No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

ME60 Troubleshooting Guide V1.0 (VRPv8)

This document provides the maintenance guide of the device, including daily maintenance, emergence maintenance, and typical troubleshooting.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Local Attack Defense Troubleshooting

Local Attack Defense Troubleshooting

This chapter describes common causes of local attack defense faults, and provides the corresponding troubleshooting flowcharts, troubleshooting procedures, alarms, and logs.

Management Plane Protection Malfunctions

This chapter describes common causes of management plane protection malfunctions, and provides the corresponding troubleshooting flowcharts and examples.

Common Causes

This fault is commonly caused by an incorrect protection policy for the management plane.

Troubleshooting Procedure

NOTE:

After the commands are configured to troubleshoot the faults, check the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to immediate validation mode.

  • In immediate validation mode, the configurations take effect after the commands are entered.
  • In two-phase validation mode, after the commands are configured, the commit command needs to be run to commit the configurations.

Save the results of each troubleshooting step so that if your troubleshooting attempts fail to correct the fault, you will have a record of your actions to present to Huawei.

Procedure

  1. Check whether any protocol packets are discarded.

    Run the display cpu-defend ma-defend statistics [ slot slot-id ] command to view the statistics about the management plane, and check whether any packets of certain protocols are discarded.

    • If some packets are discarded, go to Step 2.

    • If no protocol packets are discarded, the security module of the device functions properly. If this is the case, contact Huawei.

  2. Check whether the interface-level policy for management plane protection is applied on the management interface.

    Run the display this command in the management interface view to check whether the interface-level policy for management plane protection is applied on the management interface.

    • If the interface-level policy is applied, run the display ma-defend interface-policy interface-policy-id command based on the ID of the interface-level policy to check whether the protocol command is configured with deny, which causes a failure in sending protocol packets to the CPU.

      • If deny is configured, packets cannot be sent to the CPU. If packets must be sent to the CPU, run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } { permit | deny } command in the view of interface-level management plane protection to change deny to permit.

      • If permit is configured, but the protocol packets still cannot be sent to the CPU, contact Huawei.

    • If the interface-level policy for management plane protection is not applied on the management interface, perform Step 2 to check whether the slot-level policy for management plane protection is applied.

  3. Check whether the slot-level policy for management plane protection is applied on the interface board where the management interface resides.

    Run the display this command in the slot view to check whether the slot-level policy for management plane protection is applied on the management interface.

    • If the slot-level policy is applied, run the display ma-defend slot-policy slot-policy-id command based on the ID of the slot-level policy to check whether check the protocol command is configured with deny, which causes a failure in sending protocol packets to the CPU.

      • If deny is configured, packets cannot be sent to the CPU. If packets must be sent to the CPU, run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } permit command in the view of slot-level management plane protection to change deny to permit.

      • If permit is configured, but the protocol packets still cannot be sent to the CPU, contact Huawei.

    • If the slot-level policy for management plane protection is not applied on the management interface, perform Step 2 to check whether the global policy for management plane protection is applied.

  4. Check whether the global policy for management plane protection is applied on the management interface.

    Run the display ma-defend global-policy command to check whether the global policy for management plane protection is applied on the management interface.

    • If the global policy for management plane protection is applied, run the display ma-defend global-policy command to check whether the protocol command is configured with deny, which causes a failure in sending protocol packets to the CPU.

      • If deny is configured, packets cannot be sent to the CPU. If packets must be sent to the CPU, run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } permit command in the view of global management plane protection to change deny to permit.

      • If permit is configured, but the protocol packets still cannot be sent to the CPU, contact Huawei.

    • If the global policy for management plane protection is not applied, management plane protection is not configured. In this situation, management packets are still intercepted, which indicates that the system is faulty. For help on rectifying the fault, contact Huawei.

    After these operations are performed, if management packets still cannot be sent to the CPU, contact Huawei.

Relevant Alarms and Logs

Relevant Alarms

None

Relevant Logs

None

Translation
Download
Updated: 2019-06-11

Document ID: EDOC1000175918

Views: 13648

Downloads: 257

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next