manualshive.com logo in svg

3Com 3036, Configuration Manual

The Casio 3036 is a multifunctional timepiece designed to cater to your every need. With its sleek design and advanced features, this watch is perfect for those seeking both style and functionality. Ensure you make the most of your Casio 3036 by downloading the free Operation Manual from manualshive.com.

Share
Download
background image

74

C

HAPTER

 5: C

ONFIGURING

 N

ETWORK

 M

ANAGEMENT

addition to the functions defined in SNMPv2c and SNMPv1. In other words, 
SNMPv3 develops SNMPv2c by adding security and management functions.

SNMPv1 and SNMPv2c lack security functions, especially in the aspect of 
authentication and privacy. SNMPv1 defines only a type of community 
representing a group of managed devices. Each NMS controls access to the 
devices via the community name list. However, agents do not verify whether the 
community names used by the senders are authorized, and they even do not 
check the IDs of administrators. Additionally, transmission of SNMP messages 
without encryption, which exposes the community name, brings potential threats 
to security. Even though some security mechanisms, like digest authentication, 
timestamp authentication, encryption and authorization, have been considered at 
the early stage of proposing SNMPv2c, only the “community name” similar to 
SNMPv1 is used in the final criterion of RFC 1901 through 1908. SNMPv2c is only 
a transitional version between SNMPv1 and SNMPv3. To avoid the lack of security 
in SNMPv1 and SNMPv2c, IETF develops the SNMPv3 protocol, which is described 
in RFC2271 through 2275 and RFC2570 through RFC2575 in details.

RFC2570 through RFC2575 supplements and subdivides SNMPv3 on the basis of 
RFC2271 through RFC2275, giving a complete and exact description of the 
processing of abnormal errors and the message processing procedure. The 
SNMPv3 framework thus defined has become a feasible standard.

Security of SNMPv3 is mostly represented by data security and access control.

Data security features provided in SNMPv3

Message-level data security provided in SNMPv3 includes the following three 
aspects:

Data integrity. It ensures that data will not be tampered with by means of 
unauthorized modes and the data sequence will only be changed within the 
permitted range.

Data origin authentication. It confirms which user the received data is from. 
Security defined in SNMPv3 is user-based. Hence, it authenticates the users 
that generate messages instead of the particular applications that are used 
to generate the messages.

Data confidentiality. Whenever an NMS or agent receives a message, it will 
verify when the message is generated. If the difference between the 
generating time of message and the current system time exceeds the 
specified time range, the message will be rejected. Thereby, it ensures that 
the message has not been tampered with in-transit on the network and 
prevents processing of received malicious messages.

Access control in SNMPv3 

As a security measure, access control defined in SNMPv3 implements a security 
check on the basis of protocol operations, thereby to controlling access to the 
managed objects.

MIB accessible to a SNMP entity is defined by the particular context. For 
security reasons, different groups and corresponding authorities probably need 
to be defined on one entity. The authorities are specified by the MIB view. A 
MIB view specifies a collection of managed object types in the context. The MIB 
view takes the form of a “view sub-tree” to define objects because MIB adopts 
the tree structure. If the flag of the object to be accessed belongs to the MIB 

Summary of Contents for 3036

Page 1: ...http www 3com com 3Com Router Configuration Guide Published March 2004 Part No 10014299 ...

Page 2: ...vided to you UNITED STATES GOVERNMENT LEGEND If you are a United States government agency then this documentation and the software described herein are provided to you subject to the following All technical data and computer software are commercial in nature and developed solely at private expense Software is delivered as Commercial Computer Software as defined in DFARS 252 227 7014 June 1995 or a...

Page 3: ...GETTING STARTED 1 SYSTEM MANAGEMENT 33 INTERFACE 121 LINK LAYER PROTOCOL 183 NETWORK PROTOCOL 335 ROUTING 423 MULTICAST 517 SECURITY 543 ...

Page 4: ...VPN 615 RELIABILITY 665 QOS 681 DIAL UP 721 ...

Page 5: ...epresents information as it appears on the screen Keyboard key names If you must press two or more keys simultaneously the key names are linked with a plus sign for example Press Ctrl Alt Del The words enter and type When you see the word enter in this guide you must type something and then press Return or Enter Do not press Return or Enter when an instruction simply says type Words in italics Ita...

Page 6: ...2 ABOUT THIS GUIDE ...

Page 7: ...I GETTING STARTED Chapter 1 3Com Router Introduction Chapter 2 3Com Router User Interface ...

Page 8: ...4 ...

Page 9: ...nsistent network interface user interface and management interface providing flexible and multiple application solutions for users This manual describes features and functions of the 3Com Router 1 x system software platform series of low end and middle range routers In this manual the 3Com Router is also referred to as the 3Com Router 1 x software version You should make sure that the 3Com Router ...

Page 10: ...ay and Frame Relay switching Supports FRoIP FRoISDN Supports Multi link Frame Relay MFR FR compression Supports FR Traffic Shaping FRTS to ensure even traffic over the VCs on FR Supports X 25 and X 25 switching X 25 Over TCP XOT Supports HDLC SDLC and LAPB regulations Supports SLIP PPP and MP Supports PPPoE Client Supports ITU T Q 921 and Q 931 regulations ISDN ITU T Q 921 Q 931 and ISDN semi perm...

Page 11: ...base of Internetwork routes and service information Supports DLSw of SNA system implementing SNA through WAN transmission IP performance Supports IP fast forwarding Supports Van Jacobson TCP message header compression IP routing Supports Static route management Supports Dynamic route protocol RIP 1 RIP 2 OSPF BGP Supports IP routing policy Supports IP policy based routing Multicast routing Support...

Page 12: ... classification protection user login authentication Supports IPSec provides tunnel and transmission encapsulation modes and supports AH and ESP security authentication Supports network data encryption card and provide IPSec encryption decryption Supports IKE automatically negotiates on security key and create the security federation Network reliability Backup center Can back up any physical inter...

Page 13: ...ter Prompt Detailed debugging information helpful for diagnosis of network faults Provides network test tools such as tracert and ping commands to quickly diagnose whether the network is normal Info center loghost configuration Terminal service Performs local or remote configuration via the console port asynchronous serial port X 25 PAD Telnet and Reverse Telnet etc Logs on the UNIX host via Rlogi...

Page 14: ...ring neither division of multiple channel groups nor ISDN PRI either the E1 F or T1 F interface will be a good choice Null Interface The functions of the Null interface are similar to those of null devices supported by many operating systems It is always in UP status but cannot forward data packets or configure IP addresses or encapsulate other protocols Null interface is a virtual interface with ...

Page 15: ...ces In addition its network connection is no difference from a HUB 3Com Routers support transparent bridging and are compatible with IEEE 802 1d The routers support the STP and bridging functions defined in IEEE 802 1d and support bridging on the links encapsulated with PPP HDLC X 25 or Frame Relay as well as bridging on VLAN sub interfaces and BDR Furthermore the routers can implement multi port ...

Page 16: ...12 CHAPTER 1 3COM ROUTER INTRODUCTION ...

Page 17: ...figuration interface On 3Com modular routers the CONSOLE port and AUX port are on the front of the unit while other ports are on the rear of the unit The above diagram shows the rear of the unit For details please refer to the 3Com Installation Guide 2 Run a terminal emulator application such as HyperTerminal of Win9X on the computer to establish a new connection Select an RS 232 serial port on th...

Page 18: ...14 CHAPTER 2 3COM ROUTER USER INTERFACE Figure 3 Establish a new connection Figure 4 Select the computer serial port for actual connection ...

Page 19: ...eters Figure 6 Select terminal emulation type 3 Power on the router to display the self test information of the router Press Enter after the self test to display the prompt Username and password Type in the correct username and the password then enter the system view of Router ...

Page 20: ...rminal Service chapter in this manual The modem connected to the asynchronous serial interface should be set to auto answer mode 1 As shown in Figure 7 connect a modem to computer serial port and another modem to the routers asynchronous serial port AUX interface in the diagram Figure 7 Establish a remote configuration environment 2 Run a terminal emulator application such as HyperTerminal of Win9...

Page 21: ...ng status of the router Enter to get help when necessary For details of specific commands please refer to the following chapters Local Remote Telnet Connection Configuration Environment After the router powers on and IP addresses of the interfaces have been properly configured on the router you can use the Telnet client program to establish a connection with the router and log in the router via LA...

Page 22: ...environment of a remote telnet connection 2 As shown in the following two figures Telnet client program interface in Windows 9X run the Telnet client program on the computer and set its terminal emulation type as VT100 Ethernet Server Workstation Workstation running Telnet Client LAN Ethernet Ethernet Workstation Local workstation running Telnet client Router LAN Remote router to be configured Rem...

Page 23: ...nds please refer to the following chapters In router configuration via Telnet connection the Telnet connection will be disabled if you change the IP address of the router interface So please enter the new IP address of the router interface at the Telnet client prompt after any changes in address so as to re establish the connection Command Line Interface CLI The 3Com Router 1 x provides a series o...

Page 24: ...configuration files Provide function similar to DosKey to execute a history command Searches the key word via command line interpreter with an incomplete match method Interpretation will be available just by entering non conflict key words For example enter abbreviated dis for display command View View is the interface of the 3Com Router command Different commands are implemented in different view...

Page 25: ...and Exit command system view Configures the system parameters Router Directly enter the view upon the login of subscribers Enter logout to disconnect the connection with the Router RIP view Configures the RIP parameters Router rip Enter rip in system view Enter quit to return to the system view OSPF view Configures the OSPF parameters Router ospf Enter ospf in system view Enter quit to return to t...

Page 26: ... Router E3 0 Enter controller e3 0 in any views Enter quit to return to the system view CT3 interface view Configures a time slot binding method on the CT3 interface and the physical layer parameters Router T3 0 Enter controller t3 0 in any views Enter quit to return to the system view E1 F interface view Configures the physical layer parameters for the E1 F interface Router Serial0 Enter interfac...

Page 27: ...return to the system view DLCI view Configures the DLCI parameters Router fr dlci 100 Enter fr dlci 100 in synchronous serial interface view The link layer protocol encapsulated on the interface should be FR Enter quit to return to the synchronous serial interface view Frame Relay switch view Configures the FR switch parameters Router fr switch abc Enter fr switch abc in system view Enter quit to ...

Page 28: ...play access list information arp ARP table information bgp BGP protocol information bridge Remote bridge information 3 Partial help Enter a character string followed by and descriptions of all the commands beginning with this character string will be listed Router di dialer dialer rule display 4 Partial help Enter a command and a character string followed by and all the key words beginning with th...

Page 29: ...ter 1 x provides the following display features Provide pause function when the information displayed exceeds one screen page and three options are available for users Operation Command Display history command display history command Operation Keys Result Go to the previous history command Ctrl E in Windows 9x If there are earlier inputted commands fetch the previous one Otherwise the alarms rings...

Page 30: ...mote UNIX host send Send a message to other terminals telnet Telnet to a remote host tracert Trace the route taken by packets to reach a network host undo Cancel current setting 3 A guest user has no right to manage the router but only has the right to perform a remote test on the router The guest user can only execute the following commands language Switch language mode English Chinese logout log...

Page 31: ...ted to the Console port to clear the application password and then reboot the router At this time the operator user can log onto the router without username and password If an administrator user forgets their password they can modify the password through another administrator user identity If there is no other administrator user they can only enter into the boot menu only on the HyperTerminal conn...

Page 32: ...tion Command Reboot the system right now reboot reason reason string Reboot the system after a specified time reboot mode interval hh mm time string Reboot the system at the specified time reboot mode time hh mm dd mm yy string Cancel the reboot task reboot cancel Operation Command Displays the current date and clock of the router display clock Displays the duration between the startup of the Rout...

Page 33: ...II SYSTEM MANAGEMENT Chapter 3 System Management Chapter 4 Terminal Service Chapter 5 Configuring Network Management Chapter 6 Display and Debugging Tools Chapter 7 POS Terminal Access Service ...

Page 34: ...30 ...

Page 35: ...s of software Boot ROM file Program file Configuration file Upgrade Boot ROM Software This section contains information to assist you with upgrading the Boot ROM software Upgrade router software carefully and under the guidance of technical support personnel In addition please refer to the release notes in the software upgrade file packet to make sure that the Boot ROM software version matches the...

Page 36: ...ady been modified input the correct one If your attempts to input the correct password fail three times the system will halt and you must power off and then power on the router 3 If the input Boot ROM password is correct the system will prompt Boot Menu 1 Download Bootrom program 2 Modify Bootrom password 3 Reboot Enter your choice 1 3 In the above prompt Select 1 to use XModem protocol to load ro...

Page 37: ...nal then press Enter to begin downloading After having set the terminal baud rate make sure to disconnect and then reconnect the terminal emulator Otherwise the new baud rate will not be effective 6 The router outputs the following information to indicate waiting for download Now Downloading Program File Please Start Transfer Program File Use Xmodem Protocol If You Want To Exit Press Ctrl X Downlo...

Page 38: ...ad fails the system displays the following information and reboot the router Download failed 3Com Router start booting If this message is displayed you should find out the cause prior to upgrading 9 Restore baud rate of the terminal emulator Press Enter and the Boot ROM software of the router will be directly decompressed and loaded into the memory for execution Upgrade the 3Com Router Main Progra...

Page 39: ...n Otherwise the system will start decompressing the program Reboot the router if you want to enter the 3Com Router main software upgrade menu after program decompression is started 2 The system prompts the following information after you press Ctrl B Please input Bootrom password Enter the Boot ROM password behind the prompt If no default ex factory Boot ROM password was set on the router directly...

Page 40: ... into the baud rate selected for software downloading Figure 17 Modify the terminal baud rate Click OK after setting the new terminal baud rate Click Disconnect and then Connect in the terminal interface to proceed to the next step You must disconnect and connect the terminal emulation program after modifying the baud rate of the terminal Otherwise the new baud rate cannot take effect 6 The router...

Page 41: ... router writes the Boot ROM into the Flash or NVRAM and the following prompts display Download completed Writing into flash memory Please wait it needs a long time about 1 min Writing into Flash Succeeds Please use 9600 bps Press Enter key to reboot the system Perform the operation as prompted click Disconnect and then Connect in the terminal interface If the downloading operation fails the system...

Page 42: ...nfiguration files from the file server into the Flash or NVRAM of the local router Before using TFTP you should purchase and install a TFTP server application as the 3Com Router does not come with a TFTP server application The TFTP server application can run on Windows 95 98 NT Preparation for using the TFTP server 1 Enable the TFTP server program a Enable the TFTP server program Select a PC insta...

Page 43: ... check the slots for a 1FE card in the order of 0 2 4 6 1 3 5 and 7 The Ethernet interface thus found will be used as the downloading network interface If the router is not available with a 1FE card check the slots for the available 2FE cards in the same order and the Ethernet interface 0 of the 2FE card found first will be used as the downloading network interface b After the Ethernet port for do...

Page 44: ...ER PARAMETERS IP address of the TFTP host is 10 110 10 13 The file to download and start is m8240ram arj After board is reset start up code will wait 5 seconds M odify any of the 3Com router configuration or C ontinue M 2 Enter C to confirm the selection and the router performs POST again and the Boot ROM starts normally 3 The router performs POST and the following displays 3Com Router start booti...

Page 45: ...read len 03713478 Writing program code to FLASH Please waiting it needs a long time about 1 min WriteFlash Success Press ENTER key to reboot the system 8 Press Enter upon the completion of the loading and the router reboots and the 3Com Router main program directly decompresses and loads into the memory for execution Upgrade the 3Com Router Main Software with TFTP after Booting the Router This app...

Page 46: ...The 3Com Router authenticates and authorizes FTP subscribers through an AAA server If no AAA is configured the local user authentication is adopted by default When using AAA the router cannot perform local accounting Therefore when using local authentication you need to open the accounting option switch to disable the accounting function Perform the following configuration in system view Table 16 ...

Page 47: ...ogged in ftp 4 After the authentication is passed the FTP client displays the prompt ftp enter binary after the prompt and set the upload directory on the FTP client ftp binary 200 Type set to I ftp lcd c temp Local directory now C temp 5 At the prompt ftp set a directory for the FTP server the router By default the file name of the 3Com Router main program is system which is case sensitive You ca...

Page 48: ...ter booting the router Start the TFTP server and connect it with the router before using this method to back up the 3Com Router main software Then execute the following command in system view Table 19 Download configuration files from a TFTP server FTP Approach The procedure of backing up the 3Com Router main program software with FTP is the same as loading the software with FTP except for step 6 ...

Page 49: ... the installation of the FTP application you can execute Serv u exe and configure the serv u FTP according to the following steps 1 Click Setup Users and the Setup Users dialog box displays as shown below Figure 22 Setup Users Dialog Box 2 Click Edit to pop up the Edit Users Group dialog box Enter user name and password in the first two boxes respectively and the path of the serv u FTP in the Home...

Page 50: ...the card 5 The system will display the following information according to different situations If the on line upgrading succeeds the Console displays the following prompt information End of programming successful Total 131072 bytes written If the on line upgrading fails the Console periodically displays the following prompt information Please enter the update request command for slot number Operat...

Page 51: ...e saved but the defaults are not saved Please refer to the following chapters for the default values of configuration parameters Commands are organized by views Commands in the same view are organized together forming a section and sections are separated with a blank line or a comment line beginning with Sections are usually arranged in the following order global configuration physical interface c...

Page 52: ...ipment TFTP Approach With this approach you can use the get command to download the configuration files from the TFTP server after booting the router Like the preparation done before loading the 3Com Router main program with TFTP the TFTP server application should be enabled on the PC and the transferring path for downloading the configuration files IP address of the server host and the number of ...

Page 53: ...d to the PC directly or indirectly and ping operation can be performed between them then set a path and use the copy command in the system view thus you can upload the configuration files to the TFTP server from the router The method is often used in remote maintenance Perform the following command in system view Table 23 Upload configuration files to a TFTP server FTP approach The procedure of lo...

Page 54: ...onfiguration files Either can be selected with the configfile command to serve as the storage media of configuration file The current media can be viewed by the display current configuration command Please use the following commands in corresponding views Operation Command View the initial configuration of the router display saved configuration View the current configuration of the router display ...

Page 55: ...ted in the following cases After upgrading if the router software does not match with the configuration file If the configuration file in Flash or NVRAM is damaged for example the wrong configuration file is loaded Please use the following command in system view Table 27 Erase the configuration file in storage media Set the Flag Bit to Enter the Initial Setup Mode first config set is used to set t...

Page 56: ...o install the FTP Client application You need to purchase the FTP Client application as this is not supplied as part of the 3Com Router series Configure FTP Server FTP server configuration includes Configure authentication and authorization of the FTP server Start FTP server Upload the configuration file program file Download the configuration file program file Configure the running parameters of ...

Page 57: ...ng status so as to make proper use of system resources 1 Set the file name on FTP server Before the file is uploaded or downloaded the name of the program configuration file should be set on the router Please enter the following commands in system view Table 32 Set the file name on FTP server Operation Command Start AAA server aaa enable Disable AAA server undo aaa enable Turn on the accounting se...

Page 58: ...orking in normal update mode Please perform the following configuration in system view Table 33 Set FTP update mode By default the FTP server adopts fast update mode 3 Set the connection time limit of FTP service To prevent illegal access by unauthorized users if no service request from the FTP client is received within a certain period connection with this FTP client will be disconnected Please e...

Page 59: ... FTP 55 Display FTP Server Table 36 Display FTP server Operation Command Display the configuration status of current FTP server display ftp server Display detailed information of the FTP user display local user ...

Page 60: ...56 CHAPTER 3 SYSTEM MANAGEMENT ...

Page 61: ...erminal configuration via RLogin connection Perform remote login via X 25 PAD Perform terminal message service Features of Terminal Service at Console Port The Local configuration environment can be established via the console port Please refer to Chapter 2 3Com Router User Interface for specific method The features of the terminal service at the console port are shown in the following table Param...

Page 62: ...et the attributes of terminal service By default the system will enable the timeout disconnection of the terminal user Terminal Message Service Whenever the terminal users that log into the same router want to communicate with each other they can use the terminal message service to send messages The remote users can telnet onto the local router to transmit information such as simple configuration ...

Page 63: ...s Supports the users that login through Telnet or console port to use the message services Supports the input of multiple lines of messages Supports the screen paste on HyperTerminal Supports using the backspace button to modify the message input in a line Does not support the control keys such as Insert Delete Home End and Tab Displays the prompt information when users input h or H 2 Enable disab...

Page 64: ...ous serial port and log in to the router by running the hyper terminal on PC to carry out the configuration management of the router Figure 26 Configuration management through dumb terminal The typical method of terminal access is The asynchronous port working under the flow mode is connected to the RS 232 serial port via dedicated line to enter the router command line interface thereby providing ...

Page 65: ... serial 0 ports is as follows Router Serial0 physical mode async Router Serial0 undo modem Router Serial0 async mode flow The configuration procedure of the dumb terminal on 8 16 async serial 0 port is as follows Router Async0 undo modem Router Async0 async mode flow The configuration procedure of the dumb terminal on AUX port is as follows Router Aux0 undo modem After the above operation Press EN...

Page 66: ...the network Telnet connection services provided by the 3Com Router 1 x include Telnet Server service provides services for local and remote users to logon to the router maintains the router and accesses network resources As shown in the following figure users can logon to the router by running the Telnet client program on the computer and perform the configuration management for the router Figure ...

Page 67: ... Telnet service Connection Configuration of Telnet and Reverse Telnet Terminal Service Features of Telnet Connection The terminal service features of Telnet connection are shown in the following table and the parameters of the Telnet Client program running on the computer should be set according to the table Table 45 Terminal service features of telnet connection Establish Telnet Connection Please...

Page 68: ...g transmitted the Reverse Telnet will not be disconnected The Reverse Telnet can be disconnected in interface view The undo modem command must be used to disable modem calling in and calling out before the Reverse Telnet timeout of the configuration interface is configured On the 3Com Router series the maximum number of Reverse Telnet connections is related to the interface card and the maximum nu...

Page 69: ...onnection Perform the following configuration in all views Table 49 Establish Telnet Server or Telnet Client connection display client can only be used to display the interface through which the Telnet client connected to the router passes If you want to view the IP address of the Telnet server connected to the router you should execute the display tcp status command The TCP connection whose local...

Page 70: ...y using the AT command Rlogin Terminal Service Rlogin Remote Login is one of the most common Internet applications developed by the BSD UNIX system in which a client is connected with the server by TCP connection It provides the function of several remote terminals accessing the UNIX host Rlogin originated from Berkeley UNIX and id used for telnet service between UNIX systems Compared with Telnet ...

Page 71: ...al user name abc to log on Router rlogin 10 110 96 53 root Trying 10 110 96 53 Password Last successful login for root Thu Jan 30 20 29 45 2003 on ttyp2 Last unsuccessful login for root Sun Jan 26 11 21 53 2003 SCO OpenServer TM Release 5 C 1976 1998 The Santa Cruz Operation Inc C 1980 1994 Microsoft Corporation All rights reserved For complete copyright credits enter copyrights at the command pro...

Page 72: ...ss the X 25 network X 25 PAD technology was developed to address how these devices can be enabled to communicate via X 25 network X 25 PAD bridges the X 25 network and non X 25 terminals it provides a mechanism through which non X 25 terminals can access the X 25 network As shown in the figure below a PAD is positioned between the X 25 network and terminals that do not support X 25 procedures to e...

Page 73: ... Set the response time for the Invite Clear message Configure X 25 PAD remote user Since remote PAD users can place an X 25 PAD call through the X 25 network access the local router and configure the router it may be necessary to authenticate the validity of remote users You can configure X 25 remote users with access permission on the router for the purpose of authentication on receiving the remo...

Page 74: ...n be skipped If the authentication succeeds the Client side can access the Server side and configure the Server side After successful access of the remote terminals users can log out and disconnect the X 25 PAD connection Please implement the following configuration under the system view at the Client side Table 53 Establish a X 25 PAD call If a call successfully logs on the user can at the Client...

Page 75: ...wing configuration under the system view at the Server side Table 54 Set the response time to the Invite Clear message Display and Debug X 25 PAD Perform the following configuration in all views Table 55 Display and debug X 25 PAD Typical X 25 PAD Configuration Example I Networking Requirement As shown in the figure below with Serial 0 as the interface to the X 25 network router A is connected wit...

Page 76: ...or connection and both ends support X 25 PAD protocol After the above condition is met make sure that the serial port at the Server side used to receive X 25 calls has set the X 121 address and the address is correctly called at the Client side After the above conditions are satisfied then you should confirm that the serial interface used to accept the X 25 PAD calls at the Server end has specifie...

Page 77: ...gement Station and an agent NMS is the workstation running the client application It sends various request packets to the managed network devices receives the response and trap packets from the managed devices and displays status information of the managed devices The agent is a process running on the managed equipment It receives and processes the request packets from the NMS and responds to the ...

Page 78: ... standard Security of SNMPv3 is mostly represented by data security and access control Data security features provided in SNMPv3 Message level data security provided in SNMPv3 includes the following three aspects Data integrity It ensures that data will not be tampered with by means of unauthorized modes and the data sequence will only be changed within the permitted range Data origin authenticati...

Page 79: ...s the command responder indication generator or proxy transponder is called the SNMP agent Nevertheless an SNMP entity can have functions of both manager and agent SNMP supported MIB To uniquely identify the equipment management variables in SNMP packets SNMP identifies the managed objects by using the hierarchical structure to name them The hierarchical structure is like a tree in which the nodes...

Page 80: ... in hexadecimal format By default the SNMP engine ID is MIB attribute MIB description Reference Public MIB MIB II based on TCP IP network equipment RFC1213 RMON MIB RFC1757 RIP 2 MIB RFC1389 OSPF MIB RFC1253 BGP MIB RFC1657 PPP MIB RFC1471 X 25 MIB RFC1382 LAPB MIB RFC1381 PPP RFC1471 RFC1472 RFC1473 RFC1661 RFC1332 and RFC1334 FrameRelay MIB RFC1315 and RFC2115 SNMP RFC1907 RFC2271 RFC2272 RFC227...

Page 81: ...MS have different access authority An SNMP group can have read only read write or notifying authority The authorities of the SNMP group are also determined by MIB views Perform the following configurations in system view Table 58 Configure SNMP version and related tasks Operation Command Select an SNMP version for NMS snmp agent sys info version v1 v2c v3 all Define the SNMP version s that NMS are...

Page 82: ...s as a managed device you should configure the destination and source addresses of the trap that it will send The destination address is the IP address of the NMS receiving the trap packet and the source address is the address of the local router that is the address of an interface on the local router Perform the following configurations in system view Table 60 Configure the traps to be sent by th...

Page 83: ...sage queue length undo snmp agent trap queue size Set the timeout time for traps snmp agent trap life timeout Restore the default timeout time for traps undo snmp agent trap life Operation Command Set the maximum size of SNMP packets that the agent can receive send snmp agent packet max size byte count Restore the default maximum size of SNMP packets undo snmp agent packet max size Operation Comma...

Page 84: ...router to send traps to NMS 129 102 149 23 and use the community name public and set the source address in the traps to be the IP address of the interface ethernet 0 Router snmp agent trap enable Router snmp agent target host trap address 129 102 149 23 securityname public Router snmp agent trap source ethernet 0 5 Configure an IP address for the Ethernet interface ethernet 0 Router interface ethe...

Page 85: ...nmp agent sys info contact Mr Wang Tel 3306 Router snmp agent sys info location telephone closet 3rd floor 4 Configure the router to send Traps to the host whose IP address is 129 102 149 23 Router snmp agent trap enable Router snmp agent target host trap address 129 102 149 23 securityname user_notify parameters v3 auth Router snmp agent trap source ethernet 0 5 Configure an IP address for the Et...

Page 86: ...tandard MIB not only provides a lot of the original port data of the managed object but it provides statistics data and calculation results of a network segment By running SNMP Agent supporting RMON on the network monitor NMS can obtain the overall flow error statistics and performance statistics of the network segment that connects the interfaces of managed network equipment so as to fulfill netw...

Page 87: ...tination is another router from the Ethernet interface the interface should be added in the DLSw bridge set Otherwise the router only performs statistics for frames with this router as the destination II Networking Diagram Figure 37 Enable RMON statistics III Configuration Procedure Configure the 3Com Router 1 Configure address and route of host1 host2 host3 routerA and routerB Make sure they can ...

Page 88: ...84 CHAPTER 5 CONFIGURING NETWORK MANAGEMENT RouterA interface ethernet 0 RouterA Ethernet0 rmon promiscuous ...

Page 89: ...tem Debugging Command Set The command line interface of the 3Com Router 1 x provides abundant debugging commands almost corresponding to all the protocols supported by the router helping the user to diagnose and eliminate network faults Operation Command Display current terminal user display client Display the system clock display clock Display the current memory type display configfile Display st...

Page 90: ...leshooting more convenient On the 3Com Router Syslog log system manages the output of debugging information and other prompt information Before obtaining the debugging information you need to open the related Syslog switch Firstly you must use the info center enable command to enable Syslog function then you can use the info center console or info center monitor command to enable debugging accordi...

Page 91: ...from 202 38 160 244 bytes 56 sequence 2 ttl 255 time 2ms Reply from 202 38 160 244 bytes 56 sequence 3 ttl 255 time 1ms Reply from 202 38 160 244 bytes 56 sequence 4 ttl 255 time 3ms Reply from 202 38 160 244 bytes 56 sequence 5 ttl 255 time 2ms 202 38 160 244 ping statistics 5 packets transmitted 5 packets received 0 packet loss round trip min avg max 1 2 3 ms Ping supporting IPX protocol For eac...

Page 92: ...eference Guide for detailed meanings of various options and parameters Described below are two examples to analyze the network connection with tracert command In the former example network connection is correct while in the latter network connection is faulty Router tracert 35 1 1 48 Trace route to nis nsf net 35 1 1 48 30 hops max 56 byte packet 1 helios ee lbl gov 128 3 112 1 19 ms 19 ms 0 ms 2 ...

Page 93: ...ndispensable part of the 3Com Router 1 x Syslog serves as the information junction of the 3Com Router 1 x system software module The log system is responsible for most of the information output and can perform detailed classification so as to filter information effectively In combination with the debugging command the system provides powerful support for the network administrator and development s...

Page 94: ...on parameters which include the filtering setting based on the module Chinese English selection and severity threshold When a user changes the values of these parameters other user terminals will also be affected At this time the undo info center monitor command can only turn off the log information output on the respective terminal Therefore to turn off the log information outputs of all telnet t...

Page 95: ...erts critical errors warnings notifications informational debugging Enable to output log information with priority to the terminal info center monitor emergencies alerts critical errors warnings notifications informational debugging Enable to output log information with priority to internal buffer info center logbuffer emergencies alerts critical errors warnings notifications informational debuggi...

Page 96: ...security 2 Edit the file etc syslog conf as the root and add the following selector action pairs Router configuration messages Local4 crit var log Router config When editing etc syslog conf note the following The comments can only be in separate lines beginning with character The selector action pairs must be separated with one Tab instead of a space There must not be redundant spaces behind the f...

Page 97: ...log information output of the control console 1 Turn on the log system Router info center enable 2 Configure the log information output of the control console severity ranging between emergencies debugging and do not filter the log information output of PPP module Router info center console Router info center console debugging 3 Turn on debugging switch of PPP module Router debug ppp all Configure...

Page 98: ...94 CHAPTER 6 DISPLAY AND DEBUGGING TOOLS ...

Page 99: ...problem and makes it possible to use different bank cards on the same POS The POS terminal is connected to the transaction center in two ways namely through dial up POS access and POS network access Dial up POS Access In the dial up POS access mode after responding to the smart card the POS terminal device will synchronously or asynchronously dial up with the built in modem Thus the POS terminal d...

Page 100: ...ork access Figure 41 Access mode when the POS access router located at the commercial client end In the POS network access mode 3Com Router series can be connected to the POS terminal in the following two ways Directly connect the POS RS 232 connector with the asynchronous interface including the asynchronous mode of the synchronous asynchronous interface of the 3Com Router series If the distance ...

Page 101: ...OS Access Server To implement the POS access service the POS access server must first be started Please perform the following configuration in system view Table 72 Start POS server By default the system disables the POS access server 2 Configure POS Access Port Only configured as a POS access port can the interface provide POS access service At present the interfaces of the 3Com Router series whic...

Page 102: ...ade it is necessary to configure the POS application to UNIX FEP for the terminal Please perform the following configuration in system view Table 74 Configure a POS application By default no POS application is configured by the system 4 Configure POS Application Interface POS application interface should operate in posapp mode Please perform the following configuration in asynchronous interface vi...

Page 103: ...t for the sake of security it is necessary to hide the true IP address of the up TCP connection in the access service and set another IP address for the source address instead At the same time to perform the backup of the link the terminal access server provides the function of binding the source address of the TCP connection The principle of binding the source address of the TCP connection is to ...

Page 104: ...ss port and to avoid a POS terminal being occupied for a long time it is necessary to manage individual transaction times through configuring the parameter TRADETIME If the maximum transaction time is exceeded after the POS terminal is dialed the router will disconnect to unblock the resource In general the default values of the parameters can satisfy the demands of application but in abnormal occ...

Page 105: ...pplication to UNIX B in TCP IP connection mode the application is 1 Router pos server app tcp 1 10 1 1 2 9020 4 Configure the POS multi application mapping table to map the packet whose destination address is 01f1 to application 0 Router pos server map 01f1 0 5 Configure the POS multi application mapping table to map the packet whose destination address is 01f2 to application 1 Router pos server m...

Page 106: ...ync 0 the application sequence number is 0 Router pos server app flow 0 async 0 3 Configure the POS application to UNIX B in asynchronous connection mode the connected interface is async 1 the application sequence number is 1 Router pos server app flow 1 async 1 4 Configure the POS multi application mapping table to map the packet whose destination address is 01f1 to application 0 Router pos serve...

Page 107: ...connection mode II Networking Diagram Figure 44 Networking diagram when the router is located at commercial client in TCP IP connection mode III Configuration Procedures 1 Configure Router A a Start the POS access server RouterA pos server enable b Configure the POS application to destination UNIX host in TCP IP connection mode RouterA pos server app tcp 0 10 1 1 1 9010 c Configure POS default mul...

Page 108: ...A interface async 2 RouterA Async2 undo modem RouterA Async0 flow control none RouterA Async0 undo detect dsr dtr RouterA Async2 async mode pos 3 g Configure the route to Router B take the static route as example RouterA Async2 quit RouterA ip route static 10 1 1 2 255 255 255 0 serial 0 2 Configure Router B a Configure the Ethernet interface Ethernet 0 RouterB interface ethernet 0 RouterB Etherne...

Page 109: ...III INTERFACE Chapter 8 Interface Configuration Overview Chapter 9 Configuring LAN Interface Chapter 10 Configuring WAN Interface Chapter 11 Configuring Logical Interface ...

Page 110: ...106 ...

Page 111: ...he network devices in LAN Second one is the WAN interface which includes interfaces like the synchronous asynchronous serial interface asynchronous serial interface AUX interface CE1 PRI ISDN BRI interface Through the WAN interface the router can exchange data with the network devices in the external network Logical interface is an interface that does not physically exist and needs to be establish...

Page 112: ... it is necessary to have a clear idea about the networking requirement and network diagram The following operations must be implemented at least for the interface configuration If the interface is a physical interface be clear about the connection state working mode of the physical interface to be selected and related working parameters If the interface is a WAN interface assign the encapsulated l...

Page 113: ...information If a physical interface on the router is idle and not connected with cable use the shutdown command to disable the interface in case that the interface goes abnormal due to some interference Operation Command Display current running state and statistic information of the interface in all views display interfaces type number display interfaces brief Clear interface statistic information...

Page 114: ...110 CHAPTER 8 INTERFACE CONFIGURATION OVERVIEW ...

Page 115: ...ty it can consult other network devices to determine and automatically select the optimum working mode and rate thus greatly simplifying the configuration and management of the system Configure Ethernet Interface Ethernet interface configuration includes Enter view of specified Ethernet interface Set network protocol address Set frame format of sending message Set MTU Select working rate of fast E...

Page 116: ...frame Please use the following commands in Ethernet interface view Table 88 Set frame format of sending message The frame format of sending message is Ethernet_II by default 4 Set MTU Maximum transmission unit MTU will influence the fragmentation and reassembling of network message Please use the following commands in Ethernet interface view Table 89 Set MTU Operation Command Enter view of specifi...

Page 117: ...Ethernet interface view Table 91 Select working mode of Ethernet interface The default is negotiation i e the system automatically chooses an optimum working mode 7 Enable or disable internal loopback and external loopback When performing special functionality test on Ethernet interface it needs to be set as internal loopback and external loopback sometimes Therefore it is possible to enable inter...

Page 118: ...View the statistic information of two ends of the connection such as the router and switch to observe whether the statistic number of the received error frames increases quickly If either test fails to pass it indicates that the Ethernet interface of the router or the connected Ethernet is abnormal After confirming the fault proceed as follows 1 View whether the LAN connection between the host and...

Page 119: ...resses must be the same only the host addresses are different If they are not in the same sub net please re set the IP address 3 Check whether the link layer protocols match one another Take for example two link layer protocol standards supporting IP protocol Ethernet_II and Ethernet_SNAP These two link layer protocols have different encapsulation formats and MTU MTU of the former has 1500 bytes a...

Page 120: ... party working in full duplex mode shows large amount of error messages received accompanied with serious message losses at both parties In this case use display interfaces ethernet command to view the error ratio of transceiving messages of the Ethernet interface Usually the collision can be observed through the status indicator of the network interface ...

Page 121: ...l interface ISDN BRI interface CE1 PRI interfaces CT3 CT1 PRI interface E1 F interface T1 F interface CE3 interface Asynchronous Serial Interface There are two asynchronous serial interfaces in the 3Com Router One is Serial which sets the synchronous asynchronous serial interface to work in asynchronous mode The other is Async a special asynchronous serial interface You can set asynchronous serial...

Page 122: ...onous asynchronous serial interface Table 94 Set the synchronous asynchronous serial interface to work in asynchronous mode The synchronous asynchronous serial interface works in synchronous mode by default 2 Enter the view of specified asynchronous serial interface Please use the following commands to enter the view of the specified serial interface in all views Table 95 Enter view of specified a...

Page 123: ...onous serial interface is used in dialup mode the baud rate only refers to the communication rate between the asynchronous serial interface of the router and Modem And the rate between two Modems must be determined according to the line quality after mutual consultation Therefore baud rate settings of asynchronous serial interfaces of two routers at two ends of the line can be inconsistent When th...

Page 124: ...ta transmission on the asynchronous serial interface will be controlled by the hardware signal on the interface When transmitting data the interface will automatically detect the CTS signal If there are CTS signals it will transmit data If no signals are detected it will terminate the data transmission If software flow control is adopted the data transmission on the asynchronous serial interface w...

Page 125: ... the stop bit when the asynchronous serial interface works in flow mode By default there is only 1 stop bit 10 Set data bit in flow mode This command is used to set another interactive operating parameter of the link layer protocol the data bit Please perform the following configuration in asynchronous serial interface view Table 103 Set the data bit when the asynchronous serial interface works in...

Page 126: ...e asynchronous serial interface Table 106 Set MTU of asynchronous serial interface The unit of mtu is byte ranging from 128 to 1500 with 1500 as default 14 Set the coding format of Modem Please perform the following configurations in asynchronous serial interface mode Table 107 Set the coding format of Modem AUX Interface AUX interface is a fixed port provided by the 3Com Router It can be used as ...

Page 127: ...erface Features of synchronous serial interface It can work in two modes DTE and DCE Usually the synchronous serial interface serves as DTE and receives DCE provided clock The synchronous serial interface can connect multiple cables externally such as V 24 and V 35 The 3Com Router can automatically detect types of cables connected externally and select electrical characters There is no need to con...

Page 128: ...The synchronous asynchronous serial interface works in synchronous mode by default 2 Enter the view of the specified synchronous serial interface In all views enter the view of the specified synchronous serial interface with the following command Table 110 Enter view of specified synchronous interface 3 Set link layer protocol The link layer protocol of synchronous serial interface can be set to P...

Page 129: ...to 64000 bps 6 Select work clock The synchronous serial interface works in two modes DTE and DCE Different working modes have different working clocks If the synchronous serial interface is used as DCE it is necessary to provide clock to the opposite DTE by choosing DCEclk If the synchronous serial interface is used as DTE the clock provided by the opposite DCE needs to be accepted As the receivin...

Page 130: ...ot be set 8 Enable or disable level detection By default when the system decides whether the synchronous serial interface is in UP status or DOWN status it detects the DSR signal DCD signal and whether the interface connects a cable at the same time Only when the three signals are effective will the system regard the interface is in UP status otherwise in DOWN status If level detection is disabled...

Page 131: ...ial interface mode Table 119 Set the synchronous serial interface to work in full duplex or half duplex mode By default the synchronous serial interface works in full duplex mode 11 Enable or disable internal loopback external loopback To perform special function test the internal loopback external loopback are enabled for the synchronous serial interface Please use the following commands in the v...

Page 132: ...le coding of synchronous serial interface is 7E ISDN BRI Interface Technical Background Integrated Services Digital Network ISDN is a new technology developed from the 1970 s It can provide all digital services from terminal user to terminal user and fulfill an all digital transmission mode integrating services such as voice data graphics and video ISDN is different from conventional PSTN In conve...

Page 133: ...hannel contention Network terminal 2 NT2 Also called intelligent network terminal including layer 1 layer 3 of OSI Type 1 terminal equipment TE1 Also called ISDN standard terminal which is user equipment conforming to ISDN interface standard such as digital phone set Type 2 terminal equipment TE2 Also called non ISDN standard terminal which is user equipment not conforming to ISDN interface standa...

Page 134: ...ollowing command in all views Table 124 Enter the view of the specified ISDN BRI interface The ISDN BRI interface is used to dial up Please refer to Dial up for detail CE1 PRI Interface Along with the emergence of Pulse Code Modulation PCM technique in the 1960s Time Division Multiplexing TDM technique is eventually achieving broad applications in the digital communication systems The TDM system i...

Page 135: ...interface operating mode Bind the interface to be channel sets Bind the interface to be a pri set Set the line code format Set line clock Set frame format Enable disable internal loopback external loopback 1 Enter the view for a specified interface In system view use the following command to enter the view of a specified CE1 PRI interface Table 125 Enter the view of a specified interface 2 Set the...

Page 136: ...CE1 PRI at one time that is the interface can only be bound into either channel sets or a pri set in that period After binding the interface to be channel sets the system will automatically create a Serial interface numbered serial number set number This interface has the same logic feature as that of a synchronous serial interface and can be treated as a synchronous serial interface for further c...

Page 137: ...ported on one CE1 PRI interface at one time that is the interface can only be bound into either channel sets or a pri set After the interface is bound to be a pri set the system will automatically create a Serial interface numbered serial number 15 This interface is logically equivalent to an ISDN PRI interface and hence you can further configure it Perform the following configuration in all views...

Page 138: ...nd no crc4 The frame format crc4 supports the 4 bit Cyclic Redundancy Check CRC on physical frames whereas the frame format no crc4 does not Perform the following configurations in CE1 PRI interface view Table 134 Set the frame format of CE1 PRI interface By default the frame format of CE1 PRI interface is no crc4 8 Enable disable internal loopback external loopback The interface needs to be set t...

Page 139: ...can be got as follows 24 x 8 1 193 bits Since 8000 frames can be sent per second the transmission speed of DS1 is 193 x 8K 1 544 Mbps The CT1 PRI interface can only operate in channelized operating mode It is used in the following two ways When the interface is used as a CT1 interface all the timeslots from 1 to 24 can be divided into multiple groups at will and each group can be bound to form a c...

Page 140: ...ither channel sets or a pri set in that period After binding the interface to be channel sets the system will automatically create a Serial interface numbered serial number set number This interface has the same logic feature as that of a synchronous serial interface and can be treated as a synchronous serial interface for further configurations Perform the following configuration in all views Tab...

Page 141: ...rface is logically equivalent to an ISDN PRI interface and hence you can further configure it Perform the following configuration in all views Table 141 Enter the ISDN interface view The following is to be set BDR operating parameters Encapsulate the data link layer protocol PPP its authentication parameters and etc IP address The operating parameters of the standby center need to be set when the ...

Page 142: ... the CT1 PRI interface By default the line clock of CT1 PRI interface is slave clock 7 Set the frame format of interface A CT1 PRI interface supports two frame formats Super Frame SF and Extended Super Frame ESF In SF format multiple frames can share the same frame synchronization information and signaling information so that more significant bits can be used to transmit user data In practice a sy...

Page 143: ...is not necessary in an E1 application it is too much to use CE1 PRI interface At this time E1 F interface is more than enough for meeting the simple E1 access requirements Compared with CE1 PRI interface E1 F interface is a nice low cost choice for E1 access Compared with CE1 PRI interfaces E1 F interface has the following features When working in framed mode E1 F interface can only bind time slot...

Page 144: ...stem identify an E1 F interface as a synchronous serial interface so entering the view of E1 F interface is equivalent to entering the view of the corresponding serial interface Perform the following configuration in all views Table 148 Enter the view of an E1 F interface E1 F interface is sequenced based on the same numbering and are numbered together with the synchronous serial interfaces For ex...

Page 145: ...ock If E1 F interface is used as DCE the slave clock should be selected If it is used as DTE the master clock should be selected If the E1 F interfaces of two routers are directly connected they must respectively work in slave and master clock modes If the E1 F interface of the router is connected to an exchange however the exchange is working as DCE and provides clock so the interface of the rout...

Page 146: ...local loopback and remote loopback but these two functions cannot be enabled at the same time Display and Debug E1 F Interface Perform the display command in all views to display the state of E1 F interface and other related information Table 155 Display and debug E1 F interface Operation Command Set frame format for an E1 F interface fe1 frame format crc4 no crc4 Restore the default frame format ...

Page 147: ... work in framed mode and it can randomly bind all time slots time slots 1 through 24 into one channel set T1 F interface has the rate of nx64kbps or nx56kbps owns logical features of synchronous serial interface and supports the data link layer protocols PPP HDLC Frame Relay LAPB and X 25 as well as the network protocols IP and IPX Configure T1 F Interface T1 F interface configuration includes Ent...

Page 148: ... lines of various lengths you should match attenuation and waveform of the interface signals with the transmission lines Perform the following configuration in T1 F interface view Table 158 Set length attenuation of transmission line on a T1 F interface By default attenuation matched a T1 F interface is long 0db 4 Set Line Code Format T1 F interface supports line code formats AMI Alternate Mark In...

Page 149: ...test is being carried out Perform the following configuration in T1 F interface view Table 161 Set frame format of T1 F interface By default the frame format of T1 F interface is ESF 7 Enable or Disable Local Loopback Remote Loopback An interface should be place in local loopback or remote loopback for some special functionality tests Perform the following configuration in T1 F interface view Tabl...

Page 150: ...0 for transmitting frame synchronizing signals cannot participate in binding operation Therefore CE3 interface can be channelized into E1 channels of 64Kbps CE3 interface supports the link layer protocols PPP HDLC Frame Relay LAPB and X 25 and the network protocols such as IP and IPX Configure CE3 Interface CE3 interface configuration includes Enter the view of the specified CE3 interface Set cloc...

Page 151: ...le channel loopback can be set on the E1 channels on a CE3 interface and the settings of individual channels are independent Table 169 Set loopback mode of E1 channel 5 Set E1 Frame Format Operation Command Enter the view of CE3 interface controller e3 number Operation Command Set clock mode of the CE3 interface clock master slave Restore the default clock mode of CE3 interface undo clock Operatio...

Page 152: ...e whose number is serial number line number 0 and whose rate is 2048 kbps The interface has the same logic feature as that of a synchronous serial interface therefore it can be regarded as a synchronous serial interface for further configuration When E1 channel works in CE1 mode framed mode timeslot binding can be performed on it The system will automatically create a serial interface whose number...

Page 153: ...channel binding operations CT3 Interface Both T3 and T1 belong to the T carrier system specified by ANSI T3 is corresponding to the digital signal level DS 3 and the data transmission rate is 44 736Mbps CT3 interface has two operating modes T3 mode channelized mode and CT3 mode non channelized mode When working in T3 mode the interface is equivalent to a fractional interface of data bandwidth 4473...

Page 154: ...lock mode of the T1 channel By default T1 channel uses slave clock 3 Set Cable Length Use the cable command to set the distance between the router and the cable distribution frame Perform the following configuration in CT3 interface view Table 177 Set cable length of the CT3 interface By default the cable length of the CT3 interface is set to 350 feet 4 Set Loopback Mode The CT3 interface supports...

Page 155: ...ollowing configurations in CT3 interface view Table 181 Set the frame format of T1 channel By default the frame format of T1 channel is ESF 6 Configure Operate Mode of CT3 Interface When setting the operating mode of a CT3 interface you should set the operating modes of both the CT3 interface and the T1 channels on the interface Perform the following configuration in CT3 interface view Table 182 S...

Page 156: ...ure as that of a synchronous serial interface therefore it can be regarded as a synchronous serial interface for further configuration 7 Set CRC of the Serial Interface For the serial interface formed by T3 the one formed by T1 channel or the one bundled by T1 channel timeslots its CRC can be configured in the corresponding serial interface view Table 184 Set CRC of the serial interface By default...

Page 157: ...el or the serial interface formed by timeslot bundle of T1 channel user can use command shutdown undo shutdown in Serial interface view Perform the following configuration in all views Table 186 Display and debug of the CT3 interface Operation Command Disable CT3 Interface shutdown Enable CT3 Interface undo shutdown Disable T1 channel t1 t1 number shutdown Enable T1 channel undo t1 t1 number shutd...

Page 158: ...154 CHAPTER 10 CONFIGURING WAN INTERFACE ...

Page 159: ...outer realizes the Bandwidth on Demand Routing BDR function and provides two BDR configuration methods Legacy BDR and BDR profiles Please see Operation Manual Dial up for detailed information Configure Dialer Interface According to different BDR modes configurations of Dialer interface are Configure Dialer interface for Legacy BDR Configure Dialer interface for BDR profiles Please see related chap...

Page 160: ... can be 255 255 255 255 The IP address with this 32 bit mask can be advertised by the routing protocols When configuring the ip address of loopback interface it is recommended to configure the 32bit mask to save the ip address Null Interface The 3Com Router support Null interface Null interface is always in UP status but cannot forward data packet or configure IP address or encapsulate other proto...

Page 161: ...rface These virtual interfaces share the physical layer parameters of the physical interface meanwhile they can be configured with their own link layer parameters and network layer parameters Therefore the multiple virtual interfaces corresponding to one physical are called sub interfaces In the 3Com Router series the physical interfaces supporting sub interface features include Ethernet interface...

Page 162: ...nfigure sub interfaces of WAN interface which link layer protocol is frame relay 1 Create and delete WAN sub interfaces Please use the following commands in all views Table 191 Create and delete WAN sub interface When using the above commands if corresponding WAN sub interface has been created the same as sub number enter the view of this sub interface directly Otherwise first create WAN sub inter...

Page 163: ...nterface and other IPX working parameters Virtual circuit of the sub interface Please see chapters in the Operation Manual Link Layer Protocol and Operation Manual Network Protocol for details about the above configurations and sub interface monitoring and maintenance No further details are provided here Typical WAN sub interface configuration example I Networking Requirements As shown below WAN i...

Page 164: ...omitted here For fault diagnosis and troubleshooting of sub interface please see chapters in Operation Manual Link Layer Protocol and Operation Manual Network Protocol in this manual Standby Center Logic Channel The standby center not only provides mutual backup between respective interfaces but also chooses a certain virtual circuit belonging to X 25 or frame relay as the main interface or standb...

Page 165: ...e ranging 1 to 25 i e the user can create up to 25 virtual templates In executing interface virtual template command if corresponding virtual template has been created then directly enter the view of this virtual template Otherwise first create the virtual template with specified template number In deleting the virtual template make sure that all of its derived virtual interfaces have been removed...

Page 166: ...ooting Before checking and eliminating faults of virtual template first find out the virtual template is used to create VPN virtual access interface or MP virtual interface then locate the fault of the virtual template in actual application environment Fault 1 Fail to create virtual interface Troubleshooting the reasons may be as follows The virtual template is not configured with IP address There...

Page 167: ...ng PPP and MP Chapter 13 Configuring PPPoE Client Chapter 14 Configuring SLIP Chapter 15 Configuring ISDN Protocol Chapter 16 Configuring LAPB and X 25 Chapter 17 Configuring Frame Relay Chapter 18 Configuring HDLC Chapter 19 Configuring Bridge ...

Page 168: ...164 ...

Page 169: ...d to negotiate some parameters of the link and is responsible for creating and maintaining the link Network Control Protocol is used to negotiate the parameters of network layer protocol PPP Authentication Mode 1 PAP authentication PAP Password Authentication Protocol is a 2 way handshake authentication protocol and it transmits username and password in plain text over the Internet The process of ...

Page 170: ...gotiation including negotiation of working mode SP or MP authentication mode and maximum transmission unit etc After the successful LCP negotiation the status of LCP is Open indicating that the link has been established c If the authentication is not configured it begins NCP negotiation At this time the status of LCP is still Open while the status of NCP is changed from Initial to Request sent d I...

Page 171: ...e or endpoint In the former way the router does not detect the username and endpoint and binds the interface to a specified virtual template interface In the latter way the router binds the interface to the virtual template interface according to the username or endpoint 3 Perform NCP negotiation After the interface is bound to a virtual template the router will begin NCP negotiation with the NCP ...

Page 172: ... originates the PAP authenticator only needs to start PAP authentication itself use ppp authentication mode pap command The requester does not need to configure the command If both sides originate PAP simultaneously then each side is both authenticator and requester At this time both sides need to configure all the commands supporting the PAP authentication Configure CHAP authentication a Configur...

Page 173: ... and send its username and password to the authenticator use ppp chap user command If one side originates the CHAP authenticator only needs to start CHAP authentication itself use ppp authentication mode chap command The requester does not need to configure the command If both sides originate CHAP simultaneously then each side is both authenticator and requester At this time both sides need to con...

Page 174: ...e configuration of local IP address and the IP address assigned to the peer refer to Network Protocol For example if it is necessary for the remote end to allocate an IP address for the local end you can use the ip address ppp negotiate command while the remote address command can be used to designate the local to assign IP address for the peer Table 200 Configure the time interval of PPP negotiat...

Page 175: ...lace the keepalive packets by LQR packets that is PPP interface will send LQR packets every period in order to monitor the link When link quality is normal the system will calculate the link quality in each LQR packet If the calculation results turn out to be unqualified for two consecutive times the link will be disabled After the link is disabled the system will calculate the link quality in eve...

Page 176: ...ollowing configuration in interface view Table 204 Configure the physical interface to work in MP mode By default interface does not work in MP mode 4 Bind the Physical Interface to a Virtual Template The physical interface can be bound to a virtual template in two ways Bind directly Perform the following configuration in interface view Table 205 Bind the physical Interface to a Virtual Template A...

Page 177: ...ith the virtual template interface Bind according to endpoint The endpoint is determined automatically when the router is started and each router has its own endpoint The interfaces with the same endpoint will be bound to the same virtual template interface The endpoint is generated by the router automatically and the user cannot change the configuration 5 Configure MP Protocol Parameters a Config...

Page 178: ... of two routers are connected via Modems the actual transmission speed is decided by the line quality after the Modem negotiations In this case the speed is usually slower than the preset interface Baud rate Moreover for synchronous serial interfaces running under DTE mode system cannot obtain their correct Baud rate In the above cases you should set the virtual Baud rate on interfaces When virtua...

Page 179: ...2 and password hello to the local database Router local user Router2 password simple hello b Configure to start PAP authentication at this side Router interface serial 0 Router Serial0 ppp authentication mode pap 2 Configure Router 2 requester a Configure this side to be authenticated by the opposite side with username Router2 and password hello Router interface serial 0 Router Serial0 ppp pap loc...

Page 180: ...ap user Router2 Typical MP Configuration Example I Configuration Requirement In Figure 51 two B channels of E1 interface of router a are bound to the B channel of router b and the other two B channels are bound to router c Suppose that four B channels on router a are serial2 1 serial2 2 serial2 3 and serial2 4 the names of interfaces of two B channels on router b are serial2 1 and serial2 2 and th...

Page 181: ...b Specify the virtual interface template for this user and begin PPP negotiation for the NCP information using this template Router ppp mp user router a bind virtual template 1 c Configure working parameters of the virtual interface template Router interface virtual template 1 Router Virtual Template1 ip address 202 38 166 2 255 255 255 0 d Add the interfaces serial2 1 and serial2 2 into MP channe...

Page 182: ...n line protocol is down Indicates that the interface is not activated or the physical layer does not turn to Up status serial number is up line protocol is up spoofing Indicates that this interface is a dialup interface and the call is not connected successfully serial number is up line protocol is up Indicates that data can be transmitted through this interface serial number is up line protocol i...

Page 183: ...ase Discovery phase When a host initiates a PPP session it must first go through the discovery phase to confirm the remote Ethernet MAC address and establish a PPPoE session ID Different from PPP PPPoE establishes a client server relationship at this phase whereas PPP establishes a peer relationship Through the discovery phase the host client can discover an access concentrator server After this p...

Page 184: ...l up software Configure PPPoE Client The fundamental PPPoE configuration includes Configure dialer interface Configure PPPoE session The high level PPPoE configuration includes Reset or delete PPPoE session 1 Configure Dialer Interface Before configuring a PPPoE session you should configure a dialer interface and a dialer bundle on the interface Each PPPoE session should uniquely associates with a...

Page 185: ...ppoe client command in Ethernet interface view Table 215 Reset or delete PPPoE session The commands reset pppoe client and undo pppoe client differ in the sense that the former only resets a PPPoE session temporarily whereas the latter deletes a PPPoE session permanently If a permanent PPPoE session has been reset by executing the reset pppoe client command the router will automatically re establi...

Page 186: ...e Internet via ADSL It uses 3com as the user name of the ADSL account and the password is 12345 Enable the PPPoE client function on the router so that the hosts on the LAN can access the Internet even installed with no PPPoE client software II Networking Diagram Figure 53 Access a LAN to the Internet via ADSL III Configuration Procedure 1 Configure a dialer interface Router dialer rule 1 ip permit...

Page 187: ... connect with the network center and ADSL is used as a standby for the DDN leased line Thus if the DDN leased line fails RouterA can still originate PPPoE call for connection to the network center across ADSL If ADSL has been idle for two minutes the PPPoE session will be terminated If new packets are generated for transmission after that PPPoE session will be re established II Networking Diagram ...

Page 188: ...184 CHAPTER 13 CONFIGURING PPPOE CLIENT ...

Page 189: ...emote end SLIP dialer can only be used with the standard BDR SLIP dialer on the physical port configuration includes Configure the synchronous asynchronous serial interface to asynchronous mode Configure the incoming and outgoing call authorities of Modem Enable BDR Configure the link layer protocol of the interface to SLIP Configure Dialer Group and Dialer Rule of activated calls Configure the di...

Page 190: ...nterface cannot be modified to asynchronous mode At this time you should first modify the link layer protocol of the interface to PPP and then you may change the interface attribute to asynchronous mode Display and Debug SLIP Perform the following task in all views to monitor the current state of SLIP in real time Table 219 Enable Disable the information debugging of SLIP Typical SLIP Configuratio...

Page 191: ...k protocol slip h Specify Dialer Group Router Serial0 dialer group 1 i Configure the default route to Route B Router ip route static 0 0 0 0 0 0 0 0 10 110 0 2 2 Configure Router B a Configure Dialer Rule Router dialer rule 1 ip permit b Configure the synchronous asynchronous interface to asynchronous mode Router interface serial 0 Router Serial0 physical mode async c Configure IP address of synch...

Page 192: ...188 CHAPTER 14 CONFIGURING SLIP Router ip route static 0 0 0 0 0 0 0 0 10 110 0 1 ...

Page 193: ... D Here B channel is a user channel used to transmit the voice data and other user information with the transmission rate 64kbps D channel is a control channel and used to transmit the common channel signaling controlling the calls on B channels of the same interface The rate of D channel is 64kbit s PRI or 16kbps BRI ITU T Q 921 the data link layer protocol of D channel defines the rules by which...

Page 194: ... ISDN PRI interface adopts QSIG signaling a Length of call reference Call reference is the flag used to distinguish the communication entities A call reference uniquely identifies a call Perform the following configurations in interface view Table 221 Configure the length of call reference By default the length of call reference is two bytes b Mode in which a called number is received A router can...

Page 195: ... the remote call differs from the local configuration the call will be denied Otherwise the call will be accepted Perform the following configurations in interface view Table 225 Set the called number or sub address to be checked in digital incoming call By default no called number or sub address is configured The commands are used to set the items to be checked in the digital incoming call If the...

Page 196: ...w it processes a call however the packets transmitted over the established connection are data packets Perform the following configuration in ISDN interface view Table 227 Configure an interface to receive voice calls Display and Debug ISDN Perform the display and debugging commands in all views Table 228 Display and debug ISDN Operation Command Configure an interface to initiate connection using ...

Page 197: ... 0 Router Serial0 15 dialer route info ip 202 38 154 2 8810154 Router Serial0 15 dialer group 1 Router Serial0 15 quit Router dialer rule 1 ip permit 2 Configure Router B The parameter configuration on Router B is almost the same as Router A so it will not be mentioned here Typical ISDN DoV Configuration Example I Networking Requirements RouterA and Router are connected over an ISDN and RouterA wi...

Page 198: ...SDN PRI line but pinging the routers is not successful Troubleshooting 1 Execute the display isdn call info command If the system prompts there is no isdn port it means that there is no ISDN PRI port and you should configure one For the configuration refer to the section cE1 PRI Interface and cT1 PRI Interface Configuration in Operation Manual Interface 2 If enabling Q 921 information debugging an...

Page 199: ...nctions and facilities With X 25 two DTE can communicate with each other via the existing telephone network X 25 sessions are established when one DTE device contacts another to request a communication session The DTE device that receives the request can either accept or refuse the connection If the request is accepted the two systems begin full duplex information transfer Either DTE device can te...

Page 200: ...E and DCE The above relation is shown in the following diagram Figure 59 DTE DCE interface A virtual circuit is a logical connection created to ensure reliable communication between two network devices A virtual circuit denotes the existence of a logic bi directional path from one DTE device to another across an X 25 network Two types of X 25 virtual circuits exist permanent virtual circuit PVC an...

Page 201: ...ctions as follows Transmit the data effectively between DTE and DCE Ensure the synchronization of information between the receiver and transmitter Detect and correct the error in the transmission Identify and report the procedure error to the higher layer protocol Inform the packet layer of the link layer state As specified in international standards X 25 link layer protocol LAPB adopts the frame ...

Page 202: ...ence number is selected periodically within the range of the modulo In the interface view configure as follows Table 230 Configure LAPB frame numbering mode By default the LAPB modulus is Modulo 8 b Configure LAPB parameter K The parameter K in the LAPB window represents the maximum number of I frames numbered in sequence that is to be identified by the DTE or DCE in any specified time In the inte...

Page 203: ...time idle channel state to the packet layer The timer value must be larger than T1 in DCE T3 T1 If T3 is 0 it indicates that the timer is not set Table 233 Configure LAPB system timer T1 T2 T3 By default T1 is 2000ms T2 is 1000ms and T3 is 0ms Configure X 25 X 25 configuration includes Configure X 25 interface Configure X 25 interface supplementary parameter Configure X 25 datagram transmission Co...

Page 204: ...iew Table 234 Set Cancel the X 121 address of the interface 2 Configure X 25 working mode To configure X 25 working mode perform the following task in the interface view Table 235 Set X 25 working mode Layer 3 of X 25 supported by 3Com Router series can work in both DTE mode and DCE mode It can also specify the datagram format among the two optional formats IETF and Nonstandard Note that generally...

Page 205: ...mber from the one way incoming call channel range and two way channel range to initiate a call while DCE selects an available logical channel with a larger number from the one way incoming call channel range and two way channel range to initiate a call Thus we can avoid the case that one side of the communication occupies all the channels and minimize the possibility of call collision In X 25 prot...

Page 206: ...ul X 25 protocol negotiation It is necessary to first execute shutdown and undo shutdown commands 4 Configure X 25 modulo The implementation of X 25 in 3Com Router series supports both modulo 8 and modulo 128 packet sequence numbering Module 8 is the default To set cancel the packet sequence numbering perform the following task in the interface view Table 238 Set Cancel X 25 packet numbering modul...

Page 207: ...et is received according to M bit marker Therefore too small value of the maximum packet size will consume too much router resources on packet fragmenting and assembling thus lowering efficiency Finally the following two points should be noted Maximum packet size MTU 8 LAPB N1 New configuration will take effect only after executing shutdown and undo shutdown commands To set cancel the default flow...

Page 208: ...ified in ITU T Recommendation X 121 X 121 address is a character string consists of the Arabic numerals from 0 to 9 and it is of 0 to 15 characters Configure an alias for the interface When an X 25 call is forwarded across the network different networks will be likely to make some modifications on the called address according to their own needs such as adding or deleting the prefix In such cases t...

Page 209: ...lowing task in interface view Task Command Specify an alias for the interface x25 alias policy match type alias string Cancel the specification of an alias for the interface undo x25 alias policy match type alias string Matching mode Meaning Example Free Free matching the alias string is in the form of 1234 1234 will match with 561234 1234567 and 956123478 but will not match with 12354 free ext Ex...

Page 210: ...ancel not carrying the called DTE address information when a call is originated undo x25 ignore called address Not carrying the calling DTE address information when a call is originated Default carry x25 ignore calling address by default Cancel not carrying of the calling DTE address information in a call undo x25 ignore calling address Not carrying the called DTE address information when the orig...

Page 211: ...red address mapping The called destination just like a calling source also has its own protocol address and X 121 address Establish the mapping between the destination protocol address and the X 121 address at the calling source you can find the destination X 121 address according to the destination protocol address and successfully initiate a call In the interface view perform the following comma...

Page 212: ...re X 25 user facility Set the length of virtual circuit queue Broadcast via X 25 Restrict the use of address mapping Configure the interface with the standby center The X 25 of the 3Com Router series allows adding some additional characteristics including a series of optional user facilities stipulated in ITU T Recommendation X 25 This section shows how to configure such additional characteristics...

Page 213: ...n low efficiency of sending and receiving Therefore we specify a value Each time the number of received packets reaches the value the acknowledgment will be sent to the peer thus improving receiving and sending efficiency This value called a receive threshold ranges between 0 and window size in packets If it is set to 1 every packet will be acknowledged If it is set to window size in packets the a...

Page 214: ...cknowledgment value undo x25 receive threshold Operation Command Specify CUG Closed User Group x25 call facility closed user group group number Or x25 map protocol protocol address x121 address x 121 address closed user group group_number Cancel CUG number undo x25 call facility closed user group Perform flow control parameter negotiation while initiating a call x25 call facility packet size in si...

Page 215: ... the length of virtual circuit queue Table 252 Configure the sending queue length of virtual circuit 6 Broadcast via X 25 Receive calls with reverse charging requests x25 reverse charge accept Or x25 map protocol protocol address x121 address x 121 address reverse charge accept Request throughput level negotiation while initiating a call x25 call facility threshold in out Or x25 map protocol proto...

Page 216: ...out only while others are used for calling in only The X 25 of the 3Com Router series allows restricting the use of this address mapping addition by adding some option items as shown in the following table Table 254 Restrict the use of address mapping 8 Configure interface with standby center The powerful standby function of the 3Com Router series is provided by the standby center To add an X 25 i...

Page 217: ...ass through many nodes each of which must have packet switching capability X 25 packet switching means to receive packets from one X 25 port and send them out from the X 25 port selected according to related destination address information contained in the packets X 25 switching enables the 3Com Router series to perform packet switching function in the packet layer and to be used as a small packet...

Page 218: ...te table Configure X 25 Load Balancing Introduction to X 25 Load Balancing Using the property of hunt group of X 25 protocol ISPs can provide load balancing function in X 25 packet switching networks X 25 load balancing can implement the load balancing in different DTEs or different links of a single DTE PC PC Quidway Router X 25 host X 25 host Operation Command Enable X 25 switching x25 switching...

Page 219: ...ffective and data transmission will be processed in accordance with the normal virtual circuit After being established PVC stays at the data transmission stage without the process of call establishment and call deletion therefore X 25 load balancing is ineffective on PVC and functions only on SVC Within a single X 25 hunt group all DTEs hold identical status and have the same X 121 addresses The D...

Page 220: ...e sent to Server A and Server B by turns vc number mode selects the interfaces with the free logical channels in a hunt group for every call request For example as shown in the above Figure1 1 if hunt group hg1 adopts vc number mode there will be 500 residual logical channels in the lines between Server A and DCE and 300 residual logical channels in the lines between Server B and DCE Thus all the ...

Page 221: ...rfaces and XOT Tunnels to hunt group Perform the following configuration in X 25 hunt group view Table 262 Add Delete interfaces or XOT Tunnels in hunt group It should be noted that a hunt group can have ten synchronous serial interfaces or XOT Tunnels at most XOT Tunnels cannot be added to the hunt group that adopts vc number channel selection policy 4 Configure X 25 switching route which is forw...

Page 222: ... svc x 121 address sub dest destination address sub source source address hunt group hunt group name Delete an X 25 switching route whose forwarding address is hunt group undo x25 switch svc x 121 address sub dest destination address sub source source address hunt group hunt group name Operation Command Add an X 25 switching route whose forwarding address is interface x25 switch svc x 121 address ...

Page 223: ...e line is disconnected If Keepalive is configured TCP check the usability of the links in time and it will automatically clear the TCP connection if it does not receive the answer of the opposite side for certain times Implementing theory of XOT taking SVC as an example As shown in the former figure when it has data to transmit RouterA first send a request packet to set up a VC After RouterB recei...

Page 224: ...e X 25 side packets received are forwarded through IP net There are different views for SVC and PVC For SVC perform the following tasks in system view Table 267 Configure SVC XOT switching The local X 25 route must be configured in the SVC mode For PVC perform the following tasks in interface view Operation Command Enable X 25 switching x25 switching Operation Command Configure X 25 local switchin...

Page 225: ...ke configurations so that Annex G DLCI can be used to transmit IP data For the configurations of X 25 switching over Annex G DLCIs refer to the subsequent section Table 270 Configure an Annex G DLCI Annex G DLCI does not support IARP Inverse Address Resolution Protocol so the user should configure a static map between the destination IP address and the Frame Relay address Operation Command Add a P...

Page 226: ...liable To ensure reliable transmission of signals for call set up and termination in dynamic calling mode these signals are transmitted over an X 25 VC Virtual Circuit Thereby reliable transmission can be ensured through the X 25 message acknowledgement mechanism A DLCI needs to be configured with X 25 attributes only when VoFR Voice over Frame Relay adopts dynamic calling mode The x 25 template c...

Page 227: ... Router Serial0 link protocol lapb dte d Configure other Lapb parameters if the link is of good quality and a higher rate is required the flow control parameter modulo can be increased to 128 k to 127 but they must be the same for both ends in the direct connection Operation Command Display interface information display interface type number Display X 25 alias table display x25 alias policy Displa...

Page 228: ...128 Router Serial1 lapb window size 127 Typical X 25 Configuration Example Back to Back Direct Connection of Two Routers via Serial Interface I Networking Requirement As shown in the diagram below two routers are to be directly connected back to back the X 25 protocol is used between the serial ports for IP data packet transmission II Networking Diagram Figure 68 Direct connection of two routers v...

Page 229: ...51 f As this is a direct connection the flow control parameters can be increased slightly Router Serial1 x25 packet size 1024 1024 Router Serial1 x25 window size 5 5 Connect the Router to X 25 Public Packet Network I Networking Requirement As shown in the diagram below three routers A B and C are connected to the same X 25 network for mutual communication The requirements are IP addresses of the i...

Page 230: ...erface Serial 0 Router Serial0 ip address 168 173 24 2 255 255 255 0 b Connect to public packet network make the router as DTE side Router Serial0 link protocol x25 dte Router Serial0 x25 x121 address 30561002 Router Serial0 x25 window size 5 5 Router Serial0 x25 packet size 512 512 Router Serial0 x25 map ip 168 173 24 1 x121 address 30561001 Router Serial0 x25 map ip 168 173 24 3 x121 address 305...

Page 231: ...ly The IP network addresses of Ethernet A and B are 202 38 165 0 and 196 25 231 0 respectively It is required to exchange routing information between Ethernet A and B with RIP routing protocol so that PC A and PC B can exchange information without adding static route II Networking Diagram Figure 70 X 25 PVC bearing IP data packet III Configuration Procedure 1 Configure Router A Router interface et...

Page 232: ...d each logical channel has a separate number The virtual circuit between routers A and B is shown in suppose this virtual circuit passes four packet switching exchanges in the network Figure 71 A virtual circuit consisting of several logical channels Therefore the PVC 3 and PVC 4 mentioned above actually refer to the numbers of the logical channels between the router and the switch directly connec...

Page 233: ...ress 300 2 Configure Router B Router interface serial 0 Router Serial0 link protocol x25 dte Router Serial0 x25 x121 address 200 Router Serial0 x25 map ip 10 1 1 2 x121 address 100 3 Configure Router C Router interface serial 0 Router Serial0 link protocol x25 dte Router Serial0 x25 x121 address 300 Router Serial0 x25 map ip 20 1 1 2 x121 address 100 4 Configure Router D Router interface serial 0 ...

Page 234: ...uter Serial0 ip address 1 1 1 1 255 0 0 0 2 Configure Router D a Basic X 25 Configuration Router interface serial 0 Router Serial0 link protocol x25 dte ietf Router Serial0 x25 x121 address 2 Router Serial0 x25 map ip 1 1 1 1 x121 address 1 Router Serial0 ip address 1 1 1 2 255 0 0 0 3 Configure Router B a Start X 25 switching Router x25 switching b Configure X 25 local switching Router x25 switch...

Page 235: ...et interface and build TCP connection between them X 25 packets forward through TCP and configure PVC to implement the PVC function II Networking Diagram Figure 74 PVC application networking diagram of XOT III Configuration Procedure 1 Configure Router A a Basic X 25 Configuration Router interface serial 0 Router Serial0 link protocol x25 dte ietf Router Serial0 x25 x121 address 1 Router Serial0 x...

Page 236: ...ddress 10 1 1 2 255 0 0 0 c Configure Serial 0 Router Ethernet0 interface serial 0 Router Serial0 link protocol x25 dce ietf Router Serial0 x25 vc range in channel 10 20 bi channel 30 1024 Router Serial0 x25 xot pvc 1 10 1 1 1 interface serial 0 pvc 1 Application of X 25 Load Balancing I Networking Requirements Configure hunt group on Server RouterA which serves as an X 25 switch and simultaneousl...

Page 237: ...roperty of rotary in system view Router x25 hunt group hg1 round robin f Add Serial 1 Serial 2 and XOT Tunnel to hunt group Router X25 huntgroup hg1 interface serial 1 Router X25 huntgroup hg1 interface serial 2 Router X25 huntgroup hg1 channel xot 10 1 1 2 g Configure X 25 switching route whose forwarding address is hunt group hg1 and enable the substitution of destination address and source addr...

Page 238: ... to router RouterE Router x25 switch svc 8888 interface serial 0 X 25 Load Balancing Carrying IP Data Transmission I Networking Requirements X 25 packet switching networks interconnect IP networks in different areas and X 25 networks carry IP data At the same time ISPs provide the function of X 25 network load balancing and implement the configuration of load balancing with subscribers to achieve ...

Page 239: ...re interface Ethernet 0 Router interface ethernet 0 Router Ethernet0 ip address 10 2 1 1 255 255 255 0 b Configure interface Serial 0 Router interface serial 0 Router Serial0 link protocol x25 dte Router Serial0 x25 x121 address 2222 Router Serial0 ip address 1 1 1 2 255 255 255 0 Router Serial0 x25 map ip 1 1 1 3 x121 address 3333 Router Serial0 x25 vc per map 2 c Configure static route to Router...

Page 240: ... as Frame Relay DTE II Networking Diagram Figure 77 Interconnect LANs via an Annex G DLCI III Configuration Procedure 1 Configure RouterA a Create an X 25 template Router x25 template profile1 b Configure the local X 25 address Router x25 profile1 x25 x121 address 10094 c Map the destination X 25 address to the destination IP address Router x25 profile1 x25 map ip 202 38 163 252 x121 address 20094...

Page 241: ...5 255 0 e Configure the link layer protocol of the interface to Frame Relay Router Serial1 link protocol fr Router Serial1 fr interface type dte f Configure a Frame Relay DLCI Router Serial1 fr dlci 100 g Configure the DLCI to be Annex G DLCI Router fr dlci 100 annexg dte h Associates an X 25 template with the DLCI Router fr dlci 100 x25 template profile1 Router fr dlci 100 quit i Map the Frame Re...

Page 242: ...ink protocol x25 dte ietf Router Serial0 x25 x121 address 2 Router Serial0 x25 map ip 1 1 1 1 x121 address 1 Router Serial0 ip address 1 1 1 2 255 0 0 0 3 Configure the router Router B a Enable X 25 switching Router x25 switching b Enable switching on Frame Relay DCE Router fr switching c Configure Serial 0 as the X 25 interface Router interface serial 0 Router Serial0 switching x25 dce ietf d Con...

Page 243: ...witch svc 2 interface serial 0 f Configure X 25 over Frame Relay switching Router x25 switch svc 1 interface serial 1 dlci 100 PVC Application of X 25 over Frame Relay I Networking Requirements RouterA and RouterC are respectively connected to RouterB and RouterD through X 25 RouterB and RouterC are connected through Frame Relay Configure Frame Relay Annex G DLCI 100 on both RouterB and RouterC to...

Page 244: ...er Serial0 link protocol x25 dce ietf Router Serial0 x25 vc range in channel 10 20 bi channel 30 1024 d Configure an X 25 template Router x25 template profile1 Router x25 profile1 x25 vc range in channel 10 20 bi channel 30 1024 Router x25 profile1 x25 pvc 1 interface serial 0 pvc 1 e Configure S1 as the Frame Relay interface Router interface serial 1 Router Serial1 link protocol fr Router Serial1...

Page 245: ...ult 2 Two connected sides use X 25 link layer protocol and the protocol is already in UP status but cannot ping through the peer Turn on the debugging switch and it is found that the received frames are discarded on one end instead of being forwarded up to the packet layer Troubleshooting The maximum frame bits of this end may be too small Change the configuration Fault Diagnosis and Troubleshooti...

Page 246: ...ace status is DOWN check if the physical connection and bottom configuration are correct If the interface is properly configured then check the SVC configuration If SVC is also properly configured check the XOT configuration Fault 6 After configuring PVC application of XOT you cannot ping through Troubleshooting there are various reasons You may first check if the physical and protocol statuses of...

Page 247: ... the packets is different from that configured in the Frame Relay address map and X 25 address map you need to reconfigure the maps If multiple X 25 address maps for reaching the same destination X 121 address have been configured in an X 25 template check whether the x25 vc per map command has been configured so that multiple X 25 SVC calls can be placed with the same X 25 address map Use the deb...

Page 248: ...244 CHAPTER 16 CONFIGURING LAPB AND X 25 ...

Page 249: ...k Connection Identifier which is valid only on the local interface and the corresponding opposite interface This means that in the same Frame Relay network the same DLCI on different physical interfaces does not indicate the same virtual connection A user interface in the Frame Relay network supports up to 1024 virtual circuits among which the DLCI range available to the user is 16 1007 As a Frame...

Page 250: ...d the network determines the status of Permanent virtual circuits PVCs of DCE In case that the two network devices are directly connected the equipment administrator sets the virtual circuit status of DCE In The 3Com Router the quantity and status of the virtual circuits are set at the time when address mapping is set with the fr map command They can also be configured with the Frame Relay local v...

Page 251: ...E or DCE format according to its location in the network In Frame Relay networks Network to Network Interface NNI is used between the Frame Relay switches In the interface view perform the following task to configure the type of Frame Relay interface as DTE DCE or NNI Table 275 Configure Frame Relay interface type The default type of Frame Relay interface is DTE Note the following point If the ter...

Page 252: ... all the PVCs if the PVC status on the network changes or there is PVC added or deleted irrespective of DTE inquires for the PVC status or not Thereby DTE can know the changes on DCE side and update the record based on that information If the timer T391 times out but no status message is received yet at the DTE side to respond to that this event error will be recorded and 1 will be added to the nu...

Page 253: ...eive the response in the specified time the error will be recorded If the number of errors exceeds the threshold the DTE equipment will regard the physical path and all the virtual circuits as unusable The parameters N392 and N393 together define the error threshold That is if the number of errors in the N393 status enquiry messages sent by the DTE equipment reaches Restore the default value of th...

Page 254: ...ere is a default route In interface view perform the following task to configure the Frame Relay static address mapping Table 279 Configure Frame Relay static address mapping By default the dynamic inverse arp is enabled on all the interfaces After the Frame Relay static address mapping is configured the dynamic inverse arp will be disabled automatically on the specified DLCI b Configure Frame Rel...

Page 255: ...logical interface and can be used to configure protocol address and virtual circuit One physical interface can include multiple sub interfaces which do not exist physically However for the network layer both the sub interface and main interface can be used to configure the virtual circuit to connect to remote equipment The sub interfaces of Frame Relay fall into two types point to point sub interf...

Page 256: ...verse arp 8 Configure Frame Relay PVC Switching Router routers can be used as Frame Relay switches to provide the function of Frame Relay PVC switching There are two ways to configure the Frame Relay switching configuring the Frame Relay switched route or configuring the Frame Relay switched PVC a Enable the Frame Relay switching Configure interface link layer protocol to Frame Relay link protocol...

Page 257: ... view Table 289 Configure Frame Relay local switched PVC number Perform the following configurations in system view Table 290 Configure the Frame Relay switched PVC Operation Command Enable the Frame Relay to carry out PVC switching fr switching Disable the Frame Relay to carry out PVC switching undo fr switching Set the Frame Relay interface type fr interface type dte dce nni Operation Command As...

Page 258: ...multiple Frame Relay physical interfaces In this way the bandwidth of the virtual Frame Relay is equal to the sum of the bandwidth of each Frame Relay physical interface contained in the virtual Frame Relay interface The virtual Frame Relay interface is called Bundle and the physical interfaces contained in the virtual interface is called bundle link As for an actual physical layer bundle link is ...

Page 259: ...ent on the multiple physical interfaces bundled to the MFR interface by turns 2 Configure a MFR bundle link Please perform the following configuration in synchronous serial interface view Table 293 Configure physical interface s link layer protocol to Multilink Frame Relay By default no MFR bundle link is created To remove the association between the physical interface and the MFR interface config...

Page 260: ...t interface Perform the following configurations in interface view Table 295 Configure Frame Relay compression on point to point interface By default Frame Relay payload compression is disabled On the 3Com Router only the Frame Relay sub interfaces can be point to point interfaces 2 Configure Frame Relay payload compression on multipoint interface Operation Command configure link identification of...

Page 261: ... packets behind it and hence degrade the voice quality The purpose of configuring Frame Relay fragmentation is to shorten voice delay and ensure real time voice transmission After configuring fragmentation large packets will be fragmented into small data fragments These smaller and less delay causing data fragments and the voice packets are interspersed for transmission to ensure an even flow of v...

Page 262: ...e general QoS can only provide the service of QoS on the whole interface Therefore the Frame Relay QoS can provide more flexible quality services for users Figure 81 Frame Relay QoS application Frame Relay Traffic Shaping The Frame Relay traffic shaping can control the normal traffic size and the burst traffic size transmitted from a PVC and enable the Frame Relay PVC to transmit these packets at ...

Page 263: ...e Frame Relay switch device has been configured with the function of congestion management it will notify the router of network congestion Upon receiving the notification the router will eventually slow down the transmit rate to the CIR so as to ease the congestion then users can transmit data at the rate of CIR After this if no notifications of network congestion are received within a certain per...

Page 264: ...Queueing PQ Priority Queueing CQ Custom Queueing and WFQ Weighted Fair Queueing The FIFO PQ CQ WFQ and PIPQ PVC Interface Priority Queueing queues can be used on a Frame Relay interface Among them FIFO PQ CQ and WFQ queues are general queues For the detailed introduction refer to the part of QoS PIPQ can only be applied on the Frame Relay interface It is similar to PQ but aiming at the PVCs on an ...

Page 265: ...hich is the size exceeding CBS the router will mark the flag bit of DE in the Frame Relay packet headers to 1 Figure 86 Fundamentals of Frame Relay traffic policing As shown in the above figure the parameters of Frame Relay traffic policing are respectively set to be CIR ALLOW 64 kbps CBS 64000 bit EBS 64000 bit and interval Tc CBS CIR ALLOW 1s When the interval is in the range of 0 to 2s DTE will...

Page 266: ... that are marked with DE flag bit will be first discarded once there is congestion The DE rule lists are applied on the Frame Relay PVCs on a router and each of them contains multiple DE rules If a packet transmitted on a PVC complies with the rules in the DE rule list its DE flag bit will be set to 1 and the packets like it will be discarded first if the congestion occurs on the network Configure...

Page 267: ... see the configuration of the Frame Relay class To delete the Frame Relay class use the undo fr class command When a Frame Relay PVC implements QoS it will search for the corresponding Frame Relay class in the following sequence If there is a Frame Relay class associated with the PVC use the QoS parameters configured to the Frame Relay class If there is no Frame Relay class associated with the PVC...

Page 268: ...n be used to set the inbound and outbound parameters However only the outbound parameters are effective for the Frame Relay traffic shaping Operation Command Enable the Frame Relay traffic shaping fr traffic shaping Disable the Frame Relay traffic shaping undo fr traffic shaping Operation Command Set the CBS of a Frame Relay PVC cbs outbound burst size Restore the CBS of a Frame Relay PVC to the d...

Page 269: ...nfiguration procedure in detail 3 Associate the Frame Relay class with the Frame Relay interface or a PVC Please refer to the above section Configure Frame Relay class for the configuration procedure in detail 4 Configure the parameters of Frame Relay class for Frame Relay traffic policing Perform the following configurations in frame relay class view Table 304 Configure the parameters of Frame Re...

Page 270: ...nfigurations in frame relay class view Table 306 Configure the congestion management policy on a Frame Relay PVC By default the congestion management is not enabled on Frame Relay PVCs When the congestion management is enabled on a Frame Relay PVC the queueing type on the PVC can only be FIFO Only when the Frame Relay traffic shaping is enabled on the interface where a PVC is located can the conge...

Page 271: ...e Relay interface each PVC under this interface will own its independent PVC queue If the function is not enabled on the Frame Relay interface the PVCs will have no PVC queues Perform the following configurations in frame relay class view Table 309 Configure the Frame Relay PVC queueing Operation Command Configure an interface based DE rule list fr del list number inbound interface type number Del...

Page 272: ...nsmitted according to the priority sequence Specifically all the packets in the top queue will be first transmitted then the packets in the middle queue followed by the packets in the normal queue and finally those in the bottom queue Each Frame Relay PVC on the interface has its own PIPQ priority Therefore the packets from this PVC can only enter the corresponding PIPQ queue Perform the following...

Page 273: ...e configuration details will not be covered here Please read the related chapters in Operation manual VPN for reference 2 Configure Frame Relay Switching Enable Frame Relay switching in system view and configure Frame Relay switched routes in serial interface view Table 312 Configure Frame Relay switching If the specified tunnel interface does not exist when implementing configuration the system w...

Page 274: ...ks much quicker and with lower cost At the same time ISDN can also be taken as a standby for Frame Relay accessing Therefore the Frame Relay over ISDN is mainly used in the following two aspects The simplest application is to take Frame Relay over ISDN as the main communications method That is all the routers support Frame Relay over ISDN and the individual routers can directly access the Frame Re...

Page 275: ...ith Frame Relay the calling party can directly use the configured dial string to make an ISDN call to the remote end after it finds an available B channel If dialer profiles are adopted the calling party will re configure the selected available B channel with the link layer protocol on the dialer interface and then use the configured dial string to place an ISDN call to the remote end After a phys...

Page 276: ...e established Then the DCE device will look for another PVC segment according to the Frame Relay switching configuration and activate the PVC segment When both PVC segments are in active status it means that the whole PVC is set up In this case Frame Relay can be adopted on the B channel to carry the network layer data Distinguished from legacy BDR dialer profiles require a called party to search ...

Page 277: ...on in physical ISDN or dialer interface view Table 315 Configure the link layer protocol of the interface The two ends of a BDR call should work with the same link layer protocol For a physical interface such as an ISDN BRI or PRI interface both the D channel and B channel are configured with Frame Relay Configure the synchronous serial interface with Frame Relay link protocol fr ietf nonstandard ...

Page 278: ... implement Frame Relay over ISDN it should be configured with Frame Relay In addition Frame Relay and PPP are probably carried on a B channel for supporting the dynamic configuration on the channel Therefore the ISDN physical interface should be configured with PPP After the dynamic B channel is disconnected the link layer protocol of the ISDN interface will be automatically restored to PPP by def...

Page 279: ... interface type number dlci Enable the debugging of Frame Relay arp debugging fr arp interface type number Enable the debugging of Frame Relay compression debugging fr compress interface type number Enable the debugging of Frame Relay congestion debugging fr congestion interface type number Enable the debugging of Frame Relay DE message debugging fr de interface type number Enable the debugging of...

Page 280: ...interface to Frame Relay Router Serial1 link protocol fr Router Serial1 fr interface type dte c Configure static address mapping Router Serial1 fr map ip 202 38 163 252 dlci 50 Router Serial1 fr map ip 202 38 163 253 dlci 60 2 Configure Router B a Configure interface IP address Router interface serial 1 Router Serial1 ip address 202 38 163 252 255 255 255 0 b Configure the link layer protocol of t...

Page 281: ...rface IP address Router interface serial 1 Router Serial1 ip address 202 38 163 251 255 255 255 0 b Configure the link layer protocol of the interface to Frame Relay Router Serial1 link protocol fr Router Serial1 fr interface type dce c Configure local virtual circuit Router Serial1 fr dlci 100 2 Configure Router B a Configure interface IP address Router interface serial 1 Router Serial1 ip addres...

Page 282: ...0 2 Configure RouterB a Create a MFR interface Router interface mfr 0 Router MFR0 ip address 202 38 163 252 255 255 255 0 Router MFR0 fr interface type dte Router MFR0 fr dlci 100 Router MFR0 fr map ip 202 38 163 251 dlci 100 b Bundle Serial 0 and Serial 1 to mfr 0 Router interface serial 0 Router Serial0 link protocol fr mfr 0 Router interface serial 1 Router Serial0 link protocol fr mfr 0 Frame ...

Page 283: ... Relay Network and enable Frame Relay Fragment between them II Networking Diagram Figure 96 networking diagram of Frame Relay Fragment III Configuration Procedure 1 Configure RouterA Router interface serial0 Router Serial0 link protocol fr Router Serial0 ip address 10 1 1 2 255 0 0 0 Router Serial0 fr dlci 16 Router fr dlci 16 fr class frts Router fr class frts Router fr class frts cir allow 64000...

Page 284: ... acl 1 Router acl 1 rule normal permit source 10 0 0 0 0 0 0 0 Router qos pql 1 protocol ip acl 1 queue top 2 Create a Frame Relay class and configure the parameters of Frame Relay traffic shaping Router fr class 96k Router fr class 96k cir allow 96000 Router fr class 96k cir 32000 Router fr class 96k cbs 96000 Router fr class 96k ebs 32000 Router fr class 96k traffic shaping adaptation becn Route...

Page 285: ...B a Configure the Frame Relay interface Serial0 Router interface serial 0 Router Serial0 link protocol fr Router Serial0 fr interface type dce Router Serial0 fr dlci 300 b Configure IP interface Ethernet0 Router interface ethernet 0 Router Ethernet0 ip address 10 110 50 2 255 255 255 0 c Configure tunnel interface Router interface tunnel 1 Router Tunnel1 source 10 110 50 2 Router Tunnel1 destinati...

Page 286: ...acy Router Bri0 dialer group 1 Router Bri0 dialer number 660045 b Configure the Frame Relay parameters on Bri0 Router Bri0 fr map ip 110 0 0 2 dlci 100 Router Bri0 fr dlci 100 For configuring the BDR and Frame Relay parameters on Bri1 refer to the configuration on Bri0 The user only needs to change the IP address to 120 0 0 1 DLCI number to 200 and address mapping to static address mapping 2 Confi...

Page 287: ...services for two dialer interfaces This PRI interface is assigned with the ISDN number 660045 and the DLCI numbers 100 and 200 respectively for these two dialer interfaces At the same time RouterB is connected to RouterC via a serial interface which is assigned with the DLCI numbers 300 and 400 The serial interface on RouterC is available with 2 sub interfaces which are respectively assigned with ...

Page 288: ...I number to 200 and configure to receive the incoming calls from the number 660208 and assign Dialer1 to Dialer Bundle 20 b Configure the Frame Relay switching parameters on Serial1 Router Serial1 link protocol fr Router Serial1 fr interface type dce Router interface serial 1 1 Router Serial1 1 ip address 130 0 0 1 255 255 255 0 Router Serial1 1 fr dlci 300 Router interface serial 1 2 Router Seria...

Page 289: ...shooting Check whether the link layer protocols of the equipment at both ends are UP Check whether the equipment at both ends have configured or created correct address mapping for the peer Check the route table to see whether there is a route to the peer Fault 4 After the Frame Relay traffic shaping is enabled on the Frame Relay interface the small sized packets can be pinged but the large sized ...

Page 290: ...286 CHAPTER 17 CONFIGURING FRAME RELAY Check whether the Frame Relay configurations at both ends are correct Read the section of troubleshooting in Link Layer Protocol ...

Page 291: ...ure the link layer protocol of the interface to HDLC 1 Configure the Link Layer Protocol of the Interface to HDLC In synchronous interface view perform the following task Table 318 Configure the link layer protocol of the interface to HDLC By default the link layer protocol of the interface is PPP Only when the interface operates in the synchronous mode can the link layer protocol be configured to...

Page 292: ...288 CHAPTER 18 CONFIGURING HDLC Enable HDLC packet debugging debugging hdlc packet interface type number ...

Page 293: ...MAC addresses and interfaces Source route Bridging Such bridging forwards frames based on the routing indicators contained in the frames The table of correlation between destination MAC addresses and routing indicators will be determined and maintained by the end stations the starting and the ending point This bridging is found primarily in the Token Ring environments Translational Bridging Such b...

Page 294: ... picked up and the correlation between this MAC address and the interface receiving this frame will be added to the bridging address table As shown in the following figure four workstations A B C and D are distributed in two LANs Ethernet segment 1 connected with Bridge port 1 and Ethernet segment 2 connected with Bridge port 2 At a certain moment when Workstation A transmits an Ethernet frame to ...

Page 295: ...l the workstations are in use the bridge will obtain all correlation between the MAC addresses and the bridge ports as shown in the following figure Bridge Ethernet segment 1 Bridge port 1 Bridge port 2 Ethernet segment 2 00e0 fcbb bbbb 00e0 fcaa aaaa00e0 fcbb bbbb Source addressDestination address Bridging table MAC address 00e0 fcaa aaaa Port 1 00e0 fcaa aaaa 00e0 fccc cccc 00e0 fcdd dddd Workst...

Page 296: ... Workstation B the bridge will filter this frame rather than forwarding it since Workstation B and Workstation A are located on the same physical network segment Bridge Ethernet segment 1 Bridge port 1 Bridge port 2 Ethernet segment 2 00e0 fcaa aaaa Bridging table MAC address 00e0 fcbb bbbb 00e0 fccc cccc 00e0 fcdd dddd 00e0 fcaa aaaa Port 1 1 2 2 00e0 fcbb bbbb 00e0 fccc cccc 00e0 fcdd dddd Works...

Page 297: ...idges X and Y are connected with Ethernet segment 1 Once detecting a broadcasting frame both bridges will send it to all ports except the source port on which the frame is detected That is both bridges X and Y will forward this broadcast frame No forwarding Bridge Ethernet segment 1 Bridge port 1 Bridge port 2 Ethernet segment 2 00e0 fcaa aaaa 00e0 fcbb bbbb Source address Destination address Brid...

Page 298: ...g loops is an essential requirement for ensuring the bridge working normally Therefore the third function of bridge is to locate loops and block redundant ports Spanning Tree Protocol Spanning Tree Protocol STP is used to prevent redundant paths through certain algorithms A loop network is thus pruned to be a loop free tree network so as to avoid the infinite cycling of data frames in the loop net...

Page 299: ...warding data to the current subordinate bridge The path cost via a designated bridge is the lowest between the leaf nodes and root bridge Specify the designated port Designated ports are those on the designated bridge and responsible for forwarding data to the subordinate bridges The path cost of BPDUs sent on a designated port will be the lowest Specify the root port Root port refers to the one o...

Page 300: ...ted Specifically the root port and the designated ports will undergo a transitional state for an interval of forward delay to enter the forwarding state to resume the data forwarding Such a delay ensures that the new BPDU has already been propagated throughout the network before the data frames are forwarded according to the latest topology Multi Protocol Router Generally a router is called multi ...

Page 301: ...The link set can guarantee the bridging function and save the link bandwidth The solution is adding multiple parallel links to a link set Each corresponding link port can still independently take part in the spanning tree calculation which guarantees the bridging function During data forwarding each link in the link set can share loads thus utilizing all link bandwidths Configure Bridge s Routing ...

Page 302: ... the correlation between the destination MAC addresses and the ports According to it a bridge implements forwarding a Configure static address table entries Normally a bridging table is dynamically generated according to the correlation between the MAC addresses and the ports obtained by the bridge However there are still some static entries in the bridging address table which are manually configu...

Page 303: ...ollowing configuration in interface view Table 326 Disable Enable STP on ports By default STP is enabled on all ports b Configure the bridge priority Bridge Identifier is comprised of the bridge priority and the MAC address of the bridge The bridge with smallest Bridge Identifier will be elected as the root bridge of the whole spanning tree If the priorities of all the bridges in the network are t...

Page 304: ... will cause recomputation of the spanning tree If all the bridge ports adopt the same priority the smaller the port number is the smaller the port ID will be Perform the following configuration in interface view Table 329 Configure the bridge port priority By default the bridge port priority is 128 It is in the range of 0 to 255 e Configure the interval for sending BPDUs The Hello Time timer is us...

Page 305: ...g state to resume the data forwarding Such a delay ensures that the new BPDU has already been propagated throughout the network before the data frames are forwarded according to the latest topology The forward delay timer is thus used to control the interval for the system waiting to enter the Forwarding state Perform the following configuration in system view Table 331 Configure the forward delay...

Page 306: ...sses Perform the following configuration in system view Table 333 Create an ACL based on MAC Ethernet addresses By default no ACL based on MAC Ethernet addresses is created When creating an ACL based on MAC Ethernet addresses value the access list number in the range of 700 to 799 mac address is an MAC Ethernet address in the format of xx xx xx xx xx xx which is used to match the source address of...

Page 307: ...ncapsulated in the form of IEEE 802 2 on the port Operation Command Apply ACLs based on MAC addresses in the input direction of ports bridge set bridge set source mac acl acl number Remove the application of ACLs based on MAC addresses in the input direction of ports undo bridge set bridge set source mac acl acl number Apply ACLs based on MAC addresses in the output direction of ports bridge set b...

Page 308: ...ts the whole bridge set corresponding to the routed interface on the router Bridge template interface uses the same number of the bridge set represented by it All kinds of network layer attributes can be configured on the bridge template interface Each bridge set can have only one bridge template interface Perform the following configuration in system view Table 339 Configure a bridge template int...

Page 309: ... if it is configured Executing the display bridge bridge set link set command can display the configuration of the link set on each bridge as well as whether it is sharing the load 10 Configure Bridging over Frame Relay When establishing a bridge mapping between the bridge address and DLCI address should be specified Perform the following configuration in interface view Operation Command Enable th...

Page 310: ...ing over HDLC Perform the following configuration in interface view Table 348 Configure the link layer protocol of the interface to HDLC 15 Configure Bridging over VLAN Perform the following configuration in interface view Operation Command Configure a Frame Relay mapping forwarded to the bridge fr map bridge dlci broadcast Operation Command Define a dialer list dialer rule dialer group bridge per...

Page 311: ...ounters acl number Clear the entries of all the bridge sets or specified groups in the forwarding database reset bridge bridge set Clear the statistics of Spanning Tree reset stp statistics Clear the traffic statistics of bridge set on the interface reset bridge traffic Display the states of all the bridge sets display bridge set bridge set Display the information in the bridge forwarding database...

Page 312: ...rnet0 bridge set stp disable Router Ethernet0 interface serial 0 Router Serial0 link protocol ppp Router Serial0 bridge set 1 Router Serial0 bridge set 1 stp disable 2 Configure Router B Router bridge enable Router bridge 1 stp ieee Router bridge 1 learning Router bridge aging time 300 Router interface ethernet 0 Router Ethernet0 bridge set 1 Router Ethernet0 bridge set 1 stp disable Router Ethern...

Page 313: ...r Serial0 fr interface type dce Router Serial0 fr dlci 50 Router Serial0 bridge set 1 Router Serial0 fr map bridge 50 broadcast Router Serial0 interface ethernet 0 Router Ethernet0 bridge set 1 Router Ethernet0 bridge set 1 stp disable 2 Configure Router B Router fr switching Router bridge enable Router bridge 1 stp ieee Router interface serial 0 Router Serial0 link protocol fr Router Serial0 fr i...

Page 314: ...pp Router Serial1 dialer enable legacy Router Serial1 dialer group 1 Router Serial1 dialer route bridge broadcast 660074 Router Serial1 bridge set 1 Router Serial1 interface serial 0 Router Serial0 standby interface Serial 1 Router Serial0 bridge set 1 Router Serial0 interface ethernet0 Router Ethernet0 bridge set 1 Router Ethernet0 bridge set 1 stp disable 2 Configure Router B Router bridge enabl...

Page 315: ...outer Serial1 dialer enable legacy Router Serial1 dialer group 1 Router Serial1 dialer route bridge broadcast 660074 Router Serial1 bridge set 1 Router Serial1 interface serial 0 Router Serial0 standby interface Serial 1 Router Serial0 bridge set 1 Router Serial0 interface ethernet0 Router Ethernet0 bridge set 1 Router Ethernet0 bridge set 1 stp disable 2 Configure Router B Router bridge enable Ro...

Page 316: ...rocedure Router bridge enable Router bridge routing enable Router bridge 1 stp ieee Router interface ethernet1 Router Ethernet1 bridge set 1 Router Ethernet1 interface ethernet2 Router Ethernet2 bridge set 1 Router Ethernet2 interface bridge template 1 Router Bridge Template1 ip address 1 1 1 1 255 255 0 0 Router Bridge Template1 interface ethernet0 Router Ethernet0 ip address 2 1 1 1 255 255 0 0 ...

Page 317: ...ter Ethernet2 bridge set 2 Router Ethernet2 interface ethernet 0 1 Router Ethernet0 1 vlan type dot1q vid 1 Router Ethernet0 1 bridge set 1 Router Ethernet0 1 interface ethernet 0 2 Router Ethernet0 2 vlan type dot1q vid 2 Router Ethernet0 2 bridge set 2 2 Configure Router B Router bridge enable Router bridge 1 stp ieee Router bridge 2 stp ieee Router interface ethernet 1 Router Ethernet1 bridge s...

Page 318: ...et0 bridge set 1 Router Ethernet0 interface serial0 Router Serial0 bridge set 1 Router Serial0 bridge set 1 link set 1 Router Serial0 interface serial1 Router Serial1 bridge set 1 Router Serial1 bridge set 1 link set 1 2 Configure Router B Router bridge enable Router bridge 1 stp ieee Router interface ethernet 0 Router Ethernet0 bridge set 1 Router Ethernet0 interface serial0 Router Serial0 bridge...

Page 319: ...RK PROTOCOL Chapter 20 Configuring IP Address Chapter 21 Configuring IP Application Chapter 22 Configuring IP Performance Chapter 23 Configuring IP Count Chapter 24 Configuring IPX Chapter 25 Configuring DLSw ...

Page 320: ...316 ...

Page 321: ...ress of Internet is divided into five classes An IP address consists of the following 3 fields Type field also called type bit used to distinguish the type of IP address Network ID field net id Host ID field host id Figure 117 Classification of IP address Address of class D is a multicast address mainly used by IAB Internet Architecture Board Address of class E is reserved for future use At presen...

Page 322: ...te management Please note that the division of sub nets is Network class IP network range Description A 1 0 0 0 126 0 0 0 Network IDs with all the digits being 0 or all the digits being 1 are reserved for special use Host ID with all the digits being 0 indicates that the IP address is the network address and is used for network routing Host ID with all the digits being 1 indicates the broadcast ad...

Page 323: ...t IDs which is less than the sum before sub net classification If there is no sub net division in an enterprise then its sub net mask is the default value and the length of 1 indicates the net id length Therefore for IP addresses of classes A B and C the default values of corresponding sub net mask are 255 0 0 0 255 255 0 0 and 255 255 255 0 respectively A router connecting multiple sub nets will ...

Page 324: ...ch one is the master IP address and the others are slave IP addresses Any two IP addresses of a router cannot be in the same network segment Perform the following configuration in interface view 1 Configure master IP address of an interface For each interface of a router multiple IP addresses can be configured among which one is the master IP address and the rest are slave IP addresses Two IP addr...

Page 325: ...ent with each other and they cannot be on the same network segment with the master IP address Otherwise the system will prompt IP address configured now conflicts with others If the interface is not configured with the master IP address the first configured IP address will become the master IP address automatically When there are slave IP addresses on the interface the master IP address cannot be ...

Page 326: ...an interface has no IP address it can neither generate any route nor forward any message IP Address Unnumbered is used when you want to use an interface with no IP address In such case an IP address will be borrowed from another interface If the lending interface has multiple IP addresses then only the master one can be borrowed However if the lending interface has no IP address then the IP addres...

Page 327: ...headquarters router R Router Ethernet0 ip address 172 16 10 1 255 255 255 0 a Borrow IP address of Ethernet interface 0 Router Serial0 ip address unnumbered Ethernet0 Router Serial0 link protocol ppp b Configure routing to Ethernet segment of Shenzhen router R1 Router ip route static 172 16 20 0 255 255 255 0 172 16 20 1 c Configure the interface routing to Shenzhen router R1 serial port Router ip...

Page 328: ...e configured on R1 to access the Ethernet segment of router R The first static routing is to Ethernet segment of R the next hop is the IP address of serial port of R or an unnumbered IP address ip route static 0 0 0 0 0 0 0 0 172 16 10 1 The second static route is an interface route to the serial port of R and the next hop is the serial port of R1 ip route static 172 16 10 1 255 255 255 255 serial...

Page 329: ... pinged through by other ports Map between WAN Interface IP Address and Link Layer Protocol Address In a router you shall maintain both the mapping from an Ethernet interface IP address to an MAC address and that from a WAN interface IP address to a link layer protocol address Namely there are the following types On a dialup interface such as an asynchronous serial port or ISDN interface mapping b...

Page 330: ...326 CHAPTER 20 CONFIGURING IP ADDRESS ...

Page 331: ...e item In some special cases for example the LAN gateway is assigned with a fixed IP address and bound to a specific network adapter so that packets to this IP address can only go out via this gateway While filtering illegal IP addresses if they are bound to a non existing MAC address it is necessary for user to configure mapping items in the static ARP table manually In the system view configure ...

Page 332: ... submits it to superior domain name resolution server if the domain name is not within local domain till the resolution is completed The result can either be an IP address or a non existing domain name which will be fed back to the user Static resolution sets relationships between domain names and IP addresses manually When a client requires an IP address corresponding to a domain name it searches...

Page 333: ...m Router series is implemented by Ethernet interface and it supports IP and IPX packet In order to save port resources several subinterfaces can be encapsulated on one Ethernet interface and every subinterface acts as an independent Ethernet interface Therefore a physical Ethernet interface can implement data forwarding between several VLANs as shown in the figure below Figure 121 Networking diagr...

Page 334: ...VLAN on which Ethernet subinterface is located In order to enable a certain Ethernet subinterface to receive and transmit VLAN message it is necessary to specify to which VLAN the subinterface belongs i e to specify the ID number of the VLAN Please implement the following configuration under Ethernet subinterface view Table 363 Specify the VLAN on which Ethernet subinterface is located By default ...

Page 335: ...t subinterface can be set only when this subinterface has finished the configuration of VLAN ID Display and Debug VLAN Table 365 Display and Debug VLAN Typical VLAN Configuration Example I Networking Requirements Two PCs respectively belongs to two VLANs and a router is used to implement data forwarding between two different VLANs II Networking Diagram Figure 123 Networking diagram for configuring...

Page 336: ... Vlan id 003 Including ports Port 1 YES Port 2 NO Port 3 YES Unknown Vlan Discard Vlan index 1 Vlan id 004 Including ports Port 1 NO Port 2 YES Port 3 YES Fault Diagnosis and Troubleshooting of VLAN Fault Ping the IP address of the Ethernet subinterface in the same VLAN from a PC but fails Troubleshooting The steps below can be taken Use display interface ethernet 0 1 command or display interface ...

Page 337: ...nt can dynamically request configuration information from a DHCP server including important parameters such as assigned IP addresses subnet masks and default gateways etc DHCP server can also conveniently configure this information dynamically for DHCP clients DHCP vs BOOTP Both BOOTP and DHCP adopt the client server communication mode A client applies to the server for configurations including th...

Page 338: ... at the same time it is difficult to centralize the management of the overall network Hosts on the network are more than the IP addresses supported by this network That is a fixed IP address cannot be allocated to each host For example Internet accessing operators are in this situation Numerous users must dynamically obtain their own IP addresses through the DHCP service and the number of simultan...

Page 339: ...e offered IP address and other settings to the DHCP client advising that the offered IP address can be used Then the DHCP client will bind its TCP IP suite with the network card Except the server selected by the DHCP client other DHCP servers will use their unallocated IP addresses for the applications of other clients for IP addresses DHCP client logs into the network again Once the DHCP client l...

Page 340: ...th the MAC address of the client b IP address that was used by the client c Address in the requested IP address option contained in the DHCP_Discover message sent by the client d IP address that is first found when searching for the IP addresses available for allocation in the DHCP address pool in sequence e Report the error if no IP address is available for allocation after going through the abov...

Page 341: ... an IP address the DHCP server will choose an appropriate address pool according to a certain algorithm it will select an idle IP address from this address pool and transmit it together with other parameters e g DNS server address the lease period of the address and so on to the client Each DHCP server can be configured with 1 and more address pools Up to 50 address pools are supported An address ...

Page 342: ...p address and static bind mac address are conflicting In other words a DHCP address pool can be used either to configure statically binding addresses or the dynamic addresses but not both b Configure the dynamic IP addresses allocated to clients For the addresses dynamically allocated to the clients including the permanent dynamic addresses and those dynamic addresses with a limited lease period i...

Page 343: ...sses are assumed to participate in auto allocation This command can be superimposed That is the latest and the original configurations will take effect simultaneously When using the undo dhcp server forbidden ip command to delete the address excluding setting make sure that the parameters are totally consistent with those originally configured That is do not delete only some addresses originally c...

Page 344: ...f DHCP clients By default the domain names allocated to DHCP clients are not configured 8 Configure IP Address of DNS Used by DHCP Clients When a computer accesses the Internet through the domain name the domain name should be resolved to IP addresses To access the DHCP client to the Internet a DHCP server specifies the DNS address for the client when allocating the IP address to it Each DHCP addr...

Page 345: ...between host names and IP addresses There are four types of NetBIOS nodes for obtaining mapping relations b node Obtain the mapping between them by means of broadcast p node Obtain the mapping relation by means of communicating with a NetBIOS server m node p node owning part of the broadcasting features h node b node owning the peer to peer communicating mechanism Perform the following configurati...

Page 346: ...ver ping packets Configure the longest time waiting for response after ping packets are sent by the DHCP server dhcp server ping timeout milliseconds Restore the longest time waiting for response after ping packets are sent by the DHCP server to the default value undo dhcp server ping timeout Operation Command Configure DHCP self defined options option code ascii ascii string hex hex string hex st...

Page 347: ...ss lease period is 10 days and 12 hours the domain name is 3com com The DNS address is 10 1 1 2 without NetBIOS address and the outgoing router address is 10 1 1 126 In the segment 10 1 1 128 the address lease period is 5 days the DNS address is 10 1 1 2 the NetBIOS address is 10 1 1 4 and the outgoing router address is 10 1 1 254 II Networking Diagram Figure 126 DHCP server and clients reside in ...

Page 348: ...c addresses Configure DHCP Relay As the scale of networks grows and their complexities increase network configurations become more and more complex The original BOOTP protocol for static host configuration cannot satisfy the demands of users especially on the occasions when computers are always on the move e g using laptops or wireless network and the number of actual computers exceeds that of the...

Page 349: ...ddresses For example transmit TFTP and DNS protocol messages transparently to corresponding servers To implement the DHCP relay users have to configure IP auxiliary addresses to specify the DHCP server addresses Configure DHCP Relay DHCP configuration includes Configure interface relay address Configure transparent transmission forwarding protocol 1 Configure interface relay address To implement D...

Page 350: ... host is in the network segment 10 110 0 0 while DHCP server is in the network segment 202 38 0 0 DHCP relay router needs to relay DHCP messages so that DHCP client hosts can obtain configuration information such as IP address from DHCP server through application DHCP server should be assigned with an address pool in network segment 10 110 0 0 so that it can assign proper address information to th...

Page 351: ...hernet interface of the DHCP relay router processes and sends it to the helper address of the interface i e the DHCP server The DHCP server returns the generated reply message to the DHCP relay router then the router notifies the DHCP client host of the reply message Configuration example of transparent transmission forwarding protocol I Configuration Requirements The host and TFTP server should n...

Page 352: ...iguration information Troubleshooting perform as follows Check whether the DHCP server is configured with the address pool of the network segment where the DHCP client host is located Check whether the DHCP relay router and the DHCP server have routes reachable to each other Check whether the DHCP relay router is configured with the correct helper address on the client host interface and whether m...

Page 353: ...resses according to their forecast of the number of internal host computers and networks in future The internal network addresses of different enterprises can be the same Disorders are most likely to occur if a company select the network segments outside the three ranges above as the internal network address Under which condition should the address be translated As shown in the diagram above The a...

Page 354: ... mechanism of address translation is to translate the IP address and port number of the host computer in the network to the external network address and port number to implement the translation from internal address port number to external address port number Characteristic of Network Address Translation NAT Transparent address allocation to the user allocation of the external addresses Achievemen...

Page 355: ...translated source address Please process the following configurations in the system view Table 383 Configure address pool All the addresses in the address pool should be consecutive For the most 64 addresses can be defined in each address pool An address pool can not be deleted if it is correlated to one access control list and address translation has started 2 Configure the correlation between th...

Page 356: ...s EASY IP feature It refers to taking the IP address of the interface as the translated source address directly during the course of address translation which is applicable to two conditions In dial view the user hopes to take the interface IP address obtained through negotiation as the translated source address or the user hopes to take the IP address of the interface itself as the translated sou...

Page 357: ... TCP UDP IP or ICMP 5 Configure the Timeout of address translation As the HASH table used in the address translation can t be saved permanently the user can set up the Timeout of address translation for TCP UDP and ICMP protocol If this address is not used for translation within the time set up the system will delete the link Please process the following configurations in the system view Table 387...

Page 358: ...ernal FTP server address is 10 110 10 1 using the public network address 202 38 160 101 The internal WWW server1 address is 10 110 10 2 The internal WWW server 2 address is 10 110 10 3 using the 8080 port for external communications and the two WWW servers both use the public network address 202 38 160 102 The internal SNMP server address 10 110 10 4 It is expected to provide uniform server IP add...

Page 359: ...l c Set internal FTP server Router Serial0 nat server global 202 38 160 101 inside 10 110 10 1 ftp tcp d Set internal WWW server 1 Router Serial0 nat server global 202 38 160 102 inside 10 110 10 2 www tcp e Set internal WWW server 2 Router Serial0 nat server global 202 38 160 102 8080 inside 10 110 10 3 www tcp f Set internal SNMP server Router Serial0 nat server global 202 38 160 103 inside 10 1...

Page 360: ...egacy Router Serial0 dialer group 1 Router Serial0 dialer number 169 3 Correlate the address translation list and the interface Router Serial0 nat outbound 1 interface 4 Configure a default route to serial 0 Router ip route static 0 0 0 0 0 0 0 0 serial 0 Troubleshooting NAT Configuration Fault 1 Address translation abnormal Troubleshooting Turn ON the debug switch for NAT and refer to debugging n...

Page 361: ...cess the internal server normally check the configuration on the internal server host or the internal server configuration on the router It s possible that the internal server IP address is wrong or that the firewall has inhibited the external host to access the internal network Use the command display rule for further check ...

Page 362: ...358 CHAPTER 21 CONFIGURING IP APPLICATION ...

Page 363: ...e The serial port mtu ranges from 128 to 1500 bytes and 1500 bytes is default value The BRI port mtu value ranges from 128 to 1500 bytes and 1500 bytes is default value 2 Configure Queue Length Perform the following task in system view Table 390 Configure queue length The range of the receiving queue length of all the protocols is 10 1000 bytes and 75 bytes is the default value 3 Configure Router ...

Page 364: ...re TCP Timers The following TCP timers can be configured Synwait timer When a syn message is sent TCP starts the synwait timer If no response message is received till synwait timeout TCP connection will be terminated Finwait timer When the TCP connection status changes from FIN_WAIT_1 to FIN_WAIT_2 the finwait timer is started If no FIN message is received till the finwait timer timeout then TCP c...

Page 365: ...a default value of 75 seconds The Finwait timer s timeout ranges between 76 3600 seconds with a default value of 675 seconds The value of window size ranges between 1 32Kbytes with a default value of 4Kbytes Configure the size of the receiving and sending window for TCP Socket tcp window size ...

Page 366: ...gh speed link interfaces such as Ethernet synchronous PPP frame relay and HDLC Besides the 3Com Router also supports Fast forwarding when firewall is configured Fast forwarding implemented via the 3Com Router contains the following features Support fast forwarding on all types of high speed link interfaces including Ethernet synchronous PPP frame relay and HDLC etc Provide fast forwarding when the...

Page 367: ...t again when IP messages pass the same interface Otherwise ICMP reorientation messages needs to be sent while messages are forwarded Display and Debug IP Performance Table 398 Display and Debug IP address Disable fast forwarding on the interface undo ip fast forwarding Operation Command Configure a fast forwarding table size ip fast forwarding cache size 4k 16k 64k 256k 1m Restore the default fast...

Page 368: ...1 Destination port 4296 Use the debugging tcp command to turn on the TCP debugging switch and trace the TCP data packet TCP has two data packet format options one is to debug and trace the receiving sending of TCP packets in all TCP connections with this equipment as one end The specific operation is as follows Router info center enable Router debugging tcp packet The TCP packets received or sent ...

Page 369: ... been enabled on the output interface Ethernet1 the statistics will be made on the flows transmitted from this interface to the network B A flow destined for the B network can be identified by an IP triplet source address destination address and protocol Through the statistics that has been made you can know the outgoing traffic size If a firewall for filtering outgoing packets has been configured...

Page 370: ...for accounting entries in Interior List Configure upper threshold for accounting entries in Exterior List Configure timeout time of IP Count statistics list entries 1 Enable IP Count Service This command can be used to enable or disable IP Count service You can configure IP Count to make statistics on the packets that the router has input or output depending on the specific requirements on the rou...

Page 371: ... of exterior that is the max entries number of the packets incompliant with the IP Count lists Perform the following configuration in system view Table 402 Specify count maximum of exterior Operation Command Set IP Count to make statistics on the input packets on the current interface ip count inbound packets Disable IP Count to make statistics on the input packets on the current interface undo ip...

Page 372: ...y exists before it times out By default IP Count entries time out after 720 minutes Display and Debug IP Count Table 405 Display and debug IP Count Typical Configuration Example I Networking Requirements As shown in Figure 4 1 the router is connected to PC1 and PC2 via the interface Ethernet0 and to PC3 and PC4 via Ethernet1 The router is required to make statistics on the packets that the router ...

Page 373: ... 10 2 2 Execute the display command of IP Count to view the IP Count statistics Router display ip count inbound packets interior Input packets in Interior list Src Dst Packets Bytes Protocol 169 254 10 1 169 254 10 2 5 420 ICMP Router display ip count outbound packets interior Output packets in Interior list Src Dst Packets Bytes Protocol 169 254 10 2 169 254 10 1 5 420 ICMP Troubleshooting Fault ...

Page 374: ...370 CHAPTER 23 CONFIGURING IP COUNT ...

Page 375: ...formation table and then forward them out IPX address IPX address consists of network and node represented as network node Network number is the unique identifier of the physical network which is 4 byte long and is expressed by eight hexadecimal digits The preamble 0 can be omitted and not input Node value is of 6 bytes long the unique identifier of one node Every two bytes are followed by and the...

Page 376: ...s of RIP Figure 135 Schematic diagram of the relation between main components of RIP SAP SAP is an abbreviation for Service Advertising Protocol SAP allows providing various service nodes such as file server print server NetWare access server and remote control console server and broadcasting their service types and addresses When servers start they broadcast their services through SAP and when se...

Page 377: ...X frame Configure IPX on WAN 1 Activate Deactivate IPX Perform the following task in system view Table 406 Activate deactivate IPX If the node of a router is not specified then the router will use the MAC address of its first Ethernet interface as its node address 2 Enable IPX Interface After activating the IPX function of a router each independent interface must be assigned with a network ID so t...

Page 378: ... interrupted and the message will be sent to a destination that does not exist Perform the following task in system view Table 408 Configure IPX RIP static route By default there is no static route The default priority of IPX static route is 10 and that of IPX dynamic route is 60 Smaller value indicates higher priority of the route For default route the value of network node should be FFFFFFFE Aft...

Page 379: ...red exceeds 1 the system will implement load sharing function automatically Reuse multiple paths to send data Configuring parallel routes can decrease the possibility of congestion but occupy relatively large memory Parallel routes are not recommended when the memory is not abundant however to configure parallel routes can reduce the probability of blockage Perform the following task in system vie...

Page 380: ... the route related to the static service information is invalid or deleted the static service information will be prevented from broadcasting until the router finds a new valid route related to the service information Perform the following task in system view Table 415 Configure static service information table item By default the priority of static service information is 10 and that of dynamic se...

Page 381: ...ll reply to GNS request with the service information of the nearest server There may also be exceptions if the nearest server is local server then the router will not reply to the GNS request from this network segment Please configure ipx sap gns round robin command in system view and configure ipx sap gns disable reply command in interface view Table 419 Configure reply to SAP GNS request By defa...

Page 382: ...erface 6 Disable Split Horizon Split horizon algorithm can avoid generating route loop Split horizon means that routes received from a specific interface are not to be sent from this interface In special circumstances split horizon shall be disabled sacrificing efficiency to achieve correct transmission of routes It is recommended not to disable the RIP split horizon unless necessary Disabling spl...

Page 383: ...ernet interface is Ethernet 802 3 and that on WAN interface is PPP 10 Configure IPX on WAN In the 3Com Router series commands such as dialer route fr map and x25 map can be used to configure mapping from IPX address to link layer address so as to run IPX on WAN For detailed configurations refer to relative chapters in Link Layer Protocol Operation Command Configure the Delay of Interface Sending I...

Page 384: ...tion Procedure 1 Configure Router A a Activate IPX Router ipx enable b Activate IPX module on interface Ethernet0 the network ID being 2 Router interface ethernet 0 Router Ethernet0 ipx network 2 c Set encapsulation format of packets on Ethernet interface to Ethernet_II Router Ethernet0 ipx encapsulation ethernet 2 Router Ethernet0 exit Operation Command Display interface status and interface para...

Page 385: ...dialing rules Router dialer rule 1 ipx permit 2 Configure Router B a Activate IPX module Router ipx enable b Activate IPX function on interface Ethernet0 the network ID being 3 Router interface ethernet 0 Router Ethernet0 ipx network 3 c Set encapsulation format of packets on Ethernet interface to Ethernet_SNAP Router Ethernet0 ipx encapsulation snap Router Ethernet0 quit d Activate IPX module on ...

Page 386: ... i Configure an information about Server1 directory service Router ipx service 26B tree 937f 0000 0000 0001 5 hop 2 Router ipx service 278 tree 937f 0000 0000 0001 4006 hop 2 j Configure dialing rules Router dialer rule 1 ipx permit ...

Page 387: ...e remote end through TCP channel across WANs and transforms SSP frame into the corresponding frame in LLC2 format at the remote end site finally sends the latter to the next hop SNA equipment In another words DLSw makes the local terminating equipment think the remote equipment locates in the same network With the differences from transparent bridge DLSw transforms the original LLC2 protocol frame...

Page 388: ... establishing DLSw connection To create TCP channel you have to firstly configure DLSw local peer entity in order to specify the IP address of the local end for establishing TCP connection then the request sent by the remote end router can be received for establishing TCP connection One router can only configure one local peer entity Please process the following configurations in the system view T...

Page 389: ...ridge technology Bridge set is a unit for forwarding by bridge Several Ethernet ports can be configured into a Bridge set in order to forward messages among them To forward the messages of the specified Bridge set to the remote end over TCP connection you need to use this command to connect a local Bridge set to DLSw In another words the messages of the local Bridge set can be forwarded to the rem...

Page 390: ...ts role is primary The other part is the secondary station that is controlled in a passive mode and its role is secondary Subscribers need to configure role for the interface encapsulated with SDLC protocol Please process the following configurations in the synchronous interface view Table 433 Configure SDLC role SDLC role shall be configured according to the role of SDLC equipment connecting with...

Page 391: ...harer or SDLC switch One primary equipment can be connected with several secondary equipment and the relationship is unique However connection cannot be established between secondary equipment It can ensure that communication normally operates in one group of SDLC equipment only if the addresses of secondary equipment are identified This command is used to specify SDLC address for virtual circuit ...

Page 392: ...identities each other by exchanging XID PU2 0 equipment does not exchange XID and it does not include XID Thus PU2 1 equipment does not need this command but you have to specify a XID for PU2 0 equipment Please process the following configurations in the synchronous interface view Table 437 Configure XID of SDLC By default synchronous interface is not configured with XID of SDLC 11 Configure to Ad...

Page 393: ...NRZ encoding mode but the encoding mode of the serial ports in some SNA equipment uses NRZI So you need to change the encoding of routers according to the encoding mode used by the connected equipment This command is used to change the encoding mode of synchronous serial interface Please process the following configurations in the synchronous interface view Table 441 Configure encoding mode of syn...

Page 394: ...al Acknowledgement Delay Time The message transmitted by SNA over Ethernet is LLC2 message Some working parameters of LLC2 can be modified by configuring the commands related to LLC2 LLC2 local acknowledgement delay time refers to max wait time of delay acknowledgement when receiving a piece of LLC2 data message Please process the following configurations in the Ethernet interface view Table 444 C...

Page 395: ...e view Table 446 Configure LLC2 premature acknowledgement window By default the length of LLC2 local acknowledgement window is 7 d Configure Modulo Value of LLC2 LLC2 uses modulo mode to number the information message like X25 protocol The modulo value is 8 or 128 Ethernet generally uses modulo 128 Please process the following configurations in the Ethernet interface view Table 447 Configure modul...

Page 396: ... refers to duration waiting for correct information frame after sending frame P Please process the following configurations in the Ethernet interface view Table 451 Configure P F wait time of LLC2 By default P F wait time of LLC2 is 5000 ms i Configure REJ Status Time of LLC2 REJ status time of LLC2 refers to duration waiting for correct information frame after refusing frame Please process the fo...

Page 397: ...able 455 Configure SDLC local acknowledgement window By default the length of SDLC local acknowledgement window is 7 c Configure Modulo Value of SDLC SDLC uses modulo mode to number the information message like X25 protocol The modulo value is 8 or 128 SDLC generally uses modulo 8 Please process the following configurations in the synchronous interface view Table 456 Configure modulo value of SDLC...

Page 398: ... 20 f Configure Poll Time Interval of SDLC Poll time interval of SDLC refers to wait time interval between two SDLC nodes polled by SDLC primary station Please process the following configurations in the synchronous interface view Table 459 Configure poll time interval of SDLC By default the poll time interval of SDLC is 100 ms g Configure SAP address for transforming SDLC to LLC2 When transformin...

Page 399: ...SDLC primary station By default the acknowledgement wait time T1 of SDLC primary station is configured to be 3000 ms j Configure Acknowledgement Wait Time T2 of SDLC Secondary Station Acknowledgement wait time T2 of secondary station refers to the duration that the secondary station waits for acknowledgement from primary station after sending information frame Please process the following configur...

Page 400: ...splay performance exchange information display dlsw information local ip address ip address Display Information about DLSw circuits running in the router display dlsw circuits circuit id verbose Display remote end peer entity information display dlsw remote ip address ip address Clear entry buffer memory information of Bridge set reset dlsw circuits circuit id Clear virtual circuit information deb...

Page 401: ...te 10 120 25 1 Router dlsw bridge set 7 Router interface ethernet 0 Router Ethernet0 bridge set 7 Thus the two LANs across WAN are connected together Note that we don t list the related IP commands here but you have to make sure that IPs of the configured local peer and remote peer can be intercommunicated each other The notes apply for the following sections DLSw Configuration of SDLC SDLC I Netw...

Page 402: ... 11 Router dlsw bridge set 1 Router interface serial 1 Router Serial1 link protocol sdlc Router Serial1 baudrate 9600 Router Serial1 code nrzi Router Serial1 sdlc status primary Router Serial1 sdlc mac map local 00 00 22 22 00 00 Router Serial1 sdlc controller c1 Router Serial1 sdlc mac map remote 00 00 11 11 00 c1 c1 Router Serial1 bridge set 1 Transform Configuration from SDLC LAN Remote End Med...

Page 403: ... c2 Router Serial0 sdlc xid c2 03e00002 Router Serial0 sdlc mac map remote 00 14 cc 00 54 af c2 Router Serial0 bridge set 1 Router Serial0 interface serial 1 Router Serial1 link protocol sdlc Router Serial1 baudrate 9600 Router Serial1 code nrzi Router Serial1 sdlc status primary Router Serial1 sdlc mac map local 00 00 22 22 00 00 Router Serial1 sdlc controller c3 Router Serial1 sdlc mac map remot...

Page 404: ...router and SNA equipment mainly the problem of SDLC configuration Firstly open the debugging switch of SDLC to observe if the SDLC interface can receive and send messages successfully You can use display interface command to observe the condition of receiving and sending messages on the interface If the messages can t be received and sent correctly it is generally because something is wrong with t...

Page 405: ...Diagnosis and Troubleshooting of DLSw Fault 401 active equipment of SDLC such as AS 400 or S390 is activated Sometimes communication can be implemented after you activate SDLC line manually ...

Page 406: ...402 CHAPTER 25 CONFIGURING DLSW ...

Page 407: ...6 IP Routing Protocol Chapter 27 Configuring Static Routes Chapter 28 Configuring RIP Chapter 29 Configuring OSPF Chapter 30 Configuring BGP Chapter 31 Configuring IP Routing Policy Chapter 32 Configuring IP Policy Routing ...

Page 408: ...404 ...

Page 409: ...he hops from a router to the local network host total 0 In the diagram the bold arrows represent the hops The router does not handle data transmission through the physical links in each route unit Figure 142 Concept of route segment Networks vary in size so the actual length of each hop is also different Therefore for different networks the route segments can be multiplied by a weight coefficient ...

Page 410: ...d to IP routing table Determines the best route There may be different next hops to the same destination These routes can be found by different routing protocols or they may be static routes configured manually The route with higher priority smaller value is the best route The user can configure multiple routes with different priorities to the same destination and select one to forward messages Ac...

Page 411: ...mined only by a unique routing protocol As a result every routing protocol including static route is assigned a priority When there are multiple route information sources the route found by higher priority routing protocols become the current route The routing protocols and their default routing priorities the less the value the higher the priority are shown in the Table 465 Here 0 stands for a di...

Page 412: ...uter will send data through the main path When a fault occurs on the line the route will be hidden and router will select the backup route with second highest priority for data transmission In this way the switchover from the active interface to the backup interface is implemented When the main path is recovered the router recovers the route and begins reselecting routes Since the recovered route ...

Page 413: ...nreachable route When a static route to a certain destination has the reject attribute all IP packets to this destination are discarded and destination unreachable information is given Black hole route When a static route to a certain destination has black hole attribute all IP packets to this destination will be discarded Here the attributes reject and blackhole are normally used to control the s...

Page 414: ...pecify the transmitting interfaces in the following cases For interfaces that support resolution from the network address to the link layer address like Ethernet interface supporting ARP if a host address has been specified for Ip address and mask or mask length and if the destination address is in a network directly connected to this interface then you can specify the transmitting interface For a...

Page 415: ...configuring multiple routes to the same destination if the same preference is designated load balancing can be realized If different preferences are designated route standby can be realized Other parameters The reject and blackhole attributes refer to unreachable routes and black hole routes respectively Configuring a Default Route Perform the following configurations in system view Table 467 Conf...

Page 416: ... 2 1 RouterC ip route static 1 1 4 0 255 255 255 0 1 1 3 2 Troubleshooting a Static Route Configuration The status of the physical interface and link layer protocol is UP but IP packets cannot be forwarded normally Troubleshooting Use the display ip routing table static command to check whether related static routes are configured correctly or not Use the display ip routing table command to see wh...

Page 417: ...sions RIP 1 and RIP 2 RIP 2 supports simple text authentication and MD5 authentication as well as the variable length sub net masks To improve performance and prevent route loops RIP supports split horizon poisoned reverse using triggered update This allows the importation of routes that are obtained by other routing protocols Each router that runs RIP manages a database that includes route items ...

Page 418: ...me and effective Though RIP is widely used by most of the router manufacturers it has limitations It supports a very limited number of routers RIP is only suitable to small autonomous systems such as most campus networks and local networks with simple structure and high continuity The route calculations depend on a fixed metric RIP cannot update its metric in real time to adapt to network changes ...

Page 419: ...e following configurations in RIP view Table 470 Enable RIP at the Specified Network The undo network command is associated with RIP by default after RIP is enabled After enabling RIP you must specify a list of networks with the RIP since RIP works only on the interface of specified network segment RIP won t receive or forward a route on interfaces of non specified network segments and it function...

Page 420: ...nsmits the broadcast packets of RIP 1 and RIP 2 but does not receive RIP 2 multicast messages When RIP 2 is running on the interface the interface can receive and transmit RIP 1 and RIP 2 broadcast packets but cannot receive RIP 2 multicast packets When the interface runs in RIP 2 multicast mode it receives and transmits the RIP 2 multicast packets and does not receive the RIP 1 and RIP 2 broadcas...

Page 421: ...n undo network mode routes of related interfaces are not forwarded as if an interface was missing In addition rip work functions similar to the combination of two commands rip input and rip output Disabling Host Routes In some special cases a router may receive large number of host routes from the same network segment These routes consume lots of network resources and are of little use to route ad...

Page 422: ... that the unencrypted authentication is transmitted with the packets therefore simple text authentication does not apply to a situation that requires a high level of security MD5 authentication has two message formats in compliance of the requirements of RFC1723 RIP Version 2 Carrying Additional Information and RFC2082 RIP Version 2 MD5 Authentication 3Com routers support both formats Perform the ...

Page 423: ...ing domain that can be imported At present RIP can import routes domain such as Connected Static OSPF OSPF ASE and BGP See Configure Route Import in Configuration of IP Routing Policy for the details of importing routes Specifying Default Route Metric Value for RIP The import route command is used to import routes of other routing protocols If import route is not followed by the value of a routing...

Page 424: ...te Preference Each routing protocol has its own preference that decides which routing protocol is used to select the best route by IP route strategy The greater the value is the lower the preference RIP preference can be set manually Perform the following configurations in RIP view Table 482 Set Route Preference By default the RIP route preference is 100 Configuring Route Distribution for RIP Perf...

Page 425: ...l number ip prefix prefix list name import Change or cancel filtering routing information received undo filter policy acl number ip prefix prefix list name import Filter routing information received from a specified gateway and the routing information received according to prefix list filter policy ip prefix prefix list name gateway prefix list name import Change or cancel filtering the routing in...

Page 426: ...RouterA rip RouterA rip network 192 1 1 0 2 Configure Router A s unicast peer to be Router B RouterA rip peer 192 1 1 2 3 Configure serial interface Serial 0 RouterA rip interface serial 0 RouterA Serial0 ip address 192 1 1 1 255 255 255 0 Troubleshooting RIP No updating messages can be received when the physical connection works well This may have the following cause RIP is not running on the cor...

Page 427: ...r abstracted reducing the bandwidth occupation in the network Equivalent route support multiple equivalent routes to the same destination address Route level the four levels of routes according to different priorities intra area routes inter area routes external route class 1 and external route class 2 Authentication support interface based message authentication to ensure the security of the rout...

Page 428: ...asting it to record additional information for the AS Obviously each router gets a different routing table In addition multiple adjacent relationship lists must be created so that each router on the broadcast network and NBMA network can broadcast the local status information such as available interface information and reachable peer information to the whole system Consequently the route change of...

Page 429: ... not been configured with IP addresses the router ID must be configured in OSPF view otherwise OSPF will not run The modified router ID takes effect after OSPF is restarted You must configure the router ID which must be the same as the IP address of a specific interface of this router Perform the following configurations in system view Table 487 Specify Router ID Please note when modifying the rou...

Page 430: ...an area id associated with the specified interface OSPF only works on the specified interface Configuring the Network Type of the OSPF Interface The OSPF protocol calculates the route on the basis of the topological structure of the neighboring network of this router Each router describes the topology of its neighboring network and transmits this information to all other routers OSPF divides the n...

Page 431: ... to multipoint is not a default network type No link layer protocol can be considered as a point to multipoint protocol because it must be a modification from other network types The most common practice is to change the not fully connected NBMA to a point to multipoint network An NBMA network sends messages in unicast mode and the peer must be configured manually In point to multipoint network me...

Page 432: ...map to make the whole network fully connected so there is a virtual circuit between any two routers ont eh network and they are directly reachable Then OSPF can process like a broadcast network The IP address of the adjacent router and whether it has a voting right must be specified manually for the interface because the adjacent router cannot be found dynamically by broadcasting hello packets Per...

Page 433: ...iorities are equivalent the one with higher router ID is chosen If the priority of a router is 0 it is not selected as the DR or backup designated router BDR If a DR fails due to a specific fault a new DR must be elected with synchronization This can take a long time during which the route calculation is not correct To shorten the process OSPF puts forward the concept of the backup designated rout...

Page 434: ...nbma interfaces on the same network segment must be identical Specifying the Dead Interval The expiration time of a neighboring router means that if a hello packet of the neighbor router peer is not received within a certain period the neighbor router is invalid You can specify the dead timer the period where the peer route fails The value of the dead timer must be at least 4 times the value of th...

Page 435: ...ew Table 497 Specify Transmit delay By default the time for transmit delay is 1 second Configuring a Stubby Area and a Totally Stubby Area Usually OSPF has 5 kinds of LSA packets as follows Router LSA Generated by each router and transmitted to the whole area describing link status and cost of the router Network LSA Generated by the DR and transmitted to the whole area describing the link status o...

Page 436: ...st be configured with this attribute An ASBR cannot be inside a stubby area or a totally stub area which means that the exterior route of the AS cannot be transferred to the area Perform the following configuration under OSPF view Table 498 Configure Totally Stubby Area of OSPF By default no stubby area or totally stub area is configured The cost of the default routing sent to Stub area is 1 The a...

Page 437: ...ated on an ASBR when there is a default route 0 0 0 0 in the routing table The no import route attribute is used on the ASBR which allows the OSPF route that is imported using the import route command to not be advertised to the NSSA area If the NSSA router is both ASBR and ABR this parameter option is always selected Configuring Route Summarization within the OSPF Domain Route summary provides th...

Page 438: ...d that a routing summary configuration is only valid on the ABR Creating and Configuring a Virtual Link After the OSPF area division all the areas may not be of equal size One particular area is unique and that is the backbone area with the area id of 0 0 0 0 OSPF route update between non backbone areas is carried out through the backbone area The OSPF protocol requires that all non backbone areas...

Page 439: ...ne area directly or logically The backbone area must include all ABRs and may include routers belonging to the backbone area only An ASBR may not be inside the backbone area ABRs inside the backbone area must be well connected and may be connected physically or logically establishing virtual connection between ABRs When configuring a virtual connection note that A virtual connection can only span ...

Page 440: ...he route in an area of the AS Inter area route The route between different areas of the AS External router Type 1 The received IGP route such as RIP STATIC The reliability of this route is high so the calculated cost of the external route and the cost of the route inside the AS are in the same numeric level It is comparable with the cost of OSPF route i e the cost value of external route Type 1 th...

Page 441: ...External Routes Operation Command Configure route import for OSPF import route protocol cost cost type 1 2 tag tag value route policy policy name Cancel route distribution for OSPF undo import route protocol cost cost type 1 2 tag tag value route policy policy name Operation Command Configure the default cost value when OSPF importing external routes default import route cost cost Return to the de...

Page 442: ...nformation Received by OSPF By default OSPF does not filter any route information received Displaying and Debugging OSPF Table 507 Display and Debug OSPF Operation Command Specify OSPF route preference preference ase value Return the default value of OSPF route preference undo preference ase Operation Command Filter the routing information received filter policy acl number import Change or cancel ...

Page 443: ...I 401 Router E communicates with Router A through DLCI 501 and communicates with Router D through DLCI 502 Figure 147 Networking diagram of running OSPF on point to multipoint interface To configure OSPF on the point to multipoint network 1 Configure Router A a Configure the ip address of interface Serial0 encapsulated into frame relay and configure frame relay mapping table Display OSPF routing t...

Page 444: ... mapping table RouterB interface serial 0 RouterB Serial0 ip address 1 1 1 2 255 0 0 0 RouterB Serial0 link protocol fr RouterB Serial0 fr map ip 1 1 1 1 dlci 201 broadcast RouterB Serial0 fr map ip 1 1 1 3 dlci 202 broadcast b Enable OSPF RouterB Serial0 quit RouterB router id 2 2 2 2 RouterB ospf enable RouterB ospf quit c Configure the area id of the interface and the interface type RouterB int...

Page 445: ... Serial0 encapsulated into frame relay and configure frame relay mapping table RouterE interface serial 0 RouterE Serial0 ip address 1 1 1 5 255 0 0 0 RouterE Serial0 link protocol fr RouterE Serial0 fr map IP 1 1 1 1 dlci 501 broadcast RouterE Serial0 fr map IP 1 1 1 4 dlci 502 broadcast b Enable OSPF RouterE Serial0 quit RouterE router id 5 5 5 5 RouterE ospf enable c Configure the area id of th...

Page 446: ...thernet0 quit RouterB router id 2 2 2 2 RouterB ospf enable RouterB ospf interface ethernet 0 RouterB Ethernet0 ospf enable area 0 3 Configure Router C RouterC interface ethernet 0 RouterC Ethernet0 ip address 192 1 1 3 255 255 255 0 RouterC Ethernet0 ospf dr priority 2 RouterC Ethernet0 quit RouterC router id 3 3 3 3 RouterC ospf enable RouterC ospf interface ethernet 0 RouterC Ethernet0 ospf ena...

Page 447: ...splay ospf peer on Router D to display peers Note that Router C which was BDR now becomes DR and so does Router B RouterD display ospf peer Shutting down the router and restarting leads to the reelection of DR and BDR Restart router A and run the display ospf peer command to display peers Note that router B is elected DR whose preference is 200 and Router A becomes BDR whose preference is 100 Rout...

Page 448: ...rface ethernet 0 RouterB Ethernet0 ip address 192 1 1 2 255 255 255 0 RouterB Ethernet0 interface serial 0 RouterB Serial0 ip address 193 1 1 2 255 255 255 0 RouterB Serial0 quit RouterB router id 2 2 2 2 RouterB ospf enable RouterB ospf interface ethernet 0 RouterB Ethernet0 ospf enable area 0 RouterB Ethernet0 interface serial 0 RouterB Serial0 ospf enable area 1 RouterB Serial0 quit RouterB osp...

Page 449: ...e serial interface of Router A and that of Router B are both in area 1 configured with MD5 authentication Figure 150 Networking diagram of configuring OSPF peer authentication To configure OSPF peer authentication 1 Configure Router A RouterA router id 1 1 1 1 RouterA ospf enable RouterA ospf interface ethernet 0 RouterA Ethernet0 ip address 192 1 1 1 255 255 255 0 RouterA Ethernet0 ospf enable ar...

Page 450: ...w Router display ospf peer Interface 202 38 160 1 Area 0 0 0 2 Neighbors RouterID 2 2 2 2 Address 202 38 160 2 State FULL Mode None Priority 0 DR 202 38 160 1 BDR 202 38 160 1 Last Hello 14 04 Last Exchange 0 Authentication Sequence a51dac View OSPF information on the interface with the display ospf interface command Check whether the physical connection and low layer protocol are running normally...

Page 451: ... router at least one area must be configured as a backbone area the area id of one area must be 0 or a virtual link must be configured As shown in the following diagram only one area is configured on Router A and Router D and two areas are configured respectively for Router B area0 area1 and Router C area1 area2 One area in Router B is 0 which satisfies the requirement However none of the two area...

Page 452: ...448 CHAPTER 29 CONFIGURING OSPF ...

Page 453: ...ing protocol Completely resolves the route loop problem by carrying AS path information Uses TCP as the transmission layer protocol improving the reliability of the protocol BGP 4 supports classless interdomain routing CIDR or supernetting CIDR judges the IP address in a totally new way It no long recognizes network class A network class B or network class C For example with CIDR an illegal class ...

Page 454: ...BGP External BGP IBGP is run when routers in an autonomous system exchange network reachable information When routers of different ASs exchange network reachable information they use EBGP The BGP protocol system is driven by messages that can be divided into 4 categories Open message This is the first transmitted message after the connection is created It is used to create a connection between BGP...

Page 455: ... BGP is disabled Configuring Networks for BGP Distribution Perform the following configurations in BGP view Table 509 Configure Networks for BGP Distribution By default no network is configured for BGP distribution Configuring Peers The routers that exchange BGP packets are called peers to each other Peers can be directly connected routers or indirectly connected routers but should be connected by...

Page 456: ...nterval Table 514 Configure BGP Route update Interval By default the BGP route update interval is 5 seconds 5 Configure to send community attribute to the peer Delete a BGP peer undo peer peer address as number as number Operation Command Configure connection between EBGP peers connected indirectly peer peer address ebgp max hop max hop count Return to the default BGP connections to external peers...

Page 457: ...olicy for the Peer Operation Command Configure to send community attribute to the peer peer peer address advertise community Cancel sending community attribute to the peer undo peer peer address advertise community Operation Command Configure the peer to be the client of the route reflector peer peer address reflect client Cancel the configuration of making the peer as the client of the BGP route ...

Page 458: ...xt hop through different external peers it makes a preference selection based on the MED values To operate the MED attribute an access control list is used to indicate what network will be operated Perform the following configurations in BGP view Table 522 Configure the BGP MED Metric Allow Comparing Path MED This command is used to compare MED values from different AS neighboring routes and to se...

Page 459: ...y the time interval for sending a keepalive message is one third of the value for the holdtime attribute The value of the holdtime interval attribute is the time interval for continuously receiving keepalive and update messages If a keepalive or update message is received the holding timer is reset If a router has not received any messages from the opposite router for a specific period of holding ...

Page 460: ... peers may discard the route updating information you have sent All peers in this group must be configured with an AS number if this group is not configured with an AS number If you add an AS number to the peer group any peer in this group cannot be configured with an AS number different from this peer group AS number The members of the peer group cannot be configured with a route updating strateg...

Page 461: ...sending interval is 5 seconds 5 Configure to send the community attribute to a BGP peer group Table 532 Configure to Send Community Attribute to a BGP Peer Group Operation Command Configure AS number of BGP peer group peer group name as number as number Remove AS number of BGP peer group undo peer group name as number as number Operation Command Configure connection between peers indirectly connec...

Page 462: ... the default route to the peer group Table 534 Configure to Send the Default Route to the Peer Group By default the local router does not advertise the default route to any peer group A next hop should be sent to the peer unconditionally as the default route 8 Set the router s own IP address as the next hop when the peer group distributes route information Cancel the processing of next hop when se...

Page 463: ...at the same time when manual aggregation mode is configured Perform the following configurations in BGP view Table 540 Create an Aggregate Addresses Create routing policy for peer group peer group name route policy policy name import export Remove a routing policy to import or export routes undo peer group name route policy policy name import export Operation Command Create an filtering policy bas...

Page 464: ...ransfers it to Router B Router B is a route reflector which has two clients Router A and Router C Router B can reflect the routing update from client Router A to client Router C In this instance the session between Router A and Router C is unnecessary because the route reflector forwards the BGP information to Router C Figure 152 Schematic diagram of route reflector The route reflector divides the...

Page 465: ...are fully connected 2 Configure the cluster ID As the route reflector is imported the route selection circle can occur in an AS and the route that leaves a cluster during update may try to reenter this cluster The traditional AS routing method cannot detect the internal circle of the AS because the update has not left the AS yet BGP provides two methods to avoid an AS internal loop when you config...

Page 466: ...m the following configurations in system view Table 543 Configure BGP Community By default no community list is created Configuring a BGP AS Confederation Attribute Confederation is another method to solve the problem of a sudden increase of IBGP closed networks inside an AS An AS is divided into multiple sub ASs and the IBGP peers inside the sub ASs are fully connected and each sub AS connects wi...

Page 467: ...tem of E Confederation By default no confederation peers are specified 3 Configure the non RFC standard AS confederation attributes The creation of an AS confederation in the devices from some other providers may not be consistent with the RFC1965 standard All the routers in the confederation must be configured as using non RFC1965 standard AS confederation attributes to create interconnections wi...

Page 468: ...lty is exponentially decreased as time goes by Once it is lower than a certain threshold the route is unsuppressed and is advertised again as shown in the following diagram Figure 153 Schematic diagram of route dampening Configure the following parameters to adjust the performance of route dampening Penalty Increases upon each route flap decays as time goes by Reachable half life Time duration bef...

Page 469: ...alf life reachable half life unreachable reuse suppress ceiling route policy policy name Clear route routing dampening information and de suppress the suppressed route reset dampening network address mask Disable the route dampening undo dampening Operation Command Display BGP dampened routes display bgp routing table dampened Display flap information of all routes display bgp routing table flap i...

Page 470: ...ctions between BGP and an IGP BGP can import route information that is found by running IGP in another AS to its own AS Perform the following configurations in BGP view Table 550 Configure Route Import for BGP By default BGP does not import routes from other domains into the routing table The protocol attribute specifies the source routing domain that can be imported At present BGP can import rout...

Page 471: ... represents a group of aspath lists Each AS path list is identified with numbers Perform the following configurations in system view Table 552 Define a BGP related ACL Entry By default no access list entry is defined In the matching process many aspath list number us Boolean OR operation so that if the routing information passes one item information is filtered by the as path list identified with ...

Page 472: ... to be matched in routing policy undo if match as path Specify BGP community list number to be matched in routing policy if match community standard community list number exact match extended community list number Delete BGP community list undo if match community Define the matched routing access control list and prefix list in routing policy if match ip address acl number ip prefix prefix list na...

Page 473: ...apply cost cost Restore the destination routing protocol s cost value undo apply cost Set the origin attribute of the original route in the Route policy apply origin igp egp as number incomplete Remove the origin attribute undo apply origin Operation Command Operation Command Filter routing information received from a specified gateway filter policy gateway prefix list name import Change or cancel...

Page 474: ...sed by BGP undo filter policy acl number ip prefix prefix list name export protocol Operation Command Reset BGP connection reset bgp all peer id Clear routing flapping attenuation information and cancel the dampening over the routes reset bgp dampening network address mask Reset the BGP connection of a specified peer or all members of a peer group reset bgp group group name Operation Command Displ...

Page 475: ...ay the route with inconsistent source AS display bgp routing table different origin as Display peer information display bgp peer peer address Display routing information distributed through BGP display bgp routing table network Display peer group information display bgp group group name table regular express display bgp routing table regular expression as regular expression Display BGP route summa...

Page 476: ...on RouterC bgp confederation id 100 RouterC bgp confederation peer as 1001 1002 RouterC bgp peer 172 68 10 1 as number 1001 RouterC bgp peer 172 68 10 2 as number 1002 RouterC bgp peer 156 10 1 2 as number 200 RouterC bgp peer 172 68 1 2 as number 1003 Configuring BGP Route Reflector Router B receives a BGP update message and forwards the update to Router C which is configured as a route reflector...

Page 477: ...rial0 interface serial 1 RouterB Serial1 ip address 193 1 1 2 255 255 255 0 RouterB Serial1 ospf enable area 0 3 Configure Router C a Configure BGP peers and route reflector clients RouterC bgp 200 RouterA bgp undo synchronization RouterC bgp peer 193 1 1 2 as number 200 reflect client RouterC bgp peer 193 1 1 2 reflect client RouterC bgp peer 194 1 1 2 as number 200 reflect client RouterC bgp pee...

Page 478: ... on Router B with display bgp routing table command Note that Router B knows that network 1 0 0 0 exists RouterB display bgp routing table View BGP routing table on Router C with display bgp routing table command Note that Router C knows that network 1 0 0 0 exists RouterD display bgp routing table Configuring BGP Path Selection This example describes how the administrator manages the routing with...

Page 479: ...t_med_100 The first routing diagram is network 1 0 0 0 The MED attribute is 50 and the second MED attribute is 100 RouterA acl 1 route policy set_med_50 permit 1 RouterA route policy if match ip address 1 RouterA route policy apply cost 50 RouterA route policy quit RouterA route policy set_med_100 permit 1 RouterA route policy if match ip address 1 RouterA route policy apply cost 100Apply the rout...

Page 480: ...s number 200 RouterC bgp peer 195 1 1 1 as number 200 Set the local preference attribute of Router C Add access list 1 to Router C and enable network 1 0 0 0 RouterC bgp acl 1 RouterC acl 1 rule permit source 1 0 0 0 0 255 255 255 Define a routing diagram named localpref In the diagram the local preference of the route matching access list 1 is set to 200 and the local preference of the route not ...

Page 481: ...k 4 0 0 0 0 0 0 255 area 0 RouterD bgp 200 RouterD bgp undo synchronization RouterD bgp peer 194 1 1 2 as number 100 RouterD bgp peer 194 1 1 2 as number 200 To make the configuration effective use the reset bgp all command to reset all BGP neighbors ...

Page 482: ...478 CHAPTER 30 CONFIGURING BGP ...

Page 483: ...ategy consists of a series of rules classified into three types and used for route information filtering in route advertisement route receiving and route import Since defining a strategy is similar to defining a group of filters that are used during receiving or advertising route information or before the route information exchange between different protocols route strategy is also called route fi...

Page 484: ...distributed by specific routers The addresses of these filters must be filtered by prefix list In this case the matching object of ip ip prefix is the source address of the IP header of the route packet A prefix list is identified with the list name and consists of several parts with sequence number specifying the matching order of these parts In each part you can specify a matching range in the f...

Page 485: ...es with sequence number specifying the matching order of these parts Perform the following configurations in system view Table 560 Define a Routing Policy By default no routing policy is defined permit specifies the matching mode of the defined routing policy node as permit mode When the route item satisfies all if match clauses of the node it is permitted to pass the filtering of this node and ex...

Page 486: ... the BGP community attributes to be matched from the route policy undo if match community list Specify the ACL and prefix list to be matched in the route policy if match ip address acl number ip prefix prefix list name Remove the ACL and prefix list to be matched from the route policy undo if match ip address ip prefix Specify the interface to be matched in the route policy if match interface type...

Page 487: ... original routing protocol At this time a route metric should be specified for the imported route Perform the following configurations in RIP view OSPF view or BGP view Operation Command Specify the AS number ahead of the original AS path in Routing policy apply as path aspath list number Cancel the AS number ahead of the original AS path in Routing policy undo apply as path Set BGP community attr...

Page 488: ...tands for 10µs ranging from 1 to 16777215 reliability is the channel reliability ranging 0 to 255 255 stands for 100 creditable loading is the channel seizure rate ranging 1 to 255 255 stands for 100 seized mtu is the maximum transfer unit of route ranging from 1 to 65535 byte route policy policy name specifies imported routes which matches the specified routing policy name This item can be used i...

Page 489: ...ence numbers use Boolean OR operations and the routing information matches different parts in turn Matched with a specific part of the IP prefix list is considered as successfully filter through this IP prefix list Perform the following configurations in system view Table 564 Define an IP Prefix List By default no IP prefix list is defined Configuring Route Filter In some cases only the routing in...

Page 490: ...rations in all views Operation Command Filter the route information received from a specified gateway filter policy gateway prefix list name import Change or cancel filtering the route information received from a specified gateway undo filter policy gateway prefix list name import Filter the route information received filter policy acl number ip prefix prefix list name import Change or cancel filt...

Page 491: ...16 2 Configure Routing policy Router route policy r1 permit 10 Router route policy if match ip address ip prefix p1 Router route policy route policy r1 permit 20 Router route policy if match ip address ip prefix p2 Router route policy quit 3 Configure OSPF Router ospf enable Router ospf import route rip route policy r1 Router ospf interface ethernet 0 Router Ethernet0 ip address 128 1 0 1 255 255 ...

Page 492: ...it any RouterB acl 1 quit b Start OSPF protocol and configure the area number of this interface RouterB router id 2 2 2 2 RouterB ospf enable c Configure filtering route information received for OSPF RouterB ospf filter policy 1 import d Configure IP address of Serial0 encapsulated to PPP protocol RouterB ospf interface serial 0 RouterB Serial0 link protocol ppp RouterB Serial0 ip address 10 0 0 2...

Page 493: ...olicy When all nodes of the routing policy are in deny mode no routing information will pass the filtering of this routing policy At least one item in the prefix list should be in permit matching mode The list items in deny mode can be defined to fast filtering routing information that does not meet the conditions But if all list items are in deny mode no route will pass the filtering of this pref...

Page 494: ...490 CHAPTER 31 CONFIGURING IP ROUTING POLICY ...

Page 495: ...rwarding At present two if match clauses if match length and if match ip address are provided Apply clause defines the operation of the strategy there are five apply clauses apply ip precedence apply interface apply ip next hop apply default interface apply ip default next hop They are executed in sequence until the operation can proceed There are two kinds of policy routings interface policy rout...

Page 496: ...cy routing provides two if match clauses that allow matching strategy according to IP message length and IP address One strategy includes multiple if match clauses which can be used in combination Perform the following configurations in Routing policy view Table 569 Define Match Rules By default no if match clause is defined Define Apply Clause IP policy routing provides 5 apply clauses One strate...

Page 497: ...el apply clauses setting message precedence undo apply ip precedence Set message transmitting interface apply interface type number Cancel apply clauses setting message transmitting interface no apply interface Set message default transmitting interface apply default interface type number Cancel apply clauses setting message default sending interface undo apply default interface Set message next h...

Page 498: ... If nodes in deny modes are matched exit from policy routing LAN A is connected with the Internet through the 3Com router requiring that TCP messages be transmitted through path 1 and other messages be transmitted through path 2 Figure 160 Networking diagram of configuring policy routing based on source address 1 Define access list Router acl 101 Router acl 101 rule deny tcp source any destination...

Page 499: ...rial0 ip address 150 1 1 1 255 255 255 0 RouterA Serial0 interface serial 1 RouterA Serial1 ip address 151 1 1 1 255 255 255 0 RouterA Serial1 quit RouterA rip RouterA rip network 192 1 1 0 RouterA rip network 150 1 1 0 RouterA rip network 151 1 1 0 RouterA rip route policy lab1 permit 10 RouterA route policy if match length 64 100 RouterA route policy apply ip next hop 150 1 1 2 RouterA route pol...

Page 500: ...routing diagram lab1 They are sent to 151 1 1 2 RouterA debugging ip policy routing IP s 151 1 1 1 local d 152 1 1 1 len 101 policy match IP route map lab1 item 20 permit IP s 151 1 1 1 local d 152 1 1 1 len 101 64 policy routed IP local to serial 151 1 1 2 On Router A change the message size to 1001 bytes and monitor policy routing with debug ip policy command Note that this message does not matc...

Page 501: ...VII MULTICAST Chapter 33 IP Multicast Chapter 34 Configuring IGMP Chapter 35 Configuring PIM DM Chapter 36 Configuring PIM SM ...

Page 502: ...498 ...

Page 503: ...the network by adopting the broadcast method Using the unicast method to transmit to 200 subscribers results in wasted bandwidth Using the broadcast method risks information security and confidentiality IP multicast technology solves both of these problems The multicast source sends the information only once The transmitted information is duplicated and distributed continuously at key network node...

Page 504: ... that IANA obtains the IEEE 802 MAC is from 01 00 5e 00 00 00 to 01 00 5E ff ff ff IP Multicast Features In simple TCP IP routing the path of a data packet transmission is from the source address to the destination address following the principle of hop by hop But in Class D address range Meaning 224 0 0 0 to 224 0 0 255 Reserved multicast address Permanent group address 224 0 1 0 to 238 255 255 2...

Page 505: ... host can only save the multicast groups it has joined IP Multicast Routing Protocols The multicast protocol includes two parts One part is the Internet Group Management Protocol IGMP acting as the IP multicast basic signaling protocol The other part includes the multicast routing protocols such as DVMRP PIM SM PIM DM which implement IP multicast flow routing Internet Group Management Protocol IGM...

Page 506: ...s with the multicast forwarding demand in the pruned branches to receive multicast data flow the pruned branches can return to forwarding state periodically To reduce the time delay for the pruned branch to recover to the forwarding state the dense mode of the multicast routing protocol adopts a grafting mechanism to actively add to the multicast distribution tree This cyclic diffusion and pruning...

Page 507: ...terfaces This checking mechanism is the basis for most multicast routing protocols to carry out the multicast forwarding reverse path forwarding RPF check The multicast module checks the source address in the received multicast data packet If the active tree is adopted this source address is that of the host sending the multicast data packet If the shared tree is adopted this source address is the...

Page 508: ...504 CHAPTER 33 IP MULTICAST ...

Page 509: ...ssage the router is used to check whether there is any subscriber in a connecting network who wants to make the query message valid and the target group address must be zero or a valid multicast group address IGMP Version 2 allows routers to send group specific query messages Membership Report Message When the host receives a general query or a group specific membership query message it first iden...

Page 510: ...erval of IGMP Host Sending Query Messages Configuring IGMP Maximum Query Response Time Configuring Subnet Querier Survival Time Enabling Multicast Routing Start the IGMP protocol on all interfaces to enable routers to send multicast messages Only after enabling multicast routing can all the other configurations related to the multicast be valid Make the following configuration in system view Table...

Page 511: ...onfiguring IGMP Maximum Query Response Time After the host receives the query message periodically sent by the router it starts delay timers for each of the multicast groups it joins A random number between zero and the maximum response time will be adopted to serve as the initial value The maximum response time is the query message assigned maximum response time the maximum response time of IGMP ...

Page 512: ... querier The querier selection process restarts Make the following configuration in the interface view Table 581 Configure Subnet Querier Survival Time By default subnet querier timeout is 250 seconds This configuration can only be carried out if the current router interface is operating IGMP Version 2 Displaying and Debugging IGMP Table 582 Display and Debug IGMP After the previous configuration ...

Page 513: ...e e0 RouterA Ethernet0 ip address 10 16 1 3 24 RouterB interface e0 RouterB Ethernet0 ip address 10 16 1 2 24 2 Execute the multicast routing enable command on 3Com A and 3Com B to enable multicast routing RouterA multicast routing enable RouterB multicast routing enable Quidway A PC Quidway B HUB 10 16 1 3 10 16 1 2 10 16 1 0 24 10 16 1 1 Router A Router B ...

Page 514: ...510 CHAPTER 34 CONFIGURING IGMP ...

Page 515: ... for it to distribute data to the downstream nodes any more When new members appear in the prune area PIM DM sends graft message to enable the pruned path to restore to distribution status This mechanism is called broadcast prune process The PIM DM broadcast prune mechanism continues periodically PIM DM adopts reverse path forwarding RPF technology in the broadcast prune process When a multicast p...

Page 516: ... a router receives multicast packets at the forwarding port of a shared LAN it requires all the routers operating PIM DM group address is 224 0 0 13 to send an assert message The downstream routers determine the winner by comparing the specific domains of the assert message according to the relevant series of rules The router with little message preference wins If the preference is the same the ro...

Page 517: ...ure the Time Interval of Interface Sending Hello Messages By default the time interval of interface sending hello messages is 30 seconds Displaying and Debugging PIM DM Table 586 Display and Debug PIM DM Operation Command Start PIM DM protocol pim dm Disable PIM DM protocol undo pim dm Operation Command Set the time interval of interface sending hello messages pim timer hello seconds Restore the d...

Page 518: ...CEIVER 1 and RECEIVER 2 are the two receivers of this multicast group Figure 163 PIM DM configuration and networking 1 Enable multicast routing protocol Router multicast routing enable 2 Enable PIM DM protocol Router interface Ethernet 0 Router Ethernet0 pim dm Router Ethernet0 interface serial 0 Router Serial0 pim dm Router Serial0 interface serial 1 Router Serial1 pim dm Turn on the switch of PI...

Page 519: ... it reduces data messages and controls the network bandwidth occupied by the messages occupy by allowing routers to explicitly join and leave multicast groups PIM SM constructs an RP path tree RPT with the RP its root so as to make the multicast packets transmitted along with the RPT When a host joins a multicast group the directly connected router sends a joining message to the RP PIM The first h...

Page 520: ...ters It is used to inform all the routers of the RP Set information collected by BSR Assert Message When there are multiple routers in the multiple access network and the output interface for the routing item of a router receives multicast message this kind of message is used to specify the transmitter Candidate RP Advertisement Message This message is unicast to BSR by the candidate RP to report ...

Page 521: ...nfigure Candidate BSR By default no interface is configured to be a candidate BSR Use the pim command in system view to enter PIM view Configuring the Candidate RP In the PIM SM protocol the shared tree RP Path Tree constructed by the routing multicast data regards the rendezvous point RP as its root and the group members as its leaves RP is generated from BSR selection After the BSR is selected a...

Page 522: ...llo Message After the interface starts PIM SM protocol it will periodically transmits a hello message to all the PIM routers group address is 224 0 0 13 to find PIM neighbors the query interval timer determines this time interval If the interface receives the Hello message it means that there are adjacent PIM routers for this interface and this interface can add the neighbor to its interface neigh...

Page 523: ...ource spt switch threshold traffic rate infinity accept policy acl number Restore the default threshold value of the shortest path switching from the shared tree to source undo spt switch threshold accept policy acl number Operation Command Display multicast forwarding list information display multicast forwarding table group address source address Display multicast core routing table display mult...

Page 524: ... 164 PIM SM comprehensive configuration networking diagram 1 Configure Router A a Enable PIM SM protocol RouterA multicast routing enable RouterA interface ethernet 0 RouterA Ethernet0 pim sm RouterA Ethernet0 interface serial 0 RouterA Serial0 pim sm RouterA Serial0 interface serial 1 RouterA Serial1 pim sm b Configure the threshold value of the multicast group switching from the shared tree to t...

Page 525: ... RouterC Serial1 pim sm Suppose Host A is the receiver of 225 0 0 1 Host B now begins sending data with the destination address 225 0 0 1 Router A receives the multicast data sent by Host B via Router B When the multicast data rate of Host B exceeds 10kbps Router A will be added to the shortest path tree and the multicast data message sent by Host B will be received directly from Router C Troubles...

Page 526: ...522 CHAPTER 36 CONFIGURING PIM SM ...

Page 527: ...VIII SECURITY Chapter 37 Configuring Terminal Access Security Chapter 38 Configuring AAA and RADIUS Protocol Chapter 39 Configuring Firewall Chapter 40 Configuring IPSec Chapter 41 Configuring IKE ...

Page 528: ...524 ...

Page 529: ... can also configure and maintain the router All users need to authenticate the usernames and passwords when visiting the router The command line interface CLI provides the following features for terminal users For security password input is not displayed on the terminal screen If an illegal user attempts to break into the system by testing different passwords access is automatically denied if the ...

Page 530: ...trate how to configure login authentication for Configure a user local user user name service type type password cipher password Delete a user undo local user user name Operation Command Configure login authentication of terminal user from asynchronous port login async Cancel login authentication of terminal user from asynchronous port undo login async Configure login authentication of terminal us...

Page 531: ...ervice type exec adminstrator password cipher hello 4 Configure the default authentication method list of EXEC users Router aaa authentication scheme login default radius local 5 Configure RADIUS server and the shared secret Router radius server 172 17 0 30 authentication port 1645 accouting port 1646 Router radius shared key 3Com Configuring Operator User Login Authentication Through Telnet In th...

Page 532: ...528 CHAPTER 37 CONFIGURING TERMINAL ACCESS SECURITY ...

Page 533: ...stributed client server system that provides AAA functions and protects networks from being intruded by unauthorized visitors so it is mainly applied in network environments that require high security and support remote login RADIUS consists of three components Protocol Based on UDP IP layer RFC2865 and 2866 define the RADIUS frame relay format and message transmission mechanism and define 1812 as...

Page 534: ...S server can act as the client of other AAA servers to perform authentication or accounting A RADIUS server supports multiple ways to authenticate the user such as PPP based PAP CHAP and UNIX based login Basic Information Interaction Procedure of RADIUS The RADIUS server usually uses the agent authentication function of the devices like NAS to authenticate the user The RADIUS client and server aut...

Page 535: ...sponse packet Accounting Response 6 The RADIUS client sends an accounting stop request packet Accounting Request to the RADIUS server The value of Status Type is stop 7 The RADIUS server returns an accounting stop response packet Accounting Response Packet Structure of the RADIUS protocol RADIUS uses UDP to transmit messages By employing a timer management mechanism retransmission mechanism and sl...

Page 536: ...ket 1 Access Request Direction Client Server The Client transmits the user information to Server to decide whether or not to allow the user to access The packet must contain User Name attribute and may contain such attributes as NAS IP Address User Password or NAS Port 2 Access Accept Direction Server Client If all the Attribute values in the Access Request packets are acceptable i e the authentic...

Page 537: ...type Type Attribute type 1 User Name 23 Framed IPX Network 2 User Password 24 State 3 CHAP Password 25 Class 4 NAS IP Address 26 Vendor Specific 5 NAS Port 27 Session Timeout 6 Service Type 28 Idle Timeout 7 Framed Protocol 29 Termination Action 8 Framed IP Address 30 Called Station Id 9 Framed IP Netmask 31 Calling Station Id 10 Framed Routing 32 NAS Identifier 11 Filter ID 33 Proxy State 12 Fram...

Page 538: ... user defining user name and password should be set on the RADIUS server before it is started Perform the following configuration in system view Table 600 Configure AAA Login Authentication By default the login method list is aaa authentication scheme login default local If the user does not define the methods list the execution sequence of default method list will be used Method here refers to th...

Page 539: ...e the method methods list the executing sequence defined in the default method list defined by default is used Method here refers to the authentication method The authentication method includes the following radius authentication using the RADIUS server local local authentication none access authority to all users without authentication While configuring the authentication method list at least one...

Page 540: ...rk resources Perform the following configurations in system view Table 603 Configure AAA Accounting Option By default the accounting option is disabled and users are charged When the method list designated by the user is none accounting is unnecessary Configuring a Local IP Address Pool A local address pool is mainly used to assign an IP address for users who log in remote PPP If the end IP addres...

Page 541: ...uthentication succeeds the user can log on normally Otherwise the user is rejected 3 If the user information is not in the local database and the RADIUS server authentication is not configured the login of the user is rejected Various configuration tasks conducted in the local user database can be nested or combined and all local user databases can be configured in one command Perform the followin...

Page 542: ...the Callback Number A RADIUS server can be configured with callback number equivalent to number which is defined locally If aaa authentication scheme ppp default radius is configured then number which is configured locally is invalid and the number to be transmitted to PPP will be decided by callback number set on RADIUS server If aaa authentication scheme ppp default radius local is configured lo...

Page 543: ...ers of exec ftp and ppp after the service type When multiple services are authorized to a user it is necessary to configure over 2 types of the above mentioned parameters other than to use this command repeatedly because the new service type will overwrite the old one not to pack the service type Table 610 Configure Authorizing a User with Usable Service Types By default users are authorized to us...

Page 544: ... it can pass the authentication of the RADIUS server Table 612 Configure RADIUS Server Shared Secret By default no key is configured for the RADIUS server Configure the Time Interval at Which the Request Packet is Sent Before the RADIUS Server Fails To determine whether a RADIUS server is invalid the router will send authentication request packets to the RADIUS server periodically Table 613 Config...

Page 545: ...he Inquiry Packet By default the inquiry packet is sent at intervals of 5 minutes after the RADIUS server fails and the interval ranges from 1 to 255 minutes Configure the Time Interval at Which the Real Time Accounting Packet is Sent to the RADIUS Server After a user passes authentication NAS sends the user s real time accounting information to the RADIUS server periodically If the real time acco...

Page 546: ...ed for authentication 129 7 66 66 acts as the first authentication and accounting server and 129 7 66 67 as the second authentication and accounting server both using default authentication port number 1812 and default accounting port number 1813 Configure the time interval at which the real time accounting packet is sent to RADIUS server radius timer realtime accounting scheme minutes Restore def...

Page 547: ...acts as the first authentication and accounting server port numbers being 1000 and 1001 respectively 129 7 66 67 acts as the second authentication and accounting server port numbers being 1812 and 1813 respectively Authenticate by the local database first and if there is no response use the RADIUS server Charge all users in real time The real time accounting packet is sent at the interval of 5 min...

Page 548: ...uter local user abc service type ftp password simple hello 4 Configure RADIUS server IP address and port using default port number Router radius server 129 7 66 66 5 Configure RADIUS server shared secret retransmission times timeout and RADIUS server dead time Router rad shared key this is my secret Router radius retry 4 Router radius timer response timeout 2 Router radius timer quiet 1 Troublesho...

Page 549: ...rver may be considered by the system as unavailable by the system And as the radius timer quiet command has not been configured defaulted as 5 minutes or a relative long dead time has been configured the system does not know that the server has recovered Use undo radius server command to delete the original RADIUS server and reconfigure it by radius server command to activate the server immediatel...

Page 550: ...546 CHAPTER 38 CONFIGURING AAA AND RADIUS PROTOCOL ...

Page 551: ...tected by the firewall the firewall should be set at the intranet entry point A firewall is used not only to connect the Internet but also to control the access to some special part of the internal network such as to protect mainframes and important resources such as data in the network Access to the protected data must be filtered through the firewall even if the access is from inside The firewal...

Page 552: ...ss proxy on a proxy server or a router It replaces the IP address and port of a host inside the network with the IP address and port of a server or router For example the intranet address of an enterprise is 129 0 0 0 network segment and its formal external IP address is 202 38 160 2 202 38 160 6 When the internal host 129 9 10 100 accesses a certain external server in WWW mode the IP address and ...

Page 553: ...fic as from a year month day to another year month day Support ACL automatic sorting You can select sorting ACLs of a specific category to simplify the configuration and facilitate the maintenance It can be as specific as indicating the input output direction For example a special packet filtering rule can be applied in the output direction of the interface that is connected with WAN or another pa...

Page 554: ... dest addr dest wildcard any icmp type icmp type icmp code logging 2 Command format when the protocol is IGMP IP GRE or OSPF rule normal special permit deny ip ospf igmp gre source source addr source wildcard any destination dest addr dest wildcard any logging 3 Command format when the protocol is TCP or UDP rule normal special permit deny tcp udp source source addr source wildcard any source port...

Page 555: ...mote commands rcmd 514 Daytime 13 Discard 9 Domain Name Service 53 Echo 7 Exec rsh 512 Finger 79 File Transfer Protocol 21 FTP data connections 20 Gopher 70 NIC hostname server 101 Internet Relay Chat 194 Kerberos login 543 Kerberos shell 544 Login rlogin 513 Printer service 515 Network News Transport Protocol 119 Post Office Protocol v2 109 Post Office Protocol v3 110 Simple Mail Transport Protoc...

Page 556: ...otify 512 Bootstrap Protocol Client 68 Bootstrap Protocol Server 67 Discard 9 Domain Name Service 53 DNSIX Securit Attribute Token Map 90 Echo 7 MobileIP Agent 434 MobilIP MN 435 Host Name Server 42 NETBIOS Datagram Service 138 NETBIOS Name Service 137 NETBIOS Session Service 139 Network Time Protocol 123 Routing Information Protocol 520 SNMP 161 SNMPTRAP 162 SUN Remote Procedure Call 111 Syslog 5...

Page 557: ...atch rules according to the following principle Rules with the same serial number can be defined If two rules with the same serial number conflict use the depth first principle to judge the source addr source wildcard mask destination addr destination wildcard mask protocol number and port number then determine the sequence of the rule If the ranges defined by the rules are the same then determine...

Page 558: ... control rules compare the wildcards of source addresses If they are the same then compare the wildcards of the destination address If they are still the same compare the range of port numbers and the rule with smaller range will be arranged first If the port numbers are the same then match the rules according to the user s configuration sequence The display acl acl number command can be used to v...

Page 559: ...he access control list and then configure specific access rules through rule command If the matching sequence is not configured it will be conducted in auto mode Perform the following configurations in system view and ACL view Table 623 Configure Extended Access Control List Operation Command Enter the ACL view and configure the match sequence of access control list acl acl number match order conf...

Page 560: ...different access rules It is also called the special rules for special time The time ranges are classified into two types according to actual applications Special time range Time within the set time range specified by key word special Normal time range Time beyond the specified time range specified by key word normal Similarly the access control rules are also classified into two types Normal pack...

Page 561: ...user The newly defined special time range becomes valid about 1 minute after it is defined and that defined last time will become invalid automatically Perform the following configurations in system view Table 626 Set Special Time Range By default the system adopts the access rules defined for normal time range for message filtering The command settr can define 6 time ranges at the same time The f...

Page 562: ...y and Debug Firewall Firewall Configuration Example The following is a sample firewall configuration in an enterprise This enterprise accesses the Internet through interface Serial 0 of one 3Com router and the enterprise provides www FTP and Telnet services to the outside The internal sub network of the enterprise is 129 38 1 0 the internal ftp server address 129 38 1 1 internal Telnet server addr...

Page 563: ...d Router firewall default permit 3 Configure access rules to inhibit passing of all packets Router acl 101 Router acl 101 rule deny ip source any destination any 4 Configure rules to permit specific host to access external network to permit internal server to access external network Router acl 101 rule permit ip source 129 38 1 4 0 destination any Router acl 101 rule permit ip source 129 38 1 1 0 ...

Page 564: ...nal network Router acl 102 rule permit tcp source any destination 202 38 160 1 0 0 0 0 destination port greater than 1024 7 Apply rule 101 on packets coming in from interface Ethernet0 Router Ethernet0 firewall packet filter 101 inbound 8 Apply rule 102 on packets coming in from interface Serial0 Router Serial0 firewall packet filter 102 inbound ...

Page 565: ...ckets are authenticated To ensure security the algorithms of encryption decryption and authentication are very complicated The encryption and decryption algorithm process of the router occupies large quantities of resources as a result the performance of the integrated machine is affected Using crypto cards modular plug in cards the 3Com modular series routers process encryption and decryption ope...

Page 566: ...input processing function is called This processing function authenticates the message to make a comparison with the original authentication value If the values are the same the added AH is canceled and the original IP message is restored Then IP input flow is recalled for processing Otherwise this message is discarded IPSec Related Terms The following terms are important to an understanding of IP...

Page 567: ... of SPI IP destination address security protocol number identify a specific SA uniquely When SA is configured manually SPI should also be set manually To ensure the uniqueness of an SA you must specify different SPI values for different SAs When SA is generated with IKE negotiation SPI will be generated at random IPSec Proposal It includes security protocol algorithm used by security protocol and ...

Page 568: ... is because when the data packet enters the router and is sent to a router not configured with encryption the key word any will cause the router to try to establish encryption session with a router without encryption The encryption access list defined at local router must have a mirror encryption access list defined by the remote router so that the communication contents encrypted locally can be d...

Page 569: ...e output of the crypto card log Perform the following configuration in system view Table 633 Set the Output of the NDEC Card Log By default the outputting of log is disabled Enable the main software backup For the SAs applied at the encrypt card side the works of IPSec processing on the traffic will be shared among the normal encrypt cards as long as there are encrypt cards in normal status on the...

Page 570: ...and to clear part or all of the SA database Perform the following configurations in system view Table 635 Define IPSec Proposal By default no proposal view is configured Set the Mode for Security Protocol to Encapsulate IP Message The IP message encapsulating mode selected by both ends of security tunnel must be consistent Configure the following in IPSec proposal view or proposal view of crypto c...

Page 571: ...here are seven kinds of security encryption algorithms supported by ESP crypto card which are 3des des blowfish cast skipjack aes and qc5 The current security authentication algorithm includes MD5 message digest Version 5 and SHA security hashing algorithm both of which are HMAC variables HMAC is a hashing algorithm with key which can authenticate data The algorithm md5 uses 128 bit key and the al...

Page 572: ...me policy with a different mode you must delete the policy then recreate it with a different mode Security policies with the same name together comprise a security policy group The name and the sequence number define a security policy uniquely and a security policy group can include at most 100 security policies The security policy with smaller sequence number in the same security policy group is ...

Page 573: ...he local address and the remote address must be set correctly to successfully establish a security tunnel For the security policy created manually only one remote address can be specified To set a new remote address the previously specified one must be deleted first Only when both local address and remote address are set correctly can a security tunnel be created Perform the following configuratio...

Page 574: ...n the quoted IPSec proposal it is necessary to set manually the SPI of AH SA and the quoted authentication key for the inbound outbound communications If the ESP protocol is included in the quoted IPSec proposal it is necessary to manually set the SPI of ESP SA and the quoted authentication key and ciphering key for the inbound outbound communications At both ends of a security tunnel the SPI and ...

Page 575: ...elete authentication key of AH protocol in hexadecimal mode applicable to IPSec software and crypto card undo sa inbound outbound ah hex key string Set authentication key of AH protocol input in string mode applicable to IPSec software and crypto card sa inbound outbound ah string key string key Delete authentication key of AH protocol character string applicable to IPSec software and crypto card ...

Page 576: ... IKE negotiation view it is unnecessary to set a local address because IKE can obtain the local address from the interface on which this security policy is applied Only specify one remote address for security policy can be established by IKE If a remote address is specified the previous address must be deleted before specifying the new remote address Perform the following configurations in IPSec p...

Page 577: ...d the SA established manually does not involve the concept of lifetime If a security policy is not configured with lifetime value when the router applies for a new SA it sends a request to the remote end to set up a security tunnel negotiation and gets the SA lifetime of the remote end and applies it as the new SA lifetime If the local end has configured the SA lifetime when creating security poli...

Page 578: ... the communication switches back to the primary link the phase 1 SAs saved on the local router and the remote router may be inconsistent so that the IPSec tunnel cannot be established Enabling the monitoring function can ensure that the phase 1 SA can be released when the phase 2 SA us released so that a new SA pair can be reestablished between the two routers when the primary link goes into UP st...

Page 579: ...d by a security policy then it will go on looking for next security policy If a message is matched with no access list quoted by the security policy then the message will be directly transmitted IPSec will not protect the message One interface can be applied with only one security policy group and one security policy group can be applied to only one interface Perform the following configurations i...

Page 580: ...base information applicable to IPSec software display ipsec sa policy policy name sequence number Display statistic information related to security message applicable to IPSec software display ipsec statistics Display configured IPSec proposal applicable to IPSec software display ipsec proposal proposal name Display all security policy base information applicable to IPSec software display ipsec po...

Page 581: ...ocol spi number Display statistical information of the security packets processing on crypto card applicable to crypto card display encrypt card statistic slot id Display current operating status of crypto card applicable to crypto card display encrypt card status slot id Display current operating logging of crypto card applicable to crypto card display encrypt card syslog slot id Display version ...

Page 582: ...p new e Select authentication algorithm and encryption algorithm RouterA ipsec proposal tran1 esp new encryption algorithm des RouterA ipsec proposal tran1 esp new authentication algorithm sha1 hmac 96 f Create a security policy with negotiation view as manual RouterA ipsec policy policy1 10 manual g Quote access list RouterA ipsec policy policy1 10 security acl 101 h Quote IPSec proposal RouterA ...

Page 583: ...ransform esp new e Select authentication algorithm and encryption algorithm RouterB ipsec proposal tran1 esp new encryption algorithm des RouterB ipsec proposal tran1 esp new authentication algorithm sha1 hmac 96 f Create a security policy with negotiation mode as manual RouterB ipsec policy use1 10 manual g Quote access list RouterB ipsec policy use1 10 security acl 101 h Quote IPSec proposal Rou...

Page 584: ...e Router A a Configure an access list and define the data stream from Subnet 10 1 1x to Subnet 10 1 2x RouterA acl 101 RouterA acl 101 rule permit ip source 10 1 1 0 0 0 0 255 destination 10 1 2 0 0 0 0 255 RouterA acl 101 rule deny ip source any destination any b Create the IPSec proposal view named trans1 RouterA ipsec proposal tran1 c Adopt tunnel mode as the message encapsulating form RouterA ...

Page 585: ...tunnel mode as the message encapsulating form RouterB ipsec proposal tran1 encapsulation mode tunnel d Adopt ESP protocol as security protocol RouterB ipsec proposal tran1 transform esp new e Select authentication algorithm and encryption algorithm RouterB ipsec proposal tran1 esp new encryption algorithm des RouterB ipsec proposal tran1 esp new authentication algorithm sha1 hmac 96 f Create a sec...

Page 586: ...blish networking diagram of security tunnel using crypto cards 1 Configure Router A a Configure an access list and define a data stream from subnet 10 1 1 x to subnet 10 1 1 2 x RouterA acl 101 permit RouterA acl 101 rule permit ip source 10 1 1 0 0 0 0 255 destination 10 1 2 0 0 0 0 255 RouterA acl 101 rule deny ip source any destination any b Establish proposal view of crypto card in the name of...

Page 587: ...uration mode and configure IP address RouterA interface serial 0 RouterA Serial0 ip address 202 38 163 1 255 255 255 0 q Return to system view and configure the static routing to network segment 10 1 2 x RouterA Serial0 quit RouterA ip route static 10 1 2 0 255 255 255 0 202 38 162 1 r Apply security policy base on serial port RouterA Serial0 ipsec policy policy1 2 Configure Router B a Configure a...

Page 588: ...encryption key RouterB ipsec policy map1 10 sa outbound esp string key gfedcba RouterB ipsec policy map1 10 sa inbound esp string key abcdefg n Return to the system view RouterB ipsec policy map1 10 quit o Enter Ethernet port configuration mode and configure IP address RouterB Ethernet0 ip address 10 1 2 1 255 255 255 0 RouterB Ethernet0 quit p Enter serial port configuration mode and configure IP...

Page 589: ...is configured policy on the interface It shall display configuration policy under normal condition If no policy is configured map shall be configured under interface view Check the matching of the security policy If the security policy map was established manually the local and remote address of the security association must be correct and the parameters of security association must be identified ...

Page 590: ...586 CHAPTER 40 CONFIGURING IPSEC ...

Page 591: ...ecure network After establishing security association by both parties of the security association if the peer party is invalid and cannot operate normally such as shut off the local party has no way to know about it When the peer party restarts the machine because there is a security association locally the negotiation cannot be initiated or only initiated by the peer party or negotiated after tim...

Page 592: ...gorithm Configuring Pre shared Key Selecting the Hashing Algorithm Selecting DH Group ID Setting the Lifetime of IKE Association SA Configuring IKE Keepalive Timer Creating an IKE Security Policy IKE negotiation determines whether IKE policies at both ends are matched and then reach a negotiation using an IKE policy During the subsequent negotiation the security data provided by this IKE policy wi...

Page 593: ...algorithm and Diffie Hellman algorithm the calculation resources consumed and the security capability provided Different algorithms are of different intensities and the higher the algorithm intensity is the more difficult it is to decode the protected data but the more resources are consumed The longer key usually has higher algorithm intensity Determine the security protection intensity needed in...

Page 594: ...are key i e pre share algorithm is adopted Configuring Pre shared Key If pre shared key authentication method is selected it is necessary to configure pre shared key Perform the following configurations in system view Table 659 Configure Pre shared Key By default both ends of the security channel have no pre shared keys Selecting the Hashing Algorithm Hashing algorithms use HMAC framework to achie...

Page 595: ...ty parameters of the two parties be consistent SA quotes the consistent parameters at each terminal and each terminal keeps SA until its lifetime expires Before SA becomes invalid the sequent IKE negotiation can use it again The new SA is negotiated before the current SA becomes invalid IKE negotiation can be set with a relatively short life cycle for the purpose of improving IKE negotiation secur...

Page 596: ...red at one side the other side should be configured with a timeout timer In the actual application if one side is configured with the timeout timer the other side must be configured with the interval timer or the SA will be deleted If one side is configured with the interval timer it is not necessary to configure the timeout timer at the other side To avoid the negative influence of network conges...

Page 597: ...pre share key abcde remote 171 69 224 33 e Configure IKE SA lifetime to 5000 seconds RouterA ike proposal 10 sa duration 5000 2 Configure Security Gateway B a Use default IKE policy on Gateway B and configure the peer authentication word RouterB ike pre share key abcde remote 202 38 160 1 These steps configure IKE negotiation To establish an IPSec security channel for secure communication it is ne...

Page 598: ...f both parties to see whether the encryption algorithm and authentication algorithm are the same Unable to establish security channel Follow these steps Check whether the state of network is stable and whether the security channel has been properly established You may encounter the situation as follows the two parties cannot communicate via the existing security channel while the access control li...

Page 599: ...IX VPN Chapter 42 Configuring VPN Chapter 43 Configuring L2TP Chapter 44 Configuring GRE ...

Page 600: ...596 ...

Page 601: ...mplicated than the mechanisms of various ordinary point to point applications Network interconnection between the users of private networks is required for VPN service including the creation of VPN internal network topology route calculation adding and deleting of members The advantages of VPN include The security of data transportation can be ensured With VPN reliable and safe connections can be ...

Page 602: ...P server via PSTN or ISDN the users who want a resource directly call the remote servers of enterprises VPN servers The access server of ISP along with the VPN server accomplishes the call process Classification of IP VPN IP VPN is the emulation of leased line services remote dial up and DDN of WAN equipment using IP facilities including public Internet or private IP backbone network IP VPN classi...

Page 603: ...es Layer 3 tunneling protocol Layer 3 tunneling protocol starts from and ends in ISP PPP session ends in NAS and only layer 3 messages are carried over the tunnel The current layer 3 tunneling protocols include General Routing Encapsulation GRE protocol used to implement the encapsulation of any network layer protocol on another network layer protocol IP Security IPSec protocols The IPSec protocol...

Page 604: ... to partners and clients through VPN so that different enterprises can build their VPNs using public networks Networking Model VPNs are classified by the type of networking model that they use Virtual Leased Line VLL VLL emulates the traditional leased line service with the help of the IP network and hence providing asymmetrical and inexpensive leased line service For the users at both ends of the...

Page 605: ...or large sized ISPs As the access server of VPDN NAS provides WAN interfaces in charge of connecting PSTN or ISDN and supports various LAN protocols security management and authentication and supports tunnels and other related techniques The user side equipment is located in the headquarters of an enterprise According to different network functions the equipment can function as a NAS router or fir...

Page 606: ...sing tunneling protocol conveying the PPP connection to the gateways of enterprises The current available protocols are L2F and L2TP The advantage of the method is its transparency to users After logging in once the users can access the Intranet which authenticates the users and distributes the internal addresses for users avoiding consuming public addresses The accounting of dial up users can be ...

Page 607: ... in the unreliable data channel after being encapsulated with the L2TP header and then undergoes the packet transmission process of UDP Frame Relay and ATM A control message is transmitted in the reliable L2TP control channel Tunnel and session A L2TP tunnel is established between LAC and LNS which is composed of one control connection and n n0 sessions Only one L2TP tunnel can be established betw...

Page 608: ...ssion of a control message is reliable but data message transmission is not reliable If a data message is lost it is not transmitted again L2TP supports flow control and congestion control only for control messages not for data messages L2TP is transmitted in the form of a UDP message L2TP registers UDP Port 1701 which is used only for initial tunnel establishment Originating side of L2TP tunnel r...

Page 609: ...ADIUS with user name and password RADIUS server receives authentication request of the user fulfils the authentication and returns the configuration information to establish the connection to LAC Supports internal address allocation LNS can be put behind the Intranet firewall It can dynamically distribute and manage the addresses of remote users and support the application of private WAN PSTN ISDN...

Page 610: ...ork normally only after it is enabled If it is disabled the router will not provide the related function even if the L2TP parameters are configured Perform the following tasks in the system view Table 665 Enable Disable L2TP By default L2TP is disabled Create a L2TP Group To configure related parameters of L2TP an L2TP group should be added The L2TP group is used to configure the L2TP functions on...

Page 611: ... are compliant with the local registered user name and password and hence to check whether these users are legal VPN users Only after passing authentication successfully can the request of establishing tunnel connection be processed otherwise the user will be turned to services of other types except VPN When user ID authentication is implemented at LAC side user name can be given in by the followi...

Page 612: ... are configured Perform the following configurations in system view Table 670 Enable Disable L2TP By default L2TP is disabled Operation Command Enable AAA aaa enable Configure the authentication method table of PPP user aaa authentication scheme ppp default list name method1 method2 Specify accounting scheme configure information aaa accounting scheme optional Configure to authenticate users ppp a...

Page 613: ...MP bounding logic interface and L2TP logic interface Perform the following configurations in system view Table 672 Create Delete a Virtual Template By far the virtual template in L2TP application only supports one peer but does not support IP unnumbered that is the virtual template has to be configured with its own IP address Dial up users should only be allocated with negotiation IP addresses by ...

Page 614: ...tion will be removed once users have passed local authentication These VPN users can access internal resource after the authentication at LNS Perform the ppp authentication mode configuration in interface view and make the other configurations in system view Table 674 Configure Local VPN Users At LNS local user name configured adopts the mode of fullusername domain Advanced Configuration at LAC or...

Page 615: ...igure the Local Name This configuration is applicable to LAC and LNS Users can configure the local tunnel name at both LAC and LNS The tunnel name at LAC should keep consistent with the name of the receiving end of the tunnel configured at LNS Perform the following configurations in L2TP group view Table 675 Set Local Name By default the local name is the host name of router The tunnel name config...

Page 616: ...he password at the LAC side is the same as that at the LNS side Configure the Interval for Sending Hello Messages This configuration is available to LAC and LNS To detect the connectivity of the tunnel between LAC and LNS both the LAC and the LNS will regularly send Hello messages to the peer and the receiving end will make responses upon receiving If the LAC or LNS does not receive the Hello resp...

Page 617: ...ame dnis Search according to dialed number only domain dnis Search according to domain name first then according to dialed number domain Search according to domain name only Perform the following configurations in system view Table 678 Set Domain Name Delimiter and Searching Order The l2tp match order command merely configures the order of dialed number and domain name for searching In an actual s...

Page 618: ...ll adopt LCP renegotiation first and then use authentication methods configured on corresponding virtual template If only forcing CHAP authentication is configured LNS will authenticate users by means of CHAP Only after user name password and authentication are configured at LNS and AAA function is enabled can the process of forcing CHAP authentication locally take effect If neither LCP renegotiat...

Page 619: ...iate by default After LCP renegotiation is enabled LNS will not reauthenticate users if there is no authentication information configured on the virtual template then users are authenticated only once at LAC Configure the Local Address and Address Pool This configuration is applicable to LNS only After the L2TP tunnel connection between LAC and LNS is established the LNS should allocate the IP add...

Page 620: ... tunnel password are configured first can the AV pairs hiding be meaningful After the AV pairs are hidden the L2TP hiding algorithm will be implemented so that the username and password transmitted in plaintext during proxy authentication can be encrypted in AV pairs Please perform the following configurations in L2TP group view Table 684 Enable Disable Hiding AV Pairs By default AV pairs are hidd...

Page 621: ...s the Intranet of an enterprise through local dial up access The NAS authenticates the users to determine whether they are VPN users The tunnel is used to transmit data between NAS and LNS A user can have access to the LAN of a company through dialup Both the LAC NAS and LNS connect to the Internet through serial interfaces and transmit data through Tunnel The PC is installed with Windows2000 oper...

Page 622: ...a tunnel authentication password Router LAC l2tp1 tunnel authentication Router LAC l2tp1 tunnel password simple 3Com router f Configure BDR dialup parameters Router LAC dialer rule 1 ip permit Router LAC interface async 2 Router LAC Async2 async mode protocol Router LAC Async2 link protocol ppp Router LAC Async2 ppp authentication mode chap Router LAC Async2 dialer enable legacy Router LAC Async2 ...

Page 623: ...NS l2tp group 1 Router LNS l2tp1 tunnel name lns end Router LNS l2tp1 allow l2tp virtual template 1 remote lac end g Enable tunnel authentication and configure a tunnel authentication password Router LNS l2tp1 tunnel authentication Router LNS l2tp1 tunnel password simple 3Com router 3 Configuration at the user side Open Start Program Accessories Communication Network Connection Wizard on the PC in...

Page 624: ...ure 185 Internet Connection Wizard 1 Click Next and input the telephone number at the NAS side in the popup dialog box if it is a local telephone number you should deselect Use area code and dialing rules as shown in the following figure ...

Page 625: ...Connection Wizard 2 Click Next and input username and password such as the username lac and password lac in the popup dialog box so as to access ISP The input contents must be the same as the configuration at the NAS side as shown in the following figure ...

Page 626: ...ING L2TP Figure 187 Internet Connection Wizard 3 Click Next and input the name of dialup connection such as Connection to 660046 in the popup dialog box as shown in the following figure Figure 188 Internet Connection Wizard 4 ...

Page 627: ...llowing figure Figure 189 Internet Connection Wizard 5 Click Finish and double click Connection to 66046 icon then after inputting the username and password you can dial up to access NAS As receiving the call NAS will establish a tunnel and session to LNS as shown in the following figure The input username and password must be the same as those configured at LAC and LNS side ...

Page 628: ...ugh serial interfaces and transmit data through Tunnel The PC named win2000 in installed with Windows2000 The Async2 interface and the PC are connected to a Modem and the number are 660046 and 600040 separately II Networking diagram Figure 191 Networking diagram of client originated VPN III Configuration procedure 1 Configuration at the LAC NAS side a Configure the username and password when diali...

Page 629: ...enable Router LNS aaa authentication scheme ppp default local Router LNS aaa accounting scheme optional d Configure the IP address of Serial0 interface at LNS side Router LNS interface serial 0 Router LNS Serial0 ip address 192 167 0 1 255 255 255 0 e Enable L2TP service and configure a L2TP group Router LNS l2tp enable Router LNS l2tp group 1 Router LNS l2tp1 tunnel name lns end Router LNS l2tp1 ...

Page 630: ...on and a VPN connection in Windows2000 operation system The way to create a dialup connection is the same as that introduced in the example of NAS originated VPN Networking To create a VPN connection open Start Program Accessories Network and Dialup Connection click New Connection and then choose Connect to a private network through the Internet as the Connection Type as shown in the following fig...

Page 631: ...3 Network Connection Wizard 2 Click Next and configure the IP address of LNS in the popup dialog box The address is the address of LNS interface connected to the Internet as shown in the following figure Figure 194 Network Connection Wizard 3 ...

Page 632: ...e CLI mode of Windows2000 and then you can view the IP addresses assigned by LAC NAS and LNS as shown in the following figure Windows 2000 IP Configuration Ethernet adapter Media State Cable Disconnected PPP adapter Connection specific DNS Suffix IP Address 192 168 0 3 Subnet Mask 255 255 255 255 Default Gateway 192 168 0 3 PPP adapter Connection specific DNS Suffix IP Address 192 170 0 3 Subnet M...

Page 633: ... scheme ppp default local Router1 aaa accounting scheme optional c Configure an IP address on Serial0 interface Router1 interface serial 0 Router1 Serial0 ip address 202 38 160 1 255 255 255 0 Router1 Serial0 ppp authentication mode chap d Configure a L2TP group and the related attributes Router1 l2tp enable Router1 l2tp group 1 Router1 l2tp1 tunnel name lac end Router1 l2tp1 start l2tp ip 202 38 ...

Page 634: ...cation Router2 l2tp1 tunnel password simple 3Com router g Force to implement local CHAP authentication Router2 l2tp1 mandatory chap Networking of VPN Protected by IPSec I Networking requirements To create an IPSec tunnel between the both ends of L2TP to transmit L2TP packets which are encrypted through IPSec so as to guarantee the security for VPN II Networking diagram Figure 197 Networking of VPN...

Page 635: ...tpmap 10 set peer 202 38 160 2 Router1 ipsec policy l2tpmap 10 set transform l2tptrans f Configure an IP address on Serial 0 interface and apply a IPSec policy Router1 interface serial 0 Router1 Serial0 ip address 202 38 160 1 255 255 255 0 Router1 Serial0 ipsec policy l2tymap g Configure a L2TP group and configure the related attributes Router1 l2tp enable Router1 l2tp group 1 Router1 l2tp1 tunne...

Page 636: ...p and configure the related attributes Router2 l2tp enable Router2 l2tp group 1 Router2 l2tp1 tunnel name lns end Router2 l2tp1 allow l2tp virtual template 1 remote lac end Router2 l2tp1 undo tunnel authentication Troubleshooting L2TP Before debugging VPN please confirm that both LAC and LNS are on the same public network The connectivity between them can be tested by ping command Fault 1 The user...

Page 637: ... transmitted for example ping operation fails Troubleshooting The reasons may be as follows The address of LAC is configured incorrectly Generally LNS distributes addresses but LAC can also specify its own address If the specified address and the address to be allocated by LNS are not in the same segment this problem will occur It is recommended that LNS allocate the addresses for LAC Network cong...

Page 638: ...634 CHAPTER 43 CONFIGURING L2TP ...

Page 639: ... Figure 198 after receiving an IPX datagram the interface connecting Group1 first delivers it to be processed by the IPX protocol which checks the destination address domain in the IPX header and determines how to route the packet Figure 198 Typical networking diagram of GRE If it is found that the destination address of the message will route through the network with network number 1f virtual net...

Page 640: ... The IP protocol that forwards the messages is often called a delivery protocol or transport protocol The form of an encapsulated message is shown in Figure 199 Figure 199 Encapsulated tunnel message format Refer to RFC For example The format of IPX transmission message that is encapsulated in an IP tunnel is as follows Figure 200 Format of transmission message in the tunnel Delivery Header Transp...

Page 641: ... can Term1 and Term2 2 Enlarge the operating range of the hop limited network such as IPX Figure 202 Enlarge network operating range When using RIP if the hop count between two terminals in Figure 202 is more than 15 the two terminals cannot communicate with each other If tunneling is used in the network hop counts will not be incremented inside the tunnel that is hops can be hidden which enlarges...

Page 642: ...o Check with Checksum Settng the Tunnel Interface to Synchronize the Datagram Sequence Number Creating a Virtual Tunnel Interface Perform the following tasks in the system view Table 687 Create Virtual Tunnel Interface By default no virtual tunnel interface is created Setting the Source Address of a Tunnel Interface After a tunnel interface is created the source address of tunnel channel must be c...

Page 643: ...etwork segment Thus the system can produce a direct tunnel route automatically Perform the following settings in the tunnel interface view Table 690 Set the Network Address of Tunnel Interface By default no network address for the tunnel interface is configured Setting the Identification Key Word of the Tunnel Interface It is stipulated in RFC 1701 that if the key field of the GRE header is set th...

Page 644: ...e the sequence numbers The synchronized message should be further processed or it is discarded With the sequence numbers the message is unreliable but in order The receiving end establishes sequence numbers for the message which is received by the local end and successfully de encapsulated The sequence numbers are integers between 0 and 232 1 and the sequence number of the first packet is 0 After ...

Page 645: ...ure the IP address of PC_A to 10 110 24 100 add a default gateway in the network attribute i e default route or use the following command in DOS mode C WINDOWS route add 0 0 0 0 mask 0 0 0 0 10 110 24 1 b Configure the IP address of PC_B to 30 110 1 200 add a default gateway in the network attribute i e default route or use the following command in DOS mode C WINDOWS route add 0 0 0 0 mask 0 0 0 0...

Page 646: ...address of Ethernet0 interface RouterB Serial0 exit RouterB interface ethernet 0 RouterB Ethernet0 ip address 30 110 1 1 255 255 255 0 c Create a virtual Tunnel interface and configure the IP address source address and destination address RouterB Ethernet0 exit RouterB interface tunnel 0 RouterB Tunnel0 ip address 1 1 1 2 255 255 255 0 RouterB Tunnel0 source 20 1 1 2 RouterB Tunnel0 destination 10...

Page 647: ... e Configure the static route to Novell Group2 RouterA ipx route 31 1f b b b tick 2000 hop 15 2 Configure Router B a Activate IPX RouterB ipx enable node b b b b Configure the IP address and IPX address of Ethernet0 interface RouterB interface ethernet 0 RouterB Ethernet0 ip address 10 1 3 1 255 255 255 0 RouterB Ethernet0 ipx network 31 c Configure the IP address of Serial0 interface RouterB inte...

Page 648: ...the ping operation between PC A and PC B fails Check whether there is a route passing through the Tunnel interface that is on Router A the route to 10 2 0 0 16 passes through Tunnel0 interface on Router B the route to 10 1 0 0 16 passes through Tunnel0 interface it is implemented by adding a static route Figure 206 Networking of troubleshooting GRE Router B Router C PC A PC B Router A 10 1 1 1 10 ...

Page 649: ...X RELIABILITY Chapter 45 Configuring a Standby Center Chapter 46 Configuring VRRP ...

Page 650: ...646 ...

Page 651: ... on priority Interfaces such as ISDN BRI and ISDN PRI interfaces that have multiple physical channels can provide standbys to multiple main interfaces by using dialer route Standby centers support the standby load sharing function When the traffic of the all active interfaces on the standby center reaches the set enable threshold routers will start a standby interface with the highest priority to ...

Page 652: ...tual virtual circuit or dialer route Please perform the following tasks in the views of the physical interface to which the virtual circuit or the dialer route belongs and specify the corresponding logic channel number Table 698 Establish a Corresponding Relation Between Logic Channel and Virtual Circuit or Dialer Route Operation Command Enter the view of the main interface interface type number O...

Page 653: ...in Interface By default the delay time for the switchover from the standby interface to the main interface is 0 second meaning that the switchover is instanteous Setting State judging Conditions of the Logic Channel State When the main interface is a logic channel the logic channel is regarded as down after a specified number of unsuccessful calls After it switches over to the standby interface re...

Page 654: ...procedure for each configuration Standby Between Interfaces Take interface Serial 2 as the standby interface for interface Serial 1 1 Enter the view of Serial 1 Router interface serial 1 2 Set Serial 2 as its standby interface Router Serial1 standby interface serial 2 3 Set the time for switchover between main and standby interfaces as 10 seconds Router Serial1 standby timer enable delay 10 Router...

Page 655: ... 10 Router Serial0 logic channel 10 4 Specify interface Serial 1 as the standby interface of this logic channel Router logic channel10 standby interface serial 1 5 Set the time interval as 10 seconds for judging the logic channel as up Router logic channel10 standby state up 10 Multiple Standby Interfaces with a Logic Channel Take both logic channel 3 on interface Serial 1 and interface Serial 2 a...

Page 656: ...logic channel 5 and set logic channel 3 and interface Serial 1 as its standby interfaces their priorities being 50 and 20 respectively Router Serial1 logic channel 5 Router logic channel5 standby logic channel 3 50 Router logic channel5 standby interface serial 2 20 ...

Page 657: ...l network segment go through the default route to Router 1 to implement communication between the host and the external network When Router 1 breaks down in this network segment all the hosts that regard Router 1 as the default route next hop stop the communication with the external network Figure 207 LAN networking scheme To solve this problem VRRP is designed for LANs with multi casting and broa...

Page 658: ...backup router function as the new master router to continue serving the host with routing to avoid interrupting the communication between the host and the external networks For the details of VRRP refer to RFC 2338 Configuring VRRP Configuring VRRP includes tasks that are described in the following section s Add Virtual IP AddAdding a Virtual IP Addressress Configuring Router Priority in a Standby...

Page 659: ... virtual IP address from the virtual address list on a standby group After the last virtual IP address has been deleted from the standby group this standby group is also deleted Then this standby group no longer exists on this interface and all the configurations of this standby group are no longer valid Configuring Router Priority in a Standby Group The status of each router in a standby group ca...

Page 660: ...hentication Key VRRP provides simple character authentication method In a secure network authentication can be configured to No which means no authentication will be conducted by the router to the VRRP packets being sent out And the router receiving the VRRP packets will take them as true and legal without any authentication In this case no authentication key is needed In a network under possible ...

Page 661: ...er_down_interval is 3 seconds Monitoring the Specified Interface The interface monitoring function of VRRP expands backup function when the interface of the router is unavailable it is regarded that the router is not stable hence it should not act as a master router After the interface monitoring function is set the router s priority will be adjusted dynamically according to the state of the inter...

Page 662: ...ter A Router Ethernet0 vrrp vrid 1 virtual ip 202 38 160 111 Router Ethernet0 vrrp vrid 1 priority 120 2 Configure router B Router Ethernet0 vrrp vrid 1 virtual ip 202 38 160 111 The standby group can be used immediately after configuration The default gateway of host A can be set as 202 38 160 111 Under normal conditions router A functions as the gateway but when router A is turned off or malfunc...

Page 663: ... will be reduced by 30 lower than that of router B so that router B will preempt to function as master for gateway services instead When Serial0 the interface of router A recovers this router will resume its gateway function as the master Multiple Standby Groups Configuration One 3Com router is allowed to function as the standby router for many standby groups See Figure 209 Such a multi backup con...

Page 664: ...eeds no manual intervention Another is the long coexistence of many master routers which may be caused by failure to receive VRRP packets between master routers or the reception of illegal packets To solve these problems try to ping the many master routers If that fails it indicates faults in the links between routers and it is necessary to check the links If they can be pinged through it indicate...

Page 665: ...XI QOS Chapter 47 QoS Overview Chapter 48 Traffic Policing Traffic Shaping and Line Rate Chapter 49 Congestion Management Chapter 50 Congestion Avoidance ...

Page 666: ...662 ...

Page 667: ...andwidth of the network however the increase in bandwidth is so limited and so expensive that it only relieves this problem to some extent The provision of QoS is the basic requirements for future IP networks Quality of Service QoS refers to a series of technology integrations to obtain the expected service level with respect to the throughput delayed jitter delay and packet loss ratio for users I...

Page 668: ...cket at the same rate CIR The CBS the C bucket is generally smaller than EBS the E bucket When traffic conformance is being evaluated if the C bucket has sufficient tokens the traffic is said to conform to allowable burst levels If the C Bucket is short of tokens but the E bucket has sufficient tokens the traffic partially conforms to allowable burst levels If both the C and E buckets are short of...

Page 669: ...y using QoS the adjustable network services of different priority levels can be provided to various types of clients Secure network services for specific data flows For example it can ensure that the multimedia data flows and voice flows sensitive to the delay will acquire the service in time ...

Page 670: ...666 CHAPTER 47 QOS OVERVIEW ...

Page 671: ...e specific destination addresses are classified at a high priority level Traffic Policing Overview An Internet service provider ISP must control the traffic and load sent by users in the network For an enterprise network if the control can be performed on the traffics of some applications it must be an effective method for controlling the network conditions The typical function of t traffic polici...

Page 672: ...ckets can also be dropped directly which is completely dependent on the agreement and rules between the operators and users Token bucket feature The token bucket may be regarded as a container that stores tokens The system puts tokens into the bucket at the set speed When the bucket is full of tokens the excessive tokens overflow and the number of the tokens in the bucket does not increase Figure ...

Page 673: ...ata traffic size before the amount of some traffic exceeds the line rate At this rate the service quality of the data can be guaranteed Excess Burst Size EBS The burst data traffic size before the amount of all traffic exceeds the line rate At this rate the service quality of the data cannot be guaranteed With two token buckets the rates for putting in the tokens are the same that is CIR While the...

Page 674: ... of CAR rules can also be used in which a packet is matched with successive CAR rules Multiple CAR rules can be used on an interface The router can attempt to match the CAR rules in configured order until it matches one successfully If no matched rules are found rate limiting is not implemented CAR Configuration CAR configuration includes Defining Rules Applying the CAR Policy on the Interface Dis...

Page 675: ...each interface both inbound and outbound directions a total of 100 CAR policies can be applied Up to 100 CAR policies can be applied on one interface inbound and outbound directions You must disable fast forwarding before applying the CAR policies Enter the acl view acl acl number match order config auto Configure the extended access control list rule normal special permit deny pro number source s...

Page 676: ...00 cbs 15000 ebs 8000 conform pass exceed discard CAR policy is applied to all the packets that are output from router A Ethernet 1 RouterA Ethernet1 ip address 191 0 0 1 255 255 255 0 RouterA Ethernet1 qos car outbound any cir 8000 cbs 15000 ebs 8000 conform pass exceed discard Configure the Priority Level Based CAR Policy The packet that is input to router A serial interface 0 are matched with t...

Page 677: ...d acl 2 cir 8000 cbs 15000 ebs 8000 conform pass exceed discard Configure the CAR Policy Based on the MAC Address The packet input to router A serial interface 0 the source address of the packet is 00e0 34b0 7676 is matched with the CAR policy based on MAC address A packet that meets the conditions after its priority level value is changed to 7 will be sent continuously and dropped if it does not ...

Page 678: ...outerA Serial0 ip address 10 0 0 1 255 255 255 0 RouterA Serial0 qos car inbound acl 1 cir 8000 cbs 15000 ebs 8000 conform pass exceed discard The CAR policy is applied to the packet that is output from router A serial interface 1 and matches ACL RouterA acl 1 RouterA acl 1 rule permit source 11 0 0 1 0 0 0 0 RouterA acl 1 rule permit source 11 0 0 2 0 0 0 0 RouterA acl 1 interface serial 0 Router...

Page 679: ...eue of the interface To reduce the unnecessary loss of the packet GTS processing is performed on the packet in the upstream router egress and the packet that exceeds the GTS traffic characteristics are buffered on the interface buffer When the network congestion is removed GTS again takes out the packet from the buffer queue and continues to send Thus the packets sent to the downstream router will...

Page 680: ...g all the traffic shaping parameters Displaying and Debugging Traffic Shaping Table 716 Display and Debug Traffic Shaping GTS Configuration Example 1 Configure the ACL Router acl 110 Router acl 110 rule permit udp source any destination any Shape the flows matching 110 on Ethernet interface 0 Router acl 110 interface ethernet0 Router Ethernet0 qos gts acl 110 cir 2000000 cbs 120000 ebs 120000 Oper...

Page 681: ...ere is no token in the token bucket the packet cannot be sent until a new token is generated in the token bucket Thus there is a limitation that packet traffic cannot be larger than the generating speed of the token therefore it realizes that the traffic is limited and burst traffic is allowed to pass through at the same time Compared with CAR LR can limit all the packets passing through the physi...

Page 682: ...ING TRAFFIC SHAPING AND LINE RATE Displaying and Debugging LR Table 718 Display and Debug LR Operation Command Display the LR configuration conditions and statistic information of the interface display qos lr interface type number ...

Page 683: ...ecause of a timeout which can cause a communication failure There are many factors causing congestion For example when the data packet flow enters the router through the high speed link and is then transmitted through the low speed link congestion can occur When the data packet flow enters the router simultaneously from multiple interfaces and is transmitted from one interface or the processor slo...

Page 684: ... order of data packet from the interface depends on the order in which the data packet arrives at this interface at this time the queuing and de queuing orders of the packet are the same FIFO provides the basic storage and transmission capabilities Priority Queuing In Priority Queueing PQ mode you can flexibly specify the priority queues which the packets enter according to the fields packet lengt...

Page 685: ... or type of the communication However when using the FIFO policy some low priority data in abnormal operation may consume most of available bandwidths and occupy the entire queue which causes the delay of the burst data source and the important communication may be thereby discarded PQ can assure some communication transmission with higher priority That is the strict priority sequence is conducted...

Page 686: ...teed PQ 4 The absolute priority can be provided to various service data and the delay of the real time application sensitive to time such as VolP can be guaranteed The bandwidth occupation of the packet with the priority service may have the absolute priority 1 It needs to be configured and the processing speed is slow 2 If the bandwidth of the packet with high priority is not restricted it will c...

Page 687: ...the PQ queue is used to provide strict priority levels for important network data It can flexibly specify the priority order according to the network protocol such as IP or IPX the interface into which the data are input the length of the packet and the source address destination address and other features Figure 219 Schematic diagram of the priority queuing When the packets arrive at the interfac...

Page 688: ...patching the queue the data packets in the system queue are first transmitted Before the system queue is empty a certain number of data packets from user queues 1 to 16 are not extracted and sent out according to the predetermined configured proportion using polling method Figure 220 Schematic diagram of the custom queuing PQ assigns the absolute priority to the data packets with higher priority c...

Page 689: ... and B ready to be transmitted in the view of the statistic results the proportion between the bandwidths allocated to the key services and the bandwidths allocated to the non key services is approximately 3 1 Weighted Fair Queuing WFQ Weighted fair queuing WFQ is based on the guarantee of fair bandwidth delay and reflects the weighted value that is dependent on the PI priority carried in the IP p...

Page 690: ... priority list queuing group to the interface Specifying the queue length of the priority list queuing Configuring priority queuing The priority queuing classifies the packets according to a given policy and all the packets are divided into 4 classifications each of which corresponds to one of the 4 queues of PQ respectively Then the packet is input to the corresponding queue according to its clas...

Page 691: ...llowing configurations in the system view Table 723 Configure the Priority List Queuing According to the Interface Operation Command Configure the priority queue according to the network layer protocol qos pql pql index protocol protocol name queue option queue top middle normal bottom Delete the classification policy in the priority queue undo qos pql pql index protocol protocol name queue option...

Page 692: ...o function the configured priority queue group must be applied to the specific interface Every interface can only use one priority queue group but one priority queue can be applied to multiple interfaces Multiple different priority queues group can be established to apply to different interfaces Perform the following configurations in the interface view Table 725 Apply the Priority List Queuing Gr...

Page 693: ... continuously transmitted by polling every queue Every time the packets are transmitted the packets in queues 1 to 16 are transmitted sequentially and the number of the transmitted bytes for every transmission is not less than the number of the specified bytes in this queue until this queue is empty Multiple custom queues can be configured and the data packet will be matched by the system accordin...

Page 694: ...ations in the system view Table 731 Configure the Default Custom List Queuing Multiple policies can be defined for the group of the custom list queues which is then applied to an interface When the data packet arrives at the interface the data packet is matched by the system according to the configured policy and the data packet is input to the specified custom queue if it matches with the policy ...

Page 695: ...tinuously transmitted bytes of the custom queue The number of bytes of the continuously transmitted packets the total number of the accommodated bytes may be specified for each custom queue Perform the following configurations in the system view Table 734 Configure the Number of the Continuously Transmitted Bytes of the Custom Queuing By default the number of bytes transmitted by respective queues...

Page 696: ...eighted fair queuing perform the following configurations in the interface view Configuring Weighted fair queuing Displaying and debugging the weighted fair queue Configuring Weighted fair queuing Table 736 Configure Weighted Fair Queuing By default the adopted congestion management policy is FIFO By default max queue length is 64 packets discard threshold can range from 1 to 1024 packets total qu...

Page 697: ...priority queue to 10 while the lengths of other queues utilize the default values Router qos pql 1 queue top queue length 10 4 Apply the priority queue 1 to Serial 0 Router Serial0 qos pq pql 1 5 One policy is defined for the group 2 of the priority queue so that all the IP packets from the Serial 1 interface are inputted into the queue with the priority level of middle Router qos pql 2 inbound in...

Page 698: ...rving 1000 RouterA qos cql 1 protocol ip acl 107 queue 1 RouterA qos cql 1 protocol ip acl 108 queue 2 b Configure Serial0 master slave addresses RouterA Serial0 ip address 192 168 0 1 255 255 255 252 RouterA Serial0 ip address 192 168 1 1 255 255 255 252 sub c Apply the CQ queue 1 to Serial0 RouterA Serial0 qos cq cql d Configure Tunnel0 RouterA Tunnel0 ip address 10 1 1 1 255 255 255 0 RouterA T...

Page 699: ...7 queue 1 RouterB qos cql 1 protocol ip acl 108 queue 2 CQ restricts the traffic in Tunnel0 that is larger than that in tunnel1 and CQ is effective at the exit c Configure Serial0 master slave addresses RouterB Serial0 ip address 192 168 0 2 255 255 255 252 RouterB Serial0 ip address 192 168 1 2 255 255 255 252 sub d Apply the CQ queue 1 to Serial0 RouterB Serial0 qos cq cql 1 e Configure Tunnel0 ...

Page 700: ...696 CHAPTER 49 CONGESTION MANAGEMENT ...

Page 701: ...n the router discards the packet it does not reject the cooperation with the flow control action such as the TCP flow control of the source end so as to adjust the traffic of the network to a rational load status in a more efficient way The combination of a good drop policy and source end flow control mechanism always pursue the maximization of the network throughput and service efficiency and the...

Page 702: ...reatment on the burst data flow and be disadvantageous for the transmission of the data flow Therefore when comparing the minimum and maximum thresholds and when dropping the average lengths of the queue are adopted this is to set the relative value of the comparison between the queue threshold and the average length The average length of the queue is the result of the low pass filtering of the qu...

Page 703: ...robability of the high priority packets The 3Com router takes WRED as its congestion avoidance policy WRED Configuration WRED configuration includes Enable the WRED Function of the Interface Configure Weight Factors when Calculating WRED Average Queue Length Set the Priority Parameters for WRED Enable the WRED Function of the Interface WRED must first be enabled and then other parameters related t...

Page 704: ...ts will be dropped Please perform the following configurations in the interface view Table 740 Configure the Related Parameters for the Packets of Specific IP Priority ip precedence is the IP precedence and the range of the value is 0 to 7 low limit and high limit are the minimum and maximum thresholds respectively The default values are 10 and 30 respectively and the range of the value is 1 to 10...

Page 705: ...ed 3 Configure the exponent to calculate the average WRED queue length Router Ethernet0 qos wred weighting constant 1 4 Configure the lower threshold upper threshold and drop probability denominator of the WRED queue with precedence 0 to be 10 1024 and 30 respectively Router Ethernet0 qos wred ip precedence 0 low limit 10 high limit 1024 discard probability 30 Operation Command Display the WRED co...

Page 706: ...702 CHAPTER 50 CONGESTION AVOIDANCE ...

Page 707: ...XII DIAL UP Chapter 51 Configuring DCC Chapter 52 Configuring Modem ...

Page 708: ...704 ...

Page 709: ...ons In practice DCC guarantees the priority of communications through designated backup lines In the case that a primary line for normal communications become unavailable for any reasons DCC uses the designated backup channels to carry out the communications to assure the required services are timely completed Frame Relay network through a leased line To reduce the cost you can adopt frame relay o...

Page 710: ...ialer circular group inherit the attributes of the same dialer interface Through configuring the dialer route command a dialer interface can be associated with multiple dialing destination addresses Through configuring the dialer number command however a dialer can only be associated with one dialing destination address In addition all the B channels on an ISDN BRI interface inherit the configurat...

Page 711: ... which is specified in the dialer number command Each logical dial dialer interface can use the services provided by multiple physical interfaces and each physical interface can serve multiple dialer interfaces at the same time Dial attributes are described based on RS attributes set in implementing resource shared DCC All the calls originated to the same destination network use the same RS attrib...

Page 712: ... and Frame Relay on dial interfaces physical or dialer interfaces Network layer protocols such as IP IPX and Bridge on dial interfaces Dynamic routing protocols such as RIP and OSPF on dial interfaces Flexible dial interface standby modes Modem control on asynchronous dial interfaces for managing various modems Implementing callback through DCC In callback the called party originates a return call...

Page 713: ...figure the basic DCC parameters according to the selected DCC configuration method circular DCC or resource shared DCC to enable the initial DCC implementation Configure MP binding PPP callback ISDN caller identification callback ISDN leased line auto dial or a combination of these in addition to the basic DCC configuration if special applications are required Alternatively depending on the actual...

Page 714: ...ace through the ip address or ipx network command and perform other configurations in system view Table 743 Configure Link Layer and Network and Routing Protocols on the Interface The linklayer protocol type can be SLIP PPP or Frame Relay For configuration details see the related section in Operation Manual Link Layer Protocol Operation Manual Network Protocol and Operation Manual Routing Protocol...

Page 715: ...CL and associate the corresponding interface physical or dialer interface to the dialer ACL through the dialer group command Otherwise DCC cannot normally renominate a call The user can either directly configure the conditions for filtering packets in the DCC dialer ACL or reference the filtering rules in an ACL Perform the configuration of the dialer group command in dial interface physical or di...

Page 716: ... interfaces can both originate and receive calls the user can flexibly use one configuration or the combination of several configurations in the Circular DCC configurations introduced below In the circular DCC implementation of DCC the two dial parties can configure Password Authentication Protocol PAP or Challenge Handshake Authentication Protocol CHAP authentication However the other party must ...

Page 717: ... interfaces but disabled on other interfaces serial asynchronous AUX etc and the user should manually configure the dialer enable circular command No dialer number for calling the remote end is configured by default Configure an interface to receive calls from a remote end Perform the following configuration steps after the basic DCC configuration is implemented As shown in the following figure a ...

Page 718: ...uters irrelevant with the specific networking Figure 228 An interface placing calls to multiple remote ends As shown in the above figure a single local interface interface0 if0 originates DCC calls to the remote interfaces if1 and if2 Since calls are originated to multiple remote ends the user must use the dialer route command to configure the dialer numbers and destination addresses Since the cal...

Page 719: ...n perform other configuration steps in the dial interface physical or dialer interface view Table 748 Configure a Local Interface to Receive Calls from Multiple Remote Ends By default circular DCC is enabled on ISDN BRI and PRI interfaces but disabled on other interfaces serial asynchronous AUX etc and the user should manually configure the dialer enable circular command No authentication paramete...

Page 720: ...erface dialer command to create a dialer interface in global view add it to the specified dialer circular group through the dialer circular group command and perform other configuration processes in dialer interface view Table 749 Configure Multiple Local Interfaces to Originate Calls to Multiple Remote Ends Operation Command Enable Circular DCC dialer enable circular Configure the destination add...

Page 721: ...e user can select to configure either PAP or CHAP authentication Use the local user password command to configure the user name and password permitted to dial in system view and perform other configurations in dial interface physical or dialer interface view Table 750 Configure Multiple Local Interfaces to Receive Calls From Multiple Remote Ends By default circular DCC is enabled on ISDN BRI and P...

Page 722: ...ent dialer interfaces are used for placing calls to different remote ends That is one dialer interface only corresponds to one remote end Through adding a physical interface to the bundle of some dialer interfaces the interface can originate calls as needed When configure resource shared DCC based on RS attribute set a physical interface only needs to be configured with the link layer protocol and...

Page 723: ...erface dialer command to create a dialer interface in system view then perform other configurations in dialer interface view Table 752 Configure a Dialer Interface and Dialer Number By default no dialer interface is created Creating dialer bundle and assigning physical interfaces to it To implement the resource shared DCC the system selects a physical interface based on the dialing priority from a...

Page 724: ...r interface for receiving calls then the command dialer user is a must and the command dialer number is optional While Frame Relay is encapsulated on a Dialer interface because of no username negotiation procedure the called end will distinguish Dialer interfaces according to the received number dialed by calling end hence the command dialer user is optional and the command dialer number is a must...

Page 725: ...d to configure the dialer threshold command on dialer interfaces If a physical interface is an ISDN BRI or PRI interface the user can either use a dialer circular group or directly configure MP binding on the physical interface After the dialer threshold command is configured on a dialer interface if the percentage of the traffic on a physical interface or B channels to the bandwidth exceeds the t...

Page 726: ...and the called party is the callback server The client first originates a call and the server determines whether to originate a return call If it determines to do that the callback server disconnects and then originates a return call according to the information such as user name or callback number Configure PPP callback after completing the basic configuration of Circular DCC or Resource Shared D...

Page 727: ... the local end to send the user name and password for PAP authentication ppp pap local user username password cipher simple password Configure the local user name sent to the remote end for CHAP authentication ppp chap user username Configure the password that the local end will send to the remote end for CHAP authentication ppp chap password cipher simple password Configure the user name and pass...

Page 728: ...lementation must use the dialer number command to configure a dial number See Configure PPP callback client in the circular DCC implementation in Dial up Perform the following configuration in dialer interface view Table 759 Implement PPP Callback Client Configuration in Resource Shared DCC Configure the callback user and callback number local user username callback number telephone number Configu...

Page 729: ...cation callback the callback server can process a incoming call in three ways depending on the matching result of the calling number and the dialer call in command at the local end Denies the incoming call The dialer call in command has been configured but no match is found for the dial in number and the configured dialer callers Accepts the incoming call The dialer call in command is not configur...

Page 730: ...ementation perform the following configuration in dial interface physical or dialer interface view Table 762 Implement ISDN Caller Identification Callback Server Configuration in Circular DCC By default callback according to ISDN caller identification is not configured The dialer route command configured on the dial interface physical or dialer at the server should be exactly the same dialer route...

Page 731: ...rform the following configuration in dial interface ISDN BRI or PRI interface view Table 765 Configure ISDN leased line for Circular DCC By default no B channel is configured for ISDN leased line connection Configuring auto dial This function can only be used with circular DCC With a circular DCC after the router is started the DCC will automatically attempt to dial the remote end of the connectio...

Page 732: ... Number Circular Standby Configuring Attributes of DCC Dial Interface Circular DCC and resource shared DCC also have some optional parameters to improve configuration flexibility improve DCC efficiency and hence satisfies various requirements DCC dial interface attributes configuration includes Configuring the Link Idle Time Configuring the link disconnection time before initiating the next call C...

Page 733: ...tion of contention occurs Normally after a line is set up idle timeout timer will take effect However if a call to a different destination address is originated at this time competion will occur In this case DCC replaces the idle timeout timer with the compete idle timer In other words the line will be automatically disconnected after the line idle time exceeds the time specified by the compete id...

Page 734: ...d rather than discarded Perform the following configuration in dial interface physical or dialer interface view Table 772 Configure the Buffer Queue Length of the Dial Interface By default no buffer queues are configured on dial interfaces Displaying and Debugging DCC After completing the above configuration steps execute the display command in all views to display the running of the DCC configura...

Page 735: ... 1 1 2 Figure 233 Network of a DCC application in common use Solution 1 Establish a connection via the serial interface by using Circular DCC configure the DCC parameters on the dialer interface for RouterA with the help of a dialer circular group and directly configure the DCC parameters on the physical interfaces on RouterB and RouterC 1 Configure RouterA Router dialer rule 1 ip permit Router in...

Page 736: ... Solution 2 Establish a connection via the serial interfaces by using Resource Shared DCC and configure the DCC parameters on the dialer interfaces a Configure RouterA Router dialer rule 1 ip permit Router local user userb password simple userb Router local user userc password simple userc Router interface dialer 0 Router Dialer0 ip address 100 1 1 1 255 255 255 0 Router Dialer0 undo dialer enable...

Page 737: ...up 2 Router Dialer0 ppp authentication mode pap Router Dialer0 ppp pap local user userb password simple userb Router Dialer0 interface serial 0 Router Serial0 physical mode async Router Serial0 modem Router Serial0 dialer bundle member 1 Router Serial0 link protocol ppp Router Serial0 ppp authentication mode pap Router Serial0 ppp pap local user userb password simple usera 5 Configure RouterC Rout...

Page 738: ... 1 1 8810048 Solution 4 Establish a connection via the ISDN BRI or PRI interfaces by using Resource Shared DCC and configure the DCC parameters on the dialer interfaces 1 Configure RouterA Router dialer rule 1 ip permit Router local user userb password simple userb Router local user userc password simple userc Router interface dialer 0 Router Dialer0 ip address 100 1 1 1 255 255 255 0 Router Diale...

Page 739: ...r 0 Router Dialer0 ip address 122 1 1 2 255 255 255 0 Router Dialer0 undo dialer enable circular Router Dialer0 dialer bundle 1 Router Dialer0 dialer number 8810148 Router Dialer0 dialer user usera Router Dialer0 dialer group 1 Router Dialer0 ppp authentication mode pap Router Dialer0 ppp pap local user userc password simple userc Router Dialer0 interface bri 0 Router Bri0 undo dialer enable circu...

Page 740: ...hentication mode pap Router Bri0 ppp pap local user usera password simple usera Router Bri0 interface bri 1 Router Bri1 undo dialer enable circular Router Bri1 dialer bundle member 1 Router Bri1 ppp mp Router Bri1 link protocol ppp Router Bri1 ppp authentication mode pap Router Bri1 ppp pap local user usera password simple usera 2 Configure RouterB Router dialer rule 2 ip permit Router local user ...

Page 741: ... Configure RouterA Router dialer rule 1 ip permit Router interface bri 0 Router Bri0 ip address 100 1 1 1 255 255 255 0 Router Bri0 dialer isdn leased 2 Router Bri0 dialer group 1 Router Bri0 dialer route ip 100 1 1 2 8810152 2 Configure RouterB Router dialer rule 2 ip permit Router interface bri 1 Router Bri1 ip address 100 1 1 2 255 255 255 0 Router Bri1 dialer isdn leased 1 Router Bri1 dialer g...

Page 742: ...p callback client 2 Configure RouterB Router dialer rule 2 ip permit Router local user usera password simple usera Router interface serial 1 Router Serial1 ip address 100 1 1 2 255 255 255 0 Router Serial1 physical mode async Router Serial1 modem Router Serial1 dialer enable circular Router Serial1 dialer group 2 Router Serial1 dialer route ip 100 1 1 1 user usera 8810048 Router Serial1 dialer cal...

Page 743: ...tion mode pap Router Serial1 ppp callback server Solution 3 Use Circular DCC to implement ISDN caller identification callback 1 Configure RouterA Router dialer rule 1 ip permit Router interface bri 0 Router Bri0 ip address 100 1 1 1 255 255 255 0 Router Bri0 dialer group 1 Router Bri0 dialer route ip 100 1 1 2 user usera 8810152 2 Configure RouterB Router dialer rule 2 ip permit Router interface b...

Page 744: ... serial 0 Router Serial0 ip address 100 1 1 1 255 255 255 0 Router Serial0 remote address 100 1 1 2 Router Serial0 physical mode async Router Serial0 modem Router Serial0 dialer enable circular Router Serial0 dialer group 1 Router Serial0 dialer route ip 100 1 1 2 user userpc 8810052 Router Serial0 dialer callback center user Router Serial0 link protocol ppp Router Serial0 ppp authentication mode ...

Page 745: ...the modem attribute to Dial out and dial in If the modem has been installed click Configure Click the Network button on the right to set the network attributes of RAS including Select TCP IP in both Dial out protocol and Server setting Click Configure on the right to configure an address assignment method for the dial in client It can be either Use DHCP or Use static address set Select Allow any a...

Page 746: ...s 8810048 to 8810055 from the telecommunications service provider ISDN dial number is 8810148 which provides services for 16 network users Figure 239 Network for the DCC application providing dial number circular standby and accessing service Solution 1 Configure dial number circular standby on the dialing parties adopt Circular DCC to set up connections on the 8 asynchronous serial interfaces at ...

Page 747: ...0 ppp authentication mode pap Router Dialer0 ppp pap local user userc password simple passc Router Dialer0 interface async 1 Router Async1 dialer circular group 0 Router Async1 link protocol ppp Router Async1 ppp authentication mode pap Router Async1 interface async 2 Router Async2 dialer circular group 0 Router Async7 interface async 8 Router Async8 dialer circular group 0 Router Async8 link prot...

Page 748: ...erial 2 15 Router Serial2 15 ip address 100 1 1 254 255 255 255 0 Router Serial2 15 remote address pool 1 Router Serial2 15 dialer enable circular Router Serial2 15 dialer group 2 Router Serial2 15 link protocol ppp Router Serial2 15 ppp authentication mode chap Router Serial2 15 ppp chap user userb Router Serial2 15 ppp chap password simple passb Logical Interface Standby through Dialer route for...

Page 749: ... Configure RouterB Router dialer rule 2 ip permit Router interface serial 0 Router Serial0 physical mode async Router Serial0 modem Router Serial0 ip address 100 1 1 2 255 255 255 0 Router Serial0 dialer enable circular Router Serial0 dialer group 2 Router Serial0 dialer route ip 100 1 1 1 8810059 logic channel 1 Router Serial0 interface serial 1 Router Serial1 ip address 200 1 1 2 255 255 255 0 R...

Page 750: ...m initialization process is correct For the synchronous asynchronous serial interface check whether it is configured to asynchronous and dialing mode Check whether DCC has been enabled on the dial interface Check whether the corresponding dialer route or dialer number command has been configured for the packet The remote end cannot be pinged after the modem is connected Do the following Check whet...

Page 751: ... inconsistent with name configured for PPP authentication and the dialer route at the remote end does not contain the local network address The remote end disconnects the connection because the remote DCC idle timeout timer has timed out Solution If PPP configuration is incorrect or name configurations are inconsistent implement the configuration as shown in the above example If it is the problem ...

Page 752: ...lity of the phone line is bad DCC The interface has no dialer group discard the packet The debugging information is probably outputted because the dialer group command has not been configured on the corresponding dialer interface or the physical interface on which DCC is directly enabled To solve the problem refer to the previous example to make the configuration DCC there is not a dialer number o...

Page 753: ...erface works in flow mode the user can establish a remote connection to the interface through the dumb terminal or modem dialup to configure and manage the router Directly send AT commands to the modem via the serial interface for managing the modem Interwork with the equipment of other equipment vendors That is the asynchronous serial interfaces of the participating parties are working in the flo...

Page 754: ...ched with any expected receive strings which are separated with The default timeout time waiting for a receive string is 5 seconds TIMEOUT seconds can be inserted into the script anytime to adjust the timeout time waiting for the receive string which is valid till a new TIMEOUT is set in the same script All the strings and keywords in a script are case sensitive Both the strings and keywords are s...

Page 755: ...rings sent from a modems or remote DTE device for a match The match mode is full match Multiple ABORT entries can be configured for a script and all of them take effect in the whole script execution period TIMEOUT seconds The digit following TIMEOUT is used to set the timeout interval that the device waits for receiving strings If no expected strings are received within the interval the execution ...

Page 756: ...ociating modem scripts with events is to automatically execute the corresponding script after a particular event occurs to the router In 3Com routers the following script events are supported An outgoing call is established to a line The specified script will be executed if a modem outgoing call is established An incoming call is established to a line The specified script will be executed if a mod...

Page 757: ... User The command modem login is configured to authenticate the name and password of the dial in user Generally this command is used together with the command of script trigger connect thus many usernames can login at the same interface Perform the following configuration in interface asynchronous serial AUX or AM interface view Operation Command Specify the automatically executed modem script whe...

Page 758: ...m baud rate and send the AT command to the modem If OK is received from the modem it indicates that the modem can automatically adapt to the corresponding baud rate Then write the configuration into the modem for conservation and the corresponding AT command is AT W Figure 241 Network of the configuration for the router to manage the modem 1 Configure a modem script Router script string baud AT OK...

Page 759: ...umentation to learn how the modem locks the modem speed check the settings b j q n or s register settings The modem must use the data carrier detect DCD to indicate when a connection is established with a remote end Most modems use the c1 command to implement the configuration Refer to the modem documentation for details The modem must disconnect the modem active connections via the data terminal ...

Page 760: ... can logging in network and those who have failed the authentication are not allowed to log in Figure 242 Network of authentication for modem dial in user 1 Configure a modem script Router script string welcome Welcome use 3Com router 2 Configure a modem user and enable AAA authentication Router local user testuser password simple testuser service exec operator Router aaa enable Router aaa authent...

Page 761: ...Troubleshooting 757 If the modem is still in abnormal status proceed to run the AT string such as AT F OK ATE0S0 0 C1 D2 OK AT W on the router physical interface connected to the modem ...

Page 762: ...758 CHAPTER 52 CONFIGURING MODEM ...

Reviews:

No comments

Related manuals for 3036

Watchguard AP200 Setup Manual preview
AP200
Brand: Watchguard Pages: 40
D-Link DI-106 Series Faq preview
DI-106 Series
Brand: D-Link Pages: 29
D-Link DGS-3700 Series User Manual preview
DGS-3700 Series
Brand: D-Link Pages: 292
D-Link DGS-3224SR User Manual preview
DGS-3224SR
Brand: D-Link Pages: 140
D-Link DGS-1224T - Web Smart Switch User Manual preview
DGS-1224T - Web Smart Switch
Brand: D-Link Pages: 61
D-Link DI-LB604 - Load Balancing Router Quick Installation Manual preview
DI-LB604 - Load Balancing Router
Brand: D-Link Pages: 14
D-Link DIR-605L Specification preview
DIR-605L
Brand: D-Link Pages: 2
D-Link DIR-510L Manual preview
DIR-510L
Brand: D-Link Pages: 45
D-Link DES-3550 Manual preview
DES-3550
Brand: D-Link Pages: 218
D-Link DES-3528 - xStack Switch - Stackable User Manual preview
DES-3528 - xStack Switch - Stackable
Brand: D-Link Pages: 322
D-Link DIR-130 - Broadband VPN Router How To Set Up preview
DIR-130 - Broadband VPN Router
Brand: D-Link Pages: 10
D-Link DIR-130 - Broadband VPN Router Troubleshooting Manual preview
DIR-130 - Broadband VPN Router
Brand: D-Link Pages: 4
D-Link DIR-130 - Broadband VPN Router Configuration preview
DIR-130 - Broadband VPN Router
Brand: D-Link Pages: 13
D-Link DIR Series Configuration Manual preview
DIR Series
Brand: D-Link Pages: 13
D-Link DI-804HV - Express ENwork Router Configuration Manual preview
DI-804HV - Express ENwork Router
Brand: D-Link Pages: 19
D-Link DI-808HV Quick Installation Manual preview
DI-808HV
Brand: D-Link Pages: 12
D-Link DI-804 Quick Install Manual preview
DI-804
Brand: D-Link Pages: 8
D-Link DI-604UP Quick Install Manual preview
DI-604UP
Brand: D-Link Pages: 16

Brands by name

Popular brands

Load more brands