the device.
vrpcfg.zip
//Enter the
default configuration file name vrpcfg.zip.
7.
Issue 02 (2015-01-20)
After the switch restarts, the console login password is deleted, and the original service
configurations are retained.

44

Maintenance Guide
1 FAQ

V200R001/V200R002/V200R003
During a startup process, a switch loads the BootROM program and the system software in
sequence. When the following information is displayed, press Ctrl+B within 2 seconds to display
the BootROM menu.
BIOS LOADING ...
Copyright (c) 2008-2010 HUAWEI TECH CO., LTD.
CX22EFFE (Ver124, Jun 9 2010, 17:41:46)
Press Ctrl+B to enter BOOTROM menu ... 0
password:
//Enter the BootROM password. The default password is Admin@huawei.com.
After you enter the correct BootROM password, the following BootROM menu is displayed:
BOOTROM
MENU
1. Boot with default mode

2. Enter serial submenu
3. Enter startup submenu
4. Enter ethernet submenu
5. Enter filesystem submenu
6. Modify BOOTROM password
7. Clear password for console user
8. Reboot
Enter your choice(1-8): 7
Note: Clear password for console user? Yes or No(Y/N): y
Clear password for console user successfully. Choose "1" to boot, then set a new
password
Note: Do not choose "Reboot" or power off the device, otherwise this operation will
not take effect
Choose option "7 .Clear password for console user" and then choose option "1. Boot with default
mode." The console login password is then deleted.
NOTICE
After clearing the console login password, choose option "1. Boot with default mode" in the
BootROM menu to restart the system. Do not choose option "8. Reboot" or power off the switch.
Otherwise, the configuration will be lost.
Deleting the Console Login Password of a Modular Switch Running V100R001/

V100R002/V100R003
1.
Restart the switch. When the BootROM menu is displayed, press CTRL+Z to display the
hidden menu.
2.
Choose option "8-Rename file in CFCard" to rename the default configuration file
vrpcfg.zip. For example, change the file name to vrptest.zip.
3.
Log in to the switch after the restart. The system uses the factory settings now.
4.
Decompress the vrptest file and name the decompressed file vrpcfg.bat.
<Quidway> unzip vrptest vrpcfg.bat
5.
Issue 02 (2015-01-20)
Run the execute command to invoke the original configuration and delete the console login
password.
45

Maintenance Guide
1 FAQ
[Quidway] execute vrpcfg.bat
[Quidway] user-interface console 0
[Quidway-ui-console0] undo authentication-mode
[Quidway-ui-console0] quit
[Quidway] quit
6.
Save the configuration in the vrpcfg.zip file.

<Quidway> save
The current configuration will be written to the device. Continue? [Y/
N]:y
Info: Please input the file name(*.cfg,*.zip)
[vrpcfg.zip]:
Jun 25 2010 11:41:59 Quidway %%01CFM/4/SAVE(l): The user chose Y when deciding
w
hether to save the configuration to the device.
vrpcfg.zip
//Enter the
default configuration file name vrpcfg.zip.
7.
After the switch restarts, the console login password is deleted, and the original service
configurations are retained.

V200R001/V200R002/V200R003
When you attempt to log in to a new switch through the console port for the first time, the system
prompts you to enter the console login password. You can also run the set authentication
password [ cipher password ] command in the console login user interface to set the console
login password. If you forget the Telnet or console login password, clear the console login
password in the BootROM menu. Perform the following steps:
During the startup process, press Ctrl+B as prompted and enter the password to enter the
BootROM menu. Choose option 8 in the BootROM menu to clear the console login password.
MAIN
1.
2.
3.
4.
5.
6.
7.
8.
9.
MENU
Boot with default mode

Boot from Flash
Boot from CFCard
Enter serial submenu
Enter ethernet submenu
Modify Flash description area
Modify BootROM password
Clear password for console user
Reboot
Enter your choice(1-9):8

Note: Clear password for console user? Yes or No(Y/N): y
Clear password for console user successfully. Choose "1" to boot, then set a new
password
Note: Do not choose "Reboot" or power off the device, otherwise this operation will
not take effect
NOTICE
After clearing the console login password, choose option "1. Boot with default mode" in the
BootROM menu to restart the system. Do not choose option "9. Reboot" or power off the switch.
Otherwise, the configuration will be lost.
Issue 02 (2015-01-20)

46

Maintenance Guide
1 FAQ
1.11 Eth-Trunk
1.11.1 What Is Eth-Trunk?
1.11.2 What Are the Types of Eth-Trunk Load Balancing?
1.11.3 What Are the Types of Eth-Trunks?
1.11.4 How Long Is the LACP Timeout Period?
1.11.5 How Do I Check Interface Negotiation Information When the Eth-Trunk Interface Works
in LACP Mode?
1.11.6 Which Measures Can Be Taken to Fix the Eth-Trunk Unidirectional Communication
Fault?
1.11.1 What Is Eth-Trunk?

Link aggregation technology bundles multiple physical links into a logical link to increase link
bandwidth. For the protocol standards, see IEEE 802.3ad.
As the network scale expands increasingly, users require higher bandwidth and reliability of
backbone links. Traditional technologies often use high-speed interface cards or devices
supporting high-speed interface cards to increase the bandwidth. This method, however, is costly
and inflexible.
Link aggregation technology bundles multiple physical interfaces into a logical interface to
increase the bandwidth without upgrading the hardware. In addition, link aggregation uses the
link backup mechanism to improve reliability of links between devices.
Link aggregation has the following advantages:
l
Increasing Bandwidth
The maximum bandwidth of a link aggregation interface is the total bandwidth of member
interfaces.
Improving Reliability
When an active link fails, traffic on the link is switched to another member link, ensuring
high reliability of the link aggregation interface.
Load Balancing
In a link aggregation group, traffic is load balanced among active member links.
1.11.2 What Are the Types of Eth-Trunk Load Balancing?

There are two types of load balancing: flow-based load balancing and packet-based load
balancing. Switches support only flow-based load balancing. You can run the load-balance
command to configure an appropriate Eth-Trunk load balancing mode. This configuration
ensures that outgoing traffic is properly load balanced among physical links, preventing
congestion on these links.
Issue 02 (2015-01-20)

47

Maintenance Guide
1 FAQ
You can set the load balancing mode based on the network condition. When a parameter in traffic
changes frequently, you can set the load balancing mode based on this parameter to ensure that
the traffic is load balanced evenly.
For known unicast packets, the switch supports the following load balancing modes:
l
dst-ip mode
The system obtains the specified three bits from each of the destination IP address and
destination TCP or UDP port number to perform the Exclusive-OR calculation, and selects
the outbound interface from the Eth-Trunk table according to the calculation result.
src-ip mode
The system obtains the specified three bits from each of the source IP address and source
TCP or UDP port number to perform the Exclusive-OR calculation, and selects the
outbound interface from the Eth-Trunk table according to the calculation result.
src-dst-ip mode
The system uses the calculation results of the dst-ip and src-ip modes to perform the
Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table
according to the calculation result.
dst-mac mode
The system obtains the specified three bits from each of the destination MAC address,
VLAN ID, Ethernet type, and inbound interface information to perform the Exclusive-OR
calculation, and selects the outbound interface from the Eth-Trunk table according to the
calculation result.
src-mac mode
The system obtains the specified three bits from each of the source MAC address, VLAN
ID, Ethernet type, and inbound interface information to perform the Exclusive-OR
calculation, and selects the outbound interface from the Eth-Trunk table according to the
calculation result.
src-dst-mac mode
The system obtains the specified three bits from each of the source MAC address,
destination MAC address, VLAN ID, Ethernet type, and inbound interface information to
perform the Exclusive-OR calculation, and selects the outbound interface from the EthTrunk table according to the calculation result.
Enhanced mode
The system uses an enhanced load balancing profile to select outbound interfaces for
different packets.
NOTE
Modular switches: All cards, excluding the SA series cards, support enhanced load balancing mode.
Fixed switches:
V200R001C01: Only the S5300HI supports enhanced load balancing mode.
V200R002: Only the S5310EI and S5300HI support enhanced load balancing mode.
V200R003: Only the S5310EI and S5300HI support enhanced load balancing mode.
By default, unknown unicast packets are load balanced based on the source and destination MAC
addresses. To configure the load balancing mode for unknown unicast packets, run the
unknown-unicast load-balance { dmac | smac | smacxordmac | enhanced } command in the
system view.
Issue 02 (2015-01-20)

48

Maintenance Guide
1 FAQ
[Quidway]unknown-unicast loadbalance ?
dmac
Destination MAC hash
arithmetic
enhanced
Enhanced hash
arithmetic
smac
arithmetic
smacxordmac
Source MAC hash
According to MAC hash arithmetic
1.11.3 What Are the Types of Eth-Trunks?

Eth-Trunks are classified into Eth-Trunks in manual load balancing mode and Eth-Trunks in
Link Aggregation Control Protocol (LACP) mode.
l
Eth-Trunk in manual load balancing mode

The manual load balancing mode is the basic link aggregation mode. In this mode, you
must manually create an Eth-Trunk, add member interfaces to the Eth-Trunk, and specify
active member interfaces. In this mode, LACP is not required. In manual load balancing
mode, all active member interfaces forward data and load balance traffic. All the active
member interfaces load balance the traffic evenly. If an active link fails, the remaining
active links load balance the traffic evenly.
Eth-Trunk in LACP mode

In LACP mode, you must manually create an Eth-Trunk and add member interfaces to the
Eth-Trunk. Different from manual load balancing mode, active member interfaces in LACP
mode are selected by sending LACP data units (LACPDUs). When a group of interfaces
are added to an Eth-Trunk, the devices at both ends determine active interfaces and inactive
interfaces by sending LACPDUs to each other.
The LACP mode is also called M:N mode. It implements both load balancing and link
backup. M active links in the link aggregation group forward data and load balance traffic,
while the other N inactive links are standby links and do not forward data. If an active link
fails, the system selects the link with the highest priority from the N inactive links. The
inactive link becomes active and starts to forward data.
1.11.4 How Long Is the LACP Timeout Period?

IEEE802.3ad defines two intervals for sending LACPDUs: 1 second and 30 seconds.
To set the LACP timeout period, run the lacp timeout { fast | slow } command. After the
command is used, the local end informs the remote end of the timeout period by sending
LACPDUs.
l
If the fast keyword is specified, the interval is 1 second.
If the slow keyword is specified, the interval is 30 seconds.
The LACP timeout period is three times the interval for sending LACPDUs:
l
When the fast keyword is specified, the LACP timeout period is 3 seconds.
When the slow keyword is specified, the LACP timeout period is 90 seconds.
You can set different timeout periods on the two ends. To facilitate maintenance, you are advised
to set the same LACP timeout period on the two ends.
Issue 02 (2015-01-20)

49

Maintenance Guide
1 FAQ
1.11.5 How Do I Check Interface Negotiation Information When the

Eth-Trunk Interface Works in LACP Mode?
Run the display eth-trunk command to check the negotiation information of the Eth-Trunk
interface.
<Quidway> display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: Disabled
Hash arithmetic: According to SA-XOR-DA
System Priority: 32768
System ID: 4c1f-cc45-a8f8
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up
Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------------------------------ActorPortName
Status
PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1 Selected 1GE
32768
513
561
10111100 1
GigabitEthernet1/0/2 Selected 1GE
32768
514
561
10111100 1
Partner:
----------------------------------------------------------------------------------------------------------ActorPortName
SysPri
SystemID
PortPri PortNo PortKey
PortState
GigabitEthernet1/0/1 32768
5489-98f5-a433 32768
1025
561
10111100
GigabitEthernet1/0/2 32768
5489-98f5-a433 32768
1026
561
10111100
Local device information is displayed in the Local section, and the peer device information is
displayed in the Partner section (the interface name is displayed as the corresponding local
interface name). The PortState field contains the following information:
Each bit is described as follows:

LACP_Activity: has a fixed value of 1 (this interface remains in active state), indicating that
the interface can send LACPDUs as long as it joins the Eth-Trunk interface and turns Up.
LACP_TimeOut: indicates the timeout period of the LACPDUs. It is set to 1 for fast and 0 for
slow. You can determine the timeout period of LACPDUs on both ends based on the value of
this bit.
Aggregation: indicates whether the local interface can be aggregated with other member
interfaces in an Eth-Trunk interface. This bit is set to 1 for switch interfaces that have joined the
Eth-Trunk interface and are in Up state, and is set to 0 for interfaces that are in Down state.
Synchronization: synchronization flag. Interfaces that can enter the Selected state are
determined based on the interface rate, duplex mode, and packet exchange. This bit is set to 1
for interfaces in Selected state and to 0 for other interfaces.
Collecting and Distributing: These two bits are set to all 1s only when the local end and peer
end negotiate successfully.
Defaulted: This bit is set to 1 when the interface is added to the Eth-Trunk interface and starts
negotiation, and is set to 0 when the negotiation succeeds.
Expired: indicates the timeout bit. This bit is set to 1 if LACP packets are not received within
the timeout period. This bit is set to 0 if negotiation succeeds.
Issue 02 (2015-01-20)

50

Maintenance Guide
1 FAQ
The PortState field should be displayed as 11111100 or 10111100 if negotiation succeeds.
1.11.6 Which Measures Can Be Taken to Fix the Eth-Trunk

Unidirectional Communication Fault?
To rectify the unidirectional communication fault of an Eth-Trunk, use the following features:
l
EFM: tests link connectivity continuously. When the unidirectional communication fault
occurs, the two ends of the Eth-Trunk can keep consistent status.
LACP: The two ends of the Eth-Trunk can keep consistent status by exchanging LACPDUs.
When a unidirectional communication fault occurs, LACP can detect the fault in a timely
manner and transfer the selected status to the other side, thus solving the traffic loss
problem.
NOTE
In V100R005 and later versions, DLDP can monitor the link status of optical fibers or copper twisted-pair
cables. If DLDP detects a unidirectional link, it automatically shuts down the port on the unidirectional
link or requests users to manually shut down the port, to prevent a traffic forwarding interruption.
1.12 How Do I Restore the Factory Settings on the CLI?

To restore the factory settings, perform the following operations on the Command-Line Interface
(CLI):
<Quidway> reset saved-configuration //Clear current configurations.
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
Warning: Now clearing the configuration in the device.
Info: Succeeded in clearing the configuration in the device.
<Quidway> reboot
//Restart the switch.
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next
startup saved-configuration file . Continue? [Y/N]:N
//Select N to ignore
configuration saving.
Info: If want to reboot with saving diagnostic information, input 'N' and then
execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y
//Select Y to restart the switch.
After the switch restarts, the factory settings are restored. You can configure the switch based
on new service requirements.
NOTE
If you configure a new switch or a restarted switch without any configuration, enter Y twice according to
the command output displayed on the CLI to save the new configuration. The command output displayed
on the CLI is as follows:
<Quidway> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
flash:/vrpcfg.zip exists, overwrite?[Y/N]:y
Now saving the current configuration to the slot 0.
Save the configuration successfully.
Issue 02 (2015-01-20)

51

Maintenance Guide
1 FAQ
1.13 Using the display elabel Command to Obtain the Serial

Number
1.13.1 How Do I Obtain the Serial Number of a Fixed Switch?
1.13.2 How Do I Obtain the Serial Number of a Modular Switch?
1.13.1 How Do I Obtain the Serial Number of a Fixed Switch?

Log in to the switch through Telnet or the console interface, and then run the display elabel slot
slot-id command (slot-id specifies the slot ID of the switch) in the user view to display the
electronic label information. In the command output, the BarCode field shows the serial number
of the switch.
<Quidway> display elabel slot 0
/$[System Integration Version]
/$SystemIntegrationVersion=3.0
[Slot_0]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=CX22EFGEA
BarCode=2102351820109C000451
Item=02351820
1.13.2 How Do I Obtain the Serial Number of a Modular Switch?

Obtaining the Chassis Serial Number
l
In a standalone switch:
Log in to the switch through Telnet or the console interface, and then run the display elabel
backplane command in the user view to display the electronic label information. The
BarCode field in the command output shows the chassis serial number.
<Quidway> display elabel backplane
Info: It is executing, please wait...
[BackPlane_1]
[Board Properties]
BoardType=EH02BAKK
BarCode=2102113089P0BB000881
Item=02113089
Issue 02 (2015-01-20)

52

Maintenance Guide
1 FAQ
In a cluster:
Log in to the master switch through Telnet or the console interface, and then run the display
elabel backplane chassis chassis-id command (chassis-id specifies the CSS ID of a
member chassis) in the user view to display the electronic label information. The
BarCode field in the command output shows the serial number of the specified chassis.
<Quidway> display elabel backplane chassis ?
INTEGER<1-2> Chassis
ID
<Quidway> display elabel backplane chassis 2
Info: It is executing, please
wait...
[BackPlane_2]
[Board
Properties]
BoardType=EH02BAKK
BarCode=2102113089P0BB000881
Item=02113549
NOTE
The command syntax may differ in different software versions. You can enter a question mark (?)
to obtain help information about the command and set the chassis ID according to the help
information.
Obtaining the Serial Number of a Card

elabel command in the user view and specify a slot ID according to help information to display
the electronic label of a card. The BarCode field in the command output shows the serial number
of the card.
<Quidway> display elabel ?
<1-1>
The present chassis
backplane Backplane
brief
Display information briefly
<Quidway> display elabel 1/?
<4,6-8>
<CMU1>
<FAN1-FAN2>
<PWR1-PWR2>
<Quidway> display elabel 1/6 brief
Info: It is executingplease wait...
[Slot_6]
[Main_Board]
[Board Properties]
BoardType=ET1D2S08SX1E
BarCode=020LVF6TBB000043
Issue 02 (2015-01-20)

53

Maintenance Guide
1 FAQ
Item=03020LVF
NOTE
The command syntax may differ in different software versions. You can enter a question mark (?) to obtain
help information about the command and set the slot ID according to the help information.
Obtaining the Serial Number of a Power Module

the electronic label of a power module. The SN field in the command output shows the serial
number of the power module.
<1-1>
The present chassis
backplane Backplane
brief
<5,8,13,16>
<FAN1-FAN5>
<Quidway> display elabel 1/PWR1
<CMU1>
<PWR1-PWR4>
[Slot_21]
[Main_Board]
DATE=13_02_08
SN=A664A0212080086V0.9A
NOTE
help information about the command and set the power module ID according to the help information.
Obtaining the Serial Number of a Fan Module

the electronic label of a fan module. The BarCode field in the command output shows the serial
number of the fan module.
<1-1>
The present chassis
backplane Backplane
brief
<5,8,13,16>
<FAN1-FAN5>
<Quidway> display elabel 1/FAN2
<CMU1>
<PWR1-PWR4>
[Slot_18]
[Main_Board]
Issue 02 (2015-01-20)

54

Maintenance Guide
1 FAQ
[Board Properties]
BoardType=LE02FCMC
BarCode=2103010JTF0123456789
Item=02120995
NOTE
help information about the command and set the fan module ID according to the help information.
1.14 Software and Hardware Requirements of Stack

A stack can be set up through stack cards or service ports. If switches run software versions
incompatible with one another, they cannot set up a stack. Therefore, you are advised to upgrade
software of member switches to the same version before setting up a stack.
1.14.1 What Are the Software and Hardware Requirements of Stack Card Stacking?
1.14.2 What Are the Software and Hardware Requirements of Service Port Stacking?
1.14.1 What Are the Software and Hardware Requirements of Stack

Card Stacking?
The stack card ES5D00ETPC00 and PCIe cable are used for stack card stacking. Table 1-8 lists
the devices supporting stack card stacking and describes their software and hardware
requirements.
Table 1-8 Software and hardware requirements for stack card stacking
Series
Maxi
mum
Num
ber of
Mem
bers
Ports
Supporting
Stack
Stack Cable
Remarks
S5300-EI
Two ports on
a stack card
l 1 m PCIe cable
Any models of
the S5300-EI
series can set up
a stack.
Two ports on
a stack card
l 1 m PCIe cable
S5300-SI
Issue 02 (2015-01-20)
l 3 m PCIe cable (supported in

V200R002 and later versions. In
V200R002, only S5352C-EI
and S5328C-EI-24S support the
3 m PCIe cable. In V200R003
and later versions, all the S5300EI series support the 3 m PCIe
cable.)
l 3 m PCIe cable (supported in

V200R003 and later versions)

Any models of
the S5300-SI
series can set up
a stack.
55

Maintenance Guide
1 FAQ
1.14.2 What Are the Software and Hardware Requirements of

Service Port Stacking?
Table 1-9 lists the devices supporting service port stacking and describes their software and
hardware requirements.
Table 1-9 Software and hardware requirements for service port stacking
Issue 02 (2015-01-20)
Series
Max
imu
m
Nu
mbe
r of
Me
mbe
rs
Ports Supporting
Stack
Stack Cable
Remarks
S2352P
Two GE SFP optical

ports (ID: 49/50)
1.5 m SFP cable
S3328TP
Two GE SFP optical

ports (ID: 25/26)
1.5 m SFP cable
S3352P
Two GE SFP optical

ports (ID: 49/50)
1.5 m SFP cable
S2350
(V200R00
3 and later
versions)
Two SFP optical ports

(not combo ports)
l 1 m passive SFP
+ cable
NOTE
Only the third and forth
service ports counted
from the right can be
configured as physical
member ports of a stack
port.
l 10 m active SFP
+ cable
Any models of the

S2350 series can set up
a stack.
l 3 m, 10 m AOC
cable
l 6GE stack
optical module
(SFP-6GE-LR)
and optical fiber

56

Maintenance Guide
1 FAQ
Series
Max
imu
m
Nu
mbe
r of
Me
mbe
rs
Ports Supporting
Stack
Stack Cable
Remarks
S5300-PLI (with
GE uplink
ports)
l V200R001: last
two SFP ports
l 1 m passive SFP
+ cable
l V200R002 and
later versions: last
four SFP ports
l 10 m active SFP
+ cable
l V200R001: A switch
supports at most two
logical stack ports,
and each logical
stack port can have
only one physical
member port. Each
switch can use a
maximum of two
service ports as
physical member
ports.
l 3 m, 10 m AOC
cables
(applicable in
V200R003C00
and later
versions)
l V200R002 and later

versions: A switch
supports at most two
logical stack ports,
and each logical
stack port can have at
most two physical
member ports. Each
switch can use a
maximum of four
service ports as
physical member
ports. When two
physical member
ports are included in
a logical stack port,
either stack ports 1
and 2 or stack ports 3
and 4 can be
included.
Any models of the
S5300-P-LI series can
set up a stack, but
S5300-P-LI models
cannot set up a stack
with S5300-X-LI
models.
Issue 02 (2015-01-20)

57

Maintenance Guide
Series
1 FAQ
Max
imu
m
Nu
mbe
r of
Me
mbe
rs
Ports Supporting
Stack
Stack Cable
Remarks
NOTE
S5300-10P-LI-AC,
S5300-28P-LI-BAT, and
S5300-28P-LI-24S-BAT
cannot set up a stack.
S5300-XLI (with
10GE
uplink
ports)
Four SFP+ optical

ports
l 1 m passive SFP
+ cable
l 3 m passive SFP
+ cable
l 10 m active SFP
+ cable
l 3 m, 10 m AOC
cables
(applicable in
V200R003C00
and later
versions)
l 10GE SFP+
optical module
and optical fiber
A switch supports at
most two logical stack
ports, and each logical
most two physical
member ports. Each
switch can use a
maximum of four
service ports as physical
member ports. When
two physical member
ports are included in a
logical stack port, either
stack ports 1 and 2 or
stack ports 3 and 4 can
be included.
Any models of the
S5300-X-LI series can
set up a stack, but
S5300-P-LI models
cannot set up a stack
with S5300-X-LI
models.
Issue 02 (2015-01-20)

58

Maintenance Guide
Series
Max
imu
m
Nu
mbe
r of
Me
mbe
rs
Ports Supporting
Stack
Stack Cable
Remarks
S5310-EI
Any 10GE ports,

including the four
fixed 10GE SFP+
optical ports on the
front panel and ports
on the
LS5D00X2SA00 rear
card (A switch
supports a maximum
of two rear cards, and
each card provides
two 10GE SFP+
optical ports.)
l 1 m passive SFP
+ cable
A switch supports at
most two logical stack
ports, and each logical
most four physical
member ports. Each
switch can use a
maximum of eight
service ports as physical
member ports.
NOTE
Each logical stack port
can have a maximum of
four physical member
ports. Ports on different
rear cards can be added
to the same logical
stack port, but ports on
a rear card and fixed
ports on the front panel
cannot be added to the
same logical stack port.
l 10GE SFP+
optical module
and optical fiber
10GE ports on front

subcards: The S5300HI supports
LS5D00X2SA00 and
LS5D00X4SA00
front subcards, which
provide two and four
10GE SFP+ optical
ports respectively.
l 1 m passive SFP
+ cable
NOTE
After a front subcard is
replaced, the stack
becomes invalid and
needs to be
reconfigured.
l 10GE SFP+
optical module
and optical fiber
S5300-HI
Issue 02 (2015-01-20)
1 FAQ
l 3 m passive SFP
+ cable
l 10 m active SFP
+ cable
l 3 m, 10 m AOC
cables
(applicable in
V200R003C00
and later
versions)
l 3 m passive SFP
+ cable
l 10 m active SFP
+ cable
l 3 m, 10 m AOC
cable

Any models of the

S5310-EI series can set
up a stack.
Any models of the

S5300-HI series can set
up a stack.
NOTE
The S5300-HI series does
not support the stack
function in versions
earlier than V200R003.
59

Maintenance Guide
1 FAQ
Series
Max
imu
m
Nu
mbe
r of
Me
mbe
rs
Ports Supporting
Stack
Stack Cable
Remarks
S6300
All 10GE ports on the

switch
l 1 m passive SFP
+ cable
NOTE
A maximum of eight
service ports can be
used as physical
member ports. Four
ports with contiguous
IDs must be configured
together, and the last ID
of the service ports
must be a multiple of 4.
For example, ports 1 to
4, or 5 to 8 can be
configured as physical
member ports together,
but ports 2 to 5 cannot.
l 3 m passive SFP
+ cable
Any models of the

S6300 series can set up
a stack. The ports cannot
be used as stack ports
when they work as GE
ports.
l 10 m passive
SFP+ cable
l 10 m active SFP
+ cable
(supported in
V200R001C00
and later
versions)
l 3 m, 10 m AOC
cables
(applicable in
V200R003C00
and later
versions)
l 10GE SFP+
optical module
and optical fiber
S5306TPLI-AC
Stacking incapable
1.15 Software and Hardware Requirements of CSS

Member switches can set up a CSS through CSS cards or service ports.
1.15.1 What Are the Software and Hardware Requirements of CSS Card Clustering?
1.15.2 What Are the Software and Hardware Requirements of Service Port Clustering?
1.15.1 What Are the Software and Hardware Requirements of CSS

Card Clustering?
Table 1-10 lists the devices supporting CSS card clustering and describes software and hardware
requirements for these devices.
Issue 02 (2015-01-20)

60

Maintenance Guide
1 FAQ
Table 1-10 Software and hardware requirements for CSS card clustering
l S9306
Device Model
l S9312
Software Version
V100R003C00 and later versions
License Required
No
CSS Card Model
LE0D0VSTSA00
CSS Card Slot
l LE0MSRUA subcard slot

l LE0DSRUA subcard slot
l LE0D00SRUB00 subcard slot
Hot Swapping
l CSS card: not hot swappable

l MPU: hot swappable. Before removing
the active LE0MSRUA, LE0DSRUA, or
LE0D00SRUB00 card, run the slave
switchover command to perform an
active/standby switchover.
Hardware Configuration
l Only the S9306 and S9306, S9306 and

S9312, or S9312 and S9312 can set up a
CSS.
l Switches to set up a CSS must have both
active and standby SRUs installed. The
SRUs can be of different models.
Pluggable Modules for Ports on CSS Cards
Copper cable:
l 3 m QSFP+ high-speed cable
l 10 m QSFP+ high-speed cable
Optical module and fiber:
40G QSFP+ optical module. The required
optical fiber depends on the optical module
used. When OM3 optical fibers are used, the
maximum transmission distance is 100 m.
When OM4 optical fibers are used, the
maximum transmission distance is 150 m.
1.15.2 What Are the Software and Hardware Requirements of

Service Port Clustering?
Table 1-11 lists the devices supporting service port clustering and describes software and
hardware requirements for these devices.
Issue 02 (2015-01-20)

61

Maintenance Guide
1 FAQ
Table 1-11 Software and hardware requirements for service port clustering
Device Model
Service Card
Model
l S9306
l S9306E
l S9312
l S9312E
l LE2D2X08
SED4
l LE2D2X08
SED5
l LE2D2X08
SED5
(available in
V200R003)
LE1D2L02QFC
0
l LH2D2X08
SED4
l LE2D2X08
SED4
(available in
V200R003)
l LE0DX12X
SA00
l LE2D2X08
SED5
(available in
V200R003)
l LE0DX16S
FC00
l LH2D2X12
SSA0
l LE0DX40S
FC00
l LE0DX12X
SA00
(available in
V200R003)
LH2D2L02QF
C0 and
LE1D2L02QFC
0 (available in
V200R003)
l LE0DX16S
FC00
l LE0DX40S
FC00
Issue 02 (2015-01-20)

62

Maintenance Guide
Pluggable
Modules on
Service Ports
1 FAQ
Cooper cable:
Cooper cable:
Cooper cable:
Cooper cable:
l 1 m SFP+
high-speed
cable
l 1 m QSFP+
high-speed
cable
l 1 m SFP+
high-speed
cable
l 1 m QSFP+
high-speed
cable
l 3 m SFP+
high-speed
cable
l 3 m QSFP+
high-speed
cable
l 3 m SFP+
high-speed
cable
l 3 m QSFP+
high-speed
cable
l 10 m SFP+
active highspeed cable
l 5 m QSFP+
high-speed
cable
l 10 m SFP+
active highspeed cable
l 5 m QSFP+
high-speed
cable
NOTE
The
LE0DX12XSA
00 does not
support the 3 m
SFP+ highspeed cable.
Optical module
and fiber: 40G
QSFP+ optical
module. The
required optical
fiber depends on
the optical
module used
and the
maximum
transmission
distance is 10
km.
NOTE
LH2D2X12SSA
0 and
LE0DX12XSA
00 (available
only in
V200R003)
Optical module
and fiber: 40G
QSFP+ optical
module. The
required optical
fiber depends on
the optical
module used
and the
maximum
transmission
distance is 10
km.
Active optical
cable:
Optical module
and fiber:
Active optical
cable:
Not supported
10G SFP+
optical module.
The required
optical fiber
depends on the
optical module
used and the
maximum
transmission
distance is 80
km.
Not supported
Optical module
and fiber: 10G
SFP+ optical
module. The
required optical
fiber depends on
the optical
module used
and the
maximum
transmission
distance is 80
km.
Active optical
cable:
l SFP-10GA0C3M
l SFP-10GA0C10M
The
LH2D2X12SSA
0 and
LE0DX12XSA
00 do not
support the 3 m
SFP+ highspeed cable.
Active optical
cable:
l SFP-10GA0C3M
l SFP-10GA0C10M
Issue 02 (2015-01-20)

63

Maintenance Guide
Constraints
1 FAQ
l On the
LE2D2X08
SED4 and
LE2D2X08
SED5, at
most four
ports can be
configured
as CSS
physical
member
ports. The
four physical
member
ports must
be the first
four ports
(numbered 0
to 3) or the
last four
ports
(numbered 4
to 7) on the
LPUs.
l On an
LE0DX16S
FC00 or
LE0DX40S
FC00, a
group of four
ports must
be
configured
as CSS
physical
member
ports
together.
The start
port number
must be 4*N
and the end
port number
must be 4*N
+3 (N = 0, 1,
2...). For
example,
service ports
0 to 3 or 4 to
7 can be
Issue 02 (2015-01-20)
The
interconnected
CSS physical
member ports
on the two
member
switches must
be both 40GE
ports. 10GE
ports derived
from a 40GE
port cannot be
added to a
logical CSS
port.
l On the
LH2D2X08
SED4,
LE2D2X08
SED4
(available
only in
V200R003),
or
LE2D2X08
SED5 at
most four
ports can be
configured
as CSS
physical
member
ports. The
four physical
member
ports must
be the first
four ports
(numbered 0
to 3) or the
last four
ports
(numbered 4
to 7) on the
LPUs.
The
interconnected
CSS physical
member ports
on the two
member
switches must
be both 40GE
ports. 10GE
ports derived
from a 40GE
port cannot be
added to a
logical CSS
port.
l On an
LE0DX16S
FC00 or
LE0DX40S
FC00, a
group of four
ports must
be
configured
as CSS
physical
member
ports
together.
The start
port number
must be 4*N
and the end
port number
must be 4*N

64

Maintenance Guide
1 FAQ
configured
as CSS
physical
member
ports
together, but
service ports
2 to 5 cannot
be
configured
together.
When any
service port
in a group is
configured
as a CSS
physical
member
port, the
other three
service ports
in the group
must also be
configured
as CSS
physical
member
ports. The
LE0DX40S
FC00 allows
a maximum
of 32
member
ports in a
logical CSS
port.
Issue 02 (2015-01-20)
+3 (N = 0, 1,
2...). For
example,
service ports
0 to 3 or 4 to
7 can be
configured
as CSS
physical
member
ports
together, but
service ports
2 to 5 cannot
be
configured
together.
When any
service port
in a group is
configured
as a CSS
physical
member
port, the
other three
service ports
in the group
must also be
configured
as CSS
physical
member
ports. The
LE0DX40S
FC00 allows
a maximum
of 32 ports to
be added to a
logical CSS
port.
Requirement
on MPU
Each CSS member switch must

have at least one MPU. If both
member switches have one MPU,
the MPUs in the two chassis can be
different models.
Each CSS member switch must

have at least one MPU. If both
member switches have one MPU,
the MPUs in the two chassis can be
different models.
Software
Version

65

Maintenance Guide
1 FAQ
License
Required
Yes
Yes
Hardware
Configuration
l Only the S9306 and S9306,

S9306 and S9312, or S9312 and
S9312 can set up a CSS.
l Only the S9306E and S9306E,

S9306E and S9312E, or S9312E
and S9312E can set up a CSS.
l Two CSS cards can be installed

in a chassis. It is recommended
that the two CSS cards have the
same model. The two chassis
must use the same type of ports
for CSS connection, for
example, 10G SFP+ optical
ports.
l Two CSS cards can be installed

in a chassis. It is recommended
that the two CSS cards have the
same model. The two chassis
must use the same type of ports
for CSS connection, for
example, 10G SFP+ optical
ports.
l Each LPU allows only one

logical CSS port.
l Each LPU allows only one

logical CSS port.
1.16 Rate Limiting

1.16.1 How Do I Configure Port Rate Limiting on a Modular Switch?
1.16.2 Why Traffic Rates Cannot Be Limited Accurately After CAR Is Configured?
1.16.1 How Do I Configure Port Rate Limiting on a Modular Switch?

Configure QoS CAR on an interface to implement rate limiting in the inbound direction.
Alternatively, configure a traffic policy with an ACL-based traffic classifier to limit the rate of
packets matching the ACL.
QoS CAR cannot be applied to outbound traffic, but you can limit the rate of outbound traffic
using a traffic policy or traffic shaping.
1.16.2 Why Traffic Rates Cannot Be Limited Accurately After CAR

Is Configured?
A switch counts lengths of the inter-frame gaps and VLAN tags when limiting the traffic rate
based on CAR. It is recommended that you use packets of over 1000 bytes in CAR tests to
minimize the impact of inter-frame gaps and VLAN tags.
For example, a 64-byte packet usually has a 20-byte inter-frame gap and a 4-byte VLAN tag.
Therefore, the total packet length is 88 bytes (64 bytes + 20 bytes + 4 bytes = 88 bytes). During
CAR rate limiting, the switch calculates the traffic rate based on the packet length of 88 bytes,
so the rate limiting result is inaccurate. If the switch uses large packets, the lengths of inter-frame
gap and the VLAN tag account for a small proportion of the total packet length and cause a little
impact on the packet rate. Therefore, the rate limiting result is more accurate.
1.17 Port Isolation

Issue 02 (2015-01-20)

66

Maintenance Guide
1 FAQ
1.17.1 In What Scenarios Can Port Isolation Be Used?

1.17.2 How Do I Configure Port Isolation?
1.17.3 What Precautions Should Be Taken to Configure Port Isolation?
1.17.1 In What Scenarios Can Port Isolation Be Used?

To implement Layer 2 isolation between interfaces, you can add interfaces to different VLANs.
However, this method consumes many VLAN resources. Port isolation can also isolate interfaces
in the same VLAN. You can add interfaces to a port isolation group to implement Layer 2
isolation between these interfaces. Port isolation provides secure and flexible networking
schemes.
Figure 1-7 shows the port isolation method and application scenario. PC1, PC2, and PC3 belong
to VLAN 10. After GE1/0/1 and GE1/0/2 connected to PC1 and PC2 are added to a port isolation
group, PC1 and PC2 cannot communicate with each other in VLAN 10. PC3 can still
communicate with PC1 and PC2.
Figure 1-7 Port isolation example
You can configure unidirectional port isolation in the following situation: Multiple hosts connect
to a device through different interfaces. One of the hosts may send a large number of broadcast
packets to other hosts, causing security risks. You can configure unidirectional port isolation to
isolate the risky host from other hosts.
As show in Figure 1-8, PC4 may threaten network security by sending a large number of
broadcast packets to other hosts. You can configure unidirectional port isolation on GE1/0/4
connected to PC4 to block packets sent from this interface to GE1/0/5 and GE1/0/6. In this way,
broadcast packets sent from PC4 cannot reach PC5 or PC6, but broadcast packets sent from PC5
and PC6 can reach PC4.
Issue 02 (2015-01-20)

67

Maintenance Guide
1 FAQ
Figure 1-8 Unidirectional port isolation example
1.17.2 How Do I Configure Port Isolation?

The port isolation feature isolates interfaces in a VLAN. To configure port isolation, run the
port-isolate enable [ group group-id ] command in the interface view. For example, configure
port isolation on GigabitEthernet1/0/1:
[Quidway] interface gigabitethernet1/0/1
[Quidway-GigabitEthernet1/0/1] port-isolate enable
To configure unidirectional port isolation, run the am isolate { interface-type interfacenumber }&<1-8> or am isolate interface-type interface-number1 [ to interface-number2 ]
command in the interface view. For example, configure unidirectional isolation on
GigabitEthernet1/0/1 and GigabitEthernet1/0/2:
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] am isolate gigabitethernet 1/0/2
1.17.3 What Precautions Should Be Taken to Configure Port

Isolation?
l
Port isolation applies only to interfaces of the same device and cannot isolate interfaces on
different devices.
Interfaces in a port isolation group are isolated from each other, but interfaces in different
port isolation groups can communicate. If group-id is not specified, an interface is added
to port isolation group 1.
Issue 02 (2015-01-20)

68

Maintenance Guide
1 FAQ
By default, port isolation blocks Layer 2 communication but allows Layer 3

communication. To isolate interfaces at both Layer 2 and Layer 3, run the port-isolate
mode all command in the system view.
1.18 Layer 2 Transparent Transmission

1.18.1 Can BPDUs Be Transparently Transmitted by a Switch?
1.18.1 Can BPDUs Be Transparently Transmitted by a Switch?

l
After the bpdu enable command is run on an interface, the interface sends received BPDUs
to the CPU for processing.
The local device determines whether to process BPDUs of a protocol depending on whether
the protocol is enabled. For example, whether STP BPDUs on an interface are sent to the
CPU depends on whether STP has been enabled on the interface using the stp enable
command.
After the bpdu disable command is run on an interface, the interface discards BPDUs.
By default, an interface discards received BPDUs.

To configure a switch to transparently transmit BPDUs, enable Layer 2 protocol transparent
transmission on an interface by running the l2protocol-tunnel all enable command in the
interface view. To ensure successful forwarding of packets, configure the default VLAN on the
inbound and outbound interfaces of all devices on the forwarding path.
1.19 Basic Configuration

1.19.1 How Do I Delete Files from the Recycle Bin?
1.19.2 How Do I Increase Command Level?
1.19.3 What Are the Differences Between the Tracert Functions of a Network Device and a PC?
1.19.1 How Do I Delete Files from the Recycle Bin?
NOTICE
The files deleted from the recycle bin cannot be recovered.
To delete files from the recycle bin in the specified path, run the reset recycle-bin [ filename ]
command in the user view.
Issue 02 (2015-01-20)

69

Maintenance Guide
1 FAQ
1.19.2 How Do I Increase Command Level?

A user level matches a certain command level. After logging in to a switch, a user can run only
the commands of which the levels are the same as or lower than the user level. For example, a
user at level 2 can run only the commands at levels 0, 1, and 2.
By default, the command level ranges from 0 to 3, and the user level ranges from 0 to 15. An
administrator can change the command level as required so that users of different levels can
execute commands correspondingly.
The administrator at user level 15 can run the following command to increase command levels:
l
Run the command-privilege level level view view-name command-key command with the
command-key parameter specified.
Run the command-privilege level rearrange command to increase command levels in

batches.
If the levels of commands have not been changed using the command-privilege level level
view view-name command-key command, the levels of all level-2 and level-3 commands
will be increased to level 10 and level 15 after the preceding command is executed, whereas
the levels of level-0 and level-1 commands are unchanged.
1.19.3 What Are the Differences Between the Tracert Functions of a

Network Device and a PC?
The tracert command is used to discover the gateways that packets actually pass through from
the source to the destination. The tracert command is used to check the network connectivity
and locate network faults.
The process of a tracert command is as follows:
The sender sends a packet with TTL 1. When the TTL expires, the first hot returns an ICMP
error message indicating that the message cannot be forwarded anymore.
The sender sends a packet with TTL 2. When the TTL expires, the second hot returns an ICMP
The sender sends a packet with TTL 3. When the TTL expires, the third hot returns an ICMP
The sender repeats the preceding process by increasing the TTL value until the packet reaches
the destination.
l
When performing the tracert operation, a network device sends UDP packets. The UDP
port number of the three UDP packets starts from 33434 and is incremented by 1 every
time the packets pass a hop. When one node on the path has equal-cost routes, the node
performs a hash operation based on flows. Therefore, the UDP packets are distributed to
different routes, and a maximum of three IP addresses on the equal-cost routes are shown
each time.
The following figure shows information about tracert packets sent by a network device.
The first hop has only one route, so only one next-hop 192.168.2.1 is displayed. The second
hop has two next hops (192.168.11.2 and 192.168.21.2), so the three packets are distributed
to two links.
Issue 02 (2015-01-20)

70

Maintenance Guide
1 FAQ
When performing a tracert operation, a PC sends ICMP packets, which are irrelevant to
port numbers. If a network device on the path has equal-cost routes, the ICMP packets are
distributed to only one link, and only one next-hop IP address is displayed. However, if the
network device performs load balancing based on packets, the ICMP packets are distributed
to different links.
The following figure shows information about the tracert packets sent by a PC. Three
packets arrive at each hop together. For example, three packets have TTL 5.
1.20 Interface Management

1.20.1 Can a GE Optical Module Be Installed on a 10GE Optical Port of S6300?
1.20.2 How Do I Restore the Default Configurations on an Interface?
1.20.3 Why Do Two GE Interfaces with Auto-Negotiation Enabled Work at 100 Mbit/s?
1.20.4 How Do I Configure Edge Ports for Fixed Switches in a Batch?
1.20.5 Why Can't Connected Optical Ports Go Up After Single-Fiber Bidirectional Optical
Modules Are Used?
1.20.1 Can a GE Optical Module Be Installed on a 10GE Optical Port

of S6300?
Yes.
In V100R006C00SPC800, when a 10GE optical port of an S6300 connects to a GE optical
module, the port rate switches to 1000 Mbit/s and works in non-auto-negotiation mode. If the
10GE optical port connects to a 1000M optical port on the peer device, the two ports can go Up
only when the 1000M optical port on the peer device works in non-auto-negotiation mode.
After the switch has V100R006SPH005 installed and the 10GE optical port of the switch
connects to a GE optical module, you can run the negotiation auto command to switch the port
status to auto-negotiation. In this situation, the 10GE optical port can connect to a GE optical
port in auto-negotiation mode.
In versions later than V100R006C00SPC800, a 10GE interface of S6300 automatically works
at 1000 Mbit/s in auto-negotiation mode after a GE optical module is installed.
Issue 02 (2015-01-20)

71

Maintenance Guide
1 FAQ
1.20.2 How Do I Restore the Default Configurations on an Interface?

Some interface configurations cannot be modified directly. To modify these configurations, you
need to restore the default values first, and then reconfigure them.
Restore the default interface configurations as follows:
1. In V100R006 and earlier versions, run the undo commands in the interface view to restore
the default value of each configuration. The following is an example:
[HUAWEI-GigabitEthernet1/0/2]display this //Check whether non-default
configurations exist on an interface.
#
//The interface type has been set to
Trunk.
undo port trunk allow-pass vlan 1
//The interface has been deleted from
VLAN 1.
//The interface has been added to VLAN
20.
#
[HUAWEI-GigabitEthernet1/0/2]port link-type access //An error message is displayed
when you modify configurations on GE1/0/2.
Error: Please renew the default configurations.
//You are requested to restore
the default configurations.
[HUAWEI-GigabitEthernet1/0/2]undo port trunk allow-pass vlan 20 //Delete the
interface from VLAN 20.
[HUAWEI-GigabitEthernet1/0/2]port trunk allow-pass vlan 1
//Add the interface to
VLAN 1.
[HUAWEI-GigabitEthernet1/0/2]port link-type access
//The
configurations can be modified now.
2. In V200R001C00 and later versions, you can run the clear configuration interface
GigabitEthernet 1/0/2 command in the system view to clear all interface configurations.
However, this command will shut down the interface. To enable the interface, run the undo
shutdown command in the interface view.
1.20.3 Why Do Two GE Interfaces with Auto-Negotiation Enabled

Work at 100 Mbit/s?
The link between the two interfaces is unstable during auto-negotiation, so negotiation packets
are lost. As a result, the negotiated rate is lower than the maximum rates supported by the two
interfaces. The reason why link is unstable may be that the network cable is shaking, the RJ45
connector on an end is not properly connected, or the network cable is faulty. To enable the two
interfaces to negotiate a specified speed, run the auto speed command on the interfaces.
1.20.4 How Do I Configure Edge Ports for Fixed Switches in a Batch?

Run the port-group command, for example:
[HUAWEI] port-group group1
[HUAWEI-port-group-group1] group-member GigabitEthernet 0/0/1 to GigabitEthernet
0/0/24
[HUAWEI-port-group-group1] stp edged-port enable
//The following information is
automatically displayed.
[HUAWEI-GigabitEthernet0/0/1]stp edged-port enable
[HUAWEI-GigabitEthernet0/0/24]stp edged-port enable
In the port group view, you can configure interface attributes and interface services.
Issue 02 (2015-01-20)

72

Maintenance Guide
1 FAQ
1.20.5 Why Can't Connected Optical Ports Go Up After Single-Fiber

Bidirectional Optical Modules Are Used?
The single-fiber bidirectional optical (BIDI) modules must be used in pairs; otherwise, the two
ports cannot be connected. For example, if one end uses the TX1310/RX1490 module, the other
end must use the TX1490/RX1310 module.
1.21 MIB
1.21.1 Which MIB Objects Correspond to CPU Usage and Entity Memory Usage?
1.21.1 Which MIB Objects Correspond to CPU Usage and Entity

Memory Usage?
Table 1-12 lists the MIB objects corresponding to CPU usage and entity memory usage.
Table 1-12 MIB objects corresponding to CPU usage and entity memory usage
Item
MIB Object Name
OID
CPU usage
hwEntityCpuUsage
1.3.6.1.4.1.2011.5.25.31.1.1.
1.1.5
Entity memory usage
hwEntityMemUsage
1.3.6.1.4.1.2011.5.25.31.1.1.
1.1.7
1.22 Information Center

1.22.1 How Can I Hide Console Port Information?
1.22.1 How Can I Hide Console Port Information?

Some messages are displayed for configuration changes, but not for errors. For example, when
you run a command, the following message is displayed:
DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been
changed. The current change number is 1, the change loop count is 64, and the
maximum number of records is 1.
You can run the following commands to hide this message:

l
Disable the DSA module in the Console information channel from sending traps.
[HUAWEI] info-center source dsa channel console trap level warning state off
Disable display of logs, traps, and debugging message output for user terminals.
<HUAWEI> undo terminal monitor
NOTE
This command is valid for only the current login.
Issue 02 (2015-01-20)

73

Maintenance Guide
1 FAQ
1.23 MAC
1.23.1 What Is the Purpose of the Function of ARP Update upon MAC Entry Changes?
1.23.2 Does a Switch Support MAC Address Flapping Detection?
1.23.1 What Is the Purpose of the Function of ARP Update upon

MAC Entry Changes?
Principles
Each network device uses an IP address to communicate with other devices. On an Ethernet
network, a device, which may be a user host, switching device, or routing device, sends and
receives Ethernet data frames based on MAC addresses. The ARP protocol maps IP addresses
to MAC addresses. When a device communicates with a device on a different network segment,
it finds the MAC address and outbound interface of a packet according to the corresponding
ARP entry.
If a user host moves from one interface to another, the MAC address of the host is learned by
the new interface, so the outbound interface mapping the MAC address changes. The
corresponding ARP entry, however, is updated until the aging time expires. Before the ARP
entry aging time expires, the device sends data frames based on the original ARP entry.
After the mac-address update arp command is executed on a switch to enable this function,
the switch updates outbound interfaces in ARP entries immediately when outbound interfaces
in MAC address entries change.
NOTE
This function is unavailable in versions earlier than V100R006C00.
Configuration Impact
After this command is executed, the gratuitous ARP function becomes ineffective.
Precautions
The mac-address update arp command takes effect only for dynamic ARP entries. Static ARP
entries are not updated when the corresponding MAC address entries change.
The mac-address update arp command does not take effect after ARP anti-spoofing is enabled
using the arp anti-attack entry-check enable command.
After the mac-address update arp command is run, the switch updates an ARP entry only if
the outbound interface in the corresponding MAC address entry changes.
Example
# Enable a switch to update outbound interfaces in ARP entries when outbound interfaces in
MAC address entries change.
Issue 02 (2015-01-20)

74

Maintenance Guide
1 FAQ
[Quidway] mac-address update arp
1.23.2 Does a Switch Support MAC Address Flapping Detection?

The modular and fixed switches support MAC address flapping detection in different situations.
l
Modular switches
In V100R002, the switch supports global MAC address flapping detection on all LPUs
except the S series. After global detection is enabled, the switch can only send traps if MAC
address flapping is detected.
In V100R002, run the mac-flapping alarm enable command to enable MAC address
flapping detection.
Compared with V100R002, V100R003 and later versions also support VLAN-based MAC
address flapping detection and actions performed when MAC address flapping is detected.
In V100R003 and later versions, the loop-detect eth-loop alarm-only command can be
run in the system or VLAN view to enable MAC address flapping detection.
By default, global MAC address flapping detection is disabled in V100R003 and enabled
in V100R006 and later versions.
Since V200R001, switches have supported global MAC address flapping detection, VLAN
whitelist, and quit-vlan action.
Fixed switches
Fixed switches (excluding S2300) of V100R003 and later versions do not support global
MAC address flapping detection. They support only VLAN-based MAC address flapping
detection and actions such as sending traps and blocking interfaces when MAC address
flapping is detected.
Run the following command in the VLAN view to enable MAC address flapping detection:
loop-detect eth-loop alarm-only
Since V200R001, switches have supported global MAC address flapping detection, VLAN
Issue 02 (2015-01-20)

75

Maintenance Guide
2 Common Maintenance Commands and Preventive

Maintenance Inspection
Common Maintenance Commands and

Preventive Maintenance Inspection
Table 2-1 lists the common maintenance commands for the S series switches.
Table 2-1 Common maintenance commands for the S series switches
Issue 02 (2015-01-20)
Chec
k
Item
Command
Expected Result
Result
Confirmatio
n
Softw
are
versio
n
<HUAWEI> display version
The software
version and file are
the same as the
target software
version and file.
Passed
Patch
versio
n
<HUAWEI> display patchinformation
The patch version

and file are the same
as the target patch
version and file.
Passed

Rema
rks
Failed
Not
involved
Failed
Not
involved
76

Maintenance Guide

Chec
k
Item
Command
Expected Result
Result
Confirmatio
n
Config
uratio
n file
<HUAWEI> compare
configuration
If there is no
command line
difference between
the two versions, the
command lines
before and after the
upgrade are the
same.
Passed
<HUAWEI> display currentconfiguration

<HUAWEI> display savedconfiguration
Rema
rks
Failed
Not
involved
If the command
lines are different,
find the difference
and run the save
command to save
the current
configuration.
Syste
m time
<HUAWEI> display clock
The difference
between the
device's system
time and the PC's
system time is no
more than 5
minutes.
Passed
Failed
Not
involved
NOTE
Convert the device's
system time to
Greenwich Mean
Time (GMT) for
check.
Issue 02 (2015-01-20)
Ethern
et
interfa
ce
<HUAWEI> display interface

ethernet brief
Optica
l
interfa
ce
<HUAWEI> display transceiver

verbose
The local and

remote interfaces
must have the same
rate and duplex
mode. In autonegotiation mode,
the local and remote
interfaces must
work in the same
mode. Neither of
them works in halfduplex mode.
Passed
The receive and

transmit optical
power of optical
interfaces is within
the allowed range.
Passed

Failed
Not
involved
Failed
Not
involved
77

Maintenance Guide

Chec
k
Item
Command
Expected Result
Result
Confirmatio
n
Statisti
cs on
an
interfa
ce
<HUAWEI> display interface

brief
The packet statistics

on each interface
are correct and no
error packet exists.
Passed
Devic
e
runnin
g
status
<HUAWEI> display device
All cards are in

Registered and
Normal states.
Passed
Power
modul
e
status
<HUAWEI> display power
All power modules

are in Supply state.
Passed
Fan
modul
e
status
<HUAWEI> display fan
Tempe
rature
<HUAWEI> display
temperature all
CPU
usage
Rema
rks
Failed
Not
involved
Failed
Not
involved
Failed
Not
involved
<HUAWEI> display cpu-usage
All fan modules are

in Present and
Registered states
and the fan speed is
normal (expressed
in percentage).
Passed
Each card is in
Normal state and
the temperature is
5C lower than the
upper threshold.
Passed
The CPU usage is

no higher than 80%.
Passed
Failed
Not
involved
Failed
Not
involved
Failed
Not
involved
BGP
peer
status
Issue 02 (2015-01-20)
<HUAWEI> display bgp peer

<HUAWEI> display currentconfiguration configuration |
include bgp
The BGP peers

must stay in
Establish state and
are steadily Up. If
the connection
between two peers
is interrupted, find
the cause.

Passed
Failed
Not
involved
78

Maintenance Guide
Issue 02 (2015-01-20)

Chec
k
Item
Command
Expected Result
Result
Confirmatio
n
OSPF
neighb
or
status
<HUAWEI> display ospf peer
The OSPF
neighbors must stay
in Full or 2 WAY
state, and the
neighbor
relationship is kept
for no less than one
day.
Passed
IS-IS
neighb
or
status
<HUAWEI> display isis peer
The IS-IS neighbors

must stay in Up
state.
Passed
Increa
se in
the
numbe
r of
OSPF
error
packet
s
<HUAWEI> display ospf error
Check whether the

number of OSPF
error packets
increases in 5
minutes. If not, this
item passes the
check.
Passed
VRRP
runnin
g
status
<HUAWEI> display vrrp
The VRRP status of Passed

the device is
Failed
steadily Master or
Not
Backup.
involved
CPCA
R
traffic
statisti
cs
<HUAWEI> reset cpu-defend

statistics all
In the CPCAR
traffic statistics, the
count of dropped
packets is 0.

include isis

include ospf
Rema
rks
Failed
Not
involved
Failed
Not
involved
Failed
Not
involved
If the number of
OSPF error packets
is more than 500 and
does not increase
within 5 minutes,
this item fails the
check.
<HUAWEI> display cpu-defend

statistics all

Passed
Failed
Not
involved
79

Maintenance Guide
3 Troubleshooting Guide
Troubleshooting Guide
3.1 Hardware Troubleshooting

3.1.1 Hardware Troubleshooting (Modular Switches)
3.1.2 Hardware Troubleshooting (Fixed Switches)
3.1.1 Hardware Troubleshooting (Modular Switches)

3.1.1.1 Card Registration Troubleshooting
3.1.1.2 Cluster Troubleshooting
3.1.1.1 Card Registration Troubleshooting

Fault Description
l
The card registration process lasts a long time, and the RUN/ALM indicator of the card is
steady yellow.
In the display device command output, the Register field displays Unregistered.
Possible Causes
This fault is commonly caused by one of the following:
l
The card is not properly installed.
The card is not hot swappable but it has been hot swapped, causing card damage.
Alarms have been generated for electronic devices on the card.
The available power is insufficient for the card.
The card is not supported by the chassis model or software version.
The card connector fails.
Issue 02 (2015-01-20)

80

Maintenance Guide
Troubleshooting Procedure
Step 1 Check whether the card is properly installed. If not, reinstall the card. If the card is properly
installed, go to Step 2.
Step 2 If the card is a flexible service unit or CSS card, check whether it has been hot swapped. If so,
go to Step 7. If not, go to Step 3.
Step 3 Run the display alarm command to check alarms about all cards or specify the slot ID to check
alarms about the problematic card. If the command output contains alarms about electronic
components on the card, go to Step 7. If not, go to Step 4.
Step 4 Run the display power system command to check the power of the system and card. If the
available system power is insufficient, go to Step 7. If the available system power is sufficient,
go to Step 5.
NOTE
An LE0DG48VEA00 card can start and register only when the following conditions are met:
l A dual in-line memory module (DIMM) has been installed in the DIMM slot of the card.
l The card is installed in a PoE chassis.
l The PoE power modules are supplying power to the chassis.
Step 5 Run the display version command to check whether the model and version of the card match
the chassis. If not, replace the card with a card matching the chassis. If the card matches the
chassis, go to Step 6.
Version
Mapping
For the mapping between card models, versions, and switches, see the
"Version Support for Components" in the Hardware Description.
Use
Constraints
l In V200R002C00 and later versions, the following LPUs are

interchangeable in S9300 and S9300E chassis: LE0DG48SBC00,
LE0DG48TBC00, LE0DX40SFC00, LE0DX16SFC00, LE0MG48TD,
LE0MG48SD, and LE0DCMUA0000. The other LPUs are not
interchangeable in the two chassis series.
l In V200R003C00 and later versions, the following LPUs are not
interchangeable in S9300 and S9300E chassis: LH2D2SRUDC00,
LE2D2SRUDC01, LE0MSRUA, LE0DSRUA, LE0D00SRUB00,
LH2D2MCUA000, LE0MMCUA, LE0D0VAMPA00,
LE0DG48VEA00, LE0D0WMNPA00, LE2D2X48SEC0,
LH2D2G48SEC0, LH2D2G48TEC0, LH2D2T24XEA0,
LH2D2S24XEC0, LH2D2X12SSA0, LH2D2X08SED4,
LH2D2X04XEC0, LH2D2X04XED0, and LH2D2L02QFC0. Other
LPUs are interchangeable in the two chassis series.
Card
Installation
and Removal
Issue 02 (2015-01-20)
When a card is moved from a chassis running a later version to a chassis

running an earlier version, the BootROM and Bootload software of the card
may be downgraded to the earlier version. When the card is installed back
to the chassis running the later version, the card cannot start. When this
occurs, log in to Huawei website to download the correct software version
for the switch, and then run the upgrade jtag slot slot-id command in the
diagnostic view to upgrade the BootROM and Bootload software to the later
version.

81

Maintenance Guide
Step 6 Check the card connector and then reinstall the card or install it in another slot to check whether
it works normally.
Remove the card from the slot and check the card connector. If the card connector is intact,
install the card in the original slot. If the card still fails to register after several attempts of
reinstallation, install it in another slot. If the problem persists, go to Step 7.
If there are idle pin holes on the card connector, use a flashlight to illuminate the card connector
and check whether any pins are bent. If some pins are bent, go to Step 7.
Step 7 Ask for technical support.
----End
3.1.1.2 Cluster Troubleshooting

3.1.1.2.1 Two Chassis Fail to Set Up a Cluster
3.1.1.2.2 A Cluster Splits
3.1.1.2.1 Two Chassis Fail to Set Up a Cluster
Fault Description
After Cluster Switch System (CSS) configuration is completed and the two switches restart, the
display css status command is executed to display the CSS status. The CSS status field displays
-- or single (single-chassis cluster), indicating that the two switches fail to set up a cluster.
Possible Causes
l
Cluster cables are loose.
Cluster cables are incorrectly connected.
The CSS function is not enabled.
One or more CSS cards or cluster cables fail.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Step 1 Run the terminal monitor and terminal trapping commands in the user view to enable the
alarm function. Check whether there are any alarms on incorrect cluster cable connections. (The
alarms for LE0D0VSTSA00 CSS cards are 1.3.6.1.4.1.2011.5.25.183.3.3.2.4
hwCssConnectError and 1.3.6.1.4.1.2011.5.25.183.3.3.2.19 hwCssPhyCardConnectError.
l If no such alarm is displayed, go to Step 2.
l If such alarms are displayed, connect cluster cables correctly according to the alarm
messages.
Issue 02 (2015-01-20)

82

Maintenance Guide
NOTE
If alarms on incorrect cluster cable connections are displayed, you can confirm that the CSS function
is enabled on the switches and the CSS cards are working properly. Otherwise, the CSS management
module cannot detect the cluster cable connections.
You can obtain the following information from an alarm message:

CSS ID, slot ID, and number of the CSS port where the cluster cable is incorrectly
connected
Correct connection of the cluster cable
For example, a switch continuously generates the following alarm message:
Mar 31 2010 10:53:43 SYS-136 CSSM/4/CSSCONNECTERROR:OID
1.3.6.1.4.1.2011.5.25.183.3.3.2.4 Connect error, 2/13 CSS port 3 link to 1/14
port 2, this port should link to 1/13 port 2
The message indicates that CSS port 2/13/3 (CSS ID/slot ID/port number) is incorrectly
connected to CSS port 1/14/2. CSS port 2/13/3 should be connected to CSS port 1/13/2.
Rectify the fault according to the following table.
Error Shown in
Alarm Message
Cause
Solution
A cluster cable is
connected to ports
with different CSS
IDs, for example,
"2/13 CSS port 3
link to 1/14 port 2."
The CSS IDs are

correct but the cable
is connected to an
incorrect port.
Connect the cluster cable to the correct port

according to the alarm message and ensure
that the cable connector is securely
connected to the port. After the cluster cable
is correctly connected, a switch will restart
and the CSS will be set up.
A cluster cable is
connected to ports
with the same CSS
ID, for example
"2/13 CSS port 3
link to 2/14 port 2."
The possible causes

are:
Run the display css status command on the

two switches to check their CSS IDs.
l The cluster cable

connects two
ports in the same
chassis.
l If the switches have different CSS IDs,

the CSS ID configuration is correct, and
the cluster cable is connected to ports in
the same chassis. Connect the cluster
cable correctly according to the alarm
message.
l The cluster cable

is connected to
ports in different
chassis, but the
chassis are
configured with
the same CSS ID.
l If the switches have the same CSS ID, run

the set css id command to change the
CSS ID on one of the switches, and then
restart this switch.
If the cluster still cannot be set up, perform either of the following operations:
l If there are other alarm messages on incorrect cluster cable connections, repeat this step until
all alarms are cleared.
l If no such alarm is displayed, go to Step 3.
Step 2 Check that the CSS function is enabled on the switches.
Run the display css status command on the switches to check whether the CSS function is
enabled.
Issue 02 (2015-01-20)

83

Maintenance Guide
l If the CSS Enable field in the command output displays Off, the CSS function is not enabled.
Run the css enable command to enable this function, and then restart the switch.
l If the CSS Enable field displays On, the CSS function is enabled. Go to Step 3.
Step 3 Check the status of the CSS cards.
NOTICE
To remove a CSS card, remove the MPU with the CSS card from the switch. Do not hot swap
the CSS card directly.
If the cluster cannot be set up after you enable the CSS function, set the correct CSS IDs, and
correctly connect all the cluster cables, check indicators on the CSS cards to determine the CSS
card status. Check the CSS card indicators and rectify the fault according to Table 3-1.
Table 3-1 CSS card indicators and troubleshooting methods
Indicator
Description
Troubleshooting Method
RUN/ALM
If this indicator is steady red, the

CSS card has failed. If the
indicator is steady green, the
CSS card is working normally.
l If both CSS cards in a chassis have

RUN/ALM indicators steady red,
the active MPU of the chassis may
have failed. Replace the MPU and
check again.
l If only one CSS card in a chassis has
its RUN/ALM indicator steady red,
the CSS card may have failed.
Replace the CSS card and check
again.
CSS ID
The indicator that is turned on

indicates the CSS ID of the local
chassis. Currently, a cluster can
have only two member switches;
therefore, only the CSS ID
indicators 1 and 2 can be turned
on.
If both CSS ID indicators 1 and 2 are off,

replace the CSS card.
If both indicators 1 and 2 are off,

Issue 02 (2015-01-20)

84

Maintenance Guide
Indicator
Description
LINK (S9300/
LE0D0VSTS
A00)
If the LINK indicator of a CSS

port is steady on, the link on the
CSS port is Up. If the indicator is
off, the link on the CSS port is
Down.
If the LINK indicator of a CSS port is

off, the cluster cable connected to the
port may be faulty. Replace the cluster
cable and check again.
NOTE
The LINK indicator only shows the
link status on a CSS port and cannot
determine whether the CSS port is
transmitting data.
Step 4 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedure
l Configuration files, logs, and alarms of the switches
----End
3.1.1.2.2 A Cluster Splits
Fault Description
Indicators on CSS cards of cluster member switches are in abnormal states or cluster switch
system management (CSSM) alarms are generated.
Possible Causes
l
Cluster cables are faulty.
A card with CSS ports fails.
MPUs of the cluster member switches fail.
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Step 1 Check whether there are any CSSM alarms.

Run the terminal monitor and terminal trapping commands in the user view to enable the
alarm function.
l If there are alarms with OID of 1.3.6.1.4.1.2011.5.25.183.3.3.2.5 or
1.3.6.1.4.1.2011.5.25.183.3.3.2.1, the cluster has split or a CSS link is Down. Check whether
all cluster cables are securely connected to CSS ports. If any cluster cable is loose, unplug
and plug it again. After all cluster cables are properly connected, the two switches will merge
into a cluster.
l If no such alarm is generated, go to Step 2.
Issue 02 (2015-01-20)

85

Maintenance Guide
Step 2 Check indicators on CSS cards of the two switches to determine whether the CSS cards are
working normally.
NOTICE
To remove a CSS card, remove the MPU with the CSS card from the switch. Do not hot swap
the CSS card directly.
Check the CSS card indicators and rectify the fault according to Table 3-2.
Table 3-2 CSS card indicators and troubleshooting methods
Indicator
Description
RUN/ALM
If this indicator is steady red, the

CSS card has failed. If the
indicator is steady green, the
CSS card is working normally.
l If both CSS cards in a chassis have

RUN/ALM indicators steady red,
the active MPU of the chassis may
have failed. Replace the MPU and
check again.
l If only one CSS card in a chassis has
its RUN/ALM indicator steady red,
Replace the CSS card and check
again.
CSS ID
The indicator that is turned on

indicates the CSS ID of the local
chassis. Currently, a cluster can
have only two member switches;
therefore, only the CSS ID
indicators 1 and 2 can be turned
on.
If both CSS ID indicators 1 and 2 are off,

replace the CSS card.
If both indicators 1 and 2 are off,

LINK (S9300/
LE0D0VSTS
A00)
If the LINK indicator of a CSS

port is steady on, the link on the
CSS port is Up. If the indicator is
off, the link on the CSS port is
Down.
If the LINK indicator of a CSS port is

off, the cluster cable connected to the
port may be faulty. Replace the cluster
cable and check again.
NOTE
The LINK indicator only shows the
link status on a CSS port and cannot
determine whether the CSS port is
transmitting data.
Step 3 If the cluster cannot be set up after you replace the faulty cluster cable, CSS card, or MPU, see
3.1.1.2.1 Two Chassis Fail to Set Up a Cluster to rectify the fault.
Issue 02 (2015-01-20)

86

Maintenance Guide
Step 4 If the fault persists, collect the following information and contact Huawei technical support
personnel:
----End
3.1.2 Hardware Troubleshooting (Fixed Switches)

3.1.2.1 Device Start Troubleshooting
3.1.2.2 Optical Module Troubleshooting
3.1.2.3 Interface Troubleshooting
3.1.2.4 PoE Troubleshooting
3.1.2.5 Product and Version Support for Components
3.1.2.1 Device Start Troubleshooting

3.1.2.1.1 A Device Restarts Repeatedly
3.1.2.1.1 A Device Restarts Repeatedly
Fault Description
A switch restarts unexpectedly and displays the following information during startup (the restart
may repeat):
Press Ctrl+B to enter BOOTROM menu ... 0
Auto-booting...
Please confirm app file typeID[0x0]!
Invalid package file!
Or:
program
Exception current instruction address: 0x08080804
Machine Status Register: 0x0008b032
Condition Register: 0x20000048
Task: 0x53f9e18 "root"
Possible Causes
The software package is incorrect or missing.
Step 1 Load the software package according to the upgrade guide.
----End
3.1.2.2 Optical Module Troubleshooting

Issue 02 (2015-01-20)

87

Maintenance Guide
3.1.2.2.1 Transmit Power of an Optical Module Is Smaller Than the Nominal Value
3.1.2.2.1 Transmit Power of an Optical Module Is Smaller Than the Nominal Value
Fault Description
Many low transmit power traps are recorded in logs. Measured by an optical power meter, the
transmit power of the optical module is smaller than the nominal value.
The low transmit power trap is as follows:
ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.4.5 hwOpticalInvalid 136194
ENTITYTRAP/3/OPTICALINVALID: OID [oid] Optical Module is invalid.(Index=
[INTEGER], EntityPhysicalIndex=[INTEGER], PhysicalName="[OCTET]",
EntityTrapFaultID=[INTEGER])
Possible Causes
l
The transmit bore of the optical module is contaminated.
The laser transmission circuit of the optical module is faulty.
Step 1 Check optical bores of the optical module. If they are contaminated, use a cotton swab to clean
the optical bores. Use a dust-proof cap to protect unused optical modules from contamination.
Step 2 If the transmit power of the optical module is still abnormal, install the optical module on another
optical port. If the fault persists, the optical module is faulty. Replace the optical module and
send back the faulty one for repair or contact Huawei technical support personnel.
----End
3.1.2.3 Interface Troubleshooting

3.1.2.3.1 Two Connected Electrical Interfaces Cannot Go Up
3.1.2.3.2 Two Connected Optical Interfaces Cannot Go Up
3.1.2.3.1 Two Connected Electrical Interfaces Cannot Go Up
Fault Description
After two electrical interfaces are connected using a network cable, they cannot go Up.
Issue 02 (2015-01-20)

88

Maintenance Guide
Troubleshooting Flowchart
Figure 3-1 Troubleshooting flowchart
NOTICE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to
correct the fault, you will have a record of your actions to provide Huawei technical support
personnel.
Step 1 Check whether the interfaces have been shut down or whether the cable between them is loose
or removed. If an interface is shut down, run the undo shutdown command to restore the
interface.
Step 2 Check configurations on the two interfaces and ensure that:
l The two interfaces work at the same speed and duplex mode.
l The two interfaces both work in auto-negotiation or non-auto-negotiation mode.
NOTICE
If the remote device is a non-Huawei device and its interface cannot transition to link up state
through auto-negotiation, forcibly configure the interface speed and duplex mode on the two
ends.
l The media delivery index (MDI) mode is properly set on the two interfaces. The MDI mode
determines whether an interface supports crossover cables. Three MDI modes are available:
normal, across, and auto. If the network cable type is unknown, set the MDI mode to auto
on the two interfaces. Table 3-3 and Table 3-4 describe the interface states in the three MDI
modes.
Issue 02 (2015-01-20)

89

Maintenance Guide
Table 3-3 Interface connection using a straight-through cable

Straight-through Cable
MDI Mode Before Connection
Interface Status After Connection
Interface A
Interface B
Interface A
Interface B
GE electrical interface
(auto)
(auto)
Up
Up
FE electrical interface
(auto)
(auto)
Up
Up
(auto)
(normal)
Up
Up
(auto)
(across)
Up
Up
(across)
(normal)
Up
Up
(across)
(across)
Down
Down
(normal)
(normal)
Down
Down
Table 3-4 Interface connection using a crossover cable

crossover Cable
Issue 02 (2015-01-20)
MDI Mode Before Connection
Interface Status After Connection
Interface A
Interface B
Interface A
Interface B
(auto)
(auto)
Up
Up
(auto)
(auto)
Up
Up
(auto)
(normal)
Up
Up
(auto)
(across)
Up
Up
(normal)
(normal)
Down
Down
(across)
(normal)
Up
Up

90

Maintenance Guide
crossover Cable
(across)
(across)
Up
Up
Step 3 Check the link.

l Check the cable connection.
Check whether the cable is loose or damaged.
Check the type of the network cable. A GE electrical interface cannot go Up if a Category
4 or lower category cable is used.
Check whether wires of the network cable are faulty. A GE interface may fail to go Up
if any of the four wire pairs in the network cable is faulty.
l Ensure that the interfaces can work properly.
Check whether the metal reeds in the interfaces cave or shift.
Perform internal and external loopback tests to check whether the interfaces can work
normally.
l Use the following methods to test the link:
External loopback test: To check whether a network cable is normal, connect two normal
interfaces on the same switch. If the interfaces can go Up, the network cable is normal.
(To avoid loops in service VLANs, create dedicated VLANs for external loopback tests
or add the two interfaces to different VLANs.)
Run the virtual-cable-test command to check whether any short circuit or cross
connection exists on wires of the cable. If so, determine whether the problem is caused
by the interfaces or the network cable.
NOTICE
This command will cause Up/Down state transitions on an interface.
If the interfaces can go Up but you suspect that they cannot receive or transmit packets,
run the test-packet start interfaceinterface-type interface-number -c command on the
two interfaces to display packet statistics. Check whether the interfaces can send and
receive packets normally.
[Quidway] test-packet start interface Ethernet 0/0/1 ?
-c
The number of packet
-s
The packet size
<cr>
personnel:
l Related commands: display this interface, display logbuffer, display this
----End
Issue 02 (2015-01-20)

91

Maintenance Guide
3.1.2.3.2 Two Connected Optical Interfaces Cannot Go Up
Fault Description
After two optical interfaces are connected, they cannot go Up.
Troubleshooting flowchart
Figure 3-2 Troubleshooting flowchart
NOTICE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to
correct the fault, you will have a record of your actions to provide Huawei technical support
personnel.
Step 1 Check whether the interfaces have been shut down or whether the optical fiber between them is
loose or removed. If an interface is shut down, run the undo shutdown command to restore the
interface.
Step 2 Check configurations on the two interfaces and ensure that:
l The two interfaces work at the same speed.
l The two interfaces use the same negotiation mode.
Issue 02 (2015-01-20)

92

Maintenance Guide
Step 3 Check whether the optical modules used on the optical interfaces are Huawei-certified optical
modules. If a non-Huawei-certified optical module is used, replace it with a Huawei-certified
optical module.
Step 4 Check whether the optical fiber matches the optical modules at both ends.
l Multimode optical fibers must be used with multimode optical modules.
l Single-mode optical fibers must be used with single-mode optical modules.
NOTE
Generally, a single-mode fiber is yellow, and a multimode fiber is orange.
Step 5 Run the display transceiver interface interface-type interface-numberverbose command with
the problematic interface specified in the system view to check whether the optical modules on
the two ends have the same wavelength.
<Quidway> display transceiver interface GigabitEthernet 0/1/1 verbose
Transceiver Type
:1000_BASE_SX_SFP
Vendor PN
:FTLF8519P3BTL-HW
Connector Type
:LC
Wavelength(nm)
:850
:500(50um),300(62.5um)
Vendor Name
:FINISAR CORP.
Ordering Name
:
Temperature( )
:27.00
Temp High Threshold( )
:90.00
Temp Low Threshold( )
:-20.00
Voltage(V)
:3.27
:3.70
:2.90
Bias Current(mA)
:6.94
:24.01
:1.75
RX Power(dBM)
:-28.54
TX Power(dBM)
:-4.99
TX Power High Threshold(dBM) :0.00
-------------------------------------------------------------
Step 6 Check whether the optical modules match the optical interfaces. If not, for example, if a 1000M
optical module is installed on a 100M optical interface, replace the optical module.
Step 7 Check whether the transmit power and receive power of the optical modules are within the
allowed range. If the receive or transmit power is excessively high or low, the optical interfaces
cannot go Up. The excessively long transmission distance or low optical fiber quality may also
be the reason why interfaces cannot go Up.
Step 8 Perform a loopback test if the preceding items are normal. Connect an optical fiber to the bores
of the same optical module and check whether the optical interface can go Up.
Step 9 Replace the optical modules or fiber if the problem cannot be located.
personnel:
Issue 02 (2015-01-20)

93

Maintenance Guide

l Related commands: display this interface, display logbuffer, display this, display
transceiver verbose
----End
3.1.2.4 PoE Troubleshooting

3.1.2.4.1 A PoE Switch Fails to Supply Power to an Attached PD
3.1.2.4.2 Collecting Information for PoE Fault Location
3.1.2.4.3 Determining Whether a Switch Support the PoE Function
3.1.2.4.4 Determining Whether a PoE Module Supports the PoE Function
3.1.2.4.5 Forcibly Powering On a Non-Standard PD Connected to a PoE Switch
Issue 02 (2015-01-20)

94

Maintenance Guide
3.1.2.4.1 A PoE Switch Fails to Supply Power to an Attached PD
Figure 3-3 PoE troubleshooting flowchart
Step 1 Collect information about the switch and PD, and confirm the model, power, and standard
compliance (802.3af or 802.3at) of the PD.
Issue 02 (2015-01-20)

95

Maintenance Guide
Step 2 Check that the switch and the power modules of the switch support the PoE function.
Step 3 Check that the PD and the network cable connected to the PD work normally.
Step 4 Check whether the PD is an AP using non-isolated power supply. If so, replace the AP.
Step 5 Check whether the PoE function of the switch is normal. If not, send the switch to the Huawei
agent or Huawei for repair.
Check whether the PD is a standard PD. If it is a non-standard PD using 48 V power supply,
forcibly power on the PoE interface connected to the PD. If the non-standard PD does not use
-48 V power supply, contact Huawei Technical Assistant Center.
----End
3.1.2.4.2 Collecting Information for PoE Fault Location
Procedure
NOTE
Collect the following information and send the collected information as well as numbers of the interfaces
connected to PDs to Huawei technical support personnel.
Step 1 Run the display poe power-state command to check the power supply state of an interface.
<HUAWEI> display poe power-state interface gigabitethernet 0/0/3
Port legacy detect
: disable
Port power enabled
: enable
Port power ON/OFF
: on
Port power status
: Powered
Port PD class
: 3
Port reference power(mW)
: 15400
Port power priority
: Low
Port max power(mW)
: 15400
Port current power(mW)
: 2794
Port peak power(mW)
: 2794
Port average power(mW)
: 2741
Port current(mA)
: 52.73
Port voltage(V)
: 53.00
Step 2 Run the display poe power command to check power information on an interface.
<HUAWEI> display poe power interface gigabitethernet 0/0/3
Port PD power(mW)
: 3710
Port PD class
: 2
Port PD reference power(mW) : 7000
Port user set max power(mW) : 15400
Port PD peak power(mW)
: 3816
Port PD average power(mW)
: 3487
Step 3 Run the display poe information command to check current PoE running information.
<HUAWEI> display poe information
PSE Information of slot 0:
User Set Max Power(mW)
:
POE Power Supply(mW)
:
Available Total Power(mW) :
Total Power Consumption(mW):
Power Peak Value(mW)
:
Power-Management Mode
:
Power High Inrush
:
739200
369600
369600
0
0
auto
disable
Step 4 Run the display poe-power command to check PoE power information.
Issue 02 (2015-01-20)

96

Maintenance Guide
<HUAWEI> display poe-power

Slot 0
Total Available POE Power(mW) : 246400
Reserved POE Power Percent
: 20 %
POE Power Threshold Percent
: 90 %
POE Power 1
Power Value(mW)
: 123200
Type
: PSA250-A2
Supported Mode
: Redundancy,
POE Power 2
Power Value(mW)
: 123200
Type
: PSA250-A2
Supported Mode
: Redundancy,
Slot 1
: 20 %
: 90 %
POE Power 1
Power Value(mW)
: 123200
Type
: PSA250-A2
Supported Mode
: Redundancy,
POE Power 2
Power Value(mW)
: 369600
Type
: PSA500-A1
Supported Mode
: Redundancy,
Slot 2
: 20 %
: 90 %
POE Power 1
Power Value(mW)
: 369600
Type
: PSA500-A1
Supported Mode
: Redundancy,
POE Power 2
Power Value(mW)
: 369600
Type
: PSA500-A1
Supported Mode
: Redundancy,
Balance
Balance
Balance
Balance
Balance
Balance
Step 5 Run the display interface brief command to check interface states and brief information.
<HUAWEI> display interface brief
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface
PHY
Protocol InUti OutUti
GigabitEthernet0/0/1
up
up
0.06%
100%
up
up
100%
100%
up
up
0%
100%
up
up
100%
100%
up
up
99%
100%
down down
0%
0%
down down
0%
0%
down down
0%
0%
down down
0%
0%
down down
0%
0%
down down
0%
0%
down down
0%
0%
down down
0%
0%
down down
0%
0%
down down
0%
0%
down down
0%
0%
Issue 02 (2015-01-20)

inErrors
0
0
0
0
0
10
12
0
0
0
0
0
0
0
0
0
outErrors
21217388
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
97

Maintenance Guide
MEth0/0/1
NULL0
down
down
down
down
down
down
down
down
down
up
down
down
down
down
down
down
down
down
down
up(s)
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
----End
3.1.2.4.3 Determining Whether a Switch Support the PoE Function

Run the display device command to obtain the product name of a switch and determine whether
the switch supports the PoE function according to the product name.
l
If the product name contains PWR, this product model supports the PoE function.
If the product name does not contain PWR, this product model does not support the PoE
function.
3.1.2.4.4 Determining Whether a PoE Module Supports the PoE Function

You can determine whether a power module supports the PoE function from its appearance or
name label.
l
Check the name label attached on the power module. If the name label shows that the DC
output is -53.5 V, the power module is a PoE power module. If "-53.5V" is not displayed
on the name label, the power module is a non-PoE power module.
Check the appearance of the power module. All non-PoE power modules have no fans, as
shown in Figure 3-4, Figure 3-5. All PoE power modules have fans, as shown in Figure
3-6, Figure 3-7.
Figure 3-4 150 W AC power module (LS5M100PWA00)
Issue 02 (2015-01-20)

98

Maintenance Guide
Figure 3-5 150 W DC power module (LS5M100PWD00)
Figure 3-6 250 W AC PoE power module
Issue 02 (2015-01-20)
Check the appearance of the power module. All non-PoE power modules have no fans, as
shown in Figure 3-8Figure 3-9. All PoE power modules have fans, as shown in Figure
3-10, Figure 3-11.

99

Maintenance Guide
Figure 3-8 150 W AC power module (LS5M100PWA00)
Figure 3-9 150 W DC power module (LS5M100PWD00)
Issue 02 (2015-01-20)

100

Maintenance Guide
3.1.2.4.5 Forcibly Powering On a Non-Standard PD Connected to a PoE Switch

There are many non-standard PDs sold in market. To prevent damages caused by non-standard
PDs, Huawei switches detect and classify connected PDs and supply power only to standard
PDs.
If you confirm that a non-standard uses 48 V power supply, run the following command on the
interface connected to the PD to forcibly power on the PD.
poe force-power: forcibly powers on a PD.
undo poe force-power: cancels the power-on configuration.
View: interface view
NOTE
The poe force-power command enables a switch to power on a PD without PD detection and classification.
3.1.2.5 Product and Version Support for Components

Product and Version Support for Cards
Table 3-5 Product and version support for cards
Card Type
Card Name
Applicable
Product Series
Version Support
Front card
LS5D00E2XX00
l S5300C-SI
V100R002 to V200R003C00
LS5D00E2XY00
l S5300-EI
LS5D00E4XY01
V100R005 to V200R003C00
LS5D00E4GF01
S5300-EI
V100R002 to V200R003C00
LS5D0E4GFA00
S5300C-SI
V100R003 to V200R003C00
LS5D00X2SA00
l S5300-HI
V100R006C00 to
V200R003C00
l S5310-EI
Issue 02 (2015-01-20)
V100R005 to V200R003C00

101

Maintenance Guide
Card Type
Card Name
Applicable
Product Series
LS5D00X4SA00
S5300-HI
Version Support
LS5D00G4SC00
Rear card
LS5D21G08S00
S5310-EI
V200R002C00 to
V200R003C00
l S5300-SI
V100R003 to V200R003C00
LS5D21G08T00
ES5D00ETPC00
l S5300-EI
ES5D00ETPB00
l S5300C-SI
V100R002 to V200R003C00
l S5300-EI
Product Support for Power Modules

Table 3-6 Product support for power modules
Power Module
Description
Power Module Name
Applicable Product Series
150 W AC power module
LS5M100PWA00 (purple
grey)
150 W DC power module
LS5M100PWD00 (purple
grey)
S5328C-SI, S5352C-SI,
S5328C-EI, S5328C-EI-24S,
S5352C-EI
170 W AC power module
W0PSA1700
170 W DC power module
LS5M0PSD1700
250 W AC PoE power

module
W0PSA2500
500 W AC PoE power

module
W0PSA5000
S5348TP-PWR-SI, S5352CPWR-SI, S5324TP-PWR-SI,

S5328C-PWR-SI,
S5300-52C-PWR-EI,
S5300-28C-PWR-EI,
S5352C-PWR-EI, S5328CPWR-EI
15 A rectifier module
LS5W2PSA0870
RPS1800
S5300-HI
3.2 Software Troubleshooting

3.2.1 Pack Loss Troubleshooting
3.2.2 Eth-Trunk Fault Troubleshooting
Issue 02 (2015-01-20)

102

Maintenance Guide
3.2.3 Ping Failure Troubleshooting

3.2.4 STP Fault Troubleshooting
3.2.5 Mirroring Troubleshooting
3.2.6 Multicast Troubleshooting
3.2.7 VRRP Service Troubleshooting
3.2.8 Layer 2 Loop Troubleshooting
3.2.9 dot1x Troubleshooting
3.2.1 Pack Loss Troubleshooting

3.2.1.1 Common Fault Location Commands
3.2.1.2 Ping Packets Are Lost
3.2.1.3 Layer 2 Packets Are Lost
3.2.1.4 Packets Are Lost in Traffic Statistics

Table 3-7 describe common commands for locating a packet loss fault.
Table 3-7 display commands
Issue 02 (2015-01-20)
Command
Description
display current-configuration interface

interface-type interface-number
Displays interface configurations.
display arp interface vlanif vlan-id
Displays ARP entries on a VLANIF interface.
display arp all
Displays all ARP entries.
display ip routing-table
Displays routing information.
display fib
Displays FIB information.
display icmp statistics
Displays statistics about ICMP packets.
display cpu-defend icmp statistics all
Displays CPCAR statistics about ICMP

packets (only supported by modular switch
V100R002 and fixed switch V100R005).
display cpu-defend statistics packet-type

icmp all
Displays CPCAR statistics about ICMP

packets (only supported by V100R006 and
later versions).
display traffic policy statistics interface

interface-type interface-number { inbound |
outbound }
Displays traffic statistics on an interface

where a traffic policy has been configured for
collecting traffic statistics.

103

Maintenance Guide
Command
Description
display traffic policy statistics interface

interface-type interface-number { inbound |
outbound } verbose rule-based
Displays detailed traffic statistics on an

interface, including statistics on the traffic
matching ACL rules.
display traffic policy statistics global {

inbound | outbound } verbose rule-based
Displays global traffic statistics.
3.2.1.2 Ping Packets Are Lost

Figure 3-12 Flowchart for troubleshooting a ping packet loss fault
Step 1 Check whether MAC address flapping or ARP entry flapping occurs.
Issue 02 (2015-01-20)

104

Maintenance Guide
When the outbound interface of a route changes or an IP address conflict occurs on a switch,
ARP entry flapping or MAC address flapping occurs. In this case, ping packets from downstream
devices may be lost.
Run the following commands to check whether the route, ARP entry, and MAC address of the
outbound interface frequently change:
display ip routing-table
display arp
display mac-address
If ARP entry flapping or MAC address flapping occurs, a loop exists on the network. Remove
the loop by referring to 3.2.8 Layer 2 Loop Troubleshooting.
Step 2 Check whether large ping packets are dropped because of CAR exceeding.
For example, when a 9000-byte ping packet is sent and three packets are sent per second (devices
of most vendors send ping packets at a higher speed), the rate for sending packets is 216 kbps.
However, the default CIR of a modular switch is 192 kbps and that of a fixed switch is 128 kbps.
As a result, the switch discards ICMP packets because of CAR exceeding.
Use the following commands to check whether packets are dropped because of CAR exceeding.
If the value of Drop increases, packets are dropped because of CAR exceeding. Increase the
CAR value properly and perform the ping operation again. Restore the CAR value after the fault
is rectified.
l For modular switches of V100R002 and fixed switches of V100R005, run the display cpudefend icmp statistics all command.
l For modular switches of V100R003 and later versions and fixed switches of V100R006 and
later versions, run the display cpu-defend statistics packet-type icmp all command.
You can check the CAR value using the following commands:
l For modular switches of V100R002 and fixed switches of V100R005, run the display cpudefend icmp configuration all command.
l For modular switches of V100R003 and later versions and fixed switches of V100R006 and
later versions, run the display cpu-defend configuration packet-type icmp all command.
You can modify the CIR as follows:
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] car packet-type icmp cir 256
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1 global
Step 3 Check whether rate limiting is configured for ICMP packets.

By default, rate limiting for ICMP packets is enabled. If the rate of ping packets is high, some
ping packets will be dropped. You can increase the rate threshold of ICMP packets to check
whether the packet loss fault is rectified. The default rate threshold of ICMP packets is 128
pps (64 pps for the S5300SI).
You can modify the rate threshold of ICMP packets using the following command:
icmp rate-limit total threshold threshold-value
Issue 02 (2015-01-20)

105

Maintenance Guide
Step 4 Check whether ping packet suppression is enabled.

NOTE
Perform this step only for fixed switches of V100R003.
By default, ping packet suppression is enabled for fixed switches of V100R003. When the
number of ICMP packets received by an interface per second exceeds the specified threshold,
the interface suppresses ICMP packets for 2 minutes. During this period, the interface does not
process the received ICMP packets.
Non-Huawei devices send ping packets at high rates. When such a non-Huawei device pings a
Huawei fixed switch of V100R003, packets are normally received and then are not processed.
After about 2 minutes, the ping operation succeeds. To rectify the fault, run the undo icmp ratelimit enable command on Huawei switch.
Step 5 If the fault persists, collect information and contact Huawei technical support personnel.
----End
Issue 02 (2015-01-20)

106

Maintenance Guide
3.2.1.3 Layer 2 Packets Are Lost

Figure 3-13 Layer 2 packet loss troubleshooting flowchart
Step 1 Locate the device where packets are lost.
Configure traffic statistics collection on the inbound and outbound interfaces of the switch based
on the packet forwarding path. Compare the collected traffic statistics to determine whether
Issue 02 (2015-01-20)

107

Maintenance Guide
packets are discarded on the switch. For example, packets with source IP address 1.1.1.1 and
destination IP address 2.2.2.2 are lost. The packets are received on GE2/0/1and sent out from
GE5/0/10 on the switch.
The configuration is as follows:
#
acl 3999
rule permit ip source 1.1.1.1 0 destination 2.2.2.2 0
#
traffic classifier test
if-match acl 3999
#
traffic behavior test
statistic enable
#
traffic policy test
classfier test behavior test
#
interface GigabitEthernet 2/0/1
traffic-policy test inbound
#
interface GigabitEthernet 5/0/10
traffic-policy test outbound
Check the collected statistics. If the number of inbound packets is equal to the number of
outbound packets, packet loss does not occur on the switch. If the number of inbound packets
is greater than the number of outbound packets, packet loss occurs on the switch.
View traffic statistics using the following commands:
display traffic policy statistics interface GigabitEthernet 2/0/1 inbound
display traffic policy statistics interface GigabitEthernet 5/0/10 outbound
You can delete traffic statistics using the following commands:
reset traffic policy statistics interface GigabitEthernet 2/0/1 inbound
reset traffic policy statistics interface GigabitEthernet 5/0/10 outbound
NOTE
For non-IP packets, collect traffic statistics based on the source MAC address, destination MAC address,
or VLAN. Compare the traffic statistics to check whether packets are forwarded through the switch.
Step 2 Check the configuration.

l Check whether a traffic policy is configured to limit the rate of packets on the interface, in
the VLAN, or globally.
If so, adjust the rate limit.
l Check whether the inbound and outbound interfaces belong to the same service VLAN.
If not, configure the inbound and outbound interfaces in the same VLAN.
Step 3 Check the interface and link status.
l Check whether the link between the two devices is normal, and whether the interfaces at both
ends work at the same speed and mode.
l If the devices are connected using optical interfaces, check whether the optical power on the
interfaces is normal and whether there are optical power traps.
Issue 02 (2015-01-20)

108

Maintenance Guide
For details, see 3.1.2.3 Interface Troubleshooting in "Hardware Troubleshooting."

Step 4 Check whether MAC address flapping occurs.
l Modular switches
In V100R002, the switch supports global MAC address flapping detection on all LPUs except
the S series. When global detection is enabled, the switch can only send trap messages when
MAC address flapping is detected.
flapping detection.
Compared with V100R002, V100R003 and later versions support VLAN-based MAC
In V100R003 and later versions, run either of the following commands to enable MAC
address flapping detection:
loop-detect eth-loop alarm-only in the system view
loop-detect eth-loop alarm-only in the VLAN view
By default, global MAC address flapping detection is disabled in 100R003 and enabled in
V100R006 and later versions.
Starting from V200R001, switches support global MAC address flapping detection, VLAN
Table 3-8 describes MAC address flapping detection traps in different versions.
Table 3-8 MAC address flapping detection traps on modular switches of different versions
Version
Trap Information
V100R002
Global
detection
L2IF/4/MAC_FLAPPING_ALARM:OID
1.3.6.1.4.1.2011.5.25.42.2.1.7.12The mac-address has
flap value . (BaseTrapSeverity=0, BaseTrapProbableCause=0, BaseTrapEventType=4, L2IfPort=549,entPhysicalIndex=1, MacAdd=0000-0000-002b,vlanid=1001,
FormerIfDescName=Ethernet3/0/2,CurrentIfDescName=
Ethernet3/0/3,DeviceName=S9306-169)
VLANbased
detection
Not supported.
Global
detection
L2IFPPI/4/MAC_FLAPPING_ALARM:OID
flap value . (L2IfPort=0,entPhysicalIndex=0,
BaseTrapSeverity=4, BaseTrapProbableCause=549,
BaseTrapEventType=1, MacAdd=00e0fc00-4447,vlanid=1001,
FormerIfDescName=GigabitEthernet6/0/6,CurrentIfDesc
Name=GigabitEthernet6/0/7,DeviceName=9306-222.159)
V100R003
Issue 02 (2015-01-20)

109

Maintenance Guide
Version
Trap Information
V100R006
V200R001,
V200R002,
and
V200R003
VLANbased
detection
L2IFPPI/4/MFLPVLANALARM:OID
1.3.6.1.4.1.2011.5.25.160.3.7 Loop exist in vlan 1001, for
mac-flapping.
Global
detection
flap value. (L2IfPort=0,entPhysicalIndex=0,
BaseTrapEventType=1, MacAdd=0025-9e6e-1c55,vlanid=1001,
FormerIfDescName=GigabitEthernet2/1/23,CurrentIfDes
cName=GigabitEthernet2/1/22,DeviceName=9303-222.157)
VLANbased
detection
1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in vlan 1001, for
flapping mac-address 0025-9e6e-1c55 between port
GE2/1/23 and port GE2/1/22.
loop-detect
eth-loop
1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has
BaseTrapEventType=1,
MacAdd=0000-0000-0050,vlanid=10,FormerIfDescNam
e=GigabitEthernet6/0/0,CurrentIfDescName=GigabitEth
ernet6/0/23,DeviceName=S9312_106)
MAC
address
flapping
detection
L2IFPPI/4/
MFLPVLANALARM:OID1.3.6.1.4.1.2011.5.25.160.3.7
MAC move detected, VlanId = 10, MacAddress =
0000-0000-0050, Original-Port = GE6/0/0, Flapping port
= GE6/0/23. Please check the network accessed to flapping
port.
l Fixed switches
Fixed switches (excluding the S2300 series) of V100R003 and later do not support global
Issue 02 (2015-01-20)

110

Maintenance Guide
Table 3-9 MAC address flapping detection traps on fixed switches of different versions
Version
Trap Information
V100R003
L2IF/4/MFLPPORTRESUME:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop

exist in vlan for
(hwMflpVlanId:"[1001]";hwMflpVlanCfgAlarmReason:"[for flapping
mac-address 0000-0000-002b between port GE0/0/24 and port
GE0/0/23]")
V100R005
L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7
Loop exists in vlan 1001, for flapping mac-address 0000-0000-002b
between port GE0/0/24 and port GE0/0/23.
V100R006
V200R001,
V200R002,
and
V200R003
1.3.6.1.4.1.2011.5.25.160.3.7MAC move detected, VlanId = 1001,
flapping mac-address 0000-0000-002b between port GE0/0/24 and port
GE0/0/23. Please check the network accessed to flapping port.
If MAC address flapping is detected, a loop exists on the network. Remove the loop by referring
to 3.2.8 Layer 2 Loop Troubleshooting.
Step 5 Check whether congestion occurs.
View traffic statistics. If the number of discarded outbound packets increases, congestion occurs.
The following provides a command output example:
[Switch] display interface gigabitEthernet 0/0/2
GigabitEthernet0/0/2 current state : UP
Line protocol current state : UP
Description:mav-3550-12G_0_4
Switch Port, PVID :
1, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is e024-7f03-5730
Port Mode: COMMON FIBER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi
: NORMAL
Last 300 seconds input rate 46795760 bits/sec, 10279 packets/sec
Last 300 seconds output rate 82925816 bits/sec, 12317 packets/sec
Input peak rate 330618568 bits/sec, Record time: 2012-05-28 15:54:32
Output peak rate 256751464 bits/sec, Record time: 2012-05-29 07:34:24
Input: 1364418188 packets, 590098536948 bytes
Unicast:
1348575035, Multicast:
5742574
Broadcast:
6573364, Jumbo:
3527215
Discard:
0, Total Error:
0
CRC:
0, Giants:
0
Jabbers:
0, Fragments:
0
Runts:
0, DropEvents:
0
Alignments:
0, Symbols:
0
Ignoreds:
0, Frames:
0
Output: 1775192399 packets, 1431792826655 bytes
Unicast:
1764324430, Multicast:
Broadcast:
5453339, Jumbo:
Discard:
819924, Total Error:
Collisions:
0, ExcessiveCollisions:
Issue 02 (2015-01-20)

3364531
2050099
0
0
111

Maintenance Guide
Late Collisions:
Buffers Purged:
0,
0
Deferreds:
Input bandwidth utilization threshold : 100.00%

Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 4.68%
Output bandwidth utilization : 8.29%
If congestion occurs, run the qos burst-mode enhanced command to enable enhanced burst
traffic buffering on the interface. If the fault persists or the device does not support the qos burstmode command, expand the capabilities of the device.
Step 6 Mirroring
If a small amount of traffic is transmitted on the interface, configure port mirroring according
to Table 3-10.
If a large amount of traffic is transmitted on the interface, configure traffic mirroring according
to Table 3-11.
Table 3-10 Procedure for configuring port mirroring
Step
Command
Enter the system

view.
Run the system-view command.
Configure an
observing port.
Run the observe-port port-number interface interface-type interfacenumber command to configure an observing port.
Configure port
mirroring.
1. Run the interface interface-type interface-number command to enter

the view of the mirrored port.
2. Run the port-mirroring to observe-port port-number both command
to copy the packets sent and received on the mirrored port to the
observing port.
Table 3-11 Procedure for configuring traffic mirroring
Issue 02 (2015-01-20)
Step
Command
Enter the system

view.
Configure an
observing port.
Run the observe-port port-number interface interface-type

interface-number command to configure an observing port.

112

Maintenance Guide
Step
Command
Configure an ACL to
define the traffic to
be mirrored.
1. Run the acl numberacl-number command to create an advanced

ACL.
NOTE
The advanced ACL number ranges from 3000 to 3999.
2. Run the rule rule-id permit icmp source source-ip 0

destination destination-ip 0 command to define an ACL rule to
match the ICMP Echo Request packets.
match the ICMP Echo Reply packets.
4. Run the quit command to return to the system view.
Configure a traffic
classifier.
1. Run the traffic classifier classifier-name operator and command

to create a traffic classifier.
2. Run the if-match acl acl-number command to configure a match
clause based on the configured ACL rules.
Configure a traffic
behavior.
1. Run the traffic behavior behavior-name command to create a

traffic behavior.
2. Run the mirroring observing-port port-id command to mirror
traffic to the observing port.
Configure a traffic
policy.
1. Run the traffic policy policy-name command to create a traffic

policy.
2. Run the classifier classifier-name behavior behavior-name
command to associate the traffic classifier with the traffic
behavior.
Apply the traffic

policy to the
mirrored interface.
1. Run the interfaceinterface-type interface-number command to

enter the view of the interface where traffic statistics need to be
collected.
2. Run the traffic-policy policy-name inbound command to apply
the traffic policy to the inbound direction of the interface.
3. Run the traffic-policy policy-name outbound command to apply
the traffic policy to the outbound direction of the interface.
You can analyze the mirrored packets to check the sent and received packets and check the
VLAN ID, destination MAC address, checksum of the IP header, and ICMP checksum of the
packets.
Issue 02 (2015-01-20)

113

Maintenance Guide
----End
3.2.1.4 Packets Are Lost in Traffic Statistics

Check the following information based on traffic statistics:
1.
Whether traffic arrives at the inbound interface of the switch and whether packets are lost
on the upstream device
2.
Whether traffic is forwarded to the outbound interface of the switch. If all traffic is
transmitted to the outbound interface, no packet is lost.
3.
Whether the Layer 2 and Layer 3 information of traffic on the inbound interface of the
switch is correct. If the information is correct, the upstream device has correctly
encapsulated and forwarded packets.
4.
Whether the Layer 2 and Layer 3 information of traffic on the outbound interface of the
switch is correct. If the information is correct, the switch has correctly encapsulated and
forwarded packets.
5.
Whether traffic is unstable because of MAC address flapping, route change, or IP address
conflict.
The switch can collect statistics on incoming and outgoing traffic globally or based on interfaces.
The switch use the traffic policy function to collect traffic statistics. When a traffic policy is
applied to an interface, the switch collects statistics about only incoming or outgoing traffic on
this interface; when a traffic policy is applied globally, the switch collects statistics about
incoming or outgoing traffic on all interfaces.
NOTE
The traffic policy configured in an interface view takes precedence of that configured in the system view.
When traffic matches the traffic policy on an interface, the traffic cannot match the global traffic policy.
Therefore, traffic statistics are not displayed.
Step 1 Configure traffic statistics collection.

[HUAWEI] acl number 3999 //Configure ACL.
[HUAWEI-acl-adv-3999] rule 5 permit icmp source 1.1.1.1 0 destination 2.2.2.2 0
[HUAWEI-acl-adv-3999] quit
[HUAWEI] traffic classifier test operator or precedence 45 //Configure a traffic
classifier.
[HUAWEI-classifier-test] if-match acl 3999 //Apply ACL 3999.
[HUAWEI-classifier-test] quit
[HUAWEI] traffic behavior test //Configure a traffic policy.
[HUAWEI-behavior-test] statistic enable //Bind the traffic classifier to a traffic
behavior.
[HUAWEI-behavior-test] quit
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy test inbound //Bind the traffic
policy to the inbound direction (or run the traffic-policy test global inbound
command in the system view to bind the traffic policy).
NOTE
When you set the relationship between rules in a traffic policy to and, you can add information such as ifmatch vlan-id to each rule in the specified ACL. In this way, you can check whether Layer 2 information
about an IP address is correct and whether packets are correctly encapsulated on the upstream device and
local device.
Issue 02 (2015-01-20)

114

Maintenance Guide
Step 2 Check traffic statistics.

[HUAWEI] display traffic policy statistics interface GigabitEthernet 1/0/1
inbound //Display all traffic statistics.
[HUAWEI] display traffic policy statistics interface GigabitEthernet 1/0/1 inbound
verbose rule-base //Display traffic statistics of each rule.
Step 3 If traffic is not forwarded through the expected interface, the reason may not be packet loss. You
should check whether traffic flapping occurs. When traffic flapping occurs, traffic is forwarded
through an unexpected interface.
Traffic flapping may be caused by MAC address flapping, route changes, or IP address conflicts.
The specified inbound and outbound interfaces are bound to a traffic policy, and the traffic policy
is globally applied to both inbound and outbound directions. The traffic policy configured in the
interface view takes precedence of that configured in the system view, so the global traffic
statistics should not be obtained. If the global traffic traffics are obtained, traffic flapping occurs.
The collected information includes:
l Symptom
l Networking diagram, including interface numbers
l Procedure:
1.
Which configurations have been performed before the fault occurs
2.
Which operations have been performed after the fault occurs and information that has
been collected
----End
3.2.2 Eth-Trunk Fault Troubleshooting

3.2.2.1 Feature Description
3.2.2.3 Eth-Trunk in Manual Load Balancing Mode Cannot Go Up
3.2.2.4 Negotiation Fails on an Eth-Trunk in LACP Mode
3.2.2.5 Uneven Load Balancing of an Eth-Trunk
3.2.2.1 Feature Description

Working Mechanism and Concepts
Eth-Trunk is a bundling technology that binds multiple physical interfaces into a logical
interface. The logical interface is called an Eth-Trunk, and the physical interfaces are called
member interfaces. Eth-Trunk technology increases link bandwidth, improves reliability, and
implements load balancing.
An Eth-Trunk distributes traffic on multiple member interfaces and also provides higher link
reliability and bandwidth. You can configure an Eth-Trunk to support various routing protocols
and services.
Issue 02 (2015-01-20)

115

Maintenance Guide
Figure 3-14 shows an example of Eth-Trunk. Two switches are connected through three
interfaces. The three interfaces are bundled into an Eth-Trunk to increase bandwidth and improve
reliability.
Figure 3-14 Eth-Trunk networking
Eth-Trunk Working Modes

An Eth-Trunk can work in manual load balancing mode or Link Aggregation Control Protocol
(LACP) mode.
l
Manual load balancing mode
The manual load balancing mode is a basic link aggregation mode. In manual load balancing
mode, you must create an Eth-Trunk, add interfaces to the Eth-Trunk, and specify active
interfaces. LACP is not required in this mode.
All active member interfaces forward data and load balance traffic. Traffic is evenly distributed
to the member interfaces. If an active link fails, the remaining active links share the traffic evenly.
l
LACP mode
In LACP mode, you must create an Eth-Trunk and add interfaces to the Eth-Trunk. Unlike the
manual load balancing mode, the LACP mode selects active interfaces by sending LACP data
units (LACPDUs). When a group of interfaces is added to an Eth-Trunk, the devices at both
ends exchange LACPDUs to determine active and inactive interfaces.
The LACP mode is called M:N mode, which implements both load balancing and link backup.
M active links in the link aggregation group (LAG) are responsible for data forwarding and load
balancing, whereas the other N inactive links are backup ones and do not forward data. If one
of the M links is faulty, the link with the highest priority among the N links replaces the faulty
link. This link enters the active state and starts to forward data.

Table 3-12 describe common commands for locating Eth-Trunk faults.
Issue 02 (2015-01-20)
Command
Description
display eth-trunk
Displays the configuration of an Eth-Trunk.
display interface eth-trunk
Displays the status of an Eth-Trunk.
display trunkmembership eth-trunk
Displays information about an Eth-Trunk and its

member interfaces.
display trunkfwdtbl eth-trunk
Displays information about the Eth-Trunk

forwarding table.

116

Maintenance Guide
Command
Description
display load-balance-profile
Displays details about a specified load balancing

profile.
display lacp statistics eth-trunk
Displays statistics about LACPDUs in LACP mode.
display trunk index-map
Displays the mapping between Eth-Trunk IDs and

internal indexes.
display e-trunk
Displays E-Trunk information.
3.2.2.3 Eth-Trunk in Manual Load Balancing Mode Cannot Go Up

Figure 3-15 Flowchart for troubleshooting a Down Eth-Trunk in manual load balancing mode
Run the display eth-trunk command to check the working mode of an Eth-Trunk. If
WorkingMode is NORMAL, the Eth-Trunk works in manual load balancing mode.
WorkingMode: NORMAL
Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 3 Max Bandwidth-affected-linknumber: 8
Operate status: down
--------------------------------------------------------------------------------
Issue 02 (2015-01-20)

117

Maintenance Guide
PortName
Status
Up
Down
Weight
1
1
Step 1 Check whether Eth-Trunk member interfaces are Up.
The physical status of Eth-Trunk member interfaces must be Up so that the Eth-Trunk can work
properly.
Run the display eth-trunk command to check information about Eth-Trunk member interfaces.
If the Eth-Trunk member interface status is Down, run the display interface command to check
the physical status of the member interfaces. If the physical status of the member interfaces is
Down, check their link status. For details, see 3.1.2.3 Interface Troubleshooting.
Step 2 Check the configuration of the Eth-Trunk.
Run the display eth-trunk command to check whether the lower threshold for the number of
active interfaces in the Eth-Trunk is configured. If the number of Eth-Trunk member interfaces
in Up state is less than the lower threshold, the Eth-Trunk goes Down.
WorkingMode: NORMAL
Least Active-linknumber: 3 Max Bandwidth-affected-linknumber: 8
-------------------------------------------------------------------------------PortName
Status
Weight
Up
1
Down
1
The default lower threshold for the number of active interfaces in an Eth-Trunk is 1. You can
run the least active-linknumberlink-number command to configure the lower threshold. The
default upper threshold for the number of active interfaces in an Eth-Trunk is 8. You can run
the max active-linknumberlink-number command to configure the upper threshold.
----End
Issue 02 (2015-01-20)

118

Maintenance Guide
3.2.2.4 Negotiation Fails on an Eth-Trunk in LACP Mode

Figure 3-16 Flowchart for troubleshooting a Down Eth-Trunk in LACP mode
Check the working mode of an Eth-Trunk using either of the following methods:
Method 1: Check the WorkingMode field in the display eth-trunk command output.
l
If WorkingMode is NORMAL, the Eth-Trunk works in manual load balancing mode.
In V100R006C03, V100R006C05, and V200R001, if WorkingMode is STATIC, the EthTrunk works in LACP mode.
In V200R002 and V200R003, if WorkingMode is LACP, the Eth-Trunk works in LACP

mode.
Method 2: Check the configuration in the Eth-Trunk interface view.

Issue 02 (2015-01-20)

119

Maintenance Guide
In V100R006C03, V100R006C05, and V200R001, if mode lacp-static is configured, the

Eth-Trunk works in LACP mode.
In V200R002 and V200R003, if mode lacp is configured, the Eth-Trunk works in LACP
mode.
Step 1 Check whether Eth-Trunk member interfaces are Up.
The physical status of Eth-Trunk member interfaces must be Up so that the Eth-Trunk can work
properly.
Run the display eth-trunk command to check information about Eth-Trunk member interfaces.
If the Eth-Trunk member interface status is Down, run the display interface command to check
the physical status of the member interfaces. If the physical status of the member interfaces is
Down, check their link status. For details, see 3.1.2.3 Interface Troubleshooting.
Step 2 Check the configuration of the Eth-Trunk.
Check whether the configuration on two ends of the Eth-Trunk is consistent. Both ends must
work in LACP mode because the two devices need to perform LACPDU negotiation. It is
recommended that other settings on the two ends of the Eth-Trunk be consistent.
Run the display eth-trunk command to check whether the lower and upper thresholds for the
number of active interfaces in the Eth-Trunk are configured. If the number of Eth-Trunk member
interfaces in Up state is less than the lower threshold, the Eth-Trunk goes Down.
Local:
LAG ID: 1
WorkingMode: STATIC
System ID: 4cb1-6c3b-aaf5
-------------------------------------------------------------------------------ActorPortName
Status
PortType PortPri PortNo PortKey PortState Weight
Unselect 1GE
32768
1
1329
10100010 1
Unselect 1GE
32768
2
1329
10100010 1
Partner:
-------------------------------------------------------------------------------ActorPortName
SysPri
SystemID
PortPri PortNo PortKey PortState
0
0000-0000-0000 0
0
0
10100011
0
0000-0000-0000 0
0
0
10100011
The default lower threshold for the number of active interfaces in an Eth-Trunk is 1. You can
run the least active-linknumberlink-number command to configure the lower threshold. The
default upper threshold for the number of active interfaces in an Eth-Trunk is 8. You can run
the max active-linknumberlink-number command to configure the upper threshold.
If the least active-linknumber command has been configured before you run the max activelinknumberlink-number command, ensure that the upper threshold for the number of active
interfaces is larger than or equal to the lower threshold for the number of active interfaces.
Step 3 Check whether Eth-Trunk member interfaces normally send and receive LACPDUs.
Run the display lacp statistics eth-trunk command to check statistics about LACPDUs sent
and received by Eth-Trunk member interfaces.
<Quidway> display lacp statistics eth-trunk 1
Eth-Trunk1's PDU statistic is:
Issue 02 (2015-01-20)

120

Maintenance Guide
-----------------------------------------------------------------------------Port
LacpRevPdu
LacpSentPdu MarkerRevPdu MarkerSentPdu
100
100
0
0
The increase in the number of LACPDUs is relevant to the packet timeout interval configured
on the Eth-Trunk.
[Quidway-Eth-Trunk1] lacp timeout slow/fast
In fast mode, the remote end sends LACPDUs at an interval of 1 second. In slow mode, the
remote end sends LACPDUs at an interval of 30 seconds. The fast mode ensures quicker response
but consumes more system resources than the slow mode. The timeout intervals configured at
the two ends can be different. You are advised to set the same LACPDU timeout interval on
both ends to facilitate maintenance.
If the increase in the number of received LACPDUs is incorrect, check whether the remote end
does not send LACPDUs or the local end discards the received LACPDUs. If the number of
LACPDUs received on the local end is incorrect, locate the reason why the local interface does
not receive LACPDUs.
For the S2300, S3300SI, S3300EI, S5300EI, and S5300SI, if the remote end sends LACPDUs
but the local end does not receive the LACPDUs, check whether bpdu enable is configured on
the Eth-Trunk.
----End
Issue 02 (2015-01-20)

121

Maintenance Guide
3.2.2.5 Uneven Load Balancing of an Eth-Trunk

Figure 3-17 Flowchart for troubleshooting uneven load balancing of an Eth-Trunk
Step 1 Check the packet type (known or unknown unicast packets).
The forwarding processes and the default hash algorithms are different for known and unknown
unicast packets.
Step 2 Check the hash algorithm of the Eth-Trunk.
Issue 02 (2015-01-20)

122

Maintenance Guide
l For known unicast packets, run the display eth-trunk command to check the hash mode in
the Hash arithmetic field. Alternatively, you can check the Eth-Trunk configuration to
confirm the hash mode.
Local:
LAG ID: 1
WorkingMode: STATIC
System ID: 4cb1-6c3b-aaf5
------------------------------------------------------------------------------ActorPortName
Status
PortType PortPri PortNo PortKey PortState
Weight
Unselect 1GE
32768
1
1329
10100010 1
Unselect 1GE
32768
2
1329
10100010 1
Partner:
------------------------------------------------------------------------------ActorPortName
SysPri
SystemID
PortPri PortNo PortKey
PortState
0
0000-0000-0000 0
0
0
10100011
0
0000-0000-0000 0
0
0
10100011
Table 3-13 describes the default load balancing mode of an Eth-Trunk.

Table 3-13 Default load balancing mode of an Eth-Trunk
Version
Default Load Balancing Mode
V100R006C03/V100R006C05
src-dst-mac
V200R001
src-dst-mac for the S5300SI and S5300EI, and rcdst-ip for other models
V200R002/V200R003
src-dst-mac for the S5300SI and S5300EI, and rcdst-ip for other models
l For broadcast and multicast packets, run the unknown-unicast load-balance { dmac |
smac | smacxordmac | enhanced } command in the system view to configure a load
balancing mode.
NOTE
Modular switches: V200R001, V200R002, and V200R003 all support this command.
Fixed switches:
V100R006C03: Only the S2352EI and S3300 support this command, but do not support the
enhanced parameter.
V100R006C05: Only the S2352P-EI and S3300 support this command, but do not support the
enhanced parameter.
V200R001: Only the S5300EI and S5300HI support this command.
V200R002: Only the S5310EI, S5300EI, and S5300HI support this command, and only the S5310EI
and S5300HI support the enhanced parameter.
V200R003: Only the S5310EI, S5300EI, and S5300HI support this command, and only the S5310EI
and S5300HI support the enhanced parameter.
l If load balancing using an enhanced load balancing profile is configured, run the display
load-balance-profile command to check the hash mode of each type of packets. There is
Issue 02 (2015-01-20)

123

Maintenance Guide
only one global enhanced load balancing profile. This profile takes effect on both known and
unknown unicast packets, and uses different fields for calculation based on the packet type.
NOTE
Modular switches: All cards except the SA series cards support load balancing using an enhanced load
balancing profile.
Fixed switches:
V200R001C01: Only the S5300HI supports load balancing using an enhanced load balancing profile.
V200R002: Only the S5310EI and S5300HI support load balancing using an enhanced load balancing
profile.
profile.
[Quidway-load-balance-profile-a] display load-balance-profile a
Load-balance-profile: a
Packet
HashField
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IPV4
sip
dip
IPV6
sip
dip
L2
smac
dmac
MPLS
top-label
2nd-label
Step 3 Check whether characteristics of forwarded packets match the configured hash mode.
Check whether the characteristics of packets forwarded on an Eth-Trunk match the configured
hash mode. If the characteristics of packets forwarded on an Eth-Trunk do not match the
configured hash mode, for example, MAC addresses of forwarded packets are changed but the
hash mode is src-ip, traffic cannot be evenly load balanced.
In each hash mode, the system performs the hash calculation based on specified bits in fields.
If the changed bits in the source IP address or MAC address field are used in the hash calculation,
traffic cannot be evenly load balanced even if the characteristics of the forwarded packets match
the hash mode. In this case, use an enhanced load balancing profile. In addition, an enhanced
load balancing profile needs to be used for transmission of some special packets such as MPLS
packets.
Step 4 Check the number of selected Eth-Trunk member interfaces.
l Assume that the number of Eth-Trunk member interfaces is X. If known or unknown unicast
packets are forwarded and the common load balancing mode is used, traffic is evenly load
balanced when traffic of different characteristics is even, X is an exponential multiple of 2,
and the number of packet changes is an integer multiple of X.
l If load balancing using an enhanced load balancing profile is configured, the port number is
also used in the hash algorithm to achieve even load balancing.
----End
3.2.3 Ping Failure Troubleshooting

3.2.3.1 Ping Overview
3.2.3.2 Ping Failure Troubleshooting
Issue 02 (2015-01-20)

124

Maintenance Guide
3.2.3.1 Ping Overview

The ping command implementation is based on the Internet Control Message Protocol (ICMP).
The source end sends an ICMP Echo Request message to the destination end to check reachability
of the destination end. If the source end receives an ICMP Echo Reply message from the
destination end within a specified period, the destination end is reachable. If the source end does
not receive an ICMP Echo Reply message from the destination end within a specified period,
the destination end is unreachable.
The source end determines the quality of the link to the reachable destination end based on the
number of sent ICMP Echo Request messages and received ICMP Echo Reply messages, and
determines the distance to destination end according to the round-trip time (RTT) of ping packets.
Description of Ping Process

As shown in Figure 3-18, The ping 11.1.1.2 command is executed on PC 1 to ping PC2.
Figure 3-18 Ping process
The ping process is as follows:

1.
The ping program on PC 1 generates an ICMP Echo Request packet.

a.
Issue 02 (2015-01-20)
The ICMP Echo Request packet is transmitted to the IP layer along the protocol stack.
Then the IP header (including the source and destination IP addresses) is encapsulated
into the ICMP Echo Request packet.

125

Maintenance Guide
During encapsulation, the IP layer determines that the source and destination IP
addresses are located on different network segments according to the IP addresses and
masks in the ICMP packet.
b.
The ICMP Echo Request packet is then transmitted to the link layer. The ICMP Echo
Request packet cannot be encapsulated with the Ethernet frame header because the
destination MAC address is unknown.
c.
PC 1 searches for the next hop in the FIB table because the source and destination IP
addresses are located on different network segments.
(1) If the next hop is not found, the IP or MAC address of the next hop cannot be
obtained. Therefore, the ICMP Echo Request packet cannot be encapsulated with the
Ethernet frame header. The ping operation fails.
(2) If the next hop is found, the IP address of the next hop is obtained. However, the
MAC address of the next hop is unknown. PC 1 sends an ARP request packet to request
the MAC address of the next hop.
2.
After the next-hop port a (10.1.1.2/24) of the switch receives the ARP request packet, it
finds that the destination of the ARP request packet is itself. Then port a responds with a
unicast ARP reply packet that contains the MAC address mapping 10.1.1.2/24 to PC 1.
3.
When receiving the ARP reply packet, PC 1 obtains the MAC address of the next hop. Then
PC 1 encapsulates the ICMP Echo Request packet into an Ethernet frame and sends the
Ethernet frame to the switch.
When sending the ARP request packet to the switch, PC 1 has filled the mapping between
its own IP address and MAC address into the packet. The switch fills the address mapping
of PC 1 into the local ARP cache. This improves efficiency of subsequent communication
between the switch and PC 1 and reduces communication data.
4.
After receiving the ICMP Echo Request packet, the switch removes the Ethernet frame
header, and sends the packet to the IP layer. The IP layer finds that the destination
(11.1.1.2/24) is not itself, so it searches the routing table and re-encapsulates the packet.
The switch does not know the destination MAC address (MAC address matching
11.1.1.2/24), so the switch sends a broadcast ARP request packet.
5.
PC 2 receives the ARP request packet and finds that the destination of the packet is itself,
so PC 2 returns a unicast ARP reply packet that contains the MAC address matching
11.1.1.2/24.
In addition, PC 2 records the mapping between the IP address and MAC address of switch's
port b into the local ARP cache.
6.
The switch obtains the MAC address of PC 2 from the ARP reply packet, encapsulates an
Ethernet frame header into the packet, and sends the packet to PC 2.
7.
After receiving the ARP reply packet, PC 2 removes the Ethernet frame header. PC 2 finds
that the packet is an ICMP Echo Request packet, so PC 2 sends an ICMP reply packet to
PC 1. In this ICMP reply packet, the source IP address is PC 2's IP address (11.1.1.2/24)
and the destination IP address is PC 1's IP address (10.1.1.1/24).
Since the source and destination IP addresses are located on different network segments,
PC 2 searches the FIB table for the next hop. The next hop is switch's port b (11.1.1.1/24).
As mentioned in preceding steps, PC 2 has recorded the address mapping of switch's port
b in the ARP cache, so PC 2 does not need to send an ARP request packet to the switch.
Instead, PC 2 obtains the MAC address matching 11.1.1.1/24 from its local ARP cache,
encapsulates the MAC address into the ICMP reply packet, and sends the packet to the
switch.
Issue 02 (2015-01-20)

126

Maintenance Guide
Similarly, the switch does not need to send an ARP request packet to PC 1. It obtains the
MAC address of PC 1 from its local ARP cache, and forwards the ICMP reply packet to
PC 1.
8.
After receiving the ICMP reply packet, PC 1 removes the Ethernet frame header and IP
header to obtain the ICMP reply packet. The ping operation is successful.

Figure 3-19 Ping failure troubleshooting flowchart
Issue 02 (2015-01-20)

127

Maintenance Guide
Step 1 Check the configurations.
Check that the interface, VLAN, VLANIF interface, and IP address configurations on the switch
are correct.
Check that the interfaces at both ends are the same type, both ends use the same VLAN
encapsulation, and IP addresses configured for the VLANIF interfaces are valid.
Step 2 Check the link.
Check the physical link between the two devices and rectify problems (if any) to ensure that the
physical link can work normally.
1.
Ensure that interfaces are correctly connected using an optical fiber or network cable
according to the network deployment plan.
2.
The wavelengths of optical modules used at both ends are consistent. It is recommended
that Huawei-certified optical modules be used.
3.
If the two devices are connected through an Eth-Trunk, ensure that the devices have the
same number of physical Eth-Trunk member interfaces. If Link Aggregation Control
Protocol (LACP) is enabled for the Eth-Trunk, ensure that LACP is stable.
4.
Check whether there is any transmission device between the two devices and whether
interfaces at both devices are in Up state.
5.
Check whether cyclic redundancy check (CRC) errors occur on the physical interfaces
along the transmission path of ping packets, and whether the number of CRC errors
increases continuously.
Check whether the physical interfaces are blocked. Check whether the devices run any Layer 2
protocol such as Spanning Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), and
SmartLink, and determine whether the physical interfaces used to forward ping packets are
blocked by the protocol.
Table 3-14 describes the configuration commands.
Table 3-14 Commands used to check for blocked interfaces
Command
Function
display stp brief
Displays the STP status and brief statistics

information.
display rrpp verbose domain domain-id
Displays the detailed RRPP configuration.
display smart-link group all
Displays status of all SmartLink groups.
Step 3 Check the route.

Check whether there is a reachable route to the destination address.
l If the switch is connected to a terminal, check whether the correct gateway address is
configured on the terminal.
l If the switch is connected to another switch or a router, check whether a correct return route
is available on the peer device.
Issue 02 (2015-01-20)

128

Maintenance Guide
Reference command: display ip routing-table

If no reachable route is available, check whether the protocol status of interfaces is Up and
whether the routing protocol works normally.
Step 4 Check the ARP entry.
l Check whether the switch has learned the ARP entry matching the IP address of the directly
connected device.
The configuration commands are as follows:
display arp
display arp interface vlanif vlanif-id
l If the switch has learned the correct ARP entry, check the corresponding MAC address entry
to ensure that the outbound interface in the MAC address entry is the same as the physical
outbound interface in the ARP entry.
display mac-address mac-address
display mac-address mac-address vlan vlan-id
l If the switch does not learn the ARP entry, rectify the ARP fault as follows:
1.
Check whether strict ARP learning is enabled on the switch. If yes, disable strict ARP
learning and check whether the switch can learn the ARP entry properly.
2.
Run the ping -c command on either of the two ends.

ping -c 100000 ip-address
You can specify the -t or -m parameter to configure a proper rate for sending ping
packets.
3.
When the ping -c command is executed, the local device continuously sends ARP
Request packets. Collect traffic statistics and check whether the local interface sends
ARP Request packets.
4.
Collect traffic statistics and check whether the peer interface receives the ARP Request
packets. If the peer interface receives the ARP Request packets, check whether it
generates the matching ARP entry and returns ARP Reply packets. If the peer interface
receives ARP Request packets but does not generate the ARP entry, contact Huawei
technical support personnel.
5.
Collect traffic statistics and check whether the peer interface returns ARP Reply packets.
If the peer interface does not return ARP Reply packets, contact Huawei technical
support personnel.
6.
Check whether the local interface receives ARP Reply packets. If the local interface
receives ARP Reply packets but does not forward them to the CPU, contact Huawei
technical support personnel.
Table 3-15 describes the procedure for collecting statistics about ARP Request and Reply
packets.
NOTE
The interface number, VLAN ID, and MAC address in the following steps are only used as an example.
Change them according to actual situation.
Issue 02 (2015-01-20)

129

Maintenance Guide
Table 3-15 Procedure for collecting ARP Request and Reply packets
Step
Command
Enter the
system view.
Configure a
traffic
classifier.
1. Run the traffic classifier classifier-name operator command to

create a traffic classifier.
2. Run the if-match l2-protocol arp command to configure a match
clause for ARP packets.
3. Run the if-match source-mac mac-address command to configure a
match clause based on the source MAC address.
4. Run the if-match destination-mac mac-address command to
configure a match clause based on the destination MAC address.
5. Run the if-match vlan-id vlan-id command to configure a match
clause based on the VLAN.
NOTE
In the ARP Request packets, the destination MAC address is FFFF-FFFF-FFFF,
and the source MAC address is the MAC address of the sender.
In the ARP Reply packets, the destination MAC address is the MAC address of
the peer end, and the source MAC address is the MAC address of the local end.
Configure a
traffic
behavior.
1. Run the traffic behavior behavior-name command to create a traffic

behavior.
2. Run the statistic enable command to enable traffic statistics
collection.
Configure a
traffic policy.

policy.
command to associate the traffic classifier with the traffic behavior.
Apply the
traffic policy
to the interface
where traffic
statistics need
to be collected.
1. Run the interfaceinterface-type interface-number command to enter

the view of the interface where traffic statistics need to be collected.
2. Run the traffic-policy policy-name inbound command to apply the
traffic policy to the inbound direction of the interface.
Step 5 Check statistics about sent and received packets.

Find out where ping packets are lost, which is the key to rectifying the ping failure.
l ICMP packet statistics
Issue 02 (2015-01-20)

130

Maintenance Guide
Run the display icmp statistics command to view statistics about ICMP packets. Check
whether the sent and received ICMP Echo and Echo Reply packets consistent and whether
checksum errors exist. You can run the reset ip statistics command to delete traffic statistics.
<HUAWEI> display icmp statistics
Input: bad formats
0
echo
521
source quench
0
echo reply
19
timestamp
0
mask requests
0
time exceeded
0
Mping request
0
Output:echo
19
source quench
0
echo reply
512
timestamp
0
mask requests
0
time exceeded
0
Mping request
0
bad checksum
destination unreachable
redirects
parameter problem
information request
mask replies
timestamp reply
Mping reply
destination unreachable
redirects
parameter problem
information request
mask replies
timestamp reply
Mping reply
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
l IP-layer debugging
Enable IP-layer debugging to check the packets sent and received during a ping operation.
To enable IP-layer debugging, define an ACL to match the source and destination IP
addresses in ping packets.
#
acl number 3333
rule 5 permit icmp source x.x.x.x 0 destination y.y.y.y 0
rule 10 permit icmp source y.y.y.y 0 destination x.x.x.x 0
#
debugging ip packet acl 3333 verbose
The following uses the ping 7.8.20.5 command as an example.

Run the ping 7.8.20.5 command:
PING 7.8.20.5: 56 data bytes, press CTRL_C to break*0.55569503 L3FC-4 IP/7/
debug_case:Sending, interface = Vlanif20, version = 4, headlen = 20, tos =
0,pktlen = 84, pktid = 35000, offset = 0, ttl = 255, protocol = 1,checksum =
64727, s = 7.8.20.4, d = 7.8.20.5prompt: Sending the packet from local at
Vlanif20
45 00 00 54 88 b8 00 00 ff 01 fc d7 07 08 14 04
07 08 14 05 08 00 00 9e ab cf 00 01 03 4f ec 5e
81 00 c0 01 50 49 4e 00 00 00 ff 05 00 01 02 03
04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
24 25 26 27
Reply from 7.8.20.5: bytes=56 Sequence=1 ttl=255 time=2 ms*0.55569603 L3FC-4 IP/
7/debug_case:Receiving, interface = Vlanif20, version = 4, headlen = 20, tos =
0,pktlen = 84, pktid = 44132, offset = 0, ttl = 255, protocol = 1,checksum =
55595, s = 7.8.20.5, d = 7.8.20.4prompt: Receiving IP packet from Vlanif20
45 00 00 54 ac 64 00 00 ff 01 d9 2b 07 08 14 05
07 08 14 04 00 00 0e 9d ab cf 00 01 03 4f ec 5e
81 00 c0 01 50 4e 47 00 00 00 00 02 00 01 02 03
04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
24 25 26 27
l CPCAR statistics
View CPCAR statistics to check whether ICMP packets are dropped because of CPCAR
exceeding. The configuration commands are as follows:
Modular switches of V100R002 and fixed switches of V100R005: display cpu-defend icmp
statistics all
Issue 02 (2015-01-20)

131

Maintenance Guide
Modular switches of V100R003 and later and fixed switches of V100R006 and later: display
cpu-defend statistics packet-type icmp all
Check whether the number of dropped packets is increasing. If so, the rate of ICMP packets
has exceeded the CPCAR and excess ICMP packets are dropped. Increase the CAR value
and perform a ping test again to check whether the fault is rectified. Restore the CAR value
after the fault is rectified.
l Traffic statistics
Configure traffic statistics collection to check the sent and received packets according to
Table 3-16.
Table 3-16 Procedure for configuring traffic statistics collection
Step
Command
Enter the
system view.
Define an
ACL to match
the source and
destination IP
addresses in
ping packets.
1. Run the acl numberacl-number command to create an advanced

ACL.
NOTE
2. Run the rule rule-id permit icmp source source-ip 0 destination

destination-ip 0 command to define an ACL rule to match the ICMP
Echo Request packets.
3. Run the rule rule-id permit icmp source source-ip 0 destination
destination-ip 0 command to define an ACL rule to match the ICMP
Echo Reply packets.
Configure a
traffic
classifier.
1. Run the traffic classifier classifier-name operator command to

create a traffic classifier.
2. Run the if-match acl acl-number command to configure a match
clause based on the configured ACL rules.
Configure a
traffic
behavior.
1. Run the traffic behavior behavior-name command to create a traffic

behavior.
2. Run the statistic enable command to enable traffic statistics
collection.
Configure a
traffic policy.

policy.
command to associate the traffic classifier with the traffic behavior.
Issue 02 (2015-01-20)

132

Maintenance Guide
Step
Command
Apply the
traffic policy
to the interface
where traffic
statistics need
to be collected.
1. Run the interface interface-type interface-number command to enter

the view of the interface where traffic statistics need to be collected.
2. Run the traffic-policy policy-name inbound command to apply the
traffic policy to the inbound direction of the interface.
3. Run the traffic-policy policy-name outbound command to apply the
traffic policy to the outbound direction of the interface.
After the configurations are complete, run the ping command and check traffic statistics.
display traffic policy statistics interface GigabitEthernet 0/0/1 inbound
display traffic policy statistics interface GigabitEthernet 0/0/1 outbound
If the outbound packet counter is 0, the interface does not send packets. If the inbound packet
counter is 0, the interface does not receive reply packets.
NOTE
The S2352-EI, S3300SI, and S3300EI do not support outbound traffic statistics collection an interface.
l Mirroring
If a small amount of traffic is transmitted on the interface, configure port mirroring according
to Table 3-17.
If a large amount of traffic is transmitted on the interface, configure traffic mirroring
according to Table 3-18.
Table 3-17 Procedure for configuring port mirroring
Step
Command
Enter the
system view.
Configure an
observing port.
Run the observe-port port-number interface interface-type interfacenumber command to configure an observing port.
Configure port
mirroring.
1. Run the interface interface-type interface-number command to

enter the view of the mirrored port.
2. Run the port-mirroring to observe-port port-number both
command to copy the packets sent and received on the mirrored port
to the observing port.
Issue 02 (2015-01-20)

133

Maintenance Guide
Table 3-18 Procedure for configuring traffic mirroring

Step
Command
Enter the system

view.
Configure an
observing port.
Run the observe-port port-number interface interface-type

interface-number command to configure an observing port.
Configure an ACL
to define the traffic
to be mirrored.
1. Run the acl numberacl-number command to create an

advanced ACL.
NOTE

match the ICMP Echo Request packets.
match the ICMP Echo Reply packets.
Configure a traffic
classifier.
1. Run the traffic classifier classifier-name operator and

command to create a traffic classifier.
2. Run the if-match acl acl-number command to configure a
match clause based on the configured ACL rules.
Configure a traffic
behavior.
1. Run the traffic behavior behavior-name command to create a

traffic behavior.
2. Run the mirroring observing-port port-id command to mirror
traffic to the observing port.
Configure a traffic
policy.

policy.
command to associate the traffic classifier with the traffic
behavior.
Apply the traffic

policy to the
mirrored interface.
1. Run the interfaceinterface-type interface-number command to

enter the view of the interface where traffic statistics need to be
collected.
2. Run the traffic-policy policy-name inbound command to apply
the traffic policy to the inbound direction of the interface.
3. Run the traffic-policy policy-name outbound command to
apply the traffic policy to the outbound direction of the interface.
Issue 02 (2015-01-20)

134

Maintenance Guide
You can analyze the mirrored packets to check the sent and received packets and check the
VLAN ID, destination MAC address, checksum of the IP header, and ICMP checksum of
the packets.
----End
3.2.4 STP Fault Troubleshooting

3.2.4.2 Fast Convergence Failure on a Port

Table 3-19 describe common commands for locating STP faults.
Command
Description
display current-configuration | include stp
Displays global STP configuration.
display current-configuration interface

interface-type interface-number
Displays the interface configuration.
display stp region-configuration
Displays the multiple spanning tree (MST)

region configuration.
display stp brief
Displays the STP status and brief statistics.
display stp
Displays the STP status and statistics.
display stp tc-bpdu statistics (supported by

modular switches starting from V100R006 and
by fixed switches starting from V100R005)
Displays statistics about TC/TCN packets

on an interface.
display stp topology-change (supported by

modular switches starting from V100R006 and
by fixed switches starting from V100R005)
Issue 02 (2015-01-20)

135

Maintenance Guide
3.2.4.2 Fast Convergence Failure on a Port

Figure 3-20 Flowchart for troubleshooting a fast convergence failure on a port
Issue 02 (2015-01-20)

136

Maintenance Guide
Step 1 Check whether STP is enabled on the remote port.
If a switch port is connected to a terminal or server that does not support STP, run the stp edgedport enable command to configure the switch port as an edge port or run the stp disable
command to disable STP on the switch port. Otherwise, when the cable is removed and
reinstalled, or the shutdown and undo shutdown commands are executed on the port, the remote
port does not send STP bridge protocol data units (BPDUs) to the port. As a result, the port must
wait twice the forward-delay (15 seconds by default) before forwarding packets normally.
If the stp edge-port enable command has been configured on the port, run the display stp
interface command to check whether the edge port configuration becomes ineffective. The edge
port configuration takes effect only when both Config and Active are enabled.
<Quidway> display stp interface GigabitEthernet1/0/1
----[Port43(GigabitEthernet1/0/1)]
[UP]---Port
Protocol
:Enabled
Port Role
Port
:Disabled
Port Priority
128
Port Cost(Dot1T )
:Config=auto /
Active=200000000
Designated Bridge/Port
:32768.4cb1-6c3b-aaf5 /
128.43
Port Edged
:Config=enabled / Active=enabled
When the edge port receives STP BPDUs, the value of Active is changed to disabled and the
port becomes a common STP port. The following log information is recorded:
MSTP/4/EDGE_PORT:Edged-port [port-name] received BPDU packet, then the active state
of the edged-port will be disabled!
Check whether the configuration of the device connected to the port changes or the device
transparently transmits STP BPDUs.
Step 2 Check whether the port works in STP mode.
All STP versions are backward compatible. When a port on a device working in RSTP/MSTP
mode receives STP BPDUs, the port automatically transits to the STP mode.
Run the display stp interface command to check the actual working mode of the port.
<Quidway> display stp interface GigabitEthernet2/0/6
----[Port28(GigabitEthernet2/0/6)][FORWARDING]---Port Protocol
:Enabled
Port Role
:Designated Port
Port Priority
:128
Port Cost(Dot1T )
:Config=auto / Active=20000
Designated Bridge/Port
:32768.0026-0000-9140 / 128.28
Port Edged
:Config=default / Active=disabled
Point-to-point
:Config=auto / Active=true
Transit Limit
:147 packets/s
Protection Type
:None
Port STP Mode
:STP
Port Protocol Type :Config=auto / Active=dot1s
BPDU Encapsulation :Config=stp / Active=stp
Issue 02 (2015-01-20)

137

Maintenance Guide
PortTimes
:Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send
:12
TC or TCN received :5
BPDU Sent
:24
TCN: 0, Config: 24, RST: 0, MST: 0
BPDU Received
:1
The fast port transition mechanism is also called the Proposal/Agreement mechanism. The
traditional STP mode cannot provide the fast transition mechanism. A port must wait twice the
forward-delay (15 seconds by default) to enter the Forwarding state. The device can determine
the type of STP BPDUs sent and received by a port based on the number of BPDUs displayed
in the BPDU Sent and BPDU Received fields.
S series switches support the Proposal/Agreement mechanism in enhanced and common modes.
The enhanced mode is the default mode.
l Enhanced mode: The current port calculates the root port when calculating the
synchronization flag bit.
The upstream device sends a Proposal packet to the downstream device, requesting fast
transition. After receiving the Proposal packet, the downstream device configures the port
connected to the upstream device as a root port and blocks all non-edge ports.
The upstream device then sends an Agreement packet to the downstream device. After
the downstream device receives the Agreement packet, the root port changes to
Forwarding.
The downstream device sends an Agreement packet to the upstream device. After
receiving the Agreement packet, the upstream device configures the port connected to
the downstream device as a designated port. The designated port then enters the
Forwarding state.
l Common mode: The current port does not calculate the root port when calculating the
synchronization flag bit.
An upstream device sends a Proposal packet to a downstream device, requesting fast
transition. After receiving the Proposal packet, the downstream device configures the port
connected to the upstream device as a root port and blocks all non-edge ports. The root
port then enters the Forwarding state.
The downstream device sends an Agreement packet to the upstream device. After
receiving the Agreement packet, the upstream device configures the port connected to
the downstream device as a designated port. The designated port then enters the
Forwarding state.
When an S series switch is connected to an upstream RSTP-enabled switch or a non-Huawei
device, fast transition cannot be performed on the upstream device. Run the stp no-agreementcheck command on the S series switch to avoid the problem.
After the port automatically switches to STP-compatible mode, run the stp mcheck command
on the port to switch the port back to MSTP mode manually in the following situations:
l The switch running STP is powered off or removed.
l The switch running STP is switched to MSTP mode.
NOTE
For two directly connected switching devices in a spanning tree, the switching device closer to the root
bridge is the upstream device of the other switching device.
Issue 02 (2015-01-20)

138

Maintenance Guide
Step 3 Check whether the link type of the port is point-to-point (P2P).
The RSTP/MSTP mode provides the fast transition mechanism. When STP is enabled on both
ends of a link and the link type is P2P, the fast transition mechanism can be implemented on the
ports.
You can run the stp point-to-point command to configure the link type. The link type of a port
is auto by default. That is, RSTP/MSTP checks whether the link of a port is a P2P link. The link
can be a P2P link only when both ends work in full duplex mode.
Run the display interfaceinterface-type interface-number command to check whether the port
works in full duplex mode.
<Quidway> display interface gigabitethernet 2/0/6
GigabitEthernet 2/0/6 current state : UP
Description:
Switch Port, PVID :
1, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9ef4-abcd
Last physical up time
: Last physical down time : 2012-05-24 21:01:26
Current system time: 2012-06-05 18:56:41
Port Mode: COMMON FIBER, Transceiver:
1000_BASE_SX_SFP
Speed : 1000,
Loopback: NONE
Duplex: FULL,
Negotiation: ENABLE
Run the display stp interface command to check the link type of the port.
<Quidway> display stp interface GigabitEthernet 2/0/6
----[CIST][Port14(GigabitEthernet2/0/6)][FORWARDING]---Port Protocol
:enabled
Port Role
:Designated Port
Port Priority
:128
Port Cost(Dot1T )
:Config=auto / Active=20000
Desg. Bridge/Port
:32768.4c1f-cc1f-56b7 / 128.14
Port Edged
:Config=default / Active=disabled
Point-to-point
:Config=auto / Active=true
Transit Limit
:147 packets/hello-time
Protection Type
:None
Port Stp Mode
:MSTP
Port Protocol Type :Config=auto / Active=true
BPDU Encapsulation :Config=stp / Active=stp
PortTimes
:Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send :2
TC or TCN received :0
BPDU Sent
:103219
BPDU Received
:0
In the preceding command output, Config=auto indicates that the configured value is auto, and
Active=true indicates that the link type of the port is P2P.
----End
3.2.5 Mirroring Troubleshooting

3.2.5.1 Mirroring Specifications
3.2.5.2 Mirroring Troubleshooting
Issue 02 (2015-01-20)

139

Maintenance Guide
3.2.5.1 Mirroring Specifications

S9300 Mirroring Specifications
l
A switch supports a maximum of eight observing ports, which can be located on the same
LPU or different LPUs.
Two inbound ports on an E, FA, or S series board can be configured as observing ports,
whereas only one inbound port on an FC or SC series board can be configured as the
observing port. Observing ports can be located on the same LPU or different LPUs.
Only one outbound port on each board can be configured as an observing port. The
observing ports on a switch can be located on the same LPU or different LPUs.
On each E, FA, or S series board, a maximum of two inbound observing ports and one
outbound observing port can be configured. On each FC or SC board, only one inbound
observing port and one outbound observing port can be configured.
Only known unicast packets are mirrored on an outbound port. Unknown unicast packets
are mirrored on an outbound port after being replicated on an inbound port.
S2300/S3300/S5300/S6300 Mirroring Specifications

Table 3-20 S2300/S3300/S5300/S6300 mirroring specifications
Issue 02 (2015-01-20)
Product Model
Number of Inbound and

Outbound Observing
Ports
Number of Mirrored
Ports
S2300SI
One inbound or outbound

port
Not limited
S2300EI

port
Not limited
S3300SI
4|1
Not limited
S3300EI
4|1
Not limited
S3300HI
2|1
Not limited
S5300SI

port
Not limited
S5300EI
4|1
Not limited
S5300HI
2|1
Not limited
S5300LI

port
Not limited
S6300

port
Not limited

140

Maintenance Guide
3.2.5.2 Mirroring Troubleshooting

Common Mirroring Faults
1.
Why Does a PC Fail to Obtain Mirrored Packets after Mirroring Is Configured?

Check whether the switch's interface connected to the PC has transmitted traffic.
<Quidway> display interface GigabitEthernet
1/0/1
GigabitEthernet1/0/1 current state :
DOWN
Line protocol current state : DOWN //Port status
Description:
Switch Port, PVID :
1, TPID : 8100(Hex), The Maximum Frame Length is
9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4cb1-6c3baaf5
Last physical up time
:
Last physical down time : 2013-07-11 19:15:42 UTC
+08:00
Current system time: 2013-08-02 01:18:07
+08:00
Port Mode: COMMON
COPPER
Speed : 1000,
NONE
Loopback:
Duplex: FULL,
ENABLE
Negotiation:
Mdi
: AUTO,
DISABLE
Flow-control:
Last 300 seconds input rate 0 bits/sec, 0 packets/

sec
statistics
Input peak rate 0 bits/sec, Record time:
Output peak rate 0 bits/sec, Record time: -
//Outbound traffic
If the interface connected to the PC has transmitted traffic, the problem may be caused by
the PC's settings.
(a)If the mirrored packets have oversized frames, check whether the network adapter of the
PC is enabled to process oversized frames, as shown below. The settings of the network
adapters from different vendors may be different.
Issue 02 (2015-01-20)

141

Maintenance Guide
Figure 3-21 Network adapter settings
(b)The network adapter may have other settings that block mirrored packets; therefore, use
another PC to obtain mirrored packets.
2.
Why Are the Mirrored Packets Untagged?
If the mirrored packets have lost VLAN tags, the PC may remove the VLAN tags from received
packets, so the packets received by Ethereal are untagged. Modify the registry to configure the
PC to conserve the VLAN tags.
Mirroring Use Precautions

l
Port mirroring
1.
The traffic rate on the mirrored ports cannot exceed the bandwidth supported by the
observing ports.
2.
Observing ports are only used for fault location or traffic analysis and cannot be used
as service ports.
3.
On a switch, the mirrored packets cannot be mirrored again.
4.
Some PCs cannot process double-tagged packets. Use a PC that supports doubletagged packets or configure the switch to remove one tag from the packets before the
switch mirrors packets.
Remote port mirroring

1.
Issue 02 (2015-01-20)
2.
The packets mirrored to Layer 3 remote observing ports have GRE headers, so they
cannot be resolved by Wireshark.
3.
For Layer 3 port mirroring, a reachable Layer 3 route must be available. For Layer 2
port mirroring, communication between the Layer 2 networks must be normal.
4.
The Layer 2 remote mirrored VLAN is only used for mirroring. Disable MAC address
learning for the VLAN.
5.
On the transit node, the mirrored VLAN ID must be the same as the PVID, and the
same as the VLAN IDs specified in port trunk allow-pass vlan vlan-id and port
hybrid tagged vlan vlan-id.

142

Maintenance Guide
Instruction for Locating the Mirroring Problems

1.
Check whether the mirroring function is correctly configured on the switch.
2.
Check whether the number of observing ports exceeds the upper limit.
3.
Check whether any item in the use precautions is violated.
4.
If a remote observing port cannot obtain the mirrored packets, check whether the devices
located between the observing port and observing device have lost packets.
5.
If traffic mirroring does not take effect, run the display acl resource [ slot slot-id ]
command to check ACL resource usage.
3.2.6 Multicast Troubleshooting

3.2.6.1 Layer 2 Multicast Troubleshooting

Layer 2 multicast is enabled on a switch. The switch cannot generate Layer 2 multicast entries
or forwarding entries are unstable under the impact of improper configurations, networking
environment, or peer device. As a result, multicast data cannot be correctly forwarded.
Issue 02 (2015-01-20)

143

Maintenance Guide
Figure 3-22 Layer 2 multicast troubleshooting flowchart
Step 1 Enable IGMP snooping debugging to check whether the switch can receive multicast packets.
1.
Enable report debugging of ICMP snooping to check whether the switch can receive the
report messages from multicast groups.
<HUAWEI> debugging igmp-snooping report
l If the switch does not receive report messages, check whether the PCs work normally.
l If the switch has received report messages, check and analyze the debugging
information.
2.
Issue 02 (2015-01-20)
Enable query debugging of ICMP snooping to check whether the switch can receive the
query messages from multicast groups.
144

Maintenance Guide
<HUAWEI> debugging igmp-snooping query
l If the switch does not receive query messages, check whether the PCs work normally.
l If the switch has received query messages, check and analyze the debugging
information.
Step 2 Check the IGMP Packet Exchange Process between upstream and downstream devices by
mirroring the packets. Check whether the packet format is correct. If the packet format is
incorrect, change the destination MAC and IP addresses of the packets to multicast addresses.
Step 3 If IGMP packet version is incompatible with the switch's software version, modify the
configurations on upstream and downstream devices to ensure consistent IGMP versions.
Step 4 The switch receives ICMPv2 packets from network segment 232, so run the igmp-snooping
ssm-policy basic-acl-number command to exclude network segment 232 from the SSM range.
Step 5 If Layer 3 multicast is enabled on the VLANIF interface corresponding to the VLAN with Layer
2 multicast enabled, Layer 2 multicast entries can be generated but hardware entries are not
delivered. As a result, multicast data cannot be forwarded. If you do not need the Layer 3
multicast function, delete the Layer 3 multicast configuration.
If the fault persists, collect information and contact Huawei technical support personnel.
----End

Layer 3 multicast is enabled on a switch. The switch cannot generate Layer 3 multicast entries
or forwarding entries are unstable under the impact of improper configurations, networking
environment, or peer device. As a result, multicast data cannot be correctly forwarded.
Issue 02 (2015-01-20)

145

Maintenance Guide
Figure 3-23 Layer 3 multicast troubleshooting flowchart
Step 1 Check whether the corresponding multicast entry exists on the device.
<HUAWEI> display igmp group X.X.X.X
If the entry does not exist, enable report debugging of IGMP snooping to check whether the
switch can receive the report messages of the corresponding multicast group.
<HUAWEI> debugging igmp-snooping report
l If the switch does not receive report messages, check whether the PCs work normally.
l If the device has received report messages, go to Step 2.
Issue 02 (2015-01-20)

146

Maintenance Guide
Step 2 Check whether RP information exists on the DR.

<HUAWEI> display pim rp-info
l If the RP information does not exist, check whether BSR and RP are correctly configured on
the device.
l If the RP information exists, go to Step 3.
Step 3 Check whether there is a reachable route to the RP.
<HUAWEI> display ip routing-table X.X.X.X
l If a reachable route to the RP does not exist, check whether the device with RP configured
has advertised a route to the RP or whether a static route is configured from the device to the
RP.
l If the route exists, go to Step 4.
Step 4 View PIM routing entries to check whether the (S, G) entry is generated.
<HUAWEI> display pim routing-table X.X.X.X fsm
l If the (S, G) entry is not generated, multicast packets are not received by the switch or is
received by an incorrect inbound interface.
Configure traffic statistics collection to check whether packets are received by the switch. If
the packets are received by the switch, multicast packets may be received by an incorrect
inbound interface. Check whether entries cannot be created because of an RPF check failure.
<HUAWEI> display multicast rpf-info X.X.X.X
l If the entries are created, go to Step 5.

Step 5 Check whether packet sending and receiving configurations are correct.
Check whether the packet TTL is 1 and whether multicast group address belongs to the SSM
range (network segment 232). In addition, check whether the RP serves a specified range of
multicast group addresses. For example, check whether the group-policy basic-acl-number
parameter has been specified when the c-rp command is executed in the PIM view. If this
parameter is specified, the device has specified the served multicast group address range when
notifying the BSR of the candidate RP.
l If the configurations are incorrect, modify the configurations.
l If the configurations are correct, go to Step 6.
Step 6 Check whether multicast entries contain outbound interface information.
<HUAWEI> display multicast forwarding-table X.X.X.X
If the multicast entries do not contain outbound interface information, collect information and
contact Huawei technical support personnel.
----End
3.2.7 VRRP Service Troubleshooting

3.2.7.1 Multiple Master Switches Exist After VRRP Is Configured
3.2.7.2 Downstream Device Cannot Ping the VRRP Virtual IP Address
Issue 02 (2015-01-20)

147

Maintenance Guide
3.2.7.1 Multiple Master Switches Exist After VRRP Is Configured

Fault Description
According to the output of the display vrrp command executed on each switch in the VRRP
group, multiple switches are in master state.
The VRRP group status of SwitchA is Master.
<SwitchA> display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES
Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
The VRRP group status of SwitchB is Master.

<SwitchB> display vrrp
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 100
Preempt : YES
Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Issue 02 (2015-01-20)

148

Maintenance Guide
Figure 3-24 Flowchart for troubleshooting the problem of multiple master switches
Step 1 Check whether VRRP-enabled switches receive heartbeat packets.
Run the display vrrp statistics command to check VRRP packet statistics. Check whether the
VRRP-enabled switches receive heartbeat packets.
<SwitchA> display vrrp statistics
Checksum errors : 0
Version errors : 0
Vrid errors : 0
Vlanif45 | virtual router 45
Transited to master : 0
Received advertisements : 7
Advertisement interval errors : 0
Failed to authentication check : 0
Received ip ttl errors : 0
Received packets with priority zero : 0
Sent packets with priority zero : 0
Received invalid type packets : 0
Received unmatched address list packets : 0
Unknown authentication type packets : 0
Mismatched authentication type : 0
Packet length errors : 0
Discarded packets since track admin-vrrp : 0
If the VRRP-enabled switches receive the heartbeat packets, check whether the VRID of the
VRRP group, the IP addresses of interfaces and virtual IP addresses, and the interval for sending
VRRP Advertisement packets are correct.
Issue 02 (2015-01-20)

149

Maintenance Guide
<SwitchA> display vrrp

State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
Preempt : YES
Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
If the VRRP-enabled switches do not receive the heartbeat packets, go to step 2.

Step 2 Check whether the VRRP-enabled switches can be pinged.
Ping the remote interface's IP address. If the ping operation fails, rectify the fault according to
3.2.3 Ping Failure Troubleshooting. If the fault persists, contact Huawei technical support
personnel. If the ping operation succeeds, go to step 3.
Step 3 Check whether the statistics about sent and received VRRP packets at the bottom layer are
normal.
In V100R002/V100R003, run the display cpu-defend vrrp statistics command to check
statistics about VRRP packets.
<SwitchA> display cpu-defend vrrp statistics slot 1
CPCAR on slot 1
----------------------------------------------------------------------------------------Packet Type
Pass(Bytes) Drop(Bytes)
Pass(Packets)
Drop(Packets)
vrrp
612
N/A
9
0
------------------------------------------------------------------------------------------
In V100R006/V200R001/V200R002, run the display cpu-defend statistics packet-type

vrrp command to check statistics about VRRP packets.
<SwitchA> display cpu-defend statistics packet-type vrrp slot 3
Statistics on slot 3:
------------------------------------------------------------------------------------Packet Type
Pass(Packets)
Drop(Packets)
------------------------------------------------------------------------------------vrrp
0
0
0
0
-------------------------------------------------------------------------------------
V200R003/V200R005:
<SwitchA> display cpu-defend statistics packet-type vrrp slot 3
-------------------------------------------------------------------------------Packet Type
Pass(Packet/Byte)
Drop(Packet/Byte) Last-dropping-time
-------------------------------------------------------------------------------vrrp
0
0
-
Issue 02 (2015-01-20)

150

Maintenance Guide
Run the preceding command multiple times, if the value of Pass increases, the statistics about
VRRP packets is normal. If the fault persists, contact Huawei technical support personnel.
Run the preceding command multiple times, if the value of Pass does not increase, the statistics
about VRRP packets is abnormal. Contact Huawei technical support personnel.
----End
3.2.7.2 Downstream Device Cannot Ping the VRRP Virtual IP Address

Fault Description
On a VRRP network, a downstream device cannot ping the virtual IP address of a VRRP group.
Figure 1 shows the flowchart for troubleshooting the fault that a downstream device cannot ping
the VRRP virtual IP address.
Figure 3-25 Flowchart for troubleshooting the failure to ping the VRRP virtual IP address
Locate the fault by using methods in 3.2.3.2 Ping Failure Troubleshooting.
Issue 02 (2015-01-20)

151

Maintenance Guide
Step 1 Check whether the ping to a virtual IP address is enabled on the device.
By default, the ping to a virtual IP address is disabled on the S2300&S3300&S5300 series
switches of V100R003C00SPC301 and enabled on other models and versions. Table 3-21
describes commands for configuring the ping to a virtual IP address.
Table 3-21 Commands for configuring the ping to a virtual IP address
Model and Version
Commands
S2300&S3300&S5300 V100R003C00SPC301
vrrp vrid x accept-mode enable

undo vrrp vrid x accept-mode enable
Other models and versions
vrrp virtual-ip ping enable

undo vrrp virtual-ip ping enable
Run the display current-configuration command in any view on the master to check whether
the ping to a virtual IP address is enabled. If the ping function is enabled, go to step 2. If the
ping function is not enabled, enable the function and ping the virtual IP address again. If the
ping operation still fails, go to step 2.
Step 2 Check whether the downstream device learns the ARP entry matching the virtual MAC address
and virtual IP address of the VRRP group.
The virtual MAC address and virtual IP address are the destination MAC address and destination
IP address of the packets sent by the downstream device; therefore, the downstream device must
correctly learn them. If the downstream device is a PC, run the arp -a command in the Windows
environment. If the downstream device is also a switch, locate the ARP fault by referring to
3.2.3.2 Ping Failure TroubleshootingStep 4.
NOTE
After an active/standby switchover occurs, the new master sends a gratuitous ARP packet.
Step 3 Check whether devices in the VRRP group can ping each other.
If devices in the VRRP group cannot ping each other, locate the fault by referring to 3.2.3.2 Ping
Failure Troubleshooting.
Step 4 Collect information and contact Huawei technical support personnel.
----End
3.2.8 Layer 2 Loop Troubleshooting

3.2.8.1 Loop Location
3.2.8.2 Fast Loop Removal
Issue 02 (2015-01-20)

152

Maintenance Guide
3.2.8.1 Loop Location

Fault Location Flowchart
If a network fault such as a Layer 2 loop occurs, data storms occur on interfaces and MAC
address flapping frequently occurs. You can locate whether a loop occurs on nodes along the
backbone link according to Figure 3-26.
Figure 3-26 Loop location flowchart
Procedure
Step 1 Check whether data storms occur on the interfaces.
Run the display interface brief command to check traffic on all interfaces. If values of InUti
and OutUti of an interface gradually increase to the interface rate limit, a loop occurs on the
interface.
First query:
<Quidway> display interface Ethernet brief | include up
PHY: Physical
(l): loopback
(b): BFD down
Interface
Issue 02 (2015-01-20)
PHY
Auto-Neg Duplex Bandwidth InUti OutUti

Trunk
153

Maintenance Guide
MEth0/0/1
up
up
up
up
enable
full
enable
full
enable
full
enable
half
100M 0% 0.01%
-1000M 0.56% 0.56%
1000M 0.56% 0.56%
100M 0.01% 0.01% --
1
1
Last query:
<Quidway> display interface Ethernet brief | include up
PHY: Physical
(l): loopback
(b): BFD down
Interface
MEth0/0/1
PHY
up
up
up
up
Auto-Neg Duplex Bandwidth InUti OutUti

Trunk
enable
full
100M 0% 0.01%
-enable
full
1000M 76% 76%
1
enable
full
1000M 76% 76%
1
enable
half
100M 0.01% 0.01% --
Compare the queried current network traffic with the service traffic when network services are
normal. You can obtain the service traffic bandwidth from the network monitoring diagram.
First query:
l If the current network traffic is much larger than normal service traffic, a Layer 2 loop may
occur.
l If the current network traffic is normal and broadcast storm suppression is not deployed, no
Layer 2 loop occurs.
l If the current network traffic is larger than normal service traffic and broadcast storm
suppression is deployed, go to Step 2.
In addition, you can check the loop based on the number of interfaces that have a large amount
of traffic as well as the outbound and inbound traffic on the interface as follows:
l If only one interface on a device has a large amount of inbound and outbound traffic, a loop
may occur on this interface.
l If two interfaces on a device have a large amount of traffic, a loop may occur between the
two interfaces.
l If an interface has only inbound or outbound traffic, a loop may occur on the upstream or
downstream device of the interface.
Step 2 Check whether MAC address flapping occurs.
MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN. The MAC address entry learned later overwrites the earlier one.
MAC address flapping may be caused by a network loop or a network attack from unauthorized
users.
As shown in Figure 3-27, when SwitchA sends packets in two directions simultaneously, two
interfaces on SwitchB receive the packets. If MAC address flapping occurs on the two interfaces
of SwitchB, a loop may occur on the two interfaces.
Issue 02 (2015-01-20)

154

Maintenance Guide
Figure 3-27 MAC address flapping
By default, fixed and modular switches of all versions support MAC address flapping prevention
configurations including alarm generation and interface blocking upon MAC address flapping.
MAC address flapping detection commands and alarms differ for fixed and modular switches
of different versions.
l Modular switches
In V100R002, the switch supports global MAC address flapping detection on all LPUs except
the S series. When global detection is enabled, the switch can only send trap messages when
MAC address flapping is detected.
flapping detection.
Compared with V100R002, V100R003 and later versions support VLAN-based MAC
In V100R003 and later versions, run either of the following commands to enable MAC
address flapping detection:
loop-detect eth-loop alarm-only in the system view
loop-detect eth-loop alarm-only in the VLAN view
By default, global MAC address flapping detection is disabled in 100R003 and enabled in
V100R006 and later versions.
Issue 02 (2015-01-20)

155

Maintenance Guide
Table 3-22 MAC address flapping detection traps on modular switches of different versions
Version
Trap Information
V100R002
Global
detection
L2IF/4/MAC_FLAPPING_ALARM:OID
flap value . (BaseTrapSeverity=0, BaseTrapProbableCause=0, BaseTrapEventType=4, L2IfPort=549,entPhysicalIndex=1, MacAdd=0000-0000-002b,vlanid=1001,
FormerIfDescName=Ethernet3/0/2,CurrentIfDescName=
Ethernet3/0/3,DeviceName=S9306-169)
VLANbased
detection
Not supported.
Global
detection
flap value . (L2IfPort=0,entPhysicalIndex=0,
BaseTrapEventType=1, MacAdd=00e0fc00-4447,vlanid=1001,
FormerIfDescName=GigabitEthernet6/0/6,CurrentIfDesc
Name=GigabitEthernet6/0/7,DeviceName=9306-222.159)
VLANbased
detection
1.3.6.1.4.1.2011.5.25.160.3.7 Loop exist in vlan 1001, for
mac-flapping.
Global
detection
BaseTrapEventType=1, MacAdd=0025-9e6e-1c55,vlanid=1001,
FormerIfDescName=GigabitEthernet2/1/23,CurrentIfDes
cName=GigabitEthernet2/1/22,DeviceName=9303-222.157)
VLANbased
detection
1.3.6.1.4.1.2011.5.25.160.3.7 Loop exists in vlan 1001, for
flapping mac-address 0025-9e6e-1c55 between port
GE2/1/23 and port GE2/1/22.
loop-detect
eth-loop
1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has
BaseTrapEventType=1,
MacAdd=0000-0000-0050,vlanid=10,FormerIfDescNam
e=GigabitEthernet6/0/0,CurrentIfDescName=GigabitEth
ernet6/0/23,DeviceName=S9312_106)
V100R003
V100R006
V200R001,
V200R002,
and
V200R003
Issue 02 (2015-01-20)

156

Maintenance Guide
Version
Trap Information
MAC
address
flapping
detection
L2IFPPI/4/
MFLPVLANALARM:OID1.3.6.1.4.1.2011.5.25.160.3.7
MAC move detected, VlanId = 10, MacAddress =
0000-0000-0050, Original-Port = GE6/0/0, Flapping port
= GE6/0/23. Please check the network accessed to flapping
port.
l Fixed switches
Fixed switches (excluding the S2300 series) of V100R003 and later do not support global
Table 3-23 MAC address flapping detection traps on fixed switches of different versions
Version
Trap Information
V100R003
L2IF/4/MFLPPORTRESUME:OID 1.3.6.1.4.1.2011.5.25.160.3.7 Loop

exist in vlan for
(hwMflpVlanId:"[1001]";hwMflpVlanCfgAlarmReason:"[for flapping
mac-address 0000-0000-002b between port GE0/0/24 and port
GE0/0/23]")
V100R005
V100R006
V200R001,
V200R002,
and
V200R003
1.3.6.1.4.1.2011.5.25.160.3.7MAC move detected, VlanId = 1001,
flapping mac-address 0000-0000-002b between port GE0/0/24 and port
GE0/0/23. Please check the network accessed to flapping port.
Step 3 Configure loop detection (LDT) or loopback detection (LBDT).

Modular and fixed switches support LDT and LBDT.
l LDT
Only modular switches support LDT.
Issue 02 (2015-01-20)

157

Maintenance Guide
When LDT is configured on an interface of a modular switch, the switch sends LDT packets
to detect loops in the LDT-enabled VLAN that the interface belongs to. If the switch receives
the LDT packets sent by itself, a loop occurs on the network.
LDT on a modular switch can detect loops in the following scenarios:
1.
A switch interface receives LDT packets sent by itself.
2.
A switch interface receives LDT packets sent by another interface.
From V200R002, the port-quitvlan action is added in the loop-detection mode { port-trap
| port-blocking | port-nolearning | port-shutdown | port-quitvlan } command.
After LDT is enabled, you can run the display loop-detection command to check the LDT
status.
<Quidway> display loop-detection
Loop Detection is enable.
Detection interval time is 5 seconds.
Following vlans enable loop-detection:
vlan 556
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
NULL
Following ports are nolearning for loop:
NULL
Run the display loop-detection interface command to check the status of a specified LDTenabled interface.
<Quidway> display loop-detection interface gigabitethernet 1/0/0
The port is enable.
The port's status list:
Status
WorkMode
Recovery-time
EnabledVLAN
----------------------------------------------------------------------Normal
Shutdown
200
556
Table 3-24 describes examples of LDT alarms.

Table 3-24 LDT alarms on modular switches
Issue 02 (2015-01-20)
Vers
ion
Alarm
V100
R002
LDT/4/DetectLoop:OID: 1.3.6.1.4.1.2011.5.25.174.3.1 InterfaceIndex: 12

InterfaceName: Ethernet3/0/1 VlanListLow: VlanListHigh:, The port detected
loop!
V100
R003
LDT/4/DetectLoop:OID: 1.3.6.1.4.1.2011.5.25.174.3.1 InterfaceIndex: 7

InterfaceName: GigabitEthernet6/0/1 VlanListLow: 1000 VlanListHigh: none,
The port detected loop!
V100
R006
LDT/4/DetectLoop:OID: 1.3.6.1.4.1.2011.5.25.174.3.1 The port detected loop.

(InterfaceIndex: 14 InterfaceName: GigabitEthernet1/0/1 VlanListLow: 1000
VlanListHigh: none)
V200
R001
to
V200
R003
LDT/4/DETECTLOOP:OID 1.3.6.1.4.1.2011.5.25.174.3.1 The port detected

loop. (InterfaceIndex: 87 InterfaceName: Ethernet1/0/10 VlanListLow: 10
VlanListHigh: none)

158

Maintenance Guide
l LBDT
Fixed switches of all versions and modular switches of V200R001 and later versions support
LBDT.
When LBDT is configured on a switch interface, the switch sends an untagged packet and a
packet with a specified VLAN tag to detect loops. Before V200R003, LBDT detects loops
only on interfaces that receive LBDT packets sent by themselves. From V200R003, LBDT
also detects loops in scenarios where an interface receives LBDT packets sent by another
interface on the local device. From V200R002, the quitvlan action is added.
From V200R002, the quitvlan action is added in the loopback-detect action { block |
nolearn | shutdown | trap | quitvlan } command.
When LBDT is enabled, you can run the display loopback-detect command to check the
LBDT configuration and status of LBDT-enabled interfaces.
<Quidway> display loopback-detect
Loopback-detect is enabled in the system view
Loopback-detect interval: 30
Loopback-deteck sending-packet interval: 5
Interface
ProtocolID RecoverTime
Action
Status
------------------------------------------------------------------------------GigabitEthernet0/0/2
602
30
block
NORMAL
Table 3-25 describes examples of LBDT alarms.

Table 3-25 LBDT alarms on switches of different versions
Version
Alarm Information
V100R003
LDT/4/Porttrap:OID 1.3.6.1.4.1.2011.5.25.174.3.3Loopback does exist on

interface(27)GigabitEthernet0/0/22 ( VLAN 1000 ) , loopback detect status:
2.(1:normal; 2:block; 3:shutdown; 4:trap; 5:nolearn)
V100R006
LDT/4/Porttrap:OID 1.3.6.1.4.1.2011.5.25.174.3.3Loopback does exist on

interface(27)GigabitEthernet0/0/22 ( VLAN 1000 ) , loopback detect status:
2.(1:normal; 2:block; 3:shutdown; 4:trap; 5:nolearn)
V200R001
to
V200R003
LBDT/4/PORTTRAP:OID 1.3.6.1.4.1.2011.5.25.174.3.3 Loopback does

exist on interface(97)XGigabitEthernet1/0/44 ( VLAN 1000 ) , loopback
detect status: 3.(1:normal; 2:block; 3:shutdown; 4:trap; 5:nolearn;
6:quitvlan)
----End
3.2.8.2 Fast Loop Removal

A loop on an Ethernet network leads to a data storm in a short period of time. When traffic on
an interface reaches the maximum load, link congestion may occur, affecting services on the
Ethernet network. After a loop occurs on the Ethernet network, perform the following operations
to remove the loop:
Step 1 Obtain the network topology and locate the loop.
Issue 02 (2015-01-20)

159

Maintenance Guide
A ring network topology is complex. Obtain the overall network topology, VLAN plan, device
name, system MAC address, management IP address, local interface name, and remote interface
name.
Complete topology information helps remove loops. If no topology is available, manually draw
a complete topology by starting from the device where the loop is detected and recording device,
interface, and VLAN information of each hop.
For details about how to locate a loop, see 3.2.8.1 Loop Location.
Step 2 Manually remove the loop.
Manual loop removal is required when a network storm seriously affects services and services
need to be restored as soon as possible.
NOTICE
Ensure that manual loop removal does not affect the devices, interfaces, or VLANs along the
remote Telnet path; otherwise, you cannot log in to the device through Telnet.
You can manually remove a loop using one of the following methods:
l Remove an interface from the VLAN where the loop is detected.
This method has the minimum impact on the network. Table 3-26 describes the commands
used on interfaces of different types.
Table 3-26 Removing an interface from a VLAN
Interface
Type
Command
Remarks
Access
undo port default vlan
This command may affect

downstream services.
Trunk
undo port trunk allow-pass vlan id
None.
Hybrid
undo port hybrid vlan id
Tagged and untagged packets are

not distinguished.
l Shut down the physical interface where the loop occurs.

This method can be used to remove a loop.
Ensure that packets from all VLANs can pass through the device on which the interface is
shut down.
l Remove the optical fiber where the loop occurs.
This method can be used to remove a loop.
This method is similar to shutting down the interface where the loop occurs, and is used only
when you cannot log in to the device.
Step 3 Check whether services are restored.
Issue 02 (2015-01-20)

160

Maintenance Guide
Verify network connectivity through the ping operation and check whether services are
recovered.
In ring topology where redundant links and configurations exist, services will be automatically
restored after loops are removed, unless in special scenarios.
----End
3.2.9 dot1x Troubleshooting

3.2.9.1 dot1x Feature Description
3.2.9.2 dot1x Authentication Troubleshooting
3.2.9.1 dot1x Feature Description

dot1x is 802.1x. When performing 802.1x authentication for an access user, a switch exchanges
EAP packets with the user terminal and RADIUS server. The switch exchanges EAP packets
with the RADIUS server in either of the following ways:
l
EAP termination (pap or chap): The device directly parses EAP packets, encapsulates user
authentication information into a RADIUS packet, and sends the packet to the RADIUS
server for authentication.
EAP relay (eap): The device encapsulates EAP packets into RADIUS packets and sends
the packets to the RADIUS server for authentication.
Which method is used depends on the packet processing capability of the RADIUS server.
l
If the RADIUS server has a high performance to resolve a large number of EAP packets
and perform authentication, the EAP relay method can be used.
If the RADIUS server has an insufficient performance, the EAP termination method is
recommended. In this mode, EAP packets are resolved by the device.
To set the 802.1x authentication method, run the dot1x authentication-method { chap | pap |
eap } command in the system, interface, or port group view.
By default, CHAP is used for global 802.1x authentication. The authentication method of the
interface-based 802.1x authentication is the same as that of global 802.1x authentication.
3.2.9.2 dot1x Authentication Troubleshooting

Users fail dot1x authentication. Rectify the fault according to Figure 3-28.
Issue 02 (2015-01-20)

161

Maintenance Guide
Figure 3-28 dot1x authentication troubleshooting flowchart
Procedure
Step 1 Check whether the RADIUS server template is correctly configured on the switch.
l The RADIUS server address and port number must be correctly set.
l The shared key of the RADIUS server must be the same as that configured on the RADIUS
server.
Step 2 Run the display dot1x command to check whether dot1x authentication is enabled in the system
view and interface view.
Issue 02 (2015-01-20)

162

Maintenance Guide
Step 3 Run the ping command to check whether a reachable route exists between the switch and the
RADIUS server.
Step 4 Check whether the user name entered during authentication is the same as that configured on
the RADIUS server.
Step 5 Run the display radius-server configuration [ template template-name ] command to check
whether the user name sent to the RADIUS server carries a domain name and whether the
configuration is the same as that on the RADIUS server.
l If the RADIUS server does not accept the user names carrying domain names, run the undo
radius-server user-name domain-included command in the RADIUS server template view
to configure the switch not to add domain names to the user names.
l If the RADIUS server accepts the user names carrying domain names, run the radius-server
user-name domain-included command in the RADIUS server template view to configure
the switch to add domain names to the user names.
By default, the switch does not modify the user name entered by the user in the packets sent to
the RADIUS server.
Step 6 Enable debugging functions to check whether each module works normally during
authentication. If any module does not work normally, collect the debugging information and
contact Huawei technical support personnel.
<HUAWEI> terminal monitor //Enable information display for terminals.
<HUAWEI> debugging dot1x all //Enable EAPOL module debugging.
<HUAWEI> debugging dot1x packet
<HUAWEI> debugging radius packet //Enable RADIUS module debugging.
[HUAWEI] diagnose
[HUAWEI-diagnose] debugging ucm all //Enable UCM module debugging.
[HUAWEI-diagnose] debugging aaa all //Enable AAA module debugging.
The following is the debugging information for a normal authentication process:

Received EAPoL_start packet //If the client initiates the authentication request, the switch
receives an EAPoL_start packet first.
*0.12842010 GZB_2352 EAP/7/debug:
EAPoL Event: index 37,
Send connect request message successfully
*0.12842140 GZB_2352 EAP/7/debug:
Create wait connect response timer successfully
*0.12842280 GZB_2352 EAP/7/debug:
Enter INITIAL status
*0.12842390 GZB_2352 UCM/7/DebugInfo:
[UCM DBG]MSG Recv From:EAPOL Code:EAPOL_CM_CIB_REQ Event:CONN_REQ Src:
37 Dst:4
294967295
Issue 02 (2015-01-20)

163

Maintenance Guide

[UCM DBG]AccessType:13 If:1282 Vlan:1 IP:255.255.255.255 Mac:001e-90af-07f5
[UCM State]Cib:37 Event:CONN_REQ State From IDLE BUTT To ALLOC BUTT
[UCM DBG]MSG Send To:EAPOL Code:CM_EAPOL_CIB_ACK Src:37 Dst:37
[UCM DBG]Result:0 Server:ffffffff Gate:ffffffff
*0.12843160 GZB_2352 EAP/7/debug:
EAPoL Message: EAP index 37, CM index 37,
Received CIB request ack message
*0.12843300 GZB_2352 EAP/7/debug:
EAPOL packet: OUT
88 8e 01 00 00 05 01 dc 00 05 01
*0.12843420 GZB_2352 EAP/7/debug:
Send EAP_request/identity packet to user successfully //After receiving the EAPoL_start packet,
the switch sends an EAP_request/identity packet to the client, asking the user to enter the user
name and password.
*0.12843570 GZB_2352 EAP/7/debug:
Send EAP_request/identity packet to user successfully
*0.12843720 GZB_2352 EAP/7/debug:
Create wait user response timer successfully
*0.12843860 GZB_2352 EAP/7/debug:
Enter CONNECTING status
*0.12843970 GZB_2352 EAP/7/debug:
EAPOL packet: IN
88 8e 01 00 00 0e 02 dc 00 0e 01 74 65 73 74 40
74 65 73 74 // Content of the response packet received by the EAPOL module.
*0.12844130 GZB_2352 EAP/7/debug:
Issue 02 (2015-01-20)

164

Maintenance Guide

Received user response packet
*0.12844250 GZB_2352 EAP/7/debug:
Send authentication request message successfully
*0.12844390 GZB_2352 EAP/7/debug:
Send authentication request to server successfully//EAPOLThe switch sends the response packet
from the client to the UCM module.
*0.12844670 GZB_2352 EAP/7/debug:
Create wait authentication response timer successfully
*0.12844820 GZB_2352 EAP/7/debug:
Enter RESPONSE status
[UCM DBG]MSG Recv From:EAPOL Code:EAPOL_CM_AUTH_REQ Event:AUTH_REQ
Src:37 Dst:
37
[UCM State]Cib:37 Event:AUTH_REQ State From ALLOC BUTT To AUTH BUTT
[UCM DBG]MSG Send To:AAA Code:UCM_AAA_AUTH_REQ Src:37 Dst:37
[UCM DBG]UserName:
*0.12845400 GZB_2352 AAA/7/AAADBG:
[AAA debug] Code: UCM->AAA authen request UserID: 37
*0.12845520 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Event AAA_MAIN->AAA_AUTHEN:EAPEndAuthenReq //The AAA module terminates the
EAP response packet from the client, generates a private key, and sends the private key to the
client through a challenge packet. (Termination process: The switch sends a randomly generated
private key to the client, and the client uses this key to encrypt the password. When receiving
the password from the client, the authentication device sends the private key, user name,
Issue 02 (2015-01-20)

165

Maintenance Guide
password, and encrypted password to the RADIUS server. The RADIUS server uses the key to
encrypt the password and compares the password with the received password.)
CID=37
Action=NullAction
*0.12845680 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Result=SUCCESS
FSM:
AuthenState=AuthenIdle
AcctState=AcctIdle
AuthorState=AuthorIdle ELAState=ELAIdle
*0.12845890 GZB_2352 AAA/7/AAADBG:
[AAA debug] Code: AAA->UCM authen ack UserID: 37
[UCM DBG]MSG Recv From:AAA Code:AAA_UCM_AUTH_ACK
Event:AUTH_CHALLENGE Src:37 D
st:37
[UCM DBG]Result:2 ReAlloc:0 Portal:0 Padm:0 Ip:0 AuthorCmdFlag:0
[UCM DBG]MSG Send To:EAPOL Code:CM_EAPOL_AUTH_ACK Src:37 Dst:37
[UCM DBG]Result:2
*0.12846480 GZB_2352 EAP/7/debug:
Received challenge message from server//The EAPOL module receives a challenge packet from
AAA.
*0.12846690 GZB_2352 EAP/7/debug:
EAPOL packet: OUT
88 8e 01 00 00 16 01 dd 00 16 04 10 39 7c db 31
74 43 95 ba 3b 23 c3 a8 c7 0e 03 21
*0.12846880 GZB_2352 EAP/7/debug:
Issue 02 (2015-01-20)

166

Maintenance Guide
Send EAP_request/identity packet to user successfully

*0.12847030 GZB_2352 EAP/7/debug:
Send EAP_request/challenge packet successfully//The EAPOL module forwards the challenge
packet to the client.
*0.12847170 GZB_2352 EAP/7/debug:
Enter REQUEST status
*0.12847280 GZB_2352 EAP/7/debug:
EAPOL packet: IN
88 8e 01 00 00 1f 02 dd 00 1f 04 10 a3 49 8d 44
32 96 e8 de 44 16 ff fc 9d c9 23 c9 74 65 73 74
40 74 65 73 74 //The EAPOL module receives the response packet encrypted by the client.
*0.12847530 GZB_2352 EAP/7/debug:
Received user response packet
*0.12847650 GZB_2352 EAP/7/debug:
Send authentication request message successfully
*0.12847790 GZB_2352 EAP/7/debug:
Send authentication request to server successfully
*0.12847930 GZB_2352 EAP/7/debug:
Create wait authentication response timer successfully
*0.12848080 GZB_2352 EAP/7/debug:
Enter RESPONSE status
[UCM DBG]MSG Recv From:EAPOL Code:EAPOL_CM_AUTH_REQ Event:AUTH_REQ
Src:37 Dst:
37
Issue 02 (2015-01-20)

167

Maintenance Guide
[UCM DBG]MSG Send To:AAA Code:UCM_AAA_AUTH_REQ Src:37 Dst:37

[UCM DBG]UserName:
*0.12848650 GZB_2352 AAA/7/AAADBG:
[AAA debug] Code: UCM->AAA authen request UserID: 37
*0.12848770 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Event AAA_MAIN->AAA_AUTHEN:EAPEndAuthenReq
CID=37
Action=NullAction
*0.12848930 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Result=SUCCESS
FSM:
AcctState=AcctIdle
AuthorState=AuthorIdle ELAState=ELAWaitResponse
*0.12849150 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Event AAA_AUTHEN->AAA_AUTHEN:NomalAuthenReq
CID=37
Action=NullAction
*0.12849310 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Result=SUCCESS
FSM:
AcctState=AcctIdle
AuthorState=AuthorIdle ELAState=ELAWaitAuthenAck
*0.12849530 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID = 37,UserName = test@test Start authen
*0.12849640 GZB_2352 AAA/7/AAADBG:
Issue 02 (2015-01-20)

168

Maintenance Guide
AAA EVENT:CID = 37,get domain index 1 to temp domain index

//After receiving the response from client, the AAA module obtains the domain name and
authentication scheme, and then sends an authentication request to the RADIUS module.
*0.12849760 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID 37 State From aaa_auth_idle To aaa_auth_wait
*0.12849880 GZB_2352 AAA/7/AAADBG:
[AAA debug] Code: AAA->RADIUS authen request UserID: 37 Template: account
*0.12850020 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID = 37, Username = test@test Send authen req to Radius and start ti
mer
*0.12850170 GZB_2352 RDS/7/debug2:
Radius Sent a Packet
Server Template: 0
Server IP : 114.255.138.108
Protocol: Standard
Code : 1//Authentication request
Len : 257
ID : 24
[User-name(1) ] [11] [test@test]
[Challenge-Password(3) ] [19] [dda3498d443296e8de4416fffc9dc923c9
]
[CHAP-Challenge(60) ] [18] [397cdb31744395ba3b23c3a8c70e0321]
[NAS-Port(5) ] [6 ] [32769]
[Service-Type(6) ] [6 ] [2]
[Framed-Protocol(7) ] [6 ] [1]
[Framed MTU(12) ] [6 ] [1500]
[Calling-Station-Id(31) ] [16] [001E-90AF-07F5]
[NAS-Identifier(32) ] [10] [GZB_2352]
[NAS-Port-Type(61) ] [6 ] [15]
[NAS-Port-Id(87) ] [34] [slot=0;subslot=0;port=8;vlanid=1]
[Login-IP-Host(14) ] [6 ] [0]
[NAS-Startup-Timestamp(26-59) ] [6 ] [2011]
*0.12851380 GZB_2352 RDS/7/debug2:
Issue 02 (2015-01-20)

169

Maintenance Guide
[Ip-Host-Addr(26-60) ] [35] [255.255.255.255 00:1e:90:af:07:f5]

[Connect_ID(26-26) ] [6 ] [2011]
[Version(26-254) ] [29] [Huawei VRP Software Version]
[Product-ID(26-255) ] [5 ] [VRP]
[NAS-IP-Address(4) ] [6 ] [114.255.138.105]
*0.12851850 GZB_2352 RDS/7/debug2:
Radius Received a Packet//The switch receives an authentication response from the RADIUS
server.
Server Template: 0
Server IP : 114.255.138.108
Server Port : 1812
Protocol: Standard
Code : 2//Authentication is successful.
Len : 43
ID : 24
[Tunnel-Type(64) ] [6 ] [13]
[Tunnel-Medium-type(65) ] [6 ] [6]
[Tunnel-Private-Group-id(81) ] [5 ] [100]
[Filter-ID(11) ] [6 ] [3000]
*0.12852370 GZB_2352 AAA/7/AAADBG:
[AAA debug] Code: RADIUS->AAA authen accept UserID: 37 Template: account
*0.12852510 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Event AAA_MAIN->AAA_AUTHEN:RDSAuthenAccept
CID=37
Action=NewAuthenAction
*0.12852670 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Result=SUCCESS
FSM:
AuthenState=AuthenWait
AcctState=AcctIdle
Issue 02 (2015-01-20)

170

Maintenance Guide
*0.12852890 GZB_2352 AAA/7/AAADBG:

AAA EVENT:pstAuthenReq->ucAuthCode = 2
*0.12852980 GZB_2352 AAA/7/AAADBG:
AAA EVENT:Privilege of Authentication REQ is: 15
*0.12853080 GZB_2352 AAA/7/AAADBG:
AAA EVENT:Get AuthorCmdFlag by Privilege of Authentication REQ is: 0
*0.12853210 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID =37,UserName = test@test RDS Authen Success//Authentication is
successful.
*0.12853330 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID 37 State From aaa_auth_wait To aaa_authed
*0.12853440 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Event AAA_AUTHEN->AAA_AUTHEN:EAPEndAuthenAck
CID=37
Action=NullAction
*0.12853600 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Result=SUCCESS
FSM:
AuthenState=Authened
AcctState=AcctIdle
*0.12853820 GZB_2352 AAA/7/AAADBG:
[AAA debug] Code: AAA->UCM authen ack UserID: 37
*0.12853930 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID = 37,UserName = test@test Authen State is OK
[UCM DBG]MSG Recv From:AAA Code:AAA_UCM_AUTH_ACK Event:AUTH_PASS
Src:37 Dst:37
[UCM DBG]Result:0 ReAlloc:0 Portal:0 Padm:0 Ip:ffffffff AuthorCmdFlag:0
Issue 02 (2015-01-20)

171

Maintenance Guide
[UCM State]Cib:37 Event:AUTH_PASS State From AUTH BUTT To UP BUTT

*0.12854480 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Event AAA_ACCT->AAA_ACCT:Login-StartAcctReq
CID=37
Action=ConnectUpAction
*0.12854650 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Result=SUCCESS
FSM:
AcctState=AcctIdle
*0.12854860 GZB_2352 AAA/7/AAADBG:
AAA EVENT:Domain = test Online Number plus One
*0.12854960 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID = 37,UserName = test@test Send Start Acct Req to RDS//Accounting
request
*0.12855100 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID 37 State From aaa_acct_idle To aaa_acct_start_wait
*0.12855220 GZB_2352 AAA/7/AAADBG:
[AAA debug] Code: AAA->RADIUS acct start request UserID: 37 Template: acc
ount
*0.12855370 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID = 37,UserName = test@test Send start acct request to RDS
[UCM DBG]MSG Send To:EAPOL Code:CM_EAPOL_AUTH_ACK Src:37 Dst:37
[UCM DBG]Result:0
*0.12855700 GZB_2352 RDS/7/debug2:
Radius Sent a Packet
Server Template: 0
Server IP : 114.255.138.108
Issue 02 (2015-01-20)

172

Maintenance Guide
Protocol: Standard
Code : 4//Accounting request
Len : 251
ID : 8
[User-name(1) ] [11] [test@test]
[NAS-Port(5) ] [6 ] [32769]
[Filter-ID(11) ] [8 ] [3000@0]
[NAS-Identifier(32) ] [10] [GZB_2352]
[Acct-Status-Type(40) ] [6 ] [1]
[Acct-Session-Id(44) ] [43] [GZB_23200801010350090000012bffc096
3100037]
[Acct-Authentic(45) ] [6 ] [1]
[Event-Timestamp(55) ] [6 ] [1199159409]
[NAS-Port-Type(61) ] [6 ] [15]
[NAS-Port-Id(87) ] [34] [slot=0;subslot=0;port=8;vlanid=1]
[Ip-Host-Addr(26-60) ] [35] [255.255.255.255 00:1e:90:af:07:f5]
[Input_Peak_Rate(26-1) ] [6 ] [2011]
[Input_Average_Rate(26-2) ] [6 ] [2011]
[Input_Basic_Rate(26-3) ] [6 ] [2011]
*0.12856980 GZB_2352 RDS/7/debug2:
[Output_Peak_Rate(26-4) ] [6 ] [2011]
[Output_Average_Rate(26-5) ] [6 ] [2011]
[Output_Basic_Rate(26-6) ] [6 ] [2011]
[Priority(26-22) ] [6 ] [2011]
[Connect_ID(26-26) ] [6 ] [2011]
[NAS-IP-Address(4) ] [6 ] [114.255.138.105]
*0.12857430 GZB_2352 EAP/7/debug:
Received authentication success message from server
*0.12857600 GZB_2352 EAP/7/debug:
EAPOL packet: OUT
88 8e 01 00 00 04 03 dd 00 04
Issue 02 (2015-01-20)

173

Maintenance Guide
*0.12857720 GZB_2352 EAP/7/debug:

Send EAP_success packet to user successfully
*0.12857860 GZB_2352 EAP/7/debug:
Send EAP_success packet
*0.12857970 GZB_2352 EAP/7/debug:
EAPoL Error: index 37, status 3
Invalid reauthenticate action attribute from authentication server
*0.12858140 GZB_2352 EAP/7/debug:
Send update dynamic info successfully
*0.12858270 GZB_2352 EAP/7/debug:
User is online
*0.12858370 GZB_2352 RDS/7/debug2:
Radius Received a Packet
Server Template: 0
Server IP : 114.255.138.108
Server Port : 1813
Protocol: Standard
Code : 5//Accounting is successful.
Len : 20
ID : 8
[UCM DBG]MSG Recv From:EAPOL Code:UNKNOWN Src:37 Dst:2194975792
[UCM DBG]MSG Send To:AAA Code:UNKNOWN Src:37 Dst:37
[UCM WARNING]Changing msg to event fail
*0.12859000 GZB_2352 AAA/7/AAADBG:
[AAA debug] Code: RADIUS->AAA acct start ack UserID: 37 Template: account
Issue 02 (2015-01-20)

174

Maintenance Guide
*0.12859140 GZB_2352 AAA/7/AAADBG:

AAA EVENT:
Event AAA_MAIN->AAA_ACCT:RDSStartAcctAck
CID=37
Action=ConnectUpAction
*0.12859310 GZB_2352 AAA/7/AAADBG:
AAA EVENT:
Result=SUCCESS
FSM:
AcctState=AcctStartWait
*0.12859520 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID = 37,UserName = test@test Receive RDS Start Acct ACK//Accounting
starts.
*0.12859650 GZB_2352 AAA/7/AAADBG:
AAA EVENT:CID 37 State From aaa_acct_start_wait To aaa_acct_accting
*0.12859780 GZB_2352 AAA/7/AAADBG:
NOTE
The common cause is that the switch fails to obtain the authentication scheme. The authentication scheme
is configured in the domain view. The switch needs to obtain the domain name from the user name. If the
user name does not carry a domain name, the authentication scheme in the default domain is used. If the
fault persists, collect information and contact Huawei technical support personnel.
----End
Issue 02 (2015-01-20)

175

Maintenance Guide
4 Typical Fault Troubleshooting Cases
Typical Fault Troubleshooting Cases
4.1 OSPF Neighbor Relationship Flapping Caused by an

Unstable Link
In this example, the switches support Open Shortest Path First (OSPF). Table 4-1 describes the
versions and products that support OSPF.
Table 4-1 Product and version support for OSPF
Version
Support
V100R006C03
No models support OSPF.
V100R006C05
V200R001
Fixed switches: All models support OSPF.

Modular switches: All models support OSPF.
V200R002

V200R003

Networking
As shown in Figure 4-1, the switch directly connects to the NE40E. A VLANIF interface on
the switch and a GE subinterface on the NE40E function as Layer 3 interfaces. The two interfaces
are added to the same VLAN and assigned IP addresses on the same network segment. The
S9300 and NE40E establish an OSPF neighbor relationship.
Issue 02 (2015-01-20)

176

Maintenance Guide
Figure 4-1 Networking of an OSPF neighbor relationship
Fault Symptom
The OSPF neighbor relationship status flaps, causing frequent route convergence. Traffic fails
to be forwarded during route convergence.
Cause Analysis
A fault on an optical fiber or optical module causes frequent Up/Down state changes on the link
between the devices. The unstable link results in OSPF neighbor relationship flapping.
Step 1 Check logs on the switch.
Find out the time when the OSPF neighbor relationship goes Down in the logs. The following
provides an example of log information:
Feb 15 2011 14:27:54 SW_CASA_S9306_01 %%01OSPF/6/NBR_DOWN_REASON(l): Neighbor
state leaves full or changed to Down. (ProcessId=100,
NeighborRouterId=192.168.20.6, NeighborAreaId=0,
NeighborInterface=Vlanif305,NeighborDownImmediate reason=Neighbor Down Due to 1Wayhello Received, NeighborDownPrimeReason=1-Wayhello Received, NeighborChangeTime=
[2011/02/15] 14:27:54)
There are many similar logs. The OSPF neighbor relationship goes Down because the switch
receives 1-way Hello packets.
Step 2 Check logs on the NE40E.
There are logs indicating that the OSPF neighbor relationship goes Down at the same time.
Feb 15 2011 13:26:31 PE_NE40E_CASA_ANWAL_01 %%01OSPF/6/NBR_DOWN_REASON(l)
[67934]:Neighbor state leaves full or changed to Down. (ProcessId=202,
NeighborRouterId=192.168.28.225, NeighborAreaId=0,
NeighborInterface=GigabitEthernet8/0/0.305,NeighborDownImmediate reason=Neighbor
Down Due to Kill Neighbor, NeighborDownPrimeReason=Physical Interface State Change,
NeighborChangeTime=[2011/02/15] 13:26:31)
Step 3 Check whether a physical interface and its subinterface frequently go Up and Down based on
log information.
The following is an example of log information on the NE40E:
Feb 15 2011 13:26:31 PE_NE40E_CASA_ANWAL_01 %%01PHY/4/PHY_STATUS_UP2DOWN(l)
[67928]:Slot=8;GigabitEthernet8/0/0 change status to down.
Feb 15 2011 13:26:32 PE_NE40E_CASA_ANWAL_01 %%01PHY/4/PHY_STATUS_UP(l)
[67947]:Slot=8;GigabitEthernet8/0/0 change status to up.
The log information shows that a physical interface on a device is unstable. When the interface
goes Down, the OSPF neighbor relationship on the local device also goes Down. When the
interface goes Up, the device sends a Hello packet to the peer device for OSPF negotiation. After
Issue 02 (2015-01-20)

177

Maintenance Guide
receiving the Hello packet, the peer device sets the status of the local OSPF neighbor relationship
to Down and re-establishes an OSPF neighbor relationship.
Step 4 Replace the faulty optical fiber or optical module. The fault is rectified.
----End
Conclusions and Suggestions

If OSPF neighbor relationship flapping occurs, check logs on both ends of the link. If interfaces
on both ends go Up and Down at the same time, the link is unstable.
The link instability may be caused by a faulty optical fiber, faulty optical module, insecurely
connected electrical interface, loose cable connection, or link failure.
4.2 Route Flapping Caused by an IP Address Conflict

In this example, the switches support OSPF. Table 4-2 describes the versions and products that
support OSPF.
Table 4-2 Product and version support for OSPF
Version
Support
V100R006C03
V100R006C05
V200R001

V200R002

V200R003

Networking
As shown in Figure 4-2, OSPF is configured on SwitchA, SwitchB, SwitchC, and SwitchD, and
router IDs and IP addresses have been configured for the devices.
Figure 4-2 IP address conflict on a network
Issue 02 (2015-01-20)

178

Maintenance Guide
Fault Symptom
The following problems may occur due to IP address conflicts between interfaces on different
devices:
l
The CPU usage is high. You can run the display cpu-usage command to check the CPU
usage. The command output shows that the ROUT task consumes much more CPU
resources than other tasks.
Route flapping occurs.
Cause Analysis
On an OSPF network, IP address conflicts between interfaces may cause frequent aging and
generation of link-state advertisements (LSAs), which results in network instability, route
flapping, and high CPU usage.
Step 1 Run the display ospf lsdb command on each switch once per second to check information about
the OSPF link state database (LSDB) on the switches.
Collect the command output on each switch.
Step 2 Locate the fault based on the collected information.
l Scenario 1
The aging time (Age field) of a network LSA is 3600 on a switch or the switch does not have
the network LSA, and the Sequence value increases quickly.
On the other switches, the aging time of the same network LSA frequently alternates between
3600 and smaller values, and the Sequence value increases quickly.
If the preceding conditions are met, LSA aging is abnormal.
The following provides a command output example:
<HUAWEI> display ospf lsdb
OSPF Process 1 with Router ID 3.3.3.3
Link State Database
Area: 0.0.0.0
AdvRouter
4.4.4.4
3.3.3.3
2.2.2.2
1.1.1.1
4.4.4.4
1.1.1.1
3.3.3.3
1.1.1.1
Type
Router
Router
Router
Router
Network
Network
Network
Network
LinkState ID
4.4.4.4
3.3.3.3
2.2.2.2
1.1.1.1
112.1.1.4
112.1.1.2
222.1.1.3
111.1.1.1
Type
External
External
AS External Database
LinkState ID
AdvRouter
33.33.33.33
4.4.4.4
125.12.1.2
4.4.4.4
Age
2
6
228
258
121
3600
227
259
Len
48
72
60
60
32
32
32
32
Sequence
8000000D
80000016
8000000D
80000009
80000001
80000015
80000003
80000002
Metric
1
1
1
1
0
0
0
0
Age
206
206
Len
36
36
Sequence
800001D7
80000032
Metric
1
1
Run the display ospf routing command on each switch once every second. If route flapping
occurs but the OSPF neighbor relationship does not flap, IP address conflicts or router ID
conflicts have occurred. Based on the display ospf lsdb command output, it is determined
that the IP address of the designated router (DR) conflicts with that of a non-DR.
Issue 02 (2015-01-20)

179

Maintenance Guide
Locate one switch that uses the conflicting IP address based on the AdvRouter value and
then find the conflicting interface on the switch. The other switch is difficult to find based
only on OSPF information. You need to check interface IP addresses against the IP address
plan to locate this switch.
In this example, first determine that the conflicting IP address is 112.1.1.2, and the router ID
of a conflicting device is 1.1.1.1. However, the other conflicting device (3.3.3.3) cannot be
located based on OSPF information.
l Scenario 2
If the LinkState ID values of two network LSAs are both 112.1.1.2 on a switch, the aging
time of the two network LSAs is short, and the Sequence value increases quickly, then an
IP address conflict has occurred between the DR and BDR.
<HUAWEI> display ospf lsdb
OSPF Process 1 with Router ID 3.3.3.3
Link State Database
Area: 0.0.0.0
AdvRouter
4.4.4.4
3.3.3.3
2.2.2.2
1.1.1.1
3.3.3.3
1.1.1.1
3.3.3.3
4.4.4.4
2.2.2.2
Type
Router
Router
Router
Router
Network
Network
Network
Network
Network
LinkState ID
4.4.4.4
3.3.3.3
2.2.2.2
1.1.1.1
112.1.1.2
112.1.1.2
222.1.1.3
212.1.1.4
111.1.1.2
Type
External
External
AS External Database
LinkState ID
AdvRouter
33.33.33.33
4.4.4.4
125.12.1.2
4.4.4.4
Age
17
21
151
1180
3
5
145
10
459
Len
48
72
60
60
32
32
32
32
32
Sequence
8000011D
8000015A
80000089
8000002A
8000016A
80000179
8000002D
80000005
80000003
Metric
1
1
1
1
0
0
0
0
0
Age
30
30
Len
36
36
Sequence
800001DC
80000037
Metric
1
1
Step 3 Change the IP address of a conflicting device based on the IP address plan.
----End

On an OSPF network, IP address conflicts between interfaces may cause frequent aging and
generation of LSAs, which results in network instability, route flapping, and high CPU usage.
Therefore, configure IP addresses for interfaces according to the plan, and do not modify planned
network parameters. If an IP address conflict occurs, locate the conflicting devices and rectify
the fault in a timely manner.
4.3 Unbalanced Traffic Distribution Among Eth-Trunk

Member Interfaces
All products and versions.
Issue 02 (2015-01-20)

180

Maintenance Guide
Networking
None.
Fault Symptom
IP packets cannot be evenly distributed among Eth-Trunk member interfaces on a switch.
Cause Analysis
An Eth-Trunk between switches implements load balancing using the hash algorithm based on
the source and destination IP/MAC addresses of packets. If packets have identical or similar IP
or MAC addresses, the switch forwards packets through the same link, resulting in unbalanced
traffic distribution.
Step 1 In the Eth-Trunk interface view, check the default hash algorithm.
[Quidway-Eth-Trunk1] display this interface
Eth-Trunk1 current state : UP
Description: Link to Eth-Trunk1
Switch Port, PVID :
1, Hash arithmetic : According to SIP-XOR-DIP,The Maximum
Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4cb1-6c3b-aaf5
Current system time: 2013-08-07 14:51:00+08:00
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes
The command output shows that the Eth-Trunk uses the hash algorithm based on the exclusiveOR result of the source and destination IP addresses to implement load balancing by default. On
an IP network where devices' IP addresses randomly change, such a hash algorithm can ensure
even traffic distribution. On a Layer 2 network, MAC addresses frequently change and IP
addresses are fixed, so traffic may be not evenly distributed.
Step 2 If traffic is not evenly load balanced among Eth-Trunk member interfaces, run the loadbalance command to change the hash algorithm.
[Quidway-Eth-Trunk1] load-balance ?
dst-ip
According to destination IP hash arithmetic
dst-mac
According to destination MAC hash arithmetic
enhanced
Enhanced hash arithmetic
src-dst-ip
According to source/destination IP hash arithmetic
src-dst-mac According to source/destination MAC hash arithmetic
src-ip
According to source IP hash arithmetic
src-mac
According to source MAC hash arithmetic
A switch supports the following load balancing modes for known unicast packets:
l dst-ip (destination IP address) mode
The system obtains the specified three bits from each of the destination IP address and the
outbound TCP or UDP port number to perform the exclusive-OR calculation, and then selects
the outbound interface from the Eth-Trunk table according to the calculation result.
l src-ip (source IP address) mode
Issue 02 (2015-01-20)

181

Maintenance Guide
The system obtains the specified three bits from each of the source IP address and the inbound
TCP or UDP port number to perform the exclusive-OR calculation, and then selects the
outbound interface from the Eth-Trunk table according to the calculation result.
l src-dst-ip (exclusive-OR calculation of the source and destination IP addresses) mode
The system uses the calculation results of the dst-ip and src-ip modes to perform the
exclusive-OR calculation, and then selects the outbound interface from the Eth-Trunk table
l dst-mac (destination MAC address) mode
The system obtains the specified three bits from each of the destination MAC address, VLAN
ID, Ethernet type, and inbound interface information to perform the exclusive-OR
calculation, and then selects the outbound interface from the Eth-Trunk table according to
the calculation result.
l src-mac (source MAC address) mode
The system obtains the specified three bits from each of the source MAC address, VLAN
ID, Ethernet type, and inbound interface information to perform the exclusive-OR
calculation, and then selects the outbound interface from the Eth-Trunk table according to
the calculation result.
l src-dst-mac (exclusive-OR calculation of the source and destination MAC addresses) mode
The system obtains the specified three bits from each of the destination MAC address, source
MAC address, VLAN ID, Ethernet type, and inbound interface information to perform the
exclusive-OR calculation, and then selects the outbound interface from the Eth-Trunk table
l enhanced mode
The system uses an enhanced load balancing profile to select outbound interfaces for different
packets.
NOTE
Modular switches: All cards except the SA series cards support load balancing in enhanced mode.
Fixed switches:
V200R001C01: Only the S5300HI supports load balancing using an enhanced load balancing profile.
profile.
profile.
To configure a load balancing mode for broadcast and multicast packets, run the unknownunicast load-balance { dmac | smac | smacxordmac | enhanced } command in the system
view.
Issue 02 (2015-01-20)

182

Maintenance Guide

NOTE
Modular switches: V200R001, V200R002, and V200R003 all support this command.
Fixed switches:
V100R006C03: Only the S2352EI and S3300 support this command, but they do not support the
enhanced parameter.
V100R006C05: Only the S2352P-EI and S3300 support this command, but they do not support the
enhanced parameter.
V200R001: Only the S5300EI and S5300HI support this command.
V200R002: Only the S5310EI, S5300EI, and S5300HI support this command. Only the S5310EI and
S5300HI support the enhanced parameter.
V200R003: Only the S5310EI, S5300EI, and S5300HI support this command. Only the S5310EI and
S5300HI support the enhanced parameter.
----End

You can configure a load balancing mode based on the traffic model. When a parameter of traffic
changes frequently, you can set the load balancing mode based on this parameter to ensure that
the traffic is evenly load balanced. For example, if IP addresses of packets change frequently,
select the dst-ip, src-ip, or src-dst-ip load balancing mode. If MAC addresses of packets change
frequently and IP addresses are fixed, select the dst-mac, src-mac, or src-dst-mac load
balancing mode.
4.4 Layer 2 Packet Loss Caused by Loops

Networking
As shown in Figure 4-3, a switch is connected to an enterprise network through a leased line.
The switch functions as a Layer 2 aggregation switch, and an NE80 functions as the gateway.
Figure 4-3 Network where layer 2 packet loss occurs
Fault Symptom
Enterprise network users complain that the network has a slow response to their service requests.
When the NE80 pings a terminal on the enterprise network, packet loss occurs.
Issue 02 (2015-01-20)

183

Maintenance Guide
Cause Analysis
A loop exists on the downstream network of GE10/0/6. As a result, the MAC address of the
NE80 flaps between GE10/0/6 and GE12/0/0 of the switch. When GE10/0/6 learns the MAC
address of the NE80, user packets cannot be forwarded to the gateway.
Step 1 Enable MAC address flapping detection on the switch and check alarms.
NOTE
Alarm information differs for fixed and modular switches of different versions. The following alarm
information is only used as an example.
#Jul 28 09:59:34 2012 Switch L2IF/4/mac_flapping_alarm:OID
1.3.6.1.4.1.2011.5.25.42.2.1.7.12The mac-address has flap value .
(BaseTrapSeverity=0, BaseTrapProbableCause=0, BaseTrapEventType=4,
L2IfPort=549,entPhysicalIndex=1, MacAdd=0025-9e03-02f1,vlanid=107,
FormerIfDescName=GigabitEthernet12/0/0,CurrentIfDescName=GigabitEthernet10/0/6,Dev
iceName= Switch)
The preceding alarm information indicates that MAC address flapping occurs.
Step 2 Set the NE80 MAC address to a static MAC address on GE12/0/0.
The loop on the downstream network of GE10/0/6 is eliminated.
----End

To locate Layer 2 packet loss and intermittent disconnection problems, first check whether MAC
address flapping occurs in addition to checking basic factors such as network cables, optical
power of optical modules, and interface status. Then configure a static MAC address and check
whether the problems are resolved. Configuring a static MAC address only prevents loops. To
eliminate loops, configure a loop prevention protocol.
4.5 High CPU Usage Caused by a Large Number of TC

Packets
Networking
None.
Fault Symptom
1.
Issue 02 (2015-01-20)
The CPU usage of a switch that is displayed on the NMS is high, as shown in Figure 4-4.
184

Maintenance Guide
Figure 4-4 CPU usage of a switch displayed on the NMS
2.
Logs indicating high CPU usage are generated on the switch.

S6300-1 %%01VOSCPU/4/CPU_USAGE_HIGH(l)[31]:The CPU is overloaded(CpuUsage=96%,
Threshold=95%), and the tasks with top three CPU occupancy are:
FTS total
: 18%
SRMT total
: 11%
SOCK total
: 8%
S6300-1 %%01VOSCPU/4/CPU_USAGE_HIGH(l)[60]:The CPU is overloaded
(CpuUsage=100%, Threshold=95%), and the tasks with top three CPU occupancy
are:
PPI
total
: 41%
SRMT total
: 10%
FTS total
: 8%
3.
There are also logs indicating that a large number of ARP packets are discarded because
of CPCAR exceeding.
S6300-1 %%01DEFD/4/CPCAR_DROP_MPU(l)[56]:Rate of packets to cpu exceeded the
CPCAR limit on the MPU. (Protocol=arp-miss, ExceededPacketCount=016956)
CPCAR limit on the MPU. (Protocol=arp-reply, ExceededPacketCount=020699)
CPCAR limit on the MPU. (Protocol=arp-request, ExceededPacketCount=0574
4.
Collect statistics about transmitted and received TC packets on interfaces.

As shown in Figure 4-5, the number of received TC packets increases on all STP-enabled
interfaces.
Figure 4-5 Increase in the number of TC packets on interfaces
Cause Analysis
Based on statistics about TC packets on interfaces, the number of received TC packets is large
and continuously increases. MAC address entries are deleted, and ARP entries are updated. The
switch has to process a large number of ARP Miss, ARP Request, and ARP Reply packets,
leading to high CPU usage. OSPF Hello packets and VRRP heartbeat packets cannot be
processed in a timely manner, resulting in protocol flapping.
Issue 02 (2015-01-20)

185

Maintenance Guide
Step 1 Run the stp tc-protection command in the system view.
This command ensures that the device updates entries once every 2 seconds even when it receives
a large number of TC packets. This configuration prevents high CPU usage caused by frequent
updates of MAC address entries and ARP entries.
Step 2 Run the arp topology-change disable and mac-address update arp commands in the system
view.
When receiving TC packets, the switch deletes the MAC address entries and aged ARP entries
by default. If there are many ARP entries on the switch, ARP entry relearning triggers a large
number of ARP packets on the network. After the arp topology-change disable and macaddress update arp commands are configured, the switch updates the outbound interfaces in
ARP entries based on the outbound interfaces in the MAC address entries upon network topology
changes. The commands prevent unnecessary updates of ARP entries.
NOTE
V100R006 and later versions support the mac-address update arp command. V200R001 and later
versions support the arp topology-change disable command.
----End

When deploying STP, you are advised to enable TC protection and configure all interfaces
connected to terminals as edge interfaces. These measures prevent status change of an interface
from causing STP network flapping and route re-convergence.
4.6 Relationship Between MAC Address Flapping and

Loops
Networking
None.
Fault Symptom
A switch sends an alarm indicating MAC address flapping. Efforts are then made to check for
loops, but the interface where the loop occurs fails to be located. The MAC address flapping
alarm cannot be rectified.
The following provides the alarm information:
NOTE
Alarm information differs for fixed and modular switches of different versions. The following alarm
information is only used as an example.
Issue 02 (2015-01-20)

186

Maintenance Guide
Nov 21 2013 19:29:33 Quidway L2IFPPI/4/MAC_FLAPPING_ALARM:OID

1.3.6.1.4.1.2011.5.25.42.2.1.7.12The mac-address has flap value.
(L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549,
BaseTrapEventType=1, MacAdd=5654-4c83-05c0,vlanid=712,
FormerIfDescName=GigabitEthernet1/1/16,CurrentIfDescName=GigabitEthernet1/1/12,Dev
iceName=Quidway)
Cause Analysis
1.
A loop exists on the network.
2.
There are multiple terminals with the same MAC address.
The preceding alarm information shows that the switch can learn the same MAC address from
multiple interfaces. In this case, a loop exists, or multiple Layer 2 devices or terminals share the
same MAC address.
If there is a loop on the network, the alarm usually involves many MAC addresses. In addition,
traffic is heavy on some interfaces, and there are a large number of broadcast packets. If you
disable one interface where the alarm is generated, the alarm is cleared. MAC address flapping
occurs regardless of the service traffic volume.
If multiple terminals share the same MAC address, the alarm usually involves only one MAC
address or a small number of MAC addresses, and the statistics show that the number of received
and sent packets is within a normal range. Change the MAC address learning priority for an
interface. If traffic of users connected to this interface becomes abnormal, multiple user terminals
are using the same MAC address. In this case, change the MAC addresses of the user terminals.
If user traffic remains normal, some Layer 2 devices are using the same MAC address. In this
case, check the configuration of the Layer 2 devices and change their MAC addresses.

When MAC address flapping occurs, troubleshoot the fault based on the symptoms. MAC
address flapping does not necessarily result from loops, but loops will definitely result in MAC
address flapping.
4.7 Frequent Service Interruptions Caused by Loops

S9300 V100R003C00SPC200
Issue 02 (2015-01-20)

187

Maintenance Guide
Networking
Figure 4-6 Network where service interruptions frequently occur due to loops
Fault Symptom
After network reconstruction and migration, the original core devices (Layer 3 devices) are redeployed as access devices ASs (Layer 2 devices). Ping the management IP address of the AS
on the Layer 3 device DS. The command output shows that the ping fails and the VRRP group
status of the DS frequently alternates between master and backup.
The following alarm information is displayed on DS_02:
Sep 17 2013 21:46:11+08:00 DS_02 VRRP/3/VRRPMASTERDOWN:OID
1.3.6.1.4.1.2011.5.25.127.2.30.1 The state of VRRP changed from master to other
state.(VrrpIfIndex=143, VrId=48, IfIndex=143, IPAddress=11.91.127.239,
NodeName=DS_02, IfName=Vlanif948, CurrentState=2, ChangeReason=priority
calculation)
Sep 17 2013 21:46:11+08:00 DS_02 %%01VRRP/4/STATEWARNINGMEV1R3(l):Virtual Router
state BACKUP changed to MASTER, because of protocol timer expired.
(Interface=Vlanif948, VrId=48).
Sep 17 2013 21:46:11+08:00 DS_02 %%01VRRP/4/STATEWARNINGMEV1R3(l):Virtual Router
state MASTER changed to BACKUP, because of priority calculation.
(Interface=Vlanif948, VrId=48)
.
The VRRP group status frequently alternates. Check the VRRP group status after the switchover.
All VRRP groups are in Backup state.
<DS_02> display vrrp brief
VRID State
Interface
Issue 02 (2015-01-20)
Type
Virtual IP

188

Maintenance Guide
-------------------------------------------------------3
Backup
Vlanif903
Normal 10.93.4.30
5
Backup
Vlanif599
Normal 11.91.127.94
14
Backup
Vlanif914
Normal 10.93.41.126
24
Backup
Vlanif924
Normal 10.93.32.126
25
Backup
Vlanif925
Normal 10.93.32.254
Cause Analysis
A loop exists on the network.
Step 1 Run the display cpu-defend vrrp statistics all command to check statistics on VRRP packets.
The command output shows that DS_02 discards a large number of packets.
[DS_02] display cpu-defend vrrp statistics all
Statistics on mainboard:
------------------------------------------------------------------------------Packet Type
Pass(Packets)
Drop(Packets)
------------------------------------------------------------------------------vrrp
0
0
0
0
------------------------------------------------------------------------------Statistics on slot 1:
------------------------------------------------------------------------------Packet Type
Pass(Packets)
Drop(Packets)
------------------------------------------------------------------------------vrrp
0
0
0
0
------------------------------------------------------------------------------Statistics on slot 4:
------------------------------------------------------------------------------Packet Type
Pass(Packets)
Drop(Packets)
------------------------------------------------------------------------------vrrp
79880066214
2581617736
1174644777
37950869
-------------------------------------------------------------------------------
Step 2 Check statistics on each interface. (DS_02 should not discard VRRP packets.)
[DS_02] display interface brief
Interface
PHY
Eth-Trunk1
up
up
up
Ethernet0/0/0
down
up
up
up
up
up
up
up
up
up
up
up
down
up
up
up
up
up
up
up
Issue 02 (2015-01-20)
Protocol
up
up
up
down
up
up
up
up
up
up
up
up
up
up
up
down
up
up
up
up
up
up
up
InUti OutUti
inErrors
31%
31%
0
0.72% 81%
0
81%
0.73%
2
0%
0%
0
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0.01%
82%

81%
81%
81%
81%
81%
81%
81%
81%
82%
82%
82%
0%
82%
82%
82%
82%
82%
82%
0%
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
outErrors
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
189

Maintenance Guide
LoopBack500
NULL0
Vlanif599
up
down
up
up
up
up
up
down
up
up(s)
up(s)
up
87%
82%
0%
0%
0.01% 0.01%
0%
0%
0%
0%
---
0
0
0
0
0
0
0
0
0
0
0
0
According to the preceding statistics, the outgoing traffic occupies more than 80% of the
bandwidth of the interface connecting to the AS, indicating that a loop occurs. In addition, the
incoming traffic occupies more than 80% of the bandwidth on GigabitEthernet4/0/18 and
GigabitEthernet4/0/19, indicating that the loop occurs on the AS devices connected to the two
interfaces. Manually shut down the two interfaces, and then check CPU defense statistics and
ping the management IP address of another AS. The number of dropped VRRP packets stops
increasing and the ping operation succeeds.
Step 3 GigabitEthernet4/0/18 and GigabitEthernet4/0/19 connect to AS_03 and AS_05 respectively.
Both are non-Huawei Layer 3 devices, on which STP is disabled. When the two devices are used
as Layer 2 devices, the command for enabling STP is not configured, resulting in the loop.
Enable STP, and check the STP status and traffic statistics on GigabitEthernet4/0/18 and
GigabitEthernet4/0/19 of the DS. You can find that services are restored.
----End

When the network traffic is unstable, check traffic statistics on interfaces to determine whether
a loop occurs. If a loop occurs, locate the source based on the information about packets received
and sent by the interfaces. Shut down interfaces temporarily. Find out the root cause and resolve
the problem accordingly.
4.8 Failure to Create a Traffic Policy with a User-Defined

ACL
S2300&S3300&S5300 V100R005/V100R006/V200R001/V200R002/V200R003
S6300 V100R006/V200R001/V200R002/V200R003
Networking
None.
Fault Symptom
A traffic policy with a user-defined ACL cannot be created.
[HUAWEI] acl number 5000 //Configure a user-defined ACL.
[HUAWEI-acl-user-5000] rule 5 permit l4-head 0x00000868 0x0000ffff 0 //Match a twobyte character string in the Layer 4 packet header. The matched character string is
0x00000868 and 0 indicates the offset.
[HUAWEI-acl-user-5000] rule 10 permit l4-head 0x00060000 0x00ff0000 24 //Match a
Issue 02 (2015-01-20)

190

Maintenance Guide
one-byte character string in the Layer 4 packet header. The matched character
string is 0x00000868 and 24 indicates the offset.
[HUAWEI] quit
[HUAWEI] traffic classifier c1 operator or //Create a traffic classifier, and set
the relationship between rules to OR (A packet belongs to the class if it matches
one or more of the rules.)
[HUAWEI-classifier-c1] if-match acl 5000 //Create an ACL-based matching rule.
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b5000 //Create a traffic behavior.
[HUAWEI-behavior-b1] redirect interface gigabitethernet0/0/24 //Redirect packets
to GE0/0/24.
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p5000 //Create a traffic policy.
[HUAWEI-trafficpolicy-p5000] classifier c1 behavior b1 //Bind the traffic
classifier to the traffic behavior.
Info: This operation maybe take a long time, please wait for a moment.
Error:Add rule failed, slot 0, policy p5000, class c1, behavior b1 acl 5000, rule
10, on interface GigabitEthernet0/0/21.
Cause Analysis
The traffic policy failed to be created because the user-defined ACL rules contain different
offsets.
Check the offsets in the ACL rules applied to the traffic policy. Ensure that the same offset is
used.
[HUAWEI] display acl 5000

If user-defined ACL rules are applied to a traffic policy, the offsets in the rules must be the same.
4.9 Pixelation in VOD Programs Due to Multicast Traffic

Bursts
S2300&S3300&S5300 V100R005/V100R006/V200R001/V200R002/V200R003
S6300 V100R006/V200R001/V200R002/V200R003
S9300 V100R003/V100R006/V200R001/V200R002/V200R003
Networking
User terminals connected to a switch can use the video on demand (VOD) service.
Fault Symptom
Pixelation occurs in video programs during peak hours.
Issue 02 (2015-01-20)

191

Maintenance Guide
Cause Analysis
Video traffic bursts frequently occur on the multicast server. When the switch receives multicast
traffic, it forwards multiple copies of the traffic. As a result, the bandwidth required to forward
the traffic may exceed the limit. When the switch's buffer is full, packet loss will occur due to
congestion, resulting in pixelation on user terminals.
1.
Run the display interface interface-type interface-number command in any view or the
display this interface command in the interface view to check the number of outgoing
packets on the interface connecting to user terminals. The command output shows that a
large number of packets are discarded, and the number keeps growing.
2.
Mirror incoming packets on the interface connecting to the multicast server. Use Wireshark
to parse the traffic, and determine whether packet loss occurs on the switch.
l If there is only a small amount of burst traffic, increase the link bandwidth between
network devices.
l The burst traffic rate may reach 1 Gbit/s. As shown in Figure 4-7, the multicast server
hibernates for more than a second, sends video at an approximate rate of 1 Gbit/s, and
enters the hibernation state several milliseconds later. Although the average outgoing
traffic rate is about 10 Mbit/s, the traffic rate approximates to 1 Gbit/s if measured in
milliseconds.
Figure 4-7 Video traffic burst on the multicast server
In this case, change the mode in which the multicast server sends packets, so that packets
can be sent at more stable rates, with little traffic burst, as shown in Figure 4-8.
For V200R001 and later versions, you can also run the qos burst-mode enhanced
command on the related interface to increase the interface buffer size, so that more burst
traffic can be buffered. Then ensure that packets are sent in a stable manner, with little
traffic burst, as shown in Figure 4-8.
Issue 02 (2015-01-20)

192

Maintenance Guide
Figure 4-8 Traffic information after traffic burst is resolved

When pixelation occurs in the VOD service, check the number of packets received and sent by
the interface connected to user terminals. Determine whether packets are discarded and check
the mode in which the multicast server sends packets.
If packets are discarded by the interface, traffic congestions occur. In this case, perform the
following operations:
1.
Install the latest patch for the version in use, and check whether the problem is resolved.
2.
Adjust the mode in which the multicast server sends packets to mitigate traffic congestion.
3.
If multiple traffic conflicts occur, increase the link bandwidth between devices.
4.10 Intermittent User Disconnection When the Switch

Functions as a Gateway
Networking
None.
Fault Symptom
When the switch functions as a gateway, users are frequently disconnected from and reconnected
to the LAN, and the switch generates a large number of address conflict alarms.
Issue 02 (2015-01-20)

193

Maintenance Guide
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from

the interface. (IpAddress=[IPADDR], InterfaceName=[STRING], MacAddress=[STRING])
Cause Analysis
To determine the cause, perform the following operations:
1.
Run the display logbuffer command in any view, and obtain the attacker's MAC address
from the displayed logs.
<HUAWEI> display logbuffer
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address

from the interface. (IpAddress=[IPADDR], InterfaceName=[STRING], MacAddress=
[STRING]).
2.
Search for the attacker's MAC address in the MAC address table to find out the interface
connected to the attack source.
3.
Locate the attack source, and you can find that the fault occurs because a PC that is infected
with virus acts as the gateway to request IP addresses from the devices on the network
segment.
1.
Remove virus from the PC.
2.
Configure the ARP gateway anti-collision function on the switch.

The switch then generates ARP anti-attack entries and discards the ARP packets with the
same source MAC address from the same VLAN in a certain period. This can prevent ARP
packets with the bogus gateway address from being broadcast on a VLAN.
[HUAWEI] arp anti-attack gateway-duplicate enable

The attacker sets the gateway address to the static IP address of the infected PC. The PC then
broadcasts gratuitous ARP packets on the LAN. When the other PCs on the LAN receive these
packets, they change the gateway MAC address to the attacker's MAC address in their local
gateway ARP entries. As a result, no users on the LAN can access the network normally.
The attacker frequently sends gratuitous ARP packets with the source IP address as the bogus
gateway address. Even if the gateway can request uninfected hosts to recover the gateway MAC
address when it receives the ARP packets, frequent changes of the gateway MAC address on
the hosts will also result in network disconnections.
Issue 02 (2015-01-20)

194

Maintenance Guide
5 Maintenance Instructions
Maintenance Instructions
5.1 High CPU Usage

CPU usage is the percentage of the amount of time the CPU spends in processing non-idle tasks.
CPU usage is an important performance indicator of a device.
NOTE
This chapter applies only to fixed-configuration switches.
5.1.1 CPU Tasks and CPU Usage

5.1.2 CPU Packet Processing Principles
5.1.3 Determining Whether a High CPU Usage Is a Fault
5.1.4 Troubleshooting a High CPU Usage
5.1.5 Recommended Configuration
5.1.6 Common Information
5.1.1 CPU Tasks and CPU Usage

This topic describes CPU tasks, functions, and usage after the device starts.
After the device starts, the CPU keeps running the following tasks:
l
System tasks of maintaining and managing the device status
Protocol tasks required in current network environments
Tasks of processing the packets received and sent from the forwarding plane
When Huawei switches are operating, the following functions need to use CPU resources:
l
Device component management: This function manages components in the device and
checks the running status of components, such as cards, power modules, and fan modules.
Stack management: This function manages and maintains the status of member switches
in a stack.
External access management: This function processes the network management traffic sent
to the CPU, such as Telnet, SSH, HTTP, and SNMP traffic.
Issue 02 (2015-01-20)

195

Maintenance Guide
Network control protocol management: This function sends and receives protocol packets,
performs protocol computing, and updates forwarding tables (such as MSTP, MAC, and
FIB tables). Network control protocols include STP, LLDP, LNP, LACP, VCMP, DLDP,
EFM, GVRP, VRRP, and routing protocols.
MAC address learning: This function helps synchronize MAC addresses between stack
member switches.
Packet software forwarding: For example, L2PT forwards Layer 2 protocol packets through
software.
ARP entry learning and aging
Processing of other packets sent to the CPU
Many active tasks may run on the CPU anytime. For example, there are more than 200 tasks on
the 5300LI. The number of tasks running in the system varies according to the device model.
Generally, if the device supports a large number of features, more tasks run in the system.
Because the system is always operating, CPU usage cannot be 0% even though no service
configuration and network traffic exists on the device. In a stack, the stack member status needs
to be periodically maintained, and most services are running on the master switch. A switch has
a higher CPU usage when it functions as the master switch in a stack. When the number of stack
member switches increases, CPU usage of the master switch increases accordingly.
In the following scenarios, the CPU runs with a heavy load and cannot schedule other tasks in
a timely manner. As a result, services may become abnormal.
l
Packets are sent from the forwarding plane to the CPU at a high rate. For example, owning
to a network loop, the CPU receives a large number of packets within a short period.
A task occupies the CPU for a long period.
You can run the display cpu-usage command on the device to view the current CPU usage,
including the average CPU usage within the last 5 seconds, last 1 minute, and last 5 minutes,
highest CPU usage, time highest CPU usage occurs, and CPU usages of current tasks within the
last 5 seconds in descending order.
NOTE
In most cases, common data packets are forwarded by switch hardware without involving the CPU.
Therefore, a high CPU usage does not affect data forwarding.
5.1.2 CPU Packet Processing Principles

This topic describes the packets to be processed by the CPU and packet processing principles.
Huawei switches forward common data packets through hardware without involving the CPU.
The following types of packets will be sent to the CPU for further processing:
l
Protocol packets to be terminated by switches

All the packets with a local destination address need to be sent to the CPU.
Protocol control packets, such as STP, LLDP, LNP, LACP, VCMP, DLDP, EFM,
GVRP, and VRRP
Route update packets, such as RIP, OSPF, BGP, and IS-IS packets
SNMP, Telnet, and SSH packets
ARP and ND Response packets
Issue 02 (2015-01-20)

196

Maintenance Guide
Data packets requiring special processing

ICMP packets with the option
IPv6 packets with the hop-by-hop option
IPv4/IPv6 packets with a TTL value smaller than or equal to 1
Packets with a local destination address
ARP, ND, and FIB Miss packets
Packets on which ACL-based packet classification is performed

Packets discarded by the ACL deny action after the logging function is enabled
Packets redirected to the CPU through traffic policies
Multicast packets
PIM, IGMP, MLD, and MSDP packets
Unknown IP multicast packets
Other packets
DHCP packets
ARP and ND broadcast request packets as well as ARP packets sent when dynamic
ARP inspection is configured on a Layer 2 switch
L2PT software forwarded Layer 2 protocol packets (Devices on two ends of a tunnel
forward Layer 2 protocol packets through software, and intermediate devices forward
these packets through hardware.)
First packet in N:1 VLAN mapping (Subsequent packets are forwarded through
hardware.)
Switches use the QoS mechanism to process the packets sent to the CPU and ensure that
important packets are processed first. Switches classifies eight queues of different priorities
according to different types of packets sent to the CPU. Different switch models may support
different types of packets sent to the CPU. The following uses S5300LI as an example. Table
5-1 and Figure 5-1 describe queue classification on the packets sent to the CPU. A larger queue
ID indicates a higher queue priority.
Table 5-1 Queue classification on packets sent to the CPU
Issue 02 (2015-01-20)
Queue ID
Packet Type
Description
IPC, RPC, LACP
Internal management packets
VP
Internal software forwarded

protocol packets
Telnet, SSH, LNP, DHCP
Management plane protocol

packets
ARP Request
Important control plane

protocol packets
STP, SMLK, EOAM, VCMP
Important control plane

protocol packets

197

Maintenance Guide
Queue ID
Packet Type
Description
LBDT, LLDP, DLDP,

IGMP, ICMP, NTP, 802.1x,
GVRP, L2PT, ARP Miss,
FTP, SNMP
Control plane protocol

packets
Other
Other
Figure 5-1 Placing different types of packets into CPU queues
Switches determine which CPU queue packets will be placed into based on the packet importance
and plane (management, control, or forwarding plane). CPU queues have different priorities.
For example, when Telnet management packets and Layer 2 protocol packets transparently
forwarded through L2PT software are buffered, the CPU first processes the Telnet management
packets in queue 5 to ensure device stability and manageability when CPU load is high.
Additionally, the CPU uses the weighted scheduling mechanism to ensure that packets in lowpriority queues can be processed. On a stable network, the number of packets sent to the CPU
is limited to a specified range, and CPU usage remains within a specified range. If a large number
of packets are sent to the CPU within a specified period, the CPU is busy processing these
packets, resulting in high CPU usage.
5.1.3 Determining Whether a High CPU Usage Is a Fault

In some situations, a high CPU usage does not result in network problems. For example, a high
CPU usage caused by known network events or administrator operations is a normal situation
and acceptable. A high CPU usage cannot be simply treated as a fault. It is a fault only when it
makes a device unable to process services normally.
5.1.3.1 A High CPU Usage Is a Normal Situation
5.1.3.2 Impact of a High CPU Usage on the System
Issue 02 (2015-01-20)

198

Maintenance Guide
5.1.3.1 A High CPU Usage Is a Normal Situation

In some network applications, a high CPU usage is a normal situation. Generally, a large network
requires more CPU resources to process network traffic. When more member switches need to
be managed in a stack, more CPU resources are required to maintain and manage the stack.
The device status is considered as normal in the following situations:
l
CPU usage does not exceed 80% when a device runs for a long period.
CPU usage does not exceed 95% when the device runs for a short period.
In the following scenarios, CPU usage may become high. This situation is, however, a normal
situation but not a fault.
l
Spanning tree
In MSTP, CPU usage is directly proportional to the number of instances and active ports.
In VBST, each VLAN runs an independent instance. Therefore, VBST uses more CPU
resources than MSTP when VBST and MSTP have the same number of VLANs and ports.
Routing table update

When a Layer 3 switch receives a route update message, the switch uses CPU resources to
update routing information to the control plane. In a stack, the switch also needs to
synchronize routing information to other member switches. During routing table update,
the following factors affect CPU usage:
Number of routing entries
Update frequency
Number of routing protocol processes that receive the update message
Number of member switches in a stack
Command execution
CPU usage temporarily becomes high when some commands are executed for a long period,
for example:
The copy flash:/ command is executed in the user view.
Some debugging commands that have a large amount of display information are
executed, especially when debugging information is displayed through the serial port.
Other scenarios
A port fast learns MAC addresses after having the sticky MAC function enabled.
Port groups are used to add a large number of ports to a large number of VLANs and
change the link type of these ports.
Frequent or a large number of IGMP requests
Frequent network management operations
A large number of concurrent DHCP requests (For example, when a switch functions
as a DHCP server, it restores connections with a large number of users.)
ARP broadcast storm
Ethernet broadcast storm
A large number of concurrent protocol packets are forwarded through software. For
example, L2PT transparently transmits a large number of BPDUs within a short time
or DHCP relay/snooping-enabled switch forwards DHCP packets through software.
Issue 02 (2015-01-20)

199

Maintenance Guide
A large number of data packets that cannot be forwarded through hardware are sent to
the CPU, such as ARP Miss packets.
A port frequently alternates between Up and Down states.
5.1.3.2 Impact of a High CPU Usage on the System

A high CPU usage adversely affects the system processing capability and may result in the
following network faults:
l
The STP topology changes or even network loops occur.

A switch periodically receives BPDUs through the CPU to maintain its root or alternate
port role. If an upstream device cannot send BPDUs in time because its CPU is busy or the
local CPU is too busy to process received BPDUs in time, the switch considers that the
original path to the root bridge is faulty and reselects a root port, causing network
reconvergence. If the switch also has an alternate port, the switch uses the alternate port as
the new root port. In this situation, a loop may occur on the network.
The routing topology changes.

Keepalive packets of dynamic routing protocols are processed by the CPU. If the CPU is
too busy to receive and send Hello packets in time, route flapping occurs. Route flapping
includes OSPF flapping, BGP flapping, and VRRP flapping.
Reliability detection protocols flap.

Keepalive packets of detection protocols such as 802.3ah, 802.1ag, DLDP, BFD, and MPLS
OAM are periodically processed by the CPU. S5300HI detects the timeout of 802.1ag,
BFD, and MPLS OAM and processes the Keepalive packets of these protocols through the
hardware OAM engine but not the CPU. Therefore, on the S5300HI, Keepalive packet
processing of 802.1ag, BFD, and MPLS OAM is not affected by the CPU load. If the CPU
is too busy to receive and send protocol packets in time, protocols flap and service traffic
forwarding is adversely affected.
Eth-Trunk of LACP type flaps.

LACP is maintained by the CPU. If the CPU is too busy to receive and send LACP packets
in time, Eth-Trunk shuts down a link, leading to link flapping.
A switch cannot respond to normal management requests.

Telnet or SSH sessions cannot be set up, causing a failure to manage the device, slow
device response, or delay in executing commands.
SNMP times out.
MAC/IP ping lasts a long time or even times out.
A switch cannot forward or respond to client requests in time, causing DHCP or IEEE
802.1x failures.
Packets software forwarded through the CPU are discarded or the delay in forwarding
packets is increased.
More memory resources are used.
5.1.4 Troubleshooting a High CPU Usage

This topic describes how to troubleshoot a high CPU usage, including possible causes and
measures taken to solve the problem.
Issue 02 (2015-01-20)

200

Maintenance Guide
When CPU usage becomes high, determine phenomena, clarify the problem, confirm the root
cause, and rectify the problem. For example, consider the following points:
l
When does CPU usage become high?
What is the system doing when CPU usage becomes high?
What factors cause a high CPU usage?
Is a high CPU usage a normal situation? Whether it needs to be rectified? How to rectify
it?
5.1.4.1 Obtaining CPU Usage Information

5.1.4.2 Identifying Device Behaviors
5.1.4.3 Analyzing the Root Cause
5.1.4.4 Common Causes of and Solution to a High CPU Usage
5.1.4.1 Obtaining CPU Usage Information

CPU usage is the percentage of the amount of time the CPU spends in processing non-idle tasks.
It has the following characteristics:
l
Constantly changing: System CPU usage varies according to the system operation and
external environment changes.
Non-real time: System CPU usage reflects CPU usage within a CPU statistical period.
Entity-related: CPU usage is calculated based on the physical CPU. Generally, each
physical entity has an independent physical CPU. Therefore, each member switch in a stack
has its own CPU usage.
Obtaining Device Information

Run the display device command to obtain device information, including the device model,
whether the device joins a stack, and what member switches the stack has.
<HUAWEI> display device
S5300-28P-LI-AC's Device status:
Slot Sub Type
Online
Power
Register
Status
Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 0
S5300-28P-LI
Present
PowerOn
Registered
Normal
Master
1
S5300-28P-LI
Present
PowerOn
Registered
Normal
Standby
2
S5300-28P-LI
Present
PowerOn
Registered
Normal
Slave
Obtaining CPU Usage Statistics

Run the display cpu-usage [ slave | slot slot-id ] command to view CPU usage statistics on the
device with high CPU usage. slot-id indicates the stack ID of a member switch in a stack.
<HUAWEI> display cpu-usage slot 0
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage
: 99% Max: 100%
CPU Usage Stat. Time : 2014-06-05 15:19:46
CPU utilization for five seconds: 99%: one minute: 75%: five minutes: 42%
Max CPU Usage Stat. Time : 2014-06-05 14:33:36.
TaskName
CPU Runtime(CPU Tick High/Tick Low) Task Explanation
ARP
30%
0/bda2b23b
ARP
OS
30%
0/b2d02f1f
Operation System
L2IF
21%
0/8448bf54
L2IF
Issue 02 (2015-01-20)

201

Maintenance Guide
IFPD
L2_P
FTS
IPCQ
STP
VPR
mv_rx7
VIDL
mv_rx6
AAA
ACL
ADPT
AGNT
AGT6
ALM
ALS
AM
APP
ASFI
ASFM
BATT
BFD
4%
3%
2%
2%
2%
2%
2%
1%
1%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0/1e575090
0/1a777526
0/13ed6c3e
0/1256ab6f
0/175350b9
0/16254e6f
0/123d908c
0/ 5f5df6f
0/ db73d34
0/
1d5c6
0/ 5fa8c7
0/
0
0/
0
0/
0
0/
0
0/ 3c2c178
0/ 155db9
0/
0
0/
0
0/
0
0/
0
0/ 3d8a91
BOX
BPDU
BTRC
CAPM
......
0%
0%
0%
0%
0/
0/
0/
0/
0
1f13d
6295
0
IFPD Ifnet Product Adapter

L2_PR
FTS
IPCQIPC task for single queue
STP
VPR VP Receive
mv_rx7
DOPRA IDLE
mv_rx6
AAA Authen Account Authorize
ACL Access Control List
ADPT Adapter
AGNTSNMP agent task
AGT6SNMP AGT6 task
ALM Alarm Management
ALS Loss of Signal
AM
Address Management
APP
ASFI
ASFM
BATT Main Task
BFD Bidirection Forwarding
Detect
BOX Output
BPDU Adapter
BTRC
CAPM Capture Packet
Obtaining Alarm Information and Log Information About a High CPU Usage
When CPU usage exceeds the alarm threshold, the system sends an alarm to the NMS and records
key information such as three tasks that consume most CPU resources into system logs. You
can obtain high CPU usage records through alarm information and log information.
l
View alarm information about a high CPU usage.

You can check whether a high CPU usage alarm is generated on the device through the
NMS or using the display trapbuffer command. The related alarm information is as
follows:
ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.14.1 hwCPUUtilizationRising
ENTITYTRAP/4/ENTITYCPUALARM:OID [oid] CPU utilization exceeded the pre-alarm
threshold.(Index=[INTEGER],
EntityPhysicalIndex=[INTEGER], PhysicalName=[OCTET], EntityThresholdType=
[INTEGER], EntityThresholdValue=[INTEGER],
EntityThresholdCurrent=[INTEGER], EntityTrapFaultID=[INTEGER].)
View log information about high CPU usage.

You can view the system log file or run the display logbuffer command to check whether
a high CPU usage log is generated on the device. The related log information is as follows:
VOSCPU/4/CPU_USAGE_HIGH
VOSCPU/4/CPU_USAGE_HIGH:The CPU is overloaded (CpuUsage=[ULONG]%, Threshold=
[ULONG]%), and the tasks with top three
CPU occupancy are: [CPU-resources-usage]
5.1.4.2 Identifying Device Behaviors

After collecting CPU usage of a device, analyze device behaviors when CPU usage becomes
high. Generally, a high CPU usage is related to service processing or abnormal network
environments. When system CPU usage becomes high, you can collect tasks with a high CPU
usage to analyze device behaviors.
Issue 02 (2015-01-20)

202

Maintenance Guide
Collecting the Tasks with a High CPU Usage

Obtain the tasks with a high CPU usage based on the command output in 1.4.1 Obtaining CPU
Usage Information or collected alarm and log information. You are advised to focus on the first
three tasks with the highest CPU usage.
Analyzing Device Behaviors Based on the Task Type

The system provides service functions through tasks. CPU usage of tasks is an indicator of
service functions and an important measure to help you analyze device behaviors. In most cases,
you can focus on the following types of tasks based on service deployment:
l
System idle task

This type of task is a special task in the system. It is named VIDL, has the lowest priority,
and occupies the CPU only when all the other tasks are idle. When a non-idle task needs
to occupy the CPU, the VIDL task cannot occupy the CPU.
CPU usage is the percentage of the amount of time the CPU spends in processing non-idle
tasks. The system calculates the device CPU usage based on the time during which the
VIDL task occupies the CPU. A higher CPU usage of the VIDL task indicates a lower
system CPU usage and idler system.
System management task

This type of task manages system resources and provides the basic mechanism for operating
systems, such as timers and information center. The following describes common system
management tasks that may cause a high CPU usage:
Information center task: includes the BOX task and INFO task. The BOX task outputs
the information stored in black boxes, and the INFO task receives and outputs the logs
and alarms generated by service modules. These tasks provide operating systems with
basic information center functions such as recording logs, alarms, exceptions, and
infinite loops and outputting debugging information. When the device displays a large
amount of debugging information or log information, CPU usage of this type of task
becomes high.
Device management task: includes the DEV task, HOTT task, and SRMI task. The DEV
task manages hardware modules on the device, the HOTT task manages hot swap of
cards, and the SRMI task processes external interruptions related to device components.
These tasks process a variety of device change events and may result in a short-term
high CPU usage during the configuration recovery, active/standby switchover, addition
of new stack members, and installation of subcards. In this situation, services are not
affected. When some device components become faulty, a large number of interruptions
are reported, which may cause CPU usage of the SRMI task to become high.
Inter-device communication task: includes the IPCR task, IPCQ task, and RPCQ task.
The IPCR task sends, receives, and distributes inter-device communication messages,
the IPCQ task retransmits inter-device communication messages that fail to be
transmitted, and the RPCQ task provides the remote procedure calling function. These
tasks implement inter-device management message communication. CPU usage of this
type of task becomes high when a large number of inter-device management messages
are generated, for example, a large number of routes flap, a large number of users get
online concurrently, or a ring network flaps.
Interface management task: includes the IFNT task, IFPD task, and linkscan task. The
IFNT task processes interface status change events, the IFPD task maintains the
interface database and processes interface status change events, and the linkscan task
Issue 02 (2015-01-20)

203

Maintenance Guide
detects the interface link status. These tasks maintain information about current
interfaces and peripheral components (such as optical modules) and interface status and
report interface events to service modules for processing. CPU usage of this type of task
may become high when a large number of interfaces exist, the interface link status flaps,
or optical modules become faulty.
l
Network management task

This type of task provides the network management GUI and monitors as well as manages
the network status. Common tasks that may result in a high CPU usage include:
Network management task: includes the AGNT task, AGT6 task, VTx task, and FTPS
task. The AGNT task provides the IPv4 SNMP function, and the AGT6 task provides
the IPv6 SNMP function. The VTx task is also called VTY user task, which provides
VTY users with the login, authentication, and man-machine interaction functions. x
indicates the login sequence of a user. For example, the task name of the first user is
VT0. The FTPS task provides the FTP service function. These tasks provide the
capability to manage the device through the network. CPU usage of this type of task
may become high for a short time when a large amount of data is printed on a user
terminal, multiple FTP processes download files simultaneously, or the network
management software frequently accesses the device to traverse MIB object
information.
Network monitoring task: includes the NSA task, NQAS task, and NQAC task. The
NSA task provides the NetStream function to monitor service traffic on a network; both
the NQAS and NQAC tasks provide the NQA function to perform simulation tests on
service packets on the live network. These tasks provide the network monitoring
capability and will not result in a high CPU usage in most situations.
Packet receiving/sending task

Packets on a network can be classified into control packets and data packets based on the
function. Because the control plane and forwarding plane are separated on Huawei
switches, control packets and some data packets (such as ARP Miss and multicast RPFFail packets) need to be processed on the control plane of which the processing core is the
CPU. Packets sent from the forwarding plane to the CPU are resolved and distributed by a
series of packet receiving/sending tasks and then processed as well as forwarded by the
device. In this process, tasks such as BCMR, BCMT, MV0 to MV7, FTS, VP, VPR, VPS,
and SOCK need to participate. When a large number of packets are sent to the control plane,
CPU usages of these tasks increase significantly. This is a major cause for high system
CPU usage.
Service protocol task

Service protocol tasks provide most protocol functions on switches. When a network is
stable, service protocol interaction and processing do not introduce a great fluctuation of
CPU usage. When the network frequently changes or even flaps, service protocols need to
perform frequent interaction and calculation to adapt to network environment changes. In
this situation, CPU usage may become high. Common tasks that may result in a high CPU
usage include routing management tasks (such as ROUT and FIB), MAC management
tasks (such as frag_add, frag_del, and MSYN), user management tasks (include DHCP,
EAP, and SAM), and protocol tasks with frequent interaction (such as ARP). The ROUT
task provides routing protocol functions such as BGP, IS-IS, OSPF, and RIP.
Issue 02 (2015-01-20)

204

Maintenance Guide
5.1.4.3 Analyzing the Root Cause

Understanding Major Network Events
A high CPU usage is often caused by internal or external events such as the service configuration,
NMS synchronization, network environment, and apparatus fault. Before determining the root
cause of the high CPU usage, check whether there are major network events according to network
O&M information. The major network events include service migration, link status change,
service adjustment, spare part replacement, NMS synchronization, login of many users, device
alarm, and network flapping. The network O&M information gives a clue to troubleshooting
and reduces the troubleshooting range.
Analyzing the Cause Based on Device Behaviors

Through analysis of device behaviors when the CPU usage becomes high, determine the
immediate cause; through analysis of the network deployment and network environment, locate
the root cause of the high CPU usage. The processes of different tasks are different, so the root
causes of the high CPU usage are also different.
l
System management task

A system management task manages system components and provides basic functions for
other service modules. A high CPU usage of a system management task is often caused by
internal events (such as hardware faults) or triggered by other service modules. When the
high CPU usage is triggered by a service module, analyze the fault based on information
about the service module.
Network management task

A high CPU usage of a network management task is caused by network management events
such as NMS synchronization. The influence lasts for a short time and services are not
affected. Analyze the root cause together with network management events.
Protocol receiving/sending task and service protocol task

The two tasks that cause a high CPU usage often occur simultaneously. Generally, many
protocol packets are sent to the CPU for processing. As a result, the CPU usage becomes
high. Analyze the cause according to the following roadmap:
1.
Determine the packet type.

Different switch models collect statistics on packets sent to the CPU in multiple modes,
including:
l Analyze the type of sent packets according to statistics on packets sent to the CPU
(supported by only the S5310EI, S5300EI, S5300HI, and S6300).
You can run the display cpu-defend statistics all command to check statistics on all
packets sent to the CPU. The statistical value is accumulated continuously. Through
consecutive statistics collection, if the rate of packets of a type sent to the CPU increases
or even the rate exceeds the rate limit, packets of this type cause the high CPU usage.
(You can run the display cpu-defend rate all command to check the collection rate. If
the rate exceeds the rate limit, packets are discarded.) You can run the reset cpu-defend
statistics command to clear statistics. CPU attack defense technology monitors packets
sent to the CPU at intervals of 10 minutes. If the number of packets sent to the CPU
within the detection period exceeds the threshold, the system logs important information
including the packet type, drop packet quantity, and occurrence time. The log format is
as follows:
Issue 02 (2015-01-20)

205

Maintenance Guide
DEFD/4/CPCAR_DROP_MPU:Rate of packets to cpu exceeded the CPCAR limit on the
MPU. (Protocol=[STRING], CIR/CBS=[ULONG]/[ULONG],
ExceededPacketCount=[STRING])
l Determine the type of packets sent to the CPU according to the service module usage.
When many protocol packets are sent to the CPU, the CPU usage of some protocol tasks
becomes high. Determine the packet type according to the CPU usage information of
protocol tasks. The following describes common important protocol tasks.
2.
Task Name
Description
ARP
Implements ARP protocol stack

processing, manages the protocol state
machine, and maintains the ARP-specific
database.
DHCP
Implements DHCP protocol stack

processing and provides the DHCP
snooping and DHCP relay functions.
SNPG
Implements IGMP snooping/MLD

snooping protocol stack processing, and
listens to and processes IGMP and MLD
messages.
ROUT
Is responsible for route selection and

learning of a routing protocol, selects the
optimal route, and delivers routes to the
FIB.
STP
Implements the STP protocol stack,

manages the protocol state machine, and
maintains the STP-specific database.
(Optional) Determine packet characteristics.

If the cause cannot be analyzed based on the packet type and network management events,
obtain packet information through port mirroring or enable debugging to analyze the
characteristics of packets sent to the CPU.
l (Recommended) Obtain packet information through port mirroring.
You can directly obtain the packet information through port mirroring. This mode does
not affect the device CPU usage. It is recommended that mirroring be configured on the
inbound interface of packets sent to the CPU. For details on how to configure port
mirroring on a switch, see S2350EI&S5300 Series Ethernet Switches Configuration
Guide - Mirroring Configuration.
l Enable the debugging.
If mirroring conditions are not met, enable the debugging to obtain the packet
characteristics. Enabling the debugging occupies CPU resources. In addition, much
debugging information during fault location will aggravate the high CPU usage.
Exercise caution when you enable the debugging.
a.
Issue 02 (2015-01-20)
(Optional) Define ACLs to filter packets.

206

Maintenance Guide
To filter debugging information at the IP layer, specify ACLs in debugging commands

to filter debugging information.
b.
Enable debugging at corresponding layers.

Common debugging information includes debugging information at the IP and link
layers.
Debugging information at the IP layer: You can run the debugging ip packet
command to enable the debugging at the IP layer. This command can display
debugging information based on the ACL.
Debugging information at the link layer: You can run the debugging ethernet
packet command to enable the debugging at the link layer. This command can display
debugging information based on the packet type and interface.
c.
Enable information display and debugging on a terminal.

Run the terminal monitor and terminal debugging commands to view debugging
information on a terminal.
3.
Analyze the root cause.

You can obtain the immediate cause of the high CPU usage according to the packet type
and characteristics. Further analyze the root cause and take troubleshooting measures based
on the immediate cause. Common root causes include protocol flapping, network loops,
network attacks, and concurrent services. For detailed troubleshooting measures, see
5.1.4.4 Common Causes of and Solution to a High CPU Usage.
5.1.4.4 Common Causes of and Solution to a High CPU Usage

Hardware Fault
When the switch hardware is faulty, components may report many interruption messages. As a
result, the CPU usage becomes high.
Fault Location
If a hardware fault causes a high CPU usage, the tasks that process interruption messages, for
example, SRMI, SRMR, and BCMDPC tasks, occupy high CPU usage. That is, if the CPU usage
is high and the preceding tasks occupy more CPU resources, the hardware may fail.
Suggestion
Manually reset the device with a high CPU usage. You are advised to power off the device with
a high CPU usage. If the fault persists after restart, contact Huawei technical support personnel.
Network Environment
Network environment factors such as network flapping, loops, and attacks often cause a high
CPU usage. Take different measures depending on causes:
l
Network flapping
When network flapping occurs, the network topology changes frequently. The device is
busy in processing network switching events, causing a high CPU usage. Common network
flapping includes STP flapping and routing protocol flapping:
STP flapping
Issue 02 (2015-01-20)

207

Maintenance Guide
STP flapping occurs on Layer 2 networks. When STP flapping occurs frequently, the
device needs to perform STP calculation continuously. The forwarding tables such as
MAC address tables and ARP tables are updated accordingly, causing a high CPU usage.
Fault Location
- When you doubt that frequent STP flapping occurs on a network, run the display stp
topology-change command to check STP topology change information.
- When you determine that there is frequent network topology change, run the display
stp tc-bpdu statistics command to check the statistics on received TC BPDUs to
determine the source of the TC BPDUs.
- Find the device that sends TC BPDUs according to the source of the TC BPDUs, and
analyze the STP topology change cause according to network management events and
system logs on the device.
Suggestion
- If the user-side interface Up/Down event causes the STP topology change, run the stp
edged-port enable command in the interface view to configure the user-side interface
as the edge port and run the stp bpdu-protection command to enable BPDU protection.
- If the root bridge is preempted, run the stp root-protection command on the expected
root port to enable root protection, ensuring that the STP topology is correct.
- If TC BPDUs are used to attack a network, run the stp tc-protection command on the
attacked port to enabled TC protection to reduce the impact of the attack on the device.
- If the topology change cause cannot be located or the fault persists after the preceding
measures are taken, contact Huawei technical support personnel.
Routing protocol flapping
Routing protocol flapping will cause routing information readvertisement and routing
table recalculation. This affects the CPU usage. In practice, OSPF is often used on the
switch to manage dynamic routing information.
Fault Location
Check the cause for the OSPF neighbor Down event according to logs. Run the display
logbuffer command to check the following log:
OSPF/3/NBR_DOWN_REASON:Neighbor state leaves full or changed to Down.
(ProcessId=[USHORT], NeighborRouterId=[IPADDR],
NeighborAreaId=[ULONG], NeighborInterface=[STRING],NeighborDownImmediate
reason=[STRING], NeighborDownPrimeReason=[STRING],
NeighborChangeTime=[STRING])
The NeighborDownImmediate reason parameter indicates the cause for the OSPF
neighbor Down event. The causes are as follows:
- Neighbor Down Due to Inactivity: The device does not receive Hello packets within
the dead time from the neighbor.
- Neighbor Down Due to Kill Neighbor: The device interface used to establish the OSPF
neighbor relationship becomes Down, the BFD session becomes Down, or the reset
ospf process command is executed. You can view the NeighborDownPrimeReason
parameter to determine the detailed cause.
- Neighbor Down Due to 1-Wayhello Received or Neighbor Down Due to
SequenceNum Mismatch: The OSPF status of the remote device first goes Down and
the remote device sends a 1-Wayhello packet to the local device. As a result, the OSPF
status of the local device also becomes Down. In this situation, check whether the fault
is caused by the remote device.
Issue 02 (2015-01-20)

208

Maintenance Guide
Suggestion
The common causes for the OSPF neighbor Down event contain interface flapping and
flooding of many LSAs. Take different measures depending on causes.
- Interface link flapping
The interface link flapping causes the OSPF neighbor relationship flapping. Check the
interface Up/Down event in logs. If the interface link flapping occurs, check the link of
the interface.
- Flooding of many LSAs
When many LSAs are flooded, many LS UPDATE messages are generated on the
network. The device is busy in processing LS UPDATE messages. As a result, Hello
packets cannot be processed in a timely manner and the OSPF status becomes Down.
You are advised to perform the following operations:
If the dead time of the OSPF neighbor relationship is smaller than 20s, run the ospf
timer dead interval command to change the dead time to a value larger than 20s.
Run the sham-hello enable command in the OSPF view to enable the Sham-Hello
function. That is, the device is allowed to maintain the OSPF neighbor relationship by
sending non-Hello packets such as LSUs.
If the fault persists after the preceding measures are taken, contact Huawei technical
support personnel.
l
Network loops
When network loops occur, MAC address flapping frequently occurs and many protocol
packets are sent to the device for processing due to broadcast storms. As a result, the CPU
usage becomes high.
Fault Location
Network loops cause broadcast storms and may also lead to the following problems:
Users cannot log in to the device remotely.
The display interface command output shows a large number of broadcast packets
received on one or more interfaces.
It takes a long time to log in to the device from the serial port.
The device CPU usage exceeds 70%.
A large number of ICMP packets are lost in ping tests.
Indicators of interfaces in the VLAN where a loop has occurred blink at a higher
frequency than usual.
PCs receive many broadcast packets.
MAC address flapping frequently occurs.
Loop alarms are generated when loop detection is enabled.
Suggestion
Issue 02 (2015-01-20)
1.
Determine the interface where broadcast storms occur according to the interface
indicator status and traffic.
2.
Check devices where loops occur hop by hop according to the topology.
3.
Locate the interface where a loop occurs and remove the loop.
4.
If the fault persists after the preceding measures are taken, contact Huawei technical
support personnel.
209

Maintenance Guide
Network attacks
Network hosts or devices send many abnormal exchange requests to attack other network
devices, affecting the security and service running of the network devices. When network
attacks occur, the device is busy in processing abnormal exchange requests from the attack
source. As a result, the CPU usage becomes high.
Fault Location
The network attacks causing a high CPU usage include ARP packet attacks, ARP Miss
packet attacks, DHCP attacks, and BPDU attacks. In these attacks, many protocol packets
are sent to the device, so you can view statistics on such protocol packets on the device.
ARP packet attacks and ARP Miss packet attacks
Run the display arp packet statistics command to check statistics on ARP packets and
focus on values of ARP Pkt Received and ARP-Miss Msg Received. Determine the
network attack type according to the statistics.
NOTE
In a stack scenario, the display arp packet statistics command displays only the statistics on
ARP packets on the master switch.
Run the debugging arp packet command to enable ARP packet debugging. Check the
source of a large number of sent ARP or ARP Miss packets.
DHCP attacks
Run the display dhcp statistics command to check the statistics on DHCP packets. If
DHCP packets are sent at higher speed, DHCP attacks occur.
TC BPDU attacks
See the fault location in "STP flapping."
Suggestion
If ARP packet attacks, ARP Miss packet attacks, and DHCP attacks occur, enable
automatic attack source tracing to detect attacks.
If TC BPDU attacks occur, see the suggestions in "STP flapping."
Concurrent Services
The impact of many concurrent services on the CPU usage is similar to the impact of network
attacks on the CPU usage, and the fault scenario is also similar (many users go online and many
ARP and DHCP packets are exchanged). The difference is that protocol packets for concurrent
services are normal and protocol packets for network attacks are malicious ones. The fault
location is similar, but the processing is different.
Fault Location
See the fault location in "Network attacks."
Suggestion
l
Adjust service deployment and migrate some hosts or services to other devices.
Reduce the CPCAR value of some protocol packets. This adjustment may reduce the user
login rate. Exercise caution when you perform this operation.
Contact Huawei technical support personnel.
Issue 02 (2015-01-20)

210

Maintenance Guide
User Operations
Generally, when NMS synchronization operations are performed or many command outputs are
delivered to terminals, the CPU usage becomes high. In this case, network management events
occur.
Fault Location
Collect the CPU usage of each task in the case of a high CPU usage. When AGNT or AGT6
tasks occupy a high CPU usage, NMS synchronization operations result in the fault. When VT
tasks occupy a high CPU usage, delivering many command outputs to terminals causes this fault.
Suggestion
The high CPU usage caused by user operations does not last for a long period of time and services
are not affected. If user network management operations are appropriate and do not affect
services, this situation can be ignored. If the CPU usage becomes high continuously or services
are affected, contact Huawei technical support personnel.
5.1.5 Recommended Configuration

This topic describes the recommended configuration in some special scenarios to avoid a high
CPU usage.
l
Port group feature: When a port group has more than 40 member ports, adding these member
ports to 4096 VLANs in batches may cause CPU usage to exceed 80% in a short period.
Therefore, you are advised to add the member ports to no more than 500 VLANs in batches.
LNP feature: When the type of more than 20 ports is changed in batches, CPU usage may
exceed 80% in a short period. Therefore, you are advised to change the type of ports one
by one.
MAC feature: Frequent MAC address flapping may result in a high CPU usage. When
MAC address flapping may occur frequently, you are advised to run the mac-address
flapping action error-down command to set the action to be performed on the interface
where MAC address flapping occurs to error-down.
Loopback detection feature: When the ports on which loopback detection is enabled are
added to a total of more than 1024 VLANs, you are advised to run the loopback-detect
action shutdown command to shut down the ports on which loops are detected. The VLAN
counter increases by 1 every time a port is added to a VLAN, even when multiple ports are
added to the same VLAN.
5.1.6 Common Information

This topic describes commands, CPU tasks, and network management OID related to CPU
usage.
Command
Issue 02 (2015-01-20)
Syntax
Function
display cpu-usage [ slave | slot slot-id ]
Display CPU usage.

211

Maintenance Guide
Syntax
Function
display logbuffer [ size value | slot slot-id |

module module-name | security | level
{ severity | level } ] *
Display log information on the device.
display trapbuffer [ size value ]
Display alarm information on the device.
display cpu-defend rate [ packet-type

packet-type ] [ slot slot-id | all ]
Display the rate at which protocol packets are

sent to the CPU.
display cpu-defend statistics [ packet-type

packet-type ] [ slot slot-id | all ]
Display statistics on the protocol packets sent

to the CPU.
display stp [ process process-id ] [ instance

instance-id ] topology-change
Display STP topology changes.
display stp [ process process-id ] [ instance

instance-id ] [ interface interface-type
interface-number | slot slot-id ] tc-bpdu
statistics
Display STP TC BPDU statistics.
display arp packet statistics
Display ARP packet statistics.
display dhcp statistics
Display DHCP packet statistics.
CPU Task Names and Functions

l
BUFM: Output debugging information.
1731: Implement the Y.1731 protocol stack, manage the protocol state machine, and
maintain protocol databases.
_EXC: Process system exception events.
_TIL: Monitor and process deadloops caused by software errors.
AAA: Interact with modules such as the UCM and RADIUS modules, process user
authentication messages, and maintain authentication and authorization entries.
ACL: Access control list.
ADPG: Maintain dynamic VLAN chip entries at the adaptation layer.
ADPT: Implement the EFM protocol, manage the protocol state machine, and maintain
protocol databases.
age_task: Age MAC entries.
AGNT: Implement the IPv4 SNMP protocol.
AGT6: Implement the IPv6 SNMP protocol.
ALM: Add, clear, and manage alarm information.
ALS: Implement automatic laser shutdown.
AM: Manage IP address pools and addresses and manage IP addresses for the DHCP
module.
APP: Schedule Layer 3 services in a unified manner.
Issue 02 (2015-01-20)

212

Maintenance Guide
ARP: Implement the ARP protocol, manage the protocol state machine, and maintain
protocol databases.
au_msg_hnd: Process AU messages. MAC entry learning and issuing are implemented
using AU messages.
bcmC: Collect packet statistics on chip interface.
bcmD: Process asynchronous message of chip's driver software.
bcmR: Receive packets from the chip.
bcmT: Send packets to the chip.
bcmX: Send packets asynchronously to the chip of a certain type.
bcmL2MOD.0: Learn MAC address entries.
BEAT: Send and receive heartbeat packets between boards to monitor inter-board
communication.
BFD: Implement the BFD protocol, manage the protocol state machine, and maintain
protocol databases.
bmLI: Scan port status and notify the application modules of status changes.
BOX: Output the data stored in a black box. A black box stores the error and exception
information generated during device operation.
BULK_CLASS: Manage the USB flash drive (operating system task).
BULK_CLASS_IRP: Manage USB I/O request packets (operating system task).
BusM A: Manage USB bus (operating system task).
CCTL: Collect and schedule performance data in a batch.
CDM: Manage configuration data.
CFM: Restore configurations.
CHAL: Adapt to hardware.
CKDV: Control and manage clock card.
CMD_Switching: Listen to the socket.
CMDA: Execute commands in a batch.
cmdExec: Execute commands.
CSBR: Check the configuration consistency between master and slave boards.
CSPF: Implement the CSPF protocol and calculate paths.
CssC: Process stack events.
CSSM: Implement the stack protocol and manage the stack status.
DEFD: Monitor traffic sent to the CPU and maintain CPU protection data.
DELM: Enable STP to delete MAC entries.
DEV: Manage hardware modules on the device.
DEVA: Process hot swapping events of subcards.
DFSU: Load logic files.
DHCP: Process the DHCP protocol and implement DHCP snooping and DHCP relay.
DLDP: Implement the DLDP protocol, manage the protocol state machine, and maintain
protocol databases.
Issue 02 (2015-01-20)

213

Maintenance Guide
DSMS: Process environment alarms generated by the environment monitoring system.
EAP: Implement 802.1x authentication, MAC address authentication, and MAC address
bypass authentication, manage the protocol state machine, and maintain protocol databases.
Ecm: Manage communication between low-level boards.
ECM: Implement communication between low-level boards.
EFMT: Send 802.3ah test packets.
EHCD_IH: USB host controller driver task (operating system task).
ELAB: Manage device electronic labels.
EOAM: Implement the EOAM 802.1ag protocol, manage the protocol state machine, and
Eout: Output debugging information about the ECM task.
FBUF: Send packets.
FCAT: Capture the packets sent or received by the CPU for fault location.
FECD: Process MOD synchronization messages.
FIB: Generate IPv4 forwarding entries on the MPU and issue the entries to LPUs.
FIB6: Manage IPv6 FIB entries, maintain software entries, and request the application layer
to maintain chip entries.
FM93: Output fault information.
FMAT: Manage faults.
FMCK: Detect device faults.
FMON: Monitor logic card faults.
frag_add: Synchronize MAC entries from the hardware table to the software table, walk
through the hardware table, and add the MAC entries that do not exist in the software table
to the software table.
frag_del: Synchronize MAC entries from the hardware table to the software table, walk
through the software table, and delete the MAC entries that do not exist in the hardware
table from the software table.
FTPS: Provide FTP service.
FTS: Receive packets. This task is created by FECD. After the driver receives packets, it
sends the packets to the FTS task for processing if these packets are not sent to the super
task for processing.
GREP: Manage chip's GRE forwarding entries at the adaptation layer.
GTL: Manage common data such as memory and character strings.
GVRP: Implement the GVRP protocol, manage the protocol state machine, and maintain
protocol databases.
HACK: Process HA response messages.
HOTT: Manage hot swapping events of LPUs.
HS2M: Synchronize data between the master and slave MPUs to ensure high reliability.
IFNT: Process interface status changes.
IFPD: Implement interface management, maintain interface data, and process interface
status changes.
Issue 02 (2015-01-20)

214

Maintenance Guide
INFO: Receive and send logs, alarms, and debugging information generated by service
modules.
IP: Schedule IP protocol tasks in a unified manner.
IPCQ: Retransmit IPC messages upon message transmission failures.
IPCR: Send, receive, and distribute IPC messages to related service modules.
IPMC: Adapt to Layer 3 multicast protocols, monitor the control plane changes, and issue
forwarding entries.
ITSK: Send, receive, and distribute various protocol packets.
L2: Schedule Layer 2 services in a unified manner.
L2MC: Listen to IGMP/MLD packets on LPUs and implement fast join/leave of channels.
L3I4: Issue IPv4 unicast forwarding entries on LPUs.
L3IO: Issue entries of Layer 3 protocols, such as URPF and VRRP, on LPUs.
L3M4: Adapt to the ARP protocol on the MPU, issue IPv4 unicast forwarding entries, and
respond to the changes at the control plane.
L3MB: Adapt to Layer 3 protocols on the MPU such as URPF and VRRP, and issue
forwarding entries.
LACP: Implement the LACP protocol stack, manage the protocol state machine, and
LCS: Manage licenses.
LCSP: Load authorized features allowed by the license.
LDRV: Synchronize software versions between master and slave boards.
LDT: Implement the LDT protocol, manage the protocol state machine, and maintain
protocol databases.
LHAL: Provide hardware adaptation for LPUs to shield hardware difference.
LINK: Schedule link layer tasks in a unified manner.
linkscan: Detect the port link status.
LLDP: Implement the LLDP protocol, manage the protocol state machine, and maintain
protocol databases.
LOAD: Load mirrored version files and patch packages on LPUs.
LSPA: Maintain LSP forwarding entries and request the application-layer to maintain chip
entries.
LSPM: Create, update, and delete LSPs.
MCSW: Adapt to the Layer 3 multicast protocol, respond to the changes at the control
plane, and issue forwarding entries.
MERX: Process the packets received on the management interface.
MFF: Implement MFF.
MFIB: Manage Layer 3 multicast forwarding entries.
MIRR: Implement port mirroring.
MOD: Manage, allocate, and reclaim board numbers.
MSYN: Synchronize MAC address entries between boards.
MTR: Implement scheduled statistics on memory usage.
Issue 02 (2015-01-20)

215

Maintenance Guide
mv_rx0: Process the packets in queue 0 of the CPU.
NDIO: Issue IPv6 unicast forwarding entries on LPUs.
NDMB: Adapt to the ND protocol on the MPU, issue IPv6 unicast forwarding entries, and
respond to the changes at the control plane.
NQAC: Respond to and process NQA packets as an NQA client.
NQAS: Respond to and process NQA events and packets as an NQA server.
NSA: Manage chip entries at the VRP NetStream adaptation layer.
NTPT: Implement the NTP protocol, manage the protocol state machine, and maintain
protocol databases.
OAM1: Adapt to the OAM 802.1ag protocol, respond to protocol-layer changes, and
process the changes at the forwarding plane.
OAMI: Process packets received from logic cards.
OAMT: This is a task at the adaptation layer. Respond to protocol changes and maintain
chip entries.
OS: Operating system.
PING: Quickly respond to ping packets.
PNGI: Provide the fast ping operation on LPUs and fast respond to the ping operation.
PNGM: Provide the fast ping operation on MPUs and fast respond to the ping operation.
Port: Process chip debugging commands.
port_statistics: Collect port statistics.
PPI: This is a task at the adaptation layer. Maintain chip interface status.
PTAL: Implement redirection authentication, authentication and authorization, manage the

protocol state machine, and maintain protocol databases.
QOSA: Manage QoS configurations and maintain chip entries.
QOSB: Issue QoS entries on LPUs and maintain issued QoS entries.
RACL: Create session table entries based on TCP/UDP/ICMP initial packet, and monitor
and age out session table entries.
RDS: Implement the RADIUS protocol, manage the protocol state machine, and maintain
protocol databases.
RMON: Monitor system remotely.
root: System root task.
ROUT: Implement routing and route learning, select the optimal route, and issue FIB
entries.
RPCQ: Invoke remote procedures.
Issue 02 (2015-01-20)

216

Maintenance Guide
RRPP: Implement the RRPP protocol on LPUs, detect interface status quickly, and issue
hardware entries.
RSA: Calculate the RSA key.
RTMR: Manage scheduled tasks.
SAM: Issue service entries to LPUs and maintain issued entries.
SAPP: Manage application layer's protocol dictionary and whitelist, maintain software
entries and request the adaptation layer to set chip status.
SDKD: Detect the status of the interface connected to the backplane and collect the packet
rate on the interface.
SDKE: Display related LSW chip entries.
SECB: Issue security entries to LPUs and maintain issued security entries.
SECE: Implement functions such as ARP, IP, and CPU security functions, manage the
protocol state machine, and maintain protocol databases.
SERVER: TCP/IP server task.
SFPM: Query manufacturer information and digital diagnosis information of optical

modules.
SIMC: Simulate CPU usage faults.
SLAG: Implement E-Trunk.
SMAG: Smart link agent. Fast detect and process port status changes.
SMLK: Implement the SmartLink protocol, manage the protocol state machine, and
smsL: Load the environment monitoring module.
smsR: Send environment monitoring requests.
smsT: Send packets for the environment monitoring system.
SNPG: Listen to and process IGMP and MLD protocol packets.
SOCK: Schedule and process IP packets.
SRM: Manage devices.
SRMI: Process external interruptions.
SRMT: Device management timer.
SRVC: Process DHCP packets related to IP sessions, and interact with the user management
and authentication and authorization module to carry out authorization and accounting.
STFW: Implement super forwarding and maintain forwarding entries in the trunk memory.
STND: Help the operating system to schedule tasks and events.
STP: Implement the STP protocol stack, manage the protocol state machine, and maintain
protocol databases.
STRA: Monitor and identify attack traffic and punish attack source.
STRB: Monitor LPUs and identify attack traffic.
SUPP: Process interruption messages and timer messages in the device management
module.
t1: Implement the temporary task (operating system task).
Issue 02 (2015-01-20)

217

Maintenance Guide
TACH: Implement the HWTACACS protocol, manage the protocol state machine, and
TAD: Transmit alarms.
TARP: Process alarm information.
tBulkClnt: USB insertion and removal driver management task (operating system task).
TCPKEEPALIVE: Keep the TCP connection.
TCTL: Control the upload of performance data collected in a batch.
tDcacheUpd: Update the disk cache (operating system task).
tExcTask: Process exceptions (operating system task).
TICK: Process the system timer task.
tLogTask: Process log tasks (operating system task).
TM: Maintain access service entries and chip entries.
tNetTask: Process network-related tasks (operating system task).
TNLM: Manage tunnels.
TNQA: Schedule NQA client tasks in a unified manner.
TRAP: Process alarm information.
tRlogind: Log in to the virtual terminal remotely (operating system task).
tTelnetd: Process the Telnet server task (operating system task).
TTNQ: Schedule NQA server tasks in a unified manner.
tUsbPgs: USB insertion and removal device management task (operating system task).
tWdbTask: Debugging task (operating system task).
U 34: Process user's commands.
UCM: Interact with the AAA module, process user status, and maintain user tables.
UDPH: UDP helper.
USB: Upgrade the version using the USB flash drive.
usbPegasusLib: USB hot LIB (operating system task).
usbPegasusLib_IRP: USB host I/O request LIB (operating system task).
UTSK: Optimize protocol processing and ensure the high priority of protocol packets.
VCON: Redirect traffic at the LPU's serial port.
VFS: Manage the virtual file system.
VIDL: Collect statistics on CPU usage of idle tasks.
VMON: Monitor task execution.
VP: Receive and sent VP packets between boards.
VPR: Receive VP packets between boards.
VPRE: Process VP messages.
VPS: Send VP packets between boards.
VRPT: Timer test task.
VRRP: Implement the VRRP protocol stack, manage the protocol state machine, and
Issue 02 (2015-01-20)

218

Maintenance Guide
VT: Process the virtual terminal task.
VT0: Authenticate the first login user and process the user's commands.
VTRU: Process Vtrunk Up/Down events.
VTYD: Process login requests of all users.
WEB: Implement Web authentication.
WEBS: Allow users to log in to the device through Web.
XMON: Monitor system task running.
XQOS: QoS task.
Network Management OIDs Related to CPU Usage

Object Name
Object OID
Data Type
Description
Implemented
Specifications
hwEntityCpuUs
age
1.3.6.1.4.1.2011
.
5.25.31.1.1.1.1.
5
Integer32
This object
indicates CPU
usage.
read-only
1.3.6.1.4.1.2011
.
5.25.31.1.1.1.1.
6
Integer32
hwEntityCpuUs
ageThreshold
The value
ranges from 2 to
100.
This object
indicates the
CPU usage
threshold.
read-write
The value
ranges from 2 to
100.
The default
value is 95.
5.2 Ping and Tracert

5.2.1 Ping
5.2.2 Why Cannot I Ping a Device
5.2.3 Why Ping Packets Are Lost
5.2.4 Why Ping Packets Are Delayed
5.2.5 Tracert
5.2.6 Applications
Issue 02 (2015-01-20)

219

Maintenance Guide
5.2.1 Ping
Ping Overview
Ping is a common method used to test whether a device is reachable. It uses a series of Internet
Control Message Protocol (ICMP) packets to determine:
l
Whether a remote device is reachable.
Whether packets have been lost during remote access.
The round-trip delay in communication between the local and remote devices.
Ping Implementation
Figure 5-2 Ping process
Figure 5-2 shows the ping implementation process. SwitchA sends an ICMP Echo Request
packet to SwitchB. After receiving the Echo Request packet, SwitchB sends an ICMP Echo
Reply packet. The ping process is complete when SwitchA receives the Echo Reply packet.
The ping process is successful only when the following requirements are met:
l
The Echo Request packet sent by the source reaches the destination.
The Echo Reply packet sent by the destination reaches the source within a predetermined
timeout period. On a switch, the default timeout period is 2000 ms.
Ping Command Format

Ping Command Supported on a Device
NOTE
This document provides descriptions for only the commonly used parameters of the ping command. For
more information, including usage of supported ping commands, see the S2750EI&S5700 Series Ethernet
Switches Command Reference.
ping [ -a source-ip-address | -i interface-type interface-number | -m time | -c count | -f | -h ttlvalue | { -s packetsize | -range [ min min-size | max max-size | step step-size ] * } | -t timeout ]
*host
Issue 02 (2015-01-20)

220

Maintenance Guide
-a: specifies a source IP address for sending ICMP Echo Request packets. If this parameter
is not specified, the device uses the IP address of the outbound interface as the source IP
address of outgoing Echo Request packets.
-i: specifies an interface for sending ICMP Echo Request packets. If this parameter is not
specified, the device uses the default outbound interface to send Echo Request packets.
-m: specifies the interval for sending Echo Request packets. The default value is 500 ms.
-c: specifies the number of Echo Request packets to be sent. The default value is 5. You
can increase the number of outgoing Echo Request packets to obtain the packet loss ratio,
and further evaluate network quality.
-f: indicates that packets are not fragmented. After this parameter is specified, ICMP packets
are not fragmented. If the ICMP packet size exceeds the link MTU, the ICMP packet is
discarded. If you do not want ICMP packets to be discarded, do not specify this parameter
or increase the link MTU.
-h: specifies the time to live (TTL) value. The default value is 255. If the value of the TTL
field is reduced to 0 during packet forwarding, the device sends an ICMP Timeout packet
to the source, indicating that the destination is unreachable.
-s: specifies the length of an ICMP Echo Request packet (excluding the IP packet header
and ICMP packet header). The default packet length is 56 bytes.
-range: specifies the length of an ICMP Echo Request packet (excluding the IP packet
header and ICMP packet header) and the packet length increment (step). If this parameter
is specified, the length of the first packet is min, and the length of subsequent packets
increases by step until the packet length reaches the maximum value max. By default,
min is 56 bytes, max is 9600 bytes, and step is 1 byte.
min: specifies the minimum length of the payload in an ICMP Echo Request packet. The
default value is 56 bytes.
max: specifies the maximum length of the payload in an ICMP Echo Request packet. The
default value is 9600 bytes.
step: specifies the packet length increment. The default value is 1 byte.
-t: specifies the timeout period for an ICMP Echo Reply packet. The default value is 2000
ms. The device considers that the destination is unreachable if it does not receive an ICMP
Echo Reply packet within the timeout period. You can set this parameter to a larger value
to compensate for poor network quality.
host: specifies the domain name or IP address of the destination host.
The ping command provides a series of parameters. You can select different parameters by
factors such as the detection purpose, network type, and network status.
Ping Command Supported on a PC
The ping command differs on PCs running different operating systems. The following describes
the commonly used ping parameters supported on a Windows-based PC.
ping [ -a | -n number | -l number | -t | -f ] *ip-address
l
-a: indicates that the PC resolves an IP address to a host name.
-n: specifies the number of Echo Request packets to be sent.
-l: specifies the buffer size.
Issue 02 (2015-01-20)

221

Maintenance Guide
-t: indicates that the ping process continues until manual operations are performed. You
can press Ctrl+Break to pause the ping command and view the statistics, or press Ctrl
+C to terminate the running of the ping command.
-f: indicates that packets are not fragmented.
ip-address: specifies the IP address of the destination host.
Ping Example
The following describes ping commands on a switch.
l
Example of ping failure:

<SwitchA> ping 192.168.2.25
PING 192.168.2.25: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time
out
Request time out
Request time out
--- 192.168.2.25 ping statistics --5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Example of ping success:

<SwitchA> ping -a 192.168.2.20 -c 7 -s 2048 192.168.2.21
PING 192.168.2.21: 2048 data bytes, press CTRL_C to
break
Reply from 192.168.2.21: bytes=2048 Sequence=1 ttl=255
time=24 ms
time=6 ms
time=13 ms
time=6 ms
time=12 ms
time=6 ms
time=13 ms

0.00% packet loss
round-trip min/avg/max = 6/11/24 ms
Table 5-2 Description of the ping command output

Item
Description
PING 192.168.2.21: 2048 data bytes, press

CTRL_C to break
Operation description of the ping command.

l Destination IP address.
l Length of Echo Request packets.
l Press Ctrl+C to terminate the ping
operation.
Issue 02 (2015-01-20)

222

Maintenance Guide
Item
Description
Reply from 192.168.2.21
Response from the destination host to each

Echo Request packet.
l bytes: indicates the length of the ICMP
Echo Reply packet.
l sequence: indicates the sequence number
of the ICMP Echo Reply packet.
l ttl: indicates the TTL value of the ICMP
Echo Reply packet.
l time: indicates the response time, in
milliseconds.
If no ICMP Echo Reply packet is received
before the timeout period expires, "Request
time out" is displayed.
192.168.2.21 ping statistics
Statistics collected after the ping test on the

destination host is complete.
l packet(s) transmitted: indicates the
number of sent Echo Request packets.
l packet(s) received: indicates the number
of received Echo Request packets.
l % packet loss: indicates the percentage of
packets with no responses against total
packets sent.
l round-trip min/avg/max: indicates the
minimum, average, and maximum roundtrip delay, in milliseconds. The
information is not displayed when a ping
fails.
5.2.2 Why Cannot I Ping a Device

NOTE
The ping failure troubleshooting in this document is based on lab environment. Device faults are simulated
in the lab according to the networking diagrams for fault location. If you perform the ping tests on a live
network where devices are configured, ensure that you know potential impacts on the configurations.
In this document, only ping packets are obtained for fault analysis; therefore, private communication data
is not collected or stored. If you need to obtain packets carrying private data on a live network, ensure that
appropriate measures be taken to protect data privacy.

5.2.2.2 Incorrect Computer Settings
5.2.2.3 Physical Link Fault
5.2.2.4 ARP Issue
Issue 02 (2015-01-20)

223

Maintenance Guide
5.2.2.5 VLAN Issue

5.2.2.6 Routing Issue
5.2.2.7 Access Control Issue

Fault Analysis
A ping failure refers to the failure to receiving any ping response packet for reasons such as link
connection fault or ARP learning failure.
When a ping failure occurs, determine the location where the fault occurs, analyze cause of the
fault, and then rectify the fault accordingly.
l
Segment-by-segment ping can be used to determine the location where the fault occurs,
reducing the fault range to a network segment.
Traffic statistics collection or packet capturing can be used to analyze cause of a ping failure.
You can analyze collected packet statistics or obtained packet information to find the cause
of the fault and then rectify the fault correspondingly.
Many issues can lead to a ping failure; therefore, you need to take various factors into
consideration during actual troubleshooting. Based on analysis of frequently occurred ping
failures, common causes of ping failure are as follows:
l
Incorrect computer settings
Physical link fault
ARP issue
VLAN issue
Routing issue
Access control issue

NOTE
A ping failure can be regarded as severe ping packet loss. For details on how to troubleshoot a ping packet
loss, see Why Ping Packets Are Lost.
Fault Location
The following example shown in Figure 5-3 describes how to locate a ping failure.
Figure 5-3 Ping test networking
Issue 02 (2015-01-20)

224

Maintenance Guide
Fault Description
C:\Users> ping 192.168.4.41
Pinging 192.168.4.41 with 32 bytes of data:
Request timed out.
Request timed out.
...
Ping statistics for 192.168.4.41:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Troubleshoot a fault according to possible causes of the fault. The troubleshooting process is as
follows:
1.
Check the ping operation.

First, check whether the ping command is correctly used. For example, a ping failure may
occur if the size of ping packets exceeds the MTU on the outbound interface, but packet
fragmentation is not allowed. Secondly, check whether the destination address is correct.
A ping failure occurs when the destination address is incorrect. For details on the ping
command usage, see Ping.
2.
Narrow down the fault range.

When the PC fails to ping the IP address 192.168.4.41, it is difficult to find the cause of
the fault. In this case, you need to narrow down the fault range. Ping SwitchA, SwitchB,
SwitchC, and SwitchD from the PC. If you still cannot locate the network segment where
the fault occurs, ping SwitchB, SwitchC, and SwitchD from SwitchA, and so on. Stop the
ping operation when you can determine the problematic network segment.
3.
Check the link and configuration.

After determining the problematic network segment, check the physical environment first.
The check items include device interfaces, physical cables, cable connections, and optical
modules. After that, check common configurations, including interface configuration,
VLAN configuration, and IP addresses.
If you find an exception, rectify it timely and perform a ping test again. If the fault persists,
further fault location is required.
4.
Locate the fault.

# Assume that the PC fails to ping the IP address 192.168.1.10 of SwitchA. (A ping failure
on a directly connected network segment can be located using a similar method.)
Capture packets on the PC, and capture packets or collect packet statistics on SwitchA.
Perform ping operations on the PC and SwitchA respectively to view packet information
or traffic statistics.
NOTE
For details on how to configure traffic statistics collection and packet capturing, see References.
If the switches do not provide the packet capturing function, obtain third-party packet capturing software
and install it. For details on how to use the software, see the related software use guide.
If the PC fails to obtain packet information but SwitchA obtains packet information, the
computer settings are incorrect. Refer to Incorrect Computer Settings for the handling
method for the fault.
If neither the PC nor SwitchA obtains packet information, the physical link is faulty. Refer
to Physical Link Fault for the handling method for the fault.
Issue 02 (2015-01-20)

225

Maintenance Guide
If both the PC and SwitchA can only obtain ARP request packets, the fault is caused by an
ARP issue, a VLAN issue, or an access control issue. Refer to ARP Issue, VLAN Issue,
or Access Control Issue for the handling method for the fault.
If both the PC and SwitchA can correctly obtain ARP packets but not ICMP packets, the
fault is caused by an access control issue. Refer to Access Control Issue for the handling
method for the fault.
NOTE
All the above are common methods for fault location. On an actual network, you should troubleshoot a
fault by checking all the possible causes: Incorrect Computer Settings, Physical Link Fault, ARP
Issue, VLAN Issue, and Access Control Issue.
# Assume that the PC can successfully ping the IP address 192.168.1.10 of SwitchA but fails to
ping the IP address 192.168.2.21 of SwitchB. In addition, SwitchA can successfully ping the IP
address 192.168.2.21 of SwitchB.
The ping failure is caused by a routing issue. Refer to Routing Issue for the handling method
for the fault.
References
If you want to configure traffic statistics collection on the switches, refer to the following
configuration.
l
Traffic statistics collection of ICMP packets (SwitchA is used as an example.)
# Configure SwitchA to collect statistics about incoming packets.

1.
Configure an ACL rule.

<SwitchA> system-view
[SwitchA] acl number 3000
[SwitchA-acl-adv-3000] rule permit icmp source 192.168.2.21 0 destination
192.168.2.20 0
[SwitchA-acl-adv-3000] quit
2.
Configure a traffic classifier.

[SwitchA] traffic classifier 3000
[SwitchA-classifier-3000] if-match acl 3000
[SwitchA-classifier-3000] quit
3.
Configure a traffic behavior.

[SwitchA] traffic behavior 3000
[SwitchA-behavior-3000] statistic enable
[SwitchA-behavior-3000] quit
4.
Configure a traffic policy.

[SwitchA] traffic policy 3000
[SwitchA-trafficpolicy-3000] classifier 3000 behavior 3000
[SwitchA-trafficpolicy-3000] quit
5.
Apply the traffic policy to the interface.

[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] traffic-policy 3000 inbound
[SwitchA-GigabitEthernet0/0/2] return
# Configure SwitchA to collect statistics about outgoing packets.

1.

Issue 02 (2015-01-20)

226

Maintenance Guide
192.168.2.21 0
2.

3.

4.

5.

[SwitchA-GigabitEthernet0/0/2] traffic-policy 3001 outbound
Run the display traffic policy statistics interface gigabitethernet 0/0/2 inbound verbose
rule-base and display traffic policy statistics interface gigabitethernet 0/0/2 outbound
verbose rule-base commands to view interface traffic statistics.
Run the reset traffic policy statistics interface gigabitethernet 0/0/2 inbound and reset
traffic policy statistics interface gigabitethernet 0/0/2 outbound commands in the user
view to clear interface traffic statistics.
l
Traffic statistics collection of ARP packets (SwitchA is used as an example.)

1.

[SwitchA] traffic classifier statarp01
[SwitchA-classifier-statarp01] if-match l2-protocol arp
[SwitchA-classifier-statarp01] if-match destination-mac 4c1f-cc0e-672a
[SwitchA-classifier-statarp01] if-match source-mac 4c1f-cc03-1529
[SwitchA-classifier-statarp01] quit
2.

[SwitchA] traffic behavior statarp01
[SwitchA-behavior-statarp01] statistic enable
[SwitchA-behavior-statarp01] quit
3.

[SwitchA] traffic policy statarp01
[SwitchA-trafficpolicy-statarp01] classifier statarp01 behavior statarp01
[SwitchA-trafficpolicy-statarp01] quit
4.

[SwitchA-GigabitEthernet0/0/2] traffic-policy statarp01 inbound

1.

[SwitchA] traffic classifier statarp02
[SwitchA-classifier-statarp02] if-match l2-protocol arp
[SwitchA-classifier-statarp02] if-match destination-mac 4c1f-cc03-1529
[SwitchA-classifier-statarp02] if-match source-mac 4c1f-cc0e-672a
[SwitchA-classifier-statarp02] quit
Issue 02 (2015-01-20)

227

Maintenance Guide
2.

[SwitchA] traffic behavior statarp02
[SwitchA-behavior-statarp02] statistic enable
[SwitchA-behavior-statarp02] quit
3.

[SwitchA] traffic policy statarp02
[SwitchA-trafficpolicy-statarp02] classifier statarp02 behavior statarp02
[SwitchA-trafficpolicy-statarp02] quit
4.

[SwitchA-GigabitEthernet0/0/2] traffic-policy statarp02 outbound
verbose rule-base commands to view interface traffic statistics.
Run the reset traffic policy statistics interface gigabitethernet 0/0/2 inbound and reset
traffic policy statistics interface gigabitethernet 0/0/2 outbound commands in the user
view to clear interface traffic statistics.
l
If you want to capture packets through port mirroring, refer to the following configuration.
If the traffic volume on an interface is not heavy, configure port mirroring to check the
number of packets sent and received. (SwitchA is used as an example.)
1.
Configure the observing port.

[SwitchA] observe-port 1 interface gigabitethernet 0/0/5
2.
Configure a mirrored port to obtain packets bidirectionally.

[SwitchA-GigabitEthernet0/0/2] port-mirroring to observe-port 1 both
If the traffic volume on an interface is heavy, configure traffic mirroring. (SwitchA is used
as an example.)
1.
Configure the observing port.

[SwitchA] observe-port 1 interface gigabitethernet 0/0/5
2.

192.168.2.20 0
192.168.2.21 0
3.

4.

[SwitchA-behavior-3033] mirroring to observe-port 1
5.

6.
Issue 02 (2015-01-20)

228

Maintenance Guide
5.2.2.2 Incorrect Computer Settings

Fault Analysis
You can determine whether ping failures are caused by incorrect computer settings according
to Ping Failure Troubleshooting.
Common computer faults are as follows:
l
The network adapter of the computer is damaged.
The IP address of the computer or the gateway address is incorrect.
The computer is infected by viruses.
The firewall is enabled on the computer to restrict packet forwarding.
Common methods to determine a computer fault are as follows:

1.
Run the ipconfig /all command to check whether the local network is correctly configured.
C:\Users> ipconfig /all
Windows IP Configuration
...
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix
Description . . . . . . . . . .
Physical Address. . . . . . . .
DHCP Enabled. . . . . . . . . .
Autoconfiguration Enabled . . .
Link-local IPv6 Address . . . .
(Preferred)
IPv4 Address. . . . . . . . . .
Subnet Mask . . . . . . . . . .
...
Default Gateway . . . . . . . .
...
2.
.
.
.
.
.
.
:
:
:
:
:
:
huawei.com
Xen Net Device Driver
28-6E-D4-88-B7-19
Yes
Yes
fe80::dd9a:f549:2b85:b027%13
. : 192.168.1.5(Preferred)
. : 255.255.255.0
. : 192.168.1.1
Ping 127.0.0.1 to check whether the TCP/IP protocol is correctly configured.

C:\Users> ping 127.0.0.1
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
...
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
3.
Ping the local IP address to check whether the IP address of the computer is correct or
whether the network adapter is correctly configured.
C:\Users> ping 192.168.1.5
...
Issue 02 (2015-01-20)

229

Maintenance Guide
If "Request time out" is displayed in the MS-DOS, the network adapter is faulty, or the
network adapter is incorrectly configured. Disconnect the network cable and ping the local
address again. If the ping succeeds, the local IP address is the same as the IP address of
another device. If the ping fails, the network adapter is faulty, or the network adapter is
incorrectly configured. Check the related network configuration.
4.
Ping the local gateway or the IP address of the local network segment to check the computer
hardware and the connection between the computer and the local network segment.
C:\Users> ping 192.168.1.11
...
5.
If the fault persists, change the firewall setting or perform the ping test on another computer.
Example for Troubleshooting Incorrect Computer Settings

The following example describes how to locate and rectify a computer fault. As shown in Figure
5-4, SwitchA and the PC are directly connected.
Fault Description
The PC fails to ping the address 192.168.1.10 of SwitchA.
C:\Users> ping 192.168.1.10
Request timed out.
Request timed out.
Request timed out.
Request timed out.
1.
Capture packets to analyze cause of the fault.

Obtain packet sending and receiving information on the interfaces to find the cause of the
fault. For details on how to capture packets, see 1.2.1 Ping Failure Troubleshooting.
l Ping 192.168.1.10 on the PC.
C:\Users> ping 192.168.1.10
Issue 02 (2015-01-20)

230

Maintenance Guide
Pinging
Request
Request
Request
Request
192.168.1.10 with 32 bytes of data:

timed out.
timed out.
timed out.
timed out.

Packet headers cannot be obtained on the PC's network adapter and GE0/0/1 on
SwitchA.
l Ping 192.168.1.5 on SwitchA.
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
Packet headers are successfully obtained on the PC's network adapter and GE0/0/1 on
SwitchA. The captured packet information is shown as follows.
Figure 5-5 Packet information on the PC's network adapter
Figure 5-6 Packet information on GE0/0/1 of SwitchA
Compare the packet information obtained from the PC and SwitchA. You can see that
SwitchA successfully sends ICMP packets, while the PC's network adapter can only receive
ICMP packets but cannot send ICMP packets. The fault occurs on the PC.
2.
Rectify the fault.

As the packet information shows that the PC cannot send ICMP packets, you can check
whether the firewall setting on the PC is correct. Disable the firewall function on the PC.
For example, the operation in Windows 7 is as follows:
Choose Control Panel > System and Security > Windows Firewall > Customize
Settings, select Turn off Windows Firewall (Not Recommended), and click OK.
Issue 02 (2015-01-20)

231

Maintenance Guide
3.
Ping SwitchA from the PC again. If the following information is displayed, the ping
succeeds and the fault is rectified.
C:\Users> ping 192.168.1.10
...

Fault Analysis
You can determine whether ping failures are caused by physical link faults according to Ping
Common physical link faults are as follows:
l
Interfaces connected to optical fibers or network cables do not meet link deployment
requirements.
The optical module wavelengths do not meet actual needs.
Communication interfaces of devices are damaged.
Optical fibers or network cables are deteriorating or damaged.
Interfaces are blocked.
Common methods to determine a physical link fault are as follows:

l
View the indicator status on an interface. If the indicator is off, the interface is not
connected. Replace the interface or network cable and try again.
Run the display interface interface-type interface-number command to view the interface
status and analyze the cause according to the command output.
Run the display stp brief, display rrpp verbose, and display smart-link group all
commands to check whether the device is running any Layer 2 protocols such as Spanning
Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), and Smart Link. Determine
whether the physical interface receiving ping packets is blocked by any of the protocols.
If the interface is blocked, modify the related configuration to unblock the interface.
Example for Troubleshooting a Physical Link Fault

The following example describes how to locate and rectify a physical link fault. As shown in
Figure 5-7, SwitchA and SwitchB are directly connected.
Issue 02 (2015-01-20)

232

Maintenance Guide
Fault Description
SwitchA fails to ping the address 192.168.2.21 of SwitchB.
break
Request time
out
Request time
out
Request time
out
Request time
out
Request time
out
--- 192.168.2.21 ping statistics

--5 packet(s)
transmitted
0 packet(s)
received
100.00% packet loss
1.
Analyze cause of the fault.

# View the interface status of SwitchA.
<SwitchA> display interface gigabitethernet 0/0/2
GigabitEthernet0/0/2 current state : DOWN
Line protocol current state : DOWN
Description:
...
# View the interface status of SwitchB.

<SwitchB> display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state :
DOWN
Line protocol current state :
DOWN
Description:
...
The command outputs on SwitchA and SwitchB show that the interfaces on the two
switches are in Down state. The ping failure may be caused by the physical link fault.
2.
Rectify the fault.

# Replace the cable between the two interfaces and perform the ping test again to check
whether the fault is rectified.
Issue 02 (2015-01-20)

233

Maintenance Guide
Reply from 192.168.2.21: bytes=56 Sequence=1
0.00% packet loss
ttl=255
ttl=255
ttl=255
ttl=255
ttl=255
time=2
time=1
time=1
time=1
time=1
ms
ms
ms
ms
ms
5.2.2.4 ARP Issue

Fault Analysis
You can determine whether a ping failure is caused by an ARP issue according to Ping Failure
Troubleshooting.
A device needs to know the MAC address when encapsulating an ICMP packet. If the MAC
address does not exist, the device needs to learn the corresponding ARP entry. An ARP learning
failure may lead to loss of ping packets. Generally, an ARP-related ping failure occurs when the
device cannot correctly learn ARP entries.
Common methods to determine an ARP issue are as follows:
l
Run the display arp interface interface-type interface-number command to check whether
the device can correctly learn the ARP entry of a directly connected interface.
Run the display mac-address interface-type interface-number command to view the MAC
address entry and check whether the outbound interface of the entry is the same as that in
the ARP entry.
If ARP learning fails, check whether the interface, VLAN, VLANIF, and IP address are correctly
configured. If so, check whether the ARP and ARP security configurations limit ARP learning.
Example for Troubleshooting an ARP Issue

The following example describes how to locate and rectify an ARP issue. As shown in Figure
5-8, SwitchA and SwitchB are directly connected.
Fault Description
break
Issue 02 (2015-01-20)

234

Maintenance Guide
Request time
out
Request time
out
Request time
out
Request time
out
Request time
out
--5 packet(s)
transmitted
0 packet(s)
received
100.00% packet loss
1.

l Ping 192.168.2.21 on SwitchA and capture packets on GE0/0/2 of SwitchA and GE0/0/1
of SwitchB. The captured packet information is shown as follows.
Figure 5-10 Packet information on GE0/0/1 of SwitchB
l Ping 192.168.2.20 on SwitchB and capture packets on GE0/0/2 of SwitchA and GE0/0/1
Issue 02 (2015-01-20)

235

Maintenance Guide
To further locate the fault, check the ARP entries on GE0/0/2 of SwitchA and GE0/0/1 of
SwitchB.
l Check the ARP entries on SwitchA.
<SwitchA> display arp interface gigabitethernet 0/0/2
IP ADDRESS
MAC ADDRESS
EXPIRE(M) TYPE
INTERFACE
VPNINSTANCE
VLAN/
CEVLAN
--------------------------------------------------------------------------------------------------------------------------------------------------------Total:0
Dynamic:0
Static:0
Interface:0
l Check the ARP entries on SwitchB.

<SwitchB> display arp interface gigabitethernet 0/0/1
IP ADDRESS
MAC ADDRESS
EXPIRE(M) TYPE
INTERFACE
VPNINSTANCE
VLAN/CEVLAN
--------------------------------------------------------------------------------------------------------------------------------------------------------Total:0
Dynamic:0
Static:0
Interface:0
The command outputs show that neither SwitchA nor SwitchB learns an ARP entry.
Compare packet information on GE0/0/2 of SwitchA with that on GE0/0/1 of SwitchB.
You can find that packets sent by SwitchA and SwitchB have different VLAN IDs.
GE0/0/2 allows packets from VLAN 20 to pass, and GE0/0/1 allows packets from
VLAN 25 to pass. ARP learning fails because the interfaces are added to different
VLANs.
2.
Check the configuration.

# Check the interface configuration of SwitchA.
Issue 02 (2015-01-20)

236

Maintenance Guide
[SwitchA-GigabitEthernet0/0/2] display this
[SwitchA-GigabitEthernet0/0/2] quit
# Check the interface configuration of SwitchB.

<SwitchB> system-view
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] display this
[SwitchB-GigabitEthernet0/0/1] quit
The command outputs show that the configuration on SwitchB is incorrect and needs to be
modified.
3.
Modify the configuration on SwitchB.

[SwitchB] undo interface vlanif 25
[SwitchB] vlan batch 20
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] ip address 192.168.2.21 24
[SwitchB-Vlanif20] quit
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
4.
Check whether the fault is rectified.

[SwitchA] ping 192.168.2.21
Reply from 192.168.2.21: bytes=56 Sequence=1 ttl=255 time=50 ms
0.00% packet loss
5.2.2.5 VLAN Issue

Fault Analysis
You can determine whether a ping failure is caused by a VLAN issue according to Ping Failure
Troubleshooting.
Common VLAN issues are as follows:
l
An interface has not been added to a planned VLAN.
The link type of the interface is incorrectly configured.
The status of the VLANIF interface is Down, or the IP address is incorrect.
Common methods to determine a VLAN issue are as follows:

l
Run the display port vlan interface-type interface-number command to check the VLAN
to which the interface belongs.
The VLAN to which an interface belongs is specified during network planning. If the
configuration is incorrect, add the interface to the correct VLAN.
Issue 02 (2015-01-20)
Run the display port vlan interface-type interface-number command to check the link type
of the interface.
237

Maintenance Guide
Interfaces of different link types process packets in different ways. If link type of the
interface is incorrect, configure a correct link type for the interface.
l
Run the display interface brief and display ip interface brief interface-type interfacenumber commands to check the interface status and the IP address of the interface.
After you configure a VLANIF interface and add a physical interface to the corresponding
VLAN, ensure that the VLANIF interface is in Up state for communication. If the
configuration is incorrect, perform the correct configuration again.
Example for Troubleshooting a VLAN Issue

The following example describes how to locate and rectify a VLAN issue. As shown in Figure
Fault Description
break
Request time
out
Request time
out
Request time
out
Request time
out
Request time
out
--5 packet(s)
transmitted
0 packet(s)
received
100.00% packet loss
1.
Check the VLAN configuration.

# Check the VLAN to which the interface belongs and the link type of the interface.
Issue 02 (2015-01-20)

238

Maintenance Guide
l Check information of GE0/0/2 on SwitchA.

<SwitchA> display port vlan gigabitethernet 0/0/2
Port
Link Type
PVID Trunk VLAN List
-----------------------------------------------------------------------------GigabitEthernet0/0/2
trunk
1
1 20
l Check information of GE0/0/1 on SwitchB.

<SwitchB> display port vlan gigabitethernet 0/0/1
Port
Link Type
PVID Trunk VLAN List
-----------------------------------------------------------------------------GigabitEthernet0/0/1
access
20
-
# Check the status and IP address of the VLANIF interface.

l Check the configuration of SwitchA.
<SwitchA> display ip interface brief vlanif 20
...
Interface
IP Address/Mask
Protocol
Vlanif20
192.168.2.20/24
Physical
up
up
l Check the configuration of SwitchB.

<SwitchB> display ip interface brief vlanif 20
...
Interface
IP Address/Mask
Protocol
Vlanif20
192.168.2.21/24
Physical
up
up
The command outputs show that the ping fails because the link types of GE0/0/1 and
GE0/0/2 are different.
2.
Check the configuration.

# Check the interface configuration of SwitchA.
[SwitchA-GigabitEthernet0/0/2] display this
# Check the interface configuration of SwitchB.

[SwitchB-GigabitEthernet0/0/1] display this
port link-type access
port default vlan 20
The command outputs show that the configuration on SwitchB is incorrect and needs to be
modified.
3.
Modify the configuration on SwitchB.

[SwitchB-GigabitEthernet0/0/1]
4.
undo port default vlan

quit

[SwitchA] ping 192.168.2.21
--- 192.168.2.21 ping statistics ---
Issue 02 (2015-01-20)

239

Maintenance Guide
5 packet(s) transmitted
0.00% packet loss
5.2.2.6 Routing Issue

Fault Analysis
You can determine whether a ping failure is caused by a routing issue according to Ping Failure
Troubleshooting.
Common routing issues are as follows:
l
No route to the destination network segment exists.
No return route from the destination device exists.
The number of routes in the device's routing table has reached the upper limit.
Route configurations are incorrect.
To determine whether a routing issue occurs, run the display ip routing-table command to
check the routing table. If no route to the destination network segment exists, re-configure the
routes.
In addition to routes to the destination device, you also need to check return routes from the
destination device. The device supports multiple routing protocols. You can configure a routing
protocol based on actual requirements.
Example for Troubleshooting a Routing Issue

The following example describes how to locate and rectify a routing issue. As shown in Figure
5-14, SwitchA, SwitchB, and SwitchC form a network.
Fault Description
SwitchA fails to ping the address 192.168.3.31 of SwitchC.
break
Request time
out
Request time
out
Issue 02 (2015-01-20)

240

Maintenance Guide
Request time
out
Request time
out
Request time
out
--5 packet(s)
transmitted
0 packet(s)
received
100.00% packet loss
1.
Analyze cause of the fault.

# Ping the destination address 192.168.2.21 on SwitchA.
Reply from 192.168.2.21: bytes=56 Sequence=1 ttl=255 time=50
ms
ms
ms
ms
ms

0.00% packet loss

Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
The command outputs show that SwitchA does not have a route to the network segment
192.168.3.0.
2.
Configure a route on SwitchA.

# Configure a route to the network segment 192.168.3.0 on SwitchA.
[SwitchA] ip route-static 192.168.3.0 24 192.168.2.21
[SwitchA] quit
# Ping the destination address 192.168.3.30 on SwitchA again.

Issue 02 (2015-01-20)

241

Maintenance Guide
0.00% packet loss

Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
The command outputs show that SwitchA can send packets to 192.168.3.0. Because
SwitchA and SwitchB are directly connected, and SwitchB has a route to 192.168.2.0,
SwitchA can receive response packets from SwitchB.
However, SwitchA cannot receive response packets from SwitchC, indicating that SwitchC
does not have a route to 192.168.2.0.
3.
Configure a route on SwitchC.

# Configure a route to the network segment 192.168.2.0 on SwitchC.
<SwitchC> system-view
[SwitchC] ip route-static 192.168.2.0 24 192.168.3.30
[SwitchC] quit
4.

ms
ms
ms
ms
ms

0.00% packet loss
5.2.2.7 Access Control Issue

Fault Analysis
You can determine whether a ping failure is caused by an access control issue according to Ping
Access control is commonly configured on a device to ensure device security or meet service
requirements. If ping packets are restricted by access control rules, a ping failure occurs.
Issue 02 (2015-01-20)

242

Maintenance Guide
Generally, access control is configured to filter packets of specified types or with specified source
or destination addresses.
Common methods to determine an access control issue are as follows:
l
Capture packets on an interface, analyze obtained packet information, and check the
corresponding configuration.
Run the display current-configuration interface interface-type interface-number

command to check whether access control-related configuration exists on an interface.
NOTE
As access control is commonly configured to ensure device security or meet service requirements, services
will not be affected though a ping failure occurs. Exercise caution when you rectify such a fault to ensure
that the device can function properly.
Example for Troubleshooting an Access Control Issue

The following example describes how to locate and rectify an access control issue. As shown
in Figure 5-15, SwitchA and SwitchB are directly connected.
Fault Description
break
Request time
out
Request time
out
Request time
out
Request time
out
Request time
out
--5 packet(s)
transmitted
0 packet(s)
received
100.00% packet loss
Issue 02 (2015-01-20)

243

Maintenance Guide
1.

l Ping 192.168.2.21 on SwitchA and capture packets on GE0/0/2 of SwitchA and GE0/0/1
l Ping 192.168.2.20 on SwitchB and capture packets on GE0/0/2 of SwitchA and GE0/0/1
Issue 02 (2015-01-20)

244

Maintenance Guide
Compare packet statistics on GE0/0/2 of SwitchA and GE0/0/1 of SwitchB. You can find
that SwitchA successfully sends ping request packets but SwitchB does not respond to the
packets. SwitchB successfully sends ping request packets and receives response packets
from SwitchA; however, SwitchB does not process the packets.
According to the preceding analysis, you can see that the fault occurs on SwitchB as it does
not process ICMP Request and Reply packets. The cause of this phenomenon is that
SwitchB discards incoming ICMP packets because access control is configured on it.
2.
Check the configuration of SwitchB.

To further analyze cause of the fault, check the configuration of SwitchB.
# Check the interface configuration.
<SwitchB> display current-configuration interface gigabitethernet 0/0/1
#
traffic-policy tp1 inbound
#
return
The command output shows that a traffic policy is configured on the interface.
# Check the traffic policy configuration.
<SwitchB> display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny
Total policy number is 1
<SwitchB> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: AND
Rule(s) : if-match acl 3000
Total classifier number is 1
<SwitchB> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny icmp (match-counter 0)
An ACL rule is configured on SwitchB to discard received ICMP packets.

3.
Rectify the fault.

# Disable the traffic policy on the interface.
[SwitchB-GigabitEthernet0/0/1] undo traffic-policy tp1 inbound
4.

ms
ms
ms
ms
ms
--- 192.168.2.21 ping statistics ---
Issue 02 (2015-01-20)

245

Maintenance Guide
5 packet(s) transmitted
0.00% packet loss
5.2.3 Why Ping Packets Are Lost

NOTE
The ping packet loss troubleshooting in this document is based on lab environment. Device faults are
simulated in the lab according to the networking diagrams for fault location. If you perform the ping tests
on a live network where devices are configured, ensure that you know potential impacts on the
configurations.
5.2.3.1 Ping Packet Loss Troubleshooting

5.2.3.3 Network Loop
5.2.3.4 ARP Issue
5.2.3.5 ICMP Issue
5.2.3.1 Ping Packet Loss Troubleshooting

Fault Analysis
A ping packet loss refers to the loss of some ping packets for reasons such as long transmission
distance or network congestion.
When a ping packet loss occurs, determine the location where the fault occurs, analyze cause of
the fault, and then rectify the fault accordingly.
l
Segment-by-segment ping can be used to determine the location where the fault occurs,
reducing the fault range to a directly connected network segment.
Traffic statistics collection can be used to analyze cause of a ping packet loss. You can
analyze collected packet statistics to find the fault location and determine cause of the fault.
Many issues can lead to a ping packet loss; therefore, you need to take various factors into
consideration during actual troubleshooting. Based on analysis of frequently occurred ping
packet loss events, common causes of ping packet loss are as follows:
l
Physical link fault
Network loop
ARP issue
ICMP issue
Issue 02 (2015-01-20)

246

Maintenance Guide
NOTE
Ping packet loss does not mean poor network quality. In some cases, services can be normally transmitted
even when a ping packet loss occurs. Pay attention to the following points when analyzing a ping packet
loss:
l When packets are forwarded by a device hardware at a high speed, packet loss will not occur. For
example, ping a PC from the device. When packets are sent to the CPU for processing but the CPU is
busy, packet loss will occur. For example, ping the IP address of a device.
l The CPU protection function is provided to protect a device against network attacks. When this function
is enabled, the device will discard ARP and ICMP packets whose Control Plane Committed Access
Rate (CPCAR) values exceed the limit, resulting in ping packet loss. In this case, services can be
transmitted normally.
Fault Location
The following example shown in Figure 5-20, describes how to locate and rectify a ping packet
loss.
Fault Description
C:\Users> ping -n 100 192.168.4.41
Request timed out.
Request timed out.
...
Troubleshoot a fault according to possible causes of the fault. The troubleshooting process is as
follows:
1.
Configure the device to send multiple ping packets.

To replicate ping packet losses for fault location, the device needs to send a large number
of ping packets. You can specify the -c count parameter to enable the device to send multiple
ping packets. For details on the ping command usage, see Ping.
2.
Narrow down the fault range.

If a ping packet loss occurs when the PC pings the IP address 192.168.4.41, it is difficult
to directly locate the fault cause. In this case, you need to narrow down the fault range.
Issue 02 (2015-01-20)

247

Maintenance Guide
Ping SwitchA, SwitchB, SwitchC, and SwitchD from the PC. Determine the problematic
network segment based on the ping results. Assume that a ping packet loss occurs when
the PC pings SwitchB, the fault occurs on the direct link between SwitchA and SwitchB.
3.
Configure traffic statistics collection.

To further locate the faulty node, configure traffic statistics collection on SwitchA and
SwitchB to obtain packet loss information.
Configuring traffic statistics collection on SwitchA
a.

192.168.2.20 0
b.

c.

d.

e.


a.

192.168.2.21 0
b.

c.

d.

e.

Configuring traffic statistics collection on SwitchB

Issue 02 (2015-01-20)

248

Maintenance Guide
# Configure SwitchB to collect statistics about incoming packets.

a.

[SwitchB] acl number 3000
[SwitchB-acl-adv-3000] rule permit icmp source 192.168.2.20 0 destination
192.168.2.21 0
[SwitchB-acl-adv-3000] quit
b.

[SwitchB] traffic classifier 3000
[SwitchB-classifier-3000] if-match acl 3000
[SwitchB-classifier-3000] quit
c.

[SwitchB] traffic behavior 3000
[SwitchB-behavior-3000] statistic enable
[SwitchB-behavior-3000] quit
d.

[SwitchB] traffic policy 3000
[SwitchB-trafficpolicy-3000] classifier 3000 behavior 3000
[SwitchB-trafficpolicy-3000] quit
e.

[SwitchB-GigabitEthernet0/0/1] traffic-policy 3000 inbound
# Configure SwitchB to collect statistics about outgoing packets.

a.

[SwitchB] acl number 3001
[SwitchB-acl-adv-3001] rule permit icmp source 192.168.2.21 0 destination
192.168.2.20 0
[SwitchB-acl-adv-3001] quit
b.

[SwitchB] traffic classifier 3001
[SwitchB-classifier-3001] if-match acl 3001
[SwitchB-classifier-3001] quit
c.

[SwitchB] traffic behavior 3001
[SwitchB-behavior-3001] statistic enable
[SwitchB-behavior-3001] quit
d.

[SwitchB] traffic policy 3001
[SwitchB-trafficpolicy-3001] classifier 3001 behavior 3001
[SwitchB-trafficpolicy-3001] quit
e.

[SwitchB-GigabitEthernet0/0/1] traffic-policy 3001 outbound
4.
Analyze the statistics.

Ping SwitchB from SwitchA continuously.
verbose rule-base commands on SwitchA to view interface traffic statistics.
verbose rule-base commands on SwitchB to view interface traffic statistics.
Issue 02 (2015-01-20)

249

Maintenance Guide
If the number of outgoing packets on SwitchA is larger than the number of incoming packets
of SwitchB, the ping packet loss occurs on the link between SwitchA and SwitchB.
Troubleshoot the fault according to Physical Link Fault.
If the number of outgoing packets on SwitchA equals the number of incoming packets of
SwitchB, but the number of outgoing packets of SwitchB is less than the number of
incoming packets, the ping packet loss occurs on SwitchB. In this case, the fault may be
caused by a network loop or an ICMP issue.
Log in to SwitchB and run the display cpu-usage and display interface brief commands
to check whether the CPU and interface bandwidth usage is high. Run the display macaddress flapping record or display trapbuffer command to check whether MAC address
flapping occurs. If the CPU and interface bandwidth usage is high or MAC address flapping
occurs, troubleshoot the fault according to Network Loop.
Log in to SwitchB and run the display cpu-defend statistics packet-type icmp all or
display anti-attack statistics icmp-flood command to check whether ICMP packets are
discarded. Run the display current-configuration | include icmp rate-limit command to
check whether the rate limit for ICMP packets is too low. If ICMP packets are discarded
or the rate limit for ICMP packets is too low, troubleshoot the fault according to ICMP
Issue.
If the number of outgoing packets on SwitchA is less than the number of ping packets sent
by SwitchA, the ping packet loss occurs on SwitchA. In this case, the fault may be caused
by a network loop or an ARP issue.
Log in to SwitchA and run the display cpu-usage and display interface brief commands
to check whether the CPU and interface bandwidth usage is high. Run the display macaddress flapping record or display trapbuffer command to check whether MAC address
flapping occurs. If the CPU and interface bandwidth usage is high or MAC address flapping
occurs, troubleshoot the fault according to Network Loop.
Log in to SwitchA and run the display arp packet statistics and display cpu-defend
statistics commands to check whether ARP packets are discarded. If ARP packets are
discarded, troubleshoot the fault according to ARP Issue.
NOTE
To further locate the fault, you can ping SwitchA from SwitchB continuously to analyze the statistics. To
clear interface statistics, run the reset traffic policy statistics interface interface-type interface-number
{ inbound | outbound } command.

Fault Analysis
You can determine whether ping packet losses are caused by physical link faults according to
Ping Packet Loss Troubleshooting.
Common physical link faults are as follows:
l
The network adapter on the PC is faulty.
Device interfaces are faulty.
Cable connectors are insecurely connected.
Network cables are too long or damaged.
The bend radius of optical fibers is too large.
Issue 02 (2015-01-20)

250

Maintenance Guide
The transmit and receive optical powers of optical modules are too low.
Electrical interfaces work in different modes. For example, an interface works in autonegotiation mode while the other works in non-auto-negotiation mode.
NOTE
Electrostatic discharge cannot be implemented if a device is not grounded or the device is overheated due
to fan failures. In this case, ping packet loss may occur.
A physical link fault can be manually detected. For example, you can check the bend radius of
optical fibers, length of cables or fibers, and indicators of devices or PC's network adapter to
find a physical link fault. Generally, a physical link fault can be rectified after you replace the
faulty component.
Example for Troubleshooting a Physical Link Fault

The following example describes how to locate and rectify a physical link fault. As shown in
Figure 5-21, SwitchA and SwitchB are directly connected.
Fault Description
Ping packet loss occurs when SwitchA pings the address 192.168.2.21 of SwitchB.
<SwitchA> ping -c 100 192.168.2.21
break
ms
Request time out
Request time out
...
ms
--100 packet(s)
transmitted
91 packet(s)
received
9.00% packet
loss
1.
Locate the fault.

Collect traffic statistics on SwitchA and SwitchB. For details on how to configure traffic
statistics collection, see Ping Packet Loss Troubleshooting.
Issue 02 (2015-01-20)

251

Maintenance Guide
Run the ping -c 100 192.168.2.21 command on SwitchA.

l Check traffic statistics on SwitchA.
# Check traffic statistics about outgoing packets on SwitchA.
<SwitchA> display traffic policy statistics interface gigabitethernet 0/0/2
outbound verbose rule-base
Interface:
Traffic policy outbound:
3001
Rule number:
1
Current status:
OK!
Statistics interval:
300
--------------------------------------------------------------------Classifier: 3001 operator

and
Behavior:
3001
Board :
0
rule 5 permit icmp source 192.168.2.20 0 destination 192.168.2.21 0 (matchcounter 0)
--------------------------------------------------------------------Passed
100
Packets:
Bytes:
Rate(pps):
Rate(bps):
10,200
0
0
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------
# Check traffic statistics about incoming packets on SwitchA.

inbound verbose rule-base
Issue 02 (2015-01-20)

252

Maintenance Guide
Interface:
Traffic policy inbound:
3000
Rule number:
1
Current status:
OK!
300

and
Behavior:
3000
Board :
0
--------------------------------------------------------------------Passed
87
Packets:
Bytes:
Rate(pps):
Rate(bps):
8,874
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------
l Check traffic statistics on SwitchB.

# Check traffic statistics about incoming packets on SwitchB.
<SwitchB> display traffic policy statistics interface gigabitethernet 0/0/1
Interface:
3000
Issue 02 (2015-01-20)

253

Maintenance Guide
Rule number:
1
Current status:
OK!
300

and
Behavior:
3000
Board :
0
--------------------------------------------------------------------Passed
92
Packets:
Bytes:
Rate(pps):
Rate(bps):
9,384
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------
# Check traffic statistics about outgoing packets on SwitchB.

Interface:
3001
Rule number:
1
Current status:
OK!
300
Issue 02 (2015-01-20)

254

Maintenance Guide

and
Behavior:
3001
Board :
0
--------------------------------------------------------------------Passed
92
Packets:
Bytes:
Rate(pps):
Rate(bps):
9,384
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------
View traffic statistics on SwitchA and SwitchB. You can see that the number of
incoming packets on SwitchA is less than the number of outgoing packets on SwitchB,
and the number of incoming packets on SwitchA is less than the number of outgoing
packets on SwitchA, indicating that the ping packet loss occurs on the link between
SwitchA and SwitchB.
2.
Rectify the fault.

Replace the cable connecting SwitchA and SwitchB and perform the ping test again.
<SwitchA> ping -c 100 192.168.2.21
...
--100 packet(s)
transmitted
100 packet(s)
received
0.00% packet
loss
Issue 02 (2015-01-20)

255

Maintenance Guide
The test result shows that ping packet loss does not occur.
5.2.3.3 Network Loop

Fault Analysis
You can determine whether ping packet losses are caused by network loops according to Ping
Packet Loss Troubleshooting.
Generally, redundant links are used on an Ethernet switching network to enhance network
reliability. The use of redundant links, however, may produce loops, causing broadcast storms
and rendering the MAC address table unstable. As a result, the communication quality
deteriorates, and communication may even be interrupted. Network loops may lead to high CPU
and interface bandwidth usages and ping packet losses.
If loops exist on the network where a device locates, the device responds at low speeds. Common
methods to locate a network loop are as follows:
l
Run the display interface brief | include up command to view the traffic statistics on all
interfaces in Up state. If a network loop exists, the values of InUti and OutUti on the faulty
interface increase gradually to approximately 100%, which is much higher than the service
traffic volume.
First query result:
<SwitchA> display interface brief | include up
...
Interface
PHY
outErrors
up
up
0.56% 0.56%
0
...
inErrors
0
Second query result:

<SwitchA> display interface brief | include up
...
Interface
PHY
outErrors
up
up
76%
76%
0
...
inErrors
0
Determine whether MAC address flapping occurs on the switch.

Run the display trapbuffer command to check MAC address flapping logs.
Run the mac-address flapping detection command to configure MAC address flapping
detection, and then run the display mac-address flapping record command to check
whether MAC address flapping occurs.
Run the display mac-address command multiple times on the device. If multiple interfaces
learn the same MAC address, MAC address flapping has occurred.
Check the CPU usage.

Run the display cpu-usage command to check the CPU usage. Network loops may lead
to continuous high CPU usage; therefore, the switch fails to process ping packets and
discards them.
If ping packet loss is caused by network loops, configure protocols such as RRPP, SEP, Smart
Link, or STP/RSTP/MSTP on the device to detect and eliminate loops.
Issue 02 (2015-01-20)

256

Maintenance Guide
Example for Troubleshooting a Network Loop

The following example describes how to locate and rectify ping packet loss caused by network
loops. As shown in Figure 5-22, SwitchA and SwitchB are directly connected.
Fault Description
Ping packet loss occurs when SwitchA pings the address 192.168.2.21 of SwitchB.
<SwitchA> ping -c 100 -m 5 192.168.2.21
break
ms
Request time out
Request time out
...
ms
--100 packet(s)
transmitted
92 packet(s)
received
8.00% packet
loss
round-trip min/avg/max = 1/1/17
ms
1.
Locate the fault.

Issue 02 (2015-01-20)

257

Maintenance Guide

Interface:
3001
Rule number:
1
Current status:
OK!
300

and
Behavior:
3001
Board :
0
--------------------------------------------------------------------Passed
100
Packets:
Bytes:
Rate(pps):
Rate(bps):
10,200
0
0
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------

Issue 02 (2015-01-20)

258

Maintenance Guide
Interface:
3000
Rule number:
1
Current status:
OK!
300

and
Behavior:
3000
Board :
0
--------------------------------------------------------------------Passed
92
Packets:
Bytes:
Rate(pps):
Rate(bps):
9,384
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------

Interface:
3000
Rule number:
1
Issue 02 (2015-01-20)

259

Maintenance Guide
Current status:
OK!
300

and
Behavior:
3000
Board :
0
--------------------------------------------------------------------Passed
100
Packets:
Bytes:
Rate(pps):
Rate(bps):
10,200
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------

Interface:
3001
Rule number:
1
Current status:
OK!
300
Issue 02 (2015-01-20)

260

Maintenance Guide
and
Behavior:
3001
Board :
0
--------------------------------------------------------------------Passed
92
Packets:
Bytes:
Rate(pps):
Rate(bps):
9,384
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------
View traffic statistics on SwitchA and SwitchB. You can see that the number of outgoing
packets on SwitchA equals the number of incoming packets on SwitchB, but the number
of outgoing packets on SwitchB is less than the incoming packets, indicating that the
ping packets have been dropped on SwitchB. You need to further locate the cause of
the fault.
2.
Locate the cause of the fault.

If loops exist on the network where a device locates, the device responds at low speeds. In
this case, check the CPU usage and interface packet statistics to determine whether the fault
is caused by a loop.
# Check the CPU usage.
<SwitchB> display cpu-usage
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage
: 95% Max: 97%
CPU Usage Stat. Time : 2013-08-21 16:38:44
CPU utilization for five seconds: 95%: one minute: 95%: five minutes: 95%
Max CPU Usage Stat. Time : 2013-08-21 09:51:04.
....
# Check the packet sending and receiving rates on the interfaces.

<SwitchB> display interface brief
...
Interface
PHY
outErrors
up
0
down
Issue 02 (2015-01-20)
Protocol
InUti OutUti
up
0.01%
0.01%
0%
0%
down

inErrors
261

Maintenance Guide
0
0
0
...
up
up
down
down
98.00% 98.00%
0%
0%
0
0
The command output shows the CPU usage and interface bandwidth usage on SwitchB.
You can find that SwitchB discards ping packets, indicating that a loop may exist on the
network connected to SwitchB. To further determine the cause, disable GE0/0/3 on
SwitchB and perform the ping operation again.
# Disable GE0/0/3 on SwitchB.
[SwitchB-GigabitEthernet0/0/3] shutdown
[SwitchB] quit
# Perform the ping operation.

<SwitchA> ping -c 100 192.168.2.21
...
ms

--100 packet(s)
transmitted
100 packet(s)
received
0.00% packet
loss
# Enable GE0/0/3 on SwitchB after the verification.

[SwitchB-GigabitEthernet0/0/3] undo shutdown
3.
Rectify the fault.

Disabling the interface is not the final solution to the ping packets lost. To solve the problem,
eliminate the loop on the connected network. Generally, you can configure the Multiple
Spanning Tree Protocol (MSTP) on the connected network eliminate the loop.
Summary
There are three types of loops:
l
Self-loop on an interface
During network deployment, a Tx-Rx self-loop usually occurs on an interface because
optical fibers are connected incorrectly or the interface is damaged by high voltage. As
shown in Figure 1-22, a self-loop occurs on an interface of the Switch. As a result, packets
sent from this interface are looped back to the interface, which may cause traffic forwarding
errors or MAC address flapping on the interface.
Issue 02 (2015-01-20)

262

Maintenance Guide
Figure 5-23 Self-loop on an interface
Loop on the connected network or device

As shown in Figure 1-23, a loop occurs on the network or device connected to the Switch.
Packets sent from Interface1 are sent back through the downstream network or device.
Figure 5-24 Loop on the connected network or device
Loop between two interfaces of a device

As shown in Figure 1-24, a loop occurs on the network where the Switch locates or between
two interfaces of the Switch. Packets sent from Interface1 are looped back to Interface2.
Issue 02 (2015-01-20)

263

Maintenance Guide
Figure 5-25 Loop between two interfaces of a device
5.2.3.4 ARP Issue

Fault Analysis
You can determine whether ping packet loss is caused by an ARP issue according to Ping Packet
Loss Troubleshooting.
The fault symptom of a common ARP-related fault is that: ping packet loss occurs at the
beginning because ARP learning fails; ping packet loss does not occur during the aging period
of ARP entries after successful ARP learning; and ping packet loss occurs again because ARP
learning fails.
Common ARP issues are as follows:
l
ARP security functions, such as ARP Miss suppression based on source IP address and
ARP rate suppression, are configured on a device, resulting in slow ARP learning.
A device is attacked by ARP packets and the number of ARP packets sent to the CPU
exceeds the CPCAR value. As a result, some ARP packets are discarded.
Common methods to determine an ARP issue are as follows:

l
Run the display arp packet statistics command to check whether ARP packets are
discarded. You can check the ARP security configuration on the device to find the cause
of the fault.
If the fault is caused by incorrect ARP security configuration, re-configure ARP security
to enable the device to properly process ARP packets.
Run the display cpu-defend statistics command to check whether the CPU discards ARP
packets.
If the device is attacked by ARP packets, configure ARP security functions to defend
against ARP attacks and increase the CPCAR value for ARP packets. For example, the
configuration is as follows:
[SwitchA] cpu-defend policy arp
[SwitchA-cpu-defend-policy-arp] car packet-type arp-reply cir 32
Warning: Improper parameter settings may affect stable operating of the
system. Use this command under assistance of Huawei engineers. Continue? [Y/
N]:y
[SwitchA-cpu-defend-policy-arp] car packet-type arp-request cir 32
Issue 02 (2015-01-20)

264

Maintenance Guide
N]:y
[SwitchA-cpu-defend-policy-arp] quit
[SwitchA] cpu-defend-policy arp global
Example for Troubleshooting an ARP Issue

The following example describes how to locate and rectify an ARP issue. As shown in Figure
Fault Description
<SwitchA> ping -c 10000 192.168.2.21
break
Request time out
Request time out
Request time out
...
ms
...
ms
--10000 packet(s)
transmitted
9000 packet(s)
received
10.00% packet
loss
1.
Locate the fault.

Issue 02 (2015-01-20)

265

Maintenance Guide
Interface:
3001
Rule number:
1
Current status:
OK!
300

and
Behavior:
3001
Board :
0
--------------------------------------------------------------------Passed
8999
Packets:
Bytes:
Rate(pps):
Rate(bps):
1100,384
0
0
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------

Interface:
3000
Issue 02 (2015-01-20)

266

Maintenance Guide
Rule number:
1
Current status:
OK!
300

and
Behavior:
3000
Board :
0
--------------------------------------------------------------------Passed
8999
Packets:
Bytes:
Rate(pps):
Rate(bps):
1100,384
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------

Interface:
3000
Rule number:
1
Current status:
OK!
Issue 02 (2015-01-20)

267

Maintenance Guide
300

and
Behavior:
3000
Board :
0
--------------------------------------------------------------------Passed
8999
Packets:
Bytes:
Rate(pps):
Rate(bps):
1100,384
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------

Interface:
3001
Rule number:
1
Current status:
OK!
300

and
Issue 02 (2015-01-20)

268

Maintenance Guide
Behavior:
3001
Board :
0
--------------------------------------------------------------------Passed
8999
Packets:
Bytes:
Rate(pps):
Rate(bps):
1100,384
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------
packets on SwitchA is less than the number of ping packets sent by SwitchA, indicating
that the ping packet loss occurs on SwitchA. The possible cause is that ARP learning
fails on SwitchA. Generally, ARP learning of SwitchA fails because SwitchB does not
respond an ARP reply packet. Further troubleshoot SwitchB.
2.

# Check whether the CPU of SwitchB discards packets.
<SwitchB> display cpu-defend statistics all
------------------------------------------------------------------------------Packet Type
Pass(Packet/Byte)
Drop(Packet/Byte) Last-droppingtime
------------------------------------------------------------------------------8021x
0
0
0
0
arp-miss
0
0
0
0
arp-reply
1222
222
NA
NA
arp-request
2002
422
-
Issue 02 (2015-01-20)

269

Maintenance Guide
NA
NA
...
# Check the CPCAR value for ARP packets on SwitchB.

<SwitchB> display cpu-defend configuration all
Car configurations on slot 0.
---------------------------------------------------------------------Packet Name
Type
Status
Cir(Kbps)
Cbs(Byte)
Queue
Port-
---------------------------------------------------------------------8021x
NA
arp-miss
NA
arp-reply
NA
arp-request
NA
bfd
...
Enabled
256
32000
Enabled
64
10000
Enabled
1000
Enabled
1000
Enabled
512
64000
NA
The command outputs show that SwitchB discards some ARP packets because CPCAR
value is exceeded. The ARP learning on SwitchA fails, and ping packet loss occurs.
3.
Rectify the fault.

# Increase the CPCAR value to rectify the fault.
[SwitchB] cpu-defend policy arp
[SwitchB-cpu-defend-policy-arp] car packet-type arp-reply cir 32
N]:y
[SwitchB-cpu-defend-policy-arp] car packet-type arp-request cir 32
N]:y
[SwitchB-cpu-defend-policy-arp] quit
[SwitchB] cpu-defend-policy arp global
4.

<SwitchA> ping -c 10000 192.168.2.21
break
ms
...
ms

--10000 packet(s)
transmitted
10000 packet(s)
received
0.00% packet
loss
Issue 02 (2015-01-20)

270

Maintenance Guide
5.2.3.5 ICMP Issue

Fault Analysis
You can determine whether ping packet loss is caused by an ICMP issue according to Ping
Packet Loss Troubleshooting.
The fault symptoms of common ICMP-related faults are as follows:
l
Ping packet loss occurs when ping packets are transmitted at high speeds. The fault will
not occur if the transmission speed is lowered.
Ping packet loss occurs regularly when large-sized ping packets are sent.
Ping packet loss occurs every two minutes approximately.
Common ICMP issues are as follows:

l
A device is attacked by ICMP packets and the number of ICMP packets sent to the CPU
exceeds the CPCAR value. As a result, some ICMP packets are discarded.
ICMP attack defense is configured on a device. When ICMP packets are sent at a speed
higher than the rate limit, the device discards ICMP packets.
ICMP rate limit is configured on a device. When ICMP packets are sent at a speed higher
than the rate limit, the device discards ICMP packets.
Common methods to determine an ICMP issue are as follows:

l
Run the display icmp statistics and display anti-attack statistics icmp-flood commands
to check whether the device discards ICMP packets.
If the device discards ICMP packets, re-configure ICMP security functions to enable the
device to properly process ICMP packets.
Check the rate limit for ICMP packets by viewing the icmp rate-limit total threshold
threshold-value configuration.
If the rate limit for ICMP packets is small, run the icmp rate-limit total threshold
threshold-value command to set a large value. For example, the configuration is as follows:
[SwitchA] icmp rate-limit enable
[SwitchA] icmp rate-limit total threshold 500
Run the display cpu-defend statistics packet-type icmp all command to check whether
the CPU discards ICMP packets.
If the device is attacked by ICMP packets, configure ICMP security functions to defend
against ICMP attacks and increase the CPCAR value for ICMP packets. For example, the
[SwitchA] cpu-defend policy icmp
[SwitchA-cpu-defend-policy-icmp] car packet-type icmp cir 256
N]:y
[SwitchA-cpu-defend-policy-icmp] quit
[SwitchA] cpu-defend-policy icmp global
Issue 02 (2015-01-20)

271

Maintenance Guide
You can also rectify this fault by running the icmp-reply fast command to enable fast
ICMP reply.
Example for Troubleshooting an ICMP Issue

The following example describes how to locate and rectify an ICMP issue. As shown in Figure
Fault Description
<SwitchA> ping -c 100 -m 5 192.168.2.21
break
ms
Request time out
...
ms
--100 packet(s)
transmitted
92 packet(s)
received
8.00% packet
loss
round-trip min/avg/max = 1/1/17
ms
1.
Locate the fault.

Run the ping -c 100 -m 5 192.168.2.21 command on SwitchA.
Interface:
Issue 02 (2015-01-20)

272

Maintenance Guide
3001
Rule number:
1
Current status:
OK!
300

and
Behavior:
3001
Board :
0
--------------------------------------------------------------------Passed
100
Packets:
Bytes:
Rate(pps):
Rate(bps):
10,200
0
0
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------

Interface:
3000
Rule number:
1
Current status:
Issue 02 (2015-01-20)

273

Maintenance Guide
OK!
300

and
Behavior:
3000
Board :
0
--------------------------------------------------------------------Passed
92
Packets:
Bytes:
Rate(pps):
Rate(bps):
9,384
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------

Interface:
3000
Rule number:
1
Current status:
OK!
300
---------------------------------------------------------------------
Issue 02 (2015-01-20)

274

Maintenance Guide
Classifier: 3000 operator
and
Behavior:
3000
Board :
0
--------------------------------------------------------------------Passed
100
Packets:
Bytes:
Rate(pps):
Rate(bps):
10,200
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------

Interface:
3001
Rule number:
1
Current status:
OK!
300

and
Behavior:
3001
Board :
0
Issue 02 (2015-01-20)

275

Maintenance Guide

--------------------------------------------------------------------Passed
92
Packets:
Bytes:
Rate(pps):
Rate(bps):
9,384
0
8
--------------------------------------------------------------------Dropped
Packets:
Bytes:
Rate(pps):
Rate(bps):
0
0
0
0
---------------------------------------------------------------------
packets on SwitchA equals the number of incoming packets on SwitchB, but the number
of outgoing packets on SwitchB is less than the incoming packets, indicating that the
ping packets have been dropped on SwitchB. You need to further locate the cause of
the fault.
2.

The -m parameter in the ping command enables the devices to send multiple ping packets
continuously in a short period. In this case, ping packet loss may be caused by rate limit of
ICMP packets. Check the ICMP packet rate limit configuration.
<SwitchB> display current-configuration | include icmp rate-limit
icmp rate-limit
enable
icmp rate-limit total threshold 10
The command output shows that the rate limit for ICMP packets is 10 pps, which may cause
ping packet loss.
3.
Rectify the fault.

Increase the rate limit for ICMP packets.
[SwitchB] icmp rate-limit enable
[SwitchB] icmp rate-limit total threshold 100
4.

<SwitchA> ping -c 100 -m 5 192.168.2.21
break
ms
...
ms

---
Issue 02 (2015-01-20)

276

Maintenance Guide
100 packet(s)
transmitted
100 packet(s)
received
0.00% packet
loss
5.2.4 Why Ping Packets Are Delayed

Possible Causes of Network Latency
Network latency indicates round-trip delay time, including the latency from source to destination
plus the latency from destination back to source.
Major factors affecting network latency are the hop count and network traffic.
l
Hop count
It takes time to forward packets from one hop to another; therefore, the larger the hop count,
the longer the network latency.
Network traffic
Packets wait in queues before they are processed by a device; therefore, a larger network
traffic volume takes a longer time for packet queuing and thereby causes a longer network
latency.
The causes of high network latency are as follows:

l
Large number of hops on the packet transmission path

The transmission time of packets in the physical medium can be ignored because optical
and electrical signals are transmitted at high speeds. However, the device spends some time
processing packets before forwarding them. When packets pass through a large number of
hops, the network latency is high.
Insufficient network bandwidth

When the network through which packets pass does not have sufficient bandwidth, network
congestion will occur and packets need to wait in queues, resulting in high network latency.
Insufficient memory
When a device receives a large number of packets, the device does not have sufficient
memory to process the packets; resulting in slow process speed and high network latency.
Ping Test for Network Latency Measurement

Ping tests can be used to measure network latency. The test results are only used for reference
and cannot be regarded as the measured network latency. No reference value is available for
determining whether the network latency is normal because the requirements vary depending
on network status. Other measurements, such as network quality analysis (NQA), are required
to accurately measure the network latency.
Pay attention to the following points when analyzing a ping delay:
Issue 02 (2015-01-20)

277

Maintenance Guide
When packets are forwarded by a device's hardware at a high speed, the network latency
is low. For example, ping a PC from the device. When packets are processed by the CPU,
the network latency is high. For example, ping a device gateway.
Despite the long latency of pinging the gateway, forwarding of data packets does not slow
down because data packets are processed by the chip but not the CPU. You can enable the
fast ICMP reply function by running the icmp-reply fast command on the device to reduce
the latency. After this function is enabled, the device quickly responds to received Echo
Request packets destined for its own IP address. The CPU of the LPU directly responds to
the ICMP packets, improving the process speed of ICMP packets, and reducing network
latency.
To prevent impact of ping attacks on a device, ICMP packets have the lowest priority among
all packets and are the last packets to be transmitted and processed. Therefore, long latency
is caused.
5.2.5 Tracert
Tracert Overview
Tracert is a method used to test the reachability of the route that packets pass through from the
source to the destination. The tracert result can display the packet forwarding path. Tracert is
implemented based on the ICMP protocol. When a network failure occurs, you can use tracert
to locate faulty network nodes.
Tracert Implementation
Figure 5-28 Tracert process
Figure 5-28 shows the tracert implementation process. The process is described as follows:
1.
The source end (SwitchA) sends a User Datagram Protocol (UDP) packet whose TTL value
is 1 and destination UDP port number is larger than 30000 to the destination device (log
host). Generally, UDP port numbers larger than 30000 are not used by any program.
2.
After receiving the UDP packet, the first-hop host (SwitchB) determines that the destination
IP address of the packet is not the local IP address and decreases the TTL value by one.
The TTL value is 0, so SwitchB discards the UDP packet, and sends an ICMP Time
Exceeded packet containing its local IP address 10.1.1.2 to SwitchA. SwitchA obtains the
IP address of SwitchB.
Issue 02 (2015-01-20)

278

Maintenance Guide
3.
After receiving the ICMP Time Exceeded packet from SwitchB, SwitchA sends a UDP
packet with the TTL value of 2.
4.
After receiving the UDP packet, the second-hop host (SwitchC) returns an ICMP Time
Exceeded packet containing its local IP address 10.1.2.2 to SwitchA. SwitchA obtains the
IP address of SwitchC.
5.
The preceding process is repeated until the destination end determines that the destination
IP address of the UDP packet is its local IP address and processes the packet. The destination
end searches for the upper-layer protocol that uses the destination port number of the packet.
No program uses this UDP port number, so the destination end returns an ICMP Destination
Unreachable packet containing its local IP address 10.1.3.2.
6.
After receiving the ICMP Destination Unreachable packet, the source end determines that
the UDP packet has reached the destination end, terminates the tracert process, and
generates the path of the UDP packet, which is 10.1.1.2 -> 10.1.2.2 -> 10.1.3.2.
Tracert Command Format

Tracert Command Supported on a Device
NOTE
This document provides descriptions for only the commonly used parameters of the tracert command. For
more information, including usage of supported tracert commands, see the S2750EI&S5700 Series Ethernet
Switches Command Reference.
tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries | -vpn-instance

vpn-instance-name | -w timeout ] *host
l
-a: specifies the source IP address. If this parameter is not specified, the device uses the IP
address of the outbound interface as the source IP address of outgoing tracert packets.
-f: specifies the initial TTL. If the value of this parameter is greater than the number of hops
between the source and destination hosts, nodes along the path do not return ICMP Time
Exceeded packets to the source host because the value of the TTL field is greater than 0.
If a value has been set for max-ttl, the value of first-ttl must be smaller than that of maxttl.
-m: indicates the maximum TTL. Generally, the value of max-ttl is the number of hops a
packet passes through. If a value has been set for first-ttl, the value of max-ttl must be larger
than that of first-ttl. By default, the value of max-ttl is 30.
-p: specifies the UDP port number of the destination host.

If this parameter is not specified, the tracert command uses a random port whose
number is larger than 32768 for the destination device to receive packets.
If this parameter is specified, ensure that the destination port is not occupied; otherwise,
tracert fails.
-q: specifies the number of UDP packets sent each time. When the network quality is poor,
you can increase the number of outgoing UDP packets to ensure that the packets can reach
the destination device. By default, the device sends three UDP packets each time.
-w: specifies the timeout period for waiting for a response packet. If a UDP packet does
not reach the gateway within the specified timeout period, " * " is displayed. You are advised
to set the timeout period to a large value when the network quality is poor and network
speed is slow. The default value is 5000 ms.
Issue 02 (2015-01-20)

279

Maintenance Guide
host: specifies the IP address or domain name. If a domain name is specified, the device
performs domain name resolution (DNS) and displays the obtained IP address.
Tracert Command Supported on a PC

The tracert command differs on PCs running different operating systems. The following
describes the commonly used tracert parameters supported on a Windows PC.
tracert [ -d | -h maximum_hops | -j host-list | -w timeout ] *host
l
-d: specifies the PC does not resolve the host name.
-h: specifies the maximum TTL value.
-j: specifies the loose source address routing list.
-w: specifies the timeout period of UDP packets, in milliseconds.
host: specifies the domain name or IP address of the destination host.
Tracert Example
<SwitchA> tracert 10.26.0.115
traceroute to 10.26.0.115(10.26.0.115), max hops: 30 ,packet length: 40,press
CTRL_C to break
1 10.3.112.1
10 ms 10 ms 10 ms
2 10.32.216.1 19 ms 19 ms 19 ms
4 10.32.136.23 19 ms 39 ms 39 ms
5 * * *
6 * * *
7 * * *
8 10.26.0.115
69 ms 79 ms 79 ms
Table 5-3 Description of the tracert command output
Issue 02 (2015-01-20)
Item
Description
traceroute to
Tracert test to a specified destination address.
max hops
Maximum TTL value.
packet length
Length of the sent packet.

280

Maintenance Guide
Item
Description
1 10.3.112.1 10 ms 10 ms 10 ms
"1" indicates the first-hop gateway. The

sequence number increases by each hop. By
default, the maximum hop count is 30.
"10.3.112.1" is the gateway address of the
first hop. The IPv4 address following the
serial number of each hop is the gateway
address of the hop.
"10 ms 10 ms 10 ms" indicates the time
difference between the three sent UDP
packets and the received ICMP Time
Exceeded or ICMP Destination Unreachable
packets. By default, three UDP packets are
sent each time to check whether a hop is
reachable.
NOTE
The ping command can only detect whether the
destination end is unreachable. The tracert
command can detect routing loops on a network.
If the same address is displayed multiple times in
the tracert command output, a routing loop
occurs.
On the Nth hop, either the ICMP Time

Exceeded packet or the ICMP Destination
Unreachable packet is received within a
specified period. By default, the timeout
period for receiving the ICMP Time
Exceeded packet or the ICMP Destination
Unreachable packet is 5000 ms.
5.2.6 Applications
5.2.6.1 Measuring Network Latency
5.2.6.2 Measuring Network Reliability
5.2.6.3 Measuring the Packet Size, Fragment Flag, and MTU
5.2.6.1 Measuring Network Latency

Problems such as slow network connection speed and intermittent network access frequently
occur. These problems may be caused by network latency. Ping is helpful to measure network
latency. You can obtain the overall network status by viewing the minimum latency.
The following example describes how to use the ping command to measure network latency.
Issue 02 (2015-01-20)

281

Maintenance Guide
<SwitchA> ping -a 192.168.2.20 -i vlanif 20 192.168.2.21

break
ms
ms
ms
ms
ms
--5 packet(s)
transmitted
time=5
time=1
time=1
time=1
time=1
5 packet(s)
received
0.00% packet
loss
The ping test result shows that the minimum, average, and maximum bidirectional latencies on
the network are 1 ms, 1 ms, and 5 ms respectively. The minimum, average, and maximum
unidirectional latencies on the network are 0.5 ms, 0.5 ms, and 2.5 ms respectively.
Note the following points when using ping to measure network latency:
l
The result of a latency test is accurate if you specify the source address and outbound
interface.
The time values obtained using ping are for the Round Trip Time (RTT), which is the time
between when an Echo Request packet is sent and the Echo Reply packet is received. The
unidirectional network latency is half of the time displayed in the command output.
The ping test result shows severe network jitter, which is generated because the control
module of the device takes time to receive and send packets. The network jitter does not
affect service forwarding of the device; therefore, you can ignore it.
When a large number of protocol or data packets are transmitted over a network, ping
packets compete for network resources with these packets. This may result in a long latency
or even ping packet loss.
When you test network latency on a multi-hop network, take load balancing into
consideration. The network latency of different load balancing paths is different.
The network latency is calculated in milliseconds. Values smaller than 1 ms are displayed
as 1 ms.
Issue 02 (2015-01-20)

282

Maintenance Guide
5.2.6.2 Measuring Network Reliability

Ping can be used to measure network reliability. You can obtain the status of the current network
by viewing the ping test result.
Because network transmission quality is variable, being influenced by numerous factors, many
ping packets are required for testing network reliability. Generally, using a larger number of
ping packets during a load test can better reflect the network status. It is recommended to set a
large packet size and send at least 3000 ping packets to test whether packet loss occurs.
The packet loss statistics obtained through the ping test provide a basis for determining network
reliability.
The following example describes how to perform a ping test to measure network reliability. In
this example, the packet size is 4096 bytes and the number of sent ping packets is 3000.
<SwitchA> ping -c 3000 -s 4096 192.168.2.21

break
ms
ms
Request time out
...
--3000 packet(s)
transmitted
2970 packet(s)
received
1.00% packet
loss
The ping test result shows that 3000 packets were sent and 2970 packets were received.
Therefore, the number of dropped packets is 30 (a packet loss ratio of 1.00%).
5.2.6.3 Measuring the Packet Size, Fragment Flag, and MTU

Variables such as latency, jitter, packet drops, and packet reassembly can slow network access
speeds. Packet length can also affect access speed. If a transmission device sends packets whose
length exceeds the MTU value on its interface, the transmission device must fragment the
packets. Packet fragmentation and encapsulation cause transmission latency. In addition, some
packet fragments may be dropped on the network; therefore, packet retransmission is required.
Issue 02 (2015-01-20)

283

Maintenance Guide
In this case, you need to measure the packet size and MTU on the network and check whether
packet fragmentation is allowed.
The following describes how to use the ping command to measure the MTU on an interface.
Two switches are located on the network shown in Figure 5-31. The ping parameters -range,
min, max, step, and -f are specified for the measurement.
NOTE
The ping command uses ICMP packets. The packet size in the ping command output is the payload length
of ICMP packets, excluding the length of the IP and ICMP packet headers. The IP packet header occupies
20 bytes and the ICMP packet header occupies 8 bytes additionally. You can determine the value of these
parameters according to your needs.
1.
During the first measurement, the minimum packet length, maximum packet length, and
step are set to 900 bytes, 1050 bytes, and 50 bytes respectively, and packet fragmentation
is not allowed. This measurement can determine the maximum packet length allowed on
the network.
<SwitchA> ping -range min 900 max 1050 step 50 -f 192.168.2.21
PING 192.168.2.21: 900-1050 data bytes, press CTRL_C to
break
ms
ms
Request time out
(1000)
Request time out
(1050)

--4 packet(s)
transmitted
2 packet(s)
received
50.00% packet
loss
2.
The result of the first measurement shows that the packet length allowed on the network is
larger than 950 bytes and smaller than 1000 bytes. During the second measurement, the
minimum packet length, maximum packet length, and step are set to 950 bytes, 1000 bytes,
and 1 byte respectively, and packet fragmentation is not allowed.
<SwitchA> ping -range min 950 max 1000 step 1 -f 192.168.2.21
PING 192.168.2.21: 950-1000 data bytes, press CTRL_C to break
Issue 02 (2015-01-20)

284

Maintenance Guide
ms
...
ms
Request time out
(973)
...
Request time out
(1000)

--51 packet(s)
transmitted
23 packet(s)
received
54.90% packet
loss
3.
The result of the second measurement shows that the maximum packet length allowed on
the network is 972 bytes. During the third measurement, the device only sends packets with
4096 bytes.
<SwitchA> ping -s 4096 192.168.2.21
break
ms
ms
ms
ms
ms
time=2
time=2
time=2
time=2
time=9

--5 packet(s)
transmitted
5 packet(s)
received
0.00% packet
loss
After the measurement, the conclusions are as follows:

l
The maximum length of ping packets allowed on the network is 972 bytes.
The minimum MTU value on the network interface is 1000 bytes.
Packet fragmentation is allowed on the interface.
Issue 02 (2015-01-20)

285

Maintenance Guide
6 Important Notes
Important Notes
6.1 Important Notes About Hardware Installation

6.1.1 Huawei Switches Must Use Huawei-Certified Optical Modules
6.1.2 Ensure That All Cards Are Securely Locked in the Chassis
6.1.3 Use a Tray or a Pair of Guide Rails to Support a Switch in a Cabinet and Ensure That the
Chassis Is Closely Attached to the Tray or Guide Rails
6.1.4 Select Appropriate Fibers to Connect 10GE Multimode Optical Modules on Two Switches
6.1.5 Ground a Switch Reliably by Connecting Its Ground Screw to a Ground Point
6.1.1 Huawei Switches Must Use Huawei-Certified Optical

Modules
Description: Huawei switches must use Huawei-certified optical modules. Non-Huaweicertified optical modules cannot ensure transmission reliability and may affect service stability.
Huawei is not responsible for any problem caused by the use of non-Huawei-certified optical
modules and will not fix such problems.
Reason: Optical modules from various vendors differ in implementations or specifications. NonHuawei-certified optical modules are not verified through interoperability tests with Huawei
switches and may cause unexpected problems when they are used on Huawei switches. Huawei
certification is a measure to guarantee reliability and quality of optical modules.
Identification method: Run the display transceiver command to check whether an optical
module has passed Huawei certification. If the Vendor Name field displays HUAWEI, the optical
module has passed Huawei certification.
<HUAWEI> display transceiver interface GigabitEthernet 3/0/0 verbose
Versions involved: all versions
6.1.2 Ensure That All Cards Are Securely Locked in the Chassis
Description: After inserting a card into a chassis, make sure that it is completely seated in the
chassis and locked by the eject levers. Otherwise, problems such as card registration failure or
packet loss may occur.
Issue 02 (2015-01-20)

286

Maintenance Guide
6 Important Notes
Reason: If a card is not securely locked in the chassis, it cannot exchange signals with the
backplane normally.
Identification method: Figure 6-1 shows a loosely installed card.
Figure 6-1 Loosely installed card
Suggestion: Check all cards after the installation to ensure that each card is securely locked in
the chassis by the eject levers.
6.1.3 Use a Tray or a Pair of Guide Rails to Support a Switch in a

Cabinet and Ensure That the Chassis Is Closely Attached to the Tray
or Guide Rails
Description: When installing a switch in a cabinet, use a tray or a pair of guide rails to support
the chassis and ensure that the chassis is closely attached to the tray or guide rail. If the chassis
is supported only by mounting brackets, the chassis may be distorted after being used for a long
time.
Reason: If a chassis is supported only by mounting brackets for a long time, the chassis may be
distorted.
Identification method: As shown in Figure 6-2, the chassis is not closely attached to the tray.
Issue 02 (2015-01-20)

287

Maintenance Guide
6 Important Notes
Figure 6-2 Gap between the chassis and tray
Suggestion: Install a tray or a pair of guide rails in the cabinet and mount the chassis on the tray
or guide rails. Ensure that the chassis is closely attached to the tray or guide rails.
Versions involved: version independent
6.1.4 Select Appropriate Fibers to Connect 10GE Multimode Optical

Modules on Two Switches
Description: When two interfaces need to communicate using 10GE multimode optical
modules, select optical fibers based on the transmission distance on the network. For example,
a 300 m 10GE multimode optical module supports a maximum transmission distance of 300 m,
but the actual transmission distance varies depending on the optical fiber used.Table 6-1 lists
the maximum transmission distance of a 10GE multimode optical module working with different
optical fibers.
Table 6-1 Maximum transmission distance of a 10GE multimode optical module working with
different optical fibers
Issue 02 (2015-01-20)
Optical Fiber Type
Maximum Transmission Distance
OM1
33 m
OM2
82 m
OM3
300 m

288

Maintenance Guide
6 Important Notes
Reason: The transmission distance depends on specifications of the optical fibers used.
Identification method: Look up the model of the optical module in the Hardware
Description to obtain the maximum transmission distance based on the type of optical fibers
used.
Suggestion: Select optical fibers based on the actual transmission distance.
6.1.5 Ground a Switch Reliably by Connecting Its Ground Screw to

a Ground Point
Description: After installing a switch, connect the ground screw on the switch to a ground point
using a ground cable, as shown in Figure 6-3.
Figure 6-3 Grounding a switch
Reason: A switch must be grounded to ensure reliability.

Identification method: Check the device grounding against the hardware installation
specifications.
Suggestion: Connect the ground cable according to the hardware installation guide.
6.2 Important Notes About Software Configuration

6.2.1 Periodically Check Whether a Switch Has Loaded the Latest Patch and Whether the Patch
Is Normal
6.2.2 Remove Interfaces from VLAN 1 If They Do Not Need to Join VLAN 1
6.2.3 When Deploying STP, Configure User-side Interfaces as Edge Ports and Configure TC
Protection on Them
6.2.4 Prevent Two Interconnected Electrical Interfaces from Working in Half-Duplex Mode
After Negotiation
Issue 02 (2015-01-20)

289

Maintenance Guide
6 Important Notes
6.2.5 When Configuring STP on an Eth-Trunk, Set the Cost of the Eth-Trunk to a Fixed Value
6.2.6 The S6300 Series Switches Support Copper Transceiver Modules Since V200R002
6.2.7 CSS ID Is a Mandatory Parameter for CSS Configuration
6.2.8 IPv6 Features of Modular Switches Are Controlled by Licenses
6.2.1 Periodically Check Whether a Switch Has Loaded the Latest

Patch and Whether the Patch Is Normal
Description: Huawei releases patches for switch software versions on the official support
website (http://support.huawei.com/enterprise/) at variable intervals to resolve known issues of
switch products, preventing impact of similar issues on customer networks.
Reason: Known issues of software are more likely to occur than unknown issues. You need to
periodically load latest patches to switches to prevent known issues from occurring on your
network.
<HUAWEI> display patch-information
Patch Package Name
:cfcard:/s9700v200r001sph00X.pat
Patch Package Version:V200R001SPH00X
The state of the patch state file is: Running
The current state is: Running
************************************************************************
*
The hot patch information, as follows:
*
************************************************************************
Slot
Type
State
Count
-----------------------------------------------------------7
C
Running
202
8
C
Running
202
1
HSP
Running
62
1
APP
Running
31
3
HSP
Running
62
3
APP
Running
31
Check whether the current patch version is the latest:

The highlighted text in the command output is the patch version. Download latest versions
periodically from the support website.
The State column shows the patch status. Ensure that all the patches are in running state. If a
patch is in active or deactive state, run the patch active and patch run commands to run the
patch.
6.2.2 Remove Interfaces from VLAN 1 If They Do Not Need to Join

VLAN 1
Description: All interfaces of a switch belong to VLAN 1 by default. Before using an interface,
determine whether it needs to join VLAN 1. If not, remove the interface from VLAN 1 to prevent
loops in VLAN 1. In addition, do not use VLAN 1 as the management VLAN.
Reason: All interfaces of a switch belong to VLAN 1 by default, which may cause broadcast
storms in VLAN 1.
Issue 02 (2015-01-20)

290

Maintenance Guide
6 Important Notes
Identification method: Run the display vlan 1 command to check whether an interface is in
VLAN 1, and run the display interface vlanif command to check whether VLAN 1 is used as
the management VLAN.
Suggestion: Remove unnecessary interfaces from VLAN 1 to prevent loops in this VLAN.
6.2.3 When Deploying STP, Configure User-side Interfaces as Edge

Ports and Configure TC Protection on Them
Description: A switch may receive many TC packets from user-side interfaces due to frequent
network topology changes or attacks. The TC packets are sent to the CPU, resulting in a high
CPU usage. This will cause problems such as packet loss and forwarding performance
deterioration.
Reason: If many TC packets are sent to the CPU, many CPU resources are consumed. The high
CPU usage will cause problems such as packet loss and forwarding performance deterioration.
Identification method:
1. Check whether there are logs about a large number of TC packets received.
2. Run the display stp tc-bpdu statistics command on the switch to check statistics about sent
and received TC packets.
3. When the switch functions as a Layer 3 gateway, it deletes ARP entries frequently after
receiving TC packets. As a result, many Layer 3 packets are sent to the switch, triggering the
ARP Miss process. When the traffic rate exceeds CPCAR for ARP Miss, the switch logs the
events.
4. When the switch is used for Layer 2 forwarding, it frequently deletes MAC address entries
after receiving TC packets. Many Layer 2 packets are broadcast because no matching MAC
address entries are found. As a result, the traffic rate may reach the interface bandwidth. When
this occurs, the system records the events in diagnostic logs.
Suggestion: Configure user-side interfaces as edge ports and enable TC protection on them. The
[HUAWEI] stp bpdu-protection
[HUAWEI] stp tc-protection
[HUAWEI] stp edged-port enable
6.2.4 Prevent Two Interconnected Electrical Interfaces from

Working in Half-Duplex Mode After Negotiation
Description: Two interconnected electrical interfaces may choose the half-duplex mode
because, for example, they use different negotiation modes. In this case, packet collisions will
occur when the traffic rate reaches around 15% of the link bandwidth. This causes problems
such as error packets and packet loss.
Reason: Interconnected electrical interfaces may work in half-duplex mode due to inconsistent
negotiation mode, network fault, or other reasons.
Issue 02 (2015-01-20)

291

Maintenance Guide
6 Important Notes
Identification method: Run the display this interface command in the interface view to check
the duplex mode of the interfaces.
[HUAWEI-GigabitEthernet0/0/1] display this interface
..........
Duplex: FULL,
Negotiation: ENABLE
Suggestion: Change the negotiation modes of the interfaces or improve the link quality to ensure
that the interfaces work in full duplex mode.
6.2.5 When Configuring STP on an Eth-Trunk, Set the Cost of the

Eth-Trunk to a Fixed Value
Description: The cost of an Eth-Trunk changes after physical status of Eth-Trunk member
interfaces changes. The change of cost value causes STP convergence, affecting network
services.
Reason: The cost of an Eth-Trunk is the cost of a single member interface divided by the number
of member interfaces. Therefore, changes of member interface status cause changes of the cost
value. Because a smaller cost value indicates higher link quality, you are advised to set the cost
of an Eth-Trunk to a value smaller than cost values of the physical member interfaces.
Identification method: Check whether STP is enabled on an Eth-Trunk.
Suggestion: Set the cost of the Eth-Trunk to a value smaller than cost values of physical member
interfaces.
6.2.6 The S6300 Series Switches Support Copper Transceiver

Modules Since V200R002
Description: 10GE interfaces of the S6300 series switches support copper transceiver modules
in V200R001C01, V200R002, and later versions. The interfaces cannot use copper transceiver
modules in V200R001C00 and earlier versions.
Reason: System software of V200R001 and earlier versions do not support copper transceiver
modules.
Identification method: Run the display version command to check whether the software
version is V200R002 or later.
Suggestion: Use copper transceiver modules on switches running V200R002 or later versions.
Versions involved: S6300 V200R002C00 and later
6.2.7 CSS ID Is a Mandatory Parameter for CSS Configuration

Description: When configuring the CSS feature on two modular switches, you must run the set
css id command to set the CSS IDs of the switches to 1 and 2 respectively.
Reason: The default CSS ID of a modular switch is 1. If you do not change the default setting,
the two switches cannot set up a cluster because of CSS ID conflict.
Issue 02 (2015-01-20)

292

Maintenance Guide
6 Important Notes
Identification method: Run the display css status command to check the CSS parameters on
a switch.
[HUAWEI] display css status
Suggestion: Run the set css id command to change the CSS ID of one switch to 2.
Versions involved: all modular switch versions that support the CSS feature
6.2.8 IPv6 Features of Modular Switches Are Controlled by Licenses

Description: To use IPv6 features on a modular switch, you need to apply for a license.
Reason: IPv6 features of modular switches are license controlled.
Identification method: Run the following command to check whether the switch has loaded
an IPv6 license.
<HUAWEI> display license
Info: No license is activated.
Suggestion: If the preceding information is displayed, apply for an IPv6 license.

Versions involved: all modular switch versions
Issue 02 (2015-01-20)

293

Maintenance Guide
7 Prewarning
Prewarning
You can view prewarning information about the S series switches using the following navigation
path after logging in to http://support.huawei.com/enterprise:
Navigation path: Support > News > Product News > Warning Notices > Enterprise Networking
> Switch > Campus Switch
Table 7-1 List of warning notices about the S series switches
Issue 02 (2015-01-20)
Product
Warning Notice Title
Link
S series
switches
Prewarning for a Failure in Saving

the Configuration File Caused by
Improper Info Display on the
Ethernet Switch
http://support.huawei.com/enterprise/
NewsReadAction.action?
newType=03&contentId=NEWS1000
002855&idAbsPath=03_ROOT|
03Second_0305|7919710|9856733|
7923144
S series
switches
Prewarning for Protocol State

Flapping on an Ethernet Switch
Caused by Delay in Packet
Processing in CPU
http://support.huawei.com/enterprise/
NewsReadAction.action?
newType=03&contentId=NEWS1000
003677&idAbsPath=03_ROOT|
03Second_0305|7919710|9856733|
7923144

294

Sx300 Series Switches Maintenance Guide

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Sx300 Series Switches Maintenance Guide

Transféré par

Droits d'auteur :

Formats disponibles

Sx300 Series Switches

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Industrial Base

Huawei Proprietary and Confidential