Preface - Experience, Issue126(Data Products).pdf · Preface Maintenance Experience Editorial Committee Maintenance Experience Newsroom Address: ZTE Plaza, Keji Road South, Hi-Tech


Preface

Maintenance Experience Editorial Committee

Maintenance Experience Newsroom

Address: ZTE Plaza, Keji Road South, Hi-Tech Industrial Park, Nanshan District, Shenzhen, P.R.China

Postal code: 518057

Contact: Song Chunping

Email: [email protected]

Tel: +86-755-26770600, 26771195

Fax: +86-755-26772236

Document support mail box: [email protected]

Technical support website: http://ensupport.zte.com.cn

Maintenance Experience Editorial Committee
ZTE Corporation
August, 2008

In this issue of ZTE's "Maintenance Experience", we continue to pass on various field reports and resolutions that are gathered by ZTE engineers and technicians around the world.

The content presented in this issue is as below:

● One Special Document
● Nine Maintenance Cases of ZTE's Data Products

Have you examined your service policies and procedures lately? Are you confident that your people are using all the tools at their disposal? Are they trained to analyze each issue in a logical manner that provides for less downtime and maximum customer service? A close look at the cases reveals how to isolate suspected faulty or mis-configured equipment, and how to solve a problem step by step. As success in commissioning and service is usually a mix of both discovery and analysis, we consider this type of approach an example of successful troubleshooting investigation.

While corporate leaders maintain and grow plans for expansion, ZTE employees in all regions contribute individual efforts towards the internationalization of the company. Momentum continues to build at all levels, from office interns to veteran engineers, who work together to bring a global focus into their daily work.

If you would like to subscribe to this magazine (electronic version) or review additional articles and relevant technical materials concerning ZTE products, please visit the technical support website of ZTE Corporation (http://ensupport.zte.com.cn).

If you have any ideas and suggestions or want to offer your contributions, you can contact us at any time via the following email: [email protected].

Thank you for making ZTE a part of your telecom experience!

Maintenance Experience
Bimonthly for Data Products
No.47 Issue 126, August 2008

Director: Qiu Weizhao

Deputy Director: Chen Jianzhou

Editors: Jiang Guobing, Zhang Shoukui, Wu Feng, Yuan Yufeng, Tang Hongxuan, Chen Huachun, Li Gangyi, Gu Yu, Song Jianbo, Tian Jinhua, Du Jianli, Qu Ruizheng, Zhang Zhongdong, Liu Xianmin, Wang Zhaozheng, Liu Wenjun, Wang Yapping, Lei Kun, Wang Tiancheng, Cai Hongming

Technical Senior Editors: Hu Jia, Bai Jianwen

Executive Editor: Zhang Fan

Contents

SNMP Protocol Configuration
  1 SNMP Overview
  2 SNMP Principle
    2.1 SNMP Protocol
    2.2 Management Information Base
    2.3 SNMP Packet
    2.4 SNMP Message Types
    2.5 SNMP Working Procedure
    2.6 SNMPv2 and SNMPv3
  3 Configuring SNMP
  4 SNMP Application
  5 SNMP Diagnosis and Maintenance

T64G Route Loop Processing
  Network Topology
  Malfunction Situation
  Malfunction Analysis
  Solution

Link Interrupt Caused by POS Parameter Mismatch
  POS Overview
  Network Topology
  Malfunction Situation
  Malfunction Analysis
  Solution
  Experience Summary

Label Distribution Malfunction in MPLS
  Network Topology
  Malfunction Situation
  Malfunction Analysis
  Solution
  Experience Summary

STP Malfunction on 2826S Switch
  Network Topology
  Malfunction Situation
  Malfunction Analysis
  Solution

OSPF Equivalent Default Route
  Network Topology
  Malfunction Situation
  Malfunction Analysis
  Solution
  Experience Summary

Supervlan Configuration
  Network Topology
  Malfunction Situation
  Malfunction Analysis
  Solution
  Experience Summary

Address Superposition
  Network Topology
  Malfunction Situation
  Malfunction Analysis
  Solution
  Experience Summary

Switch CPU Utilization Ratio Abnormity
  Network Topology
  Malfunction Situation
  Malfunction Analysis
  Solution
  Experience Summary

GGSN Cell Phone Online Service through IP Bearer Network
  Network Topology
  Cell Phone Online Service through IP Bearer Network
  Related Configuration

⊙ Yang Zhiwei / ZTE Corporation

SNMP Protocol Configuration

1 SNMP Overview

Simple Network Management Protocol (SNMP) is a suite of network management protocols defined by the Internet Engineering Task Force (IETF). It is based on the Simple Gateway Monitor Protocol (SGMP). With SNMP, a management station can remotely manage all network devices that support the protocol, for example by monitoring the network state, modifying the configurations on the devices and receiving alarms for network events.

SNMP manages devices on a server/client basis. The background network management servers work as the SNMP servers and the foreground network devices work as the clients. The background devices and the foreground devices share a Management Information Base (MIB) and communicate with each other through SNMP. When a routing switch works as the SNMP agent, it is required to specify an SNMP server and to define the contents and privileges that are allowed to be sampled.

Key words: SNMP, network management, MIB

The network managed by SNMP consists of three parts:

The managed devices: A managed device (also called network equipment) is a node in the managed network that contains an SNMP agent. A managed device collects and stores management information, which the NMS can obtain through SNMP. A managed device can be a router, an access server, a switch, a bridge, a hub, a host or a printer.

The agent: An SNMP agent is a module of the network management software on the managed device. The SNMP agent holds the related local management information and converts it to a format that is compatible with SNMP.

The Network Management System (NMS): An NMS runs the application programs that monitor and manage devices. The NMS also provides rich processing programs and the necessary storage resources. A managed network should have one or more NMSs.

At present, there are SNMPv1, SNMPv2 and SNMPv3. There is little difference between SNMPv1 and SNMPv2. SNMPv3 is an enhanced version which contains the operations of the other protocols. Compared with SNMPv1 and SNMPv2, SNMPv3 is more secure and supports remote configuration. To solve compatibility between the different versions, RFC3584 defines the coexistence policy. SNMPv1 and SNMPv2 are in widespread use, and the use of SNMPv3 is increasing.

2 SNMP Principle

2.1 SNMP Protocol

SNMP is the communication protocol between the management process and the agent process. It is an application layer protocol, and the lower layer protocol is UDP. The management process uses port 162 and the agent process uses port 161. The position of SNMP in the TCP/IP suite is shown below.

SNMP
UDP
IP
Link layer protocol
Hardware physical layer

SNMP uses the agent/management station mode. Network management and maintenance are implemented through the interactions between the agent and the management station. The subordinate SNMP agents respond to the queries about the MIB from the management station (principal SNMP agent).

2.2 Management Information Base

SNMP is a protocol on the application layer. It requires the protocol entities at both sides to exchange different types of messages. However, user data on the lower layer must be BYTE sequences. This raises a coding problem: how does an SNMP protocol entity identify the message in a received BYTE sequence, and how does it convert a message expressed in an internal data structure to a BYTE sequence and then send it out?

To solve this problem, it is necessary to define a data structure that is abstracted from the actual software data structure, called the abstract syntax. Therefore, the Management Information Base (MIB) is defined. It includes all parameters that may be queried and modified in the agent process.

The MIB is a set of standard variable definitions for the monitored network devices. SNMP uses a hierarchical naming rule to identify the management objects. The structure is like a tree in which each node stands for a management object. Each node is identified by a unique path from the root to the node, as shown in Figure 1.

Figure 1. Tree Structure

Management object B can be identified uniquely by the number string {1.2.1.1}. This number string is the object identifier of the management object, which identifies a path from the root of the tree to B.

The object identifier of A is {1.2.1.1.5} or {B 5}. {B 5} means A is the fifth child of B.

On the managed device, the tree is implemented by a complicated data structure. Fortunately, the tree is built by the MIB compiler. The pointers to the access functions are kept in the leaf nodes. The agent obtains the values of the management variables from the related modules by using these functions.

2.3 SNMP Packet

The SNMP agent and the management station communicate with each other through the standard messages of SNMP. Each message is an independent data packet. SNMP uses UDP as the layer 4 protocol. An SNMP packet consists of two parts: the SNMP header (consisting of the version identifier and the community name) and the Protocol Data Unit (PDU), as shown in Figure 2.

● Version Identifier

A version identifier ensures that all SNMP agents use the same version of SNMP. Each SNMP agent discards data packets whose version differs from its own.

● Community Name

The subordinate SNMP agent authenticates the SNMP management station by means of the community name. When authentication is configured, the subordinate SNMP agent authenticates the community name and the IP addresses of the management stations. If the authentication fails, the subordinate SNMP agent sends a Trap message indicating authentication failure to the management station.

● PDU

The type of an SNMP message and the related parameters are specified in a PDU.

2.4 SNMP Message Types

SNMP defines five types of messages:

● Get-Request
● Get-Response
● Get-Next-Request
● Set-Request
● Trap

The SNMP management station uses Get-Request messages to query the SNMP agent for information about the network devices. The SNMP agent replies with Get-Response messages. The Get-Next-Request message is used together with the Get-Request message to query the column elements of a specified table object.

The SNMP management station uses Set-Request messages to configure the network devices remotely. The configuration includes configuring the device name and attributes, deleting a device, and enabling or disabling an attribute.

When emergent events occur, the managed devices send Trap messages to the SNMP management station. When the SNMP management station receives the Trap PDU, it displays the contents from the variable dual table. The common Trap types include cold boot, hot boot and link state change.

2.5 SNMP Working Procedure

The agent residing in the managed device receives the request messages through UDP port 161. After decoding and community name authentication, the agent gets the corresponding nodes of the management variables in the MIB and the values of the variables. Then the agent generates response messages, encodes them and sends them back to the management station. When the management station receives the response messages, it takes the same actions.

Figure 2. SNMP Packet

According to RFC1157, the detailed process of the agent when it receives a message is described below.

(1) The agent decodes the message according to the ASN.1 coding rule, and then generates the message expressed in its internal data structure. When an error occurs during decoding, the message is discarded.

(2) The agent gets the version number from the message and compares it with the version number that the agent supports. If the numbers are different, the message is discarded.

(3) The agent gets the community name from the message. The community name is filled in by the management station which sends the message. If the community name is different from the name that the device recognizes, the message is discarded and the agent generates a Trap message.

(4) When the message passes authentication, the agent extracts the PDU and processes it. Otherwise, the message is discarded. Then the agent generates a message and sends it to the destination. The destination is the source address of the received message.
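The four steps above can be followed in code. This is an added example, not part of the original article or of ZTE's agent: a minimal BER reader for the SNMPv1/v2c header plus the checks from steps (1) to (4) and the source-address check from section 2.3. The Agent class, its fields and the returned action strings are illustrative assumptions; the community aaaa and the station address 132.109.96.29 come from the article's sample configuration, and 10.0.0.99 is a constructed address.

```python
from dataclasses import dataclass

# The five message types listed in section 2.4, keyed by their BER tag (RFC 1157).
PDU_TYPES = {0xA0: "Get-Request", 0xA1: "Get-Next-Request",
             0xA2: "Get-Response", 0xA3: "Set-Request", 0xA4: "Trap"}


class DecodeError(ValueError):
    """Raised when a datagram is not well-formed BER."""


def read_tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise DecodeError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DecodeError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DecodeError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_header(datagram):
    """Return (version, community, pdu_type, pdu_bytes) of an SNMPv1/v2c message."""
    tag, body, end = read_tlv(datagram, 0)
    if tag != 0x30 or end != len(datagram):
        raise DecodeError("outer SEQUENCE expected")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02 or not ver:
        raise DecodeError("version INTEGER expected")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise DecodeError("community OCTET STRING expected")
    tag, pdu, pos = read_tlv(body, pos)
    if tag not in PDU_TYPES or pos != len(body):
        raise DecodeError("unknown PDU type or trailing bytes")
    return int.from_bytes(ver, "big"), community.decode("latin-1"), PDU_TYPES[tag], pdu


@dataclass
class Agent:                              # hypothetical model of the agent side
    version: int                          # wire value: 0 = SNMPv1, 1 = SNMPv2c
    communities: dict                     # community name -> "ro" or "rw"
    allowed_sources: set                  # management station addresses

    def handle(self, datagram, source_ip):
        try:                              # step 1: ASN.1 decoding
            version, community, pdu_type, _ = decode_header(datagram)
        except DecodeError:
            return ("discard", "decode error")
        if version != self.version:       # step 2: version comparison
            return ("discard", "bad version")
        access = self.communities.get(community)
        if access is None or source_ip not in self.allowed_sources:
            # step 3: unknown community or station, discard and raise a Trap
            return ("discard+trap", "authenticationFailure")
        if pdu_type == "Set-Request" and access != "rw":
            # a write through an ro community is refused, not processed
            return ("reject", "illegal operation for community")
        return ("process", pdu_type)      # step 4: hand the PDU on


def tlv(tag, value):
    """Encode one short-form TLV (enough for the constructed samples)."""
    if len(value) >= 0x80:
        raise ValueError("sample encoder only supports short-form lengths")
    return bytes([tag, len(value)]) + value


def build_message(version, community, pdu_tag):
    """Constructed sample: one request for sysContact.0 (1.3.6.1.2.1.1.4.0)."""
    oid = bytes([0x2B, 6, 1, 2, 1, 1, 4, 0])
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")))
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community.encode()) + pdu)


def demo():
    nms = "132.109.96.29"
    agent = Agent(version=1, communities={"aaaa": "ro"}, allowed_sources={nms})
    good = build_message(1, "aaaa", 0xA0)
    return [
        agent.handle(good, nms),                                  # accepted
        agent.handle(good[:-3], nms),                             # truncated
        agent.handle(build_message(0, "aaaa", 0xA0), nms),        # wrong version
        agent.handle(build_message(1, "public", 0xA0), nms),      # wrong community
        agent.handle(good, "10.0.0.99"),                          # unknown station
        agent.handle(build_message(1, "aaaa", 0xA3), nms),        # Set via ro
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

decode_header recovers the community name directly from the datagram bytes: in SNMPv1 and SNMPv2c it is carried unencrypted, so the source-address restriction is the only other barrier in front of the agent.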

2.6 SNMPv2 and SNMPv3

SNMP developed rapidly in the early 1990s, but its shortcomings were also exposed. For example, it was hard to transmit a lot of data and it lacked ID authentication and privacy mechanisms. Therefore, SNMPv2 was released in 1993. It has the following features:

● Supporting distributed network management
● Extending data types
● Supporting the transmission of a lot of data
● Adding functions to process malfunctions
● Strengthening the ability of the data definition language

However, SNMPv2 did not satisfy the expected requirements completely, especially on security, such as authentication (including ID authentication when users initially access the system, information integrity analysis and prevention of repeated operations), encryption, authorization, access control, and remote secure configuration and management capability. In 1996, the modified version of SNMPv2, that is, SNMPv2c, was released. These functions were improved in this version. However, the security performance was not enhanced. SNMPv2c continued to use the plain-text-based authentication mode of SNMPv1.

The IETF SNMPv3 working group brought forward RFC 2271~2275 to form SNMPv3 in January, 1998. These documents define a system framework that covers all functions of SNMPv1 and SNMPv2. They also define a new security mechanism (including the authentication service and the encryption service) and a suite of network security and access control rules. In other words, SNMPv3 adds security and management mechanisms on top of SNMPv2. The system structure of SNMPv3 defined by RFC 2271 embodies a modular design. Therefore, functions can be added and modified easily. The SNMPv3 series documents (RFC2570~2575) supplement and refine RFC2271~2275.

3 Configuring SNMP

ZXR10 routers, switches and ZXUAS devices support SNMPv1, SNMPv2c and SNMPv3. The configuration commands and parameters are described below.

(1) To configure an SNMP community, use the following command.

snmp-server community <community-name> [view <view-name>] [ro | rw]

SNMPv1 and SNMPv2c use the community authentication mode. A community can be set to read-only (ro) or read-write (rw). In ro mode, the community can only query the information on the device. In rw mode, the community can query the information and configure the device.

This command is used in the global configuration mode. <community-name> is a string of 1~32 characters. <view-name> is the view name of an MIB.

The privilege to operate the device (ro or rw) is restricted by the view. If the view parameter is omitted, the default view is used. When the ro | rw keyword is omitted, the system uses ro by default.

(2) To define an SNMPv2 view, use the following command.

snmp-server view <view-name> <subtree-id> {included | excluded}

<view-name> is a character string. <subtree-id> can be an object identifier (OID) in the form of 1.2.3.4.5, or the node name of the MIB subtree (such as internet). Use the keywords included or excluded to include or exclude a subtree.

(3) To configure the system principal contact mode of an MIB object, use the following command.

snmp-server contact <mib-syscontact-text>

sysContact is a management variable of the MIB II system group. It contains the principal identifier and contact method of the managed device.

Example: This example describes how to set the contact mode of the system principal.

ZXR10(config)#snmp-server contact this is ZXR10, tel:(025)52872006

(4) To configure the location of an MIB object, use the following command.

snmp-server location <mib-syslocation-text>

The location of an MIB object (sysLocation) is an administrative variable in the system group of MIB II.

Example: This example describes how to set the system location of the MIB object.

ZXR10(config)#snmp-server location this is ZXR10 in china

(5) To configure the types of Trap messages that are allowed to be sent, use the following command.

snmp-server enable trap [<notification-type>]

Trap messages are sent by the managed devices to the NMS, without being requested, to report emergent events. They can include information about BGP, OSPF, RMON, SNMP, Stalarm and VPN.

(6) To configure the destination host of Trap messages, use the following command.

snmp-server host [mng | vrf <vrf-name>] <ip-address> [trap | inform] version {1 | 2c | 3 {auth | noauth | priv}} <community-name> [udp-port <udp-port>] [<trap-type>]

This command configures the VRF name, IP address, version, authentication mode, community name, UDP port and Trap type of a Trap message or an Inform message.

(7) To configure an ACL that controls the addresses of the hosts that access the system through SNMP, use the following command.

snmp-server access-list <acl-number>

This command configures the number of the ACL that is matched to control the addresses of the hosts that access the system through SNMP.

(8) To configure the name of an SNMP context, use the following command.

snmp-server context <context-name>

This command applies only to SNMPv3.

(9) To configure an SNMP group, use the following command.

snmp-server group <groupname> v3 {auth | noauth | priv} [context <context-name> match-prefix | match-exact] [read <readview>] [write <writeview>] [notify <notifyview>]

This command configures an SNMPv3 group and specifies the group name, authentication mode, context name, read view name, write view name and notify view name.

(10) To configure an SNMP user, use the following command.

snmp-server user <username> <groupname> v3 [encrypted] [auth {md5 | sha} <auth-password> [priv des56 <priv-password>]]

This command applies only to SNMPv3. The keyword encrypted means that the password is not the original text but a worked key. It is not recommended to use this option.

4 SNMP Application

The application of SNMPv1 and SNMPv2c is shown below.

snmp-server community aaaa view AllView ro
/*configure the community name and the view name*/
snmp-server enable trap
snmp-server enable inform
snmp-server host 132.109.96.29 inform version 2c aaaa
snmp-server host 132.109.96.29 trap version 2c aaaa
syslog server 132.109.96.29 fport 514 lport 514
unm on
unm server mng 132.109.96.29 aaaa
/*the SNMP network management is MNG management*/

The application of SNMPv1 and SNMPv2c on the E series devices is shown below.

unm on
logging on
snmp-server enable trap
snmp-server enable inform
snmp-server community public view AllView ro
snmp-server community private view AllView rw
/*use two communities, one is "read only", the other is "read and write"*/
snmp-server host 10.40.46.188 trap version 2c public
logging trap informational public 10.40.46.188
unm server 10.40.46.188 public

The application of SNMPv3 is shown below.

unm on
unm server 168.1.1.1 public
snmp-server context contexta
snmp-server group group1 v3 priv context contexta read view1 write view1 notify view1
snmp-server host 168.1.1.1 ver 3 auth user10 ospf snmp
/*configure the sending host address. The version is V3. Authentication is configured. The SNMPv3 user name is user10.*/
snmp-server view view1 1.3.6.1.2.1.1 included
/*define a view*/
snmp-server user user10 group1 v3 auth md5 12345678 priv des56 12345678
/*configure the user name and password*/
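The sample configurations above can be reviewed mechanically before they reach a device. This is an added example, not ZTE tooling: a small auditor for snmp-server lines written in the command syntax of section 3. The rule names and the audit function are illustrative assumptions, WEAK is assembled from the article's own samples, and HARDENED (ACL number 10, view name mgmtview, the pass phrases) is constructed.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # names used in the E series sample


def audit(config_text):
    """Return a list of (rule, subject) findings for snmp-server lines."""
    findings = []
    rows = [ln.split() for ln in config_text.splitlines()]
    rows = [t for t in rows if len(t) >= 3 and t[0] == "snmp-server"]
    has_acl = any(t[1] == "access-list" for t in rows)
    has_community = False
    for t in rows:
        kind, args = t[1], t[2:]
        try:
            if kind == "community":
                has_community = True
                name = args[0]
                if name in DEFAULT_COMMUNITIES:
                    findings.append(("default-community", name))
                if "rw" in args[1:]:          # ro is the default when omitted
                    findings.append(("rw-community", name))
            elif kind == "host":
                # the article writes both "version" and the short form "ver"
                i = [k for k, a in enumerate(args) if a in ("version", "ver")][0]
                ip = [a for a in args[:i] if a.count(".") == 3][0]
                if args[i + 1] in ("1", "2c"):
                    # notifications carry the community name unencrypted
                    findings.append(("cleartext-host", ip))
                elif args[i + 1] == "3" and args[i + 2] != "priv":
                    findings.append(("v3-host-no-priv", ip))
            elif kind == "group":
                if args[1] == "v3" and args[2] != "priv":
                    findings.append(("v3-group-no-priv", args[0]))
            elif kind == "user":
                user, opts = args[0], args[3:]   # after <username> <groupname> v3
                if "auth" not in opts:
                    findings.append(("user-no-auth", user))
                    continue
                i = opts.index("auth")
                alg, auth_pw = opts[i + 1], opts[i + 2]
                if alg == "md5":              # sha is the other option offered
                    findings.append(("user-md5", user))
                if "priv" not in opts[i + 3:]:
                    findings.append(("user-no-priv", user))
                elif opts[opts.index("priv", i + 3) + 2] == auth_pw:
                    findings.append(("user-password-reuse", user))
        except (IndexError, ValueError):
            findings.append(("unparsed", " ".join(t)))
    if has_community and not has_acl:
        # community access without the ACL from item (7) of section 3
        findings.append(("no-acl", "snmp-server access-list"))
    return findings


# Lines taken from the article's samples (user line in the item (10) syntax).
WEAK = """
snmp-server community public view AllView ro
snmp-server community private view AllView rw
snmp-server host 10.40.46.188 trap version 2c public
snmp-server group group1 v3 priv context contexta read view1 write view1 notify view1
snmp-server host 168.1.1.1 ver 3 auth user10 ospf snmp
snmp-server view view1 1.3.6.1.2.1.1 included
snmp-server user user10 group1 v3 auth md5 12345678 priv des56 12345678
"""

# Constructed counterpart: SNMPv3 only, priv everywhere, ACL applied.
HARDENED = """
snmp-server access-list 10
snmp-server view mgmtview 1.3.6.1.2.1.1 included
snmp-server group group1 v3 priv read mgmtview notify mgmtview
snmp-server host 168.1.1.1 version 3 priv user10
snmp-server user user10 group1 v3 auth sha Example-Auth-Phrase priv des56 Example-Priv-Phrase
"""

if __name__ == "__main__":
    for rule, subject in audit(WEAK):
        print(f"{rule:22} {subject}")
    print("hardened findings:", audit(HARDENED))
```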

5 SNMP Diagnosis and Maintenance

The following commands are used for SNMP diagnosis and maintenance.

(1) To display the statistics information about the SNMP messages, use show snmp command, as shown below.

ZXR10(config)#show snmp
Contact : +86-25-52870000
Location: No.68 Zijinghua Rd. Yuhuatai District, Nanjing, China
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors (Maximum packet size 1400)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs

(2) To display all of the current configurations of SNMP, use show snmp config command, as shown below.

ZXR10(config)#show snmp config
snmp-server location No.68 Zijinghua Rd. Yuhuatai District, Nanjing, China
snmp-server contact +86-25-52870000
snmp-server packetSize 1400
snmp-server engine-id 830900020300010289d64401
snmp-server community aaaa view AllView ro
snmp-server enable trap
snmp-server enable inform
snmp-server host 132.109.96.29 inform version 2c aaaa
snmp-server host 132.109.96.29 trap version 2c aaaa
syslog server 132.109.96.29 fport 514 lport 514
unm on
unm server mng 132.109.96.29 aaaa
logging on

(3) To display the local engine ID of SNMP, use show snmp engine-id command, as shown below. As the core part of an SNMP entity, an SNMP engine is used to receive and authenticate SNMP messages, and to extract PDUs and assemble messages to communicate with the SNMP program.

ZXR10(config)#show snmp engine-id
the engine-id:830900020300010289d64401

(4) To display the local groups of SNMP, use show snmp group command, as shown below.

ZXR10#show snmp group
groupName :group1
sec_Model :v3
sec_Level :PRIV
readView :view1
writeView :view1
notifyView:view1
rowStatus :ACTIVE

(5) To display the local users of SNMP, use show snmp user command, as shown below.

ZXR10(config)#show snmp user
username :user10
engine-id :830900020300010289d64401
auth_type :MD5
group_name :group1(v3)
encryptType:DES_CBC
storageType:NONVOLATILE
row_status :ACTIVE

T64G Route Loop Processing

⊙ Li Kui / ZTE Corporation

Key words: TTL, static route, route loop

Network Topology

As shown in Figure 1, the devices in the network are connected in series. Static routes are configured on T64G and T160G.

Figure 1. Network Topology

Malfunction Situation

Recently, users said that there were many alarms indicating TTL=1 on the uplink port of T64G. The alarms appeared once every several minutes. These alarms had not appeared before. The users were worried that this would affect the CPU and services.

Malfunction Analysis

To find out the problem, the engineers took the following steps.

(1) The engineers logged into the T64G and found many alarms indicating TTL=1 on the uplink port. TTL is the time to live of a packet. By default, the TTL value is 255. Each time a packet passes a hop, the TTL value is decreased by one. When the TTL value is decreased to 1, the packet is discarded. Therefore, there may be a route loop on the device. The engineers logged into the T160G and also found many alarms indicating TTL=1 and alarms for ICMP packets on the uplink port.

(2) To find out the source address of the packets, it was necessary to capture them. It was a gigabit uplink port, so it was not suitable to mirror the data on the port. With the agreement of the users, the engineers captured the packets on the line card. The result showed that one source address was sending a lot of packets to a host in the network, and the protocol type of the packets was null, as shown in Figure 2. This might be caused by a virus or an attack. It was recommended to configure an ACL to filter the source IP address.

Figure 2. Result of Packet Capturing

(3) After configuring the ACL, the engineers found that there were still alarms indicating TTL=1 on the T64G. Therefore, the problem was not caused by a virus or an attack. The engineers logged into the devices again to check the configurations. They found that there were many static routes on the T64G and T160G.

(4) The engineers checked the static route configuration. They found that redundant static routes were configured on the T64G. These routes used to point to the 5200G, but they were not deleted after the address of the 5200G was changed. Therefore, the packets were forwarded back and forth between the T64G and T160G, which caused the route loop. When the TTL of the packets was decreased to 1, the packets were discarded.

Solution

The engineers deleted these static routes. The alarms disappeared. The problem was solved. ■
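The loop found in step (4), as an added example that is not part of the original article: a small forwarding simulation with longest-prefix match that shows why a stale static route produces TTL=1 discards on both devices, and an audit that traces every static route. The prefixes, the CORE device name and the route tables are constructed for illustration, because the article does not list the actual routes.

```python
import ipaddress

# Constructed static-route tables; the article does not list the real routes.
# Entry: (destination prefix, next-hop device). Devices without a table of
# their own (here "5200G" and "CORE") are treated as the end of the path.
ROUTES = {
    "T64G": [
        ("192.0.2.0/24", "T160G"),    # stale: the 5200G's old address range
        ("203.0.113.0/24", "T160G"),  # the 5200G's new address range
        ("0.0.0.0/0", "CORE"),
    ],
    "T160G": [
        ("203.0.113.0/24", "5200G"),
        ("0.0.0.0/0", "T64G"),        # anything unknown is sent back to T64G
    ],
}


def lookup(device, dst, routes):
    """Longest-prefix match on one device; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, next_hop in routes.get(device, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, next_hop
    return best_hop


def trace(start, dst, ttl=255, routes=ROUTES):
    """Forward one packet hop by hop, decrementing TTL at every hop.

    The device holding the packet when TTL has reached 1 discards it,
    which is the event behind the TTL=1 alarm in the article.
    """
    device, path, first_seen, loop = start, [start], {start: 0}, None
    while device in routes:
        if ttl <= 1:
            return {"outcome": "ttl_expired", "at": device,
                    "hops": len(path) - 1, "loop": loop}
        next_hop = lookup(device, dst, routes)
        if next_hop is None:
            return {"outcome": "no_route", "at": device,
                    "hops": len(path) - 1, "loop": loop}
        ttl -= 1
        device = next_hop
        path.append(device)
        if loop is None and device in first_seen:
            loop = path[first_seen[device]:-1]   # devices forming the cycle
        first_seen.setdefault(device, len(path) - 1)
    return {"outcome": "delivered", "at": device,
            "hops": len(path) - 1, "loop": None}


def audit(routes=ROUTES):
    """Trace one address from every non-default static route; report loops."""
    findings = []
    for device, table in routes.items():
        for prefix, _ in table:
            net = ipaddress.ip_network(prefix)
            if net.prefixlen == 0:
                continue
            probe = str(net.network_address + 1)
            result = trace(device, probe, routes=routes)
            if result["outcome"] == "ttl_expired":
                findings.append((device, prefix, tuple(result["loop"] or ())))
    return findings


def without_route(routes, device, prefix):
    """Return a copy of the tables with one static route deleted (the fix)."""
    fixed = {name: list(table) for name, table in routes.items()}
    fixed[device] = [r for r in fixed[device] if r[0] != prefix]
    return fixed


if __name__ == "__main__":
    print(trace("T64G", "192.0.2.10"))           # expires on T64G
    print(trace("T64G", "192.0.2.10", ttl=64))   # expires on T160G
    print(audit())
    print(audit(without_route(ROUTES, "T64G", "192.0.2.0/24")))
```

Which device raises the alarm depends on the packet's initial TTL and entry point, which is consistent with the alarms appearing on both the T64G and the T160G.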

Link Interrupt Caused by POS Parameter Mismatch

⊙ Zhou Hongwei / ZTE Corporation

Key words: POS, C2, S1S0, J1, G1Error

POS Overview

Packet over SONET/SDH (POS) is a technique that uses SONET/SDH to provide high-speed transmission paths to transmit IP data. It encapsulates packets with link layer protocols such as PPP, HDLC and CHDLC, and then maps the encapsulated packets to the SONET/SDH synchronous payload through the service adapter in the path layer of SONET/SDH. After that, the payload passes through the SONET/SDH transmission layer and section layer. Path overhead and section overhead are added to the payload. Then the payload is encapsulated into a SONET/SDH frame. When it reaches the optical network, it is transmitted in fibers. POS remains connectionless.

The important parameters of POS are described as follows:

C2: It is the signal label byte, part of the Higher-Order Path Overhead. It is used to identify the multiplexing structure of the Virtual Container (VC) and the nature of the payload. The default value is 0x16 (22 in decimal).

J1: It is the path trace byte, part of the Higher-Order Path Overhead. It is used to detect the Higher-Order Path continuity of the connection between two interfaces. The default value is null.

S1S0: The range is 0 to 3. In the SONET standard, this value is not defined and not detected at the receiving side. In the SDH standard, this value is defined and detected at the receiving side. If this value is not 2, the two sides cannot interconnect.

To ensure successful interconnection, the three parameters of POS should be consistent. On a ZXR10 T64E router, the default value of C2 is 22, the default value of J1 is 0, and the default value of S1S0 is 2.

Network Topology

As shown in Figure 3, the interface POS3_5/1 on the T64E router connects to the POS interface on the Cisco router through an SDH transmission network.

Figure 3. Network Topology

Malfunction Situation

Users found that a lot of packets were lost on POS3_5/1 of the T64E router. The users logged into the T64E router remotely and pinged the Cisco router with short packets through POS3_5/1. The result is shown below.

ZZXCT64E# ping 192.168.1.10 op 1000 100 2 limit 0

sending 1000,100-byte ICMP echos to 192.168.1.10,timeout is 2 seconds.

!!!!!!!!!!!!!!!!!.!!!!!!!!.!!!.!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!

(Part of the result is omitted.)

Success rate is 92 percent(926/1000),round-trip min/avg/max= 0/5/100 ms.

The users pinged the Cisco router with long packets through POS3_5/1. The result is shown below.

ZZXCT64E# ping 192.168.1.10 op 1000 1500 2 limit 0

sending 1000,1500-byte ICMP echos to 192.168.1.10,timeout is 2 seconds.

.!!.!!!.!!!!!!!!!!!.!!!.......!!.!.!!..!!!!.!..!.!!....!! !..!.!!!.!!.!! !..!.!!!.!!.!!

!!!.!!..!.!!!.!!.!!!!!!!!!!.!.!!!!!!.!!!..

(Part of the result is omitted.)

Success rate is 63 percent(111/174),round-trip min/avg/max= 0/13/40 ms.

Malfunction Analysis

To find out the problem, the engineers took the following steps.

(1) The engineers checked the interface information on POS3_5/1, as shown below.

ZZXCT64E#show interface pos3_5/1

pos3_5/1 is up, line protocol is up

Description is TO-JN-AR1

Keepalive set:10 sec

The port is optical

crc 32

clock source line

scramble payload-enable

Internet address is 222.43.7.253/30

MTU 1500 bytes

MRU 1500 bytes BW 155520 Kbits

Encapsulation PPP,

LCP OPENED,IPCP OPENED,IPV6CP STARTING

MPLSCP STARTING,OSINLCP STARTING

Last clearing of "show interface" counters 0Day 0Hour 25Min 1Sec

120 seconds input rate: 9713797 Bps, 16831 pps

120 seconds output rate: 4443675 Bps, 20562 pps

Interface peak rate : input 10873508 Bps, output 5197123 Bps

Interface utilization: input 49%, output 22%

Input:

Packets : 26525386 Bytes: 14832473267

Unicasts : 0 Multicasts: 0 Broadcasts: 0

B1Error : 0 B2Error : 0 B3Error : 0

M1Error : 0 G1Error : 9813660 FIFOError : 0

Abort : 0 Oversize : 0 Undersize : 0

FCS : 0

Output:

Packets : 32288555 Bytes: 6951365662

Unicasts : 0 Multicasts: 0 Broadcasts: 0

FIFOErr : 0 UnderFifo : 0 Oversize : 0

Undersize: 0 LinkError : 0

(2) A moment later, the engineers checked the interface information on POS3_5/1 again, as shown below.

ZZXCT64E#show interface pos3_5/1

pos3_5/1 is up, line protocol is up

Description is TO-JN-AR1

Keepalive set:10 sec

The port is optical

crc 32

clock source line

scramble payload-enable

Internet address is 222.43.7.253/30

MTU 1500 bytes

MRU 1500 bytes BW 155520 Kbits

Encapsulation PPP,

LCP OPENED,IPCP OPENED,IPV6CP STARTING

MPLSCP STARTING,OSINLCP STARTING

Last clearing of "show interface" counters 1Day 22Hour 27Min 25Sec

120 seconds input rate: 9639063 Bps, 18451 pps

120 seconds output rate: 4810680 Bps, 22005 pps

Interface peak rate : input 16274055 Bps, output 14560792 Bps

Interface utilization: input 49%, output 24%

Input:

Packets : 2134398563 Bytes: 1086284953224

Unicasts : 0 Multicasts: 0 Broadcasts: 0

B1Error : 0 B2Error : 0 B3Error : 0

M1Error : 0 G1Error : 21113682 FIFOError : 0

Abort : 0 Oversize : 0 Undersize : 0

FCS : 0

Output:

Packets : 2842508343 Bytes: 1056010143766

Unicasts : 0 Multicasts: 0 Broadcasts: 0

FIFOErr : 0 UnderFifo : 0 Oversize : 0

Undersize: 0 LinkError : 0

The results showed that the “G1Error” count had increased.
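The comparison made in steps (1) and (2), as an added example that is not part of the original article: it parses the Input and Output counter blocks of two show interface snapshots and reports which error counters grew. The sample text is trimmed from the two outputs above; the function names are this example's own.

```python
import re

COUNTER = re.compile(r"([A-Za-z0-9]+)\s*:\s*(\d+)")
# Counters that grow on a healthy link and are therefore not reported.
TRAFFIC = {"Packets", "Bytes", "Unicasts", "Multicasts", "Broadcasts"}

# Trimmed from the first snapshot in the article.
FIRST = """\
pos3_5/1 is up, line protocol is up
Keepalive set:10 sec
MTU 1500 bytes
Input:
Packets : 26525386 Bytes: 14832473267
Unicasts : 0 Multicasts: 0 Broadcasts: 0
B1Error : 0 B2Error : 0 B3Error : 0
M1Error : 0 G1Error : 9813660 FIFOError : 0
Abort : 0 Oversize : 0 Undersize : 0
FCS : 0
Output:
Packets : 32288555 Bytes: 6951365662
Unicasts : 0 Multicasts: 0 Broadcasts: 0
FIFOErr : 0 UnderFifo : 0 Oversize : 0
Undersize: 0 LinkError : 0
"""

# Trimmed from the second snapshot in the article.
SECOND = """\
pos3_5/1 is up, line protocol is up
Keepalive set:10 sec
MTU 1500 bytes
Input:
Packets : 2134398563 Bytes: 1086284953224
Unicasts : 0 Multicasts: 0 Broadcasts: 0
B1Error : 0 B2Error : 0 B3Error : 0
M1Error : 0 G1Error : 21113682 FIFOError : 0
Abort : 0 Oversize : 0 Undersize : 0
FCS : 0
Output:
Packets : 2842508343 Bytes: 1056010143766
Unicasts : 0 Multicasts: 0 Broadcasts: 0
FIFOErr : 0 UnderFifo : 0 Oversize : 0
Undersize: 0 LinkError : 0
"""


def parse_counters(text):
    """Return {"Input.G1Error": 9813660, ...} from one show interface output.

    Only lines after "Input:" or "Output:" are read, so header lines such as
    "Keepalive set:10 sec" are not mistaken for counters, and names that occur
    in both directions (Oversize, Undersize) stay separate.
    """
    counters, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Input:", "Output:"):
            section = stripped[:-1]
            continue
        if section is None:
            continue
        for name, value in COUNTER.findall(stripped):
            counters[f"{section}.{name}"] = int(value)
    return counters


def compare(before_text, after_text):
    """Return (grown, reset): error counters that increased, and counters
    that went backwards (cleared between the two snapshots)."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    grown, reset = {}, []
    for key, new in after.items():
        name = key.split(".", 1)[1]
        old = before.get(key, 0)
        if new < old:
            reset.append(key)
        elif new > old and name not in TRAFFIC:
            grown[key] = new - old
    return grown, reset


if __name__ == "__main__":
    print(compare(FIRST, SECOND))
```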

Solution

The “G1Error” item was related to the SDH transmission, especially the parameters C2, S1S0 and J1 of POS. The engineers set the values of the three parameters to defaults. After that, the “G1Error” errors disappeared, as shown below.

ZZXCT64E#show interface pos3_5/1

pos3_5/1 is up, line protocol is up

Description is TO-JN-AR1

Keepalive set:10 sec

The port is optical

crc 32

clock source line

scramble payload-enable

Internet address is 222.43.7.253/30

MTU 1500 bytes

MRU 1500 bytes BW 155520 Kbits

Encapsulation PPP,

LCP OPENED,IPCP OPENED,IPV6CP STARTING

MPLSCP STARTING,OSINLCP STARTING

Last clearing of "show interface" counters 6Day 16Hour 44Min 24Sec

120 seconds input rate: 6430648 Bps, 15351 pps

120 seconds output rate: 5047286 Bps, 17381 pps

Interface peak rate : input 18434615 Bps, output 15166751 Bps

Interface utilization: input 33%, output 25%

Input:

Packets : 8736607844 Bytes: 4400023154583

Unicasts : 0 Multicasts: 0 Broadcasts: 0

B1Error : 0 B2Error : 0 B3Error : 16

M1Error : 0 G1Error : 0 FIFOError : 0

Abort : 0 Oversize : 0 Undersize : 0

FCS : 0

Output:

Packets : 11766523133 Bytes: 4229378830915

Unicasts : 0 Multicasts: 0 Broadcasts: 0

FIFOErr : 0 UnderFifo : 0 Oversize : 0

Undersize: 0 LinkError : 0

The engineers pinged the Cisco router with short packets through POS3_5/1. The result is shown below.

ZZXCT64E#ping 192.168.1.10 op 100 100 2 limit 0

sending 100,100-byte ICMP echos to 192.168.1.10,timeout is 2 seconds.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent(100/100),round-trip min/avg/max= 0/7/100 ms.

The engineers pinged the Cisco router with long packets through POS3_5/1. The result is shown below.

ZZXCT64E#ping 192.168.1.10 op 100 1500 2 limit 0

sending 100,1500-byte ICMP echos to 192.168.1.10,timeout is 2 seconds.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent(100/100),round-trip min/avg/max= 0/9/20 ms

The results showed that no packets were lost. The problem was solved.

Experience Summary

When interconnecting POS interfaces, pay attention to the following points:

The POS interface on a ZXR10 T64E router supports link coding scrambling. By default, the link coding scrambling function is enabled on the POS interface, that is, pos scramble-atm is the default configuration. However, the link coding scrambling function is not enabled on the POS interface of the Cisco router by default. The link coding scrambling setting on the devices at the two ends should be consistent; otherwise, the link does not work.

To enable the link coding scrambling function on the POS interface, use the pos scramble-atm command; the default value of parameter C2 is then 0x16. To disable the link coding scrambling function on the POS interface, use the no pos scramble-atm command; the default value of parameter C2 is then 0xCF.

By default, the CRC value on the ZXR10 T64E router is 32, and the CRC value on the Cisco router is 16. The CRC values should be consistent; otherwise, the link does not work.

The clock of the ZXR10 T64E router is the internal clock. When two ZXR10 T64E routers are connected back to back, the clock of one router should be the internal clock, and the clock of the other router should be the line clock. Otherwise, the link does not work. Usually, the clock of a ZXR10 T64E router is set to the internal clock.

The MTU of the POS interface on the Cisco router is 4096. If the MTU values on the POS interfaces at the two sides are different, pinging the other side with short packets works normally. However, packet loss occurs when pinging the other side with long packets. Therefore, when the MTU values on the POS interfaces at the two sides are different, set the MTU value of the POS interface on the Cisco router to 1500 to keep it consistent with the MTU value of the POS interface on the ZXR10 T64E router. ■

Label Distribution Malfunction in MPLS

⊙ Yang Zhiwei / ZTE Corporation

Key words: MPLS, LDP, pop tag, label distribution

Network Topology

As shown in Figure 1, the GER08 routers at the POKHARA, SUNDHARA, PATAN and HETUDA nodes and the SUNDHARA CISCO 2600 run OSPF. They are in area 0. The SUNDHARA CISCO 2600 connects to the user network. The routes of the user network are redistributed to area 0 through the SUNDHARA CISCO 2600. The PATAN GER08 router connects to the PATAN CISCO 2600 router and they learn the routes of the internet through EBGP.

Figure 1. Network Topology

The users planned to configure MPLS on the GER08 routers at the POKHARA, SUNDHARA, PATAN and HETUDA nodes.

Malfunction Situation

The users enabled MPLS on the GER08 routers at the POKHARA, SUNDHARA, PATAN and HETUDA nodes and then enabled MPLS on the corresponding interfaces. After that, from all the routers except the SUNDHARA GER08, they could not ping the users connected to the SUNDHARA CISCO 2600 (the network segment was 202.70.65.0 to 202.70.86.0).

Malfunction Analysis

To find out the problem, the engineers took the following steps.

(1) The engineers checked the MPLS labels on the POKHARA GER08 router, as shown below.

Pokhara-GER08-1#show mpls forwarding-table

Mpls Ldp Forwarding-table:

InLabel OutLabe Dest Pfxlen Interface NextHop

25 73 0.0.0.0 0 gei_5/1 202.70.93.122

38 37 172.16.1.11 32 gei_5/1 202.70.93.122

40 40 192.184.4.166 32 gei_5/1 202.70.93.122

28 27 202.70.65.24 30 gei_5/1 202.70.93.122

59 58 202.70.65.32 30 gei_5/1 202.70.93.122

53 52 202.70.65.33 32 gei_5/1 202.70.93.122

55 54 202.70.65.44 30 gei_5/1 202.70.93.122

32 31 202.70.65.45 32 gei_5/1 202.70.93.122

47 46 202.70.65.52 30 gei_5/1 202.70.93.122

45 44 202.70.65.53 32 gei_5/1 202.70.93.122

54 53 202.70.65.84 30 gei_5/1 202.70.93.122

51 50 202.70.65.88 30 gei_5/1 202.70.93.122

65 63 202.70.65.92 30 gei_5/1 202.70.93.122

43 42 202.70.65.93 32 gei_5/1 202.70.93.122

62 60 202.70.65.104 30 gei_5/1 202.70.93.122

64 62 202.70.65.108 30 gei_5/1 202.70.93.122

78 77 202.70.65.188 30 gei_5/1 202.70.93.122

69 68 202.70.65.189 32 gei_5/1 202.70.93.122

68 67 202.70.65.192 30 gei_5/1 202.70.93.122

52 51 202.70.65.193 32 gei_5/1 202.70.93.122

76 74 202.70.65.200 30 gei_5/1 202.70.93.122

67 66 202.70.65.201 32 gei_5/1 202.70.93.122

31 30 202.70.65.232 30 gei_5/1 202.70.93.122

33 33 202.70.66.0 29 gei_5/1 202.70.93.122

56 55 202.70.66.56 29 gei_5/1 202.70.93.122

70 69 202.70.66.96 29 gei_5/1 202.70.93.122

71 70 202.70.66.128 29 gei_5/1 202.70.93.122

72 71 202.70.66.152 29 gei_5/1 202.70.93.122

30 29 202.70.66.208 29 gei_5/1 202.70.93.122

29 28 202.70.68.128 25 gei_5/1 202.70.93.122

……

The result showed that the POKHARA GER08 router had learned the labels from the SUNDHARA GER08 router through gei_5/1. In the network topology, the POKHARA GER08 router was the penultimate hop and the SUNDHARA GER08 router was the last hop. Therefore, the labels that the POKHARA GER08 router received from the SUNDHARA GER08 router should be the POP tags.

(2) The engineers checked the label forwarding table on the SUNDHARA GER08 router, as shown below.

Sundhara-GER08-1#show mpls forwarding-table

Mpls Ldp Forwarding-table:

InLabel OutLabel Dest Pfxlen Interface NextHop

73 Untagged 0.0.0.0 0 gei_1/1 202.70.93.73

37 Untagged 172.16.1.11 32 fei_3/1 202.70.93.133

40 Untagged 192.184.4.166 32 fei_3/1 202.70.93.133

27 Untagged 202.70.65.24 30 fei_3/1 202.70.93.133

58 Untagged 202.70.65.32 30 fei_3/1 202.70.93.133

52 Untagged 202.70.65.33 32 fei_3/1 202.70.93.133

54 Untagged 202.70.65.44 30 fei_3/1 202.70.93.133

31 Untagged 202.70.65.45 32 fei_3/1 202.70.93.133

46 Untagged 202.70.65.52 30 fei_3/1 202.70.93.133

44 Untagged 202.70.65.53 32 fei_3/1 202.70.93.133

53 Untagged 202.70.65.84 30 fei_3/1 202.70.93.133

50 Untagged 202.70.65.88 30 fei_3/1 202.70.93.133

63 Untagged 202.70.65.92 30 fei_3/1 202.70.93.133

42 Untagged 202.70.65.93 32 fei_3/1 202.70.93.133

60 Untagged 202.70.65.104 30 fei_3/1 202.70.93.133

62 Untagged 202.70.65.108 30 fei_3/1 202.70.93.133

77 Untagged 202.70.65.188 30 fei_3/1 202.70.93.133

68 Untagged 202.70.65.189 32 fei_3/1 202.70.93.133

67 Untagged 202.70.65.192 30 fei_3/1 202.70.93.133

51 Untagged 202.70.65.193 32 fei_3/1 202.70.93.133

74 Untagged 202.70.65.200 30 fei_3/1 202.70.93.133

66 Untagged 202.70.65.201 32 fei_3/1 202.70.93.133

30 Untagged 202.70.65.232 30 fei_3/1 202.70.93.133

33 Untagged 202.70.66.0 29 fei_3/1 202.70.93.133

55 Untagged 202.70.66.56 29 fei_3/1 202.70.93.133

69 Untagged 202.70.66.96 29 fei_3/1 202.70.93.133

70 Untagged 202.70.66.128 29 fei_3/1 202.70.93.133

71 Untagged 202.70.66.152 29 fei_3/1 202.70.93.133

29 Untagged 202.70.66.208 29 fei_3/1 202.70.93.133

28 Untagged 202.70.68.128 25 fei_3/1 202.70.93.133

38 Untagged 202.70.71.0 24 fei_3/1 202.70.93.133

26 Untagged 202.70.75.132 30 fei_3/1 202.70.93.133

64 Untagged 202.70.75.136 30 fei_3/1 202.70.93.133

45 Untagged 202.70.75.137 32 fei_3/1 202.70.93.133

……

The result showed that the out labels of the routes that were advertised by the CISCO 2600 router were untagged. This was correct, because the SUNDHARA GER08 router did not establish LDP neighbor relationships with the CISCO 2600 router. According to the MPLS protocol, the labels of the routes to other MPLS routers distributed by the SUNDHARA GER08 router should be the POP tags.

When a local router works as an edge LSR, the next hop router may be a non-MPLS router. In this situation, the local LSR cannot bind the out label. According to the MPLS frame protocol, when a router does not receive the out label, it will discard the packet with labels.

When the users accessed the SUNDHARA user network through routers other than the SUNDHARA GER08 router, the packets were tagged when they reached the SUNDHARA GER08 router. However, in the label forwarding table of the SUNDHARA GER08 router, the corresponding out labels were untagged. Therefore, the packets were not forwarded normally, but discarded.
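The cross-check the engineers made by eye in steps (1) and (2), as an added example that is not part of the original article: it parses show mpls forwarding-table rows from the upstream and downstream routers and lists every prefix for which the upstream router pushes a label that the downstream router maps to an Untagged out label, the condition the article identifies as the cause of the drops. The sample rows are copied from the tables in this article; the function names are this example's own.

```python
import re

# InLabel, OutLabel (number, "Untagged" or "Pop tag"), Dest, Pfxlen,
# Interface, NextHop.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+|Untagged|Pop tag)\s+(\d+(?:\.\d+){3})\s+(\d+)"
    r"\s+(\S+)\s+(\S+)\s*$"
)

# Rows copied from the article: POKHARA before and after the fix, and
# SUNDHARA before the fix.
POKHARA_BEFORE = """\
InLabel OutLabe Dest Pfxlen Interface NextHop
25 73 0.0.0.0 0 gei_5/1 202.70.93.122
38 37 172.16.1.11 32 gei_5/1 202.70.93.122
28 27 202.70.65.24 30 gei_5/1 202.70.93.122
……
"""
POKHARA_AFTER = """\
InLabel OutLabel Dest Pfxlen Interface NextHop
25 Pop tag 0.0.0.0 0 gei_5/1 202.70.93.122
38 Pop tag 172.16.1.11 32 gei_5/1 202.70.93.122
28 Pop tag 202.70.65.24 30 gei_5/1 202.70.93.122
"""
SUNDHARA_BEFORE = """\
InLabel OutLabel Dest Pfxlen Interface NextHop
73 Untagged 0.0.0.0 0 gei_1/1 202.70.93.73
37 Untagged 172.16.1.11 32 fei_3/1 202.70.93.133
27 Untagged 202.70.65.24 30 fei_3/1 202.70.93.133
"""


def parse_table(text):
    """Parse table rows; header lines, blanks and "……" are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        in_label, out_label, dest, pfxlen, interface, next_hop = m.groups()
        rows.append({
            "in_label": int(in_label),
            "out_label": out_label,
            "prefix": f"{dest}/{pfxlen}",
            "interface": interface,
            "next_hop": next_hop,
        })
    return rows


def dropped_prefixes(upstream_text, downstream_text):
    """Correlate the upstream out label with the downstream in label."""
    downstream = {r["in_label"]: r for r in parse_table(downstream_text)}
    findings = []
    for up in parse_table(upstream_text):
        if not up["out_label"].isdigit():
            continue  # Pop tag or Untagged: no label is sent to the peer
        down = downstream.get(int(up["out_label"]))
        if down is None or down["prefix"] != up["prefix"]:
            findings.append((up["prefix"], up["out_label"],
                             "label unknown downstream"))
        elif down["out_label"] == "Untagged":
            findings.append((up["prefix"], up["out_label"],
                             "untagged via " + down["next_hop"]))
    return findings


if __name__ == "__main__":
    for finding in dropped_prefixes(POKHARA_BEFORE, SUNDHARA_BEFORE):
        print(finding)
    print(dropped_prefixes(POKHARA_AFTER, SUNDHARA_BEFORE))
```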

Solution

The mpls ldp egress {for <prefix-access-list> | nexthop <nexthop-access-list>} command controls whether LDP distributes pop tags for specific destination network segments that are connected indirectly, that is, the egress control policy. The parameters <prefix-access-list> and <nexthop-access-list> are used together with an ACL to match the route information. When the route information matches the ACL, pop tags are distributed.

The engineers modified the configuration on the SUNDHARA GER08 router, as shown below.

Sundhara-GER08-1(config)#ip access-list standard 2

Sundhara-GER08-1(config-std-acl)# rule 1 permit 202.70.93.133 0.0.0.0

Sundhara-GER08-1(config-std-acl)#exit

Sundhara-GER08-1(config)#mpls ip

Sundhara-GER08-1(config)#mpls ldp router-id loopback1 force

Sundhara-GER08-1(config)#mpls ldp egress nexthop 2

The engineers checked the label information on the SUNDHARA GER08 router, as shown below.

Sundhara-GER08-1#show mpls forwarding-table

Mpls Ldp Forwarding-table:

InLabel OutLabel Dest Pfxlen Interface NextHop

……

26 Pop tag 0.0.0.0 0 gei_1/1 202.70.93.73

18 Pop tag 202.70.93.1 32 gei_1/1 202.70.93.73

21 Pop tag 202.70.93.4 32 gei_1/1 202.70.93.73

20 21 202.70.93.8 32 gei_1/1 202.70.93.73

16 Pop tag 202.70.93.68 30 gei_1/1 202.70.93.73

17 Pop tag 202.70.93.76 30 gei_1/1 202.70.93.73

19 20 202.70.93.88 30 gei_1/1 202.70.93.73

25 Pop tag 202.70.93.128 30 gei_1/1 202.70.93.73

22 Pop tag 202.70.93.248 29 gei_1/1 202.70.93.73

……

The engineers checked the label information on the POKHARA GER08 router, as shown below.

Pokhara-GER08-1#show mpls forwarding-table

Mpls Ldp Forwarding-table:

InLabel OutLabel Dest Pfxlen Interface NextHop

25 Pop tag 0.0.0.0 0 gei_5/1 202.70.93.122

38 Pop tag 172.16.1.11 32 gei_5/1 202.70.93.122

40 Pop tag 192.184.4.166 32 gei_5/1 202.70.93.122

28 Pop tag 202.70.65.24 30 gei_5/1 202.70.93.122

59 Pop tag 202.70.65.32 30 gei_5/1 202.70.93.122

53 Pop tag 202.70.65.33 32 gei_5/1 202.70.93.122

55 Pop tag 202.70.65.44 30 gei_5/1 202.70.93.122

32 Pop tag 202.70.65.45 32 gei_5/1 202.70.93.122

47 Pop tag 202.70.65.52 30 gei_5/1 202.70.93.122

45 Pop tag 202.70.65.53 32 gei_5/1 202.70.93.122

54 Pop tag 202.70.65.84 30 gei_5/1 202.70.93.122

51 Pop tag 202.70.65.88 30 gei_5/1 202.70.93.122

65 Pop tag 202.70.65.92 30 gei_5/1 202.70.93.122

43 Pop tag 202.70.65.93 32 gei_5/1 202.70.93.122

62 Pop tag 202.70.65.104 30 gei_5/1 202.70.93.122

64 Pop tag 202.70.65.108 30 gei_5/1 202.70.93.122

78 Pop tag 202.70.65.188 30 gei_5/1 202.70.93.122

69 Pop tag 202.70.65.189 32 gei_5/1 202.70.93.122

68 Pop tag 202.70.65.192 30 gei_5/1 202.70.93.122

52 Pop tag 202.70.65.193 32 gei_5/1 202.70.93.122

76 Pop tag 202.70.65.200 30 gei_5/1 202.70.93.122

67 Pop tag 202.70.65.201 32 gei_5/1 202.70.93.122

31 Pop tag 202.70.65.232 30 gei_5/1 202.70.93.122

33 Pop tag 202.70.66.0 29 gei_5/1 202.70.93.122

56 Pop tag 202.70.66.56 29 gei_5/1 202.70.93.122

70 Pop tag 202.70.66.96 29 gei_5/1 202.70.93.122

71 Pop tag 202.70.66.128 29 gei_5/1 202.70.93.122

72 Pop tag 202.70.66.152 29 gei_5/1 202.70.93.122

30 Pop tag 202.70.66.208 29 gei_5/1 202.70.93.122

29 Pop tag 202.70.68.128 25 gei_5/1 202.70.93.122

39 Pop tag 202.70.71.0 24 gei_5/1 202.70.93.122

27 Pop tag 202.70.75.132 30 gei_5/1 202.70.93.122

75 Pop tag 202.70.75.136 30 gei_5/1 202.70.93.122

60 Pop tag 202.70.75.137 32 gei_5/1 202.70.93.122

……

The POKHARA GER08 router received the pop tags distributed by the SUNDHARA GER08 router. Therefore, when the packets reached the SUNDHARA GER08 router, the labels were popped. Then the packets were forwarded normally according to the routing table.

The problem was solved.

The label distribution configuration for the indirect EBGP routes is described below.

On the PATAN GER08 router, the configuration is shown below.

Patan-GER08(config)#ip access-list standard 2

Patan-GER08(config-std-acl)# rule 2 permit 202.70.93.129 0.0.0.0

Patan-GER08(config-std-acl)#exit

Patan-GER08(config)#mpls ip

Patan-GER08(config)#mpls ldp router-id loopback1 force

Patan-GER08(config)#mpls ldp egress nexthop 2

The label forwarding table on the SUNDHARA GER08 router or the HETUDA GER08 router is shown below.

Hetuda-GER08#show mpls forwarding-table

Mpls Ldp Forwarding-table:

……

InLabel OutLabel Dest Pfxlen Interface NextHop

26 Pop tag 0.0.0.0 0 gei_1/1 202.70.93.73

18 Pop tag 202.70.93.1 32 gei_1/1 202.70.93.73

21 Pop tag 202.70.93.4 32 gei_1/1 202.70.93.73

20 21 202.70.93.8 32 gei_1/1 202.70.93.73

16 Pop tag 202.70.93.68 30 gei_1/1 202.70.93.73

17 Pop tag 202.70.93.76 30 gei_1/1 202.70.93.73

19 20 202.70.93.88 30 gei_1/1 202.70.93.73

25 Pop tag 202.70.93.128 30 gei_1/1 202.70.93.73

22 Pop tag 202.70.93.248 29 gei_1/1 202.70.93.73

……

The PATAN GER08 router did not learn routes from the PATAN CISCO2600 router, because the routes were EBGP routes. MPLS did not distribute labels for these routes.

Experience Summary

According to the MPLS protocol, the pop tags are not distributed for indirect routes. If the mpls ldp egress command is not configured for the indirect routes, the LER will distribute labels for indirect routes outside the MPLS network. When the upstream device receives packets with labels distributed by the LER, the device will discard the packets because the out labels are untagged. ■

STP Malfunction on 2826S Switch

⊙ Li Weiting / ZTE Corporation

Key words: STP, VRRP, MAC address, management address

Network Topology

As shown in Figure 1, the three devices form a loop. The spanning-tree function is enabled on these three devices. A smartgroup is configured between switches 3906-1 and 3906-2. Switches 3906-1 and 3906-2 run VRRP, and switch 3906-1 is the master.

Figure 1. Network Topology

Malfunction Situation

The users could ping the management address of switch 2826S from switch 3906-1 successfully, but they could not ping the same address from switch 3906-2.

Malfunction Analysis

To find out the problem, the engineers took the following steps.

(1) The engineers checked the information of spanning-tree instances on the three switches.

The information of spanning-tree instances on switch 3906-1 is shown below.

3906-1#show spanning-tree instance 0

Spanning tree enabled protocol MSTP

Root ID: Priority 4096; Address 00d0.d0c0.03c0

Hello-Time 2 sec; Max-Age 20 sec

Forward-Delay 15 sec;

RegRootID: Priority 4096; Address 00d0.d0c0.03c0

BridgeID: Priority 4096; Address 00d0.d0c0.03c0

Hello-Time 2 sec; Max-Age 20 sec

Forward-Delay 15 sec; Max-Hops 20

Message-Age 0 sec; RemainHops 20

Interface Prio.Nbr

Name Port ID Cost Sts Role Type Bound

-------------------------------------------------------------------------------

fei_1/8 128.48 200000 Forward Designated p2p MSTP

sg1 128.1 100000 Forward Designated p2p MSTP

The information of spanning-tree instances on switch 3906-2 is shown below:

3906-2#show spanning-tree instance 0

Spanning tree enabled protocol MSTP

Root ID: Priority 4096; Address 00d0.d0c0.03c0

Hello-Time 2 sec; Max-Age 20 sec

Forward-Delay 15 sec;

RegRootID: Priority 8192; Address 00d0.d0c0.0280

BridgeID: Priority 8192; Address 00d0.d0c0.0280

Hello-Time 2 sec; Max-Age 20 sec

Forward-Delay 15 sec; Max-Hops 20

Message-Age 1 sec; RemainHops 20

Interface Prio.Nbr

Name Port ID Cost Sts Role Type Bound

------------------------------------------------------------------------------------

fei_1/8 128.48 200000 Forward Designated p2p MSTP

sg1 128.1 100000 Forward Root p2p MSTP

The information of spanning-tree instances on switch 2826S is shown below:

2826S(cfg)#show stp instance 0

RootID:

Priority : 4096 Address : 00.d0.d0.c0.03.c0

HelloTime(s) : 2 MaxAge(s) : 20

ForwardDelay(s): 15

Reg RootID:

Priority : 16384 Address : 00.d0.d0.fc.76.92

RemainHops : 20

BridgeID:

Priority : 16384 Address : 00.d0.d0.fc.76.92

HelloTime(s) : 2 MaxAge(s) : 20

ForwardDelay(s): 15 MaxHops : 20

Interface PortId Cost Status Role Bound GuardStatus

-------------------------------------------------------------------------------

1 128.1 200000 Forward Root MSTP None

2 128.2 200000 Discard Alternate MSTP None

The above results showed that switch 3906-1 had the highest priority and worked as the root switch. The state of port 2 on switch 2826S was Discard, which indicated that the link between switches 3906-2 and 2826S was blocked.

(2) The management address of switch 2826S was 192.168.69.132. The engineers pinged the address from switch 3906-2, as shown below.

3906-2#ping 192.168.69.132

sending 5,100-byte ICMP echos to 192.168.69.132,timeout is 2 seconds.

……

(3) The engineers checked the ARP information on switch 3906-2, as shown below.

3906-2#show arp

Arp protect whole is disabled . The count is 3.

Address Age(min) Hardware Addr Interface

192.168.69.132 2 00d0.d0fc.7692 vlan601

192.168.70.2 - 00d0.d0c0.0283 vlan601

192.168.69.130 - 00d0.d0c0.0283 vlan601

(4) The engineers checked the MAC address table on switch 3906-2, as shown below.

3906-2#show mac dynamic

Total MAC address : 4

Flags: vid --VLAN id, stc --static

per --permanent, toS --to-static

srF --source filter, dsF --destination filter

time --day:hour:min:sec

MAC_Address port vid stc per toS srF dsF Time

----------------------------------------------------------------------------------

00d0.d0fc.7692 fei_1/8 601 0 0 0 0 0 0:01:32:56

0000.5e00.0114 sg1 601 0 0 0 0 0 0:01:33:15

0000.5e00.011e sg1 601 0 0 0 0 0 0:01:33:15

00d0.d0c0.03c0 sg1 601 0 0 0 0 0 0:01:33:18

The above result showed that the MAC address 00d0.d0fc.7692 was learned on fei_1/8 of switch 3906-2. In the spanning-tree protocol, switches interact with each other through BPDU messages. BPDU messages are transmitted as Ethernet frames. The source MAC address of a BPDU message is the MAC address of the switch that sends it. Although the state of fei_1/2 on switch 2826S was Discard, BPDU messages were not affected. Therefore, switch 3906-2 learned the MAC address 00d0.d0fc.7692 through the BPDU messages sent by switch 2826S.

Solution

To solve the problem, the engineers changed the MAC address of the network management system on switch 2826S to an address that was different from that of the switch itself, as shown below.

2826S(cfg)#config router

2826S(cfg-router)#set ipport 0 disable

2826S(cfg-router)#set ipport 0 mac 00.D0.D0.FC.76.76

After the modification, the users could access switch 2826S from switch 3906-2. The problem was solved.

The engineers checked the ARP and MAC information, as shown below.

3906-2#show arp

Arp protect whole is disabled . The count is 3.

Address Age(min) Hardware Addr Interface

192.168.69.132 0 00d0.d0fc.7676 vlan601

192.168.70.2 - 00d0.d0c0.0283 vlan601

192.168.69.130 - 00d0.d0c0.0283 vlan601

3906-2#show mac dynamic


Total MAC address : 5

Flags: vid --VLAN id, stc --static

per --permanent, toS --to-static

srF --source filter, dsF --destination filter

time --day:hour:min:sec

MAC_Address port vid stc per toS srF dsF Time

---------------------------------------------------------------------------------

00d0.d0fc.7676 sg1 601 0 0 0 0 0 0:00:41:52

00d0.d0fc.7692 fei_1/8 601 0 0 0 0 0 0:00:45:15

0000.5e00.011e sg1 601 0 0 0 0 0 0:00:43:30

0000.5e00.0114 sg1 601 0 0 0 0 0 0:00:43:30

00d0.d0c0.03c0 sg1 1 0 0 0 0 0 0:00:43:31

The above result showed that the MAC address corresponding to the network management address 192.168.69.132 on switch 2826S was 00d0.d0fc.7676. Switch 3906-2 learned this MAC address through sg1. Therefore, messages passed through switch 3906-1 and then reached switch 2826S. ■


OSPF Equivalent Default Route

Key words: equivalent route, OSPF, default route, options

⊙ Gu Weiwei / ZTE Corporation

Network Topology

As shown in Figure 1, T128-1, T128-2 and T32C run OSPF and they are in area 0. The notify default route always command is configured on the two T128 routers. The next hop of the default route on the T128-1 router is ROUTER-1, and the next hop of the default route on the T128-2 router is ROUTER-2.

Figure 1. Network Topology

Malfunction Situation

By default, up to 4 equivalent routes are allowed on a ZXR10 T32C router. According to the network topology, there should be two default routes on the T32C router, one to the T128-1 router and the other to the T128-2 router. However, there was only one default route to T128-2.

Malfunction Analysis

To find out the problem, the engineers took the following steps.

(1) The engineers checked the routing table on the T32C router, as shown below.

T32c# show ip route

Destination Gateway Owner Netif

-----------------------------------------------------------------------------------

default 222.62.207.149 OSPF_ASE t128-2

10.0.0.0/24 directly connected - en0

127.0.0.1 127.0.0.1 - lo0

221.122.224.0/24 222.62.207.26 Static 7401

(2) The engineers checked the LSA information on the T32C router, as shown below. The

link-ids of these two LSAs are 0.0.0.0.

T32c# ospf show database external link-id 0.0.0.0

OSPF Router with ID (222.62.207.10)


AS External Link States

Link ID ADV Router Age Seq# Checksum Cost

-----------------------------------------------------------------------------

0.0.0.0 222.62.207.2 181 80001b9c 50ec 1

0.0.0.0 222.62.207.137 1121 80000ab7 693 1

The result showed that the T32C router received two Type-5 LSAs from the two T128 routers.

(3) The engineers checked the OSPF external data information on the T32C router, as shown

below.

T32c# OSPf Show DAtabase EXternal

OSPF Router with ID (222.62.207.10)

……

Routing Bit Set on this LSA

LS Age: 411

Options:

LS Type: AS External Link

Link State ID: 0.0.0.0

Advertising Router: 222.62.207.2 /*T128-1*/

LS Seq Number: 80001ba7

Checksum: 3af7

Length: 36

Network Mask: /0

Metric Type: 2 TOS: 0

Metric: 1 Forward Address:

External Route Tag: 3

Routing Bit Set on this LSA

LS Age: 1348

Options:

LS Type: AS External Link

Link State ID: 0.0.0.0

Advertising Router: 222.62.207.137 /*T128-2*/

LS Seq Number: 80000ac2

Checksum: ef9e

Length: 36

Network Mask: /0

Metric Type: 2 TOS: 0


Metric: 1 Forward Address:

External Route Tag: 3

The result showed that the metric type, metric value and LSA type of the two default routes were the same. This indicated that the two routes were equivalent.

(4) The engineers checked the two OSPF neighbors of the T32C router, as shown below.

T32C# ospf show neighbor

Neighbor 222.62.207.137, interface address 222.62.207.149

In the area 0.0.0.0 via interface address 222.62.207.150

Neighbor priority is 1, State is Full

Options 0 Dead timer due in 17:20:34

Hitless Helper: not active

Neighbor 222.62.207.2, interface address 222.62.207.9

In the area 0.0.0.0 via interface address 222.62.207.10

Neighbor priority is 1, State is Full

Options 1 Dead timer due in 17:20:31

Hitless Helper: not active

The result showed that the Options value of T128-2 was 0, while the Options value of T128-1

was 1.

(5) According to RFC documents, the value of Options is related to the state and configuration

of the device. The engineers checked the configurations on the two T128 routers. They found that

the T128-2 router advertised the network segment between itself and the ROUTER-2 to the OSPF

area, but the ROUTER-2 was not the OSPF neighbor of the T128-2 router. However, the T128-1

router did not advertise the network segment between itself and ROUTER-1 to the OSPF area.

The OSPF configuration on the T128-2 router is shown below.

router ospf 1

network 222.62.207.136 0.0.0.3 area 0.0.0.0

network 222.62.207.144 0.0.0.3 area 0.0.0.0

network 222.62.207.148 0.0.0.3 area 0.0.0.0

network 222.62.207.152 0.0.0.3 area 0.0.0.0

network 222.62.207.156 0.0.0.3 area 0.0.0.0

notify default route always

redistribute static

redistribute connected


Solution

The engineers used the no network 222.62.207.148 0.0.0.3 area 0.0.0.0 command to delete the network segment advertised by the T128-2 router between itself and the ROUTER-2. After that, the engineers checked the OSPF neighbor state and routing table on the T32C router, as shown below.

T32C# ospf show neighbor

Neighbor 222.62.207.169, interface address 222.62.207.149

In the area 0.0.0.0 via interface address 222.62.207.150

Neighbor priority is 1, State is Full

Options 1

Dead timer due in 17:08:02

Hitless Helper: not active

Neighbor 222.62.207.168, interface address 222.62.207.9

In the area 0.0.0.0 via interface address 222.62.207.10

Neighbor priority is 1, State is Full

Options 1

Dead timer due in 17:08:03

Hitless Helper: not active

T32C#

T32C# show ip route

Destination Gateway Owner Netif

----------- ------- ----- -----

default 222.62.207.9 OSPF_ASE t128-1

222.62.207.149 OSPF_ASE t128-2

10.0.0.0/24 directly connected - en0

127.0.0.1 127.0.0.1 - lo0

221.122.224.0/24 222.62.207.26 Static 7401

The result showed that the Options values on the two neighbors of the T32C router were 1.

The route information showed that the T32C router learned the two default routes from the T128-1

router and the T128-2 router. The problem was solved.

Experience Summary

In this case, the ROUTER-2 was not the OSPF neighbor of the T32C router. The default route to the uplink device ROUTER-2 was configured on the T128-2 (it is the ASBR) router. Therefore, the network between ROUTER-2 and the T128-2 router was advertised. This is the cause of the problem. ■


Supervlan Configuration

Key words: Supervlan, subvlan, B10 version

⊙ Wang Huali / ZTE Corporation

Network Topology

In a college, the users obtained IP addresses through DHCP to get on-line. As users in some offices required static IP addresses, new VLAN IDs were added to the switches based on the primary network topology. A Supervlan was configured on T64G. The topology is as shown in Figure 1.

Figure 1. Network Topology

Malfunction Situation

A new VLAN was added for the users with static IP addresses. The VLAN ID was 200. Supervlan 2 was configured on T64G. The IP address and network gateway address were configured correctly on the PCs. The users failed to ping the gateway 172.16.8.1 from the PCs.

Malfunction Analysis

To find out the problem, the engineers took the following steps.

(1) The engineers checked the configurations of the PCs and disabled the firewall and wireless network cards.

(2) The engineers checked the configuration on the 2826S switch, as shown below.

set port 2 pvid 200 /*port 2 connects to the user pc*/

set vlan 200 enable

set vlan 200 add port 2 untag

set vlan 200 add port 25 tag /*up-connects to the gei_2/1 of T64G*/

The engineers did not find any problem.

(3) The engineers checked the configuration on the T64G, as shown below.

vlan 200

supervlan 2

interface supervlan 2

ip address 172.16.8.1 255.255.255.128

inter-subvlan-routing disable

interface gei_2/1

description test1

protocol-protect mode dhcp enable

negotiation auto

hybrid-attribute copper

switchport mode trunk

switchport trunk native vlan 1

switchport trunk vlan 200 /*user vlan*/

switchport trunk vlan 4093

switchport qinq normal

The engineers tried removing VLAN 200 from the Supervlan, so that it was no longer a sub interface of the Supervlan, and modified the configuration as below.

interface vlan 200

ip address 172.16.8.1 255.255.255.128

After that, the engineers found that the users could ping the gateway 172.16.8.1 successfully from the PCs. Therefore, the problem was caused by the configuration of the Supervlan.

Solution

The engineers modified the configuration to bind the sub interface to the IP address pool on T64G, as shown below.


T64G(config)#vlan 200

T64G(config-vlan)# supervlan 2

T64G(config-vlan)# ip supervlan pool 172.16.8.2 172.16.8.20 /*the address range of the users that access through vlan200*/

T64G(config-vlan)#exit

The problem was solved.

Experience Summary

The problem was solved after the sub interface was bound to the IP address pool, because the default configuration on the switch was ip-pool-filter enable. The switch before version B10 supports 255 Supervlans. Each Supervlan supports up to 8 subvlans, but the subvlan cannot be bound to the address pool. The switch after version B10 supports 255 Supervlans. Each Supervlan supports up to 4094 subvlans, and the subvlan can be bound to the address pool. Two default configuration commands are added to the Supervlan after version B10, as shown below.

T64G(config)#interface supervlan1

T64G(config-if)#arp-broadcast disable /*default configuration*/

T64G(config-if)#ip-pool-filter enable /* default configuration*/

If the users do not configure the subvlan pool, the configuration can be changed as follows.

T64G(config)#interface supervlan1

T64G(config-if)#arp-broadcast enable

T64G(config-if)#ip-pool-filter disable

When the subvlan pool is configured, it is not recommended to change the configuration of the

Supervlan. ■


Address Superposition

Key words: BAS, address superposition, address pool, dial

⊙ Shan Changliang / ZTE Corporation

Network Topology

As shown in Figure 10, the users of dial-up services connect to a UAS 10400. They get on-line after passing the authentication of the dial-up services.

Figure 1. Network Topology

Malfunction Situation

During the service rush hour (20:00~21:00) every day, some users could dial successfully but failed to access the Internet. The users could ping the address of UAS 10400 successfully but failed to ping other addresses.

If the users hung up and redialed many times, they could sometimes access the Internet. After the service rush hour, the problem disappeared.

Malfunction Analysis

The engineers had dealt with a similar problem before. That problem was solved after the engineers changed the related cards. Therefore, the engineers tried to change the ports, slots and cards, but the problem was not solved.

Therefore, the problem might be caused by routes. The engineers took the following steps.

(1) The engineers input the show subscribers active username <username> command to find an IP address of a user with the problem (192.168.1.20).

(2) The engineers logged into another device and input the trace route 192.168.1.20 command.

(3) The engineers logged into another device and input the trace route 192.168.1.1 command. The address 192.168.1.1 was the interface address of the address pool that the user address (192.168.1.20) was in.

The results of steps 2 and 3 showed that there was a strange address (not the address of the UAS 10400). It was the address of the MA5200.

The engineers logged into the MA5200 and checked the configuration. They found that there was a user address network segment 192.168.1.0/24, which was the same as the network segment configured on the UAS 10400. Besides, on the S8016 there was a static route that designated the MA5200 as the next hop of 192.168.1.0/24.

Because of the address superposition, and because there was no route from the S8016 to the UAS 10400 for 192.168.1.0/24, the users connecting to the UAS 10400 who obtained addresses in network segment 192.168.1.0/24 failed to access the Internet.

Solution

The engineers deleted the network segment 192.168.1.0/24 from the address pool on the MA5200, and then configured the back route of 192.168.1.0/24 to the UAS 10400 on the S8016. The problem was solved.

Experience Summary

According to the address distribution algorithm on UAS 10400, the addresses in the pools are distributed from top to bottom. The address pool 192.168.1.0/24 was the last but one; therefore, it was used only during the service rush hour.

When the users hung up and redialed, if addresses in the pools at the top had been released by that time, the users could obtain those addresses and access the Internet normally. ■
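The checks this case calls for, as an added Python example that is not part of the original article: find subscriber pools shared by two devices, find pools whose return route on the upstream switch points at the wrong device, and estimate how many sessions must be active before the allocator reaches the bad pool. Only 192.168.1.0/24 on both devices and the S8016 static route to the MA5200 come from the case; the other prefixes, their order and the three reserved addresses per pool are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed inventory modelled on the case. Pool order on the UAS 10400 is
# top to bottom, with 192.168.1.0/24 placed last but one as the article says.
POOLS = {
    "UAS10400": ["10.20.0.0/23", "10.20.2.0/24", "192.168.1.0/24", "10.20.3.0/24"],
    "MA5200": ["10.30.0.0/24", "192.168.1.0/24"],
}
# Static routes on the upstream switch: (prefix, device used as next hop).
S8016_ROUTES = [
    ("10.20.0.0/22", "UAS10400"),
    ("10.30.0.0/24", "MA5200"),
    ("192.168.1.0/24", "MA5200"),
]


def overlapping_pools(pools):
    """Pairs of pools on different devices that share address space."""
    flat = [(dev, ipaddress.ip_network(p)) for dev, nets in pools.items() for p in nets]
    return [
        (a_dev, str(a), b_dev, str(b))
        for (a_dev, a), (b_dev, b) in combinations(flat, 2)
        if a_dev != b_dev and a.overlaps(b)
    ]


def return_next_hop(prefix, routes):
    """Longest-prefix match on the upstream switch for traffic returning to a pool."""
    net = ipaddress.ip_network(prefix)
    best = None
    for route, hop in routes:
        rnet = ipaddress.ip_network(route)
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best[0].prefixlen):
            best = (rnet, hop)
    return best[1] if best else None


def misrouted_pools(pools, routes):
    """Pools whose return traffic goes to another device or has no route at all."""
    bad = []
    for dev, nets in pools.items():
        for p in nets:
            hop = return_next_hop(p, routes)
            if hop != dev:
                bad.append((dev, p, hop))
    return bad


def sessions_before(pool_list, target):
    """Addresses handed out before the allocator reaches `target`, assuming
    top-to-bottom allocation and three reserved addresses per pool
    (network, broadcast, pool interface address)."""
    total = 0
    for p in pool_list:
        if p == target:
            return total
        total += ipaddress.ip_network(p).num_addresses - 3
    raise ValueError(f"{target} is not in the pool list")


if __name__ == "__main__":
    for a_dev, a, b_dev, b in overlapping_pools(POOLS):
        print(f"overlap: {a_dev} {a} <-> {b_dev} {b}")
    for dev, pool, hop in misrouted_pools(POOLS, S8016_ROUTES):
        print(f"return path for {dev} pool {pool} points at {hop}")
    n = sessions_before(POOLS["UAS10400"], "192.168.1.0/24")
    print(f"bad pool is reached after {n} concurrent sessions")
```

With this inventory the affected pool is only reached once the pools above it are exhausted, which matches a fault that appears only during the rush hour.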


Switch CPU Utilization Ratio Abnormity

Key words: 3252, CPU, utilization ratio, ARP, ACL

⊙ Zhang Fan / ZTE Corporation

Network Topology

As shown in Figure 1, one ZXR10 3252 switch works as the gateway and other ZXR10 3252 switches work as the access switches. The users use fixed IP addresses to access the network.

Figure 1. Network Topology

Malfunction Situation

The users said that sometimes there were long delays before they succeeded in accessing the network, and sometimes they failed to access the network.

The engineers logged into the gateway switch to check the CPU utilization ratio. They found that the CPU utilization ratio stayed at about 50% to 60%. When the users pinged the gateway, there were long delays.

Malfunction Analysis

To find out the problem, the engineers took the following steps.

(1) The engineers logged into the gateway switch to check the system process information, as shown below.

3252#show taskinfo

NAME PRI STATUS MTICKS Used(%)

----------------------------------------------------

Protocol 140 PEND 1 41.20

The result showed that the protocol processes took up about 40% CPU resources.

(2) The engineers input the show logging alarm command on the gateway switch to display the alarm information, as shown below.

3252#show logging alarm

An alarm 21768 level 5 occurred at 23:36:01 04/01/2007 UTC sent by MCP %ACL PROTOCOL PROTECT% Receive too many packets of 'arprequest' from port fei_1/1

An alarm 21768 level 5 occurred at 23:36:31 04/01/2007 UTC sent by MCP %ACL PROTOCOL PROTECT% Receive too many packets of 'arprequest' from port fei_1/4

An alarm 21768 level 5 occurred at 23:36:31 04/01/2007 UTC sent by MCP %ACL PROTOCOL PROTECT% Receive too many packets of 'arprequest' from port fei_1/1

……


The result showed that the switch received a lot of ARP REQUEST messages.

(3) The engineers input the debug arp command to check the ARP processes on the switch,

as shown below.

3252#debug arp

ARP debugging is on

18:55:48 IP ARP:req filtered src 192.168.11.175 000D.8769.079E, dst 192.168.222.41 wrong cable vlan308

18:55:48 IP ARP:req filtered src 192.168.11.175 000D.8769.079E, dst 192.168.222.53 wrong cable vlan308

18:55:48 IP ARP:req filtered src 192.168.11.175 000D.8769.079E, dst 192.168.222.116 wrong cable vlan308

……

The result showed that some ARP requests could not pass the ARP source filtration function and were filtered.

According to the arp source-filtered rule, when an interface receives an ARP message, the

system searches the route according to the source IP address. If the route belongs to the local

interface, the device accepts the message; otherwise, the device discards the message. By

default, the ARP source filtration function is enabled.

In this case, the gateway switch received a lot of ARP REQUEST messages. The source IP

address of these ARP REQUEST messages was not in the address range of its subnet. That is, an

illegal user sent the messages. Therefore, the messages could not pass the ARP source filtration

and were discarded.

Since these messages were discarded, the gateway switch should not have had to process them. Why did the CPU utilization ratio stay high? It was because the ARP source filtration function was implemented in software, and the CPU took part in the judgment and calculation. Therefore, these messages cost a lot of CPU resources.
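The source-filter rule described above, together with a summary of the filtered requests in debug arp output, as an added Python example (not ZTE code). The route table, the vlan1 default route and the fourth log line are constructed assumptions; the first three log lines are the ones shown in the debug output, with their wrapped halves rejoined.

```python
import ipaddress
import re
from collections import Counter

# Routing view of the gateway switch: (prefix, outgoing interface).
# Assumption: vlan308 owns 192.168.222.0/24 and a default route leaves via vlan1;
# the article shows only the interface name and the 192.168.222.x targets.
ROUTES = [
    (ipaddress.ip_network("192.168.222.0/24"), "vlan308"),
    (ipaddress.ip_network("0.0.0.0/0"), "vlan1"),
]

# Lines 1-3 are from the article; line 4 is constructed.
DEBUG_ARP = """\
18:55:48 IP ARP:req filtered src 192.168.11.175 000D.8769.079E, dst 192.168.222.41 wrong cable vlan308
18:55:48 IP ARP:req filtered src 192.168.11.175 000D.8769.079E, dst 192.168.222.53 wrong cable vlan308
18:55:48 IP ARP:req filtered src 192.168.11.175 000D.8769.079E, dst 192.168.222.116 wrong cable vlan308
18:55:49 IP ARP:req filtered src 192.168.50.9 0011.2233.4455, dst 192.168.222.1 wrong cable vlan308
"""

LINE = re.compile(
    r"IP ARP:req filtered src (?P<ip>\S+) (?P<mac>[0-9A-Fa-f.]+), "
    r"dst (?P<dst>\S+) wrong cable (?P<iface>\S+)"
)


def arp_source_ok(src_ip, in_iface, routes=ROUTES):
    """Look up the route for the sender IP (longest prefix wins) and accept the
    ARP message only if that route points out the receiving interface."""
    addr = ipaddress.ip_address(src_ip)
    matches = [(net, ifc) for net, ifc in routes if addr in net]
    if not matches:
        return False
    _net, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return ifc == in_iface


def filtered_sources(log_text):
    """Count filtered ARP requests per (sender IP, sender MAC, interface)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            hits[(m["ip"], m["mac"].lower(), m["iface"])] += 1
    return hits


def deny_rules(hits, min_hits=3, prefixlen=24):
    """(network, wildcard mask) pairs for senders seen at least min_hits times
    that fail the source check, widened to /prefixlen like the ACL in the Solution."""
    nets = set()
    for (ip, _mac, iface), count in hits.items():
        if count >= min_hits and not arp_source_ok(ip, iface):
            nets.add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    return [(str(n.network_address), str(n.hostmask)) for n in sorted(nets)]


if __name__ == "__main__":
    hits = filtered_sources(DEBUG_ARP)
    for (ip, mac, iface), count in hits.most_common():
        print(f"{count} filtered requests from {ip} ({mac}) on {iface}")
    for i, (net, wildcard) in enumerate(deny_rules(hits), start=1):
        print(f"rule {i} deny {net} {wildcard}")
```

Every filtered request still costs one route lookup on the CPU, which is why the summary is used to build a source ACL rather than relying on the software filter alone.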

Solution

The engineers used ACL to filter the illegal messages, as shown below.

acl basic number 1

rule 1 deny 192.168.11.0 0.0.0.255 /*refuse the packets with source IP addresses in network segment 192.168.11.0/24 */

rule 2 permit any

!

Interface fei_1/1

ip access-group 1 0 in /*apply the ACL to the interface*/

!

Interface fei_1/4

ip access-group 1 0 in

!


The ACL function is implemented by hardware. When the interface received illegal messages,

the messages were discarded directly and did not cost the CPU resources.

Experience Summary

With the development of networks, there are more and more network viruses. In this case, a user's host was infected with a virus. The virus changed the source IP address of the messages and sent them to the switch. This affected the switch and other users.

The anti-virus ACL can be applied to interfaces to protect the host effectively. A common anti-virus ACL configuration is shown as follows.

acl extend number 101

rule 1 deny tcp any any eq 135

rule 2 deny tcp any any eq 139

rule 3 deny tcp any any eq 136

rule 4 deny tcp any any eq 137

rule 5 deny tcp any any eq 445

rule 6 deny tcp any any eq 5554

rule 7 deny tcp any any eq 9996

rule 8 deny tcp any any eq 1433

rule 9 deny tcp any any eq 1434

rule 10 deny udp any any eq 1433

rule 11 deny udp any any eq 1434

rule 12 deny udp any any eq 135

rule 13 deny udp any any eq 139

rule 14 deny udp any any eq 136

rule 15 deny udp any any eq 137

rule 16 deny udp any any eq 445

rule 17 deny udp any any eq 5554

rule 18 deny udp any any eq 9996

rule 19 permit ip any any

!


GGSN Cell Phone Online Service through IP Bearer Network

Key words: SGSN, GGSN, GTP, DHCP, NAT, cell phone online service

⊙ Zhang Jintao / ZTE Corporation

Network Topology

Figure 1 shows a topology of the cell phone online service through IP bearer network.

Figure 1. Network Topology

The flow of the cell phone online service is described as follows:

(1) A user connects to SGSN through wireless communication.

(2) The user connects to GGSN through SGSN. Internal interconnection IP addresses are configured between SGSN and GGSN, and GTP runs on SGSN and GGSN. The cell data is encapsulated on SGSN and de-capsulated on GGSN.

(3) GGSN distributes the IP address, gateway and DNS for the user through DHCP.

(4) When the cell phone user obtains the IP address, gateway and DNS, the messages for online service are sent to SGSN.

(5) The messages for online service are encapsulated by GTP on SGSN, and then are sent to GGSN.

(6) When GGSN receives these messages, it implements GTP de-capsulation for these messages.

(7) After de-capsulation, these messages become common IP messages. They are forwarded through the Gi interface on GGSN.

(8) These IP messages (using IP addresses of the private network) reach the router after Layer 2 transparent transmission on the switch and filtration on the firewall (Layer 2 transparent transmission).

(9) The router translates the IP addresses of these messages into public network addresses through NAT on VLAN sub interfaces. After that, these messages are sent to the Internet. Therefore, the cell phone user can get on-line.

Cell Phone Online Service through IP Bearer Network

According to the flow of the cell phone online service, cell phone online service can be realized through IP bearer network in the following steps:

(1) Configure the IP addresses for the Gi interfaces on GGSN, for example, 192.168.100.4/24 and 192.168.101.4/24.

(2) Configure two VLANs on the access switch to transmit the messages from Gi interfaces

transparently, for example, Vlan 100 and Vlan 101.

(3) Configure Netscreen Redundant Protocol (NSRP) on the firewalls. Meanwhile, configure

Layer 2 VLAN transparent transmission on the firewalls for messages from Gi interfaces.

(4) Enable two VLAN sub interfaces on the two routers to configure VRRP as the redundant

gateway for the Gi interfaces. Add a switch between the two routers to forward Layer 2 multicast

messages of VRRP.

(5) Configure OSPF on the two routers.

(6) Configure the two VLAN sub interfaces as the inside interfaces of NAT, and configure

the interfaces connecting to the Internet as the outside interfaces of NAT. Configure the address

pool of the private network as the private address that the cell phone user obtains (for example,

10.1.0.0/16). Configure the address pool of the public network as the corresponding public

network segment.

(7) On the two routers, configure default routes to the peer router that connects to the Internet.

(8) On the two routers, configure static back routes with 10.1.0.0/16 (the private IP address

of the cell phone) as the destination network segment, and with the IP addresses of Gi interfaces

(192.168.100.4 and 192.168.101.4) on GGSN as the next hops.

Related Configuration

On the switches and firewalls, it is only required to configure the corresponding channels for VLAN transparent transmission.

On the VRRP master, the configuration is as follows:

(1) This step describes how to configure a sub interface as the VRRP gateway of the Gi

interfaces of GGSN.

interface fei_1/1.13

encapsulation dot1Q 13

ip address 192.168.100.254 255.255.255.0

vrrp 3 ip 192.168.100.254

vrrp 3 advertise 3

ip nat inside

!

interface fei_1/1.14

encapsulation dot1Q 14

ip address 192.168.101.254 255.255.255.0

vrrp 4 ip 192.168.101.254


vrrp 4 advertise 3

ip nat inside

!

(2) This step describes how to configure the outside interface of NAT.

interface fei_5/1

ip address 213.55.83.241 255.255.255.248

negotiation auto

ip nat outside

!

(3) This step describes how to configure the address pool of NAT.

ip nat start

ip nat pool mobile 213.55.83.243 213.55.83.244 prefix-length 29

ip nat inside source list 1 pool mobile overload

!

ip access-list standard 1

permit 10.1.0.0 0.0.255.255

!

(4) This step describes how to configure the related routes.

router ospf 100

router-id 192.168.105.254

network 192.168.105.16 0.0.0.3 area 0.0.0.0

network 192.168.105.254 0.0.0.0 area 0.0.0.0

redistribute connected

!

ip route 10.1.0.0 255.255.0.0 192.168.101.4 tag 152

ip route 10.1.0.0 255.255.0.0 192.168.100.4 tag 151

ip route 0.0.0.0 0.0.0.0 213.55.83.242

!
