
ZXR10 ZSR V2

Intelligent Integrated Multi-Service Router


Configuration Guide (System Management)

Version: 2.00.10

ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://ensupport.zte.com.cn
E-mail: support@zte.com.cn
LEGAL INFORMATION
Copyright 2013 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided as is, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History

Revision No. Revision Date Revision Reason

R1.0 2014-05-10 First edition

Serial Number: SJ-20140504150128-007

Publishing Date: 2014-05-10 (R1.0)

SJ-20140504150128-007|2014-05-10 (R1.0) ZTE Proprietary and Confidential


Contents

About This Manual

Chapter 1 Device Connection Management
1.1 Connecting the ZXR10 ZSR V2 System
1.2 Configuring Console Port Connection
1.3 Configuring Telnet Connection
1.4 Configuring SSH Connection
1.5 FTP Connection Configuration
1.5.1 Configuring the ZXR10 ZSR V2 as an FTP Server
1.5.2 Configuring the ZXR10 ZSR V2 as an FTP Client
1.6 Configuring TFTP Connection
1.7 SFTP Connection Configuration
1.7.1 Configuring the ZXR10 ZSR V2 as an SFTP Server
1.7.2 Configuring the ZXR10 ZSR V2 as an SFTP Client

Chapter 2 File System Management
2.1 File System Overview
2.2 Configuring File System Management
2.3 File System Management Configuration Examples
2.3.1 File System Configuration Example
2.3.2 Configuration Example of Backing Up a Configuration File on a USB Flash Drive

Chapter 3 MIM Configuration
3.1 MIM Overview
3.2 Configuring MIM

Chapter 4 User Management
4.1 User Management Overview
4.2 Configuring User Management
4.3 User Management Configuration Examples
4.3.1 Local Authentication and Authorization User Configuration Example
4.3.2 RADIUS-LOCAL Authentication and Authorization User Configuration Example
4.3.3 TACACS+ Authentication and Authorization User Configuration Example
4.3.4 Configuring a Password Prompt Question for Resetting a Password
4.3.5 Configuring OAM Security Management
4.3.6 Configuring a Password Validity Period
4.3.7 Configuring First-Login Password Modification
4.3.8 Relations Between Raising Privilege Levels and the Enable Command

Chapter 5 Command Privilege Level Classification
5.1 Command Privilege Level Overview
5.2 Configuring Command Privilege
5.3 Command Privilege Level Configuration Example

Chapter 6 SNMP Configuration
6.1 SNMP Basic Configuration
6.1.1 SNMP Overview
6.1.2 Configuring SNMP
6.1.3 SNMP Configuration Example
6.2 SNMP Anti-Violence Attack
6.2.1 SNMP Anti-Brute Force Attack Overview
6.2.2 Configuring SNMP Anti-Brute Force Attack
6.2.3 SNMP Anti-Brute Force Attack Configuration Example

Chapter 7 Alarm Management Configuration
7.1 Alarm Overview
7.2 Configuring the Alarm Function
7.3 Alarm Function Configuration Example

Chapter 8 SYSLOG Configuration
8.1 SysLog Overview
8.2 Configuring Syslog
8.3 Syslog Configuration Example

Chapter 9 RMON Configuration
9.1 RMON Overview
9.2 Configuring RMON
9.3 RMON Configuration Example

Chapter 10 Clock and Clock Synchronization
10.1 NTP Configuration
10.1.1 NTP Overview
10.1.2 Configuring NTP
10.1.3 NTP Configuration Examples
10.2 Physical POS Interface Clock Configuration
10.2.1 Physical POS Interface Clock
10.2.2 Configuring a Physical POS Interface Clock
10.2.3 Physical POS-Interface Clock Configuration Instance

Chapter 11 Performance Statistics
11.1 Performance Management Overview
11.2 Performance Management Configuration
11.3 Performance Management Configuration Example

Chapter 12 NetFlow Configuration
12.1 NetFlow Overview
12.2 Configuring NetFlow
12.3 NetFlow Configuration Examples
12.3.1 NetFlow V5 Configuration Example
12.3.2 NetFlow V8 Configuration Example
12.3.3 NetFlow V9 Configuration Example

Chapter 13 SQA Configuration
13.1 SQA Overview
13.2 Configuring SQA
13.3 SQA Configuration Examples
13.3.1 ICMP-Type SQA Configuration Example
13.3.2 FTP-Type SQA Configuration Example
13.3.3 TCP-Type SQA Configuration Example
13.3.4 UDP-Type SQA Configuration Example
13.3.5 DNS-Type SQA Configuration Example

Chapter 14 LLDP Configuration
14.1 LLDP Overview
14.2 Configuring LLDP
14.3 LLDP Configuration Examples
14.3.1 LLDP Neighbor Configuration Example
14.3.2 LLDP Attribute Configuration Example

Chapter 15 Network Layer Detection
15.1 Configuring ICMP Fast Response
15.2 Configuring IP Source Route Option Processing
15.3 Configuring ICMP Unreachable Packet Function
15.4 Enabling an Interface to Send ICMP Unreachable Packets
15.5 Configuring IP Ping
15.6 Configuring IP Trace
15.7 Configuring LSP Ping
15.8 Configuring LSP Trace
15.9 Configuring Multicast Ping
15.10 Configuring Multicast Trace
15.11 Configuring MAC Ping
15.12 Configuring MAC Trace
15.13 IP Performance Maintenance

Figures
Glossary


About This Manual
Purpose
This manual describes functional principles, configuration commands and examples
related to ZXR10 ZSR V2 system management.

Intended Audience
This manual is intended for the following engineers:
- Network planning engineers
- Commissioning engineers
- Maintaining engineers

What Is in This Manual


This manual contains the following contents:

Chapter
    Summary

1, Device Connection Management
    Describes several modes (including through a Console port, TELNET, SSH, FTP, TFTP and SFTP) and configuration commands to connect to ZXR10 ZSR V2.

2, File System Management
    Describes operational commands for the file system of the device.

3, MIM Configuration
    Describes MIM principles, configuration commands and configuration examples.

4, User Management
    Describes user management principle, configuration commands and configuration examples.

5, Command Privilege Level Classification
    Describes user and command privilege level classification principle, configuration commands and configuration example.

6, SNMP Configuration
    Describes SNMP principles, configuration commands and configuration examples.

7, Alarm Management Configuration
    Describes alarm management principle, configuration commands and configuration example.

8, SYSLOG Configuration
    Describes SYSLOG principle, configuration commands and configuration example.

9, RMON Configuration
    Describes RMON principle, configuration commands and configuration example.

10, Clock and Clock Synchronization
    Describes clock and clock synchronization principles, configuration commands and configuration examples.

11, Performance Statistics
    Describes performance statistics principle, configuration commands and configuration example.

12, NetFlow Configuration
    Describes NetFlow principle, configuration commands and configuration examples.

13, SQA Configuration
    Describes SQA principle, configuration commands and configuration examples.

14, LLDP Configuration
    Describes LLDP principles, configuration commands and configuration examples.

15, Network Layer Detection
    Describes the principles, configuration commands, and configuration examples of the network layer detection.

Conventions
This manual uses the following typographical conventions:

Typeface
    Meaning

Italics
    Variables in commands. It may also refer to other related manuals and documents.

Bold
    Menus, menu options, function names, input fields, option button names, check boxes, drop-down lists, dialog box names, window names, parameters, and commands.

Constant width
    Text that you type, program codes, filenames, directory names, and function names.

[]
    Optional parameters.

|
    Separates individual parameter in series of parameters.

Warning
    Indicates a potentially hazardous situation. Failure to comply can result in serious injury, equipment damage, or interruption of major services.

Caution
    Indicates a potentially hazardous situation. Failure to comply can result in moderate injury, equipment damage, or interruption of minor services.

Note
    Provides additional information about a certain topic.



Chapter 1
Device Connection Management
Table of Contents
Connecting the ZXR10 ZSR V2 System
Configuring Console Port Connection
Configuring Telnet Connection
Configuring SSH Connection
FTP Connection Configuration
Configuring TFTP Connection
SFTP Connection Configuration

1.1 Connecting the ZXR10 ZSR V2 System


The ZXR10 ZSR V2 provides multiple configuration modes; see Figure 1-1.

Figure 1-1 ZXR10 ZSR V2 Configuration Modes

Users can use different configuration modes for different network types. The configuration
modes are described below:
- Console port mode: This is the primary configuration mode used by users.
- Telecommunication Network Protocol (TELNET)/Secure Shell (SSH) mode: Users
  can use this mode to configure the ZXR10 ZSR V2 at any accessible place of a
  network.
- Trivial File Transfer Protocol (TFTP)/File Transfer Protocol (FTP) mode: Users
  can use this mode to download/upload router configuration files, and update router
  configurations.

1.2 Configuring Console Port Connection


This procedure describes how to connect to the ZXR10 ZSR V2 through the Console port.

Steps
1. Configure a Hyperterminal.

For how to configure a Hyperterminal, refer to the "Configuring the Device Through a
Console Port" section in the ZXR10 M6000 Initial Configuration Guide.

2. (Optional) In the configuration mode, run the login authentication command to enable
the Console port connection authentication function.

Caution!
The Console port connection authentication function can be enabled only after a
username and password are configured. If the username and password are not
configured properly when the function is enabled, you cannot enter the ZXR10> CLI
the next time you connect to the device.

The following example shows how to enable Console port authentication.

ZXR10(config)#login authentication
Warning:
Please make sure local or remote authentication is correctly configured.
Are you sure to configure console authentication? [yes/no]:y
ZXR10(config)#
/*Enables the Console port connection authentication function.*/

For how to configure a user name and password used in serial port authentication,
refer to 4.2 Configuring User Management.

End of Steps

1.3 Configuring Telnet Connection


This procedure describes how to connect to the ZXR10 ZSR V2 through Telnet.

Prerequisite
The local terminal can access the remote router network.


Context
Telnet is used for configuring routers remotely. To prevent unauthorized users from
accessing the router through Telnet, a user name and password have to be set on the
router for Telnet access. Only a user who has the preset user name and password can
access the router. For how to configure a user name and password on the ZXR10 ZSR V2
for Telnet login, refer to 4.2 Configuring User Management.

Steps
1. Connect to the ZXR10 ZSR V2 through Telnet.
Assume that the IP address of a remote router is 192.168.3.1 and that the local
terminal (configured with the Windows XP operating system, for example) can access
the remote router network. The operations on the local terminal are as follows:
a. Start the Run program on the local terminal, and enter the telnet 192.168.3.1
command, see Figure 1-2.

Figure 1-2 Run Dialog Box

b. Click OK.
The following information is displayed:
************************************************************
Welcome to ZXR10 Intelligent Integrated Multi-Service Router
of ZTE Corporation
************************************************************

Login at: 19:46:37 03-24-2014


Username:who
Password:
ZXR10>enable 18
Password:
ZXR10#

c. Enter a user name and a password according to the prompt. Then, you can log in
to the remote router.
2. Configure a Telnet connection.


On the ZXR10 ZSR V2, run the following commands to configure optional Telnet
parameters:

Command
    Function

ZXR10(config)#line console idle-timeout <idle-time>
    Configures the maximum idle timeout period of the serial port. Unit: minute, range: 0-1000, default: 30.

ZXR10(config)#line console absolute-timeout <absolute-time>
    Configures the maximum online timeout period of the serial port. Unit: minute, range: 0-10000, default: 1440.

ZXR10(config)#line telnet idle-timeout <idle-time>
    Configures the maximum idle timeout period of Telnet. Unit: minute, range: 0-1000, default: 120.

ZXR10(config)#line telnet absolute-timeout <absolute-time>
    Configures the maximum online timeout period of Telnet. Unit: minute, range: 0-10000, default: 1440.

ZXR10(config)#line telnet access-class {ipv4 | ipv6}<acl-name>
    Configures the name of an Access Control List (ACL) bound to Telnet.

ZXR10(config)#line telnet max-link <max-number>
    Configures the maximum number of Telnet links. Range: 1-15, default: 15.

ZXR10#terminal length <length>
    Configures the terminal window height. Unit: line, range: 0-24.

ZXR10#line telnet dscp <dscp-value>
    Specifies the DSCP value of control plane packets for the IPv4/IPv6 Telnet server. Range: 0-63, default: 48.

ZXR10#telnet {<dest-address>[{[<source-address>],[<port-number>],[{vrf <vrf-name>| dcn}],[dscp <dscp-value>]}]|<domain-name>[{[<port-number>],[vrf <vrf-name>],[dscp <dscp-value>]}]}
    Enables this router to log in to an IPv4 Telnet server as a client. <domain-name>: domain name (Range: 1-128 characters).

ZXR10#telnet6 {<dest-address>[{[interface <interface-name>],[vrf <vrf-name>],[<port-number>],[dscp <dscp-value>]}]|<domain-name>[{[vrf <vrf-name>],[<port-number>],[dscp <dscp-value>]}]}
    Enables this router to log in to an IPv6 Telnet server as a client.

ZXR10(config)#line telnet server enable [listen {<23>|<49152-65535>}]
    Allows terminals to log in to this router in Telnet mode, and allows the specification of a port number.

3. (Optional) Run the telnet command on the ZXR10 ZSR V2 to log in to another device
through the local client.
For the format of the telnet command, refer to the following table:

Command
    Function

ZXR10#telnet {<dest-ipaddress>[vrf <vrf-name>][<source-ipaddress>][<port-number>]|<domain name>[vrf <vrf-name>][<port-number>]}
    Configures this router as a client to log in to another device. <port-number>: Transmission Control Protocol (TCP) port number (range: 0-65535).

4. Verify the configurations.

Command
    Function

ZXR10#show terminal
    Displays information on the current terminal.

ZXR10#show history
    Displays the last ten history commands.

ZXR10#show users
    Displays the login user information.

ZXR10#who
    Displays the login user information.

5. Maintain Telnet connections.

Command
    Function

ZXR10(config)#line telnet server disable
    Forbids terminals from logging in to this router in Telnet mode.

ZXR10#clear line vty <vty-number>
    Forces the vty user to log out. <vty-number>: specifies the terminal number (range: 0-14).

End of Steps

Example
The following provides a Telnet connection configuration example.


- Configuration Description
  It is required to connect a PC to R1 through Telnet, see Figure 1-3.

  Figure 1-3 Telnet Connection Configuration Example

- Configuration Flow
  1. Connect a PC to R1.
  2. Configure Telnet on R1.
  3. Configure an ACL on R1 to filter TCP connections.
- Configuration Commands
  Run the following commands on R1:
  R1(config)#line telnet idle-timeout 120
  R1(config)#line telnet absolute-timeout 1440
  R1(config)#line telnet access-class ipv4 wd
  R1(config)#ipv4-access-list wd
  R1(config-ipv4-acl)#rule permit tcp 169.1.108.82 0.0.0.0 any
  R1(config-ipv4-acl)#exit
- Configuration Verification
  If no ACL is configured, a PC whose IP address is in any network segment can be
  connected to R1.
  If an ACL is configured, only PCs whose IP addresses are in the Permit column of
  the ACL can be connected to R1.

1.4 Configuring SSH Connection


This procedure describes how to connect to the ZXR10 ZSR V2 through SSH.

Prerequisite
The local terminal can access the remote router network.

Context
Secure Shell (SSH) is defined by the IETF Network Working Group. It is a security protocol
established on the basis of the application layer and transport layer.
Traditional network service programs such as FTP, POP, and Telnet use clear text to
transfer data. Therefore, user names and passwords are vulnerable to man-in-the-middle
attacks. Compared with traditional network service programs, SSH is more reliable. It
provides security for remote login sessions and other network services, and has the
following advantages:

- The SSH protocol prevents information leakage in remote management processes.
- The SSH protocol encrypts all transferred data, and prevents DNS spoofing and IP
  spoofing.
- The SSH protocol transfers compressed data, accelerating transmission.
- The SSH protocol is usually used to replace Telnet, and provides a secure "channel"
  for FTP, POP, or even PPP.

Steps
1. Configure SSH.

Step: Command
    Function

Step 1: ZXR10(config)#ssh server enable [listen {<22>|<49152-65535>}]
    Enables the SSH server function, which is disabled by default. Allows the specification of a port number.

Step 2: ZXR10(config)#ssh server access-class {ipv4 | ipv6}<acl-name>
    Binds an ACL for SSH.

Step 3: ZXR10(config)#ssh server dscp <dscp-value>
    Specifies the DSCP value of control plane packets for the IPv4/IPv6 SSH server. Default: 48.

Step 4: ZXR10#ssh <dest-address> encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[{[<source-address>],[<port-number>],[vrf <vrf-name>],[dscp <dscp-value>]}]
    Enables this router to log in as a client to an IPv4 SSH server in SSH mode.

Step 5: ZXR10#ssh6 <dest-address> encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[{[<port-number>],[vrf <vrf-name>],[interface <interface-name>],[dscp <dscp-value>]}]
    Enables this router to log in as a client to an IPv6 SSH server in SSH mode.

2. Maintain SSH.

Command
    Function

ZXR10(config)#ssh server disable
    Disables the SSH server function.

3. Configure an SSH client.

The following uses PuTTY as an example to describe how to configure an SSH client.

a. Start Putty.exe on the SSH host. Type the IP address of the remote router
(such as 192.168.5.3) in the Host Name text box, see Figure 1-4.


Figure 1-4 PuTTY Configuration Dialog Box

b. Select 2 for the SSH version, see Figure 1-5.


Figure 1-5 PuTTY Configuration Dialog Box

c. Click Open. The Login dialog box is displayed. Enter the correct user name and
password to log in to the router, and then configure the router in the command line
window.
login as:zte
Further authentication required
zte@192.168.5.3's password:
************************************************************
Welcome to ZXR10 Intelligent Integrated Multi-Service Router
of ZTE Corporation
************************************************************

ZXR10#

4. Verify the configurations.

Command
    Description

ZXR10#show ssh
    Shows the configuration state of SSH.

End of Steps


Example
The following provides an SSH configuration example.
- Configuration Description
  It is required to connect a PC to R1 through SSH, see Figure 1-6.

  Figure 1-6 SSH Configuration Example

- Configuration Flow
  1. Connect a PC to R1.
  2. Configure SSH on R1.
  3. Configure an ACL on R1 to filter connections.
- Configuration Commands
  Run the following commands on R1:
  R1(config)#ssh server enable
  R1(config)#ssh server access-class ipv4 wd
  R1(config)#ipv4-access-list wd
  R1(config-ipv4-acl)#rule permit tcp 169.1.108.82 0.0.0.0 any
  R1(config-ipv4-acl)#exit
- Configuration Verification
  If no ACL is configured, a PC whose IP address is in any network segment can be
  connected to R1.
  If an ACL is configured, only PCs whose IP addresses are in the Permit column of
  the ACL can be connected to R1.

1.5 FTP Connection Configuration


1.5.1 Configuring the ZXR10 ZSR V2 as an FTP Server
This procedure describes how to configure the ZXR10 ZSR V2 as an FTP server.

Prerequisite
The local terminal can access the remote router network.

Steps
1. Enable the FTP server function.

Command
    Function

ZXR10(config)#ftp-server enable [listen <port-number>]
    Enables the FTP server function, and monitors the specified port. The port range is 21 or 2401-2420.

2. Configure other FTP attributes.

Command
    Function

ZXR10(config)#ftp-server top-directory <directory>[{read-only |{[read-write],[copy]}}]
    Sets the top-level directory that the FTP server allows users to access through FTP. By default, the directory is /datadisk0/.

ZXR10(config)#ftp-server access-class [ipv6]<acl-name>
    Binds an ACL to the FTP server.

ZXR10(config)#ftp-server max-login <max-number>
    Configures the maximum number of online users of the FTP server.

For how to configure an FTP server user name and password, refer to Chapter 4 User
Management.
3. Verify the configurations.

Command: ZXR10#show ftp-server
Function: Shows the configuration information on the FTP server.

4. Maintain the FTP Server.

Command: ZXR10(config)#ftp-server kick-user <user-id>
Function: Disconnects a currently online user. The parameter value is an online user ID.

End of Steps

Example
The following gives an FTP server configuration example.

- Configuration Description

As shown in Figure 1-7, ZXR10 ZSR V2 is connected to a PC and operates as an FTP
server. The PC functions as an FTP client that uploads and downloads files.

Figure 1-7 FTP Server Configuration Example

- Configuration Flow
1. Enable the FTP server function and listening port 21 of the ZXR10 ZSR V2.
2. Set the FTP server root directory to /datadisk0/LOG/.
3. Set both the FTP server user name and password to zte.
4. Upload and download files through the FTP server to verify the FTP server
function.
- Configuration Commands

The configuration flow on the ZXR10 ZSR V2 is shown below. For how to configure
an FTP server user name and password, refer to Chapter 4 User Management.

R1#configure terminal
Enter configuration commands, one per line.End with CTRL/Z.
R1(config)#ftp-server enable
R1(config)#ftp-server top-directory /datadisk0/LOG/

1.5.2 Configuring the ZXR10 ZSR V2 as an FTP Client


This procedure describes how to configure the ZXR10 ZSR V2 as an FTP client.

Prerequisite
The ZXR10 ZSR V2 can access the FTP server network.

Steps
1. Configure and start an FTP server.

The following takes the WFTPD FTP server software as an example to describe how
to configure an FTP server.

a. Run wftpd32.exe. The WFTPD window is displayed, see Figure 1-8.

Figure 1-8 WFTPD Window

b. Select Security > User/Rights. The User/Rights Security dialog box is
displayed, see Figure 1-9.

Figure 1-9 User/Rights Security Dialog Box

c. Perform the following steps in the User/Rights Security dialog box.
i. Click New User to create a new user such as target, and set a password.

ii. Select target from the User Name drop-down list.

iii. Type a directory such as D:\IMG in the Home Directory text box for saving
version files or configuration files. After the configuration is completed, the
user name and home directory are displayed in the User/Rights Security
dialog box, see Figure 1-10.

Figure 1-10 User/Rights Security Dialog Box

d. Click Done in Figure 1-10 to start the FTP server.

2. Upload and download a file through the router, which acts as an FTP client.

Command: ZXR10#ftp-client source-ip {ipv4 <ipv4-address>| ipv6 <ipv6-address>[interface <interface-name>]}
Function: Configures the source address for copying files when the ZXR10 ZSR V2
functions as an FTP client.

Command: ZXR10#copy ftp [vrf <vrf-name>] //HOST/filename@username:password root: filename or directory&filename [<listen_port>][ipaddr][interface <interface-name>]
Function: Downloads a file from an FTP server to the local client.

Command: ZXR10#copy ftp [vrf <vrf-name>] root: filename or directory&filename //HOST/filename@username:password [<listen_port>][ipaddr][interface <interface-name>]
Function: Uploads a local file to an FTP server.

End of Steps

Example
The following example describes how to download or upload a file when the ZXR10 ZSR
V2 functions as an FTP client.

A user whose user name is who and password is who uploads the startrun.dat file
from the /sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the FTP server
whose IP address is 192.168.109.6.
ZXR10#copy ftp root:/sysdisk0/DATA0/startrun.dat //192.168.109.6/startrun1.dat@who:who
Start copying file

Put file successfully!sent 3492803 bytes!!


A user whose user name is who and password is who downloads the startrun.dat file
from the FTP server whose IP address is 192.168.109.6, and renames the file as
startrun.bak.
ZXR10#copy ftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak
Start copying file

Got file successfully!Received 3492803 bytes!!

1.6 Configuring TFTP Connection


By means of TFTP, router version files and configuration files can be backed up and
restored.

Prerequisite
The ZXR10 ZSR V2 can access the TFTP server network as a TFTP client.

Steps
1. Configure and start a TFTP server.
The following takes the TFTP server software tftpd as an example to describe how to
configure a TFTP server.
a. Run tftpd.exe. The TFTP server window is displayed, see Figure 1-11.

Figure 1-11 TFTP Server Window

b. Select Tftpd > Configure. The Tftpd Settings dialog box is displayed. Click
Browse in the dialog box, and select a directory (such as the IMG directory on
Disk D) to save version files or configuration files, see Figure 1-12.


Figure 1-12 Tftpd Settings Dialog Box

c. Click OK to complete the setting.

2. Upload and download a file through the TFTP client.

Command: ZXR10#copy tftp [ipv6][vrf <vrf-name>] //HOST/filename root: filename or directory [<listen_port>]
Function: Downloads a file from a TFTP server to the local router.

Command: ZXR10#copy tftp [ipv6][vrf <vrf-name>] root: filename or directory //HOST/filename [<listen_port>]
Function: Uploads a file from the local router to a TFTP server.

End of Steps

Example
The following example describes how to upload the startrun.dat file from the
datadisk0 directory of the ZXR10 ZSR V2 file system to the TFTP server whose IP
address is 192.168.4.244.

ZXR10#copy tftp root: /datadisk0/startrun.dat //192.168.4.244/startrun.dat


Starting copying file
.
File copying successfully.

The following example describes how to download the file startrun.dat from the TFTP
server whose IP address is 192.168.4.244, and to rename the file as startrun.bak.

ZXR10#copy tftp //192.168.4.244/startrun.dat root: /datadisk0/startrun.bak


Starting copying file
.
File copying successfully.


1.7 SFTP Connection Configuration


1.7.1 Configuring the ZXR10 ZSR V2 as an SFTP Server
This procedure describes how to configure the ZXR10 ZSR V2 as an SFTP server.

Prerequisite
The local terminal can access the remote router network.

Steps
1. Configure an SFTP server.

Command: ZXR10(config)#sftp-server top-directory <directory>
Function: Sets the top-level directory that the SFTP server allows users to access.

For how to configure a login user name and password of an SFTP server, refer to
Chapter 4 User Management.
2. Verify the configurations.

Command: ZXR10#show sftp-server
Function: Displays configuration information on the SFTP server.

End of Steps

Example
The following gives an example of how to configure an SFTP server.
- Configuration Description
When the ZXR10 ZSR V2 functions as an SFTP server, the client can be a PC or
another type of device that supports the SFTP client function. Two ZXR10 ZSR V2s
are connected, one functioning as an SFTP server, the other as an SFTP client that
downloads files from the server, see Figure 1-13.

Figure 1-13 SFTP Server Configuration Example

- Configuration Flow
1. On the SFTP server, enable the SSH function, and configure a listening port.
2. On the SFTP server, set the root directory of SFTP to /datadisk0/BAK/.
3. On the SFTP server, configure the zte user name and password.
4. Download a file from the SFTP server to verify the SFTP server function.
- Configuration Commands

Run the following commands on the ZXR10 ZSR V2. For how to configure a user
name and password, refer to Chapter 4 User Management.

/*The configuration commands on the SFTP server are as follows:*/


R1#configure terminal
R1(config)#ssh server enable listen 49152
R1(config)#sftp-server top-directory /datadisk0/BAK/

R1#dir BAK
Directory of MPFU-8/0: /datadisk0/BAK
897636 KB total (892760 KB free)

attribute size date time name


1 <DIR> 160 01-15-2014 08:43 .
2 <DIR> 160 01-15-2014 08:43 ..
3 ---- 615 01-15-2014 15:08 0130.txt

/*Downloads a file from the SFTP client.*/


R2#copy sftp vrf mng //169.1.219.14/0130.txt@zte:zte root: /datadisk0/0130.txt encrypt 3des compress zlib mac md5 49152
Start copying file
.
Got file successfully!

1.7.2 Configuring the ZXR10 ZSR V2 as an SFTP Client


This procedure describes how to configure the ZXR10 ZSR V2 as an SFTP client.

Prerequisite
The ZXR10 ZSR V2 can access the SFTP server network.

Steps
1. Configure an SFTP server.

Start the SFTP server software. Functioning as a client, the ZXR10 ZSR V2
communicates with the SFTP server.

2. Upload or download a file through the ZXR10 ZSR V2.

Command: ZXR10#copy sftp [vrf <vrf-name>] //HOST/filename@username:password root: filename or directory&filename encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[<listen_port>][ipaddr][interface <interface-name>]
Function: Downloads a file from the SFTP server to the local SFTP client.

Command: ZXR10#copy sftp [vrf <vrf-name>] root: filename or directory&filename //HOST/filename@username:password encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[<listen_port>][ipaddr][interface <interface-name>]
Function: Uploads a file from the local SFTP client to the SFTP server.

End of Steps

Example
A user whose user name is who and password is who uploads the startrun.dat file
in the /sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the SFTP server
whose IP address is 192.168.109.6. The encryption algorithm is aes128, compression
algorithm is zlib, and MAC check method is sha1.

ZXR10#copy sftp root:/sysdisk0/DATA0/startrun.dat //192.168.109.6/startrun1.dat@who:who encrypt aes128 compress zlib mac sha1
Start copying file
...
Put file successfully!

A user whose user name is who and password is who downloads the startrun.dat
file from the SFTP server whose IP address is 192.168.109.6, and renames the file as
startrun.bak. The encryption algorithm is aes128, compression algorithm is zlib, and
MAC check method is sha1.

ZXR10#copy sftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak encrypt aes128 compress zlib mac sha1
Start copying file
...
Got file successfully!
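
The transfer examples in sections 1.5 to 1.7 put the password on the command line and, for SFTP, let the operator choose the cipher and MAC. The following check is an added example, not part of the ZTE guide: it parses copy commands in the syntax shown above, flags the weaker choices, and masks the password. The function and finding names are this example's own, and the sample lines are the guide's example commands joined onto one line.

```python
import re
from dataclasses import dataclass, field

# "copy ftp|tftp|sftp ..." as laid out in the command tables above.
COPY_RE = re.compile(r"\bcopy\s+(?P<proto>ftp|tftp|sftp)\b(?P<rest>.*)$", re.IGNORECASE)
# Remote operand: //HOST/filename, optionally followed by @username:password.
REMOTE_RE = re.compile(
    r"//(?P<host>[^/\s]+)/(?P<path>[^\s@]*)"
    r"(?:@(?P<user>[^:\s]+):(?P<password>\S+))?"
)
OPTION_RE = re.compile(r"\b(?P<key>encrypt|mac)\s+(?P<value>\S+)", re.IGNORECASE)

CIPHER_FINDINGS = {"none": "NO_ENCRYPTION", "3des": "WEAK_CIPHER", "blowfish": "WEAK_CIPHER"}
MAC_FINDINGS = {"none": "NO_INTEGRITY", "md5": "WEAK_MAC"}
CONFIG_FILE = "startrun.dat"  # the saved configuration file named in this guide

EXPLAIN = {
    "CLEARTEXT_PROTOCOL": "FTP sends the user name, password and file unencrypted",
    "UNAUTHENTICATED_PROTOCOL": "TFTP has no authentication and no encryption",
    "CONFIG_FILE_IN_CLEAR": "configuration file crosses the network unencrypted",
    "NO_ENCRYPTION": "SFTP session requested with encrypt none",
    "WEAK_CIPHER": "3des and blowfish are 64-bit block ciphers; aes128 is offered",
    "NO_INTEGRITY": "SFTP session requested with mac none",
    "WEAK_MAC": "MD5-based MAC; sha1 is the stronger option offered",
    "INLINE_PASSWORD": "password typed on the command line",
    "PASSWORD_EQUALS_USERNAME": "password is identical to the user name",
}


@dataclass
class CopyAudit:
    protocol: str
    host: str
    redacted: str
    findings: list = field(default_factory=list)


def audit_line(line):
    """Return a CopyAudit for one CLI line, or None if it is not a copy command."""
    line = line.rstrip()
    match = COPY_RE.search(line)
    if match is None:
        return None
    proto = match.group("proto").lower()
    rest = match.group("rest")
    remote = REMOTE_RE.search(rest)
    findings = []

    if proto == "ftp":
        findings.append("CLEARTEXT_PROTOCOL")
    elif proto == "tftp":
        findings.append("UNAUTHENTICATED_PROTOCOL")
    if proto in ("ftp", "tftp") and CONFIG_FILE in rest.lower():
        findings.append("CONFIG_FILE_IN_CLEAR")

    if proto == "sftp":
        options = {o.group("key").lower(): o.group("value").lower()
                   for o in OPTION_RE.finditer(rest)}
        if options.get("encrypt") in CIPHER_FINDINGS:
            findings.append(CIPHER_FINDINGS[options["encrypt"]])
        if options.get("mac") in MAC_FINDINGS:
            findings.append(MAC_FINDINGS[options["mac"]])

    redacted = line
    if remote is not None and remote.group("password"):
        findings.append("INLINE_PASSWORD")
        if remote.group("password") == remote.group("user"):
            findings.append("PASSWORD_EQUALS_USERNAME")
        # Mask only the password so the line can be kept in tickets or reports.
        start, end = remote.span("password")
        offset = match.start("rest")
        redacted = line[:offset + start] + "****" + line[offset + end:]

    host = remote.group("host") if remote is not None else ""
    return CopyAudit(proto, host, redacted, findings)


def audit_lines(lines):
    """Audit every copy command in an iterable of CLI lines."""
    return [a for a in map(audit_line, lines) if a is not None]


# The guide's own example commands, each joined onto one line.
SAMPLE_LINES = [
    "ZXR10#copy ftp root:/sysdisk0/DATA0/startrun.dat //192.168.109.6/startrun1.dat@who:who",
    "ZXR10#copy tftp root: /datadisk0/startrun.dat //192.168.4.244/startrun.dat",
    "R2#copy sftp vrf mng //169.1.219.14/0130.txt@zte:zte root: /datadisk0/0130.txt "
    "encrypt 3des compress zlib mac md5 49152",
    "ZXR10#copy sftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak "
    "encrypt aes128 compress zlib mac sha1",
    "ZXR10#show ftp-server",
]

if __name__ == "__main__":
    for audit in audit_lines(SAMPLE_LINES):
        print(audit.redacted)
        for code in audit.findings:
            print(f"  {code}: {EXPLAIN[code]}")
```
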



Chapter 2
File System Management
Table of Contents
File System Overview
Configuring File System Management
File System Management Configuration Examples

2.1 File System Overview


The file system consists of a Flash, a BOOT and an NVRAM. In addition, there are two
USB interfaces on the front panel of the Main Processing Unit (MPFU), which can be used
to back up or add configuration files, version files, and log files quickly and conveniently.

Flash
The Flash stores version files, data files, system breakdown files, and operation logs. It has
two partitions, which are mapped to the /sysdisk0 and /datadisk0 folders under the
root directory of the Linux system respectively.
- /sysdisk0 partition: This is the system partition that stores version files, important
log files, and data files. Users have the read permission, but do not have the write
permission. Users cannot delete or rename files, but can view files by running the
more command. The /sysdisk0 partition does not support the format operation.

/sysdisk0/DATA0: stores the startrun.dat text configuration file. The startrun.dat
file is a configuration file in command line form, which is saved when
the write command is run. When loading is performed, the system reads the
startrun.dat file from the /sysdisk0/DATA0 folder, and loads configurations
in command line form. To upgrade the system, the startrun download command
can be executed to load configuration from the local device or from the network.

System breakdown files and exception log files: system breakdown files include
the Exc_Omp.txt and Exc_pp.txt files in the /sysdisk0/run_log directory
and the files in the /sysdisk0/run_log/EXCINFO directory.

- /datadisk0 partition: This is the data partition that stores log files and data files
relevant to users' routine operations and maintenance as well as data files stored by
users as needed. Users have read and write permissions.
Service and alarm log files are stored in the /datadisk0/LOG directory, but the
command log file (that is, the cmdlog file) is stored in the /sysdisk0/usrcmd_log/
directory.


BOOT
The BOOT is used to save the OSIMAGE file for initializing boards and booting MPUs.

NVRAM
The NVRAM is used to save booting information, including the IP address of the device
management port, IP address of an FTP server, and configuration loading mode.

2.2 Configuring File System Management


This procedure describes how to manage files and directories, format the hard disk user
partition, and save configuration information on the ZXR10 ZSR V2.

Steps
- Manage files and directories.

Command: ZXR10#dir [<filename-or-directory>|[<cpu-name>]]
Function: Displays a file information list:
  - If no parameter is entered, the information list of the files under the
    current directory is displayed.
  - If parameters are entered, the information list of the files under the
    specified directory or the specified file is displayed.

Command: ZXR10#pwd
Function: Displays the current file path of this terminal.

Command: ZXR10#cd <directory>[<cpu-name>]
Function: Switches to another file directory.

Command: ZXR10#mkdir <directory>[<cpu-name>]
Function: Creates a directory. If the directory already exists, an error prompt is returned.

Command: ZXR10#rmdir <directory>[<cpu-name>]
Function: Deletes the specified directory. If there is a file in this directory, the deletion fails.

Command: ZXR10#delete <filename>[<cpu-name>]
Function: Deletes the specified file.

Command: ZXR10#cp <source-file>[<cpu-name>]<destination-file>[<cpu-name>]
Function: Copies a file from a source directory to a destination directory.

Command: ZXR10#more <filename>[<cpu-name>][|{begin | exclude | include}<line>]
Function: Displays the content of the specified file. "|" is the output flag.

<filename-or-directory>: file name (range: 1-79 characters), path/file name (range:
1-159 characters), directory name (range: 1-79 characters), or path/directory name
(range: 1-159 characters).

<cpu-name>: CPU name, default: the current board, format: [MPFU-<slot>/<cpu>].
"<slot>" and "<cpu>" are the slot number and CPU number respectively.

<directory>: directory name (range: 1-79 characters) or path/directory name (range:
1-159 characters).
<filename>: file name (range: 1-79 characters) or path/file name (range: 1-159
characters)
<source-file>: source file name (range: 1-79 characters) or path/file name (range:
1-159 characters)
<destination-file>: destination file name (range: 1-79 characters) or path/file name
(range: 1-159 characters)
{begin | exclude | include}<line>: regular expression.
  - begin: displays the configurations that start with the input character string.
  - include: displays the configurations that include the character string.
  - exclude: displays the configurations that do not include the character string.
  - <line>: configures the filtering character string.
- Modify the configuration loading mode when the ZXR10 ZSR V2 starts up.

Command: ZXR10(config)#load-mode null
Function: Configures the power-on loading mode to start without a load.

- Save configurations.

Command: ZXR10#write
Function: Configures the information save mode.

End of Steps

2.3 File System Management Configuration Examples


2.3.1 File System Configuration Example
Enter the datadisk0 directory, as shown below.
ZXR10#cd /datadisk0

Display the current path, as shown below.


ZXR10#pwd
MPFU-8/0: /datadisk0

List files in the current directory, as shown below.


ZXR10#dir
Directory of MPFU-8/0: /datadisk0
897636 KB total (892760 KB free)

attribute size date time name
1 <DIR> 424 01-15-2014 08:43 .
2 <DIR> 424 01-15-2014 08:43 ..
3 <DIR> 160 01-15-2014 08:43 BAK
4 <DIR> 416 01-02-2014 07:03 LOG
5 <DIR> 160 01-02-2014 07:03 license
ZXR10#

Delete files in the directory, as shown below.


ZXR10#delete /datadisk0/techspt/techspt_cpu-info.txt
Are you sure to delete file(s)?[yes/no]:y
Delete file(s) successfully.

Delete the techspt_cpu-info.txt file in the /datadisk0/techspt directory, as shown
below.
ZXR10#delete techspt_cpu-info.txt
Are you sure to delete file(s)?[yes/no]:y
Delete file(s) successfully.

Rename test to test_new, as shown below.


ZXR10#rename test test_new
Rename successfully.

2.3.2 Configuration Example of Backing Up a Configuration File on a USB Flash Drive
1. Insert a USB flash drive into a USB interface on the MPU. Then, the system
automatically mounts the USB flash drive. Run the show filesystem command to
view the USB path.
ZXR10#show filesystem
MPFU-8/0:
/sysdisk0
/datadisk0
/usb1:1
2. View files in the USB flash drive.
ZXR10#dir /usb1:1
Directory of MPFU-8/0: /usb1:1
3739652 KB total (3482228 KB free)

attribute size date time name


1 <DIR> 4096 07-25-2012 19:20 .
2 <DIR> 4096 07-25-2012 19:20 ..
3 ---- 261304 07-23-2012 14:56 techspt_basic-info.txt
4 <DIR> 4096 07-25-2012 19:39 1
3. Run the cp command to copy the startrun.dat configuration file to the USB flash
drive.
ZXR10#cp /sysdisk0/DATA0/startrun.dat /usb1:1/startrun.dat

Copy file successfully.


4. After the backup is completed, run the umount command, and then remove the USB
flash drive.
ZXR10#umount usb1
MPFU-8/0: usb1 unmounted successfully!



Chapter 3
MIM Configuration
Table of Contents
MIM Overview
Configuring MIM

3.1 MIM Overview


The Management Information Model (MIM) refers to storing configuration data according
to an information model established for service configuration data, checking object
operations according to the model definition, and performing object operations to modify
configuration data. The MIM subsystem meets the unified requirements for configuration
terminal command processing interfaces, such as commit, rollback, and CLI/SNMP.
As more and more configuration terminals come into being, the configuration modification
of each Application (APP) needs to support multiple types of configuration terminals.
Before the MIM channel is used, an APP has a dedicated configuration processing flow
for each type of configuration terminal. As shown in Figure 3-1, MIM is an extension
of the existing OAM configuration command processing function. First, various types
of configuration commands modify MIM data, and then MIM sends configuration
modification commands to the APP, which does not need to know the types of
configuration terminals that the configuration commands come from, but only needs to
provide a program for processing MIM object operations.

Figure 3-1 MIM Application

3.2 Configuring MIM


This procedure describes how to configure the MIM function on the ZXR10 ZSR V2.


Steps
1. Configure MIM.

Command: ZXR10#configure exclusive
Function: Configures the exclusive function.

Command: ZXR10#commit-mode {automatic | manual}
Function: Sets the commit mode (automatic-commit mode or manual-commit mode) for
configuration commands. Default: automatic-commit.

Command: ZXR10#commit
Function: Commits the configuration.

Command: ZXR10#rollback
Function: Rolls back a configuration that has not been committed or has failed to be committed.

Note:
If a terminal is configured with the manual-commit mode and has configurations that
have not been committed, normal configuration of other terminals may be affected.

2. Verify configurations.

Command: ZXR10#show commit-mode
Function: Displays the commit mode.

Command: ZXR10#show uncommitted-command
Function: Displays all the uncommitted commands of the current configuration terminal.

Command: ZXR10#show commit-failed
Function: Displays the configuration commands that the current terminal has failed to
commit in manual-commit mode.

Command: ZXR10#show configure exclusive
Function: Displays exclusive information.

End of Steps

Example
The following provides a MIM configuration example.
- Configuration Description
Enter a batch of configuration commands by running a script. Take care to avoid
configuration collision.

- Configuration Flow
1. Configure the exclusive function to avoid collision.
2. Change the command commit mode to the manual mode.
3. Enter configuration commands by running a script.
4. Commit the commands.
- Configuration Commands
ZXR10#configure exclusive
ZXR10#conf t
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#mu c

%Info 140359: Allow others to configure, must avoid conflict.


ZXR10(config)#commit-mode manual

/*Enters configuration commands by running a script. The process is omitted.*/


ZXR10(config)#commit
- Configuration Verification
Check whether all the commands have been committed and become effective by
running the show command.



Chapter 4
User Management
Table of Contents
User Management Overview
Configuring User Management
User Management Configuration Examples

4.1 User Management Overview


To maintain and manage the ZXR10 ZSR V2, users need to log in to it in SSH, Telnet,
or FTP mode. User management implements the configuration, authentication, and
authorization of users who have logged in to the ZXR10 ZSR V2.
The user-name command is used to configure or delete users. By running the user-name
command, you can configure user names and passwords (clear text passwords of 3-32
bits long or cipher text passwords of 64 bits long).
By configuring functions related to Authentication, Authorization and Accounting (AAA),
user management provides user authentication and authorization in the following modes:
- None-authentication and none-authorization
- Local authentication and authorization
- Remote Authentication Dial In User Service (RADIUS) authentication and
  authorization
- Terminal Access Controller Access-Control System Plus (TACACS+) authentication
  and authorization
- RADIUS hybrid authentication and authorization
- TACACS+ hybrid authentication and authorization
When a user logs in to the ZXR10 ZSR V2 through SSH, Telnet, or FTP, user management
queries the authentication template corresponding to the user to obtain the authentication
mode, and authenticates the user. If the authentication is passed, the user is authorized.
If the authentication fails, user management returns failure information.
After the user passes the authentication, user management authorizes the user. After
the user successfully logs in and is authorized, user management displays a command
view according to the user's privilege level. Therefore, the user cannot view or run
commands with privilege levels higher than the user's privilege level, but can view and
run commands with privilege levels lower than and equal to the user's privilege level. The
local-privilege-level command is used to set user privilege levels, which range from
level 0 (the lowest level) to level 15 (the highest level), and are level 0 by default.


4.2 Configuring User Management


This procedure describes how to configure user management functions.

Steps
1. Enter ADM_MGR configuration mode, and configure user management parameters.

Step 1
Command: ZXR10(config)#system-user
Function: Enters user management configuration mode.

Step 2
Command: ZXR10(config-system-user)#default-privilege-level <0-15>
Function: Configures the default privilege level.

Step 3
Command: ZXR10(config-system-user)#strong-password length <length> character {[capital][lowercase][number][special-character]}
Function: Configures a strong password. Range: 6-32 characters. A password needs to
contain any one type or several types of the following characters: uppercase letters,
lowercase letters, numbers, and special characters.

Step 4
Command: ZXR10(config-system-user)#user-authen-restriction fail-time <times> lock-minute <time>
Function: Locks the user after user authentication has failed consecutively. Range of
the number of failure times: 3-6, range of locking time period: 1-1440 min.

Step 5
Command: ZXR10(config-system-user)#global-enable-type {aaa|local} authentication-template <1-128>
Function: Configures the global-enable mode for users.

Step 6
Command: ZXR10(config-system-user)#account-switch {off | on accounting-template <2001-2128>}
Function: Configures the global accounting mode.

Step 7
Command: ZXR10(config-system-user)#user-default
Function: Enters the default user configuration mode.

Step 8
Command: ZXR10(config-system-user)#user-group special <usergroup-name><username>{<password>| encrypted <password>}
Function: Configures user group information.

Step 9
Command: ZXR10(config-system-user)#login ascii authentication-template <1-128> authortication-template<1-128>
Function: Configures the ASCII authentication template.

2. Configure an authentication template.

Step 1
Command: ZXR10(config)#aaa-authentication-template <1-2128>
Function: Configures an AAA authentication template, and enters the configuration mode
of this template.

Step 2
Command: ZXR10(config-aaa-authen-template)#aaa-authentication-type {none | local | radius | local-radius | radius-local | radius-none | local-tacacs | tacacs | tacacs-local | tacac-none| diameter}
Function: Configures an authentication type under the AAA authentication template.

Step 3
Command: ZXR10(config)#system-user
Function: Enters user management configuration mode.

Step 4
Command: ZXR10(config-system-user)#authentication-template <1-128>
Function: Configures a user management authentication template, and enters the
configuration mode of this template.

Step 5
Command: ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template <2001-2128>
Function: Binds an AAA authentication template in the configuration mode of the user
management authentication template.

Step 6
Command: ZXR10(config-system-user-authen-temp)#bind access-list ipv4/ipv6 <acl-name>
Function: Binds an ACL template in the configuration mode of the user management
authentication template.

Step 7
Command: ZXR10(config-system-user-authen-temp)#description <description>
Function: Adds description information on the user management authentication template
in the configuration mode of the user management authentication template.

3. Configure an authorization template.

Step 1
Command: ZXR10(config)#aaa-authorization-template <1-2128>
Function: Configures an AAA authorization template, and enters the configuration mode
of this template.

Step 2
Command: ZXR10(config-aaa-author-template)#aaa-authorization-type {none | local-radius | local-tacacs | local | radius | tacacs | tacacs-local | radius-local }
Function: Configures an authorization type under the AAA authorization template.

Step 3
Command: ZXR10(config)#system-user
Function: Enters user management configuration mode.

Step 4
Command: ZXR10(config-system-user)#authorization-template <1-128>
Function: Configures a user management authorization template, and enters the
configuration mode of this template.

Step 5
Command: ZXR10(config-system-user-author-temp)#bind aaa-authorization-template <2001-2128>
Function: Binds an AAA authorization template in the configuration mode of the user
management authorization template.

Step 6
Command: ZXR10(config-system-user-author-temp)#local-privilege-level <0-15>
Function: Configures a local authorization level in the configuration mode of the user
management authorization template.

Step 7
Command: ZXR10(config-system-user-author-temp)#description <description>
Function: Adds description information on the user management authorization template
in the configuration mode of the user management authorization template.

Step 8
Command: ZXR10(config-system-user-author-temp)#local-cmdgroup <group>
Function: Binds a local command group to the authorization template.

Step 9
Command: ZXR10(config-system-user-author-temp)#local-cmdgroup-mode exclusive
Function: Defines the command group use mode as exclusive mode. Default: appending mode.

Step 10
Command: ZXR10(config-system-user-author-temp)#log file-allowed {cmd-log | alarm-log | nat-log | li-log | service-log}[{read-only | none |read-write|copy}]
Function: Configures the types of logs that the authorization template is allowed to
access and access privileges.

Step 11
Command: ZXR10(config-system-user-author-temp)#ftp top-directory <directory>[{read-only |read-write|copy}]
Function: Configures the top directory that the authorization template is allowed to
access through FTP and access privileges.

Step 12
Command: ZXR10(config-system-user-author-temp)#sftp top-directory <directory>{read-only |read-write|copy}
Function: Configures the top directory that the authorization template is allowed to
access through SFTP and access privileges.


4. Create a user, and bind an authentication template and authorization template.

Step 1
Command: ZXR10(config-system-user)#user-name <name>
Function: Configures a user name, and enters user name configuration mode.

Step 2
Command: ZXR10(config-system-user-username)#bind authentication-template <1-128>
Function: Binds a user management authentication template.

Step 3
Command: ZXR10(config-system-user-username)#bind authorization-template <1-128>
Function: Binds a user management authorization template.

Step 4
Command: ZXR10(config-system-user-username)#password {<pwd>|encrypted <pwd>}
Function: Configures a password.

Step 5
Command: ZXR10(config-system-user-username)#password-recover-remind
Function: Configures information for password recovery.

Step 6
Command: ZXR10(config-system-user-username)#password-duration <days>
Function: Configures a password validity period. A value of 0 means the password never
expires. Range: 90-360 days.

Step 7
Command: ZXR10(config-system-user-username)#once-password
Function: Configures a rule that a password should be changed at the first login.

5. Configure other parameters in global mode.

Command:  ZXR10(config)#enable secret level <1-18>{0 <unencrypted-password>| 5 <encrypted-password>|<unencrypted-password>}
Function: Sets passwords of all login privilege levels.

Command:  ZXR10(config)#login block <block-seconds> attempts <tries> within <seconds>
Function: Configures and activates the remote login anti-attack monitoring function.

Command:  ZXR10(config)#login quiet-mode < ipv4-access-list | ipv6-access-list ><access-list-name>
Function: Configures an ACL for the quiet period.

Command:  ZXR10(config)#login on-failure alarm [every <failure-tries>]
Function: Configures generating log information or Trap information when failed login attempts exist.

6. Verify the configurations.

Command:  ZXR10#show running-config adm-mgr [all]
Function: Displays user management configurations.

Command:  ZXR10#show user-group [special <usergroup-name>]
Function: Displays configured user group information.

Command:  ZXR10#show authen-restriction userinfo
Function: Displays information on locked users and users who have failed authentication. The information includes user names, numbers of authentication failure times, status (locked or not locked), and remnant locking time.

Command:  ZXR10#show login
Function: Displays configurations of the anti-attack monitoring function.

Command:  ZXR10#show login state [{[telnet]|[ssh]|[ftp]}]
Function: Displays the status of the anti-attack monitoring function and its statistical information.

Command:  ZXR10#show login failure [{[telnet]|[ssh]|[ftp]}]
Function: Displays information on failed login attempts of the anti-attack monitoring function.

End of Steps

Example
The user-password recover-remind command that is used to configure user password
recovery reminders is an interactive command. The following provides examples of this
command.

eg1:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:***
ZXR10(config-system-user)#

eg2:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
%Error 59958: Password is wrong!
ZXR10(config-system-user)#

eg3:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:question is 012345678901234567890124567890123456789
%Error 59959: Question has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#

eg4:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:zte 01234567890123456789012345678901234567890123456
%Error 59960: Answer has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#

Descriptions of the command output:

Output:      password is:
Description: Requires the input of the password corresponding to the user name. A clear text password consists of 3-32 characters, and is displayed as ***. If the password is correct, continues to run the command. If the password is incorrect, displays an error, and ends the command.

Output:      question:
Description: Requires the input of a prompt question for password recovery. The question can consist of a maximum of 50 characters including spaces, but cannot exclusively consist of spaces or include any question mark. If the question has more than 50 characters, displays an error prompt. If the question is normal, continues to run the command.

Output:      answer:
Description: Requires the input of an answer for password recovery. The answer can consist of a maximum of 50 characters including spaces, but cannot exclusively consist of spaces or include any question mark. If the answer has more than 50 characters, displays an error prompt. If the answer is normal, continues to run the command.

4.3 User Management Configuration Examples


4.3.1 Local Authentication and Authorization User Configuration Example
Configuration Description
As shown in Figure 4-1, a user logs in to the router from a PC through a serial port or Telnet,
enters configuration mode, and creates a user who uses local authentication mode.

Figure 4-1 Local Authentication and Authorization Configuration

Configuration Flow
1. Configure an authentication template.
2. Configure an authorization template.
3. Create a user, bind authentication and authorization templates.

Configuration Command
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit

R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type local
R1(config-aaa-author-template)#exit

R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit

R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit

R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit

4.3.2 RADIUS-LOCAL Authentication and Authorization User Configuration Example
Configuration Description
As shown in Figure 4-2, a user logs in to the router from a PC through a serial port or Telnet,
enters configuration mode, and creates a user who uses RADIUS-local authentication mode.

Figure 4-2 RADIUS-LOCAL Authentication and Authorization User Configuration

Configuration Flow
1. Configure a RADIUS group.
2. Configure an authentication template.
3. Configure an authorization template.
4. Create a user, bind authentication and authorization templates.

Configuration Command
/*This configures radius*/
R1(config)#radius authentication-group 1
R1(config-authgrp-1)#server 1 10.1.1.1 master key zte
R1(config-authgrp-1)#nas-ip-address 10.1.1.100
R1(config-authgrp-1)#algorithm round-robin
R1(config-authgrp-1)#max-retries 3
R1(config-authgrp-1)#timeout 30
R1(config-authgrp-1)#deadtime 0
R1(config-authgrp-1)#exit

/*This configures authentication template.*/


R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type radius-local
R1(config-aaa-authen-template)#authentication-radius-group 1
R1(config-aaa-authen-template)#exit

/*This configures authorization template.*/


R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type radius-local
R1(config-aaa-author-template)#authorization-radius-group 1
R1(config-aaa-author-template)#exit

R1(config)#system-user
/*This binds authentication template.*/
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit

/*This binds authorization template.*/
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit

/*This creates user.*/


R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit

4.3.3 TACACS+ Authentication and Authorization User Configuration Example
Configuration Description
As shown in Figure 4-3, a user logs in to the router from a PC through a serial port or Telnet,
enters configuration mode, and creates a user who uses TACACS+ authentication mode.

Figure 4-3 TACACS+ Authentication and Authorization User Configuration

Configuration Flow
1. Configure a TACACS+
2. Configure an authentication template.
3. Configure an authorization template.
4. Create a user, bind authentication and authorization templates.

Configuration Command
R1(config)#tacacs enable
R1(config)#tacacs-server host 10.1.1.1 key zte
R1(config)#tacplus group-server ztegroup
R1(config-sg)#server 10.1.1.1
R1(config-sg)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type tacacs
R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup
R1(config-aaa-authen-template)#exit

R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type tacacs
R1(config-aaa-author-template)#authorization-tacacs-group ztegroup
R1(config-aaa-author-template)#exit

R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit

R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit

R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit

4.3.4 Configuring a Password Prompt Question for Resetting a Password
Configuration Description
As shown in Figure 4-4, a user logs in to the ZXR10 ZSR V2 from a PC through a serial
port or Telnet. The user enters configuration mode to create an authentication user. Users
of any authentication mode can configure password recovery information, but password
recovery only takes effect for locally authenticated users.

Figure 4-4 Configuring a Password Prompt Question for Resetting a Password

Configuration Flow
1. Configure an authentication template.
2. Configure an authorization template.
3. Create a user.
4. Configure a password prompt question and an answer.
5. Log in for password recovery.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit

R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit

R1(config-system-user)#user-name who
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password who
R1(config-system-user-username)#password-recover-remind
password is:***
question: who are you
answer:who
R1(config-system-user-username)#

/*Log in to the R1 through Telnet. Use the password prompt
question to reset the password.*/

R1#login
Username:recover-user who
question: who are you
answer: /*The input answer is not displayed.*/
Please input your new password:
Re-enter New password:
The password has been changed successfully,
please remember your new password!
Username:who
Password:
R1#

Note: If the answer entered for the password prompt question is correct, the password of
user who is changed to the new password.

4.3.5 Configuring OAM Security Management


Configuration Description
As shown in Figure 4-5, a user logs in to the ZXR10 ZSR V2 from a PC through a serial
port or Telnet. The user enters configuration mode to create an authentication user. To
prevent user passwords from being cracked or stolen, the ZXR10 ZSR V2 supports setting
password strength. A user who fails authentication consecutively is locked and forbidden
to log in within a given period of time, so that the user cannot try to crack the password
through repeated login attempts.

Figure 4-5 Configuring OAM Security Management

Configuration Flow
1. Configure password strength.
2. Create a user. The creation succeeds only if the password meets the strength
requirements.
3. Configure an authentication template.
4. Configure an authorization template.
5. Configure the number of consecutive user authentication failures and the locking
period.
6. A user who fails authentication consecutively for the set number of times is locked.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:

R1(config)#system-user
R1(config-system-user)#strong-password length 6 character special-character
/*Configures the minimum password length as 6 characters, and configures that a
password should contain special characters.*/
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte123*
R1(config-system-user-username)#exit

R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-authen-restriction fail-time 3 lock-minute 2
/*Configures the number of consecutive user authentication failure times as 3, and
configures the locking period as 2 min.*/
R1(config-system-user)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit

/*A user logs in to the R1 through Telnet. The user fails authentication
consecutively for the set number of times, and is locked.*/
R1#login
Username:zte
Password:
% Local password error!

Username:zte
Password:
% Local password error!

Username:zte
Password:
% Local password error!
Still logged in as "who" /*The original login user name is who.*/
R1#login
Username:zte
Password:
% User is locked

R1#show authen-restriction userinfo


Username Failed-time State Remain (minute)
zte 3 locked 1

4.3.6 Configuring a Password Validity Period


Configuration Description
As shown in Figure 4-6, a user logs in to the ZXR10 ZSR V2 from a PC through a serial
port or Telnet. The user enters configuration mode to create another user. By default, the
password of this account never expires. You can set a validity period (90-360 days) for
this account by running a configuration command, and test whether the validity period is
effective by changing the system time.

Figure 4-6 Configuring a Password Validity Period

Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Set a password validity period.
5. Change the system time to test whether the validity period is effective.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#password-duration 90 /*Configures a password
validity period.*/
R1(config-system-user-username)#exit
R1(config-system-user)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#end

Configuration Verification
R1#show username
Username Encrypted-Password AuthenNo. AuthorNo. AgingTime Set-Time
zte ce7c04930c52bfe1669f6c22 1 1 89 2012-6-28
9ef61b761ec847e5b3052bdb
51456385bb2a9a57

/*Change the system time, so that the password expires.*/


R1#show clock
17:37:48 UTC Thu Jun 28 2012 /*Current time.*/
R1#clock set 15:10:39 9-20-2013 /*Changes the system time, so that the
password expires.*/

R1#show username /*After the system time is changed, the command output displays
that the password has expired.*/
Username Encrypted-Password AuthenNo. AuthorNo. AgingTime Set-Time
zte ce7c04930c52bfe1669f6c22 1 1 expired 2012-6-28
9ef61b761ec847e5b3052bdb
51456385bb2a9a57

R1#login
Username:zte
Password:
%User password expired /*The password has expired. The user cannot log in to
the R1.*/

4.3.7 Configuring First-Login Password Modification


Configuration Description
As shown in Figure 4-7, a user logs in to the ZXR10 ZSR V2 from a PC through a serial
port or Telnet. The user enters configuration mode to create another user, and configures
once-password (only valid for locally authenticated users). During the next login, the user
can use the self-configured password. The default length range of a password is 3-32 characters.

Figure 4-7 Configuring First-Login Password Modification

Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Configure the first login password modification function.
5. During login, the user can set a password. The next time, the user can use the new
password to successfully log in.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#once-password /*Configures first-login
password modification.*/
R1(config-system-user-username)#exit
R1(config-system-user)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#end

Configuration Verification
R1#login
Username:zte
Password:
Your password has expired.
Enter a new one now.
New password: /*Configure a new password, which is not displayed.*/
Re-enter new password: /*Confirm the new password, which is not displayed.*/
The password has been changed successfully,
Please remember your new password!

R1#login
Username:zte
Password: /*Enter the new password*/
R1# /*The user login is successful.*/
R1#who
Line User Host(s) Idle Location
66 vty 0 who idle 00:01:17 169.1.1.13
* 67 vty 1 zte idle 00:00:00 169.1.1.13
68 vty 2 who idle 00:00:00 169.1.1.10
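
The controls configured in sections 4.3.5 to 4.3.7 (password strength, lockout after failed logins, password validity period, first-login password change) can be checked on a planned command script before it is entered on the router. The following Python sketch is an added example, not ZTE code: it parses a transcript in this chapter's prompt#command layout and reports local users that are left without those controls. The function names, the two constructed transcripts, and the rule that "special character" means any non-alphanumeric character are assumptions.

```python
import re

# Constructed transcripts in this chapter's prompt#command layout (not device output).
WEAK_SESSION = """\
R1(config)#system-user
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
"""

HARDENED_SESSION = """\
R1(config)#system-user
R1(config-system-user)#strong-password length 6 character special-character
/*Minimum length 6, special character required.*/
R1(config-system-user)#user-name zte
R1(config-system-user-username)#password zte123*
R1(config-system-user-username)#password-duration 90 /*Configures a password
validity period.*/
R1(config-system-user-username)#once-password
R1(config-system-user-username)#exit
R1(config-system-user)#user-authen-restriction fail-time 3 lock-minute 2
R1(config-system-user)#exit
"""

# host(mode)#command ; exec-mode prompts such as "R1#login" do not match.
PROMPT = re.compile(r"^\S+?\(([\w-]+)\)#\s*(\S.*)$")


def parse_session(text):
    """Collect the global policy and per-user settings from a CLI transcript."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /*...*/ remarks, even wrapped ones
    policy = {"min_len": None, "special": False, "lockout": None}
    users, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        mode, words = m.group(1), m.group(2).split()
        cmd = " ".join(words)
        if mode == "config-system-user":
            lock = re.fullmatch(r"user-authen-restriction fail-time (\d+) lock-minute (\d+)", cmd)
            if words[0] == "user-name" and len(words) == 2:
                current = users.setdefault(words[1], {
                    "password": None, "encrypted": False, "duration": 0, "once": False})
            elif words[0] == "strong-password":
                length = re.search(r"\blength (\d+)", cmd)
                policy["min_len"] = int(length.group(1)) if length else None
                policy["special"] = "special-character" in words
            elif lock:
                policy["lockout"] = (int(lock.group(1)), int(lock.group(2)))
        elif mode == "config-system-user-username" and current is not None:
            days = re.fullmatch(r"password-duration (\d+)", cmd)
            if words[0] == "password" and len(words) >= 2:
                current["encrypted"] = len(words) == 3 and words[1] == "encrypted"
                current["password"] = words[-1]
            elif days:
                current["duration"] = int(days.group(1))  # 0 means the password never expires
            elif words[0] == "once-password":
                current["once"] = True
    return policy, users


def audit(text):
    """Return a list of findings for the locally defined users in the transcript."""
    policy, users = parse_session(text)
    findings = []
    if policy["min_len"] is None and not policy["special"]:
        findings.append("global: no strong-password policy")
    if policy["lockout"] is None:
        findings.append("global: no user-authen-restriction lockout")
    for name, u in users.items():
        pwd = u["password"]
        if pwd is None:
            findings.append(f"{name}: no password configured")
        elif not u["encrypted"]:  # only a clear-text password can be inspected
            if pwd.lower() == name.lower():
                findings.append(f"{name}: password equals user name")
            if policy["min_len"] and len(pwd) < policy["min_len"]:
                findings.append(f"{name}: password shorter than {policy['min_len']}")
            if policy["special"] and pwd.isalnum():  # assumption: special = non-alphanumeric
                findings.append(f"{name}: password has no special character")
        if u["duration"] == 0:
            findings.append(f"{name}: password never expires (no password-duration)")
        if not u["once"]:
            findings.append(f"{name}: no once-password (no forced change at first login)")
    return findings


if __name__ == "__main__":
    for label, session in (("weak", WEAK_SESSION), ("hardened", HARDENED_SESSION)):
        print(label, audit(session))
```

The audit applies to locally authenticated users only, because the password validity period, once-password and password recovery settings described in this chapter act on the local password.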

4.3.8 Relations Between Raising Privilege Levels and the Enable Command
Configuration Description
In Figure 4-8, a user logs in to the ZXR10 ZSR V2 from a PC through a serial port or Telnet.
The user enters configuration mode to create another user and give the user a privilege
level. If the privilege level is too low, the enable command can be used to raise the level.
The default "enable" authentication mode is "local", and the default password is "R1".

Figure 4-8 Configuring the Raising of a Privilege Level

Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Configure an "enable" password to raise the user's privilege level.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#tacacs enable
R1(config)#tacacs-server host 10.1.1.1 key zte
R1(config)#tacplus group-server ztegroup
R1(config-sg)#server 10.1.1.1
R1(config-sg)#exit

R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 5
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit

R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type tacacs-local
R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup
R1(config-aaa-authen-template)#exit

R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit

The following provides a global "enable" authentication configuration mode, which can be
set to aaa mode or local mode. The aaa mode means using the "enable" password set by
the server.

R1(config)#system-user
R1(config-system-user)#global-enable-type aaa authentication-template 1
/*Configures user's enable command authentication mode.*/
R1(config-system-user)#exit

There are two methods for configuring an "enable" password to raise a user's privilege level
to the highest level:

- In global configuration mode, run the enable secret level command. For details, refer
  to Chapter 5 Command Privilege Level Classification.
- In global configuration mode, run the nvram enable-password command. For details,
  refer to the Setting Configurations Kept in NVRAM section of the ZXR10 ZSR V2 Initial
  Configuration Guide.

You can configure the recovery function for a password configured in the NVRAM.

R1(config)#enable secret recover-remind
password:*****
question:zte
answer:zte
/*If you forget the local enable password, you can run the recover-enable command
under privilege level 1 to restore the default password.*/
R1>recover-enable
question:zte
answer:***
%Info 40449: Recover-enable ok! New enable password is: zxr10.

Configuration Verification
Configure a corresponding enable password on the AAA server. After the user logs in
normally and passes authentication, the user privilege level is raised.

Chapter 5 Command Privilege Level Classification
Table of Contents
Command Privilege Level Overview
Configuring Command Privilege
Command Privilege Level Configuration Example

5.1 Command Privilege Level Overview


The ZXR10 ZSR V2 supports the command privilege level function. Command privilege
level management is used to configure command privileges. Users can run the privilege
command to configure the privilege of a command.
Command privilege levels range from level 1 to level 15. Different commands can be
configured with different privilege levels. After a user logs in, a command view is displayed
according to the user's privilege level. Therefore, the user cannot run commands whose
privilege levels are higher than the user's level. Users with the highest level (that is,
administrators with level 15) can set privilege levels for commands.

5.2 Configuring Command Privilege


This procedure describes how to configure command privileges.

Steps
1. Configure command privileges.

Command:  ZXR10(config)#privilege <logic-mode>[all] level {<level>| default}<command-keywords>
Function: Configures a command privilege level.

Command:  ZXR10(config)#no privilege <logic-mode>[all] node <command-keywords>
Function: Restores the default command privilege level.

[all]: all commands beginning with this keyword.
level <level>: privilege level, range: 1-15.
default: default command privilege level.
<command-keywords>: command keywords, range: 1-200 characters.

2. Verify the configurations.

Command:  ZXR10#show privilege [{cur-mode | show-mode}{detail | level <level>| node <command-keywords>}]
Function: Displays the privilege level of the current terminal or command privilege configurations.

cur-mode: displays privilege level information in the current command mode.
show-mode: displays privilege level information in show mode.
detail: displays privilege levels of all commands.
level <level>: displays the commands of the specified privilege level, range: 1-18.
<command-keywords>: the privilege level of the specified command, range: 1-200
characters.
In user mode, the show privilege command has no parameter. It is used to display the
privilege level of the current terminal.
End of Steps

5.3 Command Privilege Level Configuration Example


Configuration Description
It is required to configure different privilege levels for two types of users who operate the
ZXR10 ZSR V2. The privilege level of Type A users is 15, and these users can do all
operations, such as view and configuration. The privilege level of Type B users is 5. They
need to use the show clock command to view the system clock.
It is also required to allow Type B users to raise their own privilege level to level 8 by
running the enable command, so that they can set the time zone.

Configuration Flow
1. Change the privilege level of the show clock command to 5 or lower than 5. In this
example, this privilege level is set to 5.
2. Change the privilege level of the clock timezone command to 8, or lower than 8 but
higher than 5. In this example, this privilege level is set to 7.
3. Create a type A user named ZTE_A and a type B user named ZTE_B. ZTE_A's
privilege level is 15, and ZTE_B's privilege level is 5.
4. Configure the "enable" password that is used to raise user's privilege level to level 8.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
ZXR10(config)#privilege show all level 5 show clock
/*Configures the privilege level of the show clock command.*/

ZXR10(config)#privilege configure level 7 clock
ZXR10(config)#privilege configure level 7 clock timezone
/*Configures the privilege level of the clock timezone command.*/

ZXR10(config)#system-user
ZXR10(config-system-user)#authentication-template 1
ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2001
ZXR10(config-system-user-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 1
ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2001
ZXR10(config-system-user-author-temp)#local-privilege-level 15
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#user-name ZTE_A
ZXR10(config-system-user-username)#bind authentication-template 1
ZXR10(config-system-user-username)#bind authorization-template 1
ZXR10(config-system-user-username)#password ZTE_A_15
ZXR10(config-system-user-username)#exit
/*Create ZTE_A and configure the user's authorization level.*/

ZXR10(config-system-user)#authentication-template 2
ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2002
ZXR10(config-system-user-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 2
ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2002
ZXR10(config-system-user-author-temp)#local-privilege-level 5
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#user-name ZTE_B
ZXR10(config-system-user-username)#bind authentication-template 2
ZXR10(config-system-user-username)#bind authorization-template 2
ZXR10(config-system-user-username)#password ZTE_B_5
ZXR10(config-system-user-username)#exit
ZXR10(config-system-user)#exit
/*Create ZTE_B and configure the user's authorization level.*/

ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local
ZXR10(config-aaa-author-template)#exit
/*Configure the authentication and authorization templates of ZTE_A*/

ZXR10(config)#aaa-authentication-template 2002
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2002
ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local
ZXR10(config-aaa-author-template)#exit
/*Configure the authentication and authorization templates of ZTE_B*/

ZXR10(config)#enable secret level 8 level-8
/*Configure the password of the level-8 user login privilege.*/

Configuration Verification
Run the following commands to view ZTE_A's privilege level. The execution result is
displayed as follows:
Username:ZTE_A
Password:
ZXR10#show privilege
Current privilege level is 15
/*Indicates that ZTE_A's privilege level is 15.*/

Exec commands:
alarm-confirm Confirm the alarm by flowid
cd Change current directory
cfm Executing CFM detecting functions
clear Reset functions
clock Manage the system clock
commit Commit the configuration
configure Enter configuration mode
copy Copy from one file to another by ftp/tftp
cp Copy from one file to another locally
debug Debugging functions
delete Delete a file
--More

ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
/*Displays the commands that can be used by ZTE_A in global configuration mode.*/
Configure commands:
aaa-accounting-template AAA accounting template configurations
aaa-authentication-template AAA authentication template configurations
aaa-authorization-template AAA authorization template configurations
alarm Configure the alarm parameters
alarm-mask Configure the alarm-mask parameters
aps Configure APS instance
arp Enter ARP configuration mode
banner Terminal line banner
bfd Configure bfd
cfm Enter CFM configuration mode
check Configure intervals of check
class-map Configure H-QoS class map
clock Configure board clock
--More

Run the following commands to view ZTE_B's privilege level. The execution result is
displayed as follows:

Username:ZTE_B
Password:
ZXR10#show privilege
Current privilege level is 5
/*Indicates that ZTE_B's privilege level is 5.*/

ZXR10#?
/*Displays the commands that can be used by ZTE_B in privilege configuration mode.*/
Exec commands:
cd Change current directory
cfm Executing CFM detecting functions
clock Manage the system clock
configure Enter configuration mode
debug Debugging functions
dir List files on a filesystem
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
--More

ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
/*Displays the commands that can be used by ZTE_B in global configuration mode.*/
Configure commands:
end Exit from configure mode
exit Exit from configure mode
ping Send echo messages
ping6 Send IPv6 echo messages
show Show running system information
trace Trace route to destination
trace6 Trace route to destination using IPv6
ZXR10(config)#
ZXR10(config)#show ?
clock Show current system clock
privilege Show current privilege level

Raise ZTE_B's privilege level to level 8, as shown below:

Username:ZTE_B
Password:
ZXR10#show privilege
Current privilege level is 5
/*Indicates that the privilege level of ZTE_B is 5.*/
ZXR10#enable 8
Password:
ZXR10#show privilege
Current privilege level is 8
/*Indicates that the privilege level of ZTE_B has been raised to 8.*/
ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
Configure commands:
clock Configure board clock
/*Indicates that the clock command has been added to the commands that ZTE_B can use.*/
end Exit from configure mode
exit Exit from configure mode
ping Send echo messages
ping6 Send IPv6 echo messages
show Show running system information
trace Trace route to destination
trace6 Trace route to destination using IPv6
ZXR10(config)#clock ?
timezone Configure time zone

View the configurations on the ZXR10 ZSR V2, as shown below:

ZXR10#enable /*Raises the user's privilege level to the default level, level 15.*/
Password: /*The input password is not displayed.*/
ZXR10#show running-config adm-mgr
! <ADM_MGR>
enable secret level 8 5 52ZJX4aBmmYKbWdVFpSvwg==
system-user
authentication-template 1
bind aaa-authentication-template 2001
$
authentication-template 2
bind aaa-authentication-template 2002
$
authorization-template 1
bind aaa-authorization-template 2001
local-privilege-level 15
$
authorization-template 2
bind aaa-authorization-template 2002
local-privilege-level 5
$
username ZTE_A
bind authentication-template 1
bind authorization-template 1
password encrypted 51213031a28daa4a18e939b9cc83732043f467d88315721af066dc4f1c385a28
$
username ZTE_B
bind authentication-template 2
bind authorization-template 2
password encrypted a5e686cd3e6778917691bb099a4da1d79768a6b9752b942fe5b431ec3fff8468
$
$
! </ADM_MGR>
ZXR10#show running-config aaa
! <AAA>
aaa-authentication-template 2001
aaa-authentication-type local
$
aaa-authentication-template 2002
aaa-authentication-type local
$
aaa-authorization-template 2001
aaa-authorization-type radius-local
$
aaa-authorization-template 2002
aaa-authorization-type radius-local
$
! </AAA>
ZXR10#show running-config oam
! <OAM>
privilege show all level 5 show clock
privilege configure level 7 clock
privilege configure level 7 clock timezone
! </OAM>

Chapter 6
SNMP Configuration
Table of Contents
SNMP Basic Configuration
SNMP Anti-Violence Attack

6.1 SNMP Basic Configuration


6.1.1 SNMP Overview
The Simple Network Management Protocol (SNMP) is the most popular Network
Management System (NMS) protocol, and belongs to the application layer of the Transmission
Control Protocol/Internet Protocol (TCP/IP) stack. The SNMP module is at the highest
layer of the router system. Administrators use SNMP as a main way to operate, control
and maintain the router. In order to perform network management, users use NMS
software to send and receive SNMP packets between the managed network elements
and the management station.
The basic process of SNMP network management is as follows:
1. A unique ID (OID) is allocated to the object to be managed in the router. The allocation
of OID is determined in a unified way by the Request For Comments (RFC).
2. When users need to read or modify the value of an object, the object OID and operation
type (read or write) are sent to the router as an SNMP request packet.
3. The SNMP agent in the router finds the object data according to the OID, performs the
corresponding operations, and then sends the result as an SNMP response packet to
the user.
By default, SNMP uses UDP as the transmission protocol.

6.1.2 Configuring SNMP


This procedure describes how to configure SNMP so that the equipment can be managed
through SNMP.

Steps
1. Enable SNMP V1, V2c, and V3.

Command: ZXR10(config)#snmp-server version {v1 | v2c | v3} enable
Function: Enables SNMP V1, V2, and V3 for receiving packets from and sending packets to
clients. There are two states: enable and disable. Default: disable.

2. Configure an SNMP packet community.

Command: ZXR10(config)#snmp-server community {encrypted <encrypted-para>|<unencrypted-para>[showclear]}[view <view-name>][{ro | rw}][{[ipv4-access-list <ipv4_acl_name>],[ipv6-access-list <ipv6_acl_name>]}]
Function: Configures an SNMP packet community string.

<encrypted-para>: cipher text community string, 64 characters.
<unencrypted-para>: clear text community string, range: 1-32 characters.
showclear: If this parameter is configured, the community string is displayed in clear
text. If not, the community string is displayed in cipher text.
<view-name>: view name, range: 1-32 characters.
ro | rw: The ro parameter indicates only reading a MIB object. The rw parameter
indicates reading and writing a MIB object.
3. Define an SNMP view.

Command: ZXR10(config)#snmp-server view <view-name><subtree-id>{included | excluded}
Function: Defines an SNMP view.

<subtree-id>: specifies the MIB sub-tree ID or node name of the MIB sub-tree for the
view name. Range: 1-79 characters.
included | excluded: The sub-tree is included or excluded.
4. Set MIB object information.

Command: ZXR10(config)#contact <mib-syscontact-text>
Function: Configures the contact method of the person who is in charge of the MIB object.
Range: not longer than 200 characters.

Command: ZXR10(config)#location <mib-syslocation-text>
Function: Configures the description of the MIB object system location. Range: not longer
than 200 characters.

5. Set the types of Trap and Inform messages that are allowed to be sent.

Command: ZXR10(config)#snmp-server enable inform [<notification-type>]
Function: Enables the agent to send notifications and sets the types of notifications to
be sent. The notification types can be all or one of the bgp, ospf, rmon, snmp, stalarm
and vpn types.

Command: ZXR10(config)#snmp-server enable Trap [<notification-type>]
Function: Enables the agent to send Trap messages and sets the types of Trap messages to
be sent. The Trap message types can be all or one of the bgp, ospf, rmon, snmp, stalarm
and vpn types.

6. Set the Trap destination host.

Command: ZXR10(config)#snmp-server host [ vrf <vrf-name>]<ip-address>{Trap | inform} version {1 | 2c | 3 {auth | noauth | priv}}<community-name/user>[udp-port <udp-port>][<Trap-type>]
Function: Configures the destination for receiving SNMP notifications. The snmp-server
host command needs to be used together with the snmp-server enable command.

vrf <vrf-name>: VRF name, range: 1-31 characters.
<ip-address>: defines the IP address of a host. IPv4 and IPv6 are supported.
Trap | inform: specifies sending Trap messages or notifications to a host.
version 1 | 2c | 3 : the SNMP version (v1, v2c, or v3).
auth: The packets to be sent are authenticated but not encrypted.
noauth: The packets to be sent are not authenticated or encrypted.
priv: The packets to be sent are authenticated and encrypted.
<community-name/user-name>: community name string of SNMP v1/v2 or SNMPv3 user
name, range: 1-32 characters.
udp-port <udp-port>: number of the UDP port for sending Trap or inform messages,
range: 1-65535.
<Trap-type>: Trap or Inform type. The Trap type can be all or one of the bgp, ospf,
rmon, snmp, stalarm and vpn types.

7. Enable the system log function.

Command: ZXR10(config)#logging on
Function: Enables the system log function.

8. Set the level of the alarm message sent to the Trap server.

Command: ZXR10(config)#logging Trap-enable <alarmlevel>
Function: Sets the level of the alarm message sent to the Trap server.

9. Configure other SNMP parameters.

Command: ZXR10(config)#snmp-server engine-id <engine-id>
Function: Configures the SNMP local engine ID. Hexadecimal number, range: 1-24 characters,
default: 830900020300010289d64401. As the core part of an SNMP entity, the SNMP engine
sends, receives and validates SNMP messages, extracts Packet Data Unit (PDU) assembly
messages, and communicates with SNMP application programs.

Command: ZXR10(config)#snmp-server input-limit <packets>
Function: Sets the SNMP packet receiving speed. Range: 100-1000, default: 200 pps.

Command: ZXR10(config)#snmp-server packetsize <snmp-packet-max-size>
Function: Configures the maximum length of SNMP packets. Unit: byte, range: 484-8192,
default: 8192.

Command: ZXR10(config)#snmp-server Trap-source <ip-address>
Function: Configures the source IP address of all Traps.

Command: ZXR10(config)#snmp-server access-list {ipv4| ipv6}<acl-name>
Function: Uses a configured Access Control List (ACL) to control the hosts that can access
the system through SNMP.

10. Configure SNMPv3.

Step 1
Command: ZXR10(config)#snmp-server context <context-name>
Function: Defines the SNMPv3 context name. Range: 1-16 characters.

Step 2
Command: ZXR10(config)#snmp-server group <groupname> v3 {auth | noauth|priv}[context <context-name>{match-prefix | match-exact}][read <readview>][write <writeview>][notify <notifyview>]
Function: Configures a new SNMP group (mapping SNMP users to SNMP views).

Step 3
Command: ZXR10(config)#snmp-server user <user-name><group-name> v3 {encrypted auth {md5 | sha}<auth-key>[priv des56 |<privacy-key>]|[auth {md5 | sha}|<auth-password>|[priv des56 |<privacy-password>]]}
Function: Configures an SNMPv3 user.

group <groupname>: name of the SNMP group to be configured, range: 1-32 characters.
v3: specifies that the group is to be used in SNMPv3.
auth: specifies that packets are to be authenticated, but not encrypted.
noauth: specifies that packets are not to be authenticated or encrypted.
priv: specifies that packets are to be authenticated and encrypted.
<context-name>: context of the group, range: 1-30 characters.
match-prefix: defines the context matching mode as prefix mode.
match-exact: defines the context matching mode as exact mode.
read <readview>: read view, range: 1-30 characters.
write <writeview>: write view, range: 1-30 characters.
notify <notifyview>: notify view, range: 1-30 characters.
user <username>: SNMP user name, range: 1-32 characters.
<groupname>: group name related to user, range: 1-32 characters.
v3: specifies that the user uses SNMPv3.
encrypted: specifies that the password to be entered is not clear text but cipher text.
It is not recommended to use this option.
auth: specifies that the user has the authentication privilege.
md5 | sha: uses Hashed Message Authentication Code with MD5 (HMAC-MD5-96) as
the authentication mode, or uses HMAC-SHA-96 as the authentication mode.
<auth-key>: authentication password or authentication key, range: 1-30 characters. If
it is an encrypted password, its range is 32-40 characters.
des56: uses CBC-DES as the encryption mode.
<priv-key>: cipher text encryption password, range: 1-32 characters.
<auth-password>: authentication password (or authentication key), range: 1-31
characters. If it is an encrypted password, its range is 32-40 characters.
<priv-password>: clear text encryption password, range: 1-32 characters.

11. Verify the configurations.

Command: ZXR10#show snmp
Function: Displays SNMP state attributes.

Command: ZXR10#show snmp config
Function: Displays the configurable SNMP state attributes.

Command: ZXR10#show snmp engine-id
Function: Displays the local SNMP engine ID.

Command: ZXR10#show snmp group
Function: Displays the configured SNMP groups.

Command: ZXR10#show snmp security
Function: Displays the configurations of SNMP security.

Command: ZXR10#show snmp security failures
Function: Displays the IP addresses and number of times of wrong community login attempts
in SNMP detection mode.

Command: ZXR10#show snmp security trust-users
Function: Displays the trusted users learned by SNMP dynamically and configured manually.

Command: ZXR10#show snmp user
Function: Displays the information on configured SNMP users.

Command: ZXR10#show running-config snmp [|{begin | exclude | include}<line>]
Function: Displays the configurations of SNMP.

End of Steps

6.1.3 SNMP Configuration Example


Configuration Description
By configuring the SNMP function, a user can use a network management server to
manage the devices in the network, as shown in Figure 6-1.

Figure 6-1 SNMP Configuration Example Topology

Configuration Flow
1. Configure an SNMP packet community string. SNMPv1/v2c uses community string
authentication mode. An SNMP community string is named with a character string,
and has an access privilege (read-only or read-write).
2. Assign a view name to the configured community string. If the view parameter is not
configured, the default view is assigned to the community string. If the ro | rw
parameter is not configured, the default privilege (ro) is assigned. Whether ro or rw is
specified, users can only perform operations within the permitted view range.
3. Configure alarm Trap. Configure the types of Trap messages to be sent and the
destination host. Trap messages are actively sent by managed devices to NMS. They
are used to report urgent and important events. By default, all types of Trap messages
are sent.

Configuration Commands
Run the following commands on the ZXR10 ZSR V2:

R1(config)#snmp-server version v2c enable


R1(config)#location No.68 Zijinghua Rd. Yuhuatai District, Nanjing, China
R1(config)#contact +86-25-52870000
R1(config)#snmp-server packetsize 1400
R1(config)#snmp-server engine-id 830900020300010289d64401
R1(config)#snmp-server community public view AllView ro
R1(config)#snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp
R1(config)#snmp-server host 61.139.48.18 Trap version 2c public udp-port 162
R1(config)#snmp-server enable Trap
R1(config)#snmp-server enable inform
R1(config)#logging on
R1(config)#logging Trap-enable warnings

Configuration Verification
Run the show command to check the configurations. The execution result is displayed as
follows.

R1(config)#show snmp config

snmp-server community encrypted d6ddeaa4dab74523b246fe346c94c31ae58b79ad4776396438ea1e9bb01a9ef3 view AllView ro
snmp-server enable inform snmp
snmp-server enable inform bgp
snmp-server enable inform mac
snmp-server enable inform ospf
snmp-server enable inform stp
snmp-server enable inform ppp
snmp-server enable inform arp
snmp-server enable inform rmon
snmp-server enable inform udld
snmp-server enable inform cfm
snmp-server enable inform efm
snmp-server enable inform lacp
snmp-server enable inform mc-elam
snmp-server enable inform tcp
snmp-server enable inform sctp
snmp-server enable inform stalarm
snmp-server enable inform cps
snmp-server enable inform interface
snmp-server enable inform acl
snmp-server enable inform fib
snmp-server enable inform pim
snmp-server enable inform isis
snmp-server enable inform rip
snmp-server enable inform msdp
snmp-server enable inform aps
snmp-server enable inform config
snmp-server enable inform am
snmp-server enable inform um
snmp-server enable inform system
snmp-server enable inform ldp
snmp-server enable inform pwe3
snmp-server enable inform vpn
snmp-server enable inform mpls-oam
snmp-server enable inform ptp
snmp-server enable inform tunnel-te
snmp-server enable inform radius
snmp-server enable inform dhcp
snmp-server enable inform bfd
snmp-server enable inform ippool
snmp-server enable inform ntp
snmp-server enable inform ssm
snmp-server enable inform sqa
snmp-server enable inform ipsec
snmp-server enable inform cgn
snmp-server enable inform vrrp
snmp-server enable inform ftp_tftp
snmp-server enable inform ping-trace
snmp-server enable inform gm
snmp-server enable Trap snmp
snmp-server enable Trap bgp
snmp-server enable Trap mac
snmp-server enable Trap ospf
snmp-server enable Trap stp
snmp-server enable Trap ppp
snmp-server enable Trap arp
snmp-server enable Trap rmon
snmp-server enable Trap udld
snmp-server enable Trap cfm
snmp-server enable Trap efm
snmp-server enable Trap lacp
snmp-server enable Trap mc-elam
snmp-server enable Trap tcp
snmp-server enable Trap sctp
snmp-server enable Trap stalarm
snmp-server enable Trap cps
snmp-server enable Trap interface
snmp-server enable Trap acl
snmp-server enable Trap fib
snmp-server enable Trap pim
snmp-server enable Trap isis
snmp-server enable Trap rip
snmp-server enable Trap msdp
snmp-server enable Trap aps
snmp-server enable Trap config
snmp-server enable Trap am
snmp-server enable Trap um
snmp-server enable Trap system
snmp-server enable Trap ldp
snmp-server enable Trap pwe3
snmp-server enable Trap vpn
snmp-server enable Trap mpls-oam
snmp-server enable Trap ptp
snmp-server enable Trap tunnel-te
snmp-server enable Trap radius
snmp-server enable Trap dhcp
snmp-server enable Trap bfd
snmp-server enable Trap ippool
snmp-server enable Trap ntp
snmp-server enable Trap ssm
snmp-server enable Trap sqa
snmp-server enable Trap ipsec
snmp-server enable Trap cgn
snmp-server enable Trap vrrp
snmp-server enable Trap ftp_tftp
snmp-server enable Trap ping-trace
snmp-server enable Trap gm
snmp-server engine-id is 830900020300010289d64401
snmp-server host 61.139.48.18 Trap version 2c public udp-port 162 snmp bgp mac
ospf stp ppp arp rmon udld cfm efm lacp mc-elam tcp sctp stalarm cps interface
acl fib pim isis rip msdp aps config am um system ldp pwe3 vpn mpls-oam ptp
tunnel-te radius dhcp bfd ippool ntp ssm sqa ipsec cgn vrrp ftp_tftp ping-trace gm
snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp
snmp-server packetsize is 1400
snmp-server security dynamic-trust-user idle-timeout 1800
snmp-server view AllView internet included
snmp-server view DefaultView system included
snmp-server version v2c enable
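
The v2c example above can be reviewed mechanically against the options this chapter documents. The following Python sketch is an added example, not ZTE code: the rule names, the short list of guessable community strings, and the HARDENED sample (with the hypothetical names NMS_ONLY, MgmtView, NmsGroup and nms, and placeholder passwords) are assumptions.

```python
import re

PROMPT = re.compile(r"^\S+#\s*")      # CLI prompt such as "R1(config)#"
GUESSABLE = {"public", "private"}     # assumption: short list of well-known defaults

# Constructed input: commands in the style of section 6.1.3, plus two constructed
# lines (an rw community and a v3 noauth host) so that every rule fires.
WEAK = """\
R1(config)#snmp-server version v2c enable
R1(config)#snmp-server community public view AllView ro
R1(config)#snmp-server community ops-write view AllView rw
R1(config)#snmp-server view AllView internet included
R1(config)#snmp-server host 61.139.48.18 Trap version 2c public udp-port 162
R1(config)#snmp-server host 61.139.48.18 inform version 3 noauth nms udp-port 162
"""

# Constructed counterpart built from the command syntax listed in section 6.1.2.
# NMS_ONLY, MgmtView, NmsGroup and nms are hypothetical names.
HARDENED = """\
snmp-server version v3 enable
snmp-server access-list ipv4 NMS_ONLY
snmp-server view MgmtView system included
snmp-server group NmsGroup v3 priv read MgmtView
snmp-server user nms NmsGroup v3 auth sha <auth-password> priv des56 <privacy-password>
snmp-server host 61.139.48.18 Trap version 3 priv nms udp-port 162
snmp-server security block 180 3 180 when 50 60
"""


def commands(text):
    """Return the tokens after 'snmp-server' for every snmp-server line."""
    out = []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith("snmp-server "):
            out.append(line.split()[1:])
    return out


def audit(text):
    """Return (rule, detail) findings in input order."""
    cmds = commands(text)
    tok = lambda c, i: c[i] if i < len(c) else None
    global_acl = any(c[0] == "access-list" for c in cmds)
    found = []
    if not any(c[:2] == ["security", "block"] for c in cmds):
        # The anti-brute force function is disabled unless this command is present.
        found.append(("NO_LOCKOUT", "snmp-server security block is absent"))
    for c in cmds:
        if c[0] == "version" and tok(c, 1) in ("v1", "v2c") and tok(c, 2) == "enable":
            # v1/v2c carry the community string in clear text.
            found.append(("CLEARTEXT_VERSION", c[1]))
        elif c[0] == "community" and len(c) > 1:
            encrypted = c[1] == "encrypted"
            name = tok(c, 2) if encrypted else c[1]
            opts = c[3:] if encrypted else c[2:]
            if "view" in opts:                 # drop the view name so that it cannot
                i = opts.index("view")         # be mistaken for the ro/rw keyword
                del opts[i:i + 2]
            label = "<encrypted>" if encrypted else name
            if not encrypted and name.lower() in GUESSABLE:
                found.append(("GUESSABLE_COMMUNITY", name))
            if "rw" in opts:
                found.append(("WRITE_COMMUNITY", label))
            if not global_acl and not any(o.endswith("-access-list") for o in opts):
                found.append(("COMMUNITY_NO_ACL", label))
        elif c[0] == "view" and tok(c, 2) == "internet" and tok(c, 3) == "included":
            found.append(("BROAD_VIEW", c[1]))
        elif c[0] == "host" and "version" in c:
            i = c.index("version")
            version, level = tok(c, i + 1), tok(c, i + 2)
            if version in ("1", "2c"):
                found.append(("NOTIFY_CLEARTEXT", version))
            elif version == "3" and level in ("noauth", "auth"):
                found.append(("NOTIFY_NO_PRIVACY", level))
    return found


if __name__ == "__main__":
    for rule, detail in audit(WEAK):
        print(f"{rule:20} {detail}")
    print("hardened findings:", audit(HARDENED))
```
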

6.2 SNMP Anti-Violence Attack


6.2.1 SNMP Anti-Brute Force Attack Overview
SNMP Anti-Brute Force Attack Description
A brute force attack generates a huge number of candidate passwords with code generation
software and tries each one. Given enough attempts against an unprotected password, even
the most complicated key can be broken.

The security policy defined in SNMP v1 and SNMP v2 is simple: community strings, which
serve as passwords between SNMP management processes and agent processes, are transferred
in clear text. Attackers can crack these passwords with brute force attacks. The SNMP
anti-brute force attack function is used to prevent DoS attacks and brute force attacks.

SNMP Anti-Brute Force Attack Features

The SNMP anti-brute force attack function introduces two concepts: block and quiet
mode. If the detection policy is enabled, the router can reject all SNMP requests in block
mode when it finds repeated SNMP community string attempt failures. The block state
can last for a period known as the "quiet period".

• To ensure that trusted users can access the ZXR10 ZSR V2 normally, the SNMP
security function supports both dynamically learned and manually configured trusted
users. In quiet mode, the ZXR10 ZSR V2 handles requests only from trusted users
(if an ACL is configured in advance, the requests still need to be filtered through
the ACL first).
• Dynamically learned trusted users are users who have accessed the ZXR10 ZSR
V2 and are automatically recorded by it. If such a user does not access the ZXR10
ZSR V2 again before the set period (ageing time) expires, the device ages the user
out. Dynamically learned trusted users can also be cleared manually. The ageing
time is configurable and is 1800 s by default.
• In practical applications, some network management user addresses that are
used to access the device are fixed. These users are reliable and do not need
automatic ageing. To meet this requirement, the ZXR10 ZSR V2 allows users to
manually configure trusted users who are not aged; they can be cleared by
running the no command.
• To tolerate users who unintentionally enter wrong passwords, the ZXR10 ZSR V2
supports configuring the condition for enabling monitoring. For example, monitoring
is enabled only when the number of input failures reaches 20 in one minute. By
default, monitoring is enabled only when the number of input failures reaches 50 in
one minute. Failure counting does not distinguish between IP addresses.
• In the monitoring period, the total number of failures is counted (IP addresses are
not distinguished). If the number exceeds the limit, the ZXR10 ZSR V2 enters
quiet mode.

In any state, when community string attempts fail, logs and self-defined Trap messages
are generated by default. A Trap message that is sent includes the following
information: error community string information, source IP, and current state of SNMP
(normal/monitoring/quiet). When a device state is switched, a system log and Trap alarm
are automatically generated. This function can be disabled by running a command.
SNMP security state switching is shown in Figure 6-2.

Figure 6-2 State Switching Diagram

6.2.2 Configuring SNMP Anti-Brute Force Attack


This procedure describes how to configure the SNMP anti-brute force attack function.

Steps
1. Activate the SNMP security function.

Command: ZXR10(config)#snmp-server security block <block-seconds><detect-tries><detect-seconds>[when <tries><startup-seconds>]
Function: The SNMP security protection function is disabled by default. This command is
used to activate this function.

block <block-seconds>: block time (length of the quiet period), unit: second, range:
1-65535.
<detect-tries>: maximum number of times of failed attempts in monitoring mode, range:
1-65535.
<detect-seconds>: maximum detection time in monitoring mode, unit: second, range:
1-65535.
<tries>: maximum number of times of failed attempts in normal mode, range: 1-65535,
default: 50.
<startup-seconds>: maximum detection time in normal mode, unit: second, range:
1-65535, default: 60.
2. Configure the ACL for controlling hosts that access the system through SNMP.

Command: ZXR10(config)#snmp-server access-list {ipv4| ipv6}<acl-name>
Function: Uses a configured ACL to control hosts that access the system through SNMP.

3. Configure the ageing time of dynamic trusted users and configure static trusted users.

Step 1
Command: ZXR10(config)#snmp-server security dynamic-trust-user idle-timeout <timeout-seconds>
Function: Configures the ageing time of dynamic trusted users. Range: 1-65535, default:
1800 s.

Step 2
Command: ZXR10(config)#snmp-server security static-trust-user <static-ip-addr>
Function: Configures static trusted users that are configured manually.

4. Configure the generation of logs and Trap messages when community string attempts
fail or a state is switched.

Command: ZXR10(config)#snmp-server security on-failure log [and Trap]
Function: Configures the generation of logs and Trap messages when community string
attempts fail or a state is switched.

5. Verify the configurations.

Command: ZXR10#show snmp security [failures | trust-users]
Function: Displays SNMP security function parameters. This command displays the SNMP
security state, configuration information, current state information and statistics
information in natural language format.

Command: ZXR10#show running-config snmp [|{begin | exclude | include}<line>]
Function: Displays SNMP configurations.

failures: optional. If this parameter is selected, the command is used to display
detailed information on failed attempts.
trust-users: optional. If this parameter is selected, the command is used to display
detailed information on trusted users, including dynamically learned and manually
configured users.
begin: is used to display the configurations that begin with the input string line.
include: is used to display the configurations that include the string line.
exclude: is used to display the configurations that exclude the string line.
<line>: is used to match the filtered string line.

6. Maintain the SNMP anti-brute force attack function.

Command: ZXR10(config)#snmp-server security dynamic-trust-user clear <dyn-ip-addr>
Function: Clears dynamic trusted users manually.

End of Steps

6.2.3 SNMP Anti-Brute Force Attack Configuration Example

The SNMP anti-brute force attack function needs to be configured on the ZXR10 ZSR
V2, as shown in Figure 6-3.

Figure 6-3 SNMP Anti-Brute Force Attack Configuration Example

Configuration Flow
1. Enable the SNMP anti-brute force attack function.
2. Configure the ageing time for dynamic trusted users.
3. Configure static trusted users that are allowed to access the system.
4. Configure a Trap message and log that is generated when user attempts fail and a
state is switched.

Configuration Command
Run the following commands on the ZXR10 ZSR V2:

R1(config)#snmp-server security block 180 3 180 when 50 60


R1(config)#snmp-server security dynamic-trust-user idle-timeout 100
R1(config)#snmp-server security static-trust-user 169.1.110.6
R1(config)#snmp-server security on-failure log and Trap

Configuration Verification
Run the following command to check SNMP configurations. The execution result is
displayed as follows.

R1(config)#show running-config snmp


!<oam_snmp>
snmp-server security block 180 3 180 when 50 60
snmp-server security dynamic-trust-user idle-timeout 100
snmp-server security on-failure log and Trap
snmp-server security static-trust-user 169.1.110.6
!</oam_snmp>
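
What the five numbers in `snmp-server security block 180 3 180 when 50 60` do is easiest to see by replaying events against them. The following Python model is an added example, not ZTE code, covering the normal/monitoring/quiet states of section 6.2.1 with this example's parameters. Figure 6-2 is not reproduced here, so the sliding failure window, the return from monitoring or quiet to normal, and learning a trusted user on any served request are assumptions; every event address except 169.1.110.6 is constructed.

```python
from collections import deque


class SnmpGuard:
    """Model of: snmp-server security block <block> <detect-tries> <detect-seconds>
    [when <tries> <startup-seconds>] plus the trusted-user settings."""

    def __init__(self, block_s, detect_tries, detect_s, tries=50, startup_s=60,
                 idle_timeout=1800, static_trusted=()):
        self.block_s, self.detect_tries, self.detect_s = block_s, detect_tries, detect_s
        self.tries, self.startup_s, self.idle_timeout = tries, startup_s, idle_timeout
        self.static = set(static_trusted)   # manually configured, never aged
        self.dynamic = {}                   # source IP -> time of last served request
        self.state = "normal"
        self._fails = deque()               # failure times seen in normal mode
        self._mon_start = self._quiet_until = 0
        self._mon_fails = 0

    def _tick(self, now):
        """Apply time-based transitions and age dynamic trusted users."""
        if self.state == "quiet" and now >= self._quiet_until:
            self.state = "normal"           # assumption: quiet period ends in normal
            self._fails.clear()
        elif self.state == "monitoring" and now - self._mon_start > self.detect_s:
            self.state = "normal"           # assumption: detection window expired
            self._fails.clear()
        for ip in [ip for ip, seen in self.dynamic.items()
                   if now - seen > self.idle_timeout]:
            del self.dynamic[ip]

    def _failure(self, now):
        """Count one wrong-community attempt; source addresses are not distinguished."""
        if self.state == "normal":
            self._fails.append(now)
            while now - self._fails[0] >= self.startup_s:
                self._fails.popleft()
            if len(self._fails) >= self.tries:        # count "reaches" the limit
                self.state, self._mon_start, self._mon_fails = "monitoring", now, 0
        elif self.state == "monitoring":
            self._mon_fails += 1
            if self._mon_fails > self.detect_tries:   # count "exceeds" the limit
                self.state, self._quiet_until = "quiet", now + self.block_s

    def request(self, now, src, community_ok):
        """Return 'served', 'failed' (wrong community) or 'rejected' (quiet mode)."""
        self._tick(now)
        if self.state == "quiet" and src not in self.static and src not in self.dynamic:
            return "rejected"
        if not community_ok:
            self._failure(now)
            return "failed"
        if src not in self.static:
            self.dynamic[src] = now
        return "served"


def replay():
    """Replay constructed events; returns (time, source, result, state after)."""
    g = SnmpGuard(180, 3, 180, tries=50, startup_s=60, idle_timeout=100,
                  static_trusted={"169.1.110.6"})
    events = [(0, "10.0.0.5", True), (0, "10.0.0.7", True)]     # two hosts are learned
    events += [(t, "192.0.2.66", False) for t in range(1, 55)]  # 54 wrong guesses
    events += [(60, "198.51.100.9", True),    # unknown host, correct community
               (60, "169.1.110.6", True),     # static trusted user
               (61, "10.0.0.5", True),        # dynamic trusted user, still fresh
               (150, "10.0.0.7", True),       # dynamic trusted user, aged out (100 s)
               (234, "198.51.100.9", True)]   # quiet period (54 + 180) is over
    return [(t, src, g.request(t, src, ok), g.state) for t, src, ok in events]


if __name__ == "__main__":
    for row in replay()[50:]:
        print(row)
```

With these parameters a host that was never learned is locked out for the whole quiet period even when it presents the correct community string, so management stations need a static trusted entry or an idle-timeout longer than their polling interval.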

Chapter 7
Alarm Management Configuration
Table of Contents
Alarm Overview
Configuring the Alarm Function
Alarm Function Configuration Example

7.1 Alarm Overview


The alarm module runs an alarm agent process on each line card and an alarm server process
on the main control board. When hardware or a program runs improperly, the service
applications report the alarm to their alarm agent, and the alarm agents then report the
alarm messages to the alarm server. The alarm server records alarm messages for back-end
querying. The main control board also has an alarm agent to process the alarm events that
occur on the board itself.
According to the configuration, the alarm server selectively reports alarm messages to the
log module, terminal, SNMP and SYSLOG.
The messages processed by the alarm module include ordinary alarms and notifications.
• An ordinary alarm is recoverable. An alarm that has been reported but not yet recovered
is called a current alarm. An alarm that has been reported and has recovered is called
a history alarm.
• A notification only reports that an event has happened, so there are no current or
history notifications.
On the ZXR10 ZSR V2, you can configure the following alarms:

• CPU, memory, and storage device alarms

The basic principles of CPU, memory and storage device alarms are the same. If the
current usage exceeds the configured alarm threshold, the alarms are reported. If the
current usage is lower than the configured alarm threshold, the alarms are cleared.
Moreover, the reported alarm level can be raised as the usage increases by configuring
a higher-level middle threshold and high threshold in addition to the default low
threshold.

• Temperature alarm

There are different temperature measuring components on each board of the device.
Each temperature measuring component has different temperature resistance
characteristics, so the alarm threshold at each temperature measuring point is
different. The device compares the temperature information obtained at specified
times with the corresponding alarm threshold. If the temperature exceeds the
threshold, the alarm is reported. If the temperature is lower than the threshold, the
alarm at the corresponding level is cleared.

• Power voltage alarm

If the voltage is not within the normal working voltage range, the power voltage alarm
is reported.

7.2 Configuring the Alarm Function


This procedure describes how to configure the alarm function.

Steps
1. Configure the basic alarm function.

Step 1
Command: ZXR10(config)#logging on
Function: Enables the alarm recording function, so that alarms can be reported to log, control terminal, SNMP, and SYSLOG.

Step 2
Command: ZXR10(config)#logging buffer <buffer-size>
Function: Sets the size of the alarm log buffer. Unit: KB, range: 100–1000, default: 200.

Step 3
Command: ZXR10(config)#logging timestamps [datetime localtime | precisetime | uptime]
Function: Sets the display mode of alarm time. Default: datetime localtime.

Step 4
Command: ZXR10(config)#logging level <level>
Function: Configures the level to save alarms into logs. Alarms whose levels are higher than this level are recorded in logs. Default: INFORMATIONAL (level 7).

Step 5
Command: ZXR10(config)#logging console <level>
Function: Configures the level to display alarms on a console or Telnet terminal. Alarms whose levels are higher than this level are displayed on a console or Telnet terminal. Default: NOTIFICATIONS (level 6).

Step 6
Command: ZXR10(config)#logging Trap-enable <level>
Function: Configures the level to report alarms to SNMP in Trap mode. Alarms whose levels are higher than this level are reported to SNMP in Trap mode. By default, alarms are not reported.

Step 7
Command: ZXR10(config)#logging alarmlog-interval <minute>
Function: Sets the time interval for writing alarm records from the buffer to files. Unit: minute, range: 10–30000, default: 10.

Step 8
Command: ZXR10(config)#logging cmdlog-interval <second>
Function: Sets the time interval for writing command logs from the buffer to log files. Unit: second, range: 2–30000, default: 2.

Step 9
Command: ZXR10(config)#logging ftp <level>[ vrf <vrf-name>]<ip-address><username><password>[<filename>]
Function: Configures the level of reporting alarms to the File Transfer Protocol (FTP) server, IP address of the FTP server, username, password, and file name. By default, alarms are not reported.

Step 10
Command: ZXR10(config)#logging filesavetime {interval <time1>| everyday <time2>| week <weekday><time3>| month <mothday><time4>}[vrf <vrf-name>]<ftp-server><username><password>[<filename>]
Function: Configures the time when alarms written in files are sent to the FTP server, IP address, username, and password of the FTP server, and file name prefix. By default, alarms are not reported.

Step 11
Command: ZXR10(config)#logging mode {fullclear | fullcycle | fullend}
Function: Sets the mode for clearing buffer data after the alarm buffer is full. Default: fullcycle.

Step 12
Command: ZXR10(config)#alarm heartbeat-send <type>
Function: Sends an alarm heartbeat keep-alive packet to the configured destination immediately.

Step 13
Command: ZXR10(config)#alarm heartbeat-period <minute><type>
Function: Configures the interval of sending alarm heartbeat packets. Unit: minute, range: 0–30000, default: 0 (no heartbeat packet is sent).

Step 14
Command: ZXR10(config)#alarm level-change <alarm-code><level>
Function: Modifies the corresponding alarm level of the alarm code. Each alarm code has a default level. Range: 1–4294967294.

<level>: the lowest alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1).

<time1>: interval of reporting to FTP, range: 1:00:00–23:59:59.

<time2>: daily time for reporting to FTP, range: 00:00:00–23:59:59.

<weekday>: day in each week for reporting to FTP, range: Monday, Tuesday, Thursday, Wednesday, Friday, Saturday, and Sunday.

<time3>: time in the day of each week for reporting to FTP, range: 00:00:00–23:59:59.

<mothday>: date in each month for reporting to FTP, range: 1–31.

<time4>: time in the date of each month for reporting to FTP, range: 00:00:00–23:59:59.

<filename>: prefix of the filename saved on the FTP server, range: 1–31 characters.
2. Configure CPU, memory, and storage device alarm thresholds.

Step 1
Command: ZXR10(config)#logging on
Function: Enables the alarm recording function, so that the alarms of different levels can be reported to different destinations. After the command is run, alarms are generated for CPU usage, memory usage, storage medium usage, and voltage value according to corresponding values. The voltage module reports alarms according to the voltage value range.

Step 2
Command: ZXR10(config)#cpuload-threshold <percent>[level{low | middle | high}]
Function: Configures the CPU load alarm threshold. Unit: %, range: 50–100, default: 95. Alarm levels corresponding to CPU load alarm thresholds: low, middle and high. Default: low.
Command: ZXR10(config)#check cpu interval <interval>
Function: Configures the time interval for CPU usage alarm checking. Unit: 10 s, range: 1–20.

Step 3
Command: ZXR10(config)#memory-threshold <percent>[level {low | middle | high}]
Function: Configures the memory usage alarm threshold. Unit: %, range: 1–100, default: 60. Alarm levels corresponding to memory usage alarm threshold values: low, middle, and high. Default: low.
Command: ZXR10(config)#check memory interval <interval>
Function: Configures the interval for memory usage alarm checking.

Step 4
Command: ZXR10(config)#storage-threshold <percent>[level {low | middle | high}]
Function: Configures the storage medium usage alarm threshold. Unit: %, range: 50–100, default: 90. Alarm levels corresponding to storage medium alarm threshold values: low, middle, and high. Default: low.

Step 5
Command: ZXR10(config)#cpualarm {granularity-10s | granularity-20s | granularity-30s | granularity-40s | granularity-50s | granularity-60s}
Function: Configures the CPU usage alarm granularity. Default: granularity-10s.

3. Verify the configurations.

Command: ZXR10#show logging alarm [[level <alarmlevel>][start-time <date><time>][end-time <date><time>][typeid <type>]]
Function: Displays the specified alarms in the alarm log buffer. Filtering conditions: level, start-time, end-time, and typeid.

Command: ZXR10#show logfile [[username <string>][start-time <date><time>][end-time <date><time>][vtyno <number>][ip-adress <ip-address>]]
Function: Displays the specified history configuration commands in the command log buffer. Filtering conditions: start-time, end-time, ipaddress, user, and vtyno.

Command: ZXR10#show logging configuration
Function: Displays the current configurations of the alarm module.

Command: ZXR10#show running-config alarm [all ||{begin | exclude | include}<line>]
Function: Displays alarm configurations.

level <level>: alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1).

start-time <date><time>: alarm start time, format of <date>: mm-dd-yyyy, range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>: 00:00:00 to 23:59:59.

end-time <date><time>: alarm end time, format of <date>: mm-dd-yyyy, range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>: 00:00:00 to 23:59:59.

typeid <type>: alarm type, range: ACL, BFD, BGP, LDP, and so on (more than 60 types).

username <username>: login username, string type, range: 1–32 characters.

start-time <date><time>: command running start time, format of <date>: mm-dd-yyyy, range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>: 00:00:00 to 23:59:59.

end-time <date><time>: command running end time, format of <date>: mm-dd-yyyy, range of <date>: 01-01-2001 to 12-31-2037, format of <time>: hh:mm:ss, range of <time>: 00:00:00 to 23:59:59.

vtyno <number>: user terminal number, range: 0–15.

{begin | exclude | include}<line>: regular expression. begin is used to display configurations beginning with the input string line. include is used to display configurations that include the string line. exclude is used to display configurations that do not include the string line. <line> is used to match the string line.

4. Verify the configurations.

Command: ZXR10#show cpuload-threshold
Function: Displays the CPU usage threshold.

Command: ZXR10#show check cpu interval
Function: Displays the time interval of CPU usage alarm checking.

Command: ZXR10#show memory-threshold
Function: Displays the memory usage alarm threshold.

Command: ZXR10#show check memory interval
Function: Displays the time interval of memory usage alarm checking.

Command: ZXR10#show storage-threshold
Function: Displays the storage medium usage alarm threshold.

Command: ZXR10#show cpualarm
Function: Displays the granularity of CPU usage alarms.

5. View information on shelf management temperature alarms and power supply voltage
alarms.
You cannot configure thresholds for temperature alarms and power voltage alarms; they can only be queried by running commands. On the ZXR10 ZSR V2, run the following commands to view shelf management temperature alarms and power voltage alarms.

Command: ZXR10#show temperature detail [<shelf>][<slot>]
Function: Displays temperature at the temperature measuring point of each board.

Command: ZXR10#show logging alarm type-id temperature
Function: Displays the temperature alarms.

Command: ZXR10#show power [<shelf>][<slot>]
Function: Displays power information.

Command: ZXR10#show logging alarm type-id power
Function: Displays power alarms.

End of Steps

7.3 Alarm Function Configuration Example


Configuration Description
As shown in Figure 7-1, a PC is connected to R1. Users can view alarm information on
R1.

Figure 7-1 Alarm Function Configuration Example

Configuration Flow
1. Enable the alarm function.
2. Configure alarm levels, levels of alarms printed on a terminal, alarm buffer, alarm
clearing mode when the buffer is full, interval for writing logs, time display mode, and
address of the server to which alarms are sent.
3. Configure alarm Trap, Trap type and address of the server to which Trap messages
are sent.

Configuration Commands
Run the following commands on R1:

R1(config)#logging on
R1(config)#logging level warnings
R1(config)#logging console warnings
R1(config)#logging buffer 200
R1(config)#logging mode fullcycle
R1(config)#logging cmdlog-interval 2880
R1(config)#logging ftp warnings 192.168.154.253 zte zte ztelog
R1(config)#logging timestamps datetime localtime
R1(config)#logging Trap-enable notifications
R1(config)#snmp-server enable Trap
R1(config)#snmp-server version v2c enable
R1(config)#snmp-server host 192.168.154.253 Trap version 2c zte


Configuration Verification
Run the following commands to check alarm configurations. The execution results are
displayed as follows:

R1(config)#show logging configuration


logging on
logging level warnings
logging console warnings
logging Trap-enable notifications
logging buffer 200
logging mode fullcycle
logging alarmlog-interval 10
logging cmdlog-interval 2880
logging timestamps datetime localtime
syslog level notifications
syslog-server facility local0
logging ftp warnings 192.168.154.253 zte zte ztelog
alarm heartbeat-period 0 snmp
alarm heartbeat-period 0 syslog
alarm heartbeat-period 0 ftp
alarm heartbeat-period 0 console
alarm heartbeat-period 0 all
logging nat buffer 1000
logging nat password encrypted
5f942ecb8d1bf9ff5104c77b19c73cb9c14f151612fef1ac1ca09c19fb98ab8d
logging nat file-size 50 file-num 300
logging nat encrypt off
logging nat description-type basemac
logging nat zip on
logging nat terminal local

R1(config)#show snmp config

snmp-server enable Trap snmp


snmp-server enable Trap bgp
snmp-server enable Trap mac
snmp-server enable Trap ospf
snmp-server enable Trap stp
snmp-server enable Trap ppp
snmp-server enable Trap arp
snmp-server enable Trap rmon
snmp-server enable Trap udld
snmp-server enable Trap cfm
snmp-server enable Trap efm
snmp-server enable Trap lacp
snmp-server enable Trap mc-elam
snmp-server enable Trap tcp
snmp-server enable Trap sctp
snmp-server enable Trap stalarm
snmp-server enable Trap cps
snmp-server enable Trap interface
snmp-server enable Trap acl
snmp-server enable Trap fib
snmp-server enable Trap pim
snmp-server enable Trap isis
snmp-server enable Trap rip
snmp-server enable Trap msdp
snmp-server enable Trap aps
snmp-server enable Trap config
snmp-server enable Trap am
snmp-server enable Trap um
snmp-server enable Trap system
snmp-server enable Trap ldp
snmp-server enable Trap pwe3
snmp-server enable Trap vpn
snmp-server enable Trap mpls-oam
snmp-server enable Trap ptp
snmp-server enable Trap tunnel-te
snmp-server enable Trap radius
snmp-server enable Trap dhcp
snmp-server enable Trap bfd
snmp-server enable Trap ippool
snmp-server enable Trap ntp
snmp-server enable Trap ssm
snmp-server enable Trap sqa
snmp-server enable Trap ipsec
snmp-server enable Trap cgn
snmp-server enable Trap vrrp
snmp-server enable Trap ftp_tftp
snmp-server enable Trap ping-trace
snmp-server enable Trap gm
snmp-server engine-id is 830900020300010289d64401
snmp-server host 192.168.154.253 Trap version 2c zte udp-port 162 snmp bgp
mac ospf stp ppp arp rmon udld cfm efm lacp mc-elam tcp sctp stalarm cps
interface acl fib pim isis rip msdp aps config am um system ldp pwe3 vpn
mpls-oam ptp tunnel-te radius dhcp bfd ippool ntp ssm sqa ipsec cgn vrrp
ftp_tftp ping-trace gm
snmp-server packetsize is 8192
snmp-server view AllView internet included
snmp-server view DefaultView system included
snmp-server security dynamic-trust-user idle-timeout 1800
snmp-server version v2c enable
snmp-server input-limit 200

R1(config)#show logging alarm


An alarm 100401 ID 100 level 5 cleared at 06:37:35 03-10-2000 sent
by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit!
Interface = gei-8/5, flowtype = multi-hop-access, current value = 0,
quota value = 100
An alarm 100401 ID 100 level 5 occurred at 06:36:55 03-10-2000
sent by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit!
Interface = gei-8/5, flowtype = multi-hop-access,
current value = 12867, quota value = 100
An alarm 50901 ID 99 level 5 cleared at 06:36:44 03-10-2000 sent
by R1 MPFU-8/0 %LACP% LACP interface active status The interface
(index = 66, name = gei-8/6) turns into ACTIVE
An alarm 150101 ID 96 level 5 cleared at 06:36:44 03-10-2000
sent by R1 MPFU-8/0
%IP% Interface status The interface(index=75,name='smartgroup1')
turned into protocol UP
An alarm 50901 ID 99 level 5 occurred at 06:36:26 03-10-2000
sent by R1 MPFU-8/0
%LACP% LACP interface active status
The interface (index = 66, name = gei-8/6) turns into INACTIVE
An alarm 400123 ID 98 level 2 cleared at 06:36:25 03-10-2000 sent
by R1 MPFU-8/0
%BOARD% Slot offline The slot = 4 is online
--More--

The terminal monitor command displays real-time alarms. The show logging alarm
command displays buffered alarms.
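The current/history distinction from section 7.1 can be recovered from buffered `show logging alarm` output by pairing each "occurred" record with its "cleared" record. The following is an added example, not ZTE code: the sample is constructed in the layout of the listing above, and pairing on alarm code, ID, host and board is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the "show logging alarm" listing.
# Records wrap across several lines and are listed newest first.
SAMPLE = """\
An alarm 100401 ID 100 level 5 cleared at 06:37:35 03-10-2000 sent
by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit!
Interface = gei-8/5, flowtype = multi-hop-access, current value = 0,
quota value = 100
An alarm 100401 ID 100 level 5 occurred at 06:36:55 03-10-2000
sent by R1 MPFU-8/0
%CPS% The upsend packet flow of control plane reached quota limit!
Interface = gei-8/5, flowtype = multi-hop-access,
current value = 12867, quota value = 100
An alarm 50901 ID 99 level 5 occurred at 06:36:26 03-10-2000
sent by R1 MPFU-8/0
%LACP% LACP interface active status
The interface (index = 66, name = gei-8/6) turns into INACTIVE
An alarm 400123 ID 98 level 2 cleared at 06:36:25 03-10-2000 sent
by R1 MPFU-8/0
%BOARD% Slot offline The slot = 4 is online
--More--
"""

RECORD = re.compile(
    r"An alarm (?P<code>\d+) ID (?P<id>\d+) level (?P<level>\d+) "
    r"(?P<state>occurred|cleared) at (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<date>\d{2}-\d{2}-\d{4}) sent by (?P<host>\S+) (?P<board>\S+) "
    r"%(?P<module>[^%]+)% (?P<text>.*)"
)


def parse_alarms(raw):
    """Turn wrapped CLI output into one dict per alarm record."""
    lines = [ln.strip() for ln in raw.splitlines()]
    flat = " ".join(ln for ln in lines if ln and ln != "--More--")
    records = []
    # A new record starts at every "An alarm <code> ID <id> level".
    for chunk in re.split(r"(?=An alarm \d+ ID \d+ level )", flat):
        m = RECORD.match(chunk.strip())
        if not m:
            continue  # empty leading chunk or a record cut off by the pager
        rec = m.groupdict()
        for field in ("code", "id", "level"):
            rec[field] = int(rec[field])
        # The guide gives the date format as mm-dd-yyyy.
        rec["when"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%m-%d-%Y %H:%M:%S")
        rec["text"] = rec["text"].strip()
        records.append(rec)
    return records


def correlate(records):
    """Return (current, history, orphan_clears).

    current        occurred, no later clear in the buffer (still active)
    history        (occurred, cleared) pairs
    orphan_clears  clears whose occurrence is no longer in the buffer
    """
    open_alarms, history, orphan_clears = {}, [], []
    # Oldest first; at equal timestamps handle "occurred" before "cleared".
    ordered = sorted(records, key=lambda r: (r["when"], r["state"] == "cleared"))
    for rec in ordered:
        key = (rec["code"], rec["id"], rec["host"], rec["board"])  # assumed key
        if rec["state"] == "occurred":
            open_alarms[key] = rec
        elif key in open_alarms:
            history.append((open_alarms.pop(key), rec))
        else:
            orphan_clears.append(rec)
    # Level 1 is the most severe in this guide, so sort ascending.
    current = sorted(open_alarms.values(), key=lambda r: r["level"])
    return current, history, orphan_clears


if __name__ == "__main__":
    current, history, orphans = correlate(parse_alarms(SAMPLE))
    for rec in current:
        print("ACTIVE", rec["when"], rec["level"], rec["module"], rec["text"])
    for raised, cleared in history:
        print("CLEARED after", cleared["when"] - raised["when"], raised["module"])
    print("clears without a buffered occurrence:", len(orphans))
```

Clears without a matching occurrence mean the buffer no longer holds the start of the event, so the buffer alone cannot give the full timeline.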



Chapter 8
SYSLOG Configuration
Table of Contents
SysLog Overview
Configuring Syslog
Syslog Configuration Example

8.1 SysLog Overview


SysLog is a log format used to record the character text to be printed. It originated in the UNIX operating system, where it is used to record system logs.
The log format consists of the following three parts:
• PRI: It is composed of angle brackets and numbers. The numbers represent the module ID and the severity. The range of the module ID is 0–23. The range of the severity is 1–8, where 1 is the most severe and 8 is the least severe.
• HEADER: It is composed of the time and the host name.
• MSG: It is the detailed content.
SysLog sends data packets to the SysLog server by using UDP. The default port is 514 and the size of a UDP packet is less than 1024 bytes.
After the SysLog function is enabled, the system decides whether to report an alarm message to the SysLog server according to the alarm level.

8.2 Configuring Syslog


This procedure describes how to configure the Syslog function.

Steps
1. Configure the Syslog function.

Step 1
Command: ZXR10(config)#syslog level <level>
Function: Sets the level in global configuration mode for reporting alarms to the Syslog server. Alarms whose levels are higher than or equal to the set level are reported to the Syslog server.

Step 2
Command: ZXR10(config)#syslog-server facility <facility>
Function: Configures the reporting source of Syslog messages. Range: ftp, ntp, user, and so on, default: local0.

Step 3
Command: ZXR10(config)#syslog-server source {ipv4|ipv6}<source-ip>
Function: Configures the source address of reporting Syslog messages. Type: IPv4 or IPv6.

Step 4
Command: ZXR10(config)#syslog-server host [vrf <vrf-name>]<server-ip>[fport <fport>][lport <lport>][alarmlog][cmdlog][debugmsg][servicelog][braslog][natlog]
Function: Configures Syslog parameters including the IP address and port number of the Syslog server, the port number of the client, and the type of sent logs.

<level>: the lowest alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1), default: NOTIFICATIONS.
<server-ip>: IP address of the Syslog server, type: IPv4 or IPv6.
<fport>: remote port number, range: 1–65535, default: 514.
<lport>: local port number, range: 514, 1024–65535, default: 514.
[alarmlog][cmdlog][debugmsg][servicelog][braslog][natlog]: type of logs reported to the Syslog server.
2. Verify the configurations.

Command: ZXR10#show logging configuration
Function: Displays all Syslog configurations.

Command: ZXR10#show running-config alarm [all ||{begin | exclude | include}<line>]
Function: Displays all Syslog configurations by using a regular expression.

End of Steps

8.3 Syslog Configuration Example


Configuration Description
The Syslog function sends alarms to the Syslog server in the specified format. After the Syslog function is configured on the ZXR10 ZSR V2, alarms are sent to the Syslog server, as shown in Figure 8-1.


Figure 8-1 Syslog Configuration Example Topology

Configuration Flow
1. Connect the Syslog server to the ZXR10 ZSR V2.
2. Configure the interface on the Syslog server and the interface on the ZXR10 ZSR V2,
which are directly connected in the same network segment.
3. Configure the Syslog server alarm level.
4. Configure the Syslog type.
5. Specify the address of the Syslog server.

Configuration Command
Run the following commands on the ZXR10 ZSR V2:
R1(config)#interface gei-2/1
R1(config-if-gei-2/1)#no shutdown
R1(config-if-gei-2/1)#ip address 1.1.1.2 255.255.255.0
R1(config-if-gei-2/1)#exit

R1(config)#syslog level warnings
/*Configures the alarm level of Syslog as WARNINGS*/
R1(config)#syslog-server facility syslog
/*Configures the type of Syslog as syslog*/
R1(config)#syslog-server host 1.1.1.1
/*Configures the IP address of the Syslog server*/

Configuration Verification
Run the show command to check the configurations. The execution result is displayed as
follows:
R1(config)#show running-config alarm

!<ALARM>
syslog level warnings
syslog-server facility syslog
syslog-server host 1.1.1.1 alarmlog cmdlog debugmsg servicelog
braslog natlog
!</ALARM>
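The verification listings in sections 7.3 and 8.3 show that the FTP login and the SNMP community appear in readable form in the configuration, and that alarms leave the device over FTP, SNMPv2c and UDP Syslog. The following is an added example, not ZTE code, that audits such listings for these exposures; the rule names are made up for this example, and the second test input in the usage is constructed.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line_no detail")

# Lines in the form shown in the verification output of sections 7.3 and 8.3
# (wrapped lines re-joined, trap module list shortened).
SAMPLE_CONFIG = """\
logging on
logging level warnings
logging ftp warnings 192.168.154.253 zte zte ztelog
logging Trap-enable notifications
snmp-server version v2c enable
snmp-server host 192.168.154.253 Trap version 2c zte udp-port 162 snmp bgp
syslog level warnings
syslog-server facility syslog
syslog-server host 1.1.1.1 alarmlog cmdlog debugmsg servicelog braslog natlog
"""

# logging ftp <level>[ vrf <vrf-name>]<ip-address><username><password>[<filename>]
FTP_RE = re.compile(
    r"^logging ftp (?P<level>\S+)(?: vrf (?P<vrf>\S+))? (?P<ip>\S+) "
    r"(?P<user>\S+) (?P<password>\S+)(?: (?P<file>\S+))?$")
TRAP_RE = re.compile(
    r"^snmp-server host (?P<ip>\S+) trap version (?P<ver>\S+) (?P<community>\S+)",
    re.IGNORECASE)
# syslog-server host [vrf <vrf-name>]<server-ip>[fport ..][lport ..][log types]
SYSLOG_RE = re.compile(
    r"^syslog-server host (?:vrf (?P<vrf>\S+) )?(?P<ip>\S+)(?P<rest>(?: \S+)*)$")
LOG_TYPES = {"alarmlog", "cmdlog", "debugmsg", "servicelog", "braslog", "natlog"}


def audit(config_text):
    """Return findings for a logging/SNMP/Syslog listing; secrets are never echoed."""
    findings = []
    secrets = {}  # secret value -> set of places it is used
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()

        m = FTP_RE.match(line)
        if m:
            findings.append(Finding(
                "FTP-CLEARTEXT", no,
                f"alarm files go to {m['ip']} over FTP; the login is sent "
                "unencrypted and the password is readable in the configuration"))
            if m["password"] == m["user"]:
                findings.append(Finding(
                    "FTP-PASS-EQ-USER", no,
                    "FTP password is identical to the username"))
            secrets.setdefault(m["password"], set()).add("FTP password")
            continue

        m = TRAP_RE.match(line)
        if m and m["ver"].lower() in ("1", "2c"):
            findings.append(Finding(
                "SNMP-COMMUNITY", no,
                f"traps to {m['ip']} use SNMPv{m['ver']}; the community "
                "string is sent in cleartext"))
            secrets.setdefault(m["community"], set()).add("SNMP community")
            continue

        m = SYSLOG_RE.match(line)
        if m:
            findings.append(Finding(
                "SYSLOG-UDP", no,
                f"logs to {m['ip']} use Syslog over UDP, which is neither "
                "authenticated nor encrypted"))
            listed = set(m["rest"].split()) & LOG_TYPES
            if listed and "cmdlog" not in listed:
                findings.append(Finding(
                    "SYSLOG-NO-CMDLOG", no,
                    "command logs are not forwarded, so the record of "
                    "operator commands stays only on the device"))

    for uses in secrets.values():
        if len(uses) > 1:
            findings.append(Finding(
                "SECRET-REUSE", 0,
                "the same string is used as " + " and ".join(sorted(uses))))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.rule:18} line {f.line_no}: {f.detail}")
```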



Chapter 9
RMON Configuration
Table of Contents
RMON Overview
Configuring RMON
RMON Configuration Example

9.1 RMON Overview


As an important enhanced function of SNMP, Remote Network Monitoring (RMON) can monitor overall subnet traffic information on Ethernet and token ring networks.
The RMON module provides the following functions:
• Configured with the statistics function, it monitors the basic traffic of the specified subnet.
The traffic information refers to traffic data regularly obtained by RMON.
• Configured with the history function, it records traffic information on the specified subnet during the specified interval.
A short sampling interval can be configured to view a sudden traffic change on a subnet. A long interval can be configured to view long-term traffic status of a subnet.
• Configured with the event function, it handles alarm messages by recording them and/or sending Trap messages, so that network administrators learn of system conditions in time.
• Configured with the alarm function and the corresponding event function, it shows the changes of specified variables such as sysUpTime.0, which is a MIB variable.
For example, if an alarm item is configured with a threshold of 500, then 500 or more CRC errors within 5 min trigger an alarm. In this case, if the corresponding event is configured as sending a Trap message, a Trap message is sent to the Trap server.
To send Trap messages successfully, you also need to correctly set the IP address of the Trap server and a community string for SNMP, and to enable the SNMP Trap sending function.

9.2 Configuring RMON


This chapter describes how to configure the RMON function.

Steps
1. Configure an event that triggers the RMON alarm.

Step 1
Command: ZXR10(config)#rmon
Function: Enters RMON mode from configuration mode.

Step 2
Command: ZXR10(config-rmon)#rmon event <index-number>[{[log],[Trap <snmp-name>],[description <event-description>],[owner <event-owner>]}]
Function: Configures an event to log alarms and/or send Trap messages.

Step 3
Command: ZXR10(config-rmon)#rmon alarm <index-number><mib-subtree-id><monitor-seconds>{delta | absolute} rising-threshold <rising-thershold-limit>[<outlimit-index-number>] falling-threshold <limit-falling-thershold>[<outlimit-index-number>][owner <alarm-owner>]
Function: Sets a MIB object and alarm events that are triggered for exceeding upper and lower thresholds. Range: upper threshold alarm, lower threshold alarm, upper or lower threshold alarm.

<index-number>: index number, range: 1–65535.
log: identification of recording logs.
<snmp-name>: community string used for sending Trap messages, range: 1–32 characters.
<event-description>: simple description of this event, range: 1–127 characters, default: zte.
<event-owner>: creator of this event, range: 1–31 characters, default: config.
<mib-subtree-id>: MIB variable to be monitored, range: 1–64 characters. It must be a MIB variable that can be converted into an integer.
<monitor-seconds>: time of monitoring the above MIB variable, unit: second, range: 10–2147483.
delta: comparing the delta with the threshold.
absolute: comparing the selected variable value with the threshold.
rising-threshold: rising threshold.
<rising-thershold-limit>: rising threshold of sample statistics, range: -2147483648–2147483647.
<outlimit-index-number>: number of the event triggered for exceeding the rising limit, range: 1–65535.
falling-threshold: falling threshold.
<limit-falling-thershold>: falling threshold of sample statistics, range: -2147483648–2147483647.
<outlimit-index-number>: number of the event triggered for exceeding the falling limit, range: 1–65535.
<alarm-owner>: creator of this alarm, range: 1312 characters, default: config.
2. Configure RMON statistics or history.

Step 1
Command: ZXR10(config)#rmon
Function: Enters RMON mode from configuration mode.

Step 2
Command: ZXR10(config-rmon)#interface <interface-name>
Function: Enters RMON interface mode from RMON mode.

Step 3
Command: ZXR10(config-rmon-interface)#rmon collection statistics <index-number>[owner <statistics-owner>]
Function: Enables the interface statistics function (only applicable to Ethernet interfaces).
Command: ZXR10(config-rmon-interface)#rmon collection history <index-number>[buckets <bucket-number>][interval <interval-seconds>][owner <history-owner>]
Function: Enables the interface history collection function (only applicable to Ethernet interfaces).

<interface-name>: interface name, only supporting an Ethernet interface.
<index-number>: index number, range: 1–65535.
<statistics-owner>: the creator of the statistics, range: 1–31 characters, default: monitor.
<bucket-number>: the size of the requested loop bucket, default: 50, range: 1–100.
<event-owner>: the creator of the event, range: 1–31 characters, default: config.
<interval-seconds>: sampling interval, unit: second, range: 10–3600, default: 1800. It is recommended to use 30 s and 1800 s to collect short-term and long-term network traffic changes respectively.
<history-owner>: the creator of this line of history, range: 1–31 characters, default: monitor.
3. Verify the configurations.

Command: ZXR10(config)#show rmon [[events],[history],[alarms],[statistics]]
Function: Displays RMON configurations and version information.

Command: ZXR10(config)#show running-config rmon [all ||{begin | exclude | include}<line>]
Function: Displays RMON configurations.

End of Steps

9.3 RMON Configuration Example


Configuration Description
As shown in Figure 9-1, it is required to enable the RMON function, monitor the traffic of the gei-3/2 interface on the ZXR10 2800-4, and provide the following functions:
• Collecting real-time and history statistics on traffic and the numbers of various types of packets.
• Monitoring the number of bytes of outgoing traffic, and recording a log if the traffic per minute exceeds the set value.
• Monitoring the number of incoming broadcast and multicast packets, and actively sending an alarm to the NMS if the number of received broadcast and multicast packets exceeds the set value.

Figure 9-1 RMON Configuration Example

Configuration Flow
1. Enable SNMP to allow sending Trap packets, and set the destination IP address and
community name.
2. Configure the RMON statistics table.
3. Configure the RMON history table.
4. Configure the RMON event table.
5. Configure the RMON alarm table.

Configuration Commands
Run the following commands on the ZXR10:

ZXR10(config)#snmp-server version v2c enable
ZXR10(config)#snmp-server enable Trap RMON
ZXR10(config)#snmp-server host 1.0.0.1 Trap version 2c zte rmon
/* Configures SNMP. */
ZXR10(config)#rmon
ZXR10(config-rmon)#interface gei-3/2
ZXR10(config-rmon-if)#rmon collection statistics 1 owner zte
/* Configures the RMON statistics table. */
ZXR10(config-rmon-if)#rmon collection history 1 buckets 10 interval 60 owner zte
/* Configures the RMON history table with the 60 s sampling period. */
ZXR10(config-rmon-if)#exit
ZXR10(config-rmon)#rmon event 1 description outboundocts log owner zte
ZXR10(config-rmon)#rmon event 2 description inboundnonuni Trap zte owner zte
/* Configures the RMON event table. Event 1 records logs. Event 2 sends Trap messages. */
ZXR10(config-rmon)#rmon alarm 1 1.3.6.1.2.1.2.2.1.16.12 60 absolute rising-threshold 10000000 1 falling-threshold 2000000 1 owner zte
ZXR10(config-rmon)#rmon alarm 2 1.3.6.1.2.1.2.2.1.12.12 60 absolute rising-threshold 500 2 falling-threshold 100 2 owner zte
/* Configures the RMON alarm table. Alarm 1 monitors the number of bytes sent by
the gei-3/2 interface and triggers event 1 if the threshold is exceeded. Alarm 2
monitors the total number of multicast and broadcast packets and triggers event 2
if the threshold is exceeded.
In this example, 1.3.6.1.2.1.2.2.1.16 is the OID of the ifOutOctets node,
1.3.6.1.2.1.2.2.1.12 is the OID of the ifInNUcastPkts node, and 12 is the index of
the gei-3/2. */

Configuration Verification
Run the following command to view RMON configurations. The execution result is
displayed as follows:
ZXR10#show running-config rmon
rmon
rmon alarm 1 1.3.6.1.2.1.2.2.1.16.12 60 absolute rising-threshold
10000000 1 falling-threshold 2000000 1 owner zte
rmon alarm 2 1.3.6.1.2.1.2.2.1.12.12 60 absolute rising-threshold
500 2 falling-threshold 100 2 owner zte
rmon event 1 log description outboundocts owner zte
rmon event 2 Trap zte description inboundnonuni owner zte
interface gei-3/2
rmon collection history 1 buckets 10 interval 60 owner zte
rmon collection statistics 1 owner zte
$
$
!</rmon>

Run the following command to view information on the RMON statistics table. The
execution result is displayed as follows:
ZXR10#show rmon statistics
etherStatsEntry 1 is valid, and owned by monitor
Monitors ifEntry.1.12 (gei-3/2) which has
Received 2661384683 octets, 11170112 packets,
4226009 broadcast and 1032634 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Packets received (in octets):
64:3528697, 65-127:2610624, 128-255:432346,
256-511:268806, 512-1023:193397, 1024-1518:4136242

Run the following command to view information on the RMON history table. The execution
result is displayed as follows:
ZXR10#show rmon history

historyControlEntry 1 is valid, and owned by zte
Monitors ifEntry.1.12 (gei-3/2) every 60 seconds
Requested buckets is 10
Granted buckets is 10
Sample #1 began measuring at 0w4d,03:55:43
Received 131180 octets, 1519 packets,
1121 broadcast and 167 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 2
Sample #2 began measuring at 0w4d,03:56:43
Received 138272 octets, 1609 packets,
1416 broadcast and 112 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 2
Sample #3 began measuring at 0w4d,03:57:43
Received 81578 octets, 954 packets,
762 broadcast and 138 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 1
Sample #4 began measuring at 0w4d,03:58:43
Received 68438 octets, 822 packets,
720 broadcast and 72 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Network utilization is estimated at 1

Run the following command to view information on the RMON event table. The execution
result is displayed as follows:

ZXR10#show rmon events


Event 1 is valid, and owned by zte
Description is outboundocts
Event firing causes log , last fired 0w4d,03:56:54
Current log entries:
Index Time Description


1 0w4d,03:56:54 outboundocts
Event 2 is valid, and owned by zte
Description is inboundnonuni
Event firing causes trap to community/user zte, last fired 0w4d,03:57:12
Current log entries:
Index Time Description

Run the following command to view information on the RMON alarm table. The execution
result is displayed as follows:
ZXR10#show rmon alarms
Alarm 1 is valid, and owned by zte
Monitors ifEntry.16.12, every 60 second(s)
Taking absolute samples, last value was 13414607
Rising-threshold is 10000000, assigned to event 1
Falling-threshold is 2000000, assigned to event 1
On startup enable rising or falling alarm
Alarm 2 is valid, and owned by zte
Monitors ifEntry.12.12, every 60 second(s)
Taking absolute samples, last value was 5580876
Rising-threshold is 500, assigned to event 2
Falling-threshold is 100, assigned to event 2
On startup enable rising or falling alarm



Chapter 10
Clock and Clock Synchronization
Table of Contents
NTP Configuration
Physical POS Interface Clock Configuration

10.1 NTP Configuration


10.1.1 NTP Overview
NTP Introduction
In network applications, the clocks of network members need to be synchronized. There is
normally a discrepancy of one or more minutes between the clocks of different systems. In a
large-scale network, the system administrator cannot adjust the system clocks manually one by one.
Network Time Protocol (NTP) is a time synchronization protocol applied to different network
members. NTP devices synchronize their clocks by exchanging NTP packets, which keeps their
clocks consistent.

NTP Client
Figure 10-1 shows the main principle of NTP client.

Figure 10-1 NTP Client Work Flow

1. The client regularly sends NTP time request packets to the configured clock server
and waits for responses.
2. After receiving an NTP response packet, the NTP client inspects the packet, extracts the
corresponding time, calculates the time offset and sets the local clock.


NTP Server
After a device is configured as an NTP server, it listens on UDP port 123 for NTP time
request packets coming from clients, adds its time information to an NTP time response
packet and sends the packet to the client.
ZXR10 ZSR V2 can act as NTP server and client at the same time. That is to say, it can
receive time request packets coming from other servers and send its own time information
to other clients, see Figure 10-2.

Figure 10-2 NTP Server and Client

10.1.2 Configuring NTP


This procedure describes how to configure the NTP server and NTP client functions on
the ZXR10 ZSR V2.

Steps
1. Configure the NTP Server function.

Step 1
Command: ZXR10(config)#ntp enable
Function: Enables the NTP function.

Step 2
Command: ZXR10(config)#ntp master <stratum>
Function: Configures the NTP server level, range: 1-15. The smaller the value, the more reliable the NTP time published by the server.

2. Configure the NTP Client function.

Step 1
Command: ZXR10(config)#ntp enable
Function: Enables the NTP function.

Step 2
Command: ZXR10(config)#ntp server [{vrf <vrf-name>| mng]<ip-address> priority <level>[version <number>]|[key <key-number>]|[lock | unlock ]
Function: Defines a time server on the client. The IP address and priority are required. Other parameters are optional.


Step 3
Command: ZXR10(config)#ntp source ipv4 <ip-address>
Function: Configures the source IP address of packets sent by NTP on the client. The source IP address, which is in dotted decimal format, is available for the client only.

Step 4
Command: ZXR10(config)#ntp poll-interval <interval>
Function: Configures the time interval of requesting packets sent by NTP. Range: 4-14 (2^n). For example, if 4 is configured, the time interval is 16 seconds.

<ip-address> and priority <1-5> are required. Other parameters are optional.

version <number>: NTP version number, range: 1-4, default: 3 (in IPv4).
key <key-number>: effective key, range: 1-4294967295.
priority <level>: priority value, range: 1-5. The priority of each server is different.

[ lock | unlock ]: whether the server is locked, default: unlock.

3. Configure the NTP authentication function.

Step 1
Command: ZXR10(config)#ntp authenticate
Function: Enables the NTP authentication function. Only when the key specified by the NTP server is successfully configured, can the NTP authentication function be effective.

Step 2
Command: ZXR10(config)#ntp authentication-key <key-number> md5 {clear <clear-word>|encrypted <encrypted-word>}
Function: Sets the NTP authentication key and the corresponding verification code.

Step 3
Command: ZXR10(config)#ntp trusted-key <key-number>
Function: Configures the trusted key number for NTP authentication.

<key-number>: encrypted key number, range: 1-4294967295.

<clear-word>: MD5 clear text authentication code, range: 1-16 characters.

<encrypted-word>: MD5 cipher text authentication code, range: 1-24 characters.


The NTP authentication function consists of two parts: server and client. When
configuring this function, comply with the following rules:

- If the NTP authentication function is enabled, an NTP MD5 key should be
configured, and the key should be set to a trusted key. Otherwise, the NTP
authentication function cannot be enabled.
- If the NTP authentication function is not enabled on the client and other
configurations are correct, the client can be synchronized with the server
(whether the NTP authentication function is enabled on the server or not). If
the NTP authentication function is enabled on the client, the client can only be
synchronized with a server that provides a trusted key.
- Configurations on the server and those on the client should be consistent.

4. Verify the configurations.

Command: ZXR10#show running-config ntp
Function: Displays NTP configurations.

Command: ZXR10#show ntp status
Function: Displays NTP status attributes.

Command: ZXR10#show clock
Function: Displays the system clock.

End of Steps
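The client-side authentication rules from step 3, worked through as an added Python example (not ZTE code and not part of the original guide). It assumes the device follows the standard NTP symmetric-key layout, where the 48-byte header is followed by a 4-byte key number and MD5(key || header); the key number, key word and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header without extension fields
MAC_LEN = 4 + 16     # key number (32 bits) + MD5 digest (128 bits)


def sample_server_header():
    """Constructed 48-byte server reply: LI=0, VN=3, mode=4 (server), stratum 1."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, 1, 4, -20, 0, 0, b"LOCL",
                       0xD70A3C0000000000, 0xD70A3C1000000000,
                       0xD70A3C1080000000, 0xD70A3C1080001000)


def md5_digest(key, header):
    """Keyed MD5 of NTP symmetric-key authentication: MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def build_reply(header, key_id=None, key=None):
    """Server side: append key number and digest only when a key is configured."""
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + md5_digest(key, header)


def client_accepts(packet, authenticate, keys, trusted_ids):
    """Apply the client rules: returns (accepted, reason).

    authenticate -- True when 'ntp authenticate' is configured on the client
    keys         -- {key number: key bytes}, as set by 'ntp authentication-key'
    trusted_ids  -- key numbers marked by 'ntp trusted-key'
    """
    if len(packet) not in (HEADER_LEN, HEADER_LEN + MAC_LEN):
        return False, "malformed length"
    if not authenticate:
        # Client without authentication synchronizes whether or not the
        # server attached a digest.
        return True, "authentication disabled on client"
    if len(packet) == HEADER_LEN:
        return False, "no digest present"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_ids:
        return False, "key number not trusted"
    key = keys.get(key_id)
    if key is None:
        return False, "key not configured"
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(md5_digest(key, header), mac[4:]):
        return False, "digest mismatch"
    return True, "authenticated"


if __name__ == "__main__":
    keys = {1: b"ExampleKey01"}          # constructed key number and key word
    header = sample_server_header()
    signed = build_reply(header, 1, keys[1])
    tampered = bytearray(signed)
    tampered[40] ^= 0x01                 # flip one bit in the transmit timestamp
    cases = [("signed, key 1 trusted", signed, True, {1}),
             ("unsigned reply", header, True, {1}),
             ("signed, key 1 not trusted", signed, True, set()),
             ("tampered timestamp", bytes(tampered), True, {1}),
             ("unsigned, client auth off", header, False, set())]
    for label, pkt, auth, trusted in cases:
        print(label, "->", client_accepts(pkt, auth, keys, trusted))
```

With authentication enabled on the client, only the reply carrying a digest under a trusted key number is accepted; an unsigned or modified reply is rejected, which is the property that keeps an off-path or spoofed server from steering the clock.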

10.1.3 NTP Configuration Examples


10.1.3.1 NTP working as a Client

Configuration Description
NTP is used to synchronize the clocks of different network members. As shown in Figure
10-3, the NTP client can synchronize the clock with the NTP server.

Figure 10-3 NTP Working as a Client

Configuration Flow
1. Connect the NTP server to the router.
2. Enable NTP.
3. Configure the address of the NTP server.


Configuration Command
Configuration on R1:
R1(config)#ntp enable
R1(config)#ntp server 192.168.5.93 priority 1

Configuration Verification
After the configuration, use the show command to check the configuration.

R1#show running-config ntp


! <ntp>
ntp server 192.168.5.93 priority 1
ntp enable
! </ntp>

10.1.3.2 NTP Working as a Server

Configuration Description
The function of NTP is to synchronize clocks of different network members. As shown in
Figure 10-4, NTP works as a server to provide synchronization information for the client.

Figure 10-4 NTP Working as a Server

Configuration Flow
1. Enable NTP on R1, and configure the address of the NTP server.
2. Enable NTP on R2, and configure a level of the NTP server.

Configuration Command
The configuration on R1:

R1(config)#ntp enable
R1(config)#ntp server 192.168.5.93 priority 1

The configuration on R2:


R2(config)#ntp enable
R2(config)#ntp master 1


Configuration Verification
Use the show running-config ntp command on the client and the server to view
configuration. Use the show ntp status command on the client to view the IP address and
the clock of the reference clock (R2). Use the show clock command on the client. The
clock has been synchronized with the clock on the server.

10.2 Physical POS Interface Clock Configuration


10.2.1 Physical POS Interface Clock
Clock Synchronization
The first problem to resolve in a digital network is clock synchronization. Clock
synchronization keeps the clock frequency and phase of each network node within
a predefined error tolerance range. The sending and receiving ends can then
extract/send messages at a specified time, which avoids transmission performance degradation
(error codes and jitters) due to location inaccuracy in the digital transmission system.

Clock Synchronization Modes


Two clock synchronization modes are provided: pseudo synchronization and master-slave
synchronization.
- In pseudo synchronization, the digital exchanges in the digital
switching network have different clocks that are independent of each other. Each clock is a
caesium atomic clock with very high accuracy and stability. Because these clocks
are highly accurate, their frequencies and phases, although different, are very
close. This is pseudo synchronization.
- In master-slave synchronization, a master clock exchange with a highly accurate
clock is defined in the network, and all other exchanges are controlled
by this exchange (they track the clock of the master exchange and take the
master exchange clock as the reference). Each of these exchanges is in turn controlled by
its upper-level exchange, down to the end NE, the terminating exchange.
In general, pseudo synchronization is used in an international digital network, that is,
in the digital network between two countries. For example, if two
international exchanges in China and America have their own caesium atomic clocks, the
two exchanges use the pseudo synchronization mode.
Master-slave synchronization is used in digital networks within a country or region. The
master-slave synchronization clocks in the SDH network can be classified into four levels
by accuracy, corresponding to different usage ranges:
- The master clock used as the time reference of the global network
- Slave clocks used in forwarding exchanges
- Slave clocks used in local exchanges
- Clocks used in the SDH (clocks built into the SDH)


Clock Extraction Modes


Clocks can be extracted in two ways:
- Extracting a clock from the specified clock synchronization circuit which is independent
of the equipment, for example, the BITS interface.
- Extracting a clock from a line, for example, 8K clock signals recovered from the
SDH/POS interface.

10.2.2 Configuring a Physical POS Interface Clock


This procedure describes how to configure a physical POS interface clock.

Steps
1. Configure a physical POS interface clock.

Step 1
Command: ZXR10(config)#interface <interface-name>
Function: Enters the POS interface.

Step 2
Command: ZXR10(config-if-interface-name)#clock mode internal | line
Function: Configures the clock mode to internal or line. Default: internal.

Step 3
Command: ZXR10(config)#controller <interface-name>
Function: Enters controller configuration mode of the CPOS.

Step 4
Command: ZXR10(config-ctrl-interface-sdh-tug3-e1)#framing sdh
Function: Configures the SDH frame format in controller mode.

Step 5
Command: ZXR10(config)#clock mode internal | line
Function: Configures the clock mode to internal or line in E1 mode. Default: internal.

2. Verify the configuration result.

Command: ZXR10#show interface <interface-name>
Function: Shows the mode configured for the POS interface clock.

End of Steps

10.2.3 Physical POS-Interface Clock Configuration Instance


Configuration Description
The purpose of configuring a POS-interface clock is to synchronize the clock between
different network members, see Figure 10-5.


Figure 10-5 Physical POS Interface Clock Configuration Instance

Configuration Flow
1. Inter-connect the routers.
2. Enter POS-interface clock configuration mode.

Configuration Command
Configurations on router R1:
R1(config)#interface pos3-1/1
R1(config-if-pos3-1/1)#no shutdown
R1(config-if-pos3-1/1)#clock mode line
R1(config-if-pos3-1/1)#exit

Configurations on router R2:


R2(config)#interface pos3-1/1
R2(config-if-pos3-1/1)#no shutdown
R2(config-if-pos3-1/1)#exit
/*Three clock modes can be configured for two ends of the directly-connected POS interface:
internal-internal, internal-line, line-internal.
Note that the line-line mode is unavailable.*/

Configuration Verification
After the configuration is completed, run the show command to verify the configurations:
R1(config-if-pos3-1/1)#show interface pos3-1/1
pos3-1/1 is down, line protocol is down
Description is none
Hardware is Packet Over SONET/SDH
Internet address is unassigned
IP MTU 4470 bytes
MTU 4600 bytes
BW 155520 Kbits
MPLS MTU 4470 bytes
Physical layer is Packet over (SDH)
Holdtime is 120 sec(s)
CRC 32
Loopback cancel
Clock Source: line
Scramble enable
Encapsulation PPP


Keepalive set: 10 sec(s)


LCP INITIAL, IPCP INITIAL, BCPINITIAL, IPV6CP INITIAL
MPLSCP INITIAL, OSINLCP INITIAL
Last Clear Time : 2000-04-02 01:49:43 Last Refresh Time:2000-04-02 01:49:43
120s input rate : 0Bps 0Pps
120s output rate: 0Bps 0Pps
Intf utilization: input 0% output 0%
HardWareCounters:
In_Bytes 0 In_Packets 0
In_Abort 0 In_OverFlow N/A
In_Runt 0 In_Giant 0
R2(config-if-pos3-1/1)#show interface pos3-1/1
pos3-1/1 is down, line protocol is down
Description is none
Hardware is Packet Over SONET/SDH
Internet address is unassigned
IP MTU 4470 bytes
MTU 4600 bytes
BW 155520 Kbits
MPLS MTU 4470 bytes
Physical layer is Packet over (SDH)
Holdtime is 120 sec(s)
CRC 32
Loopback cancel
Clock Source: internal
Scramble enable
Encapsulation PPP
Keepalive set: 10 sec(s)
LCP INITIAL, IPCP INITIAL, BCPINITIAL, IPV6CP INITIAL
MPLSCP INITIAL, OSINLCP INITIAL
Last Clear Time : 2000-04-02 01:49:43 Last Refresh Time:2000-04-02 01:49:43
120s input rate : 0Bps 0Pps
120s output rate: 0Bps 0Pps
Intf utilization: input 0% output 0%
HardWareCounters:
In_Bytes 0 In_Packets 0
In_Abort 0 In_OverFlow N/A
In_Runt 0 In_Giant 0



Chapter 11
Performance Statistics
Table of Contents
Performance Management Overview
Performance Management Configuration
Performance Management Configuration Example

11.1 Performance Management Overview


Performance management provides the following main functions:
- It accepts login or logout requests coming from service modules and collects
performance data according to the registered performance entries.
- It calculates and saves performance data according to the collection interval.
- It raises an alarm when a collected performance value exceeds the configured alarm
threshold value. It cancels the alarm when the collected performance value is below
the configured alarm threshold value.
Performance management uses an agent-server structure, which is composed of PMServer,
PMAgent and PMClient.
- PMServer resides in the R-CPU.
- Every daughter-card has a PMAgent, and each PMAgent acts as an independent
process.
- PMClient resides in every application module.
The service modules of daughter-cards interact with each other by sending messages
between PMClient and PMAgent. In this way, an application module can log in, log off or
report performance values to performance management.

Some applications use PMServer to mount a CallBack function. After
registration information is modified, PMServer completes the virtual registration or registration cancellation,
and refreshes performance values after the member interface data bound to these service
types changes.

11.2 Performance Management Configuration


This procedure describes how to configure the performance management function.

Steps
1. Configure performance management.


Step 1
Command: ZXR10(config)#intf-statistics
Function: Enters interface statistic configuration mode.

Step 2
Command: ZXR10(config-intf-statistics)#one_minute_peak_value {disable | enable}{<interface-name>| default}
Function: Enables or disables the switch to control the one-minute peak-value counter on a specific Ethernet interface or all Ethernet interfaces.

Command: ZXR10(config-intf-statistics)#one_minute_peak_value_clear [<interface-name>]
Function: Clears and resets the one-minute peak-value counter on a specific Ethernet interface or all Ethernet interfaces.

Step 3
Command: ZXR10(config-intf-statistics)#traffic-statistics {enable | disable}
Function: Enables the interface performance statistic function. Default: enabled.

Step 4
Command: ZXR10(config)#performance data-save-interval {15min,5min}
Function: Sets the period for saving data. Unit: minute, default: 15.

Step 5
Command: ZXR10(config)#performance update-interval <periodreport><interface-checkPtType>
Function: Sets the interval for sampling data from a PMA to a PMS. Default: 10 s. Sets the type of a specified detection point or sets the type of all detection points by using the default configuration.

Step 6
Command: ZXR10#clear statistics interface [<interface-name>]
Function: Clears the performance value of a specific interface or the accumulative performance value of all interfaces.

2. Collect statistics of performance management.

Command: ZXR10#show running-config performance
Function: Displays the configuration information on performance management.

Command: ZXR10# show interface <interface-name>
Function: Displays the state of all interfaces or a specified interface.

Command: ZXR10#show performance one_minute_peak_value [<interface-name>]
Function: Displays the one-minute peak-value of an interface.

Command: ZXR10#show performance data-save-interval
Function: Displays the period for saving history performance data.

Command: ZXR10#show ip traffic
Function: Displays IP statistics information.


Command: ZXR10#show tcp statistics
Function: Displays TCP statistics information.

End of Steps

11.3 Performance Management Configuration Example


Configuration Description
Performance management can modify the interface counter update time or set the counter switch
according to user requirements. As shown in Figure 11-1, traffic is sent from gei-2/1 of R1 to
gei-2/1 of R2.

Figure 11-1 Performance Management Configuration Example Topology Diagram

Configuration Flow
1. Check the counters of interface gei-2/1. To see the new counters, clear the previous counters first.
2. Modify the time interval of sampling data from PMS to PMA to control the counter update
time interval of gei-2/1.

Configuration Command
1. Clear the gei-2/1 interface counters:
ZXR10#clear statistics interface gei-2/1
2. Set the counter update time of physical ports such as gei-2/1 to 30 seconds.
ZXR10(config)#performance update-interval 30s ethernet

Configuration Verification
Check whether the configuration is valid.

ZXR10(config)#show running-config performance


! <performance >
performance update-interval 30s ethernet
! </performance >



Chapter 12
NetFlow Configuration
Table of Contents
NetFlow Overview
Configuring NetFlow
NetFlow Configuration Examples

12.1 NetFlow Overview


NetFlow Introduction
NetFlow is a protocol used to monitor network traffic. A NetFlow application environment
consists of an exporter and a collector. The exporter collects IP data packets and sends
them to the collector. The collector is responsible for analysis.
NetFlow can trace and measure each flow accurately, which enables the following applications:
- Network layout
  NetFlow can collect network flow statistics over a long time. It can therefore
  trace and estimate whether network traffic is increasing or decreasing, so that
  routing devices can be added or removed, or their bandwidth upgraded or downgraded, as
  required. In this way, network operation becomes more reasonable.
- Analyze new application
  NetFlow collects the network usage information of a new application protocol. By
  analyzing this information, network resources can be allocated to the new
  application reasonably.
- Network monitor
  NetFlow can monitor the network in real time. It can help locate a fault by providing
  information when the network fails, and it can find potential network problems.

NetFlow Features
To accomplish network data collection, NetFlow performs the following tasks:

- Configure the NetFlow service on multiple interfaces of a router to collect the packets that
pass through these interfaces. To reduce system load, set a sample rate on both
ingress and egress of the interfaces. For example, if the sample rate is 2000:1,
one packet is sampled from every 2000 packets. NetFlow can sample unicast, multicast
or Multi Protocol Label Switching (MPLS) packets separately or in combination.
- NetFlow analyzes the sampled packet to obtain the following information:

  - Packet information: for example, source/destination IP address, Type Of
    Service (ToS) field, source/destination TCP/UDP port number.
  - Route information: for example, next hop IP address.
  - Other information: packet ingress/egress interface index, sample direction.
  NetFlow takes the flow as its statistical object. Packets that belong to the same flow
  are summarized and stored. NetFlow v5 uses an octet to define the unique flow, and
  NetFlow v9 permits the user to define the flow. For example, the user can use the
  source and destination IP addresses to define a flow; all packets that
  have those source and destination addresses are then treated as one flow. The
  octet (source and destination IP addresses) is called the key field. The user can also configure
  non-key fields to obtain other information about the flow, such as packet number, bytes
  and next hop IP address.
- NetFlow has a buffer. Sampled packets are first stored in the buffer. The size of every
flow is the sum of all key fields and non-key fields. After a packet is analyzed, NetFlow checks
whether the flow already exists according to its key field.
  - If it already exists, the flow's non-key fields are updated.
  - If it does not exist, the new flow is added to the buffer.
- When a flow stored in the buffer satisfies the following conditions, it is sent to the remote
server.
  - When the buffer is full, all flow information is sent to the server.
  - A flow is inactive if no packet belonging to the flow arrives in a given time. The flow
    is then sent to the server. The given time is called active aging time. It can be configured
    by the user.
  - For a long-term active flow, the statistics are sent to the server once in a
    while. The interval is called inactive aging time. It can be configured by the user.
- At present, ZXR10 ZSR V2 can record flow information in NetFlow v5, NetFlow v8,
NetFlow v9 and IPFIX packets to send to the server.
  - Since the format of NetFlow v5 is fixed, NetFlow v5 only outputs the fixed-field flow
    information.
  - The format of the NetFlow v8 packet is also fixed. Compared with NetFlow v5,
    NetFlow v8 can output multiple types of field flow information. ZXR10 ZSR V2
    supports the v8 Protocol-PortMatrix packet format.
  - NetFlow v9/IPFIX allows the user to customize key fields and non-key fields. The
    NetFlow v9/IPFIX packet is based on modules. A module includes the user-defined
    key fields and non-key fields, and every module has a unique module ID. NetFlow
    sends the module to the server periodically. When a server receives a NetFlow v9/IPFIX
    packet that includes flow information, it finds the corresponding module according
    to the module ID contained in the packet.
- On the NetFlow server, the received flow information is normally stored in a database, and
NetFlow analysis software can analyze the entity data.
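The module lookup described above (a module is a template in NetFlow v9 terms), as an added Python example of the collector side; it is not ZTE code and not part of the original guide. The packet layout and field type numbers follow RFC 3954, while the class name, helper names, addresses and counters are constructed for illustration.

```python
import ipaddress
import struct

# Field type numbers from the NetFlow v9 specification (RFC 3954).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 8: "ipv4_src",
               12: "ipv4_dst", 32: "icmp_type"}
ADDRESS_FIELDS = {8, 12}


class V9Collector:
    """Caches templates per exporter and decodes data FlowSets against them."""

    def __init__(self):
        self.templates = {}    # (source_id, template_id) -> [(type, length), ...]
        self.undecodable = 0   # data FlowSets that arrived before their template

    def feed(self, packet):
        if len(packet) < 20:
            raise ValueError("short packet")
        version, _cnt, _up, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        flows, offset = [], 20
        while offset + 4 <= len(packet):
            set_id, set_len = struct.unpack_from("!HH", packet, offset)
            if set_len < 4 or offset + set_len > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[offset + 4:offset + set_len]
            if set_id == 0:                      # template FlowSet
                self._learn(source_id, body)
            elif set_id >= 256:                  # data FlowSet, id = template id
                flows.extend(self._decode(source_id, set_id, body))
            offset += set_len
        return flows

    def _learn(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, count = struct.unpack_from("!HH", body, pos)
            pos += 4
            if template_id < 256 or pos + 4 * count > len(body):
                break                            # padding or truncated record
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(count)]
            pos += 4 * count
            self.templates[(source_id, template_id)] = fields

    def _decode(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:                       # template not received yet
            self.undecodable += 1
            return []
        record_len = sum(length for _type, length in fields)
        records, pos = [], 0
        while record_len and pos + record_len <= len(body):   # remainder is padding
            rec = {}
            for ftype, length in fields:
                raw, pos = body[pos:pos + length], pos + length
                name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                if ftype in ADDRESS_FIELDS and length == 4:
                    rec[name] = str(ipaddress.IPv4Address(raw))
                else:
                    rec[name] = int.from_bytes(raw, "big")
            if "icmp_type" in rec:               # value is ICMP Type * 256 + ICMP code
                rec["icmp"] = divmod(rec["icmp_type"], 256)
            records.append(rec)
        return records


def flowset(set_id, body):
    pad = -(len(body) + 4) % 4                   # FlowSets are padded to 32 bits
    return struct.pack("!HH", set_id, len(body) + 4 + pad) + body + b"\x00" * pad


def v9_packet(source_id, flowsets):
    header = struct.pack("!HHIIII", 9, len(flowsets), 1000, 1400000000, 1, source_id)
    return header + b"".join(flowsets)


# Constructed template 256: two key-style address fields plus counters.
TEMPLATE = struct.pack("!HH", 256, 6) + b"".join(
    struct.pack("!HH", t, n) for t, n in [(8, 4), (12, 4), (4, 1), (32, 2), (2, 4), (1, 4)])
# Constructed flow: ICMP echo request (type 8, code 0), 3 packets, 252 bytes.
RECORD = struct.pack("!4s4sBHII", ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.7").packed, 1, 8 * 256 + 0, 3, 252)


def demo():
    collector = V9Collector()
    data = v9_packet(7, [flowset(256, RECORD)])
    early = collector.feed(data)                 # no template yet: nothing decoded
    collector.feed(v9_packet(7, [flowset(0, TEMPLATE)]))
    late = collector.feed(data)                  # same bytes, now decodable
    return early, collector.undecodable, late


if __name__ == "__main__":
    print(demo())
```

Flow data that arrives before its template cannot be interpreted, which is why the exporter resends the template by packet count or by time and why a collector used for monitoring should count such gaps instead of silently dropping them.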


12.2 Configuring NetFlow


This procedure describes how to configure the NetFlow function.

Steps
1. Configure NetFlow exporter policies.

Step 1
Command: ZXR10(config)#flow exporter <exporter-name>
Function: Creates a flow exporter policy, and names the policy. You can configure up to 200 different flow exporter policies. Range of the policy name: 1-32 characters.

Step 2
Command: ZXR10(config-flow-exporter)#destination {ipv4-address <ip-address>|[vrf <name>]}
Function: Configures the IPv4 address of the NetFlow server.

Step 3
Command: ZXR10(config-flow-exporter)#export-protocol {netflow-v5 | netflow-v8 | netflow-v9 | ipfix }
Function: Sets the format of NetFlow output packets. The output packet format can be NetFlow v5, v8, v9, or ipfix, default: netflow-v9. When the format is set to v5, the template must be netflow-original. When the format is v8, the template must be netflow ipv4 protocol-port.

Step 4
Command: ZXR10(config-flow-exporter)#template data {refresh <packets>| timeout <seconds>}
Function: Resends module according to the number of packets or time.

Step 5
Command: ZXR10(config-flow-exporter)#transport udp <port>
Function: Sets the NetFlow output protocol to UDP and sets the port number. Range: 1-65535, default: 2055.

Step 6
Command: ZXR10(config-flow-exporter)#source {ipv4-address <ip-address>}
Function: Configures the source IPv4 address of NetFlow packets sent.

Step 7
Command: ZXR10(config-flow-exporter)#dscp <value>
Function: Sets the TOS field in the IP header when a NetFlow packet is sent. Range: 0-63, default: 0.

refresh <packets>: the number of output netflow packets, according to which the
module is resent, range: 1-600, default: 20.

timeout <seconds>: time, according to which the module is resent, range: 1-86400,
default: 600 seconds.


2. Create a flow record policy, and set key and non-key fields.

Step 1
Command: ZXR10(config)#flow record <record-name>
Function: Creates a flow record policy, and names the policy. You can configure up to 100 different flow record policies. Range of the policy name: 1-32 characters.

Step 2
Command: ZXR10(config-flow-record)#match datalink mac {destination-address | source-address}
Function: Sets the source Medium Access Control (MAC) address or destination MAC address as a key field.

Command: ZXR10(config-flow-record)#match flow {direction|sample-rate}
Function: Sets flow direction or sampling rate as a key field.

Command: ZXR10(config-flow-record)#match interface {input | output}
Function: Sets input interface index or output interface index as a key field.

Command: ZXR10(config-flow-record)#match ipv4 {[destination address | address-prefix minimum-mask <len>]|[source address | address-prefix minimum-mask <len>]}
Function: Sets IPv4 information as a key field.

Command: ZXR10(config-flow-record)#match mpls label stack section <1-5>
Function: Sets MPLS information as a key field. <1-5>: Sets the collection label to the layer 1, 2, 3, 4, or 5 label.

Command: ZXR10(config-flow-record)#match routing {bgp as-number {destination | source | next-adjacent | prev-adjacent}| next-hop-address {ipv4 | ipv6}}
Function: Sets the related route next hop information as a key field.

Command: ZXR10(config-flow-record)#match transport {destination-port |icmp {ipv4 | ipv6}{type | code}| source-port | tcp flags}
Function: Sets transport layer information as a key field. icmp {ipv4 | ipv6} {type | code}: sets the type field of Internet Control Message Protocol (ICMP) packets as a collection field. The field value is ICMP Type * 256 + ICMP code.

Command: ZXR10(config-flow-record)#match ip {cos | protocol | version}
Function: Sets IP information as a key field.

Command: ZXR10(config-flow-record)#match ipv6 {[destination address | address-prefix minimum-mask <len>]|[source address | address-prefix minimum-mask <len>]| flow-label}
Function: Sets IPv6 information as a key field. Range of len: 1-128.


Step 4
Command: ZXR10(config-flow-record)#collect counter {bytes [long]| packets [long]}
Function: Sets the number and byte number of flow packets as non-key fields.
bytes: This field has 4 bytes.
bytes long: This field has 8 bytes.
packets: This field has 4 bytes.
packets long: This field has 8 bytes.

Command: ZXR10(config-flow-record)#collect datalink mac {destination-address | source-address}
Function: Sets the source MAC address or destination MAC address as a non-key field.

Command: ZXR10(config-flow-record)#collect flow {direction|sample-rate}
Function: Sets the flow direction or sampling rate as a non-key field.

Command: ZXR10(config-flow-record)#collect interface {input | output}
Function: Sets the input interface index or output interface index as a non-key field.

Command: ZXR10(config-flow-record)#collect ipv4 {[destination address | address-prefix minimum-mask <len>]|[source address | address-prefix minimum-mask <len>]}
Function: Sets IPv4 information as a non-key field.

Command: ZXR10(config-flow-record)#collect mpls label stack section <1-5>
Function: Sets MPLS information as a non-key field.

Command: ZXR10(config-flow-record)#collect routing {bgp as-number {destination | source | next-adjacent | prev-adjacent}| next-hop-address {ipv4 | ipv6}}
Function: Sets the route next hop information as a non-key field.

Command: ZXR10(config-flow-record)#collect timestamp {sys-uptime {first | last}| absolute {first-millisec | last-millisec}}
Function: Sets the time or absolute time when a flow is switched for the first or last time as non-key field.
sys-uptime first: sets the system power-up time when the flow arrives at the cache for the first time as a collected non-key field. Unit: ms.
sys-uptime last: sets the system power-up time when the flow is updated in the cache for the last time as the collected non-key field. Unit: ms.


Command: ZXR10(config-flow-record)#collect transport {destination-port | icmp {ipv4 | ipv6}{code | type}| source-port | tcp flags}
Function: Sets transport layer information as a non-key field.

Command: ZXR10(config-flow-record)#collect ip {cos| protocol | version}
Function: Sets IP information as a non-key field.

Command: ZXR10(config-flow-record)#collect ipv6 {[destination address | address-prefix minimum-mask <len>]|[source address | address-prefix minimum-mask <len>]| flow-label}
Function: Sets IPv6 information as a non-key field. Range of len: 1-128.

3. Configure a NetFlow sampling policy.

Step 1
Command: ZXR10(config)#sampler <sampler-name>
Function: Creates a sampler policy and names it. Up to 200 different sampler policies can be configured. Range of the policy name: 1-12 characters.

Step 2
Command: ZXR10(config-sampler)#mode deterministic 1-out-of <rate>
Function: Sets the sampling mode and sampling rate.

deterministic: uses deterministic sampling, that is, if the sampling rate is N, then one packet out of every N packets is sampled.
<rate>: sampling rate, range: 1-65535, default: 1000.

4. Configure a NetFlow monitoring policy.

Step 1
Command: ZXR10(config)#flow monitor <monitor-name>
Function: Creates a flow monitor policy and names it. Up to 60 different flow monitor policies can be configured. Range of the policy name: 1-32 characters.

Step 2
Command: ZXR10(config-flow-monitor)#cache {entries <num>| timeout {active | inactive}<seconds>}
Function: Sets cache information.


Step 3
Command: ZXR10(config-flow-monitor)#exporter <exporter-name>
Function: Associates a pre-set flow exporter policy. That is, the flow monitor policy uses the flow exporter policy for the output of NetFlow packets. If the flow exporter policy uses the v5 output format, the template used by the flow monitor must be the pre-set netflow-original.

Step 4
Command: ZXR10(config-flow-monitor)#record {<record-name>|netflow ipv4 protocol-port|netflow-original}
Function: Sets the template to be used.

entries <num>: sets the buffer size to num, which represents the number of flows that can be stored in the buffer. Range: 16-131072, default: 4096.
timeout active <seconds>: active ageing time, unit: second, range: 10-604800, default: 1800.
timeout inactive <seconds>: inactive ageing time, unit: second, range: 10-604800, default: 1800.

record <record-name>: uses a pre-set flow record policy as the template.

record netflow-original: predefines the v5 template. Collected key and non-key fields are consistent with those of NetFlow v5.

netflow ipv4 protocol-port: predefines the v8 module.

5. Configure a NetFlow interface.

Step 1
Command: ZXR10(config)#interface <interface-name>
Function: Enters interface configuration mode.

Step 2
Command: ZXR10(config-if-interface-name)#ip flow monitor <monitor-name>[sampler <sampler-name>][unicast|multicast|ipv4access-list <name>]{input|output}
Function: Configures IPv4 packet sampling on the interface.

Command: ZXR10(config-if-interface-name)#ipv6 flow monitor <monitor-name>[sampler <sampler-name>][unicast | multicast | ipv6access-list <name>]{input | output}
Function: Configures IPv6 packet sampling on the interface.

Command: ZXR10(config-if-interface-name)#mpls flow monitor <monitor-name>[sampler <sampler-name>] unicast {input | output}
Function: Configures MPLS packet sampling on the interface.


ip flow monitor <monitor-name>: applies a pre-set NetFlow monitoring policy on the interface. After the command is run, configurations related to the monitor policy, the cache size, the template in use, and the collected fields of the template cannot be modified. To modify these configurations, the flow monitoring policy must be deleted from the interface first. The flow active/inactive ageing time and the output policy can still be modified.

sampler <sampler-name>: applies a pre-set sampling policy on the interface. The sampling policy cannot be modified after it is applied on the interface. A modification takes effect only after the policy is unbound and then applied on the interface again.

unicast | multicast | ipv4access-list <acl-name>: type of sampled packets. unicast means sampling unicast packets. multicast means sampling multicast packets. access-list means sampling packets that are filtered with the ACL rules. Up to six different ACL rules can be used.

In one direction, unicast, multicast, MPLS, and ACL rule packets can be sampled
at the same time. Samples from two directions are not mutually exclusive. If ACL
rule packets are sampled from one direction, however, unicast and multicast packets
cannot be sampled, and vice versa.
6. Verify the configurations.

Command: ZXR10#show ip flow exporter [<exporter-name>]
Function: Displays a flow exporter policy of the specified name or all flow exporter policies.

Command: ZXR10#show ip flow interface [<interface-name>]
Function: Displays configurations of the specified interface or all interfaces.

Command: ZXR10#show ip flow monitor [<monitor-name>]
Function: Displays a flow monitoring policy of the specified name or all flow monitoring policies.

Command: ZXR10#show ip flow record [<record-name>| netflow-original | ipv4 protocol-port]
Function: Displays a flow record policy of the specified name, the pre-defined V5 policy (V5 template: netflow-original), or all flow record policies.

Command: ZXR10#show ip flow sampler [<sampler-name>]
Function: Displays a sampler policy of the specified name or all sampler policies.

Command: ZXR10#show running-config ipflow [all][|{begin | exclude | include}<line>]
Function: Displays NetFlow configurations, or all configurations including default values of un-configured parameters when the command carries the all parameter.

Command: ZXR10#show running-config-interface <interface-name>[all][|{begin | exclude | include}<line>]
Function: Displays interface configurations related to NetFlow.


Command: ZXR10#show ip flow service-cpu
Function: Displays information on the service CPU when the NetFlow function is enabled.

End of Steps

12.3 NetFlow Configuration Examples


12.3.1 NetFlow V5 Configuration Example
Configuration Description
As shown in Figure 12-1, configure NetFlow on R1, connect the server to R1, and configure
an IP address. Configure a route to the server if necessary so that the NetFlow packets
can be sent to the server.

Figure 12-1 NetFlow V5 Configuration Example

Configuration Flow
1. Enable the NetFlow service.
2. Configure the flow exporter output, including the server IP address, port number and protocol type.
3. Configure the sampler's sampling rate and sampling mode.
4. Configure the flow monitor cache size, the active timeout value and the inactive timeout value, and bind the configured flow exporter to the system v5 module.
5. Bind the flow monitor policy to the interface, and configure the sampling type and direction.

Configuration Command
Configuration on R1:
R1#configure terminal

R1(config)#flow exporter exp


R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v5
R1(config-flow-exporter)#exit


R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit

R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record netflow-original
R1(config-flow-monitor)#cache timeout inactive 60
R1(config-flow-monitor)#cache timeout active 10
R1(config-flow-monitor)#exit

R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#exit

Configuration Verification
Check the configuration on R1, as shown below.

R1#show running-config ipflow


!<ipflow>
flow exporter exp
destination ipv4-address 169.1.109.60
export-protocol netflow-v5
$
flow monitor mo
cache timeout active 10
cache timeout inactive 60
record netflow-original
exporter exp
$
sampler sam
mode deterministic 1-out-of 1024
$
interface gei-6/6
ip flow monitor mo sampler sam unicast input
$
!</ipflow>
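
The collector's view of the export configured above, as an added example (not from the ZTE guide or its software): a Python decoder for one NetFlow v5 datagram as it would arrive on UDP port 2055. It validates lengths, scales the counters by the 1-out-of 1024 sampler, and uses the header's flow sequence to detect lost export datagrams. The layout is the publicly documented 24-byte v5 header and 48-byte record; the function names and the sample datagram are constructed, and whether the router fills the header's sampling field is an assumption, hence the configured_rate fallback.

```python
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48 bytes
MAX_RECORDS = 30                                        # v5 limit per datagram


def parse_v5(datagram, configured_rate=1):
    """Return (header, flows) for one export datagram; ValueError if malformed.

    configured_rate is the sampler's N (1-out-of N); it is used only when the
    exporter leaves the sampling interval in the header at zero (assumption).
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime_ms, secs, _nsecs, seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")

    # Header sampling field: top 2 bits are the mode, low 14 bits the interval.
    rate = (sampling & 0x3FFF) or configured_rate
    header = {"count": count, "uptime_ms": uptime_ms, "unix_secs": secs,
              "flow_sequence": seq, "sampling_rate": rate}
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, tcp_flags, proto, tos, _src_as, _dst_as,
         _src_mask, _dst_mask) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "tcp_flags": tcp_flags, "tos": tos,
            "in_if": in_if, "out_if": out_if,
            "duration_ms": (last - first) & 0xFFFFFFFF,
            "sampled_packets": pkts, "sampled_bytes": octets,
            # Estimates only: a flow shorter than `rate` packets may never be sampled.
            "est_packets": pkts * rate, "est_bytes": octets * rate,
        })
    return header, flows


def missing_flows(prev_header, header):
    """Flows lost between two consecutive datagrams from one exporter.

    v5 flow_sequence counts the flows exported before this datagram, so the
    next datagram should start at prev.flow_sequence + prev.count (mod 2**32).
    """
    expected = (prev_header["flow_sequence"] + prev_header["count"]) & 0xFFFFFFFF
    return (header["flow_sequence"] - expected) & 0xFFFFFFFF


def build_sample(seq=100):
    """Constructed datagram: one sampled TCP flow, sampler 1-out-of 1024."""
    header = V5_HEADER.pack(5, 1, 600000, 1400000000, 0, seq, 0, 0,
                            (1 << 14) | 1024)   # mode bits 01, interval 1024
    record = V5_RECORD.pack(
        ipaddress.IPv4Address("10.1.0.2").packed,   # source (constructed)
        ipaddress.IPv4Address("10.1.0.9").packed,   # destination (constructed)
        ipaddress.IPv4Address("0.0.0.0").packed,    # next hop
        6, 0,                # input / output interface index
        3, 180,              # sampled packets / bytes
        590000, 599000,      # first / last switched (sysUptime ms)
        40000, 443,          # source / destination port
        0x12, 6, 0,          # TCP flags (SYN+ACK), protocol TCP, ToS
        0, 0, 24, 24)        # AS numbers, prefix masks
    return header + record


if __name__ == "__main__":
    hdr, flows = parse_v5(build_sample())
    print(hdr)
    print(flows[0])
```

A non-zero result from missing_flows means export datagrams were dropped on the way to the collector, so traffic totals for that interval are undercounts.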


12.3.2 NetFlow V8 Configuration Example


Configuration Description
As shown in Figure 12-2, configure NetFlow on R1, connect the server to R1, and configure
an IP address. Configure a route to the server if necessary so that the NetFlow packets
can be sent to the server.

Figure 12-2 NetFlow V8 Configuration Example

Configuration Flow
1. Enable the NetFlow service.
2. Configure the flow exporter output, including the server IP address, port number and protocol type.
3. Configure the sampler, setting the sampling rate and sampling mode.
4. Configure the flow monitor cache size, the active timeout value and the inactive timeout value. Bind the configured flow exporter to the system v8 module.
5. Bind the flow monitor to the interface, and configure the sampling type and direction.

Configuration Command
Configuration on R1:
R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v8
R1(config-flow-exporter)#exit

R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit

R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record netflow ipv4 protocol-port
R1(config-flow-monitor)#cache timeout inactive 60
R1(config-flow-monitor)#cache timeout active 10
R1(config-flow-monitor)#exit


R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#exit

Configuration Verification
Verify the configuration on R1 as shown below.

R1#show running-config ipflow


! < ipflow >
sampler sam
mode deterministic 1-out-of 1024
$
flow exporter exp
destination ipv4-address 169.1.109.60
export-protocol netflow-v8
$
flow monitor mo
cache timeout active 10
cache timeout inactive 60
record netflow ipv4 protocol-port
exporter exp
$
interface gei-6/6
ip flow monitor mo sampler sam unicast input
$
! </ ipflow >

12.3.3 NetFlow V9 Configuration Example


Configuration Description
As shown in Figure 12-3, configure NetFlow on R1, connect the server to R1, and configure
an IP address. Configure a route to the server if necessary so that the NetFlow packets
can be sent to the server.

Figure 12-3 NetFlow V9 Configuration Example


Configuration Flow
1. Enable the NetFlow service.
2. Configure the flow exporter output, including the server IP address, port number and protocol type, and the template (module) refresh time and refresh rate.
3. Configure the match and collect fields of the flow record policy.
4. Configure the flow monitor cache size, the active timeout value and the inactive timeout value, and bind the configured flow exporter policy and flow record policy.
5. Configure the sampler's sampling rate and sampling mode.
6. Bind the flow monitor policy to the interface, and configure the sampling type and direction.

Configuration Command
Configuration on R1:
R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v9
R1(config-flow-exporter)#template data refresh 20
R1(config-flow-exporter)#template data timeout 60
R1(config-flow-exporter)#exit

R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit

R1(config)#flow record rec


R1(config-flow-record)#match ipv4 source address
R1(config-flow-record)#match ipv4 destination address
R1(config-flow-record)#match transport source-port
R1(config-flow-record)#match transport destination-port
R1(config-flow-record)#collect counter bytes
R1(config-flow-record)#collect counter packets
R1(config-flow-record)#exit

R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#cache timeout active 60
R1(config-flow-monitor)#cache timeout inactive 10
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record rec
R1(config-flow-monitor)#exit

R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input


R1(config-if-gei-6/6)#end

Configuration Verification
Check the configuration on R1, as shown below.

R1#show running-config ipflow


!<ipflow>
sampler sam
mode deterministic 1-out-of 1024
$
flow exporter exp
destination ipv4-address 169.1.109.60
#export-protocol netflow-v9
$
flow record rec
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes
collect counter packets
$
flow monitor mo
cache timeout active 60
cache timeout inactive 10
record rec
exporter exp
$
interface gei-6/6
ip flow monitor mo sampler sam unicast input
$
!</ipflow>
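
How a collector decodes the v9 export configured above, as an added example (not from the ZTE guide or its software): unlike v5, a v9 data flowset can only be decoded after the matching template has arrived, which is why the exporter re-sends templates. The Python decoder below keys templates by exporter address, source ID and template ID and counts the data it cannot yet decode. The field type numbers are from RFC 3954; the template ID 256, the field order, the exporter addresses and both datagrams are constructed assumptions.

```python
import ipaddress
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, uptime, secs, sequence, source id
# RFC 3954 field types for the fields matched/collected by record "rec".
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
ADDRESS_TYPES = {8, 12}


class V9Decoder:
    def __init__(self):
        self.templates = {}    # (exporter, source_id, template_id) -> [(type, len)]
        self.undecodable = 0   # data flowsets seen before their template

    def feed(self, exporter, datagram):
        """Process one datagram received from `exporter`; return decoded flows."""
        if len(datagram) < V9_HEADER.size:
            raise ValueError("datagram shorter than a v9 header")
        version, _cnt, _up, _secs, _seq, source_id = V9_HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version={version})")
        flows, off = [], V9_HEADER.size
        while off + 4 <= len(datagram):
            fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
            if fs_len < 4 or off + fs_len > len(datagram):
                raise ValueError("flowset length runs past the datagram")
            body = datagram[off + 4:off + fs_len]
            if fs_id == 0:                       # template flowset
                self._learn(exporter, source_id, body)
            elif fs_id > 255:                    # data flowset, id = template id
                flows += self._decode(exporter, source_id, fs_id, body)
            off += fs_len
        return flows

    def _learn(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            if tid < 256:                        # padding or reserved id
                break
            end = pos + 4 + 4 * nfields
            if nfields == 0 or end > len(body):
                raise ValueError("malformed template")
            fields = [struct.unpack_from("!HH", body, p)
                      for p in range(pos + 4, end, 4)]
            if sum(length for _t, length in fields) == 0:
                raise ValueError("template describes zero-length records")
            # Scoped per exporter so one source cannot redefine another's template.
            self.templates[(exporter, source_id, tid)] = fields
            pos = end

    def _decode(self, exporter, source_id, tid, body):
        fields = self.templates.get((exporter, source_id, tid))
        if fields is None:
            self.undecodable += 1
            return []
        rec_len = sum(length for _t, length in fields)
        flows = []
        for start in range(0, len(body) - rec_len + 1, rec_len):
            flow, pos = {}, start
            for ftype, length in fields:
                raw = body[pos:pos + length]
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in ADDRESS_TYPES and length == 4:
                    flow[name] = str(ipaddress.IPv4Address(raw))
                else:
                    flow[name] = int.from_bytes(raw, "big")
                pos += length
            flows.append(flow)
        return flows


def build_template_packet():
    """Constructed template for record "rec": 4 key fields, 2 counters."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4)]
    body = struct.pack("!HH", 256, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    return V9_HEADER.pack(9, 1, 1000, 1400000000, 1, 0) + flowset


def build_data_packet():
    """Constructed data flowset with one flow that uses template 256."""
    record = (ipaddress.IPv4Address("10.1.0.2").packed
              + ipaddress.IPv4Address("169.1.109.60").packed
              + struct.pack("!HHII", 40000, 443, 1500, 3))
    flowset = struct.pack("!HH", 256, 4 + len(record)) + record
    return V9_HEADER.pack(9, 1, 2000, 1400000001, 2, 0) + flowset
```

A rising undecodable counter after a collector restart is expected until the next template arrives; if it keeps rising, templates are not reaching the collector.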


Chapter 13
SQA Configuration
Table of Contents
SQA Overview
Configuring SQA
SQA Configuration Examples

13.1 SQA Overview


Service Quality Analyzer (SQA) is a measurement-based detection technology. Through SQA, users can obtain a more detailed analysis of network quality at the IP layer, and can also check whether the network quality of a specific service meets the requirements of the Service Level Agreement (SLA). The functions of SQA are listed below.
• Users can quickly learn the network performance and then take corresponding measures according to it.
• Users can use SQA to diagnose and locate network faults, especially QoS faults of some applications.
• SQA supports linkage with some protocols. For example, when the quality of a network worsens to some extent, SQA can enable linkage with policy routing.
Normally, SQA is used to diagnose network faults.
For example, on a mobile IP bearer network, when the quality of phone calls declines seriously, it is necessary to check whether there is serious voice packet loss, delay and oscillation (jitter) on the wireless network side and the IP bearer network side at the same time. On the IP bearer network side, it is necessary to check whether there is any serious network fault in the transmission of IP packets between CEs. At the same time, it is also necessary to use the SQA parameters (such as UDP packet oscillation and delay) to determine whether the fault is on the bearer network side.
SQA can also be used to measure the quality of operators' networks periodically so that the network quality is reflected in real time and operators can keep track of the overall network quality.

13.2 Configuring SQA


This procedure describes how to configure the SQA function.

Steps
1. Configure an SQA instance.


Step 1
Command: ZXR10(config)#sqa-test <number>
Function: Selects a test instance number and enters SQA configuration mode. The range of the instance number is 1-150.

Step 2
Command: ZXR10(config-sqa)#type-icmp [vrf <vrf-name>]<destination-address>[source <source-address>][repeat <repeat-number>][tos <tos-value>][ttl <ttl-value>][size <size-value>][interval <interval-value>]
Function: Configures an ICMP test instance in SQA mode.

Command: ZXR10(config-sqa)#type-udp [vrf <vrf-name>]<destination-address><destination-port>[size <size-value>][interval <interval-value>][repeat <repeat-number>]
Function: Configures a UDP test instance in SQA mode.

Command: ZXR10(config-sqa)#type-tcp [vrf <vrf-name>]<destination-address><destination-port>[interval <interval-value>][repeat <repeat-number>]
Function: Configures a TCP test instance in SQA mode.

Command: ZXR10(config-sqa)#type-ftp copy <destination-address> uesr-name <user-name> password {encrypted <ftp-server-encrypted-password>|<ftp-server-password>} file-name <file-name> root <local-path>/<file-name>
Function: Configures an FTP test instance in SQA mode.

Command: ZXR10(config-sqa)#type-dns [vrf <vrf-name>] destination-url <destination-url> dns-ip <dns-ip-address>[repeat <repeat-number>]
Function: Configures a DNS test instance in SQA mode.

Command: ZXR10(config-sqa)#type-http [vrf <vrf-name>]{http-ip <http-ip-address>|http-url <http-url> dns-ip <dns-ip-address>}[repeat <repeat-number>]
Function: Configures an HTTP test instance in SQA mode.

Command: ZXR10(config-sqa)#type-snmp [vrf <vrf-name>]<specify-destination-ip-address>
Function: Configures an SNMP test instance in SQA mode.

Command: ZXR10(config-sqa)#type-udp-jitter [vrf <vrf-name>]<specify-destination-ip-address><specify-destination-port>[interval <interval-time>][repeat <repeat-number> size <size-number>| interval <interval-time>][size <size-number> interval <interval-time>|repeat <repeat-number>]
Function: Configures a UDP-JITTER test instance in SQA mode.

Command: ZXR10(config-sqa)#type-icmp-jitter [vrf <vrf-name>]<destination-address>[source <source-address>][repeat <repeat-number>][tos <tos-value>][ttl <ttl-value>][size <size-value>][interval <interval-value>]
Function: Configures an ICMP jitter test instance in SQA mode.

<repeat-number>: number of repeat times. In an ICMP test, range: 1-65535, default: 1. In a UDP test, range: 1-1000, default: 1. In a TCP test, range: 1-200, default: 1.


In a DNS test, range: 1-10, default: 1. In an ICMP jitter test, range: 1-65535, default: 1.

<tos-value>: ToS value, range: 0-255, default: 0.

<ttl-value>: Time To Live (TTL) value, range: 1-255, default: 255.

<size-value>: size of a packet. In an ICMP test, range: 36-8192 bytes, default: 36 bytes. In a UDP test, range: 50-1500 bytes, default: 50 bytes. In an ICMP jitter test, range: 40-8192 bytes, default: 40 bytes.

<interval-value>: interval between two packets, unit: ms. In an ICMP test, range: 50-65535, default: 100. In a UDP test, range: 50-2000, default: 100. In a TCP test, range: 1000-4000, default: 1000. In an ICMP jitter test, range: 50-65535, default: 100.

<destination-port>: destination port number, range: 1025-65535.

<user-name>: user name of the FTP server, range: 1-31 characters.

<ftp-server-password>: clear text password of the FTP server, range: 1-31 characters.

<ftp-server-encrypted-password>: cipher text password of the FTP server, range: 64 characters.

<file-name>: FTP source file name, range: 1-79 characters.

<local-path>/<file-name>: FTP local path and file name, range: 1-151 characters.

<destination-url>: domain name to be resolved, range: 1-128 characters.

<dns-ip-address>: DNS IP address.

2. Start an SQA test, and enable the Trap alarm.

Step 1
Command: ZXR10(config-sqa)#sqa-begin {now | timerange <timerange-name>}
Function: Starts a test in SQA mode. The sqa-stop command stops the test. If now is selected, the test is started immediately.

Step 2
Command: ZXR10(config-sqa)#send-Trap { enable <percent>}
Function: Enables the Trap alarm in SQA mode. <percent>: alarm threshold value, range: 1-100.

3. Configure an SQA TCP or UDP server.

Command: ZXR10(config)#sqa-tcp-server <ipaddress><port>
Function: Configures an SQA TCP server. (This configuration is required when you select a TCP test.)


Command: ZXR10(config)#sqa-udp-server <ipaddress><port>
Function: Configures an SQA UDP server. (This configuration is required when you select a UDP test.)

4. Verify the configurations.

Command: ZXR10#show running-config sqa [all][|{begin | exclude | include}<line>]
Function: Displays SQA configurations.

Command: ZXR10#show sqa-test <number>
Function: Displays SQA test configurations.

Command: ZXR10#show sqa-server {upd|tcp}
Function: Displays SQA server configurations.

Command: ZXR10#show sqa-result {udp | tcp | icmp | ftp | dns | http | snmp | udpjitter | icmpjitter}
Function: Displays configurations of each SQA test instance.

End of Steps

13.3 SQA Configuration Examples


13.3.1 ICMP-Type SQA Configuration Example
Configuration Description
As shown in Figure 13-1, there is a link between R1 and R3. Packets between R1 and R3
can be forwarded properly.

Figure 13-1 ICMP-Type SQA Configuration Example

Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the ICMP test attributes for the test instance, such as the ICMP test destination address.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.

Configuration Command
The configuration of R1:


R1(config)#sqa-test 1
R1(config-sqa-1)#type-icmp 10.1.0.2
R1(config-sqa-1)#sqa-begin now
%Info 757: The sqa test is starting now, please wait a moment for test result......
R1(config-sqa-1)#

Configuration Verification
The configuration and test result are shown below.
R1#show sqa-test 1
test number:1
test type: ICMP
destination IP: 10.1.0.2
repeat:1
tos:0
ttl: 255
size: 36
interval time:100
send trap:disable

R1#show sqa-result icmp


icmp test[1] result
SendPackets:1 ResponsePackets:1
Completion:success Destination IP Address: 10.1.0.2
Min/Max/Avg/Sum RTT:29/99/39/787ms
Min/Max/Avg/Sum Positive Jitter:1/7/3/9ms
Min/Max/Avg/Sum Negative Jitter:1/70/35/71ms
Min/Max/Avg/Sum Jitter:1/70/16/80ms
Packet loss rate:0%
Last Probe Time:2012-11-18 01:57:38

13.3.2 FTP-Type SQA Configuration Example


Configuration Description
As shown in Figure 13-2, there is a link between the FTP server and R1. Packets between
them can be forwarded properly. It is required to enable the FTP server function on FTP
server, and configure a user name and password.

Figure 13-2 FTP-Type SQA Configuration Example


Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the FTP test attributes for the test instance
including FTP server address, user name, password, source file name, destination
path and destination file name.
3. Set the SQA test start time to now or a scheduled time.
4. Check the test result.

Configuration Command
Run the following commands on the ZXR10 ZSR V2:
R1(config)#sqa-test 2
R1(config)#type-ftp copy 1.1.1.1 filename abc.txt root /datadisk0/abc.txt
R1(config)#type-ftp username who password who
R1(config-sqa-2)#sqa-begin now
%Info 757: The sqa test is starting now, please wait a moment for test result......
R1(config-sqa-2)#

Configuration Verification
Run the show command to check the configurations and test results. The execution result is displayed as follows:
R1#show sqa-test 2
test number:2
test type: FTP
ftp IP:10.1.0.2
username:who
password: 9654d35c7f907ad5c1a1f803d1e4a21c667d8939cade03478bad7db48099d0e4
/*Encrypted*/
filename:abc.txt
root:/datadisk0/abc.txt
send Trap:disable

R1#show sqa-result ftp


ftp test[2] result
Completion:success
Last RTT:127s Bytes read:4817497
Last Probe Time:2012-07-29 09:22:58

13.3.3 TCP-Type SQA Configuration Example


Configuration Description
As shown in Figure 13-3, there is a link between R1 and R3. Packets between R1 and R3
can be forwarded properly. Enable a monitoring port of SQA-TCP-server on R3.


Figure 13-3 TCP-Type SQA Configuration Example

Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the TCP test attribute for the test instance,
such as the TCP test destination address and port number.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.

Configuration Command
The configuration of R3:

R3(config)#sqa-tcp-server 10.1.0.2 10000

The configuration of R1:


R1(config)#sqa-test 3
R1(config-sqa-3)#type-tcp 10.1.0.2 10000
R1(config-sqa-3)#sqa-begin now
%Info 757: The sqa test is starting now, wait a moment for test result......
R1(config-sqa-3)#

Configuration Verification
The configuration and test result are shown below.

R1#show sqa-test 3
test number:1
test type: TCP
destination IP:10.1.0.2
desitnation port:10000
interval time:1000
repeat:1
send trap:disable

R1#show sqa-result tcp


tcp test[3] result
SendPackets:1 ResponsePackets:1
Completion:success Destination Ip Address:10.1.0.2
Min/Max/Avg/Sum RTT:5/5/5/5ms
Last Probe Time:2012-07-29 09:45:49


13.3.4 UDP-Type SQA Configuration Example


Configuration Description
As shown in Figure 13-4, there is a link between R1 and R3. Packets between R1 and R3
can be forwarded properly. Enable a monitoring port of SQA-UDP-server on R3.

Figure 13-4 UDP-Type SQA Configuration Example

Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the UDP test attribute for the instance,
such as the UDP test destination address and port number.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.

Configuration Command
The configuration of R3:
R3(config)#sqa-udp-server 10.1.0.2 10000

The configuration of R1:


R1(config)#sqa-test 4
R1(config-sqa-4)#type-udp 10.1.0.2 10000
R1(config-sqa-4)#sqa-begin now
%Info 757: The sqa test is starting now, wait a moment for test result......
R1(config-sqa-4)#

Configuration Verification
The configuration and test result are shown below.
R1#show sqa-test 4
test number:1
test type: UDP
destination IP:10.1.0.2
desitnation port:10000
size: 50
interval time:100
repeat:1
send trap:disable


R1#show sqa-result udp


udp test[4] result
SendPackets:1 ResponsePackets:1
Completion:success Destination IP Address: 10.1.0.2
Min/Max/Avg/Sum RTT:61/63/62/622ms
Min/Max/Avg/Sum Positive Jitter:0/0/0/0ms
Min/Max/Avg/Sum Negative Jitter:1/1/1/2ms
Min/Max/Avg/Sum Jitter:1/1/1/2ms
Packet loss rate:0%
Last Probe Time:2012-09-01 23:52:35

13.3.5 DNS-Type SQA Configuration Example


Configuration Description
As shown in Figure 13-5, configure an SQA test instance on ZXR10 ZSR V2, connect the
server to R1, and configure an IP address. Configure a route to the server if necessary so
that DNS packets can be sent to the server.

Figure 13-5 DNS-Type SQA Configuration Example

Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, configure the domain name to be resolved by the DNS
test and the IP address of the DNS server, and set the number of resolution operations.
3. Set the SQA test start time as right now or at a scheduled time.
4. Check the test result.

Configuration Command
Configuration of R1:

R1(config)#ip domain lookup


R1(config)#ip domain name-server ipv4-address 10.1.0.1
R1(config)#sqa-test 5
R1(config-sqa-5)#type-dns destination-url abc.cn dns-ip 10.1.0.1
R1(config-sqa-5)#sqa-begin now
%Info 757: The sqa test is starting now, wait a moment for test result......
R1(config-sqa-5)#


Configuration Verification
The configuration information and test result are shown below.
R1#show sqa-test 5
test number:1
test type: DNS
destination-url:abc.cn
dns-ip:10.1.0.1
repeat:1
send trap:disable

R1#show sqa-result dns


dns test[5] result
SendPackets:1 ResponsePackets:1
Completion:success
Destination-url:abc.cn
DNS Interpret IP Address:10.1.0.1
Min/Max/Avg/Sum RTT:1010/1010/1010/1010ms
Last Probe Time:2012-07-29 09:49:36


Chapter 14
LLDP Configuration
Table of Contents
LLDP Overview
Configuring LLDP
LLDP Configuration Examples

14.1 LLDP Overview


LLDP Introduction
With the wide application of Ethernet in LANs and Metropolitan Area Networks (MANs), users have increasingly high requirements for Ethernet management capability. At present, many network management systems use the automatic discovery function to trace topology changes. However, most network management systems can only analyze the network topology up to the network layer. Information such as the interfaces on a device, the interfaces connected to other devices, and the paths among clients, network devices and servers needs to be collected through the link layer. With sufficiently detailed information, users can locate network faults correctly.
Link Layer Discovery Protocol (LLDP) is a protocol defined by IEEE 802.1AB. Network management systems can learn the topology and changes of L2 networks through LLDP. LLDP organizes local device information into Type/Length/Value (TLV) fields and encapsulates them in a Link Layer Discovery Protocol Data Unit (LLDPDU), which is sent to the directly connected neighbor. At the same time, LLDP saves the LLDPDUs sent by neighbors in the standard MIB, so that network management systems can query and determine the communication states of links.

LLDP Features
LLDP is defined in 802.1AB. As shown in Figure 14-1, LLDP works at the data link layer. It is a neighbor discovery protocol that defines a standard for Ethernet devices (such as switches, routers and wireless LAN access points). Through LLDP, an Ethernet device can advertise its existence to other nodes on the network and save the discovery information of neighbor devices. The device sends its state information to other devices, and the information is stored on each port of all devices. If necessary, the device can send update information to the directly connected neighbor devices, and the neighbor devices store the information in standard SNMP MIBs.


Figure 14-1 LLDP System Structure

• Network management systems can query the L2 connection information in the MIB. LLDP does not configure or control network elements or traffic. It only reports the position at L2. Another function defined in 802.1AB is that network management software can use the information provided by LLDP to find conflicts in the L2 network. At present, IEEE uses the physical topology, interface and entity MIBs existing in IETF.
• A device that supports LLDP must support chassis ID advertisements and port ID advertisements. Most devices need to support system name advertisements, system description advertisements and system capability advertisements. System name advertisements and system description advertisements can provide useful information to collect network traffic. System description advertisements can also contain information such as the full name of the device, the type of the system hardware and the version of the software operating system.
• LLDP information is transmitted periodically and can only be stored for a period. IEEE has defined a recommended transmission frequency of about once per 30 seconds. When an LLDP device receives an LLDP packet sent by a neighbor LLDP device, it stores the information in the cache of the SNMP MIB defined by IEEE. The information is valid only for a period; the TTL value that defines the period is contained in the received packets.
• LLDP enables network management systems to discover and simulate physical network topologies correctly. LLDP devices send and receive advertisements, so the devices save the information of the discovered neighbor devices. The advertisement data, such as the management address, device type and port number of a neighbor device, helps identify the type and interconnected interfaces of the neighbor device.


- An LLDP device periodically advertises its information to directly connected
neighbor devices. It also receives, refreshes and saves the advertisements from
neighbor devices. The device scans the cache every second. If no new packet is
received during the hold-time period, the information is aged out.
- LLDP defines a general advertisement set, a transport advertisement protocol and a
method of storing all received advertisements. A device that wants to advertise its
information can put several advertisements in one LAN packet. The advertisements
are transmitted as TLV fields. The information includes the chassis ID (mandatory),
port ID (mandatory), system name, system capabilities, system description and some
other attributes.

Chassis ID is the first mandatory TLV in an LLDPDU. It is the unique ID of the
device that sends the LLDPDUs. It is recommended to use the chassis
MAC address as the chassis ID for a switch, and use the loopback address or an
interface IP address as the chassis ID for a router.

Port ID is the second mandatory TLV in an LLDPDU. It is the unique ID of the port
that sends the LLDPDUs. For a switch, it is recommended to use the port name as
the port ID, such as fei4/1.

TTL is the third mandatory TLV in an LLDPDU. It is the time to live (in seconds)
of an LLDPDU received by the peer. When a peer receives an
LLDPDU whose TTL is 0, the device deletes all related information.

End of LLDPDU is the last mandatory TLV in an LLDPDU. It marks the end of
an LLDPDU.
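The mandatory TLV order and the TTL handling described above, as an added example (not code from this guide or from the ZXR10 software): a parser that rejects LLDPDUs whose mandatory TLVs are missing or out of order, and a neighbor cache that ages entries by TTL and deletes them on TTL 0. Assumptions: the 7-bit type / 9-bit length TLV header and the subtype values follow IEEE 802.1AB; all function and class names, the cache's neighbor limit and the sample frame are constructed for illustration.

```python
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
SUBTYPE_MAC, SUBTYPE_IFNAME = 4, 5  # 802.1AB chassis-ID / port-ID subtypes


class LLDPError(ValueError):
    """Raised when an LLDPDU breaks the TLV rules checked here."""


def make_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value octets."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise LLDPError("type or length does not fit the TLV header")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu):
    """Yield (type, value) pairs and stop at the End of LLDPDU TLV."""
    offset = 0
    while offset < len(pdu):
        if len(pdu) - offset < 2:
            raise LLDPError("truncated TLV header")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if length > len(pdu) - offset:
            raise LLDPError("TLV length runs past the end of the frame")
        yield tlv_type, pdu[offset:offset + length]
        offset += length
        if tlv_type == TLV_END:
            return  # octets after End of LLDPDU are padding


def parse_lldpdu(pdu):
    """Check the mandatory TLV order and return the neighbor identity."""
    tlvs = list(iter_tlvs(pdu))
    types = [tlv_type for tlv_type, _ in tlvs]
    if types[:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise LLDPError("LLDPDU must start with Chassis ID, Port ID, TTL")
    if types[-1] != TLV_END:
        raise LLDPError("End of LLDPDU TLV is missing")
    if any(t in (TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL) for t in types[3:]):
        raise LLDPError("mandatory TLV appears more than once")
    chassis, port, ttl = (value for _, value in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) < 2:
        raise LLDPError("mandatory TLV is too short")
    return {
        "chassis_subtype": chassis[0],
        "chassis_id": chassis[1:].hex(),
        "port_subtype": port[0],
        "port_id": port[1:].decode("ascii", "replace"),
        "ttl": struct.unpack("!H", ttl[:2])[0],
    }


class NeighborCache:
    """Hypothetical cache: entries expire after TTL seconds, TTL 0 deletes."""

    def __init__(self, max_neighbors=8):
        self.max_neighbors = max_neighbors
        self.entries = {}  # (chassis_id, port_id) -> expiry time in seconds

    def receive(self, pdu, now):
        info = parse_lldpdu(pdu)
        key = (info["chassis_id"], info["port_id"])
        if info["ttl"] == 0:          # neighbor announces that it is going away
            self.entries.pop(key, None)
            return "deleted"
        if key not in self.entries and len(self.entries) >= self.max_neighbors:
            return "rejected"         # cap the table so it cannot be flooded
        self.entries[key] = now + info["ttl"]
        return "stored"

    def age(self, now):
        """Remove and return the entries whose TTL has run out."""
        expired = [key for key, expiry in self.entries.items() if expiry <= now]
        for key in expired:
            del self.entries[key]
        return expired


def sample_pdu(ttl, port=b"gei-1/1"):
    """Constructed LLDPDU: MAC chassis ID, interface-name port ID, TTL, End."""
    mac = bytes.fromhex("0023e4221134")
    return (make_tlv(TLV_CHASSIS_ID, bytes([SUBTYPE_MAC]) + mac)
            + make_tlv(TLV_PORT_ID, bytes([SUBTYPE_IFNAME]) + port)
            + make_tlv(TLV_TTL, struct.pack("!H", ttl))
            + make_tlv(TLV_END, b""))


if __name__ == "__main__":
    cache = NeighborCache(max_neighbors=1)
    print(parse_lldpdu(sample_pdu(120)))
    print(cache.receive(sample_pdu(120), now=0), cache.age(now=121))
```

A frame that fails `parse_lldpdu` is never stored, so a malformed or truncated advertisement cannot create or refresh a neighbor entry.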

14.2 Configuring LLDP


This procedure describes how to configure basic attributes and functions for the LLDP.

Steps
1. Configure LLDP.

To configure LLDP on ZXR10 ZSR V2, perform the following steps.

Step  Command                                         Function

1     ZXR10(config)#lldp                              This enters LLDP configuration mode.

2     ZXR10(config-lldp)#hellotime <times>            This configures the interval to send LLDP
                                                      neighbor discovery packets. It is in the unit
                                                      of second, in the range of 5-32768, and the
                                                      default value is 30.

      ZXR10(config-lldp)#holdtime <time>              This configures the hold-time of an LLDP
                                                      neighbor. The <times> parameter is a multiple
                                                      of the interval to send LLDP neighbor
                                                      discovery packets. It is in the range of 2-10,
                                                      and the default value is 4.

      ZXR10(config-lldp)#maxneighbor <num>            This configures the maximum number of
                                                      neighbors that can be discovered by LLDP, in
                                                      the range of 1-128, with the default value of
                                                      128.

3     ZXR10(config-lldp)#lldp {enable | disable}      Enables/Disables LLDP function.

4     ZXR10(config-lldp)#lldp-rx {enable | disable}   Enables/Disables LLDP receive function.

5     ZXR10(config-lldp)#lldp-tx {enable | disable}   Enables/Disables LLDP send function.

6     ZXR10(config-lldp)#txcreditmax <credit>         This configures the maximum credit number, in
                                                      the range of 1-10, with the default value of 5.

      ZXR10(config-lldp)#txfastinit <num>             This configures the number of fast transmit
                                                      packets, in the range of 1-8, with the default
                                                      value of 4.

      ZXR10(config-lldp)#msgfasttx <interval>         This configures the interval of fast transmit
                                                      packets, in the range of 1-3600, with the
                                                      default value of 1s.

2. Configure LLDP in interface configuration mode.

Step  Command                                                  Function

1     ZXR10(config-lldp-if-interface-name)#lldp                Enables/Disables LLDP in an interface.
      {enable | disable}

2     ZXR10(config-lldp-if-interface-name)#lldp-rx             Enables/Disables LLDP receive function
      {enable | disable}                                       in an interface.

3     ZXR10(config-lldp-if-interface-name)#lldp-tx             Enables/Disables LLDP send function in
      {enable | disable}                                       an interface.

4     ZXR10(config-lldp-if-interface-name)#maxneighbor <num>   This configures the maximum number of
                                                               neighbors that can be discovered by
                                                               LLDP, in the range of 1-8, with the
                                                               default value of 8.

3. Verify the configurations.

Command                                                  Function

ZXR10#show lldp {config [interface <interface-name>]|    This shows LLDP configuration information,
entry [interface <interface-name>]| neighbor [interface  detailed neighbor information, brief
<interface-name>]| statistic [interface                  neighbor information and statistical
<interface-name>]}                                       information.

4. Maintain the LLDP.

Command                                                  Function

ZXR10#debug lldp { adjacency | event | packets [receive  This shows LLDP related information, event
| send]| all }                                           information and packets sending and
                                                         receiving information.

ZXR10(config-lldp)#clearneighbor                         This clears an LLDP neighbor relationship
                                                         that has been established.

ZXR10(config-lldp)#clearstatistic                        This clears LLDP statistical information.

ZXR10(config-if-interface-name)#clearneighbor            This clears an LLDP neighbor relationship
                                                         that has been established on an interface.

ZXR10(config-if-interface-name)#clearstatistic           This clears LLDP statistical information on
                                                         an interface.

End of Steps

14.3 LLDP Configuration Examples


14.3.1 LLDP Neighbor Configuration Example
Configuration Description
As shown in Figure 14-2, it is required to configure LLDP on gei-1/1 of R1.


Figure 14-2 LLDP Neighbor Configuration Example

Configuration Flow
1. Enter LLDP configuration mode.
2. Enter an interface.
3. Enable LLDP.

Configuration Command
Enter an interface in LLDP configuration mode and then configure LLDP, as shown below.

R1(config)#lldp
R1(config-lldp)#interface gei-1/1
R1(config-lldp-if-gei-1/1)#lldp enable
R1(config-lldp-if-gei-1/1)#end

Configuration Verification
Use the show lldp neighbor command to check the configuration result, as shown below.

R1(config)#show lldp neighbor
Capability Codes:
N - Other, r - Repeater, B - Bridge, W - WLAN Access Point,
R - Router, T - Telephone, D - DOCSIS Cable Device,
S - Station Only
Local-Port  Chassis-ID    Holdtime  Capability  Platform      Peer-Port
---------------------------------------------------------------------------
gei-1/1     0023e4221134  103       B R         6800v1.00.20  gei-1/1

14.3.2 LLDP Attribute Configuration Example


Configuration Description
As shown in Figure 14-3, it is required to configure LLDP attributes on R1.

Figure 14-3 LLDP Attribute Configuration Example


Configuration Flow
1. Enter LLDP configuration mode.
2. Configure LLDP attributes.

Configuration Command
The configuration of R1:

R1(config)#lldp
R1(config-lldp)#maxneighbor 3
/*Configure the maximum number of system neighbors*/
R1(config-lldp)#hellotime 30000
/*Configure the intervals to send LLDP neighbor discovery packets*/
R1(config-lldp)#holdtime 8
/*Configure LLDP neighbor hold-time*/
R1(config-lldp)#lldp enable
/*Enable LLDP*/
R1(config-lldp)#lldp-rx enable
/*Enable LLDP receiving*/
R1(config-lldp)#lldp-tx enable
/*Enable LLDP sending*/
R1(config-lldp)#clearneighbor
/*Clear LLDP neighbor relationship that has been established*/
R1(config-lldp)#clearstatistic
/*Clear LLDP statistical information*/
R1(config-lldp)#end

Configuration Verification
Use the show running-config lldp command to check the configuration result.

ZXR10#show running-config lldp


! <LLDP>
lldp
hellotime 30000
holdtime 8
maxneighbor 3
! </LLDP>


Chapter 15
Network Layer Detection
Table of Contents
Configuring ICMP Fast Response
Configuring IP Source Route Option Processing
Configuring ICMP Unreachable Packet Function
Enabling an Interface to Send ICMP Unreachable Packets
Configuring IP Ping
Configuring IP Trace
Configuring LSP Ping
Configuring LSP Trace
Configuring Multicast Ping
Configuring Multicast Trace
Configuring MAC Ping
Configuring MAC Trace
IP Performance Maintenance

15.1 Configuring ICMP Fast Response


Overview
In contrast to the ICMP slow response function, the ICMP fast response function reduces
the delay and delay jitter of ping packets, and increases the rate at which network delay
targets are met.
To detect connectivity with another node, a node uses the ICMP response function.
The source node sends an ICMP Echo Request packet to the destination node. After
receiving this packet, the destination node returns an ICMP Echo Reply packet. When
the source node receives the corresponding Reply packet, it determines that the network is
connected.

With the ICMP slow response function, a destination node sends received Request
packets to the control plane, which returns the Reply packets. To reduce delays, the ICMP
fast response function returns Reply packets directly.

Configuration Commands
To configure the ICMP fast response function, run the following command on the ZXR10
ZSR V2:


Command                            Function

ZXR10(config)#ip icmp-fast-reply   Enables the ICMP fast response (ping) function.
                                   This function is enabled by default.

Maintenance Commands
To maintain the ICMP fast response function, run the following commands on the ZXR10
ZSR V2:

Command                                     Function

ZXR10#debug ip icmp                         Enables the ICMP debug function, which displays
                                            debug information on ICMP processing, and at the
                                            same time disables the ICMP fast ping function.

ZXR10#debug ip icmp detail                  Enables the ICMP debug function, which displays
                                            detailed debug information on ICMP processing, and
                                            at the same time disables the ICMP fast response
                                            function.

ZXR10#debug ip interface <interface-name>   Enables the IP debug function on the configuration
                                            interface, which displays debug information on IP
                                            processing, and at the same time disables the ICMP
                                            fast response function.

ZXR10#debug ip                              Enables the IP debug function, which displays debug
                                            information on IP-layer processing, and at the same
                                            time disables the ICMP fast response function.

ZXR10#show debug icmp                       Displays the enabled ICMP debug functions.

ZXR10#show debug ip                         Displays the enabled IP debug functions.

ZXR10#show ip traffic                       Displays statistics of received and sent packets at
                                            the IP, ICMP, UDP, and TCP layers.

ZXR10#clear ip traffic                      Clears statistics of received and sent packets at
                                            the IP, ICMP, UDP, and TCP layers.

Configuration Example
- Configuration Description

As shown in Figure 15-1, the interface gei-1/1 of R1 is connected to gei-1/1 of R2
directly. The ICMP fast response (ping) function is required between R1 and R2.


Figure 15-1 ICMP Fast Response Configuration Example

- Configuration Flow
1. Configure IP addresses of R1 and R2 interfaces.
2. Test the configuration result to make sure that the ICMP fast response (ping)
function is enabled between R1 and R2.
- Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
R1(config-if-gei-1/1)#exit

Run the following commands on R2:


R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 10.1.1.2 255.255.255.0
R2(config-if-gei-1/1)#exit
- Configuration Verification
Run the following command to check the configurations on R1. The execution result
is displayed as follows:
R1#ping 10.1.1.2
sending 5,100-byte ICMP echoes to 10.1.1.2,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/21 ms.

Run the following command to check the configurations on R2. The execution result
is displayed as follows:
R2#ping 10.1.1.1
sending 5,100-byte ICMP echoes to 10.1.1.1,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/21 ms.

Note:
The ICMP fast response function is enabled by default. If the corresponding debug
function is enabled and then ping is performed, the ICMP fast response (ping) function
is disabled.


15.2 Configuring IP Source Route Option Processing


Overview
IP allows a source host to specify in advance a path through an IP network. This path
is called a source route. If a source route is specified, the software forwards packets
according to the source route. This function can be used to force a packet to cross a
network along a specified route. By default, the software uses a source route.
An IP data packet contains an options field whose length is variable. The options field is
used for testing and debugging networks. Each option in this field begins with an option
code octet that identifies the option type. Option types are listed below:
- Loose source route option
- Strict source route option
The router software checks the IP header options of each packet. If it finds that one of
the options is valid, the software performs the corresponding operations. If it finds an
invalid option, the software drops the packet and sends an ICMP parameter-problem packet
to the packet source.
For example, the option code of the loose source route option is 131. Its length is variable,
and is determined by the source. The format is shown in Figure 15-2.

Figure 15-2 Loose Source Route Option Packet Format

The length field gives the length of the option in octets (including the option code, length
and pointer fields). The pointer field points to the address of the next hop, and its
minimum value is 4 (that is, it points to the IP address of the first hop). The addresses
following the pointer field are the hops designated by the source. The packet must pass
these hops.
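The option layout and the valid/invalid decision described above, as an added example (not code from this guide or from the router software): it walks the options of an IPv4 header, decodes a loose or strict source route option, and reports when the option is malformed and the packet would be dropped with an ICMP parameter-problem reply. Assumptions: the strict source route option code 137 and the end-of-list / no-operation codes come from RFC 791; the function names, the sample header and the hop address 10.10.50.1 are constructed.

```python
import ipaddress
import struct

EOL, NOP = 0, 1          # end of option list, no operation (RFC 791)
LSRR, SSRR = 131, 137    # loose (code given above) and strict (RFC 791)


class OptionError(ValueError):
    """Invalid option: the packet is dropped and an ICMP parameter-problem
    packet goes back to the source, as described above."""


def build_header(src, dst, options=b""):
    """Constructed IPv4 header for this demo (checksum field left at 0)."""
    options += bytes(-len(options) % 4)            # pad with EOL octets
    ihl = 5 + len(options) // 4
    if ihl > 15:
        raise OptionError("options do not fit in an IPv4 header")
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                       64, 1, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + options


def iter_options(header):
    """Yield each multi-octet option as bytes (code, length, data)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise OptionError("not an IPv4 header")
    header_len = (header[0] & 0x0F) * 4
    if header_len < 20 or header_len > len(header):
        raise OptionError("bad header length")
    opts, i = header[20:header_len], 0
    while i < len(opts):
        code = opts[i]
        if code == EOL:
            return
        if code == NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise OptionError("option %d has a bad length" % code)
        yield opts[i:i + opts[i + 1]]
        i += opts[i + 1]


def decode_source_route(option):
    """Decode code/length/pointer/addresses of a source route option."""
    code, length = option[0], option[1]
    if length < 3 or (length - 3) % 4:
        raise OptionError("source route length must be 3 + 4 * hops")
    pointer = option[2]
    if pointer < 4 or pointer % 4 or pointer > length + 1:
        raise OptionError("source route pointer %d is invalid" % pointer)
    hops = [str(ipaddress.IPv4Address(option[j:j + 4]))
            for j in range(3, length, 4)]
    index = (pointer - 4) // 4                     # pointer 4 -> first hop
    return {"kind": "loose" if code == LSRR else "strict",
            "hops": hops,
            "next_hop": hops[index] if index < len(hops) else None}


def classify(header):
    """Return (verdict, detail) for one header."""
    try:
        options = list(iter_options(header))       # validate every option
        for option in options:
            if option[0] in (LSRR, SSRR):
                return "source-route", decode_source_route(option)
    except OptionError as exc:
        return "drop-parameter-problem", str(exc)
    return "no-source-route", None


def sample_route_option(code=LSRR, pointer=4):
    """Constructed option with two hops (second address is made up)."""
    hops = b"".join(ipaddress.IPv4Address(a).packed
                    for a in ("10.10.20.2", "10.10.50.1"))
    return bytes([code, 3 + len(hops), pointer]) + hops


if __name__ == "__main__":
    for ptr in (4, 8, 12, 3):
        hdr = build_header("10.10.10.1", "10.10.50.1", sample_route_option(LSRR, ptr))
        print(ptr, classify(hdr))
```

The same `classify` result can drive a monitoring rule: any packet reported as `source-route` on a segment where source routing is not expected is worth logging.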

Configuration Commands
To configure the processing of IP source route options, run the following command on the
ZXR10 ZSR V2:

Command                         Function

ZXR10(config)#ip source-route   Enables the ZXR10 ZSR V2 processing of packets with
                                IP source route options.


Maintenance Commands
To display the IP source route option configuration, run the following command on the
ZXR10 ZSR V2:

Command                            Function

ZXR10#show running-config ip all   Displays whether the IP source route option
                                   processing function is configured.

Refer to 15.1 Configuring ICMP Fast Response for maintenance commands relevant to
packet sending and receiving.

Configuration Example
- Configuration Description
As shown in Figure 15-3, it is required to configure the IP source route option
processing function.

Figure 15-3 IP Source Route Option Processing Configuration Example

- Configuration Flow
1. Configure IGP and unicast routes so that the routers can ping each other
successfully.
2. Configure source route options on R1.
3. Make the source send IP packets with correct IP options.
4. Make the source send IP packets with incorrect IP options.
- Configuration Command
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 10.10.20.1 255.255.255.0
R1(config-if-gei-1/1)#exit
R1(config)#router ospf 1
R1(config-ospf-1)#network 10.10.10.0 0.0.0.255 area 0
R1(config-ospf-1)#network 10.10.20.0 0.0.0.255 area 0
R1(config-ospf-1)#exit
R1(config)#ip source-route

Run the following commands on R2:


R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 10.10.20.2 255.255.255.0
R2(config-if-gei-1/1)#exit
R2(config)#router ospf 1
R2(config-ospf-1)#network 10.10.20.0 0.0.0.255 area 0
R2(config-ospf-1)#network 10.10.50.0 0.0.0.255 area 0
R2(config-ospf-1)#exit
- Configuration Verification

When the source sends IP packets with correct IP options, the traffic is forwarded
properly.

When the source sends IP packets with incorrect IP options, the packets are dropped.

15.3 Configuring ICMP Unreachable Packet Function


Overview
If the router receives a non-multicast packet that uses an unknown protocol, the router
returns an ICMP unreachable packet to the source address. Similarly, if the router receives
a packet that cannot be sent to the destination (because the route to the destination is
unknown), it sends an ICMP host unreachable packet to the source address. By default,
ICMP unreachable packets are enabled.

Configuration Commands
To configure the ICMP unreachable packet function, run the following commands on the
ZXR10 ZSR V2:

Command                                                 Function

ZXR10(config)#icmp-config                               Enters ICMP configuration mode.

ZXR10(config-icmp)#interface <interface-name>           Enters ICMP interface configuration mode.

ZXR10(config-icmp-if-interface-name)#ip unreachable     Enables the interface function of sending
                                                        ICMP unreachable packets.

Maintenance Commands
To view detailed information on packet sending and receiving after the ICMP unreachable
packet function is configured, run the following command. For other commands, refer to
15.1 Configuring ICMP Fast Response.

Command                      Function

ZXR10#debug ip icmp detail   Displays information on ICMP packets.


Configuration Example
- Configuration Description
As shown in Figure 15-4, R1 receives packets with an unknown protocol, and ICMP
unreachable packets are enabled.

Figure 15-4 ICMP Unreachable Packet Function Configuration Example

- Configuration Flow
1. Enter ICMP configuration mode.
2. Enable the ICMP unreachable packet function on a specified interface.
3. Enable the interface to send ICMP unreachable packets.
- Configuration Commands

Run the following commands on R1:

R1(config)#icmp-config
R1(config-icmp)#interface gei-1/1
R1(config-icmp-if-gei-1/1)#ip unreachable
R1(config-icmp-if-gei-1/1)#exit
R1(config-icmp)#exit

R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#ip address 60.0.0.1 255.255.255.0
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip forward unreachable
R1(config-if-gei-1/1)#exit
- Configuration Verification

When the PC sends unknown protocol packets to R1, R1 sends ICMP unreachable
packets to the PC.

15.4 Enabling an Interface to Send ICMP Unreachable Packets

Overview
Packets that are regarded as ICMP unreachable are dropped. To have ICMP unreachable
packets returned for them, you need to configure this function for the interface. Then, the
forwarding plane reports a packet whose protocol is unknown or whose route cannot be
found to the control plane. The control plane returns an ICMP unreachable packet to the
source node. This function is disabled by default.


Configuration Commands
To enable an interface to send ICMP unreachable packets, run the following command on
the ZXR10 ZSR V2:

Command                                                   Function

ZXR10(config)#interface <interface-name>                  Enters the interface configuration mode.

ZXR10(config-if-interface-name)#ip forward unreachable    Enables the interface to send unreachable
                                                          packets. Ethernet and POS interfaces are
                                                          supported.

Maintenance Commands
To view information on packet sending and receiving after the configuration is performed,
run the following command on the ZXR10 ZSR V2. For other commands, refer to 15.1
Configuring ICMP Fast Response.

Command                      Function

ZXR10#debug ip icmp detail   Displays information on ICMP packets.

Configuration Example
- Configuration Description
As shown in Figure 15-5, the interface receives a packet with an unknown destination,
and returns an ICMP unreachable packet.

Figure 15-5 Configuration Example of an Interface Sending ICMP Unreachable Packets

- Configuration Flow
1. Configure interface addresses for the devices.
2. Configure a static route between the two devices that are not directly connected.
3. Enable ICMP unreachable packets on the interface.
- Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#exit

R1(config)#ip route 1.2.3.4 255.255.255.255 10.1.1.2

Run the following commands on R2:


R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#ip address 10.1.1.2 255.255.255.0
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip forward unreachable
R2(config-if-gei-1/1)#exit

R2(config)#icmp-config
R2(config-icmp)#interface gei-1/1
R2(config-icmp-if-gei-1/1)#ip unreachable
R2(config-icmp-if-gei-1/1)#exit
- Configuration Verification

R2 does not have a route to 1.2.3.4/32.

Run the debug ip icmp detail command on R2. Run the ping 1.2.3.4 command on
R1. You can see that R2 sends host unreachable packets to R1.

15.5 Configuring IP Ping


Overview
- Description of Ping

The name ping comes from sonar ranging. Ping is used to test whether another
host is reachable. The program sends an ICMP Echo Request to the host and waits
for an ICMP Echo Reply.

If a host cannot be pinged successfully, it cannot be logged in to through
Telecommunication Network Protocol (TELNET) or FTP. Conversely, if a host
cannot be logged in to through TELNET, the ping program can be used to locate the
problem. The ping program can also be used to measure the round-trip time to the
host, which indicates how far away the host is.

- Characteristics of Ping

The ping command sends an ICMP Echo Request. If the destination receives the
ICMP Echo Request, it sends an ICMP Echo Reply to the source address of the
Echo Request. Therefore, the ping command can be used to diagnose network
connectivity faults.

The ping program that sends an Echo Request is called a client, and the host that
is pinged is called a server. Most Transmission Control Protocol/Internet
Protocol (TCP/IP) implementations support the ping server directly in the kernel.
The server is not a user process.

The format of an ICMP Echo Request and an ICMP Echo Reply is shown in Figure
15-6.


Figure 15-6 Format of an ICMP Echo Request/Reply

If the type field is 8, it is an ICMP Echo Request packet. If the type field is 0, it is an
ICMP Echo Reply packet.
As with other types of ICMP query packets, a server must reply with the identifier and the
serial (sequence) number. In addition, the optional data sent by a client must be echoed,
on the assumption that the client is interested in the information.
The serial number starts from 0, and it increments by one when a new Echo Request
is sent. The ping program displays the serial number of each returning packet, which
allows users to check whether packets are lost, out of order or duplicated.
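The Echo Request/Reply format and the use of the serial number described above, as an added example (not code from this guide or from the router software): it builds a request, produces the reply a server must return (identifier, serial number and data echoed), verifies the checksum, and classifies a list of returned serial numbers as lost, duplicated or out of order. Assumptions: the 8-octet header layout and the Internet checksum follow RFC 792 and RFC 1071; the function names and sample values are constructed.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0


def inet_checksum(data):
    """16-bit ones' complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Type, code 0, checksum, identifier, serial number, then the data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    checksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def parse_echo(packet):
    """Validate and decode an Echo Request or Echo Reply."""
    if len(packet) < 8:
        raise ValueError("shorter than the ICMP echo header")
    if inet_checksum(packet) != 0:
        raise ValueError("checksum mismatch")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request or reply")
    return {"type": icmp_type, "ident": ident, "seq": seq, "data": packet[8:]}


def reply_to(request):
    """What the pinged host returns: same identifier, serial number, data."""
    fields = parse_echo(request)
    if fields["type"] != ECHO_REQUEST:
        raise ValueError("only an echo request is answered")
    return build_echo(ECHO_REPLY, fields["ident"], fields["seq"], fields["data"])


def reply_matches(request, reply):
    """Client-side check that a reply really answers this request."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (rep["type"] == ECHO_REPLY
            and (rep["ident"], rep["seq"], rep["data"])
            == (req["ident"], req["seq"], req["data"]))


def analyse_replies(sent_count, received_seqs):
    """Serial numbers start at 0; report lost, duplicated and late ones."""
    seen, duplicated, reordered, highest = set(), set(), [], -1
    for seq in received_seqs:
        if seq in seen:
            duplicated.add(seq)
            continue
        if seq < highest:
            reordered.append(seq)      # arrived after a later serial number
        highest = max(highest, seq)
        seen.add(seq)
    lost = [seq for seq in range(sent_count) if seq not in seen]
    return {"lost": lost, "duplicated": sorted(duplicated), "reordered": reordered}


if __name__ == "__main__":
    request = build_echo(ECHO_REQUEST, 0x1234, 0, b"constructed payload")
    print(parse_echo(reply_to(request)))
    print(analyse_replies(5, [0, 1, 3, 2, 3]))   # constructed arrival order
```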

Configuration Commands
To configure IP ping on the ZXR10 ZSR V2, run the following commands:

Command                                                           Function

ZXR10>ping [vrf <vrf-name>]{<ip-address>|domain <domain-name>}    Pings an IP address in user mode.

ZXR10#ping [{dcn|vrf <vrf-name>}]{<ip-address>|domain             Pings an IP address in privileged
<domain-name>}[df-bit <don't-frag>][pattern <string>][speed       mode.
{limit {0 |<limit-num>}| interval <interval-number>}][repeat
<repeat-count>][size <datagram-size>][source <source-address>]
[timeout <timeout>][tos <tos>][ttl <ttl>][option {[{loose |
strict}<source-route-address>][record <record-hops>][timestamp
<record-timestamps>][none]}][interface <interface-name>]

ZXR10#ping vrf <vrf-name><ip-address>                             Pings an IP address in the specified
                                                                  Virtual Route Forwarding Table (VRF).
                                                                  The range of the VRF name is 1-32
                                                                  characters.

ZXR10#ping dcn <ip-address>                                       Pings an IP address that belongs to a
                                                                  Data Communications Network (DCN).

ZXR10#ping domain <domain-name>                                   Pings a Domain Name System (DNS)
                                                                  domain name.

domain <domain-name>: DNS domain name, range: 1-128 characters.
repeat <repeat-count>: number of retry attempts, range: 1-65535, default: 5.
size <datagram-size>: size of a ping packet, range: 36-8192, default: 100 bytes.
timeout <timeout>: timeout period, unit: second, range: 1-20.
tos <tos>: Type of Service (ToS) of a sent packet, range: 0-255, default: 0.
ttl <ttl>: Time To Live (TTL), range: 1-255.
df-bit <don't-frag>: flag indicating no fragmentation, options: 0, 1, default: 0 (indicating
that fragmentation is allowed).
pattern <pad>: value of the pad field in a packet.
option: whether to configure the IP options. The value 1 means that IP options can be
configured.
speed limit <limit-num>: number of ping packets sent per second.
speed interval <interval-seconds>: interval between two data request packets, unit: second,
range: 2-10.
loose | strict <source-route-address>: specified source station route, format: dotted decimal.
record <record-hops>: maximum number of hops that needs to be recorded, range: 1-9.
timestamp <record-timestamps>: maximum number of timestamps that needs to be
recorded, range: 1-9.

Maintenance Commands
To maintain IP Ping, run the following command on the ZXR10 ZSR V2:

Command               Function

ZXR10#debug ip icmp   Displays the information on ICMP packets sent and received
                      when the ping command is run.

Configuration Example
- Configuration Description
As shown in Figure 15-7, two interfaces on two devices in the same network segment
use the ping command to test the connectivity.

Figure 15-7 IP Ping Configuration Example

- Configuration Flow
1. Enter interface configuration mode and configure IP addresses on the interfaces
for communication.
2. Run the ping command in privileged mode.
- Configuration Commands

Run the following commands on R1:

R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 100.0.0.15 255.255.255.0
R1(config-if-gei-1/1)#exit

Run the following commands on R2:

R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 100.0.0.20 255.255.255.0
R2(config-if-gei-1/1)#exit
- Configuration Verification

Run the ping command on R1 to check the connectivity. The execution result is
displayed as follows:
R1#ping 100.0.0.20
sending 5,100-byte ICMP echoes to 100.0.0.20,timeout is 2 seconds.
!!!!! /*The result shows that the address can be pinged successfully.*/
Success rate is 100 percent(5/5),round-trip min/avg/max= 17/18/20ms.

R1#ping 100.0.0.21
sending 5,100-byte ICMP echoes to 100.0.0.21,timeout is 2 seconds.
..... /*The result shows that the address cannot be pinged successfully.*/
Success rate is 0 percent(0/5).

15.6 Configuring IP Trace


Overview
- Description of IP Trace

The trace command is used for debugging. It displays the route that an IP data packet
takes from one host to another. Because the space available for options in an IP
header is limited, the record route option cannot be used. The trace command uses
ICMP packets and the TTL field in IP headers to accomplish its function.

- Work Flow of IP Trace

IP Trace obtains a router address through the following procedure:

1. The "trace" program sends an IP data packet to the destination host. The value
of the TTL field in the IP header is 1. The first router that receives this packet
reduces the value of the TTL field by 1. It drops the packet, and returns a timeout
ICMP packet. In this way, the address of the first router is obtained.
2. The "trace" program sends an IP data packet whose TTL field in the IP header is
2. In this way, the address of the second router is obtained.
3. The "trace" program continues with this procedure until a packet arrives at the
destination host.

IP Trace identifies the end of "trace" through the following procedure:

1. The "trace" program sends the destination host a UDP data packet addressed to a
high-numbered port, so that no application on the destination host is likely to be
using that port.
2. When the data packet arrives at the host, the UDP module generates an ICMP
packet indicating that the port is unreachable.
3. In this way, by identifying whether the received ICMP packet is a timeout packet
or a port unreachable packet, the sending side knows when "trace" ends.

The interfaces between the "trace" module and sub-modules are shown in Figure
15-8.

Figure 15-8 Interfaces Between the "Trace" Module and Sub-Modules

Configuration Commands
To configure IP trace on ZXR10 ZSR V2, run the following commands:

Command                                                          Function

ZXR10>trace [vrf <vrf-name>]<ip-address>                         Traces an IP address in user mode.

ZXR10#trace [{dcn|vrf <vrf-name>}]{<ip-address>|domain           Traces an IP address in privileged
<domain-name>}[source <source-address>][maxttl <ttl>][timeout    mode.
<timeout>]

The trace command uses ICMP error packets. An ICMP error packet is generated when
a data packet exceeds its TTL value. By sending a data packet whose TTL value is 1, the
trace command triggers the first router to drop the packet and return an error packet. A
TTL timeout packet means that an intermediate router has received the packet and
discarded it. An ICMP error packet indicating that the destination is unreachable means
that the destination node has received the packet but cannot deliver it. If the timer
expires before a reply arrives, the "trace" program displays a "*" mark.
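The TTL walk and the end-of-trace test described above, as an added example (not code from this guide or from the router software): a small offline model in which each probe is carried across a constructed router path, so the roles of the TTL timeout packet, the port unreachable packet and the "*" mark can be followed step by step. Assumptions: the ICMP type and code values come from RFC 792; the function names and the path (addresses reused from the trace output later in this section, plus one constructed silent router) are illustrative.

```python
TIME_EXCEEDED = (11, 0)      # ICMP type 11, code 0: TTL exceeded in transit
PORT_UNREACHABLE = (3, 3)    # ICMP type 3, code 3: port unreachable


def send_probe(path, destination, ttl):
    """Model one UDP probe crossing `path`, a list of (address, replies)
    routers in front of `destination`. Returns (source, icmp) or None when
    the timer would expire without an answer."""
    for address, replies in path:
        ttl -= 1                        # every router decrements the TTL
        if ttl == 0:                    # the probe is dropped at this router
            return (address, TIME_EXCEEDED) if replies else None
    # The probe reached the destination; nothing listens on the high port.
    return destination, PORT_UNREACHABLE


def trace(path, destination, max_ttl=30):
    """Return (hops, finished): hops is a list of (ttl, address or '*')."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(path, destination, ttl)
        if reply is None:
            hops.append((ttl, "*"))     # no reply before the timeout
            continue
        source, icmp = reply
        hops.append((ttl, source))
        if icmp == PORT_UNREACHABLE:    # only the destination sends this
            return hops, True
    return hops, False                  # maximum TTL reached first


# Constructed path: the fourth router forwards packets but never answers.
CONSTRUCTED_PATH = [
    ("100.0.0.22", True), ("10.17.94.81", True), ("10.28.5.61", True),
    ("silent-router", False), ("202.70.62.169", True),
    ("202.43.177.81", True), ("218.100.27.30", True),
]

if __name__ == "__main__":
    hops, finished = trace(CONSTRUCTED_PATH, "175.103.59.110")
    for ttl, address in hops:
        print(ttl, address)
    print("[finished]" if finished else "[maximum TTL reached]")
```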


Maintenance Commands
The following example shows the output of the trace command used in privileged mode.
The trace command traces the path to 168.1.10.100.
ZXR10#trace 168.1.10.100
tracing the route to 168.1.10.100
1 168.1.10.100 2 ms 3 ms 5 ms
[finished]

Descriptions of the command output:

Command Output: 1
Description: The sequence number of a router along the route to the destination.

Command Output: 168.1.10.100
Description: The IP address of a router along the route. The last IP address is the destination.

Command Output: 2 ms 3 ms 5 ms
Description: The round-trip times of the three detection probes.

Configuration Example
• Configuration Description
As shown in Figure 15-9, the trace command is run on R1 to detect the route to R2.

Figure 15-9 IP Trace Configuration Example

• Configuration Flow
1. Configure interface addresses and routes.
2. Run the trace command in privileged mode.
• Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 100.0.0.15 255.255.255.0
R1(config-if-gei-1/1)#exit
R1(config)#router ospf 1
R1(config-ospf-1)#network 100.0.0.0 0.0.0.255 area 0
R1(config-ospf-1)#end
• Configuration Verification
The execution result of the trace command on R1 is displayed as follows:
R1#trace 175.103.59.110
tracing the route to 175.103.59.110 over a maximum of 30 hops:
1 100.0.0.22 55 ms 2 ms 2 ms
/*The IP address on the first-hop device and time delays*/
2 10.17.94.81 176 ms 143 ms 333 ms
3 10.28.5.61 131 ms 133 ms 134 ms
4 * * *
/*The fourth-hop device does not return any packet. There are "*" marks.*/
5 202.70.62.169 151 ms 149 ms 146 ms
6 202.43.177.81 176 ms 162 ms 165 ms
7 218.100.27.30 142 ms 134 ms 159 ms
8 175.103.59.110 140 ms 166 ms 138 ms
[finished]

15.7 Configuring LSP Ping


Overview
• Description of LSP Ping

On an MPLS network, if IP ping is used, labels are added to ping packets and label
switching is performed. IP ping, however, only checks connectivity on the IP plane
and cannot check LSPs. On an MPLS network, if an LDP session between two LSRs is
disconnected, labels cannot be forwarded. In this case, IP ping packets still reach
the destination, but the LSP has failed.

Various factors cause LSP faults. For example, an LDP session is disconnected, LDP
is not enabled on some LSRs, or an exception occurs in an LDP label forwarding table.
A mechanism different from IP ping is needed to detect whether an end-to-end LSP
is operating properly. LSP ping was introduced for this purpose.

LSP ping uses a packet belonging to a specific Forwarding Equivalence Class
(FEC) to verify the integrity of the LSP (from the source LSR to the destination LSR)
that belongs to this FEC. An LSP ping request packet contains information on the
corresponding FEC.

• Work Flow of LSP Ping

An LSP ping packet is encapsulated in a UDP packet, and contains a serial number
and a time stamp. When processing an LSP ping request packet, MPLS uses the
same forwarding policy as for packets of the FEC. When the LSP ping packet reaches
an LSP egress, the LSR control plane checks the packet to verify whether this LSR is
the correct egress of the FEC.

Similar to IP ping, LSP ping also uses the Echo Request and Echo Reply mechanism.
However, the LSP ping packet format is completely different from the IP ping packet
format. Packets sent by LSP ping are not ICMP packets but UDP packets whose port
number is 3503. On an MPLS network, LSP ping works as follows:

1. A source device sends a UDP Echo Request packet whose port number is 3503.
2. LSRs forward the Echo Request packet through label switching.
3. When the packet reaches the destination device, the destination device responds
with a UDP Echo Reply packet whose port number is 3503.

To prevent IP packets from being forwarded when an IP path is operating properly
but an LSP is disconnected, the value of the IP TTL field in an LSP ping Echo
Request packet is set to 1, and the destination address of the packet is set to
an address in the 127.0.0.0/8 segment. LSRs do not forward such an IP packet
without an MPLS label.

An LSP is unidirectional. An LSP ping Echo Request packet is only forwarded along
the LSP to be tested. The corresponding Echo Reply packet only sends necessary
information to the source, and it does not need to go along the same path as that of
the Echo Request packet. The reply packet can also be an IP packet without a label.

The path of an MPLS Echo Request packet of LSP ping and that of the corresponding
Echo Reply packet may be different. The destination address and destination port of
the Echo Reply packet are the source address and source port of the Echo Request
packet respectively.

Configuration Commands
To configure LSP ping on the ZXR10 ZSR V2, run the following commands:

Command: ZXR10#ping mpls ipv4 <ip-address><mask-length>[output-interface <interface-name>][destination <start-ipv4-address>[<end-ipv4-address>][<increment>]][repeat <repeat-count>| size <datagrame-size>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}| ttl <ttl>]
Function: Configures IPv4 LDP LSP ping.

Command: ZXR10#ping mpls traffic-eng te_tunnel<id>[{master|slave}][repeat <repeat-count>| size <datagrame-size>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}| ttl <ttl>]
Function: Configures RSVP LSP ping.

Command: ZXR10#ping mpls pseudowire [multisegment]<pw-name>[repeat <repeat-count>| size <datagrame-size>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}| ttl <ttl>]
Function: Configures PWE3 LSP ping.

<repeat-count>: number of retry attempts, range: 1-65535, default: 5.
<datagram-size>: LSP ping packet size, range: 100-1500, unit: byte, default: 120.
<timeout>: timeout period, unit: second, range: 1-20, default: 2.
master: specifies that the master LSP sends LSP ping packets.
slave: specifies that the slave LSP sends LSP ping packets.
multisegment: enables the ping multisegment pseudowire function.

Maintenance Commands
To maintain LSP ping on the ZXR10 ZSR V2, run the following command:


Command: ZXR10#debug lspv {error | event | packet | tlv | all}
Function: Displays information on sent UDP Echo Request packets and received UDP Echo Reply packets when LSP ping is performed.

LDP LSP Ping Configuration Example


• Configuration Description
As shown in Figure 15-10, LDP is enabled on R1, R2 and R3. It is required to configure
LSP ping on R1 to check connectivity.

Figure 15-10 LDP LSP Ping Configuration Example

• Configuration Flow
1. Build an LDP network.
2. Perform LDP LSP ping on R1.
• Configuration Commands
For LDP configuration, refer to the MPLS configuration example.
• Configuration Verification
Ping R3 on R1. The result is displayed as follows:
R1#ping mpls ipv4 10.28.0.4 32
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 5/38/151 ms.

Ping R3 (mismatched FEC) on R1. The result is displayed as follows:

R1#ping mpls ipv4 10.28.0.4 30
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
QQQQQ
Success rate is 0 percent(0/5).

R1 cannot ping R3 successfully. LSP ping checks whether the "FEC destination
address + mask" is correct. If the "FEC destination address + mask" is incorrect,
LSP ping fails.

Ping R3 (nonexistent FEC) on R1. The result is displayed as follows:

R1#ping mpls ipv4 9.9.9.8 32
sending 5,120-byte MPLS echo(es) to 9.9.9.8,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
QQQQQ
Success rate is 0 percent(0/5).

RSVP LSP Ping Configuration Example


• Configuration Description

As shown in Figure 15-11, RSVP is enabled on R1, R2 and R3. Build an Open Shortest
Path First-Traffic Engineering (OSPF-TE) network. It is required to configure LSP ping
on R1 to check connectivity.


Figure 15-11 RSVP LSP Ping Configuration Example

• Configuration Flow
1. Build an OSPF-TE network.
2. Perform RSVP LSP ping on R1.
• Configuration Command

For RSVP configuration, refer to the OSPF-TE configuration example.

• Configuration Verification

Run the following command to check configurations on R1. The execution result is
displayed as follows:
R1#show mpls traffic-eng tunnels brief
Signalling Summary:
LSP Tunnels Process: running
RSVP Process: running
Forwarding: enabled
TUNNEL NAME   DESTINATION   UP IF   DOWN IF   STATE/PROT
tunnel_4000   10.28.0.5     -       unknown   up/down
tunnel_1      10.28.0.4     -       gei-1/2   up/up

Test connectivity of the tunnel on R1. The execution result is displayed as follows:

R1#ping mpls traffic-eng te_tunnel1 /*TE tunnel of LSP Ping UP on R1*/
sending 5,120-byte MPLS echo(es) to te_tunnel1,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 2/3/6 ms.

R1#ping mpls traffic-eng te_tunnel4000 /*TE tunnel of LSP Ping DOWN on R1*/
sending 5,120-byte MPLS echos to te_tunnel4000,timeout is 2 seconds.
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
QQQQQ
Success rate is 0 percent(0/5).

PWE3 LSP Ping Configuration Example


• Configuration Description

As shown in Figure 15-12, R1, R2 and R3 form an L2 VPN network. It is required to
configure LSP ping on R1 to check connectivity.

Figure 15-12 PWE3 LSP Ping Configuration Example

• Configuration Flow
1. Build an L2 VPN network.
2. Perform PWE3 LSP ping on R1.
• Configuration Commands
Basic LDP configuration is omitted here.

• Configuration Verification

Run the following command to check configurations on R1. The execution result is
displayed as follows:

R1#show l2vpn forwardinfo vpnname zte
Hearders: PWType - Pseudowire type and Pseudowire connection mode
Llabel - Local label, Rlabel - Remote label
VPNowner - owner type and instance name
Codes: H - HUB mode, S - SPOKE mode, L - VPLS, W - VPWS, M MSPW, MO - MONITOR
$pw - auto_
PWName  PeerIP     FEC  PWType      State  Llabel  Rlabel  VPNowner
pw1     10.28.0.4  128  Ethernet H  UP     81938   82241   L:zte


Run the following command on R1 to test connectivity. The execution result is
displayed as follows:

R1#ping mpls pseudowire pw1
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 2/2/2 ms.

15.8 Configuring LSP Trace


Overview
• Description of LSP Trace

To make routers on the Internet report errors of the MPLS LSP data plane or provide
information on unexpected conditions, the MPLS trace function is provided. MPLS
trace is a simple and effective method of detecting faults on the MPLS LSP data plane.
It can detect some faults that the control plane cannot find. By using this method,
users can quickly find and isolate faults such as routing black holes and loss of routes.

LSP trace is based on Echo Request and Echo Reply packets. The packets sent are
UDP packets whose port number is 3503 instead of ICMP packets.
LSP trace uses the TTL field in an MPLS packet header. The LSP trace command
increments the TTL value from 1, and sends an MPLS Echo Request packet to the
next hop. When detecting that TTL expires, an LSR sends an MPLS Echo Reply
packet to the source. In such a query procedure, each hop of an LSP can be traced.

• Work Flow of LSP Trace

The LSP trace function can be used to detect different FECs (IPv4 LDP and RSVP).
An LSP trace request packet is a UDP packet with a label. The packet uses the
well-known port 3503 as the destination port. The source port is designated by the
sender. The IP-layer source address is the IP address of the sender. The destination
address is 127.0.0.1, which is used to prevent the packet from being forwarded
according to an IP route when a fault occurs on an LSP of an intermediate LSR.

The principle of LSP trace is shown in Figure 15-13.


Figure 15-13 LSP Trace Work Flow

The MPLS LSP trace procedure between LSR1 and LSR4 is described below:

1. LSR1: LSR1 sends an MPLS Echo Request packet to LSR2. The destination
address of the packet is the FEC on LSR4.

In the Echo Request packet, the TTL value in the MPLS header is 1, the
destination address in the IP header is 127.0.0.1, and both the source port
number and destination port number in the UDP header are 3503.

2. LSR2: When receiving the request packet whose TTL value is 1, LSR2 processes
the packet. It finds that it is not the destination. Therefore, LSR2 responds to
LSR1 with an MPLS Echo Reply packet.

In the Echo Reply packet, LSR2 fills in a corresponding return code. If the return
code is 3, the node is the destination. If the return code is 6, the node is an
intermediate node. LSR1 determines whether the packet reaches the destination
according to the return code.

3. LSR1: After receiving the Echo Reply packet from LSR2, LSR1 knows the
address and label information on LSR2. According to the return code, LSR1
knows that the packet did not reach the destination. LSR1 sends an MPLS Echo
Request packet to LSR2 again. The destination of the packet is the FEC on
LSR4.
In the Echo Request packet, the TTL value in the MPLS header is 2, the
destination address in the IP header is 127.0.0.1, and both the source port
number and destination port number in the UDP header are 3503.

4. LSR2: After receiving the Echo Request packet whose TTL value is 2, LSR2
searches for label information and then forwards the packet to LSR3. The TTL
value decrements by one.
5. LSR3: After receiving the packet whose TTL value is 1, LSR3 finds that it is not
the destination either. Therefore, LSR3 responds to LSR1 with an MPLS Echo
Reply packet.

In the Echo Reply packet, the return code is 6, which indicates that the node is
an intermediate node. According to the return code, LSR1 knows that the packet
did not reach the destination.
6. LSR1: After receiving the Echo Reply packet from LSR3, LSR1 knows the
address and label information on LSR3. According to the return code, LSR1
knows that the packet did not reach the destination. LSR1 sends an MPLS Echo
Request packet to LSR2 again. The destination is the FEC on LSR4.

In the Echo Request packet, the TTL value in the MPLS header is 3, the
destination address in the IP header is 127.0.0.1, and both the source port
number and destination port number in the UDP header are 3503.
7. LSR2: After receiving the Echo Request packet whose TTL value is 3, LSR2
searches for label information and then forwards the packet to LSR3. The TTL
value decrements by one.
8. LSR3: After receiving the Echo Request packet whose TTL value is 2, LSR3
searches for label information and then forwards the packet to LSR4. The TTL
value decrements by one.
9. LSR4: After receiving the request packet whose TTL value is 1, LSR4
processes the packet. It finds that it is the destination. Therefore, LSR4
responds to LSR1 with an MPLS Echo Reply packet.

In the Echo Reply packet, the return code is 3, which indicates that the node is
the destination node.
After the procedure, LSR1 knows the address and label information on LSRs along
the LSP.
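
A simplified model of the trace procedure above, which also shows why the Echo Request described in 15.7 carries IP TTL 1 and a 127.0.0.0/8 destination. It is an added Python example, not ZTE code: the LSR class, the has_label_to_next flag and the 192.0.2.x addresses are assumptions, and return codes 3 and 6 are used as this guide states them.

```python
import ipaddress
from dataclasses import dataclass

RC_EGRESS, RC_TRANSIT = 3, 6          # return codes as this guide gives them
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class LSR:
    name: str
    address: str                      # constructed address, used only to label replies
    has_label_to_next: bool = True    # False: no label binding toward the downstream LSR


def probe(path, mpls_ttl, ip_dst="127.0.0.1", ip_ttl=1):
    """Send one Echo Request from path[0]; path[-1] is the egress for the FEC.

    Returns (replier address, return code), or None when no reply comes back.
    """
    if not path[0].has_label_to_next:
        return None                   # ingress has no label for the FEC: nothing is sent
    ip_forwardable = ip_ttl > 1 and ipaddress.ip_address(ip_dst) not in LOOPBACK
    ttl = mpls_ttl
    for node in path[1:]:
        if node is path[-1]:
            return (node.address, RC_EGRESS)       # egress checks the FEC and replies
        if ttl <= 1:
            return (node.address, RC_TRANSIT)      # TTL expired at an intermediate LSR
        ttl -= 1
        if not node.has_label_to_next:
            # The LSP is broken here: the packet could only continue as plain IP.
            if ip_forwardable:
                return (path[-1].address, RC_EGRESS)   # IP routing hides the LSP fault
            return None                                # dropped, so the fault is visible
    return None


def lsp_trace(path, max_ttl=30, **ip_fields):
    """Repeat probe() with MPLS TTL 1, 2, ... until the egress answers or max_ttl is hit."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = probe(path, ttl, **ip_fields)
        hops.append((ttl,) + (reply if reply else ("*", None)))
        if reply and reply[1] == RC_EGRESS:
            break
    return hops


def build_path(broken_at=None):
    """LSR1..LSR4 as in the procedure above; addresses are constructed (192.0.2.0/24)."""
    return [LSR(f"LSR{i}", f"192.0.2.{i}", has_label_to_next=(f"LSR{i}" != broken_at))
            for i in range(1, 5)]


if __name__ == "__main__":
    print("healthy LSP:    ", lsp_trace(build_path()))
    broken = build_path(broken_at="LSR3")
    print("LSR3 lost label:", lsp_trace(broken, max_ttl=4))
    print("routable probe: ", probe(broken, 255, ip_dst="192.0.2.4", ip_ttl=64))
```

With the label binding missing on LSR3, the trace stops answering after hop 2, which localizes the fault; the same probe sent with a routable destination and a larger IP TTL is answered by the egress and would report the broken LSP as healthy.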

Configuration Commands
To configure LSP trace on the ZXR10 ZSR V2, run the following commands:

Command: ZXR10#trace mpls ipv4 <ip-address><mask-length>[output-interface <interface-name>][destination <start-ipv4-address>[<end-ipv4-address>][<increment>]][ttl <ttl>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}|[{ddmap|dsmap}]]
Function: Enables the IPv4 LDP LSP trace function.

Command: ZXR10#trace mpls traffic-eng te_tunnel <id>[{master|slave}][ttl <ttl>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}|[{ddmap|dsmap}]]
Function: Enables the RSVP LSP trace function.

Command: ZXR10#trace mpls pseudowire [multisegment]<pw-name>[ttl <ttl>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}|[{ddmap|dsmap}]]
Function: Enables the PWE3 LSP trace function.

master: specifies that the master LSP sends LSP ping packets.
slave: specifies that the slave LSP sends LSP ping packets.
multisegment: enables the ping multisegment pseudowire function.

Maintenance Commands
To maintain LSP trace, run the following command on the ZXR10 ZSR V2:

Command: ZXR10#debug lspv {error | event | packet | tlv | all}
Function: Displays information on sent UDP Echo Request packets and received UDP Echo Reply packets when LSP trace is performed.

LDP LSP Trace Configuration Example


• Configuration Description
As shown in Figure 15-14, LDP is enabled on R1, R2 and R3. It is required to configure
LSP trace on R1 to check connectivity.

Figure 15-14 LDP LSP Trace Configuration Example

• Configuration Flow
1. Build an LDP network.
2. Perform LDP LSP trace on R1.
• Configuration Command
For LDP configuration, refer to the MPLS configuration example.
• Configuration Verification
Run the following commands on R1 to view configurations. The execution result is
displayed as follows:
R1#show mpls forwarding-table
Local  Outgoing  Prefix or     Outgoing   Next Hop   M/S
label  label     Lspname       interface
20     Pop tag   10.28.0.3/32  gei-1/2    10.28.1.6  M
57     49        10.28.0.4/32  gei-1/2    10.28.1.6  M

R1#trace mpls ipv4 10.28.0.3 32
Tracing MPLS Lable Switched to 10.28.0.3,timeout is 3 second(s).
Codes:'!' - success, 'Q' - request not sent, '*' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
0 10.28.1.5 MTU 1500 [label 3 ]
! 1 10.28.1.6 10 ms
[finished]

Test trace on R1. The execution result is displayed as follows:


R1#trace mpls ipv4 10.28.0.4 32
Tracing MPLS Lable Switched to 10.28.0.4,timeout is 3 second(s).
Codes:'!' - success, 'Q' - request not sent, '*' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
0 10.28.1.5 MTU 1500 [label 49 ]
R 1 10.28.1.21 MTU 1500 [label 0 ] 8 ms
! 2 10.28.1.22 7 ms
[finished]

RSVP LSP Trace Configuration Example


• Configuration Description

As shown in Figure 15-15, the Resource ReSerVation Protocol (RSVP) is enabled on
R1, R2 and R3. Build an OSPF-TE network. It is required to configure LSP trace on
R1 to check connectivity.

Figure 15-15 RSVP LSP Trace Configuration Example

• Configuration Flow
1. Build an OSPF-TE network.
2. Perform RSVP LSP trace on R1.
• Configuration Commands

For RSVP configuration, refer to the OSPF-TE configuration example.

• Configuration Verification

Run the following commands on R1 to view configurations. The execution result is
displayed as follows:
R1#show mpls traffic-eng tunnels brief
Signalling Summary:
LSP Tunnels Process: running
RSVP Process: running
Forwarding: enabled
TUNNEL NAME   DESTINATION   UP IF   DOWN IF   STATE/PROT
tunnel_1      10.28.0.4     -       gei-1/8   up/up

Test trace on R1. The execution result is displayed as follows:

R1#trace mpls traffic-eng te_tunnel1
Tracing MPLS Lable Switched to te_tunnel1,timeout is 3 second(s).
Codes:'!' - success, 'Q' - request not sent, '*' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' DDMAP
0 10.28.1.5 MTU 1500 [label 147457 ]
R 1 10.28.1.6 MTU 1500 [label 3 ] 3 ms
! 2 10.28.1.22 4 ms
[finished]

15.9 Configuring Multicast Ping


Overview
Multicast ping sends an ICMP request packet to a multicast group address and waits for an
ICMP reply packet from the remote end. Multicast ping is applicable to PIM-SM only, and
can only be initiated by a node in an RPT (excluding a multicast receiver). The destination
address is a multicast group address. The request packet is forwarded to a multicast
receiver node through a multicast forwarding path. The receiver node responds with an
ICMP reply packet through unicast.

The work flow of multicast ping is shown in Figure 15-16.


Figure 15-16 Work Flow of Multicast Ping

1. A router initiates a multicast ping command by sending an ICMP request packet.


2. An intermediate node forwards the packet directly because there is no local receiver
directly connected.
3. A leaf node where the receiver is located sends and processes the packet, and
responds with a reply packet through unicast.
4. The initiator displays the multicast ping result.

Configuration Commands
To configure multicast ping on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#ping [vrf <vrf-name>]<ip-address>{[df-bit <don't-frag>][repeat <repeat-count>][size <datagram-size>][source <source-address>][timeout <timeout>][tos <tos>][ttl <ttl>]option{[{loose | strict}<source-route-address>][record <record-hops>][timestamp <record-timestamps>][none]}][pattern <pad>][speed {limit <limite-num>| interval <interval-seconds>}]}
Function: Configures the multicast ping command in any other mode except user mode.

<repeat-count>: number of retry attempts, range: 1-65535, default: 5.
<datagram-size>: size of a ping packet, range: 36-8192, default: 100 octets.
<timeout>: timeout period, unit: second, range: 1-20.
<tos>: ToS of a sent packet, range: 0-255, default: 0.
<ttl>: TTL, range: 1-255.
<don't-frag>: flag indicating no fragmentation, options: 0, 1, default: 0 (indicating that
fragmentation is allowed).
<pad>: value of the pad field in a packet.
option: whether to configure IP options. The value 1 means that IP options can be
configured.
<limite-num>: number of ping packets sent per second.
<interval-seconds>: interval between two data request packets, unit: second, range: 2-10.
loose | strict <source-route-address>: specified source station route, format: dotted decimal.
<record-hops>: maximum number of hops that needs to be recorded, range: 1-9.
<record-timestamps>: maximum number of timestamps that needs to be recorded, range:
1-9.

Maintenance Commands
To maintain multicast ping on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#mtrace <source-address>[<destination-address>][<group-address>]
Function: Displays information on sent multicast ping packets and received ICMP packets when multicast ping is performed.

Configuration Example
• Configuration Description
As shown in Figure 15-17, it is required to check whether the multicast last hop is
reachable.

Figure 15-17 Multicast Ping Configuration Example

• Configuration Flow
1. Build a network.
2. Enable PIM-SM on R1 and R2.
3. Add the receiving group to the multicast group.
4. Ping the multicast group address on R1.
• Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/9
R1(config-if-gei-1/9)#no shutdown
R1(config-if-gei-1/9)#ip address 12.131.1.1 255.255.255.0
R1(config-if-gei-1/9)#exit
R1(config)#interface gei-1/8
R1(config-if-gei-1/8)#no shutdown
R1(config-if-gei-1/8)#ip address 17.1.1.2 255.255.255.0
R1(config-if-gei-1/8)#exit
R1(config)#interface loopback1
R1(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0
R1(config-if-loopback1)#exit
/*Configure a multicast protocol*/
R1(config)#ip multicast-routing
R1(config-mcast)#router pim
R1(config-mcast-pim)#rp-candidate loopback1
R1(config-mcast-pim)#bsr-candidate loopback1
R1(config-mcast-pim)#interface gei-1/9
R1(config-mcast-pim-if-gei-1/9)#pimsm
R1(config-mcast-pim-if-gei-1/9)#exit
R1(config-mcast-pim)#interface gei-1/8
R1(config-mcast-pim-if-gei-1/8)#pimsm
R1(config-mcast-pim-if-gei-1/8)#end

Configurations on R2 are similar to those on R1. Configure an IP address and enable
a multicast protocol on R2.
Run the following command on R2 to add a static route to the RP:

R2(config)#ip route 3.3.3.3 255.255.255.255 17.1.1.2

• Configuration Verification
Run the ping command on R1 to check whether the receiving group has joined the
225.0.0.1 multicast group. The execution result is displayed as follows:
R1#ping 225.0.0.1
sending 5,100-byte ICMP echoes to 225.0.0.1,timeout is 2 seconds.
Reply to request 1 received from 17.1.1.1, 2 ms
Reply to request 2 received from 17.1.1.1, 2 ms
Reply to request 3 received from 17.1.1.1, 2 ms
Reply to request 4 received from 17.1.1.1, 2 ms
Reply to request 5 received from 17.1.1.1, 2 ms

Success rate is 100 percent(5/5),round-trip min/avg/max= 2/2/2 ms.


15.10 Configuring Multicast Trace


Overview
Multicast trace provides a method of monitoring multicast routes and detecting RPF.
At present, the multicast trace version is v1.0. Multicast trace checks connectivity of a
multicast path by sending and receiving IGMP protocol packets.
Multicast trace is used to detect the reverse path from a destination address to a multicast
source. It uses two methods to search for a next hop route. One is by RPF. The other is
by an (S, G) or (*, G) entry, and (S, G) is preferred.
Take Figure 15-18 as an example to describe the two multicast trace work flows.

Figure 15-18 Multicast Trace Principle

• When trace 1.1.1.3 2.2.2.2 is configured on R1, R1 finds that the next hop is 1.1.1.1
through RPF. Until finding that the next hop route 1.1.1.3 is a source direct-connected
route, R1 unicasts the destination route 2.2.2.2.
• When trace 1.1.1.3 2.2.2.2 224.1.1.1 is configured on R1, R1 searches for the next
hop route by an (S, G) or (*, G) entry. (S, G) is preferred. Until finding that the next
hop route 1.1.1.3 is a source direct-connected route, R1 unicasts the destination route
2.2.2.2.

Configuration Commands
To configure multicast trace on ZXR10 ZSR V2, use the following command.

Command: ZXR10#mtrace <source-address>[<destination-address>][<group-address>]
Function: Displays the reverse path from a destination address to a multicast source.

Configuration Example
• Configuration Description
It is required to search for a next hop route through an (S, G) or (*, G) entry. The
network topology is shown in Figure 15-19.

Figure 15-19 Multicast Trace Configuration Example


• Configuration Flow
1. Enable PIM-SM on R1 and R2.
2. The receiving group joins the multicast group. The source sends a multicast flow.
3. Configure multicast trace on R2.
• Configuration Command

Configuration on R1:

R1(config)#interface gei-1/9
R1(config-if-gei-1/9)#no shutdown
R1(config-if-gei-1/9)#ip address 12.131.1.1 255.255.255.0
R1(config-if-gei-1/9)#exit
R1(config)#interface gei-1/8
R1(config-if-gei-1/8)#no shutdown
R1(config-if-gei-1/8)#ip address 17.1.1.2 255.255.255.0
R1(config-if-gei-1/8)#exit
R1(config)#interface loopback1
R1(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0
R1(config-if-loopback1)#exit
/*Configure a multicast protocol*/
R1(config)#ip multicast-routing
R1(config-mcast)#router pim
R1(config-mcast-pim)#rp-candidate loopback1
R1(config-mcast-pim)#bsr-candidate loopback1
R1(config-mcast-pim)#interface gei-1/9
R1(config-mcast-pim-if-gei-1/9)#pimsm
R1(config-mcast-pim-if-gei-1/9)#exit
R1(config-mcast-pim)#interface gei-1/8
R1(config-mcast-pim-if-gei-1/8)#pimsm
R1(config-mcast-pim-if-gei-1/8)#end

Configuration on R2 is similar to that on R1. Configure an IP address and enable a


multicast protocol.

Configure a static route to the RP on R2, as shown below.

R2(config)#ip route 3.3.3.3 255.255.255.255 17.1.1.2


• Configuration Verification

The receiving group joins the multicast group 225.0.0.1. The source sends a multicast
flow.

R2#mtrace 12.131.1.2 17.1.1.1 225.0.0.1


Type escape sequence to abort.
Mtrace from 12.131.1.2 to 17.1.1.1 via group 225.0.0.1
0 17.1.1.1 PIM 21 ms
-1 17.1.1.2 PIM 76 ms
-2 12.131.1.1 PIM 76 ms
[finished]


15.11 Configuring MAC Ping


Overview
MAC ping provides a method of monitoring performance and detecting errors at the MAC
layer. It determines link-layer connectivity by sending and receiving EOAM MAC ping
packets.
OAM information contained in IEEE802.3 is called Ethernet Operation, Administration and
Maintenance (EOAM). EOAM provides a ping mechanism for the data link layer.
1. A router sends an Echo Request packet with a specific destination MAC address.
The OAM sub-layer sends this ping request packet as an OAM Protocol Data Unit
(OAMPDU).
2. After receiving this Echo Request packet, the receiver generates an Echo
Response OAMPDU.
EOAM-based MAC ping network structure is shown in Figure 15-20.

Figure 15-20 MAC Ping Network Structure

MAC ping supports ping from CE1 to CE2, from PE1 to PE2, from PE1 to CE2, and
from CE1 to PE2. The parameters in ping commands sent from a CE and from a PE
are different.

The following takes ping from CE1 to CE2 and from PE1 to PE2 as examples to describe
the procedures.

• Ping from CE1 to CE2

CE1 sends a MAC-layer ping request which contains an egress interface and a
destination MAC address. When receiving the request packet, CE2 sends a reply
packet. If CE1 receives the reply packet within a specified period, the link layer is
operating properly.

• Ping from PE1 to PE2

PE1 sends a MAC-layer ping request which contains a destination MAC address,
Virtual Private LAN Service (VPLS) name and peer ID. When receiving the request
packet, PE2 sends a reply packet. If PE1 receives the reply packet within a specified
period, the link layer is operating properly.

Configuration Commands
To configure MAC ping on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#mac-ping <destination-mac>{interface <out-port>| vpls <vpls-name> peer <peer-address>|vpws <vpws-name> peer <peer-address>}{summary | detail}{[external-vlan <external-vlan> internal-vlan <internal-vlan>]|[vlan <vlan-id>]}[repeat <repeat-count>][timeout <timeout>]
Function: Checks the connectivity of the destination MAC address.

<out-port>: egress interface of a request packet on a CE.
summary: briefly displays MAC ping results.
detail: displays MAC ping results in detail.
<repeat-count>: repeat count, range: 1-65536, default: 1.
<peer-address>: remote router ID to be detected on a PE.

Maintenance Commands
To maintain MAC ping on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#debug macping {all |error | event | info | packet}
Function: Displays errors, events, information, packets or all information when MAC ping packets are received and sent.

Configuration Example
• Configuration Description
For the MAC ping network structure on a VPLS network, see Figure 15-21.

Figure 15-21 MAC Ping Configuration Example

• Configuration Flow
1. Configure IP addresses. Enable OSPF between PE1 and PE2.
2. Configure LDP between PEs.
3. Configure L2 VPN VPLS.
4. Configure MAC ping.
• Configuration Commands


Run the following commands on PE1:


PE1(config)#interface loopback1
PE1(config-if-loopback1)#ip address 100.10.10.1 255.255.255.255
PE1(config-if-loopback1)#exit
PE1(config)#interface gei-1/1
PE1(config-if-gei-1/1)#no shutdown
PE1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
PE1(config-if-gei-1/1)#exit

PE1(config)#router ospf 1
PE1(config-ospf-1)#network 100.10.10.1 0.0.0.0 area 0
PE1(config-ospf-1)#network 10.1.1.1 0.0.0.255 area 0
PE1(config-ospf-1)#exit

PE1(config)#mpls ldp instance 1


PE1(config-ldp-1)#router-id loopback1
PE1(config-ldp-1)#interface gei-1/1
PE1(config-ldp-1-if-gei-1/1)#exit
PE1(config-ldp-1)#exit

PE1(config)#mpls l2vpn enable


PE1(config)#pw pw1
PE1(config)#vpls zte1
PE1(config-vpls-zte1)#pseudo-wire pw1
PE1(config-vpls-zte1-pw-pw1)#neighbour 100.10.10.2 vcid 10
PE1(config-vpls-zte1-pw-pw1-neighbour-100.10.10.2)#end

PE1(config)#zmac-oam enable /*Enable mac-ping(trace) globally.*/

Configurations on PE2 are similar to those on PE1.


• Configuration Verification
Run the mac-ping command on PE1. The execution result is displayed as follows:
PE1#mac-ping 00d0.d000.0500 vpls zte1 peer 100.10.10.2 summary
sending 5,92-byte EOAM echo(es) to 00d0.d000.0500,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/2 ms.

15.12 Configuring MAC Trace


Overview
MAC trace provides a method of monitoring performance and detecting errors at the MAC
layer. It determines whether the nodes at the link layer are operating properly by sending
and receiving EOAM MAC trace packets.


The EOAM function is defined in the 802.3ah draft. This function can be used to detect
information on the Ethernet link layer defined in IEEE802.3. OAM information contained
in IEEE802.3 is called EOAM.
EOAM-based MAC trace network structure is shown in Figure 15-22.

Figure 15-22 Network Structure of MAC Trace

MAC trace supports trace from CE1 to CE2, from PE1 to PE2, and from PE1 to CE2.
• Trace from CE1 to CE2

CE1 sends a MAC trace request. If the link is operating properly, MAC addresses of
corresponding interfaces on CE1, PE1, PE2 and CE2 are recorded.

• Trace from PE1 to PE2

PE1 sends a MAC trace request. If the link is operating properly, MAC addresses of
corresponding interfaces on PE1 and PE2 are recorded.

• Trace from PE1 to CE2

PE1 sends a MAC trace request. If the link is operating properly, MAC addresses of
corresponding interfaces on PE1, PE2 and CE2 are recorded.

Configuration Commands
To configure MAC trace on ZXR10 ZSR V2, run the following command:

Command: ZXR10#mac-trace <destination-mac>{interface <out-port>|[vpls <vpls-name> peer <peer-address>]|[vpws <vpws-name> peer <peer-address>]}[external-vlan <external-vlan-id> internal-vlan <internal-vlan-id>]|[vlan <vlan-id>]
Function: Trace a path to the destination MAC address on an Ethernet link.

<out-port>: egress interface of a request packet on a CE.
<peer-address>: remote router ID to be detected on a PE.


Maintenance Commands
To maintain MAC trace on the ZXR10 ZSR V2, run the following command:

Command: ZXR10#debug macping {all |error | event | info | packet}
Function: Displays errors, events, information and packets or all information when MAC trace packets are received and sent.

Configuration Example
• Configuration Description
On a VPLS network, the MAC trace network structure is shown in Figure 15-23.

Figure 15-23 MAC Trace Configuration Example

• Configuration Flow
1. Configure IP addresses. Enable OSPF between PE1 and PE2.
2. Configure LDP between PEs.
3. Configure L2 VPN VPLS.
4. Configure MAC trace.
• Configuration Command
Run the following commands on PE1:
PE1(config)#interface loopback1
PE1(config-if-loopback1)#ip address 100.10.10.1 255.255.255.255
PE1(config-if-loopback1)#exit
PE1(config)#interface gei-1/1
PE1(config-if-gei-1/1)#no shutdown
PE1(config-if-gei-1/1)#ip address 17.1.1.1 255.255.255.0
PE1(config-if-gei-1/1)#exit

PE1(config)#router ospf 1
PE1(config-ospf-1)#network 100.10.10.1 0.0.0.0 area 0
PE1(config-ospf-1)#network 17.1.1.1 0.0.0.255 area 0
PE1(config-ospf-1)#exit

PE1(config)#mpls ldp instance 1


PE1(config-ldp-1)#router-id loopback1
PE1(config-ldp-1)#interface gei-1/1
PE1(config-ldp-1-if-gei-1/1)#exit
PE1(config-ldp-1)#exit

PE1(config)#mpls l2vpn enable


PE1(config)#pw pw1
PE1(config)#vpls zte1
PE1(config-vpls-zte1)#pseudo-wire pw1
PE1(config-vpls-zte1-pw-pw1)#neighbour 100.10.10.2 vcid 10
PE1(config-vpls-zte1-pw-pw1-neighbour-100.10.10.2)#end

PE1(config)#zmac-oam enable /*Enable mac-ping (trace) globally.*/

Configurations on PE2 are similar to those on PE1.

• Configuration Verification

Run the mac-trace command on PE1. The execution result is displayed as follows:
PE1#mac-trace 00d0.d000.0500 vpls zte1 peer 100.10.10.2
Starting L2 Trace to 00d0.d000.0500
PE1 :gei-1/1 [002e.33d5.3f51]->
PE2 :gei-1/1 [00d0.d000.0500] !
[finished]
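
Added example (not part of the ZTE guide): a Python parser for the mac-ping summary and mac-trace output shown in sections 15.11 and 15.12, which also compares a trace against a recorded baseline so that a changed or missing link-layer hop is flagged. The function names and the baseline format are assumptions of this example, and the sample text is copied from the two verification listings above.

```python
import re

# Output copied from the "Configuration Verification" listings in 15.11 and 15.12.
MAC_PING_OUTPUT = """\
sending 5,92-byte EOAM echo(es) to 00d0.d000.0500,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/2 ms.
"""

MAC_TRACE_OUTPUT = """\
Starting L2 Trace to 00d0.d000.0500
PE1 :gei-1/1 [002e.33d5.3f51]->
PE2 :gei-1/1 [00d0.d000.0500] !
[finished]
"""

# Assumption: the round-trip part may be absent when no reply is received,
# so it is matched as optional.
PING_RE = re.compile(
    r"Success rate is (\d+) percent\s*\((\d+)/(\d+)\)"
    r"(?:,\s*round-trip min/avg/max=\s*(\d+)/(\d+)/(\d+) ms)?")
# One hop line: "<node> :<interface> [<mac in xxxx.xxxx.xxxx form>]"
HOP_RE = re.compile(
    r"^(\S+)\s*:(\S+)\s+\[([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\]",
    re.I | re.M)


def parse_mac_ping(text):
    """Return received/sent counts and RTTs from a mac-ping summary, or None."""
    m = PING_RE.search(text)
    if not m:
        return None
    percent, received, sent = (int(m.group(i)) for i in (1, 2, 3))
    rtt = tuple(int(g) for g in m.groups()[3:]) if m.group(4) else None
    return {"percent": percent, "received": received, "sent": sent, "rtt_ms": rtt}


def parse_mac_trace(text):
    """Return ((node, interface, mac) hops, whether the trace printed [finished])."""
    hops = [(n, i, mac.lower()) for n, i, mac in HOP_RE.findall(text)]
    return hops, "[finished]" in text


def check_path(text, destination, baseline):
    """Compare a trace against a recorded baseline; return a list of findings."""
    hops, finished = parse_mac_trace(text)
    findings = []
    if not finished:
        findings.append("trace did not finish")
    if not hops or hops[-1][2] != destination.lower():
        findings.append("last hop is not the destination MAC")
    for pos, hop in enumerate(hops):
        if pos >= len(baseline) or hop != baseline[pos]:
            findings.append(f"hop {pos} differs from baseline: {hop}")
    if len(hops) < len(baseline):
        findings.append(f"{len(baseline) - len(hops)} baseline hop(s) missing")
    return findings
```

An empty list from check_path means the trace finished, ended at the destination MAC and matched every baseline hop.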

15.13 IP Performance Maintenance


ZXR10 ZSR V2 provides the following commands to maintain IP performance.

Command: ZXR10#debug ip
Function: This enables IP debug function. It displays the debug information of IP processing and whether the route is sending or receiving IP packets.

Command: ZXR10#debug ip interface
Function: This enables IP debug function in the specified interface.

Command: ZXR10#show debug ip
Function: This shows all the enabled IP debug functions.


Figures
Figure 1-1 ZXR10 ZSR V2 Configuration Modes
Figure 1-2 Run Dialog Box
Figure 1-3 Telnet Connection Configuration Example
Figure 1-4 PuTTY Configuration Dialog Box
Figure 1-5 PuTTY Configuration Dialog Box
Figure 1-6 SSH Configuration Example
Figure 1-7 FTP Server Configuration Example
Figure 1-8 WFTPD Window
Figure 1-9 User/Rights Security Dialog Box
Figure 1-10 User/Rights Security Dialog Box
Figure 1-11 TFTP Server Window
Figure 1-12 Tftpd Settings Dialog Box
Figure 1-13 SFTP Server Configuration Example
Figure 3-1 MIM Application
Figure 4-1 Local Authentication and Authorization Configuration
Figure 4-2 RADIUS-LOCAL Authentication and Authorization User Configuration
Figure 4-3 TACACS+ Authentication and Authorization User Configuration
Figure 4-4 Configuring a Password Prompt Question for Resetting a Password
Figure 4-5 Configuring OAM Security Management
Figure 4-6 Configuring a Password Validity Period
Figure 4-7 Configuring First-Login Password Modification
Figure 4-8 Configuring the Raising of a Privilege Level
Figure 6-1 SNMP Configuration Example Topology
Figure 6-2 State Switching Diagram
Figure 6-3 SNMP Anti-Brute Force Attack Configuration Example
Figure 7-1 Alarm Function Configuration Example
Figure 8-1 Syslog Configuration Example Topology
Figure 9-1 RMON Configuration Example
Figure 10-1 NTP Client Work Flow
Figure 10-2 NTP Server and Client

Figure 10-3 NTP Working as a Client
Figure 10-4 NTP Working as a Server
Figure 10-5 Physical POS Interface Clock Configuration Instance
Figure 11-1 Performance Management Configuration Example Topology Diagram
Figure 12-1 NetFlow V5 Configuration Example
Figure 12-2 NetFlow V8 Configuration Example
Figure 12-3 NetFlow V9 Configuration Example
Figure 13-1 ICMP-Type SQA Configuration Example
Figure 13-2 FTP-Type SQA Configuration Example
Figure 13-3 TCP-Type SQA Configuration Example
Figure 13-4 UDP-Type SQA Configuration Example
Figure 13-5 DNS-Type SQA Configuration Example
Figure 14-1 LLDP System Structure
Figure 14-2 LLDP Neighbor Configuration Example
Figure 14-3 LLDP Attribute Configuration Example
Figure 15-1 ICMP Fast Response Configuration Example
Figure 15-2 Loose Source Route Option Packet Format
Figure 15-3 IP Source Route Option Processing Configuration Example
Figure 15-4 ICMP Unreachable Packet Function Configuration Example
Figure 15-5 Configuration Example of an Interface Sending ICMP Unreachable Packets
Figure 15-6 Format of an ICMP Echo Request/Reply
Figure 15-7 IP Ping Configuration Example
Figure 15-8 Interfaces Between the "Trace" Module and Sub-Modules
Figure 15-9 IP Trace Configuration Example
Figure 15-10 LDP LSP Ping Configuration Example
Figure 15-11 RSVP LSP Ping Configuration Example
Figure 15-12 PWE3 LSP Ping Configuration Example
Figure 15-13 LSP Trace Work Flow
Figure 15-14 LDP LSP Trace Configuration Example
Figure 15-15 RSVP LSP Trace Configuration Example
Figure 15-16 Work Flow of Multicast Ping
Figure 15-17 Multicast Ping Configuration Example
Figure 15-18 Multicast Trace Principle
Figure 15-19 Multicast Trace Configuration Example

Figure 15-20 MAC Ping Network Structure
Figure 15-21 MAC Ping Configuration Example
Figure 15-22 Network Structure of MAC Trace
Figure 15-23 MAC Trace Configuration Example


Glossary
AAA
- Authentication, Authorization and Accounting
ACL
- Access Control List
DNS
- Domain Name System
FTP
- File Transfer Protocol
HMAC-MD5
- Hashed Message Authentication Code with MD5
ICMP
- Internet Control Message Protocol
IETF
- Internet Engineering Task Force
LDP
- Label Distribution Protocol

LLDP
- Link Layer Discovery Protocol

LLDPDU
- Link Layer Discovery Protocol Data Unit
LSP
- Label Switched Path
LSR
- Label Switch Router
MAC
- Media Access Control
MAN
- Metropolitan Area Network
MIB
- Management Information Base

MPLS
- Multiprotocol Label Switching
NMS
- Network Management System

NTP
- Network Time Protocol

PDU
- Packet Data Unit
POP
- Points Of Presence
PPP
- Point-to-Point Protocol

RADIUS
- Remote Authentication Dial In User Service

RFC
- Request For Comments

SLA
- Service Level Agreement
SNMP
- Simple Network Management Protocol

SSH
- Secure Shell
TACACS+
- Terminal Access Controller Access-Control System Plus
TCP
- Transmission Control Protocol
TCP/IP
- Transmission Control Protocol/Internet Protocol
TELNET
- Telecommunication Network Protocol

TFTP
- Trivial File Transfer Protocol

TLV
- Type/Length/Value

TTL
- Time To Live

ToS
- Type of Service

UDP
- User Datagram Protocol

VRF
- Virtual Route Forwarding
