Monitor communication channels on HP MSR NG routers

    - Meet me! Alice, this is pudding! Pudding, this is Alice! Take it away! ...
    Well, you’ve just been introduced, and you are already at it with a knife!
    (c) Lewis Carroll. Alice in Wonderland

    A year has passed since HP refreshed its line of enterprise-class HP MSR routers. The new routers are called next-generation routers, or MSR NG. From a hardware point of view these are completely new devices, with multi-core processors and a built-in encryption accelerator, a PCIe 2.0 bus, and noticeably more RAM and flash memory. First of all, the new hardware platform gave a multiple increase in performance, which helped HP overtake many well-known fellow vendors. Of course, to realize this performance the operating system had to be seriously redesigned; it is still called HP Comware, but it is now at version 7. With this OS, in addition to improved reliability and performance, many new functions have appeared, such as:
    With this article, we begin to introduce readers of our blog to the HP MSR NG routers and the new functionality of the HP Comware 7 operating system. The first article in the series works through a common task: monitoring communication channels with an HP MSR NG router.

    So, we solve the problem of monitoring the availability of a communication channel using ICMP echo requests, or, in simple terms, “pings”. If the service is unavailable, we inform the administrator of the state change by all available means: we send an SNMP trap to the management system, a syslog message with arbitrary content to the syslog server, and an email through the ESMTP server. Other actions, such as switching to the backup channel and changing the configuration, can be added like salt and sugar, to taste. The configuration can be run on the HP Network Simulator, but for a change we will use the HP VSR1000 virtual router, which anyone can download. The router supports the VMware ESXi and Linux KVM virtualization platforms, but for our purposes it can also be run on VMware Workstation version 10 and even on VMware Player. Virtual machine requirements:
    • Processor: one vCPU (main frequency ≥ 2.0 GHz);
    • Memory: 1 GB;
    • Hard disk: one vHD, 8 GB;
    • Network interface card: at least two virtual NICs; up to 16 virtual NICs are supported;
    • Virtual NIC types: E1000 (VMware ESXi and Linux KVM), VMXNET3 (VMware ESXi), VirtIO (Linux KVM), Intel 82599 VF (VMware ESXi and Linux KVM).
    The requirements, as we can see, are far from sky-high by modern standards, which lets us run a pair of routers and work out the configuration directly on a work laptop. The downloaded distribution contains three files, with the following extensions:
    • “.ipe” - Comware 7 software for upgrading an already running router;
    • “.iso” - an image for installing the software on a virtual machine yourself;
    • “.ova” - a ready-made virtual machine image with HP VSR1000 installed.
    We will use the ready-made OVA image and build the following network diagram in a virtual environment: [image: network diagram]
    The process of installing the HP VSR1000 router on VMware Player is extremely simple and intuitive.
    After installing the routers and setting up the VMware network environment according to our diagram, we start the virtual machines and perform the initial configuration, which gives us the usual access from a terminal program over SSH. How to install HP VSR, build the lab in VMware Player and perform the initial configuration is shown in the video.
    Now that we’ve got the usual access via SSH, we’ll move on to solving our problem. We will need to configure two functions - Network quality analyzer (or NQA for short) and Embedded Automation Architecture (EAA).
    Network quality analyzer (NQA) is a feature that measures the parameters of the data network for various types of applications. Monitoring of the following applications is supported:
    • ICMP echo;
    • DHCP;
    • DNS;
    • FTP;
    • HTTP;
    • UDP jitter;
    • SNMP;
    • TCP;
    • UDP echo;
    • Voice;
    • Path jitter;
    • DLSw.

    This functionality works as follows: the probing router, or NQA client in HP terms, forms a request packet and sends it to a remote device (the NQA destination device), which responds to the probe requests. For TCP, UDP echo, UDP jitter and voice monitoring, the responder must be an HP router (NQA server); other network devices can respond to the other types of requests.
    In our example, we will look at NQA testing a channel with ICMP echo requests. The VSR1000-1 router that monitors the channel “pings” the specified IP address (in our case, HP VSR1000-2) and, based on the responses received, draws a conclusion about whether the channel is working.
    The router allows you to set the following parameters: [image: NQA probe parameters]
    Configuring an NQA probe that every 30 seconds sends 5 ICMP echo requests to the IP address 192.168.1.2, each 1024 bytes in size, with the IP ToS field set to “A0” (DSCP 40), and waits 0.5 seconds for a response looks like this on the router:

    [VSR1000-1] nqa entry icmp 1
    [VSR1000-1-nqa-icmp-1] type icmp-echo
    [VSR1000-1-nqa-icmp-1-icmp-echo] description === Test1 ===
    [VSR1000-1-nqa-icmp-1-icmp-echo] destination ip 192.168.1.2
    [VSR1000-1-nqa-icmp-1-icmp-echo] frequency 30000
    [VSR1000-1-nqa-icmp-1-icmp-echo] data-size 1024
    [VSR1000-1-nqa-icmp-1-icmp-echo] tos 160
    [VSR1000-1-nqa-icmp-1-icmp-echo] probe count 5
    [VSR1000-1-nqa-icmp-1-icmp-echo] probe timeout 500

    Next, we need to define how the router reacts to the results of testing the communication channel. In our example, we treat three consecutive missing responses to the sent “pings” as a failure of the communication channel. Here we solve the first of our tasks: we make the router generate an SNMP trap both when the threshold of 3 consecutive lost responses is reached and when the number of losses drops back below the specified value:

    [VSR1000-1-nqa-icmp-1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trap-only

    We got the following NQA configuration:

    [VSR1000-1] display current-configuration configuration nqa
    #
    nqa entry icmp 1
    type icmp-echo
    data-size 1024
    description === Test1 ===
    destination ip 192.168.1.2
    frequency 30000
    probe count 5
    probe timeout 500
    reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trap-only
    source ip 192.168.1.1
    tos 160
    #

    For the router to be able to send SNMP traps, we need to specify the SNMP protocol version, the IP address of the management station and the securityname:

    [VSR1000-1] snmp-agent sys-info version v2c
    [VSR1000-1] snmp-agent target-host trap address udp-domain 172.16.1.100 params securityname public v2c

    We also set up an SNMP community for reading; we will need it in the next steps, when we look for the SNMP object that corresponds to this NQA entry:

    [VSR1000-1] snmp-agent community read simple public

    You can run our probe:

    [VSR1000-1] nqa schedule icmp 1 start-time now lifetime forever

    Now, on detecting a change in the state of the communication channel, the router will send an SNMP message to the IP address 172.16.1.100.
    You can watch the configuration process live by following the link.
    We turn to the second part of the task: making our device generate a syslog message that duplicates the SNMP trap. To do this, we will use the integrated automation system, HP EAA (Embedded Automation Architecture). The general EAA architecture is shown in the figure: [image: EAA architecture]
    This functionality allows the device to register various events, such as a command being entered, a given syslog message appearing, a new module being installed in the router, and many others. Based on the registered event, the router can perform various actions:
    • execute a set of commands;
    • send a syslog message;
    • switch between the primary and backup control modules;
    • reboot the router with or without saving the configuration.
    These actions can be carried out either by a CLI script or by a script written in Tcl version 8.5.
    To generate syslog messages we will use two Tcl scripts. The first one will register the change of the SNMP OID of the corresponding NQA probe from the “overThreshold (2)” state to the “belowThreshold (3)” state, which corresponds to the communication channel going from the failed state to the working state, and send a syslog message saying that our channel is available. The second one will register the reverse change of the NQA probe, namely the transition from the “belowThreshold (3)” state to the “overThreshold (2)” state, which corresponds to the communication channel going from the working state to the failed state, and send a syslog message saying that our channel has failed.
    The first problem an inquisitive administrator runs into on the way to implementing this plan is finding the SNMP OID that holds the state of the configured NQA entry. To solve it, we need the MIB library, available for download at MIBs_V7, and any MIB browser (I used the free iReasoning MIB Browser Personal Edition). From this library, load the MIB named “hh3c-nqa.mib” into the MIB browser. In the MIB browser, find the “hh3cNqaReactCurrentStatus” object and run the “Get Subtree” command, having first specified the IP address of our router (172.16.1.1) and the community (“public”). In response, we get the desired object; in my case it is SNMP OID .1.3.6.1.4.1.25506.8.3.1.13.1.11.4.105.99.109.112.1.49.1.
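
    The instance part of that OID can be read directly: after the column prefix come the length-prefixed ASCII strings "icmp" and "1" from `nqa entry icmp 1`, followed by the reaction number. The sketch below is an added example, not part of the original article or HP's tooling; the function names are hypothetical and the column prefix is copied from the OID above.

```python
# Added example: build and decode the instance OID for hh3cNqaReactCurrentStatus.
# The column prefix is taken from the OID shown in the article, not from the MIB file.
REACT_STATUS_COLUMN = "1.3.6.1.4.1.25506.8.3.1.13.1.11"


def _encode_str(text):
    """Encode a string index as <length>.<byte>.<byte>... sub-identifiers."""
    data = text.encode("ascii")
    return [len(data)] + list(data)


def react_status_oid(admin_name, tag, reaction_id):
    """OID of the reaction status for `nqa entry <admin_name> <tag>`, `reaction <id>`."""
    index = _encode_str(admin_name) + _encode_str(tag) + [reaction_id]
    return REACT_STATUS_COLUMN + "." + ".".join(str(arc) for arc in index)


def decode_react_status_oid(oid):
    """Return (admin_name, tag, reaction_id) for an instance OID, or raise ValueError."""
    oid = oid.strip().lstrip(".")
    prefix = REACT_STATUS_COLUMN + "."
    if not oid.startswith(prefix):
        raise ValueError("not an instance of the reaction status column")
    arcs = [int(arc) for arc in oid[len(prefix):].split(".")]
    fields, pos = [], 0
    for _ in range(2):  # two string indexes: admin name, then operation tag
        if pos >= len(arcs):
            raise ValueError("index is truncated")
        length = arcs[pos]
        chunk = arcs[pos + 1:pos + 1 + length]
        if len(chunk) != length:
            raise ValueError("string index is shorter than its length prefix")
        fields.append(bytes(chunk).decode("ascii"))
        pos += 1 + length
    if len(arcs) - pos != 1:
        raise ValueError("expected exactly one reaction number after the strings")
    return fields[0], fields[1], arcs[pos]


if __name__ == "__main__":
    oid = react_status_oid("icmp", "1", 1)
    print(oid)
    print(decode_react_status_oid("." + oid))
```
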
    Now we write the first script in a text editor and name it, for example, up.tcl. This script will poll the status of our SNMP OID once every 10 seconds, register a change in the OID value from “3” to “2” (which corresponds to restoring the communication channel) and generate a syslog message of the form “VSR1000-2 Dest IP 192.168.1.2 is available”. We give the script 30 seconds to run:

    ::comware::rtm::event_register snmp oid 1.3.6.1.4.1.25506.8.3.1.13.1.11.4.105.99.109.112.1.49.1 monitor-obj get start-op eq start-val 3 restart-op eq restart-val 2 interval 10 running-time 30 user-role network-admin
    ::comware::rtm::action syslog priority 5 facility local4 msg "VSR1000-2 Dest IP 192.168.1.2 is available"

    Similarly, we write a second script that will monitor the “fall” of the channel and issue a syslog of the form “VSR1000-2 Dest IP 192.168.1.2 is unavailable”:

    ::comware::rtm::event_register snmp oid 1.3.6.1.4.1.25506.8.3.1.13.1.11.4.105.99.109.112.1.49.1 monitor-obj get start-op eq start-val 2 restart-op eq restart-val 3 interval 10 running-time 30 user-role network-admin
    ::comware::rtm::action syslog priority 5 facility local4 msg "VSR1000-2 Dest IP 192.168.1.2 is unavailable"
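
    How the two policies interact can be checked offline by replaying polled status values through a small model. This is an added example, not Comware code or part of the original article; it assumes that a policy fires when the polled value equals start-val and does not fire again until the value has equalled restart-val, and the sample poll sequence is constructed.

```python
# Added example: a constructed model of the up.tcl / down.tcl trigger logic.
# Assumption: an event fires when the sample equals start-val, then stays
# silent until the sample has equalled restart-val (re-arm).
OVER_THRESHOLD, BELOW_THRESHOLD = 2, 3  # status values named in the article


class SnmpPolicy:
    def __init__(self, start_val, restart_val, message):
        self.start_val = start_val
        self.restart_val = restart_val
        self.message = message
        self.armed = True

    def poll(self, value):
        """Feed one polled OID value; return the syslog text if the policy fires."""
        if self.armed and value == self.start_val:
            self.armed = False
            return self.message
        if not self.armed and value == self.restart_val:
            self.armed = True
        return None


def replay(samples):
    """Run (time, value) samples through both policies; return (time, message) pairs."""
    up = SnmpPolicy(BELOW_THRESHOLD, OVER_THRESHOLD,
                    "VSR1000-2 Dest IP 192.168.1.2 is available")
    down = SnmpPolicy(OVER_THRESHOLD, BELOW_THRESHOLD,
                      "VSR1000-2 Dest IP 192.168.1.2 is unavailable")
    log = []
    for when, value in samples:
        for policy in (up, down):
            message = policy.poll(value)
            if message:
                log.append((when, message))
    return log


# Constructed poll results, one every 10 seconds: up, up, down x3, up, up.
SAMPLES = [(0, 3), (10, 3), (20, 2), (30, 2), (40, 2), (50, 3), (60, 3)]

if __name__ == "__main__":
    for when, message in replay(SAMPLES):
        print(when, message)
```

    Under this model each state change produces exactly one message, and repeated polls of an unchanged state produce none.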

    Then we upload the resulting files “up.tcl” and “down.tcl” to the flash memory of the router and register them:

    [VSR1000-1] rtm tcl-policy up flash:/up.tcl
    [VSR1000-1] rtm tcl-policy down flash:/down.tcl

    It remains only to set the IP address of the syslog server in the router configuration:

    [VSR1000-1] info-center loghost 172.16.1.100

    A video demonstrating this part of the configuration.
    We have taught our router to send a syslog message in addition to the SNMP trap.
    We move on to the final part of our task: sending email messages through the ESMTP server.
    To solve this problem, we will use a ready-made script, which can be downloaded at http://wiki.tcl.tk/417. We save it in the file sendmail.tcl and write it to the root directory of the router's flash memory. The script defines a procedure and requires the following variables to be defined:
    • smtphost - IP address of the ESMTP server;
    • toList - e-mail recipient addresses;
    • from - sender email address;
    • subject - subject of the letter;
    • body - message content;
    • {trace 0} - enable / disable information for debugging.

    Some of the variables, namely the address of the mail server and the message recipient, we set in the router configuration:

    [VSR1000-1] rtm environment smtphost 172.16.1.100
    [VSR1000-1] rtm environment toList ADMIN@company.org

    The rest of the variables are defined in the body of our scripts:

    variable from VSR1000-1@test.org
    variable subject "VSR1000-2 availability"
    variable body "VSR1000-2 Dest IP 192.168.1.2 is available"

    Also, to the body of the up.tcl and down.tcl scripts we add a line that loads the library responsible for sending mail:

    source sendmail.tcl

    And the line that calls this procedure:

    sendmail $smtphost $toList $from $subject $body

    Those who are interested can watch the video of this process.
    That is all that needed to be configured.
    The resulting configurations and scripts can be found here:
    Configuration of router HP VSR1000-1
    Configuration of router HP VSR1000-2
    Script up.tcl
    Script down.tcl
    Script sendmail.tcl
    This article does not claim to be the ultimate truth and is not meant to solve your tasks exactly; it is rather a demonstration of the tools available to owners of HP MSR NG routers. I hope this information will help our readers develop their own configurations that solve their unique production problems.
    In the process of solving the problem, the following materials were used:
    HP VSR1000 Virtual Services Router Network and Monitoring Command Reference
    HP VSR1000 Virtual Services Router Network Management and Monitoring Configuration Guide
    R0202-HP VSR1000 Virtual Services Router Network Management and Monitoring Command Reference
