
Ethernet Routing Switch 2500 Series

Troubleshooting
Release: 4.1 Document Revision: 01.01

www.nortel.com

NN47215-700

324605-A

Ethernet Routing Switch 2500 Series
Release: 4.1
Publication: NN47215-700
Document status: Standard
Document release date: 06 May 2008

Copyright © 2008 Nortel Networks
All Rights Reserved.

Sourced in Canada, the United States of America, and India.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document.

This document is protected by copyright laws and international treaties. All information, copyrights and any other intellectual property rights contained in this document are the property of Nortel Networks. Except as expressly authorized in writing by Nortel Networks, the holder is granted no rights to use the information contained herein and this document shall not be published, copied, produced or reproduced, modified, translated, compiled, distributed, displayed or transmitted, in whole or part, in any form or media.

*Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.

ATTENTION: Before troubleshooting the Ethernet Routing Switch 2500 Series, ensure you read the legal statements in the first chapter of this guide.

Contents

Legal information
    Restricted rights legend
    Statement of conditions
    Nortel Networks software license agreement
New in this release
    Stacking
    Stacking licensing
    Stacking functionality and rear ports
    Stack Licensing – rear port mode
    Power over Ethernet (POE) limitations
Introduction
Troubleshooting planning
Troubleshooting tools
    Port Mirroring
    Port mirroring limitations
    Port mirroring commands
    Port statistics
    System logs
    Auto Unit Replacement (AUR)
    Nortel knowledge and solution engine
General diagnostic tools
    CLI command modes
Initial troubleshooting
    Gather information
Emergency recovery trees
    Corruption of flash
    Incorrect PVID
    Uplink ports not tagged to VLAN
    SNMP
    Stack
Troubleshooting hardware
    Check power
    Check cables
    Check port
    Check fiber port
    Replace unit
Troubleshooting ADAC
    IP phone is not detected
    Correct filtering
    Reload ADAC MAC in range table
    Reduce LLDP devices
    Auto configuration is not applied
    Correct auto configuration
    Check status and number of devices
Troubleshooting authentication
    EAP client authentication
    Restore RADIUS connection
    Enable EAP on the PC
    Apply the method
    Enable EAP globally
    EAP multihost repeated re-authentication issue
    Match EAP-MAC-MAX to EAP users
    Set EAPOL request packet
    EAP RADIUS VLAN is not being applied
    Configure VLAN at RADIUS
    Configure switch
    Configured MAC is not authenticating
    Configure the switch
    NEAP RADIUS MAC not authenticating
    Configure switch
    RADIUS server configuration error
    NEAP MHSA MAC is not authenticating
    Configure switch
    EAP-NEAP unexpected port shutdown
    Configure switch

Ethernet Routing Switch 2500 Series Troubleshooting NN47215-700 01.01 Standard 30 April 2008
Copyright © 2008 Nortel Networks

Legal information

Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice.

Nortel Networks does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Nortel Networks software license agreement
This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel Networks Corporation and its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

"Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.

4. General
— If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
— Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
— Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
— Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
— The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.
— This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

New in this release
This is the first standard release of the ERS 2500 series Troubleshooting Guide. This document supports Release 4.1 feature content.

Stacking
The ERS 2500 Series software release v4.1 has the capability to stack up to eight units in a stack. Stacking functionality is available through two methods:
• By purchasing a stack enabled device. These devices have the rear ports set to stacking mode as default in the factory. These devices do not use or require a license for the feature.
• A standalone unit can have the stacking feature enabled through the use of a Stacking License Kit that includes a license certificate and a License Authorization code (LAC) for use on the Nortel Licensing Portal. The license file unlocks stacking functionality and allows the ports on the rear of the switch to be set to Stacking Mode.

The stack enabled units are identifiable through CLI, JDM, or WebUI. It is important to note that stack enabled switches can be stacked regardless of the method the stacking was enabled on them.

Stacking licensing
There are four variants of Stacking License Kits that are available for standalone switches. Each kit contains a license certificate and LAC. The license file management and generation is through the Nortel Licensing Portal. The instructions are located on the license certificate. The license file is generated, downloaded and installed on each standalone ERS 2500 Series device that requires stacking functionality.

License files can be added and removed from the switch. Should you set a non stack enabled device to default, the license file is removed. There are two cases that may be encountered:
• When the stack is reset to default (#boot default), the switches continue to function in stack indefinitely.
• When the licenses are removed (#clear license), the stack continues to work until the second reset.

Stack License Kits are available for 1, 10, 50, or 100 devices. The ERS 2500 Series licensing has a more intuitive LAC schema. The memo field in the license is also populated as part of the license file generation on the licensing portal.

Figure 1 License Schema

Stacking functionality and rear ports
Stacking mode must be configured on the rear ports before the switches are connected together. There is no auto-detection for the stacking function. The base unit must have the unit select switch set to on.

Figure 2 ERS 2500 rear ports

Each ERS 2500 Series device ships with a 46 cm (1.5 ft) stacking cable. The stacking cable is a black Cat5E cable. Spare stacking cables are available on the price list for additional purchase. Also available for purchase are additional cables of 1.5 m (5 ft) and 3 m (10 ft) and are similar to stack return cables. You are permitted to use your own cables and longer lengths up to 100m. This is at your own risk and is not officially supported by GNTS.

Stack Licensing – rear port mode
The rear ports on the ERS 2500 series are configurable via NNCLI and JDM in ‘config’ mode.

In NNCLI, under PrivExec mode, you can use the following commands:
• default rear-ports mode [unit <1-8>] {standalone | stacking} to set the operating mode. The default is standalone.
• show rear-ports mode displays the operating mode of the rear ports.

Under JDM, the rear ports are grayed out and not selectable in the switch view if the ports are in stacking mode.

Figure 3 ERS 2500 JDM display

Power over Ethernet (POE) limitations
The status for the PoE port can appear incorrectly as InvalidPD rather than detecting. This occurs if the PD detect type on an ERS 2500-PWR is set to 802.3af and legacy while a PoE port on the switch is connected to a non-PoE device. Be aware that this is a hardware limitation that is caused by the capacitive detection method used in the legacy mode (versus resistive/current based detection used in 802.3af compliant mode). Some devices are always errantly detected because they match the capacitive signature, dependent on the environment, cabling, etc.

Introduction
This document is the first troubleshooting guide for the ERS 2500 series software Release v4.1.

This document:
• Describes the diagnostic tools and utilities available for troubleshooting the Nortel ERS 2500 Series products including the Nortel Networks Command Line Interface (NNCLI) and Java Device Manager (JDM).
• Guides you through some common problems to achieve a first tier solution to these situations.
• Advises you what information to compile prior to troubleshooting or calling Nortel for help.

This document assumes that you:
• Have basic knowledge of networks, ethernet bridging, and IP routing.
• Are familiar with networking concepts and terminology.
• Have experience with Graphical User Interface (GUI).
• Have basic knowledge of network topologies.

Troubleshooting Tools
The ERS 2500 Series products support a range of protocols, utilities, and diagnostic tools that you can use to monitor and analyze traffic, monitor laser operating characteristics, capture and analyze data packets, trace data flows, view statistics, and manage event messages.

Certain protocols and tools are tailored for troubleshooting specific ERS 2500 Series network topologies. Other tools are more general in their application and can be used to diagnose and monitor ingress and egress traffic.

Troubleshooting planning
There are some things you can do to minimize the need for troubleshooting and to plan for doing it as effectively as possible.

First, use the Ethernet Routing Switch 2500 Series Documentation Roadmap to familiarize yourself with the documentation set, so you know where to get information when you need it.

Second, make sure the system is properly installed and maintained so that it operates as expected.

Third, make sure you gather and keep up to date the site map, logical connections, device configuration information, and other data that you will require if you have to troubleshoot.
• A site network map identifies where each device is physically located on your site, which helps locate the users and applications that are affected by a problem. You can use the map to systematically search each part of your network for problems.
• You must know how your devices are connected logically and physically with virtual local area networks (VLAN).
• You should maintain online and paper copies of your device configuration information. Ensure that all online data is stored with your site’s regular data backup for your site. If your site has no backup system, copy the information onto a backup medium and store the backup offsite.
• Store passwords in a safe place. It is a good practice to keep records of your previous passwords in case you must restore a device to a previous software version. You need to use the old password that was valid for that version.
• It is a good practice to maintain a device inventory, which lists all devices and relevant information for your network. Use this inventory to easily see the device types, IP addresses, ports, MAC addresses, and attached devices.
• If your hubs or switches are not managed, you must keep a list of the MAC addresses that correlate to the ports on your hubs and switches.
• Maintain a change-control system for all critical systems. Permanently store change-control records.
• It is a good practice to store the details of all key contacts, such as support contacts, support numbers, engineer details, and telephone and fax numbers. Having this information available during troubleshooting saves you time.

Fourth, understand the normal network behavior so you can be more effective at troubleshooting problems.
• Monitor your network over a period of time sufficient to allow you to obtain statistics and data to see patterns in the traffic flow, such as which devices are typically accessed or when peak usage times occur.
• Use a baseline analysis as an important indicator of overall network health. A baseline view of network traffic as it typically is during normal operation is a reference that you can compare to network traffic data that you capture during troubleshooting. This should speed the process of isolating network problems.

Troubleshooting tools
These are the available troubleshooting tools and their applications.

Port Mirroring
ERS 2500 Series switches have a port mirroring feature that helps you to monitor and analyze network traffic. The port mirroring feature supports both ingress (incoming traffic) and egress (outgoing traffic) port mirroring. When port mirroring is enabled, the ingress or egress packets of the mirrored (source) port are forwarded normally and a copy of the packets is sent from the mirrored port to the mirroring (destination) port. You can observe and analyze packet traffic at the mirroring port using a network analyzer. A copy of the packet can be captured and analyzed. Unlike other methods that are used to analyze packet traffic, the packet traffic is uninterrupted and packets flow normally through the mirrored port.

Port mirroring limitations
The ERS 2500 series supports port mirroring in the following three modes:
• Ingress mode (XRX or ->Port X)
• Egress mode (XTX or Port X ->)
• Ingress and Egress Mode (XRX or XTX or <->Port X)

There are limitations to the Egress mode:
• In a stack, both the monitor and mirror port should be on the same unit.
• Port-mirroring mode XTX mirrors egress traffic on the mirrored port but does not mirror control packets generated by the switch. The monitor port does not receive copies of the generated control packets that egress from the mirrored port.

There are also limitations on Ingress and Egress modes. While as a standalone or a stack, the same limitation on the XTX portion also applies to this mode.

Port mirroring commands
Please refer to the Nortel Ethernet Routing Switch 2500 Series Configuration — System (NN47215-500) for port mirroring command information. You can use the port mirroring commands to assist in diagnostics and information gathering.

Port statistics
Use port statistics commands to display information on received and transmitted packets at the ports. The ingress and egress counts occur at the MAC layer.

System logs
You can use the syslog messaging feature of the ERS 2500 Series products to manage event messages. The ERS 2500 Series syslog software communicates with a server software component named syslogd that resides on your management workstation.

The daemon syslogd is a software component that receives and locally logs, displays, prints, or forwards messages that originate from sources that are internal and external to the workstation. For example, syslogd software concurrently handles messages received from applications running on the workstation, as well as messages received from an ERS 2500 Series device running in a network accessible to the workstation.

Auto Unit Replacement (AUR)
The Auto Unit Replacement (AUR) feature allows replacement of a failed unit in a stack with a new unit, while retaining the configuration of the previous unit. The stack power must be on during unit replacement.

If the hardware version of the replaced unit is different from the previous unit, the unit is allowed to join the stack. However, the configuration of the previous unit is not replicated in the new unit.

AUR can be enabled or disabled from the NNCLI and JDM. By default, AUR is enabled.

You must understand AUR to replace a failed device in the stack if AUR is enabled. The new unit must be running the same software and firmware versions as the previous unit but with a different MAC address.

Nortel knowledge and solution engine
The Knowledge and Solution Engine is a database of Nortel technical documents, troubleshooting solutions, software patches and releases, service cases, and technical bulletins. It is searchable by natural-language query.

General diagnostic tools
The ERS 2500 Series device has diagnostic features available with the JDM, NNCLI, and a Web Interface. You can use these diagnostic tools to help you troubleshoot operational and configuration issues. You can configure and display files, view and monitor port statistics, trace a route, run loopback and ping tests, test the switch fabric, and view the address resolution table.

This document focuses on using the CLI to perform the majority of troubleshooting. For purposes of using this document, CLI and NNCLI are interchangeable.

The command line interface is accessed through either a direct console connection to the switch or by using the Telnet or SSH protocols to connect to the switch remotely.

You can use the web Interface in cases where the troubleshooting steps require corroborating information to ensure diagnosis.

CLI command modes
CLI command modes provide different levels of authority for operation. The CLI has four major command modes, listed in order of increasing privileges:
• User EXEC
• Privileged EXEC
• Global configuration
• Interface configuration

Each mode provides a specific set of commands. The command set of a higher-privilege mode is a superset of a lower-privilege mode. That is, all lower-privilege mode commands are accessible when using a higher-privilege mode.

The command modes are as follows:
• User EXEC mode: The User EXEC mode (also referred to as exec mode) is the default CLI command mode. User EXEC is the initial mode of access when the switch is first turned on and provides a limited subset of CLI commands. This mode is the most restrictive CLI mode and has few commands available.
• Privileged EXEC mode: The Privileged EXEC mode (also referred to as privExec mode) enables the user to perform basic switch-level management tasks, such as downloading software images, setting passwords, and booting the switch. privExec is an unrestricted mode that allows you to view all settings on the switch, and if you are logged in with write access, it also allows you to access all configuration modes and commands that affect operation of the switch (such as downloading images, rebooting, etc.).
• Global configuration mode: The Global Configuration mode (also referred to as config mode) enables the user to set and display general configurations for the switch such as IP address, SNMP parameters, Telnet access, and VLANs.
• Interface configuration mode: The Interface Configuration mode (also referred to as config-if mode) enables the user to configure parameters for each port or VLAN, such as speed, duplex mode, and rate-limiting.

It is possible to move between command modes on a limited basis. This is explained in the Common Procedures section of this document.

Refer to the Nortel Ethernet Routing Switch 2500 Series Configuration — System (NN47215-500) for command mode information.

Initial troubleshooting
The types of problems that typically occur with networks involve connectivity and performance. It is usually best to follow the Open System Interconnection (OSI) network architecture layers. Confirm that the physical environment, such as the cables and module connections, is operating without any failures before moving up to the network and application layers.

As part of your initial troubleshooting, Nortel recommends that you check the Knowledge and Solution Engine on the Nortel web site for known issues and solutions related to the problem you are experiencing.

Gather information
Before contacting Nortel Technical Support, you must gather information that can help the Technical Support personnel. This includes the following information:
• Default and current configuration of the switch. To do this, you can use the show running-config command.
• System status: The output from the show sys-info command displays technical information about system status and information about the hardware, software, and switch operation. For more detail, use the show tech command.
• Information about past events. To do this, review the log files using the show logging command.
• The software version that is running on the device. To do this, use the show sys-info or show system verbose commands to display the software version.
• A network topology diagram: Get an accurate and detailed topology diagram of your network that shows the nodes and connections. Your planning and engineering function should have this diagram.
• Recent changes: Find out about recent changes or upgrades to your system, your network, or custom applications (for example, has configuration or code been changed?). Get the date and time of the changes, and the names of the persons who made them. Get a list of events that occurred prior to the trouble, such as an upgrade, a LAN change, increased traffic, or installation of new hardware.
• Connectivity information: When connectivity problems occur, get information on at least five working source and destination IP pairs and five IP pairs with connectivity issues. To do this, use these commands:
— show tech
— show running-config
— show port-statistics <port>

They are meant to quickly assist you through some common failures for a solution.01 Standard 30 April 2008 Copyright © 2008 Nortel Networks . These situations are not dependant upon each other. . Figure 4 Emergency recovery trees Navigation • • • • • "Corruption of flash" (page 26) "Incorrect PVID" (page 27) "Uplink ports not tagged to VLAN" (page 28) "SNMP" (page 30) "Stack " (page 33) Ethernet Routing Switch 2500 Series Troubleshooting NN47215-700 01. 25 Emergency recovery trees Emergency Recovery Trees (ERT) provide a quick reference for troubleshooting without procedural detail. Emergency recovery trees The following work flow contains some typical problems..

Corruption of flash
Corruption of the switch configuration file can sometimes occur because of a power outage or environmental reasons, which makes the configuration of the box corrupt and non-functional. Initializing the flash is one way to clear a corrupted configuration file and is required before an RMA.

Corruption of flash recovery tree
Figure 5 Corruption of flash


Incorrect PVID
Clients may be unable to communicate with critical servers when their ports are placed in the wrong VLAN. If the server is plugged in VLAN-3 and the PVID of the port is 2, loss of communication can occur. You can verify this by checking the PVID of the ports.

Incorrect PVID Recovery Tree
Figure 6 Incorrect PVID


Uplink ports not tagged to VLAN
When an ERS 2500 series switch is connected to an ERS 8600 series switch and devices in a VLAN on the ERS 8600 series switch are not able to communicate with devices at the ERS 2500 series switch in the same VLAN, then it is likely that the uplink ports are not tagged to the VLAN on the ERS 2500 series switch.

Uplink ports not tagged to VLAN recovery tree

Figure 7 Uplink ports not tagged to VLAN
SNMP
SNMP failure may be the result of an incorrect configuration of the management station or its setup. If you can reach a device but no traps are received, verify the trap configurations (the trap destination address and the traps configured to be sent).

SNMP recovery tree
Figure 8 SNMP

Stack
Stack failure can be the result of a communication error between the individual units due to configuration or cabling. Failures can also arise when there are multiple bases configured.

Stack Recovery Tree
Figure 9 Stack

Troubleshooting hardware

Complete hardware troubleshooting specific to the ERS 2500 series.

Work flow: Troubleshooting hardware
The following work flow assists you to determine the solution for some common hardware problems.

Figure 10 Troubleshooting hardware

Navigation
• "Check power" (page 41)
• "Check cables" (page 44)
• "Check port" (page 45)
• "Check fiber port" (page 47)
• "Replace unit" (page 50)

Check power
Confirm power is being delivered to the device.

Task flow: Check power
The following task flow assists you to confirm that the ERS 2500 series device is powered correctly.

Figure 11 Check power

Navigation
• "Correcting voltage source" (page 43)
• "Ensuring power cord is installed" (page 43)
• "Observing error report on console" (page 43)
• "Reloading agent code" (page 43)
• "Returning unit for repair" (page 43)

Correcting voltage source
Confirm the power cord is connected to the appropriate voltage source.

Ensuring power cord is installed
Confirm the power cord is properly installed for the device.

Observing error report on console
Interpret the message that is sent to console when it fails.

Procedure Steps
Step Action
1 View console information and note any details for the RMA.
2 Note the LED status for information:
  • Status LED blinking amber: Power On Self Test (POST) failure
  • Power LED blinking: corrupt flash
--End--

Reloading agent code
Reload the agent code on the ERS 2500 series device to eliminate corrupted or damaged code that causes a partial boot of the device.

CAUTION
Ensure you have adequate backup of your configuration prior to reloading software.

Know the current version of your software before reloading it. Loading incorrect software versions may cause further complications.

Procedure Steps
Step Action
1 Use the show sys-info command to view the software version.
2 Refer to the Nortel Ethernet Routing Switch 2500 Series Configuration — System (NN47215-500) for software installation.
--End--

Returning unit for repair
Return unit to Nortel for repair.
Contact Nortel for return instructions and RMA information.

Check cables
Confirm the stacking cables are correctly connected.

Task flow: Check cables
The following task flow assists you to confirm the stacking cables on the ERS 2500 series device are installed correctly.

Figure 12 Check cables

Navigation
• "Confirming cables are correct type" (page 44)
• "Reviewing configuration documentation" (page 45)

Confirming cables are correct type
Ensure the cables have RJ45 connectors. The ERS 2500 series software Release v4.1 supports the use of both straight and crossover Cat5e cabling.

Reviewing configuration documentation
Review the stacking procedures in the Nortel Ethernet Routing Switch 2500 Series Configuration — System (NN47215-500).

Figure 13 Stack configuration
1. Base unit
2. Cascade cable
3. Cascade cable (used for return)

Check port
Confirm the port and ethernet cable connecting the port are in proper configuration.

Task flow: Check port
The following task flow assists you to check the port and ethernet cables.

Figure 14 Check port

Navigation
• "Viewing port information" (page 46)
• "Enabling the port" (page 47)
• "Confirming the cables are working" (page 47)

Viewing port information
Review the port information to ensure it is enabled.

Procedure Steps
Step Action
1 Use the show interfaces <port> command to display the port information.
2 Note the port status.
--End--

Enabling the port
Enable the port.

Procedure Steps
Step Action
1 Go to interface specific mode using the interface fastethernet <port> command.
2 Use the no shutdown command to change the port configuration.
3 Use the show interfaces <port> command to display the port.
4 Note the port administrative status.
--End--

Confirming the cables are working
Ensure that the cables connecting to the port are functioning correctly.

Procedure Steps
Step Action
1 Go to interface specific mode using the interface fastethernet <port> command.
2 Use the no shutdown command to change the port configuration.
3 Use the show interfaces <port> command to display the port.
4 Note the operational and link status of the port.
--End--

Check fiber port
Confirm the fiber port is working and the cable connecting the port is the proper type.

Task flow: Check fiber port
The following task flow assists you to confirm the fiber port cable is functioning and is of the proper type.

Figure 15 Check fiber port

Navigation
• "Viewing fiber port information" (page 49)
• "Enabling port" (page 49)
• "Confirming cables working" (page 49)
• "Returning unit for repair" (page 50)

Viewing fiber port information
Review the port information to ensure it is enabled.

Procedure Steps
Step Action
1 Use the show interfaces <port> command to display the port information.
2 Note the port status.
--End--

Enabling port
Ensure the port on the ERS 2500 series device is enabled.

Procedure Steps
Step Action
1 Use the no shutdown command to change the port configuration.
2 Use the show interfaces <port> command to display the port information.
3 Note the port status.
--End--

Confirming cables working
Confirm that the cables are working on the port.

Procedure Steps
Step Action
1 Use the no shutdown command to change the port configuration.
2 Use the show interfaces <port> command to display the port.
3 Note the port operational and link status.
--End--

Returning unit for repair
Return unit to Nortel for repair.
Contact Nortel for return instructions and RMA information.

Replace unit
Remove defective unit and insert the replacement.

CAUTION
Due to physical handling of the device and your physical proximity to electrical equipment, review and adhere to all safety instructions and literature included with device and in Nortel Ethernet Routing Switch 2500 Series — Regulatory Information (NN47215-100).

The Auto Unit Replacement (AUR) feature allows replacement of a failed unit in a stack with a new unit, while retaining the configuration of the previous unit. The stack power must be on during unit replacement.

AUR is not designed for the situation of removing and reinserting the same switch (with the same MAC address).

In order for AUR to function properly, the new unit and the existing units in the stack must all be running the same version of software (Release 4.1 software or later). This is only appropriate if old software is used or AAUR is disabled. If AAUR is available (and it is turned on by default in such cases), then the verify software procedures are not required.

For detailed information regarding AUR refer to Nortel Ethernet Routing Switch 2500 Series Configuration — System (NN47215-500) Auto Unit Replacement section.

Task flow: Replace unit
The following task flow assists you to replace one of the ERS 2500 series devices.

Figure 16 Replace unit

Navigation
• "Removing failed unit" (page 52)
• "Verifying software version is correct on new device" (page 52)
• "Obtaining correct software version" (page 52)
• "Placing new unit" (page 52)
• "Connecting stacking cables" (page 52)
• "Powering on unit" (page 53)
• "Returning unit for repair" (page 53)

Removing failed unit
Remove the failed unit from the stack.

Procedure Steps
Step Action
1 Maintain power to the stack. Do not power down stack.
2 Remove the failed device.
--End--

Verifying software version is correct on new device
Verify that the new device to be inserted has the identical software version.

Procedure Steps
Step Action
1 Connect the new device to the console, independent of stack connection.
2 Use the show sys-info command to view the software version.
--End--

Obtaining correct software version
Obtain and install correct software version.

CAUTION
Ensure you have adequate backup of your configuration prior to reloading software.

Know the proper version of your software before loading it. Loading incorrect software versions may cause further complications.

Procedure Steps
Action
Refer to the Nortel Ethernet Routing Switch 2500 Series Configuration — System (NN47215-500) for software installation.

Placing new unit
Place the new unit in the stack where the failed unit was connected.

Connecting stacking cables
Reconnect the stacking cables to correctly stack the device.

Procedure Steps
Step Action
1 Review the stacking section in Nortel Ethernet Routing Switch 2500 Series Configuration — System (NN47215-500) for cabling details.
2 Connect the cables in accordance with physical stack requirements.
--End--

Powering on unit
Energize the unit once it is connected and ready to integrate. There is no requirement to reset the entire stack. The single device being replaced is the only device having such action placed on it.

Procedure Steps
Step Action
1 Connect the power to the unit.
2 Allow time for the new unit to join the stack, and for the configuration of the failed unit to be replicated on the new unit.
3 Confirm that the new unit has reset itself. This confirms that replication has completed.
--End--

Returning unit for repair
Return unit to Nortel for repair.
Contact Nortel for return instructions and RMA information.

Troubleshooting ADAC

Automatic Detection and Automatic Configuration (ADAC) can encounter some detection and configuration errors that can be easily corrected.

ADAC clarifications
ADAC VLAN settings are dynamic and are not saved to nonvolatile memory. When ADAC is enabled, all VLAN settings manually made by user on ADAC uplink or telephony ports are dynamic and are not saved to non-volatile memory. When the unit is reset, these settings are lost. ADAC redetects the ports and re-applies the default settings for them.

You do not manually create a VLAN to be used as the voice VLAN and then try to set this VLAN as ADAC voice VLAN using the command adac voice-vlan x. There is no requirement to create a voice VLAN manually. ADAC automatically creates the voice VLAN when needed. You only have to reserve or set the VLAN number used by ADAC with the adac voice-vlan x command.

Once the VLAN number is reserved for ADAC voice-vlan with the adac voice-vlan x command, the VLAN number cannot be used by user in regular VLAN creation, even if ADAC admin status is disabled or ADAC is in UTF mode.

If you enable the LLDP detection mechanism for telephony ports, then LLDP itself has to be enabled on the switch. Otherwise ADAC won't detect any phone.

Work flow: Troubleshooting ADAC
The following work flow assists you to identify the type of problem you are encountering.

Figure 17 Troubleshooting ADAC

Navigation
• "IP phone is not detected" (page 56)
• "Auto configuration is not applied" (page 61)

IP phone is not detected
Correct an IP phone that is not being detected by ADAC.

Work flow: IP phone not detected
The following work flow assists you to resolve some detection issues.

Figure 18 IP phone not detected

Navigation
• "Correct filtering" (page 57)
• "Reload ADAC MAC in range table" (page 58)
• "Reduce LLDP devices" (page 60)

Correct filtering
Configure the VLAN filtering to allow ADAC.

Task flow: Correct filtering
The following task flow assists you to correct the filtering.

Figure 19 Correct filtering

Navigation
• "Confirming port belongs to at least one VLAN" (page 57)
• "Disabling VLAN filter unregistered frames" (page 58)

Confirming port belongs to at least one VLAN
View information to ensure the port belongs to a VLAN.

Procedure Steps
Step Action
1 Use the show vlan interface info <port> command to view the details.
2 Note the VLANs listed with the port.
--End--

Disabling VLAN filter unregistered frames
Change the unregistered frames filtering of the VLAN.

Procedure Steps
Step Action
1 Use the vlan ports <port> filter-unregistered-frames enable command to view the details.
2 Ensure no errors after command execution.
--End--

Reload ADAC MAC in range table
Ensure the ADAC MAC is properly loaded in the range table.

Task flow: Reload ADAC MAC in range table
The following task flow assists you to place the ADAC MAC in the range table.

Figure 20 Reload ADAC MAC in range table

Navigation
• "Disconnecting and reconnecting phone" (page 59)
• "Disabling and enabling the port" (page 59)

Disconnecting and reconnecting phone
Remove the phone and then reconnect it to force a reload of the MAC in the range table.

Procedure Steps
Step Action
1 Follow local procedure to disconnect the phone.
2 Follow local procedures to reconnect the phone.
--End--

Disabling and enabling the port
Disable the ADAC on the port and then enable it to detect the phone. Disabling and re-enabling the port administratively causes the MAC addresses already learned on the respective port to be aged out.

Procedure Steps
Step Action
1 Use the no adac enable <port> command to disable ADAC.
2 Use the adac enable <port> command to enable ADAC.
--End--

Reduce LLDP devices
Reduce the number of LLDP devices. More than 16 devices may cause detection issues.

Task flow: Reduce LLDP devices
The following task flow assists you to reduce the number of LLDP devices on the system.

Figure 21 Reduce LLDP devices

Navigation
• "Viewing LLDP information" (page 61)
• "Reducing LLDP enabled devices" (page 61)

Viewing LLDP information
Display the LLDP devices that are connected to a port.

Procedure Steps
Step Action
1 Use the show lldp port 1 neighbor command to identify the LLDP devices.
2 Note if there are more than 16 LLDP enabled devices on the port.
--End--

Reducing LLDP enabled devices
Disable the ADAC on the port and then enable it to detect the phone.

Procedure Steps
Step Action
1 Use the no adac enable <port> command to disable ADAC.
2 Use the adac enable <port> command to enable ADAC.
--End--

Auto configuration is not applied
Correct some common issues that may interfere with auto configuration of devices.

Task flow: Auto configuration is not applied
The following task flow assists you to solve auto configuration issues.

Figure 22 Auto configuration is not applied

Navigation
• "Correct auto configuration" (page 62)
• "Check status and number of devices" (page 64)

Correct auto configuration
Tagged frames mode may be causing the problem. In tagged frames mode, everything is configured correctly but auto configuration is not applied on a telephony port.

Task flow: Correct auto configuration
The following task flow assists you to correct the auto configuration.

Figure 23 Correct auto configuration

Navigation
• "Viewing ADAC global status" (page 63)
• "Configuring another CS/UP" (page 64)
• "Replacing Unit" (page 64)

Viewing ADAC global status
Display the global status of ADAC.

Procedure Steps
Step Action
1 Use the show adac command to display the ADAC information.
2 Note if the oper state is showing as disabled.
--End--

Configuring another CS/UP
Configuring another call server and uplink port can assist the auto configuration.

Procedure Steps
Step Action
1 Use the adac uplink-port <port> command to assign the uplink port.
2 Use the adac call-server-port <port> command to assign the call server port.
--End--

Replacing Unit
Replace unit to replicate configuration if AUR is enabled.

Procedure Steps
Step Action
1 Follow the replacement guidelines in the Nortel Ethernet Routing Switch 2500 Series — System Configuration (NN47215-500).
2 Refer to the unit replacement section in the Troubleshooting Hardware section in this document.
--End--

Check status and number of devices
Auto configuration can stop being applied after a unit is removed from the stack.

Task flow: Check status and number of devices
The following task flow assists you to correct the auto configuration.

Figure 24 Check status and number of devices

Navigation
• "Viewing ADAC port status" (page 65)
• "Reducing the number of devices" (page 66)
• "Disabling and enabling the port" (page 66)

Viewing ADAC port status
Display the status of ADAC on the port.

Procedure Steps
Step Action
1 Use the show adac in <port> command to display the ADAC information for the port.
2 Note if the oper state is disabled and the number of devices connected.
--End--

Reducing the number of devices
Configuring another call server and uplink port can assist the auto configuration.

Procedure Steps
Step Action
1 Follow local procedures and SOP to reduce the number of devices connected.
2 Use the show adac in <port> command to display the ADAC information for the port to ensure there are fewer than 32 devices connected.
--End--

Disabling and enabling the port
Administratively disable and enable the port to initialize configuration.

Procedure Steps
Step Action
1 Use the no adac enable <port> command to disable ADAC.
2 Use the adac enable <port> command to enable ADAC.
--End--

Troubleshooting authentication

Authentication issues can interfere with device operation and function. The following work flow contains some common authentication problems.

Work flow: Troubleshooting authentication
The following work flow contains some typical authentication problems. These situations are not dependent upon each other.

Figure 25 Troubleshooting authentication

Navigation
• "EAP client authentication" (page 68)
• "EAP multihost repeated re-authentication issue" (page 76)
• "EAP RADIUS VLAN is not being applied" (page 79)
• "Configured MAC is not authenticating" (page 87)
• "NEAP RADIUS MAC not authenticating" (page 92)
• "NEAP MHSA MAC is not authenticating" (page 97)
• "EAP-NEAP unexpected port shutdown" (page 102)

EAP client authentication
This section provides troubleshooting guidelines for the EAP and NEAP features on the ERS 2500 Series devices.

Work flow: EAP client is not authenticating
The following work flow assists you to determine the cause and solution of an EAP client that does not authenticate as expected.

Figure 26 EAP client is not authenticating

Navigation
• "Restore RADIUS connection" (page 70)
• "Enable EAP on The PC" (page 72)
• "Apply the method" (page 73)
• "Enable EAP globally" (page 74)

Restore RADIUS connection
Ensure that the RADIUS server has connectivity to the device.

Task flow: Restore RADIUS connection
The following task flow assists you to restore the connection to the RADIUS server.

Figure 27 Restore RADIUS connection

Navigation
• "Getting correct RADIUS server settings for the switch" (page 71)
• "Viewing RADIUS information" (page 71)
• "Configuring the RADIUS server settings" (page 71)
• "Pinging the RADIUS server" (page 72)

Getting correct RADIUS server settings for the switch
This section provides troubleshooting guidelines for obtaining the RADIUS server settings.

Procedure Steps
Step Action
1 Obtain network information for the RADIUS server from the Planning and Engineering documentation.
2 Follow vendor documentation to set the RADIUS authentication method MD5.
--End--

Viewing RADIUS information
Review the RADIUS server settings in the device. The default server port is 1812/UDP. Older servers may use 1645/UDP. Some older servers do not support UDP.

Procedure Steps
Step Action
1 Use the show radius-server command to view the RADIUS server settings.
2 Refer to the vendor documentation for server configuration.
--End--

Configuring the RADIUS server settings
The RADIUS server settings are to be set correctly for the network.
Follow vendor documentation to set the RADIUS server settings.

Reconfiguring the shared secret
The shared secret is to be reset in case there was any corruption.

Procedure Steps
Step Action
1 Use the radius-server key command.
2 Refer to the vendor documentation for server configuration.
--End--

Pinging the RADIUS server
Ping the RADIUS server to ensure connection exists.

Procedure Steps
Step Action
1 Use the ping <server IP> command to ensure connection.
2 Observe no packet loss to confirm connection.
--End--

Enable EAP on The PC
The PC has to have an EAP enabled device that is correctly configured.

Task flow: Enable EAP on the PC
The following task flow assists you to ensure the PC network card has EAP enabled.

Figure 28 Enable EAP on the PC

Navigation
• "Enabling EAP on PC network card" (page 72)

Enabling EAP on PC network card
The PC must have the correct hardware and configuration to support EAP.

Procedure Steps
Step Action
1 Reference vendor documentation for PC and network card.
2 Ensure card is enabled.
3 Ensure card is configured to support EAP.
--End--

Apply the method
The correct EAP method needs to be applied.

Task flow: Apply the method
The following task flow assists you to apply the correct EAP method.

Figure 29 Apply the method

Navigation
• "Configuring the RADIUS server" (page 73)

Configuring the RADIUS server
The RADIUS server is to be configured to authenticate using MD5.

Procedure Steps
Step Action
1 Obtain Network information for Radius Server from Planning and Engineering.
2 Save the information for reference.
--End--

Enable EAP globally
EAP is to be globally enabled on the ERS 2500 series device.

Task flow: Enable EAP globally
The following task flow assists you to enable EAP globally on the ERS 2500 series device.

Figure 30 Enable EAP globally

Navigation
• "Enabling EAP globally" (page 75)
• "Viewing EAPOL settings" (page 75)
• "Setting EAPOL port administrative status to auto" (page 75)

Enabling EAP globally
The EAP is to be globally enabled on the ERS 2500 series device.

Procedure Steps
Step Action
1 Use the eapol enable command to enable EAP globally on the ERS 2500 series device.
2 Observe no errors after the command execution.
--End--

Viewing EAPOL settings
The EAPOL settings are to be reviewed to ensure EAP is enabled.

Procedure Steps
Step Action
1 Use the show eapol port <port#> command to display the information.
2 Observe the output.
--End--

Setting EAPOL port administrative status to auto
The port is to be included in the port list.

Procedure Steps
Step Action
1 Use the eapol status auto command to change the port status to auto.
2 Observe no errors after command execution.
--End--
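The RADIUS checks in "Restore RADIUS connection" (server port, shared secret, ping) leave one gap: a successful ping says nothing about whether the switch and the server hold the same shared secret. The following added example, which is not from the Nortel guide, simulates one RFC 2865 exchange in Python and shows that a mismatched secret reaches the client as a reply whose Response Authenticator fails verification. The user name, password, secrets and fixed Request Authenticator are constructed, and the request carries a plain User-Password attribute rather than the EAP-Message attributes of a real EAP session.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def keystream_xor(data, secret, request_auth, hiding):
    """User-Password hiding and unhiding (RFC 2865 section 5.2).

    Each 16-byte block is XORed with MD5(secret + previous ciphertext block);
    the first block uses the Request Authenticator in place of that block.
    """
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        prev = block if hiding else chunk  # always chain on the ciphertext
        out += block
    return out


def build_access_request(ident, user, password, secret, request_auth):
    """Client (switch) side: Access-Request carrying a hidden User-Password."""
    size = max(16, (len(password) + 15) // 16 * 16)
    hidden = keystream_xor(password.ljust(size, b"\x00"), secret, request_auth, True)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_reply(request, secret, accounts):
    """Server side: unhide the password with the server's secret, sign the reply."""
    attrs = parse_attrs(request)
    request_auth = request[4:20]
    password = keystream_xor(attrs[USER_PASSWORD], secret, request_auth, False)
    expected = accounts.get(attrs[USER_NAME])
    ok = expected is not None and hmac.compare_digest(expected, password.rstrip(b"\x00"))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def check_reply(reply, request, secret):
    """Client side: classify a reply using the locally configured shared secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return "malformed"
    if reply[1] != request[1]:
        return "identifier-mismatch"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator"  # discard: secrets differ or the reply was altered
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "unexpected-code")


def exchange(switch_secret, server_secret, password=b"s3cret-pass"):
    """Run one constructed exchange and return the client's verdict."""
    request_auth = bytes(range(16))        # constructed; real clients use 16 random bytes
    accounts = {b"alice": b"s3cret-pass"}  # constructed account database
    request = build_access_request(7, b"alice", password, switch_secret, request_auth)
    return check_reply(server_reply(request, server_secret, accounts), request, switch_secret)


if __name__ == "__main__":
    print(exchange(b"shared-key", b"shared-key"))                     # secrets match
    print(exchange(b"shared-key", b"shared-key", b"wrong-password"))  # bad credentials
    print(exchange(b"shared-key", b"shared-kez"))                     # secret mismatch
```

A "reject" verdict points at the user credentials, while "bad-authenticator" points at the shared secret on one of the two ends, which is the case the "Reconfiguring the shared secret" step addresses.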

Figure 31 EAP multihost repeated re-authentication issue Navigation • • "Match EAP-MAC-MAX to EAP users" (page 76) "Set EAPOL request packet" (page 78) Match EAP-MAC-MAX to EAP users Lower the eap-mac-max to the exact number of EAP users that may soon enter when the number of authenticated users reaches the allowed maximum in order to halt soliciting EAP users with multicast requests. Ethernet Routing Switch 2500 Series Troubleshooting NN47215-700 01.01 Standard 30 April 2008 Copyright © 2008 Nortel Networks .76 Troubleshooting authentication EAP multihost repeated re-authentication issue Eliminate the multiple authentication of users. . EAP multihost repeated re-authentication issue The following work flow assists you to determine the cause and solution of an EAP multihost has repeated authentication.

01 Standard 30 April 2008 Copyright © 2008 Nortel Networks . Ethernet Routing Switch 2500 Series Troubleshooting NN47215-700 01. Figure 32 Match EAP-MAC-MAX to EAP users Navigation • • "Identifying number users at allowed max" (page 77) "Lowering EAP max MAC" (page 77) Identifying number users at allowed max Obtain the exact number of eap-users that may soon enter when the number of authenticated users reaches the allowed max. Procedure Steps Action Use the show eapol multihost status command to display the authenticated users. Lowering EAP max MAC Lower the mac-max value to match the users.EAP multihost repeated re-authentication issue 77 Task flow: Match EAP-MAC-MAX to EAP users The following task flow assists you to match the EAP-MAC-MAX to the number of EAP users. .

Procedure Steps
Step Action
1 Use the eapol multihost eap-mac-max command to set the mac-max value.
2 Observe no errors after execution.
--End--

Set EAPOL request packet
Change the request packet generation to unicast.

Task flow: Set EAPOL request packet
The following task flow assists you to set the EAPOL request packet for unicast.

Figure 33 Set EAPOL request packet

Navigation
• "Setting EAPOL request packet globally" (page 78)
• "Setting EAPOL request packet per port" (page 79)

Setting EAPOL request packet globally
Globally change the EAPOL request packet from multicast to unicast.

Procedure Steps
Step Action
1 Use the eapol multihost eap-packet-mode unicast command to set the EAPOL request packet to unicast.
2 Observe no errors after execution.
--End--

Setting EAPOL request packet per port
Change the EAPOL request packet from multicast to unicast for a specific port.

Procedure Steps
Step Action
1 Enter the interface configuration mode.
2 Use the eapol multihost eap-packet-mode unicast command to set the EAPOL request packet to unicast for the interface.
--End--

EAP RADIUS VLAN is not being applied
Ensure that the RADIUS VLAN is applied correctly to support EAP.

Work flow: EAP RADIUS VLAN is not being applied
The following work flow assists you to determine the cause of and solution for a RADIUS VLAN that is not being applied.

Figure 34 EAP Radius VLAN is not being applied

Navigation
• "Configure VLAN at RADIUS" (page 80)
• "Configure switch" (page 82)

Configure VLAN at RADIUS
Correct any discrepancy at the RADIUS server for the VLAN information.

Task flow: Configure VLAN at RADIUS
The following task flow assists you to ensure the VLAN is configured at the RADIUS server.

Figure 35 Configure VLAN at RADIUS

Navigation
• "Getting correct RADIUS server settings" (page 81)
• "Viewing RADIUS information" (page 82)
• "Configuring RADIUS" (page 82)

Getting correct RADIUS server settings
This section provides troubleshooting guidelines to determine what the RADIUS server settings are to be.

Procedure Steps
Step Action
1 Obtain network information from Planning and Engineering documentation to locate server information.

2 Obtain network information for RADIUS server.
--End--

Viewing RADIUS information
Obtain the RADIUS information to identify its settings. Use vendor documentation to display the settings.

Configuring RADIUS
Configure the RADIUS server with the correct VLAN information. Use vendor documentation to make the required changes. There are three attributes that the RADIUS server sends back to the NAS (switch) for RADIUS assigned VLANs. It is the same for all RADIUS vendors.
• Tunnel-Medium-Type – 802
• Tunnel-Pvt-Group-ID – <VLAN ID>
• Tunnel-Type – Virtual LANs (VLAN)

Configure switch
The VLAN has to be configured correctly on the ERS 2500 series device.

Task flow: Configure switch
The following task flow assists you to configure the VLAN on the device.
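The three RADIUS-assigned VLAN attributes listed above can be checked in a captured Access-Accept before any switch setting is changed. The following is an added example, not Nortel code; it assumes the standard attribute numbers and encodings of RFC 2868 and RFC 3580 (Tunnel-Type 64 = 13, Tunnel-Medium-Type 65 = 6, Tunnel-Private-Group-ID 81 as an ASCII VLAN ID), and both sample packets are constructed.

```python
from __future__ import annotations
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
# Expected values (assumed from RFC 2868 / RFC 3580): 13 = VLAN, 6 = 802.
EXPECTED = {TUNNEL_TYPE: ("Tunnel-Type", 13),
            TUNNEL_MEDIUM_TYPE: ("Tunnel-Medium-Type", 6)}


def parse_attributes(packet: bytes) -> dict[int, bytes]:
    """Bounds-checked walk of the attribute list in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs[a_type] = packet[pos + 2:pos + a_len]  # last instance wins
        pos += a_len
    return attrs


def check_vlan_attributes(packet: bytes) -> tuple[int | None, list[str]]:
    """Return (VLAN ID or None, list of problems) for one Access-Accept."""
    attrs, problems, vlan_id = parse_attributes(packet), [], None
    for a_type, (name, want) in EXPECTED.items():
        value = attrs.get(a_type)
        if value is None:
            problems.append(f"{name} missing")
            continue
        if len(value) != 4:  # one tag byte followed by a 3-byte integer
            problems.append(f"{name} is not a tag byte plus 3-byte value")
            continue
        got = int.from_bytes(value[1:], "big")
        if got != want:
            problems.append(f"{name} is {got}, expected {want}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        problems.append("Tunnel-Private-Group-ID missing")
    else:
        if group and group[0] <= 0x1F:  # optional leading tag byte
            group = group[1:]
        text = group.decode("ascii", errors="replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            vlan_id = int(text)
        else:
            problems.append(f"Tunnel-Private-Group-ID {text!r} is not a VLAN ID")
    return vlan_id, problems


def build_accept(attrs: list[tuple[int, bytes]]) -> bytes:
    """Constructed sample packet; the authenticator is zeroed and not verified."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body))
    return header + bytes(16) + body


# Constructed samples: a complete reply for VLAN 20, and a reply that omits
# Tunnel-Medium-Type and carries a name instead of a VLAN ID.
GOOD = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"20")])
BAD = build_accept([(64, b"\x00\x00\x00\x0d"), (81, b"\x01finance")])

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("bad", BAD)):
        print(label, check_vlan_attributes(pkt))
```

The input is the raw RADIUS payload of an Access-Accept taken from a capture between the switch and the server; the check does not verify the Response Authenticator.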

Figure 36 Configure switch task

Navigation
• "Showing EAPOL multihost" (page 84)
• "Enabling use of RADIUS assigned VLANs" (page 85)
• "Showing EAPOL multihost interface" (page 85)
• "Showing VLAN config control" (page 85)
• "Changing VLAN config from strict to flexible" (page 86)
• "Showing spanning tree" (page 86)
• "Adding RADIUS assigned VLAN to desired STG" (page 86)

Showing EAPOL multihost
Identify the EAPOL multihost information.

Procedure Steps
Step Action
1 Use the show eapol multihost command to display the multihost information.
2 Note the state of Allow Use of RADIUS Assigned VLANs.
--End--

Enabling use of RADIUS assigned VLANs
Change the allow RADIUS assigned VLAN to enable.

Procedure Steps
Step Action
1 Use the eapol multihost use-radius-assigned-vlan command to allow the use of VLAN IDs assigned by RADIUS.
2 Observe no errors after execution.
--End--

Showing EAPOL multihost interface
Display the EAPOL Interface.

Procedure Steps
Step Action
1 Use the show eapol multihost interface <port#> command to display the interface information.
2 Note the status of ALLOW RADIUS VLANs.
--End--

Showing VLAN config control
Display the VLAN config control information.

Procedure Steps
Step Action
1 Use the show vlan config control command to display the information.

2 Identify if config control is set to strict.
--End--

Changing VLAN config from strict to flexible
Set the VLAN config control to flexible to avoid complications with strict.

Procedure Steps
Step Action
1 Use the vlan config control flexible command to set the VLAN config control to flexible.
2 Observe no errors after execution.
--End--

Showing spanning tree
Display the VLANs added to the desired STG.

Procedure Steps
Step Action
1 Use the show spanning-tree stp <1-8> vlans command to display the information.
2 Identify if RADIUS assigned VLAN and original VLAN are in the same STG.
--End--

Adding RADIUS assigned VLAN to desired STG
Configure the VLAN that was assigned by RADIUS to the correct Spanning Tree Group. If the RADIUS assigned VLAN and the original VLAN are in the same STG, the EAP enabled port is moved to RADIUS assigned VLAN after EAP authentication succeeds.

Procedure Steps
Step Action
1 Use the spanning-tree stp <1-8> vlans command to make the change.

2 Review output to identify that the change was made.
--End--

Configured MAC is not authenticating
Correct a MAC to allow authentication.

Work flow: Configured MAC is not authenticating
The following work flow assists you to determine the cause and solution of a configured MAC that does not authenticate as expected.

Figure 37 Configured MAC is not authenticating

Navigation
• "Configure the switch" (page 87)

Configure the switch
Configure the switch with the correct settings to ensure the MAC is authenticating.

Task flow: Configure the switch
The following task flow assists you to ensure the MAC is authenticating on the ERS 2500 series device.

Figure 38 Configure the switch

Navigation
• "Showing EAPOL port" (page 89)
• "Setting global EAP enabled and port at eap-auto" (page 90)
• "Showing EAPOL multihost" (page 90)
• "Enabling allow Non-EAPOL clients" (page 90)
• "Showing EAPOL multihost interface" (page 91)
• "Enabling multihost status and allow non-EAPOL clients" (page 91)
• "Showing EAPOL multihost non-eap-mac interface" (page 91)
• "Ensuring MAC in the list" (page 92)

Showing EAPOL port
Display the EAPOL port information.

Procedure Steps
Step Action
1 Use the command show eapol port <port> to display the port information.
2 Note that EAP is to be enabled globally, and port at EAP is set to auto.
--End--

Setting global EAP enabled and port at eap-auto
Make the corrections to ensure the settings are as required.

Procedure Steps
Step Action
1 Use the eapol enable command to enable EAP globally.
2 Use the eapol status auto command to change port status to auto.
--End--

Showing EAPOL multihost
Display the EAPOL multihost information.

Procedure Steps
Step Action
1 Enter the show eapol multihost command to display the information.
2 Note that Allow Non-EAPOL clients is enabled.
--End--

Enabling allow Non-EAPOL clients
Correct the Non-EAPOL client attribute.

Procedure Steps
Step Action
1 Use the eapol multihost allow-non-eap-enable command to enable.

2 Observe no errors after execution.
--End--

Showing EAPOL multihost interface
Display the EAPOL multihost interface information.

Procedure Steps
Step Action
1 Enter the show eapol multihost interface <port#> command to display the information.
2 Note that Multihost status is enabled.
3 Note that Allow Non-EAPOL clients is enabled.
--End--

Enabling multihost status and allow non-EAPOL clients
Correct the Non-EAP client attribute.

Procedure Steps
Step Action
1 Use the eapol multihost enable command to enable multihost status.
2 Use the eapol multihost allow-non-eap-enable command to enable.
--End--

Showing EAPOL multihost non-eap-mac interface
Display the EAPOL multihost interface information.

Procedure Steps
Step Action
1 Enter the show eapol multihost non-eap-mac interface <port> command to display the information.
2 Note the MAC is in the list.
--End--

Ensuring MAC in the list
Add the MAC to the list in case it was omitted.

Procedure Steps
Step Action
1 Use the show eapol multihost non-eap-mac status <port> command to view MAC addresses.
2 Use the eapol multihost non-eap-mac <H.H.H> <port> command to add a MAC address to the list.
--End--

NEAP RADIUS MAC not authenticating
Correct a NEAP RADIUS MAC that is not authenticating.

Work flow: NEAP RADIUS MAC not authenticating
The following work flow assists you to determine the cause of and solution for a RADIUS MAC that does not authenticate.

Figure 39 NEAP RADIUS MAC not authenticating

Navigation
• "Configure switch" (page 93)
• "RADIUS server configuration error" (page 96)

Configure switch
Correct the switch configuration to resolve the issue with the RADIUS MAC.

Task flow: Configure switch
The following task flow assists you to configure the ERS 2500 series device to correct the RADIUS MAC issue.

Figure 40 Configure switch

Navigation
• "Displaying EAPOL port" (page 94)
• "Setting global eap enabled and port at eap-auto" (page 95)
• "Displaying EAPOL multihost" (page 95)
• "Enabling RADIUS to authenticate non-EAPOL clients" (page 95)
• "Formatting non-EAPOL RADIUS password attribute" (page 96)
• "Displaying EAPOL multihost interface" (page 96)
• "Enabling RADIUS To Auth Non-EAP MACs" (page 96)

Displaying EAPOL port
Display the EAPOL port information for review.

Procedure Steps
Step Action
1 Enter the show eapol port <port#> command to display the information.
2 Note the global eap is enabled and port is eap-auto.
--End--

Setting global eap enabled and port at eap-auto
Make the required changes to ensure the settings are correct.

Procedure Steps
Step Action
1 Use the eapol enable command to enable EAP globally.
2 Use the eapol status auto command to change port status to auto.
--End--

Displaying EAPOL multihost
Display the EAPOL Multihost information for review.

Procedure Steps
Step Action
1 Enter the show eapol port multihost command to display the information.
2 Note the following:
• Use RADIUS To Authenticate NonEAPOL Clients is enabled
• Non-EAPOL RADIUS Password Attribute Format: IpAddr.MACAddr.PortNumber
--End--

Enabling RADIUS to authenticate non-EAPOL clients
Make the required changes on the RADIUS server to authenticate Non-EAP clients. Apply changes to RADIUS server using vendor documentation.

Formatting non-EAPOL RADIUS password attribute
Make the required changes on the RADIUS server to the password format. RADIUS server is to have the format changed to IpAddr.MACAddr.PortNumber.

Displaying EAPOL multihost interface
Display the EAPOL Multihost information for review.

Procedure Steps
Step Action
1 Enter the show eapol multihost interface <port#> command to display the information.
2 Verify the following:
• Use RADIUS To Authenticate Non EAP MACs is enabled
--End--

Enabling RADIUS To Auth Non-EAP MACs
Make the required changes on the RADIUS server to authenticate Non-EAP clients. Apply changes to RADIUS server using vendor documentation.

RADIUS server configuration error
The RADIUS server requires that the correct MAC address and password for the ERS 2500 series device be configured.

Task flow: RADIUS server configuration error
The following task flow assists you to configure the RADIUS server with the correct MAC and password.

Figure 41 RADIUS server configuration error

Navigation
• "Configuring MAC and password on RADIUS server" (page 97)

Configuring MAC and password on RADIUS server
The RADIUS server requires that the MAC and password for the ERS 2500 series device be correct. If it is not correct, the ERS 2500 series device may not authenticate. Reference the vendor documentation for the RADIUS server.

NEAP MHSA MAC is not authenticating
Ensure that the switch is configured correctly.

Work flow: NEAP MHSA MAC is not authenticating
The following work flow assists you to determine the solution for an MHSA MAC not authenticating.

Figure 42 NEAP MHSA MAC is not authenticating

Navigation
• "Configure switch" (page 98)

Configure switch
Configure the switch to enable MHSA.

Task flow: Configure switch
The following task flow assists you to enable MHSA on the ERS 2500 series device.

Figure 43 Configure switch

Navigation
• "Showing EAPOL port" (page 100)
• "Setting global EAP enabled and port at eap-auto" (page 101)
• "Showing EAPOL multihost" (page 101)
• "Formatting non-EAPOL RADIUS password attribute" (page 101)
• "Showing EAPOL multihost interface" (page 102)
• "Enabling RADIUS to auth non-EAP MACs" (page 102)

Showing EAPOL port
Display the EAPOL port information for review.

Procedure Steps
Step Action
1 Enter the show eapol port <port#> command to display the information.
2 Note the global eap is enabled and port is eap-auto.
--End--

Setting global EAP enabled and port at eap-auto
Make the required changes to ensure the settings are correct.

Procedure Steps
Step Action
1 Use the eapol enable command to enable EAP globally.
2 Use the eapol status auto command to change port status to auto.
--End--

Showing EAPOL multihost
Display the EAPOL Multihost information for review.

Procedure Steps
Step Action
1 Enter the show eapol port multihost command to display the information.
2 Note the following:
• Use RADIUS To Authenticate NonEAPOL Clients is enabled
--End--

Formatting non-EAPOL RADIUS password attribute
Make the required changes on the RADIUS server to the password format. Use vendor documentation to make required changes on RADIUS server to change the format to IpAddr.MACAddr.PortNumber.

Enabling RADIUS to Authenticate NON-EAPOL Clients
Make the required changes on the RADIUS server to authenticate Non-EAP clients. Apply changes to RADIUS server using vendor documentation.

Showing EAPOL multihost interface
Display the EAPOL Multihost information for review.

Procedure Steps
Step Action
1 Enter the show eapol multihost interface <port#> command to display the information.
2 Note the following:
• Allow Auto Non-EAP MHSA: Enabled
--End--

Enabling RADIUS to auth non-EAP MACs
Make the required changes on the RADIUS server to authenticate Non-EAP clients. Apply changes to RADIUS server using vendor documentation.

EAP-NEAP unexpected port shutdown
Identify the reason for the port shutdown and make configuration changes to avoid future problems.

Work flow: EAP-NEAP unexpected port shutdown
The following work flow assists you to determine the solution for EAP-NEAP ports experiencing a shutdown.

Figure 44 EAP-NEAP unexpected port shutdown

Navigation

"Configure switch" (page 103)

Configure switch
Configure ports to allow more unauthorized clients.

Task flow: Configure switch
The following task flow assists you to allow an increased number of unauthorized clients on the ports.

Figure 45 Configure switch

Navigation

• "Showing Logs" (page 104)
• "Showing EAP-NEAP clients on port" (page 105)
• "Showing EAPOL port information" (page 105)
• "Making changes" (page 105)

Showing Logs
Display the log information to obtain additional detail.

Procedure Steps
Step Action
1 Use the show logging command to display the log.
2 Observe the log output and note any anomalies.
--End--

Showing EAP-NEAP clients on port
Display EAP-NEAP client information on the port to provide additional information.

Procedure Steps
Step Action
1 Use the show mac-address-table command to show the clients on the port.
2 Observe the log output and note any anomalies.
--End--

Showing EAPOL port information
Display the EAPOL port information to obtain additional detail.

Procedure Steps
Step Action
1 Use the show mac-address-table command to show the clients on the port.
2 Observe the log output and note any anomalies.
--End--

Making changes
This section provides troubleshooting guidelines for changing the EAP settings. It may clean up old MACs.


Procedure Steps
Step Action
1 Use the eap-force-unauthorised command to set the administrative state of the port to forced unauthorized.
2 Use the eapol status auto command to change to eap-auto to start.
3 Use the shut/no shut commands in the Interface Exec Mode.
--End--

Ethernet Routing Switch 2500 Series Troubleshooting
Copyright © 2008 Nortel Networks All Rights Reserved.
Printed in Canada
Release: 4.1 Publication: NN47215-700 Document status: Standard Document revision: 01.01 Document release date: 06 May 2008
To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback.
www.nortel.com