3Com 3036 Configuration Manual

Page 2

3com corporation 350 campus drive marlborough, ma 01752-3064 copyright © 2004, 3com corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written p...

Page 4: Vpn 615

Vpn 615 r eliability 665 q o s 681 d ial - up 721.

Page 6

2 a bout t his g uide.

Page 8

4.

Page 10

6 c hapter 1: 3c om r outer i ntroduction figure 1 schematic diagram of the 3com router architecture features of the 3com router version 1.10 the following table lists the basic features of the 3com router 1.X: table 3 list of the 3com router 1.X features system service tcp/udp ip forwarding engine ...

Page 12

8 c hapter 1: 3c om r outer i ntroduction network security authentication, authorization and accounting (aaa) service ■ provides ppp and login user authentication ■ supports radius, provides radius authentication/accounting ■ provides local authentication ■ supports chap and pap authentication firew...

Page 14

10 c hapter 1: 3c om r outer i ntroduction new features of the 3com router 1.X new features have been added to the 3com router1.10. Support new interfaces e3 and ce3 interfaces both e3 and e1 are part of the itu-t digital carrier architecture and are used in most regions beyond north america. The da...

Page 16

12 c hapter 1: 3c om r outer i ntroduction.

Page 18

14 c hapter 2: 3c om r outer u ser i nterface figure 3 establish a new connection figure 4 select the computer serial port for actual connection.

Page 20

16 c hapter 2: 3c om r outer u ser i nterface 4 enter the command to configure the router or view the running status of the router. Enter “?” to get help when necessary. For details of specific commands, please refer to the following chapters. Remote configuration environment via async serial port t...

Page 22

18 c hapter 2: 3c om r outer u ser i nterface configuration environment, connect the computer with the router via the wan interface. Figure 10 . Establish configuration environment of local telnet connection figure 11 establish a configuration environment of a remote telnet connection 2 as shown in ...

Page 24

20 c hapter 2: 3c om r outer u ser i nterface ■ provide online help any time the user keys in “?”. ■ provide network test commands, such as tracert and ping , etc. To quickly diagnose whether the network is normal. ■ provide rich and detailed debugging information for diagnosis of network faults. ■ ...

Page 26

22 c hapter 2: 3c om r outer u ser i nterface async serial interface view configures the asynchronous serial interface parameters [router-async0] enter interface async 0 in any views enter quit to return to the system view aux interface view configures the aux interface parameters [router-aux0] ente...

Page 28

24 c hapter 2: 3c om r outer u ser i nterface ■ the help information obtained via the above-mentioned online help is described as follows: 1 full help: enter “?” in any view, all the commands in this view and their brief descriptions can be obtained. [router]? Aaa-enable enable aaa(authentication, a...

Page 30

26 c hapter 2: 3c om r outer u ser i nterface table 9 display function table user identity management the 3com router sets three kinds of router management users: administrator user, operator user and guest user. Different kinds of users have different rights to execute commands. 1 an administrator ...

Page 32

28 c hapter 2: 3c om r outer u ser i nterface by default, the system clock is 08:00:00 1 1 1997. The system clock will reset to the initial number when the configuration is deleted by using the delete command or is deleted at the boot menu. 3 reboot the system please perform the following commands i...

Page 34

30

Page 36

32 c hapter 3: s ystem m anagement quickly input ctrl+d to enter the boot rom menu. If ctrl+d is not input within three seconds, the system will restart the router and the following prompt information displays: ****************************************** * * * 3com router series bootrom, v4.25 * * * ...

Page 38

34 c hapter 3: s ystem m anagement figure 16 “send file” message window 8 after downloading, the router will save the file into flash or nvram, display the following information, and prompt restoring of the baud-rate setting of the terminal emulator. Download completed. Writing to flash memory... Pl...

Page 40

36 c hapter 3: s ystem m anagement 3: 38400 bps 4: 57600 bps 5: 115200 bps 6: exit and reboot enter your choice(1-6): make your selection as needed. 5 after a baud rate (115200 bps for example) is selected, the system displays the following information to prompt you to modify the baud rate and selec...

Page 42

38 c hapter 3: s ystem m anagement 9 restore the baud rate of the terminal emulation program to 9600 bps and press enter for rebooting the router so that the new 3com router main program software can be run. Tftp approach tftp is a protocol used for transferring trivial files between clients and ser...

Page 44

40 c hapter 3: s ystem m anagement network interface parameters: do you want a lan interface? [n] y this board's lan ip address? [169.254.1.1] 10.110.10.1 subnet mask for lan (0 for none)? [255.255.0.0] tftp server parameters: ip address of the tftp server? [169.254.75.166] 10.110.10.13 what is the ...

Page 46

42 c hapter 3: s ystem m anagement after a client originates a control connection to a server by using the port command and uses a randomly assigned ftp port to establish the control link with port 21 on the server, the link will be in place until there is no data waiting for transmission. The serve...

Page 48

44 c hapter 3: s ystem m anagement 7 at the prompt ftp> , appearing after the file uploading is completed, enter the dir command to display the file name and size on the router. If the uploading operation is successful, the program or configuration file on the router and the uploaded file on the hos...

Page 50

46 c hapter 3: s ystem m anagement figure 24 path name dialog box select the check boxes read, write and delete in files and click ok to return. Figure 25 edit users/group check box 4 the cards can be upgraded on-line after the on-line upgrading files are copied to the path of the serv-u ftp. Perfor...

Page 52

48 c hapter 3: s ystem m anagement table 21 load configuration files follow these steps in the terminal emulation program: 1 enter the command and make the confirmation. [router] download config do you want really download the config.Ini?(y/n)y 2 set the binary transmission protocol to xmodem/crc. C...

Page 54

50 c hapter 3: s ystem m anagement 226 file transmit success. Ftp: 735 bytes received in 0.06seconds 12.25kbytes/sec. View current and saved configuration of the router during the power-on of the router, read the configuration files from flash (or nvram) to initialize the router. Therefore, the conf...

Page 56

52 c hapter 3: s ystem m anagement table 28 set/clear the flag bit to enter the initial setup by default, no flag bit for entering the initial setup mode is set. Configure ftp ftp (file transfer protocol), which belongs to the application layer protocol in the tcp/ip protocol suite, mainly provides ...

Page 58

54 c hapter 3: s ystem m anagement the names of the program/configuration file are “system” and “config” respectively by default. In the command, file-name is a character string with the length of 1 to 30. 2 set ftp update mode when logging onto the ftp server from a pc, you can use the put command ...

Page 60

56 c hapter 3: s ystem m anagement.

Page 62

58 c hapter 4: t erminal s ervice features of terminal service at async serial port the 3com router supports remote configuration on the router via asynchronous serial port (including synchronous/asynchronous serial port, 8/16 asynchronous serial port, and aux port). Please refer to chapter 2 “3com ...

Page 64

60 c hapter 4: t erminal s ervice typical example of terminal message service configuration # input the send command in system view. [router] send enter message, end with ctrl/z; abort with ctrl/c: # input the contents of the message that the terminal will send. Hello world # (enter to terminate the...

Page 66

62 c hapter 4: t erminal s ervice figure 27 dumb terminal networking diagram 1 configure the interface to dumb terminal mode. [router-serial1] physical-mode async [router-serial1] undo modem [router-serial1] async mode flow 2 configure the auto-execute command command. [router-serial1] auto-execute ...

Page 68

64 c hapter 4: t erminal s ervice table 46 establish telnet server or telnet client connection by default, telnet server starts automatically. The default value of service-port is 23. To terminate telnet service, enter ctrl+]at telnet client side. Setup reverse telnet connection please use async mod...

Page 70

66 c hapter 4: t erminal s ervice password: user guest logged in . 3 the message showing successful telnet to router b should pop up and display the host name of routerb. [routerb] example of reverse telnet the host is connected to the router, then communicates with the device connected to the seven...

Page 72

68 c hapter 4: t erminal s ervice sco openserver(tm) release 5 (c) 1976-1998 the santa cruz operation, inc. (c) 1980-1994 microsoft corporation. All rights reserved. For complete copyright credits, enter "copyrights" at the command prompt. You have mail terminal type is vt100 # x.25 pad remote acces...

Page 74

70 c hapter 4: t erminal s ervice by default, no x.25 pad remote user is configured at the server side. For details of the command, refer to the relevant sections on security configuration commands in command reference (v1.6). Start aaa authentication of x.25 remote users after the configuration of ...

Page 76

72 c hapter 4: t erminal s ervice c enter the view of interface serial 0 and set its link layer protocol as x.25 dte ietf. [routera]interface serial 0 [routera-serial0]link-protocol x25 dte ietf d set its x.121 address as 123456. [routera-serial0]x25 x121-address 123456 2 configure router b: a enter...

Page 78

74 c hapter 5: c onfiguring n etwork m anagement addition to the functions defined in snmpv2c and snmpv1. In other words, snmpv3 develops snmpv2c by adding security and management functions. Snmpv1 and snmpv2c lack security functions, especially in the aspect of authentication and privacy. Snmpv1 de...

Page 80

76 c hapter 5: c onfiguring n etwork m anagement table 56 3com router-supported mib configure snmp snmp configuration includes: ■ configure the network management agent on a router ■ configure the information of router administrator ■ configure the snmp version ■ configure the trap ■ adjust the maxi...

Page 82

78 c hapter 5: c onfiguring n etwork m anagement by default, snmpv3 is used. The default view name in the system is viewdefault, and oid of which is 1.3.6.1. Snmp group has only the read-only authority by default. If snmpv1/snmpv2c is used, the community name or snmpv1/snmpv2c groups and users shoul...

Page 84

80 c hapter 5: c onfiguring n etwork m anagement typical configuration examples example 1: configure network management of snmpv1 i. Networking requirements in the following diagram the nms and a router are connected via the ethernet. The ip addresses of nms and the ethernet interface on the router ...

Page 86

82 c hapter 5: c onfiguring n etwork m anagement thus managing large-scale interconnection networks easily and effectively. Rmon also allows several monitors and can collect data in two ways: one is to collect with the rmon probe — nms directly obtains management data from an rmon probe and controls...

Page 88

84 c hapter 5: c onfiguring n etwork m anagement [routera] interface ethernet 0 [routera-ethernet0] rmon promiscuous.

Page 90

86 c hapter 6: d isplay and d ebugging t ools two switches control the output of the debugging information: ■ debugging switch, which controls whether to test a certain function/module/protocol. ■ syslog output direction switch, which controls outputting the debugging information to the control cons...

Page 92

88 c hapter 6: d isplay and d ebugging t ools !!!!! --2.0.0c91.F61f ipx ping statistics-- 5 packets transmitted 5 packets received 0% packet loss round-trip min/avg/max = 1/2/3 ms tracert command (trace route command) the trace route command helps to trace the current network path to a destination. ...

Page 94

90 c hapter 6: d isplay and d ebugging t ools set the direction of syslog outputting log information as described before, syslog of the 3com router 1.X can output various log information in four directions: ■ output log information to local control console via console port ■ output log information t...

Page 96

92 c hapter 6: d isplay and d ebugging t ools here, module stands for the module name. Only the log information related to a specified module can be filtered and output. Turn on/turn off syslog please enter the following commands in system view. Table 70 turn on/turn off syslog when syslog is turned...

Page 99: Pos T

7 pos t erminal a ccess s ervice this chapter contains information on the following topics: ■ pos access service overview ■ pos access service configuration ■ display and debug pos access ■ typical configuration example of pos access service pos access service overview point of sale (pos) service is...

Page 101

Pos access service configuration 97 ■ avoiding the dial-up time problem and fast connecting to the transaction processing center. ■ reducing the number of occupied communication links, hence saving the communications cost greatly. ■ avoiding the problem of service queuing as it is as though each pos...

Page 103

Pos access service configuration 99 pos access does not support flow control, therefore, the interface should be configured with the flow-control none command. 5 configure pos multi-application map pos multi-application is a kind of pos access function, which sends the packets from a pos terminal de...

Page 105

Typical configuration example of pos access service 101 t ypical configuration example of pos access service configuration example when the router is located at the fep side in tcp/ip mode i. Networking requirements three pos terminals access the router a located at the fep side through the fcm card...

Page 107

Typical configuration example of pos access service 103 [router-fcm2] async mode pos 3 9 configure async 0 to operate in pos application mode. [router] interface async 0 [router-async0] undo modem [router-async0] flow-control none [router-async0] async mode posapp 10 configure async 1 to operate in ...

Page 109: III

Iii i nterface chapter 8 interface configuration overview chapter 9 configuring lan interface chapter 10 configuring wan interface chapter 11 configuring logical interface.

Page 111: Nterface

8 i nterface c onfiguration o verview this chapter contains information on the following topics: ■ interface configuration overview ■ configure interface ■ display and debug interface interface configuration overview the router interface refers to the part through which the router exchanges data and...

Page 114

110 c hapter 8: i nterface c onfiguration o verview.

Page 116

112 c hapter 9: c onfiguring lan i nterface table 85 enter view of specified ethernet interface 2 set network protocol address the 3com router supports ip and ipx at ethernet interface. Therefore, it is necessary to configure ip or ipx network address. Please use the following commands in ethernet i...

Page 118

114 c hapter 9: c onfiguring lan i nterface typical ethernet interface configuration example i. Networking requirement as shown below, the ethernet interfaces of routers a is connected to ip networks 192.168.0.0. The computer in lan connects to the internet through router a. Set the mtu of ethernet ...

Page 120

116 c hapter 9: c onfiguring lan i nterface hub is connected, all the other devices on the whole network segment will show serious network collisions), while the party working in full duplex mode shows large amount of error messages received, accompanied with serious message losses at both parties. ...

Page 122

118 c hapter 10: c onfiguring wan i nterface ■ set the asynchronous serial interface to work in dialup or dedicated line mode ■ set link layer protocol ■ set baud rate ■ set link establishment mode ■ set the check mode in flow mode ■ set stop bit in flow mode ■ set data bit in flow mode ■ set flow c...

Page 124

120 c hapter 10: c onfiguring wan i nterface dedicated mode is usually used when asynchronous serial interfaces are directly connected. ■ flow: also called the interactive mode, which means two ends of the link interact with each other after the setup of a physical connection. The calling end sends ...

Page 126

122 c hapter 10: c onfiguring wan i nterface please use the following commands in the view of the asynchronous serial interface. Table 104 enable or disable the level detection for the asynchronous serial interface by default the level detection is enabled for the asynchronous serial interface. 12 e...

Page 128

124 c hapter 10: c onfiguring wan i nterface ■ enable or disable level detection ■ enable or disable data carrier detection ■ setting the synchronous serial interface to work in full duplex or half duplex mode ■ enable or disable internal loopback/external loopback ■ set mtu ■ set the time interval ...

Page 130

126 c hapter 10: c onfiguring wan i nterface txclk stands for transmitting clock, rxclk for receiving clock, the clock before “=” is dte-side clock, and that behind “=” is dce-side clock. Please use the following commands in the view of the synchronous serial interface. Table 115 select work clock t...

Page 132

128 c hapter 10: c onfiguring wan i nterface 12 configure mtu mtu of synchronous serial interface affects the fragmentation and reassembling of ip network protocol message on this interface. Please use the following commands in the view of the synchronous serial interface. Table 121 set mtu of synch...

Page 134

130 c hapter 10: c onfiguring wan i nterface ■ whether the interface provided by telecom service provider is isdn bri u interface or isdn bri s/t interface: in itu-t i.411 recommendation, the reference model of isdn user-network interface is given. However, there is a worldwide dispute about the pos...

Page 136

132 c hapter 10: c onfiguring wan i nterface table 127 enter the synchronous serial interface view the following are to be set: ■ operating parameters of data link layer protocol, such as ppp, frame relay, lapb or x.25. ■ ip address ■ the operating parameters of the standby center need to be set whe...

Page 138

134 c hapter 10: c onfiguring wan i nterface table 132 set the line code format on the ce1/pri interface by default, the line code format on the ce1/pri interface is hdb3. 6 set line clock when the ce1/pri interface operates as dce, you should choose the internal clock, that is, master clock mode. W...

Page 140

136 c hapter 10: c onfiguring wan i nterface ■ bind the interface to be a pri set ■ set the length/attenuation of the transmission cable ■ set the line code format ■ set line clock ■ set frame format ■ enable/disable internal loopback/external loopback 1 enter the view for a specified interface in s...

Page 142

138 c hapter 10: c onfiguring wan i nterface by default, the attenuation of transmission cable that the ct1/pri interface matches is long 0db. 5 set the line code format a ct1/pri interface supports two types of line code formats: ami format and b8zs format. Perform the following configurations in c...

Page 144

140 c hapter 10: c onfiguring wan i nterface supporting the data link layer protocols ppp, hdlc, frame relay, lapb and x.25, as well as the network protocols ip and ipx. When it works in framed mode, however, it is physically divided into 32 time slots numbered in the range of 0 to 31. In these time...

Page 146

142 c hapter 10: c onfiguring wan i nterface table 153 set frame format for an e1-f interface by default, the frame format of e1-f interface is no-crc4. 7 enable or disable local loopback/remote loopback an interface should be place in local loopback or remote loopback for some special functionality...

Page 148

144 c hapter 10: c onfiguring wan i nterface module in slot 2. Hence, the e1-f interface will be numbered serial 0, and the 4sa interfaces will be numbered serial 1 through serial 4, and the t1-f interfaces will be numbered serial 5 and serial 6. 2 set interface rate after binding operation when t1-...

Page 150

146 c hapter 10: c onfiguring wan i nterface display and debug t1-f interface perform the display command in all views to display the state of t1-f interface and other related information. Table 163 display and debug t1-f interface ce3 interface both e3 and e1 belong to itu-t digital carrier system ...

Page 152

148 c hapter 10: c onfiguring wan i nterface if framing has been enabled on an e1 channel, you can set its frame format. Perform the following configuration in ce3 interface view. Table 170 set e1 frame forma t by default, the frame format of e1 channel is no-crc4. 6 configure operating mode of ce3 ...

Page 154

150 c hapter 10: c onfiguring wan i nterface ■ set crc of the serial interface depending on the networking requirements, the user perhaps needs to configure the parameters such as ppp, frame relay and ip address for the ct3 interface. For details, refer to the involving chapters. 1 enter the view of...

Page 156

152 c hapter 10: c onfiguring wan i nterface by default, ct3 mode is used. When ct3 interface works in t3 mode, the system will automatically create a serial interface whose number is serial number/0:0 and whose rate is 44.736mbps. The interface has the same logic feature as that of a synchronous se...

Page 158

154 c hapter 10: c onfiguring wan i nterface.

Page 160

156 c hapter 11: c onfiguring l ogical i nterface some applications (such as configuring local peer of sna) requires that a local interface with specified ip address should be configured without affecting physical interface configuration. Furthermore, this address should have a 32-bit mask to reduce...

Page 162

158 c hapter 11: c onfiguring l ogical i nterface configure sub-interfaces of ethernet interface 1 create and delete ethernet sub-interfaces please use the following commands in all views. Table 190 create and delete ethernet interface when using the above commands, if corresponding ethernet sub-int...

Page 164

160 c hapter 11: c onfiguring l ogical i nterface [router-serial0]link-protocol fr 3 specify dte as its frame relay terminal type [router-serial0]fr interface-type dte 4 create sub-interface serial 0.1 on wan interface serial0 of router a in point-to point mode, and enter its view [router]interface ...

Page 166

162 c hapter 11: c onfiguring l ogical i nterface 3 create corresponding relation between the virtual-template and related physical interface in vpn application environment, it is necessary to build up corresponding relations between l2tp group and virtual-template. In mp application environment, it...

Page 168

164.

Page 170

166 c hapter 12: c onfiguring ppp and mp the authenticator sends some randomly generated packets to the requester (challenge), and at the same time it sends its configured username to the requester. When the requester receives the challenge, it will look for the user password according to the authen...

Page 172

168 c hapter 12: c onfiguring ppp and mp table 194 configure the link layer protocol of the interface to ppp the default link layer protocol of the interface is ppp. 2 configure ppp authentication ppp has two authentication modes: pap mode and chap mode. Chap authentication is more secure. ■ configu...

Page 175

Configure mp 171 in mp working mode, it is not recommended to use ppp compression. To configure ppp compression negotiation on the virtual interface, ppp compression must be configured on virtual-template interface before the subordinate physical interface can accept the ppp compression negotiation....

Page 177

Configure mp 173 ■ bind according to username or endpoint here the username refers to the received remote username when ppp link performs pap or chap authentication. Endpoint is the unique mark of a router and refers to the received remote endpoint when performing lcp negotiation. The system can imp...

Page 179

Display and debug ppp 175 by default, virtual baud rate is not set on interface. Display and debug ppp please use the display and debugging commands in all views. Table 212 display and debug ppp typical ppp configuration example pap authentication example i. Configuration requirement as shown in fig...

Page 181

Typical mp configuration example 177 [router]local-user router-c password simple router-c b specify the virtual interface templates for the two users and begin ppp negotiation for the ncp information using this template [router]ppp mp user router-b bind virtual-template 1 [router]ppp mp user router-...

Page 183: Onfiguring

13 c onfiguring ppp o e c lient this chapter contains information on the following topics: ■ ppoe overview ■ configure pppoe client ■ display and debug pppoe client ■ typical pppoe configuration example ppoe overview point-to-point protocol over ethernet (pppoe) can be used for connecting ethernet h...

Page 185

Configure pppoe client 181 depending on the needs, it is probably required to configure the parameters such as ppp authentication on a dialer interface. The dialer interface configuration will not be covered in this section, however. Please see operation manual - dial-up for reference. 2 configure p...

Page 187

Typical pppoe configuration example 183 [router-dialer1]ip ppp-negotiate [router-dialer1]ppp pap local-user 3com password cipher 12345 2 configure a pppoe session [router]interface ethernet 1 [router-ethernet1]pppoe-client dial-bundle-number 1 3 configure the lan interface and the default route [rou...

Page 189: Onfiguring

14 c onfiguring slip this chapter contains information on the following topics: ■ slip overview ■ configure slip ■ display and debug slip ■ typical slip configuration example slip overview slip (serial link internet protocol) can transmit data over the asynchronous serial link. Through slip, the use...

Page 191

Typical slip configuration example 187 iii. Configuration procedure 1 configure router a: a configure dialer rule [router]dialer-rule 1 ip permit b configure the synchronous/asynchronous interface to asynchronous mode [router]interface serial 0 [router-serial0]physical-mode async c configure ip addr...

Page 193: Onfiguring

15 c onfiguring isdn p rotocol this chapter contains information on the following topics: ■ isdn overview ■ configure isdn ■ display and debug isdn ■ typical configuration example ■ fault diagnosis and troubleshooting of isdn isdn overview isdn (integrated services digital network), developed from t...

Page 195

Configure isdn 191 when a router originates a call to pbx, it usually contains all called number information in the setup message. However, you can configure the command to determine whether the sending sending-complete information element (scie) should be carried in the setup message. Perform the f...

Page 197

Typical configuration example 193 typical configuration example interconnect routers for data transmission via isdn pri line i. Networking requirement router a is connected with router b via wan, as shown in the following diagram. Ii. Networking diagram figure 56 networking diagram of isdn protocol ...

Page 199: Onfiguring

16 c onfiguring lapb and x.25 this chapter contains information on the following topics: ■ x.25 and lapb protocols overview ■ configure lapb ■ configure x.25 ■ configure x.25 over other protocols ■ display and debug lapb and x.25 ■ typical lapb configuration example ■ typical x.25 configuration exam...

Page 201

X.25 and lapb protocols overview 197 once a virtual circuit is established between a pair of dtes, it is assigned with a unique virtual circuit number. When one dte is to send a packet to the other, it numbers this packet (with virtual circuit number) and sends it to dce. According to the number on ...

Page 203

Configure x.25 199 n1 value represents the maximum number bits of i frame that dce or dte wants to receive from dte or dce. N2 value represents the maximum number of times that dce or dte tries to successfully send a frame to dte or dce. Table 232 configure lapb n1, n2 by default, n1 is 12032, and n...

Page 205

Configure x.25 201 x.25 protocol can multiplex multiple virtual connection over a real physical link between dte and dce, also called virtual circuit (vc) or logical channel (lc). X.25 can establish up to 4095 virtual connections numbered from 1 to 4095. The number that can be employed to identify e...

Page 207

Configure x.25 203 end-to-end is affected, that is, the efficiency between two sets of communicating dte increases. 5 configure x.25 flow control parameter it is essential to set correct default flow control parameters (window size and packet size) for the operation of the link because x.25 protocol...

Page 209

Configure x.25 205 of a call that reaches x.25 interface may be inconsistent with x.121 address of the destination interface (because the destination address of this call is modified within the network), still the interface will accept this call. At this time, one or multiple aliases should be speci...

Page 211

Configure x.25 207 configure x.25 datagram transmission the configuration of x.25 datagram transmission includes: ■ create the mapping from the protocol address to x.121 address ■ create the permanent virtual circuit in the most frequently used x.25 service, data is transmitted remotely between two ...

Page 213

Configure x.25 209 table 248 specify/cancel svc maximum idle time by default, the value of svc maximum idle time is 0 minute, which means this svc will not be disconnected for idle times out. 2 configure the maximum number of svcs that are associated with the same address mapping the maximum number ...

Page 215

Configure x.25 211 window-size and packet-size options are also supported in x25 pvc command. However, in x25 pvc command, these two options specify the window size and maximum packet length of the set pvc. If these two options are not selected in the x25 pvc command, the set pvc will choose the def...

Page 217

Configure x.25 213 configure x.25 sub-interface x.25 sub-interface is a virtual interface with its own protocol address and virtual circuit. Multiple sub-interfaces can be created on a physical interface, so the networks can be interconnected via one physical interface. The sub-interface of x.25 fal...

Page 219

Configure x.25 215 which guarantees no occurrence of link overload when an address is accessed by a large number of subscribers. X.25 load balancing is provided by dces. In order to implement the load balancing in x.25 networks, a group of dte/dce interfaces (synchronous serial interfaces or xot tun...

Page 221

Configure x.25 217 dce equipment in x.25 networks to provide the function of load balancing for dte equipment) then configuration of x.25 load balancing needs to be made on the routers. The main configuration tasks of x.25 load balancing are as follows: ■ start x.25 switching ■ create x.25 hunt grou...

Page 223

Configure x.25 over other protocols 219 protocol provides reliable data transmission link. Because tcp has the mechanism of error redirection and window flow controlling to guarantee the reliability of links, it can be used by x.25. Xot builds a tcp tunnel connection between the two x.25 networks, a...

Page 225

Configure x.25 over other protocols 221 table 268 configure pvc xot switching 5 configure keepalive and xot-source attributes after the tcp link is established, tcp will not be easily cleared even if the link is disconnected. But after configuring keepalive, the router will send checking packets in ...

Page 227

Display and debug lapb and x.25 223 by default, x.25 template is not applied on dlcis. Display and debug lapb and x.25 in the all views, perform the following tasks to enable real-time monitoring of the current status of lapb and x.25. Table 273 display and debug lapb and x.25 typical lapb configura...

Page 229

Typical x.25 configuration example 225 e specify address mapping to the peer [router-serial0]x25 map ip 202.38.160.2 x121-address 20112452 f as this is a direct connection, the flow control parameters can be increased slightly [router-serial0]x25 packet-size 1024 1024 [router-serial0]x25 window-size...

Page 231

Typical x.25 configuration example 227 [router-serial0]x25 map ip 168.173.24.1 x121-address 30561001 [router-serial0]x25 map ip 168.173.24.2 x121-address 30561002 configure virtual circuit range i. Networking requirement the link layer protocol of router's interface serial0 is x.25l, with the virtua...

Page 233

Typical x.25 configuration example 229 ii. Networking diagram figure 72 diagram of x.25 sub-interface configuration iii. Configuration procedure 1 configure router a: [router]interface serial 0 [router-serial0]link-protocol x25 dte [router-serial0]x25 x121-address 100 [router-serial0]interface seria...

Page 235

Typical x.25 configuration example 231 4 configure router c a start x.25 switching [router]x25 switching b configure x.25 local switching [router]x25 switch svc 2 interface serial 0 c configure xot switching [router]x25 switch svc 1 xot 10.1.1.1 d configure ethernet 0 [router]interface ethernet 0 [r...

Page 237

Typical x.25 configuration example 233 ii. Networking diagram figure 75 networking diagram of typical configuration of x.25 hunt group iii. Configuration procedure 1 configure routera a configure the link layer protocol of interface serial1 to x.25 and specify it to operate in dce mode. [router]inte...

Page 239

Typical x.25 configuration example 235 note that you must configure a virtual ip address and two static routes on interface serial 1 to deceive the router because two lines connected to the same peer exist in router routerc. Thus load balancing can be achieved because router routerc will deem that t...

Page 241

Typical x.25 configuration example 237 [router-fr-dlci-100]x25-template profile1 [router-fr-dlci-100]quit i map the frame relay address to the destination ip address. [router-serial1]fr map ip 202.38.163.252 100 2 configure routerb: a create an x.25 template. [router]x25 template profile1 b configur...

Page 243

Typical x.25 configuration example 239 [router]x25 switch svc 1 interface serial 0 g configure x.25 over frame relay switching. [router]x25 switch svc 2 interface serial 1 dlci 100 4 configure the router router c: a enable x.25 switching. [router]x25 switching b configure serial 0 as the x.25 interf...

Page 245

Fault diagnosis and troubleshooting of lapb 241 [router-x25-profile1]x25 vc-range in-channel 10 20 bi-channel 30 1024 [router-x25-profile1]x25 pvc 1 interface serial 0 pvc 1 5 configure serial 1. A configure s1 as the frame relay interface. [router]interface serial 1 [router-serial1]link-protocol fr...

Page 247

Fault diagnosis and troubleshooting of x.25 243 ■ if receiving the ping packet forwarded from the router at one end, check whether the returning route has been configured in the routing table. In addition, if the destination ip address for returning the packets is different from that configured in t...

Page 249: Onfiguring

17 c onfiguring f rame r elay this chapter contains information on the following topics: ■ frame relay protocol overview ■ configure frame relay ■ configure frame relay qos ■ configure frame relay over other protocols ■ display and debug frame relay ■ typical frame relay configuration example ■ faul...

Page 251

Configure frame relay 247 note the following: ■ the interface's link layer protocol can be configured to frame relay only when it operates in the synchronous mode. ■ when the interface's link layer protocol is slip, the physical attributes of the interface cannot be modified to synchronous mode. At ...

Page 253

Configure frame relay 249 the following table describes the value ranges and default values of related parameters of the frame relay lmi protocol table 278 descriptions of related parameters of frame relay lmi protocol in which, the related parameters at the dte side include: ■ t391dte: the interval...

Page 255

Configure frame relay 251 the map created through the dynamic inverse arp has broadcast attribute. 6 configure frame relay local virtual circuit number perform the following configurations in synchronous serial interface view. Table 281 configure frame relay local virtual circuit number after enteri...

Page 257

Configure frame relay 253 perform “enabling/disabling frame relay pvc switching” in system view, and configure all the other commands in synchronous serial interface view. Table 286 configure the frame relay pvc switching by default, frame relay pvc switching is disabled. The configured pvc can take...

Page 259

Configure frame relay 255 will not take effect. On the mfr interface, you can configure the network layer parameters (e.G., ip address) and frame relay parameters (e.G., dlci). The physical interface bundled on the mfr interface will use the parameters on the mfr interface. Configure mfr the configu...

Page 261

Configure frame relay 257 perform the following configurations in interface view. Table 296 configure frame relay compression on multipoint interface by default, frame relay payload compression is disable. On the 3com router, both the frame relay main interfaces and sub-interfaces can be multipoint ...

Page 263

Configure frame relay qos 259 figure 82 frame relay traffic shaping if the frame relay traffic shaping is applied on the outgoing interface serial 0 on router b, the interface will be able to transmit packets at 64 kbps, a relatively average rate, so as to avoid the network congestion. Even if the c...

Page 265

Configure frame relay qos 261 figure 85 frame relay traffic policing as shown in the above figure, router a at the user side transmits packets at 192 kbps to router b at the switching side. However, router b only wants to provide the 64 kbps bandwidth for router a. In this case, you need to configur...

Page 267

Configure frame relay qos 263 table 299 create/delete a frame relay class by default, no frame relay class is created. After creating the frame relay class using this command, the user will enter the frame relay class view under which you can configure the parameters like cir. 2 associate the frame ...

Page 269

Configure frame relay qos 265 numerically, the value of cbs should not be less than cir allow, otherwise, the large packets may not be sent. Configure frame relay traffic policing frame relay traffic policing configuration includes: ■ enable the frame relay traffic policing ■ create a frame relay cl...

Page 271

Configure frame relay qos 267 configure frame relay de rule list 1 configure a de rule list perform the following configurations in system view. Table 307 configure a de rule list by default, no de rule list is defined. A router can support up to 10 de rule lists, and each of them can contain up to ...

Page 273

Configure frame relay over other protocols 269 configure frame relay over other protocols frame relay over ip ip networks are used to carry the frame relay data to interconnect the frame relay networks. In the technique of frame relay over ip, a gre tunnel is established between the frame relay netw...

Page 275

Configure frame relay over other protocols 271 ■ the dce device identifies the calling number of the incoming call and authenticates the dte device according to it to determine whether to accept or deny the call. ■ if the dte device passes the authentication, it can establish a b channel to the dce ...

Page 277

Configure frame relay over other protocols 273 2 configuration related to frame relay switching only some simple frame relay switching configurations are covered in this section. For other configurations, refer to the link layer protocol. Configure the commands fr switch and fr switching in system v...

Page 279

Display and debug frame relay 275 display frame relay data receiving/sending statistics information. Display fr statistics [ interface type number ] display the frame relay pvc statistics display fr pvc-info [ serial number ] [ dlci dlci-number ] display frame relay pvc route table display fr dlci-s...

Page 281

Typical frame relay configuration example 277 [router-serial1] ip address 202.38.163.253 255.255.255.0 b configure the link layer protocol of the interface to frame relay [router-serial1]link-protocol fr [router-serial1]fr interface-type dte c configure static address mapping [router-serial1]fr map ...

Page 283

Typical frame relay configuration example 279 ii. Networking diagram figure 95 networking diagram of frame relay over ip iii. Configuration procedure 1 configure router a [router]interface serial 0 [router-serial0]ip address 202.38.163.251 255.255.255.0 [router-serial0]fr interface-type dte [router-...

Page 285

Typical frame relay configuration example 281 ii. Networking diagram figure 98 networking diagram of frame relay over ip iii. Configuration procedure 1 configure routera a configure the frame relay interface serial0 [router]interface serial 0 [router-serial0]link-protocol fr [router-serial0]fr inter...

Page 287

Typical frame relay configuration example 283 [router-serial2:15]dialer bundle-member 20 for configuring the bdr and frame relay parameters on dialer1, refer to the configuration on dialer0. The user only needs to change the ip address to 120.0.0.2, dlci number to 200, and configure to receive the i...

Page 289

Fault diagnosis and troubleshooting of frame relay 285 fault diagnosis and troubleshooting of frame relay fault 1: the physical layer in down status. Troubleshooting: ■ check whether the physical line is normal. ■ check whether the opposite equipment runs normally. Fault 2: the physical layer is alr...

Page 291: Onfiguring

18 c onfiguring hdlc this chapter contains information on the following topics: ■ configure hdlc ■ display and debug hdlc configure hdlc hdlc (high data link control) is a bit-oriented link layer protocol. Its most prominent feature is that it can transparently transmit any kind of bit flow without ...

Page 293: Onfiguring

19 c onfiguring b ridge this chapter contains information on the following topics: ■ bridge overview ■ configure bridge’s routing function ■ display and debug bridge ■ typical bridge configuration bridge overview bridge is a type of network device on the data link layer, which interconnects local ar...

Page 295

Bridge overview 291 figure 102 bridge learns that workstation a is connected with port 1 once workstation b responds to workstation a, the bridge can detect the responding ethernet frame from workstation b and learn that workstation b is also connected to bridge port 1 because the frame is detected ...

Page 297

Bridge overview 293 figure 106 filter (not forward) ■ suppose that workstation a sends an ethernet frame to workstation c, and the bridge does not find the correlation between the mac address of workstation c and the port in the bridging address table, what will the bridge do? The bridge will forwar...

Page 299

Bridge overview 295 will also specify which bridge to be the “root bridge” and which bridges to be the “leaf nodes”. A bpdu contains the following information: ■ root identifier: consists of the bridge priority and the mac address of the root bridge. ■ root path cost: path cost from the individual l...

Page 301

Configure bridge’s routing function 297 will be routed through ip. Certainly, if ip cannot find a route, it will discard the packet instead of forwarding it to the bridge for processing. If the packet uses a protocol other than ip (for example, if it is the packet from the network like appletalk or ...

Page 303

Configure bridge’s routing function 299 perform the following configuration in system view. Table 324 enable/disable forwarding by using dynamic address table by default, the dynamic address table is used to forward frames. C configure the aging time of dynamic address table the aging time of dynami...

Page 305

Configure bridge’s routing function 301 table 330 configure the interval for sending bpdus by default, the value of hello time timer is 2 seconds. It is in the range of 1 to 10 seconds. When configuring the hello time timer, it should be noted that: ■ in the spanning tree, all the bridges use the ti...

Page 307

Configure bridge’s routing function 303 when creating an acl based on ethernet type code (ethernet-ii, snap or lsap), you can specify aclt-number in the range of 200 to 299. Type-code is a 16-bit hexadecimal number written with a leading “0x”, corresponding to the type-code field in the ethernet-ii ...

Page 309

Configure bridge’s routing function 305 table 340 configure bridge set to route or bridge the network layer protoco l by default, the bridging is enabled, the routing is disabled. You can execute the display bridge bridge-set bridge-template command to view the configuration of routing and bridging ...

Page 311

Display and debug bridge 307 table 349 configure bridge on vlan display and debug bridge perform the reset , display and debugging commands in all views. Table 350 display and debug bridge typical bridge configuration transparent bridging multiple lans i. Networking requirements suppose that there a...

Page 313

Typical bridge configuration 309 transparent bridging over frame relay i. Networking requirements two routers are directly connected via serial interfaces. Implement transparent bridging over the frame relay. Ii. Networking diagram figure 112 transparent bridge over the frame relay iii. Configuratio...

Page 315

Typical bridge configuration 311 transparent bridging for asynchronous dial-in standby i. Networking requirements configure transparent bridging for asynchronous dial-in standby on two routers. Thereby, transparent bridging can be implemented by enabling asynchronous dial-in in case that the serial ...

Page 317

Typical bridge configuration 313 bridging on sub-interfaces i. Networking requirements two routers are connected via a network cable. Enabling bridging on the ethernet sub-interfaces so that the two bridges established via the routers can be interconnected. Ii. Networking diagram figure 115 networki...

Page 319: Etwork

V n etwork p rotocol chapter 20 configuring ip address chapter 21 configuring ip application chapter 22 configuring ip performance chapter 23 configuring ip count chapter 24 configuring ipx chapter 25 configuring dlsw.

Page 321: Onfiguring

20 c onfiguring ip a ddress this chapter contains information on the following topics: ■ ip address overview ■ troubleshooting ip address configuration ■ map between wan interface ip address and link layer protocol address ip address overview ip address is a unique 32-bit address assigned to a host ...

Page 323

Ip address overview 319 completely internal to the enterprise itself, and seen from the outside, the enterprise only has one net-id. When an external message enters this enterprise network, the internal router can route according to the sub-net number, and finally reach the destination host. The fol...

Page 325

Ip address overview 321 when configuring the master ip address for an interface, note: ■ an interface can only have one master ip address. ■ when deleting the ip address of the interface, if no ip address and mask is specified, all the ip addresses (including all slave ip addresses) will be deleted ...

Page 327

Ip address overview 323 table 355 configure ip address unnumbered by default, the interface has no ip address. 2 display ip address unnumbered table 356 display ip address unnumbered configuration example i. Configuration requirements suppose the headquarters of a company is in beijing, with subsidi...

Page 329

Map between wan interface ip address and link layer protocol address 325 cannot receive the arp message, then possibly the error is on the ethernet physical layer. Fault 2: when the interface is encapsulated with ppp or frame relay, the link layer protocol status does not change to up. Troubleshooti...

Page 331: Onfiguring

21 c onfiguring ip a pplication this chapter contains information on the following topics: ■ configure address resolution protocol (arp) ■ configure domain name resolution (dns) ■ vlan configuration ■ dhcp server configuration ■ configure dhcp relay ■ configure network address translation (nat) conf...

Page 333

Vlan configuration 329 by default, the system has no static domain name resolution mapping. Pay attention that when adding a domain name mapping, if the same hostname has been input twice, the current configuration will overwrite the previous one. A static domain name resolution table can maintain a...

Page 335

Vlan configuration 331 in as ethernet interface is connected with a lan switch port. As the ethernet subinterface of every specified vlan id can act as an independent gateway, this subinterface and other ethernet subinterface in the same vlan id should belong to the same subnet segment. Please imple...

Page 337

Dhcp server configuration 333 connected with pc must be set as “untagged” for the reason that pc cannot identify data packet marked with vlan tag. Fault: ping two pcs, but fails to ping them through. Troubleshooting: the steps below can be taken. ■ first, ping the ip address of ethernet subinterface...

Page 339

Dhcp server configuration 335 ■ dhcp client logins the network for the first time if it is the first time for a dhcp client to login to the network, it will establish a connection with the dhcp server through four stages: ■ discovering stage. This is the stage when the dhcp client searches the dhcp ...

Page 341

Dhcp server configuration 337 ■ configure the range of a dhcp address pool ■ configure the ip addresses that do not participate in auto-allocation in the dhcp address pool ■ configure the lease valid period of the ip addresses in a dhcp address pool ■ configure the ip address of the outgoing gateway...

Page 343

Dhcp server configuration 339 the command network cannot be superimposed, that is, the latest configuration will overwrite the previous one. The command network and the commands static-bind ip-address and static-bind mac-address are conflicting. In other words, for the same dhcp address pool, config...

Page 345

Dhcp server configuration 341 that is because the new dns address will replace the previous one rather than superimpose it. 9 configure ip address of netbios server used by dhcp clients clients can communicate through the netbios protocol. As for the clients installed with the microsoft operating sy...

Page 347

Dhcp server configuration 343 typical dhcp server configuration example the common dhcp networking methods can be classified into two categories: one is that the dhcp server and the clients reside on the same subnetwork and they directly carry out the interaction of dhcp. Another one is that the dhc...

Page 349

Configure dhcp relay 345 figure 127 schematic diagram of dhcp relay the above figure is the schematic diagram of dhcp relay. Its working principle is as follows: after starting dhcp client, a configuration request message is broadcast and the dhcp relay router will send the message to the designated...

Page 351

Configure dhcp relay 347 ii. Networking diagram figure 128 networking diagram of an dhcp relay configuration example iii. Configuration procedure 1 configure dhcp relay router: [router-ethernet0] ip address 10.110.1.1 255.255.0.0 [router-ethernet0] ip relay-address 202.38.160.2 to configure helper a...

Page 353

Configure network address translation (nat) 349 ■ check whether the transparent transmission router itself is configured with services of the protocol transmitted transparently. Configure network address translation (nat) network address translation (nat), also known as address proxy, implements the...

Page 355

Configure network address translation (nat) 351 ■ the debugging of the network becomes even more difficult. For instance, when one host machine of the internal network attempts to attack other networks, it is very difficult to pinpoint which computer is attacking computer, since the ip address of th...

Page 357

Configure network address translation (nat) 353 corresponding internal server. During the course of address translation, it will look up the resource address of the message, to determine if the message is sent from the internal server. If yes, the source address is translated to the corresponding pu...

Page 359

Configure network address translation (nat) 355 ii. Networking diagram figure 132 nat configuration case networking diagram 1 iii. Configuration procedure a configure address pool and access list [router] nat address-group 202.38.160.101 202.38.160.105 pool 1 [router] acl 1 [router-acl-1]rule permit...

Page 361

Configure network address translation (nat) 357 fault 2: internal server abnormal troubleshooting: if an external host cannot access the internal server normally, check the configuration on the internal server host, or the internal server configuration on the router. It's possible that the internal ...

Page 363: Onfiguring

22 c onfiguring ip p erformance this chapter contains information on the following topics: ■ configure ip performance ■ configure tcp performance ■ configure fast forwarding ■ display and debug ip performance ■ troubleshooting ip performance configuration configure ip performance to configure ip per...

Page 365

Configure tcp performance 361 the synwait timer's timeout ranges between 2~600 seconds, with a default value of 75 seconds. The finwait timer's timeout ranges between 76~3600 seconds, with a default value of 675 seconds. The value of window-size ranges between 1~32kbytes, with a default value of 4kb...

Page 367

Display and debug ip performance 363 by default, fast-forwarding is enabled in the input/output directions of the interface. When fast-forwarding is carried out on an interface, note that: ■ you can disable fast-forwarding as necessary. For example, if load sharing is required, fast-forwarding must ...

Page 369: Onfiguring

23 c onfiguring ip c ount this chapter contains information on the following topics: ■ ip count introduction ■ ip count configuration ■ display and debug ip count ■ typical configuration example ■ troubleshooting ip count introduction ip count makes the statistics about the input and output packets,...

Page 371

Ip count configuration 367 configuring ip count on an interface can enable packet accounting on the interface. You can configure to make statistics on the packets input or output on the interface, as well as packets denied by firewall. Perform the following configuration in interface view. Table 400...

Page 373

Troubleshooting 369 ii. Networking diagram see figure 4-1 networking for ip count application for reference. Iii. Configuration procedure 1 configure the router a enable ip count service [router]ip count enable b specify count maximum of exterior-list to 10 [router]ip count exterior-threshold 10 c s...

Page 375: Onfiguring

24 c onfiguring ipx this chapter contains information on the following topics: ■ ipx protocol overview ■ configure ipx ipx protocol overview novell ipx protocol is a connectionless protocol. Though both data and destination ipx address are included in ipx packet, the protocol cannot confirm whether ...

Page 377

Configure ipx 373 clients can always obtain the latest server addresses. The following diagram describes the relation between main components of sap. Figure 136 schematic diagram of the relation between main components of sap configure ipx ipx configuration includes: ■ activate/deactivate ipx ■ enab...

Page 379

Configure ipx 375 table 410 configure rip updating period by default, the time interval for rip updating period is adjusted to be 60 seconds. C configure aging period of ipx rip perform the following task in system view. Table 411 configure rip aging period by default, the aging period of a routing ...

Page 381

Configure ipx 377 table 416 configure ipx sap updating period by default, the updating period of ipx sap is 1 tick (i.E. 1/18 seconds). C configure sap aging period perform the following task in system view. Table 417 configure sap aging period by default, the service information which is not update...

Page 383

Configure ipx 379 table 423 configure the delay of interface sending ipx packets by default, the delay of ethernet interface is 1 tick, for asynchronous serial port is 30 ticks and that for wan port is 6 ticks. The range of ticks is: 0~30000. 8 configure management of ipx packet by default, the rout...

Page 385

Configure ipx 381 d activate ipx module on interface serial0, the network id being 1000. Configuring bdr parameter [router] interface serial 0 [router-serial0] dialer enable-legacy [router-serial0] dialer-group 1 [router-serial0] ipx network 1000 e configure an address map to router b [router-serial...

Page 387: Onfiguring

25 c onfiguring dls w this chapter contains information on the following topics: ■ dlsw protocol overview ■ configuration of dlsw ■ display and debug dlsw ■ typical dlsw configuration example ■ diagnosis and troubleshooting of dlsw fault dlsw protocol overview data link switch protocol (dlsw) is a m...

Page 389

Configuration of dlsw 385 please perform the following configurations in system view. Table 429 create dlsw remote end peer entity no dlsw remote end peer entity is created by default. When creating remote backup-peer, note: when the remote backup peer is created, the tcp ip-address should be the ip...

Page 391

Configuration of dlsw 387 forwarding. This command is used to specify the virtual mac address on the interface, thus providing source mac address for transforming sdlc message into llc2 message. Please process the following configurations in the synchronous interface view. Table 434 configure sdlc v...

Page 393

Configuration of dlsw 389 12 configure to stop running dlsw please carry out the following configuration under overall view. Table 439 configure to stop running dlsw by default, the system does not run dlsw protocol. After using this command, the system will release all the dynamic resources but res...

Page 395

Configuration of dlsw 391 llc2 pre-answer refers to sending answer packet to the peer in advance after receiving the specified amount of packets. This parameter and local answer display time in 1 controls the time to send answer packet together. If any condition is satisfied, the answer packet will ...

Page 397

Configuration of dlsw 393 table 452 configure rej status time of llc2 by default, rej status time of llc2 is 500 ms. J configure queue length of sending message of llc2 please process the following configurations in the ethernet interface view. Table 453 configure queue length of sending message of ...

Page 399

Configuration of dlsw 395 table 460 configure sap address for transforming sdlc to llc2 by default, both lsap and dsap of llc2 are 04. H configure data bi-directional transmission mode of sdlc this command is used to allow the synchronous serial port of the encapsulated sdlc protocol to work in the ...

Page 401

Typical dlsw configuration example 397 ii. Networking diagram figure 139 networking diagram of dlsw configuration of lan-lan iii. Configuration procedure 1 router a configuration: [router] dlsw local 10.120.25.1 [router] dlsw remote 10.120.5.2 [router] dlsw bridge-set 5 [router] interface ethernet 0...

Page 403

Typical dlsw configuration example 399 ii. Networking diagram figure 141 networking diagram of sdlc-lan iii. Configuration procedure: 1 router a configuration: [router] dlsw local 110.87.33.11 [router] dlsw remote 202.39.28.33 [router] dlsw bridge-set 1 [router] interface ethernet 0 [router-ethernet...

Page 405

Diagnosis and troubleshooting of dlsw fault 401 active equipment of sdlc (such as as/400 or s390) is activated. Sometimes, communication can be implemented after you activate sdlc line manually..

Page 407: Outing

Vi r outing chapter 26 ip routing protocol chapter 27 configuring static routes chapter 28 configuring rip chapter 29 configuring ospf chapter 30 configuring bgp chapter 31 configuring ip routing policy chapter 32 configuring ip policy routing.

Page 409: Ip R

26 ip r outing p rotocol ip routing protocol overview routers are used to select the route in the internet. A router selects a suitable path according to the destination host address contained in a received data packet, and sends the data packet to the next router. The last router on the path sends ...

Page 411

Routing management strategy 407 figure 143 routing table illustration 3com routers support not only static route configuration, but also dynamic routing protocols such as rip, ospf and bgp. Depending on the interface status and user configuration, a router can automatically obtain some direct routes...

Page 413: Onfiguring

27 c onfiguring s tatic r outes this chapter covers the following topics: ■ static route overview ■ configuring a static route ■ displaying and debugging the routing table ■ static route configuration example ■ troubleshooting a static route configuration static route overview a static route is a sp...

Page 415

Displaying and debugging the routing table 411 ip address to the link layer address (such as dialer route ip, x.25 map ip or fr map ip commands, and so on). In this case, you cannot specify the transmitting interface for the static route and must configure the ip address of the next hop. Actually, a...

Page 417: Onfiguring

28 c onfiguring rip this chapter covers the following topics: ■ rip overview ■ configure rip ■ displaying and debugging rip ■ rip - unicast configuration example ■ troubleshooting rip rip overview the routing information protocol (rip) is an interior gateway and dynamic routing protocol based on the...

Page 419

Configure rip 415 ■ configuring rip horizontal segmentation on the interface ■ configuring route import for rip ■ specifying default route metric value for rip ■ specifying additional route metric values for rip ■ setting route preference ■ configuring route distribution for rip ■ resetting rip enab...

Page 421

Configure rip 417 rip version 2 does not have provisions for a zero field in its header so this configuration is invalid for rip-2. Perform the following configurations in rip view. Table 473 configure check zero field of rip version 1 rip version 1 enables zero field check by default. Specifying th...

Page 423

Configure rip 419 configuring rip horizontal segmentation on the interface rip is a distance-vector algorithm routing protocol. It uses the split-horizon algorithm to avoid loop routes. Split-horizon means that routes received at a certain interface are not sent to the same interface. If correct tra...

Page 425

Displaying and debugging rip 421 configure filtering the routing information being advertised table 484 filter the routing information being advertised by rip by default, rip does not filter any route information received or being advertised. The protocol attribute specifies the routing domain that ...

Page 427: Onfiguring

29 c onfiguring ospf this chapter covers the following topics: ■ ospf overview ■ configuring ospf ■ displaying and debugging ospf ■ ospf configuration example ospf overview open shortest path first (ospf) is an autonomous, link-state-based internal routing protocol developed by internet engineering ...

Page 429

Configuring ospf 425 ■ configuring sending packet cost ■ configuring a peer for the nbma interface ■ specifying the router priority ■ specifying the hello interval ■ specifying the dead interval ■ specifying the retransmitting interval ■ specifying the transmit-delay ■ configuring a stubby area and ...

Page 431

Configuring ospf 427 hello packet before this interface sets up neighboring relations with the adjacent routers. The interface can be configured into nbma mode on the broadcast network without multi-access capability. If not all routers are inter-reachable on nbma network, the interface can be confi...

Page 433

Configuring ospf 429 specifying the router priority it is necessary to establish the peer relationship manually between interfaces for multi-point access network, (nbma and broadcast type networks). But establishing peer relationshipoccupies large amounts of system resources when there are hundreds ...

Page 435

Configuring ospf 431 specifying the retransmitting interval the router waits for confirmation from the neighbor to whom it has sent an lsa. If the router does not receive the neighbor's confirmation after a specified interval, the retransmitting interval, it resends the lsa. You can set the time int...

Page 437

Configuring ospf 433 in the following group network, an as operating the ospf protocol includes three areas, area 1, area 2, and area 0. Area 0 is the backbone area. The other ass operate rip. Area 1 is defined as an nssa area. After an rip route advertises to the nssa asbr that generates a type-7 l...

Page 439

Configuring ospf 435 the virtual link is activated after the route through the transit area is calculated. It is equivalent to a point-to-point connection between two terminals. Parameters can be configured for this connection like a physical interface, such as sending a hello-timer. A “logic channe...

Page 441

Configuring ospf 437 table 503 configure route import for ospf by default, ospf does not import routes from other domains into the routing table. The protocol attribute specifies the source routing domain that can be imported. At present, ospf can import routes domain such as connected, static, rip,...

Page 443

Ospf configuration example 439 ospf configuration example this section describes several different configurations of ospf with a suggested procedure for each configuration configuring ospf on the point-to-multipoint network. The configuration for this example includes the following features: ■ route...

Page 445

Ospf configuration example 441 c configure the area-id of the interface and the interface type [routerc-ospf] quit [routerc] interface serial 0 [routerc-serial0] ospf enable area 0 [routerc-serial0] ospf network-type p2mp [routerc-serial0] ospf peer 1.1.1.1 [routerc-serial0] ospf peer 1.1.1.2 4 conf...

Page 447

Ospf configuration example 443 run display ospf peer on router a to show ospf peer. Note that router a has 3 peers. [routera] display ospf peer the status of every peer is full, which means that router a has created neighboring relation with all peers. Only dr and bdr have created neighboring relati...

Page 449

Ospf configuration example 445 [routerc] router id 3.3.3.3 [routerc] ospf enable [routerc-ospf] interface ethernet 0 [routerc-ethernet0] ospf enable area 2 [routerc-ethernet0] interface serial 0 [routerc-serial0] ospf enable area 1 [routerc-serial0] quit [routerc] ospf [routerc-ospf] vlink peer-id 2...

Page 451

Ospf configuration example 447 dial-up mode, although the ppp protocol is encapsulated on the link layer, it is still nbma type. The peer must be specified manually. Use the ospf peer ip-address command. ■ if the network type is broadcast network or nbma, at least the priority of one interface must ...

Page 453: Onfiguring

30 c onfiguring bgp this chapter covers the following topics: ■ bgp overview ■ configuring bgp ■ displaying and debugging bgp ■ bgp configuration example bgp overview border gateway protocol (bgp) is an inter-as dynamic route discovery protocol. Its primary function is to exchange loop-free routing ...

Page 455

Configuring bgp 451 ■ configuring a bgp community ■ configuring a bgp as confederation attribute ■ configuring route dampening ■ configuring synchronization of bgp and igp ■ configuring the interactions between bgp and an igp ■ defining an access list entry, an as path-list entry, a routing policy ■...

Page 457

Configuring bgp 453 table 515 configure to send community attribute to the pee r by default, the community attributes are not sent to the peer. 6 configure the peer to be the client of the route reflector. Table 516 configure the peer to be the client of the route reflector 7 configure to distribute...

Page 459

Configuring bgp 455 by default, med values from different as neighboring routes are not compared when determining the best route. This configuration should not be used unless it is certain that different ass uses the same igp and routing modes. Configuring the local preference configuring different ...

Page 461

Configuring bgp 457 to configure an advanced bgp peer group configuration: 1 configure the as number of bgp peer group table 528 configure as number of bgp peer group by default, there is no as number for bgp peer group. 2 configure connection between peers indirectly connected table 529 configure c...

Page 463

Configuring bgp 459 by default, the route from the peer or peer group is not designated with any route policy. 10 create a filtering policy based on the access list for the peer group table 537 create a filtering policy based on access list for peer group by default, no route filtering policy based ...

Page 465

Configuring bgp 461 the non-clients must form an all-closed network with the reflector, as they follow the basic rules of ibgp. A client should not be peer of other internal speakers outside its cluster. The reflecting function is achieved only on the route reflector. All the clients and non-clients...

Page 467

Configuring bgp 463 the disadvantage is that when a non-confederation scheme changes to a confederation scheme, it is required to reconfigure the router and to modify the logical topology. In addition, if the bgp strategy is not manually configured, the best path may not be selected through the conf...

Page 469

Configuring bgp 465 table 547 configure route dampening by default, route dampening is disabled. 2 display route flap information. Perform the following configurations in system view. Table 548 display route flap information configuring synchronization of bgp and igp bgp protocol prescribes that a b...

Page 471

Configuring bgp 467 table 551 allow the import of network 0.0.0.0 into the bgp by default, the import of network 0.0.0.0 into bgp is disabled. Defining an access list entry, an as path-list entry, a routing policy this section describes the configuration of an access list, an as path list, and a rou...

Page 473

Configuring bgp 469 by default, as serial number, bgp community attribute, next hop, local preference, metric value, and origin attributes are not applied. See “define apply clause “of “configuration of ip routing policy” for details. Configuring a route filter for bgp perform the following configur...

Page 475

Bgp configuration example 471 bgp configuration example this section describes several different configurations of bgp with a suggested procedure for each configuration. Configuring the as confederation attribute as shown in the following diagram, as 100 is divided into 3 sub-ass: 1001, 1002, 1003, ...

Page 477

Bgp configuration example 473 figure 155 networking diagram of configuring route reflector 1 configure router a: [routera] bgp 100 [routera-bgp] undo synchronization [routera-bgp] peer 192.1.1.2 as-number 200 [routera-bgp] interface serial 0 [routera-serial0] ip address 192.1.1.1 255.255.255.0 2 con...

Page 479

Bgp configuration example 475 figure 156 networking diagram of configuring bgp path selection 1 configure router a: [routera] interface serial 0 [routera-serial0] ip address 192.1.1.1 255.255.255.0 [routera] interface serial 1 [routera-serial1] ip address 193.1.1.1 255.255.255.0 [routera-serial1] qu...

Page 481

Bgp configuration example 477 [routerd-ospf] network 4.0.0.0 0.0.0.255 area 0 [routerd] bgp 200 [routerd-bgp] undo synchronization [routerd-bgp] peer 194.1.1.2 as-number 100 [routerd-bgp] peer 194.1.1.2 as-number 200 to make the configuration effective, use the reset bgp all command to reset all bgp...

Page 483: Onfiguring

31 c onfiguring ip r outing p olicy this chapter covers the following topics: ■ ip routing policy overview ■ configure ip routing policy ■ displaying and debugging ip routing policy ■ configuring ip routing policy ■ troubleshooting ip routing policy ip routing policy overview during the information ...

Page 485

Configure ip routing policy 481 community. Actually, it is a method of grouping according to the destination address where the packets are sent. After grouping, the whole group of routing information should be distributed, received or imported. The community-list is an access list based on community...

Page 487

Configure ip routing policy 483 be filtered through the routing policy unless it matches all if-match clauses of this part and it can execute the operation of teh apply sub-clause. ■ if an if-match clause is not specified, all routing information is filtered through the policy of this node. Defining...

Page 489

Configure ip routing policy 485 type is the type of ospf external route corresponding to the imported route when ospf is importing other protocol routes. Type 1 refers to external route type 1 and type 2 refers to external route type 2. The metric value of the imported route can be set as the follow...

Page 491

Configuring ip routing policy 487 table 567 display and debug of ip routing policy configuring ip routing policy this example explains how an ospf protocol selectively imports an rip route. As shown in the following figure, the router connects a campus network which uses rip as its internal routing ...

Page 493

Troubleshooting ip routing policy 489 figure 159 networking diagram of filtering the distributed routing information 1 configure ip-prefix [router]ip ip-prefix p1 permit 192.1.1.0/24 2 configure rip protocol [router]rip [router-rip]network 192.1.0.0 [router-rip]network 202.1.1.0 [router-rip]filter-p...

Page 495: Onfiguring

32 c onfiguring ip p olicy r outing this chapter covers the following topics: ■ ip policy routing overview ■ configuring ip policy routing ■ displaying and debugging ip policy routing ■ ip policy routing configuration example ip policy routing overview ip policy routing is a mechanism in which messa...

Page 497

Displaying and debugging ip policy routing 493 you can specify multiple next-hops or send the message to multiple interfaces. Generally, only the first parameter works. If the first parameter is mismatched, the second parameter will take effect, and so on. By default, no apply clause is defined. Ena...

Page 499

Ip policy routing configuration example 495 4 adopt policy aaa in ethernet interface [router-route-policy]interface ethernet 0 [router-ethernet0]ip policy route-policy aaa configure policy routing based on message size router a sends the messages of 64-100 bytes through s0, messages of 101-1000 byte...

Page 501: Vii

Vii m ulticast chapter 33 ip multicast chapter 34 configuring igmp chapter 35 configuring pim-dm chapter 36 configuring pim-sm.

Page 503: Ip M

33 ip m ulticast this chapter covers the following topics: ■ ip multicast overview ■ ip multicast addresses ■ ip multicast features ■ ip multicast routing protocols ■ ip multicast packet forwarding ■ ip multicast application ip multicast overview when the destination addresses carrying information (...

Page 505

Ip multicast routing protocols 501 the ip multicast environment, the destination address of a data packet is not one address but a group, forming a group address. All the information receivers are added to a group, and once they access the group, data flowing to the destination address begin to tran...

Page 507

Ip multicast packet forwarding 503 the transmitting end is first registered at the rp if it needs to send data to a specific address, and then sends the data to the rp. Once data reaches the rp, multicast data packets are duplicated and sent to receivers who are interested in getting them along the ...

Page 509: Onfiguring

34 c onfiguring igmp this chapter covers the following topics: ■ igmp overview ■ configuring igmp ■ displaying and debugging igmp ■ igmp configuration example igmp overview the internet group management protocol (igmp) is a protocol that is responsible for the ip multicast member management among th...

Page 511

Configuring igmp 507 configuring the version number of igmp at the router interface igmp version 2 is able to configure query message timeout and the maximum query response time. All the systems in the same subnet must run the same igmp version because the routers are not able to check the version n...

Page 513

Igmp configuration example 509 figure 162 igmp network diagram 1 configure the ip addresses of the interfaces of router a, router b and the pc. [routera]interface e0 [routera-ethernet0]ip address 10.16.1.3 24 [routerb]interface e0 [routerb-ethernet0]ip address 10.16.1.2 24 2 execute the multicast ro...

Page 515: Onfiguring

35 c onfiguring pim-dm this chapter covers the following topics: ■ pim-dm overview ■ pim-dm configuration ■ displaying and debugging pim-dm ■ pim-dm configuration example pim-dm overview protocol independent multicast--dense mode (pim-dm) is applicable to the following conditions: ■ the transmitter ...

Page 517

Displaying and debugging pim-dm 513 starting the pim-dm protocol you must start the pim-dm protocol at each interface. By default, the system disables the pim-dm protocol. Make the following configuration in the interface view. Table 584 start/disable pim-dm protocol configuring the time interval fo...

Page 519: Onfiguring

36 c onfiguring pim-sm this chapter covers the following topics: ■ pim-sm overview ■ pim-sm configuration ■ displaying and debugging pim-sm ■ pim-sm configuration example ■ troubleshooting pim-sm pim-sm overview protocol independent multicast--sparse mode (pim-sm) is used in the following conditions...

Page 521

Pim-sm configuration 517 table 588 enable/disable pim-sm protocol by default, the interface disables pim-sm protocol. Note that pim-sm only runs on specific interfaces. One interface can only run one multicast routing protocol at one time. Configuring the candidate bsr in a pim-sm domain, there must...

Page 523

Displaying and debugging pim-sm 519 by default, the time interval of interface sending hello message is 30 seconds. Configuring the threshold of the shortest path the pim-sm router first forwards multicast data packets by the shared tree. But if the multicast data rate exceeds a certain threshold va...

Page 525

Troubleshooting pim-sm 521 [routerb-serial1] pim sm [routerb] interface serial 2 [routerb-serial2] pim sm b configure the candidate bsr [routerb-pim] c-bsr serial 0 30 2 c configure the candidate rp [routerb-pim] acl 5 [routerb-acl-5] rule permit source 225.0.0.0 255.0.0.0 [routerb-acl-5] pim [route...

Page 527: Viii

Viii s ecurity chapter 37 configuring terminal access security chapter 38 configuring aaa and radius protocol chapter 39 configuring firewall chapter 40 configuring ipsec chapter 41 configuring ike.

Page 529: Onfiguring

37 c onfiguring t erminal a ccess s ecurity this chapter provides an overview to the security features provided for terminal access of 3com routers and covers the following topics: ■ terminal access security overview ■ configuring terminal access security ■ exec configuration example terminal access...

Page 531

Exec configuration example 527 ■ an administrator user using the console port ■ an operator user using telnet configureng administrator user login authentication from a console port in this example, the user name is abc and the password is hello. The radius server first authenticates the user, and t...

Page 533: Onfiguring

38 c onfiguring aaa and radius p rotocol this chapter covers the following topics: ■ aaa overview ■ radius overview ■ configuring aaa and radius ■ displaying and debugging aaa and radius ■ aaa and radius configuration examples ■ troubleshooting aaa and radius aaa overview aaa implements the followin...

Page 535

Radius overview 531 figure 166 basic message interaction process of radius the basic operation is described as follows: 1 the user enters a username and password. 2 having received the username and password, teh radius client sends an authentication request packet (access-request) to the radius serv...

Page 537

Configuring aaa and radius 533 table 598 attribute fields attribute field 26 (vender-specific) in the radius protocol can be easily extended, so that the user can define extension attributes. Figure 168 shows the packet structure: figure 168 fragment of the radius packet that includes extension attr...

Page 539

Configuring aaa and radius 535 methods the subsequent methods can be used. If authentication again, the authentication is terminated. The none method is meaningful only when it is the last item of the method list. Note that only one login method list can be configured, which can use a different name...

Page 541

Configuring aaa and radius 537 the pool-number ranges from 0 to 99. Addresses in each address pool must be consecutive, and each address pool can have at most 256 addresses. Assigning an ip address for a ppp user for a user accessing the internet through remote ppp dialing, the system either specifi...

Page 543

Configuring aaa and radius 539 table 609 configure ftp user and the usable directory authorize a user with usable service types the services, which can be used by a user, are authorized in the local database. Presently there are five service types, which are listed as follows: ■ exec refers to opera...

Page 545

Configuring aaa and radius 541 configure the request retransmission times if the radius server fails to respond, the router sends the authentication request packet again periodically. If no radius server response is received after the configured value of timeout, the authentication request packet ne...

Page 547

Aaa and radius configuration examples 543 figure 169 networking diagram of typical aaa and radius configuration 1 enable aaa and configure default authentication method list of ppp user. [router]aaa-enable [router]aaa authentication-scheme ppp default radius 2 configure ip address and port of radius...

Page 549

Troubleshooting aaa and radius 545 unavailable. Moreover as the radius timer quiet command has not been configured (defaulted as 5 minutes), or a relative long dead-time has been configured, the system does not know that the server has recovered. Use undo radius server command to delete the original...

Page 551: Onfiguring

39 c onfiguring f irewall this chapter covers the following topics: ■ firewall overview ■ configure firewall ■ displaying and debugging firewall ■ firewall configuration example firewall overview a firewall is used to control the network equipment, which accesses the internal network resources. Sett...

Page 553

Firewall overview 549 figure 171 packet filtering schematic diagram the following can be realized by data packet filtering: ■ prohibit logging on with telnet from outside ■ every e-mail is sent by smtp (simple message transfer protocol). ■ one pc, rather than all other pcs, can send news to us by nn...

Page 556

552 c hapter 39: c onfiguring f irewall as for the icmp, you can specify the icmp packet type. You can use a number (ranging 0 to 255) or a mnemonic symbol to specify the packet type. Udp biff bootpc bootps discard dns dnsix echo mobilip-ag mobilip-mn nameserver netbios-dgm netbios-ns netbios-ssn nt...

Page 558

554 c hapter 39: c onfiguring f irewall the “depth-first” principle means matching the access rules with the smallest definition range of data packets. It can be achieved by comparing the wildcards of address. The smaller the wildcards are, the smaller the range specified by the host is. For example...

Page 560

556 c hapter 39: c onfiguring f irewall normal means that this rule functions during normal time range, while special means that this rule will function during the special time range. Users shall set the special time range when using special . Multiple rules with the same serial number will be match...

Page 562

558 c hapter 39: c onfiguring f irewall table 627 configure rules for applying access control list on interface by default no rule for filtering messages on interface is specified. In one direction of an interface ( inbound or outbound ), up to 20 access rules can be applied. That is to say, 20 rule...

Page 564

560 c hapter 39: c onfiguring f irewall 6 configure rules to permit specific user to obtain data (only packets of port greater than 1024) from an external network [router-acl-102] rule permit tcp source any destination 202.38.160.1 0.0.0.0 destination-port greater-than 1024 7 apply rule 101 on packe...

Page 566

562 c hapter 40: c onfiguring ips ec state by polling. Thus, crypto cards can synchronously process user data, which improves the speed of data encryption and decryption. For the ipsec applied at the crypto card side, the crypto cards will be unable to implement the ipsec processing if all the crypt...

Page 568

564 c hapter 40: c onfiguring ips ec authentication and encryption, for instance), it is necessary to create two different encryption access control lists and apply them to different security policies. Encryption access control list can be used to judge both inbound communication and outbound commun...

Page 570

566 c hapter 40: c onfiguring ips ec table 634 enable/disable the host to backup the ndec cards by default, the host is disabled to backup the crypto cards. Defining ipsec proposal the ipsec saved in conversion mode needs a special security protocol and encryption/authentication algorithm to provide...

Page 572

568 c hapter 40: c onfiguring ips ec perform the following configurations in ipsec proposal view (or proposal view of crypto card) table 638 select encryption algorithm and authentication algorithm by default, esp protocol adopts des encryption algorithm and md5-hmac-96 authentication algorithm, and...

Page 574

570 c hapter 40: c onfiguring ips ec by default, the start point and the end point of the security tunnel are not specified. Set ipsec proposal quoted in security policy when sa is created manually, a security policy can quote only one ipsec proposal, and to set new ipsec proposal, the previously co...

Page 576

572 c hapter 40: c onfiguring ips ec the keys are input in two modes and those input in string mode are preferred. At both ends of the security tunnel, the keys should be input in the same mode. If the key is input at one end in string mode, but at the other end in hexadecimal mode, the security tun...

Page 578

574 c hapter 40: c onfiguring ips ec defined by kilobytes. Hard timeout of sa means that the sa lives for the whole lifetime. Perform the following configurations in system view. Table 649 configure global sa lifetime by default, time-based lifetime is 3600 seconds (an hour),- and traffic-based life...

Page 580

576 c hapter 40: c onfiguring ips ec table 653 display and debug ipsec displaying and debugging the ndec car d resetting the crypto card when the crypto card operates abnormally, resetting the crypto card can be used to restore the crypto card to normality. When resetting the crypto card, the crypto...

Page 582

578 c hapter 40: c onfiguring ips ec figure 174 networking diagram of manually creating sa prior to the configuration, you should ensure that router a and router b can interwork at the network layer through a serial interface. 1 configure router a: a configure an access list and define the data stre...

Page 584

580 c hapter 40: c onfiguring ips ec [routerb-serial0] ipsec policy use1 [routerb-serial0] ip address 202.38.162.1 255.255.255.0 o configure the route. [routerb] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1 after the configuration is complete and the security tunnel between router a and route...

Page 586

582 c hapter 40: c onfiguring ips ec m configure corresponding ike [routerb] ike pre-shared-key abcde remote 202.38.163.1 after the above configurations are completed, if the messages between subnet 10.1.1.X and subnet 10.1.2x transmits between router-a and router-b, ike will be triggered to negotia...

Page 588

584 c hapter 40: c onfiguring ips ec [routerb-ipsec-card-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96 f return to system view. [routerb-ipsec-card-proposal-tran1] quit g establish a security policy with manual configuration mode. [routerb] ipsec policy map1 10 manual h quote access ...

Page 590

586 c hapter 40: c onfiguring ips ec.

Page 592

588 c hapter 41: c onfiguring ike figure 176 diagram of relationship between ike and ipsec ike features ■ avoid specifying manually all ipsec security parameters in password mapping of both communication ends. ■ allow specifying the lifetime of ipsec sa ■ allow exchanging ciphering key during ipsec ...

Page 594

590 c hapter 41: c onfiguring ike the system creates only the default ike security policy that cannot be deleted or modified by users. Selecting an encryption algorithm the two types of encryption algorithms that are supported are the 56-bit des-cipher block chaining (des-cbc) algorithm and the 168-...

Page 596

592 c hapter 41: c onfiguring ike by default, sa lifetime is 86400 seconds (a day). It is recommended that the configured seconds should be greater than 10 minutes. Configuring ike keepalive timer the keepalive function detects and deletes idle security association when the peer party is invalid and...

Page 598

594 c hapter 41: c onfiguring ike for protecting different data streams. At present, we use the user ip address to identify the user. Got notify of type invalid_id_information or drop message from x.X.X.X due to notification type invalid_id_information check whether acl contents in ipsec policy conf...

Page 600

596.

Page 602

598 c hapter 42: c onfiguring vpn the vpn with service quality guarantee can provide different levels of service quality guarantees for users by charging for different services. Basic networking applications of vpn an enterprise that has an intranet established with vpn is shown in the following fig...

Page 604

600 c hapter 42: c onfiguring vpn isp gateway and ppp session ends at nas, it is unnecessary for the gateway at the user end to manage and maintain the status of every ppp session, thus improving system performance. Generally, layer 2 and layer 3 tunnel protocols are used independently so combining ...

Page 606

602 c hapter 43: c onfiguring l2tp figure 179 networking diagram of typical vpdn application in this figure, lac stands for l2tp access concentrator, which is a switch network device with a ppp end system and l2tp client-side processing ability. Usually, lac is a nas, which provides access service f...

Page 608

604 c hapter 43: c onfiguring l2tp the l2tp header includes the information of tunnel and session ids, which are used to identify different tunnels and sessions. The messages with the same tunnel id and different session ids is multiplexed in one tunnel. Tunnel id and session id are distributed to t...

Page 610

606 c hapter 43: c onfiguring l2tp addresses (rfc1918). The addresses allocated to remote users are private addresses belonging to an enterprise, thus the addresses can be easily managed and the security can also be improved. ■ flexible network charging charging can be fulfilled at both lac and lns ...

Page 612

608 c hapter 43: c onfiguring l2tp table 668 configure aaa and local users by default, the local user name and password are not configured. As the aaa attributes of l2tp are not standard attributes of radius protocol, it is necessary to add the definition of l2tp attributes to the attribute set of r...

Page 614

610 c hapter 43: c onfiguring l2tp table 673 configure the name of the receiving end of the tunnel when the group number of l2tp is 1 (the default l2tp group number), it is unnecessary to specify the remote-name. If the name of remote end is still specified in the view of l2tp group 1, l2tp group 1 ...

Page 616

612 c hapter 43: c onfiguring l2tp ■ lac and lns authenticate each other. It can be found that either lac or lns can originate tunnel authentication request. However, if one side enables the tunnel authentication, the tunnel can be established only when the passwords on both ends of the tunnel are e...

Page 618

614 c hapter 43: c onfiguring l2tp information (ack) and wait for some time before clearing the tunnel, so that the request transmitted again from the peer can be properly received when ack message is lost. After disconnecting the tunnel by force, all control connections and session connections on t...

Page 620

616 c hapter 43: c onfiguring l2tp by default, address pool 0 (the default one) will be used by the peer for allocating addresses. When specifying the address pool from which addresses are allocated for users, the default address pool will be used for allocating addresses if no specific pool-number ...

Page 622

618 c hapter 43: c onfiguring l2tp ii. Networking diagram figure 183 networking diagram of nas-originated vpn iii. Configuration procedure 1 configuration at the lac (nas) side:) a configure username and password (when dialing in windows2000). [router-lac] local-user lac service-type ppp password si...

Page 624

620 c hapter 43: c onfiguring l2tp figure 185 internet connection wizard (1) ■ click and input the telephone number at the nas side in the popup dialog box (if it is a local telephone number, you should deselect “use area code and dialing rules”), as shown in the following figure..

Page 626

622 c hapter 43: c onfiguring l2tp figure 187 internet connection wizard (3) ■ click and input the name of dialup connection (such as “connection to 660046”) in the popup dialog box, as shown in the following figure. Figure 188 internet connection wizard (4).

Page 628

624 c hapter 43: c onfiguring l2tp figure 190 connect to “connection to 66046” to determine the ip address assigned to your computer by the lns, use the dos-based command ipconfig. Client-originated vpn networking i. Networking requirements after connecting to the internet, the vpn user originates r...

Page 630

626 c hapter 43: c onfiguring l2tp ■ search for hkey_local_machine, system, currentcontrolset, services, rasman and parameters level by level in the register in the left. Click , and click in the blank space in the right window. Choose {create/double byte value} and create a register value (name: pr...

Page 632

628 c hapter 43: c onfiguring l2tp ■ click to complete the configuration. ■ double click [connect connection to 660046] to start vpn connection. Before that, if the dialup connection is not set up, the system will automatically prompt you to set up dialup connection. After connection, input the user...

Page 634

630 c hapter 43: c onfiguring l2tp [router2] ip pool 1 192.168.0.2 192.168.0.100 b enable aaa authentication. [router2] aaa-enable [router2] aaa authentication-scheme ppp default local c configure virtual-template 1. [router2] interface virtual-template 1 [router2-virtual-template1] ip address 192.1...

Page 636

632 c hapter 43: c onfiguring l2tp [router2-ipsec-proposal-l2tptrans] transform esp-new [router2-ipsec-proposal-l2tptrans] esp-new encryption-algorithm des [router2-ipsec-proposal-l2tptrans] esp-new authentication-algorithm sha1-hmac-96 [router2-ipsec-proposal-l2tptrans] encapsulation-mode transport...

Page 638

634 c hapter 43: c onfiguring l2tp.

Page 640

636 c hapter 44: c onfiguring gre which examines the key, checksum or message sequence number. After the gre header is removed, the ip message is processed by the ipx protocol in the same way as an ordinary datagram. The system receives a datagram to be encapsulated and routed,. The datagram is firs...

Page 642

638 c hapter 44: c onfiguring gre the two sub-networks group1 and group2 that are running the novell ipx protocol are in different cities. With the tunnel available, the trans-wan vpn can be established. In addition, gre also allows users to select and record an identification key word for the tunne...

Page 644

640 c hapter 44: c onfiguring gre by default, no identification key word of the tunnel interface is configured. Setting the tunnel interface to check with checksum it is stipulated in rfc 1701 that if the checksum field of the gre header is set, the checksum is valid. The transmitting side calculate...

Page 646