ZXR10 ZSR V2
Intelligent Integrated Multi-Service Router
Configuration Guide (System Management)
Version: 2.00.10
ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://ensupport.zte.com.cn
E-mail: [email protected]
LEGAL INFORMATION
Copyright © 2013 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
Revision No.: R1.0
Revision Date: 2014-05-10
Revision Reason: First edition
Serial Number: SJ-20140504150128-007
Publishing Date: 2014-05-10 (R1.0)
SJ-20140504150128-007|2014-05-10 (R1.0) ZTE Proprietary and Confidential
Contents
About This Manual
Chapter 1 Device Connection Management
  1.1 Connecting the ZXR10 ZSR V2 System
  1.2 Configuring Console Port Connection
  1.3 Configuring Telnet Connection
  1.4 Configuring SSH Connection
  1.5 FTP Connection Configuration
    1.5.1 Configuring the ZXR10 ZSR V2 as an FTP Server
    1.5.2 Configuring the ZXR10 ZSR V2 as an FTP Client
  1.6 Configuring TFTP Connection
  1.7 SFTP Connection Configuration
    1.7.1 Configuring the ZXR10 ZSR V2 as an SFTP Server
    1.7.2 Configuring the ZXR10 ZSR V2 as an SFTP Client
Chapter 2 File System Management
  2.1 File System Overview
  2.2 Configuring File System Management
  2.3 File System Management Configuration Examples
    2.3.1 File System Configuration Example
    2.3.2 Configuration Example of Backing Up a Configuration File on a USB Flash Drive
Chapter 3 MIM Configuration
  3.1 MIM Overview
  3.2 Configuring MIM
Chapter 4 User Management
  4.1 User Management Overview
  4.2 Configuring User Management
  4.3 User Management Configuration Examples
    4.3.1 Local Authentication and Authorization User Configuration Example
    4.3.2 RADIUS-LOCAL Authentication and Authorization User Configuration Example
    4.3.3 TACACS+ Authentication and Authorization User Configuration Example
    4.3.4 Configuring a Password Prompt Question for Resetting a Password
    4.3.5 Configuring OAM Security Management
    4.3.6 Configuring a Password Validity Period
    4.3.7 Configuring First-Login Password Modification
    4.3.8 Relations Between Raising Privilege Levels and the Enable Command
Chapter 5 Command Privilege Level Classification
  5.1 Command Privilege Level Overview
  5.2 Configuring Command Privilege
  5.3 Command Privilege Level Configuration Example
Chapter 6 SNMP Configuration
  6.1 SNMP Basic Configuration
    6.1.1 SNMP Overview
    6.1.2 Configuring SNMP
    6.1.3 SNMP Configuration Example
  6.2 SNMP Anti-Violence Attack
    6.2.1 SNMP Anti–Brute Force Attack Overview
    6.2.2 Configuring SNMP Anti–Brute Force Attack
    6.2.3 SNMP Anti–Brute Force Attack Configuration Example
Chapter 7 Alarm Management Configuration
  7.1 Alarm Overview
  7.2 Configuring the Alarm Function
  7.3 Alarm Function Configuration Example
Chapter 8 SYSLOG Configuration
  8.1 SysLog Overview
  8.2 Configuring Syslog
  8.3 Syslog Configuration Example
Chapter 9 RMON Configuration
  9.1 RMON Overview
  9.2 Configuring RMON
  9.3 RMON Configuration Example
Chapter 10 Clock and Clock Synchronization
  10.1 NTP Configuration
    10.1.1 NTP Overview
    10.1.2 Configuring NTP
    10.1.3 NTP Configuration Examples
  10.2 Physical POS Interface Clock Configuration
    10.2.1 Physical POS Interface Clock
    10.2.2 Configuring a Physical POS Interface Clock
    10.2.3 Physical POS-Interface Clock Configuration Instance
Chapter 11 Performance Statistics
  11.1 Performance Management Overview
  11.2 Performance Management Configuration
  11.3 Performance Management Configuration Example
Chapter 12 NetFlow Configuration
  12.1 NetFlow Overview
  12.2 Configuring NetFlow
  12.3 NetFlow Configuration Examples
    12.3.1 NetFlow V5 Configuration Example
    12.3.2 NetFlow V8 Configuration Example
    12.3.3 NetFlow V9 Configuration Example
Chapter 13 SQA Configuration
  13.1 SQA Overview
  13.2 Configuring SQA
  13.3 SQA Configuration Examples
    13.3.1 ICMP-Type SQA Configuration Example
    13.3.2 FTP-Type SQA Configuration Example
    13.3.3 TCP-Type SQA Configuration Example
    13.3.4 UDP-Type SQA Configuration Example
    13.3.5 DNS-Type SQA Configuration Example
Chapter 14 LLDP Configuration
  14.1 LLDP Overview
  14.2 Configuring LLDP
  14.3 LLDP Configuration Examples
    14.3.1 LLDP Neighbor Configuration Example
    14.3.2 LLDP Attribute Configuration Example
Chapter 15 Network Layer Detection
  15.1 Configuring ICMP Fast Response
  15.2 Configuring IP Source Route Option Processing
  15.3 Configuring ICMP Unreachable Packet Function
  15.4 Enabling an Interface to Send ICMP Unreachable Packets
  15.5 Configuring IP Ping
  15.6 Configuring IP Trace
  15.7 Configuring LSP Ping
  15.8 Configuring LSP Trace
  15.9 Configuring Multicast Ping
  15.10 Configuring Multicast Trace
  15.11 Configuring MAC Ping
  15.12 Configuring MAC Trace
  15.13 IP Performance Maintenance
Figures
Glossary
About This Manual
Purpose
This manual describes functional principles, configuration commands and examples related to ZXR10 ZSR V2 system management.
Intended Audience
This manual is intended for the following engineers:
- Network planning engineers
- Commissioning engineers
- Maintaining engineers
What Is in This Manual
This manual contains the following contents:
Chapter: 1, Device Connection Management
Summary: Describes several modes (including through a Console port, TELNET, SSH, FTP, TFTP and SFTP) and configuration commands to connect to ZXR10 ZSR V2.

Chapter: 2, File System Management
Summary: Describes operational commands for the file system of the device.

Chapter: 3, MIM Configuration
Summary: Describes MIM principles, configuration commands and configuration examples.

Chapter: 4, User Management
Summary: Describes user management principle, configuration commands and configuration examples.

Chapter: 5, Command Privilege Level Classification
Summary: Describes user and command privilege level classification principle, configuration commands and configuration example.

Chapter: 6, SNMP Configuration
Summary: Describes SNMP principles, configuration commands and configuration examples.

Chapter: 7, Alarm Management Configuration
Summary: Describes alarm management principle, configuration commands and configuration example.

Chapter: 8, SYSLOG Configuration
Summary: Describes SYSLOG principle, configuration commands and configuration example.

Chapter: 9, RMON Configuration
Summary: Describes RMON principle, configuration commands and configuration example.

Chapter: 10, Clock and Clock Synchronization
Summary: Describes clock and clock synchronization principles, configuration commands and configuration examples.

Chapter: 11, Performance Statistics
Summary: Describes performance statistics principle, configuration commands and configuration example.

Chapter: 12, NetFlow Configuration
Summary: Describes NetFlow principle, configuration commands and configuration examples.

Chapter: 13, SQA Configuration
Summary: Describes SQA principle, configuration commands and configuration examples.

Chapter: 14, LLDP Configuration
Summary: Describes LLDP principles, configuration commands and configuration examples.

Chapter: 15, Network Layer Detection
Summary: Describes the principles, configuration commands, and configuration examples of the network layer detection.
Conventions
This manual uses the following typographical conventions:

Typeface: Italics
Meaning: Variables in commands. It may also refer to other related manuals and documents.

Typeface: Bold
Meaning: Menus, menu options, function names, input fields, option button names, check boxes, drop-down lists, dialog box names, window names, parameters, and commands.

Typeface: Constant width
Meaning: Text that you type, program codes, filenames, directory names, and function names.

Typeface: [ ]
Meaning: Optional parameters.

Typeface: |
Meaning: Separates individual parameters in a series of parameters.

Warning: indicates a potentially hazardous situation. Failure to comply can result in serious injury, equipment damage, or interruption of major services.
Caution: indicates a potentially hazardous situation. Failure to comply can result in moderate injury, equipment damage, or interruption of minor services.
Note: provides additional information about a certain topic.
Chapter 1 Device Connection Management
Table of Contents
Connecting the ZXR10 ZSR V2 System
Configuring Console Port Connection
Configuring Telnet Connection
Configuring SSH Connection
FTP Connection Configuration
Configuring TFTP Connection
SFTP Connection Configuration
1.1 Connecting the ZXR10 ZSR V2 System
The ZXR10 ZSR V2 provides multiple configuration modes, see Figure 1-1.
Figure 1-1 ZXR10 ZSR V2 Configuration Modes
Users can use different configuration modes for different network types. The configuration modes are described below:
- Console port mode: This is the primary configuration mode used by users.
- Telecommunication Network Protocol (TELNET)/Secure Shell (SSH) mode: Users can use this mode to configure the ZXR10 ZSR V2 from any location that can reach it over the network.
- Trivial File Transfer Protocol (TFTP)/File Transfer Protocol (FTP) mode: Users can use this mode to download/upload router configuration files, and update router configurations.
1.2 Configuring Console Port Connection
This procedure describes how to connect to the ZXR10 ZSR V2 through the Console port.
Steps
1. Configure a Hyperterminal.
For how to configure a Hyperterminal, refer to the "Configuring the Device Through a Console Port" section in the ZXR10 M6000 Initial Configuration Guide.
2. (Optional) In the configuration mode, run the login authentication command to enable the Console port connection authentication function.
Caution!
The Console port connection authentication function can be enabled only after a username and password are configured. If the username and password are not configured properly, after the function is enabled, you cannot enter the ZXR10> CLI when you connect the device next time.
The following example shows how to enable Console port authentication.
ZXR10(config)#login authentication
Warning:
Please make sure local or remote authentication is correctly configured.
Are you sure to configure console authentication? [yes/no]:y
ZXR10(config)#
/*Enables the Console port connection authentication function.*/
For how to configure a user name and password used in serial port authentication, refer to 4.2 Configuring User Management.
– End of Steps –
1.3 Configuring Telnet Connection
This procedure describes how to connect to the ZXR10 ZSR V2 through Telnet.
Prerequisite
The local terminal can access the remote router network.
Context
Telnet is used for configuring routers remotely. To prevent unauthorized users from accessing the router through Telnet, a user name and password have to be set on the router for Telnet access. Only a user who has the preset user name and password can access the router. For how to configure a user name and password on the ZXR10 ZSR V2 for Telnet login, refer to 4.2 Configuring User Management.
Steps
1. Connect to the ZXR10 ZSR V2 through Telnet.
Assume that the IP address of a remote router is 192.168.3.1 and that the local terminal (configured with the Windows XP operating system, for example) can access the remote router network. The operations on the local terminal are as follows:
a. Start the Run program on the local terminal, and enter the telnet 192.168.3.1 command, see Figure 1-2.
Figure 1-2 Run Dialog Box
b. Click OK.
The following information is displayed:
************************************************************
Welcome to ZXR10 Intelligent Integrated Multi-Service Router
of ZTE Corporation
************************************************************
Login at: 19:46:37 03-24-2014
Username:who
Password:
ZXR10>enable 18
Password:
ZXR10#
c. Enter a user name and a password according to the prompt. Then, you can log in to the remote router.
2. Configure a Telnet connection.
On the ZXR10 ZSR V2, run the following commands to configure optional Telnet parameters:
Command: ZXR10(config)#line console idle-timeout <idle-time>
Function: Configures the maximum idle timeout period of the serial port. Unit: minute, range: 0–1000, default: 30.

Command: ZXR10(config)#line console absolute-timeout <absolute-time>
Function: Configures the maximum online timeout period of the serial port. Unit: minute, range: 0–10000, default: 1440.

Command: ZXR10(config)#line telnet idle-timeout <idle-time>
Function: Configures the maximum idle timeout period of Telnet. Unit: minute, range: 0–1000, default: 120.

Command: ZXR10(config)#line telnet absolute-timeout <absolute-time>
Function: Configures the maximum online timeout period of Telnet. Unit: minute, range: 0–10000, default: 1440.

Command: ZXR10(config)#line telnet access-class {ipv4 | ipv6} <acl-name>
Function: Configures the name of an Access Control List (ACL) bound to Telnet.

Command: ZXR10(config)#line telnet max-link <max-number>
Function: Configures the maximum number of Telnet links. Range: 1–15, default: 15.

Command: ZXR10#terminal length <length>
Function: Configures the terminal window height. Unit: line, range: 0–24.

Command: ZXR10#line telnet dscp <dscp-value>
Function: Specifies the DSCP value of control plane packets for the IPv4/IPv6 Telnet server. Range: 0–63, default: 48.

Command: ZXR10#telnet {<dest-address>[{[<source-address>],[<port-number>],[{vrf <vrf-name> | dcn}],[dscp <dscp-value>]}]|<domain-name>[{[<port-number>],[vrf <vrf-name>],[dscp <dscp-value>]}]}
Function: Enables this router to log in to an IPv4 Telnet server as a client. <domain-name>: domain name (Range: 1–128 characters).

Command: ZXR10#telnet6 {<dest-address>[{[interface <interface-name>],[vrf <vrf-name>],[<port-number>],[dscp <dscp-value>]}]|<domain-name>[{[vrf <vrf-name>],[<port-number>],[dscp <dscp-value>]}]}
Function: Enables this router to log in to an IPv6 Telnet server as a client.

Command: ZXR10(config)#line telnet server enable [listen {<23>|<49152-65535>}]
Function: Allows terminals to log in to this router in Telnet mode, and allows the specification of a port number.
3. (Optional) Run the telnet command on the ZXR10 ZSR V2 to log in to another device through the local client.
For the format of the telnet command, refer to the following table:

Command: ZXR10#telnet {<dest-ipaddress>[vrf <vrf-name>][<source-ipaddress>][<port-number>]|<domain name>[vrf <vrf-name>][<port-number>]}
Function: Configures this router as a client to log in to another device. <port-number>: Transmission Control Protocol (TCP) port number (range: 0–65535).

4. Verify the configurations.

Command: ZXR10#show terminal
Function: Displays information on the current terminal.

Command: ZXR10#show history
Function: Displays the last ten history commands.

Command: ZXR10#show users
Function: Displays the login user information.

Command: ZXR10#who
Function: Displays the login user information.

5. Maintain Telnet connections.

Command: ZXR10(config)#line telnet server disable
Function: Forbids terminals from logging in to this router in Telnet mode.

Command: ZXR10#clear line vty <vty-number>
Function: Forces the vty user to log out. <vty-number>: specifies the terminal number (range: 0–14).

– End of Steps –
Example
The following provides a Telnet connection configuration example.
- Configuration Description
It is required to connect a PC to R1 through Telnet, see Figure 1-3.
Figure 1-3 Telnet Connection Configuration Example
- Configuration Flow
1. Connect a PC to R1.
2. Configure Telnet on R1.
3. Configure an ACL on R1 to filter TCP connections.
- Configuration Commands
Run the following commands on R1:
R1(config)#line telnet idle-timeout 120
R1(config)#line telnet absolute-timeout 1440
R1(config)#line telnet access-class ipv4 wd
R1(config)#ipv4-access-list wd
R1(config-ipv4-acl)#rule permit tcp 169.1.108.82 0.0.0.0 any
R1(config-ipv4-acl)#exit
- Configuration Verification
If no ACL is configured, a PC whose IP address is in any network segment can connect to R1.
If an ACL is configured, only PCs whose IP addresses match a permit rule of the ACL can connect to R1.
1.4 Configuring SSH Connection
This procedure describes how to connect to the ZXR10 ZSR V2 through SSH.
Prerequisite
The local terminal can access the remote router network.
Context
Secure Shell (SSH) is defined by the IETF Network Working Group. It is a security protocol established on the basis of the application layer and transport layer.
Traditional network service programs such as FTP, POP, and Telnet use clear text to transfer data. Therefore, user names and passwords are vulnerable to man-in-the-middle attacks. Compared with traditional network service programs, SSH is more reliable. It provides security for remote login sessions and other network services, and has the following advantages:
- The SSH protocol prevents information leakage in remote management processes.
- The SSH protocol encrypts all transferred data, and prevents DNS spoofing and IP spoofing.
- The SSH protocol transfers compressed data, accelerating transmission.
- The SSH protocol is usually used to replace Telnet, and provides a secure "channel" for FTP, POP, or even PPP.
Steps
1. Configure SSH.

Step: 1
Command: ZXR10(config)#ssh server enable [listen {<22>|<49152-65535>}]
Function: Enables the SSH server function, which is disabled by default. Allows the specification of a port number.

Step: 2
Command: ZXR10(config)#ssh server access-class {ipv4 | ipv6} <acl-name>
Function: Binds an ACL for SSH.

Step: 3
Command: ZXR10(config)#ssh server dscp <dscp-value>
Function: Specifies the DSCP value of control plane packets for the IPv4/IPv6 SSH server. Default: 48.

Step: 4
Command: ZXR10#ssh <dest-address> encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[{[<source-address>],[<port-number>],[vrf <vrf-name>],[dscp <dscp-value>]}]
Function: Enables this router to log in as a client to an IPv4 SSH server in SSH mode.

Step: 5
Command: ZXR10#ssh6 <dest-address> encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[{[<port-number>],[vrf <vrf-name>],[interface <interface-name>],[dscp <dscp-value>]}]
Function: Enables this router to log in as a client to an IPv6 SSH server in SSH mode.
2. Maintain SSH.

Command: ZXR10(config)#ssh server disable
Function: Disables the SSH server function.

3. Configure an SSH client.
The following uses PuTTY as an example to describe how to configure an SSH client.
a. Start Putty.exe on the SSH host. Type the IP address of the remote router (such as 192.168.5.3) in the Host Name text box, see Figure 1-4.
Figure 1-4 PuTTY Configuration Dialog Box
b. Select 2 for the SSH version, see Figure 1-5.
Figure 1-5 PuTTY Configuration Dialog Box
c. Click Open. The Login dialog box is displayed. Enter the correct user name and password to log in to the router, and then configure the router in the command line window.
login as:zte
Further authentication required
[email protected]'s password:
************************************************************
Welcome to ZXR10 Intelligent Integrated Multi-Service Router
of ZTE Corporation
************************************************************
ZXR10#
4. Verify the configurations.

Command: ZXR10#show ssh
Description: Shows the configuration state of SSH.

– End of Steps –
Example
The following provides an SSH configuration example.
- Configuration Description
It is required to connect a PC to R1 through SSH, see Figure 1-6.
Figure 1-6 SSH Configuration Example
- Configuration Flow
1. Connect a PC to R1.
2. Configure SSH on R1.
3. Configure an ACL on R1 to filter connections.
- Configuration Commands
Run the following commands on R1:
R1(config)#ssh server enable
R1(config)#ssh server access-class ipv4 wd
R1(config)#ipv4-access-list wd
R1(config-ipv4-acl)#rule permit tcp 169.1.108.82 0.0.0.0 any
R1(config-ipv4-acl)#exit
- Configuration Verification
If no ACL is configured, a PC whose IP address is in any network segment can connect to R1.
If an ACL is configured, only PCs whose IP addresses match a permit rule of the ACL can connect to R1.
1.5 FTP Connection Configuration
1.5.1 Configuring the ZXR10 ZSR V2 as an FTP Server
This procedure describes how to configure the ZXR10 ZSR V2 as an FTP server.
Prerequisite
The local terminal can access the remote router network.
Steps
1. Enable the FTP server function.

Command: ZXR10(config)#ftp-server enable [listen <port-number>]
Function: Enables the FTP server function, and listens on the specified port. The port range is 21 or 2401–2420.

2. Configure other FTP attributes.

Command: ZXR10(config)#ftp-server top-directory <directory>[{read-only |{[read-write],[copy]}}]
Function: Sets the top-level directory that the FTP server allows users to access through FTP. By default, the directory is /datadisk0/.

Command: ZXR10(config)#ftp-server access-class [ipv6] <acl-name>
Function: Binds an ACL to the FTP server.

Command: ZXR10(config)#ftp-server max-login <max-number>
Function: Configures the maximum number of online users of the FTP server.

For how to configure an FTP server user name and password, refer to “Chapter 4 User Management”.
3. Verify the configurations.

Command: ZXR10#show ftp-server
Function: Shows the configuration information on the FTP server.

4. Maintain the FTP Server.

Command: ZXR10(config)#ftp-server kick-user <user-id>
Function: Disconnects a currently online user. The parameter value is an online user ID.

– End of Steps –
Example
The following gives an FTP server configuration example.
- Configuration Description
As shown in Figure 1-7, ZXR10 ZSR V2 is connected to a PC and operates as an FTP server. The PC functions as an FTP client that uploads and downloads files.
Figure 1-7 FTP Server Configuration Example
- Configuration Flow
  1. Enable the FTP server function and listening port 21 of the ZXR10 ZSR V2.
  2. Set the FTP server root directory to /datadisk0/LOG/.
  3. Set both the FTP server user name and password to zte.
  4. Upload and download files through the FTP server to verify the FTP server function.
- Configuration Commands
The configuration flow on the ZXR10 ZSR V2 is shown below. For how to configure an FTP server user name and password, refer to “Chapter 4 User Management”.
R1#configure terminal
Enter configuration commands, one per line.End with CTRL/Z.
R1(config)#ftp-server enable
R1(config)#ftp-server top-directory /datadisk0/LOG/
1.5.2 Configuring the ZXR10 ZSR V2 as an FTP Client
This procedure describes how to configure the ZXR10 ZSR V2 as an FTP client.
Prerequisite
The ZXR10 ZSR V2 can access the FTP server network.
Steps
1. Configure and start an FTP server.
The following takes the WFTPD FTP server software as an example to describe how to configure an FTP server.
a. Run wftpd32.exe. The WFTPD window is displayed, see Figure 1-8.
Figure 1-8 WFTPD Window
b. Select Security > User/Rights…. The User/Rights Security dialog box is displayed, see Figure 1-9.
Figure 1-9 User/Rights Security Dialog Box
c. Perform the following steps in the User/Rights Security dialog box.
i. Click New User… to create a new user such as target, and set a password.
ii. Select target from the User Name drop-down list.
iii. Type a directory such as D:\IMG in the Home Directory text box for saving version files or configuration files. After the configuration is completed, the user name and home directory are displayed in the User/Rights Security dialog box, see Figure 1-10.
Figure 1-10 User/Rights Security Dialog Box
d. Click Done in Figure 1-10 to start the FTP server.
2. Upload and download a file through the router, which acts as an FTP client.
Command: ZXR10#ftp-client source-ip {ipv4 <ipv4-address>| ipv6 <ipv6-address>[interface <interface-name>]}
Function: Configures the source address for copying files when the ZXR10 ZSR V2 functions as an FTP client.

Command: ZXR10#copy ftp [vrf <vrf-name>] //HOST/filename@username:password root: filename or directory&filename [<listen_port>][ipaddr][interface <interface-name>]
Function: Downloads a file from an FTP server to the local client.

Command: ZXR10#copy ftp [vrf <vrf-name>] root: filename or directory&filename //HOST/filename@username:password [<listen_port>][ipaddr][interface <interface-name>]
Function: Uploads a local file to an FTP server.
– End of Steps –
Example
The following example describes how to download or upload a file when the ZXR10 ZSR V2 functions as an FTP client.
A user whose user name is who and password is who uploads the startrun.dat file from the sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the FTP server whose IP address is 192.168.109.6.
ZXR10#copy ftp root:/sysdisk0/DATA0/startrun.dat
//192.168.109.6/startrun1.dat@who:who
Start copying file
Put file successfully!sent 3492803 bytes!!
A user whose user name is who and password is who downloads the startrun.dat file from the FTP server whose IP address is 192.168.109.6, and renames the file as startrun.bak.
ZXR10#copy ftp //192.168.109.6/startrun.dat@who:who
root: /datadisk0/startrun.bak
Start copying file
Got file successfully!Received 3492803 bytes!!
1.6 Configuring TFTP Connection
By means of TFTP, router version files and configuration files can be backed up and restored.
Prerequisite
The ZXR10 ZSR V2 can access the TFTP server network as a TFTP client.
Steps
1. Configure and start a TFTP server.
The following takes the TFTP server software tftpd as an example to describe how to configure a TFTP server.
a. Run tftpd.exe. The TFTP server window is displayed, see Figure 1-11.
Figure 1-11 TFTP Server Window
b. Select Tftpd > Configure. The Tftpd Settings dialog box is displayed. Click Browse in the dialog box, and select a directory (such as the IMG directory on Disk D) to save version files or configuration files, see Figure 1-12.
Figure 1-12 Tftpd Settings Dialog Box
c. Click OK to complete the setting.
2. Upload and download a file through the TFTP client.
Command: ZXR10#copy tftp [ipv6][vrf <vrf-name>] //HOST/filename root: filename or directory [<listen_port>]
Function: Downloads a file from a TFTP server to the local router.

Command: ZXR10#copy tftp [ipv6][vrf <vrf-name>] root: filename or directory //HOST/filename [<listen_port>]
Function: Uploads a file from the local router to a TFTP server.
– End of Steps –
Example
The following example describes how to upload the startrun.dat file from the datadisk0 directory of the ZXR10 ZSR V2 file system to the TFTP server whose IP address is 192.168.4.244.
ZXR10#copy tftp root: /datadisk0/startrun.dat //192.168.4.244/startrun.dat
Starting copying file
.
File copying successfully.
The following example describes how to download the file startrun.dat from the TFTP server whose IP address is 192.168.4.244, and to rename the file as startrun.bak.
ZXR10#copy tftp //192.168.4.244/startrun.dat root: /datadisk0/startrun.bak
Starting copying file
.
File copying successfully.
1.7 SFTP Connection Configuration
1.7.1 Configuring the ZXR10 ZSR V2 as an SFTP Server
This procedure describes how to configure the ZXR10 ZSR V2 as an SFTP server.
Prerequisite
The local terminal can access the remote router network.
Steps
1. Configure an SFTP server.
Command: ZXR10(config)#sftp-server top-directory <directory>
Function: Sets the top-level directory that the SFTP server allows users to access.

For how to configure a login user name and password of an SFTP server, refer to “Chapter 4 User Management”.
2. Verify the configurations.
Command: ZXR10#show sftp-server
Function: Displays configuration information on the SFTP server.
– End of Steps –
Example
The following gives an example of how to configure an SFTP server.
- Configuration Description
When the ZXR10 ZSR V2 functions as an SFTP server, the client can be a PC or another type of device that supports the SFTP client function. Two ZXR10 ZSR V2s are connected, one functioning as an SFTP server, the other as an SFTP client that downloads files from the server, see Figure 1-13.
Figure 1-13 SFTP Server Configuration Example
- Configuration Flow
  1. On the SFTP server, enable the SSH function, and configure a listening port.
  2. On the SFTP server, set the root directory of SFTP to /datadisk0/BAK/.
  3. On the SFTP server, configure the zte user name and password.
  4. Download a file from the SFTP server to verify the SFTP server function.
- Configuration Commands
Run the following commands on the ZXR10 ZSR V2. For how to configure a user name and password, refer to “Chapter 4 User Management”.
/*The configuration commands on the SFTP server are as follows:*/
R1#configure terminal
R1(config)#ssh server enable listen 49152
R1(config)#sftp-server top-directory /datadisk0/BAK/
R1#dir BAK
Directory of MPFU-8/0: /datadisk0/BAK
897636 KB total (892760 KB free)
attribute size date time name
1 <DIR> 160 01-15-2014 08:43 .
2 <DIR> 160 01-15-2014 08:43 ..
3 ---- 615 01-15-2014 15:08 0130.txt
/*Downloads a file from the SFTP client.*/
R2#copy sftp vrf mng //169.1.219.14/0130.txt@zte:zte
root: /datadisk0/0130.txt encrypt 3des compress zlib mac md5 49152
Start copying file
.
Got file successfully!
1.7.2 Configuring the ZXR10 ZSR V2 as an SFTP Client
This procedure describes how to configure the ZXR10 ZSR V2 as an SFTP client.
Prerequisite
The ZXR10 ZSR V2 can access the SFTP server network.
Steps
1. Configure an SFTP server.
Start the SFTP server software. Functioning as a client, the ZXR10 ZSR V2 communicates with the SFTP server.
2. Upload or download a file through the ZXR10 ZSR V2.
Command: ZXR10#copy sftp [vrf <vrf-name>] //HOST/filename@username:password root: filename or directory&filename encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[<listen_port>][ipaddr][interface <interface-name>]
Function: Downloads a file from the SFTP server to the local SFTP client.

Command: ZXR10#copy sftp [vrf <vrf-name>] root: filename or directory&filename //HOST/filename@username:password encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[<listen_port>][ipaddr][interface <interface-name>]
Function: Uploads a file from the local SFTP client to the SFTP server.
– End of Steps –
Example
A user whose user name is who and password is who uploads the startrun.dat file in the /sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the SFTP server whose IP address is 192.168.109.6. The encryption algorithm is aes128, compression algorithm is zlib, and MAC check method is sha1.
ZXR10#copy sftp root:/sysdisk0/DATA0/startrun.dat
//192.168.109.6/startrun1.dat@who:who encrypt aes128 compress zlib mac sha1
Start copying file
...
Put file successfully!
A user whose user name is who and password is who downloads the startrun.dat file from the SFTP server whose IP address is 192.168.109.6, and renames the file as startrun.bak. The encryption algorithm is aes128, compression algorithm is zlib, and MAC check method is sha1.
ZXR10#copy sftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak
encrypt aes128 compress zlib mac sha1
Start copying file
...
Got file successfully!
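The copy ftp, copy tftp and copy sftp examples in sections 1.5 to 1.7 carry the account password on the command line and let the operator pick the cipher and MAC. The following Python check is an added example, not part of the ZTE guide: it parses such command lines, reports what a reviewer would flag, and masks the password before the line is stored anywhere. The sample lines are the guide's own example commands joined onto one line each; the finding names and the choice of which keywords count as weak are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Keywords come from the guide's `copy sftp` syntax; classing them as weak is
# this example's judgement, not a statement from the guide.
WEAK_ENCRYPT = {"none", "3des", "blowfish"}
WEAK_MAC = {"none", "md5"}

COPY_RE = re.compile(r"^(?:\S*#)?\s*copy\s+(ftp|tftp|sftp)\s+(.*)$")
HOST_RE = re.compile(r"//(?P<host>[^/\s]+)/")
# //HOST/filename@username:password, as written in the guide's syntax tables.
CRED_RE = re.compile(
    r"//(?P<host>[^/\s]+)/(?P<path>[^@\s]+)@(?P<user>[^:\s]+):(?P<pw>\S+)"
)


@dataclass
class Transfer:
    protocol: str
    host: Optional[str]
    user: Optional[str]
    findings: List[str]


def audit_copy_command(line: str) -> Optional[Transfer]:
    """Return the findings for one `copy ftp|tftp|sftp` line, else None."""
    m = COPY_RE.match(line.strip())
    if not m:
        return None
    protocol, rest = m.group(1), m.group(2)
    findings: List[str] = []
    if protocol in ("ftp", "tftp"):
        findings.append("cleartext-protocol")   # file content crosses the network unencrypted
    if protocol == "tftp":
        findings.append("no-authentication")    # TFTP has no login step
    host = HOST_RE.search(rest)
    cred = CRED_RE.search(rest)
    if cred:
        findings.append("password-on-command-line")
        if cred["pw"] == cred["user"]:
            findings.append("password-equals-username")
    if protocol == "sftp":
        for keyword, weak in (("encrypt", WEAK_ENCRYPT), ("mac", WEAK_MAC)):
            opt = re.search(rf"\b{keyword}\s+(\S+)", rest)
            if opt and opt.group(1) in weak:
                findings.append(f"weak-{keyword}:{opt.group(1)}")
    return Transfer(protocol, host["host"] if host else None,
                    cred["user"] if cred else None, findings)


def redact(line: str) -> str:
    """Mask the password so the line can be kept in a ticket or a log."""
    return CRED_RE.sub(
        lambda m: f"//{m['host']}/{m['path']}@{m['user']}:***", line)


# The guide's own example commands, joined onto one line each.
SAMPLE_LINES = [
    "ZXR10#copy ftp root:/sysdisk0/DATA0/startrun.dat //192.168.109.6/startrun1.dat@who:who",
    "ZXR10#copy tftp //192.168.4.244/startrun.dat root: /datadisk0/startrun.bak",
    "R2#copy sftp vrf mng //169.1.219.14/0130.txt@zte:zte root: /datadisk0/0130.txt "
    "encrypt 3des compress zlib mac md5 49152",
    "ZXR10#copy sftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak "
    "encrypt aes128 compress zlib mac sha1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = audit_copy_command(line)
        print(redact(line))
        print("   ", result.protocol, result.host, result.findings)
```

Of the options the syntax table offers, only encrypt aes128 with mac sha1 passes without a cipher or MAC finding; the password findings remain because the syntax itself places the password on the command line.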
Chapter 2 File System Management
Table of Contents
File System Overview
Configuring File System Management
File System Management Configuration Examples
2.1 File System Overview
The file system consists of a Flash, a BOOT and an NVRAM. In addition, there are two USB interfaces on the front panel of the Main Processing Unit (MPFU), which can be used to back up or add configuration files, version files, and log files quickly and conveniently.
Flash
The Flash stores version files, data files, system breakdown files, and operation logs. It has two partitions, which are mapped to the /sysdisk0 and /datadisk0 folders under the root directory of the Linux system respectively.
- /sysdisk0 partition: This is the system partition that stores version files, important log files, and data files. Users have the read permission, but do not have the write permission. Users cannot delete or rename files, but can view files by running the more command. The /sysdisk0 partition does not support the format operation.
  - /sysdisk0/DATA0: stores the startrun.dat text configuration file. The startrun.dat file is a configuration file in command line form, which is saved when the write command is run. When loading is performed, the system reads the startrun.dat file from the /sysdisk0/DATA0 folder, and loads configurations in command line form. To upgrade the system, the startrun download command can be executed to load configuration from the local device or from the network.
  - System breakdown files and exception log files: system breakdown files include the Exc_Omp.txt and Exc_pp.txt files in the /sysdisk0/run_log directory and the files in the /sysdisk0/run_log/EXCINFO directory.
- /datadisk0 partition: This is the data partition that stores log files and data files relevant to users' routine operations and maintenance as well as data files stored by users as needed. Users have read and write permissions.
Service and alarm log files are stored in the /datadisk0/LOG directory, but the command log file (that is, the cmdlog file) is stored in the /sysdisk0/usrcmd_log/ directory.
BOOT
The BOOT is used to save the OSIMAGE file for initializing boards and booting MPUs.
NVRAM
The NVRAM is used to save booting information, including the IP address of the device management port, IP address of an FTP server, and configuration loading mode.
2.2 Configuring File System Management
This procedure describes how to manage files and directories, format the hard disk user partition, and save configuration information on the ZXR10 ZSR V2.
Steps
- Manage files and directories.
Command: ZXR10#dir [<filename-or-directory>|[<cpu-name>]]
Function: Displays a file information list:
  - If no parameter is entered, the information list of the files under the current directory is displayed.
  - If parameters are entered, the information list of the files under the specified directory or the specified file is displayed.

Command: ZXR10#pwd
Function: Displays the current file path of this terminal.

Command: ZXR10#cd <directory>[<cpu-name>]
Function: Switches to another file directory.

Command: ZXR10#mkdir <directory>[<cpu-name>]
Function: Creates a directory. If the directory already exists, an error prompt is returned.

Command: ZXR10#rmdir <directory>[<cpu-name>]
Function: Deletes the specified directory. If there is a file in this directory, the deletion fails.

Command: ZXR10#delete <filename>[<cpu-name>]
Function: Deletes the specified file.

Command: ZXR10#cp <source-file>[<cpu-name>]<destination-file>[<cpu-name>]
Function: Copies a file from a source directory to a destination directory.

Command: ZXR10#more <filename>[<cpu-name>][|{begin | exclude | include}<line>]
Function: Displays the content of the specified file. "|" is the output flag.

<filename-or-directory>: file name (range: 1–79 characters), path/file name (range: 1–159 characters), directory name (range: 1–79 characters), or path/directory name (range: 1–159 characters).
<cpu-name>: CPU name, default: the current board, format: [MPFU-<slot>/<cpu>]. "<slot>" and "<cpu>" are the slot number and CPU number respectively.
<directory>: directory name (range: 1–79 characters) or path/directory name (range: 1–159 characters).
<filename>: file name (range: 1–79 characters) or path/file name (range: 1–159 characters).
<source-file>: source file name (range: 1–79 characters) or path/file name (range: 1–159 characters).
<destination-file>: destination file name (range: 1–79 characters) or path/file name (range: 1–159 characters).
{begin | exclude | include}<line>: regular expression.
  - begin: displays the configurations that start with the input character string.
  - include: displays the configurations that include the character string.
  - exclude: displays the configurations that do not include the character string.
  - <line>: configures the filtering character string.
- Modify the configuration loading mode when the ZXR10 ZSR V2 starts up.
Command: ZXR10(config)#load-mode null
Function: Configures the power-on loading mode to start without a load.
- Save configurations.
Command: ZXR10#write
Function: Configures the information save mode.
– End of Steps –
2.3 File System Management Configuration Examples
2.3.1 File System Configuration Example
Enter the datadisk0 directory, as shown below.
ZXR10#cd /datadisk0
Display the current path, as shown below.
ZXR10#pwd
MPFU-8/0: /datadisk0
List files in the current directory, as shown below.
ZXR10#dir
Directory of MPFU-8/0: /datadisk0
897636 KB total (892760 KB free)
attribute size date time name
1 <DIR> 424 01-15-2014 08:43 .
2 <DIR> 424 01-15-2014 08:43 ..
3 <DIR> 160 01-15-2014 08:43 BAK
4 <DIR> 416 01-02-2014 07:03 LOG
5 <DIR> 160 01-02-2014 07:03 license
ZXR10#
Delete files in the directory, as shown below.
ZXR10#delete /datadisk0/techspt/techspt_cpu-info.txt
Are you sure to delete file(s)?[yes/no]:y
Delete file(s) successfully.
Delete the techspt_cpu-info.txt file in the /datadisk0/techspt directory, as shown below.
ZXR10#delete techspt_cpu-info.txt
Are you sure to delete file(s)?[yes/no]:y
Delete file(s) successfully.
Rename “test” to “test_new”, as shown below.
ZXR10#rename test test_new
Rename successfully.
2.3.2 Configuration Example of Backing Up a Configuration File on a USB Flash Drive
1. Insert a USB flash drive into a USB interface on the MPU. Then, the system automatically mounts the USB flash drive. Run the show filesystem command to view the USB path.
ZXR10#show filesystem
MPFU-8/0:
/sysdisk0
/datadisk0
/usb1:1
2. View files in the USB flash drive.
ZXR10#dir /usb1:1
Directory of MPFU-8/0: /usb1:1
3739652 KB total (3482228 KB free)
attribute size date time name
1 <DIR> 4096 07-25-2012 19:20 .
2 <DIR> 4096 07-25-2012 19:20 ..
3 ---- 261304 07-23-2012 14:56 techspt_basic-info.txt
4 <DIR> 4096 07-25-2012 19:39 1
3. Run the cp command to copy the startrun.dat configuration file to the USB flash drive.
ZXR10#cp /sysdisk0/DATA0/startrun.dat /usb1:1/startrun.dat
Copy file successfully.
4. After the backup is completed, run the umount command, and then remove the USB flash drive.
ZXR10#umount usb1
MPFU-8/0: usb1 unmounted successfully!
Chapter 3 MIM Configuration
Table of Contents
MIM Overview
Configuring MIM
3.1 MIM Overview
The Management Information Model (MIM) refers to storing configuration data according to an information model established for service configuration data, checking object operations according to the model definition, and performing object operations to modify configuration data. The MIM subsystem meets the unified requirements for configuration terminal command processing interfaces, such as commit, rollback, and CLI/SNMP.
As more and more configuration terminals come into being, the configuration modification of each Application (APP) needs to support multiple types of configuration terminals. Before the MIM channel is used, an APP has a dedicated configuration processing flow for each type of configuration terminal. As shown in Figure 3-1, MIM is an extension of the existing OAM configuration command processing function. First, the various types of configuration commands modify MIM data, and then MIM sends configuration modification commands to the APP. The APP does not need to be aware of the type of configuration terminal that a configuration command comes from; it only needs to provide a program for processing MIM object operations.
Figure 3-1 MIM Application
3.2 Configuring MIM
This procedure describes how to configure the MIM function on the ZXR10 ZSR V2.
Steps
1. Configure MIM.
Command: ZXR10#configure exclusive
Function: Configures the exclusive function.

Command: ZXR10#commit-mode {automatic | manual}
Function: Sets the commit mode (automatic-commit mode or manual-commit mode) for configuration commands. Default: automatic-commit.

Command: ZXR10#commit
Function: Commits the configuration.

Command: ZXR10#rollback
Function: Rolls back a configuration that has not been committed or has failed to be committed.

Note:
If a terminal is configured with the manual-commit mode and has configurations that have not been committed, normal configuration of other terminals may be affected.
2. Verify configurations.
Command: ZXR10#show commit-mode
Function: Displays the commit mode.

Command: ZXR10#show uncommitted-command
Function: Displays all the uncommitted commands of the current configuration terminal.

Command: ZXR10#show commit-failed
Function: Displays the configuration commands that the current terminal has failed to commit in manual-commit mode.

Command: ZXR10#show configure exclusive
Function: Displays exclusive information.
– End of Steps –
Example
The following provides a MIM configuration example.
- Configuration Description
Enter a batch of configuration commands by running a script. Take care to avoid configuration collision.
- Configuration Flow
  1. Configure the exclusive function to avoid collision.
  2. Change the command commit mode to the manual mode.
  3. Enter configuration commands by running a script.
  4. Commit the commands.
- Configuration Commands
ZXR10#configure exclusive
ZXR10#conf t
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#mu c
%Info 140359: Allow others to configure, must avoid conflict.
ZXR10(config)#commit-mode manual
/*Enters configuration commands by running a script. The process is omitted.*/
ZXR10(config)#commit
- Configuration Verification
Check whether all the commands have been committed and become effective by running the show command.
Chapter 4 User Management
Table of Contents
User Management Overview
Configuring User Management
User Management Configuration Examples
4.1 User Management Overview
To maintain and manage the ZXR10 ZSR V2, users need to log in to it in SSH, Telnet, or FTP mode. User management implements the configuration, authentication, and authorization of users who have logged in to the ZXR10 ZSR V2.
The user-name command is used to configure or delete users. By running the user-name command, you can configure user names and passwords (clear text passwords of 3–32 bits long or cipher text passwords of 64 bits long).
By configuring functions related to Authentication, Authorization and Accounting (AAA), user management provides user authentication and authorization in the following modes:
- None-authentication and none-authorization
- Local authentication and authorization
- Remote Authentication Dial In User Service (RADIUS) authentication and authorization
- Terminal Access Controller Access-Control System Plus (TACACS+) authentication and authorization
- RADIUS hybrid authentication and authorization
- TACACS+ hybrid authentication and authorization
When a user logs in to the ZXR10 ZSR V2 through SSH, Telnet, or FTP, user management queries the authentication template corresponding to the user to obtain the authentication mode, and authenticates the user. If the authentication is passed, the user is authorized. If the authentication fails, user management returns failure information.
After the user passes the authentication, user management authorizes the user. After the user successfully logs in and is authorized, user management displays a command view according to the user's privilege level. Therefore, the user cannot view or run commands with privilege levels higher than the user's privilege level, but can view and run commands with privilege levels lower than and equal to the user's privilege level. The local-privilege-level command is used to set user privilege levels, which range from level 0 (the lowest level) to level 15 (the highest level), and are level 0 by default.
4.2 Configuring User Management
This procedure describes how to configure user management functions.
Steps
1. Enter ADM_MGR configuration mode, and configure user management parameters.
Step 1
Command: ZXR10(config)#system-user
Function: Enters user management configuration mode.

Step 2
Command: ZXR10(config-system-user)#default-privilege-level <0-15>
Function: Configures the default privilege level.

Step 3
Command: ZXR10(config-system-user)#strong-password length <length> character {[capital][lowercase][number][special-character]}
Function: Configures a strong password. Range: 6–32 characters. A password needs to contain any one type or several types of the following characters: uppercase letters, lowercase letters, numbers, and special characters.

Step 4
Command: ZXR10(config-system-user)#user-authen-restriction fail-time <times> lock-minute <time>
Function: Locks the user after user authentication has failed consecutively. Range of the number of failure times: 3–6, range of locking time period: 1–1440 min.

Step 5
Command: ZXR10(config-system-user)#global-enable-type {aaa|local} authentication-template <1–128>
Function: Configures the global-enable mode for users.

Step 6
Command: ZXR10(config-system-user)#account-switch {off | on accounting-template <2001–2128>}
Function: Configures the global accounting mode.

Step 7
Command: ZXR10(config-system-user)#user-default
Function: Enters the default user configuration mode.

Step 8
Command: ZXR10(config-system-user)#user-group special <usergroup-name><username>{<password>| encrypted <password>}
Function: Configures user group information.

Step 9
Command: ZXR10(config-system-user)#login ascii authentication-template <1–128> authortication-template <1–128>
Function: Configures the ASCII authentication template.
2. Configure an authentication template.
Step 1
Command: ZXR10(config)#aaa-authentication-template <1-2128>
Function: Configures an AAA authentication template, and enters the configuration mode of this template.

Step 2
Command: ZXR10(config-aaa-authen-template)#aaa-authentication-type {none | local | radius | local-radius | radius-local | radius-none | local-tacacs | tacacs | tacacs-local | tacac-none| diameter}
Function: Configures an authentication type under the AAA authentication template.

Step 3
Command: ZXR10(config)#system-user
Function: Enters user management configuration mode.

Step 4
Command: ZXR10(config-system-user)#authentication-template <1–128>
Function: Configures a user management authentication template, and enters the configuration mode of this template.

Step 5
Command: ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template <2001–2128>
Function: Binds an AAA authentication template in the configuration mode of the user management authentication template.

Step 6
Command: ZXR10(config-system-user-authen-temp)#bind access-list ipv4/ipv6 <acl-name>
Function: Binds an ACL template in the configuration mode of the user management authentication template.

Step 7
Command: ZXR10(config-system-user-authen-temp)#description <description>
Function: Adds description information on the user management authentication template in the configuration mode of the user management authentication template.
3. Configure an authorization template.
Step 1
Command: ZXR10(config)#aaa-authorization-template <1–2128>
Function: Configures an AAA authorization template, and enters the configuration mode of this template.

Step 2
Command: ZXR10(config-aaa-author-template)#aaa-authorization-type {none | local-radius | local-tacacs | local | radius | tacacs | tacacs-local | radius-local }
Function: Configures an authorization type under the AAA authorization template.
Step 3
Command: ZXR10(config)#system-user
Function: Enters user management configuration mode.

Step 4
Command: ZXR10(config-system-user)#authorization-template <1–128>
Function: Configures a user management authorization template, and enters the configuration mode of this template.

Step 5
Command: ZXR10(config-system-user-author-temp)#bind aaa-authorization-template <2001–2128>
Function: Binds an AAA authorization template in the configuration mode of the user management authorization template.

Step 6
Command: ZXR10(config-system-user-author-temp)#local-privilege-level <0-15>
Function: Configures a local authorization level in the configuration mode of the user management authorization template.

Step 7
Command: ZXR10(config-system-user-author-temp)#description <description>
Function: Adds description information on the user management authorization template in the configuration mode of the user management authorization template.

Step 8
Command: ZXR10(config-system-user-author-temp)#local-cmdgroup <group>
Function: Binds a local command group to the authorization template.

Step 9
Command: ZXR10(config-system-user-author-temp)#local-cmdgroup-mode exclusive
Function: Defines the command group use mode as exclusive mode. Default: appending mode.

Step 10
Command: ZXR10(config-system-user-author-temp)#log file-allowed {cmd-log | alarm-log | nat-log | li-log | service-log}[{read-only | none |read-write|copy}]
Function: Configures the types of logs that the authorization template is allowed to access and access privileges.

Step 11
Command: ZXR10(config-system-user-author-temp)#ftp top-directory <directory>[{read-only |read-write|copy}]
Function: Configures the top directory that the authorization template is allowed to access through FTP and access privileges.

Step 12
Command: ZXR10(config-system-user-author-temp)#sftp top-directory <directory>{read-only |read-write|copy}
Function: Configures the top directory that the authorization template is allowed to access through SFTP and access privileges.
4. Create a user, and bind an authentication template and authorization template.
Step 1
Command: ZXR10(config-system-user)#user-name <name>
Function: Configures a user name, and enters user name configuration mode.

Step 2
Command: ZXR10(config-system-user-username)#bind authentication-template <1–128>
Function: Binds a user management authentication template.

Step 3
Command: ZXR10(config-system-user-username)#bind authorization-template <1–128>
Function: Binds a user management authorization template.

Step 4
Command: ZXR10(config-system-user-username)#password {<pwd>|encrypted <pwd>}
Function: Configures a password.

Step 5
Command: ZXR10(config-system-user-username)#password-recover-remind
Function: Configures information for password recovery.

Step 6
Command: ZXR10(config-system-user-username)#password-duration <days>
Function: Configures a password validity period. The value 0 indicates that the password never expires. Range: 90–360 days.

Step 7
Command: ZXR10(config-system-user-username)#once-password
Function: Configures a rule that a password should be changed at the first login.
5. Configure other parameters in global mode.
Command: ZXR10(config)#enable secret level <1-18>{0 <unencrypted-password>| 5 <encrypted-password>|<unencrypted-password>}
Function: Sets passwords of all login privilege levels.

Command: ZXR10(config)#login block <block-seconds> attempts <tries> within <seconds>
Function: Configures and activates the remote login anti-attack monitoring function.

Command: ZXR10(config)#login quiet-mode < ipv4-access-list | ipv6-access-list ><access-list-name>
Function: Configures an ACL for the quiet period.

Command: ZXR10(config)#login on-failure alarm [every <failure-tries>]
Function: Configures generating log information or Trap information when failed login attempts exist.
6. Verify the configurations.
Command Function
ZXR10#show running-config adm-mgr [all]
    Displays user management configurations.
ZXR10#show user-group [special <usergroup-name>]
    Displays configured user group information.
ZXR10#show authen-restriction userinfo
    Displays information on locked users and users who have failed authentication. The information includes user names, the number of authentication failures, status (locked or not locked), and the remaining locking time.
ZXR10#show login
    Displays configurations of the anti-attack monitoring function.
ZXR10#show login state [{[telnet]|[ssh]|[ftp]}]
    Displays the status of the anti-attack monitoring function and its statistical information.
ZXR10#show login failure [{[telnet]|[ssh]|[ftp]}]
    Displays information on failed login attempts of the anti-attack monitoring function.
– End of Steps –
Example
The user-password recover-remind command that is used to configure user password recovery reminders is an interactive command. The following provides examples of this command.
eg1:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:***
ZXR10(config-system-user)#
eg2:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
%Error 59958: Password is wrong!
ZXR10(config-system-user)#
eg3:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:question is 012345678901234567890124567890123456789
%Error 59959: Question has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#
eg4:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:zte 01234567890123456789012345678901234567890123456
%Error 59960: Answer has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#
Descriptions of the command output:
Command Output Description
password is:
    Requires the input of the password corresponding to the user name. A clear text password consists of 3–32 characters, and is displayed as ***. If the password is correct, the command continues. If the password is incorrect, an error is displayed and the command ends.
question:
    Requires the input of a prompt question for password recovery. The question can consist of a maximum of 50 characters including spaces, but cannot consist exclusively of spaces or include any question mark. If the question has more than 50 characters, an error prompt is displayed. If the question is valid, the command continues.
answer:
    Requires the input of an answer for password recovery. The answer can consist of a maximum of 50 characters including spaces, but cannot consist exclusively of spaces or include any question mark. If the answer has more than 50 characters, an error prompt is displayed. If the answer is valid, the command continues.
4.3 User Management Configuration Examples
4.3.1 Local Authentication and Authorization User Configuration Example
Configuration Description
As shown in Figure 4-1, the PC logs in to the router by serial port or Telnet, enters configuration mode and creates a user who uses local authentication mode.
Figure 4-1 Local Authentication and Authorization Configuration
Configuration Flow
1. Configure an authentication template.
2. Configure an authorization template.
3. Create a user, bind authentication and authorization templates.
Configuration Command
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type local
R1(config-aaa-author-template)#exit
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
4.3.2 RADIUS-LOCAL Authentication and Authorization User Configuration Example
Configuration Description
As shown in Figure 4-2, the PC logs in to the router by serial port or Telnet, enters configuration mode and creates a user who uses RADIUS-local authentication mode.
Figure 4-2 RADIUS-LOCAL Authentication and Authorization User Configuration
Configuration Flow
1. Configure a RADIUS group.
2. Configure an authentication template.
3. Configure an authorization template.
4. Create a user, bind authentication and authorization templates.
Configuration Command
/*This configures radius*/
R1(config)#radius authentication-group 1
R1(config-authgrp-1)#server 1 10.1.1.1 master key zte
R1(config-authgrp-1)#nas-ip-address 10.1.1.100
R1(config-authgrp-1)#algorithm round-robin
R1(config-authgrp-1)#max-retries 3
R1(config-authgrp-1)#timeout 30
R1(config-authgrp-1)#deadtime 0
R1(config-authgrp-1)#exit
/*This configures authentication template.*/
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type radius-local
R1(config-aaa-authen-template)#authentication-radius-group 1
R1(config-aaa-authen-template)#exit
/*This configures authorization template.*/
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type radius-local
R1(config-aaa-author-template)#authorization-radius-group 1
R1(config-aaa-author-template)#exit
R1(config)#system-user
/*This binds authentication template.*/
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
/*This binds authorization template.*/
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
/*This creates user.*/
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
4.3.3 TACACS+ Authentication and Authorization User Configuration Example
Configuration Description
As shown in Figure 4-3, the PC logs in to the router by serial port or Telnet, enters configuration mode and creates a user who uses TACACS+ authentication mode.
Figure 4-3 TACACS+ Authentication and Authorization User Configuration
Configuration Flow
1. Configure a TACACS+
2. Configure an authentication template.
3. Configure an authorization template.
4. Create a user, bind authentication and authorization templates.
Configuration Command
R1(config)#tacacs enable
R1(config)#tacacs-server host 10.1.1.1 key zte
R1(config)#tacplus group-server ztegroup
R1(config-sg)#server 10.1.1.1
R1(config-sg)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type tacacs
R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type tacacs
R1(config-aaa-author-template)#authorization-tacacs-group ztegroup
R1(config-aaa-author-template)#exit
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
4.3.4 Configuring a Password Prompt Question for Resetting a Password
Configuration Description
As shown in Figure 4-4, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create an authentication user. Users of any authentication mode can configure password recovery information, but password recovery only takes effect for locally authenticated users.
Figure 4-4 Configuring a Password Prompt Question for Resetting a Password
Configuration Flow
1. Configure an authentication template.
2. Configure an authorization template.
3. Create a user.
4. Configure a password prompt question and an answer.
5. Log in for password recovery.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name who
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password who
R1(config-system-user-username)#password-recover-remind
password is:***
question: who are you
answer:who
R1(config-system-user-username)#
/*Log in to the R1 through Telnet. Use the password prompt
question to reset the password.*/
R1#login
Username:recover-user who
question: who are you
answer: /*The input answer is not displayed.*/
Please input your new password:
Re-enter New password:
The password has been changed successfully,
please remember your new password!
Username:who
Password:
R1#
Note:
If the answer entered for the password prompt question is correct, the password of user who is changed to the new password.
4.3.5 Configuring OAM Security Management
Configuration Description
As shown in Figure 4-5, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create an authentication user. To prevent user passwords from being cracked or stolen, the ZXR10 ZSR V2 supports setting password strength. A user who fails authentication consecutively is locked and forbidden to log in within a given period of time, so that the user cannot try to crack the password through repeated login attempts.
Figure 4-5 Configuring OAM Security Management
Configuration Flow
1. Configure password strength.
2. Create a user. The creation succeeds only if the password meets the strength requirements.
3. Configure an authentication template.
4. Configure an authorization template.
5. Configure the number of consecutive user authentication failure times and locking period.
6. A user who fails authentication consecutively for the set number of times is locked.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#strong-password length 6 character special-character
/*Configures the minimum password length as 6 characters, and configures that a
password should contain special characters.*/
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte123*
R1(config-system-user-username)#exit
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-authen-restriction fail-time 3 lock-minute 2
/*Configures the number of consecutive user authentication failure times as 3, and
configures the locking period as 2 min.*/
R1(config-system-user)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit
/*A user logs in to the R1 through Telnet. The user fails authentication
consecutively for the set number of times, and is locked.*/
R1#login
Username:zte
Password:
% Local password error!
Username:zte
Password:
% Local password error!
Username:zte
Password:
% Local password error!
Still logged in as "who" /*The original login user name is who.*/
R1#login
Username:zte
Password:
% User is locked
R1#show authen-restriction userinfo
Username Failed-time State Remain (minute)
zte 3 locked 1
4.3.6 Configuring a Password Validity Period
Configuration Description
As shown in Figure 4-6, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create another user. By default, the password of this account never expires. You can set a validity period (90–360 days) for this account by running a configuration command, and test whether the validity period is effective by changing the system time.
Figure 4-6 Configuring a Password Validity Period
Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Set a password validity period.
5. Change the system time to test whether the validity period is effective.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#password-duration 90 /*Configures a password
validity period.*/
R1(config-system-user-username)#exit
R1(config-system-user)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#end
Configuration Verification
R1#show username
Username Encrypted-Password AuthenNo. AuthorNo. AgingTime Set-Time
zte ce7c04930c52bfe1669f6c22 1 1 89 2012-6-28
9ef61b761ec847e5b3052bdb
51456385bb2a9a57
/*Change the system time, so that the password expires.*/
R1#show clock
17:37:48 UTC Thu Jun 28 2012 /*Current time.*/
R1#clock set 15:10:39 9-20-2013 /*Changes the system time, so that the
password expires.*/
R1#show username /*After the system time is changed, the command output displays
that the password has expired.*/
Username Encrypted-Password AuthenNo. AuthorNo. AgingTime Set-Time
zte ce7c04930c52bfe1669f6c22 1 1 expired 2012-6-28
9ef61b761ec847e5b3052bdb
51456385bb2a9a57
R1#login
Username:zte
Password:
%User password expired /*The password has expired. The user cannot log in to
the R1.*/
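An added example (not part of the ZTE guide): a small Python audit that reads a CLI transcript in the prompt#command form used in this chapter and reports accounts that lack the protections configured in sections 4.3.5 and 4.3.6. The finding names, both sample transcripts, and the treatment of any non-alphanumeric character as a "special character" are assumptions made for this example.

```python
import re

# prompt#command lines in the form this chapter prints, e.g.
# R1(config-system-user-username)#password zte
PROMPT = re.compile(r"^\S+?\((?P<mode>config[\w-]*)\)#\s*(?P<cmd>.*)$")

# Constructed transcripts (not device captures). SAMPLE_WEAK has the shape
# of the basic user examples; SAMPLE_HARDENED adds the controls shown in
# sections 4.3.5 and 4.3.6.
SAMPLE_WEAK = """\
R1(config)#system-user
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
"""

SAMPLE_HARDENED = """\
R1(config)#system-user
R1(config-system-user)#strong-password length 6 character special-character
R1(config-system-user)#user-authen-restriction fail-time 3 lock-minute 2
R1(config-system-user)#user-name zte
R1(config-system-user-username)#password zte123*
R1(config-system-user-username)#password-duration 90 /*Configures a password
validity period.*/
R1(config-system-user-username)#exit
R1(config-system-user)#exit
"""


def parse(transcript):
    """Return (policy, lockout, users) found in a CLI transcript."""
    policy = lockout = current = None
    users = {}
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # device output, or the wrapped tail of a /*comment*/
        mode = m.group("mode")
        words = m.group("cmd").split("/*")[0].split()  # drop inline comment
        if not words:
            continue
        if mode == "config-system-user":
            if words[0] == "strong-password":
                policy = {"min_len": 0, "special": "special-character" in words}
                if "length" in words[:-1]:
                    policy["min_len"] = int(words[words.index("length") + 1])
            elif words[0] == "user-authen-restriction":
                opts = dict(zip(words[1::2], words[2::2]))
                lockout = (int(opts.get("fail-time", 0)),
                           int(opts.get("lock-minute", 0)))
            elif words[0] == "user-name" and len(words) > 1:
                current = users.setdefault(
                    words[1], {"password": None, "encrypted": False, "days": 0})
        elif mode == "config-system-user-username" and current is not None:
            if words[0] == "password" and len(words) > 1:
                current["encrypted"] = words[1] == "encrypted"
                current["password"] = words[-1]
            elif words[0] == "password-duration" and len(words) > 1:
                current["days"] = int(words[1])
    return policy, lockout, users


def audit(transcript):
    """Return a list of (subject, finding) tuples for the transcript."""
    policy, lockout, users = parse(transcript)
    findings = []
    if policy is None:
        findings.append(("global", "NO_STRONG_PASSWORD_POLICY"))
    if lockout is None:
        findings.append(("global", "NO_LOGIN_FAILURE_LOCKOUT"))
    for name, user in users.items():
        pwd = user["password"]
        if pwd is not None and not user["encrypted"]:
            if pwd.lower() == name.lower():
                findings.append((name, "PASSWORD_EQUALS_USERNAME"))
            # Assumption: "special" means any non-alphanumeric character.
            if policy and (len(pwd) < policy["min_len"]
                           or (policy["special"] and pwd.isalnum())):
                findings.append((name, "PASSWORD_BELOW_POLICY"))
        if user["days"] == 0:  # no password-duration: never expires
            findings.append((name, "PASSWORD_NEVER_EXPIRES"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(text))
```

Passwords entered with the encrypted keyword cannot be inspected, so the audit checks only their expiry setting.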
4.3.7 Configuring First-Login Password Modification
Configuration Description
As shown in Figure 4-7, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create another user, and configures once-password (only valid for locally authenticated users). During the next login, the user can use the self-configured password. By default, a password is 3–32 characters long.
Figure 4-7 Configuring First-Login Password Modification
Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Configure the first login password modification function.
5. During login, the user can set a password. The next time, the user can use the new password to successfully log in.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#once-password /*Configures first-login
password modification.*/
R1(config-system-user-username)#exit
R1(config-system-user)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#end
Configuration Verification
R1#login
Username:zte
Password:
Your password has expired.
Enter a new one now.
New password: /*Configure a new password, which is not displayed.*/
Re-enter new password: /*Confirm the new password, which is not displayed.*/
The password has been changed successfully,
Please remember your new password!
R1#login
Username:zte
Password: /*Enter the new password*/
R1# /*The user login is successful.*/
R1#who
Line User Host(s) Idle Location
66 vty 0 who idle 00:01:17 169.1.1.13
* 67 vty 1 zte idle 00:00:00 169.1.1.13
68 vty 2 who idle 00:00:00 169.1.1.10
4.3.8 Relations Between Raising Privilege Levels and the Enable Command
Configuration Description
In Figure 4-8, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create another user and give the user a privilege level. If the privilege level is too low, the enable command can be used to raise the level. The default "enable" authentication mode is "local", and the default password is "R1".
Figure 4-8 Configuring the Raising of a Privilege Level
Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Configure an "enable" password to raise the user's privilege level.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#tacacs enable
R1(config)#tacacs-server host 10.1.1.1 key zte
R1(config)#tacplus group-server ztegroup
R1(config-sg)#server 10.1.1.1
R1(config-sg)#exit
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 5
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type tacacs-local
R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit
The following provides a global "enable" authentication configuration mode, which can be set to aaa mode or local mode. The aaa mode means using the "enable" password set by the server.
R1(config)#system-user
R1(config-system-user)#global-enable-type aaa authentication-template 1
/*Configures user's enable command authentication mode.*/
R1(config-system-user)#exit
There are two methods for configuring an "enable" password to raise a user's privilege level to the highest level:
- In global configuration mode, run the enable secret level command. For details, refer to “Chapter 5 Command Privilege Level Classification”.
- In global configuration mode, run the nvram enable-password command. For details, refer to the Setting Configurations Kept in NVRAM section of the ZXR10 ZSR V2 Initial Configuration Guide.
You can configure the recovery function for a password configured in the NVRAM.
R1(config)#enable secret recover-remind
password:*****
question:zte
answer:zte
/*If you forget the local enable password, you can run the recover-enable command
under privilege level 1 to restore the default password.*/
R1>recover-enable
question:zte
answer:***
%Info 40449: Recover-enable ok! New enable password is: zxr10.
Configuration Verification
Configure a corresponding enable password on the AAA server. After the user logs in normally and passes authentication, the user privilege level is raised.
Chapter 5 Command Privilege Level Classification
Table of Contents
Command Privilege Level Overview
Configuring Command Privilege
Command Privilege Level Configuration Example
5.1 Command Privilege Level Overview
The ZXR10 ZSR V2 supports the command privilege level function. Command privilege level management is used to configure command privileges. Users can run the privilege command to configure the privilege of a command.
Command privilege levels range from level 1 to level 15. Different commands can be configured with different privilege levels. After a user logs in, a command view is displayed according to the user's privilege level. Therefore, the user cannot run commands whose privilege levels are higher than the user's level. Users with the highest level (that is, administrators with level 15) can set privilege levels for commands.
5.2 Configuring Command Privilege
This procedure describes how to configure command privileges.
Steps
1. Configure command privileges.
Command Function
ZXR10(config)#privilege <logic-mode> [all] level {<level> | default} <command-keywords>
    Configures a command privilege level.
ZXR10(config)#no privilege <logic-mode> [all] node <command-keywords>
    Restores the default command privilege level.
[all]: all commands beginning with this keyword.
level <level>: privilege level, range: 1–15
default: default command privilege level.
<command-keywords>: command keywords, range: 1–200 characters.
2. Verify the configurations.
Command Function
ZXR10#show privilege [{cur-mode | show-mode} {detail | level <level> | node <command-keywords>}]
    Displays the privilege level of the current terminal or command privilege configurations.
cur-mode : displays privilege level information in the current command mode.
show-mode: displays privilege level information in show mode.
detail: displays privilege levels of all commands.
level <level>: displays the commands of the specified privilege level, range: 1–18.
<command-keywords>: the privilege level of the specified command, range: 1–200 characters.
In user mode, the show privilege command has no parameter. It is used to display the privilege level of the current terminal.
– End of Steps –
5.3 Command Privilege Level Configuration Example
Configuration Description
It is required to configure different privilege levels for two types of users who operate the ZXR10 ZSR V2. The privilege level of Type A users is 15, and these users can do all operations, such as view and configuration. The privilege level of Type B users is 5. They need to use the show clock command to view the system clock.
It is also required to allow Type B users to raise their own privilege level to level 8 by running the enable command, so that they can set the time zone.
Configuration Flow
1. Change the privilege level of the show clock command to 5 or lower than 5. In this example, this privilege level is set to 5.
2. Change the privilege level of the clock timezone command to 8, or lower than 8 but higher than 5. In this example, this privilege level is set to 7.
3. Create a type A user named ZTE_A and a type B user named ZTE_B. ZTE_A's privilege level is 15, and ZTE_B's privilege level is 5.
4. Configure the "enable" password that is used to raise the user's privilege level to level 8.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
ZXR10(config)#privilege show all level 5 show clock
/*Sets the privilege level of the show clock command to 5.*/
ZXR10(config)#privilege configure level 7 clock
ZXR10(config)#privilege configure level 7 clock timezone
/*Sets the privilege level of the clock and clock timezone commands to 7.*/
ZXR10(config)#system-user
ZXR10(config-system-user)#authentication-template 1
ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2001
ZXR10(config-system-user-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 1
ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2001
ZXR10(config-system-user-author-temp)#local-privilege-level 15
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#user-name ZTE_A
ZXR10(config-system-user-username)#bind authentication-template 1
ZXR10(config-system-user-username)#bind authorization-template 1
ZXR10(config-system-user-username)#password ZTE_A_15
ZXR10(config-system-user-username)#exit
/*Create ZTE_A and configure the user's authorization level.*/
ZXR10(config-system-user)#authentication-template 2
ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2002
ZXR10(config-system-user-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 2
ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2002
ZXR10(config-system-user-author-temp)#local-privilege-level 5
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#user-name ZTE_B
ZXR10(config-system-user-username)#bind authentication-template 2
ZXR10(config-system-user-username)#bind authorization-template 2
ZXR10(config-system-user-username)#password ZTE_B_5
ZXR10(config-system-user-username)#exit
ZXR10(config-system-user)#exit
/*Create ZTE_B and configure the user's authorization level.*/
ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local
ZXR10(config-aaa-author-template)#exit
/*Configure the authentication and authorization templates of ZTE_A*/
ZXR10(config)#aaa-authentication-template 2002
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2002
ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local
ZXR10(config-aaa-author-template)#exit
/*Configure the authentication and authorization templates of ZTE_B*/
ZXR10(config)#enable secret level 8 level-8
/*Configure the password of the level-8 user login privilege.*/
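An added example (not from the ZTE guide): a Python access review that reads the privilege, enable secret and user commands in the prompt#command form used above and reports, per user, whether each re-levelled command is reachable directly or only after running enable. The transcript is constructed to mirror this section; the function names and the "direct", "enable N" and "no path" labels are assumptions, and only local enable secrets are modelled.

```python
import re

# prompt#command lines in the form this guide prints, e.g.
# ZXR10(config)#privilege configure level 7 clock timezone
PROMPT = re.compile(r"^\S+?\((?P<mode>config[\w-]*)\)#\s*(?P<cmd>.*)$")

# Constructed transcript that mirrors the commands of section 5.3.
SAMPLE = """\
ZXR10(config)#privilege show all level 5 show clock
ZXR10(config)#privilege configure level 7 clock
ZXR10(config)#privilege configure level 7 clock timezone
ZXR10(config)#system-user
ZXR10(config-system-user)#authorization-template 1
ZXR10(config-system-user-author-temp)#local-privilege-level 15
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#authorization-template 2
ZXR10(config-system-user-author-temp)#local-privilege-level 5
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#user-name ZTE_A
ZXR10(config-system-user-username)#bind authorization-template 1
ZXR10(config-system-user-username)#exit
ZXR10(config-system-user)#user-name ZTE_B
ZXR10(config-system-user-username)#bind authorization-template 2
ZXR10(config-system-user-username)#exit
ZXR10(config-system-user)#exit
ZXR10(config)#enable secret level 8 level-8
"""


def parse(transcript):
    """Collect privilege overrides, enable levels and per-user levels."""
    overrides, enable_levels = {}, set()
    tmpl_level, user_tmpl = {}, {}
    tmpl = user = None
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # device output or a comment line
        mode = m.group("mode")
        w = m.group("cmd").split("/*")[0].split()  # drop inline comment
        if not w:
            continue
        if (mode == "config" and w[0] == "privilege"
                and len(w) >= 5 and "level" in w[2:4]):
            i = w.index("level", 2)          # skips the optional [all]
            key = (w[1], " ".join(w[i + 2:]))  # (logic-mode, keywords)
            if w[i + 1] == "default":
                overrides.pop(key, None)
            else:
                overrides[key] = int(w[i + 1])
        elif mode == "config" and w[:3] == ["enable", "secret", "level"] and len(w) > 3:
            enable_levels.add(int(w[3]))
        elif mode == "config-system-user" and w[0] == "authorization-template" and len(w) > 1:
            tmpl = w[1]
        elif (mode == "config-system-user-author-temp"
              and w[0] == "local-privilege-level" and len(w) > 1):
            tmpl_level[tmpl] = int(w[1])
        elif mode == "config-system-user" and w[0] == "user-name" and len(w) > 1:
            user = w[1]
        elif (mode == "config-system-user-username" and len(w) > 2
              and w[0] == "bind" and w[1].startswith("authorization-templat")):
            user_tmpl[user] = w[2]  # prefix match also accepts the abbreviated keyword
    levels = {u: tmpl_level[t] for u, t in user_tmpl.items() if t in tmpl_level}
    return overrides, enable_levels, levels


def review(transcript):
    """Map each user to how it reaches every re-levelled command."""
    overrides, enable_levels, levels = parse(transcript)
    report = {}
    for user, lvl in sorted(levels.items()):
        access = {}
        for (mode, keywords), need in sorted(overrides.items()):
            if lvl >= need:
                access[f"{mode}: {keywords}"] = "direct"
            else:
                # Lowest configured enable level that is high enough; the
                # path is open to anyone who knows that enable secret.
                step = min((e for e in enable_levels if e >= need), default=None)
                access[f"{mode}: {keywords}"] = f"enable {step}" if step else "no path"
        report[user] = access
    return report


if __name__ == "__main__":
    for user, access in review(SAMPLE).items():
        print(user, access)
```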
Configuration Verification
Run the following commands to view ZTE_A's privilege level. The execution result is displayed as follows:
Username:ZTE_A
Password:
ZXR10#show privilege
Current privilege level is 15
/*Indicates that ZTE_A's privilege level is 15.*/
Exec commands:
alarm-confirm Confirm the alarm by flowid
cd Change current directory
cfm Executing CFM detecting functions
clear Reset functions
clock Manage the system clock
commit Commit the configuration
configure Enter configuration mode
copy Copy from one file to another by ftp/tftp
cp Copy from one file to another locally
debug Debugging functions
delete Delete a file
--More--
ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
/*Displays the commands that can be used by ZTE_A in global configuration mode.*/
Configure commands:
aaa-accounting-template AAA accounting template configurations
aaa-authentication-template AAA authentication template configurations
aaa-authorization-template AAA authorization template configurations
alarm Configure the alarm parameters
alarm-mask Configure the alarm-mask parameters
aps Configure APS instance
arp Enter ARP configuration mode
banner Terminal line banner
bfd Configure bfd
cfm Enter CFM configuration mode
check Configure intervals of check
class-map Configure H-QoS class map
clock Configure board clock
--More--
Run the following commands to view ZTE_B's privilege level. The execution result is displayed as follows:
Username:ZTE_B
Password:
ZXR10#show privilege
Current privilege level is 5
/*Indicates that ZTE_B's privilege level is 5.*/
ZXR10#?
/*Displays the commands that can be used by ZTE_B in privilege configuration mode.*/
Exec commands:
cd Change current directory
cfm Executing CFM detecting functions
clock Manage the system clock
configure Enter configuration mode
debug Debugging functions
dir List files on a filesystem
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
--More—
ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
/*Displays the commands that can be used by ZTE_B in global configuration mode.*/
Configure commands:
end Exit from configure mode
exit Exit from configure mode
ping Send echo messages
ping6 Send IPv6 echo messages
show Show running system information
trace Trace route to destination
trace6 Trace route to destination using IPv6
ZXR10(config)#
ZXR10(config)#show ?
clock Show current system clock
privilege Show current privilege level
Raise ZTE_B's privilege level to level 8, as shown below:
Username:ZTE_B
Password:
ZXR10#show privilege
Current privilege level is 5
/*Indicates that the privilege level of ZTE_B is 5.*/
ZXR10#enable 8
Password:
ZXR10#show privilege
Current privilege level is 8
/*Indicates that the privilege level of ZTE_B has been raised to 8.*/
ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
Configure commands:
clock Configure board clock
/*Indicates that the clock command has been added to the commands that ZTE_B can use.*/
end Exit from configure mode
exit Exit from configure mode
ping Send echo messages
ping6 Send IPv6 echo messages
show Show running system information
trace Trace route to destination
trace6 Trace route to destination using IPv6
ZXR10(config)#clock ?
timezone Configure time zone
View the configurations on the ZXR10 ZSR V2, as shown below:
ZXR10#enable /*Raises the user's privilege level to the default level, level 15.*/
Password: /*The input password is not displayed.*/
ZXR10#show running-config adm-mgr
! <ADM_MGR>
enable secret level 8 5 52ZJX4aBmmYKbWdVFpSvwg==
system-user
authentication-template 1
bind aaa-authentication-template 2001
$
authentication-template 2
bind aaa-authentication-template 2002
$
authorization-template 1
bind aaa-authorization-template 2001
local-privilege-level 15
$
authorization-template 2
bind aaa-authorization-template 2002
local-privilege-level 5
$
username ZTE_A
bind authentication-template 1
bind authorization-template 1
password encrypted 51213031a28daa4a18e939b9cc837320
43f467d88315721af066dc4f1c385a28
$
username ZTE_B
bind authentication-template 2
bind authorization-template 2
password encrypted a5e686cd3e6778917691bb099a4da1d7
9768a6b9752b942fe5b431ec3fff8468
$
$
! </ADM_MGR>
ZXR10#show running-config aaa
! <AAA>
aaa-authentication-template 2001
aaa-authentication-type local
$
aaa-authentication-template 2002
aaa-authentication-type local
$
aaa-authorization-template 2001
aaa-authorization-type radius-local
$
aaa-authorization-template 2002
aaa-authorization-type radius-local
$
! </AAA>
ZXR10#show running-config oam
! <OAM>
privilege show all level 5 show clock
privilege configure level 7 clock
privilege configure level 7 clock timezone
! </OAM>
Chapter 6 SNMP Configuration
Table of Contents
SNMP Basic Configuration
SNMP Anti-Violence Attack
6.1 SNMP Basic Configuration
6.1.1 SNMP Overview
The Simple Network Management Protocol (SNMP) is the most popular Network Management System (NMS) protocol, and belongs to the application layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack. The SNMP module is at the highest layer of the router system. Administrators use SNMP as a main way to operate, control and maintain the router. To perform network management, users use NMS software to send and receive SNMP packets between the managed network elements and the management station.
The basic process of SNMP network management is as follows:
1. A unique ID (OID) is allocated to the object to be managed in the router. The allocation of OID is determined in a unified way by the Request For Comments (RFC).
2. When users need to read or modify the value of an object, the object OID and operation type (read or write) are sent to the router as an SNMP request packet.
3. The SNMP agent in the router finds the object data according to the OID, performs the corresponding operations, and then sends the result as an SNMP response packet to the user.
By default, SNMP uses UDP as the transmission protocol.
6.1.2 Configuring SNMP
This procedure describes how to configure SNMP during equipment management by using SNMP.
Steps
1. Enable SNMP V1, V2c, and V3.
Command: ZXR10(config)#snmp-server version {v1 | v2c | v3} enable
Function: Enables SNMP V1, V2, and V3 for receiving packets from and sending packets to clients. There are two states: enable and disable. Default: disable.
2. Configure an SNMP packet community.
Command: ZXR10(config)#snmp-server community {encrypted<encrypted-para>|<unencrypted-para>[showclear]}[view<view-name>][{ro | rw}][{[ipv4-access-list<ipv4_acl_name>],[ipv6-access-list <ipv6_acl_name>]}]
Function: Configures an SNMP packet community string.
<encrypted-para>: cipher text community string, 64 characters.
<unencrypted-para>: clear text community string, range: 1–32 characters.
showclear: If this parameter is configured, the community string is displayed in clear text. If not, the community string is displayed in cipher text.
<view-name>: view name, range: 1–32 characters.
ro | rw: The ro parameter indicates only reading a MIB object. The rw parameter indicates reading and writing a MIB object.
3. Define an SNMP view.
Command: ZXR10(config)#snmp-server view <view-name><subtree-id>{included | excluded}
Function: Defines an SNMP view.
<subtree-id>: specifies the MIB sub-tree ID or node name of the MIB sub-tree for the view name. Range: 1–79 characters.
included | excluded: The sub-tree is included or excluded.
4. Set MIB object information.
Command: ZXR10(config)#contact <mib-syscontact-text>
Function: Configures the contact method of the person who is in charge of the MIB object. Range: not longer than 200 characters.
Command: ZXR10(config)#location <mib-syslocation-text>
Function: Configures the description of the MIB object system location. Range: not longer than 200 characters.
5. Set the types of Trap and Inform messages that are allowed to be sent.
Command: ZXR10(config)#snmp-server enable inform [<notification-type>]
Function: Enables the agent to send notifications and sets the types of notifications to be sent. The notification types can be all or one of the bgp, ospf, rmon, snmp, stalarm and vpn types.
Command: ZXR10(config)#snmp-server enable Trap [<notification-type>]
Function: Enables the agent to send Trap messages and sets the types of Trap messages to be sent. The Trap message types can be all or one of the bgp, ospf, rmon, snmp, stalarm and vpn types.
6. Set the Trap destination host.
Command: ZXR10(config)#snmp-server host [ vrf<vrf-name>]<ip-address>{Trap | inform} version {1 | 2c | 3 {auth | noauth | priv}}<community-name/user>[udp-port<udp-port>][<Trap-type>]
Function: Configures the destination for receiving SNMP notifications. The snmp-server host command needs to be used together with the snmp-server enable command.
vrf <vrf-name>: VRF name, range: 1–31 characters.
<ip-address>: defines the IP address of a host. IPv4 and IPv6 are supported.
Trap | inform: specifies sending Trap messages or notifications to a host.
version 1 | 2c | 3: the SNMP version (v1, v2c, or v3).
auth: The packets to be sent are authenticated but not encrypted.
noauth: The packets to be sent are not authenticated or encrypted.
priv: The packets to be sent are authenticated and encrypted.
<community-name/user-name>: community name string of SNMP v1/v2 or SNMPv3 username, range: 1–32 characters.
udp-port <udp-port>: number of the UDP port for sending Trap or inform messages, range: 1–65535.
<Trap-type>: Trap or Inform type. The Trap type can be all or one of the bgp, ospf, rmon, snmp, stalarm and vpn types.
7. Enable the system log function.
Command: ZXR10(config)#logging on
Function: Enables the system log function.
8. Set the level of the alarm message sent to the Trap server.
Command: ZXR10(config)#logging Trap-enable <alarmlevel>
Function: Sets the level of the alarm message sent to the Trap server.
9. Configure other SNMP parameters.
Command: ZXR10(config)#snmp-server engine-id <engine-id>
Function: Configures the SNMP local engine ID. Hexadecimal number, range: 1–24 characters, default: 830900020300010289d64401. As the core part of an SNMP entity, the SNMP engine sends, receives and validates SNMP messages, extracts Packet Data Unit (PDU) assembly messages, and communicates with SNMP application programs.
Command: ZXR10(config)#snmp-server input-limit <packets>
Function: Sets the SNMP packet receiving speed. Range: 100–1000, default: 200 pps.
Command: ZXR10(config)#snmp-server packetsize <snmp-packet-max-size>
Function: Configures the maximum length of SNMP packets. Unit: byte, range: 484–8192, default: 8192.
Command: ZXR10(config)#snmp-server Trap-source <ip-address>
Function: Configures the source IP address of all Traps.
Command: ZXR10(config)#snmp-server access-list {ipv4| ipv6}<acl-name>
Function: Uses a configured Access Control List (ACL) to control the hosts that can access the system through SNMP.
10. Configure SNMPv3.
Step 1
Command: ZXR10(config)#snmp-server context <context-name>
Function: Defines the SNMPv3 context name. Range: 1–16 characters.
Step 2
Command: ZXR10(config)#snmp-server group <groupname> v3 {auth | noauth|priv}[context<context-name>{match-prefix | match-exact}][read<readview>][write <writeview>][notify<notifyview>]
Function: Configures a new SNMP group (mapping SNMP users to SNMP views).
Step 3
Command: ZXR10(config)#snmp-server user <user-name><group-name> v3 {encrypted auth {md5 | sha}<auth-key>[priv des56 |<privacy-key>]|[auth {md5 | sha}|<auth-password>|[priv des56 |<privacy-password>]]}
Function: Configures an SNMPv3 user.
group <groupname>: name of the SNMP group to be configured, range: 1–32 characters.
v3: specifies that the group is to be used in SNMPv3.
auth: specifies that packets are to be authenticated, but not encrypted.
noauth: specifies that packets are not to be authenticated or encrypted.
priv: specifies that packets are to be authenticated and encrypted.
<context-name>: context of the group, range: 1–30 characters.
match-prefix: defines the context matching mode as prefix mode.
match-exact: defines the context matching mode as exact mode.
read <readview>: read view, range: 1–30 characters.
write <writeview>: write view, range: 1–30 characters.
notify <notifyview>: notify view, range: 1–30 characters.
user <username>: SNMP user name, range: 1–32 characters.
<groupname>: group name related to user, range: 1–32 characters.
v3: specifies that the user uses SNMPv3.
encrypted: specifies that the password to be entered is not clear text but cipher text. It is not recommended to use this option.
auth: specifies that the user has the authentication privilege.
md5 | sha: uses Hashed Message Authentication Code with MD5 (HMAC-MD5-96) as the authentication mode, or uses HMAC-SHA-96 as the authentication mode.
<auth-key>: authentication password or authentication key, range: 1–30 characters. If it is an encrypted password, its range is 32–40 characters.
des56: uses CBC-DES as the encryption mode.
<priv-key>: cipher text encryption password, range: 1–32 characters.
<auth-password>: authentication password (or authentication key), range: 1–31 characters. If it is an encrypted password, its range is 32–40 characters.
<priv-password>: clear text encryption password, range: 1–32 characters.
11. Verify the configurations.
Command: ZXR10#show snmp
Function: Displays SNMP state attributes.
Command: ZXR10#show snmp config
Function: Displays the configurable SNMP state attributes.
Command: ZXR10#show snmp engine-id
Function: Displays the local SNMP engine ID.
Command: ZXR10#show snmp group
Function: Displays the configured SNMP groups.
Command: ZXR10#show snmp security
Function: Displays the configurations of SNMP security.
Command: ZXR10#show snmp security failures
Function: Displays the IP addresses and number of times of wrong community login attempts in SNMP detection mode.
Command: ZXR10#show snmp security trust-users
Function: Displays the trusted users learned by SNMP dynamically and configured manually.
Command: ZXR10#show snmp user
Function: Displays the information on configured SNMP users.
Command: ZXR10#show running-config snmp [|{begin | exclude | include}<line>]
Function: Displays the configurations of SNMP.
– End of Steps –
6.1.3 SNMP Configuration Example
Configuration Description
By configuring the SNMP function, a user can use a network management server to manage the devices in the network, see Figure 6-1.
Figure 6-1 SNMP Configuration Example Topology
Configuration Flow
1. Configure an SNMP packet community string. SNMPv1/v2c uses community string authentication mode. An SNMP community string is named with a character string, and has an access privilege (read-only or read-write).
2. Designate a view name to the configured community string. Designate the default view to the community string if the view parameter is not configured. Designate the default privilege (ro) to the community string, if the parameter ro | rw is not configured. Users can only perform operations in the permitted view range, whether ro or rw is specified.
3. Configure alarm Trap. Configure the types of Trap messages to be sent and the destination host. Trap messages are actively sent by managed devices to NMS. They are used to report urgent and important events. By default, all types of Trap messages are sent.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#snmp-server version v2c enable
R1(config)#location No.68 Zijinghua Rd. Yuhuatai District, Nanjing, China
R1(config)#contact +86-25-52870000
R1(config)#snmp-server packetsize 1400
R1(config)#snmp-server engine-id 830900020300010289d64401
R1(config)#snmp-server community public view AllView ro
R1(config)#snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp
R1(config)#snmp-server host 61.139.48.18 Trap version 2c public udp-port 162
R1(config)#snmp-server enable Trap
R1(config)#snmp-server enable inform
R1(config)#logging on
R1(config)#logging Trap-enable warnings
Configuration Verification
Run the show command to check the configurations. The execution result is displayed as follows.
R1(config)#show snmp config
snmp-server community encrypted
d6ddeaa4dab74523b246fe346c94c31ae58b79ad4776396438ea1e9bb01a9ef3
view AllView ro
snmp-server enable inform snmp
snmp-server enable inform bgp
snmp-server enable inform mac
snmp-server enable inform ospf
snmp-server enable inform stp
snmp-server enable inform ppp
snmp-server enable inform arp
snmp-server enable inform rmon
snmp-server enable inform udld
snmp-server enable inform cfm
snmp-server enable inform efm
snmp-server enable inform lacp
snmp-server enable inform mc-elam
snmp-server enable inform tcp
snmp-server enable inform sctp
snmp-server enable inform stalarm
snmp-server enable inform cps
snmp-server enable inform interface
snmp-server enable inform acl
snmp-server enable inform fib
snmp-server enable inform pim
snmp-server enable inform isis
snmp-server enable inform rip
snmp-server enable inform msdp
snmp-server enable inform aps
snmp-server enable inform config
snmp-server enable inform am
snmp-server enable inform um
snmp-server enable inform system
snmp-server enable inform ldp
snmp-server enable inform pwe3
snmp-server enable inform vpn
snmp-server enable inform mpls-oam
snmp-server enable inform ptp
snmp-server enable inform tunnel-te
snmp-server enable inform radius
snmp-server enable inform dhcp
snmp-server enable inform bfd
snmp-server enable inform ippool
snmp-server enable inform ntp
snmp-server enable inform ssm
snmp-server enable inform sqa
snmp-server enable inform ipsec
snmp-server enable inform cgn
snmp-server enable inform vrrp
snmp-server enable inform ftp_tftp
snmp-server enable inform ping-trace
snmp-server enable inform gm
snmp-server enable Trap snmp
snmp-server enable Trap bgp
snmp-server enable Trap mac
snmp-server enable Trap ospf
snmp-server enable Trap stp
snmp-server enable Trap ppp
snmp-server enable Trap arp
snmp-server enable Trap rmon
snmp-server enable Trap udld
snmp-server enable Trap cfm
snmp-server enable Trap efm
snmp-server enable Trap lacp
snmp-server enable Trap mc-elam
snmp-server enable Trap tcp
snmp-server enable Trap sctp
snmp-server enable Trap stalarm
snmp-server enable Trap cps
snmp-server enable Trap interface
snmp-server enable Trap acl
snmp-server enable Trap fib
snmp-server enable Trap pim
snmp-server enable Trap isis
snmp-server enable Trap rip
snmp-server enable Trap msdp
snmp-server enable Trap aps
snmp-server enable Trap config
snmp-server enable Trap am
snmp-server enable Trap um
snmp-server enable Trap system
snmp-server enable Trap ldp
snmp-server enable Trap pwe3
snmp-server enable Trap vpn
snmp-server enable Trap mpls-oam
snmp-server enable Trap ptp
snmp-server enable Trap tunnel-te
snmp-server enable Trap radius
snmp-server enable Trap dhcp
snmp-server enable Trap bfd
snmp-server enable Trap ippool
snmp-server enable Trap ntp
snmp-server enable Trap ssm
snmp-server enable Trap sqa
snmp-server enable Trap ipsec
snmp-server enable Trap cgn
snmp-server enable Trap vrrp
snmp-server enable Trap ftp_tftp
snmp-server enable Trap ping-trace
snmp-server enable Trap gm
snmp-server engine-id is 830900020300010289d64401
snmp-server host 61.139.48.18 Trap version 2c public udp-port 162 snmp bgp mac
ospf stp ppp arp rmon udld cfm efm lacp mc-elam tcp sctp stalarm cps interface
acl fib pim isis rip msdp aps config am um system ldp pwe3 vpn mpls-oam ptp
tunnel-te radius dhcp bfd ippool ntp ssm sqa ipsec cgn vrrp ftp_tftp ping-trace gm
snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp
snmp-server packetsize is 1400
snmp-server security dynamic-trust-user idle-timeout 1800
snmp-server view AllView internet included
snmp-server view DefaultView system included
snmp-server version v2c enable
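The following Python example is added here and is not part of the ZTE guide or the ZXR10 software. It checks configuration text in the command syntax shown above for the exposures this chapter describes: clear-text community versions, unrestricted access and disabled brute-force protection. The function name audit, the finding labels, the HARDENED sample and its NMS-ACL, nmsgrp and nmsuser names are assumptions made for illustration; the input is expected with one command per line.

```python
"""Audit ZXR10-style SNMP configuration text for exposures this chapter names."""
import re

# Constructed input shaped like the 6.1.3 example (community typed in clear text).
SAMPLE = """\
snmp-server version v2c enable
snmp-server community public view AllView ro
snmp-server host 61.139.48.18 Trap version 2c public udp-port 162
snmp-server view AllView internet included
snmp-server view DefaultView system included
"""

# Constructed hardened variant; NMS-ACL, nmsgrp and nmsuser are placeholder names.
HARDENED = """\
snmp-server version v3 enable
snmp-server access-list ipv4 NMS-ACL
snmp-server view DefaultView system included
snmp-server group nmsgrp v3 priv read DefaultView
snmp-server host 61.139.48.18 Trap version 3 priv nmsuser udp-port 162
snmp-server security block 180 3 180 when 50 60
snmp-server security static-trust-user 169.1.110.6
"""

HOST_RE = re.compile(
    r"snmp-server host (?:vrf \S+ )?(\S+) (?:Trap|inform) version (1|2c|3 \w+)")


def audit(config):
    """Return (label, detail) findings for a block of snmp-server lines."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln.startswith("snmp-server ")]
    global_acl = any(ln.startswith("snmp-server access-list ") for ln in lines)
    findings = []
    for ln in lines:
        tok = ln.split()
        if len(tok) < 3:
            continue
        if tok[1] == "version" and tok[2] in ("v1", "v2c") and tok[-1] == "enable":
            # SNMP v1/v2c carry the community string in clear text.
            findings.append(("cleartext-version", tok[2] + " enabled"))
        elif tok[1] == "community":
            hidden = tok[2] == "encrypted"      # name not recoverable from cipher text
            name = "<encrypted>" if hidden else tok[2]
            opts = tok[4:] if hidden else tok[3:]
            if name in ("public", "private"):
                findings.append(("default-community", name))
            if "rw" in opts:
                findings.append(("writable-community", name))
            has_acl = "ipv4-access-list" in opts or "ipv6-access-list" in opts
            if not (has_acl or global_acl):
                findings.append(("no-acl", name + " is not restricted by source"))
        elif tok[1] == "view" and tok[3:5] == ["internet", "included"]:
            findings.append(("broad-view", tok[2] + " includes the internet subtree"))
        elif tok[1] == "host":
            m = HOST_RE.match(ln)
            if m and m.group(2) in ("1", "2c"):
                findings.append(("cleartext-notify", m.group(1)))
            elif m and m.group(2) == "3 noauth":
                findings.append(("unauthenticated-notify", m.group(1)))
    if not any(ln.startswith("snmp-server security block ") for ln in lines):
        # The guide states the protection function is disabled by default.
        findings.append(("no-bruteforce-guard", "snmp-server security block absent"))
    return findings


if __name__ == "__main__":
    for label, detail in audit(SAMPLE):
        print(f"{label:24} {detail}")
    print("hardened findings:", audit(HARDENED))
```

The community line of show snmp config is wrapped over several lines in the output above, so join it before passing that output to audit.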
6.2 SNMP Anti-Violence Attack
6.2.1 SNMP Anti–Brute Force Attack Overview
SNMP Anti–Brute Force Attack Description
A brute force attack means generating huge numbers of passwords with code generation software, and trying each one. As long as there are enough chances and the password has no protection, the most complicated key can be broken.
The security policy defined in SNMP v1 and SNMP v2 is simple: community strings, which serve as passwords between SNMP management processes and agent processes, are transferred in clear text. These passwords can be cracked by attackers using brute force attacks. The SNMP anti–brute force attack function is used to prevent DoS attacks and brute force attacks.
SNMP Anti–Brute Force Attack Features
The SNMP anti–brute force attack function introduces two concepts: block and quiet mode. If the detection policy is enabled, the router can reject all SNMP requests in block mode when it finds repeated SNMP community string attempt failures. The block state can last for a period known as the "quiet period".
• To ensure that trusted users can access the ZXR10 ZSR V2 normally, the SNMP security function supports dynamically learning and manually configuring trusted users. In quiet mode, the ZXR10 ZSR V2 handles requests only from trusted users (if an ACL is configured in advance, the requests still need to be filtered through the ACL first).
• Dynamically-learned trusted users refer to users who have accessed the ZXR10 ZSR V2 and are automatically recorded by it. If these users do not access the ZXR10 ZSR V2 again before the set period (ageing time) expires, they are aged out by the device. Dynamically-learned trusted users can also be manually cleared. Users can configure the ageing time, which is 1800 s by default.
• In practical applications, some network management user addresses that can be used to access the device are fixed. These users are reliable and do not need automatic ageing. To meet this requirement, the ZXR10 ZSR V2 allows users to manually configure trusted users who are not aged, but they can be cleared by running the no command.
• To tolerate users who unintentionally enter wrong passwords, the ZXR10 ZSR V2 supports configuring the condition for enabling monitoring. For example, monitoring will be enabled only when the number of input failures reaches 20 in one minute. By default, monitoring will be enabled only when the number of input failures reaches 50 in one minute. Failure counting does not distinguish between IP addresses.
• In the monitoring period, the total number of failures is counted (IP addresses are not distinguished). If the number exceeds the limit, the ZXR10 ZSR V2 enters quiet mode.
In any state, when community string attempts fail, logs and self-defined Trap messages are generated by default. A Trap message that is sent includes the following information: error community string information, source IP, and current state of SNMP (normal/monitoring/quiet). When a device state is switched, a system log and Trap alarm are automatically generated. This function can be disabled by running a command.
SNMP security state switching is shown in Figure 6-2.
Figure 6-2 State Switching Diagram
6.2.2 Configuring SNMP Anti–Brute Force Attack
This procedure describes how to configure the SNMP anti-brute force attack function.
Steps
1. Activate the SNMP security function.
Command: ZXR10(config)#snmp-server security block <block-seconds><detect-tries><detect-seconds>[when<tries><startup-seconds>]
Function: The SNMP security protection function is disabled by default. This command is used to activate this function.
block <block-seconds>: block time (length of the quiet period), unit: second, range: 1–65535.
<detect-tries>: maximum number of times of failed attempts in monitoring mode, range: 1–65535.
<detect-seconds>: maximum detection time in monitoring mode, unit: second, range: 1–65535.
<tries>: maximum number of times of failed attempts in normal mode, range: 1–65535, default: 50.
<startup-seconds>: maximum detection time in normal mode, unit: second, range: 1–65535, default: 60.
2. Configure the ACL for controlling hosts that access the system through SNMP.
Command: ZXR10(config)#snmp-server access-list { ipv4| ipv6}<acl-name>
Function: Uses a configured ACL to control hosts that access the system through SNMP.
3. Configure the ageing time of dynamic trusted users and configure static trusted users.
Step 1
Command: ZXR10(config)#snmp-server security dynamic-trust-user idle-timeout <timeout-seconds>
Function: Configures the ageing time of dynamic trusted users. Range: 1–65535, default: 1800 s.
Step 2
Command: ZXR10(config)#snmp-server security static-trust-user <static-ip-addr>
Function: Configures static trusted users that are configured manually.
4. Configure the generation of logs and Trap messages when community string attempts fail or a state is switched.
Command: ZXR10(config)#snmp-server security on-failure log [and Trap]
Function: Configures the generation of logs and Trap messages when community string attempts fail or a state is switched.
5. Verify the configurations.
Command: ZXR10#show snmp security [failures | trust-users]
Function: Displays SNMP security function parameters. This command displays the SNMP security state, configuration information, current state information and statistics information in natural language format.
Command: ZXR10#show running-config snmp [|{begin | exclude | include}<line>]
Function: Displays SNMP configurations.
failures: optional. If this parameter is selected, the command is used to display detailed information on failed attempts.
trust-users: optional. If this parameter is selected, the command is used to display detailed information on trusted users, including dynamically learned and manually configured users.
begin: is used to display the configurations that begin with the input string line.
include: is used to display the configurations that include the string line.
exclude: is used to display the configurations that exclude the string line.
<line>: is used to match the filtered string line.
6. Maintain the SNMP anti–brute force attack function.
Command: ZXR10(config)#snmp-server security dynamic-trust-user clear <dyn-ip-addr>
Function: Clears dynamic trusted users manually.
– End of Steps –
6.2.3 SNMP Anti–Brute Force Attack Configuration Example
It is required to configure the SNMP anti–brute force attack function on the ZXR10 ZSR V2, see Figure 6-3.
Figure 6-3 SNMP Anti–Brute Force Attack Configuration Example
Configuration Flow
1. Enable the SNMP anti–brute force attack function.
2. Configure the ageing time for dynamic trusted users.
3. Configure static trusted users that are allowed to access the system.
4. Configure a Trap message and log that is generated when user attempts fail and a state is switched.
Configuration Command
Run the following commands on the ZXR10 ZSR V2:
R1(config)#snmp-server security block 180 3 180 when 50 60
R1(config)#snmp-server security dynamic-trust-user idle-timeout 100
R1(config)#snmp-server security static-trust-user 169.1.110.6
R1(config)#snmp-server security on-failure log and Trap
Configuration Verification
Run the following command to check SNMP configurations. The execution result is displayed as follows.
R1(config)#show running-config snmp
!<oam_snmp>
snmp-server security block 180 3 180 when 50 60
snmp-server security dynamic-trust-user idle-timeout 100
snmp-server security on-failure log and Trap
snmp-server security static-trust-user 169.1.110.6
!</oam_snmp>
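The state switching described in 6.2.1, run with the values configured in this example (block 180 3 180 when 50 60, idle-timeout 100, static trusted user 169.1.110.6), as an added Python model that is not ZTE's implementation. Because Figure 6-2 is not reproduced here, the return to normal when a monitoring window or quiet period ends, the sliding count window in normal mode and learning a trusted user on a served request are assumptions; ACL filtering is not modelled, and the class, function and 10.0.0.x / 192.0.2.9 host names are constructed for illustration.

```python
"""Model of the normal / monitoring / quiet states described in section 6.2.1."""
from collections import deque

NORMAL, MONITORING, QUIET = "normal", "monitoring", "quiet"


class SnmpGuard:
    def __init__(self, block_seconds=180, detect_tries=3, detect_seconds=180,
                 tries=50, startup_seconds=60, idle_timeout=100, static_trusted=()):
        # Defaults mirror: snmp-server security block 180 3 180 when 50 60
        self.block_seconds = block_seconds      # length of the quiet period
        self.detect_tries = detect_tries        # failure limit in monitoring mode
        self.detect_seconds = detect_seconds    # length of the monitoring window
        self.tries = tries                      # failures that start monitoring
        self.startup_seconds = startup_seconds  # window for counting them
        self.idle_timeout = idle_timeout        # ageing time of dynamic trusted users
        self.static_trusted = set(static_trusted)
        self.dynamic_trusted = {}               # source IP -> time last served
        self.state = NORMAL
        self.transitions = []                   # (time, old state, new state)
        self._since = 0                         # time the current state was entered
        self._fails = deque()                   # failure times seen in normal mode
        self._mon_fails = 0                     # failures counted while monitoring

    def _switch(self, new_state, now):
        self.transitions.append((now, self.state, new_state))
        self.state, self._since, self._mon_fails = new_state, now, 0
        self._fails.clear()

    def _tick(self, now):
        # Assumption: a quiet period or monitoring window that ends returns to normal.
        held = now - self._since
        if self.state == QUIET and held >= self.block_seconds:
            self._switch(NORMAL, now)
        elif self.state == MONITORING and held >= self.detect_seconds:
            self._switch(NORMAL, now)
        # Dynamic trusted users age out after idle_timeout without a served request.
        for ip, seen in list(self.dynamic_trusted.items()):
            if now - seen >= self.idle_timeout:
                del self.dynamic_trusted[ip]

    def trusted(self, ip):
        return ip in self.static_trusted or ip in self.dynamic_trusted

    def request(self, now, ip, community_ok):
        """Handle one request; return 'served', 'rejected' or 'dropped'."""
        self._tick(now)
        if self.state == QUIET and not self.trusted(ip):
            return "dropped"                    # quiet mode: trusted users only
        if community_ok:
            self.dynamic_trusted[ip] = now      # assumption: learned when served
            return "served"
        # Wrong community string: counted without regard to the source IP.
        if self.state == NORMAL:
            self._fails.append(now)
            while now - self._fails[0] > self.startup_seconds:
                self._fails.popleft()
            if len(self._fails) >= self.tries:       # count "reaches" the limit
                self._switch(MONITORING, now)
        elif self.state == MONITORING:
            self._mon_fails += 1
            if self._mon_fails > self.detect_tries:  # count "exceeds" the limit
                self._switch(QUIET, now)
        return "rejected"


def simulate():
    """Constructed timeline (in seconds) run against the example configuration."""
    g = SnmpGuard(static_trusted={"169.1.110.6"})
    out = {}
    g.request(0, "10.0.0.5", True)              # two NMS hosts are learned at t=0
    g.request(0, "10.0.0.7", True)
    for t in range(1, 55):                      # 54 wrong strings, one per second
        g.request(t, "192.0.2.9", False)
    out["state_at_54"] = g.state
    out["guesser_at_60"] = g.request(60, "192.0.2.9", True)
    out["static_at_60"] = g.request(60, "169.1.110.6", True)
    out["active_nms_at_90"] = g.request(90, "10.0.0.5", True)
    out["idle_nms_at_120"] = g.request(120, "10.0.0.7", True)
    out["after_block_at_234"] = g.request(234, "192.0.2.9", True)
    out["transitions"] = g.transitions
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "=", value)
```

With idle-timeout 100 shorter than the 180 s block time, the dynamically learned host that stays idle loses its trusted status during the quiet period, while the static trusted user and the host that keeps polling do not.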
Chapter 7 Alarm Management Configuration
Table of Contents
Alarm Overview
Configuring the Alarm Function
Alarm Function Configuration Example
7.1 Alarm Overview
The alarm module runs an alarm agent process on each line card and an alarm server process on the main control board. When hardware or a program runs improperly, the service applications report the alarm to their alarm agent. The alarm agents then report the alarm messages to the alarm server. The alarm server records alarm messages for back-end querying. The main control board also has an alarm agent to process the alarm events that occur on itself.
According to the configuration, the alarm server selectively reports the alarm messages to the log module, terminal, SNMP and SYSLOG.
The messages processed by the alarm module include ordinary alarms and notifications.
• An ordinary alarm is recoverable. An alarm that has been reported but not yet recovered is called a current alarm. An alarm that has been reported and already recovered is called a history alarm.
• A notification only notifies that some event has happened, so there are no current or history notifications.
On ZXR10 ZSR V2, you can configure the following alarms:
• CPU, memory, and storage device alarms
The basic principles of CPU, memory and storage device alarms are the same. If the current usage exceeds the configured alarm threshold, the alarms are reported. If the current usage is lower than the configured alarm threshold, the alarms are cleared. Moreover, the reported alarm level can be changed or updated as the usage increases by configuring the higher-level middle threshold and high threshold in addition to the default low threshold.
• Temperature alarm
There are different temperature measuring components on each board of the device. Each temperature measuring component has different temperature resistance characteristics, so the alarm threshold at each temperature measuring point is different. The device compares the temperature information obtained at specified time with the corresponding alarm threshold. If the temperature exceeds the threshold, the alarm is reported. If the temperature is lower than the threshold, the alarm at the corresponding level is cleared.
• Power Voltage Alarm
If the voltage is not in the normal working voltage range, the power voltage alarm is reported.
7.2 Configuring the Alarm Function
This procedure describes how to configure the alarm function.
Steps
1. Configure the basic alarm function.
Step 1
Command: ZXR10(config)#logging on
Function: Enables the alarm recording function, so that alarms can be reported to log, control terminal, SNMP, and SYSLOG.
Step 2
Command: ZXR10(config)#logging buffer <buffer-size>
Function: Sets the size of the alarm log buffer. Unit: KB, range: 100–1000, default: 200.
Step 3
Command: ZXR10(config)#logging timestamps [datetime localtime | precisetime | uptime]
Function: Sets the display mode of alarm time. Default: datetime localtime.
Step 4
Command: ZXR10(config)#logging level <level>
Function: Configures the level to save alarms into logs. Alarms whose levels are higher than this level are recorded in logs. Default: INFORMATIONAL (level 7).
Step 5
Command: ZXR10(config)#logging console <level>
Function: Configures the level to display alarms on a console or Telnet terminal. Alarms whose levels are higher than this level are displayed on a console or Telnet terminal. Default: NOTIFICATIONS (level 6).
Step 6
Command: ZXR10(config)#logging Trap-enable <level>
Function: Configures the level to report alarms to SNMP in Trap mode. Alarms whose levels are higher than this level are reported to SNMP in Trap mode. By default, alarms are not reported.
Step 7
Command: ZXR10(config)#logging alarmlog-interval <minute>
Function: Sets the time interval for writing alarm records from the buffer to files. Unit: minute, range: 10–30000, default: 10.
Step 8
Command: ZXR10(config)#logging cmdlog-interval <second>
Function: Sets the time interval for writing command logs from the buffer to log files. Unit: second, range: 2–30000, default: 2.
Step 9
Command: ZXR10(config)#logging ftp <level>[ vrf<vrf-name>]<ip-address><username><password>[<filename>]
Function: Configures the level of reporting alarms to the File Transfer Protocol (FTP) server, IP address of the FTP server, username, password, and file name. By default, alarms are not reported.
Step 10
Command: ZXR10(config)#logging filesavetime {interval <time1>| everyday <time2>| week <weekday><time3>| month<mothday><time4>}[vrf <vrf-name>]<ftp-server><username><password>[<filename>]
Function: Configures the time when alarms written in files are sent to the FTP server, IP address, username, and password of the FTP server, and file name prefix. By default, alarms are not reported.
Step 11
Command: ZXR10(config)#logging mode {fullclear | fullcycle | fullend}
Function: Sets the mode for clearing buffer data after the alarm buffer is full. Default: fullcycle.
Step 12
Command: ZXR10(config)#alarm heartbeat-send <type>
Function: Sends an alarm heartbeat keep-alive packet to the configured destination immediately.
Step 13
Command: ZXR10(config)#alarm heartbeat-period <minute><type>
Function: Configures the interval of sending alarm heartbeat packets. Unit: minute, range: 0–30000, default: 0 (no heartbeat packet is sent).
Step 14
Command: ZXR10(config)#alarm level-change <alarm-code><level>
Function: Modifies the corresponding alarm level of the alarm code. Each alarm code has a default level. Range: 1–4294967294.
<level>: the lowest alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1).
<time1>: interval of reporting to FTP, range: 1:00:00–23:59:59.
<time2>: daily time for reporting to FTP, range: 00:00:00–23:59:59.
<weekday>: day in each week for reporting to FTP, range: Monday, Tuesday, Thursday, Wednesday, Friday, Saturday, and Sunday.
<time3>: time in the day of each week for reporting to FTP, range: 00:00:00–23:59:59.
<mothday>: date in each month for reporting to FTP, range: 1–31.
<time4>: time in the date of each month for reporting to FTP, range: 00:00:00–23:59:59.
<filename>: prefix of the filename saved on the FTP server, range: 1–31 characters.
2. Configure CPU, memory, and storage device alarm thresholds.
Step 1
Command: ZXR10(config)#logging on
Function: Enables the alarm recording function, so that the alarms of different levels can be reported to different destinations. After the command is run, alarms are generated for CPU usage, memory usage, storage medium usage, and voltage value according to corresponding values. The voltage module reports alarms according to the voltage value range.

Step 2
Command: ZXR10(config)#cpuload-threshold <percent> [level {low | middle | high}]
Function: Configures the CPU load alarm threshold. Unit: %, range: 50–100, default: 95. Alarm levels corresponding to CPU load alarm thresholds: low, middle, and high. Default: low.
Command: ZXR10(config)#check cpu interval <interval>
Function: Configures the time interval for CPU usage alarm checking. Unit: 10 s, range: 1–20.

Step 3
Command: ZXR10(config)#memory-threshold <percent> [level {low | middle | high}]
Function: Configures the memory usage alarm threshold. Unit: %, range: 1–100, default: 60. Alarm levels corresponding to memory usage alarm threshold values: low, middle, and high. Default: low.
Command: ZXR10(config)#check memory interval <interval>
Function: Configures the interval for memory usage alarm checking.

Step 4
Command: ZXR10(config)#storage-threshold <percent> [level {low | middle | high}]
Function: Configures the storage medium usage alarm threshold. Unit: %, range: 50–100, default: 90. Alarm levels corresponding to storage medium alarm threshold values: low, middle, and high. Default: low.

Step 5
Command: ZXR10(config)#cpualarm {granularity-10s | granularity-20s | granularity-30s | granularity-40s | granularity-50s | granularity-60s}
Function: Configures the CPU usage alarm granularity. Default: granularity-10s.
3. Verify the configurations.
Command: ZXR10#show logging alarm [[level <alarmlevel>] [start-time <date> <time>] [end-time <date> <time>] [typeid <type>]]
Function: Displays the specified alarms in the alarm log buffer. Filtering conditions: level, start-time, end-time, and typeid.

Command: ZXR10#show logfile [[username <string>] [start-time <date> <time>] [end-time <date> <time>] [vtyno <number>] [ip-adress <ip-address>]]
Function: Displays the specified history configuration commands in the command log buffer. Filtering conditions: start-time, end-time, ipaddress, user, and vtyno.

Command: ZXR10#show logging configuration
Function: Displays the current configurations of the alarm module.

Command: ZXR10#show running-config alarm [all ||{begin | exclude | include} <line>]
Function: Displays alarm configurations.
level <level>: alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1).
start-time <date> <time>: alarm start time, format of <date>: mm-dd-yyyy, range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>: 00:00:00 to 23:59:59.
end-time <date> <time>: alarm end time, format of <date>: mm-dd-yyyy, range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>: 00:00:00 to 23:59:59.
typeid <type>: alarm type, range: ACL, BFD, BGP, LDP, and so on (more than 60 types).
username <username>: login username, string type, range: 1–32 characters.
start-time <date> <time>: command running start time, format of <date>: mm-dd-yyyy, range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>: 00:00:00 to 23:59:59.
end-time <date> <time>: command running end time, format of <date>: mm-dd-yyyy, range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>: 00:00:00 to 23:59:59.
vtyno <number>: user terminal number, range: 0–15.
{begin | exclude | include} <line>: regular expression. begin is used to display configurations beginning with the input string line. include is used to display configurations that include the string line. exclude is used to display configurations that do not include the string line. <line> is used to match the string line.
4. Verify the configurations.
Command: ZXR10#show cpuload-threshold
Function: Displays the CPU usage threshold.

Command: ZXR10#show check cpu interval
Function: Displays the time interval of CPU usage alarm checking.

Command: ZXR10#show memory-threshold
Function: Displays the memory usage alarm threshold.

Command: ZXR10#show check memory interval
Function: Displays the time interval of memory usage alarm checking.

Command: ZXR10#show storage-threshold
Function: Displays the storage medium usage alarm threshold.

Command: ZXR10#show cpualarm
Function: Displays the granularity of CPU usage alarms.
5. View information on shelf management temperature alarms and power supply voltage alarms.
You cannot configure thresholds for temperature alarms and power voltage alarms. Only querying temperature alarms and power voltage alarms by running commands is supported. On the ZXR10 ZSR V2, run the following commands to view shelf management temperature alarms and power voltage alarms.
Command: ZXR10#show temperature detail [<shelf>] [<slot>]
Function: Displays temperature at the temperature measuring point of each board.

Command: ZXR10#show logging alarm type-id temperature
Function: Displays the temperature alarms.

Command: ZXR10#show power [<shelf>] [<slot>]
Function: Displays power information.

Command: ZXR10#show logging alarm type-id power
Function: Displays power alarms.
– End of Steps –
7.3 Alarm Function Configuration Example
Configuration Description
As shown in Figure 7-1, a PC is connected to R1. Users can view alarm information on R1.
Figure 7-1 Alarm Function Configuration Example
Configuration Flow
1. Enable the alarm function.
2. Configure alarm levels, levels of alarms printed on a terminal, alarm buffer, alarm clearing mode when the buffer is full, interval for writing logs, time display mode, and address of the server to which alarms are sent.
3. Configure alarm Trap, Trap type and address of the server to which Trap messages are sent.
Configuration Commands
Run the following commands on R1:
R1(config)#logging on
R1(config)#logging level warnings
R1(config)#logging console warnings
R1(config)#logging buffer 200
R1(config)#logging mode fullcycle
R1(config)#logging cmdlog-interval 2880
R1(config)#logging ftp warnings 192.168.154.253 zte zte ztelog
R1(config)#logging timestamps datetime localtime
R1(config)#logging Trap-enable notifications
R1(config)#snmp-server enable Trap
R1(config)#snmp-server version v2c enable
R1(config)#snmp-server host 192.168.154.253 Trap version 2c zte
Configuration Verification
Run the following commands to check alarm configurations. The execution results are displayed as follows:
R1(config)#show logging configuration
logging on
logging level warnings
logging console warnings
logging Trap-enable notifications
logging buffer 200
logging mode fullcycle
logging alarmlog-interval 10
logging cmdlog-interval 2880
logging timestamps datetime localtime
syslog level notifications
syslog-server facility local0
logging ftp warnings 192.168.154.253 zte zte ztelog
alarm heartbeat-period 0 snmp
alarm heartbeat-period 0 syslog
alarm heartbeat-period 0 ftp
alarm heartbeat-period 0 console
alarm heartbeat-period 0 all
logging nat buffer 1000
logging nat password encrypted
5f942ecb8d1bf9ff5104c77b19c73cb9c14f151612fef1ac1ca09c19fb98ab8d
logging nat file-size 50 file-num 300
logging nat encrypt off
logging nat description-type basemac
logging nat zip on
logging nat terminal local
R1(config)#show snmp config
snmp-server enable Trap snmp
snmp-server enable Trap bgp
snmp-server enable Trap mac
snmp-server enable Trap ospf
snmp-server enable Trap stp
snmp-server enable Trap ppp
snmp-server enable Trap arp
snmp-server enable Trap rmon
snmp-server enable Trap udld
snmp-server enable Trap cfm
snmp-server enable Trap efm
snmp-server enable Trap lacp
snmp-server enable Trap mc-elam
snmp-server enable Trap tcp
snmp-server enable Trap sctp
snmp-server enable Trap stalarm
snmp-server enable Trap cps
snmp-server enable Trap interface
snmp-server enable Trap acl
snmp-server enable Trap fib
snmp-server enable Trap pim
snmp-server enable Trap isis
snmp-server enable Trap rip
snmp-server enable Trap msdp
snmp-server enable Trap aps
snmp-server enable Trap config
snmp-server enable Trap am
snmp-server enable Trap um
snmp-server enable Trap system
snmp-server enable Trap ldp
snmp-server enable Trap pwe3
snmp-server enable Trap vpn
snmp-server enable Trap mpls-oam
snmp-server enable Trap ptp
snmp-server enable Trap tunnel-te
snmp-server enable Trap radius
snmp-server enable Trap dhcp
snmp-server enable Trap bfd
snmp-server enable Trap ippool
snmp-server enable Trap ntp
snmp-server enable Trap ssm
snmp-server enable Trap sqa
snmp-server enable Trap ipsec
snmp-server enable Trap cgn
snmp-server enable Trap vrrp
snmp-server enable Trap ftp_tftp
snmp-server enable Trap ping-trace
snmp-server enable Trap gm
snmp-server engine-id is 830900020300010289d64401
snmp-server host 192.168.154.253 Trap version 2c zte udp-port 162 snmp bgp
mac ospf stp ppp arp rmon udld cfm efm lacp mc-elam tcp sctp stalarm cps
interface acl fib pim isis rip msdp aps config am um system ldp pwe3 vpn
mpls-oam ptp tunnel-te radius dhcp bfd ippool ntp ssm sqa ipsec cgn vrrp
ftp_tftp ping-trace gm
snmp-server packetsize is 8192
snmp-server view AllView internet included
snmp-server view DefaultView system included
snmp-server security dynamic-trust-user idle-timeout 1800
snmp-server version v2c enable
snmp-server input-limit 200
R1(config)#show logging alarm
An alarm 100401 ID 100 level 5 cleared at 06:37:35 03-10-2000 sent
by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit!
Interface = gei-8/5, flowtype = multi-hop-access, current value = 0,
quota value = 100
An alarm 100401 ID 100 level 5 occurred at 06:36:55 03-10-2000
sent by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit!
Interface = gei-8/5, flowtype = multi-hop-access,
current value = 12867, quota value = 100
An alarm 50901 ID 99 level 5 cleared at 06:36:44 03-10-2000 sent
by R1 MPFU-8/0 %LACP% LACP interface active status The interface
(index = 66, name = gei-8/6) turns into ACTIVE
An alarm 150101 ID 96 level 5 cleared at 06:36:44 03-10-2000
sent by R1 MPFU-8/0
%IP% Interface status The interface(index=75,name='smartgroup1')
turned into protocol UP
An alarm 50901 ID 99 level 5 occurred at 06:36:26 03-10-2000
sent by R1 MPFU-8/0
%LACP% LACP interface active status
The interface (index = 66, name = gei-8/6) turns into INACTIVE
An alarm 400123 ID 98 level 2 cleared at 06:36:25 03-10-2000 sent
by R1 MPFU-8/0
%BOARD% Slot offline The slot = 4 is online
--More--
The terminal monitor command displays real-time alarms. The show logging alarm command displays buffered alarms.
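Added example (not from the ZTE guide): a Python parser for the `show logging alarm` record layout shown above that pairs each `occurred` record with its `cleared` record, so alarms that are still active stand out. The regular expression is inferred from that output rather than from a documented grammar, pairing on alarm code plus ID is an assumption, and the sample text is constructed.

```python
import re
from datetime import datetime

# Level names as listed in this guide (1 is the most severe).
LEVELS = {1: "EMERGENCIES", 2: "ALERTS", 3: "CRITICAL", 4: "ERRORS",
          5: "WARNINGS", 6: "NOTIFICATIONS", 7: "INFORMATIONAL", 8: "DEBUGGING"}

# Constructed sample in the layout of the output above: records wrap across
# lines, the newest record comes first, and the pager prompt may be captured.
SAMPLE = """\
An alarm 100401 ID 100 level 5 cleared at 06:37:35 03-10-2000 sent
by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit!
Interface = gei-8/5, flowtype = multi-hop-access, current value = 0,
quota value = 100
An alarm 400123 ID 101 level 2 occurred at 06:37:02 03-10-2000 sent
by R1 MPFU-8/0
%BOARD% Slot offline The slot = 4 is offline
An alarm 100401 ID 100 level 5 occurred at 06:36:55 03-10-2000
sent by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit!
Interface = gei-8/5, flowtype = multi-hop-access,
current value = 12867, quota value = 100
--More--
"""

# Inferred from the sample layout (assumption, not a documented grammar).
RECORD = re.compile(
    r"An alarm (?P<code>\d+) ID (?P<id>\d+) level (?P<level>\d+) "
    r"(?P<state>occurred|cleared) at (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<date>\d\d-\d\d-\d{4}) sent by (?P<host>\S+) (?P<board>\S+) "
    r"%(?P<module>[^%\s]+)% (?P<text>.*?)(?= An alarm \d+ ID \d+ level |$)"
)


def parse_alarms(raw):
    """Return one dict per alarm record found in raw CLI output."""
    # Undo terminal line wrapping so every record sits on one logical line.
    text = " ".join(raw.replace("--More--", " ").split())
    records = []
    for match in RECORD.finditer(text):
        rec = match.groupdict()
        for key in ("code", "id", "level"):
            rec[key] = int(rec[key])
        # The guide gives the date format as mm-dd-yyyy.
        stamp = f"{rec.pop('date')} {rec.pop('time')}"
        rec["when"] = datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S")
        records.append(rec)
    return records


def correlate(records):
    """Pair occurred/cleared records by (alarm code, ID).

    Returns (still_open, closed): still_open holds 'occurred' records with no
    later 'cleared', most severe first; closed holds ((code, id), seconds).
    """
    pending, closed = {}, []
    # Oldest first; at equal timestamps process 'occurred' before 'cleared'.
    ordered = sorted(records, key=lambda r: (r["when"], r["state"] == "cleared"))
    for rec in ordered:
        key = (rec["code"], rec["id"])
        if rec["state"] == "occurred":
            pending[key] = rec
        elif key in pending:
            start = pending.pop(key)
            closed.append((key, int((rec["when"] - start["when"]).total_seconds())))
        # A 'cleared' with no matching 'occurred' began before the buffer window.
    still_open = sorted(pending.values(), key=lambda r: (r["level"], r["when"]))
    return still_open, closed


if __name__ == "__main__":
    open_alarms, closed_alarms = correlate(parse_alarms(SAMPLE))
    for rec in open_alarms:
        print("ACTIVE", LEVELS[rec["level"]], rec["module"], rec["text"])
    for key, seconds in closed_alarms:
        print("cleared", key, "after", seconds, "s")
```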
Chapter 8 SYSLOG Configuration
Table of Contents
SysLog Overview
Configuring Syslog
Syslog Configuration Example
8.1 SysLog Overview
SysLog is a log format used to record the character text to be printed. SysLog originated in the UNIX operating system, where it is used to record system logs.
The log format consists of the following three parts:
• PRI: It is composed of angle brackets and numbers. The numbers represent the module ID and the severity. The range of module IDs is 0–23. The range of severity is 1–8, where 1 is the most severe and 8 is the least severe.
• HEADER: It is composed of the time and the host name.
• MSG: It is the detailed content.
SysLog sends data packets to the SysLog server by using UDP. The default port is 514 and the size of a UDP packet is less than 1024 bytes.
After the SysLog function is enabled, the system decides whether to report an alarm message to the SysLog server according to the alarm level.
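Added example (not from the ZTE guide): a collector-side check in Python that decodes the PRI field, enforces the size limit described above, and sets aside datagrams the router should not have sent at the configured level. It assumes the standard wire encoding PRI = facility × 8 + severity with severity 0–7 (RFC 3164), that the guide's levels 1–8 equal wire severity + 1, and that "higher level" means more severe; the datagrams are constructed.

```python
import re

# Level names as listed in this guide (1 is the most severe).
LEVELS = {1: "EMERGENCIES", 2: "ALERTS", 3: "CRITICAL", 4: "ERRORS",
          5: "WARNINGS", 6: "NOTIFICATIONS", 7: "INFORMATIONAL", 8: "DEBUGGING"}
NAME_TO_LEVEL = {name: number for number, name in LEVELS.items()}

# Standard facility codes 0-23 (the guide's "module id"), per RFC 3164.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]

MAX_DATAGRAM = 1024                      # the guide: packets are < 1024 bytes
PRI_RE = re.compile(rb"<(\d{1,3})>")     # angle brackets around a number


class SyslogFormatError(ValueError):
    """Raised when a datagram does not match the format described above."""


def decode(datagram):
    """Split one datagram into facility, level and the HEADER+MSG text."""
    if len(datagram) >= MAX_DATAGRAM:
        raise SyslogFormatError("datagram is not smaller than 1024 bytes")
    match = PRI_RE.match(datagram)
    if match is None:
        raise SyslogFormatError("missing <PRI> prefix")
    facility, severity = divmod(int(match.group(1)), 8)
    if facility >= len(FACILITIES):
        raise SyslogFormatError("facility %d is outside 0-23" % facility)
    level = severity + 1                 # assumption: guide level = wire severity + 1
    return {"facility": facility, "facility_name": FACILITIES[facility],
            "level": level, "level_name": LEVELS[level],
            "text": datagram[match.end():].decode("ascii", "replace")}


def triage(datagrams, configured_level):
    """Sort datagrams into (accepted, suspicious) for a given `syslog level`.

    Syslog over UDP carries no sender authentication, so a message that is
    malformed or less severe than the configured level is worth a second
    look: the router, as configured, would not have reported it.
    """
    threshold = NAME_TO_LEVEL[configured_level.upper()]
    accepted, suspicious = [], []
    for raw in datagrams:
        try:
            message = decode(raw)
        except SyslogFormatError as exc:
            suspicious.append((raw[:40], str(exc)))
            continue
        if message["level"] > threshold:
            suspicious.append((raw[:40], "less severe than configured level"))
        else:
            accepted.append(message)
    return accepted, suspicious


# Constructed datagrams: facility local0 (16), various severities and defects.
SAMPLES = [
    b"<132>Mar 10 06:36:55 R1 %CPS% control plane quota limit reached",
    b"<129>Mar 10 06:36:25 R1 %BOARD% Slot offline",
    b"<134>Mar 10 06:40:00 R1 %USER% informational message",
    b"<999>Mar 10 06:41:00 R1 bogus priority",
    b"no priority field at all",
    b"<132>" + b"A" * 1100,
]

if __name__ == "__main__":
    ok, odd = triage(SAMPLES, "warnings")
    for message in ok:
        print(message["facility_name"], message["level_name"], message["text"])
    for prefix, reason in odd:
        print("CHECK", reason, prefix)
```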
8.2 Configuring Syslog
This procedure describes how to configure the Syslog function.
Steps
1. Configure the Syslog function.
Step 1
Command: ZXR10(config)#syslog level <level>
Function: Sets the level in global configuration mode for reporting alarms to the Syslog server. Alarms whose levels are higher than or equal to the set level are reported to the Syslog server.

Step 2
Command: ZXR10(config)#syslog-server facility <facility>
Function: Configures the reporting source of Syslog messages. Range: ftp, ntp, user, and so on, default: local0.

Step 3
Command: ZXR10(config)#syslog-server source {ipv4|ipv6} <source-ip>
Function: Configures the source address of reporting Syslog messages. Type: IPv4 or IPv6.

Step 4
Command: ZXR10(config)#syslog-server host [vrf <vrf-name>] <server-ip> [fport <fport>] [lport <lport>] [alarmlog] [cmdlog] [debugmsg] [servicelog] [braslog] [natlog]
Function: Configures Syslog parameters including the IP address and port number of the Syslog server, the port number of the client, and the type of sent logs.
<level>: the lowest alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1), default: NOTIFICATIONS.
<server-ip>: IP address of the Syslog server, type: IPv4 or IPv6.
<fport>: remote port number, range: 1–65535, default: 514.
<lport>: local port number, range: 514, 1024–65535, default: 514.
[alarmlog][cmdlog][debugmsg][servicelog][braslog][natlog]: type of logs reported to the Syslog server.
2. Verify the configurations.
Command: ZXR10#show logging configuration
Function: Displays all Syslog configurations.

Command: ZXR10#show running-config alarm [all ||{begin | exclude | include} <line>]
Function: Displays all Syslog configurations by using a regular expression.
– End of Steps –
8.3 Syslog Configuration Example
Configuration Description
The function of Syslog is sending alarms to the Syslog server in the specified format. After the Syslog function is configured on the ZXR10 ZSR V2, alarms will be sent to the Syslog server, see Figure 8-1.
Figure 8-1 Syslog Configuration Example Topology
Configuration Flow
1. Connect the Syslog server to the ZXR10 ZSR V2.
2. Configure the interface on the Syslog server and the interface on the ZXR10 ZSR V2, which are directly connected in the same network segment.
3. Configure the Syslog server alarm level.
4. Configure the Syslog type.
5. Specify the address of the Syslog server.
Configuration Command
Run the following commands on the ZXR10 ZSR V2:
R1(config)#interface gei-2/1
R1(config-if-gei-2/1)#no shutdown
R1(config-if-gei-2/1)#ip address 1.1.1.2 255.255.255.0
R1(config-if-gei-2/1)#exit
R1(config)#syslog level warnings
/*Configures the alarm level of Syslog as WARNINGS*/
R1(config)#syslog-server facility syslog
/*Configures the type of Syslog as syslog*/
R1(config)#syslog-server host 1.1.1.1
/*Configure an IP address of the Syslog server*/
Configuration Verification
Run the show command to check the configurations. The execution result is displayed as follows:
R1(config)#show running-config alarm
!<ALARM>
syslog level warnings
syslog-server facility syslog
syslog-server host 1.1.1.1 alarmlog cmdlog debugmsg servicelog
braslog natlog
!</ALARM>
Chapter 9 RMON Configuration
Table of Contents
RMON Overview
Configuring RMON
RMON Configuration Example
9.1 RMON Overview
As an important enhanced function of SNMP, Remote Network Monitoring (RMON) can monitor overall subnet traffic information on Ethernet and token ring networks.
The RMON module provides the following functions:
• Configured with the statistics function, it monitors the basic traffic of the specified subnet.
The traffic information refers to traffic data regularly obtained by RMON.
• Configured with the history function, it records traffic information on the specified subnet during the specified interval.
A short sampling interval can be configured to view a sudden traffic change on a subnet. A long interval can be configured to view the long-term traffic status of a subnet.
• Configured with the event function, it handles alarm messages by recording them and/or sending Trap messages, so that network administrators can learn of system conditions in time.
• Configured with the alarm function and the corresponding event function, it shows the changes of specified variables such as sysUPTime.0, which is a MIB variable.
If an alarm item is configured with a threshold of 500 CRC errors in 5 min, 500 or more CRC errors that appear within 5 min trigger an alarm. In this case, if the corresponding event is configured as sending a Trap message, a Trap message is sent to the Trap server. To send Trap messages successfully, you also need to correctly set the IP address of the Trap server and a community string for SNMP, and to enable the SNMP Trap sending function.
9.2 Configuring RMON
This chapter describes how to configure the RMON function.
Steps
1. Configure an event that triggers the RMON alarm.
Step 1
Command: ZXR10(config)#rmon
Function: Enters RMON mode from configuration mode.

Step 2
Command: ZXR10(config-rmon)#rmon event <index-number> [{[log],[Trap <snmp-name>],[description <event-description>],[owner <event-owner>]}]
Function: Configures an event to log alarms and/or send Trap messages.

Step 3
Command: ZXR10(config-rmon)#rmon alarm <index-number> <mib-subtree-id> <monitor-seconds> {delta | absolute} rising-threshold <rising-thershold-limit> [<outlimit-index-number>] falling-threshold <limit-falling-thershold> [<outlimit-index-number>] [owner <alarm-owner>]
Function: Sets a MIB object and alarm events that are triggered for exceeding upper and lower thresholds. Range: upper threshold alarm, lower threshold alarm, upper or lower threshold alarm.
<index-number>: index number, range: 1–65535.
log: identification of recording logs.
<snmp-name>: community string used for sending Trap messages, range: 1–32 characters.
<event-description>: simple description of this event, range: 1–127 characters, default: zte.
<event-owner>: creator of this event, range: 1–31 characters, default: config.
<mib-subtree-id>: MIB variable to be monitored, range: 1–64 characters. It must be a MIB variable that can be converted into an integer.
<monitor-seconds>: time of monitoring the above MIB variable, unit: second, range: 10–2147483.
delta: comparing the delta with the threshold.
absolute: comparing the selected variable value with the threshold.
rising-threshold: rising threshold.
<rising-thershold-limit>: rising threshold of sample statistics, range: -2147483648–2147483647.
<outlimit-index-number>: number of the event triggered for exceeding the rising limit, range: 1–65535.
falling-threshold: falling threshold.
<limit-falling-thershold>: falling threshold of sample statistics, range: -2147483648–2147483647.
<outlimit-index-number>: number of the event triggered for exceeding the falling limit, range: 1–65535.
<alarm-owner>: creator of this alarm, range: 1–312 characters, default: config.
2. Configure RMON statistics or history.
Step 1
Command: ZXR10(config)#rmon
Function: Enters RMON mode from configuration mode.

Step 2
Command: ZXR10(config-rmon)#interface <interface-name>
Function: Enters RMON interface mode from RMON mode.

Step 3
Command: ZXR10(config-rmon-interface)#rmon collection statistics <index-number> [owner <statistics-owner>]
Function: Enables the interface statistics function (only applicable to Ethernet interfaces).
Command: ZXR10(config-rmon-interface)#rmon collection history <index-number> [buckets <bucket-number>] [interval <interval-seconds>] [owner <history-owner>]
Function: Enables the interface history collection function (only applicable to Ethernet interfaces).
<interface-name>: interface name, only supporting an Ethernet interface.
<index-number>: index number, range: 1–65535.
<statistics-owner>: the creator of the statistics, range: 1–31 characters, default: monitor.
<bucket-number>: the size of the requested loop bucket, default: 50, range: 1–100.
<event-owner>: the creator of the event, range: 1–31 characters, default: config.
<interval-seconds>: sampling interval, unit: second, range: 10–3600, default: 1800. It is recommended to use 30 s and 1800 s to collect short-term and long-term network traffic changes respectively.
<history-owner>: the creator of this line of history, range: 1–31 characters, default: monitor.
3. Verify the configurations.
Command: ZXR10(config)#show rmon [[events],[history],[alarms],[statistics]]
Function: Displays RMON configurations and version information.

Command: ZXR10(config)#show running-config rmon [all ||{begin | exclude | include} <line>]
Function: Displays RMON configurations.
– End of Steps –
9.3 RMON Configuration Example
Configuration Description
As shown in Figure 9-1, it is required to enable the RMON function, monitor the traffic of the gei-3/2 interface on the ZXR10 2800-4, and provide the following functions:
• Collecting real-time and history statistics on traffic and the numbers of various types of packets.
• Monitoring the number of bytes of outgoing traffic, and recording a log if the traffic per minute exceeds the set value.
• Monitoring the number of incoming broadcast and multicast packets, and actively sending an alarm to the NMS if the number of received broadcast and multicast packets exceeds the set value.
Figure 9-1 RMON Configuration Example
Configuration Flow
1. Enable SNMP to allow sending Trap packets, and set the destination IP address and community name.
2. Configure the RMON statistics table.
3. Configure the RMON history table.
4. Configure the RMON event table.
5. Configure the RMON alarm table.
Configuration Commands
Run the following commands on the ZXR10:
ZXR10(config)#snmp-server version v2c enable
ZXR10(config)#snmp-server enable Trap RMON
ZXR10(config)#snmp-server host 1.0.0.1 Trap version 2c zte rmon
/* Configures SNMP. */
ZXR10(config)#rmon
ZXR10(config-rmon)#interface gei-3/2
ZXR10(config-rmon-if)#rmon collection statistics 1 owner zte
/* Configures the RMON statistics table. */
ZXR10(config-rmon-if)#rmon collection history 1 buckets 10 interval 60 owner zte
/* Configures the RMON history table with the 60 s sampling period. */
ZXR10(config-rmon-if)#exit
ZXR10(config-rmon)#rmon event 1 description outboundocts log owner zte
ZXR10(config-rmon)#rmon event 2 description inboundnonuni Trap zte owner zte
/* Configures the RMON event table. Event 1 records logs. Event 2 sends Trap messages. */
ZXR10(config-rmon)#rmon alarm 1 1.3.6.1.2.1.2.2.1.16.12 60 absolute
rising-threshold 10000000 1 falling-threshold 2000000 1 owner zte
ZXR10(config-rmon)#rmon alarm 2 1.3.6.1.2.1.2.2.1.12.12 60 absolute
rising-threshold 500 2 falling-threshold 100 2 owner zte
/* Configures the RMON alarm table. Alarm 1 monitors the number of bytes sent by
the gei-3/2 interface and triggers event 1 if the threshold is exceeded.
Alarm 2 monitors the total number of multicast and broadcast packets and
triggers event 2 if the threshold is exceeded.
In this example, 1.3.6.1.2.1.2.2.1.16 is the OID of the ifOutOctets node,
1.3.6.1.2.1.2.2.1.12 is the OID of the ifInNUcastPkts node, and 12 is the index of
the gei-3/2. */
Configuration Verification
Run the following command to view RMON configurations. The execution result is displayed as follows:
ZXR10#show running-config rmon
rmon
rmon alarm 1 1.3.6.1.2.1.2.2.1.16.12 60 absolute rising-threshold
10000000 1 falling-threshold 2000000 1 owner zte
rmon alarm 2 1.3.6.1.2.1.2.2.1.12.12 60 absolute rising-threshold
500 2 falling-threshold 100 2 owner zte
rmon event 1 log description outboundocts owner zte
rmon event 2 Trap zte description inboundnonuni owner zte
interface gei-3/2
rmon collection history 1 buckets 10 interval 60 owner zte
rmon collection statistics 1 owner zte
$
$
!</rmon>
Run the following command to view information on the RMON statistics table. The execution result is displayed as follows:
ZXR10#show rmon statistics
etherStatsEntry 1 is valid, and owned by monitor
Monitors ifEntry.1.12 (gei-3/2) which has
Received 2661384683 octets, 11170112 packets,
4226009 broadcast and 1032634 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Packets received (in octets):
64:3528697, 65-127:2610624, 128-255:432346,
256-511:268806, 512-1023:193397, 1024-1518:4136242
Run the following command to view information on the RMON history table. The execution result is displayed as follows:
ZXR10#show rmon history
historyControlEntry 1 is valid, and owned by zte
Monitors ifEntry.1.12 (gei-3/2) every 60 seconds
Requested buckets is 10
Granted buckets is 10
Sample #1 began measuring at 0w4d,03:55:43
Received 131180 octets, 1519 packets,
1121 broadcast and 167 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 2
Sample #2 began measuring at 0w4d,03:56:43
Received 138272 octets, 1609 packets,
1416 broadcast and 112 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 2
Sample #3 began measuring at 0w4d,03:57:43
Received 81578 octets, 954 packets,
762 broadcast and 138 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 1
Sample #4 began measuring at 0w4d,03:58:43
Received 68438 octets, 822 packets,
720 broadcast and 72 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 1
Run the following command to view information on the RMON event table. The execution result is displayed as follows:
ZXR10#show rmon events
Event 1 is valid, and owned by zte
Description is outboundocts
Event firing causes log , last fired 0w4d,03:56:54
Current log entries:
Index Time Description
1 0w4d,03:56:54 outboundocts
Event 2 is valid, and owned by zte
Description is inboundnonuni
Event firing causes trap to community/user zte, last fired 0w4d,03:57:12
Current log entries:
Index Time Description
Run the following command to view information on the RMON alarm table. The execution result is displayed as follows:
ZXR10#show rmon alarms
Alarm 1 is valid, and owned by zte
Monitors ifEntry.16.12, every 60 second(s)
Taking absolute samples, last value was 13414607
Rising-threshold is 10000000, assigned to event 1
Falling-threshold is 2000000, assigned to event 1
On startup enable rising or falling alarm
Alarm 2 is valid, and owned by zte
Monitors ifEntry.12.12, every 60 second(s)
Taking absolute samples, last value was 5580876
Rising-threshold is 500, assigned to event 2
Falling-threshold is 100, assigned to event 2
On startup enable rising or falling alarm
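Added example (not from the ZTE guide): a Python model of how an RMON alarm entry turns samples into rising and falling events, following the alarm semantics of RFC 2819 (hysteresis between the two thresholds, startup alarm set to rising or falling as in the output above). It runs one constructed ifOutOctets counter through both sampling types with the thresholds of alarm 1: sampled as absolute, a cumulative counter crosses the rising threshold once and never returns to the falling threshold, while delta follows the per-interval traffic. The counter readings are constructed, and 32-bit wrap handling is included because ifOutOctets is a Counter32.

```python
COUNTER32_MODULUS = 2 ** 32   # ifOutOctets is a Counter32 and wraps at 2^32

# Constructed ifOutOctets readings, one per 60 s sampling interval.
# Per-interval traffic: 1.5M, 12M, 11M, 1M, 0.5M, 15M octets.
READINGS = [500_000, 2_000_000, 14_000_000, 25_000_000,
            26_000_000, 26_500_000, 41_500_000]

RISING = 10_000_000    # rising-threshold of alarm 1 in the example above
FALLING = 2_000_000    # falling-threshold of alarm 1 in the example above


def evaluate(readings, mode, rising, falling):
    """Return the events an alarm entry fires as (reading_index, kind, value).

    mode "absolute": each reading is compared with the thresholds directly.
    mode "delta":    the difference between consecutive readings is compared.
    """
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    if mode == "absolute":
        samples = list(enumerate(readings))
    elif mode == "delta":
        # Modular subtraction keeps the delta correct across a counter wrap.
        samples = [(i, (readings[i] - readings[i - 1]) % COUNTER32_MODULUS)
                   for i in range(1, len(readings))]
    else:
        raise ValueError("mode must be 'absolute' or 'delta'")

    events, last = [], None
    for index, value in samples:
        # Hysteresis: after a rising event no further rising event fires until
        # a falling event has occurred, and the other way round. With
        # last=None the first sample can fire either kind (startup alarm
        # "rising or falling").
        if value >= rising and last != "rising":
            events.append((index, "rising", value))
            last = "rising"
        elif value <= falling and last != "falling":
            events.append((index, "falling", value))
            last = "falling"
    return events


def compare_modes(readings, rising, falling):
    """Evaluate the same readings under both sampling types."""
    return {mode: evaluate(readings, mode, rising, falling)
            for mode in ("absolute", "delta")}


if __name__ == "__main__":
    for mode, events in compare_modes(READINGS, RISING, FALLING).items():
        print(mode)
        for index, kind, value in events:
            print("  reading %d: %s event, sampled value %d" % (index, kind, value))
```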
Chapter 10 Clock and Clock Synchronization
Table of Contents
NTP Configuration
Physical POS Interface Clock Configuration
10.1 NTP Configuration
10.1.1 NTP Overview
NTP Introduction
In network applications, the clocks of network members need to be synchronized. Clocks on different systems normally differ by one or more minutes. In a large-scale network, the system administrator cannot modify the system clocks manually one by one.
Network Time Protocol (NTP) is a time synchronization protocol applied to different network members. NTP devices synchronize their clocks by exchanging NTP packets, thus keeping their clocks consistent.
NTP Client
Figure 10-1 shows the main principle of the NTP client.
Figure 10-1 NTP Client Work Flow
1. The client sends NTP time request packets to the configured clock server regularly and waits for responses.
2. After receiving an NTP response packet, the NTP client inspects the packet, extracts the corresponding time, calculates the time offset, and configures the local clock.
NTP Server
After a device is configured as an NTP server, it listens on UDP port 123 for NTP time request packets coming from clients, adds its time information to an NTP time response packet, and sends the packet to the client.
ZXR10 ZSR V2 can act as an NTP server and client at the same time. That is to say, it can receive time request packets coming from other servers and send its own time information to other clients, see Figure 10-2.
Figure 10-2 NTP Server and Client
10.1.2 Configuring NTP
This procedure describes how to configure the NTP server and NTP client functions on the ZXR10 ZSR V2.
Steps
1. Configure the NTP Server function.
Step 1
  Command: ZXR10(config)#ntp enable
  Function: Enables the NTP function.
Step 2
  Command: ZXR10(config)#ntp master <stratum>
  Function: Configures the NTP server level, range: 1–15. The smaller the value, the more reliable the NTP time published by the server.
2. Configure the NTP Client function.
Step 1
  Command: ZXR10(config)#ntp enable
  Function: Enables the NTP function.
Step 2
  Command: ZXR10(config)#ntp server [{vrf <vrf-name>|mng}]<ip-address> priority <level>[version <number>]|[key <key-number>]|[lock | unlock]
  Function: Defines a time server on the client. The IP address and priority are required. Other parameters are optional.
Step 3
  Command: ZXR10(config)#ntp source ipv4 <ip-address>
  Function: Configures the source IP address of packets sent by NTP on the client. The source IP address, which is in dotted decimal format, is available for the client only.
Step 4
  Command: ZXR10(config)#ntp poll-interval <interval>
  Function: Configures the time interval of requesting packets sent by NTP. Range: 4–14 (2^n). For example, if 4 is configured, the time interval is 16 seconds.
<ip-address> and priority <1–5> are required. Other parameters are optional.
version <number>: NTP version number, range: 1–4, default: 3 (in IPv4).
key <key-number>: effective key, range: 1–4294967295.
priority <level>: priority value, range: 1–5. The priority of each server is different.
[lock | unlock]: whether the server is locked, default: unlock.
3. Configure the NTP authentication function.
Step 1
  Command: ZXR10(config)#ntp authenticate
  Function: Enables the NTP authentication function. The NTP authentication function takes effect only when the key specified by the NTP server is successfully configured.
Step 2
  Command: ZXR10(config)#ntp authentication-key <key-number> md5 {clear <clear-word>|encrypted <encrypted-word>}
  Function: Sets the NTP authentication key and the corresponding verification code.
Step 3
  Command: ZXR10(config)#ntp trusted-key <key-number>
  Function: Configures the trusted key number for NTP authentication.
<key-number>: encrypted key number, range: 1–4294967295.
<clear-word>: MD5 clear text authentication code, range: 1–16 characters.
<encrypted-word>: MD5 cipher text authentication code, range: 1–24 characters.
The NTP authentication function consists of two parts: server and client. When configuring this function, comply with the following rules:
- If the NTP authentication function is enabled, an NTP MD5 key should be configured, and the key should be set to a trusted key. Otherwise, the NTP authentication function cannot be enabled.
- If the NTP authentication function is not enabled on the client and other configurations are correct, the client can be synchronized with the server (whether the NTP authentication function is enabled on the server or not). If the NTP authentication function is enabled on the client, the client can only be synchronized with a server that provides a trusted key.
- Configurations on the server and those on the client should be consistent.
4. Verify the configurations.
Command: ZXR10#show running-config ntp
  Function: Displays NTP configurations.
Command: ZXR10#show ntp status
  Function: Displays NTP status attributes.
Command: ZXR10#show clock
  Function: Displays the system clock.
– End of Steps –
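The client-side checks this section describes (inspect the reply, apply the trusted-key rule, compute the offset), as an added Python example that is not ZTE code. It assumes the standard NTP symmetric-key layout (a 4-byte key ID followed by MD5 over the key plus the 48-byte header); key number 10, the key value and the timestamps are constructed.

```python
import hashlib
import hmac
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
HEADER_LEN = 48               # fixed NTP header; the MAC, if any, follows it


def to_ntp(unix_time):
    """Encode Unix seconds (float) as a 64-bit NTP timestamp."""
    sec = int(unix_time)
    frac = int((unix_time - sec) * (1 << 32))
    return struct.pack("!II", sec + NTP_UNIX_DELTA, frac)


def from_ntp(raw):
    """Decode a 64-bit NTP timestamp to Unix seconds (float)."""
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_UNIX_DELTA + frac / (1 << 32)


def md5_mac(key, header):
    """Symmetric-key NTP digest: MD5 over the key followed by the header."""
    return hashlib.md5(key + header).digest()


def build_reply(t1, t2, t3, key_id=None, key=None):
    """Constructed server reply (mode 4, version 3, stratum 1) used as sample input."""
    header = struct.pack("!BBbb", (3 << 3) | 4, 1, 6, -20)
    header += struct.pack("!II4s", 0, 0, b"LOCL")   # root delay, root dispersion, reference ID
    # reference, originate (T1), receive (T2), transmit (T3) timestamps
    header += to_ntp(t2) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def accept_reply(packet, t1, t4, authenticate, keys, trusted):
    """Return (offset, delay) in seconds, or raise ValueError with the reason."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if header[0] & 0x07 != 4:
        raise ValueError("not a server reply")
    if authenticate:
        # Client has authentication enabled: only a reply signed with a
        # configured AND trusted key may set the clock.
        if len(trailer) != 20:                      # 4-byte key ID + 16-byte MD5
            raise ValueError("no MAC")
        key_id = struct.unpack("!I", trailer[:4])[0]
        if key_id not in trusted or key_id not in keys:
            raise ValueError("untrusted key")
        if not hmac.compare_digest(md5_mac(keys[key_id], header), trailer[4:]):
            raise ValueError("bad MAC")
    # The originate field must echo the transmit time of our own request.
    if header[24:32] != to_ntp(t1):
        raise ValueError("originate mismatch")
    t2, t3 = from_ntp(header[32:40]), from_ntp(header[40:48])
    offset = ((t2 - t1) + (t3 - t4)) / 2            # how far the local clock is behind
    delay = (t4 - t1) - (t3 - t2)                   # round trip minus server processing
    return offset, delay


def verdict(packet, t1, t4, authenticate, keys, trusted):
    """Same as accept_reply, but returns the rejection reason as a string."""
    try:
        return accept_reply(packet, t1, t4, authenticate, keys, trusted)
    except ValueError as exc:
        return str(exc)


# Constructed sample values (the page allows clear-text keys of 1-16 characters).
KEYS = {10: b"example-key"}
T1, T2, T3, T4 = 1400000000.0, 1400000003.5, 1400000003.75, 1400000000.5

if __name__ == "__main__":
    signed = build_reply(T1, T2, T3, key_id=10, key=KEYS[10])
    plain = build_reply(T1, T2, T3)
    print("auth on,  signed reply :", verdict(signed, T1, T4, True, KEYS, {10}))
    print("auth on,  plain reply  :", verdict(plain, T1, T4, True, KEYS, {10}))
    print("auth on,  key untrusted:", verdict(signed, T1, T4, True, KEYS, set()))
    print("auth off, plain reply  :", verdict(plain, T1, T4, False, KEYS, set()))
```

With authentication off, the plain reply moves the clock by the same 3.375 seconds as the signed one, which is why the trusted-key rule only protects clients that enable authentication themselves.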
10.1.3 NTP Configuration Examples
10.1.3.1 NTP Working as a Client
Configuration Description
NTP is used to synchronize the clocks of different network members. As shown in Figure 10-3, the NTP client can synchronize the clock with the NTP server.
Figure 10-3 NTP Working as a Client
Configuration Flow
1. Connect the NTP server to the router.
2. Enable NTP.
3. Configure the address of the NTP server.
Configuration Command
Configuration on R1:
R1(config)#ntp enable
R1(config)#ntp server 192.168.5.93 priority 1
Configuration Verification
After the configuration, use the show command to check the configuration.
R1#show running-config ntp
! <ntp>
ntp server 192.168.5.93 priority 1
ntp enable
! </ntp>
10.1.3.2 NTP Working as a Server
Configuration Description
The function of NTP is to synchronize clocks of different network members. As shown in Figure 10-4, NTP works as a server to provide synchronization information for the client.
Figure 10-4 NTP Working as a Server
Configuration Flow
1. Enable NTP on R1, and configure the address of the NTP server.
2. Enable NTP on R2, and configure a level of the NTP server.
Configuration Command
The configuration on R1:
R1(config)#ntp enable
R1(config)#ntp server 192.168.5.93 priority 1
The configuration on R2:
R2(config)#ntp enable
R2(config)#ntp master 1
Configuration Verification
Use the show running-config ntp command on the client and the server to view the configuration. Use the show ntp status command on the client to view the IP address and the clock of the reference clock (R2). Use the show clock command on the client to check that the clock has been synchronized with the clock on the server.
10.2 Physical POS Interface Clock Configuration
10.2.1 Physical POS Interface Clock
Clock Synchronization
The first problem to resolve in a digital network is clock synchronization. Clock synchronization keeps the clock frequency and phase of each network node within a predefined error tolerance range. The sending and receiving ends can then extract/send messages at a specified time, which avoids transmission performance degradation (error codes and jitters) due to location inaccuracy in the digital transmission system.
Clock Synchronization Modes
Two clock synchronization modes are provided: pseudo synchronization and master-slave synchronization.
- Pseudo synchronization means that the digital exchanges in the digital switching network have clocks that are independent of each other. Each clock is a Caesium atom clock having a very high accuracy and stability. Because these clocks are highly accurate, their frequencies and phases are different but very close. This is pseudo synchronization.
- Master-slave synchronization means that a master clock exchange with a highly accurate clock is defined in the network, and all other exchanges are controlled by this exchange (tracking the clock of the master exchange and taking the master exchange clock as the reference). These exchanges are in turn controlled by their upper-level exchange, down to the end NE, the terminating exchange.
In general, pseudo synchronization is used in an international digital network, that is, in the digital network between two countries. For example, if two international exchanges in China and America have their own Caesium atom clocks, the two exchanges use the pseudo synchronization mode.
Master-slave synchronization is used in digital networks in a country or region. The master-slave synchronization clocks in the SDH network can be classified into four levels by accuracy, corresponding to different usage ranges:
- The master clock used as the time reference of the global network
- Slave clocks used in forwarding exchanges
- Slave clocks used in local exchanges
- Clocks used in the SDH (clocks built into the SDH)
Clock Extraction Modes
Clocks can be extracted in two ways:
- Extracting a clock from the specified clock synchronization circuit which is independent of the equipment, for example, the BITS interface.
- Extracting a clock from a line, for example, 8K clock signals recovered from the SDH/POS interface.
10.2.2 Configuring a Physical POS Interface Clock
This procedure describes how to configure a physical POS interface clock.
Steps
1. Configure a physical POS interface clock.
Step 1
  Command: ZXR10(config)#interface <interface-name>
  Function: Enters the POS interface.
Step 2
  Command: ZXR10(config-if-interface-name)#clock mode internal | line
  Function: Configures the clock mode to internal or line. Default: internal.
Step 3
  Command: ZXR10(config)#controller <interface-name>
  Function: Enters controller configuration mode of the CPOS.
Step 4
  Command: ZXR10(config-ctrl-interface-sdh-tug3-e1)#framing sdh
  Function: Configures the SDH frame format in controller mode.
Step 5
  Command: ZXR10(config)#clock mode internal | line
  Function: Configures the clock mode to internal or line in E1 mode. Default: internal.
2. Verify the configuration result.
Command: ZXR10#show interface <interface-name>
  Function: Shows the mode configured for the POS interface clock.
– End of Steps –
10.2.3 Physical POS-Interface Clock Configuration Instance
Configuration Description
The purpose of configuring a POS-interface clock is to synchronize the clock between different network members, see Figure 10-5.
Figure 10-5 Physical POS Interface Clock Configuration Instance
Configuration Flow
1. Inter-connect the routers.
2. Enter POS-interface clock configuration mode.
Configuration Command
Configurations on router R1:
R1(config)#interface pos3-1/1
R1(config-if-pos3-1/1)#no shutdown
R1(config-if-pos3-1/1)#clock mode line
R1(config-if-pos3-1/1)#exit
Configurations on router R2:
R2(config)#interface pos3-1/1
R2(config-if-pos3-1/1)#no shutdown
R2(config-if-pos3-1/1)#exit
/*Three clock modes can be configured for two ends of the directly-connected POS interface:
internal-internal, internal-line, line-internal.
Note that the line-line mode is unavailable.*/
Configuration Verification
After the configuration is completed, run the show command to verify the configurations:
R1(config-if-pos3-1/1)#show interface pos3-1/1
pos3-1/1 is down, line protocol is down
Description is none
Hardware is Packet Over SONET/SDH
Internet address is unassigned
IP MTU 4470 bytes
MTU 4600 bytes
BW 155520 Kbits
MPLS MTU 4470 bytes
Physical layer is Packet over (SDH)
Holdtime is 120 sec(s)
CRC 32
Loopback cancel
Clock Source: line
Scramble enable
Encapsulation PPP
Keepalive set: 10 sec(s)
LCP INITIAL, IPCP INITIAL, BCPINITIAL, IPV6CP INITIAL
MPLSCP INITIAL, OSINLCP INITIAL
Last Clear Time : 2000-04-02 01:49:43 Last Refresh Time:2000-04-02 01:49:43
120s input rate : 0Bps 0Pps
120s output rate: 0Bps 0Pps
Intf utilization: input 0% output 0%
HardWareCounters:
In_Bytes 0 In_Packets 0
In_Abort 0 In_OverFlow N/A
In_Runt 0 In_Giant 0
R2(config-if-pos3-1/1)#show interface pos3-1/1
pos3-1/1 is down, line protocol is down
Description is none
Hardware is Packet Over SONET/SDH
Internet address is unassigned
IP MTU 4470 bytes
MTU 4600 bytes
BW 155520 Kbits
MPLS MTU 4470 bytes
Physical layer is Packet over (SDH)
Holdtime is 120 sec(s)
CRC 32
Loopback cancel
Clock Source: internal
Scramble enable
Encapsulation PPP
Keepalive set: 10 sec(s)
LCP INITIAL, IPCP INITIAL, BCPINITIAL, IPV6CP INITIAL
MPLSCP INITIAL, OSINLCP INITIAL
Last Clear Time : 2000-04-02 01:49:43 Last Refresh Time:2000-04-02 01:49:43
120s input rate : 0Bps 0Pps
120s output rate: 0Bps 0Pps
Intf utilization: input 0% output 0%
HardWareCounters:
In_Bytes 0 In_Packets 0
In_Abort 0 In_OverFlow N/A
In_Runt 0 In_Giant 0
Chapter 11 Performance Statistics
Table of Contents
Performance Management Overview
Performance Management Configuration
Performance Management Configuration Example
11.1 Performance Management Overview
Performance management provides the following main functions:
- It accepts login and logout requests coming from service modules and collects performance data according to the registered performance entries.
- It calculates and saves performance data according to the collection interval.
- It raises an alarm when a collected performance value exceeds the configured alarm threshold value. It cancels the alarm when the collected performance value is below the configured alarm threshold value.
Performance management uses an agent-server structure, which is composed of PMServer, PMAgent and PMClient.
- PMServer resides in the R-CPU.
- Every daughter-card has a PMAgent, and each PMAgent acts as an independent process.
- PMClient resides in every application module.
The service modules of daughter-cards interact with each other through messages sent between PMClient and PMAgent. In this way, an application module can log in, log off, or report performance values to performance management.
Some applications use PMServer to mount a CallBack function. After registration information is modified, PMServer finishes the virtual registration / registration cancellation, and refreshes performance values after the member interface data bound to these service types is changed.
11.2 Performance Management Configuration
This procedure describes how to configure the performance management function.
Steps
1. Configure performance management.
Step 1
  Command: ZXR10(config)#intf-statistics
  Function: Enters interface statistic configuration mode.
Step 2
  Command: ZXR10(config-intf-statistics)#one_minute_peak_value {disable | enable}{<interface-name>| default}
  Function: Enables or disables the switch to control the one-minute peak-value counter on a specific Ethernet interface or all Ethernet interfaces.
  Command: ZXR10(config-intf-statistics)#one_minute_peak_value_clear [<interface-name>]
  Function: Clears and resets the one-minute peak-value counter on a specific Ethernet interface or all Ethernet interfaces.
Step 3
  Command: ZXR10(config-intf-statistics)#traffic-statistics {enable | disable}
  Function: Enables the interface performance statistic function. Default: enabled.
Step 4
  Command: ZXR10(config)#performance data-save-interval {15min,5min}
  Function: Sets the period for saving data. Unit: minute, default: 15.
Step 5
  Command: ZXR10(config)#performance update-interval <periodreport> <interface-checkPtType>
  Function: Sets the interval for sampling data from a PMA to a PMS. Default: 10 s. Sets the type of a specified detection point or sets the type of all detection points by using the default configuration.
Step 6
  Command: ZXR10#clear statistics interface [<interface-name>]
  Function: Clears the performance value of a specific interface or the accumulative performance value of all interfaces.
2. Collect statistics of performance management.
Command: ZXR10#show running-config performance
  Function: Displays the configuration information on performance management.
Command: ZXR10#show interface <interface-name>
  Function: Displays the state of all interfaces or a specified interface.
Command: ZXR10#show performance one_minute_peak_value [<interface-name>]
  Function: Displays the one-minute peak-value of an interface.
Command: ZXR10#show performance data-save-interval
  Function: Displays the period for saving history performance data.
Command: ZXR10#show ip traffic
  Function: Displays IP statistics information.
Command: ZXR10#show tcp statistics
  Function: Displays TCP statistics information.
– End of Steps –
11.3 Performance Management Configuration Example
Configuration Description
Performance management can modify the interface count update time or set the count switch according to user requirements. As shown in Figure 11-1, flow is sent from gei-2/1 of R1 to gei-2/1 of R2.
Figure 11-1 Performance Management Configuration Example Topology Diagram
Configuration Flow
1. Check the count of interface gei-2/1. To check the new count, clear the previous count.
2. Modify the time interval of sampling data from PMS to PMA to control the count update time interval of gei-2/1.
Configuration Command
1. Clear gei-2/1 interface count:
ZXR10#clear statistics interface gei-2/1
2. Set the count update time of a physical port such as gei-2/1 to 30 seconds.
ZXR10(config)#performance update-interval 30s ethernet
Configuration Verification
Check whether the configuration is valid.
ZXR10(config)#show running-config performance
! <performance >
performance update-interval 30s ethernet
! </performance >
Chapter 12 NetFlow Configuration
Table of Contents
NetFlow Overview
Configuring NetFlow
NetFlow Configuration Examples
12.1 NetFlow Overview
NetFlow Introduction
NetFlow is a protocol used to monitor network traffic. A NetFlow application environment consists of an exporter and a collector. The exporter collects IP data packets and sends them to the collector. The collector is responsible for analysis.
NetFlow can trace and measure each flow accurately. It enables the following applications:
- Network layout
  NetFlow can count the information of network flow over a long time. Therefore, it can trace and estimate the trend of network flow increasing or decreasing, so that route devices can be added or removed, or their bandwidth upgraded or degraded, as required. In this way, the network operation is more reasonable.
- Analyze new application
  NetFlow collects the network usage information of a new application protocol. By analyzing this information, network resources can be allocated to the new application reasonably.
- Network monitor
  NetFlow has real-time network monitoring ability. It can provide information to locate a fault when the network fails, and it can find potential network problems.
NetFlow Features
To accomplish network data collection, NetFlow performs the following tasks:
- Configure the NetFlow service on multiple interfaces of a router to collect packets which pass through these interfaces. To reduce system load, set a sample rate on both ingress and egress on the interfaces. For example, if the sample rate is 2000:1, one packet is sampled from every 2000 packets. NetFlow can sample unicast, multicast or Multi Protocol Label Switching (MPLS) packets separately or in combination.
- NetFlow analyzes the sampled packet to obtain the following information:
  - Packet information: for example, source/destination IP address, Type Of Service (ToS) field, source/destination TCP/UDP port number.
  - Route information: for example, next hop IP address.
  - Other information: packet ingress/egress interface index, sample direction.
  NetFlow takes the flow as the statistic object. The packets which belong to the same flow are summarized and stored. NetFlow v5 uses an octet to define the unique flow, and NetFlow v9 permits the user to define the flow. For example, the user can use source and destination IP addresses to define a flow; all the packets which have these source and destination addresses are then treated as one flow. The octet (here, the source and destination IP addresses) is called the key field. The user can also configure non-key fields to obtain other information about the flow, such as packet number, bytes and next hop IP address.
- NetFlow has a buffer. The sampled packets are stored in the buffer first. The size of every flow is the sum of all key fields and non-key fields. After a packet is analyzed, the buffer is searched according to the packet's key field to find whether the flow already exists.
  - If it already exists, the flow's non-key fields are updated.
  - If it does not exist, the new flow is added to the buffer.
- When a flow stored in the buffer satisfies one of the following conditions, it is sent to the remote server.
  - All flow information is sent to the server when the buffer is full.
  - A flow is inactive if no packet belonging to the flow arrives within a given time. The flow is then sent to the server. The given time is called the active aging time. It can be configured by the user.
  - For a long-term active flow, the statistic information is sent to the server once in a while. The interval is called the inactive aging time. It can be configured by the user.
- At present, ZXR10 ZSR V2 can record flow information in NetFlow v5, NetFlow v8, NetFlow v9 and IPFIX packets to send to the server.
  - Since the format of NetFlow v5 is fixed, NetFlow v5 only outputs the fixed-field flow information.
  - The format of the NetFlow v8 packet is also fixed. Compared with NetFlow v5, NetFlow v8 can output multiple types of field flow information. ZXR10 ZSR V2 supports the v8 Protocol-PortMatrix packet format.
  - NetFlow v9/IPFIX allows the user to customize key fields and non-key fields. The NetFlow v9/IPFIX packet is based on modules. A module includes user-defined key fields and non-key fields, and every module has a unique module ID. NetFlow sends the module to the server cyclically. When a server receives a NetFlow v9/IPFIX packet including flow information, it finds the corresponding module according to the contained module ID.
- On the NetFlow server, the received flow information is normally stored in a database, and NetFlow analysis software can analyze the entity data.
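The buffer behaviour described in the list above (deterministic 1-out-of-N sampling, lookup by key field, update of non-key fields, export when the buffer fills or a flow ages out), as an added Python example that is not ZTE code. The class and parameter names (FlowCache, idle_timeout, long_lived_timeout), the choice to remove a flow from the buffer once it is exported, and the traffic are assumptions constructed for illustration.

```python
class FlowCache:
    """Exporter-side flow buffer keyed on user-chosen key fields (hypothetical model)."""

    def __init__(self, key_fields, entries, idle_timeout, long_lived_timeout, sample_rate):
        self.key_fields = key_fields                  # e.g. ("src", "dst")
        self.entries = entries                        # maximum flows held in the buffer
        self.idle_timeout = idle_timeout              # seconds without a packet before export
        self.long_lived_timeout = long_lived_timeout  # seconds after which a busy flow is exported
        self.sample_rate = sample_rate                # N in "1 out of N"
        self.flows = {}                               # key tuple -> non-key fields
        self.exported = []                            # records the collector would receive
        self.offered = 0                              # packets seen on the interface

    def _export(self, key, reason):
        record = self.flows.pop(key)
        self.exported.append({"key": key, "reason": reason, **record})

    def age(self, now):
        """Export flows that went quiet, and flows that have been busy for too long."""
        for key, record in list(self.flows.items()):
            if now - record["last"] >= self.idle_timeout:
                self._export(key, "idle")
            elif now - record["first"] >= self.long_lived_timeout:
                self._export(key, "long-lived")

    def offer(self, now, packet):
        """Process one packet seen on the interface; return True if it was sampled."""
        self.age(now)
        self.offered += 1
        if self.offered % self.sample_rate != 0:      # deterministic: every Nth packet
            return False
        key = tuple(packet[field] for field in self.key_fields)
        record = self.flows.get(key)
        if record is None:
            if len(self.flows) >= self.entries:       # buffer full: send everything
                for old_key in list(self.flows):
                    self._export(old_key, "cache-full")
            record = self.flows[key] = {"packets": 0, "bytes": 0, "first": now, "last": now}
        record["packets"] += 1                        # non-key fields are updated in place
        record["bytes"] += packet["bytes"]
        record["last"] = now
        return True


def constructed_traffic():
    """Constructed input: a 100-packet transfer plus a 3-packet exchange."""
    packets = [(t, {"src": "10.0.0.1", "dst": "10.0.0.9", "bytes": 1500}) for t in range(100)]
    packets += [(t, {"src": "10.0.0.7", "dst": "10.0.0.9", "bytes": 60})
                for t in (11.2, 11.4, 11.6)]
    return sorted(packets, key=lambda item: item[0])


def run(sample_rate, entries=16):
    """Feed the constructed traffic through a cache and return the exported records."""
    cache = FlowCache(("src", "dst"), entries, idle_timeout=15,
                      long_lived_timeout=60, sample_rate=sample_rate)
    for now, packet in constructed_traffic():
        cache.offer(now, packet)
    cache.age(now=200)                                # let the remaining flows age out
    return cache.exported


if __name__ == "__main__":
    for rate in (1, 4):
        print("sample rate: 1 out of", rate)
        for record in run(rate):
            print("  ", record)
```

At 1 out of 4, the three-packet exchange from 10.0.0.7 never reaches the buffer, so the collector has no record of it; sampled NetFlow data supports volume estimates but cannot show that a short flow did not occur.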
12.2 Configuring NetFlow
This procedure describes how to configure the NetFlow function.
Steps
1. Configure NetFlow exporter policies.
Step 1
  Command: ZXR10(config)#flow exporter <exporter-name>
  Function: Creates a flow exporter policy, and names the policy. You can configure up to 200 different flow exporter policies. Range of the policy name: 1–32 characters.
Step 2
  Command: ZXR10(config-flow-exporter)#destination {ipv4-address <ip-address>|[vrf <name>]}
  Function: Configures the IPv4 address of the NetFlow server.
Step 3
  Command: ZXR10(config-flow-exporter)#export-protocol {netflow-v5 | netflow-v8 | netflow-v9 | ipfix }
  Function: Sets the format of NetFlow output packets. The output packet format can be NetFlow v5, v8, v9, or ipfix, default: netflow-v9. When the format is set to v5, the template must be netflow-original. When the format is v8, the template must be netflow ipv4 protocol-port.
Step 4
  Command: ZXR10(config-flow-exporter)#template data {refresh <packets>| timeout <seconds>}
  Function: Resends module according to the number of packets or time.
Step 5
  Command: ZXR10(config-flow-exporter)#transport udp <port>
  Function: Sets the NetFlow output protocol to UDP and sets the port number. Range: 1–65535, default: 2055.
Step 6
  Command: ZXR10(config-flow-exporter)#source {ipv4-address <ip-address>}
  Function: Configures the source IPv4 address of NetFlow packets sent.
Step 7
  Command: ZXR10(config-flow-exporter)#dscp <value>
  Function: Sets the TOS field in the IP header when a NetFlow packet is sent. Range: 0–63, default: 0.
refresh <packets>: the number of output NetFlow packets, according to which the module is resent, range: 1–600, default: 20.
timeout <seconds>: time, according to which the module is resent, range: 1–86400, default: 600 seconds.
2. Create a flow record policy, and set key and non-key fields.
Step 1
  Command: ZXR10(config)#flow record <record-name>
  Function: Creates a flow record policy, and names the policy. You can configure up to 100 different flow record policies. Range of the policy name: 1–32 characters.
Step 2
  Command: ZXR10(config-flow-record)#match datalink mac {destination-address | source-address}
  Function: Sets the source Medium Access Control (MAC) address or destination MAC address as a key field.
  Command: ZXR10(config-flow-record)#match flow {direction|sample-rate}
  Function: Sets flow direction or sampling rate as a key field.
  Command: ZXR10(config-flow-record)#match interface {input | output}
  Function: Sets input interface index or output interface index as a key field.
  Command: ZXR10(config-flow-record)#match ipv4 {[destination address | address-prefix minimum-mask <len>]|[source address | address-prefix minimum-mask <len>]}
  Function: Sets IPv4 information as a key field.
  Command: ZXR10(config-flow-record)#match mpls label stack section <1–5>
  Function: Sets MPLS information as a key field. <1–5>: Sets the collection label to the layer 1, 2, 3, 4, or 5 label.
  Command: ZXR10(config-flow-record)#match routing {bgp as-number {destination | source | next-adjacent | prev-adjacent}| next-hop-address {ipv4 | ipv6}}
  Function: Sets the related route next hop information as a key field.
  Command: ZXR10(config-flow-record)#match transport {destination-port |icmp {ipv4 | ipv6}{type | code}| source-port | tcp flags}
  Function: Sets transport layer information as a key field. icmp {ipv4 | ipv6} {type | code}: sets the type field of Internet Control Message Protocol (ICMP) packets as a collection field. The field value is ICMP Type * 256 + ICMP code.
  Command: ZXR10(config-flow-record)#match ip {cos | protocol | version}
  Function: Sets IP information as a key field.
  Command: ZXR10(config-flow-record)#match ipv6 {[destination address | address-prefix minimum-mask <len>]|[source address | address-prefix minimum-mask <len>]| flow-label}
  Function: Sets IPv6 information as a key field. Range of len: 1–128.
Step 4
  Command: ZXR10(config-flow-record)#collect counter {bytes [long]| packets [long]}
  Function: Sets the packet number and byte number of the flow as non-key fields. bytes: This field has 4 bytes. bytes long: This field has 8 bytes. packets: This field has 4 bytes. packets long: This field has 8 bytes.
  Command: ZXR10(config-flow-record)#collect datalink mac {destination-address | source-address}
  Function: Sets the source MAC address or destination MAC address as a non-key field.
  Command: ZXR10(config-flow-record)#collect flow {direction|sample-rate}
  Function: Sets the flow direction or sampling rate as a non-key field.
  Command: ZXR10(config-flow-record)#collect interface {input | output}
  Function: Sets the input interface index or output interface index as a non-key field.
  Command: ZXR10(config-flow-record)#collect ipv4 {[destination address | address-prefix minimum-mask <len>]|[source address | address-prefix minimum-mask <len>]}
  Function: Sets IPv4 information as a non-key field.
  Command: ZXR10(config-flow-record)#collect mpls label stack section <1–5>
  Function: Sets MPLS information as a non-key field.
  Command: ZXR10(config-flow-record)#collect routing {bgp as-number {destination | source | next-adjacent | prev-adjacent}| next-hop-address {ipv4 | ipv6}}
  Function: Sets the route next hop information as a non-key field.
  Command: ZXR10(config-flow-record)#collect timestamp {sys-uptime {first | last}| absolute {first-millisec | last-millisec}}
  Function: Sets the time or absolute time when a flow is switched for the first or last time as a non-key field. sys-uptime first: sets the system power-up time when the flow arrives at the cache for the first time as a collected non-key field. Unit: ms. sys-uptime last: sets the system power-up time when the flow is updated in the cache for the last time as the collected non-key field. Unit: ms.
  Command: ZXR10(config-flow-record)#collect transport {destination-port | icmp {ipv4 | ipv6}{code | type}| source-port | tcp flags}
  Function: Sets transport layer information as a non-key field.
  Command: ZXR10(config-flow-record)#collect ip {cos| protocol | version}
  Function: Sets IP information as a non-key field.
  Command: ZXR10(config-flow-record)#collect ipv6 {[destination address | address-prefix minimum-mask <len>]|[source address | address-prefix minimum-mask <len>]| flow-label}
  Function: Sets IPv6 information as a non-key field. Range of len: 1–128.
3. Configure a NetFlow sampling policy.
Step 1
  Command: ZXR10(config)#sampler <sampler-name>
  Function: Creates a sampler policy, and names it. Up to 200 different sampler policies can be configured. Range of the policy name: 1–12 characters.
Step 2
  Command: ZXR10(config-sampler)#mode deterministic 1–––out-of <rate>
  Function: Sets the sampling mode and sampling rate.
deterministic: uses deterministic sampling, that is, if the sampling rate is N, then one packet out of every N packets is sampled.
<rate>: sampling rate, range: 1–65535, default: 1000.
4. Configure a NetFlow monitoring policy.
Step 1
  Command: ZXR10(config)#flow monitor <monitor-name>
  Function: Creates a flow monitor policy, and names it. Up to 60 different flow monitor policies can be configured. Range of the policy name: 1–32 characters.
Step 2
  Command: ZXR10(config-flow-monitor)#cache {entries <num>| timeout {active | inactive} <seconds>}
  Function: Sets cache information.
Step 3
  Command: ZXR10(config-flow-monitor)#exporter <exporter-name>
  Function: Associates a pre-set flow exporter policy. That is, the flow monitor policy uses the flow exporter policy for the output of NetFlow packets. If the flow exporter policy uses v5 output format, the template used by the flow monitor must be the pre-set netflow-original.
Step 4
  Command: ZXR10(config-flow-monitor)#record {<record-name>|netflow ipv4 protocol-port|netflow-original}
  Function: Sets the template to be used.
entries <num>: sets the buffer size to num, which represents the number of flows that can be stored in the buffer. Range: 16–131072, default: 4096.
timeout active <seconds>: active ageing time, unit: second, range: 10–604800, default: 1800.
timeout inactive <seconds>: inactive ageing time, unit: second, range: 10–604800, default: 1800.
record <record-name>: uses a pre-set flow record policy as the template.
record netflow-original: predefines the v5 template. Collected key and non-key fields are consistent with those of NetFlow v5.
netflow ipv4 protocol-port: predefines the v8 module.
5. Configure a NetFlow interface.
Step 1
  Command: ZXR10(config)#interface <interface-name>
  Function: Enters interface configuration mode.
Step 2
  Command: ZXR10(config-if-interface-name)#ip flow monitor <monitor-name>[sampler <sampler-name>][unicast|multicast|ipv4-access-list <name>]{input|output}
  Function: Configures IPv4 packets sampling on the interface.
  Command: ZXR10(config-if-interface-name)#ipv6 flow monitor <monitor-name>[sampler <sampler-name>][unicast |multicast | ipv6-access-list <name>]{input | output}
  Function: Configures IPv6 packets sampling on the interface.
  Command: ZXR10(config-if-interface-name)#mpls flow monitor <monitor-name>[sampler <sampler-name>]unicast {input | output}
  Function: Configures MPLS packet sampling on the interface.
ip flow monitor <monitor-name>: applies a pre-set netflow monitoring policy on the interface. After the command is run, configurations related to the monitor policy, the cache size, template in use, and collected fields of the template cannot be modified. To modify the configurations, the flow monitoring policy must be deleted from the interface first. Flow active/inactive ageing time and the output policy can be modified.
sampler <sampler-name>: applies a pre-set sampling policy on the interface. The sampling policy cannot be modified after it is applied on the interface. The modification takes effect only after it is unbound and then applied on the interface.
unicast | multicast | ipv4-access-list <acl-name>: type of sampled packets. unicast means sampling unicast packets. multicast means sampling multicast packets. access-list means sampling packets that are filtered with the ACL rules. Up to six different ACL rules can be used.
In one direction, unicast, multicast, MPLS, and ACL rule packets can be sampled at the same time. Samples from two directions are not mutually exclusive. If ACL rule packets are sampled from one direction, however, unicast and multicast packets cannot be sampled, and vice versa.
6. Verify the configurations.
Command Function
ZXR10#show ip flow exporter [<exporter-name>]
Displays a flow exporter policy of the specified name or all flow exporter policies.
ZXR10#show ip flow interface [<interface-name>]
Displays configurations of the specified interface or all interfaces.
ZXR10#show ip flow monitor [<monitor-name>]
Displays a flow monitoring policy of the specified name or all flow monitoring policies.
ZXR10#show ip flow record [<record-name> | netflow-original | ipv4 protocol-port]
Displays a flow record policy of the specified name, the pre-defined V5 policy (V5 template: netflow-original), or all flow record policies.
ZXR10#show ip flow sampler [<sampler-name>]
Displays a sampler policy of the specified name or all sampler policies.
ZXR10#show running-config ipflow [all] [| {begin | exclude | include} <line>]
Displays NetFlow configurations, or all configurations including default values of un-configured parameters when the command carries the all parameter.
ZXR10#show running-config-interface <interface-name> [all] [| {begin | exclude | include} <line>]
Displays interface configurations related to NetFlow.
ZXR10#show ip flow service-cpu
Displays information on the service CPU when the NetFlow function is enabled.
– End of Steps –
12.3 NetFlow Configuration Examples
12.3.1 NetFlow V5 Configuration Example
Configuration Description
As shown in Figure 12-1, configure NetFlow on R1, connect the server to R1, and configure an IP address. Configure a route to the server if necessary so that the NetFlow packets can be sent to the server.
Figure 12-1 NetFlow V5 Configuration Example
Configuration Flow
1. Enable NetFlow Service.
2. Configure flow exporter output, including server IP address, port number and protocol type.
3. Configure sampler sampling rate and sampling mode.
4. Configure the size of flow monitor cache, active overtime value and inactive overtime value, bind the configured flow exporter to system v5 module.
5. Bind flow monitor policy to interface, configure sampling type and direction.
Configuration Command
Configuration on R1:
R1#configure terminal
R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v5
R1(config-flow-exporter)#exit
R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit
R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record netflow-original
R1(config-flow-monitor)#cache timeout inactive 60
R1(config-flow-monitor)#cache timeout active 10
R1(config-flow-monitor)#exit
R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#exit
Configuration Verification
Check the configuration on R1, as shown below.
R1#show running-config ipflow
!<ipflow>
flow exporter exp
destination ipv4-address 169.1.109.60
export-protocol netflow-v5
$
flow monitor mo
cache timeout active 10
cache timeout inactive 60
record netflow-original
exporter exp
$
sampler sam
mode deterministic 1-out-of 1024
$
interface gei-6/6
ip flow monitor mo sampler sam unicast input
$
!</ipflow>
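Added example, not part of the ZTE guide: a collector-side decoder for the NetFlow v5 datagrams that exporter exp sends to UDP port 2055. It scales the sampled counters by the 1-out-of-1024 rate and uses the header's flow sequence to notice lost export datagrams. The function and class names, the sample addresses and the assumption that the exporter fills the header's sampling field (a fallback rate is accepted otherwise) are this example's own.

```python
import ipaddress
import struct

# NetFlow v5 wire format: 24-byte header followed by 1..30 records of 48 bytes.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def parse_v5(datagram, fallback_rate=1):
    """Validate and decode one NetFlow v5 export datagram.

    fallback_rate is used when the header's sampling field is zero
    (assumption: not every exporter fills that field in).
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, _uptime, _secs, _nsecs, sequence,
     _engine_type, engine_id, sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected export version {version}")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"record count {count} outside 1..{MAX_RECORDS}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the record count in the header")

    # Low 14 bits carry N of "1-out-of N"; the top 2 bits carry the mode.
    rate = (sampling & 0x3FFF) or fallback_rate
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "src_port": f[9],
            "dst_port": f[10],
            "protocol": f[13],
            "packets": f[5],
            "bytes": f[6],
            # Sampled counters scaled up: an estimate, not an exact count.
            "est_packets": f[5] * rate,
            "est_bytes": f[6] * rate,
        })
    return {"sequence": sequence, "engine_id": engine_id,
            "sampling_rate": rate, "flows": flows}


class SequenceTracker:
    """Reports flows lost between export datagrams (UDP gives no delivery guarantee)."""

    def __init__(self):
        self.expected = {}   # (exporter address, engine_id) -> next flow sequence

    def observe(self, exporter, parsed):
        key = (exporter, parsed["engine_id"])
        expected = self.expected.get(key)
        self.expected[key] = (parsed["sequence"] + len(parsed["flows"])) & 0xFFFFFFFF
        if expected is None:
            return 0                      # first datagram from this exporter
        # Number of flows missed; a very large value means reordering or a restart.
        return (parsed["sequence"] - expected) & 0xFFFFFFFF


def build_sample(sequence, flows, sampling=(1 << 14) | 1024):
    """Constructed test datagram (not captured from a router)."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0, sampling)
    for src, dst, sport, dport, proto, pkts, octets in flows:
        out += RECORD.pack(ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed,
                           bytes(4), 0, 0, pkts, octets, 0, 0,
                           sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
    return out


if __name__ == "__main__":
    tracker = SequenceTracker()
    for seq in (100, 106):
        parsed = parse_v5(build_sample(seq, [("10.1.0.2", "10.2.0.9", 51000, 443, 6, 3, 1800)]))
        print(parsed["flows"][0], "missed flows:", tracker.observe("192.0.2.1", parsed))
```

A non-zero result from observe() means the collector's view of the traffic has gaps, which matters before treating an absence of flows as an absence of activity.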
12.3.2 NetFlow V8 Configuration Example
Configuration Description
As shown in Figure 12-2, configure NetFlow on R1, connect the server to R1, and configure an IP address. Configure a route to the server if necessary so that the NetFlow packets can be sent to the server.
Figure 12-2 NetFlow V8 Configuration Example
Configuration Flow
1. Enable NetFlow Service.
2. Configure flow exporter output, including the server IP address, port number and protocol type.
3. Configure sampler, setting sampling rate and sampling mode.
4. Configure the cache size of flow monitor, the active overtime value and the inactive overtime value. Bind the configured flow exporter to the system v8 module.
5. Bind flow monitor to the interface, and configure the sampling type and direction.
Configuration Command
Configuration on R1:
R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v8
R1(config-flow-exporter)#exit
R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit
R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record netflow ipv4 protocol-port
R1(config-flow-monitor)#cache timeout inactive 60
R1(config-flow-monitor)#cache timeout active 10
R1(config-flow-monitor)#exit
R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#exit
Configuration Verification
Verify the configuration on R1 as shown below.
R1#show running-config ipflow
!<ipflow>
sampler sam
mode deterministic 1-out-of 1024
$
flow exporter exp
destination ipv4-address 169.1.109.60
export-protocol netflow-v8
$
flow monitor mo
cache timeout active 10
cache timeout inactive 60
record netflow ipv4 protocol-port
exporter exp
$
interface gei-6/6
ip flow monitor mo sampler sam unicast input
$
!</ipflow>
12.3.3 NetFlow V9 Configuration Example
Configuration Description
As shown in Figure 12-3, configure NetFlow on R1, connect the server to R1, and configure an IP address. Configure a route to the server if necessary so that the NetFlow packets can be sent to the server.
Figure 12-3 NetFlow V9 Configuration Example
Configuration Flow
1. Enable NetFlow Service.
2. Configure flow exporter output, including server IP address, port number and protocol type, module refresh time and refresh rate.
3. Configure match and collect of flow record policy.
4. Configure the size of flow monitor cache, active overtime value and inactive overtime value, bind the configured flow exporter policy and flow record policy.
5. Configure sampler sampling rate and sampling mode.
6. Bind flow monitor policy to interface, configure sampling type and direction.
Configuration Command
Configuration on R1:
R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v9
R1(config-flow-exporter)#template data refresh 20
R1(config-flow-exporter)#template data timeout 60
R1(config-flow-exporter)#exit
R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit
R1(config)#flow record rec
R1(config-flow-record)#match ipv4 source address
R1(config-flow-record)#match ipv4 destination address
R1(config-flow-record)#match transport source-port
R1(config-flow-record)#match transport destination-port
R1(config-flow-record)#collect counter bytes
R1(config-flow-record)#collect counter packets
R1(config-flow-record)#exit
R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#cache timeout active 60
R1(config-flow-monitor)#cache timeout inactive 10
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record rec
R1(config-flow-monitor)#exit
R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#end
Configuration Verification
Check the configuration on R1, as shown below.
R1#show running-config ipflow
!<ipflow>
sampler sam
mode deterministic 1-out-of 1024
$
flow exporter exp
destination ipv4-address 169.1.109.60
#export-protocol netflow-v9
$
flow record rec
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes
collect counter packets
$
flow monitor mo
cache timeout active 60
cache timeout inactive 10
record rec
exporter exp
$
interface gei-6/6
ip flow monitor mo sampler sam unicast input
$
!</ipflow>
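Added example, not part of the ZTE guide: NetFlow v9 data records can only be decoded with the template that describes them, which is why the exporter resends its templates. This decoder handles the six fields of flow record rec, counts data flowsets that arrive before their template, and keys the template cache on the exporter address. Class and function names, the source ID and the sample datagrams are constructed for illustration.

```python
import ipaddress
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, uptime, secs, sequence, source_id
# RFC 3954 field types for the match/collect statements of "flow record rec".
FIELD_NAMES = {8: "src_addr", 12: "dst_addr", 7: "src_port",
               11: "dst_port", 1: "bytes", 2: "packets"}


class V9Decoder:
    def __init__(self):
        self.templates = {}    # (exporter, source_id, template_id) -> [(type, length)]
        self.undecodable = 0   # data flowsets seen before their template

    def feed(self, exporter, datagram):
        """Decode one export datagram; returns the flow records it could decode."""
        if len(datagram) < V9_HEADER.size:
            raise ValueError("datagram shorter than the v9 header")
        version, _count, _up, _secs, _seq, source_id = V9_HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError(f"unexpected export version {version}")
        flows, offset = [], V9_HEADER.size
        while offset < len(datagram):
            if offset + 4 > len(datagram):
                raise ValueError("truncated flowset header")
            flowset_id, length = struct.unpack_from("!HH", datagram, offset)
            if length < 4 or offset + length > len(datagram):
                raise ValueError("flowset length outside the datagram")
            body = datagram[offset + 4:offset + length]
            if flowset_id == 0:                       # template flowset
                self._learn(exporter, source_id, body)
            elif flowset_id >= 256:                   # data flowset
                flows.extend(self._decode(exporter, source_id, flowset_id, body))
            # IDs 1..255 (options templates, reserved) are skipped here.
            offset += length
        return flows

    def _learn(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            if template_id < 256:                     # padding after the last template
                break
            end = pos + 4 + 4 * field_count
            if field_count == 0 or end > len(body):
                raise ValueError("malformed template")
            fields = [struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
            if any(length == 0 for _type, length in fields):
                raise ValueError("zero-length field in template")
            self.templates[(exporter, source_id, template_id)] = fields
            pos = end

    def _decode(self, exporter, source_id, template_id, body):
        fields = self.templates.get((exporter, source_id, template_id))
        if fields is None:
            self.undecodable += 1
            return []
        record_len = sum(length for _type, length in fields)
        flows = []
        # Bytes left over after the last whole record are padding.
        for start in range(0, len(body) - record_len + 1, record_len):
            pos, flow = start, {}
            for ftype, length in fields:
                raw = body[pos:pos + length]
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in (8, 12) and length == 4:
                    flow[name] = str(ipaddress.IPv4Address(raw))
                else:
                    flow[name] = int.from_bytes(raw, "big")
                pos += length
            flows.append(flow)
        return flows


def build_samples(template_id=256, source_id=7):
    """Constructed datagrams (not captured): (template datagram, data datagram)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    record = (ipaddress.IPv4Address("10.1.0.2").packed
              + ipaddress.IPv4Address("10.2.0.9").packed
              + struct.pack("!HHII", 51000, 443, 1800, 3))
    data_set = struct.pack("!HH", template_id, 4 + len(record)) + record
    return (V9_HEADER.pack(9, 1, 0, 0, 1, source_id) + tmpl_set,
            V9_HEADER.pack(9, 1, 0, 0, 2, source_id) + data_set)


if __name__ == "__main__":
    template, data = build_samples()
    decoder = V9Decoder()
    print(decoder.feed("192.0.2.1", data), decoder.undecodable)  # no template yet
    decoder.feed("192.0.2.1", template)
    print(decoder.feed("192.0.2.1", data))
```

A steadily rising undecodable count points at a collector that started after the last template was sent or at template datagrams being lost on the way.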
Chapter 13 SQA Configuration
Table of Contents
SQA Overview
Configuring SQA
SQA Configuration Examples
13.1 SQA Overview
Service Quality Analyzer (SQA) is a measurement and detection technology. Through SQA, users can obtain more detailed network quality analysis at the IP layer, and can also check whether the network quality of a specific service meets the requirements of the Service Level Agreement (SLA). The functions of SQA are listed below.
- Users can learn the network performance quickly and then take corresponding measures according to the network performance.
- Users can use SQA to diagnose and locate network faults, especially QoS faults of some applications.
- SQA supports linkage with some protocols. For example, when the quality of a network worsens to some extent, SQA can enable linkage with policy routing.
Normally, SQA is used to diagnose network faults.
For example, on a mobile IP bearer network, when the quality of phone calls declines seriously, it is necessary to check whether there is serious voice packet loss, delay and jitter on the wireless network side and the IP bearer network side at the same time. On the IP bearer network side, it is necessary to check whether there is any serious network fault in the transmission of IP packets between CEs. At the same time, it is also necessary to use the SQA parameters (such as UDP packet jitter and delay) to determine whether the fault is on the bearer network side.
SQA can also be used to measure operators' network quality periodically and reflect it in real time, so that operators can keep track of the overall network quality.
13.2 Configuring SQA
This procedure describes how to configure the SQA function.
Steps
1. Configure an SQA instance.
Step Command Function
1 ZXR10(config)#sqa-test <number>
Selects a test instance number and enters SQA configuration mode. The range of the instance number is 1–150.
2 ZXR10(config-sqa)#type-icmp [vrf <vrf-name>] <destination-address> [source <source-address>] [repeat <repeat-number>] [tos <tos-value>] [ttl <ttl-value>] [size <size-value>] [interval <interval-value>]
Configures an ICMP test instance in SQA mode.
2 ZXR10(config-sqa)#type-udp [vrf <vrf-name>] <destination-address> <destination-port> [size <size-value>] [interval <interval-value>] [repeat <repeat-number>]
Configures a UDP test instance in SQA mode.
2 ZXR10(config-sqa)#type-tcp [vrf <vrf-name>] <destination-address> <destination-port> [interval <interval-value>] [repeat <repeat-number>]
Configures a TCP test instance in SQA mode.
2 ZXR10(config-sqa)#type-ftp copy <destination-address> user-name <user-name> password {encrypted <ftp-server-encrypted-password> | <ftp-server-password>} file-name <file-name> root <local-path>/<file-name>
Configures an FTP test instance in SQA mode.
2 ZXR10(config-sqa)#type-dns [vrf <vrf-name>] destination-url <destination-url> dns-ip <dns-ip-address> [repeat <repeat-number>]
Configures a DNS test instance in SQA mode.
2 ZXR10(config-sqa)#type-http [vrf <vrf-name>] {http-ip <http-ip-address> | http-url <http-url> dns-ip <dns-ip-address>} [repeat <repeat-number>]
Configures an HTTP test instance in SQA mode.
2 ZXR10(config-sqa)#type-snmp [vrf <vrf-name>] <specify-destination-ip-address>
Configures an SNMP test instance in SQA mode.
2 ZXR10(config-sqa)#type-udp-jitter [vrf <vrf-name>] <specify-destination-ip-address> <specify-destination-port> [interval <interval-time>] [repeat <repeat-number> size <size-number> | interval <interval-time>] [size <size-number> interval <interval-time> | repeat <repeat-number>]
Configures a UDP-JITTER test instance in SQA mode.
2 ZXR10(config-sqa)#type-icmp-jitter [vrf <vrf-name>] <destination-address> [source <source-address>] [repeat <repeat-number>] [tos <tos-value>] [ttl <ttl-value>] [size <size-value>] [interval <interval-value>]
Configures an ICMP jitter test instance in SQA mode.
<repeat-number>: number of repeat times. In an ICMP test, range: 1–65535, default: 1. In a UDP test, range: 1–1000, default: 1. In a TCP test, range: 1–200, default: 1. In a DNS test, range: 1–10, default: 1. In an ICMP jitter test, range: 1–65535, default: 1.
<tos-value>: ToS value, range: 0–255, default: 0.
<ttl-value>: Time To Live (TTL) value, range: 1–255, default: 255.
<size-value>: size of a packet. In an ICMP test, range: 36–8192 bytes, default: 36 bytes. In a UDP test, range: 50–1500 bytes, default: 50 bytes. In an ICMP jitter test, range: 40–8192 bytes, default: 40 bytes.
<interval-value>: interval between two packets, unit: ms. In an ICMP test, range: 50–65535, default: 100. In a UDP test, range: 50–2000, default: 100. In a TCP test, range: 1000–4000, default: 1000. In an ICMP jitter test, range: 50–65535, default: 100.
<destination-port>: Destination port number, range: 1025–65535.
<user-name>: user name of the FTP server, range: 1–31 characters.
<ftp-server-password>: clear text password of the FTP server, range: 1–31 characters.
<ftp-server-encrypted-password>: cipher text password of the FTP server, range: 64 characters.
<file-name>: FTP source file name, range: 1–79 characters.
<local-path>/<file-name>: FTP local path and file name, range: 1–151 characters.
<destination-url>: domain name to be resolved, range: 1–128 characters.
<dns-ip-address>: DNS IP address.
2. Start an SQA test, and enable the Trap alarm.
Step Command Function
1 ZXR10(config-sqa)#sqa-begin {now | timerange <timerange-name>}
Starts a test in SQA mode. The sqa-stop command stops the test. If now is selected, the test is started immediately.
2 ZXR10(config-sqa)#send-Trap {enable <percent>}
Enables the Trap alarm in SQA mode. <percent>: alarm threshold value, range: 1–100.
3. Configure an SQA TCP or UDP server.
Command Function
ZXR10(config)#sqa-tcp-server <ipaddress> <port>
Configures an SQA TCP server. (This configuration is required when you select a TCP test.)
ZXR10(config)#sqa-udp-server <ipaddress> <port>
Configures an SQA UDP server. (This configuration is required when you select a UDP test.)
4. Verify the configurations.
Command Function
ZXR10#show running-config sqa [all] [| {begin | exclude | include} <line>]
Displays SQA configurations.
ZXR10#show sqa-test <number>
Displays SQA test configurations.
ZXR10#show sqa-server {udp | tcp}
Displays SQA server configurations.
ZXR10#show sqa-result {udp | tcp | icmp | ftp | dns | http | snmp | udpjitter | icmpjitter}
Displays configurations of each SQA test instance.
– End of Steps –
13.3 SQA Configuration Examples
13.3.1 ICMP-Type SQA Configuration Example
Configuration Description
As shown in Figure 13-1, there is a link between R1 and R3. Packets between R1 and R3 can be forwarded properly.
Figure 13-1 ICMP-Type SQA Configuration Example
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure ICMP test attribute for the test instance, such as the ICMP test destination address.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.
Configuration Command
The configuration of R1:
R1(config)#sqa-test 1
R1(config-sqa-1)#type-icmp 10.1.0.2
R1(config-sqa-1)#sqa-begin now
%Info 757: The sqa test is starting now, please wait a moment for test result......
R1(config-sqa-1)#
Configuration Verification
The configuration and test result are shown below.
R1#show sqa-test 1
test number:1
test type: ICMP
destination IP: 10.1.0.2
repeat:1
tos:0
ttl: 255
size: 36
interval time:100
send trap:disable
R1#show sqa-result icmp
icmp test[1] result
SendPackets:1 ResponsePackets:1
Completion:success Destination IP Address: 10.1.0.2
Min/Max/Avg/Sum RTT:29/99/39/787ms
Min/Max/Avg/Sum Positive Jitter:1/7/3/9ms
Min/Max/Avg/Sum Negative Jitter:1/70/35/71ms
Min/Max/Avg/Sum Jitter:1/70/16/80ms
Packet loss rate:0%
Last Probe Time:2012-11-18 01:57:38
13.3.2 FTP-Type SQA Configuration Example
Configuration Description
As shown in Figure 13-2, there is a link between the FTP server and R1. Packets between them can be forwarded properly. It is required to enable the FTP server function on the FTP server, and configure a user name and password.
Figure 13-2 FTP-Type SQA Configuration Example
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the FTP test attributes for the test instance including FTP server address, user name, password, source file name, destination path and destination file name.
3. Set the SQA test start time to now or a scheduled time.
4. Check the test result.
Configuration Command
Run the following commands on the ZXR10 ZSR V2:
R1(config)#sqa-test 2
R1(config-sqa-2)#type-ftp copy 1.1.1.1 filename abc.txt root /datadisk0/abc.txt
R1(config-sqa-2)#type-ftp username who password who
R1(config-sqa-2)#sqa-begin now
%Info 757: The sqa test is starting now, please wait a moment for test result......
R1(config-sqa-2)#
Configuration Verification
Run the show command to check the configurations and test results. The execution result is displayed as follows:
R1#show sqa-test 2
test number:2
test type: FTP
ftp IP:10.1.0.2
username:who
password: 9654d35c7f907ad5c1a1f803d1e4a21c667d8939cade03478bad7db48099d0e4
/*Encrypted*/
filename:abc.txt
root:/datadisk0/abc.txt
send Trap:disable
R1#show sqa-result ftp
ftp test[2] result
Completion:success
Last RTT:127s Bytes read:4817497
Last Probe Time:2012-07-29 09:22:58
13.3.3 TCP-Type SQA Configuration Example
Configuration Description
As shown in Figure 13-3, there is a link between R1 and R3. Packets between R1 and R3 can be forwarded properly. Enable a monitoring port of SQA-TCP-server on R3.
Figure 13-3 TCP-Type SQA Configuration Example
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the TCP test attribute for the test instance, such as the TCP test destination address and port number.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.
Configuration Command
The configuration of R3:
R3(config)#sqa-tcp-server 10.1.0.2 10000
The configuration of R1:
R1(config)#sqa-test 3
R1(config-sqa-3)#type-tcp 10.1.0.2 10000
R1(config-sqa-3)#sqa-begin now
%Info 757: The sqa test is starting now, wait a moment for test result......
R1(config-sqa-3)#
Configuration Verification
The configuration and test result are shown below.
R1#show sqa-test 3
test number:1
test type: TCP
destination IP:10.1.0.2
desitnation port:10000
interval time:1000
repeat:1
send trap:disable
R1#show sqa-result tcp
tcp test[3] result
SendPackets:1 ResponsePackets:1
Completion:success Destination Ip Address:10.1.0.2
Min/Max/Avg/Sum RTT:5/5/5/5ms
Last Probe Time:2012-07-29 09:45:49
13.3.4 UDP-Type SQA Configuration Example
Configuration Description
As shown in Figure 13-4, there is a link between R1 and R3. Packets between R1 and R3 can be forwarded properly. Enable a monitoring port of SQA-UDP-server on R3.
Figure 13-4 UDP-Type SQA Configuration Example
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the UDP test attribute for the instance, such as the UDP test destination address and port number.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.
Configuration Command
The configuration of R3:
R3(config)#sqa-udp-server 10.1.0.2 10000
The configuration of R1:
R1(config)#sqa-test 4
R1(config-sqa-4)#type-udp 10.1.0.2 10000
R1(config-sqa-4)#sqa-begin now
%Info 757: The sqa test is starting now, wait a moment for test result......
R1(config-sqa-4)#
Configuration Verification
The configuration and test result are shown below.
R1#show sqa-test 4
test number:1
test type: UDP
destination IP:10.1.0.2
desitnation port:10000
size: 50
interval time:100
repeat:1
send trap:disable
R1#show sqa-result udp
udp test[4] result
SendPackets:1 ResponsePackets:1
Completion:success Destination IP Address: 10.1.0.2
Min/Max/Avg/Sum RTT:61/63/62/622ms
Min/Max/Avg/Sum Positive Jitter:0/0/0/0ms
Min/Max/Avg/Sum Negative Jitter:1/1/1/2ms
Min/Max/Avg/Sum Jitter:1/1/1/2ms
Packet loss rate:0%
Last Probe Time:2012-09-01 23:52:35
13.3.5 DNS-Type SQA Configuration Example
Configuration Description
As shown in Figure 13-5, configure an SQA test instance on ZXR10 ZSR V2, connect the server to R1, and configure an IP address. Configure a route to the server if necessary so that DNS packets can be sent to the server.
Figure 13-5 DNS-Type SQA Configuration Example
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, configure the domain name to be resolved by the DNS test and the IP address of the DNS server, and set the number of resolution operations.
3. Set the SQA test start time as right now or at a scheduled time.
4. Check the test result.
Configuration Command
Configuration of R1:
R1(config)#ip domain lookup
R1(config)#ip domain name-server ipv4-address 10.1.0.1
R1(config)#sqa-test 5
R1(config-sqa-5)#type-dns destination-url abc.cn dns-ip 10.1.0.1
R1(config-sqa-5)#sqa-begin now
%Info 757: The sqa test is starting now, wait a moment for test result......
R1(config-sqa-5)#
Configuration Verification
The configuration information and test result are shown below.
R1#show sqa-test 5
test number:1
test type: DNS
destination-url:abc.cn
dns-ip:10.1.0.1
repeat:1
send trap:disable
R1#show sqa-result dns
dns test[5] result
SendPackets:1 ResponsePackets:1
Completion:success
Destination-url:abc.cn
DNS Interpret IP Address:10.1.0.1
Min/Max/Avg/Sum RTT:1010/1010/1010/1010ms
Last Probe Time:2012-07-29 09:49:36
Chapter 14 LLDP Configuration
Table of Contents
LLDP Overview
Configuring LLDP
LLDP Configuration Examples
14.1 LLDP Overview
LLDP Introduction
With the wide application of Ethernet on LANs and Metropolitan Area Networks (MANs), users have increasingly high requirements for Ethernet management. At present, many network management systems use the automatic discovery function to trace topology changes. However, most network management systems can only analyze the network topology up to the network layer. Information such as the interfaces on a device, the interfaces connected to other devices, and the paths among clients, network devices and servers needs to be collected through the link layer. With sufficiently detailed information, users can locate network faults correctly.
Link Layer Discovery Protocol (LLDP) is a protocol defined by IEEE 802.1AB. Network management systems can learn the topology and changes of L2 networks through LLDP. LLDP organizes local device information into Type/Length/Value (TLV) fields and encapsulates them in a Link Layer Discovery Protocol Data Unit (LLDPDU), which is sent to the directly connected neighbor. At the same time, LLDP saves the LLDPDUs sent by neighbors in the standard MIB, so that network management systems can query and determine the communication states of links.
LLDP Features
LLDP is defined in 802.1AB. As shown in Figure 14-1, LLDP works at the data link layer. It is a neighbor discovery protocol that defines a standard for Ethernet devices (such as switches, routers and wireless LAN access points). Through LLDP, an Ethernet device can advertise its existence to other nodes on the network and save discovery information of neighbor devices. The device sends the state information to other devices. The information is stored on each port of all devices. If necessary, the device can send update information to the neighbor devices that are connected directly, and the neighbor devices store the information in standard SNMP MIBs.
Figure 14-1 LLDP System Structure
- Network management systems can query the L2 connection information in the MIB. LLDP does not configure or control network elements or traffic. It only reports the position of L2. Another function defined in 802.1AB is that network management software can use the information provided by LLDP to find conflicts in the L2 network. At present, IEEE uses the physical topology, interface and entity MIBs existing in IETF.
- A device that supports LLDP must support chassis ID advertisements and port ID advertisements. Most devices need to support system name advertisements, system description advertisements and system capability advertisements. System name advertisements and system description advertisements can provide useful information to collect network traffic. System description advertisements can also contain information such as the full name of the device, the type of the system hardware and the version of the software operating system.
- LLDP information is transmitted periodically and it can only be stored for a period. IEEE has defined a recommended transmission frequency, about once per 30 seconds. When an LLDP device receives an LLDP packet sent by a neighbor LLDP device, it stores the information in the cache of the SNMP MIB defined by IEEE. The information expires after a period. The TTL value that defines the period is contained in the received packets.
- LLDP enables network management systems to discover and model physical network topologies correctly. LLDP devices send and receive advertisements, so the devices save the information of the discovered neighbor devices. The advertisement data, such as the management address, device type and port number of a neighbor device, is helpful to know the type and interconnected interfaces of the neighbor device.
- An LLDP device advertises its information to directly connected neighbor devices periodically. It also receives, refreshes and saves the advertisements from neighbor devices. The device scans the cache every second. If no new packet is received during the hold-time period, the information is aged.
- LLDP defines a general advertisement set, a transport advertisement protocol and a method of storing all received advertisements. A device that wants to advertise its information can put several advertisements in a LAN packet. The advertisements are transmitted as TLV fields. The information includes the chassis ID (mandatory), port ID (mandatory), system name, system function, system description and some other attributes.
  - Chassis ID is the first mandatory TLV in an LLDPDU. It is the unique ID of a device that sends LLDPDUs. It is recommended to use the chassis MAC address as the chassis ID for a switch, and use the loopback address or an interface IP address as the chassis ID for a router.
  - Port ID is the second mandatory TLV in an LLDPDU. It is the unique ID of the port that sends LLDPDUs. For a switch, it is recommended to use the port name as the port ID, such as fei4/1.
  - TTL is the third mandatory TLV in an LLDPDU. It is the lifetime (in seconds) of an LLDPDU received by the peer. When a peer receives an LLDPDU of which the TTL is 0, the device deletes all related information.
  - End of LLDPDU is the last mandatory TLV in an LLDPDU. It defines the end of an LLDPDU.
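Added example, not part of the ZTE guide: a receive-side parser that enforces the mandatory TLV order described above (Chassis ID, Port ID, TTL, then End of LLDPDU) and a neighbor table that ages entries by TTL, deletes them on TTL 0 and refuses new neighbors once a maxneighbor-style limit is reached. All function and class names, the MAC addresses and the TTL of 120 in the usage are constructed for illustration.

```python
import struct

END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in two bytes, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(pdu):
    """Split an LLDPDU into TLVs and check the mandatory ones."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(pdu):
            raise ValueError("LLDPDU ends without an End of LLDPDU TLV")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        tlvs.append((tlv_type, pdu[offset:offset + length]))
        offset += length
        if tlv_type == END:          # anything after it is frame padding
            break
    if [t for t, _value in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    chassis, port, ttl = (value for _t, value in tlvs[:3])
    # Chassis and port values are a subtype byte plus a 1..255 byte identifier.
    if not 2 <= len(chassis) <= 256 or not 2 <= len(port) <= 256 or len(ttl) < 2:
        raise ValueError("mandatory TLV has an invalid length")
    return {
        "chassis": (chassis[0], chassis[1:]),
        "port": (port[0], port[1:]),
        "ttl": struct.unpack_from("!H", ttl)[0],
        "optional": tlvs[3:-1],
    }


class NeighborTable:
    """Per-interface neighbor cache with a hard size limit."""

    def __init__(self, max_neighbors=8):
        self.max_neighbors = max_neighbors
        self.neighbors = {}          # (chassis, port) -> expiry time in seconds

    def receive(self, pdu, now):
        info = parse_lldpdu(pdu)
        key = (info["chassis"], info["port"])
        if info["ttl"] == 0:         # shutdown advertisement: forget the neighbor
            return "deleted" if self.neighbors.pop(key, None) is not None else "ignored"
        if key not in self.neighbors and len(self.neighbors) >= self.max_neighbors:
            return "table-full"      # unknown senders cannot evict known ones
        status = "refreshed" if key in self.neighbors else "added"
        self.neighbors[key] = now + info["ttl"]
        return status

    def age(self, now):
        """Drop entries whose TTL has run out; returns how many were removed."""
        expired = [key for key, expiry in self.neighbors.items() if expiry <= now]
        for key in expired:
            del self.neighbors[key]
        return len(expired)


def sample_lldpdu(mac, port_name, ttl):
    """Constructed LLDPDU: MAC-address chassis ID (subtype 4), interface-name port ID (subtype 5)."""
    return (tlv(CHASSIS_ID, b"\x04" + mac)
            + tlv(PORT_ID, b"\x05" + port_name.encode())
            + tlv(TTL, struct.pack("!H", ttl))
            + tlv(END, b""))


if __name__ == "__main__":
    table = NeighborTable(max_neighbors=1)
    peer = bytes.fromhex("020000000001")
    print(table.receive(sample_lldpdu(peer, "fei4/1", 120), now=0))
    print(table.receive(sample_lldpdu(bytes.fromhex("020000000002"), "fei4/2", 120), now=1))
    print(table.receive(sample_lldpdu(peer, "fei4/1", 0), now=2))
```

LLDPDUs are unauthenticated, so the size limit and the strict length checks are what keep a directly attached device from filling the table or crashing the parser.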
14.2 Configuring LLDP
This procedure describes how to configure basic attributes and functions for the LLDP.
Steps
1. Configure LLDP.
To configure LLDP on ZXR10 ZSR V2, perform the following steps.
Step Command Function
1 ZXR10(config)#lldp
This enters LLDP configuration mode.
2 ZXR10(config-lldp)#hellotime <times>
This configures the interval to send LLDP neighbor discovery packets. It is in the unit of second, and it is in the range of 5–32768, the default value is 30.
2 ZXR10(config-lldp)#holdtime <time>
This configures the hold-time of an LLDP neighbor. The <times> parameter is a multiple of the interval to send LLDP neighbor discovery packets. It is in the range of 2–10, and the default value is 4.
2 ZXR10(config-lldp)#maxneighbor <num>
This configures the maximum number of neighbors that can be discovered by LLDP, in the range of 1–128, with the default value of 128.
3 ZXR10(config-lldp)#lldp {enable | disable}
Enables/Disables LLDP function.
4 ZXR10(config-lldp)#lldp-rx {enable | disable}
Enables/Disables LLDP receive function.
5 ZXR10(config-lldp)#lldp-tx {enable | disable}
Enables/Disables LLDP send function.
6 ZXR10(config-lldp)#txcreditmax <credit>
This configures the maximum credit number, in the range of 1-10, with the default value of 5.
6 ZXR10(config-lldp)#txfastinit <num>
This configures the packets number of fast transmit, in the range of 1-8, with the default value of 4.
6 ZXR10(config-lldp)#msgfasttx <interval>
This configures the interval of fast transmit packets, in the range of 1-3600, with the default value of 1s.
2. Configure LLDP in interface configuration mode.
Step  Command                                                           Function
1     ZXR10(config-lldp-if-interface-name)#lldp {enable | disable}      Enables/Disables LLDP in an interface.
2     ZXR10(config-lldp-if-interface-name)#lldp-rx {enable | disable}   Enables/Disables LLDP receive function in an
                                                                        interface.
3     ZXR10(config-lldp-if-interface-name)#lldp-tx {enable | disable}   Enables/Disables LLDP send function in an
                                                                        interface.
4     ZXR10(config-lldp-if-interface-name)#maxneighbor <num>            This configures the maximum number of neighbors
                                                                        that can be discovered by LLDP, in the range of
                                                                        1-8, with the default value of 8.
3. Verify the configurations.
Command                                                   Function
ZXR10#show lldp {config [interface <interface-name>] |    This shows LLDP configuration information,
  entry [interface <interface-name>] |                    detailed neighbor information, brief neighbor
  neighbor [interface <interface-name>] |                 information and statistical information.
  statistic [interface <interface-name>]}
4. Maintain the LLDP.
Command                                           Function
ZXR10#debug lldp {adjacency | event |             This shows LLDP related information, event information
  packets [receive | send] | all}                 and packets sending and receiving information.
ZXR10(config-lldp)#clearneighbor                  This clears an LLDP neighbor relationship that has been
                                                  established.
ZXR10(config-lldp)#clearstatistic                 This clears LLDP statistical information.
ZXR10(config-if-interface-name)#clearneighbor     This clears an LLDP neighbor relationship that has been
                                                  established on an interface.
ZXR10(config-if-interface-name)#clearstatistic    This clears LLDP statistical information on an interface.
– End of Steps –
14.3 LLDP Configuration Examples
14.3.1 LLDP Neighbor Configuration Example
Configuration Description
As shown in Figure 14-2, it is required to configure LLDP on gei-1/1 of R1.
Figure 14-2 LLDP Neighbor Configuration Example
Configuration Flow
1. Enter LLDP configuration mode.
2. Enter an interface.
3. Enable LLDP.
Configuration Command
Enter an interface in LLDP configuration mode and then configure LLDP, as shown below.
R1(config)#lldp
R1(config-lldp)#interface gei-1/1
R1(config-lldp-if-gei-1/1)#lldp enable
R1(config-lldp-if-gei-1/1)#end
Configuration Verification
Use the show lldp neighbor command to check the configuration result, as shown below.
R1(config)#show lldp neighbor
Capability Codes:
    N - Other, r - Repeater, B - Bridge, W - WLAN Access Point,
    R - Router, T - Telephone, D - DOCSIS Cable Device,
    S - Station Only
Local-Port   Chassis-ID     Holdtime   Capability   Platform       Peer-Port
---------------------------------------------------------------------------
gei-1/1      0023e4221134   103        B R          6800v1.00.20   gei-1/1
14.3.2 LLDP Attribute Configuration Example
Configuration Description
As shown in Figure 14-3, it is required to configure LLDP attributes on R1.
Figure 14-3 LLDP Attribute Configuration Example
Configuration Flow
1. Enter LLDP configuration mode.
2. Configure LLDP attributes.
Configuration Command
The configuration of R1:
R1(config)#lldp
R1(config-lldp)#maxneighbor 3
/*Configure the maximum number of system neighbors*/
R1(config-lldp)#hellotime 30000
/*Configure the intervals to send LLDP neighbor discovery packets*/
R1(config-lldp)#holdtime 8
/*Configure LLDP neighbor hold-time*/
R1(config-lldp)#lldp enable
/*Enable LLDP*/
R1(config-lldp)#lldp-rx enable
/*Enable LLDP receiving*/
R1(config-lldp)#lldp-tx enable
/*Enable LLDP sending*/
R1(config-lldp)#clearneighbor
/*Clear LLDP neighbor relationship that has been established*/
R1(config-lldp)#clearstatistic
/*Clear LLDP statistical information*/
R1(config-lldp)#end
Configuration Verification
Use the show running-config lldp command to check the configuration result.
ZXR10#show running-config lldp
! <LLDP>
lldp
hellotime 30000
holdtime 8
maxneighbor 3
! </LLDP>
Chapter 15
Network Layer Detection
Table of Contents
Configuring ICMP Fast Response
Configuring IP Source Route Option Processing
Configuring ICMP Unreachable Packet Function
Enabling an Interface to Send ICMP Unreachable Packets
Configuring IP Ping
Configuring IP Trace
Configuring LSP Ping
Configuring LSP Trace
Configuring Multicast Ping
Configuring Multicast Trace
Configuring MAC Ping
Configuring MAC Trace
IP Performance Maintenance
15.1 Configuring ICMP Fast Response
Overview
In contrast to the ICMP slow response function, the ICMP fast response function reduces delays and delay jitter of ping packets, and increases the standard-reaching rate of network delays.
To detect the connectivity with another node, one node uses the ICMP response function. The source node sends an ICMP Echo Request packet to the destination node. After receiving this packet, the destination node returns an ICMP Echo Reply packet. When the source node receives the corresponding Reply packet, it determines that the network is connected.
The ICMP slow response function means that a destination node sends received Request packets to the control plane, which returns Reply packets. To reduce delays, the ICMP fast response function directly returns Reply packets.
Configuration Commands
To configure the ICMP fast response function, run the following command on the ZXR10 ZSR V2:
Command                                     Function
ZXR10(config)#ip icmp-fast-reply            Enables the ICMP fast response (ping) function. This
                                            function is enabled by default.
Maintenance Commands
To maintain the ICMP fast response function, run the following commands on the ZXR10 ZSR V2:
Command                                     Function
ZXR10#debug ip icmp                         Enables the ICMP debug function, which displays debug
                                            information on ICMP processing, and at the same time
                                            disables the ICMP fast ping function.
ZXR10#debug ip icmp detail                  Enables the ICMP debug function, which displays detailed
                                            debug information on ICMP processing, and at the same
                                            time disables the ICMP fast response function.
ZXR10#debug ip interface <interface-name>   Enables the IP debug function on the configuration
                                            interface, which displays debug information on IP
                                            processing, and at the same time disables the ICMP fast
                                            response function.
ZXR10#debug ip                              Enables the IP debug function, which displays debug
                                            information on IP-layer processing, and at the same time
                                            disables the ICMP fast response function.
ZXR10#show debug icmp                       Displays the enabled ICMP debug functions.
ZXR10#show debug ip                         Displays the enabled IP debug functions.
ZXR10#show ip traffic                       Displays statistics of received and sent packets at the
                                            IP, ICMP, UDP, and TCP layers.
ZXR10#clear ip traffic                      Clears statistics of received and sent packets at the
                                            IP, ICMP, UDP, and TCP layers.
Configuration Example
• Configuration Description
As shown in Figure 15-1, the interface gei-1/1 of R1 is connected to gei-1/1 of R2 directly. The ICMP fast response (ping) function is required between R1 and R2.
Figure 15-1 ICMP Fast Response Configuration Example
• Configuration Flow
1. Configure IP addresses of R1 and R2 interfaces.
2. Test the configuration result to make sure that the ICMP fast response (ping) function is enabled between R1 and R2.
• Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
R1(config-if-gei-1/1)#exit
Run the following commands on R2:
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 10.1.1.2 255.255.255.0
R2(config-if-gei-1/1)#exit
• Configuration Verification
Run the following command to check the configurations on R1. The execution result is displayed as follows:
R1#ping 10.1.1.2
sending 5,100-byte ICMP echoes to 10.1.1.2,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/21 ms.
Run the following command to check the configurations on R2. The execution result is displayed as follows:
R2#ping 10.1.1.1
sending 5,100-byte ICMP echoes to 10.1.1.1,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/21 ms.
Note:
The ICMP fast response function is enabled by default. If the corresponding debug function is enabled and then ping is performed, the ICMP fast response (ping) function is disabled.
15.2 Configuring IP Source Route Option Processing
Overview
IP allows a source host to specify a path through an IP network in advance. This path is called a source route. If a source route is specified, the software forwards packets according to the source route. This function can be used to force a packet to pass a network along a specified route. By default, the software uses a source route.
An IP data packet contains an options field whose length is variable. The options field is used for testing and debugging networks. Each option in this field begins with an option code octet that identifies an option type. Option types are listed below:
• Loose source route option
• Strict source route option
The router software checks the IP header options of each packet. If it finds that one of the options is valid, the software performs corresponding operations. If it finds an invalid option, the software drops the packet and sends an ICMP parameter-problem packet to the packet source.
For example, the option code of the loose source route option is 131. Its length is variable, and is determined by the source. The format is shown in Figure 15-2.
Figure 15-2 Loose Source Route Option Packet Format
The length field represents the length of the option in octets (including the option code, length and pointer fields). The pointer field points to the source address of the next hop, and the minimum value is 4 (that is, pointing to the IP address of the first hop). The addresses following the pointer field are the hops designated by the source. The packet must pass these hops.
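The following Python code is an added example, not part of the ZTE guide and not the ZXR10 implementation. It walks the options of an IPv4 header, validates a source route option against the code, length and pointer rules described above, and reports the octet an ICMP parameter-problem packet would point at. Option code 137 (strict) and the End of Option List/No Operation codes come from RFC 791; the helper names and sample addresses are assumptions.

```python
import ipaddress
import struct

LSRR, SSRR = 131, 137        # 131 is given on the page; 137 (strict) is from RFC 791
EOL, NOP = 0, 1              # single-octet options from RFC 791


class OptionError(ValueError):
    def __init__(self, message, offset):
        super().__init__(message)
        self.offset = offset             # octet offset inside the IP header


def source_route_option(code, pointer, hops, length=None):
    """Constructed option bytes; `length` can be overridden to build a malformed one."""
    data = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([code, 3 + len(data) if length is None else length, pointer]) + data


def build_header(options=b""):
    """Constructed IPv4 header (checksum left at 0) carrying the given options."""
    options += bytes(-len(options) % 4)              # pad with End of Option List
    ihl = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address("10.10.10.2").packed,
                       ipaddress.IPv4Address("10.10.50.2").packed) + options


def ip_options(header):
    """Yield (offset, option_bytes) for every multi-octet option in the header."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise OptionError("bad header length", 0)
    offset = 20
    while offset < ihl:
        code = header[offset]
        if code == EOL:
            return
        if code == NOP:
            offset += 1
            continue
        if offset + 2 > ihl:
            raise OptionError("option has no length octet", offset)
        length = header[offset + 1]
        if length < 2 or offset + length > ihl:
            raise OptionError("option length out of range", offset + 1)
        yield offset, header[offset:offset + length]
        offset += length


def source_route(header):
    """Return the first source route option as a dict, or None if there is none."""
    for offset, opt in ip_options(header):
        if opt[0] not in (LSRR, SSRR):
            continue
        length = len(opt)
        if length < 3 or (length - 3) % 4:
            raise OptionError("route data is not a whole number of addresses", offset + 1)
        pointer = opt[2]
        if pointer < 4 or pointer % 4 or pointer > length + 1:
            raise OptionError("pointer below 4, misaligned or past the option", offset + 2)
        hops = [str(ipaddress.IPv4Address(opt[i:i + 4])) for i in range(3, length, 4)]
        index = (pointer - 4) // 4                   # pointer 4 selects the first address
        return {
            "kind": "loose" if opt[0] == LSRR else "strict",
            "hops": hops,
            "next_hop": hops[index] if index < len(hops) else None,   # None: route used up
        }
    return None


def check_packet(header):
    """Return ('forward', route-or-None) or ('drop', offending octet offset)."""
    try:
        return "forward", source_route(header)
    except OptionError as exc:
        return "drop", exc.offset        # the offset an ICMP parameter problem would carry
```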
Configuration Commands
To configure the processing of IP source route options, run the following command on the ZXR10 ZSR V2:
Command                             Function
ZXR10(config)#ip source-route       Enables the ZXR10 ZSR V2 processing of packets with IP
                                    source route options.
Maintenance Commands
To display the IP source route option configuration, run the following command on the ZXR10 ZSR V2:
Command                             Function
ZXR10#show running-config ip all    Displays whether the IP source route option processing
                                    function is configured.
Refer to 15.1 Configuring ICMP Fast Response for maintenance commands relevant to packet sending and receiving.
Configuration Example
• Configuration Description
As shown in Figure 15-3, it is required to configure the IP source route option processing function.
Figure 15-3 IP Source Route Option Processing Configuration Example
• Configuration Flow
1. Configure IGP and unicast routes so that the routers can ping each other successfully.
2. Configure source route options on R1.
3. Make the source send IP packets with correct IP options.
4. Make the source send IP packets with incorrect IP options.
• Configuration Command
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 10.10.20.1 255.255.255.0
R1(config-if-gei-1/1)#exit
R1(config)#router ospf 1
R1(config-ospf-1)#network 10.10.10.0 0.0.0.255 area 0
R1(config-ospf-1)#network 10.10.20.0 0.0.0.255 area 0
R1(config-ospf-1)#exit
R1(config)#ip source-route
Run the following commands on R2:
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 10.10.20.2 255.255.255.0
R2(config-if-gei-1/1)#exit
R2(config)#router ospf 1
R2(config-ospf-1)#network 10.10.20.0 0.0.0.255 area 0
R2(config-ospf-1)#network 10.10.50.0 0.0.0.255 area 0
R2(config-ospf-1)#exit
• Configuration Verification
When the source sends IP packets with correct IP options, the traffic is forwarded properly.
When the source sends IP packets with incorrect IP options, the packets are dropped.
15.3 Configuring ICMP Unreachable Packet Function
Overview
If the router receives a non-multicast packet sent by an unknown protocol, the router returns an ICMP unreachable packet to the source address. Similarly, if the router receives a packet that cannot be sent to the destination (because the route to the destination is unknown), it sends an ICMP host unreachable packet to the source address. By default, ICMP unreachable packets are valid.
Configuration Commands
To configure the ICMP unreachable packet function, run the following commands on the ZXR10 ZSR V2:
Command                                               Function
ZXR10(config)#icmp-config                             Enters ICMP configuration mode.
ZXR10(config-icmp)#interface <interface-name>         Enters ICMP interface configuration mode.
ZXR10(config-icmp-if-interface-name)#ip unreachable   Enables the interface function of sending ICMP
                                                      unreachable packets.
Maintenance Commands
To view detailed information on packet sending and receiving after the ICMP unreachable packet function is configured, run the following command. For other commands, refer to 15.1 Configuring ICMP Fast Response.
Command                                               Function
ZXR10#debug ip icmp detail                            Displays information on ICMP packets.
Configuration Example
• Configuration Description
As shown in Figure 15-4, R1 receives packets with an unknown protocol, and ICMP unreachable packets are valid.
Figure 15-4 ICMP Unreachable Packet Function Configuration Example
• Configuration Flow
1. Enter ICMP configuration mode.
2. Enable the ICMP unreachable packet function on a specified interface.
3. Configure ICMP unreachable packets to be valid on the interface.
• Configuration Commands
Run the following commands on R1:
R1(config)#icmp-config
R1(config-icmp)#interface gei-1/1
R1(config-icmp-if-gei-1/1)#ip unreachable
R1(config-icmp-if-gei-1/1)#exit
R1(config-icmp)#exit
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#ip address 60.0.0.1 255.255.255.0
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip forward unreachable
R1(config-if-gei-1/1)#exit
• Configuration Verification
When the PC sends unknown protocol packets to R1, R1 sends ICMP unreachable packets to the PC.
15.4 Enabling an Interface to Send ICMP Unreachable Packets
Overview
Packets that are regarded as ICMP unreachable are dropped. To make these packets valid, you need to configure this function for the interface. Then, the forwarding plane reports a packet whose protocol is unknown or whose route cannot be found to the control plane. The control plane returns an ICMP unreachable packet to the source node. This function is disabled by default.
Configuration Commands
To enable an interface to send ICMP unreachable packets, run the following command on the ZXR10 ZSR V2:
Command                                                  Function
ZXR10(config)#interface <interface-name>                 Enters the interface configuration mode.
ZXR10(config-if-interface-name)#ip forward unreachable   Enables the interface to send unreachable packets.
                                                         Ethernet and POS interfaces are supported.
Maintenance Commands
To view information on packet sending and receiving after the configuration is performed, run the following command on the ZXR10 ZSR V2. For other commands, refer to 15.1 Configuring ICMP Fast Response.
Command                                                  Function
ZXR10#debug ip icmp detail                               Displays information on ICMP packets.
Configuration Example
• Configuration Description
As shown in Figure 15-5, the interface receives a packet with an unknown destination, and returns an ICMP unreachable packet.
Figure 15-5 Configuration Example of an Interface Sending ICMP Unreachable Packets
• Configuration Flow
1. Configure interface addresses for the devices.
2. Configure a static route between the two devices that are not directly connected.
3. Configure ICMP unreachable packets to be valid on the interface.
• Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#exit
R1(config)#ip route 1.2.3.4 255.255.255.255 10.1.1.2
Run the following commands on R2:
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#ip address 10.1.1.2 255.255.255.0
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip forward unreachable
R2(config-if-gei-1/1)#exit
R2(config)#icmp-config
R2(config-icmp)#interface gei-1/1
R2(config-icmp-if-gei-1/1)#ip unreachable
R2(config-icmp-if-gei-1/1)#exit
• Configuration Verification
R2 does not have a route to 1.2.3.4/32.
Run the debug ip icmp detail command on R2. Run the ping 1.2.3.4 command on R1. You can see that R2 sends host unreachable packets to R1.
15.5 Configuring IP Ping
Overview
• Description of Ping
The name ping originates from sonar location. Ping is used to test whether another host is reachable. The program sends an ICMP Echo Request to the host and waits for an ICMP Echo Reply.
If a host cannot be pinged successfully, the host cannot be logged in to through Telecommunication Network Protocol (TELNET) or FTP. Conversely, if a host cannot be logged in to through TELNET, the ping program can be used to find out the problem. The ping program can also be used to measure the round-trip time to the host, which indicates how far away the host is.
• Characteristics of Ping
The ping command sends an ICMP Echo Request. If the destination receives the ICMP Echo Request, it sends an ICMP Echo Reply to the source address of the Echo Request. Therefore, the ping command can be used to diagnose network connectivity faults.
The ping program that sends an Echo Request is called a client, and the host that is pinged is called a server. The kernels of most Transmission Control Protocol/Internet Protocol (TCP/IP) implementations support a ping server directly. The server is not a user process.
The format of an ICMP Echo Request and an ICMP Echo Reply is shown in Figure 15-6.
Figure 15-6 Format of an ICMP Echo Request/Reply
If the type code is 8, it is an ICMP Echo Request packet. If the type code is 0, it is an ICMP Echo Reply packet.
As with other types of ICMP query packets, a server must reply with the identifier and the serial number. In addition, the option sent by a client must be echoed. It is supposed that the client is interested in the information.
The serial number starts from 0, and it increments by one when a new Echo Request is sent. The ping program displays the serial number of each returning packet, which allows users to check whether packets are lost, out of order or duplicated.
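The following Python code is an added example, not part of the ZTE guide. It builds ICMP Echo Request and Echo Reply messages with the type, identifier and serial number fields described above, then uses the echoed serial numbers to report lost, duplicated and out-of-order replies. The checksum routine follows RFC 1071; the identifier, payloads and arrival order are constructed sample values.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0          # type codes given on the page


def checksum(data):
    """Internet checksum (RFC 1071) over a whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(msg_type, identifier, sequence, payload):
    """Type, code 0, checksum, identifier, serial number, then the optional data."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, identifier, sequence)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, identifier, sequence) + payload


def parse_echo(message):
    """Return (type, identifier, sequence, payload) after verifying the checksum."""
    if len(message) < 8 or checksum(message) != 0:
        raise ValueError("short message or bad checksum")
    msg_type, code, _, identifier, sequence = struct.unpack("!BBHHH", message[:8])
    if msg_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an ICMP echo message")
    return msg_type, identifier, sequence, message[8:]


def reply_to(request):
    """The ping server's job: echo identifier, serial number and data back as type 0."""
    msg_type, identifier, sequence, payload = parse_echo(request)
    if msg_type != ECHO_REQUEST:
        raise ValueError("only Echo Requests are answered")
    return build_echo(ECHO_REPLY, identifier, sequence, payload)


def analyse(sent, replies, identifier):
    """Compare replies with what was sent: sent maps serial number -> payload."""
    seen, order = {}, []
    for raw in replies:
        msg_type, ident, seq, payload = parse_echo(raw)
        if msg_type != ECHO_REPLY or ident != identifier or sent.get(seq) != payload:
            continue                          # not an answer to one of our requests
        seen[seq] = seen.get(seq, 0) + 1
        if seen[seq] == 1:
            order.append(seq)
    return {
        "lost": sorted(set(sent) - set(seen)),
        "duplicated": sorted(s for s, n in seen.items() if n > 1),
        "disordered": [s for prev, s in zip(order, order[1:]) if s < prev],
        "success_rate": 100 * len(seen) // len(sent),
    }


def demo():
    """Five requests (the default repeat count); constructed replies arrive as 0, 2, 1, 2, 4."""
    identifier = 0x1234                                   # constructed
    sent = {seq: b"constructed payload %d" % seq for seq in range(5)}
    requests = {s: build_echo(ECHO_REQUEST, identifier, s, p) for s, p in sent.items()}
    replies = [reply_to(requests[s]) for s in (0, 2, 1, 2, 4)]
    return analyse(sent, replies, identifier)
```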
Configuration Commands
To configure IP ping on the ZXR10 ZSR V2, run the following commands:
Command                                                             Function
ZXR10>ping [vrf <vrf-name>] {<ip-address> | domain <domain-name>}   Pings an IP address in user mode.
ZXR10#ping [{dcn | vrf <vrf-name>}] {<ip-address> |                 Pings an IP address in privileged mode.
  domain <domain-name>} [df-bit <don't-frag>] [pattern <string>]
  [speed {limit {0 | <limit-num>} | interval <interval-number>}]
  [repeat <repeat-count>] [size <datagram-size>]
  [source <source-address>] [timeout <timeout>] [tos <tos>]
  [ttl <ttl>] [option {[{loose | strict} <source-route-address>]
  [record <record-hops>] [timestamp <record-timestamps>] [none]}]
  [interface <interface-name>]
ZXR10#ping vrf <vrf-name> <ip-address>                              Pings an IP address that belongs to the named Virtual
                                                                    Route Forwarding Table (VRF). The range of the VRF
                                                                    name is 1–32 characters.
ZXR10#ping dcn <ip-address>                                         Pings an IP address that belongs to a Data
                                                                    Communications Network (DCN).
ZXR10#ping domain <domain-name>                                     Pings a Domain Name System (DNS) domain name.
domain <domain-name>: DNS domain name, range: 1–128 characters.
repeat <repeat-count>: number of retry attempts, range: 1–65535, default: 5.
size <datagram-size>: size of a ping packet, range: 36–8192, default: 100 bytes.
timeout <timeout>: timeout period, unit: second, range: 1–20.
tos <tos>: Type of Service (ToS) of a sent packet, range: 0–255, default: 0.
ttl <ttl>: Time To Live (TTL), range: 1–255.
df-bit <don't-frag>: flag indicating no fragmentation, options: 0, 1, default: 0 (indicating that fragmentation is allowed).
pattern <pad>: value of the pad field in a packet.
option: whether to configure the IP options. The value 1 means that IP options can be configured.
speed limit <limit-num>: number of ping packets sent per second.
speed interval <interval-seconds>: interval between two data request packets, unit: second, range: 2–10.
loose | strict <source-route-address>: specified source station route, format: dotted decimal.
record <record-hops>: maximum number of hops that needs to be recorded, range: 1–9.
timestamp <record-timestamps>: maximum number of timestamps that needs to be recorded, range: 1–9.
Maintenance Commands
To maintain IP Ping, run the following command on the ZXR10 ZSR V2:
Command                 Function
ZXR10#debug ip icmp     Displays the information on ICMP packets sent and received
                        when the ping command is run.
Configuration Example
• Configuration Description
As shown in Figure 15-7, two interfaces on two devices in the same network segment use the ping command to test the connectivity.
Figure 15-7 IP Ping Configuration Example
• Configuration Flow
1. Enter interface configuration mode and configure IP addresses on the interfaces for communication.
2. Run the ping command in privileged mode.
• Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 100.0.0.15 255.255.255.0
R1(config-if-gei-1/1)#exit
Run the following commands on R2:
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 100.0.0.20 255.255.255.0
R2(config-if-gei-1/1)#exit
• Configuration Verification
Run the ping command on R1 to check the connectivity. The execution result is displayed as follows:
R1#ping 100.0.0.20
sending 5,100-byte ICMP echoes to 100.0.0.20,timeout is 2 seconds.
!!!!! /*The result shows that the address can be pinged successfully.*/
Success rate is 100 percent(5/5),round-trip min/avg/max= 17/18/20ms.
R1#ping 100.0.0.21
sending 5,100-byte ICMP echoes to 100.0.0.21,timeout is 2 seconds.
..... /*The result shows that the address cannot be pinged successfully.*/
Success rate is 0 percent(0/5).
15.6 Configuring IP Trace
Overview
• Description of IP Trace
The trace command is used for debugging. It displays the route that an IP data packet passes through from one host to another. Because the space left for options in an IP header is limited, the route record option cannot be used. The trace command uses ICMP packets and the TTL field in IP headers to accomplish its function.
• Work Flow of IP Trace
IP Trace obtains a router address through the following procedure:
1. The "trace" program sends an IP data packet to the destination host. The value of the TTL field in the IP header is 1. The first router that receives this packet reduces the value of the TTL field by 1. It drops the packet, and returns a timeout ICMP packet. In this way, the address of the first router is obtained.
2. The "trace" program sends an IP data packet whose TTL field in the IP header is 2. In this way, the address of the second router is obtained.
3. The "trace" program continues with this procedure until a packet arrives at the destination host.
IP Trace identifies the end of "trace" through the following procedure:
1. The "trace" program sends a UDP data packet with a large destination port number to the destination host, so that it is impossible for any application on the destination host to use that port.
2. When the data packet arrives at the host, the UDP module generates an ICMP packet indicating that the port is unreachable.
3. In this way, by identifying whether the received ICMP packet is a timeout packet or an unreachable port packet, the sending side knows when "trace" ends.
The interfaces between the "trace" module and sub-modules are shown in Figure 15-8.
Figure 15-8 Interfaces Between the "Trace" Module and Sub-Modules
Configuration Commands
To configure IP trace on ZXR10 ZSR V2, run the following commands:
Command                                                 Function
ZXR10>trace [vrf <vrf-name>] <ip-address>               Traces an IP address in user mode.
ZXR10#trace [{dcn | vrf <vrf-name>}] {<ip-address> |    Traces an IP address in privileged mode.
  domain <domain-name>} [source <source-address>]
  [maxttl <ttl>] [timeout <timeout>]
The trace command uses ICMP error packets. An ICMP error packet is generated when a data packet exceeds its TTL value. By sending a data packet whose TTL value is 1, the trace command triggers the first router to drop the packet and return an error packet. A TTL timeout packet means that an intermediate router receives the packet and the router gives up detection. An ICMP error packet indicating the destination is unreachable means that the destination node receives the packet but it cannot submit the packet. If the timer stops before a reply arrives, the "trace" program displays a "*" mark.
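The following Python code is an added example, not part of the ZTE guide and not the ZXR10 implementation. It runs the work flow and the ICMP error handling described above against a constructed, offline path: each probe carries an increasing TTL, each ICMP answer is matched to its probe through the quoted UDP header, and the answer type decides between "hop", "destination" and "*". It sends one probe per TTL for brevity; the base port 33434, the ICMP type and code numbers (RFC 792) and the path addresses are assumptions.

```python
import struct

TIME_EXCEEDED, DEST_UNREACHABLE, PORT_UNREACHABLE = 11, 3, 3   # ICMP numbers from RFC 792
BASE_PORT = 33434          # assumption: the page only says the port number is large
UDP = 17

# Constructed path: three routers (the third never answers), then the destination.
SAMPLE_PATH = ["192.0.2.1", "198.51.100.1", None, "203.0.113.9"]


def udp_probe(ttl, dport, dst):
    """IPv4 and UDP headers of one probe (constructed; checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, UDP, 0, bytes(4), dst)
    return ip + struct.pack("!HHHH", 40000, dport, 8, 0)


def icmp_error(icmp_type, code, original):
    """ICMP error: 8-octet header, then the offending IP header plus 8 octets of data."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]


def classify(icmp, expected_port):
    """Return 'hop', 'destination' or None for an ICMP message answering our probe."""
    if len(icmp) < 36:
        return None
    inner = icmp[8:]                                  # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != UDP or len(inner) < ihl + 4:
        return None                                   # does not quote a UDP probe
    if struct.unpack_from("!H", inner, ihl + 2)[0] != expected_port:
        return None                                   # answers some other probe
    if icmp[0] == TIME_EXCEEDED and icmp[1] == 0:
        return "hop"                                  # TTL ran out at an intermediate router
    if icmp[0] == DEST_UNREACHABLE and icmp[1] == PORT_UNREACHABLE:
        return "destination"                          # the probe reached the target host
    return None


def simulate(path, probe):
    """Constructed stand-in for the network: (responder, icmp_bytes) or None on timeout."""
    ttl = probe[8]
    if ttl < len(path):
        router = path[ttl - 1]
        if router is None:
            return None                               # silent router: the timer expires
        return router, icmp_error(TIME_EXCEEDED, 0, probe)
    return path[-1], icmp_error(DEST_UNREACHABLE, PORT_UNREACHABLE, probe)


def trace(path, max_ttl=30):
    """Return [(ttl, responder-or-'*'), ...], stopping at the port unreachable answer."""
    dst = bytes(int(octet) for octet in path[-1].split("."))
    rows = []
    for ttl in range(1, max_ttl + 1):
        port = BASE_PORT + ttl                        # distinct port identifies the probe
        answer = simulate(path, udp_probe(ttl, port, dst))
        kind = classify(answer[1], port) if answer else None
        rows.append((ttl, answer[0] if kind else "*"))
        if kind == "destination":
            break
    return rows
```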
Maintenance Commands
The following example shows the output of the trace command used in privileged mode. The trace command traces the path to 168.1.10.100.
ZXR10#trace 168.1.10.100
tracing the route to 168.1.10.100
1 168.1.10.100 2 ms 3 ms 5 ms
[finished]
Descriptions of the command output:
Command Output    Description
1                 The sequence number of a router along the route to the destination.
168.1.10.100      The IP address of a router along the route. The last IP address is the destination.
2 ms 3 ms 5 ms    The time of each of the three round trips for detection.
Configuration Example
• Configuration Description
As shown in Figure 15-9, the trace command is run on R1 to detect the route to R2.
Figure 15-9 IP Trace Configuration Example
• Configuration Flow
1. Configure interface addresses and routes.
2. Run the trace command in privileged mode.
• Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 100.0.0.15 255.255.255.0
R1(config-if-gei-1/1)#exit
R1(config)#router ospf 1
R1(config-ospf-1)#network 100.0.0.0 0.0.0.255 area 0
R1(config-ospf-1)#end
• Configuration Verification
The execution result of the trace command on R1 is displayed as follows:
R1#trace 175.103.59.110
tracing the route to 175.103.59.110 over a maximum of 30 hops:
1 100.0.0.22 55 ms 2 ms 2 ms
/*The IP address on the first-hop device and time delays*/
2 10.17.94.81 176 ms 143 ms 333 ms
3 10.28.5.61 131 ms 133 ms 134 ms
4 * * *
/*The fourth-hop device does not return any packet. There are "*" marks.*/
5 202.70.62.169 151 ms 149 ms 146 ms
6 202.43.177.81 176 ms 162 ms 165 ms
7 218.100.27.30 142 ms 134 ms 159 ms
8 175.103.59.110 140 ms 166 ms 138 ms
[finished]
15.7 Configuring LSP Ping
Overview
• Description of LSP Ping
On an MPLS network, if IP ping is used, labels are added to ping packets and label switching is performed. IP ping, however, only checks connectivity on the IP plane, but cannot check LSPs. On an MPLS network, if an LDP session between two LSRs is disconnected, labels cannot be forwarded. In this case, IP ping packets are reachable, but the LSP fails.
Various factors cause LSP faults. For example, an LDP session is disconnected, LDP is not enabled on some LSRs, or an exception occurs in an LDP label forwarding table. A mechanism different from IP ping is needed to detect whether an end-to-end LSP is operating properly. LSP ping was introduced for this purpose.
LSP ping uses a packet belonging to a specific Forwarding Equivalence Class (FEC) to verify the integrity of the LSP (from the source LSR to the destination LSR) that belongs to this FEC. An LSP ping request packet contains information on the corresponding FEC.
• Work Flow of LSP Ping
An LSP ping packet is encapsulated in a UDP packet, and contains a serial number and a time stamp. When processing an LSP ping request packet, MPLS uses the same forwarding policy as for packets of the FEC. When the LSP ping packet reaches an LSP egress, the LSR control plane checks the packet to verify whether this LSP is the correct egress of the FEC.
Similar to IP ping, LSP ping also uses the Echo Request and Echo Reply mechanism. But the LSP ping packet format is completely different from the IP ping packet format. Packets sent by LSP ping are not ICMP packets but UDP packets whose port number is 3503. On an MPLS network, the exchange is as follows:
1. A source device sends a UDP Echo Request packet whose port number is 3503.
2. LSRs forward the Echo Request packet through label switching.
3. When the packet reaches the destination device, the destination device responds with a UDP Echo Reply packet whose port number is 3503.
To prevent IP packets from being forwarded when an IP path is operating properly but an LSP is disconnected, the value of the IP TTL field in an LSP ping Echo Request packet is set to 1, and the destination address of the packet is set to an address in the 127.0.0.0/8 segment. LSRs do not forward such an IP packet without an MPLS label.
An LSP is unidirectional. An LSP ping Echo Request packet is only forwarded along the LSP to be tested. The corresponding Echo Reply packet only sends necessary information to the source, and it does not need to go along the same path as that of the Echo Request packet. The reply packet can also be an IP packet without a label.
The path of an MPLS Echo Request packet of LSP ping and that of the corresponding Echo Reply packet may be different. The destination address and destination port of the Echo Reply packet are the source address and source port of the Echo Request packet respectively.
Configuration CommandsTo configure LSP ping on the ZXR10 ZSR V2, run the following commands:
Command Function
ZXR10#ping mpls ipv4 <ip-address><mask-length
>[output-interface <interface-name>][destination<start-ipv4-address>[<end-ipv4-address>][<increment>]][repeat<repeat-count>| size <datagrame-size>| timeout <timeout>| source{<source-ipv4-address>|<source-ipv6-address>}| ttl <ttl>]
Configures IPv4 LDP LSP ping.
ZXR10#ping mpls traffic-eng te_tunnel<id>[{master|slave}][repeat<repeat-count>| size <datagrame-size>| timeout <timeout>| source{<source-ipv4-address>|<source-ipv6-address>}| ttl <ttl>]
Configures RSVP LSP ping.
ZXR10#ping mpls pseudowire [multisegment]<pw-name>[repeat<repeat-count>| size <datagrame-size>| timeout <timeout>| source{<source-ipv4-address>|<source-ipv6-address>}| ttl <ttl>]
Configures PWE3 LSP ping.
<repeat-count>: number of retry attempts, range: 1–65535, default: 5.
<datagram-size>: LSP ping packet size, range: 100-1500, unit: byte, default: 120.
<timeout>: timeout period, unit: second, range: 1–20, default: 2.
master : specifies that the master LSP sends LSP ping packets.
slave : specifies that the slave LSP sends LSP ping packets.
multisegment: enables the ping multisegment pseudowire function.
Maintenance Commands
To maintain LSP ping on the ZXR10 ZSR V2, run the following command:
Chapter 15 Network Layer Detection
Command: ZXR10#debug lspv {error | event | packet | tlv | all}
Function: Displays information on sent UDP Echo Request packets and received UDP Echo Reply packets when LSP ping is performed.
LDP LSP Ping Configuration Example
• Configuration Description
As shown in Figure 15-10, LDP is enabled on R1, R2 and R3. It is required to configure LSP ping on R1 to check connectivity.
Figure 15-10 LDP LSP Ping Configuration Example
• Configuration Flow
1. Build an LDP network.
2. Perform LDP LSP ping on R1.
• Configuration Commands
For LDP configuration, refer to the MPLS configuration example.
• Configuration Verification
Ping R3 on R1. The result is displayed as follows:
R1#ping mpls ipv4 10.28.0.4 32
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 5/38/151 ms.
Ping R3 (unmatching FEC) on R1. The result is displayed as follows:
R1#ping mpls ipv4 10.28.0.4 30
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
QQQQQ
Success rate is 0 percent(0/5).
R1 cannot ping R3 successfully. LSP ping checks whether the "FEC destination address + mask" is correct. If the "FEC destination address + mask" is incorrect, LSP ping fails.
Ping R3 (nonexistent FEC) on R1. The result is displayed as follows:
R1#ping mpls ipv4 9.9.9.8 32
sending 5,120-byte MPLS echo(es) to 9.9.9.8,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
QQQQQ
Success rate is 0 percent(0/5).
RSVP LSP Ping Configuration Example
• Configuration Description
As shown in Figure 15-11, RSVP is enabled on R1, R2 and R3. Build an Open Shortest Path First–Traffic Engineering (OSPF-TE) network. It is required to configure LSP ping on R1 to check connectivity.
Figure 15-11 RSVP LSP Ping Configuration Example
• Configuration Flow
1. Build an OSPF-TE network.
2. Perform RSVP LSP ping on R1.
• Configuration Command
For RSVP configuration, refer to the OSPF-TE configuration example.
• Configuration Verification
Run the following command to check configurations on R1. The execution result is displayed as follows:
R1#show mpls traffic-eng tunnels brief
Signalling Summary:
LSP Tunnels Process: running
RSVP Process: running
Forwarding: enabled
TUNNEL NAME DESTINATION UP IF DOWN IF STATE/PROT
tunnel_4000 10.28.0.5 - unknown up/down
tunnel_1 10.28.0.4 - gei-1/2 up/up
Test connectivity of the tunnel on R1. The execution result is displayed as follows:
R1#ping mpls traffic-eng te_tunnel1 /*TE tunnel of LSP Ping UP on R1*/
sending 5,120-byte MPLS echo(es) to te_tunnel1,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 2/3/6 ms.
R1#ping mpls traffic-eng te_tunnel4000 /*TE tunnel of LSP Ping DOWN on R1*/
sending 5,120-byte MPLS echos to te_tunnel4000,timeout is 2 seconds.
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
QQQQQ
Success rate is 0 percent(0/5).
PWE3 LSP Ping Configuration Example
• Configuration Description
As shown in Figure 15-12, R1, R2 and R3 form an L2 VPN network. It is required to configure LSP ping on R1 to check connectivity.
Figure 15-12 PWE3 LSP Ping Configuration Example
• Configuration Flow
1. Build an L2 VPN network.
2. Perform PWE3 LSP ping on R1.
• Configuration Commands
Basic LDP configuration is omitted here.
• Configuration Verification
Run the following command to check configurations on R1. The execution result is displayed as follows:
R1#show l2vpn forwardinfo vpnname zte
Hearders: PWType - Pseudowire type and Pseudowire connection mode
Llabel - Local label, Rlabel - Remote label
VPNowner - owner type and instance name
Codes: H - HUB mode, S - SPOKE mode, L - VPLS, W - VPWS, M – MSPW, MO - MONITOR
$pw - auto_
PWName PeerIP FEC PWType State Llabel Rlabel VPNowner
pw1 10.28.0.4 128 Ethernet H UP 81938 82241 L:zte
Run the following command on R1 to test connectivity. The execution result is displayed as follows:
R1#ping mpls pseudowire pw1
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 2/2/2 ms.
15.8 Configuring LSP Trace
Overview
• Description of LSP Trace
To make routers on the Internet report errors of the MPLS LSP data plane or provide information on unexpected conditions, the MPLS trace function is provided. MPLS trace is a simple and effective method of detecting faults on the MPLS LSP data plane. It can detect some faults that the control plane cannot find. By using this method, users can quickly find and isolate faults such as routing black holes and loss of routes.
LSP trace is based on Echo Request and Echo Reply packets. The packets sent are UDP packets whose port number is 3503 instead of ICMP packets.
LSP trace uses the TTL field in an MPLS packet header. The LSP trace command increments the TTL value from 1, and sends an MPLS Echo Request packet to the next hop. When detecting that TTL expires, an LSR sends an MPLS Echo Reply packet to the source. In such a query procedure, each hop of an LSP can be traced.
• Work Flow of LSP Trace
The LSP trace function can be used to detect different FECs (IPv4 LDP and RSVP). An LSP trace request packet is a UDP packet with a label. The packet uses the well-known port 3503 as the destination port. The source port is designated by the sender. The IP-layer source address is the IP address of the sender. The destination address is 127.0.0.1, which is used to prevent the packet from being forwarded according to an IP route when a fault occurs on an LSP of an intermediate LSR.
The principle of LSP trace is shown in Figure 15-13.
Figure 15-13 LSP Trace Work Flow
The MPLS LSP trace procedure between LSR1 and LSR4 is described below:
1. LSR1: LSR1 sends an MPLS Echo Request packet to LSR2. The destination address of the packet is the FEC on LSR4.
In the Echo Request packet, the TTL value in the MPLS header is 1, the destination address in the IP header is 127.0.0.1, and both the source port number and destination port number in the UDP header are 3503.
2. LSR2: When receiving the request packet whose TTL value is 1, LSR2 processes the packet. It finds that it is not the destination. Therefore, LSR2 responds to LSR1 with an MPLS Echo Reply packet.
In the Echo Reply packet, LSR2 fills in a corresponding return code. If the return code is 3, the node is the destination. If the return code is 6, the node is an intermediate node. LSR1 determines whether the packet reaches the destination according to the return code.
3. LSR1: After receiving the Echo Reply packet from LSR2, LSR1 knows the address and label information on LSR2. According to the return code, LSR1 knows that the packet did not reach the destination. LSR1 sends an MPLS Echo Request packet to LSR2 again. The destination of the packet is the FEC on LSR4.
In the Echo Request packet, the TTL value in the MPLS header is 2, the destination address in the IP header is 127.0.0.1, and both the source port number and destination port number in the UDP header are 3503.
4. LSR2: After receiving the Echo Request packet whose TTL value is 2, LSR2 searches for label information and then forwards the packet to LSR3. The TTL value decrements by one.
5. LSR3: After receiving the packet whose TTL value is 1, LSR3 finds that it is not the destination either. Therefore, LSR3 responds to LSR1 with an MPLS Echo Reply packet.
In the Echo Reply packet, the return code is 6, which indicates that the node is an intermediate node. According to the return code, LSR1 knows that the packet did not reach the destination.
6. LSR1: After receiving the Echo Reply packet from LSR3, LSR1 knows the address and label information on LSR3. According to the return code, LSR1 knows that the packet did not reach the destination. LSR1 sends an MPLS Echo Request packet to LSR2 again. The destination is the FEC on LSR4.
In the Echo Request packet, the TTL value in the MPLS header is 3, the destination address in the IP header is 127.0.0.1, and both the source port number and destination port number in the UDP header are 3503.
7. LSR2: After receiving the Echo Request packet whose TTL value is 3, LSR2 searches for label information and then forwards the packet to LSR3. The TTL value decrements by one.
8. LSR3: After receiving the Echo Request packet whose TTL value is 2, LSR3 searches for label information and then forwards the packet to LSR4. The TTL value decrements by one.
9. LSR4: After receiving the request packet whose TTL value is 1, LSR4 processes the packet. It finds that it is the destination. Therefore, LSR4 responds to LSR1 with an MPLS Echo Reply packet.
In the Echo Reply packet, the return code is 3, which indicates that the node is the destination node.
After the procedure, LSR1 knows the address and label information on LSRs along the LSP.
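The LSP ping settings (IP TTL 1, destination in 127.0.0.0/8) and the LSP trace procedure above can be exercised in a small model; the following Python block is an added example, not ZTE code or device output. It reuses the FEC 10.28.0.4/32, the LSR1 to LSR4 names and the return codes 3 and 6 as this chapter gives them; the LSR addresses, the `labels`/`egress` sets, all function names, and the rule that a probe which loses its label and cannot be IP-forwarded is counted as lost are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Optional

LSP_PORT = 3503       # UDP port of LSP ping/trace packets (from the guide)
RC_EGRESS = 3         # guide: return code 3, the node is the destination
RC_TRANSIT = 6        # guide: return code 6, the node is an intermediate node
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class EchoRequest:
    fec: str                  # FEC under test, written "prefix/length"
    mpls_ttl: Optional[int]   # TTL in the MPLS header; None once the label is lost
    ip_dst: str = "127.0.0.1"
    ip_ttl: int = 1
    udp_dport: int = LSP_PORT


@dataclass
class LSR:
    name: str
    address: str                               # constructed sample address
    labels: set = field(default_factory=set)   # FECs with an outgoing label entry
    egress: set = field(default_factory=set)   # FECs this LSR is the egress of


def ip_forwardable(pkt):
    """Would an LSR forward this packet by IP route once it carries no label?"""
    return ipaddress.ip_address(pkt.ip_dst) not in LOOPBACK and pkt.ip_ttl > 1


def deliver(hops, pkt):
    """Carry pkt along hops; return (replying LSR name, return code) or None if lost."""
    for lsr in hops:
        labeled = pkt.mpls_ttl is not None
        if pkt.fec in lsr.egress and (labeled or pkt.ip_dst == lsr.address):
            return lsr.name, RC_EGRESS           # control plane confirms the egress
        if labeled and pkt.mpls_ttl <= 1:
            return lsr.name, RC_TRANSIT          # TTL expired on a transit LSR
        if labeled and pkt.fec in lsr.labels:
            pkt = replace(pkt, mpls_ttl=pkt.mpls_ttl - 1)   # label switched
            continue
        # LSP broken here: no label entry, so only IP forwarding is left.
        if not ip_forwardable(pkt):
            return None
        pkt = replace(pkt, mpls_ttl=None, ip_ttl=pkt.ip_ttl - 1)
    return None


def lsp_ping(source, hops, fec, **fields):
    """Return '!' (success), '.' (timeout) or 'Q' (request not sent) for one probe."""
    if fec not in source.labels:
        return "Q"                     # no label for this exact prefix/length
    reply = deliver(hops, EchoRequest(fec=fec, mpls_ttl=255, **fields))
    return "!" if reply and reply[1] == RC_EGRESS else "."


def lsp_trace(source, hops, fec, max_ttl=5):
    """Raise the MPLS TTL from 1 and record (ttl, replier, code) for each probe."""
    if fec not in source.labels:
        return []
    result = []
    for ttl in range(1, max_ttl + 1):
        reply = deliver(hops, EchoRequest(fec=fec, mpls_ttl=ttl))
        result.append((ttl, *reply) if reply else (ttl, None, None))
        if reply and reply[1] == RC_EGRESS:
            break
    return result


def build_path(broken=False):
    """LSR1 -> LSR2 -> LSR3 -> LSR4; broken=True removes LSR3's label entry."""
    fec = "10.28.0.4/32"
    lsr1 = LSR("LSR1", "10.28.0.1", labels={fec})
    hops = [
        LSR("LSR2", "10.28.0.2", labels={fec}),
        LSR("LSR3", "10.28.0.3", labels=set() if broken else {fec}),
        LSR("LSR4", "10.28.0.4", egress={fec}),
    ]
    return lsr1, hops


if __name__ == "__main__":
    fec = "10.28.0.4/32"
    for broken in (False, True):
        src, hops = build_path(broken)
        print("broken LSP" if broken else "healthy LSP")
        print("  trace:", lsp_trace(src, hops, fec, max_ttl=4))
        print("  ping :", lsp_ping(src, hops, fec))
        # A request built with a routable destination and TTL masks the fault.
        print("  ping, routable dst:", lsp_ping(src, hops, fec, ip_dst="10.28.0.4", ip_ttl=64))
    print("wrong mask:", lsp_ping(src, hops, "10.28.0.4/30"))
```

On the broken path the correctly built request is lost at the third hop, while the variant with a routable destination and a larger IP TTL still reports success, which is the false positive that the 127.0.0.0/8 destination and TTL of 1 are there to prevent.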
Configuration Commands
To configure LSP trace on the ZXR10 ZSR V2, run the following commands:
Command: ZXR10#trace mpls ipv4 <ip-address> <mask-length> [output-interface <interface-name>] [destination <start-ipv4-address> [<end-ipv4-address>] [<increment>]] [ttl <ttl> | timeout <timeout> | source {<source-ipv4-address> | <source-ipv6-address>} | [{ddmap | dsmap}]]
Function: Enables the IPv4 LDP LSP trace function.
Command: ZXR10#trace mpls traffic-eng te_tunnel <id> [{master | slave}] [ttl <ttl> | timeout <timeout> | source {<source-ipv4-address> | <source-ipv6-address>} | [{ddmap | dsmap}]]
Function: Enables the RSVP LSP trace function.
Command: ZXR10#trace mpls pseudowire [multisegment] <pw-name> [ttl <ttl> | timeout <timeout> | source {<source-ipv4-address> | <source-ipv6-address>} | [{ddmap | dsmap}]]
Function: Enables the PWE3 LSP trace function.
master : specifies that the master LSP sends LSP ping packets.
slave : specifies that the slave LSP sends LSP ping packets.
multisegment: enables the ping multisegment pseudowire function.
Maintenance Commands
To maintain LSP trace, run the following command on the ZXR10 ZSR V2:
Command: ZXR10#debug lspv {error | event | packet | tlv | all}
Function: Displays information on sent UDP Echo Request packets and received UDP Echo Reply packets when LSP trace is performed.
LDP LSP Trace Configuration Example
• Configuration Description
As shown in Figure 15-14, LDP is enabled on R1, R2 and R3. It is required to configure LSP trace on R1 to check connectivity.
Figure 15-14 LDP LSP Trace Configuration Example
• Configuration Flow
1. Build an LDP network.
2. Perform LDP LSP trace on R1.
• Configuration Command
For LDP configuration, refer to the MPLS configuration example.
• Configuration Verification
Run the following commands on R1 to view configurations. The execution result is displayed as follows:
R1#show mpls forwarding-table
Local Outgoing Prefix or Outgoing Next Hop M/S
label label Lspname interface
20 Pop tag 10.28.0.3/32 gei-1/2 10.28.1.6 M
57 49 10.28.0.4/32 gei-1/2 10.28.1.6 M
R1#trace mpls ipv4 10.28.0.3 32
Tracing MPLS Lable Switched to 10.28.0.3,timeout is 3 second(s).
Codes:'!' - success, 'Q' - request not sent, '*' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
0 10.28.1.5 MTU 1500 [label 3 ]
! 1 10.28.1.6 10 ms
[finished]
Test trace on R1. The execution result is displayed as follows:
R1#trace mpls ipv4 10.28.0.4 32
Tracing MPLS Lable Switched to 10.28.0.4,timeout is 3 second(s).
Codes:'!' - success, 'Q' - request not sent, '*' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
0 10.28.1.5 MTU 1500 [label 49 ]
R 1 10.28.1.21 MTU 1500 [label 0 ] 8 ms
! 2 10.28.1.22 7 ms
[finished]
RSVP LSP Trace Configuration Example
• Configuration Description
As shown in Figure 15-15, the Resource ReSerVation Protocol (RSVP) is enabled on R1, R2 and R3. Build an OSPF-TE network. It is required to configure LSP trace on R1 to check connectivity.
Figure 15-15 RSVP LSP Trace Configuration Example
• Configuration Flow
1. Build an OSPF-TE network.
2. Perform RSVP LSP trace on R1.
• Configuration Commands
For RSVP configuration, refer to the OSPF-TE configuration example.
• Configuration Verification
Run the following commands on R1 to view configurations. The execution result is displayed as follows:
R1#show mpls traffic-eng tunnels brief
Signalling Summary:
LSP Tunnels Process: running
RSVP Process: running
Forwarding: enabled
TUNNEL NAME DESTINATION UP IF DOWN IF STATE/PROT
tunnel_1 10.28.0.4 - gei-1/8 up/up
Test trace on R1. The execution result is displayed as follows:
R1#trace mpls traffic-eng te_tunnel1
Tracing MPLS Lable Switched to te_tunnel1,timeout is 3 second(s).
Codes:'!' - success, 'Q' - request not sent, '*' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
0 10.28.1.5 MTU 1500 [label 147457 ]
R 1 10.28.1.6 MTU 1500 [label 3 ] 3 ms
! 2 10.28.1.22 4 ms
[finished]
15.9 Configuring Multicast Ping
Overview
Multicast ping sends an ICMP request packet to a multicast group address and waits for an ICMP reply packet from the remote end. Multicast ping is applicable to PIM-SM only, and can only be initiated by a node in an RPT (excluding a multicast receiver). The destination address is a multicast group address. The request packet is forwarded to a multicast receiver node through a multicast forwarding path. The receiver node responds with an ICMP reply packet through unicast.
The work flow of multicast ping is shown in Figure 15-16.
Figure 15-16 Work Flow of Multicast Ping
1. A router initiates a multicast ping command by sending an ICMP request packet.
2. An intermediate node forwards the packet directly because there is no local receiver directly connected.
3. A leaf node where the receiver is located sends and processes the packet, and responds with a reply packet through unicast.
4. The initiator displays the multicast ping result.
Configuration Commands
To configure multicast ping on the ZXR10 ZSR V2, run the following command:
Command: ZXR10#ping [vrf <vrf-name>] <ip-address> {[df-bit <don't-frag>] [repeat <repeat-count>] [size <datagram-size>] [source <source-address>] [timeout <timeout>] [tos <tos>] [ttl <ttl>] option {[{loose | strict} <source-route-address>] [record <record-hops>] [timestamp <record-timestamps>] [none]}] [pattern <pad>] [speed {limit <limite-num> | interval <interval-seconds>}]}
Function: Configures the multicast ping command in any mode except user mode.
<repeat-count>: number of retry attempts, range: 1–65535, default: 5.
<datagram-size>: size of a ping packet, range: 36-8192, default: 100 octets.
<timeout>: timeout period, unit: second, range: 1–20.
<tos>: ToS of a sent packet, range: 0-255, default: 0.
<ttl>: TTL, range: 1–255.
<don't-frag>: flag indicating no fragmentation, options: 0, 1, default: 0 (indicating that fragmentation is allowed).
<pad>: value of the pad field in a packet.
option: whether to configure IP options. The value 1 means that IP options can be configured.
<limite-num>: number of ping packets sent per second.
<interval-seconds>: interval between two data request packets, unit: second, range: 2–10.
loose | strict <source-route-address>: specified source station route, format: dotted decimal.
<record-hops>: maximum number of hops that needs to be recorded, range: 1–9.
<record-timestamps>: maximum number of timestamps that needs to be recorded, range: 1–9.
Maintenance Commands
To maintain multicast ping on the ZXR10 ZSR V2, run the following command:
Command: ZXR10#mtrace <source-address> [<destination-address>] [<group-address>]
Function: Displays information on sent multicast ping packets and received ICMP packets when multicast ping is performed.
Configuration Example
• Configuration Description
As shown in Figure 15-17, it is required to check whether the multicast last hop is reachable.
Figure 15-17 Multicast Ping Configuration Example
• Configuration Flow
1. Build a network.
2. Enable PIM-SM on R1 and R2.
3. Add the receiving group to the multicast group.
4. Ping the multicast group address on R1.
• Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/9
R1(config-if-gei-1/9)#no shutdown
R1(config-if-gei-1/9)#ip address 12.131.1.1 255.255.255.0
R1(config-if-gei-1/9)#exit
R1(config)#interface gei-1/8
R1(config-if-gei-1/8)#no shutdown
R1(config-if-gei-1/8)#ip address 17.1.1.2 255.255.255.0
R1(config-if-gei-1/8)#exit
R1(config)#interface loopback1
R1(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0
R1(config-if-loopback1)#exit
/*Configure a multicast protocol*/
R1(config)#ip multicast-routing
R1(config-mcast)#router pim
R1(config-mcast-pim)#rp-candidate loopback1
R1(config-mcast-pim)#bsr-candidate loopback1
R1(config-mcast-pim)#interface gei-1/9
R1(config-mcast-pim-if-gei-1/9)#pimsm
R1(config-mcast-pim-if-gei-1/9)#exit
R1(config-mcast-pim)#interface gei-1/8
R1(config-mcast-pim-if-gei-1/8)#pimsm
R1(config-mcast-pim-if-gei-1/8)#end
Configurations on R2 are similar to those on R1. Configure an IP address and enable a multicast protocol on R2.
Run the following command on R2 to add a static route to the RP:
R2(config)#ip route 3.3.3.3 255.255.255.255 17.1.1.2
• Configuration Verification
Run the ping command on R1 to check whether the receiving group has joined the 225.0.0.1 multicast group. The execution result is displayed as follows:
R1#ping 225.0.0.1
sending 5,100-byte ICMP echoes to 225.0.0.1,timeout is 2 seconds.
Reply to request 1 received from 17.1.1.1, 2 ms
Reply to request 2 received from 17.1.1.1, 2 ms
Reply to request 3 received from 17.1.1.1, 2 ms
Reply to request 4 received from 17.1.1.1, 2 ms
Reply to request 5 received from 17.1.1.1, 2 ms
Success rate is 100 percent(5/5),round-trip min/avg/max= 2/2/2 ms.
15.10 Configuring Multicast Trace
Overview
Multicast trace provides a method of monitoring multicast routes and detecting RPF. At present, the multicast trace version is v1.0. Multicast trace checks connectivity of a multicast path by sending and receiving IGMP protocol packets.
Multicast trace is used to detect the reverse path from a destination address to a multicast source. It uses two methods to search for a next hop route. One is by RPF. The other is by an (S, G) or (*, G) entry, and (S, G) is preferred.
Take Figure 15-18 as an example to describe two multicast trace working flows.
Figure 15-18 Multicast Trace Principle
• When trace 1.1.1.3 2.2.2.2 is configured on R1, R1 finds that the next hop is 1.1.1.1 through RPF. Until finding that the next hop route 1.1.1.3 is a source direct-connected route, R1 unicasts the destination route 2.2.2.2.
• When trace 1.1.1.3 2.2.2.2 224.1.1.1 is configured on R1, R1 searches for the next hop route by an (S, G) or (*, G) entry. (S, G) is preferred. Until finding that the next hop route 1.1.1.3 is a source direct-connected route, R1 unicasts the destination route 2.2.2.2.
Configuration Commands
To configure multicast trace on the ZXR10 ZSR V2, run the following command:
Command: ZXR10#mtrace <source-address> [<destination-address>] [<group-address>]
Function: Displays the reverse path from a destination address to a multicast source.
Configuration Example
• Configuration Description
It is required to search for a next hop route through an (S, G) or (*, G) entry. The network topology is shown in Figure 15-19.
Figure 15-19 Multicast Trace Configuration Example
• Configuration Flow
1. Enable PIM-SM on R1 and R2.
2. The receiving group joins the multicast group. The source sends a multicast flow.
3. Configure multicast trace on R2.
• Configuration Command
Configuration on R1:
R1(config)#interface gei-1/9
R1(config-if-gei-1/9)#no shutdown
R1(config-if-gei-1/9)#ip address 12.131.1.1 255.255.255.0
R1(config-if-gei-1/9)#exit
R1(config)#interface gei-1/8
R1(config-if-gei-1/8)#no shutdown
R1(config-if-gei-1/8)#ip address 17.1.1.2 255.255.255.0
R1(config-if-gei-1/8)#exit
R1(config)#interface loopback1
R1(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0
R1(config-if-loopback1)#exit
/*Configure a multicast protocol*/
R1(config)#ip multicast-routing
R1(config-mcast)#router pim
R1(config-mcast-pim)#rp-candidate loopback1
R1(config-mcast-pim)#bsr-candidate loopback1
R1(config-mcast-pim)#interface gei-1/9
R1(config-mcast-pim-if-gei-1/9)#pimsm
R1(config-mcast-pim-if-gei-1/9)#exit
R1(config-mcast-pim)#interface gei-1/8
R1(config-mcast-pim-if-gei-1/8)#pimsm
R1(config-mcast-pim-if-gei-1/8)#end
Configuration on R2 is similar to that on R1. Configure an IP address and enable a multicast protocol.
Configure a static route to the RP on R2, as shown below.
R2(config)#ip route 3.3.3.3 255.255.255.255 17.1.1.2
• Configuration Verification
The receiving group joins the multicast group 225.0.0.1. The source sends a multicast flow.
R2#mtrace 12.131.1.2 17.1.1.1 225.0.0.1
Type escape sequence to abort.
Mtrace from 12.131.1.2 to 17.1.1.1 via group 225.0.0.1
0 17.1.1.1 PIM 21 ms
-1 17.1.1.2 PIM 76 ms
-2 12.131.1.1 PIM 76 ms
[finished]
15.11 Configuring MAC Ping
Overview
MAC ping provides a method of monitoring performance and detecting errors at the MAC layer. It determines link-layer connectivity by sending and receiving EOAM MAC ping packets.
OAM information contained in IEEE802.3 is called Ethernet Operation, Administration and Maintenance (EOAM). EOAM provides a ping mechanism for the data link layer.
1. A router sends an Echo Request packet with a specific destination MAC address. The OAM sub-layer sends this ping request packet as an OAM Protocol Data Unit (OAMPDU).
2. After receiving this Echo Request packet, the receiver generates an Echo Response OAMPDU.
The EOAM-based MAC ping network structure is shown in Figure 15-20.
Figure 15-20 MAC Ping Network Structure
MAC ping supports ping from CE1 to CE2, from PE1 to PE2, from PE1 to CE2, and from CE1 to PE2. The parameters in ping commands sent from a CE and from a PE are different.
The following takes ping from CE1 to CE2 and from PE1 to PE2 as examples to describe the procedures.
• Ping from CE1 to CE2
CE1 sends a MAC-layer ping request which contains an egress interface and a destination MAC address. When receiving the request packet, CE2 sends a reply packet. If CE1 receives the reply packet within a specified period, the link layer is operating properly.
• Ping from PE1 to PE2
PE1 sends a MAC-layer ping request which contains a destination MAC address, Virtual Private LAN Service (VPLS) name and peer ID. When receiving the request
packet, PE2 sends a reply packet. If PE1 receives the reply packet within a specified period, the link layer is operating properly.
Configuration Commands
To configure MAC ping on the ZXR10 ZSR V2, run the following command:
Command: ZXR10#mac-ping <destination-mac> {interface <out-port> | vpls <vpls-name> peer <peer-address> | vpws <vpws-name> peer <peer-address>} {summary | detail} {[external-vlan <external-vlan> internal-vlan <internal-vlan>] | [vlan <vlan-id>]} [repeat <repeat-count>] [timeout <timeout>]
Function: Checks the connectivity of the destination MAC address.
<out-port>: egress interface of a request packet on a CE.
summary : briefly displays MAC ping results.
detail: displays MAC ping results in detail.
<repeat-count>: repeat count, range: 1–65536, default: 1.
<peer-address>: remote router ID to be detected on a PE.
Maintenance Commands
To maintain MAC ping on the ZXR10 ZSR V2, run the following command:
Command: ZXR10#debug macping {all | error | event | info | packet}
Function: Displays errors, events, information, packets or all information when MAC ping packets are received and sent.
Configuration Example
• Configuration Description
For the MAC ping network structure on a VPLS network, see Figure 15-21.
Figure 15-21 MAC Ping Configuration Example
• Configuration Flow
1. Configure IP addresses. Enable OSPF between PE1 and PE2.
2. Configure LDP between PEs.
3. Configure L2 VPN VPLS.
4. Configure MAC ping.
• Configuration Commands
Run the following commands on PE1:
PE1(config)#interface loopback1
PE1(config-if-loopback1)#ip address 100.10.10.1 255.255.255.255
PE1(config-if-loopback1)#exit
PE1(config)#interface gei-1/1
PE1(config-if-gei-1/1)#no shutdown
PE1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
PE1(config-if-gei-1/1)#exit
PE1(config)#router ospf 1
PE1(config-ospf-1)#network 100.10.10.1 0.0.0.0 area 0
PE1(config-ospf-1)#network 10.1.1.1 0.0.0.255 area 0
PE1(config-ospf-1)#exit
PE1(config)#mpls ldp instance 1
PE1(config-ldp-1)#router-id loopback1
PE1(config-ldp-1)#interface gei-1/1
PE1(config-ldp-1-if-gei-1/1)#exit
PE1(config-ldp-1)#exit
PE1(config)#mpls l2vpn enable
PE1(config)#pw pw1
PE1(config)#vpls zte1
PE1(config-vpls-zte1)#pseudo-wire pw1
PE1(config-vpls-zte1–pw-pw1)#neighbour 100.10.10.2 vcid 10
PE1(config-vpls-zte1–pw-pw1–neighbour-100.10.10.2)#end
PE1(config)#zmac-oam enable /*Enable mac-ping(trace) globally.*/
Configurations on PE2 are similar to those on PE1.
• Configuration Verification
Run the mac-ping command on PE1. The execution result is displayed as follows:
PE1#mac-ping 00d0.d000.0500 vpls zte1 peer 100.10.10.2 summary
sending 5,92-byte EOAM echo(es) to 00d0.d000.0500,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/2 ms.
15.12 Configuring MAC Trace
Overview
MAC trace provides a method of monitoring performance and detecting errors at the MAC layer. It determines whether the nodes at the link layer are operating properly by sending and receiving EOAM MAC trace packets.
The EOAM function is defined in the 802.3ah draft. This function can be used to detect information on the Ethernet link layer defined in IEEE 802.3. OAM information contained in IEEE 802.3 is called EOAM.
The EOAM-based MAC trace network structure is shown in Figure 15-22.
Figure 15-22 Network Structure of MAC Trace
MAC trace supports trace from CE1 to CE2, from PE1 to PE2, and from PE1 to CE2.
• Trace from CE1 to CE2
CE1 sends a MAC trace request. If the link is operating properly, MAC addresses of corresponding interfaces on CE1, PE1, PE2 and CE2 are recorded.
• Trace from PE1 to PE2
PE1 sends a MAC trace request. If the link is operating properly, MAC addresses of corresponding interfaces on PE1 and PE2 are recorded.
• Trace from PE1 to CE2
PE1 sends a MAC trace request. If the link is operating properly, MAC addresses of corresponding interfaces on PE1, PE2 and CE2 are recorded.
Configuration Commands
To configure MAC trace on ZXR10 ZSR V2, run the following command:
Command: ZXR10#mac-trace <destination-mac> {interface <out-port> | [vpls <vpls-name> peer <peer-address>] | [vpws <vpws-name> peer <peer-address>]} [external-vlan <external-vlan-id> internal-vlan <internal-vlan-id>] | [vlan <vlan-id>]
Function: Traces a path to the destination MAC address on an Ethernet link.
<out-port>: egress interface of a request packet on a CE.
<peer-address>: remote router ID to be detected on a PE.
Maintenance Commands
To maintain MAC trace on the ZXR10 ZSR V2, run the following command:
Command: ZXR10#debug macping {all | error | event | info | packet}
Function: Displays errors, events, information, packets or all information when MAC trace packets are received and sent.
Configuration Example
• Configuration Description
On a VPLS network, the MAC trace network structure is shown in Figure 15-23.
Figure 15-23 MAC Trace Configuration Example
• Configuration Flow
1. Configure IP addresses. Enable OSPF between PE1 and PE2.
2. Configure LDP between PEs.
3. Configure L2 VPN VPLS.
4. Configure MAC trace.
• Configuration Commands
Run the following commands on PE1:
PE1(config)#interface loopback1
PE1(config-if-loopback1)#ip address 100.10.10.1 255.255.255.255
PE1(config-if-loopback1)#exit
PE1(config)#interface gei-1/1
PE1(config-if-gei-1/1)#no shutdown
PE1(config-if-gei-1/1)#ip address 17.1.1.1 255.255.255.0
PE1(config-if-gei-1/1)#exit
PE1(config)#router ospf 1
PE1(config-ospf-1)#network 100.10.10.1 0.0.0.0 area 0
PE1(config-ospf-1)#network 17.1.1.1 0.0.0.255 area 0
PE1(config-ospf-1)#exit
PE1(config)#mpls ldp instance 1
PE1(config-ldp-1)#router-id loopback1
PE1(config-ldp-1)#interface gei-1/1
PE1(config-ldp-1-if-gei-1/1)#exit
PE1(config-ldp-1)#exit
PE1(config)#mpls l2vpn enable
PE1(config)#pw pw1
PE1(config)#vpls zte1
PE1(config-vpls-zte1)#pseudo-wire pw1
PE1(config-vpls-zte1-pw-pw1)#neighbour 100.10.10.2 vcid 10
PE1(config-vpls-zte1-pw-pw1-neighbour-100.10.10.2)#end
PE1(config)#zmac-oam enable /*Enable mac-ping (trace) globally.*/
Configurations on PE2 are similar to those on PE1.
• Configuration Verification
Run the mac-trace command on PE1. The execution result is displayed as follows:
PE1#mac-trace 00d0.d000.0500 vpls zte1 peer 100.10.10.2
Starting L2 Trace to 00d0.d000.0500
PE1 :gei-1/1 [002e.33d5.3f51]->
PE2 :gei-1/1 [00d0.d000.0500] !
[finished]
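The following Python sketch is an added example, not part of the ZTE guide: it parses the mac-ping summary and the mac-trace output in the form printed above and compares the traced node sequence against an expected baseline, so that an unfinished trace or a changed Layer 2 path is flagged. The function names and the baseline list are assumptions of this example; the guide shows only success-case output, so anything that does not match that form is reported as a problem.

```python
import re
# Constructed samples: the two verification outputs printed in this guide.
# Function names below belong to this example, not to any ZTE tool.
PING_OUTPUT = """\
sending 5,92-byte EOAM echo(es) to 00d0.d000.0500,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/2 ms.
"""
TRACE_OUTPUT = """\
Starting L2 Trace to 00d0.d000.0500
PE1 :gei-1/1 [002e.33d5.3f51]->
PE2 :gei-1/1 [00d0.d000.0500] !
[finished]
"""
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
PING_RE = re.compile(r"Success rate is (\d+) percent\((\d+)/(\d+)\),"
                     r"round-trip min/avg/max= (\d+)/(\d+)/(\d+) ms")
HOP_RE = re.compile(rf"^(\S+)\s*:(\S+)\s+\[({MAC})\]\s*(?:->|!)?$", re.I)

def parse_mac_ping(text):
    """Return counters from the summary line, or None if it is absent."""
    m = PING_RE.search(text)
    if not m:
        return None
    pct, ok, sent, rmin, avg, rmax = map(int, m.groups())
    return {"percent": pct, "received": ok, "sent": sent,
            "rtt_ms": (rmin, avg, rmax)}

def parse_mac_trace(text):
    """Return (target, hops, finished); each hop is (node, port, mac)."""
    start = re.search(rf"Starting L2 Trace to ({MAC})", text, re.I)
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if m:
            hops.append((m.group(1), m.group(2), m.group(3).lower()))
    target = start.group(1).lower() if start else None
    return target, hops, "[finished]" in text

def check_trace(text, expected_nodes):
    """List problems: unfinished trace, wrong final MAC, or path drift."""
    target, hops, finished = parse_mac_trace(text)
    problems = [] if finished else ["trace did not finish"]
    if not hops or hops[-1][2] != target:
        problems.append("last hop is not the destination MAC")
    nodes = [hop[0] for hop in hops]
    if nodes != expected_nodes:
        problems.append(f"path {nodes} differs from baseline {expected_nodes}")
    return problems
```

Calling check_trace(TRACE_OUTPUT, ["PE1", "PE2"]) returns an empty list for the sample above; a trace cut off after the PE1 hop returns all three problems.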
15.13 IP Performance Maintenance
ZXR10 ZSR V2 provides the following commands to maintain IP performance.
Command: ZXR10#debug ip
Function: Enables the IP debug function. It displays the debug information of IP processing and whether the router is sending or receiving IP packets.
Command: ZXR10#debug ip interface
Function: Enables the IP debug function on the specified interface.
Command: ZXR10#show debug ip
Function: Shows all the enabled IP debug functions.
Figures
Figure 1-1 ZXR10 ZSR V2 Configuration Modes
Figure 1-2 Run Dialog Box
Figure 1-3 Telnet Connection Configuration Example
Figure 1-4 PuTTY Configuration Dialog Box
Figure 1-5 PuTTY Configuration Dialog Box
Figure 1-6 SSH Configuration Example
Figure 1-7 FTP Server Configuration Example
Figure 1-8 WFTPD Window
Figure 1-9 User/Rights Security Dialog Box
Figure 1-10 User/Rights Security Dialog Box
Figure 1-11 TFTP Server Window
Figure 1-12 Tftpd Settings Dialog Box
Figure 1-13 SFTP Server Configuration Example
Figure 3-1 MIM Application
Figure 4-1 Local Authentication and Authorization Configuration
Figure 4-2 RADIUS-LOCAL Authentication and Authorization User Configuration
Figure 4-3 TACACS+ Authentication and Authorization User Configuration
Figure 4-4 Configuring a Password Prompt Question for Resetting a Password
Figure 4-5 Configuring OAM Security Management
Figure 4-6 Configuring a Password Validity Period
Figure 4-7 Configuring First-Login Password Modification
Figure 4-8 Configuring the Raising of a Privilege Level
Figure 6-1 SNMP Configuration Example Topology
Figure 6-2 State Switching Diagram
Figure 6-3 SNMP Anti-Brute Force Attack Configuration Example
Figure 7-1 Alarm Function Configuration Example
Figure 8-1 Syslog Configuration Example Topology
Figure 9-1 RMON Configuration Example
Figure 10-1 NTP Client Work Flow
Figure 10-2 NTP Server and Client
Figure 10-3 NTP Working as a Client
Figure 10-4 NTP Working as a Server
Figure 10-5 Physical POS Interface Clock Configuration Instance
Figure 11-1 Performance Management Configuration Example Topology Diagram
Figure 12-1 NetFlow V5 Configuration Example
Figure 12-2 NetFlow V8 Configuration Example
Figure 12-3 NetFlow V9 Configuration Example
Figure 13-1 ICMP-Type SQA Configuration Example
Figure 13-2 FTP-Type SQA Configuration Example
Figure 13-3 TCP-Type SQA Configuration Example
Figure 13-4 UDP-Type SQA Configuration Example
Figure 13-5 DNS-Type SQA Configuration Example
Figure 14-1 LLDP System Structure
Figure 14-2 LLDP Neighbor Configuration Example
Figure 14-3 LLDP Attribute Configuration Example
Figure 15-1 ICMP Fast Response Configuration Example
Figure 15-2 Loose Source Route Option Packet Format
Figure 15-3 IP Source Route Option Processing Configuration Example
Figure 15-4 ICMP Unreachable Packet Function Configuration Example
Figure 15-5 Configuration Example of an Interface Sending ICMP Unreachable Packets
Figure 15-6 Format of an ICMP Echo Request/Reply
Figure 15-7 IP Ping Configuration Example
Figure 15-8 Interfaces Between the "Trace" Module and Sub-Modules
Figure 15-9 IP Trace Configuration Example
Figure 15-10 LDP LSP Ping Configuration Example
Figure 15-11 RSVP LSP Ping Configuration Example
Figure 15-12 PWE3 LSP Ping Configuration Example
Figure 15-13 LSP Trace Work Flow
Figure 15-14 LDP LSP Trace Configuration Example
Figure 15-15 RSVP LSP Trace Configuration Example
Figure 15-16 Work Flow of Multicast Ping
Figure 15-17 Multicast Ping Configuration Example
Figure 15-18 Multicast Trace Principle
Figure 15-19 Multicast Trace Configuration Example
Figure 15-20 MAC Ping Network Structure
Figure 15-21 MAC Ping Configuration Example
Figure 15-22 Network Structure of MAC Trace
Figure 15-23 MAC Trace Configuration Example
Glossary
AAA- Authentication, Authorization and Accounting
ACL- Access Control List
DNS- Domain Name System
FTP- File Transfer Protocol
HMAC-MD5- Hashed Message Authentication Code with MD5
ICMP- Internet Control Message Protocol
IETF- Internet Engineering Task Force
LDP- Label Distribution Protocol
LLDP- Link Layer Discovery Protocol
LLDPDU- Link Layer Discovery Protocol Data Unit
LSP- Label Switched Path
LSR- Label Switch Router
MAC- Media Access Control
MAN- Metropolitan Area Network
MIB- Management Information Base
MPLS- Multiprotocol Label Switching
NMS- Network Management System
NTP- Network Time Protocol
PDU- Packet Data Unit
POP- Points Of Presence
PPP- Point-to-Point Protocol
RADIUS- Remote Authentication Dial In User Service
RFC- Request For Comments
SLA- Service Level Agreement
SNMP- Simple Network Management Protocol
SSH- Secure Shell
TACACS+- Terminal Access Controller Access-Control System Plus
TCP- Transmission Control Protocol
TCP/IP- Transmission Control Protocol/Internet Protocol
TELNET- Telecommunication Network Protocol
TFTP- Trivial File Transfer Protocol
TLV- Type/Length/Value
TTL- Time To Live
ToS- Type of Service
UDP- User Datagram Protocol
VRF- Virtual Route Forwarding