TroubleshootingNetwork Extenders

Zhone IPD Troubleshooting

TNE / ENE Questions?Unable to login Remote TNE / ENE

• 1)The first thing to verify is that you have the correct default gateway configured in the TNE / ENE unit.

• 2)Can you get web access to the unit from the Ethernet ports of the TNE / ENE unit?

• 3) Is this the only TNE unit that you can't access?• 4) Do you have other TNE units that you can web into?• 5) Are you trying to access the TNE through the T1 ports?• 6) If you can't access any other units, do you have a firewall

between you and the TNE unit?• 7) Do you have a duplicate IP address in your network?• 8) What is the IP address, mask, and gateway of the TNE?• 9) If you can get access to the ethernet ports of the TNE and can

access web management from there, can you send me the nvr_backup file from the unit? To get this file, you need to tftp it.

• 10)The command is: tftp -i 192.168.254.252 get nvr_backup.bin.Password where the IP address is the address of your TNE unit, and the Password is your superuser password for the unit.

IPD Performance Issues with TNEs:

• If performance is really bad…• 1.On TNExxxx or other network extender:• Check provider vs subscriber setup. On the TIM1500

card this is set to Provider, so the endpoint has to be Subscriber.

• Any upgrades or modifications to this unit recently? • Check TIM1500 line card and check for dropped

packets. Look at line rates.• Are other TNEs doing this?• Check code level. Try a downgrade if recently upgraded.

%Utilization, Rate, Max, Ave,Packet Count, Octet Count• WAN Non-Unicast RX• WAN Non-Unicast TX• WAN Unicast RX• WAN Unicast TX

%Utilization and Rate • Total RX• Total TX

Loop detect – Count, MAC, Loc.

• Up Time (Slot and Port)• Down Time & Link Down Count• Total Link Up and Down Time• Near End RSI (ADSL/ADSL2+)• Far End RSI (ADSL/ADSL2+)• WAN Error Count Rx• Dropped Pkts Tx Overflow• Packet Drop from Config

Port Level Statistics

IPD Management Dropped packets explained:

• The Statistics Information page of a DSL port displays information about the DSL port. The Stats counters will never reset unless you clear them with the reset button or reset the BSX or management card.

• The [WAN Error Count RX] is any packet that is being dropped on the DSL line from the modem to the Access card. Ex: AIM24000-48

• The [Dropped Packets TX Overflow] are packets that are dropped if there is more ethernet traffic than the DSL port can forward. Ex: If your DSL port is set to 1Mb in the downstream direction and you try to send 2Mbs of data, you will see the TX Overflow increment.

• The [Dropped Packet Count] is the total number of packets that were dropped due to the 9 reasons listed below it on the Stats screen. The counters will roll over to 0 once they hit the maximum 4,294,967,295 which is the decimal equivalent of 32 bits or 1’s (1111111111111111111111111111111) binary.

• Dropped packet Counts Explained:• Definitions:• Ingress - An Ingress packet are packets that are coming from the modem to the

Access card.• Egress – Packets that are coming from the network or Uplink and going to the

modem.

IPD Management Dropped packets explained:

• Protocol Filter Ingress: Packets that are dropped from the modem because they don’t fall within the Protocol filter setting(s) on the Configuration page for that port. Ex: If 0800 and 0806 are set, all other traffic types will be dropped

• Protocol Filter Egress: Packets that are being dropped from the core of the network to the modem because they don’t conform to the Protocol filter that was set.

• IP Range (Ingress): Packets from the modem are dropped if they don’t fall into any of the 4 IP Filter Ranges that are available

• QoS VLAN Config ingress: Packets coming from the modem that do NOT fall into any QoS VLAN Rule. With the release of firmware 1.02.02 on the BSX card, limiting the Unlearned unicast, broadcast, and multicast traffic will also increment this counter if the value set is exceeded.

• QoS VLAN Config Egress: Packets coming from the network to the modem that do NOT fall into any QoS VLAN rule. With the release of firmware 1.02.02 on the BSX card, limiting the Unlearned unicast, broadcast, and multicast traffic will also increment this counter if the value set is exceeded.

IPD Management Dropped packets explained:

• QoS VLAN Config Egress: Packets coming from the network to the modem that do NOT fall into any QoS VLAN rule. With the release of firmware 1.02.02 on the BSX card, limiting the Unlearned unicast, broadcast, and multicast traffic will also increment this counter if the value set is exceeded.

• Database trusted/untrusted violation: If a Loop is detected in the chassis this box will be checked. A packet coming from the network is considered “Trusted” and traffic coming from a modem is “Untrusted” If a trusted MAC address (coming from the Network) moves to a DSL port (Untrusted), it will be blocked for a minimum of 5 minutes and will increment the “Dropped packet” counter for every packet from that source MAC address. Only the MAC address that is looped will be blocked and not be able to be forwarded to the backplane. A hard loop facing a T1 port in the DSLAM for example will cause all packets to be dropped on that port.

• Database – layer 2 port filter static or dynamic mac violation: If a MAC filter is configured on a port this box will be checked if an unauthorized MAC address enters the port

• Database – static mac moved from a configured port: This box will be checked if the MAC Address from a configured port moves to another DSL port.

• Other drop reason: Line errors or a port dropping link can cause this box to be checked.

Duplicate MAC & Network Loop Detection and Prevention

• When a source MAC address has been learned on an uplink port, that same MAC will not be allowed to source traffic from a DSL or T1/E1 subscriber port until the MAC has aged from the uplink (MAC is aged from the port 5 minutes after it has last sourced traffic). When a source MAC is learned on a DSL or T1/E1 subscriber port and then on an uplink port, the uplink port is always trusted over the subscriber port, disallowing that MAC from transmitting traffic from the subscriber port until it has aged from the uplink (5 minutes).

• A source MAC address defined in the L2 Filters table of one subscriber port will not be allowed to source traffic from any other subscriber port until the L2 filter entry is deleted.

• Learned source MAC addresses which are NOT defined in any subscriber L2 filter tables are allowed to move freely between subscriber ports on the same line card. Learned source MAC addresses not defined in any subscriber L2 filter tables are allowed to move between different line card subscriber ports as long as the source MAC has not been flooded between line cards from “VLAN Flood” or the source MAC is transmitting to an unknown destination – This causes the source MAC to be learned on the line card backplane connection (or uplink).

Duplicate MAC & Network Loop Detection and Prevention

• When two subscriber ports are accidentally bridged together or some other type of adverse condition creates or simulates a “network loop,” where a source MAC address is learned from multiple locations, the same logic mentioned above will occur:

A. If the source MAC is duplicated on subscriber ports, but not learned on an uplink port, the MAC is allowed to source traffic from the first learned subscriber port, but not on the second learned subscriber port until it has aged from the first.

B. If the source MAC is learned on both a subscriber port and an uplink port, the MAC is allowed to source traffic from the uplink but not from the subscriber port until it has aged from the uplink.

• Source MAC address duplication will cause an SNMP trap to be sent (if snmpSecurity_Events Trap is enabled) and the port LED in web management to change to “orange,” indicating a MAC movement/duplication violation where traffic from the duplicated source MAC has been blocked. The “SNMP Trap,” “Diagnostics Loop Detect/MAC Movement Summary,” and “Port Statistics” indicate the “orange LED” slot and port, the number of times packets have been dropped due to the violation, and the valid slot/port location of the source MAC address. The port LED will remain “orange” in web management until the port statistics have been reset AND the duplicate MAC stops sourcing traffic until it has aged from the original port.

Duplicate MAC & Network Loop• The slot/port location is only meaningful when the valid location of the source MAC is

on another subscriber port. When the valid location of the source MAC is located on an uplink port, the slot/port will indicate the slot of the violated MAC and the backplane port number of the violated MAC (a port number higher than the number of front panel ports available for that slot).

protocol filter ingress packet received by BLC subscriber port dropped from protocol filter match/mismatch.

protocol filter egress packet destined out BLC subscriber port dropped from protocol filter match/mismatch.

IP range (ingress) packet received by BLC subscriber port dropped from IP filter mismatch.QoS VLAN config ingress packet received by BLC subscriber port dropped because incoming VLAN

tag does not match port VLAN configurationQoS VLAN config egress packet destined out BLC subscriber port dropped because VLAN tag does

not match port VLAN configurationDatabase trusted/untrusted violation source MAC address learned on BLC uplink has also been

learned on the subscriber port. Traffic originating from this source MAC on this subscriber port will be dropped until the MAC has been aged from the BLC uplink port (5 minute age time). The purpose of this feature is to prevent subscribers from spoofing the MAC addresses of important network resources (such as default gateway and servers).

Database – static mac moved from a configured port a MAC address defined in a layer 2 port filter has been learned on a port other than the one where the layer 2 port filter has been defined. This source MAC will not be allowed to transmit on any subscriber port other than the one where the filter for this particular MAC has been defined.

Other drop reason packets dropped during DSL link up or there is no destination for the packet

IPD12000/4000 Traffic Flow

• SUBSCRIBER PORT to UPLINK PORT (Default)• By default, all subscriber traffic entering the line card (DSL or

T1/E1), gets forwarded out the [BSX8000-5] uplink ports only. No communication takes place between line card subscriber ports. Traffic entering the BSX8000-5 uplink ports with a known (learned) destination address only gets forwarded to the subscriber port of that address. Traffic with an unknown destination address and broadcast traffic entering the BSX8000-5 uplink port gets forwarded to all subscriber ports. If 802.1q VLAN tagging is used, this unknown and broadcast traffic only gets forwarded to subscriber ports configured with a matching VLAN ID. By default, all VLAN tagged traffic and untagged traffic is allowed to pass through all uplink ports.

IPD12000/4000 Traffic Flow

• SUBSCRIBER PORT to SUBSCRIBER PORT and UPLINK PORT• The line card ports may be configured to override this default behavior to allow communication

between subscriber ports using a feature called “VLAN Flood.” Groups of subscriber ports may be configured with a common VLAN ID with the VLAN mode set to “VLAN Flood.” This allows communication between subscriber ports configured with the same VLAN ID AND to the [BSX8000-5] uplink ports.

Enable “VLAN Flood” for Subscriber-to-Subscriber Traffic

IPD12000/4000 Traffic Flow• SUBSCRIBER PORT to SUBSCRIBER PORT but NOT to UPLINK PORT• If it is desirable to allow communication between subscriber ports, but not to the uplink ports,

“VLAN Flood” may be enabled as described in the previous slide, and the BSX8000-5 uplink ports may be configured to “disallow” specified VLAN IDs on a port-by-port basis.

Uplink VLAN Membership Configuration

Backups & New Code Upgrades• Check code release and what is the size of the file? To upgrade the

IPD unit, you need a TFTP client, not a server.

• > tftp -i 192.168.254.252 get nvr_backup.bin.Password • where the IP address is the address of your IPD unit, and the Password is

your superuser password for the unit.

• Do you use the command " get nvr_backup.bin.Password to get the backup file?

• If you used the command "get nvr_cfg.bin.Password, this would not save the

management configurations such as the IP address and subnet mask. • Example of TFTP on PC:• If you have a Windows PC the command to use is:• tftp -i 192.168.254.252 put c:\ethX_01_01.bin where the IP

address is the IP of the ETHX box and the ethx1_01_01.bin is the filename.