gRPC commands
Generic gRPC commands
crl check
Use crl check enable to enable CRL checking.
Use undo crl check enable to disable CRL checking.
Syntax
crl check enable
undo crl check enable
Default
CRL checking is enabled.
Views
PKI domain view
Predefined user roles
network-admin
Usage guidelines
A CRL is a list of revoked certificates signed and published by a CA. Revoked certificates should no longer be trusted.
Enable CRL checking to ensure that the device only accepts certificates that have not been revoked by the issuing CA.
Examples
# Disable CRL checking.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] undo crl check enable
Related commands
pki import
pki domain
Use pki domain to create a PKI domain and enter its view, or enter the view of an existing PKI domain.
Use undo pki domain to remove a PKI domain.
Syntax
pki domain domain-name
undo pki domain domain-name
Default
No PKI domains exist.
Views
System view
Predefined user roles
network-admin
Parameters
domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 1.
Character name | Symbol | Character name | Symbol |
---|---|---|---|
Tilde | ~ | Dot | . |
Asterisk | * | Left angle bracket | < |
Backslash | \ | Right angle bracket | > |
Vertical bar | \| | Quotation marks | " |
Colon | : | Apostrophe | ' |
Usage guidelines
When you remove a PKI domain, the certificates and the CRL in the domain are also removed.
Examples
# Create a PKI domain named aaa and enter its view.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa]
pki import
Use pki import to import the CA certificate, local certificates, or peer certificates for a PKI domain.
Syntax
pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
Views
System view
Predefined user roles
network-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 2.
Character name | Symbol | Character name | Symbol |
---|---|---|---|
Tilde | ~ | Dot | . |
Asterisk | * | Left angle bracket | < |
Backslash | \ | Right angle bracket | > |
Vertical bar | \| | Quotation marks | " |
Colon | : | Apostrophe | ' |
der: Specifies the DER certificate file format, including PKCS#7.
p12: Specifies the PKCS#12 certificate file format.
pem: Specifies the PEM certificate file format.
ca: Specifies the CA certificate.
local: Specifies the local certificates.
peer: Specifies the peer certificates.
filename filename: Specifies a certificate file name, a case-insensitive string. For a certificate in PEM format, you can also choose to copy and paste the certificate contents on the terminal instead of importing from a file.
Usage guidelines
Use this command to import a certificate in the following situations:
· The CRL repository is not specified or the CA server does not support SCEP.
· The certificate is packed with the server generated key pair in a single file. Only certificate files in PKCS12 or PEM format can contain key pairs.
Before you import certificates, complete the following tasks:
· Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not available, display and copy the contents of a certificate to a file on the device. Make sure the certificate is in PEM format because only certificates in PEM format can be imported by this means.
· For the local certificates or peer certificates to be imported, the correct CA certificate chain must exist. The CA certificate chain can be stored on the device, or carried in the local certificates or peer certificates. If the PKI domain, the local certificates, or the peer certificates do not have the CA certificate chain, you must import the CA certificate first.
When you import the local or peer certificates:
· If the local or peer certificates contain the CA certificate chain, you can import the CA certificate and the local or peer certificates at the same time. If the CA certificate already exists in a PKI domain, the system prompts you whether to overwrite the existing CA certificate.
· If the local or peer certificates do not contain the CA certificate chain, but the CA certificate already exists in a PKI domain, you can directly import the certificates.
You can import the CA certificate to a PKI domain when either of the following conditions is met:
· The CA certificate to be imported is the root CA certificate or contains the certificate chain with the root certificate.
· The CA certificate contains a certificate chain without the root certificate, but can form a complete certificate chain with an existing CA certificate on the device.
Contact the CA administrator to get information as prompted in the following scenarios:
· The system prompts you to confirm the certificate's fingerprint in the following situation:
  ○ The certificate file to be imported contains the root certificate, but the root certificate does not exist in any PKI domains on the device.
  ○ The root-certificate fingerprint command is not configured in the PKI domain to which the certificate file is to be imported.
· The system prompts you to enter the challenge password used for encrypting the private key if the local certificate to be imported contains a key pair.
When you import a local certificate file that contains a key pair, you can choose to update the domain with the key pair. Depending on the purpose of the key pair, the following conditions might apply:
· If the purpose of the key pair is general, the device uses the key pair to replace the local key pair that is found in this order:
a. General-purpose key pair.
b. Signature key pair.
c. Encryption key pair.
· If the purpose of the key pair is signature, the device uses the key pair to replace the local key pair that is found in this order:
a. General-purpose key pair.
b. Signature key pair.
· If the purpose of the key pair is encryption, the device searches the domain for an encryption key pair.
If a matching key pair is found, the device asks whether you want to overwrite the existing key pair on the device. If no match is found, the device asks you to enter a key pair name (defaulting to the PKI domain name). Then, it generates the key pair according to the key algorithm and the purpose defined in the certificate file.
The import operation automatically updates or generates the correct key pair. When you perform the import operation, be sure to save the configuration file to avoid data loss.
Examples
# Import CA certificate file rootca_pem.cer in PEM format to PKI domain aaa. The certificate file contains the root certificate.
<Sysname> system-view
[Sysname] pki import domain aaa pem ca filename rootca_pem.cer
The trusted CA's finger print is:
MD5 fingerprint:FFFF 3EFF FFFF 37FF FFFF 137B FFFF 7535
SHA1 fingerprint:FFFF FF7F FF2B FFFF 7618 FF4C FFFF 0A7D FFFF FF69
Is the finger print correct?(Y/N):y
[Sysname]
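An added example (not part of the original documentation): an out-of-band check for the fingerprint prompt shown above, run on the administrator's workstation before answering Y. It assumes the device prints a standard fingerprint (a digest over the DER-encoded certificate); the function names are this example's own, and the sample PEM carries constructed placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
PROMPT_LINE = re.compile(r"(MD5|SHA1) fingerprint:\s*([0-9A-Fa-f ]+)")


def cert_blocks(pem_text):
    """DER bytes of every CERTIFICATE block; key blocks and Bag Attributes text are skipped."""
    return [base64.b64decode("".join(body.split())) for body in PEM_CERT.findall(pem_text)]


def device_format(digest_hex):
    """Format a hex digest as the prompt prints it: uppercase, groups of four."""
    h = digest_hex.upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def fingerprints(der):
    """MD5 and SHA1 fingerprints of one DER-encoded certificate, in prompt format."""
    return {"MD5": device_format(hashlib.md5(der).hexdigest()),
            "SHA1": device_format(hashlib.sha1(der).hexdigest())}


def normalise(fp):
    """Drop spaces, colons and case so 'A9:99', 'a999' and 'A999' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches(a, b):
    return hmac.compare_digest(normalise(a), normalise(b))


def parse_prompt(prompt_text):
    """Extract {'MD5': ..., 'SHA1': ...} from the text the device displays."""
    return dict(PROMPT_LINE.findall(prompt_text))


def check_import(pem_text, prompt_text, ca_reference_sha1):
    """Index of the certificate block whose SHA1 fingerprint equals both the value
    the device displays and the value obtained from the CA administrator.
    None means the three do not agree and the prompt should be answered N."""
    shown = parse_prompt(prompt_text).get("SHA1", "")
    if not shown or not matches(shown, ca_reference_sha1):
        return None
    for index, der in enumerate(cert_blocks(pem_text)):
        if matches(fingerprints(der)["SHA1"], shown):
            return index
    return None


def wrap_pem(payload):
    """Wrap constructed bytes in CERTIFICATE armor (sample data only)."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed sample file: two CERTIFICATE blocks with placeholder payloads,
# surrounded by the kind of attribute text a PKCS#12-to-PEM export carries.
SAMPLE_PEM = (
    "Bag Attributes\n    localKeyID: 01 00 00 00\nsubject=/CN=leaf\n"
    + wrap_pem(b"leaf placeholder")
    + "Bag Attributes: <Empty Attributes>\nsubject=/CN=root\n"
    + wrap_pem(b"abc")
)

# Constructed prompt text in the format shown in the example above.
SAMPLE_PROMPT = (
    "The trusted CA's finger print is:\n"
    "MD5 fingerprint:9001 5098 3CD2 4FB0 D696 3F7D 28E1 7F72\n"
    "SHA1 fingerprint:A999 3E36 4706 816A BA3E 2571 7850 C26C 9CD0 D89D\n"
)

if __name__ == "__main__":
    reference = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"
    print("matching block:", check_import(SAMPLE_PEM, SAMPLE_PROMPT, reference))
```
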
# Import CA certificate file aca_pem.cer in PEM format to PKI domain bbb. The certificate file does not contain the root certificate.
<Sysname> system-view
[Sysname] pki import domain bbb pem ca filename aca_pem.cer
[Sysname]
# Import local certificate file local-ca.p12 in PKCS12 format to PKI domain bbb. The certificate file contains a key pair.
<Sysname> system-view
[Sysname] pki import domain bbb p12 local filename local-ca.p12
Please input challenge password:
******
[Sysname]
# Import the local certificate in PEM format to PKI domain bbb by copying and pasting the contents of the certificate. The certificate contains the key pair and the CA certificate chain.
<Sysname> system-view
[Sysname] pki import domain bbb pem local
Enter PEM-formatted certificate.
End with a Ctrl+c on a line by itself.
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: {F7619D96-3AC2-40D4-B6F3-4EAB73DEED73}
Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8DCE37F0A61A4B8C
-----END RSA PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
subject=/CN=sldsslserver
issuer=/C=cn/O=ccc/OU=sec/CN=ssl
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=cn/O=ccc/OU=sec/CN=ssl
issuer=/C=cn/O=ccc/OU=sec/CN=ssl
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Please input the password:********
Local certificate already exist, confirm to overwrite it? [Y/N]:y
The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted.
Overwrite it? [Y/N]:y
The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
Please enter the key pair name [default name: bbb]:
The key pair already exists.
Please enter the key pair name:
import-key
Related commands
public-key rsa
public-key rsa
Use public-key rsa to specify an RSA key pair for certificate request.
Use undo public-key to restore the default.
Syntax
public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
undo public-key
Default
No key pair is specified for certificate request.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
encryption: Specifies a key pair for encryption.
name encryption-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).
signature: Specifies a key pair for signing.
name signature-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).
general: Specifies a key pair for both signing and encryption.
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).
length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more public key calculation time.
Usage guidelines
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways:
· Use the public-key local create command to generate a key pair.
· An application, like IKE using digital signature authentication, triggers the device to generate a key pair.
· Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, or RSA).
A PKI domain can have two RSA key pairs of different purposes: one is the signing key pair, and the other is the encryption key pair. If you configure an RSA signing key pair or RSA encryption key pair multiple times, the most recent configuration takes effect. The RSA signing key pair and encryption key pair do not overwrite each other.
If you specify a signing key pair and an encryption key pair separately, their key length can be different.
The length key-length option takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and length before submitting a certificate request. The length key-length option is ignored if the specified key pair already exists or is already contained in an imported certificate.
Examples
# Specify 2048-bit general purpose RSA key pair abc for certificate request.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key rsa general name abc length 2048
# Specify the following 2048-bit RSA key pairs for certificate request:
· RSA encryption key pair rsa1.
· RSA signing key pair sig1.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key rsa encryption name rsa1 length 2048
[Sysname-pki-domain-aaa] public-key rsa signature name sig1 length 2048
Related commands
pki import
public-key local create (Security Command Reference)
grpc data-model
Use grpc data-model to specify the architecture of telemetry data models.
Use undo grpc data-model to restore the default.
Syntax
grpc data-model { 2-layer | 3-layer }
undo grpc data-model
Default
The device uses the two-layer telemetry data model architecture to push data.
Views
System view
Predefined user roles
network-admin
Parameters
2-layer: Specifies the two-layer telemetry data model architecture.
3-layer: Specifies the three-layer telemetry data model architecture.
Usage guidelines
This command is available only in gRPC dial-out mode.
If you specify the two-layer telemetry data model, the encoding format for pushed data can only be JSON.
For more information about telemetry data model architectures, see gRPC configuration in Telemetry Configuration Guide.
Examples
# Configure the device to use three-layer telemetry data models to push data.
<Sysname> system-view
[Sysname] grpc data-model 3-layer
Related commands
encoding
grpc enable
Use grpc enable to enable the gRPC service.
Use undo grpc enable to disable the gRPC service.
Syntax
grpc enable
undo grpc enable
Default
The gRPC service is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
You must enable the gRPC service before you can configure gRPC service attributes.
Disabling the gRPC service deletes all gRPC settings.
Examples
# Enable the gRPC service.
<Sysname> system
[Sysname] grpc enable
grpc pki domain
Use grpc pki domain to specify a PKI domain for establishing secure gRPC connections to collectors.
Use undo grpc pki domain to restore the default.
Syntax
grpc pki domain domain-name
undo grpc pki domain
Default
No PKI domain is specified for establishing secure gRPC connections to collectors.
Views
System view
Predefined user roles
network-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
By default, the gRPC connection between the device and a collector does not provide data encryption service or require authentication. After you specify a PKI domain, the device and the collector will use TLS for data encryption and bidirectional certificate-based authentication to improve communication security.
For the device to establish secure gRPC connections to collectors, make sure the PKI domain already exists and has correct certificate and key settings. If these requirements are not met, the connections to collectors are not secure.
Examples
# Specify a PKI domain for establishing secure gRPC connections to collectors.
<Sysname> system-view
[Sysname] grpc pki domain grpc_test
[Sysname] grpc enable
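An added example (not part of the original documentation): a configuration audit that flags the weak PKI and gRPC settings this page describes, run over a weak configuration and a corrected one. The configuration text is constructed from commands documented on this page; its layout, the 2048-bit floor, and the finding names are assumptions of this example.

```python
import re

MIN_RSA_BITS = 2048  # audit floor chosen for this example: the page's FIPS-mode key length

# Constructed configuration text (not captured from a device). Layout assumed:
# one command per line, PKI domain view commands indented, "#" between sections.
WEAK_CONFIG = """\
pki domain aaa
 undo crl check enable
 public-key rsa general name abc length 1024
#
pki domain grpc_test
 public-key rsa general name grpc-key length 2048
#
grpc pki domain grpc_prod
grpc idle-timeout 0
undo grpc log dial-in gnmi set
grpc enable
"""

HARDENED_CONFIG = """\
pki domain grpc_test
 public-key rsa general name grpc-key length 2048
#
grpc pki domain grpc_test
grpc idle-timeout 5
grpc enable
"""

EXPLANATION = {
    "crl-check-disabled": "revoked certificates are still accepted",
    "rsa-key-too-short": f"RSA key length is below {MIN_RSA_BITS} bits",
    "rsa-length-omitted": "a nonexistent key pair gets the default length (1024 in non-FIPS mode)",
    "no-pki-domain": "gRPC runs without TLS encryption or certificate authentication",
    "pki-domain-missing": "the referenced PKI domain is not defined, so connections are not secure",
    "idle-timeout-disabled": "idle gRPC sessions are never timed out",
    "gnmi-set-logging-disabled": "gNMI Set operations are no longer logged",
}


def parse(config):
    """Split the text into {pki-domain-name: [view commands]} and system-view commands."""
    domains, system, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if raw[0].isspace() and current is not None:
            domains[current].append(line)
            continue
        m = re.fullmatch(r"pki domain (\S+)", line)
        if m:
            # PKI domain names are case-insensitive per the pki domain command.
            current = m.group(1).lower()
            domains.setdefault(current, [])
        else:
            current = None
            system.append(line)
    return domains, system


def audit(config):
    """Return a list of (scope, finding) tuples; an empty list means no finding."""
    domains, system = parse(config)
    findings = []
    for name, cmds in domains.items():
        if "undo crl check enable" in cmds:
            findings.append((name, "crl-check-disabled"))
        for cmd in cmds:
            if not cmd.startswith("public-key rsa "):
                continue
            lengths = [int(n) for n in re.findall(r"\blength (\d+)", cmd)]
            if len(lengths) < len(re.findall(r"\bname \S+", cmd)):
                findings.append((name, "rsa-length-omitted"))
            if any(n < MIN_RSA_BITS for n in lengths):
                findings.append((name, "rsa-key-too-short"))
    bound = [m.group(1) for line in system
             if (m := re.fullmatch(r"grpc pki domain (\S+)", line))]
    if "grpc enable" in system and not bound:
        findings.append(("grpc", "no-pki-domain"))
    if any(name.lower() not in domains for name in bound):
        findings.append(("grpc", "pki-domain-missing"))
    if "grpc idle-timeout 0" in system:
        findings.append(("grpc", "idle-timeout-disabled"))
    if any(re.fullmatch(r"undo grpc log dial-in gnmi (all|.*\bset\b.*)", line)
           for line in system):
        findings.append(("grpc", "gnmi-set-logging-disabled"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for scope, code in audit(text) or [("-", "no findings")]:
            print(f"  {scope}: {code} {EXPLANATION.get(code, '')}")
```
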
gRPC dial-in mode commands
display grpc
Use display grpc to display gRPC dial-in mode information.
Syntax
display grpc
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display gRPC dial-in mode information.
<Sysname> display grpc
gRPC status : enabled.
gRPC port : 50051
gRPC idle-timeout : 3 minutes
Session count: 1.
Session ID: 1
User name: test
Login time:2011-01-05 06:46:43 Idle time : 2 mins 56 s
Client IP address : 169.254.100.170:40810
Received RPCs : 0 Received error RPCs : 0
Received subscription: 0 Output notifications: 0
Table 3 Command output
Field | Description |
---|---|
gRPC status | Status of the gRPC service: · enabled—The gRPC service is enabled. · disabled—The gRPC service is disabled. |
gRPC idle-timeout | Setting for the gRPC session idle timeout timer. |
Session count | Number of gRPC sessions. |
Idle time | Duration in which the session idle timeout timer will expire. If the value of this field is 0, gRPC sessions will never be timed out. |
Received error RPCs | Number of received erroneous gRPC requests. |
Received subscription | Number of received gRPC subscription requests. |
grpc idle-timeout
Use grpc idle-timeout to set the gRPC session idle timeout timer.
Use undo grpc idle-timeout to restore the default.
Syntax
grpc idle-timeout minutes
undo grpc idle-timeout
Default
The gRPC session idle timeout timer is 5 minutes.
Views
System view
Predefined user roles
network-admin
Parameters
minutes: Specifies the gRPC session idle timeout timer in minutes, in the range of 0 to 30. To disable gRPC sessions from being timed out, set it to 0.
Usage guidelines
If no gRPC packet exchanges occur on the session between a gRPC client and the server before the idle timeout timer expires, the device closes the session.
Examples
# Set the gRPC session idle timeout timer to 6 minutes.
<Sysname> system
[Sysname] grpc idle-timeout 6
grpc log dial-in gnmi
Use grpc log dial-in gnmi to enable gRPC logging for gNMI operations in dial-in mode.
Use undo grpc log dial-in gnmi to disable gRPC logging for gNMI operations in dial-in mode.
Syntax
grpc log dial-in gnmi { all | { capabilities | get | set | subscribe }* }
undo grpc log dial-in gnmi { all | { capabilities | get | set | subscribe }* }
Default
In dial-in mode, gRPC logging is enabled for gNMI Set operations and disabled for other gNMI operations.
Views
System view
Predefined user roles
network-admin
Parameters
all: Specifies all gNMI operations.
capabilities: Specifies the gNMI Capabilities operations.
get: Specifies the gNMI Get operations.
set: Specifies the gNMI Set operations.
subscribe: Specifies the gNMI Subscribe operations.
Usage guidelines
To identify gRPC issues, enable gNMI operations logging in dial-in mode.
This command generates gNMI operation logs in dial-in mode and sends them to the information center. With the information center, you can configure log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable gRPC logging for gNMI Get operations in dial-in mode.
<Sysname> system
[Sysname] grpc log dial-in gnmi get
grpc log dial-in rpc
Use grpc log dial-in rpc to enable gRPC logging for RPC operations in dial-in mode.
Use undo grpc log dial-in rpc to disable gRPC logging for RPC operations in dial-in mode.
Syntax
grpc log dial-in rpc { all | { cli | get }* }
undo grpc log dial-in rpc { all | { cli | get }* }
Default
In dial-in mode, gRPC logging is disabled for RPC operations.
Views
System view
Predefined user roles
network-admin
Parameters
all: Specifies both RPC CLI and Get operations.
cli: Specifies the RPC CLI operations.
get: Specifies the RPC Get operations.
Usage guidelines
To identify gRPC issues, enable RPC operations logging in dial-in mode.
This command generates RPC operation logs in dial-in mode and sends them to the information center. With the information center, you can configure log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable gRPC logging for RPC Get operations in dial-in mode.
<Sysname> system
[Sysname] grpc log dial-in rpc get
grpc port
Use grpc port to specify the gRPC service port number.
Use undo grpc port to restore the default.
Syntax
grpc port port-number
undo grpc port
Default
The gRPC service port number is 50051.
Views
System view
Predefined user roles
network-admin
Parameters
port-number: Specifies the gRPC service port number, in the range of 1 to 65535.
Usage guidelines
Changing the gRPC service port number reboots the gRPC service and terminates all gRPC sessions to the gRPC server. If the new port is not available, the system reboots the gRPC service again to use the old port.
Examples
# Set the gRPC service port number to 50052.
<Sysname> system
[Sysname] grpc port 50052
grpc enable
gRPC dial-out mode commands
destination-group (subscription view)
Use destination-group to specify a destination group for a subscription.
Use undo destination-group to remove a destination group from a subscription.
Syntax
destination-group group-name
undo destination-group group-name
Default
A subscription does not have a destination group.
Views
Subscription view
Predefined user roles
network-admin
Parameters
group-name: Specifies a destination group by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
A subscription binds sensor groups to destination groups. Then, the device pushes data from the specified sensors to the collectors.
The specified destination group must have been created by using the destination-group command in telemetry view.
A subscription can have a maximum of five destination groups.
Examples
# Specify destination group collector1 for subscription A.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] subscription A
[Sysname-telemetry-subscription-A] destination-group collector1
Related commands
destination-group (telemetry view)
destination-group (telemetry view)
Use destination-group to create a destination group and enter its view, or enter the view of an existing destination group.
Use undo destination-group to delete a destination group.
Syntax
destination-group group-name
undo destination-group group-name
Default
No destination groups exist.
Views
Telemetry view
Predefined user roles
network-admin
Parameters
group-name: Specifies the destination group name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
As a best practice, configure a maximum of five destination groups. If you configure too many destination groups, system performance might degrade.
To delete a destination group that is already used by a subscription, you must remove the destination group from the subscription first.
Examples
# Create a destination group named collector1.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] destination-group collector1
[Sysname-telemetry-destination-group-collector1]
Related commands
destination-group (subscription view)
subscription
dscp
Use dscp to set the DSCP value of packets sent to collectors.
Use undo dscp to restore the default.
Syntax
dscp dscp-value
undo dscp
Default
The DSCP value of packets sent to collectors is 0.
Views
Subscription view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies a DSCP value for packets sent to collectors, in the range of 0 to 63.
Usage guidelines
A greater DSCP value represents a higher priority.
If you execute this command multiple times in the same view, the most recent configuration takes effect.
Examples
# Set the DSCP value of packets sent to collectors to 12 for subscription A.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] subscription A
[Sysname-telemetry-subscription-A] dscp 12
encoding
Use encoding to specify the encoding format for pushed data.
Use undo encoding to restore the default.
Syntax
encoding { gpb | json }
undo encoding
Default
The encoding format for pushed data is JSON.
Views
Subscription view
Predefined user roles
network-admin
Parameters
gpb: Specifies the GPB encoding format. This keyword is available only when the device uses the three-layer telemetry data model architecture to push data.
json: Specifies the JSON encoding format.
Usage guidelines
The device supports JSON encoding for all data available for subscription. However, it does not support GPB encoding for all data. With GPB encoding, the device will not push data that cannot be GPB encoded. When you choose GPB encoding for a subscription, make sure all data in the subscription can be encoded in GPB.
Examples
# Specify the three-layer architecture for telemetry data models and use GPB to encode data for subscription A.
<Sysname> system-view
[Sysname] grpc data-model 3-layer
[Sysname] telemetry
[Sysname-telemetry] subscription A
[Sysname-telemetry-subscription-A] encoding gpb
Related commands
grpc data-model
grpc log dial-out
Use grpc log dial-out to enable gRPC logging in dial-out mode.
Use undo grpc log dial-out to disable gRPC logging in dial-out mode.
Syntax
grpc log dial-out { all | { event | sample }* }
undo grpc log dial-out { all | { event | sample }* }
Default
In dial-out mode, gRPC logging is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
all: Specifies all data collection types.
event: Specifies event-triggered data collection.
sample: Specifies periodical data collection.
Usage guidelines
To identify gRPC issues, enable gRPC data collection logging in dial-out mode.
This command generates gRPC data collection logs in dial-out mode and sends them to the information center. With the information center, you can configure log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
gRPC logging in dial-out mode is unavailable for gNMI subscriptions.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable gRPC logging for periodical data collection in dial-out mode.
<Sysname> system
[Sysname] grpc log dial-out sample
ipv4-address
Use ipv4-address to add an IPv4 collector to a destination group.
Use undo ipv4-address to remove an IPv4 collector from a destination group.
Syntax
ipv4-address ipv4-address [ port port-number ] [ vpn-instance vpn-instance-name ]
undo ipv4-address ipv4-address [ port port-number ] [ vpn-instance vpn-instance-name ]
Default
A destination group does not have IPv4 collectors.
Views
Destination group view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the collector.
port port-number: Specifies the listening port of the collector, in the range of 1 to 65535. The default is 50051.
vpn-instance vpn-instance-name: Specifies the VPN instance to which the collector belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the collector belongs to the public network, do not specify this option.
Usage guidelines
One collector must have a different address, port, or VPN instance than the other collectors.
To add multiple collectors to a destination group, execute this command multiple times.
A destination group can have a maximum of five collectors.
To modify the collector configuration for a destination group that is already used by a subscription, you must remove the destination group from the subscription first.
Examples
# Add a collector that uses IPv4 address 192.168.21.21 and the default port number to destination group collector1.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] destination-group collector1
[Sysname-telemetry-destination-group-collector1] ipv4-address 192.168.21.21
Related commands
destination-group (subscription view)
subscription
ipv6-address
Use ipv6-address to add an IPv6 collector to a destination group.
Use undo ipv6-address to remove an IPv6 collector from a destination group.
Syntax
ipv6-address ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ]
undo ipv6-address ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ]
Default
A destination group does not have IPv6 collectors.
Views
Destination group view
Predefined user roles
network-admin
Parameters
ipv6-address: Specifies the IPv6 address of the collector. It cannot be an IPv6 link-local address. For more information about IPv6 link-local addresses, see IPv6 basics configuration in Layer 3—IP Services Configuration Guide.
port port-number: Specifies the listening port of the collector, in the range of 1 to 65535. The default is 50051.
vpn-instance vpn-instance-name: Specifies the VPN instance to which the collector belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the collector belongs to the public network, do not specify this option.
Usage guidelines
One collector must have a different address, port, or VPN instance than the other collectors.
To add multiple collectors to a destination group, execute this command multiple times.
A destination group can have a maximum of five collectors.
To modify the collector configuration for a destination group that is already used by a subscription, you must remove the destination group from the subscription first.
Examples
# Add a collector that uses IPv6 address 1::1 and the default port number to destination group collector1.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] destination-group collector1
[Sysname-telemetry-destination-group-collector1] ipv6-address 1::1
Related commands
destination-group (subscription view)
subscription
sensor path
Use sensor path to configure a sensor path.
Use undo sensor path to delete a sensor path.
Syntax
sensor path path [ condition node node operator operator value value | depth depth ]
undo sensor path path [ condition node node operator operator ]
Default
No sensor paths exist.
Views
Sensor group view
Predefined user roles
network-admin
Parameters
path: Specifies a data path by its complete name. The data path name is case insensitive. For information about the available paths, enter sensor path ?.
condition: Adds a data push condition. This keyword is available only for periodic sensor paths.
node node: Specifies a node by its complete name, a case-insensitive string. For information about the available nodes, enter sensor path condition path node ?.
operator operator: Specifies an operator for the condition. Supported operators vary by node. Operators might include: eq (equal to), ge (greater than or equal to), gt (greater than), le (less than or equal to), lt (less than), and ne (not equal to).
value value: Specifies the reference value.
depth depth: Sets the retrieval level for the sensor path. This option takes effect if the sensor path is a periodic path. The value range for the depth is 1 to 3. The default depth is 1.
· If the depth is set to 1, the device collects data from all columns under the specified path.
· If the depth is set to 2, the device collects data from all columns and subtables under the specified path.
· If the depth is set to 3, the device collects data from all columns, subtables, and subtables under the subtables, under the specified path.
Usage guidelines
The device supports a maximum of 128 sensor paths. A sensor group can have a maximum of 128 sensor paths.
A sensor path can have a maximum of five data push conditions. The device pushes data from the sensor path to collectors only when all relevant conditions are met.
For sensor path ifmgr/statistics, you can specify a maximum of 64 filtering conditions. The device pushes data of the sensor path to collectors as long as one of the conditions is met.
· Use the [ifindex="index"] format to specify each filtering condition. The index is a case-insensitive string that represents the type and number or index of an interface.
· The last character for index can be wildcard character (*), for example, sensor path ifmgr/statistics[ifindex="GigabitEthernet1/0/*"].
· If you specify filtering conditions for this command, you cannot specify data push conditions, and vice versa.
To modify the sensor path configuration for a sensor group that is already used by a subscription, you must remove the sensor group from the subscription first.
Examples
# Configure sensor path ifmgr/devicecapabilities for sensor group test.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] sensor-group test
[Sysname-telemetry-sensor-group-test] sensor path ifmgr/devicecapabilities
# Configure sensor path device/base for sensor group test so the device pushes data of the sensor path only when the uptime is greater than or equal to 377.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] sensor-group test
[Sysname-telemetry-sensor-group-test] sensor path device/base condition node uptime operator ge value 377
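A pre-deployment check for the constraints listed in the usage guidelines above, as an added example that is not part of the vendor reference: it lints the sensor path lines of one sensor group. The function name, the sample lines, and the assumption that each line carries at most one option (condition or depth) plus any number of bracketed filters are illustrative.

```python
import re
from collections import Counter
OPERATORS = {"eq", "ge", "gt", "le", "lt", "ne"}  # operators the reference names
MAX_PUSH, MAX_FILTER = 5, 64                      # documented per-path limits
CMD = re.compile(r'^sensor path ([^\s\[]+)((?:\[[^\]]*\])*)\s*(.*)$')
FILTER = re.compile(r'\[ifindex="([^"]+)"\]')
COND = re.compile(r'condition node (\S+) operator (\S+) value (\S+)')
DEPTH = re.compile(r'depth (\d+)')

def lint_sensor_paths(lines):
    """Return (line_no, message) findings; line_no 0 marks a per-path finding."""
    findings, push, filt = [], Counter(), Counter()
    for no, raw in enumerate(lines, 1):
        m = CMD.match(raw.strip())
        if not m:
            continue  # not a sensor path command
        path, brackets, rest = m.groups()
        for blob in re.findall(r'\[[^\]]*\]', brackets):
            filt[path] += 1
            f = FILTER.fullmatch(blob)
            if not f:  # e.g. typographic quotes pasted from a document
                findings.append((no, f"malformed filter {blob}"))
            elif "*" in f[1][:-1]:
                findings.append((no, "wildcard must be the last character"))
        cond, depth = COND.fullmatch(rest), DEPTH.fullmatch(rest)
        if cond:
            push[path] += 1
            if cond[2] not in OPERATORS:  # supported operators vary by node
                findings.append((no, f"operator {cond[2]} is not in the documented list"))
        elif depth and not 1 <= int(depth[1]) <= 3:
            findings.append((no, "depth must be 1 to 3"))
        elif rest and not depth:
            findings.append((no, f"unrecognized options: {rest}"))
    for path in sorted(set(push) | set(filt)):
        if push[path] and filt[path]:
            findings.append((0, f"{path}: filters and push conditions are mutually exclusive"))
        if push[path] > MAX_PUSH:
            findings.append((0, f"{path}: more than {MAX_PUSH} push conditions"))
        if path == "ifmgr/statistics" and filt[path] > MAX_FILTER:
            findings.append((0, f"{path}: more than {MAX_FILTER} filters"))
    return findings
# Constructed sample input, not taken from a real device.
SAMPLE = [
    'sensor path device/base condition node uptime operator ge value 377',
    'sensor path ifmgr/statistics[ifindex="GigabitEthernet1/0/*"]',
    'sensor path ifmgr/statistics[ifindex=”GigabitEthernet1/0/2”]',
    'sensor path ifmgr/statistics[ifindex="Gigabit*1/0/1"]',
    'sensor path ifmgr/devicecapabilities depth 4',
]
```

Running lint_sensor_paths(SAMPLE) flags lines 3, 4, and 5: typographic quotes in the filter, a wildcard that is not the last character, and a depth outside 1 to 3.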
Related commands
sensor-group (subscription view)
subscription
sensor-group (subscription view)
Use sensor-group to specify a sensor group for a subscription.
Use undo sensor-group to remove a sensor group from a subscription.
Syntax
sensor-group group-name [ sample-interval [ msec ] interval ]
undo sensor-group group-name
Default
A subscription does not have a sensor group.
Views
Subscription view
Predefined user roles
network-admin
Parameters
group-name: Specifies a sensor group by its name, a case-sensitive string of 1 to 31 characters.
sample-interval: Specifies that the sensor group collect and push data at intervals. If you do not specify this keyword, the sensor group collects and pushes data only when triggered by events.
msec: Specifies the data collection interval in milliseconds. If you do not specify this keyword, specify the data collection interval in seconds.
interval: Specifies the data sampling interval. If you do not specify the msec keyword, the value range is 1 to 86400. If you specify the msec keyword, the data sampling interval must be a multiple of 100 in the range of 100 to 900.
Usage guidelines
Specify the sample-interval interval option for periodic sensor paths and only for periodic sensor paths.
· If you specify the option for event-triggered sensor paths, the sensor paths do not take effect.
· If you do not specify the option for periodic sensor paths, the device does not collect or push data.
The specified sensor group must have been created by using the sensor-group command in telemetry view.
Examples
# Specify sensor group test for subscription A. Set the data sampling interval to 10 seconds.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] subscription A
[Sysname-telemetry-subscription-A] sensor-group test sample-interval 10
Related commands
sensor path
sensor-group (telemetry view)
sensor-group (telemetry view)
Use sensor-group to create a sensor group and enter its view, or enter the view of an existing sensor group.
Use undo sensor-group to delete a sensor group.
Syntax
sensor-group group-name
undo sensor-group group-name
Default
No sensor groups exist.
Views
Telemetry view
Predefined user roles
network-admin
Parameters
group-name: Specifies the sensor group name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The device supports a maximum of 32 sensor groups.
To delete a sensor group that is already used by a subscription, you must remove the sensor group from the subscription first.
Examples
# Create a sensor group named test.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] sensor-group test
[Sysname-telemetry-sensor-group-test]
Related commands
sensor-group (subscription view)
subscription
source-address
Use source-address to specify the source IP address for packets sent to collectors.
Use undo source-address to restore the default.
Syntax
source-address { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address }
undo source-address
Default
The device uses the primary IP address of the output interface for the route to the collectors as the source address.
Views
Subscription view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies an IPv4 address.
interface interface-type interface-number: Specifies an interface by its type and number. In the current software version, you must specify a loopback interface. The device will use the interface's primary IPv4 address as the source address. If the interface does not have a primary IPv4 address, the device uses the primary IP address of the output interface in the route to the collectors.
ipv6 ipv6-address: Specifies an IPv6 address.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Changing the source address causes the device to reconnect to the gRPC server.
Examples
# Specify the source IPv4 address of 169.254.1.1 for packets sent to collectors.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] subscription A
[Sysname-telemetry-subscription-A] source-address 169.254.1.1
subscription
Use subscription to create a subscription and enter its view, or enter the view of an existing subscription.
Use undo subscription to delete a subscription.
Syntax
subscription subscription-name
undo subscription subscription-name
Default
No subscription exists.
Views
Telemetry view
Predefined user roles
network-admin
Parameters
subscription-name: Specifies the subscription name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The device supports a maximum of 10 subscriptions.
Examples
# Configure a subscription named A.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry] subscription A
[Sysname-telemetry-subscription-A]
Related commands
destination-group (subscription view)
sensor-group (subscription view)
telemetry
Use telemetry to enter telemetry view.
Syntax
telemetry
Views
System view
Predefined user roles
network-admin
Usage guidelines
In telemetry view, you can configure telemetry parameters.
Examples
# Enter telemetry view.
<Sysname> system-view
[Sysname] telemetry
[Sysname-telemetry]