More Learning Resources: http://learning.huawei.com/en
The 80/20 rule is widely applicable in work and daily life scenarios. It is also applicable to troubleshooting.
In real network maintenance, most faults are simple, such as network cable problems or IP address configuration.
Therefore engineers who meet the basic requirements can deal with most faults.
A short but strong technical series can direct and open our minds, which helps us solve numerous practical problems and lay a solid foundation for the development of professionals.
Security statement:
and SFTP. FTP, TFTP, and SFTPv1 have security risks, so SFTPv2 is recommended.
If you are a maintenance engineer, read the following precautions before doing your work:
Check whether the fault is an emergency fault. If so, use the pre-defined
restore services.
Take electrostatic discharge (ESD) measures and wear an ESD wrist strap when replacing or maintaining devices.
troubleshooting.
confirm the operation feasibility, back up data, and prepare emergency and
Some faults cause resource or money loss for customers, so maintenance engineers should focus on how to prevent faults and quickly rectify faults. Backing up key data helps you quickly locate and rectify faults. Back up key data as soon as possible when the network runs properly.
fault can be grouped into multiple cause sets, which helps you rectify faults.
The fault symptoms are different, but the root causes are technical issues.
For example, a user cannot access the Internet. Ping the gateway from the PC. The ping operation fails. That is, the PC cannot connect to its gateway.
If you have trouble locating the fault, collect fault information and send the information to Huawei or a Huawei agent for fault analysis.
Fault occurrence time, network topology (for example, location of the faulty device on the network, and upstream and downstream devices connected to the faulty device), operations triggering the fault, measures that you have taken and results, symptom and influence of the fault (for example, on which ports services are affected).
Name, version, current configurations, interfaces of the faulty device. For the
Logs generated when the fault occurs. For the method of obtaining the log
Executing this command requires a long time. You can press Ctrl+C to pause diagnosis information display on screen.
When a large amount of diagnostic information is displayed, the CPU usage may be high in a short period.
Therefore, do not use this command when the system is running properly. Running
device may obviously increase and the device performance may be degraded.
When a device is faulty, collect logs and alarms on the device immediately. These logs and alarms help you know what happened during device operation and where the fault occurred.
Logs, including user logs and diagnostic logs, record user operations, system faults, and system security.
Devices that support log files periodically save them to the local storage device.
Taking Sx7 Chassis switches as an example: By default, the switch records all logs and alarms in log files and saves log files in the logfile folder. The file name is *.log or *.dblg, and the default file size is 8 MB. When the size of a log file exceeds 8 MB, the system compresses the log file into a zip file and names the compressed file saving time.log.zip or saving time.dblg.zip, for example, 2013-06-03.19-49-37.log.zip and 2013-09-11.10-54-52.dblg.zip. The system then records logs and alarms in a new log file.
80% of network faults are caused by simple reasons, for example, cable failures and incorrect configurations.
Analyze problems from simple to complex. In the OSI model, analyze problems from the physical layer first. Then analyze the data link layer and network layer.
If no fault occurs at the network layer, the transport layer will work properly. TCP/IP has been running for dozens of years and is mature. Most application faults are caused by application software.
Problem analysis depends on our knowledge and experience to some degree. Having a good understanding of network protocols helps rapidly analyze and locate network faults.
Highlights of HedEx
Knowledge base is where you learn and share experience. A large collection of cases and technical articles is available. You are more than welcome to submit your own
There are abundant cases to help you solve common issues and complete
All registered users can browse the forums and comments. Huawei engineers are there to give you a real-time response.
When seeking technical assistance, we must analyze the trouble first. Because we are on site, we are the ones who are the most familiar with the troubles.
If we contact others for help without our own analysis, we cannot provide enough information at once, and time may be wasted gathering information again and again.
If we contact others for help after gathering enough information and necessary analysis,
For different regions, Huawei provides different hotline telephone numbers or email addresses. You can find the details at the following web page: Home page > Contact Us > Aftersale Support
http://support.huawei.com/enterprise/NewsReadAction.action?contentId=NEWS1000000563
If a network fault occurs after a configuration operation, it does not mean that the fault is caused by the configuration.
Analyzing the problem and finding out the root cause must be done before deciding whether to recover the configuration.
The compare configuration command checks whether the current configuration is identical to the next startup configuration file.
Note: only the first difference is displayed each time. You need to run the command several times to make sure there is no difference between the running and the saved configuration.
The configuration can be recovered only when a backup configuration file exists, so back up the configuration before any configuration modification.
Answers:
ABCD
ABCD
If the preceding information is displayed, it indicates that the ping failure is caused by a long link transmission delay. Increase the value of the parameter -t.
If the ping operation succeeds after the value of the parameter -t is increased, check the device status and link status to determine if the ping failure is caused by network or device abnormality.
If the ping operation still fails after the value of the parameter -t is increased, go to step 2.
Check whether the ping -f command is executed. If this command is executed, ping packets do not support packet fragmentation. In this case, you need to check whether the MTU value of the outbound interface along the path is smaller than the size of the ping packet. If yes, change the size of the ping packet to a value smaller than the MTU
Check whether the ping -i command is executed to specify the outbound interface of
Ethernet interface, then the destination IP address of the ping operation can only be the IP address of the directly connected interface. If this condition is not met, change
If the route exists and the link along which the ping packet is transmitted is an Ethernet link, run the display arp command to check whether the required ARP entry exists. If not, go to step 9. If yes, go to step 4.
You can determine the direction in which the ping failure occurs based on the numbers of Input/Output packets in the statistics as follows:
- For the source end, the value of Output:echo increases normally and the value of Input:echo does not increase; for the destination end, the values of
destination end does not receive the request. Therefore, it can be concluded that the ping failure occurs in the direction from the source end to the destination end.
- For the destination end, the value of Output:echo increases normally and the value of Input:echo does not increase; for the destination end, the values of
source end sends a request but does not receive any response, and the destination end receives the request and returns a response. Therefore, it can be concluded that the ping failure occurs in the direction from the destination
For details about how to configure ACL rules and the traffic policy command, refer to the product manual.
In the interface view, run the traffic-policy command to apply ACL rules to interfaces in sequence.
- For the ping request sender and receiver: Apply the traffic policy in the inbound
- For the intermediate device(s): Apply the traffic policy in both the inbound and
Run the display traffic policy statistics interface command on each interface in
- If all the ACL rules are matched, ping packets are sent or received normally. If the ping failure persists, collect the preceding information. Then contact Huawei
- If all the ACL rules for incoming and outgoing packets on an intermediate device are matched, it indicates that the intermediate device works properly. In this case, you need to check whether a fault occurs on the source end or destination end.
- If incoming packets on a device do not match the ACL rules, a fault occurs on the upstream device in the corresponding direction of ping packets. In this case, perform step 6 on the fault-related device.
If a device has been attacked by ICMP packets, the rate of ICMP packets sent to the CPU has been reduced or these packets have been dropped to protect against
If either of the preceding two conditions is true, the ping operation fails or ping packets are dropped. In this case, determine whether the related configuration that causes the ping failure can be modified or deleted. Before repeating the ping operation, run the undo command to delete the related configuration. If the ping
Note: The debug function will affect system performance. Therefore, exercise caution before you decide to perform the debugging operation.
The output information of Router A shows that ARP entries have been properly established.
The output information on Router B shows that the MAC address corresponding to the IP address 1.1.1.1 is 0016-ecb9-0eb2, and the entry type "S" indicates that the ARP entry is a static one. However, the output information on Router A shows that the MAC address corresponding to the IP address 1.1.1.1 is not 0016-ecb9-0eb2. Therefore, the fault may have been caused by a failure to update the static ARP
MAC address of the peer device changed, but the static binding of IP+MAC+port number on Router B was not updated. As a result, Router A and Router B cannot ping
bound MAC address is replaced. In this troubleshooting case, if the peer device of Router B is a non-Huawei device and you cannot log in to the device to check its
address of the ping packet is correct: Ping Router B on Router A and at the same time, obtain packets exchanged between Router A and Router B through mirroring. Then, analyze the ping packet to determine whether the destination MAC address
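The mirrored-capture check described above can be automated. The following is an added example, not part of the original course material: it parses captured Ethernet frames and reports every ICMP packet whose destination MAC differs from the MAC actually configured on the interface that owns the destination IP. It assumes 1.1.1.1 is Router A's interface address, as the two outputs suggest; Router B's address and both real interface MACs are constructed values, and the frames are built inline instead of being read from a capture file.

```python
import struct
from ipaddress import IPv4Address

ETH_IPV4, ETH_VLAN, PROTO_ICMP = 0x0800, 0x8100, 1


def mac_to_vrp(raw: bytes) -> str:
    """Render 6 bytes in the xxxx-xxxx-xxxx form used on the page (0016-ecb9-0eb2)."""
    digits = raw.hex()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def mac_from_text(text: str) -> bytes:
    """Accept xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx and return the 6 raw bytes."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw


def parse_icmp_frame(frame: bytes):
    """Return MACs, IPs and ICMP type of an IPv4 ICMP frame, or None for anything else."""
    if len(frame) < 14:
        return None
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == ETH_VLAN:                  # skip one 802.1Q tag
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4           # IPv4 header length in bytes
    if frame[offset] >> 4 != 4 or ihl < 20 or frame[offset + 9] != PROTO_ICMP:
        return None
    if len(frame) < offset + ihl + 1:
        return None
    return {
        "dst_mac": frame[0:6],
        "src_mac": frame[6:12],
        "src_ip": str(IPv4Address(frame[offset + 12:offset + 16])),
        "dst_ip": str(IPv4Address(frame[offset + 16:offset + 20])),
        "icmp_type": frame[offset + ihl],      # 8 = echo request, 0 = echo reply
    }


def find_wrong_destination_macs(frames, interface_macs):
    """interface_macs maps an IP to the MAC really configured on the interface owning it."""
    findings = []
    for index, frame in enumerate(frames):
        pkt = parse_icmp_frame(frame)
        if pkt is None or pkt["dst_ip"] not in interface_macs:
            continue
        expected = mac_from_text(interface_macs[pkt["dst_ip"]])
        if pkt["dst_mac"] != expected:
            findings.append({
                "frame": index,
                "dst_ip": pkt["dst_ip"],
                "sent_to": mac_to_vrp(pkt["dst_mac"]),
                "expected": mac_to_vrp(expected),
                "sender": mac_to_vrp(pkt["src_mac"]),
                "icmp_type": pkt["icmp_type"],
            })
    return findings


def build_icmp_frame(dst_mac, src_mac, src_ip, dst_ip, icmp_type):
    """Constructed test frame; checksums stay 0 because the parser does not verify them."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"ping"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 255, PROTO_ICMP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return (mac_from_text(dst_mac) + mac_from_text(src_mac)
            + struct.pack("!H", ETH_IPV4) + ip + icmp)


ROUTER_A_IP = "1.1.1.1"                # from the page
STALE_STATIC_MAC = "0016-ecb9-0eb2"    # Router B's static entry for 1.1.1.1 (from the page)
ROUTER_A_MAC = "00e0-fc12-3456"        # constructed: MAC now on Router A's interface
ROUTER_B_IP = "1.1.1.2"                # constructed
ROUTER_B_MAC = "00e0-fc65-4321"        # constructed

CAPTURE = [                            # constructed capture: request A -> B, reply B -> A
    build_icmp_frame(ROUTER_B_MAC, ROUTER_A_MAC, ROUTER_A_IP, ROUTER_B_IP, 8),
    build_icmp_frame(STALE_STATIC_MAC, ROUTER_B_MAC, ROUTER_B_IP, ROUTER_A_IP, 0),
]
INTERFACE_MACS = {ROUTER_A_IP: ROUTER_A_MAC, ROUTER_B_IP: ROUTER_B_MAC}

if __name__ == "__main__":
    for f in find_wrong_destination_macs(CAPTURE, INTERFACE_MACS):
        print(f"frame {f['frame']}: {f['dst_ip']} sent to {f['sent_to']}, "
              f"interface MAC is {f['expected']} (sender {f['sender']})")
```

The echo request reaches Router B, but the reply is addressed to the stale static MAC, so Router A never accepts it. The sender MAC in the finding identifies the device whose static entry needs updating.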
Answers: A,D
The Address Resolution Protocol (ARP) is a broadcast protocol, through which a host can dynamically detect the MAC address that maps to an IP address.
Each host has an ARP cache that stores the mapping between IP addresses and MAC addresses. This is the information that the host knows. When host A intends to send an IP packet to host B in the same LAN, it first checks the ARP cache for the IP address of host B. If the IP address of host B is found, host A can find the corresponding MAC address and
Sometimes, host A cannot find the IP address of host B, probably because host B was just connected to the network or because host A was just powered on and its cache is empty. In this case, if host A needs to know the MAC address of host B, host A sends Ethernet frames called ARP requests to every host on the network segment. This process is called broadcast. A request message sent by host A contains the mapping between its own IP address and MAC address as well as the IP address of the destination host to be resolved. After the destination host (host B) receives the request message, it stores the mapping between host A's IP address and MAC address in its cache and sends the mapping between its own IP address and MAC address in response to host A. When receiving the ARP reply, host A obtains the MAC address of host B, and caches the mapping between host B's IP address and MAC address.
Connectivity failure between two directly connected devices (ARP faults further affect other direct-connection-based protocols, such as OSPF, so users will find that the network is disconnected.)
Method of identifying connectivity failure between two directly connected devices: Ping the IP address of the interface through which the remote device directly connects to the local device.
After ARP interaction is complete, directly connected devices should have each other’s cache entries. If either or both devices do not have related cache entries, we can
ARP packets need to be processed by the CPU of a device. Therefore, in addition to packet interaction and transmission environment, errors may also occur when the CPU processes ARP packets.
To troubleshoot ARP faults, we have to find the causes and take appropriate measures.
Low-level faults occur with a higher probability, so we should start with the check for low-level faults.
We also need to pay attention to the VLAN configuration on Layer 2 switches. Interfaces of the host and router in the same network segment must be in the same VLAN.
If a complex Layer 2 network is deployed, we also need to pay attention to the spanning tree status of the switch, and ensure all the interfaces in the link are in Forwarding state.
Note: To display debugging information, run the following commands in the user view:
terminal debugging
terminal monitor
After debugging is complete, disable all debugging functions by running the following
Usually, we use Wireshark to capture and analyze packets. You can obtain this software free of charge from the Internet.
For example, ARP flood attacks may cause persistent high CPU usage. If protective measures have been configured on the device, ARP flood attacks may cause the number of packets to reach the specified threshold, resulting in failure to process valid ARP packets.
CPCAR is a mechanism that protects the CPU of Huawei devices. If the threshold is too
We can run the display arp anti-attack configuration all command to check ARP anti-attack configuration on the device.
We can adjust the security threshold parameter to ensure that ARP packets are received and sent normally.
The packet-type command sets the rate limit for packets sent to the CPU. By default, the device uses the rate limit in the default attack defense policy to limit the rate of protocol packets. You can also create an attack defense policy and run the packet-type command to set the rate limit for packets of a specified protocol. The configured rate limit overrides the default rate limit defined in the default attack defense policy.
Configuration example: Set the rate limit for ARP reply packets to 1260 pps in the attack
<Huawei> system-view
The arp anti-attack rate-limit enable command enables rate limit for ARP packets.
The arp anti-attack rate-limit command sets the maximum rate and rate limit duration of ARP packets globally or on an interface.
If the maximum rate and rate limit duration are configured in the system or interface view,
Failure to ping the gateway is a common network fault and also a typical ARP fault.
In this case, the physical link is working properly and the VLAN configuration on the Layer 2 switch is correct.
In addition, the two PCs use the same link between the switch and router, so you only need to check the link between PC1 and the switch.
Capture packets on the PC to check whether ARP requests were sent normally and ARP replies were received.
In this case, we can find that the PC could send ARP requests normally but did not receive ARP replies. Then we can determine that the fault might occur on the router.
If the configuration is correct, you need to query interface status and ARP table status.
After you configure IP addresses for termination sub-interfaces of two devices, they cannot ping each other. Check whether you have configured the arp broadcast enable command on the interfaces. If this command is not configured, the interfaces cannot initiate ARP requests and will not learn ARP entries.
By default, the arp broadcast enable command is disabled in versions earlier than V200R003C00 and is enabled in V200R003C01 and later versions.
The enterprise network connects to the Internet through the ISP network. It is very likely that faults will occur on the connection between the enterprise network and the ISP network.
Consider: What may not be the causes of the fault discussed in this case?
In fact, checking the ARP table on only the router is not adequate, because the ISP device may have correctly received the ARP request and sent back an ARP reply, but may not have recorded the mapping between the router's IP address and MAC address in its ARP table.
In this case, we cannot check the ISP device, and ISP personnel do not cooperate with us, so we need other methods to verify our hypothesis.
Theoretically, ARP is designed for a device to dynamically obtain the remote device's MAC address, which results in vulnerabilities of the ARP protocol. The ISP has possibly set some limits on the ARP protocol of their own devices, especially the ISP device connecting to the customer's device.
ISPs may have enabled the MAC address binding function on their devices to allow devices with specified MAC addresses to connect to them. To allow new devices to connect to the ISP device, many household routers available in the market support manual configuration of MAC addresses.
The ultimate solution to this fault is to contact the ISP to bind 100.0.0.10 to the MAC address of the new device.
Answers:
AB
In this example:
RTA and RTB are deployed on a LAN. The IP addresses of interconnected interfaces on RTA and RTB are 10.1.1.251/24 and 10.1.1.252/24, respectively. RTA and RTB are associated with the same virtual router, and the virtual router uses 10.1.1.254 as the interface address. All PCs use 10.1.1.254 as the default gateway address, without considering the IP address of the physical interface of the router. VRRP selects the master from VRRP-enabled routers. The master forwards data packets to the virtual router. If the master fails, VRRP selects a new master from other VRRP-enabled routers.
1. Select the master according to the priority. The master can be selected in the following modes:
Compare priorities. The router with a higher priority is selected as the master.
Compare IP addresses when two routers with the same priority compete to be the master. The router with a larger IP address is selected as the master.
In this example:
After the VRRP configuration is complete, internal hosts can access the Internet. When the master becomes Down, internal hosts cannot access external devices. That is, the VRRP active/standby switchover cannot be performed. Check the VRRP status on the two devices. Dual masters exist, which is the common cause of a VRRP active/standby switchover failure. This course uses dual masters as an example to
The configurations of the devices in the VRRP group are different. The VRRP configurations at both ends may be incorrect due to carelessness. For example, the
The link where VRRP Advertisement packets are transmitted is faulty. When working
notify backups in the group that the master works normally. In a VRRP group consisting of one master and one backup, when the backup does not receive packets from the master within the Master_Down_Interval, the backup becomes the master. In a VRRP group consisting of one master and multiple backups, when backups do not receive packets from the master within the period of Master_Down_Interval, multiple masters may exist in a short period. The backups then compare the priorities in the received VRRP packets with local priorities. The backup with the highest priority becomes the master. When the link fails, the backups cannot receive VRRP multicast packets. Then the backup with the highest priority becomes the master.
The VRRP Advertisement packets received by the backup with a lower priority are considered as invalid packets and discarded. For network environments of different security levels, you can set different authentication modes and passwords in the packet headers. On a secure network, you can use the default configuration. The device does not add authentication information to outgoing VRRP packets or authenticate received VRRP packets. That is, it considers all the received VRRP packets as valid packets. Therefore, there is no need to set an authentication key. On a network where authentication needs to be configured, if VRRP authentication information is incorrect, VRRP Advertisement packets are discarded as invalid packets.
Step 1:
Run the display this command on interfaces configured with the VRRP group to check whether the VRRP configurations at both ends are the same. For example, check whether the VRID or virtual IP address at both ends is the same and whether IP
Step 2:
On the devices in the VRRP group and devices where VRRP Advertisement packets pass through, run the display stp brief command to check whether any interface is blocked.
If the value of the STP State field is DISCARDING, the corresponding interface is blocked.
Step 3:
whether the physical status of interfaces is Up and interfaces work stably. If interfaces are not connected correctly, correctly connect the interfaces and ensure that the interface status is Up.
Step 4:
Check whether interfaces configured with the VRRP group can be pinged. If the ping operation fails, check the devices where VRRP Advertisement packets pass through. Run the display current-configuration command to check whether any configuration causes the ping failure.
Step 5:
Run the display vrrp statistics command to check whether the backup with a lower priority receives invalid VRRP Advertisement packets.
Step 6:
Collect the following information and contact Huawei technical support personnel.
Results of the preceding troubleshooting procedure
The IP address of PCA is 10.1.1.1/24, the gateway address is 10.1.1.254, and PCA connects to RTA and RTB through SWA. On GE0/0/0 of RTA, VRRP group 1 is configured, with the virtual IP address of 10.1.1.254 and priority of 200. On GE0/0/0 of RTB, VRRP group 1 is configured, with the virtual IP address of 10.1.1.254 and priority of 150.
After the configuration is complete, ping the address of GE0/0/1 on RTA from PCA. The ping operation succeeds, indicating that the master can work properly. Shut down GE0/0/1 on RTA so that the backup can complete the switchover and become the master, and ping GE0/0/1 on RTB from PCA. The ping operation fails. The VRRP
The display vrrp command displays the VRRP group status and configuration parameters.
Run the display this command on interfaces configured with the VRRP group to check whether the VRRP configurations at both ends are the same. For example, check whether the VRID or virtual IP address at both ends is the same and whether IP addresses of interconnected interfaces are on the same network segment. Here,
The display stp command displays the status of and statistics on spanning tree instances.
instance instance-id: displays the status of and statistics on a specified spanning tree
vsi vsi-name: specifies the name of a VSI. pw pw-name: specifies the name of a PW.
brief: displays brief information about the status of and statistics on spanning tree
The display interface command displays the interface status and statistics.
interface type is not specified, the running status of and statistics on all interfaces are displayed. If the interface number is not specified, the running status of and statistics
slot slot-id: specifies the slot ID of an LPU. The status of and statistics on all
SWA is a Huawei S5700 series switch. By default, the link type of the interface is hybrid and the PVID is VLAN 1. When the PVID of GE0/0/3 is set to VLAN 2, interfaces in other default VLANs cannot communicate. (For details about the hybrid interface,
The undo port hybrid pvid vlan command deletes the PVID of the hybrid interface.
After VLAN 2 of GE0/0/3 on SWA is deleted, the PVID of GE0/0/3 is VLAN 1. GE0/0/3 can communicate with GE0/0/1 and GE0/0/2.
On RTA, ping the VRRP interface on RTB. The ping operation is successful.
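The election rules and dual-master causes covered in this module can be reproduced in a small model. This is an added example, not Huawei code or part of the original course material. It uses the interface addresses, virtual IP and priorities given above, assumes preemption is enabled, assumes RTB is the router behind the port whose PVID was changed, and uses the VRRPv2 (RFC 3768) timer formula. The class, function and scenario names are illustrative.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Router:
    name: str
    ip: str
    priority: int
    vrid: int = 1
    virtual_ip: str = "10.1.1.254"
    auth_key: str = ""      # empty = default configuration, no authentication
    port_vlan: int = 1      # PVID of the switch port this router is attached to


def rank(router: Router):
    """Higher priority wins; the larger interface IP breaks a tie."""
    return (router.priority, int(IPv4Address(router.ip)))


def master_down_interval(priority: int, advert_interval: float = 1.0) -> float:
    """VRRPv2: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - priority) / 256."""
    return 3 * advert_interval + (256 - priority) / 256


def reject_reason(receiver: Router, sender: Router):
    """Why receiver never counts an Advertisement from sender; None if it is accepted."""
    if receiver.port_vlan != sender.port_vlan:
        return "Layer 2: Advertisement not delivered (ports in different VLANs)"
    if receiver.vrid != sender.vrid:
        return "configuration: VRID differs"
    if receiver.virtual_ip != sender.virtual_ip:
        return "configuration: virtual IP address differs"
    if receiver.auth_key != sender.auth_key:
        return "authentication: key mismatch, packet discarded as invalid"
    return None


def elect(routers):
    """Steady state: a router is Backup only if it accepts Advertisements
    from a Master that outranks it; otherwise its timer expires and it is Master."""
    masters, states = [], {}
    for router in sorted(routers, key=rank, reverse=True):
        if any(reject_reason(router, m) is None for m in masters):
            states[router.name] = "Backup"
        else:
            states[router.name] = "Master"
            masters.append(router)
    return states


def diagnose(routers):
    """Return (states, findings); each finding explains one pair of simultaneous Masters."""
    states = elect(routers)
    masters = [r for r in routers if states[r.name] == "Master"]
    findings = []
    for i, first in enumerate(masters):
        for second in masters[i + 1:]:
            low, high = sorted((first, second), key=rank)
            findings.append((high.name, low.name, reject_reason(low, high)))
    return states, findings


RTA = Router("RTA", "10.1.1.251", 200)   # values from the page
RTB = Router("RTB", "10.1.1.252", 150)   # values from the page

SCENARIOS = {                            # constructed variations of the page's case
    "healthy": [RTA, RTB],
    "pvid_mismatch": [RTA, replace(RTB, port_vlan=2)],
    "auth_mismatch": [replace(RTA, auth_key="placeholder-key"), RTB],
    "equal_priority": [replace(RTA, priority=100), replace(RTB, priority=100)],
    "master_failed": [RTB],
}

if __name__ == "__main__":
    for label, routers in SCENARIOS.items():
        states, findings = diagnose(routers)
        print(label, states)
        for high, low, reason in findings:
            print(f"  dual master: {low} ignores {high} -> {reason}")
    print("RTB Master_Down_Interval (s):", master_down_interval(150))
```

In the PVID and authentication scenarios both routers report Master, which matches the symptom in this case: the failover appears broken because RTB was never actually tracking RTA.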
On RTA and RTB, run the display vrrp interface GigabitEthernet 0/0/0 command to check whether the VRRP status is normal.
The command outputs show that the VRRP statuses of RTA and RTB are Master and
Master the principle and working mechanism of VRRP, which helps you troubleshoot VRRP faults.
When you encounter a fault, run display commands to check the configurations and
Check the Layer 2 switching network. In most cases, faults are caused by Layer 2 links. To rectify faults of any protocols, perform the check from the lower layer to the higher layer.
False
ABCD
Network loops also result in broadcast storms, render the MAC address table
unstable, and cause network and routing black holes. Special tools are required to

Layer 2 loop: Due to redundant links, data frames are circularly forwarded at the link
layer.

Layer 3 loop: Due to incorrect routes, data packets are circularly forwarded at the
network layer until the TTL value decreases to 0, and are then discarded.
Spanning Tree Protocol (STP) is enabled on Huawei switches to remove loops. If
STP is disabled manually and there are redundant links on networks, Layer 2 loops
may occur. As a result, data frames are circularly forwarded between switches,
resulting in a broadcast storm. In addition, switches will update MAC address entries

Routers are network-layer devices responsible for selecting routes for IP packets
and forwarding them. When Layer 3 loops occur, data packets are circularly forwarded

Run the display cpu-defend statistics command to check statistics on packets sent
to the CPU.

LDT: loop-detection
The disp interface Ethernet brief command is used to view Ethernet port status. You can
run this command to obtain the physical status, auto-negotiation mode, duplex mode,
interface rate, and latest average inbound and outbound bandwidth utilization of a
port.

The preceding figure shows that large traffic occurs on two ports of a device. The two
ports of the device may be looped.
retry-times retry-times: Specifies the number of retry times before the specified

The display loop-detect eth-loop [ vlan vlan-id ] command is used to view the result
of MAC address flapping detection.
MAC address flapping occurs when a MAC address is learned by two interfaces in
the same VLAN. The MAC address entry learned later replaces the earlier one.
Under normal circumstances, MAC address flapping does not repeatedly occur in a
short period. MAC address flapping is usually caused by loops. When a loop occurs
and causes a broadcast storm, all the switches affected by the broadcast storm
encounter MAC address flapping. Therefore, MAC address flapping detection can be

By running the display loop-detection command, you can check whether loop
detection is enabled. If loop detection is enabled, the system displays the loop
detection interval, ID of the VLAN where loop detection is enabled, and the ports that
are blocked, shut down, and disabled from learning MAC addresses.
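
The MAC address flapping condition described above (one MAC address learned on two interfaces in the same VLAN, repeatedly within a short period) can be detected from a stream of MAC-learning events. The following is an added example, not code from the original course material; the event tuple format, the window and threshold values, and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque


def detect_mac_flapping(events, window=10.0, threshold=3):
    """Return {(vlan, mac): [ports]} for MAC entries that moved between ports
    at least `threshold` times within `window` seconds.

    events: iterable of (timestamp_seconds, vlan, mac, port).
    """
    last_port = {}                 # (vlan, mac) -> port of the current entry
    recent = defaultdict(deque)    # (vlan, mac) -> (ts, old_port, new_port)
    flapping = {}
    for ts, vlan, mac, port in sorted(events):
        key = (vlan, mac.lower())
        prev = last_port.get(key)
        last_port[key] = port      # the entry learned later replaces the earlier one
        if prev is None or prev == port:
            continue               # first learning or refresh on the same port
        moves = recent[key]
        moves.append((ts, prev, port))
        while ts - moves[0][0] > window:
            moves.popleft()        # forget moves outside the time window
        if len(moves) >= threshold:
            ports = {p for _, old, new in moves for p in (old, new)}
            flapping[key] = sorted(ports)
    return flapping


def suspect_loop_ports(flapping, min_macs=2):
    """Group flapping MACs by (vlan, ports). Several MACs flapping between the
    same ports point to a loop rather than to one misbehaving host."""
    counts = defaultdict(int)
    for (vlan, _mac), ports in flapping.items():
        counts[(vlan, tuple(ports))] += 1
    return {key: n for key, n in counts.items() if n >= min_macs}


# Constructed sample: two MACs bounce between GE0/0/1 and GE0/0/2 in VLAN 10,
# while a third host in VLAN 20 is simply moved once to another port.
SAMPLE_EVENTS = [
    (0.0, 10, "00e0-fc12-3456", "GE0/0/1"),
    (0.2, 10, "00e0-fc65-4321", "GE0/0/2"),
    (0.5, 10, "00e0-fc12-3456", "GE0/0/2"),
    (0.7, 10, "00e0-fc65-4321", "GE0/0/1"),
    (1.0, 10, "00e0-fc12-3456", "GE0/0/1"),
    (1.2, 10, "00e0-fc65-4321", "GE0/0/2"),
    (1.4, 10, "00e0-fc12-3456", "GE0/0/2"),
    (1.6, 10, "00e0-fc65-4321", "GE0/0/1"),
    (2.0, 20, "00e0-fcaa-bbcc", "GE0/0/3"),
    (300.0, 20, "00e0-fcaa-bbcc", "GE0/0/4"),
]

if __name__ == "__main__":
    result = detect_mac_flapping(SAMPLE_EVENTS)
    for (vlan, mac), ports in result.items():
        print(f"VLAN {vlan}: {mac} flaps between {', '.join(ports)}")
    print("Suspected loop:", suspect_loop_ports(result))
```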
Removing the port from the VLAN where the loop is detected: When MAC address
flapping occurs on a port with a loop prevention action configured, the switch
performs the configured action. When the action is set to error-down, the switch shuts
down the port. When the action is set to quit-VLAN, the switch removes the port from
the VLAN where MAC address flapping occurs. Only one port can be shut down
during one aging period. By default, a port that is removed from a VLAN joins the
VLAN again 10 minutes later. Do not use the quit-VLAN action in conjunction with the

Shutting down the port where the loop is detected: If a port in a VLAN is set to
shutdown mode, the port will be shut down automatically when a loop is detected.

Removing the optical cable from the looped device: Remove the loop by disabling the
physical link.
2. Check for MAC address flapping by enabling MAC address flapping detection in
the VLAN.

4. Confirm that a loop occurs. Find that the ports where the loop occurs are FE0/0/1

Layer 2 loop, follow the Layer 2 loop troubleshooting procedure to identify the devices
where the loop occurs and remove the loop immediately to ensure that services run
properly. Then, analyze the devices and identify causes to rectify the fault.
Common causes:

1. Ping the IP address of the destination network. If it can be pinged, the loop occurs on
the destination network. If it cannot be pinged, the loop may be between the source

2. Use the tracert command to trace the destination IP address to check for the nodes
where data packets are discarded due to loops when they are transmitted from the
source IP address to the destination IP address.

The tracert command traces the gateways that packets pass through from the
source host to the destination host. This helps check network connectivity and
locate network faults.

Host specifies the domain name or IPv4 address of the destination host.

3. The node where data packets are discarded is found, indicating that the loop may
occur between the node and its neighboring node. Troubleshoot the node.
1. Perform Tracert tests and find that the loopback nodes are R1 and R3.

3. The current data forwarding route is PC A->S1->R1->R3->R2, indicating that the fault
occurs on R3.

4. Check the routing table on R3. A route is destined for R2 and is incorrect.
Check routes on the node where the original data forwarding route is changed:
First, check the routing table to find out the incorrect route. Then, check the current
route configuration and identify causes such as incorrect configuration, redundant

The PC can ping the gateway, indicating that the path from the user to the gateway
works properly. However, PC 1 cannot ping a public IP address and AR2200 cannot
ping a public IP address. Tracert tests on a public IP address show that data packets
are looped on AR2200 until TTLs reach 0. According to the original forwarding route,
data packets should be forwarded to the next hop on the public network after they
reach AR2200. However, they are looped between 172.16.21.1 and 172.16.21.2 now,

Correctly configure next hops and delete unnecessary configurations. Otherwise, the
route to the intranet takes effect after a board is added, resulting in loops.

Before adding a board, you must confirm whether the board will affect the current
configuration.
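
The Layer 3 loop signature used in the tracert step and in the AR2200 case above, where the same hop addresses repeat until the TTL runs out, can be picked out of tracert output automatically. The following is an added example, not part of the original course material; the simplified output format, the first-hop and destination addresses, and the timings are constructed, and only the two looping addresses are taken from the case.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hops(tracert_text):
    """Return [(ttl, address or None)] from tracert-style output.

    Lines that do not start with a hop number (banner, prompts) are skipped;
    a hop that timed out ("* * *") is recorded with address None.
    """
    hops = []
    for line in tracert_text.splitlines():
        match = HOP_RE.match(line)
        if match:
            token = match.group(2)
            hops.append((int(match.group(1)), token if IPV4_RE.match(token) else None))
    return hops


def find_routing_loop(tracert_text, min_repeats=2):
    """Return the repeating hop cycle, or None if the path does not loop.

    A loop is reported when a sequence of hop addresses repeats back to back
    at least `min_repeats` times.
    """
    hops = parse_hops(tracert_text)
    addrs = [addr for _, addr in hops]
    first_seen = {}
    for i, addr in enumerate(addrs):
        if addr is None:
            continue
        if addr not in first_seen:
            first_seen[addr] = i
            continue
        start = first_seen[addr]
        cycle = addrs[start:i]          # candidate cycle between the two sightings
        repeats, pos = 0, start
        while addrs[pos:pos + len(cycle)] == cycle:
            repeats += 1
            pos += len(cycle)
        if repeats >= min_repeats:
            return {"first_ttl": hops[start][0], "cycle": cycle, "repeats": repeats}
    return None


# Constructed sample output: after the first hop, packets bounce between
# 172.16.21.2 and 172.16.21.1 instead of moving towards the destination.
SAMPLE_TRACERT = """\
 traceroute to 203.0.113.10(203.0.113.10), max hops: 30, packet length: 40
 1 192.168.1.1 2 ms 1 ms 1 ms
 2 172.16.21.2 3 ms 2 ms 2 ms
 3 172.16.21.1 3 ms 3 ms 2 ms
 4 172.16.21.2 4 ms 3 ms 3 ms
 5 172.16.21.1 4 ms 4 ms 4 ms
 6 172.16.21.2 5 ms 5 ms 4 ms
"""

if __name__ == "__main__":
    loop = find_routing_loop(SAMPLE_TRACERT)
    if loop:
        print("Loop starts at TTL", loop["first_ttl"], "between", " and ".join(loop["cycle"]))
```

The routing tables to inspect first are those of the devices that own the addresses in the reported cycle.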
Answer to question 2: D
Answer to question 1: D
software such as that offered in the Microsoft Windows operating system. The
supplicant must support the Extensible Authentication Protocol over LAN
(EAPoL).

Port Access Entity (PAE): PAE is an entity that implements algorithms and protocol
operations in 802.1X authentication.

Controlled interface: In authorized mode, the controlled interface transmits service packets
in both directions. In unauthorized mode, the controlled interface cannot receive packets
from the supplicant.

Uncontrolled interface: The uncontrolled interface is mainly used to transmit EAPoL frames
in both directions to ensure that the supplicant can send and receive authentication
packets at any time.
When a user needs to access an external network, the user starts the 802.1X client
program, enters the registered user name and password, and initiates a connection
request. At this time, the client sends an authentication request frame (EAPOL-Start) to the

After receiving the authentication request frame, the device sends an identity request
frame (EAP-Request/Identity), requiring the client to send the user name that has been
entered.

In response to the request sent by the device, the client sends an identity response frame

The device encapsulates the EAP packet in the response frame sent by the client into a
RADIUS packet (RADIUS Access-Request) and sends the RADIUS packet to the

After receiving the user name forwarded by the device, the RADIUS server searches the
user name table in the database for a password corresponding to the user name, encrypts
the password with a randomly generated MD5 Challenge, and at the same time, sends the
MD5 Challenge in a RADIUS Access-Challenge packet to the device.

The device forwards the MD5 Challenge sent by the RADIUS server to the client.

After receiving the MD5 Challenge from the device, the client encrypts the password with
the MD5 Challenge, generates an EAP-Response/MD5 Challenge packet, and sends the
packet to the device.

The device encapsulates the EAP-Response/MD5 Challenge packet into a RADIUS packet
(RADIUS Access-Request) and sends the RADIUS packet to the RADIUS server.

The RADIUS server compares the received encrypted password with the locally encrypted
password. If the two passwords are the same, the user is an authorized user, and the
RADIUS server sends a packet indicating that the authentication succeeds
(RADIUS Access-Accept) to the device.

After receiving the RADIUS Access-Accept packet, the device sends an EAP-Success frame
to the client, changes the interface state to authorized, and allows the user to access the
network through the interface.

When the user is online, the device periodically sends handshake packets to the client to

After receiving a handshake packet, the client sends a response packet to the device,
indicating that the user is still online. By default, the device disconnects the user if it does
not receive any response from the client after sending two consecutive handshake packets.
The handshake mechanism allows the device to detect unexpected user disconnections.

If the user wants to go offline, the client sends an EAPOL-Logoff frame to the device.

The device changes the interface state from authorized to unauthorized and sends an
EAP-Failure packet to the client.
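
The relay-mode exchange described above, with both sides computing the MD5 Challenge value and the server comparing them, is shown below as an added example that is not part of the original course material. It assumes the value is MD5(identifier || password || challenge) as defined for CHAP in RFC 1994 and reused by the EAP MD5-Challenge type, which the text does not spell out; the class and function names, the user name and the password are constructed.

```python
import hashlib
import hmac
import os


def md5_challenge_value(identifier, password, challenge):
    """Value carried in EAP-Response/MD5 Challenge: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class RadiusServer:
    """Constructed stand-in for the RADIUS server and its user name table."""

    def __init__(self, users):
        self.users = users      # user name -> password bytes
        self.pending = {}       # user name -> (identifier, challenge)
        self.next_id = 1

    def on_identity(self, user):
        if user not in self.users:
            return "RADIUS Access-Reject", None, None
        identifier, challenge = self.next_id, os.urandom(16)   # random MD5 Challenge
        self.next_id = self.next_id % 255 + 1
        self.pending[user] = (identifier, challenge)
        return "RADIUS Access-Challenge", identifier, challenge

    def on_response(self, user, value):
        identifier, challenge = self.pending.pop(user)          # challenge is single-use
        expected = md5_challenge_value(identifier, self.users[user], challenge)
        ok = hmac.compare_digest(expected, value)               # constant-time compare
        return "RADIUS Access-Accept" if ok else "RADIUS Access-Reject"


def relay_mode_login(server, user, typed_password):
    """Walk one login and return (message trace, resulting interface state).

    The device only relays: the password itself never appears in any message.
    """
    trace = ["EAPOL-Start", "EAP-Request/Identity",
             "EAP-Response/Identity", "RADIUS Access-Request"]
    verdict, identifier, challenge = server.on_identity(user)
    trace.append(verdict)
    if verdict == "RADIUS Access-Challenge":
        trace.append("EAP-Request/MD5 Challenge")
        value = md5_challenge_value(identifier, typed_password, challenge)  # client side
        trace += ["EAP-Response/MD5 Challenge", "RADIUS Access-Request"]
        verdict = server.on_response(user, value)
        trace.append(verdict)
    authorized = verdict == "RADIUS Access-Accept"
    trace.append("EAP-Success" if authorized else "EAP-Failure")
    return trace, "authorized" if authorized else "unauthorized"


SERVER = RadiusServer({"user1": b"Example@123"})   # constructed credentials

if __name__ == "__main__":
    for password in (b"Example@123", b"wrong-password"):
        trace, state = relay_mode_login(SERVER, "user1", password)
        print(state, "<-", " | ".join(trace))
```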
The difference between the 802.1X authentication process in EAP termination mode and
that in EAP relay mode is as follows: In EAP termination mode, the device generates an
MD5 Challenge for user password encryption, and then sends the user name, MD5
Challenge, and password encrypted on the client to the RADIUS server for authentication.
Client: An incorrect user name or password is entered on the client. Therefore, the
authentication fails.

Device: The 802.1X function is not enabled globally and on the interface at the same time.
AAA settings are incomplete or the device is not properly connected with the
authentication server.

Server: Settings of user names or passwords are incorrect on the authentication server.
If the RADIUS server does not work properly, you need to check whether the RADIUS
server can be pinged and whether the settings on the RADIUS server are correct. If you still
cannot solve the problem, you need to collect information by enabling the debugging
radius function and report the collected information to Huawei engineers for
troubleshooting.
Low-level faults are more likely to occur. Therefore, you need to troubleshoot low-level
faults first.

You can run commands to check device interface status, for example, run the display
interface GigabitEthernet0/0/1 command to check physical status of interfaces
and protocol.

The link between the client and switch cannot be pinged because the switch runs
the dot1x enable command automatically. This is normal. Before you check
whether the link is reachable, you need to disable the dot1x function on
interfaces.
Run the display aaa configuration command to check the AAA summary.

The test-aaa command tests whether a user can be authenticated using RADIUS
authentication.

Login tests on the device help Huawei technical support personnel locate faults.
In this case, the link between the client and switch cannot be pinged because the
switch runs the dot1x enable command automatically. This is normal.

You can check address settings or test connections after running the undo dot1x
enable command.
In this case, the dot1x enable command is run on the interface of the switch. However,
the output of the global display dot1x statistics command shows that "Global 802.1x is
Disabled".
Before configuring the 802.1X feature on Ethernet interfaces, you must run this command
to enable the 802.1X feature. Only specified Layer 2 physical interfaces support the
802.1X feature.

<sysname> system-view

operations.
In this case, we checked key settings and found that the dot1x function is enabled globally
and on the interfaces and dot1x status is normal.
online indicates that no special processing is adopted and the accounting is taken as
successful if starting remote accounting fails.

offline indicates that online services become unavailable to users when starting remote
accounting fails.
B
B
The IPSec VPN architecture consists of AH, ESP, and IKE. IPSec uses ESP to ensure
confidentiality of IP data during transmission, and uses AH and ESP to implement data origin
authentication, data integrity check, and anti-replay. ESP and AH define protocol and
payload header formats and available services, but do not define the specific transcoding
modes to implement the preceding services. Transcoding modes include data conversion
modes, for example, algorithm and key length. To simplify the usage and management of
IPSec, IPSec uses IKE to exchange keys and create and maintain security associations

AH supports data integrity check, data origin authentication, and anti-replay. However,

ESP, in addition to providing all the functions provided by AH (the IP packet header is

Initiator’s Cookie (SPI): is used by the initiator to uniquely identify an IKE SA. The
value cannot be 0.

Responder’s Cookie (SPI): is used by the responder to uniquely identify an IKE SA.

Next Payload: identifies the type of the next payload following the Authentication
Header. If the current payload is the last in the message, this field will be 0. This field
provides a "chaining" capability between payloads. Additional payloads can be added
to a message by appending it to the end of the message and setting the Next Payload
field of the preceding payload to indicate the new payload's type.

Exchange Type: indicates the type of exchange being used. This field constrains the
payloads sent in each message and message exchange sequence. Phase 1 operates
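
The header fields listed above, and the Next Payload chaining in particular, can be seen by decoding a captured IKEv1 message. The following parser is an added example, not part of the original course material; it assumes the 28-byte ISAKMP header and 4-byte generic payload header layout of RFC 2408, and the sample message bytes are constructed.

```python
import struct

# Initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total length (network byte order, 28 bytes).
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "Notification", 12: "Delete", 13: "Vendor ID"}


def parse_isakmp(data):
    """Decode the ISAKMP header and follow the Next Payload chain."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msg_id, length = ISAKMP_HEADER.unpack_from(data)
    if icookie == b"\x00" * 8:
        raise ValueError("initiator cookie must not be 0")
    if length != len(data):
        raise ValueError("length field does not match the captured size")
    info = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),   # all zeros in the first message
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange_type": EXCHANGE_TYPES.get(xchg, f"type {xchg}"),
        "encrypted": bool(flags & 0x01),
        "message_id": msg_id,
        "payloads": [],
    }
    offset = ISAKMP_HEADER.size
    while nxt != 0 and not info["encrypted"]:   # encrypted bodies cannot be walked
        if offset + 4 > length:
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack_from("!BBH", data, offset)
        if plen < 4 or offset + plen > length:
            raise ValueError("bad payload length")
        info["payloads"].append(PAYLOAD_TYPES.get(nxt, f"type {nxt}"))
        nxt, offset = following, offset + plen  # 0 ends the chain
    return info


def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_sample_main_mode_msg1():
    """Constructed first main-mode message: SA payload, then a Vendor ID payload."""
    body = _payload(13, b"\x00" * 8) + _payload(0, b"V" * 16)   # filler bodies
    header = ISAKMP_HEADER.pack(bytes.fromhex("1122334455667788"), b"\x00" * 8,
                                1, 0x10, 2, 0, 0, ISAKMP_HEADER.size + len(body))
    return header + body


if __name__ == "__main__":
    for key, value in parse_isakmp(build_sample_main_mode_msg1()).items():
        print(f"{key}: {value}")
```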

The packet exchange process in main mode in IKE negotiation phase 1 is as follows:

① The initiator sends an SA payload that contains IKE proposals to implement IKE
proposal negotiation.

③ The initiator and responder exchange the DH public keys (KE payload) and random
values (Ni and Nr payloads). Ni and Nr are required to calculate the pre-shared key

④ The initiator and responder exchange the DH public keys (KE payload) and random

⑤ The initiator and responder exchange the identity IDs (ID payload) and authenticate
the hash values (AUTH payload). Messages (5) and (6) are encrypted and the
encryption key is the one generated in messages (3) and (4) to protect the identity
information.

⑥ The initiator and responder exchange the identity IDs (ID payload) and authenticate

Besides the main mode, the aggressive mode can also be used in phase 1. The
difference between the two modes is that the aggressive mode uses three-phase

To ensure that a negotiation is successful, the responder must be able to receive
ISAKMP messages from the initiator. To ensure that the responder can receive
ISAKMP messages, the remote address must be configured on the initiator using the
remote-address command and the route between the peers must be reachable.
The packet exchange process in quick mode in IKE negotiation phase 2 is as follows:

① The initiator and responder negotiate the IPSec proposal (SA payload) and the DH
group (KE payload) used by the Perfect Forward Secrecy (PFS). The initiator and
responder exchange the identity ID (the ID payload is optional) and the hash value
(the AUTH payload). IDci and IDcr are in the ID payload. They are used to exchange
traffic selection identifiers and ensure that both ends protect the same data flows.

② The initiator and responder negotiate the IPSec proposal (SA payload) and the DH
group (KE payload) used by the Perfect Forward Secrecy (PFS). The initiator and
responder exchange the identity ID (the ID payload is optional) and the hash value

③ The initiator sends the integrity authentication hash value to acknowledge the
negotiation success.

The IPSec SA cannot be established if the IPSec proposals, PFS, or ACL rules on the

IPSec VPN faults are categorized based on the stage during which a fault occurs. IKE
negotiation failures are key problems in IPSec faults. Other faults are caused by

on actual networking.

An IKE negotiation involves two phases. In phase 1, IKE SAs are created to provide
secure channels for IPSec SA negotiation in phase 2. Common causes of negotiation
failures in phase 1 include incorrect configuration of the route and other parameters
on the IKE peer. Common causes of negotiation failures in phase 2 include

A route (usually a default route) to the private network where the IKE peer resides
must exist in the routing table. The outbound interface of the route is the interface to
which the IPSec policy is applied. If packets do not match the route, the packets are
discarded. If the outbound interface of the matched route is not the interface to which
the IPSec policy is applied, the packets cannot be sent to the IPSec module and will

IPSec VPN data usually flows between security zones, so you must configure
interzone packet filtering to permit the traffic between the source zone (where the
internal interface resides) and the destination zone (where the external interface to
which the IPSec policy is applied resides). Otherwise, packets are discarded.
First, check whether IKE negotiations, including the IKE SA and IPSec SA
negotiations, fail. Then, check firewall configurations and other configurations.

Run the display ipsec statistics command. If the value of IKE packet inbound is 0
on the responder, the responder does not receive any IKE negotiation packet.

Run the undo ipsec policy command to unbind IPSec policies from interfaces at
both ends of the IPSec tunnel and check whether the interfaces can ping each

After checking the interfaces and IP connectivity, run the ipsec policy command to

3. Check whether the peer gateway on the local device matches the local address on

Run the display ike peer name peer-name command to check whether the
remote address is the same as the IP address on the remote device.

Check other configurations on IKE peers, including negotiation modes, identity IDs,

4.
Run the display ike proposal command to check whether the following

1. Check ACL configurations. IKEv1 requires that ACLs on both ends mirror each other
or ACLs on the initiator are a subset of the ACLs on the responder.

Run the display ipsec policy command to check numbers of ACLs referenced in
IPSec policies.

Run the display acl acl-number command to check whether the configurations of

Run the display ipsec proposal command to check whether both ends use the

Run the display ipsec policy command to check whether both ends have PFS
enabled and use the same DH group.
2. Check the IP connectivity between the gateway and remote private network.

Run the display ip routing-table command. The command output shows that the
route to the remote private network exists and the outbound interface of the

Run the display policy interzone command to check whether protected data
flows can be sent from the trust zone to the untrust zone.

Run the display this command in the interface view to check whether IPSec

Run the display ipsec policy command to check numbers of ACLs referenced in
IPSec policies.

Run the display acl acl-number command to check whether the ACL
configurations are correct.
In this case, the fault is caused by configuring a secondary IP address. The root
cause may be that the remote gateway address on the local device does not match
the local address on the remote end. Run the display ike peer command. The
command output shows that the value of RemoteAddr on FW A is different from the
value of local-address on FW B.
After modifying configurations on the IKE peer, you may need to perform a ping
operation to trigger the IKE negotiation.
In this case, the cause of the IKE negotiation failure is that the remote gateway
address on the local device does not match the local address on the remote end

Because basic configurations, such as IP address, route, and interzone policy, are
correct, and the display ike sa command output shows that the SA is abnormal. The

Analyze all possible causes in IKE negotiation phase 1 and phase 2. The display acl
command output shows that ACL configurations are different on the two ends,
resulting in an IPSec SA negotiation failure in IKE negotiation phase 2.
IKEv1 requires that ACLs on both ends mirror each other or the ACL on the initiator is
a subset of the ACL on the responder. In IKEv2 negotiation, the intersection of ACL

In practice, it is recommended that you configure the ACLs at both ends to mirror
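
The IKEv1 rule stated above (the ACLs mirror each other, or the initiator's ACL is a subset of the responder's) can be checked offline from the two rule sets before a phase 2 failure is chased on the devices. The following is an added example, not part of the original course material; it assumes each ACL rule is reduced to an IPv4 (source, destination) network pair, and the rule sets are constructed.

```python
import ipaddress


def _parse(rules):
    """Turn (source, destination) strings into pairs of IPv4 networks."""
    return {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in rules}


def check_ikev1_acls(initiator_rules, responder_rules):
    """Classify two ACLs as 'mirror', 'subset' or 'mismatch'.

    Returns (verdict, uncovered), where `uncovered` lists the initiator flows
    that no responder rule protects in the reverse direction.
    """
    init, resp = _parse(initiator_rules), _parse(responder_rules)
    # Mirror: every initiator rule appears on the responder with source and
    # destination swapped, and the responder has nothing else.
    if {(dst, src) for src, dst in init} == resp:
        return "mirror", []
    uncovered = []
    for src, dst in sorted(init):
        # The responder's source must contain the initiator's destination and
        # the responder's destination must contain the initiator's source.
        covered = any(dst.subnet_of(r_src) and src.subnet_of(r_dst)
                      for r_src, r_dst in resp)
        if not covered:
            uncovered.append(f"{src} -> {dst}")
    return ("subset", []) if not uncovered else ("mismatch", uncovered)


# Constructed rule set for the responder: protects 10.1.2.0/24 -> 10.1.1.0/24.
RESPONDER_ACL = [("10.1.2.0/24", "10.1.1.0/24")]

# Constructed initiator variants and the verdict each one produces.
INITIATOR_VARIANTS = {
    "exact mirror": [("10.1.1.0/24", "10.1.2.0/24")],
    "narrower source": [("10.1.1.0/25", "10.1.2.0/24")],
    "wider source": [("10.1.0.0/16", "10.1.2.0/24")],
    "wrong destination": [("10.1.1.0/24", "10.1.3.0/24")],
}

if __name__ == "__main__":
    for name, acl in INITIATOR_VARIANTS.items():
        verdict, uncovered = check_ikev1_acls(acl, RESPONDER_ACL)
        print(f"{name}: {verdict} {uncovered}")
```

The "wider source" variant shows that the subset relation is directional: the same two rule sets pass when the roles of initiator and responder are swapped.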
Answers: 1. ABCD 2. B
There are many vendors in the network field and interconnection faults are various,
but the roadmap and methods for troubleshooting faults in direct interconnections are
similar.

firewall devices. This document does not discuss faults in interconnections of other
devices.

This document does not discuss device faults caused by software and hardware
issues of devices.

Interconnection faults involve devices of multiple parties. You are advised to obtain

Why do interconnection faults occur on devices that comply with the same standards?
interconnected devices.

You need to pay attention to this operation because some default settings may

necessary.
(signal or data) to the sender. If the sender receives the returned data, the link works
properly.

loopback remote: The local device loops back the packets received from its peer
device to the peer device to test whether the link between the two devices works
properly.
Low-level faults are more likely to occur. Therefore, you need to troubleshoot
low-level faults first.

You can run the display interface/show interface [type slot/port] command to view
interface settings and status and check whether error packets exist on interfaces.

collect all important diagnosis information on a device. You are advised to use this
command only when a system is remotely accessible or the local troubleshooting time
is limited.
You need to carefully check product documents of vendors and the latest protocols
and standards to confirm whether vendors use the same mechanisms to implement
protocols.
This is the most common interconnection fault. After direct
interconnection, interfaces cannot go up and links fail.
Besides hardware loopback tests, you can also interconnect two devices of the same
model of the same vendor to verify the interconnection.

If the interconnection between the two devices works properly, you can also infer that

Based on the physical feature, XGE interfaces work in the following modes:

LAN mode: XGE interfaces working in LAN mode transmit Ethernet packets and
connect to Ethernet networks.

WAN mode: XGE interfaces working in WAN mode transmit synchronous digital
hierarchy (SDH) frames and connect to SDH networks. Interfaces working in WAN

These two modes are used in different types of networks. Two interfaces working in

Note: Run the shutdown command to disable the interface before configuration and
run the undo shutdown command to enable it.
This case analyzes the differences between the mechanisms used to implement LACP to
demonstrate the process of troubleshooting protocol-related interconnection faults.
By replacing the devices, we determine that the fault is an interconnection fault and
the devices are free of hardware faults.
Because many vendors implement LACP by using mechanisms that are different from
those specified in the standard protocol, we boldly make this assumption and adopt
Answer:
ABCD
The following assumes that RTA sends the first Hello packet.
1. RTA sends the first Hello packet with an empty neighbor list. After receiving the
Hello packet, RTB adds a neighbor entry of RTA on the receiving port and
2. RTB sends a Hello packet containing RTA in the neighbor list to RTA. After
receiving the Hello packet, RTA adds a neighbor entry of RTB on the receiving
port and changes the neighbor status from Down to Init. RTA is in the neighbor
3. After the neighbor state becomes ExStart, RTA sends a Database Description
(DD) packet to RTB. After receiving the DD packet, RTB in Init state generates
4. After the neighbor state machine becomes ExStart, RTA sends the first DD
RTB is assumed to be larger than that of RTA; therefore, RTB should function
as the master router. After router IDs are compared, RTA generates a
NegotiationDone event and changes its neighbor state machine from ExStart to
Exchange.
6. In Exchange state, RTA sends a new DD packet containing summary
information about the local link state database (LSDB). In the DD packet, DD
Sequence Number is set to the same as that in the DD packet received from
RTB, M-bit is set to 0 indicating no additional DD packet required for describing
the local LSDB, and MS-bit is set to 0 indicating that RTA advertises itself as
the slave router. After receiving this DD packet, RTB generates a
NegotiationDone event and changes its neighbor state machine from ExStart to
Exchange.
7. In Exchange state, RTB sends a new DD packet containing description about
the local LSDB. In this DD packet, DD Sequence Number is increased by 1
(y+1).
8. RTA, as the slave router, needs to acknowledge each DD packet from RTB
even though RTA does not need to update its LSDB using new DD packets.
to RTB.
changes its status to Loading. After receiving all DD packets, RTB changes its
status to Full. (Assume that the LSDB on RTB is the latest and complete, so
10. RTA sends a Link State Request (LSR) packet to RTB to request link state
information that is learned from DD packets when the neighbor state machine
11. After receiving the LSR packet, RTB sends a Link State Update (LSU) packet
containing detailed link state information to RTA. After receiving the LSU
packet, RTA changes its neighbor state machine from Loading to Full.
12. RTA then sends a Link State Acknowledgement (LSAck) packet to RTB to
13. LSAck packets are flooded to acknowledge the receiving of Link State
Advertisements (LSAs) rather than LSU packets.
14. The neighbor state machine becomes Full, indicating that the adjacency is
The preceding figure shows the process of setting up a neighbor relationship and
Attempt: This state exists only on the NBMA network and indicates that the
router receives no message from the neighbor. In this state, the router has sent
Init: A router has received a Hello packet from its neighbor but is not in the
neighbor list of the received Hello packet. The router has not set up bidirectional
router ID in the Hello packet received from the neighbor. In this state, the router
Exchange: A router exchanges DD packets containing the local LSDB with its
neighbor.
Loading: A router exchanges LSR packets with its neighbor to request LSAs
and exchanges LSU packets for advertising LSAs.
Full: The local LSDBs on the two routers have been synchronized.
When a ping to an IP address fails, check whether the local router has a
reachable route to the IP address.
In most cases, the ping fails due to either of the following causes:
The local or an intermediate device fails to send data (failing to reach the destination
end).
source end).
In this example, RTA does not have a route to an external address and cannot
send data to RTB. The ping fails.
The display ospf peer command displays information about neighbors in each
OSPF area.
| brief | last-nbr-down ]
The display ospf peer brief command displays brief information about neighbors
in each OSPF area. This command displays the neighbor ID in an area, the interface
that connects to the neighbor, router ID, and neighbor status.
Let's think about it conversely. If the OSPF neighbor state is not Full, the most
likely causes are as follows:
The OSPF configuration is incorrect. --> Check and correct the configuration.
The direct link is not working properly. --> Rectify the fault on the direct link.
Check whether the following OSPF configuration items on the two ends are
consistent:
Cumulations
Hello 0 34
DB Description 0 0
Link-State Req 0 0
Link-State Update 0 0
Link-State Ack 0 0
ASE: (Disabled)
Router: 1
Network: 0
...
Routing Table:
and an Sx700 series modular switch both support a maximum of 1000 interfaces, an
S5700EI supports a maximum of 64 interfaces, and an S5700HI supports a maximum
of 128 interfaces.
A router changes its neighbor state to 2-Way as long as it finds its router ID in the
Hello packet received from the neighbor, even if a few packets are lost.
OSPF packets sometimes cannot be received correctly. In this case, check the
connectivity at the link layer first. OSPF is a multicast-based protocol. Check whether
the link supports multicast, especially when the link passes through a carrier
network.
Run the display ospf [ process-id ] interface command on the two ends of the link
to view the DR priorities of OSPF interfaces.
On a broadcast or NBMA network, the DR can be elected only when the DR
priority of at least one OSPF interface on the link is not 0. Otherwise, the two ends
If the DR priorities of OSPF interfaces on the two ends of the link are both 0, run
the ospf dr-priority priority command in the view of an OSPF interface and
The ospf mtu-enable command enables an interface to fill in the MTU value when
sending DD packets.
The undo ospf mtu-enable command restores the default settings. By default, the
MTU value is 0 when the interface sends DD packets. That is, the actual MTU
Usage Scenario
The default MTU value in the DD packet is 0. Using this command, you can
manually configure an interface to fill in the MTU value (the actual MTU
consistency, you can configure an interface to use the default value 0 when
the interface sends DD packets.
Precautions
and original information cannot be restored. Exercise caution when running this
command.
Check whether interfaces on the two ends of a link are on the same network
segment.
segment. Devices on the two ends of the link can ping each other. The area ID
and area type (NSSA, stub, or normal area) of the interfaces must be the same.
The router ID of each router on one network segment must be different from one
Check whether OSPF areas on the two ends of the link are the same.
If not, set the same OSPF area on the two ends of the link. If yes, go to
same.
Run the display ospf error command once every 10 seconds for 5 minutes.
If the count of the Bad authentication type field continuously increases, OSPF
authentication types on the two ends are different. Run the area-authentication-mode
command to configure the same authentication type on
timers on the two ends are different. Check interface configurations on the two
ends and run the ospf timer hello command to set the same Hello timer on the
interfaces.
If the count of the Dead timer mismatch field continuously increases, Dead
timers on the two ends are different. Check interface configurations on the two
ends and run the ospf timer dead command to set the same Dead timer on the
interfaces.
If the count of the Extern option mismatch field continuously increases, area
types on the two ends are different (one: normal area; the other: stub or NSSA
area). Set the same area type on the two ends. (The stub command
configuration indicates the stub area type, and the nssa command configuration
indicates the NSSA area type.)
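The polling step above (run display ospf error repeatedly and see which counter keeps growing) can be scripted. The following is an added example, not part of the original course material: it compares successive snapshots and maps each steadily growing counter to the fix named in the text. The sample output is constructed, the "count : field name" layout is an assumption about the command output, and the Hello timer mismatch field name is assumed because the sentence naming it is cut off on the page.

```python
import re

# Counter field -> remedy, as given in the troubleshooting steps above.
# "Hello timer mismatch" is an ASSUMED field name (by analogy with
# "Dead timer mismatch"); the sentence that names it is cut off on the page.
REMEDIES = {
    "Bad authentication type":
        "authentication types differ; set the same type with area-authentication-mode",
    "Hello timer mismatch":
        "Hello timers differ; set the same value with ospf timer hello",
    "Dead timer mismatch":
        "Dead timers differ; set the same value with ospf timer dead",
    "Extern option mismatch":
        "area types differ (normal vs. stub/NSSA); set the same area type",
}

# ASSUMED layout: "<count> : <field name>", one or two counters per line.
COUNTER_RE = re.compile(r"(\d+)\s*:\s*(.+?)(?=\s{2,}\d+\s*:|\s*$)", re.MULTILINE)


def parse_counters(output):
    """Turn one command output into {field name: count}."""
    return {name.strip(): int(count) for count, name in COUNTER_RE.findall(output)}


def growing_counters(snapshots, min_rises=2):
    """Return {field: total increase} for fields that rose in at least
    min_rises polling intervals. A single one-off increment (one corrupted
    packet) is ignored, and a counter reset between polls is not a rise."""
    growing = {}
    for name in snapshots[-1]:
        series = [snap.get(name, 0) for snap in snapshots]
        rises = [b - a for a, b in zip(series, series[1:]) if b > a]
        if len(rises) >= min_rises:
            growing[name] = sum(rises)
    return growing


def diagnose(outputs):
    """Map every steadily growing counter to the remedy from the text."""
    snapshots = [parse_counters(text) for text in outputs]
    findings = []
    for name, increase in sorted(growing_counters(snapshots).items()):
        remedy = REMEDIES.get(name, "not covered by the steps above; check manually")
        findings.append(f"{name} (+{increase}): {remedy}")
    return findings


def sample_output(bad_auth, bad_packet):
    """Constructed sample output (not captured from a device)."""
    return (
        "OSPF Process 1 with Router ID 10.0.0.1\n"
        "General packet errors:\n"
        f" 0     : IP: received my own packet     {bad_packet:<5} : Bad packet\n"
        f" 0     : Bad area id                    {bad_auth:<5} : Bad authentication type\n"
        "HELLO packet errors:\n"
        " 0     : Netmask mismatch               0     : Hello timer mismatch\n"
        " 0     : Dead timer mismatch            0     : Extern option mismatch\n"
    )


# Four polls taken 10 seconds apart (constructed): the authentication
# counter rises on every poll, Bad packet rises only once.
POLLS = [sample_output(3, 1), sample_output(4, 2),
         sample_output(5, 2), sample_output(6, 2)]

if __name__ == "__main__":
    for line in diagnose(POLLS):
        print(line)
```

Only counters that rise in at least two polling intervals are reported, which matches the "continuously increases" condition in the steps and filters out isolated bad packets.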
Remember these key parameters: configuring them incorrectly is the
most common OSPF configuration error.
The ospf mtu-enable command enables an interface to fill in the MTU value when
sending DD packets. By default, the MTU value is 0 when the interface sends DD
packets. That is, the actual MTU value of the interface is not filled in.
the interface.
authenticated.
If the interface is not configured with authentication (null does not mean no
After learning how to locate the OSPF neighbor relationship setup fault, think about
possible situations when the neighbor state is ExStart.
network device accessibility. You can specify multiple parameters when running the
ping command to improve query efficiency. For example, to test the MTU value on a
link, specify the parameters -s and -f to test the largest MTU value on intermediate
links.
The display this command displays the running configuration in the current view.
You can specify multiple parameters when running the display interface command to
2. Check whether the two ends of the link have the same OSPF configurations,
including router ID, area ID, and other OSPF configurations.
area type (NSSA, stub, or normal area) of the interfaces must be the same.
Each router ID in an OSPF process must be unique. Otherwise, devices on the two
ends cannot set up OSPF neighbor relationships and routing information is
incorrect.
If the two devices have the same OSPF process router ID, run the ospf [ process-id
] router-id router-id command in the system view to change the OSPF process
router ID and ensure that the two devices have different OSPF process router IDs.
Run the reset ospf [ process-id ] process command in the user view to make the
Note: When OSPF connections are reset, all OSPF neighbor relationships are
re-established and services are interrupted.
Question: What other commands can be used to display the router ID?
Refer to the table on page 19 to check parameter settings and locate the fault cause
step by step.
Answer:
AD
The actual network is complex; multiple routers may exist between servers and users,
and . In the preceding figure, one router and one switch are deployed between the
Traffic classification and marking: These are the basis of QoS. A device must first identify
service flows so that the device can provide differentiated services. A device can
classify traffic based on the CoS field in VLAN packets, ToS field in the IP packet
header, and EXP field in MPLS packets, and can perform fine-grained classification
based on ACLs.
Traffic policing and shaping: Traffic policing limits the rate. CAR technology is
often used.
Congestion management: When the rate of each flow is limited and the total egress
traffic exceeds the bandwidth of the outbound interface, congestion management
The maximum bandwidth (BWmax) is the minimum bandwidth on the data transmission
path.
The E2E delay is the sum of all transmission delays, processing delay, and queue
delay.
The jitter occurs because the E2E delay of each packet is different.
Users log out when making calls, and voice services are interrupted.
The packets do not match the rules of the traffic classifier in the traffic policy.
The traffic behavior associated with the traffic classifier in the traffic policy is
configured incorrectly.
The traffic policy conflicts with another applied traffic policy and the packets
If the traffic is not matched on the interface, further check the configuration.
Generally, various methods are used to identify traffic. If an ACL is used to match
traffic, run the display acl command to check ACL information. Or, run the display
outbound.
The qos car inbound command applies the QoS CAR profile to the inbound
direction to police incoming traffic.
Packets are not colored by using priority mapping, CAR, or remark local-precedence.
The parameters corresponding to packet colors are not configured in the WRED
drop profile.
[HUAWEI-drop-wred1] quit
Check the statistics on each queue of the interface. After the preceding command is
executed, statistics on eight queues are displayed. Here, only the statistics on queue
1 are provided.
According to the preceding command output, the statistics include the bandwidth
Here, the traffic classification is incorrect. This example uses only the action used to
identify services. There is no subsequent QoS action.
First check the traffic policy that is applied to the interface, and then check the
detailed configuration of the traffic policy.
The traffic policy tp1 is applied to the interface and is bound to two traffic classifiers:
tc1 and tc2.
The preceding command output shows that the three services enter queues 2, 3, and
4, respectively.
Each physical interface has eight queues. If queues use PQ and WRR, packets in PQ
queues are first scheduled, and then packets in WRR queues are scheduled based
on the weight.
The weights of AF1 to AF4 are 10, 20, 30, and 40 respectively.
The four queues share the bandwidth based on the weight. When the data
service is busy, the voice service may be congested.
scheduled first.
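The effect described above, voice being squeezed when it shares WRR queues with busy data traffic and protected when it is scheduled first in a PQ queue, can be checked with a small model. This is an added example, not part of the original course material: a long-run (fluid) model of PQ plus WRR with equal packet sizes. The AF1 to AF4 weights come from the text; the interface capacity, the offered loads, the placement of voice in AF4 and the use of EF as the PQ queue are assumptions chosen for illustration.

```python
from fractions import Fraction

# WRR weights of AF1..AF4, as stated in the text.
WRR_WEIGHTS = {"AF1": 10, "AF2": 20, "AF3": 30, "AF4": 40}


def schedule(capacity, demand, pq_queues=()):
    """Return packets served per queue during one interval.

    capacity  -- packets the interface can send in the interval
    demand    -- {queue: packets offered in the interval}
    pq_queues -- queues served with strict priority before any WRR queue
    """
    served = {q: Fraction(0) for q in demand}
    remaining = Fraction(capacity)

    # 1. PQ queues are drained first, in the order given.
    for q in pq_queues:
        served[q] = min(Fraction(demand[q]), remaining)
        remaining -= served[q]

    # 2. WRR queues share what is left in proportion to their weights.
    #    Bandwidth a queue does not need is re-offered to the queues
    #    that are still backlogged (the scheduler is work-conserving).
    active = {q for q in demand if q not in pq_queues and demand[q] > 0}
    while active and remaining > 0:
        total_w = sum(WRR_WEIGHTS[q] for q in active)
        grants = {
            q: min(remaining * WRR_WEIGHTS[q] / total_w, demand[q] - served[q])
            for q in active
        }
        for q, grant in grants.items():
            served[q] += grant
        remaining -= sum(grants.values())
        done = {q for q in active if served[q] == demand[q]}
        if not done:
            break  # every active queue is still backlogged: the link is full
        active -= done
    return served


def drops(capacity, demand, pq_queues=()):
    """Packets per queue that could not be sent in the interval."""
    served = schedule(capacity, demand, pq_queues)
    return {q: demand[q] - served[q] for q in demand}


CAPACITY = 110  # assumed interface capacity, packets per interval

# Assumed loads. Voice is the 50-packet flow: in AF4 for the WRR-only
# cases, in EF (scheduled by PQ) for the last case.
DATA_IDLE = {"AF1": 5, "AF2": 5, "AF3": 5, "AF4": 50}
DATA_BUSY = {"AF1": 50, "AF2": 50, "AF3": 50, "AF4": 50}
VOICE_IN_PQ = {"EF": 50, "AF1": 50, "AF2": 50, "AF3": 50}

if __name__ == "__main__":
    print("WRR only, data idle:", drops(CAPACITY, DATA_IDLE))
    print("WRR only, data busy:", drops(CAPACITY, DATA_BUSY))
    print("voice in PQ, data busy:", drops(CAPACITY, VOICE_IN_PQ, ("EF",)))
```

With busy data queues the voice flow in AF4 is held to its 40 percent share and loses packets even though it has the largest weight; in the PQ queue it loses none and the data queues absorb the shortfall.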
D
STAs can access wireless networks after CAPWAP tunnels are established. STA access
includes three phases: scanning, link authentication, and association.
STAs can access wireless networks using IPv4 and IPv6. IPv4 is used preferentially.
A STA can send two types of Probe Request frames: containing an SSID and containing
no SSID. Therefore, active scanning can be classified into two types:
A STA sends a Probe Request frame containing a specified SSID: A STA sends a
huawei. This method is applicable to the scenario where a STA actively scans
Response frames to notify the STA of the wireless services they can provide.
This method is applicable to the scenario where a STA actively scans wireless
networks to determine whether wireless services are available.
Passive scanning: A STA listens for the Beacon frames that an AP periodically sends in each
channel to obtain the AP information. The Beacon frame contains the SSID and supported
rate. To save power of a STA, enable the STA to passively scan wireless networks. In most
cases, VoIP terminals passively scan wireless networks.
Link authentication: To ensure wireless link security, an AP needs to authenticate STAs that
attempt to access the AP. IEEE 802.11 defines two authentication modes: open system
authentication and shared key authentication.
authenticated.
Shared key authentication: requires that a STA and an AP have the same shared key
preconfigured. The AP checks whether the STA has the same shared key. If the STA
has the same shared key as the AP, the STA is authenticated. Otherwise, the STA
fails the authentication.
Association: STA association refers to link service negotiation. After link authentication is
complete, a STA initiates link service negotiation using Association packets.
The STA sends an Association Request packet to the AP. The Association Request
packet carries the STA's parameters and the parameters that the STA selects based
The AP receives the Association Request packet, encapsulates the packet into a
CAPWAP packet, and sends the CAPWAP packet to the AC.
The AC determines whether to authenticate the STA and replies with an Association
Response packet.
The AP decapsulates the received Association Response packet and sends the
If the STA does not need to be authenticated, the STA can access the wireless
network.
authentication. After being authenticated, the STA can access the wireless
network.
Check STA status: Check whether the wireless service is enabled on the STA and whether
the wireless network adapter of the STA is working properly.
Check AP status: Check whether an antenna is installed on the AP and whether the AP is
working properly.
Check AP configuration: Check whether a VAP is created on the AC6605, whether the
radio interface is enabled on the AP, and the radio signal power configured for the AP on
the AC6605.
Check whether the wireless network adapter of the STA is working properly.
Update the wireless network adapter driver to check whether the STA can discover
radio signals.
If the STA can discover radio signals, the original wireless network adapter
Use another wireless network adapter to check whether the STA can discover radio
signals.
If the STA can discover radio signals, the original wireless network adapter of
Run the display ap id ap-id command on the AC6605 to check the State field.
If the State field is displayed as fault, the AP is faulty. Restart the AP.
If the AP cannot change to the normal state after it is restarted, restart the
AC6605. If the AP still cannot change to the normal state, replace it with a
new AP.
If the new AP still cannot change to the normal state, replace the network
cable.
If the State field is displayed as normal, the AP is working properly. Go to the next
step.
Run the display vap { all | ap ap-id | service-set { id service-set-id | name service-set-name } }
command to check the VAP information on the radio.
If Error: VAP does not exist is displayed, no VAP is created. Run the radio-profile
command to bind radio-profile to a specified radio, then run the service-set command to bind
If VAP information is displayed, a VAP has been created. Go to the next step.
Run the display service-set command on the AC6605 to check whether SSID hiding is
enabled in the VAP.
If the Hide SSID field is displayed as enable, SSID hiding has been enabled in the
If the Hide SSID field is displayed as disable, SSID hiding is disabled in the VAP. Go
to the next step.
Run the display radio config command to check the radio interface status.
If the Administrate status field is displayed as enable, the radio interface has been
Check the radio signal power configured for the AP on the AC6605.
Run the display actual channel-power command on the AC6605 to check the
Note:
The POWER-LEVEL field specifies the actual transmit power level of a radio. The
value of this field ranges from 0 to 15. Level 0 indicates the maximum power. Level
1 is 1 dBm less than level 0; level 2 is 2 dBm less than level 0; and so on. A higher
power level indicates a lower power. The maximum value displayed is 12. When the
transmit power level is set to 12, 13, 14, or 15, the POWER-LEVEL field is always
displayed as 12.
is unable to discover radio signals because the actual transmit power of the radio is
too low. Run the power-level command to set a lower transmit power level for the
radio.
STA/AP antenna: Check whether the wireless network adapter of the STA is working
properly and whether an antenna is installed on the AP.
AP signal power: Check the radio signal power configured for the AP on the AC6605.
Signal interference: Check whether other wireless devices exist in the environment.
Check whether the wireless network adapter of the STA is working properly.
Use another wireless network adapter to check whether WLAN users are disconnected
unexpectedly and frequently.
adapter of the STA fails. Replace it with a new wireless network adapter.
Use the inSSIDer software to check whether a channel conflict occurs. If many radio
signals are transmitted over channel 11 but no radio signal is transmitted over
channel 1, run the channel command to change the AP radio channel to channel 1
Check the radio signal power configured for the AP on the AC6605.
Run the display actual channel-power command on the AC6605 to check the actual
channel and power of a specified radio.
If the POWER-LEVEL field is displayed as 12 or a value greater than 12, the STA is
unable to discover radio signals because the actual transmit power of the radio is
too low. Run the power-level command to set a lower transmit power level for the
radio.
The POWER-LEVEL field specifies the actual transmit power level of a radio. The value of
this field ranges from 0 to 15. Level 0 indicates the maximum power. Level 1 is 1 dBm less
than level 0; level 2 is 2 dBm less than level 0; and so on. A higher power level indicates a
lower power. The maximum value is 12. When the transmit power level is set to 12, 13,
Check whether other wireless devices exist in the environment, for example, a
working microwave oven. Other wireless devices will interfere with radio signals
from the AP, causing WLAN users to be disconnected unexpectedly and frequently.
If other wireless devices exist, turn off these devices and connect WLAN users to the
AP again.
When an AP and STA support both 5 GHz and 2.4 GHz frequency bands, the AP can
request the STA to associate with the 5 GHz radio first.
Most STAs support both 5 GHz and 2.4 GHz frequency bands and they usually associate
with the 2.4 GHz radio by default when connecting to the Internet. To connect to the 5
GHz radio, users must manually select the 5 GHz radio. When the 2.4 GHz frequency band
has many users or severe interference, the 5 GHz frequency band can provide better
access service for wireless users. The 5G-prior access function enables STAs to
As shown in the figure, when the AP receives a Probe Request frame from the STA,
it checks the radio receiving the Probe Request frame. If the Probe Request frame is
received by the 2.4 GHz radio, the AP does not return a Probe Response frame. If
the Probe Request frame is received by the 5 GHz radio, the AP returns a Probe
Response. Then the STA associates with the 5 GHz radio.
If only the 2.4 GHz radio receives 25 Probe Request frames but the 5 GHz radio does not receive
any Probe Request frame, the AP returns a Probe Response frame through the 2.4 GHz radio.
The STA can then access the 2.4 GHz radio.
inSSIDer is a relatively new open source tool for scanning Wi-Fi signals, which is developed
by MetaGeek (a spectrum analysis program developer). It is a common signal scanning
inSSIDer GUI displays the signal strength change, distribution of signals and signal strength
on all channels on the time graph, as well as actual signal strength and bandwidth of
channels used by APs. This tool can filter the AP information based on the frequency band,
If a large number of APs are managed, this tool supports the GPS function and outputs AP
MAC Address: indicates the unique identity of a wireless network adapter. In the
infrastructure mode, it indicates the MAC address of an AP. In the point-to-point mode, it
SSID: indicates the service set identifier, which is the name of a wireless network in IEEE
802.11.
Vendor: indicates the hardware vendor of a wireless AP displayed on the inSSIDer GUI.
Max Rate: indicates the maximum rate supported by an AP, in Mbps. This rate is not the
actual throughput.
Security: indicates the secure access level of a wireless network. inSSIDer lists the secure
access levels of all scanned wireless networks, for example, Open, WEP, WPA Personal,
Network Type: indicates two WLAN network types, including the infrastructure mode and
inSSIDer filter allows users to flexibly select the networks to be displayed. The scanned
wireless networks can be filtered based on the SSID, channel, network type, and security.
If dozens of APs are scanned in an area, you can use the filter to check APs on a specified
channel or APs with a specified SSID. The filter is helpful for engineers to obtain the
Command function: Using the display actual channel-power command, you can check
the actual channel and power of a specified radio.
Command format: display actual channel-power { ap-id ap-id radio-id radio-id | all }
To view the actual channel used by a specified radio and power of the radio, use this
command.
The power displayed using this command is the sum of the maximum transmit power of
the radio interface and the antenna gain. If MIMO is supported, the MIMO gain should
also be added. The maximum power displayed should comply with laws and regulations
corresponding to the country code.
CHANNEL: Actual channel of the radio. The actual channel may be different from
the configured channel before the configured channel is committed.
POWER-LEVEL: Actual transmit power level of the radio. The actual transmit power
level may be different from the configured transmit power level before the
configured power level is committed.
POWER (dBm): Actual transmit power of the radio, which corresponds to the power
A country code identifies the country to which AP radios belong. Different countries
support different AP radio attributes, including the transmit power and supported
channels.
If an AC manages the APs that are deployed in the same country, the country code
If an AC manages the APs that are deployed in different countries, the AC needs to
have a country code configured in the system view and a country code configured in
the AP region view. You can configure country codes in different AP region views to
Notes:
When configuring an AC for the first time, configure a correct country code in the
system view and a country code in the AP region view to comply with local laws and
regulations.
If country codes are configured in both the system view and AP region view, the
country code configured in the AP region view takes effect. If no country code is
configured in the AP region view, the country code configured in the system view
takes effect.
Operation steps
Note: The AP region must have been created. For details, see How to Configure an
AP Region.
C
C