ZXR10 ZSR V2. Configuration Guide (System Management) Intelligent Integrated Multi-Service Router. Version:

Author: John Wright
ZXR10 ZSR V2 Intelligent Integrated Multi-Service Router

Configuration Guide (System Management) Version: 2.00.10

ZTE CORPORATION No. 55, Hi-tech Road South, ShenZhen, P.R.China Postcode: 518057 Tel: +86-755-26771900 Fax: +86-755-26770801 URL: http://ensupport.zte.com.cn E-mail: [email protected]

LEGAL INFORMATION Copyright © 2013 ZTE CORPORATION. The contents of this document are protected by copyright laws and international treaties. Any reproduction or distribution of this document or any portion of this document, in any form by any means, without the prior written consent of ZTE CORPORATION is prohibited.

Additionally, the contents of this document are protected by contractual confidentiality obligations. All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE CORPORATION or of their respective owners. This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose, title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the use of or reliance on the information contained herein. ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications covering the subject matter of this document. Except as expressly provided in any written license between ZTE CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter herein. ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice. Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information. The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History

Revision No.    Revision Date    Revision Reason
R1.0            2014-05-10       First edition

Serial Number: SJ-20140504150128-007 Publishing Date: 2014-05-10 (R1.0)

SJ-20140504150128-007|2014-05-10 (R1.0)

ZTE Proprietary and Confidential

Contents

About This Manual

Chapter 1 Device Connection Management
1.1 Connecting the ZXR10 ZSR V2 System
1.2 Configuring Console Port Connection
1.3 Configuring Telnet Connection
1.4 Configuring SSH Connection
1.5 FTP Connection Configuration
1.5.1 Configuring the ZXR10 ZSR V2 as an FTP Server
1.5.2 Configuring the ZXR10 ZSR V2 as an FTP Client
1.6 Configuring TFTP Connection
1.7 SFTP Connection Configuration
1.7.1 Configuring the ZXR10 ZSR V2 as an SFTP Server
1.7.2 Configuring the ZXR10 ZSR V2 as an SFTP Client

Chapter 2 File System Management
2.1 File System Overview
2.2 Configuring File System Management
2.3 File System Management Configuration Examples
2.3.1 File System Configuration Example
2.3.2 Configuration Example of Backing Up a Configuration File on a USB Flash Drive

Chapter 3 MIM Configuration
3.1 MIM Overview
3.2 Configuring MIM

Chapter 4 User Management
4.1 User Management Overview
4.2 Configuring User Management
4.3 User Management Configuration Examples
4.3.1 Local Authentication and Authorization User Configuration Example
4.3.2 RADIUS-LOCAL Authentication and Authorization User Configuration Example
4.3.3 TACACS+ Authentication and Authorization User Configuration Example
4.3.4 Configuring a Password Prompt Question for Resetting a Password
4.3.5 Configuring OAM Security Management
4.3.6 Configuring a Password Validity Period
4.3.7 Configuring First-Login Password Modification
4.3.8 Relations Between Raising Privilege Levels and the Enable Command

Chapter 5 Command Privilege Level Classification
5.1 Command Privilege Level Overview
5.2 Configuring Command Privilege
5.3 Command Privilege Level Configuration Example

Chapter 6 SNMP Configuration
6.1 SNMP Basic Configuration
6.1.1 SNMP Overview
6.1.2 Configuring SNMP
6.1.3 SNMP Configuration Example
6.2 SNMP Anti-Violence Attack
6.2.1 SNMP Anti–Brute Force Attack Overview
6.2.2 Configuring SNMP Anti–Brute Force Attack
6.2.3 SNMP Anti–Brute Force Attack Configuration Example

Chapter 7 Alarm Management Configuration
7.1 Alarm Overview
7.2 Configuring the Alarm Function
7.3 Alarm Function Configuration Example

Chapter 8 SYSLOG Configuration
8.1 SysLog Overview
8.2 Configuring Syslog
8.3 Syslog Configuration Example

Chapter 9 RMON Configuration
9.1 RMON Overview
9.2 Configuring RMON
9.3 RMON Configuration Example

Chapter 10 Clock and Clock Synchronization
10.1 NTP Configuration
10.1.1 NTP Overview
10.1.2 Configuring NTP
10.1.3 NTP Configuration Examples
10.2 Physical POS Interface Clock Configuration
10.2.1 Physical POS Interface Clock
10.2.2 Configuring a Physical POS Interface Clock
10.2.3 Physical POS-Interface Clock Configuration Instance

Chapter 11 Performance Statistics
11.1 Performance Management Overview
11.2 Performance Management Configuration
11.3 Performance Management Configuration Example

Chapter 12 NetFlow Configuration
12.1 NetFlow Overview
12.2 Configuring NetFlow
12.3 NetFlow Configuration Examples
12.3.1 NetFlow V5 Configuration Example
12.3.2 NetFlow V8 Configuration Example
12.3.3 NetFlow V9 Configuration Example

Chapter 13 SQA Configuration
13.1 SQA Overview
13.2 Configuring SQA
13.3 SQA Configuration Examples
13.3.1 ICMP-Type SQA Configuration Example
13.3.2 FTP-Type SQA Configuration Example
13.3.3 TCP-Type SQA Configuration Example
13.3.4 UDP-Type SQA Configuration Example
13.3.5 DNS-Type SQA Configuration Example

Chapter 14 LLDP Configuration
14.1 LLDP Overview
14.2 Configuring LLDP
14.3 LLDP Configuration Examples
14.3.1 LLDP Neighbor Configuration Example
14.3.2 LLDP Attribute Configuration Example

Chapter 15 Network Layer Detection
15.1 Configuring ICMP Fast Response
15.2 Configuring IP Source Route Option Processing
15.3 Configuring ICMP Unreachable Packet Function
15.4 Enabling an Interface to Send ICMP Unreachable Packets
15.5 Configuring IP Ping
15.6 Configuring IP Trace
15.7 Configuring LSP Ping
15.8 Configuring LSP Trace
15.9 Configuring Multicast Ping
15.10 Configuring Multicast Trace
15.11 Configuring MAC Ping
15.12 Configuring MAC Trace
15.13 IP Performance Maintenance

Figures
Glossary

About This Manual

Purpose
This manual describes functional principles, configuration commands and examples related to ZXR10 ZSR V2 system management.

Intended Audience
This manual is intended for the following engineers:
- Network planning engineers
- Commissioning engineers
- Maintenance engineers

What Is in This Manual
This manual contains the following contents:

Chapter: 1, Device Connection Management
Summary: Describes several modes (including through a Console port, TELNET, SSH, FTP, TFTP and SFTP) and configuration commands to connect to ZXR10 ZSR V2.

Chapter: 2, File System Management
Summary: Describes operational commands for the file system of the device.

Chapter: 3, MIM Configuration
Summary: Describes MIM principles, configuration commands and configuration examples.

Chapter: 4, User Management
Summary: Describes user management principle, configuration commands and configuration examples.

Chapter: 5, Command Privilege Level Classification
Summary: Describes user and command privilege level classification principle, configuration commands and configuration example.

Chapter: 6, SNMP Configuration
Summary: Describes SNMP principles, configuration commands and configuration examples.

Chapter: 7, Alarm Management Configuration
Summary: Describes alarm management principle, configuration commands and configuration example.

Chapter: 8, SYSLOG Configuration
Summary: Describes SYSLOG principle, configuration commands and configuration example.

Chapter: 9, RMON Configuration
Summary: Describes RMON principle, configuration commands and configuration example.

Chapter: 10, Clock and Clock Synchronization
Summary: Describes clock and clock synchronization principles, configuration commands and configuration examples.

Chapter: 11, Performance Statistics
Summary: Describes performance statistics principle, configuration commands and configuration example.

Chapter: 12, NetFlow Configuration
Summary: Describes NetFlow principle, configuration commands and configuration examples.

Chapter: 13, SQA Configuration
Summary: Describes SQA principle, configuration commands and configuration examples.

Chapter: 14, LLDP Configuration
Summary: Describes LLDP principles, configuration commands and configuration examples.

Chapter: 15, Network Layer Detection
Summary: Describes the principles, configuration commands, and configuration examples of the network layer detection.

Conventions
This manual uses the following typographical conventions:

Typeface: Italics
Meaning: Variables in commands. It may also refer to other related manuals and documents.

Typeface: Bold
Meaning: Menus, menu options, function names, input fields, option button names, check boxes, drop-down lists, dialog box names, window names, parameters, and commands.

Typeface: Constant width
Meaning: Text that you type, program codes, filenames, directory names, and function names.

Typeface: []
Meaning: Optional parameters.

Typeface: |
Meaning: Separates individual parameters in a series of parameters.

Warning: indicates a potentially hazardous situation. Failure to comply can result in serious injury, equipment damage, or interruption of major services.

Caution: indicates a potentially hazardous situation. Failure to comply can result in moderate injury, equipment damage, or interruption of minor services.

Note: provides additional information about a certain topic.


Chapter 1 Device Connection Management

Table of Contents
Connecting the ZXR10 ZSR V2 System
Configuring Console Port Connection
Configuring Telnet Connection
Configuring SSH Connection
FTP Connection Configuration
Configuring TFTP Connection
SFTP Connection Configuration

1.1 Connecting the ZXR10 ZSR V2 System
The ZXR10 ZSR V2 provides multiple configuration modes, see Figure 1-1.

Figure 1-1 ZXR10 ZSR V2 Configuration Modes

Users can use different configuration modes for different network types. The configuration modes are described below:
- Console port mode: This is the primary configuration mode used by users.
- Telecommunication Network Protocol (TELNET)/Secure Shell (SSH) mode: Users can use this mode to configure the ZXR10 ZSR V2 from any accessible place on a network.
- Trivial File Transfer Protocol (TFTP)/File Transfer Protocol (FTP) mode: Users can use this mode to download/upload router configuration files, and update router configurations.

1.2 Configuring Console Port Connection
This procedure describes how to connect to the ZXR10 ZSR V2 through the Console port.

Steps
1. Configure a Hyperterminal. For how to configure a Hyperterminal, refer to the "Configuring the Device Through a Console Port" section in the ZXR10 M6000 Initial Configuration Guide.
2. (Optional) In the configuration mode, run the login authentication command to enable the Console port connection authentication function.

Caution!
The Console port connection authentication function can be enabled only after a username and password are configured. If the username and password are not configured properly, after the function is enabled, you cannot enter the ZXR10> CLI the next time you connect to the device.

The following example shows how to enable Console port authentication.

ZXR10(config)#login authentication
Warning: Please make sure local or remote authentication is correctly configured.
Are you sure to configure console authentication? [yes/no]:y
ZXR10(config)#
/*Enables the Console port connection authentication function.*/

For how to configure a user name and password used in serial port authentication, refer to 4.2 Configuring User Management.

– End of Steps –

1.3 Configuring Telnet Connection
This procedure describes how to connect to the ZXR10 ZSR V2 through Telnet.

Prerequisite
The local terminal can access the remote router network.

Context
Telnet is used for configuring routers remotely. To prevent unauthorized users from accessing the router through Telnet, a user name and password have to be set on the router for Telnet access. Only a user who has the preset user name and password can access the router. For how to configure a user name and password on the ZXR10 ZSR V2 for Telnet login, refer to 4.2 Configuring User Management.

Steps
1. Connect to the ZXR10 ZSR V2 through Telnet.
   Assume that the IP address of a remote router is 192.168.3.1 and that the local terminal (configured with the Windows XP operating system, for example) can access the remote router network. The operations on the local terminal are as follows:
   a. Start the Run program on the local terminal, and enter the telnet 192.168.3.1 command, see Figure 1-2.

      Figure 1-2 Run Dialog Box

   b. Click OK. The following information is displayed:

      ************************************************************
      Welcome to ZXR10 Intelligent Integrated Multi-Service Router of ZTE Corporation
      ************************************************************

      Login at: 19:46:37 03-24-2014
      Username:who
      Password:
      ZXR10>enable 18
      Password:
      ZXR10#

   c. Enter a user name and a password according to the prompt. Then, you can log in to the remote router.
2. Configure a Telnet connection.

On the ZXR10 ZSR V2, run the following commands to configure optional Telnet parameters:

Command: ZXR10(config)#line console idle-timeout
Function: Configures the maximum idle timeout period of the serial port. Unit: minute, range: 0–1000, default: 30.

Command: ZXR10(config)#line console absolute-timeout
Function: Configures the maximum online timeout period of the serial port. Unit: minute, range: 0–10000, default: 1440.

Command: ZXR10(config)#line telnet idle-timeout
Function: Configures the maximum idle timeout period of Telnet. Unit: minute, range: 0–1000, default: 120.

Command: ZXR10(config)#line telnet absolute-timeout
Function: Configures the maximum online timeout period of Telnet. Unit: minute, range: 0–10000, default: 1440.

Command: ZXR10(config)#line telnet access-class {ipv4 | ipv6}
Function: Configures the name of an Access Control List (ACL) bound to Telnet.

Command: ZXR10(config)#line telnet max-link
Function: Configures the maximum number of Telnet links. Range: 1–15, default: 15.

Command: ZXR10#terminal length
Function: Configures the terminal window height. Unit: line, range: 0–24.

Command: ZXR10#line telnet dscp
Function: Specifies the DSCP value of control plane packets for the IPv4/IPv6 Telnet server. Range: 0–63, default: 48.

Command: ZXR10#telnet {[{[],[],[{vrf | dcn}],[dscp ]}]|[{[],[vrf ],[dscp ]}]}
Function: IPv4 Telnet server as a client. : domain name (Range: 1–128 characters).

Command: ZXR10#telnet6 {[{[interface ],[vrf ],[],[dscp ]}]|[{[vrf ],[],[dscp ]}]}

Command: ZXR10(config)#line telnet server enable [listen {|}]
Function: Allows terminals to log in to this router in Telnet mode, and allows the specification of a port number.

3. (Optional) Run the telnet command on the ZXR10 ZSR V2 to log in to another device through the local client. For the format of the telnet command, refer to the following table:

Command: ZXR10#telnet {[vrf< vrf-name>][][]|[vrf][]}
Function: : Transmission Control Protocol (TCP) port number (range: 0–65535).

4. Verify the configurations.

Command: ZXR10#show terminal
Function: Displays information on the current terminal.

Command: ZXR10#show history
Function: Displays the last ten history commands.

Command: ZXR10#show users
Function: Displays the login user information.

Command: ZXR10#who
Function: Displays the login user information.

5. Maintain Telnet connections.

Command: ZXR10(config)#line telnet server disable
Function: Forbids terminals from logging in to this router in Telnet mode.

Command: ZXR10#clear line vty
Function: Forces the vty user to log out. : specifies the terminal number (range: 0–14).

– End of Steps –

Example
The following provides a Telnet connection configuration example.

- Configuration Description
  It is required to connect a PC to R1 through Telnet, see Figure 1-3.

  Figure 1-3 Telnet Connection Configuration Example

- Configuration Flow
  1. Connect a PC to R1.
  2. Configure Telnet on R1.
  3. Configure an ACL on R1 to filter TCP connections.

- Configuration Commands
  Run the following commands on R1:

  R1(config)#line telnet idle-timeout 120
  R1(config)#line telnet absolute-timeout 1440
  R1(config)#line telnet access-class ipv4 wd
  R1(config)#ipv4-access-list wd
  R1(config-ipv4-acl)#rule permit tcp 169.1.108.82 0.0.0.0 any
  R1(config-ipv4-acl)#exit

- Configuration Verification
  If no ACL is configured, a PC whose IP address is in any network segment can be connected to R1. If an ACL is configured, only PCs whose IP addresses are in the Permit column of the ACL can be connected to R1.

1.4 Configuring SSH Connection
This procedure describes how to connect to the ZXR10 ZSR V2 through SSH.

Prerequisite
The local terminal can access the remote router network.

Context
Secure Shell (SSH) is defined by the IETF Network Working Group. It is a security protocol established on the basis of the application layer and transport layer. Traditional network service programs such as FTP, POP, and Telnet use clear text to transfer data. Therefore, user names and passwords are vulnerable to man-in-the-middle attacks. Compared with traditional network service programs, SSH is more reliable. It provides security for remote login sessions and other network services, and has the following advantages:
- The SSH protocol prevents information leakage in remote management processes.
- The SSH protocol encrypts all transferred data, and prevents DNS spoofing and IP spoofing.
- The SSH protocol transfers compressed data, accelerating transmission.
- The SSH protocol is usually used to replace Telnet, and provides a secure "channel" for FTP, POP, or even PPP.

Steps
1. Configure SSH.

Step: 1
Command: ZXR10(config)#ssh server enable [listen {|}]
Function: Enables the SSH server function, which is disabled by default. Allows the specification of a port number.

Step: 2
Command: ZXR10(config)#ssh server access-class {ipv4 | ipv6}
Function: Binds an ACL for SSH.

Step: 3
Command: ZXR10(config)#ssh server dscp
Function: Specifies the DSCP value of control plane packets for the IPv4/IPv6 SSH server. Default: 48.

Step: 4
Command: ZXR10#ssh encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[{[],[],[vrf ],[dscp ]}]
Function: Enables this router to log in as a client to an IPv4 SSH server in SSH mode.

Step: 5
Command: ZXR10#ssh6 encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[{[],[vrf ],[interface ],[dscp ]}]
Function: Enables this router to log in as a client to an IPv6 SSH server in SSH mode.

2. Maintain SSH.

Command: ZXR10(config)#ssh server disable
Function: Disables the SSH server function.

3. Configure an SSH client.
   The following uses PuTTY as an example to describe how to configure an SSH client.
   a. Start Putty.exe on the SSH host. Type the IP address of the remote router (such as 192.168.5.3) in the Host Name text box, see Figure 1-4.

      Figure 1-4 PuTTY Configuration Dialog Box

   b. Select 2 for the SSH version, see Figure 1-5.

      Figure 1-5 PuTTY Configuration Dialog Box

   c. Click Open. The Login dialog box is displayed. Enter the correct user name and password to log in to the router, and then configure the router in the command line window.

      login as:zte
      Further authentication required
      [email protected]'s password:
      ************************************************************
      Welcome to ZXR10 Intelligent Integrated Multi-Service Router of ZTE Corporation
      ************************************************************

      ZXR10#

4. Verify the configurations.

Command: ZXR10#show ssh
Description: Shows the configuration state of SSH.

– End of Steps –

Example
The following provides an SSH configuration example.

- Configuration Description
  It is required to connect a PC to R1 through SSH, see Figure 1-6.

  Figure 1-6 SSH Configuration Example

- Configuration Flow
  1. Connect a PC to R1.
  2. Configure SSH on R1.
  3. Configure an ACL on R1 to filter connections.

- Configuration Commands
  Run the following commands on R1:

  R1(config)#ssh server enable
  R1(config)#ssh server access-class ipv4 wd
  R1(config)#ipv4-access-list wd
  R1(config-ipv4-acl)#rule permit tcp 169.1.108.82 0.0.0.0 any
  R1(config-ipv4-acl)#exit

- Configuration Verification
  If no ACL is configured, a PC whose IP address is in any network segment can be connected to R1. If an ACL is configured, only PCs whose IP addresses are in the Permit column of the ACL can be connected to R1.

1.5 FTP Connection Configuration

1.5.1 Configuring the ZXR10 ZSR V2 as an FTP Server
This procedure describes how to configure the ZXR10 ZSR V2 as an FTP server.

Prerequisite
The local terminal can access the remote router network.

Steps
1. Enable the FTP server function.

Command: ZXR10(config)#ftp-server enable [listen ]
Function: Enables the FTP server function, and listens on the specified port. The port range is 21 or 2401–2420.

2. Configure other FTP attributes.

Command: ZXR10(config)#ftp-server top-directory [{read-only |{[read-write],[copy]}}]
Function: Sets the top-level directory that the FTP server allows users to access through FTP. By default, the directory is /datadisk0/.

Command: ZXR10(config)#ftp-server access-class [ipv6]
Function: Binds an ACL to the FTP server.

Command: ZXR10(config)#ftp-server max-login
Function: Configures the maximum number of online users of the FTP server.

For how to configure an FTP server user name and password, refer to “Chapter 4 User Management”.

3. Verify the configurations.

Command: ZXR10#show ftp-server
Function: Shows the configuration information on the FTP server.

4. Maintain the FTP Server.

Command: ZXR10(config)#ftp-server kick-user
Function: Disconnects a currently online user. The parameter value is an online user ID.

– End of Steps –

Example
The following gives an FTP server configuration example.

- Configuration Description
  As shown in Figure 1-7, ZXR10 ZSR V2 is connected to a PC and operates as an FTP server. The PC functions as an FTP client that uploads and downloads files.

  Figure 1-7 FTP Server Configuration Example

- Configuration Flow
  1. Enable the FTP server function and listening port 21 of the ZXR10 ZSR V2.
  2. Set the FTP server root directory to /datadisk0/LOG/.
  3. Set both the FTP server user name and password to zte.
  4. Upload and download files through the FTP server to verify the FTP server function.

- Configuration Commands
  The configuration flow on the ZXR10 ZSR V2 is shown below. For how to configure an FTP server user name and password, refer to “Chapter 4 User Management”.

  R1#configure terminal
  Enter configuration commands, one per line.End with CTRL/Z.
  R1(config)#ftp-server enable
  R1(config)#ftp-server top-directory /datadisk0/LOG/

1.5.2 Configuring the ZXR10 ZSR V2 as an FTP Client
This procedure describes how to configure the ZXR10 ZSR V2 as an FTP client.

Prerequisite
The ZXR10 ZSR V2 can access the FTP server network.

Steps
1. Configure and start an FTP server.
   The following takes the WFTPD FTP server software as an example to describe how to configure an FTP server.
   a. Run wftpd32.exe. The WFTPD window is displayed, see Figure 1-8.


Figure 1-8 WFTPD Window

   b. Select Security > User/Rights…. The User/Rights Security dialog box is displayed, see Figure 1-9.

Figure 1-9 User/Rights Security Dialog Box

   c. Perform the following steps in the User/Rights Security dialog box.
      i. Click New User… to create a new user such as target, and set a password.
      ii. Select target from the User Name drop-down list.
      iii. Type a directory such as D:\IMG in the Home Directory text box for saving version files or configuration files.
      After the configuration is completed, the user name and home directory are displayed in the User/Rights Security dialog box, see Figure 1-10.


Figure 1-10 User/Rights Security Dialog Box

   d. Click Done in Figure 1-10 to start the FTP server.

2. Upload and download a file through the router, which acts as an FTP client.

Command: ZXR10#ftp-client source-ip {ipv4 | ipv6 [interface ]}
Function: Configures the source address for copying files when the ZXR10 ZSR V2 functions as an FTP client.

Command: ZXR10#copy ftp [vrf ] //HOST/filename@username:password root: filename or directory&filename [][ipaddr][interface ]
Function: Downloads a file from an FTP server to the local client.

Command: ZXR10#copy ftp [vrf ] root: filename or directory&filename //HOST/filename@username:password [][ipaddr][interface ]
Function: Uploads a local file to an FTP server.

– End of Steps –

Example
The following example describes how to download or upload a file when the ZXR10 ZSR V2 functions as an FTP client.

A user whose user name is who and password is who uploads the startrun.dat file from the /sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the FTP server whose IP address is 192.168.109.6.

    ZXR10#copy ftp root:/sysdisk0/DATA0/startrun.dat //192.168.109.6/startrun1.dat@who:who
    Start copying file

    Put file successfully!sent 3492803 bytes!!

A user whose user name is who and password is who downloads the startrun.dat file from the FTP server whose IP address is 192.168.109.6, and renames the file as startrun.bak.

    ZXR10#copy ftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak
    Start copying file

    Got file successfully!Received 3492803 bytes!!

1.6 Configuring TFTP Connection
By means of TFTP, router version files and configuration files can be backed up and restored.

Prerequisite
The ZXR10 ZSR V2 can access the TFTP server network as a TFTP client.

Steps
1. Configure and start a TFTP server.
   The following takes the TFTP server software tftpd as an example to describe how to configure a TFTP server.
   a. Run tftpd.exe. The TFTP server window is displayed, see Figure 1-11.

      Figure 1-11 TFTP Server Window

   b. Select Tftpd > Configure. The Tftpd Settings dialog box is displayed. Click Browse in the dialog box, and select a directory (such as the IMG directory on Disk D) to save version files or configuration files, see Figure 1-12.


Figure 1-12 Tftpd Settings Dialog Box

   c. Click OK to complete the setting.

2. Upload and download a file through the TFTP client.

Command: ZXR10#copy tftp [ipv6][vrf ] //HOST/filename root: filename or directory []
Function: Downloads a file from a TFTP server to the local router.

Command: ZXR10#copy tftp [ipv6][vrf ] root: filename or directory //HOST/filename []
Function: Uploads a file from the local router to a TFTP server.

– End of Steps –

Example
The following example describes how to upload the startrun.dat file from the datadisk0 directory of the ZXR10 ZSR V2 file system to the TFTP server whose IP address is 192.168.4.244.

    ZXR10#copy tftp root: /datadisk0/startrun.dat //192.168.4.244/startrun.dat
    Starting copying file
    .
    File copying successfully.

The following example describes how to download the file startrun.dat from the TFTP server whose IP address is 192.168.4.244, and to rename the file as startrun.bak.

    ZXR10#copy tftp //192.168.4.244/startrun.dat root: /datadisk0/startrun.bak
    Starting copying file
    .
    File copying successfully.


1.7 SFTP Connection Configuration

1.7.1 Configuring the ZXR10 ZSR V2 as an SFTP Server
This procedure describes how to configure the ZXR10 ZSR V2 as an SFTP server.

Prerequisite
The local terminal can access the remote router network.

Steps
1. Configure an SFTP server.

Command: ZXR10(config)#sftp-server top-directory
Function: Sets the top-level directory that the SFTP server allows users to access.

For how to configure a login user name and password of an SFTP server, refer to “Chapter 4 User Management”.

2. Verify the configurations.

Command: ZXR10#show sftp-server
Function: Displays configuration information on the SFTP server.

– End of Steps –

Example
The following gives an example of how to configure an SFTP server.

Configuration Description
When the ZXR10 ZSR V2 functions as an SFTP server, the client can be a PC or another type of device that supports the SFTP client function. Two ZXR10 ZSR V2s are connected, one functioning as an SFTP server, the other as an SFTP client that downloads files from the server, see Figure 1-13.

Figure 1-13 SFTP Server Configuration Example

Configuration Flow
1. On the SFTP server, enable the SSH function, and configure a listening port.
2. On the SFTP server, set the root directory of SFTP to /datadisk0/BAK/.
3. On the SFTP server, configure the zte user name and password.
4. Download a file from the SFTP server to verify the SFTP server function.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2. For how to configure a user name and password, refer to “Chapter 4 User Management”.

    /*The configuration commands on the SFTP server are as follows:*/
    R1#configure terminal
    R1(config)#ssh server enable listen 49152
    R1(config)#sftp-server top-directory /datadisk0/BAK/

    R1#dir BAK
    Directory of MPFU-8/0: /datadisk0/BAK
    897636 KB total (892760 KB free)
         attribute  size  date        time   name
    1               160   01-15-2014  08:43  .
    2               160   01-15-2014  08:43  ..
    3    ----       615   01-15-2014  15:08  0130.txt

    /*Downloads a file on the SFTP client.*/
    R2#copy sftp vrf mng //169.1.219.14/0130.txt@zte:zte root: /datadisk0/0130.txt encrypt 3des compress zlib mac md5 49152
    Start copying file
    .
    Got file successfully!

1.7.2 Configuring the ZXR10 ZSR V2 as an SFTP Client
This procedure describes how to configure the ZXR10 ZSR V2 as an SFTP client.

Prerequisite
The ZXR10 ZSR V2 can access the SFTP server network.

Steps
1. Configure an SFTP server.
   Start the SFTP server software. Functioning as a client, the ZXR10 ZSR V2 communicates with the SFTP server.
2. Upload or download a file through the ZXR10 ZSR V2.


Command: ZXR10#copy sftp [vrf ] //HOST/filename@username:password root: filename or directory&filename encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[][ipaddr][interface ]
Function: Downloads a file from the SFTP server to the local SFTP client.

Command: ZXR10#copy sftp [vrf ] root: filename or directory&filename //HOST/filename@username:password encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[][ipaddr][interface ]
Function: Uploads a file from the local SFTP client to the SFTP server.

– End of Steps –

Example
A user whose user name is who and password is who uploads the startrun.dat file in the /sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the SFTP server whose IP address is 192.168.109.6. The encryption algorithm is aes128, compression algorithm is zlib, and MAC check method is sha1.

    ZXR10#copy sftp root:/sysdisk0/DATA0/startrun.dat //192.168.109.6/startrun1.dat@who:who encrypt aes128 compress zlib mac sha1
    Start copying file
    ...
    Put file successfully!

A user whose user name is who and password is who downloads the startrun.dat file from the SFTP server whose IP address is 192.168.109.6, and renames the file as startrun.bak. The encryption algorithm is aes128, compression algorithm is zlib, and MAC check method is sha1.

    ZXR10#copy sftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak encrypt aes128 compress zlib mac sha1
    Start copying file
    ...
    Got file successfully!
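The copy commands in sections 1.5 to 1.7 carry the user name and password inline, and the FTP and TFTP forms transfer data in clear text. The following added example (not part of the ZTE guide) audits such command lines, using the commands shown in this chapter as input, and masks the password before a line is stored or shared. The function names, the issue codes and the choice of which encrypt and mac values count as weak are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Keywords are the ones listed in the copy sftp syntax above. Treating these
# values as weak is this example's judgement, not a statement from the guide.
WEAK_ENCRYPT = {"none", "3des", "blowfish"}
WEAK_MAC = {"none", "md5"}
CLEARTEXT_PROTOCOLS = {"ftp", "tftp"}
CONFIG_FILE = "startrun.dat"   # text configuration file named in this guide

COPY_RE = re.compile(r"^(?:\S+#)?\s*copy\s+(?P<proto>ftp|tftp|sftp)\s+(?P<rest>.+)$")
# //HOST/filename with an optional @username:password suffix
REMOTE_RE = re.compile(
    r"//(?P<host>[^/\s]+)/(?P<path>[^@\s]+)"
    r"(?:@(?P<user>[^:\s]+):(?P<password>\S+))?"
)
OPTION_RE = re.compile(r"\b(encrypt|mac)\s+(\S+)")


@dataclass
class CopyAudit:
    protocol: str
    direction: str            # seen from the router: "upload" or "download"
    host: str
    user: Optional[str]
    redacted: str             # original line with the password masked
    issues: List[str] = field(default_factory=list)


def redact(line: str) -> str:
    """Mask the password in //HOST/filename@username:password."""
    def mask(m):
        if m.group("password") is None:
            return m.group(0)
        return m.group(0)[: m.start("password") - m.start(0)] + "***"
    return REMOTE_RE.sub(mask, line)


def audit_copy(line: str) -> Optional[CopyAudit]:
    """Audit one copy ftp|tftp|sftp line; return None for any other line."""
    m = COPY_RE.match(line.strip())
    remote = REMOTE_RE.search(m.group("rest")) if m else None
    if remote is None:
        return None
    proto, rest = m.group("proto"), m.group("rest")
    # The remote spec comes first for a download and after root: for an upload.
    root_at = rest.find("root:")
    direction = "upload" if 0 <= root_at < remote.start() else "download"
    audit = CopyAudit(proto, direction, remote.group("host"),
                      remote.group("user"), redact(line.strip()))
    if proto in CLEARTEXT_PROTOCOLS:
        audit.issues.append("cleartext-protocol")
        if CONFIG_FILE in rest:
            audit.issues.append("config-file-over-cleartext")
    password = remote.group("password")
    if password is not None:
        audit.issues.append("inline-password")
        if password == remote.group("user"):
            audit.issues.append("password-equals-username")
    if proto == "sftp":
        options = dict(OPTION_RE.findall(rest))
        if options.get("encrypt") in WEAK_ENCRYPT:
            audit.issues.append("weak-cipher:" + options["encrypt"])
        if options.get("mac") in WEAK_MAC:
            audit.issues.append("weak-mac:" + options["mac"])
    return audit


# Command lines copied from the examples in sections 1.5 to 1.7 of this guide.
SAMPLE_LINES = [
    "ZXR10#copy ftp root:/sysdisk0/DATA0/startrun.dat //192.168.109.6/startrun1.dat@who:who",
    "ZXR10#copy tftp //192.168.4.244/startrun.dat root: /datadisk0/startrun.bak",
    "R2#copy sftp vrf mng //169.1.219.14/0130.txt@zte:zte root: /datadisk0/0130.txt "
    "encrypt 3des compress zlib mac md5 49152",
    "ZXR10#copy sftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak "
    "encrypt aes128 compress zlib mac sha1",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        result = audit_copy(sample)
        print(result.redacted)
        print("   ", result.direction, "->", ", ".join(result.issues) or "no findings")
```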


Chapter 2 File System Management

Table of Contents
File System Overview
Configuring File System Management
File System Management Configuration Examples

2.1 File System Overview
The file system consists of a Flash, a BOOT and an NVRAM. In addition, there are two USB interfaces on the front panel of the Main Processing Unit (MPFU), which can be used to back up or add configuration files, version files, and log files quickly and conveniently.

Flash
The Flash stores version files, data files, system breakdown files, and operation logs. It has two partitions, which are mapped to the /sysdisk0 and /datadisk0 folders under the root directory of the Linux system respectively.

- /sysdisk0 partition: This is the system partition that stores version files, important log files, and data files. Users have the read permission, but do not have the write permission. Users cannot delete and rename files, but can view files by running the more command. The /sysdisk0 partition does not support the format operation.
  - /sysdisk0/DATA0: stores the startrun.dat text configuration file. The startrun.dat file is a configuration file in command line form, which is saved when the write command is run. When loading is performed, the system reads the startrun.dat file from the /sysdisk0/DATA0 folder, and loads configurations in command line form. To upgrade the system, the startrun download command can be executed to load configuration from the local device or from the network.
  - System breakdown files and exception log files: system breakdown files include the Exc_Omp.txt and Exc_pp.txt files in the /sysdisk0/run_log directory and the files in the /sysdisk0/run_log/EXCINFO directory.
- /datadisk0 partition: This is the data partition that stores log files and data files relevant to users' routine operations and maintenance as well as data files stored by users as needed. Users have read and write permissions. Service and alarm log files are stored in the /datadisk0/LOG directory, but the command log file (that is, the cmdlog file) is stored in the /sysdisk0/usrcmd_log/ directory.


BOOT
The BOOT is used to save the OSIMAGE file for initializing boards and booting MPUs.

NVRAM
The NVRAM is used to save booting information, including the IP address of the device management port, IP address of an FTP server, and configuration loading mode.

2.2 Configuring File System Management
This procedure describes how to manage files and directories, format the hard disk user partition, and save configuration information on the ZXR10 ZSR V2.

Steps
- Manage files and directories.

  Command: ZXR10#dir [|[]]
  Function:
  - If no parameter is entered, the information list of the files under the current directory is displayed.
  - If parameters are entered, the information list of the files under the specified directory or the specified file is displayed.

  Command: ZXR10#pwd
  Function: Displays the current file path of this terminal.

  Command: ZXR10#cd []
  Function: Switches to another file directory.

  Command: ZXR10#mkdir []
  Function: Creates a directory. If the directory already exists, an error prompt is returned.

  Command: ZXR10#rmdir []
  Function: Deletes the specified directory. If there is a file in this directory, the deletion fails.

  Command: ZXR10#delete []
  Function: Deletes the specified file.

  Command: ZXR10#cp [][]
  Function: destination directory.

  Command: ZXR10#more [][|{begin | exclude | include}]
  Function: Displays the content of the specified file. "|" is the output flag.

  : file name (range: 1–79 characters), path/file name (range: 1–159 characters), directory name (range: 1–79 characters), or path/directory name (range: 1–159 characters).
  : CPU name, default: the current board, format: [MPFU-/]. "", and "" are the slot number, and CPU number respectively.
  : directory name (range: 1–79 characters) or path/directory name (range: 1–159 characters).
  : file name (range: 1–79 characters) or path/file name (range: 1–159 characters)
  : source file name (range: 1–79 characters) or path/file name (range: 1–159 characters)
  : destination file name (range: 1–79 characters) or path/file name (range: 1–159 characters)
  {begin | exclude | include}: regular expression.
  - begin: displays the configurations that start with the input character string.
  - include: displays the configurations that include the character string.
  - exclude: displays the configurations that do not include the character string.
  - : configures the filtering character string.

- Modify the configuration loading mode when the ZXR10 ZSR V2 starts up.

  Command: ZXR10(config)#load-mode null
  Function: Configures the power-on loading mode to start without a load.

- Save configurations.

  Command: ZXR10#write
  Function: Configures the information save mode.

– End of Steps –

2.3 File System Management Configuration Examples

2.3.1 File System Configuration Example
Enter the datadisk0 directory, as shown below.

    ZXR10#cd /datadisk0

Display the current path, as shown below.

    ZXR10#pwd
    MPFU-8/0: /datadisk0

List files in the current directory, as shown below.

    ZXR10#dir
    Directory of MPFU-8/0: /datadisk0
    897636 KB total (892760 KB free)
         attribute  size  date        time   name
    1               424   01-15-2014  08:43  .
    2               424   01-15-2014  08:43  ..
    3               160   01-15-2014  08:43  BAK
    4               416   01-02-2014  07:03  LOG
    5               160   01-02-2014  07:03  license
    ZXR10#

Delete files in the directory, as shown below.

    ZXR10#delete /datadisk0/techspt/techspt_cpu-info.txt
    Are you sure to delete file(s)?[yes/no]:y
    Delete file(s) successfully.

Delete the techspt_cpu-info.txt file in the /datadisk0/techspt directory, as shown below.

    ZXR10#delete techspt_cpu-info.txt
    Are you sure to delete file(s)?[yes/no]:y
    Delete file(s) successfully.

Rename “test” to “test_new”, as shown below.

    ZXR10#rename test test_new
    Rename successfully.

2.3.2 Configuration Example of Backing Up a Configuration File on a USB Flash Drive
1. Insert a USB flash drive into a USB interface on the MPU. Then, the system automatically mounts the USB flash drive. Run the show filesystem command to view the USB path.

    ZXR10#show filesystem
    MPFU-8/0: /sysdisk0 /datadisk0 /usb1:1

2. View files in the USB flash drive.

    ZXR10#dir /usb1:1
    Directory of MPFU-8/0: /usb1:1
    3739652 KB total (3482228 KB free)
         attribute  size    date        time   name
    1               4096    07-25-2012  19:20  .
    2               4096    07-25-2012  19:20  ..
    3    ----       261304  07-23-2012  14:56  techspt_basic-info.txt
    4               4096    07-25-2012  19:39  1

3. Run the cp command to copy the startrun.dat configuration file to the USB flash drive.

    ZXR10#cp /sysdisk0/DATA0/startrun.dat /usb1:1/startrun.dat
    Copy file successfully.

4. After the backup is completed, run the umount command, and then remove the USB flash drive.

    ZXR10#umount usb1
    MPFU-8/0: usb1 unmounted successfully!


Chapter 3 MIM Configuration

Table of Contents
MIM Overview
Configuring MIM

3.1 MIM Overview
The Management Information Model (MIM) refers to storing configuration data according to an information model established for service configuration data, checking object operations according to the model definition, and performing object operations to modify configuration data. The MIM subsystem meets the unified requirements for configuration terminal command processing interfaces, such as commit, rollback, and CLI/SNMP.

As more and more configuration terminals come into being, the configuration modification of each Application (APP) needs to support multiple types of configuration terminals. Before the MIM channel is used, an APP has a dedicated configuration processing flow for each type of configuration terminal.

As shown in Figure 3-1, MIM is an extension of the existing OAM configuration command processing function. First, various types of configuration commands modify MIM data, and then MIM sends configuration modification commands to the APP. The APP does not need to be aware of the type of configuration terminal that a configuration command comes from; it only needs to provide a program for processing MIM object operations.

Figure 3-1 MIM Application

3.2 Configuring MIM
This procedure describes how to configure the MIM function on the ZXR10 ZSR V2.


Steps
1. Configure MIM.

Command: ZXR10#configure exclusive
Function: Configures the exclusive function.

Command: ZXR10#commit-mode {automatic | manual}
Function: Sets the commit mode (automatic-commit mode or manual-commit mode) for configuration commands. Default: automatic-commit.

Command: ZXR10#commit
Function: Commits the configuration.

Command: ZXR10#rollback
Function: Rolls back a configuration that has not been committed or has failed to be committed.

Note: If a terminal is configured with the manual-commit mode and has configurations that have not been committed, normal configuration of other terminals may be affected.

2. Verify configurations.

Command: ZXR10#show commit-mode
Function: Displays the commit mode.

Command: ZXR10#show uncommitted-command
Function: Displays all the uncommitted commands of the current configuration terminal.

Command: ZXR10#show commit-failed
Function: Displays the configuration commands that the current terminal has failed to commit in manual-commit mode.

Command: ZXR10#show configure exclusive
Function: Displays exclusive information.

– End of Steps –

Example
The following provides a MIM configuration example.

Configuration Description
Enter a batch of configuration commands by running a script. Take care to avoid configuration collision.

Configuration Flow
1. Configure the exclusive function to avoid collision.
2. Change the command commit mode to the manual mode.
3. Enter configuration commands by running a script.
4. Commit the commands.

Configuration Commands

    ZXR10#configure exclusive
    ZXR10#conf t
    Enter configuration commands, one per line. End with CTRL/Z.
    ZXR10(config)#mu c
    %Info 140359: Allow others to configure, must avoid conflict.
    ZXR10(config)#commit-mode manual
    /*Enters configuration commands by running a script. The process is omitted.*/
    ZXR10(config)#commit

Configuration Verification
Check whether all the commands have been committed and become effective by running the show command.


Chapter 4 User Management

Table of Contents
User Management Overview
Configuring User Management
User Management Configuration Examples

4.1 User Management Overview
To maintain and manage the ZXR10 ZSR V2, users need to log in to it in SSH, Telnet, or FTP mode. User management implements the configuration, authentication, and authorization of users who have logged in to the ZXR10 ZSR V2. The user-name command is used to configure or delete users. By running the user-name command, you can configure user names and passwords (clear text passwords 3–32 bits long or cipher text passwords 64 bits long).

By configuring functions related to Authentication, Authorization and Accounting (AAA), user management provides user authentication and authorization in the following modes:
- None-authentication and none-authorization
- Local authentication and authorization
- Remote Authentication Dial In User Service (RADIUS) authentication and authorization
- Terminal Access Controller Access-Control System Plus (TACACS+) authentication and authorization
- RADIUS hybrid authentication and authorization
- TACACS+ hybrid authentication and authorization

When a user logs in to the ZXR10 ZSR V2 through SSH, Telnet, or FTP, user management queries the authentication template corresponding to the user to obtain the authentication mode, and authenticates the user. If the authentication is passed, the user is authorized. If the authentication fails, user management returns failure information. After the user passes the authentication, user management authorizes the user.

After the user successfully logs in and is authorized, user management displays a command view according to the user's privilege level. Therefore, the user cannot view or run commands with privilege levels higher than the user's privilege level, but can view and run commands with privilege levels lower than or equal to the user's privilege level. The local-privilege-level command is used to set user privilege levels, which range from level 0 (the lowest level) to level 15 (the highest level), and are level 0 by default.


4.2 Configuring User Management
This procedure describes how to configure user management functions.

Steps
1. Enter ADM_MGR configuration mode, and configure user management parameters.

Step 1
Command: ZXR10(config)#system-user
Function: Enters user management configuration mode.

Step 2
Command: ZXR10(config-system-user)#default-privilege-level
Function: Configures the default privilege level.

Step 3
Command: ZXR10(config-system-user)#strong-password length character {[capital][lowercase][number][special-character]}
Function: Configures a strong password. Range: 6–32 characters. A password needs to contain any one type or several types of the following characters: uppercase letters, lowercase letters, numbers, and special characters.

Step 4
Command: ZXR10(config-system-user)#user-authen-restriction fail-time lock-minute
Function: Locks the user after user authentication has failed consecutively. Range of the number of failure times: 3–6, range of locking time period: 1–1440 min.

Step 5
Command: ZXR10(config-system-user)#global-enable-type {aaa|local} authentication-template
Function: Configures the global-enable mode for users.

Step 6
Command: ZXR10(config-system-user)#account-switch {off | on accounting-template }
Function: Configures the global accounting mode.

Step 7
Command: ZXR10(config-system-user)#user-default
Function: Enters the default user configuration mode.

Step 8
Command: ZXR10(config-system-user)#user-group special {| encrypted }
Function: Configures user group information.

Step 9
Command: ZXR10(config-system-user)#login ascii authentication-template authortication-template
Function: Configures the ASCII authentication template.

2. Configure an authentication template.


Step 1
Command: ZXR10(config)#aaa-authentication-template
Function: Configures an AAA authentication template, and enters the configuration mode of this template.

Step 2
Command: ZXR10(config-aaa-authen-template)#aaa-authentication-type {none | local | radius | local-radius | radius-local | radius-none | local-tacacs | tacacs | tacacs-local | tacac-none| diameter}
Function: Configures an authentication type under the AAA authentication template.

Step 3
Command: ZXR10(config)#system-user
Function: Enters user management configuration mode.

Step 4
Command: ZXR10(config-system-user)#authentication-template
Function: Configures a user management authentication template, and enters the configuration mode of this template.

Step 5
Command: ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template
Function: Binds an AAA authentication template in the configuration mode of the user management authentication template.

Step 6
Command: ZXR10(config-system-user-authen-temp)#bind access-list ipv4/ipv6
Function: Binds an ACL template in the configuration mode of the user management authentication template.

Step 7
Command: ZXR10(config-system-user-authen-temp)#description
Function: Adds description information on the user management authentication template in the configuration mode of the user management authentication template.

3. Configure an authorization template.

Step 1
Command: ZXR10(config)#aaa-authorization-template
Function: Configures an AAA authorization template, and enters the configuration mode of this template.

Step 2
Command: ZXR10(config-aaa-author-template)#aaa-authorization-type {none | local-radius | local-tacacs | local | radius | tacacs | tacacs-local | radius-local }
Function: Configures an authorization type under the AAA authorization template.

Step 3
Command: ZXR10(config)#system-user
Function: Enters user management configuration mode.

Step 4
Command: ZXR10(config-system-user)#authorization-template
Function: Configures a user management authorization template, and enters the configuration mode of this template.

Step 5
Command: ZXR10(config-system-user-author-temp)#bind aaa-authorization-template
Function: Binds an AAA authorization template in the configuration mode of the user management authorization template.

Step 6
Command: ZXR10(config-system-user-author-temp)#local-privilege-level
Function: Configures a local authorization level in the configuration mode of the user management authorization template.

Step 7
Command: ZXR10(config-system-user-author-temp)#description
Function: Adds description information on the user management authorization template in the configuration mode of the user management authorization template.

Step 8
Command: ZXR10(config-system-user-author-temp)#local-cmdgroup
Function: Binds a local command group to the authorization template.

Step 9
Command: ZXR10(config-system-user-author-temp)#local-cmdgroup-mode exclusive
Function: Defines the command group use mode as exclusive mode. Default: appending mode.

Step 10
Command: ZXR10(config-system-user-author-temp)#log file-allowed {cmd-log | alarm-log | nat-log | li-log | service-log}[{read-only | none |read-write|copy}]
Function: Configures the types of logs that the authorization template is allowed to access and access privileges.

Step 11
Command: ZXR10(config-system-user-author-temp)#ftp top-directory [{read-only |read-write|copy}]
Function: Configures the top directory that the authorization template is allowed to access through FTP and access privileges.

Step 12
Command: ZXR10(config-system-user-author-temp)#sftp top-directory {read-only |read-write|copy}
Function: Configures the top directory that the authorization template is allowed to access through SFTP and access privileges.


4. Create a user, and bind an authentication template and authorization template.

Step 1
Command: ZXR10(config-system-user)#user-name
Function: Configures a user name, and enters user name configuration mode.

Step 2
Command: ZXR10(config-system-user-username)#bind authentication-template
Function: Binds a user management authentication template.

Step 3
Command: ZXR10(config-system-user-username)#bind authorization-template
Function: Binds a user management authorization template.

Step 4
Command: ZXR10(config-system-user-username)#password {|encrypted }
Function: Configures a password.

Step 5
Command: ZXR10(config-system-user-username)#password-recover-remind
Function: Configures information for password recovery.

Step 6
Command: ZXR10(config-system-user-username)#password-duration
Function: Configures a password validity period. The parameter 0 indicates that the password never expires. Range: 90–360 days.

Step 7
Command: ZXR10(config-system-user-username)#once-password
Function: Configures a rule that a password should be changed at the first login.

5. Configure other parameters in global mode.

Command: ZXR10(config)#enable secret level {0 | 5 |}
Function: Sets passwords of all login privilege levels.

Command: ZXR10(config)#login block attempts within
Function: Configures and activates the remote login anti-attack monitoring function.

Command: ZXR10(config)#login quiet-mode < ipv4-access-list | ipv6-access-list >
Function: Configures an ACL for the quiet period.

Command: ZXR10(config)#login on-failure alarm [every ]
Function: Configures generating log information or Trap information when failed login attempts exist.

6. Verify the configurations.

Command: ZXR10#show running-config adm-mgr [all]
Function: Displays user management configurations.

Command: ZXR10#show user-group [special ]
Function: Displays configured user group information.

Command: ZXR10#show authen-restriction userinfo
Function: Displays information on locked users and users who have failed authentication. The information includes user names, numbers of authentication failure times, status (locked or not locked), and remaining locking time.

Command: ZXR10#show login
Function: Displays configurations of the anti-attack monitoring function.

Command: ZXR10#show login state [{[telnet]|[ssh]|[ftp]}]
Function: Displays the status of the anti-attack monitoring function and its statistical information.

Command: ZXR10#show login failure [{[telnet]|[ssh]|[ftp]}]
Function: Displays information on failed login attempts of the anti-attack monitoring function.

– End of Steps –

Example
The user-password recover-remind command that is used to configure user password recovery reminders is an interactive command. The following provides examples of this command.

eg1:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:***
ZXR10(config-system-user)#

eg2:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
%Error 59958: Password is wrong!
ZXR10(config-system-user)#

eg3:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:question is 012345678901234567890124567890123456789
%Error 59959: Question has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#

eg4:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:zte 01234567890123456789012345678901234567890123456
%Error 59960: Answer has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#

Descriptions of the command output:

Command Output: password is:
Description: Requires the input of the password corresponding to the user name. A clear text password consists of 3–32 characters, and is displayed as ***. If the password is correct, continues to run the command. If the password is incorrect, displays an error, and ends the command.

Command Output: question:
Description: Requires the input of a prompt question for password recovery. The question can consist of a maximum of 50 characters including spaces, but cannot exclusively consist of spaces or include any question mark. If the question has more than 50 characters, displays an error prompt. If the question is normal, continues to run the command.

Command Output: answer:
Description: Requires the input of an answer for password recovery. The answer can consist of a maximum of 50 characters including spaces, but cannot exclusively consist of spaces or include any question mark. If the answer has more than 50 characters, displays an error prompt. If the answer is normal, continues to run the command.

4.3 User Management Configuration Examples

4.3.1 Local Authentication and Authorization User Configuration Example

Configuration Description
As shown in Figure 4-1, a PC logs in to the router through a serial port or Telnet, enters configuration mode, and creates a user who uses local authentication mode.

Figure 4-1 Local Authentication and Authorization Configuration

Configuration Flow
1. Configure an authentication template.
2. Configure an authorization template.
3. Create a user, and bind the authentication and authorization templates.

Configuration Command
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit

R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type local
R1(config-aaa-author-template)#exit

R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit

R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit

R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit

4.3.2 RADIUS-LOCAL Authentication and Authorization User Configuration Example

Configuration Description
As shown in Figure 4-2, a PC logs in to the router through a serial port or Telnet, enters configuration mode, and creates a user who uses RADIUS-local authentication mode.

Figure 4-2 RADIUS-LOCAL Authentication and Authorization User Configuration

Configuration Flow
1. Configure a RADIUS group.
2. Configure an authentication template.
3. Configure an authorization template.
4. Create a user, and bind the authentication and authorization templates.

Configuration Command
/*This configures radius*/
R1(config)#radius authentication-group 1
R1(config-authgrp-1)#server 1 10.1.1.1 master key zte
R1(config-authgrp-1)#nas-ip-address 10.1.1.100
R1(config-authgrp-1)#algorithm round-robin
R1(config-authgrp-1)#max-retries 3
R1(config-authgrp-1)#timeout 30
R1(config-authgrp-1)#deadtime 0
R1(config-authgrp-1)#exit

/*This configures authentication template.*/
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type radius-local
R1(config-aaa-authen-template)#authentication-radius-group 1
R1(config-aaa-authen-template)#exit

/*This configures authorization template.*/
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type radius-local
R1(config-aaa-author-template)#authorization-radius-group 1
R1(config-aaa-author-template)#exit

R1(config)#system-user
/*This binds authentication template.*/
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit

/*This binds authorization template.*/
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit

/*This creates user.*/
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit

4.3.3 TACACS+ Authentication and Authorization User Configuration Example

Configuration Description
As shown in Figure 4-3, a PC logs in to the router through a serial port or Telnet, enters configuration mode, and creates a user who uses TACACS+ authentication mode.

Figure 4-3 TACACS+ Authentication and Authorization User Configuration

Configuration Flow
1. Configure a TACACS+
2. Configure an authentication template.
3. Configure an authorization template.
4. Create a user, and bind the authentication and authorization templates.

Configuration Command
R1(config)#tacacs enable
R1(config)#tacacs-server host 10.1.1.1 key zte
R1(config)#tacplus group-server ztegroup
R1(config-sg)#server 10.1.1.1
R1(config-sg)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type tacacs
R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup
R1(config-aaa-authen-template)#exit

R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type tacacs
R1(config-aaa-author-template)#authorization-tacacs-group ztegroup
R1(config-aaa-author-template)#exit

R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit

R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit

R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
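
Examples 4.3.1 to 4.3.3 share one indirection: a user binds a system-user template, which binds an AAA template, which carries the authentication or authorization type. The following Python example is added here and is not ZTE code; it resolves that chain from a command transcript and reports bindings that point at undefined templates. The transcript and the user "ops" are constructed, and only the commands shown in this chapter are parsed.

```python
import re

# Constructed transcript in the guide's prompt/command syntax (not a device capture).
# User "ops" is a hypothetical account whose bindings do not resolve.
SAMPLE = """\
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type radius-local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type radius-local
R1(config-aaa-author-template)#exit
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#authorization-template 2
R1(config-system-user-author-temp)#bind aaa-authorization-template 2002
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#exit
R1(config-system-user)#user-name ops
R1(config-system-user-username)#bind authentication-template 3
R1(config-system-user-username)#bind authorization-template 2
R1(config-system-user-username)#exit
"""

# "<host>(<mode>)#<command>" as printed in the guide's examples.
PROMPT = re.compile(r"^\S+?\(([\w-]+)\)#\s*(.*)$")
KINDS = ("authentication", "authorization")


def parse(transcript):
    """Return (aaa, templates, users) built from the transcript."""
    aaa = {k: {} for k in KINDS}        # AAA template id -> {"type": ...}
    templates = {k: {} for k in KINDS}  # system-user template id -> {"aaa", "level"}
    users, ctx = {}, None               # ctx: the object the current sub-mode edits
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        words = m.group(2).split() if m else []
        if len(words) < 2:
            continue
        mode, cmd, arg = m.group(1), words[0], words[-1]
        if mode == "config-system-user" and cmd == "user-name":
            ctx = users.setdefault(arg, {k: None for k in KINDS})
        elif (mode == "config-system-user-author-temp" and ctx is not None
              and cmd == "local-privilege-level" and arg.isdigit()):
            ctx["level"] = int(arg)
        for kind in KINDS:
            if mode == "config" and cmd == f"aaa-{kind}-template":
                ctx = aaa[kind].setdefault(arg, {"type": None})
            elif mode == "config-system-user" and cmd == f"{kind}-template":
                ctx = templates[kind].setdefault(arg, {"aaa": None, "level": None})
            elif ctx is None:
                continue
            elif mode.startswith("config-aaa-") and cmd == f"aaa-{kind}-type":
                ctx["type"] = arg
            elif (mode.startswith("config-system-user-auth") and len(words) == 3
                  and words[:2] == ["bind", f"aaa-{kind}-template"]):
                ctx["aaa"] = arg
            elif (mode == "config-system-user-username" and len(words) == 3
                  and words[:2] == ["bind", f"{kind}-template"]):
                ctx[kind] = arg
    return aaa, templates, users


def resolve(transcript):
    """Map each user to its effective AAA types and local privilege level."""
    aaa, templates, users = parse(transcript)
    report = {}
    for name, binds in users.items():
        row = {"level": None}
        for kind in KINDS:
            tmpl = templates[kind].get(binds[kind])
            target = aaa[kind].get(tmpl["aaa"]) if tmpl else None
            if binds[kind] is None:
                row[kind] = "UNBOUND"
            elif tmpl is None:
                row[kind] = f"DANGLING: {kind}-template {binds[kind]}"
            elif target is None or target["type"] is None:
                row[kind] = f"DANGLING: aaa-{kind}-template {tmpl['aaa']}"
            else:
                row[kind] = target["type"]
        author = templates["authorization"].get(binds["authorization"])
        if author:
            row["level"] = author["level"]
        report[name] = row
    return report


if __name__ == "__main__":
    for user, row in resolve(SAMPLE).items():
        print(user, row)
```

Resolution happens after the whole transcript is read, so a user that binds a template defined later in the same transcript still resolves.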

4.3.4 Configuring a Password Prompt Question for Resetting a Password

Configuration Description
As shown in Figure 4-4, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create an authentication user. Users of any authentication mode can configure password recovery information, but password recovery only takes effect for locally authenticated users.

Figure 4-4 Configuring a Password Prompt Question for Resetting a Password

Configuration Flow
1. Configure an authentication template.
2. Configure an authorization template.
3. Create a user.
4. Configure a password prompt question and an answer.
5. Log in for password recovery.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit

R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit

R1(config-system-user)#user-name who
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password who
R1(config-system-user-username)#password-recover-remind
password is:***
question: who are you
answer:who
R1(config-system-user-username)#

/*Log in to the R1 through Telnet. Use the password prompt question to reset the password.*/
R1#login
Username:recover-user who
question: who are you
answer:
/*The input answer is not displayed.*/
Please input your new password:
Re-enter New password:
The password has been changed successfully, please remember your new password!
Username:who
Password:
R1#

Note: If the input answer to the password prompt is correct, the password of user who is changed to the new password.

4.3.5 Configuring OAM Security Management

Configuration Description
As shown in Figure 4-5, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create an authentication user. To prevent user passwords from being cracked or stolen, the ZXR10 ZSR V2 supports setting password strength. A user who fails authentication consecutively is locked and forbidden to log in within a given period of time, so that the user cannot try to crack the password through repeated login attempts.

Figure 4-5 Configuring OAM Security Management

Configuration Flow
1. Configure password strength.
2. Create a user. The creation succeeds only if the password meets the strength requirements.
3. Configure an authentication template.
4. Configure an authorization template.
5. Configure the number of consecutive authentication failures and the locking period.
6. A user who fails authentication consecutively for the set number of times is locked.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#strong-password length 6 character special-character
/*Configures the minimum password length as 6 characters, and configures that a password should contain special characters.*/
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte123*
R1(config-system-user-username)#exit

R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-authen-restriction fail-time 3 lock-minute 2
/*Configures the number of consecutive user authentication failure times as 3, and configures the locking period as 2 min.*/
R1(config-system-user)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit

/*A user logs in to the R1 through Telnet. The user fails authentication consecutively for the set number of times, and is locked.*/
R1#login
Username:zte
Password:
% Local password error!

Username:zte
Password:
% Local password error!

Username:zte
Password:
% Local password error!
Still logged in as "who"
/*The original login user name is who.*/

R1#login
Username:zte
Password:
% User is locked

R1#show authen-restriction userinfo
Username   Failed-time   State    Remain (minute)
zte        3             locked   1

4.3.6 Configuring a Password Validity Period

Configuration Description
As shown in Figure 4-6, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create another user. By default, the password of this account never expires. You can set a validity period (90–360 days) for this account by running a configuration command, and test whether the validity period is effective by changing the system time.

Figure 4-6 Configuring a Password Validity Period

Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Set a password validity period.
5. Change the system time to test whether the validity period is effective.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#password-duration 90
/*Configures a password validity period.*/
R1(config-system-user-username)#exit
R1(config-system-user)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#end

Configuration Verification
R1#show username
Username  Encrypted-Password        AuthenNo.  AuthorNo.  AgingTime  Set-Time
zte       ce7c04930c52bfe1669f6c22  1          1          89         2012-6-28
          9ef61b761ec847e5b3052bdb
          51456385bb2a9a57

/*Change the system time, so that the password expires.*/
R1#show clock
17:37:48 UTC Thu Jun 28 2012
/*Current time.*/
R1#clock set 15:10:39 9-20-2013
/*Changes the system time, so that the password expires.*/
R1#show username
/*After the system time is changed, the command output displays that the password has expired.*/
Username  Encrypted-Password        AuthenNo.  AuthorNo.  AgingTime  Set-Time
zte       ce7c04930c52bfe1669f6c22  1          1          expired    2012-6-28
          9ef61b761ec847e5b3052bdb
          51456385bb2a9a57

R1#login
Username:zte
Password:
%User password expired
/*The password has expired. The user cannot log in to the R1.*/
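
Sections 4.3.5 and 4.3.6 introduce the strong-password, user-authen-restriction and password-duration commands. The following Python example is added here and is not part of the ZTE guide; it audits a command transcript for local users that miss those controls. The transcript is constructed, "special character" is assumed to mean any non-alphanumeric character, and only the strong-password options shown in 4.3.5 are parsed.

```python
import re

# Constructed transcript in the guide's prompt/command syntax (not a device capture).
# User "who" is created before the strong-password rule exists, so it was never checked.
SAMPLE = """\
R1(config)#system-user
R1(config-system-user)#user-name who
R1(config-system-user-username)#password who
R1(config-system-user-username)#exit
R1(config-system-user)#strong-password length 6 character special-character
R1(config-system-user)#user-authen-restriction fail-time 3 lock-minute 2
R1(config-system-user)#user-name zte
R1(config-system-user-username)#password zte123*
R1(config-system-user-username)#password-duration 90
R1(config-system-user-username)#exit
R1(config-system-user)#exit
"""

# "<host>(<mode>)#<command>" as printed in the guide's examples.
PROMPT = re.compile(r"^\S+?\(([\w-]+)\)#\s*(.*)$")


def int_after(words, key):
    """Return the integer that follows `key` in a command, or None."""
    if key in words[:-1]:
        value = words[words.index(key) + 1]
        if value.isdigit():
            return int(value)
    return None


def parse(transcript):
    """Collect the global password policy and the per-user settings."""
    policy = {"min_length": None, "special": False, "lockout": None}
    users, current = {}, None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m.group(2).split():
            continue
        mode, words = m.group(1), m.group(2).split()
        if mode == "config-system-user":
            if words[0] == "strong-password":
                policy["min_length"] = int_after(words, "length")
                policy["special"] = "special-character" in words
            elif words[0] == "user-authen-restriction":
                fails = int_after(words, "fail-time")
                minutes = int_after(words, "lock-minute")
                if fails is not None and minutes is not None:
                    policy["lockout"] = (fails, minutes)
            elif words[0] == "user-name" and len(words) == 2:
                current = users.setdefault(
                    words[1], {"password": None, "encrypted": False, "duration": 0})
        elif mode == "config-system-user-username" and current is not None:
            if words[0] == "password" and len(words) >= 2:
                current["encrypted"] = len(words) == 3 and words[1] == "encrypted"
                current["password"] = words[-1]
            elif words[0] == "password-duration" and len(words) == 2 and words[1].isdigit():
                current["duration"] = int(words[1])
    return policy, users


def audit(transcript):
    """Return sorted (subject, finding) pairs for the transcript."""
    policy, users = parse(transcript)
    findings = []
    if policy["min_length"] is None and not policy["special"]:
        findings.append(("global", "no strong-password rule in transcript"))
    if policy["lockout"] is None:
        findings.append(("global", "no user-authen-restriction in transcript"))
    for name, user in users.items():
        pw = user["password"]
        if pw is None:
            findings.append((name, "no password command in transcript"))
        elif user["encrypted"]:
            findings.append((name, "password is encrypted; strength not checkable offline"))
        else:
            if pw.lower() == name.lower():
                findings.append((name, "password equals user name"))
            if policy["min_length"] and len(pw) < policy["min_length"]:
                findings.append((name, f"password shorter than {policy['min_length']} characters"))
            if policy["special"] and pw.isalnum():  # assumption: special = non-alphanumeric
                findings.append((name, "password has no special character"))
        if user["duration"] == 0:  # per the guide, 0 or no setting means no expiry
            findings.append((name, "password never expires (no password-duration)"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE):
        print(f"{subject}: {finding}")
```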

4.3.7 Configuring First-Login Password Modification

Configuration Description
As shown in Figure 4-7, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create another user, and configures once-password (only valid for locally authenticated users). During the next login, the user can use the self-configured password. By default, a password consists of 3–32 characters.

Figure 4-7 Configuring First-Login Password Modification

Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Configure the first login password modification function.
5. During login, the user can set a password. The next time, the user can use the new password to successfully log in.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#once-password
/*Configures first-login password modification.*/
R1(config-system-user-username)#exit
R1(config-system-user)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#end

Configuration Verification
R1#login
Username:zte
Password:
Your password has expired. Enter a new one now.
New password:
/*Configure a new password, which is not displayed.*/
Re-enter new password:
/*Confirm the new password, which is not displayed.*/
The password has been changed successfully, Please remember your new password!

R1#login
Username:zte
Password:
/*Enter the new password*/
R1#
/*The user login is successful.*/

R1#who
  Line       User  Host(s)  Idle      Location
  66 vty 0   who   idle     00:01:17  169.1.1.13
* 67 vty 1   zte   idle     00:00:00  169.1.1.13
  68 vty 2   who   idle     00:00:00  169.1.1.10

4.3.8 Relations Between Raising Privilege Levels and the Enable Command

Configuration Description
In Figure 4-8, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet. The user enters configuration mode to create another user and give the user a privilege level. If the privilege level is too low, the enable command can be used to raise the level. The default "enable" authentication mode is "local", and the default password is "R1".

Figure 4-8 Configuring the Raising of a Privilege Level

Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Configure an "enable" password to raise the user's privilege level.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#tacacs enable
R1(config)#tacacs-server host 10.1.1.1 key zte
R1(config)#tacplus group-server ztegroup
R1(config-sg)#server 10.1.1.1
R1(config-sg)#exit

R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 5
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type tacacs-local
R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup
R1(config-aaa-authen-template)#exit

R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit

The following provides a global "enable" authentication configuration mode, which can be set to aaa mode or local mode. The aaa mode means using the "enable" password set by the server.
R1(config)#system-user
R1(config-system-user)#global-enable-type aaa authentication-template 1
/*Configures user's enable command authentication mode.*/
R1(config-system-user)#exit

There are two methods for configuring an "enable" password to raise user's privilege level to the highest level:
- In global configuration mode, run the enable secret level command. For details, refer to “Chapter 5 Command Privilege Level Classification”.
- In global configuration mode, run the nvram enable-password command. For details, refer to the Setting Configurations Kept in NVRAM section of the ZXR10 ZSR V2 Initial Configuration Guide.

You can configure the recovery function for a password configured in the NVRAM.
R1(config)#enable secret recover-remind
password:*****
question:zte
answer:zte
/*If you forget the local enable password, you can run the recover-enable command under privilege level 1 to restore the default password.*/
R1>recover-enable
question:zte
answer:***
%Info 40449: Recover-enable ok! New enable password is: zxr10.

Configuration Verification
Configure a corresponding enable password on the AAA server. After the user logs in normally and passes authentication, the user privilege level is raised.

Chapter 5 Command Privilege Level Classification

Table of Contents
Command Privilege Level Overview
Configuring Command Privilege
Command Privilege Level Configuration Example

5.1 Command Privilege Level Overview
The ZXR10 ZSR V2 supports the command privilege level function. Command privilege level management is used to configure command privileges. Users can run the privilege command to configure the privilege of a command. Command privilege levels range from level 1 to level 15. Different commands can be configured with different privilege levels. After a user logs in, a command view is displayed according to the user's privilege level. Therefore, the user cannot run commands whose privilege levels are higher than the user's level. Users with the highest level (that is, administrators with level 15) can set privilege levels for commands.

5.2 Configuring Command Privilege
This procedure describes how to configure command privileges.

Steps
1. Configure command privileges.

Command: ZXR10(config)#privilege [all] level {|default}
Function: Configures a command privilege level.

Command: ZXR10(config)#no privilege [all] node
Function: Restores the default command privilege level.

[all]: all commands beginning with this keyword.
level : privilege level, range: 1–15
default: default command privilege level.
: command keywords, range: 1–200 characters.

2. Verify the configurations.

Command: ZXR10#show privilege [{cur-mode | show-mode}{detail | level < level>| node }]
Function: Displays the privilege level of the current terminal or command privilege configurations.

cur-mode : displays privilege level information in the current command mode.
show-mode: displays privilege level information in show mode.
detail: displays privilege levels of all commands.
level : displays the commands of the specified privilege level, range: 1–18.
: the privilege level of the specified command, range: 1–200 characters.

In user mode, the show privilege command has no parameter. It is used to display the privilege level of the current terminal.

– End of Steps –

5.3 Command Privilege Level Configuration Example

Configuration Description
It is required to configure different privilege levels for two types of users who operate the ZXR10 ZSR V2. The privilege level of Type A users is 15, and these users can do all operations, such as view and configuration. The privilege level of Type B users is 5. They need to use the show clock command to view the system clock. It is also required to allow Type B users to raise their own privilege level to level 8 by running the enable command, so that they can set the time zone.

Configuration Flow
1. Change the privilege level of the show clock command to 5 or lower than 5. In this example, this privilege level is set to 5.
2. Change the privilege level of the clock timezone command to 8, or lower than 8 but higher than 5. In this example, this privilege level is set to 7.
3. Create a type A user named ZTE_A and a type B user named ZTE_B. ZTE_A's privilege level is 15, and ZTE_B's privilege level is 5.
4. Configure the "enable" password that is used to raise user's privilege level to level 8.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
ZXR10(config)#privilege show all level 5 show clock
/*Configures the privilege level of the show clock command.*/

ZXR10(config)#privilege configure level 7 clock
ZXR10(config)#privilege configure level 7 clock timezone
/*Configures the privilege level of the clock timezone command.*/

ZXR10(config)#system-user
ZXR10(config-system-user)#authentication-template 1
ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2001
ZXR10(config-system-user-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 1
ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2001
ZXR10(config-system-user-author-temp)#local-privilege-level 15
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#user-name ZTE_A
ZXR10(config-system-user-username)#bind authentication-template 1
ZXR10(config-system-user-username)#bind authorization-template 1
ZXR10(config-system-user-username)#password ZTE_A_15
ZXR10(config-system-user-username)#exit
/*Create ZTE_A and configure the user's authorization level.*/

ZXR10(config-system-user)#authentication-template 2
ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2002
ZXR10(config-system-user-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 2
ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2002
ZXR10(config-system-user-author-temp)#local-privilege-level 5
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#user-name ZTE_B
ZXR10(config-system-user-username)#bind authentication-template 2
ZXR10(config-system-user-username)#bind authorization-template 2
ZXR10(config-system-user-username)#password ZTE_B_5
ZXR10(config-system-user-username)#exit
ZXR10(config-system-user)#exit
/*Create ZTE_B and configure the user's authorization level.*/

ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local
ZXR10(config-aaa-author-template)#exit
/*Configure the authentication and authorization templates of ZTE_A*/

ZXR10(config)#aaa-authentication-template 2002
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2002
ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local
ZXR10(config-aaa-author-template)#exit
/*Configure the authentication and authorization templates of ZTE_B*/

ZXR10(config)#enable secret level 8 level-8
/*Configure the password of the level-8 user login privilege.*/

Configuration Verification
Run the following commands to view ZTE_A's privilege level. The execution result is displayed as follows:
Username:ZTE_A
Password:
ZXR10#show privilege
Current privilege level is 15
/*Indicates that ZTE_A's privilege level is 15.*/

Exec commands:
  alarm-confirm  Confirm the alarm by flowid
  cd             Change current directory
  cfm            Executing CFM detecting functions
  clear          Reset functions
  clock          Manage the system clock
  commit         Commit the configuration
  configure      Enter configuration mode
  copy           Copy from one file to another by ftp/tftp
  cp             Copy from one file to another locally
  debug          Debugging functions
  delete         Delete a file
--More--

ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
/*Displays the commands that can be used by ZTE_A in global configuration mode.*/
Configure commands:
  aaa-accounting-template      AAA accounting template configurations
  aaa-authentication-template  AAA authentication template configurations
  aaa-authorization-template   AAA authorization template configurations
  alarm                        Configure the alarm parameters
  alarm-mask                   Configure the alarm-mask parameters
  aps                          Configure APS instance
  arp                          Enter ARP configuration mode
  banner                       Terminal line banner
  bfd                          Configure bfd
  cfm                          Enter CFM configuration mode
  check                        Configure intervals of check
  class-map                    Configure H-QoS class map
  clock                        Configure board clock
--More--

Run the following commands to view ZTE_B's privilege level. The execution result is displayed as follows:

Username:ZTE_B
Password:
ZXR10#show privilege
Current privilege level is 5
/*Indicates that ZTE_B's privilege level is 5.*/
ZXR10#?
/*Displays the commands that can be used by ZTE_B in privilege configuration mode.*/
Exec commands:
  cd         Change current directory
  cfm        Executing CFM detecting functions
  clock      Manage the system clock
  configure  Enter configuration mode
  debug      Debugging functions
  dir        List files on a filesystem
  disable    Turn off privileged commands
  enable     Turn on privileged commands
  exit       Exit from the EXEC
 --More--

ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
/*Displays the commands that can be used by ZTE_B in global configuration mode.*/
Configure commands:
  end     Exit from configure mode
  exit    Exit from configure mode
  ping    Send echo messages
  ping6   Send IPv6 echo messages
  show    Show running system information
  trace   Trace route to destination
  trace6  Trace route to destination using IPv6
ZXR10(config)#
ZXR10(config)#show ?
  clock      Show current system clock
  privilege  Show current privilege level

Raise ZTE_B's privilege level to level 8, as shown below:

Username:ZTE_B
Password:
ZXR10#show privilege
Current privilege level is 5
/*Indicates that the privilege level of ZTE_B is 5.*/
ZXR10#enable 8
Password:
ZXR10#show privilege
Current privilege level is 8
/*Indicates that the privilege level of ZTE_B has been raised to 8.*/
ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
Configure commands:
  clock   Configure board clock
  /*Indicates that the clock command has been added to the commands that ZTE_B can use.*/
  end     Exit from configure mode
  exit    Exit from configure mode
  ping    Send echo messages
  ping6   Send IPv6 echo messages
  show    Show running system information
  trace   Trace route to destination
  trace6  Trace route to destination using IPv6
ZXR10(config)#clock ?
  timezone  Configure time zone

View the configurations on the ZXR10 ZSR V2, as shown below:

ZXR10#enable
/*Raises the user's privilege level to the default level, level 15.*/
Password:
/*The input password is not displayed.*/
ZXR10#show running-config adm-mgr
!
enable secret level 8 5 52ZJX4aBmmYKbWdVFpSvwg==
system-user
  authentication-template 1
    bind aaa-authentication-template 2001
  $
  authentication-template 2
    bind aaa-authentication-template 2002
  $
  authorization-template 1
    bind aaa-authorization-template 2001
    local-privilege-level 15
  $
  authorization-template 2
    bind aaa-authorization-template 2002
    local-privilege-level 5
  $
  username ZTE_A
    bind authentication-template 1
    bind authorization-template 1
    password encrypted 51213031a28daa4a18e939b9cc837320 43f467d88315721af066dc4f1c385a28
  $
  username ZTE_B
    bind authentication-template 2
    bind authorization-template 2
    password encrypted a5e686cd3e6778917691bb099a4da1d7 9768a6b9752b942fe5b431ec3fff8468
  $
$
!
ZXR10#show running-config aaa
!
aaa-authentication-template 2001
  aaa-authentication-type local
$
aaa-authentication-template 2002
  aaa-authentication-type local
$
aaa-authorization-template 2001
  aaa-authorization-type radius-local
$
aaa-authorization-template 2002
  aaa-authorization-type radius-local
$
!
ZXR10#show running-config oam
!
privilege show all level 5 show clock
privilege configure level 7 clock
privilege configure level 7 clock timezone
!


Chapter 6

SNMP Configuration

Table of Contents
SNMP Basic Configuration
SNMP Anti-Violence Attack

6.1 SNMP Basic Configuration

6.1.1 SNMP Overview

The Simple Network Management Protocol (SNMP) is the most popular Network Management System (NMS) protocol, and belongs to the application layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack. The SNMP module is at the highest layer of the router system. Administrators use SNMP as a main way to operate, control and maintain the router. To perform network management, users use NMS software to send and receive SNMP packets between the managed network elements and the management station.

The basic process of SNMP network management is as follows:

1. A unique ID (OID) is allocated to each object to be managed in the router. The allocation of OIDs is determined in a unified way by the Request For Comments (RFC).
2. When users need to read or modify the value of an object, the object OID and operation type (read or write) are sent to the router as an SNMP request packet.
3. The SNMP agent in the router finds the object data according to the OID, performs the corresponding operations, and then sends the result as an SNMP response packet to the user.

By default, SNMP uses UDP as the transmission protocol.

6.1.2 Configuring SNMP

This procedure describes how to configure SNMP during equipment management by using SNMP.

Steps

1. Enable SNMP V1, V2c, and V3.

   Command: ZXR10(config)#snmp-server version {v1 | v2c | v3} enable
   Function: Enables SNMP V1, V2, and V3 for receiving packets from and sending packets to clients. There are two states: enable and disable. Default: disable.

2. Configure an SNMP packet community.

   Command: ZXR10(config)#snmp-server community {encrypted |[showclear]}[view ][{ro | rw}][{[ipv4-access-list ],[ipv6-access-list ]}]
   Function: Configures an SNMP packet community string.

   : cipher text community string, 64 characters.
   : clear text community string, range: 1–32 characters.
   showclear: If this parameter is configured, the community string is displayed in clear text. If not, the community string is displayed in cipher text.
   : view name, range: 1–32 characters.
   ro | rw: The ro parameter indicates only reading a MIB object. The rw parameter indicates reading and writing a MIB object.

3. Define an SNMP view.

   Command: ZXR10(config)#snmp-server view {included | excluded}

   : specifies the MIB sub-tree ID or node name of the MIB sub-tree for the view name. Range: 1–79 characters.
   included | excluded: The sub-tree is included or excluded.

4. Set MIB object information.

   Command: ZXR10(config)#contact
   Function: Configures the contact method of the person who is in charge of the MIB object. Range: not longer than 200 characters.

   Command: ZXR10(config)#location
   Function: Configures the description of the MIB object system location. Range: not longer than 200 characters.


5. Set the types of Trap and Inform messages that are allowed to be sent.

   Command: ZXR10(config)#snmp-server enable inform []
   Function: Enables the agent to send notifications and sets the types of notifications to be sent. The notification types can be all or one of the bgp, ospf, rmon, snmp, stalarm and vpn types.

   Command: ZXR10(config)#snmp-server enable Trap []
   Function: Enables the agent to send Trap messages and sets the types of Trap messages to be sent. The Trap message types can be all or one of the bgp, ospf, rmon, snmp, stalarm and vpn types.

6. Set the Trap destination host.

   Command: ZXR10(config)#snmp-server host [ vrf ]{Trap | inform} version {1 | 2c | 3 {auth | noauth | priv}}[udp-port ][]
   Function: Configures the destination for receiving SNMP notifications. The snmp-server host command needs to be used together with the snmp-server enable command.

   vrf : VRF name, range: 1–31 characters.
   : defines the IP address of a host. IPv4 and IPv6 are supported.
   Trap | inform: specifies sending Trap messages or notifications to a host.
   version 1 | 2c | 3 : the SNMP version (v1, v2c, or v3).
   auth: The packets to be sent are authenticated but not encrypted.
   noauth: The packets to be sent are not authenticated or encrypted.
   priv: The packets to be sent are authenticated and encrypted.
   : community name string of SNMP v1/v2 or SNMPv3 user name, range: 1–32 characters.
   udp-port : number of the UDP port for sending Trap or inform messages, range: 1–65535.
   : Trap or Inform type. The Trap type can be all or one of the bgp, ospf, rmon, snmp, stalarm and vpn types.

7. Enable the system log function.

   Command: ZXR10(config)#logging on
   Function: Enables the system log function.

8. Set the level of the alarm message sent to the Trap server.

   Command: ZXR10(config)#logging Trap-enable
   Function: Sets the level of the alarm message sent to the Trap server.

9. Configure other SNMP parameters.

   Command: ZXR10(config)#snmp-server engine-id
   Function: Configures the SNMP local engine ID. Hexadecimal number, range: 1–24 characters, default: 830900020300010289d64401. As the core part of an SNMP entity, the SNMP engine sends, receives and validates SNMP messages, extracts Packet Data Unit (PDU) assembly messages, and communicates with SNMP application programs.

   Command: ZXR10(config)#snmp-server input-limit
   Function: Sets the SNMP packet receiving speed. Range: 100–1000, default: 200 pps.

   Command: ZXR10(config)#snmp-server packetsize
   Function: Configures the maximum length of SNMP packets. Unit: byte, range: 484–8192, default: 8192.

   Command: ZXR10(config)#snmp-server Trap-source
   Function: Configures the source IP address of all Traps.

   Command: ZXR10(config)#snmp-server access-list {ipv4| ipv6}
   Function: (ACL) to control the hosts that can access the system through SNMP.

10. Configure SNMPv3.

   Step 1
   Command: ZXR10(config)#snmp-server context
   Function: Defines the SNMPv3 context name. Range: 1–16 characters.

   Step 2
   Command: ZXR10(config)#snmp-server group v3 {auth | noauth|priv}[context {match-prefix | match-exact}][read ][write ][notify ]
   Function: Configures a new SNMP group (mapping SNMP users to SNMP views).

   Step 3
   Command: ZXR10(config)#snmp-server user v3 {encrypted auth {md5 | sha}[priv des56 |]|[auth {md5 | sha}||[priv des56 |]]}

   group : name of the SNMP group to be configured, range: 1–32 characters.
   v3: specifies that the group is to be used in SNMPv3.
   auth: specifies that packets are to be authenticated, but not encrypted.
   noauth: specifies that packets are not to be authenticated or encrypted.
   priv: specifies that packets are to be authenticated and encrypted.
   : context of the group, range: 1–30 characters.
   match-prefix: defines the context matching mode as prefix mode.
   match-exact: defines the context matching mode as exact mode.
   read : read view, range: 1–30 characters.
   write : write view, range: 1–30 characters.
   notify : notify view, range: 1–30 characters.
   user : SNMP user name, range: 1–32 characters.
   : group name related to user, range: 1–32 characters.
   v3: specifies that the user uses SNMPv3.
   encrypted: specifies that the password to be entered is not clear text but cipher text. It is not recommended to use this option.
   auth : specifies that the user has the authentication privilege.
   md5 | sha: uses Hashed Message Authentication Code with MD5 (HMAC-MD5)–96 as the authentication mode, or uses HMAC-SHA-96 as the authentication mode.
   : authentication password or authentication key, range: 1–30 characters. If it is an encrypted password, its range is 32–40 characters.
   des56: uses CBC-DES as the encryption mode.
   : cipher text encryption password, range: 1–32 characters.
   : authentication password (or authentication key), range: 1–31 characters. If it is an encrypted password, its range is 32–40 characters.
   : clear text encryption password, range: 1–32 characters.

11. Verify the configurations.

   Command: ZXR10#show snmp
   Function: Displays SNMP state attributes.

   Command: ZXR10#show snmp config
   Function: Displays the configurable SNMP state attributes.

   Command: ZXR10#show snmp engine-id
   Function: Displays the local SNMP engine ID.

   Command: ZXR10#show snmp group
   Function: Displays the configured SNMP groups.

   Command: ZXR10#show snmp security
   Function: Displays the configurations of SNMP security.

   Command: ZXR10#show snmp security failures
   Function: Displays the IP addresses and number of times of wrong community login attempts in SNMP detection mode.

   Command: ZXR10#show snmp security trust-users
   Function: Displays the trusted users learned by SNMP dynamically and configured manually.

   Command: ZXR10#show snmp user
   Function: Displays the information on configured SNMP users.

   Command: ZXR10#show running-config snmp [|{begin | exclude | include}]
   Function: Displays the configurations of SNMP.

– End of Steps –

6.1.3 SNMP Configuration Example

Configuration Description

By configuring the SNMP function, a user can use a network management server to manage the devices in the network, see Figure 6-1.

Figure 6-1 SNMP Configuration Example Topology

Configuration Flow

1. Configure an SNMP packet community string. SNMPv1/v2c uses community string authentication mode. An SNMP community string is named with a character string, and has an access privilege (read-only or read-write).
2. Designate a view name to the configured community string. If the view parameter is not configured, the default view is designated to the community string. If the ro | rw parameter is not configured, the default privilege (ro) is designated to the community string. Users can only perform operations in the permitted view range, whether ro or rw is specified.
3. Configure alarm Trap. Configure the types of Trap messages to be sent and the destination host. Trap messages are actively sent by managed devices to the NMS. They are used to report urgent and important events. By default, all types of Trap messages are sent.

Configuration Commands

Run the following commands on the ZXR10 ZSR V2:

R1(config)#snmp-server version v2c enable
R1(config)#location No.68 Zijinghua Rd. Yuhuatai District, Nanjing, China
R1(config)#contact +86-25-52870000
R1(config)#snmp-server packetsize 1400
R1(config)#snmp-server engine-id 830900020300010289d64401
R1(config)#snmp-server community public view AllView ro
R1(config)#snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp
R1(config)#snmp-server host 61.139.48.18 Trap version 2c public udp-port 162
R1(config)#snmp-server enable Trap
R1(config)#snmp-server enable inform
R1(config)#logging on
R1(config)#logging Trap-enable warnings

Configuration Verification

Run the show command to check the configurations. The execution result is displayed as follows.

R1(config)#show snmp config
snmp-server community encrypted d6ddeaa4dab74523b246fe346c94c31ae58b79ad4776396438ea1e9bb01a9ef3 view AllView ro
snmp-server enable inform snmp
snmp-server enable inform bgp
snmp-server enable inform mac
snmp-server enable inform ospf
snmp-server enable inform stp
snmp-server enable inform ppp
snmp-server enable inform arp
snmp-server enable inform rmon
snmp-server enable inform udld
snmp-server enable inform cfm
snmp-server enable inform efm
snmp-server enable inform lacp
snmp-server enable inform mc-elam
snmp-server enable inform tcp
snmp-server enable inform sctp
snmp-server enable inform stalarm
snmp-server enable inform cps
snmp-server enable inform interface
snmp-server enable inform acl
snmp-server enable inform fib
snmp-server enable inform pim
snmp-server enable inform isis
snmp-server enable inform rip
snmp-server enable inform msdp
snmp-server enable inform aps
snmp-server enable inform config
snmp-server enable inform am
snmp-server enable inform um
snmp-server enable inform system
snmp-server enable inform ldp
snmp-server enable inform pwe3
snmp-server enable inform vpn
snmp-server enable inform mpls-oam
snmp-server enable inform ptp
snmp-server enable inform tunnel-te
snmp-server enable inform radius
snmp-server enable inform dhcp
snmp-server enable inform bfd
snmp-server enable inform ippool
snmp-server enable inform ntp
snmp-server enable inform ssm
snmp-server enable inform sqa
snmp-server enable inform ipsec
snmp-server enable inform cgn
snmp-server enable inform vrrp
snmp-server enable inform ftp_tftp
snmp-server enable inform ping-trace
snmp-server enable inform gm
snmp-server enable Trap snmp
snmp-server enable Trap bgp
snmp-server enable Trap mac
snmp-server enable Trap ospf
snmp-server enable Trap stp
snmp-server enable Trap ppp
snmp-server enable Trap arp
snmp-server enable Trap rmon
snmp-server enable Trap udld
snmp-server enable Trap cfm
snmp-server enable Trap efm
snmp-server enable Trap lacp
snmp-server enable Trap mc-elam
snmp-server enable Trap tcp
snmp-server enable Trap sctp
snmp-server enable Trap stalarm
snmp-server enable Trap cps
snmp-server enable Trap interface
snmp-server enable Trap acl
snmp-server enable Trap fib
snmp-server enable Trap pim
snmp-server enable Trap isis
snmp-server enable Trap rip
snmp-server enable Trap msdp
snmp-server enable Trap aps
snmp-server enable Trap config
snmp-server enable Trap am
snmp-server enable Trap um
snmp-server enable Trap system
snmp-server enable Trap ldp
snmp-server enable Trap pwe3
snmp-server enable Trap vpn
snmp-server enable Trap mpls-oam
snmp-server enable Trap ptp
snmp-server enable Trap tunnel-te
snmp-server enable Trap radius
snmp-server enable Trap dhcp
snmp-server enable Trap bfd
snmp-server enable Trap ippool
snmp-server enable Trap ntp
snmp-server enable Trap ssm
snmp-server enable Trap sqa
snmp-server enable Trap ipsec
snmp-server enable Trap cgn
snmp-server enable Trap vrrp
snmp-server enable Trap ftp_tftp
snmp-server enable Trap ping-trace
snmp-server enable Trap gm
snmp-server engine-id is 830900020300010289d64401
snmp-server host 61.139.48.18 Trap version 2c public udp-port 162 snmp bgp mac ospf stp ppp arp rmon udld cfm efm lacp mc-elam tcp sctp stalarm cps interface acl fib pim isis rip msdp aps config am um system ldp pwe3 vpn mpls-oam ptp tunnel-te radius dhcp bfd ippool ntp ssm sqa ipsec cgn vrrp ftp_tftp ping-trace gm
snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp
snmp-server packetsize is 1400
snmp-server security dynamic-trust-user idle-timeout 1800
snmp-server view AllView internet included
snmp-server view DefaultView system included
snmp-server version v2c enable
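The following Python audit is an added example, not part of the ZTE guide. It reads snmp-server lines such as those in the configuration example above and flags the settings a reviewer would question: v1/v2c enabled, a widely guessed community name, no ACL, and the anti-brute-force function left at its default (disabled). The finding names, the rule set and the function name are this example's own, and both samples are constructed (the first from the commands shown in this section).

```python
import re

WELL_KNOWN = {"public", "private"}  # community names that are widely guessed first

# Constructed sample: the clear-text commands from the configuration example above.
SAMPLE_WEAK = """\
R1(config)#snmp-server version v2c enable
R1(config)#snmp-server community public view AllView ro
R1(config)#snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp
R1(config)#snmp-server host 61.139.48.18 Trap version 2c public udp-port 162
"""

# Constructed sample: NMS-ONLY, nms-user and 192.0.2.10 are placeholders, and the
# position of the ACL name after "ipv4" is an assumption.
SAMPLE_HARDENED = """\
snmp-server version v3 enable
snmp-server access-list ipv4 NMS-ONLY
snmp-server host 192.0.2.10 Trap version 3 priv nms-user udp-port 162
snmp-server security block 180 3 180 when 50 60
"""


def audit_snmp_config(text):
    """Return sorted (finding_id, detail) pairs for ZXR10-style snmp-server lines."""
    # Drop a leading CLI prompt such as "R1(config)#" and keep only snmp-server lines.
    lines = [re.sub(r"^\S*\(config\)#", "", ln.strip()) for ln in text.splitlines()]
    lines = [ln for ln in lines if ln.startswith("snmp-server ")]
    findings = set()
    global_acl = any(ln.startswith("snmp-server access-list ") for ln in lines)
    # The guide states that the security (block/quiet) function is disabled by default.
    if not any(ln.startswith("snmp-server security block ") for ln in lines):
        findings.add(("NO_BRUTE_FORCE_BLOCK", "snmp-server security block not configured"))
    for ln in lines:
        tok = ln.split()
        kind, rest = tok[1], tok[2:]
        if kind == "version" and rest[-1:] == ["enable"] and rest[0] in ("v1", "v2c"):
            # v1/v2c carry the community string in clear text.
            findings.add(("CLEARTEXT_VERSION", rest[0] + " enabled"))
        elif kind == "community" and rest:
            encrypted = rest[0] == "encrypted"
            name = rest[1] if encrypted and len(rest) > 1 else rest[0]
            if not encrypted and name.lower() in WELL_KNOWN:
                findings.add(("DEFAULT_COMMUNITY", name))
            if "rw" in rest[1:]:
                findings.add(("WRITE_COMMUNITY", "read-write community configured"))
            per_line_acl = {"ipv4-access-list", "ipv6-access-list"} & set(rest)
            if not per_line_acl and not global_acl:
                findings.add(("COMMUNITY_NO_ACL", "community not restricted by any ACL"))
        elif kind == "host" and "version" in rest:
            host = rest[2] if rest[0] == "vrf" and len(rest) > 2 else rest[0]
            after = rest[rest.index("version") + 1:]
            if not after:
                continue
            if after[0] in ("1", "2c"):
                findings.add(("CLEARTEXT_NOTIFY", host + " version " + after[0]))
                if len(after) > 1 and after[1].lower() in WELL_KNOWN:
                    findings.add(("DEFAULT_COMMUNITY", after[1]))
            elif after[0] == "3" and after[1:2] == ["noauth"]:
                findings.add(("V3_NOAUTH_NOTIFY", host))
            elif after[0] == "3" and after[1:2] == ["auth"]:
                findings.add(("V3_NO_PRIVACY_NOTIFY", host))
    return sorted(findings)


if __name__ == "__main__":
    for finding_id, detail in audit_snmp_config(SAMPLE_WEAK):
        print(finding_id, "-", detail)
```

Feeding it the `show snmp config` output instead of the typed commands still reports the v2c and notification-host findings; the community line is then shown as cipher text, so the name check applies only to the host lines.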

6.2 SNMP Anti-Violence Attack

6.2.1 SNMP Anti–Brute Force Attack Overview

SNMP Anti–Brute Force Attack Description

A brute force attack means generating huge numbers of passwords with code generation software and trying each one. As long as there are enough chances and the password has no protection, even the most complicated key can be broken. The security policy defined in SNMP v1 and SNMP v2 is simple: community strings, which act as passwords between SNMP management processes and agent processes, are transferred in clear text. These passwords can be cracked by attackers using brute force attacks. The SNMP anti–brute force attack function is used to prevent DoS attacks and brute force attacks.

SNMP Anti–Brute Force Attack Features

The SNMP anti–brute force attack function introduces two concepts: block and quiet mode. If the detection policy is enabled, the router can reject all SNMP requests in block mode when it finds repeated SNMP community string attempt failures. The block state lasts for a period known as the "quiet period".

- To ensure that trusted users can access the ZXR10 ZSR V2 normally, the SNMP security function supports dynamically learning and manually configuring trusted users. In quiet mode, the ZXR10 ZSR V2 only handles requests from trusted users (if an ACL is configured in advance, the requests still need to be filtered through the ACL first).
- Dynamically-learned trusted users are users who have accessed the ZXR10 ZSR V2 and are automatically recorded by it. If these users do not access the ZXR10 ZSR V2 again before the set period (ageing time) expires, they are aged by the device. Dynamically-learned trusted users can also be manually cleared. Users can configure the ageing time, which is 1800 s by default.
- In practical applications, some network management user addresses that can be used to access the device are fixed. These users are reliable and do not need automatic ageing. To meet this requirement, the ZXR10 ZSR V2 allows users to manually configure trusted users who are not aged, but they can be cleared by running the no command.
- To tolerate users who unintentionally enter wrong passwords, the ZXR10 ZSR V2 supports configuring the condition for enabling monitoring. For example, monitoring will be enabled only when the number of input failure times reaches 20 in one minute. By default, monitoring will be enabled only when the number of input failure times reaches 50 in one minute. Failure counting does not distinguish between IP addresses.
- In the monitoring period, the total number of failures is counted (IP addresses are not distinguished). If the number of times exceeds the limit, the ZXR10 ZSR V2 enters quiet mode.

In any state, when community string attempts fail, logs and self-defined Trap messages are generated by default. A Trap message that is sent includes the following information: error community string information, source IP, and current state of SNMP (normal/monitoring/quiet). When a device state is switched, a system log and Trap alarm are automatically generated. This function can be disabled by running a command. SNMP security state switching is shown in Figure 6-2.

Figure 6-2 State Switching Diagram

6.2.2 Configuring SNMP Anti–Brute Force Attack

This procedure describes how to configure the SNMP anti-brute force attack function.

Steps

1. Activate the SNMP security function.

   Command: ZXR10(config)#snmp-server security block < detect-seconds>[when ]
   Function: is disabled by default. This command is used to activate this function.

   block : block time (length of the quiet period), unit: second, range: 1–65535.
   < detect-tries>: maximum number of times of failed attempts in monitoring mode, range: 1–65535.
   < detect-seconds>: maximum detection time in monitoring mode, unit: second, range: 1–65535.
   : maximum number of times of failed attempts in normal mode, range: 1–65535, default: 50.
   : maximum detection time in normal mode, unit: second, range: 1–65535, default: 60.

2. Configure the ACL for controlling hosts that access the system through SNMP.

   Command: ZXR10(config)#snmp-server access-list { ipv4| ipv6}
   Function: Uses a configured ACL to control hosts that access the system through SNMP.

3. Configure the ageing time of dynamic trusted users and configure static trusted users.

   Step 1
   Command: ZXR10(config)#snmp-server security dynamic-trust-user idle-timeout
   Function: Configures the ageing time of dynamic trusted users. Range: 1–65535, default: 1800 s.

   Step 2
   Command: ZXR10(config)#snmp-server security static-trust-user
   Function: Configures static trusted users that are configured manually.

4. Configure the generation of logs and Trap messages when community string attempts fail or a state is switched.

   Command: ZXR10(config)#snmp-server security on-failure log [and Trap]
   Function: Configures the generation of logs and Trap messages when community string attempts fail or a state is switched.

5. Verify the configurations.

   Command: ZXR10#show snmp security [failures | trust-users]
   Function: Displays SNMP security function parameters. This command displays the SNMP security state, configuration information, current state information and statistics information in natural language format.

   Command: ZXR10#show running-config snmp [|{begin | exclude | include}]
   Function: Displays SNMP configurations.

   failures: optional. If this parameter is selected, the command is used to display detailed information on failed attempts.
   trust-users: optional. If this parameter is selected, the command is used to display detailed information on trusted users, including dynamically learned and manually configured users.
   begin: is used to display the configurations that begin with the input string line.
   include: is used to display the configurations that include the string line.
   exclude: is used to display the configurations that exclude the string line.
   : is used to match the filtered string line.

6. Maintain the SNMP anti–brute force attack function.

   Command: ZXR10(config)#snmp-server security dynamic-trust-user clear
   Function: Clears dynamic trusted users manually.

– End of Steps –

6.2.3 SNMP Anti–Brute Force Attack Configuration Example

It is required to configure the SNMP anti–brute force attack function on the ZXR10 ZSR V2, see Figure 6-3.

Figure 6-3 SNMP Anti–Brute Force Attack Configuration Example

Configuration Flow

1. Enable the SNMP anti–brute force attack function.
2. Configure the ageing time for dynamic trusted users.
3. Configure static trusted users that are allowed to access the system.
4. Configure a Trap message and log that is generated when user attempts fail and a state is switched.

Configuration Command

Run the following commands on the ZXR10 ZSR V2:

R1(config)#snmp-server security block 180 3 180 when 50 60
R1(config)#snmp-server security dynamic-trust-user idle-timeout 100
R1(config)#snmp-server security static-trust-user 169.1.110.6
R1(config)#snmp-server security on-failure log and Trap

Configuration Verification

Run the following command to check SNMP configurations. The execution result is displayed as follows.

R1(config)#show running-config snmp
!
snmp-server security block 180 3 180 when 50 60
snmp-server security dynamic-trust-user idle-timeout 100
snmp-server security on-failure log and Trap
snmp-server security static-trust-user 169.1.110.6
!
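The following Python model is an added example, not ZTE code. It replays the normal/monitoring/quiet behaviour described in 6.2.1 with the values configured above (block 180 3 180 when 50 60, idle-timeout 100, static trusted user 169.1.110.6), so the effect of each parameter can be checked before deployment. Assumptions: the device returns to normal when the quiet period or the monitoring window ends, counting windows are modelled as fixed windows, ACL filtering is not modelled, and the names SnmpGuard and replay and every address other than 169.1.110.6 are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class SnmpGuard:
    block_s: int = 180        # length of the quiet period
    detect_tries: int = 3     # failure limit in monitoring mode
    detect_s: int = 180       # detection time in monitoring mode
    when_tries: int = 50      # failures in normal mode that start monitoring
    when_s: int = 60          # counting window in normal mode
    idle_timeout: int = 100   # ageing time of dynamic trusted users
    static_trust: frozenset = frozenset({"169.1.110.6"})
    state: str = "normal"
    since: float = 0.0        # start of the current window or quiet period
    fails: int = 0            # failures counted in the current window (all sources)
    dynamic: dict = field(default_factory=dict)   # source -> time of last good access
    events: list = field(default_factory=list)    # (time, old state, new state)

    def _switch(self, t, new_state):
        # Every state change is recorded; on the device this is a log and a Trap.
        self.events.append((t, self.state, new_state))
        self.state, self.since, self.fails = new_state, t, 0

    def _trusted(self, t, src):
        if src in self.static_trust:          # static trusted users are never aged
            return True
        last = self.dynamic.get(src)
        if last is not None and t - last > self.idle_timeout:
            del self.dynamic[src]             # aged out after the idle timeout
            return False
        return last is not None

    def _expire(self, t):
        if self.state == "quiet" and t - self.since >= self.block_s:
            self._switch(t, "normal")         # assumption: quiet period over
        elif self.state == "monitoring" and t - self.since >= self.detect_s:
            self._switch(t, "normal")         # assumption: limit not exceeded in time
        elif self.state == "normal" and t - self.since >= self.when_s:
            self.since, self.fails = t, 0     # start a new counting window

    def handle(self, t, src, community_ok):
        """Process one SNMP request and return 'served', 'auth-fail' or 'rejected'."""
        self._expire(t)
        if self.state == "quiet" and not self._trusted(t, src):
            return "rejected"                 # only trusted users are handled
        if community_ok:
            if src not in self.static_trust:
                self.dynamic[src] = t         # learn or refresh a dynamic trusted user
            return "served"
        self.fails += 1                       # source addresses are not distinguished
        if self.state == "normal" and self.fails >= self.when_tries:
            self._switch(t, "monitoring")
        elif self.state == "monitoring" and self.fails > self.detect_tries:
            self._switch(t, "quiet")
        return "auth-fail"


def replay():
    """Replay a constructed request sequence and return (results, state changes)."""
    guard, out = SnmpGuard(), []
    out.append(guard.handle(0, "10.0.0.5", True))       # NMS poll, learned as trusted
    for i in range(50):                                 # 50 wrong strings in 25 s
        guard.handle(1 + i * 0.5, "203.0.113.9", False)
    for i in range(4):                                  # 4 more: exceeds the limit of 3
        guard.handle(30 + i, "203.0.113.9", False)
    out.append(guard.handle(40, "203.0.113.9", True))   # correct string, still rejected
    out.append(guard.handle(41, "10.0.0.5", True))      # dynamic trusted user
    out.append(guard.handle(42, "169.1.110.6", True))   # static trusted user
    out.append(guard.handle(160, "10.0.0.5", True))     # idle for 119 s: aged out
    out.append(guard.handle(214, "10.0.0.5", True))     # quiet period has ended
    return out, guard.events


if __name__ == "__main__":
    results, changes = replay()
    print(results)
    print(changes)
```

With idle-timeout set to 100 s, shorter than the 180 s block time, a polling station that was only learned dynamically can age out in the middle of a quiet period and be locked out until it ends; the static trusted user is unaffected.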


Chapter 7

Alarm Management Configuration

Table of Contents
Alarm Overview
Configuring the Alarm Function
Alarm Function Configuration Example

7.1 Alarm Overview

The alarm module runs an alarm agent process on each line card and an alarm server process on the main control board. When hardware or a program runs improperly, the service application reports the alarm to its alarm agent. The alarm agents then report the alarm messages to the alarm server, which records them for back-end querying. The main control board also has an alarm agent to process the alarm events that occur on the board itself. According to the configuration, the alarm server selectively reports alarm messages to the log module, terminal, SNMP and SYSLOG.

The messages processed by the alarm module include ordinary alarms and notifications.

- An ordinary alarm is recoverable. An alarm that has been reported but has not yet recovered is called a current alarm. An alarm that has been reported and has already recovered is called a history alarm.
- A notification only reports that an event has happened, so there are no current or history notifications.

On ZXR10 ZSR V2, you can configure the following alarms:

- CPU, memory, and storage device alarms
  The basic principles of CPU, memory and storage device alarms are the same. If the current usage exceeds the configured alarm threshold, the alarms are reported. If the current usage is lower than the configured alarm threshold, the alarms are cleared. In addition to the default low threshold, a higher-level middle threshold and high threshold can be configured, so that the reported alarm level is changed or updated as the usage increases.
- Temperature alarm
  There are different temperature measuring components on each board of the device. Each temperature measuring component has different temperature resistance characteristics, so the alarm threshold at each temperature measuring point is different. The device compares the temperature information obtained at the specified time with the corresponding alarm threshold. If the temperature exceeds the threshold, the alarm is reported. If the temperature is lower than the threshold, the alarm at the corresponding level is cleared.
- Power Voltage Alarm
  If the voltage is not in the normal working voltage range, the power voltage alarm is reported.

7.2 Configuring the Alarm Function This procedure describes how to configure the alarm function.

Steps 1. Configure the basic alarm function. Step

Command

Function

1

ZXR10(config)#logging on

Enables the alarm recording function, so that alarms can be reported to log, control terminal, SNMP, and SYSLOG.

2

ZXR10(config)#logging buffer < buffer-size>

Sets the size of the alarm log buffer. Unit: KB, range: 100–1000, default: 200.

3

4

ZXR10(config)#logging timestamps [datetime

Sets the display mode of alarm time.

localtime | precisetime | uptime]

Default: datetime localtime.

Command: ZXR10(config)#logging level
Function: Configures the level to save alarms into logs. Alarms whose levels are higher than this level are recorded in logs. Default: INFORMATIONAL (level 7).

Step 5
Command: ZXR10(config)#logging console
Function: Configures the level to display alarms on a console or Telnet terminal. Alarms whose levels are higher than this level are displayed on a console or Telnet terminal. Default: NOTIFICATIONS (level 6).

Step 6
Command: ZXR10(config)#logging Trap-enable
Function: Configures the level to report alarms to SNMP in Trap mode. Alarms whose levels are higher than this level are reported to SNMP in Trap mode. By default, alarms are not reported.

Step 7
Command: ZXR10(config)#logging alarmlog-interval
Function: records from the buffer to files. Unit: minute, range: 10–30000, default: 10.

Step 8
Command: ZXR10(config)#logging cmdlog-interval
Function: command logs from the buffer to log files. Unit: second, range: 2–30000, default: 2.

Step 9
Command: ZXR10(config)#logging ftp [ vrf ][]
Function: Configures the level of reporting (FTP) server, IP address of the FTP server, username, password, and file name. By default, alarms are not reported.

Step 10
Command: ZXR10(config)#logging filesavetime {interval | everyday | week | month }[vrf ][]
Function: Configures the time when alarms written in files are sent to the FTP server, IP address, username, and name prefix. By default, alarms are not reported.

Step 11
Command: ZXR10(config)#logging mode {fullclear | fullcycle | fullend}
Function: Sets the mode for clearing buffer data after the alarm buffer is full. Default: fullcycle.

Step 12
Command: ZXR10(config)#alarm heartbeat-send
Function: Sends an alarm heartbeat keep-alive packet to the configured destination immediately.

Step 13
Command: ZXR10(config)#alarm heartbeat-period < type>
Function: alarm heartbeat packets. Unit: minute, range: 0–30000, default: 0 (no heartbeat packet is sent).

Step 14
Command: ZXR10(config)#alarm level-change
Function: Modifies the corresponding alarm level of the alarm code. Each alarm code has a default level. Range: 1–4294967294.

: the lowest alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1).
: interval of reporting to FTP, range: 1:00:00–23:59:59.
: daily time for reporting to FTP, range: 00:00:00–23:59:59.
: day in each week for reporting to FTP, range: Monday, Tuesday, Thursday, Wednesday, Friday, Saturday, and Sunday.
: time in the day of each week for reporting to FTP, range: 00:00:00–23:59:59.
: date in each month for reporting to FTP, range: 1–31.
: time in the date of each month for reporting to FTP, range: 00:00:00–23:59:59.
: prefix of the filename saved on the FTP server, range: 1–31 characters.

2. Configure CPU, memory, and storage device alarm thresholds.

Step 1
Command: ZXR10(config)#logging on
Function: Enables the alarm recording function, so that the alarms of different levels can be reported to different destinations. After the command is run, alarms are generated for CPU usage, memory usage, storage medium usage, and voltage value according to corresponding values. The voltage module reports alarms according to the voltage value range.

Step 2
Command: ZXR10(config)#cpuload-threshold [level{low | middle | high}]
Function: Configures the CPU load alarm threshold. Unit: %, range: 50–100, default: 95. Alarm levels corresponding to CPU load alarm thresholds: low, middle and high. Default: low.
Command: ZXR10(config)#check cpu interval
Function: Configures the time interval for CPU usage alarm checking. Unit: 10 s, range: 1–20.

Step 3
Command: ZXR10(config)#memory-threshold [level {low | middle | high}]
Function: Configures the memory usage alarm threshold. Unit: %, range: 1–100, default: 60. Alarm levels corresponding to memory usage alarm threshold values: low, middle, and high. Default: low.
Command: ZXR10(config)#check memory interval
Function: Configures the interval for memory usage alarm checking.

Step 4
Command: ZXR10(config)#storage-threshold [level {low | middle | high}]
Function: Configures the storage medium usage alarm threshold. Unit: %, range: 50–100, default: 90. Alarm levels corresponding to storage medium alarm threshold values: low, middle, and high. Default: low.

Step 5
Command: ZXR10(config)#cpualarm {granularity-10s | granularity-20s | granularity-30s | granularity-40s | granularity-50s | granularity-60s}
Function: Configures the CPU usage alarm granularity. Default: granularity-10s.

3. Verify the configurations.

Command: ZXR10#show logging alarm [[level ][start-time ][end-time ][typeid ]]
Function: Displays the specified alarms in the alarm log buffer. Filtering conditions: level, start-time, end-time, and typeid.

Command: ZXR10#show logfile [[username ][start-time < date>< time>][end-time < date>< time>][vtyno ][ip-adress < ip-address>]]
Function: Displays the specified history command log buffer. Filtering conditions: start-time, end-time, ipaddress, user, and vtyno.

Command: ZXR10#show logging configuration
Function: Displays the current configurations of the alarm module.

Command: ZXR10#show running-config alarm [all ||{begin | exclude | include}]
Function: Displays alarm configurations.

level : alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1).
start-time : alarm start time, format of : mm-dd-yyyy, range of : 01-01-2001 to 12-31-2037, format of : hh:mm:ss, range of : 00:00:00 to 23:59:59.
end-time : alarm end time, format of : mm-dd-yyyy, range of : 01-01-2001 to 12-31-2037, format of : hh:mm:ss, range of : 00:00:00 to 23:59:59.
typeid : alarm type, range: ACL, BFD, BGP, LDP, and so on (more than 60 types).
username : login username, string type, range: 1–32 characters.
start-time : command running start time, format of : mm-dd-yyyy, range of : 01-01-2001 to 12-31-2037, format of : hh:mm:ss, range of : 00:00:00 to 23:59:59.
end-time : command running end time, format of : mm-dd-yyyy, range of : 01-01-2001 to 12-31-2037, format of : hh:mm:ss, range of : 00:00:00 to 23:59:59.
vtyno : user terminal number, range: 0–15.
{begin | exclude | include}: regular expression. begin is used to display configurations beginning with the input string line. include is used to display configurations that include the string line. exclude is used to display configurations that do not include the string line. is used to match the string line.

4. Verify the configurations

Command: ZXR10#show cpuload-threshold
Function: Displays the CPU usage threshold.

Command: ZXR10#show check cpu interval
Function: Displays the time interval of CPU usage alarm checking.

Command: ZXR10#show memory-threshold
Function: Displays the memory usage alarm threshold.

Command: ZXR10#show check memory interval
Function: Displays the time interval of memory usage alarm checking.

Command: ZXR10#show storage-threshold
Function: Displays the storage medium usage alarm threshold.

Command: ZXR10#show cpualarm
Function: Displays the granularity of CPU usage alarms.

5. View information on shelf management temperature alarms and power supply voltage alarms.

Thresholds for temperature alarms and power voltage alarms cannot be configured. These alarms can only be queried by running commands. On the ZXR10 ZSR V2, run the following commands to view shelf management temperature alarms and power voltage alarms.

Command: ZXR10#show temperature detail [][]
Function: Displays temperature at the temperature measuring point of each board.

Command: ZXR10#show logging alarm type-id temperature
Function: Displays the temperature alarms.

Command: ZXR10#show power [][]
Function: Displays power information.

Command: ZXR10#show logging alarm type-id power
Function: Displays power alarms.

– End of Steps –

7.3 Alarm Function Configuration Example

Configuration Description
As shown in Figure 7-1, a PC is connected to R1. Users can view alarm information on R1.

Figure 7-1 Alarm Function Configuration Example

Configuration Flow
1. Enable the alarm function.
2. Configure alarm levels, levels of alarms printed on a terminal, alarm buffer, alarm clearing mode when the buffer is full, interval for writing logs, time display mode, and address of the server to which alarms are sent.
3. Configure alarm Trap, Trap type and address of the server to which Trap messages are sent.

Configuration Commands
Run the following commands on R1:

R1(config)#logging on
R1(config)#logging level warnings
R1(config)#logging console warnings
R1(config)#logging buffer 200
R1(config)#logging mode fullcycle
R1(config)#logging cmdlog-interval 2880
R1(config)#logging ftp warnings 192.168.154.253 zte zte ztelog
R1(config)#logging timestamps datetime localtime
R1(config)#logging Trap-enable notifications
R1(config)#snmp-server enable Trap
R1(config)#snmp-server version v2c enable
R1(config)#snmp-server host 192.168.154.253 Trap version 2c zte

Configuration Verification
Run the following commands to check alarm configurations. The execution results are displayed as follows:

R1(config)#show logging configuration
logging on
logging level warnings
logging console warnings
logging Trap-enable notifications
logging buffer 200
logging mode fullcycle
logging alarmlog-interval 10
logging cmdlog-interval 2880
logging timestamps datetime localtime
syslog level notifications
syslog-server facility local0
logging ftp warnings 192.168.154.253 zte zte ztelog
alarm heartbeat-period 0 snmp
alarm heartbeat-period 0 syslog
alarm heartbeat-period 0 ftp
alarm heartbeat-period 0 console
alarm heartbeat-period 0 all
logging nat buffer 1000
logging nat password encrypted 5f942ecb8d1bf9ff5104c77b19c73cb9c14f151612fef1ac1ca09c19fb98ab8d
logging nat file-size 50 file-num 300
logging nat encrypt off
logging nat description-type basemac
logging nat zip on
logging nat terminal local

R1(config)#show snmp config
snmp-server enable Trap snmp
snmp-server enable Trap bgp
snmp-server enable Trap mac
snmp-server enable Trap ospf
snmp-server enable Trap stp
snmp-server enable Trap ppp
snmp-server enable Trap arp
snmp-server enable Trap rmon
snmp-server enable Trap udld
snmp-server enable Trap cfm
snmp-server enable Trap efm
snmp-server enable Trap lacp
snmp-server enable Trap mc-elam
snmp-server enable Trap tcp
snmp-server enable Trap sctp
snmp-server enable Trap stalarm
snmp-server enable Trap cps
snmp-server enable Trap interface
snmp-server enable Trap acl
snmp-server enable Trap fib
snmp-server enable Trap pim
snmp-server enable Trap isis
snmp-server enable Trap rip
snmp-server enable Trap msdp
snmp-server enable Trap aps
snmp-server enable Trap config
snmp-server enable Trap am
snmp-server enable Trap um
snmp-server enable Trap system
snmp-server enable Trap ldp
snmp-server enable Trap pwe3
snmp-server enable Trap vpn
snmp-server enable Trap mpls-oam
snmp-server enable Trap ptp
snmp-server enable Trap tunnel-te
snmp-server enable Trap radius
snmp-server enable Trap dhcp
snmp-server enable Trap bfd
snmp-server enable Trap ippool
snmp-server enable Trap ntp
snmp-server enable Trap ssm
snmp-server enable Trap sqa
snmp-server enable Trap ipsec
snmp-server enable Trap cgn
snmp-server enable Trap vrrp
snmp-server enable Trap ftp_tftp
snmp-server enable Trap ping-trace
snmp-server enable Trap gm
snmp-server engine-id is 830900020300010289d64401
snmp-server host 192.168.154.253 Trap version 2c zte udp-port 162 snmp bgp mac ospf stp ppp arp rmon udld cfm efm lacp mc-elam tcp sctp stalarm cps interface acl fib pim isis rip msdp aps config am um system ldp pwe3 vpn mpls-oam ptp tunnel-te radius dhcp bfd ippool ntp ssm sqa ipsec cgn vrrp ftp_tftp ping-trace gm
snmp-server packetsize is 8192
snmp-server view AllView internet included
snmp-server view DefaultView system included
snmp-server security dynamic-trust-user idle-timeout 1800
snmp-server version v2c enable
snmp-server input-limit 200

R1(config)#show logging alarm
An alarm 100401 ID 100 level 5 cleared at 06:37:35 03-10-2000 sent by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit! Interface = gei-8/5, flowtype = multi-hop-access, current value = 0, quota value = 100
An alarm 100401 ID 100 level 5 occurred at 06:36:55 03-10-2000 sent by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit! Interface = gei-8/5, flowtype = multi-hop-access, current value = 12867, quota value = 100
An alarm 50901 ID 99 level 5 cleared at 06:36:44 03-10-2000 sent by R1 MPFU-8/0
%LACP% LACP interface active status The interface (index = 66, name = gei-8/6) turns into ACTIVE
An alarm 150101 ID 96 level 5 cleared at 06:36:44 03-10-2000 sent by R1 MPFU-8/0
%IP% Interface status The interface(index=75,name='smartgroup1') turned into protocol UP
An alarm 50901 ID 99 level 5 occurred at 06:36:26 03-10-2000 sent by R1 MPFU-8/0
%LACP% LACP interface active status The interface (index = 66, name = gei-8/6) turns into INACTIVE
An alarm 400123 ID 98 level 2 cleared at 06:36:25 03-10-2000 sent by R1 MPFU-8/0
%BOARD% Slot offline The slot = 4 is online
--More--

The terminal monitor command displays real-time alarms. The show logging alarm command displays buffered alarms.


Chapter 8 SYSLOG Configuration

Table of Contents
SysLog Overview
Configuring Syslog
Syslog Configuration Example

8.1 SysLog Overview
SysLog is a log format used to record the character text to be printed. SysLog originated in the UNIX operating system, where it is used to record system logs. A log message consists of the following three parts:
• PRI: consists of numbers enclosed in angle brackets. The numbers represent the module ID and the severity. The module ID ranges from 0 to 23. The severity ranges from 1 to 8, where 1 is the most severe and 8 is the least severe.
• HEADER: consists of the time and the host name.
• MSG: the detailed content.

SysLog sends data packets to the SysLog server over UDP. The default port is 514, and the size of a UDP packet is less than 1024 bytes. After the SysLog function is enabled, the system decides whether to report an alarm message to the SysLog server according to the alarm level.

8.2 Configuring Syslog
This procedure describes how to configure the Syslog function.

Steps
1. Configure the Syslog function.

Step 1
Command: ZXR10(config)#syslog level
Function: Sets the level in global configuration mode for reporting alarms to the Syslog server. Alarms whose levels are higher than or equal to the set level are reported to the Syslog server.

Step 2
Command: ZXR10(config)#syslog-server facility
Function: Configures the reporting source of Syslog messages. Range: ftp, ntp, user, and so on, default: local0.

Step 3
Command: ZXR10(config)#syslog-server source {ipv4|ipv6}
Function: address of reporting Syslog messages. Type: IPv4 or IPv6.

Step 4
Command: ZXR10(config)#syslog-server host [vrf ][fport ][lport ][alarmlog][cmdlog][debugmsg][servicelog][braslog][natlog]
Function: including the IP address and port number of the Syslog server, the port number of the client, and the type of sent logs.

: the lowest alarm level, ranges: DEBUGGING (level 8), INFORMATIONAL (level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1), default: NOTIFICATIONS.
: IP address of the Syslog server, type: IPv4 or IPv6.
: remote port number, range: 1–65535, default: 514.
: local port number, range: 514, 1024–65535, default: 514.
[alarmlog][cmdlog][debugmsg][servicelog][braslog][natlog]: type of logs reported to the Syslog server.

2. Verify the configurations.

Command: ZXR10#show logging configuration
Function: Displays all Syslog configurations.

Command: ZXR10#show running-config alarm [all ||{begin | exclude | include}]
Function: Displays all Syslog configurations by using a regular expression.

– End of Steps –

8.3 Syslog Configuration Example

Configuration Description
Syslog sends alarms to the Syslog server in the specified format. After the Syslog function is configured on the ZXR10 ZSR V2, alarms are sent to the Syslog server, see Figure 8-1.

Figure 8-1 Syslog Configuration Example Topology

Configuration Flow
1. Connect the Syslog server to the ZXR10 ZSR V2.
2. Configure the interface on the Syslog server and the interface on the ZXR10 ZSR V2, which are directly connected in the same network segment.
3. Configure the Syslog server alarm level.
4. Configure the Syslog type.
5. Specify the address of the Syslog server.

Configuration Command
Run the following commands on the ZXR10 ZSR V2:

R1(config)#interface gei-2/1
R1(config-if-gei-2/1)#no shutdown
R1(config-if-gei-2/1)#ip address 1.1.1.2 255.255.255.0
R1(config-if-gei-2/1)#exit
R1(config)#syslog level warnings
/*Configures the alarm level of Syslog as WARNINGS*/
R1(config)#syslog-server facility syslog
/*Configures the type of Syslog as syslog*/
R1(config)#syslog-server host 1.1.1.1
/*Configures an IP address of the Syslog server*/

Configuration Verification
Run the show command to check the configurations. The execution result is displayed as follows:

R1(config)#show running-config alarm
!
syslog level warnings
syslog-server facility syslog
syslog-server host 1.1.1.1 alarmlog cmdlog debugmsg servicelog braslog natlog
!
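What a collector at 1.1.1.1 could check on datagrams arriving from this configuration, as an added example (not ZTE code) that decodes the PRI, HEADER and MSG parts described in 8.1. It assumes the standard syslog encoding PRI = facility × 8 + severity with wire severity 0–7 mapping to this guide's levels 1–8, an RFC 3164-style header, and facility code 5 for `syslog`; the datagrams and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Level names as listed in this guide (1 = most severe, 8 = least severe).
LEVELS = {1: "EMERGENCIES", 2: "ALERTS", 3: "CRITICAL", 4: "ERRORS",
          5: "WARNINGS", 6: "NOTIFICATIONS", 7: "INFORMATIONAL", 8: "DEBUGGING"}
MAX_DATAGRAM = 1024  # the guide states the UDP packet is smaller than 1024 bytes

# Assumption: RFC 3164-style layout "<PRI>Mmm dd hh:mm:ss host msg".
_LAYOUT = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)


@dataclass
class Record:
    facility: int    # module ID, 0-23
    level: int       # 1-8 as used in this guide
    level_name: str
    time: str
    host: str
    msg: str


def parse_datagram(data: bytes) -> Record:
    """Split one syslog datagram into its PRI, HEADER and MSG fields."""
    if len(data) >= MAX_DATAGRAM:
        raise ValueError("datagram is not smaller than 1024 bytes")
    m = _LAYOUT.match(data.decode("ascii", errors="replace"))
    if m is None:
        raise ValueError("datagram is not in <PRI>HEADER MSG form")
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    if facility > 23:
        raise ValueError("module ID outside 0-23")
    level = severity + 1  # assumption: wire severity 0-7 maps to levels 1-8
    return Record(facility, level, LEVELS[level], m["time"], m["host"], m["msg"])


def is_reported(level: int, configured: int) -> bool:
    """'Higher than or equal to the set level' means numerically <= it."""
    return level <= configured


def check_datagram(data, source_ip, allowed_sources, facility, configured_level):
    """Return (record, anomalies) for a datagram received by the collector."""
    record = parse_datagram(data)
    anomalies = []
    if source_ip not in allowed_sources:
        # UDP syslog carries no sender authentication, so the address is all we have
        anomalies.append("unexpected source address")
    if record.facility != facility:
        anomalies.append("facility differs from syslog-server facility")
    if not is_reported(record.level, configured_level):
        anomalies.append("level below configured syslog level")
    return record, anomalies


# Constructed datagrams: facility 5 (syslog) at WARNINGS, and facility 16 (local0)
# at INFORMATIONAL, which the configuration above would not produce.
SAMPLE_OK = (b"<44>Mar 10 06:36:55 R1 An alarm 100401 ID 100 level 5 occurred "
             b"%CPS% The upsend packet flow of control plane reached quota limit!")
SAMPLE_ODD = b"<134>Mar 10 06:37:02 R1 constructed informational message"

if __name__ == "__main__":
    for raw, src in ((SAMPLE_OK, "1.1.1.2"), (SAMPLE_ODD, "1.1.1.77")):
        rec, problems = check_datagram(raw, src, {"1.1.1.2"}, 5, 5)
        print(rec.level_name, rec.host, problems)
```
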


Chapter 9 RMON Configuration

Table of Contents
RMON Overview
Configuring RMON
RMON Configuration Example

9.1 RMON Overview
As an important enhanced function of SNMP, Remote Network Monitoring (RMON) can monitor overall subnet traffic information on Ethernet and token ring networks. The RMON module provides the following functions:
• Configured with the statistics function, it monitors the basic traffic of the specified subnet. The traffic information refers to traffic data regularly obtained by RMON.
• Configured with the history function, it records traffic information on the specified subnet during the specified interval. A short sampling interval can be configured to view a sudden traffic change on a subnet. A long interval can be configured to view long-term traffic status of a subnet.
• Configured with the event function, it handles alarm messages by recording them and/or sending Trap messages, so that network administrators learn of system conditions in time.
• Configured with the alarm function and the corresponding event function, it shows the changes of specified variables such as sysUpTime.0, which is a MIB variable. For example, if an alarm item is configured with a threshold of 500 CRC errors, 500 or more CRC errors that appear within 5 minutes trigger an alarm. In this case, if the corresponding event is configured to send a Trap message, a Trap message is sent to the Trap server. To send Trap messages successfully, you also need to correctly set the IP address of the Trap server and a community string for SNMP, and to enable the SNMP Trap sending function.

9.2 Configuring RMON
This chapter describes how to configure the RMON function.

Steps
1. Configure an event that triggers the RMON alarm.

Step 1
Command: ZXR10(config)#rmon
Function: Enters RMON mode from configuration mode.

Step 2
Command: ZXR10(config-rmon)#rmon event [{[log],[Trap ],[description ],[owner ]}]
Function: or/and send Trap messages.

Step 3
Command: ZXR10(config-rmon)#rmon alarm {delta | absolute} rising-threshold [] falling-threshold [][owner ]
Function: that are triggered for exceeding lower threshold alarm, upper or lower threshold alarm.

: index number, range: 1–65535.
log: identification of recording logs.
: community string used for sending Trap messages, range: 1–32 characters.
: simple description of this event, range: 1–127 characters, default: zte.
: creator of this event, range: 1–31 characters, default: config.
: MIB variable to be monitored, range: 1–64 characters. It must be a MIB variable that can be converted into an integer.
: time of monitoring the above MIB variable, unit: second, range: 10–2147483.
delta: comparing the delta with the threshold.
absolute: comparing the selected variable value with the threshold.
rising-threshold: rising threshold.
: rising threshold of sample statistics, range: -2147483648–2147483647.
: number of the event triggered for exceeding the rising limit, range: 1–65535.
falling-threshold: falling threshold.
: falling threshold of sample statistics, range: -2147483648–2147483647.
: number of the event triggered for exceeding the falling limit, range: 1–65535.
: creator of this alarm, range: 1–312 characters, default: config.

2. Configure RMON statistics or history.

Step 1
Command: ZXR10(config)#rmon
Function: Enters RMON mode from configuration mode.

Step 2
Command: ZXR10(config-rmon)#interface
Function: Enters RMON interface mode from RMON mode.

Step 3
Command: ZXR10(config-rmon-interface)#rmon collection statistics [owner ]
Function: Enables the interface statistics function (only applicable to Ethernet interfaces).
Command: ZXR10(config-rmon-interface)#rmon collection history [buckets ][interval ][owner ]
Function: Enables the interface history collection function (only applicable to Ethernet interfaces).

: interface name, only supporting an Ethernet interface.
: index number, range: 1–65535.
: the creator of the statistics, range: 1–31 characters, default: monitor.
: the size of the requested loop bucket, default: 50, range: 1–100.
: the creator of the event, range: 1–31 characters, default: config.
: sampling interval, unit: second, range: 10–3600, default: 1800. It is recommended to use 30 s and 1800 s to collect short-term and long-term network traffic changes respectively.
: the creator of this line of history, range: 1–31 characters, default: monitor.

3. Verify the configurations.

Command: ZXR10(config)#show rmon [[events],[history],[alarms],[statistics]]
Function: Displays RMON configurations and version information.

Command: ZXR10(config)#show running-config rmon [all ||{begin | exclude | include}]
Function: Displays RMON configurations.

– End of Steps –

9.3 RMON Configuration Example

Configuration Description
As shown in Figure 9-1, it is required to enable the RMON function, monitor the traffic of the gei-3/2 interface on the ZXR10 2800-4, and provide the following functions:
• Collecting real-time and history statistics on traffic and the numbers of various types of packets.
• Monitoring the number of bytes of outgoing traffic, and recording a log if the traffic per minute exceeds the set value.
• Monitoring the number of incoming broadcast and multicast packets, and actively sending an alarm to the NMS if the number of received broadcast and multicast packets exceeds the set value.

Figure 9-1 RMON Configuration Example

Configuration Flow
1. Enable SNMP to allow sending Trap packets, and set the destination IP address and community name.
2. Configure the RMON statistics table.
3. Configure the RMON history table.
4. Configure the RMON event table.
5. Configure the RMON alarm table.

Configuration Commands
Run the following commands on the ZXR10:

ZXR10(config)#snmp-server version v2c enable
ZXR10(config)#snmp-server enable Trap RMON
ZXR10(config)#snmp-server host 1.0.0.1 Trap version 2c zte rmon
/* Configures SNMP. */
ZXR10(config)#rmon
ZXR10(config-rmon)#interface gei-3/2
ZXR10(config-rmon-if)#rmon collection statistics 1 owner zte
/* Configures the RMON statistics table. */
ZXR10(config-rmon-if)#rmon collection history 1 buckets 10 interval 60 owner zte
/* Configures the RMON history table with the 60 s sampling period. */
ZXR10(config-rmon-if)#exit
ZXR10(config-rmon)#rmon event 1 description outboundocts log owner zte
ZXR10(config-rmon)#rmon event 2 description inboundnonuni Trap zte owner zte
/* Configures the RMON event table. Event 1 records logs. Event 2 sends Trap messages.*/
ZXR10(config-rmon)#rmon alarm 1 1.3.6.1.2.1.2.2.1.16.12 60 absolute rising-threshold 10000000 1 falling-threshold 2000000 1 owner zte
ZXR10(config-rmon)#rmon alarm 2 1.3.6.1.2.1.2.2.1.12.12 60 absolute rising-threshold 500 2 falling-threshold 100 2 owner zte
/* Configures the RMON alarm table. Alarm 1 monitors the number of bytes sent by the gei-3/2 interface. Triggers event 1, if the threshold is exceeded. Alarm 2 monitors the total number of multicast and broadcast packets. Triggers event 2, if the threshold is exceeded. In this example, 1.3.6.1.2.1.2.2.1.16 is the OID of the ifOutOctets node, 1.3.6.1.2.1.2.2.1.12 is the OID of the ifInNUcastPkts node, and 12 is the index of the gei-3/2. */

Configuration Verification
Run the following command to view RMON configurations. The execution result is displayed as follows:

ZXR10#show running-config rmon
rmon
  rmon alarm 1 1.3.6.1.2.1.2.2.1.16.12 60 absolute rising-threshold 10000000 1 falling-threshold 2000000 1 owner zte
  rmon alarm 2 1.3.6.1.2.1.2.2.1.12.12 60 absolute rising-threshold 500 2 falling-threshold 100 2 owner zte
  rmon event 1 log description outboundocts owner zte
  rmon event 2 Trap zte description inboundnonuni owner zte
  interface gei-3/2
    rmon collection history 1 buckets 10 interval 60 owner zte
    rmon collection statistics 1 owner zte
  $
$
!

Run the following command to view information on the RMON statistics table. The execution result is displayed as follows:

ZXR10#show rmon statistics
etherStatsEntry 1 is valid, and owned by monitor
Monitors ifEntry.1.12 (gei-3/2) which has
Received 2661384683 octets, 11170112 packets,
4226009 broadcast and 1032634 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Packets received (in octets):
64:3528697, 65-127:2610624, 128-255:432346,
256-511:268806, 512-1023:193397, 1024-1518:4136242

Run the following command to view information on the RMON history table. The execution result is displayed as follows:

ZXR10#show rmon history
historyControlEntry 1 is valid, and owned by zte
Monitors ifEntry.1.12 (gei-3/2) every 60 seconds
Requested buckets is 10
Granted buckets is 10
Sample #1 began measuring at 0w4d,03:55:43
Received 131180 octets, 1519 packets,
1121 broadcast and 167 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 2
Sample #2 began measuring at 0w4d,03:56:43
Received 138272 octets, 1609 packets,
1416 broadcast and 112 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 2
Sample #3 began measuring at 0w4d,03:57:43
Received 81578 octets, 954 packets,
762 broadcast and 138 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 1
Sample #4 began measuring at 0w4d,03:58:43
Received 68438 octets, 822 packets,
720 broadcast and 72 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 1

Run the following command to view information on the RMON event table. The execution result is displayed as follows:

ZXR10#show rmon events
Event 1 is valid, and owned by zte
Description is outboundocts
Event firing causes log , last fired 0w4d,03:56:54
Current log entries:
Index    Time             Description
1        0w4d,03:56:54    outboundocts

Event 2 is valid, and owned by zte
Description is inboundnonuni
Event firing causes trap to community/user zte, last fired 0w4d,03:57:12
Current log entries:
Index    Time             Description

Run the following command to view information on the RMON alarm table. The execution result is displayed as follows:

ZXR10#show rmon alarms
Alarm 1 is valid, and owned by zte
Monitors ifEntry.16.12, every 60 second(s)
Taking absolute samples, last value was 13414607
Rising-threshold is 10000000, assigned to event 1
Falling-threshold is 2000000, assigned to event 1
On startup enable rising or falling alarm
Alarm 2 is valid, and owned by zte
Monitors ifEntry.12.12, every 60 second(s)
Taking absolute samples, last value was 5580876
Rising-threshold is 500, assigned to event 2
Falling-threshold is 100, assigned to event 2
On startup enable rising or falling alarm
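How the rising and falling thresholds of `rmon alarm` behave under `absolute` and `delta` sampling, as an added simulation (not ZTE code) that uses the thresholds of alarm 1 above. It is a simplified model of the RFC 2819 alarm hysteresis; the counter readings are constructed, and treating the monitored object as a 32-bit counter that may wrap is an assumption.

```python
COUNTER32_MODULUS = 2 ** 32  # assumption: the monitored object is a 32-bit counter


def counter_delta(previous: int, current: int) -> int:
    """Change between two readings, allowing for one counter wrap."""
    return (current - previous) % COUNTER32_MODULUS


def simulate_alarm(readings, mode, rising, falling):
    """Return [(sample_index, 'rising' | 'falling', value)] for one alarm entry.

    mode 'absolute' compares each reading with the thresholds;
    mode 'delta' compares the change since the previous reading.
    Startup behaviour is 'rising or falling', as in the show output above.
    """
    if mode not in ("absolute", "delta"):
        raise ValueError("mode must be 'absolute' or 'delta'")
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    events = []
    rising_armed = falling_armed = True
    previous = None
    for index, reading in enumerate(readings):
        if mode == "delta":
            if previous is None:       # the first reading only sets the baseline
                previous = reading
                continue
            value = counter_delta(previous, reading)
            previous = reading
        else:
            value = reading
        if value >= rising and rising_armed:
            events.append((index, "rising", value))
            # no further rising event until the value reaches the falling threshold
            rising_armed, falling_armed = False, True
        elif value <= falling and falling_armed:
            events.append((index, "falling", value))
            rising_armed, falling_armed = True, False
    return events


# Constructed ifOutOctets readings taken every 60 s (a cumulative byte counter).
READINGS = [3_000_000, 6_000_000, 18_000_000, 19_000_000, 32_000_000, 32_500_000]
RISING, FALLING = 10_000_000, 2_000_000  # thresholds of alarm 1 in the example

if __name__ == "__main__":
    for mode in ("absolute", "delta"):
        print(mode, simulate_alarm(READINGS, mode, RISING, FALLING))
```

On a cumulative counter, absolute sampling crosses the rising threshold once and cannot re-arm because the value never returns to the falling threshold, whereas delta sampling compares the per-interval change and fires on each burst.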


Chapter 10 Clock and Clock Synchronization

Table of Contents
NTP Configuration
Physical POS Interface Clock Configuration

10.1 NTP Configuration

10.1.1 NTP Overview

NTP Introduction
In network applications, the clocks of network members need to be synchronized. There is normally a discrepancy of one or more minutes between the clocks of different systems. For a large-scale network, the system administrator cannot modify the system clocks manually one by one. Network Time Protocol (NTP) is a time synchronization protocol applied to different network members. NTP devices synchronize their clocks by exchanging NTP packets, which keeps their clocks consistent.

NTP Client
Figure 10-1 shows the main principle of the NTP client.

Figure 10-1 NTP Client Work Flow

1. The client regularly sends NTP time request packets to the configured clock server and waits for responses.
2. After receiving an NTP response packet, the NTP client inspects the packet, extracts the corresponding time, calculates the time offset, and sets the local clock.

NTP Server
After a device is configured as an NTP server, it listens on UDP port 123 for NTP time request packets coming from clients, adds its time information to an NTP time response packet, and sends the packet to the client. The ZXR10 ZSR V2 can act as an NTP server and a client at the same time. That is to say, it can receive time request packets coming from other servers and send its own time information to other clients, see Figure 10-2.

Figure 10-2 NTP Server and Client

10.1.2 Configuring NTP
This procedure describes how to configure the NTP server and NTP client functions on the ZXR10 ZSR V2.

Steps
1. Configure the NTP Server function.

Step 1
Command: ZXR10(config)#ntp enable
Function: Enables the NTP function.

Step 2
Command: ZXR10(config)#ntp master
Function: Configures the NTP server level, range: 1–15. The smaller the value, the more reliable the NTP time published by the server.

2. Configure the NTP Client function.

Step 1
Command: ZXR10(config)#ntp enable
Function: Enables the NTP function.

Step 2
Command: ZXR10(config)#ntp server [{vrf | mng] priority [version ]|[key ]|[lock | unlock ]
Function: Defines a time server on the client. The IP address and priority are required. Other parameters are optional.

Step 3
Command: ZXR10(config)#ntp source ipv4
Function: Configures the source IP address of packets sent by NTP on the client. The source IP address, which is in dotted decimal format, is available for the client only.

Step 4
Command: ZXR10(config)#ntp poll-interval
Function: Configures the time interval of requesting packets sent by NTP. Range: 4–14 (2^n). For example, if 4 is configured, the time interval is 16 seconds.

and priority are required. Other parameters are optional.
version : NTP version number, range: 1–4, default: 3 (in IPv4).
key : effective key, range: 1–4294967295.
priority: priority value, range: 1–5. The priority of each server is different.
[ lock | unlock ]: whether the server is locked, default: unlock.

3. Configure the NTP authentication function.

Step 1
Command: ZXR10(config)#ntp authenticate
Function: Enables the NTP authentication function. The NTP authentication function is effective only when the key specified by the NTP server is successfully configured.

Step 2
Command: ZXR10(config)#ntp authentication-key md5 {clear |encrypted }
Function: Sets the NTP authentication key and the corresponding verification code.

Step 3
Command: ZXR10(config)#ntp trusted-key
Function: Configures the trusted key number for NTP authentication.

: encrypted key number, range: 1–4294967295.
: MD5 clear text authentication code, range: 1–16 characters.
: MD5 cipher text authentication code, range: 1–24 characters.


The NTP authentication function consists of two parts: server and client. When configuring this function, comply with the following rules:

- If the NTP authentication function is enabled, an NTP MD5 key should be configured, and the key should be set to a trusted key. Otherwise, the NTP authentication function cannot be enabled.
- If the NTP authentication function is not enabled on the client and other configurations are correct, the client can be synchronized with the server (whether the NTP authentication function is enabled on the server or not).
- If the NTP authentication function is enabled on the client, the client can only be synchronized with a server that provides a trusted key. Configurations on the server and those on the client should be consistent.

4. Verify the configurations.

   Command: ZXR10#show running-config ntp
   Function: Displays NTP configurations.

   Command: ZXR10#show ntp status
   Function: Displays NTP status attributes.

   Command: ZXR10#show clock
   Function: Displays the system clock.

– End of Steps –
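The client work flow (offset calculation) and the authentication rules above can be traced on one response packet. The following is an added example, not ZTE code: it assumes the router uses the standard NTP symmetric-key layout (48-byte header followed by a 32-bit key number and the MD5 digest of key plus header, as in RFC 5905), and the key number 42, the key string, the timestamps and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48               # fixed NTP header
MAC_LEN = 4 + 16              # key number + MD5 digest


def to_ntp(unix_ts):
    """Unix seconds -> 8-byte NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_ts)
    return struct.pack("!II", secs + NTP_UNIX_DELTA, int((unix_ts - secs) * 2**32))


def from_ntp(raw):
    """8-byte NTP timestamp -> Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32


def md5_mac(key, header):
    """Symmetric-key MAC: MD5 over the shared key followed by the header."""
    return hashlib.md5(key + header).digest()


def server_response(origin, receive, transmit, stratum, key_id=None, key=None):
    """Build a mode-4 (server) response, with an MD5 MAC if a key is given."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4           # no leap warning, version 3, server
    header = struct.pack("!BBbb", li_vn_mode, stratum, 4, -20)  # poll 4 = 16 s
    header += bytes(12)                            # root delay, dispersion, ref ID
    header += to_ntp(receive)                      # reference timestamp
    header += to_ntp(origin) + to_ntp(receive) + to_ntp(transmit)
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def client_accepts(packet, authenticate, keys, trusted):
    """Client-side rules: with authentication off, any well-formed response is
    used; with it on, the MAC must verify under a configured, trusted key."""
    if len(packet) < HEADER_LEN:
        return False
    if not authenticate:
        return True
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                               # response carries no MAC
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    if key_id not in trusted or key_id not in keys:
        return False                               # key unknown or not trusted
    expected = md5_mac(keys[key_id], packet[:HEADER_LEN])
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


def offset_and_delay(packet, t4):
    """Clock offset and round-trip delay from the four NTP timestamps."""
    t1 = from_ntp(packet[24:32])                   # client transmit (origin)
    t2 = from_ntp(packet[32:40])                   # server receive
    t3 = from_ntp(packet[40:48])                   # server transmit
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


# Constructed sample: server clock 2.5 s ahead, 0.25 s each way on the wire.
KEYS = {42: b"constructed-key"}
T1, T2, T3, T4 = 1400000000.0, 1400000002.75, 1400000003.0, 1400000000.75


def demo():
    good = server_response(T1, T2, T3, 1, 42, KEYS[42])
    # Flip one bit of the transmit timestamp, as a modification in transit would.
    tampered = good[:47] + bytes([good[47] ^ 1]) + good[48:]
    return {
        "offset_delay": offset_and_delay(good, T4),
        "good_with_auth": client_accepts(good, True, KEYS, {42}),
        "tampered_with_auth": client_accepts(tampered, True, KEYS, {42}),
        "tampered_without_auth": client_accepts(tampered, False, KEYS, set()),
    }


if __name__ == "__main__":
    print(demo())
```

A client without ntp authenticate accepts the altered response and would shift its clock, which affects log timestamps and anything else that depends on time. MD5 over key-then-message is the only algorithm the commands on this page offer; RFC 8573 deprecates it for NTP in favour of AES-CMAC.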

10.1.3 NTP Configuration Examples

10.1.3.1 NTP Working as a Client

Configuration Description
NTP is used to synchronize the clocks of different network members. As shown in Figure 10-3, the NTP client can synchronize the clock with the NTP server.

Figure 10-3 NTP Working as a Client

Configuration Flow
1. Connect the NTP server to the router.
2. Enable NTP.
3. Configure the address of the NTP server.

Configuration Command
Configuration on R1:
R1(config)#ntp enable
R1(config)#ntp server 192.168.5.93 priority 1

Configuration Verification
After the configuration, use the show command to check the configuration.
R1#show running-config ntp
!
ntp server 192.168.5.93 priority 1
ntp enable
!

10.1.3.2 NTP Working as a Server

Configuration Description
The function of NTP is to synchronize clocks of different network members. As shown in Figure 10-4, NTP works as a server to provide synchronization information for the client.

Figure 10-4 NTP Working as a Server

Configuration Flow
1. Enable NTP on R1, and configure the address of the NTP server.
2. Enable NTP on R2, and configure a level of the NTP server.

Configuration Command
The configuration on R1:
R1(config)#ntp enable
R1(config)#ntp server 192.168.5.93 priority 1

The configuration on R2:
R2(config)#ntp enable
R2(config)#ntp master 1

Configuration Verification
Use the show running-config ntp command on the client and the server to view configuration.
Use the show ntp status command on the client to view the IP address and the clock of the reference clock (R2).
Use the show clock command on the client. The clock has been synchronized with the clock on the server.

10.2 Physical POS Interface Clock Configuration

10.2.1 Physical POS Interface Clock

Clock Synchronization
The first problem to resolve in a digital network is clock synchronization. Clock synchronization keeps the clock frequency and phase of each network node within a predefined error tolerance range. The sending and receiving ends can then extract and send messages at a specified time, which avoids transmission performance degradation (error codes and jitters) due to location inaccuracy in the digital transmission system.

Clock Synchronization Modes
Two clock synchronization modes are provided: pseudo synchronization and master-slave synchronization.

- Pseudo synchronization means that different digital exchanges in the digital switching network have different clocks that are independent of each other. Each clock is a Caesium atom clock with very high accuracy and stability. Because these clocks are highly accurate, their frequencies and phases, although different, are very close. This is pseudo synchronization.
- Master-slave synchronization means that a master clock exchange with a highly accurate clock is defined in the network, and all other exchanges are controlled by this exchange (tracking the clock of the master exchange and taking the master exchange clock as the reference). These exchanges are in turn controlled by their upper-level exchange, down to the end NE, the terminating exchange.

In general, pseudo synchronization is used in an international digital network, that is, in the digital network between two countries. For example, if two international exchanges in China and America have their own Caesium atom clocks, the two exchanges use the pseudo synchronization mode. Master-slave synchronization is used in digital networks within a country or region. The master-slave synchronization clocks in the SDH network can be classified into four levels by accuracy, corresponding to different usage ranges:

- The master clock used as the time reference of the global network
- Slave clocks used in forwarding exchanges
- Slave clocks used in local exchanges
- Clocks used in the SDH (clocks built into the SDH)

Clock Extraction Modes
Clocks can be extracted in two ways:

- Extracting a clock from the specified clock synchronization circuit which is independent of the equipment, for example, the BITS interface.
- Extracting a clock from a line, for example, 8K clock signals recovered from the SDH/POS interface.

10.2.2 Configuring a Physical POS Interface Clock

This procedure describes how to configure a physical POS interface clock.

Steps

1. Configure a physical POS interface clock.

   Step 1
   Command: ZXR10(config)#interface
   Function: Enters the POS interface.

   Step 2
   Command: ZXR10(config-if-interface-name)#clock mode internal | line
   Function: Configures the clock mode to internal or line. Default: internal.

   Step 3
   Command: ZXR10(config)#controller
   Function: Enters controller configuration mode of the CPOS.

   Step 4
   Command: ZXR10(config-ctrl-interface-sdh-tug3-e1)#framing sdh
   Function: Configures the SDH frame format in controller mode.

   Step 5
   Command: ZXR10(config)#clock mode internal | line
   Function: Configures the clock mode to internal or line in E1 mode. Default: internal.

2. Verify the configuration result.

   Command: ZXR10#show interface
   Function: Shows the mode configured for the POS interface clock.

– End of Steps –

10.2.3 Physical POS-Interface Clock Configuration Instance

Configuration Description
The purpose of configuring a POS-interface clock is to synchronize the clock between different network members, see Figure 10-5.

Figure 10-5 Physical POS Interface Clock Configuration Instance

Configuration Flow
1. Inter-connect the routers.
2. Enter POS-interface clock configuration mode.

Configuration Command
Configurations on router R1:
R1(config)#interface pos3-1/1
R1(config-if-pos3-1/1)#no shutdown
R1(config-if-pos3-1/1)#clock mode line
R1(config-if-pos3-1/1)#exit

Configurations on router R2:
R2(config)#interface pos3-1/1
R2(config-if-pos3-1/1)#no shutdown
R2(config-if-pos3-1/1)#exit
/*Three clock modes can be configured for two ends of the directly-connected POS interface: internal-internal, internal-line, line-internal. Note that the line-line mode is unavailable.*/

Configuration Verification
After the configuration is completed, run the show command to verify the configurations:
R1(config-if-pos3-1/1)#show interface pos3-1/1
pos3-1/1 is down, line protocol is down
  Description is none
  Hardware is Packet Over SONET/SDH
  Internet address is unassigned
  IP MTU 4470 bytes
  MTU 4600 bytes
  BW 155520 Kbits
  MPLS MTU 4470 bytes
  Physical layer is Packet over (SDH)
  Holdtime is 120 sec(s)
  CRC 32
  Loopback cancel
  Clock Source: line
  Scramble enable
  Encapsulation PPP
  Keepalive set: 10 sec(s)
  LCP INITIAL, IPCP INITIAL, BCPINITIAL, IPV6CP INITIAL
  MPLSCP INITIAL, OSINLCP INITIAL
  Last Clear Time : 2000-04-02 01:49:43 Last Refresh Time:2000-04-02 01:49:43
  120s input rate : 0Bps 0Pps
  120s output rate: 0Bps 0Pps
  Intf utilization: input 0% output 0%
  HardWareCounters:
    In_Bytes 0 In_Packets 0
    In_Abort 0 In_OverFlow N/A
    In_Runt 0 In_Giant 0

R2(config-if-pos3-1/1)#show interface pos3-1/1
pos3-1/1 is down, line protocol is down
  Description is none
  Hardware is Packet Over SONET/SDH
  Internet address is unassigned
  IP MTU 4470 bytes
  MTU 4600 bytes
  BW 155520 Kbits
  MPLS MTU 4470 bytes
  Physical layer is Packet over (SDH)
  Holdtime is 120 sec(s)
  CRC 32
  Loopback cancel
  Clock Source: internal
  Scramble enable
  Encapsulation PPP
  Keepalive set: 10 sec(s)
  LCP INITIAL, IPCP INITIAL, BCPINITIAL, IPV6CP INITIAL
  MPLSCP INITIAL, OSINLCP INITIAL
  Last Clear Time : 2000-04-02 01:49:43 Last Refresh Time:2000-04-02 01:49:43
  120s input rate : 0Bps 0Pps
  120s output rate: 0Bps 0Pps
  Intf utilization: input 0% output 0%
  HardWareCounters:
    In_Bytes 0 In_Packets 0
    In_Abort 0 In_OverFlow N/A
    In_Runt 0 In_Giant 0


Chapter 11 Performance Statistics

Table of Contents
Performance Management Overview
Performance Management Configuration
Performance Management Configuration Example

11.1 Performance Management Overview

Performance management provides the following main functions:

- It accepts login or logout requests coming from service modules and collects performance data according to the registered performance entries.
- It calculates and saves performance data according to the collection interval.
- It raises an alarm when a collected performance value exceeds the configured alarm threshold value, and cancels the alarm when the collected performance value falls below the configured alarm threshold value.

Performance management uses an agent-server structure, which is composed of PMServer, PMAgent and PMClient.

- PMServer resides in the R-CPU.
- Every daughter card has a PMAgent, and each PMAgent acts as an independent process.
- PMClient resides in every application module.

The service modules of the daughter cards interact with each other through messages sent between PMClient and PMAgent. In this way, an application module can log in, log off or report performance values to performance management. Some applications use PMServer to mount a callback function. After registration information is modified, PMServer completes the virtual registration or registration cancellation, and refreshes performance values after the member interface data bound to these service types is changed.

11.2 Performance Management Configuration

This procedure describes how to configure the performance management function.

Steps

1. Configure performance management.

   Step 1
   Command: ZXR10(config)#intf-statistics
   Function: Enters interface statistic configuration mode.

   Step 2
   Command: ZXR10(config-intf-statistics)#one_minute_peak_value {disable | enable}{| default}
   Function: Enables or disables the switch to control the one-minute peak-value counter on a specific Ethernet interface or all Ethernet interfaces.

   Command: ZXR10(config-intf-statistics)#one_minute_peak_value_clear []
   Function: Clears and resets the one-minute peak-value counter on a specific Ethernet interface or all Ethernet interfaces.

   Step 3
   Command: ZXR10(config-intf-statistics)#traffic-statistics {enable | disable}
   Function: Enables the interface performance statistic function. Default: enabled.

   Step 4
   Command: ZXR10(config)#performance data-save-interval {15min,5min}
   Function: Sets the period for saving data. Unit: minute, default: 15.

   Step 5
   Command: ZXR10(config)#performance update-interval
   Function: Sets the interval for sampling data from a PMA to a PMS. Default: 10 s. Sets the type of a specified detection point or sets the type of all detection points by using the default configuration.

   Step 6
   Command: ZXR10#clear statistics interface []
   Function: Clears the performance value of a specific interface or the accumulative performance value of all interfaces.

2. Collect statistics of performance management.

   Command: ZXR10#show running-config performance
   Function: Displays the configuration information on performance management.

   Command: ZXR10# show interface
   Function: Displays the state of all interfaces or a specified interface.

   Command: ZXR10#show performance one_minute_peak_value []
   Function: Displays the one-minute peak-value of an interface.

   Command: ZXR10#show performance data-save-interval
   Function: Displays the period for saving history performance data.

   Command: ZXR10#show ip traffic
   Function: Displays IP statistics information.

   Command: ZXR10#show tcp statistics
   Function: Displays TCP statistics information.

– End of Steps –

11.3 Performance Management Configuration Example

Configuration Description
Performance management can modify the interface counter update time or set the counter switch according to user requirements. As shown in Figure 11-1, traffic is sent from gei-2/1 of R1 to gei-2/1 of R2.

Figure 11-1 Performance Management Configuration Example Topology Diagram

Configuration Flow
1. Check the counters of interface gei-2/1. To check the new count, clear the previous count.
2. Modify the time interval of sampling data from PMS to PMA to control the counter update interval of gei-2/1.

Configuration Command
1. Clear the gei-2/1 interface counters:
ZXR10#clear statistics interface gei-2/1

2. Set the counter update time of a physical port such as gei-2/1 to 30 seconds:
ZXR10(config)#performance update-interval 30s ethernet

Configuration Verification
Check whether the configuration is valid.
ZXR10(config)#show running-config performance
!
performance update-interval 30s ethernet
!


Chapter 12 NetFlow Configuration

Table of Contents
NetFlow Overview
Configuring NetFlow
NetFlow Configuration Examples

12.1 NetFlow Overview

NetFlow Introduction
NetFlow is a protocol used to monitor network traffic. A NetFlow application environment contains an exporter and a collector. The exporter collects IP data packets and sends them to the collector. The collector is responsible for analysis. NetFlow can trace and measure each flow accurately. It supports the following applications:

- Network layout
  NetFlow can count network flow information over a long time. Therefore, it can trace and estimate whether network flow is increasing or decreasing, so that route devices can be added or removed, or their bandwidth upgraded or downgraded, as required. In this way, the network operates more reasonably.

- Analyzing a new application
  NetFlow collects the network usage information of a new application protocol. By analyzing this information, network resources can be allocated to the new application reasonably.

- Network monitoring
  NetFlow can monitor the network in real time. It can provide information to locate a fault when the network fails, or it can find potential network problems.

NetFlow Features
To accomplish network data collection, NetFlow performs the following tasks:

- Configure the NetFlow service on multiple interfaces of a router to collect the packets that pass through these interfaces. To reduce system load, set a sample rate on both ingress and egress of the interfaces. For example, if the sample rate is 2000:1, one packet is sampled from every 2000 packets.
- NetFlow can sample unicast, multicast or Multi Protocol Label Switching (MPLS) packets separately or in combination. NetFlow analyzes the sampled packet to obtain the following information:
  - Packet information: for example, source/destination IP address, Type Of Service (ToS) field, source/destination TCP/UDP port number.
  - Route information: for example, next hop IP address.
  - Other information: packet ingress/egress interface index, sample direction.
- NetFlow takes the flow as its statistical object. The packets which belong to the same flow are summarized and stored. NetFlow v5 uses an octet to define a unique flow, and NetFlow v9 permits the user to define the flow. For example, the user can use the source and destination IP addresses to define a flow; then all the packets which have these source and destination addresses are defined as one flow. The octet (source and destination IP addresses) is called the key field. The user can also configure non-key fields to obtain other information about the flow, such as packet number, bytes and next hop IP address.
- NetFlow has a buffer. The sampled packets are first stored in the buffer. The size of every flow is the sum of all key fields and non-key fields. After a packet is analyzed, NetFlow checks whether the flow already exists according to its key field.
  - If it already exists, the flow's non-key fields are updated.
  - If it does not exist, the new flow is added to the buffer.
- When a flow stored in the buffer satisfies one of the following conditions, it is sent to the remote server.
  - All flow information is sent to the server when the buffer is full.
  - A flow is inactive if no packet belonging to the flow arrives within a given time. The flow is then sent to the server. The given time is called active aging time. It can be configured by the user.
  - For a long-term active flow, the statistic information is sent to the server once in a while. The interval is called inactive aging time. It can be configured by the user.
- At present, the ZXR10 ZSR V2 can record flow information in NetFlow v5, NetFlow v8, NetFlow v9 and IPFIX packets to send to the server.
  - Since the format of NetFlow v5 is fixed, NetFlow v5 only outputs the fixed-field flow information.
  - The format of the NetFlow v8 packet is also fixed. Compared with NetFlow v5, NetFlow v8 can output multiple types of field flow information. The ZXR10 ZSR V2 supports the v8 Protocol-PortMatrix packet format.
  - NetFlow v9/IPFIX lets the user customize key fields and non-key fields. The NetFlow v9/IPFIX packet is based on modules. A module includes the user-defined key fields and non-key fields, and every module has a unique module ID. NetFlow sends the module to the server periodically. When a server receives a NetFlow v9/IPFIX packet that includes flow information, it finds the corresponding module according to the contained module ID.

On the NetFlow server, the received flow information is normally stored in a database, and NetFlow analysis software can analyze the entity data.


12.2 Configuring NetFlow

This procedure describes how to configure the NetFlow function.

Steps

1. Configure NetFlow exporter policies.

   Step 1
   Command: ZXR10(config)#flow exporter
   Function: Creates a flow exporter policy, and names the policy. You can configure up to 200 different flow exporter policies. Range of the policy name: 1–32 characters.

   Step 2
   Command: ZXR10(config-flow-exporter)#destination {ipv4-address |[vrf ]}
   Function: Configures the IPv4 address of the NetFlow server.

   Step 3
   Command: ZXR10(config-flow-exporter)#export-protocol {netflow-v5 | netflow-v8 | netflow-v9 | ipfix }
   Function: Sets the format of NetFlow output packets. The output packet format can be NetFlow v5, v8, v9, or ipfix, default: netflow-v9. When the format is set to v5, the template must be netflow-original. When the format is v8, the template must be netflow ipv4 protocol-port.

   Step 4
   Command: ZXR10(config-flow-exporter)#template data {refresh | timeout }
   Function: Resends module according to the number of packets or time.

   Step 5
   Command: ZXR10(config-flow-exporter)#transport udp
   Function: Sets the NetFlow output protocol to UDP and sets the port number. Range: 1–65535, default: 2055.

   Step 6
   Command: ZXR10(config-flow-exporter)#source {ipv4-address }
   Function: Configures the source IPv4 address of NetFlow packets sent.

   Step 7
   Command: ZXR10(config-flow-exporter)#dscp
   Function: Sets the TOS field in the IP header when a NetFlow packet is sent. Range: 0–63, default: 0.

   refresh : the number of output netflow packets, according to which the module is resent, range: 1–600, default: 20.
   timeout : time, according to which the module is resent, range: 1–86400, default: 600 seconds.


2. Create a flow record policy, and set key and non-key fields.

   Step 1
   Command: ZXR10(config)#flow record
   Function: Creates a flow record policy, and names the policy. You can configure up to 100 different flow record policies. Range of the policy name: 1–32 characters.

   Step 2
   Command: ZXR10(config-flow-record)#match datalink mac {destination-address | source-address}
   Function: Sets the source Medium Access Control (MAC) address or destination MAC address as a key field.

   Command: ZXR10(config-flow-record)#match flow {direction|sample-rate}
   Function: Sets flow direction or sampling rate as a key field.

   Command: ZXR10(config-flow-record)#match interface {input | output}
   Function: Sets input interface index or output interface index as a key field.

   Command: ZXR10(config-flow-record)#match ipv4 {[destination address | address-prefix minimum-mask ]|[source address | address-prefix minimum-mask ]}
   Function: Sets IPv4 information as a key field.

   Command: ZXR10(config-flow-record)#match mpls label stack section
   Function: Sets MPLS information as a key field. : Sets the collection label to the layer 1, 2, 3, 4, or 5 label.

   Command: ZXR10(config-flow-record)#match routing {bgp as-number {destination | source | next-adjacent | prev-adjacent}| next-hop-address {ipv4 | ipv6}}
   Function: Sets the related route next hop information as a key field.

   Command: ZXR10(config-flow-record)#match transport {destination-port |icmp {ipv4 | ipv6}{type | code}| source-port | tcp flags}
   Function: Sets transport layer information as a key field. icmp {ipv4 | ipv6} {type | code}: sets the type field of Internet Control Message Protocol (ICMP) packets as a collection field. The field value is ICMP Type * 256 + ICMP code.

   Command: ZXR10(config-flow-record)#match ip {cos | protocol | version}
   Function: Sets IP information as a key field.

   Command: ZXR10(config-flow-record)#match ipv6 {[destination address | address-prefix minimum-mask ]|[source address | address-prefix minimum-mask ]| flow-label}
   Function: Sets IPv6 information as a key field. Range of len: 1–128.

   Step 4
   Command: ZXR10(config-flow-record)#collect counter {bytes [long]| packets [long]}
   Function: Sets the number and byte number of flow packets as non-key fields.
     bytes: This field has 4 bytes.
     bytes long: This field has 8 bytes.
     packets: This field has 4 bytes.
     packets long: This field has 8 bytes.

   Command: ZXR10(config-flow-record)#collect datalink mac {destination-address | source-address}
   Function: Sets the source MAC address or destination MAC address as a non-key field.

   Command: ZXR10(config-flow-record)#collect flow {direction|sample-rate}
   Function: Sets the flow direction or sampling rate as a non-key field.

   Command: ZXR10(config-flow-record)#collect interface {input | output}
   Function: Sets the input interface index or output interface index as a non-key field.

   Command: ZXR10(config-flow-record)#collect ipv4 {[destination address | address-prefix minimum-mask ]|[source address | address-prefix minimum-mask ]}
   Function: Sets IPv4 information as a non-key field.

   Command: ZXR10(config-flow-record)#collect mpls label stack section
   Function: Sets MPLS information as a non-key field.

   Command: ZXR10(config-flow-record)#collect routing {bgp as-number {destination | source | next-adjacent | prev-adjacent}| next-hop-address {ipv4 | ipv6}}
   Function: Sets the route next hop information as a non-key field.

   Command: ZXR10(config-flow-record)#collect timestamp {sys-uptime {first | last}| absolute {first-millisec | last-millisec}}
   Function: Sets the time or absolute time when a flow is switched for the first or last time as a non-key field.
     sys-uptime first: sets the system power-up time when the flow arrives at the cache for the first time as a collected non-key field. Unit: ms.
     sys-uptime last: sets the system power-up time when the flow is updated in the cache for the last time as the collected non-key field. Unit: ms.

   Command: ZXR10(config-flow-record)#collect transport {destination-port | icmp {ipv4 | ipv6}{code | type}| source-port | tcp flags}
   Function: Sets transport layer information as a non-key field.

   Command: ZXR10(config-flow-record)#collect ip {cos| protocol | version}
   Function: Sets IP information as a non-key field.

   Command: ZXR10(config-flow-record)#collect ipv6 {[destination address | address-prefix minimum-mask ]|[source address | address-prefix minimum-mask ]| flow-label}
   Function: Sets IPv6 information as a non-key field. Range of len: 1–128.

3. Configure a NetFlow sampling policy.

   Step 1
   Command: ZXR10(config)#sampler
   Function: Creates a sampler policy, and names it. Up to 200 different sampler policies can be configured. Range of the policy name: 1–12 characters.

   Step 2
   Command: ZXR10(config-sampler)#mode deterministic –out-of 1–
   Function: Sets the sampling mode and sampling rate.

   deterministic : uses deterministic sampling, that is, if the sampling rate is N, then one packet out of every N packets is sampled.
   : sampling rate, range: 1–65535, default: 1000.

4. Configure a NetFlow monitoring policy.

   Step 1
   Command: ZXR10(config)#flow monitor
   Function: Creates a flow monitor policy, and names it. Up to 60 different flow monitor policies can be configured. Range of the policy name: 1–32 characters.

   Step 2
   Command: ZXR10(config-flow-monitor)#cache {entries | timeout {active | inactive}}
   Function: Sets cache information.

   Step 3
   Command: ZXR10(config-flow-monitor)#exporter
   Function: Associates a flow exporter policy. Associates a pre-set flow exporter policy. That is, the flow monitor policy uses the flow exporter policy for the output of netflow packets. If the flow exporter policy uses v5 output format, the template used by the flow monitor must be the pre-set netflow-original.

   Step 4
   Command: ZXR10(config-flow-monitor)#record {|netflow ipv4 protocol-port|netflow-original}

   entries : sets the buffer size to num, which represents the number of flows that can be stored in the buffer. Range: 16–131072, default: 4096.
   timeout active: active ageing time, unit: second, range: 10–604800, default: 1800.
   timeout inactive: inactive ageing time, unit: second, range: 10–604800, default: 1800.
   record : uses a pre-set flow record policy as the template.
   record netflow-original: predefines the v5 template. Collected key and non-key fields are consistent with those of netflow v5.
   netflow ipv4 protocol-port: predefines the v8 module.

5. Configure a NetFlow interface.

   Step 1
   Command: ZXR10(config)#interface
   Function: Enters interface configuration mode.

   Step 2
   Command: ZXR10(config-if-interface-name)#ip flow monitor [sampler ][unicast|multicast|ipv4–access-list ]{input|output}
   Function: Configures IPv4 packets sampling on the interface.

   Command: ZXR10(config-if-interface-name)#ipv6 flow monitor [sampler ][unicast | multicast | ipv6–access-list ]{input | output}
   Function: Configures IPv6 packets sampling on the interface.

   Command: ZXR10(config-if-interface-name)#mpls flow monitor [sampler ] unicast {input | output}
   Function: Configures MPLS packet sampling on the interface.


ip flow monitor : applies a pre-set netflow monitoring policy on the interface. After the command is run, configurations related to the monitor policy, the cache size, template in use, and collected fields of the template cannot be modified. To modify the configurations, the flow monitoring policy must be deleted from the interface first. Flow active/inactive ageing time and the output policy can be modified. sampler : applies a pre-set sampling policy on the interface. The sampling policy cannot be modified after it is applied on the interface. The modification takes effect only after it is unbound and then applied on the interface. unicast | multicast| ipv4–access-list : type of sampled packets. unicast means sampling unicast packets. multicast means sampling multicast packets. acces s-list means sampling packets that are filtered with the ACL rules. Up to six different ACL rules can be used. In one direction, unicast, multicast, MPLS, and ACL rule packets can be sampled at the same time. Samples from two directions are not mutually exclusive. If ACL rule packets are sampled from one direction, however, unicast and multicast packets cannot be sampled, and vice versa. 6. Verify the configurations. Command

Function

ZXR10#show ip flow exporter []

Displays a flow exporter policy of the specified name or all flow exporter policies.

ZXR10#show ip flow interface []

Displays configurations of the specified interface or all interfaces.

ZXR10#show ip flow monitor []

Displays a flow monitoring policy of the specified name or all flow monitoring policies.

ZXR10#show ip flow record [|

Displays a flow record policy of the

netflow-original | ipv4 protocol-port]

specified name, the pre-defined V5 policy (V5 template: netflow-original), or all flow record policies.

ZXR10#show ip flow sampler []

Displays a sampler policy of the specified name or all sampler policies.

ZXR10#show running-config ipflow [all][|{begin |

Displays NetFlow configurations, or all

exclude | include}]

configurations including default values of un-configured parameters when the command carries the all parameter.

ZXR10#show running-config-interface [all][|{begin | exclude | include}]

to NetFlow.

12-8 SJ-20140504150128-007|2014-05-10 (R1.0)

ZTE Proprietary and Confidential

Chapter 12 NetFlow Configuration

Command: ZXR10#show ip flow service-cpu
Function: Displays information on the service CPU when the NetFlow function is enabled.

– End of Steps –

12.3 NetFlow Configuration Examples

12.3.1 NetFlow V5 Configuration Example

Configuration Description
As shown in Figure 12-1, configure NetFlow on R1, connect the server to R1, and configure an IP address. Configure a route to the server if necessary so that the NetFlow packets can be sent to the server.

Figure 12-1 NetFlow V5 Configuration Example

Configuration Flow
1. Enable the NetFlow service.
2. Configure the flow exporter output, including the server IP address, port number and protocol type.
3. Configure the sampler, setting the sampling rate and sampling mode.
4. Configure the flow monitor cache size, the active timeout value and the inactive timeout value, and bind the configured flow exporter to the system v5 module.
5. Bind the flow monitor policy to the interface, and configure the sampling type and direction.

Configuration Command
Configuration on R1:

R1#configure terminal
R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v5
R1(config-flow-exporter)#exit


R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit

R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record netflow-original
R1(config-flow-monitor)#cache timeout inactive 60
R1(config-flow-monitor)#cache timeout active 10
R1(config-flow-monitor)#exit

R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#exit

Configuration Verification
Check the configuration on R1, as shown below.

R1#show running-config ipflow
!
flow exporter exp
  destination ipv4-address 169.1.109.60
  export-protocol netflow-v5
$
flow monitor mo
  cache timeout active 10
  cache timeout inactive 60
  record netflow-original
  exporter exp
$
sampler sam
  mode deterministic 1-out-of 1024
$
interface gei-6/6
  ip flow monitor mo sampler sam unicast input
$
!
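To confirm on the collector side what this V5 configuration delivers to UDP port 2055, the following added example (not part of the ZTE guide) decodes NetFlow v5 export datagrams, scales counters by the 1-out-of 1024 sampling rate, and reports flows lost between datagrams. The function names, the fallback to the configured rate when the header's sampling field is zero, and the sample flows are assumptions constructed for illustration.

```python
"""Collector-side decoding of NetFlow v5 export datagrams (added example)."""
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
MAX_RECORDS = 30                                    # v5 limit per datagram


def parse_v5(datagram, configured_rate=1024):
    """Validate one datagram and return its flows with sampling-scaled counters.

    configured_rate is the sampler setting (1-out-of 1024 in this example);
    it is used when the header's 14-bit sampling interval is zero (assumption).
    """
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    (version, count, _uptime, _secs, _nsecs, sequence,
     _etype, _eid, sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")
    rate = (sampling & 0x3FFF) or configured_rate   # top 2 bits are the mode
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "sport": f[9], "dport": f[10], "proto": f[13],
            "packets": f[5], "bytes": f[6],
            # Sampled counters under-report; scale them to an estimate.
            "est_packets": f[5] * rate, "est_bytes": f[6] * rate,
        })
    return {"sequence": sequence, "count": count, "rate": rate, "flows": flows}


def missing_flows(prev, cur):
    """Flows lost between two parsed datagrams from the same exporter.

    flow_sequence counts flows exported so far, so the next datagram should
    start at prev.sequence + prev.count. Export runs over UDP, so a gap means
    records never reached the collector.
    """
    expected = (prev["sequence"] + prev["count"]) & 0xFFFFFFFF
    return (cur["sequence"] - expected) & 0xFFFFFFFF


def build_sample(sequence, flows, sampling=0):
    """Build a constructed v5 datagram for offline testing (not captured data)."""
    header = HEADER.pack(5, len(flows), 3600000, 1400000000, 0,
                         sequence, 0, 0, sampling)
    body = b"".join(
        RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
                    1, 2, pkts, octets, 1000, 2000, sport, dport,
                    0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows)
    return header + body


if __name__ == "__main__":
    first = parse_v5(build_sample(
        100, [("192.0.2.10", "198.51.100.7", 51000, 443, 6, 3, 1800)]))
    second = parse_v5(build_sample(
        103, [("192.0.2.11", "198.51.100.7", 51001, 53, 17, 1, 76)]))
    for flow in first["flows"] + second["flows"]:
        print(flow)
    print("flows lost between datagrams:", missing_flows(first, second))
```

A persistent non-zero gap from missing_flows means the collector's view is incomplete, which matters when the flow data feeds detection or billing.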


12.3.2 NetFlow V8 Configuration Example

Configuration Description
As shown in Figure 12-2, configure NetFlow on R1, connect the server to R1, and configure an IP address. Configure a route to the server if necessary so that the NetFlow packets can be sent to the server.

Figure 12-2 NetFlow V8 Configuration Example

Configuration Flow
1. Enable the NetFlow service.
2. Configure the flow exporter output, including the server IP address, port number and protocol type.
3. Configure the sampler, setting the sampling rate and sampling mode.
4. Configure the flow monitor cache size, the active timeout value and the inactive timeout value. Bind the configured flow exporter to the system v8 module.
5. Bind the flow monitor to the interface, and configure the sampling type and direction.

Configuration Command
Configuration on R1:

R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v8
R1(config-flow-exporter)#exit

R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit

R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record netflow ipv4 protocol-port
R1(config-flow-monitor)#cache timeout inactive 60
R1(config-flow-monitor)#cache timeout active 10
R1(config-flow-monitor)#exit


R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#exit

Configuration Verification
Verify the configuration on R1 as shown below.

R1#show running-config ipflow
! < ipflow >
sampler sam
  mode deterministic 1-out-of 1024
$
flow exporter exp
  destination ipv4-address 169.1.109.60
  export-protocol netflow-v8
$
flow monitor mo
  cache timeout active 10
  cache timeout inactive 60
  record netflow ipv4 protocol-port
  exporter exp
$
interface gei-6/6
  ip flow monitor mo sampler sam unicast input
$
!

12.3.3 NetFlow V9 Configuration Example

Configuration Description
As shown in Figure 12-3, configure NetFlow on R1, connect the server to R1, and configure an IP address. Configure a route to the server if necessary so that the NetFlow packets can be sent to the server.

Figure 12-3 NetFlow V9 Configuration Example


Configuration Flow
1. Enable the NetFlow service.
2. Configure the flow exporter output, including the server IP address, port number and protocol type, module refresh time and refresh rate.
3. Configure the match and collect fields of the flow record policy.
4. Configure the flow monitor cache size, the active timeout value and the inactive timeout value, and bind the configured flow exporter policy and flow record policy.
5. Configure the sampler, setting the sampling rate and sampling mode.
6. Bind the flow monitor policy to the interface, and configure the sampling type and direction.

Configuration Command
Configuration on R1:

R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v9
R1(config-flow-exporter)#template data refresh 20
R1(config-flow-exporter)#template data timeout 60
R1(config-flow-exporter)#exit

R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit

R1(config)#flow record rec
R1(config-flow-record)#match ipv4 source address
R1(config-flow-record)#match ipv4 destination address
R1(config-flow-record)#match transport source-port
R1(config-flow-record)#match transport destination-port
R1(config-flow-record)#collect counter bytes
R1(config-flow-record)#collect counter packets
R1(config-flow-record)#exit

R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#cache timeout active 60
R1(config-flow-monitor)#cache timeout inactive 10
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record rec
R1(config-flow-monitor)#exit

R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input


R1(config-if-gei-6/6)#end

Configuration Verification
Check the configuration on R1, as shown below.

R1#show running-config ipflow
!
sampler sam
  mode deterministic 1-out-of 1024
$
flow exporter exp
  destination ipv4-address 169.1.109.60
  #export-protocol netflow-v9
$
flow record rec
  match ipv4 source address
  match ipv4 destination address
  match transport source-port
  match transport destination-port
  collect counter bytes
  collect counter packets
$
flow monitor mo
  cache timeout active 60
  cache timeout inactive 10
  record rec
  exporter exp
$
interface gei-6/6
  ip flow monitor mo sampler sam unicast input
$
!


Chapter 13 SQA Configuration

Table of Contents
SQA Overview
Configuring SQA
SQA Configuration Examples

13.1 SQA Overview
Service Quality Analyzer (SQA) is a measurement-based detection technology. Through SQA, users can obtain a more detailed network quality analysis at the IP layer, and can also check whether the network quality of a specific service meets the requirements of the Service Level Agreement (SLA). The functions of SQA are listed below.

- Users can learn the network performance quickly and then take corresponding measures according to the observed performance.
- Users can use SQA to diagnose and locate network faults, especially QoS faults of some applications.
- SQA supports linkage with some protocols. For example, when the quality of a network worsens to some extent, SQA can enable linkage with policy routing.

Normally, SQA is used to diagnose network faults. For example, on a mobile IP bearer network, when the quality of phone calls declines seriously, it is necessary to check whether there is serious voice packet loss, delay and oscillation (jitter) at the wireless network side and the IP bearer network side at the same time. At the IP bearer network side, it is necessary to check whether there is any serious network fault in the transmission of IP packets between CEs. At the same time, it is also necessary to use the SQA parameters (such as UDP packet oscillation and delay) to determine whether the fault is on the bearer network side. SQA can also be used to probe an operator's network quality periodically and reflect it in real time, so that operators have an overall view of network quality.

13.2 Configuring SQA
This procedure describes how to configure the SQA function.

Steps
1. Configure an SQA instance.


Step 1
Command: ZXR10(config)#sqa-test
Function: Selects a test instance number and enters SQA configuration mode. The range of the instance number is 1–150.

Step 2
Command: ZXR10(config-sqa)#type-icmp [vrf ][source ][repeat ][tos ][ttl < ttl-value>][size ][interval ]

Command: ZXR10(config-sqa)#type-udp [ vrf ][size ][interval ][repeat ]
Function: instance in SQA mode.

Command: ZXR10(config-sqa)#type-tcp [ vrf ][interval ][repeat ]
Function: instance in SQA mode.

Command: ZXR10(config-sqa)#type-ftp copy uesr-name password {encrypted |} file-name root /
Function: Configures an FTP test instance in SQA mode.

Command: ZXR10(config-sqa)#type-dns [vrf ] destination-url dns-ip [repeat ]
Function: Configures a DNS test instance in SQA mode.

Command: ZXR10(config-sqa)#type-http [vrf ]{http-ip|http-url dns-ip }[repeat ]
Function: Configures an HTTP test instance in SQA mode.

Command: ZXR10(config-sqa)#type-snmp [vrf ]
Function: instance in SQA mode.

Command: ZXR10(config-sqa)#type-udp-jitter [vrf ][interval][repeat< repeat-number> size| interval][size interval|repeat< repeat-number>]
Function: Configures a UDP-JITTER

Command: ZXR10(config-sqa)#type-icmp-jitter [vrf ][source ][repeat ][tos ][ttl < ttl-value>][size < size-value>][interval ]

: number of repeat times.
  In an ICMP test, range: 1–65535, default: 1.
  In a UDP test, range: 1–1000, default: 1.
  In a TCP test, range: 1–200, default: 1.
  In a DNS test, range: 1–10, default: 1.
  In an ICMP jitter test, range: 1–65535, default: 1.
: ToS value, range: 0–255, default: 0.
: Time To Live (TTL) value, range: 1–255, default: 255.
: size of a packet.
  In an ICMP test, range: 36–8192 bytes, default: 36 bytes.
  In a UDP test, range: 50–1500 bytes, default: 50 bytes.
  In an ICMP jitter test, range: 40–8192 bytes, default: 40 bytes.
: interval between two packets, unit: ms.
  In an ICMP test, range: 50–65535, default: 100.
  In a UDP test, range: 50–2000, default: 100.
  In a TCP test, range: 1000–4000, default: 1000.
  In an ICMP jitter test, range: 50–65535, default: 100.
: Destination port number, range: 1025–65535.
: user name of the FTP server, range: 1–31 characters.
: clear text password of the FTP server, range: 1–31 characters.
: cipher text password of the FTP server, range: 64 characters.
: FTP source file name, range: 1–79 characters.
/: FTP local path and file name, range: 1–151 characters.
: domain name to be resolved, range: 1–128 characters.
: DNS IP address.

2. Start an SQA test, and enable the Trap alarm.

Step 1
Command: ZXR10(config-sqa)#sqa-begin {now | timerange }
Function: Starts a test in SQA mode. The sqa-stop command stops the test. If now is selected, the test is started immediately.

Step 2
Command: ZXR10(config-sqa)#send-Trap { enable }
Function: Enables the Trap alarm in SQA mode.
: alarm threshold value, range: 1–100.

3. Configure an SQA TCP or UDP server.

Command: ZXR10(config)#sqa-tcp-server
Function: Configures an SQA TCP server. (This configuration is required when you select a TCP test.)

Command: ZXR10(config)#sqa-udp-server
Function: Configures an SQA UDP server. (This configuration is required when you select a UDP test.)

4. Verify the configurations.

Command: ZXR10#show running-config sqa [all][|{begin | exclude | include}]
Function: Displays SQA configurations.

Command: ZXR10#show sqa-test
Function: Displays SQA test configurations.

Command: ZXR10#show sqa-server {udp|tcp}
Function: Displays SQA server configurations.

Command: ZXR10#show sqa-result {udp | tcp | icmp | ftp | dns | http | snmp | udpjitter | icmpjitter}
Function: Displays configurations of each SQA test instance.

– End of Steps –

13.3 SQA Configuration Examples

13.3.1 ICMP-Type SQA Configuration Example

Configuration Description
As shown in Figure 13-1, there is a link between R1 and R3. Packets between R1 and R3 can be forwarded properly.

Figure 13-1 ICMP-Type SQA Configuration Example

Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the ICMP test attributes for the test instance, such as the ICMP test destination address.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.

Configuration Command
The configuration of R1:

R1(config)#sqa-test 1
R1(config-sqa-1)#type-icmp 10.1.0.2
R1(config-sqa-1)#sqa-begin now
%Info 757: The sqa test is starting now, please wait a moment for test result......
R1(config-sqa-1)#

Configuration Verification
The configuration and test result are shown below.

R1#show sqa-test 1
test number:1
test type: ICMP
destination IP: 10.1.0.2
repeat:1
tos:0
ttl: 255
size: 36
interval time:100
send trap:disable

R1#show sqa-result icmp
icmp test[1] result
SendPackets:1
ResponsePackets:1
Completion:success
Destination IP Address: 10.1.0.2
Min/Max/Avg/Sum RTT:29/99/39/787ms
Min/Max/Avg/Sum Positive Jitter:1/7/3/9ms
Min/Max/Avg/Sum Negative Jitter:1/70/35/71ms
Min/Max/Avg/Sum Jitter:1/70/16/80ms
Packet loss rate:0%
Last Probe Time:2012-11-18 01:57:38

13.3.2 FTP-Type SQA Configuration Example

Configuration Description
As shown in Figure 13-2, there is a link between the FTP server and R1. Packets between them can be forwarded properly. The FTP server function must be enabled on the FTP server, and a user name and password must be configured.

Figure 13-2 FTP-Type SQA Configuration Example

Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the FTP test attributes for the test instance, including the FTP server address, user name, password, source file name, destination path and destination file name.
3. Set the SQA test start time to now or a scheduled time.
4. Check the test result.

Configuration Command
Run the following commands on the ZXR10 ZSR V2:

R1(config)#sqa-test 2
R1(config)#type-ftp copy 1.1.1.1 filename abc.txt root /datadisk0/abc.txt
R1(config)#type-ftpusername whopassword who
R1(config-sqa-2)#sqa-begin now
%Info 757: The sqa test is starting now, please wait a moment for test result......
R1(config-sqa-2)#

Configuration Verification
Run the show command to check the configurations and test results. The execution result is displayed as follows:

R1#show sqa-test 2
test number:2
test type: FTP
ftp IP:10.1.0.2
username:who
password: 9654d35c7f907ad5c1a1f803d1e4a21c667d8939cade03478bad7db48099d0e4 /*Encrypted*/
filename:abc.txt
root:/datadisk0/abc.txt
send Trap:disable

R1#show sqa-result ftp
ftp test[2] result
Completion:success
Last RTT:127s
Bytes read:4817497
Last Probe Time:2012-07-29 09:22:58

13.3.3 TCP-Type SQA Configuration Example

Configuration Description
As shown in Figure 13-3, there is a link between R1 and R3. Packets between R1 and R3 can be forwarded properly. Enable a monitoring port of SQA-TCP-server on R3.

Figure 13-3 TCP-Type SQA Configuration Example

Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the TCP test attributes for the test instance, such as the TCP test destination address and port number.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.

Configuration Command
The configuration of R3:

R3(config)#sqa-tcp-server 10.1.0.2 10000

The configuration of R1:

R1(config)#sqa-test 3
R1(config-sqa-3)#type-tcp 10.1.0.2 10000
R1(config-sqa-3)#sqa-begin now
%Info 757: The sqa test is starting now, wait a moment for test result......
R1(config-sqa-3)#

Configuration Verification
The configuration and test result are shown below.

R1#show sqa-test 3
test number:1
test type: TCP
destination IP:10.1.0.2
desitnation port:10000
interval time:1000
repeat:1
send trap:disable

R1#show sqa-result tcp
tcp test[3] result
SendPackets:1
ResponsePackets:1
Completion:success
Destination Ip Address:10.1.0.2
Min/Max/Avg/Sum RTT:5/5/5/5ms
Last Probe Time:2012-07-29 09:45:49


13.3.4 UDP-Type SQA Configuration Example

Configuration Description
As shown in Figure 13-4, there is a link between R1 and R3. Packets between R1 and R3 can be forwarded properly. Enable a monitoring port of SQA-UDP-server on R3.

Figure 13-4 UDP-Type SQA Configuration Example

Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the UDP test attributes for the instance, such as the UDP test destination address and port number.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.

Configuration Command
The configuration of R3:

R3(config)#sqa-udp-server 10.1.0.2 10000

The configuration of R1:

R1(config)#sqa-test 4
R1(config-sqa-4)#type-udp 10.1.0.2 10000
R1(config-sqa-4)#sqa-begin now
%Info 757: The sqa test is starting now, wait a moment for test result......
R1(config-sqa-4)#

Configuration Verification
The configuration and test result are shown below.

R1#show sqa-test 4
test number:1
test type: UDP
destination IP:10.1.0.2
desitnation port:10000
size: 50
interval time:100
repeat:1
send trap:disable

R1#show sqa-result udp
udp test[4] result
SendPackets:1
ResponsePackets:1
Completion:success
Destination IP Address: 10.1.0.2
Min/Max/Avg/Sum RTT:61/63/62/622ms
Min/Max/Avg/Sum Positive Jitter:0/0/0/0ms
Min/Max/Avg/Sum Negative Jitter:1/1/1/2ms
Min/Max/Avg/Sum Jitter:1/1/1/2ms
Packet loss rate:0%
Last Probe Time:2012-09-01 23:52:35

13.3.5 DNS-Type SQA Configuration Example

Configuration Description
As shown in Figure 13-5, configure an SQA test instance on ZXR10 ZSR V2, connect the server to R1, and configure an IP address. Configure a route to the server if necessary so that DNS packets can be sent to the server.

Figure 13-5 DNS-Type SQA Configuration Example

Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, configure the domain name to be resolved by the DNS test and the IP address of the DNS server, and set the number of resolution operations.
3. Set the SQA test start time as right now or at a scheduled time.
4. Check the test result.

Configuration Command
Configuration of R1:

R1(config)#ip domain lookup
R1(config)#ip domain name-server ipv4-address 10.1.0.1
R1(config)#sqa-test 5
R1(config-sqa-5)#type-dns destination-url abc.cn dns-ip 10.1.0.1
R1(config-sqa-5)#sqa-begin now
%Info 757: The sqa test is starting now, wait a moment for test result......
R1(config-sqa-5)#


Configuration Verification
The configuration information and test result are shown below.

R1#show sqa-test 5
test number:1
test type: DNS
destination-url:abc.cn
dns-ip:10.1.0.1
repeat:1
send trap:disable

R1#show sqa-result dns
dns test[5] result
SendPackets:1
ResponsePackets:1
Completion:success
Destination-url:abc.cn
DNS Interpret IP Address:10.1.0.1
Min/Max/Avg/Sum RTT:1010/1010/1010/1010ms
Last Probe Time:2012-07-29 09:49:36


Chapter 14 LLDP Configuration

Table of Contents
LLDP Overview
Configuring LLDP
LLDP Configuration Examples

14.1 LLDP Overview

LLDP Introduction
With the wide application of Ethernet in LANs and Metropolitan Area Networks (MANs), users have increasingly high requirements for Ethernet management. At present, many network management systems use the automatic discovery function to trace topology changes. However, most network management systems can only analyze the network topology up to the network layer. Information such as the interfaces on a device, the interfaces connected to other devices, and the paths among clients, network devices and servers needs to be collected through the link layer. With sufficiently detailed information, users can locate network faults correctly.

Link Layer Discovery Protocol (LLDP) is a protocol defined by IEEE 802.1AB. Network management systems can learn the topology of L2 networks and its changes through LLDP. LLDP organizes local device information into Type/Length/Value (TLV) fields and encapsulates them in a Link Layer Discovery Protocol Data Unit (LLDPDU) that is sent to the directly connected neighbor. At the same time, LLDP saves the LLDPDUs sent by neighbors in the standard MIB, so that network management systems can query and determine the communication states of links.

LLDP Features
LLDP is defined in 802.1AB. As shown in Figure 14-1, LLDP works at the data link layer. It is a neighbor discovery protocol that defines a standard for Ethernet devices (such as switches, routers and wireless LAN access points). Through LLDP, an Ethernet device can advertise its existence to other nodes on the network and save the discovery information of neighbor devices. The device sends its state information to other devices. The information is stored on each port of all devices. If necessary, the device can send update information to the directly connected neighbor devices, and the neighbor devices store the information in standard SNMP MIBs.


Figure 14-1 LLDP System Structure

- Network management systems can query the L2 connection information in the MIB. LLDP does not configure or control network elements or traffic. It just reports the position of L2. Another function defined in 802.1AB is that network management software can use the information provided by LLDP to find conflicts on the L2 network. At present, IEEE uses the physical topology, interface and entity MIBs existing in IETF.
- A device that supports LLDP must support chassis ID advertisements and port ID advertisements. Most devices need to support system name advertisements, system description advertisements and system capability advertisements. System name advertisements and system description advertisements can provide useful information for collecting network traffic. System description advertisements can also contain information such as the full name of the device, the type of the system hardware and the version of the software operating system.
- LLDP information is transmitted periodically and can only be stored for a period. IEEE has defined a recommended transmission frequency of about once per 30 seconds. When an LLDP device receives an LLDP packet sent by a neighbor LLDP device, it stores the information in the cache of the SNMP MIB defined by IEEE. The information is valid only for a period. The TTL value that defines the period is contained in the received packets.
- LLDP enables network management systems to discover and model physical network topologies correctly. LLDP devices send and receive advertisements, so the devices save the information of the discovered neighbor devices. The advertisement data, such as the management address, device type and port number of a neighbor device, helps to identify the type and interconnected interfaces of the neighbor device.
- An LLDP device advertises its information to directly connected neighbor devices periodically. It also receives, refreshes and saves the advertisements from neighbor devices. The device scans the cache every second. If no new packet is received during the hold-time period, the information is aged.
- LLDP defines a general advertisement set, a transport advertisement protocol and a method of storing all received advertisements. A device that wants to advertise its information can put several advertisements in one LAN packet. The information is carried in TLV fields. It includes the chassis ID (mandatory), port ID (mandatory), system name, system function, system description and some other attributes.
  - Chassis ID is the first mandatory TLV in an LLDPDU. It is the unique ID of a device that supports sending LLDPDUs. It is recommended to use the chassis MAC address as the chassis ID for a switch, and to use the loopback address or an interface IP address as the chassis ID for a router.
  - Port ID is the second mandatory TLV in an LLDPDU. It is the unique ID of the port that sends LLDPDUs. For a switch, it is recommended to use the port name as the port ID, such as fei4/1.
  - TTL is the third mandatory TLV in an LLDPDU. It is the living time (in seconds) of an LLDPDU received by the peer. When a peer receives an LLDPDU in which the TTL is 0, the device deletes all related information.
  - End of LLDPDU is the last mandatory TLV in an LLDPDU. It defines the end of an LLDPDU.
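The TLV rules above (Chassis ID, Port ID and TTL first and in that order, End of LLDPDU last, TTL 0 deleting the neighbor, ageing when the lifetime expires) can be checked with the following added example, which is not part of the ZTE guide and is not the router's implementation. The function names are hypothetical, the 7-bit type / 9-bit length header and the subtype numbers follow IEEE 802.1AB, and the sample frame is constructed from the chassis ID and port name shown in this chapter with an assumed TTL of 120 seconds.

```python
"""Parse LLDPDU TLVs and maintain a TTL-aged neighbor cache (added example)."""
import struct

END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3   # mandatory TLV types
MAC_SUBTYPE = 4                 # Chassis ID subtype: MAC address
TEXT_PORT_SUBTYPES = (5, 7)     # Port ID subtypes: interface name, locally assigned


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(payload):
    """Yield (type, value) pairs; reject overruns and a missing End TLV."""
    off = 0
    while off + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, off)
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(payload):
            raise ValueError(f"TLV type {tlv_type} overruns the frame")
        yield tlv_type, payload[off:off + length]
        off += length
        if tlv_type == END:
            return                      # anything after End is padding
    raise ValueError("no End of LLDPDU TLV")


def parse_lldpdu(payload):
    """Return the neighbor identity carried by one LLDPDU."""
    tlvs = list(iter_tlvs(payload))
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    chassis, port, ttl_raw = (value for _, value in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl_raw) != 2:
        raise ValueError("malformed mandatory TLV")
    if chassis[0] == MAC_SUBTYPE and len(chassis) == 7:
        chassis_id = ":".join(f"{b:02x}" for b in chassis[1:])
    else:
        chassis_id = chassis[1:].hex()
    if port[0] in TEXT_PORT_SUBTYPES:
        port_id = port[1:].decode("ascii", "replace")
    else:
        port_id = port[1:].hex()
    return {"chassis_id": chassis_id, "port_id": port_id,
            "ttl": struct.unpack("!H", ttl_raw)[0],
            "optional_types": [t for t, _ in tlvs[3:-1]]}


def update_cache(cache, local_port, payload, now):
    """Refresh or delete a neighbor entry; cache maps key -> expiry time."""
    neighbor = parse_lldpdu(payload)
    key = (local_port, neighbor["chassis_id"], neighbor["port_id"])
    if neighbor["ttl"] == 0:
        cache.pop(key, None)            # TTL 0: delete the neighbor at once
    else:
        cache[key] = now + neighbor["ttl"]
    return neighbor


def age_cache(cache, now):
    """Remove entries whose lifetime has run out; return the removed keys."""
    expired = [key for key, expiry in cache.items() if expiry <= now]
    for key in expired:
        del cache[key]
    return expired


def sample_lldpdu(ttl=120):
    """Constructed frame payload: chassis MAC, port gei-1/1, System Name R3."""
    return (tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("0023e4221134"))
            + tlv(PORT_ID, b"\x05gei-1/1")
            + tlv(TTL, struct.pack("!H", ttl))
            + tlv(5, b"R3")             # type 5 = System Name (optional)
            + tlv(END, b""))


if __name__ == "__main__":
    cache = {}
    print(update_cache(cache, "gei-1/1", sample_lldpdu(), now=0))
    print("aged out at t=120:", age_cache(cache, now=120))
```

LLDP frames are unauthenticated, so a parser that rejects malformed or misordered TLVs and a bounded neighbor table (the maxneighbor setting below) are the main controls against bogus advertisements filling the cache.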

14.2 Configuring LLDP
This procedure describes how to configure basic attributes and functions for LLDP.

Steps
1. Configure LLDP. To configure LLDP on ZXR10 ZSR V2, perform the following steps.

Step 1
Command: ZXR10(config)#lldp
Function: This enters LLDP configuration mode.

Step 2
Command: ZXR10(config-lldp)#hellotime
Function: This configures the interval to send LLDP neighbor discovery packets. It is in the unit of second, and it is in the range of 5–32768, the default value is 30.

Command: ZXR10(config-lldp)#holdtime
Function: This configures the hold-time of an LLDP neighbor. The parameter is a multiple of the interval to send LLDP neighbor discovery packets. It is in the range of 2–10, and the default value is 4.

Command: ZXR10(config-lldp)#maxneighbor
Function: This configures the maximum number of neighbors that can be discovered by LLDP, in the range of 1–128, with the default value of 128.

Step 3
Command: ZXR10(config-lldp)#lldp {enable | disable}
Function: Enables/Disables LLDP function.

Step 4
Command: ZXR10(config-lldp)#lldp-rx {enable | disable}
Function: Enables/Disables LLDP function.

Step 5
Command: ZXR10(config-lldp)#lldp-tx {enable | disable}
Function: Enables/Disables LLDP send function.

Step 6
Command: ZXR10(config-lldp)#txcreditmax
Function: This configures the maximum credit number, in the range of 1-10, with the default value of 5.

Command: ZXR10(config-lldp)#txfastinit
Function: This configures the packets number of fast transmit, in the range of 1-8, with the default value of 4.

Command: ZXR10(config-lldp)#msgfasttx
Function: This configures the interval of fast transmit packets, in the range of 1-3600, with the default value of 1s.

2. Configure LLDP in interface configuration mode.

Step 1
Command: ZXR10(config-lldp-if-interface-name)#lldp {enable | disable}
Function: Enables/Disables LLDP in an interface.

Step 2
Command: ZXR10(config-lldp-if-interface-name)#lldp-rx {enable | disable}
Function: Enables/Disables LLDP receive function in an interface.

Step 3
Command: ZXR10(config-lldp-if-interface-name)#lldp-tx {enable | disable}
Function: Enables/Disables LLDP send function in an interface.

Step 4
Command: ZXR10(config-lldp-if-interface-name)#maxneighbor
Function: This configures the maximum number of neighbors that can be discovered by LLDP, in the range of 1-8, with the default value of 8.

3. Verify the configurations.

Command: ZXR10#show lldp {config [interface ]| entry [interface ]| neighbor [interface ]| statistic [interface ]}
Function: This shows LLDP configuration information, detailed neighbor information, brief neighbor information and statistical information.

4. Maintain the LLDP.

Command: ZXR10#debug lldp { adjacency | event | packets [receive | send]| all }
Function: This shows LLDP related information, event information and packets sending and receiving information.

Command: ZXR10(config-lldp)#clearneighbor
Function: This clears an LLDP neighbor relationship that has been established.

Command: ZXR10(config-lldp)#clearstatistic
Function: This clears LLDP statistical information.

Command: ZXR10(config-if-interface-name)#clearneighbor
Function: This clears an LLDP neighbor relationship that has been established on an interface.

Command: ZXR10(config-if-interface-name)#clearstatistic
Function: This clears LLDP statistical information on an interface.

– End of Steps –

14.3 LLDP Configuration Examples

14.3.1 LLDP Neighbor Configuration Example

Configuration Description
As shown in Figure 14-2, it is required to configure LLDP on gei-1/1 of R1.

Figure 14-2 LLDP Neighbor Configuration Example

Configuration Flow
1. Enter LLDP configuration mode.
2. Enter an interface.
3. Enable LLDP.

Configuration Command
Enter an interface in LLDP configuration mode and then configure LLDP, as shown below.

R1(config)#lldp
R1(config-lldp)#interface gei-1/1
R1(config-lldp-if-gei-1/1)#lldp enable
R1(config-lldp-if-gei-1/1)#end

Configuration Verification
Use the show lldp neighbor command to check the configuration result, as shown below.

R1(config)#show lldp neighbor
Capability Codes: N - Other, r - Repeater, B - Bridge, W - WLAN Access Point,
R - Router, T - Telephone, D - DOCSIS Cable Device, S - Station Only
Local-Port  Chassis-ID    Holdtime  Capability  Platform      Peer-Port
---------------------------------------------------------------------------
gei-1/1     0023e4221134  103       B R         6800v1.00.20  gei-1/1

14.3.2 LLDP Attribute Configuration Example

Configuration Description
As shown in Figure 14-3, it is required to configure LLDP attributes on R1.

Figure 14-3 LLDP Attribute Configuration Example

Configuration Flow
1. Enter LLDP configuration mode.
2. Configure LLDP attributes.

Configuration Command
The configuration of R1:

R1(config)#lldp
R1(config-lldp)#maxneighbor 3 /*Configure the maximum number of system neighbors*/
R1(config-lldp)#hellotime 30000 /*Configure the intervals to send LLDP neighbor discovery packets*/
R1(config-lldp)#holdtime 8 /*Configure LLDP neighbor hold-time*/
R1(config-lldp)#lldp enable /*Enable LLDP*/
R1(config-lldp)#lldp-rx enable /*Enable LLDP receiving*/
R1(config-lldp)#lldp-tx enable /*Enable LLDP sending*/
R1(config-lldp)#clearneighbor /*Clear LLDP neighbor relationship that has been established*/
R1(config-lldp)#clearstatistic /*Clear LLDP statistical information*/
R1(config-lldp)#end

Configuration Verification
Use the show running-config lldp command to check the configuration result.

ZXR10#show running-config lldp
!
lldp
  hellotime 30000
  holdtime 8
  maxneighbor 3
!


Chapter 15 Network Layer Detection

Table of Contents
Configuring ICMP Fast Response
Configuring IP Source Route Option Processing
Configuring ICMP Unreachable Packet Function
Enabling an Interface to Send ICMP Unreachable Packets
Configuring IP Ping
Configuring IP Trace
Configuring LSP Ping
Configuring LSP Trace
Configuring Multicast Ping
Configuring Multicast Trace
Configuring MAC Ping
Configuring MAC Trace
IP Performance Maintenance

15.1 Configuring ICMP Fast Response

Overview
In contrast to the ICMP slow response function, the ICMP fast response function reduces the delay and delay jitter of ping packets, and increases the rate at which network delays meet the required standard.

To detect the connectivity with another node, one node uses the ICMP response function. The source node sends an ICMP Echo Request packet to the destination node. After receiving this packet, the destination node returns an ICMP Echo Reply packet. When the source node receives the corresponding Reply packet, it determines that the network is connected.

The ICMP slow response function means that a destination node sends received Request packets to the control plane, which returns Reply packets. To reduce delays, the ICMP fast response function returns Reply packets directly.

Configuration Commands
To configure the ICMP fast response function, run the following command on the ZXR10 ZSR V2:

Command: ZXR10(config)#ip icmp-fast-reply
Function: Enables the ICMP fast response (ping) function. This function is enabled by default.

Maintenance Commands
To maintain the ICMP fast response function, run the following commands on the ZXR10 ZSR V2:

Command: ZXR10#debug ip icmp
Function: Enables the ICMP debug function, which displays debug information on ICMP processing, and at the same time disables the ICMP fast ping function.

Command: ZXR10#debug ip icmp detail
Function: Enables the ICMP debug function, which displays detailed debug information on ICMP processing, and at the same time disables the ICMP fast response function.

Command: ZXR10#debug ip interface
Function: Enables the IP debug function on the configuration interface, which displays debug information on IP processing, and at the same time disables the ICMP fast response function.

Command: ZXR10#debug ip
Function: Enables the IP debug function, which displays debug information on IP-layer processing, and at the same time disables the ICMP fast response function.

Command: ZXR10#show debug icmp
Function: Displays the enabled ICMP debug functions.

Command: ZXR10#show debug ip
Function: Displays the enabled IP debug functions.

Command: ZXR10#show ip traffic
Function: Displays statistics of received and sent packets at the IP, ICMP, UDP, and TCP layers.

Command: ZXR10#clear ip traffic
Function: Clears statistics of received and sent packets at the IP, ICMP, UDP, and TCP layers.

Configuration Example

Configuration Description
As shown in Figure 15-1, the interface gei-1/1 of R1 is connected to gei-1/1 of R2 directly. The ICMP fast response (ping) function is required between R1 and R2.

Figure 15-1 ICMP Fast Response Configuration Example

Configuration Flow
1. Configure IP addresses of R1 and R2 interfaces.
2. Test the configuration result to make sure that the ICMP fast response (ping) function is enabled between R1 and R2.

Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
R1(config-if-gei-1/1)#exit

Run the following commands on R2:
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 10.1.1.2 255.255.255.0
R2(config-if-gei-1/1)#exit

Configuration Verification
Run the following command to check the configurations on R1. The execution result is displayed as follows:
R1#ping 10.1.1.2
sending 5,100-byte ICMP echoes to 10.1.1.2,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/21 ms.

Run the following command to check the configurations on R2. The execution result is displayed as follows:
R2#ping 10.1.1.1
sending 5,100-byte ICMP echoes to 10.1.1.2,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/21 ms.

Note: The ICMP fast response function is enabled by default. If the corresponding debug function is enabled and then ping is performed, the ICMP fast response (ping) function is disabled.


15.2 Configuring IP Source Route Option Processing

Overview
IP allows a source host to specify a path through an IP network in advance. This path is called a source route. If a source route is specified, the software forwards packets according to the source route. This function can be used to force a packet to pass through a network along a specified route. By default, the software uses a source route.

An IP data packet contains an options field whose length is variable. The options field is used for testing and debugging networks. Each option in this field begins with an option code octet that identifies an option type. Option types are listed below:
- Loose source route option
- Strict source route option

The router software checks the IP header options of each packet. If it finds that one of the options is valid, the software performs corresponding operations. If it finds an invalid option, the software drops the packet and sends an ICMP parameter-problem packet to the packet source. For example, the option code of the loose source route option is 131. Its length is variable, and is determined by the source. The format is shown in Figure 15-2.

Figure 15-2 Loose Source Route Option Packet Format

The length field represents the length of the option in octets (including the option code, length and pointer fields). The pointer field points to the address of the next hop in the source route, and the minimum value is 4 (that is, pointing to the IP address of the first hop). The addresses following the pointer field are the hops designated by the source. The packet must pass these hops.
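The option layout described above can be checked in software, for example to flag source-routed packets in a capture or to reproduce the valid/invalid decision. The following Python sketch is an added example, not ZTE code: the strict source route code 137 and the single-octet options 0 and 1 come from RFC 791, the function names are hypothetical, and the sample headers are constructed from the 10.10.x.x addresses used in this section's configuration example.

```python
import ipaddress
import struct

EOL, NOP = 0, 1            # single-octet options (RFC 791)
LSRR, SSRR = 131, 137      # 131 is the code given above; 137 is strict source route (RFC 791)


class InvalidOption(ValueError):
    """The case in which a router drops the packet and reports a parameter problem."""


def parse_source_route(opt: bytes) -> dict:
    """Validate one source route option: code, length, pointer, then 4-octet hop addresses."""
    length = len(opt)
    if length < 3:
        raise InvalidOption("source route option shorter than code+length+pointer")
    pointer = opt[2]
    if (length - 3) % 4:
        raise InvalidOption("route data is not a whole number of IPv4 addresses")
    # The pointer counts octets from the start of the option, so 4 is the first hop
    # and length + 1 means every listed hop has already been visited.
    if pointer < 4 or pointer % 4 or pointer > length + 1:
        raise InvalidOption(f"pointer {pointer} is outside the option")
    hops = [str(ipaddress.IPv4Address(opt[k:k + 4])) for k in range(3, length, 4)]
    nxt = (pointer - 4) // 4
    return {
        "type": "loose" if opt[0] == LSRR else "strict",
        "hops": hops,
        "next_hop": hops[nxt] if nxt < len(hops) else None,
    }


def source_routes(ip_header: bytes) -> list:
    """Walk the options area of an IPv4 header and return every source route option."""
    if len(ip_header) < 20 or ip_header[0] >> 4 != 4:
        raise InvalidOption("not an IPv4 header")
    ihl = (ip_header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(ip_header):
        raise InvalidOption("header length field is inconsistent")
    opts, i, found = ip_header[20:ihl], 0, []
    while i < len(opts):
        code = opts[i]
        if code == EOL:                      # end of option list
            break
        if code == NOP:                      # padding between options
            i += 1
            continue
        if i + 1 >= len(opts):
            raise InvalidOption("option cut off before its length octet")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise InvalidOption(f"option {code} length {length} overruns the header")
        if code in (LSRR, SSRR):
            found.append(parse_source_route(opts[i:i + length]))
        i += length
    return found


def verdict(ip_header: bytes) -> str:
    """Summarise the decision: invalid option, source-routed, or ordinary packet."""
    try:
        routes = source_routes(ip_header)
    except InvalidOption as exc:
        return f"drop: {exc}"
    return "source-routed" if routes else "no source route"


def build_header(options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (checksum left at zero, not needed here)."""
    options += bytes(-len(options) % 4)      # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address("10.10.10.2").packed,
                        ipaddress.IPv4Address("10.10.20.1").packed)
    return fixed + options


def lsrr(pointer: int, *hops: str, length=None) -> bytes:
    """Constructed loose source route option; 'length' overrides the real length."""
    data = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(data) if length is None else length, pointer]) + data


if __name__ == "__main__":
    for name, option in [("valid", lsrr(4, "10.10.20.2", "10.10.50.1")),
                         ("pointer below 4", lsrr(3, "10.10.20.2", "10.10.50.1")),
                         ("length overrun", lsrr(4, "10.10.20.2", length=40))]:
        print(name, "->", verdict(build_header(option)))
```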

Configuration Commands
To configure the processing of IP source route options, run the following command on the ZXR10 ZSR V2:

Command: ZXR10(config)#ip source-route
Function: Enables the ZXR10 ZSR V2 processing of packets with IP source route options.

Maintenance Commands
To display the IP source route option configuration, run the following command on the ZXR10 ZSR V2:

Command: ZXR10#show running-config ip all
Function: Displays whether the IP source route option processing function is configured.

Refer to 15.1 Configuring ICMP Fast Response for maintenance commands relevant to packet sending and receiving.

Configuration Example

Configuration Description
As shown in Figure 15-3, it is required to configure the IP source route option processing function.

Figure 15-3 IP Source Route Option Processing Configuration Example

Configuration Flow
1. Configure IGP and unicast routes so that the routers can ping each other successfully.
2. Configure source route options on R1.
3. Make the source send IP packets with correct IP options.
4. Make the source send IP packets with incorrect IP options.

Configuration Command
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 10.10.20.1 255.255.255.0
R1(config-if-gei-1/1)#exit
R1(config)#router ospf 1
R1(config-ospf-1)#network 10.10.10.0 0.0.0.255 area 0
R1(config-ospf-1)#network 10.10.20.0 0.0.0.255 area 0
R1(config-ospf-1)#exit
R1(config)#ip source-route

Run the following commands on R2:
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 10.10.20.2 255.255.255.0
R2(config-if-gei-1/1)#exit
R2(config)#router ospf 1
R2(config-ospf-1)#network 10.10.20.0 0.0.0.255 area 0
R2(config-ospf-1)#network 10.10.50.0 0.0.0.255 area 0
R2(config-ospf-1)#exit

Configuration Verification
When the source sends IP packets with correct IP options, the traffic is forwarded properly. When the source sends IP packets with incorrect IP options, the packets are dropped.

15.3 Configuring ICMP Unreachable Packet Function

Overview
If the router receives a non-multicast packet sent by an unknown protocol, the router returns an ICMP unreachable packet to the source address. Similarly, if the router receives a packet that cannot be sent to the destination (because the route to the destination is unknown), it sends an ICMP host unreachable packet to the source address. By default, ICMP unreachable packets are valid.

Configuration Commands
To configure the ICMP unreachable packet function, run the following commands on the ZXR10 ZSR V2:

Command: ZXR10(config)#icmp-config
Function: Enters ICMP configuration mode.

Command: ZXR10(config-icmp)#interface
Function: Enters ICMP interface configuration mode.

Command: ZXR10(config-icmp-if-interface-name)#ip unreachable
Function: Enables the interface function of sending ICMP unreachable packets.

Maintenance Commands
To view detailed information on packet sending and receiving after the ICMP unreachable packet function is configured, run the following command. For other commands, refer to 15.1 Configuring ICMP Fast Response.

Command: ZXR10#debug ip icmp detail
Function: Displays information on ICMP packets.


Configuration Example

Configuration Description
As shown in Figure 15-4, R1 receives packets with an unknown protocol, and ICMP unreachable packets are valid.

Figure 15-4 ICMP Unreachable Packet Function Configuration Example

Configuration Flow
1. Enter ICMP configuration mode.
2. Enable the ICMP unreachable packet function on a specified interface.
3. Configure ICMP unreachable packets to be valid on the interface.

Configuration Commands
Run the following commands on R1:
R1(config)#icmp-config
R1(config-icmp)#interface gei-1/1
R1(config-icmp-if-gei-1/1)#ip unreachable
R1(config-icmp-if-gei-1/1)#exit
R1(config-icmp)#exit

R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#ip address 60.0.0.1 255.255.255.0
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip forward unreachable
R1(config-if-gei-1/1)#exit

Configuration Verification
When the PC sends unknown protocol packets to R1, R1 sends ICMP unreachable packets to the PC.

15.4 Enabling an Interface to Send ICMP Unreachable Packets

Overview
Packets that are regarded as ICMP unreachable are dropped. To make these packets valid, you need to configure this function for the interface. Then, the forwarding plane reports a packet whose protocol is unknown or whose route cannot be found to the control plane. The control plane returns an ICMP unreachable packet to the source node. This function is disabled by default.

Configuration Commands
To enable an interface to send ICMP unreachable packets, run the following command on the ZXR10 ZSR V2:

Command: ZXR10(config)#interface
Function: Enters the interface configuration mode.

Command: ZXR10(config-if-interface-name)#ip forward unreachable
Function: Enables the interface to send unreachable packets. Ethernet and POS interfaces are supported.

Maintenance Commands
To view information on packet sending and receiving after the configuration is performed, run the following command on the ZXR10 ZSR V2. For other commands, refer to 15.1 Configuring ICMP Fast Response.

Command: ZXR10#debug ip icmp detail
Function: Displays information on ICMP packets.

Configuration Example

Configuration Description
As shown in Figure 15-5, the interface receives a packet with an unknown destination, and returns an ICMP unreachable packet.

Figure 15-5 Configuration Example of an Interface Sending ICMP Unreachable Packets

Configuration Flow
1. Configure interface addresses for the devices.
2. Configure a static route between the two devices that are not directly connected.
3. Configure ICMP unreachable packets to be valid on the interface.

Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#exit

R1(config)#ip route 1.2.3.4 255.255.255.255 10.1.1.2

Run the following commands on R2:
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#ip address 10.1.1.2 255.255.255.0
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip forward unreachable
R2(config-if-gei-1/1)#exit

R2(config)#icmp-config
R2(config-icmp)#interface gei-1/1
R2(config-icmp-if-gei-1/1)#ip unreachable
R2(config-icmp-if-gei-1/1)#exit

Configuration Verification
R2 does not have a route to 1.2.3.4/32. Run the debug ip icmp detail command on R2. Run the ping 1.2.3.4 command on R1. You can see that R2 sends host unreachable packets to R1.

15.5 Configuring IP Ping

Overview

Description of Ping
The name ping comes from sonar location. Ping is used to test whether another host is reachable. The program sends an ICMP Echo Request to the host and waits for an ICMP Echo Reply. If a host cannot be pinged successfully, the host cannot be logged in to through Telecommunication Network Protocol (TELNET) or FTP. Conversely, if a host cannot be logged in to through TELNET, the ping program can be used to find out the problem. The ping program can also be used to measure the round-trip time to the host, which indicates how far away the host is.

Characteristics of Ping
The ping command sends an ICMP Echo Request. If the destination receives the ICMP Echo Request, it will send an ICMP Echo Reply to the source address of the Echo Request. Therefore, the ping command can be used to diagnose network connectivity faults. The ping program that sends an Echo Request is called a client, and the host that is pinged is called a server. Most Transfer Control Protocol/Internet Protocol (TCP/IP) implementations support the ping server directly in the kernel. The server is not a user process. The format of an ICMP Echo Request and an ICMP Echo Reply is shown in Figure 15-6.

Figure 15-6 Format of an ICMP Echo Request/Reply

If the type code is 8, it is an ICMP Echo Request packet. If the type code is 0, it is an ICMP Echo Reply packet. As with other types of ICMP query packets, a server must return the identifier and the serial number in its reply. In addition, the option sent by a client must be echoed, on the assumption that the client is interested in the information. The serial number starts from 0, and it increments by one when a new Echo Request is sent. The ping program displays the serial number of each returning packet, which allows users to check whether packets are lost, out of order or duplicated.
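The echo exchange and the serial-number bookkeeping described above can be reproduced offline. The following Python sketch is an added example, not ZTE code: it assumes the standard ICMP echo layout (type, code, checksum, identifier, serial number, data), the function names are hypothetical, and the packets and arrival order used in it are constructed.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0     # the type codes named above


def checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes = b"") -> bytes:
    """Assemble an echo packet: type, code 0, checksum, identifier, serial number, data."""
    body = struct.pack("!HH", ident, seq) + data
    csum = checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body


def parse_echo(packet: bytes) -> dict:
    """Decode and verify an echo packet; raise ValueError on anything malformed."""
    if len(packet) < 8:
        raise ValueError("shorter than the 8-octet echo header")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request or reply")
    if checksum(packet) != 0:       # a correct packet sums to zero over all octets
        raise ValueError("checksum mismatch")
    return {"type": icmp_type, "id": ident, "seq": seq, "data": packet[8:]}


def make_reply(request: bytes) -> bytes:
    """Server side: echo the identifier, serial number and data back with type 0."""
    req = parse_echo(request)
    if req["type"] != ECHO_REQUEST:
        raise ValueError("only an echo request is answered")
    return build_echo(ECHO_REPLY, req["id"], req["seq"], req["data"])


def reply_matches(request: bytes, reply: bytes) -> bool:
    """Client side: accept a reply only if it echoes exactly what was sent."""
    try:
        req, rep = parse_echo(request), parse_echo(reply)
    except ValueError:
        return False
    return ((req["type"], rep["type"]) == (ECHO_REQUEST, ECHO_REPLY)
            and all(req[k] == rep[k] for k in ("id", "seq", "data")))


def analyse_sequence(sent: int, arrived: list) -> dict:
    """Classify serial numbers 0..sent-1 given the order in which replies arrived."""
    seen, duplicated, out_of_order, highest = set(), [], [], -1
    for seq in arrived:
        if seq in seen:
            duplicated.append(seq)
            continue
        seen.add(seq)
        if seq < highest:
            out_of_order.append(seq)
        else:
            highest = seq
    lost = [seq for seq in range(sent) if seq not in seen]
    return {"lost": lost, "duplicated": duplicated, "out_of_order": out_of_order}


if __name__ == "__main__":
    request = build_echo(ECHO_REQUEST, 0x1234, 0, b"constructed payload")
    print(reply_matches(request, make_reply(request)))
    print(analyse_sequence(5, [0, 1, 3, 2, 3]))      # constructed arrival order
```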

Configuration Commands
To configure IP ping on the ZXR10 ZSR V2, run the following commands:

Command: ZXR10>ping [vrf ]{|domain }
Function: Pings an IP address in user mode.

Command: ZXR10#ping [{dcn|vrf }]{|domain }
Function: Pings an IP address in privileged

df-bit : flag indicating no fragmentation, options: 0, 1, default: 0 (indicating that fragmentation is allowed).
pattern : value of the pad field in a packet.
option: whether to configure the IP options. The value 1 means that IP options can be configured.
speed limite : number of ping packets sent per second.
speed interval: interval between two data request packets, unit: second, range: 2–10.
loose | strict : specified source station route, format: dotted decimal.
record : maximum number of hops that needs to be recorded, range: 1–9.
timestamp : maximum number of timestamps that needs to be recorded, range: 1–9.

Maintenance Commands
To maintain IP Ping, run the following command on the ZXR10 ZSR V2:

Command: ZXR10#debug ip icmp
Function: Displays the information on ICMP packets sent and received when the ping command is run.

Configuration Example

Configuration Description
As shown in Figure 15-7, two interfaces on two devices in the same network segment use the ping command to test the connectivity.

Figure 15-7 IP Ping Configuration Example

Configuration Flow
1. Enter interface configuration mode and configure IP addresses on the interfaces for communication.
2. Run the ping command in privileged mode.

Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 100.0.0.15 255.255.255.0
R1(config-if-gei-1/1)#exit

Run the following commands on R2:
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 100.0.0.20 255.255.255.0
R2(config-if-gei-1/1)#exit

Configuration Verification
Run the ping command on R1 to check the connectivity. The execution result is displayed as follows:
R1#ping 100.0.0.20
sending 5,100-byte ICMP echoes to 100.0.0.20,timeout is 2 seconds.
!!!!! /*The result shows that the address can be pinged successfully.*/
Success rate is 100 percent(5/5),round-trip min/avg/max= 17/18/20ms.

R1#ping 100.0.0.21
sending 5,100-byte ICMP echoes to 100.0.0.21,timeout is 2 seconds.
..... /*The result shows that the address cannot be pinged successfully.*/
Success rate is 0 percent(0/5).

15.6 Configuring IP Trace

Overview

Description of IP Trace
The trace command is used for debugging. It displays the route that an IP data packet passes through from one host to another host. Because the space left to options in an IP header is limited, the route record option cannot be used. The trace command uses ICMP packets and the TTL field in IP headers to accomplish its function.

Work Flow of IP Trace
IP Trace obtains a router address through the following procedure:
1. The "trace" program sends an IP data packet to the destination host. The value of the TTL field in the IP header is 1. The first router that receives this packet reduces the value of the TTL field by 1. It drops the packet, and returns a timeout ICMP packet. In this way, the address of the first router is obtained.
2. The "trace" program sends an IP data packet whose TTL field in the IP header is 2. In this way, the address of the second router is obtained.
3. The "trace" program continues with this procedure until a packet arrives at the destination host.

IP Trace identifies the end of "trace" through the following procedure:
1. The "trace" program sends a UDP data packet to a large port number on the destination host, chosen so that no application on the destination host is likely to be using that port.
2. When the data packet arrives at the host, the UDP module generates an ICMP packet indicating that the port is unreachable.
3. In this way, by identifying whether the received ICMP packet is a timeout packet or an unreachable port packet, the sending side knows when "trace" ends.

The interfaces between the "trace" module and sub-modules are shown in Figure 15-8.

Figure 15-8 Interfaces Between the "Trace" Module and Sub-Modules

Configuration Commands
To configure IP trace on ZXR10 ZSR V2, run the following commands:

Command: ZXR10>trace [vrf ]
Function: Traces an IP address in user mode.

Command: ZXR10#trace [{dcn|vrf }]{|domain }[source ][maxttl ][timeout ]
Function: Traces an IP address in privileged mode.

The trace command uses ICMP error packets. An ICMP error packet is generated when a data packet exceeds its TTL value. By sending a data packet whose TTL value is 1, the trace command triggers the first router to drop the packet and return an error packet. A TTL timeout packet means that an intermediate router received the probe packet and discarded it. An ICMP error packet indicating that the destination is unreachable means that the destination node received the packet but could not deliver it. If the timer expires before a reply arrives, the "trace" program displays a "*" mark.
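The TTL procedure and the end-of-trace rule described above can be followed in a small model. The following Python sketch is an added example, not ZTE code: it simulates the path instead of sending packets, the ICMP type/code pairs (11, 0) and (3, 3) are the standard values for TTL exceeded and port unreachable, the names are hypothetical, and the sample path is constructed from the addresses in this section's verification output, with one hop that sends no ICMP errors.

```python
from dataclasses import dataclass

TIME_EXCEEDED = (11, 0)       # ICMP type 11 code 0: TTL expired in transit
PORT_UNREACHABLE = (3, 3)     # ICMP type 3 code 3: no listener on the UDP port


@dataclass
class Hop:
    address: str
    answers: bool = True      # False models a router that sends no ICMP errors


def send_probe(path, destination, ttl, destination_answers=True):
    """Carry one UDP probe along the path; return (type, code, sender) or None."""
    for hop in path:
        ttl -= 1                              # every router reduces the TTL by 1
        if ttl == 0:                          # expired here: the probe is dropped
            return (*TIME_EXCEEDED, hop.address) if hop.answers else None
    # The probe reached the destination host, where the large port is unused.
    return (*PORT_UNREACHABLE, destination) if destination_answers else None


def trace(path, destination, max_ttl=30, probes=3, destination_answers=True):
    """Return ([(ttl, responder or '*')], status) the way the trace program reports it."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(path, destination, ttl, destination_answers)
                   for _ in range(probes)]
        answered = [r for r in replies if r is not None]
        rows.append((ttl, answered[0][2] if answered else "*"))
        # Only a port-unreachable error proves that the destination was reached.
        if any(r[:2] == PORT_UNREACHABLE for r in answered):
            return rows, "finished"
    return rows, "max ttl reached"


# Constructed path: the fourth router stays silent, so its row shows "*".
SAMPLE_PATH = [
    Hop("100.0.0.22"), Hop("10.17.94.81"), Hop("10.28.5.61"),
    Hop("silent router (address never learned)", answers=False),
    Hop("202.70.62.169"), Hop("202.43.177.81"), Hop("218.100.27.30"),
]
SAMPLE_DESTINATION = "175.103.59.110"

if __name__ == "__main__":
    rows, status = trace(SAMPLE_PATH, SAMPLE_DESTINATION)
    for ttl, responder in rows:
        print(ttl, responder)
    print(f"[{status}]")
```

A destination that filters the probes or sends no port-unreachable errors never produces the terminating packet, so the model runs to the maximum TTL with "*" rows, which is what a filtered target looks like from the tracing side.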


Maintenance Commands
The following example shows the output of the trace command used in privileged mode. The trace command traces the path to 168.1.10.100.
ZXR10#trace 168.1.10.100
tracing the route to 168.1.10.100
1 168.1.10.100 2 ms 3 ms 5 ms
[finished]

Descriptions of the command output:

Command Output: 1
Description: The sequence number of a router along the route to the destination.

Command Output: 168.1.10.100
Description: The IP address of a router along the route. The last IP address is the destination.

Command Output: 2 ms 3 ms 5 ms
Description: The round-trip time of each of the three detection probes.

Configuration Example

Configuration Description
As shown in Figure 15-9, the trace command is run on R1 to detect the route to R2.

Figure 15-9 IP Trace Configuration Example

Configuration Flow
1. Configure interface addresses and routes.
2. Run the trace command in privileged mode.

Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 100.0.0.15 255.255.255.0
R1(config-if-gei-1/1)#exit
R1(config)#router ospf 1
R1(config-ospf-1)#network 100.0.0.0 0.0.0.255 area 0
R1(config-ospf-1)#end

Configuration Verification
The execution result of the trace command on R1 is displayed as follows:
R1#trace 175.103.59.110
tracing the route to 175.103.59.110
over a maximum of 30 hops:
1 100.0.0.22 55 ms 2 ms 2 ms /*The IP address on the first-hop device and time delays*/
2 10.17.94.81 176 ms 143 ms 333 ms
3 10.28.5.61 131 ms 133 ms 134 ms
4 * * * /*The fourth-hop device does not return any packet. There are "*" marks.*/
5 202.70.62.169 151 ms 149 ms 146 ms
6 202.43.177.81 176 ms 162 ms 165 ms
7 218.100.27.30 142 ms 134 ms 159 ms
8 175.103.59.110 140 ms 166 ms 138 ms
[finished]

15.7 Configuring LSP Ping

Overview

Description of LSP Ping
On an MPLS network, if IP ping is used, labels are added to ping packets and label switching is performed. IP ping, however, only checks connectivity on the IP plane, and cannot check LSPs. On an MPLS network, if an LDP session between two LSRs is disconnected, labels cannot be forwarded. In this case, IP ping packets are reachable, but the LSP fails. Various factors cause LSP faults. For example, an LDP session is disconnected, LDP is not enabled on some LSRs, or an exception occurs in an LDP label forwarding table. A mechanism different from IP ping is needed to detect whether an end-to-end LSP is operating properly. LSP ping was developed for this purpose. LSP ping uses a packet belonging to a specific Forwarding Equivalence Class (FEC) to verify the integrity of the LSP (from the source LSR to the destination LSR) that belongs to this FEC. An LSP ping request packet contains information on the corresponding FEC.

Work Flow of LSP Ping
An LSP ping packet is encapsulated in a UDP packet, and contains a serial number and a time stamp. When processing an LSP ping request packet, MPLS uses the same forwarding policy as for packets of the FEC. When the LSP ping packet reaches an LSP egress, the LSR control plane checks the packet to verify whether this LSP is the correct egress of the FEC. Similar to IP ping, LSP ping also uses the Echo Request and Echo Reply mechanism. But the LSP ping packet format is completely different from the IP ping packet format. Packets sent by LSP ping are not ICMP packets but UDP packets whose port number is 3503.

On an MPLS network, LSP ping works as follows:
1. A source device sends a UDP Echo Request packet whose port number is 3503.
2. LSRs forward the Echo Request packet through label switching.
3. When the packet reaches the destination device, the destination device responds with a UDP Echo Reply packet whose port number is 3503.

To prevent IP packets from being forwarded when an IP path is operating properly but an LSP is disconnected, the value of the IP TTL field in an LSP ping Echo Request packet is set to 1, and the destination address of the packet is set to an address in the 127.0.0.0/8 segment. LSRs do not forward such an IP packet without an MPLS label.

An LSP is unidirectional. An LSP ping Echo Request packet is only forwarded along the LSP to be tested. The corresponding Echo Reply packet only sends necessary information to the source, and it does not need to go along the same path as that of the Echo Request packet. The reply packet can also be an IP packet without a label. The path of an MPLS Echo Request packet of LSP ping and that of the corresponding Echo Reply packet may be different. The destination address and destination port of the Echo Reply packet are the source address and source port of the Echo Request packet respectively.
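The addressing rules stated above (UDP port 3503, IP TTL 1, destination in 127.0.0.0/8, reply sent back to the request's source address and port) can be checked on captured packets. The following Python sketch is an added example, not ZTE code: it inspects only the IPv4 and UDP headers and not the MPLS echo payload, the function names are hypothetical, the sample packets are constructed, and 10.28.0.2 is an assumed address for the sending router.

```python
import ipaddress
import struct

LSP_PING_PORT = 3503
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
UDP = 17                                   # IP protocol number of UDP


def parse_ipv4_udp(packet: bytes) -> dict:
    """Extract the fields the LSP ping rules refer to from an IPv4+UDP packet."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet carrying UDP")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != UDP or len(packet) < ihl + 8:
        raise ValueError("not an IPv4 packet carrying UDP")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {
        "ttl": packet[8],
        "src": ipaddress.IPv4Address(packet[12:16]),
        "dst": ipaddress.IPv4Address(packet[16:20]),
        "sport": sport,
        "dport": dport,
    }


def echo_request_violations(packet: bytes) -> list:
    """List every way a claimed Echo Request breaks the rules; empty means conforming."""
    p = parse_ipv4_udp(packet)
    problems = []
    if p["dport"] != LSP_PING_PORT:
        problems.append("destination port is not 3503")
    if p["ttl"] != 1:
        problems.append(f"IP TTL is {p['ttl']}, expected 1")
    if p["dst"] not in LOOPBACK:
        problems.append(f"destination {p['dst']} is outside 127.0.0.0/8")
    return problems


def reply_answers_request(request: bytes, reply: bytes) -> bool:
    """True if the reply comes from port 3503 and targets the request's source."""
    req, rep = parse_ipv4_udp(request), parse_ipv4_udp(reply)
    return (rep["sport"] == LSP_PING_PORT
            and rep["dst"] == req["src"]
            and rep["dport"] == req["sport"])


def make_packet(src, dst, ttl, sport, dport, payload=b"") -> bytes:
    """Constructed IPv4+UDP sample (checksums left at zero, not needed for these checks)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, UDP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


if __name__ == "__main__":
    request = make_packet("10.28.0.2", "127.0.0.1", 1, 49152, 3503)
    routable = make_packet("10.28.0.2", "10.28.0.4", 64, 49152, 3503)
    reply = make_packet("10.28.0.4", "10.28.0.2", 255, 3503, 49152)
    print(echo_request_violations(request))
    print(echo_request_violations(routable))
    print(reply_answers_request(request, reply))
```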

Configuration Commands
To configure LSP ping on the ZXR10 ZSR V2, run the following commands:

Command: ZXR10#ping mpls ipv4 [output-interface ][destination [][]][repeat | size | timeout | source {|}| ttl ]

Command: ZXR10#ping mpls traffic-eng te_tunnel[{master|slave}][repeat | size | timeout | source {|}| ttl ]
Function: Configures RSVP LSP ping.

Command: ZXR10#ping mpls pseudowire [multisegment][repeat | size | timeout | source {|}| ttl ]
Function: Configures PWE3 LSP ping.

: number of retry attempts, range: 1–65535, default: 5.
: LSP ping packet size, range: 100-1500, unit: byte, default: 120.
: timeout period, unit: second, range: 1–20, default: 2.
master : specifies that the master LSP sends LSP ping packets.
slave : specifies that the slave LSP sends LSP ping packets.
multisegment: enables the ping multisegment pseudowire function.

Maintenance Commands
To maintain LSP ping on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#debug lspv {error | event | packet | tlv | all}
Function: Displays information on sent UDP Echo Request packets and received UDP Echo Reply packets when LSP ping is performed.

LDP LSP Ping Configuration Example

Configuration Description
As shown in Figure 15-10, LDP is enabled on R1, R2 and R3. It is required to configure LSP ping on R1 to check connectivity.

Figure 15-10 LDP LSP Ping Configuration Example

Configuration Flow
1. Build an LDP network.
2. Perform LDP LSP ping on R1.

Configuration Commands
For LDP configuration, refer to the MPLS configuration example.

Configuration Verification
Ping R3 on R1. The result is displayed as follows:
R1#ping mpls ipv4 10.28.0.4 32
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
  'L' - labeled output interface, 'B' - unlabeled output interface,
  'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
  'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
  'P' - no rx intf label prot, 'p' - premature termination of LSP,
  'R' - transit router, 'I' - unknown upstream index,
  'X' - unknown return code, 'x' - return code 0 'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 5/38/151 ms.

Ping R3 (unmatching FEC) on R1. The result is displayed as follows:
R1#ping mpls ipv4 10.28.0.4 30
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
  'L' - labeled output interface, 'B' - unlabeled output interface,
  'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
  'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
  'P' - no rx intf label prot, 'p' - premature termination of LSP,
  'R' - transit router, 'I' - unknown upstream index,
  'X' - unknown return code, 'x' - return code 0 'd' - DDMAP
QQQQQ
Success rate is 0 percent(0/5).

R1 cannot ping R3 successfully. LSP ping checks whether the "FEC destination address + mask" is correct. If the "FEC destination address + mask" is incorrect, LSP ping fails.

Ping R3 (nonexistent FEC) on R1. The result is displayed as follows:
R1#ping mpls ipv4 9.9.9.8 32
sending 5,120-byte MPLS echo(es) to 9.9.9.8,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
       'L' - labeled output interface, 'B' - unlabeled output interface,
       'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
       'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
       'P' - no rx intf label prot, 'p' - premature termination of LSP,
       'R' - transit router, 'I' - unknown upstream index,
       'X' - unknown return code, 'x' - return code 0 'd' - DDMAP
QQQQQ
Success rate is 0 percent(0/5).
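The three results above differ only in the per-probe code line and the summary line, so they are easy to check automatically. The following parser is an added example, not ZTE code: it maps each code to the legend text, and flags transcripts whose summary disagrees with the codes. The function name and the third (inconsistent) transcript are constructed for illustration.

```python
import re
from collections import Counter

# Result codes, taken from the legend that "ping mpls" prints on this page.
LEGEND = {
    "!": "success", "Q": "request not sent", ".": "timeout",
    "L": "labeled output interface", "B": "unlabeled output interface",
    "D": "DS Map mismatch", "F": "no FEC mapping", "f": "FEC mismatch",
    "M": "malformed request", "m": "unsupported tlvs", "N": "no rx label",
    "P": "no rx intf label prot", "p": "premature termination of LSP",
    "R": "transit router", "I": "unknown upstream index",
    "X": "unknown return code", "x": "return code 0", "d": "DDMAP",
}

SENT_RE = re.compile(
    r"sending (\d+),(\d+)-byte MPLS echo\S* to (\S+?),timeout is (\d+) second")
RATE_RE = re.compile(r"Success rate is (\d+) percent\((\d+)/(\d+)\)")
RTT_RE = re.compile(r"round-trip min/avg/max=\s*(\d+)/(\d+)/(\d+) ms")


def parse_ping_mpls(text):
    """Parse one 'ping mpls' transcript into counts, failures and sanity checks."""
    sent, rate = SENT_RE.search(text), RATE_RE.search(text)
    if not sent or not rate:
        raise ValueError("not a 'ping mpls' transcript")
    # The per-probe result line consists only of legend characters, e.g. "!!!!!".
    codes = ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and all(ch in LEGEND for ch in stripped):
            codes = stripped
    probes = int(sent.group(1))
    percent, ok, total = (int(g) for g in rate.groups())
    tally = Counter(codes)
    # Cross-check the summary line against the per-probe codes.
    problems = []
    if len(codes) != probes or total != probes:
        problems.append("probe count mismatch")
    if tally["!"] != ok:
        problems.append("success count mismatch")
    if total and percent != ok * 100 // total:
        problems.append("percentage mismatch")
    rtt = RTT_RE.search(text)
    return {
        "target": sent.group(3),
        "probes": probes,
        "codes": codes,
        "failures": {c: LEGEND[c] for c in tally if c != "!"},
        "success": ok == total and not problems,
        "rtt_ms": tuple(int(g) for g in rtt.groups()) if rtt else None,
        "problems": problems,
    }


# Transcripts from this page (line breaks restored, legend shortened).
PING_OK = """R1#ping mpls ipv4 10.28.0.4 32
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 5/38/151 ms.
"""
PING_BAD_MASK = """R1#ping mpls ipv4 10.28.0.4 30
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
QQQQQ
Success rate is 0 percent(0/5).
"""
# Constructed transcript: one probe timed out but the summary claims 5/5.
PING_INCONSISTENT = """sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
!!.!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 5/38/151 ms.
"""

if __name__ == "__main__":
    for sample in (PING_OK, PING_BAD_MASK, PING_INCONSISTENT):
        print(parse_ping_mpls(sample))
```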

RSVP LSP Ping Configuration Example

Configuration Description
As shown in Figure 15-11, RSVP is enabled on R1, R2 and R3. Build an Open Shortest Path First–Traffic Engineering (OSPF-TE) network. It is required to configure LSP ping on R1 to check connectivity.

Figure 15-11 RSVP LSP Ping Configuration Example

Configuration Flow
1. Build an OSPF-TE network.
2. Perform RSVP LSP ping on R1.

Configuration Command
For RSVP configuration, refer to the OSPF-TE configuration example.

Configuration Verification
Run the following command to check configurations on R1. The execution result is displayed as follows:
R1#show mpls traffic-eng tunnels brief
Signalling Summary:
LSP Tunnels Process:    running
RSVP Process:           running
Forwarding:             enabled
TUNNEL NAME    DESTINATION    UP IF    DOWN IF    STATE/PROT
tunnel_4000    10.28.0.5      -        unknown    up/down
tunnel_1       10.28.0.4      -        gei-1/2    up/up

Test connectivity of the tunnel on R1. The execution result is displayed as follows:
R1#ping mpls traffic-eng te_tunnel1 /*TE tunnel of LSP Ping UP on R1*/
sending 5,120-byte MPLS echo(es) to te_tunnel1,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
       'L' - labeled output interface, 'B' - unlabeled output interface,
       'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
       'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
       'P' - no rx intf label prot, 'p' - premature termination of LSP,
       'R' - transit router, 'I' - unknown upstream index,
       'X' - unknown return code, 'x' - return code 0 'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 2/3/6 ms.

R1#ping mpls traffic-eng te_tunnel4000 /*TE tunnel of LSP Ping DOWN on R1*/
sending 5,120-byte MPLS echos to te_tunnel4000,timeout is 2 seconds.
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
       'L' - labeled output interface, 'B' - unlabeled output interface,
       'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
       'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
       'P' - no rx intf label prot, 'p' - premature termination of LSP,
       'R' - transit router, 'I' - unknown upstream index,
       'X' - unknown return code, 'x' - return code 0 'd' - DDMAP
QQQQQ
Success rate is 0 percent(0/5).

PWE3 LSP Ping Configuration Example

Configuration Description
As shown in Figure 15-12, R1, R2 and R3 form an L2 VPN network. It is required to configure LSP ping on R1 to check connectivity.

Figure 15-12 PWE3 LSP Ping Configuration Example

Configuration Flow
1. Build an L2 VPN network.
2. Perform PWE3 LSP ping on R1.

Configuration Commands
Basic LDP configuration is omitted here.

Configuration Verification
Run the following command to check configurations on R1. The execution result is displayed as follows:
R1#show l2vpn forwardinfo vpnname zte
Hearders: PWType - Pseudowire type and Pseudowire connection mode
          Llabel - Local label, Rlabel - Remote label
          VPNowner - owner type and instance name
Codes: H - HUB mode, S - SPOKE mode, L - VPLS, W - VPWS, M – MSPW, MO - MONITOR
       $pw - auto_
PWName  PeerIP     FEC  PWType      State  Llabel  Rlabel  VPNowner
pw1     10.28.0.4  128  Ethernet H  UP     81938   82241   L:zte

Run the following command on R1 to test connectivity. The execution result is displayed as follows:
R1#ping mpls pseudowire pw1
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
       'L' - labeled output interface, 'B' - unlabeled output interface,
       'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
       'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
       'P' - no rx intf label prot, 'p' - premature termination of LSP,
       'R' - transit router, 'I' - unknown upstream index,
       'X' - unknown return code, 'x' - return code 0 'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 2/2/2 ms.

15.8 Configuring LSP Trace

Overview

Description of LSP Trace
To make routers on the Internet report errors of the MPLS LSP data plane or provide information on unexpected conditions, the MPLS trace function is provided. MPLS trace is a simple and effective method of detecting faults on the MPLS LSP data plane. It can detect some faults that the control plane cannot find. By using this method, users can quickly find and isolate faults such as routing black holes and loss of routes.

LSP trace is based on Echo Request and Echo Reply packets. These are UDP packets with port number 3503, not ICMP packets. LSP trace uses the TTL field in an MPLS packet header. The LSP trace command increments the TTL value from 1, and sends an MPLS Echo Request packet to the next hop. When an LSR detects that the TTL has expired, it sends an MPLS Echo Reply packet to the source. In this way, each hop of an LSP can be traced.

Work Flow of LSP Trace
The LSP trace function can be used to detect different FECs (IPv4 LDP and RSVP). An LSP trace request packet is a UDP packet with a label. The packet uses the well-known port 3503 as the destination port. The source port is designated by the sender. The IP-layer source address is the IP address of the sender. The destination address is 127.0.0.1, which prevents the packet from being forwarded according to an IP route when a fault occurs on an LSP of an intermediate LSR. The principle of LSP trace is shown in Figure 15-13.

Figure 15-13 LSP Trace Work Flow

The MPLS LSP trace procedure between LSR1 and LSR4 is described below:
1. LSR1: LSR1 sends an MPLS Echo Request packet to LSR2. The destination address of the packet is the FEC on LSR4. In the Echo Request packet, the TTL value in the MPLS header is 1, the destination address in the IP header is 127.0.0.1, and both the source port number and destination port number in the UDP header are 3503.
2. LSR2: When receiving the request packet whose TTL value is 1, LSR2 processes the packet. It finds that it is not the destination. Therefore, LSR2 responds to LSR1 with an MPLS Echo Reply packet. In the Echo Reply packet, LSR2 fills in a corresponding return code. If the return code is 3, the node is the destination. If the return code is 6, the node is an intermediate node. LSR1 determines whether the packet reaches the destination according to the return code.
3. LSR1: After receiving the Echo Reply packet from LSR2, LSR1 knows the address and label information on LSR2. According to the return code, LSR1 knows that the packet did not reach the destination. LSR1 sends an MPLS Echo Request packet to LSR2 again. The destination of the packet is the FEC on LSR4. In the Echo Request packet, the TTL value in the MPLS header is 2, the destination address in the IP header is 127.0.0.1, and both the source port number and destination port number in the UDP header are 3503.
4. LSR2: After receiving the Echo Request packet whose TTL value is 2, LSR2 searches for label information and then forwards the packet to LSR3. The TTL value decrements by one.
5. LSR3: After receiving the packet whose TTL value is 1, LSR3 finds that it is not the destination either. Therefore, LSR3 responds to LSR1 with an MPLS Echo Reply packet. In the Echo Reply packet, the return code is 6, which indicates that the node is an intermediate node. According to the return code, LSR1 knows that the packet did not reach the destination.
6. LSR1: After receiving the Echo Reply packet from LSR3, LSR1 knows the address and label information on LSR3. According to the return code, LSR1 knows that the packet did not reach the destination. LSR1 sends an MPLS Echo Request packet to LSR2 again. The destination is the FEC on LSR4. In the Echo Request packet, the TTL value in the MPLS header is 3, the destination address in the IP header is 127.0.0.1, and both the source port number and destination port number in the UDP header are 3503.
7. LSR2: After receiving the Echo Request packet whose TTL value is 3, LSR2 searches for label information and then forwards the packet to LSR3. The TTL value decrements by one.
8. LSR3: After receiving the Echo Request packet whose TTL value is 2, LSR3 searches for label information and then forwards the packet to LSR4. The TTL value decrements by one.
9. LSR4: After receiving the request packet whose TTL value is 1, LSR4 processes the packet. It finds that it is the destination. Therefore, LSR4 responds to LSR1 with an MPLS Echo Reply packet. In the Echo Reply packet, the return code is 3, which indicates that the node is the destination node.

After the procedure, LSR1 knows the address and label information on LSRs along the LSP.
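The nine steps above, as a small simulation that also shows how the trace isolates a data-plane black hole. This is an added example, not ZTE code: the class and function names, the 192.0.2.x addresses, the max_ttl limit and the silent-drop fault are constructed for illustration, while port 3503, destination 127.0.0.1 and return codes 3 and 6 are the values given in the text.

```python
from dataclasses import dataclass

# Values stated in the text above.
LSP_PING_UDP_PORT = 3503           # UDP port of Echo Request packets
ECHO_REQUEST_IP_DST = "127.0.0.1"  # IP destination of every Echo Request
RC_DESTINATION = 3                 # return code: replying node is the destination
RC_INTERMEDIATE = 6                # return code: replying node is an intermediate node


@dataclass
class Lsr:
    name: str
    address: str                 # constructed address (documentation range)
    drops_labeled: bool = False  # constructed fault: silent data-plane drop


@dataclass
class EchoRequest:
    fec: str
    mpls_ttl: int
    ip_dst: str = ECHO_REQUEST_IP_DST
    udp_dport: int = LSP_PING_UDP_PORT


def build_path(black_hole=None):
    """LSR1..LSR4 as in the procedure; optionally make one LSR a black hole."""
    names = ["LSR1", "LSR2", "LSR3", "LSR4"]
    return [Lsr(n, f"192.0.2.{i}", drops_labeled=(n == black_hole))
            for i, n in enumerate(names, start=1)]


def send_probe(path, request):
    """Carry one Echo Request along the LSP.

    Returns (replying LSR, return code), or None when no reply comes back.
    """
    ttl = request.mpls_ttl
    egress = path[-1]
    for hop in path[1:]:               # path[0] is the sender
        if hop.drops_labeled:
            return None                # black hole: the probe vanishes
        if hop is egress:
            return hop, RC_DESTINATION
        if ttl == 1:                   # TTL expires: this LSR answers the sender
            return hop, RC_INTERMEDIATE
        ttl -= 1                       # label-switched onward, TTL minus one
    return None


def trace(path, fec, max_ttl=5):
    """TTL loop from the text. Rows are (ttl, code, replier, return_code)."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(path, EchoRequest(fec=fec, mpls_ttl=ttl))
        if reply is None:
            rows.append((ttl, "*", None, None))      # '*' = timeout in the legend
            continue
        hop, rc = reply
        code = "!" if rc == RC_DESTINATION else "R"  # 'R' = transit router
        rows.append((ttl, code, hop.name, rc))
        if rc == RC_DESTINATION:
            break                                    # destination reached: stop probing
    return rows


def last_good_hop(rows):
    """None when the trace completed; otherwise the last LSR that replied.

    The fault lies immediately downstream of the returned LSR.
    """
    if rows and rows[-1][1] == "!":
        return None
    replied = [name for _, code, name, _ in rows if code != "*"]
    return replied[-1] if replied else "sender"


if __name__ == "__main__":
    for label, path in (("healthy", build_path()),
                        ("black hole at LSR3", build_path("LSR3"))):
        rows = trace(path, fec="192.0.2.4/32")
        print(label, rows, "-> fault after:", last_good_hop(rows))
```

With LSR3 dropping labeled packets, only the TTL 1 probe is answered, which places the fault between LSR2 and LSR3 even if the control plane still shows the LSP as up.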

Configuration Commands
To configure LSP trace on the ZXR10 ZSR V2, run the following commands:

Command: ZXR10#trace mpls ipv4 [output-interface ][destination [][]][ttl | timeout | source {|}|[{ddmap|dsmap}]]
Function: Enables the IPv4 LDP LSP trace

Command: ZXR10#trace mpls traffic-eng te_tunnel [{master|slave}][ttl | timeout | source {|}|[{ddmap|dsmap}]]
Function: Enables the RSVP LSP trace

Command: ZXR10#trace mpls pseudowire [multisegment][ttl | timeout | source {|}|[{ddmap|dsmap}]]
Function: Enables the PWE3 LSP trace

master : specifies that the master LSP sends LSP ping packets.
slave : specifies that the slave LSP sends LSP ping packets.
multisegment: enables the ping multisegment pseudowire function.

Maintenance Commands
To maintain LSP trace, run the following command on the ZXR10 ZSR V2:

Command: ZXR10#debug lspv {error | event | packet | tlv | all}
Function: Displays information on sent UDP Echo Request packets and received UDP Echo Reply packets when LSP trace is performed.

LDP LSP Trace Configuration Example

Configuration Description
As shown in Figure 15-14, LDP is enabled on R1, R2 and R3. It is required to configure LSP trace on R1 to check connectivity.

Figure 15-14 LDP LSP Trace Configuration Example

Configuration Flow
1. Build an LDP network.
2. Perform LDP LSP trace on R1.

Configuration Command
For LDP configuration, refer to the MPLS configuration example.

Configuration Verification
Run the following commands on R1 to view configurations. The execution result is displayed as follows:
R1#show mpls forwarding-table
Local  Outgoing  Prefix or     Outgoing   Next Hop   M/S
label  label     Lspname       interface
20     Pop tag   10.28.0.3/32  gei-1/2    10.28.1.6  M
57     49        10.28.0.4/32  gei-1/2    10.28.1.6  M

R1#trace mpls ipv4 10.28.0.3 32
Tracing MPLS Lable Switched to 10.28.0.3,timeout is 3 second(s).
Codes:'!' - success, 'Q' - request not sent, '*' - timeout,
      'L' - labeled output interface, 'B' - unlabeled output interface,
      'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
      'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
      'P' - no rx intf label prot, 'p' - premature termination of LSP,
      'R' - transit router, 'I' - unknown upstream index,
      'X' - unknown return code, 'x' - return code 0 'd' - DDMAP
  0 10.28.1.5 MTU 1500 [label 3 ]
! 1 10.28.1.6 10 ms
[finished]

Test trace on R1. The execution result is displayed as follows:
R1#trace mpls ipv4 10.28.0.4 32
Tracing MPLS Lable Switched to 10.28.0.4,timeout is 3 second(s).
Codes:'!' - success, 'Q' - request not sent, '*' - timeout,
      'L' - labeled output interface, 'B' - unlabeled output interface,
      'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
      'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
      'P' - no rx intf label prot, 'p' - premature termination of LSP,
      'R' - transit router, 'I' - unknown upstream index,
      'X' - unknown return code, 'x' - return code 0 'd' - DDMAP
  0 10.28.1.5 MTU 1500 [label 49 ]
R 1 10.28.1.21 MTU 1500 [label 0 ]
! 2 10.28.1.22
8 ms
7 ms
[finished]

RSVP LSP Trace Configuration Example

Configuration Description
As shown in Figure 15-15, the Resource ReSerVation Protocol (RSVP) is enabled on R1, R2 and R3. Build an OSPF-TE network. It is required to configure LSP trace on R1 to check connectivity.

Figure 15-15 RSVP LSP Trace Configuration Example

Configuration Flow
1. Build an OSPF-TE network.
2. Perform RSVP LSP trace on R1.

Configuration Commands
For RSVP configuration, refer to the OSPF-TE configuration example.

Configuration Verification
Run the following commands on R1 to view configurations. The execution result is displayed as follows:
R1#show mpls traffic-eng tunnels brief
Signalling Summary:
LSP Tunnels Process:    running
RSVP Process:           running
Forwarding:             enabled
TUNNEL NAME    DESTINATION    UP IF    DOWN IF    STATE/PROT
tunnel_1       10.28.0.4      -        gei-1/8    up/up

Test trace on R1. The execution result is displayed as follows:
R1#trace mpls traffic-eng te_tunnel1
Tracing MPLS Lable Switched to te_tunnel1,timeout is 3 second(s).
Codes:'!' - success, 'Q' - request not sent, '*' - timeout,
      'L' - labeled output interface, 'B' - unlabeled output interface,
      'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
      'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
      'P' - no rx intf label prot, 'p' - premature termination of LSP,
      'R' - transit router, 'I' - unknown upstream index,
      'X' - unknown return code, 'x' - return code 0 'd' - DDMAP
  0 10.28.1.5 MTU 1500 [label 147457 ]
R 1 10.28.1.6 MTU 1500 [label 3 ]
! 2 10.28.1.22 4 ms
3 ms
[finished]

15.9 Configuring Multicast Ping

Overview
Multicast ping sends an ICMP request packet to a multicast group address and waits for an ICMP reply packet from the remote end. Multicast ping is applicable to PIM-SM only, and can only be initiated by a node in an RPT (excluding a multicast receiver). The destination address is a multicast group address. The request packet is forwarded to a multicast receiver node through a multicast forwarding path. The receiver node responds with an ICMP reply packet through unicast. The work flow of multicast ping is shown in Figure 15-16.

Figure 15-16 Work Flow of Multicast Ping

1. A router initiates a multicast ping command by sending an ICMP request packet.
2. An intermediate node forwards the packet directly because there is no local receiver directly connected.
3. A leaf node where the receiver is located sends and processes the packet, and responds with a reply packet through unicast.
4. The initiator displays the multicast ping result.

Configuration Commands
To configure multicast ping on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#ping [vrf ]{[df-bit : flag indicating no fragmentation, options: 0, 1, default: 0 (indicating that fragmentation is allowed).
: value of the pad field in a packet.
option: whether to configure IP options. The value 1 means that IP options can be configured.
: number of ping packets sent per second.
: interval between two data request packets, unit: second, range: 2–10.
loose | strict : specified source station route, format: dotted decimal.
: maximum number of hops that needs to be recorded, range: 1–9.
: maximum number of timestamps that needs to be recorded, range: 1–9.

Maintenance Commands
To maintain multicast ping on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#mtrace [][]
Function: packets and received ICMP packets when multicast ping is performed.

Configuration Example

Configuration Description
As shown in Figure 15-17, it is required to check whether the multicast last hop is reachable.

Figure 15-17 Multicast Ping Configuration Example

Configuration Flow
1. Build a network.
2. Enable PIM-SM on R1 and R2.
3. Add the receiving group to the multicast group.
4. Ping the multicast group address on R1.

Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/9
R1(config-if-gei-1/9)#no shutdown
R1(config-if-gei-1/9)#ip address 12.131.1.1 255.255.255.0
R1(config-if-gei-1/9)#exit
R1(config)#interface gei-1/8
R1(config-if-gei-1/8)#no shutdown
R1(config-if-gei-1/8)#ip address 17.1.1.2 255.255.255.0
R1(config-if-gei-1/8)#exit
R1(config)#interface loopback1
R1(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0
R1(config-if-loopback1)#exit
/*Configure a multicast protocol*/
R1(config)#ip multicast-routing
R1(config-mcast)#router pim
R1(config-mcast-pim)#rp-candidate loopback1
R1(config-mcast-pim)#bsr-candidate loopback1
R1(config-mcast-pim)#interface gei-1/9
R1(config-mcast-pim-if-gei-1/9)#pimsm
R1(config-mcast-pim-if-gei-1/9)#exit
R1(config-mcast-pim)#interface gei-1/8
R1(config-mcast-pim-if-gei-1/8)#pimsm
R1(config-mcast-pim-if-gei-1/8)#end

Configurations on R2 are similar to those on R1. Configure an IP address and enable a multicast protocol on R2. Run the following command on R2 to add a static route to the RP:
R2(config)#ip route 3.3.3.3 255.255.255.255 17.1.1.2

Configuration Verification
Run the ping command on R1 to check whether the receiving group has joined the 225.0.0.1 multicast group. The execution result is displayed as follows:
R1#ping 225.0.0.1
sending 5,100-byte ICMP echoes to 225.0.0.1,timeout is 2 seconds.
Reply to request 1 received from 17.1.1.1, 2 ms
Reply to request 2 received from 17.1.1.1, 2 ms
Reply to request 3 received from 17.1.1.1, 2 ms
Reply to request 4 received from 17.1.1.1, 2 ms
Reply to request 5 received from 17.1.1.1, 2 ms
Success rate is 100 percent(5/5),round-trip min/avg/max= 2/2/2 ms.

15.10 Configuring Multicast Trace

Overview
Multicast trace provides a method of monitoring multicast routes and detecting RPF. At present, the multicast trace version is v1.0. Multicast trace checks connectivity of a multicast path by sending and receiving IGMP protocol packets. Multicast trace is used to detect the reverse path from a destination address to a multicast source. It uses two methods to search for a next hop route. One is by RPF. The other is by an (S, G) or (*, G) entity, and (S, G) is preferred. Take Figure 15-18 as an example to describe two multicast trace working flows.

Figure 15-18 Multicast Trace Principle

When trace 1.1.1.3 2.2.2.2 is configured on R1, R1 finds that the next hop is 1.1.1.1 through RPF. Until finding that the next hop route 1.1.1.3 is a source direct-connected route, R1 unicasts the destination route 2.2.2.2.

When trace 1.1.1.3 2.2.2.2 224.1.1.1 is configured on R1, R1 searches for the next hop route by an (S, G) or (*, G) entity. (S, G) is preferred. Until finding that the next hop route 1.1.1.3 is a source direct-connected route, R1 unicasts the destination route 2.2.2.2.

Configuration Commands
To configure multicast trace on ZXR10 ZSR V2, use the following command.

Command: ZXR10#mtrace [][]
Function: destination address to a multicast source.

Configuration Example

Configuration Description
It is required to search for a next hop route through an (S, G) or (*, G) entity. The network topology is shown in Figure 15-19.

Figure 15-19 Multicast Trace Configuration Example

Configuration Flow
1. Enable PIM-SM on R1 and R2.
2. The receiving group joins the multicast group. The source sends a multicast flow.
3. Configure multicast trace on R2.

Configuration Command
Configuration on R1:
R1(config)#interface gei-1/9
R1(config-if-gei-1/9)#no shutdown
R1(config-if-gei-1/9)#ip address 12.131.1.1 255.255.255.0
R1(config-if-gei-1/9)#exit
R1(config)#interface gei-1/8
R1(config-if-gei-1/8)#no shutdown
R1(config-if-gei-1/8)#ip address 17.1.1.2 255.255.255.0
R1(config-if-gei-1/8)#exit
R1(config)#interface loopback1
R1(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0
R1(config-if-loopback1)#exit
/*Configure a multicast protocol*/
R1(config)#ip multicast-routing
R1(config-mcast)#router pim
R1(config-mcast-pim)#rp-candidate loopback1
R1(config-mcast-pim)#bsr-candidate loopback1
R1(config-mcast-pim)#interface gei-1/9
R1(config-mcast-pim-if-gei-1/9)#pimsm
R1(config-mcast-pim-if-gei-1/9)#exit
R1(config-mcast-pim)#interface gei-1/8
R1(config-mcast-pim-if-gei-1/8)#pimsm
R1(config-mcast-pim-if-gei-1/8)#end

Configuration on R2 is similar to that on R1. Configure an IP address and enable a multicast protocol. Configure a static route to the RP on R2, as shown below.
R2(config)#ip route 3.3.3.3 255.255.255.255 17.1.1.2

Configuration Verification
The receiving group joins the multicast group 225.0.0.1. The source sends a multicast flow.
R2#mtrace 12.131.1.2 17.1.1.1 225.0.0.1
Type escape sequence to abort.
Mtrace from 12.131.1.2 to 17.1.1.1 via group 225.0.0.1
0 17.1.1.1 PIM
-1 17.1.1.2 PIM
21 ms 76 ms
-2 12.131.1.1 PIM
76 ms
[finished]

15.11 Configuring MAC Ping

Overview
MAC ping provides a method of monitoring performance and detecting errors at the MAC layer. It determines link-layer connectivity by sending and receiving EOAM MAC ping packets. OAM information contained in IEEE802.3 is called Ethernet Operation, Administration and Maintenance (EOAM). EOAM provides a ping mechanism for the data link layer.
1. A router sends an Echo Request packet with a specific destination MAC address. The OAM sub-layer sends this ping request packet as an OAM Protocol Data Unit (OAMPDU).
2. After receiving this Echo Request packet, the receiver generates an Echo Response OAMPDU.

EOAM-based MAC ping network structure is shown in Figure 15-20.

Figure 15-20 MAC Ping Network Structure

MAC ping supports ping from CE1 to CE2, from PE1 to PE2, from PE1 to CE2, and from CE1 to PE2. The parameters in ping commands sent from a CE and from a PE are different. The following takes ping from CE1 to CE2 and from PE1 to PE2 as examples to describe the procedures.

Ping from CE1 to CE2
CE1 sends a MAC-layer ping request which contains an egress interface and a destination MAC address. When receiving the request packet, CE2 sends a reply packet. If CE1 receives the reply packet within a specified period, the link layer is operating properly.

Ping from PE1 to PE2
PE1 sends a MAC-layer ping request which contains a destination MAC address, Virtual Private LAN Service (VPLS) name and peer ID. When receiving the request packet, PE2 sends a reply packet. If PE1 receives the reply packet within a specified period, the link layer is operating properly.

Configuration Commands
To configure MAC ping on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#mac-ping {interface | vpls peer |vpws peer }{summary | detail}{[external-vlan internal-vlan ]|[vlan ]}[repeat ][timeout ]
Function: Checks the connectivity of the destination MAC address.

: egress interface of a request packet on a CE.
summary : briefly displays MAC ping results.
detail: displays MAC ping results in detail.
: repeat count, range: 1–65536, default: 1.
: remote router ID to be detected on a PE.

Maintenance Commands
To maintain MAC ping on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#debug macping {all |error | event | info | packet}
Function: Displays errors, events, information, packets or all information when MAC ping packets are received and sent.

Configuration Example

Configuration Description
For the MAC ping network structure on a VPLS network, see Figure 15-21.

Figure 15-21 MAC Ping Configuration Example

Configuration Flow
1. Configure IP addresses. Enable OSPF between PE1 and PE2.
2. Configure LDP between PEs.
3. Configure L2 VPN VPLS.
4. Configure MAC ping.

Configuration Commands
Run the following commands on PE1:
PE1(config)#interface loopback1
PE1(config-if-loopback1)#ip address 100.10.10.1 255.255.255.255
PE1(config-if-loopback1)#exit
PE1(config)#interface gei-1/1
PE1(config-if-gei-1/1)#no shutdown
PE1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
PE1(config-if-gei-1/1)#exit

PE1(config)#router ospf 1
PE1(config-ospf-1)#network 100.10.10.1 0.0.0.0 area 0
PE1(config-ospf-1)#network 10.1.1.1 0.0.0.255 area 0
PE1(config-ospf-1)#exit

PE1(config)#mpls ldp instance 1
PE1(config-ldp-1)#router-id loopback1
PE1(config-ldp-1)#interface gei-1/1
PE1(config-ldp-1-if-gei-1/1)#exit
PE1(config-ldp-1)#exit

PE1(config)#mpls l2vpn enable
PE1(config)#pw pw1
PE1(config)#vpls zte1
PE1(config-vpls-zte1)#pseudo-wire pw1
PE1(config-vpls-zte1-pw-pw1)#neighbour 100.10.10.2 vcid 10
PE1(config-vpls-zte1-pw-pw1-neighbour-100.10.10.2)#end

PE1(config)#zmac-oam enable /*Enable mac-ping(trace) globally.*/

Configurations on PE2 are similar to those on PE1.

Configuration Verification
Run the mac-ping command on PE1. The execution result is displayed as follows:
PE1#mac-ping 00d0.d000.0500 vpls zte1 peer 100.10.10.2 summary
sending 5,92-byte EOAM echo(es) to 00d0.d000.0500,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/2 ms.

15.12 Configuring MAC Trace

Overview
MAC trace provides a method of monitoring performance and detecting errors at the MAC layer. It determines whether the nodes at the link layer are operating properly by sending and receiving EOAM MAC trace packets.

The EOAM function is defined in the 802.3ah draft. This function can be used to detect information on the Ethernet link layer defined in IEEE802.3. OAM information contained in IEEE802.3 is called EOAM. EOAM-based MAC trace network structure is shown in Figure 15-22.

Figure 15-22 Network Structure of MAC Trace

MAC trace supports trace from CE1 to CE2, from PE1 to PE2, and from PE1 to CE2.

Trace from CE1 to CE2
CE1 sends a MAC trace request. If the link is operating properly, MAC addresses of corresponding interfaces on CE1, PE1, PE2 and CE2 are recorded.

Trace from PE1 to PE2
PE1 sends a MAC trace request. If the link is operating properly, MAC addresses of corresponding interfaces on PE1 and PE2 are recorded.

Trace from PE1 to CE2
PE1 sends a MAC trace request. If the link is operating properly, MAC addresses of corresponding interfaces on PE1, PE2 and CE2 are recorded.

Configuration Commands
To configure MAC trace on ZXR10 ZSR V2, run the following command:

Command: ZXR10#mac-trace {interface |[vpls peer ]|[vpws peer ]}[external-vlan internal-vlan ]|[vlan ]
Function: Trace a path to the destination MAC address on an Ethernet link.

: egress interface of a request packet on a CE.
: remote router ID to be detected on a PE.

Maintenance Commands
To maintain MAC trace on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#debug macping {all |error | event | info | packet}
Function: Displays errors, events, information and packets or all information when MAC trace packets are received and sent.

Configuration Example

Configuration Description
On a VPLS network, the MAC trace network structure is shown in Figure 15-23.

Figure 15-23 MAC Trace Configuration Example

Configuration Flow
1. Configure IP addresses. Enable OSPF between PE1 and PE2.
2. Configure LDP between PEs.
3. Configure L2 VPN VPLS.
4. Configure MAC trace.

Configuration Command
Run the following commands on PE1:
PE1(config)#interface loopback1
PE1(config-if-loopback1)#ip address 100.10.10.1 255.255.255.255
PE1(config-if-loopback1)#exit
PE1(config)#interface gei-1/1
PE1(config-if-gei-1/1)#no shutdown
PE1(config-if-gei-1/1)#ip address 17.1.1.1 255.255.255.0
PE1(config-if-gei-1/1)#exit

PE1(config)#router ospf 1
PE1(config-ospf-1)#network 100.10.10.1 0.0.0.0 area 0
PE1(config-ospf-1)#network 17.1.1.1 0.0.0.255 area 0
PE1(config-ospf-1)#exit

PE1(config)#mpls ldp instance 1
PE1(config-ldp-1)#router-id loopback1
PE1(config-ldp-1)#interface gei-1/1
PE1(config-ldp-1-if-gei-1/1)#exit
PE1(config-ldp-1)#exit

PE1(config)#mpls l2vpn enable
PE1(config)#pw pw1
PE1(config)#vpls zte1
PE1(config-vpls-zte1)#pseudo-wire pw1
PE1(config-vpls-zte1-pw-pw1)#neighbour 100.10.10.2 vcid 10
PE1(config-vpls-zte1-pw-pw1-neighbour-100.10.10.2)#end

PE1(config)#zmac-oam enable /*Enable mac-ping (trace) globally.*/

Configurations on PE2 are similar to those on PE1.

Configuration Verification
Run the mac-trace command on PE1. The execution result is displayed as follows:
PE1#mac-trace 00d0.d000.0500 vpls zte1 peer 100.10.10.2
Starting L2 Trace to 00d0.d000.0500
PE1 :gei-1/1 [002e.33d5.3f51]->
PE2 :gei-1/1 [00d0.d000.0500] !
[finished]

15.13 IP Performance Maintenance

ZXR10 ZSR V2 provides the following commands to maintain IP performance.

Command: ZXR10#debug ip
Function: This enables IP debug function. It displays the debug information of IP processing and whether the route is sending or receiving IP packets.

Command: ZXR10#debug ip interface
Function: This enables IP debug function in the specified interface.

Command: ZXR10#show debug ip
Function: This shows all the enabled IP debug functions.


Figures

Figure 1-1 ZXR10 ZSR V2 Configuration Modes
Figure 1-2 Run Dialog Box
Figure 1-3 Telnet Connection Configuration Example
Figure 1-4 PuTTY Configuration Dialog Box
Figure 1-5 PuTTY Configuration Dialog Box
Figure 1-6 SSH Configuration Example
Figure 1-7 FTP Server Configuration Example
Figure 1-8 WFTPD Window
Figure 1-9 User/Rights Security Dialog Box
Figure 1-10 User/Rights Security Dialog Box
Figure 1-11 TFTP Server Window
Figure 1-12 Tftpd Settings Dialog Box
Figure 1-13 SFTP Server Configuration Example
Figure 3-1 MIM Application
Figure 4-1 Local Authentication and Authorization Configuration
Figure 4-2 RADIUS-LOCAL Authentication and Authorization User Configuration
Figure 4-3 TACACS+ Authentication and Authorization User Configuration
Figure 4-4 Configuring a Password Prompt Question for Resetting a Password
Figure 4-5 Configuring OAM Security Management
Figure 4-6 Configuring a Password Validity Period
Figure 4-7 Configuring First-Login Password Modification
Figure 4-8 Configuring the Raising of a Privilege Level
Figure 6-1 SNMP Configuration Example Topology
Figure 6-2 State Switching Diagram
Figure 6-3 SNMP Anti–Brute Force Attack Configuration Example
Figure 7-1 Alarm Function Configuration Example
Figure 8-1 Syslog Configuration Example Topology
Figure 9-1 RMON Configuration Example
Figure 10-1 NTP Client Work Flow
Figure 10-2 NTP Server and Client


Figure 10-3 NTP Working as a Client
Figure 10-4 NTP Working as a Server
Figure 10-5 Physical POS Interface Clock Configuration Instance
Figure 11-1 Performance Management Configuration Example Topology Diagram
Figure 12-1 NetFlow V5 Configuration Example
Figure 12-2 NetFlow V8 Configuration Example
Figure 12-3 NetFlow V9 Configuration Example
Figure 13-1 ICMP-Type SQA Configuration Example
Figure 13-2 FTP-Type SQA Configuration Example
Figure 13-3 TCP-Type SQA Configuration Example
Figure 13-4 UDP-Type SQA Configuration Example
Figure 13-5 DNS-Type SQA Configuration Example
Figure 14-1 LLDP System Structure
Figure 14-2 LLDP Neighbor Configuration Example
Figure 14-3 LLDP Attribute Configuration Example
Figure 15-1 ICMP Fast Response Configuration Example
Figure 15-2 Loose Source Route Option Packet Format
Figure 15-3 IP Source Route Option Processing Configuration Example
Figure 15-4 ICMP Unreachable Packet Function Configuration Example
Figure 15-5 Configuration Example of an Interface Sending ICMP Unreachable Packets
Figure 15-6 Format of an ICMP Echo Request/Reply
Figure 15-7 IP Ping Configuration Example
Figure 15-8 Interfaces Between the "Trace" Module and Sub-Modules
Figure 15-9 IP Trace Configuration Example
Figure 15-10 LDP LSP Ping Configuration Example
Figure 15-11 RSVP LSP Ping Configuration Example
Figure 15-12 PWE3 LSP Ping Configuration Example
Figure 15-13 LSP Trace Work Flow
Figure 15-14 LDP LSP Trace Configuration Example
Figure 15-15 RSVP LSP Trace Configuration Example
Figure 15-16 Work Flow of Multicast Ping
Figure 15-17 Multicast Ping Configuration Example
Figure 15-18 Multicast Trace Principle
Figure 15-19 Multicast Trace Configuration Example


Figure 15-20 MAC Ping Network Structure
Figure 15-21 MAC Ping Configuration Example
Figure 15-22 Network Structure of MAC Trace
Figure 15-23 MAC Trace Configuration Example


Glossary

AAA - Authentication, Authorization and Accounting
ACL - Access Control List
DNS - Domain Name System
FTP - File Transfer Protocol
HMAC-MD5 - Hashed Message Authentication Code with MD5
ICMP - Internet Control Message Protocol
IETF - Internet Engineering Task Force
LDP - Label Distribution Protocol
LLDP - Link Layer Discovery Protocol
LLDPDU - Link Layer Discovery Protocol Data Unit
LSP - Label Switched Path
LSR - Label Switch Router
MAC - Media Access Control
MAN - Metropolitan Area Network
MIB - Management Information Base
MPLS - Multiprotocol Label Switching
NMS - Network Management System
NTP - Network Time Protocol
PDU - Packet Data Unit
POP - Points Of Presence
PPP - Point-to-Point Protocol
RADIUS - Remote Authentication Dial In User Service
RFC - Request For Comments
SLA - Service Level Agreement
SNMP - Simple Network Management Protocol
SSH - Secure Shell
TACACS+ - Terminal Access Controller Access-Control System Plus
TCP - Transmission Control Protocol
TCP/IP - Transmission Control Protocol/Internet Protocol
TELNET - Telecommunication Network Protocol
TFTP - Trivial File Transfer Protocol
TLV - Type/Length/Value
TTL - Time To Live
ToS - Type of Service
UDP - User Datagram Protocol
VRF - Virtual Route Forwarding