HPE 5820X Series Configuration Manuals

HPE 5820X & 5800 Switch Series

Network Management and Monitoring

Configuration Guide

Part number: 5998-7395R
Software version: Release 1810
Document version: 6W100-20160129

Summary of Contents for HPE 5820X Series

  • Page 1: Network Management And Monitoring

    HPE 5820X & 5800 Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-7395R Software version: Release 1810 Document version: 6W100-20160129...
  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Using ping, tracert, and system debugging; Ping; Using a ping command to test network connectivity; Ping example; Tracert; Prerequisites; Using a tracert command to identify failed or all nodes in a path; System debugging...
  • Page 4 FIPS compliance; Information center configuration task list; Outputting system information to the console; Outputting system information to the monitor terminal; Outputting system information to a log host; Outputting system information to the trap buffer; Outputting system information to the log buffer...
  • Page 5 Port mirroring classification and implementation; Configuring local port mirroring; Local port mirroring configuration task list; Creating a local mirroring group; Configuring source ports for a local mirroring group; Configuring source CPUs for a local mirroring group; Configuring the monitor port for a local mirroring group...
  • Page 6 Configuring the collaboration function; Configuring threshold monitoring; Configuring the NQA statistics function; Configuring the saving function of NQA history records; Scheduling an NQA operation; Displaying and maintaining NQA; NQA configuration examples...
  • Page 7 Terminology; IPv6 NetStream key technologies; Flow aging; Data export; IPv6 NetStream export format; IPv6 NetStream configuration task list; Enabling IPv6 NetStream on an interface; Configuring IPv6 NetStream data export; Configuring IPv6 NetStream traditional data export...
  • Page 8 Configuring the DNS server; Configuring ACS and CPE attributes through ACS; Configuring CWMP at the CLI; Enabling CWMP; Configuring the ACS attributes; Configuring the ACS URL; Configuring the ACS username and password; Configuring CPE attributes...
  • Page 9 Document conventions and icons; Conventions; Network topology icons; Support and other resources; Accessing Hewlett Packard Enterprise Support; Accessing updates; Websites; Customer self repair; Remote support; Documentation feedback...
  • Page 10: Using Ping, Tracert, And System Debugging

    Using ping, tracert, and system debugging Use the ping, tracert, and system debugging utilities to test network connectivity and identify network problems. Ping The ping utility sends ICMP echo requests (ECHO-REQUEST) to the destination device. Upon receiving the requests, the destination device responds with ICMP echo replies (ECHO-REPLY) to the source device.
  • Page 11: Test Procedure

    Figure 1 Network diagram

    Test procedure

    # Use the ping command on Device A to test connectivity to Device C.
    <DeviceA> ping 1.1.2.2
    PING 1.1.2.2: 56 data bytes, press CTRL_C to break
    Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=205 ms
    Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms...
  • Page 12: Tracert

    1.1.1.2
    1.1.1.1
    Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
    Record Route:
    1.1.2.1
    1.1.2.2
    1.1.1.2
    1.1.1.1
    Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
    Record Route:
    1.1.2.1
    1.1.2.2
    1.1.1.2
    1.1.1.1
    --- 1.1.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/11/53 ms

    The test procedure with the ping –r command (see...
  • Page 13: Prerequisites

    Enable sending of ICMP timeout packets on the intermediate devices (devices between the source and destination devices). If the intermediate devices are HPE devices, execute the ip ttl-expires enable command on the devices. For more information about this command, see Layer 3—IP Services Command Reference.
  • Page 14: Using A Tracert Command To Identify Failed Or All Nodes In A Path

    • Enable sending of ICMPv6 timeout packets on the intermediate devices (devices between the source and destination devices). If the intermediate devices are HPE devices, execute the ipv6 hoplimit-expires enable command on the devices. For more information about this command, see Layer 3—IP Services Command Reference.
  • Page 15: Debugging A Feature Module

    Figure 3 Relationship between the protocol-debugging switch and screen-output switch Debugging a feature module Output of debugging commands is memory intensive. To guarantee system performance, enable debugging only for modules that are in an exceptional condition. When debugging is complete, use the undo debugging all command to disable all the debugging functions.
  • Page 16: Ping And Tracert Example

    Ping and tracert example Network requirements As shown in Figure 4, Device A failed to Telnet to Device C. Determine whether Device A and Device C can reach each other. If they cannot reach each other, locate the failed nodes in the network. Figure 4 Network diagram Test procedure Use the ping command to test connectivity between Device A and Device C.
  • Page 17 Use the debugging ip icmp command on Device A and Device C to verify that they can send and receive the specific ICMP packets, or use the display ip routing-table command to verify the availability of active routes between Device A and Device C.
  • Page 18: Configuring Ntp

    Configuring NTP This chapter provides an overview of NTP configuration. Overview NTP is typically used in large networks to dynamically synchronize time among network devices. It guarantees higher clock accuracy than manual system clock setting. In a small network that does not require high clock accuracy, you can keep time synchronized among devices by changing their system clocks one by one.
  • Page 19: Ntp Message Format

    Figure 5 Basic work flow of NTP The synchronization process is as follows: • Device A sends Device B an NTP message, which is timestamped when it leaves Device A. The timestamp is 10:00:00 am (T1). • When this NTP message arrives at Device B, it is timestamped by Device B. The timestamp is 11:00:01 am (T2).
  • Page 20 Figure 6 Clock synchronization message format The main fields are described as follows: • LI (Leap Indicator)—A 2-bit leap indicator. If set to 11, it warns of an alarm condition (clock unsynchronized). If set to any other value, it is not to be processed by NTP. •...
  • Page 21: Operation Modes

    • Originate Timestamp—The local time at which the request departed from the client for the service host. • Receive Timestamp—The local time at which the request arrived at the service host. • Transmit Timestamp—The local time at which the reply departed from the service host for the client.
  • Page 22 Symmetric peers mode Figure 8 Symmetric peers mode In symmetric peers mode, devices that operate in symmetric active mode and symmetric passive mode exchange NTP messages with the Mode field 3 (client mode) and 4 (server mode). Then the device that operates in symmetric active mode periodically sends clock synchronization messages, with the Mode field in the messages set to 1 (symmetric active).
  • Page 23: Ntp For Vpns

    Multicast mode Figure 10 Multicast mode In multicast mode, a server periodically sends clock synchronization messages to the user-configured multicast address, or, if no multicast address is configured, to the default NTP multicast address 224.0.1.1, with the Mode field in the messages set to 5 (multicast mode). Clients listen to the multicast messages from servers.
  • Page 24: Ntp Configuration Task List

    Figure 11 Network diagram

    NTP configuration task list

    Task | Remarks
    Configuring NTP operation modes | Required.
    Configuring optional parameters | Optional.
    Configuring the DSCP value for NTP messages | Optional.
    Configuring NTP authentication | Optional.

    Configuring NTP operation modes

    Devices can implement clock synchronization in one of the following modes: •...
  • Page 25: Configuring The Symmetric Peers Mode

    Step Command Remarks By default, no NTP server is specified. ntp-service unicast-server In this command, the ip-address [ vpn-instance argument must be a unicast vpn-instance-name ] { ip-address address, rather than a broadcast Specify an NTP server for | server-name } address, a multicast address or the device.
  • Page 26: Configuring The Multicast Mode

    broadcast server for sending NTP broadcast messages and on each broadcast client for receiving broadcast messages. Configuring a broadcast client Step Command Remarks Enter system view. system-view Enter Layer 3 Ethernet This command enters the view of interface interface-type interface view or VLAN the interface for sending NTP interface-number interface view.
  • Page 27: Configuring Optional Parameters

    Step Command Remarks Enter Layer 3 Ethernet This command enters the view of interface interface-type interface view or VLAN the interface for sending NTP interface-number multicast messages. interface view. ntp-service multicast-server A multicast server can Configure the device to [ ip-address ] synchronize broadcast clients operate in NTP multicast [ authentication-keyid keyid | ttl...
  • Page 28: Configuring The Allowed Maximum Number Of Dynamic Sessions

    Step | Command | Remarks
    Enter Layer 3 Ethernet interface view or VLAN interface view. | interface interface-type interface-number |
    Disable the interface from receiving NTP messages. | ntp-service in-interface disable | By default, an interface is enabled to receive NTP messages.

    Configuring the allowed maximum number of dynamic sessions

    NTP has the following types of associations: •...
  • Page 29: Configuring Access-Control Rights

    Configuring access-control rights From the highest to lowest, the NTP service access-control rights are peer, server, synchronization, and query. If a device receives an NTP request, it performs an access-control right match and uses the first matched right. If no matched right is found, the device drops the NTP request.
  • Page 30: Configuring Ntp Authentication In Client/Server Mode

    Configuring NTP authentication in client/server mode Follow these instructions to configure NTP authentication in client/server mode: • A client can synchronize to the server only when you configure all the required tasks on both the client and server. • On the client, if NTP authentication is not enabled or no key is specified to associate with the NTP server, the client is not authenticated.
  • Page 31: Configuring Ntp Authentication In Symmetric Peers Mode

    Configuring NTP authentication in symmetric peers mode Follow these instructions to configure NTP authentication in symmetric peers mode: • An active symmetric peer can synchronize to the passive symmetric peer only when you configure all the required tasks on both the active symmetric peer and passive symmetric peer. •...
  • Page 32: Configuring Ntp Authentication In Broadcast Mode

    Step Command Remarks By default, no NTP authentication key is configured. ntp-service Configure an NTP authentication-keyid keyid Configure the same authentication key. authentication-mode md5 authentication key on the active [ cipher | simple ] value symmetric peer and passive symmetric peer. Configure the key as a ntp-service reliable By default, the authentication key...
  • Page 33: Configuring Ntp Authentication In Multicast Mode

    Step | Command | Remarks
    Associate the specified key with the broadcast server. | ntp-service broadcast-server authentication-keyid keyid | You can associate a non-existing key with the broadcast server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the broadcast server.
  • Page 34: Displaying And Maintaining Ntp

    Step | Command | Remarks
    Associate the specified key with the multicast server. | ntp-service multicast-server authentication-keyid keyid | You can associate a non-existing key with the multicast server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the multicast server.
  • Page 35: Configuring The Ntp Symmetric Mode

    Clock stratum: 16
    Reference clock ID: none
    Nominal frequency: 64.0000 Hz
    Actual frequency: 64.0000 Hz
    Clock precision: 2^7
    Clock offset: 0.0000 ms
    Root delay: 0.00 ms
    Root dispersion: 0.00 ms
    Peer dispersion: 0.00 ms
    Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)
    # Specify Device A as the NTP server of Device B so that Device B synchronizes to Device A.
  • Page 36

    Figure 13 Network diagram

    Configuration procedure

    Configure IP addresses for interfaces. (Details not shown.)
    Configure Device B:
    # Specify Device A as the NTP server of Device B.
    <DeviceB> system-view
    [DeviceB] ntp-service unicast-server 3.0.1.31
    Display the NTP status of Device B after clock synchronization.
    [DeviceB] display ntp-service status
    Clock status: synchronized
    Clock stratum: 3...
  • Page 37: Configuring Ntp Broadcast Mode

    Clock precision: 2^18
    Clock offset: -21.1982 ms
    Root delay: 15.00 ms
    Root dispersion: 775.15 ms
    Peer dispersion: 34.29 ms
    Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)

    The output shows that Device C has synchronized to Device B because it has a higher stratum than Device B.
  • Page 38: Configuring Ntp Multicast Mode

    [SwitchC] interface vlan-interface 2
    [SwitchC-Vlan-interface2] ntp-service broadcast-server
    Configure Switch A:
    # Configure Switch A to operate in broadcast client mode and receive broadcast messages on VLAN-interface 2.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ntp-service broadcast-client
    Configure Switch B:
    # Configure Switch B to operate in broadcast client mode and receive broadcast messages on VLAN-interface 2.
  • Page 39 • Switch A and Switch D operate in multicast client mode and receive multicast messages through VLAN-interface 3 and VLAN-interface 2 respectively. Figure 15 Network diagram Configuration procedure Set the IP address for each interface as shown in Figure 15. (Details not shown.) Configure Switch C: # Configure Switch C to operate in multicast server mode and send multicast messages through VLAN-interface 2.
  • Page 40

    # Display NTP session information for Switch D, which shows that an association has been set up between Switch D and Switch C.
    [SwitchD-Vlan-interface2] display ntp-service sessions
    source reference stra reach poll offset delay disper
    **************************************************************************
    [1234] 3.0.1.31 127.127.1.0 -16.0 31.0 16.6
    note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured...
  • Page 41: Configuring Ntp Client/Server Mode With Authentication

    [SwitchA-Vlan-interface3] display ntp-service sessions
    source reference stra reach poll offset delay disper
    **************************************************************************
    [1234] 3.0.1.31 127.127.1.0 -16.0 40.0 16.6
    note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
    Total associations :

    For more information about configuring IGMP and PIM, see IP Multicast Configuration Guide.

    Configuring NTP client/server mode with authentication

    Network requirements

    As shown in...
  • Page 42: Configuring Ntp Broadcast Mode With Authentication

    Clock stratum: 3
    Reference clock ID: 1.0.1.11
    Nominal frequency: 64.0000 Hz
    Actual frequency: 64.0000 Hz
    Clock precision: 2^7
    Clock offset: 0.0000 ms
    Root delay: 31.00 ms
    Root dispersion: 1.05 ms
    Peer dispersion: 7.81 ms
    Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)

    The output shows that Device B has synchronized to Device A.
  • Page 43

    Configuration procedure

    Set the IP address for each interface as shown in Figure 17. (Details not shown.)
    Configure Switch A:
    # Configure Switch A to operate in NTP broadcast client mode and receive NTP broadcast messages on VLAN-interface 2.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ntp-service broadcast-client
    Configure Switch B:...
  • Page 44

    # NTP authentication is enabled on Switch B, but not enabled on Switch C, so Switch B cannot synchronize to Switch C.
    [SwitchB-Vlan-interface2] display ntp-service status
    Clock status: unsynchronized
    Clock stratum: 16
    Reference clock ID: none
    Nominal frequency: 100.0000 Hz
    Actual frequency: 100.0000 Hz
    Clock precision: 2^18
    Clock offset: 0.0000 ms...
  • Page 45: Configuring Mpls Vpn Time Synchronization In Client/Server Mode

    Clock status: synchronized
    Clock stratum: 4
    Reference clock ID: 3.0.1.31
    Nominal frequency: 64.0000 Hz
    Actual frequency: 64.0000 Hz
    Clock precision: 2^7
    Clock offset: 0.0000 ms
    Root delay: 31.00 ms
    Root dispersion: 8.31 ms
    Peer dispersion: 34.30 ms
    Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

    Configuring MPLS VPN time synchronization in client/server mode

    Network requirements...
  • Page 46: Configuring Mpls Vpn Time Synchronization In Symmetric Peers Mode

    Configuration procedure Before you perform the following configuration, be sure you have completed MPLS VPN-related configurations, and make sure of the reachability between CE 1 and PE 1, between PE 1 and PE 2, and between PE 2 and CE 3. For information about configuring MPLS VPN, see MPLS Configuration Guide.
  • Page 47

    <PE1> system-view
    [PE1] ntp-service unicast-peer vpn-instance vpn1 10.1.1.1
    # Display NTP session information and status information on PE 1 a certain period of time later. This information should show that PE 1 has synchronized to CE 1, with the clock stratum level
    [PE1] display ntp-service status
    Clock status: synchronized
    Clock stratum: 2...
  • Page 48: Configuring The Information Center

    Configuring the information center This chapter describes how to configure the information center. Overview The information center collects and classifies system information as follows: • Receives system information including log, trap, and debugging information from source modules. • Outputs the information to different information channels, according to output rules. •...
  • Page 49: System Information Channels And Output Destinations

    Corresponding Severity Severity Description keyword in value commands Critical condition. For example, the device temperature Critical exceeds the upper limit, the power module fails, or the critical fan tray fails. Error Error condition. For example, the link state changes. errors Warning condition.
  • Page 50: Default Output Rules Of System Information

    Default output rules of system information A default output rule specifies the system information source modules, information type, and severity levels for an output destination. Table 3 shows the default output rules. Table 3 Default output rules Trap Debug Source Destinatio module Status...
  • Page 51 IP address) • If the system information is in the HPE format, the field is displayed as the system name of the device that generated the system information. You can use the sysname command to modify the local system name. For more information, see Fundamentals Command Reference.
  • Page 52 UNICOM format. This optional field identifies the source of the information. It is displayed only when the system information is sent to a log host in HPE format. It can take one of the following values: source •...
  • Page 53: Fips Compliance

    Timestamp Description Example parameters %May 30 05:36:29:579 2003 Sysname FTPD/5/FTPD_LOGIN: User ftp Current date and time, in the format of mm dd hh:mm:ss:xxx yyy. (192.168.1.23) has logged in date successfully. All system information supports this parameter. May 30 05:36:29:579 2003 is a timestamp in the date format.
  • Page 54: Outputting System Information To The Console

    Configurations for the information output destinations function independently. Outputting system information to the console Step Command Remarks Enter system view. system-view Optional. Enable the information info-center enable center. Enabled by default. Optional. info-center channel Specify a name for a channel channel-number name Table 2 for default channel...
  • Page 55: Outputting System Information To A Log Host

    Step | Command | Remarks
    Enter system view. | system-view |
    Enable the information center. | info-center enable | Optional. Enabled by default.
    Specify a name for a channel identified by its number. | info-center channel channel-number name channel-name | Optional. See Table 2 for default channel names.
    Configure an output channel... | info-center monitor channel... | Optional. By default, system information is...
  • Page 56: Outputting System Information To The Trap Buffer

    Set the format to UNICOM: Optional. info-center format unicom Set the system Use either approach. • information format. Set the format to HPE: HPE by default. undo info-center format By default, no log host or related parameters are specified. info-center loghost [ vpn-instance...
  • Page 57: Outputting System Information To The Log Buffer

    Step Command Remarks Optional. info-center channel Specify a name for a channel channel-number name Table 2 for default channel identified by its number. channel-name names. Optional. info-center trapbuffer [ channel Configure an output channel By default, system information is { channel-number | for the trap buffer and set the output to the trap buffer through channel-name } | size buffersize ]...
  • Page 58: Outputting System Information To The Snmp Module

    Outputting system information to the SNMP module The SNMP module receives the trap information only, and discards the log and debugging information. To monitor device running status, trap information is usually sent to the SNMP NMS. For this purpose, you must configure output of traps to the SNMP module, and set the trap sending parameters for the SNMP module.
  • Page 59: Saving System Information To The Log File

    Step Command Remarks Optional. info-center channel Specify a name for a channel channel-number name Table 2 for default channel identified by its number. channel-name names. Optional. info-center syslog channel Configure an output channel By default, system information is { channel-number | for the Web interface.
  • Page 60: Saving Security Logs Into The Security Log File

    Step Command Remarks By default, log file overwrite-protection is disabled. The all-port-powerdown keyword causes the system to shut down all physical ports, including the console port, the info-center logfile management Ethernet port, IRF Enable log file overwrite-protection ports, and ports configured with overwrite-protection.
  • Page 61: Managing The Security Log File

    alarm threshold for the security log file usage. When the alarm threshold is reached, the system outputs a message to inform the administrator. The administrator can log in to the device as the security log administrator and back up the security log file to prevent the loss of important data. By default, security logs are not saved into the security log file.
  • Page 62

    Task | Command | Remarks
    • Display the contents of the specified file: more file-url
    • Display information about all files and folders: dir [ /all ] [ file-url ]
    • Create a folder in a specified directory on the storage medium: mkdir directory
    •...
  • Page 63: Enabling Synchronous Information Output

    Task Command Remarks • Establish an SFTP connection in an IPv4 network: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange |...
  • Page 64: Disabling An Interface From Generating Link Up/Down Logging Information

    If system information, such as log information, is output before you input any information under the current command line prompt, the system does not display the command line prompt. If system information is output when you are inputting some interactive information (non Y/N confirmation information), the system displays your previous input in a new line but does not display the command line prompt.
  • Page 65: Information Center Configuration Examples

    Task | Command | Remarks
    Display the state and the log information of the log buffer. | display logbuffer [ reverse ] [ level severity | size buffersize | slot slot-number ] * [ | { begin | exclude | include } regular-expression ] | Available in any view.
    Display the summary of the log... | display logbuffer summary [ level... |
  • Page 66: Outputting Log Information To A Unix Log Host

    [Sysname] info-center source ip channel console log level informational state on
    [Sysname] quit
    # Enable the display of log information on the console. (This function is enabled by default.)
    <Sysname> terminal monitor
    Info: Current terminal monitor is on.
    <Sysname> terminal logging
    Info: Current terminal logging is on.
  • Page 67: Outputting Log Information To A Linux Log Host

    b. Create a subdirectory named Device in directory /var/log/, and then create file info.log in the Device directory to save logs from Device.
    # mkdir /var/log/Device
    # touch /var/log/Device/info.log
    c. Edit the file syslog.conf in directory /etc/ and add the following content.
    # Device configuration messages
    local4.info /var/log/Device/info.log...
  • Page 68: Saving Security Logs Into The Security Log File

    # Configure an output rule to output to the log host the log information that has a severity level of at least informational.
    [Sysname] info-center source default channel loghost log level informational state on debug state off trap state off
    Disable the output of unnecessary information of all modules on the specified channel in the output rule....
  • Page 69 Figure 23 Network diagram Configuration considerations The configuration in this example includes two parts: Log in to the device as the system administrator Enable saving security logs into the security log file and set the saving interval to one hour. Create a local user seclog with the password 123123123123, and authorize this user as the security log administrator.
  • Page 70

    # According to the network plan, the user logs in to the device through SSH or Telnet, so configure the authentication mode of the VTY user interface as scheme.
    [Sysname] user-interface vty 0 15
    [Sysname-ui-vty0-15] authentication-mode scheme
    [Sysname-ui-vty0-15] quit

    Configuration performed by the security log administrator

    # Log in to the device as user seclog....
  • Page 71

    # Display the contents of the security log file.
    <Sysname> more securitylog/seclog.log
    %@157 Nov 2 16:12:01:750 2009 Sysname SHELL/4/LOGIN: Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console
    %@158 Nov 2 16:12:01:750 2009 Sysname SHELL/5/SHELL_LOGIN:Console logged in from aux0.
    The content of other logs is not shown.
    # Back up the security log file onto SFTP server 192.168.1.2....
  • Page 72: Configuring Snmp

    Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration procedure. Overview SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies.
  • Page 73: Snmp Operations

    Figure 25 MIB tree A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privilege and is identified by a view name. The MIB objects included in the MIB view are accessible while those excluded from the MIB view are inaccessible. A MIB view can have multiple view records each identified by a view-name oid-tree pair.
  • Page 74: Configuring Snmp Basic Parameters

    Configuring SNMP basic parameters SNMPv3 differs from SNMPv1 and SNMPv2c in many ways. Their configuration procedures are described in separate sections. Configuring SNMPv3 basic parameters Step Command Remarks Enter system view. system-view Optional. By default, the SNMP agent is disabled. You can also enable the SNMP Enable the SNMP agent.
  • Page 75: Configuring Snmpv1 Or Snmpv2C Basic Parameters

    Step Command Remarks snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] Configure an SNMPv3 By default, no SNMP group [ write-view write-view ] group. exists. [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] * snmp-agent calculate-password...
  • Page 76 Step Command Remarks Optional. By default, the SNMP agent is disabled. You can also enable the SNMP agent Enable the SNMP service by using any command that snmp-agent agent. begins with snmp-agent except the snmp-agent calculate-password and snmp-agent ifmib long-ifindex enable commands.
  • Page 77: Switching The Nm-Specific Interface Index Format

    Step Command Remarks Configure the Optional. maximum size (in snmp-agent packet max-size By default, the SNMP agent can receive bytes) of SNMP byte-count and send the SNMP packets up to 1500 packets for the bytes. SNMP agent. Set the DSCP value Optional.
  • Page 78: Configuration Procedure

    • An NM-specific ifindex format change invalidates the NM-specific ifindex dependent settings, and these settings cannot become valid until you switch the format back. To use these settings in the new format, you must re-configure them. For example, if an RMON alarm group or private alarm group has alarm variables in the format OID/variable-name.NM-specific-ifindex, you must reconfigure these variables after an NM-specific ifindex format change.
  • Page 79: Enabling Snmp Traps

    Traps fall into generic traps and vendor-specific traps. Generic traps include authentication, coldstart, linkdown, linkup and warmstart. All other traps are vendor-defined. SNMP traps generated by a module are sent to the information center. You can configure the information center to enable or disable outputting the traps from a module by severity and set output destinations.
  • Page 80 • Complete the basic SNMP settings and verify that they are the same as on the NMS. If SNMPv1 or SNMPv2c is used, you must configure a community name. If SNMPv3 is used, you must configure an SNMPv3 user and MIB view. •...
  • Page 81: Displaying And Maintaining Snmp

    Displaying and maintaining SNMP Task Command Remarks Display SNMP agent system display snmp-agent sys-info [ contact | information, including the location | version ]* [ | { begin | exclude | Available in any view. contact, physical location, and include } regular-expression ] SNMP version.
  • Page 82 Figure 27 Network diagram Configuration procedure Configure the SNMP agent: # Configure the IP address of the agent, and make sure the agent and the NMS can reach each other. (Details not shown.) # Specify SNMPv1 and SNMPv2c, and create a read-only community public and a read and write community private.
  • Page 83: Snmpv3 Configuration Example

    Command = Trap
    Enterprise = 1.3.6.1.4.1.43.1.16.4.3.50
    GenericID = 4
    SpecificID = 0
    Time Stamp = 8:35:25.68

    SNMPv3 configuration example

    Network requirements

    As shown in Figure 28, the NMS (1.1.1.2/24) uses SNMPv3 to monitor and manage the interface status of the agent (1.1.1.1/24), and the agent automatically sends traps to report events to the NMS. The NMS and the agent perform authentication when they set up an SNMP session....
  • Page 84: Snmp Logging Configuration Example

    Set the authentication key to 123456TESTauth&! and the privacy key to 123456TESTencr&!. Set the timeout time and maximum number of retries. For information about configuring the NMS, see the NMS manual. NOTE: The SNMP settings on the agent and the NMS must match. Verify the configuration: # Try to get the count of sent traps from the agent.
  • Page 85 Figure 29 Network diagram Configuration procedure This example assumes that you have configured all required SNMP settings for the NMS and the agent (see "SNMPv1/SNMPv2c configuration example" or "SNMPv3 configuration example"). # Enable displaying log messages on the configuration terminal. (This function is enabled by default. Skip this step if you are using the default.) <Agent>...
  • Page 86 Field Description errorStatus Error status, with noError meaning no error. Value set by the SET operation. This field is null for a GET operation. If the value is a character string that has invisible characters value or characters beyond the ASCII range 0 to 127, the string is displayed in hexadecimal format, for example, value = <81-43>[hex].
  • Page 87: Configuring Rmon

    RMON groups Among the RFC 2819 defined RMON groups, HPE device implements the statistics group, history group, event group, and alarm group supported by the public MIB. HPE device also implements a private alarm group, which enhances the standard alarm group.
  • Page 88 The history statistics table records traffic statistics collected for each sampling interval. The sampling interval is user-configurable. Event group The event group defines event indexes and controls the generation and notifications of the events triggered by the alarms defined in the alarm group and the private alarm group. The events can be handled in one of the following ways: •...
  • Page 89: Configuring The Rmon Statistics Function

    If a private alarm entry crosses a threshold multiple times in succession, the RMON agent generates an alarm event only for the first crossing. For example, if the value of a sampled alarm variable crosses the rising threshold multiple times before it crosses the falling threshold, only the first crossing triggers a rising alarm event.
  • Page 90: Configuring The Rmon Alarm Function

    Step | Command
    Create an entry in the RMON history control table. | rmon history entry-number buckets number interval sampling-interval [ owner text ]

    Configuring the RMON alarm function

    Follow these guidelines when you configure the RMON alarm function:
    • To send traps to the NMS when an alarm is triggered, configure the SNMP agent as described in "Configuring SNMP."...
  • Page 91: Displaying And Maintaining Rmon

    Maximum number of Entry Parameters to be compared entries Alarm variable formula (alarm-variable), sampling interval (sampling-interval), sampling type (absolute, changeratio Prialarm or delta), rising threshold (threshold-value1) and falling threshold (threshold-value2) Displaying and maintaining RMON Task Command Remarks display rmon statistics [ interface-type Display RMON statistics.
  • Page 92: History Group Configuration Example

    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] rmon statistics 1 owner user1
    # Display statistics collected by the RMON agent for GigabitEthernet 1/0/1.
    <Sysname> display rmon statistics gigabitethernet 1/0/1
    EtherStatsEntry 1 owned by user1-rmon is VALID.
    Interface : GigabitEthernet1/0/1<ifIndex.3>
    etherStatsOctets : 21657 , etherStatsPkts : 307
    etherStatsBroadcastPkts...
  • Page 93 undersize packets : 0 , oversize packets fragments , jabbers collisions , utilization Sampled values of record 2 : dropevents , octets : 962 packets : 10 , broadcast packets multicast packets : 6 , CRC alignment errors : 0 undersize packets : 0 , oversize packets fragments...
  • Page 94: Alarm Group Configuration Example

    multicast packets : 6 , CRC alignment errors : 0 undersize packets : 0 , oversize packets fragments , jabbers collisions , utilization # Get the traffic statistics through SNMP from the terminal. (Details not shown.) Alarm group configuration example Network requirements Configure the RMON alarm group on the RMON agent in Figure 33...
  • Page 95 Sampling interval : 5(sec) Rising threshold : 100(linked with event 1) Falling threshold : 50(linked with event 2) When startup enables : risingOrFallingAlarm Latest value # Display statistics for GigabitEthernet 1/0/1. <Sysname> display rmon statistics gigabitethernet 1/0/1 EtherStatsEntry 1 owned by user1-rmon is VALID. Interface : GigabitEthernet1/0/1<ifIndex.3>...
  • Page 96: Configuring Port Mirroring

    Bidirectional—Copies packets both received and sent on a mirroring source. NOTE: On the HPE 5800&5820X switch series, if incoming traffic is mirrored, the mirrored traffic is sent with the same VLAN tag (if any) as the original traffic. If the outgoing traffic is mirrored, the mirrored traffic carries the same VLAN tag as the original traffic did before it was sent out of the mirroring ports.
  • Page 97: Port Mirroring Classification And Implementation

    The remote probe VLAN specially transmits mirrored packets to the destination device. Both the reflector port and egress port reside on a source device and send mirrored packets to the remote probe VLAN. The egress port must belong to the remote probe VLAN, but the reflector port may not. For more information about the reflector port, egress port, remote probe VLAN, and Layer 2 remote port mirroring, see "Port mirroring classification and...
  • Page 98 remote probe VLAN and transmit the packets to the destination device. When it receives the mirrored packets, the destination device checks whether their VLAN IDs are the same as the remote probe VLAN ID. If yes, the device forwards the packets to the data monitoring device through the monitor port.
  • Page 99: Configuring Local Port Mirroring

    Figure 36 Layer 3 remote port mirroring implementation The source device sends one copy of packets received on the source port GigabitEthernet 1/0/1 to the tunnel interface, which serves as the monitor port in the local mirroring group created on the source device.
  • Page 100: Creating A Local Mirroring Group

    A source port on the HPE 5800 is assigned a maximum of four mirroring resources. Therefore, a port, when serving as a unidirectional source port, can be added to up to four mirroring groups.
  • Page 101: Configuring Source Cpus For A Local Mirroring Group

    Configuring source CPUs for a local mirroring group Step Command Remarks 1. Enter system view. system-view 2. Configure source mirroring-group group-id By default, no source CPU is CPUs local mirroring-cpu slot slot-number-list configured for a local mirroring group. mirroring group. { both | inbound | outbound } NOTE: A mirroring group can contain multiple source CPUs.
  • Page 102: Using The Remote Probe Vlan To Enable Local Mirroring To Support Multiple Monitor Ports

    Step | Command | Remarks
    3. Configure the current port as the monitor port for a local mirroring group. | [ mirroring-group group-id ] monitor-port | By default, a port does not serve as the monitor port for any local mirroring group.

    Using the remote probe VLAN to enable local mirroring to support multiple monitor ports

    In typical local port mirroring configuration, you can configure only one monitor port in a local mirroring group.
  • Page 103: Configuring Layer 2 Remote Port Mirroring

    Configuration procedure To configure local port mirroring with multiple monitor ports: Step Command Remarks 1. Enter system view. system-view 2. Create a remote source mirroring-group group-id By default, no mirroring group mirroring group. remote-source exists on a device. • (Approach 1) In system view: mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }...
  • Page 104: Configuring A Remote Source Group (On The Source Device)

    resulting in undesired duplicates. For more information about GVRP, see Layer 2—LAN Switching Configuration Guide. Do the following to configure Layer 2 remote port mirroring: • On the source device, configure the source ports/CPUs, the remote probe VLAN, and the egress port for the remote source group.
  • Page 105 A source port on the HPE 5800 is assigned a maximum of four mirroring resources. Therefore, a port, when serving as a unidirectional source port, can be added to up to four mirroring groups.
  • Page 106 Either you can configure the egress port for a mirroring group in system view, or you can assign the current port to it as the egress port in interface view. The two configuration methods lead to the same result. When you configure the egress port for the remote source group, follow these guidelines: •...
  • Page 107: Configuring A Remote Destination Group (On The Destination Device)

    Step | Command | Remarks
    2. Configure the remote probe VLAN. | mirroring-group group-id remote-probe vlan rprobe-vlan-id | By default, no remote probe VLAN is configured for a remote source group.

    Configuring a remote destination group (on the destination device)

    To configure a remote destination group, make the following configurations on the destination device:

    Creating a remote destination group

    Step...
  • Page 108: Configuring Layer 3 Remote Port Mirroring

    Step | Command | Remarks
    3. Configure the current port as the monitor port for a remote destination group. | [ mirroring-group group-id ] monitor-port | By default, a port does not serve as the monitor port for any remote destination group.

    Configuring the remote probe VLAN for a remote destination group

    When you configure the remote probe VLAN for the remote destination group, follow these guidelines: •...
  • Page 109: Layer 3 Remote Port Mirroring Configuration Task List

    Layer 3 remote port mirroring configuration task list To configure Layer 3 remote port mirroring, create a local mirroring group on the source device as well as on the destination device, and configure source ports/CPUs and the monitor port for each mirroring group.
  • Page 110: Configuring Source Ports For A Local Mirroring Group

    A source port on the HPE 5800 is assigned a maximum of four mirroring resources. Therefore, a port, when serving as a unidirectional source port, can be added to up to four mirroring groups.
  • Page 111: Configuring The Monitor Port For A Local Mirroring Group

    Step | Command | Remarks
    2. Configure source CPUs for a local mirroring group. | mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound } | By default, no source CPU is configured for a local mirroring group.

    NOTE: A mirroring group can contain multiple source CPUs.

    Configuring the monitor port for a local mirroring group

    CAUTION: Do not enable the spanning tree feature on the monitor port....
  • Page 112: Configuration Restrictions And Guidelines

    Step | Command | Remarks
    3. Configure the current port as the monitor port for a local mirroring group. | [ mirroring-group group-id ] monitor-port | By default, a port does not serve as the monitor port for any local mirroring group.

    Configuration restrictions and guidelines •...
  • Page 113: Local Port Mirroring Configuration Example

    Local port mirroring configuration example Network requirements On the network shown in Figure • Device A connects to the marketing department through GigabitEthernet 1/0/1 and to the technical department through GigabitEthernet 1/0/2. It connects to the server through GigabitEthernet 1/0/3. •...
  • Page 114: Local Port Mirroring With Multiple Monitor Ports Configuration Example

    mirroring CPU: monitor port: GigabitEthernet1/0/3 After the configurations are completed, you can monitor all packets received and sent by the marketing department and the technical department on the server. Local port mirroring with multiple monitor ports configuration example Network requirements As shown in Figure 38, Dept.
  • Page 115: Layer 2 Remote Port Mirroring Configuration Example

    [DeviceA] mirroring-group 1 remote-probe vlan 10

    Layer 2 remote port mirroring configuration example

    Network requirements

    As shown in Figure 39, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the marketing department.

    Figure 39 Network diagram

    Configuration procedure

    Configure Device A (the source device):
    # Create a remote source group....
  • Page 116

    [DeviceB] vlan 2
    # Disable MAC address learning for the remote probe VLAN.
    [DeviceB-vlan2] mac-address mac-learning disable
    [DeviceB-vlan2] quit
    # Configure GigabitEthernet 1/0/1 as a trunk port that permits the packets from VLAN 2 to pass through.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 2
    [DeviceB-GigabitEthernet1/0/1] quit...
  • Page 117: Layer 3 Remote Port Mirroring Configuration Example

    Layer 3 remote port mirroring configuration example Network requirements As shown in Figure 40, configure Layer 3 remote port mirroring and create a GRE tunnel to enable the server to monitor the bidirectional traffic of the marketing department through a GRE tunnel. Figure 40 Network diagram Configuration procedure Configure IP addresses and subnet masks for related ports and the tunnel interfaces according...
  • Page 118: Mirroring Group

    [DeviceA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
    [DeviceA-ospf-1-area-0.0.0.0] network 50.1.1.0 0.0.0.255
    [DeviceA-ospf-1-area-0.0.0.0] quit
    [DeviceA-ospf-1] quit
    # Create local mirroring group 1.
    [DeviceA] mirroring-group 1 local
    # Configure GigabitEthernet1/0/1 as a source port and Tunnel 0 as the monitor port of local mirroring group 1.
    [DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 both
    [DeviceA] mirroring-group 1 monitor-port tunnel 0

    Enable the OSPF protocol on Device B (the intermediate device)....
  • Page 119

    # Create local mirroring group 1.
    [DeviceC] mirroring-group 1 local
    # Configure GigabitEthernet 1/0/1 as a source port and GigabitEthernet 1/0/2 as the monitor port of local mirroring group 1.
    [DeviceC] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 inbound
    [DeviceC] mirroring-group 1 monitor-port gigabitethernet 1/0/2
    # Disable the spanning tree feature on the monitor port GigabitEthernet 1/0/2....
  • Page 120: Configuring Flow Mirroring

    Configuring flow mirroring This chapter describes how to configure flow mirroring. Overview Flow mirroring copies specified packets to a specified destination for analysis and monitoring. Flow mirroring is implemented through QoS policies. You can use flow mirroring to flexibly classify packets by defining match criteria and obtain accurate statistics.
  • Page 121: Configuring Flow Mirroring

    In a traffic behavior, you can configure only one type of flow mirroring. Mirroring traffic to an interface On an HPE 5800 switch, you can configure actions of mirroring matching packets to up to four ports in a traffic behavior. On an HPE 5820X switch, you can configure actions of mirroring matching packets to two ports in a traffic behavior.
  • Page 122: Configuring A Qos Policy

    Step Command Remarks By default, no mirroring action is configured for a traffic behavior. mirror-to interface interface-type To configure actions of mirroring interface-number [ destination-ip matching packets to multiple Configure the action of destination-ip-address source-ip ports, execute this command mirroring traffic to an source-ip-address [ dscp multiple times.
  • Page 123: Applying A Qos Policy To The Control Plane

    To apply a QoS policy to an interface: Step Command Remarks 1. Enter system view. system-view • Enter interface view: Use one method. interface interface-type Settings in interface view take interface-number 2. Enter interface view or port effect on the current interface. •...
  • Page 124: Displaying And Maintaining Flow Mirroring

    Step | Command
    1. Enter system view. | system-view
    2. Enter control plane view. | control-plane slot slot-number
    3. Apply a QoS policy to the control plane. | qos apply policy policy-name inbound

    For more information about the control-plane and qos apply policy commands, see ACL and QoS Command Reference.
  • Page 125

    Figure 41 Network diagram

    Configuration procedure

    Monitor the traffic sent by the technical department to access the Internet:
    # Create ACL 3000 to allow packets from the technical department (on subnet 192.168.2.0/24) to access the Internet.
    <DeviceA> system-view
    [DeviceA] acl number 3000
    [DeviceA-acl-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www
    [DeviceA-acl-adv-3000] quit...
  • Page 126

    [DeviceA] acl number 3001
    [DeviceA-acl-adv-3001] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work
    [DeviceA-acl-adv-3001] quit
    # Create traffic class mkt_c, and configure the match criterion as ACL 3001.
    [DeviceA] traffic classifier mkt_c
    [DeviceA-classifier-mkt_c] if-match acl 3001
    [DeviceA-classifier-mkt_c] quit
    # Create traffic behavior mkt_b, and configure the action of mirroring traffic to port GigabitEthernet 1/0/3....
  • Page 127: Configuring Nqa

    Configuring NQA This chapter provides an overview of NQA configuration. Overview Network quality analyzer (NQA) allows you to monitor link status, measure network performance, verify the service levels for IP services and applications, and troubleshoot network problems. NQA provides the following types of operations. •...
  • Page 128: Threshold Monitoring

    Figure 43 Collaboration Application modules Detection module VRRP Associates with a Associates with detection entry a track entry Track Static routing module Sends the Sends the track detection result entry status Policy-based routing The following describes how a static route destined for 192.168.0.88 is monitored through collaboration.
  • Page 129: Configuring The Nqa Server

    Task Remarks Required for NQA operation types of TCP, UDP echo, UDP Configuring the NQA server jitter, and voice. Complete these tasks to configure the NQA client: Task Remarks Enabling the NQA client Required. Configuring an ICMP echo operation Configuring a DHCP operation Configuring a DNS operation Configuring an FTP operation Configuring an HTTP operation...
  • Page 130: Configuring The Nqa Client

    Step Command Remarks • Approach 1: nqa server tcp-connect ip-address port-number Configure a listening service. Use at least one approach. • Approach 2: nqa server udp-echo ip-address port-number Configure the ToS value in Optional. nqa server { tcp-connect | the packet sent by the TCP udp-echo } tos tos By default, the ToS value is 0.
  • Page 131: Configuring A Dhcp Operation

    Step | Command | Remarks
    Configure the string to be filled in the payload of each ICMP echo request. | data-fill string | Optional. By default, the string is the hexadecimal number 00010203040506070809.
    Specify the VPN where the operation is performed. | vpn-instance vpn-instance-name | Optional. By default, the operation is...
  • Page 132: Configuring A Dns Operation

    Configuring a DNS operation A DNS operation measures the time the NQA client uses to translate a domain name into an IP address through a DNS server. A DNS operation simulates domain name resolution and does not save the obtained DNS entry. To configure a DNS operation: Step Command...
  • Page 133: Configuring An Http Operation

    Step Command Remarks By default, no source IP address is specified. Configure the source IP The source IP address must be address of FTP request source ip ip-address the IP address of a local interface. packets. The local interface must be up. Otherwise, no FTP requests can be sent.
  • Page 134: Configuring A Udp Jitter Operation

    Step Command Remarks Optional. By default, the operation type for Configure the operation operation { get | post } the HTTP is get, which means type. obtaining data from the HTTP server. Specify the destination url url website URL. Optional. Specify the HTTP version.
  • Page 135: Configuring An Snmp Operation

    Step Command Remarks By default, no destination IP address is configured. Configure the destination The destination IP address must destination ip ip-address address of UDP packets. be the same as that of the listening service on the NQA server. By default, no destination port number is configured.
  • Page 136: Configuring A Tcp Operation

    Step Command Remarks Specify the SNMP type and type snmp enter its view. Configure the destination By default, no destination IP destination ip ip-address address of SNMP packets. address is configured. Optional. Specify the source port of source port port-number By default, no source port number SNMP packets.
  • Page 137: Configuring A Udp Echo Operation

    Step Command Remarks Optional. By default, no source IP address is specified. Configure the source IP The source IP address must be source ip ip-address address of TCP packets. the IP address of a local interface. The local interface must be up. Otherwise, no TCP packets can be sent out.
  • Page 138: Configuring A Voice Operation

    Step Command Remarks Optional. By default, no source IP address is specified. Configure the source IP The source IP address must be source ip ip-address address of UDP packets. that of an interface on the device and the interface must be up. Otherwise, no UDP packets can be sent out.
  • Page 139 Step Command Remarks Enter system view. system-view Create an NQA operation nqa entry admin-name By default, no NQA operation is and enter NQA operation operation-tag created. view. Specify the voice type and type voice enter its view. By default, no destination IP address is configured.
  • Page 140: Configuring A Dlsw Operation

    Step Command Remarks 14. Configure how long the NQA client waits for a response Optional. probe packet-timeout from the server before it packet-timeout The default is 5000 milliseconds. regards the response as timed out. Configuring a DLSw operation A DLSw operation measures the response time of a DLSw device. To configure a DLSw operation: Step Command...
  • Page 141: Configuring The Collaboration Function

    Step Command Remarks Optional. By default, the interval is 0 milliseconds. Only one operation Specify the interval at which frequency interval is performed. the NQA operation repeats. If the operation is not completed when the interval expires, the next operation does not start. Optional.
  • Page 142: Configuring Threshold Monitoring

    Step Command Remarks reaction item-number Not configured by default. checked-element probe-fail Configure a reaction entry. threshold-type consecutive You cannot modify the content of consecutive-occurrences an existing reaction entry. action-type trigger-only Exit to system view. quit See High Availability Associate Track with NQA. Configuration Guide.
  • Page 143 • In voice operation view, the reaction trap command supports only the test-complete keyword. Configuration procedure To configure threshold monitoring: Step Command Remarks Enter system system-view view. Create an NQA By default, no operation and nqa entry admin-name operation-tag NQA operation is enter NQA created.
  • Page 144 Step Command Remarks • Enable sending traps to the NMS when specified conditions are met: reaction trap { probe-failure consecutive-probe-failures | test-complete | test-failure cumulate-probe-failures } • Configure a reaction entry for monitoring the duration of an NQA operation (not supported for UDP jitter and voice operations): reaction item-number checked-element probe-duration threshold-type { accumulate...
  • Page 145: Configuring The Nqa Statistics Function

    Configuring the NQA statistics function NQA collects statistics for an operation in a statistics group. To view information about the statistics groups, use the display nqa statistics command. To set the interval for collecting statistics, use the statistics interval command. If a new statistics group is to be saved when the number of statistics groups reaches the upper limit, the oldest statistics group is deleted.
  • Page 146: Scheduling An Nqa Operation

    Step Command Remarks Create an NQA operation nqa entry admin-name By default, no NQA operation is and enter NQA operation operation-tag created. view. type { dhcp | dlsw | dns | ftp | http | Enter NQA operation type icmp-echo | snmp | tcp | udp-echo view.
  • Page 147: Displaying And Maintaining Nqa

    Displaying and maintaining NQA Task Command Remarks display nqa history [ admin-name Display history records of NQA operation-tag ] [ | { begin | exclude | Available in any view. operations. include } regular-expression ] display nqa reaction counters Display the current monitoring [ admin-name operation-tag [ item-number ] ] Available in any view.
  • Page 148

    Configuration procedure

    # Assign each interface an IP address. (Details not shown.)
    # Configure static routes or a routing protocol to make sure that the devices can reach each other. (Details not shown.)
    # Create an ICMP echo operation, and specify 10.2.2.2 as the destination IP address.
    <DeviceA>...
  • Page 149: Dhcp Operation Configuration Example

    NQA entry (admin admin, tag test1) history record(s): Index Response Status Time Succeeded 2011-08-23 15:00:01.2 Succeeded 2011-08-23 15:00:01.2 Succeeded 2011-08-23 15:00:01.2 Succeeded 2011-08-23 15:00:01.2 Succeeded 2011-08-23 15:00:01.2 Succeeded 2011-08-23 15:00:01.2 Succeeded 2011-08-23 15:00:01.1 Succeeded 2011-08-23 15:00:01.1 Succeeded 2011-08-23 15:00:01.1 Succeeded 2011-08-23 15:00:01.1 The output shows that the packets sent by Device A can reach Device B through Device C.
  • Page 150: Dns Operation Configuration Example

    Last succeeded probe time: 2011-11-22 09:56:03.2 Extended results: Packet loss in test: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: 0 Packet(s) arrived late: 0 # Display the history records of the DHCP operation.
  • Page 151: Ftp Operation Configuration Example

    [DeviceA] nqa schedule admin test1 start-time now lifetime forever # Stop the DNS operation after a period of time. [DeviceA] undo nqa schedule admin test1 # Display the results of the DNS operation. [DeviceA] display nqa result admin test1 NQA entry (admin admin, tag test1) test results: Destination IP address: 10.2.2.2 Send operation times: 1 Receive response times: 1...
  • Page 152 [DeviceA] nqa entry admin test1 [DeviceA-nqa-admin-test1] type ftp # Specify the IP address of the FTP server 10.2.2.2 as the destination IP address. [DeviceA-nqa-admin-test1-ftp] destination ip 10.2.2.2 # Specify 10.1.1.1 as the source IP address. [DeviceA-nqa-admin-test1-ftp] source ip 10.1.1.1 # Set the FTP username to admin, and the password to systemtest. [DeviceA-nqa-admin-test1-ftp] username admin [DeviceA-nqa-admin-test1-ftp] password simple systemtest # Configure the device to upload the file config.txt to the FTP server.
  • Page 153: Http Operation Configuration Example

    HTTP operation configuration example Network requirements As shown in Figure 48, configure an HTTP operation on the NQA client to test the time required to obtain data from the HTTP server. Figure 48 Network diagram Configuration procedure # Assign each interface an IP address. (Details not shown.) # Configure static routes or a routing protocol to make sure that the devices can reach each other.
  • Page 154: Udp Jitter Operation Configuration Example

    Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: Packet(s) arrived late: 0 # Display the history records of the HTTP operation. [DeviceA] display nqa history admin test1 NQA entry (admin admin, tag test1) history record(s): Index...
  • Page 155 # Start the UDP jitter operation. [DeviceA] nqa schedule admin test1 start-time now lifetime forever # Stop the UDP jitter operation after a period of time. [DeviceA] undo nqa schedule admin test1 # Display the results of the UDP jitter operation. [DeviceA] display nqa result admin test1 NQA entry (admin admin, tag test1) test results: Destination IP address: 10.2.2.2...
  • Page 156: Snmp Operation Configuration Example

    Start time: 2011-05-29 13:56:14.0 Life time: 47 seconds Send operation times: 410 Receive response times: 410 Min/Max/Average round trip time: 1/93/19 Square-Sum of round trip time: 206176 Extended results: Packet loss in test: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0...
  • Page 157 Configuration procedure Assign each interface an IP address. (Details not shown.) Configure static routes or a routing protocol to make sure that the devices can reach each other. (Details not shown.) Configure Device B: # Set the SNMP version to all. <DeviceB>...
  • Page 158: Tcp Operation Configuration Example

    The output shows that Device A uses 50 milliseconds to receive a response from the SNMP agent. TCP operation configuration example Network requirements As shown in Figure 51, configure a TCP operation to test the time the NQA client uses to establish a TCP connection to the NQA server on Device B.
  • Page 159: Udp Echo Operation Configuration Example

    Last succeeded probe time: 2011-11-22 10:27:25.1 Extended results: Packet loss in test: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: 0 Packet(s) arrived late: 0 # Display the history records of the TCP operation.
  • Page 160: Voice Operation Configuration Example

    # Enable the saving of history records. [DeviceA-nqa-admin-test1-udp-echo] history-record enable [DeviceA-nqa-admin-test1-udp-echo] quit # Start the UDP echo operation. [DeviceA] nqa schedule admin test1 start-time now lifetime forever # Stop the UDP echo operation after a period of time. [DeviceA] undo nqa schedule admin test1 # Display the results of the UDP echo operation.
  • Page 161 # Enable the NQA server. <DeviceB> system-view [DeviceB] nqa server enable # Configure a listening service to listen on IP address 10.2.2.2 and UDP port 9000. [DeviceB] nqa server udp-echo 10.2.2.2 9000 Configure Device A: # Create a voice operation. <DeviceA>...
  • Page 162 Negative SD square sum: 53655 Negative DS square sum: 1691776 One way results: Max SD delay: 343 Max DS delay: 985 Min SD delay: 343 Min DS delay: 985 Number of SD delay: 1 Number of DS delay: 1 Sum of SD delay: 343 Sum of DS delay: 985 Square sum of SD delay: 117649 Square sum of DS delay: 970225...
  • Page 163: Dlsw Operation Configuration Example

    Sum of SD delay: 1390 Sum of DS delay: 1079 Square sum of SD delay: 483202 Square sum of DS delay: 973651 SD lost packet(s): 0 DS lost packet(s): 0 Lost packet(s) for unknown reason: 0 Voice scores: Max MOS value: 4.38 Min MOS value: 4.38 Max ICPIF value: 0 Min ICPIF value: 0...
  • Page 164: Nqa Collaboration Configuration Example

    Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: 0 Packet(s) arrived late: 0 # Display the history records of the DLSw operation. [DeviceA] display nqa history admin test1 NQA entry (admin admin, tag test1) history record(s): Index Response...
  • Page 165: Verifying The Configuration

    [SwitchA-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only [SwitchA-nqa-admin-test1-icmp-echo] quit # Start the ICMP operation. [SwitchA] nqa schedule admin test1 start-time now lifetime forever Create track entry 1, and associate it with reaction entry 1 of the NQA operation on Switch A. [SwitchA] track 1 nqa entry admin test1 reaction 1 Verifying the configuration # On Switch A, display information about all track entries.
  • Page 166 Destination/Mask Proto Cost NextHop Interface 10.2.1.0/24 Direct 0 10.2.1.2 Vlan3 10.2.1.2/32 Direct 0 127.0.0.1 InLoop0 127.0.0.0/8 Direct 0 127.0.0.1 InLoop0 127.0.0.1/32 Direct 0 127.0.0.1 InLoop0 The output shows that the static route does not exist, and the status of the track entry is negative.
  • Page 167: Configuring Sflow

    Configuring sFlow Sampled Flow (sFlow) is a traffic monitoring technology. As shown in Figure 56, the sFlow system involves an sFlow agent embedded in a device and a remote sFlow collector. The sFlow agent collects interface counter information and packet content information and encapsulates the sampled information in sFlow packets.
  • Page 168: Configuring The Sflow Agent And Sflow Collector Information

    Configuring the sFlow agent and sFlow collector information Step Command Remarks Enter system system-view view. Optional. Not specified by default. The device periodically checks whether the sFlow agent has an IP address. If the sFlow agent has no IP address configured, the device automatically selects an interface IP address Configure an for the sFlow agent but does not save the IP address.
  • Page 169: Configuring Counter Sampling

    Step Command Remarks Optional. Set the maximum number of The default setting is 128 bytes. bytes of a packet (starting sflow flow max-header length Hewlett Packard Enterprise from the packet header) that recommends using the default flow sampling can copy. value.
  • Page 170 Figure 57 Network diagram Configuration procedure Configure the sFlow agent and sFlow collector information: # Configure the IP address 3.3.3.1/16 for GigabitEthernet 1/0/3. <Device> system-view [Device] interface GigabitEthernet 1/0/3 [Device-GigabitEthernet1/0/3] ip address 3.3.3.1 16 [Device-GigabitEthernet1/0/3] quit # Configure the IP address for the sFlow agent. [Device] sflow agent ip 3.3.3.1 # Specify sFlow collector ID 2, IP address 3.3.3.2, and description of netserver for the sFlow collector.
  • Page 171: Troubleshooting Sflow Configuration

    6343 1400 6343 1400 6343 1400 6343 1400 6343 1400 6343 1400 sFlow Port Information: Interface CID Interval(s) FID MaxHLen Rate Mode Status GE1/0/1 4000 Random Active The output shows that GigabitEthernet 1/0/1 enabled with sFlow is active, the counter sampling interval is 120 seconds, and the packet sampling interval is 4000.
  • Page 172: Configuring Netstream

    Configuring NetStream This chapter describes how to configure NetStream. Hardware compatibility The HPE 5820X Switch Series does not support NetStream. Overview Conventional ways to collect traffic statistics, like SNMP and port mirroring, cannot provide precise network management because of inflexible statistical methods or the high cost of required dedicated servers.
  • Page 173: Netstream Key Technologies

    • NSC—Usually a program running in UNIX or Windows. The NSC parses the packets sent from the NDE, and then it stores the statistics to the database for the NDA. The NSC gathers the data from multiple NDEs, and then it filters and aggregates the total received data. •...
  • Page 174 Aggregation data export NetStream aggregation merges the flow statistics according to the aggregation criteria of an aggregation mode, and it sends the summarized data to the NetStream server. This process is the NetStream aggregation data export, which uses less bandwidth than traditional data export. For example, the aggregation mode configured on the NDE is protocol-port, which means that it aggregates statistics about flow entries by protocol number, source port, and destination port.
  • Page 175: Netstream Export Formats

    Aggregation mode Aggregation criteria • • Source prefix • Source address mask length • Destination address mask length ToS- prefix aggregation • Destination prefix • Inbound interface index • Outbound interface index • • Protocol type • Source port ToS-protocol-port aggregation •...
  • Page 176: Enabling Netstream

    • If enormous traffic flows are on the network, configure NetStream sampling. • Decide which export format is used for NetStream data export. • Configure the timer for NetStream flow aging. • To reduce the bandwidth consumption of NetStream data export, configure NetStream aggregation.
  • Page 177: Configuring Netstream Filtering And Sampling

    Step Command Remarks Enter system view. system-view Enter Layer 2 or Layer 3 interface interface-type Ethernet interface view. interface-number Enable NetStream on ip netstream { inbound | outbound } Disabled by default. the interface. Configuring NetStream filtering and sampling Before you configure NetStream filtering and sampling, use the ip netstream command to enable NetStream.
  • Page 178: Configuring Netstream Sampling

    Step Command Quit the class view. quit Create a traffic behavior and enter its view. traffic behavior behavior-name Configure the NetStream filtering action for a netstream filter { deny | permit } traffic behavior. Quit the traffic behavior view. quit Create a policy and enter its view.
  • Page 179: Configuring Netstream Data Export

    Configuring NetStream data export To allow the NDE to export collected statistics to the NetStream server, configure the source interface out of which the data is sent and the destination address to which the data is sent. Configuring traditional data export Step Command Remarks...
  • Page 180 aggregation view are not provided, the configurations in system view apply to the aggregation data export. • The aging of NetStream hardware aggregation entries is exactly the same as the aging of NetStream traditional data entries. • The NetStream hardware aggregation data export and NetStream traditional data export are mutually exclusive.
  • Page 181: Configuring Attributes Of Netstream Data Export

    Configuring attributes of NetStream data export Step Command Remarks Enter system view. system-view Optional. Configure the version ip netstream export version { 5 | for NetStream export By default, NetStream traditional data format. export uses version 5. Configuring the refresh rate for NetStream version 9 templates Version 9 is template-based and supports user-defined formats, so the NetStream-enabled device needs to resend a new template to the NetStream server for an update.
  • Page 182: Configuring Netstream Flow Aging

    Periodical aging Periodical aging uses the following methods: • Inactive flow aging—A flow is considered inactive if no packet for this NetStream entry arrives in the time specified by the ip netstream timeout inactive command. The inactive flow entry remains in the cache until the inactive timer expires. Then the inactive flow is aged out and its statistics, which can no longer be displayed by the display ip netstream cache command, are sent to the NetStream server.
  • Page 183: Netstream Configuration Examples

    Task Command Remarks Display information about NetStream display ip netstream export [ | { begin | Available in any exclude | include } regular-expression ] data export. view. display ip netstream template [ slot Display the configuration and status of Available in any slot-number ] [ | { begin | exclude | the NetStream flow record templates.
  • Page 184 • Device A exports NetStream traditional data in version 5 export format to port 5000 of the NetStream server at 4.1.1.1/16. • Device A performs NetStream aggregation in the modes of protocol-port, source-prefix, destination-prefix, and prefix. Use the version 8 export format to send the aggregation data of different modes to the destination address at 4.1.1.1, with UDP ports 3000, 4000, 6000, and 7000, respectively.
  • Page 185 [DeviceA-ns-aggregation-dstpre] ip netstream export host 4.1.1.1 6000 [DeviceA-ns-aggregation-dstpre] quit # Configure the aggregation mode as prefix, and in aggregation view, configure the destination address and destination UDP port number for the NetStream prefix aggregation data export. [DeviceA] ip netstream aggregation prefix [DeviceA-ns-aggregation-prefix] enable [DeviceA-ns-aggregation-prefix] ip netstream export host 4.1.1.1 7000 [DeviceA-ns-aggregation-prefix] quit...
  • Page 186: Configuring Ipv6 Netstream

    Configuring IPv6 NetStream This chapter describes how to configure IPv6 NetStream. Hardware compatibility The HPE 5820X Switch Series does not support IPv6 NetStream. Overview Legacy ways to collect traffic statistics, like SNMP and port mirroring, cannot provide precise network management because of inflexible statistical methods or the high cost of required dedicated servers.
  • Page 187: Ipv6 Netstream Key Technologies

    • NSC—Usually a program running in UNIX or Windows. The NSC parses the packets sent from the NDE, and then it stores the statistics to the database for the NDA. The NSC gathers the data from multiple NDEs. • NDA—A tool for analyzing network traffic. The NDA collects statistics from the NSC, performs further processing, and then generates various reports for applications of traffic billing, network planning, and attack detection and monitoring.
  • Page 188: Ipv6 Netstream Export Format

    The data includes statistics about each flow. However, this method consumes more bandwidth and CPU than the aggregation method, and it requires a large cache size. In most cases, not all statistics are necessary for analysis. Aggregation data export IPv6 NetStream aggregation merges the flow statistics according to the aggregation criteria of an aggregation mode, and it sends the summarized data to the IPv6 NetStream server.
  • Page 189: Enabling Ipv6 Netstream On An Interface

    Task Remarks Select a command as required. Configuring IPv6 NetStream aggregation data export Configuring attributes of IPv6 NetStream data export Optional. Enabling IPv6 NetStream on an interface Step Command Remarks Enter system view. system-view Enter Layer 2 or Layer 3 interface interface-type Ethernet interface view.
  • Page 190: Configuring Ipv6 Netstream Aggregation Data Export

    Configuring IPv6 NetStream aggregation data export IPv6 NetStream aggregation can be implemented by software or hardware. Unless otherwise noted, the term NetStream aggregation refers to the software implementation. IPv6 NetStream hardware aggregation directly merges the statistics about data flows at the hardware layer according to the aggregation criteria of the specified aggregation mode, and it stores the data in the cache.
  • Page 191: Configuring Attributes Of Ipv6 Netstream Data Export

    Step Command Remarks Optional. By default, the interface connecting to the NetStream server is used as the source interface. • Source interfaces in different Configure the source aggregation views can be different. interface for IPv6 ipv6 netstream export source • If no source interface is configured NetStream interface interface-type...
  • Page 192: Ipv6 Netstream Configuration Examples

    Task Command Remarks display ipv6 netstream cache Display the IPv6 NetStream entry Available in any [ verbose ] [ slot slot-number ] [ | { begin information in the cache. view. | exclude | include } regular-expression ] display ipv6 netstream export [ | Display information about IPv6 NetStream Available in any { begin | exclude | include }...
  • Page 193: Ipv6 Netstream Aggregation Data Export Configuration Example

    IPv6 NetStream aggregation data export configuration example Network requirements As shown in Figure 64, configure IPv6 NetStream on Device A to meet the following requirements: • Device A exports IPv6 NetStream traditional data to port 5000 of the NetStream server at 4.1.1.1/16.
  • Page 194 [DeviceA-ns6-aggregation-srcpre] quit # Configure the aggregation mode as destination-prefix, and in aggregation view, configure the destination address and destination UDP port number for the IPv6 NetStream destination-prefix aggregation data export. [DeviceA] ipv6 netstream aggregation destination-prefix [DeviceA-ns6-aggregation-dstpre] enable [DeviceA-ns6-aggregation-dstpre] ipv6 netstream export host 4.1.1.1 6000 [DeviceA-ns6-aggregation-dstpre] quit # Configure the aggregation mode as prefix, and in aggregation view, configure the destination address and the destination UDP port number for the IPv6 NetStream prefix aggregation data...
  • Page 195: Configuring A Sampler

    For more information about NetStream, see "Configuring NetStream." NOTE: • The device supports only the fixed mode. • The HPE 5820X Switch Series does not support a sampler. Configuration procedure To configure a sampler: Step Command Remarks Enter system view.
  • Page 196: Sampler Configuration Example

    Sampler configuration example Network requirements As shown in Figure 65, configure IPv4 NetStream on Device to collect statistics on incoming and outgoing traffic on GigabitEthernet 1/0/2. The NetStream data is sent to port 5000 on the NSC at 12.110.2.2/16. Configure fixed sampling in the inbound direction to select the first packet out of 256 packets.
  • Page 197: Configuring Ipc

    Configuring IPC This chapter provides an overview of IPC and describes the IPC monitoring commands. Overview Inter-Process Communication (IPC) provides a reliable communication mechanism among processing units, typically CPUs. IPC is typically used on a distributed device or in an IRF fabric to provide reliable inter-card or inter-device transmission.
  • Page 198: Packet Sending Modes

    Figure 66 Relationship between a node, link and channel Packet sending modes IPC uses one of the following modes to send packets for upper layer application modules: • Unicast—One node sends packets to another node. • Multicast—One node sends packets to multiple nodes. This mode includes broadcast, a special multicast.
  • Page 199: Displaying And Maintaining Ipc

    Displaying and maintaining IPC Task Command Remarks display ipc node [ | { begin | exclude | include } Display IPC node information. Available in any view. regular-expression ] display ipc channel { node Display channel information for a node-id | self-node } [ | { begin | Available in any view.
  • Page 200: Configuring Poe

    Configuring PoE Overview IEEE 802.3af-compliant power over Ethernet (PoE) enables a power sourcing equipment (PSE) to supply power to powered devices (PDs) through Ethernet interfaces over straight-through twisted pair cables. Examples of PDs include IP telephones, wireless APs, portable chargers, card readers, Web cameras, and data collectors.
  • Page 201: Enabling Poe For A Poe Interface

    Complete these tasks to configure PoE: Task Remarks Enabling PoE for a PoE interface Required. Detecting PDs: • Enabling the PSE to detect nonstandard PDs Optional. • Configuring a PD disconnection detection mode Optional. Configuring the maximum PoE interface power Optional.
  • Page 202: Detecting Pds

    To enable PoE for a PoE interface: Step Command Remarks Enter system view. system-view interface interface-type Enter PoE interface view. interface-number Enable PoE for the PoE By default, this function is poe enable interface. disabled. Optional. Configure a description for By default, no description for the the PD connected to the PoE poe pd-description text...
  • Page 203: Configuring The Maximum Poe Interface Power

    Configuring the maximum PoE interface power The maximum PoE interface power is the maximum power that the PoE interface can provide to the connected PD. If the PD requires more power than the maximum PoE interface power, the PoE interface does not supply power to the PD. To configure the maximum PSE power: Step Command...
  • Page 204: Configuring The Poe Monitoring Function

    Step Command Remarks Enter system view. system-view Configure PoE interface By default, this policy is not power management priority poe pd-policy priority configured. policy. interface interface-type Enter PoE interface view. interface-number Optional. Configure the power supply poe priority { critical | high | By default, low is the power priority for a PoE interface.
  • Page 205: Configuring A Poe Profile

    The device supports multiple PoE profiles. You can define PoE configurations based on each PD, save the configurations for different PDs into different PoE profiles, and apply the PoE profiles to the access interfaces of PDs accordingly. Configuring a PoE profile If a PoE profile is applied, it cannot be deleted or modified before you cancel its application.
  • Page 206: Upgrading Pse Processing Software In Service

    Step Command Apply the PoE profile to the current PoE apply poe-profile { index index | name interface. profile-name } Upgrading PSE processing software in service You can upgrade the PSE processing software in service in either of the following two modes: •...
  • Page 207: Poe Configuration Example

    Task Command Remarks Display the configurations and display poe-profile [ index index | name profile-name ] [ | { begin | exclude | include } applications of the PoE Available in any view. profile. regular-expression ] Display all information about the configurations and display poe-profile interface interface-type applications of the PoE profile...
  • Page 208: Troubleshooting Poe

    [Sysname-GigabitEthernet1/0/3] poe priority critical [Sysname-GigabitEthernet1/0/3] quit # Enable PoE on GigabitEthernet 1/0/11 and GigabitEthernet 1/0/12, and configure the maximum power of GigabitEthernet 1/0/12 as 9000 milliwatts. [Sysname] interface gigabitethernet 1/0/11 [Sysname-GigabitEthernet1/0/11] poe enable [Sysname-GigabitEthernet1/0/11] quit [Sysname] interface gigabitethernet 1/0/12 [Sysname-GigabitEthernet1/0/12] poe enable [Sysname-GigabitEthernet1/0/12] poe max-power 9000 After the configuration takes effect, the IP telephones and AP devices are powered and can work normally.
  • Page 209 Solution You can drop the AC input undervoltage threshold below the AC input overvoltage threshold.
  • Page 210: Configuring Cwmp

    The basic CWMP network elements include: • ACS—Autoconfiguration server, the management device in the network. In this document, ACS refers to a server installed with the HPE IMC BIMS system. • CPE—Customer premises equipment, the managed device in the network.
  • Page 211: Basic Cwmp Functions

    Basic CWMP functions Automatic configuration file deployment The network administrator can create different configuration files on the ACS for access switches according to their service functions to realize fast configuration. After a connection is established between the ACS and a CPE, the ACS determines the type of the CPE and delivers the corresponding configuration file to the CPE.
  • Page 212: Cwmp Mechanism

    • CPE address (ConnectionRequestURL) • CPE username (ConnectionRequestUsername) • CPE password (ConnectionRequestPassword) CWMP mechanism Autoconnection between ACS and CPE At the first startup, a CPE automatically obtains the following settings from the DHCP server, in addition to an IP address: •...
  • Page 213 RPC methods CWMP provides the following major remote procedure call methods for an ACS to manage or monitor a CPE: • Get—The ACS gets the value of one or more parameters from the CPE. • Set—The ACS sets the value of one or more parameters on the CPE. •...
  • Page 214: Restrictions And Guidelines

    When accessed by the CPE, the DHCP server sends the ACS parameters in DHCP Option 43 to the CPE. If the DHCP server is an HPE switch that supports DHCP Option 43, you can configure the ACS parameters at the CLI with the command option 43 hex 01length URL username password,...
  • Page 215: Configuring The Dns Server

    • length is a hexadecimal string that indicates the total length of the URL username password arguments. No space is allowed between the 01 keyword and the length value. • URL is the ACS address. • username is the ACS username. •...
  • Page 216: Enabling Cwmp

    Task Remarks • Required. Configuring the ACS URL • Optional. Configuring the ACS username and password Configuring CPE attributes: • Configuring the CPE username and password Optional. • Configuring the CWMP connection interface Optional. • Configuring the CWMP connection interface Optional.
  • Page 217: Configuring The Acs Url

    Configuring the ACS URL You can assign only one ACS to a CPE and the ACS URL you configured overwrites the old one, if any. To configure the ACS URL: Step Command Remarks Enter system view. system-view Enter CWMP view. cwmp By default, no ACS URL is Configure the ACS URL.
  • Page 218: Configuring The Cwmp Connection Interface

    Step Command Remarks Enter system view. system-view Enter CWMP view. cwmp Configure the CPE By default, no CPE username is username for connection to cwmp cpe username username configured for connection to the the CPE. CPE. Optional. You can specify a username without a password that is used in Configure the CPE the authentication.
  • Page 219: Configuring The Maximum Number Of Attempts Made To Retry A Connection

    Step Command Remarks Optional. Configure the interval cwmp cpe inform interval By default, the CPE sends an between sending the Inform seconds Inform message every 600 messages. seconds. To configure the CPE to send an Inform message at a specific time: Step Command Remarks...
  • Page 220: Configuring The Cpe Working Mode

    Step Command Remarks Optional. Configure the timeout value cwmp cpe wait timeout seconds of the CPE close-wait timer. The default setting is 30 seconds. Configuring the CPE working mode Configure the device to operate in one of the following CPE modes depending on its position in the network: •...
  • Page 221: Cwmp Configuration Example

    CWMP configuration example Configuration guidelines Before configuring the ACS server, make sure the HPE IMC BIMS software is installed on the server. The BIMS functions and web interface might change along with software updates. If your web interface is different from that in this example, see the user manual that came with your server.
  • Page 222: Configuration Procedure

    Configuration procedure Configuring the ACS server ACS server configuration includes the following tasks: • Setting the username and password for accessing the ACS server. • Adding information about CPEs and dividing CPEs into different groups. • Binding configuration files to different CPE groups. Other configurations on the ACS server keep their default values.
  • Page 223 b. Select Group Management > Device Group from the navigation tree to enter the device group page. c. Click Add to enter the page for adding a device group. Figure 74 Add Device Group page d. Set the group name and click OK. Add a device class: a.
  • Page 224 Figure 76 Add Device page b. Input device information and click OK. Figure 77 Adding device succeeded Repeat the previous steps to add information about DeviceB and DeviceC to the ACS server, and the adding operation of switches in equipment room A is completed. Bind different configuration files to different CPE groups to realize auto-deployment: a.
  • Page 225 Figure 78 Deployment Guide page Select the configuration file to be deployed and set it as the startup configuration as the deployment strategy on the Auto Deploy Configuration page. Figure 79 Auto Deploy Configuration page Click Select Class and enter the page for selecting device type.
  • Page 226 Figure 80 Selecting a device class Select the Device_A device class and click OK, and the auto deploy configuration page appears. Click OK to complete the task. Figure 81 Deploying task succeeded Configuration of the switches in room B is the same as that of the switches in room A except that you need to perform the following configuration: •...
  • Page 227 Configuring the DHCP server In this example, the DHCP server is an HPE switch supporting the Option 43 function. If your DHCP server is not an HPE switch supporting the Option 43 function, see the user manual that came with your server.
  • Page 228 Figure 82 Device Interaction Log page...
  • Page 229: Configuring Cluster Management

    Configuring cluster management Cluster management is supported only in non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. Cluster management overview Why cluster management Cluster management enables managing large numbers of dispersed network devices in groups and offers the following advantages: •...
  • Page 230: How A Cluster Works

    Figure 83 Network diagram (labels: network manager 69.110.1.1/24, IP network, administrator 69.110.1.100/24, cluster with member and candidate devices) As shown in Figure 83, the device configured with a public IP address and performing the management function is the management device, the other managed devices are member devices, and the device that does not belong to any cluster but can be added to a cluster is a candidate device.
  • Page 231 Introduction to NDP NDP is used to discover the information about directly connected neighbors, including the device name, software version, and connecting port of the adjacent devices. NDP works in the following ways: • A device running NDP periodically sends NDP packets to its neighbors. An NDP packet carries NDP information (including the device name, software version, and connecting port) and the holdtime, which indicates how long the receiving devices will keep the NDP information.
  • Page 232 You should specify the management device before creating a cluster. The management device discovers and defines a candidate device through NDP and NTDP protocols. The candidate device can be automatically or manually added to the cluster. After the candidate device is added to the cluster, it can obtain the member number assigned by the management device and the private IP address used for cluster management.
  • Page 233: Cluster Management Configuration Task List

    Management VLAN The management VLAN is a VLAN used for communication in a cluster; it limits the cluster management range. Through configuration of the management VLAN, the following functions can be implemented: • Management packets (including NDP, NTDP and handshake packets) are restricted within the management VLAN and are therefore isolated from other packets, which enhances security.
  • Page 234: Configuring The Management Device

    Task: Remarks
    Cluster member management: Optional
    Configuring the member devices:
    • Enabling NDP: Required
    • Enabling NTDP: Required
    • Manually collecting topology information: Optional
    • Enabling the cluster function: Required
    • Deleting a member device from a cluster: Optional
    Configuring access between the management device and its member devices: Optional
    Adding a candidate device to a cluster...
  • Page 235: Configuring Ndp Parameters

    Step: Enable the NDP feature for the port(s).
    Command:
    • In system view: ndp enable interface interface-list
    • In Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number, then ndp enable
    Remarks: Use either command. By default, NDP is disabled globally and also on all ports.
    NOTE:...
  • Page 236: Configuring Ntdp Parameters

    Step: Enable NTDP for the port.
    Command: ntdp enable
    Remarks: Optional. NTDP is disabled on all ports by default.
    NOTE: Disable NTDP on any port that connects to devices that do not need to join the cluster. This prevents the management device from adding such devices to the cluster and from collecting their topology information.
  • Page 237: Enabling The Cluster Function

    addition, you can manually initiate topology information collection on the management device or an NTDP-enabled device, thus managing and monitoring devices in real time, regardless of whether a cluster is created. To manually collect topology information: Task Command Remarks Manually collect topology...
  • Page 238: Enabling Management Vlan Auto-Negotiation

    Step: Establish a cluster.
    Command:
    • Manually establish a cluster: build cluster-name
    • Automatically establish a cluster: auto-build [ recover ]
    Remarks: Use either method. By default, the device is not the management device.
    CAUTION: Handshake packets use UDP port 40000. For a cluster to be established successfully, make sure that the port is not in use before establishing it.
  • Page 239: Configuring Cluster Management Protocol Packets

    the holdtime, it changes the state of the member device to Disconnect. When the communication is recovered, the member device needs to be re-added to the cluster (this process is automatically performed). • If the management device receives handshake packets from the member device within the holdtime, the state of the member device remains Active.
  • Page 240: Cluster Member Management

    Cluster member management You can manually add a candidate device to a cluster, or remove a member device from a cluster. If a member device needs to be rebooted for software upgrade or configuration update, you can remotely reboot it through the management device. Adding a member device Step Command...
  • Page 241: Enabling The Cluster Function

    Enabling the cluster function
    “Enabling the cluster function.”

    Deleting a member device from a cluster
    Step: Enter system view. Command: system-view
    Step: Enter cluster view. Command: cluster
    Step: Delete a member device from the cluster. Command: undo administrator-address

    Configuring access between the management device and its member devices
    After having successfully configured NDP, NTDP and cluster, you can configure, manage and monitor the member devices through the management device.
  • Page 242: Adding A Candidate Device To A Cluster

    Adding a candidate device to a cluster
    To add a candidate device to a cluster:
    Step: Enter system view. Command: system-view
    Step: Enter cluster view. Command: cluster
    Step: Add a candidate device to the cluster. Command: administrator-address mac-address name name

    Configuring advanced cluster management functions
    This section covers these topics: •...
  • Page 243: Configuring Interaction For A Cluster

    Step: Enter cluster view. Command: cluster
    Step: Add a device to the blacklist. Command: black-list add-mac mac-address Remarks: Optional.
    Step: Remove a device from the blacklist. Command: black-list delete-mac { all | mac-address } Remarks: Optional.
    Step: Confirm the current topology and Command: topology accept { all [ save-to { ftp-server | local-flash } ] | Remarks: Optional.
  • Page 244: Snmp Configuration Synchronization Function

    Step: Configure the SNMP NM host shared by the cluster. Command: snmp-host ip-address [ community-string read string1 write string2 ] Remarks: By default, no SNMP host is configured.
    Step: Configure the NM interface of the management device. Command: nm-interface vlan-interface interface-name Remarks: Optional.
    CAUTION: To isolate management protocol packets of a cluster from packets outside the cluster, it is recommended that you prohibit packets from the management VLAN from passing the ports...
  • Page 245: Configuring Web User Accounts In Batches

    Configuring web user accounts in batches Configuring web user accounts in batches enables you to configure on the management device the username and password used to log in to the devices (including the management device and member devices) within a cluster through web and synchronize the configurations to the member devices in the whitelist.
  • Page 246: Cluster Management Configuration Example

    Task: Display the current topology information.
    Command: display cluster current-topology [ mac-address mac-address [ to-mac-address mac-address ] | member-id member-number [ to-member-id member-number ] ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display the information about
    Command: display cluster members [ member-number | verbose ] [ | { begin |...
  • Page 247

    [DeviceA-GigabitEthernet1/0/1] ndp enable
    [DeviceA-GigabitEthernet1/0/1] quit
    # Enable NTDP globally and for port GigabitEthernet 1/0/1.
    [DeviceA] ntdp enable
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] ntdp enable
    [DeviceA-GigabitEthernet1/0/1] quit
    # Enable the cluster function.
    [DeviceA] cluster enable

    Configure the member device Device C: As the configurations of the member devices are the same, the configuration procedure of Device C is not shown.
  • Page 248

    # Configure ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 as Trunk ports and allow packets from the management VLAN to pass.
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] port link-type trunk
    [DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 10
    [DeviceB-GigabitEthernet1/0/2] quit
    [DeviceB] interface gigabitethernet 1/0/3
    [DeviceB-GigabitEthernet1/0/3] port link-type trunk
    [DeviceB-GigabitEthernet1/0/3] port trunk permit vlan 10
    [DeviceB-GigabitEthernet1/0/3] quit...
  • Page 249: Configuring Packet Capture

    Configuring packet capture The packet capture feature facilitates network problem identification. Packets captured are stored in the packet capture buffer on the device. You can display the packets at the CLI, or export them to a .pcap file and analyze them by using packet analysis software such as Ethereal or Wireshark. Configuring the packet capture function When you configure this function, follow these guidelines: •...
  • Page 250: Displaying And Maintaining Packet Capture

    Step: Stop packet capture.
    Command: packet capture stop
    Remarks: Optional. Stop packet capture before you display, save, or clear the buffered contents. The device automatically stops packet capture when:
    • The packet capture function operates in linear mode, and the packet capture buffer is full.
  • Page 251

    Configuration procedure
    Enable the packet capture function on the switch:
    # Create an ACL rule for IPv4 basic ACL 2000 to permit packets with a source address in 192.168.1.0/24.
    <Switch> system-view
    [Switch] acl number 2000
    [Switch-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
    [Switch-acl-basic-2000] quit
    [Switch] quit
    # Configure the switch to capture packets based on ACL 2000, and start packet capture...
  • Page 252: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 253: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 254: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 255: Websites

    Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements. Websites Website Link Networking websites Hewlett Packard Enterprise Information Library for www.hpe.com/networking/resourcefinder Networking Hewlett Packard Enterprise Networking website www.hpe.com/info/networking Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking...
  • Page 256: Documentation Feedback

    Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help...

This manual is also suitable for:

5800 series
