Hi dear friends,
This time, I will share a case about the failure of configuring the IPTV service.
Issue description
The IPTV service of a newly created user on the MA5800 is unavailable. The ONT has been replaced twice for this new user, but the fault persists after each replacement. The on-site startup progress stalls at 50%.
Possible causes:
1. The data configuration is incorrect.
2. The upper-layer device is faulty.
3. The board, control board, upstream board, or shelf hardware is faulty.
4. The STB and ONT on the user side are faulty.
Issue analysis
1. Log in to the device and check whether the Option 82 function is enabled on the device. It is found that the VLAN attribute is stacking and normal users exist on the same PON port. Therefore, cause 1 is excluded.
2. The Option 82 function is enabled on the device. Therefore, packets are sent to the CPU of the device. To check whether user-side packets are reported to the CPU of the control board, perform the following test.
- Perform debugging printing based on service flows. If no response is displayed, packets are not sent to the CPU.
MA5800-X2(diagnose)%%debugging dhcp l2 service-port X
MA5800-X2(diagnose)%%debugging dhcp l3 packets service-port x
MA5800-X2(config)#dhcp statistics service-port X
MA5800-X2(config)#display dhcp statistics service-port X
MA5800-X2(diagnose)%%terminal debugging
- Print information on the control board. If no response is displayed, packets are not sent to the CPU.
On the MA5800, print the CPU packets, including the DHCP Discover packets, to obtain the tag information.
MA5800-X2(diagnose)%%debugging drv-cli
USER>sfd cpu diag print-s 2 1 11 10 // The value 2 indicates all modules. The value 1 indicates the transmit direction (0 indicates the receive direction). The value 11 indicates DHCPv4 packets (7 indicates PPPoE packets and 43 indicates DHCPv6 packets). The value 10 indicates the number of printed packets.
USER>quit
Cause 2 is excluded.
3. Check whether user-side packets reach the PON port. In this case, you can collect DHCP statistics based on the user MAC address.
The statistical method is as follows: (Adjust the policy based on different service scenarios. If the Option 82 function is enabled, the upstream port cannot pass the traffic statistics.)
Check whether DHCP Discover packets reach the PON port
MA5800-X2(config)#acl 3000
MA5800-X2(config-acl-adv-3000)#rule 5 permit udp source-port eq 68 destination-port eq 67
MA5800-X2(config-acl-adv-3000)#acl 4300
MA5800-X2(config-acl-adv-4300)#rule 5 permit type 0x0800 source XXXX-XXXX-XXXX 0000-0000-0000
MA5800-X2(config-acl-adv-4300)#quit
MA5800-X2(config)#diagnose
MA5800-X2(diagnose)%%traffic-statistic inbound ip-group 3000 rule 5 link-group 4300 rule 5 port 0/19/0
// The Layer 3 and Layer 2 ACLs are coupled to identify DHCP packets.
Check whether the PON receives the DHCP offer packet returned by the BRAS
MA5800-X2(config)#acl 3001
MA5800-X2(config-acl-adv-3001)#rule 5 permit udp source-port eq 67 destination-port eq 68
MA5800-X2(config-acl-adv-3001)#acl 4301
MA5800-X2(config-acl-adv-4301)#rule 5 permit type 0x0800 destination XXXX-XXXX-XXXX 0000-0000-0000
MA5800-X2(config-acl-adv-4301)#quit
MA5800-X2(config)#diagnose
MA5800-X2(diagnose)%%traffic-statistic outbound ip-group 3001 rule 5 link-group 4301 rule 5 port 0/19/0
The result is as follows: User-side DHCP packets have reached the PON port but not the control board.
4. Perform trace-counter based on user MAC addresses.
Command: MA5800(diagnose)%% trace-counter ingress 0/11/3 source b822-4f5b-XXXX
It is found that some packets are received but not sent by the board. The packets are discarded at ID 1733.
Query the cause of the packet discarding with the following command. The cause is: Drop due to antidos port limit
MA5800(diagnose)%%display statistics type 0/11
5. Check the rate limit of the ONT.
The rate is not limited based on service ports and ONTs.
6. Check the anti-dos configuration. It is found that the anti-dos function is enabled globally, which is a universal configuration on the entire network.
Note: After this function is enabled, the number of packets reported by the ONT to the CPU per second cannot exceed 63.
7. Print packets based on the Ptype of the board and check the reported packets.
MA5800(diagnose)%%capture ptype board 0/11 upstream 1733 number 10
It is found that a non-STB MAC address on the user side reports a large number of ARP packets.
8. Verify the user-side packet reporting of the fault. Capture packets based on the user MAC address on the OLT.
Packet Capture Method (Adjust based on business scenarios):
- Create an ACL based on user MAC addresses.
MA5800-X2(config)#acl 4000
MA5800-X2(config-acl-adv-4000)#rule 5 permit destination xxxx-xxxx-xxxx 0000-0000-0000
MA5800-X2(config-acl-adv-4000)#rule 10 permit source xxxx-xxxx-xxxx 0000-0000-0000
- Mirror the packets on the upstream port to the packet capture port. (PON port 0/11/3, connected to PC port 0/9/0)
MA5800-X2(config)#traffic-mirror outbound link-group 4000 rule 5 port 0/11/3 to port 0/9/0
MA5800-X2(config)#traffic-mirror outbound link-group 4000 rule 10 port 0/11/3 to port 0/9/0
MA5800-X2(config)#traffic-mirror inbound link-group 4000 rule 5 port 0/11/3 to port 0/9/0
MA5800-X2(config)#traffic-mirror inbound link-group 4000 rule 10 port 0/11/3 to port 0/9/0
Conclusion: The user side reports a large number of ARP packets.
Root cause
A large number of ARP packets are sent from the faulty ONT, which exceeds the total number of packets on the board port. As a result, DHCP packets for normal dialup are discarded.
Solution description
Temporary Workaround
- Filtering ARP Packets Based on User MAC Addresses
MA5800-X2(config)#acl 4000
MA5800-X2(config-acl-adv-4000)#rule 30 deny type 0x0806 source c409-3859-XXXX 0000-0000-0000
MA5800-X2(config-acl-adv-4000)#quit
MA5800-X2(config)#packet-filter inbound link-group 4000 rule 30 port 0/11/3
After the filtering, the service is normal.
- Limit the rate of ARP packets so that DHCP packets can pass through.
Check: MA5800-X2(config)#display security anti-dos control-packet rate service-port 3
Limit: MA5800-X2(config)#security anti-dos control-packet arp rate service-port 3 60
Restore the default: MA5800-X2(config)#security anti-dos control-packet arp rate service-port 3 no-limit
Final Solution
Replace the ONT with a new one. Thanks for reading.
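The capture mirrored in step 8 can be checked offline against the 63 packets-per-second figure from the anti-DoS note in step 6, to see which source MAC address is responsible. The following Python script is an added example, not part of the original post or any Huawei tool; it assumes the capture was saved as a classic little-endian pcap file, and the MAC addresses and frames built in sample_capture() are constructed.

```python
import struct
from collections import Counter

ANTI_DOS_PPS = 63               # per-second ceiling quoted in the anti-DoS note
VLAN_TPIDS = {0x8100, 0x88A8}   # stacking VLAN: frames may carry one or two tags

def frame(src, ethertype, tags=()):   # constructed frame: broadcast dst, zero payload
    vlan = b"".join(struct.pack("!HH", tpid, vid) for tpid, vid in tags)
    head = b"\xff" * 6 + bytes.fromhex(src.replace("-", ""))
    return head + vlan + struct.pack("!H", ethertype) + bytes(46)

def pcap(records):   # classic little-endian pcap built from (second, frame) pairs
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, data in records:
        out += struct.pack("<IIII", sec, 0, len(data), len(data)) + data
    return out

def rates(blob):
    """Count frames per (source MAC, capture second, EtherType)."""
    if struct.unpack_from("<I", blob)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    counts, pos = Counter(), 24
    while pos + 16 <= len(blob):
        sec, _, caplen, _ = struct.unpack_from("<IIII", blob, pos)
        data, pos = blob[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        off = 12
        while len(data) >= off + 6 and struct.unpack_from("!H", data, off)[0] in VLAN_TPIDS:
            off += 4                      # skip one VLAN tag
        if len(data) < off + 2:
            continue                      # truncated frame, no EtherType to read
        h = data[6:12].hex()
        mac = "-".join(h[i:i + 4] for i in (0, 4, 8))
        counts[(mac, sec, struct.unpack_from("!H", data, off)[0])] += 1
    return counts

def arp_flooders(blob, limit=ANTI_DOS_PPS):
    """Map each MAC whose ARP rate exceeds `limit` in any second to its peak rate."""
    peaks = {}
    for (mac, _, etype), n in rates(blob).items():
        if etype == 0x0806 and n > limit:
            peaks[mac] = max(peaks.get(mac, 0), n)
    return peaks

def sample_capture():
    """Constructed capture: one STB sending IPv4, one other host flooding ARP."""
    tags = ((0x88A8, 100), (0x8100, 200))
    recs = [(0, frame("0011-2233-4455", 0x0800, tags))] * 2
    recs += [(0, frame("0211-2233-4466", 0x0806, tags))] * 200
    recs += [(1, frame("0211-2233-4466", 0x0806))] * 50
    return pcap(recs)
```

Calling arp_flooders() on the bytes of a real capture file returns only the MAC addresses whose ARP rate alone exceeds the ceiling in some second, which is the device to filter or replace.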