
Operation Manual - Link Layer Protocol 
H3C SecPath F1800-A Firewall 

Chapter 1  VLAN Configuration

 


VLANs cannot communicate with one another directly, that is, users in one VLAN cannot directly access users in another VLAN. Inter-VLAN access requires the help of a Layer 3 device such as a router or a Layer 3 switch.

3) It provides virtual workgroups.

VLANs can be used to group users into different workgroups. When a workgroup changes, its users do not need to change their physical location. In practice, users of the same workgroup usually cooperate with each other at the same place, and there are few cases in which they are at different places.

On a switch, an ordinary (access) port can belong to only one VLAN, that is, it identifies and forwards only frames of the VLAN it belongs to. When a VLAN spans several switches, however, the ports (links) between the switches must identify and forward frames of several VLANs at the same time. The same requirement exists between switches and routers that support VLANs.

A link of this type is called a Trunk, a term with two meanings:

• One is "trunking": transparently carrying VLAN frames to the interconnected switches or routers so as to extend the VLAN across devices.

• The other is "super trunk": several VLANs run on one such link.

 

The common protocol used to implement trunking is IEEE 802.1Q (dot1q), an IEEE standard. It identifies the VLAN by inserting a 4-byte VLAN tag immediately after the source address field of the original Ethernet frame. The tag consists of a 2-byte Tag Protocol Identifier (TPID, value 0x8100) followed by 2 bytes of Tag Control Information, 12 bits of which carry the VLAN ID; IDs 0 and 4095 are reserved, so 4094 VLANs can be distinguished on one trunk.
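As an added illustration of where the tag sits, the following Python code builds an 802.1Q tag, inserts it after the source MAC address, and parses it back out. It is example code written for this page, not code from the H3C manual, and it does not model the SecPath's own implementation; the sample frame, MAC addresses, function names and the handling of a stacked 802.1ad (0x88A8) service tag, which the manual does not discuss, are assumptions made for the example.

```python
"""Build and parse IEEE 802.1Q-tagged Ethernet frames (added example)."""
import struct

TPID_8021Q = 0x8100   # customer (C-VLAN) tag, the dot1q tag the manual describes
TPID_8021AD = 0x88A8  # service-provider (S-VLAN) outer tag; assumed for stacked tagging

# Constructed sample: untagged IPv4 frame (EtherType 0x0800), dummy 46-byte payload.
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0800") + bytes(range(46))


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0,
              tpid: int = TPID_8021Q) -> bytes:
    """Insert a 4-byte VLAN tag after the 12-byte dst+src MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    # Tag Control Information: 3 bits PCP, 1 bit DEI, 12 bits VID.
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the list of tags (outermost first), EtherType and payload.

    Like a switch, the parser only looks at the outermost tag to decide the
    VLAN; inner tags are reported but not acted upon.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off = 12
    tags = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": etype, "payload": frame[off + 2:]}


def outer_vid(frame: bytes):
    """VLAN ID a trunk port would use for this frame, or None if untagged."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else None


def strip_outer_tag(frame: bytes) -> bytes:
    """What an access port does on egress: remove the outermost tag only."""
    if outer_vid(frame) is None:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, 10, pcp=5)
    print(tagged[12:16].hex(), parse_frame(tagged)["tags"])
```

The `outer_vid` helper is the check a practitioner wants when looking at a capture on a trunk: it reports the VLAN the receiving switch will act on, which for a stacked frame is the outer tag, not the inner one.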

 

Because VLANs cannot interconnect directly, routers supporting VLANs must be used to connect the VLANs when communication among them is required. Usually this is a Layer 3 (IP layer) interconnection.

 

1.1.3  VLAN Aggregation 

In broadband networks, a large number of VLAN users must be connected to a router (or firewall). A typical way of connecting residential users of a metropolitan area network (MAN) to broadband over Ethernet is to connect the users through Ethernet switches and to isolate, mark and manage them through VLANs.

This networking model has a problem: each VLAN occupies a separate address segment and has its own upstream gateway address, so many IP addresses are wasted (every subnet consumes a network address, a broadcast address and a gateway address). In addition, network management and extension are inconvenient, because users in different VLANs must be allocated different gateways if Dynamic Host Configuration Protocol (DHCP) is not adopted.

VLAN aggregation was introduced to solve this problem. Through VLAN aggregation, a sub-interface can be configured with a VLAN, but several
