H3C SR6600-X Configuration Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: SR6602X-CMW710-R7103
SR6600X-CMW710-R7103-RSE3
SR6600-CMW710-R7103-RPE3
Document version: 20150715-6PW100
H3C SR6600/SR6600-X Routers
Network Management and Monitoring
Configuration Guide(V7)


Summary of Contents for H3C SR6600-X

  • Page 2 Copyright © 2007-2015, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
  • Page 3 Preface The H3C SR6600/SR6600-X documentation set includes 14 configuration guides, which describe the software features for the H3C SR6600/SR6600-X Routers and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 4 bars, from which you select one choice, multiple choices, or none. &<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times. #: A line that starts with a pound (#) sign is a comment. GUI conventions Convention Description...
  • Page 5: Obtaining Documentation

    Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
  • Page 6: Technical Support

    [Technical Support & Documents > Software Download] – Provides the documentation released with the software version. Technical support service@h3c.com http://www.h3c.com Documentation feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
  • Page 7: Table Of Contents

    Contents
    Using ping, tracert, and system debugging (page 1)
    Ping (page 1)
    Using a ping command to test network connectivity (page 1)
    Ping example (page 1)
    Tracert (page 3)
    Prerequisites (page 4)
    Using a tracert command to identify failed or all nodes in a path (page 4)
    ...
  • Page 8
    NQA configuration examples (page 38)
    ICMP echo operation configuration example (page 38)
    DHCP operation configuration example (page 40)
    DNS operation configuration example (page 41)
    FTP operation configuration example (page 42)
    HTTP operation configuration example (page 43)
    ...
  • Page 9
    NTP multicast mode configuration example (page 94)
    IPv6 NTP multicast mode configuration example (page 97)
    Configuration example for NTP client/server mode with authentication (page 100)
    Configuration example for NTP broadcast mode with authentication (page 101)
    Configuration example for MPLS VPN time synchronization in client/server mode (page 104)
    ...
  • Page 10
    PTP configuration example (IEEE 802.1AS) (page 138)
    Configuring network synchronization (page 141)
    Overview (page 141)
    Clock sources (page 141)
    SSM quality levels (page 141)
    Clock source priority (page 142)
    Clock reference selection (page 142)
    ...
  • Page 11
    Configuring SNMP notifications (page 164)
    Enabling SNMP notifications (page 164)
    Configuring the SNMP agent to send notifications to a host (page 164)
    Displaying the SNMP settings (page 166)
    SNMPv1/SNMPv2c configuration example (page 167)
    Network requirements (page 167)
    ...
  • Page 12
    Displaying and maintaining kernel threads (page 198)
    Configuring samplers (page 200)
    Creating a sampler (page 200)
    Displaying and maintaining a sampler (page 200)
    Sampler configuration example (page 200)
    Network requirements (page 200)
    Configuration procedure (page 201)
    ...
  • Page 13
    IPv6 NetStream configuration task list (page 228)
    Enabling IPv6 NetStream (page 229)
    Configuring IPv6 NetStream filtering (page 229)
    Configuring IPv6 NetStream sampling (page 230)
    Configuring attributes of the IPv6 NetStream data export (page 230)
    Configuring the IPv6 NetStream data export format (page 230)
    ...
  • Page 14
    Configuration prerequisites (page 261)
    Configuring the flow log version (page 261)
    Specifying a source IP address for flow log packets (page 261)
    Enabling load balancing for flow log entries (page 262)
    Configuring the timestamp of flow logs (page 262)
    ...
  • Page 15: Using Ping, Tracert, And System Debugging

    Using ping, tracert, and system debugging This chapter covers ping, tracert, and information about debugging the system. Ping Use the ping utility to determine if an address is reachable. Ping sends ICMP echo requests (ECHO-REQUEST) to the destination device. Upon receiving the requests, the destination device responds with ICMP echo replies (ECHO-REPLY) to the source device.
  • Page 16 Figure 1 Network diagram Configuration procedure
    # Use the ping command on Device A to test connectivity to Device C.
    Ping 1.1.2.2 (1.1.2.2): 56 data bytes, press CTRL_C to break
    56 bytes from 1.1.2.2: icmp_seq=0 ttl=254 time=2.137 ms
    56 bytes from 1.1.2.2: icmp_seq=1 ttl=254 time=2.051 ms
    56 bytes from 1.1.2.2: icmp_seq=2 ttl=254 time=1.996 ms
    56 bytes from 1.1.2.2: icmp_seq=3 ttl=254 time=1.963 ms
    56 bytes from 1.1.2.2: icmp_seq=4 ttl=254 time=1.991 ms...
  • Page 17: Tracert

    The source device (Device A) sends an ICMP echo request to the destination device (Device C) with the RR option blank. The intermediate device (Device B) adds the IP address of its outbound interface (1.1.2.1) to the RR option of the ICMP echo request, and forwards the packet. Upon receiving the request, the destination device copies the RR option in the request and adds the IP address of its outbound interface (1.1.2.2) to the RR option.
  • Page 18: Prerequisites

    • Enable sending of ICMP timeout packets on the intermediate devices (devices between the source and destination devices). If the intermediate devices are H3C devices, execute the ip ttl-expires enable command on the devices. For more information about this command, see Layer 3—IP Services Command Reference.
  • Page 19: Tracert Example

    Tracert example Network requirements As shown in Figure 3, Device A failed to Telnet to Device C. Test the network connectivity between Device A and Device C. If they cannot reach each other, locate the failed nodes in the network. Figure 3 Network diagram 1.1.1.1/24 1.1.1.2/24...
  • Page 20: System Debugging

    <DeviceA> The output shows that Device A can reach Device B but cannot reach Device C. An error has occurred on the connection between Device B and Device C. Use the debugging ip icmp command on Device A and Device C to verify that they can send and receive the specific ICMP packets.
  • Page 21: Debugging A Feature Module

    Debugging a feature module Output of debugging commands is memory intensive. To guarantee system performance, enable debugging only for modules that are in an exceptional condition. When debugging is complete, use the undo debugging all command to disable all the debugging functions. To debug a feature module: Step Command...
  • Page 22: Configuring Nqa

    Configuring NQA Overview Network quality analyzer (NQA) allows you to measure network performance, verify the service levels for IP services and applications, and troubleshoot network problems. It provides the following types of operations:
    • ICMP echo.
    • DHCP.
    • DNS.
    • FTP.
    ...
  • Page 23: Collaboration

    • A UDP jitter or a voice operation sends a number of probe packets. The number of probe packets is set by using the probe packet-number command.
    • An FTP operation uploads or downloads a file.
    • An HTTP operation gets a Web page.
    ...
  • Page 24: Threshold Monitoring

    Threshold monitoring Threshold monitoring enables the NQA client to take a predefined action when the NQA operation performance metrics violate the specified thresholds. Table 1 describes the relationships between performance metrics and NQA operation types. Table 1 Performance metrics and NQA operation types Performance metric NQA operation types that can gather the metric All NQA operation types except UDP jitter, UDP...
  • Page 25: Enabling The Nqa Client

    To configure the NQA server:
    Step: Enter system view.
      Command: system-view
    Step: Enable the NQA server.
      Command: nqa server enable
      Remarks: By default, the NQA server is disabled.
    Command: • TCP listening service: nqa server tcp-connect ip-address port-number [ vpn-instance vpn-instance-name ] [ tos tos ]...
      Remarks: You can set the ToS value in the IP header of reply...
  • Page 26: Configuring The Icmp Echo Operation

    Tasks at a glance (Optional.) Configuring threshold monitoring (Optional.) Configuring the NQA statistics collection function (Optional.) Configuring the saving of NQA history records (Required.) Scheduling the NQA operation on the NQA client Configuring the ICMP echo operation The ICMP echo operation measures the reachability of a destination device. It has the same function as the ping command, but provides more output information.
  • Page 27: Configuring The Dhcp Operation

    Step Command Remarks By default, no source IP address is specified. The requests take the primary IP address of the output interface as their source IP address. • Specify the IP address of the If you configure both the source ip specified interface as the source and source interface commands, IP address:...
  • Page 28: Configuring The Dns Operation

    Step Command Remarks By default, no source IP address is specified for the request packets. The requests take the IP address of the output interface as their source IP address. The specified source IP address must be the (Optional.) Specify the IP address of a local interface, and the local source IP address of DHCP source ip ip-address...
  • Page 29: Configuring The Http Operation

    • Use a small file for the FTP operation. A big file might cause the transfer to fail because of a timeout, or might affect other services by occupying a large amount of network bandwidth.
    To configure the FTP operation:
    Step: Enter system view.
      Command: system-view
    Create an NQA operation nqa entry admin-name...
  • Page 30: Configuring The Udp Jitter Operation

    Step: Create an NQA operation and enter NQA operation view.
      Command: nqa entry admin-name operation-tag
      Remarks: By default, no NQA operation is created.
    Step: Specify the HTTP type and enter its view.
      Command: type http
    By default, no URL is specified for the destination HTTP server....
  • Page 31 The destination device adds a time stamp to each packet that it receives, and then sends the packet back to the NQA client. Upon receiving the responses, the NQA client calculates the jitter according to the time stamps. The UDP jitter operation requires both the NQA server and the NQA client. Before you perform the UDP jitter operation, configure the UDP listening service on the NQA server.
  • Page 32: Configuring The Snmp Operation

    Step: (Optional.) Specify the source IP address for UDP packets.
      Command: source ip ip-address
      Remarks: By default, no source IP address is specified. The source IP address must be the IP address of a local interface, and the interface must be up. Otherwise, no UDP packets can be sent out.
  • Page 33: Configuring The Udp Echo Operation

    Step: Enter system view.
      Command: system-view
    Step: Create an NQA operation and enter NQA operation view.
      Command: nqa entry admin-name operation-tag
      Remarks: By default, no NQA operation is created.
    Step: Specify the TCP type and enter its view.
      Command: type tcp
    By default, no destination IP address is specified.
  • Page 34: Configuring The Udp Tracert Operation

    • Enable sending ICMP time exceeded messages on the intermediate devices between the source and destination devices. If the intermediate devices are H3C devices, use the ip ttl-expires enable command.
    • Enable sending ICMP destination unreachable messages on the destination device. If the...
  • Page 35
    Step: Specify the destination address of UDP packets.
      Command: destination ip ip-address
      Remarks: By default, no destination IP address is configured.
    Step: (Optional.) Specify the destination port of UDP packets.
      Command: destination port port-number
      Remarks: By default, the destination port number is 33434. This port number must be an unused number on the destination device, so...
  • Page 36: Configuring The Voice Operation

    Configuring the voice operation CAUTION: To ensure successful voice operations and avoid affecting existing services, do not perform the operations on well-known ports from 1 to 1023. The voice operation measures VoIP network performance. The voice operation works as follows: The NQA client sends voice packets at sending intervals to the destination device (NQA server).
  • Page 37
    Step: Specify the destination address of voice packets.
      Command: destination ip ip-address
      Remarks: By default, no destination IP address is configured. The destination IP address must be the same as the IP address of the listening service on the NQA server.
    By default, no destination port number is configured.
  • Page 38: Configuring The Dlsw Operation

    • Enable sending ICMP time exceeded messages on the intermediate devices between the source and destination devices. If the intermediate devices are H3C devices, use the ip ttl-expires enable command.
    • Enable sending ICMP destination unreachable messages on the destination device. If the...
  • Page 39: Configuring Optional Parameters For The Nqa Operation

    Step: (Optional.) Specify the payload size in each ICMP echo request.
      Command: data-size size
      Remarks: The default setting is 100 bytes.
    Step: (Optional.) Specify the string to be filled in the payload of each ICMP echo request.
      Command: data-fill string
      Remarks: The default setting is the hexadecimal number...
  • Page 40: Configuring The Collaboration Function

    Step: Specify the interval at which the NQA operation repeats.
      Command: frequency interval
      Remarks: For a voice or path jitter operation, the default setting is 60000 milliseconds. For other operations, the default setting is 0 milliseconds. Only one operation is performed.
  • Page 41: Configuring Threshold Monitoring

    Step Command Remarks Create an NQA operation nqa entry admin-name By default, no NQA operation is and enter NQA operation operation-tag created. view. The collaboration function is not type { dhcp | dlsw | dns | ftp | Specify an NQA operation available for the path jitter, UDP http | icmp-echo | snmp | tcp | type and enter its view.
  • Page 42 The state of a reaction entry can be invalid, over-threshold, or below-threshold. • Before an NQA operation starts, the reaction entry is in invalid state. If the threshold is violated, the state of the entry is set to over-threshold. Otherwise, the state of the •...
  • Page 43 Step Command Remarks • Monitor the operation duration (not supported in the UDP jitter and voice operations): reaction item-number checked-element probe-duration threshold-type { accumulate accumulate-occurrences | average | consecutive consecutive-occurrences } threshold-value upper-threshold lower-threshold [ action-type { none | trap-only } ] •...
  • Page 44: Configuring The Nqa Statistics Collection Function

    Configuring the NQA statistics collection function NQA forms statistics within the same collection interval as a statistics group. To display information about the statistics groups, use the display nqa statistics command. NQA does not generate any statistics group for the operation that runs once. To set the NQA operation to run only once, use the frequency command to set the interval to 0 milliseconds.
  • Page 45: Scheduling The Nqa Operation On The Nqa Client

    Step: Enable the saving of history records for the NQA operation.
      Command: history-record enable
      Remarks: By default, this function is enabled only for the UDP tracert operation.
    Step: (Optional.) Set the lifetime of history records.
      Command: history-record keep-time keep-time
      Remarks: The default setting is 120 minutes. A record is deleted when its...
  • Page 46: Configuring The Icmp Template

    Configuring the ICMP template A feature that uses the ICMP template performs the ICMP operation to measure the reachability of a destination device. The ICMP template is supported in both IPv4 and IPv6 networks. To configure the ICMP template: Step Command Remarks Enter system view.
  • Page 47: Configuring The Tcp Template

    To configure the DNS template: Step Command Remarks Enter system view. system-view Create a DNS template and nqa template dns name enter DNS template view. • IPv4 address: (Optional.) Specify the destination ip ip-address By default, no destination destination IPv4 or IPv6 •...
  • Page 48: Configuring The Http Template

    Step Command Remarks Enter system view. system-view Create a TCP template and nqa template tcp name enter its view. By default, no destination • IPv4 address: address is specified. (Optional.) Specify the destination ip ip-address The destination address must be destination IPv4 or IPv6 •...
  • Page 49: Configuring The Ftp Template

    Step: Enter system view.
      Command: system-view
    Step: Create an HTTP template and enter its view.
      Command: nqa template http name
    Step: Specify the URL of the destination HTTP server.
      Command: url url
      Remarks: By default, no URL is specified for the destination HTTP server. Enter the URL in one of the following...
  • Page 50: Configuring Optional Parameters For The Nqa Template

    Configure the username and password for the FTP client to log in to the FTP server before you perform an FTP operation. For information about configuring the FTP server, see Fundamentals Configuration Guide. To configure the FTP template: Step Command Remarks Enter system view.
  • Page 51: Displaying And Maintaining Nqa

    Step: Create an NQA template and enter its view.
      Command: nqa template { dns | ftp | http | icmp | tcp } name
    Step: Configure a description.
      Command: description text
      Remarks: By default, no description is configured.
    Step: Specify the interval at which the NQA operation...
      Remarks: The default setting is 5000 milliseconds. If the operation is not completed when the...
  • Page 52: Nqa Configuration Examples

    NQA configuration examples ICMP echo operation configuration example Network requirements As shown in Figure 7, configure an ICMP echo operation from the NQA client Device A to Device B to test the round-trip time. The next hop of Device A is Device C. Figure 7 Network diagram Configuration procedure # Assign each interface an IP address.
  • Page 53
    # Configure the ICMP echo operation to repeat at an interval of 5000 milliseconds.
    [DeviceA-nqa-admin-test1-icmp-echo] frequency 5000
    # Enable saving history records.
    [DeviceA-nqa-admin-test1-icmp-echo] history-record enable
    # Configure the maximum number of history records that can be saved as 10.
    [DeviceA-nqa-admin-test1-icmp-echo] history-record number 10
    [DeviceA-nqa-admin-test1-icmp-echo] quit
    # Start the ICMP echo operation.
  • Page 54: Dhcp Operation Configuration Example

    DHCP operation configuration example Network requirements As shown in Figure 8, configure a DHCP operation to test the time required for Router A to obtain an IP address from the DHCP server. Figure 8 Network diagram NQA client DHCP server 10.1.1.1/16 10.1.1.2/16 Router A...
  • Page 55: Dns Operation Configuration Example

    DNS operation configuration example Network requirements As shown in Figure 9, configure a DNS operation to test whether Device A can perform address resolution through the DNS server and test the resolution time. Figure 9 Network diagram Configuration procedure # Assign each interface an IP address. (Details not shown.) # Configure static routes or a routing protocol to make sure the devices can reach each other.
  • Page 56: Ftp Operation Configuration Example

    [DeviceA] display nqa history admin test1 NQA entry (admin admin, tag test) history records: Index Response Status Time Succeeded 2011-11-10 10:49:37.3 The output shows that it took Device A 62 milliseconds to translate domain name host.com into an IP address. FTP operation configuration example Network requirements As shown in...
  • Page 57: Http Operation Configuration Example

    # After the FTP operation runs for a period of time, stop the operation.
    [DeviceA] undo nqa schedule admin test1
    # Display the most recent result of the FTP operation.
    [DeviceA] display nqa result admin test1
    NQA entry (admin admin, tag test1) test results:
    Send operation times: 1    Receive response times: 1
    Min/Max/Average round trip time: 173/173/173...
  • Page 58: Udp Jitter Operation Configuration Example

    # Configure the HTTP operation to get data from the HTTP server.
    [DeviceA-nqa-admin-test1-http] operation get
    # Configure the operation to use HTTP version 1.0.
    [DeviceA-nqa-admin-test1-http] version v1.0
    # Enable the saving of history records.
    [DeviceA-nqa-admin-test1-http] history-record enable
    [DeviceA-nqa-admin-test1-http] quit
    # Start the HTTP operation.
    [DeviceA] nqa schedule admin test1 start-time now lifetime forever
    # After the HTTP operation runs for a period of time, stop the operation.
  • Page 59 Configuration procedure
    Assign each interface an IP address. (Details not shown.)
    Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.)
    Configure Device B:
    # Enable the NQA server.
    <DeviceB> system-view
    [DeviceB] nqa server enable
    # Configure a listening service to listen on the IP address 10.2.2.2 and UDP port 9000.
  • Page 60
    Positive SD average: 10       Positive DS average: 10
    Positive SD square-sum: 754   Positive DS square-sum: 460
    Min negative SD: 1            Min negative DS: 6
    Max negative SD: 13           Max negative DS: 22
    Negative SD number: 4         Negative DS number: 5
    Negative SD sum: 38           Negative DS sum: 52
    Negative SD average: 10...
  • Page 61: Snmp Operation Configuration Example

    Min SD delay: 7                   Min DS delay: 7
    Number of SD delay: 410           Number of DS delay: 410
    Sum of SD delay: 3705             Sum of DS delay: 3891
    Square-Sum of SD delay: 45987     Square-Sum of DS delay: 49393
    SD lost packets: 0                DS lost packets: 0
    Lost packets for unknown reason: 0
    SNMP operation configuration example...
  • Page 62: Tcp Operation Configuration Example

    # Display the most recent result of the SNMP operation.
    [DeviceA] display nqa result admin test1
    NQA entry (admin admin, tag test1) test results:
    Send operation times: 1    Receive response times: 1
    Min/Max/Average round trip time: 50/50/50
    Square-Sum of round trip time: 2500
    Last succeeded probe time: 2011-11-22 10:24:41.1
    Extended results:
    Packet loss ratio: 0%...
  • Page 63: Udp Echo Operation Configuration Example

    [DeviceA-nqa-admin-test1] type tcp
    # Configure 10.2.2.2 as the destination IP address and port 9000 as the destination port.
    [DeviceA-nqa-admin-test1-tcp] destination ip 10.2.2.2
    [DeviceA-nqa-admin-test1-tcp] destination port 9000
    # Enable the saving of history records.
    [DeviceA-nqa-admin-test1-tcp] history-record enable
    [DeviceA-nqa-admin-test1-tcp] quit
    # Start the TCP operation.
    [DeviceA] nqa schedule admin test1 start-time now lifetime forever
    # After the TCP operation runs for a period of time, stop the operation.
  • Page 64 Configuration procedure
    Assign each interface an IP address. (Details not shown.)
    Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.)
    Configure Device B:
    # Enable the NQA server.
    <DeviceB> system-view
    [DeviceB] nqa server enable
    # Configure a listening service to listen on the IP address 10.2.2.2 and UDP port 8000.
  • Page 65: Udp Tracert Operation Configuration Example

    UDP tracert operation configuration example Network requirements As shown in Figure 16, configure a UDP tracert operation to determine the routing path from Device A to Device B. Figure 16 Network diagram Configuration procedure Assign an IP address to each interface. (Details not shown.) Configure static routes or a routing protocol to make sure the devices can reach each other.
  • Page 66: Voice Operation Configuration Example

    # Display the most recent result of the UDP tracert operation.
    [DeviceA] display nqa result admin test1
    NQA entry (admin admin, tag test1) test results:
    Send operation times: 6    Receive response times: 6
    Min/Max/Average round trip time: 1/1/1
    Square-Sum of round trip time: 1
    Last succeeded probe time: 2013-09-09 14:46:06.2
    Extended results:
    Packet loss in test: 0%...
  • Page 67
    # Configure a listening service to listen on IP address 10.2.2.2 and UDP port 9000.
    [DeviceB] nqa server udp-echo 10.2.2.2 9000
    Configure Device A:
    # Create a voice operation.
    <DeviceA> system-view
    [DeviceA] nqa entry admin test1
    [DeviceA-nqa-admin-test1] type voice
    # Configure 10.2.2.2 as the destination IP address and port 9000 as the destination port.
    [DeviceA-nqa-admin-test1-voice] destination ip 10.2.2.2
    [DeviceA-nqa-admin-test1-voice] destination port 9000
    [DeviceA-nqa-admin-test1-voice] quit...
  • Page 68
    Sum of SD delay: 343               Sum of DS delay: 985
    Square-Sum of SD delay: 117649     Square-Sum of DS delay: 970225
    SD lost packets: 0                 DS lost packets: 0
    Lost packets for unknown reason: 0
    Voice scores:
    MOS value: 4.38                    ICPIF value: 0
    # Display the statistics of the voice operation.
  • Page 69: Dlsw Operation Configuration Example

    DLSw operation configuration example Network requirements As shown in Figure 18, configure a DLSw operation to test the response time of the DLSw device. Figure 18 Network diagram Configuration procedure # Assign each interface an IP address. (Details not shown.) # Configure static routes or a routing protocol to make sure the devices can reach each other.
  • Page 70: Path Jitter Operation Configuration Example

    NQA entry (admin admin, tag test1) history records: Index Response Status Time Succeeded 2011-11-22 10:40:27.7 The output shows that the response time of the DLSw device is 19 milliseconds. Path jitter operation configuration example Network requirements As shown in Figure 19, configure a path jitter operation to test the round trip time and jitters from Device A to Device B and Device C.
  • Page 71: Nqa Collaboration Configuration Example

    Extended Results Failures due to timeout: 0 Failures due to internal error: 0 Failures due to other errors: 0 Packets out of sequence: 0 Packets arrived late: 0 Path-Jitter Results Jitter number: 9 Min/Max/Average jitter: 1/10/4 Positive jitter number: 6 Min/Max/Average positive jitter: 1/9/4 Sum/Square-Sum positive jitter: 25/173 Negative jitter number: 3...
  • Page 72 Figure 20 Network diagram Configuration procedure Assign each interface an IP address. (Details not shown.) On Router A, configure a static route, and associate the static route with track entry 1. <RouterA> system-view [RouterA] ip route-static 10.1.1.2 24 10.2.1.1 track 1 On Router A, configure an ICMP echo operation: # Create an NQA operation with the administrator name admin and operation tag test1.
  • Page 73 # Display brief information about active routes in the routing table on Router A. [RouterA] display ip routing-table Destinations : 13 Routes : 13 Destination/Mask Proto Cost NextHop Interface 0.0.0.0/32 Direct 0 127.0.0.1 InLoop0 10.1.1.0/24 Static 60 10.2.1.1 GE2/0/1 10.2.1.0/24 Direct 0 10.2.1.2 GE2/0/1...
  • Page 74: Icmp Template Configuration Example

    127.0.0.1/32 Direct 0 127.0.0.1 InLoop0 127.255.255.255/32 Direct 0 127.0.0.1 InLoop0 224.0.0.0/4 Direct 0 0.0.0.0 NULL0 224.0.0.0/24 Direct 0 0.0.0.0 NULL0 255.255.255.255/32 Direct 0 127.0.0.1 InLoop0 The output shows that the static route does not exist, and the status of the track entry is negative. ICMP template configuration example Network requirements As shown in...
  • Page 75: Dns Template Configuration Example

    # If the number of consecutive successful probes reaches 2, the operation succeeds. The NQA client notifies the feature of the successful operation event. [DeviceA-nqatplt-icmp-icmp] reaction trigger probe-pass 2 # If the number of consecutive probe failures reaches 2, the operation fails. The NQA client notifies the feature of the operation failure.
  • Page 76: Tcp Template Configuration Example

    TCP template configuration example Network requirements As shown in Figure 23, configure a TCP template for a feature to perform the TCP operation. The operation tests whether Device A can establish a TCP connection to Device B. Figure 23 Network diagram Configuration procedure Assign each interface an IP address.
  • Page 77: Ftp Template Configuration Example

    Figure 24 Network diagram Configuration procedure # Assign each interface an IP address. (Details not shown.) # Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.) # Create HTTP template http. <DeviceA>...
  • Page 78 # Specify the URL of the FTP server. [DeviceA-nqatplt-ftp-ftp] url ftp://10.2.2.2 # Specify 10.1.1.1 as the source IP address. [DeviceA-nqatplt-ftp-ftp] source ip 10.1.1.1 # Configure the device to upload file config.txt to the FTP server. [DeviceA-nqatplt-ftp-ftp] operation put [DeviceA-nqatplt-ftp-ftp] filename config.txt # Specify the username for the FTP server login as admin.
  • Page 79: Configuring Ntp

    Configuring NTP Synchronize your device with a trusted time source by using the Network Time Protocol (NTP) or changing the system time before you run it on a live network. Various tasks, including network management, charging, auditing, and distributed computing depend on an accurate system time setting, because the timestamps of system messages and logs use the system time.
  • Page 80: Ntp Architecture

    Figure 26 Basic work flow The synchronization process is as follows: Device A sends Device B an NTP message, which is timestamped when it leaves Device A. The time stamp is 10:00:00 am (T1). When this NTP message arrives at Device B, Device B adds a timestamp showing the time when the message arrived at Device B.
  • Page 81: Association Modes

    Figure 27 NTP architecture (diagram labels: authoritative clock; primary servers (Stratum 1), secondary servers (Stratum 2), tertiary servers (Stratum 3), quaternary servers (Stratum 4); legend: server, client, symmetric peer, broadcast/multicast server, broadcast/multicast client)
    Typically, a stratum 1 NTP server gets its time from an authoritative time source, such as an atomic clock. It provides time for other devices as the primary NTP server.
  • Page 82 Table 2 NTP association modes Mode Working process Principle Application scenario On the client, specify the IP address of the NTP server. A client sends a clock synchronization message to the NTP servers. Upon receiving the Figure 27 shows, this message, the servers A client can synchronize mode is intended for...
  • Page 83: Ntp Security

    Mode Working process Principle Application scenario A broadcast server sends clock synchronization A server periodically sends clock messages to synchronize synchronization messages to the clients in the same subnet. broadcast address Figure 27 shows, 255.255.255.255. Clients listen broadcast mode is to the broadcast messages from intended for configurations A broadcast client can...
  • Page 84: Ntp For Mpls L3Vpns

    • If no NTP access control is configured, peer is granted to the local device and peer devices.
    • If the IP address of the peer device matches a permit statement in an ACL for more than one access right, the least restrictive access right is granted to the peer device. If a deny statement or no ACL is matched, no access right is granted.
  • Page 85: Protocols And Standards

    • The NTP service and SNTP service are mutually exclusive. You can only enable either NTP service or SNTP service at a time.
    • To ensure time synchronization accuracy, H3C recommends not specifying more than one reference source. Doing so might cause frequent time changes or even synchronization failures....
  • Page 86: Enabling The Ntp Service

    Tasks at a glance (Optional.) Configuring NTP authentication (Optional.) Configuring NTP optional parameters Enabling the NTP service Step Command Remarks Enter system view. system-view By default, the NTP service is not Enable the NTP service. ntp-service enable enabled. Configuring NTP association modes This section describes how to configure NTP association modes.
  • Page 87: Configuring Ntp In Symmetric Active/Passive Mode

    Step Command Remarks • Specify an NTP server for the device: ntp-service unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | priority | source interface-type interface-number | version Specify an NTP server for the By default, no NTP server is number ] * device.
  • Page 88: Configuring Ntp In Broadcast Mode

    Step Command Remarks • Specify a symmetric-passive peer: ntp-service unicast-peer { peer-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | priority | source interface-type interface-number | version Specify a symmetric-passive By default, no symmetric-passive number ] * peer for the device.
  • Page 89: Configuring Ntp In Multicast Mode

    Step Command Remarks By default, the device does not operate in broadcast server mode. Configure the device to ntp-service broadcast-server After you execute the command, operate in NTP broadcast [ authentication-keyid keyid | the device receives NTP broadcast server mode. version number ] * messages from the specified interface.
  • Page 90: Configuring Access Control Rights

    Step Command Remarks • Configure the device to operate in multicast server mode: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | By default, the device does not ttl ttl-number | version number ] operate in multicast server mode. Configure the device to After you execute the command, operate in multicast server •...
  • Page 91

    • Set the key as a trusted key on both client and server.
    • Associate the key with the NTP server on the client.
    The key IDs and key values configured on the server and client must be the same. Otherwise, NTP authentication fails.
  • Page 92: Configuring Ntp Authentication In Symmetric Active/Passive Mode

    Table 3 NTP authentication results Client Server Configure Configure a a key and Authentication Associate the key and Enable NTP configure Enable NTP result key with an NTP configure it authentication it as a authentication server as a trusted trusted Succeeded.
  • Page 93 Step Command Remarks Enter system view. system-view By default, NTP authentication is Enable NTP authentication. ntp-service authentication enable disabled. ntp-service authentication-keyid Configure an NTP By default, no NTP authentication keyid authentication-mode md5 authentication key. key is configured. { cipher | simple } value Configure the key as a trusted ntp-service reliable By default, no authentication key is...
  • Page 94: Configuring Ntp Authentication In Broadcast Mode

    Active peer Passive peer Configure a Associate Configure a key and the key key and Authentication result Enable NTP Enable NTP configure it with a configure it authentication authentication as a trusted passive as a trusted peer Succeeded. NTP messages can be sent and received correctly.
  • Page 95

    • Set the key as a trusted key on both the broadcast client and server.
    • Configure an NTP authentication key on the broadcast server.
    The key IDs and key values configured on the broadcast server and client must be the same. Otherwise, NTP authentication fails.
  • Page 96: Configuring Ntp Authentication In Multicast Mode

    Table 5 NTP authentication results Broadcast server Broadcast client Configure Configure Associate a key and a key and the key Authentication result Enable NTP configure Enable NTP configure with a authentication it as a authentication it as a broadcast trusted trusted server Succeeded.
  • Page 97 To configure NTP authentication for a multicast client: Step Command Remarks Enter system view. system-view By default, NTP authentication is Enable NTP authentication. ntp-service authentication enable disabled. ntp-service authentication-keyid Configure an NTP By default, no NTP authentication keyid authentication-mode md5 authentication key.
  • Page 98: Configuring Ntp Optional Parameters

    Table 6 NTP authentication results Multicast server Multicast client Configure a Configure a Associate the Authentication key and key and Enable NTP key with a Enable NTP result configure it configure it authentication multicast authentication as a trusted as a trusted server Succeeded.
  • Page 99: Specifying The Source Interface For Ntp Messages

    Specifying the source interface for NTP messages To prevent interface status changes from causing NTP communication failures, configure the device to use the IP address of an interface that is always up. For example, you can configure the device to use a loopback interface as the source IP address for the NTP messages to be sent.
  • Page 100: Configuring The Maximum Number Of Dynamic Associations

    Configuring the maximum number of dynamic associations
    NTP has the following types of associations:
    • Static association—A manually created association.
    • Dynamic association—Temporary association created by the system during NTP operation. A dynamic association is removed if no messages are exchanged within about 12 minutes.
    The following describes how an association is established in different association modes:
    • Client/server mode—After you specify an NTP server, the system creates a static association on the...
  • Page 101: Displaying And Maintaining Ntp

    • Make sure the local clock can provide the time accuracy required for the network. After you configure the local clock as a reference source, the local clock is synchronized, and can operate as a time server to synchronize other devices in the network. If the local clock is incorrect, timing errors occur.
  • Page 102: Ipv6 Ntp Client/Server Mode Configuration Example

    Configure Device A:
    # Enable the NTP service.
    <DeviceA> system-view
    [DeviceA] ntp-service enable
    # Specify the local clock as the reference source, with the stratum level 2.
    [DeviceA] ntp-service refclock-master 2
    Configure Device B:
    # Enable the NTP service.
    <DeviceB> system-view
    [DeviceB] ntp-service enable
    # Specify Device A as the NTP server of Device B so that Device B is synchronized to Device A.
  • Page 103 Figure 31 Network diagram Configuration procedure Assign an IP address to each interface, and make sure Device A and Device B can reach each other, as shown in Figure 31. (Details not shown.) Configure Device A: # Enable the NTP service. <DeviceA>...
  • Page 104: Ntp Symmetric Active/Passive Mode Configuration Example

    Last receive time: 19 Offset: 0.0 Roundtrip delay: 0.0 Dispersion: 0.0 Total sessions: 1 NTP symmetric active/passive mode configuration example Network requirements As shown in Figure 32, perform the following tasks: Configure the local clock of Device A as a reference source, with the stratum level 2. •...
  • Page 105: Ipv6 Ntp Symmetric Active/Passive Mode Configuration Example

    Leap indicator: 00 Clock jitter: 0.000916 s Stability: 0.000 pps Clock precision: 2^-17 Root delay: 0.00609 ms Root dispersion: 1.95859 ms Reference time: 83aec681.deb6d3e5 Wed, Jan 8 2014 14:33:11.081 # Verify that an IPv4 NTP association has been established between Device B and Device A. [DeviceB] display ntp-service sessions source reference...
  • Page 106: Ntp Broadcast Mode Configuration Example

    # Configure Device B as an IPv6 symmetric passive peer. [DeviceA] ntp-service ipv6 unicast-peer 3000::36 Verify the configuration: # Verify that Device B has synchronized to Device A. [DeviceB] display ntp-service status Clock status: synchronized Clock stratum: 3 System peer: 3000::35 Local mode: sym_passive Reference clock ID: 251.73.79.32 Leap indicator: 11...
  • Page 107 Figure 34 Network diagram GE2/0/1 3.0.1.31/24 Router C NTP broadcast server GE2/0/1 3.0.1.30/24 Router A NTP broadcast client GE2/0/1 3.0.1.32/24 Router B NTP broadcast client Configuration procedure Assign an IP address to each interface, and make sure Router A, Router B, and Router C can reach each other, as shown in Figure 34.
  • Page 108: Ntp Multicast Mode Configuration Example

    The following uses Router A as an example to describe configuration verification. # Verify that Router A has synchronized to Router C, and the clock stratum level is 3 on Router A and 2 on Router C. [RouterA-GigabitEthernet2/0/1] display ntp-service status Clock status: synchronized Clock stratum: 3 System peer: 3.0.1.31...
  • Page 109 Figure 35 Network diagram GE2/0/1 3.0.1.31/24 Router C NTP multicast server GE2/0/1 GE2/0/1 GE2/0/2 1.0.1.11/24 1.0.1.10/24 3.0.1.30/24 Router A Router B NTP multicast client GE2/0/1 3.0.1.32/24 Router D NTP multicast client Configuration procedure Assign an IP address to each interface, and make sure the routers can reach each other, as shown Figure 35.
  • Page 110 System peer: 3.0.1.31 Local mode: bclient Reference clock ID: 3.0.1.31 Leap indicator: 00 Clock jitter: 0.044281 s Stability: 0.000 pps Clock precision: 2^-10 Root delay: 0.00229 ms Root dispersion: 4.12572 ms Reference time: d0d289fe.ec43c720 Sat, Jan 8 2011 7:00:14.922 # Verify that an IPv4 NTP association has been established between Router D and Router C. [RouterD-GigabitEthernet2/0/1] display ntp-service sessions source reference...
  • Page 111: Ipv6 Ntp Multicast Mode Configuration Example

    Reference clock ID: 3.0.1.31 Leap indicator: 00 Clock jitter: 0.165741 s Stability: 0.000 pps Clock precision: 2^-10 Root delay: 0.00534 ms Root dispersion: 4.51282 ms Reference time: d0c61289.10b1193f Wed, Dec 29 2010 20:03:21.065 # Verify that an IPv4 NTP association has been established between Router A and Router C. [RouterA-GigabitEthernet2/0/1] display ntp-service sessions source reference...
  • Page 112 # Enable the NTP service. <RouterC> system-view [RouterC] ntp-service enable # Specify the local clock as the reference source, with the stratum level 2. [RouterC] ntp-service refclock-master 2 # Configure Router C to operate in IPv6 multicast server mode and send multicast messages through GigabitEthernet 2/0/1.
  • Page 113 Total sessions: 1 Configure Router B: Because Router A and Router C are on different subnets, you must enable the multicast functions on Router B before Router A can receive IPv6 multicast messages from Router C. # Enable the IPv6 multicast function. <RouterB>...
  • Page 114: Configuration Example For Ntp Client/Server Mode With Authentication

    Roundtrip delay: 0.0 Dispersion: 0.0 Total sessions: 1 Configuration example for NTP client/server mode with authentication Network requirements As shown in Figure 37, perform the following tasks: Configure the local clock of Device A as a reference source, with the stratum level 2. •...
  • Page 115: Configuration Example For Ntp Broadcast Mode With Authentication

    Configure NTP authentication on Device A:
    # Enable NTP authentication.
    [DeviceA] ntp-service authentication enable
    # Set an authentication key, and input the key in plain text.
    [DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 simple aNiceKey
    # Specify the key as a trusted key.
    [DeviceA] ntp-service reliable authentication-keyid 42
    Verify the configuration:
    # Verify that Device B has synchronized to Device A, and the clock stratum level is 3 on Device B...
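The rule stated on Page 91 (key IDs and key values must match, and the key must be trusted) and applied on Page 115 with key ID 42 can be seen in the symmetric-key check itself. The following Python code is an added example, not H3C code: it models the MD5 message authentication code of the NTP specification (a 4-byte key ID followed by MD5 over the key and the 48-byte header). The `NtpAuthConfig` class, the function names, the packet contents, and the policy of rejecting packets without a MAC when authentication is enabled are assumptions for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header without extension fields
MAC_LEN = 4 + 16         # key ID (4 bytes) + MD5 digest (16 bytes)


class NtpAuthConfig:
    """Hypothetical receiver-side state: auth switch, key table, trusted key IDs."""

    def __init__(self, auth_enabled):
        self.auth_enabled = auth_enabled
        self.keys = {}          # key ID -> key value (bytes)
        self.trusted = set()    # key IDs marked as trusted

    def add_key(self, key_id, value, trusted):
        self.keys[key_id] = value
        if trusted:
            self.trusted.add(key_id)


def build_header(mode, stratum, transmit_ts):
    """Build a minimal 48-byte NTPv4 header from constructed sample values."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode          # leap 0, version 4
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -17)
    header += b"\x00" * 36   # root delay/dispersion, ref ID, ref/origin/receive timestamps
    header += struct.pack("!Q", transmit_ts)
    return header


def sign(header, key_id, key_value):
    """Sender side: append key ID and MD5(key || header)."""
    digest = hashlib.md5(key_value + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, cfg):
    """Receiver side: return (accepted, reason)."""
    if not cfg.auth_enabled:
        return True, "authentication disabled, MAC not checked"
    if len(packet) == NTP_HEADER_LEN:
        return False, "no MAC present"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "malformed packet"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = cfg.keys.get(key_id)
    if key is None:
        return False, "unknown key ID"
    if key_id not in cfg.trusted:
        return False, "key not trusted"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time comparison
        return False, "digest mismatch"
    return True, "authenticated"


def run_scenarios():
    """Server signs with key ID 42 / aNiceKey; vary the client configuration."""
    header = build_header(mode=4, stratum=2, transmit_ts=0x83AEC681DEB6D3E5)
    signed = sign(header, 42, b"aNiceKey")
    # Same packet with the stratum byte altered after signing (constructed).
    modified = signed[:1] + bytes([1]) + signed[2:]

    def client(value=b"aNiceKey", key_id=42, trusted=True):
        cfg = NtpAuthConfig(auth_enabled=True)
        cfg.add_key(key_id, value, trusted)
        return cfg

    return {
        "matching key": verify(signed, client()),
        "different key value": verify(signed, client(value=b"aNiceKeX")),
        "different key ID": verify(signed, client(key_id=10)),
        "key not trusted": verify(signed, client(trusted=False)),
        "reply without MAC": verify(header, client()),
        "header modified": verify(modified, client()),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:22s} accepted={accepted} ({reason})")
```

Only the first scenario is accepted; every other combination fails at a different step of the check, which helps when reading an authentication failure during troubleshooting.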
  • Page 116 Configure NTP authentication on Router A, Router B, and Router C. • Figure 38 Network diagram GE2/0/1 3.0.1.31/24 Router C NTP broadcast server GE2/0/1 3.0.1.30/24 Router A NTP broadcast client GE2/0/1 3.0.1.32/24 Router B NTP broadcast client Configuration procedure Assign an IP address to each interface, and make sure Router A, Router B, and Router C can reach each other, as shown in Figure 38.
  • Page 117 Configure Router C: # Enable the NTP service. <RouterC> system-view [RouterC] ntp-service enable # Specify the local clock as the reference source, with the stratum level 3. [RouterC] ntp-service refclock-master 3 # Configure Router C to operate in the NTP broadcast server mode and use GigabitEthernet 2/0/1 to send NTP broadcast messages.
  • Page 118: Configuration Example For Mpls Vpn Time Synchronization In Client/Server Mode

    [RouterB-GigabitEthernet2/0/1] display ntp-service sessions source reference stra reach poll now offset delay disper ******************************************************************************** [1245]3.0.1.31 127.127.1.0 -0.0 0.0000 Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured. Total sessions: 1 Configuration example for MPLS VPN time synchronization in client/server mode Network requirements As shown in Figure 39, two VPNs are present on PE 1 and PE 2: VPN 1 and VPN 2.
  • Page 119 Configuration procedure Before you perform the following configuration, be sure you have completed MPLS VPN-related configurations. For information about configuring MPLS VPN, see MPLS Configuration Guide. Assign an IP address to each interface, as shown in Figure 39. Make sure CE 1 and PE 1, PE 1 and PE 2, and PE 2 and CE 3 can reach each other.
  • Page 120: Configuration Example For Mpls Vpn Time Synchronization In Symmetric Active/Passive Mode

    RefID 127.127.1.0 Configuration example for MPLS VPN time synchronization in symmetric active/passive mode Network requirements As shown in Figure 40, two VPNs are present on PE 1 and PE 2: VPN 1 and VPN 2. CE 1 and CE 3 belong to VPN 1.
  • Page 121 <CE1> system-view [CE1] ntp-service enable # Specify the local clock as the reference source, with the stratum level 2. [CE1] ntp-service refclock-master 2 Configure PE 1: # Enable the NTP service. <PE1> system-view [PE1] ntp-service enable # Specify CE 1 in VPN 1 as the symmetric-passive peer of PE 1. [PE1] ntp-service unicast-peer 10.1.1.1 vpn-instance vpn1 Verify the configuration: # Verify that PE 1 has synchronized to CE 1, with the stratum level 3.
  • Page 122: Configuring Sntp

    Configuring SNTP SNTP is a simplified, client-only version of NTP specified in RFC 4330. SNTP supports only the client/server mode. An SNTP-enabled device can receive time from NTP servers, but cannot provide time services to other devices. SNTP uses the same packet format and packet exchange procedure as NTP, but provides faster synchronization at the price of time accuracy.
  • Page 123: Specifying An Ntp Server For The Device

    Specifying an NTP server for the device Step Command Remarks Enter system view. system-view • For IPv4: sntp unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] By default, no NTP server is [ authentication-keyid keyid | specified for the device. source interface-type interface-number | version Repeat this step to specify multiple...
  • Page 124: Displaying And Maintaining Sntp

    Step Command Remarks sntp authentication-keyid keyid Configure an SNTP By default, no SNTP authentication authentication-mode md5 { cipher authentication key. key is configured. | simple } value Specify the key as a trusted sntp reliable authentication-keyid By default, no trusted key is key.
  • Page 125 Configure Device A: # Enable the NTP service. <DeviceA> system-view [DeviceA] ntp-service enable # Configure the local clock of Device A as a reference source, with the stratum level 2. [DeviceA] ntp-service refclock-master 2 # Enable NTP authentication on Device A. [DeviceA] ntp-service authentication enable # Configure an NTP authentication key, with the key ID of 10 and key value of aNiceKey.
  • Page 126: Configuring Ptp

    Configuring PTP Overview Precision Time Protocol (PTP) synchronizes time among devices. It provides greater accuracy than other time synchronization protocols such as NTP. For more information about NTP, see "Configuring NTP." Basic concepts PTP profile A PTP profile defines the following PTP standards: IEEE 1588 version 2—1588v2 defines high-accuracy clock synchronization mechanisms.
  • Page 127 Figure 42 Clock nodes in a PTP domain (diagram labels: Grandmaster clock, PTP domain, BC 1 to BC 3, TC 1 to TC 4, OC 1 to OC 6; legend: master port, subordinate port, passive port) Besides the three basic types of clock nodes, PTP introduces some hybrid clock nodes.
  • Page 128: Synchronization Mechanism

    Clock node with higher time class. Clock node with higher time accuracy. Clock node with higher priority 2. Clock node with a smaller port ID (containing clock number and port number). The master nodes, member nodes, master ports, and subordinate ports are determined during the process.
  • Page 129 Figure 43 Operation procedure of the Request_Response mechanism Master clock Member clock Timestamps known by member clock t1, t2 t1, t2, t3 t1, t2, t3, t4 Figure 43 shows an example of the Request_Response mechanism in two-step mode. The master clock sends a Sync message to the member clock, and records the sending time t1. Upon receiving the message, the member clock records the receiving time t2.
  • Page 130: Protocols And Standards

    Figure 44 Operation procedure of the Peer Delay mechanism Master clock Member clock Timestamps known by member clock t1, t2 t1, t2, t3 t1, t2, t3, t4, t6 t1, t2, t3, t4, t5, t6 The Peer Delay mechanism uses Pdelay messages to calculate link delay, which applies only to point-to-point delay measurement.
  • Page 131: Feature And Hardware Compatibility

    Feature and hardware compatibility Hardware PTP compatibility SR6602-X SR6604/SR6608/SR6616 SR6604-X/SR6608-X/SR6616-X Configuring clock nodes Before performing the following configurations, define the scope of the PTP domain and the role of every clock node. Configuration task list Tasks at a glance (Required.) Specifying a PTP standard...
  • Page 132 Tasks at a glance The PTP standard is IEEE 1588 version 2: (Required.) Specifying a clock node type (Optional.) Specifying a PTP domain (Optional.) Configuring an OC to operate only as a member clock (Optional.) Configuring ToD input or output (Optional.) Configuring the role of a PTP port (Optional.)
  • Page 133: Specifying A Ptp Standard

    Tasks at a glance The PTP standard is IEEE 802.1AS (802.1AS): (Required.) Specifying a clock node type (Optional.) Specifying a PTP domain (Optional.) Configuring an OC to operate only as a member clock (Optional.) Configuring ToD input or output (Optional.) Configuring the role of a PTP port (Optional.) Configuring the port type for a TC+OC...
  • Page 134: Specifying A Ptp Domain

    Step Command Remarks Enter system view. system-view Specify a clock node type for ptp mode { bc | e2etc | e2etc-oc | By default, no clock node type is the device. oc | p2ptc | p2ptc-oc } specified. Specifying a PTP domain Within a PTP domain, all devices follow the same rules to communicate with each other.
  • Page 135: Configuring Tod Clock Parameters

    Hardware ToD input or output compatibility SR6604-X/SR6608-X/SR6616-X To use a ToD clock, you must configure ToD input or output:
    • ToD input—The device obtains clock signals from an external ToD clock and synchronizes ToD to all devices in the PTP network.
    • ToD output—The device operates as a ToD clock to synchronize ToD to other devices.
  • Page 136: Configuring The Role Of A Ptp Port

    Step Command Remarks By default: • If the PTP profile is IEEE 1588 version 2, the default value for Configure the priority for the ptp priority clock-source { local | both priority 1 and priority 2 is specified clock for GM tod0 | tod1 } { priority1 pri1-value 128.
  • Page 137: Specifying A Delay Measurement Mechanism For A Bc Or An Oc

    Step Command Remarks Enter system view. system-view Enter Layer 3 Ethernet interface interface-type interface view. interface-number Configure the mode for ptp clock-step { one-step | By default, two-step mode is used. carrying timestamps. two-step } Specifying a delay measurement mechanism for a BC or an PTP defines two transmission delay measurement mechanisms: Request_Response and Peer Delay.
  • Page 138: Configuring The Interval For Sending Announce Messages

    Step Command Remarks Configure the port type for a By default, the port type for all ptp port-mode oc TC+OC as OC. ports on a TC+OC is TC. Configuring the interval for sending announce messages Step Command Remarks Enter system view. system-view Enter Layer 3 Ethernet interface interface-type...
  • Page 139: Configuring The Interval For Sending Pdelay_Req Messages

    Configuring the interval for sending Pdelay_Req messages Step Command Remarks Enter system view. system-view Enter Layer 3 Ethernet interface interface-type interface view. interface-number Configure the interval for Optional. sending Pdelay_Req ptp pdelay-req-interval value The default is 1 (2 ) second. messages.
  • Page 140: Configuring The Mac Address For Non-Pdelay Messages

    Configuring the MAC address for non-pdelay messages Pdelay messages include Pdelay_Req, Pdelay_Resp, and Pdelay_Resp_Follow_Up messages. The destination MAC address of Pdelay messages is 0180-C200-000E by default, which cannot be modified. The destination MAC address of non-Pdelay messages is either 0180-C200-000E or 011B-1900-0000. To configure the destination MAC address for non-Pdelay messages on every clock node: Step Command...
  • Page 141: Configuring The Destination Ip Address For Unicast Ptp Message Transmission Over Udp (Ipv4)

    Step Command Remarks By default, no source IP address is configured for multicast PTP messages. Configure the source IP This command takes effect only address for multicast PTP ptp source ip-address when multicast PTP messages are message transmission over [ vpn-instance vpn-instance-name ] transmitted over UDP (IPv4).
  • Page 142: Configuring The Cumulative Offset Between The Utc And Tai

    Step Command Remarks Optional. Configure delay correction ptp asymmetry-correction { minus The default is 0 nanoseconds, value. | plus } value which means delay correction is not performed. Configuring the cumulative offset between the UTC and TAI The time displayed on a device is based on the Coordinated Universal Time (UTC). There is an offset between UTC and TAI (International Atomic Time, in English), which is made public periodically.
  • Page 143: Specifying The System Time Source As Ptp

    Step Command Remarks Set a DSCP value for PTP messages transmitted over ptp dscp dscp By default, the DSCP value is 56. UDP (IPv4). Specifying the system time source as PTP Make sure you use the clock protocol command to specify the time protocol as PTP. For more information about the clock protocol command, see Fundamentals Command Reference.
  • Page 144: Ptp Configuration Example (Ieee 1588 Version 2, Ieee 802.3/Ethernet Encapsulation)

    Task Command display ptp statistics [ interface interface-type Display PTP statistics. interface-number ] Display PTP clock time properties. display ptp time-property reset ptp statistics [ interface interface-type Clear PTP statistics. interface-number ] PTP configuration example (IEEE 1588 version 2, IEEE 802.3/Ethernet encapsulation) Network requirements As shown in Figure...
  • Page 145 [DeviceB] ptp profile 1588v2 # Specify the clock node type as E2ETC. [DeviceB] ptp mode e2etc # Specify the system time source as PTP. [DeviceB] clock protocol ptp # Enable PTP for GigabitEthernet 2/0/1. [DeviceB] interface gigabitethernet 2/0/1 [DeviceB-GigabitEthernet2/0/1] ptp enable [DeviceB-GigabitEthernet2/0/1] quit # Enable PTP for GigabitEthernet 2/0/2.
  • Page 146: Ptp Configuration Example (Ieee 1588 Version 2, Multicast Transmission)

    Mean path delay : 0 (ns) Steps removed Local clock time : Sun Jan 15 20:57:29 2011 # Display brief PTP statistics on Device A. [DeviceA] display ptp interface brief Name State Delay mechanism Clock step Asymmetry correction GE2/0/1 Master # Display PTP clock information on Device B.
  • Page 147 Figure 46 Network diagram P2PTC GE2/0/1 GE2/0/1 GE2/0/2 GE2/0/1 Device A Device B Device C PTP domain Configuration procedure Configure Device A: # Specify the PTP standard as IEEE 1588 version 2. <DeviceA> system-view [DeviceA] ptp profile 1588v2 # Specify the clock node type as OC. [DeviceA] ptp mode oc # Configure the source IP address for multicast PTP message transmission over UDP (IPv4).
  • Page 148 # Specify the PTP standard as IEEE 1588 version 2. <DeviceC> system-view [DeviceC] ptp profile 1588v2 # Specify the clock node type as OC. [DeviceC] ptp mode oc # Configure the source IP address for multicast PTP message transmission over UDP (IPv4). [DeviceC] ptp source 10.10.10.3 # Specify the system time source as PTP.
  • Page 149: Ptp Configuration Example (Ieee 1588 Version 2, Unicast Transmission)

    Clock ID : 000FE2-FFFE-FF0001 Clock type : Local Clock domain Number of PTP ports : 2 Priority1 : 128 Priority2 : 128 Clock quality : Class : 248 Accuracy : 254 Offset (log variance) : 65535 Offset from master : N/A Mean path delay : N/A Steps removed...
  • Page 150 [DeviceA] ptp profile 1588v2 # Specify the clock node type as OC. [DeviceA] ptp mode oc # Configure the delay time correction as 1000 nanoseconds for receiving ToD0 clock signals. [DeviceA] ptp tod0 input delay 1000 # Configure priority 1 as 0 for the ToD0 clock. [DeviceA] ptp priority clock-source tod0 priority1 0 # On GigabitEthernet 2/0/1, configure the destination IP address for unicast PTP message transmission over UDP (IPv4), and enable PTP.
  • Page 151 [DeviceC] clock protocol ptp # On GigabitEthernet 2/0/1, configure the destination IP address for unicast PTP message transmission over UDP (IPv4), and enable PTP. [DeviceC] interface gigabitethernet 2/0/1 [DeviceC-GigabitEthernet2/0/1] ptp transport-protocol udp [DeviceC-GigabitEthernet2/0/1] ptp unicast-destination 11.10.10.2 [DeviceC-GigabitEthernet2/0/1] ptp enable [DeviceC-GigabitEthernet2/0/1] quit Verify the configuration: When the network is stable, perform the following tasks: Use the display ptp clock command to display PTP clock information.
  • Page 152: Ptp Configuration Example (Ieee 802.1As)

    Class : 248 Accuracy : 254 Offset (log variance) : 65535 Offset from master : N/A Mean path delay : N/A Steps removed : N/A Local clock time : Sun Jan 15 20:57:29 2011 # Display brief PTP statistics on Device B. [DeviceB] display ptp interface brief Name State...
  • Page 153 # Specify the PTP standard as IEEE 802.1AS. <DeviceB> system-view [DeviceB] ptp profile 802.1AS # Specify the clock node type as P2PTC. [DeviceB] ptp mode p2ptc # Specify the system time source as PTP. [DeviceB] clock protocol ptp # Enable PTP for GigabitEthernet 2/0/1. [DeviceB] interface gigabitethernet 2/0/1 [DeviceB-GigabitEthernet2/0/1] ptp enable [DeviceB-GigabitEthernet2/0/1] quit...
  • Page 154 Offset (log variance) : 16640 Offset from master : 0 (ns) Mean path delay : 0 (ns) Steps removed Local clock time : Sun Jan 15 20:57:29 2011 # Display brief PTP statistics on Device A. [DeviceA] display ptp interface brief Name State Delay mechanism...
  • Page 155: Configuring Network Synchronization

    Configuring network synchronization Overview The network clock monitoring module provides network clock synchronization for all interface cards in the system. It ensures that all ports on the interface cards operate at the same clock rates for network synchronization. Network synchronization is essential to the efficient, correct operations of most services on networks. If the network devices on a network do not operate at the same clock rate, the network performance decreases.
  • Page 156: Clock Source Priority

    Clock source priority For a clock source to be selected as the clock reference, assign it a lower priority value than other clock sources. The lower the priority value, the better the clock source. For example, the clock source with a priority of 1 is better than the clock source with a priority of 3.
  • Page 157: Feature And Hardware Compatibility

    A port can operate in one of the following clock modes: • Master—The port provides timing to the peer end. The timing signal is derived from the network clock monitoring module. If automatic reference selection is used, the timing signal is derived from the reference clock selected by the network clock monitoring module.
  • Page 158: Configuring Clock Reference Selection

    You must perform this task if a line clock input port on a non-default MDC (Optional.) Enabling the reference manually specified on a has been specified as the clock non-default MDC reference source. This task enables the clock reference setting to take effect on all MDCs.
  • Page 159: Configuring The Timing Direction Of A BITS Clock

    To specify an Sa bit for the SSM of a BITS clock: Step Command Remarks In an MDC environment, you can perform this task only on Enter system view. system-view the default MDC. However, the setting takes effect on all MDCs.
  • Page 160: Specifying A Line Clock Input Port

    • In standalone mode: By default, the frequency of a network-clock source { bits0 | bits1 } BITS clock is 2 Mbps. frequency { bps-2m | hz-2m } Set the frequency of a BITS This command is configurable • In IRF mode: clock.
  • Page 161: Specifying An SSM Quality Level For A Clock Source

    To configure the method to set the SSM quality level of a clock source: Step Command Remarks Enter system view. system-view • In standalone mode: By default, the quality level of a network-clock source { bits0 | bits1 | clock source is the user-defined lpuport port-type port-number | ptp } value.
  • Page 162: Setting The Priority Of A Clock Source

    • If the SSM quality level contributes to the selection process, the network clock monitoring module selects a reference from available clock sources by their SSM quality level and priority. • If the SSM quality level does not contribute to the selection process, the network clock monitoring...
  • Page 163: Displaying And Maintaining Network Clock Monitoring Module Configuration

    Step Command Remarks Verify that the MDC you are specifying display network-clock source This command is available in any view. has clock sources in normal state. Enter system view. system-view • In standalone mode: network-clock work-mode manual Enable the clock mdc mdc-id reference manually By default, the clock reference specified...
  • Page 164: Network Synchronization Configuration Example

    Network synchronization configuration example Network requirements As shown in Figure 49, configure Device B to derive its timing from Device A through POS 2/2/0. Figure 49 Network diagram Configuration procedure On Device A: # Specify the master clock mode on POS 2/2/0. <DeviceA>...
  • Page 165: Configuring Synchronous Ethernet

    Configuring synchronous Ethernet Overview Synchronous Ethernet (SyncE) provides high-quality frequency synchronization on Ethernet at the physical layer. It can provide the same level of clock precision as SONET/SDH. Transferring frequency signals at the physical layer, SyncE functions regardless of the network conditions such as congestion, packet loss, and delay.
  • Page 166: Input QL Updating On SyncE Ports

    • If the clock reference is from a SyncE port, the system distributes the QL out of all SyncE ports except for the reference input port. To prevent timing loops, the sent QL is DNU on the timing reference input port. Input QL updating on SyncE ports The default input QL is DNU on a SyncE port.
  • Page 167: Setting The Clock Mode On A Copper SyncE GE Port

    Setting the clock mode on a copper SyncE GE port By default, a copper SyncE GE port automatically negotiates its clock mode with the remote end. To avoid a negotiation result that conflicts with your clock synchronization trail design, manually set the clock mode.
  • Page 168: Verifying The Configuration

    # On Device B, enable the synchronous mode and ESMC on GigabitEthernet 2/0/1. <DeviceB> system-view [DeviceB] interface gigabitethernet 2/0/1 [DeviceB-GigabitEthernet2/0/1] synchronous mode [DeviceB-GigabitEthernet2/0/1] esmc enable [DeviceB-GigabitEthernet2/0/1] quit Verifying the configuration # Verify that ESMC is enabled and QL information is exchanged correctly. The sample output on Device A shows that the clock QLs of Device A and Device B are QL-PRC and QL-SEC, respectively.
  • Page 169: Configuring SNMP

    Configuring SNMP Overview Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics, and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.
  • Page 170: SNMP Operations

    A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privileges and is identified by a view name. The MIB objects included in the MIB view are accessible while those excluded from the MIB view are inaccessible. A MIB view can have multiple view records each identified by a view-name oid-tree pair.
  • Page 171: FIPS Compliance

    • The VACM mode requires only the access right from the NMS to MIB objects. H3C recommends the RBAC mode because it is more secure. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode.
  • Page 172 Step Command Remarks (Optional.) Configure The default system location is snmp-agent sys-info location sys-location the system location. Hangzhou, China. Enable SNMPv1 or snmp-agent sys-info version { all | { v1 | By default, SNMPv3 is enabled. SNMPv2c. v2c } *} (Optional.) Change By default, the local engine ID is snmp-agent local-engineid engineid...
  • Page 173: Configuring SNMPv3 Basic Parameters

    Step Command Remarks (Optional.) Map an By default, no mapping between snmp-agent community-map SNMP community to an SNMP community and an community-name context context-name an SNMP context. SNMP context exists on the device. (Optional.) Configure By default, an SNMP agent can the maximum SNMP send and receive an SNMP packet packet size (in bytes)
  • Page 174 (Optional.) The default system contact is Configure the system snmp-agent sys-info contact sys-contact Hangzhou H3C Tech. Co., Ltd.. contact. (Optional.) The default system location is Configure the system snmp-agent sys-info location sys-location Hangzhou, China.
  • Page 175 Step Command Remarks • High encryption in non-FIPS mode: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] * (Optional.) Create By default, no SNMP group an SNMPv3 group.
  • Page 176 Step Command Remarks • High encryption in non-FIPS mode (in VACM mode): snmp-agent usm-user v3 user-name group-name [ remote { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | 3des | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *...
  • Page 177: Configuring SNMP Logging

    Step Command Remarks (Optional.) Assign a user role to an snmp-agent usm-user user-name v3 user-role By default, no SNMPv3 users SNMPv3 user role-name are configured in RBAC mode. created in RBAC mode. (Optional.) Create By default, no SNMP context is snmp-agent context context-name an SNMP context.
  • Page 178: Configuring SNMP Notifications

    Configuring SNMP notifications The SNMP Agent sends notifications (traps and informs) to inform the NMS of significant events, such as link state changes and user logins or logouts. Unless otherwise stated, the trap keyword in the command line includes both traps and informs. Enabling SNMP notifications Enable an SNMP notification only if necessary.
  • Page 179 You can extend standard linkUp/linkDown notifications to include interface description and interface type, but must make sure the NMS supports the extended SNMP messages. To send informs, make sure: • The SNMP agent and the NMS use SNMPv2c or SNMPv3. • If SNMPv3 is used, you must configure the SNMP engine ID of the NMS when you configure...
  • Page 180: Displaying The SNMP Settings

    Step Command Remarks (Optional.) By default, SNMP uses the Configure a source snmp-agent { inform | trap } source interface-type IP address of the outgoing address for { interface-number | interface-number.subnumber } routed interface as the notifications. source IP address. (Optional.) Enable By default, the SNMP extended...
  • Page 181: SNMPv1/SNMPv2c Configuration Example

    SNMPv1/SNMPv2c configuration example The SNMPv1 configuration procedure is the same as the SNMPv2c configuration procedure. This example uses SNMPv1, and is available only for high encryption in non-FIPS mode. Network requirements As shown in Figure 53, the NMS (1.1.1.2/24) uses SNMPv1 to manage the SNMP agent (1.1.1.1/24), and the agent automatically sends notifications to report events to the NMS.
  • Page 182: Verifying The Configuration

    Verifying the configuration # Try to get the MTU value of NULL0 interface from the agent. The attempt succeeds. Send request to 1.1.1.1/161 ... Protocol version: SNMPv1 Operation: Get Request binding: 1: 1.3.6.1.2.1.2.2.1.4.135471 Response binding: 1: Oid=ifMtu.135471 Syntax=INT Value=1500 Get finished # Use a wrong community name to get the value of a MIB node on the agent.
  • Page 183 # Configure the IP address of the agent, and make sure the agent and the NMS can reach each other. (Details not shown.) # Create the user role test, and permit test to have read and write access to the snmp node (OID 1.3.6.1.2.1.11).
  • Page 184: Verifying The Configuration

    [Agent] snmp-agent mib-view included test ifTable [Agent] snmp-agent group v3 managev3group privacy read-view test write-view test # Assign the NMS (SNMPv3 group managev3group) read-only access to the objects under the system node (OID 1.3.6.1.2.1.1) and hh3cUIMgt node (OID 1.3.6.1.4.1.25506.2.2) in the test view.
  • Page 185 1: 1.3.6.1.2.1.1.5.0 Response binding: Session failed ! SNMP: Cannot access variable, No Access, error index=11: Oid=sysName.0 Syntax=OCTETS Value=h3c Set finished The following log appears only if the Set operation is performed by using RBAC mode. %Aug 14 16:13:21:475 2013 Agent SNMP/5/SNMP_SETDENY: -IPAddr=1.1.1.2-SecurityName=managev3user-SecurityModel=SNMPv3-OP=SET-Node=sysName(1.
  • Page 186: Configuring RMON

    For more information about SNMP notifications, see "Configuring SNMP." H3C devices provide an embedded RMON agent as the RMON monitor. An NMS can perform basic SNMP operations to access the RMON MIB. RMON groups Among standard RMON groups, H3C implements the statistics group, history group, event group, alarm group, probe configuration group, and user history group.
  • Page 187 The history table stores traffic statistics collected for each sampling interval. Event group The event group controls the generation and notifications of events triggered by the alarms defined in the alarm group and the private alarm group. The following are RMON alarm event handling methods: • Log—Logs event information (including event time and description) in the event log table so the...
  • Page 188: Sample Types For The Alarm Group And The Private Alarm Group

    Compares the calculation result with the predefined thresholds, and then takes one of the following actions: Triggers the event associated with the rising alarm event if the result is equal to or greater than the rising threshold. Triggers the event associated with the falling alarm event if the result is equal to or less than the falling threshold.
  • Page 189: Creating An RMON History Control Entry

    Step Command Remarks By default, the RMON statistics table does not contain entries. Create an entry for the interface in the rmon statistics entry-number You can create one statistics entry for each RMON statistics [ owner text ] Ethernet interface, and a maximum of 100 table.
  • Page 190: Displaying And Maintaining RMON Settings

    Maximum number Entry Parameters to be compared of entries • Alarm variable (alarm-variable) • Sampling interval (sampling-interval) • Sample type (absolute or delta) Alarm • Rising threshold (threshold-value1) • Falling threshold (threshold-value2) • Alarm variable formula (prialarm-formula) • Sampling interval (sampling-interval) •...
  • Page 191: Ethernet Statistics Group Configuration Example

    Task Command Display RMON private alarm display rmon prialarm [ entry-number ] entries. Display RMON event entries. display rmon event [ entry-number ] Display log information for display rmon eventlog [ entry-number ] event entries. Ethernet statistics group configuration example Network requirements As shown in Figure...
  • Page 192: History Group Configuration Example

    History group configuration example Network requirements As shown in Figure 57, create an RMON history control entry on the device to sample traffic statistics for GigabitEthernet 2/0/1 every minute. Figure 57 Network diagram Configuration procedure # Create an RMON history control entry to sample traffic statistics every minute for GigabitEthernet 2/0/1.
  • Page 193: Alarm Function Configuration Example

    Sampling record 4 : dropevents , octets : 933 packets , broadcast packets multicast packets : 7 , CRC alignment errors : 0 undersize packets : 0 , oversize packets fragments , jabbers collisions , utilization Sampling record 5 : dropevents , octets : 898...
  • Page 194: Configuration Procedure

    Figure 58 Network diagram Configuration procedure # Configure the SNMP agent (the device) with the same SNMP settings as the NMS at 1.1.1.2. This example uses SNMPv1, read community public, and write community private. <Sysname> system-view [Sysname] snmp-agent [Sysname] snmp-agent community read public [Sysname] snmp-agent community write private [Sysname] snmp-agent sys-info version v1 [Sysname] snmp-agent trap enable...
  • Page 195 EtherStatsEntry 1 owned by user1 is VALID. Interface : GigabitEthernet2/0/1<ifIndex.3> etherStatsOctets : 57329 , etherStatsPkts : 455 etherStatsBroadcastPkts : 53 , etherStatsMulticastPkts : 353 etherStatsUndersizePkts , etherStatsOversizePkts etherStatsFragments , etherStatsJabbers etherStatsCRCAlignErrors : 0 , etherStatsCollisions etherStatsDropEvents (insufficient resources): 0 Incoming packets by size : 65-127 : 413 128-255...
  • Page 196: Configuring EAA

    Configuring EAA Overview Embedded Automation Architecture (EAA) is a monitoring framework that enables you to self-define monitored events and actions to take in response to an event. It allows you to create monitor policies by using the CLI or Tcl scripts. EAA framework EAA framework includes a set of event sources, a set of event monitors, a real-time event manager (RTM), and a set of user-defined monitor policies, as shown in...
  • Page 197: Elements In A Monitor Policy

    RTM manages the creation, state machine, and execution of monitor policies. EAA monitor policies A monitor policy specifies the event to monitor and actions to take when the event occurs. You can configure EAA monitor policies by using the CLI or Tcl. A monitor policy contains the following elements: •...
  • Page 198: EAA Environment Variables

    Event type Description SNMP-Notification event occurs when the monitored MIB variable's value in an SNMP SNMP-Notification notification matches the specified condition. For example, the broadcast traffic rate on an Ethernet interface reaches or exceeds 30%. Action You can create a series of order-dependent actions to take in response to the event specified in the monitor policy.
  • Page 199: Configuring A User-Defined EAA Environment Variable

    • Event-specific variable—Available only for a type of event. Table 10 shows all system-defined variables. Table 10 System-defined EAA environment variables by event type Variable name Description Any event: _event_id Event ID. _event_type Event type. _event_type_string Event type description. _event_time Time when the event occurs.
  • Page 200: Configuring A Monitor Policy

    Step Command Remarks Enter system view. system-view Configure a By default, no user-defined environment user-defined EAA rtm environment var-name variables are configured. The system provides environment var-value the system-defined variables in Table variable. Configuring a monitor policy You can configure a monitor policy by using the CLI or Tcl. Configuration restrictions and guidelines When you configure monitor policies, follow these restrictions and guidelines: Make sure the actions in different policies do not conflict.
  • Page 201 Step Command Remarks • Configure a CLI event: event cli { async [ skip ] | sync } mode { execute | help | tab } pattern regular-exp • Configure a hotplug event (in standalone mode): event hotplug [ insert | remove ] slot slot-number [ subslot subslot-number ] •...
  • Page 202: Configuring A Monitor Policy By Using Tcl

    Step Command Remarks • Configure the action to execute a command: action number cli command-line • Configure a reboot action (in standalone By default, a monitor policy does mode): not contain any actions. action number reboot [ slot slot-number Repeat this step to add a [ subslot subslot-number ] ] maximum of 232 actions to the •...
  • Page 203: Suspending Monitor Policies

    Step Command Remarks By default, the system does not have Tcl policies. This step enables the Tcl-defined policy. Create a Tcl-defined To revise the Tcl script of a policy, you rtm tcl-policy policy-name policy and bind it to must suspend all monitor policies first, and tcl-filename the Tcl script file.
  • Page 204: Displaying And Maintaining EAA Settings

    Displaying and maintaining EAA settings Execute display commands in any view. Task Command Display user-defined EAA environment variables. display rtm environment [ var-name ] display rtm policy { active | registered [ verbose ] } Display EAA monitor policies. [ policy-name ] EAA configuration examples CLI-defined policy configuration example Network requirements...
  • Page 205: CLI-Defined Policy With EAA Environment Variables Configuration Example

    Verifying the configuration # Display information about the policy. [Sysname-rtm-test] display rtm policy registered Total number: 1 Type Event TimeRegistered PolicyName Aug 29 14:56:50 2013 test # Enable the information center to output log messages to the current monitoring terminal. [Sysname-rtm-test] return <Sysname>...
  • Page 206: Tcl-Defined Policy Configuration Example

    # Add an action that enters system view when the event occurs. [Sysname-rtm-test] action 0 cli system-view # Add an action that creates the interface Loopback 0 and enters loopback interface view. [Sysname-rtm-test] action 1 cli interface loopback 0 # Add an action that assigns the IP address 1.1.1.1 to Loopback 0. The loopback0IP variable is used in the action for IP address assignment.
  • Page 207 • The system executes the command only after it executes the policy successfully. Figure 60 Network diagram Configuration procedure # Edit a Tcl script file (rtm_tcl_test.tcl, in this example) for EAA to send the message "rtm_tcl_test is running" when a command that contains the display this string is executed. ::comware::rtm::event_register cli sync mode execute pattern display this user-role network-admin ::comware::rtm::action syslog priority 1 facility local4 msg rtm_tcl_test is running...
  • Page 208: Monitoring And Maintaining Processes

    Monitoring and maintaining processes H3C Comware V7 is a full-featured, modular, and scalable network operating system based on the Linux kernel. Comware V7 software features run the following types of independent processes: • User process—Runs in user space. Most Comware V7 software features run user processes. Each process runs in an independent space so the failure of a process does not affect other processes.
  • Page 209: Displaying And Maintaining User Processes

    Task Command monitor process [ dumbtty ] [ iteration number ] [ chassis chassis-number Monitor process running state. slot slot-number [ cpu cpu-number ] ] monitor thread [ dumbtty ] [ iteration number ] [ chassis chassis-number Monitor thread running state. slot slot-number [ cpu cpu-number ] ] For detailed information about the display memory [ chassis chassis-number slot slot-number ] command, see Fundamentals Command Reference.
  • Page 210: Monitoring Kernel Threads

    Configuring kernel thread deadloop detection CAUTION: H3C recommends the default settings. Inappropriate configuration of kernel thread deadloop detection can cause service problems or system breakdown. Make sure you understand the impact of this configuration on your network before you configure kernel thread deadloop detection.
  • Page 211: Configuring Kernel Thread Starvation Detection

    Step Command Remarks Enter system view. system-view By default, kernel thread Enable kernel thread monitor kernel deadloop enable [ slot deadloop detection is deadloop detection. slot-number [ cpu cpu-number ] ] disabled. (Optional.) Set the interval monitor kernel deadloop time interval [ slot for identifying a kernel The default is 8 seconds.
  • Page 212: Displaying And Maintaining Kernel Threads

    Step Command Remarks Enable kernel thread monitor kernel starvation enable [ slot By default, the function is starvation detection. slot-number [ cpu cpu-number ] ] disabled. (Optional.) Set the interval monitor kernel starvation time interval [ slot for identifying a kernel The default is 120 seconds.
  • Page 213 Task Command Clear kernel thread starvation information. reset kernel starvation [ slot slot-number [ cpu cpu-number ] ] Execute display commands in any view and reset commands in user view (in IRF mode). Task Command display kernel deadloop show-number [ offset ] [ verbose ] Display kernel thread deadloop information.
  • Page 214: Configuring Samplers

    Configuring samplers A sampler selects a packet from among sequential packets and sends the packet to other service modules for processing. Sampling is useful when you want to limit the volume of traffic to be analyzed. The sampled data is statistically accurate and sampling decreases the impact on the forwarding capacity of the device.
  • Page 215: Configuration Procedure

    • Configure fixed sampling in the inbound direction to select the first packet from among 100 packets. • Configure random sampling in the outbound direction to select one packet randomly from among 200 packets. Figure 61 Network diagram Configuration procedure # Create sampler 100 in fixed sampling mode, and set the rate to 100.
  • Page 216: Configuring Port Mirroring

    Configuring port mirroring Overview Port mirroring copies the packets passing through a port to a port that connects to a data monitoring device for packet analysis. Terminology The following terms are used in port mirroring configuration. Mirroring source The mirroring sources can be one or more monitored ports, which are called source ports. Packets passing through mirroring sources are copied to a port connecting to a data monitoring device for packet analysis.
  • Page 217: Port Mirroring Implementation

    Port mirroring implementation The local port mirroring has the following characteristics: • The mirroring sources and the mirroring destination are on the same device. • The source device is directly connected to a data monitoring device. • The source device acts as the destination device to forward mirrored packets to the data monitoring...
  • Page 218: Creating A Local Mirroring Group

    Creating a local mirroring group Step Command Remarks Enter system view. system-view Create a local mirroring By default, no local mirroring mirroring-group group-id local group. group exists. Configuring source ports for the local mirroring group To configure source ports for a local mirroring group, use one of the following methods: •...
  • Page 219: Configuring The Monitor Port For The Local Mirroring Group

    Configuring the monitor port for the local mirroring group To configure the monitor port for a mirroring group, use one of the following methods: • Configure the monitor port for the mirroring group in system view. • Assign a port to the mirroring group as the monitor port in interface view...
  • Page 220: Local Port Mirroring Configuration Example

    Local port mirroring configuration example Network requirements As shown in Figure 63, configure local port mirroring to enable the server to monitor the bidirectional traffic of the Marketing department and the Technical department. Figure 63 Network diagram Configuration procedure # Create local mirroring group 1. <Device>...
  • Page 221: Configuring NetStream

    NDA can collect data from multiple NSCs. Typically, the NDA features a Web-based system for easy operation. NSC and NDA are typically integrated into a NetStream server. H3C network devices act as NDEs in the NetStream system. This document focuses on NDE configuration.
  • Page 222: Flow Aging

    Figure 64 NetStream system Flow aging NetStream uses flow aging to enable the NDE to export NetStream data to NetStream servers. NetStream creates a NetStream entry for each flow for storing the flow statistics in the cache. When the timer of the entry expires, the NDE performs the following operations: •...
  • Page 223 For example, when the aggregation mode configured on the NDE is protocol-port, NetStream aggregates the statistics of flow entries by protocol number, source port, and destination port. Four NetStream entries record four TCP flows with the same destination address, source port, and destination port, but with different source addresses.
  • Page 224 Aggregation mode Aggregation criteria • • Source AS number • Source prefix ToS-source-prefix aggregation • Source address mask length • Inbound interface index • • Destination AS number • Destination address mask length ToS-destination-prefix aggregation • Destination prefix • Outbound interface index •...
  • Page 225: NetStream Filtering And Sampling

    NetStream filtering and sampling NetStream filtering NetStream filtering uses an ACL to identify packets. Whether NetStream collects data for identified packets depends on the action in the matching rule. NetStream collects data for packets that match permit rules in the ACL. •...
  • Page 226: Enabling NetStream

    Figure 65 NetStream configuration flow Start Enable NetStream Configure NetStream Filter? filtering Configure NetStream Sample? sampling Configure export format Configure flow aging Configure aggregation Aggregate? data export Configure traditional Export? data export To configure NetStream, perform the following tasks: Tasks at a glance (Required.) Enabling NetStream (Optional.) Configuring NetStream filtering...
  • Page 227: Configuring NetStream Filtering

    Step Command Remarks interface interface-type Enter interface view. interface-number Enable NetStream on the By default, NetStream is disabled on ip netstream { inbound | outbound } interface. an interface. Configuring NetStream filtering When you configure NetStream filtering, follow these restrictions and guidelines: • When NetStream filtering and sampling are both configured, packets are filtered first, and then the...
  • Page 228 • Statistics about source AS, destination AS, and peer ASs in version 5 or version 9 format. • Statistics about BGP next hop only in version 9 format. To configure the NetStream data export format: Step Command Remarks Enter system view. system-view By default: (Optional.) Configure...
  • Page 229: Configuring The Refresh Rate For NetStream Version 9 Templates

    Configuring the refresh rate for NetStream version 9 templates Version 9 is template-based and supports user-defined formats. A NetStream-enabled device must periodically resend the updated template to NetStream servers, because the servers do not permanently save the template. The server cannot associate the received statistics with its proper fields when the following conditions exist: •...
  • Page 230: Configuration Procedure

    • Inactive flow aging—A flow is inactive if no packet arrives for this NetStream entry within the period specified by using the ip netstream timeout inactive command. When the inactive flow aging timer expires, the following situations occur: The inactive flow entry is aged out. The statistics of the flow are sent to NetStream servers.
  • Page 231: Configuring The NetStream Data Export

    Step Command Remarks Exit to user view: quit (Optional.) Configure forced aging. Age out NetStream entries: reset ip netstream statistics Configuring the NetStream data export Configuring the NetStream traditional data export Step Command Remarks Enter system view. system-view Specify a destination host ip netstream export host By default, no destination host is for NetStream traditional...
  • Page 232: Displaying And Maintaining NetStream

    Step Command Remarks ip netstream aggregation { as | destination-prefix | prefix | prefix-port | protocol-port | Enter NetStream source-prefix | tos-as | aggregation mode view. tos-bgp-nexthop | tos-destination-prefix | tos-prefix | tos-protocol-port | tos-source-prefix } By default, no destination host is specified.
  • Page 233: NetStream Configuration Examples

    NetStream configuration examples NetStream traditional data export configuration example Network requirements As shown in Figure 67, configure NetStream on Router A to collect statistics on packets passing through Router A. • Enable NetStream for incoming traffic on GigabitEthernet 2/0/1 and for outgoing traffic on...
  • Page 234: NetStream Aggregation Data Export Configuration Example

    L2 active flow entries IPL2 active flow entries IP flow entries counted MPLS flow entries counted L2 flow entries counted IPL2 flow entries counted Last statistics resetting time : Never IP packet size distribution (11 packets in total): 1-32 .000 .000 .909 .000 .000 .090 .000 .000 .000 .000 .000 .000 .000 .000 .000 576 1024 1536 2048 2560 3072 3584 4096 4608 >4608 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 Protocol...
  • Page 235 • Router A performs NetStream aggregation in the modes of AS, protocol-port, source-prefix, destination-prefix, and prefix. • Router A exports the aggregation data of different modes to 4.1.1.1, with UDP ports 2000, 3000, 4000, 6000, and 7000. Figure 68 Network diagram Configuration procedure # Assign an IP address to GigabitEthernet 2/0/1.
  • Page 236 # Configure the aggregation mode as destination-prefix, and specify the destination host for the aggregation data export.
    [RouterA] ip netstream aggregation destination-prefix
    [RouterA-ns-aggregation-dstpre] enable
    [RouterA-ns-aggregation-dstpre] ip netstream export host 4.1.1.1 6000
    [RouterA-ns-aggregation-dstpre] quit
    # Configure the aggregation mode as prefix, and specify the destination host for the aggregation data export.
  • Page 237 # Display the statistics of the NetStream data export. [RouterA] display ip netstream export AS aggregation export information: Flow source interface : Not specified Flow destination VPN instance : Not specified Flow destination IP address (UDP) : 4.1.1.1 (2000) Version 8 exported flows number Version 8 exported UDP datagrams number (failed): 2 (0) Version 9 exported flows number Version 9 exported UDP datagrams number (failed): 0(0)
  • Page 238 Flow source interface : Not specified Flow destination VPN instance : Not specified Flow destination IP address (UDP) : 4.1.1.1 (5000) Version 5 exported flows number : 10 Version 5 exported UDP datagrams number (failed): 10 (0) Version 9 exported flows number Version 9 exported UDP datagrams number (failed): 0 (0)
  • Page 239: Configuring Ipv6 Netstream

    NDA can collect data from multiple NSCs. Typically, the NDA features a Web-based system for easy operation. NSC and NDA are typically integrated into a NetStream server. H3C network devices act as NDEs in the IPv6 NetStream system. This document focuses on NDE configuration.
  • Page 240: Flow Aging

    Figure 69 IPv6 NetStream system Flow aging IPv6 NetStream uses flow aging to enable the NDE to export IPv6 NetStream data to NetStream servers. IPv6 NetStream creates an IPv6 NetStream entry for each flow for storing the flow statistics in the cache. When the timer of the entry expires, the NDE does the following operations: •...
  • Page 241: Ipv6 Netstream Filtering And Sampling

    Table 13 IPv6 NetStream aggregation modes
    Aggregation mode: Aggregation criteria
    AS aggregation: • Source AS number • Destination AS number • Input interface index • Output interface index
    Protocol-port aggregation: • Protocol number • Source port • Destination port
    • Source AS number •...
  • Page 242: Ipv6 Netstream Configuration Task List

    IPv6 NetStream sampling IPv6 NetStream sampling collects statistics on fewer packets and is useful when the network has a large amount of traffic. IPv6 NetStream on sampled traffic lessens the impact on the device's performance. For more information about sampling, see "Configuring samplers." IPv6 NetStream configuration task list When you configure IPv6 NetStream, choose the following configurations as needed: Select the device on which you want to enable IPv6 NetStream.
  • Page 243: Enabling Ipv6 Netstream

    Tasks at a glance (Required.) Enabling IPv6 NetStream (Optional.) Configuring IPv6 NetStream filtering (Optional.) Configuring IPv6 NetStream sampling (Optional.) Configuring attributes of the IPv6 NetStream data export (Optional.) Configuring IPv6 NetStream flow aging (Required.) Perform at least one of the following tasks to configure the IPv6 NetStream data export: •...
  • Page 244: Configuring Ipv6 Netstream Sampling

    Configuring IPv6 NetStream sampling Step Command Remarks Enter system view. system-view For more information sampler sampler-name mode { fixed | random } Create a sampler. about samplers, see packet-interval rate "Configuring samplers." Enter interface view. interface interface-type interface-number Configure IPv6 ipv6 netstream { inbound | outbound } sampler By default, IPv6 NetStream NetStream sampling.
  • Page 245: Configuring The Refresh Rate For Ipv6 Netstream Version 9 Templates

    Figure 71 Recorded AS information varies by different keyword configurations To configure the IPv6 NetStream data export format: Step Command Remarks Enter system view. system-view By default: • The version 9 format is used to export IPv6 NetStream traditional data, IPv6 (Optional.) Configure the NetStream aggregation data, IPv6 NetStream data export...
  • Page 246: Configuring Mpls-Aware Netstream

    The refresh frequency and the refresh interval can both be configured. The template is resent when either of the conditions is reached. To configure the refresh rate for IPv6 NetStream version 9 templates: Step Command Remarks Enter system view. system-view •...
  • Page 247: Configuration Procedure

    collect its statistics, which can be displayed by using the display ipv6 netstream cache command. The active flow aging method periodically exports the statistics of active flows to NetStream servers. Forced aging To implement forced aging, use one of the following commands: Use the reset ipv6 netstream statistics command.
  • Page 248: Configuring The Ipv6 Netstream Aggregation Data Export

    IPv6 IPv6 address. ipv6 netstream export source interface NetStream data packets interface-type interface-number H3C recommends that you sent to the NetStream connect the management servers. Ethernet interface to a NetStream server, and configure the interface as the source interface.
  • Page 249: Displaying And Maintaining Ipv6 Netstream

    Step Command Remarks By default, no source interface is specified for IPv6 NetStream data packets. The packets take the primary IPv6 address of the output interface as the source IPv6 address. (Optional.) Specify the source interface for IPv6 You can configure different ipv6 netstream export source interface NetStream data packets source interfaces in different...
  • Page 250: Ipv6 Netstream Configuration Examples

    IPv6 NetStream configuration examples IPv6 NetStream traditional data export configuration example Network requirements As shown in Figure 72, configure IPv6 NetStream on Router A to collect statistics on packets passing through Router A. Enable IPv6 NetStream for incoming and outgoing traffic on GigabitEthernet 2/0/1. •...
  • Page 251: Ipv6 Netstream Aggregation Data Export Configuration Example

    1-32 .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 576 1024 1536 2048 2560 3072 3584 4096 4608 >4608 .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000 .000 Protocol Total Packets Flows Packets Active(sec) Idle(sec) Flows /sec...
  • Page 252 Figure 73 Network diagram Configuration procedure
    # Assign an IP address to GigabitEthernet 2/0/1.
    <RouterA> system-view
    [RouterA] interface gigabitethernet 2/0/1
    [RouterA-GigabitEthernet2/0/1] ipv6 address 10::1/64
    # Enable IPv6 NetStream for incoming and outgoing traffic on GigabitEthernet 2/0/1.
    [RouterA-GigabitEthernet2/0/1] ipv6 netstream inbound
    [RouterA-GigabitEthernet2/0/1] ipv6 netstream outbound
    [RouterA-GigabitEthernet2/0/1] quit
    # Specify the export destination host as 40::1 with UDP port 5000.
  • Page 253 [RouterA-ns6-aggregation-dstpre] ipv6 netstream export host 40::1 6000
    [RouterA-ns6-aggregation-dstpre] quit
    # Configure the aggregation mode as prefix, and specify the destination host for the aggregation data export.
    [RouterA] ipv6 netstream aggregation prefix
    [RouterA-ns6-aggregation-prefix] enable
    [RouterA-ns6-aggregation-prefix] ipv6 netstream export host 40::1 7000
    [RouterA-ns6-aggregation-prefix] quit
    Verifying the configuration
    # Display the statistics of the IPv6 NetStream data export.
  • Page 254 Flow source interface : Not specified Flow destination VPN instance : Not specified Flow destination IP address (UDP) : 40::1 (5000) Version 9 exported flows number Version 9 exported UDP datagrams number (failed): 0 (0)
  • Page 255: Configuring The Information Center

    Configuring the information center The information center on a device classifies and manages logs for all modules so that network administrators can monitor network performance and troubleshoot network problems. Overview The information center receives logs generated by source modules and outputs logs to different destinations according to user-defined output rules.
  • Page 256: Log Destinations

    Table 14 Log levels
    Severity value, Level, Description
    Emergency: The system is unusable. For example, the system authorization has expired.
    Alert: Action must be taken immediately. For example, traffic on an interface exceeds the upper limit.
    Critical: Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails.
  • Page 257: Default Output Rules For Security Logs

    Table 16 Default output rule for diagnostic logs Destination Log source modules Output switch Severity Diagnostic log file All supported modules Enabled Debug Default output rules for security logs Security logs can only be output to the security log file, and cannot be filtered by source modules and severity levels.
  • Page 258: Log Formats

    The actual format varies by the log resolution tool used. Table 21 Log formats Output destination Format Example %Nov 24 14:21:43:502 2010 H3C Console, monitor SYSLOG/6/SYSLOG_RESTART: Prefix Timestamp Sysname terminal, log buffer, or System restarted –-...
  • Page 259 IP address) You can use the sysname command to modify the name of the device. Indicates that the information was generated by an H3C device. %% (vendor ID) This field exists only in logs sent to the log host.
  • Page 260: Fips Compliance

    Table 24 Description of the timestamp parameters
    Timestamp parameters, Description, Example
    boot: Time that has elapsed since system startup, in the format of xxx.yyy. xxx represents the higher 32 bits, and yyy represents the lower 32 bits, of milliseconds elapsed. Example: %0.109391473 Sysname FTPD/5/FTPD_LOGIN: User ftp (192.168.1.23) has logged in
  • Page 261: Outputting Logs To The Console

    Task at a glance • Outputting logs to the log buffer • Saving logs to a log file (Optional.) Managing security logs (Optional.) Saving diagnostic logs to a diagnostic log file (Optional.) Configuring the maximum size of the trace log file (Optional.) Outputting custom NAT444 logs to a log host (Optional.)
  • Page 262: Outputting Logs To A Log Host

    Step Command Remarks By default, the information center is Enable the information center. info-center enable enabled. info-center source { module-name | For information about default Configure an output rule for default } { console | monitor | output rules, see "Default output the monitor terminal.
  • Page 263: Outputting Logs To The Log Buffer

    Outputting logs to the log buffer Step Command Remarks Enter system view. system-view By default, the information center is Enable the information center. info-center enable enabled. Enable log output to the log By default, log output to the log info-center logbuffer buffer.
  • Page 264: Managing Security Logs

    Step Command Remarks By default, the maximum size of a log file is 2 MB. (Optional.) Configure the info-center logfile size-quota size To ensure normal operation, set the maximum size for a log file. size argument to a value between 1 MB and 10 MB.
  • Page 265: Managing The Security Log File

    Step Command Remarks Enter system view. system-view By default, the information center is Enable the information center. info-center enable enabled. Enable the saving of the By default, saving security logs to security logs to the security log info-center security-logfile enable the security log file is disabled.
  • Page 266: Configuring The Maximum Size Of The Trace Log File

    The device supports multiple diagnostic log files. Each diagnostic log file has a maximum capacity. The diagnostic log files are named as diagfile1.log, diagfile2.log, and so on. When the capacity of diagfile1.log is reached, the system compresses diagfile1.log as diagfile1.log.gz and creates a new log file named diagfile2.log.
  • Page 267: Outputting Custom Nat444 Logs To A Log Host

    Step Command Remarks Enter system view. system-view Set the maximum size of the By default, the maximum size of the info-center trace-logfile quota size trace log file. trace log file is 1 MB. Outputting custom NAT444 logs to a log host Step Command Remarks...
  • Page 268: Enabling Duplicate Log Suppression

    Enabling duplicate log suppression The output of consecutive duplicate logs at an interval of less than 30 seconds wastes system and network resources. With this feature enabled, the system starts a suppression period upon outputting a log: During the suppression period, the system does not output logs that have the same module name, •...
  • Page 269: Displaying And Maintaining Information Center

    Displaying and maintaining information center Execute display commands in any view and reset commands in user view. Task Command Display the information of each output destination. display info-center Display the state and the log information of the log display logbuffer [ reverse ] [ level severity | size buffer (in standalone mode).
  • Page 270: Configuration Example For Outputting Logs To A Unix Log Host

    # Enable the display of logs on the console. (This function is enabled by default.)
    <Device> terminal logging level 6
    <Device> terminal monitor
    The current terminal is enabled to display logs.
    Now, if the FTP module generates logs, the information center automatically sends the logs to the console, and the console displays the logs.
  • Page 271: Configuration Example For Outputting Logs To A Linux Log Host

    local4.info /var/log/Device/info.log In this configuration, local4 is the name of the logging facility that the log host uses to receive logs. info is the informational level. The UNIX system records the log information that has a severity level of at least informational to the file /var/log/Device/info.log. NOTE: Follow these guidelines while editing the file /etc/syslog.conf: Comments must be on a separate line and must begin with a pound sign (#).
  • Page 272 # Configure an output rule to output FTP logs that have a severity level of at least informational to the log host.
    [Device] info-center source ftp loghost level informational
    Configure the log host: The following configurations were performed on Solaris. Other UNIX operating systems have similar configurations.
  • Page 273: Configuring Flow Log

    Configuring flow log Flow log records users' access to external networks based on flows. Each flow is identified by a 5-tuple of the source IP address, destination IP address, source port, destination port, and protocol number. Flow log creates entries based on NAT sessions. You can export these entries to the information center or log hosts.
  • Page 274 Field Description Operator: Reasons why a flow log was generated: • 0—Reserved. • 1—Flow was ended normally. • 2—Flow was aged out because of aging timer expiration. • 3—Flow was aged out because of configuration change. • 4—Flow was aged out because of insufficient resources. •...
  • Page 275: Flow Log Configuration Task List

    Flow log configuration task list Task at a glance (Optional.) Configuring the flow log version (Optional.) Specifying a source IP address for flow log packets (Optional.) Enabling load balancing for flow log entries (Optional.) Configuring the timestamp of flow logs (Required.) Perform one of the following tasks for flow log export: •...
  • Page 276: Enabling Load Balancing For Flow Log Entries

    H3C recommends that you use a Loopback interface's address as the source IP address for flow log packets. A Loopback interface is always up. The setting avoids export failure on interfaces that might go down. To configure the source IP address for flow log packets:...
  • Page 277: Specifying A Flow Log Export Destination

    Specifying a flow log export destination You can export flow log entries to a log host or the information center, but not both. If you configure both methods, the system exports flow log entries to the information center. • If the destination is a log host, flow log entries are sent as binary characters in UDP. One UDP packet can contain multiple log entries.
  • Page 278: Flow Log Configuration Example

    Flow log configuration example Network requirements As shown in Figure 78, configure flow log on the device to send flow log entries generated for the user to the log host. Figure 78 Network diagram Configuration procedure # Configure IP addresses, as shown in the network diagram. Make sure the device and the log host can reach each other.
  • Page 279 Flow: Export flow log as UDP Packet.
    Version: 3.0
    Source address: 2.2.2.2
    Log load balance function: Disabled
    Log host numbers: 1
    Log host 1:
    IP address/Port: 1.2.3.6/2000
    Total logs/UDP packets exported: 112/87...
  • Page 280: Index

    Index A C D E F H I L M N O P S T Configuring NTP association modes,72 Configuring NTP authentication,76 Alarm function configuration example,179 Configuring NTP optional parameters,84 Configuring SNMP basic parameters,157 Configuring SNMP logging,163 Configuration example for MPLS VPN time synchronization in client/server mode,104 Configuring SNMP...
  • Page 281 Displaying and maintaining user processes,195 NetStream configuration examples,219 Displaying the SNMP settings,166 NetStream configuration task list,211 Network synchronization configuration example,150 Network synchronization configuration task list,143 EAA configuration examples,190 NQA configuration examples,38 Enabling duplicate log suppression,254 NQA configuration task list,10 Enabling IPv6 NetStream,229 NTP broadcast mode configuration...
  • Page 282 Setting the frequency of a BITS clock,145 Specifying a source IP address for flow log packets,261 Setting the Sa bit for the SSM of BITS clocks,144 Specifying an NTP server for the device,109 SNMPv1/SNMPv2c configuration example,167 Suspending monitor policies,189 SNMPv3 configuration example,168 SyncE configuration example,153...

This manual is also suitable for:

R6600
