Troubleshooting - Nortel

Nortel Ethernet Routing Switch 4500 Series

TroubleshootingRelease: 5.2Document Revision: 02.02

www.nortel.com

NN47205-700.

Nortel Ethernet Routing Switch 4500 SeriesRelease: 5.2Publication: NN47205-700Document release date: 21 January 2009

Copyright © 2007-2009 Nortel NetworksAll Rights Reserved.

Printed in Canada and the United States of America

LEGAL NOTICEWhile the information in this document is believed to be accurate and reliable, except as otherwise expresslyagreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OFANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document aresubject to change without notice.

*Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks are the property of their respective owners.

.

3.

ContentsSoftware license 9Nortel Networks Inc. software license agreement 9

New in this release 13IPv6 13XFPs and SFPs 13IGMP 13BootP/DHCP relay 13RSTP SNMP traps 13Additional troubleshooting tools 14

Other changes 14

Introduction 15

Troubleshooting planning 17

Troubleshooting tools 19Port mirroring 19Port mirroring commands 20Port statistics 20Stack loopback testing 21Stack health check 21Stack Forced Mode 21System logs 26Backup config file 26CPU and memory utilization 27Show commands 27Address Resolution Protocol 28Dynamic ARP inspection 28Dynamic Host Configuration Protocol Relay (DHCP) relay 30Auto Unit Replacement 30Diagnostic Auto Unit Replacement (DAUR) 30Multicast behavior 34IPv6 34Light Emitting Diode (LED) display 35NSNA passive device behavior 35

Nortel Ethernet Routing Switch 4500 SeriesTroubleshooting

NN47205-700 02.0221 January 2009

Copyright © 2007-2009 Nortel Networks

.

4

Nortel SNA and filter use 36Nortel Knowledge and Solution Engine 36

General diagnostic tools 37NNCLI command modes 37

Initial troubleshooting 39Gather information 39

Emergency recovery trees 41Corruption of flash 44Incorrect PVID 45VLAN not tagged to uplink ports 46SNMP 48Stack 51Dynamic Host Configuration Protocol (DHCP) relay 56AAUR: configuration for the units in the stack is not saved on the base unit 57AAUR: Both units display yes for Ready for Replacement 58DAUR 59Stack Forced Mode 60Stack Health Check: Cascade Up and Cascade Down columns display LINK

DOWN or MISSING 61Stack Health Check: Cascade Up and Cascade Down columns display UP WITH

ERRORS 63

General troubleshooting of hardware 65Check power 67

Ensuring the power cord is installed 68Observing an error report on the console 68Reloading the agent code 68Replacing the power cord 69Returning the unit for repair 69

Check cables 69Confirming if the cables are the correct type 70Reviewing stacking configuration documentation 70

Check port 71Viewing port information 73Correcting SFP use and designation 73Enabling the port 73Confirming the cables are working 73

Check fiber port 74Viewing fiber port information 76Enabling the port 76Confirming if cables are working 76Confirming fiber matches SFP/XFP type 77Returning the unit for repair 77


NN47205-700 02.0221 January 2009


.

5

Replace a unit in the stack 77Removing a failed unit 80Confirming AUR is enabled 80Verifying the software version is correct on the new device 80Obtaining the correct software version 81Placing a new unit 81Connecting stacking cables 81Powering on the unit 81Returning the unit for repair 82

Troubleshooting ADAC 83IP phone is not detected 84

Correct filtering 85Reload ADAC MAC in range table 86Reduce LLDP devices 88

Auto configuration is not applied 89Correct auto configuration 90Check status and number of devices 92

Troubleshooting authentication 95EAP client authentication 96

Restore RADIUS connection 98Enable EAP on the PC 100Apply the method 101Enable EAP globally 102

EAP multihost repeated re-authentication issue 104Match EAP-MAC-MAX to EAP users 105Set EAPOL request packet 107

EAP RADIUS VLAN is not being applied 108Configure VLAN at RADIUS 109Configure the switch 111

Configured MAC is not authenticating 116Configure the switch 116

Non-EAP RADIUS MAC not authenticating 121Configure switch 122RADIUS server configuration error 125

Non-EAP MHSA MAC is not authenticating 126Configure switch 127

EAP–non-EAP unexpected port shutdown 131Configure switch 132

Troubleshooting Nortel SNA 137Nortel SNA switch not connected to Nortel SNAS although Nortel SNA is

enabled 139Confirm IP configuration 140Configure Nortel SNA on switch 142


NN47205-700 02.0221 January 2009


.

6

Configure SSH on switch 144Verify SSCP version 146

Client PC/phone cannot connect 148Configure switch on Nortel SNAS 149Restart client and port 151Configure DHCP for Nortel SNAS 153Configure call server 155Enable the port 156

Authentication error or 0.0.0.0 IP after image upgrade 157Configure STP state 158Renewing IP 160

TG client getting red IP 161Portal Login Problem 162

Client gets red IP but browser hangs after opening 164Browser restart 164

Nortel SNA client gets red IP but after login it does not go to yellow or greenstate 165

Client port restart 166Client had green IP but was moved to yellow or red 167

Restart client 168Client PC taking a long time to boot 170

Port configuration 170Mac-Auth client not authenticated or not assigned the correct filter 172

Configure Nortel SNAS 173Client has no DHCP information during initial connection or SSCP

messages 175Disconnect and reconnect client 176

Troubleshooting IPv6 179Device not responding to ping to its IPv6 address 180

Displaying IPv6 interface information 182Enabling IPv6 interface on management VLAN 183Configuring IPv6 address 183Displaying IPv6 global information 184Enabling IPv6 184Setting IPv6 gateway 184Displaying IPv6 interface information 184Showing logging 185Configuring another IPv6 address 185Configuring another link-local ID 185

Cannot ping IPV6 host from device console 186Displaying IPv6 neighbor information 186Checking remote host integrity 187

Duplicate address detected (global IPv6 address) 187Displaying IPv6 neighbor information 188


NN47205-700 02.0221 January 2009


.

7

Checking remote host integrity 188Duplicate address detected (link-local address) 189

Displaying IPv6 interface information 190Viewing the system log 191Changing the link-local address 191

Cannot connect through IPv6 default gateway 191Checking the IPV6 default gateway status 192Pinging the IPv6 default gateway 193Using traceroute to determine network error 193

IPv6 management traffic is not sent/received as expected 193Checking the IPv6 configuration 194Checking the IPv6 statistics 195Checking the ICMPv6 statistics 195

IPV6 telnet/http/ssh to device does not work 195Checking the IPv6 configuration 196Checking TCP statistics 197

UDPv6 communication does not work 197Checking the IPv6 configuration 198Checking UDP statistics 199Checking if the application on the remote host supports UDPv6. 199

Cannot set IPv6 address 199Displaying the IPv6 address interface 200Deleting the IPv6 address 201Configuring new IPv6 address 201Configuring new IPv6 gateway address 201

Troubleshooting XFP/SFP 203XFP/SFP device not detected 203

Confirming device is supported 205Understanding limitations of some SFPs 205Viewing GBIC details 205Replacing device 206

Troubleshooting IGMP 207Multicast packets flooding network 207

Viewing IGMP snoop settings 208Viewing IGMP multicast groups 209Showing settings for flooding multicast packets 210Disabling multicast packets 211

Multicast packets not flooding network 211Viewing IGMP snoop settings 212Viewing IGMP multicast groups 213Showing settings for flooding multicast packets 214Enabling multicast packets 215


NN47205-700 02.0221 January 2009


.

8

Troubleshooting RSTP SNMP traps 217No RSTP SNMP traps are received 217

Viewing RSTP configuration 219Enabling RSTP traps 219Viewing IP manager configuration 220Enabling SNMP 220Viewing trap receiver configuration 220Configuring SNMPv1 trap receiver 221Configuring SNMPv2 trap receiver 221Configuring SNMPv3 trap receiver 222

Troubleshooting DHCP/BootP relay 223Cannot set the forward path 224

Viewing VLAN IP information 224Bootp/DHCP requests from clients do not reach Bootp/DHCP server 225

Viewing IP routing information 228Enabling IP routing globally 228Viewing VLAN information 228Enabling IP routing on VLAN 229Viewing IP static routes 229Configuring IP route 230Viewing global relay setting 230Enabling global relay 230Viewing VLAN relay information 230Enabling VLAN relay 231Viewing forward path settings 231Enabling the forward path 231Selecting the forward path mode 232

Bootp/DHCP replies from server do not reach Bootp/DHCP clients 232Verifying IP connectivity between server and client 233


NN47205-700 02.0221 January 2009


.

9.

Software licenseThis section contains the Nortel Networks software license.

Nortel Networks Inc. software license agreementThis Software License Agreement ("License Agreement") is betweenyou, the end-user ("Customer") and Nortel Networks Corporation andits subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THEFOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSETERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE.USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OFTHIS LICENSE AGREEMENT. If you do not accept these terms andconditions, return the Software, unused and in the original shippingcontainer, within 30 days of purchase to obtain a credit for the fullpurchase price.

"Software" is owned or licensed by Nortel Networks, its parent or one ofits subsidiaries or affiliates, and is copyrighted and licensed, not sold.Software consists of machine-readable instructions, its components, data,audio-visual content (such as images, text, recordings or pictures) andrelated licensed materials including all whole or partial copies. NortelNetworks grants you a license to use the Software only in the countrywhere you acquired the Software. You obtain no rights other than thosegranted to you under this License Agreement. You are responsible for theselection of the Software and for the installation of, use of, and resultsobtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer anonexclusive license to use a copy of the Software on only onemachine at any one time or to the extent of the activation or authorizedusage level, whichever is applicable. To the extent Software isfurnished for use with designated hardware or Customer furnishedequipment ("CFE"), Customer is granted a nonexclusive license touse Software only on such hardware or CFE, as applicable. Softwarecontains trade secrets and Customer agrees to treat Software asconfidential information using the same care and discretion Customeruses with its own similar information that it does not wish to disclose,publish or disseminate. Customer will ensure that anyone whouses the Software does so only in compliance with the terms of this


NN47205-700 02.0221 January 2009


.

10 Software license

Agreement. Customer shall not a) use, copy, modify, transfer ordistribute the Software except as expressly authorized; b) reverseassemble, reverse compile, reverse engineer or otherwise translate theSoftware; c) create derivative works or modifications unless expresslyauthorized; or d) sublicense, rent or lease the Software. Licensorsof intellectual property to Nortel Networks are beneficiaries of thisprovision. Upon termination or breach of the license by Customer or inthe event designated hardware or CFE is no longer in use, Customerwill promptly return the Software to Nortel Networks or certify itsdestruction. Nortel Networks may audit by remote polling or otherreasonable means to determine Customer’s Software activation orusage levels. If suppliers of third party software included in Softwarerequire Nortel Networks to include additional or different terms,Customer agrees to abide by such terms provided by Nortel Networkswith respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to inwriting between Nortel Networks and Customer, Software is provided"AS IS" without any warranties (conditions) of any kind. NORTELNETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS)FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED,INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSEAND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks isnot obligated to provide support of any kind for the Software. Somejurisdictions do not allow exclusion of implied warranties, and, in suchevent, the above exclusions may not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTELNETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANYOF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTYCLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS,FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL,PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOSTPROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OROTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OFYOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS,ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIRPOSSIBILITY. The foregoing limitations of remedies also apply to anydeveloper and/or supplier of the Software. Such developer and/orsupplier is an intended beneficiary of this Section. Some jurisdictionsdo not allow these limitations or exclusions and, in such event, theymay not apply.

4. General

— If Customer is the United States Government, the followingparagraph shall apply: All Nortel Networks Software availableunder this License Agreement is commercial computer softwareand commercial computer software documentation and, in theevent Software is licensed for or on behalf of the United StatesGovernment, the respective rights to the software and softwaredocumentation are governed by Nortel Networks standard


NN47205-700 02.0221 January 2009


.

Nortel Networks Inc. software license agreement 11

commercial license in accordance with U.S. Federal Regulationsat 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R.227.7202 (for DoD entities).

— Customer may terminate the license at any time. Nortel Networksmay terminate the license if Customer fails to comply with the termsand conditions of this license. In either event, upon termination,Customer must either return the Software to Nortel Networks orcertify its destruction.

— Customer is responsible for payment of any taxes, includingpersonal property taxes, resulting from Customer’s use of theSoftware. Customer agrees to comply with all applicable lawsincluding all applicable export and import laws and regulations.

— Neither party may bring an action, regardless of form, more thantwo years after the cause of the action arose.

— The terms and conditions of this License Agreement form thecomplete and exclusive agreement between Customer and NortelNetworks.

— This License Agreement is governed by the laws of the country inwhich Customer acquires the Software. If the Software is acquiredin the United States, then this License Agreement is governed bythe laws of the state of New York.


NN47205-700 02.0221 January 2009


.

12 Software license


NN47205-700 02.0221 January 2009


.

13.

New in this releaseThe following sections detail what’s new in Nortel Ethernet Routing Switch4500 Series Troubleshooting (NN47205-700) for Release 5.2.

• "IPv6" (page 13)

• "XFPs and SFPs" (page 13)

• "IGMP" (page 13)

• "BootP/DHCP relay" (page 13)

• "RSTP SNMP traps" (page 13)

• "Additional troubleshooting tools" (page 14)

IPv6The Ethernet Routing Switch 4500 Series offers IPv6 capabilities. Formore information about IPv6 for Release 5.2, see Nortel Ethernet RoutingSwitch 4500 Series Configuration — System (NN47205-500) . Forinformation about troubleshooting IPv6, see "Troubleshooting IPv6" (page179).

XFPs and SFPsFor information about troubleshooting issues related to XFPs and SFPs,see "Troubleshooting XFP/SFP" (page 203).

IGMPFor information about troubleshooting issues related to IGMP, see"Troubleshooting IGMP" (page 207).

BootP/DHCP relayFor information about troubleshooting issues related to BootP/DHCP relay,see "Troubleshooting DHCP/BootP relay" (page 223).

RSTP SNMP trapsFor information about troubleshooting issues related to RSTP SNMP traps,see "Troubleshooting RSTP SNMP traps" (page 217).


NN47205-700 02.0221 January 2009


.

14 New in this release

Additional troubleshooting toolsEthernet Routing Switch 4500 Series, Release 5.2, introduces thefollowing tools that can be helpful as you troubleshoot issues on the switchor stack:

• Stack Forced Mode (see "Stack Forced Mode" (page 21))

• Stack health check (see "Stack health check" (page 21))

• CPU and memory utilization (see "CPU and memory utilization" (page27))

• Diagnostics AUR (see "Diagnostic Auto Unit Replacement (DAUR)"(page 30))

• Enhanced show tech command (see "Show commands" (page 27))

Other changesStack loopback testingUpdated the section Stack loopback testing with technical content. Formore information about Stack loopback testing see "Stack loopbacktesting" (page 21).


NN47205-700 02.0221 January 2009


.

15.

IntroductionUse this document to help you troubleshoot the Ethernet Routing Switch4500 Series.

This document :

• Describes the diagnostic tools and utilities available for troubleshootingthe Nortel Ethernet Routing Switch 4500 Series products using theNortel Networks Command Line Interface (NNCLI).

• Guides you through some common problems to achieve a first tiersolution to these situations

• Advises you what information to compile prior to troubleshooting orcalling Nortel for help.

This documents assumes that you:

• Have basic knowledge of networks, ethernet bridging, and IP routing.

• Are familiar with networking concepts and terminology.

• Have experience with Graphical User Interface (GUI).

• Have basic knowledge of network topologies.

Troubleshooting Tools

The Ethernet Routing Switch 4500 Series products support a rangeof protocols, utilities, and diagnostic tools that you can use to monitorand analyze traffic, monitor laser operating characteristics, capture andanalyze data packets, trace data flows, view statistics, and manage eventmessages.

Certain protocols and tools are tailored for troubleshooting specificEthernet Routing Switch 4500 Series network topologies. Other tools aremore general in their application and can be used to diagnose and monitoringress and egress traffic.


NN47205-700 02.0221 January 2009


.

16 Introduction


NN47205-700 02.0221 January 2009


.

17.

Troubleshooting planningThere are some things you can do to minimize the need fortroubleshooting and to plan for doing it as effectively as possible.

First, use the Ethernet Routing Switch 4500 Series DocumentationRoadmap (NN47205-101) to familiarize yourself with the documentationset, so you know where to get information as you need it.

Second, make sure the system is properly installed and maintained so thatit operates as expected.

Third, make sure you gather and keep up to date the site map, logicalconnections, device configuration information, and other data that you willrequire if you have to troubleshoot.

• A site network map identifies where each device is physically locatedon your site, which helps locate the users and applications that areaffected by a problem. You can use the map to systematically searcheach part of your network for problems.

• You must know how your devices are connected logically andphysically with virtual local area networks (VLAN).

• Maintain online and paper copies of your device configurationinformation. Ensure that all online data is stored with your site’s regulardata backup for your site. If your site has no backup system, copy theinformation about to a backup medium and store the backup offsite.

• Store passwords in a safe place. A good practice is to keep recordsof your previous passwords in case you must restore a device to aprevious software version. You need to use the old password that wasvalid for that version.

• A good practice is to maintain a device inventory, which lists alldevices and relevant information for your network. Use this inventoryto easily see the device types, IP addresses, ports, MAC addresses,and attached devices.

• If your hubs or switches are not managed, you must keep a list of theMAC addresses that correlate to the ports on your hubs and switches.


NN47205-700 02.0221 January 2009


.

18 Troubleshooting planning

• Maintain a change-control system for all critical systems.Permanently store change-control records.

• A good practice is to store the details of all key contacts, suchas support contacts, support numbers, engineer details, andtelephone and fax numbers. Having this information available duringtroubleshooting saves you time.

Fourth, understand the normal network behavior so you can be moreeffective at troubleshooting problems.

• Monitor your network over a period of time sufficient to allow you toobtain statistics and data to see patterns in the traffic flow, such aswhich devices are typically accessed or when peak usage times occur.

• Use a baseline analysis as an important indicator of overall networkhealth. A baseline view of network traffic as it typically is during normaloperation is a reference that you can compare to network traffic datathat you capture during troubleshooting. This speeds the process ofisolating network problems.


NN47205-700 02.0221 January 2009


.

19.

Troubleshooting toolsThis section describes available troubleshooting tools and theirapplications.

Port mirroringEthernet Routing Switch 4500 Series switches have a port mirroringfeature that helps you to monitor and analyze network traffic. The portmirroring feature supports both ingress (incoming traffic) and egress(outgoing traffic) port mirroring. After port mirroring is enabled, the ingressor egress packets of the mirrored (source) port are forwarded normallyand a copy of the packets is sent from the mirrored port to the mirroring(destination) port. Although you can configure Ethernet Routing Switch4500 Series to monitor both ingress and egress traffic, some restrictionsapply:

• For Xtx mode, you can only configure one port as the monitor port andone port as the mirrored port (monitoring traffic transmitted by port X).

• For Xrx mode, you can only configure one port as the monitor port andone port as the mirrored port (monitoring traffic received by port X).

• For XrxorXtx mode, you can only configure one port as the monitor portand one port as the mirrored port (monitoring traffic received by port XOR transmitted by port X).

• For XrxYtx mode, you can only configure one port as the monitorport, one port for mirroring traffic received by port X and one port formirroring traffic transmitted by port Y (monitoring traffic received by portX AND transmitted by port Y).

• For XrxorYtx mode, you can only configure one port as the monitorport, one port for mirroring traffic received by port X and one port formirroring traffic sent by port Y (monitoring traffic received by port X ORtransmitted by port Y).

• For XrxYtxorYrxXtx mode, you can only configure one port as themonitor port, one port for mirroring traffic received/sent by port X andone port for mirroring traffic sent/received by port Y ((traffic received byport X AND transmitted by port Y) OR (monitoring traffic received byport Y AND transmitted by port X)).


NN47205-700 02.0221 January 2009


.

20 Troubleshooting tools

You can also monitor traffic for specified MAC addresses.

• For Adst mode, you can only configure one port as the monitor port anddestination MAC address A. (monitoring traffic with destination MACaddress A).

• For Asrc mode, you can only configure one port as the monitor port andsource MAC address A. (monitoring traffic with source MAC addressA).

• For AsrcBdst mode, you can only configure one port as the monitorport, source MAC address A and destination MAC address B.(monitoring traffic with source MAC address A and destination MACaddress B).

• For AsrcBdstorBsrcAdst mode, you can only configure one port as themonitor port, source MAC address A and destination MAC address B.((monitoring traffic with source MAC address A and destination MACaddress B) OR (source MAC address B and destination MAC addressA).

• For AsrcorAdst mode, you can only configure one port as the monitorport, source/destination MAC address A. (monitoring traffic with sourceOR destination MAC address A).

• For ManytoOneRx, you can only configure one port as the monitor portand up to the rest of the ports as mirrored ports. (monitoring trafficreceived by all mirrored ports).

• For ManytoOneTx, you can only configure one port as the monitor portand up to the rest of the ports as mirrored ports. (monitoring traffictransmitted by all mirrored ports).

• For ManytoOneRxTx, you can only configure one port as the monitorport and up to the rest of the ports as mirrored ports. (monitoring traffictransmitted AND received by all mirrored ports).

You can observe and analyze packet traffic at the mirroring port using anetwork analyzer. A copy of the packet can be captured and analyzed.Unlike other methods that are used to analyze packet traffic, the packettraffic is uninterrupted and packets flow normally through the mirrored port.

Port mirroring commandsSee Nortel Ethernet Routing Switch 4500 Series Configuration — SystemMonitoring (NN47205-502) for port mirroring command information.

Use the port mirroring commands to assist in diagnostics and informationgathering.

Port statisticsUse port statistics commands to display information about received andtransmitted packets at the ports. The ingress and egress counts occur atthe MAC layer. Count updates occur once every second.


NN47205-700 02.0221 January 2009


.

Stack Forced Mode 21

For more information regarding port statistics and commands, see NortelEthernet Routing Switch 4500 Series Configuration — System Monitoring(NN47205-502).

Stack loopback testingThe stack loopback tests help you determine if the cause of your stackingproblem is a bad stack cable or a damaged stack port.

There are two types of stack loopback tests: internal loopback test andexternal loopback test. The purpose of the internal loopback test is toverify that the stack ports are functional in each switch. The purpose of theexternal loopback test is to verify that the stack cables are functional.

For accurate results, the internal loopback test must be run before theexternal loopback test. The stack loopback tests can only be performed ona standalone unit with no traffic running on the unit.

To run the test, first use the stack loopback-test internalcommand. To perform the external loopback test, connect the stackuplink port with the stack downlink port. Use the stack loopback-testexternal command.

For more detail regarding stack loopback testing, see Nortel EthernetRouting Switch 4500 Series Configuration — System Monitoring(NN47205-502).

Stack health checkUse this feature to run a high-level test to confirm stack operation andstack continuity. The stack health check results give you information aboutthe stacking state of the rear ports of each switch, confirm the total numberof switching units in the stack, confirm the number of stacking cables used,and indicate which unit acts as base.

Use NNCLI and Web-based management to inquire about the stack healthstatus. This feature is not available for standalone switching units.

For detailed information about stack health check, see Nortel EthernetRouting Switch 4500 Series Configuration — System Monitoring(NN47205-502).

Stack Forced ModeThe Ethernet Routing Switch 4500 Series may enter Stack Forced Mode(if configured as such) after a stack of two units breaks into one or twostandalone switches. The Stack Forced Mode operation allows the


NN47205-700 02.0221 January 2009


.


standalone device that comes out of a broken stack of two to be managedusing the previous stack IP address. After a stack of two fails, you haveaccess to a device without the need of a standalone IP address.

The Stack Forced Mode applies to a standalone switch that was part of astack of two units. When functioning in this mode, the standalone switchkeeps the previous stack IP settings (IP address, netmask, gateway),which allows you to reach the device using an IP connection such asTelnet, Web-based management, or Device Manager.

Stack Forced Mode can be configured for each device, regardless ofstack or standalone mode. If the Stack Forced Mode is enabled on astack, it is enabled on all switches in that stack. However, this mode onlybecomes active after a stack of two fails and one or both switches becomestandalone.

There are two scenarios in which the stack might be broken. First, one ofthe two units, base or non-base unit, has failed due to power interruptionor other hardware problem. Second, at least one of the stack cablesconnecting the two units has failed.

In the case of a one-unit failure, the remaining unit keeps the previousstack IP settings. The remaining unit issues a gratuitous ARP packet afterentering Stack Forced Mode in order for other devices on the network toupdate their ARP cache.

After entering Stack Forced Mode, the device sends an SNMP trapinforming the administrator that the switch has entered this mode. The trapinformation contains the switch IP and MAC addresses, which allows youto know if two devices are using the same IP address. The format for thistrap is Trap: Device is functioning in Forced Stack Mode –MAC: yy:yy:yy:yy:yy:yy. The yy:yy:yy:yy:yy:yy represents thedevice MAC address.

A device functions in Stack Forced Mode either until the unit is rebooted oruntil the unit joins a stack.

The Stack Forced Mode feature is configurable using NNCLI. Thecommands in Global Configuration Mode are as follows:

• stack forced-mode enables Stack Forced Mode

• no stack forced-mode disables Stack Forced Mode

• default stack forced-mode sets the Stack Forced Mode to thedefault setting. The default is disabled.


NN47205-700 02.0221 January 2009


.


While in PrivExec mode, you can use the show stack forced-modecommand. Depending on the configuration and if the device is currentlyfunctioning in Stack Forced Mode, the output is one of three options:

1. If the Stack Forced Mode is not configured on the device, the output is:Forced-Stack Mode: Disabled

2. If the Stack Forced Mode is configured on the device, but inactive, theoutput is:Forced-Stack Mode: Enabled

3. If the Stack Forced Mode is configured on the device, and the device iscurrently running in Stack Forced Mode, the output is:Forced-Stack Mode: EnabledDevice is currently running in forced stack mode.

The following is a series of failure scenarios and the description of theStack Forced Mode behavior. These scenarios assume the following stacksetup:

Figure 1Forced stack mode example setup

In the following scenario, the non-base unit, if functioning in Stack ForcedMode, keeps the previous stack IP address. In this setup it is impossibleto keep network connectivity without administrator intervention. Clientsconnected to the non-base unit lose WAN connectivity.

Figure 2Remote Branch Office - Failure Scenario 1

In the following scenario the non-base unit of a stack of two fails. Theprevious base unit, if functioning in Stack Forced Mode, keeps theprevious stack IP address, and preserves connectivity to the network.


NN47205-700 02.0221 January 2009


.


In the following scenario, while functioning in Stack Forced Mode, bothbase and non-base units keep using the previous stack IP address. Thenon-base unit is, however, isolated from the rest of the network. Clientsconnected to this unit lose WAN connectivity.

Figure 3Remote Branch Office – Failure Scenario 3

In the following scenario, the possible failures are identical to RemoteBranch Office - Failure Scenarios 1, 2, and 3.

Figure 4Wiring Closet Deployment 1

In the following scenario, the non-base unit continues to use the stack IPaddress. A gratuitous ARP is issued by the non-base unit to update ARPcaches throughout the network. Clients connected to the non-base unitstill have connectivity to the network.


NN47205-700 02.0221 January 2009


.


Figure 5Wiring Closet Deployment 2 – Failure Scenario 1

In the following scenario, the base unit continues to use the stack IPaddress. It issues an ARP request to update the ARP cache throughoutthe network. Clients connected to the base unit maintain networkconnectivity.


In the following scenario, if functioning in Stack Forced Mode, both devicesuse the previous stack IP address. Each device, to detect if the previousstack partner also uses the previous stack IP address, issues an ARPrequest on that IP address before using it. In the scenario where the stackof two is connected to the router through an MLT, both of these devicescontinue using the same IP address. If the switch connects to the corerouting switch through LACP, the two links are not aggregated and theproblem does not arise.


NN47205-700 02.0221 January 2009


.



System logsYou can use the syslog messaging feature of the Ethernet Routing Switch4500 Series products to manage event messages. The Ethernet RoutingSwitch 4500 Series syslog software communicates with a server softwarecomponent named syslogd that resides on your management workstation.

The daemon syslogd is a software component that receives and locallylogs, displays, prints, or forwards messages that originate from sourcesthat are internal and external to the workstation. For example, syslogdsoftware concurrently handles messages received from applicationsrunning on the workstation, as well as messages received from anEthernet Routing Switch 4500 Series device running in a networkaccessible to the workstation.

For more information about system logging, see Nortel Ethernet RoutingSwitch 4500 Series Configuration — System Monitoring (NN47205-502).

Backup config fileThe backup config file feature is transparent. After writing the configurationfile to FLASH, the switch writes to the primary configuration block, updatesthe CRC16 checksum to the Multi Configuration area, and then saves thesame information to the auxiliary configuration block.

After the switch boots, if it detects that the primary configuration fileis corrupted (checksum mismatch), it logs a message to the systemlog. The switch then attempts to load the secondary configuration file ifthe checksum is correct on the auxiliary configuration block and logs amessage to the system log.

If both primary and auxiliary configurations blocks are corrupted, thesettings are restored to default and a message is created in the systemlog.


NN47205-700 02.0221 January 2009


.

Show commands 27

You can check the system log for messages indicating that a configurationblock is corrupted. The following are examples of system logs you mayencounter:

• Error loading primary configuration block <block number>

• Error loading backup configuration block <block number>

• Backup configuration block <block number> is in use

• Configuration files are corrupted. Restored to default

The following messages are loaded to the engineering log menu:

• Backup configuration restored from primaryconfiguration block

• Backup configuration updated for next activeconfiguration block

CPU and memory utilizationThe CPU utilization provides CPU utilization data for the last 10 seconds, 1min, 1 hour, 24 hours, and from system bootup. CPU utilization is providedas a percentage and the information shows how the CPU was loaded forthe specific time average.

The memory utilization provides information about what percentage ofthe dynamic memory is currently used by the system. Also, the memoryutilization shows a low watermark percentage that represents the lowestpercentage of the dynamic memory available since system bootup.

This feature is supported by both NNCLI and Web-based management.For more information about the feature, see Nortel Ethernet RoutingSwitch 4500 Series Configuration — System Monitoring (NN47205-502).

Show commandsThe show tech command has been enhanced to display moreinformation. The show commands that are incorporated are as follows:

• show mac-address-table

• show ip route

• show ip arp

• show ip dhcp-relay

• show lacp aggr

• show lacp port

• show ipv address

• show ipv interface


NN47205-700 02.0221 January 2009


.


Address Resolution ProtocolAddress Resolution Protocol (ARP) is the method for finding a host’shardware address when only its Network Layer address is known.

CAUTIONEvery time an IP interface or link goes up, the driver for thatinterface will typically send a gratuitous ARP to preload theARP tables of all other local hosts. A gratuitous ARP will tell usthat host just has had a link up event, such as a link bounce,a machine just being rebooted or you are just configuring theinterface up. If you see multiple gratuitous ARPs from the samehost frequently, it can be an indication of bad Ethernet hardwareor cabling resulting in frequent link bounces.

Dynamic ARP inspectionARP provides IP communication within a Layer 2 broadcast domainby mapping an IP address to a MAC address. A malicious user canattack hosts, switches, and routers connected to the Layer 2 network bypoisoning the ARP caches of systems connected to the subnet and byintercepting traffic intended for other hosts on the subnet.

Figure 8Dynamic ARP inspection

In the preceding figure, hosts A, B, and C are connected to the switch oninterfaces A, B, and C, all of which are on the same subnet. Their IP andMAC addresses are shown in parentheses; for example, host A uses IPaddress IA and MAC address MA. After Host A needs to communicateto Host B at the IP layer, it broadcasts an ARP request for the MACaddress associated with IP address IB. After the switch and Host B receivethe ARP request, they populate their ARP caches with an ARP bindingfor a host with the IP address IA and a MAC address MA. After Host Bresponds, the switch and Host A populate their ARP caches with a bindingfor a host with the IP address IB and a MAC address MB.

Host C can poison the ARP caches of the switch (Host A and Host B) bybroadcasting forged ARP responses with bindings for a host with an IPaddress of IA (or IB) and a MAC address of MC. Hosts with poisoned ARPcaches use the MAC address MC as the destination MAC address fortraffic intended for IA or IB. This means that Host C intercepts that traffic.


NN47205-700 02.0221 January 2009


.

Dynamic ARP inspection 29

Because Host C knows the true MAC addresses associated with IA andIB, it can forward the intercepted traffic to those hosts by using the correctMAC address as the destination. Host C has inserted itself into the trafficstream from Host A to Host B, the classic man-in-the-middle attack.

Dynamic ARP inspection is a security feature that validates ARP packetsin a network. It intercepts, logs, and discards ARP packets with invalidIP-to-MAC address bindings. This capability protects the network fromcertain man-in-the-middle attacks.

Dynamic ARP inspection ensures that only valid ARP requests andresponses are relayed. The switch performs these activities:

• Intercepts all ARP request and responses on the untrusted ports.

• Verifies that each of these intercepted packets has a valid IP-to-MACaddress binding before updating the local ARP cache or beforeforwarding the packet to the appropriate destination.

• Drops invalid ARP packets.

Dynamic ARP inspection determines the validity of an ARP packet basedon valid IP-to-MAC address bindings stored in a trusted database, theDHCP snooping binding database. This database is built by DHCPsnooping if DHCP snooping is enabled on the VLANs and on the switch.If the ARP packet is received on a trusted interface, the switch forwardsthe packet without checks. On untrusted interfaces, the switch forwardsthe packet only if it is valid.

Dynamic ARP inspection is managed on the base unit. After a newswitch joins the stack, the switch receives the Dynamic ARP inspectionconfiguration from the base unit. After a member leaves the stack, allDHCP address bindings associated with the switch are removed.

After a stack merge occurs, all DHCP bindings in the base unit are lost ifit is no longer the base unit. With a stack partition, the existing base unitis unchanged, and the bindings belonging to the partitioned switches ageout. The new base unit of the partitioned stack begins processing the newincoming DHCP packets

The following NNCLI commands are used for Dynamic ARP Inspection:


NN47205-700 02.0221 January 2009


.


• The show ip arp inspection command displays the Dynamic ARPInspection status.

• The ip arp inspection vlan <VLANID | VLANID range>command enables Dynamic ARP Inspection on the specified VLAN orVLANS.

• The no ip arp inspection vlan <VLANID | VLANID range>command disables Dynamic ARP inspection for the specified VLANor VLANS.

Dynamic Host Configuration Protocol Relay (DHCP) relayThe Ethernet Routing Switch 4500 Series Release 5.2 supports staticroutes. In order for DHCP servers to talk to clients on different VLANs orsubnets, the feature relays client requests to DHCP servers on differentLayer 3 VLANs and a relay server replies back to the clients.

The maximum number of client/server pairs that Release 5.2 supports is256, which is the maximum number of VLANs.

For more information about NNCLI and Web-based management of DHCPrelay, see Nortel Ethernet Routing Switch 4500 Series Configuration — IPRouting and Multicast (NN47205-506).

Auto Unit ReplacementEnable Auto Unit Replacement (AUR) to replace a failed device in a stack.

AUR allows you to replace a failed unit in a stack with a new unit whileretaining the configuration of the previous unit. The stack power must beon during unit replacement.

If the model of the replaced unit is different from the previous unit, the unitis allowed to join the stack. However, the configuration of the previous unitcannot be replicated in the new unit.

AUR can be enabled or disabled from NNCLI and DM. By default, AURis enabled.

For more information about AUR, seeNortel Ethernet Routing Switch 4500Series Configuration — System (NN47205-500).

Diagnostic Auto Unit Replacement (DAUR)DAUR provides the capability of updating the diagnostic image of thenon-base unit with the diagnostic image in the base unit of a stack. Thishappens if the AAUR feature is enabled in the stack.


NN47205-700 02.0221 January 2009


.

Diagnostic Auto Unit Replacement (DAUR) 31

DAUR performs an upgrade of the diagnostic image on inserted unitsin the same way that AAUR performs this function for agent code whenAAUR is enabled.

After you enable the AAUR feature, it triggers a DAUR process if astand-alone unit (with a different version diagnostic image) is connectedto the stack.

There are no commands specifically for DAUR; after AAUR is enabled ordisabled, DAUR is enabled or disabled.

After you enable AAUR on a stack, and you add another unit with adifferent software image, the new unit fails to join the stack and enters instand-alone mode. The new unit sends an AAUR request to its UP-streamport neighbor. If it does not receive an answer, it sends the request onits DOWN-stream port. The switch reboots after the image is properlytransferred.

Attention: If the unit is powered off while the diagnostic image is beingprogrammed to the flash, the diagnostic image is corrupted. The only wayto recover is to download the diagnostic image using the console serialport. At boot time, press “Shift + 3” to accede to the downloading menu.

If you add a unit that has its base switch set to off to a unit that has thebase switch set, the non-base unit retrieves the image from the other unit.

The AAUR enabled/disabled state is ignored for the unit that is added tothe stack under the following conditions:

• If a unit with AAUR disabled is added to a stack that has AAURenabled, then the image transfer process starts.

• If a unit with AAUR enabled is added to a stack that has AAURdisabled, then there is no image transfer.

After the diagnostic image version is updated, an AAUR check isperformed. If the added unit has the same agent image as the stack, theunit reboots. Otherwise, an AAUR is performed.

In the case where a unit with Release 5.0 or Release 5.1 software isadded to a stack having an agent image that exceeds 6M, the agenttransfer is stopped.

You may encounter the following situations:


NN47205-700 02.0221 January 2009


.


• A stack is running the Release 5.2 non_ssh software and 5.2 diagnosticimage:

— If the agent image on the added unit is Release 5.0 or 5.1 and thediagnostic version is also Release 5.0 or 5.1, then, because theRelease 5.2 image size is less than 6M, AAUR starts the agentimage transfer and then the unit reboots. After the reboot, the unithas the new Release 5.2 image that supports DAUR and the 5.2diagnostic image is transferred. The unit reboots again and joinsthe stack.

— If the agent image on the added unit is Release 5.2_ssh softwarewith the Release 5.2.0.1 diagnostic image, then, because bothimages support DAUR, the new added unit does not join the stack. A diagnostic update is performed and, because the agent imagesare different, an agent update is also performed, after which theswitch reboots. The switch joins the stack after reboot.

• A stack with Release 5.3 or newer and Release 5.3 diagnostic image:

— If the agent image on the added unit is Release 5.1 or 5.0 and theRelease 5.1 or 5.0 diagnostic, then, because the 5.3 image sizeis greater than 6M, the AAUR transfer is stopped and a seriouserror message is logged on the Release 5.3 master unit. A manualdownload must be performed for both the diagnostic and agentimages.

— If the agent image on the added unit is Release 5.2 with theRelease 5.2.0.1 diagnostic, then both images support DAUR andthe Release 5.2 diagnostic supports images greater than 6M. Thenew added unit does not join the stack. A diagnostic update is firstperformed and then, because the agent images are different, anagent update is performed and the switch reboots. The switch joinsthe stack after reboot .

Note that an agent or diagnostic image update can be an upgrade or adowngrade. There is no DAUR downgrade if the stack image is Release5.0 or 5.1 (these images do not support DAUR), but AAUR is performed.

• A stack with Release 5.1 or 5.0 software and the Release 5.1 or 5.0diagnostic image

— If the agent image on the added unit is Release 5.2 with theRelease 5.2.0.1 diagnostic image, the new added unit does notjoin stack because the stack does not support DAUR. A diagnosticupgrade or downgrade is not performed and, because agent imagesare different, an agent downgrade is performed and the switchreboots. The switch joins the stack after reboot .

The following table shows the expected behavior for various combinationsof agent and diagnostic images.


NN47205-700 02.0221 January 2009


.

Diagnostic Auto Unit Replacement (DAUR) 33

Stack master imageand diagnosticversion

Slave imagediagnosticversion

Expected behavior

Software 5.0/5.1Diagnostic 5.0/5.1

Same image. Unit joins stack.Software 5.0/5.1Diagnostic 5.0/5.1

Software 5.0/5.1Diagnostic 5.2

Same image. Unit joins stack.

Software 5.0/5.1Diagnostic 5.0/5.1

AAUR is performed. Unit downgrades image,reboots, and then joins the stack. No DAUR isperformed as DAUR is unavailable on 5.0/5.1.


AAUR is performed. AAUR upgrades the unitimage, and then reboots the unit. The unit joinsthe stack because the diagnostic images are thesame.

Software 5.2_nonSSH/SSHDiagnostic 5.1

Because the diagnostic and agent images aredifferent, DAUR upgrades the diagnostic image,and then AAUR transfers the agent. AAUR andDAUR reboot the unit. The unit joins the stackafter the reboot.


Software 5.2_nonSSH/SSHDiagnostic 5.2

AAUR performs the agent image transfer andreboots the unit. The unit joins the stack after thereboot.

The following logs are provided on the unit transferring the image:

• Informational: DAUR - Info: Send request for new diagimage– message logged after a stand-alone unit sends a DAUR request

• Informational: DAUR - Info: Start receive image– message logged after the unit starts to receive an image

• Serious: DAUR - Warning: Diag image check sum ERROR– message logged after the checksum for the receive image is not thesame as the master’s checksum

• Informational: DAUR - Info: Diag transfer finished– message logged after the image is properly transferred andprogrammed to flash.

• Serious: AAUR - Warning: unsupported image size.Please update image manually– message logged after the slave AAUR could not support imagesgreater than 6M.

The following logs are provided on the unit receiving the image:

• Informational: DAUR - Info: Receive request for diagimage. Unable to start transfer– message logged after a unit receives a request for DAUR transferand it does not start transfer. The possible causes are that the AAUR


NN47205-700 02.0221 January 2009


.


feature is disabled, that the diagnostic image of the receiving unit isdifferent from the diagnostic image of this unit, or the message wasreceived by a stand-alone unit (which does not have the base unitswitch selected).

• Informational: DAUR - Info: Receive request for diagimage, start transfer– message logged after a unit receives a request for DAUR transferand it starts transfer.

• Informational: DAUR - Info: Diag transfer finished– message logged after the image is properly transferred.

• Informational: DAUR - Info: Slave refuse transfer– message logged when a slave unit refuses diagnostic transfer.

• Serious: DAUR - Warning: Slave diag image check sumERROR– message logged when the slave announces that the checksum waswrong.

Multicast behaviorIGMP snooping is a technique whereby the switch selectively forwardsmulticast traffic only onto ports where particular IP multicast streamsare expected. The switch can identify those ports by snooping for IGMPcommunication between routers and hosts.

After the switch learns that a client wants a particular stream, it stopsflooding the stream to all ports, and sends only to the client that requestedit.

However, if no clients request the stream, and the switch has not learnedthe multicast address for the stream, the stream has an unknown multicastaddress. The switch broadcasts the traffic to all ports.

This is normal behavior. You can disable multicast flooding using theunknown-mcast-no-flood enable command.

IPv6IPv6 provides dual-stack configuration that allows both IPv4 and IPv6protocol stacks to run simultaneously. Release 5.2 supports IPv6 formanagement purposes only.

Running IPv6 is optional. Release 5.2 provides a maximum of one IPv6interface for the management VLAN only. The IPv6 interface must beenabled on the management VLAN and IPv6 globally enabled on the IPv6stack.


NN47205-700 02.0221 January 2009


.

NSNA passive device behavior 35

You can assign a maximum of one IPv6 global unicast address to theinterface. The link-local IPv6 address for the interface is automaticallyconfigured by the system, but you must configure the default gateway.

The IPv6 protocol runs on the base unit in a stack. The NNCLI commandsmust be issued from the base unit console.

The Neighbor Cache replaces the IPv4 ARP cache becauseICMPv6-based Neighbor Discovery replaces ARP.

For detailed information about IPv6, see Nortel Ethernet Routing Switch4500 Series Configuration — System (NN47205-500).

Light Emitting Diode (LED) displayThe Ethernet Routing Switch 4500 Series displays diagnostic andoperation information through the LEDs on the unit. Familiarize yourselfwith the interpretation of the LEDs on the 4500 series device. Seethe technical document Nortel Ethernet Routing Switch 4500 Series— Installation (NN47205-300) for detailed information regarding theinterpretation of the LEDs.

NSNA passive device behaviorIf you remove a PC or passive device from behind a phone and plug thatPC or passive device behind another phone, the show nsna clientcommand displays the PC or passive device MAC address twice until youplug another device into the first phone.

This is normal behavior and does not indicate a problem.

The following example shows an output from the command thatdemonstrates the behavior.

Figure 9Command output example


NN47205-700 02.0221 January 2009


.


The device with MAC address 00:0f:ea:ef:33:68 was removed from the IPphone on unit one, port nine. The device was then connected to the IPphone on unit three, port sixteen. The MAC address of the device remainsvisible on unit one, port nine until a new device is connected to that port,after which the display shows the new MAC address.

Nortel SNA and filter useNortel recommends that you carefully manage the number of applicationsthat require filters and that run on the switch simultaneously. For example,Nortel recommends that applications such as IP Source Guard be appliedto a small number of ports when used along with the Nortel SNA solutionbecause both applications rely on filters to function correctly.

Nortel Knowledge and Solution EngineThe Knowledge and Solution Engine is a database of Nortel technicaldocuments, troubleshooting solutions, software patches and releases,service cases, and technical bulletins. The Knowledge and SolutionEngine is searchable by natural-language query.


NN47205-700 02.0221 January 2009


.

37.

General diagnostic toolsThe Ethernet Routing Switch 4500 Series device has diagnostic featuresavailable through DM, NNCLI, and Web-based Management. You canuse these diagnostic tools to help you troubleshoot operational andconfiguration issues. You can configure and display files, view and monitorport statistics, trace a route, run loopback and ping tests, test the switchfabric, and view the address resolution table.

This document focuses on using NNCLI to perform the majority oftroubleshooting.

The command line interface is accessed through either a direct consoleconnection to the switch or by using the Telnet or SSH protocols toconnect to the switch remotely.

You can use the Web interface in cases where the troubleshooting stepsrequire corroborating information to ensure diagnosis.

NNCLI command modesNNCLI command modes provide different levels of authority for operation.

The NNCLI has four major command modes, listed in order of increasingprivileges:

• User EXEC

• Privileged EXEC

• Global configuration

• Interface configuration

Each mode provides a specific set of commands. The command set ofa higher-privilege mode is a superset of a lower-privilege mode. Thatis, all lower-privilege mode commands are accessible when using ahigher-privilege mode.

The command modes are as follows:


NN47205-700 02.0221 January 2009


.

38 General diagnostic tools

• User EXEC mode: The User EXEC mode (also referred to as execmode) is the default NNCLI command mode. User EXEC is the initialmode of access when the switch is first turned on and provides alimited subset of NNCLI commands. This mode is the most restrictiveNNCLI mode and has few commands available.

• Privileged EXEC mode: The Privileged EXEC mode (also referredto as privExec mode) enables you to perform basic switch-levelmanagement tasks, such as downloading software images, settingpasswords, and booting the switch. PrivExec is an unrestricted modethat allows you to view all settings on the switch, and if you are loggedin with write access, you have access to all configuration modes andcommands that affect operation of the switch (such as downloadingimages, rebooting, and so on).

• Global configuration mode: In the Global Configuration mode(also referred to as config mode), you can set and display generalconfigurations for the switch such as IP address, SNMP parameters,Telnet access, and VLANs.

• Interface configuration mode:In the Interface Configuration mode(also referred to as config-if mode), you can configure parameters foreach port or VLAN, such as speed, duplex mode, and rate-limiting.

You can move between command modes on a limited basis. For moreinformation about the NNCLI command modes, see Nortel EthernetRouting Switch 4500 Series Fundamentals (NN47205-102) .


NN47205-700 02.0221 January 2009


.

39.

Initial troubleshootingThe types of problems that typically occur with networks involveconnectivity and performance. Using the Open System Interconnection(OSI) network architecture layers, and checking each in sequential order,is usually best when troubleshooting. For example, confirm that thephysical environment, such as the cables and module connections, isoperating without failures before moving up to the network and applicationlayers.

As part of your initial troubleshooting, Nortel recommends that you checkthe Knowledge and Solution Engine on the Nortel Web site for knownissues and solutions related to the problem you are experiencing.

Gather informationBefore contacting Nortel Technical Support, you must gather informationthat can help the Technical Support personnel. This includes the followinginformation:

• Default and current configuration of the switch. To obtain thisinformation, use the show running-config command.

• System status. Obtain this information using the show sys-infocommand. Output from the command displays technical informationabout system status and information about the hardware, software, andswitch operation. For more detail, use the show tech command.

• Information about past events. To obtain this information, review thelog files using the show logging command.

• The software version that is running on the device. To obtain thisinformation, use the show sys-info or show system verbosecommand to display the software version that is running on all devices.

• A network topology diagram: Get an accurate and detailedtopology diagram of your network that shows the nodes andconnections. Your planning and engineering function should have thisdiagram.

• Recent changes: Find out about recent changes or upgrades toyour system, your network, or custom applications (for example, hasconfiguration or code been changed). Get the date and time of the


NN47205-700 02.0221 January 2009


.

40 Initial troubleshooting

changes, and the names of the persons who made them. Get a list ofevents that occurred prior to the trouble, such as an upgrade, a LANchange, increased traffic, or installation of new hardware.

• Connectivity information: To help troubleshoot connectivityproblems, you should always provide source and destination IP pairsto facilitate in troubleshooting. Ten pairs is a good rule of thumb (fiveworking pairs and five pairs with connectivity issues). Use the followingcommands to get connectivity information:

— show tech

— show running-config

— show port-statistics <port>


NN47205-700 02.0221 January 2009


.

41.

Emergency recovery treesEmergency Recovery Trees (ERT) provide a quick reference fortroubleshooting without procedural detail. They are meant to quickly assistyou to find a solution for common failures.

Emergency recovery treesThe following work flow shows the ERTs included in this section. EachERT describes steps to correct a specific issue; the ERTs are notdependant upon each other.


NN47205-700 02.0221 January 2009


.

42 Emergency recovery trees

Figure 10Emergency recovery trees

Navigation• "Corruption of flash" (page 44)

• "Incorrect PVID" (page 45)

• "VLAN not tagged to uplink ports" (page 46)

• "SNMP" (page 48)

• "Stack" (page 51)

• "Dynamic Host Configuration Protocol (DHCP) relay" (page 56)

• "AAUR: configuration for the units in the stack is not saved on the baseunit" (page 57)

• "AAUR: Both units display yes for Ready for Replacement" (page 58)

• "DAUR" (page 59)

• "Stack Forced Mode" (page 60)


NN47205-700 02.0221 January 2009


.

Gather information 43

• "Stack Health Check: Cascade Up and Cascade Down columns displayLINK DOWN or MISSING" (page 61)

• "Stack Health Check: Cascade Up and Cascade Down columns displayUP WITH ERRORS" (page 63)


NN47205-700 02.0221 January 2009


.


Corruption of flashCorruption of the switch configuration file can sometimes occur due to apower outage or because environmental reasons make the configurationof the box corrupt and non-functional. Initializing of the flash is one way toclear a corrupted configuration file and is required before an RMA.

Corruption of flash recovery treeThe following figure shows the recovery tree for issues related to acorrupted flash.

Figure 11Corruption of flash


NN47205-700 02.0221 January 2009


.

Incorrect PVID 45

Incorrect PVIDAn issue can occur where clients cannot communicate to critical serversafter their ports are incorrectly put in the wrong VLAN. If the server VLANis defined as a port based VLAN with a VLAN ID of 3, and the PVID of theport is 2, then loss of communication can occur. This can be verified bychecking that the PVID of the port matches the VLAN setting. One way toavoid this problem is to set VLAN configuration control to autoPVID.

Incorrect PVID recovery treeThe following figure shows the recovery tree for discovering and correctingissues related to an incorrect PVID.

Figure 12Incorrect PVID


NN47205-700 02.0221 January 2009


.


VLAN not tagged to uplink portsAfter a 4500 Series switch is connected to an 8600 Series switch anddevices in a VLAN on the 8600 Series switch are unable to communicatewith devices at the 4500 Series switch in the same VLAN, then it is likelythat the uplink ports are not tagged to the VLAN on the 4500 Seriesswitch.

VLAN not tagged to uplink ports recovery treeThe following figure shows the recovery tree for troubleshooting VLANcommunication issues.


NN47205-700 02.0221 January 2009


.

VLAN not tagged to uplink ports 47

Figure 13VLAN not tagged to uplink ports


NN47205-700 02.0221 January 2009


.


SNMPSNMP failure may be the result of an incorrect configuration of themanagement station or its setup. If you can reach a device, but no trapsare received, then verify the trap configurations (the trap destinationaddress and the traps configured to be sent).

SNMP recovery treeThe following figure shows the SNMP recovery tree.


NN47205-700 02.0221 January 2009


.

SNMP 49

Figure 14SNMP


NN47205-700 02.0221 January 2009


.



NN47205-700 02.0221 January 2009


.

Stack 51

StackStack failure can be the result of a communication error between theindividual units typically due to stack cabling issues. Failures can alsoarise after multiple bases are configured.

Several situation may cause stacking problems, for example:

• No units have a base switch set to the on position.

• Multiple units have the base unit set to the on position.

• Incorrect unit has the base unit set to the on position.

Stack recovery treeThe following figure shows the stack recovery tree.


NN47205-700 02.0221 January 2009


.


Figure 15Stack


NN47205-700 02.0221 January 2009


.

Stack 53


NN47205-700 02.0221 January 2009


.



NN47205-700 02.0221 January 2009


.

Stack 55


NN47205-700 02.0221 January 2009


.


Dynamic Host Configuration Protocol (DHCP) relayDHCP and DHCP relay errors are often on the client-side of thecommunication. In the situation where the DHCP server is not on the samesubnet as the client, the DHCP relay configuration may be at fault. If theDHCP snooping application is enabled, then problems may occur if thisis improperly configured. For example, the ports that provide connectionto the network core or DHCP server are not set as trusted for DHCPsnooping.

DHCP recovery treeThe following figure shows the DHCP relay recovery tree.

Figure 16DHCP


NN47205-700 02.0221 January 2009


.

AAUR: configuration for the units in the stack is not saved on the base unit 57

AAUR: configuration for the units in the stack is not saved on thebase unit

Use the recovery tree in this section if configuration for the units inthe stack is not saved on the base unit. The typical scenario is thatconfiguration for a unit in a stack is not saved on the base unit becausethe AUR Auto-Save is disabled. You can manually save the configurationof a non–base unit to the base unit regardless of the state of the AURfeature.

Configuration for the units in the stack is not saved on the base unitrecovery tree

The following figure shows the recovery tree to save configuration for theunits in the stack to the base unit. Check that AUR is enabled. If AUR isnot enabled, either save the configuration manually or enable AUR.


NN47205-700 02.0221 January 2009


.


Figure 17Configuration for the units in the stack is not saved on the base unit

AAUR: Both units display yes for Ready for ReplacementUse the recovery tree in this section if both units in a stack of two display"yes" for "Ready for Replacement".

Both units display yes for Ready for Replacement recovery treeIn a stack of two units, you enter the show stack auto-unit-replacement command and both units display as ready for replacement (only thenon–base unit should be ready for replacement in a stack of two units).The following figure shows the recovery tree to correct the issue.


NN47205-700 02.0221 January 2009


.

DAUR 59

Figure 18Both units display yes for Ready for Replacement

DAURIf you add a new unit to a stack, and the units have different diagnosticimages, the new unit should start to copy the diagnostic image from theexisting stack. Use the recovery tree in this section if the new unit fails tocopy the diagnostic image.

Diagnostic image transfer does not start recovery treeThe following figure shows the recovery tree to correct issues if a new unitfails to copy the diagnostic image from the stack.


NN47205-700 02.0221 January 2009


.


Figure 19Diagnostic image transfer does not start

Stack Forced ModeIf you enable the Stack Forced Mode feature and a stack of two unitsbreaks, the standalone switch that results from that broken stack of two ismanaged using the previous stack IP address. Use the recovery tree inthis section if you cannot access the standalone switch using the stackIP address.

You cannot access a switch at the stack IP address using ping, Telnet,SSH, Web, or DM recovery tree

If you cannot access a standalone switch in a broken stack of two units,even though you had enabled the Stack Forced Mode feature, check thatthe standalone device still has a physical connection to the network. Thefollowing figure shows the recovery tree for this scenario.


NN47205-700 02.0221 January 2009


.

Stack Health Check: Cascade Up and Cascade Down columns display LINK DOWN or MISSING 61

Figure 20Ping/Telnet/SSH/Web/DM do not work when you use the stack IP address

Stack Health Check: Cascade Up and Cascade Down columnsdisplay LINK DOWN or MISSING

Use the recovery tree in this section if the output from the switch displays"LINK DOWN" or "MISSING" in the Cascade Up or Cascade Downcolumns when you issue the show stack health command.

Cascade Up and Cascade Down columns display LINK DOWN orMISSING recovery tree

The following figure shows the recovery tree to use if the output fromthe switch displays "LINK DOWN" or "MISSING" in the Cascade Upor Cascade Down columns when you issue the show stack healthcommand.


NN47205-700 02.0221 January 2009


.


Figure 21Stack Health Check: Cascade Up and Cascade Down columns display LINK DOWN orMISSING


NN47205-700 02.0221 January 2009


.

Stack Health Check: Cascade Up and Cascade Down columns display UP WITH ERRORS 63

Stack Health Check: Cascade Up and Cascade Down columnsdisplay UP WITH ERRORS

Use the recovery tree in this section if the switch displays “UP WITHERRORS” in the Cascade Up and Cascade Down columns when youissue the show stack health command.

Cascade Up and Cascade Down columns display UP WITH ERRORSrecovery tree

The following figure shows the recovery tree to use if the output from theswitch displays "UP WITH ERRORS" in the Cascade Up and CascadeDown columns when you issue the show stack health command.

Figure 22Stack Health Check: Cascade Up and Cascade Down columns display UP WITH ERRORS


NN47205-700 02.0221 January 2009


.



NN47205-700 02.0221 January 2009


.

65.

General troubleshooting of hardwareUse this section for hardware troubleshooting specific to the EthernetRouting Switch 4500 Series.

Work flow: General troubleshooting of hardwareThe following work flow assists you to determine the solution for somecommon hardware problems.


NN47205-700 02.0221 January 2009


.

66 General troubleshooting of hardware

Figure 23General troubleshooting of hardware

Navigation• "Check power" (page 67)

• "Check cables" (page 69)

• "Check port" (page 71)


NN47205-700 02.0221 January 2009


.

Check power 67

• "Check fiber port" (page 74)

• "Replace a unit in the stack" (page 77)

Check powerConfirm power is being delivered to the device. The Ethernet RoutingSwitch 4500 Series utilizes a universal Power Supply Unit (PSU) thatoperates with voltages between 90v and 260v AC.

Task flow: Check powerThe following task flow assists you to confirm that the Ethernet RoutingSwitch 4500 Series device is powered correctly.

Figure 24Check power


NN47205-700 02.0221 January 2009


.


Navigation

• "Ensuring the power cord is installed" (page 68)

• "Observing an error report on the console" (page 68)

• "Reloading the agent code" (page 68)

• "Returning the unit for repair" (page 69)

Ensuring the power cord is installedConfirm the power cord is properly installed for the device. All power cordsare to be firmly seated. It is important to note that some power cords utilizepower interruption features such as an in-line fuse. Ensure the cords arefree from damage and are fully operational.

See the technical document Nortel Ethernet Routing Switch 4500 SeriesInstallation (NN47205-300) for power cord standards and details.

Observing an error report on the consoleInterpret the message that is sent to the console after a failure.

Procedure Steps

Step Action

1 View the console information and note the details for the RMA.

2 Note the LED status for information:

• Status LED blinking amber: Power On Self Test (POST)failure

• Power LED blinking: corrupt flash

--End--

Reloading the agent codeReload the agent code on the Ethernet Routing Switch 4500 Series deviceto eliminate corrupted or damaged code that causes a partial boot of thedevice.

CAUTIONEnsure you have adequate backup of your configuration prior toreloading software.

Know the current version of your software before reloadingit. Loading incorrect software versions may cause furthercomplications.


NN47205-700 02.0221 January 2009


.

Check cables 69

Procedure Steps

Step Action

1 Use the show sys-info command to view the software version.

2 See Nortel Ethernet Routing Switch 4500 Series Release 5.2Release Notes (NN47205-400) for information about softwareinstallation.

--End--

Replacing the power cordThe power cord should be replaced to ensure the power problem is notwith the cord itself. Ensure you use the same cord model as provided byNortel. Some power cords have a fuse built into them. Ensure you replacea fused cord with the same cord model that has the same power rating.

Procedure Steps

Step Action

1 Remove the power cord from the unit.

2 Replace the power cord with another power cord of the sametype.

--End--

Returning the unit for repairReturn a unit to Nortel for repair.

Contact Nortel for return instructions and RMA information.

Check cablesConfirm the stacking cables are correctly connected. Review the NortelEthernet Routing Switch 4500 Series Installation (NN47205-300) stackingsection for cable requirements.

Task flow: Check cablesThe following task flow assists you to confirm the stacking cables on theEthernet Routing Switch 4500 Series device are installed correctly.


NN47205-700 02.0221 January 2009


.


Figure 25Check cables

Navigation

• "Confirming if the cables are the correct type" (page 70)

• "Reviewing stacking configuration documentation" (page 70)

Confirming if the cables are the correct typeTo create a stack connection, order the appropriate Nortel EthernetRouting Switch 4500 Series cascade cables to ensure fail-safe stacking.A 1.5 foot stacking cable is included with the switch. For stacking threeor more units (maximum eight units in a stack), order the 5-foot (1.5 m),10-foot (3.0 m), 14-foot (4.3 m), or 16.4-foot (4.9 m) cables as applicable.

Reviewing stacking configuration documentationReview the stacking configuration documentation to confirm the correctstacking cabling requirements.

Review the stacking procedure and diagram for your stack configuration(cascade up or down) in the stacking section of Nortel Ethernet RoutingSwitch 4500 Series Installation (NN47205-300).


NN47205-700 02.0221 January 2009


.

Check port 71

Check portConfirm that the port and the Ethernet cable connecting the port are inproper configuration.

Task flow: Check portThe following task flow assists you to check the port and ethernet cables.


NN47205-700 02.0221 January 2009


.


Figure 26Check port

Navigation

• "Viewing port information" (page 73)

• "Correcting SFP use and designation" (page 73)


NN47205-700 02.0221 January 2009


.

Check port 73

• "Enabling the port" (page 73)

• "Confirming the cables are working" (page 73)

Viewing port informationReview the port information to ensure that the port is enabled.

Procedure Steps

Step Action

1 Use the show interfaces <port> command to display theport information.

2 Note the port status.

--End--

Correcting SFP use and designationUse the procedure in this section if you have a combo or shared port thathas an SFP installed and the corresponding SFP is active, but the copperport is not.

For complete information about SFP transceiver use and designation,seeNortel Ethernet Routing Switch 4500 Series Installation — SFPs andXFPs (NN47205-301).

Enabling the portEnable the port.

Procedure Steps

Step Action

1 Go to interface specific mode using the interfacefastethernet <port> command.

2 Use the no shutdown command to change the portconfiguration.

3 Use the show interfaces <port> command to display theport.

4 Note the port administrative status.

--End--

Confirming the cables are workingEnsure that the cables connected to the port are functioning correctly.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Go to interface specific mode using the interfacefastethernet <port> command.



4 Note the operational and link status of the port.

--End--

Check fiber portConfirm the fiber port is working and the cable connecting the port is theproper type.

Task flow: Check fiber portThe following task flow assists you to confirm that the fiber port cable isfunctioning and is of the proper type.


NN47205-700 02.0221 January 2009


.

Check fiber port 75

Figure 27Check fiber port

Navigation

• "Viewing fiber port information" (page 76)

• "Enabling the port" (page 76)


NN47205-700 02.0221 January 2009


.


• "Confirming if cables are working" (page 76)

• "Confirming fiber matches SFP/XFP type" (page 77)


Viewing fiber port informationReview the port information to ensure the port is enabled.

Procedure Steps

Step Action



--End--

Enabling the portEnsure the port on the Ethernet Routing Switch 4500 Series device isenabled.

Procedure Steps

Step Action




--End--

Confirming if cables are workingConfirm that the cables are working on the port.

Procedure Steps

Step Action




NN47205-700 02.0221 January 2009


.

Replace a unit in the stack 77

3 Note the port operational and link status.

--End--

Confirming fiber matches SFP/XFP typeEnsure the fiber is the correct type and that the SFP or XFP is installed.

Procedure Steps

Step Action

1 Inspect the fiber cables to ensure they are the correct type.

2 For more information about the SFP GBICs, see InstallingGigabit Interface Converters, SFPs, and CWDM SFP GigabitInterface Converters (312865).

--End--

Returning the unit for repairReturn unit to Nortel for repair.


Replace a unit in the stackRemove the defective unit and insert the replacement.

CAUTIONDue to physical handling of the device and your physicalproximity to electrical equipment, review and adhere to all safetyinstructions and literature included with the device and in NortelEthernet Routing Switch 4500 Series Regulatory Information(NN47205-100).

The Auto Unit Replacement (AUR) and DAUR features allow replacementof a failed unit in a stack with a new unit, while retaining the configurationof the previous unit. The stack power must be on during unit replacement.

After replacing the base unit, another unit in the stack becomes thedesignated temporary base unit. The replacement base unit does notresume as the base unit automatically. The replacement base unit must beconfigured as the base unit.

The replacement unit to the stack must be running the same software andfirmware versions as the previous unit but with a different MAC address.


NN47205-700 02.0221 January 2009


.


Attention: If the stack is only of two switches, the remaining switchenters Stack Forced Mode if that feature is enabled. Review the section"Stack Forced Mode" (page 21)regarding this feature.

Attention: Different versions of the software and diagnostic images havedifferent behaviors for the software and diagnostic images. Review thesection "Diagnostic Auto Unit Replacement (DAUR)" (page 30) regardingDAUR and its expected results.

Task flow: Replace a unit in the stackThe following task flow assists you to replace one of the Ethernet RoutingSwitch 4500 Series devices in a stack. This is only appropriate if oldsoftware is used or AAUR is disabled. If AAUR is available (and it is turnedon by default in such cases), then the procedures to verify software arenot required.


NN47205-700 02.0221 January 2009


.


Figure 28Replace a unit in the stack

Navigation

• "Removing a failed unit" (page 80)

• "Confirming AUR is enabled" (page 80)

• "Verifying the software version is correct on the new device" (page 80)

• "Obtaining the correct software version" (page 81)

• "Placing a new unit" (page 81)

• "Connecting stacking cables" (page 81)


NN47205-700 02.0221 January 2009


.


• "Powering on the unit" (page 81)


Removing a failed unitRemove the failed unit from the stack.

Procedure Steps

Step Action

1 Maintain power to the stack. Do not power down the stack.

2 Remove the failed device.

--End--

Confirming AUR is enabledConfirm AUR is enabled in the stack.

Procedure Steps

Step Action

1 Enter the show stack auto-unit-replacement command toshow AUR configuration.

2 Enter the stack auto-unit-replacement config saveenable command to enable AUR.

3 Enter the stack auto unit replacement auto-restoreenable command to configure AUR to automatically restore theconfiguration to the new unit.

--End--

Verifying the software version is correct on the new deviceVerify that the new device to be inserted in the stack has the identicalsoftware version.

Procedure Steps

Step Action

1 Connect the new device to the console, independent of stackconnection.

2 Use the show sys-info command to view the software version.

--End--


NN47205-700 02.0221 January 2009


.


Obtaining the correct software versionObtain and install the correct software version.

CAUTIONEnsure you have adequate backup of your configuration prior toreloading software.

Know the Release number of your software before loadingit. Loading incorrect software versions may cause furthercomplications.

Procedure Steps

Step Action

1 See Nortel Ethernet Routing Switch 4500 Series Release5.2 Release Notes (NN47205-400) for software installationinformation.

--End--

Placing a new unitPlace the new unit in the stack where the failed unit was connected.

Place the device in the stack in accordance with procedures outlined inNortel Ethernet Routing Switch 4500 Series Installation (NN47205-300).

Connecting stacking cablesReconnect the stacking cables to correctly stack the device.

Procedure Steps

Step Action

1 Review the stacking section in Nortel Ethernet Routing Switch4500 Series Installation (NN47205-300) for cabling details.

2 Connect the cables in accordance with physical stackrequirements.

--End--

Powering on the unitEnergize the unit after it is connected and ready to integrate.

There is no requirement to reset the entire stack. The single device beingreplaced is the only device that you must power on after integration to thestack.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Connect the power to the unit.

2 Allow time for the new unit to join the stack and for theconfiguration of the failed unit to be replicated on the new unit.

3 Confirm that the new unit has reset itself. This confirms thatreplication has completed.

--End--

Returning the unit for repairReturn the unit to Nortel for repair.



NN47205-700 02.0221 January 2009


.

83.

Troubleshooting ADACAutomatic Detection and Automatic Configuration (ADAC) can encounterdetection and configuration errors that can be easily corrected.

ADAC clarificationsADAC VLAN settings are dynamic and are not saved to nonvolatilememory. After ADAC is enabled, all VLAN settings you manually madeon ADAC uplink or telephony ports are dynamic and are not saved tonon-volatile memory. After the unit is reset, these settings are lost. ADACdetects the ports again and re-applies the default settings for them.

You do not manually create a VLAN to be used as the voice VLAN andthen try to set this VLAN as the ADAC voice VLAN using the commandadac voice-vlan x. ADAC automatically creates the voice VLAN asneeded. Use the adac voice-vlan x command to reserve or set theVLAN number used by ADAC.

After the VLAN number is reserved as the ADAC voice VLAN using theadac voice-vlan x command, even if the ADAC administrative status isdisabled or ADAC is in UTF mode, the VLAN number cannot be used byanyone else in regular VLAN creation.

If you enable the LLDP detection mechanism for telephony ports, thenLLDP itself has to be enabled on the switch. Otherwise, ADAC does notdetect phones.

Work flow: Troubleshooting ADACThe following work flow assists you to identify the type of problem you areencountering.


NN47205-700 02.0221 January 2009


.

84 Troubleshooting ADAC

Figure 29Troubleshooting ADAC

Navigation• "IP phone is not detected" (page 84)

• "Auto configuration is not applied" (page 89)

IP phone is not detectedCorrect an IP phone that is not being detected by ADAC.

Work flow: IP phone not detectedThe following work flow assists you to resolve detection issues.

Figure 30IP phone not detected


NN47205-700 02.0221 January 2009


.

IP phone is not detected 85

Navigation

• "Correct filtering" (page 85)

• "Reload ADAC MAC in range table" (page 86)

• "Reduce LLDP devices" (page 88)

Correct filteringConfigure the VLAN filtering to allow ADAC.

Task flow: Correct filteringThe following task flow assists you to correct the filtering.

Figure 31Correct filtering

Navigation

• "Confirming port belongs to at least one VLAN" (page 85)

• "Disabling the VLAN filtering of unregistered frames" (page 86)

Confirming port belongs to at least one VLANView information to ensure that the port belongs to a VLAN.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the show vlan interface info <port> command toview the details.

2 Note the VLANs listed with the port.

--End--

Disabling the VLAN filtering of unregistered framesChange the unregistered frames filtering of the VLAN.

Procedure Steps

Step Action

1 Use the vlan ports <port> filter-unregistered-frames enable command to view the details.

2 Ensure no errors after command execution.

--End--

Reload ADAC MAC in range tableEnsure the ADAC MAC address is properly loaded in the range table.

Task flow: Reload ADAC MAC in range tableThe following task flow assists you to place the ADAC MAC address inthe range table.


NN47205-700 02.0221 January 2009


.

IP phone is not detected 87

Figure 32Reload ADAC MAC in range table

Navigation

• "Disconnecting and reconnecting phone" (page 87)

• "Disabling and enabling the port" (page 87)

Disconnecting and reconnecting phoneRemove the phone and then reconnect it to force a reload of the MACaddress in the range table.

Procedure Steps

Step Action

1 Follow local procedures to disconnect the phone.

2 Follow local procedures to reconnect the phone.

--End--

Disabling and enabling the portDisable ADAC on the port and then enable it to detect the phone. Afterdisabling and re-enabling the port administratively, the MAC addressesalready learned on the respective port are aged out.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the no adac enable <port> command to disable ADAC.

2 Use the adac enable <port> command to enable ADAC.

--End--

Reduce LLDP devicesReduce the number of LLDP devices. More than 16 devices may causedetection issues.

Task flow: Reduce LLDP devicesThe following task flow assists you to reduce the number of LLDP deviceson the system.

Figure 33Reduce LLDP devices

Navigation

• "Viewing LLDP information" (page 89)

• "Reducing LLDP enabled devices" (page 89)


NN47205-700 02.0221 January 2009


.

Auto configuration is not applied 89

Viewing LLDP informationDisplay the LLDP devices that are connected to a port.

Procedure Steps

Step Action

1 Use the show lldp port 1 neighbor command to identify theLLDP devices.

2 Note if there are more than 16 LLDP-enabled devices on theport.

--End--

Reducing LLDP enabled devicesReduce the number of LLDP devices on the system.

Procedure Steps

Step Action

1 Follow local procedures and SOPs to reduce the number ofdevices connected.

2 Use the show adac in <port> command to display the ADACinformation for the port to ensure there are less than 16 devicesconnected.

--End--

Auto configuration is not appliedCorrect some common issues that may interfere with auto configuration ofdevices.

Task flow: Auto configuration is not appliedThe following task flow assists you to solve auto configuration issues.


NN47205-700 02.0221 January 2009


.


Figure 34Auto configuration is not applied

Navigation

• "Correct auto configuration" (page 90)

• "Check status and number of devices" (page 92)

Correct auto configurationTagged frames mode may be causing a problem. In tagged frames mode,everything is configured correctly, but auto configuration is not applied on atelephony port.

Task flow: Correct auto configurationThe following task flow assists you to correct auto configuration.


NN47205-700 02.0221 January 2009


.


Figure 35Correct auto configuration

Navigation

• "Viewing ADAC global status" (page 91)

• "Configuring another call server and uplink port" (page 92)

• "Replacing the unit" (page 92)

Viewing ADAC global statusDisplay the global status of ADAC.

Procedure Steps

Step Action

1 Use the show adac command to display the ADAC information.


NN47205-700 02.0221 January 2009


.


2 Note if the oper state is showing as disabled.

--End--

Configuring another call server and uplink portConfiguring another call server and uplink port can assist the autoconfiguration.

Procedure Steps

Step Action

1 Use the adac uplink-port <port> command to assign theuplink port.

2 Use the adac call-server-port <port> command to assignthe call server port.

--End--

Replacing the unitReplace the unit to replicate configuration if AUR is enabled.

Procedure Steps

Step Action

1 Follow the replacement guidelines in Nortel Ethernet RoutingSwitch 4500 Series Configuration — System (NN47205-500).

2 Refer to the unit replacement section in the TroubleshootingHardware section of this document.

--End--

Check status and number of devicesAuto configuration can stop being applied after a unit is removed from thestack.

Task flow: Check status and number of devicesThe following task flow assists you to correct the auto configuration.


NN47205-700 02.0221 January 2009


.


Figure 36Check status and number of devices

Navigation

• "Viewing ADAC port status" (page 93)

• "Reducing the number of devices" (page 94)

• "Disabling and enabling the port" (page 94)

Viewing ADAC port statusDisplay the status of ADAC on the port.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the show adac in <port> command to display the ADACinformation for the port.

2 Note if the oper state is disabled and the number of devicesconnected.

--End--

Reducing the number of devicesReduce the number of LLDP devices on the system.

Procedure Steps

Step Action

1 Follow local procedures and Standard Operating Procedures toreduce the number of devices connected.

2 Use the show adac in <port> command to display the ADACinformation for the port to ensure that less than 32 devices areconnected.

--End--

Disabling and enabling the portAdministratively disable and enable the port to initialize the configuration.

Procedure Steps

Step Action

1 Use the no adac enable <port> command to disable ADAC.

2 Use the adac enable <port> command to enable ADAC.

--End--


NN47205-700 02.0221 January 2009


.

95.

Troubleshooting authenticationAuthentication issues can interfere with device operation and function. Thefollowing work flow shows common authentication problems.

Work flow: Troubleshooting authenticationThe following work flow shows typical authentication problems. Thesework flows are not dependant upon each other.

Figure 37Troubleshooting authentication

Navigation• "EAP client authentication " (page 96)

• "EAP multihost repeated re-authentication issue" (page 104)

• "EAP RADIUS VLAN is not being applied " (page 108)

• "Configured MAC is not authenticating" (page 116)


NN47205-700 02.0221 January 2009


.

96 Troubleshooting authentication

• "Non-EAP RADIUS MAC not authenticating" (page 121)

• "Non-EAP MHSA MAC is not authenticating" (page 126)

• "EAP–non-EAP unexpected port shutdown" (page 131)

EAP client authenticationThis section provides troubleshooting guidelines for the EAP and NEAPfeatures on the Ethernet Routing Switch 4500 Series devices.

Work flow: EAP client is not authenticatingThe following work flow assists you to determine the cause and solution ofan EAP client that does not authenticate as expected.


NN47205-700 02.0221 January 2009


.

EAP client authentication 97

Figure 38EAP client is not authenticating

Navigation

• "Restore RADIUS connection" (page 98)

• "Enable EAP on the PC" (page 100)


NN47205-700 02.0221 January 2009


.


• "Apply the method" (page 101)

• "Enable EAP globally" (page 102)

Restore RADIUS connectionEnsure that the RADIUS server has connectivity to the device.

Task flow: Restore RADIUS connectionThe following task flow assists you to restore the connection to theRADIUS server.

Figure 39Restore RADIUS connection


NN47205-700 02.0221 January 2009


.


Navigation

• "Getting correct RADIUS server settings for the switch" (page 99)

• "Viewing RADIUS information" (page 99)

• "Configuring the RADIUS server settings" (page 99)

• "Reconfiguring the shared secret" (page 100)

• "Pinging the RADIUS server" (page 100)

Getting correct RADIUS server settings for the switchThis section provides troubleshooting guidelines for obtaining the RADIUSserver settings.

Procedure Steps

Step Action

1 Obtain network information for the RADIUS server from thePlanning and Engineering documentation.

2 Follow vendor documentation to set the RADIUS authenticationmethod MD5.

--End--

Viewing RADIUS informationReview the RADIUS server settings in the device.

The default server port is 1812/UDP. Older servers may use 1645/UDP,and other older servers do not support UDP at all.

Procedure Steps

Step Action

1 Use the show radius-server command to view the RADIUSserver settings.

2 Refer to the vendor documentation for server configuration.

--End--

Configuring the RADIUS server settingsThe RADIUS server settings must be correct for the network.

Follow vendor documentation to set the RADIUS server settings.


NN47205-700 02.0221 January 2009


.


Reconfiguring the shared secretReset the shared secret in case there was any corruption.

Procedure Steps

Step Action

1 Use the radius-server key command.

2 Refer to the vendor documentation for server configuration.

--End--

Pinging the RADIUS serverPing the RADIUS server to ensure connection exists.

Procedure Steps

Step Action

1 Use the ping <server IP> command to ensure connection.

2 Observe no packet loss to confirm connection.

--End--

Enable EAP on the PCThe PC must have an EAP-enabled device that is correctly configured.

Task flow: Enable EAP on the PCThe following task flow assists you to ensure the PC network card hasEAP enabled.


NN47205-700 02.0221 January 2009


.


Figure 40Enable EAP on the PC

Navigation

• "Enabling EAP on PC network card" (page 101)

Enabling EAP on PC network cardThe PC must have the correct hardware and configuration to support EAP.

Procedure Steps

Step Action

1 See vendor documentation for the PC and network card.

2 Ensure the network card is enabled.

3 Ensure the card is configured to support EAP.

--End--

Apply the methodEnsure you apply the correct EAP method.

Task flow: Apply the methodThe following task flow assists you to apply the correct EAP method.


NN47205-700 02.0221 January 2009


.


Figure 41Apply the method

Navigation

• "Configuring the RADIUS server" (page 102)

Configuring the RADIUS serverConfigure the RADIUS server to authenticate using MD5.

Procedure Steps

Step Action

1 Obtain network information for the RADIUS Server from Planningand Engineering.

2 Save the information for later reference.

--End--

Enable EAP globallyEnable EAP globally on the 4500 Series device.

Task flow: Enable EAP globallyThe following task flow assists you to enable EAP globally on the EthernetRouting Switch 4500 Series device.


NN47205-700 02.0221 January 2009


.


Figure 42Enable EAP globally

Navigation

• "Enabling EAP globally" (page 103)

• "Viewing EAPOL settings" (page 104)

• "Setting EAPOL port administrative status to auto" (page 104)

Enabling EAP globallyEnable EAP globally on the Ethernet Routing Switch 4500 Series device.

Procedure Steps

Step Action

1 Use the eapol enable command to enable EAP globally on theEthernet Routing Switch 4500 Series device.


NN47205-700 02.0221 January 2009


.


2 Ensure that there are no errors after command execution.

--End--

Viewing EAPOL settingsReview the EAPOL settings to ensure EAP is enabled.

Procedure Steps

Step Action

1 Use the show eapol port <port#> command to display theinformation.

2 Observe the output.

--End--

Setting EAPOL port administrative status to autoSet the EAPOL port administrative status to auto.

Procedure Steps

Step Action

1 Use the eapol status auto command to change the portstatus to auto.

2 Ensure that there are no errors after the command execution.

--End--

EAP multihost repeated re-authentication issueEliminate the multiple authentication of users.

EAP multihost repeated re-authentication issueThe following work flow assists you to determine the cause and solution ofan EAP multihost that authenticates repeatedly.


NN47205-700 02.0221 January 2009


.

EAP multihost repeated re-authentication issue 105

Figure 43EAP multihost repeated re-authentication issue

Navigation

• "Match EAP-MAC-MAX to EAP users" (page 105)

• "Set EAPOL request packet" (page 107)

Match EAP-MAC-MAX to EAP usersWhen the number of authenticated users reaches the allowed maximum,lower the eap-mac-max to the exact number of EAP users that may soonenter to halt soliciting EAP users with multicast requests.

Task flow: Match EAP-MAC-MAX to EAP usersThe following task flow assists you to match the EAP-MAC-MAX to thenumber of EAP users.


NN47205-700 02.0221 January 2009


.


Figure 44Match EAP-MAC-MAX to EAP users

Navigation

• "Identifying number of users at allowed max" (page 106)

• "Lowering EAP max MAC" (page 106)

Identifying number of users at allowed maxObtain the exact number of EAP users that may soon enter when thenumber of authenticated users reaches the allowed max.

Procedure Steps

Step Action

1 Use the show eapol multihost status command to displaythe authenticated users.

--End--

Lowering EAP max MACLower the eap-mac-max value to match the users.


NN47205-700 02.0221 January 2009


.

EAP multihost repeated re-authentication issue 107

Procedure Steps

Step Action

1 Use the eapol multihost eap-mac-max command to set themac-max value.

2 Ensure that there are no errors after execution.

--End--

Set EAPOL request packetChange the request packet generation to unicast.

Task flow: Set EAPOL request packetThe following task flow assists you to set the EAPOL request packet tounicast.

Figure 45Set EAPOL request packet

Navigation

• "Setting EAPOL request packet globally" (page 107)

• "Setting EAPOL request packet for a port" (page 108)

Setting EAPOL request packet globallyGlobally change the EAPOL request packet from multicast to unicast.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the eapol multihost eap-packet-mode unicastcommand to set the EAPOL request packet to unicast.


--End--

Setting EAPOL request packet for a portChange the EAPOL request packet from multicast to unicast for a specificport.

Procedure Steps

Step Action

1 Enter the Interface Configuration mode.

2 Use the eapol multihost eap-packet-mode unicastcommand to set the EAPOL request packet to unicast for theinterface.

--End--

EAP RADIUS VLAN is not being appliedEnsure that the RADIUS VLAN is applied correctly to support EAP.

Work flow: EAP RADIUS VLAN is not being appliedThe following work flow assists you to determine the cause and solution ofthe RADIUS VLAN not being applied.


NN47205-700 02.0221 January 2009


.

EAP RADIUS VLAN is not being applied 109

Figure 46EAP Radius VLAN is not being applied

Navigation

• "Configure VLAN at RADIUS " (page 109)

• "Configure the switch" (page 111)

Configure VLAN at RADIUSCorrect any discrepancies in VLAN information at the RADIUS server.

Task flow: Configure VLAN at RADIUSThe following task flow assists you to ensure the VLAN is configured atthe RADIUS server.


NN47205-700 02.0221 January 2009


.


Figure 47Configure VLAN at RADIUS

Navigation

• "Getting correct RADIUS server settings" (page 110)

• "Viewing RADIUS information" (page 111)

• "Configuring RADIUS" (page 111)

Getting correct RADIUS server settingsThis section provides troubleshooting guidelines to obtain the correctRADIUS server settings.

Procedure Steps

Step Action

1 Obtain network information from Planning and Engineeringdocumentation to locate server information.


NN47205-700 02.0221 January 2009


.


2 Obtain network information for the RADIUS server.

--End--

Viewing RADIUS informationObtain the RADIUS information to identify its settings.

Use vendor documentation to obtain settings display.

Configuring RADIUSConfigure the RADIUS server with the correct VLAN information.

Use vendor documentation to make the required changes.

There are three attributes that the RADIUS server sends back to theNAS (switch) for RADIUS-assigned VLANs. These attributes are the samefor all RADIUS vendors:

• Tunnel-Medium-Type – 802

• Tunnel-Pvt-Group-ID – <VLAN ID>

• Tunnel-Type – Virtual LANs (VLAN)

Configure the switchThe VLAN must be configured correctly on the Ethernet Routing Switch4500 Series device.

Task flow: Configure switchThe following task flow assists you to configure the VLAN on the device.


NN47205-700 02.0221 January 2009


.


Figure 48Configure switch task


NN47205-700 02.0221 January 2009


.


Navigation

• "Showing EAPOL multihost" (page 113)

• "Enabling use of RADIUS assigned VLANs" (page 114)

• "Showing EAPOL multihost interface" (page 114)

• "Showing VLAN config control" (page 114)

• "Changing VLAN config from strict to flexible" (page 115)

• "Showing spanning tree" (page 115)

• "Adding RADIUS assigned VLAN to desired STG" (page 115)

Showing EAPOL multihostIdentify the EAPOL multihost information.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the show eapol multihost command to display themultihost information.

2 Note the state of Allow Use of RADIUS Assigned VLANs.

--End--

Enabling use of RADIUS assigned VLANsChange the "allow RADIUS assigned VLAN" setting to "enable".

Procedure Steps

Step Action

1 Use the eapol multihost use-radius-assigned-vlancommand to allow the use of VLAN IDs assigned by RADIUS.


--End--

Showing EAPOL multihost interfaceDisplay the EAPOL interface information.

Procedure Steps

Step Action

1 Use the show eapol multihost interface <port#>command to display the interface information.

2 Note the status of ALLOW RADIUS VLANs.

--End--

Showing VLAN config controlDisplay the VLAN config control information.

Procedure Steps

Step Action

1 Use the show vlan config control command to displayinformation.


NN47205-700 02.0221 January 2009


.


2 Identify if the config control is set to strict.

--End--

Changing VLAN config from strict to flexibleSet the VLAN config control to flexible to avoid complications with strict.

Procedure Steps

Step Action

1 Use the vlan config control flexible command to setthe VLAN config control to flexible.


--End--

Showing spanning treeView the VLANs added to the desired STG.

If the RADIUS-assigned VLAN and the original VLAN are in the sameSTG, the EAP-enabled port is moved to the RADIUS-assigned VLAN afterEAP authentication succeeds.

Procedure Steps

Step Action

1 Use the show spanning-tree stp <1-8> vlans command todisplay the information.

2 Identify if the RADIUS-assigned VLAN and the original VLAN arein the same STG.

--End--

Adding RADIUS assigned VLAN to desired STGConfigure the VLAN that was assigned by RADIUS to the correct SpanningTree Group.

Procedure Steps

Step Action

1 Use the spanning-tree stp <1-8> vlans command to makethe change.


NN47205-700 02.0221 January 2009


.


2 Review the output to identify that the change was made.

--End--

Configured MAC is not authenticatingCorrect a MAC to allow authentication.

Work flow: Configured MAC is not authenticatingThe following work flow assists you to determine the cause and solution ofa configured MAC that does not authenticate as expected.

Figure 49Configured MAC is not authenticating

Navigation

• "Configure the switch" (page 116)

Configure the switchConfigure the switch to ensure the correct settings are applied to ensurethe MAC is authenticating.

Task flow: Configure the switchThe following task flow assists you to ensure that the MAC isauthenticating on the Ethernet Routing Switch 4500 Series device.


NN47205-700 02.0221 January 2009


.

Configured MAC is not authenticating 117

Figure 50Configure the switch


NN47205-700 02.0221 January 2009


.


Navigation

• "Showing the EAPOL port" (page 118)

• "Setting global EAP enabled and port at eap-auto" (page 119)


• "Enabling allow non-EAPOL clients" (page 119)

• "Showing EAPOL multihost interface " (page 120)

• "Enabling multihost status and allow non-EAPOL clients " (page 120)

• "Showing EAPOL multihost non-eap-mac interface " (page 120)

• "Ensuring MAC is in the list" (page 121)

Showing the EAPOL portDisplay the EAPOL port information


NN47205-700 02.0221 January 2009


.

Configured MAC is not authenticating 119

Procedure Steps

Step Action

1 Use the show eapol port <port> command to display the portinformation.

2 Ensure that EAP is enabled globally, and that the port EAPstatus is set to auto.

--End--

Setting global EAP enabled and port at eap-autoMake corrections to ensure that EAP is enabled globally, and that the portEAP status is set to auto.

Procedure Steps

Step Action

1 Use the eapol enable command to enable EAP globally.

2 Use the eapol status auto command to change port statusto auto.

--End--

Showing EAPOL multihostDisplay the EAPOL multihost information.

Procedure Steps

Step Action

1 Enter the show eapol multihost command to display theinformation.

2 Ensure that Allow Non-EAPOL clients is enabled.

--End--

Enabling allow non-EAPOL clientsCorrect the non-EAPOL client attribute.

Procedure Steps

Step Action

1 Use the eapol multihost allow-non-eap-enablecommand to allow non-EAPOL clients.


NN47205-700 02.0221 January 2009


.



--End--

Showing EAPOL multihost interfaceDisplay the EAPOL multihost interface information.

Procedure Steps

Step Action

1 Enter the show eapol multihost interface <port#>command to display the information.

2 Ensure that allow Non-EAPOL clients is enabled.

3 Ensure that the multihost status is enabled.

--End--

Enabling multihost status and allow non-EAPOL clientsCorrect the non-EAP client attribute.

Procedure Steps

Step Action

1 Use the eapol multihost allow-non-eap-enablecommand to allow non-EAPOL clients.

2 Use the eapol multihost enable command to enablemultihost status.

--End--

Showing EAPOL multihost non-eap-mac interfaceDisplay the EAPOL multihost interface information.

Procedure Steps

Step Action

1 Enter the show eapol multihost non-eap-mac interface<port> command to display the information.

2 Note that the MAC address is in the list.

--End--


NN47205-700 02.0221 January 2009


.

Non-EAP RADIUS MAC not authenticating 121

Ensuring MAC is in the listAdd the MAC address to the list if it was omitted.

Procedure Steps

Step Action

1 Use the show eapol multihost non-eap-mac status<port> command to view MAC addresses.

2 Use the eapol multihost non-eap-mac <H.H.H> <port>command to add a MAC address to the list.

--End--

Non-EAP RADIUS MAC not authenticatingCorrect a non-EAP RADIUS MAC that is not authenticating.

Work flow: Non-EAP RADIUS MAC not authenticatingThe following work flow assists you to determine the cause of and solutionfor a RADIUS MAC that does not authenticate.

Figure 51NEAP RADIUS MAC not authenticating


NN47205-700 02.0221 January 2009


.


Navigation

• "Configure switch" (page 122)

• "RADIUS server configuration error" (page 125)

Configure switchCorrect the switch configuration to correct the issue with RADIUS MAC.

Task flow: Configure switchThe following task flow assists you to configure the Ethernet RoutingSwitch 4500 Series device to correct the RADIUS MAC issue.

Figure 52Configure switch


NN47205-700 02.0221 January 2009


.


Navigation

• "Displaying the EAPOL port" (page 123)

• "Setting global eap enabled and port at eap-auto" (page 124)

• "Displaying EAPOL multihost" (page 124)

• "Enabling RADIUS to authenticate non-EAPOL clients" (page 124)

• "Formatting non-EAPOL RADIUS password attribute" (page 125)

• "Displaying EAPOL multihost interface" (page 125)

• "Enabling RADIUS To Auth non-EAP MACs" (page 125)

Displaying the EAPOL portReview the EAPOL port information.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Enter the show eapol port <port#> command to display theinformation.

2 Ensure that global EAP is enabled and port status is set toeap-auto.

--End--

Setting global eap enabled and port at eap-autoMake required changes to enable EAP globally and to set the port statusto auto.

Procedure Steps

Step Action



--End--

Displaying EAPOL multihostReview the EAPOL multihost information.

Procedure Steps

Step Action

1 Enter the show eapol port multihost command to displaythe information.

2 Note the following:

• Use RADIUS To Authenticate NonEAPOL Clients is enabled.

• Non-EAPOL RADIUS password attribute format isIpAddr.MACAddr.PortNumber

--End--

Enabling RADIUS to authenticate non-EAPOL clientsMake the required changes on the RADIUS server to authenticatenon-EAP clients.


NN47205-700 02.0221 January 2009


.


Apply changes to the RADIUS server using vendor documentation.

Formatting non-EAPOL RADIUS password attributeMake the required changes to the password format on the RADIUS server.

The RADIUS server is to have the format changed to IpAddr.MACAddr.PortNumber.

Displaying EAPOL multihost interfaceReview the EAPOL multihost information.

Procedure Steps

Step Action


2 Verify the following:

• Use RADIUS To Authenticate Non EAP MACs is enabled.

--End--

Enabling RADIUS To Auth non-EAP MACsMake the required changes on the RADIUS server to authenticatenon-EAP clients.

Apply any changes to the RADIUS server using vendor documentation.

RADIUS server configuration errorThe RADIUS server requires that the correct MAC address and passwordfor the Ethernet Routing Switch 4500 Series device be configured.

Task flow: RADIUS server configuration errorThe following task flow assists you to configure the RADIUS server withthe correct MAC and password.


NN47205-700 02.0221 January 2009


.


Figure 53RADIUS server configuration error

Navigation

• "Configuring MAC and password on RADIUS server" (page 126)

Configuring MAC and password on RADIUS serverThe RADIUS server requires that the MAC and password for the EthernetRouting Switch 4500 Series device be correct. If it is incorrect, theEthernet Routing Switch 4500 Series device may not authenticate.

See the vendor documentation for the RADIUS server for details.

Non-EAP MHSA MAC is not authenticatingEnsure that the switch is configured correctly.

Work flow: Non-EAP MHSA MAC is not authenticatingThe following work flow assists you to determine the solution for an MHSAMAC that is not authenticating.


NN47205-700 02.0221 January 2009


.

Non-EAP MHSA MAC is not authenticating 127

Figure 54Non-EAP MHSA MAC is not authenticating

Navigation

• "Configure switch " (page 127)

Configure switchConfigure the switch to enable MHSA.

Task flow: Configure switchThe following task flow assists you to enable MHSA on the EthernetRouting Switch 4500 Series device.


NN47205-700 02.0221 January 2009


.




NN47205-700 02.0221 January 2009


.

Non-EAP MHSA MAC is not authenticating 129

Navigation

• "Showing EAPOL port" (page 130)

• "Setting global EAP enabled and port at eap-auto" (page 130)


• "Formatting non-EAPOL RADIUS password attribute" (page 130)

• "Showing EAPOL multihost interface" (page 131)

• "Enabling RADIUS to authenticate non-EAPOL clients" (page 131)

• "Enabling RADIUS to auth non-EAP MACs" (page 131)


NN47205-700 02.0221 January 2009


.


Showing EAPOL portReview the EAPOL port information.

Procedure Steps

Step Action

1 Enter the show eapol port <port#> command to display theinformation.

2 Ensure that global EAP is enabled and that the port status iseap-auto.

--End--

Setting global EAP enabled and port at eap-autoMake the required changes to ensure that EAP is enabled globally andthat the port status is set to auto.

Procedure Steps

Step Action



--End--

Showing EAPOL multihostReview the EAPOL multihost information.

Procedure Steps

Step Action

1 Enter the show eapol port multihost command to displaythe information.


• Use RADIUS To Authenticate NonEAPOL Clients is enabled.

--End--

Formatting non-EAPOL RADIUS password attributeMake the required changes on the RADIUS server to the password format.


NN47205-700 02.0221 January 2009


.

EAP–non-EAP unexpected port shutdown 131

Use vendor documentation to make required changes on RADIUS serverto change the format to IpAddr.MACAddr.PortNumber.

Enabling RADIUS to authenticate non-EAPOL clientsMake the required changes on the RADIUS server to authenticatenon-EAP clients.


Showing EAPOL multihost interfaceReview the EAPOL multihost information.

Procedure Steps

Step Action



• Allow Auto Non-EAP MHSA: Enabled

--End--

Enabling RADIUS to auth non-EAP MACsMake the required changes on the RADIUS server to authenticatenon-EAP clients.


EAP–non-EAP unexpected port shutdownIdentify the reason for the port shutdown and make configuration changesto avoid future problems.

Work flow: EAP–non-EAP unexpected port shutdownThe following work flow assists you to determine the solution forEAP–non-EAP ports experiencing a shutdown.


NN47205-700 02.0221 January 2009


.


Figure 56EAP-NEAP unexpected port shutdown

Navigation

• "Configure switch" (page 132)

Configure switchConfigure ports to allow more unauthorized clients.

Task flow: Configure switchThe following task flow assists you to allow an increased number ofunauthorized clients on the ports.


NN47205-700 02.0221 January 2009


.



Navigation

• "Showing logs" (page 133)

• "Showing EAP–non-EAP clients on port" (page 134)

• "Showing EAPOL port information" (page 134)

• "Making changes" (page 134)

Showing logsDisplay log information to provide additional information.

Procedure Steps

Step Action

1 Use the show logging command to display the log.


NN47205-700 02.0221 January 2009


.


2 Observe the log output and note anomalies.

--End--

Showing EAP–non-EAP clients on portDisplay EAP–non-EAP client information on the port to provide additionalinformation.

Procedure Steps

Step Action

1 Use the show mac-address-table command to show theclients on the port.


--End--

Showing EAPOL port informationDisplay EAPOL port information for additional information.

Procedure Steps

Step Action

1 Use the show eapol port <port#> command to display theport information.


--End--

Making changesThis section provides troubleshooting guidelines for changing the EAPsettings. It assists in the cleanup of old MAC addresses.

Procedure Steps

Step Action

1 Use the eap-force-unauthorized command to set theadministrative state of the port to forced unauthorized.

2 Use the eapol status auto command to change to eap-auto.


NN47205-700 02.0221 January 2009


.


3 In the Interface Configuration Mode, use the shut/no shutcommands.

--End--


NN47205-700 02.0221 January 2009


.



NN47205-700 02.0221 January 2009


.

137.

Troubleshooting Nortel SNANortel Secure Network Access (SNA) issues can interfere in the deviceoperation and function. The following work flow contains some commonauthentication problems.

Troubleshooting Nortel SNA work flowThe following work flow contains some typical Nortel SNAS problems.These situations are not normally dependant upon each other.


NN47205-700 02.0221 January 2009


.

138 Troubleshooting Nortel SNA

Figure 58Troubleshooting Nortel SNAS

Navigation• "Nortel SNA switch not connected to Nortel SNAS although Nortel SNA

is enabled" (page 139)

• "Client PC/phone cannot connect" (page 148)

• "Authentication error or 0.0.0.0 IP after image upgrade" (page 157)

• "TG client getting red IP" (page 161)

• "Client gets red IP but browser hangs after opening" (page 164)

• "Nortel SNA client gets red IP but after login it does not go to yellowor green state" (page 165)

• "Client had green IP but was moved to yellow or red" (page 167)

• "Client PC taking a long time to boot" (page 170)


NN47205-700 02.0221 January 2009


.

Nortel SNA switch not connected to Nortel SNAS although Nortel SNA is enabled 139

• "Mac-Auth client not authenticated or not assigned the correct filter"(page 172)

• "Client has no DHCP information during initial connection or SSCPmessages" (page 175)

Nortel SNA switch not connected to Nortel SNAS although NortelSNA is enabled

Ensure the Nortel SNAS is displayed as connected to the Ethernet RoutingSwitch 4500 Series device.

The secure image must be running on the device to support Nortel SNAand SSH. If you require these features, see the section on updating switchsoftware in Nortel Ethernet Routing Switch 4500 Series Release 5.2Release Notes (NN47205-400).

Work flow: Nortel SNA switch not connected to Nortel SNAS althoughNortel SNA is enabled

The following work flow assists you to determine the solution for an NortelSNA switch that does not connect to a Nortel SNAS.


NN47205-700 02.0221 January 2009


.


Figure 59Nortel SNA switch not connected to Nortel SNAS although Nortel SNA is enabled

Navigation

• "Confirm IP configuration" (page 140)

• "Configure Nortel SNA on switch" (page 142)

• "Configure SSH on switch" (page 144)

• "Verify SSCP version " (page 146)

Confirm IP configurationCorrect IP connectivity to restore management connectivity.


NN47205-700 02.0221 January 2009


.


Task flow: Confirm IP configurationThe following task flow assists you to correct IP connectivity to restoremanagement connectivity.

Figure 60Confirm IP configuration

Navigation

• "Pinging the Nortel SNAS MIP from switch" (page 141)

• "Checking network connectivity from switch to router to SNAS" (page142)

• "Checking the uplink connectivity management" (page 142)

Pinging the Nortel SNAS MIP from switchConfirm IP connectivity from the switch exists.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the ping <IP> command from the switch.

2 Note the ping response displayed.

--End--

Checking network connectivity from switch to router to SNASConfirm network connection from the switch to SNAS exists.

Procedure Steps

Step Action

1 Use the ping <SNAS IP> command from the switch.

2 Note the ping response displayed.

--End--

Checking the uplink connectivity management

Procedure Steps

Step Action

1 Use the cfg/domain 1/switch Y command followed by "cur" .

2 Note the response displayed.

--End--

Configure Nortel SNA on switchConfigure and enable Nortel SNA on the switch.

Task flow: Configure Nortel SNA on switchThe following task flow assists you to ensure the Ethernet Routing Switch4500 Series device has Nortel SNA enabled.


NN47205-700 02.0221 January 2009


.


Figure 61Configure Nortel SNA on switch

Navigation

• "Checking Nortel SNAS configuration" (page 143)

• "Configuring Nortel SNA" (page 143)

Checking Nortel SNAS configurationVerify the current configuration.

Procedure Steps

Step Action

1 Use the cfg/domain 1/switch Y command followed by "cur" .

2 Note if the switch is configured in the Nortel SNAS.

--End--

Configuring Nortel SNAConfigure Nortel SNA for the switch.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Create the VLANs on the switch using the following commands:

• vlan create 210 type port




2 Use the Nortel SNA Nortel SNAs <IP>/<subnet>port <port> command to configure the Nortel SNAS IPaddress/subnet and the TCP communication port.

3 Set the created VLANs as Nortel SNA VoIP, RED, YELLOW,and GREEN VLANs using the following commands:

• Nortel SNA vlan 240 color voip

• Nortel SNA vlan 210 color red filter RED

• Nortel SNA vlan 220 color yellow filter YELLOWyellow-subnet 10.200.201.0/24

• Nortel SNA vlan 230 color green filter GREEN

4 Set ports as Nortel SNA uplink and dynamic using the followingcommands:

• interface fast Ethernet all

• Nortel SNA port 47-48 uplink vlans 210,220,230,240

• Nortel SNA port 1-46 dynamic voip-vlans 240

--End--

Configure SSH on switchCorrect the SSH configuration on the switch.

Task flow: Configure SSH on switchThe following task flow assists you to ensure SSH is configured on theEthernet Routing Switch 4500 Series device.


NN47205-700 02.0221 January 2009


.


Figure 62Configure SSH on switch

Navigation

• "Showing SSH globally" (page 145)

• "Reconfiguring SSH" (page 146)

• "Regenerating SSH key" (page 146)

Showing SSH globallyDisplay the SSH configuration of the switch.

Procedure Steps

Step Action

1 Use the show ssh global command to display the currentconfiguration.


NN47205-700 02.0221 January 2009


.


2 Confirm the SSH setting is correct.

--End--

Reconfiguring SSHChange the SSH settings to be correct.

Procedure Steps

Step Action

1 Use the no ssh dsa-auth-key command to delete the SSHDSA auth key.

2 Use the ssh download-auth-key address <IP> key-namesnaskey.pub command to download the correct Nortel SNASpublic key.

3 Use the ssh command to enable SSH globally.

--End--

Regenerating SSH keyRegenerate the SSH key if all SSH settings are correct and the problemstill exists.

Procedure Steps

Step Action

1 Enter the no Nortel SNA command.

2 Enter the no ssh command.

3 Enter the no ssh dsa-auth-key command.

4 Enter the ssh command.

5 Enter the Nortel SNA enable command.

6 On the Nortel SNAS, navigate to /cfg/domain 1/switch 1/sshkeyand import the switch SSH key using the SSH Key# importcommand.

7 Enter the apply command to keep the changes.

8 Enter the show Nortel SNA command to review the changes.

--End--

Verify SSCP versionEnsure the correct SSCP version is on the switch.


NN47205-700 02.0221 January 2009


.


Task flow: Verify SSCP versionThe following task flow assists you to verify the SSCP version on theEthernet Routing Switch 4500 Series device.

Figure 63Verify SSCP version

Navigation

• "Showing Nortel SNA" (page 147)

• "Contacting Nortel" (page 148)

Showing Nortel SNADisplay the Nortel SNA information for review.

Procedure Steps

Step Action

1 Enter the show Nortel SNA command to display theconfiguration.

2 Enter the /info/local command to display the softwareversion on the Nortel SNAS side.


NN47205-700 02.0221 January 2009


.


3 Ensure the following is on the switch:

• Nortel SNAS Connection Version: SSCPv1

Higher versions are backward compatible.

4 Verify that the SNAS has the following:

• Software version: 1.6.1.2

Higher versions are backward compatible.

--End--

Contacting NortelEngage Nortel in the troubleshooting by advising of the softwarediscrepancy.

Follow the Nortel customer service procedures at your convenience.

Client PC/phone cannot connectUse the procedures in this section to correct connection issues betweenthe PC or phone and the switch.

Work flow: Client PC/phone can not connectThe following work flow assists you to determine the solution for a clientPC or phone that cannot connect.


NN47205-700 02.0221 January 2009


.

Client PC/phone cannot connect 149

Figure 64Client PC/phone can not connect

Navigation

• "Configure switch on Nortel SNAS" (page 149)

• "Restart client and port" (page 151)

• "Configure DHCP for Nortel SNAS" (page 153)

• "Configure call server" (page 155)

• "Enable the port" (page 156)

Configure switch on Nortel SNASConfigure and enable the switch on the Nortel SNAS.


NN47205-700 02.0221 January 2009


.


Task flow: Configure the switch on Nortel SNASThe following task flow assists you to enable the Ethernet Routing Switch4500 Series device on the Nortel SNAS.

Figure 65Configure the switch on Nortel SNAS

Navigation

• "Showing Nortel SNA information" (page 150)

• "Configuring Nortel SNAS" (page 151)

Showing Nortel SNA informationVerify the current configuration.

Procedure Steps

Step Action

1 Use the cfg/domain 1/switch Y command followed by "cur".

2 Note if the switch is configured in the Nortel SNAS.

--End--


NN47205-700 02.0221 January 2009


.


Configuring Nortel SNASConfigure the Nortel SNAS with the settings for the Ethernet RoutingSwitch 4500 Series device.

Procedure Steps

Step Action

1 Review the Nortel SNAS documentation for configurationinformation and procedures.

--End--

Restart client and portEnsure that the client and port are restarted.

Task flow: Restart client and portThe following task flow assists you to restart both the client and port.


NN47205-700 02.0221 January 2009


.


Figure 66Restart client and port

Navigation

• "Showing Nortel SNA client and Nortel SNAS info" (page 152)

• "Completing an IP config release/renew" (page 153)

• "Unplugging/replugging client" (page 153)

• "Restarting client port" (page 153)

Showing Nortel SNA client and Nortel SNAS infoDisplay the Nortel SNA client information

Procedure Steps

Step Action

1 Use the show Nortel SNA client command.

2 Note the output.


NN47205-700 02.0221 January 2009


.


3 Use the info/switch 1 n command on the Nortel SNAS.

4 Both are to be showing a consistent status.

--End--

Completing an IP config release/renewForce a full IP config release and renew of IP information.

Procedure Steps

Step Action

1 Using vendor documentation, perform an ipconfig release on theclient PC.

2 Using vendor documentation, perform an ipconfig renew on theclient PC.

--End--

Unplugging/replugging clientPhysically disconnect the client from the network.

Procedure Steps

Step Action

1 Following local network procedures, unplug the client PC fromthe network.

2 Wait a minimum of 10 seconds.

3 Following local network procedures, connect the client PC to thenetwork.

--End--

Restarting client portShut down the client port, and then restart it.

Follow vendor procedures to shut down and restart the client port.

Configure DHCP for Nortel SNASIf the phone is still not getting an IP, eliminate DHCP configuration issues.

Task flow: Configure DHCP for Nortel SNAThe following task flow assists you to configure DHCP for Nortel SNA.


NN47205-700 02.0221 January 2009


.


Figure 67Configure DHCP for Nortel SNA

Navigation

• "Confirming phone is configured for DHCP" (page 154)

• "Reconfiguring phone" (page 154)

• "Configuring DHCP for Nortel SNA" (page 155)

Confirming phone is configured for DHCPEnsure the phone is configured as a DHCP client.

Review vendor documentation to ensure the phone is properly configuredfor DHCP.

Reconfiguring phoneChange the phone settings so it is configured as a DHCP client.


NN47205-700 02.0221 January 2009


.


Review vendor documentation to change settings of the phone to act asa DHCP client.

Configuring DHCP for Nortel SNAChange the DHCP server to work with Nortel SNA.

Review vendor documentation to change settings of the DHCP server.

Configure call serverEnsure the call server is properly configured.

Task flow: Configure call serverThe following task flow assists you to configure the call server.

Figure 68Configure call server.

Navigation

• "Configuring call server" (page 155)

• "Configuring DHCP server" (page 156)

Configuring call serverEnsure the call server is properly configured.

Review vendor documentation of the call server and ensure allconfigurations are correct.


NN47205-700 02.0221 January 2009


.


Configuring DHCP serverEnsure the DHCP server is properly configured.

Review vendor documentation of the DHCP server and ensure allconfigurations are correct.

Enable the portEnable the port after a new client PC/Phone (behind a hub) is unable toget an IP or connect, or if the Ethernet Routing Switch 4500 Series clientport is down.

Task flow: Enable the portThe following task flow assists you to enable the port.

Figure 69Enable the port

Navigation

• "Checking the switch log" (page 156)

• "Reenabling the port" (page 157)

Checking the switch logReview the switch log to determine if more than 10 intruders have beendetected.


NN47205-700 02.0221 January 2009


.

Authentication error or 0.0.0.0 IP after image upgrade 157

Procedure Steps

Step Action

1 Use the command show logging to view the log messages.

2 Review the information in the log messages.

--End--

Reenabling the portEnable the port after it was shut down due to detected intrusion.

Procedure Steps

Step Action

1 Use the command no shutdown <port> to enable a port thatwas disabled.

2 Observe no errors after execution.

--End--

Authentication error or 0.0.0.0 IP after image upgradeEliminate some common problems after an image upgrade that can leadto errors.

Work flow: Authentication error or 0.0.0.0 IP after image upgradeThe following work flow assists you to determine the solution forauthentication errors or an IP address of 0.0.0.0 immediately following anupgrade of the image.


NN47205-700 02.0221 January 2009


.


Figure 70Authentication error or 0.0.0.0 IP after image upgrade

Navigation

• "Configure STP state" (page 158)

• "Renewing IP" (page 160)

Configure STP statePlace the STP state in fast learning if the ports come up too fast.

Attention: Ensure that you clearly understand the consequences ofperforming this action on an uplink to prevent loops.

Task flow: Configure STP state task flowThe following task flow assists you to configure the STP for fast learning.


NN47205-700 02.0221 January 2009


.

Authentication error or 0.0.0.0 IP after image upgrade 159

Figure 71Configure STP state

Navigation

• "Viewing Router STP state" (page 159)

• "Configuring STP state" (page 160)

Viewing Router STP stateIdentify what the STP state is on the router.

Procedure Steps

Step Action

1 Use the show spanning-tree port command to show therouter STP state.


• STP State is disable or fast

--End--


NN47205-700 02.0221 January 2009


.


Configuring STP stateSet the STP state to fast learning.

Procedure Steps

Step Action

1 Use the spanning-tree port 1 learning fast command toset the STP state to fast learning.

2 Observe no errors after execution.

--End--

Renewing IPRenew the IP properly to restore the connection.

Task flow: Renewing IPThe following task flow assists you to properly release and renew an IPaddress.

Figure 72Renewing IP


NN47205-700 02.0221 January 2009


.

TG client getting red IP 161

Navigation

• "Confirming PC has IP address" (page 161)

• "Completing and ipconfig release and renew" (page 161)

Confirming PC has IP addressConfirm the PC has a proper IP.

Procedure Steps

Step Action

1 Using vendor documentation, use the ipconfg /all commandto view the IP information of the PC.

2 Note the IP address and other IP information.

--End--

Completing and ipconfig release and renewPerform a proper ipconfig /release prior to an ipconfig /renew.

Procedure Steps

Step Action

1 Using vendor documentation, use the ipconfg /releasecommand to release the IP information of the PC.

2 Using vendor documentation, use the ipconfg /renewcommand to renew the IP information of the PC.

--End--

TG client getting red IPEliminate the switch blocking traffic to SNAS.

Work flow: TG Client getting red IPThe following work flow assists you to determine the solution for a TGclient that obtains a red IP.


NN47205-700 02.0221 January 2009


.


Figure 73TG Client getting red IP

Navigation

• "Portal Login Problem" (page 162)

Portal Login ProblemEliminate the location of the interruption to properly configure the NSASport IP if required.

Task flow: Portal login problemThe following task flow assists you to eliminate the interruption to configurethe NSAS port IP.


NN47205-700 02.0221 January 2009


.

TG client getting red IP 163

Figure 74Portal login problem

Navigation

• "Correcting NSAS port IP" (page 163)

• "Investigating network traffic issues" (page 164)

Correcting NSAS port IPMake changes to NSAS port IP.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the /info/domain command in the Nortel SNAS CLI.Portal VIP addr(s) for the domain is the IP address.

2 Use the /info/sys command in the Nortel SNAS CLI.Management IP (MIP) address is the IP address.

--End--

Investigating network traffic issuesEliminate network traffic issues that may impede the browser.

Use local documentation and protocol to investigate network traffic issues.The Planning and Engineering document may be of assistance.

Client gets red IP but browser hangs after openingRestart the browser to correct a browser hanging issue.

Work flow: Client gets red IP but browser hangs after openingThe following work flow assists you to determine the solution for a clientthat obtains a red IP but the browser hangs after it appears.

Figure 75Client gets red IP but browser hangs after opening

Navigation

• "Browser restart" (page 164)

Browser restartRestart the browser to regain connectivity.


NN47205-700 02.0221 January 2009


.

Nortel SNA client gets red IP but after login it does not go to yellow or green state 165

Task flow: Browser restartThe following task flow assists you to restart the browser.

Figure 76Browser restart

Navigation

• "Restarting the browser" (page 165)

Restarting the browserFully close and restart a browser.

Procedure Steps

Step Action

1 Following local procedures and guidelines, close all instancesof the browser.

2 Restart the browser.

3 Navigate to the portal.

--End--

Nortel SNA client gets red IP but after login it does not go to yellowor green state

Made corrections to prevent the client from maintaining a red state for toolong due to Nortel SNA communication failure.


NN47205-700 02.0221 January 2009


.


Work flow: Nortel SNA client gets red IP but after login it does not goto yellow or green state

The following work flow assists you to determine the solution for a NortelSNA client that obtains a red IP but fails to move to yellow or green stateafter login.

Figure 77Nortel SNA client gets red IP but after login it does not go to yellow or green state

Navigation

• "Client port restart" (page 166)

Client port restartSet the client link down and then up.

Task flow: Client port restartThe following task flow assists you to restart the client port.


NN47205-700 02.0221 January 2009


.

Client had green IP but was moved to yellow or red 167

Figure 78Client port restart

Navigation

• "Restarting client port link" (page 167)

Restarting client port linkShut down the client port, then restart it.

Follow vendor procedures to shut down and restart the client port.

Client had green IP but was moved to yellow or redCorrect the communication issue causing the IP status to change.

Work flow: Client had green IP but was moved to yellow or redThe following work flow assists you to determine the solution for a clientthat has had a green IP but changes to yellow or red.


NN47205-700 02.0221 January 2009


.


Figure 79Client had green IP but was moved to yellow or red

Navigation

• "Restart client" (page 168)

Restart clientShut down the client, then start to regain proper communication.

Task flow: Restart clientThe following task flow assists you to restart the client.


NN47205-700 02.0221 January 2009


.

Client had green IP but was moved to yellow or red 169

Figure 80Restart client

Navigation

• "Restarting client port link" (page 169)

• "Completing an ipconfig release and renew" (page 169)

Restarting client port linkShut down the client port, then restart it.

Procedure Steps

Step Action

1 Follow vendor procedures to shut down and restart the clientport.

--End--

Completing an ipconfig release and renewPerform a proper ipconfig /release prior to an ipconfig /renew.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action



--End--

Client PC taking a long time to bootCorrect a port configuration issue that is causing the PC to have a longboot time.

Work flow: Client PC taking a long time to bootThe following work flow assists you to determine the solution for a clientPC that takes an unusually long time to boot.

Figure 81Client PC taking a long time to boot

Navigation

• "Port configuration" (page 170)

Port configurationIdentify and open the necessary ports that are being used by the clientPC domain login in the red VLAN.

Task flow: Port configurationThe following task flow assists you to correct the port configuration.


NN47205-700 02.0221 January 2009


.

Client PC taking a long time to boot 171

Figure 82Port configuration

Navigation

• "Obtaining required ports on PC" (page 171)

• "Adding ports to red VLAN for access" (page 171)

Obtaining required ports on PCIdentify the correct ports that are required for the VLAN.

Following local procedures and vendor documentation, identify the portsthat are required for the PC.

Adding ports to red VLAN for accessEnsure the ports identified are added to the red VLAN so all traffic cangain access.

Procedure Steps

Step Action

1 Refer to Nortel Ethernet Routing Switch 4500 SeriesConfiguration — Quality of Service (NN47205-504) for commandsyntax to add ports to the red VLAN.


NN47205-700 02.0221 January 2009


.


2 Repeat previous step as required for multiple ports.

--End--

Example of adding ports to a VLAN

Procedure Steps

Step Action

1 In Global Configuration mode, enter qos nsna classifiername red protocol 17 dst-port-min 427 dst-port-max427 ethertype 0x0800 drop-action disable block REDeval-order 101.

2 In Global Configuration mode, enter qos nsna classifiername red protocol 6 dst-port-min 524 dst-port-max524 ethertype 0x0800 drop-action disable block REDeval-order 102.

--End--

Mac-Auth client not authenticated or not assigned the correct filterCorrect the client that is not authenticating. Authentication can fail if thecorrect filter is not assigned.

Work flow: Mac-Auth client not authenticated or not assigned thecorrect filter

The following work flow assists you to determine the solution for a MACauthentication client that does not authenticate or is not assigned theproper filter.


NN47205-700 02.0221 January 2009


.

Mac-Auth client not authenticated or not assigned the correct filter 173

Figure 83Mac-Auth client not authenticated or not assigned the correct filter

Navigation

• "Configure Nortel SNAS" (page 173)

Configure Nortel SNASChange the Nortel SNAS settings to ensure authentication can occur.

Task flow: Configure Nortel SNASThe following task flow assists you to configure the Nortel SNAS to allowauthentication.


NN47205-700 02.0221 January 2009


.


Figure 84Configure Nortel SNAS

Navigation

• "Pinging Nortel SNAS" (page 174)

• "Checking network connectivity" (page 175)

• "Logging on to Nortel SNAS" (page 175)

• "Adding details to the switch domain" (page 175)

Pinging Nortel SNASVerify the network connectivity using ping.


NN47205-700 02.0221 January 2009


.

Client has no DHCP information during initial connection or SSCP messages 175

Procedure Steps

Step Action

1 Use the ping <Nortel SNASIP> command to ensureconnectivity.

2 Observe the details delivered.

--End--

Checking network connectivityVerify that the network has no other network issues preventing theconnection.

Use local protocol and network information to correct network issues.

Logging on to Nortel SNASLog on to the Nortel SNAS to view more information.

Procedure Steps

Step Action

1 Use vendor procedure to log on to the Nortel SNAS.

2 Observe the following:

• The macdb list for the switch’s domain

--End--

Adding details to the switch domainAdd the MAC address and group details to the switch domain.

Follow vendor documentation to add the mac-address and group details.

Client has no DHCP information during initial connection or SSCPmessages

Reestablish the identification of a client to the SNAS.

Work flow: Client has no DHCP information during initial connectionor SSCP messages

The following work flow assists you to have a client recognized by SNASafter initial connection. If the DHCP information fails to be sent to theclient, you can redo DHCP. If the client starts within five seconds after theconnection is initialized, the client may be unable to log in.


NN47205-700 02.0221 January 2009


.


Figure 85Client has no DHCP information during initial connection or SSCP messages

Navigation

• "Disconnect and reconnect client" (page 176)

Disconnect and reconnect clientShut down the client, then start to regain proper identification.

Task flow: Disconnect and reconnect clientThe following task flow assists you to disconnect and reconnect the client.


NN47205-700 02.0221 January 2009


.

Client has no DHCP information during initial connection or SSCP messages 177

Figure 86Disconnect and reconnect client

Navigation

• "Viewing Nortel SNA information" (page 177)

• "Disconnecting and reconnecting client" (page 177)

• "Restarting IP Config on client" (page 178)

Viewing Nortel SNA informationView the Nortel SNA information for the device or stack.

Procedure Steps

Step Action

1 Use the show nsna command to display the Nortel SNAinformation.

2 Observe the displayed information and identify the client that isnot recognized.

--End--

Disconnecting and reconnecting clientPerform a proper ipconfig /release prior to an ipconfig /renew.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action



--End--

Restarting IP Config on clientPerform a proper ipconfig /release prior to an ipconfig /renew.

Procedure Steps

Step Action



--End--


NN47205-700 02.0221 January 2009


.

179.

Troubleshooting IPv6This chapter contains details about how to troubleshoot common IPv6problems you may encounter.

Troubleshooting IPv6 work flowThis workflow will assist you to identify common scenarios related to IPv6that you can troubleshoot.


NN47205-700 02.0221 January 2009


.

180 Troubleshooting IPv6

Navigation• "Device not responding to ping to its IPv6 address" (page 180)

• "Cannot ping IPV6 host from device console" (page 186)

• "Duplicate address detected (global IPv6 address)" (page 187)

• "Duplicate address detected (link-local address)" (page 189)

• "Cannot connect through IPv6 default gateway" (page 191)

• "IPv6 management traffic is not sent/received as expected" (page 193)

• "IPV6 telnet/http/ssh to device does not work" (page 195)

• "UDPv6 communication does not work" (page 197)

• "Cannot set IPv6 address" (page 199)

Device not responding to ping to its IPv6 addressWhen you ping the IPv6 address from another host, the ping fails.

Device not responding to ping to its IPv6 address task flowUse this task flow to restore the connectivity through IPv6.


NN47205-700 02.0221 January 2009


.

Device not responding to ping to its IPv6 address 181

Figure 87Task flow: Device not responding to ping to its IPv6 address


NN47205-700 02.0221 January 2009


.


Navigation

• "Displaying IPv6 interface information" (page 182)

• "Enabling IPv6 interface on management VLAN" (page 183)

• "Configuring IPv6 address " (page 183)

• "Displaying IPv6 global information " (page 184)

• "Enabling IPv6 " (page 184)

• "Setting IPv6 gateway" (page 184)


• "Showing logging" (page 185)

• "Configuring another IPv6 address" (page 185)

• "Configuring another link-local ID" (page 185)

Displaying IPv6 interface informationUse the procedure in this section to verify that the IPv6 global admin statusis enabled.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the show ipv6 global command to display the IPv6 globalstatus.

2 Use the show ipv6 interface command to display the IPv6interface status.

3 Ensure the admin-status is set to enabled.

--End--

Enabling IPv6 interface on management VLANUse this procedure to enable IPv6 on the management VLAN. Theoperational state becomes active about 30 seconds from boot,synchronized with the time when the IPv4 configured address is in use.

Procedure Steps

Step Action

1 Use the show vlan mgmt command to show the managementVLAN.

2 Use the interface vlan <Number> command to configure themanagement VLAN.

3 Use the ipv6 interface enable command to enable IPv6 onthe management VLAN.

4 Ensure the admin-status is set to enabled.

--End--

Configuring IPv6 addressUse the procedure in this section to configure an IPv6 address for thedevice.

Procedure Steps

Step Action

1 Use the ipv6 address switch <IPv6 address> command toassign an IPv6 address to the switch.

2 Ensure the command completes without error.

--End--


NN47205-700 02.0221 January 2009


.


Displaying IPv6 global informationUse the procedure in this section to display IPv6 global information for thedevice.

Procedure Steps

Step Action

1 Use the show ipv6 global command to display the IPv6 globalinformation.

2 Ensure that admin status is enabled.

--End--

Enabling IPv6Use the procedure in this section to enable IPv6 on the device.

Procedure Steps

Step Action

1 Use the ipv6 enable command to enable IPv6 globally.

2 Ensure that the command completes.

--End--

Setting IPv6 gatewayUse the procedure in this section to set the IPv6 gateway.

Procedure Steps

Step Action

1 Use the ipv6 default-gateway <IPv6 address> commandto set the default gateway address.


--End--

Displaying IPv6 interface informationUse the procedure in this section to display the IPv6 interface information.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the show ipv6 interface command to display the IPv6interface information.

2 Observe that the global IPv6 address has preferred status.

--End--

Showing loggingUse the procedure in this section to display logging information.

Procedure Steps

Step Action

1 Use the show logging command to display logging information.

2 Look for a message that states that duplicate address detectionfailed.

--End--

Configuring another IPv6 addressUse the procedure in this section to configure a new IPv6 address.

Procedure Steps

Step Action

1 Use the IPv6 address <ipv6_address/prefix_length>command to configure a new IPv6 address.

2 Return to the beginning of the task flow if the issue is notresolved.

--End--

Configuring another link-local IDUse the procedure in this section to configure a new link-local ID.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the IPv6 interface link-local <WORD 0-19>command to configure a new link-local ID.

--End--

Cannot ping IPV6 host from device consoleWhen you ping an IPv6 address from the device, the ping fails.

Cannot ping IPV6 host from device console task flowUse this task flow to restore the connectivity through IPv6.

Figure 88Task flow: Cannot ping IPV6 host from device console

Navigation

• "Displaying IPv6 neighbor information" (page 186)

• "Checking remote host integrity" (page 187)

Displaying IPv6 neighbor informationUse the procedure in this section to show the IPv6 neighbor information.


NN47205-700 02.0221 January 2009


.

Duplicate address detected (global IPv6 address) 187

Procedure Steps

Step Action

1 Use the show ipv6 neighbor <IPv6 address> command todisplay the details of the IPv6 neighbor.

2 Identify if the state is INCOMPLETE.

--End--

Checking remote host integrityUse the procedure in this section to check the IPv6 integrity of the remotehost.

Procedure Steps

Step Action

1 Use vendor documentation to ensure the remote host isconfigured correctly for IPv6.

2 Check cabling to ensure that no physical problem exists.

--End--

Duplicate address detected (global IPv6 address)The global address was found to be a duplicate, indicating that anothernode in the link scope already has the same address.

Duplicate address detected (global IPv6 address)Use this task flow to restore the connectivity through IPv6.


NN47205-700 02.0221 January 2009


.


Figure 89Task flow: Duplicate Address Detected (global IPv6 address)

Navigation

• "Displaying IPv6 neighbor information" (page 188)

• "Checking remote host integrity" (page 188)

Displaying IPv6 neighbor informationUse the procedure in this section to show the IPv6 neighbor information.

Procedure Steps

Step Action

1 Use the show ipv6 neighbor <IPv6 address> command todisplay the details of the IPv6 neighbor.

2 Identify if the state is INCOMPLETE.

--End--

Checking remote host integrityUse the procedure in this section to check the IPv6 integrity of the remotehost.


NN47205-700 02.0221 January 2009


.

Duplicate address detected (link-local address) 189

Procedure Steps

Step Action

1 Use vendor documentation to ensure the remote host isconfigured correctly for IPv6.

2 Check cabling to ensure that no physical problem exists.

--End--

Duplicate address detected (link-local address)The global address was found to be a duplicate, indicating that anothernode in the link scope already has the same address.

Duplicate address detected (link-local address)Use this task flow to restore the connectivity through IPv6.


NN47205-700 02.0221 January 2009


.


Figure 90Task flow: Duplicate Address Detected (link-local address)

Navigation


• "Viewing the system log" (page 191)

• "Changing the link-local address" (page 191)

Displaying IPv6 interface informationUse the procedure in this section to show the IPv6 interface information.


NN47205-700 02.0221 January 2009


.

Cannot connect through IPv6 default gateway 191

Procedure Steps

Step Action

1 Use the show ipv6 interface <IPv6 address> command todisplay the details of the IPv6 neighbor.

2 Identify if the state is UNKNOWN.

--End--

Viewing the system logUse the procedure in this section to view the system log.

Procedure Steps

Step Action

1 Use the show logging command to display the system log.

2 Identify an entry: "Duplicate address detection failed."

--End--

Changing the link-local addressUse the procedure in this section to change the 64-bit identifier for thelink-local address.

Procedure Steps

Step Action

1 Use the ipv6 interface link-local <IPv6 address>command to set the 64-bit identifier.

2 Use the show ipv6 interface command to view the interfacedetails.

3 Confirm that the unknown multicast address is displayed.

--End--

Cannot connect through IPv6 default gatewayThis taskflow assists you to correct connections from outside the localsubnet (routed) to or from the device through its IPv6 default gateway.

Cannot connect through IPv6 default gatewayUse this task flow to restore the connectivity through IPv6.


NN47205-700 02.0221 January 2009


.


Figure 91Task flow: Cannot connect through IPv6 default gateway

Navigation

• "Checking the IPV6 default gateway status" (page 192)

• "Pinging the IPv6 default gateway" (page 193)

• "Using traceroute to determine network error" (page 193)

Checking the IPV6 default gateway statusUse the procedure in this section to check the IPv6 default gateway status.

Procedure Steps

Step Action

1 Use the show ipv6 default-gateway command to displaythe status of the gateway.


NN47205-700 02.0221 January 2009


.

IPv6 management traffic is not sent/received as expected 193

2 Confirm that the status is ReachableInRtm.

--End--

Pinging the IPv6 default gatewayUse the procedure in this section to ping the default gateway.

Procedure Steps

Step Action

1 Use the ping <gaterway address> command to ping the64-bit address of the default gateway.

2 Identify if the host is reachable.

--End--

Using traceroute to determine network errorUse the procedure in this section to identify the route to the gateway.

Procedure Steps

Step Action

1 Use the traceroute <IPv6 address> command to identifythe route to the gateway.

2 Use the traceroute documentation to interpret the output.

--End--

IPv6 management traffic is not sent/received as expectedThis taskflow assists you to correct issues with IPv6 management trafficthat is not correctly sent or received.

IPv6 management traffic is not sent/received as expectedUse this task flow to correct issues with IPv6 management traffic that is notcorrectly sent or received.


NN47205-700 02.0221 January 2009


.


Figure 92Task flow: IPv6 management traffic is not sent/received as expected

Navigation

• "Checking the IPv6 configuration" (page 194)

• "Checking the IPv6 statistics" (page 195)

• "Checking the ICMPv6 statistics" (page 195)

Checking the IPv6 configurationUse the procedure in this section to check the IPv6 configuration.


NN47205-700 02.0221 January 2009


.

IPV6 telnet/http/ssh to device does not work 195

Procedure Steps

Step Action


--End--

Checking the IPv6 statisticsUse the procedure in this section to view the IPv6 statistics.

Procedure Steps

Step Action

1 Use the show ipv6 interface statistics command toshow the interface statistics.

2 Observe the command output.

--End--

Checking the ICMPv6 statisticsUse the procedure in this section to view the ICMPv6 statistics.

Procedure Steps

Step Action

1 Use the show ipv6 interface icmpstatistics commandto display the ICMPv6 statistics.


--End--

IPV6 telnet/http/ssh to device does not workThis taskflow assists you to correct IPv6 connectivity for Telnet, Web, orSSH protocols.

IPV6 telnet/http/ssh to device does not workUse this task flow to correct IPv6 connectivity for Telnet, Web, or SSHprotocols.


NN47205-700 02.0221 January 2009


.


Figure 93Task flow: IPV6 telnet/http/ssh to device does not work

Navigation


• "Checking TCP statistics " (page 197)



NN47205-700 02.0221 January 2009


.

UDPv6 communication does not work 197

Procedure Steps

Step Action


--End--

Checking TCP statisticsUse the procedure in this section to view the TCP statistics.

Procedure Steps

Step Action

1 Use the show ipv6 tcp command to show the TCP statistics.

2 Use the show ipv6 tcp connections command to show theTCP connections.

3 Use the show ipv6 tcp listener command to show the TCPlisteners.


--End--

UDPv6 communication does not workThis task flow assists you to correct UDPv6 connectivity issues.

UDPv6 communication does not workUse this task flow to correct IPv6 connectivity issues for Telnet, Web, orSSH protocols.


NN47205-700 02.0221 January 2009


.


Figure 94Task flow: UDPv6 communication does not work

Navigation


• "Checking UDP statistics " (page 199)

• "Checking if the application on the remote host supports UDPv6." (page199)



NN47205-700 02.0221 January 2009


.

Cannot set IPv6 address 199

Procedure Steps

Step Action

1 Use the show ipv6 global command to display IPv6configurations.

--End--

Checking UDP statisticsUse the procedure in this section to view the UDP statistics.

Procedure Steps

Step Action

1 Use the show ipv6 udp command to show the UDP statistics.

2 Use the show ipv6 udp endpoints command to show theUDP endpoints.


--End--

Checking if the application on the remote host supports UDPv6.Use the client documentation to ensure UDPv6 is enabled on the remotehost.

Cannot set IPv6 addressThis taskflow assists you when you set an IPv6 address and it fails withthe following reason: Max IPv6 addresses per interface exceeded.

Cannot set IPv6 addressThis task flow assists you when you set an IPv6 address and it fails withthe following reason: Max IPv6 addresses per interface exceeded.


NN47205-700 02.0221 January 2009


.


Figure 95Task flow: Cannot set IPv6 address

Navigation

• "Displaying the IPv6 address interface" (page 200)

• "Deleting the IPv6 address" (page 201)

• "Configuring new IPv6 address" (page 201)

• "Configuring new IPv6 gateway address" (page 201)

Displaying the IPv6 address interfaceUse the procedure in this section to display the IPv6 address interfaceinformation.


NN47205-700 02.0221 January 2009


.

Cannot set IPv6 address 201

Procedure Steps

Step Action

1 Use the show ipv6 address interface command to displaythe IPv6 address interface information.

--End--

Deleting the IPv6 addressUse the procedure in this section to delete the IPv6 address.

Procedure Steps

Step Action

1 Use the no ipv6 interface address <IPv6 address>command to delete the IPv6 address.


--End--

Configuring new IPv6 addressUse the procedure in this section to configure a new IPv6 address.

Procedure Steps

Step Action

1 Use the ipv6 address <IPv6 address> command toconfigure the IPv6 address.


--End--

Configuring new IPv6 gateway addressUse the procedure in this section to configure a new gateway IPv6address.

Procedure Steps

Step Action

1 Use the ipv6 default-gateway <IPv6 address> commandto configure the gateway IPv6 address.


NN47205-700 02.0221 January 2009


.



--End--


NN47205-700 02.0221 January 2009


.

203.

Troubleshooting XFP/SFPThis sections assists you to resolve a problem detecting supported XFPor SFPdevices.

Troubleshooting XFP/SFP workflowThe following workflow assists you to resolve issues related to detectingSFPs or XFPs.

Figure 96Work flow: Troubleshooting XFP/SFP

Navigation

• "Troubleshooting XFP/SFP" (page 203)

XFP/SFP device not detectedThis section describes how you can ensure an XFP or SFP device isconnected.

XFP/SFP device not detected task flowThis following task flow steps you through the procedures to ensure anXFP or SFP device is connected.


NN47205-700 02.0221 January 2009


.

204 Troubleshooting XFP/SFP

Figure 97Task flow: XFP/SFP device not detected

Navigation

• "Confirming device is supported" (page 205)

• "Understanding limitations of some SFPs" (page 205)

• "Viewing GBIC details" (page 205)

• "Replacing device" (page 206)


NN47205-700 02.0221 January 2009


.

XFP/SFP device not detected 205

Confirming device is supportedSee the following XFP and SFP documentation to confirm that the deviceis supported on the switch:

• Nortel Ethernet Routing Switch 4500 Series Installation — SFPs andXFPs (NN47205-301)

• Nortel Ethernet Routing Switch 4500 Series Release 5.2 ReleaseNotes (NN47205-400)

Understanding limitations of some SFPsUse this procedure to understand some limitations regarding unsupportedXFPs or SFPs.

Procedure Steps

Step Action

1 Use the show stack-info command to display deviceinformation.

2 Use the show interfaces gbic-info command to displaydevice information.

3 Confirm that SFP AA1419075-E6 1-port T1 SFP andAA1419074-E6 1-port 100Base-FX SFP is only connected to a4526T, 4526T-PWR, 4526FX, 4524GT, 4550T , or 4550T-PWR.

--End--

Viewing GBIC detailsUse this procedure to display the GBIC device details.

Procedure Steps

Step Action

1 Enter Global configuration mode.

2 Use the show interfaces gbic-info command to viewdevice information.

3 Use the show interfaces gbic-info port <port number>command to view device information for a specific port.

4 Use Web-based management to view device information bynavigating to Summary, Switch Information, Pluggable Port

5 Identify any unsupported devices.

--End--


NN47205-700 02.0221 January 2009


.

206 Troubleshooting XFP/SFP

Replacing deviceUse this procedure to replace a device.

Procedure Steps

Step Action

1 See XFP and SFP documentation to familiarize yourself with theinstallation instructions.

2 Connect the SFP or XFP to a different SFP or XFP cage.

--End--


NN47205-700 02.0221 January 2009


.

207.

Troubleshooting IGMPThis sections assists you to resolve multicast flooding issues.

Troubleshooting IGMP workflowThe following workflow assists you to resolve multicast flooding.

Navigation

• "Multicast packets flooding network" (page 207)

• "Multicast packets not flooding network" (page 211)

Multicast packets flooding networkThis section describes how you can disable multicast flooding on anetwork.

Multicast packets flooding network task flowThe following task flow steps you through the procedures to disablemulticast flooding on the network.


NN47205-700 02.0221 January 2009


.

208 Troubleshooting IGMP

Figure 98Task flow: Multicast packets flooding network

Navigation

• "Viewing IGMP snoop settings" (page 208)

• "Viewing IGMP multicast groups" (page 209)

• "Showing settings for flooding multicast packets " (page 210)

• "Disabling multicast packets" (page 211)

Viewing IGMP snoop settingsUse this procedure to display general information about IGMP snooping ina specific VLAN.


NN47205-700 02.0221 January 2009


.

Multicast packets flooding network 209

Procedure Steps

Step Action

1 Use the show vlan igmp [vlan ID <value>] command todisplay the information.

2 Observe the displayed information.

--End--

Variable definitions

Variable Definition

vlan ID <value> Specifies the VLAN ID between 1 and 4094.

Job aidThe following table describes the output of the command.

Field Description

Snooping Indicates the status of snooping as eitherenable or disable. Default is disable.

Proxy Indicates the status of igmp proxy. Disabledproxy will allow forwarding of all received hostreports. Default is disable.

Robust Value Indicates how many times a membership queryis sent before a host connection is aged out.The default is 2.

Query Time Indicates how fast a router or a host connectionis aged out. The larger the interval, the longerthe wait. Default is 125 seconds. Age out timeequals “Query Time” times “Robust Value”.

IGMPv1 static Router Ports Indicates the v1 static router ports (set by you)that receive all multicast streams in the VLAN.Static router ports(v1 or v2) never expire.

IGMPv2 static Router Ports Indicates the v2 static router ports (set by you)that receive all multicast streams in the VLAN.

Viewing IGMP multicast groupsUse this procedure to display general information about IGMP snooping ina specific VLAN.

Procedure Steps

Step Action

1 Use the show vlan multicast membership [vlan ID<value>] command to display the information.


NN47205-700 02.0221 January 2009


.



--End--


Variable Definition



Field Description

Number of groups Indicates the number of multicast groupslearned between 0 and 512.

Multicast Group Address Specifies the group IP of a multicast group inthe format a.b.c.d.

Unit Indicates the unit where the group has beenlearned.

Port Indicates the port on which the group has beenlearned.

Showing settings for flooding multicast packetsUse this procedure to display the settings for flooding packets withunknown multicast addresses and the list of multicast MAC addresses forwhich flooding is allowed.

Procedure Steps

Step Action

1 Use the show vlan unknown-mcast-no-flood command toshow unknown multicast flooding status.

2 Use the show vlan igmp unknown-mcast-allow-floodcommand to show multicast addresses.

--End--

Job aidThe following table describes the output of the show vlan igmpunknown-mcast-allow-flood command.


NN47205-700 02.0221 January 2009


.

Multicast packets not flooding network 211

Field Description

Unknown Multicast No-Flood Indicates whether flooding packets withunknown multicast address (addresses forwhich no groups are created) is enabled ordisabled. When it is enabled, all packets thathave as destination a multicast MAC addressfor which an IGMP group is not created arediscarded. Otherwise, if this option is disabled,the unknown multicast traffic is forwarded on allports. Default is disabled.

Job aidThe following table describes the output of the show vlan igmpunknown-mcast-no-flood command.

Field Description

Allowed Multicast Addresses Indicates the MAC addresses for which themulticast traffic is not pruned when the optionigmp unknown-mcast-no-flood is enabled.

Disabling multicast packetsUse this procedure to disable the multicast flooding.

Procedure Steps

Step Action

1 Use the unknown-mcast-no-flood command to disablemulticast flooding.


--End--

Multicast packets not flooding networkThis section describes how you can enable multicast flooding on anetwork.

Multicast packets not flooding network task flowThe following task flow steps you through the procedures to enablemulticast flooding on the network.


NN47205-700 02.0221 January 2009


.


Figure 99Task flow: Multicast packets not flooding network

Navigation

• "Viewing IGMP snoop settings" (page 212)

• "Viewing IGMP multicast groups" (page 213)

• "Showing settings for flooding multicast packets " (page 214)

• "Enabling multicast packets" (page 215)

Viewing IGMP snoop settingsUse this procedure to display general information about IGMP snooping ina specific VLAN.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the show vlan igmp [vlan ID <value>] command todisplay the information.


--End--


Variable Definition



Field Description

Snooping Indicates the status of snooping as eitherenable or disable. Default is disable.

Proxy Indicates the status of igmp proxy. Disabledproxy will allow forwarding all received hostreports. Default is disable.

Robust Value Indicates how many times a membership querywill be sent before a host connection is agedout. The default is 2.

Query Time Indicates how fast a router or a host connectionis aged out. The larger the interval, the longerthe wait. Default is 125 seconds. Age out timeequals “Query Time” times “Robust Value”.

IGMPv1 static Router Ports Indicates the v1 static router ports (set by you)that receive all multicast streams in the VLAN.Static router ports(v1 or v2) never expire.

IGMPv2 static Router Ports Indicates the v2 static router ports (set by you)that receive all multicast streams in the VLAN.

Viewing IGMP multicast groupsUse this procedure to display general information about IGMP snooping ina specific VLAN.

Procedure Steps

Step Action

1 Use the show vlan multicast membership [vlan ID<value>] command to display the information.


NN47205-700 02.0221 January 2009


.



--End--


Variable Definition



Field Description

Number of groups Indicates the number of multicast groupslearned between 0 and 512.

Multicast Group Address Specifies the group IP of a multicast group inthe format a.b.c.d.

Unit Indicates the unit where the group has beenlearned.

Port Indicates the port on which the group has beenlearned.

Showing settings for flooding multicast packetsUse this procedure to display the setting for flooding packets with unknownmulticast addresses and the list of multicast MAC addresses for whichflooding is allowed.

Procedure Steps

Step Action

1 Use the show vlan unknown-mcast-no-flood command toshow unknown multicast flooding status.

2 Use the show vlan igmp unknown-mcast-allow-floodcommand to show multicast addresses.

--End--

Job aidThe following table describes the output of the show vlan igmpunknown-mcast-allow-flood command.


NN47205-700 02.0221 January 2009


.


Field Description

Unknown Multicast No-Flood Indicates whether flooding packets withunknown multicast address (addresses forwhich no groups are created) is enabled ordisabled. When it is enabled, all packets thathave as destination a multicast MAC addressfor which an IGMP group is not created arediscarded. Otherwise, if this option is disabled,the unknown multicast traffic is forwarded on allports. Default is disabled.

Job aidThe following table describes the output of the show vlan igmpunknown-mcast-no-flood command.

Field Description

Allowed Multicast Addresses Indicates the MAC addresses for which themulticast traffic is not pruned when the optionigmp unknown-mcast-no-flood is enabled.

Enabling multicast packetsUse this procedure to enable the multicast flooding.

Procedure Steps

Step Action

1 Use the unknown-mcast-allow-flood command to enablemulticast flooding.


--End--


NN47205-700 02.0221 January 2009


.



NN47205-700 02.0221 January 2009


.

217.

Troubleshooting RSTP SNMP trapsThe Rapid Spanning Tree Protocol (RSTP) SNMP traps feature providesthe ability to receive SNMP notification about the RSTP protocol. Theseevents are also logged to syslog.

Troubleshooting RSTP SNMP traps workflowThe following workflow assists you to resolve RSTP trap issues.

Figure 100Work flow: Troubleshooting RSTP SNMP traps

Navigation• "No RSTP SNMP traps are received" (page 217)

No RSTP SNMP traps are receivedUse this task flow to help you ensure that RSTP SNMP traps are received.

No RSTP SNMP traps are received task flowThe following task flow helps you to ensure that RSTP SNMP traps arereceived.


NN47205-700 02.0221 January 2009


.

218 Troubleshooting RSTP SNMP traps

Figure 101Task flow: No RSTP SNMP traps are received


NN47205-700 02.0221 January 2009


.

No RSTP SNMP traps are received 219

Navigation

• "Viewing RSTP configuration" (page 219)

• "Enabling RSTP traps" (page 219)

• "Viewing IP manager configuration" (page 220)

• "Enabling SNMP" (page 220)

• "Viewing trap receiver configuration" (page 220)

• "Configuring SNMPv1 trap receiver" (page 221)



Viewing RSTP configurationUse the procedure in this section to view the existing RSTP configuration.

Procedure Steps

Step Action

1 Use the show spanning-tree rstp config command todisplay the RSTP configuration.


--End--

Job aidThe following is an example of output from the command.

Priority (hex): 8000

Stp Version: Rstp Mode

Bridge Max Age Time: 20 seconds

Bridge Hello Time:2 seconds

Bridge Forward Delay Time: 15 seconds

Tx Hold Count: 3

Path Cost Default Type: 32-bit

STP Traps: Disabled

Enabling RSTP trapsUse the procedure in this section to enable RSTP traps.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Use the spanning-tree rstp traps command to enableRSTP traps.


--End--

Viewing IP manager configurationUse the procedure in this section to display the IP manager configuration.

Procedure Steps

Step Action

1 Use the show ipmgr command to view the IP managerconfiguration.


--End--

Job aidThe following is an example of output from the command.

TELNET Access: Enabled

SNMP Access: Disabled

WEB Access: Enabled

SSH Access: Enabled

Enabling SNMPUse the procedure in this section to enable SNMP.

Procedure Steps

Step Action

1 Use the snmp-server enable command to enable SNMP.


--End--

Viewing trap receiver configurationUse the procedure in this section to display the trap receiver configuration.


NN47205-700 02.0221 January 2009


.

No RSTP SNMP traps are received 221

Procedure Steps

Step Action

1 Use the show snmp-server host command to view the trapreceiver configuration.


--End--

Configuring SNMPv1 trap receiverUse the procedure in this section to configure an SNMPv1 trap receiver.

Procedure Steps

Step Action

1 Use the snmp-server host <IP Address> public commandto configure the SNMPv1 trap receiver.


--End--


Variable Definition

IP address IPv4 address of the server host


Procedure Steps

Step Action

1 Use the snmp-server community notify-view nnclicommand to configure the community string.

2 When prompted, enter and confirm the community string.

3 Use the snmp-server host <IP address> v2c <string>command to configure the community string.

--End--


NN47205-700 02.0221 January 2009


.



Variable Definition


string The community string that has been defined forsending SNMPv2c traps


Procedure Steps

Step Action

1 Use the snmp-server user trapuser notify-view nnclicommand to configure the trap user.

2 Use the snmp-server host <IP address> v3 no-auth<user> command to configure the community string.

--End--


Variable Definition


user The user that has been defined for sendingSNMPv3 traps


NN47205-700 02.0221 January 2009


.

223.

Troubleshooting DHCP/BootP relayBootp/DHCP Relay serves the purpose of IP configuration for Bootp/DHCPclients that do not have a BootP/DHCP Server configured in the samesubnet.

Troubleshooting DHCP/BootP relay work flowThe following workflow helps you to identify some common issues.

Figure 102Work flow: Troubleshooting DHCP/BootP relay

Navigation• "Cannot set the forward path" (page 224)

• "Bootp/DHCP requests from clients do not reach Bootp/DHCP server"(page 225)

• "Bootp/DHCP replies from server do not reach Bootp/DHCP clients"(page 232)


NN47205-700 02.0221 January 2009


.

224 Troubleshooting DHCP/BootP relay

Cannot set the forward pathThis task flow assists you to resolve the following error message if itappears:

•% Cannot modify settings% Error agent/server does not exist

Cannot set the forward path task flowThe following task flow helps you to verify that the relay agent IP addressis the same as the one configured on the VLAN where relay is performed.

Figure 103Task flow: Cannot set the forward path

Navigation

• "Viewing VLAN IP information" (page 224)

Viewing VLAN IP informationUse this procedure to verify that the relay agent IP address from theforward path command is the same as the one on the VLAN where relay isto be performed.

Procedure Steps

Step Action

1 Use the show vlan ip command to display the information.


NN47205-700 02.0221 January 2009


.

Bootp/DHCP requests from clients do not reach Bootp/DHCP server 225

2 Verify that the relay agent IP address from the forward pathcommand is the same as the one on the VLAN where relay is tobe performed.

--End--

Bootp/DHCP requests from clients do not reach Bootp/DHCPserver

This section assists you to identify and correct connectivity issues betweena client and the DHCP or BootP server.

Bootp/DHCP requests from clients do not reach Bootp/DHCP servertask flow

The following task flow identifies the procedures to identify and correctconnectivity issues between a client and the DHCP or BootP server.


NN47205-700 02.0221 January 2009


.


Figure 104Task flow: Bootp/DHCP requests from clients do not reach Bootp/DHCP server


NN47205-700 02.0221 January 2009


.


Navigation

• "Viewing IP routing information" (page 228)

• "Enabling IP routing globally" (page 228)

• "Viewing VLAN information" (page 228)


NN47205-700 02.0221 January 2009


.


• "Enabling IP routing on VLAN" (page 229)

• "Viewing IP static routes" (page 229)

• "Configuring IP route" (page 230)

• "Viewing global relay setting" (page 230)

• "Enabling global relay" (page 230)

• "Viewing VLAN relay information" (page 230)

• "Enabling VLAN relay" (page 231)

• "Viewing forward path settings" (page 231)

• "Enabling the forward path" (page 231)

• "Selecting the forward path mode" (page 232)

Viewing IP routing informationUse the procedure in this section to view IP routing information.

Procedure Steps

Step Action

1 Enter the show ip routing command to view IP routinginformation.

2 Identify that IP routing is enabled.

--End--

Enabling IP routing globallyUse the procedure in this section to enable IP routing globally.

Procedure Steps

Step Action

1 Enter the ip routing command to enable IP routing globally.

2 Enter the show ip routing command to confirm that global IProuting is now enabled.

--End--

Viewing VLAN informationUse the procedure in this section to view VLAN information.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Enter the show vlan ip command to view VLAN information.

2 Verify that the interfaces are enabled under the Offset Routingcolumn.

--End--

Enabling IP routing on VLANUse the procedure in this section to enable IP routing on a VLAN.

Procedure Steps

Step Action

1 Enter the interface vlan <VLANID> command to select theVLAN interface to be modified.

2 Enter the ip routing command to enable IP routing on theinterface.

--End--


Variable Definition

VLANID Unique ID of the VLAN

Viewing IP static routesUse the procedure in this section when the server is not connected to thesame Ethernet Routing Switch and configure a client with static IP forconnectivity purposes. From that client, ping the server. If the ICMP echorequests do not reach the server, verify that a route is configured on theswitch for the server.

Procedure Steps

Step Action

1 Enter the show ip route static command to display the IPstatic route information.


--End--


NN47205-700 02.0221 January 2009


.


Configuring IP routeUse the procedure in this section to configure the IP route.

Procedure Steps

Step Action

1 Enter the ip route <server.ip.address.class><netmask> <next.hop.ip.address> <cost> command toconfigure the IP route.


--End--

Viewing global relay settingUse the procedure in this section to view the global relay configuration.

Procedure Steps

Step Action

1 Enter the show ip dhcp-relay command to display the globalrelay configuration.

2 Observe the command output and confirm DHCP relay isenabled.

--End--

Enabling global relayUse the procedure in this section to enable DHCP relay globally.

Procedure Steps

Step Action

1 Enter the ip dhcp-relay command to enable DHCP relayglobally.


--End--

Viewing VLAN relay informationUse the procedure in this section to display the VLAN relay configuration.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Enter the show vlan dhcp-relay command to display theVLAN relay configuration.


--End--

Enabling VLAN relayUse the procedure in this section to enable VLAN relay.

Procedure Steps

Step Action

1 Enter the interface vlan <VLANID> command to select theVLAN interface to be modified.

2 Enter the ip dhcp-relay command to enable DHCP relay onthe interface.

--End--


Variable Definition

VLANID Unique ID of the VLAN

Viewing forward path settingsUse the procedure in this section to display the forward path settings.

Procedure Steps

Step Action

1 Enter the show ip dhcp-relay fwd-path command to displaythe forward path configuration.

2 Ensure that the interface is enabled.

--End--

Enabling the forward pathUse the procedure in this section to enable the forward path.


NN47205-700 02.0221 January 2009


.


Procedure Steps

Step Action

1 Enter the ip dhcp-relay fwd-path <interface address><server address> enable command to enable the forwardpath.


--End--


Variable Definition

interface address IPv4 address of the interface

server address IPv4 address of the server

Selecting the forward path modeUse the procedure in this section to configure the forward path mode.

Procedure Steps

Step Action

1 Enter the ip dhcp-relay fwd-path <interface address><server address> mode [boot | dhcp | boot-dhcp]command to configure the forward path mode.


--End--


Variable Definition

interface address IPv4 address of the interface

server address IPv4 address of the server

Bootp/DHCP replies from server do not reach Bootp/DHCP clientsThis section helps you to resolve issues related to Bootp/DHCP repliesfrom the server that do not reach Bootp/DHCP clients.

Bootp/DHCP replies from server do not reach Bootp/DHCP clients taskflow

The following task flow identifies the procedure to resolve issues related toBootp/DHCP replies from the server that do not reach Bootp/DHCP clients.


NN47205-700 02.0221 January 2009


.

Bootp/DHCP replies from server do not reach Bootp/DHCP clients 233

Figure 105Task flow: Bootp/DHCP replies from server do not reach Bootp/DHCP clients

Navigation

• "Verifying IP connectivity between server and client" (page 233)

Verifying IP connectivity between server and clientUse the procedure in this section to verify the connectivity between theDHCP server and its client.

Prerequisites

• The server is not connected to the same Ethernet Routing Switch.

Procedure Steps

Step Action

1 Use the show ip route static command to ensure ICMPrequests from the client reach the server.

2 From the server, ping the client configured with a static IPaddress.

3 Verify that a route is configured on the server and the routepoints to the subnet of the client.

4 Using the server documentation, configure the route if it does notexist.

--End--


NN47205-700 02.0221 January 2009


.



NN47205-700 02.0221 January 2009


.

Nortel Ethernet Routing Switch 4500 Series

TroubleshootingCopyright © 2007-2009 Nortel NetworksAll Rights Reserved.

Printed in Canada and the United States of AmericaRelease: 5.2Publication: NN47205-700Document revision: 02.02Document release date: 21 January 2009

To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback.

www.nortel.com

LEGAL NOTICEWhile the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writingNORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESSOR IMPLIED. The information and/or products described in this document are subject to change without notice.

*Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks are the property of their respective owners.

.

Documents

Troubleshooting - Nortel