Issue 2, 2013
Maintenance Experience
Bimonthly for Data Products No. 5 Issue 280, August, 2013
Preface
In this issue of ZTE's Maintenance Experience, we continue to pass on various field reports and resolutions that are gathered by ZTE engineers and technicians around the world. The content presented in this issue is ten cases of ZTE's Data Products. Have you examined your service policies and procedures lately? Are you confident that your people are using all the tools at their disposal? Are they trained to analyze each issue in a logical manner that provides for less downtime and maximum customer service? A close look at the cases reveals how to isolate suspected faulty or mis-configured equipment, and how to solve a problem step by step, etc. As success in commissioning and service is usually a mix of both discovery and analysis, we consider using this type of approach as an example of successful troubleshooting investigations. While corporate leaders maintain and grow plans for expansion, ZTE employees in all regions carry out with individual efforts towards internationalization of the company. Momentum continues to be built, in all levels, from office interns to veteran engineers, who work together to bring global focus into their daily work. If you would like to subscribe to this magazine (electronic version) or review additional articles and relevant technical materials concerning ZTE products, please visit the technical support website of ZTE CORPORATION (http://ensupport.zte.com.cn). If you have any ideas and suggestions or want to offer your contributions, you can contact us at any time via the following email: doc@zte.com.cn. Thank you for making ZTE a part of your telecom experience!
Contents
Rate Limit Configuration Through the Dual Token Bucket Algorithm on the ZXR10 10800E .......... 2
Failure to Get Online Because an IP Host User Changes the IP Address and Related Configuration .......... 6
Troubleshooting Fault Due to User-side Attack on the T1200/M6000 BRAS .......... 7
MPLS L3VPN Troubleshooting on the ZXR10 6804 .......... 10
Configuration for Connecting to a Private-Network WEB Server by Using a Public-Network Domain Name on the ZXR10 6808 .......... 12
NAT Configuration and Analysis on the ZXR10 6800 .......... 15
NTP Synchronization Troubleshooting on the ZXR10 6804 .......... 18
PPPoE Dial-Up Service Failure When the ZXISAMv3.2.01.c Is Connected to the UAS10800E .......... 19
Solution for Disallowing Special Line Users Connected to the T1200 BRAS to Provide the FTP Service .......... 21
Alarm Messages Indicating That PPPoE Users Fail to Get Online on the ZXR10 T1200 .......... 23
Troubleshooting of Password Loss Due to System Restart on the ZXR10 8902 .......... 24
Troubleshooting of Base Station Disconnection Due to a Loop in the L2 Network Connected to the ZXR10 8902 .......... 26
FAQ .......... 28
Technical Special
Rate Limit Configuration Through the Dual Token Bucket Algorithm on the ZXR10 10800E
Ren Lanbing / ZTE Corporation
Abstract: This paper describes the token bucket principle, and rate limit configuration through the dual token bucket algorithm.
There are two rate limit modes: configuring a rate limit policy locally, and distributing rate limit bandwidths through RADIUS. When rate limit policies are configured locally, only one policy can be bound in a domain. There are two modes of distributing bandwidths to dial-up users: distributing a bandwidth value through a private attribute (it is unnecessary to configure a rate limit policy on the BRAS), and distributing a policy name through a private attribute (it is necessary to configure the corresponding rate limit policy on the BRAS). This paper describes the applications of configuring a local rate limit policy and distributing a policy name through RADIUS. In each application, it is necessary to configure a policy on the BRAS. The policy configuration procedures for the two applications are the same. To configure a local rate limit policy, it is necessary to bind the policy in the user template of the domain. To distribute a policy name through RADIUS, no additional configuration is needed.
(1) The dual token bucket algorithm is used for rate limit. The following describes some concepts. Assume that there are two token buckets, bucket C and bucket P. The rates of generating tokens in the buckets are different. The rate of bucket C is the Committed Information Rate (CIR), and the rate of bucket P is the Peak Information Rate (PIR).
1) CIR: the rate of generating tokens in bucket C, unit: kbps, range: 8 ~ 10000000.
2) Committed Burst Size (CBS): the size of bucket C, unit: bytes, range: 2000 ~ 512000000.
3) PIR: the rate of generating tokens in bucket P, unit: kbps, range: 8 ~ 10000000.
Sincere Service
4) Peak Burst Size (PBS): the size of bucket P, unit: bytes, range: 2000 ~ 512000000.
(2) Token bucket principle: Tokens are generated in a bucket at the defined rate. The bucket size can be configured. When the bucket is full, the number of tokens is not increased. When a packet is processed by the token bucket, if there are sufficient tokens in the bucket, the packet can be sent, and the number of tokens in the bucket is decreased. If there are insufficient tokens in the bucket, the packet is dropped. Buckets can be used to control traffic. When a bucket is full of tokens, the packets represented by the tokens can be sent. This ensures transmission of burst data. When there are no tokens in the bucket, packets cannot be sent; only when new tokens are generated in the bucket can packets be sent. The traffic rate must therefore be smaller than or equal to the rate of generating tokens. In this way, traffic is limited.
Configuration
If the user's committed bandwidth is 2 MB, and the burst bandwidth is 4 MB, the configuration is as follows:
CIR = 2048 Kbit/s, meaning 2 Mbps.
CBS = 2 Mbits = 2048000 bits = (2048000/8) bytes = 256000 bytes, meaning the size of bucket C.
PIR = 4096 Kbit/s, meaning 4 Mbps.
PBS = 4 Mbits = 4096000 bits = (4096000/8) bytes = 512000 bytes, meaning the size of bucket P.
The rate limit configuration on the BRAS is as follows:
policy-map PPPOE    /*Create a policy-map named PPPOE.*/
 class class_default    /*Enter dial-up user default traffic limit configuration mode. The class name must be class_default.*/
  police cir 2048 cbs 256000 pir 4096 pbs 512000 conform-action transmit exceed-action drop violate-action drop
Description:
conform-action: the action (transmitting the packets, dropping the packets, or setting the priority) taken when the packet rate is smaller than the CIR.
exceed-action: the action (transmitting the packets, dropping the packets, or setting the priority) taken when the packet rate is between the CIR and PIR.
violate-action: the action (transmitting the packets, dropping the packets, or setting the priority) taken when the packet rate is greater than the PIR.
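The following Python model is added here as a worked example; it is not code from the article or from ZTE's BRAS software. It implements the dual token bucket described in the concept list above with the police parameters of this configuration (cir 2048, cbs 256000, pir 4096, pbs 512000) and the conform/exceed/violate actions. It assumes both buckets start full, tracks time in milliseconds, and classifies constructed packet streams so the effect of CBS and PBS on a burst can be seen.

```python
"""Dual token bucket (two-rate) policer, added here as an example.

Bucket C fills at the CIR and holds at most CBS bytes; bucket P fills at the
PIR and holds at most PBS bytes. A packet that fits in both buckets conforms,
one that fits only in bucket P exceeds, and one that fits in neither violates.
Tokens are kept as exact fractions and time in milliseconds, so runs are reproducible.
"""
from fractions import Fraction

RATE_RANGE_KBPS = (8, 10_000_000)         # CIR/PIR range from the concept list above
BURST_RANGE_BYTES = (2000, 512_000_000)   # CBS/PBS range from the concept list above


class DualTokenBucket:
    def __init__(self, cir, cbs, pir, pbs,
                 conform_action="transmit", exceed_action="drop", violate_action="drop"):
        for rate in (cir, pir):
            if not RATE_RANGE_KBPS[0] <= rate <= RATE_RANGE_KBPS[1]:
                raise ValueError(f"rate {rate} kbps outside {RATE_RANGE_KBPS}")
        for burst in (cbs, pbs):
            if not BURST_RANGE_BYTES[0] <= burst <= BURST_RANGE_BYTES[1]:
                raise ValueError(f"burst {burst} bytes outside {BURST_RANGE_BYTES}")
        if pir < cir or pbs < cbs:
            raise ValueError("bucket P must be at least as fast and as large as bucket C")
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.actions = {"conform": conform_action, "exceed": exceed_action, "violate": violate_action}
        self.tokens_c = Fraction(cbs)   # assumption: both buckets start full
        self.tokens_p = Fraction(pbs)
        self.last_ms = 0

    def _refill(self, now_ms):
        """Add the tokens generated since the last packet, never beyond the bucket size."""
        if now_ms < self.last_ms:
            raise ValueError("packet timestamps must not go backwards")
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        # 1 kbit/s = 1000 bit/s = 125 byte/s = 1/8 byte per millisecond.
        self.tokens_c = min(Fraction(self.cbs), self.tokens_c + Fraction(elapsed * self.cir, 8))
        self.tokens_p = min(Fraction(self.pbs), self.tokens_p + Fraction(elapsed * self.pir, 8))

    def classify(self, size, now_ms):
        """Two-rate marking: violate consumes nothing, exceed consumes P only, conform consumes both."""
        self._refill(now_ms)
        if self.tokens_p < size:
            return "violate"
        if self.tokens_c < size:
            self.tokens_p -= size
            return "exceed"
        self.tokens_c -= size
        self.tokens_p -= size
        return "conform"

    def police(self, size, now_ms):
        colour = self.classify(size, now_ms)
        return colour, self.actions[colour]


def stream(size, interval_ms, count, start_ms=0):
    """Constructed traffic: `count` packets of `size` bytes, one every `interval_ms` (0 = all at once)."""
    return [(start_ms + i * interval_ms, size) for i in range(count)]


def simulate(policer, packets):
    """Run (time_ms, size) packets through the policer; return colour counts and bytes transmitted."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    transmitted = 0
    for t_ms, size in packets:
        colour, action = policer.police(size, t_ms)
        counts[colour] += 1
        if action == "transmit":
            transmitted += size
    return counts, transmitted


def pppoe_policy():
    """The policy configured above: cir 2048 cbs 256000 pir 4096 pbs 512000, transmit/drop/drop."""
    return DualTokenBucket(cir=2048, cbs=256000, pir=4096, pbs=512000)


if __name__ == "__main__":
    # 400 frames of 1500 bytes arriving at once: CBS admits 170, PBS a further 171, the rest violate.
    print(simulate(pppoe_policy(), stream(1500, 0, 400)))
    # One 1500-byte frame every 6 ms is 2 Mbit/s, within the CIR: everything conforms.
    print(simulate(pppoe_policy(), stream(1500, 6, 100)))
    # One frame every 3 ms is exactly the PIR: bucket C drains, then conform and exceed alternate.
    print(simulate(pppoe_policy(), stream(1500, 3, 360)))
```

With exceed-action set to drop, as in the configuration above, the only bytes that leave the policer are the conforming ones, so the PBS burst allowance is counted but never transmitted; changing exceed_action to "transmit" is what turns PIR into a real peak rate.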
Conclusion
(1) A token bucket is an internal storage pool of a network device. Tokens are virtual information packets generated in the bucket at the specified rate. Packets in the data queue are sent through tokens. After packets are sent, the used tokens are deleted.
(2) The following rate policy configuration templates are configured on the BRAS during commissioning:
policy-map PPPOE-512K
 class class_default
  police cir 512 cbs 64000 pir 512 pbs 64000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-1M
 class class_default
  police cir 1024 cbs 128000 pir 1024 pbs 128000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-2M
 class class_default
  police cir 2048 cbs 256000 pir 2048 pbs 256000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-4M
 class class_default
  police cir 4096 cbs 512000 pir 4096 pbs 512000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-5M
 class class_default
  police cir 5120 cbs 640000 pir 5120 pbs 640000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-6M
 class class_default
  police cir 6144 cbs 768000 pir 6144 pbs 768000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-8M
 class class_default
  police cir 8192 cbs 1024000 pir 8192 pbs 1024000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-10M
 class class_default
  police cir 10240 cbs 1280000 pir 10240 pbs 1280000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-20M
 class class_default
  police cir 20480 cbs 2560000 pir 20480 pbs 2560000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-30M
 class class_default
  police cir 1024 cbs 125000 pir 1024 pbs 125000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-40M
 class class_default
  police cir 40960 cbs 5120000 pir 40960 pbs 5120000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-50M
 class class_default
  police cir 51200 cbs 6400000 pir 51200 pbs 6400000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-100M
 class class_default
  police cir 102400 cbs 12500000 pir 102400 pbs 12500000 conform-action transmit exceed-action drop violate-action drop
!
policy-map PPPOE-1000M
 class class_default
  police cir 1024000 cbs 125000000 pir 1024000 pbs 125000000 conform-action transmit exceed-action violate-action drop
!
Maintenance Instances
Failure to Get Online Because an IP Host User Changes the IP Address and Related Configuration
Sun Yan / ZTE Corporation
Abstract: This paper describes the troubleshooting procedure if a user cannot get online after the IP host user changes the IP address. The cause is that the previous IP address still exists. After the connection established with the previous IP address is disconnected manually, the fault is resolved.
Symptom
After an IP host user changes the IP address, the previous IP address is deleted from the ARP table on the M6000, but the new IP address is not learned. The user fails to ping the gateway successfully with the IP address, so the user cannot get online.
Fault Analysis
The probable causes are as follows:
(1) The configuration related to the new IP address on the M6000 is incorrect. For example, the new IP address is not within the static IP address range, or the new IP address is not bound to the sub-interface.
(2) The ARP learning function fails on the M6000, or the aging period is too long.
Solution
(1) Use the previous IP address, and modify the address on the M6000 to the previous one. If the user can get online, this indicates that the fault is not caused by incorrect configuration.
(2) Use the new IP address. The previous IP address is deleted from the ARP table. This indicates that the ARP learning function operates properly, and the aging period is normal. Refresh the ARP table. However, the IP address is not learned.
Figure 1. 6902 VRRP Active/Standby Network Topology
Sincere Service
(3) Execute the show subscriber ip-host command. The command execution result shows that the creattime is the time when the user gets online with the previous IP address instead of the new IP address. This indicates that the connection established with the previous IP address still exists.
(4) Disconnect the online user with the previous IP address compulsively, and then
Conclusion
The connection established with the previous IP address still exists, which affects the application of the new IP address. It is necessary to disconnect the connection compulsively.
Troubleshooting Fault Due to User-side Attack on the T1200/M6000 BRAS
Abstract: This paper describes troubleshooting on the T1200/M6000 BRAS when a user-side attack occurs.
Key words: T1200, M6000, BRAS, attack, drop, offline, rate limit
Symptom
On a BRAS device, users connected to a slot (such as users connected to different convergence switches) report various faults, for example, users are disconnected repeatedly, the network speed is slow, or users fail to get online.
Fault Analysis
The probable cause is a user-side attack. A user sends a large amount of packets of a specified type, and the rate of the packets exceeds the rate limit of the slot on the device. As a result, packets of the type sent by other users are dropped.
Solution
On the ZXR10 T1200, perform the following steps:
(1) Check the number of transmitted packets and dropped packets on the corresponding slot. The result is as follows:
T1200#show security statistic packet slot x
packet type          passed count     dropped count    received count
-----------          ------------     -------------    --------------
uni ppp padi         69017890         0                69017890
uni ppp lcp echo     3096415341       0                3096415341
uni ppp control      441307366        12829            441320195
PPP control packets: Packets sent after the PPPoE Discovery stage and before keep-alive packets are sent are PPP control packets. The result shows that PPP control packets are dropped. Therefore, the fault cause is that a user sends a large amount of PPP control packets, and then PPP control packets sent by other users are dropped. (2) Check the rate limits of different packets on the slot. The result is as follows:
T1200#show configuration security verbose packetlimit-slot x
security slot: 3
 packet-limit uni-ppp-padi 300
 packet-limit uni-ppp-lcp-echo 600
 packet-limit uni-ppp-control 600
The unit of rate limits is packet/s. The rate limits can be modified manually in accordance with the number of users on the slot. If the rate limits are too large, the device CPU may be affected. For the ZXR10 T1200, it is not recommended to modify the rate limits. Instead, locate the user who sends a large amount of packets and then limit that user's packet rate.
(3) Execute the show security statistic mac-default-limit slot X command to locate the user with the most dropped packets (the user with the most dropped packets is the one who sends the most packets). The result is as follows:
T1200#show security statistic mac-default-limit slot X    /*Execute the command several times to locate the user whose number of packets increases fast.*/
MAC:4487.fcc7.8c51    Drop packets:13
MAC:c446.195d.76d1    Drop packets:5
MAC:0025.9ed4.1f48    Drop packets:14244
(4) After locating the user, configure a rate limit based on the user's MAC address. The configuration is as follows:
T1200(config)#bras
T1200(config-bras)#security
T1200(config-security)#permit mac 0025.9ed4.1f48 ctrl-rate x slot x
/*The ctrl-rate parameter means the rate limit, ranging from 0 through 20000 (unit: packet/s). The value 0 means no packets sent by the user are processed. For a PPPoE user, set the value to 15.*/
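As an added example, not code from the article or from ZTE, the following Python applies steps (1) and (3) to command output laid out like the two show commands above: it finds which packet type is being dropped, checks that the counters add up, and compares two runs of the mac-default-limit command to find the MAC whose drop counter grows fastest. The first samples reproduce the figures above; the second MAC snapshot is constructed for the comparison.

```python
"""Reading BRAS control-plane drop counters to spot a packet flood, added as an example."""
import re

# Constructed samples laid out like the `show security statistic` outputs above.
PACKET_STATS = """\
packet type          passed count     dropped count    received count
-----------          ------------     -------------    --------------
uni ppp padi         69017890         0                69017890
uni ppp lcp echo     3096415341       0                3096415341
uni ppp control      441307366        12829            441320195
"""
MAC_DROPS_FIRST = """\
MAC:4487.fcc7.8c51    Drop packets:13
MAC:c446.195d.76d1    Drop packets:5
MAC:0025.9ed4.1f48    Drop packets:14244
"""
# Second run of the same command a little later (constructed values).
MAC_DROPS_SECOND = """\
MAC:4487.fcc7.8c51    Drop packets:15
MAC:c446.195d.76d1    Drop packets:5
MAC:0025.9ed4.1f48    Drop packets:21890
"""

STAT_ROW = re.compile(r"^(?P<type>[a-z][a-z ]*?)\s{2,}(?P<passed>\d+)\s+(?P<dropped>\d+)\s+(?P<received>\d+)$")
MAC_ROW = re.compile(r"MAC:(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+Drop packets:(?P<drops>\d+)")


def parse_packet_stats(text):
    """Map packet type -> {passed, dropped, received}; header and rule lines do not match."""
    stats = {}
    for line in text.splitlines():
        m = STAT_ROW.match(line.rstrip())
        if m:
            stats[m["type"]] = {k: int(m[k]) for k in ("passed", "dropped", "received")}
    return stats


def counters_consistent(stats):
    """Every row must satisfy passed + dropped == received; otherwise the layout was misread."""
    return all(r["passed"] + r["dropped"] == r["received"] for r in stats.values())


def dropped_types(stats):
    """Packet types with a non-zero drop counter, largest first."""
    return sorted((t for t, r in stats.items() if r["dropped"] > 0), key=lambda t: -stats[t]["dropped"])


def parse_mac_drops(text):
    return {m["mac"]: int(m["drops"]) for m in MAC_ROW.finditer(text)}


def fastest_growing(first, second):
    """MAC whose drop counter grew most between two runs, with the increase."""
    growth = {mac: drops - first.get(mac, 0) for mac, drops in second.items()}
    mac = max(growth, key=growth.get)
    return mac, growth[mac]


def diagnose(stats_text, macs_first, macs_second):
    """Drop-affected packet types and the MAC to rate-limit, following steps (1) and (3)."""
    stats = parse_packet_stats(stats_text)
    if not counters_consistent(stats):
        raise ValueError("counter rows do not add up; check the parsed layout")
    return dropped_types(stats), fastest_growing(parse_mac_drops(macs_first), parse_mac_drops(macs_second))


if __name__ == "__main__":
    print(diagnose(PACKET_STATS, MAC_DROPS_FIRST, MAC_DROPS_SECOND))
```

Comparing two runs rather than reading one absolute value is what the comment in the command output asks for: a large but static counter may be history, while a counter that keeps climbing between runs points at the sender currently exceeding the slot's packet-limit.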
On the ZXR10 M6000, perform the following steps:
(1) Check the number of packets on the port on the ZXR10 M6000 (the numbers of packets can only be checked by slots on the T1200). The result is as follows:
M6000#show cps flow statistics interface gei-x/x/x/x    /*Execute the command several times to locate the user whose number of packets increases fast.*/
Flowtype          In-packets    Upsend-packets    Drop-packets
igmp-default      2193          2193              0
dhcp              220802        220802            15426
l2tp              0             0                 0
pppoe-session     13936         13936             0
The result shows that DHCP packets are dropped. Therefore, the fault cause is that a user sends a large amount of DHCP packets, and then DHCP packets sent by other users are dropped. (2) Check the rate limits of different packets on the slot. The result is as follows:
M6000#show cps flow rate-limit interface gei-x/x/x/x
Interface        Index    Flowtype          Rate
gei-x/x/x/x      44       igmp-default      400
gei-x/x/x/x      44       dhcp              400
gei-x/x/x/x      44       l2tp              200
gei-x/x/x/x      44       pppoe-session     1000
The unit of rate limits is packet/s. (3) For the M6000, the CPU provides high performance. It is secure to modify the rate limits to greater values. For example, execute the following commands to modify the rate limit of DHCP packets to 800 packet/s:
M6000(config)#control-plane-security
M6000(config-cps)#flow rate-limit 800 flowtype dhcp interface gei-x/x/x/x
Conclusion
If a lot of users are disconnected repeatedly, check whether packet attacks occur at the BRAS side. You can troubleshoot the faults on the T1200 and M6000 BRAS devices in accordance with the above solutions.
MPLS L3VPN Troubleshooting on the ZXR10 6804
Abstract: This paper describes troubleshooting of the L3VPN ping failure between routers connected through virtual interfaces. The cause is that the MPLS function is not enabled on the virtual interfaces.
Symptom
As shown in Figure 1, the MPLS VPN function is enabled on the ZXR10 6804 and ZXR10 6802. After configuration is completed, addresses in the VPN cannot be pinged successfully. In the network, the ZXR10 6804, ZXR10 6802 and H3C are connected through multilink virtual interfaces. Each virtual interface consists of four E1 interfaces.
Figure 1. Interconnections Among the ZXR10 6804, ZXR10 6802, and H3C
Fault Analysis
(1) Check the configuration. The result shows that OSPF and BGP operate properly on the routers, VPN routes are learned correctly, and the routers are MPLS LDP neighbors. However, destinations of the VPN routes cannot be pinged successfully.
ZXR10#show ip forwarding route vrf VPN3_NetMag
IPv4 Routing Table:
status codes: *valid, >best
   Dest              Gw              Interface     Owner     Pri   Metric
*> 3.3.3.3/32        3.3.3.3         loopback4     address   0     0
*> 10.19.81.0/24     10.252.0.181    multilink1    bgp       200   0
*> 10.20.81.0/24     10.20.81.3      gei-0/1.3     direct    0     0
*> 10.20.81.3/32     10.20.81.3      gei-0/1.3     address   0     0
ZXR10#ping vrf VPN3_NetMag 3.3.3.3
sending 5,100-byte ICMP echo(es) to 3.3.3.3,timeout is 2 second(s).
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 17/18/19 ms.
ZXR10#ping vrf VPN3_NetMag 10.20.81.3
sending 5,100-byte ICMP echo(es) to 10.20.81.3,timeout is 2 second(s).
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/14/19 ms.
ZXR10#ping vrf VPN3_NetMag 10.20.81.3 source 3.3.3.3
sending 5,100-byte ICMP echo(es) to 10.20.81.3,timeout is 2 second(s).
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 15/18/19 ms.
ZXR10#ping vrf VPN3_NetMag 10.19.81.3 source 3.3.3.3
sending 5,100-byte ICMP echo(es) to 10.19.81.3,timeout is 2 second(s).
.....
Success rate is 0 percent(0/5).
ZXR10#
(2) The VPN routes are normal, and the directly-connected devices can be pinged successfully. The probable cause is that the MPLS configuration is not applied. In accordance with the technical support, it is necessary to enable the MPLS function on the virtual interfaces.
Solution
After the following commands are executed on the devices, the fault is resolved:
ZXR10(config)#mpls interface ?
  ce1multilink        Channelized E1 Multilink interface
  Virtual_template    Virtual_template interface
Conclusion
On the ZXR10 6800, to enable the MPLS function on virtual interfaces (such as CE1 channelized interfaces, multilink interfaces, or L2TP VPN virtual interfaces), it is necessary to execute the mpls interface <interface-name> command on each virtual interface. If the command is not executed, LDP neighbors and labels are normal, but labeled packets cannot be forwarded.
Configuration for Connecting to a Private-Network WEB Server by Using a Public-Network Domain Name on the ZXR10 6808
Gao Feng / ZTE Corporation
Abstract: This paper describes the configuration for a private-network user to connect to a private-network WEB server by using a public-network domain name.
Key words: 6800, NAT, WEB, domain name, static, dynamic, DNS
Configuration Commands
Method 1: Use static NAT and dynamic PAT. The NAT-related configuration on the ZXR10 6800 is as follows:
nat-pool n11 poolid 11
 section 1 199.1.1.1 199.1.1.10
$
pat-pool p10 poolid 10
 section 1 200.1.1.1 200.1.1.10
$
domain 1 1 type sr ipv4-issued
 static source rule-id 2 public 13.16.35.1 199.1.1.1
 dynamic source rule-id 10 ipv4-list patacl1 permit pool p10
$
subscriber ipv4 public subscriber-id 1 nat-domain 1
 interface gei-1/6
 interface gei-2/1
Method 2: The NAT-related configuration on the ZXR10 6800 is as follows (only the configuration different from that in method 1):
domain 1 1 type sr ipv4-issued
 static source rule-id 2 public 13.16.35.1 80 200.1.1.1 80 tcp
 dynamic source rule-id 10 ipv4-list patacl1 permit pool p10
Description
If the configuration in method 1 is used, the results are as follows:
Result 1: The host (17.71.1.1) can ping the WEB server (13.16.35.1) successfully.
Description: Dynamic PAT is used, so the source IP address in the returned packets is not translated.
Result 2: The host (17.71.1.1) can ping 199.1.1.1 successfully.
Description: Static NAT is used. Either the private network address or the public network address can ping 199.1.1.1 successfully.
Result 3: The WEB server (13.16.35.1) can ping the host (17.71.1.1) successfully.
Description: Static NAT is used.
Result 4: The host user can access WEB pages by using IP address 199.1.1.1.
Description: Static NAT is used.
Result 5: The host user can access WEB pages by using the hh.hello.com domain name.
Description: Dynamic PAT is used in the DNS procedure. Static NAT is used to log in to the WEB server.
Result 6: The host user can access WEB pages by using the IP address 13.16.35.1.
Description: Dynamic PAT is used.
Conclusion
Note that the private-network server and the private-network user must be in different network segments.
NAT Configuration and Analysis on the ZXR10 6800
Abstract: This paper describes NAT configuration, validation, and analysis on the ZXR10 6800.
Key words: 6800, NAT, debug, ICMP, ACL
Network Topology
Figure 1 shows the network in which the NAT function is configured.
Configuration Commands
Execute the following commands on the ZXR10 6800:
service 12/0 nat44 enable
ipv4-access-list patacl1
 rule 1 permit any
 exit
cgn-pool n10 poolid 10 mode nat
 section 1 10.9.1.1 10.9.1.255
cgn-pool p2 poolid 2 mode pat
 section 1 2.3.2.0 2.3.2.25
domain 1 1 type sr ipv4-issued
 static source rule-id 1 public 27.1.1.1 10.9.1.1
 dynamic source rule-id 1 ipv4-list patacl1 permit pool p2
$
subscriber ipv4 public subscriber-id 1 nat-domain 1
 interface gei-1/5.1
 interface gei-1/3.2
Solution
Perform the following tests to validate the configuration:
(1) Ping 27.1.1.1 (the private-network server) from the headquarters. Execute the debug icmp command on a device in the headquarters. The result is as follows:
sending 5,100-byte ICMP echo(es) to 27.1.1.1,timeout is 2 second(s).
!
ZXR10 MPFU-5/0 2013-3-12 10:36:04 IP ICMP:sent type echo request, code 0, src 81.80.1.1, dst 27.1.1.1
ZXR10 MPFU-5/0 2013-3-12 10:36:04 IP ICMP:rcvd type echo reply, code 0, src 27.1.1.1, dst 81.80.1.1
The result shows that the server can be pinged successfully, and the private-network address is not translated. Execute the debug icmp command on the server. The result is as follows:
ZXR10#
ZXR10 MPFU-2/0 2013-3-12 10:36:04 IP ICMP:rcvd type echo request, code 0, src 2.3.2.63, dst 27.1.1.1
ZXR10 MPFU-2/0 2013-3-12 10:36:04 IP ICMP:sent type echo reply, code 0, src 27.1.1.1, dst 2.3.2.63
The result shows that the private-network address is translated.
(2) Ping 81.80.1.1 (a private-network address) from the server. Execute the debug icmp command on the server. The result is as follows:
ZXR10 MPFU-2/0 2013-3-12 10:47:55 IP ICMP:sent type echo request, code 0, src 27.1.1.1, dst 81.80.1.1
ZXR10 MPFU-2/0 2013-3-12 10:47:55 IP ICMP:rcvd type echo reply, code 0, src 81.80.1.1, dst 27.1.1.1
The result shows that the server can ping the private network successfully, and the addresses are not translated. Execute the debug icmp command on a device in the headquarters. The result is as follows:
ZXR10#
ZXR10 MPFU-5/0 2013-3-12 10:47:55 IP ICMP:rcvd type echo request, code 0, src 10.9.1.1, dst 81.80.1.1
ZXR10 MPFU-5/0 2013-3-12 10:47:55 IP ICMP:sent type echo reply, code 0, src 81.80.1.1, dst 10.9.1.1
The result shows that the address of the server is a public-network IP address.
(3) Ping 69.1.1.1 (a public-network address) from the server.
Execute the debug icmp command on the server. The result is as follows:
ZXR10#ping 69.1.1.1
sending 5,100-byte ICMP echo(es) to 69.1.1.1,timeout is 2 second(s).
ZXR10 MPFU-2/0 2013-3-12 10:52:24 IP ICMP:sent type echo request, code 0, src 27.1.1.1, dst 69.1.1.1
ZXR10 MPFU-2/0 2013-3-12 10:52:24 IP ICMP:rcvd type echo reply, code 0, src 69.1.1.1, dst 27.1.1.1
Execute the debug icmp command on a public-network device. The result is as follows:
ZXR10#debug ip icmp
ICMP debugging is on
ZXR10#
ZXR10 MPFU-5/0 2013-3-12 10:52:24 IP ICMP:rcvd type echo request, code 0, src 10.9.1.1, dst 69.1.1.1
ZXR10 MPFU-5/0 2013-3-12 10:52:24 IP ICMP:sent type echo reply, code 0, src 69.1.1.1, dst 10.9.1.1
(4) Ping 10.9.1.1 (the public-network IP address of the server) from the public network. Execute the debug icmp command on a public-network device. The result is as follows:
ZXR10 MPFU-5/0 2013-3-12 10:53:57 IP ICMP:sent type echo request, code 0, src 69.1.1.1, dst 10.9.1.1
ZXR10 MPFU-5/0 2013-3-12 10:53:57 IP ICMP:rcvd type echo reply, code 0, src 10.9.1.1, dst 69.1.1.1
Execute the debug icmp command on the server. The result is as follows:
ZXR10 MPFU-2/0 2013-3-12 10:53:57 IP ICMP:rcvd type echo request, code 0, src 69.1.1.1, dst 27.1.1.1
ZXR10 MPFU-2/0 2013-3-12 10:53:57 IP ICMP:sent type echo reply, code 0, src 27.1.1.1, dst 69.1.1.1
The tests show translation of addresses when a private-network device accesses the headquarters and the public network, and address translation when a device in the headquarters accesses the private network.
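The following Python is an added example and not the ZXR10 6800's NAT implementation. It is a simplified model of the domain configured above (one static source rule plus a dynamic PAT pool gated by an ipv4-list) and reproduces the four debug results: a packet addressed to a translated identity has only its destination mapped back, while any other packet has its source rewritten, by the static rule where one exists and otherwise by the PAT pool. The port allocator and the ICMP "port" (which stands for the echo identifier) are assumptions; the previous article's static NAT versus dynamic PAT behaviour follows the same rules.

```python
"""Simplified model of the NAT44 domain above (static source rule plus dynamic PAT pool).

Added example, not the ZXR10 6800 implementation. The server's own address is
rewritten by the static rule in both directions, any other permitted source is
rewritten to a pool address and a fresh port, and a pool address is only
reachable through its session entry. For ICMP the "port" stands for the echo identifier.
"""
from ipaddress import IPv4Address
from itertools import count


class NatDomain:
    def __init__(self, static_rules, pat_pool, pat_acl):
        # static_rules: {private_ip: public_ip}; pat_pool: (first, last) inclusive;
        # pat_acl: predicate over the private source address string (the ipv4-list).
        self.static = {IPv4Address(k): IPv4Address(v) for k, v in static_rules.items()}
        self.static_reverse = {v: k for k, v in self.static.items()}
        first, last = (int(IPv4Address(a)) for a in pat_pool)
        self.pool = [IPv4Address(n) for n in range(first, last + 1)]
        self.pool_set = set(self.pool)
        self.pat_acl = pat_acl
        self.sessions = {}         # (public_ip, public_port) -> (private_ip, private_port)
        self.by_private = {}       # (private_ip, private_port) -> (public_ip, public_port)
        self._ports = count(1024)  # constructed port allocator

    def forward(self, src, sport, dst, dport):
        """Rewrite one packet crossing the domain; returns (src, sport, dst, dport) or None if dropped."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        # Packets addressed to a translated identity: map the destination back, leave the source alone.
        if dst in self.static_reverse:
            return str(src), sport, str(self.static_reverse[dst]), dport
        if (dst, dport) in self.sessions:
            p_ip, p_port = self.sessions[(dst, dport)]
            return str(src), sport, str(p_ip), p_port
        if dst in self.pool_set:
            return None                                   # pool address without a session
        # Otherwise translate the source: the static rule needs no ACL, the PAT pool does.
        if src in self.static:
            return str(self.static[src]), sport, str(dst), dport
        if not self.pat_acl(str(src)):
            return None                                   # source not permitted by the ipv4-list
        key = (src, sport)
        if key not in self.by_private:
            port = next(self._ports)
            public = (self.pool[port % len(self.pool)], port)
            self.sessions[public] = key
            self.by_private[key] = public
        ip, port = self.by_private[key]
        return str(ip), port, str(dst), dport


def article_domain():
    """domain 1 above: static 27.1.1.1 <-> 10.9.1.1, PAT pool p2 2.3.2.0-2.3.2.25, ACL patacl1 permits any."""
    return NatDomain({"27.1.1.1": "10.9.1.1"}, ("2.3.2.0", "2.3.2.25"), lambda src: True)


if __name__ == "__main__":
    nat = article_domain()
    # Headquarters host 81.80.1.1 pings the server: the server sees a pool address (2.3.2.63 in the debug above).
    request = nat.forward("81.80.1.1", 7, "27.1.1.1", 7)
    print(request)
    print(nat.forward("27.1.1.1", 7, request[0], request[1]))   # the reply is mapped back to 81.80.1.1
    print(nat.forward("27.1.1.1", 9, "69.1.1.1", 9))             # the server's own traffic uses the static rule
    print(nat.forward("69.1.1.1", 3, "10.9.1.1", 3))             # a public host reaches the server via 10.9.1.1
```

The model also shows the security property conclusion (1) implies: the static rule exposes 27.1.1.1 to any public host without an ACL ever being consulted, whereas PAT-translated hosts are reachable only for the lifetime of a session they opened themselves.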
Conclusion
(1) To configure static NAT rules on the ZXR10 6800, it is unnecessary to configure an ACL.
(2) On the ZXR10 6800, routing is performed before NAT.
(3) The ZXR10 6800 does not support the ip nat outside command. Assume that packets are received on an interface configured with the NAT function on the ZXR10 6800. NAT is performed when the packets are forwarded on another interface of the ZXR10 6800.
NTP Synchronization Troubleshooting on the ZXR10 6804
Abstract: This paper describes NTP synchronization troubleshooting on the ZXR10 6804. The cause is that the MD5 authentication function is not configured on the NTP server.
Symptom
NTP synchronization fails on the ZXR10 6804.
Fault Analysis
(1) The ZXR10 6804 operates as the NTP client. Ensure that the ZXR10 6804 can ping the NTP server successfully.
(2) Check whether the authentication function is enabled, and whether the passwords at both ends are the same.
(3) If the configuration is correct, use the debugging function or capture packets to check whether NTP packets are sent and received properly.
Solution
(1) Execute the ping command to verify that the network between the ZXR10 6804 and NTP server operates properly.
(2) Execute the show ntp status command on the ZXR10 6804 to check the NTP state. The result is as follows:
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**6
reference time is d459ba49.f5c28f5c (09:03:05 Fri Nov 23 2012 UTC)
root delay is 0.00 msec, root dispersion is 0.00 msec, peer dispersion is 0.00 msec
The result shows that NTP synchronization failed.
(3) Execute the show running-config ntp command to check the NTP configuration:
!<ntp>
ntp enable
ntp authenticate
ntp server 21.193.16.1 priority 1 key 1
ntp server 21.193.16.2 priority 2 key 1
ntp source ipv4 21.195.16.3
ntp authentication-key 1 md5 encrypted uMPUd8NZAs4pgdinQ/3kDw==
ntp trusted-key 1
!</ntp>
The result shows that the NTP authentication function is enabled on the client, and the key is encrypted by using the MD5 algorithm.
(4) Check the configuration of the NTP server. The result is as follows:
!
ntp server 21.193.16.1 priority 1 key 1
ntp server 21.193.16.2 priority 2 key 1
ntp source 21.195.16.1
ntp enable
ntp authenticate
ntp trusted-key 1
!
The result shows that the authentication key is not configured on the NTP server. (5) Execute the following command on the NTP server:
ntp authentication-key 1 md5 uMPUd8NZAs4pgdinQ/3kDw==
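As an added example that is not the ZXR10's code, the following Python shows what the two ends do with key 1: the sender appends the key identifier and an MD5 digest computed over the key followed by the 48-byte NTP header, and the receiver can only check that digest if the same key id is both configured and trusted on its side. The shared secret is a constructed value (the article's key is stored encrypted), the transmit timestamp reuses the reference time shown above, and the server states tested are the one found in step (4) and the one after the fix in step (5).

```python
"""NTP symmetric-key authentication check, added as an example (not ZXR10 code).

An authenticated NTP packet is the 48-byte header followed by a 4-byte key
identifier and a 16-byte MD5 digest over key || header. The receiver looks the
key id up in its own key table, checks that it is trusted, and recomputes the
digest. A server with no authentication-key 1 fails at the first step, which is
the state the article found on the NTP server.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_LEN = 16

# Constructed secret: the article's key is stored encrypted and is not known here.
CLIENT_KEY_TABLE = {1: b"example-shared-secret"}


def build_client_request(transmit_ts=0xD459BA49F5C28F5C):
    """Minimal NTPv4 client header (LI=0, VN=4, mode=3) with a fixed transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 6, 0)     # LI/VN/mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                    # root delay, root dispersion
    header += b"\x00" * 4                                 # reference identifier
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)  # reference, origin, receive, transmit
    return header


def md5_mac(key, header):
    """Symmetric-key digest: MD5 over the key followed by the header."""
    return hashlib.md5(key + header).digest()


def sign(header, key_id, key_table):
    """Append key id and digest; raises KeyError if the sender has no such key."""
    return header + struct.pack("!I", key_id) + md5_mac(key_table[key_id], header)


def verify(packet, key_table, trusted):
    """Receiver-side check; returns (ok, reason) so the failure cause is visible."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False, "no MD5 authenticator present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    if key_id not in key_table:
        return False, f"key {key_id} not configured"
    if key_id not in trusted:
        return False, f"key {key_id} not trusted"
    if not hmac.compare_digest(digest, md5_mac(key_table[key_id], header)):
        return False, "digest mismatch"
    return True, "authenticated"


def client_to_server(server_key_table, server_trusted):
    """The article's exchange: the client signs with key 1, the server checks with its own config."""
    packet = sign(build_client_request(), 1, CLIENT_KEY_TABLE)
    return verify(packet, server_key_table, server_trusted)


if __name__ == "__main__":
    # Server as found in step (4): `ntp authenticate` and `ntp trusted-key 1`, but no authentication-key 1.
    print(client_to_server({}, {1}))
    # Server after step (5): the same key 1 configured and trusted.
    print(client_to_server(CLIENT_KEY_TABLE, {1}))
```

The reason strings map onto the checklist in the fault analysis: "not configured" and "not trusted" are configuration mismatches on one end, while "digest mismatch" is the case of different passwords at the two ends.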
Conclusion
In general, NTP failures are caused by incorrect configuration.
PPPoE Dial-Up Service Failure When the ZXISAMv3.2.01.c Is Connected to the UAS10800E
Peng Feng / ZTE Corporation
Abstract: This paper describes troubleshooting of a PPPoE dial-up service failure due to different domain name formats in packets when the ZXISAMv3.2.01.c is connected to the UAS10800E.
Symptom
A PPPoE user fails to get online through the dial-up service. The client shows Error code 107: Services in the domain are not requested. The same alarm message is generated in the log information in the ZXISAM system.
Fault Analysis
The ZXISAMv3.2.01.c has a special requirement about the authentication domains for dial-up service users. Authentication domain names must be contained in dial-up service users' packets. To resolve the fault, set the UAS10800E to carry domain names in usernames, or set the UAS10800E to add domain names in usernames automatically.
(1) Enter the D:/ZXISAM/LOG directory to
4/22 19:28:59 CO-4000 status (212) user test begin login.
4/22 19:28:59 CO-4000 status (221) user test mac 00-18-F3-E2-85-3A, INIT to AUTHING transform.
4/22 19:28:59 CO-4000 radauth*(160) can not find info in T_USER_Service SMS according username:test and domain:. first service's postfix:zte
4/22 19:28:59 CO-4000 authfai*( 63) Success to insert FailAuthRecord.
4/22 19:28:59 CO-4000 radauth*(124) -------------- Access reject ------------
    Identifier = 25
    Reply-Message = Error code 107: Services in the domain are not requested
4/22 19:28:59 CO-4000 radauth*(133) auth takes 94 ms
4/22 19:29:01 CO-4044 timer ( 47) timer handling takes 0 ms
4/22 19:29:02 CO-3604 radauth*(214) Recv auth packet from1.1.1.1:6024
4/22 19:29:02 CO-672 radauth*( 54)
(2) The log information shows that the fault occurs because the username test is not bound to the authentication domain zte. However, the username has been bound to the authentication domain in the ZXISAM system, so the configuration in the ZXISAM system is correct. There is no PPPoE configuration error on the UAS10800E.
(3) In accordance with the requirements for dial-up service users in the ZXISAMv3.2.01.c, during PPPoE dial-up service authentication, authentication domains must be contained in usernames, for example, test@zte. However, domain names are not contained in usernames. On the UAS10800E, the configuration about the RADIUS authentication group and RADIUS accounting group is as follows:
radius authentication-group 1
 server 1 192.168.28.70 key zxisam port 1812
 algorithm first
 timeout 3
 max-retries 3
 deadtime 0
 calling-station-format 1
 nas-port-id-format china-tel
 nas-ip-address 1.1.1.1
 user-name-format strip-domain    /*Ignore authentication domain names for dial-up service users*/
 vendor enable
!
radius accounting-group 1
 server 1 192.168.28.70 key zxisam port 1813
 algorithm first
 timeout 3
 max-retries 3
 deadtime 0
 calling-station-format 1
 nas-port-id-format china-tel
 nas-ip-address 1.1.1.1
 user-name-format strip-domain    /*Ignore authentication domain names for dial-up service users*/
 vendor enable
 local-buffer enable
 interim-packet-quota 80
The configuration information shows that after PPPoE users send dial-up requests, the UAS10800E automatically removes authentication domain names from usernames when transmitting the information to the RADIUS server. This does not meet the
Solution
To resolve the fault, modify the user-name-format strip-domain command to the user-name-format include-domain command in the RADIUS authentication group and RADIUS accounting group. In this way, when PPPoE users dial, only usernames are used. On the UAS10800E, authentication domain names are added to usernames automatically.
Solution for Disallowing Special Line Users Connected to the T1200 BRAS to Provide the FTP Service
Tu Yong / ZTE Corporation
Abstract: This paper describes a solution for disallowing special line users connected to the T1200
BRAS to provide the FTP service.
Requirement
To prevent special line users connected to the BRAS from providing services that occupy network bandwidth, a carrier requires that special line users should be disallowed to provide the FTP service. On the BMSG T1200, special line users are IP-host users connected to VBUI interfaces. To meet the requirement, ACLs can be configured on uplink interfaces or VBUI interfaces on the T1200. However, users are located in multiple network segments. As a result, it is difficult to configure ACLs. If a large number of rules are defined, packet forwarding efficiency on interfaces is affected.
Solution
Configure a subscriber-template in a domain to define an ACL based on port numbers for special line users. To control a special line user, it is only necessary to configure the user's domain name when an IP-host user is configured. The configuration procedure is as follows:
(1) Execute the following commands to create an extended ACL:
  acl extended name deny-port /*The name of the ACL is deny-port.*/
   rule 1 deny tcp any any eq 20
   rule 2 deny tcp any any eq 21
   rule 3 permit ip any any
(2) Execute the following commands in the domain to bind the ACL to the subscriber-template:
   accounting-group 1
   alias xxx
   subscriber-template access-list-outside deny-port /*Bind the ACL named deny-port to the subscriber template in the outside direction.*/
(3) Execute the following commands to configure an IP-host user, and bind the user to the domain:
  interface vbuix /*Enter the VBUI interface to which the access-disallowed IP-host user is connected*/
   ip host 10.26.1.3 slot 7 port 1 vlan 1 domain-name domain /*Create an IP-host user, and bind the user to the domain*/
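As an added example (not code from the article or from ZTE), the following Python parses the deny-port rules in the syntax shown above and evaluates packets first-match, so the effect of binding the ACL in the subscriber's outside direction can be checked offline; the rule grammar, the reading of "eq" as the destination port, the default deny and the sample Internet address are assumptions.

```python
"""Added example, not from the article: first-match evaluator for the extended
ACL shown above. Assumed: rule syntax 'rule <n> deny|permit tcp|udp|ip <src>
<dst> [eq <dst-port>]', and deny when no rule matches."""
import re
from typing import List, NamedTuple, Optional

# Constructed copy of the ACL rules from the article.
ACL_DENY_PORT = """
rule 1 deny tcp any any eq 20
rule 2 deny tcp any any eq 21
rule 3 permit ip any any
"""
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(deny|permit)\s+(tcp|udp|ip)\s+(\S+)\s+(\S+)"
    r"(?:\s+eq\s+(\d+))?$")

class Rule(NamedTuple):
    num: int
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]  # None means any destination port

def parse_acl(text: str) -> List[Rule]:
    """Parse rule lines into Rule tuples ordered by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed ACL line: " + line)
        num, action, proto, src, dst, port = m.groups()
        rules.append(Rule(int(num), action, proto, src, dst,
                          int(port) if port else None))
    return sorted(rules, key=lambda r: r.num)

def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int]) -> str:
    """Return the action of the first rule matching the packet."""
    for r in rules:
        if r.proto not in ("ip", proto):          # 'ip' matches any protocol
            continue
        if r.src not in ("any", src) or r.dst not in ("any", dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

def outside_to_subscriber(rules: List[Rule], proto: str, dport: int) -> str:
    """Internet host (constructed 198.51.100.7) toward the IP-host user
    10.26.1.3: the outside direction in which the article binds deny-port."""
    return evaluate(rules, proto, "198.51.100.7", "10.26.1.3", dport)
```

The UDP case shows that the rules are TCP-only, which is all FTP needs; anything else bound for the subscriber still reaches rule 3.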
Conclusion
After the configuration is completed,
Alarm Messages Indicating That PPPoE Users Fail to Get Online on the ZXR10 T1200
Xie Jia / ZTE Corporation
Abstract: This paper describes the command execution result of the show onlinefail command, and the probable causes.
Symptom
There are multiple methods of troubleshooting faults that PPPoE users fail to get online. In general, you can execute the debug or radius-ping command. To locate causes quickly, you can execute the show onlinefail command. The following describes alarm messages in the command execution result of the show onlinefail command.
(1) ... interface, but the user does not dial on the bound interface, this alarm message is displayed. To resolve the fault, rebind the user on the RADIUS device.
(2) Reject for IP assign fail. After a user passes dial-up authentication, the BRAS device will allocate an IP address to the user. If no address pool is configured on the BRAS device, this alarm message is generated.
(3) auth request timeout. An authentication message times out because the BRAS device receives no successful authentication or authentication failure message returned by the RADIUS device. The probable cause is that the return route is unreachable due to a route or connectivity fault between the BRAS device and RADIUS device.
(4) Reject for Radius authentication fail! The RADIUS device rejects authentication. In general, the cause is that the username is locked on the RADIUS device. It is necessary to disconnect the user on the RADIUS device. (Usually, this fault occurs after service cutover.)
(5) TOO MANY CONNECTIONS. There are too many user connections, so some users cannot be connected successfully. Check whether users cannot obtain resources for connections because the device CPU usage is high or there are attack packets on the network.
(6) can't find user. The corresponding user cannot be located. The probable cause is: the username is incorrect, the username expires, or the user is in arrears.
(7) User dial-in so soon. A user dials frequently. A default dialing interval is set to prevent attacks.
(8) user password error. A password is incorrect.
The alarm message Receive packet vector invalid displayed after the radius-ping command is executed means that the encryption check for an authentication response packet returned by the RADIUS device fails. This means that the authentication configuration may be incorrect on the BRAS device or RADIUS device.
Abstract: This paper describes the troubleshooting procedure if a user is disconnected after the ZXR10 8902 switch is powered off and then restarted. The cause is that the OSPF authentication function is configured, but the configuration is not saved.
Symptom
In an office, the ZXR10 8902 switch operates as the gateway of a customer, and services are configured on the switch. The ZXR10 8902 is connected to the NE40 in the uplink, and OSPF is configured on the devices. After the ZXR10 8902 is powered off and then restarted, the services are interrupted.
Fault Analysis
(1) Log in to the ZXR10 8902 through Telnet, and then execute the show logging alarm command. No alarm information is displayed.
(2) Execute the show ip ospf neighbor command. No information is displayed.
  8902#show ip ospf neighbor
  8902#
(3) The OSPF authentication function is configured to improve security before the device is powered off.
(4) Check configuration on the uplink interface. There is no configuration
To improve security, it is necessary to configure the authentication function for dynamic routing protocols on the devices in the network. Engineers of the office configured the authentication function on the ZXR10 8902, but the configuration was not saved by executing the write command. After the device is powered off and then restarted, the configuration is lost, and then the services are interrupted. After the OSPF authentication function is re-configured and the configuration is saved, the fault is resolved.
Solution
(1) Execute the following commands to
(2) Execute the show ip ospf neighbor command. The result shows that the neighbor
  61.133.253.6
Conclusion
Newly added configuration must be saved promptly.
Troubleshooting of Base Station Disconnection Due to a Loop in the L2 Network Connected to the ZXR10 8902
Li Yong / ZTE Corporation
Abstract: This paper describes troubleshooting of the fault that base stations are disconnected. The
cause is that there is a loop in the network connected to the ZXR10 8902 switch that operates as the network gateway.
Symptom
The ZXR10 8902 switch operates as a network gateway. The 2G and 3G base stations connected to the ZXR10 8902 are disconnected frequently. When the engineers log in to the ZXR10 8902 through Telnet and execute commands, the speed is low.
Fault Analysis
(1) Log in to the ZXR10 8902 through Telnet, and check the device alarms. The OSPF connection between the device and a switch in the central office is frequently and irregularly disconnected.
  ZXR10#show logging alarm
  alarm 16901 occurred %OAM% CPU load exceeds the highest threshold 75% MP(M) panel 1 current CPU load is: 98% sent by MEC 1
(2) The CPU usage of the unique NP card on the ZXR10 8902 is higher than 80%. The main processor usage of the active MPU board is about 80%. There may be a loop in the network.
(3) Execute the following command to check information about MAC address move on the ZXR10 8902. The result shows that no MAC address move alarm is generated.
  ZXR10(config)#mac mac-move enable logging-alarm
(4) Check traffic on gei_2/19 and gei_2/20 connected to downlink devices on the ZXR10 8902. Packets are normal, and broadcast packets and multicast packets do not increase fast.
(5) Disable gei_2/20 (the out-of-band management interface) connected to a downlink L2 network device.
(6) Disable gei_2/19 (the service interface) connected to a downlink L2 network device. The fault symptom is cleared. The CPU usage of the NP card and MP usage of the active MPU board become normal. There must be a large number of protocol packets sent to gei_2/19, which results in high CPU usage and MP usage.
(7) When gei_2/19 is enabled, execute the capture command to capture packets forwarded to the CPU of the line card.
  ZXR10(config)#capture readspeed 10 npc 2
  ARP Packet on NPC: 2
  OP  SND_MAC         SND_IP         DST_MAC         DST_IP           DIR  Port
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX
  ARP Packet on NPC: 2
  OP  SND_MAC         SND_IP         DST_MAC         DST_IP           DIR  Port
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  1   0000.5e00.0101  10.127.76.129  0000.0000.0000  255.255.255.255  RX   19
  IP Packet on NPC: 2
  ProType  SRC_IP         DST_IP      OVID  IVID  TTL  PRO  SRCPN  DSTPN  DIR  Port
  VRRP     10.127.76.129  224.0.0.18  1155  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1154  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1153  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1152  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1151  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1150  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1149  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1148  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1147  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1146  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1145  NULL  255  112  NULL   NULL   RX   19
  VRRP     10.127.76.129  224.0.0.18  1144  NULL  255  112  NULL   NULL   RX   19
The information shows that a large number of ARP packets and VRRP packets are received on gei_2/19. In accordance with the configuration, the source addresses of the packets are the IP address of a SuperVLAN interface configured on the ZXR10 8902. The VRRP function is configured on the SuperVLAN interface. The OVIDs are the same as those of SubVLANs configured in the SuperVLAN. The SuperVLAN operates as the gateway of the frequently-disconnected base stations connected to gei_2/19. There must be a loop in the network connected to gei_2/19. Protocol packets sent from gei_2/19 are received on gei_2/19, so the CPU usage of the line card is high, the OSPF connection is disconnected, and the base stations are disconnected.
Solution
The fault is resolved after the loop is removed.
FAQ
Question: What Are the Differences Between Address Translation and Address Proxy? Answer:
The address translation and address proxy technologies provide the function for using private network addresses to access the Internet. The locations of the address translation and address proxy technologies in the TCP/IP stack are different: the address translation function operates at the network layer, and the address proxy function operates at the application layer. Address translation is invisible to applications. To configure address proxy, the IP address of a proxy server must be specified for applications. For example, to access Web pages through address translation, it is unnecessary to perform any setting in a browser. To access Web pages through address proxy, it is necessary to set the IP address of the specified proxy server in a browser. If the proxy server supports HTTP only, only web servers can be accessed through the proxy server, and the FTP service is unavailable. Compared with address proxy, address translation provides higher extensibility, ... consider ... and passwords. Address proxy supports authentication, and only the users passing authentication based on usernames and passwords can access the Internet.
Question: When the M6000 Operates as a BAS and Is Configured With the NAT44 Function, How Are Ports Allocated to Users?
Answer:
When the ZXR10 M6000 is configured with the NAT444 function, ports can be allocated to users dynamically or statically. (1) Dynamic mode: After a user dials and gets online, an initial number of ports are allocated to the user. The configuration is as follows:
  cgn-pool test poolid 1
   pool-type port-range 128
In accordance with the configuration, 1-128 ports are allocated to the user. If the ports allocated to the user are insufficient, the ZXR10 M6000 increases the number of ports. ZXR10 M6000 increases 128 ports at a time, and generates the corresponding log. (2) Static mode: After a user dials and gets online, the ZXR10 allocates a fixed number of ports to the user. If the ports are insufficient, the ZXR10 M6000 does not increase the ports.
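The following Python, added here as an illustration and not ZTE's own code, models the dynamic and static port allocation described in this answer with port-range 128; the pool bounds, user names and log wording are constructed assumptions.

```python
"""Added example, not ZTE code: a model of the NAT444 per-user port allocation
described in the answer above. Dynamic mode grants an initial block of
'port-range' ports and grows it by the same size when the user runs out,
logging each grant; static mode refuses to grow. The pool bounds, user
names and log wording are constructed assumptions, not the M6000's."""
import logging
from typing import Dict, List, Optional, Set, Tuple

log = logging.getLogger("cgn")


class CgnPool:
    def __init__(self, port_range: int = 128, mode: str = "dynamic",
                 first: int = 1024, last: int = 65535) -> None:
        assert mode in ("dynamic", "static")
        self.port_range, self.mode, self.last = port_range, mode, last
        self.next_free = first                    # next unallocated port
        self.blocks: Dict[str, List[Tuple[int, int]]] = {}
        self.in_use: Dict[str, Set[int]] = {}

    def _grant_block(self, user: str) -> Optional[Tuple[int, int]]:
        """Carve the next block of port_range consecutive ports from the pool."""
        start, end = self.next_free, self.next_free + self.port_range - 1
        if end > self.last:
            log.error("pool exhausted, cannot serve user %s", user)
            return None
        self.next_free = end + 1
        self.blocks.setdefault(user, []).append((start, end))
        # This per-block log is what lets (public IP, port, time) in an abuse
        # report be traced back to one subscriber behind the CGN.
        log.info("user %s granted ports %d-%d", user, start, end)
        return start, end

    def user_online(self, user: str) -> Optional[Tuple[int, int]]:
        """Initial grant when the user dials in and gets online."""
        self.in_use[user] = set()
        return self._grant_block(user)

    def allocate_port(self, user: str) -> Optional[int]:
        """Take a free port from the user's blocks; grow only in dynamic mode."""
        used = self.in_use[user]
        for start, end in self.blocks.get(user, []):
            for port in range(start, end + 1):
                if port not in used:
                    used.add(port)
                    return port
        if self.mode == "static":
            log.warning("user %s exhausted its fixed ports; no increase", user)
            return None
        block = self._grant_block(user)
        if block is None:
            return None
        used.add(block[0])
        return block[0]
```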
Question: On the ZXR10 T1200, How Many Gateway Addresses and Secondary IP Addresses Can Be Configured in a SuperVLAN? Answer:
A maximum of 1 gateway address and 129 secondary IP addresses can be configured.
Question: How to Configure an ACL on the ZXR10 8900 to Match PPPoE Packets? Answer:
The ZXR10 8900 does not provide the corresponding ACL rules to limit pppoe-data or pppoe-control packets. The packets can be limited in another way. For pppoe-data packets, the Ethernet code is 0x8863, and 34915 in decimal. For pppoe-control packets, the Ethernet code is 0x8864, and 34916 in decimal.
You can define the following rules in an ACL to match PPPoE packets:
  acl link name shutdown
   rule 1 deny 34915 ingress any egress any time-range shutdown
   rule 2 deny 34916 ingress any egress any time-range shutdown
Question: The ZXR10 8905 Is Connected to the NE40E in the Uplink, and the Devices Run IBGP. The maximum-paths 8 Command Is Configured in BGP, but Traffic Is Not Shared. Why? Answer:
Two commands can be executed on the ZXR10 8905 for BGP load sharing: maximum-paths 8 and maximum-paths ibgp 8. The maximum-paths 8 command is valid for EBGP, and the maximum-paths ibgp 8 command is valid for IBGP. In the current network, the devices are IBGP neighbors, so the maximum-paths ibgp 8 command should be configured.
The alarm means that the device receives a lot of packets from the COS6 queue. You must capture packets to check which type of packets is forwarded to the CPU. In general, abnormal protocol packets are forwarded to the CPU.
Question: What Should Be Noted When the VPLS Service Is Configured Crossing H Line Cards on the ZXR10 G Series, ZXR10 6900 Series and ZXR10 8900 Series Switches? Answer:
To configure the VPLS service (only for VLS) crossing two H line cards, it is necessary to execute the config fabric vpls enable command. If this command is not executed, MAC addresses can be learned, but communication is abnormal.
Question: How to Increase the Forwarding Bandwidth Between Boards on the ZXR10 8900?
Answer:
Data forwarded between boards on the ZXR10 8900 uses the MPU backplane bandwidth. The communication bandwidth between an MPU board and a card is 12 Gbps. If the bandwidth needed to forward data exceeds 12 Gbps, the forwarding performance is affected. When both the active and standby MPU boards are installed, you can execute the crossbar loadbalance command in global configuration mode to use the backplane bandwidth of the standby MPU, so that the forwarding bandwidth between boards is increased to 24 Gbps.
Question: On the ZXR10 8908, How to Bind an IP Address to a MAC Address? Answer:
To bind an IP address to a MAC address, run the set arp permanent/static command in VLAN interface configuration mode. To release binding, run the clear arp command in privileged mode. Note: Static ARP entries are not written to the disk, and not displayed in the show run command execution result. The static ARP entries can only be displayed by executing the show mac command. To write ARP entries to the disk, configure permanent ARP entries.
Address: ZTE Plaza, No.55, Hi-tech Road South, Shenzhen, P.R.China Post code: 518057 Customer Support Hotline: +86-755-26771900 Tel:+86-755-26776049 Fax: +86-755-26772236 Customer Support Email: doc@zte.com.cn Technical Support Website: http://ensupport.zte.com.cn Publication Date: August 23, 2013