Services Are Interrupted Due to Different MTU Values on Huawei S5700 and Vendor R’s Switch

Issue Description

Two Huawei S5700s are configured in a stack. Each switch is connected to a vendor R’s switch through an Eth-Trunk that is aggregated by three Ethernet links. The 5700s, functioning as access switches, use Eth-Trunk interfaces to transparently transmit VLAN packets to vendor R’s switches. The gateway is configured on vendor R’s switch. Service interruption occurs from time to time, but the interface status is normal and no alarm information is generated. Such symptoms cannot be simulated.

Alarm Information

None

Handling Process

The MTU value on the S5700 cannot be changed. Therefore, change the MTU value on interfaces of vendor R’s switch to 1600. After the configuration, services are recovered.

Root Cause

When the fault occurs, capture packets on the S5700 and analyze the Eth-Trunk. It is found that the size of response packets is 1500 bytes or nearly 1500 bytes, and the DF bit of these large packets is set to 1, indicating that they cannot be fragmented. Capture packets on the uplink device. It is found that the uplink device cannot receive large packets of 1500 bytes or nearly 1500 bytes. The fault may occur on the Eth-Trunk. After communication with vendor R, it is found that the MTU value is set to 1492 on member interfaces of the Eth-Trunk on vendor R's switch. Change the MTU value to 1600. Services are recovered.
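To show why this failure was silent and intermittent, here is an added Python model (not from the original case) that walks a packet across the path using the MTU values from this case: an L2 hop discards an oversized frame with no feedback, whereas an L3 hop would fragment it or return ICMP "fragmentation needed" so the sender's PMTUD could adapt. The hop names and the 1600-byte after-fix path are assumptions taken from the text.

```python
# Added model, not part of the original case. Each hop is (name, layer, mtu).
# Assumption: an L2 hop (switch port, Eth-Trunk member) drops an oversized frame
# without feedback; an L3 hop either fragments it (DF=0) or answers with
# ICMP "fragmentation needed" (DF=1), which is what lets PMTUD recover.
IP_HDR = 20

PATH_BEFORE = [("S5700 Eth-Trunk", "L2", 1500),
               ("vendor R Eth-Trunk member", "L2", 1492),   # value found in the case
               ("gateway on vendor R switch", "L3", 1500)]
# Same path after vendor R's member interfaces were raised to 1600.
PATH_AFTER = [(n, l, 1600 if n.startswith("vendor R Eth-Trunk") else m)
              for n, l, m in PATH_BEFORE]

def fragment(size, mtu):
    """Split one IPv4 packet into fragments that fit mtu (payload in 8-byte units)."""
    payload, chunk, pieces = size - IP_HDR, (mtu - IP_HDR) // 8 * 8, []
    while payload > 0:
        pieces.append(IP_HDR + min(chunk, payload))
        payload -= chunk
    return pieces

def forward(ip_len, df, path):
    """Return (outcome, hop, pieces) for an IP packet of ip_len bytes with DF set or clear.
    outcome is 'delivered', 'icmp-frag-needed' or 'silent-drop'."""
    pieces = [ip_len]
    for name, layer, mtu in path:
        out = []
        for size in pieces:
            if size <= mtu:
                out.append(size)
            elif layer == "L3" and not df:
                out.extend(fragment(size, mtu))
            elif layer == "L3":
                return ("icmp-frag-needed", name, len(pieces))  # sender learns the smaller PMTU
            else:
                return ("silent-drop", name, len(pieces))       # no feedback: only large packets vanish
        pieces = out
    return ("delivered", None, len(pieces))

if __name__ == "__main__":
    for size in (1400, 1500):
        print(size, forward(size, True, PATH_BEFORE), forward(size, True, PATH_AFTER))
```

Small packets pass both paths, so the interface stays up and no alarm is raised; only the near-1500-byte DF=1 responses disappear, which matches the symptoms reported above.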

Suggestions

None


The Port State in MSTP Instance 2 Is Incorrect Due to Misconfiguration Within the Same Region

Issue Description

The port1 (ge0/1/1) state in instance 2 of MSTP on the Huawei S5700 switch should have been discarding as designed (see the topology below), but it was forwarding:
[s5700]dis stp ins 2 brief
MSTID  Port                        Role  STP State     Protection
2    GigabitEthernet0/0/47       DESI  FORWARDING      NONE
2    GigabitEthernet0/0/48       DESI  FORWARDING      NONE
2    GigabitEthernet0/1/1        MAST  FORWARDING      NONE
2    GigabitEthernet0/1/2        ALTE  DISCARDING      NONE
[Topology figure omitted]
Alarm Information

There is no alarm.

Handling Process

1. After checking the configurations, we found that the region configuration for instance 3 on the S5700 was different from that on the two core switches (CSW1 and CSW2):
a.csw1
stp region-configuration
region-name RG1
revision-level 1
instance 1 vlan 5 10 15
instance 2 vlan 20 25 30
instance 3 vlan 500 to 501
active region-configuration
b.csw2
stp region-configuration
region-name RG1
revision-level 1
instance 1 vlan 5 10 15
instance 2 vlan 20 25 30
instance 3 vlan 500 to 501
active region-configuration
c.s5700
stp region-configuration
region-name RG1
revision-level 1
instance 1 vlan 5 10 15
instance 2 vlan 20 25 30
instance 3 vlan 500
active region-configuration
2. This put the S5700 in a different MSTP region, so it chose port1 (ge0/1/1) as the master port connecting to the other MSTP region:
[s5700]dis stp ins 2 brief
MSTID  Port                        Role  STP State     Protection
2    GigabitEthernet0/0/47       DESI  FORWARDING      NONE
2    GigabitEthernet0/0/48       DESI  FORWARDING      NONE
2    GigabitEthernet0/1/1        MAST  FORWARDING      NONE
2    GigabitEthernet0/1/2        ALTE  DISCARDING      NONE
3. Add VLAN 501 to instance 3 on the S5700 and activate the region configuration; the port state then became correct.
instance 3 vlan 501
active region-configuration

Root Cause

The region configuration for instance 3 on the S5700 differed from that on the two core switches (CSW1 and CSW2).

Suggestions

An MSTP region is identified by four elements: Configuration Name, Revision Level, Configuration Identifier Format Selector, and the mapping of VIDs to spanning trees. If any one of them differs, the switches are in different MSTP regions.
Pay attention to these elements when designing and deploying an MSTP network.
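As an added illustration (not part of the original case), the following Python computes the MST Configuration Digest that bridges compare in their BPDUs, using the HMAC-MD5 key IEEE 802.1s defines for it, and checks the three region configurations from this case: the CSW digest differs from the S5700 digest while VLAN 501 is missing from instance 3, and matches once it is added. The configuration dictionaries are transcribed from the case; the helper names are my own.

```python
import hashlib
import hmac

# Added illustration, not part of the original case. The HMAC-MD5 key is the one IEEE 802.1s
# specifies for the MST Configuration Digest; the Configuration Identifier Format Selector
# (always 0) is carried separately in the BPDU and is not part of the digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

def config_table(instance_map):
    """4096 big-endian 16-bit MSTIDs, one per VID; VIDs not listed stay in instance 0 (CIST)."""
    table = [0] * 4096
    for msti, vids in instance_map.items():
        for vid in vids:
            table[vid] = msti
    return b"".join(m.to_bytes(2, "big") for m in table)

def mst_digest(instance_map):
    """Hex digest of the VID-to-instance table, as shown by the switch's MST configuration display."""
    return hmac.new(MST_DIGEST_KEY, config_table(instance_map), hashlib.md5).hexdigest()

def same_region(a, b):
    """Bridges form one region only when name, revision level and digest all match."""
    return (a["name"], a["revision"], mst_digest(a["map"])) == \
           (b["name"], b["revision"], mst_digest(b["map"]))

# Region configurations transcribed from the case above.
CSW = {"name": "RG1", "revision": 1,
       "map": {1: [5, 10, 15], 2: [20, 25, 30], 3: range(500, 502)}}   # "vlan 500 to 501"
S5700_BEFORE = {"name": "RG1", "revision": 1,
                "map": {1: [5, 10, 15], 2: [20, 25, 30], 3: [500]}}     # VLAN 501 missing
S5700_AFTER = {"name": "RG1", "revision": 1,
               "map": {1: [5, 10, 15], 2: [20, 25, 30], 3: [500, 501]}}

if __name__ == "__main__":
    print("CSW        ", mst_digest(CSW["map"]))
    print("S5700 before", mst_digest(S5700_BEFORE["map"]), same_region(CSW, S5700_BEFORE))
    print("S5700 after ", mst_digest(S5700_AFTER["map"]), same_region(CSW, S5700_AFTER))
```

With no VLAN-to-instance mappings at all, the function returns the well-known default digest ac36177f50283cd4b83821d8ab26de62, which is a quick way to confirm the table layout is right.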

 

User Always Fails to Log In to the S5700 with TACACS Server Authentication

Issue Description

The customer uses a TACACS server as the authentication method. After configuring it on the S5700 switch, he still cannot log in to the switch.

Alarm Information

None

Handling Process

First, checking the basic configuration, I find that the TACACS configuration on the S5700 is incomplete; some important configuration is missing, as follows:

aaa
 authentication-scheme default
 authentication-scheme test
  authentication-mode hwtacacs
 authorization-scheme default
 authorization-scheme test
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs
  authorization-cmd 15 hwtacacs
 accounting-scheme default
 accounting-scheme test
  accounting-mode hwtacacs
 domain default
 domain default_admin

// There is no domain configuration for the hwtacacs authentication; it needs to be configured.

Then ask the customer to add the following domain configuration:

 domain test
  authentication-scheme test
  authorization-scheme test
  hwtacacs-server test

After adding the above configuration, the customer tested again but it still failed. At this time, he found that the TACACS server shows the authentication as successful, as follows:

Troubleshooting Of MAC Flapping For S7703

Issue Description

eSight detected MAC flapping on the S7703.

Alarm Information

This is the screenshot of alarm from eSight:

[eSight alarm screenshot omitted]

Handling Process

1. MAC address flapping occurs in the following situations: a. Network cables of switches are connected incorrectly or switches use incorrect configurations; b. Unauthorized users spoof the MAC address of a valid network device to attack the network. First, check the indicators: they never flash frequently. Second, collect information with the command display interface brief: the InUti and OutUti figures are very low. Third, collect spanning tree information with the command display stp: MSTP is enabled and the port settings are appropriate. This eliminates a loop in the network as the root cause.
2. Check the information in display trapbuffer. The information about MAC flapping is as below:
#Oct 30 2014 14:28:02 S7703 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value.  (L2IfPort=0,entPhysicalIndex=0,  BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1,  MacAdd=1047-808a-e2f6,vlanid=99, FormerIfDescName=GigabitEthernet3/0/44, CurrentIfDescName=XGigabitEthernet1/0/0,DeviceName= S7703)
#Oct 30 2014 14:26:02 S7703 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value.  (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1,  MacAdd=1047-808a-e2f6,vlanid=99, FormerIfDescName=XGigabitEthernet1/0/0, CurrentIfDescName=GigabitEthernet3/0/44,DeviceName=SS7703)
From this information we found that only the MAC address 1047-808a-e2f6 is flapping, and the switch learned it from interfaces XGE1/0/0 and GE3/0/44.
3. Confirm which device the MAC address 1047-808a-e2f6 belongs to with the command display arp | in 1047-808a-e2f6
<S7703>display arp | in 1047-808a-e2f6
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
VLAN/CEVLAN
——————————————————————————
10.0.99.44      1047-808a-e2f6  20        D-0/0       XGE1/0/0
10.0.99.45      1047-808a-e2f6  20        D-0/0       GE3/0/44
——————————————————————————
Total:326       Dynamic:305     Static:0     Interface:21
4. From the ARP mapping list, we can see that the MAC address 1047-808a-e2f6 belongs to both IP address 10.0.99.44 and IP address 10.0.99.45, so two devices have the same MAC address. Finally we found that the customer had changed the MAC address of one IA5000; this is the root cause.
5. Restore the MAC address of the IA5000 to the default value. The MAC flapping then disappears.
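As an added example (not part of the original case), the following Python parses MAC_FLAPPING_ALARM traps like the two above and cross-checks the flapping MAC against display arp output, separating the duplicate-MAC pattern found here from a loop or wiring fault. The sample trap and ARP lines are transcribed from this case; the regular expressions and the verdict labels are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input, transcribed from the trap and ARP lines quoted in this case.
TRAPS = """\
#Oct 30 2014 14:28:02 S7703 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value.  (L2IfPort=0,entPhysicalIndex=0,  BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1,  MacAdd=1047-808a-e2f6,vlanid=99, FormerIfDescName=GigabitEthernet3/0/44, CurrentIfDescName=XGigabitEthernet1/0/0,DeviceName= S7703)
#Oct 30 2014 14:26:02 S7703 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value.  (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1,  MacAdd=1047-808a-e2f6,vlanid=99, FormerIfDescName=XGigabitEthernet1/0/0, CurrentIfDescName=GigabitEthernet3/0/44,DeviceName=SS7703)
"""
ARP = """\
10.0.99.44      1047-808a-e2f6  20        D-0/0       XGE1/0/0
10.0.99.45      1047-808a-e2f6  20        D-0/0       GE3/0/44
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
TRAP_RE = re.compile(
    r"MacAdd=(?P<mac>" + MAC + r"),\s*vlanid=(?P<vlan>\d+),"
    r"\s*FormerIfDescName=(?P<former>[^,]+),\s*CurrentIfDescName=(?P<current>[^,]+)")
ARP_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>" + MAC + r")", re.M)

def parse_flaps(trap_text):
    """Group MAC_FLAPPING_ALARM traps by (MAC, VLAN): the ports the address moved between and how often."""
    flaps = defaultdict(lambda: {"ports": set(), "count": 0})
    for m in TRAP_RE.finditer(trap_text):
        key = (m["mac"], int(m["vlan"]))
        flaps[key]["ports"].update((m["former"], m["current"]))
        flaps[key]["count"] += 1
    return dict(flaps)

def ips_for_mac(arp_text, mac):
    """All IP addresses the ARP table binds to one MAC; more than one means two hosts share it."""
    return sorted(m["ip"] for m in ARP_RE.finditer(arp_text) if m["mac"] == mac)

def classify(trap_text, arp_text):
    """'duplicate-mac' when a flapping MAC also answers for several IPs (cloned or spoofed address);
    otherwise 'loop-or-wiring', which is what the STP and utilization checks above rule in or out."""
    verdicts = {}
    for (mac, vlan), info in parse_flaps(trap_text).items():
        ips = ips_for_mac(arp_text, mac)
        verdicts[(mac, vlan)] = "duplicate-mac" if len(ips) > 1 else "loop-or-wiring"
    return verdicts

if __name__ == "__main__":
    print(parse_flaps(TRAPS))
    print(classify(TRAPS, ARP))
```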

Root Cause

Because of human error, two devices had the same MAC address. That caused the MAC flapping.

Suggestions

During troubleshooting, use different methods to narrow the range of possible root causes. That will be helpful for the work.

 

Contact information:

Telephone: 852-30623083
Email: Sales@Thunder-link.com
Supports@Thunder-link.com
Website: http://www.thunder-link.com

Web Interface Issue in S5700

Issue Description

I cannot open the web of S5700 E1 switch.

Alarm Information

<Quidway>dis current-configuration
#
!Software Version V200R001C00SPC300
sysname Quidway
#
undo http server enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$I6.ASV)hJET,p”Dn.YM%3aXO%$%$
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface GigabitEthernet0/1/1
#
interface GigabitEthernet0/1/2
#
interface GigabitEthernet0/1/3
#
interface GigabitEthernet0/1/4
#
interface NULL0
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$UiPSO)yB-6YQx9E`{T>),ULCz\p%F3dpkLR1uGXb}+|3$[RM%$%$
user-interface vty 0 4
user-interface vty 16 20
#
return
<Quidway>

Handling Process

<Quidway> system-view
[Quidway] http server load web_1.zip
Info: Load web file successfully.

Then you can run

[Quidway] http server enable

Root Cause

If you want to manage and maintain devices through a graphical user interface, you can configure the web network management function. When configuring it, if you need to update the loaded web page file, run the http server load command. In the configuration above the HTTP server is disabled (undo http server enable), so the web interface cannot be opened until the web file is loaded and the server is enabled.

Suggestions

None

Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses From If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface

Issue Description

Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses From If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface?

Solution

When a user without VLAN tag passes MAC address authentication, the user obtains an IP address from the VLAN matching the interface PVID. When a user with a VLAN tag passes MAC address authentication, the user obtains an IP address from the VLAN matching the VLAN tag.

If a user fails MAC address authentication, the user obtains an IP address from the guest VLAN on the interface where the user accesses.
