Version: 2.00.10
ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://ensupport.zte.com.cn
E-mail: support@zte.com.cn
LEGAL INFORMATION
Copyright 2013 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided as is, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Intended Audience
This manual is intended for the following engineers:
• Network planning engineers
• Commissioning engineers
• Maintenance engineers
Chapter Summary
2, File System Management: Describes operational commands for the file system of the device.
5, Command Privilege Level Classification: Describes user and command privilege level classification principle, configuration commands and configuration example.
10, Clock and Clock Synchronization: Describes clock and clock synchronization principles, configuration commands and configuration examples.
13, SQA Configuration: Describes SQA principle, configuration commands and configuration examples.
15, Network Layer Detection: Describes the principles, configuration commands, and configuration examples of the network layer detection.
Conventions
This manual uses the following typographical conventions:
Typeface: Meaning
Italics: Variables in commands. It may also refer to other related manuals and documents.
Bold: Menus, menu options, function names, input fields, option button names, check boxes, drop-down lists, dialog box names, window names, parameters, and commands.
Constant width: Text that you type, program codes, filenames, directory names, and function names.
[]: Optional parameters.
Users can use different configuration modes for different network types. The configuration
modes are described below:
• Console port mode: This is the primary configuration mode used by users.
• Telecommunication Network Protocol (TELNET)/Secure Shell (SSH) mode: Users
can use this mode to configure the ZXR10 ZSR V2 at any accessible place of a
network.
• Trivial File Transfer Protocol (TFTP)/File Transfer Protocol (FTP) mode: Users
can use this mode to download/upload router configuration files, and update router
configurations.
Steps
1. Configure a Hyperterminal.
For how to configure a Hyperterminal, refer to the "Configuring the Device Through a
Console Port" section in the ZXR10 M6000 Initial Configuration Guide.
2. (Optional) In the configuration mode, run the login authentication command to enable
the Console port connection authentication function.
Caution!
The Console port connection authentication function can be enabled only after a
username and password are configured. If the username and password are not
configured properly, after the function is enabled, you cannot enter the ZXR10> CLI
when you connect the device next time.
ZXR10(config)#login authentication
Warning:
Please make sure local or remote authentication is correctly configured.
Are you sure to configure console authentication? [yes/no]:y
ZXR10(config)#
/*Enables the Console port connection authentication function.*/
For how to configure a user name and password used in serial port authentication,
refer to 4.2 Configuring User Management.
End of Steps
Prerequisite
The local terminal can access the remote router network.
Context
Telnet is used for configuring routers remotely. To prevent unauthorized users from accessing the
router through Telnet, a user name and password have to be set on the router for Telnet
access. Only a user who has the preset user name and password can access the
router. For how to configure a user name and password on the ZXR10 ZSR V2 for Telnet
login, refer to 4.2 Configuring User Management.
Steps
1. Connect to the ZXR10 ZSR V2 through Telnet.
Assume that the IP address of a remote router is 192.168.3.1 and that the local
terminal (configured with the Windows XP operating system, for example) can access
the remote router network. The operations on the local terminal are as follows:
a. Start the Run program on the local terminal, and enter the telnet 192.168.3.1
command, see Figure 1-2.
b. Click OK.
The following information is displayed:
************************************************************
Welcome to ZXR10 Intelligent Integrated Multi-Service Router
of ZTE Corporation
************************************************************
c. Enter a user name and a password according to the prompt. Then, you can log in
to the remote router.
2. Configure a Telnet connection.
On the ZXR10 ZSR V2, run the following commands to configure optional Telnet
parameters:
Command Function
3. (Optional) Run the telnet command on the ZXR10 ZSR V2 to log in to another device
through the local client.
For the format of the telnet command, refer to the following table:
Command Function
Command Function
Command Function
Command: ZXR10#clear line vty <vty-number>
Function: Forces the vty user to log out. <vty-number>: specifies the terminal number (range: 0-14).
End of Steps
Example
The following provides a Telnet connection configuration example.
• Configuration Description
It is required to connect a PC to R1 through Telnet, see Figure 1-3.
• Configuration Flow
1. Connect a PC to R1.
2. Configure Telnet on R1.
3. Configure an ACL on R1 to filter TCP connections.
• Configuration Commands
Run the following commands on R1:
R1(config)#line telnet idle-timeout 120
R1(config)#line telnet absolute-timeout 1440
R1(config)#line telnet access-class ipv4 wd
R1(config)#ipv4-access-list wd
R1(config-ipv4-acl)#rule permit tcp 169.1.108.82 0.0.0.0 any
R1(config-ipv4-acl)#exit
• Configuration Verification
If no ACL is configured, a PC whose IP address is in any network segment can be
connected to R1.
If an ACL is configured, only PCs whose IP addresses are in the Permit column of
the ACL can be connected to R1.
Prerequisite
The local terminal can access the remote router network.
Context
Secure Shell (SSH) is defined by the IETF Network Working Group. It is a security protocol
established on the basis of the application layer and transport layer.
Traditional network service programs such as FTP, POP, and Telnet use clear text to
transfer data. Therefore, user names and passwords are vulnerable to man-in-the-middle
attacks. Compared with traditional network service programs, SSH is more reliable. It
provides security for remote login sessions and other network services, and has the
following advantages:
Steps
1. Configure SSH.
2. Maintain SSH.
Command Function
The following uses Putty as an example to describe how to configure an SSH client.
a. Run Putty.exe on the SSH host. Type the IP address of the remote router
(such as 192.168.5.3) in the Host Name text box, see Figure 1-4.
c. Click Open. The Login dialog box is displayed. Enter the correct user name and
password to log in to the router, and then configure the router in the command line
window.
login as:zte
Further authentication required
zte@192.168.5.3's password:
************************************************************
Welcome to ZXR10 Intelligent Integrated Multi-Service Router
of ZTE Corporation
************************************************************
ZXR10#
Command Description
End of Steps
Example
The following provides an SSH configuration example.
• Configuration Description
• Configuration Flow
1. Connect a PC to R1.
2. Configure SSH on R1.
3. Configure an ACL on R1 to filter connections.
• Configuration Commands
Run the following commands on R1:
If an ACL is configured, only PCs whose IP addresses are in the Permit column of
the ACL can be connected to R1.
Prerequisite
The local terminal can access the remote router network.
Steps
1. Enable the FTP server function.
Command Function
Command Function
For how to configure an FTP server user name and password, refer to Chapter 4 User
Management.
3. Verify the configurations.
Command Function
Command Function
End of Steps
Example
The following gives an FTP server configuration example.
• Configuration Description
• Configuration Flow
1. Enable the FTP server function and listening port 21 of the ZXR10 ZSR V2.
2. Set the FTP server root directory to /datadisk0/LOG/.
3. Set both the FTP server user name and password to zte.
4. Upload and download files through the FTP server to verify the FTP server
function.
• Configuration Commands
The configuration flow on the ZXR10 ZSR V2 is shown below. For how to configure
an FTP server user name and password, refer to Chapter 4 User Management.
R1#configure terminal
Enter configuration commands, one per line.End with CTRL/Z.
R1(config)#ftp-server enable
R1(config)#ftp-server top-directory /datadisk0/LOG/
Prerequisite
The ZXR10 ZSR V2 can access the FTP server network.
Steps
1. Configure and start an FTP server.
The following takes the WFTPD FTP server software as an example to describe how
to configure an FTP server.
c. Perform the following steps in the User/Rights Security Dialog dialog box.
i. Click New User to create a new user such as target, and set a password.
iii. Type a directory such as D:\IMG in the Home Directory text box for saving
version files or configuration files. After the configuration is completed, the
user name and home directory are displayed in the User/Rights Security
Dialog dialog box, see Figure 1-10.
2. Upload and download a file through the router, which acts as an FTP client.
Command: ZXR10#ftp-client source-ip {ipv4 <ipv4-address>| ipv6 <ipv6-address>[interface <interface-name>]}
Function: Configures the source address for copying files when the ZXR10 ZSR V2 functions as an FTP client.
Command: ZXR10#copy ftp [vrf <vrf-name>] //HOST/filename@username:password root: filename or directory&filename [<listen_port>][ipaddr][interface <interface-name>]
Function: Downloads a file from an FTP server to the local client.
Command: ZXR10#copy ftp [vrf <vrf-name>] root: filename or directory&filename //HOST/filename@username:password [<listen_port>][ipaddr][interface <interface-name>]
Function: Uploads a local file to an FTP server.
End of Steps
Example
The following example describes how to download or upload a file when the ZXR10 ZSR
V2 functions as an FTP client.
A user whose user name is who and password is who uploads the startrun.dat file
from the sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the FTP server
whose IP address is 192.168.109.6.
ZXR10#copy ftp root:/sysdisk0/DATA0/startrun.dat
//192.168.109.6/startrun1.dat@who:who
Start copying file
A user whose user name is who and password is who downloads the startrun.dat file
from the FTP server whose IP address is 192.168.109.6, and renames the file as
startrun.bak.
ZXR10#copy ftp //192.168.109.6/startrun.dat@who:who
root: /datadisk0/startrun.bak
Start copying file
Prerequisite
The ZXR10 ZSR V2 can access the TFTP server network as a TFTP client.
Steps
1. Configure and start a TFTP server.
The following takes the TFTP server software tftpd as an example to describe how to
configure a TFTP server.
a. Run tftpd.exe. The TFTP server window is displayed, see Figure 1-11.
b. Select Tftpd > Configure. The Tftpd Settings dialog box is displayed. Click
Browse in the dialog box, and select a directory (such as the IMG directory on
Disk D) to save version files or configuration files, see Figure 1-12.
Command: ZXR10#copy tftp [ipv6][vrf <vrf-name>] root: filename or directory //HOST/filename [<listen_port>]
Function: Uploads a file from the local router to a TFTP server.
End of Steps
Example
The following example describes how to upload the startrun.dat file from the
datadisk0 directory of the ZXR10 ZSR V2 file system to the TFTP server whose IP address is
192.168.4.244.
The following example describes how to download the file startrun.dat from the TFTP
server whose IP address is 192.168.4.244, and to rename the file as startrun.bak.
Prerequisite
The local terminal can access the remote router network.
Steps
1. Configure an SFTP server.
Command Function
For how to configure a login user name and password of an SFTP server, refer to
Chapter 4 User Management.
2. Verify the configurations.
Command Function
End of Steps
Example
The following gives an example of how to configure an SFTP server.
• Configuration Description
When the ZXR10 ZSR V2 functions as an SFTP server, the client can be a PC or
another type of device that supports the SFTP client function. Two ZXR10 ZSR V2s
are connected, one functioning as an SFTP server, the other as an SFTP client that
downloads files from the server, see Figure 1-13.
• Configuration Flow
1. On the SFTP server, enable the SSH function, and configure a listening port.
Run the following commands on the ZXR10 ZSR V2. For how to configure a user
name and password, refer to Chapter 4 User Management.
R1#dir BAK
Directory of MPFU-8/0: /datadisk0/BAK
897636 KB total (892760 KB free)
Prerequisite
The ZXR10 ZSR V2 can access the SFTP server network.
Steps
1. Configure an SFTP.
Start the SFTP server software. Functioning as a client, the ZXR10 ZSR V2
communicates with the SFTP server.
Command: ZXR10#copy sftp [vrf <vrf-name>] //HOST/filename@username:password root: filename or directory&filename encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[<listen_port>][ipaddr][interface <interface-name>]
Function: Downloads a file from the SFTP server to the local SFTP client.
Command: ZXR10#copy sftp [vrf <vrf-name>] root: filename or directory&filename //HOST/filename@username:password encrypt {none | aes128 | blowfish | 3des} compress {none | zlib} mac {none | sha1 | md5}[<listen_port>][ipaddr][interface <interface-name>]
Function: Uploads a file from the local SFTP client to the SFTP server.
End of Steps
Example
A user whose user name is who and password is who uploads the startrun.dat file
in the /sysdisk0/DATA0 directory of the ZXR10 ZSR V2 file system to the SFTP server
whose IP address is 192.168.109.6. The encryption algorithm is aes128, compression
algorithm is zlib, and MAC check method is sha1.
A user whose user name is who and password is who downloads the startrun.dat
file from the SFTP server whose IP address is 192.168.109.6, and renames the file as
startrun.bak. The encryption algorithm is aes128, compression algorithm is zlib, and
MAC check method is sha1.
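The FTP, TFTP and SFTP copy commands above all take the remote endpoint as //HOST/filename@username:password, so the password sits in the command line itself. The following is an added example, not ZTE code: it audits recorded copy commands for clear-text transports, embedded passwords and weak SFTP options, and returns a redacted copy of each line. The grading of 3des, blowfish and md5 as legacy is this example's own policy, and the SFTP and TFTP sample lines are constructed from the manual's command syntax.

```python
import re

COPY_RE = re.compile(r"\bcopy\s+(ftp|tftp|sftp)\b", re.IGNORECASE)
# Remote endpoint in the manual's syntax: //HOST/filename@username:password
REMOTE_RE = re.compile(r"//([^/\s]+)/([^@\s]+)(?:@([^:\s]+):(\S+))?")
OPTION_RE = re.compile(r"\b(encrypt|mac)\s+(\S+)", re.IGNORECASE)

# Grading used by this example (an assumption, not a vendor recommendation).
LEGACY = {"encrypt": {"3des", "blowfish"}, "mac": {"md5"}}


def audit_copy_command(line):
    """Return (redacted_line, findings) for a copy command, else None."""
    match = COPY_RE.search(line)
    if match is None:
        return None
    proto = match.group(1).lower()
    findings = []
    if proto in ("ftp", "tftp"):
        findings.append(f"{proto}: transfer is sent in clear text")
    if proto == "tftp":
        findings.append("tftp: no user authentication")

    # Replace the password with *** so the audit output can be shared safely.
    redacted = line
    remote = REMOTE_RE.search(line)
    if remote and remote.group(4) is not None:
        findings.append("password embedded in the command line")
        start, end = remote.span(4)
        redacted = line[:start] + "***" + line[end:]

    # SFTP lets the operator switch encryption or integrity protection off.
    if proto == "sftp":
        for key, value in OPTION_RE.findall(line):
            key, value = key.lower(), value.lower()
            if value == "none":
                findings.append(f"sftp {key} none: protection disabled")
            elif value in LEGACY[key]:
                findings.append(f"sftp {key} {value}: legacy algorithm")
    return redacted, findings


def audit_log(lines):
    """Audit many lines; return only the copy commands, already redacted."""
    return [r for r in map(audit_copy_command, lines) if r is not None]


# Constructed sample input. The first two lines are the manual's FTP examples
# joined onto one line; the SFTP and TFTP lines follow the manual's syntax.
SAMPLE_LINES = [
    "ZXR10#copy ftp root:/sysdisk0/DATA0/startrun.dat //192.168.109.6/startrun1.dat@who:who",
    "ZXR10#copy ftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak",
    "ZXR10#copy sftp //192.168.109.6/startrun.dat@who:who root: /datadisk0/startrun.bak"
    " encrypt aes128 compress zlib mac sha1",
    "ZXR10#copy sftp root:/sysdisk0/DATA0/startrun.dat //192.168.109.6/startrun.dat@who:who"
    " encrypt none compress none mac md5",
    "ZXR10#copy tftp root: /datadisk0/startrun.dat //192.168.4.244/startrun.dat",
    "ZXR10#show username",
]

if __name__ == "__main__":
    for redacted, findings in audit_log(SAMPLE_LINES):
        print(redacted)
        for finding in findings:
            print("   -", finding)
```

Run it over any place these command lines end up, such as provisioning scripts or saved terminal sessions, before the text is archived or shared.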
Flash
The Flash stores version files, data files, system breakdown files, and operation logs. It has
two partitions, which are mapped to the /sysdisk0 and /datadisk0 folders under the
root directory of the Linux system respectively.
• /sysdisk0 partition: This is the system partition that stores version files, important
log files, and data files. Users have the read permission, but do not have the write
permission. Users cannot delete or rename files, but can view files by running the
more command. The /sysdisk0 partition does not support the format operation.
System breakdown files and exception log files: system breakdown files include
the Exc_Omp.txt and Exc_pp.txt files in the /sysdisk0/run_log directory
and the files in the /sysdisk0/run_log/EXCINFO directory.
• /datadisk0 partition: This is the data partition that stores log files and data files
relevant to users' routine operations and maintenance as well as data files stored by
users as needed. Users have read and write permissions.
Service and alarm log files are stored in the /datadisk0/LOG directory, but the
command log file (that is, the cmdlog file) is stored in the /sysdisk0/usrcmd_log/
directory.
BOOT
The BOOT is used to save the OSIMAGE file for initializing boards and booting MPUs.
NVRAM
The NVRAM is used to save booting information, including the IP address of the device
management port, IP address of an FTP server, and configuration loading mode.
Steps
• Manage files and directories.
Command: ZXR10#more <filename>[<cpu-name>][|{begin | exclude | include}<line>]
Function: Displays the content of the specified file. "|" is the output flag.
• Save configurations.
Command Function
End of Steps
Steps
1. Configure MIM.
Command Function
Note:
If a terminal is configured with the manual-commit mode and has configurations that
have not been committed, normal configuration of other terminals may be affected.
2. Verify configurations.
Command Function
End of Steps
Example
The following provides a MIM configuration example.
• Configuration Description
Enter a batch of configuration commands by running a script. Take care to avoid
configuration collision.
• Configuration Flow
1. Configure the exclusive function to avoid collision.
2. Change the command commit mode to the manual mode.
3. Enter configuration commands by running a script.
4. Commit the commands.
• Configuration Commands
ZXR10#configure exclusive
ZXR10#conf t
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#mu c
Steps
1. Enter ADM_MGR configuration mode, and configure user management parameters.
Command: ZXR10(config)#enable secret level <1-18>{0 <unencrypted-password>| 5 <encrypted-password>|<unencrypted-password>}
Function: Sets passwords of all login privilege levels.
Command: ZXR10(config)#login quiet-mode < ipv4-access-list | ipv6-access-list ><access-list-name>
Function: Configures an ACL for the quiet period.
Command Function
Command Function
End of Steps
Example
The user-password recover-remind command that is used to configure user password
recovery reminders is an interactive command. The following provides examples of this
command.
eg1:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:***
ZXR10(config-system-user)#
eg2:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
%Error 59958: Password is wrong!
ZXR10(config-system-user)#
eg3:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:question is 012345678901234567890124567890123456789
%Error 59959: Question has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#
eg4:
ZXR10(config-system-user)#user-password recover-remind zte
password is:***
question:what is your name
answer:zte 01234567890123456789012345678901234567890123456
%Error 59960: Answer has been to upper limit!The limit is 50 characters!
ZXR10(config-system-user)#
password is: Requires the input of the password corresponding to the user name. A
clear text password consists of 3-32 characters, and is displayed as
***. If the password is correct, continues to run the command. If the
password is incorrect, displays an error, and ends the command.
question: Requires the input of a prompt question for password recovery. The
question can consist of a maximum of 50 characters including spaces,
but cannot exclusively consist of spaces or include any question mark.
If the question has more than 50 characters, displays an error prompt.
If the question is normal, continues to run the command.
answer: Requires the input of an answer for password recovery. The answer
can consist of a maximum of 50 characters including spaces, but
cannot exclusively consist of spaces or include any question mark. If
the answer has more than 50 characters, displays an error prompt. If
the answer is normal, continues to run the command.
Configuration Flow
1. Configure an authentication template.
2. Configure an authorization template.
3. Create a user, bind authentication and authorization templates.
Configuration Command
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type local
R1(config-aaa-author-template)#exit
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-templat 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
Configuration Flow
1. Configure a RADIUS group.
2. Configure an authentication template.
3. Configure an authorization template.
4. Create a user, bind authentication and authorization templates.
Configuration Command
/*This configures radius*/
R1(config)#radius authentication-group 1
R1(config-authgrp-1)#server 1 10.1.1.1 master key zte
R1(config-authgrp-1)#nas-ip-address 10.1.1.100
R1(config-authgrp-1)#algorithm round-robin
R1(config-authgrp-1)#max-retries 3
R1(config-authgrp-1)#timeout 30
R1(config-authgrp-1)#deadtime 0
R1(config-authgrp-1)#exit
R1(config)#system-user
/*This binds authorization template.*/
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
Configuration Flow
1. Configure a TACACS+
2. Configure an authentication template.
3. Configure an authorization template.
4. Create a user, bind authentication and authorization templates.
Configuration Command
R1(config)#tacacs enable
R1(config)#tacacs-server host 10.1.1.1 key zte
R1(config)#tacplus group-server ztegroup
R1(config-sg)#server 10.1.1.1
R1(config-sg)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type tacacs
R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type tacacs
R1(config-aaa-author-template)#authorization-tacacs-group ztegroup
R1(config-aaa-author-template)#exit
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-templat 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
Configuration Flow
1. Configure an authentication template.
2. Configure an authorization template.
3. Create a user.
4. Configure a password prompt question and an answer.
5. Log in for password recovery.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name who
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-templat 1
R1(config-system-user-username)#password who
R1(config-system-user-username)#password-recover-remind
password is:***
question: who are you
answer:who
R1(config-system-user-username)#
R1#login
Username:recover-user who
question: who are you
answer: /*The input answer is not displayed.*/
Please input your new password:
Re-enter New password:
The password has been changed successfully,
please remember your new password!
Username:who
Password:
R1#
Note:
If the input answer to the password prompt is correct, the password of user who is
changed to a new password.
Configuration Flow
1. Configure password strength.
2. Create a user. The creation succeeds only if the password meets the strength
requirements.
3. Configure an authentication template.
4. Configure an authorization template.
5. Configure the number of consecutive user authentication failure times and locking
period.
6. A user who fails authentication consecutively for the set number of times is locked.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#strong-password length 6 character special-character
/*Configures the minimum password length as 6 characters, and configures that a
password should contain special characters.*/
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-templat 1
R1(config-system-user-username)#password zte123*
R1(config-system-user-username)#exit
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-authen-restriction fail-time 3 lock-minute 2
/*Configures the number of consecutive user authentication failure times as 3, and
configures the locking period as 2 min.*/
R1(config-system-user)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit
/*A user logs in to the R1 through Telnet. The user fails authentication
consecutively for the set number of times, and is locked.*/
R1#login
Username:zte
Password:
% Local password error!
Username:zte
Password:
% Local password error!
Username:zte
Password:
% Local password error!
Still logged in as "who" /*The original login user name is who.*/
R1#login
Username:zte
Password:
% User is locked
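The password-strength and lockout commands in this example, together with the Telnet access-class and the RADIUS/TACACS+ key settings shown earlier, can be checked in a provisioning script before it is pushed to the router. The following is an added example, not ZTE code: the finding codes, the MIN_SECRET_LEN threshold and both sample scripts are assumptions of the example, built only from commands that appear in this manual.

```python
import re

PROMPT_RE = re.compile(r"^\S+?(?:\([^)]*\))?#")   # e.g. "R1(config-system-user)#"
COMMENT_RE = re.compile(r"/\*.*?\*/")             # the manual's inline /*...*/ notes
MIN_SECRET_LEN = 8  # threshold chosen for this example (assumption)


def strip_prompt(line):
    """Remove a leading CLI prompt and any inline /*...*/ comment."""
    line = COMMENT_RE.sub("", line).strip()
    return PROMPT_RE.sub("", line, count=1).strip()


def lint_script(text):
    """Return a list of (code, detail) findings for a provisioning script."""
    findings = []
    user = None      # user-name block currently being configured
    policy = None    # (min_length, needs_special) once strong-password is seen
    telnet = acl = lockout = False
    for raw in text.splitlines():
        words = strip_prompt(raw).split()
        if not words:
            continue
        head = words[0]
        if head == "line" and words[1:2] == ["telnet"]:
            telnet = True
            acl = acl or words[2:3] == ["access-class"]
        elif head == "strong-password" and "length" in words[:-1]:
            length = words[words.index("length") + 1]
            if length.isdigit():
                policy = (int(length), "special-character" in words)
        elif head == "user-authen-restriction":
            lockout = True
        elif head == "user-name" and len(words) > 1:
            user = words[1]
        elif head == "exit":
            user = None
        elif head == "password" and user and len(words) > 1:
            pw = words[1]
            if pw == user:
                findings.append(("PASSWORD_EQUALS_USERNAME", user))
            elif policy and (len(pw) < policy[0] or (policy[1] and pw.isalnum())):
                # The router would reject this user under the declared policy.
                findings.append(("VIOLATES_STRONG_PASSWORD", user))
        # RADIUS "server ... key <k>" and "tacacs-server host ... key <k>"
        if "key" in words[:-1]:
            at = words.index("key")
            if len(words[at + 1]) < MIN_SECRET_LEN:
                findings.append(("SHORT_SHARED_SECRET", " ".join(words[:at])))
    if telnet and not acl:
        findings.append(("TELNET_WITHOUT_ACCESS_CLASS", "line telnet"))
    if policy is None:
        findings.append(("NO_STRONG_PASSWORD_POLICY", "system-user"))
    if not lockout:
        findings.append(("NO_LOGIN_LOCKOUT", "system-user"))
    return findings


# Constructed sample: the manual's commands with none of the optional controls.
WEAK_SCRIPT = """\
R1(config)#line telnet idle-timeout 120
R1(config)#tacacs-server host 10.1.1.1 key zte
R1(config)#system-user
R1(config-system-user)#user-name zte
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
"""

# Constructed sample: the same script with the controls from this manual added.
HARDENED_SCRIPT = """\
R1(config)#line telnet idle-timeout 120
R1(config)#line telnet access-class ipv4 wd
R1(config)#system-user
R1(config-system-user)#strong-password length 6 character special-character
R1(config-system-user)#user-name zte
R1(config-system-user-username)#password zte123*
R1(config-system-user-username)#exit
R1(config-system-user)#user-authen-restriction fail-time 3 lock-minute 2 /*lockout*/
"""

if __name__ == "__main__":
    for name, script in (("weak", WEAK_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(name, lint_script(script))
```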
Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Set a password validity period.
5. Change the system time to test whether the validity period is effective.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-templat 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#password-duration 90 /*Configures a password
validity period.*/
R1(config-system-user-username)#exit
R1(config-system-user)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#end
Configuration Verification
R1#show username
Username Encrypted-Password AuthenNo. AuthorNo. AgingTime Set-Time
zte ce7c04930c52bfe1669f6c22 1 1 89 2012-6-28
9ef61b761ec847e5b3052bdb
51456385bb2a9a57
R1#show username /*After the system time is changed, the command output displays
that the password has expired.*/
Username Encrypted-Password AuthenNo. AuthorNo. AgingTime Set-Time
zte ce7c04930c52bfe1669f6c22 1 1 expired 2012-6-28
9ef61b761ec847e5b3052bdb
51456385bb2a9a57
R1#login
Username:zte
Password:
%User password expired /*The password has expired. The user cannot log in to
the R1.*/
Configuration Flow
1. Create a user.
2. Configure an authentication template.
3. Configure an authorization template.
4. Configure the first login password modification function.
5. During login, the user can set a password. The next time, the user can use the new
password to successfully log in.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 15
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-templat 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#once-password /*Configures first-login
password modification.*/
R1(config-system-user-username)#exit
R1(config-system-user)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type local
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#end
Configuration Verification
R1#login
Username:zte
Password:
Your password has expired.
Enter a new one now.
New password: /*Configure a new password, which is not displayed.*/
Re-enter new password: /*Confirm the new password, which is not displayed.*/
The password has been changed successfully,
Please remember your new password!
R1#login
Username:zte
Password: /*Enter the new password*/
R1# /*The user login is successful.*/
R1#who
Line User Host(s) Idle Location
66 vty 0 who idle 00:01:17 169.1.1.13
* 67 vty 1 zte idle 00:00:00 169.1.1.13
68 vty 2 who idle 00:00:00 169.1.1.10
Configuration Flow
1. Create a user.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
R1(config)#tacacs enable
R1(config)#tacacs-server host 10.1.1.1 key zte
R1(config)#tacplus group-server ztegroup
R1(config-sg)#server 10.1.1.1
R1(config-sg)#exit
R1(config)#system-user
R1(config-system-user)#authentication-template 1
R1(config-system-user-authen-temp)#bind aaa-authentication-template 2001
R1(config-system-user-authen-temp)#exit
R1(config-system-user)#authorization-template 1
R1(config-system-user-author-temp)#bind aaa-authorization-template 2001
R1(config-system-user-author-temp)#local-privilege-level 5
R1(config-system-user-author-temp)#exit
R1(config-system-user)#user-name zte
R1(config-system-user-username)#bind authentication-template 1
R1(config-system-user-username)#bind authorization-template 1
R1(config-system-user-username)#password zte
R1(config-system-user-username)#exit
R1(config-system-user)#exit
R1(config)#aaa-authentication-template 2001
R1(config-aaa-authen-template)#aaa-authentication-type tacacs-local
R1(config-aaa-authen-template)#authentication-tacacs-group ztegroup
R1(config-aaa-authen-template)#exit
R1(config)#aaa-authorization-template 2001
R1(config-aaa-author-template)#aaa-authorization-type none
R1(config-aaa-author-template)#exit
The following provides a global "enable" authentication configuration mode, which can be
set to aaa mode or local mode. The aaa mode means using the "enable" password set by
the server.
R1(config)#system-user
R1(config-system-user)#global-enable-type aaa authentication-template 1
/*Configures user's enable command authentication mode.*/
R1(config-system-user)#exit
There are two methods for configuring an "enable" password that raises a user's privilege
level to the highest level:
- In global configuration mode, run the enable secret level command. For details, refer
to Chapter 5 Command Privilege Level Classification.
- In global configuration mode, run the nvram enable-password command. For details,
refer to the Setting Configurations Kept in NVRAM section of the ZXR10 ZSR V2 Initial
Configuration Guide.
You can configure the recovery function for a password configured in the NVRAM.
Configuration Verification
Configure a corresponding enable password on the AAA server. After the user logs in
normally and passes authentication, the user privilege level is raised.
Steps
1. Configure command privileges.
Configuration Flow
1. Change the privilege level of the show clock command to 5 or lower than 5. In this
example, this privilege level is set to 5.
2. Change the privilege level of the clock timezone command to 8, or lower than 8 but
higher than 5. In this example, this privilege level is set to 7.
3. Create a type A user named ZTE_A and a type B user named ZTE_B. ZTE_A's
privilege level is 15, and ZTE_B's privilege level is 5.
4. Configure the "enable" password that is used to raise user's privilege level to level 8.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
ZXR10(config)#privilege show all level 5 show clock
/*Sets the privilege level of the show clock command to 5.*/
ZXR10(config)#system-user
ZXR10(config-system-user)#authentication-template 1
ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2001
ZXR10(config-system-user-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 1
ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2001
ZXR10(config-system-user-author-temp)#local-privilege-level 15
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#user-name ZTE_A
ZXR10(config-system-user-username)#bind authentication-template 1
ZXR10(config-system-user-username)#bind authorization-template 1
ZXR10(config-system-user-username)#password ZTE_A_15
ZXR10(config-system-user-username)#exit
/*Create ZTE_A and configure the user's authorization level.*/
ZXR10(config-system-user)#authentication-template 2
ZXR10(config-system-user-authen-temp)#bind aaa-authentication-template 2002
ZXR10(config-system-user-authen-temp)#exit
ZXR10(config-system-user)#authorization-template 2
ZXR10(config-system-user-author-temp)#bind aaa-authorization-template 2002
ZXR10(config-system-user-author-temp)#local-privilege-level 5
ZXR10(config-system-user-author-temp)#exit
ZXR10(config-system-user)#user-name ZTE_B
ZXR10(config-system-user-username)#bind authentication-template 2
ZXR10(config-system-user-username)#bind authorization-template 2
ZXR10(config-system-user-username)#password ZTE_B_5
ZXR10(config-system-user-username)#exit
ZXR10(config-system-user)#exit
/*Create ZTE_B and configure the user's authorization level.*/
ZXR10(config)#aaa-authentication-template 2001
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2001
ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local
ZXR10(config-aaa-author-template)#exit
/*Configure the authentication and authorization templates of ZTE_A*/
ZXR10(config)#aaa-authentication-template 2002
ZXR10(config-aaa-authen-template)#aaa-authentication-type local
ZXR10(config-aaa-authen-template)#exit
ZXR10(config)#aaa-authorization-template 2002
ZXR10(config-aaa-author-template)#aaa-authorization-type radius-local
ZXR10(config-aaa-author-template)#exit
/*Configure the authentication and authorization templates of ZTE_B*/
Configuration Verification
Run the following commands to view ZTE_A's privilege level. The execution result is
displayed as follows:
Username:ZTE_A
Password:
ZXR10#show privilege
Current privilege level is 15
/*Indicates that ZTE_A's privilege level is 15.*/
Exec commands:
alarm-confirm Confirm the alarm by flowid
cd Change current directory
cfm Executing CFM detecting functions
clear Reset functions
clock Manage the system clock
commit Commit the configuration
configure Enter configuration mode
copy Copy from one file to another by ftp/tftp
cp Copy from one file to another locally
debug Debugging functions
delete Delete a file
--More
ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
/*Displays the commands that can be used by ZTE_A in global configuration mode.*/
Configure commands:
aaa-accounting-template AAA accounting template configurations
aaa-authentication-template AAA authentication template configurations
aaa-authorization-template AAA authorization template configurations
alarm Configure the alarm parameters
alarm-mask Configure the alarm-mask parameters
aps Configure APS instance
arp Enter ARP configuration mode
Run the following commands to view ZTE_B's privilege level. The execution result is
displayed as follows:
Username:ZTE_B
Password:
ZXR10#show privilege
Current privilege level is 5
/*Indicates that ZTE_B's privilege level is 5.*/
ZXR10#?
/*Displays the commands that can be used by ZTE_B in privilege configuration mode.*/
Exec commands:
cd Change current directory
cfm Executing CFM detecting functions
clock Manage the system clock
configure Enter configuration mode
debug Debugging functions
dir List files on a filesystem
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
--More
ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
/*Displays the commands that can be used by ZTE_B in global configuration mode.*/
Configure commands:
end Exit from configure mode
exit Exit from configure mode
ping Send echo messages
ping6 Send IPv6 echo messages
show Show running system information
trace Trace route to destination
trace6 Trace route to destination using IPv6
ZXR10(config)#
ZXR10(config)#show ?
clock Show current system clock
Username:ZTE_B
Password:
ZXR10#show privilege
Current privilege level is 5
/*Indicates that the privilege level of ZTE_B is 5.*/
ZXR10#enable 8
Password:
ZXR10#show privilege
Current privilege level is 8
/*Indicates that the privilege level of ZTE_B has been raised to 8.*/
ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#?
Configure commands:
clock Configure board clock
/*Indicates that the clock command has been added to the commands that ZTE_B can use.*/
end Exit from configure mode
exit Exit from configure mode
ping Send echo messages
ping6 Send IPv6 echo messages
show Show running system information
trace Trace route to destination
trace6 Trace route to destination using IPv6
ZXR10(config)#clock ?
timezone Configure time zone
ZXR10#enable /*Raises the user's privilege level to the default level, level 15.*/
Password: /*The input password is not displayed.*/
ZXR10#show running-config adm-mgr
! <ADM_MGR>
enable secret level 8 5 52ZJX4aBmmYKbWdVFpSvwg==
system-user
authentication-template 1
bind aaa-authentication-template 2001
$
authentication-template 2
bind aaa-authentication-template 2002
$
authorization-template 1
bind aaa-authorization-template 2001
local-privilege-level 15
$
authorization-template 2
bind aaa-authorization-template 2002
local-privilege-level 5
$
username ZTE_A
bind authentication-template 1
bind authorization-template 1
password encrypted 51213031a28daa4a18e939b9cc837320
43f467d88315721af066dc4f1c385a28
$
username ZTE_B
bind authentication-template 2
bind authorization-template 2
password encrypted a5e686cd3e6778917691bb099a4da1d7
9768a6b9752b942fe5b431ec3fff8468
$
$
! </ADM_MGR>
ZXR10#show running-config aaa
! <AAA>
aaa-authentication-template 2001
aaa-authentication-type local
$
aaa-authentication-template 2002
aaa-authentication-type local
$
aaa-authorization-template 2001
aaa-authorization-type radius-local
$
aaa-authorization-template 2002
aaa-authorization-type radius-local
$
! </AAA>
ZXR10#show running-config oam
! <OAM>
privilege show all level 5 show clock
privilege configure level 7 clock
privilege configure level 7 clock timezone
! </OAM>
Steps
1. Enable SNMP V1, V2c, and V3.
Command: ZXR10(config)#snmp-server version {v1 | v2c | v3} enable
Function: Enables SNMP V1, V2, and V3 for receiving packets from and sending packets to
clients. There are two states: enable and disable. Default: disable.
<subtree-id>: specifies the MIB sub-tree ID or node name of the MIB sub-tree for the
view name. Range: 1-79 characters.
included | excluded: The sub-tree is included or excluded.
4. Set MIB object information.
5. Set the types of Trap and Inform messages that are allowed to be sent.
udp-port <udp-port>: number of the UDP port for sending Trap or Inform messages,
range: 1-65535.
<Trap-type>: Trap or Inform type. The Trap type can be all or one of the bgp, ospf,
rmon, snmp, stalarm and vpn types.
8. Set the level of the alarm message sent to the Trap server.
encrypted: specifies that the password to be entered is not clear text but cipher text.
It is not recommended to use this option.
md5 | sha: uses Hashed Message Authentication Code with MD5 (HMAC-MD5-96) as
the authentication mode, or uses HMAC-SHA-96 as the authentication mode.
End of Steps
Configuration Flow
1. Configure an SNMP packet community string. SNMPv1/v2c uses community string
authentication mode. An SNMP community string is named with a character string,
and has an access privilege (read-only or read-write).
2. Designate a view name to the configured community string. Designate the default view
to the community string if the view parameter is not configured. Designate the default
privilege (ro) to the community string, if the parameter ro | rw is not configured. Users
can only perform operations in the permitted view range, whether ro or rw is specified.
3. Configure alarm Trap. Configure the types of Trap messages to be sent and the
destination host. Trap messages are actively sent by managed devices to NMS. They
are used to report urgent and important events. By default, all types of Trap messages
are sent.
Configuration Commands
Run the following commands on the ZXR10 ZSR V2:
Configuration Verification
Run the show command to check the configurations. The execution result is displayed as
follows.
snmp-server host 61.139.48.18 Trap version 2c public udp-port 162 snmp bgp mac
ospf stp ppp arp rmon udld cfm efm lacp mc-elam tcp sctp stalarm cps interface
acl fib pim isis rip msdp aps config am um system ldp pwe3 vpn mpls-oam ptp
tunnel-te radius dhcp bfd ippool ntp ssm sqa ipsec cgn vrrp ftp_tftp ping-trace gm
snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp
snmp-server packetsize is 1400
snmp-server security dynamic-trust-user idle-timeout 1800
snmp-server view AllView internet included
snmp-server view DefaultView system included
snmp-server version v2c enable
The security policy defined in SNMP v1 and SNMP v2 is simple: community strings, which
act as passwords between SNMP management processes and agent processes, are transferred
in clear text. Attackers can crack these passwords with brute force attacks. The SNMP
anti-brute-force attack function is used to prevent DoS attacks and brute force attacks.
- To ensure that trusted users can access the ZXR10 ZSR V2 normally, the SNMP
security function supports dynamically learning and manually configuring trusted
users. In quiet mode, the ZXR10 ZSR V2 handles requests only from trusted users
(if an ACL is configured in advance, the requests still need to be filtered through
the ACL first).
- Dynamically-learned trusted users are users who have accessed the ZXR10 ZSR
V2 and are automatically recorded by it. If these users do not access the ZXR10
ZSR V2 again before the set period (ageing time) expires, they are aged out by the
device. Dynamically-learned trusted users can also be manually cleared. Users can
configure the ageing time, which is 1800 s by default.
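The following audit script is an added example, not part of the ZTE manual. It scans `show running-config` style SNMP lines, such as the output above, for the clear-text community exposure just described. The finding codes and the set of well-known community names are assumptions of this example.

```python
import re

# Patterns for the two line shapes that appear in the manual's SNMP output.
HOST_RE = re.compile(r"^snmp-server host (\S+) (trap|inform) version (\S+) (\S+)", re.I)
VERSION_RE = re.compile(r"^snmp-server version (v1|v2c|v3) enable", re.I)
CLEARTEXT_VERSIONS = {"1", "2c", "v1", "v2c"}   # community string travels unencrypted
WELL_KNOWN = {"public", "private"}               # assumption: commonly unchanged names

# Excerpt of the manual's output, wrapped the way the device prints long lines.
PAGE_EXCERPT = """\
snmp-server host 61.139.48.18 Trap version 2c public udp-port 162 snmp bgp mac
ospf stp ppp arp rmon udld cfm efm lacp
snmp-server host 61.139.48.18 inform version 2c public udp-port 162 snmp
snmp-server packetsize is 1400
snmp-server security dynamic-trust-user idle-timeout 1800
snmp-server view AllView internet included
snmp-server version v2c enable
"""


def logical_lines(text):
    """Re-join wrapped output: a line that does not start a new
    snmp-server statement continues the previous one."""
    joined = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("snmp-server") or not joined:
            joined.append([number, line])
        else:
            joined[-1][1] += " " + line
    return joined


def audit_snmp(text):
    """Return (line_number, code, detail) findings; line 0 means config-wide."""
    findings = []
    cleartext_in_use = False
    has_security = False
    for number, line in logical_lines(text):
        if line.lower().startswith("snmp-server security "):
            has_security = True
            continue
        host = HOST_RE.match(line)
        if host:
            target, kind, version, community = host.groups()
            if version.lower() in CLEARTEXT_VERSIONS:
                cleartext_in_use = True
                findings.append((number, "CLEARTEXT_COMMUNITY",
                                 f"{kind.lower()} to {target} uses SNMP {version}"))
            if community.lower() in WELL_KNOWN:
                findings.append((number, "WELL_KNOWN_COMMUNITY",
                                 f"community '{community}' is trivially guessable"))
            continue
        enabled = VERSION_RE.match(line)
        if enabled and enabled.group(1).lower() in CLEARTEXT_VERSIONS:
            cleartext_in_use = True
            findings.append((number, "V1_V2C_ENABLED",
                             f"agent accepts SNMP {enabled.group(1)} requests"))
    # The trusted-user and anti-brute-force settings only matter when
    # community-string versions are actually in use.
    if cleartext_in_use and not has_security:
        findings.append((0, "NO_SNMP_SECURITY_CONFIG",
                         "no 'snmp-server security' line present"))
    return findings


if __name__ == "__main__":
    for number, code, detail in audit_snmp(PAGE_EXCERPT):
        print(f"line {number}: {code}: {detail}")
```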
In any state, when community string attempts fail, logs and self-defined Trap messages
are generated by default. A Trap message that is sent includes the following
information: error community string information, source IP, and current state of SNMP
(normal/monitoring/quiet). When a device state is switched, a system log and Trap alarm
are automatically generated. This function can be disabled by running a command.
SNMP security state switching is shown in Figure 6-2.
Steps
1. Activate the SNMP security function.
block <block-seconds>: block time (length of the quiet period), unit: second, range:
1-65535.
<detect-tries>: maximum number of failed attempts in monitoring mode, range:
1-65535.
<detect-seconds>: maximum detection time in monitoring mode, unit: second, range:
1-65535.
<tries>: maximum number of failed attempts in normal mode, range: 1-65535,
default: 50.
<startup-seconds>: maximum detection time in normal mode, unit: second, range:
1-65535, default: 60.
2. Configure the ACL for controlling hosts that access the system through SNMP.
3. Configure the ageing time of dynamic trusted users and configure static trusted users.
4. Configure the generation of logs and Trap messages when community string attempts
fail or a state is switched.
include: is used to display the configurations that include the string line.
exclude: is used to display the configurations that exclude the string line.
End of Steps
Configuration Flow
1. Enable the SNMP anti-brute-force attack function.
2. Configure the ageing time for dynamic trusted users.
3. Configure static trusted users that are allowed to access the system.
4. Configure a Trap message and log that is generated when user attempts fail and a
state is switched.
Configuration Command
Run the following commands on the ZXR10 ZSR V2:
Configuration Verification
Run the following command to check SNMP configurations. The execution result is
displayed as follows.
- Temperature alarm
There are different temperature measuring components on each board of the device.
Each temperature measuring component has different temperature resistance
characteristics, so the alarm threshold at each temperature measuring point is
If the voltage is not in the normal working voltage range, the power voltage alarm
is reported.
Steps
1. Configure the basic alarm function.
Step 2
Command: ZXR10(config)#logging buffer <buffer-size>
Function: Sets the size of the alarm log buffer. Unit: KB, range: 100-1000, default: 200.
Step 7
Command: ZXR10(config)#logging alarmlog-interval <minute>
Function: Sets the time interval for writing alarm records from the buffer to files. Unit:
minute, range: 10-30000, default: 10.
Step 11
Command: ZXR10(config)#logging mode {fullclear | fullcycle | fullend}
Function: Sets the mode for clearing buffer data after the alarm buffer is full. Default:
fullcycle.
<level>: the lowest alarm level, range: DEBUGGING (level 8), INFORMATIONAL
(level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4),
CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1).
<weekday>: day in each week for reporting to FTP, range: Monday, Tuesday, Thursday,
Wednesday, Friday, Saturday, and Sunday.
<time3>: time in the day of each week for reporting to FTP, range: 00:00:00-23:59:59.
<time4>: time in the date of each month for reporting to FTP, range:
00:00:00-23:59:59.
<filename>: prefix of the filename saved on the FTP server, range: 1-31 characters.
2. Configure CPU, memory, and storage device alarm thresholds.
Command: ZXR10(config)#check cpu interval <interval>
Function: Configures the time interval for CPU usage alarm checking. Unit: 10 s,
range: 1-20.
Command: ZXR10#show logging alarm [[level <alarmlevel>][start-time <date><time>][end-time <date><time>][typeid <type>]]
Function: Displays the specified alarms in the alarm log buffer. Filtering conditions:
level, start-time, end-time, and typeid.
level <level>: alarm level, range: DEBUGGING (level 8), INFORMATIONAL (level 7),
NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4), CRITICAL (level
3), ALERTS (level 2), and EMERGENCIES (level 1).
typeid <type>: alarm type, range: ACL, BFD, BGP, LDP, and so on (more than 60
types).
5. View information on shelf management temperature alarms and power supply voltage
alarms.
You cannot configure thresholds for temperature alarms and power voltage alarms.
Only querying temperature alarms and power voltage alarms by running commands
is supported. On the ZXR10 ZSR V2, run the following commands to view shelf
management temperature alarms and power voltage alarms.
End of Steps
Configuration Flow
1. Enable the alarm function.
2. Configure alarm levels, levels of alarms printed on a terminal, alarm buffer, alarm
clearing mode when the buffer is full, interval for writing logs, time display mode, and
address of the server to which alarms are sent.
3. Configure alarm Trap, Trap type and address of the server to which Trap messages
are sent.
Configuration Commands
Run the following commands on R1:
R1(config)#logging on
R1(config)#logging level warnings
R1(config)#logging console warnings
R1(config)#logging buffer 200
R1(config)#logging mode fullcycle
R1(config)#logging cmdlog-interval 2880
R1(config)#logging ftp warnings 192.168.154.253 zte zte ztelog
R1(config)#logging timestamps datetime localtime
R1(config)#logging Trap-enable notifications
R1(config)#snmp-server enable Trap
R1(config)#snmp-server version v2c enable
R1(config)#snmp-server host 192.168.154.253 Trap version 2c zte
Configuration Verification
Run the following commands to check alarm configurations. The execution results are
displayed as follows:
The terminal monitor command displays real-time alarms. The show logging alarm
command displays buffered alarms.
Steps
1. Configure the Syslog function.
<level>: the lowest alarm level, range: DEBUGGING (level 8), INFORMATIONAL
(level 7), NOTIFICATIONS (level 6), WARNINGS (level 5), ERRORS (level 4),
CRITICAL (level 3), ALERTS (level 2), and EMERGENCIES (level 1), default:
NOTIFICATIONS.
<server-ip>: IP address of the Syslog server, type: IPv4 or IPv6.
<fport>: remote port number, range: 1-65535, default: 514.
<lport>: local port number, range: 514, 1024-65535, default: 514.
[alarmlog][cmdlog][debugmsg][servicelog][braslog][natlog]: type of logs reported to the
Syslog server.
2. Verify the configurations.
Command: ZXR10#show running-config alarm [all ||{begin | exclude | include}<line>]
Function: Displays all Syslog configurations by using a regular expression.
End of Steps
Configuration Flow
1. Connect the Syslog server to the ZXR10 ZSR V2.
2. Configure the interface on the Syslog server and the interface on the ZXR10 ZSR V2,
which are directly connected in the same network segment.
3. Configure the Syslog server alarm level.
4. Configure the Syslog type.
5. Specify the address of the Syslog server.
Configuration Command
Run the following commands on the ZXR10 ZSR V2:
R1(config)#interface gei-2/1
R1(config-if-gei-2/1)#no shutdown
R1(config-if-gei-2/1)#ip address 1.1.1.2 255.255.255.0
R1(config-if-gei-2/1)#exit
Configuration Verification
Run the show command to check the configurations. The execution result is displayed as
follows:
R1(config)#show running-config alarm
!<ALARM>
syslog level warnings
syslog-server facility syslog
syslog-server host 1.1.1.1 alarmlog cmdlog debugmsg servicelog
braslog natlog
!</ALARM>
Steps
1. Configure an event that triggers the RMON alarm.
End of Steps
- Collecting real-time and history statistics on traffic and the numbers of various types
of packets.
- Monitoring the number of bytes of outgoing traffic, and recording a log if the traffic per
minute exceeds the set value.
- Monitoring the number of incoming broadcast and multicast packets, and actively
sending an alarm to the NMS if the number of received broadcast and multicast
packets exceeds the set value.
Configuration Flow
1. Enable SNMP to allow sending Trap packets, and set the destination IP address and
community name.
2. Configure the RMON statistics table.
3. Configure the RMON history table.
4. Configure the RMON event table.
5. Configure the RMON alarm table.
Configuration Commands
Run the following commands on the ZXR10:
Configuration Verification
Run the following command to view RMON configurations. The execution result is
displayed as follows:
ZXR10#show running-config rmon
rmon
rmon alarm 1 1.3.6.1.2.1.2.2.1.16.12 60 absolute rising-threshold
10000000 1 falling-threshold 2000000 1 owner zte
rmon alarm 2 1.3.6.1.2.1.2.2.1.12.12 60 absolute rising-threshold
500 2 falling-threshold 100 2 owner zte
rmon event 1 log description outboundocts owner zte
rmon event 2 Trap zte description inboundnonuni owner zte
interface gei-3/2
rmon collection history 1 buckets 10 interval 60 owner zte
rmon collection statistics 1 owner zte
$
$
!</rmon>
Run the following command to view information on the RMON statistics table. The
execution result is displayed as follows:
ZXR10#show rmon statistics
etherStatsEntry 1 is valid, and owned by monitor
Monitors ifEntry.1.12 (gei-3/2) which has
Received 2661384683 octets, 11170112 packets,
4226009 broadcast and 1032634 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions,
0 dropped packets (due to lack of resources).
Packets received (in octets):
64:3528697, 65-127:2610624, 128-255:432346,
256-511:268806, 512-1023:193397, 1024-1518:4136242
Run the following command to view information on the RMON history table. The execution
result is displayed as follows:
ZXR10#show rmon history
Run the following command to view information on the RMON event table. The execution
result is displayed as follows:
1 0w4d,03:56:54 outboundocts
Event 2 is valid, and owned by zte
Description is inboundnonuni
Event firing causes trap to community/user zte, last fired 0w4d,03:57:12
Current log entries:
Index Time Description
Run the following command to view information on the RMON alarm table. The execution
result is displayed as follows:
ZXR10#show rmon alarms
Alarm 1 is valid, and owned by zte
Monitors ifEntry.16.12, every 60 second(s)
Taking absolute samples, last value was 13414607
Rising-threshold is 10000000, assigned to event 1
Falling-threshold is 2000000, assigned to event 1
On startup enable rising or falling alarm
Alarm 2 is valid, and owned by zte
Monitors ifEntry.12.12, every 60 second(s)
Taking absolute samples, last value was 5580876
Rising-threshold is 500, assigned to event 2
Falling-threshold is 100, assigned to event 2
On startup enable rising or falling alarm
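The following simulation is an added example, not part of the ZTE manual. It evaluates alarm 1's thresholds (rising 10000000, falling 2000000) under the RFC 2819 rising/falling rules against constructed per-minute readings of a cumulative octet counter such as ifEntry.16 (ifOutOctets). It goes beyond the manual's absolute-sampling case by also running RFC 2819 delta sampling, whose CLI keyword on this device is not shown on the page, and the readings are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

COUNTER32 = 2 ** 32   # ifOutOctets is a 32-bit counter and wraps at this value


@dataclass
class RmonAlarm:
    """One RMON alarm row evaluated with the RFC 2819 rising/falling rules."""
    rising: int
    falling: int
    sample_type: str = "absolute"        # "absolute" or "delta" (RFC 2819 terms)
    startup: str = "rising-or-falling"   # "On startup enable rising or falling alarm"
    prev_raw: Optional[int] = None
    prev_value: Optional[int] = None
    rising_armed: bool = True
    falling_armed: bool = True

    def poll(self, raw: int) -> Optional[str]:
        """Feed one polled counter reading; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            last, self.prev_raw = self.prev_raw, raw
            if last is None:
                return None                      # a delta needs two readings
            value = (raw - last) % COUNTER32     # stays correct across one wrap
        else:
            value = raw

        first = self.prev_value is None
        event = None
        if value >= self.rising:
            crossed = (self.startup != "falling") if first else self.prev_value < self.rising
            if crossed and self.rising_armed:
                event = "rising"
                self.rising_armed = False        # hysteresis: wait for the falling threshold
            self.falling_armed = True
        elif value <= self.falling:
            crossed = (self.startup != "rising") if first else self.prev_value > self.falling
            if crossed and self.falling_armed:
                event = "falling"
                self.falling_armed = False
            self.rising_armed = True
        self.prev_value = value
        return event


def run(alarm: RmonAlarm, readings: List[int]) -> List[Optional[str]]:
    return [alarm.poll(reading) for reading in readings]


# Constructed counter readings, one per 60 s poll. The per-minute traffic
# between them is 1.5M, 12M, 5M, 11M, 1M and 15M octets.
READINGS = [1_000_000, 2_500_000, 14_500_000, 19_500_000,
            30_500_000, 31_500_000, 46_500_000]


def compare():
    """Same thresholds and readings, absolute versus delta sampling."""
    absolute = run(RmonAlarm(10_000_000, 2_000_000, "absolute"), READINGS)
    delta = run(RmonAlarm(10_000_000, 2_000_000, "delta"), READINGS)
    return absolute, delta


if __name__ == "__main__":
    absolute, delta = compare()
    print("absolute:", absolute)
    print("delta:   ", delta)
```

With absolute sampling the cumulative counter passes the rising threshold once and never returns, so only one rising event is ever raised; delta sampling follows the per-minute traffic, and the 11M interval after the 5M dip raises nothing because the value never reached the falling threshold.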
NTP Client
Figure 10-1 shows the main principle of the NTP client.
1. The client regularly sends NTP time request packets to the configured clock server
and waits for responses.
2. After receiving an NTP response packet, the NTP client inspects the packet, extracts the
corresponding time, calculates the time offset, and sets the local clock.
NTP Server
After a device is configured as an NTP server, it listens on UDP port 123 for NTP time
request packets coming from clients, adds its time information to an NTP time response
packet, and sends the packet to the client.
The ZXR10 ZSR V2 can act as an NTP server and client at the same time. That is, it can
receive time request packets coming from other servers and send its own time information
to other clients, see Figure 10-2.
Steps
1. Configure the NTP Server function.
<ip-address> and priority <1-5> are required. Other parameters are optional.
version <number>: NTP version number, range: 1-4, default: 3 (in IPv4).
key <key-number>: effective key, range: 1-4294967295.
priority <level>: priority value, range: 1-5. The priority of each server is different.
The NTP authentication function consists of two parts: server and client. When
configuring this function, comply with the following rules:
End of Steps
Configuration Description
NTP is used to synchronize the clocks of different network members. As shown in Figure
10-3, the NTP client can synchronize the clock with the NTP server.
Configuration Flow
1. Connect the NTP server to the router.
2. Enable NTP.
3. Configure the address of the NTP server.
Configuration Command
Configuration on R1:
R1(config)#ntp enable
R1(config)#ntp server 192.168.5.93 priority 1
Configuration Verification
After the configuration, use the show command to check the configuration.
Configuration Description
The function of NTP is to synchronize clocks of different network members. As shown in
Figure 10-4, NTP works as a server to provide synchronization information for the client.
Configuration Flow
1. Enable NTP on R1, and configure the address of the NTP server.
2. Enable NTP on R2, and configure a level of the NTP server.
Configuration Command
The configuration on R1:
R1(config)#ntp enable
R1(config)#ntp server 192.168.5.93 priority 1
Configuration Verification
Use the show running-config ntp command on the client and the server to view
configuration. Use the show ntp status command on the client to view the IP address and
the clock of the reference clock (R2). Use the show clock command on the client. The
clock has been synchronized with the clock on the server.
Steps
1. Configure a physical POS interface clock.
End of Steps
Configuration Flow
1. Inter-connect the routers.
2. Enter POS-interface clock configuration mode.
Configuration Command
Configurations on router R1:
R1(config)#interface pos3-1/1
R1(config-if-pos3-1/1)#no shutdown
R1(config-if-pos3-1/1)#clock mode line
R1(config-if-pos3-1/1)#exit
Configuration Verification
After the configuration is completed, run the show command to verify the configurations:
R1(config-if-pos3-1/1)#show interface pos3-1/1
pos3-1/1 is down, line protocol is down
Description is none
Hardware is Packet Over SONET/SDH
Internet address is unassigned
IP MTU 4470 bytes
MTU 4600 bytes
BW 155520 Kbits
MPLS MTU 4470 bytes
Physical layer is Packet over (SDH)
Holdtime is 120 sec(s)
CRC 32
Loopback cancel
Clock Source: line
Scramble enable
Encapsulation PPP
Some applications use PMServer to mount a callback function. After registration
information is modified, PMServer completes virtual registration or registration
cancellation, and refreshes performance values after the member interface data bound
to these service types is changed.
Steps
1. Configure performance management.
End of Steps
Configuration Flow
1. Check the count of interface gei-2/1. To check the new count, clear the previous count.
2. Modify the time interval of sampling data from PMS to PMA to control count update
time interval of gei-2/1.
Configuration Command
1. Clear gei-2/1 interface count:
ZXR10#clear statistics interface gei-2/1
2. Set count update time of physical port such as gei-2/1 as 30 seconds.
ZXR10(config)#performance update-interval 30s ethernet
Configuration Verification
Check whether the configuration is valid.
NetFlow Features
To accomplish network data collection, NetFlow performs the following task,
Steps
1. Configure NetFlow exporter policies.
refresh <packets>: the number of output netflow packets, according to which the
module is resent, range: 1-600, default: 20.
timeout <seconds>: time, according to which the module is resent, range: 1-86400,
default: 600 seconds.
2. Create a flow record policy, and set key and non-key fields.
deterministic : uses deterministic sampling, that is, if the sampling rate is N, then one
packet out of every N packets is sampled.
<rate>: sampling rate, range: 1-65535, default: 1000.
entries <num>: sets the buffer size to num, which represents the number of flows that
can be stored in the buffer. Range: 16-131072, default: 4096.
timeout active <seconds>: active ageing time, unit: second, range: 10-604800, default:
1800.
timeout inactive <seconds>: inactive ageing time, unit: second, range: 10-604800,
default: 1800.
In one direction, unicast, multicast, MPLS, and ACL rule packets can be sampled
at the same time. Samples from two directions are not mutually exclusive. If ACL
rule packets are sampled from one direction, however, unicast and multicast packets
cannot be sampled, and vice versa.
6. Verify the configurations.
End of Steps
Configuration Flow
1. Enable NetFlow Service.
2. Configure flow exporter output, including server IP address, port number and protocol
type.
3. Configure sampler sampling rate and sampling mode.
4. Configure the size of flow monitor cache, active overtime value and inactive overtime
value, bind the configured flow exporter to system v5 module.
5. Bind flow monitor policy to interface, configure sampling type and direction.
Configuration Command
Configuration on R1:
R1#configure terminal
R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit
R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record netflow-original
R1(config-flow-monitor)#cache timeout inactive 60
R1(config-flow-monitor)#cache timeout active 10
R1(config-flow-monitor)#exit
R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#exit
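The following collector-side parser is an added example, not part of the ZTE manual. It decodes a NetFlow v5 datagram, scales the counters by the 1-out-of-1024 deterministic sampling configured above, and uses the flow sequence number to detect export datagrams lost over UDP. The sample datagrams are constructed, and the assumption that the exporter fills the v5 header's sampling field is this example's, not the manual's.

```python
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record
MAX_RECORDS = 30                                     # v5 limit per datagram


def parse_v5(datagram: bytes) -> dict:
    """Validate and decode one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs,
     sequence, _etype, _eid, sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if not 1 <= count <= MAX_RECORDS or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")

    interval = sampling & 0x3FFF        # low 14 bits: sampling interval
    scale = interval or 1               # 0 means the exporter reported no sampling
    flows = []
    for index in range(count):
        (src, dst, _nexthop, _if_in, _if_out, packets, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + index * RECORD.size)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": packets, "octets": octets,
            # With 1-out-of-N sampling each counted packet stands for about N.
            "est_packets": packets * scale, "est_octets": octets * scale,
        })
    return {"sequence": sequence, "sampling_mode": sampling >> 14,
            "sampling_interval": interval, "flows": flows}


def lost_flows(previous: dict, current: dict) -> int:
    """Flow records missing between two consecutively received datagrams."""
    expected = (previous["sequence"] + len(previous["flows"])) % 2 ** 32
    return (current["sequence"] - expected) % 2 ** 32


# Constructed flows: (src, dst, packets, octets, src port, dst port), all TCP.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", 3, 1800, 51512, 443),
    ("192.0.2.11", "198.51.100.7", 1, 60, 40000, 22),
]


def build_sample(sequence: int, flows, sampling: int = 0x4400) -> bytes:
    """Build a constructed v5 datagram; 0x4400 is mode bits 01, interval 1024."""
    header = HEADER.pack(5, len(flows), 360000, 1700000000, 0, sequence, 0, 0, sampling)
    body = b"".join(
        RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
                    1, 2, packets, octets, 1000, 2000, sport, dport,
                    0, 0x18, 6, 0, 0, 0, 24, 24, 0)
        for src, dst, packets, octets, sport, dport in flows)
    return header + body


if __name__ == "__main__":
    first = parse_v5(build_sample(100, SAMPLE_FLOWS))
    second = parse_v5(build_sample(105, SAMPLE_FLOWS[:1]))
    for flow in first["flows"]:
        print(flow["src"], "->", flow["dst"], "estimated octets:", flow["est_octets"])
    print("flow records lost between datagrams:", lost_flows(first, second))
```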
Configuration Verification
Check the configuration on R1, as shown below.
Configuration Flow
1. Enable NetFlow Service.
2. Configure flow exporter output, including the server IP address, port number and
protocol type.
3. Configure sampler, setting sampling rate and sampling mode.
4. Configure the cache size of flow monitor, the active overtime value and the inactive
overtime value. Bind the configured flow exporter to the system v8 module.
5. Bind flow monitor to the interface, and configure the sampling type and direction.
Configuration Command
Configuration on R1:
R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v8
R1(config-flow-exporter)#exit
R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit
R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record netflow ipv4 protocol-port
R1(config-flow-monitor)#cache timeout inactive 60
R1(config-flow-monitor)#cache timeout active 10
R1(config-flow-monitor)#exit
R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#exit
Configuration Verification
Verify the configuration on R1 as shown below.
Configuration Flow
1. Enable NetFlow Service.
2. Configure flow exporter output, including server IP address, port number and protocol
type, module refresh time and refresh rate.
3. Configure match and collect of flow record policy.
4. Configure the size of flow monitor cache, active overtime value and inactive overtime
value, bind the configured flow exporter policy and flow record policy.
5. Configure sampler sampling rate and sampling mode.
6. Bind flow monitor policy to interface, configure sampling type and direction.
Configuration Command
Configuration on R1:
R1(config)#flow exporter exp
R1(config-flow-exporter)#destination ipv4-address 169.1.109.60
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#export-protocol netflow-v9
R1(config-flow-exporter)#template data refresh 20
R1(config-flow-exporter)#template data timeout 60
R1(config-flow-exporter)#exit
R1(config)#sampler sam
R1(config-sampler)#mode deterministic 1-out-of 1024
R1(config-sampler)#exit
R1(config)#flow monitor mo
R1(config-flow-monitor)#cache entries 4096
R1(config-flow-monitor)#cache timeout active 60
R1(config-flow-monitor)#cache timeout inactive 10
R1(config-flow-monitor)#exporter exp
R1(config-flow-monitor)#record rec
R1(config-flow-monitor)#exit
R1(config)#interface gei-6/6
R1(config-if-gei-6/6)#no shutdown
R1(config-if-gei-6/6)#ip flow monitor mo sampler sam unicast input
R1(config-if-gei-6/6)#end
Configuration Verification
Check the configuration on R1, as shown below.
Steps
1. Configure an SQA instance.
In a DNS test, range: 1-10, default: 1. In an ICMP jitter test, range: 1-65535, default:
1.
<interval-value>: interval between two packets, unit: ms. In an ICMP test, range:
50-65535, default: 100. In a UDP test, range: 50-2000, default: 100. In a TCP test,
range: 1000-4000, default: 1000. In an ICMP jitter test, range: 50-65535, default:
100.
<ftp-server-password>: clear text password of the FTP server, range: 1-31 characters.
<local-path>/<file-name>: FTP local path and file name, range: 1-151 characters.
Command Function
Command Function
Command Function
ZXR10#show sqa-result {udp | tcp | icmp | ftp | dns | http | snmp | udpjitter | icmpjitter}
Displays configurations of each SQA test instance.
End of Steps
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the ICMP test attributes for the test instance,
such as the ICMP test destination address.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.
Configuration Command
The configuration of R1:
R1(config)#sqa-test 1
R1(config-sqa-1)#type-icmp 10.1.0.2
R1(config-sqa-1)#sqa-begin now
%Info 757: The sqa test is starting now, please wait a moment for test result......
R1(config-sqa-1)#
Configuration Verification
The configuration and test result are shown below.
R1#show sqa-test 1
test number:1
test type: ICMP
destination IP: 10.1.0.2
repeat:1
tos:0
ttl: 255
size: 36
interval time:100
send trap:disable
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the FTP test attributes for the test instance
including FTP server address, user name, password, source file name, destination
path and destination file name.
3. Set the SQA test start time to now or a scheduled time.
4. Check the test result.
Configuration Command
Run the following commands on the ZXR10 ZSR V2:
R1(config)#sqa-test 2
R1(config-sqa-2)#type-ftp copy 1.1.1.1 filename abc.txt root /datadisk0/abc.txt
R1(config-sqa-2)#type-ftp username who password who
R1(config-sqa-2)#sqa-begin now
%Info 757: The sqa test is starting now, please wait a moment for test result......
R1(config-sqa-2)#
Configuration Verification
Run the show command to check the configurations and test results. The execution result
is displayed as follows:
R1#show sqa-test 2
test number:2
test type: FTP
ftp IP:10.1.0.2
username:who
password: 9654d35c7f907ad5c1a1f803d1e4a21c667d8939cade03478bad7db48099d0e4
/*Encrypted*/
filename:abc.txt
root:/datadisk0/abc.txt
send Trap:disable
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the TCP test attribute for the test instance,
such as the TCP test destination address and port number.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.
Configuration Command
The configuration of R3:
Configuration Verification
The configuration and test result are shown below.
R1#show sqa-test 3
test number:1
test type: TCP
destination IP:10.1.0.2
desitnation port:10000
interval time:1000
repeat:1
send trap:disable
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, and configure the UDP test attribute for the instance,
such as the UDP test destination address and port number.
3. Set the SQA test start time as now or at a scheduled time.
4. Check the test result.
Configuration Command
The configuration of R3:
R3(config)#sqa-udp-server 10.1.0.2 10000
Configuration Verification
The configuration and test result are shown below.
R1#show sqa-test 4
test number:1
test type: UDP
destination IP:10.1.0.2
desitnation port:10000
size: 50
interval time:100
repeat:1
send trap:disable
Configuration Flow
1. Create an SQA test instance.
2. Enter the SQA test instance, configure the domain name to be resolved by the DNS
test and the IP address of the DNS server, and set the number of resolution operations.
3. Set the SQA test start time as right now or at a scheduled time.
4. Check the test result.
Configuration Command
Configuration of R1:
Configuration Verification
The configuration information and test result are shown below.
R1#show sqa-test 5
test number:1
test type: DNS
destination-url:abc.cn
dns-ip:10.1.0.1
repeat:1
send trap:disable
LLDP Features
LLDP is defined in 802.1AB. As shown in Figure 14-1, LLDP works at the data link layer.
It is a neighbor discovery protocol that defines a standard for Ethernet devices (such as
switches, routers and wireless LAN access points). Through LLDP, an Ethernet device
can advertise its existence to other nodes on the network and save discovery information
of neighbor devices. The device sends the state information to other devices. The
information is stored on each port of all devices. If necessary, the device can send update
information to the neighbor devices that are connected directly, and the neighbor devices
store the information in standard SNMP MIBs.
- Network management systems can query the L2 connection information in the MIB.
LLDP does not configure or control network elements or traffic. It only reports
L2 location information. Another function defined in 802.1AB is that network management
software can use the information provided by LLDP to find conflicts in the L2 network.
At present, IEEE uses the physical topology, interface and entity MIBs that already exist in
the IETF.
- A device that supports LLDP must support chassis ID advertisements and port
ID advertisements. Most devices need to support system name advertisements,
system description advertisements and system capability advertisements. System
name advertisements and system description advertisements can provide useful
information to collect network traffic. System description advertisements can also
contain information such as the full name of the device, the type of the system
hardware and the version of the software operating system.
- LLDP information is transmitted periodically and it can only be stored for a period.
IEEE has defined a recommended transmission frequency, about once per 30
seconds. When an LLDP device receives an LLDP packet sent by a neighbor LLDP
device, it stores the information in the cache of the SNMP MIB defined by IEEE.
The information is valid only for a limited period. The TTL value that defines the period is
contained in the received packets.
- LLDP enables network management systems to discover and simulate physical
network topologies correctly. LLDP devices send and receive advertisements, so the
devices save the information of the discovered neighbor devices. The advertisement
data, such as the management address, device type and port number of a neighbor
device, helps to identify the type and interconnected interfaces of the neighbor
device.
TTL is the third mandatory TLV in an LLDPDU. It is the time to live (in
seconds) of an LLDPDU received by the peer. When a peer receives an
LLDPDU of which the TTL is 0, the device deletes all related information.
End of LLDPDU is the last mandatory TLV in an LLDPDU. It defines the end of
an LLDPDU.
Steps
1. Configure LLDP.
Command Function
Command Function
ZXR10#debug lldp { adjacency | event | packets [receive | send] | all }
This shows LLDP related information, event information and packet sending and receiving information.
End of Steps
Configuration Flow
1. Enter LLDP configuration mode.
2. Enter an interface.
3. Enable LLDP.
Configuration Command
Enter an interface in LLDP configuration mode and then configure LLDP, as shown below.
R1(config)#lldp
R1(config-lldp)#interface gei-1/1
R1(config-lldp-if-gei-1/1)#lldp enable
R1(config-lldp-if-gei-1/1)#end
Configuration Verification
Use the show lldp neighbor command to check the configuration result, as shown below.
Configuration Flow
1. Enter LLDP configuration mode.
2. Configure LLDP attributes.
Configuration Command
The configuration of R1:
R1(config)#lldp
R1(config-lldp)#maxneighbor 3
/*Configure the maximum number of system neighbors*/
R1(config-lldp)#hellotime 30000
/*Configure the intervals to send LLDP neighbor discovery packets*/
R1(config-lldp)#holdtime 8
/*Configure LLDP neighbor hold-time*/
R1(config-lldp)#lldp enable
/*Enable LLDP*/
R1(config-lldp)#lldp-rx enable
/*Enable LLDP receiving*/
R1(config-lldp)#lldp-tx enable
/*Enable LLDP sending*/
R1(config-lldp)#clearneighbor
/*Clear LLDP neighbor relationship that has been established*/
R1(config-lldp)#clearstatistic
/*Clear LLDP statistical information*/
R1(config-lldp)#end
Configuration Verification
Use the show running-config lldp command to check the configuration result.
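LLDP frames are unauthenticated, so a receiver has to validate the mandatory TLVs and bound its neighbor table itself. The following added example (not ZTE code) parses an LLDPDU, enforces the mandatory TLV order described in this chapter, honours TTL 0 as a delete, ages entries out and caps the table like the maxneighbor 3 setting above. The class and function names are hypothetical, the TLV encoding follows 802.1AB, and the sample frames are constructed.

```python
import struct

END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3   # mandatory TLV types


def parse_lldpdu(data):
    """Return (chassis_id, port_id, ttl_seconds, optional_tlvs)."""
    tlvs, pos = [], 0
    while True:
        if pos + 2 > len(data):
            raise ValueError("no End of LLDPDU TLV before end of data")
        (hdr,) = struct.unpack_from("!H", data, pos)
        tlv_type, length = hdr >> 9, hdr & 0x1FF   # 7-bit type, 9-bit length
        pos += 2
        if pos + length > len(data):
            raise ValueError("TLV length runs past end of data")
        value, pos = data[pos:pos + length], pos + length
        if tlv_type == END:
            if length:
                raise ValueError("End of LLDPDU TLV must be empty")
            break
        tlvs.append((tlv_type, value))
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    if any(t in (CHASSIS_ID, PORT_ID, TTL) for t, _ in tlvs[3:]):
        raise ValueError("mandatory TLV repeated")
    chassis, port, ttl = (v for _, v in tlvs[:3])
    if not 2 <= len(chassis) <= 256 or not 2 <= len(port) <= 256:
        raise ValueError("chassis/port ID must be subtype + 1..255 bytes")
    if len(ttl) < 2:
        raise ValueError("TTL TLV shorter than 2 bytes")
    return chassis, port, struct.unpack_from("!H", ttl)[0], tlvs[3:]


class NeighborTable:
    """Neighbor cache keyed by (chassis ID, port ID), bounded in size."""

    def __init__(self, max_neighbors=3):
        self.max_neighbors = max_neighbors
        self.entries = {}   # (chassis, port) -> (expiry time, optional TLVs)

    def expire(self, now):
        for key in [k for k, (exp, _) in self.entries.items() if exp <= now]:
            del self.entries[key]

    def receive(self, lldpdu, now):
        chassis, port, ttl, optional = parse_lldpdu(lldpdu)  # raises if bad
        self.expire(now)
        key = (chassis, port)
        if ttl == 0:                      # shutdown advertisement
            return "deleted" if self.entries.pop(key, None) else "ignored"
        if key not in self.entries and len(self.entries) >= self.max_neighbors:
            return "rejected"             # table full: do not evict others
        self.entries[key] = (now + ttl, optional)
        return "stored"


def tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def sample_lldpdu(mac, port_name, ttl, with_ttl=True):
    """Constructed LLDPDU: MAC chassis ID (subtype 4), ifName port ID (5)."""
    pdu = tlv(CHASSIS_ID, b"\x04" + mac) + tlv(PORT_ID, b"\x05" + port_name)
    if with_ttl:
        pdu += tlv(TTL, struct.pack("!H", ttl))
    return pdu + tlv(5, b"R2") + tlv(END, b"")   # type 5 = System Name


if __name__ == "__main__":
    table = NeighborTable(max_neighbors=3)
    for i in range(1, 5):
        mac = bytes([0x00, 0x00, 0x5E, 0x00, 0x53, i])
        print(i, table.receive(sample_lldpdu(mac, b"gei-1/1", 120), now=0))
```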
The ICMP slow response function means that a destination node sends received Request
packets to the control plane, which returns Reply packets. To reduce delays, the ICMP
fast response function directly returns Reply packets.
Configuration Commands
To configure the ICMP fast response function, run the following command on the ZXR10
ZSR V2:
Command Function
Maintenance Commands
To maintain the ICMP fast response function, run the following commands on the ZXR10
ZSR V2:
Command Function
Configuration Example
- Configuration Description
- Configuration Flow
1. Configure IP addresses of R1 and R2 interfaces.
2. Test the configuration result to make sure that the ICMP fast response (ping)
function is enabled between R1 and R2.
- Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
R1(config-if-gei-1/1)#exit
Run the following command to check the configurations on R2. The execution result
is displayed as follows:
R2#ping 10.1.1.1
sending 5,100-byte ICMP echoes to 10.1.1.2,timeout is 2 seconds.
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 1/1/21 ms.
Note:
The ICMP fast response function is enabled by default. If the corresponding debug
function is enabled and then ping is performed, the ICMP fast response (ping) function
is disabled.
The length field represents the length of the option octet (including the option code, length
and pointer fields). The pointer field points to the source address of the next hop, and the
minimum value is 4 (that is, pointing to the IP address of the first hop). The addresses
following the pointer field are the hops designated by the source. The packet must pass
these hops.
Configuration Commands
To configure the processing of IP source route options, run the following command on the
ZXR10 ZSR V2:
Command Function
Maintenance Commands
To display the IP source route option configuration, run the following command on the
ZXR10 ZSR V2:
Command Function
Refer to 15.1 Configuring ICMP Fast Response for maintenance commands relevant to
packet sending and receiving.
Configuration Example
- Configuration Description
As shown in Figure 15-3, it is required to configure the IP source route option
processing function.
- Configuration Flow
1. Configure IGP and unicast routes so that the routers can ping each other
successfully.
2. Configure source route options on R1.
3. Make the source send IP packets with correct IP options.
4. Make the source send IP packets with incorrect IP options.
- Configuration Command
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 10.10.20.1 255.255.255.0
R1(config-if-gei-1/1)#exit
R1(config)#router ospf 1
R1(config-ospf-1)#network 10.10.10.0 0.0.0.255 area 0
R1(config-ospf-1)#network 10.10.20.0 0.0.0.255 area 0
R1(config-ospf-1)#exit
R1(config)#ip source-route
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 10.10.20.2 255.255.255.0
R2(config-if-gei-1/1)#exit
R2(config)#router ospf 1
R2(config-ospf-1)#network 10.10.20.0 0.0.0.255 area 0
R2(config-ospf-1)#network 10.10.50.0 0.0.0.255 area 0
R2(config-ospf-1)#exit
- Configuration Verification
When the source sends IP packets with correct IP options, the traffic is forwarded
properly.
When the source sends IP packets with incorrect IP options, the packets are dropped.
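What counts as a correct or incorrect source route option follows from the length and pointer rules described at the start of this section. The following added example (not ZTE code; the checks the ZXR10 actually performs are not documented on this page) walks the options of an IPv4 header and validates a loose or strict source route option against those rules as defined in RFC 791. The function names and the sample headers are constructed for illustration.

```python
import ipaddress

LSRR, SSRR = 131, 137   # loose / strict source route option codes


def _verdict(action, reason, **extra):
    return {"action": action, "reason": reason, **extra}


def _check_route(opt):
    """Validate one option: code, length, pointer, then 4-byte addresses."""
    length = opt[1]
    if length < 7 or (length - 3) % 4:
        return _verdict("drop", f"length {length} is not 3 + 4*n")
    pointer = opt[2]
    # Pointer counts from the option start; the first address is at 4.
    if pointer < 4 or pointer % 4 or pointer > length + 1:
        return _verdict("drop", f"pointer {pointer} is out of range")
    hops = [str(ipaddress.IPv4Address(opt[i:i + 4]))
            for i in range(3, length, 4)]
    next_hop = hops[pointer // 4 - 1] if pointer < length else None
    return _verdict("forward", "valid source route",
                    strict=opt[0] == SSRR, hops=hops, next_hop=next_hop)


def source_route_verdict(ip_header):
    """Classify an IPv4 header by its source route option, if any."""
    if len(ip_header) < 20 or ip_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip_header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(ip_header):
        raise ValueError("bad header length")
    opts, pos = ip_header[20:ihl], 0
    while pos < len(opts):
        code = opts[pos]
        if code == 0:            # End of Option List
            break
        if code == 1:            # No Operation (single byte)
            pos += 1
            continue
        if pos + 2 > len(opts):
            return _verdict("drop", "option header truncated")
        length = opts[pos + 1]
        if length < 2 or pos + length > len(opts):
            return _verdict("drop", "option length exceeds header")
        if code in (LSRR, SSRR):
            return _check_route(opts[pos:pos + length])
        pos += length
    return _verdict("forward", "no source route option")


def sample_header(options):
    """Constructed IPv4 header: only version/IHL and options are filled in."""
    padded = options + bytes(-len(options) % 4)   # pad with End of List
    return bytes([0x40 | (20 + len(padded)) // 4]) + bytes(19) + padded


_HOPS = (ipaddress.IPv4Address("10.10.20.2").packed +
         ipaddress.IPv4Address("10.10.50.1").packed)
GOOD = sample_header(bytes([LSRR, 11, 4]) + _HOPS)
FINISHED = sample_header(bytes([SSRR, 11, 12]) + _HOPS)
BAD_POINTER = sample_header(bytes([LSRR, 11, 3]) + _HOPS)
BAD_LENGTH = sample_header(bytes([LSRR, 10, 4]) + _HOPS)
NO_OPTION = sample_header(b"")

if __name__ == "__main__":
    for name in ("GOOD", "FINISHED", "BAD_POINTER", "BAD_LENGTH", "NO_OPTION"):
        print(name, source_route_verdict(globals()[name]))
```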
Configuration Commands
To configure the ICMP unreachable packet function, run the following commands on the
ZXR10 ZSR V2:
Command Function
Maintenance Commands
To view detailed information on packet sending and receiving after the ICMP unreachable
packet function is configured, run the following command. For other commands, refer to
15.1 Configuring ICMP Fast Response.
Command Function
Configuration Example
- Configuration Description
As shown in Figure 15-4, R1 receives packets with an unknown protocol, and ICMP
unreachable packets are valid.
- Configuration Flow
1. Enter ICMP configuration mode.
2. Enable the ICMP unreachable packet function on a specified interface.
3. Configure that interface ICMP unreachable packets are valid.
- Configuration Commands
R1(config)#icmp-config
R1(config-icmp)#interface gei-1/1
R1(config-icmp-if-gei-1/1)#ip unreachable
R1(config-icmp-if-gei-1/1)#exit
R1(config-icmp)#exit
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#ip address 60.0.0.1 255.255.255.0
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip forward unreachable
R1(config-if-gei-1/1)#exit
- Configuration Verification
When the PC sends unknown protocol packets to R1, R1 sends ICMP unreachable
packets to the PC.
Configuration Commands
To enable an interface to send ICMP unreachable packets, run the following command on
the ZXR10 ZSR V2:
Command Function
Maintenance Commands
To view information on packet sending and receiving after the configuration is performed,
run the following command on the ZXR10 ZSR V2. For other commands, refer to 15.1
Configuring ICMP Fast Response.
Command Function
Configuration Example
- Configuration Description
As shown in Figure 15-5, the interface receives a packet with an unknown destination,
and returns an ICMP unreachable packet.
- Configuration Flow
1. Configure interface addresses for the devices.
2. Configure a static route between the two devices that are not directly connected.
3. Configure that ICMP unreachable packets are valid on the interface.
- Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#ip address 10.1.1.1 255.255.255.0
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#exit
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#ip address 10.1.1.2 255.255.255.0
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip forward unreachable
R2(config-if-gei-1/1)#exit
R2(config)#icmp-config
R2(config-icmp)#interface gei-1/1
R2(config-icmp-if-gei-1/1)#ip unreachable
R2(config-icmp-if-gei-1/1)#exit
- Configuration Verification
Run the debug ip icmp detail command on R2. Run the ping 1.2.3.4 command on
R1. You can see that R2 sends host unreachable packets to R1.
The name ping comes from sonar location operations. Ping is used to test whether another
host is reachable. The program sends an ICMP Echo Request to the host and waits
for an ICMP Echo Reply.
- Characteristics of Ping
The ping command sends an ICMP Echo Request. If the destination receives the
ICMP Echo Request, it will send an ICMP Echo Reply to the source address of the
Echo Request. Therefore, the ping command can be used to diagnose network
connectivity faults.
The ping program that sends an Echo Request is called a client, and the host that
is pinged is called a server. Most Transmission Control Protocol/Internet
Protocol (TCP/IP) implementations support the ping server directly in the kernel. The server is not a user
process.
The format of an ICMP Echo Request and an ICMP Echo Reply is shown in Figure
15-6.
If the type code is 8, it is an ICMP Echo Request packet. If the type code is 0, it is an
ICMP Echo Reply packet.
As with other types of ICMP query packets, a server must reply with the identifier and the
serial number. In addition, the optional data sent by a client must be echoed. It is assumed
that the client is interested in the information.
The serial number starts from 0, and it increments by one when a new Echo Request
is sent. The ping program displays the serial number of each returning packet, which
allows users to check whether packets are lost, in disorder or duplicated.
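The following added example (not from the ZTE manual) shows both sides of the exchange described above: it builds an Echo Request (type 8), produces the Echo Reply (type 0) a server would send by echoing the identifier, serial number and data, and uses the serial numbers to report lost, duplicated and out-of-order replies. The function names are hypothetical and the packets are constructed; the checksum is the standard Internet checksum.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0


def checksum(data):
    """Internet checksum: one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    head = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(head + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Return the fields of an Echo Request/Reply or raise ValueError."""
    if len(packet) < 8:
        raise ValueError("shorter than an ICMP echo header")
    icmp_type, code, _csum, ident, seq = struct.unpack_from("!BBHHH", packet)
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request or reply")
    if checksum(packet) != 0:      # a valid packet sums to zero
        raise ValueError("bad checksum")
    kind = "request" if icmp_type == ECHO_REQUEST else "reply"
    return {"type": kind, "ident": ident, "seq": seq, "data": packet[8:]}


def reply_to(request):
    """Server side: echo identifier, serial number and data unchanged."""
    req = parse_echo(request)
    if req["type"] != "request":
        raise ValueError("only requests are answered")
    return build_echo(ECHO_REPLY, req["ident"], req["seq"], req["data"])


def classify(sent_count, ident, replies):
    """Client side: serial numbers 0..sent_count-1 were sent with ident."""
    seen, highest = set(), -1
    duplicated, reordered, ignored = [], [], 0
    for raw in replies:
        try:
            rep = parse_echo(raw)
        except ValueError:
            ignored += 1           # corrupted or not an echo packet
            continue
        if (rep["type"] != "reply" or rep["ident"] != ident
                or rep["seq"] >= sent_count):
            ignored += 1           # not an answer to this ping session
            continue
        seq = rep["seq"]
        if seq in seen:
            duplicated.append(seq)
            continue
        if seq < highest:
            reordered.append(seq)
        seen.add(seq)
        highest = max(highest, seq)
    lost = [s for s in range(sent_count) if s not in seen]
    return {"lost": lost, "duplicated": duplicated,
            "reordered": reordered, "ignored": ignored}


if __name__ == "__main__":
    # Constructed session: reply 4 never arrives, 2 arrives late and twice.
    requests = [build_echo(ECHO_REQUEST, 0x1234, s, bytes(92)) for s in range(6)]
    arrived = [reply_to(requests[i]) for i in (0, 1, 3, 2, 2, 5)]
    print(classify(6, 0x1234, arrived))
```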
Configuration Commands
To configure IP ping on the ZXR10 ZSR V2, run the following commands:
Command Function
size <datagram-size>: size of a ping packet, range: 36-8192, default: 100 bytes.
timeout <timeout>: timeout period, unit: second, range: 1-20.
tos <tos>: Type of Service (ToS) of a sent packet, range: 0-255, default: 0.
ttl <ttl>: Time To Live (TTL), range: 1-255.
df-bit <don't-frag>: flag indicating no fragmentation, options: 0, 1, default: 0 (indicating
that fragmentation is allowed).
pattern <pad>: value of the pad field in a packet.
option: whether to configure the IP options. The value 1 means that IP options can be
configured.
speed limite <limite-num>: number of ping packets sent per second.
speed interval <interval-seconds>: interval between two data request packets, unit: second,
range: 2-10.
loose | strict <source-route-address>: specified source station route, format: dotted decimal.
record <record-hops>: maximum number of hops that needs to be recorded, range: 1-9.
timestamp <record-timestamps>: maximum number of timestamps that needs to be
recorded, range: 1-9.
Maintenance Commands
To maintain IP Ping, run the following command on the ZXR10 ZSR V2:
Command Function
Configuration Example
- Configuration Description
As shown in Figure 15-7, two interfaces on two devices in the same network segment
use the ping command to test the connectivity.
- Configuration Flow
1. Enter interface configuration mode and configure IP addresses on the interfaces
for communication.
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 100.0.0.15 255.255.255.0
R1(config-if-gei-1/1)#exit
R2(config)#interface gei-1/1
R2(config-if-gei-1/1)#no shutdown
R2(config-if-gei-1/1)#ip address 100.0.0.20 255.255.255.0
R2(config-if-gei-1/1)#exit
- Configuration Verification
Run the ping command on R1 to check the connectivity. The execution result is
displayed as follows:
R1#ping 100.0.0.20
sending 5,100-byte ICMP echoes to 100.0.0.20,timeout is 2 seconds.
!!!!! /*The result shows that the address can be pinged successfully.*/
Success rate is 100 percent(5/5),round-trip min/avg/max= 17/18/20ms.
R1#ping 100.0.0.21
sending 5,100-byte ICMP echoes to 100.0.0.21,timeout is 2 seconds.
..... /*The result shows that the address cannot be pinged successfully.*/
Success rate is 0 percent(0/5).
The trace command is used for debugging. It displays the route that an IP data packet
passes through from a host to another host. Because the space left to options in an IP
header is limited, the route record option cannot be used. The trace command uses
ICMP packets and the TTL field in IP headers to accomplish its function.
1. The "trace" program sends an IP data packet to the destination host. The value
of the TTL field in the IP header is 1. The first router that receives this packet
reduces the value of the TTL field by 1. It drops the packet, and returns a timeout
ICMP packet. In this way, the address of the first router is obtained.
2. The "trace" program sends an IP data packet whose TTL field in the IP header is
2. In this way, the address of the second router is obtained.
3. The "trace" program continues with this procedure until a packet arrives at the
destination host.
1. The "trace" program sends a UDP data packet with a large port number to the destination host,
so that it is unlikely that any application on the destination host uses that port.
2. When the data packet arrives at the host, the UDP module generates an ICMP
packet indicating that the port is unreachable.
3. In this way, by identifying whether the received ICMP packet is a timeout packet
or an unreachable port packet, the sending side knows when "trace" ends.
The interfaces between the "trace" module and sub-modules are shown in Figure
15-8.
Configuration Commands
To configure IP trace on ZXR10 ZSR V2, run the following commands:
Command Function
The trace command uses ICMP error packets. An ICMP error packet is generated when
a data packet exceeds its TTL value. By sending a data packet whose TTL value is 1, the
trace command triggers the first router to drop the packet and return an error packet. A
TTL timeout packet means that an intermediate router received the packet and
dropped it. An ICMP error packet indicating that the destination is unreachable means
that the destination node received the packet but could not deliver it. If the timer
expires before a reply arrives, the "trace" program displays a "*" mark.
Maintenance Commands
The following example shows the output of the trace command used in privileged mode.
The trace command traces the path to 168.1.10.100.
ZXR10#trace 168.1.10.100
tracing the route to 168.1.10.100
1 168.1.10.100 2 ms 3 ms 5 ms
[finished]
Configuration Example
- Configuration Description
As shown in Figure 15-9, the trace command is run on R1 to detect the route to R2.
- Configuration Flow
1. Configure interface addresses and routes.
2. Run the trace command in privileged mode.
- Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/1
R1(config-if-gei-1/1)#no shutdown
R1(config-if-gei-1/1)#ip address 100.0.0.15 255.255.255.0
R1(config-if-gei-1/1)#exit
R1(config)#router ospf 1
R1(config-ospf-1)#network 100.0.0.0 0.0.0.255 area 0
R1(config-ospf-1)#end
- Configuration Verification
The execution result of the trace command on R1 is displayed as follows:
R1#trace 175.103.59.110
tracing the route to 175.103.59.110 over a maximum of 30 hops:
1 100.0.0.22 55 ms 2 ms 2 ms
/*The IP address on the first-hop device and time delays*/
2 10.17.94.81 176 ms 143 ms 333 ms
3 10.28.5.61 131 ms 133 ms 134 ms
4 * * *
/*The fourth-hop device does not return any packet. There are "*" marks.*/
5 202.70.62.169 151 ms 149 ms 146 ms
6 202.43.177.81 176 ms 162 ms 165 ms
7 218.100.27.30 142 ms 134 ms 159 ms
8 175.103.59.110 140 ms 166 ms 138 ms
[finished]
On an MPLS network, if IP ping is used, labels are added to ping packets and label
switching is performed. IP ping, however, only checks connectivity on the IP plane,
but cannot check LSPs. On an MPLS network, if an LDP session between two LSRs is
disconnected, labels cannot be forwarded. In this case, IP ping packets are reachable,
but the LSP fails.
Various factors cause LSP faults. For example, an LDP session is disconnected, LDP
is not enabled on some LSRs, or an exception occurs in an LDP label forwarding table.
A mechanism different from IP ping is needed to detect whether an end-to-end LSP
is operating properly. LSP ping was introduced for this purpose.
LSP ping uses a packet belonging to a specific Forwarding Equivalence Class
(FEC) to verify the integrity of the LSP (from the source LSR to the destination LSR)
that belongs to this FEC. An LSP ping request packet contains information on the
corresponding FEC.
An LSP ping packet is encapsulated in a UDP packet, and contains a serial number
and a time stamp. When processing an LSP ping request packet, MPLS uses the
same forwarding policy as packets of the FEC. When the LSP ping packet reaches
an LSP egress, the LSR control plane checks the packet to verify whether this LSP is
the correct egress of the FEC.
Similar to IP ping, LSP ping also uses the Echo Request and Echo Reply mechanism.
But the LSP ping packet format is completely different from the IP ping packet format.
Packets sent by LSP ping are not ICMP packets but UDP packets whose port number
is 3503. On an MPLS network:
1. A source device sends a UDP Echo Request packet whose port number is 3503.
2. LSRs forward the Echo Request packet through label switching.
3. When the packet reaches the destination device, the destination device responds
with a UDP Echo Reply packet whose port number is 3503.
To prevent IP packets from being forwarded when an IP path is operating properly
but an LSP is disconnected, the value of the IP TTL field in an LSP ping Echo
Request packet is set to 1, and the destination address of the packet is set to
an address in the 127.0.0.0/8 segment. LSRs do not forward such an IP packet
without an MPLS label.
An LSP is unidirectional. An LSP ping Echo Request packet is only forwarded along
the LSP to be tested. The corresponding Echo Reply packet only sends necessary
information to the source, and it does not need to go along the same path as that of
the Echo Request packet. The reply packet can also be an IP packet without a label.
The path of an MPLS Echo Request packet of LSP ping and that of the corresponding
Echo Reply packet may be different. The destination address and destination port of
the Echo Reply packet are the source address and source port of the Echo Request
packet respectively.
Configuration Commands
To configure LSP ping on the ZXR10 ZSR V2, run the following commands:
Command Function
Maintenance Commands
To maintain LSP ping on the ZXR10 ZSR V2, run the following command:
Command Function
ZXR10#debug lspv {error | event | packet | tlv | all}
Displays information on sent UDP Echo Request packets and received UDP Echo Reply packets when LSP ping is performed.
- Configuration Flow
1. Build an LDP network.
2. Perform LDP LSP ping on R1.
- Configuration Commands
For LDP configuration, refer to the MPLS configuration example.
- Configuration Verification
Ping R3 on R1. The result is displayed as follows:
R1#ping mpls ipv4 10.28.0.4 32
sending 5,120-byte MPLS echo(es) to 10.28.0.4,timeout is 2 second(s).
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index, 'X' - unknown return code, 'x' - return code 0
'd' - DDMAP
!!!!!
Success rate is 100 percent(5/5),round-trip min/avg/max= 5/38/151 ms.
R1 cannot ping R3 successfully. LSP ping checks whether the "FEC destination
address + mask" is correct. If the "FEC destination address + mask" is incorrect,
LSP ping fails.
As shown in Figure 15-11, RSVP is enabled on R1, R2 and R3. Build an Open Shortest
Path First-Traffic Engineering (OSPF-TE) network. It is required to configure LSP ping
on R1 to check connectivity.
- Configuration Flow
1. Build an OSPF-TE network.
2. Perform RSVP LSP ping on R1.
- Configuration Command
Run the following command to check configurations on R1. The execution result is
displayed as follows:
R1#show mpls traffic-eng tunnels brief
Signalling Summary:
LSP Tunnels Process: running
RSVP Process: running
Forwarding: enabled
TUNNEL NAME DESTINATION UP IF DOWN IF STATE/PROT
tunnel_4000 10.28.0.5 - unknown up/down
tunnel_1 10.28.0.4 - gei-1/2 up/up
Test connectivity of the tunnel on R1. The execution result is displayed as follows:
R1#ping mpls traffic-eng te_tunnel4000 /*TE tunnel of LSP Ping DOWN on R1*/
sending 5,120-byte MPLS echos to te_tunnel4000,timeout is 2 seconds.
- Configuration Flow
1. Build an L2 VPN network.
2. Perform PWE3 LSP ping on R1.
- Configuration Commands
Basic LDP configuration is omitted here.
- Configuration Verification
Run the following command to check configurations on R1. The execution result is
displayed as follows:
To make routers on the Internet report errors of the MPLS LSP data plane or provide
information on unexpected conditions, the MPLS trace function is provided. MPLS
trace is a simple and effective method of detecting faults on the MPLS LSP data plane.
It can detect some faults that the control plane cannot find. By using this method,
users can quickly find and isolate faults such as routing black holes and loss of routes.
LSP trace is based on Echo Request and Echo Reply packets. The packets sent are
UDP packets whose port number is 3503 instead of ICMP packets.
LSP trace uses the TTL field in an MPLS packet header. The LSP trace command
increments the TTL value from 1, and sends an MPLS Echo Request packet to the
next hop. When detecting that TTL expires, an LSR sends an MPLS Echo Reply
packet to the source. In such a query procedure, each hop of an LSP can be traced.
The LSP trace function can be used to detect different FECs (IPv4 LDP and RSVP).
An LSP trace request packet is a UDP packet with a label. The packet uses the
well-known port 3503 as the destination port. The source port is designated by the
sender. The IP-layer source address is the IP address of the sender. The destination
address is 127.0.0.1, which is used to prevent the packet from being forwarded
according to an IP route when a fault occurs on an LSP of an intermediate LSR.
The MPLS LSP trace procedure between LSR1 and LSR4 is described below:
1. LSR1: LSR1 sends an MPLS Echo Request packet to LSR2. The destination
address of the packet is the FEC on LSR4.
In the Echo Request packet, the TTL value in the MPLS header is 1, the
destination address in the IP header is 127.0.0.1, and both the source port
number and destination port number in the UDP header are 3503.
2. LSR2: When receiving the request packet whose TTL value is 1, LSR2 processes
the packet. It finds that it is not the destination. Therefore, LSR2 responds to
LSR1 with an MPLS Echo Reply packet.
In the Echo Reply packet, LSR2 fills in a corresponding return code. If the return
code is 3, the node is the destination. If the return code is 6, the node is an
intermediate node. LSR1 determines whether the packet reaches the destination
according to the return code.
3. LSR1: After receiving the Echo Reply packet from LSR2, LSR1 knows the
address and label information on LSR2. According to the return code, LSR1
knows that the packet did not reach the destination. LSR1 sends an MPLS Echo
Request packet to LSR2 again. The destination of the packet is the FEC on
LSR4.
In the Echo Request packet, the TTL value in the MPLS header is 2, the
destination address in the IP header is 127.0.0.1, and both the source port
number and destination port number in the UDP header are 3503.
4. LSR2: After receiving the Echo Request packet whose TTL value is 2, LSR2
searches for label information and then forwards the packet to LSR3. The TTL
value decrements by one.
5. LSR3: After receiving the packet whose TTL value is 1, LSR3 finds that it is not
the destination either. Therefore, LSR3 responds to LSR1 with an MPLS Echo
Reply packet.
In the Echo Reply packet, the return code is 6, which indicates that the node is
an intermediate node. According to the return code, LSR1 knows that the packet
did not reach the destination.
6. LSR1: After receiving the Echo Reply packet from LSR3, LSR1 knows the
address and label information on LSR3. According to the return code, LSR1
knows that the packet did not reach the destination. LSR1 sends an MPLS Echo
Request packet to LSR2 again. The destination is the FEC on LSR4.
In the Echo Request packet, the TTL value in the MPLS header is 3, the
destination address in the IP header is 127.0.0.1, and both the source port
number and destination port number in the UDP header are 3503.
7. LSR2: After receiving the Echo Request packet whose TTL value is 3, LSR2
searches for label information and then forwards the packet to LSR3. The TTL
value decrements by one.
8. LSR3: After receiving the Echo Request packet whose TTL value is 2, LSR3
searches for label information and then forwards the packet to LSR4. The TTL
value decrements by one.
9. LSR4: After receiving the request packet whose TTL value is 1, LSR4
processes the packet. It finds that it is the destination. Therefore, LSR4
responds to LSR1 with an MPLS Echo Reply packet.
In the Echo Reply packet, the return code is 3, which indicates that the node is
the destination node.
After the procedure, LSR1 knows the address and label information on LSRs along
the LSP.
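The trace procedure above, as an added Python illustration (not ZTE code and not part of the original manual): a simulation of the TTL-stepped Echo Request/Echo Reply exchange, using return codes 3 and 6 as the manual states them. The label values, label tables and function names are constructed assumptions; the second run removes LSR3's label binding to show how a lost probe localizes a black hole.

```python
import struct

RC_EGRESS, RC_TRANSIT = 3, 6   # return codes as given in the manual text

def pack_entry(label, ttl):
    """One MPLS label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (1 << 8) | ttl)

def unpack_entry(raw):
    (word,) = struct.unpack("!I", raw)
    return word >> 12, word & 0xFF

def make_lfib():
    # Constructed label tables: node -> {incoming label: (next hop, outgoing label)}
    return {"LSR2": {100: ("LSR3", 200)},
            "LSR3": {200: ("LSR4", 300)},
            "LSR4": {}}

def echo_request(lfib, egress, first_hop, label, ttl):
    """Carry one Echo Request down the LSP; return (replier, code) or None if lost."""
    node, raw = first_hop, pack_entry(label, ttl)
    while True:
        label, ttl = unpack_entry(raw)
        if node == egress:
            return node, RC_EGRESS          # destination reached
        if ttl <= 1:
            return node, RC_TRANSIT         # TTL expired at an intermediate LSR
        nxt = lfib[node].get(label)
        if nxt is None:
            # No label binding. The IP destination is 127.0.0.1, so the packet
            # is not rescued by IP routing; it is dropped and LSR1 times out.
            return None
        node, raw = nxt[0], pack_entry(nxt[1], ttl - 1)

def lsp_trace(lfib, egress="LSR4", first_hop="LSR2", label=100, max_ttl=8):
    """Raise the TTL from 1 until the egress answers or a probe is lost."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = echo_request(lfib, egress, first_hop, label, ttl)
        hops.append((ttl, reply))
        if reply is None or reply[1] == RC_EGRESS:
            break
    return hops

if __name__ == "__main__":
    print(lsp_trace(make_lfib()))
    broken = make_lfib()
    del broken["LSR3"][200]    # constructed fault: LSR3 lost its label binding
    print(lsp_trace(broken))
```

In the faulty run, the last hop that answered (LSR3) is where the label-switched path breaks, which is the information an operator needs to isolate the fault.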
Configuration Commands
To configure LSP trace on the ZXR10 ZSR V2, run the following commands:
Command: ZXR10#trace mpls ipv4 <ip-address><mask-length>[output-interface <interface-name>][destination <start-ipv4-address>[<end-ipv4-address>][<increment>]][ttl <ttl>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}|[{ddmap|dsmap}]]
Function: Enables the IPv4 LDP LSP trace function.

Command: ZXR10#trace mpls traffic-eng te_tunnel <id>[{master|slave}][ttl <ttl>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}|[{ddmap|dsmap}]]
Function: Enables the RSVP LSP trace function.

Command: ZXR10#trace mpls pseudowire [multisegment]<pw-name>[ttl <ttl>| timeout <timeout>| source {<source-ipv4-address>|<source-ipv6-address>}|[{ddmap|dsmap}]]
Function: Enables the PWE3 LSP trace function.

master: specifies that the master LSP sends LSP ping packets.
slave: specifies that the slave LSP sends LSP ping packets.
Maintenance Commands
To maintain LSP trace, run the following command on the ZXR10 ZSR V2:
Command: ZXR10#debug lspv {error | event | packet | tlv | all}
Function: Displays information on sent UDP Echo Request packets and received UDP Echo Reply packets when LSP trace is performed.
• Configuration Flow
1. Build an LDP network.
2. Perform LDP LSP trace on R1.
• Configuration Command
For LDP configuration, refer to the MPLS configuration example.
• Configuration Verification
Run the following commands on R1 to view configurations. The execution result is
displayed as follows:
R1#show mpls forwarding-table
Local   Outgoing   Prefix or      Outgoing    Next Hop    M/S
label   label      Lspname        interface
20      Pop tag    10.28.0.3/32   gei-1/2     10.28.1.6   M
57      49         10.28.0.4/32   gei-1/2     10.28.1.6   M
• Configuration Flow
1. Build an OSPF-TE network.
2. Perform RSVP LSP trace on R1.
• Configuration Commands
Configuration Commands
To configure multicast ping on the ZXR10 ZSR V2, run the following command:
Command Function
Maintenance Commands
To maintain multicast ping on the ZXR10 ZSR V2, run the following command:
Command Function
Configuration Example
• Configuration Description
As shown in Figure 15-17, it is required to check whether the multicast last hop is
reachable.
• Configuration Flow
1. Build a network.
2. Enable PIM-SM on R1 and R2.
3. Add the receiving group to the multicast group.
4. Ping the multicast group address on R1.
• Configuration Commands
Run the following commands on R1:
R1(config)#interface gei-1/9
R1(config-if-gei-1/9)#no shutdown
• When trace 1.1.1.3 2.2.2.2 is configured on R1, R1 finds through RPF that the next
hop is 1.1.1.1. R1 unicasts the destination route 2.2.2.2 until it finds that the next
hop route 1.1.1.3 is a source direct-connected route.
• When trace 1.1.1.3 2.2.2.2 224.1.1.1 is configured on R1, R1 searches for the next
hop route by an (S, G) or (*, G) entry. (S, G) is preferred. R1 unicasts the destination
route 2.2.2.2 until it finds that the next hop route 1.1.1.3 is a source
direct-connected route.
Configuration Commands
To configure multicast trace on ZXR10 ZSR V2, use the following command.
Command Function
Configuration Example
• Configuration Description
It is required to search for a next hop route through an (S, G) or (*, G) entry. The
network topology is shown in Figure 15-19.
• Configuration Flow
1. Enable PIM-SM on R1 and R2.
2. The receiving group joins the multicast group. The source sends a multicast flow.
3. Configure multicast trace on R2.
• Configuration Command
Configuration on R1:
R1(config)#interface gei-1/9
R1(config-if-gei-1/9)#no shutdown
R1(config-if-gei-1/9)#ip address 12.131.1.1 255.255.255.0
R1(config-if-gei-1/9)#exit
R1(config)#interface gei-1/8
R1(config-if-gei-1/8)#no shutdown
R1(config-if-gei-1/8)#ip address 17.1.1.2 255.255.255.0
R1(config-if-gei-1/8)#exit
R1(config)#interface loopback1
R1(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0
R1(config-if-loopback1)#exit
/*Configure a multicast protocol*/
R1(config)#ip multicast-routing
R1(config-mcast)#router pim
R1(config-mcast-pim)#rp-candidate loopback1
R1(config-mcast-pim)#bsr-candidate loopback1
R1(config-mcast-pim)#interface gei-1/9
R1(config-mcast-pim-if-gei-1/9)#pimsm
R1(config-mcast-pim-if-gei-1/9)#exit
R1(config-mcast-pim)#interface gei-1/8
R1(config-mcast-pim-if-gei-1/8)#pimsm
R1(config-mcast-pim-if-gei-1/8)#end
The receiving group joins the multicast group 225.0.0.1. The source sends a multicast
flow.
MAC ping supports ping from CE1 to CE2, from PE1 to PE2, from PE1 to CE2, and
from CE1 to PE2. The parameters in ping commands sent from a CE and from a PE
are different.
The following takes ping from CE1 to CE2 and from PE1 to PE2 as examples to describe
the procedures.
PE1 sends a MAC-layer ping request which contains a destination MAC address,
Virtual Private LAN Service (VPLS) name and peer ID. When receiving the request
packet, PE2 sends a reply packet. If PE1 receives the reply packet within a specified
period, the link layer is operating properly.
Configuration Commands
To configure MAC ping on the ZXR10 ZSR V2, run the following command:
Command Function
Maintenance Commands
To maintain MAC ping on the ZXR10 ZSR V2, run the following command:
Command: ZXR10#debug macping {all |error | event | info | packet}
Function: Displays errors, events, information, packets or all information when MAC ping packets are received and sent.
Configuration Example
• Configuration Description
For the MAC ping network structure on a VPLS network, see Figure 15-21.
• Configuration Flow
1. Configure IP addresses. Enable OSPF between PE1 and PE2.
2. Configure LDP between PEs.
3. Configure L2 VPN VPLS.
4. Configure MAC ping.
• Configuration Commands
PE1(config)#router ospf 1
PE1(config-ospf-1)#network 100.10.10.1 0.0.0.0 area 0
PE1(config-ospf-1)#network 10.1.1.1 0.0.0.255 area 0
PE1(config-ospf-1)#exit
The EOAM function is defined in the 802.3ah draft. This function can be used to detect
information on the Ethernet link layer defined in IEEE 802.3. OAM information contained
in IEEE 802.3 is called EOAM.
EOAM-based MAC trace network structure is shown in Figure 15-22.
MAC trace supports trace from CE1 to CE2, from PE1 to PE2, and from PE1 to CE2.
• Trace from CE1 to CE2
CE1 sends a MAC trace request. If the link is operating properly, MAC addresses of
corresponding interfaces on CE1, PE1, PE2 and CE2 are recorded.
• Trace from PE1 to PE2
PE1 sends a MAC trace request. If the link is operating properly, MAC addresses of
corresponding interfaces on PE1 and PE2 are recorded.
• Trace from PE1 to CE2
PE1 sends a MAC trace request. If the link is operating properly, MAC addresses of
corresponding interfaces on PE1, PE2 and CE2 are recorded.
Configuration Commands
To configure MAC trace on ZXR10 ZSR V2, run the following command:
Command Function
Maintenance Commands
To maintain MAC trace on the ZXR10 ZSR V2, run the following command:
Command: ZXR10#debug macping {all |error | event | info | packet}
Function: Displays errors, events, information and packets or all information when MAC trace packets are received and sent.
Configuration Example
• Configuration Description
On a VPLS network, the MAC trace network structure is shown in Figure 15-23.
• Configuration Flow
1. Configure IP addresses. Enable OSPF between PE1 and PE2.
2. Configure LDP between PEs.
3. Configure L2 VPN VPLS.
4. Configure MAC trace.
• Configuration Command
Run the following commands on PE1:
PE1(config)#interface loopback1
PE1(config-if-loopback1)#ip address 100.10.10.1 255.255.255.255
PE1(config-if-loopback1)#exit
PE1(config)#interface gei-1/1
PE1(config-if-gei-1/1)#no shutdown
PE1(config-if-gei-1/1)#ip address 17.1.1.1 255.255.255.0
PE1(config-if-gei-1/1)#exit
PE1(config)#router ospf 1
PE1(config-ospf-1)#network 100.10.10.1 0.0.0.0 area 0
PE1(config-ospf-1)#network 17.1.1.1 0.0.0.255 area 0
PE1(config-ospf-1)#exit
• Configuration Verification
Run the mac-trace command on PE1. The execution result is displayed as follows:
PE1#mac-trace 00d0.d000.0500 vpls zte1 peer 100.10.10.2
Starting L2 Trace to 00d0.d000.0500
PE1 :gei-1/1 [002e.33d5.3f51]->
PE2 :gei-1/1 [00d0.d000.0500] !
[finished]
LLDP
- Link Layer Discovery Protocol
LLDPDU
- Link Layer Discovery Protocol Data Unit
LSP
- Label Switched Path
LSR
- Label Switch Router
MAC
- Media Access Control
MAN
- Metropolitan Area Network
MIB
- Management Information Base
MPLS
- Multiprotocol Label Switching
NMS
- Network Management System
NTP
- Network Time Protocol
PDU
- Packet Data Unit
POP
- Points Of Presence
PPP
- Point-to-Point Protocol
RADIUS
- Remote Authentication Dial In User Service
RFC
- Request For Comments
SLA
- Service Level Agreement
SNMP
- Simple Network Management Protocol
SSH
- Secure Shell
TACACS+
- Terminal Access Controller Access-Control System Plus
TCP
- Transmission Control Protocol
TCP/IP
- Transmission Control Protocol/Internet Protocol
TELNET
- Telecommunication Network Protocol
TFTP
- Trivial File Transfer Protocol
TLV
- Type/Length/Value
TTL
- Time To Live
ToS
- Type of Service
UDP
- User Datagram Protocol
VRF
- Virtual Route Forwarding