netengine5000e
V800R002C01
Issue 01
Date 2011-10-15
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the System Management feature supported by the
NE5000E device.
This document describes how to configure the Basic Configurations feature.
This document is intended for:
• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a tip that may help you solve a problem or save time.
Convention Description
&<1-n> The parameter before the & sign can be repeated 1 to n times.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
2 NTP Configuration
2.1 NTP Overview
2.2 NTP Features Supported by the NE5000E
2.3 Configuring Basic NTP Functions
2.3.1 Configuring the NTP Primary Clock
2.3.2 Configuring the Unicast Server/Client Mode
2.3.3 Configuring the Peer Mode
2.3.4 Configuring the Broadcast Mode
2.3.5 Configuring the Multicast Mode
2.3.6 Disabling the Interface From Receiving NTP Packets
3 SNMP Configuration
3.1 Introduction to SNMP
3.1.1 SNMP Overview
3.1.2 SNMP Features Supported by the NE5000E
3.2 Configuring a Device to Communicate with an NM Station by Running SNMPv1
3.2.1 Configuring Basic SNMPv1 Functions
3.2.2 (Optional) Controlling the NM Station's Access to the Device
3.2.3 (Optional) Configuring the Trap Function
3.2.4 Checking the Configuration
3.3 Configuring a Device to Communicate with an NM Station by Running SNMPv2c
3.3.1 Configuring Basic SNMPv2c Functions
3.3.2 (Optional) Controlling the NM Station's Access to the Device
3.3.3 (Optional) Configuring the Trap Function
3.3.4 (Optional) Configuring the Informs Function
3.3.5 Checking the Configuration
3.4 Configuring a Device to Communicate with an NM Station by Running SNMPv3
3.4.1 Configuring Basic SNMPv3 Functions
3.4.2 (Optional) Controlling the NM Station's Access to the Device
3.4.3 Configuring SNMPv3 Authentication and Privacy
3.4.4 (Optional) Configuring the Trap Function
3.4.5 (Optional) Configuring the Informs Function
3.4.6 Checking the Configuration
3.5 SNMP Configuration Examples
3.5.1 Example for Configuring a Device to Communicate with an NM Station by Using SNMPv1
3.5.2 Example for Configuring a Device to Communicate with an NM Station by Using SNMPv2c
3.5.3 Example for Configuring a Device to Communicate with an NM Station by Using SNMPv3
4 Log Management
4.1 Log Management Overview
4.2 Log Management Features that the NE5000E Supports
4.3 (Optional) Filtering Logs
4.4 Setting the Maximum Number of Logs to Be Displayed
4.5 Setting the Maximum Number of Traps to Be Displayed
4.6 Saving Logs to a Local Log File
4.7 Configuring Logs to Be Output to a Log Host
4.7.1 Enabling the Information Center
4.7.2 (Optional) Specifying a Source Interface for Sending Logs to a Log Host
4.7.3 Configuring Logs to Be Output to a Specified Log Host
4.7.4 Checking the Configuration
4.8 Maintenance
4.9 Configuration Examples
4.9.1 Example for Saving Logs to a Local Log File
4.9.2 Example for Configuring Logs to Be Output to a Log Host
5 Fault Management
5.1 Fault Management Overview
5.2 FM Supported by the NE5000E
5.3 Configuring FM
5.3.1 Setting the Alarm Severity
5.3.2 Configuring a Suppression Period for an Alarm
5.3.3 Configuring Alarm Suppression
5.3.4 Filtering Out All Alarms
5.3.5 Configuring an Alarm Filtering Table to Filter Out Alarms
5.3.6 Saving Alarms to a Log File
5.3.7 Checking the Configuration
5.4 Maintenance
5.4.1 Clearing Alarm Statistics
5.4.2 Monitoring the Alarm Status
5.5 Configuration Examples
5.5.1 Example for Configuring FM
6 NetStream Configuration
6.1 NetStream Overview
6.2 NetStream Features Supported by the NE5000E
6.3 Collecting Statistics About IPv4 Original Flows
6.3.1 Specifying a NetStream Service Processing Mode
6.3.2 Outputting Original Flows
6.3.3 (Optional) Adjusting the AS Field Mode and Interface Index Type
6.3.4 (Optional) Enabling Statistics Collection of TCP Flags
1 Device Management
The stable running of the device depends on mature network planning and routine maintenance.
In addition, fast location of potential hazards is necessary. After understanding the concept and
operations of device management, you can manage the device effectively and efficiently.
Concept
The stable running of the router depends on the mature network planning and routine
maintenance. In addition, fast detection of potential hazards is necessary.
The maintenance personnel must check alarm information immediately and deal with faults
properly to keep the device in normal operation and reduce the failure rate. Thus, the system
runs safely, stably, and reliably.
Applicable Environment
Determine the board to be powered off according to the actual situation.
• Power off the MPU.
The device adopts 1:1 redundancy of MPUs. In the operation of the device, one MPU
functions as the active one and the other functions as the standby one. You need to remove
the MPU in any of the following situations:
– The MPU needs maintenance, for example, dust cleaning.
– The hardware of the MPU needs an upgrade, for example, memory capacity expansion.
– The MPU fails.
WARNING
The router cannot work with a single MPU for a long time. If the MPU fails, the entire
system breaks down. Therefore, after the slave MPU is powered off, you must finish the
required operations and restore the slave MPU immediately.
Pre-configuration Tasks
Before powering off the board, complete the following tasks:
• Checking the slot of the board to be powered off
• Preparing a slave board if the board needs to be replaced
Procedure
• Powering off the MPU
1. Run the system-view command to enter the system view.
2. (Optional) Run the slave switchover command to perform the master/slave
switchover.
Before powering off the MPU, you need to run the display device command to view
the status of the MPU. If the MPU is the master MPU, perform the master/slave
switchover first.
3. Run the quit command to return to the system view.
4. Run the power off slot slot-id-mpu command to power off the slave MPU.
NOTE
If there is no terminal on the deployment site, you can power off the slave MPU by pressing the OFL
button. The OFL button is on the upper part of the panel for the slave MPU. Press and hold the button
for six seconds till the OFL indicator lights. This indicates that the slave MPU is powered off.
• Powering off the SFU
1. Run the power off slot slot-id-sfu command to power off the SFU.
NOTE
If there is no terminal on the deployment site, you can power off the SFU by pressing the OFL button.
The OFL button is on the upper part of the panel of the SFU board. Press and hold the button for six
seconds till the OFL indicator lights. This indicates that the SFU is powered off.
• Powering off the LPU
After preparing a spare LPU, you can power off the LPU.
1. Run the power off slot slot-id-lpu [ card card-id ] command to power off the LPU.
NOTE
If there is no terminal on the deployment site, you can power off the LPU by pressing the OFL button.
The OFL button is in the upper part of the panel of the LPU. Press and hold the button for six seconds.
If the OFL indicator lights, it indicates that the LPU is powered off.
----End
Applicable Environment
You can manage online devices by viewing the information about the device or resetting a board
to ensure that the network works normally.
Pre-configuration Tasks
Before managing online devices, complete the following task:
Configuration Procedure
You can choose to configure one of the following configuration tasks according to the applicable
environment.
Procedure
Step 1 Run the display version [ slot slot-id ] command to view versions of the router.
You can run the display version [ slot slot-id ] command in any view to view versions of the
router. Versions of the router include:
----End
Procedure
Step 1 Run the display device [ pic-status | slot-id ] command to view basic information about the
router.
In practice, you can run this command in any view to view basic information about the device.
slot-id specifies the slot ID of a module.
• Choose a board in a certain slot and view basic information about this board.
• Run the display device pic-status command to view basic information about the sub-cards
of each LPU on the router.
----End
Procedure
Step 1 Run the display memory-usage [ threshold ] [ slave | slot slot-id ] command to check the
memory usage of the MPU or LPU.
NOTE
To set the threshold of the memory usage of the MPU or LPU, you can run the set memory-usage
threshold threshold-value [ restore restore-threshold-value ] [ slave | slot slot-id ] command.
----End
Procedure
Step 1 Run the display cpu-usage [ configuration ] [ slave | slot slot-id ] command to check the CPU
usage of an MPU or an LPU.
NOTE
To set the threshold of the CPU usage of the MPU, you can run the set cpu-usage threshold
threshold-value [ restore restore-threshold-value ] [ slave | slot slot-id ] command.
----End
Procedure
Step 1 Run the display temperature [ lpu [ slot slot-id ] | mpu | sfu | slot slot-id ] command to view
the working temperature of a board.
To view the working temperature of each board on the router, you can run the display
temperature command.
In practice, you can run the display temperature command in any view to view the current
working temperatures of the router. The temperature information includes the following
contents:
----End
Procedure
Step 1 Run the display voltage [ lpu [ slot slot-id ] | mpu | sfu | slot slot-id ] command to view the
voltage status of the specified board.
To view the voltage status of each board of the router, you can run the display voltage command.
In practice, you can run the display voltage command in any view to view the voltage status of
all the boards on the router. The voltage information includes the following:
----End
Procedure
Step 1 Run the display power [ { environment-info | manufacture-info } slot slot-id-power | slot
[ slot-id-lpu ] ] command to check the status of the power module for the router.
In practice, you can run this command to view the status of the power module for the router.
The displayed information includes the following:
----End
Procedure
Step 1 Run the display fan command to view the status of the fan module.
In practice, you can run this command to view the fan status. The information includes the
following:
----End
Context
CAUTION
Use the reboot command with caution because it can break down the entire network for a short
period. In addition, check whether configuration files need to be saved before restarting the device.
Procedure
Step 1 Run:
reboot
After the reboot command is run, the system checks whether the current configuration is
consistent with the configuration saved in the configuration file. If the configuration is
inconsistent with the configuration saved in the configuration file, the system prompts you to save
the current configuration. The system then prompts you to confirm whether to save the current
configuration in the configuration file to be activated next time.
----End
Background Information
When an operating board of the device fails, it is recommended that you reset the board by using
the reset slot command.
WARNING
You need to back up important data before resetting a board.
Procedure
Step 1 Run the reset slot slot-id [ card card-id ] command in the user view to reset the faulty board or
subcard.
NOTE
• If this command is run to reset a master MPU and no slave MPU exists, the master MPU is reset with
the CPU being powered on. If a slave MPU exists, this command performs the master-slave MPU
switchover.
• If the board is still abnormal after being reset, contact Huawei technical support personnel.
----End
Applicable Environment
When the air filter has been running for one cleaning cycle, the system generates
an alarm for cleaning the air filter. The cleaning cycle for the air filter can be configured.
Pre-configuration Tasks
Before configuring a cleaning cycle for the air filter, complete the following tasks:
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
NOTE
The air filter is a component without memory. All the monitored information is saved on the MPU, which
may be inserted, removed, switched, or replaced during usage. Therefore, the monitoring cycle may differ
from the set cycle, but this does not affect the monitoring function.
----End
Context
The system generates an alarm about cleaning the air filter. After ensuring that the air filter is
cleaned or does not need to be cleaned, you need to clear the alarm and remonitor the cleaning
cycle of the air filter.
Do as follows on the router:
Procedure
Step 1 Run:
reset dustproof run-time
The alarm is cleared. The cleaning cycle of the air filter is monitored.
----End
Procedure
Step 1 Run:
display dustproof
----End
Example
Run the display dustproof command. You can view information about the cleaning cycle of
the air filter, the last time when the air filter was cleaned (referring to the time on the router),
how many days the router had been run since the previous cleaning, and how long the alarm
about cleaning the air filter exists. For example:
Networking Requirements
After checking the alarm information, you find that the hardware on the master MPU fails. Then,
power off the master MPU and check it.
Configuration Notes
CAUTION
On a single NE5000E, interfaces are numbered in the format of slot number/sub-card number/
interface number; whereas in the multi-chassis scenario, interfaces are numbered in the format
of chassis ID/slot number/card number/interface number. This requires the chassis ID to be
specified along with the slot number.
The NE5000E cannot work with a single MPU for a long time. If the MPU fails, the whole
system breaks down. After the slave MPU is powered off, you must finish the required operations
and restore the MPU immediately.
Configuration Roadmap
The configuration roadmap is as follows:
1. Switch the master MPU to the slave MPU.
2. Power off the slave MPU.
Data Preparation
To complete the configuration, you need the following data:
• Slot number of the master MPU
Procedure
Step 1 Perform a master/slave switchover on the router.
<HUAWEI> system-view
[~HUAWEI] slave switchover
Before performing the master and slave switchover, check that user interfaces such as AUX,
console, and VTY interfaces are connected to the two MPUs. Otherwise, users that use the
interfaces connected with the former master MPU automatically quit the login after the master
and slave switchover.
[~HUAWEI] quit
----End
Configuration Files
None.
2 NTP Configuration
This section describes the fundamentals, the configuration procedure, and the configuration
examples of Network Time Protocol (NTP).
NTP aims at synchronizing clocks of all the devices in a network. It keeps all the clocks of these
devices consistent, and enables devices to implement various applications based on the uniform
time.
Any local system that runs NTP can be time synchronized by other clock sources, and also
functions as a clock source to synchronize other clocks. In addition, mutual synchronization can
be performed by exchanging NTP packets.
NTP packets are encapsulated in UDP packets for transmission, and NTP uses UDP port 123.
NTP Application
NTP is applied in the following situations where all the clocks of hosts or routers in a network
need to be consistent:
When all the devices on a network need to be synchronized, it is almost impossible for an
administrator to manually change the system clock by executing commands. This is because the
work load is heavy and clock accuracy cannot be ensured. NTP can quickly synchronize the
clocks of network devices and ensure their precision.
• Defining clock accuracy by means of stratum to synchronize the time of network devices
in a short time
• Supporting access control and MD5 authentication
• Transmitting packets in unicast, multicast or broadcast mode
Basic Concepts
Stratum: measures clock precision. The higher the stratum level, the lower the clock precision.
Clocks have 15 stratums, and a stratum-1 clock has the highest precision. Stratum
16 indicates that the relevant clock is not synchronized.
Principles of NTP
Figure 2-1 shows the principles of NTP. Router A and Router B are connected through a WAN.
They both have their own system clocks. NTP implements automatic synchronization of their
clocks.
Suppose:
• Before the system clocks of Router A and Router B are synchronized, the clock of
Router A is set to 10:00:00 am and the clock of Router B is set to 11:00:00 am.
• Router B functions as an NTP time server. That is, Router A synchronizes its clock with
that of Router B.
• One-way transmission of data packets between Router A and Router B takes one second.
• Processing of data packets on Router A or Router B takes one second.
[Figure 2-1: Step 1 to Step 4, each showing RouterA and RouterB connected through the network]
1. Router A sends an NTP packet to Router B. The packet carries the originating timestamp
when it leaves Router A, which is 10:00:00 am (T1).
2. When the NTP packet reaches Router B, Router B adds its receiving timestamp to the NTP
packet, which is 11:00:01 am (T2).
3. When the NTP packet leaves Router B, Router B adds its transmitting timestamp to the
NTP packet, which is 11:00:02 am (T3).
4. When Router A receives the response packet, it adds a new receiving timestamp to it, which
is 10:00:03 am (T4).
Router A uses the received information to calculate the following two important values:
• Delay for the NTP message cycle: Delay = (T4 - T1) - (T3 - T2).
• Offset of Router A relative to Router B: Offset = ( (T2 - T1) + (T3 - T4) ) / 2.
According to the delay and the offset, Router A sets its own clock again to synchronize
with the clock of Router B.
The preceding example is only a simple description of the NTP operating principle. As
described in RFC 1305, NTP uses a more complex algorithm to ensure the precision of
clock synchronization.
The device that provides standard time is referred to as a time server, and the device that
enjoys the time service is referred to as a client.
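The four-step exchange above, carried through real 48-byte NTP packets, as an added example (not Huawei code and not part of the original manual). It goes beyond the text by adding the checks a client applies before trusting a reply: the reply must echo the T1 that was sent, and a server reporting stratum 16 is rejected. The function names, the calendar date and the server-side builder are assumptions made for this example.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("!BBbbII4sQQQQ")   # 48-byte NTP header, no extensions
MODE_CLIENT, MODE_SERVER = 3, 4
VERSION = 3                                # RFC 1305 describes NTP version 3


class Sample(NamedTuple):
    delay: float    # round-trip delay in seconds
    offset: float   # seconds to add to the local clock
    stratum: int


def to_ntp(dt: datetime) -> int:
    """UTC datetime -> 64-bit NTP timestamp (era 0, valid until 2036)."""
    delta = dt - NTP_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return (seconds << 32) | ((delta.microseconds << 32) // 1_000_000)


def from_ntp(ts: int) -> datetime:
    """64-bit NTP timestamp -> UTC datetime (32-bit seconds, 32-bit fraction)."""
    micros = ((ts & 0xFFFFFFFF) * 1_000_000) >> 32
    return NTP_EPOCH + timedelta(seconds=ts >> 32, microseconds=micros)


def seconds_between(a: int, b: int) -> float:
    """Difference a - b of two NTP timestamps, in seconds."""
    return (a - b) / 2**32


def build_request(t1: int) -> bytes:
    """Step 1: client packet carrying T1 in the transmit timestamp field."""
    return HEADER.pack((VERSION << 3) | MODE_CLIENT, 0, 0, 0, 0, 0,
                       b"\0" * 4, 0, 0, 0, t1)


def build_reply(request: bytes, t2: int, t3: int, stratum: int = 2) -> bytes:
    """Steps 2 and 3, server side (constructed only to produce sample input):
    copy the client's T1 into the origin field, then add T2 and T3."""
    t1 = HEADER.unpack(request)[10]
    return HEADER.pack((VERSION << 3) | MODE_SERVER, stratum, 0, 0, 0, 0,
                       b"LOCL", t3, t1, t2, t3)


def process_reply(reply: bytes, t1: int, t4: int) -> Sample:
    """Step 4, client side: validate the reply, then apply the two formulas."""
    if len(reply) != HEADER.size:
        raise ValueError("not a plain 48-byte NTP packet")
    flags, stratum, _, _, _, _, _, _, origin, t2, t3 = HEADER.unpack(reply)
    leap, mode = flags >> 6, flags & 0x7
    if mode != MODE_SERVER:
        raise ValueError("unexpected mode %d" % mode)
    if origin != t1:
        # The reply must echo the T1 we sent. A mismatch means a stale,
        # duplicated or forged packet, which must not move the clock.
        raise ValueError("origin timestamp does not match request")
    if leap == 3 or not 1 <= stratum <= 15 or t3 == 0:
        raise ValueError("server clock is not synchronized")
    delay = seconds_between(t4, t1) - seconds_between(t3, t2)
    offset = (seconds_between(t2, t1) + seconds_between(t3, t4)) / 2
    return Sample(delay, offset, stratum)


def page_example() -> Sample:
    """The exchange from the text; the calendar date is a constructed value."""
    day = datetime(2011, 10, 15, tzinfo=timezone.utc)

    def at(h: int, m: int, s: int) -> int:
        return to_ntp(day.replace(hour=h, minute=m, second=s))

    t1, t2, t3, t4 = at(10, 0, 0), at(11, 0, 1), at(11, 0, 2), at(10, 0, 3)
    return process_reply(build_reply(build_request(t1), t2, t3), t1, t4)


if __name__ == "__main__":
    print(page_example())
```

With the timestamps from the text, the delay is 2 seconds and the offset is 3600 seconds, so Router A moves its clock forward by one hour.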
Applicable Environment
NTP has four operation modes. Select a proper mode based on the networking topology to
meet various clock synchronization requirements.
In unicast server/client mode and peer mode, NTP packets can have the same source IP address.
Pre-configuration Tasks
Before configuring basic functions of NTP, you need to complete the following tasks:
• Configuring the link layer protocol for the interface
• Configuring an IP address and a routing protocol for the interface to ensure that NTP packets
can reach destinations
Configuration Procedure
Mandatory procedure
Optional procedure
Related Tasks
2.7.2 Example for Configuring NTP Peer Mode
2.7.4 Example for Configuring Multicast Mode
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service refclock-master [ ip-address ] [ stratum ]
ip-address specifies the IP address of the local reference clock. Reference clock addresses are
of the form 127.127.t.u. Here, "t" indicates the clock type and ranges from 0 to 37. Currently,
"t" is the local reference clock and the value is 1. "u" indicates the NTP process number, ranging
from 0 to 3. When no IP address is specified, the local clock whose IP address is 127.127.1.0
functions as the primary NTP clock by default.
stratum specifies the stratum of the local reference clock. If this parameter is not specified, the
default stratum is 8.
Step 3 Run:
commit
----End
Procedure
• Configure the NTP client.
1. Run:
system-view
The specified source interface IP address is used as the source IP address to send NTP
packets irrespective of the outgoing interface.
3. Run:
ntp-service unicast-server ip-address [ version number | authentication-keyid key-id | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preference ] *
ip-address is the IP address of the NTP server. It must be the IP address of a host; it
cannot be a broadcast address, a multicast address, or the IP address of the reference
clock. If the source interface to send NTP packets is specified on the server, the IP
address of the server configured on the client should be the same; otherwise, the client
cannot process NTP packets sent from the server and clock synchronization fails.
Step 2 is optional. If source-interface is specified in both Step 2 and Step 3, use the
source interface specified in Step 3 preferentially.
NOTE
When the unicast NTP server is specified, the local router functions as the client automatically.
The server needs to be configured with only a primary clock.
4. Run:
commit
The specified source interface IP address is used as the source IP address to send NTP
packets irrespective of the outgoing interface.
Commonly, specify the IP address of the NTP server on the client. The client and
server can then exchange NTP packets using this IP address.
If the source interface to send NTP packets is specified on the server, the IP address
of the server configured on the client should be the same; otherwise, the client cannot
process NTP packets sent from the server and clock synchronization fails.
3. Run:
commit
Procedure
• Configuring the NTP Symmetric Active End
1. Run:
system-view
The specified local source interface is configured to send the NTP packet.
3. Run:
ntp-service unicast-peer ip-address [ version number | authentication-keyid key-id | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preference ] *
Step 2 is optional. If source-interface is specified in both Step 2 and Step 3, use the
source interface specified in Step 3 preferentially.
ip-address is the IP address of the NTP peer. It must be the IP address of a host; it
cannot be a broadcast address, a multicast address, or the IP address of the reference
clock.
NOTE
After the NTP peer is specified, the local router runs in symmetric active mode. The symmetric
passive end does not need to be configured.
4. Run:
commit
The specified local source interface is configured to send the NTP packet.
Commonly, specify the IP address of the NTP symmetric passive end on the symmetric
active end. The symmetric active and symmetric passive ends can then exchange NTP packets
using this IP address.
If the source interface to send NTP packets is specified on the symmetric passive end,
the IP address of the NTP peer configured on the symmetric active end should be the
same; otherwise, the active end cannot process NTP packets sent from the passive end
and clock synchronization fails.
3. Run:
commit
----End
Procedure
• Configuring an NTP Broadcast Server
1. Run:
system-view
After the configurations, the local router periodically sends the clock synchronization
packets to the broadcast address 255.255.255.255.
NOTE
Broadcast can be used only in the same LAN.
4. Run:
commit
Running the ntp-service max-dynamic-sessions command does not affect the setup
of NTP sessions. When the number of sessions reaches or exceeds the maximum,
no new session can be set up.
3. Run:
interface interface-type interface-number
After the configurations, the local router senses the broadcast NTP packets sent from
the server and synchronizes the local clock.
5. Run:
commit
----End
Procedure
l Configuring an NTP Multicast Server
1. Run:
system-view
After the configurations, the local router periodically sends clock synchronization
packets to the configured multicast IP address.
4. Run:
commit
Running the ntp-service max-dynamic-sessions command does not affect the setup
of NTP sessions. When the number of sessions reaches or exceeds the maximum,
no further sessions can be set up.
3. Run:
interface interface-type interface-number
After the configurations, the local router senses the multicast NTP packets sent from
the server and synchronizes the local clock.
5. Run:
commit
----End
Procedure
Step 1 Run:
system-view
----End
Prerequisite
All configurations of basic NTP functions are complete.
Procedure
l Run the display ntp-service sessions command to view the details about the configured
and the dynamic NTP sessions.
l Run the display ntp-service status command to view the status of the NTP service.
l Run the display ntp-service trace command to trace the path of reference clock source
from the local device.
l Run the display ntp-service bd-status command to view the status of each board on a
router.
----End
Example
Run the display ntp-service sessions command to view the details about the configured and the
dynamic NTP sessions.
<HUAWEI> display ntp-service sessions
Run the display ntp-service status command to view the status of the NTP service.
<HUAWEI> display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL (0)
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 10.00 ms
reference time: 15:51:36.259 UTC Apr 25 2005 (C6179088.426490A3)
Run the display ntp-service trace command to trace the path of reference clock source from
the local device.
<HUAWEI> display ntp-service trace
server 127.0.0.1,stratum 5, offset 0.024099, synch distance 0.06337,
server 171.1.1.2,stratum 4, offset 0.028786, synch distance 0.04575,
server 201.1.1.2,stratum 3, offset 0.035199, synch distance 0.03075,
server 200.1.7.1,stratum 2, offset 0.039855, synch distance 0.01096,
refid 127.127.1.0
Run the display ntp-service bd-status command to view the status of each board on a router.
<HUAWEI> display ntp-service bd-status
Board ID : 17
Sync Source : 127.127.1.0
NTP Server Configured : No
Clock Status : synchronized
Offset : 0.7 ms
Clock Precision : 2^17
Poll : 8
Reference Time : 17:04:55.236 UTC Sep 11 2009(CE5501B7.3C8D4BAD)
Current Time : 17:05:39.359 UTC Sep 11 2009(CE5501E3.5C0DB270)
Applicable Environment
NTP supports two security mechanisms: access authority and NTP authentication.
l Access authority
Access authority is a simple security method provided by the NE5000E to protect
local NTP services.
The NE5000E provides four access authority levels. When an NTP access request packet
reaches the local end, it is matched against the levels in order from the maximum access
authority to the minimum access authority. The first matched authority level takes effect.
The matching order is as follows:
– peer: indicates the maximum access authority. The remote end can send time requests
and control queries to the local end. The local clock can also be
synchronized with that of the remote server.
– server: indicates that the remote end can send time requests and control queries to the
local end, but the local clock cannot be synchronized with that of the remote end.
– synchronization: indicates that the remote end can send only time requests to the
local end.
– query: indicates the minimum access authority. The remote end can send only
control queries to the local end.
l NTP authentication
NTP authentication is required in some networks with high security demands.
NTP authentication must be configured on both the client and the
server.
During the configuration of NTP authentication, pay attention to the following rules:
– Configure NTP authentication on both the client and the server; otherwise, the
authentication does not take effect.
– If NTP authentication is enabled, a reliable key needs to be configured at the same time.
– The authentication key configured on the server and that on the client should be
consistent.
– In NTP peer mode, the symmetric active end corresponds to the client, and the
symmetric passive end corresponds to the server.
Pre-configuration Tasks
Before configuring NTP security mechanisms, complete the following tasks:
l Configuring the link layer protocol on the interface.
l Configuring the link layer protocol and routing protocol to make the server and client
reachable.
l Configuring ACL rules if the access authority is configured.
Configuration Procedure
Related Tasks
2.7.1 Example for Configuring NTP Authentication in Unicast Server and Client Mode
2.7.3 Example for Configuring NTP Authentication in Broadcast Mode
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service access { peer | query | server | synchronization } acl-number
Access authority for the NTP service on the local router is configured.
Before specifying an ACL number, make sure you have already created and configured this
ACL.
You can configure the ntp-service access command depending on the actual situation.
NTP multicast mode | Synchronizing the client with the server | NTP multicast client
NTP broadcast mode | Synchronizing the client with the server | NTP broadcast client
Step 3 Run:
commit
----End
Context
Enable NTP authentication first, and then configure basic NTP functions and specify the
authentication key. Otherwise, NTP authentication fails.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service authentication enable
Step 3 Run:
ntp-service authentication-keyid key-id authentication-mode md5 password
Step 4 Run:
ntp-service reliable authentication-keyid key-id
Step 5 Run:
commit
----End
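How the key ID and key configured in Steps 3 and 4 are used on the wire, as an added example that is not part of the original guide or Huawei code. It assumes the standard NTP symmetric-key scheme (a 32-bit key ID and MD5(key || header) appended to the 48-byte header); check_mac is a hypothetical model of the receiver, and key ID 42 and the key Hello are sample values.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header without extension fields
MAC_LEN = 4 + 16         # 32-bit key ID followed by a 128-bit MD5 digest


def build_client_request(transmit_ts: int) -> bytes:
    """Build a minimal NTPv3 client (mode 3) header with only xmttime set."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3          # LI=0, VN=3, Mode=3
    # stratum, poll, precision, then nine zeroed 32-bit words (root delay,
    # root dispersion, reference ID, reference/origin/receive timestamps)
    # and the 64-bit transmit timestamp.
    return struct.pack("!BBbb9IQ", li_vn_mode, 0, 10, -18, *([0] * 9), transmit_ts)


def add_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the key ID and MD5(key || packet); the header is not altered."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def check_mac(datagram: bytes, keys: dict, reliable: set) -> str:
    """Receiver-side decision on a host that has authentication enabled.

    keys     -- {key ID: key bytes} configured locally
    reliable -- key IDs declared reliable locally
    """
    if len(datagram) < NTP_HEADER_LEN + MAC_LEN:
        return "rejected: no MAC"
    packet = datagram[:NTP_HEADER_LEN]
    mac = datagram[NTP_HEADER_LEN:NTP_HEADER_LEN + MAC_LEN]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys:
        return "rejected: unknown key ID"
    if key_id not in reliable:
        return "rejected: key not reliable"
    expected = hashlib.md5(keys[key_id] + packet).digest()
    # Constant-time comparison so the check does not leak digest prefixes.
    if not hmac.compare_digest(expected, mac[4:]):
        return "rejected: digest mismatch"
    return "accepted"


def demo() -> dict:
    """Run one signed request through differently configured receivers."""
    request = build_client_request(0xC6C6960773F1E8E6)   # constructed timestamp
    signed = add_mac(request, 42, b"Hello")
    tampered = signed[:1] + b"\x01" + signed[2:]          # stratum byte changed
    return {
        "same key, reliable": check_mac(signed, {42: b"Hello"}, {42}),
        "different key": check_mac(signed, {42: b"hello"}, {42}),
        "key not declared reliable": check_mac(signed, {42: b"Hello"}, set()),
        "key ID not configured": check_mac(signed, {16: b"Hello"}, {16}),
        "packet without MAC": check_mac(request, {42: b"Hello"}, {42}),
        "header modified in transit": check_mac(tampered, {42: b"Hello"}, {42}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} {verdict}")
```

The header stays readable on the wire: the MAC gives origin authentication and integrity for the packet, not confidentiality.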
Procedure
Step 1 Run:
system-view
Step 2 Run:
The authentication key ID used for synchronizing the server and client clocks is configured.
Step 3 Run:
commit
----End
Procedure
Step 1 Run:
system-view
The authentication key ID for the synchronization of the symmetric active and symmetric passive
clocks is configured.
Step 3 Run:
commit
----End
Procedure
Step 1 Run:
system-view
Step 3 Run:
ntp-service broadcast-server [ authentication-keyid key-id | version number ] *
----End
Procedure
Step 1 Run:
system-view
----End
Prerequisite
All configurations of basic NTP functions are complete.
Procedure
l Run the display ntp-service status command to view the status of the NTP service.
l Run the display ntp-service sessions verbose command to view the status of NTP sessions.
----End
Example
Run the display ntp-service status command to view the status of the NTP service.
<HUAWEI> display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL (0)
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 10.00 ms
reference time: 15:51:36.259 UTC Apr 25 2005 (C6179088.426490A3)
Run the display ntp-service sessions verbose command to view the status of NTP sessions.
<HUAWEI> display ntp-service sessions verbose
clock source: 172.11.12.1
clock stratum: 1
clock status: configured, master, sane, valid
reference clock ID: LOCAL(0)
local mode: client, local poll: 10
peer mode: server, peer poll: 10
offset: -3.2385 ms,delay: 26.97 ms, disper: 14.85 ms
root delay: 0.00 ms, root disper: 10.94 ms
reach: 377, sync dist: 0.058, sync state: 4
precision: 2^18, version: 3, peer interface: wildcard
reftime: 10:01:38.546 UTC Sep 5 2005(C6C69602.8C00DA1A)
orgtime: 10:01:43.463 UTC Sep 5 2005(C6C69607.76ACC921)
rcvtime: 10:01:43.480 UTC Sep 5 2005(C6C69607.7AF4ADBC)
xmttime: 10:01:43.452 UTC Sep 5 2005(C6C69607.73F1E8E6)
filter delay : 0.03 0.02 0.03 0.02 0.02 0.02 0.04 0.02
filter offset: 0.00 -0.01 0.00 0.01 0.00 0.00 0.00 0.00
filter disper: 0.03 0.02 0.00 0.11 0.09 0.08 0.06 0.05
Applicable Environment
NTP allows the system date and time, time zone, and daylight saving time information
to be configured.
In the application environment where absolute time is strictly required, the current date and clock
of the router must be set.
Pre-configuration Tasks
None
Procedure
Step 1 Run:
clock datetime time date
Step 2 Run:
system-view
Step 3 Run:
clock timezone time-zone-name { add | minus } offset
Step 4 Run:
or,
----End
Context
In routine maintenance, you can run the following commands in any view to monitor the NTP
running status.
Procedure
l Run the display ntp-service sessions command to view the details about the configured
and the dynamic NTP sessions.
l Run the display ntp-service status command to view the status of the NTP service.
l Run the display ntp-service trace command to trace the path of reference clock source
from the local device.
l Run the display clock command to view the system time.
----End
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
[Figure 2-4: networking diagram. Surviving label: GE 1/0/0, 10.0.0.2/24]
Configuration Notes
l You must enable NTP authentication on the client prior to specifying the IP address of the
NTP server and authentication key to be sent to the server; otherwise, NTP authentication
is not performed before clock synchronization.
l You must configure the same authentication key on the NTP server and NTP client and
declare that the key is reliable. Otherwise, the NTP authentication fails.
l For authentication to succeed, configure it on both the server and the client.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the clock on Router A to be the NTP primary clock.
2. Configure Router B to synchronize its clock with the clock of Router A.
3. Configure Router C and Router D to synchronize their clocks with the clock of Router B.
4. Enable NTP authentication on all the Routers.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the reference clock
l Stratum of the primary NTP clock
l Authentication key and its ID
Procedure
Step 1 Configure the IP addresses based on Figure 2-4 so that Router A, Router B, Router C, and
Router D can reach one another. The detailed procedures are not mentioned here.
Step 2 Configure a primary NTP clock on Router A and enable NTP authentication.
# On Router A, set its local clock as a primary NTP clock with stratum being 2.
<RouterA> system-view
[~RouterA] ntp-service refclock-master 2
# Enable NTP authentication, configure the authentication key, and declare the key to be reliable.
[~RouterA] ntp-service authentication enable
NOTE
Authentication keys configured on the server and the client should be the same.
Step 3 Configure a primary NTP clock on Router B and enable NTP authentication.
# On Router B, enable NTP authentication. Configure the authentication key and declare the
key to be reliable.
<RouterB> system-view
[~RouterB] ntp-service authentication enable
[~RouterB] ntp-service authentication-keyid 42 authentication-mode md5 Hello
[~RouterB] ntp-service reliable authentication-keyid 42
# Specify Router A to be the NTP server of Router B and use the authentication key.
[~RouterB] ntp-service unicast-server 2.2.2.2 authentication-keyid 42
[~RouterB] commit
After the configurations, the clock on Router C can be synchronized with the clock on Router
B.
Display the NTP status on Router C and find that the clock is synchronized. The stratum of the
clock is 4, one stratum lower than that on Router B.
[~RouterC] display ntp-service status
Display the NTP status on Router D and find that the clock is synchronized. The stratum of the
clock is 4, one stratum lower than that on Router B.
[~RouterD] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2006(C7B15BCC.D5604189)
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
ntp-service authentication-keyid 42 authentication-mode md5 %@ENC;8HX
\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 42
ntp-service refclock-master 2
ntp-service authentication enable
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 2.2.2.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 2.2.2.0 0.0.0.255
#
return
l Configuration file of Router B
#
sysname RouterB
#
ntp-service authentication-keyid 42 authentication-mode md5 %@ENC;8HX
\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 2.2.2.2 authentication-keyid 42
ntp-service authentication enable
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet2/0/0
undo shutdown
ip address 1.0.1.11 255.255.255.0
#
ospf 1
area 0.0.0.0
network 1.0.1.0 0.0.0.255
network 10.0.0.0 0.0.0.255
#
return
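A minimal audit of the rules in the Configuration Notes, run over configuration text like the Router A and Router B files above. This is an added example, not Huawei code: the function names are hypothetical, the sample files are constructed from the listings with the key ciphertext replaced by a placeholder, and flagging associations without a key is a policy assumption for networks where authentication is intended.

```python
import re

KEY_RE = re.compile(r"^ntp-service authentication-keyid (\d+) authentication-mode (\S+)")
RELIABLE_RE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)$")
# Association commands that this guide shows with an optional key ID.
ASSOC_RE = re.compile(r"^ntp-service (unicast-server|unicast-peer|broadcast-server)\b(.*)$")
KEYREF_RE = re.compile(r"\bauthentication-keyid (\d+)")

# Constructed samples; the ciphertext placeholder is never compared.
ROUTER_A = """\
sysname RouterA
ntp-service authentication-keyid 42 authentication-mode md5 CIPHERTEXT-PLACEHOLDER
ntp-service reliable authentication-keyid 42
ntp-service refclock-master 2
ntp-service authentication enable
"""
ROUTER_B = """\
sysname RouterB
ntp-service authentication-keyid 42 authentication-mode md5 CIPHERTEXT-PLACEHOLDER
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 2.2.2.2 authentication-keyid 42
ntp-service authentication enable
"""
# Constructed faulty client: no enable, key 42 not reliable, one bare peer.
ROUTER_B_FAULTY = """\
sysname RouterB
ntp-service authentication-keyid 42 authentication-mode md5 CIPHERTEXT-PLACEHOLDER
ntp-service unicast-server 2.2.2.2 authentication-keyid 42
ntp-service unicast-peer 10.0.0.2
"""


def parse(config):
    """Collect the NTP authentication state from one configuration file."""
    state = {"enabled": False, "keys": {}, "reliable": set(), "assocs": []}
    for raw in config.splitlines():
        line = raw.strip()          # interface-level commands are indented
        if line == "ntp-service authentication enable":
            state["enabled"] = True
        elif m := KEY_RE.match(line):
            state["keys"][int(m.group(1))] = m.group(2)
        elif m := RELIABLE_RE.match(line):
            state["reliable"].add(int(m.group(1)))
        elif m := ASSOC_RE.match(line):
            ref = KEYREF_RE.search(m.group(2))
            state["assocs"].append((line, int(ref.group(1)) if ref else None))
    return state


def audit(config):
    """Check one device against the rules in the Configuration Notes."""
    s = parse(config)
    findings = []
    if not s["enabled"]:
        findings.append("NTP authentication is not enabled")
    for key_id in sorted(set(s["keys"]) - s["reliable"]):
        findings.append(f"key {key_id} is not declared reliable")
    for line, key_id in s["assocs"]:
        if key_id is None:
            findings.append(f"unauthenticated association: {line}")
        elif key_id not in s["keys"]:
            findings.append(f"key {key_id} is referenced but not defined: {line}")
    return findings


def audit_pair(client_cfg, server_cfg):
    """Check that every key the client uses is usable on the server."""
    client, server = parse(client_cfg), parse(server_cfg)
    findings = []
    if not server["enabled"]:
        findings.append("server: NTP authentication is not enabled")
    for _, key_id in client["assocs"]:
        if key_id is None:
            continue
        if key_id not in server["keys"]:
            findings.append(f"server: key {key_id} is not defined")
        elif key_id not in server["reliable"]:
            findings.append(f"server: key {key_id} is not declared reliable")
        elif server["keys"][key_id] != client["keys"].get(key_id):
            findings.append(f"key {key_id}: authentication mode differs")
    return findings


if __name__ == "__main__":
    for name, cfg in (("RouterA", ROUTER_A), ("RouterB", ROUTER_B),
                      ("RouterB (faulty)", ROUTER_B_FAULTY)):
        print(name, audit(cfg) or "OK")
    print("RouterB -> RouterA", audit_pair(ROUTER_B, ROUTER_A) or "OK")
```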
Related Tasks
2.4 Configuring NTP Security Mechanisms
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
l Configure the clock on Router C to be a primary NTP clock with stratum 2.
l Router D takes Router C as its NTP server. That is, Router D functions as the client.
l Router E takes Router D as its symmetric passive end. That is, Router E is the symmetric
active end.
[Figure 2-5: networking diagram. Surviving labels: GE1/0/0 3.0.1.31/24; RouterE GE1/0/0 3.0.1.33/24; RouterD GE1/0/0 3.0.1.32/24]
Configuration Notes
Before configuring peer mode, ensure that the peer is reachable from the host side.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the clock on Router C to be the NTP primary clock. The clock on Router D
should be synchronized to the clock on Router C.
2. Configure Router E and Router D as NTP peers so that Router E sends clock
synchronization requests to Router D.
3. Finally, the clocks on Router C, Router D and Router E can be synchronized.
Data Preparation
To complete the configuration, you need the following data:
l IP address of Router C
l IP address of Router D
l Stratum of the NTP primary clock
Procedure
Step 1 Configure IP addresses for Router C, Router D, and Router E.
Configure an IP address for each interface based on Figure 2-5. After the configuration, the three
routers can ping each other.
The detailed procedures are not mentioned here.
Step 2 Configure the NTP server/client mode.
# Configure the clock on Router C to be its own reference clock with the stratum being 2.
<RouterC> system-view
[~RouterC] ntp-service refclock-master 2
[~RouterC] commit
After configurations, the clock on Router D can be synchronized to the clock on Router C.
Display the NTP status on Router D and find that the status is synchronized. The stratum of the
clock on Router D is 3, one stratum lower than that on Router C.
[~RouterD] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 3.0.1.31
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 62.50 ms
root dispersion: 0.20 ms
peer dispersion: 7.81 ms
reference time: 06:52:33.465 UTC Mar 7 2006(C7B7AC31.773E89A8)
Since no primary clock is configured on Router E, the clock on Router E should be synchronized
to the clock on Router D.
Step 4 Verify the configuration.
View the status of Router E after clock synchronization and you can find that the status is
"synchronized". That is, clock synchronization completes. You can also find that the stratum of
the clock on Router E is 4, one stratum lower than that on Router D.
[~RouterE] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 3.0.1.32
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 124.98 ms
root dispersion: 0.15 ms
peer dispersion: 10.96 ms
reference time: 06:55:50.784 UTC Mar 7 2006(C7B7ACF6.C8D002E2)
----End
Configuration Files
l Configuration file of Router C
#
sysname RouterC
#
ntp-service refclock-master 2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 3.0.1.31 255.255.255.0
#
return
Related Tasks
2.3 Configuring Basic NTP Functions
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
[Figure 2-6: networking diagram of Router A, Router C, Router D, and Router F. Surviving labels: GE1/0/0 1.0.1.11/24; GE1/0/0 1.0.1.2/24; GE2/0/0 3.0.1.2/24; GE1/0/0 3.0.1.32/24]
Configuration Notes
Before configuring a key on the client and the server, ensure that the key already exists.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Router C as an NTP broadcast server.
2. Configure Router A and Router D as the NTP broadcast clients.
3. Configure NTP authentication on Router A, Router C, and Router D.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an IP address for each router.
Configure IP addresses based on Figure 2-6. The detailed procedures are not mentioned here.
Step 2 Configure an NTP broadcast server and enable NTP authentication on it.
# Set the local clock of Router C as a primary NTP clock with stratum being 3.
<RouterC> system-view
[~RouterC] ntp-service refclock-master 3
# Configure Router C to be an NTP broadcast server. Broadcast packets are authenticated by using
the authentication key ID 16 and then sent from GE 1/0/0.
[~RouterC] interface gigabitethernet 1/0/0
[~RouterC-GigabitEthernet1/0/0] ntp-service broadcast-server authentication-keyid 16
[~RouterC-GigabitEthernet1/0/0] commit
[~RouterC-GigabitEthernet1/0/0] quit
Step 3 Configure the NTP broadcast client Router D on the same network segment as that of the NTP
server.
# Enable NTP authentication.
<RouterD> system-view
[~RouterD] ntp-service authentication enable
[~RouterD] ntp-service authentication-keyid 16 authentication-mode md5 Hello
[~RouterD] ntp-service reliable authentication-keyid 16
# Configure Router D to be the NTP broadcast client. Router D senses the broadcast packets on
GE 1/0/0.
[~RouterD] interface gigabitethernet 1/0/0
[~RouterD-GigabitEthernet1/0/0] ntp-service broadcast-client
[~RouterD-GigabitEthernet1/0/0] commit
[~RouterD-GigabitEthernet1/0/0] quit
# Configure Router A to be the NTP broadcast client. Router A senses the NTP broadcast packets
on GE 1/0/0.
[~RouterA] interface gigabitethernet 1/0/0
After the configurations, the clock on Router D can be synchronized to the clock on Router C.
The clock on Router A, however, fails to be synchronized because Router A and Router C are
in different network segments and Router A cannot sense the broadcast packets sent from
Router C.
Check the NTP status on Router D and you can find that the clock status is "synchronized". That
is, clock synchronization completes. The stratum of the clock on Router D is 4, one stratum
lower than that of Router C.
[~RouterD] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 3.0.1.31
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.42 ms
peer dispersion: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2006(C7B7F851.C5EAF25B)
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
ntp-service authentication-keyid 16 authentication-mode md5 %@ENC;8HX
\#Q=^Q`MAF4<1!!
ntp-service reliable authentication-keyid 16
ntp-service authentication enable
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.0.1.11 255.255.255.0
ntp-service broadcast-client
#
ospf 1
area 0.0.0.0
network 1.0.1.0 0.0.0.255
#
return
#
return
Related Tasks
2.4 Configuring NTP Security Mechanisms
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
l Router C and Router D are in the same network segment; Router A is in another network
segment; Router F connects with the two network segments.
l Router C functions as an NTP multicast server and its clock is a primary NTP clock with
the stratum being 2. Multicast packets are sent out from GE 1/0/0.
l Router D and Router A each sense the multicast packets on their GE 1/0/0 interfaces.
[Figure 2-7: networking diagram of Router A, Router C, Router D, and Router F. Surviving labels: GE1/0/0 1.0.1.11/24; GE1/0/0 1.0.1.2/24; GE2/0/0 3.0.1.2/24; GE1/0/0 3.0.1.32/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Router C as an NTP multicast server.
2. Configure Router A and Router D as NTP multicast clients.
Data Preparation
To complete the configuration, you need the following data:
l IP addresses of Router A, Router C, Router D, and Router F
l Stratum of the NTP primary clock
Procedure
Step 1 Configure an IP address for each Router.
Configure IP addresses based on Figure 2-7. The detailed procedures are not mentioned here.
Step 2 Configure an NTP multicast server.
# Set the local clock on Router C as a primary NTP clock with stratum being 2.
<RouterC> system-view
[~RouterC] ntp-service refclock-master 2
# Configure Router C to be an NTP multicast server. NTP multicast packets are sent from GE
1/0/0.
[~RouterC] interface gigabitethernet 1/0/0
[~RouterC-GigabitEthernet1/0/0] ntp-service multicast-server
[~RouterC-GigabitEthernet1/0/0] commit
Step 3 Configure the NTP multicast client Router D in the same network segment as that of the NTP
server.
# Configure Router D to be an NTP multicast client. Router D senses the NTP multicast packets
on GE 1/0/0.
<RouterD> system-view
[~RouterD] interface gigabitethernet 1/0/0
[~RouterD-GigabitEthernet1/0/0] ntp-service multicast-client
[~RouterD-GigabitEthernet1/0/0] commit
Step 4 Configure the NTP multicast client Router A in a network segment different from that of the
NTP server.
# Configure Router A to be an NTP multicast client. Router A senses the NTP multicast packets
on GE 1/0/0.
<RouterA> system-view
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] ntp-service multicast-client
[~RouterA-GigabitEthernet1/0/0] commit
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.0.1.11 255.255.255.0
ntp-service multicast-client
#
return
l Configuration file of Router C
#
sysname RouterC
#
ntp-service refclock-master 2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 3.0.1.31 255.255.255.0
ntp-service multicast-server
#
return
Related Tasks
2.3 Configuring Basic NTP Functions
3 SNMP Configuration
The Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. It uses a central computer (a network management station)
that runs network management software to manage network elements. There are three SNMP
versions, SNMPv1, SNMPv2c, and SNMPv3. Users can choose to configure one or more
versions if needed.
SNMP Components
An SNMP managed network consists of the following three components:
l NM station: sends various packets to query managed devices and receives alarms from
these devices.
l Agent: is a network-management process on a managed device. An agent has the following
functions:
– Receives and parses query packets sent from the NM station.
– Reads or writes management variables based on the query type, and generates and sends
response packets to the NM station.
– Sends alarms to the NM station when particular events occur. For example, the system
view is displayed or closed, or the device is restarted. Protocol modules on the device
define the conditions that lead to the alarms.
l Managed device: is managed by an NM station and generates and reports alarms to the
NM station.
Figure 3-1 shows the relationship between the NM station and agent.
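[Figure 3-1: relationship between the NM station and the agent. Request and Response between the NM station and the agent over UDP port 161; UDP port 162 between the agent and the NM station]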
MIB
To uniquely identify managed objects, SNMP organizes them in a hierarchical tree structure and
identifies each one by a path starting from the tree root, as shown in Figure 3-2. The NM station
uses the MIB to identify and manage device objects. The nodes on the tree are the managed
objects.
[Figure 3-2: MIB tree, with managed objects A and B as nodes]
As shown in Figure 3-2, object B is uniquely identified by a string of numbers, {1.2.1.1}. Such
a number string is called an Object Identifier (OID). A MIB tree is used to describe the hierarchy
of data in a MIB that collects the definitions of variables on the managed devices.
A user can use a standard MIB or define a MIB based on certain standards. Using a standard
MIB can reduce the costs on proxy deployment and therefore reduce the costs on the entire
network management system.
SNMP Operations
SNMP uses Get and Set operations to replace a complex command set. The operations used for
device management include GetRequest, GetNextRequest, GetResponse, GetBulk, SetRequest,
and notification from the agent to the NM station. The operations described in Figure 3-3 can
implement all functions.
features. Table 3-4 describes the usage scenarios of SNMP versions, which helps you choose a
proper version for the communication between an NM station and managed devices based on
the network operation conditions.
NOTE
When multiple NM stations using different SNMP versions manage the same device in a network, SNMPv1,
SNMPv2c, and SNMPv3 are all configured on the device so that it can communicate with all the NM stations.
If you plan to build a network, choose an SNMP version based on your usage scenario. If you
plan to expand or upgrade an existing network, choose an SNMP version to match the SNMP
version running on the NM station to ensure the communication between managed devices and
the NM station.
Applicable Environment
SNMP has to be deployed in a network to allow the NMS to manage network devices.
If the network is secure and has few devices (for example, a campus network or a small enterprise
network), then SNMPv1 can be deployed to ensure communication between the NMS and
managed devices.
Pre-configuration Tasks
Before configuring a device to communicate with an NM station by running SNMPv1, configure
a routing protocol to ensure that at least one route exists between the router and the NM station.
Configuration Procedure
Context
Steps 3, 4, and 5 are mandatory to configure basic SNMP functions. After the configuration is
complete, basic SNMP communication can be established between the NM station and managed
device.
Procedure
Step 1 Run:
system-view
After SNMPv1 is enabled on the managed device, the device supports both SNMPv1 and
SNMPv3. This means that the device can be monitored and managed by NM stations running
SNMPv1 or SNMPv3.
Step 4 Run:
snmp-agent community { read | write } { community-name | cipher community-name1 }
[ acl acl-number | mib-view view-name ] *
l To configure a destination IPv6 address for the alarms and error codes sent from the device,
run:
snmp-agent target-host trap ipv6 { address udp-domain ipv6-address } [ udp-port
port-number ] params securityname security-name [ v1 ]
The maximum size of an SNMP packet that the device can receive or send is set.
By default, the maximum size of an SNMP packet that the device can receive or send is 1500
bytes.
After the maximum size is set, the device discards any SNMP packet that is larger than the set
size.
Step 8 Run:
commit
----End
Follow-up Procedure
After the configuration is complete, basic communication can be established between the NM
station and managed device.
l Access control allows any NM station that uses the community name to monitor and manage
all the objects on the managed device.
l The managed device sends alarms generated by the modules that are enabled by default to
the NM station.
If finer device management is required, follow the directions below to configure a managed device:
l To allow a specified NM station that uses the community name to manage specified objects
on the device, follow the procedure described in Controlling the NM Station's Access to
the Device.
l To allow a specified module on the managed device to report alarms to the NM station,
follow the procedure described in Configuring the Trap Function.
Context
If a device is managed by multiple NM stations that use the same community name, note the
following points:
l If all the NM stations need to have rights to access the objects in the Viewdefault view
(1.3.6.1), skip the following steps.
l If some of the NM stations need to have rights to access the objects in the Viewdefault view
(1.3.6.1), skip Step 5.
l If all the NM stations need to manage specified objects on the device, skip Step 2,
Step 3, and Step 4.
l If some of the NM stations need to manage specified objects on the device, perform all the
following steps.
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
A basic ACL is created to filter the NM station users that can manage the device.
Step 3 Run:
rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard |
any }
----End
Follow-up Procedure
After the access rights are configured, especially after the IP address of the NM station is
specified, if the IP address changes (for example, the NM station changes its location, or IP
addresses are reallocated due to network adjustment), you need to change the IP address of the
NM station in the ACL. Otherwise, the NM station cannot access the device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap enable
Step 3 Run:
snmp-agent trap enable feature-name feature-name trap-name trap-name
A trap function of a feature module is enabled. This means that an alarm of a specified feature
can be sent to the NM station.
NOTE
If the snmp-agent trap enable command is run to enable the trap functions of all modules, or the
snmp-agent trap enable feature-name command is run to enable three or more trap functions of a
module, note the following points:
l To disable the trap functions of all modules, you need to run the snmp-agent trap disable command.
l To restore the trap functions of all modules to the default status, you need to run the undo snmp-agent
trap enable or undo snmp-agent trap disable command.
l To disable one trap function of a module, you need to run the undo snmp-agent trap enable
feature-name command.
Step 4 Run:
snmp-agent trap source interface-type interface-number
After the source interface is specified, its IP address becomes the source IP address of trap
messages. Specifying the local loopback interface as the source interface is
recommended to ensure device security.
The source interface specified on the router for trap messages must be consistent with that
specified on the NM station; otherwise, the NM station does not accept the trap messages sent
from the router.
Step 5 Run:
commit
----End
Prerequisite
The configurations of basic SNMPv1 functions are complete.
Procedure
l Run the display snmp-agent community command to check the configured community
name.
l Run the display snmp-agent sys-info version command to check the enabled SNMP
version.
l Run the display acl acl-number command to check the rules in the specified ACL.
l Run the display snmp-agent mib-view command to check the MIB view.
l Run the display snmp-agent sys-info contact command to check the equipment
administrator's contact information.
l Run the display snmp-agent sys-info location command to check the location of the
router.
l Run the display current-configuration | include max-size command to check the
allowable maximum size of an SNMP packet.
l Run the display current-configuration | include trap command to check trap
configuration.
l Run the display snmp-agent vacmgroup command to check all the configured
View-based Access Control Model (VACM) groups.
l Run the display snmp-agent target-host command to check information about the target
host.
----End
Example
When the configuration is complete, run the display snmp-agent community command. You
can view the configured community name.
<HUAWEI> display snmp-agent community
Community name:public
Group name:public
Storage-type: nonVolatile
Community name:private
Group name:private
Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. You can view the SNMP version
running on the agent.
<HUAWEI> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv1 SNMPv3
Run the display acl acl-number command. You can view the rules in the specified ACL.
<HUAWEI> display acl 2000
Run the display snmp-agent mib-view command. You can view the MIB view.
<HUAWEI> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active
View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpCommunityMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
Run the display snmp-agent sys-info contact command. You can view the equipment
administrator's contact information.
<HUAWEI> display snmp-agent sys-info contact
The contact person for this managed node:
R&D Beijing, Huawei Technologies co.,Ltd.
Run the display snmp-agent sys-info location command. You can view the location of the
device.
<HUAWEI> display snmp-agent sys-info location
The physical location of this node:
Beijing China
Run the display current-configuration | include max-size command. You can view the
allowable maximum size of an SNMP packet.
<HUAWEI> display current-configuration | include max-size
snmp-agent packet max-size 1800
Run the display current-configuration | include trap command. You can view trap
configuration.
<HUAWEI> display current-configuration | include trap
snmp-agent trap source Ethernet 3/0/7
snmp-agent target-host host-name targetHost_1_25846 trap ipv6 address udp-domain
1:1::1:1 udp-port 111 params securityname htipl
snmp-agent target-host host-name targetHost_2_51321 trap address udp-domain 1.1.
1.1 params securityname htipl
snmp-agent trap enable
Run the display snmp-agent target-host command. You can view information about the target
host.
<HUAWEI> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
Host-name : targetHost_1_55062
IP-address : 10.18.27.183
VPN instance : -
Security name : public
Port : 162
Type : trap
Version : v1
Level : No authentication and privacy
NMS type : NMS
-----------------------------------------------------------
Target-host NO. 2
-----------------------------------------------------------
Host-name : targetHost_2_25846
IP-address : 10.18.27.184
VPN instance : -
Security name : private
Port : 162
Type : trap
Version : v1
Level : No authentication and privacy
NMS type : HW NMS
-----------------------------------------------------------
Applicable Environment
SNMP has to be deployed in a network to allow the NMS to manage network devices.
If your network is of a large scale with many devices and its security requirements are not strict
or the network is secure (for example, a VPN network) but services on the network are so busy
that traffic congestion may occur, then the SNMPv2c can be deployed to ensure communication
between the NM station and managed devices.
Pre-configuration Tasks
Before configuring a device to communicate with an NM station by running SNMPv2c,
configure a routing protocol to ensure that at least one route exists between the router and the
NM station.
Configuration Procedure
Context
Steps 3, 4, and 5 are mandatory for the configuration of basic SNMP functions. After the
configuration is complete, basic SNMP communication can be established between the NM
station and managed device.
Procedure
Step 1 Run:
system-view
By default, the SNMP agent function is disabled. Running the snmp-agent command with
any parameters enables the SNMP agent function.
Step 3 Run:
snmp-agent sys-info version v2c
– To configure a destination IP address for the informs and error codes sent from the device,
run:
snmp-agent target-host inform address udp-domain ip-address [ udp-port port-
number ] [ vpn-instance vpn-instance-name ] params securityname security-
name [ v2c ]
The udp-port parameter can be used to specify a non-well-known UDP port number. This
ensures communication between the NM station and managed device.
– public-net: If the alarms sent from the managed device to the NM station need to be
transmitted over a public network, the parameter public-net needs to be configured.
– vpn-instance: If the alarms sent from the managed device to the NM station need to be
transmitted over a private network, the parameter vpn-instance vpn-instance-name needs
to be used to specify a VPN that takes over the sending task.
– securityname: Identifies the alarm sender, which helps you learn the alarm source.
l To configure a destination IPv6 address for the alarms and error codes sent from the device,
run:
snmp-agent target-host trap ipv6 { address udp-domain ipv6-address } [ udp-port
port-number ] params securityname security-name [ v2c ]
NOTE
This step is required for the NMS administrator to view contact information and locations of the
equipment administrator when the NM station manages many devices. This helps the NMS
administrator to contact the equipment administrators for fault location and rectification.
The maximum size of an SNMP packet that the device can receive or send is set.
By default, the maximum size of an SNMP packet that the device can receive or send is 1500
bytes.
After the maximum size is set, the device discards any SNMP packet that is larger than the set
size.
Step 8 Run:
commit
----End
Follow-up Procedure
After the configuration is complete, basic communication can be conducted between the NM
station and managed device.
l Access control allows any NM station that uses the community name to monitor and manage
all the objects on the managed device.
l The managed device sends alarms generated by the modules that are open by default to the
NM station.
If finer device management is required, follow directions below to configure the managed
device:
l To allow a specified NM station that uses the community name to manage specified objects
of the device, follow the procedure described in Controlling the NM Station's Access to
the Device.
l To allow a specified module on the managed device to report alarms to the NM station,
follow the procedure described in Configuring the Trap Function or Configuring the
Inform Function.
Context
If a device is managed by multiple NM stations that use the same community name, note the
following points:
l If all the NM stations need to have rights to access the objects in the Viewdefault view,
skip the following steps.
l If some of the NM stations need to have rights to access the objects in the Viewdefault
view, skip Step 5.
l If all the NM stations need to manage specified objects on the device, skip Step 2, Step
3, and Step 4.
l If some of the NM stations need to manage specified objects on the device, perform all the
following steps.
Procedure
Step 1 Run:
system-view
A basic ACL is created to filter the NM station users that can manage the device.
Step 3 Run:
rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard |
any }
----End
Follow-up Procedure
After the access rights are configured, especially after the IP address of the NM station is
specified, if the IP address changes (for example, the NM station changes its location, or IP
addresses are reallocated due to network adjustment), you need to change the IP address of the
NM station in the ACL. Otherwise, the NM station cannot access the device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap enable
Step 3 Run:
snmp-agent trap enable feature-name feature-name trap-name trap-name
A trap function of a feature module is enabled. This means that an alarm of a specified feature
can be sent to the NM station.
NOTE
If the snmp-agent trap enable command is run to enable the trap functions of all modules, or the
snmp-agent trap enable feature-name command is run to enable three or more trap functions of a
module, note the following points:
l To disable the trap functions of all modules, you need to run the snmp-agent trap disable command.
l To restore the trap functions of all modules to the default status, you need to run the
undo snmp-agent trap enable or undo snmp-agent trap disable command.
l To disable one trap function of a module, you need to run the
undo snmp-agent trap enable feature-name command.
Step 4 Run:
snmp-agent trap source interface-type interface-number
After the source interface is specified, its IP address becomes the source IP address of trap
messages. Using the local loopback interface as the source interface is recommended because
it helps ensure device security.
The source interface specified on the router for trap messages must be consistent with that
specified on the NM station; otherwise, the NM station does not accept the trap messages sent
from the router.
Step 5 Run:
commit
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent target-host [ host-name host-name ] inform address udp-domain ip-
address [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params
securityname security-name [ v2c | v3 [ authentication | privacy ] ]
NOTE
The IP address of the target host in this command must be an IPv4 address.
The timeout period for waiting for inform Ack messages, the number of times to resend informs,
and the maximum number of pending informs (informs that need to be acknowledged) are set.
By default, the timeout period for inform Ack messages is 15 seconds, the number of times to
resend informs is 3, and the maximum count of pending informs is 39.
NOTE
If the network is unstable, you need to increase the timeout period. At the same time, you need to increase
the number of times to resend informs and the maximum count of pending informs.
Step 4 Run:
snmp-agent inform { timeout seconds | resend-times times } * [ host-name host-name
| address udp-domain ip-address [ vpn-instance vpn-instance-name ] params
securityname security-name ]
The timeout period for waiting for inform Ack messages and the number of times to resend
informs are set.
By default, the timeout period for waiting for inform Ack messages is 15 seconds and the number
of times to resend informs is 3.
Step 5 Run:
commit
----End
Prerequisite
The configurations of basic SNMPv2c functions are complete.
Procedure
l Run the display snmp-agent community command to check the configured community
name.
l Run the display snmp-agent sys-info version command to check the enabled SNMP
version.
l Run the display acl acl-number command to check the rules in the specified ACL.
l Run the display snmp-agent mib-view command to check the MIB view.
l Run the display snmp-agent sys-info contact command to check the equipment
administrator's contact information.
l Run the display snmp-agent sys-info location command to check the location of the
router.
l Run the display current-configuration | include max-size command to check the
allowable maximum size of an SNMP packet.
l Run the display current-configuration | include trap command to check trap
configuration.
l Run the display snmp-agent target-host command to check information about the target
host.
l Run the display snmp-agent inform command to check inform parameters of all target
hosts.
l Run the display snmp-agent vacmgroup command to check all the configured
View-based Access Control Model (VACM) groups.
----End
Example
When the configuration is complete, run the display snmp-agent community command. You
can view the configured community name.
<HUAWEI> display snmp-agent community
Community name:public
Group name:public
Storage-type: nonVolatile
Community name:private
Group name:private
Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. You can view the SNMP version
running on the agent.
<HUAWEI> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv1 SNMPv3
Run the display acl acl-number command. You can view the rules in the specified ACL.
<HUAWEI> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 1.1.1.1 0 (0 times matched)
Run the display snmp-agent mib-view command. You can view the MIB view.
<HUAWEI> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active
View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
Run the display snmp-agent sys-info contact command. You can view the equipment
administrator's contact information.
<HUAWEI> display snmp-agent sys-info contact
The contact person for this managed node:
R&D Beijing, Huawei Technologies co.,Ltd.
Run the display snmp-agent sys-info location command. You can view the location of the
device.
<HUAWEI> display snmp-agent sys-info location
The physical location of this node:
Beijing China
Run the display current-configuration | include max-size command. You can view the
allowable maximum size of an SNMP packet.
<HUAWEI> display current-configuration | include max-size
snmp-agent packet max-size 1800
Run the display current-configuration | include trap command. You can view trap
configuration.
<HUAWEI> display current-configuration | include trap
snmp-agent trap source Ethernet 3/0/7
snmp-agent target-host host-name targetHost_1_25846 trap ipv6 address udp-domain
1:1::1:1 udp-port 111 params securityname htipl
snmp-agent target-host host-name targetHost_2_51321 trap address udp-domain 1.1.
1.1 params securityname htipl
snmp-agent trap enable
Run the display snmp-agent target-host command. You can view information about the target
host.
<HUAWEI> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
Host-name : targetHost_1_55062
IP-address : 10.18.27.183
VPN instance : -
Security name : public
Port : 162
Type : inform
Version : v2c
Level : No authentication and privacy
NMS type : NMS
-----------------------------------------------------------
Target-host NO. 2
-----------------------------------------------------------
Host-name : targetHost_2_25846
IP-address : 10.18.27.184
VPN instance : -
Security name : private
Port : 162
Type : trap
Version : v2c
Level : No authentication and privacy
NMS type : HW NMS
-----------------------------------------------------------
Run the display snmp-agent inform command. You can view the configuration of inform
notifications.
Applicable Environment
The NM station manages a device in the following ways:
l Sends requests to the managed device to perform the GetRequest, GetNextRequest,
GetResponse, GetBulk, or SetRequest operation, obtaining data or setting values.
l Receives alarms (traps or informs) from the managed device to locate and handle device
faults based on the alarm information.
Pre-configuration Tasks
Before configuring a device to communicate with an NM station by running SNMPv3, configure
a routing protocol to ensure that at least one route exists between the router and the NM station.
Configuration Procedure
Context
Steps 4, 5, and 6 are mandatory for the configuration of basic SNMP functions. After the
configuration is complete, basic SNMP communication can be established between the NM
station and managed device.
Procedure
Step 1 Run:
system-view
l To configure a destination IPv4 address for the alarms and error codes sent from the device,
run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-
number ] [ public-net | vpn-instance vpn-instance-name ] params securityname
security-name [ v3 [ authentication | privacy ] ] [ private-netmanager ]
l To configure a destination IPv6 address for the alarms and error codes sent from the device,
run:
snmp-agent target-host trap ipv6 address udp-domain ip-address [ udp-port port-
number ] params securityname security-name [ v3 [ authentication | privacy ] ]
The maximum size of an SNMP packet that the device can receive or send is set.
By default, the maximum size of an SNMP packet that the device can receive or send is 1500
bytes.
After the maximum size is set, the device discards any SNMP packet that is larger than the set
size.
Step 10 Run:
commit
----End
Follow-up Procedure
After these steps are complete, basic communication is established between the NM station and
the managed device.
l Access control allows any NM station in the configured SNMPv3 user group to monitor
and manage all the objects on the managed device.
l The managed device sends alarms generated by the modules that are open by default to the
NM station.
If finer device management is required, follow directions below to configure the managed
device:
l To allow a specified NM station in an SNMPv3 user group to manage specified objects of
the device, follow the procedure described in Controlling the NM Station's Access to the
Device.
l To allow a specified module on the managed device to report alarms to the NM station,
follow the procedure described in Configuring the Trap Function or Configuring the
Inform Function.
Context
If a device is managed by multiple NM stations that are in the same SNMPv3 user group, note
the following points:
l If all the NM stations need to have rights to access the objects in the Viewdefault view,
skip the following steps.
l If some of the NM stations need to have rights to access the objects in the Viewdefault
view, skip Step 5.
l If all the NM stations need to manage specified objects on the device, skip Step 2, Step
3, and Step 4.
l If some of the NM stations need to manage specified objects on the device, perform all the
following steps.
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
A basic ACL is created to filter the NM station users that can manage the device.
Step 3 Run:
rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard |
any }
Step 4 Run:
commit
Step 5 Run:
quit
The read and write permission is configured for the user group.
l read-view needs to be configured in the command if the NM station administrator needs the
read permission in the specified view in some cases. For example, a low-level administrator
needs to read certain data. write-view needs to be configured in the command if the NM
station administrator needs the read and write permissions in the specified view in some
cases. For example, a high-level administrator needs to read and write certain data.
l notify-view needs to be configured in the command if you want to filter out irrelevant alarms
and configure the managed device to send only the alarms of specified MIB objects to the
NM station. If the parameter is configured, only the alarms of the MIB objects specified by
notify-view are sent to the NM station.
l authentication or privacy can be configured in the command to improve security. If
authentication is configured, only authentication is performed. If privacy is configured,
both authentication and privacy are performed.
l If some NM stations that are in the same SNMPv3 user group need to have rights to access
the objects in the Viewdefault view, [ read-view read-view | write-view write-view | notify-
view notify-view ] does not need to be configured in the command.
l acl: If all the NM stations that are in the same SNMPv3 user group need to manage specified
objects on the device, acl acl-number does not need to be configured in the command.
If some of the NM stations that are in the same SNMPv3 user group need to manage specified
objects on the device, then mib-view and acl need to be configured in the command.
Step 8 Run:
commit
----End
Follow-up Procedure
After the access rights are configured, especially after the IP address of the NM station is
specified, if the IP address changes (for example, the NM station changes its location, or IP
addresses are reallocated due to network adjustment), you need to change the IP address of the
NM station in the ACL. Otherwise, the NM station cannot access the device.
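The effect described in this Follow-up Procedure, as an added example (not Huawei's code and not part of the original manual): a Python evaluator for basic ACL rules in the `rule ... source ip wildcard` form, run against ACL 2001 from this page's configuration examples. Assumptions: rules are matched in ascending rule-ID order, and a source that matches no rule is refused, which is the behaviour the paragraph above implies; the relocated address 1.1.4.2 is constructed.

```python
import ipaddress
import re

# ACL from this page's configuration file (NMS2 = 1.1.1.2, NMS1 = 1.1.1.1).
PAGE_ACL = """\
acl number 2001
 rule 5 permit source 1.1.1.2 0.0.0.0
 rule 6 deny source 1.1.1.1 0.0.0.0
"""

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+source\s+"
    r"(?:any\b|(?P<ip>\S+)\s+(?P<wild>\S+))"
)


def _wildcard(text):
    # "display acl" prints the host wildcard 0.0.0.0 as a bare "0".
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_rules(acl_text):
    """Return [(rule_id, action, base, wildcard)] sorted by rule ID."""
    rules = []
    for line in acl_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # ACL header, comments, blank lines
        if m["ip"] is None:  # "source any": every bit is "don't care"
            base, wild = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(m["ip"]))
            wild = _wildcard(m["wild"])
        rules.append((int(m["id"]), m["action"], base, wild))
    return sorted(rules)


def evaluate(rules, source_ip):
    """Return (action, rule_id) for an NM station address.

    A wildcard bit of 1 means "ignore this bit", so only the bits where the
    wildcard is 0 are compared. No match falls through to deny (assumption
    taken from the page: an NM station whose address is not in the ACL
    cannot access the device).
    """
    src = int(ipaddress.IPv4Address(source_ip))
    for rule_id, action, base, wild in rules:
        care = ~wild & 0xFFFFFFFF
        if (src & care) == (base & care):
            return action, rule_id
    return "deny", None


def permitted_span(rules):
    """Number of addresses each permit rule can match (shadowing ignored)."""
    return {
        rule_id: 2 ** bin(wild).count("1")
        for rule_id, action, _, wild in rules
        if action == "permit"
    }


if __name__ == "__main__":
    rules = parse_rules(PAGE_ACL)
    for station, address in [("NMS2", "1.1.1.2"), ("NMS1", "1.1.1.1"),
                             ("NMS2 after renumbering", "1.1.4.2")]:
        print(station, address, evaluate(rules, address))
    print("addresses covered per permit rule:", permitted_span(rules))
```

A permit rule whose span is much larger than the number of NM stations is worth reviewing before the ACL is bound to a community or user group.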
Procedure
Step 1 Run:
system-view
Authentication and privacy are configured for SNMPv3 users in a user group.
Step 9 Run:
commit
----End
Procedure
Step 1 Run:
system-view
A trap function of a feature module is enabled. This means that an alarm of a specified feature
can be sent to the NM station.
NOTE
If the snmp-agent trap enable command is run to enable the trap functions of all modules, or the
snmp-agent trap enable feature-name command is run to enable three or more trap functions of a
module, note the following points:
l To disable the trap functions of all modules, you need to run the snmp-agent trap disable command.
l To restore the trap functions of all modules to the default status, you need to run the
undo snmp-agent trap enable or undo snmp-agent trap disable command.
l To disable one trap function of a module, you need to run the
undo snmp-agent trap enable feature-name command.
Step 4 Run:
snmp-agent trap source interface-type interface-number
----End
Procedure
Step 1 Run:
system-view
NOTE
The IP address of the target host in this command must be an IPv4 address.
The timeout period for waiting for inform Ack messages, the number of times to resend informs,
and the maximum number of pending informs (informs that need to be acknowledged) are set.
By default, the timeout period for inform Ack messages is 15 seconds, the number of times to
resend informs is 3, and the maximum count of pending informs is 39.
NOTE
If the network is unstable, you need to increase the timeout period. At the same time, you need to increase
the number of times to resend informs and the maximum count of pending informs.
Step 4 Run:
The timeout period for waiting for inform Ack messages and the number of times to resend
informs are set.
By default, the timeout period for waiting for inform Ack messages is 15 seconds and the number
of times to resend informs is 3.
Step 5 Run:
commit
----End
Prerequisite
The configurations of basic SNMPv3 functions are complete.
Procedure
l Run the display snmp-agent usm-user [ engineid engineid | group group-name |
username user-name ] * command to check user information.
l Run the display snmp-agent sys-info version command to check the enabled SNMP
version.
l Run the display acl acl-number command to check the rules in the specified ACL.
l Run the display snmp-agent mib-view command to check the MIB view.
l Run the display snmp-agent sys-info contact command to check the equipment
administrator's contact information.
l Run the display snmp-agent sys-info location command to check the location of the
router.
l Run the display current-configuration | include max-size command to check the
allowable maximum size of an SNMP packet.
l Run the display current-configuration | include trap command to check trap
configuration.
l Run the display snmp-agent target-host command to check information about target
hosts.
l Run the display snmp-agent inform [ host-name host-name | [ address udp-domain ip-
address [ vpn-instance vpn-instance-name ] params securityname security-name ] ]
command to check inform parameters of all target hosts or a specified target host and
information about host statistics.
l Run the display snmp-agent vacmgroup command to check all the configured
View-based Access Control Model (VACM) groups.
----End
Example
Run the display snmp-agent usm-user command. You can view SNMP user information.
<HUAWEI> display snmp-agent usm-user
User name: John
Engine ID: 800007DB03360102101100 active
Authentication Protocol: md5
Privacy Protocol: des56
Group-name: group1
Run the display snmp-agent sys-info version command. You can view the SNMP version
running on the agent.
<HUAWEI> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv3
Run the display acl acl-number command. You can view the rules in the specified ACL.
<HUAWEI> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 1.1.1.1 0 (0 times matched)
Run the display snmp-agent mib-view command. You can view the MIB view.
<HUAWEI> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active
View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpCommunityMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
Run the display snmp-agent sys-info contact command. You can view the equipment
administrator's contact information.
<HUAWEI> display snmp-agent sys-info contact
The contact person for this managed node:
R&D Beijing, Huawei Technologies co.,Ltd.
Run the display snmp-agent sys-info location command. You can view the location of the
device.
<HUAWEI> display snmp-agent sys-info location
The physical location of this node:
Beijing China
Run the display current-configuration | include max-size command. You can view the
allowable maximum size of an SNMP packet.
<HUAWEI> display current-configuration | include max-size
snmp-agent packet max-size 1800
Run the display current-configuration | include trap command. You can view trap
configuration.
<HUAWEI> display current-configuration | include trap
snmp-agent trap source Ethernet 3/0/7
snmp-agent target-host host-name targetHost_1_25846 trap ipv6 address udp-domain
1:1::1:1 udp-port 111 params securityname htipl
snmp-agent target-host host-name targetHost_2_51321 trap address udp-domain 1.1.
1.1 params securityname htipl
snmp-agent trap enable
Run the display snmp-agent target-host command. You can view information about the target
host.
<HUAWEI> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
Host-name : targetHost_1_55062
IP-address : 10.18.27.183
VPN instance : -
Security name : public
Port : 162
Type : inform
Version : v3
Level : No authentication and privacy
NMS type : NMS
-----------------------------------------------------------
Target-host NO. 2
-----------------------------------------------------------
Host-name : targetHost_2_25846
IP-address : 10.18.27.184
VPN instance : -
Security name : private
Port : 162
Type : trap
Version : v3
Level : No authentication and privacy
NMS type : HW NMS
-----------------------------------------------------------
Run the display snmp-agent inform command. You can view the configuration of inform
notifications.
<HUAWEI> display snmp-agent inform
Global config: resend-times 3, timeout 15s, pending 39
Global status: current notification count 0
Target-host ID: Host name/VPN instance/IP-Address/Security name
targetHost_1_36305/-/1.2.1.2/public:
Config: resend-times 3, timeout 15s
Status: retries 0, pending 0, sent 0, dropped 0, failed 0, confirmed 0
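In the SNMPv3 example output above, both target hosts are listed at the level "No authentication and privacy" and user John uses md5 and des56. The following added example (not Huawei's code and not part of the original manual) parses the display snmp-agent target-host and display snmp-agent usm-user output in the format shown on this page and reports those conditions; the finding codes are constructed names.

```python
# Output copied from this page's SNMPv3 verification example.
TARGET_HOST_OUTPUT = """\
Target-host NO. 1
-----------------------------------------------------------
Host-name : targetHost_1_55062
IP-address : 10.18.27.183
VPN instance : -
Security name : public
Port : 162
Type : inform
Version : v3
Level : No authentication and privacy
NMS type : NMS
-----------------------------------------------------------
Target-host NO. 2
-----------------------------------------------------------
Host-name : targetHost_2_25846
IP-address : 10.18.27.184
VPN instance : -
Security name : private
Port : 162
Type : trap
Version : v3
Level : No authentication and privacy
NMS type : HW NMS
-----------------------------------------------------------
"""

USM_USER_OUTPUT = """\
User name: John
Engine ID: 800007DB03360102101100 active
Authentication Protocol: md5
Privacy Protocol: des56
Group-name: group1
"""


def parse_records(text, start_marker):
    """Split 'key : value' display output into one dict per record.

    A new record starts at every line beginning with start_marker. Values
    are split on the first colon only, so IPv6 addresses stay intact.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(start_marker):
            current = {}
            records.append(current)
        if current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    return records


def audit_target_hosts(text):
    """Flag notification targets that receive unprotected traps or informs."""
    findings = []
    for host in parse_records(text, "Target-host NO."):
        name = host.get("host-name", "?")
        if host.get("version") in ("v1", "v2c"):
            # v1/v2c carry the community name in cleartext.
            findings.append((name, "cleartext-community"))
        if host.get("level", "").lower().startswith("no authentication"):
            findings.append((name, "no-auth-no-priv"))
    return findings


def audit_users(text):
    """Flag SNMPv3 users configured with MD5 authentication or DES privacy."""
    findings = []
    for user in parse_records(text, "User name"):
        name = user.get("user name", "?")
        if user.get("authentication protocol", "").lower() == "md5":
            findings.append((name, "auth-md5"))
        if user.get("privacy protocol", "").lower() == "des56":
            findings.append((name, "priv-des56"))
    return findings


if __name__ == "__main__":
    for finding in audit_target_hosts(TARGET_HOST_OUTPUT) + audit_users(USM_USER_OUTPUT):
        print(finding)
```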
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. In the multi-chassis scenario, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-7, two NM stations (NMS1 and NMS2) and the router are connected
across a public network. According to the network planning, NMS2 can manage every MIB
object except HGMP on the router, and NMS1 does not manage the router.
On the router, only the modules that are enabled by default are allowed to send alarms to NMS2.
This prevents an excess of unwanted alarms from being sent to NMS2. Excessive alarms make
fault location difficult.
Contact information of the equipment administrator needs to be configured on the router. This
helps the NMS administrator to contact the equipment administrator if a fault occurs.
Figure 3-7 Networking diagram for configuring a device to communicate with an NM station
by using SNMPv1
[Figure: NMS1 (1.1.1.1/24) and NMS2 (1.1.1.2/24) connect through an IP network to GE1/0/0 (1.1.2.1/24) on the router.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the SNMP agent.
2. Configure the router to run SNMPv1.
3. Configure an ACL to allow NMS2 to manage every MIB object except HGMP on the
router.
4. Configure the trap function to allow the router to send alarms to NMS2.
5. Configure the contact information of the equipment administrator on the router.
6. Configure NMS2.
Data Preparation
To complete the configuration, you need the following data:
l SNMP version
l Community name
l ACL number
l IP address of the NM station
l Contact information of the equipment administrator
Procedure
Step 1 Configure available routes between the router and the NM stations. Details for the configuration
procedure are not provided here.
Step 2 Enable the SNMP agent.
<HUAWEI> system-view
[~HUAWEI] snmp-agent
[~HUAWEI] commit
# Configure a MIB view and allow NMS2 to manage every MIB object except HGMP on the
router.
[~HUAWEI] snmp-agent mib-view excluded allexthgmp 1.3.6.1.4.1.2011.6.7
[~HUAWEI] commit
# Configure a community name to allow NMS2 to manage the objects in the MIB view.
----End
Configuration Files
Configuration file of the router
#
acl number 2001
rule 5 permit source 1.1.1.2 0.0.0.0
rule 6 deny source 1.1.1.1 0.0.0.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.2.1 255.255.255.0
#
interface loopback0
ip address 1.1.3.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
network 1.1.3.1 0.0.0.0
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write adminnms2 mib-view allexthgmp acl 2001
#
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname
1.1.3.1
#
snmp-agent mib-view excluded allexthgmp hwCluster
#
snmp-agent trap enable
#
return
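An added example (not Huawei's code and not part of the original manual): a Python audit of a configuration file in the format shown above, checking the points this chapter makes about community access control, ACL binding, SNMP version and trap source interface. PAGE_CONFIG is the file above trimmed to the lines the audit reads; WEAK_CONFIG and the finding codes are constructed for contrast.

```python
import re

# Configuration file from this page (SNMPv1 example), trimmed.
PAGE_CONFIG = """\
#
acl number 2001
 rule 5 permit source 1.1.1.2 0.0.0.0
 rule 6 deny source 1.1.1.1 0.0.0.0
#
interface loopback0
 ip address 1.1.3.1 255.255.255.255
#
snmp-agent
snmp-agent community write adminnms2 mib-view allexthgmp acl 2001
snmp-agent sys-info version v1 v3
snmp-agent mib-view excluded allexthgmp hwCluster
snmp-agent trap enable
#
return
"""

# Constructed weak configuration (not from the page).
WEAK_CONFIG = """\
snmp-agent
snmp-agent community read public
snmp-agent community write private acl 2000
snmp-agent sys-info version v2c
snmp-agent trap source Ethernet 3/0/7
"""


def parse_acls(lines):
    """Map ACL number -> list of its rule lines."""
    acls, current = {}, None
    for line in lines:
        header = re.fullmatch(r"acl (?:number )?(\d+)", line)
        if header:
            current = acls.setdefault(header[1], [])
        elif current is not None and line.startswith("rule "):
            current.append(line)
        else:
            current = None  # any other line ends the ACL section
    return acls


def option(tokens, key):
    """Value that follows `key` in a token list, or None."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else None


def audit_community(access, name, tokens, acls):
    out = []
    acl, view = option(tokens, "acl"), option(tokens, "mib-view")
    if name in ("public", "private"):
        out.append(("default-community", name))
    if acl is None:
        # Any NM station that knows the community name is accepted.
        out.append(("community-no-acl", name))
    elif acl not in acls:
        out.append(("acl-undefined", acl))
    elif any(re.search(r"\bpermit source any\b", rule) for rule in acls[acl]):
        out.append(("acl-permit-any", acl))
    if access == "write" and view is None:
        # Write access is not restricted to a named MIB view.
        out.append(("write-full-view", name))
    return out


def audit(config):
    """Return a list of (code, detail) findings for one configuration file."""
    lines = [raw.strip() for raw in config.splitlines() if raw.strip()]
    acls = parse_acls(lines)
    findings, trap_source = [], None
    for line in lines:
        m = re.fullmatch(r"snmp-agent sys-info version (.+)", line)
        if m:
            weak = [v for v in m[1].split() if v in ("v1", "v2c")]
            if weak:  # v1/v2c send the community name in cleartext
                findings.append(("cleartext-version", " ".join(weak)))
            continue
        m = re.fullmatch(r"snmp-agent community (read|write) (\S+)(.*)", line)
        if m:
            findings += audit_community(m[1], m[2], m[3].split(), acls)
            continue
        m = re.fullmatch(r"snmp-agent trap source (.+)", line)
        if m:
            trap_source = m[1]
    if trap_source is None:
        findings.append(("trap-source-unset", ""))
    elif not trap_source.lower().startswith("loopback"):
        # The manual recommends a loopback interface as the trap source.
        findings.append(("trap-source-not-loopback", trap_source))
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        for code, detail in audit(text):
            print(f"{label}: {code} {detail}".rstrip())
```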
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. In the multi-chassis scenario, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-8, two NM stations (NMS1 and NMS2) and the router are connected
across a public network. According to the network planning, NMS2 can manage every MIB
object except HGMP on the router, and NMS1 does not manage the router.
On the router, only the modules that are enabled by default are allowed to send alarms to NMS2.
This prevents an excess of unwanted alarms from being sent to NMS2. Excessive alarms can
make fault location difficult. Informs need to be used to ensure that alarms are received by NMS2
because alarms sent by the router have to travel across the public network to reach NMS2.
Contact information of the equipment administrator needs to be configured on the router. This
helps the NMS administrator to contact the equipment administrator if a fault occurs.
Figure 3-8 Networking diagram for configuring a device to communicate with an NM station by using SNMPv2c
(Diagram labels: NMS1, 1.1.1.1/24; NMS2, 1.1.1.2/24; Router, GE1/0/0, 1.1.2.1/24; IP Network.)
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
- SNMP version
- Community name
- ACL number
- IP address of the NM station
- Contact information of the equipment administrator
Procedure
Step 1 Configure available routes between the router and the NM stations. Details for the configuration
procedure are not provided here.
Step 2 Enable the SNMP agent.
<HUAWEI> system-view
[~HUAWEI] snmp-agent
[~HUAWEI] commit
# Configure a community name to allow NMS2 to manage the objects in the MIB view.
[~HUAWEI] snmp-agent community write adminnms2 mib-view allexthgmp acl 2001
[~HUAWEI] commit
----End
Configuration Files
Configuration file of the router
#
acl number 2001
rule 5 permit source 1.1.1.2 0.0.0.0
rule 6 deny source 1.1.1.1 0.0.0.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. In the multi-chassis scenario, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-9, two NM stations (NMS1 and NMS2) and the router are connected
across a public network. According to the network planning, NMS2 can manage every MIB
object except HGMP on the router, and NMS1 does not manage the router.
On the router, only the modules that are enabled by default are allowed to send alarms to NMS2.
This prevents an excess of unwanted alarms from being sent to NMS2. Excessive alarms can
make fault location difficult.
The data transmitted between NMS2 and the router needs to be encrypted and the NMS
administrator needs to be authenticated because the data has to travel across the public network.
Contact information of the equipment administrator needs to be configured on the router. This
helps the NMS administrator to contact the equipment administrator if a fault occurs.
Figure 3-9 Networking diagram for configuring a device to communicate with an NM station by using SNMPv3
(Diagram labels: NMS1, 1.1.1.1/24; NMS2, 1.1.1.2/24; Router, GE1/0/0, 1.1.2.1/24; IP Network.)
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
- SNMP version
- User group name
- User name and password
- Authentication and privacy algorithms
- ACL number
- IP address of the NM station
- Contact information of the equipment administrator
Procedure
Step 1 Configure available routes between the router and the NM stations. Details for the configuration
procedure are not provided here.
# Configure an SNMPv3 user group and add a user to the group, and configure authentication
for the NMS administrator and privacy for the data transmitted between the router and NMS2.
[~HUAWEI] snmp-agent usm-user v3 nms2-admin admin authentication-mode md5 87654321 privacy-mode des56 87654321
[~HUAWEI] snmp-agent group v3 admin privacy write-view allexthgmp acl 2001
[~HUAWEI] commit
Writeview: allexthgmp
Notifyview :<no specified>
Storage-type: nonVolatile
Acl:2001
----End
Configuration Files
Configuration file of the router
#
acl number 2001
rule 5 permit source 1.1.1.2 0.0.0.0
rule 6 deny source 1.1.1.1 0.0.0.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.2.1 255.255.255.0
#
interface loopback0
ip address 1.1.3.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
network 1.1.3.1 0.0.0.0
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
#
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v3
snmp-agent group v3 admin privacy write-view allexthgmp acl 2001
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname 1.1.3.1 v3
#
snmp-agent mib-view excluded allexthgmp hwHgmp
snmp-agent usm-user v3 nms2-admin admin authentication-mode md5 `,+VK;'MYJF=,/<97^aP^1!! privacy-mode des56 `,+VK;'MYJF=,/<97^aP^1!!
#
return
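The following added example, which is not part of the original guide or of any Huawei tool, audits the SNMP lines of the configuration files shown in this chapter. It flags SNMPv1/v2c, write communities, MD5 authentication, DES56 privacy, identical authentication and privacy secrets, and SNMP access that is not limited to single hosts by an ACL. The finding codes and function names are assumptions of this example, and it parses only the command forms that appear in the files above.

```python
import re

LEGACY_VERSIONS = {"v1", "v2c"}  # community name crosses the network in cleartext
WEAK_AUTH = {"md5"}              # HMAC-MD5 authentication
WEAK_PRIV = {"des56"}            # 56-bit DES privacy

# Constructed samples: ACL and SNMP lines from the SNMPv1 and SNMPv3 configuration
# files above. CIPHER-PLACEHOLDER stands in for the stored cipher text.
ACL_2001 = """\
acl number 2001
rule 5 permit source 1.1.1.2 0.0.0.0
rule 6 deny source 1.1.1.1 0.0.0.0
#
"""
V1_CONFIG = ACL_2001 + """\
snmp-agent community write adminnms2 mib-view allexthgmp acl 2001
snmp-agent sys-info version v1 v3
"""
V3_CONFIG = ACL_2001 + """\
snmp-agent sys-info version v3
snmp-agent group v3 admin privacy write-view allexthgmp acl 2001
snmp-agent usm-user v3 nms2-admin admin authentication-mode md5 CIPHER-PLACEHOLDER privacy-mode des56 CIPHER-PLACEHOLDER
"""


def parse_acls(config):
    """Map ACL number -> list of (action, source, wildcard) rules."""
    acls, current = {}, None
    for line in map(str.strip, config.splitlines()):
        head = re.fullmatch(r"acl number (\d+)", line)
        rule = re.fullmatch(r"rule \d+ (permit|deny) source (\S+) (\S+)", line)
        if head:
            current = acls.setdefault(head.group(1), [])
        elif rule and current is not None:
            current.append(rule.groups())
        elif line == "#":
            current = None
    return acls


def following(tokens, keyword, count):
    """Return the `count` tokens after keyword, or None if they are not all present."""
    if keyword in tokens:
        i = tokens.index(keyword) + 1
        if i + count <= len(tokens):
            return tokens[i:i + count]
    return None


def acl_findings(tokens, acls, subject):
    """Check the ACL bound to a community or group."""
    bound = following(tokens, "acl", 1)
    if bound is None:
        return [("NO_ACL", f"{subject} is not restricted by an ACL")]
    rules = acls.get(bound[0])
    if rules is None:
        return [("ACL_UNDEFINED", f"{subject} uses ACL {bound[0]}, which is not defined")]
    if any(action == "permit" and wildcard != "0.0.0.0" for action, _, wildcard in rules):
        return [("ACL_WIDE", f"ACL {bound[0]} permits more than single hosts")]
    return []


def audit_snmp(config):
    """Return (code, detail) findings for the snmp-agent lines of a configuration."""
    acls, findings = parse_acls(config), []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "snmp-agent":
            continue
        if tok[1:3] == ["sys-info", "version"]:
            legacy = sorted(LEGACY_VERSIONS.intersection(tok[3:]))
            if legacy:
                findings.append(("LEGACY_VERSION", "enabled: " + " ".join(legacy)))
        elif tok[1] == "community":
            subject = f"community '{tok[3]}'"
            if tok[2] == "write":
                findings.append(("WRITE_COMMUNITY", f"{subject} grants write access"))
            findings += acl_findings(tok[4:], acls, subject)
        elif tok[1] == "group":
            subject = f"group '{tok[3]}'"
            if "privacy" not in tok[4:]:
                findings.append(("GROUP_NO_PRIVACY", f"{subject} does not require privacy"))
            findings += acl_findings(tok[4:], acls, subject)
        elif tok[1] == "usm-user":
            subject = f"user '{tok[3]}'"
            auth = following(tok, "authentication-mode", 2)
            priv = following(tok, "privacy-mode", 2)
            if auth and auth[0] in WEAK_AUTH:
                findings.append(("WEAK_AUTH", f"{subject} authenticates with {auth[0]}"))
            if priv and priv[0] in WEAK_PRIV:
                findings.append(("WEAK_PRIV", f"{subject} encrypts with {priv[0]}"))
            if auth and priv and auth[1] == priv[1]:
                findings.append(("SHARED_SECRET", f"{subject} stores identical auth and privacy secrets"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_snmp(V1_CONFIG) + audit_snmp(V3_CONFIG):
        print(code, detail)
```

ACL 2001 itself passes the check in both files because its only permit rule matches the single host 1.1.1.2.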
4 Log Management
Log management refines log classifications and effectively filters output information. Log
management allows you to set the maximum number of logs to be displayed, save logs to a local
log file, and configure logs to be output to a log host.
The following part describes the log classification, levels, and format.
Log Naming
As shown in Table 4-1, logs are divided into the following types.
Naming Description
Method
Log Format
Figure 4-1 shows the format in which logs are output.
<Int_16> (leading character): Indicates that a log will be sent to a log host. A log to be
saved on a local device does not have a leading character.
TIMESTAMP (timestamp): Indicates the time when a log is output. The value is in the
yyyy-mm-dd hh:mm:ss format:
- yyyy-mm-dd indicates the date.
- hh:mm:ss indicates the time. The value of hh (hour) ranges from 00 to 23.
The timestamp and the host name are separated by a space.
AAA (module name): Indicates the name of the module that outputs the log to the
information center.
YYYY (descriptor): Indicates the log contents that are output to the information center by
each module. The descriptor is filled in by each module every time a log is output.
Context
After a specified log is filtered out, the router no longer records or displays this log, or outputs
this log to a log host.
Procedure
Step 1 Run:
system-view
One or multiple logs specified in this command are filtered out. Log IDs or alias names in this
command must be separated by spaces.
Step 3 Run:
commit
----End
Applicable Environment
The system logs information about device operations in real time. You can view logs in the log
buffer to understand what happened during system operations.
Pre-configuration Tasks
Before setting the maximum number of logs to be displayed, complete the following tasks:
- Making sure that the device is powered on
- Ensuring that the device self-check succeeds
Procedure
Step 1 Run:
system-view
----End
Applicable Environment
In the case of urgent and important events (such as the restart of the managed device), the device
generates logs and sends trap messages to the NMS through SNMP agent. Trap messages are
sent to the NMS from the managed device without any request. Users can view trap messages
on the device.
Pre-configuration Tasks
Before setting the number of trap messages to be displayed, complete the following tasks:
- Confirming that the device is powered on correctly and the self-test is successful
Procedure
Step 1 Run:
system-view
----End
Applicable Environment
The system records operation status to the log buffer in real time. Logs can be saved to a log file
by using the specified command. You can query the log file to understand what happened during
system operations.
Procedure
Step 1 In the user view, run:
save logfile
If you need to save logs in the log buffer into a log file when the log buffer is not full or the timer
does not expire, run the save logfile command.
----End
Related Tasks
4.9.1 Example for Saving Logs to a Local Log File
Applicable Environment
The system logs information about device operations in real time. After configuring logs to be
output to a log host, you can view logs saved on the log host to assist in understanding the
operation status of the device.
Pre-configuration Tasks
Before configuring logs to be output to a log host, complete the following tasks:
- Making sure that the device is powered on
- Ensuring that the device self-check succeeds
Configuration Procedures
(Flowchart: Configure logs to be output to a specified log host. Legend: mandatory procedure, optional procedure.)
Related Tasks
4.9.2 Example for Configuring Logs to Be Output to a Log Host
Context
The system outputs system information to a log host only after the information center is enabled.
If the system needs to classify and output large volumes of information, system performance
will be affected.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center enable
Step 3 Run:
commit
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center loghost source interface-type interface-number
An interface on the router is specified as the source interface for sending logs to the log host.
After the source interface is specified, if the router sends logs to the log host, the logs carry the
IP address of this interface as the source address. This helps the log host locate the router from
which the logs come, facilitating log search.
By default, the source interface is the interface that sends out logs.
Step 3 Run:
commit
----End
Context
The system logs device operations in real time. After enabling the information center, you can
specify the UDP port number, facility, and log severity level of a log host with a specified IP
address to output logs to the log host. This facilitates saving and querying logs, helps the network
administrator monitor device operations, and provides evidence for fault location.
Procedure
Step 1 Run:
system-view
By default, the device does not output logs to any log host.
The system can output logs to a maximum of eight log hosts at the same time. This allows backup
among log hosts.
Step 3 Run:
commit
----End
Prerequisite
The configurations of outputting logs to a specified log host are complete.
Procedure
- Run the display this command in the system view to check the ID of the log to be filtered
  out, IP address of a log host, and source interface for sending logs to the log host.
----End
Example
- Run the display this command. The command output shows the configuration for
  outputting logs to a specified log host.
<HUAWEI> system-view
[~HUAWEI] display this
#
info-center loghost source GigabitEthernet1/0/1
4.8 Maintenance
The system generates logs or traps and sends them to the information buffer for user query. To
delete information in the information buffer, run the following commands:
Context
CAUTION
Information stored in the information buffer cannot be restored after you clear it. Exercise
caution when running the commands.
Procedure
- To delete information in the log buffer, run the reset logbuffer command in the user view.
- To delete information in the trap buffer, run the reset trapbuffer command in the user
  view.
----End
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the following format: slot number/card
number/interface number. On an NE5000E cluster, an interface is numbered in the format of
chassis ID/slot number/card number/interface number, and a slot is numbered in the format of
chassis ID/slot number.
On the network shown in Figure 4-3, you can save logs on Router A into log files. A large
number of log files consume significant memory resources. To save memory resources, you can
upload log files to an FTP server. Maintenance personnel query and maintain logs saved on the
FTP server to understand the operation status of Router A and locate faults in Router A.
Figure 4-3 Networking diagram for saving logs to a local log file
(Diagram labels: 10.2.1.1/16; GE1/0/0; IP network.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Save logs to a log file.
2. Upload the log file to the FTP server.
Data Preparation
To complete the configuration, you need the following data:
- IP address of the FTP server
- User name and password used on the FTP server
Procedure
Step 1 Configure a routing protocol to make the router and the FTP server reachable. (The configuration
details are not provided here.)
Step 2 Configure user name and password used on the FTP server. (The configuration details are not
provided here.)
Step 3 Save logs to a log file.
<RouterA> save logfile
<RouterA>
# View the received logs on the FTP server. (The configuration details are not provided here.)
----End
Related Tasks
4.6 Saving Logs to a Local Log File
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the following format: slot number/card
number/interface number. On an NE5000E cluster, an interface is numbered in the format of
chassis ID/slot number/card number/interface number, and a slot is numbered in the format of
chassis ID/slot number.
The router can generate a large number of logs, which may exceed limited storage space of the
router. To address this problem, a log host can be configured to store all logs.
On the network shown in Figure 4-4, the router is required to send logs to the log host Server
1. Server 2 is required to serve as a backup host for Server 1.
The configurations need to be performed on both the router and the log host.
(Figure 4-4 diagram labels: POS1/0/0, 172.168.0.1/24, Router; Server 2, 10.2.1.1/24.)
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
- IP address of a log host
Procedure
Step 1 Configure a routing protocol and an IP address for the router to make the router and log host
reachable. (The configuration details are not provided here.)
Step 2 Enable the information center.
<HUAWEI> system-view
[~HUAWEI] info-center enable
Step 4 Specify a source interface for sending logs to the log host.
# Assign an IP address to Loopback 0 and specify Loopback 0 as the source interface for sending
logs to a log host.
[~HUAWEI] interface loopback 0
[~HUAWEI-loopback0] ip address 1.1.1.1 255.255.255.255
[~HUAWEI-loopback0] quit
[~HUAWEI] info-center loghost source loopback 0
- If the host runs a third party's log software, the log software can be configured to collect log
  information.
For details about log configurations on Huawei iManager U2000, see the iManager U2000
Operation Guide for Common Features.
Step 7 Verify the configuration.
# View the received logs on the network management system. (The configuration details are not
provided here.)
----End
Configuration Files
#
info-center loghost source Loopback0
info-center loghost 10.1.1.1
info-center loghost 10.1.1.2
#
sysname HUAWEI
#
interface Loopback0
ip address 1.1.1.1 255.255.255.0
#
return
Related Tasks
4.7 Configuring Logs to Be Output to a Log Host
5 Fault Management
When a fault occurs on a device or network, the device sends relevant information to the fault
management (FM) module. The FM module then determines whether to generate and report
alarms.
5.3 Configuring FM
Users can configure FM on a device to use the alarm filtering, alarm delivery, and alarm
suppression functions.
Pre-configuration Tasks
Before configuring FM, complete the following tasks:
- Installing the router and powering it on properly
- Completing the alarm definition on the NE5000E
Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
Related Tasks
5.5.1 Example for Configuring FM
Procedure
Step 1 Run:
system-view
Step 4 Run:
commit
----End
Procedure
Step 1 Run:
system-view
After a suppression period is configured for an alarm, the following operations are implemented:
- During this period, this alarm is not reported to the NMS immediately after it is generated.
  If the alarm is generated but its clear alarm is not generated, the system reports this alarm to
  the NMS host when the period expires.
- If both the alarm and its clear alarm are generated during this period, they are both deleted
  from the alarm queue and will not be reported to the NMS host.
You can use the parameter cause-period cause-seconds to set the period after which a generated
alarm is reported.
You can use the parameter clear-period clear-seconds to set the period after which a generated
clear alarm is reported.
Step 4 Run:
commit
----End
Context
The impacts of alarm suppression on the system are as follows:
- When alarm suppression is enabled, alarm suppression takes effect, and you can configure
  an alarm suppression period.
- When alarm suppression is disabled, alarm suppression does not take effect in the system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
alarm
Step 3 Run:
suppression enable
To disable alarm suppression, you can run the undo suppression enable command.
CAUTION
Disable alarm suppression immediately after it is not required. Otherwise, a large number of
redundant alarms will be generated.
Step 4 Run:
commit
----End
Context
Terminal users include command line users and NMS users. If terminal users do not expect any
alarms sent from the device, they can filter out all alarms.
Procedure
- Command line users run the undo terminal alarm command in the user view to filter out
  all alarms.
- NMS users on the host named host-name perform the following operations to filter out all
  alarms:
  1. Run the system-view command to enter the system view.
  2. Run the alarm command to enter the alarm management view.
  3. Run the undo alarm snmp target-host host-name command to filter out all alarms.
----End
Context
Terminal users include command line users and NMS users. Different users are concerned about
different types of alarms. Terminal users can configure an alarm filtering table to filter out the
unwanted alarms.
Flexible filtering rules can be defined in an alarm filtering table.
- Filtering out alarms with the specific severity, such as alarms with the severity lower than
  Major
- Filtering out alarms that are generated for a specific service, such as alarms for the MPLS
  service
- Filtering out alarms with specific names, such as an LDP session alarm
Different terminal users can share the same alarm filtering table, but each terminal user can use
only one alarm filtering table.
Procedure
Step 1 Run:
system-view
----End
Applicable Environment
The system records fault information to the log buffer in real time. After running the command
to save alarms to a log file, you can query the log file to locate the fault.
Procedure
Step 1 Run:
save logfile
----End
Prerequisite
The FM configurations are complete.
Procedure
- Run the display alarm information [ name alarm-name ] [ brief ] command to verify the
  validity of the alarm suppression parameters.
----End
Example
Display the basic information about an alarm named PmThresholdAlarm.
<HUAWEI> display alarm information name pmthresholdalarm brief
feature : PMSERVER
alarmName : PmThresholdAlarm
alarmId : 177209348
severity : Major
cause suppress time : 1
clear suppress time : 1
5.4 Maintenance
You can use maintenance commands to collect statistics about faults and clear them after further
analysis.
Context
In routine maintenance, you can run the following commands in the alarm management view to
clear alarm statistics.
CAUTION
Alarm statistics cannot be restored after you clear them. Therefore, exercise caution when
running this command.
Procedure
Step 1 Run:
system-view
----End
Procedure
- Run:
  display alarm information [ name alarm-name ] [ brief ]
  The keyword brief is configured in this command to display the basic information about
  an alarm, such as the feature for which the alarm is generated, alarm name, alarm ID, alarm
  severity, and alarm suppression period. If the keyword brief is not configured in this
  command, the reason why this alarm is generated and the rectification solution are displayed,
  in addition to the basic information.
- Run:
  display alarm statistics [ name alarm-name ]
  If an alarm name is specified in this command, only the statistics about the specified alarm
  are displayed. If no alarm name is specified in this command, statistics about all alarms are
  clarified and displayed.
----End
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. In the multi-chassis scenario, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
When a fault occurs on a network, FM can be configured to help users rapidly locate the fault
and rectify the fault.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure a suppression period for an alarm
- Edit and apply an alarm filtering table
Data Preparation
To complete the configuration, you need the following data:
- Alarm name
- Alarm suppression period
- Name of the alarm filtering table
- Alarm severity
- Name of the NMS host
Procedure
Step 1 Enter the alarm management view.
<HUAWEI> system-view
[~HUAWEI] alarm
Step 2 Configure the severity and suppression period of the alarm named hwOpticalInvalid.
# Set the severity of the alarm named hwOpticalInvalid to Critical.
[~HUAWEI-alarm] alarm name hwbfdSessReachLimit severity critical
# Set the generation period to 5s and clearing period to 15s for the alarm named hwOpticalInvalid
in alarm suppression.
[~HUAWEI-alarm] suppression name hwBfdSessReachLimit cause-period 5
[~HUAWEI-alarm] suppression name hwBfdSessReachLimit clear-period 15
[~HUAWEI-alarm] commit
After the configuration is complete, run the display alarm information name
hwBfdSessReachLimit command to verify the configuration.
[~HUAWEI-alarm] display alarm information name hwBfdSessReachLimit
alarmDictionaryQuery
--------------------------------------------------------------------------------
feature : BFD
alarmName : hwBfdSessReachLimit
alarmId : 152043522
severity : Critical
cause suppress time : 5
clear suppress time : 15
--------------------------------------------------------------------------------
[~HUAWEI-alarm-mask1] commit
# After the configuration is complete, run the display this command in the mask1 view to verify
the configuration.
[~HUAWEI-alarm-mask1] display this
mask alarm-name PmThresholdAlarm
mask severity Minor
mask severity Warning
return
# After the configuration is complete, run the display this command in the alarm management
view to verify the configuration.
[~HUAWEI-alarm] display this
snmp target-host target-host1 mask name mask1
----End
Example
#
sysname HUAWEI
#
alarm
suppression name hwBfdSessReachLimit cause-period 5
suppression name hwBfdSessReachLimit clear-period 15
alarm name hwBfdSessReachLimit severity Critical
snmp target-host target-host1 mask name mask1
#
mask name mask1
mask severity Minor
mask severity Warning
mask alarm-name PmThresholdAlarm
#
return
Related Tasks
5.3 Configuring FM
6 NetStream Configuration
NetStream is a technology that samples and releases traffic information on the network. By
collecting traffic statistics based on the traffic volume and resource consumption on the network,
NetStream helps users implement management and accounting on various services.
6.1 NetStream Overview
As the Internet develops rapidly, more bandwidth resources are provided for users, and at the
same time the requirement for fine-grained network monitoring and management rises. A
technology is needed to address such a requirement. NetStream is a technology that provides
highly granular per-flow statistics on network traffic. It classifies statistics about traffic flows
and resource usage on the network. NetStream can also help monitor and manage the network
based on the types of services and resources.
6.2 NetStream Features Supported by the NE5000E
This section describes the usage scenarios of NetStream features supported by the NE5000E and
available NetStream functions.
6.3 Collecting Statistics About IPv4 Original Flows
Before collecting statistics about IPv4 original flows, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
6.4 Collecting Statistics About IPv4 Aggregated Flows
Before collecting statistics about IPv4 aggregated flows, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
6.5 Collecting Statistics About IPv6 Original Flows
Before collecting statistics about IPv6 original flows, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
6.6 Collecting Statistics About IPv6 Aggregated Flows
Before collecting statistics about IPv6 aggregated flows, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
6.7 Collecting Statistics About MPLS IPv4 Packets
Collecting packet statistics on MPLS networks helps you to monitor MPLS network conditions.
6.8 Collecting Statistics About MPLS IPv6 Packets
Collecting packet statistics on MPLS networks helps you to monitor MPLS network conditions.
6.9 Collecting Statistics About BGP/MPLS VPN Flows
Collecting traffic statistics on BGP/MPLS VPN networks helps users to monitor the BGP/MPLS
VPN network condition.
6.10 Maintaining NetStream
This section describes how to maintain NetStream.
6.11 Configuration Examples
This section provides NetStream configuration examples in different scenarios.
- Accounting
  NetStream provides detailed accounting statistics, including the IP address, number of
  packets, number of bytes, time, Type of Service (ToS), and application type. Based on the
  collected statistics, the Internet Service Provider (ISP) can charge users flexibly based on
  the resource usage (such as time periods, bandwidth, application, or QoS) and enterprises
  can count their expenses or assign costs to make effective use of resources.
- Network planning and analysis
  NetStream provides key information for advanced network management tools to optimize
  the network design and planning. This helps to obtain the best network performance and
  reliability with the lowest network operation cost.
- Network monitoring
  NetStream provides real-time monitoring of network traffic. It uses the remote monitoring
  (RMON), RMON-2, and flow-based analysis technology to visually represent the traffic
  mode of a single router and all routers on the network, and provides functions such as
  proactive fault detection, effective fault rectification, and rapid problem solution.
- Application monitoring and analysis
  NetStream provides detailed network application information. For example, it allows the
  network administrator to view the proportion of each application, such as Web, the File
  Transfer Protocol (FTP), Telnet, and other TCP/IP applications, to communication traffic.
  Based on the information, the Internet Content Provider (ICP) and ISP can properly plan
  and allocate network application resources to meet users' requirements.
- Abnormal traffic detection
  By analyzing NetStream flows, the NMS can detect abnormal traffic (such as different
  types of attacks) on the network in real time. Based on alarm information on the NMS and
  the association between the NMS and devices, network security can be guaranteed.
The NE5000E is used as an NDE to sample packets, aggregate flows, and output flows.
The following figure shows the relationship among the NDE, NSC, and NDA.
(Figure labels: RouterA, RouterB, NSC, NSC, NDA.)
Sampling Modes
The NE5000E supports the fixed packet sampling. The sampling mode and sampling ratio can
be configured in the system view, interface view, or ACL view.
Aging Modes
A NetStream flow can be aged in one of the following modes:
- Inactive time-based aging
  The inactive time refers to the time period from when the last packet is cached on the LPU
  to the current time. The inactive time can be set, and if the set value is exceeded, the system
  ages flows in the buffer.
- Active time-based aging
  The active time refers to the time period from when the first packet is cached on the LPU
  to the current time. If the duration of flows in the buffer is longer than the active time, these
  flows will be aged when new flows need to be cached.
- TCP disconnection-based aging
  After a packet carrying the FIN or RST flag is transmitted over a TCP connection, the TCP
  connection is torn down. When a packet carrying the FIN or RST flag is sampled and added
  to an existing TCP flow, the system ages the TCP flow.
- Byte counts-based aging
  Bytes of flows cached in the buffer are counted. If the flow bytes in a buffer exceed the
  upper threshold, the buffer overflows. If the flow bytes cached in the buffer on the router
  exceed the threshold, the system ages flows in the buffer.
- Forcible aging
  Original flows cached in the buffer can be forcibly aged by using command lines.
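The following added example (not code from the original guide) models four of the aging modes above on a small flow cache: inactive time, active time, TCP disconnection, and forcible aging. Byte counts-based aging is left out. The timeout values, the seven key fields, and the sample packets are assumptions constructed for the example; the aging mode decides how long a flow stays on the NDE before its record is output.

```python
from dataclasses import dataclass
from typing import NamedTuple

FIN, RST = 0x01, 0x04  # TCP flag bits
TCP, UDP = 6, 17       # IP protocol numbers


class FlowKey(NamedTuple):
    """Seven key fields of a flow (assumed; the guide does not list them)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    tos: int
    in_interface: str


@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    def __init__(self, inactive_timeout, active_timeout):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.flows = {}     # FlowKey -> Flow
        self.exported = []  # (FlowKey, reason, packets, octets) in aging order

    def _age(self, key, reason):
        flow = self.flows.pop(key)
        self.exported.append((key, reason, flow.packets, flow.octets))

    def _age_where(self, predicate, reason):
        for key in [k for k, f in self.flows.items() if predicate(f)]:
            self._age(key, reason)

    def add_packet(self, now, key, length, tcp_flags=0):
        # Inactive aging: no packet was added to the flow for longer than the timeout.
        self._age_where(lambda f: now - f.last_seen > self.inactive_timeout, "inactive")
        if key not in self.flows:
            # Active aging: long-lived flows are aged when a new flow needs to be cached.
            self._age_where(lambda f: now - f.first_seen > self.active_timeout, "active")
            self.flows[key] = Flow(first_seen=now, last_seen=now)
        flow = self.flows[key]
        flow.last_seen = now
        flow.packets += 1
        flow.octets += length
        # TCP disconnection: the FIN or RST packet is counted, then the flow is aged.
        if key.protocol == TCP and tcp_flags & (FIN | RST):
            self._age(key, "tcp-close")

    def force_age(self):
        """Forcible aging: age every flow still in the cache."""
        self._age_where(lambda f: True, "forced")


# Constructed sample traffic: (time in seconds, key, packet length, TCP flags).
A = FlowKey("10.0.0.1", "10.0.0.2", 40000, 80, TCP, 0, "GE1/0/0")
B = FlowKey("10.0.0.3", "10.0.0.4", 5000, 53, UDP, 0, "GE1/0/0")
C = FlowKey("10.0.0.5", "10.0.0.6", 40001, 443, TCP, 0, "GE1/0/0")
D = FlowKey("10.0.0.7", "10.0.0.8", 5001, 123, UDP, 0, "GE1/0/0")
SAMPLE_PACKETS = [
    (0, A, 60, 0x02), (0, C, 1000, 0x10), (1, A, 40, 0x11), (5, B, 80, 0),
    (20, C, 1000, 0x10), (40, C, 1000, 0x10), (60, C, 1000, 0x10), (70, D, 100, 0),
]


def replay(packets, inactive_timeout=30, active_timeout=60):
    """Feed packets through a cache, force-age the rest, return the aged flows."""
    cache = FlowCache(inactive_timeout, active_timeout)
    for now, key, length, flags in packets:
        cache.add_packet(now, key, length, flags)
    cache.force_age()
    return cache.exported


if __name__ == "__main__":
    for key, reason, packets, octets in replay(SAMPLE_PACKETS):
        print(f"{reason:9} {key.src_ip} -> {key.dst_ip} packets={packets} octets={octets}")
```

In this run the long-lived flow C stays in the cache for 70 seconds and its record leaves the cache only when flow D needs to be cached.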
Applicable Environment
As shown in Figure 6-2, carriers can enable NetStream on the router to obtain detailed network
application information. Such information can guide carriers in monitoring abnormal network
traffic, analyzing users' operation mode, and planning the network between ASs.
Statistics about original flows are collected based on the 7-tuple information of packets. The
NDE samples IPv4 flows passing through it, collects statistics about sampled flows, and
encapsulates the aged NetStream original flows into UDP packets and sends the packets to the
NSC for subsequent processing. Unlike collecting the statistics about aggregated flows,
collecting the statistics about original flows has less impact on the NDE performance. Original
flows consume more storage space and network bandwidth resources because the data volume
of original flows is far greater than that of aggregated flows.
(Figure 6-2 labels: NDE, NDE, NSC, NSC, NDA, Traffic.)
Pre-configuration Tasks
Before collecting the statistics about IPv4 original flows, complete the following task:
- Configuring the static route or enabling an IGP to ensure that IP routes between nodes are
  reachable
Configuration Procedures
To collect the statistics about IPv4 original flows, perform the procedures as shown in the
following flowchart.
Figure 6-3 Flowchart of collecting the statistics about IPv4 original flows
(Flowchart step recovered: Configure the NetStream service processing mode. Legend: mandatory procedure, optional procedure.)
Context
NetStream services can be processed in either of the following modes:
- Distributed mode
  In this mode, a single LPU can perform NetStream functions independently, including
  packet sampling, flow aggregation, and flow output.
- Integrated mode
  In this mode, the LPU only samples packets and sends sampled packets to the NetStream
  service processing board. Flow aggregation and flow output are performed on the
  NetStream service processing board. If the data volume collected by the router is beyond
  the processing capability of a single NetStream service processing board, additional
  NetStream service processing boards for load balancing can be installed.
The ip netstream sampler command has the same function as the ipv6 netstream sampler
command.
- The execution of either command takes effect on all packets and there is no need to
  configure both of them. If it is required to configure both of them, ensure that sampling
  modes and sampling ratios configured by the ip netstream sampler and ipv6 netstream
  sampler commands are identical.
- Packets are sampled at the set sampling ratio, regardless of packet types. For example, if
  the sampling ratio in fixed packet sampling mode is set to 1000:1, one packet will be
  sampled every 1000 packets, regardless of whether these packets are IPv4 or IPv6 packets.
Procedure
- Configure the distributed NetStream service processing mode.
1. Run:
system-view
The view of the slot where the LPU for NetStream sampling resides is displayed.
3. Run:
ip netstream sampler to slot self
4. Run:
commit
The view of the slot where the LPU for NetStream sampling resides is displayed.
3. Run:
ip netstream sampler to slot slot-id1
The integrated NetStream service processing mode is configured and the NetStream
service processing board is specified.
4. (Optional) Run:
ip netstream sampler to slot slot-id2 backup
The integrated NetStream service processing mode is configured and the backup
NetStream service processing board is specified.
If there are several NetStream service processing boards, you can specify a master
service processing board and a backup service processing board as needed. For the
purpose of load balancing, LPUs that are dual homed to different NetStream service
processing boards can back up each other.
5. Run:
commit
----End
Procedure
Step 1 Run:
system-view
NetStream original flows can be output in either V5 or V9 format. V9 is not compatible with
V5.
The V9 format allows the output original flows to carry more variable statistics, expand newly-
defined flow elements more flexibly, and generate new records more easily.
The V5 format is fixed, and thus the system cost is low. In most cases, NetStream original flows
are output in V5 format. In any of the following situations, however, NetStream original flows
must be output in V9 format:
l NetStream original flows need to carry BGP next-hop information.
l Interface indexes carried in the output NetStream original flows need to be extended from
16 bits to 32 bits.
The interval at which the template for outputting original flows in V9 format is refreshed is set.
Step 4 Run:
ip netstream export source ip-address
Step 5 Configure the destination IP address and UDP port number of the peer NSC for NetStream
original flows in the system or slot view.
l In the system view:
Run:
ip netstream export host ip-address port
The destination IP address and UDP port number of the peer NSC are configured for
NetStream original flows to be output.
l In the slot view:
1. Run:
slot slot-id
The view of the slot where the LPU for NetStream sampling resides is displayed.
2. Run:
ip netstream export host ip-address port
The destination IP address and UDP port number of the peer NSC are configured for
NetStream original flows to be output.
3. Run:
quit
A maximum of two destination IP addresses can be configured for NSC backup. If the router
already has two destination IP addresses, delete one of the existing destination IP addresses
before changing the destination IP address of the output NetStream original flows.
NOTE
If destination IP addresses are configured in both the system view and the slot view, the destination IP
address configured in the slot view is preferred.
Step 7 Run:
commit
----End
Context
To enable the NSC to correctly receive and parse NetStream packets output from the NDE,
ensure that the AS field modes and interface index types on the NDE and NSC are the same.
l AS field mode: As defined in the relevant protocol, the length of the AS field in IP packets
is 16 bits. On networks in some areas, however, the length of the AS field in IP packets is
32 bits. If different AS field modes exist on a network, you need to convert the AS field
mode when configuring NetStream. Otherwise, NetStream cannot sample inter-AS traffic.
CAUTION
On a network where the 32-bit AS field mode is used, the NMS needs to identify the 32-
bit AS field. Otherwise, the NMS will fail to identify inter-AS traffic sent from devices.
l Interface index: The NMS uses the interface index carried in the NetStream packet output
from the NDE to query information about the interface from which the packet is output.
The interface index can be of 16 bits or 32 bits, which is determined by NMS devices of
different vendors. Therefore, the NDE needs to use a proper interface index type according
to the index parsing capability of the NMS. For example, if the NMS can parse a 32-bit
interface index, the interface index carried in the NetStream packet must be a 32-bit value.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip netstream as-mode { 16 | 32 }
Step 3 Run:
ip netstream export index-switch { 16 | 32 }
The type of the interface index carried in the NetStream packet output from the router is
configured.
By default, the interface index carried in the NetStream packet output from the router is of 16
bits. Before converting an interface index from 16 bits to 32 bits, ensure that the following
conditions are met:
l Original flows are output in V9 format.
l The NetStream packet format for all aggregated flows is V9.
----End
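The following added example (not part of the Huawei documentation) shows the collector side of the requirement above: an NSC that takes field widths from the V9 template decodes 32-bit interface indexes and AS numbers correctly, and can flag an NDE whose exported widths exceed what it is set up to handle. It assumes that NetStream V9 export follows the NetFlow v9 layout of RFC 3954; build_packet, parse_v9 and the sample record are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Field type numbers as assigned in RFC 3954 (NetFlow v9).
FIELDS = {2: "in_pkts", 8: "src_addr", 10: "input_if", 12: "dst_addr",
          14: "output_if", 16: "src_as", 17: "dst_as"}
WIDTH_KIND = {"input_if": "if", "output_if": "if", "src_as": "as", "dst_as": "as"}


def build_packet(if_bytes, as_bytes, record, with_template=True):
    """Build a constructed v9 export packet (sample input, not device output)."""
    layout = [(8, 4), (12, 4), (10, if_bytes), (14, if_bytes),
              (16, as_bytes), (17, as_bytes), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(layout))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in layout)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    body = b"".join(int(v).to_bytes(n, "big") for (_, n), v in zip(layout, record))
    body += b"\x00" * (-len(body) % 4)      # pad the FlowSet to a 32-bit boundary
    data_set = struct.pack("!HH", 256, 4 + len(body)) + body
    sets = (tmpl_set if with_template else b"") + data_set
    # Header: version, record count, sysUpTime, UNIX seconds, sequence, source ID
    return struct.pack("!HHIIII", 9, 2 if with_template else 1, 1000, 1318636800, 1, 8) + sets


def parse_v9(packet, templates, nsc_if_bits=32, nsc_as_bits=32):
    """Decode one export packet and return (flows, warnings).

    templates is the collector's cache keyed by (source ID, template ID); it
    must persist across packets because templates are only sent periodically.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte v9 header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError(f"not a v9 packet (version {version})")
    flows, warnings, offset = [], [], 20
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + set_len]
        if set_id == 0:                      # template FlowSet
            warnings += _learn_templates(body, source_id, templates,
                                         {"if": nsc_if_bits, "as": nsc_as_bits})
        elif set_id > 255:                   # data FlowSet, ID names its template
            layout = templates.get((source_id, set_id))
            if layout is None:
                warnings.append(f"data FlowSet {set_id} dropped: template not yet received")
            else:
                flows += _decode_records(body, layout)
        offset += set_len
    return flows, warnings


def _learn_templates(body, source_id, templates, nsc_bits):
    """Cache each template and report fields wider than the collector expects."""
    warnings, pos = [], 0
    while pos + 4 <= len(body):
        tmpl_id, n_fields = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + 4 * n_fields > len(body):
            raise ValueError("truncated template record")
        layout = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(n_fields)]
        pos += 4 * n_fields
        templates[(source_id, tmpl_id)] = layout
        for ftype, length in layout:
            kind = WIDTH_KIND.get(FIELDS.get(ftype))
            if kind and length * 8 > nsc_bits[kind]:
                warnings.append(f"{FIELDS[ftype]} exported as {length * 8}-bit, "
                                f"collector expects {nsc_bits[kind]}-bit")
    return warnings


def _decode_records(body, layout):
    """Slice fixed-size records out of a data FlowSet using the template widths."""
    rec_len = sum(n for _, n in layout)
    flows, pos = [], 0
    while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
        flow = {}
        for ftype, n in layout:
            raw, pos = body[pos:pos + n], pos + n
            name = FIELDS.get(ftype, f"type_{ftype}")
            flow[name] = (str(IPv4Address(raw)) if name.endswith("_addr") and n == 4
                          else int.from_bytes(raw, "big"))
        flows.append(flow)
    return flows


if __name__ == "__main__":
    # Constructed record: ifIndex 70000 and AS 4200000001 need more than 16 bits.
    rec = (IPv4Address("10.1.1.1"), IPv4Address("100.1.1.3"), 70000, 3, 4200000001, 65001, 12)
    print(parse_v9(build_packet(4, 4, rec), {}, nsc_if_bits=16))
```

A collector that hard-codes 16-bit fields would read the wrong record boundaries from this packet, which is why the widths on the NDE and the NSC have to agree.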
Procedure
Step 1 Run:
system-view
----End
Context
By default, NetStream enabled on an interface can sample and collect the statistics about the
following packets:
l Unicast packets
l Multicast packets
l Packets discarded by the uRPF/RPF check
l Fragmented packets (only the first fragment of each packet will be sampled)
NOTE
If a NetStream-enabled interface is bound to a VPN instance, all packets in the VPN instance will be
sampled.
Procedure
Step 1 Run:
system-view
The sampling mode and sampling ratio are configured for the interface.
By default, NetStream is disabled from packet sampling.
NOTE
The sampling mode and sampling ratio configured in the system view are applicable to all interfaces on
the device. The sampling mode and sampling ratio configured in the interface view take precedence over
those configured in the system view.
Step 5 Run:
ip netstream { inbound | outbound }
NetStream is enabled on the interface. Statistics about packets' BGP next-hop information can
also be collected. Original flows output in V5 format.
By default, NetStream is disabled from collecting the statistics about incoming and outgoing
unicast flows.
Step 6 Run:
commit
----End
Procedure
l Run the display ip netstream cache origin slot slot-id command to check information
about the NetStream buffer.
l Run the display ip netstream statistics slot slot-id command to view statistics about
NetStream flows.
l Run the display netstream { all | global | interface interface-type interface-number }
command to check NetStream configurations in different views.
----End
Example
Run the display ip netstream cache origin slot 3 command. If NetStream is successfully
configured, you can view various statistics about IP packets cached in the NetStream buffer on
the router.
<HUAWEI> display ip netstream cache origin slot 3
Show information of IP and MPLS cache of slot 3 is starting.
get show cache user data success.
Unknown 20 0 6 0 0 1
Unknown 10 0
0.0.0.0 in
58.1.1.2 0
55.67.121.72 0
0.0.0.0 0
0 0 0
0 0 0
0 0 0
0.0.0.0 0
Run the display ip netstream statistics slot slot-id command, and you can view statistics about
NetStream flows.
[~HUAWEI] display ip netstream statistics slot 1
Netstream statistic information on slot 1:
--------------------------------------------------------------------------------
length of packets Number Protocol Number
--------------------------------------------------------------------------------
1 ~ 64 : 0 IPV4 : 97796860
65 ~ 128 : 32001407 IPV6 : 31457284
129 ~ 256 : 0 MPLS : 0
257 ~ 512 : 97252737 L2 : 0
513 ~ 1024 : 0 Total : 129254144
1025 ~ 1500 : 0
longer than 1500 : 0
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Aggregation Current Streams Aged Streams
Created Streams Exported Packets Exported Streams
--------------------------------------------------------------------------------
origin 510246 97773954
98284200 3986446 67875459
as 2 34
36 25 27
as-tos 2 34
36 25 27
protport 2 34
36 23 26
protporttos 2 34
36 26 29
srcprefix 60772 840324
901096 19736 787346
srcpretos 60786 825402
886188 19461 776353
dstprefix 2 33
35 24 26
dstpretos 2 32
34 24 26
prefix 60602 818776
879378 25830 773607
prefix-tos 60536 812587
873123 25589 766331
mpls-label 0 0
0 0 0
bgp-nhp-tos 2 31
33 23 25
index-tos 2 31
33 24 26
--------------------------------------------------------------------------------
srcprefix = source-prefix, srcpretos = source-prefix-tos,
dstprefix = destination-prefix, dstpretos = destination-prefix-tos,
Run the display netstream { all | global | interface interface-type interface-number } command,
and you can check NetStream configurations in different views.
<HUAWEI> display netstream all
system
ip netstream timeout active 50
ip netstream timeout inactive 10
ip netstream export version 9 origin-as
ip netstream export source 10.1.1.1
ip netstream export host 100.1.1.3 10000
ip netstream aggregation as
export version 9
enable
ip netstream export source 1.1.1.2
ip netstream export host 3.3.3.3 555
ip netstream export host 1.1.1.2 55
slot 8
GigabitEthernet8/0/3
ip netstream sampler fix-packets 1000 inbound
Slot
Slot 8:ip netstream sampler to slot 1
Applicable Environment
As shown in Figure 6-4, carriers can enable NetStream on the router to obtain detailed network
application information. Such information can guide carriers in monitoring abnormal network
traffic, analyzing users' operation mode, and planning the network between ASs.
Statistics collection of NetStream aggregated flows collects statistics about original flows with
the same attributes, whereas statistics collection of NetStream original flows collects statistics
about sampled packets. The data volume generated by aggregated flow statistics collection is
therefore greater than that generated by original flow statistics collection.
[Figure 6-4 not reproduced. Surviving labels: NDE, NSC, NDA, Traffic.]
Pre-configuration Tasks
Before collecting statistics about IPv4 aggregated flows, complete the following tasks:
l Configuring the static route or enabling an IGP to ensure that IP routes between nodes are
reachable
l Enabling statistics collection of NetStream original flows
Configuration Procedures
To collect statistics about IPv4 aggregated flows, perform the procedures as described in the
following flowchart.
[Flowchart not reproduced; legend: mandatory procedure, optional procedure.]
Context
NetStream services can be processed in either of the following modes:
l Distributed mode
In this mode, a single LPU can perform NetStream functions independently, including
packet sampling, flow aggregation, and flow output.
l Integrated mode
In this mode, the LPU only samples packets and sends sampled packets to the NetStream
service processing board. Flow aggregation and flow output are performed on the
NetStream service processing board. If the data volume collected by the router is beyond
the processing capability of a single NetStream service processing board, additional
NetStream service processing boards for load balancing can be installed.
The ip netstream sampler command has the same function as the ipv6 netstream sampler
command.
l The execution of either command takes effect on all packets and there is no need to
configure both of them. If it is required to configure both of them, ensure that sampling
modes and sampling ratios configured by the ip netstream sampler and ipv6 netstream
sampler commands are identical.
l Packets are sampled at the set sampling ratio, regardless of packet types. For example, if
the sampling ratio in fixed packet sampling mode is set to 1000:1, one packet will be
sampled every 1000 packets, regardless of whether these packets are IPv4 or IPv6 packets.
Procedure
l Configure the distributed NetStream service processing mode.
1. Run:
system-view
The view of the slot where the LPU for NetStream sampling resides is displayed.
3. Run:
ip netstream sampler to slot self
4. Run:
commit
The view of the slot where the LPU for NetStream sampling resides is displayed.
3. Run:
ip netstream sampler to slot slot-id1
The integrated NetStream service processing mode is configured and the NetStream
service processing board is specified.
4. (Optional) Run:
ip netstream sampler to slot slot-id2 backup
The integrated NetStream service processing mode is configured and the backup
NetStream service processing board is specified.
If there are several NetStream service processing boards, you can specify a master
service processing board and a backup service processing board as needed. For the
purpose of load balancing, LPUs that are dual homed to different NetStream service
processing boards can back up each other.
5. Run:
commit
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip netstream aggregation { as | as-tos | bgp-nexthop-tos | destination-prefix |
destination-prefix-tos | index-tos | prefix | prefix-tos | protocol-port | protocol-
port-tos | source-prefix | source-prefix-tos }
NOTE
If the NetStream flow aggregation function is enabled on a device, the device classifies and aggregates
original flows based on certain rules and sends the aggregated flows to the NDA for analysis. Aggregating
original flows can reduce the consumption of network bandwidths, CPU resources, and storage space. Flow
characteristics based on which flows are aggregated vary according to flow aggregation modes. For
mapping relationships between aggregation modes and flow characteristics, see the following table.
protocol-port NetStream flows with the same protocol number, source port,
and destination port are aggregated as one flow and one
aggregation record is generated.
protocol-port-tos NetStream flows with the same protocol number, source port,
destination port, ToS, inbound interface index, and outbound
interface index are aggregated as one flow and one aggregation
record is generated.
Step 3 Run:
enable
The length of the aggregate mask is set. The mask used by the system is the higher mask between
the mask in the FIB table and the set mask. If no aggregate mask is set, the system uses the mask
in the FIB table for flow aggregation.
NOTE
The aggregate mask takes effect only for aggregation modes of destination-prefix, destination-prefix-tos,
prefix, prefix-tos, source-prefix, and source-prefix-tos.
Step 5 Run:
commit
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip netstream export host ip-address port
If the destination IP address is configured in both the system view and the aggregation view, the
configuration in the aggregation view takes effect.
Step 3 Run:
ip netstream aggregation { as | as-tos | bgp-nexthop-tos | destination-prefix |
destination-prefix-tos | index-tos | mpls-label | prefix | prefix-tos | protocol-
port | protocol-port-tos | source-prefix | source-prefix-tos }
NOTE
The export version command does not apply to flows aggregated in bgp-nhp-tos or index-tos
mode. The default output format for these aggregated flows is V9.
The interval at which the template for outputting aggregated flows in V9 format is refreshed is
set.
Step 6 Run:
ip netstream export source ip-address
The source IP address configured in the aggregation view takes precedence over that configured
in the system view. If no source IP address is configured in the aggregation view, the source IP
address configured in the system view takes effect.
Step 7 Run:
ip netstream export host ip-address port
NOTE
l You can configure two destination IP addresses in the system view and the IPv4 NetStream aggregation
view.
l The destination IP address configured in the system view takes precedence over that configured in the
NetStream aggregation view.
Step 9 Run:
commit
----End
Context
To enable the NSC to correctly receive and parse NetStream packets output from the NDE,
ensure that the AS field modes and interface index types on the NDE and NSC are the same.
l AS field mode: As defined in the relevant protocol, the length of the AS field in IP packets
is 16 bits. On networks in some areas, however, the length of the AS field in IP packets is
32 bits. If different AS field modes exist on a network, you need to convert the AS field
mode when configuring NetStream. Otherwise, NetStream cannot sample inter-AS traffic.
CAUTION
On a network where the 32-bit AS field mode is used, the NMS needs to identify the 32-
bit AS field. Otherwise, the NMS will fail to identify inter-AS traffic sent from devices.
l Interface index: The NMS uses the interface index carried in the NetStream packet output
from the NDE to query information about the interface from which the packet is output.
The interface index can be of 16 bits or 32 bits, which is determined by NMS devices of
different vendors. Therefore, the NDE needs to use a proper interface index type according
to the index parsing capability of the NMS. For example, if the NMS can parse a 32-bit
interface index, the interface index carried in the NetStream packet must be a 32-bit value.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip netstream as-mode { 16 | 32 }
Step 3 Run:
ip netstream export index-switch { 16 | 32 }
The type of the interface index carried in the NetStream packet output from the router is
configured.
By default, the interface index carried in the NetStream packet output from the router is of 16
bits. Before converting an interface index from 16 bits to 32 bits, ensure that the following
conditions are met:
l Original flows are output in V9 format.
l The NetStream packet format for all aggregated flows is V9.
----End
Context
By default, NetStream enabled on an interface can sample and collect the statistics about the
following packets:
l Unicast packets
l Multicast packets
l Packets discarded by the uRPF/RPF check
l Fragmented packets (only the first fragment of each packet will be sampled)
NOTE
If a NetStream-enabled interface is bound to a VPN instance, all packets in the VPN instance will be
sampled.
Procedure
Step 1 Run:
system-view
Step 3 Run:
interface interface-type interface-number
The sampling mode and sampling ratio are configured for the interface.
NOTE
The sampling mode and sampling ratio configured in the system view are applicable to all interfaces on
the device. The sampling mode and sampling ratio configured in the interface view take precedence over
those configured in the system view.
Step 5 Run:
ip netstream { inbound | outbound }
NetStream is enabled on the interface. Statistics about packets' BGP next-hop information can
also be collected. Original flows output in V5 format.
By default, NetStream is disabled from collecting the statistics about incoming and outgoing
unicast flows.
Step 6 Run:
commit
----End
Procedure
l Run the display ip netstream cache { as | as-tos | bgp-nexthop-tos | destination-prefix
| destination-prefix-tos | index-tos | mpls-label | prefix | prefix-tos | protocol-port |
protocol-port-tos | source-prefix | source-prefix-tos } slot slot-id command to view flows
aggregated in different modes in the buffer.
l Run the display ip netstream statistics slot slot-id command to view statistics about
NetStream flows.
l Run the display netstream { all | global | interface interface-type interface-number }
command to check NetStream configurations in different views.
----End
Example
Run the display ip netstream cache destination-prefix slot 3 command. If the destination IP
address and prefix-aggregation mode are configured, you can view statistics about destination
addresses, AS numbers, masks, and prefixes of IP or MPLS packets in the NetStream flow buffer.
<HUAWEI> display ip netstream cache destination-prefix slot 3
Show information of IP and MPLS cache of slot 1 is starting.
get show cache user data success.
Run the display ip netstream statistics slot slot-id command, and you can view statistics about
NetStream flows.
[~HUAWEI] display ip netstream statistics slot 1
Netstream statistic information on slot 1:
--------------------------------------------------------------------------------
length of packets Number Protocol Number
--------------------------------------------------------------------------------
1 ~ 64 : 0 IPV4 : 97796860
65 ~ 128 : 32001407 IPV6 : 31457284
129 ~ 256 : 0 MPLS : 0
257 ~ 512 : 97252737 L2 : 0
513 ~ 1024 : 0 Total : 129254144
1025 ~ 1500 : 0
longer than 1500 : 0
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Aggregation Current Streams Aged Streams
Created Streams Exported Packets Exported Streams
--------------------------------------------------------------------------------
origin 510246 97773954
98284200 3986446 67875459
as 2 34
36 25 27
as-tos 2 34
36 25 27
protport 2 34
36 23 26
protporttos 2 34
36 26 29
srcprefix 60772 840324
901096 19736 787346
Run the display netstream { all | global | interface interface-type interface-number } command,
and you can check NetStream configurations in different views.
<HUAWEI> display netstream all
system
ip netstream timeout active 50
ip netstream timeout inactive 10
ip netstream export version 9 origin-as
ip netstream export source 10.1.1.1
ip netstream export host 100.1.1.3 10000
ip netstream aggregation as
export version 9
enable
ip netstream export source 1.1.1.2
ip netstream export host 3.3.3.3 555
ip netstream export host 1.1.1.2 55
slot 8
GigabitEthernet8/0/3
ip netstream sampler fix-packets 1000 inbound
Slot
Slot 8:ip netstream sampler to slot 1
Applicable Environment
As shown in Figure 6-6, carriers can enable NetStream on the router to obtain detailed network
application information. Such information can guide carriers in monitoring abnormal network
traffic, analyzing users' operation mode, and planning the network between ASs.
Statistics about original flows are collected based on the 7-tuple information of packets. The
NDE samples IPv6 flows passing through it, collects statistics about sampled flows, and
encapsulates the aged NetStream original flows into UDP packets and sends the packets to the
NSC for subsequent processing. Unlike collecting the statistics about aggregated flows,
collecting the statistics about original flows has less impact on the NDE performance. Original
flows consume more storage space and network bandwidth resources because the data volume
of original flows is far greater than that of aggregated flows.
[Figure 6-6 not reproduced. Surviving labels: NDE, NSC, NDA, Traffic.]
Pre-configuration Tasks
Before collecting the statistics about IPv6 original flows, complete the following tasks:
l Configuring parameters of the link layer protocol and IP addresses for interfaces to ensure
that the link layer protocol on the interfaces is Up
l Configuring the static route or enabling an IGP to ensure that IP routes between nodes are
reachable
Configuration Procedures
To collect the statistics about IPv6 original flows, perform the procedures as shown in the
following flowchart.
Figure 6-7 Flowchart of collecting the statistics about IPv6 original flows
[Flowchart not reproduced; legend: mandatory procedure, optional procedure.]
Context
NetStream services can be processed in either of the following modes:
l Distributed mode
In this mode, a single LPU can perform NetStream functions independently, including
packet sampling, flow aggregation, and flow output.
l Integrated mode
In this mode, the LPU only samples packets and sends sampled packets to the NetStream
service processing board. Flow aggregation and flow output are performed on the
NetStream service processing board. If the data volume collected by the router is beyond
the processing capability of a single NetStream service processing board, additional
NetStream service processing boards for load balancing can be installed.
The ip netstream sampler command has the same function as the ipv6 netstream sampler
command.
l The execution of either command takes effect on all packets and there is no need to
configure both of them. If it is required to configure both of them, ensure that sampling
modes and sampling ratios configured by the ip netstream sampler and ipv6 netstream
sampler commands are identical.
l Packets are sampled at the set sampling ratio, regardless of packet types. For example, if
the sampling ratio in fixed packet sampling mode is set to 1000:1, one packet will be
sampled every 1000 packets, regardless of whether these packets are IPv4 or IPv6 packets.
Procedure
l Configure the distributed NetStream service processing mode.
1. Run:
system-view
The view of the slot where the LPU for NetStream sampling resides is displayed.
3. Run:
ipv6 netstream sampler to slot self
4. Run:
commit
The view of the slot where the LPU for NetStream sampling resides is displayed.
3. Run:
ipv6 netstream sampler to slot slot-id1
The integrated NetStream service processing mode is configured and the NetStream
service processing board is specified.
4. (Optional) Run:
ipv6 netstream sampler to slot slot-id2 backup
The integrated NetStream service processing mode is configured and the backup
NetStream service processing board is specified.
If there are several NetStream service processing boards, you can specify a master
service processing board and a backup service processing board as needed. For the
purpose of load balancing, LPUs that are dual homed to different NetStream service
processing boards can back up each other.
5. Run:
commit
----End
Context
IPv6 original flows can be output only in V9 format.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ipv6 netstream export version 9 [ origin-as | peer-as ] [ bgp-nexthop ]
The interval at which the template for outputting original flows in V9 format is refreshed is set.
Step 4 Run:
ipv6 netstream export source ip-address
Step 5 Configure the destination IP address and UDP port number of the peer NSC for NetStream
original flows in the system or slot view.
l In the system view:
Run:
ipv6 netstream export host ip-address port
The destination IP address and UDP port number of the peer NSC are configured for
NetStream original flows to be output.
l In the slot view:
1. Run:
slot slot-id
The view of the slot where the LPU for NetStream sampling resides is displayed.
2. Run:
ipv6 netstream export host ip-address port
The destination IP address and UDP port number of the peer NSC are configured for
NetStream original flows to be output.
3. Run:
quit
A maximum of two destination IP addresses can be configured for NSC backup. If the router
already has two destination IP addresses, delete one of the existing destination IP addresses
before changing the destination IP address of the output NetStream original flows.
Step 7 Run:
commit
----End
Context
To enable the NSC to correctly receive and parse NetStream packets output from the NDE,
ensure that the AS field modes and interface index types on the NDE and NSC are the same.
l AS field mode: As defined in the relevant protocol, the length of the AS field in IP packets
is 16 bits. On networks in some areas, however, the length of the AS field in IP packets is
32 bits. If different AS field modes exist on a network, you need to convert the AS field
mode when configuring NetStream. Otherwise, NetStream cannot sample inter-AS traffic.
CAUTION
On a network where the 32-bit AS field mode is used, the NMS needs to identify the 32-
bit AS field. Otherwise, the NMS will fail to identify inter-AS traffic sent from devices.
l Interface index: The NMS uses the interface index carried in the NetStream packet output
from the NDE to query information about the interface from which the packet is output.
The interface index can be of 16 bits or 32 bits, which is determined by NMS devices of
different vendors. Therefore, the NDE needs to use a proper interface index type according
to the index parsing capability of the NMS. For example, if the NMS can parse a 32-bit
interface index, the interface index carried in the NetStream packet must be a 32-bit value.
Procedure
Step 1 Run:
system-view
The type of the interface index carried in the NetStream packet output from the router is
configured.
By default, the interface index carried in the NetStream packet output from the router is of 16
bits. Before converting an interface index from 16 bits to 32 bits, ensure that the following
conditions are met:
l Original flows are output in V9 format.
l Aggregated flows are output in V9 format.
----End
Context
Do as follows on the router where TCP flag statistics are to be collected.
By enabling statistics collection of TCP flags, you can extract the TCP-flag information from
network packets and send it to the NMS. The NMS can thus determine whether there are flood
attacks on the network.
Procedure
Step 1 Run:
system-view
Step 3 Run:
commit
----End
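The following added example (not part of the Huawei documentation) shows how an NMS or collector could use the exported TCP-flag information to decide whether a destination is under a SYN flood. The record field names, the thresholds and the sample flows are assumptions constructed for illustration; the per-flow tcp_flags value is taken to be the OR of the flags of the sampled packets in that flow, and packet counts are scaled by the configured sampling ratio (1000:1 here).

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10   # bits in the TCP flags octet


def syn_flood_suspects(flows, sampling_ratio, window_s,
                       min_syn_pps=5000, min_syn_share=0.9):
    """Return destinations whose estimated SYN-only packet rate looks like a flood.

    flows: dicts with protocol, src_addr, dst_addr, packets, tcp_flags
           (hypothetical field names for decoded flow records).
    sampling_ratio: N for an N:1 sampler, used to scale sampled counts.
    window_s: length in seconds of the period the flows cover.
    """
    per_dst = defaultdict(lambda: {"syn_only": 0, "tcp": 0, "sources": set()})
    for f in flows:
        if f["protocol"] != 6:               # TCP only
            continue
        d = per_dst[f["dst_addr"]]
        d["tcp"] += f["packets"]
        # A flow that carried SYN but never ACK never completed a handshake.
        if f["tcp_flags"] & SYN and not f["tcp_flags"] & ACK:
            d["syn_only"] += f["packets"]
            d["sources"].add(f["src_addr"])
    suspects = []
    for dst, d in per_dst.items():
        est_pps = d["syn_only"] * sampling_ratio / window_s
        share = d["syn_only"] / d["tcp"] if d["tcp"] else 0.0
        if est_pps >= min_syn_pps and share >= min_syn_share:
            suspects.append({"dst_addr": dst,
                             "est_syn_pps": est_pps,
                             "syn_share": round(share, 3),
                             "distinct_sources": len(d["sources"])})
    return sorted(suspects, key=lambda s: -s["est_syn_pps"])


def constructed_flows():
    """Sample flow records for a 60-second window (constructed, not captured)."""
    flows = []
    # 600 sampled one-packet SYN-only flows towards one host, many sources.
    for i in range(600):
        flows.append({"protocol": 6, "src_addr": f"198.51.100.{i % 250 + 1}",
                      "dst_addr": "192.0.2.10", "packets": 1, "tcp_flags": SYN})
    # A normal completed connection to the same host (FIN|SYN|PSH|ACK = 0x1b).
    flows.append({"protocol": 6, "src_addr": "203.0.113.5",
                  "dst_addr": "192.0.2.10", "packets": 10, "tcp_flags": 0x1B})
    # A busy server: high volume, but every flow completed its handshake.
    for i in range(800):
        flows.append({"protocol": 6, "src_addr": f"203.0.113.{i % 200 + 1}",
                      "dst_addr": "192.0.2.20", "packets": 5, "tcp_flags": 0x1B})
    # A few unanswered SYNs: all SYN-only, but far below the rate threshold.
    flows.append({"protocol": 6, "src_addr": "203.0.113.9",
                  "dst_addr": "192.0.2.30", "packets": 3, "tcp_flags": SYN})
    # UDP carries no TCP flags and is ignored.
    flows.append({"protocol": 17, "src_addr": "203.0.113.9",
                  "dst_addr": "192.0.2.10", "packets": 50, "tcp_flags": 0})
    return flows


if __name__ == "__main__":
    for s in syn_flood_suspects(constructed_flows(), sampling_ratio=1000, window_s=60):
        print(s)
```

Leaving out the sampling ratio understates the rate by the same factor: with a ratio of 1 the same records give 10 SYN packets per second and nothing is reported.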
Context
By default, NetStream enabled on an interface can sample and collect the statistics about the
following packets:
l Unicast packets
l Multicast packets
l Packets discarded by the uRPF/RPF check
l Fragmented packets
NOTE
If a NetStream-enabled interface is bound to a VPN instance, all packets in the VPN instance will be
sampled.
Procedure
Step 1 Run:
system-view
By default, NetStream is disabled from packet sampling. Instead, it collects the statistics about
each packet.
Step 3 Run:
interface interface-type interface-number
The sampling mode and sampling ratio are configured for the interface.
By default, NetStream is disabled from packet sampling. Instead, it collects the statistics about
each packet.
NOTE
The sampling mode and sampling ratio configured in the system view are applicable to all interfaces on
the device. The sampling mode and sampling ratio configured in the interface view take precedence over
those configured in the system view.
The ip netstream sampler command has the same function as the ipv6 netstream sampler
command.
l The execution of either command takes effect on all packets and there is no need to configure
both of them. If it is required to configure both of them, ensure that sampling modes and
sampling ratios configured by the ip netstream sampler and ipv6 netstream sampler
commands are identical.
l Packets are sampled at the set sampling ratio, regardless of packet types. For example, if the
sampling ratio in fixed packet sampling mode is set to 1000:1, one packet will be sampled
every 1000 packets, regardless of whether these packets are IPv4 or IPv6 packets.
Step 5 Run:
ipv6 netstream { inbound | outbound }
----End
Prerequisite
NetStream configurations are complete.
Procedure
l Run the display ipv6 netstream cache origin slot slot-id command to view information
about the NetStream buffer.
l Run the display ipv6 netstream statistics slot slot-id command to view statistics about
NetStream flows.
----End
Example
Run the display ipv6 netstream cache origin slot 3 command. If NetStream is successfully
configured, you can view various statistics about IP packets cached in the NetStream buffer on
the router.
Run the display ipv6 netstream statistics slot slot-id command, and you can view statistics
about NetStream flows.
[~HUAWEI] display ipv6 netstream statistics slot 1
Netstream statistic information on slot 1:
--------------------------------------------------------------------------------
length of packets Number Protocol Number
--------------------------------------------------------------------------------
1 ~ 64 : 0 IPV4 : 11214946
65 ~ 128 : 544123 IPV6 : 0
129 ~ 256 : 0 MPLS : 0
257 ~ 512 : 10670823 L2 : 0
513 ~ 1024 : 0 Total : 11214946
1025 ~ 1500 : 0
longer than 1500 : 0
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Aggregation Current Streams Aged Streams
Created Streams Exported Packets Exported Streams
--------------------------------------------------------------------------------
origin 0 0
0 0 0
as 0 0
0 0 0
as-tos 0 0
0 0 0
protport 0 0
0 0 0
protporttos 0 0
0 0 0
srcprefix 0 0
0 0 0
srcpretos 0 0
0 0 0
dstprefix 0 0
0 0 0
dstpretos 0 0
0 0 0
prefix 0 0
0 0 0
prefix-tos 0 0
0 0 0
mpls-label 0 0
0 0 0
bgp-nhp-tos 0 0
0 0 0
index-tos 0 0
0 0 0
--------------------------------------------------------------------------------
srcprefix = source-prefix, srcpretos = source-prefix-tos,
dstprefix = destination-prefix, dstpretos = destination-prefix-tos,
protport = protocol-port, protporttos = protocol-port-tos,
all-aggre = all aggregation streams,
"---" means that the current board is not supported.
Applicable Environment
As shown in Figure 6-8, carriers can enable NetStream on the router to obtain detailed network
application information. Such information can guide carriers in monitoring abnormal network
traffic, analyzing users' operation mode, and planning the network between ASs.
Statistics collection of NetStream aggregated flows collects statistics about original flows with
the same attributes, whereas statistics collection of NetStream original flows collects statistics
about sampled packets. The data volume generated by aggregated flow statistics collection is
therefore greater than that generated by original flow statistics collection.
[Figure 6-8: diagram not reproduced. Labels: NDE, NSC, NDA, Traffic.]
Pre-configuration Tasks
Before collecting statistics about IPv6 aggregated flows, complete the following tasks:
l Configuring parameters of the link layer protocol and IP addresses for interfaces to ensure
that the link layer protocol on the interfaces is Up
l Configuring the static route or enabling an IGP to ensure that IP routes between nodes are
reachable
l Enabling statistics collection of NetStream original flows
Configuration Procedures
To collect statistics about IPv6 aggregated flows, perform the procedures as described in the
following flowchart.
Mandatory procedure
Optional procedure
Context
NetStream services can be processed in either of the following modes:
l Distributed mode
In this mode, a single LPU can perform NetStream functions independently, including
packet sampling, flow aggregation, and flow output.
l Integrated mode
In this mode, the LPU only samples packets and sends sampled packets to the NetStream
service processing board. Flow aggregation and flow output are performed on the
NetStream service processing board. If the data volume collected by the router is beyond
Procedure
l Configure the distributed NetStream service processing mode.
1. Run:
system-view
The view of the slot where the LPU for NetStream sampling resides is displayed.
3. Run:
ipv6 netstream sampler to slot self
4. Run:
commit
The view of the slot where the LPU for NetStream sampling resides is displayed.
3. Run:
ipv6 netstream sampler to slot slot-id1
The integrated NetStream service processing mode is configured and the NetStream
service processing board is specified.
4. (Optional) Run:
ipv6 netstream sampler to slot slot-id2 backup
The integrated NetStream service processing mode is configured and the backup
NetStream service processing board is specified.
If there are several NetStream service processing boards, you can specify a master
service processing board and a backup service processing board as needed. For the
purpose of load balancing, LPUs that are dual homed to different NetStream service
processing boards can back up each other.
5. Run:
commit
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
ipv6 netstream aggregation { as | as-tos | bgp-nexthop-tos | destination-prefix |
destination-prefix-tos | index-tos | prefix | prefix-tos | protocol-port |
protocol-port-tos | source-prefix | source-prefix-tos }
NOTE
After collecting statistics about NetStream original flows, the system aggregates original flows into
aggregated flows based on certain rules, encapsulates aggregated flows into UDP packets, and sends UDP
packets after the aging timer expires. Aggregating original flows can reduce the consumption of network
bandwidths, CPU resources, and storage space. Characteristics based on which flows are aggregated vary
according to aggregation modes. The mapping relationship between characteristics and aggregation modes
is described in the following table.
protocol-port NetStream flows with the same protocol number, source port,
and destination port are aggregated as one flow and one
aggregation record is generated.
protocol-port-tos NetStream flows with the same protocol number, source port,
destination port, ToS, inbound interface index, and outbound
interface index are aggregated as one flow and one aggregation
record is generated.
Step 3 Run:
enable
The mask used by the system is the higher mask between the mask in the FIB table and the set
mask. If no aggregate mask is set, the system uses the mask in the FIB table for flow aggregation.
NOTE
The aggregate mask takes effect only for aggregation modes of destination-prefix, destination-prefix-tos,
prefix, prefix-tos, source-prefix, and source-prefix-tos.
Step 5 Run:
commit
----End
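The aggregation rules in the table and the aggregate-mask rule above, worked through as an added Python example (not Huawei code or device output). The flow records are constructed; "higher mask" is read here as the longer prefix length, and the destination-prefix key is reduced to the prefix alone because this page does not list that mode's other key fields.

```python
from collections import defaultdict
from ipaddress import IPv6Network

# Key fields per aggregation mode, as listed in the table above.
MODE_KEYS = {
    "protocol-port": ("proto", "sport", "dport"),
    "protocol-port-tos": ("proto", "sport", "dport", "tos", "in_if", "out_if"),
}


def _flow(proto, sport, dport, tos, in_if, out_if, dst, fib_mask, pkts):
    return dict(proto=proto, sport=sport, dport=dport, tos=tos, in_if=in_if,
                out_if=out_if, dst=dst, fib_mask=fib_mask, pkts=pkts)


# Constructed original flows (documentation prefix 2001:db8::/32, not device data).
ORIGINAL_FLOWS = [
    _flow(6, 40000, 443, 0, 1, 2, "2001:db8:0:1::10", 48, 10),
    _flow(6, 40000, 443, 32, 1, 2, "2001:db8:0:2::20", 48, 4),
    _flow(6, 40000, 443, 0, 1, 3, "2001:db8:0:1::30", 48, 6),
    _flow(17, 5353, 53, 0, 1, 2, "2001:db8:ffff::1", 64, 1),
]


def aggregate(flows, key_of):
    """Merge original flows that share a key into one aggregation record."""
    table = defaultdict(lambda: {"flows": 0, "pkts": 0})
    for flow in flows:
        record = table[key_of(flow)]
        record["flows"] += 1
        record["pkts"] += flow["pkts"]
    return dict(table)


def by_mode(flows, mode):
    """Aggregate using the key fields of one of the modes in MODE_KEYS."""
    fields = MODE_KEYS[mode]
    return aggregate(flows, lambda f: tuple(f[name] for name in fields))


def effective_mask(fib_mask, set_mask=None):
    """Mask rule from the text: the higher of the FIB mask and the set mask,
    or the FIB mask alone when no aggregate mask is set."""
    return fib_mask if set_mask is None else max(fib_mask, set_mask)


def by_destination_prefix(flows, set_mask=None):
    """Aggregate on the destination prefix obtained with the effective mask.
    Assumption: only the prefix is used as the key in this example."""
    def key_of(f):
        mask = effective_mask(f["fib_mask"], set_mask)
        return str(IPv6Network((f["dst"], mask), strict=False))
    return aggregate(flows, key_of)


if __name__ == "__main__":
    for mode in MODE_KEYS:
        print(mode, len(by_mode(ORIGINAL_FLOWS, mode)), "records")
    for set_mask in (None, 32, 64):
        print("mask", set_mask, sorted(by_destination_prefix(ORIGINAL_FLOWS, set_mask)))
```

A set mask shorter than the FIB mask changes nothing, while a longer one splits records and raises the number of exported aggregation records.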
Context
IPv6 aggregated flows can be output only in V9 format.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ipv6 netstream export host ip-address port
The destination IP address configured in the system view takes precedence over that configured
in the NetStream aggregation view.
Step 3 Run:
ipv6 netstream aggregation { as | as-tos | destination-prefix |
destination-prefix-tos | prefix | prefix-tos | protocol-port | protocol-port-tos |
source-prefix | source-prefix-tos }
The interval at which the template for outputting aggregated flows in V9 format is refreshed is
set.
Step 5 Run:
ipv6 netstream export source ip-address
The source IP address configured in the aggregation view takes precedence over that configured
in the system view. If no source IP address is configured in the aggregation view, the source IP
address configured in the system view takes effect.
Step 6 Run:
ipv6 netstream export host ip-address port
NOTE
l You can configure two destination IP addresses in the system view, the IPv4 NetStream aggregation
view and the IPv4 NetStream aggregation view.
l The destination IP address configured in the system view takes precedence over that configured in the
NetStream aggregation view.
----End
Context
To enable the NSC to normally receive and parse NetStream packets output from the NDE,
ensure that the AS field modes and interface index types on the NDE and NSC are the same.
l AS field mode: As defined in the pertaining protocol, the length of the AS field in IP packets
is 16 bits. On networks in some areas, however, the length of the AS field in IP packets is
32 bits. If different AS field modes exist on a network, you need to convert the AS field
mode when configuring NetStream. Otherwise, NetStream cannot sample inter-AS traffic.
CAUTION
On a network where the 32-bit AS field mode is used, the NMS needs to identify the 32-bit
AS field. Otherwise, the NMS will fail to identify inter-AS traffic sent from devices.
l Interface index: The NMS uses the interface index carried in the NetStream packet output
from the NDE to query information about the interface from which the packet is output.
The interface index can be of 16 bits or 32 bits, which is determined by NMS devices of
different vendors. Therefore, the NDE needs to use a proper interface index type according
to the index parsing capability of the NMS. For example, if the NMS can parse a 32-bit
interface index, the interface index carried in the NetStream packet must be a 32-bit value.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ipv6 netstream as-mode { 16 | 32 }
Step 3 Run:
ipv6 netstream export index-switch { 16 | 32 }
The type of the interface index carried in the NetStream packet output from the router is
configured.
By default, the interface index carried in the NetStream packet output from the router is of 16
bits. Before converting an interface index from 16 bits to 32 bits, ensure that the following
conditions are met:
l Original flows are output in V9 format.
l Aggregated flows are output in V9 format.
----End
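Added collector-side example, not Huawei code: a NetFlow V9 (RFC 3954) decoder that takes field widths from the template, and the misparse that results when the collector assumes 16-bit AS and interface-index fields while the exporter sends 32-bit ones. It assumes the NDE signals the as-mode and index-switch widths through the V9 template field lengths; the packet, template ID 260 and all values are constructed.

```python
import struct

# NetFlow V9 field type numbers from RFC 3954.
IN_BYTES, IN_PKTS, INPUT_SNMP, OUTPUT_SNMP, SRC_AS, DST_AS = 1, 2, 10, 14, 16, 17
NAMES = {IN_BYTES: "bytes", IN_PKTS: "pkts", INPUT_SNMP: "in_if",
         OUTPUT_SNMP: "out_if", SRC_AS: "src_as", DST_AS: "dst_as"}
WIDTH_SENSITIVE = {INPUT_SNMP, OUTPUT_SNMP, SRC_AS, DST_AS}

# Constructed sample: a template with 32-bit AS and interface-index fields and
# two records whose values do not fit in 16 bits.
FIELDS_32 = [(IN_PKTS, 4), (IN_BYTES, 4), (INPUT_SNMP, 4),
             (OUTPUT_SNMP, 4), (SRC_AS, 4), (DST_AS, 4)]
RECORDS = [(12, 9000, 70000, 70001, 65001, 4200000001),
           (3, 180, 70001, 70000, 4200000001, 65001)]


def build_packet(template_id, fields, records, with_template=True):
    """Build a constructed V9 export packet (test input, not device output)."""
    sets, count = b"", len(records)
    if with_template:
        tmpl = struct.pack("!HH", template_id, len(fields))
        tmpl += b"".join(struct.pack("!HH", t, n) for t, n in fields)
        sets += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
        count += 1
    data = b"".join(value.to_bytes(n, "big")
                    for rec in records for (_, n), value in zip(fields, rec))
    data += b"\x00" * (-len(data) % 4)  # pad the data FlowSet to a 32-bit boundary
    sets += struct.pack("!HH", template_id, 4 + len(data)) + data
    # Header: version, count, sysUptime, unix_secs, sequence, source_id.
    return struct.pack("!HHIIII", 9, count, 0, 0, 1, 0) + sets


def read_templates(body, templates):
    """Store each template as a list of (field_type, length_in_bytes)."""
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        pos += 4
        if tid < 256 or pos + 4 * nfields > len(body):
            raise ValueError("malformed template FlowSet")
        templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i)
                          for i in range(nfields)]
        pos += 4 * nfields


def read_records(body, fields, forced_width=None):
    """Decode data records. forced_width (bytes) models a collector that ignores
    the template and hard-codes the AS and interface-index width."""
    layout = [(t, forced_width if forced_width and t in WIDTH_SENSITIVE else n)
              for t, n in fields]
    size = sum(n for _, n in layout)
    if size == 0:
        return []
    records = []
    for start in range(0, len(body) - size + 1, size):
        pos, rec = start, {}
        for t, n in layout:
            rec[NAMES.get(t, t)] = int.from_bytes(body[pos:pos + n], "big")
            pos += n
        records.append(rec)
    return records


def parse_v9(packet, templates, forced_width=None):
    """Return decoded flow records; templates is the collector's template cache."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow V9 export packet")
    offset, flows = 20, []
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + set_len]
        if set_id == 0:
            read_templates(body, templates)
        elif set_id > 255 and set_id in templates:
            flows += read_records(body, templates[set_id], forced_width)
        # Data FlowSets without a cached template cannot be decoded and are skipped.
        offset += set_len
    return flows


def export_widths(templates, template_id):
    """Bit width the exporter uses for each AS and interface-index field."""
    return {NAMES[t]: 8 * n for t, n in templates[template_id] if t in WIDTH_SENSITIVE}


if __name__ == "__main__":
    cache = {}
    packet = build_packet(260, FIELDS_32, RECORDS)
    print("template-driven:", parse_v9(packet, cache))
    print("widths:", export_widths(cache, 260))
    print("hard-coded 16-bit:", parse_v9(packet, {}, forced_width=2))
```

Comparing `export_widths` against what the NMS expects is a quick way to confirm that both ends agree before inter-AS reports are trusted.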
Context
By default, NetStream enabled on an interface can sample and collect the statistics about the
following packets:
l Unicast packets
l Multicast packets
l Packets discarded by the uRPF/RPF check
l Fragmented packets
NOTE
If a NetStream-enabled interface is bound to a VPN instance, all packets in the VPN instance will be
sampled.
Procedure
Step 1 Run:
system-view
By default, NetStream is disabled from packet sampling. Instead, it collects the statistics about
each packet.
Step 3 Run:
interface interface-type interface-number
The sampling mode and sampling ratio are configured for the interface.
By default, NetStream is disabled from packet sampling. Instead, it collects the statistics about
each packet.
NOTE
The sampling mode and sampling ratio configured in the system view are applicable to all interfaces on
the device. The sampling mode and sampling ratio configured in the interface view take precedence over
those configured in the system view.
The ip netstream sampler command has the same function as the ipv6 netstream sampler
command.
l The execution of either command takes effect on all packets and there is no need to configure
both of them. If it is required to configure both of them, ensure that sampling modes and
sampling ratios configured by the ip netstream sampler and ipv6 netstream sampler
commands are identical.
l Packets are sampled at the set sampling ratio, regardless of packet types. For example, if the
sampling ratio in fixed packet sampling mode is set to 1000:1, one packet will be sampled
every 1000 packets, regardless of whether these packets are IPv4 or IPv6 packets.
Step 5 Run:
ipv6 netstream { inbound | outbound }
Statistics about packets' BGP next-hop information can also be collected. Original flows output
in V5 format, however, cannot carry the BGP next-hop information.
By default, NetStream is disabled from collecting the statistics about incoming and outgoing
unicast flows.
Step 6 Run:
commit
----End
Context
Run the following command to check the previous configuration.
Procedure
l Run the display ipv6 netstream cache { as | as-tos | destination-prefix |
destination-prefix-tos | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix |
source-prefix-tos | mpls-label } slot slot-id command to view various aggregated flows in the
buffer.
l Run the display ipv6 netstream statistics slot slot-id command to view statistics about
NetStream flows.
----End
Example
Run the display ipv6 netstream cache destination-prefix slot 3 command. If the destination
IP address and prefix aggregation mode have been successfully configured, you can view
statistics about destination IP addresses, AS numbers, masks, and prefixes of IP or MPLS packets
in the buffer on the router.
<HUAWEI> display ipv6 netstream cache destination-prefix slot 3
Show information of IP and MPLS cache of slot 3 is starting.
get show cache user data success.
GI5/0/10 0 64 1114::
GI5/0/0 0 128 1000::200:0:3701:5EA4
1 1 in
GI5/0/10 0 64 1114::
GI5/0/23 0 128 1000::200:0:3701:5EA4
1 1 out
Run the display ipv6 netstream statistics slot slot-id command, and you can view statistics
about NetStream flows.
[~HUAWEI] display ipv6 netstream statistics slot 1
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Aggregation Current Streams Aged Streams
Created Streams Exported Packets Exported Streams
--------------------------------------------------------------------------------
origin 0 0
0 0 0
as 0 0
0 0 0
as-tos 0 0
0 0 0
protport 0 0
0 0 0
protporttos 0 0
0 0 0
srcprefix 0 0
0 0 0
srcpretos 0 0
0 0 0
dstprefix 0 0
0 0 0
dstpretos 0 0
0 0 0
prefix 0 0
0 0 0
prefix-tos 0 0
0 0 0
mpls-label 0 0
0 0 0
bgp-nhp-tos 0 0
0 0 0
index-tos 0 0
0 0 0
--------------------------------------------------------------------------------
srcprefix = source-prefix, srcpretos = source-prefix-tos,
dstprefix = destination-prefix, dstpretos = destination-prefix-tos,
protport = protocol-port, protporttos = protocol-port-tos,
all-aggre = all aggregation streams,
"---" means that the current board is not supported.
Applicable Environment
As shown in Figure 6-10, carriers can enable NetStream on the router to obtain detailed network
application information. Such information can guide carriers in monitoring abnormal network
traffic, analyzing users' operation mode, and planning the network between ASs.
If statistics about MPLS packets are collected on the P, the P sends statistics to inform the NSC
of the MPLS label-specific traffic volume.
[Figure 6-10: diagram not reproduced. Labels: NDE, NSC, NDA, Traffic.]
Context
Before collecting statistics about MPLS IPv4 packets, complete the following task:
l Enabling MPLS on the device and interfaces, and configuring the MPLS network
Procedure
Step 1 Run:
system-view
Step 2 Output statistics about MPLS IPv4 packets in the form of original flows or aggregated flows as
needed.
NOTE
MPLS original flows and aggregated flows can be output only in V9 format.
l Statistics about original flows
1. Run:
ip netstream mpls-aware { label-only | ip-only | label-and-ip }
----End
l Run the display ip netstream statistics slot slot-id command to view statistics about
NetStream flows.
<HUAWEI> display ip netstream statistics slot 6
Netstream statistic information on slot 6:
--------------------------------------------------------------------------------
length of packets Number Protocol Number
--------------------------------------------------------------------------------
1 ~ 64 : 0 IPV4 : 159655229
65 ~ 128 : 159655229 IPV6 : 0
129 ~ 256 : 0 MPLS : 0
257 ~ 512 : 0 L2 : 0
513 ~ 1024 : 0 Total : 159655229
1025 ~ 1500 : 0
longer than 1500 : 0
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Aggregation Current Streams Aged Streams
Created Streams Exported Packets Exported Streams
--------------------------------------------------------------------------------
origin 2 188
190 0 0
as 0 6
6 0 0
as-tos 0 0
0 0 0
protport 0 0
0 0 0
protporttos 0 0
0 0 0
srcprefix 0 0
0 0 0
srcpretos 0 0
0 0 0
dstprefix 0 0
0 0 0
dstpretos 0 0
0 0 0
prefix 0 5
5 0 0
prefix-tos 0 0
0 0 0
mpls-label 0 0
0 0 0
bgp-nhp-tos 0 0
0 0 0
index-tos 0 6
6 0 0
l Run the display netstream { all | global | interface interface-type interface-number }
command to check NetStream configurations in different views.
<HUAWEI> display netstream all
system
ip netstream timeout active 50
ip netstream timeout inactive 10
ip netstream export version 9 origin-as
ip netstream export source 10.1.1.1
ip netstream export host 100.1.1.3 10000
ip netstream aggregation as
export version 9
enable
ip netstream export source 1.1.1.2
ip netstream export host 3.3.3.3 555
ip netstream export host 1.1.1.2 55
slot 8
GigabitEthernet8/0/3
Applicable Environment
As shown in Figure 6-11, carriers can enable NetStream on the router to obtain detailed network
application information. Such information can guide carriers in monitoring abnormal network
traffic, analyzing users' operation mode, and planning the network between ASs.
If statistics about MPLS packets are collected on the P (NDE), the P sends statistics to inform
the NSC of the MPLS label-specific traffic volume.
[Figure 6-11: diagram not reproduced. Labels: NDE, NSC, NDA, Traffic.]
Context
Before collecting statistics about MPLS IPv6 packets, complete the following task:
l Enabling MPLS on the device and interfaces, and configuring the MPLS network
Procedure
Step 1 Run:
system-view
When sampling MPLS packets, choose one of the following sampling modes as needed:
Step 3 Output statistics about MPLS IPv6 packets in the form of original flows or aggregated flows as
needed. For detailed applications, see 6.5 Collecting Statistics About IPv6 Original Flows and
6.6 Collecting Statistics About IPv6 Aggregated Flows.
NOTE
MPLS original flows and aggregated flows can be output only in V9 format.
----End
Run the display ipv6 netstream cache origin slot 3 command. If NetStream is successfully
configured, you can view various statistics about MPLS packets cached in the NetStream buffer
on the router.
<HUAWEI> display ipv6 netstream cache origin slot 3
Show information of IP and MPLS cache of slot 3 is starting.
get show cache user data success.
Unknown 0 0 59 0 0 1
GI5/0/0 0 0
0.0.0.0 in
1114::200:0:3A01:102 0
1000::200:0:3701:44AC 0
0.0.0.0 0
0 0 0
0 0 0
0 0 0
0.0.0.0 0
GI5/0/10 0 0 59 0 0 1
Unknown 0 0
0.0.0.0 out
1114::200:0:3A01:102 0
1000::200:0:3701:44AB
Applicable Environment
As shown in Figure 6-12, statistics about MPLS flows sent from the P to the NSC inform the
NSC of the traffic volume and traffic type corresponding to each label. Such statistics, however,
cannot tell to which VPN each traffic belongs. In this case, the PE sends the meaning of each
label to the NSC so that the NSC can determine to which VPN the received traffic belongs. In
this manner, the NSC can analyze the traffic data of each VPN and display the result to users.
Figure 6-12 Networking diagram of collecting statistics about BGP/VPLS VPN flows
[Diagram not reproduced. Labels: NSC, NSA, PE1, P, PE2, BGP/MPLS VPN.
MPLS statistics: Out-label 400, In-label 1024, PE-address 10.1.1.1.
TAL information: Router-id 1.1.1.1, Label 1024.]
Context
Before collecting statistics about BGP/VPLS VPN flows, complete the following task:
Procedure
l Enable statistics collection of MPLS flows on the P.
Follow the configuration procedures described in 6.7 Collecting Statistics About MPLS
IPv4 Packets or 6.8 Collecting Statistics About MPLS IPv6 Packets as needed.
l Enable the output of TAL options on the PE.
1. Run:
ip netstream export template option application-label
The output of TAL options is enabled, and the corresponding TAL option template is
sent to the NSC.
By default, the output of TAL options is disabled.
2. Run:
ip netstream export template option { refresh-rate packet-number |
timeout-rate timeout-interval }
The packet interval and time interval at which the TAL option template is refreshed
are set.
TAL option packets are separately output to the NSC in V9 format. To ensure that the
NSC can successfully parse the TAL option packets, it is required that the
corresponding TAL option template be sent to the NSC.
The TAL option template can be refreshed at both the fixed packet and time intervals.
Packet and time intervals can both be configured, without affecting each other.
– refresh-rate packet-number: indicates that the TAL option template is refreshed
at the fixed packet interval.
– timeout-rate timeout-interval: indicates that the TAL option template is refreshed
at the fixed time interval.
By default, the TAL option template is refreshed at intervals of 20 packets and 30
minutes.
----End
Context
CAUTION
Commands for aging IPv4 and IPv6 original flows are different. Therefore, use a proper
command as needed.
Before forcibly aging original flows in the buffer, run the undo ip netstream { inbound |
outbound } command or the undo ipv6 netstream { inbound | outbound } command in the
interface view to temporarily disable the sampling function. Otherwise, within 30 seconds after
the reset ip netstream cache command or the reset ipv6 netstream cache command is run,
sampled original flows are forcibly output without aggregation.
The sampling function can be re-enabled 30 seconds after the reset ip netstream cache
command or the reset ipv6 netstream cache command is run.
Procedure
l Run:
system-view
Procedure
l Run:
display ip netstream cache origin slot slot-id
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
As shown in Figure 6-13, NetStream can collect statistics about the source IP address,
destination IP address, port, and protocol information of network packets at the user side. Such
statistics help analyze users' behaviors and detect the worm-infected terminals, source and
destination of DoS/DDoS attacks, source of junk mails, and unauthorized web sites. In addition,
NetStream allows users to rapidly identify the virus type and locate the IP address of abnormal
traffic. Based on other characteristics of NetStream flows, users can take proper actions to filter
out virus-infected traffic and prevent it from spreading on the network.
Figure 6-13 Networking diagram of collecting statistics about abnormal IPv4 flows at the user
side
[Diagram not reproduced. Labels: LAN, CE, PE, IP backbone, NSC&NDA.
Interfaces and addresses: POS1/0/0 192.168.1.2/24, POS1/0/0 192.168.1.1/24,
GE2/0/0 192.168.2.1/24, 192.168.2.2/24.]
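Added detection example for the analysis described above, not part of the Huawei guide: it flags worm-like fan-out from one source and many-to-one floods in sampled flow records, scaling sampled packet counts by the 10000:1 fixed-packet ratio used in this configuration example. The records, addresses (documentation and private ranges) and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Matches "ip netstream sampler fix-packets 10000" in this configuration example.
SAMPLING_RATIO = 10000


def build_sample_flows():
    """Constructed sampled flow records: (src, dst, proto, dport, sampled_pkts)."""
    flows = [("192.168.1.10", "203.0.113.5", 6, 443, 3),
             ("192.168.1.11", "203.0.113.9", 6, 80, 1),
             ("192.168.1.12", "203.0.113.5", 6, 443, 2)]
    # One LAN host reaching 40 different hosts on TCP/445, one sampled packet each.
    flows += [("192.168.1.50", f"198.51.100.{i}", 6, 445, 1) for i in range(1, 41)]
    # 30 different sources sending to a single LAN host on UDP/53.
    flows += [(f"192.0.2.{i}", "192.168.1.20", 17, 53, 4) for i in range(1, 31)]
    return flows


def fanout_sources(flows, min_targets):
    """Sources that reach many distinct destinations on one protocol/port.
    This is the pattern a worm-infected terminal produces while spreading."""
    targets = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        targets[(src, proto, dport)].add(dst)
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= min_targets}


def flood_targets(flows, ratio, min_sources, min_est_pkts):
    """Destinations hit by many sources with a high estimated packet volume.
    Each sampled packet stands for roughly `ratio` packets on the wire."""
    sources = defaultdict(set)
    est_pkts = defaultdict(int)
    for src, dst, proto, dport, sampled in flows:
        key = (dst, proto, dport)
        sources[key].add(src)
        est_pkts[key] += sampled * ratio
    return {key: {"sources": len(sources[key]), "est_pkts": est_pkts[key]}
            for key in sources
            if len(sources[key]) >= min_sources and est_pkts[key] >= min_est_pkts}


def analyze(flows, ratio=SAMPLING_RATIO):
    """Run both checks with constructed thresholds and return the findings."""
    return {
        "fanout": fanout_sources(flows, min_targets=20),
        "flood": flood_targets(flows, ratio, min_sources=20, min_est_pkts=1_000_000),
    }


if __name__ == "__main__":
    findings = analyze(build_sample_flows())
    for (src, proto, dport), n in findings["fanout"].items():
        print(f"fan-out: {src} reached {n} hosts on proto {proto} port {dport}")
    for (dst, proto, dport), info in findings["flood"].items():
        print(f"flood: {dst} proto {proto} port {dport} "
              f"from {info['sources']} sources, ~{info['est_pkts']} packets")
```

At 10000:1 sampling a host that sends fewer than about 10000 packets may not appear in the cache at all, so thresholds should be tuned on sampled counts and low-rate activity needs a lower ratio or another data source.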
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure PEs and CEs to communicate with each other over the network between them.
2. Configure NetStream to collect statistics about incoming and outgoing flows on the user-
side interface of the PE.
Data Preparation
To complete the configuration, you need the following data:
l User-side interface of the PE
l Output format of NetStream flows
l Destination IP address, destination port number, and source IP address of NetStream flows
to be output
l Number of the slot where the NetStream service processing board resides (In this example,
the NetStream service processing board is in slot 4.)
Procedure
Step 1 Configure PEs and CEs to communicate with each other over the network between them.
# Configure the IP address and mask of each interface as described in Figure 6-13. Details for
the configuration procedure are not provided here.
Step 2 Enable the NetStream statistics collection function on POS 1/0/0 of the PE.
# Configure the LPU to process NetStream services in integrated mode.
<PE> system-view
[~PE] slot 1
[~PE-slot-1] ip netstream sampler to slot 4
[~PE-slot-1]quit
# Configure the destination address, destination port number, and source address for NetStream
flows output in V5 format
[~PE] ip netstream export host 192.168.2.2 9001
[~PE] ip netstream export source 192.168.2.1
# Enable NetStream sampling and configure the fixed packet sampling mode.
[~PE] ip netstream sampler fix-packets 10000 inbound
[~PE] ip netstream sampler fix-packets 10000 outbound
[~PE] commit
# Configure NetStream to collect statistics about incoming and outgoing flows on POS 1/0/0 of
the PE.
[~PE] interface pos 1/0/0
[~PE-Pos1/0/0] undo shutdown
[~PE-Pos1/0/0] ip netstream inbound
[~PE-Pos1/0/0] ip netstream outbound
[~PE-Pos1/0/0] quit
[~PE] commit
Unknown 20 0 6 0 0 1
PO2/0/0 10 0
0.0.0.0 in
58.1.1.2 0
55.67.121.72 0
0.0.0.0 0
0 0 0
0 0 0
0 0 0
0.0.0.0 0
Unknown 20 0 6 0 0 1
PO1/0/0 10 0
0.0.0.0 in
58.1.1.2 0
55.67.121.70 0
0.0.0.0 0
0 0 0
0 0 0
0 0 0
0.0.0.0 0
PO2/0/0 20 0 6 0 0 1
PO1/0/0 10 0
0.0.0.0 out
58.1.1.2 0
55.67.121.68 0
0.0.0.0 0
0 0 0
0 0 0
0 0 0
0.0.0.0 0
----End
Configuration Files
l Configuration file of the CE
#
sysname CE
#
interface Pos 1/0/0
ip address 192.168.1.2 255.255.255.0
#
return
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
As shown in Figure 6-14, Router D connects network A and network B to the Wide Area
Network (WAN). Flows are sampled and aggregated on Router D and then sent to the NSC.
Figure 6-14 Networking diagram of collecting statistics about IPv4 flows aggregated based on
the AS number
[Diagram not reproduced. Devices: RouterA, RouterB, RouterC, RouterD, networks A and B, WAN, NSC&NDA.
Interface labels: GE 1/0/0, GE 2/0/0, POS 1/0/0, POS 2/0/0.
Addresses: 3.3.3.2/24, 3.3.3.1/24, 172.168.0.1/24, 172.168.0.2/24, 1.1.1.1/24, 172.1.1.2/24, 172.1.1.1/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure reachable routes between the egress router of the LAN and the WAN.
2. Configure reachable routes between the ingress router of the LAN and the NSC.
3. Configure the ingress router of the LAN to send traffic statistics to the specified NSC.
4. Configure the ingress router of the LAN to send traffic statistics to the inbound interface
on the NSC.
5. Aggregate sampled flows to reduce the data volume sent to the NSC.
6. Enable NetStream on the inbound interface of the ingress router.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an IP address for the interface on each router. Details for the configuration procedure
are not provided here.
Step 2 Configure reachable routes between the WAN, router A, and router B.
# Configure reachable routes between router A and router D.
<RouterA> system-view
[~RouterA] ip route-static 1.1.1.1 24 pos 1/0/0
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
interface Pos1/0/0
link-protocol ppp
ip address 172.168.0.1 255.255.0.0
#
ip route-static 1.1.1.1 255.255.255.0 POS1/0/0
#
return
#
ip netstream aggregation as
enable
export version 9
ip netstream export source 3.3.3.1
ip netstream export host 2.2.2.1 3000
#
return
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
As shown in Figure 6-15, Router A, Router B, and Router C support MPLS and use OSPF as
the IGP protocol on the MPLS backbone network.
Local LDP sessions are established between Router A and Router B, and between Router B and
Router C. A remote LDP session is established between Router A and Router C. NetStream is
enabled on Router B to collect statistics about MPLS flows.
Figure 6-15 Networking diagram of collecting statistics about MPLS original flows
[Diagram not reproduced. Devices: RouterA, RouterB, RouterC, CE1, CE2, NSC&NDA.
Loopback1 addresses: 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32.
Interface labels: POS1/0/0, POS2/0/0, GE1/0/0.
Addresses: 10.1.1.1/24, 10.1.1.2/24, 10.1.2.1/24, 10.1.2.2/24, 192.168.1.1/24, 192.168.1.2/24.]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l IP addresses of interfaces on each router as shown in Figure 6-15, OSPF process 1, and
Area 0
l Remote peer of router A, whose name is router c and the IP address is 3.3.3.9.
l Remote peer of router C, whose name is router a and the IP address is 1.1.1.9.
l Number of the slot where the NetStream service processing board resides (In this example,
the NetStream service processing board is in slot 4.)
Procedure
Step 1 Configure an IP address for each interface.
# Configure an IP address and a mask for each interface (including loopback interfaces) as
described in Figure 6-15. Details for the configuration procedure are not provided here.
Step 2 Configure the LDP session between every two Routers.
# Configure OSPF to advertise the host routes of the specified LSR ID and of the network
segments to which interfaces on the router are connected. Enable basic MPLS functions on each
router and its interfaces.
For configurations of the static MPLS TE tunnel, see the chapter "MPLS Basic Configurations"
in the HUAWEI NetEngine5000E Core Router Configuration Guide - MPLS.
Step 3 Enable NetStream on POS 1/0/0 of Router B.
# Configure the NetStream service processing mode on an LPU.
<RouterB> system-view
[~RouterB] slot 1
[~RouterB-slot-1] ip netstream sampler to slot 4
[~RouterB-slot-1] return
# Configure NetStream to collect statistics about incoming and outgoing packets on POS 1/0/0
of Router B.
[~RouterB] interface pos 1/0/0
[~RouterB-Pos1/0/0] ip netstream inbound
[~RouterB-Pos1/0/0] ip netstream outbound
[~RouterB-Pos1/0/0] quit
# Configure NetStream to sample both inner IP packets and labels of MPLS packets.
[~RouterB] ip netstream mpls-aware label-and-ip
# Configure the destination address, destination port number, and source address for NetStream
flows output in V5 format.
[~RouterB] ip netstream export host 192.168.1.2 2100
[~RouterB] ip netstream export source 10.1.2.1
# Enable NetStream sampling and configure the fixed packet sampling mode.
[~RouterB] ip netstream sampler fix-packets 10000 inbound
[~RouterB] ip netstream sampler fix-packets 10000 outbound
[~RouterB] commit
Unknown 20 0 6 0 0 1
PO2/0/0 10 0
0.0.0.0 in
58.1.1.2 0
55.67.121.72 0
0.0.0.0 0
1011 2 1
0 0 0
0 0 0
1.1.1.9 0
Unknown 20 0 6 0 0 1
PO1/0/0 10 0
0.0.0.0 in
58.1.1.2 0
55.67.121.70 0
0.0.0.0 0
1001 2 1
0 0 0
0 0 0
10.1.1.9 0
PO2/0/0 20 0 6 0 0 1
PO1/0/0 10 0
0.0.0.0 out
58.1.1.2 0
55.67.121.68 0
0.0.0.0 0
1021 2 1
0 0 0
0 0 0
20.1.1.9 0
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
mpls lsr-id 1.1.1.9
#
mpls
lsp-trigger all
#
mpls ldp
#
mpls ldp remote-peer Routerc
remote-ip 3.3.3.9
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
l Configuration file of Router B
#
slot 1
ip netstream sampler to slot 4
#
sysname RouterB
#
ip netstream sampler fix-packets 10000 inbound
ip netstream sampler fix-packets 10000 outbound
ip netstream export source 10.1.2.1
ip netstream export host 192.168.1.2 9001
#
mpls lsr-id 2.2.2.9
#
mpls
lsp-trigger all
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
ip netstream inbound
ip netstream outbound
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
With the development of L3VPN services, users and carriers increasingly demand higher Quality
of Service (QoS). After voice over IP and video over IP services are promoted, carriers and users
all tend to sign Service Level Agreements (SLAs). Deploying NetStream on the BGP/MPLS IP
VPN network allows users to analyze the LSP traffic between PEs and adjust the network
accordingly to better meet service requirements.
[Figure 6-16: diagram not reproduced. Devices: PE1, P, PE2 (MPLS backbone, AS: 100), CE2 (VPN-A, AS: 65420),
CE4 (VPN-A, AS: 65440), NSC&NDA.
Loopback1 addresses: 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32.
Interface labels: GE1/0/0, GE2/0/0, POS1/0/0, POS2/0/0, POS3/0/0.
Addresses: 172.3.1.2/24, 192.168.2.2/24, 172.3.1.1/24, 192.168.2.1/24, 172.1.1.2/24, 172.2.1.1/24,
172.1.1.1/24, 172.2.1.2/24, 10.2.1.2/24, 10.4.1.2/24, 10.2.1.1/24, 10.4.1.1/24.]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l Destination IP address, destination port number, and source IP address of NetStream flows
to be output
l Number of the slot where the NetStream service processing board resides (In this example,
the NetStream service processing board is in slot 4.)
Procedure
Step 1 Configure an IP address for each interface.
Configure an IP address and a mask for each interface (including loopback interfaces) as
described in Figure 6-16. Details for the configuration procedure are not provided here.
For configuration details, see the chapter "BGP/MPLS IP VPN Configuration" in the HUAWEI
NetEngine5000E Core Router Configuration Guide - VPN.
Step 3 Enable NetStream to sample packets with specified application labels on PE2.
# Configure PE2 to send information about L3VPN application labels to the NMS.
[~PE2] ip netstream export template option application-label
# Configure the destination address, destination port number, and source address for NetStream
flows output in V9 format.
[~PE2] ip netstream export version 9
[~PE2] ip netstream export host 192.168.2.2 9000
[~PE2] ip netstream export source 192.168.2.1
Step 4 Enable NetStream to collect statistics about incoming and outgoing packets with specified
application labels on the P.
# Collect statistics about incoming and outgoing packets on POS 2/0/0 of the P.
[~P] interface Pos 2/0/0
[~P-Pos2/0/0] ip netstream inbound
[~P-Pos2/0/0] ip netstream outbound
[~P-Pos2/0/0] quit
# Configure NetStream to sample both inner IP packets and labels of MPLS packets.
[~P] ip netstream mpls-aware label-and-ip
# Configure the destination address, destination port number, and source address for NetStream
flows output in V9 format.
[~P] ip netstream export version 9
[~P] ip netstream export host 192.168.2.2 9001
[~P] ip netstream export source 172.2.1.1
# Enable NetStream sampling and configure the fixed packet sampling mode.
# Run the display ip netstream cache origin slot 4 command in the user view. If the
configuration succeeds, you can view IP- and MPLS-related information about VPN packets
cached in the NetStream flow buffer.
<P> display ip netstream cache origin slot 4
Show information of IP and MPLS cache of slot 4 is starting.
get show cache user data success.
Unknown 20 0 6 0 0 1
PO2/0/0 10 0
0.0.0.0 in
58.1.1.2 0
55.67.121.72 0
0.0.0.0 0
1011 2 1
0 0 0
0 0 0
1.1.1.9 0
Unknown 20 0 6 0 0 1
PO1/0/0 10 0
0.0.0.0 in
58.1.1.2 0
55.67.121.70 0
0.0.0.0 0
1001 2 1
0 0 0
0 0 0
10.1.1.9 0
PO2/0/0 20 0 6 0 0 1
PO1/0/0 10 0
0.0.0.0 out
58.1.1.2 0
55.67.121.68 0
0.0.0.0 0
1021 2 1
0 0 0
0 0 0
20.1.1.9 0
----End
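The following Python sketch is an added example, not part of the Huawei documentation: a collector-side check for the V9 export configured in Steps 3 and 4, which accepts datagrams only from the configured export source addresses and walks the flowsets with bounds checks. It assumes NetStream V9 datagrams follow the NetFlow version 9 layout (RFC 3954); the allow-list reuses the addresses and ports from the procedure above, and the sample datagram is constructed.

```python
import struct

# Assumption: exporter allow-list built from the "ip netstream export source"
# addresses and destination ports used in Steps 3 and 4 (PE2 -> 9000, P -> 9001).
EXPORTERS = {("192.168.2.1", 9000): "PE2", ("172.2.1.1", 9001): "P"}

HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET = struct.Struct("!HH")      # flowset_id, length (length includes this 4-byte header)


def parse_v9(datagram, src_ip, dst_port):
    """Validate one export datagram and return its header plus a flowset summary."""
    exporter = EXPORTERS.get((src_ip, dst_port))
    if exporter is None:
        raise ValueError(f"unexpected exporter {src_ip} on port {dst_port}")
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than V9 header")
    version, count, _uptime, _secs, sequence, source_id = HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"unexpected export version {version}")
    flowsets, offset = [], HEADER.size
    while offset < len(datagram):
        if offset + FLOWSET.size > len(datagram):
            raise ValueError("truncated flowset header")
        fs_id, fs_len = FLOWSET.unpack_from(datagram, offset)
        if fs_len < FLOWSET.size or offset + fs_len > len(datagram):
            raise ValueError("flowset length out of bounds")
        kind = {0: "template", 1: "options-template"}.get(fs_id)
        if kind is None:
            if fs_id < 256:
                raise ValueError(f"reserved flowset id {fs_id}")
            kind = "data"
        flowsets.append((kind, fs_id, fs_len))
        offset += fs_len
    return {"exporter": exporter, "count": count, "sequence": sequence,
            "source_id": source_id, "flowsets": flowsets}


def build_sample():
    """Constructed datagram: one template flowset (id 256, two fields) and one data flowset."""
    template = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)  # IPV4_SRC_ADDR, IPV4_DST_ADDR
    data = struct.pack("!HH4s4s", 256, 12, bytes([58, 1, 1, 2]), bytes([55, 67, 121, 72]))
    return HEADER.pack(9, 2, 1000, 1318636800, 7, 4) + template + data


if __name__ == "__main__":
    print(parse_v9(build_sample(), "172.2.1.1", 9001))
```

V9 export is unauthenticated UDP, so the source-address check only rejects misdirected or unexpected senders; the collector port should also be restricted by an ACL on the path from the exporters.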
Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
interface GigabitEthernet1/0/0
 ip binding vpn-instance vpna
 ip address 10.2.1.2 255.255.255.0
#
interface Pos3/0/0
 link-protocol ppp
 ip address 172.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.1.1.1 as-number 65440
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 172.1.1.0 0.0.0.255
#
return
• Configuration file of the P
slot 2
 ip netstream sampler to slot 4
#
sysname P
#
ip netstream mpls-aware label-and-ip
ip netstream export version 9
ip netstream sampler fix-packets 10000 inbound
ip netstream sampler fix-packets 10000 outbound
ip netstream export source 172.3.1.1
ip netstream export host 172.3.1.2 9001
#
mpls lsr-id 2.2.2.9
#
mpls
 lsp-trigger all
#
mpls ldp
#
interface Pos1/0/0
 link-protocol ppp