1. Checking the Interface Type, VLAN ID, and IP Addresses
If a PC is directly connected to a switch, ensure that the IP addresses of the PC and VLANIF interface are on the same subnet.
If a switch is directly connected to another network device, ensure that the connected ports have the same type and VLAN configuration and the IP addresses of the two VLANIF interfaces are on the same subnet.
For example, check the VLAN configuration of GE0/0/1.
<HUAWEI> display port vlan
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
Eth-Trunk0              hybrid       1     -
GigabitEthernet0/0/1    access       1     -
GigabitEthernet0/0/2    trunk        1     1-11 13-30
GigabitEthernet0/0/3    access       10    -
……
For example, check the IP address configuration on VLANIF interfaces.
<HUAWEI> display ip interface brief
……
Interface                  IP Address/Mask      Physical   Protocol
Vlanif1                    10.1.1.1/24          down       down
Vlanif3                    10.2.1.1/24          up         up
Vlanif10                   unassigned           *down      down
……
2. Checking Link Status
Check whether the physical layer functions properly and whether the interfaces connected by a fiber or network cable work normally.
Check that the VLANIF interfaces are Up. This is the prerequisite of a successful ping. If the VLANIF interfaces are Down, no member interface in this VLAN is Up. Check the cable and connection again to ensure that the interfaces can go Up.
<HUAWEI> display ip interface brief
......
Interface                  IP Address/Mask      Physical   Protocol
Vlanif1                    10.1.1.1/24          down       down
Vlanif3                    10.2.1.1/24          up         up
Vlanif10                   unassigned           *down      down
......
<HUAWEI> display interface brief
......
Interface                   PHY   Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk0                  down  down         0%      0%         0          0
GigabitEthernet0/0/1        down  down         0%      0%         0          0
GigabitEthernet0/0/2        down  down         0%      0%         0          0
If an electrical port is Down, see Interconnected Electrical Interfaces Cannot Go Up. If an optical port is Down, see Interconnected Optical Ports Cannot Go Up.
3. Checking Whether the Interface STP Status Is Normal
If both the VLANIF and physical interfaces are Up, check whether the interfaces are blocked by STP. If the interfaces are blocked by STP, see STP Faults Occur.
Run the display stp brief command to view the STP status. In the command output, if STP state is displayed as DISCARDING, the interface is blocked.
<HUAWEI> display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  DISCARDING    LOOPBACK
4. Checking the Routes
Check whether directly connected routes are configured.
Run the display ip routing-table 10.1.1.10 command to view routing information. If the Proto value is Direct, the route is a directly connected route. Route selection follows the longest match rule: when a non-direct route has a longer mask than the direct route, packets cannot be forwarded through the directly connected interface. If the destination IP address matches a non-direct route, locate the routing failure.
<HUAWEI> display ip routing-table 10.1.1.10
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.1.1.0/24  Direct  0    0           D   10.1.1.1        Vlanif1
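The longest-match behaviour described above, as an added example that is not part of the original page. The Direct route is the one in the output above; the two Static routes, their next hops and the function names are constructed for illustration.

```python
import ipaddress

# Route lines in the column order of "display ip routing-table".
# Only the Direct route comes from this page; the Static entries are
# constructed to show a longer, non-direct match.
ROUTES = """\
10.1.1.0/24  Direct  0   0  D   10.1.1.1    Vlanif1
10.1.1.8/29  Static  60  0  RD  10.2.1.2    Vlanif3
0.0.0.0/0    Static  60  0  RD  10.2.1.254  Vlanif3
"""

def parse_routes(text):
    """Return a list of (network, proto, nexthop, interface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip headers, separators and blank lines
        dest, proto, _pre, _cost, _flags, nexthop, ifname = fields
        routes.append((ipaddress.ip_network(dest), proto, nexthop, ifname))
    return routes

def best_route(routes, address):
    """Longest-prefix match: the matching route with the longest mask wins."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)

def check_direct(routes, address):
    """Describe whether traffic to `address` leaves via a Direct route."""
    route = best_route(routes, address)
    if route is None:
        return f"{address}: no matching route"
    net, proto, nexthop, ifname = route
    if proto == "Direct":
        return f"{address}: OK, Direct route {net} via {ifname}"
    return (f"{address}: matched {proto} route {net} (next hop {nexthop}, "
            f"{ifname}) instead of the direct route")

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    # 10.1.1.10 falls inside the /29, 10.1.1.20 only inside the /24.
    for target in ("10.1.1.10", "10.1.1.20"):
        print(check_direct(table, target))
```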
Check whether policy-based routing is configured.
Run the display traffic-policy applied-record command to check whether policy-based routing is configured in the interface or VLAN view.
For example, to apply policy-based routing to GE0/0/1 and redirect the packets from PC 10.1.1.2 to 10.2.1.2, perform the following operations:
Run the display traffic-policy applied-record command to check whether a traffic policy is applied:
<HUAWEI> display traffic-policy applied-record
#
-------------------------------------------------
  Policy Name:   p1
  Policy Index:  1
     Classifier:c1     Behavior:b1     //Associate traffic policy p1 with classifier c1 and behavior b1.
-------------------------------------------------
 *interface GigabitEthernet0/0/1
    traffic-policy p1 inbound     //Apply p1 to the inbound direction of GE0/0/1.
      slot 0    :  success
-------------------------------------------------
  Policy total applied times: 1.
#
Run the display traffic behavior user-defined behavior-name command to check whether redirection is specified for the traffic behavior associated with the policy.
<HUAWEI> display traffic behavior user-defined b1
  User Defined Behavior Information:
    Behavior: b1
      Redirect:
        Redirect ip-nexthop (no forced)
        10.2.1.2     //Set the action of b1 to redirection and next hop address to 10.2.1.2.
Run the display traffic classifier user-defined classifier-name command to check the ACL number associated with the traffic classifier.
<HUAWEI> display traffic classifier user-defined c1
  User Defined Classifier Information:
   Classifier: c1
    Operator: AND
    Rule(s) : if-match acl 3000     //Associate c1 with ACL 3000.
Run the display acl acl-number command to check ACL content.
<HUAWEI> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.1.2 0     //ACL 3000 matches all IP packets with source IP address 10.1.1.2.
Modify the traffic policy to ensure correct traffic forwarding between PC and switch.
Configuration roadmap: Create an ACL to match the traffic from PC to the local subnet. The matching traffic is not redirected.
Configuration order: Create the traffic classifier without redirection, and then the traffic classifier for redirection. Bind the traffic classifier without redirection and its behavior to the traffic policy, and then bind the traffic classifier and behavior for redirection to the policy.
<HUAWEI> system-view
[HUAWEI] acl 3001     //Create an ACL.
[HUAWEI-acl-adv-3001] rule permit ip source 10.1.1.2 0 destination 10.1.1.0 0.0.0.255     //Match the IP packets (without redirection) from PC to the local network segment.
[HUAWEI-acl-adv-3001] quit
[HUAWEI] traffic behavior b2     //Create traffic behavior.
[HUAWEI-behavior-b2] permit     //Set the action to permit (without redirection).
[HUAWEI-behavior-b2] quit
//The policy has been applied to the interface; therefore, unbind the policy from the interface, unbind the classifier from the traffic policy, delete the classifier globally, and then reconfigure them in sequence.
[HUAWEI] int GigabitEthernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo traffic-policy inbound     //Unbind the traffic policy from the interface.
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] undo classifier c1     //Unbind the classifier from the policy.
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] undo traffic classifier c1     //Delete the classifier globally.
[HUAWEI] traffic classifier c2     //Create the traffic classifier c2 without redirection configured.
[HUAWEI-classifier-c2] if-match acl 3001     //Associate ACL 3001 with c2.
[HUAWEI-classifier-c2] quit
[HUAWEI] traffic classifier c1     //Create the traffic classifier c1 used for redirection.
[HUAWEI-classifier-c1] if-match acl 3000     //Associate ACL 3000 with c1.
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic policy p1     //Bind the traffic policy to c2 and its behavior, and then to c1 and its behavior.
[HUAWEI-trafficpolicy-p1] classifier c2 behavior b2
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface GigabitEthernet0/0/1     //Apply the traffic policy to the interface.
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet0/0/1] return
<HUAWEI>
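Why the order of c2 and c1 matters, as an added example that is not part of the original page. It models ACL 3000 and 3001, the classifiers and the behaviors from the configuration above; first-match-wins evaluation in the listed order is an assumption of this model, and the Python names, the test destination 10.3.1.5 and POLICY_WRONG_ORDER are constructed.

```python
import ipaddress

def wildcard_match(address, base, wildcard):
    """ACL wildcard match: bits that are 0 in the wildcard must equal the base."""
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACL rules from this page: (source, src wildcard, destination, dst wildcard).
# A wildcard of "0" on the CLI is 0.0.0.0 (host match); None means "any".
ACLS = {
    3000: [("10.1.1.2", "0.0.0.0", None, None)],
    3001: [("10.1.1.2", "0.0.0.0", "10.1.1.0", "0.0.0.255")],
}
CLASSIFIERS = {"c1": 3000, "c2": 3001}
BEHAVIORS = {"b1": ("redirect", "10.2.1.2"), "b2": ("permit", None)}

def acl_permits(acl, src, dst):
    """True if any rule of the ACL matches the source and destination."""
    for r_src, r_swc, r_dst, r_dwc in ACLS[acl]:
        if not wildcard_match(src, r_src, r_swc):
            continue
        if r_dst is None or wildcard_match(dst, r_dst, r_dwc):
            return True
    return False

def apply_policy(policy, src, dst):
    """Return the behavior of the first matching classifier (assumed
    first-match-wins); traffic that matches nothing is forwarded normally."""
    for classifier, behavior in policy:
        if acl_permits(CLASSIFIERS[classifier], src, dst):
            return BEHAVIORS[behavior]
    return ("forward", None)

POLICY_BEFORE = [("c1", "b1")]                     # original p1
POLICY_AFTER = [("c2", "b2"), ("c1", "b1")]        # p1 after the fix
POLICY_WRONG_ORDER = [("c1", "b1"), ("c2", "b2")]  # constructed counter-example

if __name__ == "__main__":
    ping_to_vlanif = ("10.1.1.2", "10.1.1.1")      # PC pings the switch
    off_subnet = ("10.1.1.2", "10.3.1.5")          # constructed remote host
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER),
                         ("wrong order", POLICY_WRONG_ORDER)):
        print(name, apply_policy(policy, *ping_to_vlanif),
              apply_policy(policy, *off_subnet))
```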
5. Checking ARP
Check whether the ARP entry of the directly connected address is learned.
<HUAWEI> display arp | include 10.1.1.10
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE   INTERFACE   VPN-INSTANCE   VLAN/CEVLAN
------------------------------------------------------------------------------
10.1.1.10       2222-2222-2222  20        D-0    GE0/0/3
......
If ARP entries cannot be learned, rectify the ARP fault. For example, check whether the MAC address entries can be learned, whether an ARP attack consumes ARP resources, whether strict ARP learning is enabled, and whether the MAC address or ARP entries match the IPSG binding table in a VLAN or on an interface.
If the ARP entry is correctly learned, verify the MAC address entry. Check whether the outbound interfaces in the MAC address entry and ARP entry are identical. If they are not identical, check whether a loop or MAC address conflict occurs.
<HUAWEI> display mac-address 2222-2222-2222
MAC Address     VLAN/VSI    Learned-From    Type
------------------------------------------------------------------------------
2222-2222-2222  1/-         GE0/0/3         dynamic
......
6. Checking Whether a Blacklist Is Configured
If a blacklist for cpu-defend is configured, the switch discards the packets from the blacklisted users.
Run the display cpu-defend policy command to check the policy name applied globally or to the specified slot, the display cpu-defend policy policy-name command to check whether a blacklist is configured in the policy, and the display acl acl-number command to check the content of ACL referenced by the blacklist.
<HUAWEI> display cpu-defend policy
----------------------------------------------------------------
 Name  : default
 Related slot : <>
----------------------------------------------------------------
 Name  : test
 Related slot : <1>     //Apply the policy test to slot 1.
----------------------------------------------------------------
<HUAWEI> display cpu-defend policy test
 Related slot : <1>
 Configuration :
   Blacklist 1 ACL number : 3300     //Configure a blacklist in the policy and associate the blacklist to ACL 3300.
   Car packet-type icmp : CIR(5000)  CBS(20000)
   Car packet-type tcp : CIR(2000)  CBS(376000)
<HUAWEI> display acl 3300
Advanced ACL 3300, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.10.10.1 0 (match-counter 0)     //The ACL matches the IP packets with source IP address 10.10.10.1.
Packets matching the ACL are discarded, regardless of whether the ACL contains a permit or deny rule.
If a blacklist is configured and contains the remote IP address, delete the blacklist or modify the referenced ACL to ensure that packets can be correctly processed.
For example, to delete the blacklist in the attack defense policy test, run the following commands:
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-defend-policy-test] dis this
#
cpu-defend policy test
 blacklist 1 acl 3300
 car packet-type icmp cir 5000 cbs 20000
 car packet-type tcp cir 2000 cbs 376000
[HUAWEI-defend-policy-test] undo blacklist 1
[HUAWEI-defend-policy-test] return
<HUAWEI>
If no blacklist is configured or a blacklist does not contain the remote IP address, go to the next step.
NOTE:
If the remote end can successfully ping the switch but the switch cannot ping the remote end, check whether the ping function is disabled on the remote end (for example, ping is prohibited by the software firewall or a policy rejecting ping packets is configured).
7. Checking Packet Sending and Receiving Statistics
If no problem is detected in the preceding steps but the ping operation still fails, configure traffic statistics collection on the interfaces to check statistics on sent and received packets and locate the fault.
Create an ACL to match the source and destination IP addresses in ping packets.
[HUAWEI] acl number 3333
[HUAWEI-acl-adv-3333] rule 5 permit icmp source x.x.x.x 0 destination y.y.y.y 0
[HUAWEI-acl-adv-3333] rule 10 permit icmp source y.y.y.y 0 destination x.x.x.x 0
[HUAWEI-acl-adv-3333] quit
Configure the traffic classifier, traffic behavior, and traffic policy.
[HUAWEI] traffic classifier 3333
[HUAWEI-classifier-3333] if-match acl 3333
[HUAWEI-classifier-3333] quit
[HUAWEI] traffic behavior 3333
[HUAWEI-behavior-3333] statistic enable
[HUAWEI-behavior-3333] quit
[HUAWEI] traffic policy 3333
[HUAWEI-trafficpolicy-3333] classifier 3333 behavior 3333
[HUAWEI-trafficpolicy-3333] quit
Apply the policy to the inbound and outbound directions of the interface.
[HUAWEI] interface GigabitEthernet 0/0/10
[HUAWEI-GigabitEthernet0/0/10] traffic-policy 3333 inbound
[HUAWEI-GigabitEthernet0/0/10] traffic-policy 3333 outbound
[HUAWEI-GigabitEthernet0/0/10] return
If the switch is directly connected to a PC, apply the traffic policy in the inbound and outbound directions of the interface connected to the PC. If the switch is directly connected to another network device, you are advised to apply the traffic policy in both directions on the two interfaces.
Check traffic statistics.
Clear the existing statistics.
<HUAWEI> reset traffic policy statistics interface GigabitEthernet 0/0/10 inbound
<HUAWEI> reset traffic policy statistics interface GigabitEthernet 0/0/10 outbound
Perform a ping operation and run the display command to view packet statistics.
<HUAWEI> display traffic policy statistics interface GigabitEthernet 0/0/10 inbound
<HUAWEI> display traffic policy statistics interface GigabitEthernet 0/0/10 outbound
NOTE:
inbound indicates received packets and outbound indicates sent packets.
Perform the following steps to check statistics on sent and received packets:
For example, device A pings device B.
Check whether the number of ping packets sent by device A’s port is the same as the number of packets displayed. If not, the ping packets are discarded by device A.
Check whether the number of packets sent by device A’s port is the same as the number of packets received by device B’s port. If not, the ping packets are discarded on the link.
Check whether the number of packets sent by device B’s port is the same as the number of packets received by device A’s port. If not, the ping packets are discarded by device B.
Check whether the number of packets returned by device B is the same as the number of packets sent by device A. If not, the ping packets are discarded on the link.
If the packets are discarded on the link, replace the link. If the packets are discarded by the PC or a non-Huawei device, locate the fault on that device. If the packets are discarded by the Huawei switch, locate the reason for the packet loss or contact Huawei engineers.
8. Checking Whether Too Many ICMP Packets Are Discarded by CPCAR
Check whether the switch has received too many ICMP packets. Excess ICMP packets are discarded by CAR and are not sent to the CPU. The commands vary according to switch models and software versions. Check whether the Drop counter in the command output increases.
For modular switches running V100R002 and fixed switches running V100R005:
<HUAWEI> display cpu-defend icmp statistics all
CPCAR on mainboard
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
icmp                          0            0               0               0
-------------------------------------------------------------------------------
CPCAR on slot 4
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
icmp                          0            0               0               0
-------------------------------------------------------------------------------
For modular switches running V100R003 or later and fixed switches running V100R005 or later:
<HUAWEI> display cpu-defend statistics packet-type icmp all
Statistics on mainboard:
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-------------------------------------------------------------------------------
icmp                       4488            0              44               0
-------------------------------------------------------------------------------
Statistics on slot 3:
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-------------------------------------------------------------------------------
icmp                          0            0               0               0
-------------------------------------------------------------------------------
If the Drop counter increases, increase the CAR value and test whether the problem is solved. Change the CAR value as follows:
Run the cpu-defend policy command to set the CAR value.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] car packet-type icmp cir 256
[HUAWEI-cpu-defend-policy-1] display this
#
cpu-defend policy 1
 car packet-type icmp cir 256 cbs 48128
#
Apply the policy globally or to a specified LPU.
Global:
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1 global
To an LPU:
[HUAWEI] slot 1
[HUAWEI-slot-1] cpu-defend-policy 1
[HUAWEI-slot-1] dis this
#
slot 1
 cpu-defend-policy 1
#
NOTICE:
Ensure that the increased CAR value will not cause a high CPU usage.
9. Checking the Packet Format
A switch may fail to process packets that are in an incorrect format, for example, packets with an incorrect destination MAC address or with the VLAN CFI bit set to 1. Check packet information to determine whether the ping failure is caused by an incorrect packet format.
Obtain the packets on the interfaces and inspect them. If traffic volume on an interface is small, configure port mirroring to obtain all packets from the interface and analyze the ICMP packets.
If mirroring cannot be implemented, run the capture command to view packets received on the interface. Packet information can be displayed on your screen or saved to the switch as a .cap file. Then you can analyze the packets. Commands:
[HUAWEI] capture-packet interface GigabitEthernet 4/0/38 destination terminal packet-num 100
Info: Captured packets will be shown on terminal.
[HUAWEI]
  Packet: 1
  -------------------------------------------------------
  00 00 0a 88 15 d0 00 00 0a 88 15 d5 81 00 00 c8
  08 00 45 00 00 54 17 9e 00 00 ff 01 05 eb 07 08
  c8 0d 07 08 c8 02 08 00 40 69 ab e4 00 01 0f 84
  d1 ea 00 00 00 00 00 01 02 03 04 05 06 07 08 09
  0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19
  1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29
  2a 2b 2c 2d 2e 2f
  -------------------------------------------------------
  Packet: 2
  -------------------------------------------------------
  00 00 0a 88 15 d0 00 00 0a 88 15 d5 81 00 00 c8
  08 00 45 00 00 54 17 9e 00 00 ff 01 05 eb 07 08
  c8 0d 07 08 c8 02 08 00 40 69 ab e4 00 01 0f 84
  d1 ea 00 00 00 00 00 01 02 03 04 05 06 07 08 09
  0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19
  1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29
  2a 2b 2c 2d 2e 2f
  -------------------------------------------------------
NOTE:
This command is available since V100R006. This is only one way to use this command. For other usages of this command, see the product manual.
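One way to check the format of a captured frame offline, as an added example that is not part of the original page or of any Huawei tool. It decodes the first frame printed above and tests the conditions this step names (destination MAC, VLAN CFI bit) plus the IP and ICMP checksums; the function names and the expected destination MAC passed to find_problems are assumptions.

```python
import struct

# First frame printed by capture-packet on this page (102 bytes).
FRAME_HEX = """
00 00 0a 88 15 d0 00 00 0a 88 15 d5 81 00 00 c8
08 00 45 00 00 54 17 9e 00 00 ff 01 05 eb 07 08
c8 0d 07 08 c8 02 08 00 40 69 ab e4 00 01 0f 84
d1 ea 00 00 00 00 00 01 02 03 04 05 06 07 08 09
0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19
1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29
2a 2b 2c 2d 2e 2f
"""

def huawei_mac(raw):
    """Format 6 bytes as xxxx-xxxx-xxxx, the notation the switch prints."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in (0, 4, 8))

def checksum_ok(data):
    """Internet checksum: the one's-complement sum of a valid block is 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_frame(hex_dump):
    """Decode Ethernet, an optional 802.1Q tag, IPv4 and ICMP header fields."""
    frame = bytes.fromhex("".join(hex_dump.split()))
    info = {"dst_mac": huawei_mac(frame[0:6]), "src_mac": huawei_mac(frame[6:12])}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == 0x8100:                      # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, cfi=(tci >> 12) & 1, vlan=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == 0x0800:                      # IPv4
        ip = frame[offset:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        info.update(ip_total_len=total_len, ttl=ip[8], proto=ip[9],
                    ip_checksum_ok=checksum_ok(ip[:ihl]),
                    src_ip=".".join(map(str, ip[12:16])),
                    dst_ip=".".join(map(str, ip[16:20])))
        if ip[9] == 1:                           # ICMP
            info.update(icmp_type=ip[ihl], icmp_code=ip[ihl + 1],
                        icmp_checksum_ok=checksum_ok(ip[ihl:total_len]))
    return info

def find_problems(info, expected_dst_mac):
    """List format problems of the kind this step looks for."""
    problems = []
    if info["dst_mac"] != expected_dst_mac:
        problems.append(f"destination MAC {info['dst_mac']} is not {expected_dst_mac}")
    if info.get("cfi") == 1:
        problems.append("VLAN CFI bit is 1")
    for layer in ("ip", "icmp"):
        if info.get(f"{layer}_checksum_ok") is False:
            problems.append(f"bad {layer.upper()} checksum")
    return problems

if __name__ == "__main__":
    parsed = parse_frame(FRAME_HEX)
    print(parsed)
    # Assumption: the receiving interface's MAC equals the frame's destination MAC.
    print(find_problems(parsed, "0000-0a88-15d0") or "no format problems found")
```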
10. Collecting Information and Seeking Technical Support
If the fault persists, collect related information and seek technical support.
Collecting Fault Information
Collect operation results of the preceding steps and record the results in a file.
Collect all diagnostic information and export the information to a file.
Run the display diagnostic-information file-name command in the user view to collect diagnostic information and save the information to a file.
<HUAWEI> display diagnostic-information dia-info.txt
Now saving the diagnostic information to the device
 100%
Info: The diagnostic information was saved to the device successfully.
When the diagnostic file is generated, you can export the file from the device using FTP, SFTP, or SCP.
NOTICE:
You can run the dir command in the user view to check whether the file is generated.
You can also run the display diagnostic-information command and save terminal logs in a diagnostic file on a disk.
If this command displays a long output, press Ctrl+C to abort this command.
This command displays diagnostic information, which helps locate faults but may affect system performance. For example, CPU usage may become high. Therefore, do not use this command when the system is running properly.
Do not run the display diagnostic-information command simultaneously on multiple terminals connected to the device. Doing so may significantly increase the CPU usage of the device and degrade its performance.
Collect the log and trap information on the device and export the information to files.
Run the save logfile all command in the user view to save the logs in the user log buffer area and diagnostic log buffer area to the user log file and diagnostic log file, respectively.
<HUAWEI> save logfile all
Info: Save logfile successfully.
Info: Save diagnostic logfile successfully.
When the diagnostic file is generated, you can export the file from the device using FTP, SFTP, or SCP.
NOTE:
You can also run the display logbuffer and display trapbuffer commands to view the log and trap information on the device, and save the information in diagnostic files on a disk.
If you have any questions, please feel free to contact csd@telecomate.com.
NOTE:
Technical support personnel will provide instructions for you to submit all the collected information and files, so that they can locate faults.