HPE FlexNetwork 10500 series Configuration Manual
HPE FlexNetwork 10500 Switch Series

Network Management and Monitoring

Configuration Guide

Part number: 5200-1904a
Software version: 10500-CMW710-R7557P01
Document version: 6W101-20171020

Summary of Contents for HPE FlexNetwork 10500 series

  • Page 1: Network Management And Monitoring

    HPE FlexNetwork 10500 Switch Series Network Management and Monitoring Configuration Guide Part number: 5200-1904a Software version: 10500-CMW710-R7557P01 Document version: 6W101-20171020...
  • Page 2 © Copyright 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Using ping, tracert, and system debugging, 1; Ping, 1; Using a ping command to test network connectivity, 1; Ping example, 1; Tracert, 3; Prerequisites, 4; Using a tracert command to identify failed or all nodes in a path, 4; Tracert example...
  • Page 4 ICMP echo operation configuration example, 43; ICMP jitter operation configuration example, 45; DHCP operation configuration example, 47; DNS operation configuration example, 48; FTP operation configuration example, 50; HTTP operation configuration example, 51; UDP jitter operation configuration example, 52; SNMP operation configuration example...
  • Page 5 IPv6 NTP multicast mode configuration example, 106; Configuration example for NTP client/server mode with authentication, 109; Configuration example for NTP broadcast mode with authentication, 110; Configuration example for MPLS L3VPN network time synchronization in client/server mode, 113; Configuration example for MPLS L3VPN network time synchronization in symmetric active/passive mode...
  • Page 6 How to use NETCONF, 147; Protocols and standards, 147; FIPS compliance, 148; NETCONF configuration task list, 148; Configuring NETCONF over SOAP, 148; Enabling NETCONF over SSH, 149; Enabling NETCONF logging, 149; Configuring NETCONF to use module-specific namespaces, 150; About module-specific namespaces for NETCONF...
  • Page 7 Configuration restrictions and guidelines, 197; Configuring a monitor policy from the CLI, 197; Configuring a monitor policy by using Tcl, 199; Suspending monitor policies, 200; Displaying and maintaining EAA settings, 201; EAA configuration examples, 201; CLI event monitor policy configuration example...
  • Page 8 Applying a QoS policy, 242; Applying a QoS policy to an interface, 242; Applying a QoS policy to a VLAN, 242; Applying a QoS policy globally, 243; Applying a QoS policy to the control plane, 243; Flow mirroring configuration example...
  • Page 9 Configuration restrictions and guidelines, 276; sFlow configuration task list, 276; Configuring the sFlow agent and sFlow collector information, 277; Configuring flow sampling, 277; Configuring counter sampling, 278; Displaying and maintaining sFlow, 278; sFlow configuration example, 279; Network requirements...
  • Page 10 Configuring the packet capture, 305; Overview, 305; Packet capture modes, 305; Filter elements, 305; Building a capture filter, 311; Building a display filter, 312; Configuration restrictions and guidelines, 312; Packet capture configuration task list, 313; Configuring local packet capture...
  • Page 11 Displaying and maintaining CWMP, 345; CWMP configuration example, 346; Network requirements, 346; Configuration procedure, 347; Verifying the configuration, 355; Document conventions and icons, 356; Conventions, 356; Network topology icons, 357; Support and other resources, 358; Accessing Hewlett Packard Enterprise Support...
  • Page 12: Using Ping, Tracert, And System Debugging

    Using ping, tracert, and system debugging This chapter covers ping, tracert, and information about debugging the system. Ping Use the ping utility to determine if an address is reachable. Ping sends ICMP echo requests (ECHO-REQUEST) to the destination device. Upon receiving the requests, the destination device responds with ICMP echo replies (ECHO-REPLY) to the source device.
  • Page 13 Figure 1 Network diagram (Device A, Device B, and Device C; interface addresses 1.1.1.1/24, 1.1.2.1/24, 1.1.1.2/24, and 1.1.2.2/24; the figure traces the ECHO-REQUEST and ECHO-REPLY packets and the addresses recorded in the RR option: 1st=1.1.2.1, 2nd=1.1.2.2, 3rd=1.1.1.2, 4th=1.1.1.1). Configuration procedure # Use the ping command on Device A to test connectivity to Device C. <DeviceA>...
  • Page 14: Tracert

    The source device (Device A) sends an ICMP echo request to the destination device (Device C) with the RR option blank. The intermediate device (Device B) adds the IP address of its outbound interface (1.1.2.1) to the RR option of the ICMP echo request, and forwards the packet. Upon receiving the request, the destination device copies the RR option in the request and adds the IP address of its outbound interface (1.1.2.2) to the RR option.
  • Page 15: Prerequisites

    Enable sending of ICMP timeout packets on the intermediate devices (devices between the source and destination devices). If the intermediate devices are HPE devices, execute the ip ttl-expires enable command on the devices. For more information about this command, see Layer 3—IP Services Command Reference.
  • Page 16 Figure 3 Network diagram (Device A, Device B, and Device C; interface addresses 1.1.1.1/24, 1.1.1.2/24, 1.1.2.1/24, and 1.1.2.2/24). Configuration procedure Configure the IP addresses for devices as shown in Figure Configure a static route on Device A. <DeviceA> system-view [DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 [DeviceA] quit Use the ping command to test connectivity between Device A and Device C.
  • Page 17: System Debugging

    System debugging The device supports debugging for the majority of protocols and features, and provides debugging information to help users diagnose errors. Debugging information control switches The following switches control the display of debugging information: • Module debugging switch—Controls whether to generate the module-specific debugging information.
  • Page 18 Step Command Remarks (Optional.) Display the display debugging enabled debugging in any [ module-name ] view.
  • Page 19: Configuring Nqa

    Configuring NQA Overview Network quality analyzer (NQA) allows you to measure network performance, verify the service levels for IP services and applications, and troubleshoot network problems. It provides the following types of operations: • ICMP echo. • ICMP jitter. • DHCP.
  • Page 20: Collaboration

    • An HTTP operation gets a Web page. • A DHCP operation gets an IP address through DHCP. • A DNS operation translates a domain name to an IP address. • An ICMP echo operation sends an ICMP echo request. •...
  • Page 21: Nqa Configuration Task List

    Table 1 Performance metrics and NQA operation types NQA operation types that can gather the Performance metric metric All NQA operation types except UDP jitter, UDP Probe duration tracert, path jitter, and voice All NQA operation types except UDP jitter, UDP Number of probe failures tracert, path jitter, and voice Round-trip time...
  • Page 22: Enabling The Nqa Client

    Step Command Remarks • TCP listening service: nqa server tcp-connect ip-address The default ToS value is port-number [ vpn-instance vpn-instance-name ] [ tos tos ] Configure a TCP or UDP You can set the ToS value • listening service. UDP listening service: in the IP header of reply nqa server udp-echo ip-address packets sent by the NQA...
  • Page 23: Configuring The Icmp Echo Operation

    Configuring the ICMP echo operation The ICMP echo operation measures the reachability of a destination device. It has the same function as the ping command, but provides more output information. In addition, if multiple paths exist between the source and destination devices, you can specify the next hop for the ICMP echo operation.
  • Page 24: Configuring The Icmp Jitter Operation

    Configuring the ICMP jitter operation The ICMP jitter operation measures unidirectional and bidirectional jitters. The operation result helps you to determine whether the network can carry jitter-sensitive services such as real-time voice and video services. The ICMP jitter operation works as follows: The NQA client sends ICMP packets to the destination device.
  • Page 25: Configuring The Dns Operation

    The NQA client simulates the DHCP relay agent to forward DHCP requests for IP address acquisition from the DHCP server. The interface that performs the DHCP operation does not change its IP address. When the DHCP operation completes, the NQA client sends a packet to release the obtained IP address.
  • Page 26: Configuring The Ftp Operation

    Step Command Remarks Specify the domain name to By default, no domain name is resolve-target domain-name be translated. specified. Configuring the FTP operation The FTP operation measures the time for the NQA client to transfer a file to or download a file from an FTP server.
  • Page 27: Configuring The Http Operation

    Step Command Remarks By default, no file is specified. (Optional.) Specify the name of a file to be filename file-name This step is required if you perform the transferred. put operation. 10. Set the data transmission mode { active | passive } The default mode is active.
  • Page 28: Configuring The Udp Jitter Operation

    Step Command Remarks By default, no contents are specified. 11. (Optional.) Specify the HTTP Enter or paste the content. This step is required for the raw request content. operation. 12. Save the input and return to quit HTTP operation view. Configuring the UDP jitter operation CAUTION: To ensure successful UDP jitter operations and avoid affecting existing services, do not perform the...
  • Page 29: Configuring The Snmp Operation

    Step Command Remarks By default, the packets take the primary IP address of the output interface as their source IP address. (Optional.) Specify the source IP address for UDP source ip ip-address The source IP address must be packets. the IP address of a local interface, and the interface must be up.
  • Page 30: Configuring The Tcp Operation

    Step Command Remarks By default, the packets take the primary IP address of the output interface as their source IP address. (Optional.) Specify the source IP address of SNMP source ip ip-address The source IP address must be the IP packets.
  • Page 31: Configuring The Udp Echo Operation

    Before you configure the UDP tracert operation, perform the following tasks: • Enable sending ICMP time exceeded messages on the intermediate devices between the source and destination devices. If the intermediate devices are HPE devices, use the ip ttl-expires enable command.
  • Page 32 • Enable sending ICMP destination unreachable messages on the destination device. If the destination device is an HPE device, use the ip unreachables enable command. For more information about the ip ttl-expires enable and ip unreachables enable commands, see Layer 3—IP Services Command Reference.
  • Page 33: Configuring The Voice Operation

    Step Command Remarks By default, the packets take the primary IP address of the output • interface as their source IP address. Specify the IP address of the specified interface as If you execute the source ip and the source IP address: source interface commands source interface 12.
  • Page 34 Step Command Remarks Enter system view. system-view Create an NQA operation nqa entry admin-name and enter NQA operation By default, no NQA operations exist. operation-tag view. Specify the voice type and type voice enter its view. By default, no destination IP address is configured.
  • Page 35: Configuring The Dlsw Operation

    Before you configure the path jitter operation, perform the following tasks: • Enable sending ICMP time exceeded messages on the intermediate devices between the source and destination devices. If the intermediate devices are HPE devices, use the ip ttl-expires enable command. •...
  • Page 36: Configuring Optional Parameters For The Nqa Operation

    Step Command Remarks (Optional.) Set the payload size data-size size The default setting is 100 bytes. for each ICMP echo request. (Optional.) Specify the payload The default payload fill string is the fill string for ICMP echo data-fill string hexhexadecimal string requests.
  • Page 37: Configuring The Collaboration Feature

    Step Command Remarks For a voice or path jitter operation, the default setting is 60000 milliseconds. For other types of operations, the default Set the interval at which setting is 0 milliseconds, and only one the NQA operation frequency interval operation is performed.
  • Page 38: Configuring Threshold Monitoring

    Step Command Remarks Create an NQA operation nqa entry admin-name By default, no NQA operations and enter NQA operation operation-tag exist. view. The collaboration feature is not type { dhcp | dlsw | dns | ftp | Specify an NQA operation available for the ICMP jitter, path http | icmp-echo | snmp | tcp | type and enter its view.
  • Page 39 • If the threshold is violated, the state of the entry is set to over-threshold. Otherwise, the state of the entry is set to below-threshold. If the action is trap-only for a reaction entry, a trap message is sent to the NMS when the state of the entry changes.
  • Page 40 Step Command Remarks • Monitor the operation duration (not supported in the ICMP jitter, UDP jitter, UDP tracert, or voice operations): reaction item-number checked-element probe-duration threshold-type { accumulate accumulate-occurrences | average | consecutive consecutive-occurrences } threshold-value upper-threshold lower-threshold [ action-type { none | trap-only } ] •...
  • Page 41: Configuring The Nqa Statistics Collection Feature

    Configuring the NQA statistics collection feature NQA forms statistics within the same collection interval as a statistics group. To display information about the statistics groups, use the display nqa statistics command. If you use the frequency command to set the interval to 0 milliseconds for an NQA operation, NQA does not generate any statistics group for the operation.
  • Page 42: Scheduling The Nqa Operation On The Nqa Client

    Step Command Remarks The default setting is 120 (Optional.) Set the minutes. lifetime of history history-record keep-time keep-time A record is deleted when its records. lifetime is reached. The default setting is 50. (Optional.) Set the If the maximum number of maximum number of history records for an NQA history-record number number...
  • Page 43: Nqa Template Configuration Task List

    NQA template configuration task list Tasks at a glance (Required.) Perform at least one of the following tasks: • Configuring the ICMP template • Configuring the DNS template • Configuring the TCP template • Configuring the TCP half open template •...
  • Page 44: Configuring The Dns Template

    Step Command Remarks • IPv4 address: (Optional.) Specify the next-hop ip ip-address By default, no IP address of the next next hop IP address for • hop is configured. IPv6 address: ICMP echo requests. next-hop ipv6 ipv6-address By default, the probe result is sent to the feature that uses the template after three consecutive failed or successful probes.
  • Page 45: Configuring The Tcp Template

    Step Command Remarks By default, the packets take the primary IP address of the output interface as their source IP • IPv4 address: address. (Optional.) Specify the source source ip ip-address IP address for the probe The source IP address must be •...
  • Page 46: Configuring The Tcp Half Open Template

    Step Command Remarks By default, the packets take the primary IP • IPv4 address: address of the output interface as their source ip ip-address source IP address. (Optional.) Specify the • source IP address for the IPv6 address: The source IP address must be the IP probe packets.
  • Page 47: Configuring The Udp Template

    Step Command Remarks By default, the probe result is sent to the feature that uses the template after three consecutive failed or successful probes. If you execute the reaction trigger per-probe and reaction trigger probe-pass (Optional.) Configure the commands multiple times, the probe result sending on a reaction trigger per-probe most recent configuration takes...
  • Page 48: Configuring The Http Template

    Step Command Remarks By default, the packets take the primary IP • IPv4 address: address of the output interface as their source ip ip-address source IP address. (Optional.) Specify the • source IP address for the IPv6 address: The source IP address must be the IP probe packets.
  • Page 49: Configuring The Https Template

    Step Command Remarks This step is required for the raw operation. (Optional.) Enter raw request raw-request Every time you enter the raw request view. view, the existing request content configuration is removed. This step is required for the raw (Optional.) Enter or paste the operation.
  • Page 50: Configuring The Ftp Template

    Step Command Remarks Specify an HTTPS login By default, no HTTPS login username username username username. is specified. Specify an HTTPS login password { cipher | By default, no HTTPS login password is password. simple } string specified. ssl-client-policy By default, no SSL client policy is Specify an SSL client policy.
  • Page 51: Configuring The Radius Template

    Step Command Remarks Enter system view. system-view Create an FTP template nqa template ftp name By default, no FTP templates exist. and enter its view. By default, no URL is specified for the destination FTP server. Enter the URL in one of the following formats: •...
  • Page 52: Configuring The Ssl Template

    If the NQA client can receive the Access-Accept packet from the RADIUS server, the authentication service is available on the RADIUS server. Otherwise, the authentication service is not available on the RADIUS server. Before you configure the RADIUS template, specify a username, password, and shared key on the RADIUS server.
  • Page 53: Configuring Optional Parameters For The Nqa Template

    Step Command Remarks • IPv4 address: destination ip ip-address (Optional.) Specify the By default, no destination IP address is • destination IP address of IPv6 address: configured. the operation. destination ipv6 ipv6-address (Optional.) Specify the By default, the destination port number destination port number destination port port-number is not specified.
  • Page 54: Displaying And Maintaining Nqa

    Step Command Remarks The default setting is 3. 10. Set the number of If the number of consecutive probe consecutive probe reaction trigger probe-fail failures for an NQA operation is reached, failures to determine an count the NQA client notifies the feature that operation failure.
  • Page 55 Figure 7 Network diagram (labels: NQA client, Device A, Device B, Device C, and Device D; interface addresses 10.1.1.1/24, 10.1.1.2/24, 10.2.2.1/24, 10.2.2.2/24, 10.3.1.1/24, 10.3.1.2/24, 10.4.1.1/24, and 10.4.1.2/24). Configuration procedure # Assign IP addresses to interfaces, as shown in Figure 7. (Details not shown.) # Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.) # Create an ICMP echo operation.
  • Page 56: Icmp Jitter Operation Configuration Example

    [DeviceA] undo nqa schedule admin test1 # Display the most recent result of the ICMP echo operation. [DeviceA] display nqa result admin test1 NQA entry (admin admin, tag test1) test results: Send operation times: 10 Receive response times: 10 Min/Max/Average round trip time: 2/5/3 Square-Sum of round trip time: 96 Last succeeded probe time: 2011-08-23 15:00:01.2 Extended results:...
  • Page 57 # Create an ICMP jitter operation. <DeviceA> system-view [DeviceA] nqa entry admin test1 [DeviceA-nqa-admin-test1] type icmp-jitter # Specify 10.2.2.2 as the destination address for the operation. [DeviceA-nqa-admin-test1-icmp-jitter] destination ip 10.2.2.2 # Configure the operation to repeat every 1000 milliseconds. [DeviceA-nqa-admin-test1-icmp-jitter] frequency 1000 [DeviceA-nqa-admin-test1-icmp-jitter] quit # Start the ICMP jitter operation.
  • Page 58: Dhcp Operation Configuration Example

    # Display the statistics of the ICMP jitter operation. [DeviceA] display nqa statistics admin test1 NQA entry (admin admin, tag test1) test statistics: NO. : 1 Start time: 2015-03-09 17:42:10.7 Life time: 156 seconds Send operation times: 1560 Receive response times: 1560 Min/Max/Average round trip time: 1/2/1 Square-Sum of round trip time: 1563 Extended results:...
  • Page 59: Dns Operation Configuration Example

    Figure 9 Network diagram (NQA client Switch A, Vlan-int2 10.1.1.1/16; DHCP server Switch B, Vlan-int2 10.1.1.2/16). Configuration procedure # Create a DHCP operation. <SwitchA> system-view [SwitchA] nqa entry admin test1 [SwitchA-nqa-admin-test1] type dhcp # Specify the DHCP server address 10.1.1.2 as the destination address. [SwitchA-nqa-admin-test1-dhcp] destination ip 10.1.1.2 # Enable the saving of history records.
  • Page 60 Figure 10 Network diagram (NQA client Device A and a DNS server connected across an IP network; addresses 10.1.1.1/16 and 10.2.2.2/16). Configuration procedure # Assign IP addresses to interfaces, as shown in Figure 10. (Details not shown.) # Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.) # Create a DNS operation.
  • Page 61: Ftp Operation Configuration Example

    FTP operation configuration example Network requirements As shown in Figure 11, configure an FTP operation to test the time required for Device A to upload a file to the FTP server. The login username and password are admin and systemtest, respectively. The file to be transferred to the FTP server is config.txt.
  • Page 62: Http Operation Configuration Example

    Extended results: Packet loss ratio: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to internal error: 0 Failures due to other errors: 0 # Display the history records of the FTP operation. [DeviceA] display nqa history admin test1 NQA entry (admin admin, tag test1) history records: Index...
  • Page 63: Udp Jitter Operation Configuration Example

    [DeviceA] undo nqa schedule admin test1 # Display the most recent result of the HTTP operation. [DeviceA] display nqa result admin test1 NQA entry (admin admin, tag test1) test results: Send operation times: 1 Receive response times: 1 Min/Max/Average round trip time: 64/64/64 Square-Sum of round trip time: 4096 Last succeeded probe time: 2011-11-22 10:12:47.9 Extended results:...
  • Page 64 [DeviceA] nqa entry admin test1 [DeviceA-nqa-admin-test1] type udp-jitter # Specify 10.2.2.2 as the destination address of the operation. [DeviceA-nqa-admin-test1-udp-jitter] destination ip 10.2.2.2 # Set the destination port number to 9000. [DeviceA-nqa-admin-test1-udp-jitter] destination port 9000 # Configure the operation to repeat every 1000 milliseconds. [DeviceA-nqa-admin-test1-udp-jitter] frequency 1000 [DeviceA-nqa-admin-test1-udp-jitter] quit # Start the UDP jitter operation.
  • Page 65: Snmp Operation Configuration Example

    Lost packets for unknown reason: 0 # Display the statistics of the UDP jitter operation. [DeviceA] display nqa statistics admin test1 NQA entry (admin admin, tag test1) test statistics: NO. : 1 Start time: 2011-05-29 13:56:14.0 Life time: 47 seconds Send operation times: 410 Receive response times: 410 Min/Max/Average round trip time: 1/93/19...
  • Page 66 Figure 14 Network diagram (NQA client Device A and SNMP agent Device B connected across an IP network; addresses 10.1.1.1/16 and 10.2.2.2/16). Configuration procedure Assign IP addresses to interfaces, as shown in Figure 14. (Details not shown.) Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.) Configure the SNMP agent (Device B): # Set the SNMP version to all.
  • Page 67: Tcp Operation Configuration Example

    Index Response Status Time Succeeded 2011-11-22 10:24:41.1 The output shows that it took Device A 50 milliseconds to receive a response from the SNMP agent. TCP operation configuration example Network requirements As shown in Figure 15, configure a TCP operation to test the time required for Device A to establish a TCP connection with Device B.
  • Page 68: Udp Echo Operation Configuration Example

    Min/Max/Average round trip time: 13/13/13 Square-Sum of round trip time: 169 Last succeeded probe time: 2011-11-22 10:27:25.1 Extended results: Packet loss ratio: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to internal error: 0 Failures due to other errors: 0 # Display the history records of the TCP operation.
  • Page 69: Udp Tracert Operation Configuration Example

    [DeviceA-nqa-admin-test1-udp-echo] destination port 8000 # Enable the saving of history records. [DeviceA-nqa-admin-test1-udp-echo] history-record enable [DeviceA-nqa-admin-test1-udp-echo] quit # Start the UDP echo operation. [DeviceA] nqa schedule admin test1 start-time now lifetime forever # After the UDP echo operation runs for a period of time, stop the operation. [DeviceA] undo nqa schedule admin test1 # Display the most recent result of the UDP echo operation.
  • Page 70 <DeviceA> system-view [DeviceA] nqa entry admin test1 [DeviceA-nqa-admin-test1] type udp-tracert # Specify 10.2.2.2 as the destination IP address. [DeviceA-nqa-admin-test1-udp-tracert] destination ip 10.2.2.2 # Set the destination port number to 33434. [DeviceA-nqa-admin-test1-udp-tracert] destination port 33434 # Configure Device A to perform three probes to each hop. [DeviceA-nqa-admin-test1-udp-tracert] probe count 3 # Set the probe timeout time to 500 milliseconds.
  • Page 71: Voice Operation Configuration Example

    10.2.2.2 Succeeded 2013-09-09 14:46:04.2 3.1.1.1 Succeeded 2013-09-09 14:46:03.2 3.1.1.1 Succeeded 2013-09-09 14:46:02.2 3.1.1.1 Succeeded 2013-09-09 14:46:01.2 Voice operation configuration example Network requirements As shown in Figure 18, configure a voice operation to test jitters, delay, MOS, and ICPIF between Device A and Device B. Figure 18 Network diagram NQA client NQA server...
  • Page 72 Last packet received time: 2011-06-13 09:49:31.1 Extended results: Packet loss ratio: 0% Failures due to timeout: 0 Failures due to internal error: 0 Failures due to other errors: 0 Packets out of sequence: 0 Packets arrived late: 0 Voice results: RTT number: 1000 Min positive SD: 1 Min positive DS: 1...
  • Page 73: Dlsw Operation Configuration Example

    Packets arrived late: 0 Voice results: RTT number: 4000 Min positive SD: 1 Min positive DS: 1 Max positive SD: 360 Max positive DS: 1297 Positive SD number: 1030 Positive DS number: 1024 Positive SD sum: 4363 Positive DS sum: 5423 Positive SD average: 4 Positive DS average: 5 Positive SD square-sum: 497725...
  • Page 74: Path Jitter Operation Configuration Example

    # Enable the saving of history records. [DeviceA-nqa-admin-test1-dlsw] history-record enable [DeviceA-nqa-admin-test1-dlsw] quit # Start the DLSw operation. [DeviceA] nqa schedule admin test1 start-time now lifetime forever # After the DLSw operation runs for a period of time, stop the operation. [DeviceA] undo nqa schedule admin test1 # Display the most recent result of the DLSw operation.
  • Page 75 # Create a path jitter operation. <DeviceA> system-view [DeviceA] nqa entry admin test1 [DeviceA-nqa-admin-test1] type path-jitter # Specify 10.2.2.2 as the destination IP address of ICMP echo requests. [DeviceA-nqa-admin-test1-path-jitter] destination ip 10.2.2.2 # Configure the path jitter operation to repeat every 10000 milliseconds. [DeviceA-nqa-admin-test1-path-jitter] frequency 10000 [DeviceA-nqa-admin-test1-path-jitter] quit # Start the path jitter operation.
  • Page 76: Nqa Collaboration Configuration Example

    Packets arrived late: 0 Path-Jitter Results Jitter number: 9 Min/Max/Average jitter: 1/10/4 Positive jitter number: 6 Min/Max/Average positive jitter: 1/9/4 Sum/Square-Sum positive jitter: 25/173 Negative jitter number: 3 Min/Max/Average negative jitter: 2/10/6 Sum/Square-Sum positive jitter: 19/153 NQA collaboration configuration example Network requirements As shown in Figure...
  • Page 77 # Start the ICMP operation. [SwitchA] nqa schedule admin test1 start-time now lifetime forever On Switch A, create track entry 1, and associate it with reaction entry 1 of the NQA operation. [SwitchA] track 1 nqa entry admin test1 reaction 1 Verifying the configuration # Display information about all the track entries on Switch A.
  • Page 78: Icmp Template Configuration Example

    Reaction: 1 # Display brief information about active routes in the routing table on Switch A. [SwitchA] display ip routing-table Destinations : 12 Routes : 12 Destination/Mask Proto Cost NextHop Interface 0.0.0.0/32 Direct 0 127.0.0.1 InLoop0 10.2.1.0/24 Direct 0 10.2.1.2 Vlan3 10.2.1.0/32 Direct 0...
  • Page 79: Dns Template Configuration Example

    # Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.) # Create ICMP template icmp. <DeviceA> system-view [DeviceA] nqa template icmp icmp # Specify 10.2.2.2 as the destination IP address of ICMP echo requests. [DeviceA-nqatplt-icmp-icmp] destination ip 10.2.2.2 # Set the probe timeout time to 500 milliseconds for the ICMP echo operation.
  • Page 80: Tcp Template Configuration Example

    # Configure the NQA client to notify the feature of the successful operation event if the number of consecutive successful probes reaches 2. [DeviceA-nqatplt-dns-dns] reaction trigger probe-pass 2 # Configure the NQA client to notify the feature of the operation failure if the number of consecutive failed probes reaches 2.
  • Page 81: Tcp Half Open Template Configuration Example

    TCP half open template configuration example Network requirements As shown in Figure 25, configure a TCP half open template for a feature to test whether Device B can provide the TCP service for Device A. Figure 25 Network diagram NQA client NQA server 10.1.1.1/16 10.2.2.2/16...
  • Page 82: Http Template Configuration Example

    [DeviceB] nqa server enable # Configure a listening service to listen to the IP address 10.2.2.2 and UDP port 9000. [DeviceB] nqa server udp-echo 10.2.2.2 9000 Configure Device A: # Create UDP template udp. <DeviceA> system-view [DeviceA] nqa template udp udp # Specify 10.2.2.2 as the destination IP address.
  • Page 83: Https Template Configuration Example

    HTTPS template configuration example Network requirements As shown in Figure 28, configure an HTTPS template for a feature to test whether the NQA client can get data from the HTTPS server (Device B). Figure 28 Network diagram NQA client HTTPS server 10.1.1.1/16 10.2.2.2/16 IP network...
  • Page 84: Radius Template Configuration Example

    Figure 29 Network diagram NQA client FTP server 10.1.1.1/16 10.2.2.2/16 IP network Device A Device B Configuration procedure # Assign IP addresses to interfaces, as shown in Figure 29. (Details not shown.) # Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.) # Create FTP template ftp.
  • Page 85: Ssl Template Configuration Example

    # Configure static routes or a routing protocol to make sure the devices can reach each other. (Details not shown.) # Configure the RADIUS server. (Details not shown.) # Create RADIUS template radius. <DeviceA> system-view [DeviceA] nqa template radius radius # Specify 10.2.2.2 as the destination IP address of the operation.
  • Page 86 [DeviceA-nqatplt-ssl-ssl] ssl-client-policy abc # Configure the NQA client to notify the feature of the successful operation event if the number of consecutive successful probes reaches 2. [DeviceA-nqatplt-ssl-ssl] reaction trigger probe-pass 2 # Configure the NQA client to notify the feature of the operation failure if the number of consecutive failed probes reaches 2.
  • Page 87: Configuring Ntp

    Configuring NTP Synchronize your device with a trusted time source by using the Network Time Protocol (NTP) or changing the system time before you run it on a live network. Various tasks, including network management, charging, auditing, and distributed computing depend on an accurate system time setting, because the timestamps of system messages and logs use the system time.
  • Page 88: Ntp Architecture

    Figure 32 Basic work flow (diagram: Device A and Device B exchange NTP messages across an IP network; the message carries the timestamps 10:00:00 am, then 11:00:01 am, then 11:00:02 am, and Device A receives the NTP message at 10:00:03 am). The synchronization process is as follows: Device A sends Device B an NTP message, which is timestamped when it leaves Device A.
  • Page 89: Association Modes

    Figure 33 NTP architecture Authoritative clock Primary servers (Stratum 1) Secondary servers (Stratum 2) Tertiary servers (Stratum 3) Quaternary servers (Stratum 4) Symmetric Symmetric Broadcast/multicast Broadcast/multicast Server Client peer peer server client A stratum 1 NTP server gets its time from an authoritative time source, such as an atomic clock. It provides time for other devices as the primary NTP server.
  • Page 90 Table 2 NTP association mode Mode Working process Principle Application scenario On the client, specify the IP address of the NTP server. A client sends a clock synchronization message to the Figure 33 shows, this NTP servers. Upon receiving the message, the servers mode is intended for A client can synchronize...
  • Page 91: Ntp Security

    Mode Working process Principle Application scenario A multicast server can provide time A multicast server periodically synchronization for clients sends clock synchronization A multicast client can in the same subnet or in messages to the user-configured synchronize to a different subnets. multicast address.
  • Page 92: Ntp For Mpls L3Vpn Instances

    Figure 34 NTP authentication (diagram labels: Sender, Receiver, Message, Key ID, Key value, Compute the digest, Digest, Compare, Sends to the receiver). As shown in Figure 34, NTP authentication works as follows: The sender uses the MD5 algorithm to compute a digest of the NTP message with the key identified by a key ID.
  • Page 93: Protocols And Standards

    Protocols and standards • RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis • RFC 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification Configuration restrictions and guidelines When you configure NTP, follow these restrictions and guidelines: •...
  • Page 94: Configuring Ntp In Client/Server Mode

    Configuring NTP in client/server mode Follow these guidelines when you configure an NTP client: • For the client to synchronize to an NTP server, make sure the server is synchronized by other devices or uses its local clock as a reference source. •...
  • Page 95: Configuring Ntp In Broadcast Mode

    Step Command Remarks • Specify a symmetric-passive peer: ntp-service unicast-peer { peer-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | maxpoll maxpoll-interval | minpoll minpoll-interval | priority | source Specify a interface-type interface-number | version By default, no symmetric-passiv number ] * symmetric-passive peer is...
  • Page 96: Configuring Ntp In Multicast Mode

    Configuring NTP in multicast mode For a multicast client to synchronize to a multicast server, make sure the multicast server is synchronized by other devices or uses its local clock as a reference source. Configure NTP in multicast mode on both the multicast server and client. Configuring a multicast client Step Command...
  • Page 97: Configuring Ntp Authentication

    Step Command Remarks • Configure the right for peer devices to access the IPv4 NTP services on the local device: ntp-service access { peer | query | server | synchronization } acl By default, the right for peer Configure the right for peer ipv4-acl-number devices to access the NTP devices to access the NTP...
  • Page 98 Step Command Remarks • Associate the specified key with an NTP server: ntp-service unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] authentication-keyid keyid • Associate the specified key Associate the specified key with an NTP server. with an IPv6 NTP server: ntp-service ipv6 unicast-server { server-name |...
  • Page 99: Configuring Ntp Authentication In Symmetric Active/Passive Mode

    Client Server Configur Configure e a key Authentication Enable NTP Associate the Enable NTP a key and result authenticatio configure key with an authenticatio configure it as a NTP server it as a trusted trusted key Failed. NTP messages cannot be sent and received correctly.
  • Page 100 Step Command Remarks • Associate the specified key with a passive peer: ntp-service unicast-peer { ip-address | peer-name } [ vpn-instance vpn-instance-name ] authentication-keyid keyid Associate the specified key • with a passive peer. Associate the specified key with a passive peer: ntp-service ipv6 unicast-peer { ipv6-address | peer-name } [ vpn-instance...
  • Page 101: Configuring Ntp Authentication In Broadcast Mode

    Active peer Passive peer Configure Configure Associat a key and Authentication Enable NTP Enable NTP a key and e the key configure result authenticatio configure with a authenticatio it as a it as a passive trusted trusted key peer Failed. NTP messages cannot be sent and received correctly.
  • Page 102 Step Command Remarks ntp-service authentication By default, NTP authentication is Enable NTP authentication. enable disabled. ntp-service authentication-keyid keyid Configure an NTP authentication-mode By default, no NTP authentication authentication key. { hmac-sha-1 | hmac-sha-256 | key exists. hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string Configure the key as a ntp-service reliable...
  • Page 103: Configuring Ntp Authentication In Multicast Mode

    Broadcast server Broadcast client Configur Configur Associat e a key e a key Enable NTP e the key Enable NTP Authentication result authenticatio configure with a authenticatio configure it as a broadcas it as a trusted t server trusted Failed. NTP messages cannot be sent and received correctly.
  • Page 104 Step Command Remarks Enter system view. system-view ntp-service authentication By default, NTP authentication is Enable NTP authentication. enable disabled. ntp-service authentication-keyid keyid Configure an NTP authentication-mode By default, no NTP authentication authentication key. { hmac-sha-1 | hmac-sha-256 | key exists. hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string Configure the key as a...
  • Page 105: Configuring Ntp Optional Parameters

    Multicast server Multicast client Configure Configure Associate Authentication Enable NTP Enable NTP a key and a key and the key with result authenticatio configure authenticatio configure a multicast it as a it as a server trusted key trusted key Failed. NTP messages cannot be sent and received...
  • Page 106: Disabling An Interface To Receive Ntp Messages

    ntp-service [ ipv6 ] unicast-server or ntp-service [ ipv6 ] unicast-peer command works as the source interface for NTP messages. • If you have configured the ntp-service broadcast-server or ntp-service [ ipv6 ] multicast-server command, the source interface for the broadcast or multicast NTP messages is the interface configured with the respective command.
  • Page 107: Setting A Dscp Value For Ntp Packets

    • Broadcast or multicast mode—Static associations are created on the server, and dynamic associations are created on the client. A single device can have a maximum of 128 concurrent associations, including static associations and dynamic associations. Perform this task to restrict the number of dynamic associations to prevent dynamic associations from occupying too many system resources.
  • Page 108: Displaying And Maintaining Ntp

    Displaying and maintaining NTP Execute display commands in any view. Task Command Display information about IPv6 NTP associations. display ntp-service ipv6 sessions [ verbose ] Display information about IPv4 NTP associations. display ntp-service sessions [ verbose ] Display information about NTP service status. display ntp-service status Display brief information about the NTP servers from display ntp-service trace [ source interface-type...
  • Page 109: Ipv6 Ntp Client/Server Mode Configuration Example

    [DeviceB] display ntp-service status Clock status: synchronized Clock stratum: 3 System peer: 1.0.1.11 Local mode: client Reference clock ID: 1.0.1.11 Leap indicator: 00 Clock jitter: 0.000977 s Stability: 0.000 pps Clock precision: 2^-18 Root delay: 0.00383 ms Root dispersion: 16.26572 ms Reference time: d0c6033f.b9923965 Wed, Dec 29 2010 18:58:07.724 # Verify that an IPv4 NTP association has been established between Device B and Device A.
  • Page 110: Ntp Symmetric Active/Passive Mode Configuration Example

    [DeviceB] ntp-service enable # Specify Device A as the IPv6 NTP server of Device B so that Device B is synchronized to Device A. [DeviceB] ntp-service ipv6 unicast-server 3000::34 Verify the configuration: # Verify that Device B has synchronized to Device A, and the clock stratum level is 3 on Device B and 2 on Device A.
  • Page 111: Ipv6 Ntp Symmetric Active/Passive Mode Configuration Example

    Configuration procedure Assign an IP address to each interface, and make sure Device A and Device B can reach each other, as shown in Figure 38. (Details not shown.) Configure Device B: # Enable the NTP service. <DeviceB> system-view [DeviceB] ntp-service enable Configure Device A: # Enable the NTP service.
  • Page 112 Figure 39 Network diagram Symmetric active peer Symmetric passive peer 3000::35/64 3000::36/64 Device A Device B Configuration procedure Assign an IP address to each interface, and make sure Device A and Device B can reach each other, as shown in Figure 39.
  • Page 113: Ntp Broadcast Mode Configuration Example

    Total sessions: 1 NTP broadcast mode configuration example Network requirements As shown in Figure 40, Switch C functions as the NTP server for multiple devices on a network segment and synchronizes the time among multiple devices. • Configure Switch C's local clock as a reference source, with stratum level 2. •...
  • Page 114: Ntp Multicast Mode Configuration Example

    [SwitchA-Vlan-interface2] ntp-service broadcast-client Configure Switch B: # Enable the NTP service. <SwitchB> system-view [SwitchB] ntp-service enable # Configure Switch B to operate in broadcast client mode and receive broadcast messages on VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ntp-service broadcast-client Verify the configuration: # Verify that Switch A has synchronized to Switch C, and the clock stratum level is 3 on Switch A and 2 on Switch C.
  • Page 115 Figure 41 Network diagram Vlan-int2 3.0.1.31/24 Switch C NTP multicast server Vlan-int3 Vlan-int3 Vlan-int2 1.0.1.11/24 1.0.1.10/24 3.0.1.30/24 Switch A Switch B NTP multicast client Vlan-int2 3.0.1.32/24 Switch D NTP multicast client Configuration procedure Assign an IP address to each interface, and make sure the switches can reach each other, as shown in Figure 41.
  • Page 116 Local mode: bclient Reference clock ID: 3.0.1.31 Leap indicator: 00 Clock jitter: 0.044281 s Stability: 0.000 pps Clock precision: 2^-18 Root delay: 0.00229 ms Root dispersion: 4.12572 ms Reference time: d0d289fe.ec43c720 Sat, Jan 8 2011 7:00:14.922 # Verify that an IPv4 NTP association has been established between Switch D and Switch C. [SwitchD-Vlan-interface2] display ntp-service sessions source reference...
  • Page 117: Ipv6 Ntp Multicast Mode Configuration Example

    [SwitchA-Vlan-interface3] display ntp-service status Clock status: synchronized Clock stratum: 3 System peer: 3.0.1.31 Local mode: bclient Reference clock ID: 3.0.1.31 Leap indicator: 00 Clock jitter: 0.165741 s Stability: 0.000 pps Clock precision: 2^-18 Root delay: 0.00534 ms Root dispersion: 4.51282 ms Reference time: d0c61289.10b1193f Wed, Dec 29 2010 20:03:21.065 # Verify that an IPv4 NTP association has been established between Switch A and Switch C.
  • Page 118 Configuration procedure Assign an IP address to each interface, and make sure the switches can reach each other, as shown in Figure 42. (Details not shown.) Configure Switch C: # Enable the NTP service. <SwitchC> system-view [SwitchC] ntp-service enable # Specify the local clock as the reference source, with stratum level 2. [SwitchC] ntp-service refclock-master 2 # Configure Switch C to operate in IPv6 multicast server mode and send multicast messages through VLAN-interface 2.
  • Page 119 Last receive time: 23 Offset: -0.0 Roundtrip delay: 0.0 Dispersion: 0.0 Total sessions: 1 Configure Switch B: Because Switch A and Switch C are on different subnets, you must enable the IPv6 multicast functions on Switch B before Switch A can receive IPv6 multicast messages from Switch C. # Enable IPv6 multicast functions.
  • Page 120: Configuration Example For Ntp Client/Server Mode With Authentication

    Reference time: d0c61289.10b1193f Wed, Dec 29 2010 20:03:21.065 # Verify that an IPv6 NTP association has been established between Switch A and Switch C. [SwitchA-Vlan-interface3] display ntp-service ipv6 sessions Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured. Source: [124]3000::2 Reference: 127.127.1.0...
  • Page 121: Configuration Example For Ntp Broadcast Mode With Authentication

    # Specify the key as a trusted key. [DeviceB] ntp-service reliable authentication-keyid 42 # Specify Device A as the NTP server of Device B, and associate the server with key 42. [DeviceB] ntp-service unicast-server 1.0.1.11 authentication-keyid 42 Before Device B can synchronize its clock to that of Device A, enable NTP authentication for Device A.
  • Page 122 • Configure Switch C to operate in broadcast server mode and send broadcast messages from VLAN-interface 2. • Configure Switch A and Switch B to operate in broadcast client mode and receive broadcast messages through VLAN-interface 2. • Enable NTP authentication on Switch A, Switch B, and Switch C. Figure 44 Network diagram Vlan-int2 3.0.1.31/24...
  • Page 123 [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ntp-service broadcast-client Configure Switch C: # Enable the NTP service. <SwitchC> system-view [SwitchC] ntp-service enable # Specify the local clock as the reference source, with stratum level 3. [SwitchC] ntp-service refclock-master 3 # Configure Switch C to operate in NTP broadcast server mode and use VLAN-interface 2 to send NTP broadcast packets.
  • Page 124: Configuration Example For Mpls L3Vpn Network Time Synchronization In Client/Server Mode

    source reference stra reach poll now offset delay disper ******************************************************************************** [1245]3.0.1.31 127.127.1.0 -0.0 0.0000 Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured. Total sessions: 1 Configuration example for MPLS L3VPN network time synchronization in client/server mode Network requirements As shown in Figure 45, two MPLS L3VPN instances are present on PE 1 and PE 2: vpn1 and vpn2.
  • Page 125: Configuration Example For Mpls L3Vpn Network Time Synchronization In Symmetric Active/Passive Mode

    [PE2] ntp-service enable # Specify CE 1 in the VPN instance vpn1 as the NTP server of PE 2. [PE2] ntp-service unicast-server 10.1.1.1 vpn-instance vpn1 Verify the configuration: # Verify that PE 2 has synchronized to CE 1, with stratum level 3. [PE2] display ntp-service status Clock status: synchronized Clock stratum: 3...
  • Page 126 Figure 46 Network diagram VPN 1 VPN 1 CE 1 CE 3 Symmetric passive peer 10.1.1.1/24 10.3.1.1/24 PE 1 Symmetric PE 2 active peer 10.1.1.2/24 MPLS backbone CE 2 CE 4 VPN 2 VPN 2 Configuration procedure Before you perform the following configuration, be sure you have completed MPLS L3VPN-related configurations.
  • Page 127 Root dispersion: 1.15869 ms Reference time: d0c62687.ab1bba7d Wed, Dec 29 2010 21:28:39.668 # Verify that an IPv4 NTP association has been established between PE 1 and CE 1. [PE1] display ntp-service sessions source reference stra reach poll now offset delay disper ******************************************************************************** [1245]10.1.1.1 127.127.1.0...
  • Page 128: Configuring Sntp

    Configuring SNTP SNTP is a simplified, client-only version of NTP specified in RFC 4330. SNTP supports only the client/server mode. An SNTP-enabled device can receive time from NTP servers, but cannot provide time services to other devices. SNTP uses the same packet format and packet exchange procedure as NTP, but provides faster synchronization at the price of time accuracy.
  • Page 129: Configuring Sntp Authentication

    Step Command Remarks • For IPv4: sntp unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid By default, no NTP server is keyid | source interface-type specified for the device. interface-number | version Repeat this step to specify number ] * Specify an NTP server for multiple NTP servers.
  • Page 130: Displaying And Maintaining Sntp

    Step Command Remarks • For IPv4: sntp unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] authentication-keyid keyid Associate the SNTP By default, no NTP server is • authentication key with an For IPv6: specified. NTP server. sntp ipv6 unicast-server { server-name | ipv6-address } [ vpn-instance...
  • Page 131 [DeviceA] ntp-service refclock-master 2 # Enable NTP authentication on Device A. [DeviceA] ntp-service authentication enable # Configure an NTP authentication key, with the key ID of 10 and key value of aNiceKey. Input the key in plain text. [DeviceA] ntp-service authentication-keyid 10 authentication-mode md5 simple aNiceKey # Specify the key as a trusted key.
  • Page 132: Configuring Snmp

    Configuring SNMP Overview Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics, and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.
  • Page 133: Snmp Operations

    SNMP operations SNMP provides the following basic operations: • Get—NMS retrieves the SNMP object nodes in an agent MIB. • Set—NMS modifies the value of an object node in an agent MIB. • Notification—SNMP agent sends traps or informs to report events to the NMS. The difference between these two types of notification is that informs require acknowledgment but traps do not.
  • Page 134: Configuring Snmp Basic Parameters

    Configuring SNMP basic parameters SNMPv3 differs from SNMPv1 and SNMPv2c in many ways. Their configuration procedures are described in separate sections. Configuring SNMPv1 or SNMPv2c basic parameters SNMPv1 and SNMPv2c settings are not supported in FIPS mode. Only users with the network-admin, mdc-admin, or level-15 user role can create SNMPv1 or SNMPv2c communities, users, or groups.
  • Page 135 Step Command Remarks By default, the MIB view ViewDefault is predefined. In this view, all the MIB objects in the iso subtree but the snmpUsmMIB, snmpVacmMIB, and snmpModules.18 subtrees are accessible. snmp-agent mib-view { excluded | (Optional.) Create or Each view-name oid-tree pair included } view-name oid-tree [ mask update a MIB view.
  • Page 136: Configuring Snmpv3 Basic Parameters

    Step Command Remarks 12. (Optional.) Configure By default, the maximum SNMP the maximum SNMP snmp-agent packet max-size packet size (in bytes) that the packet size (in bytes) byte-count SNMP agent can handle is 1500 that the SNMP agent bytes. can handle. 13.
  • Page 137 Step Command Remarks By default, the SNMP agent is disabled. The SNMP agent is enabled when (Optional.) Enable the snmp-agent you use any command that begins SNMP agent. with snmp-agent except for the snmp-agent calculate-password command. The default system contact is (Optional.) Configure snmp-agent sys-info contact Hewlett Packard Enterprise...
  • Page 138 Step Command Remarks • In non-FIPS mode: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] * (Optional.) Create an By default, no SNMP groups exist.
  • Page 139 Step Command Remarks • In non-FIPS mode (in VACM mode): snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | aes192 | aes256 | des56 } priv-password ] ] [ acl...
  • Page 140: Configuring Snmp Logging

    Step Command Remarks 12. (Optional.) Assign a By default, an SNMPv3 user has user role to an snmp-agent usm-user v3 user-name the user role assigned to it at its SNMPv3 user created user-role role-name creation. in RBAC mode. 13. (Optional.) Create an By default, no SNMP contexts snmp-agent context context-name SNMP context.
  • Page 141: Configuring Snmp Notifications

    Configuring SNMP notifications The SNMP Agent sends notifications (traps and informs) to inform the NMS of significant events, such as link state changes and user logins or logouts. Unless otherwise stated, the trap keyword in the command line includes both traps and informs. Enabling SNMP notifications Enable an SNMP notification only if necessary.
  • Page 142 • If SNMPv3 is used, you must configure the SNMP engine ID of the NMS when you configure SNMPv3 basic settings. Also, specify the IP address of the SNMP engine when you create the SNMPv3 user. Configuration prerequisites Configure the SNMP agent with the same basic SNMP settings as the NMS. If SNMPv1 or SNMPv2c is used, you must configure a community name.
  • Page 143: Displaying The Snmp Settings

    Step Command Remarks (Optional.) Set the The default notification snmp-agent trap life seconds notification lifetime. lifetime is 120 seconds. Displaying the SNMP settings Execute display commands in any view. Task Command display snmp-agent sys-info [ contact | location | Display SNMP agent system information. version ] * display snmp-agent statistics Display SNMP agent statistics.
  • Page 144: Configuration Procedure

    Figure 50 Network diagram Agent 1.1.1.2/24 1.1.1.1/24 Configuration procedure Configure the SNMP agent: # Configure the IP address of the agent and make sure the agent and the NMS can reach each other. (Details not shown.) # Specify SNMPv1, and create the read-only community public and the read and write community private.
  • Page 145: Snmpv3 Configuration Example

    # Use a wrong community name to get the value of a MIB node on the agent. You can see an authentication failure trap on the NMS. 1.1.1.1/2934 V1 Trap = authenticationFailure SNMP Version = V1 Community = public Command = Trap Enterprise = 1.3.6.1.4.1.43.1.16.4.3.50 GenericID = 4 SpecificID = 0...
  • Page 146 [Agent] snmp-agent usm-user v3 RBACtest user-role test simple authentication-mode sha 123456TESTauth&! privacy-mode aes128 123456TESTencr&! # Configure contact and physical location information for the agent. [Agent] snmp-agent sys-info contact Mr.Wang-Tel:3306 [Agent] snmp-agent sys-info location telephone-closet,3rd-floor # Enable notifications, specify the NMS at 1.1.1.2 as a notification destination, and set the username to RBACtest for the notifications.
  • Page 147: Verifying The Configuration

    [Agent] snmp-agent trap enable [Agent] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname managev3user v3 privacy Configure the SNMP NMS: • Specify SNMPv3. • Create the SNMPv3 user VACMtest. • Enable both authentication and privacy functions. • Use SHA-1 for authentication and AES for encryption. ...
  • Page 148: Configuring Rmon

    For more information about SNMP notifications, see "Configuring SNMP." HPE devices provide an embedded RMON agent as the RMON monitor. An NMS can perform basic SNMP operations to access the RMON MIB. RMON groups Among standard RMON groups, Hewlett Packard Enterprise implements the statistics group, history group, event group, alarm group, probe configuration group, and user history group.
  • Page 149 Event group The event group controls the generation and notifications of events triggered by the alarms defined in the alarm group and the private alarm group. The following are RMON alarm event handling methods: • Log—Logs event information (including event time and description) in the event log table so the management device can get the logs through SNMP.
  • Page 150: Sample Types For The Alarm Group And The Private Alarm Group

    • Triggers the event associated with the falling alarm event if the result is equal to or less than the falling threshold. If a private alarm entry crosses a threshold multiple times in succession, the RMON agent generates an alarm event only for the first crossing. For example, if the value of a sampled alarm variable crosses the rising threshold multiple times before it crosses the falling threshold, only the first crossing triggers a rising alarm event.
  • Page 151: Configuring The Rmon Alarm Function

    You can create a history control entry successfully even if the specified bucket size exceeds the available history table size. RMON will set the bucket size as closely to the expected bucket size as possible. To create an RMON history control entry: Step Command Remarks...
  • Page 152: Displaying And Maintaining Rmon Settings

    Step: Enter system view. Command: system-view Step: (Optional.) Create an RMON event entry. Remarks: By default, no RMON event entries exist. Command: rmon event entry-number [ description string ] { log | log-trap security-string | none | trap security-string } [ owner text ] •...
  • Page 153: History Group Configuration Example

    Figure 53 Network diagram GE1/0/1 Server Device 1.1.1.2 Configuration procedure # Create an RMON Ethernet statistics entry for GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] rmon statistics 1 owner user1 # Display statistics collected for GigabitEthernet 1/0/1. <Sysname> display rmon statistics gigabitethernet 1/0/1 EtherStatsEntry 1 owned by user1 is VALID.
  • Page 154: Alarm Function Configuration Example

    Sampled interface : GigabitEthernet1/0/1<ifIndex.3> Sampling interval : 60(sec) with 8 buckets max Sampling record 1 : dropevents , octets : 834 packets , broadcast packets multicast packets : 6 , CRC alignment errors : 0 undersize packets : 0 , oversize packets fragments , jabbers collisions...
  • Page 155 # Create an RMON event entry and an RMON alarm entry to send SNMP notifications when the delta sample for 1.3.6.1.2.1.16.1.1.1.4.1 exceeds 100 or drops below 50. [Sysname] rmon event 1 trap public owner user1 [Sysname] rmon alarm 1 1.3.6.1.2.1.16.1.1.1.4.1 5 delta rising-threshold 100 1 falling-threshold 50 1 owner user1 NOTE: The string 1.3.6.1.2.1.16.1.1.1.4.1 is the object instance for GigabitEthernet 1/0/1.
  • Page 156: Configuring Netconf

    Configuring NETCONF Overview Network Configuration Protocol (NETCONF) is an XML-based network management protocol with filtering capabilities. It provides programmable mechanisms to manage and configure network devices. Through NETCONF, you can configure device parameters, retrieve parameter values, and get statistics information. In NETCONF messages, each data item is contained in a fixed element.
  • Page 157: Netconf Message Format

    NETCONF message format NETCONF All NETCONF messages are XML-based and comply with RFC 4741. Any incoming NETCONF message must pass XML Schema check before it can be processed. If a NETCONF message fails XML Schema check, the device sends an error message to the client. For information about the NETCONF operations supported by the device and the operable data, see the NETCONF XML API reference for the device.
  • Page 158: How To Use Netconf

    <Ifmgr> <Interfaces> <Interface/> </Interfaces> </Ifmgr> </top> </filter> </get-bulk> </rpc> </env:Body> </env:Envelope> How to use NETCONF You can use NETCONF to manage and configure the device by using the methods in Table Table 10 NETCONF methods for configuring the device Configuration tool Login method Remarks To implement NETCONF operations, copy valid...
  • Page 159: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see Security Configuration Guide) and non-FIPS mode. NETCONF configuration task list Tasks at a glance (Optional.) Configuring NETCONF over SOAP (Optional.)
  • Page 160: Enabling Netconf Over Ssh

    Step: Enable NETCONF over SOAP. Remark: By default, the NETCONF over SOAP feature is disabled. Command: • Enable NETCONF over SOAP over HTTP (not available in FIPS mode): netconf soap http enable • Enable NETCONF over SOAP over HTTPS: netconf soap https enable •...
  • Page 161: Configuring Netconf To Use Module-Specific Namespaces

    To enable NETCONF logging: Step: Enter system view. Command: system-view Step: Enable NETCONF logging. Remarks: By default, NETCONF logging is disabled. Command: netconf log source { all | { agent | soap | web } * } { protocol-operation { all | { action | config | get | set | ...
  • Page 162: Configuration Restrictions And Guidelines

    The common namespace is incompatible with module-specific namespaces. To set up a NETCONF session, the device and the client must use the same type of namespaces. By default, the common namespace is used. If the client does not support the common namespace, use this feature to configure the device to use module-specific namespaces.
  • Page 163: Entering Xml View

    Entering XML view Task Command Remarks Available in user view. To configure NETCONF in XML view, copy and paste a NETCONF message to ensure the format correctness of the NETCONF message. Do not enter the message manually. While the device is performing a NETCONF operation, do not perform any other operations, Enter XML view.
  • Page 164: Subscription Procedure

    information about which event notifications you can subscribe to, see the system log messages reference for the device. A subscription takes effect only on the current session. If the session is terminated, the subscription is automatically canceled. You can send multiple subscription messages to subscribe to notification of multiple events. Subscription procedure # Copy the following message to the client to complete the subscription: <?xml version="1.0"...
  • Page 165: Example For Subscribing To Event Notifications

    </rpc-error> </rpc-reply> For more information about error messages, see RFC 4741. Example for subscribing to event notifications Network requirements Configure a client to subscribe to all events with no time limitation. After the subscription is successful, all events on the device are sent to the client before the session between the device and client is terminated.
  • Page 166: Locking/Unlocking The Configuration

    # When another client (192.168.100.130) logs in to the device, the device sends a notification to the client that has subscribed to all events: <?xml version="1.0" encoding="UTF-8"?> <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> <eventTime>2011-01-04T12:30:52</eventTime> <event xmlns="http://www.hp.com/netconf/event:1.0"> <Group>SHELL</Group> <Code>SHELL_LOGIN</Code> <Slot>6</Slot> <Severity>Notification</Severity> <context>VTY logged in from 192.168.100.130.</context> </event>...
  • Page 167: Example For Locking The Configuration

    <unlock> <target> <running/> </target> </unlock> </rpc> After receiving the unlock request, the device returns a response in the following format if the unlock operation is successful: <?xml version="1.0" encoding="UTF-8"?> <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <ok/> </rpc-reply> Example for locking the configuration Network requirements Lock the device configuration so that other users cannot change the device configuration.
  • Page 168: Performing Service Operations

    <?xml version="1.0" encoding="UTF-8"?> <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <rpc-error> <error-type>protocol</error-type> <error-tag>lock-denied</error-tag> <error-severity>error</error-severity> <error-message xml:lang="en"> Lock failed because the NETCONF lock is held by another session.</error-message> <error-info> <session-id>1</session-id> </error-info> </rpc-error> </rpc-reply> The output shows that the lock operation failed because the client with session ID 1 held the lock, and only the client holding the lock can release the lock.
  • Page 169 </filter> </getoperation> </rpc> The <getoperation> parameter can be <get> or <get-bulk>. The <filter> element is used to filter data, and it can contain module name, submodule name, table name, and column name. • If the module name and the submodule name are not provided, the operation retrieves the data for all modules and submodules.
  • Page 170: Performing The Get-Config/Get-Bulk-Config Operation

    Performing the get-config/get-bulk-config operation The get-config and get-bulk-config operations are used to retrieve all non-default settings, which are configured by means of CLI, MIB, and Web. The <get-config> and <get-bulk-config> messages can contain the <filter> element for filtering data. The <get-config> and <get-bulk-config> messages are similar. The following is a <get-config> message example: <?xml version="1.0"?>...
  • Page 171: All-Module Configuration Data Retrieval Example

    </edit-config> </rpc> After receiving the edit-config request, the device returns a response in the following format if the operation is successful: <?xml version="1.0"?> <rpc-reply message-id="100" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <ok/> </rpc-reply> # Perform the get operation to verify that the current value of the parameter is the same as the value specified through the edit-config operation.
  • Page 172 <Interface> <IfIndex>1308</IfIndex> <Shutdown>1</Shutdown> </Interface> <Interface> <IfIndex>1309</IfIndex> <Shutdown>1</Shutdown> </Interface> <Interface> <IfIndex>1311</IfIndex> <VlanType>2</VlanType> </Interface> <Interface> <IfIndex>1313</IfIndex> <VlanType>2</VlanType> </Interface> </Interfaces> </Ifmgr> <Syslog> <LogBuffer> <BufferSize>120</BufferSize> </LogBuffer> </Syslog> <System> <Device> <SysName>HPE</SysName> <TimeZone> <Zone>Z</Zone> <ZoneName></ZoneName> </TimeZone> </Device> </System> <Fundamentals> <WebUI> <SessionAgingTime>98</SessionAgingTime> </WebUI> </Fundamentals> </top> </data> </rpc-reply>...
  • Page 173: Syslog Configuration Data Retrieval Example

    Syslog configuration data retrieval example Network requirements Retrieve configuration data for the Syslog module. Configuration procedure # Enter XML view. <Sysname> xml # Notify the device of the NETCONF capabilities supported on the client. <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <capabilities> <capability> urn:ietf:params:netconf:base:1.0 </capability> </capabilities>...
  • Page 174: Example For Retrieving A Data Entry For The Interface Table

    Example for retrieving a data entry for the interface table Network requirements Retrieve a data entry for the interface table. Configuration procedure # Enter XML view. <Sysname> xml # Notify the device of the NETCONF capabilities supported on the client. <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">...
  • Page 175: Example For Changing The Value Of A Parameter

    <ActualSpeed>100000</ActualSpeed> <ConfigDuplex>3</ConfigDuplex> <ActualDuplex>1</ActualDuplex> </Interface> </Interfaces> </Ifmgr> </top> </data> </rpc-reply> Example for changing the value of a parameter Network requirements Change the log buffer size for the Syslog module to 512. Configuration procedure # Enter XML view. <Sysname> xml # Notify the device of the NETCONF capabilities supported on the client. <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">...
  • Page 176: Saving, Rolling Back, And Loading The Configuration

    Saving, rolling back, and loading the configuration Use NETCONF to save, roll back, or load the configuration. Performing the save, rollback, or load operation consumes a lot of system resources. Do not perform these operations when the system resources are heavily occupied. Saving the configuration # Copy the following text to the client to save the device configuration to the specified file: <?xml version="1.0"...
  • Page 177: Rolling Back The Configuration Based On A Rollback Point

    Rolling back the configuration based on a rollback point You can roll back the running configuration based on a rollback point when one of the following situations occurs: • A NETCONF client sends a rollback request. • The NETCONF session idle time is longer than the rollback idle timeout time. •...
  • Page 178 </data> </rpc-reply> Performing the save-point/commit operation The system supports a maximum of 50 rollback points. When the limit is reached, you must specify the force attribute to overwrite the earliest rollback point. # Copy the following text to the client to configure the rollback point: <rpc message-id="101"...
  • Page 179 <ok></ok> </rpc-reply> Performing the save-point/end operation # Copy the following text to the client to end the rollback configuration: <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <save-point> <end/> </save-point> </rpc> After receiving the end request, the device returns a response in the following format if the end operation is successful: <rpc-reply message-id="100"...
  • Page 180 </data> </rpc-reply> Performing the save-point/get-commit-information operation # Copy the following text to the client to get the system configuration data corresponding to a rollback point: <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <save-point> <get-commit-information> <commit-information> <commit-id/> <commit-index/> <commit-label/> </commit-information> <compare-information> <commit-id/> <commit-index/> <commit-label/> </compare-information> </get-commit-information>...
  • Page 181: Loading The Configuration

    Loading the configuration After you perform the load operation, the loaded settings are merged into the current configuration as follows: • New settings are directly loaded. • Settings that already exist in the current configuration are replaced by those loaded from the configuration file.
  • Page 182: Filtering Data

    </save> </rpc> Verifying the configuration If the client receives the following response, the save operation is successful: <?xml version="1.0" encoding="UTF-8"?> <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <ok/> </rpc-reply> Filtering data You can define a filter to filter information when you perform a get, get-bulk, get-config, or get-bulk-config operation.
  • Page 183 Full match filtering You can specify an element value in an XML message to implement full match filtering. If multiple element values are provided, the system returns the data that matches all the specified values. # Copy the following text to the client to retrieve configuration data of all interfaces in UP state: <rpc message-id ="101"...
  • Page 184 <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:hp="http://www.hp.com/netconf/base:1.0"> <get-config> <source> <running/> </source> <filter type="subtree"> <top xmlns="http://www.hp.com/netconf/config:1.0"> <Ifmgr> <Interfaces> <Interface> <Description hp:regExp="^[A-Z]*$"/> </Interface> </Interfaces> </Ifmgr> </top> </filter> </get-config> </rpc> Conditional match filtering To implement a complex data filtering with digits and character strings, you can add a match attribute for a specific element.
  • Page 185: Example For Filtering Data With Regular Expression Match

    <rpc message-id="100" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:hp="http://www.hp.com/netconf/base:1.0"> <get> <filter type="subtree"> <top xmlns="http://www.hp.com/netconf/data:1.0"> <Device> <ExtPhysicalEntities> <Entity> <CpuUsage hp:match="more:50"></CpuUsage> </Entity> </ExtPhysicalEntities> </Device> </top> </filter> </get> </rpc> Example for filtering data with regular expression match Network requirements Retrieve all data including Gigabit in the Description column of the Interfaces table under the Ifmgr module.
  • Page 186: Example For Filtering Data By Conditional Match

    </Ifmgr> </top> </filter> </get> </rpc> Verifying the configuration If the client receives the following text, the operation is successful: <?xml version="1.0" encoding="UTF-8"?> <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:reg="http://www.hp.com/netconf/base:1.0" message-id="100"> <data> <top xmlns="http://www.hp.com/netconf/data:1.0"> <Ifmgr> <Interfaces> <Interface> <IfIndex>2681</IfIndex> <Description>GigabitEthernet1/0/1 Interface</Description> </Interface> <Interface> <IfIndex>2685</IfIndex> <Description>GigabitEthernet1/0/2 Interface</Description> </Interface>...
  • Page 187: Performing Cli Operations Through Netconf

    </hello> # Retrieve data in the Name column with the ifindex value not less than 5000 in the Interfaces table under the Ifmgr module. <rpc message-id="100" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:hp="http://www.hp.com/netconf/base:1.0"> <get> <filter type="subtree"> <top xmlns="http://www.hp.com/netconf/data:1.0"> <Ifmgr> <Interfaces> <Interface> <IfIndex hp:match="notLess:5000"/> <Name/> </Interface> </Interfaces>...
  • Page 188: Configuration Procedure

    Performing CLI operations through NETCONF is resource intensive. As a best practice, do not perform the following tasks: • Enclose multiple command lines in one XML message. • Use NETCONF to perform a CLI operation when other users are performing NETCONF CLI operations.
  • Page 189: Retrieving Netconf Information

    <CLI> <Execution> display current-configuration </Execution> </CLI> </rpc> Verifying the configuration If the client receives the following text, the operation is successful: <?xml version="1.0" encoding="UTF-8"?> <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <CLI> <Execution><![CDATA[ <Sysname>display current-configuration version 7.1.052, Demo 2501005 sysname Sysname ftp server enable ftp update fast ftp timeout 2000 irf mac-address persistent timer...
  • Page 190: Retrieving Yang File Content

    <get> <filter type='subtree'> <netconf-state xmlns='urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring'> <getType/> </netconf-state> </filter> </get> </rpc> The value for the <getType> parameter can be one of the following operations: • capabilities—Retrieves device capabilities. • datastores—Retrieves databases from the device. • schemas—Retrieves the list of the YANG file names from the device. •...
  • Page 191: Retrieving Netconf Session Information

    <rpc-reply message-id="100" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <data> Content of the specified YANG file </data> </rpc-reply> Retrieving NETCONF session information You can use the get-sessions operation to retrieve NETCONF session information of the device. # Copy the following message to the client to retrieve NETCONF session information from the device: <?xml version="1.0"...
  • Page 192: Terminating Another Netconf Session

    If the client receives a message as follows, the operation is successful: <?xml version="1.0" encoding="UTF-8"?> <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101"> <get-sessions> <Session> <SessionID>1</SessionID> <Line>vty0</Line> <UserName></UserName> <Since>2011-01-05T00:24:57</Since> <LockHeld>false</LockHeld> </Session> </get-sessions> </rpc-reply> The output shows the following information: • The session ID of an existing NETCONF session is 1. •...
  • Page 193: Returning To The Cli

    Configuration procedure # Enter XML view. <Sysname> xml # Notify the device of the NETCONF capabilities supported on the client. <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <capabilities> <capability> urn:ietf:params:netconf:base:1.0 </capability> </capabilities> </hello> # Terminate the session with session ID 2. <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <kill-session> <session-id>2</session-id>...
  • Page 194: Appendix

    Appendix Appendix A Supported NETCONF operations Table 12 lists the NETCONF operations available with Comware 7. Table 12 NETCONF operations Operation Description XML example To retrieve device configuration and state information for the Syslog module: <rpc message-id ="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:xc="http://www.hp.com/netconf/base:1.0">...
  • Page 195 Operation: get-bulk Description: Retrieves a number of data entries (including device configuration and state information) starting from the ... XML example: To retrieve device configuration and state information for all interfaces: <rpc message-id ="100" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <get-bulk> <filter type="subtree"> <top xmlns="http://www.hp.com/netconf/data:1.0"> <Ifmgr> <Interfaces xc:count="5"...
  • Page 196 Description: Adds configuration data to a column without affecting the ... XML example: To add VLANs 1 through 10 to an untagged VLAN list that has untagged VLANs 12 through 15: <rpc message-id ="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:hp="http://www.hp.com/netconf/base:1.0"> <edit-config> <target> <running/> </target>...
  • Page 197 Description: Changes the running configuration. To use the merge attribute in the edit-config operation, you must specify the operation target (on a specified level): ... XML example: To change the buffer size to 120: <rpc message-id ="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target> <running/> </target>...
  • Page 198 Operation: edit-config: ... Description: Removes the specified configuration. • If the specified target has only the table index, the operation removes all configuration of the specified target, and the target itself. • If the specified target has ... XML example: The syntax is the same as the edit-config message with the merge attribute....
  • Page 199 Description: Modifies the current configuration of the device using the default operation method. If you do not specify an operation attribute for an edit-config message, NETCONF uses one of the following default operation ... XML example: To issue an empty operation for schema verification purposes: <rpc message-id ="101" xmlns="urn:ietf:params:xml:ns:netconf:ba...
  • Page 200 Description: Determines the action to take in ... XML example: To issue the configuration for two interfaces with the error-option element value as continue-on-error: <rpc message-id ="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target> <running/> </target> <error-option>continue-on-error</error-option> <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0"> <top xmlns="http://www.hp.com/netconf/config:1.0">...
  • Page 201 Description: Determines whether to issue a configuration item in the edit-config operation. The test-option element has one of the following values: ... XML example: To issue the configuration for an interface for test purposes: <rpc message-id ="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target> <running/> </target> <test-option>test-only</test-option> <config xmlns:xc="urn:ietf:params:xml:ns:netconf...
  • Page 202 Operation: lock Description: Locks the configuration data that can be changed by the edit-config operation. Other configuration data are not limited by the lock operation. After a user locks the ... XML example: To lock the configuration: <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <lock> <target>...
  • Page 203 Description: Executes CLI operations. A request message encloses commands in the <CLI> element, and a response message encloses the command output in the <CLI> element. NETCONF supports the ... XML example: To execute the display this command in system view: <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">...
  • Page 204: Configuring Eaa

    Configuring EAA Overview Embedded Automation Architecture (EAA) is a monitoring framework that enables you to self-define monitored events and actions to take in response to an event. It allows you to create monitor policies by using the CLI or Tcl scripts. EAA framework EAA framework includes a set of event sources, a set of event monitors, a real-time event manager (RTM), and a set of user-defined monitor policies, as shown in...
  • Page 205: Elements In A Monitor Policy

    EAA monitor policies A monitor policy specifies the event to monitor and actions to take when the event occurs. You can configure EAA monitor policies by using the CLI or Tcl. A monitor policy contains the following elements: • One event. •...
  • Page 206: Eaa Environment Variables

    Event type Description Track event occurs when the state of the track entry changes from Positive to Negative or Negative to Positive. If you specify multiple track entries for a policy, EAA triggers the policy only when the state of all the track entries changes from Positive to Negative or Negative to Positive.
  • Page 207: Configuring A User-Defined Eaa Environment Variable

    Table 14 shows all system-defined variables. Table 14 System-defined EAA environment variables by event type Variable name Description Any event: _event_id Event ID. _event_type Event type. _event_type_string Event type description. _event_time Time when the event occurs. _event_severity Severity level of an event. CLI: _cmd Commands that are matched.
  • Page 208: Configuring A Monitor Policy

    Step: Enter system view. Command: system-view Step: Configure a user-defined EAA environment variable. Command: rtm environment var-name var-value Remarks: By default, no user-defined environment variables exist. The system provides the system-defined variables in Table Configuring a monitor policy You can configure a monitor policy by using the CLI or Tcl. Configuration restrictions and guidelines When you configure monitor policies, follow these restrictions and guidelines: •...
  • Page 209 Step Command Remarks • Configure a CLI event: event cli { async [ skip ] | sync } mode { execute | help | tab } pattern regular-exp • (In standalone mode.) Configure a hotplug event: event hotplug [ insert | remove ] slot slot-number [ subslot subslot-number ] •...
  • Page 210: Configuring A Monitor Policy By Using Tcl

    Remarks: By default, a monitor policy does not contain any actions. Repeat this step to add a maximum of 232 actions to the ... Command: • Configure a CLI action: action number cli command-line • (In standalone mode.) Configure a reboot action: action number reboot [ slot slot-number [ subslot subslot-number ] ]...
  • Page 211: Suspending Monitor Policies

    Step Command Remarks Enter system view. system-view By default, no Tcl policies exist. Make sure the script file is saved on all MPUs. This practice ensures that the policy can run correctly after an active/standby or master/standby switchover occurs or the MPU where the script file resides fails or is removed.
  • Page 212: Displaying And Maintaining Eaa Settings

    Displaying and maintaining EAA settings Execute display commands except for the display this command in any view. Task: Display user-defined EAA environment variables. Command: display rtm environment [ var-name ] Task: Display EAA monitor policies. Command: display rtm policy { active | registered [ verbose ] }...
  • Page 213: Track Event Monitor Policy Configuration Example

    Verifying the configuration # Display information about the policy. [Sysname-rtm-test] display rtm policy registered Total number: 1 Type Event TimeRegistered PolicyName Aug 29 14:56:50 2013 test # Enable the information center to output log messages to the current monitoring terminal. [Sysname-rtm-test] return <Sysname>...
  • Page 214: Configuration Procedures

    Figure 57 Network diagram IP network Device C 10.2.1.2 Device A Device B GE1/0/1 GE1/0/1 Device D Device E 10.3.1.2 10.3.2.2 Configuration procedures # Display BGP peer information for Device A. <Sysname> display bgp peer ipv4 BGP local router ID: 1.1.1.1 Local AS number: 100 Total number of peers: 3 Peers in established state: 3...
  • Page 215: Cli-Defined Policy With Eaa Environment Variables Configuration Example

    [Sysname-rtm-test] user-role network-admin [Sysname-rtm-test] commit [Sysname-rtm-test] quit Verifying the configuration # Shut down GigabitEthernet 1/0/1. [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] shutdown # Display BGP peer information. <Sysname> display bgp peer ipv4 BGP local router ID: 1.1.1.1 Local AS number: 100 Total number of peers: 0 Peers in established state: 0 * - Dynamically created peer...
  • Page 216: Tcl-Defined Policy Configuration Example

    [Sysname-rtm-test] action 2 cli ip address $loopback0IP 24 # Add an action that sends the matching loopback0 command with a priority of 0 from the logging facility local7 when the event occurs. [Sysname-rtm-test] action 3 syslog priority 0 facility local7 msg $_cmd # Specify the network-admin user role for executing the policy.
  • Page 217 ::comware::rtm::event_register cli sync mode execute pattern display this user-role network-admin ::comware::rtm::action syslog priority 1 facility local4 msg rtm_tcl_test is running # Download the Tcl script file from the TFTP server at 1.2.1.1. <Sysname> tftp 1.2.1.1 get rtm_tcl_test.tcl # Create Tcl-defined policy test and bind it to the Tcl script file. <Sysname>...
  • Page 218: Monitoring And Maintaining Processes

    Monitoring and maintaining processes The system software of the device is a full-featured, modular, and scalable network operating system based on the Linux kernel. The system software features run the following types of independent processes: • User process—Runs in user space. Most system software features run user processes. Each process runs in an independent space so the failure of a process does not affect other processes.
  • Page 219: Displaying And Maintaining User Processes

    Task: Monitor thread running state. Command: monitor thread [ dumbtty ] [ iteration number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] For more information about the display memory [ chassis chassis-number slot slot-number ] command, see Fundamentals Command Reference. Displaying and maintaining user processes (In standalone mode.) Execute display commands in any view and other commands in user view....
  • Page 220: Monitoring Kernel Threads

    Task: Display memory usage for all user processes. Command: display process memory [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] Task: Display heap memory usage for a user process. Command: display process memory heap job job-id [ verbose ] [ chassis chassis-number slot slot-number...
  • Page 221 This feature enables the device to detect deadloops. If a thread occupies the CPU for a specific interval, the device considers that a deadloop has occurred and takes the specified deadloop protection action. (In standalone mode.) To configure kernel thread deadloop detection: Step Command Remarks...
  • Page 222: Configuring Kernel Thread Starvation Detection

    Configuring kernel thread starvation detection CAUTION: The system detects whether or not kernel thread starvation occurs after the device is powered up. Inappropriate configuration of kernel thread starvation detection can cause service problems or system breakdown. Make sure you understand the impact of this configuration on your network before you configure kernel thread starvation detection.
  • Page 223
    Task: Display kernel thread deadloop information.
    Command: display kernel deadloop show-number [ offset ] [ verbose ] [ slot slot-number [ cpu cpu-number ] ]
    Task: Display kernel thread deadloop detection configuration.
    Command: display kernel deadloop configuration [ slot slot-number [ cpu cpu-number ] ]
  • Page 225: Configuring Samplers

    Configuring samplers A sampler selects a packet from sequential packets and sends the packet to other service modules for processing. Sampling is useful when you want to limit the volume of traffic to be analyzed. The sampled data is statistically accurate and sampling decreases the impact on the forwarding capacity of the device.
  • Page 226: Configuration Procedure

    Figure 59 Network diagram (labels: GE1/0/1, GE1/0/2, 11.110.2.1/16, 12.110.2.1/16, Network, Device, NetStream server 12.110.2.2/16)
    Configuration procedure
    # Create sampler 256 in fixed sampling mode, and set the rate to 8. The first packet of 256 (2 to the 8th power) packets is selected.
    <Device>...
  • Page 227: Configuring Port Mirroring

    Configuring port mirroring
    Overview
    Port mirroring copies the packets passing through a port or CPU to a port that connects to a data monitoring device for packet analysis.
    Terminology
    The following terms are used in port mirroring configuration.
    Mirroring source
    The mirroring sources can be one or more monitored ports or CPUs.
  • Page 228: Port Mirroring Classification And Implementation

    NOTE: On port mirroring devices, all ports except source, destination, reflector, and egress ports are called common ports.
    Port mirroring classification and implementation
    Port mirroring includes local port mirroring and remote port mirroring.
    • Local port mirroring—The mirroring sources and the mirroring destination are on the same device.
  • Page 229 Remote port mirroring includes Layer 2 and Layer 3 remote port mirroring. • Layer 2 remote port mirroring—The mirroring sources and the mirroring destination are located on different devices on a same Layer 2 network. Layer 2 remote port mirroring can be implemented when a reflector port or an egress port is available on the source device.
  • Page 230 Figure 62 Layer 2 remote port mirroring implementation through the egress port method (diagram labels: source device, intermediate device, destination device, remote probe VLAN, host, data monitoring device)
  • Page 231: Configuring Local Port Mirroring

    Figure 63 Layer 3 remote port mirroring implementation (diagram labels: source device, destination device, tunnel interfaces, GRE tunnel, IP network, host, data monitoring device; legend: original packets, mirrored packets, source port, monitor port, common port)
    Configuring local port mirroring
    A local mirroring group takes effect only when you configure the monitor port and the source ports or source CPUs for the local mirroring group.
  • Page 232: Configuring Source Cpus For The Local Mirroring Group

    • A mirroring group can contain multiple source ports.
    • Layer 2 or Layer 3 aggregate interfaces cannot be configured as source ports for mirroring groups.
    • For port mirroring to operate correctly, do not configure an EVB-enabled port as a source port. For more information about EVB, see EVB Configuration Guide.
  • Page 233: Configuring The Monitor Port For The Local Mirroring Group

    Configuring the monitor port for the local mirroring group
    To configure the monitor port for a mirroring group, use one of the following methods:
    • Configure the monitor port for the mirroring group in system view.
    • Assign a port to the mirroring group as the monitor port in interface view.
    Configuration restrictions and guidelines
    When you configure the monitor port for a local mirroring group, follow these restrictions and guidelines:...
  • Page 234: Layer 2 Remote Port Mirroring With Configurable Reflector Port Configuration Task List

    • For a mirrored packet to successfully arrive at the remote destination device, make sure its VLAN ID is not removed or changed.
    • Do not configure both MVRP and Layer 2 remote port mirroring. Otherwise, MVRP might register the remote probe VLAN with incorrect ports, which would cause the monitor port to receive undesired copies.
  • Page 235: Configuring A Remote Destination Group On The Destination Device

    Configuring a remote destination group on the destination device Restrictions and guidelines for remote destination group configuration You can configure a remote destination group on an IRF fabric with member devices connected through multiple IRF physical interfaces. In this case, the monitor port of the remote destination group and the port that receives the mirrored traffic must reside on the same member device.
  • Page 236: Configuring A Remote Source Group On The Source Device

    Configuring the remote probe VLAN for a remote destination group When you configure the remote probe VLAN for a remote destination group, follow these restrictions and guidelines: • Only an existing static VLAN can be configured as a remote probe VLAN. •...
  • Page 237 • Do not assign a source port of a mirroring group to the remote probe VLAN of the mirroring group. • For port mirroring to operate correctly, do not configure an EVB-enabled port as a source port. For more information about EVB, see EVB Configuration Guide. •...
  • Page 238 • Configure the reflector port for the remote source group in system view. • Assign a port to the remote source group as the reflector port in interface view. When you configure the reflector port for a remote source group, follow these restrictions and guidelines: •...
  • Page 239: Configuring Layer 3 Remote Port Mirroring

    • A port of an existing mirroring group cannot be configured as an egress port.
    Configuring the egress port for a remote source group in system view
    Step: Enter system view.
    Command: system-view
    Step: Configure the egress port for...
    Command: mirroring-group group-id monitor-egress interface-type...
    Remarks: By default, no egress port is configured for a remote source...
  • Page 240: Layer 3 Remote Port Mirroring Configuration Task List

    On the destination device, perform the following tasks:
    • Configure the physical interface corresponding to the tunnel interface as the source port.
    • Configure the port that connects the data monitoring device as the monitor port.
    Layer 3 remote port mirroring configuration task list
    Tasks at a glance
    (Required.) Configuring the source device: Configuring local mirroring groups...
  • Page 241: Configuring Source Cpus For A Local Mirroring Group

    To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
    Configuration restrictions and guidelines
    When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
    • A mirroring group can contain multiple source ports.
    •...
  • Page 242: Configuring The Monitor Port For A Local Mirroring Group

    Step: Configure source CPUs for a local mirroring group.
    Command:
    • In standalone mode: mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound }
    • In IRF mode:...
    Remarks: By default, no source CPU is configured for a local...
  • Page 243: Port Mirroring Configuration Examples

    Task: Display mirroring group information.
    Command: display mirroring-group { group-id | all | local | remote-destination | remote-source }
    Port mirroring configuration examples
    Local port mirroring configuration example (in source port mode)
    Network requirements
    As shown in Figure 64, configure local port mirroring in source port mode to enable the server to monitor the bidirectional traffic of the Marketing department and the Technical department.
  • Page 244: Local Port Mirroring Configuration Example (In Source Cpu Mode)

    [Device] display mirroring-group all
    Mirroring group 1:
        Type: Local
        Status: Active
        Mirroring port:
            GigabitEthernet1/0/1  Both
            GigabitEthernet1/0/2  Both
        Monitor port: GigabitEthernet1/0/3
    Local port mirroring configuration example (in source CPU mode)
    Network requirements
    As shown in Figure 65, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are located on the card in slot 1.
  • Page 245: Layer 2 Remote Port Mirroring Configuration Example (Reflector Port Configurable)

    [Device-GigabitEthernet1/0/3] quit
    Verifying the configuration
    # Verify the mirroring group configuration.
    [Device] display mirroring-group all
    Mirroring group 1:
        Type: Local
        Status: Active
        Mirroring CPU:
            Slot 1  Both
        Monitor port: GigabitEthernet1/0/3
    Layer 2 remote port mirroring configuration example (reflector port configurable)
    Network requirements
    As shown in Figure...
  • Page 246
    # Configure VLAN 2 as the remote probe VLAN for the mirroring group.
    [DeviceC] mirroring-group 2 remote-probe vlan 2
    # Configure GigabitEthernet 1/0/2 as the monitor port for the mirroring group.
    [DeviceC] interface gigabitethernet 1/0/2
    [DeviceC-GigabitEthernet1/0/2] mirroring-group 2 monitor-port
    # Disable the spanning tree feature on GigabitEthernet 1/0/2.
    [DeviceC-GigabitEthernet1/0/2] undo stp enable
    # Assign GigabitEthernet 1/0/2 to VLAN 2.
  • Page 247: Layer 2 Remote Port Mirroring Configuration Example (With Egress Port)

    [DeviceA-GigabitEthernet1/0/2] quit
    Verifying the configuration
    # Verify the mirroring group configuration on Device C.
    [DeviceC] display mirroring-group all
    Mirroring group 2:
        Type: Remote destination
        Status: Active
        Monitor port: GigabitEthernet1/0/2
        Remote probe VLAN: 2
    # Verify the mirroring group configuration on Device A.
    [DeviceA] display mirroring-group all
    Mirroring group 1:
        Type: Remote source...
  • Page 248
    [DeviceC-GigabitEthernet1/0/1] quit
    # Create a remote destination group.
    [DeviceC] mirroring-group 2 remote-destination
    # Create VLAN 2.
    [DeviceC] vlan 2
    # Disable MAC address learning for VLAN 2.
    [DeviceC-vlan2] undo mac-address mac-learning enable
    [DeviceC-vlan2] quit
    # Configure VLAN 2 as the remote probe VLAN for the mirroring group.
    [DeviceC] mirroring-group 2 remote-probe vlan 2
    # Configure GigabitEthernet 1/0/2 as the monitor port for the mirroring group.
  • Page 249: Layer 3 Remote Port Mirroring Configuration Example

    [DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 both
    # Configure GigabitEthernet 1/0/2 as the egress port for the mirroring group.
    [DeviceA] mirroring-group 1 monitor-egress gigabitethernet 1/0/2
    # Configure port GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] port link-type trunk
    [DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 2...
  • Page 250
    Configuration procedure
    Configure IP addresses for the tunnel interfaces and related ports on the devices. (Details not shown.)
    Configure Device A (the source device):
    # Create a service loopback group 1 and specify the unicast tunnel service for the group.
    <DeviceA>...
  • Page 251
    [DeviceC-GigabitEthernet1/0/3] port service-loopback group 1
    All configurations on the interface will be lost. Continue?[Y/N]:y
    [DeviceC-GigabitEthernet1/0/3] quit
    # Create tunnel interface Tunnel 1 that operates in GRE mode, and configure an IP address and subnet mask for the interface.
    [DeviceC] interface tunnel 1 mode gre
    [DeviceC-Tunnel1] ip address 50.1.1.2 24
    # Configure source and destination IP addresses for Tunnel 1.
  • Page 252: Configuring Flow Mirroring

    Configuring flow mirroring
    Flow mirroring copies packets matching a class to a destination for packet analyzing and monitoring. It is implemented through QoS policies.
    To configure flow mirroring, perform the following tasks:
    • Define traffic classes and configure match criteria to classify packets to be mirrored. Flow mirroring allows you to flexibly classify packets to be analyzed by defining match criteria.
  • Page 253: Configuring A Qos Policy

    Step: Enter system view.
    Command: system-view
    Step: Create a traffic behavior and enter traffic behavior view.
    Command: traffic behavior behavior-name
    Remarks: By default, no traffic behavior exists.
    Step: Configure a mirroring action for the traffic behavior.
    Command:
    • Mirror traffic to an interface: mirror-to interface interface-type interface-number...
    Remarks: By default, no mirroring action is...
  • Page 254: Applying A Qos Policy Globally

    Step: Enter system view.
    Command: system-view
    Step: Apply a QoS policy to a VLAN.
    Command: qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
    Applying a QoS policy globally
    You can apply a QoS policy globally to mirror the traffic in the specified direction on all ports.
    To apply a QoS policy globally:
    Step Command...
  • Page 255: Configuration Procedure

    Figure 69 Network diagram (labels: Internet, Device A, GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, Marketing Dept. 192.168.1.0/24, Technical Dept. 192.168.2.0/24, Host A, Host B, Host C, Host D, Server)
    Configuration procedure
    # Create working hour range work, in which working hours are from 8:00 to 18:00 on weekdays.
    <DeviceA>...
  • Page 256: Verifying The Configuration

    Verifying the configuration
    # Verify that the server can monitor the following traffic:
    • All traffic sent by the Technical department to access the Internet.
    • IP traffic that the Technical department sends to the Marketing department during working hours on weekdays.
    (Details not shown.)
  • Page 257: Configuring Netstream

    The NDA can collect data from multiple NSCs. Typically, the NDA features a Web-based system for easy operation. NSC and NDA are typically integrated into a NetStream server. HPE network devices act as NDEs in the NetStream system. This document focuses on NDE configuration.
  • Page 258: Flow Aging

    Figure 70 NetStream system Flow aging NetStream uses flow aging to enable the NDE to export NetStream data to NetStream servers. NetStream creates a NetStream entry for each flow for storing the flow statistics in the cache. When a flow is aged out, the NDE performs the following operations: •...
  • Page 259 destination port, but with different source addresses. In the aggregation mode, only one NetStream aggregation entry is created and sent to NetStream servers. Table 16 NetStream aggregation modes Aggregation mode Aggregation criteria • Protocol number • Source port Protocol-port aggregation •...
  • Page 260: Netstream Filtering

    Aggregation mode Aggregation criteria • • Source AS number • Source prefix • Source address mask length • Destination AS number ToS-prefix aggregation • Destination address mask length • Destination prefix • Inbound interface index • Outbound interface index • •...
  • Page 261: Protocols And Standards

    Protocols and standards
    RFC 5101, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information
    Feature and hardware compatibility
    The NetStream feature is available on the following interface modules:
    • EA, EB, and EC.
    •...
  • Page 262: Enabling Netstream On An Interface

    Figure 71 NetStream configuration flow (flowchart: Start; Enable NetStream; Filter? Configure NetStream filtering; Sample? Configure NetStream sampling; Configure export format; Configure flow aging; Aggregate? Configure aggregation data export; Traditional data export? Configure traditional data export)
    To configure NetStream, perform the following tasks:
    Tasks at a glance
    (Required.) Enabling NetStream on an interface...
  • Page 263: Configuring Netstream Filtering

    Step: Enable NetStream on the interface.
    Command: ip netstream { inbound | outbound }
    Remarks: By default, NetStream is disabled on an interface.
    Configuring NetStream filtering
    When NetStream filtering and sampling are both configured, packets are filtered first, and then the permitted packets are sampled.
  • Page 264 • origin-as—Specifies the source AS of the source address and the destination AS of the destination address. • peer-as—Specifies the ASs before and after the AS where the NetStream device resides as the source AS and the destination AS, respectively. For example, as shown in Figure 72, a flow starts at AS 20, passes AS 21 through AS 23, and then...
  • Page 265: Configuring The Refresh Rate For Netstream Version 9 Or Version 10 Template

    Configuring the refresh rate for NetStream version 9 or version 10 template Version 9 and version 10 are template-based and support user-defined formats. A NetStream device must send the template to NetStream servers regularly, because the servers do not permanently save the templates.
  • Page 266: Configuring The Netstream Data Export

    Step: (Optional.) Configure periodical aging.
    Command:
    • Set the aging timer for active flows: ip netstream timeout active minutes
    • Set the aging timer for inactive flows: ip netstream timeout...
    Remarks: By default:
    • The aging timer for active flows is 5 minutes.
    • The aging timer for inactive flows is 300...
  • Page 267: Displaying And Maintaining Netstream

    configurations in NetStream aggregation mode view are not provided, the configurations in system view apply to the NetStream aggregation data export.
    • If the version 5 format is configured to export NetStream data, NetStream aggregation data export uses the version 8 format.
    Configuration procedure
    To configure the NetStream aggregation data export:
    Step...
  • Page 268: Netstream Configuration Examples

    Task: (In IRF mode.) Display NetStream entry information.
    Command: display ip netstream cache [ verbose ] [ type { ip | ipl2 | l2 | mpls [ label-position1 label-value1 [ label-position2 label-value2 [ label-position3 label-value3 ] ] ] } ] [ destination destination-ip |...
  • Page 269
    [SwitchA-GigabitEthernet1/0/2] ip netstream outbound
    [SwitchA-GigabitEthernet1/0/2] quit
    # Specify 12.110.2.2 as the IP address of the destination host and UDP port 5000 as the export destination port number.
    [SwitchA] ip netstream export host 12.110.2.2 5000
    Verifying the configuration
    # Display NetStream entry information.
    [SwitchA] display ip netstream cache
    IP NetStream cache information:
    Active flow timeout...
  • Page 270: Netstream Aggregation Data Export Configuration Example

    Version 9 exported flow number : 10
    Version 9 exported UDP datagrams number (failed): 10 (0)
    L2 export information:
    Flow source interface : Not specified
    Flow destination VPN instance : Not specified
    Flow destination IP address (UDP) : 12.110.2.2 (5000)
    Version 9 exported flow number
    Version 9 exported UDP datagram number (failed) : 0 (0)
    NetStream aggregation data export configuration example...
  • Page 271
    # Specify 4.1.1.1 as the IP address of the destination host and UDP port 5000 as the export destination port number.
    [SwitchA] ip netstream export host 4.1.1.1 5000
    # Set the aggregation mode to protocol-port, and specify the destination host for the aggregation data export....
  • Page 272 576 1024 1536 2048 2560 3072 3584 4096 4608 >4608 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 Protocol Total Packets Flows Packets Active(sec) Idle(sec) Flows /sec /sec /flow /flow /flow --------------------------------------------------------------------------- Type DstIP(Port) SrcIP(Port) Pro ToS If(Direct) Pkts DstMAC(VLAN) SrcMAC(VLAN)
  • Page 273
    Version 8 exported UDP datagrams number (failed): 2 (0)
    Version 9 exported flow number
    Version 9 exported UDP datagrams number (failed): 0 (0)
    IP export information:
    Flow source interface : Not specified
    Flow destination VPN instance : Not specified
    Flow destination IP address (UDP) : 4.1.1.1 (5000)
    Version 5 exported flow number : 10...
  • Page 274: Configuring Ipv6 Netstream

    The NDA can collect data from multiple NSCs. Typically, the NDA features a Web-based system for easy operation. NSC and NDA are typically integrated into a NetStream server. HPE network devices act as NDEs in the IPv6 NetStream system. This document focuses on NDE configuration.
  • Page 275: Flow Aging

    Figure 75 IPv6 NetStream system Flow aging IPv6 NetStream uses flow aging to enable the NDE to export IPv6 NetStream data to NetStream servers. IPv6 NetStream creates an IPv6 NetStream entry for each flow for storing the flow statistics in the cache. When a flow is aged out, the NDE does the following operations: •...
  • Page 276: Protocols And Standards

    Table 17 IPv6 NetStream aggregation modes
    Aggregation mode: Protocol-port aggregation
    Aggregation criteria:
    • Protocol number
    • Source port
    • Destination port
    Aggregation mode: Source-prefix aggregation
    Aggregation criteria:
    • Source AS number
    • Source mask
    • Source prefix (source network address)
    • Input interface index
    •...
  • Page 277: Ipv6 Netstream Configuration Task List

    IPv6 NetStream configuration task list
    When you configure IPv6 NetStream, choose the following configurations as needed:
    • Select the device on which you want to enable IPv6 NetStream.
    • If multiple service flows are passing through the NDE, use an ACL to select the target data.
    •...
  • Page 278: Enabling Ipv6 Netstream On An Interface

    Enabling IPv6 NetStream on an interface
    Step: Enter system view.
    Command: system-view
    Step: Enter interface view.
    Command: interface interface-type interface-number
    Step: Enable IPv6 NetStream on the interface.
    Command: ipv6 netstream { inbound | outbound }
    Remarks: By default, IPv6 NetStream is disabled on an interface.
    Configuring attributes of the IPv6 NetStream data export
    Configuring the IPv6 NetStream data export format...
  • Page 279: Configuring The Refresh Rate For Ipv6 Netstream Version 9 Or Version 10 Template

    To configure the IPv6 NetStream data export format:
    Step: Enter system view.
    Command: system-view
    Step: Configure the IPv6 NetStream data export...
    Command:
    • Configure the version 9 format: ipv6 netstream export version 9 { origin-as | peer-as } [ bgp-nexthop ]...
    Remarks: By default:
    • The version 9 format is used to export IPv6 NetStream...
  • Page 280: Configuration Procedure

    The statistics of the flow are sent to NetStream servers and are cleared in the cache. The statistics can no longer be displayed by using the display ipv6 netstream cache command.
    When you use the inactive flow aging method, the cache is large enough for new flow entries.
    •...
  • Page 281: Configuring The Ipv6 Netstream Aggregation Data Export

    Step: (Optional.) Specify the source interface for IPv6...
    Command: ipv6 netstream export source...
    Remarks: By default, no source interface is specified for IPv6 NetStream data packets. The packets take the IPv6 address of the output interface as the source IPv6 address....
  • Page 282: Displaying And Maintaining Ipv6 Netstream

    Step: Specify a destination host for IPv6 NetStream aggregation data export.
    Command: ipv6 netstream export host { ipv4-address | ipv6-address } udp-port [ vpn-instance vpn-instance-name ]
    Remarks: By default, no destination host is specified. If you expect only IPv6 NetStream aggregation data, specify the destination host only in the related IPv6 NetStream aggregation mode view.
  • Page 283: Ipv6 Netstream Configuration Examples

    IPv6 NetStream configuration examples
    IPv6 NetStream traditional data export configuration example
    Network requirements
    As shown in Figure 78, configure NetStream on Switch A to collect statistics on packets passing through Switch A.
    • Enable NetStream for incoming and outgoing traffic on GigabitEthernet 1/0/1.
    •...
  • Page 284: Ipv6 Netstream Aggregation Data Export Configuration Example

    1-32 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 576 1024 1536 2048 2560 3072 3584 4096 4608 >4608 .000 .000 .000 .000 .027 .000 .000 .000 .000 .000 .000 .000 Protocol Total Packets Flows Packets Active(sec) Idle(sec) Flows /sec...
  • Page 285
    Figure 79 Network diagram (labels: Switch A, AS 100, GE1/0/1 10::1/64, GE1/0/2 40::2/64, Network, IPv6 NetStream server 40::1/64)
    Configuration procedure
    # Assign an IPv6 address to each interface, as shown in Figure 79. (Details not shown.)
    # Configure GigabitEthernet 1/0/1 to operate in Layer 3 mode.
    <SwitchA>...
  • Page 286
    [SwitchA-ns6-aggregation-prefix] enable
    [SwitchA-ns6-aggregation-prefix] ipv6 netstream export host 40::1 7000
    [SwitchA-ns6-aggregation-prefix] quit
    Verifying the configuration
    # Display information about the IPv6 NetStream data export.
    [SwitchA] display ipv6 netstream export
    protocol-port aggregation export information:
    Flow source interface : Not specified
    Flow destination VPN instance : Not specified
    Flow destination IP address (UDP) : 40::1 (3000)
  • Page 287: Configuring Sflow

    Configuring sFlow sFlow is a traffic monitoring technology. As shown in Figure 80, the sFlow system involves an sFlow agent embedded in a device and a remote sFlow collector. The sFlow agent collects interface counter information and packet information and encapsulates the sampled information in sFlow packets. When the sFlow packet buffer is full, or the aging timer (fixed to 1 second) expires, the sFlow agent performs the following actions: •...
  • Page 288: Configuring The Sflow Agent And Sflow Collector Information

    Tasks at a glance
    Perform at least one of the following tasks:
    • Configuring flow sampling
    • Configuring counter sampling
    Configuring the sFlow agent and sFlow collector information
    Step Command Remarks Enter system view. system-view By default, no IP address is configured for the sFlow agent.
  • Page 289: Configuring Counter Sampling

    Step: Enter Layer 2 Ethernet interface view or Layer 3 Ethernet interface view.
    Command: interface interface-type interface-number
    Step: (Optional.) Set the flow sampling mode.
    Command: sflow sampling-mode { determine | random }
    Remarks: By default, random sampling is used. The determine keyword is not supported in the current software version.
  • Page 290: Sflow Configuration Example

    Task: Display sFlow configuration.
    Command: display sflow
    sFlow configuration example
    Network requirements
    As shown in Figure 81, perform the following tasks:
    • Configure flow sampling in random mode and counter sampling on GigabitEthernet 1/0/1 of the device to monitor traffic on the port.
    •...
  • Page 291: Verifying The Configurations

    [Device-GigabitEthernet1/0/1] sflow sampling-rate 4000
    # Specify sFlow collector 1 for flow sampling.
    [Device-GigabitEthernet1/0/1] sflow flow collector 1
    Verifying the configurations
    # Verify the following items:
    • GigabitEthernet 1/0/1 enabled with sFlow is active.
    • The counter sampling interval is 120 seconds.
    •...
  • Page 292
    Use the display sflow command to verify that sFlow is correctly configured.
    Verify that a correct IP address is configured for the device to communicate with the sFlow collector.
    Verify that the physical link between the device and the sFlow collector is up.
    Verify that the VPN bound to the sFlow collector already exists.
  • Page 293: Configuring The Information Center

    Configuring the information center
    The information center on a device classifies and manages logs for all modules so that network administrators can monitor network performance and troubleshoot network problems.
    Overview
    The information center receives logs generated by source modules and outputs logs to different destinations according to user-defined output rules.
  • Page 294: Log Destinations

    Severity value, Level, Description
    Level: Error
    Description: Error condition. For example, the link state changes.
    Level: Warning
    Description: Warning condition. For example, an interface is disconnected, or the memory resources are used up.
    Level: Notification
    Description: Normal but significant condition. For example, a terminal logs in to the device, or the device reboots.
  • Page 295: Default Output Rules For Hidden Logs

    Table 21 Default output rule for security logs
    Destination: Security log file
    Log source modules: All supported modules
    Output switch: Disabled
    Severity: Debug
    Default output rules for hidden logs
    Hidden logs can be output to the log host, the log buffer, and the log file. Table 22 shows the default output rules for hidden logs.
  • Page 296
    IP address) log. You can use the sysname command to modify the name of the device.
    %% (vendor ID): Indicates that the information was generated by an HPE device. This field exists only in logs sent to the log host.
  • Page 297
    Field, Description
    Module: Specifies the name of the module that generated the log. You can enter the info-center source ? command in system view to view the module list.
    Level: Identifies the level of the log. See Table 18 for more information about severity levels.
  • Page 298: Fips Compliance

    Timestamp parameters, Description, Example
    Timestamp parameter: no-year-date
    Description: Current date and time without year information, in the format of MMM DD hh:mm:ss:xxx. Only logs that are sent to a log host support this parameter.
    Example: <189>May 30 06:44:22 Sysname %%10FTPD/5/FTPD_LOGIN(l): User ftp (192.168.1.23) has logged in successfully.
    May 30 06:44:22 is a timestamp in the...
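The log-host message shown in the timestamp example above can be split into its fields on the collector side. The parser below is an added example, not code from the HPE guide: it decodes the syslog PRI value, checks that the severity in PRI agrees with the level in the message body, and extracts the user and address from an FTPD_LOGIN message. The function names, the assumption that PRI severity equals the body level, and every sample line except the guide's own are constructed for illustration.

```python
"""Parse log-host messages shaped like the FTPD_LOGIN sample in the guide."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity levels 0-7 (standard syslog numbering; names as used for device logs).
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notification", "Informational", "Debugging")

# Layout taken from the sample: <PRI>timestamp sysname %%vvMODULE/level/MNEMONIC(l): content
LOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>.+?) "               # lazy: stops before sysname and the %% marker
    r"(?P<sysname>\S+) "
    r"%%(?P<version>\d{2})"              # %% vendor ID, then two digits (10 in the sample)
    r"(?P<module>[A-Za-z][A-Za-z0-9_]*)/(?P<level>[0-7])/(?P<mnemonic>[A-Za-z0-9_]+)"
    r"(?:\([a-z]\))?: "                  # optional one-letter marker, "(l)" in the sample
    r"(?P<content>.*)$"
)
LOGIN_RE = re.compile(
    r"^User (?P<user>\S+) \((?P<ip>[^)]+)\) has logged in successfully\.$")

# First line is the guide's sample; the others are constructed test inputs.
PAGE_SAMPLE = ("<189>May 30 06:44:22 Sysname %%10FTPD/5/FTPD_LOGIN(l): "
               "User ftp (192.168.1.23) has logged in successfully.")
MISMATCH_SAMPLE = PAGE_SAMPLE.replace("<189>", "<190>")   # PRI severity 6, body level 5
NO_VENDOR_SAMPLE = PAGE_SAMPLE.replace("%%10", "")        # vendor ID field missing
BAD_IP_SAMPLE = PAGE_SAMPLE.replace("192.168.1.23", "192.168.1.999")


@dataclass
class DeviceLog:
    facility: int        # PRI // 8 (23 is local7)
    pri_severity: int    # PRI % 8
    timestamp: str
    sysname: str
    version: str
    module: str
    level: int           # severity level written in the message body
    mnemonic: str
    content: str

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.level]

    @property
    def consistent(self) -> bool:
        # Assumption: the device derives PRI severity from the body level.
        return self.pri_severity == self.level


def parse_log(line: str) -> Optional[DeviceLog]:
    """Return the parsed fields, or None if the line does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:                        # highest valid syslog PRI is 23 * 8 + 7
        return None
    return DeviceLog(pri // 8, pri % 8, m["timestamp"], m["sysname"], m["version"],
                     m["module"], int(m["level"]), m["mnemonic"], m["content"])


def ftp_login(log: DeviceLog) -> Optional[Tuple[str, str]]:
    """Return (user, source address) for a well-formed FTPD_LOGIN message."""
    if (log.module, log.mnemonic) != ("FTPD", "FTPD_LOGIN"):
        return None
    m = LOGIN_RE.match(log.content)
    if m is None:
        return None
    try:
        addr = ipaddress.ip_address(m["ip"])   # reject malformed addresses
    except ValueError:
        return None
    return m["user"], str(addr)


def triage(lines: List[str]) -> List[str]:
    """Label each line as 'unparsed', 'pri-mismatch', 'login' or 'other'."""
    labels = []
    for line in lines:
        log = parse_log(line)
        if log is None:
            labels.append("unparsed")
        elif not log.consistent:
            labels.append("pri-mismatch")
        elif ftp_login(log) is not None:
            labels.append("login")
        else:
            labels.append("other")
    return labels


if __name__ == "__main__":
    samples = [PAGE_SAMPLE, MISMATCH_SAMPLE, NO_VENDOR_SAMPLE, BAD_IP_SAMPLE]
    for label, line in zip(triage(samples), samples):
        print(f"{label:13s} {line}")
```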
  • Page 299: Outputting Logs To The Monitor Terminal

    Step: Configure an output rule for the console.
    Command: info-center source { module-name | default } { console | monitor | logbuffer | logfile | loghost } { deny | level...
    Remarks: For information about default output rules, see "Default output rules for logs."...
  • Page 300: Outputting Logs To Log Hosts

    Outputting logs to log hosts
    Step: Enter system view.
    Command: system-view
    Step: Enable the information center.
    Command: info-center enable
    Remarks: By default, the information center is enabled.
    Step: Configure an output rule...
    Command: info-center source { module-name | default } { console | monitor | logbuffer |...
    Remarks: For information about default output rules, see "Default output rules for...
  • Page 301: Saving Logs To The Log File

    Saving logs to the log file By default, the log file feature saves logs from the log file buffer to the log file every 24 hours. You can adjust the saving interval or manually save logs to the log file. After saving logs to the log file, the system clears the log file buffer.
  • Page 302: Managing Security Logs

    Managing security logs Security logs are very important for locating and troubleshooting network problems. Generally, security logs are output together with other logs. It is difficult to identify security logs among all logs. To solve this problem, you can save security logs to the security log file without affecting the current log output rules.
  • Page 303: Saving Diagnostic Logs To The Diagnostic Log File

    Task: Change the directory of the security log file.
    Command:
    system-view
    info-center security-logfile directory...
    Remarks: By default, the security log file is saved in the seclog directory in the root directory of the storage device. (In standalone mode.) This command cannot survive a reboot or an active/standby switchover....
  • Page 304: Configuring The Maximum Size Of The Trace Log File

    Step: (Optional.) Specify the directory to save the diagnostic log file.
    Command: info-center diagnostic-logfile directory dir-name
    Remarks: By default, the diagnostic log file is saved in the diagfile directory under the root directory of the storage device. (In standalone mode.) This command cannot survive a reboot...
  • Page 305: Log Files

    Log files By default, when the last log file is full, the device locates the oldest compressed log file logfileX.log.gz and creates a new file using the same name (logfileX.log). After the minimum storage period is set, the system identifies the storage period of the compressed log file before creating a new log file with the same name.
  • Page 306: Configuring Log Suppression For A Module

    • Outputs the suppressed log and the number of times the log is suppressed.
    • Outputs the different log and starts a suppression period for that log.
    To enable duplicate log suppression:
    Step Command Remarks Enter system view. system-view Enable duplicate log info-center logging suppress By default, duplicate log suppression....
  • Page 307: Enabling Snmp Notifications For System Logs

    Enabling SNMP notifications for system logs This feature enables the device to send an SNMP notification for each log message it outputs. The device encapsulates the logs in SNMP notifications and then sends them to the SNMP module and the log trap buffer. You can configure the SNMP module to send received SNMP notifications in SNMP traps or informs to remote hosts.
  • Page 308: Configuration Example For Outputting Logs To A Unix Log Host

    Figure 83 Network diagram (Console, Device)
    Configuration procedure
    # Enable the information center.
    <Device> system-view
    [Device] info-center enable
    # Disable log output to the console.
    [Device] info-center source default console deny
    To avoid output of unnecessary information, disable all modules from outputting log information to the specified destination (console in this example) before you configure the output rule.
  • Page 309: Configuration Example For Outputting Logs To A Linux Log Host

    To avoid output of unnecessary information, disable all modules from outputting logs to the specified destination (loghost in this example) before you configure an output rule. # Configure an output rule to output to the log host FTP logs that have a severity level of at least informational.
  • Page 310 Configuration procedure Before the configuration, make sure the device and the log host can reach each other. (Details not shown.) Configure the device:
    # Enable the information center.
    <Device> system-view
    [Device] info-center enable
    # Specify the log host 1.2.0.1/16, and specify local5 as the logging facility.
    [Device] info-center loghost 1.2.0.1 facility local5
    # Disable log output to the log host.
  • Page 311 Now, the system can record log information to the specified file.
  • Page 312: Configuring Gold

    Configuring GOLD Generic Online Diagnostics (GOLD) performs the following operations: • Runs diagnostic tests on a device to inspect device ports, RAM, chip, connectivity, forwarding paths, and control paths for hardware faults. • Reports the problems to the system. The device supports only monitoring diagnostics. Monitoring diagnostics run diagnostic tests periodically when the system is in operation and record test results.
  • Page 313: Simulating Test Results

    Step: Set the execution interval.
    Command: diagnostic monitor interval chassis chassis-number slot slot-number-list [ test test-name ] time interval
    Remarks: By default, the settings for this command vary by test. Use the display diagnostic content command to view the execution interval for a test.
  • Page 314: Gold Configuration Example

    Task: Display test results.
    Command: display diagnostic result [ slot slot-number [ test test-name ] ] [ verbose ]
    Task: Display statistics for packet-related tests.
    Command: display diagnostic result [ slot slot-number [ test test-name ] ] statistics
    Task: Display configurations for simulated tests.
    Command: display diagnostic simulation [ slot slot-number ]
    Task: Clear GOLD logs.
    Command: reset diagnostic event-log
  • Page 315: Verifying The Configuration

    Test interval : 00:00:10
    Min interval : 00:00:10
    Correct-action : -NA-
    Description : A Real-time test, disabled by default that checks link status between ports.
    # Enable test HGMonitor on slot 1.
    <Sysname> system-view
    [Sysname] diagnostic monitor enable slot 1 test HGMonitor
    # Set the execution interval to 1 minute.
  • Page 316: Configuring The Packet Capture

    Configuring the packet capture Overview The packet capture feature captures incoming packets that are to be forwarded in CPU. The feature displays the captured packets in real time, and allows you to save the captured packets to a .pcap file for future analysis.
  • Page 317 • Relational operators—Indicate the relation between keyword strings. For example, the = operator indicates equality. This document provides basic information about these elements. For more information about capture and display filters, go to the following websites: • http://wiki.wireshark.org/CaptureFilters. • http://wiki.wireshark.org/DisplayFilters. Capture filter keywords Table 28 Table 29...
  • Page 318 NOTE: The broadcast, multicast, and all protocol qualifiers cannot modify variables.
    Table 29 Variable types for capture filters
    Variable type: Integer
    Description: Represented in binary, octal, decimal, or hexadecimal notation.
    Examples: The port 23 expression matches traffic sent to or from port number 23.
  • Page 319 Table 31 Arithmetic operators for capture filters Nonalphanumeric Description symbol Adds two values. Subtracts one value from another. Multiplies one value by another. Divides one value by another. Returns the result of the bitwise AND operation on two integral values in binary &...
  • Page 320 Table 33 Qualifiers for display filters
    Category: Protocol
    Description: Matches a protocol.
    Examples: • eth—Matches Ethernet. • ftp—Matches FTP. • http—Matches HTTP. • icmp—Matches ICMP. • ip—Matches IPv4. • ipv6—Matches IPv6. • tcp—Matches TCP. • telnet—Matches Telnet. • udp—Matches UDP. •...
  • Page 321
    Variable type: IPv6 address
    Description: Represented in colon hexadecimal notation. For example: • To display IPv6 packets that are sent to or from 1::1, use ipv6.addr==1::1. • To display IPv6 packets that are sent to or from 1::/64, use ipv6.addr==1::/64.
    Character string.
  • Page 322: Building A Capture Filter

    Nonalphanumeric symbol: >=
    Alphanumeric symbol: ge
    Description: Greater than or equal to. For example, frame.len ge 0x100 displays frames with a length greater than or equal to 256 bytes.
    Nonalphanumeric symbol: <=
    Alphanumeric symbol: le
    Description: Less than or equal to. For example, frame.len le 0x100 displays frames with a length less than or equal to 256 bytes.
  • Page 323: Building A Display Filter

    This type of expression contains the vlan vlan_id keywords and logical operators. The vlan_id variable is an integer that specifies a VLAN ID. For example, vlan 1 and ip6 captures IPv6 packets in VLAN 1. To capture 802.1Q tagged traffic, you must use the vlan vlan_id expression prior to any other expressions.
  • Page 324: Packet Capture Configuration Task List

    • Interfaces on an LSUM1TGS48SG0 (JH197A, JH205A) interface module do not support packet capture.
    Packet capture configuration task list
    Tasks at a glance (Remarks: Perform one of the tasks.)
    • Configuring local packet capture
    • Configuring remote packet capture
    • Configuring feature image-based packet capture
    Configuring local packet capture
    To display the captured packets on the local device, use the packet-capture read command.
  • Page 325: Configuring Feature Image-Based Packet Capture

    Figure 86 Configuring Wireshark capture options Configuring feature image-based packet capture IMPORTANT: To capture or display desired packets, make sure the filter expressions do not conflict. The system does not check for logic errors. Feature image-based packet capture captures only packets that are forwarded through CPU. To capture packets that are forwarded through chips, you must configure flow mirroring to mirror packets to the CPU.
  • Page 326: Displaying The Contents In A Packet File

    Task: Capture incoming packets on an interface.
    Command:
    • Save captured packets to a file: packet-capture interface interface-type interface-number [ capture-filter capt-expression | limit-captured-frames limit | limit-frame-size bytes | autostop filesize kilobytes | autostop duration seconds | autostop files numbers | capture-ring-buffer filesize kilobytes | capture-ring-buffer duration seconds | capture-ring-buffer files numbers ] * write filepath [ raw | { brief |...
  • Page 327: Feature Image-Based Packet Capture Configuration Example

    Figure 87 Network diagram (Switch, GE1/0/1 10.1.1.1/24, Wireshark client)
    Configuration procedure
    Configure remote packet capture on GigabitEthernet 1/0/1. Set the RPCAP service port number to 2014.
    <Switch> packet-capture remote interface gigabitethernet 1/0/1 port 2014
    Display captured packets on the PC: a.
  • Page 328 Figure 89 Network diagram (Switch A, GE1/0/1)
    Configuration procedure
    # Create an IPv4 advanced ACL to match packets that are sourced from 192.168.56.1 0.
    <SwitchA> system-view
    [SwitchA] acl advanced 3000
    [SwitchA-acl-ipv4-adv-3000] rule permit ip source 192.168.56.1 0
    [SwitchA-acl-ipv4-adv-3000] quit
    # Configure a traffic behavior to mirror traffic to the CPU.
  • Page 329: Packet File Display Configuration Example

    k=440 Win=65096 Len=0
    10 packets captured
    Packet file display configuration example
    Network requirements
    As shown in Figure
    • Capture 10 incoming packets on GigabitEthernet 1/0/1 and save the packets to a packet file.
    • Display contents in the file.
    Figure 90 Network diagram...
  • Page 330: Configuring Vcf Fabric

    Configuring VCF fabric Overview IT infrastructure, which contains clouds, networks, and terminal devices, is undergoing a deep transformation. The IT infrastructure is migrating to the cloud with the aims of implementing the elastic expansion of computing resources and providing IT services on demand. In this context, Hewlett Packard Enterprise developed the Virtual Converged Framework (VCF) solution.
  • Page 331: Neutron Concepts And Components

    Figure 92 VCF fabric topology for a campus network (nodes shown: Spine, Border, Leaf, Access; VXLAN/VLAN)
    Neutron concepts and components
    Neutron is a component in OpenStack architecture. It provides networking services for VMs, manages virtual network resources (including networks, subnets, DHCP, virtual routers), and creates an isolated virtual network for each tenant.
  • Page 332: Neutron Deployment

    Controller node:
    • Neutron server
    • Neutron DB
    • Message server (such as RabbitMQ server)
    • HPE ML2 Driver (For more information about HPE ML2 Driver, see HPE Neutron ML2 Driver Installation Guide.)
    Network node:
    • neutron-openvswitch-agent
    • neutron-dhcp-agent
    •...
  • Page 333: Automated Vcf Fabric Provisioning And Deployment

    Figure 93 Example of Neutron deployment for centralized gateway deployment...
  • Page 334: Topology Discovery

    • Automated underlay network provisioning. • Automated overlay network deployment. Topology discovery In a VCF fabric, each device uses LLDP to collect local topology information from directly-connected peer devices. The local topology information includes connection interfaces, roles, MAC addresses, and management interface addresses of the peer devices. If multiple spine nodes exist in a VCF fabric, a master spine node is specified to collect the topology for the entire network.
  • Page 335 • If the two SN codes are the same, the device uses the device role and system description in the tag file. • If the two SN codes are different, the device does not use the device role and system description.
  • Page 336: Automated Overlay Network Deployment

    • Static configurations—Static configurations are independent from the VCF fabric topology and can be directly executed. The following are examples of static configurations:
    #STATICCFG
    clock timezone newyork add 08:00:00
    lldp global enable
    stp global enable
    • Dynamic configurations—Dynamic configurations are dependent on the VCF fabric topology. The device first obtains the topology information and then executes dynamic configurations.
  • Page 337: Vcf Fabric Configuration Task List

    VCF fabric configuration task list
    Tasks at a glance:
    • (Required.) Enabling VCF fabric topology discovery
    • (Optional.) Configuring automated underlay network provisioning
    • (Optional.) Configuring automated overlay network deployment
    Enabling VCF fabric topology discovery
    Configuration restrictions and guidelines
    VCF fabric topology discovery can be automatically enabled by executing configurations in the template file or be manually enabled at the CLI.
  • Page 338: Configuration Procedure

    Configuration procedure
    Step: Enter system view.
    Command: system-view
    Step: (Optional.) Specify the role of the device in the VCF fabric.
    Command: vcf-fabric role { access | leaf | spine }
    Remarks: By default, the role of the device in the VCF fabric is spine.
    Step: Specify the template file for...
    Command: vcf-fabric underlay...
    Remarks: By default, no template file is...
  • Page 339: Configuration Procedure

    Configuration procedure
    Step: Enter system view.
    Command: system-view
    Step: Enable Neutron and enter Neutron view.
    Command: neutron
    Remarks: By default, Neutron is disabled.
    Step: Specify the IPv4 address, port number, and MPLS...
    Command: rabbit host ip ipv4-address [ port port-number ] [ vpn-instance...
    Remarks: By default, no IPv4 address or MPLS L3VPN instance of a RabbitMQ server is specified, and...
  • Page 340: Displaying And Maintaining Vcf Fabric

    Step: 16. (Optional.) Enable local proxy ARP.
    Command: proxy-arp enable
    Remarks: By default, local proxy ARP is disabled.
    Step: 17. (Optional.) Configure the MAC address of VSI interfaces.
    Command: vsi-mac mac-address
    Remarks: By default, no MAC address is configured for VSI interfaces.
    Displaying and maintaining VCF fabric
    Execute display commands in any view.
  • Page 341: Configuration Procedure

    Figure 95 Network diagram (TFTP server, DHCP server, controller node; Device A (spine), IP 10.11.113.51; Device B (leaf), IP 10.11.113.52; Device C (leaf), IP 10.11.113.53; compute node 1 and compute node 2)
    Configuration procedure
    Configuring the DHCP server
    Perform the following tasks on the DHCP server: Configure a DHCP address pool to dynamically assign IP addresses on subnet 10.11.113.0/24 to the devices.
  • Page 342 Configuring the controller node Install OpenStack Neutron related components: a. Install Neutron, Image, Dashboard, Networking, and RabbitMQ. b. Install HPE ML2 Driver. For more information, see HPE Neutron ML2 Driver Installation Guide. c. Configure LLDP. Configure the network as a VXLAN network: Edit the /etc/neutron/plugin/ml2/ml2_conf.ini file as follows:...
  • Page 343: Verifying The Configuration

    Create a network named Network. Create subnets: # Create a subnet named subnet-1 and assign network address range 10.10.1.0/24 to the subnet. (Details not shown.) # Create a subnet named subnet-2, and assign network address range 10.1.1.0/24 to the subnet. (Details not shown.) In this example, VM 1 and VM 2 obtain IP addresses from the DHCP server.
  • Page 344
    ospf 1
    graceful-restart ietf
    area 0.0.0.0
    system
    interface LoopBack0
    system
    ip vpn-instance global
    route-distinguisher 1:1
    vpn-target 1:1 import-extcommunity
    system
    l2vpn enable
    system
    vxlan tunnel mac-learning disable
    vxlan tunnel arp-learning disable
    system
    ntp-service enable
    ntp-service unicast-peer 10.11.113.136
    system
    netconf soap http enable
    netconf soap https enable
    restful http enable
    restful https enable...
  • Page 345
    authentication-mode scheme
    user-role network-admin
    system
    bgp 100
    graceful-restart
    address-family l2vpn evpn
    undo policy vpn-target
    system
    vcf-fabric topology enable
    system
    neutron
    rabbit user openstack
    rabbit password ******
    rabbit host ip 10.11.113.136
    restful user aaa password ******
    network-type centralized-vxlan
    vpn-target 1:1 export-extcommunity
    l2agent enable
    l3agent enable
    system...
  • Page 346
    vpn-target auto export-extcommunity
    vpn-target auto import-extcommunity
    return
    [DeviceA] display current-configuration interface Vsi-interface
    interface Vsi-interface8190
    ip binding vpn-instance neutron-1024
    ip address 11.1.1.1 255.255.255.0 sub
    ip address 10.10.1.1 255.255.255.0 sub
    return
    [DeviceA] display ip vpn-instance
    Total VPN-Instances configured : 1
    VPN-Instance Name Create time
    neutron-1024 1024:1024...
  • Page 347: Configuring Cwmp

    Configuring CWMP Overview CPE WAN Management Protocol (CWMP), also called "TR-069," is a DSL Forum technical specification for remote management of home network devices. The protocol was initially designed to provide remote autoconfiguration through a server for large numbers of dispersed end-user devices in DSL networks. However, it has been increasingly used on other types of networks, including Ethernet, for remote autoconfiguration.
  • Page 348: How Cwmp Works

    • Transfers the configuration file to the CPE, and specifies the file as the next-startup configuration file. At a reboot, the CPE starts up with the ACS-specified configuration file. • Runs the configuration in the CPE's RAM. The configuration takes effect immediately on the CPE.
  • Page 349 Table 38 RPC methods RPC method Description The ACS obtains the values of parameters on the CPE. The ACS modifies the values of parameters on the CPE. The CPE sends an Inform message to the ACS for the following purposes: •...
  • Page 350: Configuration Task List

    Figure 97 CWMP message interaction procedure
    (1) Open TCP connection
    (2) SSL initiation
    (3) HTTP post (Inform)
    (4) HTTP response (Inform response)
    (5) HTTP post (empty)
    (6) HTTP response (GetParameterValues request)
    (7) HTTP post (GetParameterValues response)
    (8) HTTP response (SetParameterValues request)
    (9) HTTP post (SetParameterValues response)
    (10) HTTP response (empty)
    (11) Close connection...
  • Page 351: Enabling Cwmp From The Cli

    You can use DHCP option 43 to assign the ACS URL and ACS login authentication username and password. If the DHCP server is an HPE device, you can configure DHCP option 43 by using the option 43 hex 01length URL username password command.
  • Page 352 • URL—ACS URL. • username—Username for the CPE to authenticate to the ACS. • password—Password for the CPE to authenticate to the ACS. NOTE: The ACS URL, username and password must use the hexadecimal format and be space separated. The following example configures the ACS address as http://169.254.76.31:7547/acs, username as 1234, and password as 5678: <Sysname>...
  • Page 353: Configuring The Default Acs Attributes From The Cli

    Configuring the default ACS attributes from the CLI
    Step: Enter system view.
    Command: system-view
    Step: Enter CWMP view.
    Command: cwmp
    Step: Configure the default ACS URL.
    Command: cwmp acs default url url
    Remarks: By default, no default ACS URL has been configured.
    Step: Configure the username for authentication to the default...
    Command: cwmp acs default username...
    Remarks: By default, no username has been...
  • Page 354: Configuring The Cwmp Connection Interface

    ACS. For information about the support of your ACS for provision codes, see the ACS documentation. To configure the provision code:
    Step: Enter system view.
    Command: system-view
    Step: Enter CWMP view.
    Command: cwmp
    Step: Configure the provision code.
    Command: cwmp cpe provision-code...
    Remarks: The default provision code is...
  • Page 355
    Step: (Optional.) Set the Inform interval.
    Command: cwmp cpe inform interval interval
    Remarks: By default, the CPE sends an Inform message to start a session every 600 seconds.
    Scheduling a connection initiation
    To connect to the ACS for configuration or software update at a scheduled time: Step Command Remarks...
  • Page 356: Enabling Nat Traversal For The Cpe

    Enabling NAT traversal for the CPE For the connection request initiated from the ACS to reach the CPE, you must enable the NAT traversal feature on the CPE when a NAT gateway resides between the CPE and the ACS. The NAT traversal feature complies with RFC 3489 Simple Traversal of UDP Through NATs (STUN). The feature enables the CPE to discover the NAT gateway and obtain an open NAT binding (a public IP address and port binding) through which the ACS can send unsolicited packets.
  • Page 357: Cwmp Configuration Example

    As shown in Figure 98, use HPE IMC BIMS as the ACS to bulk-configure the devices (CPEs), and assign ACS attributes to the CPEs from the DHCP server. The configuration files for the devices in equipment rooms A and B are configure1.cfg and configure2.cfg, respectively.
  • Page 358: Configuration Procedure

    Room Device Serial number
    Device D 210235AOLNH12000017
    Device E 210235AOLNH12000020
    Device F 210235AOLNH12000022
    Configuration procedure
    Configuring the ACS
    Log in to the ACS:
    a. Launch a Web browser on the ACS configuration terminal.
    b. In the address bar of the Web browser, enter the ACS URL and port number. This example uses http://10.185.10.41:8080/imc.
  • Page 359 This example assigns all devices to the same device group, and assigns the devices in two equipment rooms to different device classes. a. Select Service > Resource > Device Group from the top navigation bar. b. Click Add. c. On the Add Device Group page, enter a service group name (for example, DB_1), and then click OK.
  • Page 360 Add the devices as CPEs: a. Select Service > BIMS > Add CPE from the top navigation bar. b. On the Add CPE page, enter or select basic settings for device A, and then click OK. c. Repeat the previous two steps to add other devices. Figure 103 Adding a CPE After the CPE is added successfully, a success message is displayed, as shown in Figure...
  • Page 361 Figure 105 Configuring the system settings of the ACS Add configuration templates and software library entries for the two classes of devices: a. Select Service > BIMS > Configuration Management > Configuration Templates from the navigation tree. Figure 106 Configuring templates page b.
  • Page 362 Figure 107 Importing configuration template After the configuration template is added successfully, a success message is displayed, as shown in Figure 108. Figure 108 Configuration templates e. Select Service > BIMS > Configuration Management > Software Library from the top navigation bar.
  • Page 363 Figure 109 Configuring software library f. On the Software Library page, click Import…. g. On the Import CPE Software page, select the software images for the Device_A device class, add the Device_A class to the Applicable CPEs pane, and then click OK. h.
  • Page 364 Figure 111 Deployment Guide c. On the Auto Deploy Configuration page, click Select Class. Figure 112 Configuring auto deployment d. On the Device Class page, select Device_A, and then click OK.
  • Page 365 A. Configuring the DHCP server In this example, an HPE device is operating as the DHCP server. Configure an IP address pool to assign IP addresses and DNS server address to the CPEs.
  • Page 366: Verifying The Configuration

    # Enable DHCP server on VLAN-interface 1.
    [DHCP_server] interface vlan-interface 1
    [DHCP_server-Vlan-interface1] dhcp select server
    [DHCP_server-Vlan-interface1] quit
    # Exclude the DNS server address 10.185.10.60 and the ACS IP address 10.185.10.41 from dynamic allocation.
    [DHCP_server] dhcp server forbidden-ip 10.185.10.41
    [DHCP_server] dhcp server forbidden-ip 10.185.10.60
    # Create DHCP address pool 0.
  • Page 367: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional.
  • Page 368: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 369: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 370: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 371 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 372: Index

  • Page 396 applying flow mirroring QoS policy (VLAN), configuring GOLD diagnostics (monitoring), configuring GOLD log buffer size, assigning CWMP ACS attribute configuring information center, (preferred)(CLI), configuring information center log output assigning CWMP ACS attribute (console), (preferred)(DHCP server), configuring information center log output (Linux changing NETCONF parameter value, log host), configuration NETCONF module-specific...
  • Page 397 configuring Layer 3 remote port mirroring local configuring NQA client operation (path jitter), mirroring group monitor port, configuring NQA client operation (SNMP), configuring Layer 3 remote port mirroring local configuring NQA client operation (TCP), mirroring group source CPU, configuring NQA client operation (UDP echo), configuring local packet capture, configuring NQA client operation (UDP jitter), configuring local port mirroring,...
  • Page 398 configuring NQA template (TCP), configuring port mirroring remote destination group monitor port, configuring NQA template (UDP), configuring port mirroring remote destination configuring NTP, group on the destination device, configuring NTP access control rights, configuring port mirroring remote destination configuring NTP association mode, group remote probe VLAN, configuring NTP broadcast association mode, configuring port mirroring remote source group...
  • Page 399 creating RMON history control entry, locking NETCONF configuration, 155, 156 creating sampler, maintaining GOLD, debugging feature module, maintaining information center, determining ping address reachability, maintaining IPv6 NetStream, disabling information center interface link maintaining NetStream, up/link down log generation, maintaining PMM, disabling NTP message interface receiving, maintaining PMM kernel threads, maintaining user PMM,...
  • Page 400 saving information center diagnostic logs (log flow mirroring QoS policy, file), flow mirroring QoS policy application, saving information center log (log file), flow mirroring QoS policy application (control saving information center security logs (log plane), file), flow mirroring QoS policy application (global), saving NETCONF configuration, 165, 165, flow mirroring QoS policy application (interface),...
  • Page 401 port mirroring source group, alarm group sample types, port mirroring source group creation, configuration, port mirroring source group egress port, Ethernet statistics entry creation, port mirroring source group reflector port, Ethernet statistics group, port mirroring source group remote probe Ethernet statistics group configuration, VLAN, event group, port mirroring source group source CPU,...
  • Page 402 NTP, CWMP RPC methods, NTP access control rights, NTP authentication, 80, 86 EAA, NTP broadcast mode authentication, EAA configuration, 193, 201 NTP client/server mode authentication, rule NTP multicast mode authentication, information center log default output rules, NTP symmetric active/passive mode authentication, SNMP access control (rule-based), SNTP authentication,...
  • Page 403 troubleshoot, Notification operation, troubleshoot remote collector cannot receive protocol version, packets, SNMPv3 Simple Network Management Protocol. Use basic parameter configuration, SNMP configuration, Simplified NTP. See SNTP Notification operation, simulating notification send, GOLD diagnostic test simulation, protocol version, SNMP SNTP access control mode, authentication, agent, configuration,...
  • Page 404 sampler creation, NETCONF configuration data retrieval (Syslog module), sFlow agent+collector information configuration, system sFlow configuration, 276, 276, 279 default output rules (diagnostic log), default output rules (hidden log), sFlow counter sampling configuration, sFlow flow sampling configuration, default output rules (security log), storage default output rules (trace log), information center log storage period (log...
  • Page 405 table NQA operation triggered action trigger-only, NETCONF data entry retrieval (interface time table), NTP configuration, 76, 82, 97 NTP local clock as reference source, EAA configuration, 193, 201 SNTP configuration, 82, 117, 117, 119 EAA monitor policy configuration, 199, 205 timeout NMM NETCONF session idle timeout time, NQA client operation,...
  • Page 406 sFlow flow sampling configuration, information center log host output configuration, trapping unlocking information center system log SNMP notification, NETCONF configuration, 155, 156 user SNMP notification, triggering PMM Linux user, NQA operation threshold triggered action none, value NQA operation threshold triggered action NETCONF parameter value change, trap-only, variable...
  • Page 407 IPv6 NetStream v9 data export format, IPv6 NetStream v9/v10 template refresh rate, YANG NETCONF YANG file content retrieval, NetStream v10 export format, NetStream v5 export format, NetStream v8 export format, NetStream v9 export format, NetStream v9/v10 template refresh rate, view SNMP access control (view-based), Virtual converged framework.
