
Monitor communication links on HP MSR NG routers

- Meet! Alice, this is pudding! Pudding, this is Alice! Blow it! ...
Well, you just introduced, and you have him with a knife!
(c) Lewis Carroll. Alice in Wonderland

A year has passed since HP updated its enterprise-class HP MSR router line. The new routers are called the new generation of routers, or MSR NG. From the hardware point of view these are entirely new devices: they use multi-core processors with a built-in encryption accelerator, a PCIe 2.0 bus, and noticeably more RAM and flash memory. Above all, the new hardware platform delivered a severalfold increase in performance, which helped HP overtake many of its distinguished “colleagues in the trade”. Of course, realizing this performance also required a serious rework of the operating system. It is still called HP Comware, but the version is now 7. Besides improved reliability and performance, this OS brings many new features, such as an improved technology for building dynamic VPNs (HP ADVPN), support for fault-tolerant IRF stacking of routers, the built-in EAA automation system, a zone-based firewall, and many other functions useful in running a network.
With this article, we begin introducing our blog readers to HP MSR NG routers and the new functionality of the HP Comware 7 operating system. The first article in the series works through a common task: monitoring communication channels with an HP MSR NG router.

So, we are solving the problem of monitoring the availability of a communication channel using ICMP echo requests or, in simple terms, “pings”. If the service is unavailable, we inform the administrator of the state change by all available means: we send an SNMP trap to the management system, a syslog message with arbitrary content to the syslog server, and an email via an ESMTP server. Other actions, such as switching to a backup channel or changing the configuration, can be added like salt and sugar, to taste. The configuration can be tested on the HP Network Simulator; for a change, we will use the HP Virtual Router VSR1000, which anyone can download. The router supports the VMware ESXi and Linux KVM virtualization platforms, but for our purposes it can also be run on VMware Workstation 10 and even on VMware Player. Virtual machine requirements:
The requirements, as we can see, are far from sky-high by modern standards, which lets us run a couple of routers on a working laptop to work out the configuration. The downloaded distribution contains three files with the extensions:
We will use the ready-made OVA image and build the following network diagram in a virtual environment: [image: network diagram]
The installation process of the HP VSR1000 Router on VMware Player is extremely simple and intuitive.
After installing the routers and setting up the VMware network environment according to our diagram, we start the virtual machines and perform the initial settings that give us ordinary access from a terminal program over SSH. How to install HP VSR, build a lab in VMware Player, and perform the preliminary settings is shown in the video.
Now that we have ordinary SSH access, we proceed to solving our problem. We need to configure two features: Network Quality Analyzer (NQA for short) and Embedded Automation Architecture (EAA).
Network Quality Analyzer (NQA) is a feature that measures data network parameters for various types of applications. Monitoring of the following applications is supported:

This feature works as follows: a probing router, or NQA client in HP terms, creates a request packet and sends it to a remote device (the NQA destination device), which responds to the probe requests. For the TCP, UDP echo, UDP jitter, and voice tests, the responder must be an HP router acting as NQA server; other network devices can respond to the other request types.
In our example, we use NQA in channel test mode with ICMP echo requests. The VSR1000-1 router, which monitors the channel, “pings” the specified IP address (in our case, the HP VSR1000-2) and, based on the responses received, concludes whether the channel is operational.
The router allows you to set the following parameters: [image: NQA parameters]
We configure an NQA probe that every 30 seconds sends 5 ICMP echo messages of 1024 bytes each to the IP address 192.168.1.2, with the IP ToS field set to “A0” (DSCP 40), and waits 0.5 seconds for each response. On the router this looks as follows:

[VSR1000-1] nqa entry icmp 1
[VSR1000-1-nqa-icmp-1] type icmp-echo
[VSR1000-1-nqa-icmp-1-icmp-echo]
[VSR1000-1-nqa-icmp-1-icmp-echo] description === Test1 ===
[VSR1000-1-nqa-icmp-1-icmp-echo] destination ip 192.168.1.2
[VSR1000-1-nqa-icmp-1-icmp-echo] frequency 30000
[VSR1000-1-nqa-icmp-1-icmp-echo] data-size 1024
[VSR1000-1-nqa-icmp-1-icmp-echo] tos 160
[VSR1000-1-nqa-icmp-1-icmp-echo] probe count 5
[VSR1000-1-nqa-icmp-1-icmp-echo] probe timeout 500
Next, we need to define how the router reacts to the test results for the communication channel. In our example, we treat three consecutive unanswered pings as a failure of the channel. This solves the first task: we make the router generate an SNMP trap both when the threshold of 3 consecutive lost responses is exceeded and when the number of losses falls back below the specified value:

[VSR1000-1-nqa-icmp-1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trap-only
We have the following NQA configuration:

[VSR1000-1] display current-configuration configuration nqa
#
nqa entry icmp 1
type icmp-echo
data-size 1024
description === Test1 ===
destination ip 192.168.1.2
frequency 30000
probe count 5
probe timeout 500
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trap-only
source ip 192.168.1.1
tos 160
#
In order for the router to send an SNMP trap, you must specify the version of the SNMP protocol, the IP address of the management station and securityname:

[VSR1000-1] snmp-agent sys-info version v2c
[VSR1000-1] snmp-agent target-host trap address udp-domain 172.16.1.100 params securityname public v2c

We also configure an SNMP community with read access; we will need it later to find the SNMP object that corresponds to this NQA entry:

[VSR1000-1] snmp-agent community read simple public

You can run our probe:

[VSR1000-1] nqa schedule icmp 1 start-time now lifetime forever

Now, when a change in the link state is detected, the router will send an SNMP message to the IP address 172.16.1.100.
You can watch the configuration process live by following the link.
We proceed to the second part of the task: let our device generate a syslog message duplicating the SNMP trap. For this we will use the embedded automation system, HP EAA (Embedded Automation Architecture). The overall EAA architecture is shown in the figure: [image: EAA architecture]
This feature lets the device register various events, such as the entry of a command, the appearance of a given syslog message, the installation of a new module in the router, and many others. Based on the registered event, the router can perform various actions:
These actions can be performed by either a CLI script or a script written in Tcl version 8.5.
To generate the syslog messages we will use two Tcl scripts. The first registers the change of the corresponding NQA probe's SNMP OID from the state “overThreshold (2)” to the state “belowThreshold (3)”, which corresponds to the channel going from non-operational to operational, and sends a syslog message that our channel is available. The second registers the reverse change of the NQA probe, namely the transition from “belowThreshold (3)” to “overThreshold (2)”, which corresponds to the channel going from working to non-working, and sends a syslog message that our channel has failed.
The first problem an inquisitive administrator faces on the way to implementing this plan is finding the SNMP OID that reflects the state of the configured NQA entry. To solve it, we need the MIB library, available for download at MIBs_V7, and any MIB browser (I used the free version of iReasoning MIB Browser Personal Edition). From this library we load the MIB named “hh3c-nqa.mib” into the MIB browser. In the MIB browser, we find the “hh3cNqaReactCurrentStatus” object and run the “Get Subtree” command after specifying the IP address of our router (172.16.1.1) and the community (“public”). In response we get the desired object; in my case it is the SNMP OID .1.3.6.1.4.1.25506.8.3.1.13.1.11.4.105.99.109.112.1.49.1.
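The trailing part of that OID is not arbitrary: 4.105.99.109.112 is the length-prefixed ASCII string "icmp", 1.49 is the string "1", and the final 1 is the reaction number, which matches "nqa entry icmp 1" and "reaction 1" configured above. The following helper is an added example, not part of the original article or of HP's tooling; it builds and decodes such instance OIDs on the assumption that every entry is indexed the same way, and its function names are hypothetical.

```python
# Added example, not from the original article. Assumption: the instance index
# is (NQA admin name, operation tag, reaction ID), with both strings encoded as
# length-prefixed ASCII sub-identifiers, as the article's OID suggests.

# Column OID: the article's full OID with the instance index removed.
REACT_STATUS = "1.3.6.1.4.1.25506.8.3.1.13.1.11"


def _encode_str(text):
    data = text.encode("ascii")
    return [len(data), *data]


def react_status_oid(admin, tag, reaction_id):
    """Instance OID for 'nqa entry <admin> <tag>' and 'reaction <reaction_id>'."""
    subids = _encode_str(admin) + _encode_str(tag) + [reaction_id]
    return REACT_STATUS + "." + ".".join(map(str, subids))


def _take_str(subids):
    """Split one length-prefixed string off the front of a sub-identifier list."""
    if not subids or subids[0] > len(subids) - 1:
        raise ValueError("truncated string index")
    chars = subids[1:1 + subids[0]]
    if any(not 0 <= c <= 127 for c in chars):
        raise ValueError("non-ASCII index octet")
    return bytes(chars).decode("ascii"), subids[1 + subids[0]:]


def parse_react_status_oid(oid):
    """Split an instance OID back into (admin, tag, reaction_id)."""
    oid = oid.lstrip(".")
    if not oid.startswith(REACT_STATUS + "."):
        raise ValueError("not an hh3cNqaReactCurrentStatus instance")
    subids = [int(x) for x in oid[len(REACT_STATUS) + 1:].split(".")]
    admin, rest = _take_str(subids)
    tag, rest = _take_str(rest)
    if len(rest) != 1:
        raise ValueError("expected exactly one reaction ID after the strings")
    return admin, tag, rest[0]


if __name__ == "__main__":
    # The OID quoted in the article decodes to its own NQA entry and reaction.
    print(parse_react_status_oid(
        ".1.3.6.1.4.1.25506.8.3.1.13.1.11.4.105.99.109.112.1.49.1"))
    print(react_status_oid("icmp", "1", 1))
```

Decoding the OID before pasting it into an EAA policy confirms that the policy watches the intended NQA entry and reaction rather than a neighbouring row of the table.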
Now, in a text editor, we write the first script and call it, for example, up.tcl. Once every 10 seconds this script polls the state of our SNMP OID, registers the change of the OID value from “3” to “2” (which corresponds to the restoration of the communication channel), and generates a syslog message “VSR1000-2 Dest IP 192.168.1.2 is available”. We give the script a running time of 30 seconds:

::comware::rtm::event_register snmp oid 1.3.6.1.4.1.25506.8.3.1.13.1.11.4.105.99.109.112.1.49.1 monitor-obj get start-op eq start-val 3 restart-op eq restart-val 2 interval 10 running-time 30 user-role network-admin
::comware::rtm::action syslog priority 5 facility local4 msg "VSR1000-2 Dest IP 192.168.1.2 is available"

Similarly, we write the second script, which tracks the “drop” of the channel and emits a syslog message of the form “VSR1000-2 Dest IP 192.168.1.2 is unavailable”:

::comware::rtm::event_register snmp oid 1.3.6.1.4.1.25506.8.3.1.13.1.11.4.105.99.109.112.1.49.1 monitor-obj get start-op eq start-val 2 restart-op eq restart-val 3 interval 10 running-time 30 user-role network-admin
::comware::rtm::action syslog priority 5 facility local4 msg "VSR1000-2 Dest IP 192.168.1.2 is unavailable"

Then we upload the resulting files “up.tcl” and “down.tcl” to the router's flash memory and register them:

[VSR1000-1] rtm tcl-policy up flash:/up.tcl
[VSR1000-1] rtm tcl-policy down flash:/down.tcl

It remains only to set the IP address of the syslog server in the router configuration:

[VSR1000-1] info-center loghost 172.16.1.100
A video showing this part of the configuration.
We have taught our router to send a syslog message in addition to the SNMP trap.
We proceed to the final part of our task: sending an email message through an ESMTP server.
To solve this, we will use a ready-made script, which can be downloaded from http://wiki.tcl.tk/417. Save it as sendmail.tcl and write it to the root directory of the router's flash memory. The script defines a procedure and requires the following variables to be defined:

Some of the variables, namely the address of the mail server and the recipient of the messages, we set in the router configuration:

[VSR1000-1] rtm environment smtphost 172.16.1.100
[VSR1000-1] rtm environment toList ADMIN@company.org

The remaining variables are defined in the body of our scripts:

variable from VSR1000-1@test.org
variable subject "VSR1000-2 availability"
variable body "VSR1000-2 Dest IP 192.168.1.2 is available"

Also, in the body of the up.tcl and down.tcl scripts, we add a line that loads the library responsible for sending mail:

source sendmail.tcl

And the line that calls this procedure:

sendmail $smtphost $toList $from $subject $body

Those interested can watch the video of this process.
That's all there is to set up.
The resulting configurations and scripts can be found here:
HP VSR1000-1 Router Configuration
HP VSR1000-2 Router Configuration
Script up.tcl
Script down.tcl
Sendmail.tcl script
This article does not claim to be the ultimate truth and does not urge you to solve your tasks this way; rather, it is a demonstration of the tools available to owners of HP MSR NG routers. I hope this information helps our readers develop their own configurations for their unique production problems.
The following materials were used in solving the problem:
HP VSR1000 Virtual Services Router Installation and Getting Started Guide
HP VSR1000 Virtual Services Router Network Management and Monitoring Configuration Guide
R0202-HP VSR1000 Virtual Services Router Network Management and Monitoring Command Reference

Source: https://habr.com/ru/post/232447/

