The port state in instance 2 of MSTP is not correct due to mis-configurations in same region

Issue Description

Port 1 (ge0/1/1) of a Huawei S5700 switch should have been in the discarding state in MSTP instance 2 as designed (see below topology); however, it was forwarding:
[s5700]dis stp ins 2 brief
MSTID  Port                        Role  STP State     Protection
2    GigabitEthernet0/0/47       DESI  FORWARDING      NONE
2    GigabitEthernet0/0/48       DESI  FORWARDING      NONE
2    GigabitEthernet0/1/1        MAST  FORWARDING      NONE
2    GigabitEthernet0/1/2        ALTE  DISCARDING      NONE
[Image: topology]

Alarm Information

There is no alarm.

Handling Process

1. After checking the configurations, we found that the region configuration for instance 3 on the S5700 was different from that on the two core switches (CSW1 & CSW2):
a. CSW1
stp region-configuration
region-name RG1
revision-level 1
instance 1 vlan 5 10 15
instance 2 vlan 20 25 30
instance 3 vlan 500 to 501
active region-configuration
b. CSW2
stp region-configuration
region-name RG1
revision-level 1
instance 1 vlan 5 10 15
instance 2 vlan 20 25 30
instance 3 vlan 500 to 501
active region-configuration
c. S5700
stp region-configuration
region-name RG1
revision-level 1
instance 1 vlan 5 10 15
instance 2 vlan 20 25 30
instance 3 vlan 500
active region-configuration
2. This placed the S5700 in a different region, so it chose port 1 (ge0/1/1) as the master port to connect to the other MSTP region:
[s5700]dis stp ins 2 brief
MSTID  Port                        Role  STP State     Protection
2    GigabitEthernet0/0/47       DESI  FORWARDING      NONE
2    GigabitEthernet0/0/48       DESI  FORWARDING      NONE
2    GigabitEthernet0/1/1        MAST  FORWARDING      NONE
2    GigabitEthernet0/1/2        ALTE  DISCARDING      NONE
3. Add VLAN 501 to instance 3 on the S5700 and activate the region configuration; the port state then became OK.
instance 3 vlan 501
active region-configuration

Root Cause

The region configuration of another instance, instance 3, on the S5700 was different from that of the two core switches (CSW1 & CSW2).

Suggestions

An MSTP region is defined by four elements: Configuration Name, Revision Level, Configuration Identifier Format Selector, and the mapping of VIDs to spanning trees. If any one of them differs, the switches are in different MSTP regions.
When designing and deploying an MSTP network, pay attention to these elements.
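
The region check can be reproduced offline before a change is rolled out. The following is an added example, not part of the original case and not Huawei code: it parses the region configurations shown in the Handling Process and computes the MST Configuration Digest as IEEE 802.1Q defines it (HMAC-MD5 over the 4096-entry VID-to-instance table with the standard's fixed key). The function names are hypothetical, and the format selector is assumed to be 0 on all switches.

```python
import hashlib
import hmac

# Fixed HMAC-MD5 key defined by IEEE 802.1Q for the MST Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Region configurations copied from the case above (CSW1 and CSW2 are identical).
COMMON = "region-name RG1\nrevision-level 1\ninstance 1 vlan 5 10 15\ninstance 2 vlan 20 25 30\n"
CSW = COMMON + "instance 3 vlan 500 to 501\n"
S5700_BEFORE = COMMON + "instance 3 vlan 500\n"
S5700_AFTER = S5700_BEFORE + "instance 3 vlan 501\n"  # the fix from step 3

def parse_region(config):
    """Parse 'stp region-configuration' lines into (name, revision, {vid: mstid})."""
    name, revision, vid_to_mstid = "", 0, {}
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["region-name"]:
            name = words[1]
        elif words[:1] == ["revision-level"]:
            revision = int(words[1])
        elif words[:1] == ["instance"] and words[2:3] == ["vlan"]:
            mstid, vlans, i = int(words[1]), words[3:], 0
            while i < len(vlans):
                first = last = int(vlans[i])
                if vlans[i + 1:i + 2] == ["to"]:  # "500 to 501" is an inclusive range
                    last = int(vlans[i + 2])
                    i += 2
                for vid in range(first, last + 1):
                    vid_to_mstid[vid] = mstid
                i += 1
    return name, revision, vid_to_mstid

def region_identity(config):
    """Return (name, revision, digest) as compared between neighbouring bridges."""
    name, revision, vid_to_mstid = parse_region(config)
    # 4096 two-octet entries indexed by VID; unmapped VIDs stay in instance 0 (CIST).
    table = b"".join(vid_to_mstid.get(v, 0).to_bytes(2, "big") for v in range(4096))
    return name, revision, hmac.new(DIGEST_KEY, table, hashlib.md5).hexdigest()

def same_region(a, b):
    """True only if name, revision level and VLAN mapping digest all match."""
    return region_identity(a) == region_identity(b)

if __name__ == "__main__":
    print("before fix:", same_region(CSW, S5700_BEFORE))
    print("after fix: ", same_region(CSW, S5700_AFTER))
```

A single missing VLAN changes the digest, so comparing the three values across every switch that is meant to share a region catches this kind of drift before the port roles do.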

 


The user uses TACACS server authentication to log in to the S5700 but login always fails

Issue Description

The customer uses a TACACS server as the authentication method. After configuring it on the S5700 switch, he still cannot log in to the switch.

Alarm Information

None

Handling Process

First, checking the basic configuration, I find that the TACACS configuration on the S5700 is incomplete; some important configuration is missing, as follows:

aaa
authentication-scheme default
authentication-scheme test
authentication-mode hwtacacs
authorization-scheme default
authorization-scheme test               
authorization-mode hwtacacs
authorization-cmd 3 hwtacacs
authorization-cmd 15 hwtacacs
accounting-scheme default
accounting-scheme test
accounting-mode hwtacacs
domain default
domain default_admin

// There is no domain configured for HWTACACS authentication; one needs to be configured.

Then ask the customer to add the following domain configuration:

domain test
authentication-scheme test
authorization-scheme test
hwtacacs-server test

After adding the above configuration, the customer tested again, but login still failed. At this point, he found that the TACACS server showed the authentication as successful, as follows:

Troubleshooting Of MAC Flapping For S7703

Issue Description

eSight detects MAC flapping on the S7703.

Alarm Information

This is the screenshot of alarm from eSight:

[Image: eSight alarm screenshot]

Handling Process

1. MAC address flapping occurs in the following situations: a. Network cables of switches are connected incorrectly, or switches use incorrect configurations; b. Unauthorized users simulate the MAC address of a valid network device to attack the network. First, check the indicators: they were not flashing frequently. Second, collect interface information with the command display interface brief: the InUti and OutUti figures were very low. Third, collect spanning tree information with the command display stp: MSTP was enabled and the port settings were appropriate. These checks rule out a loop in the network as the root cause.
2. Check the output of display trapbuffer. The information about MAC flapping is as below:
#Oct 30 2014 14:28:02 S7703 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value.  (L2IfPort=0,entPhysicalIndex=0,  BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1,  MacAdd=1047-808a-e2f6,vlanid=99, FormerIfDescName=GigabitEthernet3/0/44, CurrentIfDescName=XGigabitEthernet1/0/0,DeviceName= S7703)
#Oct 30 2014 14:26:02 S7703 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The mac-address has flap value.  (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1,  MacAdd=1047-808a-e2f6,vlanid=99, FormerIfDescName=XGigabitEthernet1/0/0, CurrentIfDescName=GigabitEthernet3/0/44,DeviceName=SS7703)
From this information we found that only the MAC address 1047-808a-e2f6 was flapping, and that the switch learned it from interfaces XGE1/0/0 and GE3/0/44.
3. Identify which equipment the MAC address 1047-808a-e2f6 belongs to with the command display arp | in 1047-808a-e2f6:
<S7703>display arp | in 1047-808a-e2f6
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.0.99.44      1047-808a-e2f6  20        D-0/0       XGE1/0/0
10.0.99.45      1047-808a-e2f6  20        D-0/0       GE3/0/44
------------------------------------------------------------------------------
Total:326       Dynamic:305     Static:0     Interface:21
4. From the ARP table, the MAC address 1047-808a-e2f6 is mapped to both IP address 10.0.99.44 and 10.0.99.45, so two pieces of equipment have the same MAC address. Finally we found that the customer had changed the MAC address of one IA5000; this is the root cause.
5. Restore the MAC address of the IA5000 to the default value. The MAC flapping then disappeared.
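
Steps 2 to 4 can be automated when many alarms have to be triaged. The following is an added example, not part of the original case: it parses MAC_FLAPPING_ALARM trap lines and display arp rows and reports flapping MAC addresses that ARP maps to more than one IP address, which points to a duplicated or imitated MAC rather than a loop. The function names are hypothetical, and the sample lines are the ones from this case with unused trap fields shortened.

```python
import re
from collections import defaultdict

# Trap lines from step 2, shortened ("..." replaces fields not used here),
# and the two ARP rows from step 3.
TRAPS = [
    "#Oct 30 2014 14:28:02 S7703 L2IFPPI/4/MAC_FLAPPING_ALARM:OID ... (..., "
    "MacAdd=1047-808a-e2f6,vlanid=99, FormerIfDescName=GigabitEthernet3/0/44, "
    "CurrentIfDescName=XGigabitEthernet1/0/0,DeviceName= S7703)",
    "#Oct 30 2014 14:26:02 S7703 L2IFPPI/4/MAC_FLAPPING_ALARM:OID ... (..., "
    "MacAdd=1047-808a-e2f6,vlanid=99, FormerIfDescName=XGigabitEthernet1/0/0, "
    "CurrentIfDescName=GigabitEthernet3/0/44,DeviceName=SS7703)",
]
ARP = [
    "10.0.99.44      1047-808a-e2f6  20        D-0/0       XGE1/0/0",
    "10.0.99.45      1047-808a-e2f6  20        D-0/0       GE3/0/44",
]

TRAP_RE = re.compile(
    r"MAC_FLAPPING_ALARM.*?MacAdd=([0-9a-f-]+),\s*vlanid=(\d+),\s*"
    r"FormerIfDescName=([^,]+),\s*CurrentIfDescName=([^,]+),")
ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s")

def flapping_macs(trap_lines):
    """Map (mac, vlan) -> set of ports the address moved between."""
    ports = defaultdict(set)
    for line in trap_lines:
        m = TRAP_RE.search(line)
        if m:
            mac, vlan, former, current = m.groups()
            ports[(mac, int(vlan))].update({former.strip(), current.strip()})
    return dict(ports)

def ips_per_mac(arp_lines):
    """Map mac -> set of IP addresses that ARP resolves to it."""
    ips = defaultdict(set)
    for line in arp_lines:
        m = ARP_RE.match(line)
        if m:
            ips[m.group(2)].add(m.group(1))
    return dict(ips)

def duplicate_mac_suspects(trap_lines, arp_lines):
    """Flapping MACs seen behind more than one IP: likely two hosts sharing a MAC."""
    arp = ips_per_mac(arp_lines)
    return {mac: sorted(arp[mac]) for (mac, _vlan) in flapping_macs(trap_lines)
            if len(arp.get(mac, ())) > 1}
```

One MAC address behind several IP addresses can also be legitimate (a router or a multi-homed host), so a hit is a lead to verify on the devices, as step 4 does.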

Root Cause

Because of human factors, two pieces of equipment had the same MAC address. That caused the MAC flapping.

Suggestions

During troubleshooting, use different methods to narrow the range of possible root causes. That will be helpful for the work.

 

Contact information:

Telephone: 852-30623083
Email: Sales@Thunder-link.com
Supports@Thunder-link.com
Website: http://www.thunder-link.com

Web Interface Issue in S5700

Issue Description

I cannot open the web of S5700 E1 switch.

Alarm Information

<Quidway>dis current-configuration
#
!Software Version V200R001C00SPC300
sysname Quidway
#
undo http server enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$I6.ASV)hJET,p”Dn.YM%3aXO%$%$
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface GigabitEthernet0/1/1
#
interface GigabitEthernet0/1/2
#
interface GigabitEthernet0/1/3
#
interface GigabitEthernet0/1/4
#
interface NULL0
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$UiPSO)yB-6YQx9E`{T>),ULCz\p%F3dpkLR1uGXb}+|3$[RM%$%$
user-interface vty 0 4
user-interface vty 16 20
#
return
<Quidway>

Handling Process

<Quidway> system-view
[Quidway] http server load web_1.zip
Info: Load web file successfully.

Then you can run

[Quidway] http server enable

Root Cause

If you want to manage and maintain devices through a graphical user interface, you can configure the web network management function. When configuring the web network management function, if you want to update the loaded web page file, you can run the http server load command.

Suggestions

No

Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses From If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface

Issue Description

Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses From If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface?

Solution

When a user without a VLAN tag passes MAC address authentication, the user obtains an IP address from the VLAN matching the interface PVID. When a user with a VLAN tag passes MAC address authentication, the user obtains an IP address from the VLAN matching the VLAN tag.

If a user fails MAC address authentication, the user obtains an IP address from the guest VLAN on the interface through which the user accesses the network.


Why Ping Packets Especially Large Ping Packets Are Lost Sometimes?

Issue Description

FAQ-Why Ping Packets Especially Large Ping Packets Are Lost Sometimes?

Alarm Information

None

Handling Process

This problem is caused by the CPU protection mechanism. The CPU protection mechanism processes ICMP packets as follows:

The software limits the rate of ICMP packets.
The icmp rate-limit { total | interface interface-type interface-number [ to interface-number ] } threshold threshold-value command limits the rate of ICMP packets; by default the limit is 20 pps on each GE interface and 100 pps on the device. When the number of ICMP packets sent by an interface every second exceeds the rate threshold, the system delivers an ACL. The ACL discards all ICMP packets whose MAC address is the device's MAC address. After two minutes, the device is restored, and this process repeats. You can run the undo icmp rate-limit { total | interface interface-type interface-number [ to interface-number ] } command to cancel rate limiting.
The system limits the rate of ICMP packets sent to the CPU.
The rate limit of ICMP packets sent to the CPU is 128 kbit/s. Assume that the packet size is 1024 bytes. Only 16 packets can be sent to the CPU within 1 s, that is, one packet every 62.5 ms. If packets arrive more often than once every 62.5 ms, the excess packets are discarded. Assume that the packet size is 64 bytes. Only 256 packets can be sent to the CPU within 1 s, that is, one packet every 4 ms.

Root Cause

None

Suggestions

None
