Preface
The H3C SR6600/SR6600-X documentation set includes 14 configuration guides, which describe the software features for the H3C SR6600/SR6600-X Routers and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
bars, from which you select one choice, multiple choices, or none.
&<1-n>  The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#  A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Description...
Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
[Technical Support & Documents > Software Download] – Provides the documentation released with the software version. Technical support service@h3c.com http://www.h3c.com Documentation feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
Contents
Using ping, tracert, and system debugging
Ping
Using a ping command to test network connectivity
Ping example
Tracert
Prerequisites
Using a tracert command to identify failed or all nodes in a path
...
NQA configuration examples
ICMP echo operation configuration example
DHCP operation configuration example
DNS operation configuration example
FTP operation configuration example
HTTP operation configuration example
...
NTP multicast mode configuration example
IPv6 NTP multicast mode configuration example
Configuration example for NTP client/server mode with authentication
Configuration example for NTP broadcast mode with authentication
Configuration example for MPLS VPN time synchronization in client/server mode
...
Using ping, tracert, and system debugging
This chapter covers ping, tracert, and information about debugging the system.
Ping
Use the ping utility to determine if an address is reachable. Ping sends ICMP echo requests (ECHO-REQUEST) to the destination device. Upon receiving the requests, the destination device responds with ICMP echo replies (ECHO-REPLY) to the source device.
Figure 1 Network diagram
Configuration procedure
# Use the ping command on Device A to test connectivity to Device C.
Ping 1.1.2.2 (1.1.2.2): 56 data bytes, press CTRL_C to break
56 bytes from 1.1.2.2: icmp_seq=0 ttl=254 time=2.137 ms
56 bytes from 1.1.2.2: icmp_seq=1 ttl=254 time=2.051 ms
56 bytes from 1.1.2.2: icmp_seq=2 ttl=254 time=1.996 ms
56 bytes from 1.1.2.2: icmp_seq=3 ttl=254 time=1.963 ms
56 bytes from 1.1.2.2: icmp_seq=4 ttl=254 time=1.991 ms...
The source device (Device A) sends an ICMP echo request to the destination device (Device C) with the RR option blank. The intermediate device (Device B) adds the IP address of its outbound interface (1.1.2.1) to the RR option of the ICMP echo request, and forwards the packet. Upon receiving the request, the destination device copies the RR option in the request and adds the IP address of its outbound interface (1.1.2.2) to the RR option.
• Enable sending of ICMP timeout packets on the intermediate devices (devices between the source and destination devices). If the intermediate devices are H3C devices, execute the ip ttl-expires enable command on the devices. For more information about this command, see Layer 3—IP Services Command Reference.
Tracert example
Network requirements
As shown in Figure 3, Device A failed to Telnet to Device C. Test the network connectivity between Device A and Device C. If they cannot reach each other, locate the failed nodes in the network.
Figure 3 Network diagram 1.1.1.1/24 1.1.1.2/24...
<DeviceA>
The output shows that Device A can reach Device B but cannot reach Device C. An error has occurred on the connection between Device B and Device C. Use the debugging ip icmp command on Device A and Device C to verify that they can send and receive the specific ICMP packets.
Debugging a feature module
Output of debugging commands is memory intensive. To guarantee system performance, enable debugging only for modules that are in an exceptional condition. When debugging is complete, use the undo debugging all command to disable all the debugging functions.
To debug a feature module:
Step Command...
Configuring NQA
Overview
Network quality analyzer (NQA) allows you to measure network performance, verify the service levels for IP services and applications, and troubleshoot network problems. It provides the following types of operations:
• ICMP echo.
• DHCP.
• DNS.
• FTP.
• A UDP jitter or a voice operation sends a number of probe packets. The number of probe packets is set by using the probe packet-number command.
• An FTP operation uploads or downloads a file.
• An HTTP operation gets a Web page.
•...
Threshold monitoring Threshold monitoring enables the NQA client to take a predefined action when the NQA operation performance metrics violate the specified thresholds. Table 1 describes the relationships between performance metrics and NQA operation types. Table 1 Performance metrics and NQA operation types Performance metric NQA operation types that can gather the metric All NQA operation types except UDP jitter, UDP...
To configure the NQA server: Step Command Remarks Enter system view. system-view By default, the NQA server Enable the NQA server. nqa server enable is disabled. • TCP listening service: nqa server tcp-connect ip-address You can set the ToS value port-number [ vpn-instance in the IP header of reply vpn-instance-name ] [ tos tos ]...
Tasks at a glance
(Optional.) Configuring threshold monitoring
(Optional.) Configuring the NQA statistics collection function
(Optional.) Configuring the saving of NQA history records
(Required.) Scheduling the NQA operation on the NQA client
Configuring the ICMP echo operation
The ICMP echo operation measures the reachability of a destination device. It has the same function as the ping command, but provides more output information.
Step Command Remarks By default, no source IP address is specified. The requests take the primary IP address of the output interface as their source IP address. • Specify the IP address of the If you configure both the source ip specified interface as the source and source interface commands, IP address:...
Step Command Remarks By default, no source IP address is specified for the request packets. The requests take the IP address of the output interface as their source IP address. The specified source IP address must be the (Optional.) Specify the IP address of a local interface, and the local source IP address of DHCP source ip ip-address...
• Use a small file for the FTP operation. A big file might result in transfer failure because of timeout, or might affect other services for occupying much network bandwidth.
To configure the FTP operation:
Step Command Remarks Enter system view. system-view Create an NQA operation nqa entry admin-name...
Step Command Remarks Create an NQA operation nqa entry admin-name and enter NQA operation By default, no NQA operation is created. operation-tag view. Specify the HTTP type and type http enter its view. By default, no URL is specified for the destination HTTP server.
The destination device takes a time stamp to each packet that it receives, and then sends the packet back to the NQA client. Upon receiving the responses, the NQA client calculates the jitter according to the time stamps. The UDP jitter operation requires both the NQA server and the NQA client. Before you perform the UDP jitter operation, configure the UDP listening service on the NQA server.
Step Command Remarks By default, no source IP address is specified. The source IP address must be the (Optional.) Specify the source source ip ip-address IP address of a local interface, and IP address for UDP packets. the interface must be up. Otherwise, no UDP packets can be sent out.
Step Command Remarks Enter system view. system-view Create an NQA operation nqa entry admin-name By default, no NQA operation is and enter NQA operation operation-tag created. view. Specify the TCP type and type tcp enter its view. By default, no destination IP address is specified.
• Enable sending ICMP time exceeded messages on the intermediate devices between the source and destination devices. If the intermediate devices are H3C devices, use the ip ttl-expires enable command.
• Enable sending ICMP destination unreachable messages on the destination device. If the...
Step Command Remarks Specify the destination By default, no destination IP address destination ip ip-address address of UDP packets. is configured. By default, the destination port number is 33434. (Optional.) Specify the This port number must be an unused destination port of UDP destination port port-number number on the destination device, so packets.
Configuring the voice operation
CAUTION: To ensure successful voice operations and avoid affecting existing services, do not perform the operations on well-known ports from 1 to 1023.
The voice operation measures VoIP network performance. The voice operation works as follows:
The NQA client sends voice packets at sending intervals to the destination device (NQA server).
Step Command Remarks By default, no destination IP address is configured. Specify the destination destination ip ip-address The destination IP address must be address of voice packets. the same as the IP address of the listening service on the NQA server. By default, no destination port number is configured.
• Enable sending ICMP time exceeded messages on the intermediate devices between the source and destination devices. If the intermediate devices are H3C devices, use the ip ttl-expires enable command.
• Enable sending ICMP destination unreachable messages on the destination device. If the...
Step Command Remarks (Optional.) Specify the payload data-size size The default setting is 100 bytes. size in each ICMP echo request. (Optional.) Specify the string to The default setting is the hexadecimal be filled in the payload of each data-fill string number ICMP echo request.
Step Command Remarks For a voice or path jitter operation, the default setting is 60000 milliseconds. For other operations, the default setting is 0 Specify the interval at milliseconds. Only one operation is which the NQA operation frequency interval performed. repeats.
Step Command Remarks Create an NQA operation nqa entry admin-name By default, no NQA operation is and enter NQA operation operation-tag created. view. The collaboration function is not type { dhcp | dlsw | dns | ftp | Specify an NQA operation available for the path jitter, UDP http | icmp-echo | snmp | tcp | type and enter its view.
The state of a reaction entry can be invalid, over-threshold, or below-threshold.
• Before an NQA operation starts, the reaction entry is in invalid state.
• If the threshold is violated, the state of the entry is set to over-threshold. Otherwise, the state of the...
Step Command Remarks • Monitor the operation duration (not supported in the UDP jitter and voice operations): reaction item-number checked-element probe-duration threshold-type { accumulate accumulate-occurrences | average | consecutive consecutive-occurrences } threshold-value upper-threshold lower-threshold [ action-type { none | trap-only } ] •...
Configuring the NQA statistics collection function
NQA forms statistics within the same collection interval as a statistics group. To display information about the statistics groups, use the display nqa statistics command. NQA does not generate any statistics group for the operation that runs once. To set the NQA operation to run only once, use the frequency command to set the interval to 0 milliseconds.
Step Command Remarks Enable the saving of By default, this function is history records for the history-record enable enabled only for the UDP tracert NQA operation. operation. The default setting is 120 (Optional.) Set the minutes. lifetime of history history-record keep-time keep-time A record is deleted when its records.
Configuring the ICMP template A feature that uses the ICMP template performs the ICMP operation to measure the reachability of a destination device. The ICMP template is supported in both IPv4 and IPv6 networks. To configure the ICMP template: Step Command Remarks Enter system view.
To configure the DNS template: Step Command Remarks Enter system view. system-view Create a DNS template and nqa template dns name enter DNS template view. • IPv4 address: (Optional.) Specify the destination ip ip-address By default, no destination destination IPv4 or IPv6 •...
Step Command Remarks Enter system view. system-view Create a TCP template and nqa template tcp name enter its view. By default, no destination • IPv4 address: address is specified. (Optional.) Specify the destination ip ip-address The destination address must be destination IPv4 or IPv6 •...
Step Command Remarks Enter system view. system-view Create an HTTP template and nqa template http name enter its view. By default, no URL is specified for the destination HTTP server. Specify the URL of the Enter the URL in one of the following url url destination HTTP server.
Configure the username and password for the FTP client to log in to the FTP server before you perform an FTP operation. For information about configuring the FTP server, see Fundamentals Configuration Guide. To configure the FTP template: Step Command Remarks Enter system view.
Step Command Remarks Create an NQA template nqa template { dns | ftp | http and enter its view. | icmp | tcp } name Configure a description. description text By default, no description is configured. The default setting is 5000 milliseconds. Specify the interval at If the operation is not completed when the which the NQA operation...
NQA configuration examples
ICMP echo operation configuration example
Network requirements
As shown in Figure 7, configure an ICMP echo operation from the NQA client Device A to Device B to test the round-trip time. The next hop of Device A is Device C.
Figure 7 Network diagram
Configuration procedure
# Assign each interface an IP address.
# Configure the ICMP echo operation to repeat at an interval of 5000 milliseconds.
[DeviceA-nqa-admin-test1-icmp-echo] frequency 5000
# Enable saving history records.
[DeviceA-nqa-admin-test1-icmp-echo] history-record enable
# Configure the maximum number of history records that can be saved as 10.
[DeviceA-nqa-admin-test1-icmp-echo] history-record number 10
[DeviceA-nqa-admin-test1-icmp-echo] quit
# Start the ICMP echo operation.
DHCP operation configuration example
Network requirements
As shown in Figure 8, configure a DHCP operation to test the time required for Router A to obtain an IP address from the DHCP server.
Figure 8 Network diagram NQA client DHCP server 10.1.1.1/16 10.1.1.2/16 Router A...
DNS operation configuration example
Network requirements
As shown in Figure 9, configure a DNS operation to test whether Device A can perform address resolution through the DNS server and test the resolution time.
Figure 9 Network diagram
Configuration procedure
# Assign each interface an IP address. (Details not shown.)
# Configure static routes or a routing protocol to make sure the devices can reach each other.
[DeviceA] display nqa history admin test1
NQA entry (admin admin, tag test) history records:
Index Response Status Time
Succeeded 2011-11-10 10:49:37.3
The output shows that it took Device A 62 milliseconds to translate domain name host.com into an IP address.
FTP operation configuration example
Network requirements
As shown in...
# After the FTP operation runs for a period of time, stop the operation.
[DeviceA] undo nqa schedule admin test1
# Display the most recent result of the FTP operation.
[DeviceA] display nqa result admin test1
NQA entry (admin admin, tag test1) test results:
Send operation times: 1 Receive response times: 1
Min/Max/Average round trip time: 173/173/173...
# Configure the HTTP operation to get data from the HTTP server.
[DeviceA-nqa-admin-test1-http] operation get
# Configure the operation to use HTTP version 1.0.
[DeviceA-nqa-admin-test1-http] version v1.0
# Enable the saving of history records.
[DeviceA-nqa-admin-test1-http] history-record enable
[DeviceA-nqa-admin-test1-http] quit
# Start the HTTP operation.
[DeviceA] nqa schedule admin test1 start-time now lifetime forever
# After the HTTP operation runs for a period of time, stop the operation.
Configuration procedure
Assign each interface an IP address. (Details not shown.)
Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.)
Configure Device B:
# Enable the NQA server.
<DeviceB> system-view
[DeviceB] nqa server enable
# Configure a listening service to listen on the IP address 10.2.2.2 and UDP port 9000.
Min SD delay: 7 Min DS delay: 7 Number of SD delay: 410 Number of DS delay: 410 Sum of SD delay: 3705 Sum of DS delay: 3891 Square-Sum of SD delay: 45987 Square-Sum of DS delay: 49393 SD lost packets: 0 DS lost packets: 0 Lost packets for unknown reason: 0 SNMP operation configuration example...
# Display the most recent result of the SNMP operation.
[DeviceA] display nqa result admin test1
NQA entry (admin admin, tag test1) test results:
Send operation times: 1 Receive response times: 1
Min/Max/Average round trip time: 50/50/50
Square-Sum of round trip time: 2500
Last succeeded probe time: 2011-11-22 10:24:41.1
Extended results:
Packet loss ratio: 0%...
[DeviceA-nqa-admin-test1] type tcp
# Configure 10.2.2.2 as the destination IP address and port 9000 as the destination port.
[DeviceA-nqa-admin-test1-tcp] destination ip 10.2.2.2
[DeviceA-nqa-admin-test1-tcp] destination port 9000
# Enable the saving of history records.
[DeviceA-nqa-admin-test1-tcp] history-record enable
[DeviceA-nqa-admin-test1-tcp] quit
# Start the TCP operation.
[DeviceA] nqa schedule admin test1 start-time now lifetime forever
# After the TCP operation runs for a period of time, stop the operation.
Configuration procedure
Assign each interface an IP address. (Details not shown.)
Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.)
Configure Device B:
# Enable the NQA server.
<DeviceB> system-view
[DeviceB] nqa server enable
# Configure a listening service to listen on the IP address 10.2.2.2 and UDP port 8000.
UDP tracert operation configuration example
Network requirements
As shown in Figure 16, configure a UDP tracert operation to determine the routing path from Device A to Device B.
Figure 16 Network diagram
Configuration procedure
Assign an IP address to each interface. (Details not shown.)
Configure static routes or a routing protocol to make sure the devices can reach each other.
# Display the most recent result of the UDP tracert operation.
[DeviceA] display nqa result admin test1
NQA entry (admin admin, tag test1) test results:
Send operation times: 6 Receive response times: 6
Min/Max/Average round trip time: 1/1/1
Square-Sum of round trip time: 1
Last succeeded probe time: 2013-09-09 14:46:06.2
Extended results:
Packet loss in test: 0%...
# Configure a listening service to listen on IP address 10.2.2.2 and UDP port 9000.
[DeviceB] nqa server udp-echo 10.2.2.2 9000
Configure Device A:
# Create a voice operation.
<DeviceA> system-view
[DeviceA] nqa entry admin test1
[DeviceA-nqa-admin-test1] type voice
# Configure 10.2.2.2 as the destination IP address and port 9000 as the destination port.
[DeviceA-nqa-admin-test1-voice] destination ip 10.2.2.2
[DeviceA-nqa-admin-test1-voice] destination port 9000
[DeviceA-nqa-admin-test1-voice] quit...
Sum of SD delay: 343 Sum of DS delay: 985 Square-Sum of SD delay: 117649 Square-Sum of DS delay: 970225 SD lost packets: 0 DS lost packets: 0 Lost packets for unknown reason: 0 Voice scores: MOS value: 4.38 ICPIF value: 0 # Display the statistics of the voice operation.
DLSw operation configuration example
Network requirements
As shown in Figure 18, configure a DLSw operation to test the response time of the DLSw device.
Figure 18 Network diagram
Configuration procedure
# Assign each interface an IP address. (Details not shown.)
# Configure static routes or a routing protocol to make sure the devices can reach each other.
NQA entry (admin admin, tag test1) history records: Index Response Status Time Succeeded 2011-11-22 10:40:27.7 The output shows that the response time of the DLSw device is 19 milliseconds. Path jitter operation configuration example Network requirements As shown in Figure 19, configure a path jitter operation to test the round trip time and jitters from Device A to Device B and Device C.
Extended Results Failures due to timeout: 0 Failures due to internal error: 0 Failures due to other errors: 0 Packets out of sequence: 0 Packets arrived late: 0 Path-Jitter Results Jitter number: 9 Min/Max/Average jitter: 1/10/4 Positive jitter number: 6 Min/Max/Average positive jitter: 1/9/4 Sum/Square-Sum positive jitter: 25/173 Negative jitter number: 3...
Figure 20 Network diagram
Configuration procedure
Assign each interface an IP address. (Details not shown.)
On Router A, configure a static route, and associate the static route with track entry 1.
<RouterA> system-view
[RouterA] ip route-static 10.1.1.2 24 10.2.1.1 track 1
On Router A, configure an ICMP echo operation:
# Create an NQA operation with the administrator name admin and operation tag test1.
# Display brief information about active routes in the routing table on Router A.
[RouterA] display ip routing-table
Destinations : 13 Routes : 13
Destination/Mask Proto Cost NextHop Interface
0.0.0.0/32 Direct 0 127.0.0.1 InLoop0
10.1.1.0/24 Static 60 10.2.1.1 GE2/0/1
10.2.1.0/24 Direct 0 10.2.1.2 GE2/0/1...
127.0.0.1/32 Direct 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 127.0.0.1 InLoop0
The output shows that the static route does not exist, and the status of the track entry is negative.
ICMP template configuration example
Network requirements
As shown in...
# If the number of consecutive successful probes reaches 2, the operation succeeds. The NQA client notifies the feature of the successful operation event.
[DeviceA-nqatplt-icmp-icmp] reaction trigger probe-pass 2
# If the number of consecutive probe failures reaches 2, the operation fails. The NQA client notifies the feature of the operation failure.
TCP template configuration example
Network requirements
As shown in Figure 23, configure a TCP template for a feature to perform the TCP operation. The operation tests whether Device A can establish a TCP connection to Device B.
Figure 23 Network diagram
Configuration procedure
Assign each interface an IP address.
Figure 24 Network diagram
Configuration procedure
# Assign each interface an IP address. (Details not shown.)
# Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.)
# Create HTTP template http.
<DeviceA>...
# Specify the URL of the FTP server.
[DeviceA-nqatplt-ftp-ftp] url ftp://10.2.2.2
# Specify 10.1.1.1 as the source IP address.
[DeviceA-nqatplt-ftp-ftp] source ip 10.1.1.1
# Configure the device to upload file config.txt to the FTP server.
[DeviceA-nqatplt-ftp-ftp] operation put
[DeviceA-nqatplt-ftp-ftp] filename config.txt
# Specify the username for the FTP server login as admin.
Configuring NTP
Synchronize your device with a trusted time source by using the Network Time Protocol (NTP) or changing the system time before you run it on a live network. Various tasks, including network management, charging, auditing, and distributed computing depend on an accurate system time setting, because the timestamps of system messages and logs use the system time.
Figure 26 Basic work flow
The synchronization process is as follows:
Device A sends Device B an NTP message, which is timestamped when it leaves Device A. The time stamp is 10:00:00 am (T1).
When this NTP message arrives at Device B, Device B adds a timestamp showing the time when the message arrived at Device B.
Figure 27 NTP architecture (authoritative clock; primary servers, stratum 1; secondary servers, stratum 2; tertiary servers, stratum 3; quaternary servers, stratum 4; roles shown: server, client, symmetric peer, broadcast/multicast server, broadcast/multicast client)
Typically, a stratum 1 NTP server gets its time from an authoritative time source, such as an atomic clock. It provides time for other devices as the primary NTP server.
Table 2 NTP association modes Mode Working process Principle Application scenario On the client, specify the IP address of the NTP server. A client sends a clock synchronization message to the NTP servers. Upon receiving the Figure 27 shows, this message, the servers A client can synchronize mode is intended for...
Mode Working process Principle Application scenario A broadcast server sends clock synchronization A server periodically sends clock messages to synchronize synchronization messages to the clients in the same subnet. broadcast address Figure 27 shows, 255.255.255.255. Clients listen broadcast mode is to the broadcast messages from intended for configurations A broadcast client can...
• If no NTP access control is configured, peer is granted to the local device and peer devices.
• If the IP address of the peer device matches a permit statement in an ACL for more than one access right, the least restrictive access right is granted to the peer device. If a deny statement or no ACL is matched, no access right is granted.
• The NTP service and SNTP service are mutually exclusive. You can only enable either NTP service or SNTP service at a time.
• To ensure time synchronization accuracy, H3C recommends not specifying more than one reference source. Doing so might cause frequent time changes or even synchronization failures.
Tasks at a glance
(Optional.) Configuring NTP authentication
(Optional.) Configuring NTP optional parameters
Enabling the NTP service
Step | Command | Remarks
Enter system view. | system-view |
Enable the NTP service. | ntp-service enable | By default, the NTP service is not enabled.
Configuring NTP association modes
This section describes how to configure NTP association modes.
Step Command Remarks • Specify an NTP server for the device: ntp-service unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | priority | source interface-type interface-number | version Specify an NTP server for the By default, no NTP server is number ] * device.
Step Command Remarks By default, the device does not operate in broadcast server mode. Configure the device to ntp-service broadcast-server After you execute the command, operate in NTP broadcast [ authentication-keyid keyid | the device receives NTP broadcast server mode. version number ] * messages from the specified interface.
Step Command Remarks • Configure the device to operate in multicast server mode: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | By default, the device does not ttl ttl-number | version number ] operate in multicast server mode. Configure the device to After you execute the command, operate in multicast server •...
• Set the key as a trusted key on both client and server.
• Associate the key with the NTP server on the client.
The key IDs and key values configured on the server and client must be the same. Otherwise, NTP authentication fails.
Table 3 NTP authentication results Client Server Configure Configure a a key and Authentication Associate the key and Enable NTP configure Enable NTP result key with an NTP configure it authentication it as a authentication server as a trusted trusted Succeeded.
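The key-matching rules above, modelled in Python as an added example (not H3C code): a sender appends the key ID and an MD5 digest computed over the key followed by the 48-byte NTP header, as in the NTP symmetric-key scheme of RFC 5905, and a receiver accepts the message only if it holds the same key value under the same ID and has marked that ID trusted. The `Receiver` class, key ID 42, the key values and the timestamp are constructed for illustration, and the model always requires a MAC, which is an assumption about a strict receiver rather than a statement of the router's behaviour.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header, no extension fields
MAC_LEN = 4 + 16      # 32-bit key ID followed by a 128-bit MD5 digest


def build_header(mode, version=4, stratum=0, transmit_ts=0):
    """Pack a minimal 48-byte NTP header; fields not needed here are zero."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID, then reference/origin/receive/transmit timestamps.
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def md5_digest(key, header):
    """Symmetric-key NTP digest: MD5 over the key value, then the header."""
    return hashlib.md5(key + header).digest()


def sign(header, key_id, key):
    """Append key ID and digest, as a sender associated with key_id does."""
    return header + struct.pack("!I", key_id) + md5_digest(key, header)


class Receiver:
    """Hypothetical strict receiver: every message must carry a valid MAC."""

    def __init__(self, keys, trusted):
        self.keys = dict(keys)        # key ID -> key value (bytes)
        self.trusted = set(trusted)   # key IDs marked as trusted

    def check(self, packet):
        if len(packet) != NTP_HEADER_LEN + MAC_LEN:
            return "rejected: no MAC"
        header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
        key_id = struct.unpack("!I", mac[:4])[0]
        key = self.keys.get(key_id)
        if key is None:
            return "rejected: unknown key ID"
        if key_id not in self.trusted:
            return "rejected: key not trusted"
        # Constant-time comparison so the check does not leak digest bytes.
        if not hmac.compare_digest(md5_digest(key, header), mac[4:]):
            return "rejected: digest mismatch"
        return "accepted"


def demo():
    """Run the constructed scenarios and return the receiver's verdicts."""
    key = b"constructed-key"                       # constructed sample value
    header = build_header(mode=3, transmit_ts=0xE5F6A1B200000000)
    signed = sign(header, 42, key)

    tampered = bytearray(signed)
    tampered[1] ^= 0x01                            # alter the stratum byte

    return {
        "matching key, trusted": Receiver({42: key}, {42}).check(signed),
        "same ID, different value":
            Receiver({42: b"other-key"}, {42}).check(signed),
        "key configured, not trusted":
            Receiver({42: key}, set()).check(signed),
        "different key ID": Receiver({7: key}, {7}).check(signed),
        "no MAC appended": Receiver({42: key}, {42}).check(header),
        "header altered in transit":
            Receiver({42: key}, {42}).check(bytes(tampered)),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:30} {verdict}")
```

The digest authenticates the header but does not encrypt it, and RFC 8573 deprecates this MD5 construction for NTP in favour of AES-CMAC where a platform offers it.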
Step Command Remarks Enter system view. system-view By default, NTP authentication is Enable NTP authentication. ntp-service authentication enable disabled. ntp-service authentication-keyid Configure an NTP By default, no NTP authentication keyid authentication-mode md5 authentication key. key is configured. { cipher | simple } value Configure the key as a trusted ntp-service reliable By default, no authentication key is...
Active peer Passive peer Configure a Associate Configure a key and the key key and Authentication result Enable NTP Enable NTP configure it with a configure it authentication authentication as a trusted passive as a trusted peer Succeeded. NTP messages can be sent and received correctly.
• Set the key as a trusted key on both the broadcast client and server.
• Configure an NTP authentication key on the broadcast server.
The key IDs and key values configured on the broadcast server and client must be the same. Otherwise, NTP authentication fails.
Table 5 NTP authentication results Broadcast server Broadcast client Configure Configure Associate a key and a key and the key Authentication result Enable NTP configure Enable NTP configure with a authentication it as a authentication it as a broadcast trusted trusted server Succeeded.
To configure NTP authentication for a multicast client: Step Command Remarks Enter system view. system-view By default, NTP authentication is Enable NTP authentication. ntp-service authentication enable disabled. ntp-service authentication-keyid Configure an NTP By default, no NTP authentication keyid authentication-mode md5 authentication key.
Table 6 NTP authentication results Multicast server Multicast client Configure a Configure a Associate the Authentication key and key and Enable NTP key with a Enable NTP result configure it configure it authentication multicast authentication as a trusted as a trusted server Succeeded.
Specifying the source interface for NTP messages To prevent interface status changes from causing NTP communication failures, configure the device to use the IP address of an interface that is always up. For example, you can configure the device to use a loopback interface as the source IP address for the NTP messages to be sent.
Configuring the maximum number of dynamic associations
NTP has the following types of associations:
• Static association—A manually created association.
• Dynamic association—Temporary association created by the system during NTP operation. A dynamic association is removed if no messages are exchanged within about 12 minutes.
The following describes how an association is established in different association modes:
• Client/server mode—After you specify an NTP server, the system creates a static association on the...
• Make sure the local clock can provide the time accuracy required for the network. After you configure the local clock as a reference source, the local clock is synchronized, and can operate as a time server to synchronize other devices in the network. If the local clock is incorrect, timing errors occur.
Configure Device A:
# Enable the NTP service.
<DeviceA> system-view
[DeviceA] ntp-service enable
# Specify the local clock as the reference source, with the stratum level 2.
[DeviceA] ntp-service refclock-master 2
Configure Device B:
# Enable the NTP service.
<DeviceB> system-view
[DeviceB] ntp-service enable
# Specify Device A as the NTP server of Device B so that Device B is synchronized to Device A.
Page 103
Figure 31 Network diagram
Configuration procedure
Assign an IP address to each interface, and make sure Device A and Device B can reach each other, as shown in Figure 31. (Details not shown.)
Configure Device A:
# Enable the NTP service.
<DeviceA>...
Last receive time: 19
Offset: 0.0
Roundtrip delay: 0.0
Dispersion: 0.0
Total sessions: 1
NTP symmetric active/passive mode configuration example
Network requirements
As shown in Figure 32, perform the following tasks:
• Configure the local clock of Device A as a reference source, with the stratum level 2.
...
Leap indicator: 00
Clock jitter: 0.000916 s
Stability: 0.000 pps
Clock precision: 2^-17
Root delay: 0.00609 ms
Root dispersion: 1.95859 ms
Reference time: 83aec681.deb6d3e5 Wed, Jan 8 2014 14:33:11.081
# Verify that an IPv4 NTP association has been established between Device B and Device A.
[DeviceB] display ntp-service sessions
source reference...
# Configure Device B as an IPv6 symmetric passive peer.
[DeviceA] ntp-service ipv6 unicast-peer 3000::36
Verify the configuration:
# Verify that Device B has synchronized to Device A.
[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
System peer: 3000::35
Local mode: sym_passive
Reference clock ID: 251.73.79.32
Leap indicator: 11...
Page 107
Figure 34 Network diagram (Router C: NTP broadcast server, GE2/0/1 3.0.1.31/24; Router A: NTP broadcast client, GE2/0/1 3.0.1.30/24; Router B: NTP broadcast client, GE2/0/1 3.0.1.32/24)
Configuration procedure
Assign an IP address to each interface, and make sure Router A, Router B, and Router C can reach each other, as shown in Figure 34.
The following uses Router A as an example to describe configuration verification.
# Verify that Router A has synchronized to Router C, and the clock stratum level is 3 on Router A and 2 on Router C.
[RouterA-GigabitEthernet2/0/1] display ntp-service status
Clock status: synchronized
Clock stratum: 3
System peer: 3.0.1.31...
Page 109
Figure 35 Network diagram (Router C: NTP multicast server, GE2/0/1 3.0.1.31/24; Router D: NTP multicast client, GE2/0/1 3.0.1.32/24; Router A and Router B labels: NTP multicast client, GE2/0/1 1.0.1.11/24, GE2/0/1 1.0.1.10/24, GE2/0/2 3.0.1.30/24)
Configuration procedure
Assign an IP address to each interface, and make sure the routers can reach each other, as shown in Figure 35.
Page 110
System peer: 3.0.1.31
Local mode: bclient
Reference clock ID: 3.0.1.31
Leap indicator: 00
Clock jitter: 0.044281 s
Stability: 0.000 pps
Clock precision: 2^-10
Root delay: 0.00229 ms
Root dispersion: 4.12572 ms
Reference time: d0d289fe.ec43c720 Sat, Jan 8 2011 7:00:14.922
# Verify that an IPv4 NTP association has been established between Router D and Router C.
[RouterD-GigabitEthernet2/0/1] display ntp-service sessions
source reference...
Reference clock ID: 3.0.1.31
Leap indicator: 00
Clock jitter: 0.165741 s
Stability: 0.000 pps
Clock precision: 2^-10
Root delay: 0.00534 ms
Root dispersion: 4.51282 ms
Reference time: d0c61289.10b1193f Wed, Dec 29 2010 20:03:21.065
# Verify that an IPv4 NTP association has been established between Router A and Router C.
[RouterA-GigabitEthernet2/0/1] display ntp-service sessions
source reference...
Page 112
# Enable the NTP service.
<RouterC> system-view
[RouterC] ntp-service enable
# Specify the local clock as the reference source, with the stratum level 2.
[RouterC] ntp-service refclock-master 2
# Configure Router C to operate in IPv6 multicast server mode and send multicast messages through GigabitEthernet 2/0/1.
Page 113
Total sessions: 1
Configure Router B:
Because Router A and Router C are on different subnets, you must enable the multicast functions on Router B before Router A can receive IPv6 multicast messages from Router C.
# Enable the IPv6 multicast function.
<RouterB>...
Roundtrip delay: 0.0
Dispersion: 0.0
Total sessions: 1
Configuration example for NTP client/server mode with authentication
Network requirements
As shown in Figure 37, perform the following tasks:
• Configure the local clock of Device A as a reference source, with the stratum level 2.
...
Configure NTP authentication on Device A:
# Enable NTP authentication.
[DeviceA] ntp-service authentication enable
# Set an authentication key, and input the key in plain text.
[DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 simple aNiceKey
# Specify the key as a trusted key.
[DeviceA] ntp-service reliable authentication-keyid 42
Verify the configuration:
# Verify that Device B has synchronized to Device A, and the clock stratum level is 3 on Device B...
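The guide requires the key ID and key value to match on both ends and the key to be marked trusted. The following added example (not H3C code) shows why, using the NTP symmetric-key MAC from RFC 5905, which is a key ID followed by MD5(key || header). The Receiver class is a simplified, hypothetical model of the receive-side checks; key ID 42 and aNiceKey come from the example above, and the packet contents are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

NTP_HEADER_LEN = 48   # fixed NTP header length (RFC 5905)
DIGEST_LEN = 16       # MD5 output length


def build_header(mode: int, stratum: int, version: int = 4) -> bytes:
    """Return a constructed 48-byte NTP header with zeroed timestamps."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # poll = 6, precision = -17 (2^-17), remaining fields left as zero
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -17) + bytes(NTP_HEADER_LEN - 4)


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC: 32-bit key ID followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


@dataclass
class Receiver:
    """Simplified model of one device's NTP authentication settings."""
    auth_enabled: bool = False
    keys: dict = field(default_factory=dict)    # key ID -> key value
    trusted: set = field(default_factory=set)   # key IDs marked as trusted

    def check(self, packet: bytes) -> str:
        if not self.auth_enabled:
            return "accepted without authentication"
        if len(packet) == NTP_HEADER_LEN:
            return "rejected: no MAC"
        if len(packet) != NTP_HEADER_LEN + 4 + DIGEST_LEN:
            return "rejected: malformed MAC"
        header = packet[:NTP_HEADER_LEN]
        (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
        received = packet[NTP_HEADER_LEN + 4:]
        if key_id not in self.keys:
            return f"rejected: key {key_id} not configured"
        if key_id not in self.trusted:
            return f"rejected: key {key_id} not trusted"
        expected = hashlib.md5(self.keys[key_id] + header).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, received):
            return "rejected: digest mismatch"
        return "accepted"


def demo() -> dict:
    """Run the same server packet past differently configured receivers."""
    header = build_header(mode=4, stratum=2)          # mode 4 = server
    packet = sign(header, 42, b"aNiceKey")
    tampered = bytearray(packet)
    tampered[1] = 1                                   # stratum altered in transit
    good = Receiver(True, {42: b"aNiceKey"}, {42})
    return {
        "matching key": good.check(packet),
        "wrong key value": Receiver(True, {42: b"otherKey"}, {42}).check(packet),
        "key not trusted": Receiver(True, {42: b"aNiceKey"}, set()).check(packet),
        "unsigned packet": good.check(header),
        "tampered header": good.check(bytes(tampered)),
        "auth disabled": Receiver(False).check(packet),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The digest covers only the header, so any change to stratum, timestamps, or mode after signing fails verification on a receiver that holds the same trusted key.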
Page 116
• Configure NTP authentication on Router A, Router B, and Router C.
Figure 38 Network diagram (Router C: NTP broadcast server, GE2/0/1 3.0.1.31/24; Router A: NTP broadcast client, GE2/0/1 3.0.1.30/24; Router B: NTP broadcast client, GE2/0/1 3.0.1.32/24)
Configuration procedure
Assign an IP address to each interface, and make sure Router A, Router B, and Router C can reach each other, as shown in Figure 38.
Page 117
Configure Router C:
# Enable the NTP service.
<RouterC> system-view
[RouterC] ntp-service enable
# Specify the local clock as the reference source, with the stratum level 3.
[RouterC] ntp-service refclock-master 3
# Configure Router C to operate in the NTP broadcast server mode and use GigabitEthernet 2/0/1 to send NTP broadcast messages.
[RouterB-GigabitEthernet2/0/1] display ntp-service sessions
source reference stra reach poll now offset delay disper
********************************************************************************
[1245]3.0.1.31 127.127.1.0 -0.0 0.0000
Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured.
Total sessions: 1
Configuration example for MPLS VPN time synchronization in client/server mode
Network requirements
As shown in Figure 39, two VPNs are present on PE 1 and PE 2: VPN 1 and VPN 2.
Page 119
Configuration procedure Before you perform the following configuration, be sure you have completed MPLS VPN-related configurations. For information about configuring MPLS VPN, see MPLS Configuration Guide. Assign an IP address to each interface, as shown in Figure 39. Make sure CE 1 and PE 1, PE 1 and PE 2, and PE 2 and CE 3 can reach each other.
RefID 127.127.1.0
Configuration example for MPLS VPN time synchronization in symmetric active/passive mode
Network requirements
As shown in Figure 40, two VPNs are present on PE 1 and PE 2: VPN 1 and VPN 2. CE 1 and CE 3 belong to VPN 1.
Page 121
<CE1> system-view
[CE1] ntp-service enable
# Specify the local clock as the reference source, with the stratum level 2.
[CE1] ntp-service refclock-master 2
Configure PE 1:
# Enable the NTP service.
<PE1> system-view
[PE1] ntp-service enable
# Specify CE 1 in VPN 1 as the symmetric-passive peer of PE 1.
[PE1] ntp-service unicast-peer 10.1.1.1 vpn-instance vpn1
Verify the configuration:
# Verify that PE 1 has synchronized to CE 1, with the stratum level 3.
Configuring SNTP SNTP is a simplified, client-only version of NTP specified in RFC 4330. SNTP supports only the client/server mode. An SNTP-enabled device can receive time from NTP servers, but cannot provide time services to other devices. SNTP uses the same packet format and packet exchange procedure as NTP, but provides faster synchronization at the price of time accuracy.
Specifying an NTP server for the device
Step: Enter system view.
  Command: system-view
Step:
  Command: • For IPv4: sntp unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | source interface-type interface-number | version
  Remarks: By default, no NTP server is specified for the device. Repeat this step to specify multiple...
Step: Configure an SNTP authentication key.
  Command: sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value
  Remarks: By default, no SNTP authentication key is configured.
Step: Specify the key as a trusted key.
  Command: sntp reliable authentication-keyid
  Remarks: By default, no trusted key is
Page 125
Configure Device A:
# Enable the NTP service.
<DeviceA> system-view
[DeviceA] ntp-service enable
# Configure the local clock of Device A as a reference source, with the stratum level 2.
[DeviceA] ntp-service refclock-master 2
# Enable NTP authentication on Device A.
[DeviceA] ntp-service authentication enable
# Configure an NTP authentication key, with the key ID of 10 and key value of aNiceKey.
Configuring PTP Overview Precision Time Protocol (PTP) synchronizes time among devices. It provides greater accuracy than other time synchronization protocols such as NTP. For more information about NTP, see "Configuring NTP." Basic concepts PTP profile A PTP profile defines the following PTP standards: IEEE 1588 version 2—1588v2 defines high-accuracy clock synchronization mechanisms.
Page 127
Figure 42 Clock nodes in a PTP domain (grandmaster clock; BC 1 to BC 3, TC 1 to TC 4, OC 1 to OC 6; legend: master port, subordinate port, passive port)
Besides the three basic types of clock nodes, PTP introduces some hybrid clock nodes.
Clock node with higher time class.
Clock node with higher time accuracy.
Clock node with higher priority 2.
Clock node with a smaller port ID (containing clock number and port number).
The master nodes, member nodes, master ports, and subordinate ports are determined during the process.
Page 129
Figure 43 Operation procedure of the Request_Response mechanism (master clock and member clock; timestamps known by the member clock at successive steps: t1, t2; t1, t2, t3; t1, t2, t3, t4)
Figure 43 shows an example of the Request_Response mechanism in two-step mode. The master clock sends a Sync message to the member clock, and records the sending time t1. Upon receiving the message, the member clock records the receiving time t2.
Figure 44 Operation procedure of the Peer Delay mechanism (master clock and member clock; timestamps known by the member clock at successive steps: t1, t2; t1, t2, t3; t1, t2, t3, t4, t6; t1, t2, t3, t4, t5, t6)
The Peer Delay mechanism uses Pdelay messages to calculate link delay, which applies only to point-to-point delay measurement.
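The arithmetic behind the two delay mechanisms, as an added example that is not part of the original guide. It uses the standard IEEE 1588 formulas and assumes this timestamp numbering: t1/t2 are Sync send/receive, t3/t4 are the member's request send and the master's receive, and t5/t6 are the master's Pdelay_Resp send and the member's receive. The timestamp values are constructed, in nanoseconds.

```python
def request_response(t1, t2, t3, t4):
    """Return (offset, one-way delay) from Sync and Delay_Req timestamps."""
    delay = ((t2 - t1) + (t4 - t3)) / 2
    offset = (t2 - t1) - delay          # member clock minus master clock
    return offset, delay


def peer_delay(t1, t2, t3, t4, t5, t6):
    """Return (offset, link delay) using Pdelay timestamps for the delay."""
    link_delay = ((t4 - t3) + (t6 - t5)) / 2
    offset = (t2 - t1) - link_delay
    return offset, link_delay


def constructed_timestamps(true_offset, d_ms, d_sm):
    """Build t1..t6 for a member clock running true_offset ns ahead of the master.

    d_ms is the master-to-member path delay, d_sm the member-to-master delay.
    t1, t4, t5 are read on the master clock; t2, t3, t6 on the member clock.
    """
    t1 = 1_000_000
    t2 = t1 + d_ms + true_offset
    t3 = t2 + 50_000                    # member waits, then sends its request
    t4 = t3 - true_offset + d_sm
    t5 = t4 + 20_000                    # master turnaround before responding
    t6 = t5 + d_ms + true_offset
    return t1, t2, t3, t4, t5, t6


def offset_error(true_offset, d_ms, d_sm):
    """Error in the computed offset caused by unequal path delays."""
    ts = constructed_timestamps(true_offset, d_ms, d_sm)
    estimated, _ = request_response(*ts[:4])
    return estimated - true_offset      # equals (d_ms - d_sm) / 2


if __name__ == "__main__":
    sym = constructed_timestamps(1500, 400, 400)
    asym = constructed_timestamps(1500, 500, 300)
    print("symmetric  :", request_response(*sym[:4]), peer_delay(*sym))
    print("asymmetric :", request_response(*asym[:4]), peer_delay(*asym))
    print("offset error from asymmetry:", offset_error(1500, 500, 300))
```

Both mechanisms assume equal delay in each direction. With the same round trip, a 200 ns difference between directions shifts the computed offset by 100 ns while the reported mean path delay stays unchanged, so an unexpected asymmetry is not visible in the delay figure alone.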
Feature and hardware compatibility Hardware PTP compatibility SR6602-X SR6604/SR6608/SR6616 SR6604-X/SR6608-X/SR6616-X Configuring clock nodes Before performing the following configurations, define the scope of the PTP domain and the role of every clock node. Configuration task list Tasks at a glance (Required.) Specifying a PTP standard...
Page 132
Tasks at a glance
The PTP standard is IEEE 1588 version 2:
(Required.) Specifying a clock node type
(Optional.) Specifying a PTP domain
(Optional.) Configuring an OC to operate only as a member clock
(Optional.) Configuring ToD input or output
(Optional.) Configuring the role of a PTP port
(Optional.)
Tasks at a glance
The PTP standard is IEEE 802.1AS (802.1AS):
(Required.) Specifying a clock node type
(Optional.) Specifying a PTP domain
(Optional.) Configuring an OC to operate only as a member clock
(Optional.) Configuring ToD input or output
(Optional.) Configuring the role of a PTP port
(Optional.) Configuring the port type for a TC+OC...
Step: Enter system view.
  Command: system-view
Step: Specify a clock node type for the device.
  Command: ptp mode { bc | e2etc | e2etc-oc | oc | p2ptc | p2ptc-oc }
  Remarks: By default, no clock node type is specified.
Specifying a PTP domain
Within a PTP domain, all devices follow the same rules to communicate with each other.
Hardware ToD input or output compatibility SR6604-X/SR6608-X/SR6616-X
To use a ToD clock, you must configure ToD input or output:
• ToD input—The device obtains clock signals from an external ToD clock and synchronizes ToD to all devices in the PTP network.
• ToD output—The device operates as a ToD clock to synchronize ToD to other devices.
Step: Configure the priority for the specified clock for GM
  Command: ptp priority clock-source { local | tod0 | tod1 } { priority1 pri1-value
  Remarks: By default:
  • If the PTP profile is IEEE 1588 version 2, the default value for both priority 1 and priority 2 is 128.
Step: Enter system view.
  Command: system-view
Step: Enter Layer 3 Ethernet interface view.
  Command: interface interface-type interface-number
Step: Configure the mode for carrying timestamps.
  Command: ptp clock-step { one-step | two-step }
  Remarks: By default, two-step mode is used.
Specifying a delay measurement mechanism for a BC or an
PTP defines two transmission delay measurement mechanisms: Request_Response and Peer Delay.
Step: Configure the port type for a TC+OC as OC.
  Command: ptp port-mode oc
  Remarks: By default, the port type for all ports on a TC+OC is TC.
Configuring the interval for sending announce messages
Step: Enter system view.
  Command: system-view
Step: Enter Layer 3 Ethernet
  Command: interface interface-type...
Configuring the interval for sending Pdelay_Req messages
Step: Enter system view.
  Command: system-view
Step: Enter Layer 3 Ethernet interface view.
  Command: interface interface-type interface-number
Step: Configure the interval for sending Pdelay_Req messages.
  Command: ptp pdelay-req-interval value
  Remarks: Optional. The default is 1 (2^0) second.
Configuring the MAC address for non-pdelay messages
Pdelay messages include Pdelay_Req, Pdelay_Resp, and Pdelay_Resp_Follow_Up messages. The destination MAC address of Pdelay messages is 0180-C200-000E by default, which cannot be modified.
The destination MAC address of non-Pdelay messages is either 0180-C200-000E or 011B-1900-0000.
To configure the destination MAC address for non-Pdelay messages on every clock node:
Step Command...
Step: Configure the source IP address for multicast PTP message transmission over
  Command: ptp source ip-address [ vpn-instance vpn-instance-name ]
  Remarks: By default, no source IP address is configured for multicast PTP messages. This command takes effect only when multicast PTP messages are transmitted over UDP (IPv4).
Step: Configure delay correction value.
  Command: ptp asymmetry-correction { minus | plus } value
  Remarks: Optional. The default is 0 nanoseconds, which means delay correction is not performed.
Configuring the cumulative offset between the UTC and TAI
The time displayed on a device is based on the Coordinated Universal Time (UTC). There is an offset between UTC and TAI (International Atomic Time, in English), which is made public periodically.
Step: Set a DSCP value for PTP messages transmitted over UDP (IPv4).
  Command: ptp dscp dscp
  Remarks: By default, the DSCP value is 56.
Specifying the system time source as PTP
Make sure you use the clock protocol command to specify the time protocol as PTP. For more information about the clock protocol command, see Fundamentals Command Reference.
Mean path delay : 0 (ns)
Steps removed
Local clock time : Sun Jan 15 20:57:29 2011
# Display brief PTP statistics on Device A.
[DeviceA] display ptp interface brief
Name State Delay mechanism Clock step Asymmetry correction
GE2/0/1 Master
# Display PTP clock information on Device B.
Page 147
Figure 46 Network diagram (Device A, Device B, and Device C in one PTP domain; labels: P2PTC, GE2/0/1, GE2/0/1, GE2/0/2, GE2/0/1)
Configuration procedure
Configure Device A:
# Specify the PTP standard as IEEE 1588 version 2.
<DeviceA> system-view
[DeviceA] ptp profile 1588v2
# Specify the clock node type as OC.
[DeviceA] ptp mode oc
# Configure the source IP address for multicast PTP message transmission over UDP (IPv4).
Page 148
# Specify the PTP standard as IEEE 1588 version 2.
<DeviceC> system-view
[DeviceC] ptp profile 1588v2
# Specify the clock node type as OC.
[DeviceC] ptp mode oc
# Configure the source IP address for multicast PTP message transmission over UDP (IPv4).
[DeviceC] ptp source 10.10.10.3
# Specify the system time source as PTP.
Clock ID : 000FE2-FFFE-FF0001
Clock type : Local
Clock domain
Number of PTP ports : 2
Priority1 : 128
Priority2 : 128
Clock quality :
Class : 248
Accuracy : 254
Offset (log variance) : 65535
Offset from master : N/A
Mean path delay : N/A
Steps removed...
Page 150
[DeviceA] ptp profile 1588v2
# Specify the clock node type as OC.
[DeviceA] ptp mode oc
# Configure the delay time correction as 1000 nanoseconds for receiving ToD0 clock signals.
[DeviceA] ptp tod0 input delay 1000
# Configure priority 1 as 0 for the ToD0 clock.
[DeviceA] ptp priority clock-source tod0 priority1 0
# On GigabitEthernet 2/0/1, configure the destination IP address for unicast PTP message transmission over UDP (IPv4), and enable PTP.
Page 151
[DeviceC] clock protocol ptp
# On GigabitEthernet 2/0/1, configure the destination IP address for unicast PTP message transmission over UDP (IPv4), and enable PTP.
[DeviceC] interface gigabitethernet 2/0/1
[DeviceC-GigabitEthernet2/0/1] ptp transport-protocol udp
[DeviceC-GigabitEthernet2/0/1] ptp unicast-destination 11.10.10.2
[DeviceC-GigabitEthernet2/0/1] ptp enable
[DeviceC-GigabitEthernet2/0/1] quit
Verify the configuration:
When the network is stable, perform the following tasks:
Use the display ptp clock command to display PTP clock information.
Class : 248
Accuracy : 254
Offset (log variance) : 65535
Offset from master : N/A
Mean path delay : N/A
Steps removed : N/A
Local clock time : Sun Jan 15 20:57:29 2011
# Display brief PTP statistics on Device B.
[DeviceB] display ptp interface brief
Name State...
Page 153
# Specify the PTP standard as IEEE 802.1AS.
<DeviceB> system-view
[DeviceB] ptp profile 802.1AS
# Specify the clock node type as P2PTC.
[DeviceB] ptp mode p2ptc
# Specify the system time source as PTP.
[DeviceB] clock protocol ptp
# Enable PTP for GigabitEthernet 2/0/1.
[DeviceB] interface gigabitethernet 2/0/1
[DeviceB-GigabitEthernet2/0/1] ptp enable
[DeviceB-GigabitEthernet2/0/1] quit...
Page 154
Offset (log variance) : 16640
Offset from master : 0 (ns)
Mean path delay : 0 (ns)
Steps removed
Local clock time : Sun Jan 15 20:57:29 2011
# Display brief PTP statistics on Device A.
[DeviceA] display ptp interface brief
Name State Delay mechanism...
Configuring network synchronization Overview The network clock monitoring module provides network clock synchronization for all interface cards in the system. It ensures that all ports on the interface cards operate at the same clock rates for network synchronization. Network synchronization is essential to the efficient, correct operations of most services on networks. If the network devices on a network do not operate at the same clock rate, the network performance decreases.
Clock source priority For a clock source to be selected as the clock reference, assign it a lower priority value than other clock sources. The lower the priority value, the better the clock source. For example, the clock source with a priority of 1 is better than the clock source with a priority of 3.
A port can operate in one of the following clock modes: • Master—The port provides timing to the peer end. The timing signal is derived from the network clock monitoring module. If automatic reference selection is used, the timing signal is derived from the reference clock selected by the network clock monitoring module.
Task: (Optional.) Enabling the reference manually specified on a non-default MDC
  Remarks: You must perform this task if a line clock input port on a non-default MDC has been specified as the clock reference source. This task enables the clock reference setting to take effect on all MDCs.
To specify an Sa bit for the SSM of a BITS clock:
Step: Enter system view.
  Command: system-view
  Remarks: In an MDC environment, you can perform this task only on the default MDC. However, the setting takes effect on all MDCs.
Step: Set the frequency of a BITS clock.
  Command:
  • In standalone mode: network-clock source { bits0 | bits1 } frequency { bps-2m | hz-2m }
  • In IRF mode:
  Remarks: By default, the frequency of a BITS clock is 2 Mbps. This command is configurable
To configure the method to set the SSM quality level of a clock source:
Step: Enter system view.
  Command: system-view
Step:
  Command: • In standalone mode: network-clock source { bits0 | bits1 | lpuport port-type port-number | ptp }
  Remarks: By default, the quality level of a clock source is the user-defined value.
• If the SSM quality level contributes to the selection process, the network clock monitoring module selects a reference from available clock sources by their SSM quality level and priority.
• If the SSM quality level does not contribute to the selection process, the network clock monitoring...
Step: Verify that the MDC you are specifying has clock sources in normal state.
  Command: display network-clock source
  Remarks: This command is available in any view.
Step: Enter system view.
  Command: system-view
Step: Enable the clock reference manually specified...
  Command: • In standalone mode: network-clock work-mode manual mdc mdc-id
  Remarks: By default, the clock reference
Network synchronization configuration example
Network requirements
As shown in Figure 49, configure Device B to derive its timing from Device A through POS 2/2/0.
Figure 49 Network diagram
Configuration procedure
On Device A:
# Specify the master clock mode on POS 2/2/0.
<DeviceA>...
Configuring synchronous Ethernet Overview Synchronous Ethernet (SyncE) provides high-quality frequency synchronization on Ethernet at the physical layer. It can provide the same level of clock precision as SONET/SDH. Transferring frequency signals at the physical layer, SyncE functions regardless of the network conditions such as congestion, packet loss, and delay.
• If the clock reference is from a SyncE port, the system distributes the QL out of all SyncE ports except for the reference input port. To prevent timing loops, the sent QL is DNU on the timing reference input port.
Input QL updating on SyncE ports
The default input QL is DNU on a SyncE port.
Setting the clock mode on a copper SyncE GE port By default, a copper SyncE GE port automatically negotiates its clock mode with the remote end. To avoid a negotiation result that conflicts with your clock synchronization trail design, manually set the clock mode.
# On Device B, enable the synchronous mode and ESMC on GigabitEthernet 2/0/1.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 2/0/1
[DeviceB-GigabitEthernet2/0/1] synchronous mode
[DeviceB-GigabitEthernet2/0/1] esmc enable
[DeviceB-GigabitEthernet2/0/1] quit
Verifying the configuration
# Verify that ESMC is enabled and QL information is exchanged correctly. The sample output on Device A shows that the clock QLs of Device A and Device B are QL-PRC and QL-SEC, respectively.
Configuring SNMP Overview Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics, and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.
A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privileges and is identified by a view name. The MIB objects included in the MIB view are accessible while those excluded from the MIB view are inaccessible. A MIB view can have multiple view records each identified by a view-name oid-tree pair.
• The VACM mode requires only the access right from the NMS to MIB objects.
H3C recommends the RBAC mode because it is more secure.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode.
Page 172
Step: (Optional.) Configure the system location.
  Command: snmp-agent sys-info location sys-location
  Remarks: The default system location is Hangzhou, China.
Step: Enable SNMPv1 or SNMPv2c.
  Command: snmp-agent sys-info version { all | { v1 | v2c } *}
  Remarks: By default, SNMPv3 is enabled.
Step: (Optional.) Change
  Command: snmp-agent local-engineid engineid...
  Remarks: By default, the local engine ID is
Step: (Optional.) Map an SNMP community to an SNMP context.
  Command: snmp-agent community-map community-name context context-name
  Remarks: By default, no mapping between an SNMP community and an SNMP context exists on the device.
Step: (Optional.) Configure the maximum SNMP packet size (in bytes)
  Remarks: By default, an SNMP agent can send and receive an SNMP packet
Page 174
Step: (Optional.) Configure the system contact.
  Command: snmp-agent sys-info contact sys-contact
  Remarks: The default system contact is Hangzhou H3C Tech. Co., Ltd..
Step: (Optional.) Configure the system location.
  Command: snmp-agent sys-info location sys-location
  Remarks: The default system location is Hangzhou, China.
Page 175
Step: (Optional.) Create an SNMPv3 group.
  Command: • High encryption in non-FIPS mode: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  Remarks: By default, no SNMP group
Step: (Optional.) Assign a user role to an SNMPv3 user created in RBAC mode.
  Command: snmp-agent usm-user user-name v3 user-role role-name
  Remarks: By default, no SNMPv3 users are configured in RBAC mode.
Step: (Optional.) Create an SNMP context.
  Command: snmp-agent context context-name
  Remarks: By default, no SNMP context is
Configuring SNMP notifications The SNMP Agent sends notifications (traps and informs) to inform the NMS of significant events, such as link state changes and user logins or logouts. Unless otherwise stated, the trap keyword in the command line includes both traps and informs. Enabling SNMP notifications Enable an SNMP notification only if necessary.
Page 179
You can extend standard linkUp/linkDown notifications to include interface description and interface type, but must make sure the NMS supports the extended SNMP messages.
To send informs, make sure:
• The SNMP agent and the NMS use SNMPv2c or SNMPv3.
• If SNMPv3 is used, you must configure the SNMP engine ID of the NMS when you configure...
Step: (Optional.) Configure a source address for notifications.
  Command: snmp-agent { inform | trap } source interface-type { interface-number | interface-number.subnumber }
  Remarks: By default, SNMP uses the IP address of the outgoing routed interface as the source IP address.
Step: (Optional.) Enable
  Remarks: By default, the SNMP extended...
SNMPv1/SNMPv2c configuration example The SNMPv1 configuration procedure is the same as the SNMPv2c configuration procedure. This example uses SNMPv1, and is available only for high encryption in non-FIPS mode. Network requirements As shown in Figure 53, the NMS (1.1.1.2/24) uses SNMPv1 to manage the SNMP agent (1.1.1.1/24), and the agent automatically sends notifications to report events to the NMS.
Verifying the configuration
# Try to get the MTU value of NULL0 interface from the agent. The attempt succeeds.
Send request to 1.1.1.1/161 ...
Protocol version: SNMPv1
Operation: Get
Request binding:
1: 1.3.6.1.2.1.2.2.1.4.135471
Response binding:
1: Oid=ifMtu.135471 Syntax=INT Value=1500
Get finished
# Use a wrong community name to get the value of a MIB node on the agent.
Page 183
# Configure the IP address of the agent, and make sure the agent and the NMS can reach each other. (Details not shown.)
# Create the user role test, and permit test to have read and write access to the snmp node (OID 1.3.6.1.2.1.11).
[Agent] snmp-agent mib-view included test ifTable
[Agent] snmp-agent group v3 managev3group privacy read-view test write-view test
# Assign the NMS (SNMPv3 group managev3group) read-only access to the objects under the system node (OID 1.3.6.1.2.1.1) and hh3cUIMgt node (OID 1.3.6.1.4.1.25506.2.2) in the test view.
Page 185
1: 1.3.6.1.2.1.1.5.0
Response binding:
Session failed ! SNMP: Cannot access variable, No Access, error index=1
1: Oid=sysName.0 Syntax=OCTETS Value=h3c
Set finished
The following log appears only if the Set operation is performed by using RBAC mode.
%Aug 14 16:13:21:475 2013 Agent SNMP/5/SNMP_SETDENY: -IPAddr=1.1.1.2-SecurityName=managev3user-SecurityModel=SNMPv3-OP=SET-Node=sysName(1.
For more information about SNMP notifications, see "Configuring SNMP." H3C devices provide an embedded RMON agent as the RMON monitor. An NMS can perform basic SNMP operations to access the RMON MIB. RMON groups Among standard RMON groups, H3C implements the statistics group, history group, event group, alarm group, probe configuration group, and user history group.
Page 187
The history table stores traffic statistics collected for each sampling interval.
Event group
The event group controls the generation and notifications of events triggered by the alarms defined in the alarm group and the private alarm group. The following are RMON alarm event handling methods:
• Log—Logs event information (including event time and description) in the event log table so the...
Compares the calculation result with the predefined thresholds, and then takes one of the following actions:
• Triggers the event associated with the rising alarm event if the result is equal to or greater than the rising threshold.
• Triggers the event associated with the falling alarm event if the result is equal to or less than the falling threshold.
Step: Create an entry for the interface in the RMON statistics table.
  Command: rmon statistics entry-number [ owner text ]
  Remarks: By default, the RMON statistics table does not contain entries. You can create one statistics entry for each Ethernet interface, and a maximum of 100
History group configuration example Network requirements As shown in Figure 57, create an RMON history control entry on the device to sample traffic statistics for GigabitEthernet 2/0/1 every minute. Figure 57 Network diagram Configuration procedure # Create an RMON history control entry to sample traffic statistics every minute for GigabitEthernet 2/0/1.
Figure 58 Network diagram
Configuration procedure
# Configure the SNMP agent (the device) with the same SNMP settings as the NMS at 1.1.1.2. This example uses SNMPv1, read community public, and write community private.
<Sysname> system-view
[Sysname] snmp-agent
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
[Sysname] snmp-agent sys-info version v1
[Sysname] snmp-agent trap enable...
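A configuration review check for the SNMP settings used in the examples above, added here and not part of the H3C guide. It flags community-based SNMP versions, the community names public and private, write communities, communities without an ACL, and SNMPv3 groups created without the privacy keyword. The rule names are hypothetical, the optional simple/cipher keyword before a community name is an assumption about the command syntax, and the last sample line is constructed.

```python
import re

# Strip Comware prompts such as "<Sysname>" or "[Agent]" from pasted sessions.
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmp(config_text):
    """Return (line number, rule, detail) tuples for risky SNMP settings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tok = PROMPT.sub("", raw).split()
        if tok[:3] == ["snmp-agent", "sys-info", "version"]:
            # SNMPv1/v2c carry the community string in cleartext.
            legacy = [v for v in tok[3:] if v in ("v1", "v2c", "all")]
            if legacy:
                findings.append((lineno, "community-version", "/".join(legacy)))
        elif tok[:2] == ["snmp-agent", "community"] and len(tok) > 3:
            access, rest = tok[2], tok[3:]
            # Assumed syntax: an optional simple/cipher keyword precedes the name.
            if rest[0] in ("simple", "cipher") and len(rest) > 1:
                rest = rest[1:]
            name = rest[0]
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community", name))
            if access == "write":
                findings.append((lineno, "write-community", name))
            if "acl" not in rest[1:]:
                findings.append((lineno, "community-no-acl", name))
        elif tok[:3] == ["snmp-agent", "group", "v3"] and len(tok) > 3:
            # Without "privacy" the group allows unencrypted SNMPv3 messages.
            level = tok[4] if len(tok) > 4 else ""
            if level != "privacy":
                findings.append((lineno, "v3-no-privacy", tok[3]))
    return findings


# Lines 1-7 are taken from the examples on this page; line 8 is constructed.
SAMPLE = "\n".join([
    "<Sysname> system-view",
    "[Sysname] snmp-agent",
    "[Sysname] snmp-agent community read public",
    "[Sysname] snmp-agent community write private",
    "[Sysname] snmp-agent sys-info version v1",
    "[Sysname] snmp-agent trap enable",
    "[Agent] snmp-agent group v3 managev3group privacy read-view test write-view test",
    "[Agent] snmp-agent group v3 monitorgroup authentication read-view test",
])

if __name__ == "__main__":
    for lineno, rule, detail in audit_snmp(SAMPLE):
        print(f"line {lineno}: {rule} ({detail})")
```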
Configuring EAA Overview Embedded Automation Architecture (EAA) is a monitoring framework that enables you to self-define monitored events and actions to take in response to an event. It allows you to create monitor policies by using the CLI or Tcl scripts. EAA framework EAA framework includes a set of event sources, a set of event monitors, a real-time event manager (RTM), and a set of user-defined monitor policies, as shown in...
RTM manages the creation, state machine, and execution of monitor policies. EAA monitor policies A monitor policy specifies the event to monitor and actions to take when the event occurs. You can configure EAA monitor policies by using the CLI or Tcl. A monitor policy contains the following elements: •...
Event type Description SNMP-Notification event occurs when the monitored MIB variable's value in an SNMP SNMP-Notification notification matches the specified condition. For example, the broadcast traffic rate on an Ethernet interface reaches or exceeds 30%. Action You can create a series of order-dependent actions to take in response to the event specified in the monitor policy.
Event-specific variable—Available only for a type of event. • Table 10 shows all system-defined variables. Table 10 System-defined EAA environment variables by event type Variable name Description Any event: _event_id Event ID. _event_type Event type. _event_type_string Event type description. _event_time Time when the event occurs.
Step Command Remarks Enter system view. system-view Configure a By default, no user-defined environment user-defined EAA rtm environment var-name variables are configured. The system provides environment var-value the system-defined variables in Table variable. Configuring a monitor policy You can configure a monitor policy by using the CLI or Tcl. Configuration restrictions and guidelines When you configure monitor policies, follow these restrictions and guidelines: Make sure the actions in different policies do not conflict.
Step Command Remarks • Configure the action to execute a command: action number cli command-line • Configure a reboot action (in standalone By default, a monitor policy does mode): not contain any actions. action number reboot [ slot slot-number Repeat this step to add a [ subslot subslot-number ] ] maximum of 232 actions to the •...
Step Command Remarks By default, the system does not have Tcl policies. This step enables the Tcl-defined policy. Create a Tcl-defined To revise the Tcl script of a policy, you rtm tcl-policy policy-name policy and bind it to must suspend all monitor policies first, and tcl-filename the Tcl script file.
Verifying the configuration
# Display information about the policy.
[Sysname-rtm-test] display rtm policy registered
Total number: 1
Type Event TimeRegistered PolicyName
Aug 29 14:56:50 2013 test
# Enable the information center to output log messages to the current monitoring terminal.
[Sysname-rtm-test] return
<Sysname>...
# Add an action that enters system view when the event occurs.
[Sysname-rtm-test] action 0 cli system-view
# Add an action that creates the interface Loopback 0 and enters loopback interface view.
[Sysname-rtm-test] action 1 cli interface loopback 0
# Add an action that assigns the IP address 1.1.1.1 to Loopback 0. The loopback0IP variable is used in the action for IP address assignment.
• The system executes the command only after it executes the policy successfully.
Figure 60 Network diagram
Configuration procedure
# Edit a Tcl script file (rtm_tcl_test.tcl, in this example) for EAA to send the message "rtm_tcl_test is running" when a command that contains the display this string is executed.
::comware::rtm::event_register cli sync mode execute pattern display this user-role network-admin
::comware::rtm::action syslog priority 1 facility local4 msg rtm_tcl_test is running...
Monitoring and maintaining processes
H3C Comware V7 is a full-featured, modular, and scalable network operating system based on the Linux kernel. Comware V7 software features run the following types of independent processes:
• User process—Runs in user space. Most Comware V7 software features run user processes. Each process runs in an independent space so the failure of a process does not affect other processes.
Configuring kernel thread deadloop detection
CAUTION: H3C recommends the default settings. Inappropriate configuration of kernel thread deadloop detection can cause service problems or system breakdown. Make sure you understand the impact of this configuration on your network before you configure kernel thread deadloop detection.
Step Command Remarks Enter system view. system-view By default, kernel thread Enable kernel thread monitor kernel deadloop enable [ slot deadloop detection is deadloop detection. slot-number [ cpu cpu-number ] ] disabled. (Optional.) Set the interval monitor kernel deadloop time interval [ slot for identifying a kernel The default is 8 seconds.
Step Command Remarks Enable kernel thread monitor kernel starvation enable [ slot By default, the function is starvation detection. slot-number [ cpu cpu-number ] ] disabled. (Optional.) Set the interval monitor kernel starvation time interval [ slot for identifying a kernel The default is 120 seconds.
Task Command Clear kernel thread starvation information. reset kernel starvation [ slot slot-number [ cpu cpu-number ] ] Execute display commands in any view and reset commands in user view (in IRF mode). Task Command display kernel deadloop show-number [ offset ] [ verbose ] Display kernel thread deadloop information.
Configuring samplers
A sampler selects a packet from among sequential packets and sends the packet to other service modules for processing. Sampling is useful when you want to limit the volume of traffic to be analyzed. The sampled data is statistically accurate and sampling decreases the impact on the forwarding capacity of the device.
• Configure fixed sampling in the inbound direction to select the first packet from among 100 packets.
• Configure random sampling in the outbound direction to select one packet randomly from among 200 packets.
Figure 61 Network diagram
Configuration procedure
# Create sampler 100 in fixed sampling mode, and set the rate to 100.
Configuring port mirroring
Overview
Port mirroring copies the packets passing through a port to a port that connects to a data monitoring device for packet analysis.
Terminology
The following terms are used in port mirroring configuration.
Mirroring source
The mirroring sources can be one or more monitored ports, which are called source ports. Packets passing through mirroring sources are copied to a port connecting to a data monitoring device for packet analysis.
Port mirroring implementation The local port mirroring has the following characteristics: • The mirroring sources and the mirroring destination are on the same device. The source device is directly connected to a data monitoring device. • The source device acts as the destination device to forward mirrored packets to the data monitoring •...
Creating a local mirroring group
Step: Enter system view.
  Command: system-view
Step: Create a local mirroring group.
  Command: mirroring-group group-id local
  Remarks: By default, no local mirroring group exists.
Configuring source ports for the local mirroring group
To configure source ports for a local mirroring group, use one of the following methods: •...
Configuring the monitor port for the local mirroring group To configure the monitor port for a mirroring group, use one of the following methods: • Configure the monitor port for the mirroring group in system view. Assign a port to the mirroring group as the monitor port in interface view. •...
Local port mirroring configuration example
Network requirements
As shown in Figure 63, configure local port mirroring to enable the server to monitor the bidirectional traffic of the Marketing department and the Technical department.
Figure 63 Network diagram
Configuration procedure
# Create local mirroring group 1.
<Device>...
NDA can collect data from multiple NSCs. Typically, the NDA features a Web-based system for easy operation. NSC and NDA are typically integrated into a NetStream server. H3C network devices act as NDEs in the NetStream system. This document focuses on NDE configuration.
Figure 64 NetStream system Flow aging NetStream uses flow aging to enable the NDE to export NetStream data to NetStream servers. NetStream creates a NetStream entry for each flow for storing the flow statistics in the cache. When the timer of the entry expires, the NDE performs the following operations: •...
For example, when the aggregation mode configured on the NDE is protocol-port, NetStream aggregates the statistics of flow entries by protocol number, source port, and destination port. Four NetStream entries record four TCP flows with the same destination address, source port, and destination port, but with different source addresses.
Aggregation mode Aggregation criteria • • Source AS number • Source prefix ToS-source-prefix aggregation • Source address mask length • Inbound interface index • • Destination AS number • Destination address mask length ToS-destination-prefix aggregation • Destination prefix • Outbound interface index •...
NetStream filtering and sampling NetStream filtering NetStream filtering uses an ACL to identify packets. Whether NetStream collects data for identified packets depends on the action in the matching rule. NetStream collects data for packets that match permit rules in the ACL. •...
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Enable NetStream on the interface.
  Command: ip netstream { inbound | outbound }
  Remarks: By default, NetStream is disabled on an interface.
Configuring NetStream filtering
When you configure NetStream filtering, follow these restrictions and guidelines:
• When NetStream filtering and sampling are both configured, packets are filtered first, and then the...
Statistics about source AS, destination AS, and peer ASs in version 5 or version 9 format. • • Statistics about BGP next hop only in version 9 format. To configure the NetStream data export format: Step Command Remarks Enter system view. system-view By default: (Optional.) Configure...
Configuring the refresh rate for NetStream version 9 templates Version 9 is template-based and supports user-defined formats. A NetStream-enabled device must periodically resend the updated template to NetStream servers, because the servers do not permanently save the template. The server cannot associate the received statistics with its proper fields when the following conditions exist: •...
Inactive flow aging—A flow is inactive if no packet arrives for this NetStream entry within the • period specified by using the ip netstream timeout inactive command. When the inactive flow aging timer expires, the following situations occur: The inactive flow entry is aged out. The statistics of the flow are sent to NetStream servers.
Step Command Remarks Exit to user view: quit (Optional.) Configure forced aging. Age out NetStream entries: reset ip netstream statistics Configuring the NetStream data export Configuring the NetStream traditional data export Step Command Remarks Enter system view. system-view Specify a destination host ip netstream export host By default, no destination host is for NetStream traditional...
NetStream configuration examples NetStream traditional data export configuration example Network requirements As shown in Figure 67, configure NetStream on Router A to collect statistics on packets passing through Router A. Enable NetStream for incoming traffic on GigabitEthernet 2/0/1 and for outgoing traffic on •...
L2 active flow entries IPL2 active flow entries IP flow entries counted MPLS flow entries counted L2 flow entries counted IPL2 flow entries counted Last statistics resetting time : Never IP packet size distribution (11 packets in total): 1-32 .000 .000 .909 .000 .000 .090 .000 .000 .000 .000 .000 .000 .000 .000 .000 576 1024 1536 2048 2560 3072 3584 4096 4608 >4608 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 Protocol...
• Router A performs NetStream aggregation in the modes of AS, protocol-port, source-prefix, destination-prefix, and prefix.
• Router A exports the aggregation data of different modes to 4.1.1.1, with UDP ports 2000, 3000, 4000, 6000, and 7000.
Figure 68 Network diagram
Configuration procedure
# Assign an IP address to GigabitEthernet 2/0/1.
# Configure the aggregation mode as destination-prefix, and specify the destination host for the aggregation data export.
[RouterA] ip netstream aggregation destination-prefix
[RouterA-ns-aggregation-dstpre] enable
[RouterA-ns-aggregation-dstpre] ip netstream export host 4.1.1.1 6000
[RouterA-ns-aggregation-dstpre] quit
# Configure the aggregation mode as prefix, and specify the destination host for the aggregation data export.
# Display the statistics of the NetStream data export.
[RouterA] display ip netstream export
AS aggregation export information:
Flow source interface : Not specified
Flow destination VPN instance : Not specified
Flow destination IP address (UDP) : 4.1.1.1 (2000)
Version 8 exported flows number
Version 8 exported UDP datagrams number (failed): 2 (0)
Version 9 exported flows number
Version 9 exported UDP datagrams number (failed): 0(0)
Flow source interface : Not specified
Flow destination VPN instance : Not specified
Flow destination IP address (UDP) : 4.1.1.1 (5000)
Version 5 exported flows number : 10
Version 5 exported UDP datagrams number (failed): 10 (0)
Version 9 exported flows number
Version 9 exported UDP datagrams number (failed): 0 (0)
NDA can collect data from multiple NSCs. Typically, the NDA features a Web-based system for easy operation. NSC and NDA are typically integrated into a NetStream server. H3C network devices act as NDEs in the IPv6 NetStream system. This document focuses on NDE configuration.
Figure 69 IPv6 NetStream system Flow aging IPv6 NetStream uses flow aging to enable the NDE to export IPv6 NetStream data to NetStream servers. IPv6 NetStream creates an IPv6 NetStream entry for each flow for storing the flow statistics in the cache. When the timer of the entry expires, the NDE does the following operations: •...
Table 13 IPv6 NetStream aggregation modes Aggregation mode Aggregation criteria • Source AS number • Destination AS number AS aggregation • Input interface index • Output interface index • Protocol number • Source port Protocol-port aggregation • Destination port • Source AS number •...
IPv6 NetStream sampling IPv6 NetStream sampling collects statistics on fewer packets and is useful when the network has a large amount of traffic. IPv6 NetStream on sampled traffic lessens the impact on the device's performance. For more information about sampling, see "Configuring samplers." IPv6 NetStream configuration task list When you configure IPv6 NetStream, choose the following configurations as needed: Select the device on which you want to enable IPv6 NetStream.
Tasks at a glance (Required.) Enabling IPv6 NetStream (Optional.) Configuring IPv6 NetStream filtering (Optional.) Configuring IPv6 NetStream sampling (Optional.) Configuring attributes of the IPv6 NetStream data export (Optional.) Configuring IPv6 NetStream flow aging (Required.) Perform at least one of the following tasks to configure the IPv6 NetStream data export: •...
Configuring IPv6 NetStream sampling Step Command Remarks Enter system view. system-view For more information sampler sampler-name mode { fixed | random } Create a sampler. about samplers, see packet-interval rate "Configuring samplers." Enter interface view. interface interface-type interface-number Configure IPv6 ipv6 netstream { inbound | outbound } sampler By default, IPv6 NetStream NetStream sampling.
Figure 71 Recorded AS information varies by different keyword configurations To configure the IPv6 NetStream data export format: Step Command Remarks Enter system view. system-view By default: • The version 9 format is used to export IPv6 NetStream traditional data, IPv6 (Optional.) Configure the NetStream aggregation data, IPv6 NetStream data export...
The refresh frequency and the refresh interval can both be configured. The template is resent when either of the conditions is reached. To configure the refresh rate for IPv6 NetStream version 9 templates: Step Command Remarks Enter system view. system-view •...
collect its statistics, which can be displayed by using the display ipv6 netstream cache command. The active flow aging method periodically exports the statistics of active flows to NetStream servers. Forced aging To implement forced aging, use one of the following commands: Use the reset ipv6 netstream statistics command.
IPv6 IPv6 address. ipv6 netstream export source interface NetStream data packets interface-type interface-number H3C recommends that you sent to the NetStream connect the management servers. Ethernet interface to a NetStream server, and configure the interface as the source interface.
Step Command Remarks By default, no source interface is specified for IPv6 NetStream data packets. The packets take the primary IPv6 address of the output interface as the source IPv6 address. (Optional.) Specify the source interface for IPv6 You can configure different ipv6 netstream export source interface NetStream data packets source interfaces in different...
IPv6 NetStream configuration examples IPv6 NetStream traditional data export configuration example Network requirements As shown in Figure 72, configure IPv6 NetStream on Router A to collect statistics on packets passing through Router A. Enable IPv6 NetStream for incoming and outgoing traffic on GigabitEthernet 2/0/1. •...
Figure 73 Network diagram
Configuration procedure
# Assign an IP address to GigabitEthernet 2/0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ipv6 address 10::1/64
# Enable IPv6 NetStream for incoming and outgoing traffic on GigabitEthernet 2/0/1.
[RouterA-GigabitEthernet2/0/1] ipv6 netstream inbound
[RouterA-GigabitEthernet2/0/1] ipv6 netstream outbound
[RouterA-GigabitEthernet2/0/1] quit
# Specify the export destination host as 40::1 with UDP port 5000.
[RouterA-ns6-aggregation-dstpre] ipv6 netstream export host 40::1 6000
[RouterA-ns6-aggregation-dstpre] quit
# Configure the aggregation mode as prefix, and specify the destination host for the aggregation data export.
[RouterA] ipv6 netstream aggregation prefix
[RouterA-ns6-aggregation-prefix] enable
[RouterA-ns6-aggregation-prefix] ipv6 netstream export host 40::1 7000
[RouterA-ns6-aggregation-prefix] quit
Verifying the configuration
# Display the statistics of the IPv6 NetStream data export.
Flow source interface : Not specified
Flow destination VPN instance : Not specified
Flow destination IP address (UDP) : 40::1 (5000)
Version 9 exported flows number
Version 9 exported UDP datagrams number (failed): 0 (0)
Configuring the information center The information center on a device classifies and manages logs for all modules so that network administrators can monitor network performance and troubleshoot network problems. Overview The information center receives logs generated by source modules and outputs logs to different destinations according to user-defined output rules.
Table 14 Log levels Severity Level Description value Emergency The system is unusable. For example, the system authorization has expired. Action must be taken immediately. For example, traffic on an interface exceeds Alert the upper limit. Critical condition. For example, the device temperature exceeds the upper limit, Critical the power module fails, or the fan tray fails.
Table 16 Default output rule for diagnostic logs Destination Log source modules Output switch Severity Diagnostic log file All supported modules Enabled Debug Default output rules for security logs Security logs can only be output to the security log file, and cannot be filtered by source modules and severity levels.
The actual format varies by the log resolution tool used. Table 21 Log formats Output destination Format Example %Nov 24 14:21:43:502 2010 H3C Console, monitor SYSLOG/6/SYSLOG_RESTART: Prefix Timestamp Sysname terminal, log buffer, or System restarted –-...
IP address) You can use the sysname command to modify the name of the device. Indicates that the information was generated by an H3C device. %% (vendor ID) This field exists only in logs sent to the log host.
Table 24 Description of the timestamp parameters
Timestamp parameter: boot
  Description: Time that has elapsed since system startup, in the format of xxx.yyy. xxx represents the higher 32 bits, and yyy represents the lower 32 bits, of milliseconds elapsed.
  Example: %0.109391473 Sysname FTPD/5/FTPD_LOGIN: User ftp (192.168.1.23) has logged in
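The following added example (not part of the H3C manual) parses the console, monitor terminal, and log buffer line layout seen in the two example lines on this page, including the boot timestamp whose two fields are the higher and lower 32 bits of a millisecond counter, and then keeps only records at or above a chosen severity, as an output rule would. The dictionary keys, the function names, and the severity names for values 3 to 5 (the level table is cut off on this page) are assumptions; the last two sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Severity values 0-7. The level table is cut off on this page, so the names
# for values 3-5 are an assumption taken from standard syslog numbering.
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debug"}
LEVEL_BY_NAME = {name: value for value, name in SEVERITY.items()}
MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# '%' prefix, timestamp (date form or boot form), sysname,
# MODULE/level/MNEMONIC, then free-text content.
LINE_RE = re.compile(
    r"^%(?:(?P<date>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4})"
    r"|(?P<boot>\d+\.\d+)) "
    r"(?P<sysname>\S+) "
    r"(?P<module>[A-Z][A-Z0-9_]*)/(?P<level>[0-7])/"
    r"(?P<mnemonic>[A-Z][A-Z0-9_]*): "
    r"(?P<content>.*)$")


def parse_date(text):
    """'Nov 24 14:21:43:502 2010' -> datetime with millisecond precision."""
    mon, day, clock, year = text.split()
    hour, minute, second, millis = (int(p) for p in clock.split(":"))
    return datetime(int(year), MONTHS[mon], int(day),
                    hour, minute, second, millis * 1000)


def parse_boot(text):
    """'xxx.yyy' -> uptime; xxx is the higher and yyy the lower 32 bits of ms."""
    high, low = (int(p) for p in text.split("."))
    if low >= 2 ** 32:
        raise ValueError("lower word does not fit in 32 bits")
    return timedelta(milliseconds=(high << 32) | low)


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        when = parse_date(m["date"]) if m["date"] else None
        uptime = parse_boot(m["boot"]) if m["boot"] else None
    except (KeyError, ValueError):  # unknown month, impossible date, bad word
        return None
    level = int(m["level"])
    return {"time": when, "uptime": uptime, "sysname": m["sysname"],
            "module": m["module"], "level": level,
            "severity": SEVERITY[level], "mnemonic": m["mnemonic"],
            "content": m["content"]}


def parse_lines(lines):
    """Split input into parsed records and the raw lines that were rejected."""
    records, rejected = [], []
    for line in lines:
        record = parse_line(line)
        if record is None:
            rejected.append(line)
        else:
            records.append(record)
    return records, rejected


def at_least(records, level_name):
    """Keep records whose severity is at least level_name (lower value = more severe)."""
    limit = LEVEL_BY_NAME[level_name]
    return [r for r in records if r["level"] <= limit]


SAMPLE = [
    # Reassembled from the garbled tables on this page:
    "%Nov 24 14:21:43:502 2010 H3C SYSLOG/6/SYSLOG_RESTART: System restarted",
    "%0.109391473 Sysname FTPD/5/FTPD_LOGIN: User ftp (192.168.1.23) has logged in",
    # Constructed for this example:
    "%Nov 24 14:21:44:010 2010 H3C EXAMPLE/7/EXAMPLE_DEBUG: constructed debug-level line",
    "Nov 24 14:21:45 H3C constructed line without prefix or module field",
]

if __name__ == "__main__":
    parsed, bad = parse_lines(SAMPLE)
    for rec in at_least(parsed, "informational"):
        print(rec["time"] or rec["uptime"], rec["module"], rec["severity"], rec["content"])
    print("rejected:", len(bad))
```

Lines that fail to parse are returned separately rather than dropped, so a collector can count or inspect them.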
Task at a glance • Outputting logs to the log buffer • Saving logs to a log file (Optional.) Managing security logs (Optional.) Saving diagnostic logs to a diagnostic log file (Optional.) Configuring the maximum size of the trace log file (Optional.) Outputting custom NAT444 logs to a log host (Optional.)
Step Command Remarks By default, the information center is Enable the information center. info-center enable enabled. info-center source { module-name | For information about default Configure an output rule for default } { console | monitor | output rules, see "Default output the monitor terminal.
Outputting logs to the log buffer Step Command Remarks Enter system view. system-view By default, the information center is Enable the information center. info-center enable enabled. Enable log output to the log By default, log output to the log info-center logbuffer buffer.
Step Command Remarks By default, the maximum size of a log file is 2 MB. (Optional.) Configure the info-center logfile size-quota size To ensure normal operation, set the maximum size for a log file. size argument to a value between 1 MB and 10 MB.
Step Command Remarks Enter system view. system-view By default, the information center is Enable the information center. info-center enable enabled. Enable the saving of the By default, saving security logs to security logs to the security log info-center security-logfile enable the security log file is disabled.
The device supports multiple diagnostic log files. Each diagnostic log file has a maximum capacity. The diagnostic log files are named as diagfile1.log, diagfile2.log, and so on. When the capacity of diagfile1.log is reached, the system compresses diagfile1.log as diagfile1.log.gz and creates a new log file named diagfile2.log.
Step: Enter system view.
  Command: system-view
Step: Set the maximum size of the trace log file.
  Command: info-center trace-logfile quota size
  Remarks: By default, the maximum size of the trace log file is 1 MB.
Outputting custom NAT444 logs to a log host
Step Command Remarks...
Enabling duplicate log suppression The output of consecutive duplicate logs at an interval of less than 30 seconds wastes system and network resources. With this feature enabled, the system starts a suppression period upon outputting a log: During the suppression period, the system does not output logs that have the same module name, •...
Displaying and maintaining information center Execute display commands in any view and reset commands in user view. Task Command Display the information of each output destination. display info-center Display the state and the log information of the log display logbuffer [ reverse ] [ level severity | size buffer (in standalone mode).
# Enable the display of logs on the console. (This function is enabled by default.)
<Device> terminal logging level 6
<Device> terminal monitor
The current terminal is enabled to display logs.
Now, if the FTP module generates logs, the information center automatically sends the logs to the console, and the console displays the logs.
local4.info /var/log/Device/info.log
In this configuration, local4 is the name of the logging facility that the log host uses to receive logs. info is the informational level. The UNIX system records the log information that has a severity level of at least informational to the file /var/log/Device/info.log.
NOTE: Follow these guidelines while editing the file /etc/syslog.conf:
Comments must be on a separate line and must begin with a pound sign (#).
# Configure an output rule that sends FTP logs with a severity level of at least informational to the log host.
[Device] info-center source ftp loghost level informational
Configure the log host:
The following configurations were performed on Solaris. Other UNIX operating systems have similar configurations.
Configuring flow log Flow log records users' access to external networks based on flows. Each flow is identified by a 5-tuple of the source IP address, destination IP address, source port, destination port, and protocol number. Flow log creates entries based on NAT sessions. You can export these entries to the information center or log hosts.
Field: Operator
Description: Reasons why a flow log was generated:
• 0—Reserved.
• 1—Flow was ended normally.
• 2—Flow was aged out because of aging timer expiration.
• 3—Flow was aged out because of configuration change.
• 4—Flow was aged out because of insufficient resources.
•...
Flow log configuration task list Task at a glance (Optional.) Configuring the flow log version (Optional.) Specifying a source IP address for flow log packets (Optional.) Enabling load balancing for flow log entries (Optional.) Configuring the timestamp of flow logs (Required.) Perform one of the following tasks for flow log export: •...
H3C recommends that you use a Loopback interface's address as the source IP address for flow log packets. A Loopback interface is always up. The setting avoids export failure on interfaces that might go down. To configure the source IP address for flow log packets:...
Specifying a flow log export destination You can export flow log entries to a log host or the information center, but not both. If you configure both methods, the system exports flow log entries to the information center. • If the destination is a log host, flow log entries are sent as binary characters in UDP. One UDP packet can contain multiple log entries.
Flow log configuration example Network requirements As shown in Figure 78, configure flow log on the device to send flow log entries generated for the user to the log host. Figure 78 Network diagram Configuration procedure # Configure IP addresses, as shown in the network diagram. Make sure the device and the log host can reach each other.