manualshive.com logo in svg

HPE FlexNetwork 10500 SERIES, Configuration Manual

The HPE FlexNetwork 10500 SERIES comes with a comprehensive Configuration Manual that enables users to expertly set up and optimize their network infrastructure. This essential manual is readily available for free download from our website, ensuring easy access to detailed instructions and valuable insights for maximizing network performance.

Share
Download
background image

 

291 

Managing security logs 

Security logs are very important for locating and troubleshooting network problems. Generally, 
security logs are output together with other logs. It is difficult to identify security logs among all logs. 

To solve this problem, you can save security logs to the security log file without affecting the current 
log output rules. 

Saving security logs to the security log file 

After you enable the saving of the security logs to the security log file: 

 

The system first outputs security logs to the security log file buffer. 

 

The system saves logs from the security log file buffer to the security log file at the specified 
interval (a user authorized the security-audit role can also manually save security logs to the 
security log file). 

 

After the security logs are saved, the buffer is cleared immediately. 

The device supports only one security log file. To avoid security log loss, you can set an alarm 
threshold for the security log file usage. When the alarm threshold is reached, the system outputs a 
message to inform the administrator.  The administrator can log in to the device with the 
security-audit user role and back up the security log file to prevent the loss of important data. 

To save security logs to the security log file: 

 

Step 

Command 

Remarks 

1. 

Enter system view. 

system-view 

N/A 

2. 

Enable the information 
center. 

info-center enable 

By default, the information center 
is enabled. 

3. 

Enable the saving of the 
security logs to the security 
log file. 

info-center security-logfile 
enable 

By default, saving security logs to 
the security log file is disabled. 

4. 

Set the interval at which the 
system saves security logs. 

info-center security-logfile 
frequency

 

freq-sec

 

The default saving interval is 
86400 seconds. 

5. 

(Optional.) Set the maximum 
size for the security log file. 

info-center security-logfile 
size-quota size

 

The default setting is 10 MB. 

6. 

(Optional.) Set the alarm 
threshold of the security log 
file usage. 

info-center security-logfile 
alarm-threshold

 

usage

 

By default, the alarm threshold of 
the security log file usage is 80. 
When the usage of the security 
log file reaches 80%, the system 
will inform the user. 

 

Managing the security log file 

To use the security log file management commands in this section, a local user must be authorized 
the security-audit user role. For information about configuring  the security-audit user role,  see 

Security Command Reference

To manage the security log file: 

 

Task 

Command 

Remarks 

Display a summary of the security 
log file. 

display security-logfile 
summary

 

Available in user view. 

Summary of Contents for FlexNetwork 10500 SERIES

Page 1: ...HPE FlexNetwork 10500 Switch Series Network Management and Monitoring Configuration Guide Part number 5200 1904a Software version 10500 CMW710 R7557P01 Document version 6W101 20171020 ...

Page 2: ...nd 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise ...

Page 3: ... operation 18 Configuring the TCP operation 19 Configuring the UDP echo operation 20 Configuring the UDP tracert operation 20 Configuring the voice operation 22 Configuring the DLSw operation 24 Configuring the path jitter operation 24 Configuring optional parameters for the NQA operation 25 Configuring the collaboration feature 26 Configuring threshold monitoring 27 Configuring the NQA statistics...

Page 4: ...ity 80 NTP for MPLS L3VPN instances 81 Protocols and standards 82 Configuration restrictions and guidelines 82 Configuration task list 82 Enabling the NTP service 82 Configuring NTP association mode 82 Configuring NTP in client server mode 83 Configuring NTP in symmetric active passive mode 83 Configuring NTP in broadcast mode 84 Configuring NTP in multicast mode 85 Configuring access control righ...

Page 5: ...onfiguring SNMPv1 or SNMPv2c basic parameters 123 Configuring SNMPv3 basic parameters 125 Configuring SNMP logging 129 Configuring SNMP notifications 130 Enabling SNMP notifications 130 Configuring the SNMP agent to send notifications to a host 130 Displaying the SNMP settings 132 SNMPv1 SNMPv2c configuration example 132 Network requirements 132 Configuration procedure 133 Verifying the configurat...

Page 6: ...g configuration data retrieval example 162 Example for retrieving a data entry for the interface table 163 Example for changing the value of a parameter 164 Saving rolling back and loading the configuration 165 Saving the configuration 165 Rolling back the configuration based on a configuration file 165 Rolling back the configuration based on a rollback point 166 Loading the configuration 170 Exam...

Page 7: ...rce ports for the local mirroring group 220 Configuring source CPUs for the local mirroring group 221 Configuring the monitor port for the local mirroring group 222 Configuring Layer 2 remote port mirroring 222 Layer 2 remote port mirroring with configurable reflector port configuration task list 223 Layer 2 remote port mirroring with egress port configuration task list 223 Configuring a remote de...

Page 8: ... Configuring the NetStream aggregation data export 255 Displaying and maintaining NetStream 256 NetStream configuration examples 257 NetStream traditional data export configuration example 257 NetStream aggregation data export configuration example 259 Configuring IPv6 NetStream 263 Overview 263 IPv6 NetStream architecture 263 Flow aging 264 IPv6 NetStream data export 264 Protocols and standards 2...

Page 9: ...ving logs to the log file 290 Managing security logs 291 Saving security logs to the security log file 291 Managing the security log file 291 Saving diagnostic logs to the diagnostic log file 292 Configuring the maximum size of the trace log file 293 Setting the minimum storage period for log files and logs in the log buffer 293 Logs in the log buffer 293 Log files 294 Configuration procedure 294 ...

Page 10: ... 325 VCF fabric configuration task list 326 Enabling VCF fabric topology discovery 326 Configuration restrictions and guidelines 326 Configuration procedure 326 Configuring automated underlay network provisioning 326 Configuration restrictions and guidelines 326 Configuration procedure 327 Configuring automated overlay network deployment 327 Configuration restrictions and guidelines 327 Configurat...

Page 11: ...dure 347 Verifying the configuration 355 Document conventions and icons 356 Conventions 356 Network topology icons 357 Support and other resources 358 Accessing Hewlett Packard Enterprise Support 358 Accessing updates 358 Websites 359 Customer self repair 359 Remote support 359 Documentation feedback 359 Index 361 ...

Page 12: ...nds in any view Task Command Determine if an address in an IP network is reachable When you configure the ping command for a low speed network set a larger value for the timeout timer indicated by the t keyword in the command For IPv4 networks ping ip a source ip c count f h ttl i interface type interface number m interval n p pad q r s packet size t timeout tos tos v vpn instance vpn instance nam...

Page 13: ... route is reachable Get detailed information about routes from Device A to Device C DeviceA ping r 1 1 2 2 Ping 1 1 2 2 1 1 2 2 56 data bytes press CTRL_C to break 56 bytes from 1 1 2 2 icmp_seq 0 ttl 254 time 4 685 ms RR 1 1 2 1 1 1 2 2 1 1 1 2 1 1 1 1 56 bytes from 1 1 2 2 icmp_seq 1 ttl 254 time 4 834 ms same route 56 bytes from 1 1 2 2 icmp_seq 2 ttl 254 time 4 770 ms same route 56 bytes from ...

Page 14: ...rt works as shown in Figure 2 1 The source device sends a UDP packet with a TTL value of 1 to the destination device The destination UDP port is not used by any application on the destination device 2 The first hop Device B the first Layer 3 device that receives the packet responds by sending a TTL expired ICMP error message to the source with its IP address 1 1 1 2 encapsulated This way the sourc...

Page 15: ...nd on the devices For more information about this command see Layer 3 IP Services Command Reference Enable sending of ICMPv6 destination unreachable packets on the destination device If the destination device is an HPE device execute the ipv6 unreachables enable command For more information about this command see Layer 3 IP Services Command Reference Using a tracert command to identify failed or a...

Page 16: ...Device B DeviceB system view DeviceB ip ttl expires enable Enable sending of ICMP destination unreachable packets on Device C DeviceC system view DeviceC ip unreachables enable Execute the tracert command on Device A DeviceA tracert 1 1 2 2 traceroute to 1 1 2 2 1 1 2 2 30 hops at most 40 bytes each packet press CTRL_C to break 1 1 1 1 2 1 1 1 2 1 ms 2 ms 1 ms 2 3 4 5 DeviceA The output shows that...

Page 17: ...a terminal only when both the module debugging switch and the screen output switch are turned on Debugging information is typically displayed on a console You can also send debugging information to other destinations For more information see Configuring the information center Figure 4 Relationship between the module and screen output switch Debugging a feature module Output of debugging commands i...

Page 18: ...7 Step Command Remarks 2 Optional Display the enabled debugging in any view display debugging module name N A ...

Page 19: ...formance and server response time All types of NQA operations require the NQA client but only the TCP UDP echo UDP jitter and voice operations require the NQA server The NQA operations for services that are already provided by the destination device such as FTP do not need the NQA server You can configure the NQA server to listen and respond to specific IP addresses and ports to meet various test ...

Page 20: ...ify application modules of state or performance changes so that the application modules can take predefined actions Figure 6 Collaboration The following describes how a static route destined for 192 168 0 88 is monitored through collaboration 1 NQA monitors the reachability to 192 168 0 88 2 When 192 168 0 88 becomes unreachable NQA notifies the Track module of the change 3 The Track module notifi...

Page 21: ...A server Required for TCP UDP echo UDP jitter and voice operations Required Enabling the NQA client N A Required Perform at least one of the following tasks Configuring NQA operations on the NQA client Configuring NQA templates on the NQA client When you configure an NQA template to analyze network performance the feature that uses the template performs the NQA operation Configuring the NQA server...

Page 22: ...onfiguration task list Tasks at a glance Required Perform at least one of the following tasks Configuring the ICMP echo operation Configuring the ICMP jitter operation Configuring the DHCP operation Configuring the DNS operation Configuring the FTP operation Configuring the HTTP operation Configuring the UDP jitter operation Configuring the SNMP operation Configuring the TCP operation Configuring ...

Page 23: ... string is the hexhexadecimal string 00010203040506070809 7 Optional Specify the output interface for ICMP echo requests out interface interface type interface number By default the output interface for ICMP echo requests is not specified The NQA client determines the output interface based on the routing table lookup 8 Optional Specify the source IP address for ICMP echo requests Use the IP addre...

Page 24: ... Optional Set the number of ICMP packets sent in one ICMP jitter operation probe packet number packet number The default setting is 10 6 Optional Set the interval for sending ICMP packets probe packet interval interval The default setting is 20 milliseconds 7 Optional Specify how long the NQA client waits for a response from the server before it regards the response times out probe packet timeout ...

Page 25: ...ptional Specify the source IP address of DHCP request packets source ip ip address By default the packets take the primary IP address of the output interface as their source IP address The specified source IP address must be the IP address of a local interface and the local interface must be up Otherwise no probe packets can be sent out The NQA client adds the source IP address to the giaddr field...

Page 26: ... NQA operation and enter NQA operation view nqa entry admin name operation tag By default no NQA operations exist 3 Specify the FTP type and enter its view type ftp N A 4 Specify the URL of the destination FTP server url url By default no URL is specified for the destination FTP server Enter the URL in one of the following formats ftp host filename ftp host port filename When you perform the get o...

Page 27: ...esource 5 Specify an HTTP login username username username By default no HTTP login username is specified 6 Specify an HTTP login password password cipher simple string By default no HTTP login password is specified 7 Optional Specify the source IP address of request packets source ip ip address By default the packets take the primary IP address of the output interface as their source IP address T...

Page 28: ...NQA client 3 Upon receiving the responses the NQA client calculates the jitter according to the timestamps The UDP jitter operation requires both the NQA server and the NQA client Before you perform the UDP jitter operation configure the UDP listening service on the NQA server For more information about UDP listening service configuration see Configuring the NQA server To configure a UDP jitter op...

Page 29: ...ets probe packet interval interval The default setting is 20 milliseconds 12 Optional Specify how long the NQA client waits for a response from the server before it regards the response times out probe packet timeout timeout The default setting is 3000 milliseconds NOTE Use the display nqa result or display nqa statistics command to verify the UDP jitter operation The display nqa history command d...

Page 30: ...nformation about the TCP listening service configuration see Configuring the NQA server To configure the TCP operation Step Command Remarks 1 Enter system view system view N A 2 Create an NQA operation and enter NQA operation view nqa entry admin name operation tag By default no NQA operations exist 3 Specify the TCP type and enter its view type tcp N A 4 Specify the destination address of TCP pac...

Page 31: ...number is specified The destination port number must be the same as the port number of the listening service on the NQA server 6 Optional Set the payload size for each UDP packet data size size The default setting is 100 bytes 7 Optional Specify the payload fill string for UDP packets data fill string The default payload fill string is the hexhexadecimal string 00010203040506070809 8 Optional Spec...

Page 32: ...ation device by its IP address destination ip ip address By default no destination IP address or host name is specified 5 Optional Specify the destination port of UDP packets destination port port number By default the destination port number is 33434 This port number must be an unused number on the destination device so that the destination device can reply with ICMP port unreachable messages 6 O...

Page 33: ...2 The destination device time stamps each voice packet it receives and sends it back to the source 3 Upon receiving the packet the source device calculates the jitter and one way delay based on the timestamp The following parameters that reflect VoIP network performance can be calculated by using the metrics gathered by the voice operation Calculated Planning Impairment Factor ICPIF Measures impai...

Page 34: ...ess By default the packets take the primary IP address of the output interface as their source IP address The source IP address must be the IP address of a local interface and the interface must be up Otherwise no voice packets can be sent out 9 Optional Specify the source port number of voice packets source port port number By default no source port number is specified 10 Optional Set the payload...

Page 35: ... can be sent out Configuring the path jitter operation The path jitter operation measures the jitter negative jitters and positive jitters from the NQA client to each hop on the path to the destination Before you configure the path jitter operation perform the following tasks Enable sending ICMP time exceeded messages on the intermediate devices between the source and destination devices If the in...

Page 36: ...sponse times out probe packet timeout timeout The default setting is 3000 milliseconds 11 Optional Specify an LSR path lsr path ip address 1 8 By default no LSR path is specified The path jitter operation uses the tracert to detect the LSR path to the destination and sends ICMP echo requests to each hop on the LSR 12 Optional Perform the path jitter operation only on the destination address target...

Page 37: ...oice operations 8 Set the maximum number of hops that the probe packets can traverse ttl value The default setting is 30 for probe packets of the UDP tracert operation and is 20 for probe packets of other types of operations This command is not available for the DHCP or path jitter operation 9 Set the ToS value in the IP header of probe packets tos value The default setting is 0 10 Enable the rout...

Page 38: ...threshold violation occurs accumulate If the total number of times that the monitored performance metric is out of the specified value range reaches or exceeds the specified threshold a threshold violation occurs consecutive If the number of consecutive times that the monitored performance metric is out of the specified value range reaches or exceeds the specified threshold a threshold violation o...

Page 39: ...A 2 Create an NQA operation and enter NQA operation view nqa entry admin name operation tag By default no NQA operations exist 3 Enter NQA operation view type dhcp dlsw dns ftp http icmp echo icmp jitter snmp tcp udp echo udp jitter udp tracert voice The threshold monitoring feature is not available for the path jitter operation 4 Enable sending traps to the NMS when specific conditions are met re...

Page 40: ...hreshold lower threshold action type none trap only Monitor packet loss only for the ICMP jitter UDP jitter and voice operations reaction item number checked element packet loss threshold type accumulate accumulate occurrences action type none trap only Monitor the one way jitter only for the ICMP jitter UDP jitter and voice operations reaction item number checked element jitter ds jitter sd thres...

Page 41: ...ault setting is 60 minutes 5 Optional Set the maximum number of statistics groups that can be saved statistics max group number The default setting is two groups To disable the NQA statistics collection feature set the maximum number to 0 When the maximum number of statistics groups is reached to save a new statistics group the oldest statistics group is deleted 6 Optional Set the hold time of sta...

Page 42: ...nd guidelines You cannot enter the operation type view or the operation view of a scheduled NQA operation A system time adjustment does not affect started or completed NQA operations It affects only the NQA operations that have not started To schedule the NQA operation on the NQA client Step Command 1 Enter system view system view 2 Specify the scheduling parameters for an NQA operation nqa schedu...

Page 43: ...s of the operation IPv4 address destination ip ip address IPv6 address destination ipv6 ipv6 address By default no destination IP address is configured 4 Optional Set the payload size for each ICMP request data size size The default setting is 100 bytes 5 Optional Specify the payload fill string for requests data fill string The default payload fill string is the hexhexadecimal string 000102030405...

Page 44: ...be returned If the returned IP addresses include the expected address the DNS server is valid and the operation succeeds Otherwise the operation fails Create a mapping between the domain name and an address before you perform the DNS operation For information about configuring the DNS server see Layer 3 IP Services Configuration Guide To configure the DNS template Step Command Remarks 1 Enter syst...

Page 45: ... tests only whether the client can establish a TCP connection to the server The TCP operation requires both the NQA server and the NQA client Before you perform a TCP operation configure a TCP listening service on the NQA server For more information about the TCP listening service configuration see Configuring the NQA server To configure the TCP template Step Command Remarks 1 Enter system view sy...

Page 46: ...f open operation the NQA client sends a TCP ACK packet to the server If the client receives an RST packet it considers that the TCP service is available on the server To configure the TCP half open template Step Command Remarks 1 Enter system view system view N A 2 Create a TCP half open template and enter its view nqa template tcphalfopen name By default no TCP half open templates exist 3 Optiona...

Page 47: ...r and the NQA client Before you perform a UDP operation configure a UDP listening service on the NQA server For more information about the UDP listening service configuration see Configuring the NQA server To configure the UDP template Step Command Remarks 1 Enter system view system view N A 2 Create a UDP template and enter its view nqa template udp name By default no UDP templates exist 3 Option...

Page 48: ... in decimal notation and it includes the status information for the HTTP server The first digit defines the class of response Configure the HTTP server before you perform the HTTP operation To configure the HTTP template Step Command Remarks 1 Enter system view system view N A 2 Create an HTTP template and enter its view nqa template http name By default no HTTP templates exist 3 Specify the URL o...

Page 49: ...red 13 Optional Configure the expected data expect data expression offset number By default no expected data is configured Configuring the HTTPS template A feature that uses the HTTPS template performs the HTTPS operation to measure the time it takes for the NQA client to obtain data from an HTTPS server The expected data is checked only when the expected data is configured and the HTTPS response ...

Page 50: ...e HTTPS request content is not specified 11 Optional Return to HTTPS template view quit The system automatically saves the configuration in raw request view before it returns to HTTPS template view 12 Optional Specify the source IP address for the probe packets IPv4 address source ip ip address IPv6 address source ipv6 ipv6 address By default the packets take the primary IP address of the output i...

Page 51: ...form the put operation This configuration does not take effect for the get operation By default no file is specified 8 Set the data transmission mode mode active passive The default mode is active 9 Optional Specify the source IP address for the probe packets IPv4 address source ip ip address IPv6 address source ipv6 ipv6 address By default the packets take the primary IP address of the output int...

Page 52: ...ername username By default no username is specified 6 Specify a password password cipher simple string By default no password is specified 7 Specify a shared key for secure RADIUS authentication key cipher simple string By default no shared key is specified for RADIUS authentication 8 Optional Specify the source IP address for the probe packets IPv4 address source ip ip address IPv6 address source...

Page 53: ...e To configure optional parameters for an NQA template Step Command Remarks 1 Enter system view system view N A 2 Create an NQA template and enter its view nqa template dns ftp http https icmp ssl tcp tcphalfopen udp name By default no NQA templates exist 3 Configure a description description text By default no description is configured 4 Set the interval at which the NQA operation repeats frequen...

Page 54: ...rations display nqa history admin name operation tag Display the current monitoring results of reaction entries display nqa reaction counters admin name operation tag item number Display the most recent result of the NQA operation display nqa result admin name operation tag Display NQA statistics display nqa statistics admin name operation tag Display NQA server status display nqa server status NQ...

Page 55: ...ion to perform 10 probes DeviceA nqa admin test1 icmp echo probe count 10 Set the probe timeout time to 500 milliseconds for the ICMP echo operation DeviceA nqa admin test1 icmp echo probe timeout 500 Configure the ICMP echo operation to repeat every 5000 milliseconds DeviceA nqa admin test1 icmp echo frequency 5000 Enable saving history records DeviceA nqa admin test1 icmp echo history record ena...

Page 56: ...eded 2007 08 23 15 00 01 2 366 3 Succeeded 2007 08 23 15 00 01 2 365 3 Succeeded 2007 08 23 15 00 01 2 364 3 Succeeded 2007 08 23 15 00 01 1 363 2 Succeeded 2007 08 23 15 00 01 1 362 3 Succeeded 2007 08 23 15 00 01 1 361 2 Succeeded 2007 08 23 15 00 01 1 The output shows that the packets sent by Device A can reach Device B through Device C No packet loss occurs during the operation The minimum max...

Page 57: ...ip time 1 2 1 Square Sum of round trip time 13 Last packet received time 2015 03 09 17 40 29 8 Extended results Packet loss ratio 0 Failures due to timeout 0 Failures due to internal error 0 Failures due to other errors 0 Packets out of sequence 0 Packets arrived late 0 ICMP jitter results RTT number 10 Min positive SD 0 Min positive DS 0 Max positive SD 0 Max positive DS 0 Positive SD number 0 Po...

Page 58: ...ositive DS number 46 Positive SD sum 18 Positive DS sum 49 Positive SD average 1 Positive DS average 1 Positive SD square sum 18 Positive DS square sum 55 Min negative SD 1 Min negative DS 1 Max negative SD 1 Max negative DS 2 Negative SD number 24 Negative DS number 57 Negative SD sum 24 Negative DS sum 58 Negative SD average 1 Negative DS average 1 Negative SD square sum 24 Negative DS square su...

Page 59: ...st1 test results Send operation times 1 Receive response times 1 Min Max Average round trip time 512 512 512 Square Sum of round trip time 262144 Last succeeded probe time 2011 11 22 09 56 03 2 Extended results Packet loss ratio 0 Failures due to timeout 0 Failures due to internal error 0 Failures due to other errors 0 Display the history records of the DHCP operation SwitchA display nqa history a...

Page 60: ...st1 start time now lifetime forever After the DNS operation runs for a period of time stop the operation DeviceA undo nqa schedule admin test1 Display the most recent result of the DNS operation DeviceA display nqa result admin test1 NQA entry admin admin tag test1 test results Send operation times 1 Receive response times 1 Min Max Average round trip time 62 62 62 Square Sum of round trip time 38...

Page 61: ...ice to upload file config txt to the FTP server DeviceA nqa admin test1 ftp operation put DeviceA nqa admin test1 ftp filename config txt Set the username to admin for the FTP operation DeviceA nqa admin test1 ftp username admin Set the password to systemtest for the FTP operation DeviceA nqa admin test1 ftp password simple systemtest Enable the saving of history records DeviceA nqa admin test1 ft...

Page 62: ... IP addresses to interfaces as shown in Figure 12 Details not shown Configure static routes or a routing protocol to make sure the devices can reach each other Details not shown Create an HTTP operation DeviceA system view DeviceA nqa entry admin test1 DeviceA nqa admin test1 type http Specify the URL of the HTTP server DeviceA nqa admin test http url http 10 2 2 2 index htm Configure the HTTP ope...

Page 63: ...ceeded 2011 11 22 10 12 47 9 The output shows that it took Device A 64 milliseconds to obtain data from the HTTP server UDP jitter operation configuration example Network requirements As shown in Figure 13 configure a UDP jitter operation to test the jitter delay and round trip time between Device A and Device B Figure 13 Network diagram Configuration procedure 1 Assign IP addresses to interfaces ...

Page 64: ...ip time 15 32 17 Square Sum of round trip time 3235 Last packet received time 2011 05 29 13 56 17 6 Extended results Packet loss ratio 0 Failures due to timeout 0 Failures due to internal error 0 Failures due to other errors 0 Packets out of sequence 0 Packets arrived late 0 UDP jitter results RTT number 10 Min positive SD 4 Min positive DS 1 Max positive SD 21 Max positive DS 28 Positive SD numbe...

Page 65: ...er 158 Positive SD sum 2602 Positive DS sum 1928 Positive SD average 13 Positive DS average 12 Positive SD square sum 45304 Positive DS square sum 31682 Min negative SD 1 Min negative DS 1 Max negative SD 30 Max negative DS 78 Negative SD number 181 Negative DS number 209 Negative SD sum 181 Negative DS sum 209 Negative SD average 13 Negative DS average 14 Negative SD square sum 46994 Negative DS ...

Page 66: ... Enable the saving of history records DeviceA nqa admin test1 snmp history record enable DeviceA nqa admin test1 snmp quit Start the SNMP operation DeviceA nqa schedule admin test1 start time now lifetime forever After the SNMP operation runs for a period of time stop the operation DeviceA undo nqa schedule admin test1 Display the most recent result of the SNMP operation DeviceA display nqa result...

Page 67: ... TCP port 9000 DeviceB nqa server tcp connect 10 2 2 2 9000 4 Configure Device A Create a TCP operation DeviceA system view DeviceA nqa entry admin test1 DeviceA nqa admin test1 type tcp Specify 10 2 2 2 as the destination IP address DeviceA nqa admin test1 tcp destination ip 10 2 2 2 Set the destination port number to 9000 DeviceA nqa admin test1 tcp destination port 9000 Enable the saving of his...

Page 68: ... a UDP echo operation on the NQA client to test the round trip time to Device B The destination port number is 8000 Figure 16 Network diagram Configuration procedure 1 Assign IP addresses to interfaces as shown in Figure 16 Details not shown 2 Configure static routes or a routing protocol to make sure the devices can reach each other Details not shown 3 Configure Device B Enable the NQA server Dev...

Page 69: ... Failures due to other errors 0 Display the history records of the UDP echo operation DeviceA display nqa history admin test1 NQA entry admin admin tag test1 history records Index Response Status Time 1 25 Succeeded 2011 11 22 10 36 17 9 The output shows that the round trip time between Device A and port 8000 on Device B is 25 milliseconds UDP tracert operation configuration example Network requir...

Page 70: ...e 6 Set the TTL value to 1 for UDP packets in the start round of the UDP tracert operation DeviceA nqa admin test1 udp tracert init ttl 1 Start the UDP tracert operation DeviceA nqa schedule admin test1 start time now lifetime forever After the UDP tracert operation runs for a period of time stop the operation DeviceA undo nqa schedule admin test1 Display the most recent result of the UDP tracert ...

Page 71: ...P port 9000 DeviceB nqa server udp echo 10 2 2 2 9000 4 Configure Device A Create a voice operation DeviceA system view DeviceA nqa entry admin test1 DeviceA nqa admin test1 type voice Specify 10 2 2 2 as the destination IP address DeviceA nqa admin test1 voice destination ip 10 2 2 2 Set the destination port number to 9000 DeviceA nqa admin test1 voice destination port 9000 DeviceA nqa admin test...

Page 72: ...e 2 Negative DS average 6 Negative SD square sum 53655 Negative DS square sum 1691776 One way results Max SD delay 343 Max DS delay 985 Min SD delay 343 Min DS delay 985 Number of SD delay 1 Number of DS delay 1 Sum of SD delay 343 Sum of DS delay 985 Square Sum of SD delay 117649 Square Sum of DS delay 970225 SD lost packets 0 DS lost packets 0 Lost packets for unknown reason 0 Voice scores MOS v...

Page 73: ...of SD delay 1390 Sum of DS delay 1079 Square Sum of SD delay 483202 Square Sum of DS delay 973651 SD lost packets 0 DS lost packets 0 Lost packets for unknown reason 0 Voice scores Max MOS value 4 38 Min MOS value 4 38 Max ICPIF value 0 Min ICPIF value 0 DLSw operation configuration example Network requirements As shown in Figure 19 configure a DLSw operation to test the response time of the DLSw ...

Page 74: ...ures due to internal error 0 Failures due to other errors 0 Display the history records of the DLSw operation DeviceA display nqa history admin test1 NQA entry admin admin tag test1 history records Index Response Status Time 1 19 Succeeded 2011 11 22 10 40 27 7 The output shows that the response time of the DLSw device is 19 milliseconds Path jitter operation configuration example Network requirem...

Page 75: ...in test1 NQA entry admin admin tag test1 test results Hop IP 10 1 1 2 Basic Results Send operation times 10 Receive response times 10 Min Max Average round trip time 9 21 14 Square Sum of round trip time 2419 Extended Results Failures due to timeout 0 Failures due to internal error 0 Failures due to other errors 0 Packets out of sequence 0 Packets arrived late 0 Path Jitter Results Jitter number 9...

Page 76: ...the static route with track entry 1 SwitchA system view SwitchA ip route static 10 1 1 2 24 10 2 1 1 track 1 3 On Switch A configure an ICMP echo operation Create an NQA operation with the administrator name admin and operation tag test1 SwitchA nqa entry admin test1 Configure the NQA operation type as ICMP echo SwitchA nqa admin test1 type icmp echo Specify 10 2 1 1 as the destination IP address ...

Page 77: ... 1 1 Vlan3 10 2 1 0 24 Direct 0 0 10 2 1 2 Vlan3 10 2 1 0 32 Direct 0 0 10 2 1 2 Vlan3 10 2 1 2 32 Direct 0 0 127 0 0 1 InLoop0 10 2 1 255 32 Direct 0 0 10 2 1 2 Vlan3 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 127 255 255 255 32 Direct 0 0 127 0 0 1 InLoop0 224 0 0 0 4 Direct 0 0 0 0 0 0 NULL0 224 0 0 0 24 Direct 0 ...

Page 78: ...op0 127 255 255 255 32 Direct 0 0 127 0 0 1 InLoop0 224 0 0 0 4 Direct 0 0 0 0 0 0 NULL0 224 0 0 0 24 Direct 0 0 0 0 0 0 NULL0 255 255 255 255 32 Direct 0 0 127 0 0 1 InLoop0 The output shows that the static route does not exist and the status of the track entry is negative ICMP template configuration example Network requirements As shown in Figure 22 configure an ICMP template for a feature to pe...

Page 79: ...eA nqatplt icmp icmp reaction trigger probe fail 2 DNS template configuration example Network requirements As shown in Figure 23 configure a DNS template for a feature to perform the DNS operation The operation tests whether Device A can perform the address resolution through the DNS server Figure 23 Network diagram Configuration procedure Assign IP addresses to interfaces as shown in Figure 23 De...

Page 80: ...he devices can reach each other Details not shown 3 Configure Device B Enable the NQA server DeviceB system view DeviceB nqa server enable Configure a listening service to listen to the IP address 10 2 2 2 and TCP port 9000 DeviceB nqa server tcp connect 10 2 2 2 9000 4 Configure Device A Create TCP template tcp DeviceA system view DeviceA nqa template tcp tcp Specify 10 2 2 2 as the destination I...

Page 81: ...consecutive successful probes reaches 2 DeviceA nqatplt tcphalfopen test reaction trigger probe pass 2 Configure the NQA client to notify the feature of the operation failure if the number of consecutive failed probes reaches 2 DeviceA nqatplt tcphalfopen test reaction trigger probe fail 2 UDP template configuration example Network requirements As shown in Figure 26 configure a UDP template for a ...

Page 82: ...n HTTP template for a feature to perform the HTTP operation The operation tests whether the NQA client can get data from the HTTP server Figure 27 Network diagram Configuration procedure Assign IP addresses to interfaces as shown in Figure 27 Details not shown Configure static routes or a routing protocol to make sure the devices can reach each other Details not shown Create the HTTP template http...

Page 83: ...t https https ssl client policy abc Set the HTTPS operation type to get the default HTTPS operation type DeviceA nqatplt https https operation get Set the HTTPS version to 1 0 the default HTTPS version DeviceA nqatplt https https version v1 0 Configure the NQA client to notify the feature of the successful operation event if the number of consecutive successful probes reaches 2 DeviceA nqatplt htt...

Page 84: ...mple systemtest Configure the NQA client to notify the feature of the successful operation event if the number of consecutive successful probes reaches 2 DeviceA nqatplt ftp ftp reaction trigger probe pass 2 Configure the NQA client to notify the feature of the operation failure if the number of consecutive failed probes reaches 2 DeviceA nqatplt ftp ftp reaction trigger probe fail 2 RADIUS templa...

Page 85: ... operation failure if the number of consecutive failed probes reaches 2 DeviceA nqatplt radius radius reaction trigger probe fail 2 SSL template configuration example Network requirements As shown in Figure 31 configure an SSL template for a feature to test whether Device A can establish an SSL connection to the SSL server on Device B Figure 31 Network diagram Configuration procedure Assign IP add...

Page 86: ...sful operation event if the number of consecutive successful probes reaches 2 DeviceA nqatplt ssl ssl reaction trigger probe pass 2 Configure the NQA client to notify the feature of the operation failure if the number of consecutive failed probes reaches 2 DeviceA nqatplt ssl ssl reaction trigger probe fail 2 ...

Page 87: ... time synchronized among devices by changing their system clocks one by one NTP runs over UDP and uses UDP port 123 NOTE NTP is supported only on the following Layer 3 interfaces Layer 3 Ethernet interfaces Layer 3 Ethernet subinterfaces Layer 3 aggregate interfaces Layer 3 aggregate subinterfaces VLAN interfaces and tunnel interfaces How NTP works Figure 32 shows how NTP synchronizes the system t...

Page 88: ...ased on the timestamps The roundtrip delay of the NTP message Delay T4 T1 T3 T2 2 seconds Time difference between Device A and Device B Offset T2 T1 T3 T4 2 1 hour Based on these parameters Device A can be synchronized to Device B This is only a rough description of the work mechanism of NTP For more information see the related protocols and standards NTP architecture NTP uses stratums 1 to 16 to ...

Page 89: ... information about clock selection see the related protocols and standards If the devices in a network cannot synchronize to an authoritative time source you can perform the following tasks Select a device that has a relatively accurate clock from the network Use the local clock of the device as the reference clock to synchronize other devices in the network Association modes NTP supports the foll...

Page 90: ...A symmetric active peer and a symmetric passive peer can be synchronized to each other If both of them are synchronized the peer with a higher stratum is synchronized to the peer with a lower stratum As Figure 33 shows this mode is most often used between servers with the same stratum to operate as a backup for one another If a server fails to communicate with all the servers of a lower stratum th...

Page 91: ...trol queries such as alarms authentication status and time server information and allows the local device to synchronize itself to a peer device Server Allows time requests and NTP control queries but does not allow the local device to synchronize itself to a peer device Synchronization Allows only time requests from a system whose address passes the access list criteria Query Allows only NTP cont...

Page 92: ...passive peer in an MPLS L3VPN instance As shown in Figure 35 users in VPN 1 and VPN 2 are connected to the MPLS backbone network through provider edge PE devices VPN instances vpn1 and vpn2 have been created for VPN 1 and VPN 2 respectively on the PEs Services of the two VPN instances are isolated Time synchronization between PEs and devices in the two VPN instances can be realized if you perform ...

Page 93: ... the clock protocol command on the specfied Multitenant Device Context MDC to specify the time protocol as NTP For more information about the clock protocol command see device management commands in Fundamentals Command Reference You can configure NTP only on one MDC Configuration task list Tasks at a glance Required Enabling the NTP service Required Perform one or both of the following tasks Conf...

Page 94: ...e type interface number version number Specify an IPv6 NTP server for the device ntp service ipv6 unicast server server name ipv6 address vpn instance vpn instance name authentication keyid keyid maxpoll maxpoll interval minpoll minpoll interval priority source interface type interface number By default no NTP server is specified Configuring NTP in symmetric active passive mode Follow these guidel...

Page 95: ...NTP in broadcast mode on both the broadcast server and client Configuring a broadcast client Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number Enter the interface for receiving NTP broadcast messages 3 Configure the device to operate in broadcast client mode ntp service broadcast client By default the device does not operate i...

Page 96: ...e does not operate in any NTP association mode After you execute the command the device receives NTP multicast messages from the specified interface Configuring the multicast server Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number Enter the interface for sending NTP multicast message 3 Configure the device to operate in multi...

Page 97: ...ormation about ACL see ACL and QoS Configuration Guide Configuring NTP authentication This section provides instructions for configuring NTP authentication Configuring NTP authentication in client server mode To ensure a successful NTP authentication configure the same key ID and key value on the server and client To configure NTP authentication for a client Step Command Remarks 1 Enter system vie...

Page 98: ...sha 1 hmac sha 256 hmac sha 384 hmac sha 512 md5 cipher simple string By default no NTP authentication key exists 4 Configure the key as a trusted key ntp service reliable authentication keyid keyid By default no authentication key is configured as a trusted key NTP authentication results differ when different configurations are performed on client and server For more information see Table 3 N A i...

Page 99: ...onfiguring NTP authentication in symmetric active passive mode To ensure a successful NTP authentication configure the same key ID and key value on the active peer and passive peer To configure NTP authentication for an active peer Step Command Remarks 1 Enter system view system view N A 2 Enable NTP authentication ntp service authentication enable By default NTP authentication is disabled 3 Confi...

Page 100: ...md5 cipher simple string By default no NTP authentication key exists 4 Configure the key as a trusted key ntp service reliable authentication keyid keyid By default no authentication key is configured as a trusted key NTP authentication results differ when different configurations are performed on active peer and passive peer For more information see Table 4 N A in the table means that whether the...

Page 101: ...d received correctly No N A N A No N A No authentication NTP messages can be sent and received correctly The active peer has a higher stratum than the passive peer Yes No Yes N A N A Failed NTP messages cannot be sent and received correctly The passive peer has a higher stratum than the active peer Yes No Yes Yes N A Failed NTP messages cannot be sent and received correctly Yes No Yes No N A No au...

Page 102: ...uthentication key exists 4 Configure the key as a trusted key ntp service reliable authentication keyid keyid By default no authentication key is configured as a trusted key 5 Enter interface view interface interface type interface number N A 6 Associate the specified key with the broadcast server ntp service broadcast server authentication keyid keyid By default the broadcast server is not associ...

Page 103: ...nt and received correctly No N A N A No N A No authentication NTP messages can be sent and received correctly Configuring NTP authentication in multicast mode To ensure a successful NTP authentication configure the same key ID and key value on the multicast server and client To configure NTP authentication for a multicast client Step Command Remarks 1 Enter system view system view N A 2 Enable NTP...

Page 104: ...yid Associate the specified key with an IPv6 multicast server ntp service ipv6 multicast server ipv6 multicast address authentication keyid keyid By default no multicast server is associated with the specified key NTP authentication results differ when different configurations are performed on broadcast client and server For more information see Table 6 N A in the table means that whether the conf...

Page 105: ... received correctly Configuring NTP optional parameters The configuration tasks in this section are optional tasks Configure them to improve NTP security performance or reliability Specifying the source interface for NTP messages To prevent interface status changes from causing NTP communication failures configure the device to use the IP address of an interface that is always up For example you c...

Page 106: ...to receive NTP messages Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Disable the interface to receive NTP messages For IPv4 undo ntp service inbound enable For IPv6 undo ntp service ipv6 inbound enable By default an interface receives NTP messages Configuring the maximum number of dynamic associations NTP has the fo...

Page 107: ...fault DSCP value is 48 for IPv4 packets and 56 for IPv6 packets Configuring the local clock as a reference source Follow these guidelines when you configure the local clock as a reference source Make sure the local clock can provide the time accuracy required for the network After you configure the local clock as a reference source the local clock is synchronized and can operate as a time server t...

Page 108: ... stratum level 2 Configure Device B to operate in client mode and Device A to be used as the NTP server for Device B Figure 36 Network diagram Configuration procedure 1 Assign an IP address to each interface and make sure Device A and Device B can reach each other as shown in Figure 36 Details not shown 2 Configure Device A Enable the NTP service DeviceA system view DeviceA ntp service enable Spec...

Page 109: ...figured Total sessions 1 IPv6 NTP client server mode configuration example Network requirements As shown in Figure 37 perform the following tasks Configure the local clock of Device A as a reference source with stratum level 2 Configure Device B to operate in client mode and Device A to be used as the IPv6 NTP server for Device B Figure 37 Network diagram Configuration procedure 1 Assign an IP add...

Page 110: ... Dec 29 2010 19 01 45 598 Verify that an IPv6 NTP association has been established between Device B and Device A DeviceB display ntp service ipv6 sessions Notes 1 source master 2 source peer 3 selected 4 candidate 5 configured Source 12345 3000 34 Reference 127 127 1 0 Clock stratum 2 Reachabilities 15 Poll interval 64 Last receive time 19 Offset 0 0 Roundtrip delay 0 0 Dispersion 0 0 Total sessio...

Page 111: ...eer 3 0 1 31 Local mode sym_passive Reference clock ID 3 0 1 31 Leap indicator 00 Clock jitter 0 000916 s Stability 0 000 pps Clock precision 2 17 Root delay 0 00609 ms Root dispersion 1 95859 ms Reference time 83aec681 deb6d3e5 Wed Jan 8 2014 14 33 11 081 Verify that an IPv4 NTP association has been established between Device B and Device A DeviceB display ntp service sessions source reference st...

Page 112: ...ce B has synchronized to Device A DeviceB display ntp service status Clock status synchronized Clock stratum 3 System peer 3000 35 Local mode sym_passive Reference clock ID 251 73 79 32 Leap indicator 11 Clock jitter 0 000977 s Stability 0 000 pps Clock precision 2 18 Root delay 0 01855 ms Root dispersion 9 23483 ms Reference time d0c6047c 97199f9f Wed Dec 29 2010 19 03 24 590 Verify that an IPv6 ...

Page 113: ...ch B and Switch C can reach each other as shown in Figure 40 Details not shown 2 Configure Switch C Enable the NTP service SwitchC system view SwitchC ntp service enable Specify the local clock as the reference source with stratum level 2 SwitchC ntp service refclock master 2 Configure Switch C to operate in broadcast server mode and send broadcast messages through VLAN interface 2 SwitchC interfa...

Page 114: ...2572 ms Reference time d0d289fe ec43c720 Sat Jan 8 2011 7 00 14 922 Verify that an IPv4 NTP association has been established between Switch A and Switch C SwitchA Vlan interface2 display ntp service sessions source reference stra reach poll now offset delay disper 1245 3 0 1 31 127 127 1 0 2 1 64 519 0 0 0 0022 4 1257 Notes 1 source master 2 source peer 3 selected 4 candidate 5 configured Total se...

Page 115: ... enable Configure Switch D to operate in multicast client mode and receive multicast messages on VLAN interface 2 SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service multicast client 4 Verify the configuration Switch D and Switch C are on the same subnet so Switch D can do the following Receive the multicast messages from Switch C without being enabled with the multicast functio...

Page 116: ...st routing and IGMP SwitchB system view SwitchB multicast routing SwitchB mrib quit SwitchB interface vlan interface 2 SwitchB Vlan interface2 pim dm SwitchB Vlan interface2 quit SwitchB vlan 3 SwitchB vlan3 port gigabitethernet 1 0 1 SwitchB vlan3 quit SwitchB interface vlan interface 3 SwitchB Vlan interface3 igmp enable SwitchB Vlan interface3 igmp static group 224 0 1 1 SwitchB Vlan interface3...

Page 117: ...cted 4 candidate 5 configured Total sessions 1 IPv6 NTP multicast mode configuration example Network requirements As shown in Figure 42 Switch C functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices Configure Switch C s local clock as a reference source with stratum level 2 Configure Switch C to operate in IPv6 multicast ser...

Page 118: ...pv6 multicast client ff24 1 4 Verify the configuration Switch D and Switch C are on the same subnet so Switch D can do the following Receive the IPv6 multicast messages from Switch C without being enabled with the IPv6 multicast functions Synchronize to Switch C Verify that Switch D has synchronized to Switch C and the clock stratum level is 3 on Switch D and 2 on Switch C SwitchD Vlan interface2 ...

Page 119: ...3 quit SwitchB mld snooping SwitchB mld snooping quit SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 mld snooping static group ff24 1 vlan 3 6 Configure Switch A Enable the NTP service SwitchA system view SwitchA ntp service enable Configure Switch A to operate in IPv6 multicast client mode and receive IPv6 multicast messages on VLAN interface 3 SwitchA interface vlan interfa...

Page 120: ...to operate in client mode and specify Device A as the NTP server of Device B Configure NTP authentication on both Device A and Device B Figure 43 Network diagram Configuration procedure 1 Assign an IP address to each interface and make sure Device A and Device B can reach each other as shown in Figure 43 Details not shown 2 Configure Device A Enable the NTP service DeviceA system view DeviceA ntp ...

Page 121: ...B display ntp service status Clock status synchronized Clock stratum 3 System peer 1 0 1 11 Local mode client Reference clock ID 1 0 1 11 Leap indicator 00 Clock jitter 0 005096 s Stability 0 000 pps Clock precision 2 18 Root delay 0 00655 ms Root dispersion 1 15869 ms Reference time d0c62687 ab1bba7d Wed Dec 29 2010 21 28 39 668 Verify that an IPv4 NTP association has been established between Dev...

Page 122: ...hentication keyid 88 authentication mode md5 simple 123456 SwitchA ntp service reliable authentication keyid 88 Configure Switch A to operate in NTP broadcast client mode and receive NTP broadcast messages on VLAN interface 2 SwitchA interface vlan interface 2 SwitchA Vlan interface2 ntp service broadcast client 3 Configure Switch B Enable the NTP service SwitchB system view SwitchB ntp service en...

Page 123: ... C Configure an NTP authentication key with the key ID of 88 and key value of 123456 Input the key in plain text and specify it as a trusted key SwitchC ntp service authentication enable SwitchC ntp service authentication keyid 88 authentication mode md5 simple 123456 SwitchC ntp service reliable authentication keyid 88 Specify Switch C as an NTP broadcast server and associate the key 88 with Swit...

Page 124: ... the VPN instance vpn1 as the NTP server of PE 2 Figure 45 Network diagram Configuration procedure Before you perform the following configuration be sure you have completed MPLS L3VPN related configurations For information about configuring MPLS L3VPN see MPLS Configuration Guide 1 Assign an IP address to each interface as shown in Figure 45 Make sure CE 1 and PE 1 PE 1 and PE 2 and PE 2 and CE 3 ...

Page 125: ...now offset delay disper 1245 10 1 1 1 127 127 1 0 2 1 64 519 0 0 0 0065 0 0 Notes 1 source master 2 source peer 3 selected 4 candidate 5 configured Total sessions 1 Verify that server 127 0 0 1 has synchronized to server 10 1 1 1 and server 10 1 1 1 has synchronized to the local clock PE2 display ntp service trace Server 127 0 0 1 Stratum 3 jitter 0 000 synch distance 796 50 Server 10 1 1 1 Stratu...

Page 126: ...el 2 CE1 ntp service refclock master 2 3 Configure PE 1 Enable the NTP service PE1 system view PE1 ntp service enable Specify CE 1 in the VPN instance vpn1 as the symmetric passive peer of PE 1 PE1 ntp service unicast peer 10 1 1 1 vpn instance vpn1 4 Verify the configuration Verify that PE 1 has synchronized to CE 1 with stratum level 3 PE1 display ntp service status Clock status synchronized Clo...

Page 127: ...t delay disper 1245 10 1 1 1 127 127 1 0 2 1 64 519 0 0 0 0000 0 0 Notes 1 source master 2 source peer 3 selected 4 candidate 5 configured Total sessions 1 Verify that server 127 0 0 1 has synchronized to server 10 1 1 1 and server 10 1 1 1 has synchronized to the local clock PE1 display ntp service trace Server 127 0 0 1 Stratum 3 jitter 0 000 synch distance 796 50 Server 10 1 1 1 Stratum 2 jitte...

Page 128: ...SNTP follow these restrictions and guidelines You cannot configure both NTP and SNTP on the same device Make sure you use the clock protocol command on the specfied Multitenant Device Context MDC to specify the time protocol as NTP You can configure SNTP only on one MDC Configuration task list Tasks at a glance Required Enabling the SNTP service Required Specifying an NTP server for the device Opt...

Page 129: ...you configure SNTP authentication Enable authentication on both the NTP server and the SNTP client Configure the SNTP client to use the same authentication key ID and key value as the NTP server and specify the key as a trusted key on both the NTP server and the SNTP client For information about configuring NTP authentication on an NTP server see Configuring NTP Associate the specified key with an...

Page 130: ...sessions SNTP configuration example Network requirements As shown in Figure 47 perform the following tasks Configure the local clock of Device A as a reference source with stratum level 2 Configure Device B to operate in SNTP client mode and specify Device A as the NTP server Configure NTP authentication on Device A and SNTP authentication on Device B Figure 47 Network diagram Configuration proced...

Page 131: ... B DeviceB sntp authentication enable Configure an SNTP authentication key with the key ID of 10 and key value of aNiceKey Input the key in plain text DeviceB sntp authentication keyid 10 authentication mode md5 simple aNiceKey Specify the key as a trusted key DeviceB sntp reliable authentication keyid 10 Specify Device A as the NTP server of Device B and associate the server with key 10 DeviceB s...

Page 132: ...e variables for example interface status and CPU usage maintained by the SNMP agent for the SNMP manager to read and set Figure 48 Relationship between NMS agent and MIB MIB and view based MIB access control A MIB stores variables called nodes or objects in a tree hierarchy and identifies each node with a unique OID An OID is a dotted numeric string that uniquely identifies the path from the root ...

Page 133: ...ackets for integrity authenticity and confidentiality Access control modes SNMP uses the following modes to control access to MIB objects View based Access Control Model VACM mode controls access to MIB objects by assigning MIB views to SNMP communities or users Role based access control RBAC mode controls access to MIB objects by assigning user roles to SNMP communities or users SNMP communities ...

Page 134: ... SNMP agent is enabled when you use any command that begins with snmp agent except for the snmp agent calculate password command 3 Optional Configure the system contact snmp agent sys info contact sys contact The default system contact is Hewlett Packard Enterprise Company 3000 Hanover St Palo Alto CA 94304 4 Optional Configure the system location snmp agent sys info location sys location By defau...

Page 135: ...snmp agent community simple cipher community name user role role name acl ipv4 acl number name ipv4 acl name acl ipv6 ipv6 acl number name ipv6 acl name Method 2 Create an SNMPv1 v2c group and add users to the group a snmp agent group v1 v2c group name read view view name write view view name notify view view name acl ipv4 acl number name ipv4 acl name acl ipv6 ipv6 acl number name ipv6 acl name b...

Page 136: ... are managed in groups All SNMPv3 users in a group share the same security model but can use different authentication and privacy key settings To implement a security model for a user and avoid SNMP communication failures make sure the security model configuration for the group and the security key settings for the user are compliant with Table 7 and match the settings on the NMS Table 7 Basic sec...

Page 137: ...NT After you change the local engine ID the existing SNMPv3 users and encrypted keys become invalid and you must reconfigure them 7 Optional Set an engine ID for a remote SNMP entity snmp agent remote ipv4 address ipv6 ipv6 address vpn instance vpn instance name engineid engineid By default no remote entity engine IDs exist This step is required for the device to send SNMPv3 notifications to a hos...

Page 138: ...view view name write view view name notify view view name acl ipv4 acl number name ipv4 acl name acl ipv6 ipv6 acl number name ipv6 acl name By default no SNMP groups exist 10 Optional Calculate the encrypted form for a key in plaintext form In non FIPS mode snmp agent calculate password plain password mode 3desmd5 3dessha aes192md5 aes192sha aes256md5 aes256sha md5 sha local engineid specified en...

Page 139: ... acl name acl ipv6 ipv6 acl number name ipv6 acl name In FIPS mode in VACM mode snmp agent usm user v3 user name group name remote ipv4 address ipv6 ipv6 address vpn instance vpn instance name cipher simple authentication mode sha auth password privacy mode aes128 aes192 aes256 priv password acl ipv4 acl number name ipv4 acl name acl ipv6 ipv6 acl number name ipv6 acl name In FIPS mode in RBAC mod...

Page 140: ...NMP notifications and SNMP authentication failures but does not log Get responses Get operation The agent logs the IP address of the NMS name of the accessed node and node OID Set operation The agent logs the NMS IP address name of accessed node node OID variable value and error code and index for the Set operation Notification tracking The agent logs the SNMP notifications after sending them to t...

Page 141: ... linkdown linkup warmstart system By default SNMP configuration notifications standard notifications and system notifications are enabled Whether other SNMP notifications are enabled varies by modules 3 Enter interface view interface interface type interface number N A 4 Enable link state notifications enable snmp trap updown By default link state notifications are enabled Configuring the SNMP age...

Page 142: ... address udp domain ipv4 address ipv6 ipv6 address udp port port number vpn instance vpn instance name params securityname security string v3 authentication privacy In non FIPS mode Send informs to the target host snmp agent target host inform address udp domain ipv4 address ipv6 ipv6 address udp port port number vpn instance vpn instance name params securityname security string v2c v3 authenticat...

Page 143: ...their notification enabling status display snmp agent trap list Display SNMPv3 user information display snmp agent usm user engineid engineid username user name group group name Display SNMPv1 or SNMPv2c community information This command is not supported in FIPS mode display snmp agent community read write Display MIB view information display snmp agent mib view exclude include viewname view name...

Page 144: ...s the community name To make sure the NMS can receive traps specify the same SNMP version in the snmp agent target host command as is configured on the NMS Agent snmp agent trap enable Agent snmp agent target host trap address udp domain 1 1 1 2 params securityname public v1 2 Configure the SNMP NMS Specify SNMPv1 Create the read only community public and create the read and write community privat...

Page 145: ...and the privacy key 123456TESTencr Figure 51 Network diagram Configuration procedure Configuring SNMPv3 in RBAC mode 1 Configure the agent Configure the IP address of the agent and make sure the agent and the NMS can reach each other Details not shown Create the user role test and permit test to have read access to the snmpMIB node OID 1 3 6 1 6 3 1 including the linkUp and linkDown objects Agent ...

Page 146: ...er Details not shown Create SNMPv3 group managev3group and assign managev3group read only access to the objects under the snmpMIB node OID 1 3 6 1 6 3 1 in the test view including the linkUp and linkDown objects Agent system view Agent undo snmp agent mib view ViewDefault Agent snmp agent mib view included test snmpMIB Agent snmp agent group v3 managev3group privacy read view test Assign SNMPv3 gr...

Page 147: ... the NMS must match Verifying the configuration Use username RBACtest to access the agent Retrieve the value of the sysName node The value Agent is returned Set the value for the sysName node to Sysname The operation fails because the NMS does not have write access to the node Shut down or bring up an interface on the agent The NMS receives linkUP OID 1 3 6 1 6 3 1 1 5 4 or linkDown OID 1 3 6 1 6 ...

Page 148: ...tics group history group event group alarm group probe configuration group and user history group Hewlett Packard Enterprise also implements a private alarm group which enhances the standard alarm group The probe configuration group and user history group are not configurable from the CLI To configure these two groups you must access the MIB For more information about MIB settings for RMON see Com...

Page 149: ...n or equal to the falling threshold a falling alarm event is triggered The event group defines the action to take on the alarm event If an alarm entry crosses a threshold multiple times in succession the RMON agent generates an alarm event only for the first crossing For example if the value of a sampled alarm variable crosses the rising threshold multiple times before it crosses the falling thres...

Page 150: ...ts the statistics function through the Ethernet statistics group and the history group The Ethernet statistics group provides the cumulative statistic for a variable from the time the statistics entry is created to the current time For more information about the configuration see Creating an RMON Ethernet statistics entry The history group provides statistics that are sampled for a variable for ea...

Page 151: ... guidelines To send notifications to the NMS when an alarm is triggered configure the SNMP agent as described in Configuring SNMP before configuring the RMON alarm function For a new event alarm or private alarm entry to be created The entry must not have the same set of parameters as an existing entry The maximum number of entries is not reached Table 8 shows the parameters to be compared for dup...

Page 152: ...cycle period owner text By default no RMON alarm entries or RMON private alarm entries exist You can associate an alarm with an event that has not been created yet The alarm will trigger the event only after the event is created Displaying and maintaining RMON settings Execute display commands in any view Task Command Display RMON statistics display rmon statistics interface type interface number ...

Page 153: ...ize 64 235 65 127 67 128 255 4 256 511 1 512 1023 0 1024 1518 0 Get the traffic statistics from the NMS through SNMP Details not shown History group configuration example Network requirements As shown in Figure 54 create an RMON history control entry on the device to sample traffic statistics for GigabitEthernet 1 0 1 every minute Figure 54 Network diagram Configuration procedure Create an RMON hi...

Page 154: ...either of the following conditions is met The 5 second delta sample for the traffic statistic crosses the rising threshold 100 The 5 second delta sample for the traffic statistic drops below the falling threshold 50 Figure 55 Network diagram Configuration procedure Configure the SNMP agent the device with the same SNMP settings as the NMS at 1 1 1 2 This example uses SNMPv1 read community public a...

Page 155: ...ser1 is VALID Sample type delta Sampled variable 1 3 6 1 2 1 16 1 1 1 4 1 etherStatsOctets 1 Sampling interval in seconds 5 Rising threshold 100 associated with event 1 Falling threshold 50 associated with event 1 Alarm sent upon entry startup risingOrFallingAlarm Latest value 0 Display statistics for GigabitEthernet 1 0 1 Sysname display rmon statistics gigabitethernet 1 0 1 EtherStatsEntry 1 own...

Page 156: ...be configuration data status data and statistics information For information about the operable data see the NETCONF XML API reference for the device Operations get get config edit config The operations layer defines a set of base operations invoked as RPC methods with XML encoded parameters NETCONF base operations include data retrieval operations configuration operations lock operations and sess...

Page 157: ...filter get bulk rpc NETCONF over SOAP All NETCONF over SOAP messages are XML based and comply with RFC 4741 NETCONF messages are contained in the Body element of SOAP messages NETCONF over SOAP messages also comply with the following rules SOAP messages must use the SOAP Envelope namespaces SOAP messages must use the SOAP Encoding namespaces SOAP messages cannot contain the following information D...

Page 158: ...e to NETCONF messages and sends them to the device to implement NETCONF operations This method is the most commonly used method Custom Web interface N A To use this method you must enable NETCONF over SOAP By default the device cannot interpret Custom Web interfaces URLs For the device to interpret these URLs you must encode the NETCONF messages sent from a custom Web interface in SOAP Protocols a...

Page 159: ...tional Performing the get config get bulk config operation Optional Performing the edit config operation Optional Saving rolling back and loading the configuration Optional Filtering data Optional Performing CLI operations through NETCONF Optional Retrieving NETCONF information Optional Retrieving YANG file contentRetrieving YANG file content Optional Retrieving NETCONF session information Optiona...

Page 160: ...PS traffic netconf soap https acl acl number name acl name By default no ACL is applied to NETCONF over SOAP traffic 5 Specify a mandatory authentication domain for NETCONF users netconf soap domain domain name By default no mandatory authentication domain is specified for NETCONF users For information about authentication domains see Security Configuration Guide Enabling NETCONF over SSH This fea...

Page 161: ...that uses the common namespace the namespace is indicated in the top element and the modules are listed under the top element Example rpc message id 100 xmlns urn ietf Params xml ns netconf base 1 0 get bulk filter type subtree top xmlns http www hp com netconf data 1 0 Ifmgr Interfaces Interfaces Ifmgr top filter get bulk rpc Module specific namespace Each module has its own namespace A packet th...

Page 162: ...u can perform any other NETCONF operations You can use the aaa session limit command to set the maximum number of NETCONF sessions that the device can support If the upper limit is reached new NETCONF users cannot access the device For information about this command see Security Configuration Guide Before performing a NETCONF operation make sure no other users are configuring or managing the devic...

Page 163: ...conf writable runnin g capability capability urn ietf params netconf capability notification 1 0 capabi lity capability urn ietf params netconf capability validate 1 1 capability capabil ity urn ietf params netconf capability interleave 1 0 capability capability urn hp params netconf capability hp netconf ext 1 0 capability capabilities session id 1 session id hello The capabilities parameter repr...

Page 164: ...nts the event stream type supported by the device Only NETCONF is supported The event parameter represents an event to which you subscribe The code parameter represents a mnemonic symbol The group parameter represents the module name The severity parameter represents the severity level of the event The start time parameter represents the start time of the subscription The stop time argument repres...

Page 165: ...01 xmlns urn ietf params xml ns netconf base 1 0 create subscription xmlns urn ietf params xml ns netconf notification 1 0 stream NETCONF stream create subscription rpc Verifying the configuration If the client receives the following response the subscription is successful xml version 1 0 encoding UTF 8 rpc reply xmlns urn ietf params xml ns netconf base 1 0 message id 101 ok rpc reply If fan 1 on...

Page 166: ...olding the lock can change the configuration and other users can only read the configuration In addition only the user holding the lock can release the lock After the lock is released other users can change the current configuration or lock the configuration If the session of the user that holds the lock is terminated the system automatically releases the lock Locking the configuration Copy the fo...

Page 167: ...sname xml Notify the device of the NETCONF capabilities supported on the client hello xmlns urn ietf params xml ns netconf base 1 0 capabilities capability urn ietf params netconf base 1 0 capability capabilities hello Lock the configuration xml version 1 0 encoding UTF 8 rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 lock target running target lock rpc Verifying the configuratio...

Page 168: ...stion marks before sending the data to the client Performing the get get bulk operation The get operation is used to retrieve device configuration and state information that match the conditions In some cases this operation leads to inefficiency The get bulk operation is used to retrieve a number of data entries starting from the data entry next to the one with the specified index One data entry c...

Page 169: ...milar A get bulk message carries the count and index attributes The following is a get bulk message example xml version 1 0 encoding UTF 8 rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 xmlns xc http www hp com netconf base 1 0 get bulk filter type subtree top xmlns http www hp com netconf data 1 0 xmlns base http www hp com netconf base 1 0 Syslog Logs xc count 5 Log Index 10 In...

Page 170: ...ig request the device returns a response in the following format if the operation is successful xml version 1 0 rpc reply message id 100 xmlns urn ietf params xml ns netconf base 1 0 data All data matching the specified filter data rpc reply Performing the edit config operation The edit config operation supports the following operation attributes merge create replace remove delete default operatio...

Page 171: ...re Enter XML view Sysname xml Notify the device of the NETCONF capabilities supported on the client hello xmlns urn ietf params xml ns netconf base 1 0 capabilities capability urn ietf params netconf base 1 0 capability capabilities hello Retrieve configuration data for all modules rpc message id 100 xmlns urn ietf params xml ns netconf base 1 0 get config source running source get config rpc Veri...

Page 172: ...Index VlanType 2 VlanType Interface Interface IfIndex 1313 IfIndex VlanType 2 VlanType Interface Interfaces Ifmgr Syslog LogBuffer BufferSize 120 BufferSize LogBuffer Syslog System Device SysName HPE SysName TimeZone Zone Z Zone ZoneName ZoneName TimeZone Device System Fundamentals WebUI SessionAgingTime 98 SessionAgingTime WebUI Fundamentals top data rpc reply ...

Page 173: ...trieve configuration data for the Syslog module rpc message id 100 xmlns urn ietf params xml ns netconf base 1 0 get config source running source filter type subtree top xmlns http www hp com netconf config 1 0 Syslog top filter get config rpc Verifying the configuration If the client receives the following text the get config operation is successful xml version 1 0 encoding UTF 8 rpc reply xmlns ...

Page 174: ...k filter type subtree top xmlns http www hp com netconf data 1 0 xmlns web http www hp com netconf base 1 0 Ifmgr Interfaces web count 1 Interfaces Ifmgr top filter get bulk rpc Verifying the configuration If the client receives the following text the get bulk operation is successful rpc reply xmlns urn ietf params xml ns netconf base 1 0 xmlns web urn ietf params xml ns netconf base 1 0 message i...

Page 175: ...ity urn ietf params netconf base 1 0 capability capabilities hello Change the log buffer size for the Syslog module to 512 rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 xmlns web urn ietf params xml ns netconf base 1 0 edit config target running target config top xmlns http www hp com netconf config 1 0 web operation merge Syslog LogBuffer BufferSize 512 BufferSize LogBuffer Sys...

Page 176: ...le The OverWrite attribute determines whether to overwrite the specified file if the file already exists If the attribute uses the default value true the current configuration is saved and the original file is overwritten If the attribute value is set to false the current configuration cannot be saved and the system displays an error message After receiving the save request the device returns a re...

Page 177: ...is step to configure multiple rollback points 5 Roll back the configuration based on the rollback point For more information see Performing the save point rollback operation The configuration can also be automatically rolled back based on the most recently configured rollback point when the NETCONF session idle time is longer than the rollback idle timeout time 6 End the rollback configuration For...

Page 178: ...ply Performing the save point rollback operation Copy the following text to the client to roll back the configuration rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 save point rollback commit id commit index commit label rollback save point rpc The commit id parameter uniquely identifies a rollback point The commit index parameter specifies 50 most recently configured rollback po...

Page 179: ...mit index commit label get commits save point rpc Specify one of the commit id commit index and commit label parameters to get the specified rollback point configuration records If no parameter is specified this operation gets records for all rollback point settings The following text is a save point get commits request example rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 save ...

Page 180: ...point The compare information parameter is optional If no parameter is specified this operation gets the configuration data corresponding to the most recently configured rollback point The following text is a save point get commit information request example rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 save point get commit information commit information commit label SUPPORT VL...

Page 181: ... name of the specified configuration file must start with the storage media name and end with the cfg extension After receiving the load request the device returns a response in the following format if the load operation is successful xml version 1 0 encoding UTF 8 rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 ok rpc reply Example for saving the configuration Network requi...

Page 182: ...ng for example IP address filtering The namespace is http www hp com netconf base 1 0 For information about the support for table based match see NETCONF XML API documents Copy the following text to the client to retrieve the longest data with VRF name vpn1 IP address 1 1 1 0 and mask length 24 from the IPv4 routing table rpc message id 100 xmlns urn ietf params xml ns netconf base 1 0 xmlns hp ht...

Page 183: ...he XML message equivalent to the above element value based full match filtering is as follows rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 get filter type subtree top xmlns http www hp com netconf data 1 0 xmlns data http www hp com netconf data 1 0 Ifmgr Interfaces Interface data AdminStatus 2 Interfaces Ifmgr top filter get rpc The above examples show that both element value ...

Page 184: ...e specified value The supported data types include date digit and character string Not more than match notMore value Not more than the specified value The supported data types include date digit and character string Equal match equal value Equal to the specified value The supported data types include date digit character string OID and BOOL Not equal match notEqual value Not equal to the specified...

Page 185: ...le under the Ifmgr module Configuration procedure Enter XML view Sysname xml Notify the device of the NETCONF capabilities supported on the client hello xmlns urn ietf params xml ns netconf base 1 0 capabilities capability urn ietf params netconf base 1 0 capability capabilities hello Retrieve all data including Gigabit in the Description column of the Interfaces table under the Ifmgr module xml v...

Page 186: ...2685 IfIndex Description GigabitEthernet1 0 2 Interface Description Interface Interface IfIndex 2689 IfIndex Description GigabitEthernet1 0 3 Interface Description Interface Interface Ifmgr top data rpc reply Example for filtering data by conditional match Network requirements Retrieve data in the Name column with the ifindex value not less than 5000 in the Interfaces table under the Ifmgr module ...

Page 187: ...op filter get rpc Verifying the configuration If the client receives the following text the operation is successful xml version 1 0 encoding UTF 8 rpc reply xmlns urn ietf params xml ns netconf base 1 0 xmlns nc http www hp com netconf base 1 0 message id 100 data top xmlns http www hp com netconf data 1 0 Ifmgr Interfaces Interface IfIndex 7241 IfIndex Name NULL0 Name Interface Interface IfIndex ...

Page 188: ...e device returns a response in the following format if the CLI operation is successful xml version 1 0 encoding UTF 8 rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 CLI Execution CDATA Responses to the commands Execution CLI rpc reply CLI operation example Configuration requirements Send the display current configuration command to the device Configuration procedure Enter X...

Page 189: ...ersion 7 1 052 Demo 2501005 sysname Sysname ftp server enable ftp update fast ftp timeout 2000 irf mac address persistent timer irf auto update enable undo irf link delay domain default enable system telnet server enable vlan 1 vlan 1000 radius scheme system primary authentication 127 0 0 1 1645 return Execution CLI rpc reply Retrieving NETCONF information Copy the following text to the client to ...

Page 190: ...lns urn ietf params xml ns netconf base 1 0 data ALL NETCONF information data rpc reply Retrieving YANG file content YANG files save the NETCONF operations supported by the device A user can know the supported operations by retrieving and analyzing the content of YANG files YANG files are integrated in the device software and are named in the format of yang_identifier yang_version yang You cannot ...

Page 191: ...pc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 get sessions Session SessionID Configuration session ID SessionID Line Line information Line UserName Name of the user creating the session UserName Since Time when the session was created Since LockHeld Whether the session holds a lock LockHeld Session get sessions rpc reply For example to get NETCONF session information Enter ...

Page 192: ... NETCONF session NETCONF allows one client to terminate the NETCONF session of another client The client whose session is terminated returns to user view Configuration procedure Copy the following message to the client to terminate the specified NETCONF session rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 kill session session id Specified session ID session id kill session rpc ...

Page 193: ... the following text the NETCONF session with session ID 2 has been terminated and the client with session ID 2 has returned from XML view to user view xml version 1 0 encoding UTF 8 rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 ok rpc reply Returning to the CLI To return from XML view to the CLI send the following close session request rpc message id 101 xmlns urn ietf par...

Page 194: ...conf base 1 0 get filter type subtree top xmlns http www hp com netconf data 1 0 Syslog Syslog top filter get rpc get config Retrieves the non default configuration data If non default configuration data does not exist the device returns a response with empty data To retrieve non default configuration data for the interface table rpc message id 100 xmlns urn ietf params xml ns netconf ba se 1 0 xm...

Page 195: ...p xmlns http www hp com netconf data 1 0 Ifmgr Interfaces xc count 5 xmlns xc http www hp com netconf base 1 0 Interface Interfaces Ifmgr top filter get bulk rpc get bulk config Retrieves a number of non default configuration data entries starting from the data entry next to the one with the specified index To retrieve non default configuration for all interfaces rpc message id 100 xmlns urn ietf ...

Page 196: ... For more information see NETCONF XML API documents To add VLANs 1 through 10 to an untagged VLAN list that has untagged VLANs 12 through 15 rpc message id 101 xmlns urn ietf params xml ns netconf ba se 1 0 hp xmlns http www hp com netconf base 1 0 edit config target running target config xmlns xc urn ietf params xml ns netconf base 1 0 top xmlns http www hp com netconf config 1 0 VLAN xc operatio...

Page 197: ... config create Creates a specified target To use the create attribute in the edit config operation you must specify the operation target If the table supports target creation and the specified target does not exist the operation creates and then configures the target If the specified target exists a data exist error message is returned The XML data format is the same as the edit config message wit...

Page 198: ...e syntax is the same as the edit config message with the merge attribute Change the operation attribute from merge to remove edit config delete Deletes the specified configuration If the specified target has only the table index the operation removes all configuration of the specified target and the target itself If the specified target has the table index and configuration data the operation remo...

Page 199: ...ified and the default operation method is specified as replace none Value used when the operation attribute is not specified and the default operation method is specified as none If this value is specified the edit config operation is used only for schema verification rather than issuing a configuration If the schema verification is passed a successful message is returned Otherwise an error messag...

Page 200: ...for two interfaces with the error option element value as continue on error rpc message id 101 xmlns urn ietf params xml ns netconf ba se 1 0 edit config target running target error option continue on error error o ption config xmlns xc urn ietf params xml ns netconf base 1 0 top xmlns http www hp com netconf config 1 0 Ifmgr xc operation merge Interfaces Interface IfIndex 262 IfIndex Description ...

Page 201: ...the configuration for an interface for test purposes rpc message id 101 xmlns urn ietf params xml ns netconf ba se 1 0 edit config target running target test option test only test option config xmlns xc urn ietf params xml ns netconf base 1 0 top xmlns http www hp com netconf config 1 0 Ifmgr xc operation merge Interfaces Interface IfIndex 262 IfIndex Description 222 Description ConfigSpeed 100000...

Page 202: ...1 0 unlock target running target unlock rpc get sessions Retrieves information about all NETCONF sessions in the system To retrieve information about all NETCONF sessions in the system rpc message id 101 xmlns urn ietf params xml ns netconf ba se 1 0 get sessions rpc close session Terminates the NETCONF session for the current user to unlock the configuration and release the resources for example ...

Page 203: ...ent configuration overwrites the original configuration file when the specified file already exists To save the running configuration to file test cfg rpc message id 101 xmlns urn ietf params xml ns netconf ba se 1 0 save OverWrite false file test cfg file save rpc load Loads the configuration After the device finishes the load operation the configuration in the specified file is merged into the c...

Page 204: ...ces Event sources are software or hardware modules that trigger events see Figure 56 For example the CLI module triggers an event when you enter a command The Syslog module the information center triggers an event when it receives a log message Event monitors EAA creates one event monitor to monitor the system for the event specified in each monitor policy An event monitor notifies the RTM to run ...

Page 205: ... as an exception shutdown start or restart Both manual and automatic state changes can cause the event to occur Hotplug Hotplug event occurs when a card is inserted in or removed from the monitored slot Interface Each interface event is associated with two user defined thresholds start and restart An interface event occurs when the monitored interface traffic statistic crosses the start threshold ...

Page 206: ... role required for performing action 2 When the policy is triggered EAA executes only action 1 For more information about user roles see RBAC in Fundamentals Configuration Guide Runtime Policy runtime limits the amount of time that the monitor policy can run from the time it is triggered This setting prevents system resources from being occupied by incorrectly defined policies EAA environment vari...

Page 207: ...ping occurs The device does not support this variable Interface _ifname Interface name SNMP _oid OID of the MIB variable where an SNMP operation is performed _oid_value Value of the MIB variable SNMP trap _oid OID that is included in the SNMP notification Process _process_name Process name User defined variables You can use user defined variables for all types of events User defined variable names...

Page 208: ...s are running concurrently You can assign the same policy name to a CLI defined policy and a Tcl defined policy However you cannot assign the same name to policies that are the same type The system executes the actions in a policy in ascending order of action IDs When you add actions to a policy you must make sure the execution order is correct Configuring a monitor policy from the CLI Step Comman...

Page 209: ...ot slot number In IRF mode Configure a process event event process exception restart shutdown start name process name instance instance id chassis chassis number slot slot number Configure an SNMP event event snmp oid oid monitor obj get next start op start op start val start val restart op restart op restart val restart val interval interval Configure an SNMP Notification event event snmp notific...

Page 210: ...he policy user role role name By default a monitor policy contains user roles that its creator had at the time of policy creation A monitor policy supports a maximum of 64 valid user roles User roles added after this limit is reached do not take effect An EAA policy cannot have both the security audit user role and any other user roles Any previously assigned user roles are automatically removed w...

Page 211: ...15 Tcl script requirements Line Content Requirements Line 1 Event user roles and policy runtime This line must use the following format comware rtm event_register eventname arg1 arg2 arg3 user role role name1 user role role name2 running time running time The arg1 arg2 arg3 arguments represent event matching rules If an argument value contains spaces use double quotation marks to enclose the value...

Page 212: ...tion center Configuration procedure Create CLI defined policy test and enter its view Sysname system view Sysname rtm cli policy test Add a CLI event that occurs when a question mark is entered at any command line that contains letters and digits Sysname rtm test event cli async mode help pattern a zA Z0 9 Add an action that sends the message hello world with a priority of 4 from the logging facil...

Page 213: ...reen Sysname d debugging delete diagnostic logfile dir display Sysname d May 7 02 10 03 218 2013 Sysname RTM 4 RTM_ACTION hello world May 7 02 10 04 176 2013 Sysname RTM 6 RTM_POLICY CLI policy test is running successfully Track event monitor policy configuration example Network requirements As shown in Figure 57 Device A has established BGP sessions with Device D and Device E Traffic from Device ...

Page 214: ...and associate it with the link state of GigabitEthernet 1 0 1 Sysname system view Sysname track 1 interface gigabitethernet 1 0 1 Configure a CLI defined EAA monitor policy so that the system automatically disables session establishment with Device D and Device E when GigabitEthernet 1 0 1 is down Sysname rtm cli policy test Sysname rtm test event track 1 state negative Sysname rtm test action 0 c...

Page 215: ...riable for IP address assignment When the event occurs the system performs the following tasks Creates the Loopback 0 interface Assigns 1 1 1 1 24 to the interface Sends the matching command line to the information center Configuration procedure Configure an EAA environment variable for IP address assignment The variable name is loopback0IP and the variable value is 1 1 1 1 Sysname system view Sys...

Page 216: ...014 Sysname RTM 6 RTM_POLICY CLI policy test is running successfully Verify that Loopback 0 has been created and assigned the IP address 1 1 1 1 Sysname display interface loopback brief Brief information on interfaces in route mode Link ADM administratively down Stby standby Protocol s spoofing Interface Link Protocol Primary IP Description Loop0 UP UP s 1 1 1 1 Sysname Tcl defined policy configur...

Page 217: ...figuration Display information about the policy Sysname display rtm policy registered Total number 1 Type Event TimeRegistered PolicyName TCL CLI Aug 29 14 54 50 2013 test Enable the information center to output log messages to the current monitoring terminal Sysname terminal monitor Execute the display this command Verify that the system displays the rtm_tcl_test is running message and a message ...

Page 218: ...tem identifies a process that consumes excessive memory or CPU resources as an anomaly source In standalone mode To display and maintain processes Task Command Display memory usage display memory slot slot number cpu cpu number Display process state information display process all job job id name process name slot slot number cpu cpu number Display CPU usage for all processes display process cpu s...

Page 219: ... memory block for a user process display process memory heap job job id address starting address length memory length slot slot number cpu cpu number N A Display context information for process exceptions display exception context count value slot slot number cpu cpu number N A Display the core file directory display exception filepath slot slot number cpu cpu number N A Enable or disable a proces...

Page 220: ...les for exceptions and set the maximum number of core files which defaults to 1 process core maxcore value off job job id name process name chassis chassis number slot slot number cpu cpu number By default a process generates a core file for the first exception and does not generate any core files for subsequent exceptions Specify the directory for saving core files the default directory depends o...

Page 221: ...nel thread deadloop monitor kernel deadloop action reboot record only slot slot number cpu cpu number The default action is to log the kernel thread deadloop event In IRF mode To configure kernel thread deadloop detection Step Command Remarks 1 Enter system view system view N A 2 Enable kernel thread deadloop detection monitor kernel deadloop enable chassis chassis number slot slot number cpu cpu ...

Page 222: ... is disabled 3 Optional Set the interval for identifying a kernel thread starvation monitor kernel starvation time time slot slot number cpu cpu number The default is 120 seconds 4 Optional Disable kernel thread starvation detection for a kernel thread monitor kernel starvation exclude thread tid slot slot number cpu cpu number After enabled kernel thread starvation detection monitors all kernel t...

Page 223: ... reset commands in user view Task Command Display kernel thread deadloop information display kernel deadloop show number offset verbose chassis chassis number slot slot number cpu cpu number Display kernel thread deadloop detection configuration display kernel deadloop configuration chassis chassis number slot slot number cpu cpu number Display kernel thread exception information display kernel ex...

Page 224: ...213 ...

Page 225: ...er Step Command Remarks 1 Enter system view system view N A 2 Create a sampler sampler sampler name mode fixed packet interval n power rate By default no samplers exist Displaying and maintaining a sampler Execute display commands in any view Task Command Display configuration information about the sampler in standalone mode display sampler sampler name slot slot number Display configuration infor...

Page 226: ...bound Device GigabitEthernet1 0 2 ip netstream inbound sampler 256 Enable IPv4 NetStream to use sampler 1024 to collect statistics about the outgoing traffic on GigabitEthernet 1 0 2 Device GigabitEthernet1 0 2 ip netstream outbound Device GigabitEthernet1 0 2 ip netstream outbound sampler 1024 Device GigabitEthernet1 0 2 quit Configure the address and port number of the NetStream server as the de...

Page 227: ...n Port 1 when the following conditions exist Port 1 is monitoring bidirectional traffic of Port 2 and Port 3 on the same device The packet travels from Port 2 to Port 3 Destination device The device where the monitor port resides is called the destination device Mirroring direction The mirroring direction specifies the direction of the traffic that is copied on a mirroring source Inbound Copies pa...

Page 228: ...t mirroring implementation As shown in Figure 60 the source port GigabitEthernet 1 0 1 and the monitor port GigabitEthernet 1 0 2 reside on the same device Packets received on GigabitEthernet 1 0 1 are copied to GigabitEthernet 1 0 2 GigabitEthernet 1 0 2 then forwards the packets to the data monitoring device for analysis Remote port mirroring In remote port mirroring the following conditions exi...

Page 229: ...ards the mirrored packets to the data monitoring device through the monitor port A reflector port can be fixed or configurable The switch supports only the configurable reflector port Figure 61 Layer 2 remote port mirroring implementation through the reflector port method Egress port method Packets are mirrored as follows The source device copies packets received on the mirroring sources to the eg...

Page 230: ...For example in a network as shown in Figure 63 Layer 3 remote port mirroring works in the following flow a The source device sends one copy of a packet received on the source port GigabitEthernet 1 0 1 to the tunnel interface The tunnel interface acts as the monitor port in the local mirroring group created on the source device b The tunnel interface on the source device forwards the mirrored pack...

Page 231: ...ew N A 2 Create a local mirroring group mirroring group group id local By default no local mirroring group exists Configuring source ports for the local mirroring group To configure source ports for a local mirroring group use one of the following methods Assign a list of source ports to the mirroring group in system view Assign a port to the mirroring group as a source port in interface view To a...

Page 232: ...irroring group Configuring source ports in interface view Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure the port as a source port for a local mirroring group mirroring group group id mirroring port both inbound outbound By default a port does not act as a source port for any local mirroring groups Configuri...

Page 233: ...m view N A 2 Configure the monitor port for a local mirroring group mirroring group group id monitor port interface type interface number By default no monitor port is configured for a local mirroring group Configuring the monitor port in interface view Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure the port...

Page 234: ...robe VLAN Required Configuring a remote source group on the source device 5 Creating a remote source group 6 Perform at least one of the following tasks Configuring source ports for a remote source group Configuring source CPUs for a remote source group 7 Configuring the reflector port for a remote source group 8 Configuring the remote probe VLAN for a remote source group Layer 2 remote port mirro...

Page 235: ... Do not enable the spanning tree feature on the monitor port For port mirroring to operate correctly do not configure an EVB enabled port as the monitor port For more information about EVB see EVB Configuration Guide For a Layer 2 aggregate interface configured as the monitor port of a mirroring group do not configure its member ports as source ports of the mirroring group Use a monitor port only ...

Page 236: ...t interface interface type interface number N A 3 Assign the port to the remote probe VLAN For an access port port access vlan vlan id For a trunk port port trunk permit vlan vlan id For a hybrid port port hybrid vlan vlan id tagged untagged For more information about the port access vlan port trunk permit vlan and port hybrid vlan commands see Layer 2 LAN Switching Command Reference Configuring a...

Page 237: ...uring a source port for a remote source group in interface view Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure the port as a source port for a remote source group mirroring group group id mirroring port both inbound outbound By default a port does not act as a source port for any remote source groups Configu...

Page 238: ...Technologies Configuration Guide Configuring the reflector port for a remote source group in system view Step Command Remarks 1 Enter system view system view N A 2 Configure the reflector port for a remote source group mirroring group group id reflector port interface type interface number By default no reflector port is configured for a remote source group Configuring the reflector port for a rem...

Page 239: ... remote probe VLAN When a VLAN is configured as a remote probe VLAN use the remote probe VLAN for port mirroring exclusively The remote mirroring groups on the source device and destination device must use the same remote probe VLAN To configure the remote probe VLAN for a remote source group Step Command Remarks 1 Enter system view system view N A 2 Configure the remote probe VLAN for a remote so...

Page 240: ...resses of the tunnel interface as the IP addresses of the physical interfaces on the source and destination devices respectively IP addresses of physical interfaces on SA series interface modules cannot be used as the source or destination IP address for the tunnel interface For more information about tunnel interfaces see Layer 3 IP Services Configuration Guide Configuring local mirroring groups ...

Page 241: ...Enter system view system view N A 2 Configure source ports for a local mirroring group mirroring group group id mirroring port interface list both inbound outbound By default no source port is configured for a local mirroring group Configuring source ports in interface view Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A...

Page 242: ...ctions and guidelines A mirroring group contains only one monitor port Do not enable the spanning tree feature on the monitor port For port mirroring to operate correctly do not configure an EVB enabled port as the monitor port For more information about EVB see EVB Configuration Guide As a best practice use a monitor port only for port mirroring so the data monitoring device receives only the mir...

Page 243: ... system view Device mirroring group 1 local Configure GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as source ports for local mirroring group 1 Device mirroring group 1 mirroring port gigabitethernet 1 0 1 gigabitethernet 1 0 2 both Configure GigabitEthernet 1 0 3 as the monitor port for local mirroring group 1 Device mirroring group 1 monitor port gigabitethernet 1 0 3 Disable the spanning tree...

Page 244: ... Technical department Processed by the CPU of the card in slot 1 of the device Figure 65 Network diagram Configuration procedure Create local mirroring group 1 Device system view Device mirroring group 1 local Configure the CPU of the card in slot 1 of the device as a source CPU for local mirroring group 1 Device mirroring group 1 mirroring cpu slot 1 both Configure GigabitEthernet 1 0 3 as the mo...

Page 245: ...ure Device C the destination device Configure GigabitEthernet 1 0 1 as a trunk port and assign the port to VLAN 2 DeviceC system view DeviceC interface gigabitethernet 1 0 1 DeviceC GigabitEthernet1 0 1 port link type trunk DeviceC GigabitEthernet1 0 1 port trunk permit vlan 2 DeviceC GigabitEthernet1 0 1 quit Create a remote destination group DeviceC mirroring group 2 remote destination Create VL...

Page 246: ...thernet 1 0 2 as a trunk port and assign the port to VLAN 2 DeviceB interface gigabitethernet 1 0 2 DeviceB GigabitEthernet1 0 2 port link type trunk DeviceB GigabitEthernet1 0 2 port trunk permit vlan 2 DeviceB GigabitEthernet1 0 2 quit 3 Configure Device A the source device Create a remote source group DeviceA system view DeviceA mirroring group 1 remote source Create VLAN 2 DeviceA vlan 2 Disab...

Page 247: ... with egress port Network requirements On the Layer 2 network shown in Figure 67 configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing department Figure 67 Network diagram Configuration procedure 1 Configure Device C the destination device Configure GigabitEthernet 1 0 1 as a trunk port and assign the port to VLAN 2 DeviceC system view D...

Page 248: ...an 2 Disable MAC address learning for VLAN 2 DeviceB vlan2 undo mac address mac learning enable DeviceB vlan2 quit Configure GigabitEthernet 1 0 1 as a trunk port and assign the port to VLAN 2 DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan 2 DeviceB GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0...

Page 249: ...Remote destination Status Active Monitor port GigabitEthernet1 0 2 Remote probe VLAN 2 Verify the mirroring group configuration on Device A DeviceA display mirroring group all Mirroring group 1 Type Remote source Status Active Mirroring port GigabitEthernet1 0 1 Both Monitor egress port GigabitEthernet1 0 2 Remote probe VLAN 2 Layer 3 remote port mirroring configuration example Network requirement...

Page 250: ...ceA Tunnel1 quit Enable the OSPF protocol DeviceA ospf 1 DeviceA ospf 1 area 0 DeviceA ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 DeviceA ospf 1 area 0 0 0 0 network 20 1 1 0 0 0 0 255 DeviceA ospf 1 area 0 0 0 0 quit DeviceA ospf 1 quit Create local mirroring group 1 DeviceA mirroring group 1 local Configure GigabitEthernet 1 0 1 as a source port and Tunnel 1 as the monitor port of local mirr...

Page 251: ...40 1 1 0 0 0 0 255 DeviceC ospf 1 area 0 0 0 0 quit DeviceC ospf 1 quit Create local mirroring group 1 DeviceC mirroring group 1 local Configure GigabitEthernet 1 0 1 as a source port for local mirroring group 1 DeviceC mirroring group 1 mirroring port gigabitethernet 1 0 1 inbound Configure GigabitEthernet 1 0 2 as the monitor port for local mirroring group 1 DeviceC mirroring group 1 monitor por...

Page 252: ...re they are received The CPU analyzes the packets or delivers them to upper layers For more information about QoS policies traffic classes and traffic behaviors see ACL and QoS Configuration Guide Flow mirroring configuration task list Tasks at a glance Required Configuring match criteria Required Configuring a traffic behavior Required Configuring a QoS policy Required Applying a QoS policy Apply...

Page 253: ...ss with a traffic behavior in the QoS policy classifier tcl name behavior behavior name By default no traffic behavior is associated with a class 4 Optional Display QoS policy configuration display qos policy Available in any view Applying a QoS policy Applying a QoS policy to an interface By applying a QoS policy to an interface you can mirror the traffic in the specified direction of the interfa...

Page 254: ...traffic in the specified direction of all ports on the control plane To apply a QoS policy to the control plane Step Command 1 Enter system view system view 2 Enter control plane view In standalone mode control plane slot slot number In IRF mode control plane chassis chassis number slot slot number 3 Apply a QoS policy to the control plane qos apply policy policy name inbound outbound Flow mirrori...

Page 255: ...raffic classifier tech_c DeviceA classifier tech_c if match acl 3000 DeviceA classifier tech_c quit Create traffic behavior tech_b configure the action of mirroring traffic to port GigabitEthernet 1 0 3 DeviceA traffic behavior tech_b DeviceA behavior tech_b mirror to interface gigabitethernet 1 0 3 DeviceA behavior tech_b quit Create QoS policy tech_p and associate traffic class tech_c with traff...

Page 256: ...hat the server can monitor the following traffic All traffic sent by the Technical department to access the Internet IP traffic that the Technical department sends to the Marketing department during working hours on weekdays Details not shown ...

Page 257: ...lows by using the 7 tuple elements Collects data from the classified flows Aggregates and exports the data to the NSC NetStream collector A program running in an operation system The NSC parses the packets received from the NDEs and saves the data to its database NetStream data analyzer A network traffic analyzing tool Based on the data in NSC the NDA generates reports for traffic billing network ...

Page 258: ...nd it requires a large cache size Aggregation data export NetStream aggregation merges the flow statistics according to the aggregation criteria of an aggregation mode and it sends the summarized data to NetStream servers The NetStream aggregation data export uses less bandwidth than the traditional data export Table 16 lists the available aggregation modes In each mode the system merges statistic...

Page 259: ...tion prefix destination network address Outbound interface index Prefix aggregation Source AS number Destination AS number Source address mask length Destination address mask length Source prefix Destination prefix Inbound interface index Outbound interface index Prefix port aggregation Source prefix Destination prefix Source address mask length Destination address mask length ToS Protocol number ...

Page 260: ...mat is fixed and cannot be extended Version 9 Based on templates that can be configured according to the template formats defined in RFCs Version 9 supports exporting the NetStream aggregation data and collecting BGP next hop statistics Version 10 Similar to version 9 The difference between version 9 and version 10 is that version 10 export format is compliant with the IPFIX standard NetStream fil...

Page 261: ...A JG378A LSU1GP24TSE0 JC763A JG347A LSU1GP24TXSE0 JC617A JG376A NetStream configuration task list When you configure NetStream choose the following configurations as needed Choose the device on which you want to enable NetStream If multiple service flows are passing through the NDE use an ACL to select the target traffic If the network has a large amount of traffic configure NetStream sampling Det...

Page 262: ...owing tasks to configure NetStream data export Configuring the NetStream traditional data export Configuring the NetStream aggregation data export Enabling NetStream on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A Configure NetStream filtering Filter Yes No Sample End Configure NetStream sampling Yes No A...

Page 263: ... system view system view N A 2 Create a sampler sampler sampler name mode fixed packet interval n power rate For more information about a sampler see Configuring samplers 3 Enter interface view interface interface type interface number N A 4 Enable NetStream sampling ip netstream inbound outbound sampler sampler name By default NetStream sampling is disabled Configuring attributes of the NetStream...

Page 264: ... NetStream data export format Step Command Remarks 1 Enter system view system view N A 2 Configure the NetStream data export format and specify whether to record AS and BGP next hop information Configure the version 5 format ip netstream export version 5 origin as peer as Configure the version 9 format ip netstream export version 9 origin as peer as bgp nexthop Configure the version 10 format ip n...

Page 265: ...no packet arrives for this NetStream entry within the period specified by using the ip netstream timeout inactive command When the inactive flow aging timer expires the following events occur The inactive flow entry is aged out The statistics of the flow are sent to NetStream servers and are cleared in the cache The statistics can no longer be displayed by using the display ip netstream cache comm...

Page 266: ...he source IP address 4 Optional Limit the data export rate ip netstream export rate rate By default the data export rate is not limited Configuring the NetStream aggregation data export NetStream aggregation can be implemented by software or hardware Unless otherwise noted NetStream aggregation refers to software NetStream aggregation NetStream hardware aggregation uses hardware to directly merge ...

Page 267: ...tination host is specified If you expect only NetStream aggregation data specify the destination host only in the related NetStream aggregation mode view 5 Optional Specify the source interface for NetStream data packets sent to NetStream servers ip netstream export source interface interface type interface number By default no source interface is specified for NetStream data packets The packets t...

Page 268: ...3 configure NetStream on Switch A to collect statistics on packets passing through Switch A Enable NetStream for incoming traffic on Gigabitethernet 1 0 1 and outgoing traffic on GigabitEthernet 1 0 2 Configure the switch to export NetStream traditional data to UDP port 5000 of the NetStream server Figure 73 Network diagram Configuration procedure Assign an IP address to each interface as shown in...

Page 269: ... resetting time Never IP packet size distribution 0 packets in total 1 32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 4608 000 000 000 000 000 000 000 000 000 000 000 000 Protocol Total Packets Flows Packets Active sec Idle sec Flows sec sec flow flow flow Type DstIP Port SrcIP...

Page 270: ...egation in the modes of protocol port source prefix destination prefix and prefix Export the aggregation data of different modes to 4 1 1 1 with UDP ports 3000 4000 6000 and 7000 Figure 74 Network diagram Configuration procedure Assign an IP address to each interface as shown in Figure 74 Details not shown Configure GigabitEthernet 1 0 1 to operate in Layer 3 mode SwitchA system view SwitchA inter...

Page 271: ...stream aggregation destination prefix SwitchA ns aggregation dstpre enable SwitchA ns aggregation dstpre ip netstream export host 4 1 1 1 6000 SwitchA ns aggregation dstpre quit Set the aggregation mode to prefix and specify the destination host for the aggregation data export SwitchA ip netstream aggregation prefix SwitchA ns aggregation prefix enable SwitchA ns aggregation prefix ip netstream ex...

Page 272: ... flow number 0 Version 9 exported UDP datagrams number failed 0 0 source prefix aggregation export information Flow source interface Not specified Flow destination VPN instance Not specified Flow destination IP address UDP 4 1 1 1 4000 Version 8 exported flow number 2 Version 8 exported UDP datagrams number failed 2 0 Version 9 exported flow number 0 Version 9 exported UDP datagrams number failed ...

Page 273: ...low destination IP address UDP 4 1 1 1 5000 Version 5 exported flow number 10 Version 5 exported UDP datagrams number failed 10 0 Version 9 exported flow number 0 Version 9 exported UDP datagrams number failed 0 0 L2 export information Flow source interface Not specified Flow destination VPN instance Not specified Flow destination IP address UDP 4 1 1 1 5000 Version 9 exported flow number 0 Versio...

Page 274: ...ies traffic flows by using the 8 tuple elements Collects data from the classified flows Aggregates and exports the data to the NSC NetStream collector A program running in a Unix or Windows operating system The NSC parses the packets received from the NDEs and saves the data to its database NetStream data analyzer A network traffic analyzing tool Based on the data in NSC the NDA generates reports ...

Page 275: ...ics of each flow and exports the statistics to NetStream servers This method consumes a lot of bandwidth and CPU usage and requires a large cache size In addition you do not need all of the data in most cases Aggregation data export An IPv6 NetStream aggregation mode merges the flow statistics according to the aggregation criteria of the aggregation mode and it sends the summarized data to NetStre...

Page 276: ...If IPv6 packets are not forwarded according to the BGP routing table the AS number or BGP next hop cannot be obtained IPv6 NetStream data export format IPv6 NetStream exports data in the version 9 or version 10 format Both formats are template based and support exporting the IPv6 NetStream aggregation data and collecting BGP next hop statistics The version 10 export format is compliant with the IP...

Page 277: ...n Figure 76 IPv6 NetStream configuration flow To configure IPv6 NetStream perform the following tasks Tasks at a glance Required Enabling IPv6 NetStream on an interface Optional Configuring attributes of the IPv6 NetStream data export Optional Configuring IPv6 NetStream flow aging Required Perform at least one of the following tasks to configure the IPv6 NetStream data export Configuring the IPv6 ...

Page 278: ... source AS of the source address and the destination AS of the destination address peer as Specifies the ASs before and after the AS where the NetStream device resides as the source AS and the destination AS respectively For example as shown in Figure 77 a flow starts at AS 20 passes AS 21 through AS 23 and then reaches AS 24 IPv6 NetStream is enabled on the device in AS 22 The origin as keyword d...

Page 279: ... use correct version 9 or version 10 template configure the time based or packet count based refresh rate If both settings are configured the template is sent when either of the conditions is met To configure the refresh rate for IPv6 NetStream version 9 or version 10 template Step Command Remarks 1 Enter system view system view N A 2 Configure the refresh rate for IPv6 NetStream version 9 or vers...

Page 280: ...et ipv6 netstream statistics command This command ages out all IPv6 NetStream entries and exports and clears the statistics Configuration procedure To configure IPv6 NetStream flow aging Step Command Remarks 1 Enter system view system view N A 2 Optional Configure periodical aging Set the active flow aging timer ipv6 netstream timeout active minutes Set the inactive flow aging timer ipv6 netstream...

Page 281: ...tion entry is aged out the data is exported IPv6 NetStream hardware aggregation reduces resource consumption Configuration restrictions and guidelines When you configure the IPv6 NetStream aggregation data export follow these restrictions and guidelines The IPv6 NetStream hardware aggregation does not take effect in the following situations The destination host is configured for NetStream traditio...

Page 282: ...NetStream aggregation is disabled Displaying and maintaining IPv6 NetStream Execute display commands in any view and reset commands in user view Task Command In standalone mode Display IPv6 NetStream entry information display ipv6 netstream cache verbose type ip ipl2 l2 mpls label position1 label value1 label position2 label value2 label position3 label value3 destination destination ipv6 interfac...

Page 283: ...m for incoming and outgoing traffic on GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 ipv6 netstream inbound SwitchA GigabitEthernet1 0 1 ipv6 netstream outbound SwitchA GigabitEthernet1 0 1 quit Specify 40 1 as the IPv6 address of the destination host and UDP port 5000 as the export destination port number SwitchA ipv6 netstream export host 40 1 5000 Verifying the configuration Display IPv6 N...

Page 284: ...01 1 1024 2002 1 21 6 0 0x0 GE1 0 1 I 42996 IP 2001 1 1024 2002 1 21 6 0 0x0 GE1 0 1 O 42996 Display the statistics of the IPv6 NetStream data export SwitchA display ipv6 netstream export IPv6 export information Flow source interface Not specified Flow destination VPN instance Not specified Flow destination IP address UDP 40 1 5000 Version 9 exported flow number 10 Version 9 exported UDP datagrams...

Page 285: ...ggregation protocol port SwitchA ns6 aggregation protport enable SwitchA ns6 aggregation protport ipv6 netstream export host 40 1 3000 SwitchA ns6 aggregation protport quit Set the aggregation mode to source prefix and specify the destination host for the aggregation data export SwitchA ipv6 netstream aggregation source prefix SwitchA ns6 aggregation srcpre enable SwitchA ns6 aggregation srcpre ip...

Page 286: ... destination IP address UDP 40 1 4000 Version 9 exported flow number 0 Version 9 exported UDP datagrams number failed 0 0 destination prefix aggregation export information Flow source interface Not specified Flow destination VPN instance Not specified Flow destination IP address UDP 40 1 6000 Version 9 exported flow number 0 Version 9 exported UDP datagrams number failed 0 0 prefix aggregation exp...

Page 287: ...w collector can monitor multiple sFlow agents sFlow provides the following sampling mechanisms Flow sampling Obtains packet information Counter sampling Obtains interface counter information Figure 80 sFlow system Protocols and standards RFC 3176 InMon Corporation s sFlow A Method for Monitoring Traffic in Switched and Routed Networks sFlow org sFlow Version 5 Configuration restrictions and guidel...

Page 288: ...d IP address overwrites the existing one 3 Configure the sFlow collector information sflow collector collector id vpn instance vpn instance name ip ip address ipv6 ipv6 address port port number datagram size size time out seconds description text By default no sFlow collector information is configured The value range for the collector id argument is 1 to 10 4 Optional Specify the source IP address...

Page 289: ...lector collector id By default no sFlow collector is specified for flow sampling Configuring counter sampling Perform this task to configure counter sampling on an Ethernet interface The sFlow agent performs the following tasks 1 Periodically collects the counter information on that interface 2 Encapsulates the counter information into sFlow packets 3 Encapsulates the sFlow packets in the UDP pack...

Page 290: ...e system view Device sflow agent ip 3 3 3 1 Configure information about the sFlow collector Specify the sFlow collector ID as 1 IP address as 3 3 3 2 port number as 6343 default and description as netserver Device sflow collector 1 ip 3 3 3 2 description netserver 3 Configure counter sampling Enable counter sampling and set the counter sampling interval to 120 seconds on GigabitEthernet 1 0 1 Devi...

Page 291: ...w configuration The remote sFlow collector cannot receive sFlow packets Symptom The remote sFlow collector cannot receive sFlow packets Analysis The possible reasons include The sFlow collector is not specified sFlow is not configured on the interface The IP address of the sFlow collector specified on the sFlow agent is different from that of the remote sFlow collector No IP address is configured ...

Page 292: ...ector 3 Verify that the physical link between the device and the sFlow collector is up 4 Verify that the VPN bound to the sFlow collector already exists 5 Verify that the length of an sFlow packet is greater than the sum of the following two values The length of the sFlow packet header The number of bytes as a best practice use the default that flow sampling can copy per packet ...

Page 293: ...ogs in this document refers to common logs Diagnostic logs Record debug messages Security logs Record security information such as authentication and authorization information Hidden logs Record log information not displayed on the terminal such as input commands Trace logs Record system tracing and debug messages which can be viewed only after the devkit package is installed Log levels Logs are c...

Page 294: ... output rule are output to the destination Table 19 shows the default log output rules Table 19 Default output rules Destination Log source modules Output switch Severity Console All supported modules Enabled Debug Monitor terminal All supported modules Disabled Debug Log host All supported modules Enabled Informational Log buffer All supported modules Enabled Informational Log file All supported ...

Page 295: ... Log file All supported modules Enabled Informational Default output rules for trace logs Trace logs can only be output to the trace log file and cannot be filtered by source modules and severity levels Table 23 shows the default output rules for trace logs Table 23 Default output rules for trace logs Destination Log source modules Output switch Severity Trace log file All supported modules Enable...

Page 296: ...cal7 correspond to values 16 through 23 The facility name can be configured using the info center loghost command It is used to identify log sources on the log host and to query and filter the logs from specific log sources level is in the range of 0 to 7 See Table 18 for more information about severity levels Timestamp Records the time when the log was generated Logs sent to the log host and thos...

Page 297: ...ameters Timestamp parameters Description Example boot Time that has elapsed since system startup in the format of xxx yyy xxx represents the higher 32 bits and yyy represents the lower 32 bits of milliseconds elapsed Logs that are sent to all destinations other than a log host support this parameter 0 109391473 Sysname FTPD 5 FTPD_LOGIN User ftp 192 168 1 23 has logged in successfully 0 109391473 ...

Page 298: ...at least one of the following tasks Outputting logs to the console Outputting logs to the monitor terminal Outputting logs to log hosts Outputting logs to the log buffer Saving logs to the log file Optional Managing security logs Optional Saving diagnostic logs to the diagnostic log file Optional Configuring the maximum size of the trace log file Optional Setting the minimum storage period for log...

Page 299: ...fer to terminals that log in to the device through the VTY line To output logs to the monitor terminal Step Command Remarks 1 Enter system view system view N A 2 Enable the information center info center enable By default the information center is enabled 3 Configure an output rule for the monitor terminal info center source module name default console monitor logbuffer logfile loghost deny level ...

Page 300: ...meters info center loghost vpn instance vpn instance name hostname ipv4 address ipv6 ipv6 address port port number facility local number By default no log hosts or related parameters are specified The value for the port number argument must be the same as the value configured on the log host Otherwise the log host cannot receive logs The device supports a maximum of 20 log hosts Outputting logs to...

Page 301: ... of space To save logs to the log file Step Command Remarks 1 Enter system view system view N A 2 Enable the information center info center enable By default the information center is enabled 3 Enable the log file feature info center logfile enable By default the log file feature is enabled 4 Optional Enable log file overwrite protection info center logfile overwrite protection all port powerdown ...

Page 302: ...o prevent the loss of important data To save security logs to the security log file Step Command Remarks 1 Enter system view system view N A 2 Enable the information center info center enable By default the information center is enabled 3 Enable the saving of the security logs to the security log file info center security logfile enable By default saving security logs to the security log file is d...

Page 303: ... named as diagfile1 log diagfile2 log and so on When diagfile1 log is full the system compresses diagfile1 log as diagfile1 log gz and creates a new diagnostic log file named diagfile2 log The process repeats until the last diagnostic log file is full After the last diagnostic log file is full the device repeats the following process 1 The device locates the oldest compressed diagnostic log file d...

Page 304: ...e trace log file When the trace log file is full the device overwrites the oldest trace logs with new ones To set the maximum size for the trace log file Step Command Remarks 1 Enter system view system view N A 2 Set the maximum size for the trace log file info center trace logfile quota size By default the maximum size of the trace log file is 10 MB Setting the minimum storage period for log file...

Page 305: ...ge period is not set Enabling synchronous information output System log output interrupts ongoing configuration operations obscuring previously entered commands Synchronous information output shows the obscured commands It also provides a command prompt in command editing mode or a Y N string in interaction mode so you can continue your operation from where you were stopped To enable synchronous i...

Page 306: ...interface from generating link up or link down logs By default all interfaces generate link up or link down log information when the interface state changes In some cases you might want to disable certain interfaces from generating this information For example You are concerned only about the states of some interfaces In this case you can use this function to disable other interfaces from generati...

Page 307: ... and maintaining information center Execute display commands in any view and reset commands in user view Task Command Display the information of each output destination display info center In standalone mode Display the state and the log information of the log buffer display logbuffer reverse level severity size buffersize slot slot number In IRF mode Display the state and the log information of t...

Page 308: ...The current terminal is enabled to display logs Now if the FTP module generates logs the information center automatically sends the logs to the console and the console displays the logs Configuration example for outputting logs to a UNIX log host Network requirements Configure the device to output to the UNIX log host FTP logs that have a severity level of at least informational Figure 84 Network ...

Page 309: ...tional level The UNIX system records the log information that has a severity level of at least informational to the file var log Device info log NOTE Follow these guidelines while editing the file etc syslog conf Comments must be on a separate line and must begin with a pound sign No redundant spaces are allowed after the file name The logging facility name and the severity level specified in the ...

Page 310: ...o log in the Device directory to save logs of Device mkdir var log Device touch var log Device info log c Edit the file syslog conf in directory etc and add the following contents Device configuration messages local5 info var log Device info log In the above configuration local5 is the name of the logging facility used by the log host to receive logs info is the informational level The Linux syste...

Page 311: ...300 Now the system can record log information to the specified file ...

Page 312: ...ed by default after the device starts Use the diagnostic monitor enable command to enable monitoring diagnostic tests that are disabled by default Use the diagnostic monitor interval command to configure an execution interval for each test The interval you set must be no smaller than the minimum interval for each test You can view the minimum interval for a test by using the display diagnostic con...

Page 313: ...e failure random failure success In IRF mode diagnostic simulation chassis chassis number slot slot number list test test name failure random failure success By default the system runs a test instead of simulating it Configuring the log buffer size GOLD saves test results in the form of logs You can use the display diagnostic event log command to view the logs To configure the GOLD log buffer size...

Page 314: ...er test test name verbose Display statistics for packet related tests display diagnostic result chassis chassis number slot slot number test test name statistics Display configurations for simulated tests display diagnostic simulation chassis chassis number slot slot number Clear GOLD logs reset diagnostic event log Clear test results reset diagnostic result chassis chassis number slot slot number...

Page 315: ...nitoring test NA D Disruptive test Non disruptive test P Per port test NA A I Monitoring test is active Monitoring test is inactive NA Slot 1 Test name HGMonitor Test attributes M PA Test interval 00 01 00 Min interval 00 00 10 Correct action NA Description A Real time test disabled by default that checks link status between ports View the test result Sysname display diagnostic result slot 1 verbo...

Page 316: ...cal file or displays the captured packets on the terminal This mode can also display contents of pcap and pcapng files To use this mode you must install the packet capture feature image by using the boot loader install or issu command For more information about image installation see software upgrade or ISSU in Fundamentals Configuration Guide Only feature image based packet capture requires the p...

Page 317: ...fy a direction qualifier the src or dst qualifier applies src Matches the source IP address field dst Matches the destination IP address field src or dst Matches the source or destination IP address field NOTE The src or dst qualifier applies if you do not specify a direction qualifier For example port 23 is equivalent to src or dst port 23 Type Specifies the direction type host Matches the IP add...

Page 318: ... 1 64 expression matches traffic sent to the IPv6 network 1 64 Capture filter operators Capture filters support logical operators Table 30 arithmetic operators Table 31 and relational operators Table 32 Logical operators can use both alphanumeric and nonalphanumeric symbols The arithmetic and relational operators can use only nonalphanumeric symbols Logical operators are left associative They grou...

Page 319: ...he offset value in the brackets and specify a protocol qualifier For example ip 6 matches the seventh byte of payload in IPv4 packets the byte that is six bytes away from the beginning of the IPv4 payload Table 32 Relational operators for capture filters Nonalphanumeric symbol Description Equal to For example ip 6 0x1c matches an IPv4 packet if its seventh byte of payload is equal to 0x1c Not equa...

Page 320: ... len le 1500 ip len le 02734 ip len le 0x436 Boolean This variable type has two values true or false This variable type applies if you use a packet field string alone to identify the presence of a field in a packet If the field is present the match result is true The filter displays the packet If the field is not present the match result is false The filter does not display the packet For example ...

Page 321: ...y Table 35 Logical operators for display filters Nonalphanumeri c symbol Alphanumeric symbol Description No alphanumeric symbol is available Used with protocol qualifiers For more information see The proto expression not Displays packets that do not match the condition connected to this operator and Joins two conditions Use this operator to display traffic that matches both conditions or Joins two...

Page 322: ...7 The expr relop expr expression Use this type of expression to capture packets that match the result of arithmetic operations This expression contains keywords arithmetic operators expr and relational operators relop For example len 100 200 captures packets that are greater than or equal to 100 bytes The proto expr size expression Use this type of expression to capture packets that match the resu...

Page 323: ... to display packets that contain a specific field Packet field expressions contain only packet field strings For example tcp flags syn displays all TCP packets that contain the SYN bit field The proto expression Use this type of expression to display packets that contain specific field values This type of expression contains the following elements proto Specifies a protocol layer or packet field M...

Page 324: ... autostop filesize kilobytes autostop duration seconds write filepath url url username username password cipher simple string After this command is executed you can still configure other commands from the CLI The operation does not affect the packet capture Configuring remote packet capture Task Command Remarks Configure remote packet capture packet capture remote interface interface type interfac...

Page 325: ...s that are forwarded through chips you must configure flow mirroring to mirror packets to the CPU For more information about flow mirroring see Configuring flow mirroring The capture displays captured packets in real time You can configure the capture to save captured packets to a file or filter packets to display You cannot configure the device from the CLI while the capture is operating To stop ...

Page 326: ...apt expression display filter disp expression limit captured frames limit limit frame size bytes autostop duration seconds raw brief verbose Displaying the contents in a packet file Task Command Remarks Display the contents in a packet file packet capture read filepath verbose display filter disp expression raw brief verbose A packet file must use the pcap or pcapng extension Displaying and mainta...

Page 327: ...st c Enter IP address 10 1 1 1 and port number of 2014 and click OK d Click Start The captured packets are displayed on the Wireshark client Figure 88 Displaying the captured packets on the Wireshark client Feature image based packet capture configuration example Network requirements As shown in Figure 89 capture the following incoming IP packets on GigabitEthernet 1 0 1 Packets forwarded through ...

Page 328: ...tchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 qos apply policy user1 inbound SwitchA GigabitEthernet1 0 1 quit SwitchA quit Capture incoming traffic on GigabitEthernet 1 0 1 SwitchA packet capture interface gigabitethernet 1 0 1 Capturing on Gigabitethernet1 0 1 1 0 000000 192 168 56 1 192 168 56 2 TCP 62 6325 telnet SYN Seq 0 Win 65535 Len 0 MSS 1460 SACK_PERM 1 2 0 000061 192...

Page 329: ...sh a pcap 1 0 000000 192 168 56 1 192 168 56 2 TCP 62 6325 telnet SYN Seq 0 Win 65535 Len 0 MSS 1460 SACK_PERM 1 2 0 000061 192 168 56 1 192 168 56 2 TCP 60 6325 telnet ACK Seq 1 Ack 1 Win 65535 Len 0 3 0 024370 192 168 56 1 192 168 56 2 TELNET 60 Telnet Data 4 0 024449 192 168 56 1 192 168 56 2 TELNET 78 Telnet Data 5 0 025766 192 168 56 1 192 168 56 2 TELNET 65 Telnet Data 6 0 035096 192 168 56 ...

Page 330: ...e following roles Spine node Connects to leaf nodes Leaf node As shown in Figure 91 a leaf node connects to a server in a typical data center network A shown in Figure 92 a leaf node connects to an access node in a typical campus network Access node As shown in Figure 92 an access node connects to an upstream leaf node and downstream terminal devices in a typical campus network Cascading of access...

Page 331: ...ommunicate with each other through a router Port A connection port A router or a VM connects to a network through a port Router A virtual router that can be created and deleted It performs routing selection and data forwarding Neutron has the following components Neutron server Includes the daemon process neutron server and multiple plug ins neutron plugin The Neutron server provides an API and fo...

Page 332: ...DB Message server such as RabbitMQ server HPE ML2 Driver For more information about HPE ML2 Driver see HPE Neutron ML2 Driver Installation Guide Network node neutron openvswitch agent neutron dhcp agent Compute node neutron openvswitch agent LLDP The following table shows Neutron deployments on a network device Network type Network device Neutron components Centralized gateway deployment Spine neu...

Page 333: ...t Leaf Neutron Server L3 Service Neutron DB Physical Server OpenStack Network Controller My SQL Type Driver Mesh Driver Physical Server Compute Node Vswitch V M V M V M V M V M Physical Server Compute Node Vswitch V M V M V M V M V M Spine Spine Neutron L3 agent L2 agent Leaf L2 agent L3 agent L2 agent Leaf L2 agent L3 agent L2 agent Leaf L2 agent L3 agent L2 agent Leaf L2 agent L3 agent Message S...

Page 334: ...n IP address through a management Ethernet interface after starting up without loading configuration In a campus network the device obtains an IP address through VLAN interface 1 after starting up without loading configuration 2 Install and configure the Director server This step is required if you want to use the Director server to automatically create template files 3 Configure the DHCP server t...

Page 335: ...s and access nodes are automatically aggregated For links between spine nodes and leaf nodes the trunk permit vlan command is automatically executed NOTE On a data center network if the template file contains software version information the device first compares the software version with the current software version If the two versions are inconsistent the device downloads the new software versio...

Page 336: ...reation and port creation It deploys Layer 2 networking to provide Layer 2 connectivity within a virtual network and Layer 2 isolation between different virtual networks Layer 3 agent L3 agent Responds to OpenStack events such as virtual router creation interface creation and gateway configuration It deploys the IP gateways to provide Layer 3 forwarding services for VMs For the device to correctly...

Page 337: ...DP is disabled globally 3 Enable VCF fabric topology discovery vcf fabric topology enable By default VCF fabric topology discovery is disabled Configuring automated underlay network provisioning Configuration restrictions and guidelines When you configure automated underlay network provisioning follow these restrictions and guidelines Automated underlay network configuration can be automatically c...

Page 338: ...P gateway perform this task on both the spine node and the leaf nodes If the network type is VXLAN with distributed IP gateways perform this task on all leaf nodes Make sure the RabbitMQ server settings on the device are the same as those on the controller node If the durable attribute of RabbitMQ queues is set on the Neutron server you must enable creation of RabbitMQ durable queues on the device...

Page 339: ...e device to establish a connection with the RabbitMQ server rabbit password cipher plain string By default the device uses plaintext password guest to establish a connection with the RabbitMQ server 8 Specify a virtual host to provide RabbitMQ services rabbit virtual host hostname By default the virtual host provides RabbitMQ services for the device 9 Specify the username and password used by the ...

Page 340: ...ork requirements As shown in Figure 95 Devices A B and C all connect to the TFTP server and the DHCP server through management Ethernet interfaces VM 1 resides on Compute node 1 VM 2 resides on the Compute node 2 The controller node runs OpenStack Kilo version and Ubuntu14 04 LTS operating system Configure a VCF fabric to meet the following requirements The VCF fabric is a VXLAN network deployed o...

Page 341: ...d variables cannot be the same as system predefined variables User defined variables Defined by the user User defined variables include the following Basic settings Local username and password user role and so on Neutron server settings IP address of the Neutron server the username and password for establishing a connection with the Neutron server and so on Software images for upgrade and the URL ...

Page 342: ...an as the default tenant network type tenant_network_types hpe_vxlan d Add the ml2_type_hpe_vxlan section and specify a VXLAN ID range in the format of vxlan id1 vxlan id2 The value range for VXLAN IDs is 0 to 16777215 ml2_type_hpe_vxlan vni_ranges 10000 60000 3 Configure the database Before you configure the database make sure you have configured the Neutron server openstack localhost sudo hpe_co...

Page 343: ...0 1 1 3 24 from the DHCP server respectively Verifying the configuration Verifying the collected topology of the underlay network Display VCF fabric topology information on Device A DeviceA display vcf fabric topology Topology Information indicates the master spine role among all spines SpineIP Interface Link LeafIP Status 10 11 113 51 GigabitEthernet1 0 1 Up 10 11 113 52 Deploying GigabitEthernet...

Page 344: ...rp learning disable system ntp service enable ntp service unicast peer 10 11 113 136 system netconf soap http enable netconf soap https enable restful http enable restful https enable system ip http enable ip https enable system telnet server enable system info center loghost 10 11 113 136 system local user aaa password service type telnet http https service type ssh authorization attribute user r...

Page 345: ...community write private snmp agent sys info version all interface up down GigabitEthernet1 0 1 GigabitEthernet1 0 5 Loopback0 IP Allocation DEV_MAC LOOPBACK_IP MANAGE_IP STATE a43c adae 0400 10 100 16 17 10 11 113 53 up a43c 9aa7 0100 10 100 16 15 10 11 113 51 up a43c a469 0300 10 100 16 16 10 11 113 52 up bgp configure peer 10 100 16 17 10 100 16 16 Verifying the automated deployment for the over...

Page 346: ... 03 12 00 25 59 Verifying the connectivity between VM 1 and VM 2 Ping VM 2 on Compute node 2 from VM 1 on Compute node 1 ping 10 1 1 3 Ping 10 1 1 3 10 1 1 3 56 data bytes press CTRL_C to break 56 bytes from 10 1 1 3 icmp_seq 0 ttl 254 time 10 000 ms 56 bytes from 10 1 1 3 icmp_seq 1 ttl 254 time 4 000 ms 56 bytes from 10 1 1 3 icmp_seq 2 ttl 254 time 4 000 ms 56 bytes from 10 1 1 3 icmp_seq 3 ttl...

Page 347: ...ustomer premises equipment the managed device in the network DNS server Domain name system server CWMP defines that the ACS and the CPE use URLs to identify and access each other DNS is used to resolve the URLs DHCP server Assigns ACS attributes along with IP addresses to CPEs when the CPEs are powered on DHCP server is optional in CWMP With a DHCP server you do not need to configure ACS attribute...

Page 348: ... validity verification Data backup The ACS can require the CPE to upload a configuration or log file to a specific location The destination location can be the ACS or a file server Status and performance monitoring The CPE allows the ACS to monitor the status and performance objects in Table 37 Table 37 CPE status and performance objects available for the ACS to monitor Category Objects Device inf...

Page 349: ...ic Inform interval The CPE re initiates a connection to the ACS at the Inform interval Expiration of the scheduled connection initiation time The CPE initiates a connection to the ACS at the scheduled time CWMP connection establishment As shown in Figure 97 the CPE and the ACS use the following process to establish a connection 1 After obtaining the basic ACS parameters the CPE initiates a TCP con...

Page 350: ...asks at a glance Remarks Required Enabling CWMP from the CLI To use CWMP you must enable CWMP from the CLI Configuring ACS attributes Required Configuring the preferred ACS attributes Assigning ACS attributes from the DHCP server Configuring the preferred ACS attributes from the CLI Optional Configuring the default ACS attributes from the CLI The preferred ACS attributes are configurable from the ...

Page 351: ...P view cwmp N A 3 Enable CWMP cwmp enable By default CWMP is disabled Configuring ACS attributes You can configure two sets of ACS attributes for the CPE preferred and default The preferred ACS attributes are configurable from the CPE s CLI the DHCP server and ACS For an attribute the CLI and ACS assigned values have higher priority than the DHCP assigned value The CLI and ACS assigned values over...

Page 352: ...372F61637320 NOTE The two ending digits 20 represent the space ACS connect username 1234 3132333420 NOTE The two ending digits 20 represent the space ACS connect password 5678 35363738 For more information about DHCP and DHCP Option 43 see layer 3 IP Services Configuration Guide Configuring the preferred ACS attributes from the CLI Step Command Remarks 1 Enter system view system view N A 2 Enter C...

Page 353: ...thods supported for each CPE attribute see Configuration task list Configuring ACS authentication parameters To protect the CPE against unauthorized access configure a CPE username and password for ACS authentication When an ACS initiates a connection to the CPE the ACS must provide the correct username and password NOTE The password setting is optional You can specify only a username for authenti...

Page 354: ...wing conditions exist The CPE has multiple Layer 3 interfaces The IP addresses of the CWMP connection interface and the ACS are not in the same subnet In this case you need to perform this task to manually set the CWMP connection interface To configure the CWMP connection interface Step Command Remarks 1 Enter system view system view N A 2 Enter CWMP view cwmp N A 3 Specify the interface that conn...

Page 355: ...rm request If the CPE fails to receive a response before the timer expires the CPE resends the Inform request To set the maximum number of connection retries that the CPE can make Step Command Remarks 1 Enter system view system view N A 2 Enter CWMP view cwmp N A 3 Set the maximum number of connection retries cwmp cpe connect retry retries By default the CPE retries a failed connection until the c...

Page 356: ...p Command Remarks 1 Enter system view system view N A 2 Enter CWMP view cwmp N A 3 Enable NAT traversal cwmp cpe stun enable By default NAT traversal is disabled on the CPE Specifying an SSL client policy for HTTPS connection to ACS CWMP uses HTTP or HTTPS for data transmission If the ACS uses HTTPS for secure access its URL begins with https You must configure an SSL client policy for the CPE to ...

Page 357: ...re 98 Network diagram Table 40 shows the ACS attributes for the CPEs to connect to the ACS Table 40 ACS attributes Item Setting Preferred ACS URL http 10 185 10 41 8080 acs ACS username Admin ACS password 12345 Table 41 lists serial numbers of the CPEs Table 41 CPE list Room Device Serial number A Device A 210231A95YH10C000045 Device B 210235AOLNH12000010 Device C 210235AOLNH12000015 Device A Devi...

Page 358: ... 10 185 10 41 8080 imc c On the login page enter the ACS login username and password and then click Login 2 Create a CPE user account a Select Service System Management CPE Authentication User from the top navigation bar The CPE authentication user configuration page appears Figure 99 CPE authentication user configuration page b Click Add c Enter the username and password for authentication to the...

Page 359: ... group name for example DB_1 and then click OK Figure 101 Adding a device group d Select Service Resource Device Class from the top navigation bar e Click Add f On the Add Device Class page enter a device class name for devices in equipment room A and then click OK In this example the device class for devices in equipment room A is Device_A Figure 102 Adding a device class g Repeat the previous tw...

Page 360: ... select basic settings for device A and then click OK c Repeat the previous two steps to add other devices Figure 103 Adding a CPE After the CPE is added successfully a success message is displayed as shown in Figure 104 Figure 104 CPE added successfully 5 Configure the system settings of the ACS as shown in Figure 105 ...

Page 361: ...Templates from the navigation tree Figure 106 Configuring templates page b On the Configuration Templates page click Import c On the Import Configuration Template page select configuration template settings for the Device_A device class add the Device_A class to the Applicable CPEs pane and then click OK d Repeat the previous two steps to configure a configuration template for equipment room B s d...

Page 362: ...mplate After the configuration template is added successfully a success message is displayed as shown in Figure 108 Figure 108 Configuration templates e Select Service BIMS Configuration Management Software Library from the top navigation bar ...

Page 363: ...ass to the Applicable CPEs pane and then click OK h Repeat the previous two steps to configure a software library entry for equipment room B s device class Figure 110 Importing CPE software 7 Add auto deployment tasks a Select Service BIMS Configuration Management Deployment Guide from the top navigation bar b On the Deployment Guide page click By Device Class in the Auto Deploy Configuration pane...

Page 364: ...353 Figure 111 Deployment Guide c On the Auto Deploy Configuration page click Select Class Figure 112 Configuring auto deployment d On the Device Class page select Device_A and then click OK ...

Page 365: ... in equipment room B in the same way you add the deployment task for the devices in equipment room A Configuring the DHCP server In this example an HPE device is operating as the DHCP server 1 Configure an IP address pool to assign IP addresses and DNS server address to the CPEs This example uses subnet 10 185 10 0 24 for IP address assignment Enable DHCP DHCP_server system view DHCP_server dhcp e...

Page 366: ...r dhcp pool 0 option 43 hex 0140687474703A2F2F6163732E64617461626173653A393039302F616373207669636B79203132333 435 Configuring the DNS server Map http acs database 9090 acs to http 10 185 1 41 9090 acs on the DNS server For more information about DNS configuration see DNS server documentation Connecting the CPEs to the network Connect the CPEs to the network and then power on the CPEs Details not s...

Page 367: ...ntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in Boldface For example the New User wind...

Page 368: ...epresents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewall UTM multiservice security gateway or load balancing device Represents a security module such as a firewall load balancing NetStream SSL VPN IPS or ACG module Examples provided in this ...

Page 369: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Page 370: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Page 371: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Page 372: ...l plane 243 flow mirroring QoS policy global 243 flow mirroring QoS policy interface 242 flow mirroring QoS policy VLAN 242 architecture IPv6 NetStream 263 NetStream 246 NTP 77 arithmetic capture filter operator 307 arithmetic operator capture filter 305 assigning CWMP ACS attribute preferred CLI 341 CWMP ACS attribute preferred DHCP server 340 port mirroring monitor port to remote probe VLAN 225 ...

Page 373: ...on 84 buffer GOLD log buffer size 302 information center log buffer 289 buffering information center log storage period log buffer 293 C capturing packet capture configuration 305 packet capture configuration feature image based 316 remote packet capture configuration 315 changing NETCONF parameter value 164 classifying port mirroring classification 217 CLI EAA configuration 193 201 EAA event moni...

Page 374: ... 280 common information center common logs 282 comparing capture filter operator 307 display filter operator 310 comparison display filter expression 312 comparison operator capture filter 305 conditional match NETCONF data filtering 175 NETCONF data filtering column based 173 configuring automated underlay network provisioning 326 CWMP 336 339 346 CWMP ACS attribute 340 CWMP ACS attribute default...

Page 375: ... view 221 local port mirroring group source ports system view 221 NETCONF 145 148 NETCONF module specific namespace 150 NETCONF over SOAP 148 NetStream 246 250 257 NetStream data export 255 NetStream data export aggregation 255 259 NetStream data export traditional 255 257 NetStream data export attribute 252 NetStream data export format 252 NetStream filtering 252 NetStream flow aging 254 NetStrea...

Page 376: ...8 NTP symmetric active passive mode MPLS L3VPN network time synchronization on switch 114 packet capture 305 313 315 packet capture feature image based 316 packet capture analyzing 318 PMM kernel thread deadloop detection 209 PMM kernel thread starvation detection 211 port mirroring 232 port mirroring remote destination group monitor port 224 port mirroring remote destination group remote probe VL...

Page 377: ...nnect 338 autoconfiguration server ACS 336 basic functions 336 configuration 336 339 346 connection establishment 338 CPE ACS authentication parameters 342 CPE ACS connection interface 343 CPE ACS provision code 342 CPE attribute configuration 342 CPE NAT traversal 345 customer premise equpment CPE 336 DHCP server 336 DNS server 336 enable 340 how it works 337 network framework 336 RPC methods 337...

Page 378: ...oring local group 229 Layer 3 remote port mirroring local group monitor port 231 Layer 3 remote port mirroring local group source CPU 230 Layer 3 remote port mirroring local group source port 229 local packet capture configuration 313 local port mirroring source CPU mode 233 local port mirroring source port mode 232 local port mirroring configuration 220 local port mirroring group monitor port 222...

Page 379: ... port mirroring outbound 216 disabling information center interface link up link down log generation 295 NTP message receiving 95 discovering VCF fabric topology discovery 323 display filter keyword packet capture 308 display filter operator packet capture 310 displaying CWMP settings 345 EAA settings 201 GOLD 302 information center 296 IPv6 NetStream 271 NetStream 256 NQA 43 NTP 97 packet capture...

Page 380: ... establishing NETCONF session 151 Ethernet CWMP configuration 336 339 346 Layer 2 remote port mirroring configuration 222 Layer 3 remote port mirroring configuration 228 port mirroring configuration 216 232 RMON Ethernet statistics entry 139 RMON Ethernet statistics group configuration 141 RMON statistics configuration 139 RMON statistics group 137 sampler configuration 214 sampler configuration I...

Page 381: ...icy application interface 242 QoS policy application VLAN 242 QoS policy configuration 242 traffic behavior configuration 241 format information center system logs 284 IPv6 NetStream data export 265 IPv6 NetStream data export format 267 IPv6 NetStream v9 v10 template refresh rate 268 NETCONF message 146 NetStream data export format 252 NetStream export 249 NetStream v9 v10 template refresh rate 25...

Page 382: ... port mirroring 216 information center configuration 282 287 296 default output rules diagnostic log 283 default output rules hidden log 284 default output rules security log 283 default output rules trace log 284 diagnostic log save log file 292 display 296 duplicate log suppression 294 FIPS compliance 287 interface link up link down log generation 295 log default output rules 283 log output cons...

Page 383: ...tion configuration SNMP 54 NQA operation configuration TCP 56 NQA operation configuration UDP echo 57 NQA operation configuration UDP jitter 52 NQA operation configuration UDP tracert 58 NQA operation configuration voice 60 NQA template configuration DNS 68 NQA template configuration FTP 72 NQA template configuration HTTP 71 NQA template configuration HTTPS 72 NQA template configuration ICMP 67 NQ...

Page 384: ...log generation 295 information center log default output rules 283 information center log output console 287 information center log output log buffer 289 information center log output log host 289 information center log output monitor terminal 288 information center log output configuration console 296 information center log output configuration Linux log host 298 information center log output con...

Page 385: ...305 sampler fixed 214 sampler random 214 SNMP access control rule based 122 SNMP access control view based 122 module feature module debug 6 information center configuration 282 287 296 NETCONF configuration data retrieval all modules 160 NETCONF configuration data retrieval Syslog module 162 NETCONF module specific namespace 150 monitor terminal information center log output 288 monitoring EAA co...

Page 386: ...ent retrieval 179 NetStream aggregation data export restrictions 255 architecture 246 configuration 246 250 257 data export 247 data export aggregation 247 data export traditional 247 data export attribute configuration 252 data export configuration 255 data export configuration aggregation 255 259 data export configuration traditional 255 257 data export format configuration 252 display 256 enabl...

Page 387: ...echo 12 NQA client operation ICMP jitter 13 NQA client operation path jitter 24 NQA client operation SNMP 18 NQA client operation TCP 19 NQA client operation UDP echo 20 NQA client operation UDP jitter 17 NQA client operation UDP tracert 20 NQA client operation voice 22 NQA client operation optional parameters 25 NQA client operation scheduling 31 NQA client statistics collection 30 NQA client tem...

Page 388: ...capture configuration 305 PMM Linux network 207 port mirroring configuration 216 232 RMON configuration 137 sampler configuration 214 sampler configuration IPv4 NetStream 214 sampler creation 214 sFlow configuration 276 276 279 SNMP configuration 121 SNMPv1 configuration 132 SNMPv2c configuration 132 SNMPv3 configuration 134 VCF fabric configuration 326 VCF fabric configuration automated 329 VCF f...

Page 389: ...on center security log save log file 291 information center synchronous log output 294 information center system log SNMP notification 296 information center system log types 282 information center trace log file max size 293 IPv6 NetStream architecture 263 IPv6 NetStream configuration 263 266 IPv6 NetStream data export 264 IPv6 NetStream data export aggregation 270 273 IPv6 NetStream data export ...

Page 390: ...rt aggregation 255 259 NetStream data export traditional 255 257 NetStream data export attribute configuration 252 NetStream data export format 252 NetStream display 256 NetStream enable 251 NetStream filtering 249 NetStream filtering configuration 252 NetStream flow aging 247 254 NetStream flow aging methods 254 NetStream format 249 NetStream maintain 256 NetStream protocols and standards 250 Net...

Page 391: ... NTP display 97 NTP dynamic associations max 95 NTP enable 82 NTP local clock as reference source 96 NTP message receiving disable 95 NTP message source interface specification 94 NTP multicast association mode 85 NTP multicast association mode configuration on switch 103 NTP multicast mode authentication configuration 92 NTP optional parameter configuration 94 NTP packet DSCP value setting 96 NTP...

Page 392: ... 154 SNMP configuration 121 SNMP host notification send 130 SNMP notification 130 SNMP Notification operation 122 NQA client enable 11 client history record save 30 client operation 11 client operation DHCP 13 client operation DLSw 24 client operation DNS 14 client operation FTP 15 client operation HTTP 16 client operation ICMP echo 12 client operation ICMP jitter 13 client operation path jitter 2...

Page 393: ...switch 113 configuration 76 82 97 configuration restrictions 82 display 97 enable 82 how it works 76 IPv6 client server association mode configuration 98 IPv6 multicast association mode configuration on switch 106 IPv6 symmetric active passive association mode configuration 100 local clock as reference source 96 message receiving disable 95 message source interface specification 94 MPLS L3VPN inst...

Page 394: ...25 NQA client template optional parameters 42 NTP dynamic associations max 95 NTP local clock as reference source 96 NTP message receiving disable 95 NTP message source interface 94 NTP optional parameter configuration 94 SNMP basics configuration 123 SNMPv1 basics configuration 123 SNMPv2c basics configuration 123 SNMPv3 basics configuration 125 path NQA client operation path jitter 24 NQA operat...

Page 395: ...device 216 direction bidirectional 216 direction inbound 216 direction outbound 216 display 231 egress port 216 implementation 217 Layer 2 remote reflector port configurable 223 Layer 2 remote configuration 222 Layer 2 remote configuration egress port 223 Layer 2 remote port mirroring configuration egress port 236 Layer 2 remote port mirroring configuration reflector port configurable 234 Layer 3 ...

Page 396: ...D diagnostics monitoring 301 configuring GOLD log buffer size 302 configuring information center 287 configuring information center log output console 296 configuring information center log output Linux log host 298 configuring information center log output UNIX log host 297 configuring information center log storage period log buffer 293 configuring information center log suppression 295 configur...

Page 397: ...nfiguring NQA client operation path jitter 24 configuring NQA client operation SNMP 18 configuring NQA client operation TCP 19 configuring NQA client operation UDP echo 20 configuring NQA client operation UDP jitter 17 configuring NQA client operation UDP tracert 20 configuring NQA client operation voice 22 configuring NQA client operation optional parameters 25 configuring NQA client statistics c...

Page 398: ...nt 225 configuring port mirroring remote destination group monitor port 224 configuring port mirroring remote destination group on the destination device 224 configuring port mirroring remote destination group remote probe VLAN 225 configuring port mirroring remote source group egress port 227 configuring port mirroring remote source group on source device 225 configuring port mirroring remote sou...

Page 399: ...tion 165 170 locking NETCONF configuration 155 156 maintaining GOLD 302 maintaining information center 296 maintaining IPv6 NetStream 271 maintaining NetStream 256 maintaining PMM 207 maintaining PMM kernel threads 211 maintaining user PMM 208 maintaining VCF fabric 329 managing information center security log 291 managing information center security log file 291 monitoring PMM kernel thread 209 o...

Page 400: ...QoS policy 242 flow mirroring QoS policy application 242 flow mirroring QoS policy application control plane 243 flow mirroring QoS policy application global 243 flow mirroring QoS policy application interface 242 flow mirroring QoS policy application VLAN 242 flow mirroring traffic behavior 241 R RADIUS NQA client template 40 NQA template configuration 73 random mode NMM sampler 214 real time eve...

Page 401: ... session information 180 NETCONF YANG file content 179 returning NETCONF CLI return 182 RMON alarm configuration 140 143 alarm group 138 alarm group sample types 139 configuration 137 Ethernet statistics entry creation 139 Ethernet statistics group 137 Ethernet statistics group configuration 141 event group 138 group 137 history control entry creation 139 history group 137 history group configurat...

Page 402: ...urity logs 282 NTP 80 NTP access control rights 85 NTP authentication 80 86 NTP broadcast mode authentication 90 NTP client server mode authentication 86 NTP multicast mode authentication 92 NTP symmetric active passive mode authentication 88 SNTP authentication 118 server NQA configuration 10 NTP broadcast server configuration 84 NTP multicast server configuration 85 SNTP configuration 82 117 117...

Page 403: ...meter configuration 123 configuration 132 host notification send 130 Notification operation 122 protocol version 122 SNMPv3 basic parameter configuration 125 configuration 134 Notification operation 122 notification send 130 protocol version 122 SNTP authentication 118 configuration 82 117 117 119 configuration restrictions 82 117 display 119 enable 117 NTP server specification 117 SOAP NETCONF me...

Page 404: ... 82 117 117 119 Syslog NETCONF configuration data retrieval Syslog module 162 system default output rules diagnostic log 283 default output rules hidden log 284 default output rules security log 283 default output rules trace log 284 information center duplicate log suppression 294 information center interface link up link down log generation 295 information center log destinations 283 information...

Page 405: ...tion support average type 27 NQA operation support consecutive type 27 NQA operation triggered action none 27 NQA operation triggered action trap only 27 NQA operation triggered action trigger only 27 time NTP configuration 76 82 97 NTP local clock as reference source 96 SNTP configuration 82 117 117 119 timeout NMM NETCONF session idle timeout time 151 timer CWMP ACS close wait timer 344 topology...

Page 406: ...t association mode on switch 103 NTP symmetric active passive association mode 99 NTP symmetric active passive mode MPLS L3VPN network time synchronization on switch 114 sFlow configuration 276 276 279 UNIX information center log host output configuration 297 unlocking NETCONF configuration 155 156 user PMM Linux user 207 V value NETCONF parameter value change 164 variable capture filter keyword 3...

Page 407: ...emote port mirroring configuration 222 Layer 3 remote port mirroring configuration 228 port mirroring configuration 216 232 port mirroring remote probe VLAN 216 port mirroring remote source group remote probe VLAN 228 VCF fabric configuration automated 329 VCF fabric overview 319 voice NQA client operation 22 NQA operation configuration 60 VPN NTP MPLS L3VPN instance support 81 VXLAN VCF fabric co...

Reviews:

No comments

Related manuals for FlexNetwork 10500 SERIES

C&H Technologies EM405-8 Manual preview
EM405-8
Brand: C&H Technologies Pages: 46
JCG Q5 Quick Installation Manual preview
Q5
Brand: JCG Pages: 3
Opengear IMG4216-25 Quick Start Manual preview
IMG4216-25
Brand: Opengear Pages: 2
PairGain PG-FLEX RT FRL-752 Manual preview
PG-FLEX RT FRL-752
Brand: PairGain Pages: 6
Lucent Technologies Cajun P118LX Installation Manual preview
Cajun P118LX
Brand: Lucent Technologies Pages: 20
Buffalo BS-GS2008P Quick Setup Manual preview
BS-GS2008P
Brand: Buffalo Pages: 2
VideoWave Adam Device User Manual preview
Adam Device
Brand: VideoWave Pages: 12
Rosco ND100 User Manual preview
ND100
Brand: Rosco Pages: 20
ActionTec MI424WR MI424WR Upgrade Procedure preview
MI424WR
Brand: ActionTec MI424WR Pages: 3
Erbauer 3663602796282 Original Instructions Manual preview
3663602796282
Brand: Erbauer Pages: 36
SonicWALL Internet Security Appliances Administrator'S Manual preview
Internet Security Appliances
Brand: SonicWALL Pages: 293
ZyXEL Communications NMA1115 User Manual preview
NMA1115
Brand: ZyXEL Communications Pages: 28
Emerson Network Power Specification Sheet preview
Network Power
Brand: Emerson Pages: 4
Emerson Liebert Intellislot IS-WEBCARD Installation Sheet preview
Liebert Intellislot IS-WEBCARD
Brand: Emerson Pages: 2
Emerson SiteI/O 32/0 Specification preview
SiteI/O 32/0
Brand: Emerson Pages: 5
Emerson SiteGate-E ARC156 Specification preview
SiteGate-E ARC156
Brand: Emerson Pages: 8
Emerson ControlWave Remote Ethernet I/O Product Data preview
ControlWave Remote Ethernet I/O
Brand: Emerson Pages: 3
Emerson Liebert ICOM-DO User Manual preview
Liebert ICOM-DO
Brand: Emerson Pages: 12

Brands by name

Popular brands

Load more brands