ConfigurationGuide(SystemManagement) - ZTE … · ZXR10ZSRV2 IntelligentIntegratedMulti-ServiceRouter ConfigurationGuide(SystemManagement) Version:2.00.10 ZTECORPORATION No.55,Hi-techRoadSouth,ShenZhen,P.R.China

ZXR10 ZSR V2Intelligent Integrated Multi-Service Router

Configuration Guide (System Management)

Version: 2.00.10

ZTE CORPORATIONNo. 55, Hi-tech Road South, ShenZhen, P.R.ChinaPostcode: 518057Tel: +86-755-26771900Fax: +86-755-26770801URL: http://ensupport.zte.com.cnE-mail: [email protected]

LEGAL INFORMATIONCopyright © 2013 ZTE CORPORATION.

The contents of this document are protected by copyright laws and international treaties. Any reproduction or

distribution of this document or any portion of this document, in any form by any means, without the prior written

consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by

contractual confidentiality obligations.

All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE

CORPORATION or of their respective owners.

This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions

are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,

title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the

use of or reliance on the information contained herein.

ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications

covering the subject matter of this document. Except as expressly provided in any written license between ZTE

CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter

herein.

ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.

Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.

The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History

Revision No. Revision Date Revision Reason

R1.0 2014-05-10 First edition

Serial Number: SJ-20140504150128-007

Publishing Date: 2014-05-10 (R1.0)

SJ-20140504150128-007|2014-05-10 (R1.0) ZTE Proprietary and Confidential

ContentsAbout This Manual ......................................................................................... I

Chapter 1 Device Connection management ............................................ 1-11.1 Connecting the ZXR10 ZSR V2 System............................................................... 1-1

1.2 Configuring Console Port Connection .................................................................. 1-2

1.3 Configuring Telnet Connection ............................................................................ 1-2

1.4 Configuring SSH Connection............................................................................... 1-6

1.5 FTP Connection Configuration .......................................................................... 1-10

1.5.1 Configuring the ZXR10 ZSR V2 as an FTP Server.................................... 1-10

1.5.2 Configuring the ZXR10 ZSR V2 as an FTP Client ..................................... 1-12

1.6 Configuring TFTP Connection ........................................................................... 1-15

1.7 SFTP Connection Configration .......................................................................... 1-17

1.7.1 Configuring the ZXR10 ZSR V2 as an SFTP Server ................................. 1-17

1.7.2 Configuring the ZXR10 ZSR V2 as an SFTP Client................................... 1-18

Chapter 2 File System Management ......................................................... 2-12.1 File System Overview......................................................................................... 2-1

2.2 Configuring File System Management ................................................................. 2-2

2.3 File System Management Configuration Examples ............................................... 2-3

2.3.1 File System Configuration Example ........................................................... 2-3

2.3.2 Configuration Example of Backing Up a Configuration File on a USBFlash Drive ............................................................................................. 2-4

Chapter 3 MIM Configuration .................................................................... 3-13.1 MIM Overview.................................................................................................... 3-1

3.2 Configuring MIM................................................................................................. 3-1

Chapter 4 User Management ..................................................................... 4-14.1 User Management Overview............................................................................... 4-1

4.2 Configuring User Management............................................................................ 4-2

4.3 User Management Configuration Examples ......................................................... 4-7

4.3.1 Local Authentication and Authorization User Configuration Example............ 4-7

4.3.2 RADIUS-LOCAL Authentication and Authorization User ConfigurationExample................................................................................................. 4-8

4.3.3 TACACS+ Authentication and Authorization User ConfigurationExample............................................................................................... 4-10

4.3.4 Configuring a Password Prompt Question for Resetting a Password...........4-11

I


4.3.5 Configuring OAM Security Management .................................................. 4-13

4.3.6 Configuring a Password Validity Period.................................................... 4-15

4.3.7 Configuring First-Login Password Modification ........................................ 4-17

4.3.8 Relations Between Raising Privilege Levels and the Enable Command...... 4-18

Chapter 5 Command Privilege Level Classification................................ 5-15.1 Command Privilege Level Overview .................................................................... 5-1

5.2 Configuring Command Privilege ......................................................................... 5-1

5.3 Command Privilege Level Configuration Example................................................. 5-2

Chapter 6 SNMP Configuration................................................................. 6-16.1 SNMP Basic Configuration.................................................................................. 6-1

6.1.1 SNMP Overview....................................................................................... 6-1

6.1.2 Configuring SNMP.................................................................................... 6-1

6.1.3 SNMP Configuration Example................................................................... 6-6

6.2 SNMP Anti-Violence Attack............................................................................... 6-10

6.2.1 SNMP Anti–Brute Force Attack Overview................................................. 6-10

6.2.2 Configuring SNMP Anti–Brute Force Attack ..............................................6-11

6.2.3 SNMP Anti–Brute Force Attack Configuration Example............................. 6-13

Chapter 7 Alarm Management Configuration .......................................... 7-17.1 Alarm Overview.................................................................................................. 7-1

7.2 Configuring the Alarm Function ........................................................................... 7-2

7.3 Alarm Function Configuration Example ................................................................ 7-7

Chapter 8 SYSLOG Configuration ............................................................ 8-18.1 SysLog Overview ............................................................................................... 8-1

8.2 Configuring Syslog ............................................................................................. 8-1

8.3 Syslog Configuration Example ............................................................................ 8-2

Chapter 9 RMON Configuration ................................................................ 9-19.1 RMON Overview ................................................................................................ 9-1

9.2 Configuring RMON............................................................................................. 9-1

9.3 RMON Configuration Example ............................................................................ 9-3

Chapter 10 Clock and Clock Synchronization....................................... 10-110.1 NTP Configuration.......................................................................................... 10-1

10.1.1 NTP Overview...................................................................................... 10-1

10.1.2 Configuring NTP................................................................................... 10-2

10.1.3 NTP Configuration Examples ................................................................ 10-4

10.2 Physical POS Interface Clock Configuratio....................................................... 10-6

10.2.1 Physical POS Interface Clock................................................................ 10-6

II


10.2.2 Configuring a Physical POS Interface Clock ........................................... 10-7

10.2.3 Physical POS-Interface Clock Configuration Instance ............................. 10-7

Chapter 11 Performance Statistics ......................................................... 11-111.1 Performance Management Overview ................................................................11-1

11.2 Performance Management Configuration ..........................................................11-1

11.3 Performance Management Configuration Example ............................................11-3

Chapter 12 NetFlow Configuration ......................................................... 12-112.1 NetFlow Overview .......................................................................................... 12-1

12.2 Configuring NetFlow ....................................................................................... 12-3

12.3 NetFlow Configuration Examples..................................................................... 12-9

12.3.1 NetFlow V5 Configuration Example ....................................................... 12-9

12.3.2 NetFlow V8 Configuration Example ......................................................12-11

12.3.3 NetFlow V9 Configuration Example ......................................................12-12

Chapter 13 SQA Configuration................................................................ 13-113.1 SQA Overview ............................................................................................... 13-1

13.2 Configuring SQA ............................................................................................ 13-1

13.3 SQA Configuration Examples .......................................................................... 13-4

13.3.1 ICMP-Type SQA Configuration Example ................................................ 13-4

13.3.2 FTP-Type SQA Configuration Example .................................................. 13-5

13.3.3 TCP-Type SQA Configuration Example.................................................. 13-6

13.3.4 UDP-Type SQA Configuration Example ................................................. 13-8

13.3.5 DNS-Type SQA Configuration Example ................................................. 13-9

Chapter 14 LLDP Configuration.............................................................. 14-114.1 LLDP Overview .............................................................................................. 14-1

14.2 Configuring LLDP........................................................................................... 14-3

14.3 LLDP Configuration Examples......................................................................... 14-5

14.3.1 LLDP Neighbor Configuration Example.................................................. 14-5

14.3.2 LLDP Attribute Configuration Example ................................................... 14-6

Chapter 15 Network Layer Detection...................................................... 15-115.1 Configuring ICMP Fast Response.................................................................... 15-1

15.2 Configuring IP Source Route Option Processing............................................... 15-4

15.3 Configuring ICMP Unreachable Packet Function .............................................. 15-6

15.4 Enabling an Interface to Send ICMP Unreachable Packets ............................... 15-7

15.5 Configuring IP Ping......................................................................................... 15-9

15.6 Configuring IP Trace......................................................................................15-12

15.7 Configuring LSP Ping ....................................................................................15-15

III


15.8 Configuring LSP Trace...................................................................................15-21

15.9 Configuring Multicast Ping..............................................................................15-26

15.10 Configuring Multicast Trace ..........................................................................15-30

15.11 Configuring MAC Ping..................................................................................15-32

15.12 Configuring MAC Trace................................................................................15-34

15.13 IP Performance Maintenance .......................................................................15-37

Figures............................................................................................................. I

Glossary .........................................................................................................V

IV


About This ManualPurposeThis manual describes functional principles, configuration commands and examplesrelated to ZXR10 ZSR V2 system management.

Intended AudienceThis manual is intended for the following engineers:

l Network planning engineersl Commissioning engineersl Maintaining engineers

What Is in This ManualThis manual contains the following contents:

Chapter Summary

1, Device Connection

Management

Describes several modes (including through a Console port,

TELNET, SSH, FTP , TFTP and SFTP) and configuration commands

to connect to ZXR10 ZSR V2.

2, File System Management Describes operational commands for the file system of the device.

3, MIM Configuration Describes MIM principles, configuration commands and

configuration examples.

4, User Management Describes user management principle, configuration commands and


5, Command Privilege Level

Classification

Describes user and command privilege level classification principle,

configuration commands and configuration example.

6, SNMP Configuration Describes SNMP principles, configuration commands and


7, Alarm Management

Configuration

Describes alarm management principle, configuration commands

and configuration example.

8, SYSLOG Configuration Describes SYSLOG principle, configuration commands and

configuration example.

9, RMON Configuration Describes RMON principle, configuration commands and

configuration example.

10, Clock and Clock

Synchronization

Describes clock and clock synchronization principles, configuration

commands and configuration examples.

I


Chapter Summary

11, Performance Statistics Describes performance statistics principle, configuration commands

and configuration example.

12, NetFlow Configuration Describes NetFlow principle, configuration commands and


13, SQA Configuration Describes SQA principle, configuration commands and configuration

examples.

14, LLDP Configuration Describes LLDP principles, configuration commands and


15, Network Layer Detection Describes the principles, configuration commands, and configuration

examples of the network layer detection.

ConventionsThis manual uses the following typographical conventions:

Typeface Meaning

Italics Variables in commands. It may also refer to other related manuals and documents.

Bold Menus, menu options, function names, input fields, option button names, check boxes,

drop-down lists, dialog box names, window names, parameters, and commands.

Constant

width

Text that you type, program codes, filenames, directory names, and function names.

[ ] Optional parameters.

| Separates individual parameter in series of parameters.

Warning: indicates a potentially hazardous situation. Failure to comply can result in

serious injury, equipment damage, or interruption of major services.

Caution: indicates a potentially hazardous situation. Failure to comply can result in

moderate injury, equipment damage, or interruption of minor services.

Note: provides additional information about a certain topic.

II


Chapter 1Device ConnectionmanagementTable of Contents

Connecting the ZXR10 ZSR V2 System .....................................................................1-1Configuring Console Port Connection.........................................................................1-2Configuring Telnet Connection....................................................................................1-2Configuring SSH Connection......................................................................................1-6FTP Connection Configuration .................................................................................1-10Configuring TFTP Connection ..................................................................................1-15SFTP Connection Configration .................................................................................1-17

1.1 Connecting the ZXR10 ZSR V2 SystemThe ZXR10 ZSR V2 provides multiple configuration modes, see Figure 1-1.

Figure 1-1 ZXR10 ZSR V2 Configuration Modes

Users can use different configuration modes for different network types. The configurationmodes are described below:

l Console port mode: This is the primary configuration mode used by users.l Telecommunication Network Protocol (TELNET)/Secure Shell (SSH) mode: Users

can use this mode to configure the ZXR10 ZSR V2 at any accessible place of anetwork.

1-1


ZXR10 ZSR V2 Configuration Guide (System Management)

l Trivial File Transfer Protocol (TFTP)/File Transfer Protocol (FTP) mode: Userscan use this mode to download/upload router configuration files, and update routerconfigurations.

1.2 Configuring Console Port ConnectionThis procedure describes how to connect to the ZXR10 ZSR V2 through the Console port.

Steps1. Configure a Hyperterminal.

For how to configure a Hyperterminal, refer to the "Configuring the Device Through aConsole Port" section in the ZXR10 M6000 Initial Configuration Guide.

2. (Optional) In the configuration mode, run the login authentication command to enablethe Console port connection authentication function.

Caution!

The Console port connection authentication function can be enabled only after ausername and password are configured. If the username and password are notconfigured properly, after the function is enabled, you cannot enter the ZXR10> CLIwhen you connect the device next time.

The following example shows how to enable Console port authentication.

ZXR10(config)#login authentication

Warning:

Please make sure local or remote authentication is correctly configured.

Are you sure to configure console authentication? [yes/no]:y

ZXR10(config)#

/*Enables the Console port connection authentication function.*/

For how to configure a user name and password used in serial port authentication,refer to 4.2 Configuring User Management.

– End of Steps –

1.3 Configuring Telnet ConnectionThis procedure describes how to connect to the ZXR10 ZSR V2 through Telnet.

PrerequisiteThe local terminal can access the remote router network.

1-2


Chapter 1 Device Connection management

ContextTelnet is used for configuring routers remotely. To prevent illegal users from accessing therouter through Telnet, a user name and password have to be set on the router for Telnetaccessing. Only the user who has the preset user name and password can access therouter. For how to configure a user name and password on the ZXR10 ZSR V2 for Telnetlogin, refer to 4.2 Configuring User Management.

Steps1. Connect to the ZXR10 ZSR V2 through Telnet.

Assume that the IP address of a remote router is 192.168.3.1 and that the localterminal (configured with the Windows XP operating system, for example) can accessthe remote router network. The operations on the local terminal are as follows:

a. Start the Run program on the local terminal, and enter the telnet 192.168.3.1command, see Figure 1-2.

Figure 1-2 Run Dialog Box

b. Click OK.

The following information is displayed:

************************************************************

Welcome to ZXR10 Intelligent Integrated Multi-Service Router

of ZTE Corporation

************************************************************

Login at: 19:46:37 03-24-2014

Username:who

Password:

ZXR10>enable 18

Password:

ZXR10#

c. Enter a user name and a password according to the prompt. Then, you can log into the remote router.

2. Configure a Telnet connection.

1-3



On the ZXR10 ZSR V2, run the following commands to configure optional Telnetparameters:

Command Function

ZXR10(config)#line console idle-timeout <idle-time> Configures the maximum idle

timeout period of the serial port.

Unit: minute, range: 0–1000,

default: 30.

ZXR10(config)#line console absolute-timeout <absolute-time> Configures the maximum online

timeout period of the serial port.

Unit: minute, range: 0–10000,

default: 1440.

ZXR10(config)#line telnet idle-timeout <idle-time> Configures the maximum idle

timeout period of Telnet. Unit:

minute, range: 0–1000, default:

120.

ZXR10(config)#line telnet absolute-timeout <absolute-time> Configures the maximum online

timeout period of Telnet. Unit:

minute, range: 0–10000, default:

1440.

ZXR10(config)#line telnet access-class {ipv4 | ipv6}<acl-name> Configures the name of an

Access Control List (ACL) bound

to Telnet.

ZXR10(config)#line telnet max-link <max-number> Configures the maximum

number of Telnet links. Range:

1–15, default: 15.

ZXR10#terminal length <length> Configures the terminal window

height. Unit: line, range: 0–24.

ZXR10#line telnet dscp <dscp-value> Specifies the DSCP value of

control plane packets for the

IPv4/IPv6 Telnet server. Range:

0–63, default: 48.

ZXR10#telnet {<dest-address>[{[<source-address

>],[<port-number>],[{vrf <vrf-name>| dcn}],[dscp<dscp-value>]}]|<domain-name>[{[<port-number>],[vrf<vrf-name>],[dscp <dscp-value>]}]}

Enables this router to log in to an

IPv4 Telnet server as a client.

<domain-name>: domain name

(Range: 1–128 characters).

ZXR10#telnet6 {<dest-address>[{[interface <interface-na

me>],[vrf <vrf-name>],[<port-number>],[dscp <dscp-value

>]}]|<domain-name>[{[vrf <vrf-name>],[<port-number>],[dscp<dscp-value>]}]}

Enables this router to log in to an

IPv6 Telnet server as a client.

1-4



Command Function

ZXR10(config)#line telnet server enable [listen

{<23>|<49152-65535>}]

Allows terminals to log in to

this router in Telnet mode, and

allows the specification of a port

number.

3. (Optional) Run the telnet command on the ZXR10 ZSR V2 to log in to another devicethrough the local client.

For the format of the telnet command, refer to the following table:

Command Function

ZXR10#telnet {<dest-ipaddress>[vrf< vrf-name>][<source-ipaddress>][<port-number>]|<domain name>[vrf<vrf-name>][<port-number>]}

Configures this router as a client

to log in to another device.

<port-number>: Transfer Control

Protocol (TCP) port number

(range: 0–65535).

4. Verify the configurations.

Command Function

ZXR10#show terminal Displays information on the

current terminal.

ZXR10#show history Displays the last ten history

commands.

ZXR10#show users Displays the login user

information.

ZXR10#who Displays the login user

information.

5. Maintain Telnet connections.

Command Function

ZXR10(config)#line telnet server disable Forbids terminals from logging in

to this router in Telnet mode.

ZXR10#clear line vty <vty-number> Forces the vty user to log out.

<vty-number>: specifies the

terminal number (range: 0–14).


ExampleThe following provides a Telnet connection configuration example.

1-5



l Configuration Description

It is required to connect a PC to R1 through Telnet, see Figure 1-3.

Figure 1-3 Telnet Connection Configuration Example

l Configuration Flow1. Connect a PC to R1.2. Configure Telnet on R1.3. Configure an ACL on R1 to filter TCP connections.

l Configuration Commands

Run the following commands on R1:

R1(config)#line telnet idle-timeout 120

R1(config)#line telnet absolute-timeout 1440

R1(config)#line telnet access-class ipv4 wd

R1(config)#ipv4-access-list wd

R1(config-ipv4-acl)#rule permit tcp 169.1.108.82 0.0.0.0 any

R1(config-ipv4-acl)#exit

l Configuration Verification

If no ACL is configured, a PC whose IP address is in any network segment can beconnected to R1.

If an ACL is configured, only PCs whose IP addresses are in the Permit column ofthe ACL can be connected to R1.

1.4 Configuring SSH ConnectionThis procedure describes how to connect to the ZXR10 ZSR V2 through SSH.


ContextSecure Shell (SSH) is defined by the IETF Network Working Group. It is a security protocolestablished on the basis of the application layer and transport layer.

Traditional network service programs such as FTP, POP, and Telnet use clear text totransfer data. Therefore, user names and passwords are vulnerable to man-in-the-middleattacks. Compared with traditional network service programs, SSH is more reliable. Itprovides security for remote login sessions and other network services, and has thefollowing advantages:

1-6



l The SSH protocol prevents information leakage in remote management processes.l The SSH protocol encrypts all transferred data, and prevents DNS spoofing and IP

spoofing.l The SSH protocol transfers compressed data, accelerating transmission.l The SSH protocol is usually used to replace Telnet, and provides a secure "channel"

for FTP, POP, or even PPP.

Steps1. Configure SSH.

Step Command Function

1 ZXR10(config)#ssh server enable [listen

{<22>|<49152-65535>}]

Enables the SSH server

function, which is disabled

by default. Allow the

specification of a port

number.

2 ZXR10(config)#ssh server access-class {ipv4 |

ipv6}<acl-name>

Binds an ACL for SSH.

3 ZXR10(config)#ssh server dscp <dscp-value> Specifies the DSCP value

of control plane packets for

the IPv4/IPv6 SSH server.

Default: 48.

4 ZXR10#ssh <dest-address> encrypt {none | aes128 |

blowfish | 3des} compress {none | zlib} mac {none |

sha1 | md5}[{[<source-address>],[<port-number>],[vrf<vrf-name>],[dscp <dscp-value>]}]

Enables this router to log in

as a client to an IPv4 SSH

server in SSH mode.

5 ZXR10#ssh6 <dest-address> encrypt {none | aes128 |

blowfish | 3des} compress {none | zlib} mac {none | sha1

| md5}[{[<port-number>],[vrf <vrf-name>],[interface<interface-name>],[dscp <dscp-value>]}]

Enables this router to log in

as a client to an IPv6 SSH

server in SSH mode.

2. Maintain SSH.

Command Function

ZXR10(config)#ssh server disable Disables the SSH server

function.

3. Configure an SSH client.

The following uses Putty as an example to describe how to configure an SSH client.

a. Enable Putty.exe on the SSH host. Type the IP address of the remote router(such as 192.168.5.3) in the Host Name text box, see Figure 1-4.

1-7



Figure 1-4 PuTTY Configuration Dialog Box

b. Select 2 for the SSH version, see Figure 1-5.

1-8



Figure 1-5 PuTTY Configuration Dialog Box

c. Click Open. The Login dialog box is displayed. Enter the correct user name andpassword to log in to the router, and then configure the router in the command linewindow.login as:zte

Further authentication required

[email protected]'s password:

************************************************************

Welcome to ZXR10 Intelligent Integrated Multi-Service Router

of ZTE Corporation

************************************************************

ZXR10#


Command Description

ZXR10#show ssh Shows the configuration state of SSH.


1-9



ExampleThe following provides an SSH configuration example.


It is required to connect a PC to R1 through SSH, see Figure 1-6.

Figure 1-6 SSH Configuration Example

l Configuration Flow1. Connect a PC to R1.2. Configure SSH on R1.3. Configure an ACL on R1 to filter connections.



R1(config)#ssh server enable

R1(config)#ssh server access-class ipv4 wd

R1(config)#ipv4-access-list wd

R1(config-ipv4-acl)#rule permit tcp 169.1.108.82 0.0.0.0 any

R1(config-ipv4-acl)#exit


If no ACL is configured, a PC whose IP address is in any network segment can beconnected to R1.

If an ACL is configured, only PCs whose IP addresses are in the Permit column ofthe ACL can be connected to R1.

1.5 FTP Connection Configuration

1.5.1 Configuring the ZXR10 ZSR V2 as an FTP ServerThis procedure describes how to configure the ZXR10 ZSR V2 as an FTP server.


Steps1. Enable the FTP server function.

1-10



Command Function

ZXR10(config)#ftp-server enable [listen<port-number>]

Enables the FTP server function, and

monitors the specified port.

The port range is 21 or 2401–2420.

2. Configure other FTP attributes.

Command Function

ZXR10(config)#ftp-server top-directory

<directory>[{read-only |{[read-write],[copy]}}]

Sets the top-level directory that the

FTP server allows users to access

through FTP. By default, the directory is

/datadisk0/.

ZXR10(config)#ftp-server access-class

[ipv6]<acl-name>

Binds an ACL to the FTP server.

ZXR10(config)#ftp-server max-login <max-number> Configures the maximum number of

online users of the FTP server.

For how to configure an FTP server user name and password, refer to “Chapter 4 UserManagement”.


Command Function

ZXR10#show ftp-server Shows the configuration information on

the FTP server.

4. Maintain the FTP Server.

Command Function

ZXR10(config)#ftp-server kick-user <user-id> Disconnects a currently online user. The

parameter value is an online user ID.


ExampleThe following gives an FTP server configuration example.


As shown in Figure 1-7, ZXR10 ZSR V2 is connected to a PC and operates as an FTPserver. The PC functions as an FTP client that uploads and downloads files.

1-11



Figure 1-7 FTP Server Configuration Example

l Configuration Flow1. Enable the FTP server function and listening port 21 of the ZXR10 ZSR V2.2. Set the FTP server root directory to /datadisk0/LOG/.3. Set both the FTP server user name and password to zte.4. Upload and download files through the FTP server to verify the FTP server

function.l Configuration Commands

The configuration flow on the ZXR10 ZSR V2 is shown below. For how to configurean FTP server user name and password, refer to “Chapter 4 User Management”.

R1#configure terminal

Enter configuration commands, one per line.End with CTRL/Z.

R1(config)#ftp-server enable

R1(config)#ftp-server top-directory /datadisk0/LOG/

1.5.2 Configuring the ZXR10 ZSR V2 as an FTP ClientThis procedure describes how to configure the ZXR10 ZSR V2 as an FTP client.

PrerequisiteThe ZXR10 ZSR V2 can access the FTP server network.

Steps1. Configure and start an FTP server.

The following takes the WFTPD FTP server software as an example to describe howto configure an FTP server.

a. Run wftpd32.exe. The WFTPD window is displayed, see Figure 1-8.

1-12



Figure 1-8 WFTPD Window

b. Select Security > User/Rights…. The User/Rights Security dialog box isdisplayed, see Figure 1-9.

Figure 1-9 User/Rights Security Dialog Box

c. Perform the following steps in the User/Rights Security Dialog dialog box.

i. Click New User… to create a new user such as target, and set a password.

ii. Select target from the User Name drop-down list.

iii. Type a directory such as D: \IMG in the Home Directory text box for savingversion files or configuration files. After the configuration is completed, theuser name and home directory are displayed in the User/Rights SecurityDialog dialog box, seeFigure 1-10.

1-13



Figure 1-10 User/Rights Security Dialog Box

d. Click Done in Figure 1-10 to start the FTP server.

2. Upload and download a file through the router, which acts as an FTP client.

Command Function

ZXR10#ftp-client source-ip {ipv4 <ipv4-address>| ipv6<ipv6-address>[interface <interface-name>]}

Configures the source address for

copying files when the ZXR10 ZSR V2

functions as an FTP client.

ZXR10#copy ftp [vrf <vrf-name>] //HOST/filename@use

rname:password root: filename or directory&filename

[<listen_port>][ipaddr][interface <interface-name>]

Downloads a file from an FTP server to

the local client.

ZXR10#copy ftp [vrf <vrf-name>] root: filenameor directory&filename //HOST/filename@usern

ame:password [<listen_port>][ipaddr][interface<interface-name>]

Uploads a local file to an FTP server.


ExampleThe following example describes how to download or upload a file when the ZXR10 ZSRV2 functions as an FTP client.

A user whose user name is who and password is who uploads the startrun.dat filefrom the sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the FTP serverwhose IP address is 192.168.109.6.

ZXR10#copy ftp root:/sysdisk0/DATA0/startrun.dat

//192.168.109.6/startrun1.dat@who:who

Start copying file

Put file successfully!sent 3492803 bytes!!

1-14



A user whose user name is who and password is who downloads the startrun.dat filefrom the FTP server whose IP address is 192.168.109.6, and renames the file as startrun.bak.

ZXR10#copy ftp //192.168.109.6/startrun.dat@who:who

root: /datadisk0/startrun.bak

Start copying file

Got file successfully!Received 3492803 bytes!!

1.6 Configuring TFTP ConnectionBy means of TFTP, router version files and configuration files can be backed up andrestored.

PrerequisiteThe ZXR10 ZSR V2 can access the TFTP server network as a TFTP client.

Steps1. Configure and start a TFTP server.

The following takes the TFTP server software tftpd as an example to describe how toconfigure a TFTP server.

a. Run tftpd.exe. The TFTP server window is displayed, see Figure 1-11.

Figure 1-11 TFTP Server Window

b. Select Tftpd > Configure. The Tftpd Settings dialog box is displayed. ClickBrowse in the dialog box, and select a directory (such as the IMG directory onDisk D) to save version files or configuration files, see Figure 1-12.

1-15



Figure 1-12 Tftpd Settings Dialog Box

c. Click OK to complete the setting.

2. Upload and download a file through the TFTP client.

Command Function

ZXR10#copy tftp [ipv6][vrf <vrf-name>]//HOST/filename root: filename or directory

[<listen_port>]

Downloads a file from a TFTP server to

the local router.

ZXR10#copy tftp [ipv6][vrf <vrf-name>] root: filenameor directory //HOST/filename [<listen_port>]

Uploads a file from the local router to a

TFTP server.


ExampleThe following example describes how to upload the startrun.dat file from the datadisk0 directory of the ZXR10 ZSR V2 file system to the TFTP server whose IP address is192.168.4.244.

ZXR10#copy tftp root: /datadisk0/startrun.dat //192.168.4.244/startrun.dat

Starting copying file

.

File copying successfully.

The following example describes how to download the file startrun.dat from the TFTPserver whose IP address is 192.168.4.244, and to rename the file as startrun.bak.

ZXR10#copy tftp //192.168.4.244/startrun.dat root: /datadisk0/startrun.bak

Starting copying file

.

File copying successfully.

1-16



1.7 SFTP Connection Configration

1.7.1 Configuring the ZXR10 ZSR V2 as an SFTP ServerThis procedure describes how to configure the ZXR10 ZSR V2 as an SFTP server.


Steps1. Configure an SFTP server.

Command Function

ZXR10(config)#sftp-server top-directory <directory> Sets the top-level directory that the

SFTP server allows users access.

For how to configure a login user name and password of an SFTP server, refer to“Chapter 4 User Management”.


Command Function

ZXR10#show sftp-server Displays configuration information on

the SFTP server.


ExampleThe following gives an example of how to configure an SFTP server.


When the ZXR10 ZSR V2 functions as an SFTP server, the client can be a PC oranother type of device that supports the SFTP client function. Two ZXR10 ZSR V2sare connected, one functioning as an SFTP server, the other as an SFTP client thatdownloads files from the server, see Figure 1-13.

Figure 1-13 SFTP Server Configuration Example

l Configuration Flow1. On the SFTP server, enable the SSH function, and configure a listening port.

1-17



2. On the SFTP server, set the root directory of SFTP to /datadisk0/BAK/.3. On the SFTP server, configure the zte user name and password.4. Download a file from the SFTP server to verify the SFTP server function.


Run the following commands on the ZXR10 ZSR V2. For how to configure a username and password, refer to “Chapter 4 User Management”.

/*The configuration commands on the SFTP server are as follows:*/


R1(config)#ssh server enable listen 49152

R1(config)#sftp-server top-directory /datadisk0/BAK/

R1#dir BAK

Directory of MPFU-8/0: /datadisk0/BAK

897636 KB total (892760 KB free)

attribute size date time name

1 <DIR> 160 01-15-2014 08:43 .

2 <DIR> 160 01-15-2014 08:43 ..

3 ---- 615 01-15-2014 15:08 0130.txt

/*Downloads a file from the SFTP client.*/

R2#copy sftp vrf mng //169.1.219.14/0130.txt@zte:zte

root: /datadisk0/0130.txt encrypt 3des compress zlib mac md5 49152

Start copying file

.

Got file successfully!

1.7.2 Configuring the ZXR10 ZSR V2 as an SFTP ClientThis procedure describes how to configure the ZXR10 ZSR V2 as an SFTP client.

PrerequisiteThe ZXR10 ZSR V2 can access the SFTP server network.

Steps1. Configure an SFTP.

Start the SFTP server software. Functioning as a client, the ZXR10 ZSR V2communicates with the SFTP server.

2. Upload or download a file through the ZXR10 ZSR V2.

1-18



Command Function

ZXR10#copy sftp [vrf <vrf-name>] //HOST/filename@username:password root: filename or

directory&filename encrypt {none | aes128 |

blowfish | 3des} compress {none | zlib} mac {none

| sha1 | md5}[<listen_port>][ipaddr][interface<interface-name>]

Downloads a file from the SFTP server

to the local SFTP client.

ZXR10#copy sftp [vrf <vrf-name>] root: filenameor directory&filename //HOST/filename@u

sername:password encrypt {none | aes128 |

blowfish | 3des} compress {none | zlib} mac {none

| sha1 | md5}[<listen_port>][ipaddr][interface<interface-name>]

Uploads a file from the local SFTP client

to the SFTP server.


ExampleA user whose user name is who and password is who uploads the startrun.dat filein the /sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the SFTP serverwhose IP address is 192.168.109.6. The encryption algorithm is aes128, compressionalgorithm is zlib, and MAC check method is sha1.

ZXR10#copy sftp root:/sysdisk0/DATA0/startrun.dat

//192.168.109.6/startrun1.dat @who:who encrypt aes128 compress zlib mac sha1

Start copying file

...

Put file successfully!

A user whose user name is who and password is who downloads the startrun.dat

file from the SFTP server whose IP address is 192.168.109.6, and renames the file asstartrun.bak. The encryption algorithm is aes128, compression algorithm is zlib, andMAC check method is sha1.

ZXR10#copy sftp //192.168.109.6/startrun.dat@who:who root: /

datadisk0/startrun.bak encrypt aes128 compress zlib mac sha1

Start copying file

...

Got file successfully!

1-19



This page intentionally left blank.

1-20


Chapter 2File System ManagementTable of Contents

File System Overview.................................................................................................2-1Configuring File System Management ........................................................................2-2File System Management Configuration Examples.....................................................2-3

2.1 File System OverviewThe file system consists of a Flash, a BOOT and an NVRAM. In addition, there are twoUSB interfaces on the front panel of the Main Processing Unit (MPFU), which can be usedto back up or add configuration files, version files, and log files quickly and conveniently.

FlashThe Flash store version files, data files, system breakdown files, and operation logs. It hastwo partitions, which are mapped to the /sysdisk0 and /sysdisk0 folders under theroot directory of the Linux system respectively.

l /sysdisk0 partition: This is the system partition that stores version files, importantlog files, and data files. Users have the read permission, but do not have the writepermission. Users cannot delete and rename files, but can view files by running themore command. The /sysdisk0 partition does not support the format operation.

à /sysdisk0/DATA0: stores the startrun.dat text configuration file. The startrun.dat file is a configuration file in command line form, which is saved whenthe write command is run. When loading is performed, the system reads the startrun.dat file from the /sysdisk0/DATA0 folder, and loads configurationsin command line form. To upgrade the system, the startrun download commandcan be executed to load configuration from the local device or from the network.

à System breakdown files and exception log files: system breakdown files includethe Exc_Omp.txt and Exc_pp.txt files in the /sysdisk0/run_log directoryand the files in the /sysdisk0/run_log/EXCINFO directory.

l /datadisk0 partition: This is the data partition that stores log file and data filesrelevant to users' routine operations and maintenance as well as data files stored byusers as needed. Users have read and write permissions.

Service and alarm log files are stored in the /datadisk0/LOG directory, but thecommand log file (that is, the cmdlog file) is stored in the /sysdisk0/usrcmd_log/directory.

2-1



BOOTThe BOOT is used to save the OSIMAGE file for initializing boards and booting MPUs.

NVRAMThe NVRAM is used to save booting information, including the IP address of the devicemanagement port, IP address of an FTP server, and configuration loading mode.

2.2 Configuring File System ManagementThis procedure describes how to manage files and directories, format the hard disk userpartition, and save configuration information on the ZXR10 ZSR V2.

Stepsl Manage files and directories.

Command Function

ZXR10#dir [<filename-or-directory>|[<cpu-n

ame>]]

Displays a file information list:

l If no parameter is entered, the information

list of the files under the current directory is

displayed.

l If parameters are entered, the information list

of the files under the specified directory or the

specified file is displayed.

ZXR10#pwd Displays the current file path of this terminal.

ZXR10#cd <directory>[<cpu-name>] Switches to another file directory.

ZXR10#mkdir <directory>[<cpu-name>] Creates a directory. If the directory already exists,

an error prompt is returned.

ZXR10#rmdir <directory>[<cpu-name>] Deletes the specified directory. If there is a file in

this directory, the deletion fails.

ZXR10#delete <filename>[<cpu-name>] Deletes the specified file.

ZXR10#cp <source-file>[<cpu-name>]<destina

tion-file>[<cpu-name>]

Copies a file from a source directory to a

destination directory.

ZXR10#more <filename>[<cpu-name>][|{begin

| exclude | include}<line>]

Displays the content of the specified file. "|" is the

output flag.

<filename-or-directory>: file name (range: 1–79 characters), path/file name (range:1–159 characters), directory name (range: 1–79 characters), or path/directory name(range: 1–159 characters).

<cpu-name>: CPU name, default: the current board, format: [MPFU-<slot>/<cpu>]."<slot>", and "<cpu>" are the slot number, and CPU number respectively.

2-2


Chapter 2 File System Management

<directory>: directory name (range: 1–79 characters) or path/directory name (range:1–159 characters).

<filename>: file name (range: 1–79 characters) or path/file name (range: 1–159characters)

<source-file>: source file name (range: 1–79 characters) or path/file name (range:1–159 characters)

<destination-file>: destination file name (range: 1–79 characters) or path/file name(range: 1–159 characters)

{begin | exclude | include}<line>: regular expression.l begin: displays the configurations that start with the input character string.l include: displays the configurations that include the character string.l exclude: displays the configurations that do not include the character string.l <line>: configures the filtering character string.

l Modify the configuration loading mode when the ZXR10 ZSR V2 starts up.

Command Function

ZXR10(config)#load-mode null Configures the power-on loading mode to start

without a load.

l Save configurations.

Command Function

ZXR10#write Configures the information save mode.


2.3 File System Management Configuration Examples

2.3.1 File System Configuration ExampleEnter the datadisk0 directory, as shown below.

ZXR10#cd /datadisk0

Display the current path, as shown below.

ZXR10#pwd

MPFU-8/0: /datadisk0

List files in the current directory, as shown below.

ZXR10#dir

Directory of MPFU-8/0: /datadisk0

897636 KB total (892760 KB free)


2-3



1 <DIR> 424 01-15-2014 08:43 .

2 <DIR> 424 01-15-2014 08:43 ..

3 <DIR> 160 01-15-2014 08:43 BAK

4 <DIR> 416 01-02-2014 07:03 LOG

5 <DIR> 160 01-02-2014 07:03 license

ZXR10#

Delete files in the directory, as shown below.

ZXR10#delete /datadisk0/techspt/techspt_cpu-info.txt

Are you sure to delete file(s)?[yes/no]:y

Delete file(s) successfully.

Delete the techspt_cpu-info.txt file in the /datadisk0/techspt directory, as shownbelow.

ZXR10#delete techspt_cpu-info.txt

Are you sure to delete file(s)?[yes/no]:y

Delete file(s) successfully.

Rename “test” to “test_new”, as shown below.

ZXR10#rename test test_new

Rename successfully.

2.3.2 Configuration Example of Backing Up a Configuration Fileon a USB Flash Drive

1. Insert a USB flash drive into a USB interface on the MPU. Then, the systemautomatically mounts the USB flash drive. Run the show filesystem command toview the USB path.ZXR10#show filesystem

MPFU-8/0:

/sysdisk0

/datadisk0

/usb1:1

2. View files in the USB flash drive.ZXR10#dir /usb1:1

Directory of MPFU-8/0: /usb1:1

3739652 KB total (3482228 KB free)


1 <DIR> 4096 07-25-2012 19:20 .

2 <DIR> 4096 07-25-2012 19:20 ..

3 ---- 261304 07-23-2012 14:56 techspt_basic-info.txt

4 <DIR> 4096 07-25-2012 19:39 1

3. Run the cp command to copy the startrun.dat configuration file to the USB flashdrive.ZXR10#cp /sysdisk0/DATA0/startrun.dat /usb1:1/startrun.dat

2-4


Chapter 2 File System Management

Copy file successfully.

4. After the backup is completed, run the unmount command, and then remove the USBflash drive.ZXR10#umount usb1

MPFU-8/0: usb1 unmounted successfully!

2-5




2-6


Chapter 3MIM ConfigurationTable of Contents

MIM Overview ............................................................................................................3-1Configuring MIM.........................................................................................................3-1

3.1 MIM OverviewThe Management Information Model (MIM) refers to storing configuration data accordingto an information model established for service configuration data, checking objectoperations according to the model definition, and performing object operations to modifyconfiguration data. The MIM subsystem meets the unified requirements for configurationterminal command processing interfaces, such as commit, rollback, and CLI/SNMP.

As more and more configuration terminals come into being, the configuration modificationof each Application (APP) needs to support multiple types of configuration terminals.Before the MIM channel is used, an APP has a dedicated configuration processing flowfor each type of configuration terminal. As shown in Figure 3-1, MIM is an extensionof the existing OAM configuration command processing function. First, various typesof configuration commands modify MIM data, and then, MIM sends configurationmodification commands to the APP, which does not need to percept the types ofconfiguration terminals that the configuration commands come from, but only needs toprovide a program for processing MIM object operations.

Figure 3-1 MIM Application

3.2 Configuring MIMThis procedure describes how to configure the MIM function on the ZXR10 ZSR V2.

3-1



Steps1. Configure MIM.

Command Function

ZXR10#configure exclusive Configures the exclusive

function.

ZXR10#commit-mode {automatic | manual} Sets the commit mode

(automatic-commit mode or

manual-commit mode) for

configuration commands.

Default: automatic-commit.

ZXR10#commit Commits the configuration.

ZXR10#rollback Rolls back a configuration that

has not been committed or has

failed to be committed.

Note:

If a terminal is configured with the manual-commit mode and has configurations thathave not been committed, normal configuration of other terminals may be affected.

2. Verify configurations.

Command Function

ZXR10#show commit-mode Displays the commit mode.

ZXR10#show uncommitted-command Displays all the uncommitted commands

of the current configuration terminal.

ZXR10#show commit-failed Displays the configuration commands that

the current terminal has failed to commit in

manual-commit mode.

ZXR10#show configure exclusive Displays exclusive information.


ExampleThe following provides a MIM configuration example.


Enter a batch of configuration commands by running a script. Take care to avoidconfiguration collision.

3-2


Chapter 3 MIM Configuration

l Configuration Flow1. Configure the exclusive function to avoid collision.2. Change the command commit mode to the manual mode.3. Enter configuration commands by running a script.4. Commit the commands.

l Configuration CommandsZXR10#configure exclusive

ZXR10#conf t

Enter configuration commands, one per line. End with CTRL/Z.

ZXR10(config)#mu c

%Info 140359: Allow others to configure, must avoid conflict.

ZXR10(config)#commit-mode manual

/*Enters configuration commands by running a script. The process is omitted.*/

ZXR10(config)#commit


Check whether all the commands have been committed and become effective byrunning the show command.

3-3




3-4


Chapter 4User ManagementTable of Contents

User Management Overview ......................................................................................4-1Configuring User Management...................................................................................4-2User Management Configuration Examples................................................................4-7

4.1 User Management OverviewTo maintain and manage the ZXR10 ZSR V2, users need to log in to it in SSH, Telnet,or FTP mode. User management implements the configuration, authentication, andauthorization of users who have logged in to the ZXR10 ZSR V2.

The user-name command is used to configure or delete users. By running the user-namecommand, you can configure user names and passwords (clear text passwords of 3–32bits long or cipher text passwords of 64 bits long).

By configuring functions related to Authentication, Authorization and Accounting (AAA),user management provides user authentication and authorization in the following modes:

l None-authentication and none-authorizationl Local authentication and authorizationl Remote Authentication Dial In User Service (RADIUS) authentication and

authorizationl Terminal Access Controller Access-Control System Plus (TACACS+) authentication

and authorizationl RADIUS hybrid authentication and authorizationl TACACS+ hybrid authentication and authorization

When a user logs in to the ZXR10 ZSR V2 through SSH, Telnet, or FTP, user managementqueries the authentication template corresponding to the user to obtain the authenticationmode, and authenticates the user. If the authentication is passed, the user is authorized.If the authentication is failed, user management returns failure information.

After the user passes the authentication, user management authorizes the user. Afterthe user successfully logs in and is authorized, user management displays a commandview according to the user's privilege level. Therefore, the user cannot view or runcommands with privilege levels higher than the user's privilege level, but can view andrun commands with privilege levels lower than and equal to the user's privilege level. Thelocal-privilege-level command is used to set user privilege levels, which range fromlevel 0 (the lowest level) to level 15 (the highest level), and are level 0 by default.

4-1



4.2 Configuring User ManagementThis procedure describes how to configure user management functions.

Steps1. Enter ADM_MGR configuration mode, and configure user management parameters.


1 ZXR10(config)#system-user Enters user management

configuration mode.

2 ZXR10(config-system-user)#default-privilege-level

<0-15>

Configures the default

privilege level.

3 ZXR10(config-system-user)#strong-password length

<length> character {[capital][lowercase][number][special

-character]}

Configures a strong password.

Range: 6–32 characters. A

password needs to contain

any one type or several types

of the following characters:

uppercase letters, lowercase

letters, numbers, and special

characters.

4 ZXR10(config-system-user)#user-authen-restriction

fail-time <times> lock-minute <time>Locks the user after user

authentication has failed

consecutively. Range of the

number of failure times: 3–6,

range of locking time period:

1–1440 min.

5 ZXR10(config-system-user)#global-enable-type

{aaa|local} authentication-template <1–128>

Configures the global-enable

mode for users.

6 ZXR10(config-system-user)#account-switch {off | onaccounting-template <2001–2128>}

Configures the global

accounting mode.

7 ZXR10(config-system-user)#user-default Enters the default user

configuration mode.

8 ZXR10(config-system-user)#user-group special

<usergroup-name><username>{<password>| encrypted<password>}

Configures user group

information.

9 ZXR10(config-system-user)#login ascii authentication-

template <1–128> authortication-template<1–128>

Configures the ASCII

authentication template.

2. Configure an authentication template.

4-2


Chapter 4 User Management


1 ZXR10(config)#aaa-authentication-template <1-2128> Configures an AAA

authentication template,

and enters the configuration

mode of this template.

2 ZXR10(config-aaa-authen-template)#aaa-authenticat

ion-type {none | local | radius | local-radius | radius-local

| radius-none | local-tacacs | tacacs | tacacs-local |

tacac-none| diameter}

Configures an authentication

type under the AAA



configuration mode.

4 ZXR10(config-system-user)#authentication-template

<1–128>

Configures a user

management authentication

template, and enters the

configuration mode of this

template.

5 ZXR10(config-system-user-authen-temp)#bind

aaa-authentication-template <2001–2128>

Binds an AAA authentication

template in the configuration

mode of the user management


6 ZXR10(config-system-user-authen-temp)#bind

access-list ipv4/ipv6 <acl-name>

Binds an ACL template in the

configuration mode of the user


template.

7 ZXR10(config-system-user-authen-temp)#descript

ion <description>

Adds description information

on the user management

authentication template in the



template.

3. Configure an authorization template.


1 ZXR10(config)#aaa-authorization-template <1–2128> Configures an AAA

authorization template,

and enters the configuration

mode of this template.

2 ZXR10(config-aaa-author-template)#aaa-authorizati

on-type {none | local-radius | local-tacacs | local | radius

| tacacs | tacacs-local | radius-local }

Configures an authorization

type under the AAA

authorization template.

4-3





configuration mode.

4 ZXR10(config-system-user)#authorization-template

<1–128>

Configures a user

management authorization

template, and enters the

configuration mode of this

template.

5 ZXR10(config-system-user-author-temp)#bind

aaa-authorization-template <2001–2128>

Binds an AAA authorization

template in the configuration

mode of the user management


6 ZXR10(config-system-user-author-temp)#local-privi

lege-level <0-15>

Configures a local

authorization level in the



template.

7 ZXR10(config-system-user-author-temp)#descript

ion <description>

Adds description information

on the user management

authorization template in the



template.

8 ZXR10(config-system-user-author-temp)#local-cm

dgroup <group>

Binds a local command group

to the authorization template.

9 ZXR10(config-system-user-author-temp)#local-cmd

group-mode exclusive

Defines the command group

use mode as exclusive mode.

Default: appending mode.

10 ZXR10(config-system-user-author-temp)#log

file-allowed {cmd-log | alarm-log | nat-log | li-log |

service-log}[{read-only | none |read-write|copy}]

Configures the types of logs

that the authorization template

is allowed to access and

access privileges.

11 ZXR10(config-system-user-author-temp)#ftp

top-directory <directory>[{read-only |read-write|copy}]

Configures the top directory


is allowed to access through

FTP and access privileges.

12 ZXR10(config-system-user-author-temp)#sftp

top-directory <directory>{read-only |read-write|copy}

Configures the top directory


is allowed to access through

SFTP and access privileges.

4-4



4. Create a user, and bind an authentication template and authorization template.


1 ZXR10(config-system-user)#user-name <name> Configures a user name, and

enters use name configuration

mode.

2 ZXR10(config-system-user-username)#bind

authentication-template <1–128>

Binds a user management


3 ZXR10(config-system-user-username)#bind

authorization-template <1–128>

Binds a user management


4 ZXR10(config-system-user-username)#password

{<pwd>|encrypted <pwd>}

Configures a password.

5 ZXR10(config-system-user-username)#password-rec

over-remind

Configures information for

password recovery.

6 ZXR10(config-system-user-username)#password-d

uration <days>

Configures a password

validity period. The parameter

0 indicates never expiration.

Range: 90–360 days.

7 ZXR10(config-system-user-username)#once-passw

ord

Configures a rule that a

password should be changed

at the first login.

5. Configure other parameters in global mode.

Command Function

ZXR10(config)#enable secret level <1-18>{0<unencrypted-password>| 5 <encrypted-password>|<unencrypted-password>}

Sets passwords of all login privilege levels.

ZXR10(config)#login block <block-seconds>

attempts <tries> within <seconds>

Configures and activates the remote login

anti-attack monitoring function.

ZXR10(config)#login quiet-mode < ipv4-access-list |

ipv6-access-list ><access-list-name>

Configures an ACL for the quiet period.

ZXR10(config)#login on-failure alarm [every<failure-tries>]

Configures generating log information

or Trap information when failed login

attempts exist.


Command Function

ZXR10#show running-config adm-mgr [all] Displays user management configurations.

ZXR10#show user-group [special <usergroup-name>] Displays configured user group information.

4-5



Command Function

ZXR10#show authen-restriction userinfo Displays information on locked users and

users who have failed authentication. The

information includes user names, numbers

of authentication failure times, status

(locked or not locked), and remnant locking

time.

ZXR10#show login Displays configurations of the anti-attack

monitoring function.

ZXR10#show login state [{[telnet]|[ssh]|[ftp]}] Displays the status of the anti-attack

monitoring function and its statistical

information.

ZXR10#show login failure [{[telnet]|[ssh]|[ftp]}] Displays information on failed login

attempts of the anti-attack monitoring

function.


ExampleThe user-password recover-remind command that is used to configure user passwordrecovery reminders is an interactive command. The following provides examples of thiscommand.

eg1:

ZXR10(config-system-user)#user-password recover-remind zte

password is:***

question:what is your name

answer:***

ZXR10(config-system-user)#

eg2:


password is:***

%Error 59958: Password is wrong!


eg3:


password is:***

question:question is 012345678901234567890124567890123456789

%Error 59959: Question has been to upper limit!The limit is 50 characters!


4-6



eg4:


password is:***

question:what is your name

answer:zte 01234567890123456789012345678901234567890123456

%Error 59960: Answer has been to upper limit!The limit is 50 characters!


Descriptions of the command output:

Command Output Description

password is: Requires the input of the password corresponding to the user name. A

clear text password consists of 3–32 characters, and is displayed as

***. If the password is correct, continues to run the command. If the

password is incorrect, displays an error, and ends the command.

question: Requires the input of a prompt question for password recovery. The

question can consist of a maximum of 50 characters including spaces,

but cannot exclusively consist of spaces or include any question mark.

If the question has more than 50 characters, displays an error prompt.

If the question is normal, continues to run the command.

answer: Requires the input of an answer for password recovery. The answer

can consist of a maximum of 50 characters including spaces, but

cannot exclusively consist of spaces or include any question mark. If

the answer has more than 50 characters, displays an error prompt. If

the answer is normal, continues to run the command.

4.3 User Management Configuration Examples

4.3.1 Local Authentication and Authorization User ConfigurationExample

Configuration DescriptionAs shown in Figure 4-1, PC logs in to the router by serial port or Telnet, enters configurationmode and creates a user who uses local authentication mode.

Figure 4-1 Local Authentication and Authorization Configuration

4-7



Configuration Flow1. Configure an authentication template.2. Configure an authorization template.3. Create a user, bind authentication and authorization templates.

Configuration CommandR1(config)#aaa-authentication-template 2001

R1(config-aaa-authen-template)#aaa-authentication-type local

R1(config-aaa-authen-template)#exit

R1(config)#aaa-authorization-template 2001

R1(config-aaa-author-template)#aaa-authorization-type local

R1(config-aaa-author-template)#exit

R1(config)#system-user

R1(config-system-user)#authentication-template 1

R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001

R1(config-system-user-authen-temp)#exit

R1(config-system-user)#authorization-template 1

R1(config-system-user-author-temp)#bind aaa-authorization-template 2001

R1(config-system-user-author-temp)#local-privilege-level 15

R1(config-system-user-author-temp)#exit

R1(config-system-user)#user-name zte

R1(config-system-user-username)#bind authentication-template 1

R1(config-system-user-username)#bind authorization-templat 1

R1(config-system-user-username)#password zte

R1(config-system-user-username)#exit

R1(config-system-user)#exit

4.3.2 RADIUS-LOCAL Authentication and Authorization UserConfiguration Example

Configuration DescriptionAs shown in Figure 4-2, PC logs in to the router by serial port or Telnet, enters configurationmode and creates a user who uses RADIUS-local authentication mode.

4-8



Figure 4-2 RADIUS-LOCAL Authentication and Authorization User Configuration

Configuration Flow1. Configure a RADIUS group.2. Configure an authentication template.3. Configure an authorization template.4. Create a user, bind authentication and authorization templates.

Configuration Command/*This configures radius*/

R1(config)#radius authentication-group 1

R1(config-authgrp-1)#server 1 10.1.1.1 master key zte

R1(config-authgrp-1)#nas-ip-address 10.1.1.100

R1(config-authgrp-1)#algorithm round-robin

R1(config-authgrp-1)#max-retries 3

R1(config-authgrp-1)#timeout 30

R1(config-authgrp-1)#deadtime 0

R1(config-authgrp-1)#exit

/*This configures authentication template.*/

R1(config)#aaa-authentication-template 2001

R1(config-aaa-authen-template)#aaa-authentication-type radius-local

R1(config-aaa-authen-template)#authentication-radius-group 1


/*This configures authorization template.*/


R1(config-aaa-author-template)#aaa-authorization-type radius-local

R1(config-aaa-author-template)#authorization-radius-group 1



/*This binds authorization template.*/

4-9






/*This binds authentication template.*/





/*This creates user.*/







4.3.3 TACACS+ Authentication and Authorization UserConfiguration Example

Configuration DescriptionAs shown in Figure 4-3, PC logs in to the router by serial port or Telnet, enters configurationmode and creates a user who uses TACACS+ authentication mode.

Figure 4-3 TACACS+ Authentication and Authorization User Configuration

Configuration Flow1. Configure a TACACS+2. Configure an authentication template.3. Configure an authorization template.4. Create a user, bind authentication and authorization templates.

4-10



Configuration CommandR1(config)#tacacs enable

R1(config)#tacacs-server host 10.1.1.1 key zte

R1(config)#tacplus group-server ztegroup

R1(config-sg)#server 10.1.1.1

R1(config-sg)#exit


R1(config-aaa-authen-template)#aaa-authentication-type tacacs

R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup



R1(config-aaa-author-template)#aaa-authorization-type tacacs

R1(config-aaa-author-template)#authorization-tacacs-group ztegroup
















4.3.4 Configuring a Password Prompt Question for Resetting aPassword

Configuration DescriptionAs shown in Figure 4-4, a user logs in to the ZXR10 ZSR V2 from a PC through a serialport or Telnet. The user enters configuration mode to create an authentication user. Usersof any authentication mode can configure password recovery information, but passwordrecovery only takes effect for locally authenticated users.

4-11



Figure 4-4 Configuring a Password Prompt Question for Resetting a Password

Configuration Flow1. Configure an authentication template.2. Configure an authorization template.3. Create a user.4. Configure a password prompt question and an answer.5. Log in for password recovery.

Configuration CommandsRun the following commands on the ZXR10 ZSR V2:





R1(config-aaa-author-template)#aaa-authorization-type none










R1(config-system-user)#user-name who



R1(config-system-user-username)#password who

R1(config-system-user-username)#password-recover-remind

password is:***

question: who are you

answer:who

R1(config-system-user-username)#

/*Log in to the R1 through Telnet. Use the password prompt

question to reset the password.*/

4-12



R1#login

Username:recover-user who

question: who are you

answer: /*The input answer is not displayed.*/

Please input your new password:

Re-enter New password:

The password has been changed successfully,

please remember your new password!

Username:who

Password:

R1#

Note:

Note: If the input answer to the password prompt is correct, user who's password ischanged to a new password.

4.3.5 Configuring OAM Security Management

Configuration DescriptionAs shown in Figure 4-5, a user logs in to the ZXR10 ZSR V2 from a PC through a serialport or Telnet. The user enters configuration mode to create an authentication user. Toprevent user passwords from being cracked or stolen, the ZXR10 ZSR V2 supports settingpassword strength. A user who fails authentication consecutively is locked and forbiddento log in within a given period of time, so that the user cannot try to crack the passwordthrough repeated login attempts.

Figure 4-5 Configuring OAM Security Management

Configuration Flow1. Configure password strength.2. Create a user. Only if the password strength meets the requirements, can the creation

succeed.3. Configure an authentication template.4. Configure an authorization template.5. Configure the number of consecutive user authentication failure times and locking

period.

4-13



6. A user who fails authentication consecutively for the set number of times is locked.



R1(config-system-user)#strong-password length 6 character special-character

/*Configures the minimum password length as 6 characters, and configures that a

password should contain special characters.*/




R1(config-system-user-username)#password zte123*









R1(config-system-user)#user-authen-restriction fail-time 3 lock-minute 2

/*Configures the number of consecutive user authentication failure times as 3, and

configures the locking period as 2 min.*/








/*A user logs in to the R1 through Telnet. The user fails authentication

consecutively for the set number of times, and is locked.*/

R1#login

Username:zte

Password:

% Local password error!

Username:zte

Password:


4-14



Username:zte

Password:


Still logged in as "who" /*The original login user name is who.*/

R1#login

Username:zte

Password:

% User is locked

R1#show authen-restriction userinfo

Username Failed-time State Remain (minute)

zte 3 locked 1

4.3.6 Configuring a Password Validity Period

Configuration DescriptionAs shown in Figure 4-6, a user logs in to the ZXR10 ZSR V2 from a PC through a serialport or Telnet. The user enters configuration mode to create another user. By default, thepassword of this account never expires. You can set a validity period (90–360 days) forthis account by running a configuration command, and test whether the validity period iseffective by changing the system time.

Figure 4-6 Configuring a Password Validity Period

Configuration Flow1. Create a user.2. Configure an authentication template.3. Configure an authorization template.4. Sets a password validity period.5. Change the system time to test whether the validity period is effective.








4-15









R1(config-system-user-username)#password-duration 90 /*Configures a password

validity period.*/








R1(config-aaa-author-template)#end

Configuration VerificationR1#show username

Username Encrypted-Password AuthenNo. AuthorNo. AgingTime Set-Time

zte ce7c04930c52bfe1669f6c22 1 1 89 2012-6-28

9ef61b761ec847e5b3052bdb

51456385bb2a9a57

/*Change the system time, so that the password expires.*/

R1#show clock

17:37:48 UTC Thu Jun 28 2012 /*Current time.*/

R1#clock set 15:10:39 9-20-2013 /*Changes the system time, so that the

password expires.*/

R1#show username /*After the system time is changed, the command output displays

that the password has expired.*/

Username Encrypted-Password AuthenNo. AuthorNo. AgingTime Set-Time

zte ce7c04930c52bfe1669f6c22 1 1 expired 2012-6-28

9ef61b761ec847e5b3052bdb

51456385bb2a9a57

R1#login

Username:zte

Password:

%User password expired /*The password has expired. The user cannot log in to

the R1.*/

4-16



4.3.7 Configuring First-Login Password Modification

Configuration DescriptionAs shown in Figure 4-7, a user logs in to the ZXR10 ZSR V2 from a PC through a serialport or Telnet. The user enters configuration mode to create another user, and configuresonce-password (only valid for locally authenticated users). During the next login, the usercan use the self-configured password. The default range of a password is 3–32 characters.

Figure 4-7 Configuring First-Login Password Modification

Configuration Flow1. Create a user.2. Configure an authentication template.3. Configure an authorization template.4. Configure the first login password modification function.5. During login, the user can set a password. The next time, the user can use the new

password to successfully log in.














R1(config-system-user-username)#once-password /*Configures first-login

password modification.*/





4-17






R1(config-aaa-author-template)#end

Configuration VerificationR1#login

Username:zte

Password:

Your password has expired.

Enter a new one now.

New password: /*Configure a new password, which is not displayed.*/

Re-enter new password: /*Confirm the new password, which is not displayed.*/

The password has been changed successfully,

Please remember your new password!

R1#login

Username:zte

Password: /*Enter the new password*/

R1# /*The user login is successful.*/

R1#who

Line User Host(s) Idle Location

66 vty 0 who idle 00:01:17 169.1.1.13

* 67 vty 1 zte idle 00:00:00 169.1.1.13

68 vty 2 who idle 00:00:00 169.1.1.10

4.3.8 Relations Between Raising Privilege Levels and the EnableCommand

Configuration DescriptionIn Figure 4-8, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet.The user enters configuration mode to create another user and give the user a privilegelevel. If the privilege level is too low, the enable command can be used to raise the level.The default "enable" authentication mode is "local", and the default password is "R1".

Figure 4-8 Configuring the Raising of a Privilege Level

Configuration Flow1. Create a user.

4-18



2. Configure an authentication template.3. Configure an authorization template.4. Configure an "enable" password to raise the user's privilege level.


R1(config)#tacacs enable

R1(config)#tacacs-server host 10.1.1.1 key zte

R1(config)#tacplus group-server ztegroup

R1(config-sg)#server 10.1.1.1

R1(config-sg)#exit
















R1(config-aaa-authen-template)#aaa-authentication-type tacacs-local

R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup





The following provides a global "enable" authentication configuration mode, which can beset to aaa mode or local mode. The aaa mode means using the "enable" password set bythe server.


R1(config-system-user)#global-enable-type aaa authentication-template 1

/*Configures user's enable command authentication mode.*/


4-19



There are two methods for configuring an "enable" password to raise user's privilege levelto the highest level:

l In global configuration mode, run the enable secret level command. For details, referto “Chapter 5 Command Privilege Level Classification”.

l In global configuration mode, run the nvram enable-password command. For details,refer to the Setting Configurations Kept in NVRAM section the ZXR10 ZSR V2 InitialConfiguration Guide.

You can configure the recovery function for a password configured in the NVRAM.

R1(config)#enable secret recover-remind

password:*****

question:zte

answer:zte

/*If you forget the local enable password, you can run the recover-enable command

under privilege level 1 to restore the default password.*/

R1>recover-enable

question:zte

answer:***

%Info 40449: Recover-enable ok! New enable password is: zxr10.

Configuration VerificationConfigure a corresponding enable password on the AAA server. After the user logs innormally and passes authentication, the user privilege level is raised.

4-20


Chapter 5Command Privilege LevelClassificationTable of ContentsCommand Privilege Level Overview ...........................................................................5-1Configuring Command Privilege ................................................................................5-1Command Privilege Level Configuration Example ......................................................5-2

5.1 Command Privilege Level OverviewThe ZXR10 ZSR V2 supports the command privilege level function. Command privilegelevel management is used to configure command privileges. Users can run the privilegecommand to configure the privilege of a command.

Command privilege levels range from level 1 to level 15. Different commands can beconfigured with different privilege levels. After a user logs in, a command view is displayedaccording to the user's privilege level. Therefore, the user cannot run commands whoseprivilege levels are higher than the user's level. Users with the highest level (that is,administrators with level 15) can set privilege levels for commands.

5.2 Configuring Command PrivilegeThis procedure describes how to configure command privileges.

Steps1. Configure command privileges.

Command Function

ZXR10(config)#privilege <logic-mode>[all] level {<level>|

default}<command-keywords>

Configures a command privilege

level.

ZXR10(config)#no privilege <logic-mode>[all] node<command-keywords>

Restores the default command

privilege level.

[all]: all commands beginning with this keyword.

level <level>: privilege level, range: 1–15

default: default command privilege level.

<command-keywords>: command keywords, range: 1–200 characters.

5-1




Command Function

ZXR10#show privilege [{cur-mode | show-mode}{det

ail | level < level>| node <command-keywords>}]Displays the privilege level of the

current terminal or command privilege

configurations.

cur-mode : displays privilege level information in the current command mode.

show-mode: displays privilege level information in show mode.

detail: displays privilege levels of all commands.

level <level>: displays the commands of the specified privilege level, range: 1–18.

<command-keywords>: the privilege level of the specified command, range: 1–200characters.

In user mode, the show privilege command has no parameter. It is used to display theprivilege level of the current terminal.


5.3 Command Privilege Level Configuration ExampleConfiguration DescriptionIt is required to configure different privilege levels for two types of users who operate theZXR10 ZSR V2. The privilege level of Type A users is 15, and these users can do alloperations, such as view and configuration. The privilege level of Type B users is 5. Theyneed to use the show clock command to view the system clock.

It is also required to allow Type B users to raise their own privilege level to level 8 byrunning the enable command, so that they can set the time zone.

Configuration Flow1. Change the privilege level of the show clock command to 5 or lower than 5. In this

example, this privilege level is set to 5.2. Change the privilege level of the clock timezone command to 8, or lower than 8 but

higher than 5. In this example, this privilege level is set to 7.3. Create a type A user named ZTE_A and a type B user named ZTE_B. ZTE_A's

privilege level is 15, and ZTE_A'B privilege level is 5.4. Configure the "enable" password that is used to raise user's privilege level to level 8.


ZXR10(config)#privilege show all level 5 show clock

/*Displays the privilege level configuration of the show clock command.*/

5-2


Chapter 5 Command Privilege Level Classification

ZXR10(config)#privilege configure level 7 clock

ZXR10(config)#privilege configure level 7 clock timezone

/*Displays the privilege level configuration of the clock timezone command.*/

ZXR10(config)#system-user

ZXR10(config-system-user)#authentication-template 1

ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2001

ZXR10(config-system-user-authen-temp)#exit

ZXR10(config-system-user)#authorization-template 1

ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2001

ZXR10(config-system-user-author-temp)#local-privilege-level 15

ZXR10(config-system-user-author-temp)#exit

ZXR10(config-system-user)#user-name ZTE_A

ZXR10(config-system-user-username)#bind authentication-template 1

ZXR10(config-system-user-username)#bind authorization-templat 1

ZXR10(config-system-user-username)#password ZTE_A_15

ZXR10(config-system-user-username)#exit

/*Create ZTE_A and configure the user's authorization level.*/

ZXR10(config-system-user)#authentication-template 2

ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2002

ZXR10(config-system-user-authen-temp)#exit

ZXR10(config-system-user)#authorization-template 2

ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2002

ZXR10(config-system-user-author-temp)#local-privilege-level 5

ZXR10(config-system-user-author-temp)#exit

ZXR10(config-system-user)#user-name ZTE_B

ZXR10(config-system-user-username)#bind authentication-template 2

ZXR10(config-system-user-username)#bind authorization-templat 2

ZXR10(config-system-user-username)#password ZTE_B_5

ZXR10(config-system-user-username)#exit

ZXR10(config-system-user)#exit

/*Create ZTE_B and configure the user's authorization level.*/

ZXR10(config)#aaa-authentication-template 2001

ZXR10(config-aaa-authen-template)#aaa-authentication-type local

ZXR10(config-aaa-authen-template)#exit

ZXR10(config)#aaa-authorization-template 2001

ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local

ZXR10(config-aaa-author-template)#exit

/*Configure the authentication and authorization templates of ZTE_A*/

ZXR10(config)#aaa-authentication-template 2002

ZXR10(config-aaa-authen-template)#aaa-authentication-type local

5-3



ZXR10(config-aaa-authen-template)#exit

ZXR10(config)#aaa-authorization-template 2002

ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local

ZXR10(config-aaa-author-template)#exit

/*Configure the authentication and authorization templates of ZTE_B*/

ZXR10(config)#enable secret level 8 level-8

/*Configure the password of the level-8 user login privilege.*/

Configuration VerificationRun the following commands to view ZTE_A's privilege level. The execution result isdisplayed as follows:

Username:ZTE_A

Password:

ZXR10#show privilege

Current privilege level is 15

/*Indicates that ZTE_A's privilege level is 15.*/

Exec commands:

alarm-confirm Confirm the alarm by flowid

cd Change current directory

cfm Executing CFM detecting functions

clear Reset functions

clock Manage the system clock

commit Commit the configuration

configure Enter configuration mode

copy Copy from one file to another by ftp/tftp

cp Copy from one file to another locally

debug Debugging functions

delete Delete a file

--More—

ZXR10#configure terminal


ZXR10(config)#?

/*Displays the commands that can be used by ZTE_A in global configuration mode.*/

Configure commands:

aaa-accounting-template AAA accounting template configurations

aaa-authentication-template AAA authentication template configurations

aaa-authorization-template AAA authorization template configurations

alarm Configure the alarm parameters

alarm-mask Configure the alarm-mask parameters

aps Configure APS instance

arp Enter ARP configuration mode

5-4



banner Terminal line banner

bfd Configure bfd

cfm Enter CFM configuration mode

check Configure intervals of check

class-map Configure H-QoS class map

clock Configure board clock

--More—

Run the following commands to view ZTE_B's privilege level. The execution result isdisplayed as follows:

Username:ZTE_B

Password:



/*Indicates that ZTE_B's privilege level is 5.*/

ZXR10#?

/*Displays the commands that can be used by ZTE_B in privilege configuration mode.*/

Exec commands:

cd Change current directory

cfm Executing CFM detecting functions

clock Manage the system clock

configure Enter configuration mode

debug Debugging functions

dir List files on a filesystem

disable Turn off privileged commands

enable Turn on privileged commands

exit Exit from the EXEC

--More—



ZXR10(config)#?

/*Displays the commands that can be used by ZTE_B in global configuration mode.*/

Configure commands:

end Exit from configure mode

exit Exit from configure mode

ping Send echo messages

ping6 Send IPv6 echo messages

show Show running system information

trace Trace route to destination

trace6 Trace route to destination using IPv6

ZXR10(config)#

ZXR10(config)#show ?

clock Show current system clock

5-5



privilege Show current privilege level

Raise ZTE_B's privilege level to level 8, as shown below:

Username:ZTE_B

Password:



/*Indicates that the privilege level of ZTE_B is 5.*/

ZXR10#enable 8

Password:



/*Indicates that the privilege level of ZTE_B has been raised to 8.*/



ZXR10(config)#?

Configure commands:

clock Configure board clock

/*Indicates that the clock command has been added to the commands that ZTE_B can use.*/

end Exit from configure mode

exit Exit from configure mode

ping Send echo messages

ping6 Send IPv6 echo messages

show Show running system information

trace Trace route to destination

trace6 Trace route to destination using IPv6

ZXR10(config)#clock ?

timezone Configure time zone

View the configurations on the ZXR10 ZSR V2, as shown below:

ZXR10#enable /*Raises the user's privilege level to the default level, level 15.*/

Password: /*The input password is not displayed.*/

ZXR10#show running-config adm-mgr

! <ADM_MGR>

enable secret level 8 5 52ZJX4aBmmYKbWdVFpSvwg==

system-user

authentication-template 1

bind aaa-authentication-template 2001

$

authentication-template 2

bind aaa-authentication-template 2002

$

authorization-template 1

bind aaa-authorization-template 2001

5-6



local-privilege-level 15

$

authorization-template 2

bind aaa-authorization-template 2002

local-privilege-level 5

$

username ZTE_A

bind authentication-template 1

bind authorization-template 1

password encrypted 51213031a28daa4a18e939b9cc837320

43f467d88315721af066dc4f1c385a28

$

username ZTE_B

bind authentication-template 2

bind authorization-template 2

password encrypted a5e686cd3e6778917691bb099a4da1d7

9768a6b9752b942fe5b431ec3fff8468

$

$

! </ADM_MGR>

ZXR10#show running-config aaa

! <AAA>

aaa-authentication-template 2001

aaa-authentication-type local

$

aaa-authentication-template 2002

aaa-authentication-type local

$

aaa-authorization-template 2001

aaa-authorization-type radius-local

$

aaa-authorization-template 2002

aaa-authorization-type radius-local

$

! </AAA>

ZXR10#show running-config oam

! <OAM>

privilege show all level 5 show clock

privilege configure level 7 clock

privilege configure level 7 clock timezone

! </OAM>

5-7




5-8


Chapter 6SNMP ConfigurationTable of Contents

SNMP Basic Configuration .........................................................................................6-1SNMP Anti-Violence Attack ......................................................................................6-10

6.1 SNMP Basic Configuration

6.1.1 SNMP OverviewThe Simple Network Management Protocol (SNMP) is the most popular NetworkManagement System (NMS) protocol, and belongs to the application layer of the TransferControl Protocol/Internet Protocol (TCP/IP) stack. The SNMP module is at the highestlayer of the router system. Administrators use SNMP as a main way to operate, controland maintain the router. In order to perform network management, users use NMSsoftware to send and receive SNMP packets between the managed network elementsand the management station.

The basic process of SNMP network management is as follows:

1. A unique ID (OID) is allocated to the object to be managed in the router. The allocationof OID is determined in a unified way by the Request For Comments (RFC).

2. When users need to read or modify the value of an object, the object OID and operationtype (read or write) are sent to the router as an SNMP request packet.

3. The SNMP agent in the router finds the object data according to the OID, performs thecorresponding operations, and then sends the result as an SNMP response packet tothe user.

By default, SNMP uses UDP as the transmission protocol.

6.1.2 Configuring SNMPThis procedure describes how to configure SNMP during equipment management by usingSNMP.

Steps1. Enable SNMP V1, V2c, and V3.

6-1



Command Function

ZXR10(config)#snmp-server version {v1 | v2c | v3}

enable

Enables SNMP V1, V2, and V3 for

receiving packets from and sending

packets to clients.

There are two states: enable and

disable. Default: disable.

2. Configure an SNMP packet community.

Command Function

ZXR10(config)#snmp-server community {encrypted<encrypted-para>|<unencrypted-para>[showclear]}[view<view-name>][{ro | rw}][{[ipv4-access-list<ipv4_acl_name>],[ipv6-access-list <ipv6_acl_name>]}]

Configures an SNMP packet

community string.

<encrypted-para>: cipher text community string, 64 characters.

<unencrypted-para>: clear text community string, range: 1–32 characters.

showclear: If this parameter is configured, the community string is displayed in cleartext. If not, the community string is displayed in cipher text.

<view-name>: view name, range: 1–32 characters.

ro | rw: The ro parameter indicates only reading a MIB object. The rw parameterindicates reading and writing a MIB object.

3. Define an SNMP view.

Command Function

ZXR10(config)#snmp-server view <view-name><subtre

e-id>{included | excluded}

Defines an SNMP view.

<subtree-id>: specifies the MIB sub-tree ID or node name of the MIB sub-tree for theview name. Range: 1–79 characters.

included | excluded: The sub-tree is included or excluded.

4. Set MIB object information.

Command Function

ZXR10(config)#contact <mib-syscontact-text> Configures the contact method of the

person who is in charge of the MIB

object. Range: not longer than 200

characters.

ZXR10(config)#location <mib-syslocation-text> Configures the description of the MIB

object system location. Range: not

longer than 200 characters.

6-2


Chapter 6 SNMP Configuration

5. Set the types of Trap and Inform messages that are allowed to be sent.

Command Function

ZXR10(config)#snmp-server enable inform

[<notification-type>]

Enables the agent to send notifications

and sets the types of notifications to

be sent.

The notification types can be all or one

of the bgp, ospf, rmon, snmp, stalarm

and vpn types.

ZXR10(config)#snmp-server enable Trap

[<notification-type>]

Enables the agent to send Trap

messages and sets the types of Trap

messages to be sent.

The Trap message types can be all

or one of the bgp, ospf, rmon, snmp,

stalarm and vpn types.

6. Set the Trap destination host.

Command Function

ZXR10(config)#snmp-server host [ vrf<vrf-name>]<ip-address>{Trap | inform} version {1 | 2c | 3

{auth | noauth | priv}}<community-name/user>[udp-port<udp-port>][<Trap-type>]

Configures the destination for receiving

SNMP notifications. The snmp-server

host command needs to be used

together with the snmp-server enable

command.

vrf <vrf-name>: VRF name, range: 1–31 characters.

<ip-address>: defines the IP address of a host. IPv4 and IPv6 are supported.

Trap | inform: specifies sending Trap messages or notifications to a host.

version 1 | 2c | 3 : the SNMP version (v1, v2c, or v3).

auth: The packets to be sent are authenticated but not encrypted.

noauth: The packets to be sent are not authenticated or encrypted.

priv: The packets to be sent are authenticated and encrypted.

<community-name/user-name>: community name string of SNMP v1/v2 or SNMPv3 username, range: 1–32 characters.

udp-port <udp-port>: number of the UDP port for sending Trap or inform messages,range: 1–65535.

<Trap-type>: Trap or Inform type. The Trap type can be all or one of the bgp, ospf,rmon, snmp, stalarm and vpn types.

7. Enable the system log function.

6-3



Command Function

ZXR10(config)#logging on Enables the system log function.

8. Set the level of the alarm message sent to the Trap server.

Command Function

ZXR10(config)#logging Trap-enable <alarmlevel> Sets the level of the alarm message

sent to the Trap server.

9. Configure other SNMP parameters.

Command Function

ZXR10(config)#snmp-server engine-id <engine-id> Configures the SNMP local

engine ID. Hexadecimal number,

range: 1–24 characters, default:

830900020300010289d64401. As the

core part of an SNMP entity, the SNMP

engine sends, receives and validates

SNMP messages, extracts Packet Data

Unit (PDU) assembly messages, and

communicates with SNMP application

programs.

ZXR10(config)#snmp-server input-limit <packets> Sets the SNMP packet receiving speed.

Range: 100–1000, default: 200 pps.

ZXR10(config)#snmp-server packetsize

<snmp-packet-max-size>

Configures the maximum length of

SNMP packets. Unit: byte, range:

484–8192, default: 8192.

ZXR10(config)#snmp-server Trap-source <ip-address> Configures the source IP address of all

Traps.

ZXR10(config)#snmp-server access-list {ipv4| ipv6}<

acl-name>

Uses a configured Access Control List

(ACL) to control the hosts that can

access the system through SNMP.

10. Configure SNMPv3.


1 ZXR10(config)#snmp-server context

<context-name>

Defines the SNMPv3 context name.

Range: 1–16 characters.

6-4




2 ZXR10(config)#snmp-server group

<groupname> v3 {auth | noauth|priv}[context<context-name>{match-prefix | match-exact}][read<readview>][write <writeview>][notify<notifyview>]

Configures a new SNMP group

(mapping SNMP users to SNMP

views).

3 ZXR10(config)#snmp-server user <user-na

me><group-name> v3 {encrypted auth {md5 |

sha}<auth-key>[priv des56 |<privacy-key>]|[auth

{md5 | sha}|<auth-password>|[priv des56

|<privacy-password>]]}

Configures an SNMPv3 user.

group <groupname>: name of the SNMP group to be configured, range: 1–32characters.

v3: specifies that the group is to be used in SNMPv3.

auth: specifies that packets are to be authenticated, but not encrypted.

noauth: specifies that packets are not to be authenticated or encrypted.

priv: specifies that packets are to be authenticated and encrypted.

<context-name>: context of the group, range: 1–30 characters.

match-prefix: defines the context matching mode as prefix mode.

match-exact: defines the context matching mode as exact mode.

read <readview>: read view, range: 1–30 characters.

write <writeview>: write view, range: 1–30 characters.

notify <notifyview>: notify view, range: 1–30 characters.

user <username>: SNMP user name, range: 1–32 characters.

<groupname>: group name related to user, range: 1–32 characters.

v3: specifies that the user uses SNMPv3.

encrypted: specifies that the password to be entered is not clear text but cipher text.It is not recommended to use this option.

auth : specifies that the user has the authentication privilege.

md5 | sha: uses Hashed Message Authentication Code with MD5 (HMAC-MD5)–96 asthe authentication mode, or uses HMAC-SHA-96 as the authentication mode.

<auth-key>: authentication password or authentication key, range: 1–30 characters. Ifit is an encrypted password, its range is 32–40 characters.

des56: uses CBC-DES as the encryption mode.

<priv-key>: cipher text encryption password, range: 1–32 characters.

6-5



<auth-password>: authentication password (or authentication key), range: 1–31characters. If it is an encrypted password, its range is 32–40 characters.

<priv-password>: clear text encryption password, range: 1–32 characters.


Command Function

ZXR10#show snmp Displays SNMP state attributes.

ZXR10#show snmp config Displays the configurable SNMP state

attributes.

ZXR10#show snmp engine-id Displays the local SNMP engine ID.

ZXR10#show snmp group Displays the configured SNMP groups.

ZXR10#show snmp security Displays the configurations of SNMP

security.

ZXR10#show snmp security failures Displays the IP addresses and number of

times of wrong community login attempts

in SNMP detection mode.

ZXR10#show snmp security trust-users Displays the trusted users learned by

SNMP dynamically and configured

manually.

ZXR10#show snmp user Displays the information on configured

SNMP users.

ZXR10#show running-config snmp [|{begin | exclude |

include}<line>]

Displays the configurations of SNMP.


6.1.3 SNMP Configuration Example

Configuration DescriptionBy configuring the SNMP function, a user can use a network management server tomanage the devices in the network, see Figure 6-1.

Figure 6-1 SNMP Configuration Example Topology

6-6



Configuration Flow1. Configure an SNMP packet community string. SNMPv1/v2c uses community string

authentication mode. An SNMP community string is named with a character string,and has an access privilege (read-only or read-write).

2. Designate a view name to the configured community string. Designate the default viewto the community string if the view parameter is not configured. Designate the defaultprivilege (ro) to the community string, if the parameter ro | rw is not configured. Userscan only perform operations in the permitted view range, whether ro or rw is specified.

3. Configure alarm Trap. Configure the types of Trap messages to be sent and thedestination host. Trap messages are actively sent by managed devices to NMS. Theyare used to report urgent and important events. By default, all types of Trap messagesare sent.

Configuration CommandsRan the following commands on the ZXR10 ZSR V2:

R1(config)#snmp-server version v2c enable

R1(config)#location No.68 Zijinghua Rd. Yuhuatai District, Nanjing, China

R1(config)#contact +86-25-52870000

R1(config)#snmp-server packetsize 1400

R1(config)#snmp-server engine-id 830900020300010289d64401

R1(config)#snmp-server community public view AllView ro

R1(config)#snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp

R1(config)#snmp-server host 61.139.48.18 Trap version 2c public udp-port 162

R1(config)#snmp-server enable Trap

R1(config)#snmp-server enable inform

R1(config)#logging on

R1(config)#logging Trap-enable warnings

Configuration VerificationRun the show command to check the configurations. The execution result is displayed asfollows.

R1(config)#show snmp config

snmp-server community encrypted

d6ddeaa4dab74523b246fe346c94c31ae58b79ad4776396438ea1e9bb01a9ef3

view AllView ro

snmp-server enable inform snmp

snmp-server enable inform bgp

snmp-server enable inform mac

snmp-server enable inform ospf

snmp-server enable inform stp

snmp-server enable inform ppp

snmp-server enable inform arp

6-7



snmp-server enable inform rmon

snmp-server enable inform udld

snmp-server enable inform cfm

snmp-server enable inform efm

snmp-server enable inform lacp

snmp-server enable inform mc-elam

snmp-server enable inform tcp

snmp-server enable inform sctp

snmp-server enable inform stalarm

snmp-server enable inform cps

snmp-server enable inform interface

snmp-server enable inform acl

snmp-server enable inform fib

snmp-server enable inform pim

snmp-server enable inform isis

snmp-server enable inform rip

snmp-server enable inform msdp

snmp-server enable inform aps

snmp-server enable inform config

snmp-server enable inform am

snmp-server enable inform um

snmp-server enable inform system

snmp-server enable inform ldp

snmp-server enable inform pwe3

snmp-server enable inform vpn

snmp-server enable inform mpls-oam

snmp-server enable inform ptp

snmp-server enable inform tunnel-te

snmp-server enable inform radius

snmp-server enable inform dhcp

snmp-server enable inform bfd

snmp-server enable inform ippool

snmp-server enable inform ntp

snmp-server enable inform ssm

snmp-server enable inform sqa

snmp-server enable inform ipsec

snmp-server enable inform cgn

snmp-server enable inform vrrp

snmp-server enable inform ftp_tftp

snmp-server enable inform ping-trace

snmp-server enable inform gm

snmp-server enable Trap snmp

snmp-server enable Trap bgp

snmp-server enable Trap mac

snmp-server enable Trap ospf

6-8



snmp-server enable Trap stp

snmp-server enable Trap ppp

snmp-server enable Trap arp

snmp-server enable Trap rmon

snmp-server enable Trap udld

snmp-server enable Trap cfm

snmp-server enable Trap efm

snmp-server enable Trap lacp

snmp-server enable Trap mc-elam

snmp-server enable Trap tcp

snmp-server enable Trap sctp

snmp-server enable Trap stalarm

snmp-server enable Trap cps

snmp-server enable Trap interface

snmp-server enable Trap acl

snmp-server enable Trap fib

snmp-server enable Trap pim

snmp-server enable Trap isis

snmp-server enable Trap rip

snmp-server enable Trap msdp

snmp-server enable Trap aps

snmp-server enable Trap config

snmp-server enable Trap am

snmp-server enable Trap um

snmp-server enable Trap system

snmp-server enable Trap ldp

snmp-server enable Trap pwe3

snmp-server enable Trap vpn

snmp-server enable Trap mpls-oam

snmp-server enable Trap ptp

snmp-server enable Trap tunnel-te

snmp-server enable Trap radius

snmp-server enable Trap dhcp

snmp-server enable Trap bfd

snmp-server enable Trap ippool

snmp-server enable Trap ntp

snmp-server enable Trap ssm

snmp-server enable Trap sqa

snmp-server enable Trap ipsec

snmp-server enable Trap cgn

snmp-server enable Trap vrrp

snmp-server enable Trap ftp_tftp

snmp-server enable Trap ping-trace

snmp-server enable Trap gm

snmp-server engine-id is 830900020300010289d64401

6-9



snmp-server host 61.139.48.18 Trap version 2c public udp-port 162 snmp bgp mac

ospf stp ppp arp rmon udld cfm efm lacp mc-elam tcp sctp stalarm cps interface

acl fib pim isis rip msdp aps config am um system ldp pwe3 vpn mpls-oam ptp

tunnel-te radius dhcp bfd ippool ntp ssm sqa ipsec cgn vrrp ftp_tftp ping-trace gm

snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp

snmp-server packetsize is 1400

snmp-server security dynamic-trust-user idle-timeout 1800

snmp-server view AllView internet included

snmp-server view DefaultView system included

snmp-server version v2c enable

6.2 SNMP Anti-Violence Attack

6.2.1 SNMP Anti–Brute Force Attack Overview

SNMP Anti–Brute Force Attack DescriptionA brute force attack means generating huge numbers of passwords with code generationsoftware, and trying each one. As long as there are enough chances and the passwordhas no protection, the most complicated key can be broken.

The security policy defined in SNMP v1 and SNMP v2 is simple, which uses clear text totransfer community strings, which are passwords between SNMPmanagement processesand agent processes. These passwords can be cracked by attackers using brute forceattacks. The SNMP anti–brute force attack function is used to prevent DoS attacks andbrute force attacks.

SNMP Anti–Brute Force Attack FeaturesThe SNMP anti–brute force attack function has introduced two concepts: block and quietmode. If the detection policy is enabled, the router can reject all SNMP requests in blockmode when finding repeated SNMP community string attempt failures. The block statecan last for a period known as "quiet period".

l To ensure that trusted user can access the ZXR10 ZSR V2 normally, the SNMPsecurity function supports dynamically learning and manually configuring trustedusers. In quiet mode, the ZXR10 ZSR V2 only allows to handle requests from trusteduser (if an ACL is configured in advance, the requests still need to be filtered throughthe ACL first).

l Dynamically-learned trusted users refer to users who have accessed the ZXR10 ZSRV2 and are automatically recorded by it. If these users have not accessed the ZXR10ZSR V2 again until the set period (ageing time) expires, they will be aged by thedevice. Dynamically-learned trusted users can also be manually cleared. Users canconfigure the ageing time, which is 1800 s by default.

6-10



l In practical applications, some network management user addresses that can beused to access the device are fixed. These users are reliable and do not needautomatic ageing. To meet this requirement, the ZXR10 ZSR V2 allows users tomanually configure trusted users who are not aged, but they can be cleared byrunning the no command.

l To prevent that users unintentionally enter wrong passwords, the ZXR10 ZSR V2supports configuring the condition of enabling monitoring. For example, monitoringwill be enabled only when the number of input failure times reaches 20 in oneminute. By default, monitoring will be enabled only when the number of input failuretimes reaches 50 in one minute. Failure counting does not distinguish between IPaddresses.

l In monitoring period, the total failure times is counted (IP addresses are notdistinguished). If the number of times exceeds the limit, the ZXR10 ZSR V2 entersquiet mode.

In any state, when community string attempts fail, logs and self-defined Trap messagesare generated by default. A Trap message that is sent includes the followinginformation: error community string information, source IP, and current state of SNMP(normal/monitoring/quiet). When a device state is switched, a system log and Trap alarmare automatically generated. This function can be disabled by running a command.

SNMP security state switching is shown in Figure 6-2.

Figure 6-2 State Switching Diagram

6.2.2 Configuring SNMP Anti–Brute Force AttackThis procedure describes how to configure the SNMP anti-brute force attack function.

6-11



Steps1. Activate the SNMP security function.

Command Function

ZXR10(config)#snmp-server security block <

block-seconds><detect-tries>< detect-seconds>[when<tries><startup-seconds>]

The SNMP security protection function

is disabled by default. This command

is used to activate this function.

block <block-seconds>: block time (length of the quiet period), unit: second, range:1–65535.

< detect-tries>: maximum number of times of failed attempts in monitoringmode, range:1–65535.

< detect-seconds>: maximum detection time in monitoring mode, unit: second, range:1–65535.

<tries>: maximum number of times of failed attempts in normal mode, range: 1–65535,default: 50.

<startup-seconds>: maximum detection time in normal mode, unit: second, range:1–65535, default: 60.

2. Configure the ACL for controlling hosts that access the system through SNMP.

Command Function

ZXR10(config)#snmp-server access-list { ipv4|

ipv6}<acl-name>

Uses a configured ACL to control

hosts that access the system through

SNMP.

3. Configure the ageing time of dynamic trusted users and configure static trusted users.


1 ZXR10(config)#snmp-server security

dynamic-trust-user idle-timeout <timeout-seconds>

Configures the ageing time of

dynamic trusted users. Range:

1–65535, default: 1800 s.

2 ZXR10(config)#snmp-server security

static-trust-user <static-ip-addr>

Configures static trusted users that

are configured manually.

4. Configure the generation of logs and Trap messages when community string attemptsfail or a state is switched.

Command Function

ZXR10(config)#snmp-server security on-failure log [and

Trap]

Configures the generation of logs

and Trap messages when community

string attempts fail or a state is

switched.

6-12




Command Function

ZXR10#show snmp security [failures | trust-users] Displays SNMP security function

parameters. This command displays

the SNMP security state, configuration

information, current state information and

statistics information in natural language

format.

ZXR10#show running-config snmp [|{begin | exclude |

include}<line>]

Displays SNMP configurations.

failures: optional. If this parameter is selected, the command is used to displaydetailed information on failed attempts.

trust-users: optional. If this parameter is selected, the command is used to displaydetailed information on trusted users, including dynamically learned and manuallyconfigured users.

begin: is used to display the configurations that begin with the input string line.

include: is used to display the configurations that include the string line.

exclude: is used to display the configurations that exclude the string line.

<line>: is used to match the filtered string line.

6. Maintain the SNMP anti–brute force attack function.

Command Function

ZXR10(config)#snmp-server security

dynamic-trust-user clear <dyn-ip-addr>

Clears dynamic trusted users manually.


6.2.3 SNMP Anti–Brute Force Attack Configuration ExampleIt is required to configure the SNMP anti–brute force attack function on the ZXR10 ZSRV2, see Figure 6-3.

Figure 6-3 SNMP Anti–Brute Force Attack Configuration Example

6-13



Configuration Flow1. Enable the SNMP anti–brute force attack function.2. Configure the ageing time for dynamic trusted users.3. Configure static trusted users that are allowed to access the system.4. Configure a Trap message and log that is generated when user attempts fail and a

state is switched.

Configuration CommandRun the following commands on the ZXR10 ZSR V2:

R1(config)#snmp-server security block 180 3 180 when 50 60

R1(config)#snmp-server security dynamic-trust-user idle-timeout 100

R1(config)#snmp-server security static-trust-user 169.1.110.6

R1(config)#snmp-server security on-failure log and Trap

Configuration VerificationRun the following command to check SNMP configurations. The execution result isdisplayed as follows.

R1(config)#show running-config snmp

!<oam_snmp>

snmp-server security block 180 3 180 when 50 60


snmp-server security on-failure log and Trap

snmp-server security static-trust-user 169.1.110.6

!</oam_snmp>

6-14


Chapter 7Alarm ManagementConfigurationTable of Contents

Alarm Overview..........................................................................................................7-1Configuring the Alarm Function ..................................................................................7-2Alarm Function Configuration Example.......................................................................7-7

7.1 Alarm OverviewAlarmmodule residents its alarm agent process in each line card and alarm server processin main control board. Once hardware or program runs improperly, the service applicationswill report the alarm to its alarm agent. Later, alarm agents report the alarm messages toalarm server. Alarm server records alarm messages for back-end querying. The maincontrol board also has alarm agent to process the alarm events occurred in itself.

According to the configuration, alarm server reports the alarm messages selectively to logmdoule, terminal, SNMP and SYSLOG.

The messages processed by alarm module include ordinary alarm and notification.

l Ordinary alarm is recoverable. The alarm which has been reported but not recoveredalready is called current alarm. The alarm which has been reported and recoveredalready is called history alarm

l Notification is only to notify the happening of some event, so there is no current andhistory notifications.

On ZXR10 ZSR V2, you can configure the following alarms:

l CPU, memory, and storage device alarms

The basic principles of CPU, memory and storage device alarms are the same. If thecurrent usage exceeds the configured alarm threshold, the alarms are reported. If thecurrent usage is lower than the configured alarm threshold, the alarms are cleared.Moreover, the reported alarm level can be changed or updated with the increase of theusage by configuring the higher-level middle threshold and high threshold besidesthe default low threshold.

l Temperature alarm

There are different temperature measuring components on each board of the device.Each temperature measuring component has different temperature resistancecharacteristics, so the alarm threshold at each temperature measuring point is

7-1



different. The device compares the temperature information obtained at specifiedtime with the corresponding alarm threshold. If the temperature exceeds thethreshold, the alarm is reported. If the temperature is lower than the threshold, thealarm at the corresponding level is cleared.

l Power Voltage Alarm

If the voltage range not in the normal working voltage range, the power voltage alarmis reported.

7.2 Configuring the Alarm FunctionThis procedure describes how to configure the alarm function.

Steps1. Configure the basic alarm function.


1 ZXR10(config)#logging on Enables the alarm recording function,

so that alarms can be reported to log,

control terminal, SNMP, and SYSLOG.

2 ZXR10(config)#logging buffer < buffer-size> Sets the size of the alarm log buffer.

Unit: KB, range: 100–1000, default:

200.

3 ZXR10(config)#logging timestamps [datetime

localtime | precisetime | uptime]

Sets the display mode of alarm time.

Default: datetime localtime.

4 ZXR10(config)#logging level <level> Configures the level to save alarms

into logs. Alarms whose levels are

higher than this level are recorded in

logs.

Default: INFORMATIONAL (level 7).

5 ZXR10(config)#logging console <level> Configures the level to display alarms

on a console or Telnet terminal.

Alarms whose levels are higher than

this level are displayed on a console

or Telnet terminal.

Default: NOTIFICATIONS (level 6).

6 ZXR10(config)#logging Trap-enable <level> Configures the level to report alarms

to SNMP in Trap mode. Alarms whose

levels are higher than this level are

reported to SNMP in Trap mode. By

default, alarms are not reported.

7-2


Chapter 7 Alarm Management Configuration


7 ZXR10(config)#logging alarmlog-interval <

minute>

Sets the time interval for writing alarm

records from the buffer to files. Unit:

minute, range: 10–30000, default: 10.

8 ZXR10(config)#logging cmdlog-interval <

second>

Sets the time interval for writing

command logs from the buffer to log

files. Unit: second, range: 2–30000,

default: 2.

9 ZXR10(config)#logging ftp <level>[ vrf<vrf-name>]<ip-address><username><password

>[<filename>]

Configures the level of reporting

alarms to the File Transfer Protocol

(FTP) server, IP address of the FTP

server, username, password, and file

name. By default, alarms are not

reported.

10 ZXR10(config)#logging filesavetime

{interval <time1>| everyday <time2>|

week <weekday><time3>| month<mothday><time4>}[vrf <vrf-name>]<ftp-server><username><password>[<filename>]

Configures the time when alarms

written in files are sent to the FTP

server, IP address, username, and

password of the FTP server, and file

name prefix. By default, alarms are

not reported.

11 ZXR10(config)#logging mode {fullclear |

fullcycle | fullend}

Sets the mode for clearing buffer data

after the alarm buffer is full. Default:

fullcycle.

12 ZXR10(config)#alarm heartbeat-send <type> Sends an alarm heartbeat keep-alive

packet to the configured destination

immediately.

13 ZXR10(config)#alarm heartbeat-period <

minute>< type>

Configures the interval of sending

alarm heartbeat packets. Unit: minute,

range: 0–30000, default: 0 (no

heartbeat packet is sent).

14 ZXR10(config)#alarm level-change

<alarm-code><level>

Modifies the corresponding alarm

level of the alarm code. Each alarm

code has a default level. Range:

1–4294967294.

<level>: the lowest alarm level, range: DEBUGGING (level 8), INFORMATIONAL(level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4),CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1).

<time1>: interval of reporting to FTP, range: 1:00:00–23:59:59.

<time2>: daily time for reporting to FTP, range: 00:00:00–23:59:59.

7-3



<weekday>: day in each week for reporting to FTP, range: Monday, Tuesday, Thursday,Wednesday, Friday, Saturday, and Sunday.

<time3>: time in the day of each week for reporting to FTP, range: 00:00:00–23:59:59.

<mothday>: date in each month for reporting to FTP, range: 1–31.

<time4>: time in the date of each month for reporting to FTP, range:00:00:00–23:59:59.

<filename>: prefix of the filename saved on the FTP server, range: 1–31 characters.

2. Configure CPU, memory, and storage device alarm thresholds.


1 ZXR10(config)#logging on Enables the alarm recording function,

so that the alarms of different

levels can be reported to different

destinations.

After the command is run, alarms

are generated for CPU usage,

memory usage, storage medium

usage, and voltage value according

to corresponding values. The voltage

module reports alarms according to

the voltage value range.

ZXR10(config)#cpuload-threshold

<percent>[level{low | middle | high}]

Configures the CPU load alarm

threshold. Unit: %, range: 50–100,

default: 95.

Alarm levels corresponding to CPU

load alarm thresholds: low, middleand high. Default: low.

2

ZXR10(config)#check cpu interval <interval> Configures the time interval for CPU

usage alarm checking. Unit: 10 s,

range: 1–20.

ZXR10(config)#memory-threshold

<percent>[level {low | middle | high}]

Configures the memory usage alarm

threshold. Unit: %, range: 1–100,

default: 60.

Alarm levels corresponding to memory

usage alarm threshold values: low,middle, and high. Default: low.

3

ZXR10(config)#check memory interval

<interval>

Configures the interval for memory

usage alarm checking.

7-4




4 ZXR10(config)#storage-threshold

<percent>[level {low | middle | high}]

Configures the storage medium usage

alarm threshold. Unit: %, range:

50–100, default: 90.

Alarm levels corresponding to storage

medium alarm threshold values: low,middle, and high. Default: low.

5 ZXR10(config)#cpualarm {granularity-10s |

granularity-20s | granularity-30s | granularity-40s

| granularity-50s | granularity-60s}

Configures the CPU usage alarm

granularity. Default: granularity-10s.


Command Function

ZXR10#show logging alarm [[level <alarmlevel>][start-time <date><time>][end-time <date><time>][typeid<type>]]

Displays the specified alarms in the

alarm log buffer. Filtering conditions:

level, start-time, end-time, and typeid.

ZXR10#show logfile [[username <string>][start-time< date>< time>][end-time < date>< time>][vtyno <

number>][ip-adress < ip-address>]]

Displays the specified history

configuration commands in the

command log buffer. Filtering

conditions: start-time, end-time,

ipaddress, user, and vtyno.

ZXR10#show logging configuration Displays the current configurations of

the alarm module.

ZXR10#show running-config alarm [all ||{begin | exclude |

include}<line>]

Displays alarm configurations.

level <level>: alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7),NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level3), ALERTS (level 2), and EMERGENCIES (level 1).

start-time <date><time>: alarm start time, format of <date>: mm-dd-yyyy, range of<date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>:00:00:00 to 23:59:59.

end-time <date><time>: alarm end time, format of <date>: mm-dd-yyyy, range of<date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>:00:00:00 to 23:59:59.

typeid <type>: alarm type, range: ACL, BFD, BGP, LDP, and so on (more than 60types).

username <username>: login username, string type, range: 1–32 characters.

7-5



start-time <date><time>: command running start time, format of <date>: mm-dd-yyyy,range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of<time>: 00:00:00 to 23:59:59.

end-time <date><time>: command running end time, format of <date>: mm-dd-yyyy,range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of<time>: 00:00:00 to 23:59:59.

vtyno <number>: user terminal number, range: 0–15.

{begin | exclude | include}<line>: regular expression. begin is used to displayconfigurations beginning with the input string line. include is used to displayconfigurations that include the string line. exclude is used to display configurationsthat do not include the string line. <line> is used to match the string line.

4. Verify the configurations

Command Function

ZXR10#show cpuload-threshold Displays the CPU usage threshold.

ZXR10#show check cpu interval Displays the time interval of CPU


ZXR10#show memory-threshold Displays the memory usage alarm

threshold.

ZXR10#show check memory interval Displays the time interval of memory


ZXR10#show storage-threshold Displays the storage medium usage

alarm threshold.

ZXR10#show cpualarm Displays the granularity of CPU usage

alarms.

5. View information on shelf management temperature alarms and power supply voltagealarms.

You cannot configure thresholds for temperature alarms and power voltage alarms.Only querying temperature alarms and power voltage alarms by running commandsis supported. On the ZXR10 ZSR V2, run the following commands to view shelfmanagement temperature alarms and power voltage alarms.

Command Function

ZXR10#show temperature detail [<shelf>][<slot>] Displays temperature at the

temperature measuring point of

each board.

ZXR10#show logging alarm type-id temperature Displays the temperature alarms.

ZXR10#show power [<shelf>][<slot>] Displays power information.

7-6



Command Function

ZXR10#show logging alarm type-id power Displays power alarms.


7.3 Alarm Function Configuration ExampleConfiguration DescriptionAs shown in Figure 7-1, a PC is connected to R1. Users can view alarm information onR1.

Figure 7-1 Alarm Function Configuration Example

Configuration Flow1. Enable the alarm function.2. Configure alarm levels, levels of alarms printed on a terminal, alarm buffer, alarm

clearing mode when the buffer is full, interval for writing logs, time display mode, andaddress of the server to which alarms are sent.

3. Configure alarm Trap, Trap type and address of the server to which Trap messagesare sent.

Configuration CommandsRun the following commands on R1:

R1(config)#logging on

R1(config)#logging level warnings

R1(config)#logging console warnings

R1(config)#logging buffer 200

R1(config)#logging mode fullcycle

R1(config)#logging cmdlog-interval 2880

R1(config)#logging ftp warnings 192.168.154.253 zte zte ztelog

R1(config)#logging timestamps datetime localtime

R1(config)#logging Trap-enable notifications

R1(config)#snmp-server enable Trap

R1(config)#snmp-server version v2c enable

R1(config)#snmp-server host 192.168.154.253 Trap version 2c zte

7-7



Configuration VerificationRun the following commands to check alarm configurations. The execution results aredisplayed as follows:

R1(config)#show logging configuration

logging on

logging level warnings

logging console warnings

logging Trap-enable notifications

logging buffer 200

logging mode fullcycle

logging alarmlog-interval 10

logging cmdlog-interval 2880

logging timestamps datetime localtime

syslog level notifications

syslog-server facility local0

logging ftp warnings 192.168.154.253 zte zte ztelog

alarm heartbeat-period 0 snmp

alarm heartbeat-period 0 syslog

alarm heartbeat-period 0 ftp

alarm heartbeat-period 0 console

alarm heartbeat-period 0 all

logging nat buffer 1000

logging nat password encrypted

5f942ecb8d1bf9ff5104c77b19c73cb9c14f151612fef1ac1ca09c19fb98ab8d

logging nat file-size 50 file-num 300

logging nat encrypt off

logging nat description-type basemac

logging nat zip on

logging nat terminal local

R1(config)#show snmp config

snmp-server enable Trap snmp

snmp-server enable Trap bgp

snmp-server enable Trap mac

snmp-server enable Trap ospf

snmp-server enable Trap stp

snmp-server enable Trap ppp

snmp-server enable Trap arp

snmp-server enable Trap rmon

snmp-server enable Trap udld

snmp-server enable Trap cfm

snmp-server enable Trap efm

snmp-server enable Trap lacp

7-8



snmp-server enable Trap mc-elam

snmp-server enable Trap tcp

snmp-server enable Trap sctp

snmp-server enable Trap stalarm

snmp-server enable Trap cps

snmp-server enable Trap interface

snmp-server enable Trap acl

snmp-server enable Trap fib

snmp-server enable Trap pim

snmp-server enable Trap isis

snmp-server enable Trap rip

snmp-server enable Trap msdp

snmp-server enable Trap aps

snmp-server enable Trap config

snmp-server enable Trap am

snmp-server enable Trap um

snmp-server enable Trap system

snmp-server enable Trap ldp

snmp-server enable Trap pwe3

snmp-server enable Trap vpn

snmp-server enable Trap mpls-oam

snmp-server enable Trap ptp

snmp-server enable Trap tunnel-te

snmp-server enable Trap radius

snmp-server enable Trap dhcp

snmp-server enable Trap bfd

snmp-server enable Trap ippool

snmp-server enable Trap ntp

snmp-server enable Trap ssm

snmp-server enable Trap sqa

snmp-server enable Trap ipsec

snmp-server enable Trap cgn

snmp-server enable Trap vrrp

snmp-server enable Trap ftp_tftp

snmp-server enable Trap ping-trace

snmp-server enable Trap gm

snmp-server engine-id is 830900020300010289d64401

snmp-server host 192.168.154.253 Trap version 2c zte udp-port 162 snmp bgp

mac ospf stp ppp arp rmon udld cfm efm lacp mc-elam tcp sctp stalarm cps

interface acl fib pim isis rip msdp aps config am um system ldp pwe3 vpn

mpls-oam ptp tunnel-te radius dhcp bfd ippool ntp ssm sqa ipsec cgn vrrp

ftp_tftp ping-trace gm

snmp-server packetsize is 8192

snmp-server view AllView internet included

snmp-server view DefaultView system included

7-9




snmp-server version v2c enable

snmp-server input-limit 200

R1(config)#show logging alarm

An alarm 100401 ID 100 level 5 cleared at 06:37:35 03-10-2000 sent

by R1 MPFU-8/0

%CPS% The upsend packet flow of control plane reached quota limit!

Interface = gei-8/5, flowtype = multi-hop-access, current value = 0,

quota value = 100

An alarm 100401 ID 100 level 5 occurred at 06:36:55 03-10-2000

sent by R1 MPFU-8/0

%CPS% The upsend packet flow of control plane reached quota limit!

Interface = gei-8/5, flowtype = multi-hop-access,

current value = 12867, quota value = 100


by R1 MPFU-8/0 %LACP% LACP interface active status The interface

(index = 66, name = gei-8/6) turns into ACTIVE

An alarm 150101 ID 96 level 5 cleared at 06:36:44 03-10-2000

sent by R1 MPFU-8/0

%IP% Interface status The interface(index=75,name='smartgroup1')

turned into protocol UP

An alarm 50901 ID 99 level 5 occurred at 06:36:26 03-10-2000

sent by R1 MPFU-8/0

%LACP% LACP interface active status

The interface (index = 66, name = gei-8/6) turns into INACTIVE


by R1 MPFU-8/0

%BOARD% Slot offline The slot = 4 is online

--More--

The terminal monitor command displays real-time alarms. The show logging alarmcommand displays buffered alarms.

7-10


Chapter 8SYSLOG ConfigurationTable of ContentsSysLog Overview .......................................................................................................8-1Configuring Syslog .....................................................................................................8-1Syslog Configuration Example....................................................................................8-2

8.1 SysLog OverviewSysLog is a kind of log formats, which is used to record the character text to be printed.SysLog is originated from UNIX operating system, and it is used to record system log.

The format of log consists of the following three parts:

l PRI: It is composed by angle brackets and numbers. The numbers represent moduleids and severity. The range of module id is 0–23. The range of severity is 1–8. 1 isthe heaviest, and 8 is the lightest.

l HEADER: It is composed by time and host name.l MSG: It is the detailed content.

SysLog sends data packets to SysLog server by using UDP. The default port is 514 andthe size of UDP packet is less than 1024 bytes.

System decides whether reports the alarm message to SysLog sever according to thealarm level after SysLog function is enabled.

8.2 Configuring SyslogThis procedure describes how to configure the Syslog function.

Steps1. Configure the Syslog function.


1 ZXR10(config)#syslog level <level> Sets the level in global

configuration mode for

reporting alarms to the Syslog

server.

Alarms whose levels are

higher than or equal to the

set level are reported to the

Syslog server.

8-1




2 ZXR10(config)#syslog-server facility <facility> Configures the reporting

source of Syslog messages.

Range: ftp, ntp, user, and so

on, default: local0.

3 ZXR10(config)#syslog-server source {ipv4|ipv6}<sour

ce-ip>

Configures the source

address of reporting Syslog

messages. Type: IPv4 or

IPv6.

4 ZXR10(config)#syslog-server host [vrf <vrf-name>]<server-ip>[fport <fport>][lport <lport>][alarmlog][cmdlog][debugmsg][servicelog][braslog][natlog]

Configures Syslog parameters

including the IP address and

port number of the Syslog

server, the port number of the

client, and the type of sent

logs.

<level>: the lowest alarm level, ranges: DEBUGGING (level 8), INFORMATIONAL(level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4),CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1), default:NOTIFICATIONS.

<server-ip>: IP address of the Syslog server, type: IPv4 or IPv6.

<fport>: remote port number, range: 1–65535, default: 514.

<lport>: local port number, range: 514, 1024–65535, default: 514.

[alarmlog][cmdlog][debugmsg][servicelog][braslog][natlog]: type of logs reported to theSyslog server.


Command Function

ZXR10#show logging configuration Displays all Syslog configurations.

ZXR10#show running-config alarm [all ||{begin |

exclude | include}<line>]

Displays all Syslog configurations by using

a regular expression.


8.3 Syslog Configuration ExampleConfiguration DescriptionThe function of Syslog is sending alarms to the Syslog server in the specified format. Afterthe Syslog function is configured on the ZXR10 ZSR V2, alarms will be sent to the Syslogserver, see Figure 8-1.

8-2


Chapter 8 SYSLOG Configuration

Figure 8-1 Syslog Configuration Example Topology

Configuration Flow1. Connect the Syslog server to the ZXR10 ZSR V2.2. Configure the interface on the Syslog server and the interface on the ZXR10 ZSR V2,

which are directly connected in the same network segment.3. Configure the Syslog server alarm level.4. Configure the Syslog type.5. Specify the address of the Syslog server.


R1(config)#interface gei-2/1

R1(config-if-gei-2/1)#no shutdown

R1(config-if-gei-2/1)#ip address 1.1.1.2 255.255.255.0

R1(config-if-gei-2/1)#exit

R1(config)#syslog level warnings

/*Configures the alarm level of Syslog as WARNINGS*/

R1(config)#syslog-server facility syslog

/*Configures the type of Syslog as syslog*/

R1(config)#syslog-server host 1.1.1.1

/*Configure an IP address of the Syslog server*/

Configuration VerificationRun the show command to check the configurations. The execution result is displayed asfollows:

R1(config)#show running-config alarm

!<ALARM>

syslog level warnings

syslog-server facility syslog

syslog-server host 1.1.1.1 alarmlog cmdlog debugmsg servicelog

braslog natlog

!</ALARM>

8-3




8-4


Chapter 9RMON ConfigurationTable of ContentsRMON Overview ........................................................................................................9-1Configuring RMON.....................................................................................................9-1RMON Configuration Example ...................................................................................9-3

9.1 RMON OverviewAs an important enhanced function of SNMP, Remote Network Monitoring (RMON) canmonitor overall subnet traffic information on the Ethernet and token ring network.

The RMON module provides the following functions:

l Configured with the statistics function, it monitors the basic traffic of the specifiedsubnet.

The traffic information refers to traffic data regularly obtained by RMON.

l Configured with the history function, it records traffic information on the specifiedsubnet during the specified interval.

A short sampling interval can be configured to view a sudden traffic change on asubnet. A long interval can be configured to view long-term traffic status of a subnet.

l Configured with the event function, it handles alarm messages by recording themor/and sending Trap messages, so that network administrators can know systemconditions in time.

l Configured with the alarm function and the corresponding event function, it shows thechanges of specified variables such as sysUPTime.0, which is a MIB variable.

If an alarm item is configured, not less than 500 CRC errors (that is, the threshold is500) that appear in 5 min trigger an alarm. In this case, if the corresponding event isconfigured as sending a Trap message, a Trap message is sent to the Trap server.To send Trap messages successfully, you also need to correctly set the IP addressof the Trap server and a community string for SNMP and to enable the SNMP Trapsending function.

9.2 Configuring RMONThis chapter describes how to configure the RMON function.

Steps1. Configure an event that triggers the RMON alarm.

9-1




1 ZXR10(config)#rmon Enters RMON mode from

configuration mode.

2 ZXR10(config-rmon)#rmon event <index-nu

mber>[{[log],[Trap <snmp-name>],[description<event-description>],[owner <event-owner>]}]

Configures an event to log alarms

or/and send Trap messages.

3 ZXR10(config-rmon)#rmon alarm <index-number

><mib-subtree-id><monitor-seconds>{delta | absolute}

rising-threshold <rising-thershold-limit>[<outlimit-in

dex-number>] falling-threshold <limit-falling-thersho

ld>[<outlimit-index-number>][owner <alarm-owner>]

Sets aMIB object and alarm events

that are triggered for exceeding

upper and lower thresholds.

Range: upper threshold alarm,

lower threshold alarm, upper or

lower threshold alarm.

<index-number>: index number, range: 1–65535.

log: identification of recording logs.

<snmp-name>: community string used for sending Trap messages, range: 1–32characters.

<event-description>: simple description of this event, range: 1–127 characters, default:zte.

<event-owner>: creator of this event, range: 1–31 characters, default: config.

<mib-subtree-id>: MIB variable to be monitored, range: 1–64 characters. It must be aMIB variable that can be converted into an integer.

<monitor-seconds>: time of monitoring the above MIB variable, unit: second, range:10–2147483.

delta: comparing the delta with the threshold.

absolute: comparing the selected variable value with the threshold.

rising-threshold: rising threshold.

<rising-thershold-limit>: rising threshold of sample statistics, range:-2147483648–2147483647.

<outlimit-index-number>: number of the event triggered for exceeding the rising limit,range: 1–65535.

falling-threshold: falling threshold.

<limit-falling-thershold>: falling threshold of sample statistics, range:-2147483648–2147483647.

<outlimit-index-number>: number of the event triggered for exceeding the falling limit,range: 1–65535.

<alarm-owner>: creator of this alarm, range: 1–312 characters, default: config.

2. Configure RMON statistics or history.

9-2


Chapter 9 RMON Configuration


1 ZXR10(config)#rmon Enters RMON mode from

configuration mode.

2 ZXR10(config-rmon)#interface <interface-name> Enters RMON interface mode from

RMON mode.

ZXR10(config-rmon-interface)#rmon collection

statistics <index-number>[owner <statistics-owner>]Enables the interface statistics

function (only applicable to

Ethernet interfaces).

3

ZXR10(config-rmon-interface)#rmon

collection history <index-number>[buckets<bucket-number>][interval <interval-seconds>][owner<history-owner>]

Enables the interface history

collection function (only applicable

to Ethernet interfaces).

<interface-name>: interface name, only supporting an Ethernet interface.

<index-number>: index number, range: 1–65535.

<statistics-owner>: the creator of the statistics, range: 1–31 characters, default:monitor.

<bucket-number>: the size of the requested loop bucket, default: 50, range: 1–100.

<event-owner>: the creator of the event, range: 1–31 characters, default: config.

<interval-seconds>: sampling interval, unit: second, range: 10–3600, default: 1800. Itis recommended to use 30 s and 1800 s to collect short-term and long-term networktraffic changes respectively.

<history-owner>: the creator of this line of history, range: 1–31 characters, default:monitor.


Command Function

ZXR10(config)#show rmon [[events],[history],[alarms],[s

tatistics]]

Displays RMON configurations and

version information.

ZXR10(config)#show running-config rmon [all ||{begin

| exclude | include}<line>]

Displays RMON configurations.


9.3 RMON Configuration ExampleConfiguration DescriptionAs shown in Figure 9-1, it is required to enable the RMON function, monitor the traffic ofthe gei-3/2 interface on the ZXR10 2800-4, and provide the following functions:

9-3



l Collecting real-time and history statistics on traffic and the numbers of various typesof packets.

l Monitoring the number of bytes of outgoing traffic, and recording a log if the traffic perminute exceeds the set value.

l Monitoring the number of incoming broadcast and multicast packets, and activelysending an alarm to the NMS if the number of received broadcast and multicastpackets exceeds the set value.

Figure 9-1 RMON Configuration Example

Configuration Flow1. Enable SNMP to allow sending Trap packets, and set the destination IP address and

community name.2. Configure the ROMN statistics table.3. Configure the ROMN history table.4. Configure the ROMN event table.5. Configure the ROMN alarm table.

Configuration CommandsRun the following commands on the ZXR10:

ZXR10(config)#snmp-server version v2c enable

ZXR10(config)#snmp-server enable Trap RMON

ZXR10(config)#snmp-server host 1.0.0.1 Trap version 2c zte rmon

/* Configures SNMP. */

ZXR10(config)#rmon

ZXR10(config-rmon)#interface gei-3/2

ZXR10(config-rmon-if)#rmon collection statistics 1 owner zte

/* Configures the RMON statistics table. */

ZXR10(config-rmon-if)#rmon collection history 1 buckets 10 interval 60 owner zte

/* Configures the ROMN history table with the 60 s sampling period. */

ZXR10(config-rmon-if)#exit

ZXR10(config-rmon)#rmon event 1 description outboundocts log owner zte

ZXR10(config-rmon)#rmon event 2 description inboundnonuni Trap zte owner zte

/* Configures the ROMN event table. Event 1 records logs. Event 2 sends Trap messages.*/

ZXR10(config-rmon)#rmon alarm 1 1.3.6.1.2.1.2.2.1.16.12 60 absolute

rising-threshold 10000000 1 falling-threshold 2000000 1 owner zte

ZXR10(config-rmon)#rmon alarm 2 1.3.6.1.2.1.2.2.1.12.12 60 absolute

9-4



rising-threshold 500 2 falling-threshold 100 2 owner zte

/* Configures the ROMN alarm table. Alarm 1 monitors the number of bytes sent by

the gei-3/2 interface.

Triggers event 1, if the threshold is exceeded. Alarm 2 monitors the total number of

multicast and broadcast packets. Triggers event 2, if the threshold is exceeded.

In this example, 1.3.6.1.2.1.2.2.1.16 is the OID of the ifOutOctets node,

1.3.6.1.2.1.2.2.1.12 is the OID of the ifInNUcastPkts node, and 12 is the index of

the gei-3/2. */

Configuration VerificationRun the following command to view RMON configurations. The execution result isdisplayed as follows:

ZXR10#show running-config rmon

rmon

rmon alarm 1 1.3.6.1.2.1.2.2.1.16.12 60 absolute rising-threshold

10000000 1 falling-threshold 2000000 1 owner zte

rmon alarm 2 1.3.6.1.2.1.2.2.1.12.12 60 absolute rising-threshold

500 2 falling-threshold 100 2 owner zte

rmon event 1 log description outboundocts owner zte

rmon event 2 Trap zte description inboundnonuni owner zte

interface gei-3/2

rmon collection history 1 buckets 10 interval 60 owner zte

rmon collection statistics 1 owner zte

$

$

!</rmon>

Run the following command to view information on the RMON statistics table. Theexecution result is displayed as follows:

ZXR10#show rmon statistics

etherStatsEntry 1 is valid, and owned by monitor

Monitors ifEntry.1.12 (gei-3/2) which has

Received 2661384683 octets, 11170112 packets,

4226009 broadcast and 1032634 multicast packets,

0 undersized and 0 oversized packets,

0 fragments and 0 jabbers,

0 CRC alignment errors and 0 collisions,

0 dropped packets (due to lack of resources).

Packets received (in octets):

64:3528697, 65-127:2610624, 128-255:432346,

256-511:268806, 512-1023:193397, 1024-1518:4136242

Run the following command to view information on the RMON history table. The executionresult is displayed as follows:

ZXR10#show rmon history

9-5



historyControlEntry 1 is valid, and owned by zte

Monitors ifEntry.1.12 (gei-3/2) every 60 seconds

Requested buckets is 10

Granted buckets is 10

Sample #1 began measuring at 0w4d,03:55:43







Network utilization is estimated at 2

























Run the following command to view information on the RMON event table. The executionresult is displayed as follows:

ZXR10#show rmon events

Event 1 is valid, and owned by zte

Description is outboundocts

Event firing causes log , last fired 0w4d,03:56:54

Current log entries:

Index Time Description

9-6



1 0w4d,03:56:54 outboundocts

Event 2 is valid, and owned by zte

Description is inboundnonuni

Event firing causes trap to community/user zte, last fired 0w4d,03:57:12

Current log entries:

Index Time Description

Run the following command to view information on the RMON alarm table. The executionresult is displayed as follows:

ZXR10#show rmon alarms

Alarm 1 is valid, and owned by zte

Monitors ifEntry.16.12, every 60 second(s)

Taking absolute samples, last value was 13414607

Rising-threshold is 10000000, assigned to event 1

Falling-threshold is 2000000, assigned to event 1

On startup enable rising or falling alarm

Alarm 2 is valid, and owned by zte

Monitors ifEntry.12.12, every 60 second(s)

Taking absolute samples, last value was 5580876

Rising-threshold is 500, assigned to event 2

Falling-threshold is 100, assigned to event 2

On startup enable rising or falling alarm

9-7




9-8


Chapter 10Clock and ClockSynchronizationTable of Contents

NTP Configuration....................................................................................................10-1Physical POS Interface Clock Configuratio ...............................................................10-6

10.1 NTP Configuration

10.1.1 NTP Overview

NTP IntroductionIn network application, the clocks of network members need to be synchronized. There isnormally one or more minute discrepancy of clocks between systems. For a large-scalenetwork, system administrator can not modify the system clocks manually one by one.

Network Time Protocol (NTP) is a time synchronization protocol applied to different networkmembers. The NTP devices synchronize their clock by exchanging NTP packets, thus tokeep their clocks consistent.

NTP ClientFigure 10-1 shows the main principle of NTP client.

Figure 10-1 NTP Client Work Flow

1. The client sends NTP time request packets to the configured clock server regularlyand waits responses.

2. After receiving NTP response packet, NTP client inspects the packet, extracts thecorresponding time, calculates the time offset and configures the local clock.

10-1



NTP SeverAfter a device is configured to be NTP server, it will monitor the NTP time request packetscoming from the client at No.123 UDP port, add its time information to NTP time responsepacket and send the packet to the client.

ZXR10 ZSR V2 can act as NTP server and client and the same time. That is to say, it canreceive time request packets coming from other servers and send its own time informationto other clients, see Figure 10-2.

Figure 10-2 NTP Server and Client

10.1.2 Configuring NTPThis procedure describes how to configure the NTP server and NTP client functions onthe ZXR10 ZSR V2.

Steps1. Configure the NTP Server function.


1 ZXR10(config)#ntp enable Enables the NTP function.

2 ZXR10(config)#ntp master <stratum> Configures the NTP server

level, range: 1–15. The

smaller the value, the

more reliable the NTP time

published by the server.

2. Configure the NTP Client function.


1 ZXR10(config)#ntp enable Enables the NTP function.

2 ZXR10(config)#ntp server [{vrf <vrf-name>|mng]<ip-address> priority <lever>[version<number>]|[key <key-number>]|[lock | unlock ]

Defines a time server on the

client. The IP address and

priority are required. Other

parameters are optional.

10-2


Chapter 10 Clock and Clock Synchronization


3 ZXR10(config)#ntp source ipv4 <ip-address> Configures the source IP

address of packets sent by

NTP on the client.

The source IP address, which

is in dotted decimal format, is

available for the client only.

4 ZXR10(config)#ntp poll-interval <interval> Configures the time interval

of requesting packets sent by

NTP.

Range: 4–14 (2n). For

example, if 4 is configured,

the time interval is 16 seconds.

<ip-address> and priority <1–5> are required. Other parameters are optional.

version <number>: NTP version number, range: 1–4, default: 3 (in IPv4).

key <key-number>: effective key, range: 1–4294967295.

priority<level>: priority value, range: 1–5. The priority of each server is different.

[ lock | unlock ]: whether the server is locked, default: unlock.

3. Configure the NTP authentication function.


1 ZXR10(config)#ntp authenticate Enables the NTP

authentication function. Only

when the key specified by the

NTP server is successfully

configured, can the NTP

authentication function be

effective.

2 ZXR10(config)#ntp authentication-key <key-number>

md5 {clear <clear-word>|encrypted <encrypted-word>}

Sets the NTP authentication

key and the corresponding

verification code.

3 ZXR10(config)#ntp trusted-key <key-number> Configures the trusted

key number for NTP

authentication.

<key-number>: encrypted key number, range: 1–4294967295.

<clear-word>: MD5 clear text authentication code, range: 1–16 characters.

<encrypted-word>: MD5 cipher text authentication code, range: 1–24 characters.

10-3



The NTP authentication function consists of two parts: server and client. Whenconfiguring this function, comply with the following rules:

l If the NTP authentication function is enabled, an NTP MD5 key should beconfigured, and the key should be set to a trusted key. Otherwise, the NTPauthentication function cannot be enabled.

l If the NTP authentication function is not enabled on the client and otherconfigurations are correct, the client can be synchronized with the server(whether the NTP authentication function is enabled on the server or not). Ifthe NTP authentication function is enabled on the client, the client can only besynchronized with a server that provides a trusted key.

l Configurations on the server and those on the client should be consistent.


Command Function

ZXR10#show running-config ntp Displays NTP configurations.

ZXR10#show ntp status Displays NTP status attributes.

ZXR10#show clock Displays the system clock.


10.1.3 NTP Configuration Examples

10.1.3.1 NTP working as a Client

Configuration DescriptionNTP is used to synchronize the clocks of different network members. As shown in Figure10-3, the NTP client can synchronize the clock with the NTP server.

Figure 10-3 NTP Working as a Client

Configuration Flow1. Connect the NTP server to the router.2. Enable NTP.3. Configure the address of the NTP server.

10-4



Configuration CommandConfiguration on R1:

R1(config)#ntp enable

R1(config)#ntp server 192.168.5.93 priority 1

Configuration VerificationAfter the configuration, use the show command to check the configuration.

R1#show running-config ntp

! <ntp>

ntp server 192.168.5.93 priority 1

ntp enable

! </ntp>

10.1.3.2 NTP Working as a Server

Configuration DescriptionThe function of NTP is to synchronize clocks of different network members. As shown inFigure 10-4, NTP works as a server to provide synchronization information for the client.

Figure 10-4 NTP Working as a Server

Configuration Flow1. Enable NTP on R1, and configure the address of the NTP server.2. Enable NTP on R2, and configure a level of the NTP server.

Configuration CommandThe configuration on R1:


R1(config)#ntp server 192.168.5.93 priority 1

The configuration on R2:


R2(config)#ntp master 1

10-5



Configuration VerificationUse the show running-config ntp command on the client and the server to viewconfiguration. Use the show ntp status command on the client to view the IP address andthe clock of the reference clock (R2). Use the show clock command on the client. Theclock has been synchronized with the clock on the server.

10.2 Physical POS Interface Clock Configuratio

10.2.1 Physical POS Interface Clock

Clock SynchronizationThe first problem to resolve in a digital network is clock synzhronization. Clocksynchronization enables the clock frequency and phase of each network node to belimited to a predefined error tolerance range. The sending and receiving ends canextract/send messages at a specified time to avoid transmission performance degradation(error codes and jitters) due to location inaccuracy in the digital transmission system.

Clock Synchronization ModesTwo clock synchronization modes are provided: pseudo synchronization and master-slavesynchronization.

l Pseudo synchronization refers to that different digital exchanges in the digitalswitching network have different clocks independent of each other. Each clock is aCaesium atom clock having a very high accuracy and stability. Because these clocksare highly accurate, they have different frequencies and phases, which are veryclose. This is pseudo synchronization.

l Master-slave synchronization refers to that a master clock exchange is defined inthe network and has a highly accurate clock, other exchanges are all controlledunder this exchange (tracking the clock of the master exchange and taking themaster exchange clock as the reference). And these exchanges are controlled bythe upper-level exchange respectively till the end NE, the terminating exchange.

In general, pseudo synchronization is used in an international digital network, that meansthis mode is used in the digital network between two countries. For example, if twointernational exchanges in China and America have their own Caesium atom clocks, thetwo exchanges use the pseudo synchronization mode.

Master-slave synchronization is used in digital networks in a country or region. Themaster-slave synchronization clocks in the SDH network can be classified into four levelsby accuracy, corresponding to different usage ranges:

l The master clock used as the time reference of the global networkl Slave clocks used in forwarding exchangesl Slave clocks used in local exchangesl Clocks used in the SDH (clocks built-in the SDH)

10-6



Clock Extraction ModesClocks can be extracted in two ways:

l Extracting a clock from the specified clock synchronization circuit which is independentof the equipment, for example, the BITS interface.

l Extracting a clock from a line, for example, 8K clock signals recovered from theSDH/POS interface.

10.2.2 Configuring a Physical POS Interface ClockThis procedure describes how to configure a physical POS interface clock.

Steps1. Configure a physical POS interface clock.


1 ZXR10(config)#interface <interface-name> Enters the POS interface.

2 ZXR10(config-if-interface-name)#clock mode

internal | line

Configures the clock mode to

internal or line. Default: internal.

3 ZXR10(config)#controller <interface-name> Enters controller configuration

mode of the CPOS.

4 ZXR10(config-ctrl-interface-sdh-tug3-e1)#f

raming sdh

Configures the SDH frame format

in controller mode.

5 ZXR10(config)#clock mode internal | line Configures the clock mode to

internal or line in E1 mode.

Default: internal.

2. Verify the configuration result.

Command Function

ZXR10#show interface <interface-name> Shows the mode configured for the

POS interface clock.


10.2.3 Physical POS-Interface Clock Configuration Instance

Configuration DescriptionThe purpose of configuring a POS-interface clock is to synchronize the clock betweendifferent network members, see Figure 10-5.

10-7



Figure 10-5 Physical POS Interface Clock Configuration Instance

Configuration Flow1. Inter-connect the routers.2. Enter POS-interface clock configuration mode.

Configuration CommandConfigurations on router R1:

R1(config)#interface pos3-1/1

R1(config-if-pos3-1/1)#no shutdown

R1(config-if-pos3-1/1)#clock mode line

R1(config-if-pos3-1/1)#exit

Configurations on router R2:

R2(config)#interface pos3-1/1

R2(config-if-pos3-1/1)#no shutdown

R2(config-if-pos3-1/1)#exit

/*Three clock modes can be configured for two ends of the directly-connected POS interface:

internal——internal, internal——line, line——internal.

Note that the line——line mode is unavailable.

Configuration VerificationAfter the configuration is completed, run the show command to verify the configurations:

R1(config-if-pos3-1/1)#show interface pos3-1/1

pos3-1/1 is down, line protocol is down

Description is none

Hardware is Packet Over SONET/SDH

Internet address is unassigned

IP MTU 4470 bytes

MTU 4600 bytes

BW 155520 Kbits

MPLS MTU 4470 bytes

Physical layer is Packet over (SDH)

Holdtime is 120 sec(s)

CRC 32

Loopback cancel

Clock Source: line

Scramble enable

Encapsulation PPP

10-8



Keepalive set: 10 sec(s)

LCP INITIAL, IPCP INITIAL, BCPINITIAL, IPV6CP INITIAL

MPLSCP INITIAL, OSINLCP INITIAL

Last Clear Time : 2000-04-02 01:49:43 Last Refresh Time:2000-04-02 01:49:43

120s input rate : 0Bps 0Pps

120s output rate: 0Bps 0Pps

Intf utilization: input 0% output 0%

HardWareCounters:

In_Bytes 0 In_Packets 0

In_Abort 0 In_OverFlow N/A

In_Runt 0 In_Giant 0

R2(config-if-pos3-1/1)#show interface pos3-1/1

pos3-1/1 is down, line protocol is down

Description is none

Hardware is Packet Over SONET/SDH

Internet address is unassigned

IP MTU 4470 bytes

MTU 4600 bytes

BW 155520 Kbits

MPLS MTU 4470 bytes

Physical layer is Packet over (SDH)

Holdtime is 120 sec(s)

CRC 32

Loopback cancel

Clock Source: internal

Scramble enable

Encapsulation PPP

Keepalive set: 10 sec(s)

LCP INITIAL, IPCP INITIAL, BCPINITIAL, IPV6CP INITIAL

MPLSCP INITIAL, OSINLCP INITIAL

Last Clear Time : 2000-04-02 01:49:43 Last Refresh Time:2000-04-02 01:49:43

120s input rate : 0Bps 0Pps

120s output rate: 0Bps 0Pps

Intf utilization: input 0% output 0%

HardWareCounters:

In_Bytes 0 In_Packets 0

In_Abort 0 In_OverFlow N/A

In_Runt 0 In_Giant 0

10-9




10-10


Chapter 11Performance StatisticsTable of Contents

Performance Management Overview........................................................................11-1Performance Management Configuration .................................................................11-1Performance Management Configuration Example...................................................11-3

11.1 Performance Management OverviewPerformance management provides the following main functions,

l It accepts the login or logout request coming from service module and collectsperformance data according to the registered performance entries.

l It calculates and saves performance data according to the collection interval.l It gives an alarm when performance collection value exceeds the configured alarm

threshold value. It cancels the alarm when performance collection value is belowthan the configured alarm threshold value.

Performance management uses agent server structure, which is composed of PMServer,PMAgent and PMClient.

l PMServer resides in R-CPU.l Every daughter-card has a PMAgent, and each PMAgent acts as an independent

process.l PMClient resides in every application module.

The service modules of daughter-cards interacts with each other by messages sendingbetween PMClient and PMAgent. In this way, application module can log in, log off orreport performance value to performance management.

There are some applications, which use PMServer to mount CallBack function. Afterregister information is modified, PMServer finishes virtual register / register cancellation,and refreshes performance values after member interface data binding to these servicetypes are changed.

11.2 Performance Management ConfigurationThis procedure describes how to configure the performance management function.

Steps1. Configure performance management.

11-1




1 ZXR10(config)#intf-statistics Enters interface statistic

configuration mode.

ZXR10(config-intf-statistics)#one_minute_pe

ak_value {disable | enable}{<interface-name>| default}

Enables or disables the switch to

control the one-minute peak-value

counter on a specific Ethernet

interface or all Ethernet interfaces.

2

ZXR10(config-intf-statistics)#one_minute_pe

ak_value_clear [<interface-name>]

Clears and resets the one-minute

peak-value counter on a specific

Ethernet interface or all Ethernet

interfaces.

3 ZXR10(config-intf-statistics)#traffic-statistics

{enable | disable}

Enables the interface performance

statistic function. Default:

enabled.

4 ZXR10(config)#performance data-save-interval

{15min,5min}

Sets the period for saving data.

Unit: minute, default: 15.

5 ZXR10(config)#performance update-interval

<periodreport><interface-checkPtType>

Sets the interval for sampling data

from a PMA to a PMS. Default:

10 s. Sets the type of a specified

detection point or sets the type of

all detection points by using the

default configuration.

6 ZXR10#clear statistics interface [<interface-name>] Clears the performance value

of a specific interface or the

accumulative performance value

of all interfaces.

2. Collect statistics of performance management.

Command Function

ZXR10#show running-config performance Displays the configuration information

on performance management.

ZXR10# show interface <interface-name> Displays the state of all interfaces or

a specified interface.

ZXR10#show performance one_minute_peak_value

[<interface-name>]

Displays the one-minute peak-value

of an interface.

ZXR10#show performance data-save-interval Displays the period for saving history

performance data.

ZXR10#show ip traffic Displays IP statistics information.

11-2


Chapter 11 Performance Statistics

Command Function

ZXR10#show tcp statistics Displays TCP statistics information.


11.3 Performance Management Configuration ExampleConfiguration DescriptionPerformance management can modify interface count update time or set count switchaccording to user requirement. As shown in Figure 11-1, flow is sent from gei-2/1 of R1 togei-2/1 of R2.

Figure 11-1 Performance Management Configuration Example Topology Diagram

Configuration Flow1. Check the count of interface gei-2/1. To check the new count, clear the previous count.2. Modify the time interval of sampling data from PMS to PMA to control count update

time interval of gei-2/1.

Configuration Command1. Clear gei-2/1 interface count:

ZXR10#clear statistics interface gei-2/1

2. Set count update time of physical port such as gei-2/1 as 30 seconds.ZXR10(config)#performance update-interval 30s ethernet

Configuration VerificationCheck whether the configuration is valid.

ZXR10(config)#show running-config performance

! <performance >

performance update-interval 30s ethernet

! </performance >

11-3




11-4


Chapter 12NetFlow ConfigurationTable of Contents

NetFlow Overview ....................................................................................................12-1Configuring NetFlow.................................................................................................12-3NetFlow Configuration Examples..............................................................................12-9

12.1 NetFlow OverviewNetFlow IntroductionNetFlow is a protocol used to monitor network traffic. There are exporter and collectorused in NetFlow application environment. The exporter collects IP data packets and sendthem to collector. The collector is responsible for analyzing.

Netflow can trace and measure each flow accurately. It brings the following applications,

l Network layout

Netflow can count the information of network flow for a long time. Therefore, it cantrace and estimate the trend of network flow increasing or decreasing. Thus, addor remove route devices or upgrade or degrade the bandwidth of route devices ifrequired. In this way, the network operation is more reasonable.

l Analyze new application

Netflow collects the network usage information of a new application protocol. Bymeans of information analyzing, network resource can be allocated to the newapplication reasonably.

l Network monitor

Netflow has real time network monitor ability. It can locate fault by providinginformation when network has fault, or it can find potential network problem.

NetFlow FeaturesTo accomplish network data collection, NetFlow performs the following task,

l Configure NetFlow service on many interfaces on a router to collect packets whichpass through these interfaces. To reduce system load, set a sample rate on both ofingress and egress on the interfaces. For example, if the sample rate is 2000:1, thensample one packet from every 2000 packets. NetFlow can sample unicast, multicastor Multi Protocol Label Switching (MPLS) packets respectively or hybridly.

l NetFlow analyzes the sampled packet to obtain the following information,

12-1



à Packet information: For example, source / destination IP address, Type OfService (ToS) field, source/ destination TCP/UDP port number.

à Route information: For example, next hop IP address.

à Other information: Packet ingress / egress interface index, sample direction.

NetFlow takes flow as statistic object. The packets which belong to the same floware summarized and stored. NetFlow v5 uses octet to define the unique flow, andNetFlow v9 permits that user defines flow by itself. For example, user can usesource and destination IP addresses to define a flow, then all the packets whichhave the source and destination addresses are defined as a flow. People call theoctet (source and destination IP addresses) as key field. User also can configurenon-key field to obtain other information of the flow, such as packet number, bytesand next hop IP address.

l Netflow has buffer. The sampled packets are stored at buffer at first. The size of everyflow is the sum of all key fields and non-key fields. After a packet is analyzed, findwhether the flow already exists according to its key filed.

à If it already exists, then update the flow’s non-key field.

à If it does not exist, add the new flow into buffer.

l When the flow stored at buffer satisfies the following conditions, it will be sent to remoteserver.

à Send all flow information to server when buffer is full.

à A flow is inactive if there is no packet belongs to the flow in a given time. Sendthe flow to server. The given time is called active aging time. It can be configuredby user.

à For a long term active flow, the statistic information is sent to server once in awhile. The interval is called inactive aging time. It can be configured by user.

l At present, ZXR10 ZSR V2 can record flow information in NetFlow v5, NetFlow v8,NetFlow v9 and IPFIX packets to send to the server.

à Since the format of NetFlow v5 is fixed, Netflow v5 only output the fixed field flowinformation.

à The format of NetFlow v8 packet is also fixed. Comparing with NetFlow v5,NetFlow v8 can output multiple types of field flow information. ZXR10 ZSR V2supports the v8 Protocol-PortMatrix packet format.

à NetFlow v9/IPFIX supports user to customize key field or non-key field. TheNetFlow v9/IPFIX packet is based on module. The module includes user-definedkey field and non-key field, and every module has a unique module ID. NetFlowsends module to server circularly. When a server receives the NetFlow v9/IPFIXpacket including flow information, it will find the corresponding module accordingto the contained module ID.

l On NetFlow server, the received flow information is normally stored at database, andNetFlow analysis software can analyze the entity data.

12-2


Chapter 12 NetFlow Configuration

12.2 Configuring NetFlowThis procedure describes how to configure the NetFlow function.

Steps1. Configure NetFlow exporter policies.


1 ZXR10(config)#flow exporter <exporter-name> Creates a flow exporter policy,

and names the policy. You can

configure up to 200 different flow

exporter policies.

Range of the policy name: 1–32

characters.

2 ZXR10(config-flow-exporter)#destination

{ipv4-address <ip-address>|[vrf <name>]}Configures the IPv4 address of

the NetFlow server.

3 ZXR10(config-flow-exporter)#export-protocol

{netflow-v5 | netflow-v8 | netflow-v9 | ipfix }

Sets the format of NetFlow output

packets.

The output packet format can

be NetFlow v5, v8, v9, or ipfix,

default: netflow-v9 .When the format is set to

v5, the template must be

netflow-original.When the format is v8, the

template must be netflow ipv4protocol-port.

4 ZXR10(config-flow-exporter)#template data

{refresh <packets>| timeout <seconds>}Resends module according to the

number of packets or time.

5 ZXR10(config-flow-exporter)#transport udp

<port>

Sets the NetFlow output protocol

to UDP and sets the port number.

Range: 1–65535, default: 2055.

6 ZXR10(config-flow-exporter)#source

{ipv4-address <ip-address>}Configures the source IPv4

address of NetFlow packets sent.

7 ZXR10(config-flow-exporter)#dscp <value> Sets the TOS field in the IP

header when a Netflow packet is

sent. Range: 0–63, default: 0.

refresh <packets>: the number of output netflow packets, according to which themodule is resent, range: 1–600, default: 20.

timeout <seconds>: time, according to which the module is resent, range: 1–86400,default: 600 seconds.

12-3



2. Creates a flow record policy, and sets key and non-key fields.


1 ZXR10(config)#flow record <record-name> Creates a flow record policy,

and names the policy. You can

configure up to 100 different flow

record policies. Range of the

policy name: 1–32 characters.

ZXR10(config-flow-record)#match datalink mac

{destination-address | source-address}

Sets the source Medium Access

Control (MAC) address or

destination MAC address as a

key field.

ZXR10(config-flow-record)#match flow

{direction|sample-rate}

Sets flow direction or sampling

rate as a key field.

ZXR10(config-flow-record)#match interface

{input | output}

Sets input interface index or

output interface index as a key

field.

ZXR10(config-flow-record)#match ipv4

{[destination address | address-prefixminimum-mask <len>]|[source address |

address-prefix minimum-mask <len>]}

Sets IPv4 information as a key

field.

ZXR10(config-flow-record)#match mpls label

stack section <1–5>

Sets MPLS information as a key

field.

<1–5>: Sets the collection label

to the layer 1, 2, 3, 4, or 5 label.

ZXR10(config-flow-record)#match routing {bgp

as-number {destination | source | next-adjacent |

prev-adjacent}| next-hop-address {ipv4 | ipv6}}

Sets the related route next hop

information as a key field.

ZXR10(config-flow-record)#match transport

{destination-port |icmp {ipv4 | ipv6}{type | code}|

source-port | tcp flags}

Sets transport layer information

as a key field.

icmp {ipv4 | ipv6} {type | code}:

sets the type field of Internet

Control Message Protocol

(ICMP) packets as a collection

field. The field value is ICMPType * 256 + ICMP code.

ZXR10(config-flow-record)#match ip {cos |

protocol | version}

Sets IP information as a key field.

2

ZXR10(config-flow-record)#match ipv6


address-prefix minimum-mask <len>]| flow-label}

Sets IPv6 information as a key

field. Range of len: 1–128.

12-4




ZXR10(config-flow-record)#collect counter {bytes

[long]| packets [long]}

Sets the number and byte number

of flow packets as a non-key

fields.

bytes: This field has 4 bytes.

bytes long: This field has 8 bytes.

packets : This field has 4 bytes.

packets long: This field has 8

bytes.

ZXR10(config-flow-record)#collect datalink mac

{destination-address | source-address}

Sets the source MAC address or

destination MAC address as a

non-key field.

ZXR10(config-flow-record)#collect flow

{direction|sample-rate}

Sets the flow direction or

sampling rate as a non-key field.

ZXR10(config-flow-record)#collect interface

{input | output}

Sets the input interface index

or output interface index as a

non-key field.

ZXR10(config-flow-record)#collect ipv4


address-prefix minimum-mask <len>]}

Sets IPv4 information as a

non-key field.

ZXR10(config-flow-record)#collect mpls label

stack section <1–5>

Sets MPLS information as a

non-key field.

ZXR10(config-flow-record)#collect routing {bgp

as-number {destination | source | next-adjacent |

prev-adjacent}| next-hop-address {ipv4 | ipv6}}

Sets the route next hop

information as a non-key field.

ZXR10(config-flow-record)#collect timestamp

{sys-uptime {first | last}| absolute {first-millisec |

last-millisec}}

Sets the time or absolute time

when a flow is switched for the

first or last time as non-key field.

sys-uptime first: sets the system

power-up time when the flow

arrives at the cache for the first

time as a collected non-key field.

Unit: ms.

sys-uptime last: sets the system

power-up time when the flow is

updated in the cache for the last

time as the collected non-key

field. Unit: ms.

4

12-5




ZXR10(config-flow-record)#collect transport

{destination-port | icmp {ipv4 | ipv6}{code | type}|

source-port | tcp flags}

Sets transport layer information

as a non-key field.

ZXR10(config-flow-record)#collect ip {cos|

protocol | version}

Sets IP information as a non-key

field.

ZXR10(config-flow-record)#collect ipv6

{[destination address | address-prefix minimum-mask <len>]|[source addressaddress-prefixminimum-mask <len>]| flow-label}

Sets IPv6 information as a

non-key field. Range of len:1–128.

3. Configure a NetFlow sampling policy.


1 ZXR10(config)#sampler <sampler-name> Creates a sampler policy,

and names it. Up to 200

different sampler policies can be

configured.


characters.

2 ZXR10(config-sampler)#mode deterministic

1–––out-of<rate>

Sets the sampling mode and

sampling rate.

deterministic : uses deterministic sampling, that is, if the sampling rate is N, then onepacket out of every N packets is sampled.

<rate>: sampling rate, range: 1–65535, default: 1000.

4. Configure a NetFlow monitoring policy.


1 ZXR10(config)#flow monitor <monitor-name> Creates a flow monitor policy,

and names it. Up to 60 different

flow monitor policies can be

configured.


characters

2 ZXR10(config-flow-monitor)#cache {entries<num>| timeout {active | inactive}<seconds>}

Sets cache information.

12-6




3 ZXR10(config-flow-monitor)#exporter

<exporter-name>

Associates a flow exporter policy.

Associates a pre-set flow exporter

policy. That is, the flow monitor

policy uses the flow exporter

policy for the output of netflow

packets. If the flow exporter

policy uses v5 output format,

the template used by the flow

monitor must be the pre-set

netflow-original.

4 ZXR10(config-flow-monitor)#record {<record-nam

e>|netflow ipv4 protocol-port|netflow-original}

Sets the template to be used.

entries <num>: sets the buffer size to num, which represents the number of flows thatcan be stored in the buffer. Range: 16–131072, default: 4096.

timeoutactive<seconds>: active ageing time, unit: second, range: 10–604800, default:1800.

timeoutinactive<seconds>}: inactive ageing time, unit is second, range: 10–604800,default: 1800.

record <record-name>: uses a pre-set flow record policy as the template.

record netflow-original: predefines the v5 template. Collected key and non-key fieldsare consistent with those of netflow v5.

netflow ipv4 protocol-port: predefines the v8 module.

5. Configure a NetFlow interface.


1 ZXR10(config)#interface <interface-name> Enters interface configuration

mode.

ZXR10(config-if-interface-name)#ip

flow monitor <monitor-name>[sampler<sampler-name>][unicast|multicast|ipv4–access-list<name>]{input|output}

Configures IPv4 packets

sampling on the interface.

ZXR10(config-if-interface-name)#ipv6

flow monitor <monitor-name>[sampler<sampler-name>][unicast |multicast | ipv6–access-list<name>]{input | output}

Configures IPv6 packets


2

ZXR10(config-if-interface-name)#mpls flow

monitor <monitor-name>[sampler <sampler-name>]unicast {input | output}

Configures MPLS packet


12-7



ip flow monitor <monitor-name>: applies a pre-set netflow monitoring policy on theinterface. After the command is run, configurations related to the monitor policy, thecache size, template in use, and collected fields of the template cannot be modified. Tomodify the configurations, the flowmonitoring policy must be deleted from the interfacefirst. Flow active/inactive ageing time and the output policy can be modified.

sampler <sampler-name>: applies a pre-set sampling policy on the interface. Thesampling policy cannot be modified after it is applied on the interface. The modificationtakes effect only after it is unbound and then applied on the interface.

unicast | multicast| ipv4–access-list <acl-name>: type of sampled packets. unicastmeans sampling unicast packets. multicast means sampling multicast packets. access-list means sampling packets that are filtered with the ACL rules. Up to six differentACL rules can be used.

In one direction, unicast, multicast, MPLS, and ACL rule packets can be sampledat the same time. Samples from two directions are not mutually exclusive. If ACLrule packets are sampled from one direction, however, unicast and multicast packetscannot be sampled, and vice versa.


Command Function

ZXR10#show ip flow exporter [<exporter-name>] Displays a flow exporter policy of the

specified name or all flow exporter

policies.

ZXR10#show ip flow interface [<interface-name>] Displays configurations of the specified

interface or all interfaces.

ZXR10#show ip flow monitor [<monitor-name>] Displays a flow monitoring policy of the

specified name or all flow monitoring

policies.

ZXR10#show ip flow record [<record-name>|

netflow-original | ipv4 protocol-port]

Displays a flow record policy of the

specified name, the pre-defined V5

policy (V5 template: netflow-original), or

all flow record policies.

ZXR10#show ip flow sampler [<sampler-name>] Displays a sampler policy of the

specified name or all sampler policies.

ZXR10#show running-config ipflow [all][|{begin |

exclude | include}<line>]

Displays NetFlow configurations, or all

configurations including default values

of un-configured parameters when the

command carries the all parameter.

ZXR10#show running-config-interface <interface-name

>[all][|{begin | exclude | include}<line>]

Displays interface configurations related

to NetFlow.

12-8



Command Function

ZXR10#show ip flow service-cpu Displays information on the service CPU

when the NetFlow function is enabled.


12.3 NetFlow Configuration Examples

12.3.1 NetFlow V5 Configuration Example

Configuration DescriptionAs shown in Figure 12-1, configure NetFlow on R1, connect the server to R1, and configurean IP address. Configure a route to the server if necessary so that the NetFlow packetscan be sent to the server.

Figure 12-1 NetFlow V5 Configuration Example

Configuration Flow1. Enable NetFlow Service.2. Configure flow exporter output, including server IP address, port number and protocol

type.3. Configure sampler sampling rate and sampling mode.4. Configure the size of flow monitor cache, active overtime value and inactive overtime

value, bind the configured flow exporter to system v5 module.5. Bind flow monitor policy to interface, configure sampling type and direction.



R1(config)#flow exporter exp

R1(config-flow-exporter)#destination ipv4-address 169.1.109.60

R1(config-flow-exporter)#transport udp 2055

R1(config-flow-exporter)#export-protocol netflow-v5

R1(config-flow-exporter)#exit

12-9



R1(config)#sampler sam

R1(config-sampler)#mode deterministic 1-out-of 1024

R1(config-sampler)#exit

R1(config)#flow monitor mo

R1(config-flow-monitor)#cache entries 4096

R1(config-flow-monitor)#exporter exp

R1(config-flow-monitor)#record netflow-original

R1(config-flow-monitor)#cache timeout inactive 60

R1(config-flow-monitor)#cache timeout active 10

R1(config-flow-monitor)#exit



R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input


Configuration VerificationCheck the configuration on R1, as shown below.

R1#show running-config ipflow

!<ipflow>

flow exporter exp

destination ipv4-address 169.1.109.60

export-protocol netflow-v5

$

flow monitor mo

cache timeout active 10

cache timeout inactive 60

record netflow-original

exporter exp

$

sampler sam

mode deterministic 1-out-of 1024

$

interface gei-6/6

ip flow monitor mo sampler sam unicast input

$

!</ipflow>

12-10






Configuration Flow1. Enable NetFlow Service.2. Configure flow exporter output, including the server IP address, port number and

protocol type.3. Configure sampler, setting sampling rate and sampling mode.4. Configure the cache size of flow monitor, the active overtime value and the inactive

overtime value. Bind the configured flow exporter to the system v8 module.5. Bind flow monitor to the interface, and configure the sampling type and direction.


R1(config)#flow exporter exp











R1(config-flow-monitor)#record netflow ipv4 protocol-port




12-11







Configuration VerificationVerify the configuration on R1 as shown below.


! < ipflow >

sampler sam


$

flow exporter exp


export-protocol netflow-v8

$

flow monitor mo



record netflow ipv4 protocol-port

exporter exp

$

interface gei-6/6


$

! </ ipflow >




12-12



Configuration Flow1. Enable NetFlow Service.2. Configure flow exporter output, including server IP address, port number and protocol

type, module refresh time and refresh rate.3. Configure match and collect of flow record policy.4. Configure the size of flow monitor cache, active overtime value and inactive overtime

value, bind the configured flow exporter policy and flow record policy.5. Configure sampler sampling rate and sampling mode.6. Bind flow monitor policy to interface, configure sampling type and direction.


ZXR10(config)#flow exporter exp




R1(config-flow-exporter)#template data refresh 20

R1(config-flow-exporter)#template data timeout 60





R1(config)#flow record rec

R1(config-flow-record)#match ipv4 source address

R1(config-flow-record)#match ipv4 destination address

R1(config-flow-record)#match transport source-port

R1(config-flow-record)#match transport destination-port

R1(config-flow-record)#collect counter bytes

R1(config-flow-record)#collect counter packets

R1(config-flow-record)#exit






R1(config-flow-monitor)#record rec





12-13



R1(config-if-gei-6/6)#end

Configuration VerificationCheck the configuration on R1, as shown below.


!<ipflow>

sampler sam


$

flow exporter exp


#export-protocol netflow-v9

$

flow record rec

match ipv4 source address

match ipv4 destination address

match transport source-port

match transport destination-port

collect counter bytes

collect counter packets

$

flow monitor mo



record rec

exporter exp

$

interface gei-6/6


$

!</ipflow>

12-14


Chapter 13SQA ConfigurationTable of Contents

SQA Overview..........................................................................................................13-1Configuring SQA ......................................................................................................13-1SQA Configuration Examples ...................................................................................13-4

13.1 SQA OverviewService Quality Analyzer (SQA) is a measured detection technology. Through SQA, userscan obtain more detailed network quality analysis at IP layer, and can also check whetherthe network quality of a specific service meets the requirement of Service Level Agreement(SLA). The functions of SQA are listed below.

l Users can know the network performance quickly and then take correspondingmeasurements according to different network performances.

l Users can use SQA to diagnose and locate network faults, especially for QoS faultsof some applications.

l SQA supports linkage of some protocols. For example, when the quality of a networkworsens to some extent, SQA can enable linkage with policy routing.

Normally, SQA is used to diagnose network faults.

For example, on a mobile IP bearer network, when the quality of phone calls declinesseriously, it is necessary to check whether there is serious voice packet loss, delay andoscillation at the wireless network side and IP bearer network side at the same time. At theIP bearer network side, it is necessary to check whether there is any serious network faultfor the transmission of IP packets between CEs. At the same time, it is also necessaryto use the parameters (such as UDP packet oscillation and delay ) of SQA to determinewhether the fault is on the bearer network side.

SQA can also be used to detect the network qualities of operators periodically to reflect thenetwork qualities in real time, so that operators can master the overall network qualities.

13.2 Configuring SQAThis procedure describes how to configure the SQA function.

Steps1. Configure an SQA instance.

13-1




1 ZXR10(config)#sqa-test <number> Selects a test instance

number and enters SQA

configuration mode. The

range of the instance number

is 1–150.

ZXR10(config-sqa)#type-icmp [vrf <vrf-name>]<destination-address>[source <source-address>][repeat <repeat-number>][tos <tos-value>][ttl < ttl-value>][size<size-value>][interval <interval-value>]

Configures an ICMP test

instance in SQA mode.

ZXR10(config-sqa)#type-udp [ vrf <vrf-name>]<destination-address><destination-port>[size <size-value>][interval<interval-value>][repeat <repeat-number>]

Configures a UDP test


ZXR10(config-sqa)#type-tcp [ vrf <vrf-name>]<destination-address><destination-port>[interval<interval-value>][repeat <repeat-number>]

Configures a TCP test


ZXR10(config-sqa)#type-ftp copy <destination-address>

uesr-name <user-name> password {encrypted<ftp-server-encrypted-password>|<ftp-server-password>}

file-name <file-name> root <local-path>/<file-name>

Configures an FTP test


ZXR10(config-sqa)#type-dns [vrf <vrf-name>]destination-url <destination-url> dns-ip<dns-ip-address>[repeat <repeat-number>]

Configures a DNS test


ZXR10(config-sqa)#type-http [vrf <vrf-name>]{http-ip<http-ip-address>|http-url<http-url> dns-ip<dns-ip-address>}[repeat <repeat-number>]

Configures an HTTP test


ZXR10(config-sqa)#type-snmp [vrf <vrf-name>]<specify-destination-ip-address>

Configures an SNMP test


ZXR10(config-sqa)#type-udp-jitter [vrf<vrf-name>]<specify-destination-ip-address><specify

-destination-port>[interval<interval-time>][repeat<repeat-number> size<size-number>| interval<interval-time>][size<size-number> interval<interval-time>|repeat<repeat-number>]

Configures a UDP-JITTER

test instance in SQA mode.

2

ZXR10(config-sqa)#type-icmp-jitter [vrf <vrf-name>]<destination-address>[source <source-address>][repeat <repeat-number>][tos <tos-value>][ttl < ttl-value>][size <size-value>][interval <interval-value>]

Configures an ICMP jitter test


<repeat-number>: number of repeat times. In an ICMP test, range: 1–65535, default:1. In a UDP test, range: 1–1000, default: 1. In a TCP test, range: 1–200, default: 1.

13-2


Chapter 13 SQA Configuration

In a DNS test, range: 1–10, default: 1. In an ICMP jitter test, range: 1–65535, default:1.

<tos-value>: ToS value, range: 0–255, default: 0.

<ttl-value>: Time To Live (TTL) value, range: 1–255, default: 255.

<size-value>: size of a packet. In an ICMP test, range: 36–8192 bytes, default: 36bytes. In a UDP test, range: 50–1500 bytes, default: 50 bytes. In an ICMP jitter test,range: 40–8192 bytes, default: 40 bytes.

<interval-value>: interval between two packets, unit: ms. In an ICMP test, range:50–65535, default: 100. In a UDP test, range: 50–2000, default: 100. In a TCP test,range: 1000–4000, default: 1000. In an ICMP jitter test, range: 50–65535, default:100.

<destination-port>: Destination port number, range: 1025–65535.

<user-name>: user name of the FTP server, range: 1–31 characters.

<ftp-server-password>: clear text password of the FTP server, range: 1–31 characters.

<ftp-server-encrypted-password>: cipher text password of the FTP server, range: 64characters.

<file-name>: FTP source file name, range: 1–79 characters.

<local-path>/<file-name>: FTP local path and file name, range: 1–151 characters.

<destination-url>: domain name to be resolved, range: 1–128 characters.

<dns-ip-address>: DNS IP address.

2. Start an SQA test, and enable the Trap alarm.


1 ZXR10(config-sqa)#sqa-begin {now | timerange<timerange-name>}

Starts a test in SQA mode.

The sqa-stop command stops

the test. If now is selected,

the test is started immediately.

2 ZXR10(config-sqa)#send-Trap { enable <percent>} Enables the Trap alarm

in SQA mode. <percent>:

alarm threshold value, range:

1–100.

3. Configure an SQA TCP or UDP server.

Command Function

ZXR10(config)#sqa-tcp-server <ipaddress><port> Configures an SQA TCP server. (This

configuration is required when you

select a TCP test.)

13-3



Command Function

ZXR10(config)#sqa-udp-server <ipaddress><port> Configures an SQA UDP server. (This

configuration is required when you

select a UDP test.)


Command Function

ZXR10#show running-config sqa [all][|begin | exclude

| include}<line>

Displays SQA configurations.

ZXR10#show sqa-test <number> Displays SQA test configurations.

ZXR10#show sqa-server {upd|tcp} Displays SQA server configurations.

ZXR10#show sqa-result {udp | tcp | icmp | ftp | dns | http |

snmp | udpjitter | icmpjitter}

Displays configurations of each SQA

test instance.


13.3 SQA Configuration Examples

13.3.1 ICMP-Type SQA Configuration Example

Configuration DescriptionAs shown in Figure 13-1, there is a link between R1 and R3. Packets between R1 and R3can be forwarded properly.

Figure 13-1 ICMP-Type SQA Configuration Example

Configuration Flow1. Create an SQA test instance.2. Enter the SQA test instance, and configure ICMP test attribute for the test instance,

such as the ICMP test destination address .3. Set the SQA test start time as now or at a scheduled time.4. Check the test result.

Configuration CommandThe configuration of R1:

13-4



R1(config)#sqa-test 1

R1(config-sqa-1)#type-icmp 10.1.0.2

R1(config-sqa-1)#sqa-begin now

%Info 757: The sqa test is starting now, please wait a moment for test result......

R1(config-sqa-1)#

Configuration VerificationThe configuration and test result are shown below.

R1#show sqa-test 1

test number:1

test type: ICMP

destination IP: 10.1.0.2

repeat:1

tos:0

ttl: 255

size: 36

interval time:100

send trap:disable

R1#show sqa-result icmp

icmp test[1] result

SendPackets:1 ResponsePackets:1

Completion:success Destination IP Address: 10.1.0.2

Min/Max/Avg/Sum RTT:29/99/39/787ms

Min/Max/Avg/Sum Positive Jitter:1/7/3/9ms

Min/Max/Avg/Sum Negative Jitter:1/70/35/71ms

Min/Max/Avg/Sum Jitter:1/70/16/80ms

Packet loss rate:0%

Last Probe Time:2012-11-18 01:57:38

13.3.2 FTP-Type SQA Configuration Example

Configuration DescriptionAs shown in Figure 13-2, there is a link between the FTP server and R1. Packets betweenthem can be forwarded properly. It is required to enable the FTP server function on FTPserver, and configure a user name and password.

Figure 13-2 FTP-Type SQA Configuration Example

13-5



Configuration Flow1. Create an SQA test instance.2. Enter the SQA test instance, and configure the FTP test attributes for the test instance

including FTP server address, user name, password, source file name, destinationpath and destination file name.

3. Set the SQA test start time to now or a scheduled time.4. Check the test result.



R1(config)#type-ftp copy 1.1.1.1 filename abc.txt root /datadisk0/abc.txt

R1(config)#type-ftpusername whopassword who


%Info 757: The sqa test is starting now, please wait a moment for test result......

R1(config-sqa-2)#

Configuration VerificationRun the show command to check the configurations and test results. The execution resultis displayed as follows

R1#show sqa-test 2

test number:2

test type: FTP

ftp IP:10.1.0.2

username:who

password: 9654d35c7f907ad5c1a1f803d1e4a21c667d8939cade03478bad7db48099d0e4

/*Encrypted*/

filename:abc.txt

root:/datadisk0/abc.txt

send Trap:disable

R1#show sqa-result ftp

ftp test[2] result

Completion:success

Last RTT:127s Bytes read:4817497

Last Probe Time:2012-07-29 09:22:58

13.3.3 TCP-Type SQA Configuration Example

Configuration DescriptionAs shown in Figure 13-3, there is a link between R1 and R3. Packets between R1 and R3can be forwarded properly. Enable a monitoring port pf SQA-TCP-server on R3.

13-6



Figure 13-3 TCP-Type SQA Configuration Example

Configuration Flow1. Create an SQA test instance.2. Enter the SQA test instance, and configure the TCP test attribute for the test instance,

such as the TCP test destination address and port number.3. Set the SQA test start time as now or at a scheduled time.4. Check the test result.


R3(config)#sqa-tcp-server 10.1.0.2 10000

The configuration of R1:


R1(config-sqa-3)#type-tcp 10.1.0.2 10000


%Info 757: The sqa test is starting now, wait a moment for test result......

R1(config-sqa-3)#


R1#show sqa-test 3

test number:1

test type: TCP

destination IP:10.1.0.2

desitnation port:10000

interval time:1000

repeat:1

send trap:disable

R1#show sqa-result tcp

tcp test[3] result


Completion:success Destination Ip Address:10.1.0.2


Last Probe Time:2012-07-29 09:45:49

13-7



13.3.4 UDP-Type SQA Configuration Example

Configuration DescriptionAs shown in Figure 13-4, there is a link between R1 and R3. Packets between R1 and R3can be forwarded properly. Enable a monitoring port of SQA-UDP-server on R3.

Figure 13-4 UDP-Type SQA Configuration Example

Configuration Flow1. Create an SQA test instance.2. Enter the SQA test instance, and configure the UDP test attribute for the instance,

such as the UDP test destination address and port number.3. Set the SQA test start time as now or at a scheduled time.4. Check the test result.


R3(config)#sqa-udp-server 10.1.0.2 10000

The configuration of R1:


R1(config-sqa-4)#type-udp 10.1.0.2 10000



R1(config-sqa-4)#


R1#show sqa-test 4

test number:1

test type: UDP

destination IP:10.1.0.2

desitnation port:10000

size: 50

interval time:100

repeat:1

send trap:disable

13-8



R1#show sqa-result udp

udp test[4] result


Completion:success Destination IP Address: 10.1.0.2


Min/Max/Avg/Sum Positive Jitter:0/0/0/0ms

Min/Max/Avg/Sum Negative Jitter:1/1/1/2ms

Min/Max/Avg/Sum Jitter:1/1/1/2ms

Packet loss rate:0%

Last Probe Time:2012-09-01 23:52:35

13.3.5 DNS-Type SQA Configuration Example

Configuration DescriptionAs shown in Figure 13-5, configure an SQA test instance on ZXR10 ZSR V2, connect theserver to R1, and configure an IP address. Configure a route to the server if necessary sothat DNS packets can be sent to the server.

Figure 13-5 DNS-Type SQA Configuration Example

Configuration Flow1. Create an SQA test instance.2. Enter the SQA test instance, configure the domain name to be resolved by the DNS

test and the IP address of the DNS server, and set the number of resolution operations.3. Set the SQA test start time as right now or at a scheduled time.4. Check the test result.

Configuration CommandConfiguration of R1:

R1(config)#ip domain lookup

R1(config)#ip domain name-server ipv4-address 10.1.0.1


R1(config-sqa-5)#type-dns destination-url abc.cn dns-ip 10.1.0.1



R1(config-sqa-5)#

13-9



Configuration VerificationThe configuration information and test result are shown below.

R1#show sqa-test 5

test number:1

test type: DNS

destination-url:abc.cn

dns-ip:10.1.0.1

repeat:1

send trap:disable

R1#show sqa-result dns

dns test[5] result


Completion:success

Destination-url:abc.cn

DNS Interpret IP Address:10.1.0.1


Last Probe Time:2012-07-29 09:49:36

13-10


Chapter 14LLDP ConfigurationTable of Contents

LLDP Overview ........................................................................................................14-1Configuring LLDP.....................................................................................................14-3LLDP Configuration Examples..................................................................................14-5

14.1 LLDP OverviewLLDP IntroductionWith the wide applications of Ethernet on LAN and Metropolitan Area Network (MAN),users have higher and higher requirements for Ethernet management ability. At present,many network management systems use the automatic discovery function to trace thetopology changes. However, most network management systems can only analyze thenetwork topology up to the network layer. The information, such as the interfaces on adevice, the interfaces connected to other devices, and the paths among clients, networkdevices and servers, need to be collected through the link layer. With enough detailedinformation, users can locate network faults correctly.

Link Layer Discovery Protocol (LLDP) is a protocol defined by IEEE 802.1AB. Networkmanagement systems can know the topology and changes of L2 networks through LLDP.LLDP organizes local device information into Type/Length/Value (TLV) and encapsulatesit in a Link Layer Discovery Protocol Data Unit (LLDPDU) to send it to the direct-connectedneighbor. At the same time, LLDP saves the LLDPPDU sent by neighbors in the standardMIB, so that network management systems can query and determine the communicationstates of links.

LLDP FeaturesLLDP is defined in 802.1AB. As shown in Figure 14-1, LLDP works at the data link layer.It is a neighbor discovery protocol that defines a standard for Ethernet devices (such asswitches, routers and wireless LAN access points). Through LLDP, an Ethernet devicecan advertise its existence to other nodes on the network and save discovery informationof neighbor devices. The device sends the state information to other devices. Theinformation is stored on each port of all devices. If necessary, the device can send updateinformation to the neighbor devices that are connected directly, and the neighbor devicesstore the information in standard SNMP MIBs.

14-1



Figure 14-1 LLDP System Structure

l Network management systems can query the L2 connection information in the MIB.LLDP does not configure or control network elements or traffic. It just reports theposition of L2. Another function defined in 802.1AB is that network managementsoftware can use the information provided by LLDP to find conflicts at L2 network.At present, IEEE uses the physical topologies, interfaces and entity MISs existing inIETF.

l A device that supports LLDP must support chassis ID advertisements and portID advertisements. Most devices need to support system name advertisements,system description advertisements and system capability advertisements. Systemname advertisements and system description advertisements can provide usefulinformation to collect network traffic. System description advertisements also cancontain information such as the full name of the device, the type of the systemhardware and the version of the software operating system.

l LLDP information is transmitted periodically and it can only be stored for a period.IEEE has defined a recommended transmission frequency, about once per 30seconds. When an LLDP device receives an LLDP packet sent by a neighbor LLDPdevice, it stores the information in the CACHE of SNMP MIB defined by IEEE.The information is invalid during a period. The value of TTL to define the period iscontained in the received packets.

l LLDPmakes network management systems be able to discover and simulate physicalnetwork topologies correctly. LLDP devices send and receive advertisements, so thedevices save the information of the discovered neighbor devices. The advertisementdata, such as the management address, device type and port number of a neighbordevice, is helpful to know the type and interconnected interfaces of the neighbordevice.

14-2


Chapter 14 LLDP Configuration

l An LLDP device advertises its information to direct-connected neighbor devicesperiodically. It also receives, refreshes and saves the advertisements from neighbordevices. The device scans the CACHE every second. If no new packet is receivedduring the hole-time period, the information is aged.

l LLDP defines a general advertisement set, a transport advertisement protocol and amethod of storing all received advertisements. A device that wants to advertise itsinformation can put several advertisements in a LAN packet. The mode to transmitthe packets is the TLV field. The information includes the chassis ID (mandatory), portID (mandatory), system name, system function, system description and some otherattributes.

à Chassis ID is the first mandatory TLV in an LLDPDU. It is the unique ID of adevice that supports to send LLDPDUs. It is recommended to use the chassisMAC address as the chassis ID for a switch, and use the loopback address or aninterface IP address as the chassis ID for a router.

à Port ID is the second mandatory TLV in an LLDPPDU. It is the unique ID of portthat sends LLDPDUs. For a switch, it is recommended to use the port name asthe port ID, such as fei4/1.

à TTL is the third mandatory TLV in an LLDPPDU. It is the living time (in the unitof second) of an LLDPPDU received by the peer. When a peer receives anLLDPPDU of which the TTL is 0, the device deletes all related information.

à End of LLDPDU is the last mandatory TLV in an LLDPPDU. It defines the end ofan LLDPPDU.

14.2 Configuring LLDPThis procedure describes how to configure basic attributes and functions for the LLDP.

Steps1. Configure LLDP.

To configure LLDP on ZXR10 ZSR V2, perform the following steps.


1 ZXR10(config)#lldp This enters LLDP configuration

mode.

14-3




ZXR10(config-lldp)#hellotime <times> This configures the interval to

send LLDP neighbor discovery

packets. It is in the unit of second,

and it is in the range of 5–32768,

the default value is 30.

ZXR10(config-lldp)#holdtime <time> This configures the hold-time of

an LLDP neighbor. The <times>

parameter is a multiple of the

interval to send LLDP neighbor

discovery packets. It is in the

range of 2–10, and the default

value is 4.

2

ZXR10(config-lldp)#maxneighbor <num> This configures the maximum

number of neighbors that can be

discovered by LLDP, in the range

of 1–128, with the default value of

128.

3 ZXR10(config-lldp)#lldp {enable | disable} Enables/Disables LLDP function.

4 ZXR10(config-lldp)#lldp-rx {enable | disable} Enables/Disables LLDP function.

5 ZXR10(config-lldp)#lldp-tx {enable | disable} Enables/Disables LLDP send

function.

ZXR10(config-lldp)#txcreditmax <credit> This configures the maximum

credit number, in the range of

1-10, with the default value of 5.

ZXR10(config-lldp)#txfastinit <num> This configures the packets

number of fast transmit, in the

range of 1-8, with the default value

of 4.

6

ZXR10(config-lldp)#msgfasttx <interval> This configures the interval of fast

transmit packets, in the range of

1-3600, with the default value of

1s.

2. Configure LLDP in interface configuration mode.


1 ZXR10(config-lldp-if-interface-name)#lldp

{enable | disable}

Enables/Disables LLDP in an

interface.

2 ZXR10(config-lldp-if-interface-name)#lldp-rx

{enable | disable}

Enables/Disables LLDP receive

function in an interface.

14-4




3 ZXR10(config-lldp-if-interface-name)#lldp-tx

{enable | disable}

Enables/Disables LLDP send

function in an interface.

4 ZXR10(config-lldp-if-interface-name)#maxne

ighbor <num>

This configures the maximum

number of neighbors that can be

discovered by LLDP, in the range

of 1-8, with the default value of 8.


Command Function

ZXR10#show lldp {config [interface <interface-name>]|

entry [interface <interface-name>]| neighbor [interface<interface-name>]| statistic [interface <interface-name>]}

This shows LLDP configuration

information, detailed neighbor

information, brief neighbor

information and statistical

information.

4. Maintain the LLDP.

Command Function

ZXR10#debug lldp { adjacency | event | packets [receive

| send]| all }

This shows LLDP related information,

event information and packets

sending and receiving information.

ZXR10(config-lldp)#clearneighbor This clears an LLDP neighbor

relationship that has been established.

ZXR10(config-lldp)#clearstatistic This clears LLDP statistical

information.

ZXR10(config-if-interface-name)#clearneighbor This clears an LLDP neighbor

relationship that has been established

on an interface.

ZXR10(config-if-interface-name)#clearstatistic This clears LLDP statistical

information on an interface.


14.3 LLDP Configuration Examples

14.3.1 LLDP Neighbor Configuration Example

Configuration DescriptionAs shown in Figure 14-2, it is required to configure LLDP on gei-1/1 of R1.

14-5



Figure 14-2 LLDP Neighbor Configuration Example

Configuration Flow1. Enter LLDP configuration mode.2. Enter an interface.3. Enable LLDP.

Configuration CommandEnter an interface in LLDP configuration mode and then configure LLDP, as shown below.

R1(config)#lldp

R1(config-lldp)#interface gei-1/1

R1(config-lldp-if-gei-1/1)#lldp enable

R1(config-lldp-if-gei-1/1)#end

Configuration VerificationUse the show lldp neighbor command to check the configuration result, as shown below.

R1(config)#show lldp neighbor

Capability Codes:

N - Other, r - Repeater, B - Bridge, W - WLAN Access

Point,

R - Router, T - Telephone, D - DOCSIS Cable Device,

S - Station Only

Local-Port Chassis-ID Holdtime Capability Platform Peer-Port

---------------------------------------------------------------------------

gei-1/1 0023e4221134 103 B R 6800v1.00.20 gei-1/1

14.3.2 LLDP Attribute Configuration Example

Configuration DescriptionAs shown in Figure 14-3, it is required to configure LLDP attributes on R1.

Figure 14-3 LLDP Attribute Configuration Example

14-6



Configuration Flow1. Enter LLDP configuration mode.2. Configure LLDP attributes.


R1(config)#lldp

R1(config-lldp)#maxneighbor 3

/*Configure the maximum number of system neighbors*/

R1(config-lldp)#hellotime 30000

/*Configure the intervals to send LLDP neighbor discovery packets*/

R1(config-lldp)#holdtime 8

/*Configure LLDP neighbor hold-time*/

R1(config-lldp)#lldp enable

/*Enable LLDP*/

R1(config-lldp)#lldp-rx enable

/*Enable LLDP receiving*/

R1(config-lldp)#lldp-tx enable

/*Enable LLDP sending*/

R1(config-lldp)#clearneighbor

/*Clear LLDP neighbor relationship that has been established*/

R1(config-lldp)#clearstatistic

/*Clear LLDP statistical information*/

R1(config-lldp)#end

Configuration VerificationUse the show running-config lldp command to check the configuration result.

ZXR10#show running-config lldp

! <LLDP>

lldp

hellotime 30000

holdtime 8

maxneighbor 3

! </LLDP>

14-7




14-8


Chapter 15Network Layer DetectionTable of Contents

Configuring ICMP Fast Response ............................................................................15-1Configuring IP Source Route Option Processing ......................................................15-4Configuring ICMP Unreachable Packet Function ......................................................15-6Enabling an Interface to Send ICMP Unreachable Packets ......................................15-7Configuring IP Ping ..................................................................................................15-9Configuring IP Trace...............................................................................................15-12Configuring LSP Ping .............................................................................................15-15Configuring LSP Trace ...........................................................................................15-21Configuring Multicast Ping......................................................................................15-26Configuring Multicast Trace ....................................................................................15-30Configuring MAC Ping............................................................................................15-32Configuring MAC Trace ..........................................................................................15-34IP Performance Maintenance .................................................................................15-37

15.1 Configuring ICMP Fast ResponseOverviewOpposite to the ICMP slow response function, the ICMP fast response function reducesdelays and delay jitter of ping packets, and increases the standard-reaching rate of networkdelays.

To detect the connectivity with another node, one node uses the ICMP response function.The source node sends an ICMP Echo Request packet to the destination node. Afterreceiving this packet, the destination node returns an ICMP Echo Reply packet. Whenthe source node receive the corresponding Reply packet, it determines that the network isconnected.

The ICMP slow response function means that a destination node sends received Requestpackets to the control plane, which returns Reply packets. To reduce delays, the ICMPfast response function directly returns Reply packets.

Configuration CommandsTo configure the ICMP fast response function, run the following command on the ZXR10ZSR V2:

15-1



Command Function

ZXR10(config)#ip icmp-fast-reply Enables the ICMP fast response (ping)

function. This function is enabled by

default.

Maintenance CommandsTo maintain the ICMP fast response function, run the following commands on the ZXR10ZSR V2:

Command Function

ZXR10#debug ip icmp Enables the ICMP debug function, which

displays debug information on ICMP

processing, and at the same time disables

the ICMP fast ping function.

ZXR10#debug ip icmp detail Enables the ICMP debug function, which

displays detailed debug information on

ICMP processing, and at the same time

disables the ICMP fast response function.

ZXR10#debug ip interface<interface-name> Enables the IP debug function on the

configuration interface, which displays

debug information on IP processing, and

at the same time disables the ICMP fast

response function.

ZXR10#debug ip Enables the IP debug function, which

displays debug information on IP-layer

processing, and at the same time disables

the ICMP fast response function.

ZXR10#show debug icmp Displays the enabled ICMP debug

functions.

ZXR10#show debug ip Displays the enabled IP debug functions.

ZXR10#show ip traffic Displays statistics of received and sent

packets at the IP, ICMP, UDP, and TCP

layers.

ZXR10#clear ip traffic Clears statistics of received and sent

packets at the IP, ICMP, UDP, and TCP

layers.

Configuration Examplel Configuration Description

As shown in Figure 15-1, the interface gei-1/1 of R1 is connected to gei-1/1 of R2directly. The ICMP fast response (ping) function is required between R1 and R2.

15-2


Chapter 15 Network Layer Detection

Figure 15-1 ICMP Fast Response Configuration Example

l Configuration Flow1. Configure IP addresses of R1 and R2 interfaces.2. Test the configuration result to make sure that the ICMP fast response (ping)

function is enabled between R1 and R2.l Configuration Commands












Run the following command to check the configurations on R1. The execution resultis displayed as follows:

R1#ping 10.1.1.2

sending 5,100-byte ICMP echoes to 10.1.1.2,timeout is 2 seconds.

!!!!!

Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/21 ms.

Run the following command to check the configurations on R2. The execution resultis displayed as follows:

R2#ping 10.1.1.1


!!!!!


Note:

The ICMP fast response function is enabled by default. If the corresponding debugfunction is enabled and then ping is performed, the ICMP fast response (ping) functionis disabled.

15-3



15.2 Configuring IP Source Route Option ProcessingOverviewIP allows a source host to specify a path through an IP network in advance. This pathis called a source route. If a source route is specified, the software forwards packetsaccording to the source route. This function can be used to force a packet to pass anetwork along a specified route. By default, the software uses a source route.

An IP data packet contains an options field whose length is variable. The options field isused for testing and debugging networks. Each option in this field begins with an optioncode octet that identifies an option type. Option types are listed below:

l Loose source route optionl Strict source route option

The router software checks the IP header options of each packet. If it finds that one ofthe options is valid, the software performs corresponding operations. If it finds an invalidoption, the software drops the packet and sends an ICMP parameter-problem packet tothe packet source.

For example, the option code of the loose source route option is 131. Its length is variable,and is determined by the source. The format is shown in Figure 15-2.

Figure 15-2 Loose Source Route Option Packet Format

The length field represents the length of the option octet (including the option code, lengthand pointer fields). The pointer field points to the source address of the next hop, and theminimum value is 4 (that is, pointing to the IP address of the first hop). The addressesfollowing the pointer field are the hops designated by the source. The packet must passthese hops.

Configuration CommandsTo configure the processing of IP source route options, run the following command on theZXR10 ZSR V2:

Command Function

ZXR10(config)#ip source-route Enables the ZXR10 ZSR V2 processing of

packets with IP source route options.

15-4



Maintenance CommandsTo display the IP source route option configuration, run the following command on theZXR10 ZSR V2:

Command Function

ZXR10#show running-config ip all Displays whether the IP source route option

processing function is configured.

Refer to 15.1 Configuring ICMP Fast Response for maintenance commands relevant topacket sending and receiving.


As shown in Figure 15-3, it is required to configure the IP source route optionprocessing function.

Figure 15-3 IP Source Route Option Processing Configuration Example

l Configuration Flow1. Configure IGP and unicast routes so that the routers can ping each other

successfully.2. Configure source route options on R1.3. Make the source send IP packets with correct IP options.4. Make the source send IP packets with incorrect IP options.

l Configuration Command






R1(config)#router ospf 1

R1(config-ospf-1)#network 10.10.10.0 0.0.0.255 area 0


R1(config-ospf-1)#exit

R1(config)#ip source-route


15-5










R2(config-ospf-1)#exit


When the source sends IP packets with correct IP options, the traffic is forwardedproperly.

When the source sends IP packets with incorrect IP options, the packets are dropped.

15.3 Configuring ICMP Unreachable Packet FunctionOverviewIf the router receives a non-multicast packet sent by an unknown protocol, the routerreturns an ICMP unreachable packet to the source address. Similarly, if the router receivesa packet that cannot be sent to the destination (because the route to the destination isunknown), it sends an ICMP host unreachable packet to the source address. By default,ICMP unreachable packets are valid.

Configuration CommandsTo configure the ICMP unreachable packet function, run the following commands on theZXR10 ZSR V2:

Command Function

ZXR10(config)#icmp-config Enter ICMP configuration mode.

ZXR10(config-icmp)#interface<interface-name> Enter ICMP interface configuration mode.

ZXR10(config-icmp-if-interface-name)#ip

unreachable

Enables the interface function of sending

ICMP unreachable packets.

Maintenance CommandsTo view detailed information on packet sending and receiving after the ICMP unreachablepacket function is configured, run the following command. For other commands, refer to15.1 Configuring ICMP Fast Response.

Command Function

ZXR10#debug ip icmp detail Displays information on ICMP packets.

15-6




As shown in Figure 15-4, R1 receives packets with an unknown protocol, and ICMPunreachable packets are valid.

Figure 15-4 ICMP Unreachable Packet Function Configuration Example

l Configuration Flow1. Enter ICMP configuration mode.2. Enable the ICMP unreachable packet function on a specified interface.3. Configure that interface ICMP unreachable packets are valid.



R1(config)#icmp-config

R1(config-icmp)#interface gei-1/1

R1(config-icmp-if-gei-1/1)#ip unreachable

R1(config-icmp-if-gei-1/1)#exit

R1(config-icmp)#exit




R1(config-if-gei-1/1)#ip forward unreachable



When the PC sends unknown protocol packets to R1, R1 sends ICMP unreachablepackets to the PC.

15.4 Enabling an Interface to Send ICMP UnreachablePackets

OverviewPackets that are regarded as ICMP unreachable are dropped. To make these packetsvalid, you need to configure this function for the interface. Then, the forwarding planereports a packet whose protocol is unknown or whose route cannot be found to the controlplane. The control plane returns an ICMP unreachable packet to the source node. Thisfunction is disabled by default.

15-7



Configuration CommandsTo enable an interface to send ICMP unreachable packets, run the following command onthe ZXR10 ZSR V2:

Command Function

ZXR10(config)#interface<interface-name> Enters the interface configuration mode.

ZXR10(config-if-interface-name)#ipforwardunreacha

ble

Enables the interface to send

unreachable packets. Ethernet and

POS interfaces are supported.

Maintenance CommandsTo view information on packet sending and receiving after the configuration is performed,run the following command on the ZXR10 ZSR V2. For other commands, refer to 15.1Configuring ICMP Fast Response.

Command Function

ZXR10#debug ip icmp detail Displays information on ICMP packets.


As shown in Figure 15-5, the interface receives a packet with an unknown destination,and returns an ICMP unreachable packet.

Figure 15-5 Configuration Example of an Interface Sending ICMP UnreachablePackets

l Configuration Flow1. Configure interface addresses for the devices.2. Configure a static route between the two devices that are not directly connected.3. Configure that ICMP unreachable packets are valid on the interface.







R1(config)#ip route 1.2.3.4 255.255.255.255 10.1.1.2


15-8






R2(config-if-gei-1/1)#ip forward unreachable


R2(config)#icmp-config

R2(config-icmp)#interface gei-1/1

R2(config-icmp-if-gei-1/1)#ip unreachable

R2(config-icmp-if-gei-1/1)#exit


R2 does not have a route to 1.2.3.4/32.

Run the debug ip icmp detail command on R2. Run the ping 1.2.3.4 command onR1. You can see that R2 sends host unreachable packets to R1.

15.5 Configuring IP PingOverviewl Description of Ping

Ping originates from sonar location operation. Ping is used to test whether anotherhost is reachable. The program sends an ICMP Echo Request to the host and waitsfor an ICMP Echo Reply.

If a host cannot be pinged successfully, the host cannot be logged in throughTelecommunication Network Protocol (TELNET) or FTP. On the contrary, if a hostcannot be logged in through TELNET, the ping program can be used to find out theproblem. The ping program also can be used to test the time of a round-trip to thehost, which indicates how far away the host is.

l Characteristics of Ping

The ping command sends an ICMP Echo Request. If the destination receives theICMP Echo Request, it will send an ICMP Echo Reply to the source address of theEcho Request. Therefore, the ping command can be used to diagnose networkconnectivity faults.

The ping program that sends an Echo Request is called a client, and the host thatis pinged is called a server. The kernels of most Transfer Control Protocol/InternetProtocol (TCP/IP) functions support a ping server directly. The server is not a userprocess.

The format of an ICMP Echo Request and an ICMP Echo Reply is shown in Figure15-6.

15-9



Figure 15-6 Format of an ICMP Echo Request/Reply

If the type code is 8, it is an ICMP Echo Request packet. If the type code is 0, it is anICMP Echo Reply packet.

For other types of ICMP query packets, a server must reply with the identifier and theserial number. In addition, the option sent by a client must be echoed. It is supposedthat the client is interested in the information.

The serial number starts from 0, and it increments by one when a new Echo Requestis sent. The ping program displays the serial number of each returning packet, whichallows users to check whether packets are lost, in disorder or duplicated.

Configuration CommandsTo configure IP ping on the ZXR10 ZSR V2, run the following commands:

Command Function

ZXR10>ping [vrf <vrf-name>]{<ip-address>|domain<domain-name>}

Pings an IP address in user mode.

ZXR10#ping [{dcn|vrf <vrf-name>}]{<ip-address>|domain<domain-name>}[df-bit <don't-frag>][pattern <string>][speed

{limit {0 |<limit-num>}| interval <interval-number>}][repeat<repeat-count>][size <datagram-size>][source <source-addre

ss>][timeout <timeout>][tos <tos>][ttl <ttl>][option {[{loose |strict}<source-route-address>][record <record-hops>][timestamp<record-timestamps>][none]}][interface <interface-name>]

Pings an IP address in privileged

mode.

ZXR10#ping vrf <vrf-name><ip-address> Pings the name of the Virtual

Route Forwarding Table (VRF)

that an IP address belongs to. The

range of the VRF name is 1–32

characters.

ZXR10#ping dcn <ip-address> Pings the name of a Data

Communications Network (DCN)

that an IP address belongs to.

ZXR10#ping domain <domain-name> Pings a Domain Name System

(DNS) domain name.

domain <domain-name>: DNS domain name, range: 1–128 characters.

repeat<repeat-count>: number of retry attempts, range: 1–65535, default: 5.

15-10



size <datagram-size>: size of a ping packet, range: 36–8192, default: 100 bytes.

timeout <timeout>: timeout period, unit: second, range: 1–20.

tos <tos>: Type of Service (ToS) of a sent packet, range: 0–255, default: 0.

ttl <ttl>: Time To Live (TTL), range: 1–255.

df-bit <don't-frag>: flag indicating no fragmentation, options: 0, 1, default: 0 (indicatingthat fragmentation is allowed).

pattern <pad>: value of the pad field in a packet.

option: whether to configure the IP options. The value 1 means that IP options can beconfigured.

speed limite <limite-num>: number of ping packets sent per second.

speed interval<interval-seconds>: interval between two data request packets, unit: second,range: 2–10.

loose | strict <source-route-address>: specified source station route, format: dotted decimal.

record <record-hops>: maximum number of hops that needs to be recorded, range: 1–9.

timestamp <record-timestamps>: maximum number of timestamps that needs to berecorded, range: 1–9.

Maintenance CommandsTo maintain IP Ping, run the following command on the ZXR10 ZSR V2:

Command Function

ZXR10#debug ip icmp Displays the information on ICMP packets

sent and received when the ping command

is run.


As shown in Figure 15-7, two interfaces on two devices in the same network segmentuse the ping command to test the connectivity.

Figure 15-7 IP Ping Configuration Example

l Configuration Flow1. Enter interface configuration mode and configure IP addresses on the interfaces

for communication.

15-11



2. Run the ping command in privileged mode.l Configuration Commands


R1(config)#interface 1/1










Run the ping command on R1 to check the connectivity. The execution result isdisplayed as follows:

R1#ping 100.0.0.20


!!!!! /*The result shows that the address can be pinged successfully.*/

Success rate is 100 percent(5/5),round-trip min/avg/max= 17/18/20ms.

R1#ping 100.0.0.21


..... /*The result shows that the address cannot be pinged successfully.*/

Success rate is 0 percent(0/5).

15.6 Configuring IP TraceOverviewl Description of IP Trace

The trace command is used for debugging. It displays the route that an IP data packetpasses through from a host to another host. Because the space left to options in an IPheader is limited, the route record option cannot be used. The trace command usesICMP packets and the TTL field in IP headers to accomplish its function.

l Work Flow of IP Trace

IP Trace obtains a router address through the following procedure:

1. The "trace" program sends an IP data packet to the destination host. The valueof the TTL field in the IP header is 1. The first router that receives this packetreduces the value of the TTL field by 1. It drops the packet, and returns a timeoutICMP packet. In this way, the address of the first router is obtained.

15-12



2. The "trace" program sends an IP data packet whose TTL field in the IP header is2. In this way, the address of the second router is obtained.

3. The "trace" program continues with this procedure until a packet arrives at thedestination host.

IP Trace identifies the end of "trace" through the following procedure:

1. The "trace" program sends a large-port UDP data packet to the destination host,so that any application on the destination host is impossible to use that port.

2. When the data packet arrives at the host, the UDP module generates an ICMPpacket indicating that the port is unreachable.

3. In this way, by identifying whether the received ICMP packet is a timeout packetor an unreachable port packet, the sending side knows when "trace" ends.

The interfaces between the "trace" module and sub-modules are shown in Figure15-8.

Figure 15-8 Interfaces Between the "Trace" Module and Sub-Modules

Configuration CommandsTo configure IP trace on ZXR10 ZSR V2, run the following commands:

Command Function

ZXR10>trace [vrf <vrf-name>]<ip-address> Traces an IP address in user

mode.

ZXR10#trace [{dcn|vrf <vrf-name>}]{<ip-address>|domain<domain-name>}[source <source-address>][maxttl <ttl>][timeout<timeout>]

Traces an IP address in privileged

mode.

The trace command uses ICMP error packets. An ICMP error packet is generated whena data packet exceeds its TTL value. By sending a data packet whose TTL value is 1, thetrace command triggers the first router to drop the packet and return an error packet. ATTL timeout packet means that an intermediate router receives the packet and the routergives up detection. An ICMP error packet indicating the destination is unreachable meansthat the destination node receives the packet but it cannot submit the packet. If the timerstops before a reply arrives, the "trace" program displays a "*" mark.

15-13



Maintenance CommandsThe following example shows the output of the trace command used in privileged mode.The trace command traces the path to 168.1.10.100.

ZXR10#trace 168.1.10.100

tracing the route to 168.1.10.100

1 168.1.10.100 2 ms 3 ms 5 ms

[finished]

Descriptions of the command output:

Command Output Description

1 The sequence number of a router along the route to the

destination.

168.1.10.100 The IP address of a router along the route. The last IP

address is the destination.

2 ms 3 ms 5 ms The time of three each round trip for detection.


As shown in Figure 15-9, the trace command is run on R1 to detect the route to R2.

Figure 15-9 IP Trace Configuration Example

l Configuration Flow1. Configure interface addresses and routes.2. Run the trace command in privileged mode.









R1(config-ospf-1)#end


The execution result of the trace command on R1 is displayed as follows:

R1#trace 175.103.59.110

tracing the route to 175.103.59.110 over a maximum of 30 hops:

15-14



1 100.0.0.22 55 ms 2 ms 2 ms

/*The IP address on the first-hop device and time delays*/

2 10.17.94.81 176 ms 143 ms 333 ms

3 10.28.5.61 131 ms 133 ms 134 ms

4 * * *

/*The fourth-hop device does not return any packet. There are "*" marks.*/

5 202.70.62.169 151 ms 149 ms 146 ms

6 202.43.177.81 176 ms 162 ms 165 ms

7 218.100.27.30 142 ms 134 ms 159 ms

8 175.103.59.110 140 ms 166 ms 138 ms

[finished]

15.7 Configuring LSP PingOverviewl Description of LSP Ping

On an MPLS network, if IP ping is used, labels are added to ping packets and labelswitching is performed. IP ping, however, only checks connectivity on the IP plane,but cannot check LSPs. On an MPLS network, if a LDP session between two LSRs isdisconnected, labels cannot be forwarded. In this case, IP ping packets are reachable,but the LSP fails.

Various factors cause LSP faults. For example, an LDP session is disconnected, LDPis not enabled on some LSRs, or an exception occurs in an LDP label forwarding table.A mechanism different from IP ping is needed to detect whether an end-to-end LSPis operating properly. Therefore, LSP ping is generated.

LSP ping uses a packet belonging to a specific Forwarding Equivalence Class(FEC) to verify the integrity of the LSP (from the source LSR to the destination LSR)that belongs to this FEC. An LSP ping request packet contains information on thecorresponding FEC.

l Work Flow of LSP Ping

An LSP ping packet is encapsulated in a UDP packet, and contains a serial numberand a time stamp. When processing an LSP ping request packet, MPLS uses thesame forwarding policy as packets of the FEC. When the LSP ping packet reachesan LSP egress, the LSR control plane checks the packet to verify whether this LSP isthe correct egress of the FEC.

Similar to IP ping, LSP ping also uses the Echo Request and Echo Reply mechanism.But the LSP ping packet format is completely different from the IP ping packet format.Packets sent by LSP ping are not ICMP packets but UDP packets whose port numberis 3503. On an MPLS network,

1. A source device sends a UDP Echo Request packet whose port number is 3503.2. LSRs forward the Echo Request packet through label switching.

15-15



3. When the packet reaches the destination device, the destination device respondswith a UDP Echo Reply packet whose port number is 3503.

To prevent IP packets from being forwarded when an IP path is operating properlybut an LSP is disconnected, the value of the IP TTL field in an LSP ping EchoRequest packet is set to 1, and the destination address of the packet is set toan address in the 127.0.0.0/8 segment. LSRs do not forward such an IP packetwithout an MPLS label.

An LSP is unidirectional. An LSP ping Echo Request packet is only forwarded alongthe LSP to be tested. The corresponding Echo Reply packet only sends necessaryinformation to the source, and it does not need to go along the same path as that ofthe Echo Request packet. The reply packet can also be an IP packet without a label.

The path of an MPLS Echo Request packet of LSP ping and that of the correspondingEcho Reply packet may be different. The destination address and destination port ofthe Echo Reply packet are the source address and source port of the Echo Requestpacket respectively.

Configuration CommandsTo configure LSP ping on the ZXR10 ZSR V2, run the following commands:

Command Function

ZXR10#ping mpls ipv4 <ip-address><mask-length

>[output-interface <interface-name>][destination<start-ipv4-address>[<end-ipv4-address>][<increment>]][repeat<repeat-count>| size <datagrame-size>| timeout <timeout>| source{<source-ipv4-address>|<source-ipv6-address>}| ttl <ttl>]

Configures IPv4 LDP LSP ping.

ZXR10#ping mpls traffic-eng te_tunnel<id>[{master|slave}][repeat<repeat-count>| size <datagrame-size>| timeout <timeout>| source{<source-ipv4-address>|<source-ipv6-address>}| ttl <ttl>]

Configures RSVP LSP ping.

ZXR10#ping mpls pseudowire [multisegment]<pw-name>[repeat<repeat-count>| size <datagrame-size>| timeout <timeout>| source{<source-ipv4-address>|<source-ipv6-address>}| ttl <ttl>]

Configures PWE3 LSP ping.

<repeat-count>: number of retry attempts, range: 1–65535, default: 5.

<datagram-size>: LSP ping packet size, range: 100-1500, unit: byte, default: 120.

<timeout>: timeout period, unit: second, range: 1–20, default: 2.

master : specifies that the master LSP sends LSP ping packets.

slave : specifies that the slave LSP sends LSP ping packets.

multisegment: enables the ping multisegment pseudowire function.

Maintenance CommandsTo maintain LSP ping on the ZXR10 ZSR V2, run the following command:

15-16



Command Function

ZXR10#debug lspv {error | event | packet | tlv | all} Displays information on sent UDP Echo

Request packets and received UDP Echo

Reply packets when LSP ping is performed.

LDP LSP Ping Configuration Examplel Configuration Description

As shown in Figure 15-10, LDP is enabled on R1, R2 and R3. It is required to configureLSP ping on R1 to check connectivity.

Figure 15-10 LDP LSP Ping Configuration Example

l Configuration Flow1. Build an LDP network.2. Perform LDP LSP ping on R1.


For LDP configuration, refer to the MPLS configuration example.


Ping R3 on R1. The result is displayed as follows:

R1#ping mpls ipv4 10.28.0.4 32

sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).

Codes: '!' - success, 'Q' - request not sent, '.' - timeo

ut,

'L' - labeled output interface, 'B' - unlabeled output interface,

'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC m

ismatch,

'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx

label,

'P' - no rx intf label prot, 'p' - premature termination of LSP,

'R' - transit router, 'I' - unknown upstream index, 'X' - unkno

wn return code, 'x' - return code 0

'd' - DDMAP

!!!!!


Ping R3 (unmatching FEC) on R1. The result is displayed as follows:



15-17




ut,



ismatch,


label,




'd' - DDMAP

QQQQQ


R1 cannot ping R3 successfully. LSP ping checks whether the "FEC destinationaddress + mask" is correct. If the "FEC destination address + mask" is incorrect,LSP ping fails.

Ping R3 (nonexistent FEC) on R1. The result is displayed as follows:




ut,



ismatch,


label,




'd' - DDMAP

QQQQQ


RSVP LSP Ping Configuration Examplel Configuration Description

As shown in Figure 15-11, RSVP is enabled onR1, R2 andR3. Build anOpen ShortestPath First–Traffic Engineering (OSPF-TE) network. It is required to configure LSP pingon R1 to check connectivity.

15-18



Figure 15-11 RSVP LSP Ping Configuration Example

l Configuration Flow1. Build an OSPF-TE network.2. Perform RSVP LSP ping on R1.


For RSVP configuration, refer to the OSPF-TE configuration example.


Run the following command to check configurations on R1. The execution result isdisplayed as follows:

R1#show mpls traffic-eng tunnels brief

Signalling Summary:

LSP Tunnels Process: running

RSVP Process: running

Forwarding: enabled

TUNNEL NAME DESTINATION UP IF DOWN IF STATE/PROT

tunnel_4000 10.28.0.5 - unknown up/down

tunnel_1 10.28.0.4 - gei-1/2 up/up

Test connectivity of the tunnel on R1. The execution result is displayed as follows:

R1#ping mpls traffic-eng te_tunnel1 /*TE tunnel of LSP Ping UP on R1*/

sending 5,120-byte MPLS echo(es) to te_tunnel1,timeout is 2 second(s).


ut,



ismatch,


label,




'd' - DDMAP

!!!!!


R1#ping mpls traffic-eng te_tunnel4000 /*TE tunnel of LSP Ping DOWN on R1*/

sending 5,120-byte MPLS echos to te_tunnel4000,timeout is 2 seconds.

15-19




ut,



ismatch,


label,




'd' - DDMAP

QQQQQ


PWE3 LSP Ping Configuration Examplel Configuration Description

As shown in Figure 15-12, R1, R2 and R3 form an L2 VPN network. It is required toconfigure LSP ping on R1 to check connectivity.

Figure 15-12 PWE3 LSP Ping Configuration Example

l Configuration Flow1. Build an L2 VPN network.2. Perform PWE3 LSP ping on R1.


Basic LDP configuration is omitted here.


Run the following command to check configurations on R1. The execution result isdisplayed as follows:

R1#show l2vpn forwardinfo vpnname zte

Hearders: PWType - Pseudowire type and Pseudowire connection mode

Llabel - Local label, Rlabel - Remote label

VPNowner - owner type and instance name

Codes: H - HUB mode, S - SPOKE mode, L - VPLS, W - VPWS, M – MSPW, MO - MONITOR

$pw - auto_

PWName PeerIP FEC PWType State Llabel Rlabel VPNowner

pw1 10.28.0.4 128 Ethernet H UP 81938 82241 L:zte

15-20



Run the following command on R1 to test connectivity. The execution result isdisplayed as follows:

R1#ping mpls pseudowire pw1



ut,



ismatch,


label,




'd' - DDMAP

!!!!!


15.8 Configuring LSP TraceOverviewl Description of LSP Trace

To make routers on the Internet report errors of the MPLS LSP data plane or provideinformation on unexpected conditions, the MPLS trace function is provided. MPLStrace is a simple and effective method of detecting faults on the MPLS LSP data plane.It can detect some faults that the control plane cannot find. By using this method,users can quickly find and isolate faults such as routing black holes and loss of routes.

LSP trace is based on Echo Request and Echo Reply packets. The packets sent areUDP packets whose port number is 3503 instead of ICMP packets.

LSP trace uses the TTL field in an MPLS packet header. The LSP trace commandincrements the TTL value from 1, and sends an MPLS Echo Request packet to thenext hop. When detecting that TTL expires, an LSR sends an MPLS Echo Replypacket to the source. In such a query procedure, each hop of an LSP can be traced.

l Work Flow of LSP Trace

The LSP trace function can be used to detect different FECs (IPv4 LDP and RSVP).An LSP trace request packet is a UDP packet with a label. The packet uses thewell-known port 3503 as the destination port. The source port is designated by thesender. The IP-layer source address is the IP address of the sender. The destinationaddress is 127.0.0.1, which is used to prevent the packet from being forwardedaccording to an IP route when a fault occurs on an LSP of an intermediate LSR.

The principle of LSP trace is shown in Figure 15-13.

15-21



Figure 15-13 LSP Trace Work Flow

The MPLS LSP trace procedure between LSR1 and LSR4 is described below:

1. LSR1: LSR1 sends an MPLS Echo Request packet to LSR2. The destinationaddress of the packet is the FEC on LSR4.

In the Echo Request packet, the TTL value in the MPLS header is 1, thedestination address in the IP header is 127.0.0.1, and both the source portnumber and destination port number in the UDP header are 3503.

2. LSR2: When receiving the request packet whose TTL value is 1, LSR2 processesthe packet. It finds that itself is not the destination. Therefore, LSR2 responds toLSR1 with an MPLS Echo Reply packet.

In the Echo Reply packet, LSR2 fills in a corresponding return code. If the returncode is 3, the node is the destination. If the return code is 6, the node is anintermediate node. LSR1 determines whether the packet reaches the destinationaccording to the return code.

3. LSR1: After receiving the Echo Reply packet from LSR2, LSR1 knows theaddress and label information on LSR2. According to the return code, LSR1knows that the packet did not reach the destination. LSR1 sends an MPLS EchoRequest packet to LSR2 again. The destination of the packet is the FEC onLSR4.


4. LSR2: After receiving the Echo Request packet whose TTL value is 2, LSR2searches for label information and then forwards the packet to LSR3. The TTLvalue decrements by one.

5. LSR3: After receiving the packet whose TTL value 1, LSR3 finds that itself is notthe destination either. Therefore, LSR3 responds to LSR1 with an MPLS EchoReply packet.

15-22



In the Echo Reply packet, the return code is 6, which indicates that the node isan intermediate node. According to the return code, LSR1 knows that the packetdid not reach the destination.

6. LSR1: After receiving the Echo Reply packet from LSR3, LSR1 knows theaddress and label information on LSR3. According to the return code, LSR1knows that the packet did not reach the destination. LSR1 sends an MPLS EchoRequest packet to LSR2 again. The destination is the FEC on LSR4.




9. LSR4: After receiving the request packet packet whose TTL value is 1, LSR4processes the packet. It finds that itself is the destination. Therefore, LSR4responds to LSR1 with an MPLS Echo Reply packet.

In the Echo Reply packet, the return code is 3, which indicates that the node isthe destination node.

After the procedure, LSR1 knows the address and label information on LSRs alongthe LSP.

Configuration CommandsTo configure LSP trace on the ZXR10 ZSR V2, run the following commands:

Command Function

ZXR10#trace mpls ipv4 <ip-address><mask-length>[output-interface <interface-name>][destination <start-ipv4-address>[<end-ip

v4-address>][<increment>]][ttl <ttl>| timeout <timeout>| source{<source-ipv4-address>|<source-ipv6-address>}|[{ddmap|dsmap}]]

Enables the IPv4 LDP LSP trace

function.

ZXR10#trace mpls traffic-eng te_tunnel <id>[{master|slave}][ttl<ttl>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}|[{ddmap|dsmap}]]

Enables the RSVP LSP trace

function.

ZXR10#trace mpls pseudowire [multisegment]<pw-name>[ttl <ttl>|timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}|[{ddmap|dsmap}]]

Enables the PWE3 LSP trace

function.

master : specifies that the master LSP sends LSP ping packets.

slave : specifies that the slave LSP sends LSP ping packets.

15-23



multisegment: enables the ping multisegment pseudowire function.

Maintenance CommandsTo maintain LSP trace, run the following command on the ZXR10 ZSR V2:

Command Function

ZXR10#debug lspv {error | event | packet | tlv | all} Displays information on sent UDP Echo

Request packets and received UDP Echo

Reply packets when LSP trace is performed.

LDP LSP Trace Configuration Examplel Configuration Description

As shown in Figure 15-14, LDP is enabled on R1, R2 and R3. It is required to configureLSP trace on R1 to check connectivity.

Figure 15-14 LDP LSP Trace Configuration Example

l Configuration Flow1. Build an LDP network.2. Perform LDP LSP trace on R1.


For LDP configuration, refer to the MPLS configuration example.


Run the following commands on R1 to view configurations. The execution result isdisplayed as follows:

R1#show mpls forwarding-table

Local Outgoing Prefix or Outgoing Next Hop M/S

label label Lspname interface

20 Pop tag 10.28.0.3/32 gei-1/2 10.28.1.6 M

57 49 10.28.0.4/32 gei-1/2 10.28.1.6 M

R1#trace mpls ipv4 10.28.0.3 32

Tracing MPLS Lable Switched to 10.28.0.3,timeout is 3 second(s).

Codes:'!' - success, 'Q' - request not sent, '*' - timeo

ut,



ismatch,

15-24




label,




'd' - DDMAP

0 10.28.1.5 MTU 1500 [label 3 ]

! 1 10.28.1.6 10 ms

[finished]

Test trace on R1. The execution result is displayed as follows:

R1#trace mpls ipv4 10.28.0.4 32

Tracing MPLS Lable Switched to 10.28.0.4,timeout is 3 second(s).


ut,



ismatch,


label,




'd' - DDMAP

0 10.28.1.5 MTU 1500 [label 49 ]

R 1 10.28.1.21 MTU 1500 [label 0 ] 8 ms

! 2 10.28.1.22 7 ms

[finished]

RSVP LSP Trace Configuration Examplel Configuration Description

As shown in Figure 15-15, the Resource ReSerVation Protocol (RSVP) is enabled onR1, R2 and R3. Build an OSPF-TE network. It is required to configure LSP trace onR1 to check connectivity.

Figure 15-15 RSVP LSP Trace Configuration Example

l Configuration Flow1. Build an OSPF-TE network.2. Perform RSVP LSP trace on R1.

15-25




For RSVP configuration, refer to the OSPF-TE configuration example.


Run the following commands on R1 to view configurations. The execution result isdisplayed as follows:

R1#show mpls traffic-eng tunnels brief

Signalling Summary:

LSP Tunnels Process: running

RSVP Process: running

Forwarding: enabled

TUNNEL NAME DESTINATION UP IF DOWN IF STATE/PROT

tunnel_1 10.28.0.4 - gei-1/8 up/up

Test trace on R1. The execution result is displayed as follows:

R1#trace mpls traffic-eng te_tunnel1

Tracing MPLS Lable Switched to te_tunnel1,timeout is 3 second(s).


ut,



ismatch,


label,




'd' – DDMAP

0 10.28.1.5 MTU 1500 [label 147457 ]

R 1 10.28.1.6 MTU 1500 [label 3 ] 3 ms

! 2 10.28.1.22 4 ms

[finished]

15.9 Configuring Multicast PingOverviewMulticast ping sends an ICMP request packet to a multicast group address and waits for anICMP reply packet from the remote end. Multicast ping is applicable to PIM-SM only, andcan only be initiated by a node in an RPT (excluding a multicast receiver). The destinationaddress is a multicast group address. The request packet is forwarded to a multicastreceiver node through a multicast forwarding path. The receiver node responds with anICMP reply packet through unicast.

The work flow of multicast ping is shown in Figure 15-16.

15-26



Figure 15-16 Work Flow of Multicast Ping

1. A router initiates a multicast ping command by sending an ICMP request packet.2. An intermediate node forwards the packet directly because there is no local receiver

directly connected.3. A leaf node where the receiver is located sends and processes the packet, and

responds with a reply packet through unicast.4. The initiator displays the multicast ping result.

Configuration CommandsTo configure multicast ping on the ZXR10 ZSR V2, run the following command:

Command Function

ZXR10#ping [vrf <vrf-name>]<ip-address>{[df-bit <don't-frag>][repeat <repeat-count>][size <datagram-size>][source<source-address>][timeout <timeout>][tos <tos>][ttl<ttl>]option{[{loose | strict}<source-route-address>][record<record-hops>][timestamp <record-timestamps>][none]}][pattern<pad>][speed {limit <limite-num>| interval <interval-seconds>}]}

Configures the multicast ping

command in any other mode

except user mode.

<repeat-count>: number of retry attempts, range: 1–65535, default: 5.

<datagram-size>: size of a ping packet, range: 36-8192, default: 100 octets.

<timeout>: timeout period, unit: second, range: 1–20.

<tos>: ToS of a sent packet, range: 0-255, default: 0.

15-27



<ttl>: TTL, range: 1–255.

<don't-frag>: flag indicating no fragmentation, options: 0, 1, default: 0 (indicating thatfragmentation is allowed).

<pad>: value of the pad field in a packet.

option: whether to configure IP options. The value 1 means that IP options can beconfigured.

<limite-num>: number of ping packets sent per second.

<interval-seconds>: interval between two data request packets, unit: second, range: 2–10.

loose | strict <source-route-address>: specified source station route, format: dotted decimal.

<record-hops>: maximum number of hops that needs to be recorded, range: 1–9.

<record-timestamps>: maximum number of timestamps that needs to be recorded, range:1–9.

Maintenance CommandsTo maintain multicast ping on the ZXR10 ZSR V2, run the following command:

Command Function

ZXR10#mtrace <source-address>[<destination-address

>][<group-address>]

Displays information on sent multicast ping

packets and received ICMP packets when

multicast ping is performed.


As shown in Figure 15-17, it is required to check whether the multicast last hop isreachable.

Figure 15-17 Multicast Ping Configuration Example

l Configuration Flow1. Build a network.2. Enable PIM-SM on R1 and R2.3. Add the receiving group to the multicast group.4. Ping the multicast group address on R1.





15-28









R1(config)#interface loopback1

R1(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0

R1(config-if-loopback1)#exit

/*Configure a multicast protocol*/

R1(config)#ip multicast-routing

R1(config-mcast)#router pim

R1(config-mcast-pim)#rp-candidate loopback1

R1(config-mcast-pim)#bsr-candidate loopback1

R1(config-mcast-pim)#interface gei-1/9

R1(config-mcast-pim-if-gei-1/9)#pimsm

R1(config-mcast-pim-if-gei-1/9)#exit



R1(config-mcast-pim-if-gei-1/8)#end

Configurations on R2 are similar to those on R1. Configure an IP address and enablea multicast protocol on R2.

Run the following command on R2 to add a static route to the RP:

R2(config)#ip route 3.3.3.3 255.255.255.255 17.1.1.2


Run the ping command on R1 to check whether the receiving group has joined the225.0.0.1 multicast group. The execution result is displayed as follows:

R1#ping 225.0.0.1


Reply to request 1 received from 17.1.1.1, 2 ms






15-29



15.10 Configuring Multicast TraceOverviewMulticast trace provides a method of monitoring multicast routes and detecting RPF.At present, the multicast trace version is v1.0. Multicast trace checks connectivity of amulticast path by sending and receiving IGMP protocol packets.

Multicast trace is used to detect the reversed path from a destination address to a multicastsource. It uses two methods to search for a next hop route. One is by RPF. The other isby an (S, G) or (*, G) entity, and (S, G) is preferred.

Take Figure 15-18 as an example to describe two multicast trace working flows.

Figure 15-18 Multicast Trace Principle

l When trace 1.1.1.3 2.2.2.2 is configured on R1, R1 finds that the next hop is 1.1.1.1through RPF. Until finding that the next hop route 1.1.1.3 is a source direct-connectedroute, R1 unicasts the destination route 2.2.2.2.

l When trace 1.1.1.3 2.2.2.2 224.1.1.1 is configured on R1, R1 searches for the nexthop route by an (S, G) or (*, G) entity. (S, G) is preferred. Until finding that the nexthop route 1.1.1.3 is a source direct-connected route, R1 unicasts the destination route2.2.2.2.

Configuration CommandsTo configure multicast trace on ZXR10 ZSR V2, use the following command.

Command Function

ZXR10#mtrace <source-address>[<destination-address>][<g

roup-address>]

This displays the reversed path from a

destination address to a multicast source.


It is required to search for a next hop route through an (S, G) or (*, G) entity. Thenetwork topology is shown in Figure 15-19.

Figure 15-19 Multicast Trace Configuration Example

15-30



l Configuration Flow1. Enable PIM-SM on R1 and R2.2. The receiving group joins the mutlticast group. The source sends a multicast flow.3. Configure multicast trace on R2.


Configuration on R1:









R1(config)#interface loopback1

R1(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0

R1(config-if-loopback1)#exit

/*Configure a multicast protocol*/

R1(config)#ip multicast-routing

R1(config-mcast)#router pim

R1(config-mcast-pim)#rp-candidate loopback1

R1(config-mcast-pim)#bsr-candidate loopback1



R1(config-mcast-pim-if-gei-1/9)#exit



R1(config-mcast-pim-if-gei-1/8)#end

Configuration on R2 is similar to that on R1. Configure an IP address and enable amulticast protocol.

Configure a static route to the RP on R2, as shown below.

R2(config)#ip route 3.3.3.3 255.255.255.255 17.1.1.2


The receiving group joins themutlticast group 225.0.0.1. The source sends amulticastflow.

R2#mtrace 12.131.1.2 17.1.1.1 225.0.0.1

Type escape sequence to abort.

Mtrace from 12.131.1.2 to 17.1.1.1 via group 225.0.0.1

0 17.1.1.1 PIM 21 ms

-1 17.1.1.2 PIM 76 ms

-2 12.131.1.1 PIM 76 ms

[finished]

15-31



15.11 Configuring MAC PingOverviewMAC ping provides a method of monitoring performance and detecting errors at the MAClayer. It determines link-layer connectivity by sending and receiving EOAM MAC pingpackets.

OAM information contained in IEEE802.3 is called Ethernet Operation, Administration andMaintenance (EOAM). EOAM provides a ping mechanism for the data link layer.

1. A router sends an Echo Request packet with a specific destination MAC address.The OAM sub-layer sends this ping request packet as an OAM Protocol Data Unit(OAMPDU).

2. After receiving this Echo Request packet, the receiver generates an Echo an EchoResponse OAMPDU.

EOAM-based MAC ping network structure is shown in Figure 15-20.

Figure 15-20 MAC Ping Network Structure

MAC ping supports ping from CE1 to CE2, from PE1 to PE2, from PE1 to CE2, andfrom CE1 to PE2. The parameters in ping commands sent from a CE and from a PEare different.

The following takes ping from CE1 to CE2 and from PE1 to PE2 as examples to describethe procedures.

l Ping from CE1 to CE2

CE1 sends a MAC-layer ping request which contains an egress interface and adestination MAC address. When receiving the request packet, CE2 sends a replypacket. If CE1 receives the reply packet within a specified period, the link layer isoperating properly.

l Ping from PE1 to PE2

PE1 sends a MAC-layer ping request which contains a destination MAC address,Virtual Private LAN Service (VPLS) name and peer ID. When receiving the request

15-32



packet, PE2 sends a reply packet. If PE1 receives the reply packet within a specifiedperiod, the link layer is operating properly.

Configuration CommandsTo configure MAC ping on the ZXR10 ZSR V2, run the following command:

Command Function

ZXR10#mac-ping <destination-mac>{interface <out-port>| vpls<vpls-name> peer <peer-address>|vpws<vpws-name> peer<peer-address>}{summary | detail}{[external-vlan <external-vlan>

internal-vlan <internal-vlan>]|[vlan <vlan-id>]}[repeat<repeat-count>][timeout <timeout>]

Checks the connectivity of the

destination MAC address.

<out-port>: egress interface of a request packet on a CE.

summary : briefly displays MAC ping results.

detail: displays MAC ping results in detail.

<repeat-count>: repeat count, range: 1–65536, default: 1.

<peer-address>: remote router ID to be detected on a PE.

Maintenance CommandsTo maintain MAC ping on the ZXR10 ZSR V2, run the following command:

Command Function

ZXR10#debug macping {all |error | event | info | packet} Displays errors, events, information,

packets or all information when MAC ping

packets are received and sent.


For the MAC ping network structure on a VPLS network, see Figure 15-21.

Figure 15-21 MAC Ping Configuration Example

l Configuration Flow1. Configure IP addresses. Enable OSPF between PE1 and PE2.2. Configure LDP between PEs.3. Configuring L2 VPN VPLS.4. Configure MAC ping.


15-33



Run the following commands on PE1:

PE1(config)#interface loopback1

PE1(config-if-loopback1)#ip address 100.10.10.1 255.255.255.255

PE1(config-if-loopback1)#exit

PE1(config)#interface gei-1/1

PE1(config-if-gei-1/1)#no shutdown

PE1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0

PE1(config-if-gei-1/1)#exit

PE1(config)#router ospf 1

PE1(config-ospf-1)#network 100.10.10.1 0.0.0.0 area 0


PE1(config-ospf-1)#exit

PE1(config)#mpls ldp instance 1

PE1(config-ldp-1)#router-id loopback1

PE1(config-ldp-1)#interface gei-1/1

PE1(config-ldp-1-if-gei-1/1)#exit

PE1(config-ldp-1)#exit

PE1(config)#mpls l2vpn enable

PE1(config)#pw pw1

PE1(config)#vpls zte1

PE1(config-vpls-zte1)#pseudo-wire pw1

PE1(config-vpls-zte1–pw-pw1)#neighbour 100.10.10.2 vcid 10

PE1(config-vpls-zte1–pw-pw1–neighbour-100.10.10.2)#end

PE1(config)#zmac-oam enable /*Enable mac-ping(trace) globally.*/

Configurations on PE2 are similar to those on PE1.


Run the mac-ping command on PE1. The execution result is displayed as follows:

PE1#mac-ping 00d0.d000.0500 vpls zte1 peer 100.10.10.2 summary

sending 5,92-byte EOAM echo(es) to 00d0.d000.0500,timeout is 2 seconds.

!!!!!


15.12 Configuring MAC TraceOverviewMAC trace provides a method of monitoring performance and detecting errors at the MAClayer. It determines whether the nodes at the link layer are operating properly by sendingand receiving EOAM MAC trace packets.

15-34



The EOAM function is defined in the 802.3ah draft. This function can be used to detectinformation on the Ethernet link layer defined in IEEE802.3. OAM information containedin IEEE802.3 is called EOAM.

EOAM-based MAC trace network structure is shown in Figure 15-22.

Figure 15-22 Network Structure of MAC Trace

MAC trace supports trace from CE1 to CE2, from PE1 to PE2, and from PE1 to CE2.

l Trace from CE1 to CE2

CE1 sends a MAC trace request. If the link is operating properly, MAC addresses ofcorresponding interfaces on CE1, PE1, PE2 and CE2 are recorded.

l Trace from PE1 to PE2

PE1 sends a MAC trace request. If the link is operating properly, MAC addresses ofcorresponding interfaces on PE1 and PE2 are recorded.

l Trace from PE1 to CE2

PE1 sends a MAC trace request. If the link is operating properly, MAC addresses ofcorresponding interfaces on PE1, PE2 and CE2 are recorded.

Configuration CommandsTo configure MAC trace on ZXR10 ZSR V2, run the following command:

Command Function

ZXR10#mac-trace <destination-mac>{interface <out-port>|[vpls<vpls-name> peer <peer-address>]|[vpws <vpws-name> peer<peer-address>]}[external-vlan <external-vlan-id> internal-vlan<internal-vlan-id>]|[vlan <vlan-id>]

Trace a path to the destination

MAC address on an Ethernet link.

<out-port>: egress interface of a request packet on a CE.

<peer-address>: remote router ID to be detected on a PE.

15-35



Maintenance CommandsTo maintain MAC trace on the ZXR10 ZSR V2, run the following command:

Command Function

ZXR10#debug macping {all |error | event | info | packet} Displays errors, events, information and

packets or all information when MAC

trace packets are received and sent.


On a VPLS network, the MAC trace network structure is shown in Figure 15-23.

Figure 15-23 MAC Trace Configuration Example

l Configuration Flow1. Configure IP addresses. Enable OSPF between PE1 and PE2.2. Configure LDP between PEs.3. Configuring L2 VPN VPLS.4. Configure MAC trace.


Run the following commands on PE1:

PE1(config)#interface loopback1

PE1(config-if-loopback1)#ip address 100.10.10.1 255.255.255.255

PE1(config-if-loopback1)#exit

PE1(config)#interface gei-1/1

PE1(config-if-gei-1/1)#no shutdown

PE1(config-if-gei-1/1)#ip address 17.1.1.1 255.255.255.0

PE1(config-if-gei-1/1)#exit

PE1(config)#router ospf 1



PE1(config-ospf-1)#exit

PE1(config)#mpls ldp instance 1

PE1(config-ldp-1)#router-id loopback1

PE1(config-ldp-1)#interface gei-1/1

PE1(config-ldp-1-if-gei-1/1)#exit

PE1(config-ldp-1)#exit

15-36



PE1(config)#mpls l2vpn enable

PE1(config)#pw pw1

PE1(config)#vpls zte1

PE1(config-vpls-zte1)#pseudo-wire pw1

PE1(config-vpls-zte1-pw-pw1)#neighbour 100.10.10.2 vcid 10

PE1(config-vpls-zte1-pw-pw1-neighbour-100.10.10.2)#end

PE1(config)#zmac-oam enable /*Enable mac-ping (trace) globally.*/

Configurations on PE2 are similar to those on PE1.


Run the mac-trace command on PE1. The execution result is displayed as follows:

PE1#mac-trace 00d0.d000.0500 vpls zte1 peer 100.10.10.2

Starting L2 Trace to 00d0.d000.0500

PE1 :gei-1/1 [002e.33d5.3f51]->

PE2 :gei-1/1 [00d0.d000.0500] !

[finished]

15.13 IP Performance MaintenanceZXR10 ZSR V2 provides the following commands to maintain IP performance.

Command Function

ZXR10#debug ip This enables IP debug function. It displays the debug

information of IP processing and whether the route is

sending or receiving IP packets.

ZXR10#debug ip interface This enables IP debug function in the specified

interface.

ZXR10#show debug ip This shows all the enabled IP debug functions.

15-37




15-38


FiguresFigure 1-1 ZXR10 ZSR V2 Configuration Modes....................................................... 1-1

Figure 1-2 Run Dialog Box........................................................................................ 1-3

Figure 1-3 Telnet Connection Configuration Example................................................ 1-6

Figure 1-4 PuTTY Configuration Dialog Box ............................................................. 1-8

Figure 1-5 PuTTY Configuration Dialog Box ............................................................. 1-9

Figure 1-6 SSH Configuration Example .................................................................. 1-10

Figure 1-7 FTP Server Configuration Example........................................................ 1-12

Figure 1-8 WFTPD Window .................................................................................... 1-13

Figure 1-9 User/Rights Security Dialog Box ............................................................ 1-13

Figure 1-10 User/Rights Security Dialog Box .......................................................... 1-14

Figure 1-11 TFTP Server Window........................................................................... 1-15

Figure 1-12 Tftpd Settings Dialog Box..................................................................... 1-16

Figure 1-13 SFTP Server Configuration Example.................................................... 1-17

Figure 3-1 MIM Application ....................................................................................... 3-1

Figure 4-1 Local Authentication and Authorization Configuration............................... 4-7

Figure 4-2 RADIUS-LOCAL Authentication and Authorization UserConfiguration .......................................................................................... 4-9

Figure 4-3 TACACS+ Authentication and Authorization User Configuration............. 4-10

Figure 4-4 Configuring a Password Prompt Question for Resetting aPassword.............................................................................................. 4-12

Figure 4-5 Configuring OAM Security Management ................................................ 4-13

Figure 4-6 Configuring a Password Validity Period.................................................. 4-15

Figure 4-7 Configuring First-Login Password Modification ...................................... 4-17

Figure 4-8 Configuring the Raising of a Privilege Level ........................................... 4-18

Figure 6-1 SNMP Configuration Example Topology................................................... 6-6

Figure 6-2 State Switching Diagram........................................................................ 6-11

Figure 6-3 SNMP Anti–Brute Force Attack Configuration Example.......................... 6-13

Figure 7-1 Alarm Function Configuration Example .................................................... 7-7

Figure 8-1 Syslog Configuration Example Topology .................................................. 8-3

Figure 9-1 RMON Configuration Example ................................................................. 9-4

Figure 10-1 NTP Client Work Flow.......................................................................... 10-1

Figure 10-2 NTP Server and Client ......................................................................... 10-2

I



Figure 10-3 NTP Working as a Client ...................................................................... 10-4

Figure 10-4 NTP Working as a Server .................................................................... 10-5

Figure 10-5 Physical POS Interface Clock Configuration Instance .......................... 10-8

Figure 11-1 Performance Management Configuration Example TopologyDiagram................................................................................................ 11-3

Figure 12-1 NetFlow V5 Configuration Example...................................................... 12-9

Figure 12-2 NetFlow V8 Configuration Example.................................................... 12-11

Figure 12-3 NetFlow V9 Configuration Example.................................................... 12-12

Figure 13-1 ICMP-Type SQA Configuration Example.............................................. 13-4

Figure 13-2 FTP-Type SQA Configuration Example ................................................ 13-5

Figure 13-3 TCP-Type SQA Configuration Example................................................ 13-7

Figure 13-4 UDP-Type SQA Configuration Example ............................................... 13-8

Figure 13-5 DNS-Type SQA Configuration Example ............................................... 13-9

Figure 14-1 LLDP System Structure........................................................................ 14-2

Figure 14-2 LLDP Neighbor Configuration Example................................................ 14-6

Figure 14-3 LLDP Attribute Configuration Example ................................................. 14-6

Figure 15-1 ICMP Fast Response Configuration Example ...................................... 15-3

Figure 15-2 Loose Source Route Option Packet Format ......................................... 15-4

Figure 15-3 IP Source Route Option Processing Configuration Example ................ 15-5

Figure 15-4 ICMP Unreachable Packet Function Configuration Example ................ 15-7

Figure 15-5 Configuration Example of an Interface Sending ICMP UnreachablePackets................................................................................................. 15-8

Figure 15-6 Format of an ICMP Echo Request/Reply............................................ 15-10

Figure 15-7 IP Ping Configuration Example .......................................................... 15-11

Figure 15-8 Interfaces Between the "Trace" Module and Sub-Modules ................. 15-13

Figure 15-9 IP Trace Configuration Example......................................................... 15-14

Figure 15-10 LDP LSP Ping Configuration Example ............................................. 15-17

Figure 15-11 RSVP LSP Ping Configuration Example ........................................... 15-19

Figure 15-12 PWE3 LSP Ping Configuration Example .......................................... 15-20

Figure 15-13 LSP Trace Work Flow ...................................................................... 15-22

Figure 15-14 LDP LSP Trace Configuration Example............................................ 15-24

Figure 15-15 RSVP LSP Trace Configuration Example......................................... 15-25

Figure 15-16 Work Flow of Multicast Ping ............................................................. 15-27

Figure 15-17 Multicast Ping Configuration Example .............................................. 15-28

Figure 15-18 Multicast Trace Principle .................................................................. 15-30

Figure 15-19 Multicast Trace Configuration Example ............................................ 15-30

II


Figures

Figure 15-20 MAC Ping Network Structure ........................................................... 15-32

Figure 15-21 MAC Ping Configuration Example .................................................... 15-33

Figure 15-22 Network Structure of MAC Trace...................................................... 15-35

Figure 15-23 MAC Trace Configuration Example .................................................. 15-36

III


Figures


IV


GlossaryAAA- Authentication, Authorization and Accounting

ACL- Access Control List

DNS- Domain Name System

FTP- File Transfer Protocol

HMAC-MD5- Hashed Message Authentication Code with MD5

ICMP- Internet Control Message Protocol

IETF- Internet Engineering Task Force

LDP- Label Distribution Protocol

LLDP- Link Layer Discovery Protocol

LLDPDU- Link Layer Discovery Protocol Data Unit

LSP- Label Switched Path

LSR- Label Switch Router

MAC- Media Access Control

MAN- Metropolitan Area Network

MIB- Management Information Base

MPLS- Multiprotocol Label Switching

NMS- Network Management System

V



NTP- Network Time Protocol

PDU- Packet Data Unit

POP- Points Of Presence

PPP- Point-to-Point Protocol

RADIUS- Remote Authentication Dial In User Service

RFC- Request For Comments

SLA- Service Level Agreement

SNMP- Simple Network Management Protocol

SSH- Secure Shell

TACACS+- Terminal Access Controller Access-Control System Plus

TCP- Transmission Control Protocol

TCP/IP- Transmission Control Protocol/Internet Protocol

TELNET- Telecommunication Network Protocol

TFTP- Trivial File Transfer Protocol

TLV- Type/Length/Value

TTL- Time To Live

ToS- Type of Service

UDP- User Datagram Protocol

VRF- Virtual Route Forwarding

VI


Documents

ConfigurationGuide(SystemManagement) - ZTE … · ZXR10ZSRV2 IntelligentIntegratedMulti-ServiceRouter ConfigurationGuide(SystemManagement) Version:2.00.10 ZTECORPORATION No.55,Hi-techRoadSouth,ShenZhen,P.R.China