Data Products Special Issue

Issue 2, 2013

Maintenance Experience
Bimonthly for Data Products No. 5 Issue 280, August, 2013

Preface
In this issue of ZTE's Maintenance Experience, we continue to pass on various field reports and resolutions that are gathered by ZTE engineers and technicians around the world. The content presented in this issue is ten cases of ZTE's Data Products. Have you examined your service policies and procedures lately? Are you confident that your people are using all the tools at their disposal? Are they trained to analyze each issue in a logical manner that provides for less downtime and maximum customer service? A close look at the cases reveals how to isolate suspected faulty or mis-configured equipment, and how to solve a problem step by step, etc. As success in commissioning and service is usually a mix of both discovery and analysis, we consider using this type of approach as an example of successful troubleshooting investigations. While corporate leaders maintain and grow plans for expansion, ZTE employees in all regions carry out with individual efforts towards internationalization of the company. Momentum continues to be built, in all levels, from office interns to veteran engineers, who work together to bring global focus into their daily work. If you would like to subscribe to this magazine (electronic version) or review additional articles and relevant technical materials concerning ZTE products, please visit the technical support website of ZTE CORPORATION (http://ensupport.zte.com.cn). If you have any ideas and suggestions or want to offer your contributions, you can contact us at any time via the following email: doc@zte.com.cn. Thank you for making ZTE a part of your telecom experience!

Maintenance Experience Editorial Committee

Director: Chen Jianzhou Deputy Director: Zeng Li Technical Senior Editors: Hu Jia, Tao Minjuan, Zhang Jianping,Zhu Xiaopei Executive Editor: Zhang Fan

Maintenance Experience Newsroom

Address: ZTE Plaza,No. 55, Hi-tech Road South, ShenZhen, P.R.China Postal code: 518057 Contact: Ning Jiating Tel: +86-755-26776049 Fax: +86-755-26772236 Document support Email: doc@zte.com.cn Technical support website: http://ensupport. zte.com.cn

Maintenance Experience Editorial Committee ZTE Corporation August , 2013

Contents

Rate Limit Configuration Through the Dual Token Bucket Algorithm on the ZXR10 10800E ...................2 Failure to Get Online Because an IP Host User Changes the IP Address and Related Configuration ..... 6 Troubleshooting Fault Due to User-side Attack on the T1200/M6000 BRAS ..........................................7 MPLS L3VPN Troubleshooting on the ZXR10 6804 ................................................................................. 10 Configuration for Connecting to a Private-Network WEB Server by Using a Public-Network Domain Name on the ZXR10 6808 ......................................................................................................................12 NAT Configuration and Analysis on the ZXR10 6800 .............................................................................15 NTP Synchronization Troubleshooting on the ZXR10 6804 ....................................................................18 PPPoE Dial-Up Service Failure When the ZXISAMv3.2.01.c Is Connected to the UAS10800E.............19 Solution for Disallowing Special Line Users Connected to the T1200 BRAS to Provide the FTP Service... 21 Alarm Messages Indicating That PPPoE Users Fail to Get Online on the ZXR10 T1200 .......................23 Troubleshooting of Password Loss Due to System Restart on the ZXR10 8902...................................24 Troubleshooting of Base Station Disconnection Due to a Loop in the L2 Network Connected to the ZXR10 8902............................................................................................................................................ 26 FAQ .......................................................................................................................................................28

Technical Special

Rate Limit Configuration Through the Dual Token Bucket Algorithm on the ZXR10 10800E
Ren Lanbing / ZTE Corporation

Abstract: This paper describes the token bucket principle, and rate limit configuration through the
dual token bucket algorithm.

Key words: BRAS, 10800E, token bucket, rate limit

BRAS Rate Limit Description

The ZXR10 10800E supports two BRAS

To configure a local rate limit policy, it is necessary to bind the policy in the user template of the domain. To distribute a policy name through RADIUS, no additional configuration is needed. (1) The dual token bucket algorithm is used for rate limit. The following describes some concepts: Assume that there are two token buckets, bucket C and bucket P. The rates of generating tokens in the buckets are different. The rate of bucket C is the Committed Information Rate (CRI), and the rate of bucket P is the Peak Information Rate (PIR). 1) CRI: the rate of generating tokens in bucket C, unit: kbps, range: 810000000. 2) Committed Burst Size (CBS): the size of bucket C, unit: bytes, range: 2000 ~ 512000000. 3) PIR: the rate of generating tokens in bucket P, unit: kbps, range: 8 ~ 10000000.

rate limit modes: configuring a rate limit policy locally, and distributing rate limit bandwidths through RADIUS. When rate limit policies are configured locally, only one policy can be bound in a domain. There are the following two modes of distributing bandwidths to dial-up users: Distributing a bandwidth value through a private attribute. It is unnecessary to configure a rate limit policy on the BRAS. Distributing a policy name through a private attribute. It is necessary to configure the corresponding rate limit policy on the BRAS. This paper describes the applications of configuring a local rate limit policy and distributing a policy name through RADIUS. In each application, it is necessary to configure a policy on the BRAS. The policy configuration procedures for the applications are the same.

Maintenance Experience Issue 280

Sincere Service

4) Peak Burst Size (PBS): the size of bucket P, unit: bytes, range: 2000 ~ 512000000. (2) Token bucket principle: Tokens are generated in a bucket at the defined rate. The bucket size can be configured. When the bucket is full, the number of tokens is not increased. When a packet is processed by the token bucket, if there are sufficient tokens in the bucket, the packet can be sent, and the number of tokens in the bucket is decreased. If there are insufficient tokens in the bucket, the packet is dropped. Buckets can be used to control traffic. When a bucket is full of tokens, the packets represented by the tokens can be sent. This ensures transmission of burst data. When there are no tokens in the bucket, packets cannot be sent. Only when new tokens are generated in the bucket, packets can be sent. The traffic rate must be smaller than or equal to the rate of generating tokens. In this way, traffic is limited.

PBS = 4 Mbits = 4096000 bit = (4096000/8) bytes = 512000 bytes, meaning the size of bucket P. The rate limit configuration on the BRAS

is as follows:
policy-map PPPOE a policy-map named PPPOE.*/ class class_default dial-up user default traffic /*Enter limit /*Create

configuration mode. The class name must be class_default.*/ police cir 2048 cbs 256000 pir 4096 pbs 512000 conform-action transmit exceed-action drop violate-action drop

Description: conform-action: the action (transmitting the packets, dropping the packets, or setting the priority) taken when the packet rate is smaller than the CIR. exceed-action: the action (transmitting the packets, dropping the packets, or setting the priority) taken when the packet rate is between the CIR and PIR. violate-action: the action (transmitting the packets, dropping the packets, or setting the priority) taken when the packet rate is greater than the PIR.

Configuration
If the users committed bandwidth is 2

MB, and the burst bandwidth is 4 MB, the configuration is as follows: CIR = 2048 Kbit/s, meaning 2 Mbps. CBS = 2 Mbits = 2048000 bits = (2048000/8) bytes = 256000 bytes, meaning the size of bucket C. PIR = 4096 Kbit/s, meaning 4 Mbps.

Conclusion
(1) A token bucket is an internal storage

pool of a network device. Tokens are virtual information packets generated in the bucket at the specified rate. Packets in the data queue are sent through tokens. After packets are sent, the used tokens are deleted.

Data Products Special Issue Issue 2, 2013

Technical Special

(2) The following rate policy configuration templates are configured on the BRAS during commissioning:
policy-map PPPOE-512K class class_default police cir 512 cbs 64000 pir 512 pbs 64000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-1M class class_default police cir 1024 cbs 128000 pir 1024 pbs 128000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-2M class class_default police cir 2048 cbs 256000 pir 2048 pbs 256000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-4M class class_default police cir 4096 cbs 512000 pir 4096 pbs 512000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-5M class class_default police cir 5120 cbs 640000 pir 5120 pbs 640000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-6M class class_default police cir 6144 cbs 768000 pir 6144 pbs 768000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-8M class class_default police cir 8192 cbs 1024000 pir 8192 pbs 1024000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-10M class class_default police cir 10240 cbs 1280000 pir 10240 pbs 1280000 conform-action transmit exceed-action drop violate-action drop !

Maintenance Experience Issue 280

Sincere Service policy-map PPPOE-20M class class_default police cir 20480 cbs 2560000 pir 20480 pbs 2560000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-30M class class_default police cir 1024 cbs 125000 pir 1024 pbs 125000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-40M class class_default police cir 40960 cbs 5120000 pir 40960 pbs 5120000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-50M class class_default police cir 51200 cbs 6400000 pir 51200 pbs 6400000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-100M class class_default police cir 102400 cbs 12500000 pir 102400 pbs 12500000 conform-action transmit exceed-action drop violate-action drop ! policy-map PPPOE-1000M class class_default police cir 1024000 cbs 125000000 pir 1024000 pbs 125000000 conform-action transmit exceed-action violate-action drop !

Data Products Special Issue Issue 2, 2013

Maintenance Instances

Failure to Get Online Because an IP Host User Changes the IP Address and Related Configuration
Sun Yan / ZTE Corporation

Abstract: This paper describes the troubleshooting procedure if a user cannot get online after the IP
host user changes the IP address. The cause is that the previous IP address still exists. After the connection established with the previous IP address is disconnected manually, the fault is resolved.

Key words: IP Host, M6000, address, ARP

Symptom
After an IP host user changes the IP

Fault Analysis
The probable causes are as follows: (1) The configuration related to the new

address, the previous IP address is deleted from the ARP table on the M6000, but the new IP address is not learned. The user fails to ping the gateway successfully with the IP address, so the user cannot get online.

IP address on the M6000 is incorrect. For example, the new IP address is not within the static IP address range, or the new IP address is not bound to the sub-interface. (2) The ARP learning function fails on the M6000, or the aging period is too long.

Solution
(1) Use the previous IP address, and

modify the address on the M6000 to the previous one. If the user can get online, this indicates that the fault is not caused by incorrect configuration. (2) Use the new IP address. The previous IP address is deleted from the ARP table. This indicates that the ARP learning function operates properly, and the aging period is
Figure 1. 6902 VRRP Active/Standby Network Topology

normal. Refresh the ARP table. However, the IP address is not learned.

Maintenance Experience Issue 280

Sincere Service

(3)

Execute

the

show

subscriber

re-configure the new IP address.

ip-host command. The command execution result shows that the creattime is the time when the user gets online with the previous IP address instead of the new IP address. This indicates that the connection established with the previous IP address still exists. (4) Disconnect the online user with the previous IP address compulsively, and then

Conclusion
The connection established with the

previous IP address still exists, which affects the application of the new IP address. It is necessary to disconnect the connection compulsively.

Troubleshooting Fault Due to User-side Attack on the T1200/M6000 BRAS

Chao Wenjun / ZTE Corporation

Abstract: This paper describes troubleshooting on the T1200/M6000 BRAS when a user-side attack
occurs.

Key words: T1200, M6000, BRAS, attack, drop, offline, rate limit

Symptom
On a BRAS device, users connected to a

specified type, and the rate of the packets exceeds the rate limit of the slot on the device. As a result, packets of the type sent by other users are dropped.

slot (such as users connected to different convergence switches) report various faults, for example, users are disconnected repeatedly, the network speed is slow, or users fail to get online.

Solution on the T1200

(1) For the ZXR10 T1200, check the

number of transmitted packets and dropped packets on the corresponding slot. The result is as follows:

Fault Analysis
The probable cause is a user-side attack.

A user sends a large amount of packets of a

Data Products Special Issue Issue 2, 2013

Maintenance Instances

T1200#show security statistic packet slot x packet type -----------uni ppp padi uni ppp lcp echo uni ppp control passed count -------------69017890 3096415341 441307366 dropped count ------------0 0 12829 received count -------------69017890 3096415341 441320195

PPP control packets: Packets sent after the PPPoE Discovery stage and before keep-alive packets are sent are PPP control packets. The result shows that PPP control packets are dropped. Therefore, the fault cause is that a user sends a large amount of PPP control packets, and then PPP control packets sent by other users are dropped. (2) Check the rate limits of different packets on the slot. The result is as follows:
T1200#show configuration security verbose packetlimit-slot x security slot: 3 300 600 600 packet-limit uni-ppp-padi packet-limit uni-ppp-lcp-echo packet-limit uni-ppp-control

The unit of rate limits is packet/s. The rate limits can be modified manually in accordance with the number of users on the slot. If the rate limits are too large, the device CPU may be affected. For the ZXR10 T1200, it is not recommended to modify the rate limits. Locate the user who sends a large amount of packets and then limit the user packets rate. (3) Execute the show security statistic mac-default-limit slot X command to locate the user with the most dropped packets (the user with the most dropped packets is the one who sends the most packets). The result is as follows:
T1200#show security statistic mac-default-limit slot X /*Execute the command for several times to locate the user whose number of packets increases fast.*/ MAC:4487.fcc7.8c51 MAC:c446.195d.76d1 MAC:0025.9ed4.1f48 Drop packets:13 Drop packets:5 Drop packets:14244

(4) After locating the user, configure rate limit based on the users MAC address. The configuration is as follows:
T1200(config)#bras T1200(config-bras)#security T1200(config-security)#permit mac 0025.9ed4.1f48 ctrl-rate x slot x

Maintenance Experience Issue 280

Sincere Service /*The ctrl-rate parameter means the rate limit, ranging from 0 through 20000 (unit: packet/s). The value 0 means no packets sent by the user are processed. For a PPPoE user, set the value to 15.*/

Solution on the M6000

(1) Check the number of the transmitted packets and the number of the dropped packets by

port on the ZXR10 M6000 (the numbers of packets can only be checked by slots on the T1200). The result is as follows:
M6000#show cps flow statistics interface gei-x/x/x/x /*Execute the command for several times to locate the user whose number of packets increases fast.*/ Flowtype igmp-default dhcp l2tp pppoe-session In-packets 2193 220802 0 13936 Upsend-packets 2193 220802 0 13936 Drop-packets 0 15426 0 0

The result shows that DHCP packets are dropped. Therefore, the fault cause is that a user sends a large amount of DHCP packets, and then DHCP packets sent by other users are dropped. (2) Check the rate limits of different packets on the slot. The result is as follows:
M6000#show cps flow rate-limit interface gei-x/x/x/x Interface gei-x/x/x/x gei-x/x/x/x gei-x/x/x/x gei-x/x/x/x Index 44 44 44 44 Flowtype igmp-default dhcp l2tp pppoe-session Rate 400 400 200 1000

The unit of rate limits is packet/s. (3) For the M6000, the CPU provides high performance. It is secure to modify the rate limits to greater values. For example, execute the following commands to modify the rate limit of DHCP packets to 800 packet/s:
M6000(config)#control-plane-security M6000(config-cps)#flow rate-limit 800 flowtype dhcp interface gei-x/x/x/x

Conclusion
If a lot of users are disconnected repeatedly, check whether packet attacks occur at the

BRAS side. You can troubleshoot the faults on the T1200 and M6000 BRAS devices in accordance the above solutions.

Data Products Special Issue Issue 2, 2013

Maintenance Instances

MPLS L3VPN Troubleshooting on the ZXR10 6804

Fan Xianglong / ZTE Corporation

Abstract: This paper describes troubleshooting of the L3VPN ping failure between routers connected
through virtual interfaces. The cause is that the MPLS function is not enabled on the virtual interfaces.

Key words: 6800, VPN, MPLS, multilink, virtual interface

Symptom

As shown in Figure 1, the MPLS VPN function is enabled on the ZXR10 6804 and ZXR10 6802. After configuration is completed, addresses in the VPN cannot be pinged successfully. In the network, the ZXR10 6804, ZXR10 6802 and H3C are connected through multilink virtual interfaces. Each virtual interface consists of four E1 interfaces.

Figure 1. Interconnections Among the ZXR10 6804, ZXR10 6802, and H3C

Fault Analysis

(1) Check the configuration. The result shows that OSPF and BGP operate properly on the routers, VPN routes are learned correctly, and the routers are MPLS LDP neighbors. However, destinations of the VPN routes cannot be pinged successfully.
ZXR10#show ip forwarding route vrf VPN3_NetMag IPv4 Routing Table: status codes: *valid, >best Dest *> 3.3.3.3/32 *> 10.19.81.0/24 Gw 3.3.3.3 10.252.0.181 Interface loopback4 multilink1 Owner address bgp Pri 0 200 Metric 0 0

10

Maintenance Experience Issue 280

Sincere Service *> 10.20.81.0/24 *> 10.20.81.3/32 10.20.81.3 10.20.81.3 gei-0/1.3 gei-0/1.3 direct address 0 0 0 0

ZXR10#ping vrf VPN3_NetMag 3.3.3.3 sending 5,100-byte ICMP echo(es) to 3.3.3.3,timeout is 2 second(s). !!!!! Success rate is 100 percent(5/5),round-trip min/avg/max= 17/18/19 ms. ZXR10#ping vrf VPN3_NetMag 10.20.81.3 sending 5,100-byte ICMP echo(es) to 10.20.81.3,timeout is 2 second(s). !!!!! Success rate is 100 percent(5/5),round-trip min/avg/max= 1/14/19 ms. ZXR10#ping vrf VPN3_NetMag 10.20.81.3 source 3.3.3.3 sending 5,100-byte ICMP echo(es) to 10.20.81.3,timeout is 2 second(s). !!!!! Success rate is 100 percent(5/5),round-trip min/avg/max= 15/18/19 ms. ZXR10#ping vrf VPN3_NetMag 10.19.81.3 source 3.3.3.3 sending 5,100-byte ICMP echo(es) to 10.19.81.3,timeout is 2 second(s). ..... Success rate is 0 percent(0/5). ZXR10#

(2) The VPN routes are normal, and the directly-connected devices can be pinged successfully. The probable cause is that the MPLS configuration is not applied. In accordance with the technical support, it is necessary to enable the MPLS function on the virtual interfaces.

Solution
After the following commands are executed on the devices, the fault is resolved:
ZXR10(config)#mpls interface ? ce1multilink Virtual_template Channelized E1 Multilink interface Virtual_template interface

ZXR10(config)#mpls interface multilink2 ZXR10(config)#mpls interface multilink1

Conclusion

On the ZXR10 6800, to enable the MPLS function on virtual interfaces (such as CE1 channelized interfaces, multilink interfaces, or L2TP VPN virtual interfaces), it is necessary to execute the mpls interface <interface-name> command on each virtual interface. If the command is not executed, LDP neighbors and labels are normal, but labeled packets cannot be forwarded.

Data Products Special Issue Issue 2, 2013

11

Maintenance Instances

Configuration for Connecting to a Private-Network WEB Server by Using a Public-Network Domain Name on the ZXR10 6808
Gao Feng / ZTE Corporation

Abstract: This paper describes the configuration for a private-network user to connect to a
private-network WEB server by using a public-network domain name.

Key words: 6800, NAT, WEB, domain name, static, dynamic, DNS

Network Topology and Requirements

In the network shown in Figure 1, an internal user requires to use a public-network domain

name to connect to the WEB server.

Figure 1. Network Topology

Configuration Commands
Method 1: Use static NAT and dynamic PAT. The NAT-related configuration on the ZXR10 6800 is as follows:

12

Maintenance Experience Issue 280

Sincere Service nat-pool n11 poolid 11 section 1 199.1.1.1 199.1.1.10 $ pat-pool p10 poolid 10 section 1 200.1.1.1 200.1.1.10 $ domain 1 1 type sr ipv4-issued static source rule-id 2 public 13.16.35.1 199.1.1.1 dynamic source rule-id 10 ipv4-list patacl1 permit pool p10 $ subscriber ipv4 public subscriber-id 1 nat-domain 1 interface gei-1/6 interface gei-2/1

Method 2: Use static PAT and dynamic PAT.

The NAT-related configuration on the ZXR10 6800 is as follows (only the configuration different from that in method 1):
domain 1 1 type sr ipv4-issued static source rule-id 2 public 13.16.35.1 80 200.1.1.1 80 tcp dynamic source rule-id 10 ipv4-list patacl1 permit pool p10

Description
If the configuration in method 1 is used, the results are as follows:
Result The host (17.71.1.1) can ping the WEB server (13.16.35.1) successfully. The host (17.71.1.1) can ping 199.1.1.1 successfully. The WEB server (13.16.35.1) can ping the host (17.71.1.1) successfully. The host user can access WEB pages by using IP address 199.1.1.1. The host user can access WEB pages by using the hh.hello.com domain name. The host user can access WEB pages by using the IP address 13.16.35.1. Description Dynamic PAT is used, so the source IP address in the returned packets is not translated. Static NAT is used. Either the private network address or public network address can ping 199.1.1.1 successfully. Static NAT is used.

Static NAT is used. Dynamic PAT is used in the DNS procedure. Static NAT is used to log in to the WEB server. Dynamic PAT is used.

Data Products Special Issue Issue 2, 2013

13

Maintenance Instances

If the configuration in method 2 is used, the results are as follows:

Result The host (17.71.1.1) can ping the WEB server (13.16.35.1) successfully. The WEB server (13.16.35.1) can ping the host (17.71.1.1) successfully. The host user can access WEB pages by using IP address 200.1.1.1. The host user can access WEB pages by using the zoe.guxi.com domain name. The host user can access WEB pages by using the IP address 13.16.35.1. Description Dynamic PAT is used.

Dynamic PAT is used.

Static PAT is used.

Static PAT is used.

Dynamic PAT is used.

Conclusion
Note that the private-network server and the private-network user must be in different

network segments.

14

Maintenance Experience Issue 280

Sincere Service

NAT Configuration and Analysis on the ZXR10 6800

Gao Feng / ZTE Corporation

Abstract: This paper describes NAT configuration, validation, and analysis on the ZXR10 6800. Key words: 6800, NAT, debug, ICMP, ACL

Network Topology
Figure 1 shows the network in which the NAT function is configured.

Figure1. NAT Configuration

Configuration Commands
Execute the following commands on the ZXR10 6800:
service 12/0 nat44 enable ipv4-access-list patacl1 rule 1 permit any exit cgn-pool n10 poolid 10 mode nat section 1 10.9.1.1 10.9.1.255 cgn-pool p2 poolid 2 mode pat section 1 2.3.2.0 2.3.2.25 domain 1 1 type sr ipv4-issued static source rule-id 1 public 27.1.1.1 10.9.1.1 dynamic source rule-id 1 ipv4-list patacl1 permit pool p2 $

Data Products Special Issue Issue 2, 2013

15

Maintenance Instances subscriber ipv4 public subscriber-id 1 nat-domain 1 interface gei-1/5.1 interface gei-1/3 .2

Solution
Perform the following tests to validate the configuration: ping 27.1.1.1 (the private-network server) from the headquarters. Execute the debug icmp command on a device in the headquarters. The result is as follows:
sending 5,100-byte ICMP echo(es) to 27.1.1.1,timeout is 2 second(s). !ZXR10 MPFU-5/0 2013-3-12 10:36:04 IP ICMP:sent type echo request, code IP ICMP:rcvd type echo reply, code 0, src 0, src

81.80.1.1, dst 27.1.1.1 ZXR10 MPFU-5/0 2013-3-12 10:36:04 27.1.1.1, dst 81.80.1.1

The result shows that the server can be pinged successfully, and the private-network address is not translated. Execute the debug icmp command on the server. The result is as follows:
ZXR10#ZXR10 MPFU-2/0 2013-3-12 10:36:04 src 2.3.2.63, dst 27.1.1.1 ZXR10 MPFU-2/0 2013-3-12 10:36:04 27.1.1.1, dst 2.3.2.63 IP ICMP:sent type echo reply, code 0, src IP ICMP:rcvd type echo request, code 0,

The result shows that the private-network address is translated. ping 81.80.1.1 (a private-network address) from the server.
IP ICMP:sent type echo request, code IP ICMP:rcvd type echo reply, code 0, src 0, src

Execute the debug icmp command on the server. The result is as follows:
ZXR10 MPFU-2/0 2013-3-12 10:47:55 27.1.1.1, dst 81.80.1.1 ZXR10 MPFU-2/0 2013-3-12 10:47:55 81.80.1.1, dst 27.1.1.1

The result shows that the server can ping the private network successfully, and the addresses are not translated. Execute the debug icmp command on a device in the headquarters. The result is as follows:
ZXR10#ZXR10 MPFU-5/0 2013-3-12 10:47:55 src 10.9.1.1, dst 81.80.1.1 ZXR10 MPFU-5/0 2013-3-12 10:47:55 81.80.1.1, dst 10.9.1.1 IP ICMP:sent type echo reply, code 0, src IP ICMP:rcvd type echo request, code 0,

The result shows that the address of the server is a public-network IP address. 16 ping 69.1.1.1 (a public-network address) from the server.

Maintenance Experience Issue 280

Sincere Service

Execute the debug icmp command on the server. The result is as follows:
ZXR10#ping 69.1.1.1 sending 5,100-byte ICMP echo(es) to 69.1.1.1,timeout is 2 second(s). ZXR10 MPFU-2/0 2013-3-12 10:52:24 27.1.1.1, dst 69.1.1.1 ZXR10 MPFU-2/0 2013-3-12 10:52:24 69.1.1.1, dst 27.1.1.1 IP ICMP:rcvd type echo reply, code 0, src IP ICMP:sent type echo request, code 0, src

Execute the debug icmp command on a public-network device. The result is as follows:
ZXR10#debug ip icmp ICMP debugging is on ZXR10# ZXR10 MPFU-5/0 2013-3-12 10:52:24 10.9.1.1, dst 69.1.1.1 ZXR10 MPFU-5/0 2013-3-12 10:52:24 69.1.1.1, dst 10.9.1.1 IP ICMP:sent type echo reply, code 0, src IP ICMP:rcvd type echo request, code 0, src

ping 10.9.1.1 (the public-network IP address of the server) from the public network.
IP ICMP:sent type echo request, code IP ICMP:rcvd type echo reply, code 0, src 0, src

Execute the debug icmp command on a public-network device. The result is as follows:
ZXR10 MPFU-5/0 2013-3-12 10:53:57 69.1.1.1, dst 10.9.1.1 ZXR10 MPFU-5/0 2013-3-12 10:53:57 10.9.1.1, dst 69.1.1.1

Execute the debug icmp command on the server. The result is as follows:
ZXR10 MPFU-2/0 2013-3-12 10:53:57 69.1.1.1, dst 27.1.1.1 ZXR10 MPFU-2/0 2013-3-12 10:53:57 27.1.1.1, dst 69.1.1.1 IP ICMP:sent type echo reply, code 0, src IP ICMP:rcvd type echo request, code 0, src

The tests show translation of addresses when a private-network device accesses the headquarters and the public network, and address translation when a device in the headquarters accesses the private network.

Conclusion
(1) To configure static NAT rules on the ZXR10 6800, it is unnecessary to configure an ACL. (2) On the ZXR10 6800, routing is performed before NAT. (3) The ZXR10 6800 does not support the ip nat outside command. Assume that packets are received on an interface configured with the NAT function on the

ZXR10 6800. NAT is performed when the packets are forwarded on another interface of the ZXR10 6800.

Data Products Special Issue Issue 2, 2013

17

Maintenance Instances

NTP Synchronization Troubleshooting on the ZXR10 6804

Xu XiaoGuang / ZTE Corporation

Abstract: This paper describes NTP synchronization troubleshooting on the ZXR10 6804. The cause is
that the MD5 authentication function is not configured on the NTP server.

Key words: 6800, NTP, synchronization, MD5, authentication

Symptom
NTP synchronization fails on the ZXR10

Clock is unsynchronized, stratum 16, no reference clock nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**6 reference time is d459ba49.f5c28f5c (09:03:05 Fri Nov 23 is 0.00 msec root dispersion is 0.00 msec, peer dispersion is 0.00 msec 2012 UTC)

6804.

Fault Analysis
(1) The ZXR10 6804 operates as the

clock offset is 0.00 msec, root delay

NTP client. Ensure that the ZXR10 6804 can ping the NTP server successfully. (2) Check whether the authentication function is enabled, and whether the passwords at both ends are the same. (3) If the configuration is correct, use the debugging function or capture packets to check whether NTP packets are sent and received properly.

The

result

shows

that

NTP

synchronization failed. (3) Execute the show running-config ntp command to check the NTP configuration:
!<ntp> ntp enable ntp authenticate ntp server 21.193.16.1 priority 1 key 1 ntp server 21.193.16.2 priority 2 key 1 ntp source ipv4 21.195.16.3 ntp authentication-key 1 md5 encrypted uMPUd8NZAs4pgdinQ/3kDw== ntp trusted-key 1

Solution
(1) Execute the ping command to verify

that the network between the ZXR10 6804 and NTP server operates properly. (2) Execute the show ntp status command on the ZXR10 6804 to check the NTP state. The result is as follows:

!</ntp>

The

result

shows

that

the

NTP

authentication function is enabled on the NTP

18

Maintenance Experience Issue 280

Sincere Service

client, and the key is encrypted by using the MD5 algorithm. (4) Check the configuration of the NTP server. The result is as follows:
! ntp server 21.193.16.1 priority 1 key 1 ntp server 21.193.16.2 priority 2 key 1 ntp source 21.195.16.1 ntp enable ntp authenticate ntp trusted-key 1 !

The result shows that the authentication key is not configured on the NTP server. (5) Execute the following command on the NTP server:
ntp authentication-key 1 md5 uMPUd8NZAs4pgdinQ/3kDw==

Conclusion
In general, NTP failures are caused by

incorrect configuration.

PPPoE Dial-Up Service Failure When the ZXISAMv3.2.01.c Is Connected to the UAS10800E
Peng Feng / ZTE Corporation

Abstract: This paper describes troubleshooting of a PPPoE dial-up service failure due to different
domain name formats in packets when the ZXISAMv3.2.01.c is connected to the UAS10800E.

Key words: ZXISAM, VRRP, active/standby switchover, VLAN, heartbeat line

Symptom
A PPPoE user fails to get online through

Fault Analysis
The ZXISAMv3.2.01.c has a special

the dial-up service. The client shows Error code 107: Services in the domain are not requested. The same alarm message is generated in the log information in the ZXISAM system.

requirement about the authentication domains for dial-up service users. Authentication domain names must be contained in dial-up service users packets. To resolve the fault, set the UAS10800E to carry domain names in

Data Products Special Issue Issue 2, 2013

19

Maintenance Instances

username, or set the UAS10800E to add domain names in usernames automatically. (1) Enter the D:/ZXISAM/LOG directory
4/22 19:28:59 CO-4000 status 4/22 19:28:59 CO-4000 status transform.

to

check the RADIUS log file named

platform1.log. The log information is as follows:

(212) user test begin login. (221) user test mac 00-18-F3-E2-85-3A, INIT to AUTHING

4/22 19:28:59 CO-4000 radauth*(160) can not find info in T_USER_Service SMS according username:test and domain:. first service's postfix:zte 4/22 19:28:59 CO-4000 authfai*( 63) Success to insert FailAuthRecord. 4/22 19:28:59 CO-4000 radauth*(124) -------------- Access reject Identifier Reply-Message = 25 = Error code 107: Services in the domain are not requested 94 ms 0 ms ( 47) timer handling takes ------------

4/22 19:28:59 CO-4000 radauth*(133) auth takes 4/22 19:29:01 CO-4044 timer

4/22 19:29:02 CO-3604 radauth*(214) Recv auth packet from1.1.1.1:6024 4/22 19:29:02 CO-672 radauth*( 54)

(2) The log information shows that the fault occurs because the username test is not bound to the authentication domain zte. However, username in the ZXISAM been system, to the the has bound

radius authentication-group 1 server 1 192.168.28.70 key zxisam port 1812 algorithm first timeout 3 max-retries 3 deadtime 0 calling-station-format 1 nas-port-id-format china-tel nas-ip-address1.1.1.1 user-name-format strip-domain /*Ignore authentication domain names for dial-up service users*/ vendor enable ! radius accounting-group 1 server 1 192.168.28.70 key zxisam port 1813 algorithm first timeout 3 max-retries 3 deadtime 0 calling-station-format 1 nas-port-id-format china-tel

authentication domain, so the configuration in the ZXISAM system is correct. There is no PPPoE configuration error on the UAS10800E. (3) In accordance with the requirements for dial-up service during users PPPoE in the dial-up ZXISAMv3.2.01.c, service

authentication,

authentication

domains must be contained in usernames, for example, test@zte. However, domain names are not contained in usernames. On the UAS10800E, the configuration about the RADIUS authentication group and RADIUS accounting group is as follows:

20

Maintenance Experience Issue 280

Sincere Service nas-ip-address1.1.1.1 user-name-format dial-up service users*/ vendor enable local-buffer enable interim-packet-quota 80 strip-domain /*Ignore authentication domain names for

requirement of the ZXISAMv3.2.01.c.

Solution
To resolve the fault, modify the

user-name-format strip-domain command to the user-name-format include-domain command in the RADIUS authentication group and RADIUS accounting group. In this way, when PPPoE users dial, only usernames are used. On the UAS10800E, authentication domain names are added to usernames automatically.

The configuration information shows that after PPPoE users send dial-up requests, the UAS10800E authentication automatically domain names removes from

usernames when transmitting the information to the RADIUS server. This does not meet the

Solution for Disallowing Special Line Users Connected to the T1200 BRAS to Provide the FTP Service
Tu Yong / ZTE Corporation

Abstract: This paper describes a solution for disallowing special line users connected to the T1200
BRAS to provide the FTP service.

Key words: T1200, BRAS, FTP, ip-host, ACL, VBUI

Requirement
To prevent special line users connected

to VBUI interfaces. To meet the requirement, ACL can be configured on uplink interfaces or VBUI interfaces on the T1200. However, users are located in multiple network segments. As a result, it is difficult to configure ACLs. If a large number of rules are defined, packet forwarding efficiency on interfaces is affected.
Data Products Special Issue Issue 2, 2013

to the BRAS from providing services that occupy network bandwidth, a carrier requires that special line users should be disallowed to provide the FTP service. On the BMSG T1200, special line users are IP-host users connected

21

Maintenance Instances

Solution
Configure a subscriber-template in a

accounting-group 1 alias xxx subscriber-template access-list-outside deny-port /*Bind the ACL named deny-port o the subscriber direction.*/ template in the outside

domain to define an ACL based on port numbers for special line users. To control a special line user, it is only necessary to configure the users domain name when an IP-host user is configured. The configuration procedure is as follows: (1) Execute the following commands to create an extended ACL:
acl extended name deny-port /*The name of the ACL is deny-port.*/ rule 1 deny tcp any any eq 20 rule 2 deny tcp any any eq 21 rule 3 permit ip any any

(3) Execute the following commands to configure an IP-host user, and bind the user to the domain:
interface vbuix interface which the /*Enter the VBUI access-disallowed

IP-host user is connected*/ ip host 10.26.1.3 slot 7 port 1 vlan 1 domain-name domain /*Create an IP-host user, and bind the user to the domain*/

(2) Execute the following commands to create a domain:

domain x */ none authentication-type /*No authentication*/ authentication-group 1 accounting-type /*No accounting*/ none

Conclusion
After the configuration is completed,

special line users are disallowed to provide FTP services.

22

Maintenance Experience Issue 280

Sincere Service

Alarm Messages Indicating That PPPoE Users Fail to Get Online on the ZXR10 T1200
Xie Jia / ZTE Corporation

Abstract: This paper describes command execution result of the show onlinefail command, and the
probable causes.

Key words: T1200, BRAS, PPPoE, dial-up, show onlinefail

Symptom
There are multiple methods of

the BRAS device, this alarm message is generated. (3) auth request timeout An authentication message times out because the BRAS device receives no successful authentication or authentication failure message returned by the RADISU device. The probable cause is that the return route is unreachable due to a route or connectivity fault between the BRAS device and RADIUS device. (4) Reject for Radius authentication fail! The RADIUS device rejects authentication. In general, the cause is that the username is locked on the RADIUS device. It is necessary to disconnect the user on the RADIUS device. (Usually, this fault occurs after service cutover.) (5) TOO MANY CONNECTIONS. There are too many user connections, so some users cannot be connected successfully. Check whether users cannot obtain resources for connections because the device CPU

troubleshooting faults that PPPoE users fail to get online. In general, you can execute the debug or radius-ping command. To locate causes quickly, you can execute the show onlinefail execution command. command. The following describes alarm messages in the command result of the show onlinefail

Command Execution Output Examples

(1) INVALID LOCATION If a user whose username is bound to an

interface, but the user does not dial on the bound interface, this alarm message is displayed. To resolve the fault, rebind the user on the RADIUS device. (2) Reject for IP assign fail After a user passes dial-up authentication, the BRAS device will allocate an IP address to the user. If no address pool is configured on

Data Products Special Issue Issue 2, 2013

23

Maintenance Instances

usage is high or there are attack packets on the network. (6) can't find user. The corresponding user cannot be located. The probable cause is: the username is incorrect, the username expires, or the user is in arrears. (7) User dial-in so soon. A user dials frequently. A default dialing interval is set to prevent attacks.

(8) user password error. A password is incorrect. The alarm message Receive packet vector invalid displayed after the radius-ping command is executed means that encryption check for an authentication response packet returned by the RADIUS device fails. This means that authentication configuration may be incorrect on the BRAS device or RADIUS device.

Troubleshooting of Password Loss Due to System Restart on the ZXR10 8902

Zhang Qiwen / ZTE Corporation

Abstract: This paper describes the troubleshooting procedure if a user is disconnected after the ZXR10
8902 switch is powered off and then restarted. The cause is that the OSPF authentication function is configured, but the configuration is not saved.

Key words: 8902, OSPF, restart, password, authentication

Symptom
In an office, the ZXR10 8902 switch

Fault Analysis
(1) Log in to the ZXR10 8902 through

operates as the gateway of a customer, and services are configured on the switch. The ZXR10 8902 is connected to the NE40 in the uplink, and OSPF is configured on the devices. After the ZXR10 8902 is powered off and then restarted, the services are interrupted.

Telnet, and then execute the show logging alarm command. No alarm information is displayed. (2) Execute the show ip ospf neighbor command. No information is displayed.
8902#show ip ospf neighbor 8902#

24

Maintenance Experience Issue 280

Sincere Service

(3) The OSPF authentication function is configured to improve security before the device is powered off. (4) Check configuration on the uplink interface. There is no configuration

relationship is normal, and the services are recovered.

8902#show ip ospf neighbor OSPF Neighbor ID 1 Router with Pri Interface FULL/DR vlan4094 ID State (61.133.253.253) (Process ID 1) DeadTime Address 202.100.159.23 00:00:38 61.133.253.5

information about OSPF authentication.

interface vlan 4094 ip address 10.10.253.6 255.255.255.252 out_index 75!

To improve security, it is necessary to configure the authentication function for dynamic routing protocols on the devices in the network. Engineers of the office configured the authentication function on the ZXR10 8902, but the configuration was not saved by executing the write command. After
61.133.253.6

Solution
(1) Execute the following commands to

re-configure the OSPF authentication type and password:

interface vlan 4094 ip address 255.255.255.252 out_index 75 ip message-digest ip ospf message-digest-key 1 md5 G7Oq84sk4l+2SbTlVhBtRQ== encrypt ! ospf authentication

the device is powered off and then restarted, the configuration is lost, and then the services are interrupted. After the OSPF authentication function is re-configured and the configuration is saved, the fault is resolved.

Conclusion
New-added configuration must be saved

(2) Execute the show ip ospf neighbor command. The result shows that the neighbor

promptly.

Data Products Special Issue Issue 2, 2013

25

Maintenance Instances

Troubleshooting of Base Station Disconnection Due to a Loop in the L2 Network Connected to the ZXR10 8902
Li Yong / ZTE Corporation

Abstract: This paper describes troubleshooting of the fault that base stations are disconnected. The
cause is that there is a loop in the network connected to the ZXR10 8902 switch that operates as the network gateway.

Key words: 8902, VRRP, loop, CPU, capture, SuperVLAN

Symptom
The ZXR10 8902 switch operates as a

ZXR10#show logging alarm alarm 16901 occurred %OAM% CPU load exceeds the highest threshold 75% MP(M) panel 1 current CPU load is: 98% sent by MEC 1

network gateway. The 2G and 3G base stations connected to the ZXR10 8902 are disconnected frequently. When the engineers log in to the ZXR10 8902 through Telnet and execute commands, the speed is low.

(3) Execute the following command to check information about MAC address move on the ZXR10 8902. The result shows that no MAC address move alarm is generated.
ZXR10(config)#mac mac-move enable logging-alarm

Fault Analysis
(1) Log in to the ZXR10 8902 through

(4)

Check

traffic

on

gei_2/19

and

Telnet, and check the device alarms. The OSPF connection between the device and a switch in the central office is frequently and irregularly disconnected. (2) The CPU usage of the unique NP card on the ZXR10 8902 is higher than 80%. The main processor usage of the active MPU board is about 80%. There may be a loop in the network.

gei_2/20 connected to downlink devices on the ZXR10 8902. Packets are normal, and broadcast packets and multicast packets do not increase fast. (5) Disable gei_2/20 (the out-of-band management interface) connected to a downlink L2 network device. interface. (6) Disable gei_2/19 (the service interface) connected to a downlink L2 network The fault

symptom remains unchanged. Enable the

26

Maintenance Experience Issue 280

Sincere Service

device. The fault symptom is cleared. The CPU usage of the NP card and MP usage of the active MPU board become normal. There must be a large number of protocol packets sent to gei_2/19, which results in high CPU usage and MP usage.
ARP Packet on NPC: 2 OP SND_MAC 1 1 1 1 1 1 SND_IP DST_MAC DST_IP

(7) When gei_2/19 is enabled, execute the capture command to capture packets forwarded to the CPU of the line card.
ZXR10(config)#capture readspeed 10 npc 2

The following information is obtained:

DIR Port 19 19 19 19 19 19

0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 SND_IP DST_MAC

0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX DST_IP DIR Port

ARP Packet on NPC: 2 OP SND_MA 1 1 1 1 1 1 1 1 1 1 1 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 0000.5e00.0101 10.127.76.129 SRC_IP 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 0000.0000.0000 255.255.255.255 RX 19 19 19 19 19 19 19 19 19 19 19

IP Packet on NPC: 2 ProType DST_IP VRRP VRRP VRRP VRRP VRRP VRRP VRRP VRRP VRRP VRRP VRRP VRRP 224.0.0.18 224.0.0.18 224.0.0.18 224.0.0.18 224.0.0.18 224.0.0.18 224.0.0.18 224.0.0.18 224.0.0.18 224.0.0.18 224.0.0.18 224.0.0.18 OVID IVID TTL PRO SRCPN DSTPN DIR Port 1155 NULL 255 112 NULL 1154 NULL 255 112 NULL 1153 NULL 255 112 NULL 1152 NULL 255 112 NULL 1151 NULL 255 112 NULL 1150 NULL 255 112 NULL 1149 NULL 255 112 NULL 1148 NULL 255 112 NULL 1147 NULL 255 112 NULL 1146 NULL 255 112 NULL 1145 NULL 255 112 NULL 1144 NULL 255 112 NULL NULL RX NULL RX NULL RX NULL RX NULL RX NULL RX NULL RX NULL RX NULL RX NULL RX NULL RX NULL RX 19 19 19 19 19 19 19 19 19 19 19 19 10.127.76.129 10.127.76.129 10.127.76.129 10.127.76.129 10.127.76.129 10.127.76.129 10.127.76.129 10.127.76.129 10.127.76.129 10.127.76.129 10.127.76.129 10.127.76.129

Data Products Special Issue Issue 2, 2013

27

Maintenance Instances

The information shows that a large number of ARP packets and VRRP packets are received on gei_2/19. In accordance with the configuration, the source addresses of the packets are the IP address of a SuperVLAN interface configured on the ZXR10 8902. The VRRP function is configured on the SuperVLAN interface. The OVIDs are the same as those of SubVLANs configured in the SuperVLAN. The SuperVLAN operates as the gateway of the frequently-disconnected base

stations connected to gei_2/19. There must be a loop in the network connected to gei_2/19. Protocol packets sent from gei_2/19 are received on gei_2/19, so the CPU usage of the line card is high, the OSPF connection is disconnected, and the base stations are disconnected.

Solution
The fault is resolved after the loop is

removed.

FAQ
Question: What Are the Differences Between Address Translation and Address Proxy? Answer:
The address translation and address proxy technologies provide the function for using private network addresses to access the Internet. The locations of the address translation and address proxy technologies in the TCP/IP stack are different: The address translation function operates at the network layer. The address proxy function operates at the application layer. Address translation is invisible for applications. To configure address proxy, the IP address of a proxy server must be specified for applications. For example, to access Web pages through address translation, it is unnecessary to perform any setting in a browser. To access Web pages through address proxy, it is necessary to set the IP address of the specified proxy server in a browser. If the proxy server supports HTTP only, only web servers can be accessed through the proxy server, and the FTP service is unavailable. Compared with address proxy, address translation provides higher extensibility,

28

Maintenance Experience Issue 280

Sincere Service

because it is unnecessary to application types.

consider

and passwords. Address proxy supports authentication, and only the users passing authentication based on usernames and passwords can access the Internet.

However, address translation does not support authentication based on usernames

Question: When the M6000 Operates as a BAS and Is Configured With the NAT44 Function, How Are Ports Allocated to Users?

Answer:
When the ZXR10 M6000 is configured with the NAT444 function, ports can be allocated to users dynamically or statically. (1) Dynamic mode: After a user dials and gets online, an initial number of ports are allocated to the user. The configuration is as follows:
cgn-pool test poolid 1 pool-type port-range 128

In accordance with the configuration, 1-128 ports are allocated to the user. If the ports allocated to the user are insufficient, the ZXR10 M6000 increases the number of ports. ZXR10 M6000 increases 128 ports at a time, and generates the corresponding log. (2) Static mode: After a user dials and gets online, the ZXR10 allocates a fixed number of ports to the user. If the ports are insufficient, the ZXR10 M6000 does not increase the ports.

Question: On the ZXR10 T1200, How Many Gateway Addresses and Secondary IP Addresses Can Be Configured in a SuperVLAN? Answer:
A maximum of 1 gateway address and 129 secondary IP addresses can be configured.

Question: How to Configure an ACL on the ZXR10 8900 to Match PPPoE Packets? Answer:
The ZXR10 8900 does not provide the corresponding ACL rules to limit pppoe-data or pppoe-control packets. The packets can be limited in another way. For pppoe-data packets, the Ethernet code is 0x8863, and 34915 in decimal. For pppoe-control packets, the Ethernet code is 0x8864, and 34916 in decimal.

Data Products Special Issue Issue 2, 2013

29

FAQ

You can define the following rules in an ACL to match PPPoE packets:
acl link name shutdown rule 1 deny 34915 ingress an egress any time-range shutdown rule 2 deny 34916 ingress an egress any time-range shutdown

Question: The ZXR10 8905 Is Connected to the NE40E in the Uplink, and the Devices Run IBGP. The maximum-paths 8 Command Is Configured in BGP, but Traffic Is Not Shared. Why? Answer:
Two commands can be executed on the ZXR10 8905 for BGP load sharing: maximum-paths 8 and maximum-paths ibgp 8. The maximum-paths 8 command is valid for EBGP, and the maximum-paths ibgp 8 command is valid for IBGP. In the current network, the devices are IBGP neighbors, so the maximum-paths igbp 8 command should be configured.

Question: How to Handle a COS2 or COS6 Alarm on a Switch? Answer:

On a switch, COS2 packets are ICMP packets or ARP packets. It is recommended that you capture packets for analysis, and isolate the packet source in accordance with the IP address or MAC address. COS6 packets are protocol packets, such as OSPF, BGP, IGMP, or PIM-SM protocol packets. The COS6 packets affect the device. An alarm example is as follows:
An alarm 29440 level 6 occurred at 07:32:58 12/14/2010 UTC sent by NPC 1 %MUX% the CPU port COS6 enters hold state

The

alarm

means

that

the

device

receives a lot of packets from the COS6 queue. You must capture packets to check which type of packets is forwarded to the CPU. In general, abnormal protocol packets are forwarded to the CPU.

30

Maintenance Experience Issue 280

Sincere Service

Question: What Should Be Noted When the VPLS Service Is Configured Crossing H Line Cards on the ZXR10 G Series, ZXR106900 Series and ZXR10 8900 Series Switches? Answer:
To configure the VPLS service (only for VLS) crossing two H line cards, it is necessary to execute the config fabric vpls enable command. If this command is not executed, MAC addresses can be learned, but communication is abnormal.

Question: How to Increase the Forwarding Bandwidth Between Boards on the ZXR10 8900?

Answer:
Data forwarded between boards on the ZXR10 8900 uses the MPU backplane bandwidth. The communication bandwidth between an MPU board and a card is 12 Gbps. If the bandwidth needed to forward data exceeds 12 Gbps, the forwarding performance is affected. When both the active and standby MPU boards are installed, you can execute the crossbar loadbalance command in global configuration mode to use the backplane bandwidth of the standby MPU, so that the forwarding bandwidth between boards is increased to 24 Gbps.

Question: On the ZXR10 8908, How to Bind an IP Address to a MAC Address? Answer:
To bind an IP address to a MAC address, run the set arp permanent/static command in VLAN interface configuration mode. To release binding, run the clear arp command in privileged mode. Note: Static ARP entries are not written to the disk, and not displayed in the show run command execution result. The static ARP entries can only be displayed by executing the show mac command. To write ARP entries to the disk, configure permanent ARP entries.

Data Products Special Issue Issue 2, 2013

31

Address: ZTE Plaza, No.55, Hi-tech Road South, Shenzhen, P.R.China Post code: 518057 Customer Support Hotline: +86-755-26771900 Tel:+86-755-26776049 Fax: +86-755-26772236 Customer Support Email: doc@zte.com.cn Technical Support Website: http://ensupport.zte.com.cn Publication Date: August 23, 2013