3Com Router 3033 Скачать руководство пользователя

Страница: 18 / 63

2.2 The Basic Message Interaction Flow of

For example, use to implement AAA on a telnet user, and the basic

message interaction flow described below is used:

1) A user requests access to the router. The router( client) sends the

authentication start packet to the server upon receipt of the request.

2) The server sends an authentication response packet requesting the

user name. The router ( client) asks the user for the user name upon

receipt of the response packet.

3) After receiving the user name from the user, the router ( client) sends

the authentication packet to the carrying the user name.

The server sends back an authentication response packet, requesting

the login password. Upon receipt of the response packet, the router (

client) requests the user for the login password.

5) The router ( client) sends an authentication packet carrying the login

password to the server.

6) The server sends back the authentication response packet indicating

that the user has passed the authentication.

7) The router ( client) sends the user authorization packet to the

server.

8) The server sends back the authorization response packet, indicating

that the user has passed the authorization.

9) Upon receipt of the response packet indicating an authorization success, the

router ( client) pushes the configuration interface of the router to the

user.

10) The router ( client) sends the accounting start request packet to the

server

11) The server sends back an accounting response packet, indicating that

it has received the accounting start request packet.

12) The user quits, and the router ( client) sends the accounting stop

packet to the server.

13) The server sends back the accounting stop packet, indicating that the

accounting stop request packet has been received.

The following figure illustrates the basic message interaction flow:

3Com Router Configuration Guide Addendum for V1.20

Содержание Router 3033

Страница 1: ...3ComRouter Configuration Guide for V1 20 http www 3com com Part No 10014303 Published January 2004 ...

Страница 2: ...rt 3com com infodeli tools routers R3000Install pdf Download the Router 5000 Installation Guide from http support 3com com infodeli tools routers 5000Install pdf Download the 3Com Router Command Reference Guide from http support 3com com infodeli tools routers 3ComRouterComRef pdf Download the 3Com Router Configuration Guide from http support 3com com infodeli tools routers 3com_configuration_guid...

Страница 3: ...ive data flow may not be sent out in time Therefore PQ is introduced to CBQ to create low latency queuing LLQ which provides strictly preferred sending service for such delay sensitive data flow as voice packets LLQ strictly combines PQ with CBQ When a user defines a class he can specify it to accept strict priority service The class of this type is called priority class All packets of the priorit...

Страница 4: ...es of a class Define the policy and enter the policy view Configure class in policy and enter policy class view Configure features of a class Apply a policy to an interface 1 2 1 Define a Class and Enter the Class View Defines a class and enters class view Perform the following configurations in the system view Table 1 1 Define a class and enter the class view Operation Command Define a Class and ...

Страница 5: ...ass A directly or indirectly 3 Define the ACL matching rule Perform the following configurations in class view Table 1 4 Define delete ACL matching rule Operation Command Define ACL matching rule if match logic not acl acl number Delete ACL matching rule undo if match logic not acl acl number 4 Define the MAC address matching rule Perform the following configurations in class view Table 1 5 Define...

Страница 6: ...erv services are classified and traffic is controlled according to service requirements at the network ingress Simultaneously DSCP is set Communication including resource allocation packet discard policy etc is classified and served on the basis of the grouped DSCP values You can set classified matching rules according to DSCP values Perform the following configurations in class view Table 1 7 Def...

Страница 7: ...ations in class view Table 1 10 Define delete IP matching rule Operation Command Define IP matching rule if match logic not protocol ip Delete IP matching rule undo if match logic not protocol ip 10 Define the rule of all packets that do not satisfy the specified matching rule Perform the following configurations in class view Table 1 11 Define delete the rule of all packets not satisfying the spe...

Страница 8: ...ined class 1 2 5 Configure Features of a Class in Policy 1 Configure bandwidth CBQ can set bandwidth and queuing length for each class Bandwidth is the minimum guarantee that the router can provide when congestion occurs If there is no congestion each class can use the bandwidth larger than the assigned one but if there is congestion for each class all the packets exceeding the assigned bandwidth ...

Страница 9: ...ng for an ordinary class or default class and configure the minimum bandwidth for them af bandwidth bandwidth pct percentage Delete the assured forwarding undo af Configure expedited forwarding for priority class and configure the maximum bandwidth and CBS for it ef bandwidth bandwidth cbs size Delete expedited forwarding undo ef This function can only be applied on the outbound direction Note Pri...

Страница 10: ...lass as random wred ip dscp value ip precedence value Restore the default setting undo wred ip dscp value ip precedence value ip dscp indicates that the DSCP value is used to calculate the drop probability of a packet Ip precedence Indicate that the IP precedence value is used to calculate drop probability of a packet which is the default setting This command cannot be used until the af command ha...

Страница 11: ...y of WRED undo wred ip dscp value value DSCP value in the range from 0 to 63 which can be any of the following keywords ef af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 cs1 cs2 cs3 cs4 cs5 or cs7 The discard mode based on WRED should have been enabled via the wred ip dscp command When the configuration of qos wred is deleted the wred ip dscp will also be deleted When the af configura...

Страница 12: ... it This value ranges from 0 to 63 remark prec pass new prec Set new IP priority new prec and send it This value ranges from 0 to 7 If TP is used in the class policy applied on the interface it can be applied on both inbound and outbound interfaces When the class policy including TP feature is applied on an interface it invalidates the original qos car command If this command is repeatedly configu...

Страница 13: ... to identify packets remark ip dscp value Remove DSCP value that identifies packets undo remark ip dscp 11 Set IP precedence value to identify matched packets Perform the following configurations in the policy class view Table 1 24 Set IP precedence value to identify matched packets Operation Command Set IP precedence value to identify matched packets remark ip precedence value Set IP precedence v...

Страница 14: ...n configured on the router display qos class class name Display the configuration information of an specified policy or a specified class in all policies or all classes display qos policy policy name class class name Display the configuration information and running status of an policy on a specified interface display qos policy interface type number inbound outbound Display the configuration info...

Страница 15: ...d routes should be performed by the user independently This example only configures CBQ on Router A Router B can be configured similarly Configure Router A 1 Configure ACL rule RouterA acl 101 RouterA acl 101 rule normal permit ip source 1 1 0 0 0 0 255 255 destination any RouterA acl 102 RouterA acl 102 rule normal permit ip source 10 1 0 0 0 0 255 255 destination any 2 Configure class 1 RouterA ...

Страница 16: ... qos class 2 RouterA qospolicy c 1 2 af bandwidth 20 RouterA qospolicy c 1 2 quit 8 Configure the voice service to be priority service RouterA qospolicy 1 qos class voip RouterA qospolicy c 1 voip ef bandwidth 10 cbs 1500 RouterA qospolicy c 1 voip quit 9 Apply CBQ policy 1 to Serial0 RouterA interface serial 0 RouterA Serial0 qos apply policy outbound 1 10 Remove fast forwarding on the interface ...

Страница 17: ...rization together Is well suited to security control Is well suited to accounting Supports authorization before the configuration commands on the Router can be used Does not support authorization before configuration In a typical TACACS application a dial up or terminal user needs to log in the router for operations Working as the TACACS client in this case the router sends the user name and passw...

Страница 18: ...ing the login password to the TACACS server 6 The TACACS server sends back the authentication response packet indicating that the user has passed the authentication 7 The router TACACS client sends the user authorization packet to the TACACS server 8 The TACACS server sends back the authorization response packet indicating that the user has passed the authorization 9 Upon receipt of the response p...

Страница 19: ...rs the user name Authentication continuance packet carrying the user name Authentication response packet requesting for the password Request User for the password User enters the password Authentication continuance packet carrying the password Authentication success packet Authorization request packet Authorization success packet User is permitted Accounting start request packet Accounting start r...

Страница 20: ...ACACS server group by specifying its name hwtacacs server template template name Delete a TACACS server group by specifying its name undo hwtacacs server template template name By default no server group is configured 2 4 2 Add a TACACS Server into a TACACS Server Group After a TACACS server group is created you add TACACS servers into it Each group allows of a maximum of 5 servers Perform the fol...

Страница 21: ...r switchover interval timer quiet minutes Restore the default standby primary server switchover interval undo timer quiet The standby primary server switchover interval defaults to five minutes 2 4 4 Set a Shared Key for the AAA Negotiation Between Router and TACACS Server Setting a shared key can ensure the security of the communications between router and TACACS server By default the system does...

Страница 22: ... packet carrying an unregistered source IP address it regards the packet as illegal and hence does no processing on it Caution You must make sure that the specified source IP address is the IP address of some interface on the router and that the server maintains the route to that IP address You can configure a loopback interface on the router specify an IP address for it and use this address as th...

Страница 23: ... user user name interface interface name 2 6 Implementing AAA Using TACACS Use TACACS to implement AAA on PPP and login users Router TACACS server 10 110 1 1 TACACS server 10 110 1 2 ISDN PSTN Dial up user Terminal user S0 168 1 1 1 E1 192 10 1 1 E0 10 110 1 10 192 10 1 0 24 Accessed network Router TACACS server 10 110 1 1 TACACS server 10 110 1 2 ISDN PSTN Dial up user Terminal user S0 168 1 1 1 ...

Страница 24: ...ization scheme for login users 3Com login method authorization mode telnet login author list 8 Enable PPP authorization and use the ppp author list authorization scheme on Serial0 3Com aaa authorization scheme ppp ppp author list template tactemplate1 3Com interface serial 0 3Com Serial0 link protocol ppp 3Com Serial0 ip address 168 1 1 1 255 255 255 0 3Com Serial0 ppp authorization mode ppp autho...

Страница 25: ...0 1 1 RADIUS server 10 110 1 2 ISDN PSTN Dial up user Terminal user S0 168 1 1 1 E1 192 10 1 1 E0 10 110 1 10 192 10 1 0 24 Accessed network Router TACACS server 10 110 1 1 RADIUS server 10 110 1 2 ISDN PSTN Dial up user Terminal user S0 168 1 1 1 E1 192 10 1 1 E0 10 110 1 10 192 10 1 0 24 Accessed network Figure 2 5 Networking for the application combining TACACS and RADIUS To integrate TACACS an...

Страница 26: ...ce serial 0 3Com Serial0 link protocol ppp 3Com Serial0 ppp authentication pap scheme ppp authen list 3Com serial0 quit 9 Enable login authorization and configure an authorization scheme 3Com aaa authorization scheme login login author list template tactemplate1 10 Apply a telnet login authorization scheme 3Com login method authorization mode telnet login author list 11 Enable PPP authorization an...

Страница 27: ...tion implemented through TACACS Do the following Check whether the correct user name and password and the available services for the user have been configured on the TACACS server Check whether the TACACS server can be pinged and whether the correct address and port number and shared key of the server have been configured on the router Use the host command to reconfigure the TACACS server Due to t...

Страница 28: ...and 2 2 you can set up an SSH channel for the purpose of local or WAN connection V1 20 supports SSH Server 1 5 SSH Client enabled PC 100BASE TX Server Ethernet Workstation Laptop Router SSH Client enabled PC 100BASE TX Server Ethernet Workstation Laptop Router Set up an SSH channel in a LAN Local router WAN line Ethernet Local SSH enabled PC Local LAN Router to be configured Ethernet Remote LAN WA...

Страница 29: ... remote login protocol is Telnet instead of SSH You must set the remote login protocol supported by the system to SSH and set the maximum number of the connections Perform the following configuration in system view Table 3 1 Set remote login protocol and the maximum number of connections Operation Command Set the remote login protocol supported by the system and the allowed maximum number of conne...

Страница 30: ... configuring the SSH user you must set the SSH user s rights Administrator Operator or Guest and specify the authentication mode Perform the following configuration in system view Table 3 3 Configure authentication type for an SSH user Operation Command Configure an SSH user local user username service type ssh administrator operator guest password simple cipher password Configure an authenticatio...

Страница 31: ...guration in system view Table 3 6 Set the number of SSH authentication retries Operation Command Set the number of SSH authentication retries ssh server authentication retries times Restore the default number of SSH authentication retries undo ssh server authentication retries By default the parameter times defaults to 3 III Access the Public Key View and Edit the Key To configure public key you m...

Страница 32: ...upporting SSH1 5 lower Perform the following configuration in public key edit view Table 3 9 Edit a public key Operation Command Input the public key data hex hex data IV Assign a Public Key to an SSH User Perform this task to assign a public key that has been configured to an SSH user Perform the following configuration in system view Table 3 10 Assign a public key to an SSH user Operation Comman...

Страница 33: ...rsa local key pair public Display the client end RSA public keys display rsa peer public key brief name keyname Display the SSH status and session information display ssh server status session Display the SSH user information display ssh user information username Enable SSH debugging debugging ssh server VTY index all Enable RSA debugging debugging rsa Disable SSH debugging undo debugging ssh serv...

Страница 34: ...se the third party client software PuTTY in the following example to set the configuration of SSH client I Specify the IP address of the server Enable the PuTTY program and the following client configuration interface appears Figure 3 1 SSH Client configuration interface 1 Enter the IP address of the router in the field Host Name or IP address The address can be the IP address of the interface who...

Страница 35: ...tion interface 2 Specify the SSH version to 1 as shown in the above interface IV Enable the SSH connection in password authentication mode Click Open button and the SSH Client interface appears If the connection is normal then you are prompted to enter user name and password as shown in the following figure 3Com Router Configuration Guide Addendum for V1 20 35 ...

Страница 36: ... the logout command V Enable the SSH connection in RAS authentication mode To enable the SSH connection in RSA mode you need to configure the RSA key on both the SSH server and client Take the following method to generate keys using PuTTY key generator software Enable the PuTTY key generator software as shown in the following 3Com Router Configuration Guide Addendum for V1 20 36 ...

Страница 37: ...umber of bits in the key Click Generate button to generate the RSA key To ensure the random key you are required to move the mouse Once you stop moving the cursor the generating process will pause After the key is generated the following interface appears 3Com Router Configuration Guide Addendum for V1 20 37 ...

Страница 38: ...les e g publicMyKey ppk and privateMykey ppk Configure RSA public keys on the server For details about configuring RSA public keys on the server please refer to 2 7 2 7 Configure public key Note Not all the keys generated by the SSH client key generator can be configured on the router SSH server Only the RSA keys compliant with PKCS 1 format can be configured on the router Specify the RSA private ...

Страница 39: ...ollowing figure appears Figure 3 6 SSH Client Configuration interface 3 Click Browse button and a file selection dialog box will pop up After you have chosen the private key file click the open button Enable the SSH connection Click Open button and the SSH Client interface appears If the connection is normal you are prompted to enter the user name as shown in the following figure 3Com Router Confi...

Страница 40: ...efer to the use guide of the SSH Client or the online help As shown in Figure 2 3 the console terminal SSH Client has set up a local connection with Router Run the SSH1 5 enabled client software on the terminal for the sake of safer data and information communications SSH Client Router Networking for the SSH local configuration In this section the configuration procedures for different login authe...

Страница 41: ...he random RSA key pairs in the SSH1 5 enabled client software and send the RSA public key to the server end by performing the following procedure 3Com rsa peer public key key002 3Com rsa public key public key code begin 3Com rsa key code hex 308186 3Com rsa key code hex 028180 3Com rsa key code hex E75E3D7C 11923D33 143FB829 470EA018 889147F6 6 F27A98A D6C54A36 3Com rsa key code hex C7DB17E1 647DC...

Страница 42: ...als The above figure illustrates the NTP operating fundamentals In the figure Router A and Router B are connected via the serial interface both routers have an independent system clock and they want to synchronize their system clocks Before proceeding to the synchronization procedure assume the following The time settings on Router A and Router B are respectively 10 00 00am and 11 00 00am Router B...

Страница 43: ...et NTP authentication key Set a specified key to be a reliable key Set the local NTP message sending interface Set the external reference clock or local clock to be the NTP master clock Enable Disable the interface to receive NTP messages Control the access to the services of the local router Set the number of sessions allowed at the local 4 2 1 Configure NTP Operating Mode You may set the operati...

Страница 44: ...e the NTP server mode undo ntp service unicast server X X X X NTP version is in the range of 1 to 3 and defaults to 3 The authentication key ID is in the range of 1 to 4294967295 You can specify an interface by specifying its interface name or interface type interface number The local router will use the IP address of the interface as the source IP address carried by the NTP messages sent to the t...

Страница 45: ...he following configuration in interface view Table 4 3 Configure NTP broadcast server mode Operation Command Configure NTP broadcast server mode ntp service broadcast server authentication keyid keyid version number Disable NTP broadcast server mode undo ntp service broadcast server NTP version is in the range of 1 to 3 and defaults to 3 and authentication key ID is in the range of 1 to 4294967295...

Страница 46: ... NTP version is in the range of 1 to 3 and defaults to 3 authentication key ID is in the range of 1 to 4294967295 the Time To Live TTL value of multicast packets is in the range of 1 to 255 and the multicast IP address defaults to 224 0 1 1 This command must be configured on the interface to be used for sending NTP multicast messages VI Configure NTP multicast client mode This task specifies an in...

Страница 47: ...iable authentication key ID Perform the following configuration in system view Table 4 7 Configure NTP authentication Operation Command Enable NTP authentication ntp service authentication enable Disable NTP authentication undo ntp service authentication enable 4 2 3 Set NTP Authentication Key This task is used to set the NTP authentication key Perform the following configuration in system view Ta...

Страница 48: ... time server Perform the following configuration in system view Table 4 10 Set a local interface for sending NTP messages Operation Command Set a local interface for sending NTP messages ntp service source interface interface name interface type interface number Disable the interface as the interface for sending NTP messages undo ntp service source interface You can specify an interface by specify...

Страница 49: ...onfiguration in interface view Table 4 12 Disable Enable an interface to receive NTP messages Operation Command Disable an interface to receive NTP messages ntp service source interface disable Enable the interface to receive NTP messages undo ntp service source interface disable This task must be performed on the interface desired to be disabled in receiving NTP messages 4 2 8 Assign the Rights f...

Страница 50: ...o the remote server peer Permits the requestors to request the local NTP for time service and controlled query and allows the synchronization of local clock to the remote server 4 2 9 Set the Number of Sessions Allowed at the Local This command sets the number of dynamic sessions that a client router can establish Perform the following configuration in system view Table 4 14 Set the number of sess...

Страница 51: ...interface number Interface number which identifies an interface along with interface type Description Using the ntp service source interface command you can specify a local interface for NTP message transmission Using the undo ntp service source interface command you can remove the current setting Source address will be determined depending on the output interface Using this command you can specif...

Страница 52: ...interface to receive NTP messages By default an interface is enables to receive NTP messages Example Disable Ethernet 0 to receive NTP messages 3Com interface Ethernet 0 3Com Ethernet0 ntp service source interface disable 4 3 3 ntp service unicast peer Syntax ntp service unicast peer X X X X version number authentication key keyid source interface interface name interface type interface number pri...

Страница 53: ...nicast peer mode Using the undo ntp service unicast peer command you can disable the NTP unicast peer mode By default version number is 3 authentication is disabled and the server is not the preferred choice This command sets the remote server at X X X X to be the peer of the local device running in symmetric active mode X X X X represents a host address which must not be a broadcast or multicast ...

Страница 54: ...ecifies the interface name interface name Interface name The IP address of the interface will be used as the source IP address of the NTP messages that the local device sends to the defined server interface type Interface type which identifies an interface along with interface number interface number Interface number which identifies an interface along with interface type priority Specifies the se...

Страница 55: ...ce clock Configured with this command the local device is working in client mode and therefore it is up to the local client to synchronize with the remote server rather than vice versa Example Configure the local device to synchronize with the server at 128 108 22 44 and set the version number to 3 3Com ntp service unicast server 128 108 22 44 version 3 3Com Router Configuration Guide Addendum for...

Страница 56: ... router extracts the pure data from the X 25 packet and sends it to the IP host across the TCP connection From the perspective of an IP host it needs to know only the IP address of the interface of the router at the IP network side to access an X 25 host Whenever the router receives a TCP connection request it examines the destination IP address and TCP port number of the TCP connection and looks ...

Страница 57: ...f the interface at the IP network side see the Network Protocol section in the 3Com Router Configuration Guide II Configuring an X 25 Route Perform the following configuration in system view Table 5 2 Configure an X 25 route Operation Command Configure an X 25 route x25 switch svc x 121 address interface serial number Delete the X 25 route undo x25 switch svc x 121 address interface serial number ...

Страница 58: ...isplay and debug the X2T information Operation Command Display the static routing table of X2T display x25 x2t route Display the dynamic routing table of X2T display x25 x2t switch table Enable X2T debugging debugging x25 x2t all event packet 5 4 Typical X2T Configuration Example The configuration in this example interconnects an X 25 network and an IP network Using a router and allows the X 25 te...

Страница 59: ...ure the interface at the IP network side 3Com interface ethernet 0 3Com Ethernet0 ip address 10 1 1 1 255 255 255 0 4 Configure an X 25 route 3Com x25 switch svc 2222 interface serial 0 5 Configure an X2T route 3Com translate ip 10 1 1 1 port 102 x25 2222 3Com translate x25 1111 ip 10 1 1 2 port 102 3Com Router Configuration Guide Addendum for V1 20 59 ...

Страница 60: ...ol Commands Operation Command Disable the Sending Complete Information Element in the Setup message undo isdn sending complete Disable the SETUP ACK messages if the received SETUP messages in data service calls do not carry the called number information isdn ignore callednum Table 6 2 Optional NTT Protocol Commands Operation Command Configure the SETUP message to ignore the high level compatibilit...

Страница 61: ...SETUP message undo isdn ignore hlc Configure the SETUP message to ignore the low level compatibility information unit when a data call is initiated isdn ignore llc Restore the SETUP message undo isdn ignore llc Disable the SETUP ACK messages if the received SETUP messages in data service calls do not carry the called number information isdn ignore callednum Enable the router to send SETUP ACK mess...

Страница 62: ...ECT ACK message replies from the connected exchange until switching to the ACTIVE state isdn waitconnectack Configure the router to become ACTIVE to start data exchange before receiving CONNECT ACK messages undo isdn waitconnectack Configure the interval for the Q931 timers isdn q931 timer timer name time interval Restore the default interval timers undo isdn q931 timer timer name time interval Th...

Страница 63: ...e interval of timer TSPID isdn spid timer seconds Restore the default value of the time interval undo isdn spid timer Set the number of times to resend a message on the BRI interface isdn spid resend times Restore the default number of times to resend a message undo isdn spid resend Set the SPID value of channel B1 isdn spid1 spid Delete the SPID value of channel B1 undo isdn spid1 Set the SPID va...

Результаты поиска

Содержание Router 3033

Отзывы:

Похожие инструкции для Router 3033

Бренды по названию

Популярные бренды

3Com Router 3033, Руководство по настройке

Результаты поиска

Содержание Router 3033

Отзывы:

Похожие инструкции для Router 3033

Бренды по названию

Популярные бренды