NN46205-703 03.02 Troubleshooting

Nortel Ethernet Routing Switch 8600

TroubleshootingRelease: 7.0Document Revision: 03.02

www.nortel.com

NN46205-703.

Nortel Ethernet Routing Switch 8600Release: 7.0Publication: NN46205-703Document release date: 12 April 2010

Copyright © 2008-2010 Nortel Networks. All Rights Reserved.

While the information in this document is believed to be accurate and reliable, except as otherwise expresslyagreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OFANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document aresubject to change without notice.

THE SOFTWARE DESCRIBED IN THIS DOCUMENT IS FURNISHED UNDER A LICENSE AGREEMENT ANDMAY BE USED ONLY IN ACCORDANCE WITH THE TERMS OF THAT LICENSE.

Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks are the property of their respective owners.

.

3.

ContentsSoftware license 15

New in this release 19Features 19

Route Switch Processor (RSP) Packet Tracing 19ERCD record dumps 19Key Health Indicators (KHI) 20show debug generic command 20Troubleshooting flash or PCMCIA devices 20Troubleshooting EDM 20Troubleshooting high CPU utilization due to ICMP redirects 20Troubleshooting BPDU filtering 21Troubleshooting IstSessionDown message 21Troubleshooting IP Multinetting 21Troubleshooting BGP+ 21Troubleshooting Multicast VLAN Registration (MVR) 21Troubleshooting IGMP Layer 2 querier 21Troubleshooting PIM with SMLT 21Troubleshooting IPv6 DHCP Relay 21Troubleshooting IPv6 VRRP 21Troubleshooting IPv6 RSMLT 21Troubleshooting RADIUS 21Troubleshooting DHCP Snooping 22Troubleshooting Dynamic ARP Inspection (DAI) 22Troubleshooting IP Source Guard 22

Changes in revision 03.02 228695 SF/CPU renamed to 8895 SF/CPU 22

Introduction 23

Troubleshooting planning fundamentals 25Proper installation and routine maintenance 25Network configuration 25

Site network map 26Logical connections 26

Nortel Ethernet Routing Switch 8600Troubleshooting

NN46205-703 03.02 12 April 2010


.

4

Device configuration information 26Other important data about your network 26

Normal behavior on your network 27

Troubleshooting fundamentals 29Connectivity problems 29Routing table problems 29

Troubleshooting tool fundamentals 31Troubleshooting overview 31Digital Diagnostic Monitoring 34Port mirroring 34

Overview 34Port mirroring and modules 35R modules 37RS modules 38ACLs, ACEs, and port mirroring 38Port mirroring considerations and restrictions 39

Remote mirroring 39Remote mirroring considerations and restrictions 40

Ping Snoop 41Packet Capture Tool 42

PCAP packet flow 43PCAP feature support 43PCAP, IP, and MAC filter sets 44PCAP filters 44PCAP limitations and considerations 44PCAP and R series modules 46

General diagnostic tools 46Traceroute 46Ping 47Trace 47

Route Switch Processor Packet Tracing 48CP to COP messaging 49Interval 49

ERCD Records Dump 49CP to COP messaging 50

Log and trap fundamentals 51Simple Network Management Protocol 51Overview of traps and logs 52System Messaging Platform 53

Log message format 53Log files 55Log file transfer 56


NN46205-703 03.02 12 April 2010


.

5

Common error log messages 61

Hardware troubleshooting 71LED indications of problems 71Apparent module failure 72

Troubleshooting module failure: workaround 1 73Troubleshooting module failure: workaround 2 73

Failure to get a logon prompt from the Console port 73Cable connection problems 74

10BASE-T cables 74100BASE-T and 1000BASE-T cables 75SFP, XFP, and GBIC cables 75

Troubleshooting flash or PCMCIA cards 75

Software troubleshooting 77Enterprise Device Manager (EDM) troubleshooting 77Switch failure to read configuration file 77No Enterprise Device Manager access to a switch 78How to stop ICMP redirects from causing high CPU utilization 78

Resolution 79

Software troubleshooting tool configuration using EnterpriseDevice Manager 81Flushing routing tables by VLAN 82Flushing routing tables by port 82Configuring port mirroring 83Configuring ACLs for mirroring 84Configuring ACEs for mirroring 86Example of configuring port mirroring on an R module 89Configuring remote mirroring 93Configuring PCAP globally 94Configuring PCAP on a port 95Configuring PCAP filters 96Configuring advanced PCAP filters 98Configuring VLAN MAC filters for PCAP 100Testing the switch fabric and address resolution table 101Viewing address resolution table statistics 102Running a ping test 103Viewing ping probe history 106Viewing ping results 106Running a traceroute test 107Viewing traceroute results 110Viewing the traceroute history 111Performing an external loopback test 112


NN46205-703 03.02 12 April 2010


.

6

Performing an internal loopback test 114Configuring Ping Snoop for R series modules 114

Software troubleshooting tool configuration using the CLI 117General troubleshooting 118

Roadmap of general CLI troubleshooting commands 118Using the CLI for troubleshooting 120Using hardware record dumps 121Using trace to diagnose problems 122Using auto-trace to diagnose problems 125

show debug generic command 126Collecting Key Health Indicator (KHI) information 128

Configuring global KHI 129Configuring Management KHI 130Configuring Chassis KHI 131Configuring Performance KHI 132Configuring Protocol KHI 132Configuring Forwarding KHI 134Configuring IP interface KHI 135Port KHI 136

Enabling and disabling the Route Switch Processor (RSP) Packet Tracing 138Dumping RSP Packet Tracing 140Dumping specified ERCD records 142Using PIM debugging commands 143Using BGP debugging commands 144Port mirroring configuration 146

Roadmap of port mirroring CLI commands 147Configuring port mirroring 148Configuring global mirroring actions with an ACL 152Configuring ACE debug actions to mirror 153Example of port mirroring configuration with ACLs (rx-filter mode) 155

Remote mirroring configuration 157Configuring remote mirroring 157Example of remote mirroring configuration using ACLs 160

PCAP configuration 163Roadmap of PCAP CLI commands 164Accessing the Secondary CPU 165Configuring PCAP global parameters 166Enabling PCAP on a port 168Configuring PCAP capture filters 169Configuring VLAN MAC filters for PCAP 176Example PCAP configuration 177Using the captured packet dump 178Copying captured packets to a remote machine 179


NN46205-703 03.02 12 April 2010


.

7

Resetting the PCAP DRAM buffer 179Modifying PCAP parameters 180Example of capturing all traffic with PCAP filters 180Example of capturing specific traffic with PCAP filters 182Example of capturing specific traffic with PCAP and ACLs 183PCAP troubleshooting example 184

Testing the switch fabric 187Testing the ARP address table 188Clearing ARP information for an interface 189Flushing routing, MAC, and ARP tables for an interface 189Job aid: ping and traceroute considerations 190Running a ping test 190

Example of using ping for an IP VPN device 192Running a traceroute test 193

Example of using traceroute for an IP VPN device 194Configuring Ping Snoop for R series modules 194

Software troubleshooting tool configuration using theNNCLI 197General troubleshooting 198

Roadmap of general NNCLI troubleshooting commands 198Using the NNCLI for troubleshooting 200Using hardware record dumps 201Using trace to diagnose problems 202Using auto-trace to diagnose problems 205

Collecting Key Health Indicator (KHI) information 206Configuring global KHI 207Configuring Management KHI 208Configuring Chassis KHI 209Configuring Performance KHI 210Configuring Protocol KHI 211Configuring Forwarding KHI 212Configuring IP interface KHI 214Configuring Port KHI 215

Enabling and disabling the Route Switch Processor Packet Tracing 217Dumping RSP Packet Tracing 219Dumping specified ERCD records 221Using PIM debugging commands 222Using BGP debugging commands 224Port mirroring configuration 225

Roadmap of port mirroring NNCLI commands 225Configuring port mirroring 226Configuring global mirroring actions with an ACL 228Configuring ACE debug actions to mirror 229


NN46205-703 03.02 12 April 2010


.

8

Configuring remote mirroring 231PCAP configuration 233

Roadmap of PCAP NNCLI commands 233Accessing the Secondary CPU 235Configuring PCAP global parameters 235Enabling PCAP on a port 237Configuring PCAP capture filters 238Configuring VLAN MAC filters for PCAP 242Using the captured packet dump 243Copying captured packets to a remote machine 244Resetting the PCAP DRAM buffer 245Modifying PCAP parameters 245

Testing the switch fabric 246Testing the ARP address table 247Clearing ARP information for an interface 247Flushing routing, MAC, and ARP tables for an interface 248Job aid: ping and traceroute considerations 249Running a ping test 249Running a traceroute test 251Configuring Ping Snoop for R series modules 252

SNMP trap configuration using Enterprise Device Manager 255Configuring an SNMP host target address 255Configuring target table parameters 257Viewing the trap sender table 259Configuring an SNMP notify table 259Configuring SNMP notify filter profile table parameters 260Configuring SNMP notify filter table parameters 261Enabling SNMP trap logging 262

Log configuration using Enterprise Device Manager 265Log configuration navigation 265Configuring the system log 265Configuring the system log table and severity level mappings 266

SNMP trap configuration using the CLI 269Roadmap of SNMP trap CLI commands 269Configuring SNMP notifications 272Configuring an SNMP host target address 273

Example of configuring an SNMP target table 275Configuring SNMP target table parameters 275

Example of configuring additional target parameters 276Configuring an SNMP notify filter table 277Configuring SNMP interfaces 278Enabling SNMP trap logging 279


NN46205-703 03.02 12 April 2010


.

9

Configuring a UNIX system log and syslog host 280

Log configuration using the CLI 283Roadmap of CLI log commands 283Configuring logging 284Viewing logs 285Configuring the remote host address for log transfer 287Configuring system logging to a PCMCIA or external flash 289Starting system message logging to a PCMCIA or external flash card 290Configuring system message control 291Extending system message control 292Configuring CLI logging 293

SNMP trap configuration using the NNCLI 295Roadmap of SNMP trap NNCLI commands 295Job aid: SNMP configuration in the NNCLI 297

snmpNotifyFilterTable 297snmpTargetAddrTable 298snmpTargetParamsTable 298snmpNotifyTable 298

Configuring SNMP notifications 298Configuring an SNMP host 299

Example of configuring an SNMP host 301Configuring SNMP target table parameters 301Configuring an SNMP notify filter table 301Configuring SNMP interfaces 302Enabling SNMP trap logging 303Configuring a UNIX system log and syslog host 304

Log configuration using the NNCLI 307Roadmap of NNCLI log commands 307Configuring logging 308Viewing logs 309Configuring the remote host address for log transfer 311Configuring system logging to a PCMCIA or external flash 312Starting system message logging to a PCMCIA or external flash card 313Configuring system message control 314Extending system message control 315Configuring NNCLI logging 316

Recovery trees and procedures 319Recovery trees 319

IST failure 319DHCP Relay failure 320SNMP failure 321Flash failure 322


NN46205-703 03.02 12 April 2010


.

10

Licensing problems and recovery 323Job aid: general tips and information 323Issue: license will not install 324Issue: cannot transfer license 325Issue: license file generation does not succeed 326Issue: licensed features cannot be configured 327

Layer 1 troubleshooting 329Troubleshooting fiber optic links 329Troubleshooting DWDM XFPs 330

Additional useful commands 331

Layer 2 troubleshooting 333Troubleshooting SMLT failure using the CLI or NNCLI 333Troubleshooting IST failure using the CLI 335Troubleshooting IST failure using the NNCLI 336Troubleshooting IstSessionDown message using CLI or NNCLI 337Troubleshooting BPDU filtering 337

No packets received on the port 337SNMP trap not received 339Displaying BPDU filtering records 339

Unicast routing troubleshooting 341Routing and licensing: protocol will not run 341IP Multinetting troubleshooting 342OSPF troubleshooting 342

Viewing OSPF errors 342OSPF neighbor state problems 343OSPF down state or no state problems 345OSPF Init state problems 346OSPF ExStart/Exchange problems 347

BGP+ troubleshooting 347Neighbors not established between the BGP peers 348BGP routes not coming up in the switch routing table 348Routes are not advertised to a BGP peer 349General BGP+ troubleshooting 349Enabling trace and debugging for BGP+ troubleshooting 350Route policy problems 351

IP VPN Lite troubleshooting 351

Multicast routing troubleshooting 353Multicast routing troubleshooting using Enterprise Device Manager 353

Viewing group trace information for IGMP snoop 354Viewing multicast routes 354Viewing pruned multicast routes 355Viewing multicast group sources 356


NN46205-703 03.02 12 April 2010


.

11

Viewing multicast routes by egress VLAN 356Viewing IGAP network connectivity information 357Enabling multicast routing process statistics 358

Multicast routing troubleshooting using the CLI 359Multicast routing troubleshooting using the CLI navigation 359Viewing multicast group trace information for IGMP snoop 359Viewing PGM interface errors 360Viewing PGM negative acknowledgement errors 361Viewing multicast routes 362Showing the hardware resource usage 364Viewing multicast routing process statistics 365

Multicast routing troubleshooting using the NNCLI 367Viewing multicast group trace information for IGMP snoop 367Viewing PGM interface errors 368Viewing PGM negative acknowledgement errors 369Viewing multicast routes 370Showing the hardware resource usage 372Viewing multicast routing process statistics 373

Troubleshooting Multicast VLAN Registration (MVR) 375Unable to add a VLAN as a receiver VLAN 375Traffic is not passing from the source to the receiver 375Enabling trace messages for MVR troubleshooting 376

Troubleshooting IGMP Layer 2 querier 376Querier not elected 376Enabling trace messages for IGMP Layer 2 querier troubleshooting 377

Troubleshooting static mroute 377Troubleshooting IGMPv3 backwards compatibility 381Troubleshooting PIM with SMLT 382

IGMPv3 groups not listed 382No (S,G) Mroute record created 383Enabling trace messages for IGMP and PIM troubleshooting 383

Troubleshooting MSDP 384MSDP peer not established 385MSDP peer established, but no MSDP local cache and foreign cache

entries 385Troubleshooting multicast virtualization 387

General multicast virtualization troubleshooting 387Cannot enable PIM on a VRF 388Cannot create a PIM instance on a VRF 389Cannot enable PIM on a VLAN or brouter interface 389Warning message appears when enabling PIM on an interface 390Cannot enable IGMPv3 on a VLAN 391Maximum number of PIM neighbors is reached 391


NN46205-703 03.02 12 April 2010


.

12

Upper layer troubleshooting 393SNMP troubleshooting 393DHCP troubleshooting 394Troubleshooting IPv6 DHCP Relay 395

IPv6 DHCP Relay switch side troubleshooting 395IPv6 DHCP Relay server side troubleshooting 396IPv6 DHCP Relay client side troubleshooting 397Enabling trace messages for IPv6 DHCP Relay 397

Troubleshooting BFD 397BFD session stays in down state 397BFD enabled on OSPF or BGP, but session not created 398BFD session flaps 398BFD session goes down when MLT member ports are enabled or

disabled 399BFD with trace on 400

Troubleshooting IPv6 VRRP 400VRRP transitions 401Backup master enabled but not routing packets 402Enabling trace messages for IPv6 VRRP troubleshooting 402Risks associated with enabling trace messages 404VRRP with higher priority running as backup 404

Troubleshooting IPv6 RSMLT 404Configuration considerations 405RSMLT peers not up 405Enabling trace messages for RSMLT troubleshooting 405

Troubleshooting IPv6 connectivity loss 406Troubleshooting RADIUS 407

RADIUS switch side troubleshooting 407RADIUS server side troubleshooting 408Enabling trace messages for RADIUS troubleshooting 410

Troubleshooting DHCP Snooping 410Client not assigned IP address 410DHCP Snooping configured properly but client not assigned IP 411Client assigned IP address but no binding entry created 411Client not always successfully assigned an IP address. 412Client loses IP address after a switch reboot 412

Troubleshooting Dynamic ARP Inspection 412Enabling trace messages for Dynamic ARP Inspection troubleshooting 413

Troubleshooting IP Source Guard 413Enabling trace messages for IP Source Guard troubleshooting 414

Troubleshooting TACACS+ 414Customer unable to log on using Telnet or rlogin 415Customer unable to log on using SSH 415


NN46205-703 03.02 12 April 2010


.

13

Customer unable to log on using PPP 416Customer unable to log on by any means (Telnet, rlogin, SSH, and PPP) 417Administrator unable to obtain accounting information from the TACACS+

server 417Administrator unable to receive trap packets from the Ethernet Routing Switch

8600 418User unable to login 418

Nortel Secure Network Access troubleshooting 419Monitoring DHCP requests 420Issue: client unable to reach the DHCP server 420Issue: SSH session is not established between edge switch and SNAS server

421Issue: NSNA connection not established after HA failover 421Issue: TG page does not open when client is in Red VLAN 422Issue: page is not automatically redirected to SNAS login page 422Issue: client not registered by switch 422Issue: PC client Web page displays Cannot contact Web Server 423

Software download 425Downloading Ethernet Routing Switch 8600 software 425Downloading Ethernet Routing Switch 8600 documentation 425

Technical support 427Gathering critical information 427Data collection commands 428

General troubleshooting issue 428Collecting port statistics 428IP route issues 429Multi-Link Trunk issues 430CPU spike issues 430Commands for dumping hardware records for MAC, ARP, and routes in legacy

modules 432Contacting support 432

Customer service 433Updated versions of documentation 433Getting help 433Express Routing Codes 433Additional information 434

Safety messages 435Notices 435

Attention notice 435Caution ESD notice 435Caution notice 436


NN46205-703 03.02 12 April 2010


.

14

Traps reference 439Proprietary traps 439Standard traps 450

Index 459


NN46205-703 03.02 12 April 2010


.

15.

Software licenseThis section contains the Nortel Networks software license.

Nortel Networks Inc. software license agreementThis Software License Agreement ("License Agreement") is betweenyou, the end-user ("Customer") and Nortel Networks Corporation andits subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THEFOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSETERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE.USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OFTHIS LICENSE AGREEMENT. If you do not accept these terms andconditions, return the Software, unused and in the original shippingcontainer, within 30 days of purchase to obtain a credit for the fullpurchase price.

"Software" is owned or licensed by Nortel Networks, its parent or one ofits subsidiaries or affiliates, and is copyrighted and licensed, not sold.Software consists of machine-readable instructions, its components, data,audio-visual content (such as images, text, recordings or pictures) andrelated licensed materials including all whole or partial copies. NortelNetworks grants you a license to use the Software only in the countrywhere you acquired the Software. You obtain no rights other than thosegranted to you under this License Agreement. You are responsible for theselection of the Software and for the installation of, use of, and resultsobtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer anonexclusive license to use a copy of the Software on only one machineat any one time or to the extent of the activation or authorized usage level,whichever is applicable. To the extent Software is furnished for use withdesignated hardware or Customer furnished equipment ("CFE"), Customeris granted a nonexclusive license to use Software only on such hardwareor CFE, as applicable. Software contains trade secrets and Customeragrees to treat Software as confidential information using the same careand discretion Customer uses with its own similar information that it doesnot wish to disclose, publish or disseminate. Customer will ensure thatanyone who uses the Software does so only in compliance with the terms


NN46205-703 03.02 12 April 2010


.

16 Software license

of this Agreement. Customer shall not a) use, copy, modify, transferor distribute the Software except as expressly authorized; b) reverseassemble, reverse compile, reverse engineer or otherwise translate theSoftware; c) create derivative works or modifications unless expresslyauthorized; or d) sublicense, rent or lease the Software. Licensors ofintellectual property to Nortel Networks are beneficiaries of this provision.Upon termination or breach of the license by Customer or in the eventdesignated hardware or CFE is no longer in use, Customer will promptlyreturn the Software to Nortel Networks or certify its destruction. NortelNetworks may audit by remote polling or other reasonable means todetermine Customer’s Software activation or usage levels. If suppliers ofthird party software included in Software require Nortel Networks to includeadditional or different terms, Customer agrees to abide by such termsprovided by Nortel Networks with respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to inwriting between Nortel Networks and Customer, Software is provided"AS IS" without any warranties (conditions) of any kind. NORTELNETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THESOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOTLIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY ANDFITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OFNON-INFRINGEMENT. Nortel Networks is not obligated to provide supportof any kind for the Software. Some jurisdictions do not allow exclusionof implied warranties, and, in such event, the above exclusions may notapply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTELNETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANYOF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTYCLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS,FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL,PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOSTPROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OROTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OFYOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS,ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIRPOSSIBILITY. The forgoing limitations of remedies also apply to anydeveloper and/or supplier of the Software. Such developer and/or supplieris an intended beneficiary of this Section. Some jurisdictions do not allowthese limitations or exclusions and, in such event, they may not apply.

4. General

1. If Customer is the United States Government, the following paragraphshall apply: All Nortel Networks Software available under this LicenseAgreement is commercial computer software and commercial computer


NN46205-703 03.02 12 April 2010


.

Nortel Networks Inc. software license agreement 17

software documentation and, in the event Software is licensed foror on behalf of the United States Government, the respective rightsto the software and software documentation are governed by NortelNetworks standard commercial license in accordance with U.S. FederalRegulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and48 C.F.R. 227.7202 (for DoD entities).

2. Customer may terminate the license at any time. Nortel Networksmay terminate the license if Customer fails to comply with the termsand conditions of this license. In either event, upon termination,Customer must either return the Software to Nortel Networks or certifyits destruction.

3. Customer is responsible for payment of any taxes, including personalproperty taxes, resulting from Customer’s use of the Software.Customer agrees to comply with all applicable laws including allapplicable export and import laws and regulations.

4. Neither party may bring an action, regardless of form, more than twoyears after the cause of the action arose.

5. The terms and conditions of this License Agreement form the completeand exclusive agreement between Customer and Nortel Networks.

6. This License Agreement is governed by the laws of the country inwhich Customer acquires the Software. If the Software is acquired inthe United States, then this License Agreement is governed by thelaws of the state of New York.


NN46205-703 03.02 12 April 2010


.

18 Software license


NN46205-703 03.02 12 April 2010


.

19.

New in this releaseThe following section details what’s new in Nortel Ethernet Routing Switch8600 Troubleshooting (NN46205-703) for Release 7.0:

• “Features” (page 19)

• “Changes in revision 03.02” (page 22)

FeaturesSee the following sections for information about feature changes:

Route Switch Processor (RSP) Packet TracingRelease 7.0 supports Route Switch Processor (RSP) Packet Tracing on Rand RS modules, which provides CLI and NNCLI support for COP debugcommands.

For more information, see “Route Switch Processor Packet Tracing” (page48).

To configure RSP Packet Tracing using the CLI, see:

• “Enabling and disabling the Route Switch Processor (RSP) PacketTracing” (page 138)

• “Dumping RSP Packet Tracing” (page 140)

To configure RSP Packet Tracing using the NNCLI, see:

• “Enabling and disabling the Route Switch Processor Packet Tracing”(page 217)


ERCD record dumpsThe Enterprise RSP Control Driver (ERCD) record dumps feature dumpsrequested ERCD records. The ERCD records are maintained on theCOP in a specific radix table. When the CP requests the ERCD records,


NN46205-703 03.02 12 April 2010


.

20 New in this release

the radix table is traversed and the records which match the criteria (forspecific port or specific slot or both) are obtained. These records areobtained from the COP through CP to COP messaging with reply.

The CP displays the records on the CLI or NNCLI prompt.

For more information, see “ERCD Records Dump” (page 49). To configureERCD record dumps, see “Dumping specified ERCD records” (page142) (CLI) and “Dumping specified ERCD records” (page 221) (NNCLI).

Key Health Indicators (KHI)The Ethernet Routing Switch 8600 supports Key Health Indicators (KHI)that allow for the collection of statistics and information about the healthof the system for troubleshooting purposes related to system failure. TheKey Health Indicator (KHI) feature identifies a small number of key healthindicators that allow quick assessment of the overall operational stateof the Ethernet Routing Switch 8600. These indicators do not providecomplete coverage of all possible failure scenarios. Rather, KHI is adiagnostic tool for the health of the switch. Further debugging is requiredto correctly understand the system state and actions required to remedythe situation.

For more information, see “Collecting Key Health Indicator (KHI)information” (page 128). To configure KHI, see “Configuring global KHI”(page 129) (CLI) and “Configuring global KHI” (page 207) (NNCLI).

show debug generic commandThe show debug generic [verbose] command is mainly used fordebugging purposes only. It displays information from multiple systemshell commands. For more information, see “show debug genericcommand” (page 126).

Troubleshooting flash or PCMCIA devicesInformation about troubleshooting flash or PCMCIA devices is added tothis document. See “Troubleshooting flash or PCMCIA cards” (page 75).

Troubleshooting EDMEDM troubleshooting information is added to this document. See“Enterprise Device Manager (EDM) troubleshooting” (page 77).

Troubleshooting high CPU utilization due to ICMP redirectsInformation about troubleshooting high CPU utilization due to ICMPredirects is added to this document. See “How to stop ICMP redirects fromcausing high CPU utilization” (page 78)


NN46205-703 03.02 12 April 2010


.

Features 21

Troubleshooting BPDU filteringBPDU filtering troubleshooting information is added to this document. See“Troubleshooting BPDU filtering” (page 337).

Troubleshooting IstSessionDown messageIstSessionDown message troubleshooting information is added to thisdocument. See “Troubleshooting IstSessionDown message using CLI orNNCLI” (page 337).

Troubleshooting IP MultinettingIP Multinetting troubleshooting information is added to this document. See“IP Multinetting troubleshooting” (page 342).

Troubleshooting BGP+BGP+ troubleshooting information is added to this document. See “BGP+troubleshooting” (page 347).

Troubleshooting Multicast VLAN Registration (MVR)Multicast VLAN Registration troubleshooting information is added to thisdocument. See “Troubleshooting Multicast VLAN Registration (MVR)”(page 375).

Troubleshooting IGMP Layer 2 querierIGMP Layer 2 querier troubleshooting information is added to thisdocument. See “Troubleshooting IGMP Layer 2 querier” (page 376).

Troubleshooting PIM with SMLTPIM with SMLT troubleshooting information is added to this document.See “Troubleshooting PIM with SMLT” (page 382).

Troubleshooting IPv6 DHCP RelayIPv6 DHCP Relay troubleshooting information is added to this document.See “Troubleshooting IPv6 DHCP Relay” (page 395).

Troubleshooting IPv6 VRRPIPv6 VRRP troubleshooting information is added to this document. See“Troubleshooting IPv6 VRRP” (page 400).

Troubleshooting IPv6 RSMLTIPv6 RSMLT troubleshooting information is added to this document. See“Troubleshooting IPv6 RSMLT” (page 404).

Troubleshooting RADIUSRADIUS troubleshooting information is added to this document. See“Troubleshooting RADIUS” (page 407).


NN46205-703 03.02 12 April 2010


.

22 New in this release

Troubleshooting DHCP SnoopingDHCP snooping troubleshooting information is added to this document.See “Troubleshooting DHCP Snooping” (page 410).

Troubleshooting Dynamic ARP Inspection (DAI)Dynamic ARP Inspection troubleshooting information is added to thisdocument. See “Troubleshooting Dynamic ARP Inspection” (page 412).

Troubleshooting IP Source GuardIP Source Guard troubleshooting information is added to this document.See “Troubleshooting IP Source Guard” (page 413).

Changes in revision 03.02See the following section for information about changes that have beenmade in revision 03.02 of this document.

8695 SF/CPU renamed to 8895 SF/CPUThe 8695 SF/CPU is renamed to the 8895 SF/CPU. All instances of 8695SF/CPU in this document are updated to 8895 SF/CPU.


NN46205-703 03.02 12 April 2010


.

23.

IntroductionUse this document to help you troubleshoot the Ethernet Routing Switch8600.

For information about using Enterprise Device Manager, the commandline interface (CLI), or the Nortel command line interface (NNCLI), seeNortel Ethernet Routing Switch 8600 User Interface Fundamentals(NN46205-308).

Navigation• “Troubleshooting planning fundamentals” (page 25)

• “Troubleshooting tool fundamentals” (page 31)

• “Log and trap fundamentals” (page 51)

• “Common error log messages” (page 61)

• “Troubleshooting fundamentals” (page 29)

• “Hardware troubleshooting” (page 71)

• “Software troubleshooting” (page 77)

• “Software troubleshooting tool configuration using Enterprise DeviceManager” (page 81)

• “Software troubleshooting tool configuration using the CLI” (page 117)

• “Software troubleshooting tool configuration using the NNCLI” (page197)

• “SNMP trap configuration using Enterprise Device Manager” (page255)

• “SNMP trap configuration using the CLI” (page 269)

• “SNMP trap configuration using the NNCLI” (page 295)

• “Recovery trees and procedures” (page 319)

• “Layer 1 troubleshooting” (page 329)

• “Layer 2 troubleshooting” (page 333)


NN46205-703 03.02 12 April 2010


.

24 Introduction

• “Unicast routing troubleshooting” (page 341)

• “Multicast routing troubleshooting” (page 353)

• “Upper layer troubleshooting” (page 393)

• “Software download” (page 425)

• “Technical support ” (page 427)

• “Traps reference” (page 439)


NN46205-703 03.02 12 April 2010


.

25.

Troubleshooting planningfundamentals

You can better troubleshoot the problems on your network by planning forthese events in advance. To do this, you must know the following:

• that your system is properly installed and routinely maintained

• the configuration of your network

• the normal behavior of your network

Navigation• “Proper installation and routine maintenance” (page 25)

• “Network configuration” (page 25)

• “Normal behavior on your network” (page 27)

Proper installation and routine maintenanceTo prevent problems, follow proper maintenance and installationprocedures. For information about routine maintenance procedures,see Nortel Ethernet Routing Switch 8600 Routine Maintenance(NN46205-312).

Network configurationTo keep track of the configuration of your network, gather the informationdescribed in the following sections. This information, when kept up-to-date,is extremely helpful for locating information when you experience networkor device problems.

Network configuration navigation

• “Site network map” (page 26)

• “Logical connections” (page 26)


NN46205-703 03.02 12 April 2010


.

26 Troubleshooting planning fundamentals

• “Device configuration information” (page 26)

• “Other important data about your network” (page 26)

Site network mapA site network map identifies where each device is physically located onyour site, which helps locate the users and applications that are affectedby a problem. You can use the map to systematically search each part ofyour network for problems.

Logical connectionsThe Ethernet Routing Switch 8600 supports virtual LANs (VLAN). WithVLANs, you must know how your devices are connected logically as wellas physically.

Device configuration informationMaintain online and paper copies of your device configuration information.Ensure that all online data is stored with the regular data backup for yoursite. If your site does not have a backup system, copy the information ontoa backup disk (such as a CD or zip disk) and store the backup disk in anoffsite location.

You can use FTP and TFTP to store configuration files on a remote server.

Other important data about your networkFor a complete picture of your network, have the following informationavailable:

• all passwords

Store passwords in a safe place. It is a good practice to keep recordsof you previous passwords in case you must restore a device to aprevious software version and need to use the old password that wasvalid for that version.

• device inventory

It is a good practice to maintain a device inventory, which lists alldevices and relevant information for your network. The inventoryallows you to easily see the device type, IP address, ports, MACaddresses, and attached devices.

• MAC address-to-port number list

If your hubs or switches are not managed, you must keep a list of theMAC addresses that correlate to the ports on your hubs and switches.

• change control


NN46205-703 03.02 12 April 2010


.

Normal behavior on your network 27

Maintain a change control system for all critical systems. Permanentlystore change control records.

• contact details

It is a good practice to store the details of all support contracts, supportnumbers, engineer details, and telephone and fax numbers. Havingthis information available when troubleshooting can save you time.

Normal behavior on your networkWhen you are familiar with your network when it is fully operational,you can be more effective at troubleshooting problems that arise. Tounderstand the normal behavior of your network, monitor your networkover a long period of time. During this time you can see a pattern in thetraffic flow, such as which devices are typically accessed or when peakusage times occur.

To identify problems, you can use a baseline analysis, which is animportant indicator of overall network health. A baseline serves as auseful reference of network traffic during normal operation, which you canthen compare to captured network traffic while you troubleshoot networkproblems. A baseline analysis speeds the process of isolating networkproblems. By running tests on a healthy network, you compile normaldata for your network. You can then use this normal data to compareagainst the results you get when your network is experiencing trouble. Forexample, ping each node to discover how long it typically takes to receivea response from devices on your network. Capture and save each theresponse time for each device and when you are troubleshooting you canuse these baseline response times to help you troubleshoot.


NN46205-703 03.02 12 April 2010


.

28 Troubleshooting planning fundamentals


NN46205-703 03.02 12 April 2010


.

29.

Troubleshooting fundamentalsThis section provides conceptual information about common problems.

Navigation• “Connectivity problems” (page 29)

• “Routing table problems” (page 29)

Connectivity problemsTo help troubleshoot connectivity problems, always provide source anddestination IP pairs to facilitate in troubleshooting. Ten pairs generallyprovides a sufficient amount of information for troubleshooting (fiveworking pairs and five pairs with connectivity issues).

A dump of the hardware records from the ingress OctaPID can becaptured. For example, you can use the command dump ar 0 all 3where all hardware records from OctaPID 0 slot 1 port 1 are dumped witha verbosity level of 3. Generally, a verbosity level of 1 suffices.

Routing table problemsRouting table problems can include the following:

• inactive routes

• unnecessary routes

• black hole routes

• flapping links (links going up and coming down) that cause the routesto flap

• incorrect route tables

• invalid ARP cache that causes incorrect IP assignment

• problems with administrative distance or other settings


NN46205-703 03.02 12 April 2010


.

30 Troubleshooting fundamentals

You can delete static or dynamic routes from the routing table. You canalso force the router to redo the RIP, OSPF, and BGP route selectionalgorithms. As a last resort, you can clear the routing table and force therouter to relearn routes.

Do not restart a router to clear a problem. In doing so, you also clear thelogs. Logs on routers are vital and can help determine many problems.


NN46205-703 03.02 12 April 2010


.

31.

Troubleshooting tool fundamentalsThis section provides conceptual information about the methods and toolsthat you can use to troubleshoot and isolate problems in your EthernetRouting Switch 8600 network.

Navigation• “Troubleshooting overview” (page 31)

• “Digital Diagnostic Monitoring” (page 34)

• “Port mirroring” (page 34)

• “Remote mirroring” (page 39)

• “Ping Snoop” (page 41)

• “Packet Capture Tool” (page 42)

• “General diagnostic tools” (page 46)

• “Route Switch Processor Packet Tracing” (page 48)

• “ERCD Records Dump” (page 49)

Troubleshooting overviewThe types of problems that typically occur with networks involveconnectivity and performance. The Ethernet Routing Switch 8600 supportsa diverse range of network architectures and protocols, some of which areused to maintain and monitor connectivity and isolate connectivity faults.

In addition, the Ethernet Routing Switch 8600 supports a wide range ofdiagnostic tools that you can use to monitor and analyze traffic; captureand analyze data packets; trace data flows; view statistics; and manageevent messages.

Certain protocols and tools are tailored for troubleshooting specificEthernet Routing Switch 8600 network topologies. Other tools are moregeneral in their application and can be used to diagnose and monitoringress and egress traffic on the Ethernet Routing Switch 8600.


NN46205-703 03.02 12 April 2010


.

32 Troubleshooting tool fundamentals

When connectivity problems occur and the source of the problem isunknown, it is usually best to follow the OSI network architecture layers.Therefore, confirm that your physical environment, such as the cables andmodule connections, is operating without any failures before moving up tothe network and application layers.

When gathering information about a problem, consider the followinginformation.

• Consider the OSI model when troubleshooting. Start at Layer 1 andmove upwards. Address Resolution Protocol (ARP) can cause somedifficulties; ARP operates at Layer 2 to resolve MAC addresses to IPaddresses (Layer 3).

• Router-specific tools and protocols can help you gather information.Ethernet Routing Switch 8600-specific tools are outlined in thisdocument.

• You can use client- and server-based tools from Microsoft, Novell,Linux, and UNIX. For example, you can use Windows tools likeifconfig, ipconfig, winipcfg, and route print to obtain IP informationand routing tables. Servers also maintain route tables. The followingsection shows the output of the route print command.


NN46205-703 03.02 12 April 2010


.

Troubleshooting overview 33

Microsoft(R) Windows DOS(C)Copyright Microsoft Corp 1990-2001.C:\DOCUME~1\USER>route print ===========================================================================Interface List0x1 ........................... MS TCP Loopback interface0x2 ...00 12 f0 74 2a 87 ...... Intel(R) PRO/Wireless 2200BGNetwork Connection - Packet Scheduler Miniport0x3 ...00 14 38 08 19 c6 ...... Broadcom NetXtreme GigabitEthernet - Packet Sch eduler Miniport0x4 ...44 45 53 54 42 00 ...... Nortel IPSECSHM Adapter- Packet Scheduler Minip ort ======================================================================================================================================================Active Routes:Network Destination Netmask Gateway Interface Metric0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.102 260.0.0.0 0.0.0.0 207.179.154.100 207.179.154.100 1127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1192.168.0.0 255.255.255.0 192.168.0.102 192.168.0.102 25192.168.0.0 255.255.255.0 207.179.154.100 207.179.154.100 1192.168.0.102 255.255.255.255 127.0.0.1 127.0.0.1 25192.168.0.255 255.255.255.255 192.168.0.102 192.168.0.102 25198.164.27.30 255.255.255.255 192.168.0.1 192.168.0.102 1207.179.154.0 255.255.255.0 207.179.154.100 207.179.154.10030207.179.154.100 255.255.255.255 127.0.0.1 127.0.0.1 30207.179.154.255 255.255.255.255 207.179.154.100207.179.154.100 30224.0.0.0 240.0.0.0 192.168.0.102 192.168.0.102 25224.0.0.0 240.0.0.0 207.179.154.100 207.179.154.100 1255.255.255.255 255.255.255.255 192.168.0.102 192.168.0.1021255.255.255.255 255.255.255.255 207.179.154.100 3 1255.255.255.255 255.255.255.255 207.179.154.100207.179.154.100 1Default Gateway: 207.179.154.100 ===========================================================================Persistent Routes: None

• Other problems can give the impression that a router problem istaking place. Problems with a Domain Name Service (DNS) server, oranother switch, firewall, or access point can give the impression theyare routing problems.


NN46205-703 03.02 12 April 2010


.


Digital Diagnostic MonitoringUse Digital Diagnostic Monitoring (DDM) to monitor laser operatingcharacteristics such as temperature, voltage, current, and power. Thisfeature works at any time during active laser operation without affectingdata traffic. Two types of devices support DDM: Small Form-factorPluggable (SFP) transceivers and 10 Gigabit SFPs (XFP).

An interface that supports DDM is called a Digital Diagnostic Interface(DDI). These devices provide real-time monitoring of individual DDI SFPsand XFPs on a variety of Nortel products. The DDM software provideswarnings or alarms when the temperature, voltage, laser bias current,transmitter power, or receiver power fall outside of vendor-specifiedthresholds during initialization.

For more information about DDM, SFPs and XFPs, see Nortel EthernetRouting Switch 8600 Installation — SFPs, XFPs, GBICs. and OADMHardware Components (NN46205-320).

Port mirroringThe Ethernet Routing Switch 8600 has a port mirroring feature that helpsyou monitor and analyze network traffic. Port mirroring supports bothingress (incoming traffic) and egress (outgoing traffic) port mirroring.When you enable port mirroring, ingress or egress packets are forwardednormally from the mirrored (source) port, and a copy of the packets is sentto the mirroring (destination) port.

Port mirroring navigation

• “Overview” (page 34)

• “Port mirroring and modules” (page 35)

• E and M modules

• “R modules” (page 37)

• “RS modules” (page 38)

• “ACLs, ACEs, and port mirroring” (page 38)

• “Port mirroring considerations and restrictions” (page 39)

OverviewPort mirroring causes the switch to make a copy of a traffic flow and sendthe copy to a device for analysis. Port mirroring is used in diagnosticsniffing—the mirror allows a network administrator to view the packets inthe flow without breaking the physical connection to place a packet snifferinline. Mirroring is also used for security reasons.


NN46205-703 03.02 12 April 2010


.

Port mirroring 35

You can use egress mirroring to monitor packets as they leave specifiedports. In addition, you can monitor traffic for Media Access Control (MAC)addresses, where traffic with a given MAC source address (SA) or MACdestination address (DA) is copied to the specified mirroring port.

Use a network analyzer to observe and analyze packet traffic at themirroring port. Unlike other methods that analyze packet traffic, the packettraffic is uninterrupted and packets flow normally through the mirrored port.

You can use the VLAN forwarding database feature to monitor traffic forMedia Access Control (MAC) addresses. In this case, traffic with a givensource or destination MAC address is copied to the mirror port. UsingEnterprise Device Manager, you can enable this feature by setting theMonitor field to true for a MAC address in the VLANs Forwarding tab.Monitoring of MAC address traffic must be within the context of a VLAN.

Port mirroring and modulesThe number of mirroring ports (also called destination ports) that you canconfigure depends on the type and quantity of modules you have in yoursystem configuration.

The module switch fabric determines the quantity of mirrored (source)ports that can be supported by a single mirroring (destination) port basedon the OctaPID ID assignment for that module. For example, a 48-port10/100TX module is assigned 6 OctaPID IDs, and each OctaPID IDsupports up to 8 ports (6 x 8 = 48 ports). You can assign one destinationport per OctaPID ID.

When you configure destination ports, the CLI interface automaticallyassigns the actual OctaPID ID assignment according to the switch fabricin specific Ethernet Routing Switch 8600 modules. The assignment of theOctaPID ID by the interface follows a fixed set of configuration rules basedon the module type.

For some modules, source ports that are members of the same OctaPIDID can be mirrored only to the same destination port. If you try to assignsource ports that are members of the same OctaPID ID to differentdestination ports, the CLI prompts you with an error message.

The following table describes ingress mirroring functionality for R and RSmodules. Only one type of mirroring destination is supported at any giventime. You cannot mirror the same port to multiple classes of destinations,for example, MLT and VLAN. However, you can mirror to multiple physicaldestinations.


NN46205-703 03.02 12 April 2010


.


Table 1Ingress mirroring functionality for R and RS modules

Function Support information

Ingress port mirroring and ingress flow mirroring

One port to one port Supported, no restriction in each lane

One to MLT group [(for threat protectionsystem (TPS applications)]

Supported

One to many (MGID/VLAN) Supported

One to one remote mirrored destination Supported

Many to one (multiple mirrored ports to onemirroring port)

Supported

Many to MLT group Supported

Many to many (VLAN/MGID) (multiple portswith several different destinations)

Supported

Many to many remote mirrored destination Supported

VLAN and port combination as a mirroringdestination

Not supported

Ingress flow mirroring

Allow filters to specify a separatedestination per access control entry(ACE)

Supported

Flow-based remote mirroring Supported

The following table describes egress mirroring functionality.

Table 2Egress mirroring functionality for R and RS modules


Egress port mirroring and egress flow mirroring

One port to one port R module—restriction: one egress source in eachlaneRS module—no restrictions in each lane

One to MLT groups (for TPS applications) R module—one egress source in each laneRS module—supported

One to many (MGID/VLAN) R module—one egress source in each laneRS module—supported

One to one remote mirrored destination R module—one egress source in each laneRS module—supported

Many to one (multiple mirrored ports to onemirroring port)

R module—one egress source in each laneRS module—supported


NN46205-703 03.02 12 April 2010


.

Port mirroring 37


Many to MLT group R module—one egress source in each laneRS module—supported

Many to many (VLAN/MGID) (multiple portswith several different destinations)

R module—one egress source in each laneRS module—Many to many MGIDs

Many to many remote mirrored destination R module—one egress source in each laneRS module—supported

VLAN and port combination as mirroringdestination

Not supported

Egress flow mirroring

Allow filter to specify a separate destinationper ACE

R module—one egress source in each laneRS module—supported

Flow-based remote mirroring R module—one egress source in each laneRS module—supported

R modulesOn R modules, you can create one enabled entry for each lane on amodule. Therefore, you can create up to 3 entries on a 3 lane module, andup to 24 entries on an 8-module chassis.

If you have an R module installed and set the mirroring mode to rx, youmust use an ACL filter option to mirror the port.

R modules support two port mirroring modes: rx (ingress, that is, inPortand inVLAN) and tx (egress, that is, outPort and outVLAN).

In rx modes, when you configure the ACE Debug or ACL Global options tomirror, use the ACE to configure the mirroring destination port.

In tx modes, when you configure the ACE Debug or ACL Global optionsto mirror, use the Diagnostics parameter to configure the mirroringdestination. For example, in Enterprise Device Manager, choose the Edit,Diagnostics, General, Port Mirrors tab to select the destination ports.

The following table shows the maximum number of entries that you canconfigure on an R module.

Table 3Maximum port mirroring entries per R module

Module Number of lanes Maximum port mirroring entries

8630GBR 3 1 port from each group of 10 ports:1 port from ports 1–101 port from ports 11–201 port from ports 21–30


NN46205-703 03.02 12 April 2010


.


Module Number of lanes Maximum port mirroring entries

8648GTR 2 1 port from each group of 24 ports:1 port from ports 1–241 port from ports 25–48

8683XZR/ZW8683XLR

3 Can mirror all 3 ports

RS modulesRS modules offer enhanced port mirroring functionality. Using RSmodules, you can specify a destination multilink trunking (MLT) group, adestination port or set of ports, or a destination VLAN.

RS modules support both rxFilter and txFilter modes, but operatedifferently than R modules. Similar to R modules, you select the mode byconfiguring the inPort/outPort/inVLAN/outVLAN ACL parameters. You canconfigure the mirroring action globally in an ACL, or for a specific ACEby using the ACE Debug actions. However, regardless of the ingress oregress mode, you configure the mirroring destination by using an ACE.

To modify an RS module port mirroring instance, first disable the instance.Also, to change a port, VLAN, or MLT entry, first remove whicheverparameter is attached to the entry and then add the required entry. Forexample, if an entry has mirroring ports already assigned, remove theports using the remove mirroring-ports command, and then, toassign a VLAN to the entry, use the add mirroring-vlan command.

ACLs, ACEs, and port mirroringFor R series modules, you can configure an ACL or an ACE to perform themirroring operation. To do so, you can configure the ACL global action tomirror, or you can configure the ACE debug action to mirror. If you use theglobal action, mirroring applies to all ACEs that match in an ACL.

For Release 5.0. to decouple flow-based mirrors from port-based mirrors,ACEs use a new parameter called debug mirror enable. Also, in theACE, you can specify the egress ports, the egress MLT-ID, and theegress VLAN. For more information, see Nortel Ethernet Routing Switch8600 Configuration — QoS and IP Filtering for R and RS Modules (NN46205-507).

You can use filters to reduce the amount of mirrored traffic. To use filterswith port mirroring for an R or RS module, you must use an ACL-basedfilter. Apply an ACL to the mirrored port in the egress, ingress, or bothdirections. Traffic patterns that match the ACL/ACE with an action ofpermit are forwarded to the destination and also to the mirroring port.Traffic patterns that match an ACE with an action of drop (deny) are notforwarded to the destination, but still reach the mirroring port For example,


NN46205-703 03.02 12 April 2010


.

Remote mirroring 39

for an ACL/ACE with a match action of permit and debug mirroringenabled, packets are mirrored to the specified mirroring destination on theACE. If a port or VLAN filter is enabled, that filter is used as the mirroringfilter.

You can specify more than one mirroring destination by using multipleACEs. Use each ACE to specify a different destination.

You cannot configure a port-based and a flow-based mirroring filter onthe same port. If such a case occurs, then the flow-based mirror takesprecedence.

For more information about configuring ACLs and ACEs, see NortelEthernet Routing Switch 8600 Configuration — QoS and IP Filtering for Rand RS Modules (NN46205-507).

Port mirroring considerations and restrictionsWith R and RS modules, you can configure the Ethernet Routing Switch8600 to monitor both ingress and egress traffic.

Mirrored traffic shares ingress queue, egress queue, and fabric bandwidthwith normal traffic and therefore can impact normal traffic. Therefore,use these features with this potential consequence in mind and enablethem only for troubleshooting, debugging, or for security purposes such aspacket sniffing, intrusion detection, or intrusion prevention.

Mirroring does not affect IPFIX actions. After duplication, the packetproceeds along its original path.

You can configure as many ingress mirroring flows as you have filters.In flow-based remote mirroring, the RMS encapsulates all flow-basedmirroring packets, and does not distinguish between RMTs based onflows. You can configure one RMS and one RMT per port.

To avoid VLANs and Spanning Tree Groups (STG) members from seeingmirrored traffic, you must remove mirroring (destination) ports from allVLANs and STGs.

Ingress mirroring mirrors packets that are not dropped by the MAC. TheMAC drops any errored packet, for example, packets that are too shortor too long. Control packets consumed by the MAC (802.3x flow control)are also not mirrored.

Remote mirroringUse remote mirroring to steer mirrored traffic through a switch cloud to anetwork analysis probe located on a remote switch. With remote mirroring,many ports from different switches can be monitored using one network


NN46205-703 03.02 12 April 2010


.


probe device. This function is achieved by encapsulating mirrored packets.The encapsulated frame can be bridged though the network to the remotediagnostic termination port.

Remote mirroring uses a specific VLAN if remote mirroring is enabledon the port mirroring destination port. The VLAN ID is set in the MonitorTag field of the remote mirrored packet. With this feature, the user cansegregate remote mirrored traffic to a single VLAN.

When an RMT port receives an encapsulated frame from the switch fabric,it strips off the remote mirroring encapsulation as it is being transmitted onthe port. Remote mirrored encapsulated frames are identified when theconfigured remote mirroring destination MAC address is detected as thedestination MAC address in the packet. The RMT sends dummy broadcastLayer 2 packets with the remote mirroring destination MAC address asthe source MAC address so that all nodes in the network can learn thisMAC address. The dummy broadcast is sent every 10 seconds (becausethe minimum value of the forwarding database [FDB] aging timer is 10seconds). When you configure a port as a RMT, a static FDB entry isadded to channel all traffic destined for the remote mirroring destinationMAC address to the RMT port. When you remove an RMT port from all ofthe configured VLANs, the remote mirroring feature is disabled on the port.

The remote mirroring encapsulation wrapper is 20 bytes in length andconsists of a Layer 2 Destination Address, Layer 2 Source Address,Monitor Tag, Monitor Ether Type, and Monitor Control. The originalCRC-32 is stripped from a mirrored packet, and a new CRC-32 iscomputed over the entire encapsulated frame. When the mirrored frame is1522 bytes (1518 plus 4-byte 802.1p/q tag), the resulting maximum framelength is 1542 bytes. To support this, all the nodes in the network must beable to handle 1542-byte packets.

Remote mirroring considerations and restrictionsMirrored traffic shares ingress, egress, and fabric bandwidth with normaltraffic and therefore can impact normal traffic. Therefore, use thesefeatures with this potential consequence in mind and enable them onlyfor troubleshooting, debugging, or for security purposes such as packetsniffing, intrusion detection, or intrusion prevention.

To support remote mirroring, all the nodes in the network must be able tohandle a packet size up to 1542 bytes.

The following limitations apply to remote mirroring:

• You can configure a maximum of 16 RMTs in a switch.

• Only one port of an OctaPID can act as an RMT.

• Only one port in an OctaPID can act as an RMS.


NN46205-703 03.02 12 April 2010


.

Ping Snoop 41

• On R modules, you can mirror only one port in each egress lane. Thisdoes not apply to RS modules.

• The RMS port must be a port mirroring destination port because onlymirrored packets are remote mirrored. The switch does not check if theport is a port mirroring destination port, and sends no error messages ifthe port is not.

• An RMT must be part of at least one port-based VLAN.

Be aware of the following information:

• If the RMS is a tagged port, the mirrored packet is encapsulated andtransmitted with the VLAN ID of the RMS port and forwarded to theRMT. Encapsulation does not modify the mirrored packet data or theVLAN ID. When the RMT port receives an encapsulated frame fromthe switch fabric, the port removes the remote mirroring encapsulationand the frame is transmitted on the port with the VLAN ID of themirrored packet (the original packet).

• If port mirroring is disabled, no packets are remote mirrored.

• Packets are captured as long as the RMT is reachable.

• When you enable or disable remote mirroring, a trap is sent to the trapreceiver, and an SNMP log message states that remote mirroring isenabled or disabled and the mode.

• When you remove an I/O module from a slot, the RMS and the RMTon all ports in the slot are disabled. This action generates an SNMPlog message and a trap. When you reinsert the module, the RMS andRMT are reenabled, but you must reenable remote mirroring.

• The RMT switch can receive the remote mirroring packet with completeremote mirroring encapsulation (including the remote mirroring tag).

• Remote mirrored packets are sent with lowest priority (that is, a p-bitvalue of 0).

Ping SnoopYou can use Ping Snoop to help troubleshoot MultiLink Trunking (MLT)and Split MultiLink Trunking (SMLT) networks. Ping Snoop displays theroute that IP traffic takes over an MLT or SMLT path. Ping Snoop enablesa filter that copies Internet Control Message Protocol (ICMP) messages tothe CPU. The CPU then monitors the ICMP stream. The console displaysthe port that is used for each IP traffic flow from source to destinationstation. There is no mechanism to prevent line-rate ICMP traffic from goingto the CPU as a result of enabling Ping Snoop.


NN46205-703 03.02 12 April 2010


.


For R and RS modules, there exists a preconfigured Ping Snoop ACTand ACL. If you have an R series module installed, you must use the ACLfilter option.

You create a Ping Snoop filter by specifying a source and destination IPaddress. Then, you specify the ports on which you want to enable PingSnoop. Only one Ping Snoop filter is supported on a port. If an ICMPrequest is received on any of the added ports, the source and destinationIP address and the port on which the packet was received appear on themanagement console.

Ping Snoop uses one of the available global filters (0–7). If eight globalfilters are configured on a port prior to enabling ping snoop, Ping Snoopcannot be enabled for a port. You must remove at least one of the globalfilters to enable Ping Snoop.

By design, Ping Snoop configurations are not saved to the configurationfile and are deleted by resetting the switch. In addition, your Ping Snoopconfiguration is erased if you log off and then log on under a differentsecurity level.

Packet Capture ToolThe Packet Capture Tool (PCAP) is a data packet capture tool thatcaptures ingress and egress packets on selected I/O ports. With thisfeature, you can capture, save, and download one or more traffic flowsthrough the Ethernet Routing Switch 8600. The captured packets can thenbe analyzed offline for troubleshooting purposes. This feature is based onthe mirroring capabilities of the I/O ports.

To use PCAP, you must have the Advanced Routing License. For moreinformation about licensing, see Nortel Ethernet Routing Switch 8600Administration ( NN46205-605).

All captured packets are stored in the Secondary CPU, used as thePCAP engine. The Master CPU maintains its protocol handling and is notaffected by any capture activity.

PCAP provides support for ACL filters on R module ports.

Packet Capture Tool navigation

• “PCAP packet flow” (page 43)

• “PCAP feature support” (page 43)

• “PCAP, IP, and MAC filter sets” (page 44)

• “PCAP filters” (page 44)


NN46205-703 03.02 12 April 2010


.

Packet Capture Tool 43

• “PCAP limitations and considerations” (page 44)

• “PCAP and R series modules” (page 46)

PCAP packet flowBy default, PCAP uses port mirroring. If a filter set is applied, flowmirroring is used. If further filtering is required, PCAP software filters areapplied. You can store captured packets in the PCAP engine DRAM(PCAP00), on a PCMCIA device (or on external flash on the 8895SF/CPU), or on the network. You can then use FTP to download thestored packets to an offline analyzer tool such as EtherReal or Sniffer Pro.

The following figure illustrates how to use the PCAP tool to configurePCAP filters and enable them on ports.

Figure 1PCAP example

PCAP feature supportPCAP supports the following features:

• PCAP uses the Secondary CPU as the PCAP engine.

• PCAP supports activating packet capture on one or multiple ports.

• PCAP can capture packets on ingress, egress, or both directions (Rand RS modules).

• You can use PCAP with existing IP traffic filters so that only packetsthat match this filter criteria are captured.

• You can use PCAP with existing MAC (fdb) filters so that only packetsthat match this filter criteria are captured.


NN46205-703 03.02 12 April 2010


.


• PCAP supports software filters, which provides a way to filter thepackets in the PCAP engine.

• Captured packets can be stored on a PCMCIA device (or on externalflash on the 8895 SF/CPU) or on the network. The packets are storedin Sniffer Pro file format.

PCAP, IP, and MAC filter setsYou use IP traffic filter sets to limit the amount of data traffic sent to thePCAP engine. The PCAP engine is the device that actively captures datapackets.

Using IP filter sets affects data network traffic depending on the actiontaken at the filter and port level. Applying IP filter sets has the sameaffect on network traffic as configuring filter sets to ports using PCAPparameters. For routed IP traffic, use Source/Destination IP filter sets; forbridged IP traffic use Global IP filter sets.

You can use PCAP to capture packets that match criteria based on MACaddress filters. Nortel recommends that you use PCAP with MAC filtersbecause it reduces traffic flow on the PCAP engine.

PCAP filtersYou use the PCAP filters to selectively configure match criteria to captureor drop frames. The configured parameters determine which filter to applyto a given frame. The default behavior is to accept the frame. You canalso set trigger filters to globally start and stop packet capturing.

PCAP limitations and considerationsThis section describes the limitations and considerations of the PCAP tool.

• PCAP is not compatible with HA-CPU. Be sure to disable HA-CPUprior to using this feature.

• PCAP is now supported with SuperMezz.

• Flow control packets can be issued if port performance is affectedwhile PCAP is enabled.

• When setting capture-filter parameters for PCAP, a value of 0 isaccepted when setting the range of values. The value of 0 disables thefilter parameter (a value of 0 means the filter parameter is disabled).Do not use 0 in setting a range of values in a filter parameter.

• When the Secondary CPU cycles in the PCAP engine are used forpacket capturing, and if the packet incoming rate is high (about 200Mbps), the log messages and certain CLI commands executed in theSecondary CPU are queued. This state is recovered after the packetcapturing is completed. For immediate recovery, disable PCAP on the


NN46205-703 03.02 12 April 2010


.

Packet Capture Tool 45

individual ports in the primary CPU on which packets are to ingress.The packets captured until this time are stored in the buffer.

• To autosave using an anonymous FTP session to a Windows system,first create a /pub subdirectory in the c: directory or the drive whichis the default for the FTP server.

• PCAP uses two levels of filtering to capture packets: one at thehardware level and one at the software level. The hardware level usesthe existing IP filters; the software level uses capture filters. Use theconfig ethernet <ports> pcap add set command to add IPfilters for the specified port for PCAP and for regular IP traffic filtering.Therefore, when you use the config ethernet <ports> pcap infocommand, you may see filter set values that are specific to IP trafficfilters only.

Use the config ethernet <ports> pcap enable command toenable or disable PCAP on the port. When you use the configethernet <ports> pcap info command, the information displayedfor the enable parameter refers to PCAP only (that is, if enable is set totrue, this means that PCAP is enabled for the specified interface).

• If you use an IP filter as a PCAP filter to capture packets, then youdisable PCAP globally and at the port level, the IP filter remains active.

• If you want the PCAP configuration file to be restored after a SF/CPUfailover, you must source the configuration file after the SecondaryCPU becomes the Master. Otherwise, the PCAP configuration file isnot loaded.

• If you globally disable PCAP, the number of packets dropped inhardware continues to go up unless you also disable PCAP on theport. To disable PCAP on the port, use the config <ethernet><ports> pcap command.

Because the PCAP feature is based on the mirroring capabilities of the I/Oports, limitations that apply to port mirroring also apply to PCAP. Theselimitations include:

• PCAP cannot be enabled on a port that has port mirroring currentlyenabled.

• PCAP cannot be enabled if PCAP or port mirroring is enabled onany other port on the same OctaPID. For 10/100 ports, there is oneOctaPID for every 8 ports. For example, ports 1-8 use one OctaPID,ports 9-16 use another OctaPID, and ports 17-24 use anotherOctaPID. For all Gigabit ports, each port has its own OctaPID.


NN46205-703 03.02 12 April 2010


.


PCAP and R series modulesRelease 4.1.1 and later provides support for ACLs with PCAP on Rmodule ports. At the port level, you can now enable PCAP in any one ofthe following six modes:

• rx (ingress)

• tx (egress)

• both (both ingress and egress)

• rxfilter (filter applied at ingress)

• txfilter (filter applied at egress)

• bothfilter (filter applied at both ingress and egress)

Rx, tx, and both modes do not require hardware filters, and are supportedby R series modules.

RxFilter, txFilter and bothFilter filter modes allow filters or ACLs to beapplied at the port level to aid capture. Release 4.1.1 adds the followingmodes: txFilter and bothFilter.

R series modules support all six modes; R modules support both egressand ingress filtering. For rxFilter, txFilter, or bothFilter configurations, Rmodule ACLs are available for use.

General diagnostic toolsThe Ethernet Routing Switch 8600 has diagnostic features available withEnterprise Device Manager, the Command Line Interface (CLI), and theNortel CLI (NNCLI). You can use these diagnostic tools to help you withtroubleshooting operational and configuration issues. You can performsuch tasks as configuring and displaying log files, viewing and monitoringport statistics, tracing a route, running loopback and ping tests, testing theswitch fabric, and viewing the address resolution table.

For more information about statistics, see Nortel Ethernet Routing Switch8600 Performance Management (NN46205-704).

TracerouteTraceroute determines the path a packet takes to reach a destination byreturning the sequence of hops (IP addresses) the packet traverses.

According to RFC 1393, traceroute operates by: "sending out a packetwith a Time To Live (TTL) of 1. The first hop then sends back an ICMPerror message indicating that the packet could not be forwarded becausethe TTL expired. The packet is then resent with a TTL of 2, and thesecond hop returns the TTL expired. This process continues until the


NN46205-703 03.02 12 April 2010


.

General diagnostic tools 47

destination is reached. The purpose behind this is to record the sourceof each ICMP TTL exceeded message to provide a trace of the path thepacket took to reach the destination."

PingPing is a simple and useful diagnostic tool used to determine reachability.When using Ping, the switch sends an ICMP Echo Request to adestination IP address. If the destination receives the packet, it respondswith an ICMP Echo Response.

If a Ping test is successful, the destination you are having difficultyreaching is alive and reachable. Even if a router is reachable, it can haveimproperly working interfaces or corrupted routing tables.

TraceUse trace commands to provide detailed data collection about softwaremodules on the Ethernet Routing Switch 8600. The trace toolset can beused to trace multiple modules simultaneously and provides options tospecify the verbosity level of the output.

Trace logging can be enabled through the bootconfig trace-logging flag.This command causes the trace output to be captured in systrace files inthe PCMCIA card (or in external flash on the 8895 SF/CPU) of the primaryCPU. Any trace run with this flag set to true is copied to the PCMCIA (orexternal flash) under filename systrace.

CAUTIONRisk of traffic lossUsing the trace tool inappropriately can cause primary CPUlockup conditions, loss of access to the switch, loss of protocols,and service degradation.

Using the trace tool inappropriately can cause primary CPU lockupconditions, loss of access to the switch, loss of protocols, and servicedegradation. While these occurrences are uncommon, when using thetrace level tool, minimize this risk. Nortel recommends the following:

• In situations where trace data is required concurrently from multiplemodules, troubleshooting during a maintenance window should beconsidered if feasible. A maintenance window period should also beconsidered if the switch is stable but CPU utilization is high and CPUtraces (example trace levels 9 and 11) are required to diagnose thecause.

• To avoid potential issues due to logging trace data to the PCMCIA(or external flash) card, the trace-logging feature should be disabled(config bootconfig flags trace-logging false).


NN46205-703 03.02 12 April 2010


.


• Run trace commands from the console port whenever the CPUutilization is already high.

• Initially activate tracing at lower verbosity settings (that is, 2 rather than3). Increase to verbosity level 3 or 4 only if required, and after level2 is run safely.

• Avoid leaving traces active for extended periods of time. For high CPUutilizations, a few seconds (typically less than 5 seconds) is generallysufficient to identify the cause for sustained high CPU utilization.

Route Switch Processor Packet TracingThe Ethernet Routing Switch 8600 supports Route Switch Processor(RSP) Packet Tracing on R and RS modules, which provides CLI andNNCLI support for the following COP debug commands:

• ercdIngressPktTraceEnable / ercdIngressPktTraceDisable

• ercdEgressPktTraceEnable / ercdEgressPktTraceDisable

• ercdIngressPktTrace

• ercdEgressPktTrace

• ercdIngressDisplayPacket

• ercdEgressDisplayPacket

Two CLI or NNCLI commands enable or disable the ingress or egressPacket Tracing. When you enable Packet Tracing, the CP sends amessage to the COP and Packet Tracing is internally enabled on the COP.Similarly, when Packet Tracing is disabled on the CP, it is disabled onthe COP. By default the Packet Tracing is enabled for one second. Afterone second, the Packet Tracing is disabled internally. While enabling thePacket Tracing, RSP selection is based on port by default—a port numberis internally converted into RSP-ID and Packet Tracing is enabled on thatlane. Therefore, when Packet Tracing is enabled using one port, it displaysenabled on all the ports in that lane. Packet Tracing is collected on theCOP and it is sent to the CP when you enter the dump trace commandthrough the CLI or NNCLI.

When you enter the dump trace command, a message is sent to theCOP and all the Packet Tracing data that is collected is copied into thereply buffer and is sent to the CP. On the CP, the data is formatted anddisplayed. While displaying the Packet Tracing data, RSP selection usesthe port by default. Packet Tracing data can be displayed by using any ofthe ports in the lane: it does not need to be on the same port on which thePacket Tracing is enabled.


NN46205-703 03.02 12 April 2010


.

ERCD Records Dump 49

CP to COP messagingWhen you enable Packet Tracing on the CP, a message is sent to theCOP to internally enable Packet Tracing on the specific RSP.

The message consists of the following:

• RSP number—the number of the RSP on which Packet Tracing isenabled. This determines whether the Packet Tracing is ingress oregress.

Lane Left Center Right

Lane No. 2 0 1

Ingress-RSP 5 1 3

Egress-RSP 4 0 2

• slot number

• state—enable or disable

• interval—the number of seconds for which the Packet Tracing remainsenabled

IntervalAn optional parameter interval enables Packet Tracing for the desirednumber of seconds. The value of the interval can be 1, 10, 30, 60, 120, or300 seconds. When you enable Packet Tracing, a timer is started on theCOP, which runs for the interval number of seconds and disables PacketTracing after the interval number of seconds. When Packet Tracing isdisabled, the COP sends a trace disable message to the CP.

ERCD Records DumpEthernet Routing Switch 8600 provides CLI and NNCLI support for thefollowing COP debug commands:

• dump ercdRecord arp

• dump ercdRecord ip

• dump ercdRecord ip_subnet

• dump ercdRecord mac—When MAC is learned against a port , oneMAC record is created on the COP. The same entry is downloaded bythe CP, to all the other slots available on the Metro Ethernet RoutingSwitch 8600. This command shows the learned MAC entries for thespecified port that are present on the COP, and the correspondingVLAN record of the port. You can run this command for the slot(the port belongs to, other slots, or both), to check if the CP hasdownloaded the MAC records correctly.


NN46205-703 03.02 12 April 2010


.


• dump ercdRecord mac_vlan

• dump ercdRecord mgid

• dump ercdRecord protocol

• dump ercdRecord vlan—When you add a port under a VLAN,there is one ingress VLAN record created for the port on COP. Thiscommand output displays the VLANs to which this port belongs andthe corresponding ingress VLAN records of this port.

The dump ercdRecords command dumps the specified ERCD records.The ERCD records dump is requested by the CP to the COP and thenthe records are obtained at the COP and replied back to the CP. The CPdisplays the records on the CLI or NNCLI prompt.

The Enterprise RSP Control Driver (ERCD) records are maintained on theCOP in a specific radix table. When the CP requests the ERCD records,the radix table is traversed and the records which match the criteria (forspecific port or specific slot or both) are obtained. These records areobtained from the COP through CP to COP messaging with reply.

The records are obtained from the COP with a specified block size, withmultiple messaging, because there is a specific limit to the buffer size forCP to COP messaging.

CP to COP messagingWhen you enter the command for a specified ERCD record, thecorresponding message ID is sent to the CP with a reply buffer. The COPcalls the corresponding function with which to traverse through the specificradix table and to get records. After the block size is filled by the COP, areply is sent back to the CP. The CP prints the records on CLI or NNCLIand, depending on the records count, resends the message to the COPuntil the radix end node is traversed.


NN46205-703 03.02 12 April 2010


.

51.

Log and trap fundamentalsUse the information in this section to help you understand Simple NetworkManagement Protocol (SNMP) traps and log files, available as part of theEthernet Routing Switch 8600 System Messaging Platform.

Navigation• “Simple Network Management Protocol” (page 51)

• “Overview of traps and logs” (page 52)

• “System Messaging Platform” (page 53)

Simple Network Management ProtocolThe Simple Network Management Protocol (SNMP) provides facilities formanaging and monitoring network resources. It consists of the following:

• agents

An agent is software running on a device that maintains informationabout device configuration and current state in a database.

• managers

An SNMP manager is an application that contacts an SNMP agent toquery or modify the agent database.

• the SNMP protocol

SNMP is the application-layer protocol used by SNMP agents andmanagers to send and receive data.

• Management Information Bases (MIB)

The MIB is a text file that specifies the managed objects by an objectidentifier (OID).

ATTENTIONAn Ethernet Routing Switch 8600 does not reply to SNMP requests to its VRRPvirtual interface address. It does, however, reply to SNMP requests to itsphysical IP address.


NN46205-703 03.02 12 April 2010


.

52 Log and trap fundamentals

An SNMP manager and agent communicate through the SNMP protocol.A manager sends queries and an agent responds; however, traps areinitiated by an agent. There are several types of packets used betweenSNMP managers and agents:

• Get Request

This message requests the values of one or more objects.

• Get Next Request

This message requests the value of the next object.

• Set Request

This message requests to modify the value of one or more objects.

• Get Response

This message is sent by an SNMP agent in response to a GetRequest, Get Next Request, or Set Request message.

• Trap

An SNMP trap is a notification triggered by events at the agent.

Overview of traps and logsThe SNMP trap is an industry-standard method used to manage events.You can set SNMP traps for specific types of log messages (for example,Warning or Fatal) from specific applications, and send them to a trapserver for further processing. For example, you can configure the EthernetRouting Switch 8600 to send SNMP traps to a server when a port isunplugged or when a power supply fails.

On any UNIX-based management platform, you can use system log(syslog) messaging to manage event messages. The Ethernet RoutingSwitch 8600 syslog software communicates with a server softwarecomponent named syslogd on your management workstation.

The UNIX daemon syslogd is a software component that receives andlocally logs, displays, prints, and forwards messages that originate fromsources internal and external to the workstation. For example, syslogdon a UNIX workstation concurrently handles messages received fromapplications running on the workstation, as well as messages receivedfrom a Ethernet Routing Switch 8600 running in a network accessible tothe workstation.


NN46205-703 03.02 12 April 2010


.

System Messaging Platform 53

The remote UNIX management workstation does the following:

• receives system log messages from the Ethernet Routing Switch 8600

• examines the severity code in each message

• uses the severity code to determine appropriate system handling foreach message

This document only describes SNMP commands related to traps. Forinformation about configuring SNMP community strings and related topics,see Nortel Ethernet Routing Switch 8600 Security (NN46205-601).

System Messaging PlatformThe System Messaging Platform (SMP) creates a scheme for thedisplay and access of system messages. SMP enhances your access ofinformation by offering greater serviceability.

In addition to standardizing system messages, SMP captures all relevanterror information (system messages and crash dumps) in a single file.SMP helps in collecting, analyzing, and providing solutions to issues ina timely manner.

System Messaging Platform navigation

• “Log message format” (page 53)

• “Log files” (page 55)

• “Log file transfer” (page 56)

Log message formatThe log messages for the Ethernet Routing Switch 8600 have astandardized format. All system messages are tagged with the followinginformation:

• Module ID—software module from which the log is generated.

• Nortel Proprietary (NP) information for debugging purposes.

• SF/CPU slot—identifies which slot of the SF/CPU generated the logmessage.

• Category—the category of the log message.

• Severity—the severity of the message.

The SMP message format is as follows:

<Module ID><Task><NP info><CPU slot><Time stamp><Category><Severity>The following is an example of an SMP message:


NN46205-703 03.02 12 April 2010


.


VLAN Task=tTrapd No-interface CPU5 [10/14/98 15:46:26] VLANWARNING Link Down

NP information is encrypted before it is written to the log file. Theencrypted information is for debugging purposes. Only a Nortel CustomerService engineer can decrypt the information. The CLI commands displaythe logs without the encrypted information. Nortel recommends that youdo not edit the log file.

The following table lists the system message categories.

Table 4SMP categories

SMP categories

ATM IP PIM SNMP

CPU IPMC POLICY STG

DVMRP IP-RIP POS SW

EAP IPX QOS VLAN

FILTER MLT RADIUS WEB

HW NONE RIP

IGMP OSPF RMON

The following table describes the system message severity levels.

Table 5SMP severity levels

Severity level Definition

INFO Information only. No action is required.

ERROR A nonfatal condition occurred. You may be requiredto take appropriate action. For example, an errormessage is generated when the system is unable tolock onto the semaphore required to initialize the IPaddresses used for transferring the SMP log file to aremote host.

WARNING A nonfatal condition occurred. No immediate action isneeded.

FATAL A nonfatal condition occurred. The system cannotrecover without restarting. For example, a fatalmessage is generated when the configuration databaseis corrupted.

Based on the severity code in each message, the switch dispatches eachmessage to any or all of the following destinations:


NN46205-703 03.02 12 April 2010


.


• workstation display

• local log file

• designated printer

• one or more remote hosts

Internally, the Ethernet Routing Switch 8600 has four severity levels forlog messages: Info, Warning, Error, Fatal. The system log supports eightdifferent severity levels:

• Debug

• Info

• Notice

• Warning

• Critical

• Error

• Alert

• Emergency

The following table shows the default mapping of internal severity levels tosyslog severity levels.

Table 6Default and system log severity level mapping

UNIX systemerror codes

System logseverity level

Internal Ethernet RoutingSwitch 8600 severity level

0 Emergency Fatal

1 Alert –

2 Critical –

3 Error Error

4 Warning Warning

5 Notice– –

6 Info Info

7 Debug –

Log filesThe SMP changes the way syslog files are captured and named.


NN46205-703 03.02 12 April 2010


.


The syslog.txt and sysHwlog.txt files are merged to enhance logmaintenance. A single log file captures both hardware and softwaremessages. This log file is simultaneously saved to DRAM and, if available,the PCMCIA card (or external flash on the 8895 SF/CPU).

Crash dump information is captured, encrypted, and stored in the log filefor debugging purpose. The time when the crash dump occurred is alsocaptured. Crash dump information is only retained when logging to aPCMCIA (or external flash) card; this information is not saved to DRAM.

Nortel recommends that you log to a PCMCIA (or external flash) card andkeep a PCMCIA (or external flash) card in each SF/CPU at all times. TheDRAM has limited memory allocated to SMP. DRAM logs are stored in acircular list, which overwrites older log messages when the log fills up. TheDRAM log also does not contain any encrypted information, which can limitthe information available during troubleshooting.

Log file naming conventionsThe following lists the naming conventions used for the log file.

• The log file is named according to 8.3 (xxxxxxxx.sss) format. Thefirst six characters of the log file name contains the last three bytesof the chassis base MAC address. The next two characters specifythe slot number of the SF/CPU that generated the logs. The last threecharacters (sss) denote the sequence number of the log file.

• The sequence number of the log file is incremented after everysuccessful auto-transfer of the file to the remote host.

• After reboot, the log file name with the highest sequence number onthe PCMCIA (or external flash) is used to store system messages. Ifthe log file does not exist, a new log file with the sequence number 000is created.

Log file transferThe system logs contain important information for debugging andmaintaining your Ethernet Routing Switch 8600. When logging to thePCMCIA card (or external flash on the 8895 SF/CPU), the log file isautomatically transferred to a remote host when it reaches your specifiedsize parameters. You can configure up to 10 remote hosts, creatinglong-term backup storage of your system log files.

Of the 10 configured remote hosts, 1 is the primary host and the other 9are redundant. Upon initiating a transfer, SMP always attempts to use host1 first. If host 1 is not reachable, SMP tries host 2, and then host 3, andon through the list of redundant hosts in sequential order until it finds areachable host.


NN46205-703 03.02 12 April 2010


.


If the autotransfer of the log file is unsuccessful, SMP will log any futuremessages in the DRAM instead of the PCMCIA (or external flash).

You can specify the following information to configure the transfer criteria:

• Configurable log size parameters for the PCMCIA (or external flash)include:

— minsize—the minimum acceptable free space available on thePCMCIA (or external flash) for logging

— maxsize—the maximum size of the log file on the PCMCIA (orexternal flash)

— maxoccupyPercentage—the amount of memory to use for SMPlogging when the maxsize parameter cannot be met

• The IP address of the remote host.

• The name of the log file that is to be stored on the remote host.

• The user name and password, if required. You can use the followingcommand to configure the user name and password:config bootconfig host user <value> password <value>

Be aware of the following restrictions when transferring log files to aremote host:

• The remote host IP address must be reachable.

• When you transfer a log file from a host to the switch, (for example,to display it with the show log file command), you should rename thelog file. Failure to rename the log file may cause the switch to use therecently transferred file as the current log, if the sequence numberin the extension is higher than the current log file. For example, ifbf860005.002 is the current log file and you transfer bf860005.007 tothe switch, the switch logs future messages to the bf860005.007 file.You can avoid this if you rename the log file to something other thanthe format used by SMP.

• If your TFTP server is a UNIX-based machine, any files written to theserver must already exist. For example, you must create dummy fileswith the same names as your system logs. You can accomplish this byusing the touch command (for example, touch bf860005.001).

Log file transfer criteriaBefore logging a system message on the PCMCIA card (or external flashon the 8895 SF/CPU), SMP calculates the space available for loggingaccording to the parameters defined. Either logging continues on theexternal memory card, or SMP transfers the existing log to a remotehost. After the current log file is transferred, a new log file is created


NN46205-703 03.02 12 April 2010


.


on the external memory card. If there is not enough free space on theexternal memory card for the new log file to reach the configured minsizeparameter, SMP begins logging to DRAM until there is enough free spaceon the card.

ATTENTIONMake sure you have sufficient space for the SMP log on your PCMCIA (orexternal flash) card. Smaller amounts of free space for the log cause morefrequent transfers.

If the transfer of a log file fails, a message indicating the failure isgenerated. Also, if all the configured hosts are unreachable and thetransfer fails, a log message is generated and the logging of messagesto the external memory card is stopped. A trap is generated and loggingcontinues in the DRAM.

After the system successfully transfers the current SMP log file to aremote host, the system deletes the SMP log on the external memorycard. A new log file is started, with the extension incremented by 1(for example, /pcmcia/bf860005.003 is transferred, deleted, and/pcmcia/bf860005.004 is created)

The following examples show how SMP determines when to transfer thelog files and whether to continue logging to the external memory card.

Example 1

The Ethernet Routing Switch 8600 has been in operation with an 8 MB(8192 KB) PCMCIA card installed.

The configured parameters are as follows:

• minsize: 100 KB

• maxsize: 2048 KB

• maxoccupyPercentage: 90

Current operating parameters are as follows:

• PCMCIA card size: 8192 KB

• Current log file size: 200 KB

There are no files on the PCMCIA card except for the current SMP log file.The system recalculates the allowable log file size as follows:

• Space available to SMP: 8192 KB – 0KB = 8192 KB

• Allowed log file size: 2048 KB


NN46205-703 03.02 12 April 2010


.


The system transfers the current log file to a remote host when thelog file size reaches the configured maximum size of 2048 KB. ThemaxoccupyPercentage parameter does not have any affect in thisexample, since the space available for SMP is so much greater than themaxsize parameter.

Example 2

The Ethernet Routing Switch 8600 has been in operation for some timewith an 8 MB (8192 KB) PCMCIA card installed.


• minsize: 100 KB






There are some image and configuration files on the PCMCIA card whichtake up a total of 6144 KB. The system recalculates the allowable log filesize as follows:

• Space available to SMP: 8192 KB – 6144 KB = 2048 KB

• Allowed log file size: 2048 KB * 0.90 = 1843 KB

The switch transfers the log file to a remote host when the file reaches1843 KB. A transfer is triggered at 1843 KB, rather than 2048 KB, becauseof the maxoccupyPercentage parameter. This parameter, set at 90%in this example, ensures that the PCMCIA card never completely fills to100% capacity. Therefore, maxsize or maxoccuptPercentage triggersthe log file transfer depending on which is reached first.

Example 3

The Ethernet Routing Switch 8600 has been in operation for some timewith an 8MB (8192KB) PCMCIA card installed.


• minsize: 500 KB




NN46205-703 03.02 12 April 2010


.





There are some image and configuration files on the PCMCIA card thattake up a total of 7782 KB. The system recalculates the allowable log filesize as follows:

• Space available to SMP: 8192 KB – 7782 KB = 410 KB

• Allowed log file size: 410 KB * 0.90 = 369 KB

The log file is immediately transferred to a remote host the next time alog message is generated. Logging to the PCMCIA card also stops, andsystem logging is continued in DRAM on the CPU.

The calculated allowed log file size (369 KB) is below the set minsizeparameter (500 KB). In this scenario, the system transfers the log when itchecks the available space on the PCMCIA card before writing the next logmessage. Because the calculated free space available on the PCMCIAcard (410 KB) is below the set minsize, no new messages are saved to thePCMCIA card until more space is available to SMP on the PCMCIA card.


NN46205-703 03.02 12 April 2010


.

61.

Common error log messagesThe following table describes the most frequently seen error log messageson the Ethernet Routing Switch 8600, and the associated remedial action.

Table 7Common error log messages

Name Description Remedial Action

rarSetIeeeVlanRL:Counter Allocation Failed

The usage of counterallocation for rate limitingimplementation has beenexceeded.

Ensure the rate limiting appliedon those ports does not exceedthe available counter allocation(x [ 256) The number of availableports and vlans where rate-limitingcan be applied is limited by 256available counter locations onthe switch. When this numberis exceeded, an error message"rarSetIeeeVlanRL:CounterAllocation Failed" appears andthe rate-limiting configured onthe ports fails. To calculate thenumber of counter allocations beingutilized, use the following formula:For port-based vlans: Count 1 foreach port with rate-limiting enabled.Example: 4 ports in vlan x = 4 * Forprotocol-based and ip-subnet-basedvlans: Count 2 for each port withrate-limiting enabled. Example: 6ports in vlan y = 12 The total of thiscalculation for all vlans on the switchmust not exceed 256.


NN46205-703 03.02 12 April 2010


.

62 Common error log messages


dpmMultConnectionPopFAILEDdpmCreateMultConnectionByMgid FAILEDdpmEvifAddPepBlockEvifNum FAILED

The error messagesare due to the 8600reaching the max limitof Pep streams. The8600 is unable to add aMulticast record to theR-module hardwarerecords because ofinsufficient pep streams.

Please focus on multicast trafficespecially the number of streams andreceivers. Use IGMP access liststo control the number of Multicaststreams. You do not see thismessage with Release 5.0 or greater.

Power Supply Up(PsId=1,OperStatus=3)Power Supply 1 upPower Supply Down(PsId=1,OperStatus=4)

Power supply failure. Check power supply. Remove andreseat the power supply.

Shutdown port 1/6 dueto excessive controlframes multicast 0,broadcast 11133 packetper second

The port is shut down dueto excessive broadcast ormulticast packets.

Investigate and remove the source ofthe broadcast storm. Reenable theport.

rarCheckConsistency:Record size 90 in hashbin 0x00002ff9 Nextthreshold 100rarCheckConsistency:Record size 80 in hashbin 0x00002ff9 Nextthreshold 90rarCheckConsistency:Record size 70 in hashbin

The message is expectedunder normal operatingconditions and it onlybecomes a cause forconcern if the Hashbins continue to growat a rapid rate over asustained period. If theHash bins do continue togrow, then it could be anissue with the network orswitches configuration,whereby you are learningmany ARP, MAC or routeentries.

If this message appears morethan once an hour, contact NortelTechnical Support.

Clock Recovery FailedReset tmux on slot 1

Clock recovery happenswhen the timing onthe backplane isresynchronized. Thismessage indicates thatthe clock synchronizationattempts failed on thetmux This error can occurand if severe enough, theSoftware takes necessaryactions to reset theappropriate ASICs, that is,SWIP (Switch Processor)or TapMux. In this case,

Check the SMP logs and see if thesemessages are occurring frequently.One or two occurrence of thesemessages doesn’t mean a hardwareissue. Also hwDumpAll can becollected to rule out any hardwareissues.


NN46205-703 03.02 12 April 2010


.



the clock synchronizationattempts failed on thetmux for slot1 and sothe tmux was reset. Thismeans that some internalcorrective actions wereproceeded by the softwarebecause errors werereported for a specifictmux. The tmux is thepart of the I/O module thatcommunicates with theswitch fabric, actually thisis the receiving multiplexeron the I/O module.

bfmTest: Total RecordMemory test failed

Backplane forwardingmemory test failed.

Reseat the module. If the errorreturns, replace the module.

smltRemote is False forthis mac

This message is not anerror message and it isnot service effecting. (CRQ01745278)

Ignore this message.

HwCheck: Fad CRRFailed, Reset swip.Total=3240HwCheck: Fad CRRFailed, Reset swip.Total=3239

The error is stating thatthe SWIP is being resetbecause CRR failedon the FAD, errors willbe logged and if theycontinue the switch willtake the card offline as theerrors can compromisethe traffic. The SWIP andFAD are located on CP/SFcard and it is the interfaceto the TMUXs on theI/O cards. The problemcould be on either end.hwDumps will give us abetter understanding ofwhere the errors are, butone sample is not enough.

If you see these message frequently,contact Nortel Technical Support.

SNMP INFO Cannotcommunicate with backupCPUSNMP INFO Communicationestablished with backupCPU

This message does notalways mean that thestandby/backup CPU isbad.

You will see these messages at bootup or upgrading the standby CPU, Ifthis message appears when you arenot performing routine maintenancecontact Nortel Technical Support.


NN46205-703 03.02 12 April 2010


.



HW ERROR rarCheckOneRecord: Inconsistencyat OpId=31 RecNum=00da4RecTyp=9 Word=N4Sys=0000068fAru=0000060f 0000060f0000060

The consistency checkon the octapid failedfor the record numbergiven above. Occasionalerrors are okay but if thefrequency of these errorsincreases, this is mostlikely a hardware issue.

Ignore message if service is notimpacted. The way to stop streamingerrors is to reseat (remove andreinsert) the module. If reseating themodule does not resolve the issueand service is still impacted, replacethe module.

sysSeepromGetInfo:crc failed for secondtime on device 20, calc:5241 dev: 0sysSeepromGetInfo:crc failed on device 20,calc: 5241 dev: 0

Device 20 is a powersupply. Some of thepower supplies come withun-programmed seeprom.This is the reason forthe error. The seeprommessage appears onlyonce during boot-timeand never re-appears.It should not cause anyoperational impact.

You can reprogram the power supplyfrom boot monitor mfg-diag. If youtake out the power supply, you canobtain all information required toprogram it on the power supplysticker.Procedure to reprogram PS:-- Beforeperforming the following steps,please remove the PS and note theinformation on the sticker. Also makea note of the chassis informationlike base MAC address. Keep themhandy before performing the followingsteps. Boot the switch to get to themonitor mode loaded

boot configuration from file/flash/boot.cfgPress to stop auto-boot... 3monitor# privEntering privilege commandmodemonitor# mfg-diag*monitor/mfg-diag# writeEnter readYou will be able to see the devicewhich is not programmed properly.In this example, the device is 20(Determine how many power suppliesyou have. Power supply starts from20,21,22. 20 being the first one, 21the middle and 22 is for the thirdslot.)

Enter writeThe switch prompts for a device IDEnter i2c device id (0-30)[0]: 20


NN46205-703 03.02 12 April 2010


.



Type the device number which is notprogrammed properly.The switch prompts for theinformation about the device.

Enter Card Type (in hex)[0x0]: 0x10900000 ?Hit Enter to keep the original valueDescription (string max len32) []: 8001 690W 110/220V ACPower Supply ?Enter a new descriptionSerial number (string max len16) []: ?Enter the value from the sticker onthe Power Supply

Hw Version (string max len 16)[]: ?

Enter the value from the sticker onthe Power Supply

Part Number (string max len16) []: 202067 ?Enter a new Part NumberDate Code (string max len 16)[]: ?

Hit Enter to keep the original valueDeviations (string max len 16)[]: ?

Hit Enter to keep the original value

After entering the above information,the switch prompts you to confirmthe information. Enter y Is thiscorrect (y/n) ? y

Enter save to save this informationand enter boot to reset the switch:*monitor/mfg-diag# save*monitor/mfg-diag# boot


NN46205-703 03.02 12 April 2010


.



key exchange failedno matching cipherfound: client aes256-cbc,rijndael256-cbc,[email protected],aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,3des-cbc,blowfish-cbcserver

SSH authentication failed.No cipher found.

Verify the SSH client settings andensure that they match the settings in8600.

HW INFO System activityperformed

This is a generic messageindicating an activity hasbeen performed. In manycases the message isfollowed by the activityperformed, such as STPchange, routing change,and user logon.

The message is information only. Noaction required

HW ERROR FAD Mis-Aligndetected, SWIP ResetStatus=8. Total=4

FAD Errors: The FabricAccess Device (FAD) isa module in the SSF thatparticipates in sendingpackets to the Backplane.This is ASIC on SSF thatcontrols access to I/Omodules or backplane.The Switch Processor(SWIP) is the processorthat controls the SSFand FADs. The errormessage indicates thatthe Hardware or Softwarehas determined thatthere exists a data error(Mis-Alignment) from I/Oto SSF. Each I/O moduleis connected through ahigh-speed back planebus to a Switch Fabric onthe CPU SF module. Allingress and egress traffic,even if it is containedon the same I/O moduleport, passes across thehigh-speed back planebus through the SwitchFabric. To guard againstdata bit errors, the CPU

If you see this message frequently,contact Nortel Technical Support.


NN46205-703 03.02 12 April 2010


.



software continuouslymonitors the data integritybetween I/O modules andCPU Switch Fabric. If ananomaly/error is detected,it could propagate a dataerror into the SwitchFabric, which couldcompromise the integrityof the egress traffic.

CPU6 [01/16/0817:36:07] HW ERRORbfmTest:FailedRegister Test Octapid31 on slot 4CPU6 [01/16/0817:36:07] HW INFOInitialization of cardfailed for Slot 4 !

The bfm refers to thebackplane forwardingmodule. It is on every I/Omodule and it connectsthe I/O module to thebackplane of the switch.The octapids and ASICsare the other half of an I/Omodule. Commonly the"bfm" will have randompacket tests runningbetween the OCTAPIDand the FADs, located onthe CPU. If the FAD andOCTAPID packets do notmatch, and this happenson five consecutive test,then an error is reported,usually with a " FADmisalignment reset SWIP".Also, the bfm will run arandom test between itand the OCTAPIDS andthis is where the failure isappearing.

Reseat the module. If the errorreturns, replace the module.

HW WARNING HwCheck:Fad CRR Failed, Resetswip. Total=6<000>

The Fabric Access Device(FAD) is a module in theSSF which participatesin sending packets tothe Backplane. This isASIC on SSF that controlsaccess to I/O modules orbackplane. The SwitchProcessor (SWIP) is theprocessor that controls theSSF and FADs. The errormessage indicates thatthe Hardware/Software

If you see this message frequently,contact Nortel Technical Support.


NN46205-703 03.02 12 April 2010


.



has determined thatthere exists a data error(Mis-Alignment) from I/Oto SSF. If enough of thesehappen, SWIP is resetto try and cure issue. Ifyou see a few of thesemessages, it is OK. Seelots, most probably causeis SSF on which you seethe messages. Apparentlywe’re seeing the errorson both SSFs. Each I/Omodule is connected viaa high-speed back planebus to a Switch Fabricon the CPU SF module.All ingress and egresstraffic, even if its containedon the same I/O moduleport, passes across thehigh-speed back planebus through the SwitchFabric. To guard againstdata bit errors, the CPUsoftware continuouslymonitors the data integritybetween I/O modules andCPU Switch Fab

8600 4.1.4 COP SWercdProcIpRecMsg:Failed to Delete IPRecord

R module coprocessorfailed to delete IP record.

Fix for COP SW "failed to deleteip record" now fixed in Release4.1.6.2..Please update to Release4.1.6.2 or later.

rcdIndexReadEntry:The RSP 0 is not upercdGetLaneEqStats:Failed to read EQ statsfor lane 0rcdWriteRsp: The RSP 0is not upercdWriteEgressMgidTable: rcdWriteRsp ofMGID record failedrcdWriteRsp: The RSP 0is not upercdEgressPortRecUpdate:rcdIndexWriteEntry()

The RSP (Route SwitchProcessor) is not up. FoeLane 0, the Co=Processorfailed to read the EgressQueue stats. Writing therecord to the RSP memoryfailed.

Contact Nortel Technical Support.


NN46205-703 03.02 12 April 2010


.



Failed to Update PortrecordrcdWriteRsp: The RSP 0is not upmsgControl: messagesstarting with ’rcdI’suppressed.

Code=0x3d0004chCardIn: can’tinitialize a nonETICKET card inEnhanced operationalmodeCard taken off-line:Slot=1 Type= --dpmDoSlotState: resetslot 1 - SM handshakefail

An R-module is notrecognized correctly wheninserted with enhancedmode (EOM) enabled,and fails to come online(initially).CPU generates thismessage

The bootconfig flag control-record-optimization and enhanced operationalmode flag are legacy flags.In a chassis with all R-modules andR-mode enabled, you should set theflags to false or disabled:- Control-record-optimization(config bootconfig flagscontrol-record-optimization<false|true>)- Enhanced-operational-mode(EOM) (config sys set flagsenhanced-operational-mode<false|true>).

Initializing 8691SF inslot #5 ...Swip Address Line testfailed for Slot 5SWIP SRAM Address Testin slot 5 FAILED initcardInitModule:Rebooting because mySF in slot 5 FAILED init

CPU failed to boot. Reseat the SF/CPU.

CPU6 [03/13/0804:17:16] SW INFOmsgControl: messagesstarting with ’smlt’suppressed. CPU6[03/13/08 04:17:16]MLT INFO smltRemote isFalse for this mac.

SMLT informationalmessage from CPU.

Use the following commands tosuppress the messages.sys set msg-control control-interval30sys set msg-control max-msg-num 2sys set msg-control enablesys set msg-control force-msg addsmltIf you are still seeing these messagesyou will need to suppress themessages on each switch.


NN46205-703 03.02 12 April 2010


.



10:54:40] HW WARNINGopCheckGigOctaPid:Octapid Reset OpId= 8 CPU5 [01/11/0810:54:30] SNMP INFOLink Up(2/1) [01/11/0807:40:49] The previousmessage repeated8 time(s). CPU5[01/09/08 11:41:00]HW INFO System activityperformed

Port 2/1 connects tooctapid 8 and the octapidis reset during the test.

Replace the card if this errormessage is reported.

HwCheck: ClockRecovery Failed Resettmux on slot 2

Clock drift has causedbit misalignment on thebackplane trap to slot 2so the tapmux was resetand sync with the CPUmodule.

If the message only appears once,there is no need for concern. If yousee 3 or more messages a daycontact Nortel Technical Support.

Continuous fad historyerrors, Reset swip.Total=x

A certain amount(normally less than 10)of errors in a very shortperiod of time have beennoticed on TMUX (andglobally logged as history)like clock recovery orTMUX lockup.

If these messages appear frequently,contact Nortel Technical Support.

Continuous tmux historyerror, Reset tmux onslot y

A certain amount(normally less than 10)of errors in a very shortperiod of time have beennoticed on TMUX (andglobally logged as history)like clock recovery orTMUX lockup.

If these messages appear frequently,contact Nortel Technical Support.


NN46205-703 03.02 12 April 2010


.

71.

Hardware troubleshootingThe following sections provide troubleshooting information for some of themore common problems you may encounter with the Ethernet RoutingSwitch 8600 chassis.

Navigation• “LED indications of problems” (page 71)

• “Apparent module failure” (page 72)

• “Failure to get a logon prompt from the Console port” (page 73)

• “Cable connection problems” (page 74)

LED indications of problemsThe following table lists possible problems indicated by the LEDs onEthernet Routing Switch 8600 modules and suggests corrective action.

Table 8LED problem indicators

Symptom Probable cause Corrective action

Green AC power supplyLEDs are off.

The switch is not receivingAC power or the powersupply has failed.

Verify that each AC power cord isfastened securely at both ends andthat power is available at each ACpower outlet. Plug in a device such asa lamp to ensure that the power outletis operational. Verify that each powersupply is turned on.

The Link/Activity LED fora connected port is offor does not blink (andyou believe that traffic ispresent).

The switch is experiencinga port connection problem,or the link partner is notautonegotiating properly.

Verify that the cable connections tothe link partner are correct. Verifyport configuration parameters for bothends of the connection. Move thecable to another port to see whetherthe problem occurs on the new port.


NN46205-703 03.02 12 April 2010


.

72 Hardware troubleshooting

Table 8LED problem indicators (cont’d.)

Symptom Probable cause Corrective action

The Link/Activity LED blinkscontinuously.

There may be a high trafficload or possible packetbroadcast storm.

Verify port configuration parametersfor both ends of the connection.

The Online LED is steadyamber for longer than 3minutes.

Software incompatibilityexists, or the modulecannot communicate withthe master module over thebackplane.

Use the show log command tocheck the system log for indicationsof communication problems. Use theboot command to download a newsoftware image.

The Master LED on amodule in slot 1 or slot 2 isamber.

The module has detecteda system clock generationfailure on its own circuitry.

Replace the module; make sure that itis in the correct slot.

This LED has significance only for themodule in slot 1 or slot 2 that providesthe clock function for the switch.

The Fault LED is blinkingamber.

A chassis failure has beendetected.

From the console managementstation, use the show log commandto check the system log forinformation about hardware failures.

Check the fan tray to make sure bothfans are running.

Check the switch power supplies; onemay have stopped functioning.

The module may have failed to readthe MAC address from the chassisbackplane. If this is the case, arrangeto replace the chassis.

The Fault LED is steadyamber.

The module failed itspower-on self-test. Adiagnostic or hardwarefailure has been detected.

Replace the module.

No LEDs are lit. A hardware failure hasbeen detected.

Turn the switch power off and thenturn it on again.

Apparent module failureIf a module failure occurs, check for possible backplane connectionproblems. Ensure that the module is correctly seated in the backplaneconnector and that the retaining screws are securely tightened.


NN46205-703 03.02 12 April 2010


.

Failure to get a logon prompt from the Console port 73

If a module fails during module initialization and the replacement module isthe same module type, in rare cases, the new module may not initialize.

To work around this issue, follow the steps in either workaround 1 or 2.

Troubleshooting module failure: workaround 1Procedure steps

Step Action

1 Remove the faulty module.

2 Insert a module type that is different from the module typeremoved in Step 1 and wait for this replacement module toinitialize.

3 Remove the module inserted in Step 2.

4 Insert a new module model in the same slot as the faulty moduleresided. This new module model must be identical to the modulemodel removed in Step 1.

--End--

Troubleshooting module failure: workaround 2Procedure steps

Step Action

1 Remove the faulty module.

2 Insert a new module.

3 Reboot the chassis.

--End--

If the module still fails to operate, contact the Nortel Technical SolutionsCenter for assistance.

Failure to get a logon prompt from the Console port

Step Action

1 If you connect a terminal to the console port of the 8692 or 8895SF/CPU module and you fail to get a logon prompt, the port mayhave an incorrect DCE/DTE setting. Try moving the DCE/DTEswitch from its current setting to the other position. See thefollowing figure.


NN46205-703 03.02 12 April 2010


.


2 Ensure that your terminal program has the appropriate settingsconfigured and that your cable is wired properly. For moreinformation, see Nortel Ethernet Routing Switch 8600 Installation— Modules (NN46205-304).

3 If the console screen still fails to show a prompt, use EnterpriseDevice Manager to check the port settings. In the Device view,select the Console port, and then choose Configuration, Edit,Serial Port.

Check to see that the port settings are 9600 baud and 8 databits. If necessary, change the port settings to match.

--End--

Cable connection problemsPort connection problems are usually traced to a poor cable connection orto an improper connection of the port cables at either end of the link. Toremedy such problems, make sure that the cable connections are secureand that the cables are connected to the correct ports at both ends of thelink. If you are using homemade cables, ensure that the cables are wiredcorrectly.

10BASE-T cablesCabling for 10BASE-T networks can consist of two-pair Category 3, 4, or5 unshielded twisted pair (UTP) wiring. However, to prepare for futureupgrades to Fast Ethernet, Nortel strongly recommends that you use allCategory 5 cable in your network.

Ethernet 10BASE-T network installations use cables consisting of twopairs of twisted pair wires—one pair to send data and one to receive data.These wires must connect to another 10BASE-T station that has thesending pair attached to its receiving pair and vice versa. If the two nodesare wired alike, they both attempt to send data out on the same RJ-45pins. In such a case, a straight-through cable does not work. However, acrossover cable operates normally.


NN46205-703 03.02 12 April 2010


.

Troubleshooting flash or PCMCIA cards 75

100BASE-T and 1000BASE-T cablesThe 100 Mbit/s ports and 1 Gbit/s ports are designed to operate usingCategory 5 UTP cabling only. Category 5 UTP cable is a two-pair cable.To minimize crosstalk noise, maintain the twist ratio of the cable up to thepoint of termination; untwist at any termination cannot exceed 0.5 in. (1.27cm).

SFP, XFP, and GBIC cablesCables for the optical transceivers vary depending on the specific devicetype. For information about the cable requirements for SFPs, XFPs, andGBICs, see Nortel Ethernet Routing Switch 8600 Installation — SFPs,XFPs, GBICs, and OADM Hardware Components (NN46205-320).

Troubleshooting flash or PCMCIA cardsFor an external flash or PCMCIA card, the most common source of errorsis physically removing the card before it is synchronized. Do not removethe external compact flash or the PCMCIA before it is synchronized. Toguarantee the external memory is in a consistent state before you removeit, use one of the following commands.

• pcmcia-stop (on 8692 SF/CPU)

• dos-stop /pcmcia (on 8895 SF/CPU)

Be sure to back up all configurations, as all files are lost if the card iscorrupted.

To troubleshoot the onboard flash device, or the external flash or PCMCIAdevices, use the following procedure.

Step Action

1 To verify the format of the file system on a flash or PCMCIAdevice, you can use the following command:

dos-chkdsk <device>

2 To attempt to correct any format errors on the device, you canuse the same command with the repair option. Note that thiscommand erases any data on the device.

dos-chkdsk <device> repair

This may or may not be correct the problem.

3 If the repair is not successful, you can reformat the device withthe following command. Note that this command erases any dataon the device.


NN46205-703 03.02 12 April 2010


.


dos-format <device>

--End--

Variable Value

<device> Specifies the device name:• /flash: onboard flash memory

• /pcmcia: external PCMCIA (8692 SF/CPU)or compact flash (8895 SF/CPU) memory


NN46205-703 03.02 12 April 2010


.

77.

Software troubleshootingThis section contains general troubleshooting tools for Ethernet RoutingSwitch 8600 software.

Navigation• “Enterprise Device Manager (EDM) troubleshooting” (page 77)

• “Switch failure to read configuration file” (page 77)

• “No Enterprise Device Manager access to a switch” (page 78)

• “How to stop ICMP redirects from causing high CPU utilization” (page78)

Enterprise Device Manager (EDM) troubleshootingIf you are experience difficulties with Enterprise Device Manager, collectthe following information for troubleshooting:

Procedure steps

Step Action

1 Define the problem symptoms, with configuration error, if viewed.

2 Obtain a screen capture of the error or issue.

3 Cross-reference against the CLI or NNCLI commands forconfiguration details.

--End--

Switch failure to read configuration fileThe switch can fail to read and load a saved configuration file when itboots. This situation occurs if the factorydefaults bootconfig flag is set totrue.


NN46205-703 03.02 12 April 2010


.

78 Software troubleshooting

Procedure steps

Step Action

1 In the runtime CLI, set the flag to false using the followingcommand:

config bootconfig flags factorydefaults false

2 In the boot monitor CLI, set the flag to false using the followingcommand:

flags factorydefaults false

3 In the NNCLI, set the flag to false using the following command:

no boot config flags factorydefaults

--End--

No Enterprise Device Manager access to a switchIf the switch and the PC running the Web browser are in the samenetwork, you may find that even though other applications (such asTelnet) can access a particular switch, the Enterprise Device Managercannot. This situation can occur if the Web browser has a proxy serverthat resolves the www path and returns the reachable IP address to thebrowser. If there is no route from the proxy server to the switch, the httpquery does not reach the switch, and there is no response.

To prevent this problem, make sure that if your Web browser uses a proxyserver, a route is specified from the proxy server to the switch.

How to stop ICMP redirects from causing high CPU utilizationIf the switch experiences CPU utilization up to 100% due to processingof redirects at a rate of over 500 per second, there are multiple potentialcauses, depending on your network topology:

• Hosts can send packets to the 8600 VLAN destined for networksbeyond the same VLAN firewalls and routers.

• Hosts, servers, routers, firewalls, and the 8600 VLAN can all be on thesame VLAN in a legacy network design.

• Hosts and servers can constantly send packets to networks beyondfirewalls and gateways.

• Hosts and servers can use the 8600 VLAN address as their defaultgateway.

In all the above cases, each packet reaching the 8600 destined for othernetworks causes an ICMP redirect, which must be processed by the CPU.


NN46205-703 03.02 12 April 2010


.

How to stop ICMP redirects from causing high CPU utilization 79

ResolutionTo resolve this issue, enable ICMP redirect. With ICMP redirect enabled,the 8600 switch sends redirect messages to any host sending packetsto other networks. The redirect message includes the destination hostaddress and its proper next-hop router.

Step Action

1 Enable ICMP redirect:

icmp-redirect-msg enable (CLI)

OR

ip icmp redirect (NNCLI Global Configuration mode)

--End--


NN46205-703 03.02 12 April 2010


.

80 Software troubleshooting


NN46205-703 03.02 12 April 2010


.

81.

Software troubleshooting toolconfiguration using Enterprise DeviceManager

Use the procedures in this section to help you use Ethernet Routing Switch8600 troubleshooting tools.

Navigation• “Flushing routing tables by VLAN” (page 82)

• “Flushing routing tables by port” (page 82)

• “Configuring port mirroring” (page 83)

• “Configuring ACLs for mirroring” (page 84)

• “Configuring ACEs for mirroring” (page 86)

• “Example of configuring port mirroring on an R module” (page 89)

• “Configuring remote mirroring” (page 93)

• “Configuring PCAP globally” (page 94)

• “Configuring PCAP on a port” (page 95)

• “Configuring PCAP filters” (page 96)

• “Configuring advanced PCAP filters” (page 98)

• “Configuring VLAN MAC filters for PCAP” (page 100)

• “Testing the switch fabric and address resolution table” (page 101)

• “Viewing address resolution table statistics” (page 102)

• “Running a ping test” (page 103)

• “Viewing ping probe history” (page 106)

• “Viewing ping results” (page 106)

• “Running a traceroute test” (page 107)

• “Viewing traceroute results” (page 110)


NN46205-703 03.02 12 April 2010


.

82 Software troubleshooting tool configuration using Enterprise Device Manager

• “Viewing the traceroute history” (page 111)

• “Performing an external loopback test” (page 112)

• “Performing an internal loopback test” (page 114)

• “Configuring Ping Snoop for R series modules” (page 114)

Flushing routing tables by VLANFor administrative and troubleshooting purposes, sometimes you mustflush the routing tables. You can use Enterprise Device Manager to flushthe routing tables by VLAN or flush them by port. Perform this procedureto flush the IP routing table for a VLAN.

Procedure steps

Step Action

1 In the navigation tree, open the following folders Configuration,VLAN.

2 Double-clickVLANs.

3 Click the Advanced tab.

4 In the Vlan Operation Action box for the VLAN you want toflush, double-click, and then select a flush option from the list.

In a VLAN context, all entries associated with the VLAN areflushed. You can also flush the ARP entries and IP routes for theVLAN.

5 Click Apply.

--End--

Flushing routing tables by portFor administrative and troubleshooting purposes, sometimes you mustflush the routing tables. You can use Enterprise Device Manager to flushthe routing tables by VLAN or flush them by port. Use this procedure toflush the IP routing table for a port.

Procedure steps

Step Action

1 In the Device Physical View tab, select a port.

2 In the navigation tree, open the following folders Configuration,Edit, Port.

3 Double-clickGeneral.


NN46205-703 03.02 12 April 2010


.

Configuring port mirroring 83

4 In the Action section, select flushAll.

In a port context, all entries associated with the port are flushed.You can flush the ARP entries and IP routes for a port. After youflush a routing table, it is not automatically repopulated. Therepopulation time delay depends on the routing protocols in use.

5 Click Apply.

--End--

Configuring port mirroringUse port mirroring to aid in diagnostic and security operations.

Connect the sniffer (or other traffic analyzer) to the output port you specifywith the MirroringPort parameter.

To change a port mirroring configuration, first disable mirroring.

Procedure steps

Step Action

1 In the navigation tree, open the following folders Configuration,Edit, Diagnostics.


3 Click the Port Mirrors tab.

4 Click Insert.

5 Use the following variable definitions tables to configure mirroringas required.

6 To enable port mirroring for the instance, select Enable.

7 Click Insert.

--End--

Variable definitionsUse the information in the following table to help you use the Port Mirrorstab.

Variable Value

Id Specifies an assigned identifier for theconfigured port mirroring instance.

MirroredPortList Specifies the port or ports to be mirrored (thesource ports).


NN46205-703 03.02 12 April 2010


.


Variable Value

MirroringPortList Specifies the destination port or ports (the portsto which the mirrored packets are forwarded).Used to configure the mirroring ports.

Mode Specifies the traffic direction of the packet beingmirrored:• tx mirrors egress packets.

• rx mirrors ingress packets.

• both mirrors both egress and ingress packets.

• rxFilter mirrors and filters ingress packets.

• txFilter mirrors and filters egress packets.

• bothFilter mirrors and filters both egress andingress packets.

If you use the rx option with an R series module,you must use an ACL-based filter.

Enable Enables or disables this port mirroring instance.The default value is Enable.

RemoteMirrorVlanId Specifies the virtual local area network (VLAN)ID to which mirrored packets must be send forremote mirroring. If set, this VLAN ID is used inthe mirror tag of the remote mirrored packet.

MirroringVlanId Specifies the destination VLAN ID.

MirroringMltId Specifies the destination multilink trunk ID.

Configuring ACLs for mirroringUse the ACL global action of mirroring to mirror packets for any ACE thatmatches a particular packet.

Prerequisites

• The ACT exists.

• The ACT is applied.

• The ACL exists.

Procedure steps

Step Action

1 In the navigation tree, open the following folders Configuration,Security, Data Path.

2 Double-clickACL Filters.

3 Click the ACL tab.


NN46205-703 03.02 12 April 2010


.

Configuring ACLs for mirroring 85

4 In the GlobalAction column, double-click a row and configurethe desired mirror option.

5 Click Apply.

6 For R modules in Tx modes, choose Edit, Diagnostics,General, Port Mirrors, and configure the mirroring ports.

OR

For RS or R modules in Rx mode: specify mirroring ports in theACE Debug tab. On the ACL tab, select an ACL, click ACE,select an ACE, then click Action/Debug.

--End--

Variable definitionsUse the information in the following table to help you configure portmirroring using ACLs.

Variable Value

AclId Specifies a unique identifier for the ACL from1 to 4096.

ActId Specifies a unique identifier for the ACT entryfrom 1 to 4096.

Type Specifies whether the ACL is VLAN orport-based. Valid options are:

• inVlan

• outVlan

• inPort

• outPort

ATTENTIONThe inVlan and outVlan ACLs drop packetsif you add a VLAN after ACE creation. ForVLAN-based filters, ensure the ACE uses Rmodule slots, irrespective of the VLAN portmembership on a slot.

Name Specifies a descriptive, user-defined name forthe ACL.

VlanList For inVlan and outVlan ACL types, specifies allVLANs associated with the ACL.

PortList For inPort and outPort ACL types, specifies theports associated with the ACL.


NN46205-703 03.02 12 April 2010


.


Variable Value

DefaultAction Specifies the action taken when none of theACEs in the ACL match. Valid options are denyand permit, with permit as the default. Denymeans packets are dropped; permit meanspackets are forwarded.

GlobalAction Indicates the action applied to all ACEs thatmatch in an ACL. Valid options are:

• none

• mirror

• count

• mirror-count

• count-ipfix

• ipfix

• mirror-count-ipfix

• mirror-ipfix

If you enable mirroring, ensure that you specifythe source and destination mirroring ports:

• For R modules in Tx modes: specify portsin the Edit, Diagnostics, Port Mirrors tab

• For RS or R modules in Rx modes: specifyports in the ACE Debug tab

State Enables or disables all of the ACEs in the ACL.The default value is enable.

PktType Specifies IPv4 or IPv6.

AceListSize Indicates the number of ACEs in a particularACL.

Configuring ACEs for mirroringUse an ACE to define the mirroring actions the filter performs.

Prerequisites

• The ACL exists.

• The ACE exists.


NN46205-703 03.02 12 April 2010


.

Configuring ACEs for mirroring 87

Procedure steps

Step Action

1 In the navigation tree, open the following folders Configuration,Security, Data Path.



4 Select the ACL for which to modify an ACE.

5 Click ACE.

6 Select an ACE and click Action/Debug.

7 In Flags, select mirror.

CAUTIONRisk of packet lossIf not absolutely necessary, Nortel recommendsthat you do not select copyToPrimaryCpor copyToSecondaryCp. Selecting thecopyToPrimaryCp parameter causes packetsto be sent to the CP, which can overwhelm it. Youcan use PCAP, the Packet Capture Tool, rather thanselecting the parameter copyToPrimaryCp.

8 For R and RS modules in Rx mode : configure one of:DstPortList, DstVlanId, or DstMltId.

OR

For R modules in Tx mode: configure the Edit, Diagnostics,Port Mirrors tab.

--End--

Variable definitionsUse the information in the following table to help you configure ACEs.

Variable Value

AceId Specifies a unique identifier and priority for theACE.

AclId Specifies the ACL ID.

Name Specifies a descriptive, user-defined name for theACE. The system automatically assigns a name ifone is not chosen.

AdminState Indicates whether the ACE is enabled. An ACE canonly be modified if it is disabled.


NN46205-703 03.02 12 April 2010


.


Variable Value

OperState The current operational state of the ACE.

Mode Indicates the operating mode associated with thisACE. Valid options are deny and permit, with denyas the default.

MltIndex Specifies whether to override the MLT-index pickedby the MLT algorithm when a packet is sent out onMLT ports. Valid values range from 0 to 8, with 0as the default.MLT index is not supported for multicast traffic, butfor unicast traffic only.

RemarkDscp Specifies whether the DSCP parameter marksnonstandard traffic classes and local-use Per-HopBehavior (PHB). The default is disable.

RemarkDot1Priority Specifies whether Dot1 Priority, as described byLayer 2 standards (802.1Q and 802.1p), is enabled.The default is disable.

Police Specifies the policer. Valid values range from 0 to16383, with zero (0) as the default. When policingis not desired, set the value to zero.Configure a policer using the QoS, Policy tab.

RedirectNextHop Redirects matching IP traffic to the next hop.

RedirectUnreach Configures the desired behavior for redirectedtraffic when the specified next-hop is not reachable.The default value is deny.

EgressQueue Specifies a 10/100/1000 Mbit/s module egressqueue to which to send matching packets.

If you specify a value greater than 8, it is notapplied to 10/100/1000 Mbit/s module becausethis module supports only 8 queues. However,the value is applied to the 1 Gbit/s and 10 Gbit/smodule types. The default value is 64.

EgressQueue1g Specifies a 1 Gbit/s module egress queue to whichto send matching packets. The default value is 64.

EgressQueue10g Specifies a 10 Gbit/s module egress queue towhich to send matching packets. The default valueis 64.

EgressQueueNNSC Identifies the configured ACE NNSC. The default isdisable.


NN46205-703 03.02 12 April 2010


.

Example of configuring port mirroring on an R module 89

Variable Value

StopOnMatch Enables or disables the stop-on-match option. Thisoption specifies whether to stop or continue whenan ACE that matches the packet is found. Whenthis ACE matches, a match on other ACEs withlower priority is not attempted.

Flags Specifies one of the following flag values:

• none—No action (default value).

• count—Enables or disables counting if a packetthat matches the ACE is found.

• copyToPrimaryCp—Enables or disables thecopying of matching packets to the primary CP.

• copyToSecondaryCp—Enables or disables thecopying of matching packets to the secondaryCP.

• mirror—Enables or disables the mirroring ofmatching packets to an interface.

If you enable mirroring, ensure that you configurethe appropriate parameters:

• For R and RS modules in Rx mode: DstPortList,DstVlanId, or DstMltId.

• For R modules in Tx mode: configure the Edit,Diagnostics, Port Mirrors tab.

DstPortList Specifies the ports to which to mirror traffic.

DstVlanId Specifies the VLAN to which to mirror traffic.

DstMltId Specifies the Multilink Trunking (MLT) group towhich to mirror traffic.

IpfixState Specifies whether IPFIX is enabled or disabled.

RedirectNextHopIpv6 Redirects matching IPv6 traffic to the next hop.

Example of configuring port mirroring on an R moduleThis example accomplishes the following:

• enables port mirroring on any port for VLAN 220

• uses port 3/48 as the monitoring port

• sets up an access control list (ACL) so that only TransmissionControl Protocol (TCP) traffic with a range from port 20 to 500 andInternet Control Message Protocol (ICMP) frames are mirrored to themonitoring port


NN46205-703 03.02 12 April 2010


.


To create the ACT, perform this procedure.

Procedure steps

Step Action

1 From the Enterprise Device Manager menu bar, chooseSecurity, Data Path, ACL Filters.

2 On the ACT tab, click Insert.

3 In Actid, type 2.

4 In Name, type ACT-2.

5 From the IpAttrs box, select ipProtoType.

6 From the ProtocolAttrs options, select tcpDstPort.

7 Click Insert.

8 In the ACT tab of the ACL dialog box, double-click the Applycolumn entry for ACT-2, and then click true.

9 Click Apply.

--End--

To create ACL 1, which associates with ACT 2, perform this procedure.

Procedure steps

Step Action


2 Click Insert.

3 In AclId, type 1.

4 In ActId, select ACT-2.

5 In Name, type ACL-1.

6 From the Type options, select inVlan.

7 Click Insert.

--End--

To configure ACE 1 with flag mirror and mode permit, perform thisprocedure.

Procedure steps


NN46205-703 03.02 12 April 2010


.

Example of configuring port mirroring on an R module 91

Step Action

1 On the ACL tab, select AclId 1.

2 Click ACE.

3 Click Insert.

4 In AceId, type 1.

5 In Name, type icmp.

6 From the Mode options, select permit.

7 From the Flags options, select mirror.

8 Click Insert.

9 Select AceId 1.

10 Click IP.

11 Click the Protocol tab.

12 Click Insert.

13 From the Oper options, select eq.

14 In List, type icmp.

15 Click Insert.

16 Double-click the AdminState for ACE 1, and then select enable.

17 Click Apply.

--End--

To configure ACE 2 with action mirror and mode permit, perform thisprocedure.

Procedure steps

Step Action

1 In the ACE, ACL 1, ACE Common tab, click Insert.

2 In AceId, type 2.

3 In Name, type tcp_range.


5 From the Flags options, select mirror.

6 Click Insert

7 In the ACE, ACL 1, ACE Common tab, Select ACE 2.

8 Click IP.


NN46205-703 03.02 12 April 2010


.


9 Click the Protocol tab.

10 Click Insert.


12 In the List box, type tcp.

13 Click Insert.

14 Select ACE 2.

15 Click the Proto tab.

16 Click the TCP Destination Port tab.

17 Click Insert.


19 In Port, type 20-500.

20 Click Insert.

21 Double-click the AdminState for ACE 2.

22 Select enable.

23 Click Apply.

--End--

To configure port mirroring, perform this procedure.

Procedure steps

Step Action

1 From the Enterprise Device Manager menu bar, choose Edit ,Diagnostics, General.

2 Click Port Mirrors.

3 Click Insert.

4 In the ID box, type 1.

5 In MirroredPortList, type 3/25.

6 In MirroringPortList, type 3/48.

7 From the Mode options, select bothFilter.

8 Select Enable.

9 Click Insert.

--End--


NN46205-703 03.02 12 April 2010


.

Configuring remote mirroring 93

Configuring remote mirroringUse remote mirroring to monitor many ports from different switches usingone network probe device.

Procedure steps

Step Action

1 From the Device Physical View tab, select a port.



4 Click the Remote Mirroring tab.

5 To add an entry, click Insert.

6 Select Enable.

7 Choose the mode.

8 Type the source MAC address (optional).

9 Type the destination MAC address.

10 Select a VLAN from the list (optional).

11 Click Insert.

--End--

Variable definitionsUse the information in the following table to help you configure remotemirroring.

Variable Value

Index Specifies the port.

Enable Enables or disables remote mirroring on the port.When remote mirroring termination (RMT) isenabled, the following things occur:

• A static entry for the DstMac is added to theFDB. All packets that come with that remotemirroring dstmac are sent to the RMT port.

• The switch periodically (once in 10 seconds)transmits broadcast Layer 2 packets in allassociated VLANs so that all nodes in thenetwork can learn the DstMac address.

Mode Specifies whether the port is a RMT or a RMS.


NN46205-703 03.02 12 April 2010


.


Variable Value

SrcMac Specifies the source MAC address of the remotemirrored packet. The remote mirroring packet issent with this source MAC address.

DstMac Specifies the destination MAC address of theremote mirrored packet. Packets are bridged tothis MAC address. Remote mirroring packets aresent to this MAC address.

EtherType Specifies the Ethertype of the remote mirroredpacket. The default value is 0x8103. Packets aresent with this Ethertype.

VlanIdList If the port is a termination port, represents thefilter lists VLAN in which the destination MACaddress resides.

Configuring PCAP globallyUse the Packet Capture Tool (PCAP) to capture packets fortroubleshooting and security purposes. Configure PCAP globally to definehow PCAP operates on the Ethernet Routing Switch 8600.

Prerequisites

• The Secondary SF/CPU is installed and active.

• If saving to the external memory card, a PCMCIA card (or externalflash on the 8895 SF/CPU) is installed.

Procedure steps

Step Action


2 Double-click PCAP.

3 Configure PCAP as required.

4 Click Apply.

--End--

Variable definitionsUse the information in the following table to help you configure globalPCAP parameters.


NN46205-703 03.02 12 April 2010


.

Configuring PCAP on a port 95

Variable Value

Enable Enables or disables PCAP globally on the PCAPengine (Slave SF/CPU).

BufferWrap Enables buffer wrap-around when the buffer isfull. When enabled, PCAP continues to capturepackets, otherwise, packet capturing stops.

PcmciaWrap Enables overwriting the present file in thePCMCIA (or external flash) during autosave.

FrameSize Specifies the number of bytes of each packetthat are captured.

BufferSize Specifies the amount of memory allocated fordata.

AutoSave Saves data automatically when the buffer is full.

AutoSaveFileName Specifies the name of the file in which packetsare stored.

AutoSaveDevice Specifies the device used to store the capturedpackets. If the device is network, the user mustenter an IP address.

AutoSaveNetworkIpAddress Specifies the IP address of the remote hostwhere the data must be stored. This field is validonly if the device is network.

CopyFileName Specifies the file name to use when copying thePCAP file from the PCAP engine DRAM or aPCMCIA (or external flash) device to a remoteclient (user local machine).

Configuring PCAP on a portConfigure PCAP on a port so that the port supports PCAP, and to applyfilters to the captured data. You can apply IP- or Access Control List(ACL)-based filters.

Prerequisites

• If required, IP filters exist.

• If required, ACLs with a global action of mirror exist.

Procedure steps

Step Action

1 From the Device Physical View tab, select a port.




NN46205-703 03.02 12 April 2010


.


4 Click the PCAP tab.

5 Select Enable.

6 Choose the PCAP mode.

7 As required, select a filter set and ACL.

8 Click Apply.

--End--

Variable definitionsUse the information in the following table to help you configure port PCAPparameters.

Variable Value

Enable Enables or disables PCAP on the port.

Mode Sets the PCAP mode (tx, rx, both, rxFilter, txFilter,bothFilter). When PCAP is enabled in rxFiltermode, only ingress packets which match the filtercriteria are captured. The default is rx mode.

FilterListSize Indicates zero or more filter lists associated withthis port for PCAP

FilterSet Applies an IP filter set (Global or SourceDestination) to the port.

AclFilterListSize Indicates the number of ACL filters assigned tothis port. The ACLs must have a global-action ofmirror.

AclFilterList Indicate zero or more ACL filter lists associatedwith this port for PCAP. The ACLs must have aglobal-action of mirror.

Configuring PCAP filtersUse filters to narrow the scope of the types of packets to capture. Usethese filters to match MAC and IP addresses, DSCP and p-bit markings,VLAN IDs, and protocol types.

Procedure steps

Step Action


2 Double-clickPCAP.

3 Click the PcapFilter tab.


NN46205-703 03.02 12 April 2010


.

Configuring PCAP filters 97

4 Click Insert.

5 Configure the filter as required.

6 Click Insert.

--End--

Variable definitionsUse the information in the following table to help you configure PCAP filterparameters.

Variable Value

Id Indicates the unique ID that represents the filter.

Enable Enables or disables the filter.

Action Specifies the action that occurs when the policymatches.

SrcMac Specifies the source MAC address to match.

SrcMacMask Specifies the source MAC address mask thatspecifies an address range.

IsInverseSrcMac Specifies the source MAC address inverse.When set, all MAC addresses other than the onespecified are matched.

DstMac Specifies the destination MAC address.

DstMacMask Specifies the destination MAC address mask thatspecifies an address range.

IsInverseDstMac Specifies the destination MAC address inverse.When set, all MAC addresses other than the onespecified are matched.

VlanId Specifies the VLAN ID of the packet to match.

ToVlanId Specifies the destination VLAN ID; used tospecify a range.

IsInverseVlanId Specifies the VLAN ID inverse. When set, allVLAN IDs other than the one specified arematched.

Pbit Specifies the 802.1p-bit of the packet to bematched.

ToPbit Specifies an 802.1p-bit range.

IsInversePbit Specifies the p-bit inverse. When set, all p-bitsother than the one specified are matched.

PbitMatchZero When selected, 0 is considered a valid p-bitvalue. Packets with a p-bit of 0 can be captured.Otherwise, 0 is considered a disable value.


NN46205-703 03.02 12 April 2010


.


Variable Value

EtherType Specifies the EtherType of the packet to match.

ToEtherType Specifies an EtherType range.

IsInverseEtherType Specifies the EtherType inverse. When set, allEtherTypes other than the one specified arematched.

SrcIp Specifies the source IP address of the packet tomatch.

ToSrcIp Specifies a source IP address range.

IsInverseSrcIp Specifies the source IP address inverse. Whenset, source IP addresses other than the onespecified are matched.

DstIp Specifies the destination IP address of the packetto match.

ToDstIp Specifies the destination IP address range.

IsInverseDstIp Specifies the Destination IP address inverse.When set, all addresses other than the onespecified are matched.

Dscp Specifies the DiffServ Codepoint (DSCP) of thepacket to match.

ToDscp Specifies a DSCP range.

IsInverseDscp Specifies the DSCP inverse. When set, allDSCPs other than the one specified arematched.

DscpMatchZero When set, 0 is considered a valid DSCP value.Packets with a DSCP of 0 can be captured.Otherwise, 0 is considered a disable value.

ProtocolType Specifies the protocol of the packet to match.

ToProtocolType Specifies a protocol type range.

IsInverseProtocolType Specifies the protocol type inverse. When set,all protocols other than the one specified arematched.

Configuring advanced PCAP filtersUse advanced filters to match UDP and TCP parameters, as well as tospecify user-defined parameters.


NN46205-703 03.02 12 April 2010


.

Configuring advanced PCAP filters 99

Procedure steps

Step Action


2 Double-clickPCAP.

3 Click the PcapAdvancedFilter tab.


5 Click Apply.

--End--

Variable definitionsUse the information in the following table to help you configure advancedPCAP filter parameters.

Variable Value

Id Specifies the unique ID that represents the filter.

UdpPort Specifies the UDP port of the packet to match.UdpPort can be one or a range of UDP portvalues.

ToUdpPort Specifies a range of UDP ports.

IsInverseUdpPort Indicates that all other values other than thespecified range of UDP ports are matched.

TcpPort Specifies the TCP port of the packet to match.

ToTcpPort Specifies a range of TCP ports.

IsInverseTcpPort Indicates that all other values other than thespecified range of TCP ports are matched.

UserDefinedData Specifies the user-defined data to match.

UserDefinedDataSize Specifies the length of user-defined data.

UserDefinedOffset Specifies the offset from which the match muststart.

IsInverseUserDefined Indicates that all data other than the specifieduser-defined data is matched.

Timer Specifies that PCAP is invoked when the firstpacket is matched and stopped after a setvalue of time. After starting the timer, the filteris disabled. This option is active only when theaction is set to trigger-on. The default value is 0.


NN46205-703 03.02 12 April 2010


.


Variable Value

PacketCount When set, PCAP stops after capturing thespecified value of packets. This is similar to therefresh-timer option; once this is invoked, thefilter is disabled. This option is active only whenthe action parameter is set to trigger-on. Todelete this option, set it to 0. The default valueis 0.

RefreshTimer When set, starts or resets the timer. If anotherpacket is not received within the specifiedtime, PCAP is disabled globally. This option isactive only when the action parameter is set to’trigger-on’. To delete this option, set it to 0. Thedefault value is 0.

Configuring VLAN MAC filters for PCAPUse PCAP with VLAN MAC address (forwarding database) filters to reducetraffic flow on the PCAP engine.

Prerequisites

• A VLAN exists.

• For more information about VLANs and MAC filters, see NortelEthernet Routing Switch 8600 Configuration — VLANs and SpanningTree (NN46205-517).

Procedure steps

Step Action

1 In the navigation tree, open the following folders Configuration,VLAN.

2 Double-clickVLANs.

3 Select a VLAN.

4 Click Bridge.

5 Click Filter.

6 Click Insert.


8 Select Pcap.

9 Click Insert.

--End--


NN46205-703 03.02 12 April 2010


.

Testing the switch fabric and address resolution table 101

Testing the switch fabric and address resolution tableYou can use the Diagnostics Test tab in Enterprise Device Manager toperform two tests. You can test the switch fabric and check the addressresolution (AR) table for consistency.

The fabric test causes the CPU to generate traffic and send it through theswitch fabric. The CPU generates little traffic.

The AR table test performs a consistency check on address resolutiontable entries.

Procedure steps

Step Action



3 To test the Address Resolution table, click AR Test.

The test runs; PassCount and FailCount are updated. Use theStop button to stop in-progress tests.

4 To test the switch fabric, click Fabric.

The test runs; PassCount and FailCount are updated. Use theStop button to stop in-progress tests.

--End--

Variable definitionsUse the information in the following table to understand the testparameters.

Variable Value

Result The result of the most recently run (or current) test: none,success, inProgress, notSupported, unAbleToRun, aborted,failed.

Code More specific information about the test result (for example,an error code after a failed test): none, NoReceive (timeouton a send), BadSeq (packets received out of sequence),BadLen (packet length mismatch), BadData (packet datamismatch)

PassCount The number of iterations of the test case that completedsuccessfully.

FailCount The number of iterations of the test case that failed.


NN46205-703 03.02 12 April 2010


.


Viewing address resolution table statisticsThe address resolution (AR) Stats tab shows statistics for the internalstate of the AR translation table. These statistics are debugging aids, andyou should use them only when consulting with Nortel support personnel.The statistic of most interest is the NoSpace counter, which indicates thenumber of entries the AR table could not add because of lack of space.

Procedure steps

Step Action



3 Click the AR Stats tab.

--End--

Variable definitionsUse the information in the following table to help you understand the ARtable statistics.

Variable Value

TblSize Specifies the size of the AR translation table.

Free Specifies the number of free entries available inthe AR translation table.

NoSpace Specifies the number of entries that were notadded to the AR translation table because of lackof space.

Added Specifies the number of entries added to the ARtranslation table.

Deleted Specifies the number of entries deleted from theAR translation table.

MacAdded Specifies the number of MAC entries added tothe AR translation table.

MacDeleted Specifies the number of MAC entries deletedfrom the AR translation table.

MacMoved Specifies the number of MAC entries moved inthe AR translation table.

IpAdded Specifies the number of IP entries added to theAR translation table.

IpDeleted Specifies the number of IP entries deleted fromthe AR translation table.


NN46205-703 03.02 12 April 2010


.

Running a ping test 103

Variable Value

McastTblSize Specifies the size of the Multicast AR translationtable.

FreeMcastGroups Specifies the number of free multicast groupsavailable in the AR table.

IpMcastAdded Specifies the number of IP multicast entriesadded to the AR table.

IpMcastDeleted Specifies the number of IP multicast entriesdeleted from the AR table.

VlanByPortAdded Specifies the number of VLAN by Port entriesadded to the AR table.

VlanByPortDeleted Specifies the number of VLAN by Port entriesdeleted from the AR table.

VlanByProtocolAdded Specifies the number of VLAN by Protocol Typeentries added to the AR table.

VlanByProtocolDeleted Specifies the number of VLAN by Protocol Typeentries deleted from the AR table.

VlanByIpSubnetAdded Specifies the number of VLAN by IP Subnetentries added to the AR table.

VlanByIpSubnetDeleted Specifies the number of VLAN by IP Subnetentries deleted from the AR table.

IpSubnetsAdded Specifies the number of IP Subnet entries addedto the AR table.

IpSubnetsDeleted Specifies the number of IP Subnet entriesdeleted from the AR table.

RsvpsAdded Specifies the number of Resource ReservationSetup Protocol (RSVP) entries added to the ARtable.

RsvpsDeleted Specifies the number of RSVP entries deletedfrom the AR table.

Running a ping testUse Ping to determine if an entity is reachable.

Several CLI and NNCLI Ping commands are available for MPLS. See“Running a ping test” (page 190) or “Running a ping test” (page 249).

Procedure steps

Step Action



NN46205-703 03.02 12 April 2010


.


2 Double-clickPing/Trace Route.

3 Click Insert.

4 In the OwnerIndex box, type the owner index.

5 In the TestName box, type the name of the test.

6 In the TargetAddress box, type the host IP address.

7 From the AdminStatus options, choose enabled or disabled.

8 In the remainder of the option boxes, type the desired values.

9 Click Insert.

10 Select an entry.

11 Click Start.

--End--

Variable definitionsUse the information in the following table to help you use Ping.

Variable Value

OwnerIndex Provides access control by a securityadministrator using the View-Based AccessControl Model (VACM) for tables in whichmultiple users may need to independently createor modify entries. This is a string of up to 32characters.

TestName Specifies the name of the Ping test.

TargetAddressType Specifies the type of host address to be used ata remote host to perform a ping operation.

TargetAddress Specifies the host address to be used at aremote host to perform a ping operation.

DataSize Specifies the size of the data portion (in octets)to be transmitted in a ping operation. The defaultis 16.

TimeOut Specifies the timeout value, in seconds, for aremote ping operation. The default is 3 s.

ProbeCount Specifies the number of times to perform a pingoperation at a remote host. The default is 1.

AdminStatus Specifies the state of the ping control entry:enabled or disabled.

DataFill Determines the data portion of a probe packet

Frequency Specifies the number of seconds to wait beforerepeating a ping test. The default is 0.


NN46205-703 03.02 12 April 2010


.


Variable Value

MaxRows Specifies the maximum number of entriesallowed in the PingProbeHistory table.

StorageType Specifies the storage type for this row.

TrapGeneration Specifies when to generate a notification. Theoptions are:

• ProbeFailure—Generates a PingProbeFailednotification subject to the value ofpingCtlTrapProbeFailureFilter. Theobject pingCtlTrapProbeFailureFilter can beused to specify the number of successiveprobe failures that are required before apingProbeFailed notification is generated.

• TestFailure—Generates a PingTestFailednotification. The object pingCtlTrapTestFailureFilter can be used to determine the numberof probe failures that signal when a test fails.

• TestCompletion—Generates aPingTestCompleted notification.

TrapProbeFailureFilter Specifies the number of successiveprobe failures that are required before apingProbeFailed notification is generated.

TrapTestFailureFilter Determines the number of probe failures thatsignal when a test fails.

Type Selects or reports the implementation methodused to calculate ping response time.

Descr Describes the remote ping test.

SourceAddressType Specifies the type of the source address used ata remote host when performing a ping operation.

SourceAddress Specifies the IP address (a.b.c.d) as the sourceaddress in outgoing probe packets.

IfIndex Setting this object to an interface’s ifIndex, priorto starting a remote ping operation, directs theping probes to be transmitted over the specifiedinterface.

ByPassRouteTable Enables (optionally) the bypassing of the routetable.

DSField Specifies the value to store in the DifferentiatedServices (DS) field in the IP packet used toencapsulate the ping probe.


NN46205-703 03.02 12 April 2010


.


Viewing ping probe historyYou can view the history of Ping tests performed by the switch.

Procedure steps

Step Action



3 Select a Ping entry.

4 Click Ping Probe History.

--End--

Variable definitionsUse the information in the following table to help you understand Pinghistorical data.

Variable Value

OwnerIndex Specifies the owner index.

TestName Indicates the name given to the test.

Index Specifies the index number.

Response Indicates the amount of time, measured inmilliseconds, between request (probe) andresponse, or when it timed out. Response isreported as 0 when it is not possible to transmita probe.

Status Indicates the status of the response; the result ofa particular probe done by a remote host.

LastRC Indicates the last implementation-method-specificreply code (RC) received. If ICMP Echo is used,then a successful probe ends when an ICMPresponse is received that contains the codeICMP_ECHOREPLY(0).

Time Indicates the timestamp for this probe result.

Viewing ping resultsYou can view performance-related data for Ping tests.


NN46205-703 03.02 12 April 2010


.

Running a traceroute test 107

Procedure steps

Step Action



3 Select a Ping test entry.

4 Click Ping Result.

--End--

Variable definitionsUse the information in the following table to help you understand Ping testresults.

Variable Value

OwnerIndex Specifies the Ping test owner.

TestName Specifies the test name.

OperStatus Indicates the operational status of the test. Thedefault is disabled.

IpTargetAddressType Specifies the IP address type of the target.

IpTargetAddress Specifies the IP address of the target.

MinRtt Specifies the minimum ping round-trip-time(RTT) received. A value of 0 means that no RTTis received.

MaxRtt Specifies the maximum ping RTT received. Avalue of 0 means that no RTT is received.

AverageRtt Specifies the current average ping RTT.

ProbeResponses Specifies the number of responses to probes.

SentProbes Specifies the number of sent probes.

RttSumOfSquares Specifies the sum of squares of RTT for allprobes received.

LastGoodProbe Specifies the date and time when the lastresponse is received for a probe.

Running a traceroute testUse traceroute to determine the route packets take through a network to adestination.


NN46205-703 03.02 12 April 2010


.


Several CLI and NNCLI traceroute commands are available for MPLS andIPX. See “Running a traceroute test” (page 193) or “Running a traceroutetest” (page 251).

Procedure steps

Step Action



3 Click the Trace Route Control tab.

4 Click Insert.

5 Configure the instance as required.

6 Click Insert.

7 Select an entry, and then click Start.

--End--

Variable definitionsUse the information in the following table to help you use the traceroutefunction.

Variable Value

OwnerIndex Provides access control by a securityadministrator using the View-Based AccessControl Model (VACM) for tables in whichmultiple users may need to independently createor modify entries.

TestName Specifies the name of the traceroute test.

TargetAddressType Specifies the type of host address to be used onthe Trace Route request at the remote host.

TargetAddress Specifies the host address used on thetraceroute request at the remote host.

ByPassRouteTable Enables bypassing of the route table. Ifenabled, the remote host bypasses the normalrouting tables and sends directly to a hoston an attached network. If the host is noton a directly-attached network, an error isreturned. This option can be used to perform thetraceroute operation to a local host through aninterface that has no route defined.


NN46205-703 03.02 12 April 2010


.


Variable Value

DataSize Specifies the size of the data portion of a TraceRoute request in octets. The default is 0.

TimeOut Specifies the timeout value, in seconds, for aTrace Route request. The default is 3.

ProbesPerHop Specifies the number of times to reissue a TraceRoute request with the same time-to-live (TTL)value. The default is 3.

Port Specifies the UDP port to which to send thetraceroute request to. Specify a port that is not inuse at the destination (target) host. The defaultis the IANA assigned port 33434.

MaxTtl Specifies the maximum time-to-live from 1 to255. The default is 30.

DSField Specifies the value to store in the DifferentiatedServices (DS) field in the IP packet used toencapsulate the Trace Route probe.

SourceAddressType Specifies the type of the source address to useat a remote host.

SourceAddress Uses the specified IP address (which must begiven as an IP number, not a hostname) as thesource address in outgoing probe packets.

IfIndex Directs the traceroute probes to be transmittedover the specified interface

MiscOptions Enables an application to specify implementation-dependent options.

MaxFailures Indicates the maximum number of consecutivetimeouts allowed before terminating a remoteTrace Route request. The default is 5.

DontFragment Enables setting of the do not fragment flag (DF)in the IP header for a probe.

InitialTtl Specifies the initial TTL value to use. The defaultis 1.

Frequency Specifies the number of seconds to wait beforerepeating a trace route test as defined by thevalue of the various objects in the correspondingrow. The default is 0.

StorageType Specifies the storage type for this row.

AdminStatus Specifies the desired state for TraceRouteCtlEntry. The options are enabled or disabled.

MaxRows Specifies the maximum number of entriesallowed in the TraceRouteProbeHistoryTable.


NN46205-703 03.02 12 April 2010


.


Variable Value

TrapGeneration Determines when to generate a notification forthis entry. The options are:

• PathChange—Generate a TraceRoutePathChange notification when the current path variesfrom a previously determined path.

• TestFailure—Generate a TraceRouteTestFailed notification when the full path to a targetcan’t be determined.

• TestCompletion—Generate a TraceRouteTestCompleted notification when the path to atarget has been determined.

Descr Describes the remote trace route test.

CreateHopsEntries Keeps the current path for a trace route test inthe TraceRouteHopsTable on a per hop basiswhen the value of this object is true.

Type Reports or selects the implementation method tobe used for performing a trace route operation.

Viewing traceroute resultsYou can view the results of traceroute tests.

Procedure steps

Step Action




4 Select a traceroute entry.

5 ClickTrace Route Result.

--End--

Variable definitionsUse the information in the following table to understand the resultparameters.

Variable Value

OwnerIndex Specifies the index of the owner.


NN46205-703 03.02 12 April 2010


.

Viewing the traceroute history 111

Variable Value

TestName Specifies the name of the test.

OperStatus Specifies the operational status of the test. Thedefault is disabled.

CurHopCount Specifies the current count of hops.

CurProbeCount Specifies the current count of probes.

IpTgtAddressType Specifies the IP target address type

IpTgtAddr Specifies the IP target address.

TestAttempts Specifies the number of test attempts.

TestSuccesses Specifies the number of successful test attempts.

LastGoodPath Specifies the date and time when the lastresponse is received for a probe.

Viewing the traceroute historyThe traceroute probe history contains probe information for the hops inthe routing path.

Procedure steps

Step Action




4 Select an entry.

5 Click the Trace Route Probe History button.

--End--

Variable definitionsUse the information in the following table to understand the historyparameters.

Variable Value

OwnerIndex Identifies the Trace Route entry to which a proberesult belongs.

TestName Specifies the test name.

Index Specifies the Index.


NN46205-703 03.02 12 April 2010


.


Variable Value

HopIndex Indicates for which hop in a traceroute path theprobe results are intended.

ProbeIndex Specifies the index of a probe for a particularhop in a traceroute path.

HAddrType Specifies the IP address type of the hop to whichthis probe belongs.

HAddr Specifies the IP address of the hop to which thisprobe belongs.

Response Specifies the cumulative results at any time.

Status Specifies the status of the probe.

LastRC When a new entry is added, the old entry ispurged if the total number of entries exceedsthe specified maximum number of entries in theControl Table Entry.

Time Specifies the response time of the probe.

Performing an external loopback testA DRAM memory test and an internal loopback test are run during theautomatic boot sequence. However, you can also run external and internalloopback tests on the port. Loopback tests ensure continuity of the datapath.

You can run only one loopback test at a time. You must stop a loopbacktest before you start one on another port.

An external loopback test uses a loopback connector connected to theport to loop data back to the same port. You must supply the loopbackconnector.

ATTENTIONThis procedure increases CPU utilization.

Procedure steps

Step Action

1 Install an external loopback connector.

2 From the Device Physical View, select a port.



5 On the Interface tab, set AdminStatus to testing.


NN46205-703 03.02 12 April 2010


.

Performing an external loopback test 113

6 Set AutoNegotiate to false.

7 Set Admin Duplex to full.

8 Click the Test tab.

9 Click Ext. Loopback.

10 Let the test run for several seconds.

11 To stop the test, click Stop.

The result, Fail or Success, is shown along with packet counts.

--End--

Variable definitionsUse the information in the following table to use the port Test tab.

Variable Value

Result Shows the result of the most recently run (orcurrent) test:

• None

• Success

• InProgress

• NotSupported

• unAbleToRun

• Aborted

• Failed

The code contains more specific information onthe test result (for example, an error code aftera failed test):

• NoReceive (timeout on a send)

• BadSeq (packets received out of sequence)

• BadLen (packet length mismatch)

• BadData (packet data mismatch)

Code Contains a code that provides more specificinformation about the test results, for example,an error-code after a failed test.

PassCount Specifies the number of successful iterations ofthe loopback test.

FailCount Specifies the number of failed iterations of theloopback test.


NN46205-703 03.02 12 April 2010


.


Performing an internal loopback testDuring an internal loopback test, packets are looped back at the PHYdevice. No connector is needed. You can run the test with or withoutanother device attached to the test port.

ATTENTIONThis procedure increases CPU utilization.

Procedure steps

Step Action

1 From the Device Physical View, select a port.



4 On the Interface tab, set AdminStatus to testing.

5 Click Apply.

6 Click the Test tab.

7 Click Int. Loopback.

Let the test run for several seconds.

8 To stop the test, click Stop.

The result, Fail or Success, is shown along with packet counts.

9 On the Interface tab, set AdminStatus to up to resume normaloperations.

--End--

Configuring Ping Snoop for R series modulesUse Ping Snoop to troubleshoot multilink trunking configurations.

The predefined ACL and ACTs for Ping Snoop are numbered 4096. Youcan use your own ACT, ACL, and ACE instead, but you are duplicating theACT, ACL, and ACE that the system predefines.

Configure the ACE action, debug action, and the IP addresses that yourequire.


NN46205-703 03.02 12 April 2010


.

Configuring Ping Snoop for R series modules 115

Procedure steps

Step Action

1 Locate the already partially defined ACT-ACL available pair. Inthe navigation tree, open the following folders Configuration,Security, Data Path.



4 For ACL 4096, add the appropriate ports as members.

5 Ensure the State is enable.

6 Click Apply.

7 Create an ACE with actions permit and CopyToPrimaryCp: clickthe ACE button.

8 Click Insert.

9 Name the ACE and configure the ID.


11 From the Flags options, select copyToPrimaryCp.

12 Click Insert.

13 For the ACE, configure a source IP address, a destination IPaddress, or both: select the ACE, and then click the IP button.

14 To configure the source IP address, in the Source Address tab,click Insert. Configure Oper to eq and type the IP address in theList box, and then click Insert.

15 To configure the destination IP address, in the DestinationAddress tab, click Insert. Configure Oper to eq and type the IPaddress in the List box, and then click Insert.

16 In the ACE Common tab, configure the AdminState of the PingSnoop ACE to enable and click Apply.

--End--


NN46205-703 03.02 12 April 2010


.



NN46205-703 03.02 12 April 2010


.

117.

Software troubleshooting toolconfiguration using the CLI

Use the procedures described in this section to configure troubleshootingtools using the CLI.

Navigation• “General troubleshooting” (page 118)

• “show debug generic command” (page 126)

• “Collecting Key Health Indicator (KHI) information” (page 128)

• “Enabling and disabling the Route Switch Processor (RSP) PacketTracing” (page 138)


• “Dumping specified ERCD records” (page 142)

• “Using PIM debugging commands” (page 143)

• “Using BGP debugging commands” (page 144)

• “Port mirroring configuration” (page 146)

• “Remote mirroring configuration” (page 157)

• “PCAP configuration” (page 163)

• “Testing the switch fabric” (page 187)

• “Testing the ARP address table” (page 188)

• “Clearing ARP information for an interface” (page 189)

• “Flushing routing, MAC, and ARP tables for an interface” (page 189)

• “Job aid: ping and traceroute considerations” (page 190)





NN46205-703 03.02 12 April 2010


.

118 Software troubleshooting tool configuration using the CLI

General troubleshootingThis section provides information about general troubleshooting using theCLI.

General troubleshooting navigation

• “Roadmap of general CLI troubleshooting commands” (page 118)

• “Using the CLI for troubleshooting” (page 120)

• “Using hardware record dumps” (page 121)

• “Using trace to diagnose problems” (page 122)

• “Using auto-trace to diagnose problems” (page 125)

Roadmap of general CLI troubleshooting commandsThe following roadmap lists some of the CLI commands and theirparameters that you can use to complete the procedures in this section.

Command Parameters

config cli more <true|false>

grep [<keyword>]config r-module <slot#> trace

level [<modid>] [level>]

dump ar <opid> <vlan|ip_subnet|mac_vlan|mac|arp|ip|ipx|ipmc|ip_filter|protocol|sys_rec|all><verbosity>

artable

fabric

hardware [<ports>]

led <ports> <tx|rx> <off|yellow|green>

test

loopback <ports> [<int|ext>]

artable

fabric

test stop

loopback <ports>


NN46205-703 03.02 12 April 2010


.

General troubleshooting 119

Command Parameters

clear

filter

grep [<keyword>]

info [tail]

level [<modid>] [<level>]

modid-list

off

route-policy <on|off> [protocol<rip|ospf|bgp|dvmrp|any>] [policy-type<accept|announce>] [policy <name>][ipaddr <interface-addr>] [iflist<if-name>]

trace

screen [<on|off>]

add-module <modid> <level>

auto-trace <enable|disable>

high-percentage <percent>

high-track-duration <seconds>

info

low-percentage <percent>

low-track-duration <seconds>

trace auto-enable

remove-module <modid>

on [info] [error] [pkt] [warn] [debug][nbr] [icmp] [ipclient] [all]

off [info] [error] [pkt] [warn] [debug][nbr] [icmp] [ipclient] [all]

trace ipv6 base

info

on [info] [error] [pkt] [warn] [debug][all]

off [info] [error] [pkt] [warn] [debug][all]

trace ipv6 forwarding

info

on [info] [error] [pkt] [warn] [debug][nbr] [redirect] [all]

off [info] [error] [pkt] [warn] [debug][nbr] [redirect] [all]

trace ipv6 nd

info


NN46205-703 03.02 12 April 2010


.


Command Parameters

on [info] [warn] [error] [config] [import][adj] [spf] [pkt] [lsa] [all]

off [info] [warn] [error] [config][import] [adj] [spf] [pkt] [lsa] [all]

trace ipv6 ospf

info

on [info] [warn] [error] [update] [fib][debug] [redist] [change-list] [all]

off [info] [warn] [error] [update] [fib][debug] [redist] [change-list] [all]

trace ipv6 rtm

info

on [common] [tcp] [udp] [all]

off [common] [tcp] [udp] [all]

trace ipv6 transport

info

add <IPX-network-number>

delete <IPX-network-number>

trace ipx policy rip in-policy

info

add <IPX-network-number>

delete <IPX-network-number>

trace ipx policy rip out-policy

info

file [tail]show trace

level

artable

fabric

loopback [<ports>]

show test

show-all [file <value>]

Using the CLI for troubleshootingYou can use the CLI to help provide diagnostic information.

Procedure steps

Step Action

1 Prior to capturing data it is useful to disable scrolling of theoutput display. To do this issue the following command:

config cli more false

2 You can view configuration file information using the morecommand, for example:

more boot.cfg


NN46205-703 03.02 12 April 2010


.


3 The following command output should be captured when anyswitch problem is observed.

show tech

show config

show port stats show-all

show port error show-all

When troubleshooting issues specific to a protocol, always useshow-all option for that command, if it exists.

--End--

Using hardware record dumpsTo aid in troubleshooting, a dump of the hardware records from an ingressOctaPID can be captured. Generally, a verbosity level of 1 suffices.

The dump ar command displays the hardware registers of the RaptARUattached to an OctaPID.

Procedure steps

Step Action

1 To dump hardware record information, enter the followingcommand:

dump ar <octapid> <vlan|ip_subnet|mac_vlan|mac|arp|ip|ipx|ipmc|ip_filter|protocol|sys_rec|all> <verbosity>

For example, dump all hardware records from OctaPID 0 slot 1port 1 with a verbosity level of 3:

dump ar 0 all 3

--End--

Variable definitionsUse the information in the following table to help you use the dumpcommand.

Variable Value

<opid> Specifies the OctaPID assignment from 1 to 64.


NN46205-703 03.02 12 April 2010


.


Variable Value

<vlan|ip_subnet|mac_vlan|mac|arp|ip|ipx|ipmc|ip_filter|protocol|sys_rec|all>

Specifies a record type in the AR table.

<verbosity> Specifies the verbosity from 0 to 3. Highernumbers specify more verbosity.

Using trace to diagnose problemsUse trace to observe the status of a software module at a given time.

For example, if a CPU utilization issue is observed (generally a sustainedspike above 90%) perform a trace of the control plane (CP) activity.

Prerequisites


• For information about how to use trace appropriately, see “Trace”(page 47).

Procedure steps

Step Action

1 Clear the trace:

trace clear

2 Begin the trace operation:

trace level <modid> <level>

For example, to trace the CP port, verbose level:

trace level 9 3

Wait approximately thirty seconds.

The default trace settings for CPU utilization are: High CPUUtilization: 90%, High Track Duration: 5 seconds, Low CPUUtilization:75%, and Low Track Duration: 5 seconds.

3 Stop tracing:

trace off

4 View the trace results:


NN46205-703 03.02 12 April 2010


.


trace info

OR

show trace file [tail]

5 You can save the trace file to the PCMCIA (or external flash)card for retrieval.

save trace

The file is saved with a file name of systrace.txt.

--End--

R series modules use different trace commands:

config r-module <slot#> trace level [<modid>] [level>]

config r-module <slot#> trace grep [<keyword>]

Variable definitions Use the information in the following table to helpyou use the trace command.

Variable Value

clear Clears any previous trace output.

filter Filters the trace output.

grep [keyword] Performs a comparison of trace messages (getregular expression and print [GREP]).

info [tail] Shows the trace output. [tail] shows the lastresults first.

level <modid> <level> Starts the trace by specifying the module ID andlevel.• <modid> specifies the module ID from 0 to

107.

• <level> specifies the trace level from 0 to4, where 0 is disabled; 1 is very terse; 2 isterse; 3 is very verbose, 4 is verbose.

modid-list Provides a list of module IDs and modulenames.

off Stops the trace operation.


NN46205-703 03.02 12 April 2010


.


Variable Value

route-policy <on|off>[protocol <rip|ospf|bgp|dvmrp|any>][policy-type <accept|announce>] [policy<name>] [ipaddr<interface-addr>][iflist <if-name>]

Traces route policy serviceability.

screen [<on|off>] Enables or disables the display of trace outputto the screen.

Job aidThe following table specifies the Module ID values that you can specify inthe trace command.

Table 9Module ID values

0 - Common 23 - IGMP 45 - RTM 93 - IPFIX

1 - SNMP Agent 24 - IPFIL 46 - P2CMN 94 - MOD_IPMC6

2 - RMON 25 - MLT 47 - RIP 95 -MOD_MCAST6_CMN

3 - Port Manager 26 - IPPOLICY 48 - PIM 96 - MOD_MLD

4 - Chassis Manager 27 - IPMC 49 - RPS 97 - MOD_PIM6

5 - STG Manager 28 - SYSLOG 50 - NTP 98 - SLPP

6 - Phase2 OSPF 29 - DVMRP 51 - TCP 99 - INFINITY

7 - Hardware I/F 30 - P2IPX 52 - BGP 100 - MPLS

8 - (N/A) 31 - RCIPX 53 - EPILOGUE 101 - RCMPLS

9 - CP Port 32 - RAR 54 - SSH 102 - NNCLI

10 - (N/A) 33 - OP 56 - HAL 103 - VRF

11 - VLAN Manager 34 - BOOT 57 - WIND 104 - NSNA

12 - CLI 35 - IOM 58 - EAP 105 - MIRRORFPGA

13 - Main 36 - QOS 59 - LACP 106 - MSTP

14 - Phase2 IP+RIP 37 - FLEXDB 60 - PING 107 - RSTP

15 - RCC IP 38 - SMM 61 - DNS 108 - MSDP

16 - HTTP Server 39 - ATM 62 - DPM 109 - TACACS+

19 - Watch Dog Timer 40 - POS 63 - BOOTP 115 - BFD

20 - TopologyDiscovery

41 - RADIUS 64 - DPMMSG 116 - DHCPSNOOP


NN46205-703 03.02 12 April 2010


.


21 - (N/A) 42 - SIO_COM 65 - FILTER 117 - DAI

22 - (N/A) 43 - PGM 66 - RCIP6

Using auto-trace to diagnose problemsYou can use auto-trace to automatically perform the trace function when aparameter reaches a certain threshold.

For example, if the SF/CPU fluctuates and accessing the switch to performa CP trace is not possible, use auto-trace to automatically perform thisfunction. Auto-trace monitors CPU utilization. When the configuredutilization is reached and sustained for the configured amount of time, aCP trace is performed and saved to the PCMCIA (or external flash on the8895 SF/CPU).

Procedure steps

Step Action

1 Configure the module and verbosity:

trace auto-enable add-module <modid> <level>

For example:

trace auto-enable add-module 9 3

2 Use the following variable definitions table to configure any otherrequired parameters.

3 Enable automatic tracing:

trace auto-enable auto-trace enable

--End--

Variable definitionsUse the information in the following table to help you use the traceauto-enable command.

Variable Value

add-module <modid><level>

Configures the trace auto-enable function byspecifying the module ID and level.• <modid> specifies the module ID from 0

to 107.

• <level> specifies the trace level from 0to 4, where 0 is disabled; 1 is very terse;2 is terse; 3 is very verbose, 4 is verbose.


NN46205-703 03.02 12 April 2010


.


Variable Value

auto-trace<enable|disable>

Enables or disables the auto-trace function.

high-percentage<percent>

Specifies the high-percentage threshold fora module. The range is 60 to 100%. Thedefault is 90%.

high-track-duration<seconds>

Specifies, in seconds, the maximum amountof time that the activity must be sustained totrigger the trace. The range is 3 to 10 s. Thedefault is 5 s.

info Shows information about the auto-traceconfiguration.

low-percentage <percent> Specifies the low-percentage threshold for amodule. The range is 50 to 90%. The defaultis 75%.

low-track-duration<seconds>

Specifies, in seconds, the minimum amountof time that the activity must be sustained totrigger the trace. The range is 3 to 10 s. Thedefault is 5 s.

remove-module <modid> Removes a module ID from the auto-traceinstance.

show debug generic commandThe show debug generic [verbose] command is mainly used fordebugging purposes only. It displays information from multiple systemshell commands.

The verbose option displays 4 extra commands which are prone to someamount of risk and hence Nortel recommends to execute the verbosecommand only during a maintenance window. A warning message in thecommand confirms the same.

The following table lists the commands displayed by the show debuggeneric command with associated descriptions. The table also lists therecommended number of times to execute the command (once or twice)in order to obtain best results for meaningful analysis of the specifieddata. Executing the command twice allows for an analysis of data at twodifferent time periods.


NN46205-703 03.02 12 April 2010


.

show debug generic command 127

Table 10show debug generic commands

Command Definition For bestresults

readrtc Displays the local and hardware time. execute twice

sysCliShowPerf Displays system performance parameters like CPU/SF/Bufferutilizations and DRAM info.

execute twice

cppShowStats Displays statistics and details of packets sent to the CPU. execute twice

cppSocketStatsShow

Displays cpp socket statistics like fd, sockerror etc. execute twice

spyReport Displays a list of tasks running, their task priority, and howmany ticks of the CPU they used in the last polling cycle.

execute twice

sopShowStats Displays statistics on packets sent to the System OctaPID. execute twice

tcpstatShow Displays statistics for all the TCP packets. execute twice

udpstatShow Displays statistics for all the UDP packets. execute twice

ipstatShow Displays statistics for all the IP packets. execute twice

mbufShow Displays the number of memory buffers available to thesystem.

execute twice

inetstatShow Displays all internet protocol (TCP/UDP) socket connections execute twice

ifShow Displays network interfaces info. execute twice

rcDumpIcmpStats

Dumps ICMP stats. execute twice

rcDumpIpStats Dumps all the IP statistics details. execute twice

icmpstatShow Displays statistics for all the ICMP packets execute once

memShow Displays CPU memory utilization and also all the blocks in thefree list of the system partition.

execute once

showInspect Displays status of all tasks in system. execute once

dumpAllZeroSrcMacInfo

Dumps the count and other info of all zero source MACframes.

execute once

The following additional commands are called by the verbose option.These commands are prone to some amount of risk and hence it isadvisable to execute the verbose commands only during a maintenancewindow.


NN46205-703 03.02 12 April 2010


.


Table 11show debug generic verbose commands

Command Definition For bestresults

sysCliShowPerf;

netStackSysPoolShow

Displays system performance parameters like CPU/SF/Bufferutilizations and DRAM info;displays memory buffer information.

execute twice

fbufDump Displays statistics about all queues. execute once

cppQShow Displays CPP queue statistics. execute once

hwDumpAll Dumps most of the hardware records. execute once

Collecting Key Health Indicator (KHI) informationThe Ethernet Routing Switch 8600 supports Key Health Indicators (KHI)that allow for the collection of statistics and information about the healthof the system for troubleshooting purposes related to system failure. TheKey Health Indicator (KHI) feature identifies a small number of key healthindicators that allow quick assessment of the overall operational stateof the Ethernet Routing Switch 8600. These indicators do not providecomplete coverage of all possible failure scenarios. Rather, KHI is adiagnostic tool for the health of the switch. Further debugging is requiredto correctly understand the system state and actions required to remedythe situation.

KHI provides global health information for the switch, including:

• Chassis health indication

• CPU performance health indication

• Port state change indication

• Forwarding health indication

• IP interface configuration and operation information

• Protocol information

• Management information: Log, TCP, UDP and Users

The switch stores the information locally and displays the information asrequested by the user using show commands.

KHI supports multiple KHI types that track specific switch areas orsubsystems. Each KHI type keeps track of the last ten events forthe specific subsystem (for example, protocol going down or loss of


NN46205-703 03.02 12 April 2010


.

Collecting Key Health Indicator (KHI) information 129

connection) in a rolling history. KHI creates a reference point using a timestamp, and then tracks events from that point forward. Clear commandsare provided to reestablish fresh timelines.

Generally, the KHI information allows you to track the source of a problemto a particular subsystem. Once this determination is made, you can usespecific statistics for that subsystem (for example, OSPF-specific statisticsand show commands) to further locate the source of the issue.

To configure KHI, you can enable or disable the feature globally. Inaddition, you can enable or disable some of the KHI types individually.This additional control is provided for KHI types that have a greater impacton loaded systems.

The main configuration actions for KHI are:

• Enabling or disabling KHI (at global or feature-level)

• Displaying statistics

• Clearing statistics/history to establish a new timeline

Currently, EDM does not support KHI configuration.

The following sections describe the various KHI options.

Configuring global KHIYou can enable or disable KHI globally. In addition, the Ethernet RoutingSwitch 8600 provides a global boot delay parameter for KHI.

If the system begins collecting statistics immediately at boot-up, thetransitions that the system initially experiences do not provide anappropriate baseline of normal operations against which to compare. Toprovide a valid baseline, you can configure the boot-delay parameterto specify how long the system can take to stabilize before KHI beginscollecting statistics.

Use the following procedure to configure KHI at the global level.

Procedure steps

Step Action

1 To enable KHI globally, enter:

config sys set khi khi-enable <true|false>

2 To configure the boot delay, enter:

config sys set khi boot-delay <minutes>


NN46205-703 03.02 12 April 2010


.


3 To display high-level KHI information, enter:

show khi info

4 To display all KHI information, enter:

show khi show-all [file <value>]

5 To clear all KHI statistics, enter:

clear khi all

6 To clear the KHI log, enter

clear khi log

--End--

Variable definitions

Variable Value

<true|false> Enables or disables the specified KHI feature.

<minutes> Specifies the boot delay period, in minutes.

[file <value>] If the filename is specified, the system stores theoutput to a file. Otherwise, it displays the outputto the console. If you specify a filename but omitthe directory, the system stores the output to thePCMCIA directory by default.

[history] Displays the event history (max 10).

Configuring Management KHIManagement KHI tracks TCP connections, CLI users, and KHI log status.

To configure management KHI, use the following procedure.

Procedure steps

Step Action

1 To enable the KHI feature globally, enter:


2 To enable the management KHI feature, enter:

config sys set khi mgmt-khi-enable <true|false>

3 To display the management KHI information, enter:


NN46205-703 03.02 12 April 2010


.


show khi mgmt [all] [history]

--End--


Variable Value


[all] Displays all management KHI information, including theevent history.


Configuring Chassis KHIChassis KHI displays the chassis key health indicators, such astemperature, fans, power supply, slots and CPU state.

To configure chassis KHI, use the following procedure.

Procedure steps

Step Action



2 To enable the chassis KHI feature, enter:

config sys set khi chassis-khi-enable <true|false>

3 To display chassis KHI information, enter:

show khi chassis

4 To clear chassis KHI statistics, enter:

clear khi chassis

--End--

ATTENTIONWhen the switch is running with a single SF/CPU and the HA flag is on, if youenter the show khi chassis command, the standbyMezz state appears asunsupported yellow. The state shows unsupported because this is not asupported configuration, and yellow because the configuration does not causean outage.


NN46205-703 03.02 12 April 2010


.


Configuring Performance KHIPerformance KHI displays the performance key health indicators, such asutilization status for CPU and switch fabric.

To configure performance KHI, use the following procedure.

Procedure steps

Step Action



2 To enable the performance KHI feature, enter:

config sys set khi performance-khi-enable <true|false>

3 To display performance KHI information, enter:

show khi performance

4 To clear performance KHI statistics, enter:

clear khi performance

--End--

Configuring Protocol KHIProtocol KHI tracks the health of the following protocols:

• OSPF

• BGP

• IST/SMLT

• PIM

• IGMP

• VLACP

• RTM and FDB table statistics

Protocol KHI also provides statistics and historical data for protocol andneighbor state transitions. It also allows for the establishment of referencetimestamps and reference data to track protocol health in the network. Itsupports VRFs.


NN46205-703 03.02 12 April 2010


.


Every protocol has a large number of parameters that can be tracked,but only the key parameters are tracked by the KHI. Protocol informationis collected and displayed on-demand, creating minimal overhead. Theinformation is not stored in any separate database (except reference data),so that memory utilization is also minimal.

To ensure the validity of the KHI information, ensure that it is in syncwith the output from the protocol show commands, and verify that thetimestamps are relevant.

To configure protocol KHI, use the following procedure.

Procedure steps

Step Action

1 To enable protocol KHI, enable the KHI feature globally byentering:


2 To display the protocol KHI information, enter:

show khi protocol-stats [history] [vrf <vrfName>]

ATTENTIONWhen you display IST/SMLT information, the information (especiallythe SMLT table) is computed on demand. Carefully consider thefrequency of issuing the show khi protocol-stats when thesetup is a large IST/SMLT setup. Nortel recommends issuing thecommand when the network has stabilized.

3 To clear the protocol KHI statistics, enter:

clear khi protocol

Use the clear command when the network is stable, to provide agood reference point for the number of routes and neighbors

--End--


Variable Value

<true|false> Enables or disables the specified KHIfeature.


[vrf <vrfName>] Displays VRF-specific data.


NN46205-703 03.02 12 April 2010


.


Configuring Forwarding KHIForwarding KHI tracks the following on each chassis slot:

• Asic Resets

• RSP State Error Events

• RSP Stats Error Events

• F2X (F2I, F2E) Error Events

In addition, it also provides a history of the last 10 Forwarding KHI events.

The current status for each slot under Forwarding KHI is collected every2 minutes and indicates the health status of the slot within the previous 2minutes.

Asic/RSP/F2X health information is monitored every 30 seconds and theinformation is maintained on the line card.

Forwarding KHI information on the CP is collected every 2 minutes.Collection of this information can have an impact when the system is busy.

The first time a particular forwarding error event occurs, it is reported as aKHI Warning message and also logged in the Forwarding KHI HistoricalData. All subsequent error events of the same type and on the sameslot-lane are not reported until a clear operation is performed.

The memory used for Forwarding KHI information is minimal, however,collection of Forwarding KHI information can have an impact when thesystem is busy. Nortel recommends to enable Forwarding KHI when theSystem has stabilized.

To ensure the validity of the KHI information, verify that the timestampsare relevant.

Forwarding KHI monitoring involves reading some registers that areclear-on-read operation. As such, debug commands that dump theseregisters cannot be used while Forwarding KHI is enabled.

To configure Forwarding KHI, use the following procedure.

Procedure steps

Step Action



2 To enable the forwarding KHI feature, enter:


NN46205-703 03.02 12 April 2010


.


config sys set khi forwarding-khi-enable <true|false>

3 To display the forwarding KHI information, enter:

show khi forwarding [<all|current-status|asic|rsp-state|rsp-stats|f2x|history>] [slot <value>]

4 To clear the forwarding KHI statistics, enter:

clear khi forwarding

Clear command allows to establish last clear timestamps.

--End--


Variable Value


all Displays all forwarding KHI information.

current-status Displays the current status of forwarding by slot.

asic Displays ASIC health information.

rsp-state Displays ingress and egress RSP state information.

rsp-stats Displays ingress and egress RSP statistics.

f2x Displays F2X health information.

history Displays the event history (max 10).

[slot <value>] Displays information for a specific slot.

Configuring IP interface KHIIP Interface KHI provides the total configured and total operational IPinterface count. It also provides a history of the last 10 IP InterfaceUp/Down events. As the memory used for IP Interface KHI information isminimal, it has minimal impact on the system.

The IP Interface Count is calculated when the show command is executed.The KHI uses the existing IP Interface Up/Down state transition to keeptrack of the IP Interface Operational Count and also to maintain thehistorical data.

The clear command allows you to establish a reference count and lastclear timestamps.

To ensure the validity of the KHI information, ensure that it is in syncwith the output from the IP interface show commands, and verify that thetimestamps are relevant.

To configure IP Interface KHI, use the following procedure.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 To enable the IP interface KHI feature, enable KHI globally byentering:


2 To display the IP interface KHI information, enter:

show khi ip-interface

3 To clear the IP interface KHI statistics, enter:

clear khi ip

--End--


Variable Value


Port KHIPort KHI tracks the following information:

• Overall system statistics (unicast, multicast and broadcast Rx, Txpackets) for the preceding 2 minutes

• Port Up/Down Events

• SMLT Port Up/Down Events

• IST Port Up/Down Events

• Port Errors

It also provides a history of the last 10 Port KHI events.

The Current Up/Down ports list is collected when the show commandis executed. The system statistics under Port KHI are collected every2 minutes and indicate the total packets (Unicast/Multicast/Broadcast)received/transmitted within the previous 2 minutes. When a clear operationis performed, the operationally UP ports are stored as a reference, andthe current status for Port KHI is marked as Yellow if any of those portsgo down.

The first time a particular port error occurs, it is reported as a KHIWarning message and also logged under the Port KHI historical data. Allsubsequent port errors of the same type and on the same port are notreported until a clear operation is performed.


NN46205-703 03.02 12 April 2010


.


To ensure the validity of the KHI information, ensure that it is in syncwith the output from the port show commands, and verify that thetimestamps are relevant. There may be a slight delay in the KHI outputif shown concurrently with port show commands, as KHI polls line cardsconsecutively, which can introduce a delay in the output for the first cardspolled.

While the memory used for Port KHI is minimal, collecting system statisticswhen a system is busy can have a system impact.

Nortel recommends to enable Port KHI when a system has stabilized.

The clear command allows you to establish a reference list of UP Portsand to establish the last clear timestamps. It also clears any existing porterror information.

To provide a useful reference point for the UP Ports list, use the clearcommand when the network is stable.

To configure Port KHI, use the following procedure.

Procedure steps

Step Action



2 To enable port KHI, enter:

config sys set khi port-khi-enable <true|false>


show khi port [<all|system-stats|state|errors|history>]


clear khi port

--End--


Variable Value


all Displays all port KHI information.


NN46205-703 03.02 12 April 2010


.


Variable Value

system-stats Displays system port statistics for unicast, multicast, andbroadcast packets.

state Displays port state (up, down, and health), including theport state for SMLT and IST ports.

errors Displays port errors.


Enabling and disabling the Route Switch Processor (RSP) PacketTracing

Configure the Route Switch Processor (RSP) Packet Tracing to observethe behavior of the RSP on each R and RS module. The RSP is theprogrammable Application Specific Integrated Circuit (ASIC) that controlsthe ports and traffic flow.

Procedure steps

ATTENTIONThe CLI command accepts only a single port.

Step Action

1 Enable the RSP ingress Packet Tracing by using the followingcommand:

config rsp-trace ingress-pkt-trace port <value> stateenable [interval <value>]

OR

Enable the RSP egress Packet Tracing by using the followingcommand:

config rsp-trace egress-pkt-trace port <value> stateenable [interval <value>]

2 Confirm the configuration by using the following command:

config rsp-trace info

ATTENTIONOnly the ports in lanes on which the trace is enabled are displayed

3 Disable the RSP ingress Packet Tracing by using the followingcommand:

config rsp-trace ingress-pkt-trace port <value> statedisable [interval <value>]


NN46205-703 03.02 12 April 2010


.

Enabling and disabling the Route Switch Processor (RSP) Packet Tracing 139

OR

Disable the RSP egress Packet Tracing by using the followingcommand:

config rsp-trace egress-pkt-trace port <value> statedisable [interval <value>]

--End--

Variable definitionsThe following table describes variables that you enter in the configrsp-trace ingress-pkt-trace port <value> state <value> orthe config rsp-trace egress-pkt-trace port <value> state<value> command.

Variable Value

port <value> Specifies the port on which to enablePacket Tracing.value specifies the number of the port inthe format of slot/port.

ATTENTIONAlthough you specify only one port, thePacket Tracing is enabled on all ports inthat lane. The info command displaysall ports in that lane so that you do notenable Packet Tracing on the same RSPthrough a different port.

state <value> Specifies the state of the ingress or egressPacket Tracing. By default the trace isenabled for 1 second. After 1 second, thetrace is disabled internally. An optionalparameter, interval, is provided to keep thetrace enabled for the desired number ofseconds.value specifies the state as enable ordisable.

ATTENTIONRSP Packet Tracing displays only thelast 1024 packets captured.

[interval <value>] Indicates the time interval for which thePacket Tracing is to remain enabled.


NN46205-703 03.02 12 April 2010


.


Variable Value

value specifies a value of 1, 10, 30 60,120, or 300 seconds. The default value is1 second.

The interval is an optional parameter.If you do not configure the interval, thedefault value is 1 second. If you doconfigure it, the time interval changesimmediately. On all subsequent occasionswhen you enable rsp-trace, if you donot specify a new interval value, it isset to the previously set interval value.This eliminates the need to change theconfiguration every time you use thiscommand.

Job aidThe following table describes the fields for the config rsp-trace infocommand.

Field Description

ingress-pkt-trace:/egress-pkt-trace: Specifies the Packet Tracing as ingress oregress.

port Specifies all the ports in the lane on which thetrace is enabled.

ATTENTIONAfter the trace is disabled internally (whenthe interval timer expires), the ports arenot displayed in the output of the configrsp-trace info command.

state Specifies whether Packet Tracing is enabled.

interval Specifies the interval in seconds for which thePacket Tracing is enabled.

Dumping RSP Packet TracingDump the RSP Packet Tracing to display the ingress and egress RSPTracing information that is collected by enabling the tracing.

Procedure steps



NN46205-703 03.02 12 April 2010


.

Dumping RSP Packet Tracing 141

ATTENTIONRSP Packet Tracing displays only the last 1024 packets captured.

Step Action

1 Display the specific egress RSP packet by using the followingcommand:

dump rsp-trace egress-display-pkt port <value> pkt-id<value>

OR

Display the specific ingress RSP packet by using the followingcommand:

dump rsp-trace ingress-display-pkt port <value> pkt-id<value>

2 Display the ingress Packet Tracing by using the followingcommand:

dump rsp-trace ingress-pkt-trace port <value>[start-pkt <value>] [end-pkt <value>]

OR

Display the egress Packet Tracing by using the followingcommand:

dump rsp-trace egress-pkt-trace port <value> [start-pkt<value>] [end-pkt <value>]

--End--

Variable definitionsUse the information in the following table to help you complete thepreceding procedure steps.

Variable Value

end-pkt <value> Specifies the packet ID of the last packetto display.value specifies the packet ID as aninteger in the range of 1–1024.


NN46205-703 03.02 12 April 2010


.


Variable Value

pkt-id <value> Specifies the ID as an integer of thepacket to display.value specifies the packet ID as aninteger in the range of 1–1024.

port <value> Specifies a port in the lane for which todisplay the trace.

start-pkt <value> Specifies the packet ID of the first packetto display.value specifies the packet ID as aninteger in the range of 1–1024.

Dumping specified ERCD recordsDump a specified Enterprise RSP Control Driver (ERCD) record to viewthat record.

Procedure steps


Step Action

1 Dump ERCD records:

dump ercdRecord{arp slot <value> |ip slot <value> |ip_subnet port <value> |mac slot <value> |mac_vlan port <value> |mgid slot <value> |protocol port <value> |vlan port <value> }[verbose <value>]

--End--

Variable definitionsThe following table describes the variables that you use with the dumpercdRecord command.

Variable Value

arp Specifies ARP ERCD records.

ip Specifies IP ERCD records.


NN46205-703 03.02 12 April 2010


.

Using PIM debugging commands 143

Variable Value

ip-subnet Specifies IP subnet ERCD records.

mac Specifies MAC ERCD records.Displays the learned MAC entries forthe specified port that are presenton the COP and the correspondingVLAN record of the port to check if theMAC entry learned against one port isdownloaded properly to all availableslots.

mac_vlan Specifies MAC VLAN ERCD records.

mgid Specifies MGID ERCD records.

protocol Specifies protocol ERCD records.

vlan Specifies VLAN ERCD records.Displays the VLANs to which this portbelongs and the corresponding ingressVLAN records of this port.

slot <value> Specifies the slot number to which yousend the query.

port <value> Specifies the port number {slot/port}for which you get the records.

[verbose <value>] Specifies an expanded display. valueis in the range of 0–3.

Using PIM debugging commandsUse PIM traces to aid in PIM troubleshooting.

Procedure steps

Step Action

1 To start debug trace message output:

config ip pim debug-pimmsg pimdbgtrace 1

2 To stop debug trace message output:

config ip pim debug-pimmsg pimdbgtrace 2

3 To display trace messages forwarded by the switch:

config ip pim debug-pimmsg send 1

4 To display trace messages received by the switch:

config ip pim debug-pimmsg rcv 1

5 Display Hello messages forwarded and received by the switch.

config ip pim debug-pimmsg hello 1


NN46205-703 03.02 12 April 2010


.


6 To display and log debug trace messages:

config ip pim debug-pimmsg pimdbglog 1

7 To disable previously enabled register messages:

config ip pim debug-pimmsg register 2

8 To display debug trace messages from a specific interface:

config ip pim debug-pimmsg source <ipaddress>

--End--

Variable definitionsUse the information in the following table to use the config ip pimdebug-pimmsg command. For the following parameter values, 1=true and2=false. The default value for each parameter is 2 (false).

Variable Value

assert <true=1|false=2> Displays the assert debug traces.

bstrap <true=1|false=2> Displays bootstrap debug traces.

group <ipaddress> Displays debug traces from a specific group IP address.

hello <true=1|false=2> Displays hello debug traces.

info Displays the current PIM debug trace flag settings on theswitch.

joinprune <true=1|false=2> Displays join/prune debug traces.

pimdbglog <true=1|false=2> Enables or disables whether the switch logs debug traces.

pimdbgtrace <true=1|false=2> Enables or disables PIM debug traces.

rcv <true=1|false=2> Displays trace messages received by the switch.

register <true=1|false=2> Displays register debug traces.

regstop <true=1|false=2> Displays register stop debug traces.

rp-adv <true=1|false=2> Displays RP advertisement debug traces.

send <true=1|false=2> Displays trace messages forwarded by the switch.

source <ipaddress> Displays debug traces from a specific source IP address.

Using BGP debugging commandsUse global and peer debug commands to display specific debug messagesfor your global and peers BGP configuration, including the BGP neighbors.

You can use these commands to troubleshoot your BGP configuration.


NN46205-703 03.02 12 April 2010


.

Using BGP debugging commands 145

Procedure stepsProcedure steps

Step Action

1 Display specific debug messages for your global BGPconfiguration using the following command:

config ip bgp global-debug mask <value>

2 Display specific debug messages for your global BGP neighborsusing the following command:

config ip bgp neighbor-debug-all mask <value>

3 Display specific debug messages for BGP peers or peer groupusing the following command:

config ip bgp neighbor <nbr_ipaddr|peer-group-name> neighbor-debug mask <value>

4 You can also run BGP trace using the following command:

trace level 52 3

--End--

Variable definitionsUse the information in the following table to use the global-debug maskcommands.

Variable Value

<nbr_ipaddr|peer-group-name>

Specifies the peer IP address or the peer groupname.

<value> Specifies one or more mask choices thatyou enter separated by commas with nospace between choices. For example:[<mask>,<mask>,<mask>...]. The mask canbe: none, all, error, packet, event, trace,warning, state, init, filter, update.

Job aidUse Debug command mask values to control debug messages for globalBGP message types, and for message types associated with a specifiedBGP peer or peer group.


NN46205-703 03.02 12 April 2010


.


Table 12Job aid: mask categories and messages

Mask category Message

none None disables the display of all debugmessages

all All sets the switch to display all categories ofdebug messages

error Error sets the switch to display error debugmessages

packet Packet sets the switch to display packet debugmessages

event Event sets the switch to display event debugmessages

warning Warning sets the switch to display warningdebug messages

init Init sets the switch to display initialization debugmessages

filter Filter sets the switch to display filter-relateddebug messages

update Update sets the switch to display update-relateddebug messages

The following tips can help you use the debug commands:

• You can display debug commands for multiple mask choices byentering the mask choices separated by commas, with no spacebetween choice.

For example, to display the global debug command for mask choiceserror and packet, use the following command:config ip bgp global-debug mask error,packet

• To end (disable) the display of debug messages, use the none maskchoice. For example, to end the display of global debug messages,use the following command:config ip bgp global-debug mask none

• You can save debug messages in a log file, or you can display themessages on your console. For example, to display (and log) a debugmessage, use the following command:

config ip bgp debug-screen [ <setting> ]

Port mirroring configurationYou can use port mirroring to aid in troubleshooting procedures.


NN46205-703 03.02 12 April 2010


.

Port mirroring configuration 147

Port mirroring configuration navigation

• “Roadmap of port mirroring CLI commands” (page 147)


• “Configuring global mirroring actions with an ACL” (page 152)

• “Configuring ACE debug actions to mirror” (page 153)

• “Example of port mirroring configuration with ACLs (rx-filter mode)”(page 155)

Roadmap of port mirroring CLI commandsThe following roadmap lists some of the CLI commands and theirparameters that you can use to complete the procedures in this section.

Command Parameter

create in-port <value> [out-port <value>][mode <value>] [enable <value>] [remote-mirror-vlan-id <value>] [mirroring-mlt <value>][mirroring-vlan <value>]

delete

enable <true|false>

info

mode <tx|rx|both|rxFilter|txFilter|bothFilter>

config diag mirror-by-port<id>

remote-mirror-vlan-id <vid>

mirrored-ports <port>

mirroring-mlt <mid>

mirroring-ports <port>

config diag mirror-by-port<id> add

mirroring-vlan <vid>

mirrored-ports <port>

mirroring-mlt <mid>

mirroring-ports <port>

config diag mirror-by-port<id> remove

mirroring-vlan <vid>


NN46205-703 03.02 12 April 2010


.


Command Parameter

action <mode> [mlt-index <value>] [remark-dscp<value>] [remark-dot1p <value>] [police<value>] [redirect-next-hop <value>][unreachable <value>] [egress-queue <value>][stop-on-match <value>] [egress-queue-nnsc<value>] [ipfix <value>]

create [name <value>]

config filter acl <acl-id>ace <ace-id>

debug [count <value>] [copytoprimarycp<value>] [copytosecondarycp <value>][mirror <value>] [mirroring-dst-ports<value>] [mirroring-dst-vlan <value>][mirroring-dst-mlt <value>]

info

mirroring-dst-ports <port>

mirroring-dst-vlan <vid>

config filter acl<acl-id> ace <ace-id>remove-mirror-dst

mirroring-dst-mlt <mid>

config filter acl <acl-id>set global-action <none|mirror| count|mirror-count|ipfix|mirror-ipfix|count-ipfix|mirror-count-ipfix>

show diag mirror-by-port

show filter acl debug[<acl-id>] [<ace-id>]


Connect the sniffer (or other traffic analyzer) to the output port you specifywith out-port <value>.

Procedure steps

Step Action

1 Create a port mirroring instance:

config diag mirror-by-port <id> create in-port <value>[out-port <value>] [mode <value>] [enable <value>][remote-mirror-vlan-id <value>] [mirroring-mlt<value>] [mirroring-vlan <value>]

<id> specifies the mirror-by-port entry ID in the range of 1 to383.

Mirroring is not operational until you issue the enable parameter.


NN46205-703 03.02 12 April 2010


.


2 Add mirroring entries as required:

config diag mirror-by-port <id> add {mirrored-ports<port]|mirroring-mlt <mid>|mirroring-port<port>|mirroring-vlan <vid>}

3 Use the following variable definitions tables to configure mirroringas required.

4 Enable mirroring:

config diag mirror-by-port <id> enable true

5 Ensure that your configuration is correct by using the followingcommand:

config diag mirror-by-port <id> info

show diag mirror-by-port

--End--

Variable definitionsUse the information in the following table to help you use the configdiag mirror-by-port <id> command.

Variable Value

add {mirrored-ports<port>|mirroring-mlt<mid>|mirroring-ports<port>|mirroring-vlan<vid>}

Add ports, MLTs, or VLANs to themirroring instance.To change a port mirroring configuration,first disable it.

• mirrored-ports <port> specifiesthe source port for mirrored packets

• mirroring-mlt <mid> specifies thedestination MLTs for mirrored packets

• mirroring-ports <port> specifiesthe destination ports for mirroredpackets

• mirroring-vlan <vid> specifiesthe destination VLAN for mirroredpackets


NN46205-703 03.02 12 April 2010


.


Variable Value

create in-port <value>[out-port <value>] [mode<value>] [enable <value>][remote-mirror-vlan-id<value>] [mirroring-mlt<value>] [mirroring-vlan<value>]

Creates a new mirror-by-port table entry.

• in-port <value> is the mirroredport.

• out-port <value> is the mirroringport.

• mode <value> sets the mirror mode(see description for mode).

• enable <value> enables or disablesthe mirroring port (see description forenable).

• remote-mirror-vlan-id <value>sets the VLAN ID for the remotemirrored packet (see description forremote-mirror-vlan-id).

• mirroring-vlan <value> is themirroring VLAN ID, from 1 to 4094.

• mirroring-mlt <value>is themirroring MLT ID, from 1 to 256.

To modify a port mirroring instance, firstdisable the instance. Also, to change aport, VLAN, or MLT entry, first removewhichever parameter is attached to theentry, and then add the required entry.For example, if an entry has mirroringports already assigned, then the portshave to be removed using the removemirroring-ports command, and then,to assign a VLAN to the entry, use theadd mirroring-vlan command.

delete Deletes an entry from the mirror-by-porttable.To change a port mirroring configuration,first disable it.

enable <true|false> Enables or disables a mirroring portalready created in the mirror-by-port table.

info Displays current port mirroring settings.


NN46205-703 03.02 12 April 2010


.


Variable Value


Sets the mirroring mode. The default is rx.

• tx mirrors egress packets.


• both mirrors both egress and ingresspackets.

• rxFilter mirrors and filters ingresspackets. If you use the rxFilter optionwith an R series module, you must usean ACL-based filter.

• txFilter mirrors and filters egresspackets.

• bothFilter mirrors and filters bothegress and ingress packets.

remote-mirror-vlan-id<vid>

Sets the remote mirror VLAN ID.

• <vid> is the ID of the VLAN in therange of 0 to 4094.

remove {mirrored-ports<port>|mirroring-mlt<mid>|mirroring-ports<port>|mirroring-vlan<vid>}

Remove ports, an MLT, or a VLAN fromthe mirroring instance.To change a port mirroring configuration,first disable it.

• mirrored-ports <port> specifiesthe source port for mirrored packets.

• mirroring-mlt <mid> specifies thedestination MLTs for mirrored packets.

• mirroring-ports <port> specifiesthe destination ports for mirroredpackets.

• mirroring-vlan <vid> specifiesthe destination VLANs for mirroredpackets.

Example of configuring port mirroringProcedure steps

Step Action

1 Create the port mirroring instance. Traffic passing port 7/1 ismirrored to port 7/2:

config diag mirror-by-port 3 create in-port 7/1 out-port7/2


NN46205-703 03.02 12 April 2010


.


The analyzer is connected to port 7/2.

2 Mirror both ingress and egress traffic passing through port 7/1:

config diag mirror-by-port 3 mode both

3 Enable mirroring for the instance:

config diag mirror-by-port 3 enable true

--End--

Configuring global mirroring actions with an ACLYou can configure the global action to mirror a packet that matches anACE.

Prerequisites

• The ACL exists.

Procedure steps

Step Action

1 To configure the global action to mirror, use the followingcommand:

config filter acl <acl-id> set global-action mirror

<acl-id> specifies an ACL ID from 1 to 4096.

2 Ensure your configuration is correct:

config filter acl <acl-id> set info

--End--

Variable definitionsUse the information in the following table to help you use the configfilter acl <acl-id> set command.

Variable Value

default-action<value>

Specifies the default action to take when none of theACEs match. Options include <deny|permit>.The default is permit.


NN46205-703 03.02 12 April 2010


.


Variable Value

info Displays the status of the global and default actions.

global-action<value>

The <value> parameter specifies the global actionfor matching ACEs:

• none

• mirror, count, mirror-count, ipfix, mirror-ipfix,count-ipfix, and mirror-count-ipfix

If you enable mirroring, ensure you specify thesource and destination mirroring ports:

• For R modules in Tx mode: use config diagmirror-by-port commands to specifymirroring ports.

• For R or RS modules in Rx mode: use theconfig filter acl <acl-id> ace <ace-id>debug commands to specify mirroring ports.

Configuring ACE debug actions to mirrorUse debug actions to use filters for troubleshooting procedures.

Prerequisites

• The ACL exists.

• The ACE exists.

Procedure steps

Step Action

1 Configure the debug actions to mirror using the followingcommand:

config filter acl <acl-id> ace <ace-id> debug [mirror<enable|disable>] [mirroring-dst-ports <value>][mirroring-dst-vlan <value>] [mirroring-dst-mlt<value>]

<acl-id> specifies an ACL ID from 1 to 4096.

<ace-id> specifies an ACE ID from 1 to 1000.

2 Ensure the configuration is correct:

show filter acl debug [<acl-id>] [<ace-id>]

--End--


NN46205-703 03.02 12 April 2010


.


Variable definitionsUse the information in the following table to help you use the configfilter acl <acl-id> ace <ace-id> debug mirror commands.

Variable Value

mirror<enable|disable>

Enables or disables mirroring for the ACE.If you enable mirroring, ensure that you configurethe appropriate parameters:

• For R and RS modules in Rx mode: mirroring-dst-ports, mirroring-dst-vlan,or mirroring-dst-mlt.

• For R modules in Tx mode: use theconfigdiag mirror-by-port commands tospecify the mirroring source/destination.

mirroring-dst-ports<value>

Specifies the destination port or ports formirroring.

mirroring-dst-vlan<value>

Specifies the destination VLAN for mirroring.

mirroring-dst-mlt<value>

Specifies the destination MLT group formirroring.

Example of configuring R module txFilter mode mirroring

Procedure steps

Step Action

1 This configuration sends mirrored ICMP packets from port 2/1to port 4/1. Configure ACT 3:

ERS8610:5# config filter act 3 create

ERS8610:5# config filter act 3 ipProtoType

ERS8610:5# config filter act 3 apply

2 Configure an outVLAN ACL that uses ACT 3 and VLAN 2:

ERS8610:5# config filter acl 21 create outVlan act 3

ERS8610:5# config filter acl 21 vlan add 2

3 Add ACE 21 with action of permit to mirror ICMP traffic:

ERS8610:5# config filter acl 21 ace 1 create nameicmp

ERS8610:5# config filter acl 21 ace 1 action permit


NN46205-703 03.02 12 April 2010


.


ERS8610:5# config filter acl 21 ace 1 ipip-protocol-type eq icmp

ERS8610:5# config filter acl 21 ace 1 debug mirrorenable

ERS8610:5# config filter acl 21 ace 1 enableERS8610:5#

4 Because this is an R module in txFilter mode, configure themirroring source and destination ports:

ERS8610:5# config diag mirror-by-port 1 createin-port 1/1 out-port 3/1 mode txFilter enable true

--End--

Example of port mirroring configuration with ACLs (rx-filter mode)This configuration example shows how to:

• Enable port mirroring (rxFilter mode) for a port on VLAN 220.

• Use port 3/48 as the monitoring port.

• Configure an ACL so that TCP traffic from ports 20 to 500, and ICMPframes are mirrored to the monitoring port.

The configuration shown in the following figure is used.


NN46205-703 03.02 12 April 2010


.


Figure 2Port mirroring setup

Procedure steps

Step Action

1 Create a new ACT to filter on ICMP frames and TCP destinationports. Configure a new ACT with ID = 2:

ERS-8610:5# config filter act 2 create

2 Select the IP attributes of the IP protocol type:

ERS-8610:5# config filter act 2 ip ipProtoType

3 Select the protocol attributes of TCP source port, TCPdestination port, and UDP destination port

ERS-8610:5# config filter act 2 protocol tcpDstPort

4 Enable ACT 2:

ERS-8610:5# config filter act 2 apply

5 Create ACL 1 with type ingress VLAN:

ERS-8610:5# config filter acl 1 create inVlan act 2

6 Add ingress VLAN of 220 to ACL 1:


NN46205-703 03.02 12 April 2010


.

Remote mirroring configuration 157

ERS-8610:5# config filter acl 1 vlan add 220

7 Add ACE 1 with action of permit to mirror ICMP traffic:

ERS-8610:5# config filter acl 1 ace 1 create nameicmpERS-8610:5# config filter acl 1 ace 1 action permitERS-8610:5# config filter acl 1 ace 1 debug mirrorenable mirroring-dst-ports 3/48ERS-8610:5# config filter acl 1 ace 1 ipip-protocol-type eq icmpERS-8610:5# config filter acl 1 ace 1 enable

8 Add ACE 2 with action of permit to mirror TCP traffic with adestination port range from 20 to 500:

ERS-8610:5# config filter acl 1 ace 2 create nametcp_rangeERS-8610:5# config filter acl 1 ace 2 action permitERS-8610:5# config filter acl 1 ace 2 debug mirrorenable mirroring-dst-ports 3/48ERS-8610:5# config filter acl 1 ace 2 ipip-protocol-type eq tcpERS-8610:5# config filter acl 1 ace 2 protocoltcp-dst-port eq 20-500ERS-8610:5# config filter acl 1 ace 2 enable

--End--

Remote mirroring configurationUse remote mirroring to aid in troubleshooting procedures.

Remote mirroring configuration navigation


• “Example of remote mirroring configuration using ACLs” (page 160)


For more information about configuring remote mirroring, see Remote PortMirroring Technical Configuration Guide.

Procedure steps

Step Action

1 Configure remote mirroring using the following command:


NN46205-703 03.02 12 April 2010


.


config ethernet <slot/port> remote-mirroring create[enable <true|false>] [mode <source|termination>][srcmac <mac>] [dstmac <mac>] [ether-type <ether-type>]

2 Use the following variable definitions table to configure any otherparameters that are required.

3 Ensure that the remote mirroring configuration is correct:

show port info remote-mirroring

--End--

Variable definitionsUse the information in the following table to use the config ethernet<slot/port> remote-mirroring command.

Variable Value

add-vlan-id <vlan-id> Specifies to which VLAN the remotemirroring destination MAC addressbelongs. This must be a port-basedVLAN. Used only for Remote MirroringTermination (RMT) ports. When the RMTport is removed from the last VLAN in thelist, RMT is disabled on the port.

create [enable <true|false>] [mode<source|termination>][srcmac <mac>] [dstmac<mac>] [ether-type<ether-type>]

Creates a remote mirroring entry for theport. Create an entry before setting anyremote mirroring parameters on the port.

• <true|false> enables or disablesremote mirroring on the port.

• <source|termination> specifiesthe mode. Source (the default) meansthat this port is the source of packets(remote mirroring source [RMS]).Termination means that this portcollects mirrored packets (remotemirroring termination [RMT]).

• srcmac <mac> is the sourceMAC address in the format0x00:0x00:0x00:0x00:0x00:0x00.

• dstmac <mac> is the destinationMAC address in the format0x00:0x00:0x00:0x00:0x00:0x00.

• <ether-type> is the ether-typeof the remote mirrored packet. Thedefault value is 0x8103.


NN46205-703 03.02 12 April 2010


.


Variable Value

delete Deletes the remote mirroring portconfiguration.

dstmac <DstMac> Sets the destination MAC address foruse in the remote mirroring encapsulationheader. The mirrored packet is sent tothis MAC address. The DstMac is usedonly for RMS ports.

For RMT ports, one of the unusedMAC addresses from the switch portMAC address range is used. This MACaddress is saved in the configuration file.

enable <true|false> Enables or disables remote mirroringon the port. When remote mirroring isenabled, the following events occur:

• A static entry for the DstMac is addedto the Forwarding Database (FDB).All packets that come with this remotemirroring DstMac are sent to the RMTport.

• The switch periodically (once in 10seconds) transmits broadcast Layer2 packets in the associated VLAN sothat all nodes in the network can learnthe DstMac.

ether-type <ether-type> Specifies the Ethertype of the remotemirrored packet. The default value is0x8103.

info Displays the remote mirroringconfiguration of the port.

mode <source|termination> Specifies whether the port is an RMT(mode is termination) or an RMS (modeis source).


NN46205-703 03.02 12 April 2010


.


Variable Value

remove-vlan-id <vlan-id> Removes a VLAN from the VLAN list.Used only for RMT ports. When the RMTport is removed from the last VLAN in thelist, RMT is disabled from the port.

srcmac <Srcmac> Sets the source MAC address for usein the remote mirroring encapsulationheader. The mirrored packet is sentfrom the RMS port, and the source MACparameter in the header is derived fromthis address. The source MAC address ofthe encapsulated frame contains the first45 bits of this MAC address. The threeleast significant bits are derived from theport number of the RMS port. The MACaddress of the port is used as the defaultvalue.

Example of remote mirroring configuration using ACLsRemote mirroring is configured for the network shown in the followingfigure. Because R modules are used, ACLs are also used.

Figure 3Remote mirroring network example

Configure an ACL-based mirroring entry on Switch 1 (S1).


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Create a new ACT with ID 2:

ERS-8610:5# config filter act 2 create

2 Select the IP attributes:

ERS-8610:5# config filter act 2 ip ipProtoType

3 Select the protocol attributes:

ERS-8610:5# config filter act 2 protocol tcpDstPort

4 Enable ACT 2:

ERS-8610:5# config filter act 2 apply

--End--

Configure the Access Control List (ACL).

Procedure steps

Step Action

1 Create ACL 1 of type ingress VLAN:

ERS-8610:5# config filter acl 1 create inVlan act 2

2 Add ingress VLAN of 220:

ERS-8610:5# config filter acl 1 vlan add 220

--End--

Add Access Control Entries (ACE) to ACL 1.

Procedure steps

Step Action

1 Add ACE 1 with action of permit to use to mirror ICMP traffic:

ERS-8610:5# config filter acl 1 ace 1 create nameicmp

ERS-8610:5# config filter acl 1 ace 1 action permit

ERS-8610:5# config filter acl 1 ace 1 debug mirrorenable

ERS-8610:5# config filter acl 1 ace 1 debug mirrorout-port 2/29


NN46205-703 03.02 12 April 2010


.


ERS-8610:5# config filter acl 1 ace 1 ipip-protocol-type eq icmp

ERS-8610:5# config filter acl 1 ace 1 enable

2 Add ACE 2 with action of permit to use to mirror TCP traffic witha destination port range from 20 to 500:

ERS-8610:5# config filter acl 1 ace 2 create nametcp_range

ERS-8610:5# config filter acl 1 ace 2 action permit

ERS-8610:5# ERS-8610:5# config filter acl 1 ace 2debug mirror enable

config filter acl 1 ace 1 debug mirror out-port 2/29

ERS-8610:5# config filter acl 1 ace 2 ipip-protocol-type eq tcp

ERS-8610:5# config filter acl 1 ace 2 protocoltcp-dst-port eq 20-500

ERS-8610:5# config filter acl 1 ace 2 enable

--End--

Configure the VLAN and remote mirroring on switch S3.

Procedure steps

Step Action

1 Configure the VLAN:ERS-8610:5# config vlan 10 create byport 1ERS-8610:5# config vlan 10 ports add 1/15,2/8

2 Configure remote mirroring:ERS-8610:5# config ethernet 1/15 remote-mirroringcreateERS-8610:5# config ethernet 1/15 remote-mirroringadd-vlan-id 10ERS-8610:5# config ethernet 1/15 remote-mirroringmode terminationERS-8610:5# config ethernet 1/15 remote-mirroringenable true

3 Show remote-mirroring information to get the correct destinationMAC address for switch 1:ERS-8610:5# config ethernet 1/15 remote-mirroringinfo

--End--


NN46205-703 03.02 12 April 2010


.

PCAP configuration 163

Configure switch S1.

Procedure steps

Step Action

1 Configure the VLAN:

ERS-8610:5# config vlan 10 create byport 1

ERS-8610:5# config vlan 10 ports add 1/1

2 Configure port mirroring:

ERS-8610:5# config diag mirror-by-port 1 createin-port 1/15 out-port 1/1 mode rx enable trueremote-mirror-vlan-id 10

3 Configure remote mirroring:

ERS-8610:5# config ethernet 1/1 remote-mirroringcreate

ERS-8610:5# config ethernet 1/1 remote-mirroringdstmac 00:e0:7b:82:9d:9c

ERS-8610:5# config ethernet 1/1/ remote-mirroringenable true

--End--

PCAP configurationUse the Packet Capture Tool to aid in troubleshooting procedures. Anactive Secondary CPU is required.

PCAP configuration navigation

• “Roadmap of PCAP CLI commands” (page 164)

• “Accessing the Secondary CPU” (page 165)

• “Configuring PCAP global parameters” (page 166)

• “Enabling PCAP on a port” (page 168)

• “Configuring PCAP capture filters” (page 169)


• “Example PCAP configuration” (page 177)

• “Using the captured packet dump” (page 178)

• “Copying captured packets to a remote machine” (page 179)

• “Resetting the PCAP DRAM buffer” (page 179)


NN46205-703 03.02 12 April 2010


.


• “Modifying PCAP parameters” (page 180)

• “Example of capturing all traffic with PCAP filters” (page 180)

• “Example of capturing specific traffic with PCAP filters” (page 182)

• “Example of capturing specific traffic with PCAP and ACLs” (page 183)

• “PCAP troubleshooting example” (page 184)

Roadmap of PCAP CLI commandsThe following table lists the commands and their parameters that you useto perform the procedures in this section.

Command Parameter

add set <value>

add-acl-filter <acl-id>

enable <true|false> [mode <value>]

info

remove set <value>

config {ethernet} <ports>pcap

remove-acl-filter <acl-id>

auto-save <true|false> [file-name <value>][device <value>] [ip <value>]

buffer-size <2...256> or <2...420>

buffer-wrap <true|false>

enable <true|false>

ethertype-for-svlan-level <EtherType for hexvlan level>

fragment-size <64...9600>

info

pcmcia-wrap <true|false>

config diag pcap

reset-stat

action <capture|drop|trigger-on|trigger-off>

create

delete

dscp <dscp> [to <value>] [match-zero <value>][not]

dstip <ipaddr> [to <value>] [not]

dstmac <DstMac> [mask <value>] [not]

enable <true|false>

config diag pcapcapture-filter <listid>


NN46205-703 03.02 12 April 2010


.


Command Parameter

ether-type <Ethertype> [to <value>] [not]

info

packet-count <PacketCount>

pbits <Pbits> [to <value>] [match-zero <value>][not]

protocol-type <protocoltype> [to <value>] [not]

refresh-timer <RefreshTimer>

srcip <ipaddr> [to <value>] [not]

srcmac <SrcMac> [mask <value>] [not]

tcp-port <tcport> [to <value>] [not]

timer <Timer>

udp-port <udpport> [to <value>] [not]

user-defined <0..9600> <data> [not]

vlan-id <Vlanid> [to <value>] [not]

config vlan <vid> fdb-filterpcap <mac> <enable|disable>

See Nortel Ethernet Routing Switch 8600 Configuration —VLANs and Spanning Tree (NN46205-517)

capture-filter [id <value>]

dump

info

port

show-all [file <value>]

show diag pcap

stats

Accessing the Secondary CPUThe PCAP engine is the Secondary CPU. You can gain access to thePCAP engine through a direct console or modem connection to thesecondary CPU, or by using a peer telnet session from the primary CPU.A connection is made to the secondary CPU, which then prompts for thelogon and password.

Procedure steps

Step Action

1 Log on to the Primary CPU.

2 Access the Secondary CPU by entering the following command:


NN46205-703 03.02 12 April 2010


.


peer telnet

--End--

Configuring PCAP global parametersConfigure PCAP globally to define how PCAP operates on the EthernetRouting Switch 8600.

Prerequisites


• If saving to external memory, a PCMCIA card (or external flash on the8895 SF/CPU) is installed.

Procedure steps

Step Action

1 Enable PCAP using the following command:

config diag pcap enable true

2 Use the following variable definitions table to configure otherparameters as required.


config diag pcap info

show diag pcap info

--End--

Variable definitionsUse the information in the following table to complete the config diagpcap command.

Variable Value

auto-save <true|false> file-name <value>[device <value>] [ip<value>]

Enables or disables auto-save. When enabled,saves the captured frames into the devicespecified and continues to capture frames.The default is enable. If this option is disabled,packets are stored in the DRAM buffer only.

file-name <value> is the name of the filewhere captured frames are saved.


NN46205-703 03.02 12 April 2010


.


Variable Value

device <value> is the device name (PCMCIAor network).

ip <value> is the IP address used. This isused only if the device is network.

buffer-size <2...256>or <2...420>

Specifies the size of the buffer allocated forstoring data. A Mezz SF/CPU can use up to 420MB. The default is 32 MB.

buffer-wrap<true|false>

Enables buffer wrapping. When this parameteris set to true and the buffer becomes full, thecapture continues by wrapping the buffer. If thisparameter is set to false and the buffer becomesfull, the packet capture stops. The default valueis true. A log message is generated when thebuffer is wrapped.

enable <true|false> Enables or disables PCAP globally. The defaultis false.

ethertype-for-svlan-level <EtherType forhex vlan level>

Specifies the Ethernet type for sVLAN packets.With this information, PCAP can identify andcapture the tag information of packets receivedfrom SVLAN ports.

<ethertype-for-svlan-level> is ahexadecimal value. The default is 0x8100.

fragment-size<64...9600>

Specifies the number of bytes from each frameto capture. The default is the first 64 bytes ofeach frame.

info Displays the current PCAP configuration.

pcmcia-wrap<true|false>

Enables or disables PCMCIA wrapping. Whenthis parameter is set to true and the autosavedevice is PCMCIA, this causes an overwriteof the present file on the PCMCIA (or externalflash) during an autosave. If this parameter is setto false, the present file is not overwritten. A logis generated when the file is overwritten on thePCMCIA (or external flash).

reset-stat This command resets the PCAP engine DRAMbuffer, as well as all software counters used forPCAP statistics. This command can be executedin the Primary or Secondary SF/CPUs.


NN46205-703 03.02 12 April 2010


.


Enabling PCAP on a portConfigure PCAP on a port so that the port supports PCAP, and to applyfilters to the captured data. You can apply IP- or Access Control List(ACL)-based filters.

Prerequisites



Procedure steps

Step Action

1 Apply filter sets or ACLs to captured packets:

config {ethernet} <ports> pcap add set <value>

config {ethernet} <ports> pcap add-acl-filter <acl-id>

2 To enable PCAP on Ethernet ports, use the following command:

config {ethernet} <ports> pcap enable true [mode<value>]

3 Ensure PCAP is correctly configured:

show diag pcap port

--End--

Variable definitionsUse the information in the following table to complete the config{ethernet} <ports> pcap command.

Variable Value

add set <value> Adds an IP filter set (Global or Source Destination)to a port. <value> specifies the filter set. TheIP filter set must already exist. Filter GlobalSet ID values are in the range of 1 to 100 andSource/Destination sets are in the range of 300 to1000.


NN46205-703 03.02 12 April 2010


.


Variable Value

Adding a filter set causes the following to happen:

• Creates an IP traffic filter for a port if one doesnot already exist; otherwise, disables the IPtraffic filter.

• Adds the IP traffic filter set to the port.

• Sets the mirror bit for all the filters in the set.

• Restores the default-action of the port. Ifdefault-action was not set, set to forwarding.

• Enables the traffic filter on the port.

add-acl-filter<acl-id>

Applies an ACL to captured packets. The ACL IDcan be from 1 to 4096.

enable <true|false>[mode <value>]

Enables or disables PCAP on the port. The defaultPCAP mode captures ingress packets (rx mode).

mode <value> specifies rx, tx, both, txfilter,rxFilter, or bothFilter. If PCAP is enabled in filtermode, then only packets which match the filtercriteria are captured.

info Displays the current PCAP configurationinformation.

remove set <value> Removes a filter. <value> is the number of thefilter set. The Source/Destination set is a valuefrom 1 to 100. The Global set is a value from 300to 1000.

Removing a set causes the following to happen:

• Disables the IP traffic filter

• Removes the IP traffic filter set from the port

remove-acl-filter<acl-id>

Removes an ACL.

Configuring PCAP capture filtersUse capture filters to better define the match criteria used on packets.

Nortel recommends using PCAP with IP or MAC filters to reduce the loadon the PCAP engine.


NN46205-703 03.02 12 April 2010


.


To create a functional capture filter that captures specific packets, createtwo filters. Use one filter to capture specific packets, and another filter todrop all other packets.

Procedure steps

Step Action

1 To create a capture filter, enter the following command:

config diag pcap capture-filter <list-id> create

2 Configure the filter action:

config diag pcap capture-filter <list-id> action<capture|drop|trigger-on|trigger-off>

3 Use the following variable definitions table to define the matchparameters; for example:

config diag pcap capture-filter <list-id> dscp 60 to 63

4 Enable the filter:

config diag pcap capture-filter <list-id> enable true


config diag pcap capture-filter <list-id> info

show diag pcap capture-filter [id <value>]

--End--

Variable definitionsUse the information in the following table to help you use the configdiag pcap capture-filter <listid> command.

Variable Value


Determines the action taken by the filter.

• capture indicates that the packet iscaptured.

• drop indicates that the packet is dropped.

• trigger-on indicates to start capturing thepacket when a packet matches this filter.PCAP is enabled globally and the trigger filteris disabled.

• trigger-off indicates to stop capturingthe packet when a packet matches this filter.


NN46205-703 03.02 12 April 2010


.


Variable Value

PCAP is disabled globally and the triggerfilter is disabled.

create Creates a new PCAP filter.

delete Deletes an existing filter.

dscp <dscp>[to <value>][match-zero <value>][not]

Specifies the DSCP value of the packet.

• <dscp> can be one or a range of DSCPvalues from 0 to 63. The default is 0, whichmeans this option is disabled.

• to <value> specifies a range.

• <value> is either true or false. When thisoption is set to true, 0 is considered a validvalue. When it is set to false, 0 is considereda disable value.

• not means that the filter matches for all othervalues than the range of values defined.

dstip <ipaddr/mask>[to <value>] [not]

Specifies the destination IP address.<ipaddr/mask> can be one address, or a range of IPaddresses. The default is 0.0.0.0, which meansthis option is disabled.

to <value> specifies a range.

not means that the filter matches for all othervalues than the range of values defined.

dstmac <DstMac> [mask<value>] [not]

Specifies the MAC address of the destination.If the mask is set, then only the first fewbytes are compared. <DstMac> representsa range of MAC addresses. The default is00:00:00:00:00:00, which means this option isdisabled.

<value> is the destination MAC address mask,and specifies a range.


enable <true|false> Enables or disables the filter. The default isdisable.


NN46205-703 03.02 12 April 2010


.


Variable Value

ether-type<Ethertype>[to <value>][not]

Specifies the Ethernet type of the packet.

<Ethertype> can be one or a range ofEther-type values. The default is 0, meaning thatthis option is disabled.



info Displays the current PCAP filter configuration.

packet-count<PacketCount>

When set, PCAP stops after capturing thespecified number of packets. This is similar tothe refresh-timer option; after it is invoked, thefilter is disabled. This option is active only whenthe action parameter is set to trigger-on. Thedefault value is 0, which means this option isdisabled.

pbits <Pbits>[to <value>][match-zero <value>][not]

Specifies the priority bit of the packet.

<Pbits> can be one value or a range. Thedefault is 0, which means this option is disabled.


<value> is either true or false. When this optionis set to true, 0 is considered a valid value.When it is set to false, 0 is considered a disablevalue.


protocol-type<protocoltype>[to <value>][not]

Specifies the protocol of the packet.

<protocoltype> can be one value or a rangeof protocol-type values. The default is 0, whichmeans this option is disabled.




NN46205-703 03.02 12 April 2010


.


Variable Value

refresh-timer<RefreshTimer>

When set, this starts or resets a timer. If anotherpacket is not received within the specifiedtime, PCAP is disabled globally. This option isactive only when the action parameter is set totrigger-on. To delete this option, set it to 0. Thedefault value is 0.

srcip <ipaddr>[to <value>][not]

Specifies the source IP address.

<ipaddr> can be one address or a range of IPaddresses. The default is 0.0.0.0, which meansthis option is disabled.



srcmac <SrcMac>[mask <value>][not]

Specifies the MAC address of the source.

<SrcMac> is the source MAC address. If themask is set, then only the first few bytes arecompared. The default is 00:00:00:00:00:00,which means this option is disabled.

mask <value> is the mask of the source MACaddress. This parameter specifies an addressrange.


tcp-port <tcport>[to <value>][not]

Specifies the TCP port of the packet.

<tcport> can be one value or a range of TCPport values. The default is 0, which means thisoption is disabled.




NN46205-703 03.02 12 April 2010


.


Variable Value

timer <Timer> When set, PCAP is invoked when the firstpacket is matched and stopped after the setvalue of time. After starting the timer, the filter isdisabled.

This option is active only when the actionparameter is set to trigger-on.

<Timer> is a value from 100 to 3600000milliseconds. The default value is zero. Settingthe value to 0 disables the timer.

udp-port <udpport>[to <value>][not]

Specifies the UDP port of the packet.

<udpport> can be one or a range of UDP portvalues. The default is 0, which means this optionis disabled.



user-defined<0..9600> <data> [not]

Sets a user defined value on which to match thepacket. The user can define a pattern in hex orcharacters to match. The user can also specifythe offset to start the match. The default valueof pattern is null (’’) which means that this field isdiscarded. To disable this option, set the patternto null (’’).


vlan-id <Vlanid>[to <value>][not]

Specifies the VLAN ID of the packet.

<Vlanid> can be one or a range of VLAN IDs.The default is 0, which means that this option isdisabled.




NN46205-703 03.02 12 April 2010


.


Examples of PCAP capture filter configurationProcedure steps

Step Action

1 Start packet capture based on the protocol; in this case, type 6(TCP):

config diag pcap enable false

config diag pcap capture-filter 7 create

config diag pcap capture-filter 7 action capture

config diag pcap capture-filter 7 protocol-type 6

config diag pcap capture-filter 7 enable true

While this capture filter specifies to capture TCP packets, thedefault action is to capture all packets. A PCAP capture filterwith action drop must be configured to drop all packets toachieve the desired result.

2 Capture packets for a predefined time period:


config diag pcap capture-filter 7 action trigger-on


config diag pcap capture-filter 7 timer 10


When the trigger-on option is used, packet capture startswhen the first packet that matches the protocol-type criteria isprocessed and continues for the length of the timer value.

3 Drop all IP broadcast packets:


config diag pcap capture-filter 8 action drop

config diag pcap capture-filter 8 dstip 255.255.255.255


4 Capture packets for a predefined number of packets:



config diag pcap capture-filter 7 srcip 10.10.10.10

config diag pcap capture-filter 7 packet-count 1000


5 Stop packet capture when the PCAP engine buffer is full:

config diag pcap buffer-wrap false


NN46205-703 03.02 12 April 2010


.


6 Save captured packets after the PCAP engine buffer is full:

config diag pcap auto-save true file-name pcap_test.capdevice pcmcia

7 Configure the PCAP engine buffer size:

config diag pcap buffer-size 10

8 Configure the fragment size, which is the number of bytes ofeach captured packet that is captured.

config diag pcap fragment-size 200

9 Enable packet capture globally.


--End--


Prerequisites

• A VLAN exists.


Procedure steps

Step Action

1 Enable PCAP with the mode set to rxFilter.


config eth <port> pcap enable true mode rxFilter

2 Enable PCAP with FDB filters on a VLAN. To enable PCAP foran FDB filter by MAC address, use the following command:

config vlan <vid> fdb-filter pcap <mac> enable

--End--

Variable definitionsUse the information in the following table to help you perform thisprocedure.


NN46205-703 03.02 12 April 2010


.


Variable Value

<mac> Specifies the MAC address in the format0x00:0x00:0x00:0x00:0x00:0x00.

<port> Specifies the slot and port.

Example PCAP configurationThe following basic steps are required to set the PCAP parameters, enablePCAP on a port, enable PCAP, and copy the captured packets to a remotemachine.

Procedure steps

Step Action

1 Enable PCAP parameters.

config diag pcap auto-save true file-name pcap_test.capdevice pcmcia

2 Enable PCAP on a port, by MAC address, or IP filter.

config ether 2/10 pcap enable true mode <rx|tx|both|rxFilter|txFilter|bothFilter>

OR

config ether 2/10 pcap enable true mode rxFilter

config vlan 2 fdb-filter pcap 00:08:07:60:89:D6 enable

OR

config ether 2/10 pcap enable true mode rxFilter

config ip traffic-filter create global src-ip10.10.10.10/32 dst-ip 10.10.20.20/32 id 5

3 Enable PCAP globally.


4 Configure a PCAP filter that only allows TCP ports that are notin 20 to 21.

config diag pcap capture-filter 7 tcp-port 20 to 21 not

5 Display all PCAP statistics.

show diag pcap stats

6 Disable PCAP at the port level.

config ether 2/10 pcap enable false

7 Copy captured packets to a file.

copy PCAP00 /pcmcia/pcap_packets.cap


NN46205-703 03.02 12 April 2010


.


8 Use Ethereal or Sniffer Pro to analyze the packets.

--End--

Job aid

Table 13show diag pcap stats field descriptions

Field Description

Packet Capacity count This is the maximum number of packets thatcurrently can be stored in the PCAP enginebuffer. Reset-stat does not reset this value.

Number of packets receivedin PCAP engine

This is the number of packets currently in thePCAP engine buffer. When buffer-wrap occurs,this is set to 0 and the count starts again.

When buffer-wrap occurs, the second field is setto 0 and the third field is not set to zero. Fromthe capture log, the user can determine howmany times buffer-wrap has occurred.

Number of packetsaccumulated in PCAPengine

This is the number of packets accumulated in thePCAP engine.

When buffer-wrap occurs, the second field is setto 0 and the third field is not set to zero. Fromthe capture log, the user can determine howmany times buffer-wrap has occurred.

Number of packets droppedin PCAP engine by filters

The number of packets dropped when ingresspackets match the filter criteria and the PCAPaction is set to drop.

Number of packets droppedin Hardware

The number of packets dropped by the PCAPengine hardware when the amount of packetsbeing forwarded cannot be processed.

Using the captured packet dumpYou can view packets using a CLI session and the Secondary SF/CPU.Dumping a large number of captured packets is CPU intensive. The switchdoes not respond to any commands while the dump is in progress. Nortelrecommends you use this command only when it is absolutely necessary.However, there is no degradation in normal traffic handling or switchfailover.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Log on to the Secondary SF/CPU.

2 Use the following command:

show diag pcap dump

--End--

Copying captured packets to a remote machineYou can copy packets to a remote machine, or the switch flash or PCMCIA(or external flash on the 8895 SF/CPU). If PCAP is used with autosavedisabled, captured packets are stored in the Secondary SF/CPU DRAMbuffer.

Procedure steps

Step Action

1 To copy the packets to a file for later viewing, use the copy orFTP get commands. These commands can be executed in thePrimary CPU.

copy PCAP00 /<device> /<filename>

OR

ftp> get PCAP00 <filename>

For example:

copy PCAP00 /pcmcia/file.cap

--End--


Variable Value

<device> Specifies pcmcia, flash, or an IP host by IPaddress.

<filename> Specifies the PCAP file (.cap).

Resetting the PCAP DRAM bufferYou can clear the PCAP DRAM buffer and the PCAP counters.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action


2 Disable PCAP:


3 Reset the PCAP engine DRAM buffer:

config diag pcap reset-stat

--End--

Modifying PCAP parametersCertain steps are required to modify PCAP parameters.

Procedure steps

Step Action

1 Disable PCAP on ports:

config eth <slot/port> pcap enable false

2 Disable PCAP globally:

config diag pcap ena false

3 Make desired PCAP modifications.

4 Reset PCAP statistics and counters:

config diag pcap reset-stat

5 Globally enable PCAP:


6 Enable PCAP on ports:

config eth <slot/port> pcap enable true mode <value>

--End--

Example of capturing all traffic with PCAP filters


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Configure PCAP to auto save the captured traffic to the PCMCIA(or external flash) card on the Secondary CPU. Name the filepcap_data.cap.

ERS8600-B:5# config diag pcap auto-save truefile-name pcap_data.cap device pcmcia

2 Change the buffer size to 128 MB.

ERS8600-B:5# config diag pcap buffer-size 128

Be sure not to exceed the buffer size on the backup CPU.Although the following command is used to view the CPU buffersize on the primary CPU (if both the primary and backup CPUhave the same DRAM size), this command also indicates theDRAM used. This command cannot be used on the SecondarySF/CPU when it is in slave mode.

ERS8600-B:5# show sys perf

3 Enable PCAP globally and enable PCAP on port 7/26 to capturetraffic in both directions.

ERS8600-B:5# config diag pcap enable true

ERS8600-B:5# config ethernet 7/26 pcap enable truemode both

4 Use the following commands to view your PCAP configuration.

ERS8600-B:5# config diag pcap info

ERS8610-B:5# show diag pcap port

5 Use the following command to view the real-time PCAPstatistics.

ERS8610-B:5# show diag pcap stat

Captured traffic is written to the backup CPU PCMCIA (orexternal flash) card when the number of packets received inthe PCAP engine equals the packet capacity count. If thePCAP wrap parameter is enabled, captured traffic continuouslyoverwrites to the PCMCIA (or external flash) file.

6 Stop PCAP and save the captured traffic DRAM contents.

ERS8610-B:5# config diag pcap enable falseERS8610-B:5# copy PCAP00 /pcmcia/capture.cap

7 Forward the captured file to a server.

ERS8610-B:5# peer telnet


NN46205-703 03.02 12 April 2010


.


ERS8610-B:6# copy /pcmcia/capture.cap10.99.99.1:capture.cap

--End--

Example of capturing specific traffic with PCAP filters

Procedure steps

Step Action

1 Ensure PCAP is disabled.

ERS8600-B:5# config diag pcap enable false

2 Create capture-filter 1 and configure it to capture traffic with asource IP address of 10.1.1.100 and a UDP port 1025.

ERS8600-B:5# config diag pcap capture-filter 1create

ERS8600-B:5# config diag pcap capture-filter 1action capture

ERS8600-B:5# config diag pcap capture-filter 1srcip 10.1.1.100

ERS8600-B:5# config diag pcap capture-filter 1udp-port 1025

ERS8600-B:5# config diag pcap capture-filter 1enable true

3 Create capture-filter 2 and configure to drop all traffic. This isrequired so that you only capture traffic using the criteria fromstep 2.

ERS8600-B:5# config diag pcap capture-filter 2create

ERS8600-B:5# config diag pcap capture-filter 2action drop

ERS8600-B:5# config diag pcap capture-filter 2enable true

4 Enable PCAP globally and reset the PCAP statistics.

ERS8600-B:5# config diag pcap reset-stat true

ERS8600-B:5# config diag pcap enable true

5 View the PCAP filters.


NN46205-703 03.02 12 April 2010


.


ERS8600-B:5# show diag pcap capture-filter

--End--

Example of capturing specific traffic with PCAP and ACLs

Procedure steps

Step Action

1 Disable PCAP.

ERS8600-B:5# config diag pcap enable false

2 Create ACL 1 and configure it to capture traffic with a source IPaddress of 10.1.1.100 and UDP port 1025.

ERS8600-B:5# config filter act 1 create

ERS8600-B:5# config filter act 1 ip srcIp,dstIp

ERS8600-B:5# config filter act 1 protocoludpSrcPort,udpDstPort

ERS8600-B:5# config filter act 1 apply

ERS8600-B:5# config filter acl 1 create inPort act 1

ERS8600-B:5# config filter acl 1 port add 7/26

ERS8600-B:5# config filter acl 1 ace 1 create name"one"

ERS8600-B:5# config filter acl 1 ace 1 action permit

ERS8600-B:5# config filter acl 1 ace 1 ip src-ip eq10.1.1.100

ERS8600-B:5# config filter acl 1 ace 1 protocoludp-dst-port eq 69

ERS8600-B:5# config filter acl 1 ace 1 enable

3 Configure PCAP on port 7/26 and enable the mode to allowcapture using ACLs.

ERS8600-B:5# config ethernet 7/26 pcap enable truemode rxFilter

4 Enable PCAP globally again and reset the PCAP statistics.

ERS8600-B:5# config diag pcap reset-stat trueERS8600-B:5# config diag pcap enable true

--End--


NN46205-703 03.02 12 April 2010


.


PCAP troubleshooting exampleYou are the network administrator at a large multinational softwarecompany and encounter the following problem. A user calls and statesthat they are trying to download some data from an FTP server to theirclient machine. However, they are having a problem connecting to the FTPserver. The FTP client resides on client 1 and the FTP server is on client2. The FTP server is connected to an Ethernet Routing Switch 8600 (R1)through port interface 2/10.

Configuration detailsThe hardware and software used is as follows:

• one Ethernet Routing Switch 8600 (R1) with dual SF/CPU modules

• each SF/CPU module contains a PCMCIA card

• two clients

• I/O cards

• an FTP and TFTP daemon running on a client server

• sniffer network software

Method 1In this solution, PCAP is configured to capture all packets on port interface2/10 and packets are saved on a PCMCIA device. The file containingcaptured packets is then copied using FTP for analysis at a later time.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Enable PCAP in receive mode on R1, port interface 2/10, tocapture all ingress packets.

config ether 2/10 pcap enable true

2 Configure PCAP parameters:

config diag pcap auto-save true file_name pcap_test.capdevice pcmcia

3 Enable PCAP


4 Show PCAP statistics.

show diag pcap stats

5 Disable PCAP


6 Copy the captured packets:

copy PCAP00 /pcmcia/pcap_test.cap

You can also use FTP:

--End--


NN46205-703 03.02 12 April 2010


.


Method 2In solution 1, the number of packets that are captured is quite large. In thissolution, PCAP is configured to refine the type of packets to be capturedso that fewer packets are captured. This solution uses IP traffic filtersto capture only packets with a source IP address of 10.10.10.10 and adestination IP address of 10.10.20.20. In addition to procedures followedin method 1, perform the following steps:

Procedure steps

Step Action

1 Configure an IP traffic filter.

config ip traffic-filter create global src-ip10.10.10.10/32 dst-ip 10.10.20.20/32 id 5

config ip traffic-filter filter 5 action mode forward

2 Create a filter set.

config ip traffic-filter global-set 5 create namepcap_set

config ip traffic-filter global-set 5 add-filter 5

3 Apply a filter set to the port.

config eth 2/10 pcap add set 5

config eth 2/10 pcap enable true mode rxFilter

--End--

Method 3If the amount of traffic flowing between client 1 and client 2 is still too largefor analysis, define a filter by protocol-type as shown in this solution. Inthis solution, PCAP filters are configured on the PCAP engine to drop allIP packets that are not protocol type 6 and are not FTP packets. In effect,this captures all TCP/FTP packets. When used in conjunction with IPfilters, this narrows down the number of packets captured to TCP/FTPpackets flowing from client 2 to client 1.

In addition to procedures followed in method 1 and 2, perform the followingsteps.

Procedure steps

Step Action

1 Configure a capture filter:


NN46205-703 03.02 12 April 2010


.

Testing the switch fabric 187


config diag pcap capture-filter 7 action drop

config diag pcap capture-filter 7 protocol-type 6 not

config diag pcap capture-filter 7 tcp-port 20 to 21 not


--End--

Method 4If the amount of traffic flowing between client 1 and client 2 is still too largefor analysis, start packet capture when the first TCP/FTP packet arrives atthe port, which also enables PCAP automatically. This is done by settingthe trigger-on parameter. Prior to setting the trigger-on filter, disablePCAP. PCAP is disabled after the first 1000 packets are captured bysetting the packet-count parameter. Do this procedure after you performthe steps in methods 1 and 2.

Procedure steps

Step Action

1 Disable PCAP.


2 Configure the filter.




config diag pcap capture-filter 10 tcp-port 20 to 21

config diag pcap capture-filter 10 packet-count 1000


--End--

Testing the switch fabricYou can test the switch fabric for consistency. The fabric test causes theCPU to generate traffic and send it through the switch fabric. The CPUgenerates little traffic.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Test the switch fabric by entering the following command:

test fabric

2 Stop the test after a few seconds:

test stop fabric

3 View the results of the test:

show test fabric

Currently no test is running.Last test results:

IfIndex: 0Result: successPassCount: 62115FailCount: 0

--End--

Job aid: show test fabric command outputUse the information in the following table to understand the testparameters.

Field Description

IfIndex Specifies the interface index, if applicable.

Result Shows the result of the most recently run(or current) test: none, success, inProgress,notSupported, unAbleToRun, aborted, failed.

PassCount Specifies the number of iterations of the testcase that completed successfully.

FailCount Specifies the number of iterations of the testcase that failed.

Testing the ARP address tableYou can test the Address Resolution Protocol address table forconsistency.


NN46205-703 03.02 12 April 2010


.

Flushing routing, MAC, and ARP tables for an interface 189

Procedure steps

Step Action

1 Test the address table by entering the following command.

test artable


test stop artable


show test artable

--End--

Clearing ARP information for an interfaceYou can clear the ARP cache as part of ARP problem resolutionprocedures.

Procedure steps

Step Action

1 Clear ARP information using the following commands:

clear ip arp ports <port>

clear ip arp vlan <vid>

--End--

Flushing routing, MAC, and ARP tables for an interfaceFor administrative and troubleshooting purposes, sometimes you mustflush or clear the routing tables. The clear and flush commands performthe same function; they remove the contents of the table.

Procedure steps

Step Action

1 Flush IP routing tables by port by entering the followingcommand:

config ethernet <ports> action flushIp

2 Flush IP routing tables by VLAN by entering the followingcommand:


NN46205-703 03.02 12 April 2010


.


config vlan <vid> action flushIp

3 You can also flush the MAC address and ARP tables:

config ethernet <ports> action flushArp

config ethernet <ports> action flushMacFdb

config vlan <vid> action flushArp

config vlan <vid> action flushMacFdb

4 Clear a routing table using the following commands:

clear ip route port <ports>

clear ip route vlan <vid>

--End--

Job aid: ping and traceroute considerationsPing and traceroute may fail when reaching VRF, IP VPN, or MPLSdevices if large packet sizes are used for the operation. Do not use packetsizes larger than the following:

• Ping for VRF Lite: 1480 bytes

• Ping for IP VPN with MPLS: 1480 bytes

• Ping for IP VPN Lite: 1446 bytes

• Traceroute for VRF Lite: 1444 bytes

• Traceroute for IP VPN with MPLS: 1444 bytes

• Traceroute for IP VPN Lite: 1444 bytes

Running a ping testUse ping operations to determine that a path exists to another device, andthat it is reachable.

Procedure steps

Step Action

1 To ping a device:

ping <HostName/ipv4address/ipv6address> [scopeid<value>] [datasize <value>] [count <value>] [-s][-I <value>] [-t <value>] [-d] [vrf <value>] [source<value>]


NN46205-703 03.02 12 April 2010


.


<HostName/ipv4address/ipv6address> specifies thedevice by host name, IPv4 address <a.b.c.d>, or IPv6 address<x.x.x.x.x.x.x.x>.

2 To ping an IPX device:

pingipx <ipxhost> [<count>] [-s] [-q] [-t <value>]

<ipxhost> specifies the IPX host in the net.node format:0x00:0x00:0x00:0x00.0x00:0x00:0x00:0x00:0x00:0x00

3 To ping an MPLS device:

mplsping ipv4 <prefix/len> [ttl <value>] [source<value>] [count <value>]

mplsping rsvp <lsp-name> [ttl <value>] [source <value>][count <value>]

<prefix/len> specifies the IPv4 address and prefix length;<lsp-name> specifies the name of the label-switched path.

--End--

Variable definitionsUse the information in the following table to help you use the ping<HostName/ipv4address/ipv6address> command.

Variable Value

-d Sets the ping debug flag. In debug mode, theping reply includes additional information aboutthe device being pinged.

-s Specifies that the IPv4 or IPv6 ping should beretransmitted at continuous intervals at theinterval defined by -I <value>.

-I <value> Specifies the interval between pingretransmissions from 1 to 60 seconds.

-t <value> Specifies the no-answer timeout from 1 to 120seconds.

count <value> Specifies the number of times to ping thedevice from 1 to 9999. The default is 1.

datasize <value> Specifies the size of the ping packet in octets,either 16 to 4076, or 16 to 65487. The defaultis 16 octets.

scopeid <value> Specifies the circuit scope ID for IPv6 from 1to 9999.

source <value> Specifies the source IP address for use in IPVPN pings.

vrf <value> Specifies the VRF instance by VRF name.


NN46205-703 03.02 12 April 2010


.


Use the information in the following table to help you use the pingipx<ipxhost> command.

Variable Value

-q Specifies quiet output (same as nonverbosemode).

-s Specifies that the ping should be retransmittedat continuous intervals.

-t <value> Specifies the no-answer timeout from 1 to 120seconds.

<count> Specifies the number of times to ping thedevice from 1 to 9999. The default is 1.

Use the information in the following table to help you use the mplspingipv4 <prefix/len> and mplsping rsvp <lsp-name> commands.

Variable Value

count <value> Specifies the number of times to ping thedevice from 1 to 1000. The default is 1.

ttl <value> Specifies the time-to-live of the MPLS pingpacket from 1 to 255.

source <value> Specifies the source IP address.

Example of using ping for an IP VPN device

Step Action

1 Ping the IP VPN device:

ping 100.100.1.1 vrf 100 source 200.100.1.1 count 10datasize 1446 count 10


NN46205-703 03.02 12 April 2010


.


PING 100.100.1.1: 1438 data bytes1446 bytes from 100.100.1.1: icmp_seq=0. time=1.605 ms1446 bytes from 100.100.1.1: icmp_seq=1. time=1.568 ms1446 bytes from 100.100.1.1: icmp_seq=2. time=1.584 ms1446 bytes from 100.100.1.1: icmp_seq=3. time=1.586 ms1446 bytes from 100.100.1.1: icmp_seq=4. time=1.579 ms1446 bytes from 100.100.1.1: icmp_seq=5. time=1.589 ms1446 bytes from 100.100.1.1: icmp_seq=6. time=1.577 ms1446 bytes from 100.100.1.1: icmp_seq=7. time=1.588 ms1446 bytes from 100.100.1.1: icmp_seq=8. time=1.590 ms1446 bytes from 100.100.1.1: icmp_seq=9. time=1.535 ms----100.100.1.1 PING Statistics----10 packets transmitted, 10 packets received, 0% packetlossround-trip (ms) min/avg/max = 1.535/1.580/1.605

--End--


Procedure steps

Step Action

1 To use traceroute, enter the following command:

traceroute <ipaddr> [<datasize>] [-m <value>] [-p<value>] [-q <value>] [-w <value>] [-v] [vrf <value>][source <value>]

--End--

Variable definitionsUse the information in the following table to help you use the traceroute<ipaddr> command.

Variable Value

-m <value> Specifies the is maximum time-to-live (TTL) (1to 255).

-p <value> Specifies the base UDP port number (0 to65535).

-q <value> Specifies the number of probes per TTL (1 to255).


NN46205-703 03.02 12 April 2010


.


Variable Value

-v Specifies verbose mode (detailed output).

-w <value> Specifies the wait time per probe (1 to 255).

datasize <value> Specifies the size of the probe packet (1 to1464).

source <value> Specifies the source IP address for use in IPVPN traceroutes.

vrf <value> Specifies the VRF instance by VRF name.

Example of using traceroute for an IP VPN device

Step Action

1 Trace the route to the IP VPN device:

traceroute 100.100.1.1 1444 vrf 100 source 200.100.1.1

traceroute to 100.100.1.1, 30 hops max, 1500 byte packets(vrf 100)1 100.100.1.1 1.263 ms 0.799 ms 0.725 ms

--End--




By default, ping snoop messages are echoed only to the serial consoleport. If you do not have access to the serial port and are connecting viaTelnet (or other means such as SSH or Rlogin), to see the messages inyour session, enter:

config log screen on

This setting is specific to the CLI session where it is executed. Thecommand does not save to the configuration file and when the CLI sessionis closed the setting is removed.


NN46205-703 03.02 12 April 2010


.


You can use two sessions with this command: in one session, configurethe ping snoop commands, and in the other session, issue the configlog screen on command to see the messages; when done, close thesecond session.

Procedure steps

Step Action

1 Add the required ports to the ACL:

config filter acl 4096 port add <ports>

2 Enable the ACL;

config filter acl 4096 enable

3 Create an ACE:

config filter acl 4096 ace <ace-id> create

4 Configure the ACE action:

config filter acl 4096 ace <ace-id> action <permit|deny>

5 Configure the destination IP address:

config filter acl 4096 ace <ace-id> ip dst-ip eq <ip addr>

6 Configure the source IP address (optional):

config filter acl 4096 ace <ace-id> ip src-ip eq <ip addr>

7 Enable the ACE:

config filter acl 4096 ace <ace-id> enable


config filter acl 4096 info

config filter acl 4096 port info

--End--

Variable definitionsUse the information in the following table to help you use thesecommands.

Variable Value

<ace-id> Specifies the ID of the ACE from 1 to 1000.

<ip addr> Specifies the source or destination IPaddress.


NN46205-703 03.02 12 April 2010


.



NN46205-703 03.02 12 April 2010


.

197.

Software troubleshooting toolconfiguration using the NNCLI

Use the tools described in this section to perform troubleshootingprocedures using the NNCLI.

Navigation• “General troubleshooting” (page 198)

• “Collecting Key Health Indicator (KHI) information” (page 206)

• “Enabling and disabling the Route Switch Processor Packet Tracing”(page 217)


• “Dumping specified ERCD records” (page 221)

• “Using PIM debugging commands” (page 222)

• “Using BGP debugging commands” (page 224)

• “Port mirroring configuration” (page 225)


• “PCAP configuration” (page 233)

• “Testing the switch fabric” (page 246)

• “Testing the ARP address table” (page 247)

• “Clearing ARP information for an interface” (page 247)

• “Flushing routing, MAC, and ARP tables for an interface” (page 248)

• “Job aid: ping and traceroute considerations” (page 249)





NN46205-703 03.02 12 April 2010


.

198 Software troubleshooting tool configuration using the NNCLI

General troubleshootingThis section provides information about general troubleshooting using theNNCLI.

General troubleshooting navigation

• “Roadmap of general NNCLI troubleshooting commands” (page 198)

• “Using the NNCLI for troubleshooting” (page 200)

• “Using hardware record dumps” (page 201)

• “Using trace to diagnose problems” (page 202)

• “Using auto-trace to diagnose problems” (page 205)

Roadmap of general NNCLI troubleshooting commandsThe following roadmap lists some of the NNCLI commands and theirparameters that you can use to complete the procedures in this section.

Command Parameters

Privileged EXEC mode

clear trace

dump ar <0-64> <WORD 1-1536><0-3>

auto

file [tail]

level

show trace

modid-list

all [<WORD 1-99>]

artable

fabric

show test

loopback [<portList>]

terminal more <disable|enable>

artable

fabric

hardware [<portList>]

led <portList> <tx|rx> <off|yellow|green>

test

loopback <portList> [<int|ext>]


NN46205-703 03.02 12 April 2010


.


Command Parameters

artable

fabric

test stop

loopback <portList>

grep [<WORD 0-128>]

level [<0-107>] [<0-4>]

screen [<disable|enable>]

trace

shutdown

disable

enable

high-percentage <60-100>

high-track-duration <3-10>

low-percentage <50-90>

low-track-duration <3-10>

module add <0-107> <0-4>

trace auto

module remove <0-107>

<cr>

backtrace

clear

lines [<WORD 0-256>]

range [<WORD 0-256>]

trace filter file <WORD 0-128>

supress

<cr>

clear

disable

info

trace filter module <0-89>

supress

base <disable|enable> [info] [error] [pkt][warn] [debug] [nbr] [icmp] [ipclient][all]

forwarding <disable|enable> [info][error] [pkt] [warn] [debug] [all]

nd <disable|enable> [info] [error] [pkt][warn] [debug] [nbr] [redirect] [all]

ospf <disable|enable> [info] [warn][error] [config] [import] [adj] [spf][pkt] [lsa] [all]

trace ipv6


NN46205-703 03.02 12 April 2010


.


Command Parameters

rtm <disable|enable> [info] [warn][error] [update] [fib] [debug] [redist][change-list] [all]

transport <disable|enable> [common] [tcp][udp] [all]

cancel input-network-filter {0x00000000|00:00:00:00|<value>}

cancel output-network-filter {0x00000000|00:00:00:00|<value>}

input-network-filter {0x00000000|00:00:00:00|<value>}

trace ipx-policy rip

output-network-filter {0x00000000|00:00:00:00|<value>}

cancel input-sap-filter {0x00000000|00:00:00:00|<value>}

cancel output-sap-filter {0x00000000|00:00:00:00|<value>}

input-sap-filter {0x00000000|00:00:00:00|<value>}

trace ipx-policy sap

output-sap-filter {0x00000000|00:00:00:00|<value>}

<cr>

source <A.B.C.D>

trace mpls ipv4 <A.B.C.D/X>

ttl <1-255>

<cr>

source <A.B.C.D>

trace mpls rsvp <WORD 0-32>

ttl <1-255>

<cr>

address <A.B.C.D>

iflist <WORD 1-256>

name <WORD 1-64>

protocol <rip|ospf|bgp|dvmrp|any>

trace route-map <on|off>

type <accept|announce>

grep [<WORD 0-1024>]r-module <1-10> trace

level [<67-90> <0-4>]

Using the NNCLI for troubleshootingYou can use the NNCLI to help provide diagnostic information.


NN46205-703 03.02 12 April 2010


.


Prerequisites

• Access Privileged EXEC mode.

Procedure steps

Step Action

1 Prior to capturing data it is useful to disable scrolling of theoutput display. To do this, issue the following command:

terminal more disable

2 You can view configuration file information using the morecommand, for example:

more boot.cfg

3 The following command output should be captured when anyswitch problem is observed.

show tech

show running-config [verbose] [module <cli|sys|web|rmon|vlan|port|qos|traffic-filter|mlt|stg|ip|ipx|diag|dvmrp|radius|ntp|svlan|lacp|naap|cluster|bootp|filter|ipv6>]

show interfaces FastEthernet statistics

show interfaces FastEthernet error

--End--

Using hardware record dumpsTo aid in troubleshooting, a dump of the hardware records from an ingressOctaPID can be captured. Generally, a verbosity level of 1 suffices.

The dump ar command displays the hardware registers of the RaptARUattached to an OctaPID.

Prerequisites


Procedure steps

Step Action

1 To dump hardware record information, enter the followingcommand:


NN46205-703 03.02 12 April 2010


.


dump ar <0-64> <WORD 1-1536> <0-3>

For example, dump all hardware records from OctaPID 0 slot 1port 1 with a verbosity level of 3:

dump ar 0 all 3

--End--

Variable definitionsUse the information in the following table to help you use the dumpcommand.

Variable Value

<0-64> Specifies the OctaPID assignment from 1 to 64.

<WORD 1-1536> Specifies a record type in the AR table. Optionsinclude vlan, ip_subnet, mac_vlan, mac, arp, ip,ipx, ipmc, ip_filter, protocol, sys_rec, all.

<0-3> Specifies the verbosity from 0 to 3. Highernumbers specify more verbosity.

Using trace to diagnose problemsUse trace to observe the status of a software module at a given time.

For example, if a CPU utilization issue is observed (generally a sustainedspike above 90%) perform a trace of the control plane (CP) activity.

Prerequisites


• For information about how to use trace appropriately, see “Trace”(page 47).


Procedure steps

Step Action

1 Clear the trace:

clear trace


NN46205-703 03.02 12 April 2010


.


2 Begin the trace operation:

trace level [<0-107>] [<0-4>]

For example, to trace the CP port, verbose level:

trace level 9 3

Wait approximately 30 seconds.

The default trace settings for CPU utilization are: High CPUUtilization: 90%, High Track Duration: 5 seconds, Low CPUUtilization: 75%, and Low Track Duration: 5 seconds.

3 Stop tracing:

trace shutdown

4 View the trace results:

show trace file [tail]

5 You can save the trace file to the PCMCIA card for retrieval.

save trace

The file is saved with a file name of systrace.txt.

--End--

R series modules use different trace commands:

r-module <1-10> trace level [<67-90> <0-4>]

r-module <1-10> trace grep [<WORD 0-1024>]

Variable definitions Use the information in the following table to helpyou use the trace command.

Variable Value

grep [<WORD 0-128>] Performs a comparison of trace messages (getregular expression and print [GREP]).

level [<0-107>][<0-4>]

Starts the trace by specifying the module ID andlevel.• <0-107> specifies the module ID from 0 to

107.

• <0-4> specifies the trace level from 0 to4, where 0 is disabled; 1 is very terse; 2 isterse; 3 is very verbose, 4 is verbose.

shutdown Stops the trace operation.

screen Enables the display of trace output to thescreen.


NN46205-703 03.02 12 April 2010


.


Use the information in the following table to help you use the r-module<1-10> trace commands.

Variable Value

grep [<WORD 0-1024>] Performs a comparison of trace messages (getregular expression and print [GREP]).

level [<67-90> <0-4>] Starts the trace by specifying the module ID andlevel.• <67-90> specifies the module ID.


Job aidThe following table specifies the Module ID values that you can specify inthe trace command.

Table 14Module ID values

0 - Common 23 - IGMP 45 - RTM 93 - IPFIX

1 - SNMP Agent 24 - IPFIL 46 - P2CMN 94 - MOD_IPMC6

2 - RMON 25 - MLT 47 - RIP 95 -MOD_MCAST6_CMN

3 - Port Manager 26 - IPPOLICY 48 - PIM 96 - MOD_MLD

4 - Chassis Manager 27 - IPMC 49 - RPS 97 - MOD_PIM6

5 - STG Manager 28 - SYSLOG 50 - NTP 98 - SLPP

6 - Phase2 OSPF 29 - DVMRP 51 - TCP 99 - INFINITY

7 - Hardware I/F 30 - P2IPX 52 - BGP 100 - MPLS

8 - (N/A) 31 - RCIPX 53 - EPILOGUE 101 - RCMPLS

9 - CP Port 32 - RAR 54 - SSH 102 - NNCLI

10 - (N/A) 33 - OP 56 - HAL 103 - VRF

11 - VLAN Manager 34 - BOOT 57 - WIND 104 - NSNA

12 - CLI 35 - IOM 58 - EAP 105 - MIRRORFPGA

13 - Main 36 - QOS 59 - LACP 106 - MSTP

14 - Phase2 IP+RIP 37 - FLEXDB 60 - PING 107 - RSTP

15 - RCC IP 38 - SMM 61 - DNS 108 - MSDP

16 - HTTP Server 39 - ATM 62 - DPM 109 - TACACS+

19 - Watch Dog Timer 40 - POS 63 - BOOTP 115 - BFD

20 - TopologyDiscovery

41 - RADIUS 64 - DPMMSG 116 - DHCPSNOOP


NN46205-703 03.02 12 April 2010


.


21 - (N/A) 42 - SIO_COM 65 - FILTER 117 - DAI

22 - (N/A) 43 - PGM 66 - RCIP6

Using auto-trace to diagnose problemsYou can use auto-trace to automatically perform the trace function when aparameter reaches a certain threshold.

For example, if the SF/CPU fluctuates and accessing the switch to performa CP trace is not possible, use auto-trace to automatically perform thisfunction. Auto-trace monitors CPU utilization. When the configuredutilization is reached and sustained for the configured amount of time, aCP trace is performed and saved to the PCMCIA (or external flash on the8895 SF/CPU).

Prerequisites


Procedure steps

Step Action

1 Configure the module and verbosity:

trace auto module add <0-107> <0-4>

For example:

trace auto module add 9 3

2 Use the following variable definitions table to configure any otherrequired parameters.

3 Enable automatic tracing:

trace auto enable

--End--

Variable definitionsUse the information in the following table to help you use the trace autocommand.

Variable Value

disable Disables the auto-trace function.

enable Enables the auto-trace function.


NN46205-703 03.02 12 April 2010


.


Variable Value

high-percentage <60-100> Specifies the high-percentage threshold for amodule. The range is 60 to 100%.

high-track-duration<3-10>

Specifies, in seconds, the maximum amountof time that the activity must be sustained totrigger the trace. The range is 3 to 10 s.

low-percentage <50-90> Specifies the low-percentage threshold for amodule. The range is 50 to 90%.

low-track-duration<3-10>

Specifies, in seconds, the minimum amountof time that the activity must be sustained totrigger the trace. The range is 3 to 10 s.

module add <0-107> <0-4> Configures the trace auto-enable function byspecifying the module ID and level.• <0-107> specifies the module ID from 0

to 107.


module remove <0-107> Removes a module ID from the auto-traceinstance.

Collecting Key Health Indicator (KHI) informationThe Ethernet Routing Switch 8600 supports Key Health Indicators (KHI)that allow for the collection of statistics and information about the healthof the system for troubleshooting purposes related to system failure. TheKey Health Indicator (KHI) feature identifies a small number of key healthindicators that allow quick assessment of the overall operational stateof the Ethernet Routing Switch 8600. These indicators do not providecomplete coverage of all possible failure scenarios. Rather, KHI is adiagnostic tool for the health of the switch. Further debugging is requiredto correctly understand the system state and actions required to remedythe situation.

KHI provides global health information for the switch, including:

• Chassis health indication

• CPU performance health indication

• Port state change indication

• Forwarding health indication

• IP interface configuration and operation information

• Protocol information

• Management information: Log, TCP, UDP and Users


NN46205-703 03.02 12 April 2010


.


The switch stores the information locally and displays the information asrequested by the user using show commands.

KHI supports multiple KHI types that track specific switch areas orsubsystems. Each KHI type keeps track of the last ten events forthe specific subsystem (for example, protocol going down or loss ofconnection) in a rolling history. KHI creates a reference point using a timestamp, and then tracks events from that point forward. Clear commandsare provided to reestablish fresh timelines.

Generally, the KHI information allows you to track the source of a problemto a particular subsystem. Once this determination is made, you can usespecific statistics for that subsystem (for example, OSPF-specific statisticsand show commands) to further locate the source of the issue.

To configure KHI, you can enable or disable the feature globally. Inaddition, you can enable or disable some of the KHI types individually.This additional control is provided for KHI types that have a greater impacton loaded systems.

The main configuration actions for KHI are:

• Enabling or disabling KHI (at global or feature-level)

• Displaying statistics

• Clearing statistics/history to establish a new timeline

Currently, EDM does not support KHI configuration.

The following sections describe the various KHI options.

Configuring global KHIYou can enable or disable KHI globally. In addition, the Ethernet RoutingSwitch 8600 provides a global boot delay parameter for KHI.

If the system begins collecting statistics immediately at boot-up, thetransitions that the system initially experiences do not provide anappropriate baseline of normal operations against which to compare. Toprovide a valid baseline, you can configure the boot-delay parameterto specify how long the system can take to stabilize before KHI beginscollecting statistics.

Use the following procedure to configure KHI at the global level.

Prerequisites

• Log on to Global Configuration mode.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action


[no] khi enable

2 To configure the boot delay, enter:

khi boot-delay <minutes>

3 To display high-level KHI information, enter:

show khi info

4 To clear all KHI statistics, enter:

clear khi all

5 To clear the KHI log, enter

clear khi log

--End--


Variable Value

[no] Disables the specified KHI feature.

<minutes> Specifies the boot delay period, inminutes.

Configuring Management KHIManagement KHI tracks TCP connections, CLI users, and KHI log status.

To configure management KHI, use the following procedure.

Prerequisites


Procedure steps

Step Action


[no] khi enable

2 To enable the management KHI feature, enter:

[no] khi mgmt


NN46205-703 03.02 12 April 2010


.


3 To display the management KHI information, enter:

show khi mgmt [all] [history]

--End--


Variable Value


[all] Displays all management KHIinformation, including the eventhistory.


Configuring Chassis KHIChassis KHI displays the chassis key health indicators, such astemperature, fans, power supply, slots and CPU state.

To configure chassis KHI, use the following procedure.

Prerequisites


Procedure steps

Step Action


[no] khi enable

2 To enable chassis KHI, enter:

[no] khi chassis

3 To display chassis KHI information, enter:

show khi chassis [all] [history]

4 To clear chassis KHI statistics, enter:

clear khi chassis

--End--


NN46205-703 03.02 12 April 2010


.


ATTENTIONWhen the switch is running with a single SF/CPU and the HA flag is on, if youenter the show khi chassis command, the standbyMezz state appears asunsupported yellow. The state shows unsupported because this is not asupported configuration, and yellow because the configuration does not causean outage.


Variable Value


[all] Displays all chassis KHI information,including the event history.


Configuring Performance KHIPerformance KHI displays the performance key health indicators, such asutilization status for CPU and switch fabric.

To configure performance KHI, use the following procedure.

Prerequisites


Procedure steps

Step Action


[no] khi enable

2 To enable performance KHI, enter:

[no] khi performance

3 To display performance KHI information, enter:

show khi performance [all] [history]

4 To clear performance KHI statistics, enter:

clear khi performance

--End--


NN46205-703 03.02 12 April 2010


.



Variable Value


[all] Displays all performance KHIinformation, including the eventhistory.


Configuring Protocol KHIProtocol KHI tracks the health of the following protocols:

• OSPF

• BGP

• IST/SMLT

• PIM

• IGMP

• VLACP

• RTM and FDB table statistics

Protocol KHI also provides statistics and historical data for protocol andneighbor state transitions. It also allows for the establishment of referencetimestamps and reference data to track protocol health in the network. Itsupports VRFs.

Every protocol has a large number of parameters that can be tracked,but only the key parameters are tracked by the KHI. Protocol informationis collected and displayed on-demand, creating minimal overhead. Theinformation is not stored in any separate database (except reference data),so that memory utilization is also minimal.

To ensure the validity of the KHI information, ensure that it is in syncwith the output from the protocol show commands, and verify that thetimestamps are relevant.

To configure protocol KHI, use the following procedure.

Prerequisites



NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 To enable protocol KHI, enable the KHI feature globally byentering:

[no] khi enable

2 To display the protocol KHI information, enter:

show khi protocol-stats [history] [vrf <vrfName>]

ATTENTIONWhen you display IST/SMLT information, the information (especiallythe SMLT table) is computed on demand. Carefully consider thefrequency of issuing the show khi protocol-stats when thesetup is a large IST/SMLT setup. Nortel recommends issuing thecommand when the network has stabilized.

3 To clear the protocol KHI statistics, enter:

clear khi protocol

Use the clear command when the network is stable, to provide agood reference point for the number of routes and neighbors

--End--


Variable Value



[vrf <vrfName>] Displays VRF-specific data.

Configuring Forwarding KHIForwarding KHI tracks the following on each chassis slot:

• Asic Resets

• RSP State Error Events

• RSP Stats Error Events

• F2X (F2I, F2E) Error Events

In addition, it also provides a history of the last 10 Forwarding KHI events.

The current status for each slot under Forwarding KHI is collected every2 minutes and indicates the health status of the slot within the previous 2minutes.


NN46205-703 03.02 12 April 2010


.


Asic/RSP/F2X health information is monitored every 30 seconds and theinformation is maintained on the line card.

Forwarding KHI information on the CP is collected every 2 minutes.Collection of this information can have an impact when the system is busy.

The first time a particular forwarding error event occurs, it is reported as aKHI Warning message and also logged in the Forwarding KHI HistoricalData. All subsequent error events of the same type and on the sameslot-lane are not reported until a clear operation is performed.

The memory used for Forwarding KHI information is minimal, however,collection of Forwarding KHI information can have an impact when thesystem is busy. Nortel recommends to enable Forwarding KHI when theSystem has stabilized.

To ensure the validity of the KHI information, verify that the timestampsare relevant.

Forwarding KHI monitoring involves reading some registers that areclear-on-read operation. As such, debug commands that dump theseregisters cannot be used while Forwarding KHI is enabled.

To configure Forwarding KHI, use the following procedure.

Prerequisites


Procedure steps

Step Action


[no] khi enable

2 To enable the forwarding KHI feature, enter:

[no] khi forwarding

3 To display the forwarding KHI information, enter:

show khi forwarding [<all|asic|current-status|f2x|history|rsp-state|rsp-stats>] [slot <value>]

4 To clear the forwarding KHI statistics, enter:

clear khi forwarding


NN46205-703 03.02 12 April 2010


.


Clear command allows to establish last clear timestamps.

--End--


Variable Value


all Displays all forwarding KHIinformation.

asic Displays ASIC health information.

current-status Displays the current status offorwarding by slot.

f2x Displays F2X health information.


rsp-state Displays ingress and egress RSPstate information.

rsp-stats Displays ingress and egress RSPstatistics.

[slot <value>] Displays information for a specific slot.

Configuring IP interface KHIIP Interface KHI provides the total configured and total operational IPinterface count. It also provides a history of the last 10 IP InterfaceUp/Down events. As the memory used for IP Interface KHI information isminimal, it has minimal impact on the system.

The IP Interface Count is calculated when the show command is executed.The KHI uses the existing IP Interface Up/Down state transition to keeptrack of the IP Interface Operational Count and also to maintain thehistorical data.

The clear command allows you to establish a reference count and lastclear timestamps.

To ensure the validity of the KHI information, ensure that it is in syncwith the output from the IP interface show commands, and verify that thetimestamps are relevant.

To configure IP Interface KHI, use the following procedure.

Prerequisites



NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 To enable the IP interface KHI feature, enable KHI globally byentering:

[no] khi enable


show khi ip-interface


clear khi ip

--End--


Variable Value


Configuring Port KHIPort KHI tracks the following information:

• Overall system statistics (unicast, multicast and broadcast Rx, Txpackets) for the preceding 2 minutes

• Port Up/Down Events

• SMLT Port Up/Down Events

• IST Port Up/Down Events

• Port Errors

It also provides a history of the last 10 Port KHI events.

The Current Up/Down ports list is collected when the show commandis executed. The system statistics under Port KHI are collected every2 minutes and indicate the total packets (Unicast/Multicast/Broadcast)received/transmitted within the previous 2 minutes. When a clear operationis performed, the operationally UP ports are stored as a reference, andthe current status for Port KHI is marked as Yellow if any of those portsgo down.

The first time a particular port error occurs, it is reported as a KHIWarning message and also logged under the Port KHI historical data. Allsubsequent port errors of the same type and on the same port are notreported until a clear operation is performed.


NN46205-703 03.02 12 April 2010


.


To ensure the validity of the KHI information, ensure that it is in syncwith the output from the port show commands, and verify that thetimestamps are relevant. There may be a slight delay in the KHI outputif shown concurrently with port show commands, as KHI polls line cardsconsecutively, which can introduce a delay in the output for the first cardspolled.

While the memory used for Port KHI is minimal, collecting system statisticswhen a system is busy can have a system impact.

Nortel recommends to enable Port KHI when a system has stabilized.

The clear command allows you to establish a reference list of UP Portsand to establish the last clear timestamps. It also clears any existing porterror information.

To provide a useful reference point for the UP Ports list, use the clearcommand when the network is stable.

To configure Port KHI, use the following procedure.

Prerequisites


Procedure steps

Step Action


[no] khi enable

2 To enable port KHI, enter:

[no] khi port


show khi port [<all|errors|history|state|system-stats>]


clear khi port

--End--


NN46205-703 03.02 12 April 2010


.

Enabling and disabling the Route Switch Processor Packet Tracing 217


Variable Value


all Displays all port KHI information.

errors Displays port errors.


state Displays port state (up, down, andhealth), including the port state forSMLT and IST ports.

system-stats Displays system port statistics forunicast, multicast, and broadcastpackets.

Enabling and disabling the Route Switch Processor Packet TracingConfigure the Route Switch Processor (RSP) Packet Tracing to observethe behavior of the RSP on each R and RS module. The RSP is theprogrammable Application Specific Integrated Circuit (ASIC) that controlsthe ports and traffic flow.

Prerequisites


Procedure steps

ATTENTIONThe NNCLI command accepts only a single port.

Step Action

1 Enable the RSP ingress Packet Tracing by using the followingcommand:

rsp-trace ingress-pkt-trace <slot/port> enable[<interval-value>]

OR

Enable the RSP egress Packet Tracing by using the followingcommand:

rsp-trace egress-pkt-trace <slot/port> enable[<interval-value>]

2 Confirm the configuration by using the following command:


NN46205-703 03.02 12 April 2010


.


show rsp-trace

ATTENTIONOnly the ports in lanes on which the trace is enabled are displayed

3 Disable the RSP ingress Packet Tracing by using the followingcommand:

no rsp-trace ingress-pkt-trace <slot/port> enable

OR

Disable the RSP egress Packet Tracing by using the followingcommand:

no rsp-trace egress-pkt-trace <slot/port> enable

--End--

Variable definitionsThe following table describes variables that you enter in the rsp-traceingress-pkt-trace or the config rsp-trace egress-pkt-tracecommand.

Variable Value

<slot/port> Specifies the port on which to enablePacket Tracing.

ATTENTIONAlthough you specify only one port,the Packet Tracing is enabled on allports in that lane. The info commanddisplays all ports in that lane so thatyou do not enable Packet Tracingon the same RSP through a differentport.

enable Enables the state of the ingress oregress Packet Tracing. By default thetrace is enabled for 1 second. After 1second, the trace is disabled internally.An optional parameter, interval, isprovided to keep the trace enabled forthe desired number of seconds.

ATTENTIONRSP Packet Tracing displays onlythe last 1024 packets captured.


NN46205-703 03.02 12 April 2010


.

Dumping RSP Packet Tracing 219

Variable Value

[<interval-value>] Indicates the time interval for whichthe Packet Tracing is to remainenabled.<interval-value> specifies a valueof 1, 10, 30 60, 120, or 300 seconds.The default value is 1 second.

The interval is an optional parameter.If you do not configure the interval, thedefault value is 1 second. If you doconfigure it, the time interval changesimmediately. On all subsequentoccasions when you enable rsp-trace,if you do not specify a new intervalvalue, it is set to the previously setinterval value. This eliminates theneed to change the configurationevery time you use this command.

no Disables ingress or egress PacketTracing.

Job aidThe following table describes the fields for the show rsp-tracecommand.

Field Description

ingress-pkt-trace:/egress-pkt-trace: Specifies the Packet Tracing as ingress oregress.

port Specifies all the ports in the lane on which thetrace is enabled.

ATTENTIONAfter the trace is disabled internally (whenthe interval timer expires), the ports arenot displayed in the output of the configrsp-trace info command.

state Specifies whether Packet Tracing is enabled.

interval Specifies the interval in seconds for which thePacket Tracing is enabled.

Dumping RSP Packet TracingDump the RSP Packet Tracing to display the ingress and egress RSPTracing information that is collected by enabling the tracing.


NN46205-703 03.02 12 April 2010


.


Prerequisites


Procedure steps


ATTENTIONRSP Packet Tracing displays only the last 1024 packets captured.

Step Action

1 Display the specific egress RSP packet by using the followingcommand:

dump rsp-trace egress-display-pkt <slot/port> <pkt-id>

OR

Display the specific ingress RSP packet by using the followingcommand:

dump rsp-trace ingress-display-pkt port <slot/port><pkt-id>

2 Display the ingress Packet Tracing by using the followingcommand:

dump rsp-trace ingress-pkt-trace <slot/port>[<start-pkt> <end-pkt>]

OR

Display the egress Packet Tracing by using the followingcommand:

dump rsp-trace egress-pkt-trace <slot/port>[<start-pkt> <end-pkt>]

--End--

Variable definitionsUse the information in the following table to help you complete thepreceding procedure steps.


NN46205-703 03.02 12 April 2010


.

Dumping specified ERCD records 221

Variable Value

<slot/port> Specifies a port in the lane for which todisplay the trace.

<pkt-id> Specifies the ID as an integer of thepacket to display.value specifies the packet ID as aninteger in the range of 1–1024.

<start-pkt> Specifies the packet ID of the firstpacket to display as an integer in therange of 1–1024.

<end-pkt> Specifies the packet ID of the lastpacket to display as an integer in therange of 1–1024.

Dumping specified ERCD recordsDump a specified Enterprise RSP Control Driver (ERCD) record to viewthat record.

Prerequisites


Procedure steps


Step Action

1 Dump ERCD records:

dump ercdRecord{arp <slot> |ip <slot>|ip_subnet <slot/port>|mac <slot> |mac_vlan <slot/port> |mgid <slot> |protocol <slot/port> |vlan <slot/port>}[verbose <value>]

--End--


NN46205-703 03.02 12 April 2010


.


Variable definitionsThe following table describes the variables that you use with the dumpercdRecord command.

Variable Value

arp Specifies ARP ERCD records.

ip Specifies IP ERCD records.

ip-subnet Specifies IP subnet ERCD records.

mac Specifies MAC ERCD records.Displays the learned MAC entries forthe specified port that are presenton the COP and the correspondingVLAN record of the port to check if theMAC entry learned against one port isdownloaded properly to all availableslots.

mac_vlan Specifies MAC VLAN ERCD records.

mgid Specifies MGID ERCD records.

protocol Specifies protocol ERCD records.

vlan Specifies VLAN ERCD records.Displays the VLANs to which this portbelongs and the corresponding ingressVLAN records of this port.

<slot> Specifies the slot number to which yousend the query.

<slot/port> Specifies the port number {slot/port}for which you get the records.

[verbose <value>] Specifies an expanded display. valueis in the range of 0–3.

Using PIM debugging commandsUse PIM traces to aid in PIM troubleshooting.

PrerequisitesAccess Global Configuration mode.

Procedure steps

Step Action

1 Start debug trace message output.

debug ip pim pimdbgtrace

2 Stop debug trace message output.


NN46205-703 03.02 12 April 2010


.

Using PIM debugging commands 223

no debug ip pim pimdbgtrace

3 Display trace messages forwarded by the switch.

debug ip pim send

4 Display trace messages received by the switch.

debug ip pim rcv-dbg-trace

5 Display Hello messages forwarded and received by the switch.

debug ip pim hello

6 Display and log debug trace messages.

debug ip pim pimdbglog

7 Disable previously enabled register messages.

debug ip pim register

8 Display debug trace messages from a specific interface.

debug ip pim source <A.B.C.D>

--End--

Variable definitionsUse the information in the following table to use the debug ip pimcommands.

Variable Value

assert Displays the assert debug traces.

bstrap Displays bootstrap debug traces.

group <A.B.C.D> Displays debug traces from a specific group IP address.

hello Displays hello debug traces.

joinprune Displays join/prune debug traces.

pimdbglog Enables or disables whether the switch logs debug traces.

pimdbgtrace Enables or disables PIM debug traces.

rcv-dbg-trace Displays trace messages received by the switch.

register Displays register debug traces.

regstop Displays register stop debug traces.

rp-adv Displays RP advertisement debug traces.

send Displays trace messages forwarded by the switch.

source <A.B.C.D> Displays debug traces from a specific source IP address.


NN46205-703 03.02 12 April 2010


.


Using BGP debugging commandsUse global and peers debug commands to display specific debugmessages for your global and peers BGP configuration, including the BGPneighbors.

You can use these commands to troubleshoot your BGP configuration.

For debug tips and mask information, see “Job aid” (page 145) and Jobaid: displaying debug parameters.

PrerequisitesAccess BGP Router Configuration mode.

Procedure steps

Step Action

1 To display specific debug messages for your global BGPconfiguration, enter the following command:

global-debug mask <WORD 1-100>

To remove specific debug messages use no global-debugmask <WORD 1-100>.

2 Display specific debug messages for your global BGP neighborsusing the following command:

neighbor-debug-all mask <WORD 1-100>

To remove specific debug messages use no neighbor-debug-all mask <WORD 1-100>.

3 Display specific debug messages for BGP peers or peer groupsusing the following command:

neighbor <nbr_ipaddr|peer-group-name> neighbor-debugmask <WORD 1-100>

4 You can also run BGP trace using the following command:

trace level 52 3

--End--

Variable definitionsUse the information in the following table to use the debug commands.


NN46205-703 03.02 12 April 2010


.


Variable Value

<nbr_ipaddr|peer-group-name>

Specifies the peer IP address or the peergroup name.

mask <WORD 1-100> Specifies one or more mask choices thatyou enter, separated by commas with nospace between choices. For example:[<mask>,<mask>,<mask>...]. Options include:none, all, error, packet, event, trace, warning,state, init, filter, update.

Port mirroring configurationUse port mirroring to aid in diagnostic and security operations.

Port mirroring configuration navigation

• “Roadmap of port mirroring NNCLI commands” (page 225)


• “Configuring global mirroring actions with an ACL” (page 228)

• “Configuring ACE debug actions to mirror” (page 229)

Roadmap of port mirroring NNCLI commandsThe following roadmap lists some of the NNCLI commands and theirparameters that you can use to complete the procedures in this section.

Command Parameter


show filter acl debug [<1-4096>][<1-1000>]

show mirror-by-port

Global Configuration mode

copy-to-primary-cp enable

copy-to-secondary-cp enable

count enable

mirror enable

monitor-dst-mlt <1-256>

monitor-dst-ports <portList>

filter acl ace debug <1-4096><1-1000>

monitor-dst-vlan <0-4094>


NN46205-703 03.02 12 April 2010


.


Command Parameter

filter acl set <1-4096> global-action <count|count-ipfix|ipfix|mirror|mirror-count|mirror-count-ipfix|mirror-ipfix>

enable

in-port <portList> {monitor-mlt<1-256>|monitor-vlan <0-4094>|out-port<portList>}


mirror-by-port <1-383>

remote-mirror-vlan-id <0-4094>

mirror-by-port mirror-port<1-383> <portList>

mirror-by-port monitor-mlt<1-383> <1-256>

mirror-by-port monitor-port<1-383> <portList>

mirror-by-port monitor-vlan<1-383> <0-4094>


Connect the sniffer (or other traffic analyzer) to the output port you specifywith out-port <portList>.

Prerequisites

• Access Global Configuration mode.

Procedure steps

Step Action

1 Create a port mirroring instance:

mirror-by-port <1-383> in-port <portList> {monitor-mlt<1-256>|monitor-vlan <0-4094>|out-port <portList>}

<1-383> specifies the mirror-by-port entry ID in the range of 1to 383.

2 Configure the mode:

mirror-by-port <1-383> mode <tx|rx|both|rxFilter|txFilter|bothFilter>


NN46205-703 03.02 12 April 2010


.


3 Enable the mirroring instance:

mirror-by-port <1-383> enable

4 Modify existing mirroring entries as required:

mirror-by-port mirror-port <1-383> <portList>

mirror-by-port monitor-mlt <1-383> <1-256>

mirror-by-port monitor-port <1-383> <portList>

mirror-by-port monitor-vlan <1-383> <0-4094>

5 Ensure that your configuration is correct by using the followingcommand:

show mirror-by-port

--End--

Variable definitionsUse the information in the following table to help you use themirror-by-port <1-383> command.

Variable Value

in-port <portList>{monitor-mlt <1-256>|monitor-vlan <0-4094>|out-port <portList>}

Creates a new mirror-by-port table entry.

• in-port <portList> specifies themirrored port.

• monitor-mlt <1-256> specifies themirroring MLT ID from 1 to 256.

• monitor-vlan <0-4094> specifiesthe mirroring VLAN ID from 0 to 4094.

• out-port <portList> specifies themirroring port.

enable Enables or disables a mirroring instancealready created in the mirror-by-port table.


Sets the mirroring mode. The default is rx.

• tx mirrors egress packets.


• both mirrors both egress and ingresspackets.

• rxFilter mirrors and filters ingresspackets. If you use the rxFilter optionwith an R series module, you must usean ACL-based filter.


NN46205-703 03.02 12 April 2010


.


Variable Value

• txFilter mirrors and filters egresspackets.

• bothFilter mirrors and filters bothegress and ingress packets.

remote-mirror-vlan-id<0-4094>

Sets the remote mirror VLAN ID.

Use the information in the following table to help you use themirror-by-port command.

Variable Value

mirror-port <1-383><portList>

Modifies the mirrored port.

monitor-mlt <1-383> <1-256> Modifies the monitoring MLT; <1-256>specifies the mirroring MLT ID.

monitor-port <1-383><portList>

Modifies the monitoring ports.

monitor-vlan <1-383><0-4094>

Modifies the monitoring VLAN.

Example of a simple mirroring configuration

Procedure steps

Step Action

1 Create the port mirroring instance. Traffic passing port 7/1 ismirrored to port 7/2:

mirror-by-port 3 in-port 7/1 out-port 7/2

The analyzer is connected to port 7/2.

2 Mirror both ingress and egress traffic passing through port 7/1:

mirror-by-port 3 mode both

3 Enable mirroring for the instance:

mirror-by-port 3 enable

--End--

Configuring global mirroring actions with an ACLConfigure the global action to mirror to mirror packets that match an ACE.


NN46205-703 03.02 12 April 2010


.


Prerequisites

• The ACL exists.

• Enter Global Configuration mode.

Procedure steps

Step Action

1 To set the global action for an ACL, use the following command:

filter acl set <1-4096> global-action <count|count-ipfix|ipfix|mirror|mirror-count|mirror-count-ipfix|mirror-ipfix>

<1-4096> specifies an ACL ID from 1 to 4096.

--End--

Variable definitionsUse the information in the following table to help you use the filter aclset <1-4096> commands.

Variable Value

global-action<count|count-ipfix|ipfix|mirror|mirror-count|mirror-count-ipfix|mirror-ipfix>

Specifies the global action to take for matchingACEs: mirror, count, mirror-count, ipfix, mirror-ipfix,count-ipfix, or mirror-count-ipfix.If you enable mirroring, ensure you specify thesource and/or destination mirroring ports:

• For R modules in Tx modes: use mirror-by-port commands to specify mirroring ports.

• For R and RS modules in Rx modes: use thefilter acl ace debug commands to specifymirroring ports. See “Configuring ACE debugactions to mirror” (page 229).

Configuring ACE debug actions to mirrorUse debug actions to use filters for troubleshooting or monitoringprocedures.

If you use the mirror action, ensure that you specify the mirroringdestination: MLTs, ports, or VLANs.


NN46205-703 03.02 12 April 2010


.


Prerequisites

• The ACE exists.

• Enter Global Configuration mode.

Procedure steps

Step Action

1 Configure debug actions for an ACE using the followingcommand:

filter acl ace debug <1-4096> <1-1000> [mirror enable][monitor-dst-ports <portList>] [monitor-dst-vlan<0-4094>] [monitor-dst-mlt <1-256>]

<1-4096> specifies the ACL ID from 1 to 4096; <1-1000>specifies the ACE ID from 1 to 1000.


show filter acl debug [<1-4096>] [<1-1000>]

--End--

Variable definitionsUse the information in the following table to help you use the filter aclace debug <1-4096> <1-1000> commands.

Variable Value

copy-to-primary-cpenable

Enables the ability to copy matching packets to theprimary (Master) CPU.

copy-to-secondary-cp enable

Enables the ability to copy matching packets to theSecondary CPU.

count enable Enables the ability to count matching packets.

mirror enable Enables mirroring.If you enable mirroring, ensure that you configurethe appropriate parameters:

• For R and RS modules in Rx mode:monitor-dst-ports, monitor-dst-vlan,or monitor-dst-mlt.

• For R modules in Tx mode: use themirror-by-port commands to specify the mirroringsource/destination.


NN46205-703 03.02 12 April 2010


.

Configuring remote mirroring 231

Variable Value

monitor-dst-ports<portList>

Configures mirroring to a destination port or ports.

monitor-dst-mlt<1-256>

Configures mirroring to a destination MLT group.

monitor-dst-vlan<0-4094>

Configures mirroring to a destination VLAN.


Prerequisites

• Access Interface Configuration mode.

Procedure steps

Step Action

1 Configure remote mirroring using the following command:

remote-mirroring [enable] [mode <source|termination>][srcMac <0x00:0x00:0x00:0x00:0x00:0x00>] [dstMac<0x00:0x00:0x00:0x00:0x00:0x00>] [ether-type<0x00-0xffff>] [vlan-id <1-4094>]

2 Ensure that the remote mirroring configuration is correct:

show remote-mirroring interfaces <fastEthernet|gigabitEthernet> [enable] [mode <source|termination>][srcMac <0x00:0x00:0x00:0x00:0x00:0x00>] [dstMac<0x00:0x00:0x00:0x00:0x00:0x00>] [ether-type<0x00-0xffff>] [vlan-id <1-4094>]

--End--

Variable definitionsUse the information in the following table to use the remote-mirroringcommand.


NN46205-703 03.02 12 April 2010


.


Variable Value

dstMac <0x00:0x00:0x00:0x00:0x00:0x00>

Sets the destination MAC address foruse in the remote mirroring encapsulationheader. The mirrored packet is sent tothis MAC address. The DstMac is usedonly for RMS ports.

For RMT ports, one of the unusedMAC addresses from the switch portMAC address range is used. This MACaddress is saved in the configuration file.

enable Enables remote mirroring on the port.When remote mirroring is enabled, thefollowing events occur:

• A static entry for the DstMac is addedto the Forwarding Database (FDB).All packets that come with this remotemirroring DstMac are sent to the RMTport.

• The switch periodically (once in 10seconds) transmits broadcast Layer2 packets in the associated VLAN sothat all nodes in the network can learnthe DstMac.

ether-type <0x00-0xffff> Specifies the Ethertype of the remotemirrored packet. The default value is0x8103.

mode <source|termination> Specifies whether the port is an RMT(mode is termination) or an RMS (modeis source).

srcMac <0x00:0x00:0x00:0x00:0x00:0x00>

Sets the source MAC address for usein the remote mirroring encapsulationheader. The mirrored packet is sentfrom the RMS port, and the source MACparameter in the header is derived fromthis address. The source MAC address ofthe encapsulated frame contains the first45 bits of this MAC address. The threeleast significant bits are derived from theport number of the RMS port. The MACaddress of the port is used as the defaultvalue.

vlan-id <1-4094> Specifies to which VLAN the remotemirroring destination MAC addressbelongs. This must be a port-based


NN46205-703 03.02 12 April 2010


.


Variable Value

VLAN. Used only for Remote MirroringTermination (RMT) ports. When the RMTport is removed from the last VLAN in thelist, RMT is disabled on the port.

PCAP configurationUse the Packet Capture Tool to aid in troubleshooting procedures. Anactive Secondary CPU is required.

PCAP configuration navigation

• “Roadmap of PCAP NNCLI commands” (page 233)

• “Accessing the Secondary CPU” (page 235)

• “Configuring PCAP global parameters” (page 235)

• “Enabling PCAP on a port” (page 237)

• “Configuring PCAP capture filters” (page 238)


• “Using the captured packet dump” (page 243)

• “Copying captured packets to a remote machine” (page 244)

• “Resetting the PCAP DRAM buffer” (page 245)

• “Modifying PCAP parameters” (page 245)

Roadmap of PCAP NNCLI commandsThe following table lists the commands and their parameters that you useto perform the procedures in this section.

Command Parameter


<cr>

capture-filter [id <1-1000>]

dump

port

show pcap

stats



NN46205-703 03.02 12 April 2010


.


Command Parameter

auto-save [file-name <WORD 1-40>] [pcmcia][network] [ip <A.B.C.D>]

buffer-size <2-420>

buffer-wrap

enable

ethertype-for-svlan-level <0x5dd-0xffff>

fragment-size <64-9600>

pcmcia-wrap

pcap

reset-stat

<cr>


dscp <0-63> [<0-63>] [match-zero]

dstip <A.B.C.D> [<A.B.C.D>]

dstmac <0x00:0x00:0x00:0x00:0x00:0x00> [<1-6>]

enable

ether-type <0x0-0xffff> [<0x0-0xffff>]

packet-count <0-65535>

pbits <0-7> [<0-7>] [match-zero]

protocol-type <0-255> [<0-255>]

refresh-timer <WORD 1-7>

srcip <A.B.C.D> [<A.B.C.D>]

srcmac <0x00:0x00:0x00:0x00:0x00:0x00> [<1-6>]

tcp-port <0-65535> [<0-65535>]

timer <WORD 1-7>

udp-port <0-65535> [<0-65535>]

user-defined <0-9600> <WORD 0-50>

pcap capture-filter<1-1000>

vid <0-4092> [<0-4092>]

vlan mac-address-filter<1-4094> pcap <0x00:0x00:0x00:0x00:0x00:0x00> [enable]

Interface Configuration mode

<1-1000>

acl-filter <1-4096>

pcap

enable [mode <tx|rx|both|rxFilter|txFilter|bothFilter>]


NN46205-703 03.02 12 April 2010


.


Accessing the Secondary CPUThe PCAP engine is the Secondary CPU. You can gain access to thePCAP engine through a direct console or modem connection to thesecondary CPU, or by using a peer telnet session from the primary CPU.A connection is made to the secondary CPU, which then prompts for thelogin and password.

Prerequisites


Procedure steps

Step Action

1 Log on to the Primary CPU.

2 Access the Secondary CPU by entering the following command:

peer telnet

--End--

Configuring PCAP global parametersConfigure PCAP globally to define how PCAP operates on the EthernetRouting Switch 8600.

Prerequisites


• If saving to external memory, a PCMCIA card (or external flash on the8895 SF/CPU) is installed.


Procedure steps

Step Action

1 Enable PCAP using the following command:

pcap enable

2 Use the following variable definitions table to configure otherparameters as required.



NN46205-703 03.02 12 April 2010


.


show pcap

--End--

Variable definitionsUse the information in the following table to complete the pcap command.

Variable Value

auto-save[file-name <WORD1-40>][pcmcia] [network][ip <A.B.C.D>]

Enables or disables auto-save. When enabled,saves the captured frames into the devicespecified and continues to capture frames.The default is enable. If this option is disabled,packets are stored in the DRAM buffer only.

file-name <WORD 1-40> is the name of the filewhere captured frames are saved.

pcmcia sets the device to PCMCIA.

network sets the device to network.

ip <A.B.C.D> is the IP address used. This isused only if the device is network.

buffer-size <2-420> Specifies the size of the buffer allocated forstoring data. A Mezz SF/CPU can use up to 420MB. The default is 32 MB.

buffer-wrap Enables buffer wrapping. When this parameteris set to true and the buffer becomes full, thecapture continues by wrapping the buffer. If thisparameter is set to false and the buffer becomesfull, the packet capture stops. The default valueis true. A log message is generated when thebuffer is wrapped.

enable Enables PCAP globally. The default is disabled.To disable PCAP, use the no pcap enablecommand.

ethertype-for-svlan-level <0x5dd-0xffff>

Specifies the Ethernet type for sVLAN packets.With this information, PCAP can identify andcapture the tag information of packets receivedfrom SVLAN ports.

<0x5dd-0xffff> is a hexadecimal value. Thedefault is 0x8100.


NN46205-703 03.02 12 April 2010


.


Variable Value

fragment-size<64-9600>

Specifies the number of bytes from each frameto capture. The default is the first 64 bytes ofeach frame.

pcmcia-wrap Enables PCMCIA wrapping. When thisparameter is set to true and the autosave deviceis PCMCIA, this causes an overwrite of thepresent file on the PCMCIA (or external flash)during an autosave. If this parameter is set tofalse, the present file is not overwritten. A logis generated when the file is overwritten on thePCMCIA (or external flash).

reset-stat This command resets the PCAP engine DRAMbuffer, as well as all software counters used forPCAP statistics. This command can be executedin the Primary or Secondary SF/CPU.

Enabling PCAP on a portConfigure PCAP on a port so that the port supports PCAP, and to applyfilters to the captured data. You can apply IP- or Access Control List(ACL)-based filters.

Prerequisites




Procedure steps

Step Action

1 Apply filter sets or ACLs to captured packets:

pcap <1-1000>

pcap acl-filter <1-4096>

2 To enable PCAP on Ethernet ports, use the following command:

pcap enable [mode {tx|rx|both|rxFilter|txFilter|bothFilter}]

3 Ensure PCAP is correctly configured:

show pcap port

--End--


NN46205-703 03.02 12 April 2010


.


Variable definitionsUse the information in the following table to complete the pcap command.

Variable Value

<1-1000> Adds an IP filter set (Global or Source Destination)to a port. <1-1000> specifies the filter set. TheIP filter set must already exist. Filter GlobalSet ID values are in the range of 1 to 100 andSource/Destination sets are in the range of 300 to1000.

Adding a filter set causes the following to happen:

• Creates an IP traffic filter for a port if one doesnot already exist; otherwise, disables the IPtraffic filter.

• Adds the IP traffic filter set to the port.

• Sets the mirror bit for all the filters in the set.

• Restores the default-action of the port. Ifdefault-action was not set, set to forwarding.

• Enables the traffic filter on the port.

acl-filter <1-4096> Applies an ACL to captured packets. The ACL IDcan be from 1 to 4096.

enable[mode <tx|rx|both|rxFilter|txFilter|bothFilter>]

Enables or disables PCAP on the port. The defaultPCAP mode captures ingress packets (rx mode).

If PCAP is enabled in filter mode, then onlypackets which match the filter criteria arecaptured.

Configuring PCAP capture filtersUse capture filters to better define the match criteria used on packets.

Nortel highly recommends using PCAP with IP or MAC filters to reduce theload on the PCAP engine.

To create a functional capture filter that captures specific packets, createtwo filters. Use one filter to capture specific packets, and another filter todrop all other packets.

Prerequisites



NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 To create a capture filter, enter the following command:

pcap capture-filter <1-1000>

2 Configure the filter action:

pcap capture-filter <1-1000> action <capture|drop|trigger-on|trigger-off>

3 Use the following variable definitions table to define the matchparameters; for example:

pcap capture-filter 1 dscp 60 to 63

4 Enable the filter:

pcap capture-filter <1-1000> enable


show pcap capture-filter [<1-1000>]

--End--

Variable definitionsUse the information in the following table to help you use the pcapcapture-filter <1-1000> command.

Variable Value

<cr> Creates a new PCAP filter.


Determines the action taken by the filter.

• capture indicates that the packet iscaptured.

• drop indicates that the packet is dropped.

• trigger-on indicates to start capturing thepacket when a packet matches this filter.PCAP is enabled globally and the trigger filteris disabled.

• trigger-off indicates to stop capturingthe packet when a packet matches this filter.PCAP is disabled globally and the triggerfilter is disabled.


NN46205-703 03.02 12 April 2010


.


Variable Value

dscp <0-63> [<0-63>][match-zero]

Specifies the DSCP value of the packet.

<0-63> is the DSCP from 0 to 63. The default is0, which means this option is disabled.

Use the second <0-63> to specify a range.

When match-zero is set, 0 is considered avalid value. When it is not set, 0 is considered adisable value.

dstip <A.B.C.D>[<A.B.C.D>]

Specifies the destination IP address. The defaultis 0.0.0.0, which means this option is disabled.

Use the second <A.B.C.D> to specify a range.

dstmac <0x00:0x00:0x00:0x00:0x00:0x00>[<1-6>]

Specifies the MAC address of the destination. Ifthe mask is set, then only the first few bytes arecompared.

<1-6> is the destination MAC address mask,and specifies a range.

enable Enables the filter. The default is disable.

ether-type<0x0-0xffff>[<0x0-0xffff>]

Specifies the Ethernet type of the packet.

<Ethertype> is an Ether-type. The default is 0,meaning that this option is disabled.

Use the second <0x0-0xffff> to specify arange.

packet-count<0-65535>

When set, PCAP stops after capturing thespecified number of packets. This is similar tothe refresh-timer option; after it is invoked, thefilter is disabled. This option is active only whenthe action parameter is set to trigger-on. Thedefault value is 0, which means this option isdisabled.


NN46205-703 03.02 12 April 2010


.


Variable Value

pbits <0-7> [<0-7>][match-zero]

Specifies the priority bit of the packet.

The default is 0, which means this option isdisabled.


When match-zero is set, 0 is considered avalid value. When it is not set, 0 is considered adisable value.

protocol-type <0-255>[<0-255>]

Specifies the packet protocol type.



refresh-timer <WORD1-7>

When set, this starts or resets a timer. If anotherpacket is not received within the specifiedtime, PCAP is disabled globally. This option isactive only when the action parameter is set totrigger-on. To delete this option, set it to 0. Thedefault value is 0.

srcip <A.B.C.D>[<A.B.C.D>]

Specifies the source IP address.

The default is 0.0.0.0, which means this optionis disabled.

Use the second <A.B.C.D> to specify a range.

srcmac <0x00:0x00:0x00:0x00:0x00:0x00>[<1-6>]

Specifies the MAC address of the source.

If the mask is set, then only the first few bytesare compared. The default is 00:00:00:00:00:00,which means this option is disabled.

<1-6> is the mask of the source MAC address.This parameter specifies an address range.

tcp-port <0-65535>[<0-65535>]

Specifies the TCP port of the packet.




NN46205-703 03.02 12 April 2010


.


Variable Value

timer <WORD 1-7> When set, PCAP is invoked when the firstpacket is matched and stopped after the setvalue of time. After starting the timer, the filter isdisabled.

This option is active only when the actionparameter is set to trigger-on.

<WORD 1-7> is a value from 100 to 3600000milliseconds. The default value is zero. Settingthe value to 0 disables the timer.

udp-port <0-65535>[<0-65535>]

Specifies the UDP port of the packet.



user-defined <0-9600><WORD 0-50>

Sets a user defined value on which to match thepacket. The user can define a pattern in hex orcharacters to match (<0-9600>). The user canalso specify the offset to start the match (<WORD0-50>). The default value of pattern is null (’’)which means that this field is discarded. Todisable this option, set the pattern to null (’’).

vid <0-4092>[<0-4092>]

Specifies the VLAN ID of the packet.

The default is 0, which means that this option isdisabled.



Prerequisites

• A VLAN exists.


• Access Global and Interface Configuration mode.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 In Global Configuration mode, enable PCAP:

pcap enable

2 In Interface Configuration mode, enable PCAP in RxFilter mode:

pcap enable mode rxFilter

3 Enable PCAP with FDB filters on a VLAN. To enable PCAP foran FDB filter by MAC address, in Global Configuration mode,use the following command:

vlan mac-address-filter <1-4094> pcap <0x00:0x00:0x00:0x00:0x00:0x00> [enable]

--End--


Variable Value

<0x00:0x00:0x00:0x00:0x00:0x00>

Specifies the MAC address in the format0x00:0x00:0x00:0x00:0x00:0x00.

<1-4094> Specifies the VLAN by VLAN ID.

Using the captured packet dumpYou can view packets using a NNCLI session and the Secondary SF/CPU.Dumping a large number of captured packets is CPU intensive. The switchdoes not respond to any commands while the dump is in progress. Nortelrecommends you use this command only when it is absolutely necessary.However, there is no degradation in normal traffic handling or switchfailover.

Prerequisites


Procedure steps

Step Action


2 Use the following command:


NN46205-703 03.02 12 April 2010


.


show pcap dump

--End--

Copying captured packets to a remote machineYou can copy packets to a remote machine, or the switch flash or PCMCIA(or external flash on the 8895 SF/CPU). If PCAP is used with autosavedisabled, captured packets are stored in the Secondary SF/CPU DRAMbuffer.

Prerequisites


Procedure steps

Step Action

1 To copy the packets to a file for later viewing, use the copy orFTP get commands. These commands can be executed in thePrimary CPU.

copy PCAP00 <WORD 1-99>

OR

ftp> get PCAP00 <WORD 1-99>

For example:

copy PCAP00 /pcmcia/file.cap

--End--


Variable Value

<WORD 1-99> Specifies pcmcia, flash, or an IP host by IPaddress and specifies the PCAP file (.cap).Formats include:• a.b.c.d:<file>

• /pcmcia/<file>

• /flash/<file>


NN46205-703 03.02 12 April 2010


.


Resetting the PCAP DRAM bufferYou can clear the PCAP DRAM buffer and the PCAP counters.

Prerequisites


Procedure steps

Step Action


2 Disable PCAP:

no pcap enable

3 Reset the PCAP engine DRAM buffer:

pcap reset-stat

--End--

Modifying PCAP parametersCertain steps are required to modify PCAP parameters.

Prerequisites

• Access Global and Interface Configuration mode.

Procedure steps

Step Action

1 In Interface Configuration mode, disable PCAP:

no pcap enable

2 In Global Configuration mode, disable PCAP globally:

no pcap enable

3 Make desired PCAP modifications.

4 Reset PCAP statistics and counters:

pcap reset-stat

5 In Global Configuration mode, globally enable PCAP:

pcap enable

6 In Interface Configuration mode, enable PCAP:


NN46205-703 03.02 12 April 2010


.


pcap enable [mode <tx|rx|both|rxFilter|txFilter|bothFilter>]

--End--

Testing the switch fabricYou can test the switch fabric for consistency. The fabric test causes theCPU to generate traffic and send it through the switch fabric. The CPUgenerates little traffic.

Prerequisites


Procedure steps

Step Action

1 Test the switch fabric by entering the following command.

test fabric


test stop fabric


show test fabric

Currently no test is running.Last test results:

IfIndex: 0Result: successPassCount: 62115FailCount: 0

--End--

Job aidUse the information in the following table to understand the testparameters.

Field Description

IfIndex Specifies the interface index, if applicable.


NN46205-703 03.02 12 April 2010


.

Clearing ARP information for an interface 247

Field Description

Result Shows the result of the most recently run(or current) test: none, success, inProgress,notSupported, unAbleToRun, aborted, failed.

PassCount Specifies the number of iterations of the testcase that completed successfully.

FailCount Specifies the number of iterations of the testcase that failed.

Testing the ARP address tableYou can test the Address Resolution Protocol address table forconsistency.

Prerequisites


Procedure steps

Step Action

1 Test the address table by entering the following command.

test artable


test stop artable


show test artable

--End--

Clearing ARP information for an interfaceYou can clear the ARP cache as part of ARP problem resolutionprocedures.

Prerequisites



NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Clear ARP information using the following commands:

clear ip arp interface fastethernet <portList>

clear ip arp interface gigabitethernet <portList>

clear ip arp interface vlan <1-4094>

--End--

Flushing routing, MAC, and ARP tables for an interfaceFor administrative and troubleshooting purposes, sometimes you mustflush or clear the routing tables. The clear and flush commands performthe same function; they remove the contents of the table.

Prerequisites

• Access Interface Configuration mode.

Procedure steps

Step Action

1 Flush IP routing tables by port by entering the followingcommand:

action flushIp

2 You can also flush the MAC address and ARP tables:

action flushArp

action flushMacFdb

3 Clear a routing table using the following commands in PrivilegedEXEC mode:

clear ip route interface fastethernet <portList>

clear ip route interface gigabitethernet <portList>

clear ip route interface vlan <1-4094>

--End--


NN46205-703 03.02 12 April 2010


.


Job aid: ping and traceroute considerationsPing and traceroute may fail for VRF, IP VPN, or MPLS routes if largepacket sizes are used for the operation. Do not use packet sizes largerthan the following:

• Ping for VRF Lite: 1480 bytes

• Ping for IP VPN with MPLS: 1480 bytes

• Ping for IP VPN Lite: 1446 bytes

• Traceroute for VRF Lite: 1444 bytes

• Traceroute for IP VPN with MPLS: 1444 bytes

• Traceroute for IP VPN Lite: 1444 bytes

Running a ping testUse ping operations to determine that a path exists to another device, andthat it is reachable.

Prerequisites


Procedure steps

Step Action

1 To ping a device:

ping <WORD 0-256> [scopeid <1-9999>] [datasize<16-4076>] [count <1-9999>] [-s] [-I <1-60>] [-t<1-120>] [-d] [source <WORD 1-256>] [vrf <WORD 0-16>]

<WORD 0-256> specifies the device by host name, IPv4 address<a.b.c.d>, or IPv6 address <x.x.x.x.x.x.x.x>.

2 To ping an IPX device:

pingipx <0x00:0x00:0x00:0x00.0x00:0x00:0x00:0x00:0x00:0x00> [<1-9999>] [-s] [-q] [-t <1-120>]

<0x00:0x00:0x00:0x00.0x00:0x00:0x00:0x00:0x00:0x00> specifies the IPX host in the net.node format.

3 To ping an MPLS device:

ping-mpls ipv4 <prefix/len> [ttl <1-255>] [source<A.B.C.D>] [count <1-1000>]

ping-mpls rsvp <WORD 0-32> [ttl <1-255>] [source<A.B.C.D>] [count <1-1000>]


NN46205-703 03.02 12 April 2010


.


<prefix/len> specifies the IPv4 address and prefix length;<WORD 0-32 specifies the name of the label-switched path.

--End--

Variable definitionsUse the information in the following table to help you use the ping <WORD0-256> command.

Variable Value

-d Sets the ping debug flag. In debug mode, theping reply includes additional information aboutthe device being pinged.

-s Specifies that the IPv4 or IPv6 ping should beretransmitted at continuous intervals at theinterval defined by -I <1-60>.

-I <1-60> Specifies the interval between pingretransmissions from 1 to 60 seconds.

-t <1-120> Specifies the no-answer timeout from 1 to 120seconds.

count <1-9999> Specifies the number of times to ping thedevice from 1 to 9999. The default is 1.

datasize <16-4076> Specifies the size of the ping packet in octets,either 16 to 4076, or 16 to 65487. The defaultis 16 octets.

scopeid <1-9999> Specifies the circuit scope ID for IPv6 from 1to 9999.

source <WORD 1-256> Specifies the source IP address for use in IPVPN pings.

vrf <WORD 0-16> Specifies the VRF instance by VRF name.

Use the information in the following table to help you use the pingipx<0x00:0x00:0x00:0x00.0x00:0x00:0x00:0x00:0x00:0x00>command.

Variable Value

-q Specifies quiet output (same as nonverbosemode).

-s Specifies that the ping should be retransmittedat continuous intervals.

-t <1-120> Specifies the no-answer timeout from 1 to 120seconds.

<1-9999> Specifies the number of times to ping thedevice from 1 to 9999. The default is 1.


NN46205-703 03.02 12 April 2010


.


Use the information in the following table to help you use the ping-mplsipv4 <prefix/len> and ping-mpls rsvp <WORD 0-32> commands.

Variable Value

count <1-1000> Specifies the number of times to ping thedevice from 1 to 1000. The default is 1.

ttl <1-255> Specifies the time-to-live of the MPLS pingpacket from 1 to 255.

source <A.B.C.D> Specifies the source IP address.


Prerequisites


Procedure steps

Step Action

1 To use traceroute, enter the following command:

traceroute <A.B.C.D> [<1-1464>] [-m <1-255>] [-p<0-65535>] [-q <1-255>] [-w <1-255>] [-v] [source <WORD1-256>] [vrf <WORD 0-16>]

--End--

Variable definitionsUse the information in the following table to help you use the traceroute<A.B.C.D> command.

Variable Value

-m <1-255> Specifies the is maximum time-to-live (TTL) (1to 255).

-p <0-65535 Specifies the base UDP port number (0 to65535).

-q <1-255> Specifies the number of probes per TTL (1 to255).

-v Specifies verbose mode (detailed output).

-w <1-255> Specifies the wait time per probe (1 to 255).


NN46205-703 03.02 12 April 2010


.


Variable Value

<1-1464> Specifies the size of the probe packet (1 to1464).

source <WORD 1-256> Specifies the source IP address for use in IPVPN traceroutes.

vrf <WORD 0-16> Specifies the VRF instance by VRF name.




By default, ping snoop messages are echoed only to the serial consoleport. If you do not have access to the serial port and are connecting viaTelnet (or other means such as SSH or Rlogin), to see the messages inyour session, enter the following Global Configuration command:

logging screen

This setting is specific to the NNCLI session where it is executed. Thecommand does not save to the configuration file and when the NNCLIsession is closed the setting is removed.

You can use two sessions with this command: in one session, configurethe ping snoop commands, and in the other session, issue the loggingscreen command to see the messages; when done, close the secondsession.

Prerequisites


Procedure steps

Step Action

1 Add the required ports to the ACL:

filter acl port 4096 <portList>

2 Enable the ACL:


NN46205-703 03.02 12 April 2010


.


filter acl 4096 enable

3 Create an ACE:

filter acl ace 4096 <1-1000> [name <WORD 0-32>]

<1-1000> is the ACE ID.

4 Configure the ACE action:

filter acl ace action 4096 <1-1000> <permit|deny>

5 Configure the destination IP address:

filter acl ace ip 4096 <1-1000> dst-ip eq <A.B.C.D>

6 Configure the source IP address (optional):

filter acl ace ip 4096 <1-1000> src-ip eq <A.B.C.D>

7 Enable the ACE:

filter acl ace 4096 <1-1000> enable


show filter acl 4096

--End--

Variable definitionsUse the information in the following table to help you use thesecommands.

Variable Value

<A.B.C.D> Specifies the source or destination IPaddress.


NN46205-703 03.02 12 April 2010


.



NN46205-703 03.02 12 April 2010


.

255.

SNMP trap configuration usingEnterprise Device Manager

Use SNMP traps and notifications to allow management stations to gatherinformation about switch activities, alarms, and other information.

You configure traps by creating SNMP trap notifications, creating a targetaddress to which you want to send the notifications, and specifying targetparameters.

Specify which protocols and processes generate traps by enabling trapsfor that protocol. For example, to allow SNMP traps to be generated forOSPF, use the following command: config ip ospf trap enable.

For information about configuring SNMP community strings and relatedtopics, see Nortel Ethernet Routing Switch 8600 Security (NN46205-601).

SNMP trap configuration navigation• “Configuring an SNMP host target address” (page 255)

• “Configuring target table parameters” (page 257)

• “Viewing the trap sender table” (page 259)

• “Configuring an SNMP notify table” (page 259)

• “Configuring SNMP notify filter profile table parameters” (page 260)

• “Configuring SNMP notify filter table parameters” (page 261)

Configuring an SNMP host target addressConfigure a target table to specify the list of transport addresses to use inthe generation of SNMP messages.


NN46205-703 03.02 12 April 2010


.

256 SNMP trap configuration using Enterprise Device Manager

Procedure steps

Step Action

1 In the navigation tree, open the following folders: Configuration,Edit, SNMPv3.

2 Double-clickTarget Table.

3 Click Insert.

4 In the Name box, type a unique identifier.

5 In the TDomain box, select the transport type of the address.

6 In the TAddress box, type the transport address.

7 In the Timeout box, type the maximum round trip time.

8 In the RetryCount box, type the number of retries to beattempted.

9 In the TagList box, type the list of tag values.

10 In the Params box, type the SnmpAdminString.

11 In the TMask box, type the mask.

12 In the MMS box, type the maximum message size.

13 Click Insert.

--End--

Variable definitionsUse the information in the following table to configure a target table.

Variable Value

Name Specifies a unique identifier for this table. Thename is a community string.

TDomain Specifies the transport type of the address:ipv4Tdomain or ipv6Tdomain.

TAddress Specifies the transport address in xx.xx.xx.xx:port format, for example: 10:10:10:10:162,where 162 is the trap listening port on thesystem 10.10.10.10. You can also specify IPv6addresses.


NN46205-703 03.02 12 April 2010


.

Configuring target table parameters 257

Variable Value

Timeout Specifies the maximum round trip time requiredfor communicating with the transport address.The value is in 1/100 seconds. The default is1500.When a message is sent to this address anda response (if one is expected) is not receivedwithin this time period, an implementationassumes that the response will not be delivered.

RetryCount Specifies the maximum number of retries whena response is not received for a generatedmessage. The count can be in the range of 0 to255. The default is 3.

TagList Contains a list of tag values which are used toselect target addresses for a particular operation.A tag refers to a class of targets to which themessages may be sent. This parameter refersto a Tag value listed in the Notify Table tab(Configuration, Edit, SnmpV3, Notify Table).

Params Contains SNMP parameters to be used whengenerating messages to send to this transportaddress. This parameter refers to a Namevalue listed in the Target Params Table tab(Configuration, Edit, SnmpV3, Target Table,Target Params Table). For example, to receiveSNMPv2C traps, use TparamV2.

TMask Specifies the mask. The value can be emptyor in six-byte hex string format. Tmask is anoptional parameter that allows an entry in theTargetAddrTable to specify multiple addresses.

MMS Specifies the maximum message size. The sizecan be zero, or 484 to 2147483647. The defaultis 484.

Although the maximum MMS is 2147483647, theswitch supports the maximum SNMP packet sizeof 8192.

Configuring target table parametersThe target table contains the security parameters for SNMP. Configure thetarget table to set parameters such as SNMP version and security levels.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action


2 Double-clickTarget Table.

3 Click the Target Params Table tab.

4 Click Insert.

5 In the Name box, type a target table name.

6 From the MPModel options, select an SNMP version.

7 From the Security Model options, select the security model.

8 In the SecurityName box, type readview or writeview.

9 From the SecurityLevel options, select the security level for thetable.

10 Click Insert.

--End--

Variable definitionsUse the information in the following table to configure a target table withSNMP security parameters.

Variable Value

Name Identifies the target table.

MPModel Specifies the Message Processing Model touse when generating messages: SNMPv1,SNMPv2c, or SNMPv3/USM.

SecurityModel Specifies the security model to use whengenerating messages: SNMPv1, SNMPv2c,or USM. An implementation can return aninconsistentValue error if an attempt is made toset this variable to a value for a security modelwhich the implementation does not support.

SecurityName Identifies the Principal on whose behalf SNMPmessages are generated.

SecurityLevel Specifies the security level used when generatingSNMP messages: noAuthNoPriv, authNoPriv, orauthPriv.


NN46205-703 03.02 12 April 2010


.

Configuring an SNMP notify table 259

Viewing the trap sender tableUse the Trap Sender Table tab to view source and receiving addresses.

Procedure steps

Step Action

1 In the navigation tree, open the following folders: Configuration,Edit.

2 Double-clickChassis.

3 Click the Trap Sender Table tab.

--End--

Variable definitionsUse the information in the following table to use the Trap Sender Tabletab.

Variable Value

RecvAddress Specifies the IP address for the trap receiver. This is aread-only parameter that contains the IP address configured inthe TAddress field in the TargetTable.

SrcAddress Identifies the IP address for the trap sender.

Configuring an SNMP notify tableConfigure the notify table to select management targets to receivenotifications, as well as the type of notification to send to eachmanagement target.

Procedure steps

Step Action


2 Double-clickNotify Table.

3 Click Insert.

4 In the Name box, type a notify table name.

5 In the Tag box, type the transport tag for the table.

6 From the Type options, select a type.


NN46205-703 03.02 12 April 2010


.


7 Click Insert.

--End--

Variable definitionsUse the information in the following table to configure an SNMP notifytable.

Variable Value

Name Specifies a unique identifier.

Tag Specifies the tag.

Type Determines the type of notification generated.This value is only used when generatingnotifications, and is ignored for other purposes.If an SNMP entity only supports generation ofUnconfirmed-Class PDUs then this parametermay be read-only.

• trap—messages generated containUnconfirmed-Class PDUs

• inform—messages generated containConfirmed-Class PDUs

Configuring SNMP notify filter profile table parametersConfigure the profile table to associate a notification filter profile with aparticular set of target parameters.

Procedure steps

Step Action



3 Click the Notify Filter Profile Table tab.

4 Click Insert.

5 In the TargetParamsName box, type a name for the targetparameters.

6 In the NotifyFilterProfileName box, type a name for the notifyfilter profile.


NN46205-703 03.02 12 April 2010


.

Configuring SNMP notify filter table parameters 261

7 Click Insert.

--End--

Variable definitionsUse the information in the following table to configure a notify filter profiletable.

Variable Value

TargetParamsName Specifies the unique identifier associated with thisentry.

NotifyFilterProfileName Specifies the name of the filter profile to be usedwhen generating notifications.

Configuring SNMP notify filter table parametersConfigure the SNMP table of filter profiles to determine whether particularmanagement targets should receive particular notifications.

Procedure steps

Step Action



3 Click the Notify Filter Table tab.

4 Click Insert.

5 In the NotifyFilterProfileName box, type a name for the notifyfilter profile.

6 In the Subtree box, type subtree location information inx.x.x.x.x.x.x.x.x.x. format.

7 In the Mask box, type the mask location in hex string format.

8 From the Type options, select included or excluded to set filterflag.

9 Click Insert.

--End--

Variable definitionsUse the information in the following table to configure a filter profile.


NN46205-703 03.02 12 April 2010


.


Variable Value

NotifyFilterProfileName Specifies the name of the filter profile used whilegenerating notifications.

Subtree Specifies the MIB subtree which, when combinedwith Mask, defines a family of subtrees which areincluded in or excluded from the filter profile. Formore information, see RFC 2573.

Mask Specifies the bit mask (in hexadecimal) which,in combination with Subtree, defines a family ofsubtrees which are included in or excluded fromthe filter profile.

Type Indicates whether the family of filter subtrees areincluded in or excluded from a filter.

Enabling SNMP trap loggingYou can save a copy of all SNMP traps and view them.

Procedure steps

Step Action

1 In the navigation tree, open the following folders: Configuration,Edit, Diagnostics.


3 Click the Error tab.

4 Select AuthenticationTraps.

5 Click Apply.

--End--

Variable definitionsUse the information in the following table to understand error parameters.

Variable Value

AuthenticationTrap Enables or disables the sending of traps whenan error occurs.


NN46205-703 03.02 12 April 2010


.

Enabling SNMP trap logging 263

Variable Value

LastErrorCode Specifies the last reported error code.

LastErrorSeverity Specifies the last reported error severity:

0= Informative Information

1= Warning Condition

2= Error Condition

3= Manufacturing Information

4= Fatal Condition


NN46205-703 03.02 12 April 2010


.



NN46205-703 03.02 12 April 2010


.

265.

Log configuration using EnterpriseDevice Manager

Use log files and messages to help perform diagnostic and faultmanagement functions.

Log configuration navigation• “Configuring the system log” (page 265)

• “Configuring the system log table and severity level mappings” (page266)

Configuring the system logUse the system log to track all user activity on the switch. The system logcan send messages to up to ten syslog hosts.

Procedure steps

Step Action


2 Double-clickSystem Log.

3 Select Enable.

4 Configure MaxHosts and Header as required.

5 Click Apply.

--End--

Variable definitionsUse the information in the following table to help you configure the systemlog operational parameters.


NN46205-703 03.02 12 April 2010


.

266 Log configuration using Enterprise Device Manager

Variable Value

Enable Enables or disables the syslog feature. Whenenabled, this feature sends a message to aserver on a network that is configured to receiveand store diagnostic messages from this device.The type of messages sent is user-configurable.

MaxHosts Specifies the maximum number of remote hostsconsidered active and able to receive messagesfrom the syslog service.

OperState Specifies the operational state of the syslogservice.

Header Specifies the IP header type for thesyslog packet. The options are: default,managementVIP, and circuitlessIP.

Configuring the system log table and severity level mappingsUse the system log table to customize the mappings between the severitylevels and the type of alarms.

Procedure steps

Step Action


2 Double-clickSystem Log.

3 Click the System Log Table tab.

4 Click Insert.

5 Configure the parameters as required.

6 Click Insert.

7 To modify mappings, double-click a parameter to view a list ofoptions. Configure the options as required.

8 Click Apply.

--End--

Variable definitionsUse the information in the following table to help you customize severitylevel mappings.

Variable Value

Id Specifies the ID for the syslog host.


NN46205-703 03.02 12 April 2010


.

Configuring the system log table and severity level mappings 267

Variable Value

IpAddr Specifies the IP address of the syslog host.

UdpPort Specifies the UDP port to use to send messagesto the syslog host (514 to 530).

Enable Enables or disables the sending of messages tothe syslog host.

HostFacility Specifies the syslog host facility used to identifymessages (LOCAL0 to LOCAL7). The default isLOCAL7.

Severity Specifies the message severity for which syslogmessages are sent.

MapInfoSeverity Specifies the syslog severity to use for INFOmessages. The default is INFO.

MapWarningSeverity Specifies the syslog severity to use forWARNING messages. The default isWARNING.

MapErrorSeverity Specifies the syslog severity to use for ERRORmessages. The default is ERROR.

MapFatalSeverity Specifies the syslog severity to use for FATALmessages. The default is EMERGENCY.


NN46205-703 03.02 12 April 2010


.

268 Log configuration using Enterprise Device Manager


NN46205-703 03.02 12 April 2010


.

269.

SNMP trap configuration using the CLIUse SNMP traps and notifications to allow management stations to gatherinformation about switch activities, alarms, and other information.

In the CLI, you configure traps by configuring SNMP trap notifications,creating a target address to which you want to send the notifications, andspecifying target parameters.

Specify which protocols and processes generate traps by enabling trapsfor that protocol. For example, to allow SNMP traps to be generated forOSPF, use the following command: config ip ospf trap enable.


SNMP trap configuration navigation• “Roadmap of SNMP trap CLI commands” (page 269)

• “Configuring SNMP notifications” (page 272)

• “Configuring an SNMP host target address” (page 273)

• “Configuring SNMP target table parameters” (page 275)

• “Configuring an SNMP notify filter table” (page 277)

• “Configuring SNMP interfaces” (page 278)

• “Enabling SNMP trap logging” (page 279)

• “Configuring a UNIX system log and syslog host” (page 280)

Roadmap of SNMP trap CLI commandsThe following roadmap lists some of the CLI commands and theirparameters that you can use to complete the procedures in this section.


NN46205-703 03.02 12 April 2010


.

270 SNMP trap configuration using the CLI

Command Parameter

enable <true|false>

info

config snmp snmplog

maxfilesize <64 to 256000>

create <Notify Name> [tag <value>] [type<value>]

delete <Notify Name>

info

tag <Notify Name> new-tag <value>

config snmp-v3 notify

type <Notify Name> new-type <value>

create <Profile Name> <subtree oid> [mask<value>] [type <value>]

delete <Profile Name> <subtree oid>

info

mask <Profile Name> <subtree oid> new-mask<value>

config snmp-v3 ntfy-filter

type <Profile Name> <subtree oid> new-type<value>

create <Params Name> [profile <value>]

delete <Params Name>

info

config snmp-v3 ntfy-profile

profile <Params Name> <new-profile>

create <Target Name> <Ip addr:port> <Targetparm> [timeout <value>] [retry <value][taglist <value>] [mask <value>] [mms<value>] [tdomain <value>]

delete <Target Name>

info

mask <Target Name> new-mask <value>

mms <Target Name> new-mms <value>

parms <Target Name> new-parms <value>

retry <Target Name> new-retry <value>

taglist <Target Name> new-taglist <value>

config snmp-v3 target-addr

timeout <Target Name> new-timeout <value>


NN46205-703 03.02 12 April 2010


.

Roadmap of SNMP trap CLI commands 271

Command Parameter

create <Tparm Name> mp-model <value>sec-level <value> [sec-name <value>]

delete <Tparm Name>

info

mp-model <Tparm Name> new-mpmodel <value>

sec-level <Tparm Name> new-seclevel<value>

config snmp-v3 target-param

sec-name <Tparm Name> [new-secname<value>]

agent-conformance <enable|disable>

force-iphdr-sender <true|false>

force-trap-sender <true|false>

info

config sys set snmp

sender-ip <ipaddr> <ipaddr>

info

ip-header-type <default|circuitless-ip|management-virtual-ip>

max-hosts <maxhost>

config sys syslog

state <enable|disable>

address <ipaddr>

create

delete

facility <facility>

host <enable|disable>

info

maperror <level>

mapfatal <level>

mapinfo <level>

mapwarning <level>

severity <info|warning|error|fatal> [<info|warning|error|fatal>] [<info|warning|error|fatal>] [<info|warning|error|fatal>]

config sys syslog host

udp-port <port>

show snmp snmplog info

show snmplog file [tail] [grep<value>]


NN46205-703 03.02 12 April 2010


.


Command Parameter

notify

ntfy-filter

ntfy-profile

target-addr

show snmp-v3

target-param

Configuring SNMP notificationsConfigure the notify table to select management targets to receivenotifications, as well as the type of notification to send to eachmanagement target.

Procedure steps

Step Action

1 Create an SNMP notification by using the following command:

config snmp-v3 notify create <Notify Name> [tag <value>][type <value>]

2 To specify the required tags for an existing notification, enter thefollowing command:

config snmp-v3 notify tag <Notify Name> new-tag <value>

3 To specify the required type for an existing notification, enter thefollowing command:

config snmp-v3 notify type <Notify Name> new-type<value>

4 Ensure that the configuration is correct:

config snmp-v3 notify info

show snmp-v3 notify

--End--

Variable definitionsUse the information in the following table to complete the configsnmp-v3 notify command.


NN46205-703 03.02 12 April 2010


.

Configuring an SNMP host target address 273

Variable Value

create <Notify Name>[tag <value>] [type<value>]

Creates an SNMP trap notification entry.• <Notify Name> is the index of the notify table

with a string length of 1 to 32.

• tag <value> specifies the tag.

• type <value> can specify trap or inform.

delete <Notify Name> Deletes an entry from the notify table.

info Displays the notify table information.

tag <Notify Name>new-tag <value>

Specifies the new notify tag for the entry in thenotify table.

type <Notify Name>new-type <value>

Specifies the new notify type for the entry in thenotify table. The valid options are trap and inform.

Configuring an SNMP host target addressConfigure a target address to specify the transport addresses to use inthe generation of SNMP messages.

Procedure steps

Step Action

1 Add an SNMP target address by entering the followingcommand:

ATTENTIONYou must include all of the required parameters in this command. Ifyou do not include them, the command is not parsed correctly and thetraps are not sent to the destination address. The later addition ofthese missing parameters does not rectify the situation.

config snmp-v3 target-addr create <Target Name> <Ipaddr:port> <Target parm> [timeout <value>] [retry<value>] [taglist <value>] [mask <value>] [mms <value>][tdomain <value>]


config snmp-v3 target-addr info

show snmp-v3 target-addr

--End--

Variable definitionsUse the information in the following table to use the config snmp-v3target-addr command.


NN46205-703 03.02 12 April 2010


.


Variable Value

create <Target Name><Ip addr:port><Target parm>[timeout <value>][retry <value>][taglist <value>][mask <value>][mms <value>][tdomain <value>]

Creates a new entry for the target address table.• <Target Name> is the target name with a

string length of 1 to 32.

• <Ip addr:port> is the target IP address inthe form a.b.c.d:port (or ipv6addr:port if thedomain option is set to IPv6) with a stringlength of 1 to 255.

• <Target parm> is the target parameter with astring length of 1 to 32.

• timeout <value> specifies the timeout valuein seconds with a range of 0 to 214748364.The default is 1500.

• retry <value> specifies the retry count valuewith a range of 0 to 255. The default is 3.

• taglist <value> specifies the tag list with astring length of 1 to 255.

• mask <value> specifies the mask in the form0x00:00...6 octets separated by colons with astring length of 13 to 19.

• mms <value> specifies the maximummessage size as an integer with a range of 1 to2147483647. The default is 484.

• tdomain <value> specifies the targettransport domain.

delete <Target Name> Deletes an entry from the target address table.

info Displays target address table information.

mask <Target Name>new-mask <value>

Specifies a new mask for the target.

mms <Target Name>new-mms <value>

Specifies a new maximum message size (MMS)associated with an entry in the target addresstable.Although the maximum value for the MMS is 2 147483 647, the device supports the maximum SNMPpacket size of 8192 (8K).

parms <Target Name>new-parms <value>

Specifies a new string value that identifies targetaddress table entries.

retry <Target Name>new-retry <value>

Specifies a new number of retries to be attemptedwhen a response is not received for a generatedmessage.


NN46205-703 03.02 12 April 2010


.

Configuring SNMP target table parameters 275

Variable Value

taglist<Target Name>new-taglist <value>

Specifies a new list of tag values.

timeout<Target Name>new-timeout <value>

Specifies a new maximum route trip time requiredfor communicating with the transport address.

Example of configuring an SNMP target table

Procedure steps

Step Action

1 Create the target parameter ID (TparamV2) and target addressID (TAddr1), as well as the other target parameters:

config snmp-v3 target-addr create Taddr1 198.202.188.207:162 TparamV2 timeout 1500 retry 3 taglist DefTag maskff:ff:00:00:00:00 mms 484

--End--

Configuring SNMP target table parametersThe target table contains the security parameters for SNMP. Configure thetarget table to set parameters such as SNMP version and security levels.

Prerequisites

ATTENTIONRelease 3.3 and Release 3.5 supports only SNMPv1 or SNMPv2c trapconfigurations, when you upgrade to Release 5.0, the trap configurations are inSNMPv1/SNMPv2c/SNMPv3.

Procedure steps

Step Action

1 Configure SNMP target table parameters:

config snmp-v3 target-param create <Tparm Name> mp-model<value> sec-level <value> [sec-name <value>]


config snmp-v3 target-param info


NN46205-703 03.02 12 April 2010


.


show snmp-v3 target-param

--End--

Variable definitionsUse the information in the following table to help you use the configsnmp-v3 target-param command.

Variable Value

create <Tparm Name>mp-model <value>sec-level <value>[sec-name <value>]

Specifies target table parameters.• <Tparm Name> is the name of the target

parameter with a string length of 1 to 32.

• mp-model <value> specifies the MP model.The valid options are snmpv1, snmpv2c, andusm (SNMPv3).

• sec-level <value> specifies the securitylevel as noAuthNoPriv, authNoPriv, orauthPriv.

• <sec-name> specifies the security name witha string length of 1 to 32.

delete <Tparm Name> Deletes the specified target parameter table.

info Displays information for the target parametertable.

mp-model <Tparm Name>new-mpmodel <value>

Specifies the new SNMP version. The validoptions are snmpv1, snmpv2c, and usm(SNMPv3).

sec-level <Tparm Name>new-seclevel <value>

Specifies a new security level. The valid optionsare noAuthNoPriv, authNoPriv, and authPriv.

sec-name <Tparm Name>[new-secname <value>]

Specifies a new security name (readview orwriteview), which identifies the principal thatgenerates SNMP messages.

Example of configuring additional target parameters

Procedure steps

Step Action

1 Configure target table parameters:


NN46205-703 03.02 12 April 2010


.

Configuring an SNMP notify filter table 277

config snmp-v3 target-param create TparamV2 mp--modelsnmpv2c sec-level noAuthNoPriv sec-name readview

--End--

Configuring an SNMP notify filter tableConfigure the notify table to select management targets to receivenotifications, as well as the type of notification to send to eachmanagement target. For more information about the notify filter table, seeRFC 3413.

Procedure steps

Step Action

1 Create a new notify filter table by using the following command:

config snmp-v3 ntfy-filter create <Profile Name><subtree oid> [mask <value>] [type <value>]


config snmp-v3 ntfy-filter info

show snmp-v3 ntfy-filter

--End--

Variable definitionsUse the information in the following table to complete the configsnmp-v3 ntfy-filter command.

Variable Value

create<Profile Name><subtree oid>[mask <value>][type <value>]

Creates a notify filter table.• <Profile Name> specifies the name of the

profile with a string length of 1 to 31.

• <subtree oid> identifies the filter subtreewith a string length of 1 to 32.

• mask <value> specifies the bit mask incombination with snmpNotifyFilterMask, whichdefines a family of subtrees.

• type <value> indicates whether the familyof filter subtrees defined by this entry isincluded (include) or excluded (exclude)from a filter.


NN46205-703 03.02 12 April 2010


.


Variable Value

delete <Profile Name><subtree oid>

Deletes the specified notify filter profile.• <Profile Name> specifies the name of the



info Displays notify filter information.

mask <Profile Name><subtree oid> new-mask<value>

Specifies the new bit mask in combination withsnmpNotifyFilterMask, which defines a family ofsubtrees.

• <Profile Name> specifies the name of theprofile with a string length of 1 to 31.


• new-mask <value> is in the format of0x00:00...with a string length of 1 to 49.

type <Profile Name><subtree oid> new-type<value>

Specifies the new type that you want for a profile.The valid values are include and exclude.• <Profile Name> specifies the name of the



• new-type <value> specifies include orexclude.

Configuring SNMP interfacesIf the Ethernet Routing Switch 8600 has multiple interfaces, configure theIP interface from which the SNMP traps originate.

Procedure steps

Step Action

1 Configure the destination and source IP addresses for SNMPtraps:

config sys set snmp sender-ip <dest-ipaddr> <src-ipaddr>

2 If required, send the source address (sender IP) as the sendernetwork in the notification message:

config sys set snmp force-trap-sender true

3 If required, force the SNMP and IP sender flag to be the same:


NN46205-703 03.02 12 April 2010


.


config sys set snmp force-iphdr-sender true

--End--

Variable definitionsUse the information in the following table to complete the config sys setsnmp command.

Variable Value

agent-conformance<enable|disable>

Activates or disables the agent conformancemode. Conforms to MIB standards whendisabled. If you activate this option, featureconfiguration is stricter and error handlingless informative. Activating this option is not arecommended or normally supported mode ofoperation.

force-iphdr-sender<true|false>

Specify true to configure the SNMP and IPsender to the same value. The default is false.

force-trap-sender<true|false>

Specify true to send the configured sourceaddress (sender IP) as the sender network inthe notification message.

info Displays the current SNMP settings.

sender-ip <dest-ipaddr><src-ipaddr>

Configures the SNMP trap receiver and sourceIP addresses. Specify the IP address of thedestination SNMP server that will receive theSNMP trap notification in the first IP address.Specify the source IP address of the SNMPtrap notification packet that is transmitted in thesecond IP address. If this is set to 0.0.0.0 thenthe switch uses the IP address of the localinterface that is closest (from an IP routingtable perspective) to the destination SNMPserver.

Enabling SNMP trap loggingUse SNMP trap logging to send a copy of all traps to the PCMCIA card (orexternal flash on the 8895 SF/CPU).

Prerequisites

• A PCMCIA (or external flash) card must be installed.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 To enable SNMP trap logging, use the following command:

config snmp snmplog enable true

2 To set the maximum file size:

config snmp snmplog maxfilesize <64-256000>


show snmp snmplog info

4 To view the contents of the SNMP log, use the followingcommand:

show snmplog file [tail] [grep <value>]

--End--

Variable definitionsUse the information in the following table to help you use the configsnmp snmplog command.

Variable Value

<enable|disable> Enables or disables the logging of traps.

info Displays information about SNMP logging.

maxfilesize<64-256000>

Specifies the maximum file size for the trap log.

Configuring a UNIX system log and syslog hostThe syslog commands control a facility in UNIX machines that logsSNMP messages and assigns each message a severity level based onimportance.

Procedure steps

Step Action

1 Configure system logging using the following command, alongwith the parameters in the following table:

config sys syslog

2 Configure the syslog host using the following command, alongwith the parameters in the following table:

config sys syslog host


NN46205-703 03.02 12 April 2010


.


3 View the configuration to ensure it is correct:

show sys syslog host info

show sys syslog general-info

--End--

Variable definitionsUse the information in the following table to help you use the config syssyslog command.

Variable Value

info Displays syslog configuration information.

ip-header-type<default|circuitless-ip|management-virtual-ip>

Specifies the IP header in syslog packets todefault, circuitless-ip or management-virtual-ip:• If set to default, then for syslog packets

that are transmitted in-band via input/output(I/O) ports, the IP address of the VLAN isused. For syslog packets that are transmittedout-of-band through the management port,the physical IP address of the Master CPU isused in the IP header.

• If set to management-virtual-ip, thenfor syslog packets that are transmittedout-of-band only through the managementport, the virtual management IP address ofthe switch is used in the IP header.

• If set to circuitless-ip, then for all syslogmessages (in-band or out-of-band), thecircuitless IP address is used in the IPheader. If a user has configured multipleCLIPs, the first CLIP configured is used.

max-hosts <maxhost> Specifies the maximum number of syslog hostssupported. <maxhost> is the maximum numberof enabled hosts allowed (1 to 10).

state<enable|disable>

Enables or disables sending syslog messages onthe switch.

Use the information in the following table to help you use the config syssyslog host command.

Variable Value

address <ipaddr> Configures a host location for the syslog host.<ipaddr> is the IP address of the UNIX systemsyslog host.


NN46205-703 03.02 12 April 2010


.


Variable Value

create Creates a syslog host instance.

delete Deletes a syslog host.

facility <facility> Specifies the UNIX facility used in messagesto the syslog host. <facility> is the UNIXsystem syslog host facility (LOCAL0 to LOCAL7).

host <enable|disable> Enables or disables the syslog host.

info Shows information about the syslog hostconfiguration.

maperror <level> Specifies the syslog severity to use for Errormessages. <level> is one of {emergency|alert|critical|error|warning|notice|info|debug}.

mapfatal <level> Specifies the syslog severity to use for Fatalmessages. <level> is one of {emergency|alert|critical|error|warning|notice|info|debug}.

mapinfo <level> Specifies the syslog severity level to use forInformation messages. <level> is one of{emergency|alert|critical|error|warning|notice|info|debug}.

mapwarning <level> Specifies the syslog severity to use for Warningmessages. <level> is {emergency|alert|critical|error|warning|notice|info|debug}.

severity<info|warning|error|fatal>[<info|warning|error|fatal>][<info|warning|error|fatal>][<info|warning|error|fatal>]

Specifies the severity levels for which syslogmessages should be sent for the specifiedmodules. <severity> is the severity for whichsyslog messages are sent.

udp-port <port> Specifies the UDP port number on which to sendsyslog messages to the syslog host. <port> isthe UNIX system syslog host port number (514to 530).


NN46205-703 03.02 12 April 2010


.

283.

Log configuration using the CLIUse log files and messages to help perform diagnostic and faultmanagement functions.

Log configuration navigation• “Roadmap of CLI log commands” (page 283)

• “Configuring logging” (page 284)

• “Viewing logs” (page 285)

• “Configuring the remote host address for log transfer” (page 287)

• “Configuring system logging to a PCMCIA or external flash” (page 289)

• “Starting system message logging to a PCMCIA or external flash card”(page 290)


• “Configuring system message control” (page 291)

• “Extending system message control” (page 292)

• “Configuring CLI logging” (page 293)

Roadmap of CLI log commandsThe following roadmap lists some of the CLI commands and theirparameters that you can use to complete the procedures in this section.

Command Parameter

config bootconfig logfile<minsize> <maxsize><maxoccupyPercentage>

config bootconfig flags logging<true|false>

config cli clilog enable <true|false>


NN46205-703 03.02 12 April 2010


.

284 Log configuration using the CLI

Command Parameter

maxfilesize <64 to 256000>

info

clear

info

level [<level>]

logToPCMCIA <true|false>

screen [<setting>]

config log

write <str>

add-IP <ipaddr>

filename <str>

info

config log transferFile

remove-IP

action <suppress-msg|send-trap|both>

control-interval <minutes>

disable

enable

info

config sys set msg-control

max-msg-num <number>

add <str>

del <str>

config sys set msg-controlforce-msg

info

show cli clilog info

show clilog file [tail] [grep<value>]

show log file [tail][name-of-file <value>][category <value>][severity <value>][CPU <value>][save-to-file <value>]

ATTENTIONThe show log file tail name-of-file<filename> command does not produce anyoutput if the tail option is used. The workaroundis to redirect the output to another file using thesave-to-file option and view the log file in a texteditor.

show log level

Configuring loggingYou can configure log file parameters, as well as write, or clear the log fileautomatically created by the system.


NN46205-703 03.02 12 April 2010


.

Viewing logs 285

Procedure steps

Step Action

1 Define which messages are logged:

config log level [<level>]

2 Write the log file from memory to a file:

config log write <str>

3 Use the following table to help you configure other parametersas required.

--End--

Variable definitionsUse the information in the following table to help you use the config logcommands.

Variable Value

clear Clears the log file.

info Displays the current log settings.

level [<level>] Shows and sets the logging level. <level>is one of these values: 0 = Information; allmessages are recorded. 1 = Warning; onlywarning and more serious messages arerecorded. 2 = Error; only error and more seriousmessages are recorded. 3 = Manufacturing; thisparameter is not available for customer use. 4= Fatal; only fatal messages are recorded. Thedefault is 0.

logToPCMCIA<true|false>

Starts or stops logging system messages to thePCMCIA (or external flash) card. The defaultvalue is true.

screen [<setting>] Sets the log display on the screen to on or off,where setting is on or off. The default value is off.

write <str> Writes the log file with the designated string.<str> is the string or command that you appendto the log file. If the string contains spaces, youmust enclose the string in quotation marks.

Viewing logsYou can view log files by file name, category, severity, and SF/CPU.


NN46205-703 03.02 12 April 2010


.


ATTENTIONThe show log file tail name-of-file <filename> command does notproduce any output if the tail option is used. The workaround is to redirectthe output to another file using the save-to-file option and view the log file in atext editor.

Procedure steps

Step Action

1 To display log information by file name, category, severity, orSF/CPU, enter the following command:

show log file [tail] [name-of-file <value>] [category<value>] [severity <value>] [CPU <value>] [save-to-file<value>]

--End--

Variable definitionsUse the following table for help with the show log file command.

category <value> Filters and list the logs according to category. Specifya string length of 0–100 characters. To specify multiplefilters, separate each category by the vertical bar (|), forexample, OSPF|FILTER|QOS.

Options include CPU, DVMRP, EAP, FILTER, HW,IGMP, IP, IPX, IP-RIP, IPMC, MLT, MPLS, OSPF, PIM,POLICY, QOS, RADIUS, RIP, RMON, SNMP, STG,SW, VLAN, WEB, COP-SW, HAL, RCMPLS.

CPU <value> Filters and list the logs according to the SF/CPUthat generated it. Specify a string length of 0–25characters. To specify multiple filters, separateeach SF/CPU by the vertical bar (|), for example,CPU5|CPU6.

name-of-file<value>

Displays the valid logs from the file name specified by<value>. For example, /pcmcia/logcopy.txt. You cannotuse this command on the current log file—the file intowhich the messages are currently logged. Specify astring length of 1–99 characters.


NN46205-703 03.02 12 April 2010


.

Configuring the remote host address for log transfer 287

save-to-file<value>

Redirects the output to the specified file and remove allencrypted information. The tail option is not supportedwith the save-to-file option. Specify a string lengthof 0–99 characters.

severity <value> Filters and list the logs according to severity. SpecifyINFO, ERROR, WARNING, or FATAL. To specifymultiple filters, separate each severity by the verticalbar (|), for example, ERROR|WARNING|FATAL.

Job aidThe following example shows you how to display all of the log messagesgenerated by OSPF and IP with severity levels of ERROR and WARNING.

ERS 8610:5# show log file category OSPF|IP severityERROR|WARNING cpu CPU5

The following example shows you how to display the log messages from aspecific log file.

ERS 8610:5# show log file name-of-file /pcmcia/sample.txt

Configuring the remote host address for log transferConfigure the remote host address for log transfer. The system transfersthe current log file to a remote host when the log file size reaches theconfigured maximum size.

Prerequisites

• The IP address you configure for the remote host must be reachable atthe time of configuration.

Procedure steps

Step Action

1 Configure the remote host address for log transfer by using thefollowing command:

config log transferFile <id> add_IP <ipaddr>

<id> specifies the ID for the remote host. The range is 1–10.

2 You can specify the file name:

config log transferFile <id> filename <str>

This command sets the IP address for the remote host to thedefault (0.0.0.0).


NN46205-703 03.02 12 April 2010


.


3 To show the configured IP address and the file name for theremote host, use the following command:

config log transferFile <id> info

--End--

Variable definitionsUse the information in the following table to help you use the config logtransferFile <id> command.

Variable Value

add-IP <ipaddr> Specifies the IP address of the host to where thelog file needs to be transferred. Specify the IPaddress in the format a.b.c.d. The remote hostmust be reachable or the configuration fails.

filename <str> Specify the name of the file stored in the remotehost. If not configured, the current log file name isthe default.

ATTENTIONNortel recommends that you do not set thisoption. If this option is set, the previouslytransferred log file is overwritten on the remoteserver.

info Shows information about the log file transferconfiguration.

remove-IP Removes the IP address.

Job aidThe following example shows you how to configure the remote hostaddress for log transfer.

ERS-8610:5# config log transferFile 1 add-IP 10.10.42.1

ERS-8610:5# config log transferFile 1 info

Sub-Context:Current Context:RemoteIPAddress : 10.10.42.1File Name : 39d00005.000

If the IP address you are attempting to configure is not reachable, thefollowing message appears:


NN46205-703 03.02 12 April 2010


.

Configuring system logging to a PCMCIA or external flash 289

Destination IP address not reachable !!! Could not configure

Configuring system logging to a PCMCIA or external flashSystem logs are a valuable diagnostic tool. You can send log messages toa PCMCIA card (or external flash on the 8895 SF/CPU) for later retrieval.

Define the minimum and maximum log file sizes to bound the file storagesize on the PCMCIA (or external flash) card. The system transfersthe current log file to a remote host when the log file size reaches theconfigured maximum size.

Although log file parameters are stored in the boot configuration file, youcan change them at anytime without restarting the system. Changes madeto these parameters take effect immediately.

When you remove the PCMCIA (or external flash) card from the primarySF/CPU, a trap is generated and system logging continues in DRAM only.

CAUTIONRisk of data lossBefore removing the PCMCIA (or external flash) card fromyour primary SF/CPU, you must stop the logging of systemmessages. Failure to do so may corrupt the file system on thePCMCIA (or external flash) card and cause your log file to bepermanently lost.

Prerequisites


Procedure steps

Step Action

1 Enable system logging to a PCMCIA (or external flash) card:

config bootconfig flags logging <true|false>

If the logging flag is not set to true, the entries are stored inmemory.

2 Configure the logfile parameters:

config bootconfig logfile <minsize> <maxsize><maxoccupyPercentage>

--End--


NN46205-703 03.02 12 April 2010


.


Variable definitionsUse the information in the following table to help you use the configbootconfig commands in this procedure.

Variable Value

flags logging<true|false>

Enables or disables logging to a PCMCIA(or external flash) card. The log fileis named using an 8.3 (xxxxxxxx.sss)format. The first six characters of the filename contain the last three bytes of thechassis base MAC address. The next twocharacters specify the slot number of theSF/CPU that generated the logs. The lastthree characters denote the sequencenumber of the log file. Multiple sequencenumbers are generated for the samechassis and same slot, if the SF/CPU isreplaced, reinserted, or if the maximum logfile size is reached.

logfile <minsize><maxsize><maxoccupyPercentage>

Configures the logfile parameters:• <minsize> specifies the minimum

space used for the logfile from 64 to 500KB.

• <maxsize> specifies the minimumspace used for the logfile from 500 to16384 KB.

• <maxoccupyPercentage> specifiesthe maximum percentage of space onthe memory card used for the logfilefrom 10 to 90%.

Starting system message logging to a PCMCIA or external flashcard

Begin or stop logging system messages to the PCMCIA card (or externalflash on the 8895 SF/CPU).

Be aware that when you remove the PCMCIA (or external flash) card fromthe primary SF/CPU, a trap is generated and system logging continues inDRAM only.


NN46205-703 03.02 12 April 2010


.

Configuring system message control 291


Procedure steps

Step Action

1 To begin or stop logging system messages on the PCMCIA (orexternal flash) card, use the following command:

config log logToPCMCIA <true|false>

--End--

Variable definitionsUse the date in the following table to complete the config loglogToPCMCIA command.

Variable Value

<true|false> Begin or stop the logging of system messages on thePCMCIA (or external flash) card. If true is specified,the following message appears: Logging to PCMCIASTARTED. If false is specified, the following messageappears: Logging to PCMCIA STOPPED.

Configuring system message controlConfigure system message control to suppress duplicate error messageson the console, and to determine the action to take if they occur.

Procedure steps

Step Action

1 Configure system message control action by using the followingcommand:

config sys set msg-control action <suppress-msg|send-trap|both>

2 Configure the maximum number of messages by using thefollowing command:

config sys set msg-control max-msg-num <number>


NN46205-703 03.02 12 April 2010


.


3 Configure the interval by using the following command:

config sys set msg-control control-interval <minutes>

4 Enable message control:

config sys set msg-control enable

--End--

Variable definitionsUse the information in the following table to complete the config sys setmsg-control command.

Variable Value


Configures the message control action. Thedefault value is supress-msg.

control-interval<minutes>

Configures the message control interval inminutes. The valid options are 1 to 30. Thedefault value is 5.

disable Disables system message control.

enable Activates system message control. Enablingthis command suppresses duplicate errormessages.

info Displays the configuration of systemmessage control.

max-msg-num <number> Configures the number of occurrences ofa message after which the control actionhappens. To set the maximum number ofoccurrences, enter a value from 2 to 500.The default value is 5.

Extending system message controlUse the force message control option to extend the message controlfeature functionality to the software and hardware log messages.

To enable the message control feature, you must specify an action, controlinterval, and maximum message number. After enabling the feature, thelog messages, which get repeated and cross the maximum messagenumber in the control interval, trigger the force message feature. You caneither suppress the message or send a trap notification, or both.


NN46205-703 03.02 12 April 2010


.

Configuring CLI logging 293

Procedure steps

Step Action

1 Configure the force message control option by using thefollowing command:

config sys set msg-control force-msg add <str>


config sys set msg-control force-msg info

--End--

Variable definitionsUse the information in the following table to complete the config sys setforce-msg command.

Variable Value

add <str> Used to add a forced message controlpattern, where <str> is a string of 4characters. You can add a four-byte patterninto the force-msg table. The software andthe hardware log messages that use the firstfour bytes matching one of the patterns inthe force-msg table undergo the configuredmessage control action. You can specifyup to 32 different patterns in the force-msgtable. This includes a wild-card pattern(****) as well. Upon specifying the wild-cardpattern, all messages undergo messagecontrol.

del <str> Deletes a forced message control pattern.

info Displays the current configuration.

Configuring CLI loggingWhen enabled, CLI logging keeps track of all command line interfacecommands executed on the switch. Use CLI logging for fault managementpurposes.

Procedure steps

Step Action

1 To enable or disable CLI logging, enter the following command:

config cli clilog enable <true|false>


NN46205-703 03.02 12 April 2010


.


2 To change the maximum file size used for CLI logs:

config cli clilog maxfilesize <64 to 256000>


config cli clilog info

show cli clilog info

4 To view the CLI log:

show clilog file [tail] [grep <value>]

--End--

Variable definitionsUse the information in the following table to help you use the config cliclilog commands.

Variable Value

enable <true|false> Enables or disables CLI logging.

info Shows configuration information.

maxfilesize <64 to 256000> Specifies the maximum file size of the logfile in KB.

Use the information in the following table to help you use the showclilog file commands.

Variable Value

tail Shows the last results first.

grep <value> Performs a string search in the CLI logfile. <value> is the string, of up to 256characters in length, to match.


NN46205-703 03.02 12 April 2010


.

295.

SNMP trap configuration using theNNCLI

Use SNMP traps and notifications to allow management stations to gatherinformation about switch activities, alarms, and other information.

Specify which protocols and processes generate traps by enabling trapsfor that protocol. For example, to allow SNMP traps to be generated forOSPF, use the following command: ip ospf trap enable.


SNMP trap configuration navigation• “Roadmap of SNMP trap NNCLI commands” (page 295)

• “Job aid: SNMP configuration in the NNCLI” (page 297)

• “Configuring SNMP notifications” (page 298)

• “Configuring an SNMP host” (page 299)

• “Configuring SNMP target table parameters” (page 301)

• “Configuring an SNMP notify filter table” (page 301)

• “Configuring SNMP interfaces” (page 302)

• “Enabling SNMP trap logging” (page 303)

• “Configuring a UNIX system log and syslog host” (page 304)

Roadmap of SNMP trap NNCLI commandsThe following roadmap lists some of the NNCLI commands and theirparameters that you can use to complete the procedures in this section.

Command Parameter



NN46205-703 03.02 12 April 2010


.

296 SNMP trap configuration using the NNCLI

Command Parameter

clear logging

show snmp-server host

show snmp-server notify-filter

show syslog

show syslog host <1-10>


agent-conformance enable

authentication-trap enable

force-iphdr-sender enable

force-trap-sender enable

notify-filter <WORD 1-32> <WORD 1-32>

snmp-server

sender-ip <A.B.C.D> <A.B.C.D>

v1 <WORD 1-32> [filter <WORD 1-32>][target-name <WORD 1-32>]

v2c <WORD 1-32> [inform [mms <0-2147483647>] [retries <0-255>] [timeout<0-2147483647>]] [filter <WORD 1-32>][target-name <WORD 1-32>]

snmp-server host <WORD 1-256> port<1-65535>

v3 {noAuthnoPriv|authNoPriv|authPriv}<WORD 1-32> [inform [retries <0-255>][timeout <0-2147483647>]] [filter <WORD1-32>] [target-name <WORD 1-32>]

enablesnmp-server log

max-file-size <64-256000>

enable

ip-header-type <default|circuitless-ip|management-virtual-ip>

syslog

max-hosts <1-10>

<cr>

address <A.B.C.D>

enable

facility {local0|local1|local2|local3|local4|local5|local6|local7}

maperror {emergency|alert|critical|error|warning|notice|info|debug}

mapfatal {emergency|alert|critical|error|warning|notice|info|debug}

syslog host <1-10>


NN46205-703 03.02 12 April 2010


.

Job aid: SNMP configuration in the NNCLI 297

Command Parameter

mapinfo {emergency|alert|critical|error|warning|notice|info|debug}

mapwarning {emergency|alert|critical|error|warning|notice|info|debug}

severity <info|warning|error|fatal>[<info|warning|error|fatal>][<info|warning|error|fatal>][<info|warning|error|fatal>]

udp-port <514-530>

Job aid: SNMP configuration in the NNCLISNMP is configured differently in the NNCLI than in the CLI.Auto-generation of several parameters and command structure changesmeans that several configuration procedures are no longer required in theNNCLI. The following sections describe the changes.

• “snmpNotifyFilterTable” (page 297)

• “snmpTargetAddrTable” (page 298)

• “snmpTargetParamsTable” (page 298)

• “snmpNotifyTable” (page 298)

snmpNotifyFilterTableIn the CLI, the Type is explicitly specified to be include or exclude. Inthe NNCLI, this is specified by using the Subtree OID. If the SubtreeOID parameter uses a + prefix (or no prefix), this indicates include. If theSubtree OID uses the - prefix, this indicates exclude.

In the CLI, the Mask is explicitly configured in hex-colon format. InNNCLI, the user does not calculate the mask, because it is automaticallycalculated. The wildcard character * can specify the mask within theOID. The OID need not be specified in the dotted decimal format; youcan alternatively specify the MIB parameter names. The OIDs areautomatically calculated.

Example:

snmp-server view abc ifEntry.*.2

This command creates an entry with ViewName = abc, Subtree =1.3.6.1.2.1.2.2.1.0.2 and Mask = FF: A0.

Notify-filter mask entries in the notify-filter table are not saved if youchange from CLI to NNCLI mode.


NN46205-703 03.02 12 April 2010


.


snmpTargetAddrTableIn the CLI, the TargetName is user-configurable. In NNCLI, it is generatedbased on the TargetAddress, SecurityModel and SecurityName given bythe user while creating an entry.

The TargetAddrTaglist can be specified only for v2 and v3 users. If theInform parameter is not configured, the default is used (Trap).

In NNCLI, it is not possible to modify the timeout, retries and MMS valuesfor an SNMPv1 target-address, but is possible for SNMPv2 and SNMPv3.The port option is not required for snmp-server host creation.

In the NNCLI, the TargetAddrParamsName is the same as theTargetName. In CLI, the user specifies both of these names explicitly. Theoriginal TargetName is retained across CLI and NNCLI.

For successful load of SNMP server host configurations into NNCLI fromCLI or Enterprise Device Manager, those configurations must be complete.That is, the corresponding TargetParam entries and TargetAddressconfigurations must be complete.

In the NNCLI, the snmpTargetAddrTable, snmpNotifyFilterProfileTable,and snmpTargetParamsTable are simultaneously created usingthe snmp-server host command. Deletion of an entry in thesnmpTargetAddrTable deletes all the entries corresponding to that entryfrom these tables.

Toggling between CLI and NNCLI can cause loss of configurationsbecause the target address table configurations are different in CLI andNNCLI. The Tparm Name parameter is lost while changing from CLI toNNCLI.

snmpTargetParamsTableIn the NNCLI, the snmpTargetParamsTable is populated by using thesnmp-server host command.

snmpNotifyTableThere are two preconfigured entries in the snmpNotifyTable. Theseentries cannot be modified or deleted. The NNCLI command set does notallow you to create or delete entries in the snmpNotifyTable; this table isautomatically generated.

Configuring SNMP notificationsThe SNMP notification table (snmpNotifyTable) is preconfigured andnonconfigurable in the NNCLI.


NN46205-703 03.02 12 April 2010


.

Configuring an SNMP host 299

Configuring an SNMP hostConfigure an SNMP host so that the switch can forward SNMP traps to ahost for monitoring. You can use SNMPv1, SNMPv2c, or SNMPv3.

Prerequisites


Procedure steps

Step Action

1 Configure an SNMPv1 host by entering the following command:

snmp-server host <WORD 1-256> port <1-65535> v1 <WORD1-32> [filter <WORD 1-32>] [target-name <WORD 1-32>]

<WORD 1-256> specifies either an IPv4 or IPv6 address. port<1-65535> specifies the host server port number.

2 Configure an SNMPv2c host by entering the following command:

snmp-server host <WORD 1-256> port <1-65535> v2c<WORD 1-32> [inform [mms <0-2147483647>] [retries<0-255>] [timeout <0-2147483647>]] [filter <WORD 1-32>][target-name <WORD 1-32>]

3 Configure an SNMPv3 host by entering the following command:

snmp-server host <WORD 1-256> port <1-65535> v3{noAuthnoPriv|authNoPriv|AuthPriv} <WORD 1-32> [inform[retries <0-255>] [timeout <0-2147483647>]] [filter<WORD 1-32>] [target-name <WORD 1-32>]



--End--

Variable definitionsUse the information in the following table to use the snmp-server host<WORD 1-256> port <1-65535> command.


NN46205-703 03.02 12 April 2010


.


Variable Value

v1 <WORD 1-32>[filter <WORD 1-32>][target-name <WORD1-32>]

Creates a new SNMPv1 entry for the targetaddress table.• <WORD 1-32> specifies the security name,

which identifies the principal that generatesSNMP messages.

• filter <WORD 1-32> specifies the filterprofile to use.

• target-name <WORD 1-32> is the targetname with a string length of 1 to 32.

v2c <WORD 1-32> [inform[mms <0-2147483647>][retries <0-255>][timeout <0-2147483647>]] [filter <WORD1-32>] [target-name<WORD 1-32>]

Creates a new SNMPv2c entry for the targetaddress table.• <WORD 1-32> specifies the security name,

which identifies the principal that generatesSNMP messages.

• inform indicates that SNMP notificationsshould be sent as inform (rather than trap).

• mms <0-2147483647> specifies themaximum message size as an integer witha range of 1 to 2147483647. The defaultvalue is 484.

• retries <0-255> specifies the retry countvalue with a range of 0 to 255. The defaultvalues is 3.

• timeout <0-2147483647> specifies thetimeout value in seconds with a range of 0to 214748364. The default value is 1500.



v3 {noAuthnoPriv|authNoPriv|AuthPriv}<WORD 1-32>[inform [retries<0-255>][timeout <0-2147483647>]][filter <WORD 1-32>][target-name <WORD1-32>]

Creates a new SNMPv3 entry for the targetaddress table.• {noAuthnoPriv|authNoPriv|AuthPri

v} specifies the security level.

• <WORD 1-32> specifies the security name,which identifies the principal that generatesSNMP messages.

• inform indicates that SNMP notificationsshould be sent as inform (rather than trap).

• retries <0-255> specifies the retry countvalue with a range of 0 to 255.


NN46205-703 03.02 12 April 2010


.

Configuring an SNMP notify filter table 301

Variable Value

• timeout <0-2147483647> specifies thetimeout value in seconds with a range of 0to 214748364.



Example of configuring an SNMP host

Procedure steps

Step Action

1 Configure the target table entry:

snmp-server host 198.202.188.207 port 162 v2c ReadViewinform retries 3

snmp-server host 198.202.188.207 port 162 v2c ReadViewinform mms 484

snmp-server host 198.202.188.207 port 162 v2c ReadViewinform timeout 1500

--End--

Configuring SNMP target table parametersIn NNCLI, the target table parameters (security name, model) areconfigured as part of the SNMP host configuration. For more information,see “Configuring an SNMP host” (page 299).

Configuring an SNMP notify filter tableConfigure the notify table to select management targets to receivenotifications, as well as the type of notification to send to eachmanagement target. For more information about the notify filter table, seeRFC 3413.

Prerequisites



NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Create a new notify filter table by using the following command:

snmp-server notify-filter <WORD 1-32> <WORD 1-32>


show snmp-server notify-filter

--End--

Variable definitionsUse the information in the following table to complete the snmp-servernotify-filter command.

Variable Value

<WORD 1-32> <WORD1-32>

Creates a notify filter table.• <WORD 1-32> specifies the name of the filter


• The second <WORD 1-32> identifies the filtersubtree OID with a string length of 1 to 32.

If the Subtree OID parameter uses a + prefix (orno prefix), this indicates include. If the SubtreeOID uses the - prefix, this indicates exclude.

Configuring SNMP interfacesIf the Ethernet Routing Switch 8600 has multiple interfaces, configure theIP interface from which the SNMP traps originate.

Prerequisites


Procedure steps

Step Action

1 Configure the destination and source IP addresses for SNMPtraps:

snmp-server sender-ip <A.B.C.D> <A.B.C.D>

2 If required, send the source address (sender IP) as the sendernetwork in the notification message:


NN46205-703 03.02 12 April 2010


.


snmp-server force-trap-sender enable

3 If required, force the SNMP and IP sender flag to be the same:

snmp-server force-iphdr-sender enable

--End--

Variable definitionsUse the information in the following table to complete the snmp-servercommand.

Variable Value

agent-conformanceenable

Enables the agent conformance mode.Conforms to MIB standards when disabled. Ifyou activate this option, feature configurationis stricter and error handling less informative.Activating this option is not a recommended ornormally supported mode of operation.

authentication-trapenable

Activates the generation of authenticationtraps.

force-iphdr-senderenable

Enables the automatic configuration of theSNMP and IP sender to the same value. Thedefault is false.

force-trap-senderenable

Enabled sending the configured sourceaddress (sender IP) as the sender network inthe notification message.

sender-ip <A.B.C.D><A.B.C.D>

Configures the SNMP trap receiver and sourceIP addresses. Specify the IP address of thedestination SNMP server that will receive theSNMP trap notification in the first IP address.Specify the source IP address of the SNMPtrap notification packet that is transmitted in thesecond IP address. If this is set to 0.0.0.0 thenthe switch uses the IP address of the localinterface that is closest (from an IP routingtable perspective) to the destination SNMPserver.

Enabling SNMP trap loggingUse SNMP trap logging to send a copy of all traps to the PCMCIA card (orexternal flash on the 8895 SF/CPU).


NN46205-703 03.02 12 April 2010


.


Prerequisites



Procedure steps

Step Action

1 To enable SNMP trap logging, use the following command:

snmplog enable

2 To configure the maximum log file size:

snmplog maxfilesize <64-256000>

3 To view the contents of the SNMP log, use the followingcommand:

show snmplog

--End--

Variable definitionsUse the information in the following table to help you use the snmplogcommand.

Variable Value

enable Enables or disables the logging of traps.

maxfilesize<64-256000>

Specifies the maximum file size for the trap log.

Configuring a UNIX system log and syslog hostThe syslog commands control a facility in UNIX machines that logsSNMP messages and assigns each message a severity level based onimportance.

Prerequisites


Procedure steps

Step Action

1 Enable the system log using the following command:


NN46205-703 03.02 12 April 2010


.


syslog enable

Configure other syslog parameters as required using theparameters in the following table.

2 Configure the syslog host using the following command:

syslog host <1-10>

Configure other syslog host parameters as required using theparameters in the following table.

3 View the configuration to ensure it is correct:

show syslog

show syslog host <1-10>

--End--

Variable definitionsUse the information in the following table to help you use the syslogcommand.

Variable Value

enable Enables the sending of syslog messages on theswitch.

ip-header-type<default|circuitless-ip|management-virtual-ip>

Specifies the IP header in syslog packets todefault, circuitless-ip or management-virtual-ip.• If set to default, then for syslog packets that

are transmitted in-band via input/output (I/O)ports, the IP address of the VLAN is used.For syslog packets that are transmittedout-of-band through the management port,the physical IP address of the Master CPUis used in the IP header.

• If set to management-virtual-ip, thenfor syslog packets that are transmittedout-of-band only through the managementport, the virtual management IP address ofthe switch is used in the IP header.

• If set to circuitless-ip, then for all syslogmessages (in-band or out-of-band), thecircuitless IP address is used in the IPheader. If a user has configured multipleCLIPs, the first CLIP configured is used.

max-hosts <1-10> Specifies the maximum number of sysloghosts supported. <maxhost> is the maximumnumber of enabled hosts allowed (1 to 10).


NN46205-703 03.02 12 April 2010


.


Use the information in the following table to help you use the sysloghost <1-10> command.

Variable Value

<cr> Creates a syslog host instance.

address <A.B.C.D> Configures a host location for the syslog host.<A.B.C.D> is the IP address of the UNIXsystem syslog host.

facility {local0|local1|local2|local3|local4|local5|local6|local7}

Specifies the UNIX facility used in messages tothe syslog host. {local0|local1|local2|local3|local4|local5|local6|local7} isthe UNIX system syslog host facility (LOCAL0to LOCAL7).

enable Enables the syslog host.

maperror {emergency|alert|critical|error|warning|notice|info|debug}

Specifies the syslog severity to use for Errormessages.

mapfatal {emergency|alert|critical|error|warning|notice|info|debug}

Specifies the syslog severity to use for Fatalmessages.

mapinfo {emergency|alert|critical|error|warning|notice|info|debug}

Specifies the syslog severity level to use forInformation messages.

mapwarning {emergency|alert|critical|error|warning|notice|info|debug}

Specifies the syslog severity to use for Warningmessages.

severity <info|warning|error|fatal> [<info|warning|error|fatal>][<info|warning|error|fatal>] [<info|warning|error|fatal>]

Specifies the severity levels for which syslogmessages should be sent for the specifiedmodules.

udp-port <514-530> Specifies the UDP port number on which tosend syslog messages to the syslog host. Thisis the UNIX system syslog host port number(514 to 530).


NN46205-703 03.02 12 April 2010


.

307.

Log configuration using the NNCLIUse log files and messages to help perform diagnostic and faultmanagement functions.

Log configuration navigation• “Roadmap of NNCLI log commands” (page 307)

• “Configuring logging” (page 308)

• “Viewing logs” (page 309)

• “Configuring the remote host address for log transfer” (page 311)

• “Configuring system logging to a PCMCIA or external flash” (page 312)


• “Configuring system message control” (page 314)

• “Extending system message control” (page 315)

• “Configuring NNCLI logging” (page 316)

Roadmap of NNCLI log commandsThe following roadmap lists some of the NNCLI commands and theirparameters that you can use to complete the procedures in this section.

Command Parameter


clear logging

show clilog

show clilog file [tail] [grep <WORD1-256>]


NN46205-703 03.02 12 April 2010


.

308 Log configuration using the NNCLI

Command Parameter

config

file [tail] [category <WORD 0-100>][severity <WORD 0-25>] [CPU <WORD0-25>] [name-of-file <WORD 1-99>][save-to-file <WORD 1-99>]

level

show logging

transferFile <1-10>


boot config logfile <64-500><500-16384> <10-90>

boot config flags logging

clilog enable

clilog maxfilesize <64 to 256000>

level <0-4>

logToPCMCIA

screen

logging

write <WORD 1-1536>

address <A.B.C.D>logging transferFile <1-10>

filename <WORD 0-255>

<cr>


control-interval <1-30>

sys msg-control

max-msg-num <2-500>

sys force-msg <WORD 4-4>

Configuring loggingYou can configure log file parameters, as well as write, or clear the log fileautomatically created by the system.

Prerequisites



NN46205-703 03.02 12 April 2010


.

Viewing logs 309

Procedure steps

Step Action

1 Define which messages are logged:

logging level <0-4>

2 Write the log file from memory to a file:

logging write <WORD 1-1536>

3 Use the following table to help you configure other parametersas required.

--End--

Variable definitionsUse the information in the following table to help you use the loggingcommands.

Variable Value

level <0-4> Shows and sets the logging level. The levelis one of these values: 0 = Information;all messages are recorded. 1 = Warning;only warning and more serious messagesare recorded. 2 = Error; only error andmore serious messages are recorded. 3= Manufacturing; this parameter is notavailable for customer use. 4 = Fatal; only fatalmessages are recorded. The default value is 0.

logToPCMCIA Starts logging system messages to thePCMCIA (or external flash) card. The defaultconfiguration is true.

screen Sets the log display on the screen to on. Thedefault configuration is off.

write <WORD 1-1536> Writes the log file with the designated string.<WORD 1-1536> is the string or commandthat you append to the log file. If the stringcontains spaces, you must enclose the string inquotation marks.

Viewing logsYou can view log files by file name, category, severity, and SF/CPU.

Prerequisites



NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 To display log information by file name, category, severity, orSF/CPU, enter the following command:

show logging file [tail] [category <WORD 0-100>][severity <WORD 0-25>] [CPU <WORD 0-25>] [name-of-file<WORD 1-99>] [save-to-file <WORD 1-99>]

--End--

Variable definitionsUse the following table for help with the show logging file command.

category <WORD0-100>

Filters and list the logs according to category. Specifya string length of 0–100 characters. Categoriesinclude SNMP, EAP, RADIUS, RMON, WEB, STG,IGMP, HW, MLT, FILTER, QOS, SW, CPU, IP, VLAN,IPMC, DVMRP, |IPX, IP-RIP, MPLS, OSPF, |PIM,POLICY, RIP. To specify multiple filters, separateeach category by the vertical bar (|), for example,OSPF|FILTER|QOS.

CPU <WORD 0-25> Filters and list the logs according to the SF/CPUthat generated it. Specify a string length of 0–25characters. To specify multiple filters, separateeach SF/CPU by the vertical bar (|), for example,CPU5|CPU6.

name-of-file<WORD 1-99>

Displays the valid logs from this file. For example,/pcmcia/logcopy.txt. You cannot use this command onthe current log file—the file into which the messagesare currently logged). Specify a string length of 1–99characters.

save-to-file<WORD 1-99>

Redirects the output to the specified file and remove allencrypted information. The tail option is not supportedwith the save-to-file option. Specify a string lengthof 1–99 characters.

severity <WORD0-25>

Filters and list the logs according to severity. Choicesinclude INFO, ERROR, WARNING, FATAL. To specifymultiple filters, separate each severity by the verticalbar (|), for example, ERROR|WARNING|FATAL.


NN46205-703 03.02 12 April 2010


.

Configuring the remote host address for log transfer 311

Configuring the remote host address for log transferConfigure the remote host address for log transfer. The system transfersthe current log file to a remote host when the log file size reaches theconfigured maximum size.

Prerequisites

• The IP address you configure for the remote host must be reachable atthe time of configuration.


Procedure steps

Step Action

1 Configure the remote host address for log transfer by using thefollowing command:

logging transferFile <1-10> address <A.B.C.D>

2 You can specify the file name:

logging transferFile <1-10> filename <WORD 0-255>

--End--

Variable definitionsUse the information in the following table to help you use the loggingtransferFile <1-10> command.

Variable Value

address <A.B.C.D> Specifies the IP address of the host to where thelog file needs to be transferred. The remote hostmust be reachable or the configuration will fail.

filename <WORD0-255>

Specify the name of the file stored in the remotehost. If not configured, the current log file name isthe default.

ATTENTIONNortel recommends that you do not set thisoption. If this option is set, the previouslytransferred log file is overwritten on the remoteserver.


NN46205-703 03.02 12 April 2010


.


Configuring system logging to a PCMCIA or external flashSystem logs are a valuable diagnostic tool. You can send log messages toa PCMCIA card (or external flash on the 8895 SF/CPU) for later retrieval.

Define the minimum and maximum log file sizes to bound the file storagesize on the PCMCIA (or external flash) card. The system transfersthe current log file to a remote host when the log file size reaches theconfigured maximum size.

Although log file parameters are stored in the boot configuration file, youcan change them at anytime without rebooting the system. Changes madeto these parameters take effect immediately.

When you remove the PCMCIA (or external flash) card from the primarySF/CPU, a trap is generated and system logging continues in DRAM only.


Prerequisites



Procedure steps

Step Action

1 Enable system logging to a PCMCIA (or external flash) card:

boot config flags logging

If the logging flag is not set to true, the entries are stored inmemory.

2 Configure the logfile parameters:

boot config logfile <64-500> <500-16384> <10-90>

--End--


NN46205-703 03.02 12 April 2010


.

Starting system message logging to a PCMCIA or external flash card 313

Variable definitionsUse the information in the following table to help you use the bootconfig commands in this procedure.

Variable Value

flags logging Enables or disables logging to a PCMCIA(or external flash) card. The log fileis named using an 8.3 (xxxxxxxx.sss)format. The first six characters of the filename contain the last three bytes of thechassis base MAC address. The next twocharacters specify the slot number of theSF/CPU that generated the logs. The lastthree characters denote the sequencenumber of the log file. Multiple sequencenumbers are generated for the samechassis and same slot, if the SF/CPU isreplaced, reinserted, or if the maximum logfile size is reached.

logfile <64-500><500-16384> <10-90>

Configures the logfile parameters:• <64-500> specifies the minimum space

used for the logfile from 64 to 500 KB.

• <500-16384> specifies the minimumspace used for the logfile from 500 to16384 KB.

• <10-90> specifies the maximumpercentage of space used for the logfilefrom 10 to 90%.

Starting system message logging to a PCMCIA or external flashcard

Begin or stop logging system messages to the PCMCIA card (or externalflash on the 8895 SF/CPU).

Note that when you remove the PCMCIA (or external flash) card from theprimary SF/CPU, a trap is generated and system logging continues inDRAM only.



NN46205-703 03.02 12 April 2010


.


Prerequisites


Procedure steps

Step Action

1 To begin logging system messages on the PCMCIA (or externalflash) card, use the following command:

log logToPCMCIA

2 To stop logging:

no log logToPCMCIA

--End--

Configuring system message controlConfigure system message control to suppress duplicate error messageson the console, and to determine the action to take if they occur.

Prerequisites


Procedure steps

Step Action

1 Configure system message control action by using the followingcommand:

sys msg-control action <suppress-msg|send-trap|both>

2 Configure the maximum number of messages by using thefollowing command:

sys msg-control max-msg-num <2-500>

3 Configure the interval by using the following command:

sys msg-control control-interval control-interval<1-30>

4 Enable message control:


NN46205-703 03.02 12 April 2010


.

Extending system message control 315

sys msg-control

--End--

Variable definitionsUse the information in the following table to complete the sysmsg-control command.

Variable Value

<cr> Activates system message control. Enablingthis command suppresses duplicate errormessages.


Configures the message control action. Thedefault value is suppress-msg.

control-interval <1-30> Configures the message control interval inminutes. The valid options are 1 to 30. Thedefault value is 5.

max-msg-num <2-500> Configures the number of occurrences ofa message after which the control actionhappens. To set the maximum number ofoccurrences, enter a value from 2 to 500. Thedefault values is 5.

Extending system message controlUse the force message control option to extend the message controlfeature functionality to the software and hardware log messages.

To enable the message control feature, you must specify an action, controlinterval, and maximum message number. After enabling the feature, thelog messages, which get repeated and cross the maximum messagenumber in the control interval, trigger the force message feature. You caneither suppress the message or send a trap notification, or both.

Prerequisites


Procedure steps

Step Action

1 Configure the force message control option by using thefollowing command:


NN46205-703 03.02 12 April 2010


.


sys force-msg <WORD 4-4>

--End--

Variable definitionsUse the information in the following table to help you use this command.

Variable Value

<WORD 4-4> Used to add a forced message controlpattern, where <WORD 4-4> is a string of 4characters. You can add a four-byte patterninto the force-msg table. The software andthe hardware log messages that use the firstfour bytes matching one of the patterns inthe force-msg table undergo the configuredmessage control action. You can specifyup to 32 different patterns in the force-msgtable. This includes a wildcard pattern (****)as well. Upon specifying the wildcard pattern,all messages undergo message control.

Configuring NNCLI loggingWhen enabled, NNCLI logging keeps track of all command line interfacecommands executed on the switch. Use NNCLI logging for faultmanagement purposes.

Prerequisites


Procedure steps

Step Action

1 To enable NNCLI logging, enter the following command:

clilog enable

2 To change the maximum file size used for NNCLI logs:

clilog maxfilesize <64 to 256000>


show clilog

4 To view the NNCLI log:


NN46205-703 03.02 12 April 2010


.

Configuring NNCLI logging 317

show clilog file [tail] [grep <WORD 1-256>]

--End--

Variable definitionsUse the information in the following table to help you use the clilogcommands.

Variable Value

enable Enables NNCLI logging. To disable, usethe no clilog enable command.

maxfilesize <64 to 256000> Specifies the maximum file size of the logfile in KB.

Use the information in the following table to help you use the showclilog file commands.

Variable Value

tail Shows the last results first.

grep <WORD 1-256> Performs a string search in the log file.<WORD 1-256> is the string, of up to 256characters in length, to match.


NN46205-703 03.02 12 April 2010


.



NN46205-703 03.02 12 April 2010


.

319.

Recovery trees and proceduresThis section provides problem scenarios and recovery procedures.

Navigation• “Recovery trees” (page 319)

• “Licensing problems and recovery” (page 323)

Recovery treesRecovery trees provide a quick reference for troubleshooting withoutprocedural detail. They are meant to quickly guide you through somecommon failure scenarios and provide a solution.

Recovery trees navigation

• “IST failure” (page 319)

• “DHCP Relay failure” (page 320)

• “SNMP failure” (page 321)

• “Flash failure” (page 322)

IST failureUse the following flowchart to help provide guidance if an Interswitch Trunk(IST) fails. For more information, see “Troubleshooting IST failure usingthe CLI” (page 335) and “Troubleshooting IST failure using the NNCLI”(page 336).


NN46205-703 03.02 12 April 2010


.

320 Recovery trees and procedures

Figure 4IST failure recovery tree

DHCP Relay failureUse the following flowchart to help provide guidance if DHCP Relay fails.For more information, see “DHCP troubleshooting” (page 394).


NN46205-703 03.02 12 April 2010


.

Recovery trees 321

Figure 5DHCP Relay failure recovery tree

SNMP failureUse the following flowchart to help provide guidance if Simple NetworkManagement Protocol (SNMP) access fails. For more information, see“SNMP troubleshooting” (page 393).


NN46205-703 03.02 12 April 2010


.


Figure 6SNMP failure recovery tree

Flash failureUse the following flowchart to help provide guidance if you cannot writeto the flash.

CAUTIONRisk of file lossBefore you format the flash, ensure you back up all files.Formatting the flash deletes all files, including configuration andlicense files.


NN46205-703 03.02 12 April 2010


.

Licensing problems and recovery 323

Figure 7Flash failure recovery tree

Licensing problems and recoveryThe following sections describe licensing problems you may encounterand provides solutions. For more information about installing licensesand accessing the License Bank, see Ethernet Routing Switch 8600Administration (NN46205-605).

Licensing problems and recovery navigation

• “Job aid: general tips and information” (page 323)

• “Issue: license will not install” (page 324)

• “Issue: cannot transfer license” (page 325)

• “Issue: license file generation does not succeed” (page 326)

• “Issue: licensed features cannot be configured” (page 327)

Job aid: general tips and informationThe following paragraphs provide important license information.


NN46205-703 03.02 12 April 2010


.


When you configure the name of license file, use only lowercasecharacters.

To unlock Advanced or Premier features, a switch requires only onelicense file. If you upgrade from an Advanced license to a Premier license,you can delete the Advanced License file. If they have different names,more than one license file can be stored in Flash memory, but only oneis used to unlock features.

If two license files are installed on an Ethernet Routing Switch 8600, forexample, one Advanced and one Premier license file, the Premier Licensetakes precedence over the Advanced License. For example, if the filenames are bld100_8610adv.dat and bld100_8610prem.dat, during the bootprocess, only the Premier license file is loaded.

You can swap licenses to another switch a maximum of once per 10chassis licenses purchased, with an exception for the 1-chassis license, asfollows:

• 1-chassis license: 1 swap

• 10-chassis license: 1 swap

• 50-chassis license: 5 swaps

• 100-chassis license: 10 swaps

The license bank can contain many licenses of the same or different types.A license file is generated for a specific license and switch type. EachLicense Authorization Code (LAC) type and deposit appears separatelyin the license bank, and shows the number of licenses that are used andavailable for the LAC. License files are not transferable between switchtypes, for example, between an Ethernet Routing Switch 8600 and anEthernet Routing Switch 8300.

If you lose or forgot your license portal password, call Nortel TechnicalSupport.

If you lose a license file, logon to the license bank and download thelicense file again.

Issue: license will not installThis section describes methods to troubleshoot the following licensingscenario:

• The license will not install or is not recognized on a switch.

• An "Invalid license file" message appears on the console or CLI.

Possible causes:


NN46205-703 03.02 12 April 2010


.


• The license file does not contain a MAC address that matches theswitch to which it is installed. This may occur due to:

— switch replacement

— incorrect MAC address specified when the license file wasgenerated

Prerequisites

• Use the show license command to double-check that the license isnot installed.

• For more information about transferring a license and installinga license, see Ethernet Routing Switch 8600 Administration(NN46205-605).

Procedure steps

Step Action

1 Check the license file on the License Bank and confirm that theMAC address is incorrect.

2 To correct the MAC address, use the Transferring a licenseprocedure.

3 Check the license file on the License Bank and confirm that theMAC address is now correct.

4 Install the license file on the switch.

--End--

Issue: cannot transfer licenseThis section describes methods to troubleshoot the following licensingscenario:

• Attempts to transfer a license using the Replace Switch MAC functionfail. After the Replace Switch MAC button is clicked, the error message


NN46205-703 03.02 12 April 2010


.


"You have reached the limit of MAC address changes for this file"appears.

Procedure steps

Step Action

1 Check if there is another LAC entry in the License Bank for theswitch of the same license type (that is, Advanced or Premier)that has not been used to swap a MAC address. If so, selecta license file from that LAC and try the Replace Switch MACfunction again.

2 If the same error message appears again, or there is no LACavailable, contact Nortel Customer Support and request a newLAC.

--End--

Issue: license file generation does not succeedThis section describes methods to troubleshoot the following licensingscenario:

• The license file is not generated. The error message appears: Licensefilename contains invalid characters

Possible causes:

• A user attempts to generate a license file using illegal filenamecharacters

Procedure steps

Step Action

1 Do not use illegal characters. For information about allowedcharacters, either click the File Format ? link on theGENERATE LICENSE page, or see Ethernet Routing Switch8600 Administration (NN46205-605).

--End--


NN46205-703 03.02 12 April 2010


.


Issue: licensed features cannot be configuredThis section describes methods to troubleshoot the following licensingscenario:

• After a license file is installed and the switch is rebooted, theassociated licensed features cannot be configured.

Possible causes:

• The license file is not stored in the correct location on the switch.

• The license is not installed.

The commands used in this procedure are the same for CLI or NNCLI.

Procedure steps

Step Action

1 Use the following command to determine if the license is loadedor running:

show license

2 Check the flash directory for the presence of the license file:

dir

The license file must be stored in the flash directory.

3 Ensure that the license file name and location follows theguidelines given in Ethernet Routing Switch 8600 Administration(NN46205-605).

If the license file has the wrong file extension, rename the file sothat it has a .dat file extension.

4 Check switch log messages for errors during boot:

show clilog file

5 After the license filename and location criteria for the license fileis correct, restart the switch:

boot

--End--


NN46205-703 03.02 12 April 2010


.



NN46205-703 03.02 12 April 2010


.

329.

Layer 1 troubleshootingUse this section to help you troubleshoot Layer 1 (physical layer)problems.

Navigation• “Troubleshooting fiber optic links” (page 329)

• “Troubleshooting DWDM XFPs” (page 330)

Troubleshooting fiber optic linksTo troubleshoot optical links and devices, you can use Digital DiagnosticMonitoring (DDM), as well as published optical specifications.

You can troubleshoot fiber optic links to ensure that the optical transmittersand receivers are operating correctly, and to determine if a receiver issaturated, or not receiving enough power.

For small form factor pluggable (SFP) transceiver, 10 Gigabit SFP (XFP)transceiver, and Gigabit Interface Converter (GBIC) specifications, seeNortel Ethernet Routing Switch 8600 Installation — SFP, XFP, GBIC andOADM Hardware Components (NN46205-320).

Procedure steps

Step Action

1 Measure the SFP, XFP, or GBIC transmit power.

2 Compare the measured transmit power with the specified launchpower.

The values should be similar. If the measured power is far belowthe specified value, then a faulty transmitter is a possible cause.

3 Compare the measured transmit power for the near-end opticaldevice to the measured transmit power for the far-end device.


NN46205-703 03.02 12 April 2010


.

330 Layer 1 troubleshooting

Large differences could mean that the optical devices aremismatched (that is, -SX versus -LX).

4 Measure the receive power at each end of the link.

5 Compare the receive power to the transmit power.

• For short fiber links, the transmit and received power shouldbe similar (after taking into consideration connection losses).

• For long fiber links, the transmit and received power shouldbe similar (after taking into consideration connection lossesand fiber attenuation).

Large differences could mean a damaged fiber or dirty or faultyconnectors. It could also mean that the link does not use theright type of fiber (single mode or multimode). If the receiverpower is measured to be zero, and the link used to work, it isprobable that the far-end transmitter is not operating or the fiberis broken.

6 Compare the measured receive power for the near-end opticaldevice to the measured receive power for the far-end device.

Large differences could mean that the optical devices aremismatched (that is, -SX versus -LX). If optical devices aremismatched, the receiver can be saturated (overdriven).

7 If a receiver is saturated but still operable, install a suitableattenuator.

For long-haul optical devices, the receive power must besignificantly less that the transmit power.

8 To help debug the link, loop back the local transmit and receiveports, and use the DDM parameters to help determine the fault.

--End--

Troubleshooting DWDM XFPsAs a physical layer device, a DWDM XFP does not require specificconfiguration to be used. If you experience issues with DWDM XFPs,perform the following steps.

Procedure steps

Step Action

1 To ensure that the DWDM XFPs under use are properlysupported, enter the following CLI command:

show sys pluggable-optical-modules info

OR


NN46205-703 03.02 12 April 2010


.

Troubleshooting DWDM XFPs 331

enter the following NNCLI command:

show pluggable-optical-module basic

From the command output, verify whether the DWDM XFPs arerecognized by the Ethernet Routing Switch as DWDM.

2 In Enterprise Device Manager, select the DWDM XFP port,and then select Edit, Port, General, DDI/SFP and verify thatthe correct information is displayed in the DDI/SFP tab for theDWDM XFP.

3 If the DWDM XFP port shuts down suddenly, theddm-alarm-portdown option may be activated. A high orlow alarm may have occurred on the port. In this case, checkwhether a message has been logged or a trap has beengenerated on the port due to the alarm occurring. If a log or trapis present, take remedial actions to clear the alarm, dependingon the type of alarm.

--End--

Additional useful commandsThe following CLI commands also provide useful information relating toDWDM XFPs:

• show sys pluggable-optical-module info [<portlist>]

• show sys pluggable-optical-module info [<portlist>][detail]

• show sys pluggable-optical-module temperature[<portlist>]

• show sys pluggable-optical-module voltage [<portlist>]

• config sys set pluggable-optical-module info

The following are the NNCLI command equivalents:

• show pluggable-optical-module basic [<portlist>]

• show pluggable-optical-module detail [<portlist>]

• show pluggable-optical-module temperature [<portlist>]

• show pluggable-optical-module voltage [<portlist>]

• show pluggable-optical-module config [<portlist>]


NN46205-703 03.02 12 April 2010


.



NN46205-703 03.02 12 April 2010


.

333.

Layer 2 troubleshootingUse this section to help you troubleshoot Layer 2 (VLAN, spanning tree,link aggregation, multilink trunking) problems.

Navigation• “Troubleshooting SMLT failure using the CLI or NNCLI” (page 333)

• “Troubleshooting IST failure using the CLI” (page 335)

• “Troubleshooting IST failure using the NNCLI” (page 336)

• “Troubleshooting IstSessionDown message using CLI or NNCLI” (page337)

Troubleshooting SMLT failure using the CLI or NNCLIIn typical SMLT topologies, critical network traffic runs over the aggregatedlinks. Therefore, SMLT failure can cause a partial network outagewhen network protocols such as VRRP, OSPF, and RIP, and link layerprotocols such as VLACP register SMLT links going down and (potentially)recovering.

Possible reasons for SMLT failures are as follows:

• the CP-limit feature shuts down an SMLT link due to excessive controltraffic

• the Extended CP-limit feature shuts down an SMLT link due to SystemOctapid congestion

• IST link failure

• VLACP no longer receives VLACP PDUs from a peering device

• SLPP detects a network loop condition

• SMLT configuration errors

• Layer 1 connectivity problems with fiber or copper media


NN46205-703 03.02 12 April 2010


.


If an SMLT failure or link flap occurs, run the following diagnosticcommands to determine the SMLT status and identify a potential triggerfor the issue.

Procedure steps

Step Action

1 To display the status of the SMLT, enter the following CLIcommand:

show mlt info

OR


show mlt

2 To display the SMLT ports and verify their link integrity andstatus, enter the following CLI command:

show port info state

OR


show interface {fastethernet | gigabitEthernet } state

3 To verify in and out data flows over the SMLT interfaces, enterthe following using the CLI or NNCLI:

show mlt stats

4 To identify any SMLT error increments and study the ISTinterface status, enter the following CLI command:

show mlt show-all

OR

enter the following NNCLI commands:

show mlt error main

show mlt error collision

show ist mlt

5 To examine the IST interface message statistics for anyirregularities, enter the following CLI command:

show mlt ist stats

OR


show ist stat


NN46205-703 03.02 12 April 2010


.

Troubleshooting IST failure using the CLI 335

6 If Single Link Trunks (SLT) are provisioned, to establishwhether these links have been affected, enter the following CLIcommand:

show smlt info

OR


show mlt

7 After the SMLT links recover, to inspect forward database (FDB)table software records for their integrity, enter the following CLIcommand:

show vlan info fdb-e [<vid>]

OR


show vlan mac-address-entry [vlan <vid>]

8 After the SMLT links recover, to inspect ARP table softwarerecords for their integrity, enter the following CLI command:

show ip arp info [<ip address>]

OR


show ip arp [<ip address>]

--End--

Troubleshooting IST failure using the CLIWhen interswitch trunk (IST) links are used, all critical network traffic runsthis link. Therefore, in the event of IST failure, network protocols like RIP,VRRP, OSPF, VLACP and so on go up and down and eventually causes anetwork outage.

There are the possible reasons for IST failure:

• The IST had been disabled.

• An incorrect peer IP address is configured.

• The MLT does not have the proper ports configured.

• MLT ports are down.

For a flowchart recovery tree, see “IST failure” (page 319).


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Check IST settings:

show mlt ist info

If any settings are incorrect, make the correction.

2 Check MLT settings:

show mlt info

Verify that the correct ports are members of the MLTs, and thatthe trunk is enabled.

3 Check interface status:

show ip interface

show ports info all

Verify that, for each interface, the port state is enabled, andits operational state is up. If they are not, try to disable thenreenable the port. If the ports do not come up, there may be aphysical layer issue.

--End--

Troubleshooting IST failure using the NNCLIWhen interswitch trunk (IST) links are used, all critical network traffic runsthis link. Therefore, in the event of IST failure, network protocols like RIP,VRRP, OSPF, VLACP and so on go up and down and eventually causes anetwork outage.

There are the possible reasons for IST failure:

• The IST had been disabled.

• An incorrect peer IP address is configured.

• The MLT does not have the proper ports configured.

• MLT ports are down.

For a flowchart recovery tree, see “IST failure” (page 319).

Procedure steps

Step Action

1 Check IST settings:

show ist mlt


NN46205-703 03.02 12 April 2010


.

Troubleshooting BPDU filtering 337

If any settings are incorrect, make the correction.

2 Check MLT settings:

show mlt <1-256>

Verify that the correct ports are members of the MLTs, and thatthe trunk is enabled.

3 Check interface status:

show ip interface

Verify that, for each interface, the port state is enabled, andits operational state is up. If they are not, try to disable thenreenable the port. If the ports do not come up, there may be aphysical layer issue.

--End--

Troubleshooting IstSessionDown message using CLI or NNCLIIf the Ethernet Routing Switch 8600 shows the log messageIstSessionDown for no apparent reason or additional information asto why, use show mlt ist stats (CLI) or show ist stat (NNCLI)to determine if a switch is having difficulty sending or receiving the ISTmessages.

The normal IST message timeout is 50 seconds and is affected by the portlink state. If the lowest numbered port is up, the IST mechanism sends ISTmessages on this link and expects to receive them on this link. A failure ofthe lowest numbered link results in failover to the 2nd lowest, but the ISTalways tries to return to the lowest link whenever the link state is up.

Trace level 25 can show the IST messages being exchanged over the IST.

trace level 25 <1-4>trace screen on (CLI or NNCLI)

Also, enabling VLACP on the IST links can guard against link failures,where the link remains up but the link cannot transmit or receive the ISTmessages reliably.

Troubleshooting BPDU filteringThe following sections provide information for troubleshooting BPDUfiltering issues.

No packets received on the portIn order for BPDU filtering to work on a port, BPDU packets must bereceived on that port. To troubleshoot cases when no packets are receivedon a port, use the following procedure.


NN46205-703 03.02 12 April 2010


.


Step Action

1 Display the BPDU filtering status for the port:

show bpdu-filter 4/1 (CLI)

show spanning-tree bpdu-filtering <slot/port>(NNCLI)

Port MLTID Admin Oper Link LinkTrap TimeoutTimerCount BpduFiltering---- ----- ------- ---- ---- -------- -------------------- -------------4/1 Enable Up Up Enabled 120 0 Enabled

In the sample output, BPDU filtering is enabled for port 4/1, andthe BPDU filter Admin State for the port is Enable, but the TimerCounter is 0.

2 Run the following command to see that packets are received onthe port.

show port stats interface extended port <slot/port>(CLI)

show interface <port-type> statistics verbose<slot/port> (NNCLI)

3 Check that the port receives STP packets by checking the stateof the remote port:

show ports info stg main port <slot/port> (CLI)

show spanning-tree port <slot/port> (NNCLI)

===================================================================Port Stg====================================================================ENABLE FORWARD CHANGE SID PORT_NUM PRIO STATE STPFASTSTART PATHCOST TRANSITION DETECTION---------------------------------------------------------------------------------------------------------------------1 2/3 128 forwarding false false 1 0 true

The state for the remote port (in this example, port 2/3) shouldnot be disabled.

--End--


NN46205-703 03.02 12 April 2010


.

Troubleshooting BPDU filtering 339

SNMP trap not receivedTo troubleshoot issues in which an SNMP trap is not received following anerror condition, use the following procedure.

Step Action

1 Display the BPDU filtering status for the port:

show bpdu-filter <slot/port> (CLI)

show spanning-tree bpdu-filtering <slot/port>(NNCLI)

Port MLTID Admin Oper Link LinkTrap TimeoutTimerCount BpduFiltering---- ----- ------- ---- ---- -------- -------------------- ------------- ------------------4/1 Disable Down Down Enabled 120 116 Enabled

In this output, BPDU filtering is enabled on port 4/1, BPDUpackets are received, port 4/1 is disabled, and the TimerCount isincrementing, but no SNMP trap is ever received.

2 Configure the correct SNMP target information on the switch.

config snmp-v3 target-addr create <Target Name> <Ipaddr:port> <Target parm> [timeout <value>] [retry<value>] [taglist <value>] [mask <value>] [mms<value>] [tdomain <value>] (CLI)

snmp-server host <WORD 1-256> port <1-65535>v3 {noAuthnoPriv|authNoPriv|AuthPriv} <WORD1-32> [inform [retries <0-255>] [timeout<0-2147483647>]] [filter <WORD 1-32>] [target-name<WORD 1-32>] (NNCLI)

--End--

Displaying BPDU filtering recordsTo assist in troubleshooting, you can display BPDU filtering records.

Step Action

1 The following command displays BPDU filter records.

show port info int port 4/1

====================================================================Port Interface====================================================================


NN46205-703 03.02 12 April 2010


.


PORT LINK PORT PHYSICAL STATUSNUM INDEX DESCRIPTION TRAP LOCK MTU ADDRESS ADMINOPERATE-----------------------------------------------------------------------------------------------------------------------4/1 256 Gbic850(Sx) true false 1950 00:1a:8f:10:90:c0 down down

--End--


NN46205-703 03.02 12 April 2010


.

341.

Unicast routing troubleshootingUse this section to help you troubleshoot Layer 3 unicast routing problems.

Navigation• “Routing and licensing: protocol will not run” (page 341)

• “IP Multinetting troubleshooting” (page 342)

• “OSPF troubleshooting ” (page 342)

• “BGP+ troubleshooting” (page 347)

• “IP VPN Lite troubleshooting” (page 351)

Routing and licensing: protocol will not runMany routing protocols require a license for operation. If a routing protocolwill not run, check that your license is of the correct type, and that it iscorrectly installed. For more information about licensing issues, see“Licensing problems and recovery” (page 323).

The following table describes the license required to use specific features.For more information about installing or transferring licenses, see NortelEthernet Routing Switch 8600 Administration (NN46205-605).

Table 15License and features

Advanced license Premier license

• Border Gateway Protocol version 4(BGP4) for more than 10 Peers

• Bidirectional Forwarding Detection

• IPv6 Routing

• Multicast Source DiscoveryProtocol (MSDP)

• Packet Capture function (PCAP)

• All Advanced License features

• Virtual Routing and Forwarding Lite(VRF Lite)

• Multi-Protocol Border GatewayProtocol (MP-BGP)

• IP-Virtual Private Network,Multi-Protocol Label Switching(RFC2547) (IP-VPN MPLSRFC2547)


NN46205-703 03.02 12 April 2010


.

342 Unicast routing troubleshooting

Advanced license Premier license

• IP-Virtual Private Network-Lite(IP-VPN-Lite – IP in IP)

• Multicast virtualization for VRF-Lite(IGMP and PIM-SM/SSM)

IP Multinetting troubleshootingWhen troubleshooting IP Multinetting, note that this feature is notsupported for Layer 3 IP Multicast traffic in the current release. Also, notethat a port cannot belong to multiple IP Multinetting VLANs.

To troubleshoot IP Multinetting, you can use the following procedure toshow the IP Multinetting configuration.

Step Action

1 Display the IP Multinetting configuration:

show vlan info port (CLI)show vlan members (NNCLI)

--End--

OSPF troubleshootingDiagnose and correct OSPF problems to optimize OSPF routingoperations.

OSPF troubleshooting navigation

• “Viewing OSPF errors” (page 342)

• “OSPF neighbor state problems” (page 343)

• “OSPF down state or no state problems” (page 345)

• “OSPF Init state problems” (page 346)

• “OSPF ExStart/Exchange problems” (page 347)

Viewing OSPF errorsCheck OSPF errors for administrative and troubleshooting purposes.

Procedure steps

Step Action

1 In the CLI, to display extended information about OSPF errors:


NN46205-703 03.02 12 April 2010


.

OSPF troubleshooting 343

show ports error ospf [<ports>]

2 In the NNCLI, to display extended information about OSPFerrors:

show interfaces fastEthernet ospf [<portList>][<1-4094>]

show interfaces fastEthernet ospfv3 [<portList>][<1-4094>]

show interfaces gigabitEthernet ospf [<portList>][<1-4094>]

show interfaces gigabitEthernet ospfv3 [<portList>][<1-4094>]

--End--

Job aid: OSPF error command output

Table 16Job aid: OSPF error command output

Field Description

PORT NUM Indicates the port number.

VERSION MISMATCH Indicates the number of version mismatchesthis interface receives.

AREA MISMATCH Indicates the number of area mismatches thisinterface receives.

AUTHTYPEMISMATCH Indicates the number of AuthType mismatchesthis interface receives.

AUTH FAILURES Indicates the number of authentication failures.

NET_MASK MISMATCH Indicates the number of net mask mismatchesthis interface receives.

HELLOINT MISMATCH Indicates the number of Hello intervalmismatches this interface receives.

DEADINT MISMATCH Indicates the number of dead intervalmismatches this interface receives.

OPTION MISMATCH Indicates the number of options mismatchesthis interface receives.

OSPF neighbor state problemsYou can view status of all the OSPF neighbors and their current adjacencystate to determine if problems occurred during the router initial startupsequence.


NN46205-703 03.02 12 April 2010


.


Problems with OSPF occur most often during the initial startup, when therouter cannot form adjacencies with other routers and the state is stuck inthe Init or ExStart/Exchange state.

Step Action

1 To view the current state of all OSPF neighbors and their currentstate of adjacency, use the following command in the CLI orNNCLI:

show ip ospf neighbor

--End--

Job aid: OSPF neighbor statesAt initial startup, routers transmit Hello packets in an attempt to find otherOSPF routers with which form adjacencies. After the Hello packets arereceived, the routers perform an initialization process, which causesthe routers to transition through various states before the adjacency isestablished.

The following table describes the various states a router can be in whenforming an adjacency.

Table 17OSPF neighbor states

Step State Description

1 Down Indicates that a neighbor was configured manually, but the routerdid not received any information from the other router. This statecan occur only on NBMA interfaces.

2 Attempt On an NBMA interface, this state occurs when the routerattempts to send unicast Hellos to any configured interfaces.

3 Init The router received a general Hello packet (without its RouterID) from another router.

4 2-Way The router received a Hello directed to it from another router.(The Hello contains its Router ID.)

5 ExStart Indicates the start of the Master/Slave election process.

6 Exchange Indicates the link state database (LSDB) is exchanged

7 Loading Indicates the processing state of the LSDB for input into therouting table. The router can request LSA for missing or corruptroutes.

8 Full Indicates the normal full adjacency state.


NN46205-703 03.02 12 April 2010


.

OSPF troubleshooting 345

OSPF down state or no state problemsIf no state information appears for a neighbor when you enter the show ipospf neighbor command, then the router has not received valid OSPFhello packets from the neighbor.

If a neighbor appears in the down state, that neighbor is typically amanually-configured neighbor (using the config ip ospf neighborcommand). If the router does not receive a hello packet from themanually-configured neighbor within the dead interval, or never receives ahello packet, the neighbor appears in the down state. All OSPF neighborsthat you manually configure must be NBMA neighbors.

To troubleshoot OSPF neighbors in the down state or with no state,perform the following procedure.

Procedure steps

Step Action

1 To verify that OSPF is enabled on the local router and on theneighbor router, enter the following CLI command:

show ip ospf info

OR


show ip ospf

Also, from the command output, verify that the router IDs aredifferent on the local router and the neighbor router.

2 To verify that OSPF is enabled on the local router interface andthe neighbor router interface, enter the following command usingthe CLI or NNCLI:

show ip ospf interface

Also, from the command output, verify that the OSPF interfacesare not configured as passive interfaces.

3 To verify the reachability of the neighbor, enter the followingcommand using the CLI or NNCLI:

ping <neighbor-ip>

4 To verify the reachability of the neighbor through theallSPFRouters address, enter the following CLI command (andsee whether the neighbor responds):

ping 224.0.0.5

5 Verify that the following parameters are configured to thesame values on both interfaces: subnet, hello interval, and


NN46205-703 03.02 12 April 2010


.


dead interval. To display these parameters, enter the followingcommand using the CLI or NNCLI:

show ip ospf int-timers

6 Verify that the following parameters are configured to the samevalues on both interfaces: area ID, area type (for example, stubor NSSA). To display these parameters, enter the followingcommand using the CLI or NNCLI:

show ip ospf area

7 Verify that configured access lists are not affecting OSPF or IPtraffic between the neighbors. To display the ACL configuration,enter the following command using the CLI or NNCLI:

show filter acl config

--End--

OSPF Init state problemsA router can be stuck in Init state and not form an adjacency. There areseveral possible causes for this type of problem:

• Inverse Address Resolution Protocol (ARP) misconfiguration

• Access Lists implemented on routers

• Authentication mismatch or configuration problem

Check that the path is not reachable due to access lists implementedon routers. Ensure the multicast address of 224.0.0.5 is able to traversethe link. If multicast traffic is blocked, you must to configure the EthernetRouting Switch 8600 for OSPF NBMA instead of Broadcast.

Problems arise if there is a mismatch in authentication keys, or if bothsides are not configured for authentication.

Step Action

1 In the CLI, to determine if there is an authentication problem,view the OSPF packets that are received by using the followingcommands:

trace level 6 2

trace screen on

The following example shows the error received when there isan authentication failure:


NN46205-703 03.02 12 April 2010


.

BGP+ troubleshooting 347

[03/24/03 15:55:07:216] tMainTask OSPF: os_recv.c: 710 : verify_ospf_packet: authType mismatch ipa=10.1.1.18

2 In the NNCLI, view the OSPF packets by using the followingcommands:

trace level 6 2

trace screen enable

--End--

OSPF ExStart/Exchange problemsAlthough both routers can recognize each other and have moved beyond2-way state, the routers can be stuck in the ExStart/Exchange state. Tohelp troubleshoot ExStart/Exchange problems, use the trace level6 2 command. A mismatch in maximum transmission unit (MTU) sizesbetween the routers usually causes this type of problem. For example,one router could be set for a high MTU size and the other router’s defaultvalue is a smaller value. Depending on the size of the LSDB, the routerwith the smaller value may not be able to process the larger packets andthus be stuck in ExStart/Exchange state. To avoid this problem, ensurethat the MTU size value for both routers match. This problem is usuallyencountered during interoperations in networks with other vendor devices.

In the Ethernet Routing Switch 8600 Software Release 3.2.0.0 and later,the supported MTU size for OSPF is 1500 bytes by default. IncomingOSPF database description (DBD) packets are dropped if their MTU sizeis greater than 1500 bytes. To allow the Ethernet Routing Switch 8600to accept OSPF database description packets with a different MTU size,enable mtu-ignore.

When mtu-ignore is set to enable, the MTU check on the incomingOSPF DBD packet is not performed. The Ethernet Routing Switch 8600(Software Release 3.2.0.0 and later) automatically checks for OSPF MTUmismatches.

BGP+ troubleshootingThe following sections provide information for troubleshooting BGP+issues.

For additional information on BGP debugging commands, see “UsingBGP debugging commands” (page 144) (CLI) and “Using BGP debuggingcommands” (page 224) (NNCLI).


NN46205-703 03.02 12 April 2010


.


Neighbors not established between the BGP peersIf neighbor states are not establishing BGP peers, use the followingprocedure to troubleshoot the issue.

Step Action

1 First check whether the neighbors are in established state or inactive state:

show ip bgp summary (CLI or NNCLI)

2 If the neighbors are in the active state, then check the BGPconfigurations on both sides and check whether they mismatchin some cases.

show ip bgp conf (CLI or NNCLI)

For iBGP peers, check whether the local autonomous systemnumbers are the same on both switches. For eBGP peers, verifythat the local AS numbers are different.

3 If the problem still persists, then check whether the peerIP address is correct and reachable (using ping). If it isunreachable, check the IP route table.

show ip route info (CLI)

show ip route (NNCLI)

4 If the peer is not a directly attached peer then, check whethermulti-hop is configured.

show ip bgp neighbor info (CLI)

show ip bgp neighbor (NNCLI)

--End--

BGP routes not coming up in the switch routing tableIf BGP routes are not coming up in the switch routing table, use thefollowing procedure to troubleshoot the issue.

Step Action

1 Check in the routing table to see whether the BGP route hascome up



2 Check whether the path exists in the BGP routing table

show ip bgp route (CLI or NNCLI)


NN46205-703 03.02 12 April 2010


.

BGP+ troubleshooting 349

3 Check whether the BGP peer is established with the neighboradvertising the route:

show ip bgp summary (CLI or NNCLI)

4 Check whether the path learned is the best path from an IBGPor EBGP peer.

5 See whether synchronization is turned off.


6 Check whether the nexthop-self is enabled. (In case of eBGPpeers it is always safe to have nexthop-self enabled)

show ip bgp neighbor info (CLI)

show ip bgp neighbor (NNCLI)

--End--

Routes are not advertised to a BGP peerIf routes are not advertised to a BGP peer, use the following procedure totroubleshoot the issue.

Step Action

1 If you use the network command, then check for the routeinformation.



2 If you use a redistribute command to advertise a static or IGProute, check whether auto-summary is enabled.


3 If the problem still persists then check whether any route policy isconfigured on the redistribute command denying the peer:

show ip bgp redistribution (CLI)

show ip bgp redistributed-routes (NNCLI)

4 Check all redistributed routes:

show ip bgp imported-routes (CLI or NNCLI)

--End--

General BGP+ troubleshootingThe following procedure describes additional general troubleshooting stepsfor BGP+.


NN46205-703 03.02 12 April 2010


.


Step Action

1 First try to ping the network and see whether the network isreachable or not.

2 If the network is not reachable, then check for IGP neighbors.See whether any IGP is enabled, and whether IGP connectionsare established.

3 Check the topology to find any possible STP blocking states onthe ports or non-routable interfaces.

4 Also check for ARP entries of the next-hop (in case the next-hopis specified). If there is no ARP entry, then the route is not addedto the route table.

5 Similarly, if Neighbor discovery for a particular IPv6 route fails,then that IPv6 route is not installed in the RTM.

--End--

Enabling trace and debugging for BGP+ troubleshootingIf the preceding sections do not resolve your issue, you can obtainadditional BGP+ information by using the following procedure.

Step Action

1 Run the BGP trace command and see whether there is any errormessage in the trace:

trace level 52 3trace screen on

2 Enable debugging on BGP globally, as well as on the neighbor:

con ip bgp global-debug mask <value>config ip bgp debug-screen onconfig ip bgp neighbor <neighbor-ip> neighbor-debug mask <value> (CLI)

global-debug mask <value>debug-screen onneighbor <neighbor-ip> neighbor-debug mask <value>(NNCLI BGP Router Configuration mode)

3 In addition to BGP trace and debug, you can also run RTMtraces to see if the routes are being lost somewhere during theRTM processing.

trace level 45 3trace screen on (CLI or NNCLI)


NN46205-703 03.02 12 April 2010


.

IP VPN Lite troubleshooting 351

4 When the problem is from the IPv6 side, you can also enableIPv6 traces:

trace ipv6 forwarding on alltrace ipv6 rtm on alltrace screen on (CLI or NNCLI)

--End--

Route policy problemsSometimes there can be a problem with the route policies. In this case,verify that the route policies are configured correctly.

Step Action

1 If there are route-policies for IPv6, then ensure that the ipv6 flaghas been specified in the route-policy

config ip bgp neighbor <neighbor-ip> route-policy{in|out} <policy-name> add ipv6 (CLI)

neighbor <neighbor-ip> {ipv6-in-route-map|ipv6-out-route-map} <map-name> (NNCLI)

2 If the route-policies have been properly applied, you can enableroute-policy trace:

trace le 49 3trace scr on

--End--

IP VPN Lite troubleshootingUse the following information if you experience issues with IP VPN Lite.

Procedure steps

Step Action

1 Ensure that iBGP neighborship is properly established betweenthe two provider edge (PE) routers.

2 Ensure that the proper I/O modules are used. IP VPN Literequires R or RS modules.

3 Ensure that the Import and Export route targets (RT) arematched between PEs

4 Ensure that the route distinguisher (RD) has a network of /32or subnet of less than /32 CLIP configured in the GlobalRouter(VRF 0).


NN46205-703 03.02 12 April 2010


.


5 Ensure that the RD circuitless IP (CLIP) is either OSPF-enabled(if the interior protocol is OSPF) or properly redistributed (if theinterior protocol is RIP or Static).

6 If you use a sniffer, the VPN traffic should have an outer IPheader with the RD as the source and destination IP address.

--End--


NN46205-703 03.02 12 April 2010


.

353.

Multicast routing troubleshootingUse the information in this section to help you troubleshoot multicastrouting problems.

Navigation• “Multicast routing troubleshooting using Enterprise Device Manager”

(page 353)

• “Multicast routing troubleshooting using the CLI” (page 359)

• “Multicast routing troubleshooting using the NNCLI” (page 367)

• “Troubleshooting Multicast VLAN Registration (MVR)” (page 375)

• “Troubleshooting IGMP Layer 2 querier” (page 376)

• “Troubleshooting static mroute ” (page 377)

• “Troubleshooting IGMPv3 backwards compatibility” (page 381)

• “Troubleshooting PIM with SMLT” (page 382)

• “Troubleshooting MSDP” (page 384)

• “Troubleshooting multicast virtualization” (page 387)

Multicast routing troubleshooting using Enterprise Device ManagerUse the information in this section to help you troubleshoot multicastrouting problems using Enterprise Device Manager.

Multicast routing troubleshooting using Enterprise Device Managernavigation

• “Viewing group trace information for IGMP snoop” (page 354)

• “Viewing multicast routes” (page 354)

• “Viewing pruned multicast routes” (page 355)

• “Viewing multicast group sources” (page 356)

• “Viewing multicast routes by egress VLAN” (page 356)


NN46205-703 03.02 12 April 2010


.

354 Multicast routing troubleshooting

• “Viewing IGAP network connectivity information” (page 357)

• “Enabling multicast routing process statistics” (page 358)

Viewing group trace information for IGMP snoopMulticast group trace tracks the data flow path of multicast streams.

Procedure steps

Step Action

1 In the navigation tree, open the following folders Configuration,IP.

2 Double-clickIGMP.

3 Click the Snoop Trace tab.

--End--

Variable definitionsUse the information in the following table to use the Snoop Trace fields.

Variable Value

GrpAddr Displays the IP multicast address of the grouptraversing the router.

SrcAddr Displays the IP source address of the multicastgroup.

OutVlan Displays the egress VLAN ID for the multicastgroup.

InPort Displays the ingress port for the multicast group.

InVlan Displays the ingress VLAN ID for the multicastgroup.

OutPort Displays the egress port of the multicast group.

Viewing multicast routesThe multicast route table contains multicast routing information for allgroup addresses.

Procedure steps

Step Action

1 From the Enterprise Device Manager menu bar, chooseConfiguration, IP, Multicast.


NN46205-703 03.02 12 April 2010


.

Multicast routing troubleshooting using Enterprise Device Manager 355

2 Click the Mroute-HW tab.

--End--

Variable definitionsUse the information in the following table to configure the Mroute-HW tab.

Variable Value

GroupAddress Specifies the IP Multicast group address forthe multicast stream.

SrcSubnet Specifies the network address of the sourcesubnet that has sources sending IP Multicasttraffic to the GroupAddress.

There can be several sources sending to thatGroup. You can use the Source tab to viewthese sources.

Invlan Specifies the ingress VLAN ID where the trafficemanates for the multicast stream.

Pruned Specifies whether the route had been pruned.True indicates that the multicast stream hasbeen pruned.

Viewing pruned multicast routesThe Prunes tab shows all of the prunes received for the Group address inthe multicast stream selected from the Mroute-HW table.

Procedure steps

Step Action

1 From the Enterprise Device Manager menu bar, choose IP,Multicast.


3 Click any row in the table.

4 Click Prunes .

--End--


NN46205-703 03.02 12 April 2010


.



Variable Value

Neighbor The IP address of the downstream neighborfrom whom the prune has been received.

PruneTimer The time left for the neighboringdownstream router to send the graftmessage.

Viewing multicast group sourcesWith the Sources tab, you can view all the sources on the subnet that sendto the particular group selected in the Mroute-HW table.

Procedure steps

Step Action




4 Click Sources .

--End--

Variable definitionsUse the information in the following table to help you understand theSource tab fields.

Variable Value

SourceAddress The IP addresses of the sources on thisparticular subnet sending traffic to themulticast group for the selected entry in theMroute-HW table.

IngressPort The corresponding ingress port in themulticast stream selected from theMroute-HW table.

Viewing multicast routes by egress VLANWith the Egress VLANs tab, you can view the egress VLANs for thestreams corresponding to the selected entry in the Mroute-Hw table.


NN46205-703 03.02 12 April 2010


.

Multicast routing troubleshooting using Enterprise Device Manager 357

Procedure steps

Step Action




4 Click EgressVlans .

--End--

EgressVlans tabUse the information in the following table to help you use the EgressVlanstab.

Variable Value

EgressVlan All the egress VLANs for the particular multicaststream selected from the Mroute-HW table.

EgressVlanPorts The corresponding ports for the particular multicaststream selected from the Mroute-HW table.

Viewing IGAP network connectivity informationIGMP for user Authentication Protocol (IGAP) counters provide networkconnectivity information that you can use to monitor and troubleshoot IGAPinterfaces.

Procedure steps

Step Action


2 Double-clickIGMP.

3 Click the IGAP Counters tab.

--End--

Variable definitionsUse the information in the following table to help you use the IGAPCounters tab.


NN46205-703 03.02 12 April 2010


.


Variable Value

IfIndex Indicates the VLAN name that uniquelyidentifies the interface.

AuthSuccess Indicates the number of authenticationsuccess messages received from theRADIUS server on this interface.

AuthReject Indicates the number of authentication failmessages received from the RADIUS serveron this interface.

RespTimeout Indicates the number of times that theAuthentication Timer timed out. This timercontrols the waiting time from sendingan Authentication request to receiving anAuthentication response.

PapJoinReq Indicates the number of PasswordAuthentication Protocol (PAP) Join requestsreceived for members of this interface.

BasicQuery Indicates the number of Basic Querymessages sent by the Ethernet RoutingSwitch 8600 on an IGAP-enabled interface.

BasicLeave Indicates the number of Basic Leavemessages received by this interface.

Enabling multicast routing process statisticsTo provide additional troubleshooting information, you can enable thecollection of multicast routing process statistics. These statistics are notrelated to the interface (port) statistics. Rather, the statistics are displayedbased on VRF and multicast group classification. To configure multicastrouting process statistics, perform the following procedure. (To display thecollected statistics, you must use the CLI or NNCLI.)

Procedure steps

Step Action


2 Double-clickMulticast.

3 Click the Multicast Stats tab.

4 Select the Enabled check box, and then click Apply.

--End--


NN46205-703 03.02 12 April 2010


.

Multicast routing troubleshooting using the CLI 359

Multicast routing troubleshooting using the CLIUse the information in this section to help you troubleshoot multicastrouting problems using the command line interface (CLI).

Multicast routing troubleshooting using the CLI navigation

• “Viewing multicast group trace information for IGMP snoop” (page 359)

• “Viewing PGM interface errors” (page 360)

• “Viewing PGM negative acknowledgement errors” (page 361)


• “Showing the hardware resource usage ” (page 364)

• “Viewing multicast routing process statistics” (page 365)

Viewing multicast group trace information for IGMP snoopMulticast group trace tracks the data flow path of the multicast streams.

Procedure steps

Step Action

1 Display the multicast group trace for an IGMP snoop-enabledinterface using the following command:

show ip igmp snoop-trace [src <value>] [grp <value>]

--End--

Variable definitionsUse the information in the following table to use the show ip igmpsnoop-trace command.

Variable Value

grp <value> Specifies the source IP address in the formata.b.c.d.

src <value> Specifies the group IP address in the formata.b.c.d.

Procedure job aid: show ip igmp snoop-trace commandThe following figure shows the field descriptions for this command.


NN46205-703 03.02 12 April 2010


.


Table 18show ip igmp snoop-trace command

Field Description

GROUP ADDRESS Indicates the IP multicast group address for which thisentry contains information.

SOURCE ADDRESS Indicates the source of the multicast traffic.

IN VLAN Indicates the incoming VLAN ID.

IN PORT Indicates the incoming port number.

OUT VLAN Indicates the outgoing VLAN ID.

OUT PORT Indicates the outgoing port number.

Viewing PGM interface errorsDisplay general information about PGM errors that occurred on theselected interface.

Procedure steps

Step Action

1 Show PGM interface errors using the following command:

show ip pgm interface error general

--End--

Job aid: show ip pgm interface error general commandThe following table describes fields for this command.

Table 19show ip pgm interface error general parameters

Field Description

CCT Displays the circuit number of the selected interface.

IN_SPM PORTERRORS

Displays the number of SPMs discarded because theywere received on the wrong interface.

IN_RDATA PORTERRORS

Displays the number of RDATA packets discardedbecause they were received on the wrong interface.

IN_RDATANO_SESSIONERRORS

Displays the number of RDATA packets discardedbecause there was no active session.


NN46205-703 03.02 12 April 2010


.


Table 19show ip pgm interface error general parameters (cont’d.)

Field Description

IN_NCF PORTERRORS

Displays the number of NCFs discarded because theywere received on the wrong interface.

IN_NCFNO_SESSIONERRORS

Displays the number of NCFs discarded because therewas no active session.

Viewing PGM negative acknowledgement errorsDisplay information about Pragmatic General Multicast negativeacknowledgment (NAK) and null NAK (NNAK) errors that occurred on theselected interface.

Procedure steps

Step Action

1 Show PGM interface nak errors using the following command:

show ip pgm interface error nak

--End--

Job aid: show ip pgm interface error nak commandThe following table describes fields for this command.

Table 20show ip pgm interface error nak parameters

Field Description

CCT Displays the circuit number of the selectedinterface.

IN_NAKPORT ERRORS

Displays the number of NAKs discarded becausethey were received on the wrong interface.

IN_NAKNO_SESSION ERRORS

Displays the number of NAKs discarded becausethere was no active session.

IN_NAKSEQ ERRORS

Displays the number of NAKs discarded becausethey were out of sequence.

IN_NNAKPORT ERRORS

Displays the number of NNAKs discardedbecause they were received on the wronginterface.


NN46205-703 03.02 12 April 2010


.


Table 20show ip pgm interface error nak parameters (cont’d.)

Field Description

IN_NNAKNO_SESSION ERRORS

Displays the number of NNAKs discardedbecause there was no active session.

PARITYNAK_TG ERRORS

Displays the number of parity NAKs discardedbecause they were out of the parity TG window.


Procedure steps

Step Action

1 Show group trace information using the following command:

show ip mroute-hw group-trace

2 Show group prune state information using the followingcommand:

show ip mroute-hw group-prune-state

--End--

Variable definitionsUse the information in the following table to use the show ip mroute-hwcommands.

Variable Value

group-trace [src<value>] [grp <value>]

Use the show ip mroute-hw group-tracecommand as follows:

• When you use it by itself, the outputincludes all the group entries found in thehardware records.

• When you follow the command with grp<value>, the output includes all the entriescorresponding to the specified groupaddress.

• When you follow the command with src<value> and grp <value>, the output


NN46205-703 03.02 12 April 2010


.


Variable Value

includes only the specified source-grouppair.

group-prune-state [grp<value>]

Use the show ip mroute-hw group-prune-state command as follows:


• When you follow the command with grp<value>, the output includes all the entriescorresponding to the specified groupaddress.

Job aid: show ip mroute-hw command outputUse the information in the following table to help you understand the showip mroute-hw command output.

Table 21show ip mroute-hw group-trace and group-prune-state output fields

Field Description

group-trace

GROUP ADDRESS The IP multicast group address for the multicaststream.

SOURCE ADDRESS The IP addresses of the sources on this particularsubnet sending traffic to the multicast group for theselected entry in the Mroute-HW table.

SENDING SUBNET The network address of the source subnet that hassources sending IP multicast traffic to the groupaddress.

TOTAL SESSIONS One session includes a combination of groupaddress, subnet, and ingress VLAN information.The total number of sessions indicates how manysources in the same subnet are sending traffic for thegiven group address and ingress VLAN.

IN VLAN The ingress VLAN ID where the traffic emanates forthe multicast stream.

IN PORT The corresponding ingress port in the multicaststream selected from the Mroute-HW table.

OUT PORT All the egress VLANs for the particular multicaststream selected from the Mroute-HW table.

OUT PORT The corresponding ports for the particular multicaststream selected from the Mroute-HW table.


NN46205-703 03.02 12 April 2010


.


Table 21show ip mroute-hw group-trace and group-prune-state output fields (cont’d.)

Field Description

group-prune-state

GROUP ADDRESS The IP multicast group address for the multicaststream.

SOURCE ADDRESS The IP addresses of the sources on this particularsubnet sending traffic to the multicast group for theselected entry in the Mroute-HW table.

PRUNED True indicates that the multicast stream is prunedback. False indicates it is not.

TIME LEFT FORGRAFT

The time left (in seconds) for the neighboringdownstream router to send the graft message.

PRUNE RECEIVEDFROM

The IP address of the downstream neighbor fromwhich the prune has been received.

Showing the hardware resource usageThe Ethernet Routing Switch 8600 can query the number of ingressand egress IP Multicast streams traversing your switch. After settingthe thresholds for ingress and egress records, if the record-usage goesbeyond the threshold, you are notified by way of a trap on the console,logged message, or both.

If you do not set the thresholds, the CLI displays only the ingress andegress records that are currently in use.

Procedure steps

Step Action

1 Show the hardware resource usage using the followingcommand:

show ip mroute-hw resource-usage

--End--

Job aid: show ip mroute-hw resource usage commandThe following table shows the field descriptions for this command.


NN46205-703 03.02 12 April 2010


.


Table 22show ip mroute-hw resource-usage parameter

Field Description

EGRESS REC IN-USE Indicates the number of egress records (peps)traversing the switch that are in use.

INGRESS REC IN-USE Indicates the number of source and group recordstraversing the switch that are in use.

EGRESS THRESHOLD Indicates the egress records threshold.

INGRESS THRESHOLD Indicates the source and group records threshold.

LOG MSG ONLY Indicates the status of logging messages only.

SEND TRAP ONLY Indicates the status of sending traps only.

SEND TRAP AND LOG Indicates the status of sending traps and logmessages.

Viewing multicast routing process statisticsTo provide additional troubleshooting information, you can enable thecollection and display of multicast routing process statistics. Thesestatistics are not related to the interface (port) statistics. Rather, thestatistics are displayed based on VRF and multicast group classification.To configure multicast routing process statistics, perform the followingprocedure.

Procedure steps

Step Action

1 To enable or disable the multicast routing process statisticscollection, enter:

config ip mroute stats {enable|disable}

[no] ip mroute stats enable

2 To view the feature configuration, enter:

config ip mroute info

show ip mroute

3 To view the multicast routing process statistics, enter:

show ip mroute stats <grp-ip-list> [vrf <vrf-name>][vrfids <vrfids>]

4 To display statistics at regular intervals (average ofapproximately 5 seconds), enter:

monitor ip mroute stats <grp-ip-list> [vrf <vrf-name>][vrfids <vrfids>]

5 To clear the multicast routing process statistics, enter:


NN46205-703 03.02 12 April 2010


.


clear ip mroute stats

--End--

Variable definitionsUse the information in the following table to use the commands above.

Variable Value

{enable|disable} Enables or disables multicast routing process statisticscollection.

<grp-ip-list> Specifies the multicast group IDs for which to displaystatistics. You can specify a maximum of 10 groups.

[vrf <vrf-name>] Specifies the VRF name for which to display statistics.

[vrfids <vrfids>] Specifies the VRF ID for which to display statistics.

Job aid: show ip mroute stats commandThe following table shows the field descriptions for this command.


Field Description

GroupAddress Specifies the multicast group IP address for whichto display statistics.

SourceCounter Specifies the source number corresponding tothe associated VRF and group IP address in thewhole multicast route records.

ForwardPackets Specifies the number of normally forwardedpackets for the associated VRF and group IPaddress.

ForwardBytes Specifies the number of normally forwarded bytesfor the associated VRF and group IP address.

AverageSize Specifies the average packet length for theassociated VRF and Group IP address. Thisindicates only the forward packet length. It iscalculated using forward packet/ forward byte.

Packets/Second This field is only valid in the monitor CLI output. Itspecifies the average speed in about 5 seconds.It is it calculated from (current forward packet –last forward packet)/monitor interval. With the firstmonitor multicast statistics output, this field is null.Subsequent outputs provide valid values.


NN46205-703 03.02 12 April 2010


.

Multicast routing troubleshooting using the NNCLI 367

Table 23show ip mroute-hw resource-usage parameter (cont’d.)

Field Description

DropPackets Specifies the number of dropped packets for theassociated VRF and Group IP address.

DropBytes Specifies the number of dropped bytes for theassociated VRF and Group IP address.

Multicast routing troubleshooting using the NNCLIUse the information in this section to help you troubleshoot multicastrouting problems using the Nortel command line interface (NNCLI).

Multicast routing troubleshooting using the NNCLI navigation

• “Viewing multicast group trace information for IGMP snoop” (page 367)

• “Viewing PGM interface errors” (page 368)

• “Viewing PGM negative acknowledgement errors” (page 369)


• “Showing the hardware resource usage ” (page 372)

• “Viewing multicast routing process statistics” (page 373)

Viewing multicast group trace information for IGMP snoopMulticast group trace tracks the data flow path of the multicast streams.

Prerequisites


Procedure steps

Step Action

1 Display the multicast group trace for an IGMP snoop-enabledinterface using the following command:

show ip igmp snoop-trace [source <A.B.C.D>] [group<A.B.C.D>]

--End--


NN46205-703 03.02 12 April 2010


.


Variable definitionsUse the information in the following table to use the show ip igmpsnoop-trace command.

Variable Value

group <A.B.C.D> Specifies the source IP address in the formata.b.c.d.

source <A.B.C.D> Specifies the group IP address in the formata.b.c.d.

Job aid: show ip igmp snoop-trace commandThe following figure shows the field descriptions for this command.

Table 24show ip igmp snoop-trace command

Field Description

GROUP ADDRESS Indicates the IP multicast group address for which thisentry contains information.

SOURCE ADDRESS Indicates the source of the multicast traffic.

IN VLAN Indicates the incoming VLAN ID.

IN PORT Indicates the incoming port number.

OUT VLAN Indicates the outgoing VLAN ID.

OUT PORT Indicates the outgoing port number.

Viewing PGM interface errorsDisplay general information about PGM errors that occurred on theselected interface.

Prerequisites


Procedure steps

Step Action

1 Show PGM interface errors using the following command:

show ip pgm interface error

--End--


NN46205-703 03.02 12 April 2010


.


Job aid: show ip pgm interface error general commandThe following table describes fields for this command.

Table 25show ip pgm interface error general parameters

Field Description

CCT Displays the circuit number of the selected interface.

IN_SPM PORTERRORS

Displays the number of SPMs discarded because theywere received on the wrong interface.

IN_RDATA PORTERRORS

Displays the number of RDATA packets discardedbecause they were received on the wrong interface.

IN_RDATANO_SESSIONERRORS

Displays the number of RDATA packets discardedbecause there was no active session.

IN_NCF PORTERRORS

Displays the number of NCFs discarded because theywere received on the wrong interface.

IN_NCFNO_SESSIONERRORS

Displays the number of NCFs discarded because therewas no active session.

Viewing PGM negative acknowledgement errorsDisplay information about Pragmatic General Multicast negativeacknowledgment (NAK) and null NAK (NNAK) errors that occurred on theselected interface.

Prerequisites


Procedure steps

Step Action

1 Show PGM interface NAK errors using the following command:

show ip pgm interface error [nak]

--End--

Job aid: show ip pgm interface error nak commandThe following table describes fields for this command.


NN46205-703 03.02 12 April 2010


.


Table 26show ip pgm interface error nak parameters

Field Description

CCT Displays the circuit number of the selectedinterface.

IN_NAKPORT ERRORS

Displays the number of NAKs discarded becausethey were received on the wrong interface.

IN_NAKNO_SESSION ERRORS

Displays the number of NAKs discarded becausethere was no active session.

IN_NAKSEQ ERRORS

Displays the number of NAKs discarded becausethey were out of sequence.

IN_NNAKPORT ERRORS

Displays the number of NNAKs discardedbecause they were received on the wronginterface.

IN_NNAKNO_SESSION ERRORS

Displays the number of NNAKs discardedbecause there was no active session.

PARITYNAK_TG ERRORS

Displays the number of parity NAKs discardedbecause they were out of the parity TG window.


Prerequisites


Procedure steps

Step Action

1 Show group trace information using the following command:

show ip mroute hw-group-trace [<A.B.C.D>] [<A.B.C.D>]

2 Show group prune state information using the followingcommand:

show ip mroute hw-group-prune-state [<A.B.C.D>]

--End--

Variable definitionsUse the information in the following table to use the show ip mroutecommands.


NN46205-703 03.02 12 April 2010


.


Variable Value

hw-group-trace[<A.B.C.D>] [<A.B.C.D>]

Use the show ip mroute hw-group-tracecommand as follows:


• When you follow the command with[<A.B.C.D>] , the output includes all theentries corresponding to the specified groupaddress.

• When you follow the command with[<A.B.C.D>] [<A.B.C.D>], the outputincludes only the specified source-grouppair.

hw-group-prune-state[<A.B.C.D>]

Use the show ip mroute hw-group-prune-state command as follows:


• When you follow the command with[<A.B.C.D>] , the output includes all theentries corresponding to the specified groupaddress.

Job aid: show ip mroute-hw command outputUse the information in the following table to help you understand the showip mroute-hw command output.

Table 27show ip mroute-hw group-trace and group-prune-state output fields

Field Description

group-trace

GROUP ADDRESS The IP multicast group address for the multicast stream.

SOURCEADDRESS

The IP addresses of the sources on this particular subnetsending traffic to the multicast group for the selectedentry in the Mroute-HW table.

SENDING SUBNET The network address of the source subnet that hassources sending IP multicast traffic to the group address.


NN46205-703 03.02 12 April 2010


.


Table 27show ip mroute-hw group-trace and group-prune-state output fields (cont’d.)

Field Description

TOTAL SESSIONS One session includes a combination of group address,subnet, and ingress VLAN information. The total numberof sessions indicates how many sources in the samesubnet are sending traffic for the given group addressand ingress VLAN.

IN VLAN The ingress VLAN ID where the traffic emanates for themulticast stream.

IN PORT The corresponding ingress port in the multicast streamselected from the Mroute-HW table.

OUT PORT All the egress VLANs for the particular multicast streamselected from the Mroute-HW table.

OUT PORT The corresponding ports for the particular multicaststream selected from the Mroute-HW table.

group-prune-state

GROUP ADDRESS The IP multicast group address for the multicast stream.

SOURCEADDRESS

The IP addresses of the sources on this particular subnetsending traffic to the multicast group for the selectedentry in the Mroute-HW table.

PRUNED True indicates that the multicast stream is pruned back.False indicates it is not.

TIME LEFT FORGRAFT

The time left (in seconds) for the neighboringdownstream router to send the graft message.

PRUNE RECEIVEDFROM

The IP address of the downstream neighbor from whichthe prune has been received.

Showing the hardware resource usageThe Ethernet Routing Switch 8600 can query the number of ingressand egress IP Multicast streams traversing your switch. After settingthe thresholds for ingress and egress records, if the record-usage goesbeyond the threshold, you are notified by way of a trap on the console,logged message, or both.

If you do not set the thresholds, the CLI displays only the ingress andegress records that are currently in use.

Prerequisites



NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Show the hardware resource usage using the followingcommand:

show ip mroute hw-resource-usage

--End--

Job aid: show ip mroute-hw resource usage commandThe following table shows the field descriptions for this command.


Field Description

EGRESS REC IN-USE Indicates the number of egress records (peps)traversing the switch that are in use.

INGRESS REC IN-USE Indicates the number of source and group recordstraversing the switch that are in use.

EGRESS THRESHOLD Indicates the egress records threshold.

INGRESS THRESHOLD Indicates the source and group records threshold.

LOG MSG ONLY Indicates the status of logging messages only.

SEND TRAP ONLY Indicates the status of sending traps only.

SEND TRAP AND LOG Indicates the status of sending traps and logmessages.

Viewing multicast routing process statisticsTo provide additional troubleshooting information, you can enable thecollection and display of multicast routing process statistics. Thesestatistics are not related to the interface (port) statistics. Rather, thestatistics are displayed based on VRF and multicast group classification.To configure multicast routing process statistics, perform the followingprocedure.

Procedure steps

Step Action

1 To enable or disable the multicast routing process statisticscollection, enter:

[no] ip mroute stats enable

2 To view the feature configuration, enter:


NN46205-703 03.02 12 April 2010


.


show ip mroute

3 To view the multicast routing process statistics, enter:

show ip mroute stats <grp-ip-list> [vrf <vrf-name>][vrfids <vrfids>]

4 To display statistics at regular intervals (average ofapproximately 5 seconds), enter:

monitor ip mroute stats <grp-ip-list> [vrf <vrf-name>][vrfids <vrfids>]

5 To clear the multicast routing process statistics, enter:

clear ip mroute stats

--End--

Variable definitionsUse the information in the following table to use the commands above.

Variable Value

[no] Disables multicast routing process statistics collection.

<grp-ip-list> Specifies the multicast group IDs for which to displaystatistics. You can specify a maximum of 10 groups.

[vrf <vrf-name>] Specifies the VRF name for which to display statistics.

[vrfids <vrfids>] Specifies the VRF ID for which to display statistics.

Job aid: show ip mroute stats commandThe following table shows the field descriptions for this command.


Field Description

GroupAddress Specifies the multicast group IP address for whichstatistics are displayed.

SourceCounter Specifies the source number corresponding tothe associated VRF and group IP address in thewhole multicast route records.

ForwardPackets Specifies the number of normally forwardedpackets for the associated VRF and group IPaddress.

ForwardBytes Specifies the number of normally forwarded bytesfor the associated VRF and group IP address.


NN46205-703 03.02 12 April 2010


.

Troubleshooting Multicast VLAN Registration (MVR) 375

Table 29show ip mroute-hw resource-usage parameter (cont’d.)

Field Description

AverageSize Specifies the average packet length for theassociated VRF and Group IP address. Thisindicates only the forward packet length. It iscalculated using forward packet/forward byte.

Packets/Second This field is only valid in the monitor CLI output. Itspecifies the average speed in about 5 seconds.It is it calculated from (current forward packet –last forward packet)/monitor interval. With the firstmonitor multicast statistics output, this field is null.Subsequent outputs provide valid values.

DropPackets Specifies the number of dropped packets for theassociated VRF and Group IP address.

DropBytes Specifies the number of dropped bytes for theassociated VRF and Group IP address.

Troubleshooting Multicast VLAN Registration (MVR)The following sections provide troubleshooting information for the MVRfeature.

Unable to add a VLAN as a receiver VLANIf you cannot add a VLAN as a receiver VLAN in MVR, use the followingprocedure to troubleshoot the issue.

Step Action

1 As the MVR feature is based on IGMP snoop, check whetherIGMP snoop is enabled on the VLAN:

config vlan <vid> ip igmp info (CLI)

OR

show ip igmp interface vlan <vid> (NNCLI)

If IGMP snoop is disabled, the VLAN cannot be configured asa receiver VLAN.

--End--

Traffic is not passing from the source to the receiverIf traffic is not passing from the source to the receiver, use the followingprocedure to troubleshoot the issue.


NN46205-703 03.02 12 April 2010


.


Step Action

1 Check the IGMP sender on the multicast router and on thesnoop-enabled switch:

show ip igmp sender (CLI or NNCLI)

2 Check the IGMP group on the multicast router and on thesnoop-enabled switch:

show ip igmp group (CLI or NNCLI)

3 On the snoop-enabled switch, you can also check the IGMPgroup using the following command:

show ip igmp multicast-vlan-registration group (CLIor NNCLI)

4 On the multicast router, check the mroute entries :

show ip pim mroute (CLI or NNCLI)

--End--

Enabling trace messages for MVR troubleshootingIf the preceding information does not address your issue, you can also usethe following trace command to view additional MVR-related information:

trace level 23 <level>

Troubleshooting IGMP Layer 2 querierThe following sections provide troubleshooting information for the IGMPLayer 2 querier feature.

Querier not electedIf a querier is not elected, use the following procedure to troubleshoot theissue.

Step Action

1 As the IGMP Layer 2 Querier is based on IGMP snoop, checkwhether IGMP snoop is enabled on the VLAN:

config vlan <vid> ip igmp info (CLI)

OR

show ip igmp interface vlan <vid> (NNCLI)


NN46205-703 03.02 12 April 2010


.

Troubleshooting static mroute 377

If IGMP snoop is disabled, the Layer 2 querier cannot work untilIGMP snoop and IGMP Layer 2 querier are reenabled.

--End--

Enabling trace messages for IGMP Layer 2 querier troubleshootingIf the preceding information does not address your issue, you can alsouse the following trace command to view additional information related toLayer 2 querier:

trace level 23 <1-4>

Troubleshooting static mrouteMulticast routing protocols like PIM-SM, PIM-SSM, and MSDP rely onunicast routing protocols to perform Reverse Path Forwarding (RPF)checks to avoid loops in forwarding multicast data. As a result, multicaststreams are forced to share network paths with the unicast traffic streams.The administrator generally cannot separate the paths for multicast andunicast data streams.

The static mroute feature allows the administrator to configure separatepaths for unicast and multicast streams. To do so, the feature provides aconfigurable static IP route table. This table is used only by the multicastrouting protocols and is not visible to any other protocols. Hence, anyroutes that are added to this table do not affect the switching and routingof IP unicast packets.

An entry in this static IP route table has the following attributes:

• IP prefix/mask denotes the destination network for which the routeis being added.

• RPF address is the equivalent in multicast to the next-hop in theunicast static IP route table. Here it denotes the RPF neighbor towardsthe RP or source.

• Preference is the administrative distance for the given route. Whenthe unicast routing table and the multicast static IP route table havedifferent routes for the same destination network, this administrativedistance is compared with that of the protocol that contributed the routein the unicast routing table. By configuring the administrative distancefor different routes, the administrator can choose different distances fordifferent networks.

• Status indicates the status of the route in this table, and can beenabled and disabled using CLI or NNCLI commands.

The logic used for static mroute selection is as follows:


NN46205-703 03.02 12 April 2010


.


• Direct and local routes for a given destination take precedence overany route for the same destination in the multicast static IP route table.

• If a route is present in the multicast static IP table, and no route existsin the unicast routing table for the given destination, the route in themulticast static IP table is used.

• If no route exists in the multicast static IP route table for the givendestination, then the route from the unicast routing table is used, ifavailable.

• If a route is available in both the unicast routing table and the multicaststatic IP route table, then the route from the multicast static IP routetable is used only if its administrative distance is less than or equal tothat of the unicast route entry.

• The configured static-mroute is selected in the following manner:

— First longest prefix matching route is selected. The lookup ignoresroutes that are administratively disabled.

— If the table has more than one matching route for the samedestination, then the route with the least preference value isselected.

— If more than one route has the same preference value, then theroute with the higher RPF address is selected.

— Finally, the selected static-mroute preference is compared to RTMroute preference, and if the RTM route has the least preference,then the RTM route is selected.

Possible reasons for a configured static mroute not being chosen include:

• The selected route is the direct route.

• The route is not the matching route for the destination.

• The route is not reachable or disabled in the multicast route table.

• The RPF address is not a PIM neighbor.

• The route preference is greater than the RTM route.

Procedure stepsIf a configured static mroute is not chosen even while satisfying all theabove conditions, then use the following procedure to troubleshoot theproblem.


NN46205-703 03.02 12 April 2010


.

Troubleshooting static mroute 379

Step Action

1 To verify whether the configured static-mroute is selected or not,enter the following CLI command:

show ip mroute rpf <ipaddr>

OR


show ip static-mroute rpf <ipaddr>

This command shows the best route to the RP or source fromthe static-mroute or unicast routing table. If the multicast routeis not the selected route, then note the preference value of theselected route.

The following sample output shows that the route to destination20.20.20.2 takes a unicast route.

8600# show ip mroute rpf

========================================================================

Mroute Route - GlobalRouter

========================================================================

DEST MASK RPF PREF OWNER

------------------------------------------------------------------------

20.20.20.2 255.255.255.255 2.2.2.1 20 OSPF

After you properly configure the static-mroute, the route todestination 20.20.20.2 takes the Multicast route, as shown in thefollowing sample output.

8600# show ip mroute rpf

========================================================================

Mroute Route - GlobalRouter

========================================================================

DEST MASK RPF PREF OWNER

------------------------------------------------------------------------

20.20.20.2 255.255.255.255 5.5.5.1 10 MULTICAST

2 To verify whether the configured route is in the static-mroutetable, enter the following CLI command:


NN46205-703 03.02 12 April 2010


.


show ip static-mroute info

OR


show ip static-mroute

This command shows all the configured static mroutes from themulticast static IP route table, as shown in the following sampleoutput.

8600# show ip static-mroute info

========================================================================

IP Static Multicast Route - GlobalRouter

========================================================================

total number of entries:5

DEST MASK NEXT PREF STATUS ENABLE

------------------------------------------------------------------------

20.20.20.2 255.0.0.0 2.2.2.1 50 reachable enabled





3 If the configured route is in the static mroute table, then checkthe status and preference values. Compare the preferencevalues with the preference value of the selected route. If theroute preference is less than the selected route preference value,and the route is reachable, check whether the RPF address forthe route is a PIM neighbor using the following command in CLIor NNCLI:

show ip pim neighbor

Use this command to verify whether the RPF address in theroute is a PIM neighbor. If it is not, then the route is not selected.The following shows sample output for this command.

========================================================================

PIM Neighbor - GlobalRouter

========================================================================


NN46205-703 03.02 12 April 2010


.

Troubleshooting IGMPv3 backwards compatibility 381

INTERFACE ADDRESS UPTIME EXPIRE

------------------------------------------------------------------------

Vlan4 2.2.2.1 1 day(s), 12:29:48 0 day(s), 00:01:28

Vlan5 3.3.3.1 1 day(s), 12:29:48 0 day(s), 00:01:28

Vlan6 4.4.4.1 1 day(s), 12:29:34 0 day(s), 00:01:41

Vlan7 5.5.5.1 1 day(s), 12:29:34 0 day(s), 00:01:41

Total PIM Neighbors = 4

Also verify whether the RPF is reachable. If it is not, then theRPF interface may be down.

4 To show all the routes in the RTM, enter the following CLIcommand:

show ip route info

OR

enter the following NNCLI command

show ip route

Using the output from this command, you can verify whether theselected route is the direct route. If it is a direct route, the PROTfield displays LOC and the TYPE field displays DB.

5 If the route has satisfied all the above conditions and it is still notselected, contact technical support.

--End--

Troubleshooting IGMPv3 backwards compatibilityIf you configure the switch to operate in v2-v3 compatibility mode, theswitch supports all IGMPv2 and v3 messages. The switch parses thegroup address of the messages. If the group address is out of SSMrange and it is a v3 message, the switch drops the message; if it is a v2message, PIM-SM or IGMP snoop processes handle the message.

To troubleshoot issues with the IGMPv3 backwards compatibility feature,perform the following procedure.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Verify that the SSM static channel is configured for the v1/v2joins received. To display the configured SSM static channels,enter the following CLI command:

show ip igmp ssm-channel

OR


show ip igmp ssm-map

2 Verify that the SSM group range is configured for the v1/v2 joinsreceived. To display the configured SSM group range, enter thefollowing CLI command:

show ip igmp ssm-global

OR


show ip igmp ssm

3 If the v1/v2 joins are out of SSM range, verify that the RP setexists for groups specified in the v1/v2 joins to allow for thebuilding of a PIM tree. To display the configured RP sets, enterthe following CLI command:

show ip pim rp-set

OR


show ip pim rp-hash

--End--

Troubleshooting PIM with SMLTThe following sections provide information for troubleshooting PIM overSMLT networks.

IGMPv3 groups not listedIf IGMPv3 groups are not getting listed, use the following procedure totroubleshoot the issue.

Step Action

1 First check if a querier is elected for that particular interface:


NN46205-703 03.02 12 April 2010


.

Troubleshooting PIM with SMLT 383

show ip igmp interface (CLI or NNCLI)

2 If no querier is elected, check whether PIM is enabled on thisinterface:

show ip pim interface (CLI or NNCLI)

3 Check whether the group requested in the IGMPv3 reportmessages are in the SSM range configured on the 8600 switch.

show ip igmp ssm-channel (CLI)

show ip igmp ssm-map (NNCLI)

4 In case of IGMP v2/v3 compatibility, check whether the SSMchannel is configured for IGMPv2 reports.

--End--

No (S,G) Mroute record createdIf no (S,G) mroute records are being created, use the following procedureto troubleshoot the issue.

Step Action

1 Verify whether the source is reachable form the host. If not,verify that the unicast routing protocol (like OSPF) has fullyconverged.

2 Check whether the SSM group falls within the SSM rangeconfigured on the 8600 switch. If the multicast group range doesnot fall in the SSM group range, the (S,G) record will not becreated on the receiver side.

show ip igmp ssm-channel (CLI)

show ip igmp ssm-map (NNCLI)

3 Verify whether PIM SSM is enabled globally.

show ip pim info (CLI)

show ip pim (NNCLI)

4 Verify whether PIM SSM is enabled per interface and also verifywhether neighborships are established.

show ip pim interface (CLI or NNCLI)

--End--

Enabling trace messages for IGMP and PIM troubleshootingIf the preceding sections do not resolve your issue, use the followingprocedure to enable trace messages for further troubleshooting.


NN46205-703 03.02 12 April 2010


.


See also “Using PIM debugging commands” (page 143) and “Using PIMdebugging commands” (page 222) for information on additional PIMdebugging commands.

Step Action

1 Run IGMP trace and look for error conditions:

trace level 23 <1-4>trace scr on (CLI or NNCLI)

2 Run PIM trace and look for error conditions:

trace level 48 <1-4>trace level 27 <1-4>trace screen on (CLI or NNCLI)

--End--

Troubleshooting MSDPThis section provides instructions to troubleshoot MSDP. Possible reasonsfor MSDP failure are as follows:

• MSDP is not enabled globally.

• Admin status of MSDP peer is not enabled.

• MSDP peer operational state is disabled.

• MSDP peer connection status is not established.

• If a circuitless IP interface is used to configure the peer, thenconnect-source must be configured for that peer. Otherwise, the peercannot be established.

• MD5 password configuration mismatch.

• MSDP peer is not reachable through the routing table.

Possible reason for MSDP SAs not being received and advertised:

• no active RPs

• no source reachability

• no RP reachability

• originator ID not configured on RP switch

• RPF check failure

See the following sections to troubleshoot the specified MSDP issue:


NN46205-703 03.02 12 April 2010


.

Troubleshooting MSDP 385

• “MSDP peer not established” (page 385)

• “MSDP peer established, but no MSDP local cache and foreign cacheentries” (page 385)

MSDP peer not establishedIf the MSDP peer is not established, perform the following procedure.

Procedure steps

Step Action

1 To verify whether MSDP functionality is enabled globally or not,enter the following command using the CLI or NNCLI:

show ip msdp summary

From the command output, you can also verify whether theMSDP Peer state is established. If not, go to step 2.

2 To verify whether the peer admin status is enabled, enter thefollowing command using the CLI or NNCLI:

show ip msdp peer <peer-address>

If the MSDP interface uses circuitless IP, you can also verify theconnect-source configuration from this command output. Withcircuitless IP interfaces, you must configure the connect-sourcefor proper MSDP peer establishment.

--End--

MSDP peer established, but no MSDP local cache and foreign cacheentries

If the MSDP peer is established, but no MSDP local or foreign cacheentries are present, perform the following procedure.

Procedure steps

Step Action

1 To verify the local cache entries, enter the following commandusing the CLI or NNCLI:

show ip msdp sa-cache local

2 If no local cache entries exist, to check for PIM mroute entries,enter the following command using the CLI or NNCLI:

show ip pim mroute

Check whether the A flag is set in the PIM mroute entries. If theA flag is not set, this indicates that PIM has not provided mroute


NN46205-703 03.02 12 April 2010


.


entries to MSDP. Only when PIM advertises to MSDP can yousee MSDP local cache entries.

3 To check the foreign-cache entries at the receiver, enter thefollowing command using the CLI or NNCLI:

show ip msdp sa-cache

4 If no foreign-cache entries exist, to check whether the RPaddress is the same as the MSDP peer address, enter thefollowing CLI command:

show ip msdp rpf-peer <rp-address>

OR


show ip msdp rpf <rp-address>

5 If the MSDP peer is not the RPF peer, you must configure theoriginator ID. To check the originator ID configuration, enter thefollowing command using the CLI or NNCLI:

show ip msdp summary

6 PING the source and the RP to check for their reachability. Ifeither is not reachable, configure a static or dynamic route forsource and RP reachability.

7 To view the RPF-check for a particular source, group, and RP,enter the following command using the CLI or NNCLI:

show ip msdp sa-check source <source-address> group<group-address> rp <rp-address> [peer <peer-address>]

This check fails if there is an RPF mismatch, which usuallyhappens if the configured originator ID is not the same as theMSDP peer (and hence SAs are not accepted).

8 To display the number of sources and groups that originated inMSDP source-active messages and the number of source-activemessages from an MSDP peer in the source-active cache, enterthe following command using the CLI or NNCLI:

show ip msdp count

9 To display the configured mesh groups, enter the followingcommand using the CLI or NNCLI:

show ip msdp mesh-group

--End--


NN46205-703 03.02 12 April 2010


.

Troubleshooting multicast virtualization 387

Troubleshooting multicast virtualizationIn most cases, a virtualized multicast instance functions in an identicalmanner to a nonvirtualized multicast instance. There are some exceptionsto avoid. For example, a virtualized multicast instance cannot functionproperly in a PIM-DM or DVMRP only network as these protocols are notsupported for virtualization.

Possible reasons for VRF Multicast failures are:

• The system as a whole has reached the maximum number ofsupported multicast streams. These are shared between all VRFs andas such may all be consumed by another multicast instance.

• The VRF instance does not have a supported unicast protocol createdand enabled. A source is not reachable in the appropriate VRFinstance.

• Multicast configuration errors.

• The attached subnet running a multicast protocol is not supported ina virtualized instance. Supported Protocols include IGMP, PIM-SM,and PIM-SSM.

For troubleshooting procedures, refer to the following sections:

• “General multicast virtualization troubleshooting” (page 387)

• “Cannot enable PIM on a VRF” (page 388)

• “Cannot create a PIM instance on a VRF” (page 389)

• “Cannot enable PIM on a VLAN or brouter interface” (page 389)

• “Warning message appears when enabling PIM on an interface” (page390)

• “Cannot enable IGMPv3 on a VLAN” (page 391)

• “Maximum number of PIM neighbors is reached” (page 391)

General multicast virtualization troubleshootingIf a virtualized multicast failure has occurred, run the following diagnosticcommands to determine the status of the multicast instance and identify apotential trigger for the issue.

Procedure steps

Step Action

1 To determine the status of the PIM instance, enter the followingcommand using the CLI or NNCLI:

show ip vrf info [vrf <value>]


NN46205-703 03.02 12 April 2010


.


Verify that the VRF instance exists, that the PIM VRF instanceexists (is TRUE), and that a unicast routing protocol VRFinstance exists.

2 To verify that the VRF instance has IP forwarding enabled, enterthe following CLI command:

show ip forwarding vrf <value>

OR


show ip routing vrf <value>

3 To verify that the PIM VRF instance is enabled, and running inthe proper mode, enter the following CLI command:

show ip pim info vrf <value>

OR


show ip pim vrf <value>

4 To determine if the maximum number of multicast streams hasbeen reached, enter the following command using the CLI orNNCLI:

show ip mroute route vrfids 0-255

A count of the total number of multicast streams in the system isprovided at the end of the output.

--End--

Cannot enable PIM on a VRFIf you cannot enable PIM on a VRF, or you receive the following error:Error: PIM is not instantiated for VRF, a possible cause is that,for all VRFs other than the GRT, you must create a PIM instance beforeyou can begin PIM configuration. To create a PIM instance, perform thefollowing procedure.

Procedure steps

Step Action

1 To create a PIM instance, enter the following CLI command:

config ip vrf <vrf-name> pim create

OR

enter the following NNCLI command (from VRF RouterConfiguration mode):


NN46205-703 03.02 12 April 2010


.


ip pim enable

--End--

Cannot create a PIM instance on a VRFIf you cannot create a PIM instance on a VRF, possible causes includethe following:

• The VRF does not exist.

• The maximum PIM instance count is reached.

To troubleshoot, perform the following procedure.

Procedure steps

Step Action

1 To verify that the VRF exists and that the total PIM instancecount is 63 or less, enter the following CLI command:

show ip vrf info

OR


show ip vrf

2 If the instance count is 64, to delete a PIM instance, enter thefollowing command:

config ip vrf <vrf-name> pim delete

OR

enter the following NNCLI command (from VRF RouterConfiguration mode):

no ip pim enable

--End--

Cannot enable PIM on a VLAN or brouter interfaceIf you cannot enable PIM on a VLAN or brouter interface, a possible causeis that the VLAN is associated with a VRF which does not have a PIMinstance created. To troubleshoot, perform the following procedure.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 To check the VRF association for the VLAN, enter the followingCLI command:

show vlan info ip

OR


show interface vlan ip

2 To ensure the VRF has a PIM instance created, enter thefollowing CLI command:

show ip vrf info

OR


show ip vrf

--End--

Warning message appears when enabling PIM on an interfaceIf the system is configured with the maximum limit of 200 active PIMinterfaces (distributed between all VRF instances), when you enablePIM on an additional interface, a warning message appears stating thatthe maximum has been reached. To troubleshoot, perform the followingprocedure.

Procedure steps

Step Action

1 To check which VRFs have active PIM interfaces, enter thefollowing command using the CLI or NNCLI:

show ip pim interface vrfids 0-255

2 To lower the number of PIM interfaces, disable PIM on a VLANor brouter on any VRF where it is not required using the followingCLI command:

config vlan <vid> ip pim disable

OR

using the following NNCLI command (from InterfaceConfiguration mode):


NN46205-703 03.02 12 April 2010


.


no ip pim enable

--End--

Cannot enable IGMPv3 on a VLANIf you cannot enable IGMPv3 on a VLAN, a possible cause is that theVLAN is associated with a VRF which does not have a PIM instancecreated. To troubleshoot, perform the following procedure.

Procedure steps

Step Action

1 To check the VRF association for the VLAN, enter

show vlan info ip

OR


show interface vlan ip

2 To ensure the VRF PIM instance is in SSM mode, enter thefollowing CLI command:

show ip pim info vrf <vrf-name>

OR


show ip pim vrf <vrf-name>

--End--

Maximum number of PIM neighbors is reachedIf the system has a maximum of 200 PIM neighbors, a warning messageappears stating that the PIM neighbor limit has been reached. Totroubleshoot, perform the following procedure.

Procedure steps

Step Action

1 To check which VRFs have active PIM neighbors, enter thefollowing command using the CLI or NNCLI:

show ip pim neighbor vrfids 0-255


NN46205-703 03.02 12 April 2010


.


2 To lower the number of PIM neighbors, consider reorganizing thePIM domain, potentially replacing PIM nodes with IGMP Snoopswitches where acceptable.

--End--


NN46205-703 03.02 12 April 2010


.

393.

Upper layer troubleshootingThis section describes troubleshooting for Layer 4 to 7 applications.

Navigation• “SNMP troubleshooting” (page 393)

• “DHCP troubleshooting” (page 394)

• “Troubleshooting BFD” (page 397)

• “Troubleshooting TACACS+” (page 414)

• “Nortel Secure Network Access troubleshooting” (page 419)

SNMP troubleshootingThis section describes methods to troubleshoot the following SimpleNetwork Management Protocol (SNMP) scenario:

• network management station (NMS) not receiving traps

Verify your management configurations for your management station.Also verify your management station setup. If you can reach a devicebut are not receiving traps, verify the trap configurations (that is, the trapdestination address and the traps to be sent).

For a flowchart SNMP recovery tree, see “SNMP failure” (page 321).

Procedure steps

Step Action

1 From the NMS, ping the switch. If you can ping, the IP addressis valid and you may have a problem with the SNMP setup.

If you cannot ping the switch, then there is a problem with eitherthe path or the IP address.

2 Telnet to the switch.

If you can Telnet, the switch IP address is correct.


NN46205-703 03.02 12 April 2010


.

394 Upper layer troubleshooting

3 If Telnet does not work, connect to the device console port usinga serial line connection and ensure that the device IP addresssetting is correct.

4 If your management station is on a separate subnet, make surethat the gateway address and subnet mask are set correctly.

5 Using a management application, perform an SNMP Getand an SNMP Set (that is, try to poll the device or change aconfiguration using management software).

6 If you cannot reach the device using SNMP, access the device’sconsole and make sure that your SNMP community strings andtraps are set correctly.

7 Get sniffer traces to verify that the switch received the poll.

8 Get sniffer trace to verify that the NMS gets the response.

9 Verify that the data in the response is the data that wasrequested.

--End--

DHCP troubleshootingThis section describes methods to troubleshoot the following DynamicHost Configuration Protocol (DHCP) scenarios:

• Client cannot obtain a DHCP address when in the same subnet.

• Client cannot obtain a DHCP address when in different subnets.

When the DHCP server and client are on the different subnets or VLANs,the router must be configured as a DHCP Relay Agent and is responsiblefor forwarding DHCP Requests to the DHCP server. Extra troubleshootingsteps (not included here) are needed to troubleshoot the DHCP RelayAgent.

For a DHCP Relay recovery flowchart, see “DHCP Relay failure” (page320).

Procedure steps

Step Action

1 Check the physical connectivity between the DHCP client andserver.

2 Verify network connectivity by configuring a static IP address ona client workstation.

If the workstation is still not able to reach the network, theproblem is not DHCP. Start troubleshooting network connectivity.


NN46205-703 03.02 12 April 2010


.

Troubleshooting IPv6 DHCP Relay 395

3 Attempt to obtain an IP address from the DHCP server bymanually forcing the client to send a DHCP request.

If the client gets an IP address after the PC has completed itsstartup, the issue is not the DHCP server.

4 Obtain an IP address on the same subnet or VLAN as the DHCPserver.

If DHCP is working on the same subnet or VLAN as the DHCPserver, the DHCP issue may be with the DHCP Relay Agent.If the issue is still there, the problem may be with the DHCPserver.

5 Confirm the DHCP Relay Agent configuration is correct

6 Obtain sniffer traces where the traffic ingresses and egresses theswitch and also on the client side of the network.

--End--

Troubleshooting IPv6 DHCP RelayFor a DHCP Relay recovery flowchart, see “DHCP Relay failure” (page320)

The following sections provide troubleshooting information for IPv6 DHCPRelay

IPv6 DHCP Relay switch side troubleshootingWith DHCP Relay, the Ethernet Routing Switch 8600 only participates inforwarding the requests and replies to and from the client and the DHCPserver. The Ethernet Routing Switch 8600 always acts as the relay agent,on which you configure the forward path to the server.

To troubleshoot DHCP Relay issues on the switch, use the followingprocedure.

Step Action

1 Verify that the DHCP server is reachable using ping. (if ping isworking and the DHCP server is reachable, DHCP should work).

2 Verify that the relay agents and the forward path configured arereachable. (Ping the server and the gateway to the server.)

3 Check that the relay agent configurations are correct. Also verifythat DHCP is enabled on the switch.

show ipv6 dhcp-relay fwd-pathshow ipv6 dhcp-relay interface (CLI or NNCLI)


NN46205-703 03.02 12 April 2010


.


config vlan <vid> ipv6 dhcp-relay info (CLI)

4 Verify that IPv6 forwarding is enabled globally.

show ipv6 info (CLI)

show ipv6 global (NNCLI)

5 Verify that the IPv6 based VLAN where the DHCP relay agentis configured is enabled.

show vlan info ipv6 (CLI)

show ipv6 interface vlan <vid> (NNCLI)

6 In a scenario with VRRP and SMLT, Nortel recommends to havethe VRRP IP configured as the DHCP relay agent.

7 When using the VRRP VRID as the relay agent, make sure theVRRP configurations are proper.

8 To verify that relay forward and relay receive are working, enabletrace for DHCP with IPv6, and grep trace for relay:

trace le 66 3trace grep relaytrace screen on (CLI or NNCLI)

--End--

IPv6 DHCP Relay server side troubleshooting

Step Action

1 Enable the services on the server side, then create an IP pool.This IP pool must have the range of addresses which you wantto assign to the clients. Configure this IP pool with the samenetwork subnet as that of the relay agent.

2 When the configuration is complete, perform an authorization.

3 Check the log file available on the server to verify the reason forpacket drop.

4 Capture the packets on the server side using Ethereal.

5 From the server side, use to ping to verify that the relay agentaddress is reachable.

6 For more configuration aspects, refer to the MS webpage fortroubleshooting and configuration issues.

--End--


NN46205-703 03.02 12 April 2010


.

Troubleshooting BFD 397

IPv6 DHCP Relay client side troubleshootingYou can collect a client console dump, which can be used to analyzewhy the received packet cannot be processed and the allocated addresscannot be used by the client.

In addition, restarting the client can also fix the issue in some cases.

Enabling trace messages for IPv6 DHCP RelayTo troubleshoot IPv6 DHCP Relay, you can enable rcip6 trace messagesusing the following command:

trace level 66 3

You can also enable IPv6 forwarding trace using the following command:

trace ipv6 forwarding enable

Troubleshooting BFDSee the following sections to troubleshoot the specified BFD issue:

• “BFD session stays in down state” (page 397)

• “BFD enabled on OSPF or BGP, but session not created” (page 398)

• “BFD session flaps” (page 398)

• “BFD session goes down when MLT member ports are enabled ordisabled” (page 399)

• “BFD with trace on” (page 400)

BFD session stays in down stateIf the BFD session stays in the down state, perform the following steps:

Procedure steps

Step Action

1 Verify whether the BFD peer is reachable.

ping <peer-ip>

2 To verify whether BFD is enabled on the peer, enter the followingCLI command on the peer:

show ip bfd info

OR

enter the following NNCLI command on the peer:


NN46205-703 03.02 12 April 2010


.


show ip bfd

--End--

BFD enabled on OSPF or BGP, but session not createdIf BFD is enabled on OSPF or BGP, but the BFD session is not created,perform the following steps:

Procedure steps

Step Action

1 For OSPF BFD sessions, to verify whether the OSPF neighbor isin FULL state, enter the following command using CLI or NNCLI:


The OSPF BFD session cannot be created until the neighbor isin the FULL state.

2 For BGP BFD sessions, to verify whether the BGP peer isestablished, enter the following CLI command:

show ip ospf neighbor info

OR



A BGP BFD session cannot be created until the BGP peer isestablished.

3 To verify whether the maximum BFD session number limit isreached, enter the following CLI commands:

show ip bfd infoshow ports info vlacp

OR


show ip bfdshow vlacp interface

The maximum number of total BFD and VLACP sessions cannotexceed 256.

--End--

BFD session flapsIf the BFD session flaps, perform the following steps:


NN46205-703 03.02 12 April 2010


.

Troubleshooting BFD 399

Procedure steps

Step Action

1 To verify whether the multiplier parameter is 3 or higher, enterthe following CLI command:

config {ethernet <portlist> | vlan <vid>} ip bfd info

OR


show ip bfd interfaces {<port-type> <portlist> | vlan<vid>}

2 If the multiplier parameter is less than 3, to change it to 3 orhigher, enter the following CLI command:

config {vlan <vid> | ethernet <portlist>} ip bfdmultiplier <2-20>

OR


(config-if)# ip bfd [port <portlist> | vlan <vid>]multiplier <2-20>

3 Verify whether the detect time is small while too many BFDsessions exist. To increase the detect time by changing therx-interval and tx-interval parameters, enter the following CLIcommand:

config {ethernet <portlist> | vlan <vlan-id>} {rx-interval <milliseconds> | tx-interval <milliseconds>}

OR


(config-if)# ip bfd [ port <portlist> | vlan <vid> ]{min_rx <100-65535> | interval <100-65535>}

4 To check whether the CP usage is very high, enter the followingcommand using CLI or NNCLI:

show sys perf

--End--

BFD session goes down when MLT member ports are enabled ordisabled

If the BFD session is down after you enable or disable MLT member ports,perform the following steps:


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Verify the multiplier parameter is 3 or higher:

config {ethernet <portlist> | vlan <vid>} ip bfd info

OR


show ip bfd interfaces {<port-type> <portlist>| vlan<vid>}

2 If the multiplier parameter is less than 3, to change it to 3 orhigher, enter the following CLI command:

config {ethernet <portlist> | vlan <vid>} ip bfdmultiplier <2-20>

OR


(config-if)# ip bfd [port <portlist> | vlan <vid>]multiplier <2-20>

3 If more than two ports in an MLT fail at once, the BFD sessionflaps. To remove and readd MLT member ports one by one,enter the following CLI commands:

config mlt <mid> remove ports <portlist>

config mlt <mid> add ports <portlist>

OR


no mlt <mid> member <portlist>

mlt <mid> member <portlist>

--End--

BFD with trace onThe Ethernet Routing Switch 8600 supports only one static or OSPFsession with trace on (trace level 115 3) (CR Q018374647).

Troubleshooting IPv6 VRRPThe following sections describe troubleshooting information for IPv6 VRRP


NN46205-703 03.02 12 April 2010


.

Troubleshooting IPv6 VRRP 401

VRRP transitionsWhen a VRRP transition takes place with the backup taking over as themaster, look for the following message in the syslog on the new master, aswell as the old master. This message provides information to allow you todetermine the cause of the transition.

Vrrp State Transition Trap(Port/Vlan=20, Type=3, Cause=5,VrId=200, VrIpAddr=fe80:0:0:0:1234:5678:abcd:ffff,Addr=fe80::280:2dff:febf:ce01)

In this message, refer to the Type and Cause fields.

The following table describes the VRRP transition types.

Table 30Transition type

Type value Type definition

1 None

2 Master to Backup

3 Backup to Master

4 Initialize to Master

5 Master to initialize

6 Initialize to Backup

7 Backup to Initialize

8 Backup to Backup Master

9 Backup Master to Backup

The following table describes the VRRP transition causes.

Table 31Transition cause

Cause value Cause definition

1 None

2 Higher priority advertisement received

3 Shutdown received

4 VRRP Address and Physical Address match

5 Master Down interval

6 Preemption

7 Critical IP goes down

8 User Disabling VRRP

9 VRRP status synced from primary


NN46205-703 03.02 12 April 2010


.


Table 31Transition cause (cont’d.)

Cause value Cause definition

10 IPv6 interface on which VRRP is configured goes down

11 Lower Priority Advertisement received

12 Advertisement received from Higher interface IP address withEqual Priority

13 Advertisement received from Lower interface IP address withEqual priority

14 User enabled VRRP

15 Transition because of any other cause

Backup master enabled but not routing packetsWith VRRP running on SMLT, if a backup-master is enabled and itsadministrative state is up, the backup should route packets rather thanbridging them, assuming it has the proper information about the next-hopand destination.

When the backup-master state is up, it does not install the VRRP MAC asSELF (like in VRRPv2), but instead it maintains the MAC as LEARNED,while still routing the packets.

Step Action

1 To confirm whether the backup-master is routing the packet ornot, dump MAC records for the module:

dump ercdRecord mac slot <value> (CLI or NNCLI GlobalConfiguration mode)00:00:5e:00:02:1e Mgid 8 isMcast N DestPort 512Rtr Y Ip6Route Y Act Y CpyCpu NiMon N eMon N SrcQos NSrcDiscard N DestDiscard N pktQos 1 Tos 0 RMT 0

Make sure the Ip6Route Bit is set to “Y” when the backupmasterstate is up.

--End--

Enabling trace messages for IPv6 VRRP troubleshootingTo troubleshoot IPv6 VRRP, you can enable RCIP6 trace messages usingthe following command:

trace level 66 3


NN46205-703 03.02 12 April 2010


.

Troubleshooting IPv6 VRRP 403

And to provide additional trace information, you can also enable thefollowing traces:

trace ipv6 nd on alltrace ipv6 base on alltrace ipv6 forwarding on alltrace ipv6 rtm on alltrace ipv6 transport on all

When VRRP is enabled on two routing switches, the Master-Backuprelationship will form with one router taking the responsibility of routing.

If the Master-Backup relationship is not formed between the VRRP virtualrouters, look for the following trace messages to ensure that the master issending the advertisements correctly and the backup is processing them.

On the master router, look for the following RCIP6 trace messages.

• tMainTask RCIP6: rcip6_vrrp.c: 5118: VRF name:GlobalRouter (VRF id 0): ipv6VrrpTic: Am Master forVrid 200 on IfIndex 2053 Timer 1If VRRP is enabled on the interface, this timer kicks off every secondand shows the state for the VRID.

• [11/18/09 15:08:20:383] tMainTask RCIP6: rcip6_vrrp.c: 5924: ipv6VrrpSendAdvertisement: for Vrid 200 onIfIndex 2053[11/18/09 15:08:20:583] tMainTask RCIP6: rcip6_vrrp.c: 5175: VRF name: GlobalRouter (VRF id 0):ipv6VrrpTic: ipv6VrrpSendAdvertisement

The above trace messages show that the VRRP Master is sending theadvertisements correctly at the end of advertisement interval for a VRID.

On the backup router, look for the following RCIP6 trace messages.

• tMainTask RCIP6: rcip6_vrrp.c: 5236: VRF name:GlobalRouter (VRF id 0): ipv6VrrpTic: Am Backup forVrId 200 on IfIndex 2052 Timer 1

• tMainTask RCIP6: rcip6_vrrp.c: 4854: ipv6VrrpIn:Vrid 200 on IfIndex 2052

• tMainTask RCIP6: rcip6_vrrp.c: 5545: VRF name:GlobalRouter (VRF id 0): rcIpVrrpProcessAdvt: Ambackup for Vrid 200 on IfIndex 2052

The above trace messages show that the backup router is receiving theadvertisements sent by the master and correctly processing them.


NN46205-703 03.02 12 April 2010


.


Risks associated with enabling trace messagesWhen traces are enabled on VRRP master, VrrpTic messages are loggedfor every second and any other configured traces keep displaying, so thereis no guarantee that the backup will receive the advertisement from themaster within 3 seconds, so it can transit to Master also. There is also riskof toggling of VRRP states (from backup to master and back again).

Enable the limited traces based on whichever is required.

VRRP with higher priority running as backupThe VRRP router with the higher priority can display as the backup for thefollowing reasons

• Hold-down timer is running

• The configured Critical IP is not reachable or does not exist

If the critical-IP is configured for VRRP Master, and the critical interfacegoes down or is deleted, the Master transitions to the backup state. In thiscase, the Log shows the transition cause as 1 like many other cases.

To determine that the issue is with the critical interface, look for thefollowing trace message.

tMainTask RCIP6: rcip6_vrrp.c: 5152: VRF name:GlobalRouter (VRF id 0): ipv6VrrpTic: Becoming backup forVrid 200 on IfIndex 2052 because of invalid critical IP

If the holddown Timer is configured for VRRP Master, the holddown timerdelays the preemption, giving the device which is becoming the Masterenough time to construct routing tables.

To determine that the device is in holddown timer processing, look for thefollowing trace message:

tMainTask RCIP6: rcip6_vrrp.c: Enter in HoldDownprocessing,Vrid 200 LastRecvd 0 MasterDown 3, Holddown timeremaining 970, Holddownstate 2

Troubleshooting IPv6 RSMLTThe following sections provide information for troubleshooting IPv6 RSMLT


NN46205-703 03.02 12 April 2010


.

Troubleshooting IPv6 RSMLT 405

Configuration considerationsWhen troubleshooting IPv6 RSMLT, note the following configurationconsiderations:

• Running both IPv6 RSMLT and IPv6 VRRP on the same VLAN is notsupported

• You must configure IST peers with the same IPv6 subnets on theSMLT VLANs (same as for IPv4).

• Make sure that IST MLTs on the RSMLT peers contain the same set oflinks (this is very difficult to catch through regular troubleshooting)

• Do not enable transmission of IPv6 ICMP Redirect messages onRSMLT VLANs (ICMP redirect is disabled by default).

• No IPv6 connectivity is expected when the IST is down. Trafficrecovery from an IST going down takes multiple seconds.

RSMLT peers not upIf, after a series of reconfigurations, RSMLT peers do not transition to theup state, use the following procedure to troubleshoot the issue. The issuemay be observed on dual-stack VLANs after multiple delete and re-addsof IPv4 interfaces, or disabling and reenable of IPv6 forwarding or similarconfigurations.

Step Action

1 Display the RSMLT configuration

show ip rsmlt info (CLI)

This command shows whether the peers are up.

2 To recover the peers if they are down, disable and reenableRSMLT on both IST peers:

config vlan <vid> ip rsmlt disableconfig vlan <vid> ip rsmlt enable (CLI)

OR

no ip rsmltip rsmlt (NNCLI from Interface Config mode)

3 If the problem persists, boot from a saved configuration.

--End--

Enabling trace messages for RSMLT troubleshootingIf the preceding information does not resolve the issue, you can use thefollowing command to obtain additional RSMLT-related information:


NN46205-703 03.02 12 April 2010


.


trace level 15 4 (CLI or NNCLI)

ATTENTIONEnabling this trace on a loaded system may slow down the CPU, especially ifexecuted through console. Use Telnet if possible.

Troubleshooting IPv6 connectivity lossIf the switch experiences loss of IPv6 connectivity, use the followingprocedure to troubleshoot the issue.

Step Action

1 Through CLI or NNCLI commands, make sure the requiredroutes are in place and the corresponding neighbor entries areresolved (that is, in REACHABLE, PROBE, DELAY or STALEstate).

2 INCOMPLETE neighbor state indicates a problem if thecorresponding neighbor is used by some of the IPv6 routes. Thisapplies to neighbor entries with link-local addresses. (Note thatglobal addresses are not normally used as next hops; having aglobal IPv6 neighbor entry as INCOMPLETE does not usuallylead to a connectivity issue).

3 If the corresponding route is not in place then this is a routingissue. If the neighbor is not present or is INCOMPLETE, thenfurther debugging is needed on the network level (that is, thestate of other nodes needs to be examined).

4 Disabling and re-enabling IPv6 on the VLAN often recoversconnectivity.

5 Display the RSMLT and MLT status:

show ip rsmlt infoshow mltinfo (CLI)

show ip rsmltshow mlt (NNCLI)

Make sure the RSMLT peer MAC is learned and the IST stateis ist.

6 If the CLI or NNCLI output does not indicate any problems,tracing all packets at the RSP level can sometimes provideadditional insight:

con rsp-trace ingress-pkt-trace port 3/17 state enainterval 10con rsp-trace ingress-pkt-trace port 3/17 state disdump rsp-trace ingress-pkt-trace port 3/17 (CLI)

OR


NN46205-703 03.02 12 April 2010


.

Troubleshooting RADIUS 407

rsp-trace ingress-pkt-trace 3/17 enable 10no rsp-trace ingress-pkt-trace 3/17 disdump rsp-trace ingress-pkt-trace 3/17 (NNCLI GlobalConfiguration Mode)

================================================================================RspPacket Trace================================================================================PKT SRC DST DSTMAC SRCMAC SRCIP DSTIP EGQID ERROR IDPHYPORT PORT ORMGID CONDITION--------------------------------------------------------------------------------11 1 (7) 33:33:00:00:00:05 00:04:38:6e:c2:01 N/AN/A0 141 (7) 33:33:00:00:00:05 00:04:38:6e:c2:01N/AN/A0

7 Display the ingress packet trace:

dump rsp-trace ingress-display-pktport 3/17 pkt-id11 (CLI)

OR

dump rsp-trace ingress-display-pkt 3/17 11 (NNCLI)

Copy packet to Primary CPU. CPU Code=0x0 CPU Code Extension=0x0 Packet PreclassificationInformation:PC Vector1: IPv6. PC Vector2: Control packet.Layer2 Type: Ethernet with q-tag. MAC Type:Unicast(else). Layer3 Type: IPv6. Layer4 Type:ICMP. Ether Protocol Id Offset = 16 bytes fromthe begin of packet. Ingress Packet Trace: VlanRec:0x11600140000a001f Incoming Packet: 3333000000050004 386ec201 8100e014 86dd6000 000000305901fe80 00000000 00000000 00000000 0003ff02 00000000

Highlighted above are the source and part of the destination IPv6address in the packet.

--End--

Troubleshooting RADIUSThe following sections provide information for troubleshooting RADIUSissues.

RADIUS switch side troubleshootingTo troubleshoot RADIUS issues on the Ethernet Routing Switch 8600, usethe following procedure.


NN46205-703 03.02 12 April 2010


.


Step Action

1 Make sure the RADIUS server is reachable from the NAS (or8600 switch).

2 Make sure authentication and accounting are enabled globally inthe address configuration:

radius enableradius server create <ipv4|ipv6> secret <string>enable <true> acct-enable <true> (CLI)

radiusradius server host <WORD 0-46> key <WORD 0-32>used-by {cli|igap|snmp|eapol} acct-enableacct-port <1-65536> enable port <1-65536> priority<1-10> retry <0-6> source-ip <A.B.C.D> timeout<1-60> (NNCLI Global Configuration mode)

3 Make sure the server entry exists for the user. The switch canhave the same server address under different user groups (forexample, cli, igap, snmp, or eapol).

--End--

RADIUS server side troubleshootingTo troubleshoot RADIUS issues on the RADIUS server, use the followingprocedure.

Procedure steps

Step Action

1 Make sure the secret string configured on the server is the sameas that configured on the switch.

2 Make sure the appropriate client network is configured on theserver file (clients.conf).

3 Before sending a RADIUS request to the server, create a userprofile on the server (by modifying the “users” file).

4 Make sure the server is listening for authentication and/oraccounting request packets. (In the radiusd.conf file, set the typeto auth/acct in the listen section.)

5 Depending on the type of interface (IPv4 or IPv6) or the type ofrequest the server receives, modify the listen section accordingly(for example, set either ipaddr = * or ipv6addr = ::).

6 Make sure the client and server are using the same port forauthentication and accounting. (By default, the port used forauthentication and accounting are 1812 and 1813 respectively.)


NN46205-703 03.02 12 April 2010


.

Troubleshooting RADIUS 409

7 If you want the server to listen for authentication/accountingpackets on different ports other than the default ones, modify thelisten section accordingly. (For example, port = <port number>.)

--End--

Sample RADIUS user profileThe following shows a sample configuration in the users file:

test Cleartext-Password := “test“Access-level = RWA

Note: Access-level’s are defined in the file dictionary.passport, whichshould be present under the directory “dictionary”

Sample RADIUS configuration in the clients.conf fileThe following shows a sample IPv4 client configuration in the clients.conffile:

client 192.168.152.125{ secret = secretshortname = localhost }

The following shows a sample IPv6 client configuration in the clients.conffile:

client 3001::4/64{ secret = secretshortname = localhost }

Sample RADIUS configuration in the radiusd.confThe following shows a sample IPv4 configuration in the radiusd.conf file:

listen{ ipaddr = *#ipv6addr = ::port = 1812type = auth# interface = eth0# clients = per_socket_clients }The following shows a sample IPv6 configuration in the radiusd.conf file:


NN46205-703 03.02 12 April 2010


.


listen{ #ipaddr = *ipv6addr = ::port = 1812type = auth# interface = eth0# clients = per_socket_clients }

Enabling trace messages for RADIUS troubleshootingYou can enable RADIUS trace for troubleshooting purposes using thefollowing command:

trace level 41 3 (CLI or NNCLI)

Troubleshooting DHCP SnoopingThe following sections provide information for troubleshooting DHCPSnooping issues.

Client not assigned IP addressIf a client is not assigned an IP address, verify the DHCP client and theDHCP server connectivity.

Step Action

1 Disable global DHCP Snooping and verify that the DHCP clientis able to obtain an address.

config ip dhcp-snooping disable (CLI)

no ip dhcp snooping enable (NNCLI)

If the problem persists with DHCP Snooping disabled, then theissue is outside the scope of the DHCP Snooping feature. In thiscase, check ports, VLANs, and all applicable configurations andconnections between the DHCP client and server.

If the DHCP client and server function properly when DHCPSnooping is disabled, reenable DHCP snooping and continuewith the following steps to verify the configuration.

2 Verify global DHCP Snooping is enabled:

show ip dhcp-snooping info (CLI)

show ip dhcp snooping (NNCLI)

3 Verify that DHCP Snooping is enabled on the VLAN:

show ip dhcp-snooping vlan(CLI)

show ip dhcp snooping vlan (NNCLI)

Verify that access and all core VLANs have DHCP Snoopingenabled.


NN46205-703 03.02 12 April 2010


.

Troubleshooting DHCP Snooping 411

4 Verify that DHCP Snooping trusted and untrusted ports areproperly configured:

show ip dhcp-snooping port [<portlist>] (CLI)

show ip dhcp snooping interface [<interface-type>][<portlist>] (NNCLI)

Verify that the access port is untrusted and all core ports aretrusted. The default value is untrusted.

5 Check the DHCP Snooping binding table:

show ip dhcp-snooping binding (CLI)

show ip dhcp snooping binding (NNCLI)

If there is no entry in the DHCP Snooping binding table, checkwhether the DHCP server has been connected to the DHCPSnooping trusted port.

--End--

DHCP Snooping configured properly but client not assigned IPIf DHCP Snooping is configured properly, but the client is still not assignedan IP address, you can enable a trace for DHCP Snooping events totroubleshoot the source of the problem.

Step Action

1 Enable trace:

trace level 116 4trace screen on (CLI or NNCLI)

2 Verify the trace shows the switch received the DHCP Discoverrequest from the client.

3 Verify the trace shows the switch received the DHCP Offerresponse from the server.

4 Verify the trace shows the switch received the DHCP Requestfrom the client.

5 Verify the trace shows the switch received the DHCP ACKresponse from the client.

--End--

Client assigned IP address but no binding entry createdIf the client is assigned an IP address, but no associated binding entry iscreated, DHCP Snooping may not be configured properly for Layer 3.


NN46205-703 03.02 12 April 2010


.


Step Action

1 Verify ALL VLANS on the core side have DHCP Snoopingenabled.

show ip dhcp-snooping vlan (CLI)

show ip dhcp snooping vlan (NNCLI)

Note that this additional provisioning differs from other vendors.When enabling DHCP Snooping for Layer 3, both the accessside and core side VLANs MUST have DHCP Snooping enabled.

2 Verify ALL core side ports are trusted.

show ip dhcp-snooping port (CLI)

show ip dhcp snooping interface (NNCLI)

--End--

Client not always successfully assigned an IP address.If the client is not always successfully assigned an IP address, DHCPSnooping may not be configured properly.

Step Action

1 Verify that the client is NOT provisioned on an access sideuntrusted MLT port. Untrusted ports cannot be members of anMLT; however, there is no semantic check to protect againstsuch a configuration.

show mlt infoshow ip dhcp-snooping port (CLI)

show mltshow ip dhcp snooping interface (NNCLI)

--End--

Client loses IP address after a switch rebootIn cases where the client loses the IP address after a switch reboot, beaware that the switch does not maintain the DHCP binding entries after areboot. Clients normally send DHCP requests after a switch reboot. DHCPSnooping relies on the client to renew the lease.

Troubleshooting Dynamic ARP InspectionTo troubleshoot specific DAI issues, use the following procedure.


NN46205-703 03.02 12 April 2010


.

Troubleshooting IP Source Guard 413

Step Action

1 If enabling DAI on a DAI untrusted port fails:

• Verify that DHCP snooping is enabled on that VLAN and thatthe port is DHCP untrusted.show ip dhcp-snooping vlanshow ip dhcp-snooping port (CLI)show ip dhcp snooping vlanshow ip dhcp snooping interface (NNCLI)

2 If ARP packets are not dropped as they should be:

• Check the DHCP Snooping table, to determine if theIP-to-MAC binding entry exists.show ip dhcp-snooping binding (CLI)show ip dhcp snooping binding (NNCLI)

• Check whether the ARP entry belongs to the VLAN on whichDAI is enabled.

• If the port is a trunk port, check whether this port belongs tomore than 5 VLANs.show port info vlans (CLI)show port vlans (NNCLI)

--End--

Enabling trace messages for Dynamic ARP Inspection troubleshootingYou can enable Dynamic ARP Inspection trace for troubleshootingpurposes using the following command:

trace level 117 <1-4> (CLI or NNCLI)

Note that this command only traces for configuration changes and HAsynchronization. It does not provide ARP message tracing.

Troubleshooting IP Source GuardTo troubleshoot specific IP Source Guard issues, use the followingprocedure.

Step Action

1 If IP Source Guard cannot be enabled on the port, verify thatDHCP Snooping is enabled globally, on the port, and on allVLANs.


NN46205-703 03.02 12 April 2010


.


show ip dhcp-snooping infoshow ip dhcp-snooping portshow ip dhcp-snooping vlan (CLI)

show ip dhcp snoopingshow ip dhcp snooping interfaceshow ip dhcp snooping vlan (NNCLI)

2 Verify that Dynamic ARP Inspection is enabled on the port, andon all VLANs.

show ip arp-inspection portshow ip arp-inspection vlan (CLI)

show ip arp inspection interfaceshow ip arp inspection vlan (NNCLI)

3 If packets cannot pass through the port, note that only packetswhose source IP match the entry stored in the DHCP Snoopingtable can pass through the port. All packets except DHCP aredropped before the DHCP Snooping table has been set up.

--End--

Enabling trace messages for IP Source Guard troubleshootingYou can enable IP Source Guard trace for troubleshooting purposes usingthe following command:

trace level 116 <1-4> (CLI or NNCLI)

This is the same trace level as for DHCP Snooping.

Troubleshooting TACACS+See the following sections to troubleshoot the specified TACACS+ issue:

• “Customer unable to log on using Telnet or rlogin” (page 415)

• “Customer unable to log on using SSH” (page 415)

• “Customer unable to log on using PPP” (page 416)

• “Customer unable to log on by any means (Telnet, rlogin, SSH, andPPP)” (page 417)

• “Administrator unable to obtain accounting information from theTACACS+ server” (page 417)

• “Administrator unable to receive trap packets from the Ethernet RoutingSwitch 8600” (page 418)

• “User unable to login” (page 418)


NN46205-703 03.02 12 April 2010


.

Troubleshooting TACACS+ 415

Customer unable to log on using Telnet or rloginIf customers are unable to log on using Telnet or rlogin, perform thefollowing steps.

Procedure steps

Step Action

1 Check whether the TACACS+ server is available and reachable.

2 On the TACACS+ server, check whether the privilege level is setcorrectly.

3 On the TACACS+ server, check whether the password and username is configured correctly.

4 On the TACACS+ server, check whether the Ethernet RoutingSwitch 8600 IP address is configured in the trust list.

5 If you can log on to the Ethernet Routing Switch 8600, checkwhether the TACACS+ server configured on the router has thecorrect IP address using the following CLI command:

show tacacs server config

OR

using the following NNCLI command

show tacacs

6 Using the output from the previous step, verify whether thekey field configured on the router is the same as that on theTACACS+ server.

7 Also using the output from the preceding step, verify whether thesingle-connection option is configured on the router, and if so,whether the TACACS+ server supports single-connection.

--End--

Customer unable to log on using SSHIf customers are unable to log on using SSH, perform the following steps.

Procedure steps

Step Action

1 Verify that the network between the customer, the EthernetRouting Switch 8600, and the TACACS+ server is reachable.

2 Verify whether the SSH client is configured correctly.


NN46205-703 03.02 12 April 2010


.


3 To verify whether the SSH function is enabled and configuredcorrectly on the Ethernet Routing Switch 8600, enter thefollowing CLI command:

show sys ssh global

OR


show ssh global

--End--

Customer unable to log on using PPPIf customers are unable to log on using PPP, perform the following steps.

Procedure steps

Step Action

1 Check whether the PPP configure file is written correctly. Tolocate the file, enter the following CLI command:

config bootconfig sio modem info

OR


show boot config sio

2 To restart the PPP task from the Ethernet Routing Switch 8600,enter the following CLI command:

config bootconfig sio modem restart

OR


boot config sio modem restart

Following the restart, check whether error messages are printed.

3 Check whether the physical connection between the EthernetRouting Switch 8600 and the modem is well connected.

4 If customers use the serial port to connect to the EthernetRouting Switch 8600, ensure the DTE port is used on theEthernet Routing Switch 8600 side, and the DCE port is usedon the customer PC side

--End--


NN46205-703 03.02 12 April 2010


.

Troubleshooting TACACS+ 417

Customer unable to log on by any means (Telnet, rlogin, SSH, andPPP)

If customers are unable to log on by any means, perform the followingsteps.

Procedure steps

Step Action

1 Check whether the TACACS+ server is running well and tryrestarting the TACACS+ server.

2 Check whether TACACS+ and Radius are both enabled onthe Ethernet Routing Switch 8600 using the following CLIcommands:

show radius infoshow tacacs info

OR

using the following NNCLI commands:

show radiusshow tacacs

If TACACS+ failed, Radius may take over the AAA process.

3 Check whether the TACACS+ server is configured toun-encrypted mode, as the Ethernet Routing Switch 8600 alwayssends encrypted TACACS+ messages.

--End--

Administrator unable to obtain accounting information from theTACACS+ server

If the administrator is unable to obtain accounting information from theTACACS+ server, perform the following steps.

Procedure steps

Step Action

1 Check whether accounting is enabled on the Ethernet RoutingSwitch 8600:


OR


show tacacs


NN46205-703 03.02 12 April 2010


.


2 Check whether accounting is enabled on TACACS+ server.

--End--

Administrator unable to receive trap packets from the Ethernet RoutingSwitch 8600

If the administrator is unable to receive trap packets from the EthernetRouting Switch 8600, perform the following steps.

Procedure steps

Step Action

1 To check whether the trap server is configured correctly on theEthernet Routing Switch 8600, enter the following CLI command.

show snmp-v3 target-addr

OR



2 Check whether there is a firewall between the Ethernet RoutingSwitch 8600 and the trap server.

--End--

User unable to login

Step Action

1 Check the configurations on the switch, especially the server IPaddress and key, using the following CLI command:


OR


show tacacs

2 If the server is directly connected, then check if theadministrative and operation status of the port is up using thefollowing CLI command:

show port info interface port <slot/port>

OR


show interface <port-type> interface <slot/port>


NN46205-703 03.02 12 April 2010


.

Nortel Secure Network Access troubleshooting 419

3 If the server is connected in a network, check if the switch has aroute configured to the server network using the following CLIcommand:

show ip route info

OR


show ip route

--End--

Nortel Secure Network Access troubleshootingNortel Secure Network Access (NSNA) Release 1.5 provides securitypolicy compliance on all endpoint devices. NSNA has the followingnetwork access levels:

• Green access, which provides full (or with certain restriction per policy)access based on user groups.

• Yellow access, which allows traffic only to remedial networks

• Red access, which restricts access to authentication, DHCP and DNStraffic to the Secure Network Access Switch (SNAS), DHCP and DNSservers.

• VoIP access, which restricts VoIP traffic to VoIP controllers andauthenticated IP phone peers.

For more information about NSNA, see Nortel Ethernet Routing Switch8600 Security (NN46205-601).

Nortel Secure Network Access troubleshooting navigation

• “Monitoring DHCP requests” (page 420)

• “Issue: client unable to reach the DHCP server” (page 420)

• “Issue: SSH session is not established between edge switch andSNAS server ” (page 421)

• “Issue: NSNA connection not established after HA failover ” (page 421)

• “Issue: TG page does not open when client is in Red VLAN” (page422)

• “Issue: page is not automatically redirected to SNAS login page” (page422)


NN46205-703 03.02 12 April 2010


.


• “Issue: client not registered by switch” (page 422)

• “Issue: PC client Web page displays Cannot contact Web Server”(page 423)

Monitoring DHCP requestsYou can monitor DHCP requests to aid in troubleshooting NSNA.

Note that you can check DHCP options on a UNIX server by using the man5 dhcp-options command.

Step Action

1 You can mirror the DHCP port to another port connected to a PCwith a sniffer installed.

2 You can monitor DHCP packets using the following command:

trace level 15 3

3 You can monitor NSNA packets using:

trace level 89 3

--End--

Issue: client unable to reach the DHCP serverUse the following information if the client cannot reach the DHCP server.

Procedure steps

Step Action

1 Check that the DHCP Relay Agent in the network switches iscorrectly configured.

2 Check that the DHCP Server configuration is correct.

3 The routing in the network may not be configured so that DHCPRequest and Reply packets are propagated. Check for routingissues. You can use ping and traceroute.

4 Check that the DHCP pools are correctly configured.

5 If the client cannot reach the server because the link is down,enable Auto-Negotiation on the link.

--End--


NN46205-703 03.02 12 April 2010


.


Issue: SSH session is not established between edge switch and SNASserver

Use the following information if an SSH session is not established betweenthe edge switch and the SNAS server.

Procedure steps

Step Action

1 The likely cause is that the SSH keys are not imported orexported correctly. Ensure that the keys are correctly importedor exported.

--End--

Issue: NSNA connection not established after HA failoverUse the information in this section if an NSNA connection is notestablished after a High Availability failover occurs.

Procedure steps

Step Action

1 Wait until the HA Master and Secondary come up.

2 Check the connection status on the Master using the CLI:

config nsna info

OR

in NNCLI Privileged EXEC mode:

show nsna

3 On the Master, to synchronize the keys on the Master andSecondary, enter the following command:

config nsna sync-ssh-keys

OR

in NNCLI Privileged EXEC mode:

nsna sync-ssh-keys

4 Cross check that the SSH key on the Secondary issynchronized.

5 Perform the failover again.

--End--


NN46205-703 03.02 12 April 2010


.


Issue: TG page does not open when client is in Red VLANUse the following information if the TG page does not open when a clientis in a Red VLAN.

Procedure steps

Step Action

1 Check if the client in the Red VLAN can obtain an IP addresscorrectly.

2 On the client, check if Java is installed correctly.

3 If the error “Unknown IP address” appears, then the edge switchdoes not know the IP address of the client and cannot give theinformation to the SNAS server. The solution is:

• Create an uplink filter on the switch that copies all DHCPpackets to the Master SF/CPU.

• Generate a fresh DHCP request from the client so that theswitch can learn the IP address given by the DHCP server.

• On the edge switch, use the show nsna client commandto see if the client IP address is registered with the switch.

4 Check if the client can ping connected interfaces, and if the clientARP entry is correctly learned on the switch.

--End--

Issue: page is not automatically redirected to SNAS login pageUse the following information if automatic redirection to the SNAS loginpage fails.

Procedure steps

Step Action

1 Configure the DNS server for the Red range as SNAS VIP.

2 Configure HTTP and HTTPS redirect on the SNAS server.

3 Configure the client to automatically configure the DHCP andDNS servers.

--End--

Issue: client not registered by switchUse the following information if a client is not registered by the switch.


NN46205-703 03.02 12 April 2010


.


Procedure steps

Step Action

1 Enable Auto-Negotiation on the client port.

2 Disable and enable the port.

--End--

Issue: PC client Web page displays Cannot contact Web ServerUse the following information if a PC client Web page displays a “Cannotcontact Web Server” message.

Procedure steps

Step Action

1 To check if the default server is listed as an SNAS server andis reachable, on the command prompt of the client, enter thefollowing command:

nslookup www.google.com

2 If the server is unreachable and all other factors are correct,reset SNAS.

--End--


NN46205-703 03.02 12 April 2010


.



NN46205-703 03.02 12 April 2010


.

425.

Software downloadThis section described where to download software or documentation.

Navigation• “Downloading Ethernet Routing Switch 8600 software” (page 425)

• “Downloading Ethernet Routing Switch 8600 documentation” (page425)

Downloading Ethernet Routing Switch 8600 softwareTo download software from the Nortel Web site, go to the following:

http://support.nortel.com/go/main.jsp?cscat=EXTERNAL&extid=findcontent

To download Ethernet Routing Switch 8600 software, see the following:

• Product Category: Routers & Routing Switches

• Product Name: Ethernet Routing Switch 8600

• Content type: Software

• Release: 5.0

Downloading Ethernet Routing Switch 8600 documentationTo download documentation from the Nortel Web site, go to the following:

http://support.nortel.com/go/main.jsp?cscat=EXTERNAL&extid=findcontent

To download Ethernet Routing Switch 8600 software, see the following:

• Product Category: Routers & Routing Switches

• Product Name: Ethernet Routing Switch 8600

• Content type: Documentation

• Release: 5.0


NN46205-703 03.02 12 April 2010


.

426 Software download


NN46205-703 03.02 12 April 2010


.

427.

Technical supportUse the following sections to learn about gathering information before youcontact Nortel for technical support.

Navigation• “Gathering critical information” (page 427)

• “Data collection commands” (page 428)

• “Contacting support” (page 432)

Gathering critical informationBefore contacting Nortel Technical Support, you must gather informationthat can help the technical support personnel when troubleshooting. Thissection identifies all the critical information that should be gathered beforecontacting Nortel Technical Support.

You must attempt to resolve your problem using this troubleshootingguide. Contacting Nortel is a final step taken only when you have beenunable to resolve the issue using the information and steps provided inthis troubleshooting guide.

Gather the following information before contacting Nortel Tech Support.Collecting this information helps Nortel analyze and address the reportedissue.

• Detailed description of the problem.

• Date and time when the problem started.

• Frequency of the problem.

• Is this a new installation?


NN46205-703 03.02 12 April 2010


.

428 Technical support

• Have you search the solutions database? Were any related solutionsfound? Is there currently a workaround for this issue?

• Have you recently changed or upgraded your system, your network,or a custom application? (For example, has any configuration or codebeen changed?)

When were these changes made? Provide the date and time. Whomade these changes? Were the changes made by a partner orcustomer? Provide the names of the individuals who made thechanges.

Also provide Nortel Technical Support with the following information:

• a copy of your configuration files

• a copy of the .000 file from the PCMCIA (or external flash)

• a detailed network topology diagram

• log files

• output of show tech command

Data collection commandsThe following sections describe the commands you can use to collectnecessary troubleshooting data.

General troubleshooting issueTo obtain basic troubleshooting information, use the commands in thefollowing table.

Table 32Basic troubleshooting commands

CLI command NNCLI command Description

show tech show tech Displays all system informationfor this router. Execute theshow tech command twice,one minute apart.

show log file show log file Display and observe problems.Determine when the problemstarted and look at the logs atthat time.

Collecting port statisticsTo collect port statistics for troubleshooting, use the commands in thefollowing table.


NN46205-703 03.02 12 April 2010


.

Data collection commands 429

Table 33Port information commands


show ports errorshow-all

show interface<port-type> errorcollisionshow interface<port-type> errorverbose

Displays port collision andextended error information.

show ports statsinterface main

show interface<port-type> statistics

Displays port statistics.

show port stats stg show interface<port-type> statisticsstg

Displays spanning treetopology changes.

show mlt info show mlt Displays MLT configuration.

show port info state show interface<port-type> state

Displays port state information.

show mlt ist stat show ist stat Displays IST messagestatistics.

show mlt error main show mlt error main Displays main MLT errors.

The preceding commands provide a general health check of the system inaddition to the show tech command. Also check the LED status of the I/Ocard and the CPUs More data may be required when troubleshooting eachspecific issue where in-depth debugging is required.

IP route issuesTo collect IP route information for troubleshooting, use the commands inthe following table.

Table 34IP route information commands


show ip interface show ip interface Displays all configured IPinterfaces. Shows all IPinterfaces, whether they areVLAN or port assigned.

show ip route info show ip route Displays the existing IP routetable for the switch, or specificnetwork or subnet if specified.

show ip static-routeinfo

show ip route static Displays the static IP routes forthe router.


NN46205-703 03.02 12 April 2010


.



show ip arp info show ip arp Displays ARP table withthe MAC and IP address ofmembers that are assigned toVLANs (directly connected tothe router).

show ip arp info<A.B.C.D>

show ip arp <A.B.C.D> If you are able to ping thespecified IP, this commandshows the port to which it isassigned.

show ip vrrp info show ip vrrp address Displays VRRP information forthe interface.

show ip rip info show ip rip Displays RIP information.

show ip rip show-all show ip ripshow ip rip interfaceshow ip rip redistribute

Displays RIP interface andredistribution information.

show ip route-policyinfo

show ip route-map Displays whether there is aroute policy configured.

traceroute <A.B.C.D> traceroute <A.B.C.D> Identifies the path of thepackets to the specifieddestination.

Multi-Link Trunk issuesTo collect Multi-Link Trunk information for troubleshooting, use thecommands in the following table.

Table 35Multi-Link Trunk information commands


show mlt info show mlt Displays the status of the MLT

show smlt info show smlt mltshow smlt <port-type>

Displays MLT and portinformation for SMLTs

show mlt stats show mlt stats Check Layer 2 switchingfunctions. Issue the commandtwice.

config mlt <trunk-id>info

Displays the MLT configurationfor the specified MLT ID.

show mlt error main show mlt error main Flags errors on the physicallayer for MLT.

CPU spike issuesTo collect information to troubleshoot a CPU spike issue, use thecommands in the following table.


NN46205-703 03.02 12 April 2010


.

Data collection commands 431

Table 36CPU spike troubleshooting commands


trace clear clear trace Clears the trace file.

trace screen off trace screen disable Sets the trace screen to off.

trace level 9 3 trace level 9 3 Sets the trace level. Wait for5–10 seconds.

config cli more false terminal more disable Disables more scrolling of thedisplay.

trace info show trace file Shows the trace file. Dump thisto a file.

config cli more true terminal more enable Reenables more scrolling ofthe display.

trace off trace shutdown Disables trace.

trace clear clear trace Clears the trace file.

CAUTIONUsing the trace tool inappropriately can cause primary CPUlockup conditions, loss of access to the switch, loss of protocols,and service degradation. While these occurrences areuncommon, when using the trace level tool, minimize this risk byfollowing these Nortel recommendations:

• In situations where trace data is required concurrently frommultiple modules, troubleshooting during a maintenancewindow should be considered if feasible. A maintenancewindow period should also be considered if the switch isstable but CPU utilization is high and CPU traces (exampletrace levels 9 and 11) are required to diagnose the cause.

• To avoid potential issues due to logging trace data to thePCMCIA (or external flash) card, the trace-logging featureshould be disabled (config bootconfig flags trace-loggingfalse).

• Run trace commands from the console port wheneverthe CPU utilization is already high. While tracing may beenabled or disabled from the console port, the trace infoshould be dumped from a SSH or Telnet connection.

• Activate tracing on one software module at a time Avoidleaving traces active for extended periods of time. Forhigh CPU utilizations, a few seconds (typically less than5 seconds) is generally sufficient to identify the cause forsustained high CPU utilization.


NN46205-703 03.02 12 April 2010


.


Commands for dumping hardware records for MAC, ARP, and routes inlegacy modules

To dump hardware records for MAC, ARP, and routes in legacy modulesfor troubleshooting, use the commands in the following table.


dump ar <octapid-id><record-type><verbosity>

dump ar <octapid-id><record-type><verbosity>

<octpaid-id>: 0-64<record-type>: vlan|ip_subnet|mac_vlan|mac|arp|ip|ipx|ipmc|ip_filter|protocol|sys_rec|all<verbosity>: 0-3

For example, to dump MAC, ARP and route information with verbosity of1 from octapid 1, use the following commands:

dump ar 0 mac 1dump ar 0 arp 1dump ar 0 ip 1

Contacting supportFor a detailed list of options for contacting Nortel technical support, go tothe Nortel Website: www.nortel.com/support. Click the Contact TechnicalSupport link.


NN46205-703 03.02 12 April 2010


.

433.

Customer serviceVisit the Nortel Web site to access the complete range of services andsupport that Nortel provides. Go to www.nortel.com, or go to one of thepages listed in the following sections.

Navigation• “Updated versions of documentation” (page 433)

• “Getting help” (page 433)

• “Express Routing Codes” (page 433)

• “Additional information” (page 434)

Updated versions of documentationYou can download and print the latest versions of Nortel Ethernet RoutingSwitch 8600 NTPs and Release Notes directly from the Internet atwww.nortel.com/documentation.

Getting helpIf you purchased a service contract for your Nortel product from adistributor or authorized reseller, contact the technical support staff for thatdistributor or reseller for assistance.

If you purchased a Nortel service program, you can get help bycontacting one of the Nortel Technical Solutions Centers foundat www.nortel.com/callus; or visit our Technical Support site atwww.nortel.com/support.

Express Routing CodesAn Express Routing Code (ERC) is available for many Nortel products andservices.

When you use an ERC, your call is routed to a technical support personwho specializes in supporting that particular product or service. To locatean ERC for a product or service, go to www.nortel.com/erc.


NN46205-703 03.02 12 April 2010


.

http://www.avaya.com

http://www.avaya.com/documentation

http://www.avaya.com/callus

http://www.avaya.com/support

http://www.avaya.com/erc

434 Customer service

Additional informationUse the information in the following table to access other areas of theNortel Web site.

For information about Contact

Contact Us www.nortel.com/contactus

Documentation feedback www.nortel.com/documentfeedback

Products (marketing) www.nortel.com/products

Partner Information Center (PIC) www.nortel.com/pic

Register www.nortel.com/register

Search www.nortel.com/search

Services www.nortel.com/services

Training www.nortel.com/training


NN46205-703 03.02 12 April 2010


.

http://www.avaya.com/contactus

http://www.avaya.com/documentfeedback

http://www.avaya.com/products

http://www.avaya.com/pic

http://www.avaya.com/register

http://www.avaya.com/search

http://www.avaya.com/services

http://www.avaya.com/training

435.

Safety messagesThis section describes the different precautionary notices used in thisdocument. This section also contains precautionary notices that you mustread for safe operation of the Nortel Ethernet Routing Switch 8600.

NoticesNotice paragraphs alert you about issues that require your attention. Thefollowing sections describe the types of notices.

Attention notice

ATTENTIONAn attention notice provides important information regarding the installation andoperation of Nortel products.

Caution ESD notice

CAUTIONESDESD notices provide information about how to avoid dischargeof static electricity and subsequent damage to Nortel products.

CAUTIONESD (décharge électrostatique)La mention ESD fournit des informations sur les moyens deprévenir une décharge électrostatique et d’éviter d’endommagerles produits Nortel.

CAUTIONACHTUNG ESDESD-Hinweise bieten Information dazu, wie man dieEntladung von statischer Elektrizität und Folgeschäden anNortel-Produkten verhindert.


NN46205-703 03.02 12 April 2010


.

436 Safety messages

CAUTIONPRECAUCIÓN ESD (Descarga electrostática)El aviso de ESD brinda información acerca de cómo evitaruna descarga de electricidad estática y el daño posterior a losproductos Nortel.

CAUTIONCUIDADO ESDOs avisos do ESD oferecem informações sobre como evitardescarga de eletricidade estática e os conseqüentes danos aosprodutos da Nortel.

CAUTIONATTENZIONE ESDLe indicazioni ESD forniscono informazioni per evitare scarichedi elettricità statica e i danni correlati per i prodotti Nortel.

Caution notice

CAUTIONCaution notices provide information about how to avoid possibleservice disruption or damage to Nortel products.

CAUTIONATTENTIONLa mention Attention fournit des informations sur les moyensde prévenir une perturbation possible du service et d’éviterd’endommager les produits Nortel.

CAUTIONACHTUNGAchtungshinweise bieten Informationen dazu, wie man möglicheDienstunterbrechungen oder Schäden an Nortel-Produktenverhindert.

CAUTIONPRECAUCIÓNLos avisos de Precaución brindan información acerca decómo evitar posibles interrupciones del servicio o el daño a losproductos Nortel.

CAUTIONCUIDADOOs avisos de cuidado oferecem informações sobre como evitarpossíveis interrupções do serviço ou danos aos produtos daNortel.


NN46205-703 03.02 12 April 2010


.

Notices 437

CAUTIONATTENZIONELe indicazioni di attenzione forniscono informazioni per evitarepossibili interruzioni del servizio o danni ai prodotti Nortel.


NN46205-703 03.02 12 April 2010


.

438 Safety messages


NN46205-703 03.02 12 April 2010


.

439.

AppendixTraps reference

The Ethernet Routing Switch 8600 generates alarms, traps, and logs. Formore information about logs, see the Ethernet Routing Switch 8600 LogsReference (NN46205-701). This section provides information about traps.

Navigation• “Proprietary traps” (page 439)

• “Standard traps” (page 450)

Proprietary trapsThe following tables describe Nortel proprietary traps for the EthernetRouting Switch 8600. All these traps have a status of current.

Table 371.3.6.1.4.1.2272.1.21.0.xx series

OID Notificationtype

Objects Description

1.3.6.1.4.1.2272.1.21.0.1

rcnCardDown rcCardIndexrcCardAdminStatusrcCardOperStatus

A rcCardDown trap signifies thatthe SNMPv2 entity, acting in anagent role, has detected that thercCardOperStatus object for one ofits cards is about to transition into thedown state.

1.3.6.1.4.1.2272.1.21.0.2

rcnCardUp rcCardIndexrcCardAdminStatusrcCardOperStatus

A rcCardUp trap signifies thatthe SNMPv2 entity, acting in anagent role, has detected that thercCardOperStatus object for one ofits cards is about to transition into theup state.


NN46205-703 03.02 12 April 2010


.

440 Traps reference

Table 371.3.6.1.4.1.2272.1.21.0.xx series (cont’d.)


Objects Description

1.3.6.1.4.1.2272.1.21.0.3

rcnErrorNotification

rcErrorLevelrcErrorCodercErrorText

A rcErrorNotification trap signifiesthat the SNMPv2 entity, acting in anagent role, has detected that an errorcondition has occurred.

1.3.6.1.4.1.2272.1.21.0.4

rcnStpNewRoot rcStgId A rcStpNewRoot trap signifiesthat the SNMPv2 entity, acting inan agent role, has detected theSpanning Tree Protocol has declaredthe device to be the new root of thespanning tree.

1.3.6.1.4.1.2272.1.21.0.5

rcnStpTopologyChange

rcStgIdrcPortIndex

A rcStpTopologyChange trapsignifies that the SNMPv2 entity,acting in an agent role, has detectedthe Spanning Tree Protocol hasgone due a topology change event.

1.3.6.1.4.1.2272.1.21.0.6

rcnChasPowerSupplyDown

rcChasPowerSupplyIdrcChasPowerSupplyOperStatus

A rcChasPowerSupplyDowntrap signifies that the SNMPv2entity, acting in an agentrole, has detected that thercChasPowerSupplyOperStatusobject for one of its power supply unitis about to transition into the downstate.

1.3.6.1.4.1.2272.1.21.0.7

rcnChasFanDown

rcChasFanIdrcChasFanOperStatus

A rcChasFanDown trap signifiesthat the SNMPv2 entity, acting inan agent role, has detected that thercChasFanOperStatus object for oneof its power supply unit is about totransition into the down state.

1.3.6.1.4.1.2272.1.21.0.8

rcnLinkOscillation

rcPortIndex A rcLinkOscillation trap signifiesthat the SNMPv2 entity, acting inan agent role, has detected anexcessive number of link statetransitions on the specified port.

1.3.6.1.4.1.2272.1.21.0.9

rcnMacViolation rcErrorTextrcPortIndex

A rcMacViolation trap signifies thatthe SNMPv2 entity, acting in anagent role, has received a PDU withan invalid source MAC address.

1.3.6.1.4.1.2272.1.21.0.10

rcnSonetTrap rcPortIndexrcPosSonetTrapTypercPosSonetTrapIndication

A rcSonetTrap trap signifies that theSNMPv2 entity, acting in an agentrole, has detected a change of statuson a Sonet port.


NN46205-703 03.02 12 April 2010


.

Proprietary traps 441



Objects Description

1.3.6.1.4.1.2272.1.21.0.11

rcn2kCardDown rc2kCardIndexrc2kCardFrontAdminStatusrc2kCardFrontOperStatus

A rcCardDown trap signifies thatthe SNMPv2 entity, acting in anagent role, has detected that thercCardOperStatus object for one ofits cards is about to transition into thedown state.

1.3.6.1.4.1.2272.1.21.0.12

rcn2kCardUp rc2kCardIndexrc2kCardFrontAdminStatusrc2kCardFrontOperStatus

A rcCardUp trap signifies thatthe SNMPv2 entity, acting in anagent role, has detected that thercCardOperStatus object for one ofits cards is about to transition into theup state.

1.3.6.1.4.1.2272.1.21.0.13

rcn2kTemperature

rc2kChassisTemperature

A rc2kTemperature trap signifiesthat the SNMPv2 entity, acting in anagent role, has detected the chassisis overheating.

1.3.6.1.4.1.2272.1.21.0.14

rcnChasPowerSupplyUp

rcChasPowerSupplyIdrcChasPowerSupplyOperStatus

A rcChasPowerSupplyUp trapsignifies that the SNMPv2entity, acting in an agentrole, has detected that thercChasPowerSupplyOperStatusobject for one of its power supplyunit is about to transition into the upstate.

1.3.6.1.4.1.2272.1.21.0.15

rcn2kAtmPvcLinkStateChange

rc2kAtmPvcIfIndexrc2kAtmPvcVpirc2kAtmPvcVcirc2kAtmPvcOamVcStatus

A rc2kAtmPvcLinkStateChange trapsignifies that the SNMPv2 entity,acting in an agent role, has detectedthat the rc2kAtmPvcOamVcStatusobject for one of PVC is about totransition into different state, eitherfrom up to down or from down to up.

1.3.6.1.4.1.2272.1.21.0.16

rcnStpTCN rcStgIdrcPortIndexrcStgBridgeAddress

A rcStpTopologyChange trapsignifies that the SNMPv2 entity,acting in an agent role, has detectedthe Spanning Tree Protocol hasgone due to a topology changeevent.

1.3.6.1.4.1.2272.1.21.0.17

rcnSmltIstLinkUp

— A rcSmltIstLinkUp trap signifies thatthe split MLT link is from down to up.

1.3.6.1.4.1.2272.1.21.0.18

rcnSmltIstLinkDown

— A rcSmltIstLinkDown trap signifiesthat the split MLT link is from up todown.


NN46205-703 03.02 12 April 2010


.

442 Traps reference



Objects Description

1.3.6.1.4.1.2272.1.21.0.19

rcnSmltLinkUp rcMltSmltId A rcMltSmltId trap signifies that thesplit SMLT link is up.

1.3.6.1.4.1.2272.1.21.0.20

rcnSmltLinkDown

rcMltSmltId A rcMltSmltId trap signifies that thesplit SMLT link is down.

1.3.6.1.4.1.2272.1.21.0.21

rcnChasFanUp rcChasFanIdrcChasFanOperStatus

A rcChasFanUp trap signifies thatthe SNMPv2 entity, acting in anagent role, has detected that thercChasFanOperStatus object for oneof its power supply unit is about totransition into the up state.

1.3.6.1.4.1.2272.1.21.0.22

rcnPasswordChange

rcCliPasswordChangercCliPassChangeResult

A rcPasswordChange trap signifiesthat the SNMPv2 entity, acting in anagent role, has detected that the oneof the cli password is changed.

1.3.6.1.4.1.2272.1.21.0.23

rcnEmError rc2kCardIndexrcChasEmModeError

A rcEmError trap signifies that theSNMPv2 entity, acting in an agentrole, has detected Em error.

1.3.6.1.4.1.2272.1.21.0.25

rcnPcmciaCardRemoved

— A rcPcmciaRemoved trap signifiesthat the SNMPv2 entity, acting inan agent role, has detected that thePCMCIA (or external flash) card isbeing removed.

1.3.6.1.4.1.2272.1.21.0.26

rcnSmartCpldTimerFired

rc2kCardIndex A rcSmartCpldTimerFired trapsignifies that the cpld timer fired.

1.3.6.1.4.1.2272.1.21.0.27

rcnCardCpldNotUpDate

rc2kCardIndex A rcCardCpldNotUpDate trapsignifies that the cpld is not up todate.

1.3.6.1.4.1.2272.1.21.0.28

rcnIgapLogFileFull

— A rcIgapLogFileFull trap signifies thatthe Igap accounting time-out Log Filereach the maximum.

1.3.6.1.4.1.2272.1.21.0.29

rcnCpLimitShutDown

rcPortIndexifAdminStatusifOperStatusrcPortCpLimitShutDown

A rcCpLimitShutDown trap signifiesthat the cp limit for the port isshutting down.

1.3.6.1.4.1.2272.1.21.0.30

rcnSshServerEnabled

rcSshGlobalPort A rcSshServerEnabled trap signifiesthat the SSH server is enabled.

1.3.6.1.4.1.2272.1.21.0.31

rcnSshServerDisabled

rcSshGlobalPort A rcSshServerDisabled trap signifiesthat the SSH server is disabled.


NN46205-703 03.02 12 April 2010


.




Objects Description

1.3.6.1.4.1.2272.1.21.0.32

rcnSshSessionLogin

rcSshGlobalHostIpAddr

A rcSshSessionLogin trap signifiesthat there is a SSH session login.

1.3.6.1.4.1.2272.1.21.0.33

rcnSshSessionLogout


A rcSshSessionLogout trap signifiesthat there is a SSH session logout.

1.3.6.1.4.1.2272.1.21.0.34

rcnSshUnauthorizedAccess


A rcSshUnauthorizedAccess trapsignifies that an unauthorized accesshas occurred.

1.3.6.1.4.1.2272.1.21.0.35

rcnHaCpuState rc2kCardIndexrcL2RedundancyHaCpuState

A rcHaCpuState trap signifies thatthe state of the HA-CPU.

1.3.6.1.4.1.2272.1.21.0.36

rcnInsufficientMemory

rc2kCardIndex A rcInsufficientMemory trap indicatesinsufficient memory on CPU bladefor proper operation. Recommendedmemory = 256 MB available throughNortel Networks upgrade kit

1.3.6.1.4.1.2272.1.21.0.37

rcnSaveConfigAction

rcSysActionL1 A rcSaveConfigAction trapindicates the switch run time orboot configuration is being saved.

1.3.6.1.4.1.2272.1.21.0.38

rcnLoopDetectOnPort

rcVlanIdrcPortIndex

A rcLoopDetectOnPort trap indicatesthat a loop has been detected on aport. The vlan on that port will bedisabled.

1.3.6.1.4.1.2272.1.21.0.39

rcnbgpEstablished

rcIpBgpPeerIpAddressrcIpBgpPeerLastErrorrcIpBgpPeerState

The BGP Established event isgenerated when the BGP FSMenters the ESTABLISHED state.

1.3.6.1.4.1.2272.1.21.0.40

rcnbgpBackwardTransition

rcIpBgpPeerIpAddressrcIpBgpPeerLastErrorrcIpBgpPeerState

The BGPBackwardTransition Eventis generated when the BGP FSMmoves from a higher numbered stateto a lower numbered state.

1.3.6.1.4.1.2272.1.21.0.41

rcnAggLinkUp rcMltId A rcAggLinkUp trap is generatedwhen the operational state of theaggregator changes from down toup.

1.3.6.1.4.1.2272.1.21.0.42

rcnAggLinkDown

rcMltId A rcAggLinkDown trap is generatedwhen the operational state of theaggregator changes from up todown.


NN46205-703 03.02 12 April 2010


.

444 Traps reference



Objects Description

1.3.6.1.4.1.2272.1.21.0.43

rcnIgmpNewGroupMember

rcIgmpGroupIfIndexrcIgmpGroupIpAddressrcIgmpGroupInPortrcIgmpGroupMember

An IgmpNewGroupMember trapsignifies that a new member hascome on an interface.

1.3.6.1.4.1.2272.1.21.0.44

rcnIgmpLossGroupMember

rcIgmpGroupMembersrcIgmpGroupIpAddressrcIgmpGroupInPortrcIgmpGroupIfIndex

An IgmpLossGroupMember trapsignifies that a group member hasbeen lost on an interface.

1.3.6.1.4.1.2272.1.21.0.45

rcnIgmpNewQuerier

igmpInterfaceIfIndexigmpInterfaceQuerier

An igmpNewQuerier trap signifiesthat a new querier has come up onan interface.

1.3.6.1.4.1.2272.1.21.0.46

rcnIgmpQuerierChange

igmpInterfaceIfIndexrcIgmpInterfaceExtnNewQuerierigmpInterfaceQuerier

An rcIgmpQuerierChange trapsignifies that the querier haschanged.

1.3.6.1.4.1.2272.1.21.0.47

rcnDvmrpIfStateChange

dvmrpInterfaceIfIndexdvmrpInterfaceOperState

A rcDvmrpIfStateChange trapsignifies that there has been achange in the state of a DVMRPinterface.

1.3.6.1.4.1.2272.1.21.0.48

rcnDvmrpNewNbrChange

dvmrpNeighborIfIndexdvmrpNeighborAddress

A rcDvmrpNewNbrChange trapsignifies that a new neighbor hascome up on a DVMRP interface.

OID: 1.3.6.1.4.1.2272.1.21.0.49

rcnDvmrpNbrLossChange

dvmrpNeighborIfIndexdvmrpNeighborAddress

A rcDvmrpNbrLossChange trapsignifies that a new neighbor hasgone down on a DVMRP interface.

1.3.6.1.4.1.2272.1.21.0.59

rcnFdbProtectViolation

rcPortIndexrcVlanId

The rcFdbProtectViolation trapsignifies that the has violated theuser configured limit for total numberof fdb-entries learned on that port.

1.3.6.1.4.1.2272.1.21.0.60

rcnLogMsgControl

rcSysMsgLogFrequencyrcSysMsgLogText

A rcMsgControl trap signifieswhether the number of timesof repetition of the particularLog message has exceeded theparticular frequency/count or not.


NN46205-703 03.02 12 April 2010


.




Objects Description

1.3.6.1.4.1.2272.1.21.0.61

rcnSaveConfigFile

rcSysActionL1rcSysConfigFileName

A rcSaveConfig trap signifies thateither the runtime config or the bootconfig has been saved on the switch.

1.3.6.1.4.1.2272.1.21.0.62

rcnDNSRequestResponse

rcSysDnsServerListIpAddrrcSysDnsRequestType

A rcDnsRequestResponse trapsignifies that the switch had sent aquery to the DNS server or it hadreceived a successful response fromthe DNS Server.

1.3.6.1.4.1.2272.1.21.0.63

rcnDuplicateIpAddress

ipNetToMediaNetAddressipNetToMediaPhysAddress

A rcDuplicateIpAddress trap signifiesthat a duplicate IP address isdetected on the subnet.

1.3.6.1.4.1.2272.1.21.0.64

rcnLoopDetectPortDown

rcPortIndexifAdminStatusifOperStatus

A rcLoopDetectPortDown trapsignifies that a loop has beendetected on a port and the port isgoing to shut down.

1.3.6.1.4.1.2272.1.21.0.67

rcnLoopDetectMacDiscard

rcPortIndexrcSysMacFlapLimitTimercSysMacFlapLimitCount

A rcLoopDetectMacDiscard trapsignifies that a loop has beenDetected on a port and the macaddress will be discarded on all portsin that vlan.

1.3.6.1.4.1.2272.1.21.0.68

rcnAutoRecoverPort

rcPortIndex A rcnAutoRecoverPort trap signifiesthat autorecovery has reenabled aport disabled by link flap or cp limit.

1.3.6.1.4.1.2272.1.21.0.69

rcnAutoRecoverLoopDetectedPort

rcVlanNewLoopDetectedAction

A rcnAutoRecoverPort trap signifiesthat autorecovery has cleared theaction taken on a port by loop detect.

1.3.6.1.4.1.2272.1.21.0.70

rcnExtCpLimitShutDown

rcPortIndexifAdminStatus

A rcnExtCpLimitShutDown trapsignifies that port is shut down due toExtended CP-Limit.

1.3.6.1.4.1.2272.1.21.0.71

rcnExtCpLimitSopCongestion

rcSysExtCplimitSysOctapidCongestedrcSysExtCplimitPortsMonitored

A rcnExtCpLimitSopCongestionsignifies that system octapidpolling finds that system octapid iscongested or not. rcSysExtCplimitSysOctapidCongested signifies whethersystem octapid is congested ornot. rcSysExtCplimitPortsMonitoredsignifies whether ports are selectedfor monitoring the ingress trafficutilization.


NN46205-703 03.02 12 April 2010


.

446 Traps reference



Objects Description

1.3.6.1.4.1.2272.1.21.0.80

rcnVlacpPortDown

rcPortIndex A rcnVlacpPortDown trap signifiesthat Vlacp is down on the portspecified.

1.3.6.1.4.1.2272.1.21.0.81

rcnVlacpPortUp rcPortIndex A rcnVlacpPortUp trap signifies thatVlacp is Up on the port specified.

1.3.6.1.4.1.2272.1.21.0.82

rcnExtCpLimitShutDownNormal

— An rcnExtCpLimitShutDownNormaltrap signifies that Ports are shutdown due to Extended CP-Limit inNormal mode.

1.3.6.1.4.1.2272.1.21.0.83

rcnEapMacIntrusion

rcSysIpAddrrcRadiusPaePortNumberrcRadiusEapLastAuthMacrcRadiusEapLastRejMac

A rcnEapMacIntrusion trap signifiesthat an EAP MAC intrusion hasoccurred on this Port.

1.3.6.1.4.1.2272.1.21.0.110

rcnMaxRouteWarnClear

rcVrfName A rcnMaxRouteWarnClear trapsignifies that the number of routes inthe routing table of the Virtual Routerhas dropped below its warningthreshold.

1.3.6.1.4.1.2272.1.21.0.111

rcnMaxRouteWarnSet

rcVrfName A rcnMaxRouteWarnSet trapsignifies that the given Virtual Routerrouting table is reaching its maximumsize. Action should be taken toprevent this.

1.3.6.1.4.1.2272.1.21.0.112

rcnMaxRouteDropClear

rcVrfName A rcnMaxRouteDropClear trapsignifies that the given VirtualRouter routing table is no longerdropping new routes as it is below itsmaximum size.

1.3.6.1.4.1.2272.1.21.0.113

rcnMaxRouteDropSet

rcVrfName A rcnMaxRouteDropSet trap signifiesthat the given Virtual Router routingtable has reached its maximumsize, and is now dropping all newnonstatic routes.


NN46205-703 03.02 12 April 2010


.




Objects Description

1.3.6.1.4.1.2272.1.21.0.117

rcnMstpNewCistRoot

rcStgBridgeAddress A rcMstpNewCistRoot trap signifiesthat the SNMPv2 entity, acting inan agent role, has detected that theMultiple Spanning Tree Protocol hasdeclared the device to be the newroot of the common internal spanningtree.

1.3.6.1.4.1.2272.1.21.0.118

rcnMstpNewMstiRoot

rcStgBridgeAddressrcStgId

A rcMstpNewMstiRoot trap signifiesthat the SNMPv2 entity, acting inan agent role, has detected that theMultiple Spanning Tree Protocol hasdeclared the device to be the newroot of the spanning tree instance.

1.3.6.1.4.1.2272.1.21.0.119

rcnMstpNewCistRegionalRoot

rcStgBridgeAddress A rcMstpNewCistRegionalRoot trapsignifies that the SNMPv2 entity,acting in an agent role, has detectedthat the Multiple Spanning TreeProtocol has declared the deviceto be the new regional root of thecommon internal spanning tree.

1.3.6.1.4.1.2272.1.21.0.120

rcnRstpNewRoot

rcStgBridgeAddress A rcRstpNewRoot trap signifies thatthe SNMPv2 entity, acting in anagent role, has detected that theRapid Spanning Tree Protocol hasdeclared the device to be the newroot of the spanning tree.

1.3.6.1.4.1.2272.1.21.0.124

rcnRsmltEdgePeerModified

rcVlanId A rcnRsmltEdgePeerModified trapsignifies that the RSMLT Peeraddress is different from that of thestored address. A save config isnecessary if EdgeSupport has to usethis info on next reboot.

1.3.6.1.4.1.2272.1.21.0.167

rcnChasPowerSupplyNoRedundancy

— A rcnChasPowerSupplyNoRedundancy trap signifies that the chassisis running on power supply withoutredundancy.

1.3.6.1.4.1.2272.1.21.0.168

rcnChasPowerSupplyRedundancy

— A rcnChasPowerSupplyRedundancytrap signifies that the chassis isrunning on power supply withredundancy.


NN46205-703 03.02 12 April 2010


.

448 Traps reference



Objects Description

1.3.6.1.4.1.2272.1.21.0.171

rcnLicenseTrialPeriodExpired

— A rcnLicenseTrialPeriodExpired trapsignifies that the Trial Period Licensehas expired.

1.3.6.1.4.1.2272.1.21.0.172

rcnLicenseTrialPeriodExpiry

rcSysLicenseTrialDaysLeft

A rcnLicenseTrialPeriodExpiry trapsignifies the time remaining beforethe License Trial Period expires indays.

1.3.6.1.4.1.2272.1.21.0.173

rcnVrfUp rcVrfNamercVrfOperStatus

This notification is generatedwhen the operational status of thespecified VRF is toggled from downto up.

1.3.6.1.4.1.2272.1.21.0.174

rcnVrfDown rcVrfNamercVrfOperStatus

This notification is generatedwhen the operational status of thespecified VRF is toggled from up todown.

1.3.6.1.4.1.2272.1.21.0.175

rcnMrouteIngressThresholdExceeded

rcIpResourceUsageGlobalIngressRecInUsercIpResourceUsageGlobalIngressThreshold

This notification is generated whenthe number of mroute ingressrecords exceeds the ingressthreshold.

1.3.6.1.4.1.2272.1.21.0.176

rcnMrouteEgressThresholdExceeded

rcIpResourceUsageGlobalEgressRecInUsercIpResourceUsageGlobalEgressThreshold

This notification is generated whenthe number of mroute egress recordsexceeds the egress threshold.

1.3.6.1.4.1.2272.1.21.0.177

rcnRemoteMirroringStatus

rcPortRemoteMirroringIndexrcPortRemoteMirroringEnablercPortRemoteMirroringMode

A rcRemoteMirroringStatus trapsignifies whether the remotemirroring is enabled or disabled on aparticular port.

1.3.6.1.4.1.2272.1.21.0.185

rcnChasPowerSupplyRunningLow

— A rcnChasPowerSupplyRunningLowtrap signifies that the chassis isrunning on low power supply.

1.3.6.1.4.1.2272.1.21.0.196

rcnChasFanCoolingLow

rcChasFanOperStatusrcChasFanTypercErrorLevelrcErrorText

A rcnChasFanCoolingLow trapsignifies that the chassis is runningon low fan cooling.


NN46205-703 03.02 12 April 2010


.


Table 381.3.6.1.4.1.45.5.10.x.xx series


Objects Description

1.3.6.1.4.1.45.5.10.0.1

nsnaClosedConnectionToSnas

nsnaClosedConnectionReason

This notification is generatedwhenever the device closesthe connection to the NSNAS.The reason why the connectionis closed is indicated innsnaClosedConnectionReason.

1.3.6.1.4.1.45.5.10.0.2

nsnaStatusQuoIntervalExpired

— This notification is generatedwhenever the status-quo intervalexpires after the connection totheNSNAS has closed. Be awarethat if the configured status-quointerval is 0 (indicating no statusquo interval), this notificationwill be generated at the sametime as the correspondingnsnaClosedConnectionToSnasnotification.

1.3.6.1.4.1.45.5.10.0.3

nsnaInvalidMessageFromSnas

nsnaInvalidMessageHeader

This notification is generatedwhenever the device receives aninvalid message from the NSNAS.This generally means that thereceived message is corrupted.As much of the message headeras is available will be included innsnaInvalidMessageHeader.

Table 391.3.6.1.4.1.2272.1.50.x.xx series


Objects Description

1.3.6.1.4.1.2272.1.50.2.1

rcWisSonetTrapType

sectionAlarm(1)lineAlarm(2)pathAlarm(3)

Used to indicate a particular type of10GE Sonet trap.


NN46205-703 03.02 12 April 2010


.

450 Traps reference

Table 391.3.6.1.4.1.2272.1.50.x.xx series (cont’d.)


Objects Description

1.3.6.1.4.1.2272.1.50.2.2

rcWisSonetTrapIndication

noDefect(1)sectionLossOfSignal(2)sectionLossOfFrame(3)lineAlarmIndication(4)lineRemoteDefectIndication(5)pathLossOfPointer(6)pathAlarmIndication(7)pathRemoteDefectIndication(8)pathUnequipped(9)pathSignalLabelMismatch(10)pathTraceMismatch(11)

Used to indicate an indication for a10GE Sonet trap.

1.3.6.1.4.1.2272.1.64.1.0.1

rcnSlppPortDownEvent

rcSlppPortSlppEnablercSlppVlanSlppEnablercSlppIncomingVlanIdrcSlppSrcMacAddress

A port down event that has occurreddue to SLPP. The user is notified ofthe expected Vlan ID along with theVlan ID and source MAC addressof the packet coming in on the portidentified. The first two objects canbe used to lookup instance info forport ID and VLAN ID.

Standard trapsThe following table describes standard traps that the Ethernet RoutingSwitch 8600 can generate.

Table 40Standard traps


Objects Description

1.3.6.1.2.1.10.166.3.0.1

mplsTunnelUp mplsTunnelAdminStatusmplsTunnelOperStatus

This notification is generated when amplsTunnelOperStatus object for oneof the configured tunnels is about toleave the down state and transitioninto some other state (but not intothe notPresent state). This otherstate is indicated by the includedvalue of mplsTunnelOperStatus.


NN46205-703 03.02 12 April 2010


.

Standard traps 451

Table 40Standard traps (cont’d.)


Objects Description

1.3.6.1.2.1.10.166.3.0.2

mplsTunnelDown

mplsTunnelAdminStatusmplsTunnelOperStatus

This notification is generated whena mplsTunnelOperStatus objectfor one of the configured tunnels isabout to enter the down state fromsome other state (but not from thenotPresent state). This other stateis indicated by the included value ofmplsTunnelOperStatus.

1.3.6.1.2.1.10.166.3.0.3

mplsTunnelRerouted


This notification is generatedwhen a tunnel is rerouted. If themplsTunnelARHopTable is used,then the entry for this tunnel instancein the mplsTunnelARHopTable maycontain the new path for this tunnelsome time after this trap is issued bythe agent.

1.3.6.1.2.1.10.166.3.0.4

mplsTunnelReoptimized


This notification is generated whena tunnel is reoptimized. If themplsTunnelARHopTable is used,then the entry for this tunnel instancein the mplsTunnelARHopTable maycontain the new path for this tunnelsome time after this trap is issued bythe agent.

1.3.6.1.2.1.10.166.4.0.1

mplsLdpInitSessionThresholdExceeded

mplsLdpEntityInitSessionThreshold

This notification is generated whenthe value of the mplsLdpEntityInitSessionThreshold object is not zero, andthe number of Session Initializationmessages exceeds the value of themplsLdpEntityInitSessionThresholdobject.

1.3.6.1.2.1.10.166.4.0.2

mplsLdpPathVectorLimitMismatch

mplsLdpEntityPathVectorLimitmplsLdpPeerPathVectorLimit

This notification is sent when themplsLdpEntityPathVectorLimitdoes not match the value of themplsLdpPeerPathVectorLimit for aspecific Entity. Reference RFC3036,LDP Specification, Section 3.5.3.


NN46205-703 03.02 12 April 2010


.

452 Traps reference



Objects Description

1.3.6.1.2.1.10.166.4.0.3

mplsLdpSessionUp

mplsLdpSessionStatemplsLdpSessionDiscontinuityTimemplsLdpSessionStatsUnknownMesTypeErrorsmplsLdpSessionStatsUnknownTlvErrors

If this notification is sent when thevalue of mplsLdpSessionState entersthe operational(5) state.

1.3.6.1.2.1.10.166.4.0.4

mplsLdpSessionDown

mplsLdpSessionStatemplsLdpSessionDiscontinuityTimemplsLdpSessionStatsUnknownMesTypeErrorsmplsLdpSessionStatsUnknownTlvErrors

This notification is sent when thevalue of mplsLdpSessionState leavesthe operational(5) state.

1.3.6.1.2.1.14.16.2.1

ospfVirtIfStateChange

ospfRouterIdospfVirtIfAreaIdospfVirtIfNeighborospfVirtIfState

An ospfIfStateChange trap signifiesthat there has been a change in thestate of an OSPF virtual interface.This trap should be generated whenthe interface state regresses (forexample, goes from Point-to-Point toDown) or progresses to a terminalstate (that is, Point-to-Point).

1.3.6.1.2.1.14.16.2.2

ospfNbrStateChange

ospfRouterIdospfNbrIpAddrospfNbrAddressLessIndexospfNbrRtrIdospfNbrStat

An ospfNbrStateChange trapsignifies that there has been achange in the state of a non-virtualOSPF neighbor. This trap shouldbe generated when the neighborstate regresses (for example, goesfrom Attempt or Full to 1-Way orDown) or progresses to a terminalstate (for example, 2-Way orFull). When a neighbor transitionsfrom or to Full on nonbroadcastmultiaccess and broadcast networks,the trap should be generated by thedesignated router. A designatedrouter transitioning to Down will benoted by ospfIfStateChange


NN46205-703 03.02 12 April 2010


.

Standard traps 453



Objects Description

1.3.6.1.2.1.14.16.2.3

ospfVirtNbrStateChange

ospfRouterIdospfVirtNbrAreaospfVirtNbrRtrIdospfVirtNbrState

An ospfIfStateChange trap signifiesthat there has been a change in thestate of an OSPF virtual neighbor.This trap should be generated whenthe neighbor state regresses (forexample, goes from Attempt or Fullto 1-Way or Down) or progresses toa terminal state (for example, Full).

1.3.6.1.2.1.14.16.2.4

ospfIfConfigError

ospfRouterIdospfIfIpAddressospfAddressLessIfospfPacketSrcospfConfigErrorTypeospfPacketType

An ospfIfConfigError trap signifiesthat a packet has been received ona nonvirtual interface from a routerwhose configuration parametersconflict with the configurationparameters on the local router. Beaware that the event optionMismatchshould cause a trap only if it preventsan adjacency from forming.

1.3.6.1.2.1.14.16.2.5

ospfVirtIfConfigError

ospfRouterIdospfVirtIfAreaIdospfVirtIfNeighborospfConfigErrorTypeospfPacketType

An ospfConfigError trap signifies thata packet has been received on avirtual interface from a router whoseconfiguration parameters conflict withthe configuration parameters on thelocal router. Be aware that the eventoptionMismatch should cause a traponly if it prevents an adjacency fromforming.

1.3.6.1.2.1.14.16.2.6

ospfIfAuthFailure

ospfRouterIdospfIfIpAddressospfAddressLessIfospfPacketSrcospfConfigErrorTypeauthTypeMismatchauthFailureospfPacketType

An ospfIfAuthFailure trap signifiesthat a packet has been receivedon a nonvirtual interface from arouter whose authentication key orauthentication type conflicts withthis router’s authentication key orauthentication type.

1.3.6.1.2.1.14.16.2.7

ospfVirtIfAuthFailure

ospfRouterIdospfVirtIfAreaIdospfVirtIfNeighborospfConfigErrorTypeauthTypeMismatchauthFailureospfPacketType

An ospfVirtIfAuthFailure trap signifiesthat a packet has been received on avirtual interface from a router whoseauthentication key or authenticationtype conflicts with authentication keyor authentication type on the localrouter.


NN46205-703 03.02 12 April 2010


.

454 Traps reference



Objects Description

1.3.6.1.2.1.14.16.2.16

ospfIfStateChange

ospfRouterIdospfIfIpAddressospfAddressLessIfospfIfState

An ospfIfStateChange trap signifiesthat there has been a change in thestate of a nonvirtual OSPF interface.This trap should be generated whenthe interface state regresses (forexample, goes from Dr to Down) orprogresses to a terminal state (thatis, Point-to-Point, DR Other, Dr, orBackup).

1.3.6.1.2.1.16.0.1

risingAlarm alarmIndexalarmVariablealarmSampleTypealarmValuealarmRisingThreshold

The SNMP trap that is generatedwhen an alarm entry crosses itsrising threshold and generates anevent that is configured for sendingSNMP traps.TRAP TYPE ENTERPRISE rmon

1.3.6.1.2.1.16.0.2

fallingAlarm alarmIndexalarmVariablealarmSampleTypealarmValuealarmFallingThreshold

The SNMP trap that is generatedwhen an alarm entry crosses itsfalling threshold and generates anevent that is configured for sendingSNMP traps.TRAP TYPE ENTERPRISE rmon

1.3.6.1.2.1.46.1.3.0.3

vrrpTrapStateTransition

ifIndexvrrpTrapStateTransitionTypevrrpTrapStateTransitionCausevrrpOperVrIdvrrpOperIpAddripAdEntAddr

A vrrpTrapStateTransition trapsignifies a state transition hasoccurred on a particular vrrpinterface. Implementation of thistrap is optional. vrrpOperIpAddrcontains the IP address of the vrrpinterface while ipAdEntAddr containsthe IP address assigned to physicalinterface.

1.3.6.1.2.1.68.0.1

vrrpTrapNewMaster

vrrpOperMasterIpAddr

The newMaster trap indicates thatthe sending agent has transitioned toMaster state.

1.3.6.1.2.1.68.0.2

vrrpTrapAuthFailure

vrrpTrapPacketSrcvrrpTrapAuthErrorType

A vrrpAuthFailure trap signifies thata packet has been received from arouter whose authentication key orauthentication type conflicts with theauthentication key or authenticationtype on the local router.


NN46205-703 03.02 12 April 2010


.

Standard traps 455



Objects Description

1.3.6.1.2.1.80.0.1

pingProbeFailed

pingCtlTargetAddressTypepingCtlTargetAddresspingResultsOperStatuspingResultsIpTargetAddressTypepingResultsIpTargetAddresspingResultsMinRttpingResultsMaxRttpingResultsAverageRttpingResultsProbeResponsepingResultsSentProbespingResultsRttSumOfSquarespingResultsLastGoodProbe

Generated when a probe failure isdetected when the correspondingpingCtlTrapGeneration objectis set to probeFailure(0)subject to the value ofpingCtlTrapProbeFailureFilter. Theobject pingCtlTrapProbeFailureFiltercan be used to specify the numberof successive probe failures that arerequired before this notification canbe generated.

1.3.6.1.2.1.80.0.2

pingTestFailed pingCtlTargetAddressTypepingCtlTargetAddresspingResultsOperStatuspingResultsIpTargetAddressTypepingResultsIpTargetAddresspingResultsMinRttpingResultsMaxRttpingResultsAverageRttpingResultsProbeResponsespingResultsSentProbespingResultsRttSumOfSquarespingResultsLastGoodProbe

Generated when a ping testis determined to have failedwhen the correspondingpingCtlTrapGeneration object isset to testFailure(1). In this instancepingCtlTrapTestFailureFilter shouldspecify the number of probes in atest required to have failed in orderto consider the test as failed.


NN46205-703 03.02 12 April 2010


.

456 Traps reference



Objects Description

1.3.6.1.2.1.80.0.3

pingTestCompleted

pingCtlTargetAddressTypepingCtlTargetAddresspingResultsOperStatuspingResultsIpTargetAddressTypepingResultsIpTargetAddresspingResultsMinRttpingResultsMaxRttpingResultsAverageRttpingResultsProbeResponsespingResultsSentProbespingResultsRttSumOfSquarespingResultsLastGoodProbe

Generated at the completion of aping test when the correspondingpingCtlTrapGeneration object is setto testCompletion(4).

1.3.6.1.2.1.81.0.1

traceRoutePathChange

traceRouteCtlTargetAddressTypetraceRouteCtlTargetAddresstraceRouteResultsIpTgtAddrTypetraceRouteResultsIpTgtAddr

The path to a target has changed.

1.3.6.1.2.1.81.0.2

traceRouteTestFailed


Could not determine the path to atarget (traceRouteNotifications 2).


NN46205-703 03.02 12 April 2010


.

Standard traps 457



Objects Description

1.3.6.1.2.1.81.0.3

traceRouteTestCompleted


The path to a target has just beendetermined.

1.3.6.1.6.3.1.1.5.1

coldStart — A coldStart trap signifies that theSNMPv2 entity, acting in an agentrole, is reinitializing itself and that itsconfiguration may have been altered.

1.3.6.1.6.3.1.1.5.2

warmStart — A warmStart trap signifies that theSNMPv2 entity, acting in an agentrole, is reinitializing itself such that itsconfiguration is unaltered.

1.3.6.1.6.3.1.1.5.3

linkDown — A linkDown trap signifies that thesending protocol entity recognizes afailure in one of the communicationlinks represented in the agent’sconfiguration.TRAP-TYPE ENTERPRISE snmp

1.3.6.1.6.3.1.1.5.4

linkUp — A linkUp trap signifies that thesending protocol entity recognizesthat one of the communicationlinks represented in the agent’sconfiguration has come up.TRAP-TYPE ENTERPRISE snmp

1.3.6.1.6.3.1.1.5.5

authenticationFailure

— —


NN46205-703 03.02 12 April 2010


.

458 Traps reference


NN46205-703 03.02 12 April 2010


.

459.

Index

AACE

configuring debug actions using theCLI 153

configuring debug actions using theNNCLI 229

configuring mirroring usingEnterprise Device Manager 86

AceListSize 86ACL

configuring actions using the NNCLI 228AclId 85ActId 85address resolution table

clearing using the CLI 189clearing using the NNCLI 247testing using Enterprise Device

Manager 101address resolution table statistics

viewing using Enterprise DeviceManager 102

AdminState 87ARP 32ARP address table

testing using the CLI 188testing using the NNCLI 247

ARP tablesflushing using the CLI 189flushing using the NNCLI 248

auto-traceusing the CLI 125using the NNCLI 205

BBFD troubleshooting 397BGP

debug using the CLI 144

debug using the NNCLI 224BGP debug commands 144

Ccable

Category 5 75crossover 74straight-through 74troubleshooting 74

CLIusing for troubleshooting 120

CLI loggingconfiguring 293

CLI roadmapPCAP 164

configuration filefailure to read 77

connectivity problems 29CPU utilization 122, 202critical information 427crossover cable 74

DDDI 34DDM 34debug commands

global debug commands 145tips for using 224

DefaultAction 86DHCP

troubleshooting 394DNS 33documentation download 425DstMltId 89DstPortList 89DstVlanId 89


NN46205-703 03.02 12 April 2010


.

460

DTE/DCE switchchanging setting of 73

dumpusing dumps in the CLI 121using dumps in the NNCLI 201

DWDM XFP troubleshooting 330

EEgressQueue 88EgressQueue10g 88EgressQueue1g 88EgressQueueNNSC 88Enterprise Device Manager (EDM)

troubleshooting 77ERCD Records Dump

description 49dumping specified records 142, 221

Ffailure to display login prompt 73fiber optic links 329Flags 89

GGBIC 75GlobalAction 86

HHardware troubleshooting 71

IIGAP

viewing IGAP network connectivityinformation using EnterpriseDevice Manager 357

IGMP snoopviewing multicast group trace

information for IGMP snoopusing the CLI 359

viewing multicast group traceinformation for IGMP snoopusing the NNCLI 367

IGMPv3 backwards compatibilitytroubleshooting 381

important data 26IP VPN

traceroute 190IP VPN Lite

troubleshooting 351IP VPN ping 191, 250IP VPN traceroute 194ipfix 86, 229IpfixState 89IPv6 86

redirect next hop 89IPX

ping 191, 249IST failure

troubleshooting using CLI 335troubleshooting using NNCLI 336

KKey Health Indicator

configuring with CLI 128configuring with NNCLI 206

KHIconfiguring with CLI 128configuring with NNCLI 206

LLEDs

power supplies 71problem indications 71

licensing issuesimportant information 323license file lost 324license is not generated 326license will not install 324license will not transfer 325licenses features cannot be

configured 327licensing issues and routing 341login prompt, failure to display 73logs 52

configuring system message controlusing the CLI 291

configuring system message controlusing the NNCLI 314

configuring the remote host addressusing the CLI 287

configuring the remote host addressusing the NNCLI 311

configuring using the CLI 284configuring using the NNCLI 308enabling system logging to a

PCMCIA or external flash 289


NN46205-703 03.02 12 April 2010


.

461

enabling system logging to aPCMCIA or external flashusing the NNCLI 312

extending system message controlusing the CLI 292

extending system message controlusing the NNCLI 315

message format 53Starting system message logging to

a PCMCIA or external flash cardusing the CLI 290

Starting system message logging toa PCMCIA or external flash cardusing the NNCLI 313

syslog files 55viewing using the CLI 285viewing using the NNCLI 309

loopback testperforming an external loopback

test using Enterprise DeviceManager 112

performing an internal loopbacktest using Enterprise DeviceManager 114

MMAC address tables

flushing using the CLI 189flushing using the NNCLI 248

maintenance 25mirroring

global ACL-based using EnterpriseDevice Manager 84

using ACEs 153using an ACL and the CLI 152

MltIndex 88Mode 88module failure 72MPLS

ping 191, 249traceroute 190

MSDP troubleshooting 384multicast

viewing group trace information forIGMP snoop using EnterpriseDevice Manager 354

viewing multicast group sourcesusing Enterprise DeviceManager 356

viewing multicast group traceinformation for IGMP snoopusing the CLI 359

viewing multicast group traceinformation for IGMP snoopusing the NNCLI 367

viewing multicast routes by egressVLAN using Enterprise DeviceManager 356

viewing multicast routes usingEnterprise Device Manager 354

viewing multicast routes using theCLI 362

viewing multicast routes using theNNCLI 370

viewing PGM interface errors usingthe CLI 360

viewing PGM interface errors usingthe NNCLI 368

viewing PGM negativeacknowledgement errors usingthe CLI 361

viewing PGM negativeacknowledgement errors usingthe NNCLI 369

viewing pruned multicast routesusing Enterprise DeviceManager 355

multicast hardware record usageviewing using the CLI 364viewing using the NNCLI 372

multicast routing process statisticsenabling using Enterprise Device

Manager 358viewing using the CLI 365viewing using the NNCLI 373

Multicast virtualization troubleshooting 387

NName 85network behavior 27network map 26NNCLI

troubleshooting using 200NNCLI logging

configuring 316NSNA

issue: client not registered by switch 422issue: client unable to reach the

DHCP server 420


NN46205-703 03.02 12 April 2010


.

462

issue: NSNA connection notestablished after HA failover 421

issue: page is not automaticallyredirected to SNAS login page 422

issue: PC client Web page displaysCannot contact Web Server 423

issue: SSH session is notestablished between edgeswitch and SNAS server 421

issue: TG page does not open whenclient is in Red VLAN 422

monitoring DHCP requests 420NSNA troubleshooting 419

OOperState 88OSI model 32OSPF

down state problems 345ExStart/Exchange problems 347Init state problems 346neighbor state problems 343no state problems 345troubleshooting 342viewing OSPF errors 342

PPCAP

configuration example 177configuring globally using Enterprise

Device Manager 94configuring globally using the CLI 166configuring globally using the

NNCLI 235configuring on a port using

Enterprise Device Manager 95copying saved packets 179copying saved packets using the

NNCLI 244enabling on a port using the CLI 168enabling on a port using the NNCLI 237fundamentals 42modifying parameters using the CLI 180modifying parameters using the

NNCLI 245reset using the CLI 179reset using the NNCLI 245troubleshooting example 184

PCAP advanced filters

configuring using Enterprise DeviceManager 98

PCAP capture filtersconfiguring using CLI 169configuring using NNCLI 238

PCAP considerations 44PCAP dump

using the CLI 178using the NNCLI 243

PCAP filters 44configuring using Enterprise Device

Manager 96PCAP MAC filters

Enabling with Enterprise DeviceManager 100

enabling with the CLI 176enabling with the NNCLI 242

PGMviewing PGM interface errors using

the CLI 360viewing PGM interface errors using

the NNCLI 368viewing PGM negative

acknowledgement errors usingthe CLI 361

viewing PGM negativeacknowledgement errors usingthe NNCLI 369

PIMdebug using the CLI 143debug using the NNCLI 222

Pingusing with CLI 190using with Enterprise Device

Manager 103using with NNCLI 249viewing history using Enterprise

Device Manager 106viewing results using Enterprise

Device Manager 106ping fundamentals 47Ping Snoop

configuring for R series modulesusing Enterprise DeviceManager 114

configuring for R series modulesusing the CLI 194

configuring for R series modulesusing the NNCLI 252

fundamentals 41


NN46205-703 03.02 12 April 2010


.

463

PktType 86Police 88port connections, troubleshooting 74port mirroring 34, 86, 89, 153, 229

ACL ACE configuration example 155and ACLs 38and modules 35configuration on R module

using Enterprise Device Manager 89configuring using Enterprise Device

Manager 83configuring using the CLI 148configuring using the NNCLI 226considerations 39example of configuring R module

TxFilter mode mirroring 154port mirroring: configuring ACL ACE

mirroring using EnterpriseDevice Manager 87

port mirroring: configuring ACL ACEmirroring using NNCLI 230

port mirroring: configuring ACL globalmirroring using CLI 153

port mirroring: configuring ACL globalmirroring using NNCLI 229

PortList 85

RRedirectNextHop 88RedirectNextHopIpv6 89RedirectUnreach 88RemarkDot1Priority 88RemarkDscp 88remote mirroring 39


configuring using the CLI 157configuring using the NNCLI 231

remote mirroring considerations 40roadmap

CLI log commands 283general CLI 118general NNCLI 198log NNCLI commands 307PCAP CLI 164PCAP NNCLI 233port mirroring CLI 147port mirroring NNCLI 225SNMP trap CLI 269SNMP trap NNCLI 295

Route Switch Processor Packet Tracingconfiguring with CLI 138configuring with NNCLI 217description 48See also RSP Packet Tracingdumping 140, 219

routing table problems 29routing tables

flushing by port using EnterpriseDevice Manager 82

flushing by VLAN using EnterpriseDevice Manager 82

flushing using the CLI 189flushing using the NNCLI 248

RSP Packet Tracingconfiguring with CLI 138configuring with NNCLI 217description 48dumping 140, 219

Ssecondary CPU

accessing using the CLI 165accessing using the NNCLI 235

SFP 75SMLT troubleshooting 333SMP 53SNMP

and the NNCLI 297configuring a target table using

Enterprise Device Manager 255configuring a UNIX system log and

syslog host using the CLI 280configuring a UNIX system log and

syslog host using the NNCLI 304configuring notify filter profile table

parameters using EnterpriseDevice Manager 260

configuring notify table usingEnterprise Device Manager 259

configuring SNMP notify filter tableparameters using EnterpriseDevice Manager 261

configuring target table parametersusing Enterprise DeviceManager 257

description 51troubleshooting 393viewing the trap sender table using

Enterprise Device Manager 259


NN46205-703 03.02 12 April 2010


.

464

SNMP hostconfiguring using the NNCLI 299

SNMP host target addressconfiguring using the CLI 273

SNMP interfacesconfiguring using the CLI 278configuring using the NNCLI 302

SNMP notificationsconfiguring using the CLI 272configuring using the NNCLI 298

SNMP notify filter tableconfiguring using the CLI 277configuring using the NNCLI 301

SNMP target tableconfiguring using the CLI 275configuring using the NNCLI 301

SNMP trapsenabling logging using the CLI 279enabling logging using the NNCLI 303enabling using Enterprise Device

Manager 262snmpNotifyFilterTable 297snmpNotifyTable 298snmpTargetAddrTable 298snmpTargetParamsTable 298software download 425software incompatibility 72State 86Static mroute troubleshooting 377StopOnMatch 89straight-through cable 74support 432switch fabric

testing using Enterprise DeviceManager 101

testing using the CLI 187testing using the NNCLI 246

syslogsyslogd daemon 52UNIX messages 52

system log 72configuring the system log table and

severity level mappings usingEnterprise Device Manager 266


TTACACS+ troubleshooting 414trace

using the CLI 122using the NNCLI 202

trace fundamentals 47traceroute

running using the CLI 193running using the NNCLI 251running with Enterprise Device

Manager 107viewing results using Enterprise

Device Manager 110viewing the traceroute probe history

using Enterprise DeviceManager 111

traceroute fundamentals 46traps 52

enabling SNMP trap logging usingthe CLI 279

enabling SNMP trap logging usingthe NNCLI 303

enabling SNMP traps usingEnterprise Device Manager 262

proprietary 439troubleshooting

cables 74LED indications 71

Type 85

VVlanList 85

WWMI

cannot access witch 78


NN46205-703 03.02 12 April 2010


.

Nortel Ethernet Routing Switch 8600

TroubleshootingRelease: 7.0Publication: NN46205-703Document revision: 03.02Document release date: 12 April 2010


While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writingNORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESSOR IMPLIED. The information and/or products described in this document are subject to change without notice.

THE SOFTWARE DESCRIBED IN THIS DOCUMENT IS FURNISHED UNDER A LICENSE AGREEMENT AND MAY BE USEDONLY IN ACCORDANCE WITH THE TERMS OF THAT LICENSE.

Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks are the property of their respective owners.

To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback.

www.nortel.com

Documents

NN46205-703 03.02 Troubleshooting