[All About Switches] FAQ

Released on : 2018-3-6 10:10:56   Latest reply:2018-06-05 18:52:53
1.Why Cannot Storm Control Be Configured on a Layer 3 Interface?
Traffic forwarded at Layer 3 will not be broadcast. Therefore, storm control is not required or supported by Layer 3 interfaces.

2.Why Does 802.1x Authentication Fail When I Use a Remote Desktop Connection to Access a PC Running a Windows Operating System?
When you use a remote desktop connection to access a PC running a Windows operating system that has passed 802.1x authentication successfully, the connection is lost after 2 minutes. The cause is that the identity authentication mode of 802.1x authentication on the PC is user authentication. You need to change the identity authentication mode to "User or Computer authentication" or "Computer Authentication". Choose Control Panel > Network and Internet > Network Connections. Right-click the network connection in use and choose Properties. The Properties dialog box is displayed. Choose Authenticate > Other Settings, and set Specify authentication mode to User or Computer authentication or Computer Authentication.

3.How Long Does a Roaming Wireless User Go Online?
If a wireless user is roaming, the user cannot go online immediately after the VLAN and access interface are switched. The reason is that the user entry is aged out after a period of time. For versions earlier than V200R010, authentication is initiated again after the user entry is aged out. Therefore, the user needs to wait for several minutes. To allow the user to go online immediately, you can upgrade the system software of the device to V200R010 and configure the MAC address migration function.

4.Why Is Traffic Not Load Balanced Among Eth-Trunk Member Interfaces?
Switches support only flow-based load balancing. If a switch receives too much traffic, an Eth-Trunk member interface will send a large amount of traffic out. In this case, the Eth-Trunk cannot achieve load balancing.

5.Why Cannot MAC Address Entries Be Aged Out?
Interfaces on a switch frequently go Up and Down and the aging timer for global MAC address entries is continuously updated. As a result, MAC address entries cannot be aged out.

6.When an Authentication-Free Rule and a Traffic Policy Are Configured in the Interface View, Why Cannot the Traffic Policy Take Effect?
The authentication-free rule configured in the interface view has a higher priority than the traffic policy. Therefore, the authentication-free rule takes effect, while the traffic policy does not.

7.Why N:1 VLAN Mapping Is Not Recommended for the S3328 Running V100R005?
Creating N:1 VLAN mapping on the S3328 running V100R005 will cause a high CPU usage, affecting services. Therefore, N:1 VLAN mapping is not recommended.

8.How Do I Disable the S9300 Running V100R002 from Frequently Displaying Logs Indicating that Packets Are Dropped Because the Rate Exceeds the CPCAR?
On the switch, run the display channel command to check the channel through which logs are reported to the NMS and then run the info-center source QOSE channel channelid log state off command to disable the switch from displaying logs indicating that packets are dropped because the rate exceeds the CPCAR.

9.Why MAC Address Flapping Occurs After a Chassis Is Replaced?
MAC address flapping alarms are frequently displayed on the switch after all service cards of V100R002 are used on the chassis running V200R008 and MPUs are not replaced.
After comparisons, it is found that the undo mac-learning priority 0 allow-flapping command is configured in V100R002 to prevent MAC address flapping between interfaces with the same priority. However, this command is not configured on MPUs of V200R008. Therefore, MAC address flapping does not occur before the replacement but occurs after the replacement.

10.Why Do Some Interfaces Take 30 Seconds to Change to the Forwarding State After the MSTP Status Changes?
When an edge interface goes from Down to Up, the process of changing the interface status from learning to forwarding is performed within 1 second to prevent temporary loops. This is normal.
When a non-edge interface goes from Down to Up, packets can be normally forwarded only after 30 seconds.

11.How Do I Configure a Traffic Policy to Match Both IPv4 and IPv6 ACLs?
If both IPv4 and IPv6 ACLs need to be configured in the same traffic policy, you need to configure two traffic classifiers to match IPv4 and IPv6 ACLs respectively.
The following is a configuration example:
<HUAWEI> system-view
[HUAWEI] acl name test1
[HUAWEI-acl-adv-test1] rule 1 deny ip source 86.108.150.48 0
[HUAWEI-acl-adv-test1] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl test1
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI-behavior-b1] quit
[HUAWEI] acl ipv6 name test2
[HUAWEI-acl6-adv-test2] rule 2 deny ipv6 source fc00:1::1/64
[HUAWEI-acl6-adv-test2] quit
[HUAWEI] traffic classifier c2
[HUAWEI-classifier-c2] if-match ipv6 acl test2
[HUAWEI-classifier-c2] quit
[HUAWEI] traffic behavior b2
[HUAWEI-behavior-b2] permit
[HUAWEI-behavior-b2] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] classifier c2 behavior b2
[HUAWEI-trafficpolicy-p1] quit

12.What Are the Application Scenarios of Port Isolation and MFF on the S3300?
You are not advised to configure port isolation and MFF at the same time on the S3300. The application scenarios of port isolation and MFF are as follows:

Port Isolation
To implement Layer 2 isolation between interfaces, you can add different interfaces to different VLANs. This wastes VLAN resources. Port isolation can isolate interfaces in the same VLAN. That is, you only need to add interfaces to a port isolation group to implement Layer 2 isolation between these interfaces. Port isolation provides secure and flexible networking schemes for customers.
To isolate broadcast packets in the same VLAN but allow users connecting to different interfaces to communicate at Layer 3, you can set the port isolation mode to Layer 2 isolation and Layer 3 interworking. To prevent interfaces in the same VLAN from communicating at both Layer 2 and Layer 3, you can set the port isolation mode to Layer 2 and Layer 3 isolation.
Figure 1-1 Port isolation example shows the port isolation method and application scenario. PC1, PC2, and PC3 belong to VLAN 10. After GE1/0/1 connecting to PC1 and GE1/0/2 connecting to PC2 are added to a port isolation group, PC1 and PC2 cannot communicate with each other in VLAN 10, but they can communicate with PC3.
Figure 1-1 Port isolation example

MFF isolates user devices in a broadcast domain at Layer 2 and allows them to connect at Layer 3. MFF uses proxy ARP to capture ARP request packets and returns an ARP reply packet with the gateway MAC address as the source MAC address to users. All traffic from users is forwarded to the gateway so the gateway can monitor traffic and prevent attacks.
As shown in Figure 1-2 Layer 2 isolation by MFF, user traffic is sent to the gateway, but not the Layer 2 aggregation node. Users are isolated at Layer 2.
Figure 1-2 Layer 2 isolation by MFF

13.What Can I Do If IGMP Report Packets Cannot Be Forwarded When a Switch Has No Router Port?
As shown in Figure 1-1 Router port description, the Layer 3 device Router receives data from the multicast source and forwards the data to the downstream devices. IGMP snooping is configured on the Layer 2 multicast devices SwitchA and SwitchB. HostA, HostB, and HostC are receiver hosts (multicast group members).
Figure 1-1 Router port description

Port Role: Router port. Ports marked as blue points on SwitchA and SwitchB.
NOTE: A router port is a port of a Layer 2 multicast device connected to an upstream multicast router.
Function: Receives multicast packets from a Layer 3 multicast device such as a designated router (DR) or IGMP querier.
Generation:
  • A router port generated by a protocol is called a dynamic router port. A port becomes a dynamic router port when it receives an IGMP General Query message or PIM Hello message with any source address except 0.0.0.0. The PIM Hello messages are sent from the PIM port on a Layer 3 multicast device to discover and maintain neighbor relationships.
  • A manually configured router port is called a static router port.

If a switch does not have a router port, IGMP Report packets cannot be forwarded. You can run the igmp-snooping static-router-port vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> command in the interface view to configure the interface as a static router port in a specified VLAN.

14.When the BFD Session Status and Interface Status Are Associated, After a BFD Session Goes Down, an Interface Is Shut Down. After the undo shutdown Command Is Run, Why Does the Interface Still Fail to Go Up?
As shown in the below figure, the association between the BFD session status and interface status is configured on both SwitchA and SwitchB. However, the association between the BFD session status and interface status is deleted from SwitchB due to certain reasons. When a BFD session goes down, the interface GE1/0/1 is shut down.
After the undo shutdown command is run on the interface GE1/0/1, the interface is still Down. In this case, you need to disable the association between the BFD session status and interface status (oam-bind ingress bfd-session bfd-session trigger if-down egress interface gigabitethernet 1/0/1) from the interface. After the configuration is deleted, the interface goes Up.


15.Why Can a Switch Ping a Server but the Server Cannot Ping the Switch After They Are Connected?
When the server pings the switch, if the destination MAC address of the ICMP packets is that of the switch, the ping operation succeeds; otherwise, the ping operation fails. The failure of the server to ping the switch is caused by the change of the destination MAC address of the ICMP packets.

16.Why Does the Service Gateway Fail to Be Pinged When a WLAN User Roams in S12700+ACU2 Networking Whereas the Fixed-Location Network Access Is Normal in the Airport Scenario?
The STA is not disconnected from the WLAN network during roaming. The service is interrupted because the gateway responds to the ARP request packets of the STA slowly or the ARP response packets are lost. The AP receives a large number of broadcast and multicast packets, causing a high CPU usage. To solve this problem, port isolation must be configured on the switch connected to the AP and on all the other switches in the path to the gateway switch (included).

17.Why Does the remark 8021p Command Fail to Re-mark the 802.1p Priority in the Inner VLAN Tag in QinQ Packets?
The remark 8021p command can re-mark only the 802.1p priority in the outer VLAN tag, but cannot re-mark the 802.1p priority in the inner VLAN tag.

18.Why Does the Configured IPSG Function Not Take Effect After an Interface Is Configured as a Trusted Interface?
After an interface is configured as a trusted interface, all packets are forwarded directly without being checked. As a result, the configured IPSG function does not take effect.
19.Can VRRP Be Configured on the Super VLAN or MUX VLAN on a Switch?
The switch supports VRRP configuration on the super VLAN. You can run the vrrp advertise send-mode command to determine the sub-VLAN in which VRRP heartbeat packets are sent.
The switch does not support the VRRP configuration on the MUX VLAN, and it is not recommended that the VRRP and MUX VLAN be used together. The MUX VLAN is generally used in Layer 2 communication scenarios.
20.Why Does the Traffic Policy Not Take Effect When Two Pairs of Traffic Classifiers and Traffic Behaviors Are Configured in a Traffic Policy and One Pair of the Traffic Classifier and Traffic Behavior Matches a User-defined ACL?
If one pair of the traffic classifier and traffic behavior matches a user-defined ACL and the matching order in a traffic policy is set to config, the traffic policy does not take effect. To make the traffic policy take effect, set the matching order to auto using the traffic policy policy-name match-order auto command.
21.Why Is the Downlink Interface Blocked by STP Packets and the Service interrupted When the Downlink Interface of a Switch Is Connected to the S5700 or S5300 Running V100R005C01?
The downlink interface is blocked because the specified interface receives STP packets. The bpdu enable command is not enabled on the S5700 or S5300 running V100R005C01 by default, so the S5700 or S5300 does not forward BPDU packets received from other switches. The S5700 or S5300 considers itself as the root switch and keeps forwarding BPDU packets to other switches.
For modular switches running V100R001, and S3300, S5300, S3700, S5700 switches running V100R003 and V100R005, the bpdu enable command needs to be configured on the interfaces that participate in STP calculation. Otherwise, the switches do not process received STP packets. (Transmission of STP packets is not affected.) The bpdu enable configuration is easily overlooked on the Eth-Trunk of the S3300, S5300, S3700, and S5700.
For modular switches running V100R002 and later versions, the bpdu enable command does not need to be configured on the interfaces that participate in STP calculation. The bpdu disable or bpdu bridge disable command is configured by default.
For fixed switches running V100R006 and later versions, the bpdu enable command is configured on an interface by default.
22.Why Cannot Packets Forwarded at Layer 3 Be Redirected to the Firewall?
In the figure below, redirection is configured on GE1/8/10. Packets are sent to the firewall through Eth-Trunk19 and then forwarded to SwitchA through Eth-Trunk20.
PC and Server are deployed on different network segments. Packets are forwarded at Layer 3 from SwitchA, and the MAC addresses of packets are replaced with the MAC address of VLANIF 3 (GE1/8/12 is added to VLAN 3), so the source MAC address of packets forwarded back to SwitchA through Eth-Trunk 20 is the MAC address of VLANIF 3. SwitchA discards packets whose source MAC address is the MAC address of a VLANIF interface, so PC cannot receive packets and cannot ping Server.
23.What are the common causes of high CPU usage on the S3300?


  • By default, an interface sends all received BPDUs to the CPU. That is, the interface sends the received BPDUs of any protocol to the CPU even if the corresponding protocol is disabled. For example, even if STP is disabled, the STP BPDUs are also sent to the CPU. As a result, the CPU usage is high. On the live network, it is recommended that the bpdu disable command be run on the interfaces that do not use Layer 2 protocols, such as STP, to prevent the interfaces from sending BPDUs to the CPU.  
  • In versions earlier than V100R006C05, the S3300 sends reserved multicast packets to the CPU by default, causing high CPU usage. You can run the deny packet-type reserved-multicast command in the attack defense policy view to discard the reserved multicast packets sent to the CPU.

24.Why is the CPU usage still high when the switch does not receive any service requests and all interfaces are Down?
The IP address 192.168.1.1/172 is configured on the switch, but 192.168.1.1/172 is specified as the IP address of the DNS server on many hosts. As a result, the switch receives a large number of DNS and TCP packets, leading to high CPU usage. After the IP address of the switch is changed, the CPU usage becomes normal.

25.When the S7700 is connected to the S5700 and the S5700 is connected to the OceanStor S2600T, the OceanStor S2600T frequently goes offline. How to determine whether the fault occurs on a switch or the OceanStor S2600T?
Configure the traffic statistics collection function on the S7700 and S5700 respectively. After traffic statistics analysis, it is found that the fault is caused by OceanStor S2600T, instead of the switches.
The following describes how to configure ICMP traffic statistics collection on the S7700 as an example:

# Configure traffic statistics collection for packets received by the S7700.
1.Configure an ACL rule.
<SwitchA> system-view
[SwitchA] acl number 3000
[SwitchA-acl-adv-3000] rule permit icmp source 192.168.2.21 0 destination 192.168.2.20 0
[SwitchA-acl-adv-3000] quit
2.Configure a traffic classifier.
[SwitchA] traffic classifier 3000
[SwitchA-classifier-3000] if-match acl 3000
[SwitchA-classifier-3000] quit
3.Configure a traffic behavior.
[SwitchA] traffic behavior 3000
[SwitchA-behavior-3000] statistic enable
[SwitchA-behavior-3000] quit
4.Configure a traffic policy.
[SwitchA] traffic policy 3000
[SwitchA-trafficpolicy-3000] classifier 3000 behavior 3000
[SwitchA-trafficpolicy-3000] quit
5.Apply the traffic policy to an interface.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-policy 3000 inbound
[SwitchA-GigabitEthernet1/0/1] quit

# Configure traffic statistics collection for packets sent by the S7700.
1.Configure an ACL rule.
<SwitchA> system-view
[SwitchA] acl number 3001
[SwitchA-acl-adv-3001] rule permit icmp source 192.168.2.20 0 destination 192.168.2.21 0
[SwitchA-acl-adv-3001] quit
2.Configure a traffic classifier.
[SwitchA] traffic classifier 3001
[SwitchA-classifier-3001] if-match acl 3001
[SwitchA-classifier-3001] quit
3.Configure a traffic behavior.
[SwitchA] traffic behavior 3001
[SwitchA-behavior-3001] statistic enable
[SwitchA-behavior-3001] quit
4.Configure a traffic policy.
[SwitchA] traffic policy 3001
[SwitchA-trafficpolicy-3001] classifier 3001 behavior 3001
[SwitchA-trafficpolicy-3001] quit
5.Apply the traffic policy to an interface.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-policy 3001 outbound
[SwitchA-GigabitEthernet1/0/1] quit

After the configuration is complete, run the display traffic policy statistics interface gigabitethernet 1/0/1 inbound verbose rule-base and display traffic policy statistics interface gigabitethernet 1/0/1 outbound verbose rule-base commands to check interface traffic statistics. The following provides an example of checking the inbound traffic statistics on GE1/0/1:
[HUAWEI] display traffic policy statistics interface gigabitethernet 1/0/1 inbound verbose rule-base
 Interface: GigabitEthernet1/0/1
 Traffic policy inbound: 3000
 Rule number: 1
 Current status: success
 Statistics interval: 300
---------------------------------------------------------------------
 Classifier: 3000 operator and
 Behavior: 3000
 Board : 1
 rule 5 permit icmp source 192.168.2.21 0 destination 192.168.2.20 0 (match-counter 0)
---------------------------------------------------------------------
 Passed           |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
 Dropped          |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------

26.How Can I Check the Mappings Between Cards and Software Versions?
You can use the following methods to check cards available in different software versions.


  •   Check Hardware Description of the  corresponding product. This document describes the mappings between cards and  software versions in detail.  
  • Check the mappings between cards and software  versions using the Hardware Query Tool.

27.What Are the Differences Between an Optical Module and a Copper Module?

What Is an Optical Module
On an optical network, a sender needs to convert electrical signals into optical signals before sending them to a receiver, and the receiver needs to convert received optical signals into electrical signals. An optical module is a component that completes electrical/optical conversion on an optical network. The following figure shows the structure of an optical module.
Figure 1-1 Structure of an optical module
1. Handle  2. Receiver  3. Transmitter  4. Shell  5. Label  6. Dust plug  7. Spring  8. Connector

The following figure shows the appearance of an SFP/eSFP optical module.
Figure 1-2 SFP/eSFP optical module

What Is a Copper Module (Also Called an Electrical Module)
Unlike optical modules, copper modules do not perform electrical-optical conversion. When two optical interfaces have copper modules installed, the interfaces can be connected using a copper cable. Currently, Huawei offers only GE copper modules with RJ45 interfaces. GE copper modules work with Category 5 network cables, comply with 1000BASE-T (IEEE 802.3ab), and support a maximum transmission distance of 100 m.
The following figure shows the appearance of a GE copper module.
Figure 1-3 Appearance of a GE copper module

Optical modules and copper modules are installed on optical interfaces. Optical modules are used with optical fibers and copper modules are used with network cables.
Not all optical interfaces support copper modules. You can use the Hardware Query Tool to check whether a specific device or card supports copper modules.

28.Why Is the Clock Frequency Not Determined Though the NTP Status Information on a Modular Switch Shows that the Clock Has Been Set?
Run the display ntp-service status command on the switch to view the NTP status.

[HUAWEI] display ntp-service status
clock status: synchronized 
clock stratum: 5 
reference clock ID: 192.168.30.1
nominal frequency: 100.0000 Hz 
actual frequency: 100.0000 Hz 
clock precision: 2^18
clock offset: 1.5096 ms 
root delay: 109.93 ms 
root dispersion: 5.94 ms 
peer dispersion: 178.51 ms 
reference time: 08:03:54.402 UTC May 5 2017(DCB6B06A.6713AD5B)
synchronization state: clock set but frequency not determined

The synchronization state of the local clock shows that the clock has been set but the clock frequency is not determined. After the operation logs related to the time setting on the switch are checked, it is suspected that the time zone is changed, triggering NTP synchronization again.

If the NTP server is stable, the frequency synchronization completion time of NTPv3 is generally eight synchronization calibration periods, that is, ranging from 8 x 64 seconds to 8 x 1024 seconds. After the server runs stably for a period of time (two hours later), run the display ntp-service status command again. It is found that the clock synchronization is complete.

29.When an S Series Switch Is Connected to a Voice Server, Can the Port on the Switch for Connecting to the Server Be Configured as an Observing Port in the Mirroring Function?
This configuration is not recommended. If the mirrored port and observing port belong to the same VLAN, when the mirrored port sends a packet, the voice server receives two copies of the packet, affecting services.

30.What Are the Solutions to the Slow Response from an S Series Switch to the SNMP NMS?
Solution 1: Multiple terminals may access the S series switch at the same time. The SNMP module of the switch needs to respond to multiple terminal users concurrently, resulting in a delay. In this case, you can run the snmp-agent acl command to configure an SNMP ACL to restrict the access of other users.

For example, perform the following configuration:

# Allow only the NMS that matches ACL 2000 to access the switch through SNMP.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-basic-2000] rule permit source 192.168.10.10 0
[HUAWEI-basic-2000] quit
[HUAWEI] snmp-agent acl 2000

Solution 2: On the SNMP NMS, change the SNMP request sending interval to 1 minute or change the resending timeout interval (currently 0.5s).

Solution 3: Upgrade the switch to the latest version and check whether the fault is rectified.



31.Why Is the Internet Access Speed Slow After the S5700-10P-LI Is Switched from a Layer 2 Forwarding Device to a Layer 3 Gateway?

Generally, the S5700-10P-LI is planned as a Layer 2 device on the network. When the S5700-10P-LI functions as a Layer 3 forwarding device, software forwarding is performed by default, and the performance is poor. In this case, the configuration needs to be modified to enable hardware forwarding. That is, you need to run the assign ipv4-forward-mode hardware command and restart the switch for the configuration to take effect. In addition, there are some restrictions on the switch after the hardware forwarding mode is enabled. Therefore, you are not advised to use the S5700-10P-LI as a Layer 3 gateway.

32.Why Are Files Uploaded Slowly After the Negotiation Mode Is Changed to Auto-Negotiation on the Interface of a Switch Connected to the Server?
When the switch is connected to the server, it takes a long time to upload files from the client to the server. The upload of a 50 KB file takes even several minutes. No packet is lost and the delay is not long.

Currently, the interface on the switch works in auto-negotiation mode, and the negotiated rate is only 10 Mbit/s. You can run the undo negotiation auto command to configure the interface to work in non-auto-negotiation mode, and then run the speed 1000 command to forcibly set the rate to 1000 Mbit/s. If the problem persists, contact the technical personnel of the peer server.

33.Why Does MAC Address Flapping Occur on a Modular Switch Using an MPU of the New Version?
A modular switch originally uses an MPU of V100R003. After the MPU is replaced with an MPU of V200R008 and the cable connections remain unchanged, MAC address flapping occurs. In this case, you need to compare the command line differences between the two versions. After comparison, it is found that the undo mac-learning priority 0 allow-flapping command is configured on the MPU of V100R003 but is not configured on the MPU of V200R008. After the command is run on the MPU of V200R008, the problem is solved. This command is used to prevent MAC address flapping between interfaces with the same priority.

Although MAC address flapping does not occur after this command is run, it is recommended that you check the network topology to eliminate loops.

34.Why Does the NMS Obtain Information Slowly Through SNMP After a Stack Is Set Up?

The time that the NMS takes to obtain information through SNMP increases with the number of fixed switches that constitute a stack. This is because the time taken to obtain port information is proportional to the number of nodes to be traversed.

35.Can Users Modify the Configuration File Manually and Specify it as the Configuration File for Next Startup?

The startup saved-configuration command specifies the system configuration file for next startup.

Do not change the configuration file manually and specify the configuration file for next startup. Otherwise, the device may not start normally. For example, if users modify BGP-related configurations in the configuration file without permission, the configuration file may be delivered abnormally because there is no space after the pound key (#).

36.How Can I Determine Whether a Router ID Conflict Occurs?

Run the display logbuffer command in any view to check whether the OSPF/4/CONFLICT_ROUTERID_INTF log is generated on a device.

<Quidway> display logbuffer
 ... ...
May  4 2017 00:17:57+02:00 NEOTEL-S9306-2%OSPF/4/CONFLICT_ROUTERID_INTF(l)[311]:OSPF Router id conflict is detected on interface. (ProcessId=43, RouterId=10.228.233.194, AreaId=0.0.0.0, InterfaceName=Vlanif102, IpAddr=41.48.16.21, PacketSrcIp=41.48.16.21)
May  4 2017 00:15:57+02:00 NEOTEL-S9306-2%OSPF/4/CONFLICT_ROUTERID_INTF(l)[312]:OSPF Router id conflict is detected on interface. (ProcessId=43, RouterId=10.228.233.194, AreaId=0.0.0.0, InterfaceName=Vlanif102, IpAddr=41.48.16.21, PacketSrcIp=41.48.16.21)
May  4 2017 00:13:56+02:00 NEOTEL-S9306-2%OSPF/4/CONFLICT_ROUTERID_INTF(l)[313]:OSPF Router id conflict is detected on interface. (ProcessId=43, RouterId=10.228.233.194, AreaId=0.0.0.0, InterfaceName=Vlanif102, IpAddr=41.48.16.21, PacketSrcIp=41.48.16.21)

If the preceding alarm is generated, a router ID conflict occurs. In most cases, you can run the ospf router-id router-id command to change the router ID.

In special cases, if the source IP address (PacketSrcIp=41.48.16.21) in the router ID conflict log is the IP address of the device, the device has received the packet sent from the interface. You need to check whether a loop exists on the network, obtain the MAC address in the OSPF packet, and locate the device that sends the packet back.
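
The triage described above can be run over an exported log buffer. The following Python sketch is an added example, not Huawei code: it extracts the CONFLICT_ROUTERID_INTF events and separates the normal case (another device uses the same router ID) from the special case (PacketSrcIp equals the device's own IpAddr, which points to a loop). The sample log lines, host names and addresses are constructed.

```python
import re
from collections import Counter

# Matches the key=value list of a CONFLICT_ROUTERID_INTF log entry.
EVENT = re.compile(
    r"OSPF/4/CONFLICT_ROUTERID_INTF\S*?:.*?\((?P<kv>ProcessId=[^)]*)\)")

# Follow-up per verdict, taken from the FAQ answer above.
ACTIONS = {
    "remote-duplicate": "change the router ID with: ospf router-id router-id",
    "own-packet-returned": "check for a loop; use the MAC address in the "
                           "OSPF packet to locate the device sending it back",
}

# Constructed sample in the format shown above (all values are made up).
SAMPLE_LOG = """\
May  4 2017 00:17:57+02:00 SW-CORE-1%OSPF/4/CONFLICT_ROUTERID_INTF(l)[311]:OSPF Router id conflict is detected on interface. (ProcessId=43, RouterId=10.0.0.1, AreaId=0.0.0.0, InterfaceName=Vlanif102, IpAddr=192.0.2.21, PacketSrcIp=192.0.2.21)
May  4 2017 00:15:57+02:00 SW-CORE-1%OSPF/4/CONFLICT_ROUTERID_INTF(l)[312]:OSPF Router id conflict is detected on interface. (ProcessId=43, RouterId=10.0.0.1, AreaId=0.0.0.0,InterfaceName=Vlanif102, IpAddr=192.0.2.21, PacketSrcIp=192.0.2.21)
May  4 2017 00:14:10+02:00 SW-CORE-1%IFNET/4/IF_STATE(l)[313]:Interface GigabitEthernet1/0/1 has turned into UP state.
May  4 2017 00:13:56+02:00 SW-CORE-1%OSPF/4/CONFLICT_ROUTERID_INTF(l)[314]:OSPF Router id conflict is detected on interface. (ProcessId=43, RouterId=10.0.0.1, AreaId=0.0.0.0, InterfaceName=Vlanif200, IpAddr=198.51.100.1, PacketSrcIp=198.51.100.7)
"""


def parse_conflicts(log_text):
    """Return one dict of fields per router ID conflict log entry."""
    events = []
    for line in log_text.splitlines():
        match = EVENT.search(line)
        if not match:
            continue
        fields = {}
        for pair in match.group("kv").split(","):
            key, _, value = pair.partition("=")
            fields[key.strip()] = value.strip()  # tolerate missing spaces
        events.append(fields)
    return events


def classify(event):
    """Special case from the FAQ: the device received its own packet."""
    if event.get("PacketSrcIp") == event.get("IpAddr"):
        return "own-packet-returned"
    return "remote-duplicate"


def summarize(log_text):
    """Count events per (router ID, interface, packet source, verdict)."""
    counts = Counter()
    for ev in parse_conflicts(log_text):
        key = (ev["RouterId"], ev["InterfaceName"],
               ev["PacketSrcIp"], classify(ev))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for (rid, intf, src, verdict), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x router ID {rid} on {intf} from {src}: "
              f"{verdict} -> {ACTIONS[verdict]}")
```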

37.Does the Switch Filter PPPoE and MPLS Packets Based on UDP Port Numbers?
When a switch filters packets such as PPPoE, MPLS, tunnel, and CAPWAP packets using the ACL, the switch cannot parse the internal IP address of the packets.

For example, the user attempts to obtain specified packets by filtering flows through the ACL on the switch.

When a traffic policy is configured on the inbound interface to forward the traffic to the mirrored port, only the packets from the UDP 53 port can be received.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface GigabitEthernet 0/0/14
[HUAWEI] acl number 3001
[HUAWEI-acl-adv-3001] rule 5 permit udp destination-port eq 53
[HUAWEI-acl-adv-3001] quit
[HUAWEI] traffic classifier a1 operator and
[HUAWEI-classifier-a1] if-match acl 3001
[HUAWEI-classifier-a1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI-behavior-b1] mirroring to observe-port 1
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy yagoo
[HUAWEI-trafficpolicy-yagoo] classifier a1 behavior b1
[HUAWEI-trafficpolicy-yagoo] quit
[HUAWEI] interface GigabitEthernet 0/0/4
[HUAWEI-GigabitEthernet0/0/4] traffic-policy yagoo inbound

The result shows that the customer can obtain the Ethernet packets from the destination port 53, but cannot obtain the PPP packets from the destination port 53. The reason is that an S series switch cannot obtain the internal IP addresses of PPPoE packets when the switch uses the ACL to filter packets.
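
Why the port match misses PPPoE traffic is visible in the frame layout. The following Python sketch is an added example, not Huawei code: it builds a plain and a PPPoE-encapsulated DNS frame, models a matcher that only reads IPv4 directly after the Ethernet header (the behaviour described above), and shows an inner-aware filter that a capture host can apply after mirroring. Addresses and MACs are constructed; VLAN tags and PPP protocol-field compression are assumed absent.

```python
import socket
import struct

ETH_IPV4 = 0x0800
ETH_PPPOE_SESSION = 0x8864   # PPPoE session stage
PPP_IPV4 = 0x0021            # PPP protocol number for IPv4
IPPROTO_UDP = 17


def _ip_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, data=b""):
    """Minimal IPv4+UDP packet (UDP checksum 0 = not computed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                      IPPROTO_UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:] + udp


def build_ethernet(ethertype, payload):
    # Constructed, locally administered MAC addresses.
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", ethertype) + payload


def build_pppoe_session(ip_packet, session_id=1):
    """6-byte PPPoE header; its length field covers PPP protocol + payload."""
    ppp = struct.pack("!H", PPP_IPV4) + ip_packet
    return struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp


def udp_dport(ip_packet):
    """UDP destination port of an IPv4 packet, or None if not applicable."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF
    if (ihl < 20 or ip_packet[9] != IPPROTO_UDP or frag_offset
            or len(ip_packet) < ihl + 8):
        return None
    return struct.unpack("!H", ip_packet[ihl + 2:ihl + 4])[0]


def outer_header_match(frame, port):
    """Model of the ACL: L4 fields are read only if IPv4 follows Ethernet."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype == ETH_IPV4 and udp_dport(frame[14:]) == port


def inner_aware_match(frame, port):
    """Capture-host filter that also unwraps PPPoE session frames."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_PPPOE_SESSION:
        if len(payload) < 8:
            return False
        ver_type, code, _sid, length = struct.unpack("!BBHH", payload[:6])
        proto = struct.unpack("!H", payload[6:8])[0]
        if ver_type != 0x11 or code != 0x00 or proto != PPP_IPV4:
            return False
        payload = payload[8:6 + length]
    elif ethertype != ETH_IPV4:
        return False
    return udp_dport(payload) == port


# Constructed sample frames.
_DNS = build_ipv4_udp("192.0.2.10", "192.0.2.53", 40000, 53, b"constructed")
_NTP = build_ipv4_udp("192.0.2.10", "192.0.2.123", 40001, 123, b"constructed")
PLAIN_DNS = build_ethernet(ETH_IPV4, _DNS)
PPPOE_DNS = build_ethernet(ETH_PPPOE_SESSION, build_pppoe_session(_DNS))
PPPOE_NTP = build_ethernet(ETH_PPPOE_SESSION, build_pppoe_session(_NTP))

if __name__ == "__main__":
    for name, frame in [("plain", PLAIN_DNS), ("pppoe", PPPOE_DNS)]:
        print(name, outer_header_match(frame, 53), inner_aware_match(frame, 53))
```

If PPPoE traffic must be inspected, mirror the whole interface or VLAN and apply the port filter on the capture host, where the encapsulation can be unwrapped.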
38.Why Is the Interface Indicator On While No Cable Is Connected to an Interface?
The possible causes are as follows:

Cause 1: The loopback internal command is run on the interface to enable the inloop function.

You can run the display this interface command in the interface view to check the interface information.

Check the Loopback field. If the value is INTERNAL, the inloop function is enabled. In this case, run the undo loopback command to disable this function.

Cause 2: If the value of the Loopback field in the preceding step is NONE, the inloop function is disabled on the switch. If the network cable has not been connected, the hardware may be faulty. In this case, contact technical support personnel.

39.What Are the Default Status of User Login and File Management Functions?

The user login and file management functions involve FTP/SFTP, Telnet/STelnet, and HTTP/HTTPS. The default status of each version and related configuration commands are as follows:

FTP:

The ftp server enable command enables the FTP server function to allow FTP users to log in to the FTP server.

The undo ftp server command disables the FTP server function so that FTP users cannot log in to the FTP server.

By default, the FTP function is disabled.

SFTP:

The sftp server enable command enables the SFTP service on the SSH server.

The undo sftp server enable command disables the SFTP service on the SSH server.

By default, the SFTP service is disabled on the SSH server.

Telnet:

The telnet server enable command enables the Telnet service.

The undo telnet server enable command disables the Telnet service.

By default, the Telnet service is enabled in V200R003 and earlier versions. In V200R005 and later versions, the Telnet service is disabled.

STelnet:

The stelnet server enable command enables the STelnet service on an SSH server.

The undo stelnet server enable command disables the STelnet service on an SSH server.

By default, the STelnet service is disabled on SSH servers.

HTTP:

The http server enable command enables the HTTP server function.

The undo http server enable command disables the HTTP server function.

By default, the HTTP server function is enabled.

HTTPS:

The http secure-server enable command enables the HTTPS service function.

The undo http secure-server enable command disables the HTTPS service function.

By default, the HTTPS service function is enabled.


40.How Can a User Be Upgraded to a Higher-Level User?
Users can change their level in the following ways:

1. The administrator sets the password used to change the user level to level 15.

<HUAWEI> system-view
[HUAWEI] super password level 15 cipher Huawei@5678

2. A common user logs in to the switch through Telnet and changes the user level online.

<HUAWEI> super 15
Password:  // Enter Huawei@5678.
Now user privilege is 15 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE   // The user level is upgraded successfully.


41.How Can I Query the Patch Information About a Switch Through a MIB Object?

The OID of the MIB object used for querying the patch information about a switch is 1.3.6.1.4.1.2011.5.25.19.1.8.5.1.1.4.

For example, run the following command on the NMS to check the patch information:

[DEVICE]$ snmpwalk -v 2c -c Community Hostname 1.3.6.1.4.1.2011.5.25.19.1.8.5.1.1.4
SNMPv2-SMI::enterprises.2011.5.25.19.1.8.5.1.1.4.0.50 = STRING: "V200R007SPH001"
SNMPv2-SMI::enterprises.2011.5.25.19.1.8.5.1.1.4.1.50 = STRING: "V200R007SPH001"

The command output shows that the patch version is V200R007SPH001. In [0.50] and [1.50] in the preceding command output, 0 and 1 indicate the stack ID of a member switch in the stack, and 50 indicates that the patch contains 50 patch units.

42.Should ACL Rules Be Configured for the VTY User?

To prevent attacks and ensure security of the network and data, it is recommended that ACL rules be configured for VTY channels. Otherwise, an attack using Telnet packets can occupy all VTY channels, leaving no VTY channel available for normal users, who then cannot log in to the device. The following rules can be configured:

<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
<HUAWEI> display current-configuration | begin user-interface
user-interface maximum-vty 15
user-interface con 0
authentication-mode aaa
idle-timeout 0 0
screen-length 25
user-interface vty 0 14
acl 2000 inbound
authentication-mode aaa
user privilege level 3
idle-timeout 0 0
screen-length 25
protocol inbound telnet
#
<9312> display acl 2000
Basic ACL 2000, 3 rules
Acl's step is 5
rule 1 permit source 10.0.5.0 0.0.0.255 
rule 2 permit source 10.0.9.0 0.0.0.255 
rule 10 deny 

43.Why Are There a Large Number of Error Packets in the Inbound Direction of the S2700 When the S2700 Is Connected to the S5700 and Packets Are Correctly Sent and Received on the S5700?

In the scenario where the S5700 and S2700 are connected, run the display interface interface-type interface-number command to check packet statistics on interfaces. The command output shows that the number of error packets received in the inbound direction on the S2700 keeps increasing, but the S5700 has no error packet statistics. Analysis shows that the maximum frame length allowed by the S5700 is 9,216 bytes, which can be adjusted by running the jumboframe enable value command. However, the maximum frame length allowed by the S2700 is 1,600 bytes, and no command line is available for adjusting it. Therefore, when there are packets larger than 1,600 bytes but less than 9,216 bytes on the link, the S2700 counts them as error packets, but the S5700 counts them as normal packets.



44. Are Packets on the Forwarding Plane and Control Plane Fragmented on S Series Switches?

The maximum transmission unit (MTU) of an interface can be configured to control the maximum number of bytes that can be sent at a time. If the MTU value takes effect and the length of the transmitted packet is greater than the MTU value, the packet is fragmented. Otherwise, the packet is not fragmented even if the packet length is large. Therefore, to check whether packets on the forwarding plane and control plane are fragmented, you need to first check whether the MTU value takes effect.

- For modular switches:

The configured MTU value takes effect on data packets on the control plane. For LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards on switches running V200R010 and later versions, the configured MTU value takes effect on data packets on the forwarding plane after you run the ipv4 fragment enable command to enable packet fragmentation. For other cards, the configured MTU value does not take effect on data packets on the forwarding plane.

For cards on switches running V200R009 and earlier versions, the configured MTU value takes effect only on data packets on the control plane. That is, packets on the forwarding plane are not fragmented.

- For fixed switches:

The configured MTU value takes effect on data packets on the control plane. For S5320HI and S5720HI switches running V200R010 and later versions, the configured MTU value takes effect on data packets on the forwarding plane after you run the ipv4 fragment enable command to enable packet fragmentation. For other switches, the configured MTU value does not take effect on data packets on the forwarding plane.

For switches running V200R009 and earlier versions, the configured MTU value takes effect only on data packets on the control plane. That is, packets on the forwarding plane are not fragmented.

45.Why Is the Configuration File Lost After a Stack Member Quits the Stack and Then Rejoins the Stack?

Two S5700 switches are stacked using stack cards, and the standby switch is unexpectedly powered off and then restarted. After the restart, the standby switch rejoins the stack, but its configuration file is lost. You can check the user operation logs to locate the fault.

May 26 2017 09:29:39 CDGT-HUAWEI-5720 FSP/4/STACKMEMBER_LEAVE:OID 1.3.6.1.4.1.2011.5.25.183.1.22.7 Slot 2 leaves from stack.
May 26 2017 09:33:01 CDGT-HUAWEI-5720 %SHELL/6/CMDCONFIRM_UNIFORMRECORD(s)[743844]:Record command information.(Task=VT0, IP=113.215.2.220, VpnName=, User=admin, Command="sa",PromptInfo="The current configuration will be written to the device.Are you sure to continue?[Y/N]", UserInput=Y)
May 26 2017 09:33:01 CDGT-HUAWEI-5720 /4/SAVE(s)[743845]:The user chose Y when deciding whether to save the configuration to the device.
May 26 2017 14:38:30 CDGT-HUAWEI-5720 %LOAD/6/SLOTJOINED(l)[751557]:Slot 2 joined the stack.

The preceding operation logs show that the save command is run to save the configuration file after the standby switch is powered off and then powered on. Then the standby switch rejoins the stack. After analyzing the stack setup process, R&D engineers confirm that if the configuration file is saved after the standby switch quits the stack, its original stack configuration will be lost after it rejoins the stack.

Therefore, you are not advised to run the save command to save the configuration file after a switch is unexpectedly powered off and then powered on.

46.What Should I Check First If Packet Loss Occurs When a Switch Pings the Gateway IP Address?

You need to first check whether the switch has learned the ARP entry corresponding to the gateway IP address. That is, run the display arp network net-number command to check whether the MAC address corresponding to the gateway IP address in the ARP entry is the same as the actual gateway MAC address. If not, an IP address conflict may exist on the network: the IP address of another network device is incorrectly configured to be the same as the gateway IP address. As a result, packet loss occurs when you ping the gateway IP address on the switch.


47.What Are the Possible Causes for the Restart of a Switch with Dual Power Modules?

Two S6720-30C-EI switches set up a stack and are connected to the same socket in the equipment room. Only one switch restarts unexpectedly. Since the switch is powered by dual power modules, the possibility that both power modules are faulty can be excluded. The fault may be caused by an external power supply exception.



48.Why Does a Ping with Large Ping Packets Fail When an S Series Switch Is Connected to an NE Router?

When an S series switch is connected to an NE router, the Ping -s 1555 192.168.1.3 command (192.168.1.3 is the switch IP address) fails to ping the S series switch. However, the Ping -s 1554 192.168.1.3 command pings the switch successfully.

You can log in to the S series switch, access the view of the interface connecting the switch to the NE router, and run the display this interface command to view packet statistics. The command output shows that the value of the Giants field on the interface is 90, that is, 90 packets received on the interface exceed the maximum length of the jumbo frame. So the size of the large ping packets may exceed the maximum frame length allowed by the interface. You can run the jumboframe enable value command to set the maximum frame length allowed by an Ethernet interface.


<SwitchC> system-view                                   
[SwitchC] interface GigabitEthernet  0/0/2      
[SwitchC-GigabitEthernet0/0/2] display this interface
GigabitEthernet0/0/2 current state : UP
Line protocol current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/2 Interface
Switch Port, TPID : 8100(Hex), The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 2cab-0083-3880
Port Mode: COMMON FIBER
Speed : 1000,  Loopback: NONE
Duplex: FULL,  Negotiation: DISABLE
Last 300 seconds input rate 184 bits/sec, 0 packets/sec
Last 300 seconds output rate 376 bits/sec, 0 packets/sec
Input peak rate 78224 bits/sec, Record time: 2008-01-01 01:21:42
Output peak rate 93152 bits/sec, Record time: 2008-01-01 01:18:22
Input:  31511 packets, 2595452 bytes
Unicast        :               29140, Multicast          :                2249
Broadcast      :                   0, Jumbo              :                  32
CRC            :                   0, Giants             :                  90
Jabbers        :                   0, Fragments          :                   0
Runts          :                   0, DropEvents         :                   0
Alignments     :                   0, Symbols            :                   0
Ignoreds       :                   0, Frames             :                   0
Discard        :                   0, Total Error        :                  90
Pause          :                   0
Output:  55317 packets, 4341335 bytes
Unicast        :               52978, Multicast          :                2276
Broadcast      :                   0, Jumbo              :                  63
Collisions     :                   0, Deferreds          :                   0
Late Collisions:                   0, ExcessiveCollisions:                   0
Buffers Purged :                   0
Discard        :                   0, Total Error        :                   0
Pause          :                   0
    Input bandwidth utilization threshold: 100.00%
    Output bandwidth utilization threshold: 100.00%
    Input bandwidth utilization  : 0.01%
    Output bandwidth utilization : 0.01%
[SwitchC-GigabitEthernet0/0/2] jumboframe enable 1700

49.What Are the Precautions for the Source Interface and Source Address When the peer connect-interface Command Is Run?

To establish a BGP peer connection between two indirectly connected physical interfaces, the peer connect-interface command must be run on both sides.

To establish a BGP peer connection between a local loopback interface and a remote interface, the loopback interface must be specified as the source interface in the command. To establish a BGP peer connection between a local physical interface and a remote interface, the physical interface must be specified as the source interface in the command.

To enable a device to send BGP packets even if its physical interface fails, you are advised to configure the device to use a loopback interface as the source interface of the BGP packets. When the loopback interface is used as the source interface of the BGP packets, ensure that the loopback interface address of the BGP peer is reachable.

For example, when setting up a BGP peer connection between SwitchA and SwitchB, run the peer connect-interface command as follows:

Configuration of SwitchA:

<SwitchA> system-view
[SwitchA] bgp 100
[SwitchA-bgp] peer 10.16.6.6 as-number 100 
[SwitchA-bgp] peer 10.16.6.6 connect-interface loopback0 10.18.8.8

Configuration of SwitchB:


<SwitchB> system-view
[SwitchB] bgp 100
[SwitchB-bgp] peer 10.18.8.8 as-number 100 
[SwitchB-bgp] peer 10.18.8.8 connect-interface loopback0 10.16.6.6



50.What Are the Differences Between SSH1.X and SSH2.0?

SSH2.0 and SSH1.X indicate the versions supported by the SSH server and client.

The SSH server compares its own SSH version with that sent by the SSH client and determines whether it can work with the client based on the ssh server compatible-ssh1x enable command configuration. If the command has been run to enable the SSH server to be compatible with earlier versions, the following processing logic is used:

- If the protocol version on the client is earlier than 1.3 or later than 2.0, version negotiation fails and the server disconnects from the client.

- If the protocol version on the client is later than or equal to 1.3 and earlier than 1.99, the SSH1.5 server module is invoked and the SSH1.X process is performed when the SSH1.X-compatible mode is configured. When the SSH1.X-incompatible mode is configured, version negotiation fails and the server disconnects from the client.

- If the protocol version on the client is 1.99 or 2.0, the SSH2.0 server module is invoked and the SSH2.0 process is performed.

On S series switches running V200R006 or an earlier version, the SSH server is enabled to be compatible with earlier versions by default. In V200R007 and later versions, the SSH server is disabled from being compatible with earlier versions by default for network security. If a switch is upgraded from an earlier version to V200R007 or a later version (the SSH server is enabled to be compatible with earlier versions by default before the upgrade), the SSH server is still enabled to be compatible with earlier versions after the upgrade.

SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X. SSH2.0 can eliminate the security risks that SSH1.X has. SSH2.0 is more secure and therefore is recommended. After the upgrade, you are advised to run the undo ssh server compatible-ssh1x enable command to disable the SSH server from being compatible with earlier versions to improve security.

51.How Can I Ensure Reliability of Stack Connections for Service Ports on Modular Switches?

Service ports are connected in two ways according to link distribution:

- 1+0 networking: Each member switch has one logical CSS port and connects to the other member switch through physical member ports on one service card.

- 1+1 networking: Each member switch has two logical CSS ports, and physical member ports of the logical CSS ports are located on two service cards. Cluster links on the two service cards implement link redundancy.

Note:

When connecting cluster cables, pay attention to the following points:

Physical member ports of a logical CSS port on one switch must connect to physical member ports of a logical CSS port on the other switch.

In 1+1 networking, it is recommended that two service cards have the same number of cluster links.

To ensure reliability, pay attention to the following points when using the preceding two service port clustering networkings:

- You are advised to use 1+1 networking and configure multi-active detection (MAD) to ensure high reliability.

- It is recommended that at least two physical member ports be added to a logical CSS port on a service card, and physical member ports added to the logical CSS port be connected to the peer member switch. All these links have a stack heartbeat detection mechanism, which can better monitor the stack status.

- It is not recommended that upstream ports and MAD ports be deployed on service cards that set up a cluster.



52. Why Is the Interface Error Packet Statistics Displayed on the NMS Inconsistent with That Displayed on the Switch?
To clear interface traffic statistics on the NMS, you need to run the reset counters if-mib interface command in the user view on the S series switch. To clear traffic statistics about an interface, you need to run the reset counters interface command in the user view on the S series switch.

The preceding commands are independent of each other, that is, running the reset counters if-mib interface command does not affect the traffic statistics displayed after the display interface command is executed. You can run the reset counters interface command to clear the traffic statistics that are displayed after the display interface command is executed. Similarly, running the reset counters interface command does not affect packet statistics on the NMS. You can run the reset counters if-mib interface command to clear the statistics about the interface that are displayed on the NMS.

53.What Are the Other Impacts After the reset arp static Command Is Run to Clear ARP Entries?
When you run the reset arp static command to clear static ARP entries, the command for configuring static ARP entries is also deleted.

Example:

[Quidway] arp static 1.1.1.1 0efc-0505-86e3
[Quidway] display current-configuration | include arp static
arp static 1.1.1.1 0efc-0505-86e3
[Quidway] quit
<Quidway> reset arp static
Warning: This operation will reset all static ARP entries, and clear the configurations of all static ARP, continue?[Y/N]:y
<Quidway> display current-configuration | include arp static   // The arp static 1.1.1.1 0efc-0505-86e3 command has been deleted.
<Quidway>   



54.How Can I Calculate the Card Resources Occupied by the Observing Ports in Mirroring Configuration?

When an observing port is configured on card A and packets on a mirrored port on card B are copied to the observing port on card A, the number of remaining observing ports to which packets on all the mirrored ports on card B can be copied is reduced accordingly.

For example, a maximum of six observing ports can be configured for an E series card in slot 1. Inbound packets on all the mirrored ports can be copied to a maximum of four observing ports, and outbound packets can be copied to a maximum of two observing ports. If the inbound and outbound packets on a mirrored port are copied to the same observing port on the card in slot 2, the numbers of remaining observing ports for inbound and outbound packets are 3 and 1 respectively. Therefore, the total number of remaining observing ports is 4 (equal to 3 plus 1) but not 5 (equal to 6 minus 1).

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 2/0/2
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-mirroring to observe-port 1 both


55.What Is the Implementation Mechanism of Log Suppression?
To enable suppression of statistics about consecutive repeated logs, you can run the info-center statistic-suppress enable command in the system view.

When an ARP attack or route link failure occurs, a large number of repeated logs are generated in a short time after ARP and VRRP are enabled. This wastes both the storage space and CPU resources, and users do not want to view these repeated logs. You can run the info-center statistic-suppress enable command to enable suppression of statistics about consecutive repeated logs so that the system can still record other logs.

Logs that are generated consecutively and with the identical log ID and parameters can be regarded as repeatedly generated logs.

Statistics about repeatedly generated logs are first output at the 30th second from the time the first log is output, and then statistics about repeatedly generated logs are output at the 120th second. After being output two times, statistics about repeatedly generated logs are output every 600 seconds.

By default, once receiving a log, the information center outputs the log. If the information center receives repeatedly generated logs within a period, it outputs the number of these logs and will output logs only when it receives a new log (a log with a different log ID). For example, a module sends logs to the information center in the sequence of A1(T1) A2(T2) A3(T2) B1(T3) B2(T4) B3(T4) C1(T5) C2(T6) A4(T7) B4(T8) B5(T8) B5(T8) B7(T9) A5(T9) B8(T10) D1(T11) A6(T11) A7(T12) A8(T12) A9(T13) A10(T14) A11(T15) A12(T16) A13(T17) A14(T18) B9(T18). A1 to A14 are the same; B1 to B9 are the same; C1, C2 and D1 are different from others; T1 to T18 are sequence numbers. The log information output by the information center is as follows:

T1:A1
T3(1): last message repeated 2 times
T3:B1
T5: last message repeated 2 times
T5:C1
T6:C2
T7:A4
T8:B4
T9(1): last message repeated 3 times
T9:A5
T10:B8
T11:D1
T11:A6
T13(2): last message repeated 3 times
T18(2): last message repeated 5 times
T18:B9

Logs of the service module received by the information center show that:

- Statistics about repeatedly generated logs are output when either of the following conditions is met:

a. The next log is a different log, as shown in (1).

b. The time period (every 30 seconds, 120 seconds, and 600 seconds) for outputting log statistics expires, as shown in (2).

- Each time the statistics are output, the service module resets the count. For example, during the period from T11 to T18, log A is generated 9 (1+3+5) times.

- The information center outputs logs in the same sequence in which the logs are generated, which makes it easy to trace information and reconstruct the scenario.

Note:

Logs that alternate in the sequence A B A B A B A B are repeated but not consecutive, so they cannot be suppressed using the info-center statistic-suppress enable command.

Example 1: If a port frequently alternates between Up and Down, logs cannot be suppressed.

Nov 18 2017 10:12:15+08:00 HNSY-WGX-ZXJ-SW1-S9306 %IFNET/4/IF_STATE(l)[4059453]:Interface GigabitEthernet6/0/45 has turned into UP state.
Nov 18 2017 10:12:18+08:00 HNSY-WGX-ZXJ-SW1-S9306 %IFNET/4/IF_STATE(l)[4059454]:Interface GigabitEthernet6/0/45 has turned into DOWN state.
Nov 18 2017 10:12:20+08:00 HNSY-WGX-ZXJ-SW1-S9306 %IFNET/4/IF_STATE(l)[4059455]:Interface GigabitEthernet6/0/45 has turned into UP state.
Nov 18 2017 10:12:29+08:00 HNSY-WGX-ZXJ-SW1-S9306 %IFNET/4/IF_STATE(l)[4059456]:Interface GigabitEthernet6/0/45 has turned into DOWN state.
Nov 18 2017 10:12:31+08:00 HNSY-WGX-ZXJ-SW1-S9306 %IFNET/4/IF_STATE(l)[4059457]:Interface GigabitEthernet6/0/45 has turned into UP state.
 



Example 2: If other logs are generated when repeatedly generated logs are printed, the suppression function will be interrupted.

Nov 18 2017 12:32:02+08:00 HNSY-WGX-ZXJ-SW1-S9306 %INFO/6/SUPPRESS_LOG(l)[4059459]:Last message repeated 1 times.(InfoID=5246983, ModuleName=IFNET, InfoAlias=IF_STATE)
Nov 18 2017 12:46:05+08:00 HNSY-WGX-ZXJ-SW1-S9306 %INFO/6/SUPPRESS_LOG(l)[4059460]:Last message repeated 4 times.(InfoID=5246983, ModuleName=IFNET, InfoAlias=IF_STATE)
Nov 18 2017 14:26:25+08:00 HNSY-WGX-ZXJ-SW1-S9306D/4/CPCAR_DROP_LPU(l)[4059461]:Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-reply, Drop-Count=0123) // If different logs are generated, the suppression function will be interrupted and the record will restart.
Nov 18 2017 17:56:25+08:00 HNSY-WGX-ZXJ-SW1-S9306 %INFO/6/SUPPRESS_LOG(l)[4059462]:Last message repeated 2 times.(InfoID=4280946691, ModuleName=DEFD, InfoAlias=CPCAR_DROP_LPU)
Nov 18 2017 18:06:25+08:00 HNSY-WGX-ZXJ-SW1-S9306 %INFO/6/SUPPRESS_LOG(l)[4059463]:Last message repeated 1 times.(InfoID=4280946691, ModuleName=DEFD, InfoAlias=CPCAR_DROP_LPU)
Nov 18 2017 18:30:00+08:00 HNSY-WGX-ZXJ-SW1-S9306 %IFNET/4/IF_STATE(l)[4059464]:Interface GigabitEthernet6/0/45 has turned into DOWN state.
Nov 18 2017 18:31:22+08:00 HNSY-WGX-ZXJ-SW1-S9306 %IFNET/4/IF_STATE(l)[4059465]:Interface GigabitEthernet6/0/45 has turned into UP state.



56.Why Is the Bandwidth of the VLANIF Interface on a Switch Displayed as 1 Gbit/s on the U2000?

The VLANIF interface is a logical interface and does not exist physically, and the switch does not provide information about bandwidth usage of the VLANIF interface. For bandwidth information obtained from the NMS, the default value of 1 Gbit/s is configured for the VLANIF interface based on the RFC rule.



57.Why Does a Switch Receive a Reply Packet After It Pings a Network ID (Network Address)?
SwitchA and SwitchB are directly connected through management interfaces. After the network ID 192.168.16.0 is pinged on SwitchA, SwitchA receives a reply packet.

When SwitchA pings the network ID, the destination MAC address of the ICMP packet sent by SwitchA is FFFF-FFFF-FFFF. If the service interface of SwitchB receives the ICMP packet, the packet is not sent to the CPU because only the ICMP unicast request packets destined to SwitchB are sent to the CPU. However, if the ICMP packet sent from SwitchA is received by the management interface of SwitchB, the packet is sent to the CPU. Therefore, SwitchA can receive an ICMP reply packet from SwitchB.



58.What Is the VTY Login Mechanism When an ACL Is Configured to Control the Login Rights of Some VTY Users?

The maximum number of login users on a switch is 15. An ACL is configured on VTY 0 to VTY 4 but not on VTY 5 to VTY 14. When only VTY 0 is currently occupied, a user can log in to the switch from an IP address excluded by the ACL, and the login occupies VTY 5.

<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
<HUAWEI> display current-configuration | begin user-interface
user-interface maximum-vty 15
user-interface con 0
authentication-mode aaa
idle-timeout 0 0
screen-length 25
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
user privilege level 3
idle-timeout 0 0
screen-length 25
protocol inbound telnet
user-interface vty 5 14
authentication-mode aaa
user privilege level 3
idle-timeout 0 0
screen-length 25
protocol inbound telnet
user-interface vty 16 20
#
<9312> display acl 2000
Basic ACL 2000, 3 rules
Acl's step is 5
rule 1 permit source 10.0.5.0 0.0.0.255 
rule 2 permit source 10.0.9.0 0.0.0.255 
rule 10 deny 
<9312> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0 24:49:10 pass no Username : admin
+ 34 VTY 0 00:00:00 TEL 10.0.9.10 pass no Username : admin

When another terminal with the IP address 10.1.18.213 is used to log in to the switch, the login is also successful. The following user information is displayed after the display users command is run:

<HUAWEI> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0 24:50:00 pass no Username : admin
+ 34 VTY 0 00:00:00 TEL 10.0.9.10 pass no Username : admin
39 VTY 5 00:00:02 TEL 10.1.18.213 pass no Username : admin


Using the terminal with the IP address 10.1.18.213, the user can log in to a switch running V200R010C00, but cannot log in to a switch running V200R001C00. This is because the VTY channels are traversed when the user logs in to a switch running V200R010. If the invalid IP address is denied by VTY 0 to VTY 4, the switch further traverses VTY 5 to VTY 14. When the user logs in to a switch running V200R001, if the invalid IP address is denied by VTY 0, the switch does not traverse VTY 1 to VTY 14, leading to a login failure.

59.Why Does a User Fail to Be Authenticated Due to the Long Password When the User Performs HWTACACS or RADIUS Authentication to Log In to the Device Through Telnet?
If the S series switch runs V200R003 or an earlier version, the switch can identify a maximum of 16 characters. Therefore, if a user logs in to the switch and enters a password longer than 16 characters, the password interaction is abnormal and the login fails. You are advised to change the password length (shorter than 16 characters) or upgrade the S series switch to V200R005 or a later version.


60.Why Is the Download Rate Slow in a Shared File Download Test on the WLAN?
Applicable versions and models: All models and versions of the WLAN AC
The higher the link setup rate, the higher the download rate of the STA. The link setup rate depends on factors such as the radio frequency bandwidth and guard interval (GI) mode.
To achieve a higher rate, configure higher working bandwidth, for example, 40 MHz (not recommended on the 2.4 GHz frequency band), and set the GI mode to short. If non-802.11ac APs and STAs are used, replace them with 802.11ac APs and STAs (such as MacBook), set the working bandwidth to 80 MHz, and set the GI mode to short.
In addition, if the current service data forwarding mode is tunnel forwarding, you can change the forwarding mode to direct forwarding and configure only one VAP to be generated on the AP under the download rate test.
However, the test mode of the shared file download is limited by the read/write performance of STAs. If the read/write performance of STAs reaches the bottleneck, the rate of the wireless link cannot be improved. The SpeedTest software can be used in the download rate test.
 
61.Why Are WLAN Users Disconnected Frequently?
Applicable versions and models: All WLAN AC models in the V200R005C00, V200R006C00, V200R007C00, and V200R008C00 versions
Answer: If multiple service sets bound to an AP have the same SSID but different service VLANs, WLAN users may go offline frequently. For example, the following configuration is incorrect:
service-set name ser-employee id 1
 forward-mode tunnel

 wlan-ess 1
 ssid chinamoney-2F
 traffic-profile id 1
 security-profile id 1
 service-vlan 207
service-set name ser-guest id 2
 forward-mode tunnel
 wlan-ess 2
 ssid chinamoney-2F-guest
 traffic-profile id 1
 security-profile id 2
 service-vlan 208
service-set name ser-employee-vlan209 id 3
 forward-mode tunnel
 wlan-ess 1
 ssid chinamoney-2F
 traffic-profile id 1
 security-profile id 1
 service-vlan 209
service-set name peixun id 4
 forward-mode tunnel
 wlan-ess 4
 ssid peixun
 traffic-profile id 1
 security-profile id 0
 service-vlan 206
ap 0 radio 0
 radio-profile id 0
 service-set id 1 wlan 1
 service-set id 2 wlan 2
 service-set id 3 wlan 3
 service-set id 4 wlan 4
ap 0 radio 1
 radio-profile id 0
 service-set id 1 wlan 1
 service-set id 2 wlan 2
 service-set id 3 wlan 3
 service-set id 4 wlan 4

 





 

This post was last edited by All_About_Switch at 2018-3-17 10:31.
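The version negotiation described in question 50, written out as an added Python example (not Huawei's code and not part of the original post). It also lists which clients would stop connecting once the undo ssh server compatible-ssh1x enable command is run. The client identification strings are constructed, and treating a malformed string as a failed negotiation is an assumption.

```python
import re

def parse_ident(ident):
    """Parse an SSH identification string 'SSH-<protoversion>-<software>'
    into a (major, minor) tuple, or None if it is malformed."""
    m = re.match(r"SSH-(\d+)\.(\d+)-\S", ident)
    return (int(m[1]), int(m[2])) if m else None

def negotiate(ident, compat_ssh1x):
    """Return 'ssh2.0', 'ssh1.5' or 'disconnect' following question 50.
    compat_ssh1x mirrors 'ssh server compatible-ssh1x enable'."""
    version = parse_ident(ident)
    if version is None:                      # assumption: malformed -> fail
        return "disconnect"
    if version in ((1, 99), (2, 0)):         # SSH2.0 server module
        return "ssh2.0"
    if (1, 3) <= version < (1, 99):          # SSH1.5 module only if compatible
        return "ssh1.5" if compat_ssh1x else "disconnect"
    return "disconnect"                      # earlier than 1.3 or later than 2.0

def broken_by_disabling_compat(idents):
    """Clients that connect today over SSH1.X and would be rejected after
    the compatibility mode is disabled."""
    return [i for i in idents
            if negotiate(i, True) == "ssh1.5" and negotiate(i, False) == "disconnect"]

# Constructed identification strings, e.g. collected from a login audit.
CLIENTS = [
    "SSH-2.0-example_client_a",
    "SSH-1.99-example_client_b",
    "SSH-1.5-example_legacy_client",
    "SSH-1.2-example_ancient_client",
    "SSH-2.1-example_future_client",
]

if __name__ == "__main__":
    for ident in CLIENTS:
        print(ident, negotiate(ident, True), negotiate(ident, False))
    print("affected:", broken_by_disabling_compat(CLIENTS))
```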
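A small simulation of the log suppression behaviour described in question 55, added here as an example (it is not the switch's implementation). Timestamps are in seconds and constructed. Counting the 600-second periods from the 120th second and printing nothing when a period expires with no repeats pending are assumptions.

```python
def deadlines(start):
    """Times at which repeat statistics are output for a run of identical
    logs whose first log was output at `start`: +30 s, +120 s, then every
    600 s (assumed to be counted from the 120th second)."""
    yield start + 30
    t = start + 120
    while True:
        yield t
        t += 600

def suppress(events, end_time=None):
    """events: time-ordered list of (seconds, log_id).
    Returns the output records as (time, kind, log_id, count), where kind is
    'log' for a printed log and 'repeat' for 'last message repeated N times'."""
    out = []
    last_id, count, timer, due = None, 0, None, None

    def run_timers(now):
        nonlocal count, due
        while due is not None and due <= now:
            if count:                       # condition b: the period expired
                out.append((due, "repeat", last_id, count))
                count = 0                   # the count restarts after each output
            due = next(timer)

    for t, log_id in events:
        run_timers(t)
        if log_id == last_id:               # consecutive identical log: suppressed
            count += 1
            continue
        if count:                           # condition a: a different log arrived
            out.append((t, "repeat", last_id, count))
            count = 0
        out.append((t, "log", log_id, 1))
        last_id, timer = log_id, deadlines(t)
        due = next(timer)
    if end_time is not None:
        run_timers(end_time)
    return out

def true_counts(records):
    """Rebuild how many times each log really occurred from the output."""
    totals = {}
    for _, _, log_id, n in records:
        totals[log_id] = totals.get(log_id, 0) + n
    return totals

# Constructed timing for the A6..A14, B9 part of the sequence in question 55.
TAIL = [(0, "A"), (10, "A"), (10, "A"), (20, "A"), (40, "A"), (60, "A"),
        (80, "A"), (100, "A"), (119, "A"), (125, "B")]

if __name__ == "__main__":
    for record in suppress(TAIL):
        print(record)
```

When counting events from a collected log, the repeat counts have to be added back as `true_counts` does, otherwise a burst of nine identical logs is read as a single one.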
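A configuration check for the situation in questions 42 and 58, added here as an example (not Huawei's code and not part of the original post): it finds VTY ranges with no inbound ACL and models which VTY a source address ends up on. The configuration text is constructed from the output shown in question 58; the traversal model is a simplification of the behaviour the post describes, and treating a source that matches no rule as denied is an assumption.

```python
import ipaddress
import re

# Constructed configuration: ACL 2000 is bound to VTY 0-4 only.
SAMPLE_CONFIG = """\
user-interface maximum-vty 15
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound telnet
user-interface vty 5 14
 authentication-mode aaa
 protocol inbound telnet
#
"""
# Same configuration with the ACL also bound to VTY 5-14.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "user-interface vty 5 14\n", "user-interface vty 5 14\n acl 2000 inbound\n")

def parse_acl(text):
    """Parse 'rule N permit|deny [source A W]' lines into sorted tuples."""
    rules = []
    for line in text.splitlines():
        m = re.fullmatch(r"rule (\d+) (permit|deny)(?: source (\S+) (\S+))?", line.strip())
        if m:
            net = int(ipaddress.IPv4Address(m[3])) if m[3] else 0
            wild = int(ipaddress.IPv4Address(m[4])) if m[4] else 0xFFFFFFFF
            rules.append((int(m[1]), m[2] == "permit", net, wild))
    return sorted(rules)

ACL_RULES = {2000: parse_acl("""\
rule 1 permit source 10.0.5.0 0.0.0.255
rule 2 permit source 10.0.9.0 0.0.0.255
rule 10 deny
""")}

def acl_permits(rules, src_ip):
    ip = int(ipaddress.IPv4Address(src_ip))
    for _, permit, net, wild in rules:
        care = ~wild & 0xFFFFFFFF            # bits the wildcard does not ignore
        if ip & care == net & care:
            return permit
    return False                             # assumption: no matching rule -> deny

def parse_vty_groups(config):
    """Return [(first, last, acl_number_or_None)] for each VTY range."""
    groups, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"user-interface vty (\d+) (\d+)", line)
        if m:
            groups.append([int(m[1]), int(m[2]), None])
            inside = True
        elif line.startswith("user-interface") or line == "#":
            inside = False
        elif inside:
            a = re.fullmatch(r"acl (\d+) inbound", line)
            if a:
                groups[-1][2] = int(a[1])
    return sorted((tuple(g) for g in groups), key=lambda g: g[0])

def unprotected_vty(config):
    """VTY ranges that accept logins from any source address."""
    return [(first, last) for first, last, acl in parse_vty_groups(config) if acl is None]

def assign_vty(config, src_ip, occupied, traverse_all):
    """VTY index the login lands on, or None if it is refused.
    traverse_all=True models V200R010 (keeps looking after a deny),
    traverse_all=False models V200R001 (stops at the first deny)."""
    for first, last, acl in parse_vty_groups(config):
        for idx in range(first, last + 1):
            if acl is not None and not acl_permits(ACL_RULES[acl], src_ip):
                if not traverse_all:
                    return None
                break                        # the range shares one ACL; try the next range
            if idx not in occupied:
                return idx
    return None

if __name__ == "__main__":
    print("unprotected:", unprotected_vty(SAMPLE_CONFIG))
    print("10.1.18.213 lands on VTY", assign_vty(SAMPLE_CONFIG, "10.1.18.213", {0}, True))
```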
WoodWood  Admin   Released on 2018-3-6 18:23:05 Helpful(0) Helpful(0)


gululu  Admin   Released on 2018-3-7 08:31:54 Helpful(0) Helpful(0)


Come on!
wissal     Released on 2018-6-5 18:52:53 Helpful(0) Helpful(0)

useful document, thanks