- The 80/20 rule is widely applicable in work and daily life. It also applies to troubleshooting.
- In real network maintenance, most faults are simple, such as network cable problems or IP address misconfiguration.
- Therefore, engineers who meet the basic requirements can deal with most faults.

- It is possible to cultivate a technical professional through systematic training, but that costs too much time and energy.
- A short but strong technical series can direct and open our minds, which helps us solve numerous practical problems and lays a solid foundation for the development of professionals.

- Security statement: for brevity, the course uses FTP as an example to describe the corresponding technologies. The device supports file transfer using FTP, TFTP and SFTP. FTP, TFTP and SFTPv1 have security risks (FTP and TFTP carry credentials and file contents without encryption), so SFTPv2 is recommended.

- If you are a maintenance engineer, read the following precautions before doing your work:
  - Check whether the fault is an emergency. If so, use the pre-defined troubleshooting methods to recover the faulty module immediately and then restore services.
  - Strictly conform to operation rules and industrial safety standards, ensuring personnel and device safety.
  - Take electrostatic discharge (ESD) measures and wear an ESD wrist strap when replacing or maintaining devices.
  - Record the original information in detail when any problem arises during troubleshooting.
  - Keep records when performing important operations such as restarting the device or erasing the database. Before performing important operations, confirm that the operation is feasible, back up data, and prepare emergency and security measures. Only qualified personnel may perform important operations.

- Some faults cause resource or money loss for customers, so maintenance engineers should focus on how to prevent faults and how to rectify them quickly. Backing up key data helps you quickly locate and rectify faults. Back up key data as soon as possible while the network is running properly.

- The principle of troubleshooting is to locate and rectify a fault.
- Generally, the troubleshooting process includes observing fault symptoms, collecting information, analyzing problems, and locating the root cause. All possible causes of a fault can be grouped into multiple cause sets, which helps you rectify faults.

- The fault symptoms differ, but the root causes are technical issues.
- For example, a user cannot access the Internet. Ping the gateway from the PC; the ping fails. That is, the PC cannot reach its gateway.

- If you have trouble locating the fault, collect fault information and send it to Huawei or a Huawei agent for fault analysis.
- Collect the following information:
  - Fault occurrence time, network topology (for example, the location of the faulty device on the network, and the upstream and downstream devices connected to it), operations that triggered the fault, measures you have taken and their results, and the symptom and impact of the fault (for example, on which ports services are affected).
  - Name, version, current configuration, and interfaces of the faulty device. For the method of obtaining this information, see Collecting Diagnostic Information and Common display Commands.
  - Logs generated when the fault occurs. For the method of obtaining the log information, see Obtaining Logs and Alarms.

- Executing the display diagnostic-information command takes a long time. You can press Ctrl+C to pause the display of diagnostic information on the screen.
- It is recommended that you save the information to a text file and then transfer it to a PC using FTP/TFTP.
- When a large amount of diagnostic information is displayed, the CPU usage may be high for a short period. Therefore, do not use this command when the system is running properly. Running the display diagnostic-information command simultaneously on multiple terminals connected to the device is prohibited, because the CPU usage of the device may increase noticeably and device performance may be degraded.

- When a device is faulty, collect logs and alarms on the device immediately. These logs and alarms help you understand what happened during device operation and where the fault occurred.
- Logs, including user logs and diagnostic logs, record user operations, system faults, and system security.

- Devices that support log files periodically save the files on the local storage device.
- Taking Sx7 chassis switches as an example: by default, the switch records all logs and alarms in log files and saves the log files in the logfile folder. The file name is *.log or *.dblg, and the default file size is 8 MB. When the size of a log file exceeds 8 MB, the system compresses the log file into a zip file named after the saving time, saving-time.log.zip or saving-time.dblg.zip, for example 2013-06-03.19-49-37.log.zip and 2013-09-11.10-54-52.dblg.zip. The system then records logs and alarms in a new log file.

- 80% of network faults are caused by simple reasons, for example, cable failures and incorrect configurations.
- Analyze problems from simple to complex. In the OSI model, analyze the physical layer first, then the data link layer and the network layer.
- If no fault occurs at the network layer, the transport layer will work properly. TCP/IP has been running for decades and is mature. Most application faults are caused by application software.
- Problem analysis depends to some degree on our knowledge and experience. A good understanding of network protocols helps you rapidly analyze and locate network faults.

- Note: Before performing any operation, ensure that the operation has minimal impact on network services.

- Highlights of HedEx:
  - Supports quick, accurate, and comprehensive search.
  - Centrally manages Huawei product documents.
  - Convenient annotation function.
  - Convenient document feedback function.
  - Automatically recommends product documents.
  - One-click login to the Huawei Support Website for Carriers or Enterprises.
  - Easy management of various Huawei applications.
  - Simple: easy to use, and no installation is required.

- The knowledge base is where you learn and share experience. A large collection of cases and technical articles is available. You are more than welcome to submit your own articles to share with others. There are abundant cases to help you solve common issues and complete installation or maintenance tasks quickly.
- Support-E offers Chinese and English technical communities, including many specialized forums. Personal space is also supported.
- All registered users can browse the forums and comments. Huawei engineers are there to give you a real-time response.

- When seeking technical assistance, we must analyze the trouble first. Because we are on site, we are the ones most familiar with the trouble.
- If we contact others for help without doing our own analysis, we cannot provide enough information at once, and time may be wasted gathering information again and again.
- If we contact others for help after gathering enough information and doing the necessary analysis, we can provide enough information at once, and time will be saved.
- For each region, Huawei provides a different hotline telephone number or email address. You can find the details on the following web page: Home page > Contact Us > Aftersale Support, http://support.huawei.com/enterprise/NewsReadAction.action?contentId=NEWS1000000563

- If a network fault occurs after a configuration operation, it does not necessarily mean that the fault is caused by the configuration.
- Analyze the problem and find the root cause before deciding whether to restore the configuration.

- The compare configuration command checks whether the current configuration is identical to the next-startup configuration file.
- Note: only the first difference is displayed each time. You need to run the command several times to make sure there is no difference between the running and the saved configuration.

- The configuration can be restored only if a backup configuration file exists, so back up the configuration before any configuration modification.

Answers:
ABCD
ABCD
Theoretical overview of ping operations


- If the preceding information is displayed, the ping failure is caused by a long link transmission delay. Increase the value of the -t parameter.
- If the ping succeeds after the value of -t is increased, check the device status and link status to determine whether the ping failure is caused by a network or device abnormality.
- If the ping still fails after the value of -t is increased, go to step 2.

- Check whether ping -f was executed. If so, the ping packets do not support fragmentation. In this case, check whether the MTU of the outbound interfaces along the path is smaller than the size of the ping packet. If yes, change the size of the ping packet to a value smaller than the MTU. If not, go to substep B.
- Check whether the ping -i command was executed to specify the outbound interface of the ping packets. If the specified outbound interface is a broadcast interface, such as an Ethernet interface, the destination IP address of the ping operation can only be the IP address of the directly connected interface. If this condition is not met, change the ping operation. If the fault persists, go to step 3.

- Run the display fib slot-number destination-address command on each node to check whether there is a route to the destination address. If the route does not exist, refer to OSPF Troubleshooting or IS-IS Troubleshooting to rectify the fault.
- If the route exists and the link along which the ping packet is transmitted is an Ethernet link, run the display arp command to check whether the required ARP entry exists. If not, go to step 9. If yes, go to step 4.

- Run the following command on both the sender and the receiver:
  display icmp statistics

- You can determine the direction in which the ping failure occurs based on the numbers of Input/Output packets in the statistics, as follows:
  - For the source end, the value of Output:echo increases normally and the value of Input:echo does not increase; for the destination end, the values of Output:echo and Input:echo both remain unchanged. In this situation, the source end sends a request but does not receive any response, and the destination end does not receive the request. Therefore, it can be concluded that the ping failure occurs in the direction from the source end to the destination end.
  - For the source end, the value of Output:echo increases normally and the value of Input:echo does not increase; for the destination end, the values of Output:echo and Input:echo both increase normally. In this situation, the source end sends a request but does not receive any response, and the destination end receives the request and returns a response. Therefore, it can be concluded that the ping failure occurs in the direction from the destination end to the source end.
- After determining the direction in which the fault occurs, go to step 5.

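As an added example (not from the course), the following Python function applies the rule above to echo counters taken on the source and destination before and after a test ping, and extends the two cases in the notes with the remaining counter combinations. The counter-dump layout is constructed for this example and is not the exact output of display icmp statistics.

```python
import re
from typing import Dict

# Constructed counter dumps (simplified layout, not the real command output).
# Scenario: the source sends 5 requests, gets no replies, and the destination
# sees nothing at all.
SRC_BEFORE = "Input:  echo 0   echo reply 40\nOutput: echo 45  echo reply 0"
SRC_AFTER = "Input:  echo 0   echo reply 40\nOutput: echo 50  echo reply 0"
DST_BEFORE = "Input:  echo 40  echo reply 0\nOutput: echo 0   echo reply 40"
DST_AFTER = "Input:  echo 40  echo reply 0\nOutput: echo 0   echo reply 40"
# Alternative "after" dumps for the other cases (also constructed).
DST_REPLIED = "Input:  echo 45  echo reply 0\nOutput: echo 0   echo reply 45"
DST_SILENT = "Input:  echo 45  echo reply 0\nOutput: echo 0   echo reply 40"
SRC_OK = "Input:  echo 0   echo reply 45\nOutput: echo 50  echo reply 0"

LINE_RE = re.compile(r"^(Input|Output):\s+echo\s+(\d+)\s+echo reply\s+(\d+)\s*$", re.M)
KEYS = ("input_echo", "input_echo_reply", "output_echo", "output_echo_reply")


def echo_counters(dump: str) -> Dict[str, int]:
    """Extract the four echo counters from a dump, failing loudly if one is missing."""
    counters = {}
    for direction, echo, reply in LINE_RE.findall(dump):
        counters[f"{direction.lower()}_echo"] = int(echo)
        counters[f"{direction.lower()}_echo_reply"] = int(reply)
    missing = [k for k in KEYS if k not in counters]
    if missing:
        raise ValueError(f"counter dump incomplete, missing {missing}")
    return counters


def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """How much each counter moved while the test ping ran."""
    b, a = echo_counters(before), echo_counters(after)
    return {k: a[k] - b[k] for k in KEYS}


def failure_direction(src_before: str, src_after: str,
                      dst_before: str, dst_after: str) -> str:
    """Classify a ping failure from counters read on both ends."""
    src = counter_deltas(src_before, src_after)
    dst = counter_deltas(dst_before, dst_after)
    if src["output_echo"] <= 0:
        return "no-request-sent"          # source never transmitted: look at the source itself
    if src["input_echo_reply"] > 0:
        return "replies-received"         # counters show no loss in either direction
    if dst["input_echo"] <= 0:
        return "source-to-destination"    # case 1 in the notes: the request never arrived
    if dst["output_echo_reply"] > 0:
        return "destination-to-source"    # case 2 in the notes: a reply was sent but lost
    return "destination-not-replying"     # request arrived, no reply generated: check the destination


if __name__ == "__main__":
    print(failure_direction(SRC_BEFORE, SRC_AFTER, DST_BEFORE, DST_AFTER))
```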
- For details about how to configure ACL rules and the traffic-policy command, refer to the product manual.
- In the interface view, run the traffic-policy command to apply the ACL rules to the interfaces in sequence:
  - For the ping request sender and receiver: apply the traffic policy in the inbound direction of the interfaces.
  - For the intermediate device(s): apply the traffic policy in both the inbound and outbound directions of the interfaces.
  - For Trunk or VLANIF interfaces, the traffic policy needs to be configured on the related physical interface.
- Run the display traffic-policy statistics interface command on each interface in sequence to view the ACL matching results:
  - If all the ACL rules are matched, ping packets are sent or received normally. If the ping failure persists, collect the preceding information and then contact Huawei technical support engineers.
  - If all the ACL rules for incoming and outgoing packets on an intermediate device are matched, the intermediate device works properly. In this case, check whether a fault occurs on the source end or the destination end.
  - If incoming packets on a device do not match the ACL rules, a fault occurs on the upstream device in the corresponding direction of the ping packets. In this case, perform step 6 on the fault-related device.

- The preceding information shows that the next-hop device (indicated by 3 * * *) of 89.0.0.2 10 is faulty. After determining the faulty device, go to step 6.

- If a device has been attacked with ICMP packets, the rate of ICMP packets sent to the CPU has been reduced or these packets have been dropped to protect against the attack. As a result, a ping failure occurs.
- If either of the preceding two conditions is true, the ping operation fails or ping packets are dropped. In this case, determine whether the related configuration that causes the ping failure can be modified or deleted. Before repeating the ping operation, run the undo command to delete the related configuration. If the ping operation fails again, go to step 7.
- If no CPU attack defense policy is configured, go to step 7.

- Note: The debug function affects system performance. Therefore, exercise caution before you decide to perform a debugging operation.

- The output on Router A shows that the ARP entries have been established properly.
- The output on Router B shows that the MAC address corresponding to the IP address 1.1.1.1 is 0016-ecb9-0eb2, and the entry type "S" indicates that the ARP entry is static. However, the output on Router A shows that the MAC address corresponding to the IP address 1.1.1.1 is not 0016-ecb9-0eb2.
- Therefore, the fault may have been caused by a failure to update the static ARP configuration. To be specific, before the network adjustment, a static binding of IP + MAC + port number was configured on Router B. After the network adjustment, the MAC address of the peer device changed, but the static binding of IP + MAC + port number on Router B was not updated. As a result, Router A and Router B cannot ping each other.

- If static binding of IP and MAC addresses is configured on a device, the corresponding ARP entry must be updated once the device that owns the bound MAC address is replaced. In this troubleshooting case, if the peer device of Router B is a non-Huawei device and you cannot log in to it to check its configuration, you can do as follows to determine whether the destination MAC address of the ping packet is correct: ping Router B from Router A and, at the same time, obtain the packets exchanged between Router A and Router B through mirroring. Then, analyze the ping packet to determine whether the destination MAC address carried in the packet is correct.

Answers: A,D
- The Address Resolution Protocol (ARP) is a broadcast protocol through which a host can dynamically discover the MAC address mapped to an IP address.
- Each host has an ARP cache that stores the mappings between IP addresses and MAC addresses. This is the information the host knows. When host A intends to send an IP packet to host B in the same LAN, it first checks its ARP cache for the IP address of host B. If the IP address of host B is found, host A can find the corresponding MAC address and send the packet to that MAC address.
- Sometimes host A cannot find the IP address of host B, probably because host B was just connected to the network or because host A was just powered on and its cache is empty. In this case, if host A needs to know the MAC address of host B, host A sends Ethernet frames called ARP requests to every host on the network segment. This process is called broadcast. The request message sent by host A contains the mapping between its own IP address and MAC address as well as the IP address of the destination host to be resolved. After the destination host (host B) receives the request message, it stores the mapping between host A's IP address and MAC address in its cache and sends the mapping between its own IP address and MAC address to host A in response. When receiving the ARP reply, host A obtains the MAC address of host B and caches the mapping between host B's IP address and MAC address.

- We need to understand "direct connection" correctly. "Direct connection" here means that two Layer 3 devices are directly connected through a Layer 2 Ethernet link, which can be a network cable or cross several Layer 2 switches.

ARP fault symptom
- Connectivity failure between two directly connected devices (ARP faults further affect other direct-connection-based protocols, such as OSPF, so users will find that the network is disconnected).
- Intermittent network disconnections: if ARP is not stable, intermittent network disconnections will occur. Short network service interruptions can cause packet loss, and users will find that the network responds slowly.
- In the above figure, ARP faults may occur at ①, ③, ⑦ or ⑨.
- Method of identifying a connectivity failure between two directly connected devices: ping the IP address of the interface through which the remote device directly connects to the local device.

- After the ARP interaction is complete, directly connected devices should have each other's cache entries. If either or both devices do not have the related cache entries, we can determine that an ARP fault has occurred.

- ARP packets need to be processed by the CPU of a device. Therefore, in addition to packet interaction and the transmission environment, errors may also occur when the CPU processes ARP packets.
- To troubleshoot ARP faults, we have to find the causes and take appropriate measures.

- The common ARP troubleshooting procedure is as follows:
  - Check for low-level faults such as link faults.
  - Check whether the local device is working properly.
  - Check whether the remote device is working properly.

- Low-level faults occur with a higher probability, so we should start by checking for low-level faults.
- We also need to pay attention to the VLAN configuration on Layer 2 switches. Interfaces of the host and router in the same network segment must be in the same VLAN.
- Related command: display vlan
- If a complex Layer 2 network is deployed, we also need to pay attention to the spanning tree status of the switch, and ensure that all the interfaces on the link are in the Forwarding state.
- Related command: display stp brief

- Note: To display debugging information, run the following commands in the user view:
  terminal debugging
  terminal monitor
- After debugging is complete, disable all debugging functions by running the following command in the user view:
  undo debugging all

- Usually, we use Wireshark to capture and analyze packets. You can obtain this software free of charge from the Internet.
- Note: Capturing packets on the customer's network involves information security issues, so you must obtain the customer's written authorization letter before capturing packets. If packet capture is necessary, do it on the customer's device.

- For example, ARP flood attacks may cause persistently high CPU usage. If protective measures have been configured on the device, an ARP flood attack may cause the number of packets to reach the specified threshold, resulting in failure to process valid ARP packets.
- CPCAR is a mechanism that protects the CPU of Huawei devices. If the threshold is too small, valid ARP packets may also be discarded.
- We can run the display arp anti-attack configuration all command to check the ARP anti-attack configuration on the device.
- We can adjust the security threshold parameter to ensure that ARP packets are received and sent normally.
- The ultimate solution is to find the attack source. Another dedicated lecture introduces the method of troubleshooting ARP security problems.

- The packet-type command sets the rate limit for packets sent to the CPU. By default, the device uses the rate limit in the default attack defense policy to limit the rate of protocol packets. You can also create an attack defense policy and run the packet-type command to set the rate limit for packets of a specified protocol. The configured rate limit overrides the default rate limit defined in the default attack defense policy.
- Configuration example: set the rate limit for ARP reply packets to 1260 pps in the attack defense policy mypolicy.
  <Huawei> system-view
  [Huawei] cpu-defend policy mypolicy
  [Huawei-cpu-defend-policy-mypolicy] packet-type arp-reply rate-limit 1260

- The arp anti-attack rate-limit enable command enables rate limiting for ARP packets.
- The arp anti-attack rate-limit command sets the maximum rate and the rate-limit duration of ARP packets globally or on an interface.
- If the maximum rate and rate-limit duration are configured in both the system view and the interface view, the configuration in the interface view takes precedence.

- To obtain technical support, you can also visit http://support.huawei.com/enterprise/.

- Failure to ping the gateway is a common network fault and also a typical ARP fault.

- In this case, the physical link is working properly and the VLAN configuration on the Layer 2 switch is correct.
- In addition, the two PCs use the same link between the switch and the router, so you only need to check the link between PC1 and the switch.

- Capture packets on the PC to check whether ARP requests were sent normally and ARP replies were received.
- In this case, we find that the PC could send ARP requests normally but did not receive ARP replies. We can therefore determine that the fault probably lies on the router.

- A considerable number of network faults are caused by incorrect configuration.
- If the configuration is correct, you need to query the interface status and the ARP table status.

- After you configure IP addresses for the termination sub-interfaces of two devices, they cannot ping each other. Check whether you have configured the arp broadcast enable command on the interfaces. If this command is not configured, the interfaces cannot initiate ARP requests and will not learn ARP entries.
- By default, the arp broadcast enable command is disabled in versions earlier than V200R003C00 and enabled in V200R003C01 and later versions.

- The enterprise network connects to the Internet through the ISP network. It is very likely that faults will occur on the connection between the enterprise network and the ISP network.
- Consider: what may not be the causes of the fault discussed in this case?

- In fact, checking the ARP table on the router alone is not adequate, because the ISP device may have correctly received the ARP request and sent back an ARP reply, yet not recorded the mapping between the router's IP address and MAC address in its ARP table.
- In this case, we cannot check the ISP device, and the ISP personnel do not cooperate with us, so we need other methods to verify our hypothesis.

- Theoretically, ARP is designed for a device to dynamically obtain the remote device's MAC address, which results in vulnerabilities in the ARP protocol. The ISP has possibly set some limits on the ARP protocol of its own devices, especially on the ISP device connecting to the customer's device.

- Currently, most PC network cards support manual configuration of MAC addresses.
- ISPs may have enabled the MAC address binding function on their devices so that only devices with specified MAC addresses can connect. To allow new devices to connect to the ISP device, many household routers available on the market support manual configuration of MAC addresses.
- The ultimate solution to this fault is to contact the ISP to bind 100.0.0.10 to the MAC address of the new device.

Answers: AB

 VRRP provides a virtual router on a LAN.
 In this example:
 RTA and RTB are deployed on a LAN. The IP addresses of the interconnected interfaces on RTA and RTB are 10.1.1.251/24 and 10.1.1.252/24, respectively. RTA and RTB are associated with the same virtual router, and the virtual router uses 10.1.1.254 as its interface address. All PCs use 10.1.1.254 as the default gateway address, without considering the IP addresses of the physical interfaces of the routers. VRRP selects the master from the VRRP-enabled routers. The master forwards the data packets sent to the virtual router. If the master fails, VRRP selects a new master from the other VRRP-enabled routers.
 The working mechanism of the virtual router is as follows:
 1. Select the master according to the priority. The master can be selected in the following modes:
 Compare priorities. The router with the higher priority is selected as the master.
 Compare IP addresses when two routers with the same priority compete to be the master. The router with the larger IP address is selected as the master.

 In this example:
 After the VRRP configuration is complete, internal hosts can access the Internet. When the master goes Down, internal hosts cannot access external devices; that is, the VRRP active/standby switchover is not performed. Checking the VRRP status on the two devices shows that dual masters exist, which is the common cause of a VRRP active/standby switchover failure. This course uses dual masters as an example to describe VRRP troubleshooting.

 The configurations of the devices in the VRRP group are different. The VRRP configurations at both ends may be incorrect due to carelessness. For example, the VRID or virtual IP address differs between the two ends, or the IP addresses of the interconnected interfaces are on different network segments. A minor configuration error may cause the fault.
 The link where VRRP Advertisement packets are transmitted is faulty. When working normally, the master sends a VRRP multicast packet every Advertisement_Interval to notify the backups in the group that the master is working normally. In a VRRP group consisting of one master and one backup, when the backup does not receive packets from the master within the Master_Down_Interval, the backup becomes the master. In a VRRP group consisting of one master and multiple backups, when the backups do not receive packets from the master within the Master_Down_Interval, multiple masters may exist for a short period. The backups then compare the priorities in the received VRRP packets with their local priorities, and the backup with the highest priority becomes the master. When the link fails, the backups cannot receive VRRP multicast packets, so the backup with the highest priority becomes the master.
 The VRRP Advertisement packets received by the backup with a lower priority are considered invalid packets and discarded. For network environments of different security levels, you can set different authentication modes and passwords in the packet headers. On a secure network, you can use the default configuration: the device does not add authentication information to outgoing VRRP packets or authenticate received VRRP packets; that is, it considers all received VRRP packets valid, so there is no need to set an authentication key. On a network where authentication needs to be configured, if the VRRP authentication information is incorrect, VRRP Advertisement packets are discarded as invalid packets.


 Step 1:
Run the display this command on the interfaces configured with the VRRP group to check whether the VRRP configurations at both ends are the same. For example, check whether the VRID or virtual IP address at both ends is the same and whether the IP addresses of the interconnected interfaces are on the same network segment. If the VRRP configurations at both ends are different, modify the configurations.
 Step 2:
On the devices in the VRRP group and the devices that VRRP Advertisement packets pass through, run the display stp brief command to check whether any interface is blocked.
 If the value of the STP State field is FORWARDING, the corresponding interface is not blocked.
 If the value of the STP State field is DISCARDING, the corresponding interface is blocked.
 Step 3:
Check whether the interfaces transmitting VRRP Advertisement packets are correctly connected. Run the display interface interface-type interface-number command repeatedly to check whether the physical status of the interfaces is Up and the interfaces work stably. If interfaces are not connected correctly, connect them correctly and ensure that the interface status is Up.
 Step 4:
Check whether the interfaces configured with the VRRP group can be pinged. If the ping operation fails, check the devices that VRRP Advertisement packets pass through. Run the display current-configuration command to check whether any configuration causes the ping failure.
 Step 5:
Run the display vrrp statistics command to check whether the backup with a lower priority receives invalid VRRP Advertisement packets.
 Step 6:
Collect the following information and contact Huawei technical support personnel:
 Results of the preceding troubleshooting procedure
 Configuration file, log file, and alarm file of the device



 To obtain the contact method of Huawei's local representative office, visit http://support.huawei.com/enterprise/.

 The IP address of PCA is 10.1.1.1/24, the gateway address is 10.1.1.254, and PCA connects to RTA and RTB through SWA. On GE0/0/0 of RTA, VRRP group 1 is configured with the virtual IP address 10.1.1.254 and priority 200. On GE0/0/0 of RTB, VRRP group 1 is configured with the virtual IP address 10.1.1.254 and priority 150.
 After the configuration is complete, ping the address of GE0/0/1 on RTA from PCA. The ping operation succeeds, indicating that the master works properly. Shut down GE0/0/1 on RTA so that the backup should complete the switchover and become the master, and ping GE0/0/1 on RTB from PCA. The ping operation fails: the VRRP active/standby switchover is not performed. Restore the interface status of RTA and check the VRRP running status on RTA and RTB. The VRRP status of both routers is Master.

 Command used to check the VRRP status:
 display vrrp [ interface interface-type interface-number [ virtual-router-id ] ] [ brief ]
 The display vrrp command displays the VRRP group status and configuration parameters.
 interface interface-type interface-number: specifies the interface type and number, and virtual-router-id specifies the VRID.
 brief: displays brief information about the VRRP group.

 Run the display this command on the interfaces configured with the VRRP group to check whether the VRRP configurations at both ends are the same. For example, check whether the VRID or virtual IP address at both ends is the same and whether the IP addresses of the interconnected interfaces are on the same network segment. Here, the VRRP configurations on the two interfaces are the same.

 display stp [ process process-id ] [ instance instance-id ] [ interface interface-type interface-number | vsi vsi-name pw pw-name | slot slot-id ] [ brief ]:
 The display stp command displays the status of and statistics on spanning tree instances.
 process process-id: specifies the ID of an MSTP process.
 instance instance-id: displays the status of and statistics on a specified spanning tree instance. instance-id specifies the ID of the spanning tree instance.
 interface interface-type interface-number: displays the status of and statistics on a specified spanning tree instance on a specified interface.
 vsi vsi-name: specifies the name of a VSI. pw pw-name: specifies the name of a PW.
 brief: displays brief information about the status of and statistics on spanning tree instances. slot slot-id: specifies the slot ID.

 display interface [ interface-type [ interface-number ] | slot slot-id ]
 The display interface command displays the interface status and statistics.
 interface-type interface-number: specifies the interface type and number. If the interface type is not specified, the running status of and statistics on all interfaces are displayed. If the interface number is not specified, the running status of and statistics on all interfaces of the specified type are displayed.
 slot slot-id: specifies the slot ID of an LPU. The status of and statistics on all interfaces on the LPU are displayed.

 The display current-configuration command displays the current configuration.
 SWA is a Huawei S5700 series switch. By default, the link type of an interface is hybrid and the PVID is VLAN 1. When the PVID of GE0/0/3 is set to VLAN 2, GE0/0/3 and the interfaces still in the default VLAN cannot communicate. (For details about the hybrid interface, refer to the VLAN technology documentation.)

 The undo port hybrid pvid vlan command deletes the PVID of the hybrid interface.
 After VLAN 2 is deleted from GE0/0/3 on SWA, the PVID of GE0/0/3 is VLAN 1, and GE0/0/3 can communicate with GE0/0/1 and GE0/0/2.
 On RTA, ping the VRRP interface on RTB. The ping operation is successful.

 On RTA and RTB, run the display vrrp interface GigabitEthernet 0/0/0 command to check whether the VRRP status is normal.
 The command outputs show that the VRRP statuses of RTA and RTB are Master and Backup, respectively. The fault is rectified.
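To tie the case together, the following is an added Python model (not course material and not Huawei's implementation) of SWA as a PVID-aware hybrid switch and RTA/RTB as a simplified VRRP election, covering both the dual-master failure cause discussed earlier and the Step 1 consistency check. It assumes PCA is on GE0/0/1, RTA on GE0/0/2 and RTB on GE0/0/3, that VRRP advertisements are untagged frames, and it uses the Master_Down_Interval formula from RFC 3768; the configurations are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface
from typing import Dict, List


def master_down_interval(adv_interval: float, priority: int) -> float:
    """RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
    with Skew_Time = (256 - priority) / 256 s, so a higher-priority backup
    times out first when the master really is gone."""
    return 3 * adv_interval + (256 - priority) / 256


@dataclass
class VrrpRouter:
    name: str
    port: str                 # SWA port the router hangs off (assumption)
    addr: IPv4Interface       # interconnected interface address
    vrid: int
    virtual_ip: str
    priority: int

    def advertisement(self) -> dict:
        # What the router multicasts every Advertisement_Interval (untagged frame).
        return {"vrid": self.vrid, "virtual_ip": self.virtual_ip,
                "priority": self.priority, "ip": int(self.addr.ip)}

    def elect(self, heard: List[dict]) -> str:
        # Only advertisements for our own group count; others are ignored.
        peers = [a for a in heard
                 if a["vrid"] == self.vrid and a["virtual_ip"] == self.virtual_ip]
        me = (self.priority, int(self.addr.ip))
        # Higher priority wins; the larger interface IP address breaks ties.
        return "Backup" if any((a["priority"], a["ip"]) > me for a in peers) else "Master"


class HybridSwitch:
    """Untagged ingress frames are tagged with the port's PVID and flooded only
    to the other ports whose PVID is the same VLAN."""
    def __init__(self, pvid: Dict[str, int]):
        self.pvid = dict(pvid)

    def flood_untagged(self, in_port: str) -> List[str]:
        vlan = self.pvid[in_port]
        return [p for p, v in self.pvid.items() if p != in_port and v == vlan]


def run_election(switch: HybridSwitch, routers: List[VrrpRouter]) -> Dict[str, str]:
    """Deliver each router's advertisement through the switch, then let every
    router decide its state from what actually reached it."""
    by_port = {r.port: r for r in routers}
    heard: Dict[str, List[dict]] = {r.name: [] for r in routers}
    for r in routers:
        for out_port in switch.flood_untagged(r.port):
            if out_port in by_port:
                heard[by_port[out_port].name].append(r.advertisement())
    return {r.name: r.elect(heard[r.name]) for r in routers}


def check_consistency(a: VrrpRouter, b: VrrpRouter) -> List[str]:
    """Step 1 of the procedure: VRID, virtual IP and subnet must match at both ends."""
    problems = []
    if a.vrid != b.vrid:
        problems.append(f"VRID differs: {a.vrid} vs {b.vrid}")
    if a.virtual_ip != b.virtual_ip:
        problems.append(f"virtual IP differs: {a.virtual_ip} vs {b.virtual_ip}")
    if a.addr.network != b.addr.network:
        problems.append(f"different segments: {a.addr.network} vs {b.addr.network}")
    return problems


# Constructed topology: PCA on GE0/0/1, RTA on GE0/0/2, RTB on GE0/0/3 (assumption).
RTA = VrrpRouter("RTA", "GE0/0/2", IPv4Interface("10.1.1.251/24"), 1, "10.1.1.254", 200)
RTB = VrrpRouter("RTB", "GE0/0/3", IPv4Interface("10.1.1.252/24"), 1, "10.1.1.254", 150)

# Faulty SWA: GE0/0/3 has PVID 2, so RTB's untagged advertisements land in VLAN 2.
FAULTY_SWA = HybridSwitch({"GE0/0/1": 1, "GE0/0/2": 1, "GE0/0/3": 2})
# After 'undo port hybrid pvid vlan' on GE0/0/3 the PVID falls back to VLAN 1.
FIXED_SWA = HybridSwitch({"GE0/0/1": 1, "GE0/0/2": 1, "GE0/0/3": 1})

if __name__ == "__main__":
    print("config check:", check_consistency(RTA, RTB) or "consistent")
    print("faulty SWA:", run_election(FAULTY_SWA, [RTA, RTB]))   # both Master
    print("fixed SWA: ", run_election(FIXED_SWA, [RTA, RTB]))    # RTA Master, RTB Backup
    print("RTB declares master down after %.4f s" % master_down_interval(1.0, RTB.priority))
```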



 Master the principles and working mechanism of VRRP, which helps you troubleshoot VRRP faults.
 When you encounter a fault, run display commands to check the configurations and parameters. Check whether incorrect configurations cause the fault. Carelessness often causes faults.
 Check the Layer 2 switching network. In most cases, faults are caused by Layer 2 links. To rectify faults of any protocol, perform the check from the lower layer to the higher layer.
Answers:
False
ABCD

 Network loops also result in broadcast storms, render the MAC address table unstable, and cause network and routing black holes. Special tools are required to troubleshoot devices and networks.
 Layer 2 loop: Due to redundant links, data frames are circularly forwarded at the link layer.
 Layer 3 loop: Due to incorrect routes, data packets are circularly forwarded at the network layer until the TTL value reduces to 0, and are then discarded.

 Huawei switches are enabled with Spanning Tree Protocol (STP) to remove loops. If STP is disabled manually and there are redundant links on the network, Layer 2 loops may occur. As a result, data frames are circularly forwarded between switches, resulting in a broadcast storm. In addition, switches repeatedly update MAC address entries, resulting in MAC address flapping and exhausting resources.

 Routers are network-layer devices responsible for selecting routes for IP packets and forwarding them. When Layer 3 loops occur, data packets are circularly forwarded between routers until the TTL value reduces to 0, and are then discarded.

 Run the display cpu-defend statistics command to check statistics on packets sent to the CPU.
 LDT: loop-detection

 The disp interface Ethernet brief command is used to view the Ethernet port status. You can run this command to obtain the physical status, auto-negotiation mode, duplex mode, interface rate, and latest average inbound and outbound bandwidth utilization of a port.
 The preceding figure shows that large traffic occurs on two ports of a device. The two ports of the device may be looped.

 loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times | alarm-only } is used to configure global MAC address flapping detection.
 block-mac: Blocks traffic from the flapping MAC address.
 block-time block-time: Specifies the blocking time for interfaces.
 retry-times retry-times: Specifies the number of retry times before the specified interface is permanently blocked.
 Block-action: Indicates the action.
 alarm-only: Only an alarm is reported.
 The display loop-detect eth-loop [ vlan vlan-id ] command is used to view the result of MAC address flapping detection.
 vlan vlan-id: Indicates the ID of a VLAN.

 MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN. The MAC address entry learned later replaces the earlier one.
 Under normal circumstances, MAC address flapping does not repeatedly occur in a short period. MAC address flapping is usually caused by loops. When a loop occurs and causes a broadcast storm, all the switches affected by the broadcast storm encounter MAC address flapping. Therefore, MAC address flapping detection can be used to check for loops on a network.
 MacAdd: Flapping MAC address
 Vlanid: ID of the VLAN where MAC address flapping occurs
 FormerIfDescName: Interface that first learns the MAC address
 CurrentIfDescName: Interface that later learns the MAC address
 L2IfPort: Interface index
 entPhysicalIndex: Device number
 BaseTrapSeverity: Alarm severity
 BaseTrapProbableCause: Alarm cause
 BaseTrapEventType: Event type
 DeviceName: Device name

 By running the display loop-detection command, you can check whether loop detection is enabled. If loop detection is enabled, the system displays the loop detection interval, the ID of the VLAN where loop detection is enabled, and the ports that are blocked, shut down, and disabled from learning MAC addresses.

 Removing the port from the VLAN where the loop is detected: When MAC address flapping occurs on a port with a loop prevention action configured, the switch performs the configured action. When the action is set to error-down, the switch shuts down the port. When the action is set to quit-VLAN, the switch removes the port from the VLAN where MAC address flapping occurs. Only one port can be shut down during one aging period. By default, a port that is removed from a VLAN joins the VLAN again 10 minutes later. Do not use the quit-VLAN action in conjunction with the dynamic VLAN function because they conflict with each other.
 Shutting down the port where the loop is detected: If a port in a VLAN is set to shutdown mode, the port is shut down automatically when a loop is detected.
 Removing the optical cable from the looped device: Remove the loop by disabling the physical link.

 Intermittent network connection interruption is a common network fault. It is also a typical loop fault.

 Because large traffic occurs on the ports connected to downstream access devices, a loop may exist on the downstream devices.

 The fault may occur on AS1, so check AS1.
 1. Check port traffic statistics.
 2. Check for MAC address flapping by enabling MAC address flapping detection in the VLAN.
 3. View the MAC address flapping detection results.
 4. Confirm that a loop occurs. The ports where the loop occurs are found to be FE0/0/1 and FE0/0/2. Remove the loop immediately.
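As an added illustration of the MAC address flapping detection described in the earlier slides and of the AS1 check just performed (example code, not the course's or the switch's implementation), the following Python detector replays constructed MAC-learning events: a MAC that keeps moving between two ports of one VLAN inside a short window is reported with the FormerIfDescName/CurrentIfDescName fields and the configured block action is applied. Port names, MAC addresses, the 10-second window and the three-move threshold are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LearnEvent:
    t: float      # seconds since start
    vlan: int
    mac: str      # Huawei notation, e.g. 00e0-fc12-3456 (constructed)
    port: str


@dataclass
class FlapReport:
    MacAdd: str
    Vlanid: int
    FormerIfDescName: str
    CurrentIfDescName: str
    flaps_in_window: int
    action_taken: str


class FlapDetector:
    """Flags a MAC that keeps moving between ports of one VLAN.

    `threshold` moves inside `window` seconds counts as flapping; a single
    legitimate move (a host re-plugged elsewhere) stays below it."""

    def __init__(self, window: float = 10.0, threshold: int = 3,
                 action: str = "alarm-only"):
        if action not in ("alarm-only", "block-mac", "quit-vlan", "error-down"):
            raise ValueError(action)
        self.window, self.threshold, self.action = window, threshold, action
        self.table = {}                  # (vlan, mac) -> port currently holding the entry
        self.moves = defaultdict(deque)  # (vlan, mac) -> times the entry changed port
        self.blocked_macs = set()        # result of block-mac
        self.port_state = {}             # result of quit-vlan / error-down

    def learn(self, ev: LearnEvent) -> Optional[FlapReport]:
        key = (ev.vlan, ev.mac)
        former = self.table.get(key)
        self.table[key] = ev.port        # the later learning replaces the earlier entry
        if former is None or former == ev.port:
            return None                  # first learning, or same port: nothing to see
        q = self.moves[key]
        q.append(ev.t)
        while q and ev.t - q[0] > self.window:
            q.popleft()                  # forget moves older than the window
        if len(q) < self.threshold:
            return None
        self._apply_action(ev)
        return FlapReport(ev.mac, ev.vlan, former, ev.port, len(q), self.action)

    def _apply_action(self, ev: LearnEvent) -> None:
        if self.action == "block-mac":
            self.blocked_macs.add((ev.vlan, ev.mac))
        elif self.action == "quit-vlan":
            self.port_state[ev.port] = f"removed from VLAN {ev.vlan}"
        elif self.action == "error-down":
            self.port_state[ev.port] = "error-down"
        # alarm-only: report only


def analyze(events, **cfg):
    """Replay events in time order; return the detector, the reports, and the
    set of ports implicated in the loop."""
    det = FlapDetector(**cfg)
    reports = [r for r in (det.learn(e) for e in sorted(events, key=lambda e: e.t)) if r]
    loop_ports = {p for r in reports for p in (r.FormerIfDescName, r.CurrentIfDescName)}
    return det, reports, loop_ports


# Constructed sample: a storm bounces the PC's MAC between FE0/0/1 and FE0/0/2
# every half second, a server stays put, and a laptop is re-plugged once.
SAMPLE = (
    [LearnEvent(0.5 * i, 10, "00e0-fc12-3456", "FE0/0/1" if i % 2 == 0 else "FE0/0/2")
     for i in range(12)]
    + [LearnEvent(0.0, 10, "00e0-fc00-0001", "FE0/0/5"),
       LearnEvent(4.0, 10, "00e0-fc00-0001", "FE0/0/5")]
    + [LearnEvent(1.0, 20, "00e0-fcaa-bbcc", "FE0/0/7"),
       LearnEvent(3.0, 20, "00e0-fcaa-bbcc", "FE0/0/8")]
)

if __name__ == "__main__":
    det, reports, ports = analyze(SAMPLE, action="alarm-only")
    print(reports[0])
    print("ports implicated in the loop:", sorted(ports))
```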



 To troubleshoot ARP learning failures, engineers should be familiar with loop prevention protocols and master the necessary troubleshooting methods.
 If a loop occurs on a large network, first judge whether it is a Layer 2 loop. If it is, follow the Layer 2 loop troubleshooting procedure to identify the devices where the loop occurs and remove the loop immediately to ensure that services run properly. Then analyze the devices and identify the causes to rectify the fault.

 Common causes:
 Cables are connected incorrectly.
 Configurations of network devices are incorrect.
 In network restructuring scenarios, incorrect cable connections or configurations are the most probable causes.

1. Ping the IP address of the destination network. If it can be pinged, the loop occurs on the destination network. If it cannot be pinged, the loop may be between the source and destination IP addresses, resulting in packet loss.
2. Use the tracert command to trace the destination IP address to check for the nodes where data packets are discarded due to loops when they are transmitted from the source IP address to the destination IP address.
 The tracert command traces the gateways that packets pass through from the source host to the destination host. This helps check network connectivity and locate network faults.
 tracert [ -a source-ip-address | -f first-ttl ] * host
 -a source-ip-address: specifies the source IP address of the tracert test.
 -f first-ttl: specifies the initial Time-to-Live (TTL).
 host: specifies the domain name or IPv4 address of the destination host.
3. The node where data packets are discarded is found, indicating that the loop may occur between the node and its neighboring node. Troubleshoot the node.

1. Perform tracert tests and find that the loopback nodes are R1 and R3.
2. The original outgoing route is PC A->S1->R1->R3.
3. The current data forwarding route is PC A->S1->R1->R3->R2, indicating that the fault occurs on R3.
4. Check the routing table on R3. A route destined for R2 is incorrect.

 Check the routes on the node where the original data forwarding route is changed:
 First, check the routing table to find the incorrect route. Then, check the current route configuration and identify causes such as incorrect configuration, a redundant route, or incorrect routing protocol configuration. Correct the configuration.

 You can also obtain technical support at http://support.huawei.com/enterprise/.

 The PC can ping the gateway, indicating that the path from the user to the gateway works properly. However, PC 1 cannot ping a public IP address, and AR2200 cannot ping a public IP address either. Tracert tests on a public IP address show that data packets are looped on AR2200 until the TTL reaches 0. According to the original forwarding route, data packets should be forwarded to the next hop on the public network after they reach AR2200. However, they are now looped between 172.16.21.1 and 172.16.21.2, indicating that the fault occurs on AR2200.
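The Layer 3 loop procedure (ping, tracert, inspect the node where the path changes) and the AR2200 symptom above, as an added Python model that is not part of the course: a longest-prefix-match forwarder per router, a TTL-decrementing probe, and a tracert-style trace whose repeating hop pair exposes the loop. Only 172.16.21.1 and 172.16.21.2 come from the page; the neighbour "Core", the 203.0.113.0/30 uplink, the 198.51.100.10 target and the stale default route are constructed.

```python
from ipaddress import ip_address, ip_network


class Router:
    """Minimal IPv4 forwarder: longest-prefix match over static routes."""

    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = [ip_address(a) for a in addresses]
        # routes: (prefix, next_hop); next_hop None means the prefix is directly connected.
        self.routes = sorted(((ip_network(p), nh) for p, nh in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst):
        for net, nh in self.routes:
            if dst in net:
                return nh
        raise LookupError(f"{self.name}: no route to {dst}")


class Network:
    def __init__(self, routers):
        self.by_addr = {a: r for r in routers for a in r.addresses}

    def probe(self, first_hop, dst, ttl):
        """One packet with the given TTL, injected at the first-hop router.
        Returns ('ttl-expired', address that would answer with Time Exceeded)
        or ('reached', destination)."""
        dst, addr = ip_address(dst), ip_address(first_hop)
        while True:
            router = self.by_addr[addr]
            ttl -= 1                        # each router decrements the TTL
            if ttl == 0:
                return "ttl-expired", addr   # discarded here, as the page describes
            nh = router.next_hop(dst)
            if nh is None:
                return "reached", dst        # directly connected: delivered
            addr = ip_address(nh)

    def tracert(self, first_hop, dst, max_ttl=30):
        """TTL 1, 2, 3 ... until the destination answers or max_ttl is hit."""
        hops = []
        for ttl in range(1, max_ttl + 1):
            status, addr = self.probe(first_hop, dst, ttl)
            hops.append(str(addr))
            if status == "reached":
                break
        return hops


def find_loop(hops):
    """Return the repeating hop sequence if the trace cycles, else None."""
    seen = {}
    for i, hop in enumerate(hops):
        if hop in seen:
            return hops[seen[hop]:i]
        seen[hop] = i
    return None


def build(faulty: bool) -> Network:
    # AR2200 owns 172.16.21.1; the neighbour on the new board's link owns 172.16.21.2.
    # 203.0.113.0/30 is the constructed public uplink, 10.1.1.0/24 the intranet.
    default = "172.16.21.2" if faulty else "203.0.113.1"
    ar2200 = Router("AR2200", ["10.1.1.254", "172.16.21.1", "203.0.113.2"], [
        ("10.1.1.0/24", None), ("172.16.21.0/30", None), ("203.0.113.0/30", None),
        ("0.0.0.0/0", default),  # faulty: stale route that took effect when the board came up
    ])
    neighbour = Router("Core", ["172.16.21.2"], [
        ("172.16.21.0/30", None),
        ("0.0.0.0/0", "172.16.21.1"),   # hands everything straight back to AR2200
    ])
    isp = Router("ISP", ["203.0.113.1"], [("203.0.113.0/30", None), ("0.0.0.0/0", None)])
    return Network([ar2200, neighbour, isp])


if __name__ == "__main__":
    for faulty in (True, False):
        hops = build(faulty).tracert("10.1.1.254", "198.51.100.10", max_ttl=8)
        print("faulty" if faulty else "fixed ", hops, "loop:", find_loop(hops))
```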



 Correctly configure next hops and delete unnecessary configurations. Otherwise, the route to the intranet takes effect after a board is added, resulting in loops. Consequently, network connections are interrupted and services cannot be provided.
 Before adding a board, you must confirm whether the board will affect the current configuration.
Answer to question 1: D
Answer to question 2: D

 Supplicant: The supplicant is usually a user terminal that is authenticated by the authenticator. The supplicant must be running 802.1X-compliant client software such as that offered in the Microsoft Windows operating system. The supplicant must support the Extensible Authentication Protocol over LAN (EAPoL).
 Authenticator: The authenticator is usually a network device that supports the 802.1X protocol. The authenticator provides an interface that allows the supplicant to access the LAN.
 Authentication server: The authentication server is an entity that provides the authentication service for the authenticator. The authentication server is usually a Remote Authentication Dial-In User Service (RADIUS) server for implementing authentication, authorization, and accounting (AAA).
 Port Access Entity (PAE): PAE is an entity that implements algorithms and protocol operations in 802.1X authentication.
 Controlled interface: In authorized mode, the controlled interface transmits service packets in both directions. In unauthorized mode, the controlled interface cannot receive packets from the supplicant.
 Uncontrolled interface: The uncontrolled interface is mainly used to transmit EAPoL frames in both directions to ensure that the supplicant can send and receive authentication packets at any time.

The EAP relay authentication process is described as follows:
 When a user needs to access an external network, the user starts the 802.1X client program, enters the registered user name and password, and initiates a connection request. At this time, the client sends an authentication request frame (EAPOL-Start) to the device to start the authentication process.
 After receiving the authentication request frame, the device sends an identity request frame (EAP-Request/Identity), requiring the client to send the user name that has been entered.
 In response to the request sent by the device, the client sends an identity response frame (EAP-Response/Identity) carrying the user name to the device.
 The device encapsulates the EAP packet in the response frame sent by the client into a RADIUS packet (RADIUS Access-Request) and sends the RADIUS packet to the authentication server for processing.
 After receiving the user name forwarded by the device, the RADIUS server searches the user name table in the database for the password corresponding to the user name, encrypts the password with a randomly generated MD5 Challenge, and at the same time sends the MD5 Challenge in a RADIUS Access-Challenge packet to the device.
 The device forwards the MD5 Challenge sent by the RADIUS server to the client.
 After receiving the MD5 Challenge from the device, the client encrypts the password with the MD5 Challenge, generates an EAP-Response/MD5 Challenge packet, and sends the packet to the device.
 The device encapsulates the EAP-Response/MD5 Challenge packet into a RADIUS packet (RADIUS Access-Request) and sends the RADIUS packet to the RADIUS server.
 The RADIUS server compares the received encrypted password with the locally encrypted password. If the two are the same, the user is an authorized user, and the RADIUS server sends a packet indicating that the authentication succeeds (RADIUS Access-Accept) to the device.
 After receiving the RADIUS Access-Accept packet, the device sends an EAP-Success frame to the client, changes the interface state to authorized, and allows the user to access the network through the interface.
 When the user is online, the device periodically sends handshake packets to the client to monitor the online status of the user.
 After receiving a handshake packet, the client sends a response packet to the device, indicating that the user is still online. By default, the device disconnects the user if it does not receive any response from the client after sending two consecutive handshake packets. The handshake mechanism allows the device to detect unexpected user disconnections.
 If the user wants to go offline, the client sends an EAPOL-Logoff frame to the device.
 The device changes the interface state from authorized to unauthorized and sends an EAP-Failure packet to the client.

 The difference between the 802.1X authentication process in EAP termination mode and that in EAP relay mode is as follows: In EAP termination mode, the device generates the MD5 Challenge for user password encryption, and then sends the user name, MD5 Challenge, and the password encrypted on the client to the RADIUS server for authentication.
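The EAP relay exchange described above and the EAP termination variant, as an added Python walk-through that is not from the course and not a real 802.1X or RADIUS implementation: the three entities exchange the messages named on the slides, the client answers the MD5 Challenge with MD5(Identifier || password || challenge) as EAP-MD5 inherits from CHAP (RFC 3748, RFC 1994), and the server's comparison decides between Access-Accept and Access-Reject. The user table and the message-name strings are constructed; the RADIUS attribute names are the standard ones.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

Transcript = List[Tuple[str, str, str]]   # (sender, receiver, message)


def md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(Identifier || password || challenge), the CHAP
    computation EAP-MD5 reuses (RFC 3748 referring to RFC 1994). The cleartext
    password itself never leaves the client."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode() + challenge).digest()


class Supplicant:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return md5_response(identifier, self.password, challenge)


class RadiusServer:
    """Holds the user table and checks responses against the challenge in use,
    either its own (relay mode) or the device's (termination mode)."""
    def __init__(self, users: Dict[str, str]):
        self.users = users

    def new_challenge(self) -> Tuple[int, bytes]:
        return os.urandom(1)[0], os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        password = self.users.get(username)
        if password is None:
            return False
        return hmac.compare_digest(md5_response(identifier, password, challenge), response)


def _start(client: Supplicant, log: Transcript) -> None:
    log.append(("client", "device", "EAPOL-Start"))
    log.append(("device", "client", "EAP-Request/Identity"))
    log.append(("client", "device", f"EAP-Response/Identity ({client.username})"))


def _finish(ok: bool, log: Transcript) -> str:
    if ok:
        log.append(("server", "device", "RADIUS Access-Accept"))
        log.append(("device", "client", "EAP-Success; controlled port -> authorized"))
        return "EAP-Success"
    log.append(("server", "device", "RADIUS Access-Reject"))
    log.append(("device", "client", "EAP-Failure; controlled port stays unauthorized"))
    return "EAP-Failure"


def eap_relay(client: Supplicant, server: RadiusServer, log: Transcript) -> str:
    """Relay mode: the device only re-encapsulates EAP inside RADIUS EAP-Message
    attributes; the server generates the MD5 Challenge."""
    _start(client, log)
    log.append(("device", "server", "RADIUS Access-Request [EAP-Message: Response/Identity]"))
    ident, chal = server.new_challenge()
    log.append(("server", "device", "RADIUS Access-Challenge [EAP-Message: Request/MD5-Challenge]"))
    log.append(("device", "client", "EAP-Request/MD5-Challenge"))
    resp = client.respond(ident, chal)
    log.append(("client", "device", "EAP-Response/MD5-Challenge"))
    log.append(("device", "server", "RADIUS Access-Request [EAP-Message: Response/MD5-Challenge]"))
    return _finish(server.verify(client.username, ident, chal, resp), log)


def eap_termination(client: Supplicant, server: RadiusServer, log: Transcript) -> str:
    """Termination mode: the device generates the challenge, terminates EAP, and
    hands user name, challenge and response to the server as CHAP attributes."""
    _start(client, log)
    ident, chal = os.urandom(1)[0], os.urandom(16)          # generated on the device
    log.append(("device", "client", "EAP-Request/MD5-Challenge"))
    resp = client.respond(ident, chal)
    log.append(("client", "device", "EAP-Response/MD5-Challenge"))
    log.append(("device", "server",
                "RADIUS Access-Request [User-Name, CHAP-Challenge, CHAP-Password]"))
    return _finish(server.verify(client.username, ident, chal, resp), log)


# Constructed user table for the example; a real server reads its own database.
USERS = {"alice": "correct-horse"}

if __name__ == "__main__":
    server = RadiusServer(USERS)
    for mode in (eap_relay, eap_termination):
        log: Transcript = []
        print(mode.__name__, "->", mode(Supplicant("alice", "correct-horse"), server, log))
        for sender, receiver, msg in log:
            print(f"  {sender:>6} -> {receiver:<6} {msg}")
    print("wrong password ->", eap_relay(Supplicant("alice", "typo"), server, []))
```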

 What are other symptoms of 802.1X authentication faults in actual projects?

Analyze possible causes from the perspective of the three entities:
 Client: An incorrect user name or password is entered on the client. Therefore, the authentication fails.
 Device: The 802.1X function is not enabled both globally and on the interface. AAA settings are incomplete, or the device is not properly connected with the authentication server.
 Server: Settings of user names or passwords are incorrect on the authentication server.

 In this process, it is assumed that the RADIUS server works properly.
 If the RADIUS server does not work properly, you need to check whether the RADIUS server can be pinged and whether the settings on the RADIUS server are correct. If you still cannot solve the problem, collect information by enabling the debugging radius function and report the collected information to Huawei engineers for troubleshooting.

 Low-level faults are more likely to occur. Therefore, you need to troubleshoot low-level faults first.
 You can run commands to check the device interface status. For example, run the display interface GigabitEthernet0/0/1 command to check the physical status and protocol status of the interface.
 The link between the client and switch cannot be pinged because the switch runs the dot1x enable command automatically. This is normal. Before you check whether the link is reachable, you need to disable the dot1x function on the interfaces.

 Check the settings. If global 802.1X is disabled, you need to enable it.
 Run the dot1x enable command to enable 802.1X authentication on interfaces.

 Run the display aaa configuration command to check the AAA summary.
 The AAA summary information includes the usage of domains, authentication schemes, and accounting schemes, the number of access users in the domain, and the number of online users in each state.
 Run the display accounting-scheme [ scheme-name ] command to display the accounting scheme settings. scheme-name indicates the name of an accounting scheme.

 The test-aaa command tests whether a user can be authenticated using RADIUS authentication.
 test-aaa user-name user-password radius-template template-name [ chap | pap ]
 Login tests on the device help Huawei technical support personnel locate faults.
Mo
re
Le
ar
ni
ng
Re
so
urc
es
:
ht
tp
:/
/l
ea
rn
in
g.
hu
aw
ei
.c
om
/e
n
n
/e
om
.c
ei
aw
hu
g.
in
rn
ea
/l
:/
tp

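To show what the pap and chap variants of the test above actually put on the wire, here is an added Python example (written for this page; not course material and not any Huawei product code) that builds a RADIUS Access-Request the way a NAS does. It implements the User-Password hiding of RFC 2865 for PAP and the CHAP-Password digest for CHAP. The shared secret, Request Authenticator, user name, password and NAS address are constructed sample values.

```python
import hashlib
import struct

# RADIUS code and attribute types used here (RFC 2865); the numeric values are the standard ones.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is limited to 1..128 bytes")
    padded = password + bytes(-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: the shared secret plus the authenticator from the packet is all it takes."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")   # strip block padding (passwords ending in NUL are not supported here)


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: Ident || MD5(Ident || password || challenge); one-way."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_access_request(identifier: int, user: str, password: str, secret: bytes,
                         method: str, authenticator: bytes, challenge: bytes = b"") -> bytes:
    """Assemble the Access-Request a NAS sends for a PAP or CHAP login test."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = [(USER_NAME, user.encode()),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]          # constructed NAS address
    if method == "pap":
        attrs.append((USER_PASSWORD, pap_hide(password.encode(), secret, authenticator)))
    elif method == "chap":
        attrs.append((CHAP_PASSWORD, chap_password(identifier, password.encode(), challenge)))
        attrs.append((CHAP_CHALLENGE, challenge))
    else:
        raise ValueError("method must be 'pap' or 'chap'")
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) from a RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", bytes(range(16))   # sample values only
    pkt = build_access_request(7, "user1", "Example-Pw1", secret, "pap", auth)
    _, _, _, attrs = parse_attributes(pkt)
    print("PAP User-Password on the wire:", dict(attrs)[USER_PASSWORD].hex())
    print("recovered with the shared secret:", pap_reveal(dict(attrs)[USER_PASSWORD], secret, auth))
```

The round trip through pap_reveal is the practical point of the example: PAP protects the password only with MD5 keyed by the shared secret and the 16-byte Request Authenticator, so the strength of the secret and an unpredictable authenticator are what stand between a captured RADIUS exchange and the cleartext password. CHAP sends a one-way digest instead, at the price of the server needing the cleartext password to verify it.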
 Adopt the troubleshooting process discussed in the previous slides.

 In this case, the link between the client and switch cannot be pinged because the dot1x enable command is in effect on the switch. This is normal.
 You can check address settings or test connections after running the undo dot1x enable command.

 In this case, the dot1x enable command is run on the interface of the switch. However, the output of the display dot1x statistics command shows "Global 802.1x is Disabled".
 The dot1x enable command must be run both globally and on interfaces.

 By default, the 802.1X feature is disabled on interfaces.
 Before configuring the 802.1X feature on Ethernet interfaces, you must run this command to enable the 802.1X feature. Only specified Layer 2 physical interfaces support the 802.1X feature.
 Enable the 802.1X feature on Ethernet 1/0/0.
<sysname> system-view
[sysname] interface Ethernet 1/0/0
[sysname-Ethernet1/0/0] dot1x enable

 The links between devices are normal.
 ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i { interface-type interface-number } | -m time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command; -c count indicates the number of ping operations.

 In this case, we checked key settings and found that the dot1x function is enabled globally and on the interfaces, and that the dot1x status is normal.

 accounting start-fail online; the accounting start-fail command is used to configure an accounting failure policy.
 online indicates that no special processing is adopted and accounting is regarded as successful if starting remote accounting fails.
 offline indicates that online services become unavailable to users when starting remote accounting fails.

B
B

The IPSec VPN architecture consists of AH, ESP, and IKE. IPSec uses ESP to ensure confidentiality of IP data during transmission, and uses AH and ESP to implement data origin authentication, data integrity check, and anti-replay. ESP and AH define protocol and payload header formats and available services, but do not define the specific transforms used to implement the preceding services. Transforms include data conversion modes, for example, algorithm and key length. To simplify the usage and management of IPSec, IPSec uses IKE to exchange keys and to create and maintain security associations (SAs) through automatic negotiation. The functions of these protocols are as follows:
 AH supports data integrity check, data origin authentication, and anti-replay. However, AH does not encrypt the protected data.
 ESP, in addition to providing all the functions provided by AH (the IP packet header is not included in the data integrity check), encrypts IP packets.
 IKE is used to automatically negotiate the cryptographic algorithms used by AH and ESP.

 Initiator’s Cookie (SPI): is used by the initiator to uniquely identify an IKE SA. The value cannot be 0.
 Responder’s Cookie (SPI): is used by the responder to uniquely identify an IKE SA. The value is 0 in the first message and cannot be 0 in subsequent messages.
 Next Payload: identifies the type of the next payload following the Authentication Header. If the current payload is the last in the message, this field will be 0. This field provides a "chaining" capability between payloads. Additional payloads can be added to a message by appending them to the end of the message and setting the Next Payload field of the preceding payload to indicate the new payload's type.
 Exchange Type: indicates the type of exchange being used. This field constrains the payloads sent in each message and the message exchange sequence. Phase 1 operates in either main or aggressive mode.

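As an added illustration of the header fields just listed (example code written for this page, not from the course or from any vendor's IKE implementation), the Python below serialises and parses an ISAKMP message, walks the Next Payload chain, and then applies the cookie and exchange-type rules above as checks on a phase 1 message. The cookie values, the minimal SA body and the vendor ID are constructed placeholders; the numeric exchange-type and payload-type codes are those of RFC 2408.

```python
import struct
from dataclasses import dataclass, field

HEADER = struct.Struct("!8s8sBBBBII")   # 28-byte ISAKMP header: I-cookie, R-cookie, Next Payload,
                                        # Version, Exchange Type, Flags, Message ID, Length
PAYLOAD_HDR = struct.Struct("!BBH")      # generic payload header: Next Payload, RESERVED, Payload Length
ISAKMP_VERSION = 0x10                    # major 1, minor 0

EXCHANGE_TYPES = {2: "identity protection (main mode)", 4: "aggressive", 5: "informational", 32: "quick mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}


@dataclass
class IsakmpMessage:
    i_cookie: bytes
    r_cookie: bytes
    exchange_type: int
    flags: int
    message_id: int
    payloads: list = field(default_factory=list)   # [(payload type, body bytes)] in wire order


def build_isakmp(i_cookie, r_cookie, exchange_type, payloads, flags=0, message_id=0) -> bytes:
    """Serialise a message; each Next Payload field names the payload that follows, 0 on the last."""
    body = b""
    for idx, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return HEADER.pack(i_cookie, r_cookie, first, ISAKMP_VERSION, exchange_type, flags,
                       message_id, HEADER.size + len(body)) + body


def parse_isakmp(data: bytes) -> IsakmpMessage:
    """Parse the header and follow the payload chain, rejecting anything that overruns the message."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    i_cookie, r_cookie, next_p, version, xtype, flags, msg_id, length = HEADER.unpack_from(data)
    if version != ISAKMP_VERSION or length != len(data):
        raise ValueError("version or length mismatch")
    if i_cookie == bytes(8):
        raise ValueError("initiator cookie must not be zero")
    msg = IsakmpMessage(i_cookie, r_cookie, xtype, flags, msg_id)
    offset = HEADER.size
    while next_p != 0:
        if offset + PAYLOAD_HDR.size > len(data):
            raise ValueError("payload header runs past the end of the message")
        nxt, _reserved, plen = PAYLOAD_HDR.unpack_from(data, offset)
        if plen < PAYLOAD_HDR.size or offset + plen > len(data):
            raise ValueError("bad payload length")
        msg.payloads.append((next_p, data[offset + PAYLOAD_HDR.size:offset + plen]))
        next_p, offset = nxt, offset + plen
    if offset != len(data):
        raise ValueError("trailing bytes after the last payload")
    return msg


def phase1_checks(msg: IsakmpMessage, first_message: bool) -> list:
    """Findings for a phase 1 message, following the field rules described on the slide."""
    findings = []
    if msg.exchange_type not in (2, 4):
        findings.append(f"exchange type {msg.exchange_type} is neither main nor aggressive mode")
    if first_message and msg.r_cookie != bytes(8):
        findings.append("responder cookie must be zero in the first message")
    if not first_message and msg.r_cookie == bytes(8):
        findings.append("responder cookie must be non-zero after the first message")
    if msg.message_id != 0:
        findings.append("phase 1 messages carry Message ID 0")
    if first_message and msg.payloads and msg.payloads[0][0] != 1:
        findings.append("the first message should start with an SA payload")
    return findings


# Constructed first main-mode message: DOI 1 (IPsec) and situation 1 with no proposals, plus a VID.
SA_BODY = struct.pack("!II", 1, 1)
MESSAGE_1 = build_isakmp(bytes.fromhex("0a1b2c3d4e5f6071"), bytes(8), 2,
                         [(1, SA_BODY), (13, b"\x11" * 16)])

if __name__ == "__main__":
    m = parse_isakmp(MESSAGE_1)
    print(EXCHANGE_TYPES[m.exchange_type], [PAYLOAD_TYPES[t] for t, _ in m.payloads], phase1_checks(m, True))
```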
 The packet exchange process in main mode in IKE negotiation phase 1 is as follows:
① The initiator sends an SA payload that contains IKE proposals to implement IKE proposal negotiation.
② The responder sends an SA payload to accept the negotiated IKE proposal.
③ The initiator and responder exchange the DH public keys (KE payload) and random values (Ni and Nr payloads). Ni and Nr are required to calculate the pre-shared key (to generate the encryption key and authentication key).
④ The initiator and responder exchange the DH public keys (KE payload) and random values (Ni and Nr payloads).
⑤ The initiator and responder exchange the identity IDs (ID payload) and authenticate the hash values (AUTH payload). Messages (5) and (6) are encrypted, and the encryption key is the one generated in messages (3) and (4), to protect the identity information.
⑥ The initiator and responder exchange the identity IDs (ID payload) and authenticate the hash values (AUTH payload).
 Besides the main mode, the aggressive mode can also be used in phase 1. The difference between the two modes is that the aggressive mode uses a three-message exchange and does not protect the identity information.
 The IKE SA cannot be established if the IKE proposals, identity IDs, or pre-shared keys on the two ends do not match.
 To ensure that a negotiation is successful, the responder must be able to receive ISAKMP messages from the initiator. To ensure that the responder can receive ISAKMP messages, the remote address must be configured on the initiator using the remote-address command and the route between the peers must be reachable.

 The packet exchange process in quick mode in IKE negotiation phase 2 is as follows:
① The initiator and responder negotiate the IPSec proposal (SA payload) and the DH group (KE payload) used by Perfect Forward Secrecy (PFS). The initiator and responder exchange the identity ID (the ID payload is optional) and the hash value (the AUTH payload). IDci and IDcr are in the ID payload. They are used to exchange traffic selection identifiers and ensure that both ends protect the same data flows.
② The initiator and responder negotiate the IPSec proposal (SA payload) and the DH group (KE payload) used by Perfect Forward Secrecy (PFS). The initiator and responder exchange the identity ID (the ID payload is optional) and the hash value (the AUTH payload).
③ The initiator sends the integrity authentication hash value to acknowledge the negotiation success.
 The IPSec SA cannot be established if the IPSec proposals, PFS, or ACL rules on the two ends do not match.

 IPSec VPN faults are categorized based on the stage during which a fault occurs. IKE negotiation failures are the key problems among IPSec faults. Other faults are caused by incorrect configurations of basic router or firewall features, for example, license, interface, link, route, security zone, and NAT. You need to troubleshoot faults based on the actual networking.
 This course describes how to troubleshoot IKE negotiation failures.

 An IKE negotiation involves two phases. In phase 1, IKE SAs are created to provide secure channels for IPSec SA negotiation in phase 2. Common causes of negotiation failures in phase 1 include incorrect configuration of the route and other parameters on the IKE peer. Common causes of negotiation failures in phase 2 include inconsistent ACL configuration.

 A route (usually a default route) to the private network where the IKE peer resides must exist in the routing table. The outbound interface of the route is the interface to which the IPSec policy is applied. If packets do not match the route, the packets are discarded. If the outbound interface of the matched route is not the interface to which the IPSec policy is applied, the packets cannot be sent to the IPSec module and will be transmitted in plain text.
 IPSec VPN data usually flows between security zones, so you must configure interzone packet filtering to permit the traffic between the source zone (where the internal interface resides) and the destination zone (where the external interface to which the IPSec policy is applied resides). Otherwise, packets are discarded.

 The IPSec VPN troubleshooting roadmap is as follows:
 First, check whether IKE negotiations, including the IKE SA and IPSec SA negotiations, fail. Then, check firewall configurations and other configurations.
 Check whether the local device works properly.
 Check whether the remote device works properly.

1. Check whether the responder can receive IKE negotiation packets.
 Run the display ipsec statistics command. If the value of IKE packet inbound is 0 on the responder, the responder does not receive any IKE negotiation packet.
2. Check the IP connectivity between the IKE peers.
 Run the undo ipsec policy command to unbind IPSec policies from interfaces at both ends of the IPSec tunnel and check whether the interfaces can ping each other: ping -a source-ip-address host
 After checking the interfaces and IP connectivity, run the ipsec policy command to apply the IPSec policies on the interfaces again.
3. Check whether the peer gateway on the local device matches the local address on the remote device.
 Run the display ike peer name peer-name command to check whether the remote address is the same as the IP address on the remote device.
4. Check other configurations on IKE peers, including negotiation modes, identity IDs, and pre-shared keys.
5. Check IKE proposal configurations on IKE peers.
 Run the display ike proposal command to check whether the following configurations are the same: encryption algorithms, authentication methods, authentication algorithms, integrity algorithms, and DH groups.

1. Check ACL configurations. IKEv1 requires that the ACLs on both ends mirror each other or that the ACL on the initiator is a subset of the ACL on the responder.
 Run the display ipsec policy command to check the numbers of the ACLs referenced in IPSec policies.
 Run the display acl acl-number command to check whether the configurations of the security ACL are correct.
2. Check IPSec proposal configurations on both ends.
 Run the display ipsec proposal command to check whether both ends use the same security protocol, authentication algorithm, encryption algorithm, and encapsulation mode.
3. Check PFS configurations on both ends.
 Run the display ipsec policy command to check whether both ends have PFS enabled and use the same DH group.

1. Check the IP connectivity between the PC and gateway.
 Check the gateway interface and route.
 Check the IP address of the PC interface and route.
2. Check the IP connectivity between the gateway and remote private network.
 Run the display ip routing-table command. The command output should show that the route to the remote private network exists and that the outbound interface of the route is the interface to which the IPSec policy is applied.
3. Check interzone packet-filtering configurations.
 Run the display policy interzone command to check whether protected data flows can be sent from the trust zone to the untrust zone.
4. Check whether IPSec policies are correctly applied to tunnel interfaces.
 Run the display this command in the interface view to check whether IPSec policies are applied to the interfaces.
5. Check ACL configurations.
 Run the display ipsec policy command to check the numbers of the ACLs referenced in IPSec policies.
 Run the display acl acl-number command to check whether the ACL configurations are correct.

 You can also obtain technical support at http://support.huawei.com/enterprise/.

 In this case, the fault is caused by configuring a secondary IP address. The root cause may be that the remote gateway address on the local device does not match the local address on the remote end. Run the display ike peer command. The command output shows that the value of RemoteAddr on FW A is different from the value of local-address on FW B.

 After modifying configurations on the IKE peer, you may need to perform a ping operation to trigger the IKE negotiation.

 In this case, the cause of the IKE negotiation failure is that the remote gateway address on the local device does not match the local address on the remote end, because a secondary address is specified as the local address of the tunnel on FW B.

 Basic configurations, such as the IP address, route, and interzone policy, are correct, and the display ike sa command output shows that the SA is abnormal. The cause is therefore an IKE negotiation failure.
 Analyze all possible causes in IKE negotiation phase 1 and phase 2. The display acl command output shows that the ACL configurations are different on the two ends, resulting in an IPSec SA negotiation failure in IKE negotiation phase 2.

 IKEv1 requires that the ACLs on both ends mirror each other or that the ACL on the initiator is a subset of the ACL on the responder. In IKEv2 negotiation, the intersection of the ACL rules on both ends is the negotiation result.
 In practice, it is recommended that you configure the ACLs at both ends to mirror each other to simplify configurations.

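The IKEv1 mirror-or-subset rule stated here and in the phase 2 checklist earlier, and the IKEv2 intersection rule, can be checked mechanically before a negotiation is even attempted. The following Python example (added for this page; not Huawei code) parses the permit rules of display acl output into source and destination networks and applies both rules. The ACL text is a constructed sample in the rule permit ip source ... destination ... form with wildcard masks; the addresses are sample values.

```python
import re
from ipaddress import IPv4Network, ip_network

# Constructed display acl output for the two firewalls in the case (sample addresses).
FW_A_ACL = """acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.0.0 0.0.255.255
"""
FW_B_MIRROR = """acl number 3000
 rule 5 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
"""
FW_B_NARROW = """acl number 3000
 rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
"""

RULE = re.compile(r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """ACL wildcard masks mark don't-care bits with 1; invert to a netmask for ipaddress."""
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{addr}/{netmask}", strict=False)


def parse_acl(text: str):
    """Return [(source network, destination network)] for every permit rule in the output."""
    return [(wildcard_to_network(m.group(1), m.group(2)), wildcard_to_network(m.group(3), m.group(4)))
            for m in RULE.finditer(text)]


def mirror(rule):
    """The same flow as seen from the other end: source and destination swap."""
    return (rule[1], rule[0])


def covered_by(rule, other) -> bool:
    """True when every flow selected by `rule` is also selected by `other`."""
    return rule[0].subnet_of(other[0]) and rule[1].subnet_of(other[1])


def ikev1_acls_compatible(initiator_rules, responder_rules) -> bool:
    """IKEv1: each initiator rule, mirrored, must be matched exactly or contained by a responder rule."""
    return all(any(covered_by(mirror(r), s) for s in responder_rules) for r in initiator_rules)


def intersect(a: IPv4Network, b: IPv4Network):
    """Two CIDR networks either nest or are disjoint, so the intersection is the smaller one or nothing."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def ikev2_negotiated_selectors(initiator_rules, responder_rules):
    """IKEv2: the result is the intersection of both ends' selectors, in the initiator's view."""
    result = []
    for src, dst in initiator_rules:
        for r_src, r_dst in responder_rules:
            s, d = intersect(src, r_dst), intersect(dst, r_src)
            if s is not None and d is not None:
                result.append((s, d))
    return result


if __name__ == "__main__":
    a, b, n = parse_acl(FW_A_ACL), parse_acl(FW_B_MIRROR), parse_acl(FW_B_NARROW)
    print("mirrored ACLs, IKEv1:", ikev1_acls_compatible(a, b))
    print("initiator wider than responder, IKEv1:", ikev1_acls_compatible(a, n))
    print("IKEv2 result for the same pair:", ikev2_negotiated_selectors(a, n))
```

When ikev1_acls_compatible returns False for the direction actually initiating the tunnel, the phase 2 failure from the case above is reproduced without touching the devices; the IKEv2 result shows why the same pair of ACLs would still come up there, but with a narrower set of protected flows than either side configured.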

Answers: 1. ABCD 2. B

 There are many vendors in the network field and interconnection faults vary, but the roadmap and methods for troubleshooting faults in direct interconnections are similar.
 Vendors include Cisco, Juniper, ZTE, HP, and Ericsson.
 Interconnection devices discussed in this document refer to routers, switches, and firewall devices. This document does not discuss faults in interconnections of other devices.
 This document does not discuss device faults caused by software and hardware issues of devices.
 Interconnection faults involve devices of multiple parties. You are advised to obtain support from customers and technical personnel of other vendors when troubleshooting interconnection faults.

 Why do interconnection faults occur on devices that comply with the same standards?

 Interconnection fault troubleshooting is to find the root causes of faults and take measures to eliminate them.

 Interconnection fault troubleshooting roadmap:
 Troubleshoot low-level faults caused by different displayed settings on interconnected devices.
 Troubleshoot faults caused by different default settings on interconnected devices. You need to pay attention to this operation because some default settings may not be displayed and default settings vary with vendors.
 Check whether interconnected devices use the same mechanisms to implement protocols. Although interconnected devices implement the same technical standards, implementation mechanisms may be different. You need to carefully check the technical documents of other vendors and ask customers to obtain support from engineers of other vendors to solve problems together if necessary.

 First of all, you need to determine whether a fault is an interconnection fault.
 Loopback is to create a loop by connecting the local sending/receiving end to the remote sending/receiving end. Principle: the receiver returns the transmitted information (signal or data) to the sender. If the sender receives the returned data, the link works properly.
 loopback remote: the local device loops back the packets received from its peer device to the peer device to test whether the link between the two devices works properly.

 Low-level faults are more likely to occur. Therefore, you need to troubleshoot low-level faults first.
 You need to troubleshoot interconnection faults caused by inconsistent settings first.

 You can run the display interface/show interface [type slot/port] command to view interface settings and status and check whether error packets exist on interfaces.
 You can run the display diagnostic-information/show tech-support command to collect all important diagnosis information on a device. You are advised to use this command only when a system is remotely accessible or the local troubleshooting time is limited.

 You need to carefully check the product documents of vendors and the latest protocols and standards to confirm whether vendors use the same mechanisms to implement protocols.

 You can also obtain support at http://support.huawei.com/enterprise/.

 This fault is the most common interconnection fault. After direct interconnection, interfaces cannot go up and links fail.

 Besides hardware loopback tests, you can also interconnect two devices of the same model from the same vendor to verify the interconnection.
 If the interconnection between the two devices works properly, you can infer that the fault is not caused by hard­ware faults of the devices.

 Based on the physical feature, XGE interfaces work in the following modes:
 LAN mode: XGE interfaces working in LAN mode transmit Ethernet packets and connect to Ethernet networks.
 WAN mode: XGE interfaces working in WAN mode transmit synchronous digital hierarchy (SDH) frames and connect to SDH networks. Interfaces working in WAN mode support only point-to-point packet transmission.
 These two modes are used in different types of networks. Two interfaces working in these two modes cannot communicate properly.

 Note: Run the shutdown command to disable the interface before configuration and run the undo shutdown command to enable it afterwards.

 Interconnection faults caused by inconsistent parameter settings account for a large part of all interconnection faults.

 This case analyzes the differences between mechanisms used to implement LACP to demonstrate the process of troubleshooting protocol-related interconnection faults.

 By replacing the devices, we determine that the fault is an interconnection fault and that the devices are free of hardware faults.

 Because many vendors implement LACP by using mechanisms that are different from those specified in the standard protocol, we boldly make this assumption and adopt backward reasoning to verify it. In the end, we solve this problem.

 Different vendors use different mechanisms to implement the same LACP.

Answer:

ABCD

 The following assumes that RTA sends the first Hello packet.
1. RTA sends the first Hello packet with an empty neighbor list. After receiving the Hello packet, RTB adds a neighbor entry of RTA on the receiving port and changes the neighbor status from Down to Init.
2. RTB sends a Hello packet containing RTA in the neighbor list to RTA. After receiving the Hello packet, RTA adds a neighbor entry of RTB on the receiving port and changes the neighbor status from Down to Init. RTA is in the neighbor list of the Hello packet and therefore generates a 2-WayReceived event. To set up an adjacency with RTB connected over a point-to-point (P2P) network, RTA changes the neighbor status from Init to ExStart.
3. After the neighbor state becomes ExStart, RTA sends a Database Description (DD) packet to RTB. After receiving the DD packet, RTB in Init state generates a 2-WayReceived event. RTB needs to set up an adjacency with RTA and therefore changes the neighbor state machine from Init to ExStart.
4. After the neighbor state machine becomes ExStart, RTA sends the first DD packet to RTB. The fields in this DD packet are set as follows:
 DD Sequence Number = x (assumed)
 I-bit = 1, indicating that this packet is the first in a sequence of DD packets
 M-bit = 1, indicating that more DD packets follow this one
 MS-bit = 1, indicating that RTA advertises itself as the master router
5. After the neighbor state machine is ExStart, RTB sends the first DD packet, in which DD Sequence Number is set to y (assumed), to RTA. The router ID of RTB is assumed to be larger than that of RTA; therefore, RTB should function as the master router. After router IDs are compared, RTA generates a NegotiationDone event and changes its neighbor state machine from ExStart to Exchange.
6. In Exchange state, RTA sends a new DD packet containing summary information about the local link state database (LSDB). In the DD packet, DD Sequence Number is set to the same value as that in the DD packet received from RTB, M-bit is set to 0, indicating that no additional DD packet is required for describing the local LSDB, and MS-bit is set to 0, indicating that RTA advertises itself as the slave router. After receiving this DD packet, RTB generates a NegotiationDone event and changes its neighbor state machine from ExStart to Exchange.
7. In Exchange state, RTB sends a new DD packet containing a description of the local LSDB. In this DD packet, DD Sequence Number is increased by 1 (y+1).
8. RTA, as the slave router, needs to acknowledge each DD packet from RTB even though RTA does not need to update its LSDB using new DD packets. Therefore, RTA sends an empty DD packet with DD Sequence Number of y+1 to RTB.
9. After sending all DD packets, RTA generates an ExchangeDone event and changes its status to Loading. After receiving all DD packets, RTB changes its status to Full. (Assume that the LSDB on RTB is the latest and complete, so RTB does not need to request LSDB updates from RTA.)
10. RTA sends a Link State Request (LSR) packet to RTB to request link state information that is learned from DD packets when the neighbor state machine is Exchange but not contained in the local LSDB.
11. After receiving the LSR packet, RTB sends a Link State Update (LSU) packet containing detailed link state information to RTA. After receiving the LSU packet, RTA changes its neighbor state machine from Loading to Full.
12. RTA then sends a Link State Acknowledgement (LSAck) packet to RTB to ensure information transmission reliability.
13. LSAck packets are flooded to acknowledge the receiving of Link State Advertisements (LSAs) rather than LSU packets.
14. The neighbor state machine becomes Full, indicating that the adjacency is successfully set up.

 The preceding figure shows the process of setting up a neighbor relationship and the process of neighbor state changes.
 OSPF has eight neighbor states: Down, Attempt, Init, 2-Way, ExStart, Exchange, Loading, and Full.
 Down: It is the initial stage of setting up sessions between neighbors. In this state, a router receives no packets from its neighbor.
 Attempt: This state exists only on the NBMA network and indicates that the router receives no message from the neighbor. In this state, the router has sent packets to the neighbor at an interval specified by HelloInterval. If the router receives no Hello packets from the neighbor within a dead interval specified by RouterDeadInterval, the state changes to Down.
 Init: A router has received a Hello packet from its neighbor but is not in the neighbor list of the received Hello packet. The router has not set up bidirectional communication with its neighbor.
 2-Way: A router changes its neighbor state machine to 2-Way when finding its router ID in the Hello packet received from the neighbor. In this state, the router determines whether to set up an adjacency with the neighbor. If no, the neighbor state remains in 2-Way state. If yes, the neighbor state changes to ExStart.
 ExStart: The local and neighbor routers negotiate the master/slave roles.
 Exchange: A router exchanges DD packets containing the local LSDB with its neighbor.
 Loading: A router exchanges LSR packets with its neighbor to request LSAs and exchanges LSU packets for advertising LSAs.
 Full: The local LSDBs on the two routers have been synchronized.

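To make the 14-step walkthrough and the state list above concrete, here is an added Python model (written for this page; not vendor code) of one P2P adjacency: two Neighbor objects exchange Hello, DD, LSR and LSU messages and record every state transition, so the Init, ExStart, Exchange, Loading and Full steps can be read off a history list instead of a figure. It implements only the events the walkthrough names, not the full RFC 2328 state machine; the router IDs, the sequence numbers x and y and the LSDB contents are assumed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class DD:
    """Database Description packet: only the fields the walkthrough uses."""
    router_id: str
    seq: int
    i_bit: bool        # I: first packet of a DD sequence
    m_bit: bool        # M: more DD packets follow
    ms_bit: bool       # MS: the sender claims the master role
    lsa_headers: list = field(default_factory=list)   # LSDB summary carried by the packet


@dataclass
class Neighbor:
    """One router's view of a single neighbor over a P2P link (2-Way goes straight to ExStart)."""
    name: str
    router_id: str
    lsdb: set = field(default_factory=set)
    state: str = "Down"
    history: list = field(default_factory=list)   # (event, new state) in order
    is_master: bool = False
    dd_seq: int = 0
    missing: set = field(default_factory=set)     # LSAs seen in DD packets but absent locally
    sent_last: bool = False                       # sent a DD with M = 0
    received_last: bool = False                   # received a DD with M = 0

    def go(self, event: str, new_state: str):
        self.history.append((event, new_state))
        self.state = new_state

    def receive_hello(self, neighbor_list):
        if self.state == "Down":
            self.go("HelloReceived", "Init")
        if self.state == "Init" and self.router_id in neighbor_list:
            self.go("2-WayReceived", "ExStart")

    def send_dd(self, seq: int, i_bit: bool, m_bit: bool, ms_bit: bool, describe: bool) -> DD:
        self.dd_seq = seq
        self.sent_last = not m_bit
        return DD(self.router_id, seq, i_bit, m_bit, ms_bit, sorted(self.lsdb) if describe else [])

    def receive_dd(self, dd: DD):
        if self.state == "Init":                   # a DD from the neighbor proves two-way reachability
            self.go("2-WayReceived", "ExStart")
            return
        if self.state == "ExStart":                # master/slave: the higher router ID wins
            self.is_master = IPv4Address(self.router_id) > IPv4Address(dd.router_id)
            if not self.is_master:
                self.dd_seq = dd.seq               # the slave adopts the master's sequence number
            self.go("NegotiationDone", "Exchange")
        if self.state == "Exchange":
            self.missing |= set(dd.lsa_headers) - self.lsdb
            self.received_last |= not dd.m_bit
            if self.sent_last and self.received_last:
                self.go("ExchangeDone", "Loading" if self.missing else "Full")

    def receive_lsu(self, lsas):
        self.lsdb |= set(lsas)
        self.missing -= set(lsas)
        if self.state == "Loading" and not self.missing:
            self.go("LoadingDone", "Full")


def form_adjacency(rta: Neighbor, rtb: Neighbor, x: int = 100, y: int = 200):
    """Replay steps 1 to 11 of the walkthrough; RTB is assumed to hold the more complete LSDB."""
    rtb.receive_hello([])                                               # 1: RTB Down -> Init
    rta.receive_hello([rta.router_id])                                  # 2: RTA Down -> Init -> ExStart
    rtb.receive_dd(rta.send_dd(x, True, True, True, describe=False))    # 3/4: RTB Init -> ExStart
    rta.receive_dd(rtb.send_dd(y, True, True, True, describe=False))    # 5: RTA is slave, -> Exchange
    rta_summary = rta.send_dd(rta.dd_seq, False, False, False, describe=True)
    rtb.receive_dd(rta_summary)                                         # 6: RTB ExStart -> Exchange
    rta.receive_dd(rtb.send_dd(y + 1, False, False, True, describe=True))   # 7: RTA -> Loading
    rtb.receive_dd(rta.send_dd(y + 1, False, False, False, describe=False))  # 8/9: RTB -> Full
    request = sorted(rta.missing)                                       # 10: LSR for what RTA lacks
    rta.receive_lsu([lsa for lsa in request if lsa in rtb.lsdb])       # 11: LSU answers, RTA -> Full
    return request                                                      # 12/13: LSAck not modelled


if __name__ == "__main__":
    a = Neighbor("RTA", "1.1.1.1", lsdb={"Router-1.1.1.1"})
    b = Neighbor("RTB", "2.2.2.2", lsdb={"Router-1.1.1.1", "Router-2.2.2.2"})
    print("LSR:", form_adjacency(a, b))
    for r in (a, b):
        print(r.name, "master" if r.is_master else "slave", r.history)
```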
 To rectify the fault, locate the fault first.
 When an IP address fails to be pinged, check whether the local router has a reachable route to the IP address.
 In most cases, the ping fails due to either of the following causes:
 The local or an intermediate device fails to send data (failing to reach the destination end).
 The destination or an intermediate device fails to return data (failing to reach the source end).
 In this example, RTA does not have a route to an external address and cannot send data to RTB. The ping fails.
tp

 No local OSPF routing information is obtained. Check whether the neighbor relationship is normal.
 The display ospf peer command displays information about neighbors in each OSPF area.
display ospf [ process-id ] peer [ [ interface-type interface-number ] [ neighbor-id ] | brief | last-nbr-down ]
 The display ospf peer brief command displays brief information about neighbors in each OSPF area. This command displays the neighbor ID in an area, the interface that connects to the neighbor, the router ID, and the neighbor status.
tp

 Let's think about it conversely. If the OSPF neighbor state is not Full, the most probable causes are as follows:
 The OSPF configuration is incorrect. --> Check and correct the configuration.
 The direct link is not working properly. --> Rectify the fault on the direct link.
tp

 Check whether the following OSPF configuration items on the two ends are consistent:
 Router ID, area ID, and other OSPF configuration items
 Question: Why is it impossible that the neighbor state remains in Attempt state?

 The display ospf cumulative command displays OSPF statistics.
[RTA]display ospf cumulative
OSPF Process 1 with Router ID 1.1.1.1
Cumulations
IO Statistics Type Input Output
Hello 0 34
DB Description 0 0
Link-State Req 0 0
Link-State Update 0 0
Link-State Ack 0 0
ASE: (Disabled)
LSAs originated by this router
Router: 1
Network: 0
...
Routing Table:
Intra Area: 2 Inter Area: 0 ASE: 0
Up Interface Cumulate: 1
 Note: The number of interfaces that can be enabled in an OSPF process varies depending on the product. For details, see the product documentation. For example, an NE40E router and an Sx700 series modular switch both support a maximum of 1000 interfaces, an S5700EI supports a maximum of 64 interfaces, and an S5700HI supports a maximum of 128 interfaces.

• A router changes its neighbor state to 2-Way as soon as it finds its own router ID in a Hello packet received from the neighbor, even if a few packets are lost.

• OSPF packets sometimes cannot be received correctly. In this case, check the connectivity at the link layer first. OSPF is a multicast-based protocol. Check whether the link supports multicast, especially when the link passes through a carrier network.
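The display ospf cumulative output above says more than "OSPF is up": RTA has sent 34 Hellos and received none, which is exactly the situation the slide attributes to a link-layer or multicast problem. The following Python is an added example (not from the course or Huawei) that parses the IO Statistics table and maps the counters to the stage at which adjacency formation is stuck. The sample text reuses the figures on the slide; the exact column layout is an assumption.

```python
import re

# Constructed sample modelled on the [RTA]display ospf cumulative output shown on
# the slide (same figures; exact column layout is an assumption).
SAMPLE = """\
          OSPF Process 1 with Router ID 1.1.1.1
                  Cumulations

  IO Statistics
    Type                Input     Output
    Hello               0         34
    DB Description      0         0
    Link-State Req      0         0
    Link-State Update   0         0
    Link-State Ack      0         0

  ASE: (Disabled)
  LSAs originated by this router
    Router: 1
    Network: 0
  Routing Table:
    Intra Area: 2  Inter Area: 0  ASE: 0
  Up Interface Cumulate: 1
"""

IO_ROW = re.compile(
    r"^\s*(Hello|DB Description|Link-State Req|Link-State Update|Link-State Ack)"
    r"\s+(\d+)\s+(\d+)\s*$")


def parse_io_statistics(text):
    """Return {packet type: {"input": n, "output": n}} from the IO Statistics table."""
    stats = {}
    for line in text.splitlines():
        m = IO_ROW.match(line)
        if m:
            stats[m.group(1)] = {"input": int(m.group(2)), "output": int(m.group(3))}
    return stats


def parse_up_interfaces(text):
    """Number of OSPF-enabled interfaces that are up, or None if the line is missing."""
    m = re.search(r"Up Interface Cumulate:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def diagnose(text):
    """Map the packet counters to the stage at which adjacency formation is stuck."""
    stats = parse_io_statistics(text)
    zero = {"input": 0, "output": 0}
    hello = stats.get("Hello", zero)
    dd = stats.get("DB Description", zero)
    lsu = stats.get("Link-State Update", zero)
    if parse_up_interfaces(text) == 0:
        return "no OSPF-enabled interface is up: check interface state and the network command"
    if hello["output"] == 0:
        return "no Hello sent: OSPF is not running on the interface"
    if hello["input"] == 0:
        return ("Hellos sent but none received: check link-layer connectivity and whether "
                "the link forwards multicast (OSPF Hellos are sent to 224.0.0.5)")
    if dd["input"] == 0 and dd["output"] == 0:
        return ("Hellos flow both ways but no DD exchange: neighbour stuck before ExStart "
                "(own router ID missing from the received Hello, or no DR because both "
                "DR priorities are 0)")
    if lsu["input"] == 0 and lsu["output"] == 0:
        return ("DD packets exchanged but no LSUs: check MTU consistency "
                "(ospf mtu-enable) for an ExStart/Exchange loop")
    return "adjacency traffic looks normal"


if __name__ == "__main__":
    print(parse_io_statistics(SAMPLE))
    print(diagnose(SAMPLE))
```

Run against the slide's figures the diagnosis is "Hellos sent but none received"; the same parser applied to a second capture a minute later also shows whether the Output counter is still rising, which rules out a stopped OSPF process.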

• Run the display ospf [ process-id ] interface command on the two ends of the link to view the DR priorities of the OSPF interfaces.

• On a broadcast or NBMA network, a DR can be elected only when the DR priority of at least one OSPF interface on the link is not 0. Otherwise, the two ends can only remain in 2-Way state.

• If the DR priorities of the OSPF interfaces on both ends of the link are 0, run the ospf dr-priority priority command in the view of an OSPF interface to change the DR priority of the interface to a non-zero value.

• The ospf mtu-enable command enables an interface to fill in the MTU value when sending DD packets.

• The undo ospf mtu-enable command restores the default setting. By default, the MTU value is 0 when the interface sends DD packets. That is, the actual MTU value of the interface is not filled in.

• Usage Scenario

  • The default MTU value in the DD packet is 0. Using this command, you can manually configure an interface to fill in the MTU value (the actual MTU value) when the interface sends DD packets.

  • As different vendors may adopt different default MTU values, to keep consistency, you can configure an interface to use the default value 0 when the interface sends DD packets.

• Precautions

  • OSPF does not support the preceding configuration on a null interface.

  • After the ospf mtu-enable command is configured, the system automatically restarts the OSPF process.

• The reset ospf process command restarts the OSPF process.

• When OSPF connections are reset, OSPF neighbor relationships are interrupted and the original information cannot be restored. Exercise caution when running this command.

• Check whether the interfaces on the two ends of a link are on the same network segment.

  • The interfaces on a broadcast or NBMA network must be on the same network segment. Devices on the two ends of the link can ping each other. The area ID and area type (NSSA, stub, or normal area) of the interfaces must be the same.

• Check whether the router ID of each router is unique.

  • The router ID of each router on one network segment must be different from one another. Otherwise, route flapping occurs unexpectedly.

• Check whether the OSPF areas on the two ends of the link are the same.

  • If not, change the OSPF areas on the two ends of the link to the same area. If so, go to the next step.

• Check whether other OSPF configurations on the two ends of the link are the same.

  • Run the display ospf error command once every 10 seconds for 5 minutes.

  • If the count of the Bad authentication type field continuously increases, the OSPF authentication types on the two ends are different. Run the area-authentication-mode command to configure the same authentication type on the two ends.

  • If the count of the Hello timer mismatch field continuously increases, the Hello timers on the two ends are different. Check the interface configurations on the two ends and run the ospf timer hello command to set the same Hello timer on the interfaces.

  • If the count of the Dead timer mismatch field continuously increases, the Dead timers on the two ends are different. Check the interface configurations on the two ends and run the ospf timer dead command to set the same Dead timer on the interfaces.

  • If the count of the Extern option mismatch field continuously increases, the area types on the two ends are different (one is a normal area; the other is a stub or NSSA area). Set the same area type on the two ends. (The stub command configures the stub area type, and the nssa command configures the NSSA area type.)
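The "run display ospf error every 10 seconds and watch which counter keeps climbing" procedure is easy to get wrong by eye, because several counters are non-zero from old events. The following Python is an added example (not from the course or Huawei): it parses a sequence of display ospf error snapshots, keeps only the counters that strictly increase from every snapshot to the next, and maps the four fields named above to the remedy the slide gives. The snapshot text is constructed from a template modelled on the two-column VRP layout; the figures and the subset of fields shown are assumptions.

```python
import re

# Template modelled on the VRP "display ospf error" layout (count : description, two
# columns). The figures are constructed and only a handful of the real fields appear.
TEMPLATE = """\
          OSPF Process 1 with Router ID 1.1.1.1
                  OSPF error statistics

 General packet errors:
 0        : IP: received my own packet     {bad_packet:<8} : Bad packet
 0        : Bad area id                    {bad_auth_type:<8} : Bad authentication type
 0        : Bad authentication key         0        : Packet too small

 HELLO packet errors:
 0        : Netmask mismatch               {hello_mismatch:<8} : Hello timer mismatch
 0        : Dead timer mismatch            0        : Extern option mismatch
"""

# "<count> : <description>" repeated across the line; the description ends where the next
# counter column begins (two or more spaces followed by digits and a colon) or at end of line.
FIELD = re.compile(r"(\d+)\s*:\s*(.+?)(?=\s{2,}\d+\s*:|\s*$)")

REMEDIES = {
    "Bad authentication type": "authentication types differ: run area-authentication-mode "
                               "with the same type on both ends",
    "Hello timer mismatch": "Hello timers differ: run ospf timer hello with the same value "
                            "on both interfaces",
    "Dead timer mismatch": "Dead timers differ: run ospf timer dead with the same value "
                           "on both interfaces",
    "Extern option mismatch": "area types differ (normal vs stub/NSSA): configure the same "
                              "stub or nssa setting on both ends",
}


def make_snapshot(bad_auth_type, bad_packet=0, hello_mismatch=0):
    """Build one constructed snapshot of the command output."""
    return TEMPLATE.format(bad_auth_type=bad_auth_type, bad_packet=bad_packet,
                           hello_mismatch=hello_mismatch)


def parse_errors(text):
    """Return {field name: count} for every counter found in the output."""
    counters = {}
    for line in text.splitlines():
        for count, name in FIELD.findall(line):
            counters[name.strip()] = int(count)
    return counters


def rising_counters(snapshots):
    """Fields whose count strictly increases from every snapshot to the next."""
    parsed = [parse_errors(s) for s in snapshots]
    rising = {}
    for name in parsed[0]:
        series = [p.get(name, 0) for p in parsed]
        if len(series) > 1 and all(b > a for a, b in zip(series, series[1:])):
            rising[name] = series
    return rising


def diagnose(snapshots):
    """Map each continuously rising counter to the corrective action from the course."""
    return {name: REMEDIES.get(name, "counter rising: see the product documentation")
            for name in rising_counters(snapshots)}


if __name__ == "__main__":
    snaps = [make_snapshot(12, bad_packet=5), make_snapshot(18, bad_packet=5),
             make_snapshot(24, bad_packet=6), make_snapshot(30, bad_packet=6)]
    print(diagnose(snaps))
```

Bad packet rises once and then stalls, so it is not reported; only Bad authentication type, which climbs on every sample, survives the filter. In practice the snapshots come from the same command run on a schedule (the slide's 10-second interval) and are fed to diagnose() once the window has elapsed.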

• Remember that these key parameters may be incorrectly configured, which is the most common OSPF configuration error.

• The ospf mtu-enable command enables an interface to fill in the MTU value when sending DD packets. By default, the MTU value is 0 when the interface sends DD packets. That is, the actual MTU value of the interface is not filled in.

• The basic principle of OSPF authentication is as follows:

  • If an interface is configured with authentication, use the authentication mode on the interface.

  • If the interface is configured with the null authentication mode, the interface is not authenticated.

  • If the interface is not configured with authentication (null does not mean no authentication configuration), use the authentication mode in the area.

  • If the area is not configured with authentication, no authentication is required.
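The checklist on the preceding slides (same segment, unique router ID, same area and area type, matching timers, matching authentication, a non-zero DR priority somewhere, consistent MTU when ospf mtu-enable is used) and the authentication precedence just described can be turned into a single pre-check that is run on the two ends' settings before touching the routers. The following Python is an added example, not Huawei's code: the OspfEnd model, its field names and the mapping to the state the neighbor would be stuck in are assumptions drawn from the course text; the MTU rule is simplified to "values differ while either end fills in the MTU".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class OspfEnd:
    """OSPF settings of one end of a link (a constructed model, not VRP's data structures)."""
    router_id: str
    ip: str                          # interface address with prefix length, e.g. "10.0.12.1/24"
    area: str
    area_type: str = "normal"        # normal | stub | nssa
    hello: int = 10
    dead: int = 40
    dr_priority: int = 1
    network_type: str = "broadcast"  # broadcast | nbma | p2p
    mtu: int = 1500
    mtu_enable: bool = False         # ospf mtu-enable configured on the interface
    if_auth: Optional[str] = None    # interface mode: None = not configured, "null", "simple", "md5"
    area_auth: Optional[str] = None  # area authentication mode, None = not configured


def effective_auth(end):
    """Authentication actually applied, following the precedence given in the course:
    interface setting first ("null" = explicitly none), then the area setting, else none."""
    if end.if_auth is not None:
        return "none" if end.if_auth == "null" else end.if_auth
    if end.area_auth is not None:
        return end.area_auth
    return "none"


def check_pair(a, b):
    """Compare the two ends; return [(state the neighbor would be stuck in, finding)]."""
    findings = []
    multi_access = a.network_type in ("broadcast", "nbma")
    if a.router_id == b.router_id:
        findings.append(("no neighbor", "duplicate router ID: change it with ospf router-id, "
                                        "then reset ospf process"))
    if multi_access and ipaddress.ip_interface(a.ip).network != ipaddress.ip_interface(b.ip).network:
        findings.append(("no neighbor", "interfaces are not on the same network segment"))
    if a.area != b.area:
        findings.append(("no neighbor", "area ID mismatch"))
    if a.area_type != b.area_type:
        findings.append(("no neighbor", "Extern option mismatch: area types differ (stub/nssa/normal)"))
    if a.hello != b.hello:
        findings.append(("no neighbor", "Hello timer mismatch: align with ospf timer hello"))
    if a.dead != b.dead:
        findings.append(("no neighbor", "Dead timer mismatch: align with ospf timer dead"))
    if effective_auth(a) != effective_auth(b):
        findings.append(("no neighbor", f"Bad authentication type: {effective_auth(a)} vs "
                                        f"{effective_auth(b)}"))
    if multi_access and a.dr_priority == 0 and b.dr_priority == 0:
        findings.append(("2-Way", "both DR priorities are 0 so no DR can be elected: "
                                  "set ospf dr-priority on one end"))
    if (a.mtu_enable or b.mtu_enable) and a.mtu != b.mtu:
        findings.append(("ExStart", "MTU carried in DD packets differs: align the MTU or "
                                    "disable ospf mtu-enable"))
    return findings


if __name__ == "__main__":
    rta = OspfEnd(router_id="1.1.1.1", ip="10.0.12.1/24", area="0.0.0.0", if_auth="md5")
    rtb = OspfEnd(router_id="2.2.2.2", ip="10.0.12.2/24", area="0.0.0.0",
                  if_auth="null", area_auth="md5", dr_priority=0)
    for state, finding in check_pair(rta, rtb):
        print(f"[{state}] {finding}")
```

The authentication example in the main block is the trap the slide warns about: RTB has md5 on the area, but null on the interface wins, so the effective modes are md5 versus none and the counters on the previous slide would show Bad authentication type rising.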

• After learning how to locate the OSPF neighbor relationship setup fault, think about the possible situations when the neighbor state is ExStart.

• On RTA, ping RTB using 1500-byte packets.

• The ping command is the most commonly used commissioning tool for testing network device reachability. You can specify multiple parameters when running the ping command to improve query efficiency. For example, to test the MTU value on a link, specify the -s and -f parameters to test the largest MTU value on the intermediate links.
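A single 1500-byte ping only answers yes or no; the largest size that still gets through is found by repeating the don't-fragment ping at sizes chosen by binary search. The following Python is an added example (not from the course or Huawei). find_path_mtu() is the search; make_link_probe() is a constructed simulation used for the test, and os_ping_probe() shows the same probe built on the Linux iputils ping, where the VRP -f option's role (do not fragment) is taken by -M do and -f would mean something else entirely.

```python
import subprocess


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest IP packet size that probe(size) accepts.
    probe(size) -> bool must be monotone (if a size fits, every smaller size fits).
    Returns None if even lo does not get through."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def make_link_probe(link_mtus, sent=None):
    """Simulated probe (constructed): a don't-fragment packet gets through only if it fits
    every link on the path, so the answer is the smallest link MTU. Sizes tried are
    appended to `sent` when a list is given."""
    path_mtu = min(link_mtus)

    def probe(size):
        if sent is not None:
            sent.append(size)
        return size <= path_mtu
    return probe


def os_ping_probe(host):
    """Real probe on Linux iputils ping: -M do sets the DF bit, -s is the ICMP payload size.
    Assumes ping is installed and host answers ICMP; not exercised by the test."""
    def probe(size):
        payload = size - 28  # 20-byte IPv4 header + 8-byte ICMP header
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


if __name__ == "__main__":
    tried = []
    mtu = find_path_mtu(make_link_probe([1500, 1400, 1500], tried))
    print("path MTU", mtu, "found after", len(tried), "probes:", tried)
```

The search needs at most eleven probes for the 576 to 1500 range, so it is quick enough to run on both ends of an ExStart-stuck adjacency and compare the results with the interface MTUs the DD packets carry.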

• The display this command displays the running configuration in the current view.

• You can specify multiple parameters when running the display interface command to improve query efficiency.

• When the neighbor status cannot be displayed, proceed as follows:

  1. Check the interface status to ensure that the link is normal.

  2. Check whether the two ends of the link have the same OSPF configurations, including the router ID, area ID, and other OSPF configurations.

• The interfaces on a broadcast or NBMA network must be on the same network segment. Devices on the two ends of the link can ping each other. The area ID and area type (NSSA, stub, or normal area) of the interfaces must be the same.

• Each router ID in an OSPF process must be unique. Otherwise, devices on the two ends cannot set up OSPF neighbor relationships and routing information is incorrect.

• If the two devices have the same OSPF process router ID, run the ospf [ process-id ] router-id router-id command in the system view to change the OSPF process router ID and ensure that the two devices have different OSPF process router IDs.

• Run the reset ospf [ process-id ] process command in the user view to make the new router ID take effect.

• Note: When OSPF connections are reset, all OSPF neighbor relationships are re-established and services are interrupted.

• Question: What other commands can be used to display the router ID?

• Refer to the table on page 19 to check the parameter settings and locate the fault cause step by step.
Answer: AD

• A real network is complex, and multiple routers may exist between servers and users. In the preceding figure, one router and one switch are deployed between the server and the user.

• Traffic classification and marking: These are the basis of QoS. A device must first identify service flows so that it can provide differentiated services. A device can classify traffic based on the CoS field in VLAN packets, the ToS field in the IP packet header, and the EXP field in MPLS packets, and can perform fine-grained classification based on ACLs.

• Traffic policing and shaping: Traffic policing limits the rate. CAR technology is often used.

• Congestion management: When the rate of each flow is limited and the total egress traffic still exceeds the bandwidth of the outbound interface, congestion management needs to be performed. Usually, the following queue scheduling mechanisms are used: FIFO, PQ, WFQ, WRR, DRR, and CBQ.

• Congestion avoidance: Congestion avoidance is required when services are extremely congested. Congestion avoidance discards some packets in advance, preventing queues from being fully occupied.

• The maximum bandwidth (BWmax) is the minimum bandwidth on the data transmission path.

• The E2E delay is the sum of all transmission delays, processing delays, and queuing delays.

• Jitter occurs because the E2E delay of each packet is different.

• Common QoS faults are as follows:

  • Users are disconnected when making calls, and voice services are interrupted.

  • Pixelation occurs in videos.

  • Internet access drops.

  • The file download speed is unstable.

• QoS troubleshooting roadmap:

  • Check the modules one by one.

• The common causes of an ineffective traffic policy are as follows:

  • The packets do not match the rules of the traffic classifier in the traffic policy.

  • The traffic behavior associated with the traffic classifier in the traffic policy is configured incorrectly.

  • The traffic policy is applied to an incorrect object.

  • The traffic policy conflicts with another applied traffic policy, and the packets match rules in that other traffic policy.

• If the traffic is not matched on the interface, further check the configuration.

• Generally, various methods are used to identify traffic. If an ACL is used to match traffic, run the display acl command to check the ACL information. Alternatively, run the display current-configuration command to check the configuration.

• The common causes are as follows:

  • qos car inbound is not configured.

  • The CAR parameters are incorrect.

• To control inbound services, specify inbound. To control outbound services, specify outbound.

• The qos car inbound command applies the QoS CAR profile to the inbound direction to police incoming traffic.

• The common causes of ineffective congestion avoidance are as follows:

  • The interface or queue is not configured with WRED.

  • Packets are not colored by using priority mapping, CAR, or remark local-precedence.

  • The parameters corresponding to the packet colors are not configured in the WRED drop profile.

• Configuration of the WRED drop profile wred1:

<HUAWEI> system-view
[HUAWEI] drop-profile wred1
[HUAWEI-drop-wred1] color green low-limit 80 high-limit 100 discard-percentage 10
[HUAWEI-drop-wred1] color yellow low-limit 60 high-limit 80 discard-percentage 20
[HUAWEI-drop-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[HUAWEI-drop-wred1] quit
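The two slides above fit together: CAR (the qos car slide) colors packets, and the WRED profile wred1 decides per color how aggressively to drop as the queue fills; if one stage is missing, the other is ineffective. The following Python is an added example, not Huawei's implementation: SingleRateMarker is a constructed single-rate three-color marker standing in for CAR coloring (its CIR/CBS/EBS values in the test are assumptions), and drop_probability() applies the wred1 thresholds exactly as configured, treating a color with no profile entry as "WRED does nothing for it", which is the third cause listed above.

```python
from dataclasses import dataclass

# drop-profile wred1 from the course: colour -> (low-limit %, high-limit %, discard-percentage)
WRED1 = {
    "green": (80, 100, 10),
    "yellow": (60, 80, 20),
    "red": (40, 60, 40),
}


@dataclass
class SingleRateMarker:
    """Single-rate three-colour marker (RFC 2697 style), a constructed model of CAR
    colouring: cir in bytes per second, cbs/ebs in bytes. Timestamps must not go backwards."""
    cir: int
    cbs: int
    ebs: int

    def __post_init__(self):
        self.tc = self.cbs   # committed bucket starts full
        self.te = self.ebs   # excess bucket starts full
        self.last = 0.0

    def color(self, size, now):
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self.tc += int((now - self.last) * self.cir)
        self.last = now
        if self.tc > self.cbs:                  # overflow of the C bucket feeds the E bucket
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = self.cbs
        if size <= self.tc:
            self.tc -= size
            return "green"
        if size <= self.te:
            self.te -= size
            return "yellow"
        return "red"


def drop_probability(profile, color, queue_pct):
    """WRED drop probability for a packet of `color` when the average queue length is
    queue_pct percent of the queue. Returns None when the profile has no parameters for
    that colour (the profile is then ineffective for it, as the course notes)."""
    if color not in profile:
        return None
    low, high, max_pct = profile[color]
    if queue_pct < low:
        return 0.0
    if queue_pct >= high:
        return 1.0   # above high-limit every packet of this colour is dropped
    return max_pct / 100 * (queue_pct - low) / (high - low)


def wred_decision(profile, color, queue_pct, draw):
    """draw is a uniform random number in [0, 1); True means the packet is dropped."""
    p = drop_probability(profile, color, queue_pct)
    return p is not None and draw < p


if __name__ == "__main__":
    marker = SingleRateMarker(cir=1000, cbs=1000, ebs=500)
    for size in (600, 300, 300, 300):
        c = marker.color(size, 0.0)
        print(size, c, "drop prob at 70% queue:", drop_probability(WRED1, c, 70))
```

With wred1, red packets start being dropped when the queue is 40 percent full and are dropped outright above 60 percent, while green traffic is untouched until 80 percent; a CAR stage that never produces yellow or red leaves WRED with nothing to discriminate on.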

• The common causes are as follows:

  • The queue scheduling mode is configured incorrectly.

  • The weight ratio between WRR queues is greater than 50:1.

  • Packets enter incorrect queues.

• Check the statistics on each queue of the interface. After the preceding command is executed, the statistics on eight queues are displayed. Here, only the statistics on queue 1 are provided.

• According to the preceding command output, the statistics include the bandwidth and the numbers of received and sent packets.

• Check whether packets enter the correct queues based on the queue statistics.

• You can also visit http://support.huawei.com/enterprise/ to obtain technical support.

• Here, the traffic classification is incorrect. This example uses only the action used to identify services. There is no subsequent QoS action.

• First check the traffic policy that is applied to the interface, and then check the detailed configuration of the traffic policy.

• The traffic policy tp1 is applied to the interface and is bound to two traffic classifiers: tc1 and tc2.

• Further check the services matching the two traffic classifiers.

• The possible causes of ineffective congestion management are as follows:

  • Packets cannot enter the correct queues. As a result, low-priority packets are forwarded, but high-priority packets of voice services are discarded.

  • The queue scheduling mode and weight are configured incorrectly.

• The preceding command output shows that the three services enter queues 2, 3, and 4, respectively.

• Each physical interface has eight queues. If queues use PQ and WRR, packets in the PQ queues are scheduled first, and then packets in the WRR queues are scheduled based on their weights.

• According to the preceding configuration:

  • AF1 to AF4 use WRR scheduling.

  • The weights of AF1 to AF4 are 10, 20, 30, and 40 respectively.

  • The four queues share the bandwidth based on their weights. When the data service is busy, the voice service may be congested.

  • Solution: Place voice services in a PQ queue so that voice services are scheduled first.
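The effect of the fix above (voice in a PQ queue instead of a WRR queue) is easy to see with a small scheduler model. The following Python is an added example, not Huawei's scheduler: it runs a PQ-then-WRR round with the AF1 to AF4 weights 10, 20, 30 and 40 from the slide, against a constructed offered load of 120 packets per round on a 100-packet interface. Voice is assumed to sit in AF1 in the faulty configuration; that placement, the per-round tail-drop of leftovers and the proportional quota are simplifications.

```python
from dataclasses import dataclass


@dataclass
class Queue:
    name: str
    mode: str          # "pq" (strict priority) or "wrr"
    weight: int = 0    # WRR weight; ignored for PQ queues
    arrivals: int = 0  # packets arriving per round (constructed traffic model)
    backlog: int = 0
    sent: int = 0
    dropped: int = 0


def schedule_round(queues, capacity):
    """One round of the interface scheduler: PQ queues are drained first, the remaining
    capacity is shared among WRR queues in proportion to their weights. Whatever is left
    in a queue at the end of the round is tail-dropped (simplified model)."""
    remaining = capacity
    for q in queues:
        q.backlog += q.arrivals
    for q in queues:
        if q.mode == "pq":
            n = min(q.backlog, remaining)
            q.sent += n
            q.backlog -= n
            remaining -= n
    wrr = [q for q in queues if q.mode == "wrr"]
    total_weight = sum(q.weight for q in wrr) or 1
    for q in wrr:
        quota = remaining * q.weight // total_weight
        n = min(q.backlog, quota)
        q.sent += n
        q.backlog -= n
    for q in queues:
        q.dropped += q.backlog
        q.backlog = 0


def simulate(voice_in_pq, rounds=10, capacity=100):
    """Offered load is 120 packets per round against 100 of capacity (constructed), so the
    interface is congested. Returns {queue name: (sent, dropped)}."""
    if voice_in_pq:
        voice = Queue("voice", "pq", arrivals=30)             # EF: strict priority
    else:
        voice = Queue("voice", "wrr", weight=10, arrivals=30)  # AF1 with weight 10 (faulty)
    queues = [
        voice,
        Queue("web", "wrr", weight=20, arrivals=20),    # AF2
        Queue("video", "wrr", weight=30, arrivals=30),  # AF3
        Queue("bulk", "wrr", weight=40, arrivals=40),   # AF4
    ]
    for _ in range(rounds):
        schedule_round(queues, capacity)
    return {q.name: (q.sent, q.dropped) for q in queues}


if __name__ == "__main__":
    print("voice in AF1 (WRR weight 10):", simulate(False))
    print("voice in PQ:                 ", simulate(True))
```

With voice in AF1 the bulk data queue is served in full while two thirds of the voice packets are dropped, which is the "data busy, voice congested" symptom on the slide; moving voice to PQ delivers every voice packet and pushes the loss onto the elastic queues instead.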
D

• STAs can access wireless networks after CAPWAP tunnels are established. STA access includes three phases: scanning, link authentication, and association.

• STAs can access wireless networks using IPv4 or IPv6. IPv4 is used preferentially.

• Scanning: A STA can actively or passively scan wireless networks.

  • Active scanning: A STA periodically searches for surrounding wireless networks. A STA can send two types of Probe Request frames: one containing an SSID and one containing no SSID. Therefore, active scanning can be classified into two types:

    • A STA sends a Probe Request frame containing a specified SSID: The STA sends a Probe Request frame containing the SSID in each channel to discover the AP with the same SSID. Only an AP with the same SSID responds to the STA after receiving the Probe Request. For example, the STA sends a Probe Request frame containing the SSID huawei to discover an AP with the SSID huawei. This method is applicable to the scenario where a STA actively scans wireless networks to access a specified wireless network.

    • A STA periodically broadcasts a Probe Request frame: The STA periodically broadcasts a Probe Request frame on the supported channels to scan wireless networks. After APs receive the Probe Request frame, they return Probe Response frames to notify the STA of the wireless services they can provide. This method is applicable to the scenario where a STA actively scans wireless networks to determine whether wireless services are available.

  • Passive scanning: A STA listens for the Beacon frames that an AP periodically sends on each channel to obtain the AP information. The Beacon frame contains the SSID and supported rates. To save power on a STA, enable the STA to passively scan wireless networks. In most cases, VoIP terminals passively scan wireless networks.

• Link authentication: To ensure wireless link security, an AP needs to authenticate STAs that attempt to access the AP. IEEE 802.11 defines two authentication modes: open system authentication and shared key authentication.

  • Open system authentication: indicates no authentication, allowing any STA to be authenticated.

  • Shared key authentication: requires that a STA and an AP have the same shared key preconfigured. The AP checks whether the STA has the same shared key. If the STA has the same shared key as the AP, the STA is authenticated. Otherwise, the STA fails the authentication.

• Association: STA association refers to link service negotiation. After link authentication is complete, a STA initiates link service negotiation using Association packets.

  • The STA sends an Association Request packet to the AP. The Association Request packet carries the STA's parameters and the parameters that the STA selects based on the service configuration, including the transmission rate, channels, QoS capabilities, access authentication algorithm, and encryption algorithm.

  • The AP receives the Association Request packet, encapsulates it into a CAPWAP packet, and sends the CAPWAP packet to the AC.

  • The AC determines whether to authenticate the STA and replies with an Association Response packet.

  • The AP decapsulates the received Association Response packet and sends the decapsulated Association Response packet to the STA.

• Note: The STA determines whether it needs to be authenticated based on the received Association Response packet:

  • If the STA does not need to be authenticated, the STA can access the wireless network.

  • If the STA needs to be authenticated, the STA initiates user access authentication. After being authenticated, the STA can access the wireless network.
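The three phases above, with the AP in the middle forwarding the Association Request to the AC over CAPWAP, are shown below as both sides of the exchange. This Python is an added example, not Huawei's AC or AP software: the Vap/Ap/Ac classes, the message tuples and the demo SSIDs and key are assumptions, and shared key authentication is reduced to a constant-time comparison of the preconfigured key rather than the full challenge exchange.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Vap:
    """A VAP as configured on the AC (constructed): SSID, 802.11 link-authentication mode
    and whether the AC requires user access authentication after association."""
    ssid: str
    auth_mode: str                  # "open" or "shared-key"
    shared_key: bytes = b""
    user_auth_required: bool = False


class Ac:
    def __init__(self, vaps):
        self.vaps = {v.ssid: v for v in vaps}

    def handle_capwap(self, msg):
        """Association Request forwarded by the AP inside CAPWAP; the AC decides."""
        vap = self.vaps.get(msg["ssid"])
        if vap is None:
            return {"type": "AssocResponse", "status": "fail", "user_auth_required": None}
        return {"type": "AssocResponse", "status": "success",
                "user_auth_required": vap.user_auth_required}


@dataclass
class Ap:
    vaps: list
    ac: Ac
    authenticated: set = field(default_factory=set)
    associated: set = field(default_factory=set)

    def _vap(self, ssid):
        return next((v for v in self.vaps if v.ssid == ssid), None)

    def probe_request(self, ssid=None):
        """Scanning phase. A directed probe (ssid given) is answered only by the VAP with
        that SSID; a broadcast probe (ssid None) is answered by every VAP on the AP."""
        return [("ProbeResponse", v.ssid) for v in self.vaps if ssid is None or v.ssid == ssid]

    def authenticate(self, sta_mac, ssid, key=None):
        """Link authentication. Open system accepts any STA; shared key requires the same
        preconfigured key (modelled as a constant-time compare, not the WEP challenge)."""
        vap = self._vap(ssid)
        if vap is None:
            return ("AuthResponse", "fail", "unknown SSID")
        ok = vap.auth_mode == "open" or (
            vap.auth_mode == "shared-key" and key is not None
            and hmac.compare_digest(vap.shared_key, key))
        if ok:
            self.authenticated.add((sta_mac, ssid))
            return ("AuthResponse", "success", None)
        return ("AuthResponse", "fail", "shared key mismatch")

    def associate(self, sta_mac, ssid):
        """Association: the AP wraps the request in CAPWAP, the AC answers, the AP unwraps."""
        if (sta_mac, ssid) not in self.authenticated:
            return ("AssocResponse", "fail", None)
        capwap = {"type": "AssocRequest", "sta": sta_mac, "ssid": ssid}
        resp = self.ac.handle_capwap(capwap)
        if resp["status"] == "success":
            self.associated.add((sta_mac, ssid))
        return ("AssocResponse", resp["status"], resp["user_auth_required"])


def sta_access(ap, sta_mac, ssid, key=None):
    """Run the three phases from the STA's point of view and report the outcome."""
    if not ap.probe_request(ssid):
        return "no such network"
    if ap.authenticate(sta_mac, ssid, key)[1] != "success":
        return "link authentication failed"
    _, status, user_auth = ap.associate(sta_mac, ssid)
    if status != "success":
        return "association failed"
    return "user access authentication required" if user_auth else "associated, network access granted"


def build_demo():
    """Constructed AC/AP pair with an open VAP and a shared-key VAP that also needs user auth."""
    vaps = [Vap("huawei", "open"),
            Vap("corp", "shared-key", shared_key=b"constructed-demo-key", user_auth_required=True)]
    return Ap(vaps, Ac(vaps))


if __name__ == "__main__":
    ap = build_demo()
    print(sta_access(ap, "00:11:22:33:44:55", "huawei"))
    print(sta_access(ap, "00:11:22:33:44:66", "corp", key=b"constructed-demo-key"))
```

The Note on the slide corresponds to the last line of sta_access(): the Association Response carries the AC's decision, so an open-system VAP can still end in "user access authentication required" when the AC says so.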

• Check STA status: Check whether the wireless service is enabled on the STA and whether the wireless network adapter of the STA is working properly.

• Check AP status: Check whether an antenna is installed on the AP and whether the AP is working properly.

• Check AP configuration: Check whether a VAP is created on the AC6605, whether the radio interface is enabled on the AP, and the radio signal power configured for the AP on the AC6605.

• Check whether the wireless service is enabled on the STA.

  • If the wireless service is not enabled, enable it.

• Check whether the wireless network adapter of the STA is working properly.

  • Update the wireless network adapter driver to check whether the STA can discover radio signals.

    • If the STA can discover radio signals, the original wireless network adapter driver of the STA is faulty. Update the driver.

  • Use another wireless network adapter to check whether the STA can discover radio signals.

    • If the STA can discover radio signals, the original wireless network adapter of the STA is faulty. Replace it with a new wireless network adapter.

• Check whether an antenna is installed on the AP.

  • Check whether an antenna is installed on the AP. If no antenna is installed, install an antenna on the AP.

• Check whether the AP is working properly.

  • Run the display ap id ap-id command on the AC6605 to check the State field.

    • If the State field is displayed as fault, the AP is faulty. Restart the AP. If the AP cannot change to the normal state after it is restarted, restart the AC6605. If the AP still cannot change to the normal state, replace it with a new AP. If the new AP still cannot change to the normal state, replace the network cable.

    • If the State field is displayed as normal, the AP is working properly. Go to the next step.

• Check whether a VAP is created on the AC6605.

  • Run the display vap { all | ap ap-id | service-set { id service-set-id | name service-set-name } } command to check the VAP information on the radio.

    • If Error: VAP does not exist is displayed, no VAP is created. Run the radio-profile command to bind a radio profile to the specified radio, and then run the service-set command to bind a service set to the specified radio to create a VAP.

    • If VAP information is displayed, a VAP has been created. Go to the next step.

• Check whether SSID hiding is enabled in the VAP.

  • Run the display service-set command on the AC6605 to check whether SSID hiding is enabled in the VAP.

    • If the Hide SSID field is displayed as enable, SSID hiding has been enabled in the VAP. Run the undo ssid-hide command to disable SSID hiding.

    • If the Hide SSID field is displayed as disable, SSID hiding is disabled in the VAP. Go to the next step.

• Check whether the radio interface is enabled on the AP.

  • Run the display radio config command to check the radio interface status.

    • If the Administrate status field is displayed as disable, the radio interface is disabled. Run the radio enable command to enable the radio interface.

    • If the Administrate status field is displayed as enable, the radio interface has been enabled. Go to the next step.

• Check the radio signal power configured for the AP on the AC6605.

  • Run the display actual channel-power command on the AC6605 to check the actual channel and power of a specified radio.

• Note:

  • The POWER-LEVEL field specifies the actual transmit power level of a radio. The value of this field ranges from 0 to 15. Level 0 indicates the maximum power. Level 1 is 1 dBm less than level 0; level 2 is 2 dBm less than level 0; and so on. A higher power level indicates a lower power. The maximum value displayed is 12. When the transmit power level is set to 12, 13, 14, or 15, the POWER-LEVEL field is always displayed as 12.

  • If the POWER-LEVEL field is displayed as 12 or a value close to 12, the STA is unable to discover radio signals because the actual transmit power of the radio is too low. Run the power-level command to set a lower transmit power level for the radio.

• STA/AP antenna: Check whether the wireless network adapter of the STA is working properly and whether an antenna is installed on the AP.

• Channel conflict: Check whether a channel conflict occurs.

• AP signal power: Check the radio signal power configured for the AP on the AC6605.

• Signal interference: Check whether other wireless devices exist in the environment.

• Check whether the wireless network adapter of the STA is working properly.

  • Use another wireless network adapter to check whether WLAN users are still disconnected unexpectedly and frequently.

    • If no WLAN user is disconnected unexpectedly, the original wireless network adapter of the STA is faulty. Replace it with a new wireless network adapter.

    • If WLAN users are still logged out frequently, go to the next step.

• Check whether an antenna is installed on the AP.

  • Check whether an antenna is installed on the AP.

    • If no antenna is installed, install an antenna on the AP.

    • If an antenna has been installed, go to the next step.

• Check whether a channel conflict occurs.

  • Use the inSSIDer software to check whether a channel conflict occurs. If many radio signals are transmitted over channel 11 but no radio signal is transmitted over channel 1, run the channel command to change the AP radio channel from channel 11 to channel 1. If the fault persists, go to the next step.

• Check the radio signal power configured for the AP on the AC6605.

  • Run the display actual channel-power command on the AC6605 to check the actual channel and power of a specified radio.

    • If the POWER-LEVEL field is displayed as 12 or a value greater than 12, the STA is unable to discover radio signals because the actual transmit power of the radio is too low. Run the power-level command to set a lower transmit power level for the radio.

    • If the POWER-LEVEL field is displayed as 0 or a value close to 0, the actual transmit power of the radio is within the specified range. Go to the next step.

  • The POWER-LEVEL field specifies the actual transmit power level of a radio. The value of this field ranges from 0 to 15. Level 0 indicates the maximum power. Level 1 is 1 dBm less than level 0; level 2 is 2 dBm less than level 0; and so on. A higher power level indicates a lower power. The maximum value is 12. When the transmit power level is set to 12, 13, 14, or 15, the POWER-LEVEL field is always displayed as 12.

• Check whether other wireless devices exist in the environment.

  • Check whether other wireless devices exist in the environment, for example, a working microwave oven. Other wireless devices interfere with the radio signals from the AP, causing WLAN users to be disconnected unexpectedly and frequently.

  • If other wireless devices exist, turn off these devices and connect the WLAN users to the AP again.

• When an AP and a STA both support the 5 GHz and 2.4 GHz frequency bands, the AP can request the STA to associate with the 5 GHz radio first.

• Most STAs support both the 5 GHz and 2.4 GHz frequency bands, and they usually associate with the 2.4 GHz radio by default when connecting to the Internet. To connect to the 5 GHz radio, users must manually select the 5 GHz radio. When the 2.4 GHz frequency band has many users or severe interference, the 5 GHz frequency band can provide better access service for wireless users. The 5G-prior access function enables STAs to preferentially associate with the 5 GHz radio.

• 5G-prior access is implemented as follows:

  • As shown in the figure, when the AP receives a Probe Request frame from the STA, it checks which radio received the Probe Request frame. If the Probe Request frame is received by the 2.4 GHz radio, the AP does not return a Probe Response frame. If the Probe Request frame is received by the 5 GHz radio, the AP returns a Probe Response frame. The STA then associates with the 5 GHz radio.

  • If only the 2.4 GHz radio receives Probe Request frames, and it has received 25 of them while the 5 GHz radio has not received any, the AP returns a Probe Response frame through the 2.4 GHz radio. The STA can then access the 2.4 GHz radio.

• In a complex signal environment, users are advised to use the 5G-prior access function to avoid signal interference, greatly improving user experience.
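The Probe Response decision described above is a small per-STA state machine: answer on 5 GHz immediately, stay silent on 2.4 GHz until the STA has sent 25 requests there without ever probing on 5 GHz. The following Python is an added example, not Huawei's AP firmware; the class, its keying by STA MAC address and the handling of a STA that probes on both bands are assumptions built on the two rules the slide gives.

```python
from collections import defaultdict


class FiveGPriorAp:
    """Probe Response decision of a dual-band AP with 5G-prior access enabled; a constructed
    model of the behaviour described above, keyed by STA MAC address."""
    THRESHOLD = 25   # 2.4 GHz-only Probe Requests tolerated before answering on 2.4 GHz

    def __init__(self):
        self.probes = defaultdict(lambda: {"2.4": 0, "5": 0})

    def on_probe_request(self, sta_mac, band):
        """Return True when the AP answers the Probe Request on the radio that received it."""
        if band not in ("2.4", "5"):
            raise ValueError(f"unknown band {band!r}")
        counts = self.probes[sta_mac]
        counts[band] += 1
        if band == "5":
            return True   # Probe Requests on the 5 GHz radio are always answered
        # On 2.4 GHz stay silent to steer the STA, unless it has only ever probed on
        # 2.4 GHz and has now done so THRESHOLD times (a single-band client).
        return counts["5"] == 0 and counts["2.4"] >= self.THRESHOLD


def first_response(ap, sta_mac, probe_bands):
    """Feed a STA's probe sequence to the AP; return (index, band) of the first answered
    probe, or None if the AP stayed silent throughout."""
    for i, band in enumerate(probe_bands):
        if ap.on_probe_request(sta_mac, band):
            return i, band
    return None


if __name__ == "__main__":
    ap = FiveGPriorAp()
    print("dual-band STA:", first_response(ap, "aa:bb:cc:00:00:01", ["2.4", "5"] * 5))
    print("2.4 GHz-only STA:", first_response(ap, "aa:bb:cc:00:00:02", ["2.4"] * 30))
```

A dual-band STA gets its answer on its first 5 GHz probe; a 2.4 GHz-only STA is answered on its 25th probe, which is the delay users of such devices will notice when 5G-prior access is enabled.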

 inSSIDer is an open source Wi-Fi signal scanning tool developed by MetaGeek (a spectrum analysis software developer). It is a common signal scanning tool with a simple, clear GUI that is easy to operate.
 The inSSIDer GUI shows signal strength over time, the distribution of signals and their strength across all channels, and the actual signal strength and channel bandwidth of the APs using each channel. The tool can filter AP information by frequency band, channel, signal strength, and security.
 When a large number of APs are surveyed, the tool supports GPS and can export AP locations to Google Earth.
 MAC Address: the unique identifier of a wireless network adapter. In infrastructure mode it is the MAC address (BSSID) of the AP. In point-to-point (ad hoc) mode it is a randomly generated BSSID.
 SSID: the service set identifier, which is the name of a wireless network in IEEE 802.11.
 RSSI: the received signal strength indication, in dBm.
 Vendor: the hardware vendor of the wireless AP, as displayed in the inSSIDer GUI. It is looked up from the OUI part of the MAC address, so a spoofed MAC address also changes the displayed vendor.
 Max Rate: the maximum rate supported by the AP, in Mbps. This is not the actual throughput.
 Security: the access security level of the wireless network. inSSIDer lists the security level of every scanned network, for example Open, WEP, WPA-Personal, WPA-Enterprise, WPA2-Personal, and WPA2-Enterprise. An Open network has no encryption and WEP is cryptographically broken, so both should be treated as unprotected during a survey.
 Network Type: one of the two WLAN network types, infrastructure mode or Adhoc mode (also called point-to-point mode).
 The inSSIDer filter lets users flexibly select which networks to display. Scanned wireless networks can be filtered by SSID, channel, network type, and security.
 If dozens of APs are scanned in an area, you can use the filter to show only the APs on a specified channel or with a specified SSID. The filter helps engineers obtain the information they want.
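The same kind of triage over a survey's scan records, with the fields the course lists for inSSIDer (MAC address/BSSID, SSID, RSSI, vendor, max rate, security, network type, channel) and the filters described above. This is an added example, not inSSIDer's code or export format: the record layout, the channel-to-band mapping and the sample records are constructed for the example. Beyond plain filtering it adds two checks a practitioner wants from a survey, listing Open/WEP networks and spotting BSSIDs that advertise the corporate SSID with a different security level (a cheap evil-twin indicator).

```python
"""Added example: filter and triage constructed Wi-Fi scan records.
Not inSSIDer code; record format and band mapping are this example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    bssid: str          # MAC address of the AP (random BSSID in ad hoc mode)
    ssid: str
    rssi_dbm: int       # received signal strength in dBm (closer to 0 is stronger)
    vendor: str
    max_rate_mbps: int  # advertised maximum rate, not actual throughput
    security: str       # Open, WEP, WPA-Personal, WPA-Enterprise, WPA2-Personal, WPA2-Enterprise
    network_type: str   # Infrastructure or Adhoc
    channel: int


def band_of(channel: int) -> str:
    """Assumption: channels 1-14 are 2.4 GHz, 36 and above are 5 GHz; 6 GHz not modelled."""
    if 1 <= channel <= 14:
        return "2.4GHz"
    if channel >= 36:
        return "5GHz"
    raise ValueError(f"unexpected channel {channel}")


# Security levels to flag: no encryption, or WEP, which is broken and must be treated as open.
WEAK_SECURITY = {"Open", "WEP"}


def filter_scan(records, *, ssid=None, channel=None, band=None,
                network_type=None, security=None, min_rssi_dbm=None):
    """Return the records matching every filter that is not None (same idea as the inSSIDer filter)."""
    out = []
    for r in records:
        if ssid is not None and r.ssid != ssid:
            continue
        if channel is not None and r.channel != channel:
            continue
        if band is not None and band_of(r.channel) != band:
            continue
        if network_type is not None and r.network_type != network_type:
            continue
        if security is not None and r.security != security:
            continue
        if min_rssi_dbm is not None and r.rssi_dbm < min_rssi_dbm:
            continue
        out.append(r)
    return out


def weak_networks(records):
    """Sorted BSSIDs of networks whose security level is Open or WEP."""
    return sorted(r.bssid for r in records if r.security in WEAK_SECURITY)


def ssid_security_mismatch(records, ssid: str, expected_security: str):
    """BSSIDs advertising `ssid` with a security level other than the expected one.
    A second AP broadcasting the corporate SSID as Open is a classic evil-twin sign."""
    return sorted(r.bssid for r in records
                  if r.ssid == ssid and r.security != expected_security)


# Constructed sample survey; MAC addresses, SSIDs and vendors are made up.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "Corp-WiFi", -48, "Huawei", 300, "WPA2-Enterprise", "Infrastructure", 36),
    ScanRecord("00:11:22:33:44:02", "Corp-WiFi", -55, "Huawei", 300, "WPA2-Enterprise", "Infrastructure", 1),
    ScanRecord("00:11:22:33:44:03", "Guest", -60, "Huawei", 150, "Open", "Infrastructure", 6),
    ScanRecord("aa:bb:cc:dd:ee:04", "Corp-WiFi", -71, "Unknown", 54, "Open", "Infrastructure", 11),
    ScanRecord("de:ad:be:ef:00:05", "OldPrinter", -80, "Unknown", 54, "WEP", "Adhoc", 6),
]


if __name__ == "__main__":
    for r in filter_scan(SAMPLE_SCAN, channel=6):
        print("channel 6:", r.bssid, r.ssid, r.security)
    print("weak:", weak_networks(SAMPLE_SCAN))
    print("Corp-WiFi mismatches:", ssid_security_mismatch(SAMPLE_SCAN, "Corp-WiFi", "WPA2-Enterprise"))
```

On the sample, the Open AP at aa:bb:cc:dd:ee:04 is the one to investigate: it carries the corporate SSID, reports an unknown vendor and runs without encryption.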
 Command function: the display actual channel-power command checks the actual channel and power of a specified radio.
 Command format: display actual channel-power { ap-id ap-id radio-id radio-id | all }
 Use this command to view the actual channel used by a specified radio and the power of the radio.
 The power displayed by this command is the sum of the maximum transmit power of the radio interface and the antenna gain. If MIMO is supported, the MIMO gain is also added. The maximum power displayed must comply with the laws and regulations corresponding to the country code.
 The fields in the output of display actual channel-power ap-id 1 radio-id 0 are:
   RADIO: radio ID, identified by the AP ID and the radio ID on the AP
   CHANNEL: actual channel of the radio. Before a configured channel is committed, the actual channel may differ from the configured channel.
   POWER-LEVEL: actual transmit power level of the radio. Before a configured power level is committed, the actual level may differ from the configured level.
   POWER (dBm): actual transmit power of the radio, corresponding to the power level, measured in dBm.
   CHANNEL-BANDWIDTH: bandwidth of the channel
 A country code identifies the country to which AP radios belong. Different countries permit different AP radio attributes, including transmit power and supported channels.
 When configuring country codes, consider the following two scenarios:
   If an AC manages APs that are all deployed in the same country, the country code only needs to be configured on the AC in the system view.
   If an AC manages APs deployed in different countries, the AC needs a country code configured in the system view and a country code configured in each AP region view. Configuring country codes in different AP region views lets APs in different countries comply with their local radio requirements.
 Notes:
   When configuring an AC for the first time, configure a correct country code in the system view and, where needed, in the AP region view, so that the APs comply with local laws and regulations.
   If country codes are configured in both the system view and the AP region view, the one in the AP region view takes effect. If no country code is configured in the AP region view, the one in the system view takes effect.
 Operation steps
   Run the system-view command to enter the system view.
   Run the wlan ac-global country-code country-code command to configure the global country code of the AC.
     By default, the global country code of an AC is CN.
     For details about country codes, see wlan ac-global country-code.
     If the country code is modified, the corresponding VAPs are deleted, so schedule the change for a maintenance window.
   (Optional) Configure a country code in the AP region view:
     Run the wlan command to enter the WLAN view.
     Run the ap-region id region-id command to enter the AP region view.
     Note: The AP region must already have been created. For details, see How to Configure an AP Region.
     Run the country-code country-code command to configure the country code in the AP region view.
     By default, no country code is configured in the AP region view.
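A compliance check that ties the two preceding topics together: resolve the effective country code with the precedence rule above (AP region view over AC global, default CN), parse the output of display actual channel-power, and list radios whose displayed power exceeds the limit for that code. This is an added example, not Huawei code: the sample output is constructed from the column names the course lists rather than captured from an AC, the regular expression assumes that row layout, and the limit table holds placeholder numbers, not regulatory values.

```python
"""Added example: audit display actual channel-power output against a
per-country power ceiling. Not Huawei code; sample output and limits are
constructed placeholders."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RadioPower:
    ap_id: int
    radio_id: int
    channel: int
    power_level: int
    power_dbm: int      # max transmit power + antenna gain (+ MIMO gain), per the course
    bandwidth: str


# Constructed sample laid out with the course's column names; not a real capture.
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------------
RADIO   CHANNEL   POWER-LEVEL   POWER(dBm)   CHANNEL-BANDWIDTH
-------------------------------------------------------------------------------
1/0     6         7             20           20MHz
1/1     36        3             27           40MHz
2/0     11        9             16           20MHz
-------------------------------------------------------------------------------
"""

# One data row: "<ap>/<radio>  <channel>  <level>  <dBm>  <bandwidth>" (assumed layout)
ROW_RE = re.compile(r"^\s*(\d+)/(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_channel_power(text: str):
    """Parse the data rows of display actual channel-power output; header and rules are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ap, radio, ch, lvl, dbm, bw = m.groups()
            rows.append(RadioPower(int(ap), int(radio), int(ch), int(lvl), int(dbm), bw))
    return rows


def effective_country_code(global_code: Optional[str], region_code: Optional[str]) -> str:
    """Precedence from the course: the AP region view's code wins when set,
    otherwise the AC's global code, whose factory default is CN."""
    if region_code:
        return region_code
    return global_code or "CN"


# Placeholder EIRP ceilings per country code and band, chosen for this example
# only. NOT regulatory values: substitute the real limits for the jurisdiction.
ASSUMED_LIMITS_DBM = {
    "CN": {"2.4GHz": 20, "5GHz": 23},
    "DE": {"2.4GHz": 20, "5GHz": 23},
}


def band_of(channel: int) -> str:
    # Assumption: channels 1-14 are 2.4 GHz, anything higher is 5 GHz
    return "2.4GHz" if channel <= 14 else "5GHz"


def over_limit(rows, country_code: str):
    """Radios whose displayed power exceeds the assumed limit for the country
    code, as (ap_id, radio_id, power_dbm, limit_dbm) tuples."""
    limits = ASSUMED_LIMITS_DBM[country_code]
    findings = []
    for r in rows:
        limit = limits[band_of(r.channel)]
        if r.power_dbm > limit:
            findings.append((r.ap_id, r.radio_id, r.power_dbm, limit))
    return findings


def audit(text: str, global_code: Optional[str], region_code: Optional[str]):
    """End to end: resolve the country code, parse the output, list offenders."""
    code = effective_country_code(global_code, region_code)
    return code, over_limit(parse_channel_power(text), code)


if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT, global_code="CN", region_code=None))
```

Run against the sample, the audit flags AP 1 radio 1 (27 dBm on channel 36 against the placeholder 23 dBm ceiling). Remember that the displayed value already includes antenna and MIMO gain, so it is the number to compare with an EIRP limit; comparing the bare conducted power would understate the emission.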