Management
Content
1 SNMP
2 NTP
3 HGMP
4 LLDP
5 Ping&Tracert
6 NQA
7 AAA
8 RMON
9 Syslog
10 For IPV6

1: SNMP Introduction
The Simple Network Management Protocol (SNMP) is a standard network management protocol widely used on TCP/IP networks. It uses a central computer (a network management station) that runs network management software to manage network elements.
There are three SNMP versions: SNMPv1, SNMPv2c, and SNMPv3. (S97 supports both, depending on configuration; v3 is the default.)

1: SNMP Components
Three components are used in SNMP device management:
NM station: sends various query packets to query managed devices and receives alarms from these devices. (HUAWEI eSight, HP OpenView, IBM Tivoli, …)
Agent: a network-management process on a managed device. An agent has the following functions:
– Receives and parses query packets sent from the NM station.
– Reads or writes management variables based on the query type, and generates and sends response packets to the NM station.
– Sends an alarm to the NM station when triggering conditions defined on each protocol module corresponding to the alarm are met. For example, the system view is displayed or closed, or the device is restarted.
Managed device: is managed by an NM station and generates and reports alarms to the NM station. (Router, Switch, Firewall, …)

1: SNMP structure
Schematic diagram of SNMP operations
SNMP packets are encapsulated in UDP packets for transmission, and the ports used by SNMP are 161 and 162.

1: SNMP operations
Operation: Function
GetRequest: Retrieves the value of a variable. The NM station sends the request to a managed device to obtain the value of an object on the device.
GetNextRequest: Retrieves the value of the next variable. The NM station sends the request to a managed device to obtain the status of the next object on the device.
GetResponse: Responds to GetRequest, GetNextRequest, and SetRequest operations. It is sent from the managed device to the NM station.
GetBulk: An NMS-to-agent request, equivalent to continuous GetNext operations.
SetRequest: Sets the value of a variable. The NM station sends the request to a managed device to adjust the status of an object on the device.
Trap: Reports an event to the NM station.

1: SNMP Description of features supported by SNMP(1)
Feature: Description
Access control: This function is used to restrict a user's device administration rights. It gives specific users the rights to manage specified objects on devices and therefore provides fine-grained management.
Authentication and encryption: Packets transmitted between the NM station and managed devices are authenticated and encrypted. This prevents data packets from being intercepted or modified, improving data sending security.
Error code: Error codes are used to identify particular faults. They help an administrator quickly locate and rectify faults. The larger the variety of error codes, the more they help an administrator in device management.
Trap: Traps are sent from managed devices to the NM station. These traps allow an administrator to discover device faults immediately. The managed devices do not require an acknowledgement from the NM station after sending traps.

1: SNMP Description of features supported by SNMP(2)
Feature: Description
Inform: Informs are sent from managed devices to the NM station. The managed devices require an acknowledgement from the NM station after sending informs. If a managed device does not receive an acknowledgement after sending an inform, it will resend the inform to the NM station and generate alarm logs. Even if the NM station restarts, it can still synchronize the informs sent during the restart process. If the device does not receive an acknowledgement from the NM station after sending an inform, it will store the inform in its memory. In this regard, using informs may consume a lot of system resources.
GetBulk: GetBulk allows an administrator to perform Get-next operations in batches. In a large-scale network, GetBulk reduces the administrator's workload and improves management efficiency.

1: SNMP Different SNMP versions' support for the features
Access control
  SNMPv1: Community-name-based access control supported
  SNMPv2c: Community-name-based access control supported
  SNMPv3: User or user-group-based access control supported
Authentication and encryption
  SNMPv1: Not supported
  SNMPv2c: Not supported
  SNMPv3: Supported, and the supported authentication and encryption modes are as follows:
    Authentication mode: MD5, SHA
    Encryption mode: DES56
Error code
  SNMPv1: 6 error codes supported
  SNMPv2c: 16 error codes supported
  SNMPv3: 16 error codes supported
Trap
  SNMPv1: Supported
  SNMPv2c: Supported
  SNMPv3: Supported
Inform
  SNMPv1: Not supported
  SNMPv2c: Supported
  SNMPv3: Not supported
GetBulk
  SNMPv1: Not supported
  SNMPv2c: Supported
  SNMPv3: Supported

1: SNMP Usage scenarios of different SNMP versions
Version: Usage Scenario
SNMPv1: This version is applicable to small-scale networks whose networking is simple and security requirements are low or whose security and stability are good, such as campus networks and small enterprise networks.
SNMPv2c: This version is applicable to medium and large-scale networks whose security requirements are not strict or whose security is good (for example, VPNs) but whose services are so busy that traffic congestion may occur. Using informs can ensure that the messages sent from managed devices are received by the NM station.
SNMPv3: This version is applicable to networks of various scales, especially the networks that have strict requirements on security and can be managed only by authorized administrators, such as the scenario where data between the NM station and managed devices needs to be transmitted over a public network.

1: Configuring SNMP
Applicable Environment
SNMP needs to be deployed in a network to allow the NM station to manage network devices.
Pre-configuration Tasks
SNMP needs to be deployed in a network to allow the NM station to manage network devices.
Data Preparation
No. Data
1 SNMP version, SNMP community name, destination address of alarm messages, administrator's contact information and location, and SNMP packet size
2 (Optional) ACL number, IP address of the NM station, and MIB object
3 (Optional) Name of the alarm-sending module, source address of trap messages, queue length for trap messages, and lifetime of trap messages
4 (Optional) Number of interfaces indexed by fixed numbers

1: How to configure SNMP(1)
1 Configuring Basic SNMP Functions *SNMPv1*
Step1: [Quidway]snmp-agent
Step2: [Quidway]snmp-agent sys-info version v1
* By default, SNMPv3 is enabled. And now, the device supports both SNMPv1 and SNMPv3 *
Step3: [Quidway]snmp-agent community { read | write } community-name
Step4: [Quidway]snmp-agent target-host trap address udp-domain ip-add
       [Quidway]snmp-agent target-host trap ipv6 address udp-domain ip-add

1: How to configure SNMP(1)
1 Configuring Basic SNMP Functions *SNMPv2c*
Step1: [Quidway]snmp-agent
Step2: [Quidway]snmp-agent sys-info version v2c
* By default, SNMPv3 is enabled. And now, the device supports both SNMPv2 and SNMPv3 *
Step3: [Quidway]snmp-agent community { read | write } community-name
Step4: [Quidway]snmp-agent target-host trap address udp-domain ip-add
       [Quidway]snmp-agent target-host trap ipv6 address udp-domain ip-add

1: How to configure SNMP(1)
1 Configuring Basic SNMP Functions *SNMPv3*
Step1: [Quidway]snmp-agent
Step2: [Quidway]snmp-agent sys-info version v3 *optional*
* By default, SNMPv3 is enabled. So this step is optional. *
Step3: [Quidway]snmp-agent group v3 group-name [ authentication | privacy ]
Step4: [Quidway]snmp-agent usm-user v3 user-name group-name
Step5: [Quidway]snmp-agent target-host trap address udp-domain ip-add
       [Quidway]snmp-agent target-host trap ipv6 address udp-domain ip-add

1: How to configure SNMP(2)
2 (Optional) Controlling the NM Station's Access to the Device
Step1: [Quidway]acl acl-number
Step2: [Quidway]rule
Step3: [Quidway]snmp-agent mib-view { excluded | included } view-name oid-tree
Step4: [Quidway]snmp-agent community { read | write } { community-name | cipher community-name }

1: How to configure SNMP(3)
3 (Optional) Enabling the SNMP Extended Error Code Function
Step1: [Quidway]snmp-agent extend error-code enable
*when both the NM station and managed device are Huawei products. After this function is enabled, more types of error codes are provided to help you locate and rectify faults more quickly and accurately.*

1: How to configure SNMP(4)
4 (Optional) Configuring the Trap Function
Step1: [Quidway]snmp-agent trap enable
Step2: [Quidway]snmp-agent trap enable feature-name feature-name
Step3: [Quidway]snmp-agent trap source interface-type interface-number
Step4: [Quidway]snmp-agent trap queue-size size
Step5: [Quidway]snmp-agent trap life seconds

1: How to configure SNMP(5)
5 (Optional) Configuring the Constant Interface Index Feature
Step1: [Quidway]ifindex constant
Step2: [Quidway]set constant-ifindex max-number number
Step3: [Quidway]set constant-ifindex subinterface { dense-mode | sparse-mode }

1: SNMPv1-How to check
display snmp-agent community *check the configured community name*
display snmp-agent sys-info version *check the enabled SNMP version*
display acl acl-number *check the rules in the specified ACL*
display snmp-agent mib-view *check the MIB view*
display snmp-agent sys-info contact *check the equipment administrator's contact information*
display snmp-agent sys-info location *check the location of the device*
display snmp-agent target-host *check the information about the target host*
display snmp-agent extend error-code status *check whether the SNMP extended error code feature is enabled*
display constant-ifindex configuration *check the constant interface index function and relevant configuration information*

1: SNMPv2c-How to check
display snmp-agent community *check the configured community name*
display snmp-agent sys-info version *check the enabled SNMP version*
display acl acl-number *check the rules in the specified ACL*
display snmp-agent mib-view *check the MIB view*
display snmp-agent sys-info contact *check the equipment administrator's contact information*
display snmp-agent sys-info location *check the location of the device*
display snmp-agent target-host *check the information about the target host*
display snmp-agent inform *check inform parameters and device statistics with the NM station being specified or not*
display snmp-agent notification-log info *check alarm logs stored in the log buffer*
display snmp-agent extend error-code status *check whether the SNMP extended error code feature is enabled*
display constant-ifindex configuration *check the constant interface index function and relevant configuration information*

1: SNMPv3-How to check
display snmp-agent usm-user *check user information*
display snmp-agent sys-info version *check the enabled SNMP version*
display acl acl-number *check the rules in the specified ACL*
display snmp-agent mib-view *check the MIB view*
display snmp-agent sys-info contact *check the equipment administrator's contact information*
display snmp-agent sys-info location *check the location of the device*
display snmp-agent target-host *check the information about the target host*
display snmp-agent extend error-code status *check whether the SNMP extended error code feature is enabled*
display constant-ifindex configuration *check the constant interface index function and relevant configuration information*

1: SNMPv1 Configuration

1: SNMPv2c Configuration

1: SNMPv3 Configuration

1: SNMP Recommended parameters
Device: CPU, Memory
Interface: inbound & outbound traffic, frame, packet, broadcast
Host: the IP & MAC addresses connected to the interface

1: SNMP Reference Document
Protocol: Specification
SNMP v1: RFC 1157
SNMP v2c: RFC 1905, RFC 1906, RFC 1907
SNMP v3: RFC 2571, RFC 2572, RFC 2573, RFC 2574, RFC 2575
MIB: RFC 1155, RFC 2578, RFC 2579, RFC 2580

2: NTP Introduction
NTP (Network Time Protocol)
Aim: synchronizing the clocks of all devices in a network. It keeps all the clocks of these devices consistent, and enables devices to implement various applications based on the uniform time.
NTP packets are encapsulated in UDP packets for transmission, and the port used by the NTP protocol is 123.
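Going back to the SNMP configuration steps in section 1, here is an added example (not from the original slides or from Huawei): a Python audit of `snmp-agent` lines that flags the weaker settings named in the version comparison table, namely v1/v2c without authentication or encryption, communities entered without `cipher`, and v3 groups without `privacy`. Both configurations are constructed samples; the `acl` option on the `community` line and the `all` version keyword are assumed from VRP syntax and are not shown on the slides.

```python
import re
from dataclasses import dataclass

# Strips a leading CLI prompt such as "[Quidway]" or "<Quidway>".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")
V3_LEVELS = ("authentication", "privacy")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    detail: str


def audit_snmp(config: str) -> list:
    """Return a list of Finding objects for the snmp-agent lines in a configuration."""
    findings = []
    group_level = {}  # v3 group name -> "none" | "authentication" | "privacy"
    v3_users = []     # (line number, user name, group name)

    for n, raw in enumerate(config.splitlines(), 1):
        tok = PROMPT.sub("", raw).split()
        if len(tok) < 2 or tok[0] != "snmp-agent":
            continue

        if tok[1:3] == ["sys-info", "version"]:
            # v1/v2c: community-name access control only, no authentication or encryption.
            # "all" is an assumed VRP keyword, not shown on the slides.
            legacy = [v for v in tok[3:] if v in ("v1", "v2c", "all")]
            if legacy:
                findings.append(Finding("legacy-version", n, "enables " + " ".join(legacy)))

        elif tok[1] == "community" and len(tok) >= 4:
            access, rest = tok[2], tok[3:]
            is_cipher = rest[0] == "cipher"
            options = rest[2:] if is_cipher else rest[1:]
            if access == "write":
                findings.append(Finding("write-community", n, "community grants write access"))
            if not is_cipher:
                findings.append(Finding("plaintext-community", n, "community entered without cipher"))
            if "acl" not in options:  # assumed VRP option, not shown on the slides
                findings.append(Finding("community-no-acl", n, "community not tied to an ACL"))

        elif tok[1:3] == ["group", "v3"] and len(tok) >= 4:
            level = tok[4] if len(tok) > 4 and tok[4] in V3_LEVELS else "none"
            group_level[tok[3]] = level
            if level != "privacy":
                findings.append(Finding("v3-group-no-privacy", n, f"group {tok[3]} level is {level}"))

        elif tok[1:3] == ["usm-user", "v3"] and len(tok) >= 5:
            v3_users.append((n, tok[3], tok[4]))

    # Users take the security level of their group; resolve once every group is known.
    for n, user, group in v3_users:
        level = group_level.get(group)
        if level is None:
            findings.append(Finding("v3-user-unknown-group", n, f"{user}: group {group} not defined"))
        elif level != "privacy":
            findings.append(Finding("v3-user-no-privacy", n, f"{user}: group {group} level is {level}"))
    return findings


# Constructed sample: v2c left enabled beside v3, one weak group.
SAMPLE_CONFIG = """\
[Quidway]snmp-agent
[Quidway]snmp-agent sys-info version v2c v3
[Quidway]snmp-agent community read public
[Quidway]snmp-agent community write cipher CIPHERTEXT-PLACEHOLDER acl 2001
[Quidway]snmp-agent group v3 monitors authentication
[Quidway]snmp-agent group v3 operators privacy
[Quidway]snmp-agent usm-user v3 alice operators
[Quidway]snmp-agent usm-user v3 bob monitors
"""

# Constructed sample: SNMPv3 only, every user in a privacy group.
HARDENED_CONFIG = """\
[Quidway]snmp-agent
[Quidway]snmp-agent sys-info version v3
[Quidway]snmp-agent group v3 operators privacy
[Quidway]snmp-agent usm-user v3 alice operators
"""

if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```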

2: NTP-Application
Network management: Analysis of logs or debugging information collected from different switches should be performed based on time.
Charging system: requires the clocks of all devices to be consistent.
Completing certain functions: For example, a timed restart of all the switches in a network requires the clocks of all the switches to be consistent.
Several systems working together on the same complicated event: Systems have to take the same clock for reference to ensure a proper sequence of implementation.
Incremental backup between the backup server and clients: Clocks on the backup server and clients should be synchronized.

2: NTP Advantages
– Defining clock accuracy by means of stratum to synchronize the time of network devices in a short time
– Supporting access control and MD5 authentication
– Transmitting packets in unicast, peer, multicast, or broadcast mode

2: NTP Working mode
Mode: How To Work
Unicast Server/Client Mode: The client can be synchronized to the server but the server cannot be synchronized to the client.
Peer Mode: The symmetric active end and symmetric passive end can be synchronized with each other. The clock with a lower stratum is synchronized to the one with a higher stratum.
Broadcast Mode: The server periodically sends clock synchronization packets to the broadcast address 255.255.255.255. The client exchanges messages with the remote server and then synchronizes the local clock.
Multicast Mode: The server periodically sends clock synchronization packets to the multicast address 224.0.1.1. The client exchanges messages with the remote server and then synchronizes the local clock.

2: NTP Configuration(1)
Pre-configuration Tasks:
– Configuring the link layer protocol for the interface
– Configuring an IP address and a routing protocol for the interface to ensure that NTP packets can reach destinations

2: NTP Configuring Information Center
Data Preparation
No. Data
1 Primary NTP clock and its stratum
2 Interfaces to send and receive NTP packets
3 NTP version
4 Preparing the data according to the operation mode
  Server/client mode: IP address of the server and the VPN instance that the server belongs to
  Peer mode: IP address of the symmetric passive end and the VPN instance that it belongs to
  Broadcast mode: interfaces to send and receive broadcast NTP packets and the maximum sessions set up dynamically on the client
  Multicast mode: IP address of the multicast group, the TTL value of the multicast packets, the interfaces to send and receive the multicast packets, and the maximum number of sessions dynamically set up on the client
5 Interface disabled from receiving NTP packets

2: How to configure NTP (1)
1 Configuring the NTP Primary Clock
Step1: [Quidway]ntp-service refclock-master [ ip-address ] [ stratum ]
2 Configuring the Mode (Unicast Server/Client & Peer & Broadcast & Multicast)
3 Disabling the Interface From Receiving NTP Packets
4 (Optional) Setting the Maximum Number of Dynamic NTP Sessions

2: How to configure NTP (2)
1 Configuring the NTP Primary Clock
2 Configuring the Unicast Mode
Client:
Step1: [Quidway]ntp-service source-interface interface-type interface-number
Step2: [Quidway]ntp-service unicast-server ip-address
Server:
Step3: [Quidway]ntp-service source-interface interface-type interface-number
3 Disabling the Interface From Receiving NTP Packets
4 (Optional) Setting the Maximum Number of Dynamic NTP Sessions

2: How to configure NTP (2)
1 Configuring the NTP Primary Clock
2 Configuring the Peer Mode
Symmetric Active End:
Step1: [Quidway]ntp-service source-interface interface-type interface-number
Step2: [Quidway]ntp-service unicast-peer ip-address
Symmetric Passive End:
Step3: [Quidway]ntp-service source-interface interface-type interface-number
3 Disabling the Interface From Receiving NTP Packets
4 (Optional) Setting the Maximum Number of Dynamic NTP Sessions

2: How to configure NTP (2)
1 Configuring the NTP Primary Clock
2 Configuring the Broadcast Mode
Broadcast Server:
Step1: [Quidway]vlan vlan-id
Step2: [Quidway]interface vlanif vlan-id
Step3: [Quidway]ntp-service broadcast-server
Broadcast Client:
Step4: [Quidway]vlan vlan-id
Step5: [Quidway]interface vlanif vlan-id
Step6: [Quidway]ntp-service broadcast-client [ ip-address ]
3 Disabling the Interface From Receiving NTP Packets
4 (Optional) Setting the Maximum Number of Dynamic NTP Sessions

2: How to configure NTP (3)
1 Configuring the NTP Primary Clock
2 Configuring the Multicast Mode
3 Disabling the Interface From Receiving NTP Packets
Step1: [Quidway]vlan vlan-id
Step2: [Quidway]interface vlanif vlan-id
Step3: [Quidway]ntp-service in-interface disable
4 (Optional) Setting the Maximum Number of Dynamic NTP Sessions

2: How to configure NTP (4)
1 Configuring the NTP Primary Clock
2 Configuring the Multicast Mode
3 Disabling the Interface From Receiving NTP Packets
4 (Optional) Setting the Maximum Number of Dynamic NTP Sessions
Step1: [Quidway]ntp-service max-dynamic-sessions number

2: NTP-How to check

2: NTP Reference Information
Protocol: Specification
Basic protocol: RFC 1305
NTP clock synchronization accuracy: LAN: 1ms; WAN: XXms
NTP clock synchronization time: active synchronization of time <= 16s; passive synchronization of time <= 900s
NTP version support: The Version Contain 1—3. S9700 Support Version 3, Compatible version of 1 & 2

3: HGMP-Introduction
The Huawei Group Management Protocol (HGMP) is developed to manage a group of Ethernet switches. By running HGMP, you can appoint a switch as the administrator in a cluster to perform integrated management and configurations over other switches added to the cluster.
Aim:
– Simplifies management
– Saves IP addresses

3: HGMP Character
NDP: In HGMP, Neighbor Discovery Protocol (NDP) packets are used to collect information about the directly connected neighbors, including the device model, software version, hardware version, connection interface, member number, private IP address used for communication within a cluster, and hardware platform.
NTDP: In HGMP, Network Topology Discovery Protocol (NTDP) packets are used to collect information about topologies. According to the neighbor information in the NDP table, the device sends and forwards requests for topology collection, and then collects entries in the NDP table of each device in a certain network segment.

3: HGMP-4 rules
– administrator switch
– member switch
– candidate switch: a device that has the cluster function but does not join any cluster

3: HGMP-Rule transformation
[Diagram: transitions between candidate switch, member switch and administrator switch. Labels: Specifies the administrator switches; Join the cluster; Cancel the Administrator switch; Remove from cluster.]

3: HGMP-Work processes
[Diagram: exchanges between HGMP Client and HGMP Server. Panels: Registration process; State maintenance process; Restore Configure process; Cmd issued process. Message labels: HGMP register (30s); Registration successful; Handshake message (2s); Handshake response; Request configuration; Configuration; Configuration successful; Configuration cmd.]

3: HGMP-Basic cluster management
– Establishment of a cluster management domain
– Addition and deletion of a member
– Status transition of a member
– Communication in the cluster
– Switchover between the administrator switch and the candidate switch
– Display of the topology
– Modification of the cluster management configuration
– Automatic configuration of SNMP
* In HGMP, member switches in a cluster can communicate with devices in the public network through Network Address Translation (NAT). *

3: HGMP-Advantage
– Batch Distribution
– Batch Restart
– Incremental Configuration
– Configuration Synchronization (to FTP Server)
– Security Features
– Plug and Play

3: HGMP-Configuration
Pre-configuration Tasks
– Ensuring that the device is correctly powered on and operates normally
– Configuring basic attributes of interfaces on the device
Data Preparation
No. Data
1 Range of private IP addresses used in the cluster
2 Cluster name
3 Medium access control (MAC) address of the member switch
4 (Optional) Aging time of NDP packets and interval for sending NDP packets
5 (Optional) Range of topology collection, hop delay and interface delay in forwarding NTDP topology request packets, interval for topology collection
6 (Optional) ID of the management VLAN, aging time of NDP packets, interval for sending handshake packets, address of the SNMP host, and IP addresses of the FTP server and the SFTP server

3: How to configure HGMP(1)
1 Configuring NDP & NTDP
Step1: [Quidway] ndp enable
Step2: [Quidway] ndp enable interface
Step3: [Quidway-if] ndp enable
Step4: [Quidway] ndp timer hello interval
Step5: [Quidway] ntdp enable
Step6: [Quidway-if] ntdp enable
2 Creating a Cluster
3 Adding a Member Switch
4 (Optional) Deleting or Quitting a Cluster
5 (Optional) Deleting a Member Switch
*optional*

3: How to configure HGMP(2)
2 Creating a Cluster
Configuring a management VLAN:
Step1: [Quidway] vlan vlan-id
Step2: [Quidway] interface vlanif vlan-id
Step3: [Quidway] cluster
Step4: [Quidway] mngvlanid vlan-id
Enabling the cluster function:
Step1: [Quidway] cluster enable
Creating a cluster:
Manually create
Step1: [Quidway] cluster
Step2: [Quidway] ip-pool administrator-ip-address
Step3: [Quidway] build cluster-name
Automatically create
Step1: [Quidway] cluster
Step2: [Quidway] ip-pool administrator-ip-address
Step3: [Quidway] auto-build

3: How to configure HGMP(3)
1 Configuring NDP & NTDP
2 Creating a Cluster
3 Adding a Member Switch
Manually add
Step1: [Quidway] cluster
Step2: [Quidway] add-member [ member-number ] mac-address mac-address
Automatically add
Step1: [Quidway] cluster
Step2: [Quidway] auto-build [ recover ]
4 (Optional) Deleting or Quitting a Cluster
5 (Optional) Deleting a Member Switch

3: HGMP-check configuration
display cluster-increment-result
display cluster-license
display cluster-topology-info
display increment-command
display increment-synchronization-result
display member-getfile-state
display member-interface-state { ndp | ntdp }
display member-reboot-state
display member-save-state
display synchronization-result

3: HGMP-Configuration example

3: HGMP-Configuration example

4: LLDP
The Link Layer Discovery Protocol (LLDP) is a Layer 2 discovery protocol defined in the IEEE 802.1ab standard.
The Layer 2 discovery protocol precisely discovers the interfaces on each device and obtains connection information between devices. In addition, it displays the paths between clients, switches, routers, application servers, and network servers.
The Layer 2 information helps you:
– quickly know the device topology,
– detect configuration conflicts between devices, and
– locate network faults.

4: LLDP-Diagram

4: LLDP-Mib
LLDP Local System MIB: stores information about the local device, including the device ID, port ID, system name, system description, port description, system capability, and management address.
LLDP Remote System MIB: stores information about neighbor devices, including the device ID, port ID, system name, system description, port description, system capability, and management address.

4: LLDP-Agent
The LLDP agent manages LLDP operations for an interface:
– Maintains information in the LLDP local system MIB.
– Obtains and sends LLDP local system MIB information to neighbor devices when the status of the local device changes. If the local device status remains unchanged, the LLDP agent also obtains and sends LLDP local system MIB information to neighbor devices at intervals.
– Identifies and processes received LLDP packets.
– Maintains information in the LLDP remote system MIB.
– Sends LLDP traps to the NMS when information in the LLDP local system MIB or the LLDP remote system MIB changes.

4: LLDP-Packet format
DA: indicates the destination address of the LLDP packet. It is the multicast address 01-80-C2-00-00-0E.
SA: indicates the bridge MAC address of the neighbor device.
LLDP Ethertype: indicates the LLDP packet type. If a packet contains this field, it is an LLDP packet and it is sent to the LLDP module. The value of this field is 0x88CC.
LLDPDU: indicates the LLDP data unit. It is the major content of an LLDP packet.
FCS: indicates the Frame Check Sequence.

4: LLDP-Application
Three types of networks:
– The network where an interface has only one neighbor
– The network where an interface has multiple neighbors
– The network where link aggregation is configured

4: LLDP-Configuration
Pre-configuration Tasks
– Configuring a reachable route between the switch and the NMS and setting the SNMP
– Configuring an LLDP management address
Data Preparation
No. Data
1 IP address to be set as the LLDP management address
2 (Optional) Interval for sending LLDP packets
3 (Optional) Delay to send LLDP packets
4 (Optional) Hold time multiplier of device information stored on neighbors
5 (Optional) Delay to re-enable the LLDP function on an interface
6 (Optional) Delay to send neighbor change traps to the NMS

4: LLDP-Configuration
Step1: [Quidway] lldp enable
Step3: Disabling LLDP on an Interface *Optional*
Step4: Configuring an LLDP Management Address *Optional*
Step5: Configuring the TLV in the LLDPDU *Optional*
Step6: Configuring LLDP Timers *Optional*
Step7: Enabling the LLDP Trap Function *Optional*
Check:
display lldp local
display lldp neighbor
display lldp neighbor brief
display lldp tlv-config
display lldp statistics

4: LLDP-Configuration example(1)

4: LLDP-Configuration example(2)

4: LLDP-Configuration example(3)

5: Ping
Principle of the ping operation
Format of ICMP Echo Request and Echo Reply messages
The ping command is used to check network connectivity and host reachability. Ping tests IP reachability and the status of the link between the source and the destination by checking whether the destination sends back an ICMP Echo Reply message and measuring the interval between sending the ICMP Echo Request message and receiving the ICMP Echo Reply message.

5: Tracert
Tracert (Trace Route) is used to check the IP addresses and the number of gateways between the source and the destination. Tracert is helpful in testing network reachability and locating faults on the network.
The S9700 implements tracert based on ICMP. Tracert records the gateways that the ICMP message passes along the path between a source host and a destination. In this manner, you can check network connectivity and locate the fault.
71 5: Tracert & Ping Test ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -I interface-type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos-value | -v ] * host tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries | -w timeout ]* host 72 5: Ping ICMP Reference Document ICMP ICMPv6 (ICMPv3) Name Doc ICMP Packet for error RFC 792,RFC 950,RFC 1256 ICMP Packet for request RFC 792,RFC 950,RFC 1256 ICMP Packet for redirect RFC 792,RFC 950,RFC 1256 Network Management MIB RFC 1213 Support ICMP Echo Message RFC 2463 Process Neighbor Discovery RFC 2463 Support IPv6 Redirect RFC 2461 73 Content 1 SNMP 6 NQA 2 NTP 7 AAA 3 HGMP 8 RMON 4 LLDP 9 Syslog 5 Ping&Tracert 10 For IPV6 74 6: NQA-Introduction NQA - Network Quality Analysis NQA measures the performance of each protocol running on the network and helps network operators collect network operation statistics, such as the total HTTP delay, TCP connection delay, file transfer rate, FTP connection delay, Domain Name System (DNS) resolution delay, and DNS resolution error ratio. By collecting these statistics, network operators provide users with network services of various grades. NQA is an efficient tool for diagnosing and locating faults on a network. 75 6: NQA VS Ping By sending an Internet Control Message Protocol (ICMP) Echo-Request packet from the local and expecting an ICMP Echo-Reply packet from the specified destination, the Ping program can test the round-trip time (RTT) of an ICMP packet. In addition to testing the RRT of an ICMP packet between the local and the destination, NQA can detect whether network services, such as TCP, UDP, FTP, HTTP and the SNMP, are enabled and test the response time of each service. 76 6: NQA-Between test instance & server NQA test instance and NQA Client NQA can be used to test many items. 
You must create a test instance for each item and each of these test instances is a type of NQA test. You need to create NQA test instances on NQA clients. Each test instance has an administrator name and an operation tag as unique identification. NQA Server In most types of tests, you need to configure only the NQA clients. In TCP, UDP, and Jitter tests, however, you must configure the NQA server. An NQA server processes the test packets received from the clients. the NQA server responds to the test request packet received from the client through the monitoring function. 77 6: NQA-How to work In most types of tests, you need to configure only the NQA clients. In TCP, UDP, and Jitter tests, however, you must configure the NQA server. An NQA server processes the test packets received from the clients. the NQA server responds to the test request packet received from the client through the monitoring function. 78 6: NQA-Configure instance(ICMP) Pre-configuration Tasks Before configuring the ICMP test, configure reachable routes between the NQA client and the tested device. Data Preparation No. 
Data 1 Administrator name and test name of the NQA test 2 Destination IP address 3 (Optional) Virtual Private Network (VPN) instance name, source interface that sends test packets, source IP address, size of the Echo-Request packets, TTL value, ToS, padding character, interval for sending test packets, and percentage of the failed NQA tests 4 Start mode and end mode 79 6: NQA-Configure instance(ICMP) Step1: [Quidway] Step2: [Quidway] Step3: [Quidway] Step4: [Quidway] Step5: [Quidway] nqa test-instance admin-name test-name test-type icmp destination-address ipv4 ip-address Perform the other ICMP test parameters start * Select the mode * How To Check: display nqa result 80 * Optional* 6: NQA-Configuration example(ICMP) 81 6: NQA-Configuration example(ICMP) 82 6: NQA-Configuration example(ICMP) NQA Client Support: TCP/UDP test HTTP test ICMP test Trace test SNMP test DNS test UDP jitter test LSP Ping test LSP Ping jitter test LSP Trace test FTP test NQA Multicast Ping test 83 Content 1 SNMP 6 NQA 2 NTP 7 AAA 3 HGMP 8 RMON 4 LLDP 9 Syslog 5 Ping&Tracert 10 For IPV6 84 7: AAA-Introduction Authentication: determines the users who can access the network Authorization: authorizes the users who can use certain services Accounting: records the usage of network resources. Performing AAA for access users * On the S9700, AAA is mainly used to authenticate and authorize the users who log in to the S9700 for system configuration. does not support accounting * 85 7: AAA-Authentication The S9700 provides authentication schemes in the following modes: Non-authentication: In this mode, the S9700 does not authenticate user validity when users are trusted. This mode is not adopted in other scenarios. Local authentication: In this mode, user information such as user names, passwords, and other attributes is configured on theS9700. The S9700 authenticates users according to the information. 
In local authentication mode, processing is fast, but the amount of information that can be stored is limited by the hardware.
Remote authentication: In this mode, user information such as user names, passwords, and other attributes is configured on an authentication server. The S9700 functions as the client and communicates with the authentication server through the RADIUS or HWTACACS protocol.

7: AAA-Authorization
The S9700 provides authorization schemes in the following modes:
Non-authorization: completely trusts users and directly authorizes them.
Local authorization: authorizes users according to the configured attributes of local user accounts on the S9700.
Remote authorization: the S9700 functions as the client and communicates with the authorization server through HWTACACS.
If-authenticated authorization: authorizes users after they pass authentication in local or remote authentication mode.

7: AAA-Accounting
The S9700 provides the following accounting modes:
None: Users are not charged.
RADIUS accounting: The S9700 sends the accounting packets to the RADIUS server, which then performs accounting.
HWTACACS accounting: The S9700 sends the accounting packets to the HWTACACS server, which then performs accounting.

7: Configuring AAA
Applicable Environment: The AAA schemes of the S9700 consist of the authentication scheme, authorization scheme, accounting scheme, and recording scheme.
Pre-configuration Tasks: None
Data Preparation:
No. | Data
1 | Name of the authentication scheme and authentication mode
2 | Name of the authorization scheme, authorization mode, (optional) user level in command-line-based authorization mode on the HWTACACS server, and (optional) timeout interval for command-line-based authorization
3 | Name of the accounting scheme and accounting mode
4 | (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording scheme, and recording policy used to record events

7: How to configure AAA(1)
1 Configuring an Authentication Scheme
Step1: [Quidway]aaa
Step2: [Quidway]authentication-scheme authentication-scheme-name
Step3: [Quidway]authentication-mode { hwtacacs | radius | local }*[ none ]
Step4: [Quidway]authentication-super { hwtacacs | super }* [ none ]
       [Quidway]authentication-super none

7: How to configure AAA(2)
2 Configuring an Authorization Scheme
Step1: [Quidway]aaa
Step2: [Quidway]authorization-scheme authorization-scheme-name
Step3: [Quidway]authorization-mode [ hwtacacs ] { if-authenticated | local | none }
Step4: authorization-cmd privilege-level hwtacacs [ local ] *optional*

7: How to configure AAA(3)
3 Configuring an Accounting Scheme
Step1: [Quidway]aaa
Step2: [Quidway]accounting-scheme accounting-scheme-name
Step3: [Quidway]accounting-mode { hwtacacs | radius | none }
Step4: [Quidway]accounting realtime interval *optional*
Step5: [Quidway]accounting start-fail { online | offline } *optional*
Step6: [Quidway]accounting interim-fail [ max-times times ] { online | offline } *optional*

7: How to configure AAA(4)
4 Configuring a Recording Scheme
Step1: [Quidway]hwtacacs-server template
Step2: [Quidway]aaa
Step3: [Quidway]recording-scheme recording-scheme-name
Step4: [Quidway]recording-mode hwtacacs template-name
Step5: [Quidway]cmd recording-scheme recording-scheme-name
Step6: [Quidway]outbound recording-scheme recording-scheme-name
Step7: [Quidway]system recording-scheme recording-scheme-name

7: AAA-Radius Introduction
In remote authentication and remote authorization, the S9700 serves as the RADIUS client and transfers the user's authentication and authorization information to the RADIUS server. The RADIUS protocol defines how user information is transferred between the RADIUS client and the RADIUS server. The messages exchanged between the RADIUS client and the RADIUS server are encrypted before being sent.

7: AAA-Configuring RADIUS
Applicable Environment: In remote authentication or authorization mode, you need to configure a server template as required. You need to configure a RADIUS server template if RADIUS is used in the authentication scheme.
Pre-configuration Tasks: None
Data Preparation:
No. | Data
1 | IP address of the RADIUS authentication server
2 | IP address of the RADIUS accounting server
3 | (Optional) Shared key of the RADIUS server
4 | (Optional) User name format supported by the RADIUS server
5 | (Optional) Traffic unit of the RADIUS server
6 | (Optional) Timeout interval for a RADIUS server to send response packets and number of times for retransmitting request packets on a RADIUS server
7 | (Optional) Format of the NAS port attribute of the RADIUS server

7: AAA-Configuring RADIUS
Step1: [Quidway]radius-server template template-name
Step2: [Quidway]radius-server authentication ip-address port (secondary)
Step3: [Quidway]radius-server accounting ip-address port (secondary)
Step4: [Quidway]radius-server authorization ip-address
The following steps are optional:
Step5: [Quidway]radius-server shared-key [ cipher | simple ] key-string *default is huawei*
Step6: [Quidway]radius-server user-name domain-included
Step7: [Quidway]radius-server traffic-unit { byte | kbyte | mbyte | gbyte }
Step8: [Quidway]radius-server timeout timeout
Step9: [Quidway]radius-server retransmit retry-times
Step10: [Quidway]radius-server nas-port-format { new | old }
        radius-server nas-port-id-format { new | old } *For Ethernet access users or ADSL access users*

7: AAA-How to check RADIUS
display radius-server configuration

7: HWTACACS-Introduction
HWTACACS is a security protocol and an extension of TACACS, which is defined in RFC1492. The process of transmitting HWTACACS messages is similar to that of transmitting RADIUS messages. The difference is that, after the user passes authentication, the HWTACACS server sends an authentication acknowledgement packet rather than the user authority. The user authority is returned only after the authorization process is complete. HWTACACS authorizes users using the command line.
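A configuration review of the AAA scheme and RADIUS template commands above, as an added example (it is not Huawei's code and not part of the original slides). The Python script checks a constructed configuration excerpt for `none` in the authentication, authorization and accounting modes, for a `simple` (readable) shared key, and for the default key `huawei`, including the case where a template sets no key at all. The excerpt, the rule names and the function names are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed configuration excerpt (not taken from a real device). It uses only
# commands shown on the slides; names and addresses are made up.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme mgmt-auth
  authentication-mode radius none
  authentication-super none
 authorization-scheme mgmt-author
  authorization-mode hwtacacs if-authenticated
 accounting-scheme mgmt-acct
  accounting-mode none
radius-server template rd1
 radius-server authentication 192.0.2.10 1812
 radius-server shared-key simple huawei
radius-server template rd2
 radius-server authentication 192.0.2.11 1812
radius-server template rd3
 radius-server authentication 192.0.2.12 1812
 radius-server shared-key cipher CONSTRUCTED-CIPHERTEXT
"""

DEFAULT_KEY = "huawei"  # default shared key stated on the RADIUS slide
CONTEXT_RE = re.compile(
    r"^(authentication-scheme|authorization-scheme|accounting-scheme|"
    r"radius-server template)\s+(\S+)$")
MODE_CMDS = {"authentication-mode", "authentication-super", "authorization-mode"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    context: str
    rule: str


def audit(config: str) -> list:
    """Return Finding objects for weak AAA/RADIUS settings, ordered by line."""
    findings = []
    context = "(global)"
    templates = {}  # template context -> [line_no, shared_key_seen]
    for line_no, raw in enumerate(config.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        match = CONTEXT_RE.match(" ".join(tokens))
        if match:
            context = f"{match.group(1)} {match.group(2)}"
            if match.group(1) == "radius-server template":
                templates[context] = [line_no, False]
            continue
        if not raw[0].isspace():
            context = "(global)"  # an unindented command leaves the view
        cmd, args = tokens[0], tokens[1:]
        if cmd in MODE_CMDS and "none" in args:
            # Assumption: modes are tried in the order listed, so "none" after
            # other modes is what applies when those modes give no response.
            rule = "NONE_ONLY" if args == ["none"] else "NONE_FALLBACK"
            findings.append(Finding(line_no, context, f"{cmd}:{rule}"))
        elif cmd == "accounting-mode" and args == ["none"]:
            findings.append(Finding(line_no, context, "accounting-mode:NONE_ONLY"))
        elif tokens[:2] == ["radius-server", "shared-key"] and len(tokens) > 2:
            if context in templates:
                templates[context][1] = True
            storage = tokens[2] if tokens[2] in ("cipher", "simple") else None
            key = tokens[3] if storage and len(tokens) > 3 else tokens[2]
            if storage == "simple":
                findings.append(Finding(line_no, context, "shared-key:PLAINTEXT"))
            # Ciphertext cannot be compared with the default key.
            if storage != "cipher" and key == DEFAULT_KEY:
                findings.append(Finding(line_no, context, "shared-key:DEFAULT"))
    # A template with no shared-key line keeps the default key.
    for name, (line_no, key_seen) in templates.items():
        if not key_seen:
            findings.append(Finding(line_no, name, "shared-key:DEFAULT_IMPLICIT"))
    return sorted(findings, key=lambda f: f.line_no)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"line {finding.line_no:>2}  {finding.context:<32} {finding.rule}")
```

Run against a saved configuration, the findings point at the scheme or template that needs a real authentication mode or a non-default key stored with `cipher`.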
[Figure: (1) Process of command-line-based authorization supported by HWTACACS; (2) Process of upgrading the HWTACACS user level]

7: RADIUS VS HWTACACS

7: Configure HWTACACS
Applicable Environment: In remote authentication or authorization mode, you need to configure a server template as required. You need to configure an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme.
Pre-configuration Tasks: None
Data Preparation:
No. | Data
1 | Name of the HWTACACS server template
2 | IP addresses of HWTACACS AAA servers
3 | (Optional) Source IP address of the HWTACACS server
4 | (Optional) Shared key of the HWTACACS server
5 | (Optional) User name format supported by the HWTACACS server
6 | (Optional) Traffic unit of the HWTACACS server
7 | (Optional) Timeout interval for the HWTACACS server to send response packets and time when the primary HWTACACS server is restored to the active state

7: AAA-How to check HWTACACS
display hwtacacs-server template huawei

7: RADIUS-Configuration example(1)
7: RADIUS-Configuration example(2)
7: HWTACACS-Configuration example(1)
7: HWTACACS-Configuration example(2)

7: AAA-References
Description | Document
Generic AAA Architecture | RFC 2093
AAA Authorization Framework | RFC 2094
AAA Authorization Application Examples | RFC 2095
AAA Authorization Requirements | RFC 2096
Remote Authentication Dial In User Service (RADIUS) | RFC 2058, RFC 2138, RFC 2865
RADIUS Accounting | RFC 2059, RFC 2139, RFC 2866
RADIUS Extensions | RFC 2869
TACACS user identification Telnet option | RFC 0927
An Access Control Protocol, Sometimes Called TACACS | RFC 1492

8: RMON
RMON (Remote Network Monitoring) is a protocol for monitoring Ethernet interfaces. It is implemented on top of SNMP. Two concepts are involved in RMON: the Network Management Workstation (NM Station) and the agent.
An RMON agent collects statistics on the various kinds of traffic in a network. Compared with SNMP, RMON monitors remote network devices more efficiently and actively. It provides an efficient way to monitor the running of sub-networks, which reduces the communication traffic between the NM Station and the agent. Large networks can thus be managed in a simple and effective manner.

8: RMON
RMON allows multiple monitors. It collects data in the following ways:
- Use a dedicated RMON Probe. This ensures that the NM Station can obtain overall information on the RMON MIB.
- Embed an RMON agent into a network device (a switch, for example) to give the device RMON Probe capability. In this case the NM Station collects information on only four groups (alarm, event, history, and statistics) and not the complete information on the RMON MIB.
*Currently, the S9700 implements the monitoring and statistics collection function only on the Ethernet interfaces of network devices.*

8: RMON
RMON MIB includes 9 groups of data (RFC2819)
No. | Group | Function
1 | Hosts group |
2 | Hosts TopN group |
3 | Matrix group |
4 | Filter group |
5 | Capture group |
6 | Statistic group | Collects the basic statistics of each monitored subnetwork
7 | History group | Collects the network state statistics and stores them for future reference
8 | Alarm group | The alarms are re-generated if the sampling value returns to the normal threshold.
9 | Event group | Stores all the events generated by the RMON agent in a table
10 | Performance-MIB | HUAWEI private
S9700 Support (marked with a brace on the slide)

8: Configuring RMON
Applicable Environment: To monitor network status and collect traffic statistics on a network segment, you can configure RMON.
Pre-configuration Tasks: Configuring parameters for Ethernet interfaces; configuring basic SNMP functions
Data Preparation:
No. | Data
1 | Interface on which the statistics function is enabled
2 | Statistics table to be used and related parameters
3 | HistoryControl table to be used and related parameters
4 | Event table to be used and related parameters
5 | Alarm table to be used and related parameters
6 | Prialarm table to be used and related parameters

8: Configuring RMON
Procedure:
Enable SNMP
Step1: [Quidway]snmp-agent trap enable
Step2: [Quidway]snmp-agent target-host trap address udp-domain ip-address params securityname public
Enable RMON
Step3: [Switch-if] rmon-statistics enable
Config 5 Groups
Step4: rmon statistics entry-number [ owner owner-name]
Step5: rmon history entry-number buckets number interval sampling-interval
Step6: rmon event entry-number
Step7: rmon alarm entry-number alarm-OID sampling-time
Step8: rmon prialarm entry-number prialarm-formula description-string sampling-interval

8: How to check RMON(1)
display rmon statistics
display rmon history

8: How to check RMON(2)
display rmon event
display rmon eventlog

8: How to check RMON(3)
display rmon alarm
display rmon prialarm

8: RMON2 VS RMON
RMON2 is one of the RMON MIB standards. It functions as a supplement to RMON and adds some new groups. RMON monitors traffic only at the MAC layer, whereas RMON2 can monitor traffic at the MAC layer and above. RMON2 provides the following functions:
- Monitors traffic based on network layer protocols and addresses, including the IP protocol.
- Records the incoming and outgoing traffic of a specific application, because it is capable of decoding and monitoring the traffic of applications such as email, FTP, and WWW.
[Figure: OSI layers 7 to 1 and the layers monitored by RMON2 and by RMON]

8: RMON2
RMON2 MIB includes 9 groups of data
No. | Group | Function
1 | Protocol Directory | A simple and interoperable way for an RMON2 application to establish which protocols a particular RMON2 agent implements. This is especially important when the application and the agent are from different vendors.
2 | Network Layer host | Network host (IP layer) statistics
3 | Address mapping |
4 | Protocol Distribution |
5 | Network layer matrix |
6 | Application layer host |
7 | Application layer matrix |
8 | User history |
9 | Probe configuration |

8: Configuring RMON2
Applicable Environment: By configuring RMON2, you can monitor the traffic on an Ethernet interface that connects to the network, analyze which hosts the data on the interface comes from and goes to, and collect statistics on the data passing through the interface from each host on the network.
Pre-configuration Tasks: Configuring parameters for Ethernet interfaces
Data Preparation:
No. | Data
1 | Values of the hlHostControlDataSource and hlHostControlStatus in the hlHostControlTable
2 | Values of the protocolDirDescr and protocolDirHostConfig in the protocolDirTable

8: Configuring & check RMON2(1)
Procedure:
Step1: [Quidway]rmon2 hlhostcontroltable index ctrl-index
How to check:
<Quidway>display rmon2 hlhostcontroltable
<Quidway>display rmon2 nlhosttable

8: Configuring & check RMON2(2)
Procedure:
Step2: rmon2 protocoldirtable protocoldirid protocol-id parameter parameter-value
How to check:
<Quidway>display rmon2 protocoldirtable

9: Syslog
Introduction of Information Center
The information center works as the information hub of the S9700. By classifying and filtering output information, the information center helps network administrators and developers monitor network operation and analyze network faults. The information center receives and processes the following information types:
- Log information
- Debugging information
- Trap information or alarm information

9: Syslog
Functions of the information center
*The information center supports ten channels, among which Channel 0 to Channel 5 have default channel names. By default, these six information channels are each associated with one of six output directions.*

9: Introduce Syslog
While the equipment is running, the log function in the host software records the state of the host; this is log information. Log information is mainly used to view the operational status of devices, analyze network status, and locate the cause of problems, providing a basis for diagnosis and maintenance of the system.
The log information is stored in the cache of the host. It can be used in the following ways:
1. Log in to the host through the console or Telnet and run the display logbuffer command.
2. Send the log information from the host to a Syslog server through the syslog protocol.

9: Syslog
The format of log information:
Field | Description
Timestamp | “Mmm dd hh:mm:ss yyyy”
Hostname | Default “Quidway”
Huawei ID | “%%” is the HUAWEI company identifier
Version | “dd” identifies the version of the log format, starting from “01”
Module name | Indicates the module that generated the log
Severity | The log level is divided into 8 levels, from 0 to 7
Brief | A summary of the contents of the information
Log Flag | “(1)” identifies the information as log information
Description | Describes the specific contents of the log in detail
* The syslog protocol uses UDP port 514.

9: Syslog
Information has eight severity levels
Log level | Define | Description
0 | Emergency | System is unusable.
1 | Alert | Action must be taken immediately.
2 | Critical | Critical conditions.
3 | Errors | Error conditions.
4 | Warnings | Warning conditions.
5 | Notifications | Normal but significant condition.
6 | Informational | Informational messages.
7 | Debug | Debug-level messages.
*When the information is filtered based on its severity level, only the information whose severity level is lower than or equal to the configured threshold is output.*

9: Configuring Information Center
Applicable Environment: To collect debugging, log, or trap information while the S9700 is running, and to output the information to the terminal for display or to the buffer or host for storage, you need to configure the information center.
Pre-configuration Tasks: None
Data Preparation:
No. | Data
1 | (Optional) Numbers and names of information channels
2 | (Optional) Format of the timestamp
3 | (Optional) Severity level
4 | (Optional) Language used in log information and the address of the log host
5 | (Optional) Size of the log buffer and the trap buffer

9: Configuring Information Center
Procedure:
Step1 (Enable the info center): [Quidway]info-center enable
Step2 ((Optional) Naming the information channel): [Quidway]info-center channel channel-number name channel-name
Step3 (Add information to the information channel): [Switch-if] info-center source { module-name | default } channel
Step4 ((Optional) Setting the Timestamp Format): info-center timestamp { { debugging | trap } { boot | date | none | short-date } | { log | { boot | date | format-date | none | short-date } }

9: Configuring Information Output Modes
Applicable Environment: After the information center is configured, to output log information, trap information, and debugging information to the terminal for display or to the buffer or host for storage, you need to configure the information output mode of the information center.
Pre-configuration Tasks: None
Data Preparation:
No. | Data
1 | (Optional) Numbers and names of information channels
2 | (Optional) Language used in log information and the address of the log host
3 | (Optional) Size of the log buffer and the trap buffer

9: How to configure output modes
1 Outputting information to the console
Step1: [Quidway]info-center console channel
Step2: <Switch> terminal monitor
Step3: <Switch> terminal { debugging | logging | trapping }
2 Outputting information to the Telnet terminal
Step1: [Quidway]info-center monitor channel { channel-number | channel-name }
Step2: <Switch> terminal monitor
Step3: <Switch> terminal { debugging | logging | trapping }
3 Outputting information to the SNMP Agent
Step1: [Quidway]info-center snmp channel
Step2: [Quidway]snmp-agent
4 Outputting information to the Log Buffer
Step1: [Quidway]info-center logbuffer [ channel { channel-number | channel-name } | size buffer-size ]
5 Outputting information to the Trap Buffer
Step1: [Quidway]info-center trapbuffer [ channel { channel-number | channel-name } | size buffer-size ]
6 Outputting information to the Log Host
Step1: [Quidway]info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ]
Step2: [Quidway]info-center loghost source interface-type interface-number

9: Check output modes
How to check:
<Quidway> display info-center statistics

9: Example for Outputting Logs to the Log File
9: Example for Outputting Logs to Log Hosts
9: Example for Outputting Alarms to the SNMP Agent

10: Why IPV6
IPV4's deficiencies:
1. The IPV4 address space is insufficient;
2. The number of routing table entries maintained by backbone routers is too large;
3. Automatic configuration and re-addressing are not easy;
4. It cannot solve the increasingly prominent security issues.
IPV6's advantages:
1. Uses a 128-bit address structure, which provides sufficient address space;
2. Hierarchical network structure that improves routing efficiency;
3. The IPV6 packet header is succinct, flexible, more efficient, and extensible;
4. Supports auto configuration and plug-and-play;
5. Supports end-to-end security;
6. Supports mobility;
7. Supports the flow label feature, which is more conducive to QoS.

10: Management feature for IPV6
HUAWEI SX7 series switches support management features for IPV6, such as:
No. | Feature
1 | SNMP for IPV6
2 | SSH for IPV6
3 | IPV6 MIB
4 | Ping6
5 | Tracert6
6 | FTP for IPV6
7 | TFTP for IPV6
8 | Telnet for IPV6

10: SX7 series support SNMP for IPV6
SNMP for IPV6 consists of the following functions:
Function | Description
Read SNMP packet | Reads and processes SNMP packets based on IPV4 and IPV6 at the same time. The two kinds of packets work independently of each other, so the switches can run in an all-IPV6 environment or in a mixed IPV6 and IPV4 environment.
Send IPV6 based trap | Provides a command line to configure an IPV6-based NM host so that traps can be sent to this NM host over the IPV6 protocol.
Track or record the SNMP IPV6 packets | No additional command line is provided to configure SNMP IPV6 packet tracking. SNMP IPV6 and SNMP IPV4 use the same command, and the display adjusts to the protocol automatically.
[Figure: Command line for configuring the IPV6 trap]

10: SX7 series support IPV6 MIB
Principle description: The HUAWEI IPV6 MIB is developed based on RFC2465. The IPv6 General group consists of 6 tables:
- ipv6IfTable: The IPv6 Interfaces table contains information on the entity's IPv6 interfaces.
- ipv6IfStatsTable: This table contains information on the traffic statistics of the entity's IPv6 interfaces.
- ipv6AddrPrefixTable: The IPv6 Address Prefix table contains information on Address Prefixes that are associated with the entity's IPv6 interfaces.
- ipv6AddrTable: This table contains the addressing information relevant to the entity's IPv6 interfaces.
- ipv6RouteTable: The IPv6 routing table contains an entry for each valid IPv6 unicast route that can be used for packet forwarding determination.
- ipv6NetToMediaTable: The IPv6 address translation table contains the IPv6 Address to 'physical' address equivalencies.

10: SX7 series support IPV6 features
Other management features: The SX7 series supports other management features for IPV6, such as SSH for IPV6, Ping6, Tracert6, FTP for IPV6, TFTP for IPV6, and Telnet for IPV6.
All these features are implemented in the same way as for IPV4; the difference is that the IPV6 features are based on the IPV6 protocol and the packets use the IPV6 header.

Summary
SNMP (If the NM station and managed device are both Huawei products, follow the procedure described in Enabling the SNMP Extended Error Code Function to allow the device to send more types of error codes. This allows more specific error identification and facilitates fault location and rectification.)
HGMP (HUAWEI group management protocol)

Copyright©2012 Huawei Technologies Co., Ltd. All Rights Reserved.
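A parser for the log format and the severity filtering rule described in the Syslog section, as an added example (it is not Huawei's code and not part of the original slides). The field order follows the format slide; the "/" separators, the optional "[n]" counter and the ":" before the description are assumptions, the flag is accepted as "(1)" as printed on the slide or as the letter "l", and the sample lines and function names are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SEVERITY = ["Emergency", "Alert", "Critical", "Errors", "Warnings",
            "Notifications", "Informational", "Debug"]  # levels 0..7
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Field order follows the slide; the punctuation between fields is assumed.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+(?P<year>\d{4})\s+"
    r"(?P<host>\S+)\s+%%(?P<ver>\d{2})(?P<module>[A-Za-z0-9_-]+)/"
    r"(?P<sev>[0-7])/(?P<brief>[A-Za-z0-9_-]+)\((?P<flag>[l1])\)"
    r"(?:\[\d+\])?:\s*(?P<desc>.*)$")

# Constructed sample lines (module names, briefs and addresses are made up).
SAMPLE_LINES = [
    "Mar  5 14:02:11 2012 Quidway %%01SHELL/5/LOGIN(l):User admin logged in from 192.0.2.50.",
    "Mar  5 14:03:40 2012 Quidway %%01SHELL/4/LOGINFAILED(l)[7]:Failed to log in from 192.0.2.77.",
    "Mar  5 14:05:02 2012 Quidway %%01IFNET/2/LINKDOWN(1):Interface link is down.",
    "Mar  5 14:06:19 2012 Quidway %%01RDS/6/ACCTINFO(l):Accounting packet sent.",
    "Feb 30 09:00:00 2012 Quidway %%01SHELL/5/LOGIN(l):Impossible date.",
    "garbage line without the %% marker",
]


@dataclass(frozen=True)
class LogRecord:
    timestamp: datetime
    hostname: str
    version: str
    module: str
    severity: int
    brief: str
    description: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one log line; return None when it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m or m["mon"] not in MONTHS:
        return None
    try:
        ts = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                      int(m["h"]), int(m["m"]), int(m["s"]))
    except ValueError:  # for example "Feb 30" or hour 25
        return None
    return LogRecord(ts, m["host"], m["ver"], m["module"], int(m["sev"]),
                     m["brief"], m["desc"])


def triage(lines, threshold: int):
    """Split lines into (kept, dropped, unparsed) for a severity threshold.

    A record is kept when its level is lower than or equal to the threshold,
    which is the filtering rule stated on the severity slide.
    """
    kept, dropped, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # keep for review instead of discarding
        elif rec.severity <= threshold:
            kept.append(rec)
        else:
            dropped.append(rec)
    return kept, dropped, unparsed


if __name__ == "__main__":
    kept, dropped, unparsed = triage(SAMPLE_LINES, threshold=4)
    for rec in kept:
        print(rec.timestamp, rec.module, SEVERITY[rec.severity], rec.brief)
    print(f"{len(dropped)} below threshold, {len(unparsed)} unparsed")
```

Lines that do not parse are returned separately so that a log host can count them; a rising number of unparsed lines usually means the assumed layout does not match what the device actually sends.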