Firewall Overview

39	CONFIGURING FIREWALL

	This chapter covers the following topics:
	■	Firewall Overview
	■	Configure Firewall
	■ Displaying and Debugging Firewall
	■	Firewall Configuration Example

Firewall Overview	A firewall is used to control the network equipment, which accesses the internal
	network resources. Setting a firewall at the access entry point of the intranet can
	control access to the internal network resources by the external network devices.
	In case of multiple entry points, every access entry point should be configured with
	a firewall to effectively control the external access. To ensure that all data entering
	the intranet is detected by the firewall, the firewall should be set at the intranet
	entry point.
	A firewall is used not only to connect the Internet, but also to control the access to
	some special part of the internal network, such as to protect mainframes and
	important resources, such as data, in the network. Access to the protected data
	must be filtered through the firewall even if the access is from inside.
	The firewall can screen the information, structure and operation of the intranet
	from outside by detecting, restricting and modifying data flow overriding the
	firewall. At present many firewalls also have other characteristics, for example, to
	identify the user, and conduct security processing (encryption) for information.
	Figure 170 A firewall isolates the internal network from the Internet

Internet

Firewall

Ethernet

PC	PC	PC	Server	PC
			Server

Page 551

Image 551

Contents

3Com Router Configuration Guide 01752-3064 3Com CorporationCampus Drive Marlborough, MAPage VPN Text Conventions This guide describes 3Com routers and how to configure themList conventions that are used throughout this guide About this Guide 3Com Router Introduction 3Com Router User Interface Page 3COM Router Introduction Router Version Features of the 3ComFollowing table lists the basic features of the 3Com Router List of the 3Com Router 1.x features RIP-1/RIP-2 NAT Quality of service 3Com Router New Features of the 3Com Router 1.x 3COM Router Introduction Port ConfigurationEstablish Environment Establish a new connection Set port communication parameters Establish a remote configuration environment Router ConfigurationConnection Environment Workstation Ethernet Interface CLI Command Line 3COM Router User Interface Views and their prompts System view Table Enter controller Async 0 in anyEthernet 0 in any Loopback 0 in any Partial help HelpsFull help Routerdisplay ? List of common command line error messagesCommon error Message Causes For example Three options are available for users Command LineFeatures Display Features Management Following commandsPlease perform the following commands in system view User Identity Set the system clock Configure the router nameSystem Display the System Information Router By default, the system clock is 080000 1 1Execute the following commands in all views Reboot the system System Management Page Softwaresoftware Storage Media and File Types Supported by the System Input Ctrl+D, and the following prompt information displays Upgrade Boot ROM Software Main Program software Upgrade the 3ComRouter Main Program Software XModem Approach Modify the terminal baud rate Transfer File dialog box Tftp server application can run on Windows 95/98/NT Preparation for using the Tftp serverEnable the Tftp server program Tftpd32 Set interface Press Enter and the following prompts will be displayed Network Interface Parameters Enter Ctrl+B and the system prompts Get ip-addr file-name system Download configuration files from a Tftp serverOperation Command Downloads the 3Com Router main Press Enter for loading Set an authentication mode for an FTP server Prepare for using the FTP server Enable FTP server Upgrade the 3Com Router Main Software with FTP Copy ip-addr file-name system Back up the 3Com Router Main Program SoftwareTftp Approach FTP Approach Setup Users Dialog Box Password Configure on-line upgrading of the cardUpdate slot slot-number ftpserver host-name Port-number user user-name password Content and Format of the Configuration File Configuration File ManagementDownload Configuration File Perform the following command in system view Set the binary transmission protocol to XModem/CRC Load configuration filesDownload Config Router download config File-name config Display current-configurationcommand output backup approachBack up Configuration Files Upload configuration files to a Tftp server View router configuration Please use the following commands in corresponding views Erase the configuration file in storage media Select and view the storage media of configuration fileSave current configuration Set the Flag Bit to Enter the Initial Setup Mode Files on the router Configure FTPConfigure authentication and authorization of FTP server Client via port 20 and transfer data Set the authentication mode of FTP server Enter the following commands in system viewConfigure Parameters of FTP Service Please enter the following commands in system view Force to shut down FTP process Set FTP update modeSet the connection time limit of FTP service Force to shut down FTP process Display local-user Display FTP Server Display FTP serverDisplay ftp-server Server Display detailed information of the FTP user System Management Overview Terminal ServiceFeatures of Terminal Service at Console Port On one router ServiceSet the attributes of terminal service Terminal Message Enable/disable receiving messages from other terminals Perform the following configuration in all viewsConfigure Terminal Message Service Display Terminal Message Service Dumb Terminal Typical Example Terminal Message Service ConfigurationTerminal Service By default, no dumb terminal service is configured Configuration Examples Dumb Terminal ServiceConfigure Dumb Terminal Configure Auto-execute command Router-Serial1auto-execute command telnet Terminal Service Telnet ConnectionConfigure the interface to dumb terminal mode Configure the auto-execute command command Establish Telnet Connection Terminal service features of telnet connectionService Value Establish Telnet Server or Telnet Client connection Setup Reverse Telnet ConnectionEnable Reverse Telnet connection Service-port Force to shut down Telnet process Typical Configuration Example of Telnet Reverse TelnetForce shut down Telnet Process Example of Telnet Router telnet 10.110.164.44 Rlogin TerminalUse Rlogin protocol Example of Reverse Telnet Use local user name abc to log on Establish a Rlogin connectionTypical Rlogin Configuration Examples Rlogin ip-address username Communicate with other terminals through the X.25 network Access ServicePAD Remote Local-user user-name Configure X.25 PAD remote userConfigure X.25 PAD remote user Service-type type password Establish a X.25 PAD call Start AAA authentication of X.25 remote usersEnable AAA authentication for X.25 remote PAD users Establish an X.25 PAD call Set the Response Time to the Invite Clear Message II. Networking DiagramIII. Configuration Procedure Display and Debug RouterB-serial0x25 x121-address Fault Diagnosis TroubleshootingSet its X.121 address as RouterA-serial0x25 x121-address Development of Snmp Snmp Overview Configuring Network Management SNMP-supported MIB Snmp architecture Engineid By default, the system disables Snmp service3Com Router-supported MIB Configure Snmp version and related tasks Perform the following configurations in system view Interface-number Configure information of router administratorConfigure the traps to be sent by the router V1 username Byte-count Perform the following commands in all viewsDisplay and debug Snmp Name Examples Networking Requirements Example 1 Configure Network Management of SNMPv1Set the community name and access authority Configure an IP address for the Ethernet interface ethernet Network equipment Configure an IP address for the Ethernet interface ethernetRmon Overview Schematic diagram of Rmon application Examples Networking Requirement Enable Rmon statistics RouterA-Ethernet0 rmon promiscuous Commands to display information of the whole system Test Tool of Network Connection Ping command Ip-address Ping supporting IP protocolSystem displays Ping supporting IPX protocol MaxTTL -p port -q nqueries Following command can be executed in any command modesTracert command Timeout host Log Function Configure on the router Set the direction of syslog outputting log information Set Filter of Log Information Set Severity of Log InformationPerform the following task in system view Sylog-defined severity is as follows Turn on/turn off syslog Configuration of Log HostTurn on/turn off syslog Display and Debug Syslog Routerdebug ppp all Syslog Configuration ExampleTurn on debugging switch of PPP module Routerinfo-center enable Display and Debugging Tools Dial-up POS Access POS Terminal Access Service Advantages of POS network access are as follows POS Network Access Start POS server POS Access Service ConfigurationConfigure POS access port Ip-address port-number Configure a POS applicationInterface-type interface-number App-number Bind the source address of TCP connection Configure POS multi-application mapping tableDefault app-number Set the parameters of FCM used during Modem negotiation Display and Debug POS AccessDisplay and debug POS access Set the parameters of FCM used during Modem negotiation Configure POS access interface FCM1 Typical Configuration Example of POS Access ServiceConfigure the Ethernet interface Ethernet Configure the POS access interface FCM0 III. Configuration Procedure 1 Start the POS access server Configure POS access interface FCM2Configure POS access interface FCM0 Configure Router a Start the POS access server Configure Async 0 to operate in POS application modeConfigure Async 1 to operate in POS application mode III. Configuration Procedures RouterA ip route-static 10.1.1.2 255.255.255.0 serial Configure Router B Configure the Ethernet interface Ethernet III Interface 106 Enter the Interface View Configure InterfaceInterface Interface-description Exit the Interface ViewInterface view, input quit to return to the system view Set time interval for flow control statistics Interface state information Please use the following commands in all viewsDisplay and Debug Interface Display and debug interface Interface Configuration Overview Ethernet Interface Configure Ethernet Interface Set frame format of sending message Enter view of specified Ethernet interfaceSet IP address Set IPX address Select working rate of fast Ethernet interface Select work mode of Ethernet interfaceEnable or disable internal loopback and external loopback Display and Debug II. Network Diagram Typical Ethernet Interface Configuration ExampleTroubleshooting Troubleshooting Configuring LAN Interface Asynchronous Serial Interface WAN InterfaceIntroduction Interface serial number Enter view of specified asynchronous interfaceInterface async number Link-protocol slip ppp Set the work mode of asynchronous serial interfaceSet the baud rate of asynchronous serial interface Modem in out Hardware inbound outbound Async Mode protocolFlow-control none software Stopbits 1 1.5 Works in flow modeParity even mark none Odd space Set the coding format of Modem BackupAUX Interface Set MTU of asynchronous serial interface Synchronous Serial Interface Configure AUX interfaceConfigure AUX interface Configure Synchronous Serial Interface Link-protocol fr hdlc Enter view of specified synchronous interfaceSet the link layer protocol of synchronous serial interface Physical-mode sync Synchronous serial interface is 64000 bps Select work clockWorking modes have different working clocks Set the baud rate of synchronous serial interface Set clock inversion Inversion is disabled by defaultSelect work clock Reverse-rts Internal loopback/external loopback are disabled by defaultDetect dcd Undo detect dcd Graphics and video Isdn BRI InterfaceIdle coding of synchronous serial interface is 7E Technical Background Function group includes Preparations before ConfigurationBe clear about the following items before the configuration Interface or a PRI interface Channelized operating modeCE1/PRI Interface Network protocols such as IP and IPX Enter the view for a specified interface Configure CE1/PRI CE1/PRI interface configuration includesDial-on-Demand Routing Interface Number set-number Enter the synchronous serial interface viewBind the interface to be channel sets Undo pri-set Bind the interface to be a pri setEnter the Isdn interface view Pri-set timeslot-list range Set the frame format of CE1/PRI interface Enable/disable the internal loopback/external loopbackSet the line code format on the CE1/PRI interface Set the line clock of the CE1/PRI interface CT1/PRI Interface Configure CT1/PRI Timeslot-list range speed Operation Command Enter the view of CT1/PRI interfaceController t1 number Interface serial number23 Set the frame format of CT1/PRI interface Set the line code format on the CT1/PRI interfaceSet the line clock of the CT1/PRI interface Them into multiple channel sets Choice for E1 accessE1-F interface does not support PRI operating mode E1-F Interface Fe1 unframed Set Operating mode for an E1-F interfaceEnter the view of an E1-F interface Interface serial serial-number Set line clock for an E1-F interface Set interface rate after binding operationSet line code format for E1-F interfaces Serial-number Enable/Disable local/remote loopback on an E1-F interfaceSet frame format for an E1-F interface Display and debug E1-F interface 193 X 8k = 1544kbps Choice for T1 accessT1-F interface does not support PRI operating mode T1-F Interface Set line code format for T1-F interface Set frame format of T1-F interface Enable/Disable local/remote loopback on a T1-F interfaceSet line clock for a T1-F interface Display and debug T1-F interface Other related informationCE3 Interface Display and Debug T1-F Enter the view of the specified E3 interface Set E1 frame format Set the operating mode of CE3 interfaceSet the operating mode of E1 channel Data bandwidth 44736kbps Mode non-channelized modeCT3 Interface 44.736Mbps Set cable length of the CT3 interface Set clock mode of the CT3 interfaceSet clock mode of the T1 channel Enter specified CT3 interface view Perform the following configurations in CT3 interface view By default, loopback is disabled Set Frame FormatBy default, the CT3 interface uses the C-bit frame format T1 line-number unframed Set the operating mode of T1 channelSet CRC of the serial interface Display and debug of the CT3 interface Disable and Enable CT3 interface Configuring WAN Interface Dialer Interface Logical Interface Null Interface Configure Loopback Sub-Interface Number.sub-number multipoint Configure sub-interfaces of Ethernet interfaceCreate and delete WAN sub-interface Number.sub-number Routerinterface serial Enter the view of WAN interface Serial0 of router aSelect frame relay link layer protocol Allocate a virtual circuit with Dlci 50 to it Configure the static route from router a to LAN2 and LAN3Specify DTE as its frame relay terminal type Set its IP address to 202.38.160.1 and address mask to Undo interface Set work parameters of virtual-templateCreate or delete virtual-template Interface virtual-template Virtual-template-number Fault 1 Fail to create virtual interfaceTroubleshooting the reasons may be as follows Display state of the specified virtual-template Link Layer Protocol 164 PPP Overview PPP Authentication Mode Configuring PPP and MP Transmission time of large packets Configure PPPMP Overview For detailed description of PPP, refer to RFC1661 Name-list Configure the link layer protocol of the interface to PPPConfigure the local authenticates the peer in PAP mode Configure the peer authenticates the local in PAP mode User username Configure the local authenticates the peer in Chap modeConfigure as the peer authenticates the local in Chap mode Cipher password Configure PPP compression Configure AAA authentication and accounting of PPPConfigure the time interval of PPP negotiation timeout Resumptive-percentage Perform the following configuration in interface viewConfigure PPP link quality monitoring Ppp lqc forbidden-percentage Bind the physical Interface to a Virtual Template Configure MP Protocol Parameters Create Virtual TemplateConfigure Operating Parameters of Virtual Template Create/Delete virtual template User-name Specify the conditions for MP binding Frags Configure virtual Baud rate on interface Example Typical PPP Configuration ExampleConfiguration Requirement Set local username as Router1 Typical MP Configuration ExampleII. Configuration Procedure Configure to start Chap authentication at this side Configure router-c Add a user for router-a Configure virtual interface templateConfigure router-b Add a user for router-a Indicates that the interface is shutdown Fault Diagnosis TroubleshootingFault 1 Link always fails to turn to up status Fault 2 Physical link fails to turn to Up status Introduction to PPPoE client PPoE Overview Client Configure PPPoE Reset or delete PPPoE session Configure PPPoE session III. Configuration Procedure 1 Configure a dialer interface Typical PPPoE Configuration ExamplePerform the display and debugging command in all views Access a LAN to the Internet via Adsl Use Adsl as Standby Line Configure a PPPoE sessionConfigure the LAN interface and the default route Configure the DDN interface Serial Configuring Pppoe Client For further details about SLIP, you can refer to RFC1055 Configure SlipAsynchronous mode Slip Overview Interconnect two Router routers via Pstn and run IP Enable/Disable the information debugging of SlipTypical Slip Time Configure the default route to Route B Configure Router a Configure Dialer RuleConfigure IP address of synchronous/asynchronous interface Configure the Dialer String to router B Routerip route-static 0.0.0.0 0.0.0.0 Isdn Overview Configure Isdn Configure the receiving mode By default, DSS1 signaling is used on Isdn PRI interfacesConfigure type of signaling on Isdn interface Configure the length of call reference Time-interval Configure the sending modeConfigure interval for Qsig signaling timer Timer-name all Perform the display and debugging commands in all views Configure Call Processing Method on an InterfacePerform the following configuration in Isdn interface view RouterB transmit data after the call is set up Typical Configuration ExampleConfigure Router a Create an Isdn PRI interface Configure the Isdn PRI interface Configure Router B Configure Router a Protocols Overview Lapb PSN 25 packet and Lapb frame By default, k is Configure Lapb N1, N2 Configure LapbBy default, the Lapb modulus is Modulo Configure Address Configure X.25 InterfaceSet/Cancel the X.121 address of the interface Set X.25 working mode Parameter Meaning 25 channel delimitation parameters Finally, the following should be noted By default, X.25 interface use modulo 8 modeSet/cancel X.25 virtual circuit range Set/Cancel X.25 packet numbering modulo Out-packets Configure X.25 flow control parameterConfigure X.25 Interface Supplementary Parameter Set the default flow control parameter Set X.25 layer 3 timer delay 25 layer 3 timer Match-type alias-string Specify/Cancel an alias for the interfaceAlias match modes and meanings Alias-string Set/Cancel the default upper layer protocol borne on Address option Configure X.25 Datagram TransmissionCreate the permanent virtual circuit PVC Protocol-address x121-address Undo x25 pvc pvc-number Configure Additional Parameters Datagram TransmissionCreate/Delete permanent virtual circuit X25 pvc pvc-number protocol Interface view, perform the following task Configure X.25 user facility Specify/Cancel packet pre-acknowledgement Serial port view, list1 can be quoted Configure the sending queue length of virtual circuit Address logic-channel Set broadcast viaSet interface with standby center Address broadcast Number.subinterface-number multipoi Switching FunctionConfigure X.25 sub-Interface Configure X.25 Switching Introduction to X.25 Load Balancing Configure X.25 Load BalancingAdd or delete a PVC route Configure X.25 Diagram of X.25 network load balancing List of Configuration Tasks of X.25 Load Balancing Add/Delete interfaces or XOT Tunnels in hunt group Start /Close X.25 switching functionCreate/Delete X.25 hunt group Introduction to XOT Protocol Configure X.25 over Other ProtocolsAdd/delete other X.25 switching routes Configure X.25 over TCP XOT Configure XOT For PVC, perform the following tasks in interface view Start X.25 switchingConfigure local switching Configure SVC XOT switching Configure Keepalive and xot-source attributes Configure Annex G Data InteroperationConfigure PVC XOT switching Configure X.25 over Frame Relay Annex G Configure the X.25 attributes for an Annex G Dlci Configure the X.25 Attributes for a Dlci Specify IP address for this interface Typical Lapb Configuration ExampleBy default, X.25 template is not applied on DLCIs Current status of Lapb Specify X.121 address of this interface Configure Router B Select interfaceConfigure Router a a Select interface Connect the Router to X.25 Public Packet Network Specify address mapping to the peer Configure Router C Configure interface IP address Configure Router a Configure interface IP addressConfigure Router B Configure interface IP address Transmit IP Datagram via X.25 PVC Configure Virtual Circuit I. Networking RequirementDisabled Range Router-Ethernet0ip address 196.25.231.1 Typical Sub-Interface Configuration Example Create sub-interface serial Configure Router CConfigure Router D SVC Application of XOT I. Networking Requirement Routerx25 switch svc 1 xot Configure Router C Start X.25 switchingConfigure Serial Routerx25 switch svc 2 interface serial Application of X.25 Load Balancing Add Serial 1, Serial 2 and XOT Tunnel to hunt group Enable X.25 switching in system viewConfigure X.25 switching route to forward to X.25 terminal S11 Routerinterface serial Router-Serial0link-protocol x25 dce Routerx25 switch svc 1111 xotRouterx25 switch svc 8888 interface serial Load Balancing Carrying IP Data Transmission Configure RouterB Configure interface Ethernet Configure RouterA Configure interface EthernetConfigure interface Serial Configure static route to RouterC Configure an IP address for the local interface Configure the static route to RouterA and RouterBConfigure RouterA Create an X.25 template Configure the local X.25 address SVC Application of X.25 over Frame Relay Configure RouterB Create an X.25 templateMap the Frame Relay address to the destination IP address Associates an X.25 template with the Dlci Configure Serial 1 as the Frame Relay interface Configure the router Router B Enable X.25 switchingEnable switching on Frame Relay DCE Configure Serial 0 as the X.25 interface Configure local X.25 switching.Router-fr-dlci-100annexg dte Configure X.25 over Frame Relay switchingConfigure the router Router C Enable X.25 switching Configure the Frame Relay Annex G Dlci Configure S1 as the Frame Relay interface Configure Router D Configure the basic X.25 parametersConfigure Router B Enable X.25 switching Configure an X.25 template Lapb Configure Serial Configure S1 as the Frame Relay interface Facility options inhibited by network have been carried Fault Diagnosis and Troubleshooting of X.25 Configuring Lapb Configuring Frame Relay Nonstandard By default, the interfaces link layer protocol is PPPLink-protocol fr ietf Relay Configure Frame Relay LMI protocol type Configure Frame Relay interface type Undo fr lmi n392dce Fr lmi n391dte n391-valueUndo fr lmi-n391dte Fr lmi n392dce n392-value Fr lmi t392dce t392-value Undo fr lmi n393dceFr lmi t391dte t391-value Undo fr lmi t391dte Configure Frame Relay dynamic address mapping Configure Frame Relay static address mapping Undo fr Configure Frame Relay local virtual circuit numberCreate Frame Relay sub-interface Fr dlci Establish static address mapping Configure virtual circuit of Frame Relay sub-interfaceApplying dynamic address mapping to the sub-interface Configure the Frame Relay switched PVC Configure the Frame Relay local virtual circuit numberConfigure the route for Frame Relay PVC switching Configure Frame Relay local switched PVC number Overview Configure Multilink Frame Relay FRF.16 Subnumber Configure MFRConfigure a MFR bundle interface MFR interface Configure MFR interface parameter Configure the parameters of the bundle link interface Frame Relay Compression Configuration Configure Frame Relay Compression on multipoint interface By default, interfaces use initiative compressionConfigure Frame Relay Fragment FRF.12 Configure Frame Relay Fragment Attributes Undo Fr traffic-shaping Disable the Frame Relay traffic shapingFrame Relay Traffic Shaping Fr traffic-shaping Rate Frame Relay Traffic Policing Frame Relay Queueing Management 100 Kbps CI R ALLOWº£ 64 Kbps 150 Kbps Frame Relay DE rule list Frame Relay Congestion Management Undo fr-class class-name By default, no Frame Relay class is createdConfigure the Frame Relay class parameters Configure Frame Relay Traffic Shaping Configure the parameters of Frame Relay class Enable/Disable the Frame Relay traffic shaping Enable/Disable the Frame Relay traffic policing Dequeue-percentage Queue-percentage Configure the Frame Relay PVC queueing Configure Frame Relay DE Rule ListConfigure Frame Relay Queueing Management Configure Pipq Configure Frame Relay switching Configure Frame Relay over Other ProtocolsConfigure Frame Relay over IP Configure a tunnel interface Networking of a typical Frame Relay over Isdn application Frame Relay over Isdn Operation Process and Fundamentals Back-to-back connection between DTE and DCE devices Frame Relay switching connection between DTE devicesPhysical Connection Between Frame Relay over Isdn Devices Configure the Frame Relay-related commands Configure Frame Relay over Isdn Dlci Configure the commands related to Frame Relay switchingConfigure the link layer protocol of the interface Isdnsubaddress Configure parameters related to dialer profilesDisplay and debug Frame Relay Display and Debug Frame Relay Mfr number Number dlci dlci-numberNumber interface serial Type number dlci Router-Serial1fr map ip 202.38.163.251 dlci Typical Frame Relay Configuration ExampleConfigure static address mapping Interconnect LANs via Frame Relay Network Router-Serial1ip address 202.38.163.253 Configure local virtual circuitRelay FRF.16 Interconnect LANs via Private Line Them Create a MFR interfaceBundle Serial 0 and Serial 1 to mfr Example FRF.9 Fragment between them III. Configuration Procedure 1 Configure Router aIII. Configuration Procedure 1 Configure RouterA FRF.12 Typical Frame Relay over IP ConfigurationRouterfr class 96k Router-fr-class-96ktraffic-shaping adaptation becn Router-Serial0fr interface-type dce Configure IP interface Ethernet0Configure tunnel interface Configure Frame Relay over IP Router-Dialer0fr interface-type dce Configure the Frame Relay parameters on Bri0Router-Bri0fr map ip 110.0.0.2 dlci Router-Dialer0dialer number Router-Dialer0dialer call-in Configure the Frame Relay-related parameters on Bri0 Router-Serial1.1ip address 130.0.0.2 Configure Frame Relay SVCs Fault 4 Frame Relay data cannot be transmitted across Isdn Fault Diagnosis Troubleshooting Frame RelayFault 1 the physical layer in Down status Configuring Frame Relay Configure the link layer protocol of the interface to Hdlc Configure HdlcConfigure Hdlc Display and Debug Hdlc By default, the link layer protocol of the interface is PPP Debugging Hdlc Packet Interface Enable Hdlc packet debugging Bridge Overview Configure Bridge’s Routing FunctionTypical Bridge Configuration Bridge Overview Main Functions of Bridging Obtain address table Bridge Overview Final bridging address table Forward and Filter Filter not forward Eliminating loop Preliminary examination state of bridging loops Spanning Tree Topology Spanning tree topology Bpdu Forwarding Mechanism Bridge enable Configure Bridge’s Routing FunctionBy default, disable bridging functions Enable/Disable bridging functions Mac-address Configure static address table entriesSpecify the STP version supported by the bridge-set Add ports to a bridge-set Disable/Enable STP on ports Enable/Disable forwarding by using dynamic address tableConfigure the aging time of dynamic address table Configure the bridge port priority Configure the bridge priorityConfigure the path cost of bridge port Configure the forward delay for the port status transition Configure the interval for sending BPDUs Create ACLs based on varied Ethernet encapsulation formats Configure the Max age of Bpdu Acl acl-number Bridge-set Enable/Disable bridge’s routingConfigure a bridge-template interface Bridgebridge-set link-set link-set Define a link-setShare load by source MAC address Link-set Define a dialer list Configuration on the interfaceMap the bridge address to Dlci Transparent Bridging Multiple LANs Typical Bridge ConfigurationDisplay and Debug Bridge Display and debug bridge Router-Serial0bridge-set 1 stp disable Configure Router aConfigure Router B Transparent bridge over the Frame Relay Transparent Bridging over Frame Relay Router-Serial1dialer route bridge broadcast Please refer to Figure Asynchronous Dial-inStandby Connected are failed Networking of bridge-template interface Bridge-Template interface Networking for bridging on sub-interfaces Bridging on Sub-Interfaces Router-Serial1bridge-set 1 link-set Link-Set Configuration I. Networking RequirementsRouterbridge enable Routerbridge 1 stp ieee Network Protocol 316 Configuring IP Address Network IP network range Description Class IP address classes and ranges Sub-net classification of IP address Ip address ip-address mask Configure IP Address Configure IP Address for an InterfaceBy default, the interface has no master IP address Configure master IP address of an interface Undo ip address ip-address Configure slave IP address of an interfaceIp address ip-address mask Mask-length sub Delete slave IP address of an interface Set negotiable attribute of IP address for an interface By default, the interface has no negotiating IP addressConfigure IP Address Unnumbered for an Interface Introduction to IP address unnumbered Borrow IP address of Ethernet interface Configuration Example I. Configuration RequirementsConfigure routing to Ethernet segment of Shenzhen router R1 Configure IP address unnumbered Router ip route-static 0.0.0.0 0.0.0.0 Configure router R1 of Shenzhen subsidiaryBorrow IP address of Ethernet Router-Ethernet0ip address 172.16.20.1Page Configuring IP Address Arp dynamic ip-address Define a static ARP mappingArp static ip-address Undo arp static ip-address Display and Debug ARP Configure DomainName Resolution Name Resolution Display ip host Display and Debug Domain Name ResolutionDisplay and Debug domain name resolution Vlan-type dot1q vid vlan-id Create Ethernet subinterfaceSpecify the Vlan on which Ethernet subinterface is located Interface-number.subinterface-number Display vlan Configure IP address of Ethernet subinterfaceTypical Vlan Configuration Example Display and Debug Display and Debug Vlan Router-Ethernet0.1ip address 3.3.3.8 Configure IP address for the subinterfaceConfigure Vlan information of LAN Switch Troubleshooting The steps below can be taken Background of the Dhcp development Dhcp Server ConfigurationFault Ping Two PCs, but fails to ping them through Dhcp vs Bootp Dhcp server Dhcp clients Occasions in which Dhcp server is appliedFollowing figure Dhcp client logs into the network again Dhcp Server Configuration Dhcp server ip-pool pool-name Enable/disable the Dhcp serviceDhcp Enable Undo Dhcp enable Network ip-address Configure the statically binding IP address and MAC addressNetmask Low-ipaddress high -ipaddress Low-ipaddress high-ipaddress Configure the DNS addresses in a Dhcp address pool By default, the IP address of DNS is not configuredConfigure the gateway router address of client Configure the domain names of Dhcp clients Ip-address2 ... ip-address8 Set the type of NetBIOS node for Dhcp clientSet the type of NetBIOS node for Dhcp client Nbns-list ip-address1 Display and Debug Dhcp servers Use reset, debugging and display command in All viewsConfigure Dhcp self-defined options Display and Debug Dhcp Server Router dhcp server forbidden-ip III. Configuration Procedures 1 Enable the Dhcp serviceRouter dhcp enable Router-dhcp2nbns-list Router-dhcp2gateway-list At the client, use ipconfig /releaseall Delete interface relay address Configure interface relay addressOperation Command Configure interface relay address Ip relay-address ip-address Available on Dhcp server Dhcp Relay Configuration RequirementDhcp Relay IP address from Dhcp server through application Networking diagram of an Dhcp relay configuration example Configure Dhcp relay router Fault 2 fail to forward transparent transmission protocol Under which condition should the address be translated Private Network Address and Public Network Address Mechanism of Network Address Translation NAT Characteristic of Network Address Translation NATRole the Network Address Translation NAT plays Pool-name Configure address poolPerformance of Network Address Translation NAT End-addr pool-name Undo nat outbound Nat outbound acl-numberAddress-group pool-name Undo nat outbound acl-number Www inside inside-addr inside-port any Configure the Internal ServerConfigure the Timeout of address translation Nat server global global-addr global-port Display and Debug NAT Display and debug NAT Typical NAT Configuration Example Set internal WWW server Configure address pool and access listAllow address translation of segment at 10.110.10.0/24 Set internal FTP server Correlate the address translation list and the interface Configure address access control list and dialer-listConfigure dial-up property for the interface Configure a default route to serial Fault 2 Internal server abnormal Configuring IP Application Performance Configure IPTo configure IP performance, carry out the following steps Configure maximum transmission unit on an interface Configure TCP Tcp window size Forwarding Configure Fast Display and Debug Fast Display and Debug fast forwarding Perform the following configuration in system viewDisplay and Debug IP Forwarding Router info-center enable Router debugging tcp event Troubleshooting IP Performance ConfigurationRouter info-center enable Router debugging tcp packet Configuring IP Count Undo ip count enable IP Count ConfigurationEnable/Disable IP Count service Ip count enable Specify count maximum of exterior Configure IP Count on an interfaceConfigure IP Count list Display and debug IP Count By default, IP Count entries time out after 720 minutesCount Specify count maximum of interior Information is displayed IV. Test ProcedureNot been configured on the interface of the router Configuring IP Count IPX address Configuring IPX SAP Its first Ethernet interface as its node address Configure IPXModify length of service information reserve queue Configure relative parameters of IPX SAP Perform the following task in interface view Enable IPX interfaceConfigure IPX RIP static route Enable/Disable a Default Route Configure the maximum number of IPX parallel route Configure RIP updating periodConfigure RIP aging period Configure the maximum size of RIP update packet Configure static service information table item Configure length of route reserve queue Ipx sap timer update seconds Configure SAP aging periodConfigure size of SAP maximum updated message Configure reply to SAP GNS request Disable split-horizon Configure Using touch-off for an interface Encapsulation format of IPX frame Configure the delay of interface sending IPX packetsConfigure management of IPX packet Modify Encapsulation Format of IPX Frame on Interface Display and Debug IPX Display and Debug IPX Configure Router a a Activate IPX Configure an information about Server2 directory service Configure an address map to Router BConfigure a static route to network ID Configure an information about Server2 file service Configure an information about Server1 directory service DLSw Protocol Max-frame-size max-window Configuration of DLSwCreate DLSw local peer entity Init-window-size max-frame Create DLSw remote end peer entity Configure Bridge set connecting to DLSw Configure Sdlc role Configure to add ethernet port to Bridge set Controller sdlc-address Configure Sdlc virtual MAC addressConfigure Sdlc address Sdlc-address Add synchronous Interface to Bridge set Configure Sdlc peer entityConfigure XID of Sdlc Baudrate Configure to stop running DLSwConfigure baud rate of synchronous Interface Mseconds Configure Idle time encoding mode of synchronous InterfaceConfigure parameters of DLSw timer Configure LLC2 local acknowledgement delay time Configure modulo value of LLC2 Configure LLC2 premature acknowledgement window Configure P/F wait time of LLC2 Configure retransmission number of LLC2Configure LLC2 local acknowledgement time Configure Busy status time of LLC2 Configure Sdlc local acknowledgement window Configure REJ status time of LLC2Configure queue length of sending message of LLC2 Configure Queue Length of Sending Message of Sdlc Configure poll time interval of Sdlc Configure maximum receivable frame length of SdlcConfigure retransmission number of Sdlc Dsap Configure SAP address for transforming Sdlc to LLC2Configure data bi-directional transmission mode of Sdlc Lsap IP across WAN Typical DLSw Configuration ExampleDLSw Configuration Networking Requirement DLSw Router dlsw local Router a ConfigurationRouter B Configuration DLSw Configuration Networking diagram of DLSw configuration of SDLC-SDLC Networking Diagram of SDLC-LAN Virtual circuit cant attain Connected state DLSw FaultWhen using command display dlsw remote Diagnosis Diagnosis and Troubleshooting of DLSw Fault Configuring Dlsw VI Routing 404 IP Routing Protocol IP Routing Protocol Routing Protocol or Type Corresponding Routing Priority Routing Protocol and Routing Priority Ospf ASE Default Route Configuring Static Routes Transmitting interface or next hop address Configuring a Static RouteConfiguring a Static Route Configure a Static Route Other parameters Configuring a Default RouteDisplaying Debugging Routing Table Preference Other Troubleshooting aStatic Route RIP Overview Features is not subject to whether RIP has been enabled Configure RIP Enabling RIP Enable RIP at the Specified Network Peer ip-address By default, the interface runs RIP-1Define a Neighboring Router Specify RIP Version Specify the Status of an Interface RIP Version 1 enables zero field check by defaultConfigure Check Zero Field of RIP Version Disable a Host Route Version Authentication onEnabling Route Summarization for RIP Specify a Default Route Metric Value for RIP By default, the default route metric for RIP isConfigure RIP Horizontal Segmentation on the Interface Configure Route Import for RIP Set Route Preference Configure filtering route information received by RIPDistribution for RIP Specify Additional Route Metric Value for RIP Display and Debug RIP Reset RIPDisplaying and Debugging RIP Filter the Routing Information Being Advertised by RIP RIP Unicast Displaying and Debugging Ospf Ospf Configuration ExampleOspf Overview Ospf Overview Configuring Ospf Undo router id Enable OspfSpecify Router ID Router id router-id Area area-id By default, Ospf is disabledArea-id P2mp P2p Configure the Network Type of the Ospf InterfaceConfigure Sending Packet Cost Ospf network-type broadcast nbma Cost Configuring a Peer for the Nbma Interface Undo Ospf dr-priority Operation Command Set the priority of the interface whenSpecify the Router Priority Ospf Dr-priority value Specify Dead Interval Specify Hello Intervall Specify Retransmitting Interval Configuring a Stubby Area and a TotallySpecify Transmit-delay No-summary Perform the following configuration under Ospf viewConfigure Totally Stubby Area of Ospf Stub cost cost area area-id Configure an Nssa Area of Ospf Perform the following configuration in Ospf view Undo abr-summary address mask mask Configure Route Summarization Within Ospf DomainAbr-summary address mask mask area Area-id advertise notadvertise Area-id None Router-id None Create and Configuring a Virtual Link Key-id Configure Authentication Configure Parameters When Importing External Routes Configure Route Import for Ospf Filter for Ospf Configure filtering route information received by OspfDisplaying Debugging Ospf Router D 201 Router B 301 302 Router C 1.3 Ospf Configuration ExampleConfiguring Ospf on the Point-to-Multipoint Network RouterB-Serial0ospf network-type p2mp Enable OspfRouterC ospf enable RouterA-Serial0ospf network-type p2mp Configure DR on Ospf Preference 2.2 3.3 1.1 4.4 E0 192.1.1.1/24E0 192.1.1.4/24 E0 192.1.1.2/24 E0 10.1.2.3/24 RouterD display ospf peer RouterA display ospf peer RouterB-ospfVlink peer-id 3.3.3.3 transit-area To configure an Ospf virtual link Configure Router aBetween Router B and Router C To configure Ospf peer authentication Configure Router a Normally Troubleshooting anOspf Configuration Ospf Configuration Example Configuring Ospf Displaying and Debugging BGP BGP Configuration ExampleBGP Overview BGP Overview Configuring BGP Perform the following configurations in BGP view Resetting BGP Connections Enabling BGPPerform the following configurations in system view By default, BGP is disabled Configure BGP Route-update Interval Configure the BGP Version of the PeerSet the Timers for BGP Peer Configure to Distribute Default Router to the Peer Configure to distribute default route to the peerConfigure to Send Community Attribute to the Peer Configure the Peer to be the Client of the Route Reflector Allow Comparing Path MED Create a Fltering Policy Based on Access List for the PeerConfigure the BGP MED Metric Create a BGP Route Filtering Based on AS Path for the Peer Holdtime-interval Configure the Local PreferenceConfigure the Keepalive Timer and Holdtime Tmer for BGP Timers keepalive-interval Group-name By default, there is no BGP peer in a peer groupAdd a Peer to the BGP Peer Group Peer group-name Configure BGP Routing Update Sending Interval Configure AS Number of BGP Peer GroupConfigure Connection Between Peers Indirectly Connected Set the Timers of BGP Peer Group Create Routing Policy for Peer Group Configure to send the default route to the peer groupConfigure to Send the Default Route to the Peer Group Create an Aggregate Addresses By default, software accepts BGP VersionConfigure BGP Version of Peer Group Undo aggregate address By default, an aggregate is disabledAggregate address mask As-set Undo reflect between-clients Reflect between-clientsClients within the reflection group Extended-community-list-number Configure the Cluster IDConfigure BGP Community Standard-community-list-number As-number … Configure a ConfederationConfigure the Sub-system of E Confederation Schematic diagram of route dampening Display Route Flap Information Still exists By default, BGP synchronizes with IGPIs insured When AS is not a transitional AS Configuring Configure Route Import for BGP Define a routing policy Define an access list entryEntry, an AS Path-list Define an AS Path-list entry Define an apply clause Perform the following configurations in Routing policy viewDefine a match rule Filter for BGP Display and Debug BGP Reset BGP ConnectionsDebugging BGP Filter Routing Information Being Advertised by BGP Acl-number network-address BGP ConfigurationProcedure for each configuration As-regular-expression acl Networking diagram of configuring AS confederation RouterC-ospfinterface serial Configure Router B Configure BGP peersRouterA-bgppeer 192.1.1.2 as-number RouterB-Serial1ip address 193.1.1.2 Configure Router D Configure BGP peers RouterA-acl-1rule permit source 1.0.0.0 Configure peerStart BGP Specify BGP transmission network RouterC-bgppeer 193.1.1.1 route-policy localpref import RouterC-acl-1rule permit source 1.0.0.0 RouterD-ospf network 4.0.0.0 0.0.0.255 area 0 RouterD bgp Configuring BGP IP Routing Policy Configuring IP Routing Policy Define a Routing Policy Configure IP RoutingOperation Command Define a routing policy and enter into Policy Configure a Matching Rules Apply tag tag-value Define a Setting ClauseApply community aa nn No-export addtive none Tag tag-value type 1 Configure Route ImportRoute-policy route-policy-name Ge-value less-equal le-value Define an IP Prefix ListIp ip-prefix prefix-list-name BGP route discovered by BGP protocol Perform the following configurations in all viewsDebugging IP Routing Policy OSPF-ASE external route discovered by Ospf protocol Protocol Configuring IPWith different weighting values Routing Policy Route Information Routerip ip-prefix p1 permit 192.1.1.0/24 Troubleshooting IPConfigure RIP protocol Normal operation Configuring IP Routing Policy Routing Configuring IP PolicyIP Policy Routing Define Apply Clause Create a Routing PolicyDefine Match Rules Interface Policy Routing By default, interface policy routing is disabledEnable/Disable Interface Policy Routing Displaying Debugging IP Policy Routing Router-acl-102rule permit tcp source any destination any Suggested procedure for each configurationDefine access list Router-acl-101rule deny tcp source any destination any RouterB-ripnetwork Adopt policy aaa in Ethernet interfaceRouter-Ethernet0ip policy route-policy aaa RouterA-Ethernet0ip policy route-policy lab1 RouterAdebugging ip policy-routing IP Multicast Configuring Igmp Configuring PIM-DM Configuring PIM-SMChapter 498 IP Multicast Class D address range Meaning Range and Meaning of Class D AddressesList for Reserved Multicast Addresses IP Multicast Routing Protocols IP Multicast Application IP Multicast PacketIP Multicast IP Multicast Igmp Overview Configuring IgmpIgmp Configuration Example Igmp Overview Configuring Igmp Configure Igmp Maximum Query Response Time Make the following configuration in interface viewConfigure the Igmp Version Number Run at Router Interface Interfaces are all fast Ethernet FE Igmp ConfigurationDebugging command in system view to debug Igmp Displaying and Debugging Igmp Router a Router B Configuring Igmp Configuring PIM-DM Operation Command Enable multicast routing Make the following configuration in the system viewBy default, the system disables the multicast routing Enable Multicast Routing Group-address source-address Start/Disable PIM-DM ProtocolDisplaying and Debugging PIM-DM Display and Debug PIM-DM Receiver 2 are the two receivers of this multicast group PIM-DM ConfigurationEnable multicast routing protocol Enable PIM-DM protocol PIM-SM Overview Enabling Multicast Routing PIM-SM Configuration Configure Candidate RP By default, the interface disables PIM-SM protocolEnable/Disable PIM-SM Protocol Configure Candidate BSR Configure PIM-SM Domain Boundary By default, no interface is configured to be candidate RPBy default, no PIM-SM domain boundary is configured Debugging PIM-SM Use the pim command in system view to enter PIM view RouterA-pimspt-switch-threshold 10 accept-policy Configure Router a Enable PIM-SM protocolConfigure Router B Enable PIM-SM protocol RouterA multicast routing-enable RouterA interface ethernet RouterB-acl-5rule permit source 225.0.0.0 Display pim neighbor command can be used to check whetherFollow these steps Neighbors have discovered each other Configuring PIM-SM Viii Security 524 Configuring a User Terminal AccessConfiguring Terminal Access Security Configure EXECLogin Authentication Configure the authentication method list of Exec users Enable AAAConfigure Radius server and the shared secret Configuring Terminal Access Security Radius Overview AAA Overview Components of Radius server Basic message interaction process of Radius Code Packet type Explanation of the packet Request Authenticator Adopts 16-byte random codeType of Packets Decided by Code Field Attribute Fields Server-template-name method1 By default, AAA is disabledAAA Enable/Disable AAA Configure AAA Login Authentication Default methods-list Configuring an Authentication Method List for PPP UsersConfigure PPP Authentication Method List of AAA Default methods-list method1 Configure Local IP Address Pool By default no address pool is defined by the systemConfigure AAA Local-First Authentication Configure AAA Accounting Option Configure Ordinary User and Password By default pool-number isConfigure a User and Password Configure Callback User Configure User with Caller Number Configure User with Caller NumberConfigure FTP User and the Usable Directory Configure Callback User and the Callback Number Directory Authorize a User with Usable Service TypesConfigure FTP User and the Usable Directory Configure Authorizing a User with Usable Service Types Radius server hostname ip-address Configure Radius Server Shared SecretBy default, no key is configured for the Radius server Configure Radius Server Shared Secret Configure the Time Interval for the Inquiry Packet Configure the Request Retransmission Times AAA and Radius Accessing UserAuthentication Case Displaying Debugging AAA Routerradius server Configure IP address and port of Radius serverConfigure local-first authentication Router aaa authentication-scheme local-first Radius Troubleshooting AAA Can Users Radius authentication is always rejectedConnected user cannot be seen in display aaa user Configuring AAA and Radius Protocol Firewall Overview Classification of Firewalls Packet filtering schematic diagram Operators of the Extended Access Control List Extended access control listCommand format when the protocol is IGMP, IP, GRE or Ospf Command format when the protocol is TCP or UDP Mnemonic Symbol of the Port Number UDP Protocol Mnemonic Symbol Meaning and Actual Value Operator and Syntax Meaning Configure the match sequence of access control listMnemonic Symbol of the Icmp Message Type Firewall Configure FirewallEffect Perform the following configurations in system view Firewalls are disabled by default Configure Extended Access Control List Configure Standard Access Control List Destination dest-addr dest- wildcard Enabling and disabling filtering according to timerangeConfiguring Special Timerange Set Default Firewall Filtering Mode Settr begin-time end-time Enable/Disable Filtering According to TimerangeSet special time range Set Special Time Range Display and Debug Firewall Use debugging, reset and display commands in all viewsDisplaying and Debugging Firewall Specify Logging Host Routerfirewall default permit Enable firewallConfigure access rules to inhibit passing of all packets Routerfirewall enable Router-Serial0firewall packet-filter 102 inbound Apply rule 102 on packets coming in from interface Serial0Router-Ethernet0firewall packet-filter 101 inbound IPSec Protocol IPSec Message Processing IPSec Related TermsFollowing terms are important to an understanding of IPSec Creating an Encryption Configuring IPSecAccess Control List Operator port1 port2 Create Encryption Access Control List Set the output of the crypto card log Configure Ndec Cards Enable the crypto cardsBy default, all the crypto cards are enabled Define IPSec proposal By default, no proposal view is configuredEnable/Disable the Host to Backup the Ndec Cards Set the Mode for Security Protocol to Encapsulate Messages Select Security Protocol Selecting the Encryption Authentication AlgorithmDefault mode is tunnel-encapsulation mode Select Security Protocol Creating a Security Policy Select Encryption Algorithm and Authentication Algorithm Set start point and end point of security tunnel By default, no security policy is createdConfigure access control list quoted in security policy Perform the following configurations in IPSec policy view Set SPI of security policy association and its adopted key By default, the security policy quotes no IPSec proposalConfigure IPSec Proposal Quoted in Security Policy Set IPSec proposal quoted in security policy Hex-key By default, no key is used by any security policyConfigure SPI Parameters of Security Policy Association Configure Key Used by Security Policy Association Specify End Point of Security Tunnel Set access control list quoted by security policySet end point of security tunnel Creating a Security Policy Association with Proposal-name2...proposal-name6 Set the IPSec proposal quoted in security policySet SA lifetime Proposal proposal-name1 Configure Separate SA LIfetime Configure a separate SA lifetimeBy default, apply the global SA lifetime Configure Global SA LIfetime Ipsec sa dynamic-detect Use debugging, reset and display commands in all viewsDebugging IPSec Apply Security Policy Group on Interface Dest-address protocol spi Reset crypto cardDisplay and Debug IPSec Creating an SA Manually IPSec Configuration ExampleUse the debugging, reset and display command in all views Displaying and Debugging the crypto card Create the IPSec proposal view named tran1 Adopt tunnel mode as the message-encapsulating formSelect authentication algorithm and encryption algorithm Quote access list Exit to system view Configure the routeCreate a security policy with negotiation mode as manual Apply security policy group on serial interface Set remote addresses Create a security policy with negotiation mode as isakmpCreate the IPSec proposal view named trans1 Create a security policy with negotiation view as isakmp Configure ip address of the serial interfaceConfigure corresponding IKE Configure serial interface Serial0 RouterB ike pre-shared-key abcde remote Establish a security policy with manual negotiation modeAdopt tunnel module for packets encapsulation form Return to system view Apply security policy base on serial port Enter Ethernet interface view and configure IP addressSet local address Set encryption key RouterB ipsec policy map1 10 manual Establish a security policy with manual configuration modeTroubleshooting IPSec Ndec card cannot be configured Return to the system view Do the following Configuring Ipsec Configuring IKE Policy Configuring IKEIKE features Undo ike Create IKE PolicyIke proposal policy-number View Delete IKE policy Select Encryption Algorithm Selecting an Authentication AlgorithmSelect Authentication Method Configure Pre-shared Key Set Lifetime of IKE Negotiation SA By default, 768-bit Diffie-Hellman group is selectedSelect Hashing Algorithm Select DH Group ID Display and Debug IKE Configure IKE Keepalive TimerReset ike sa connection-ike-sa-id Displaying and Debugging IKE Invalid user ID information IKE Configuration Unable to establish security channel Unmatched policy IX VPN Configuring VPN Configuring L2TP Configuring GRE 596 VPN Overview Authority given by local ISP Basic NetworkingApplications of VPN Classification of IP Comparison of layer 2 and layer 3 tunnel protocols Layer 2 tunneling protocolLayer 3 tunneling protocol Configuring VPN Vpdn Operation Vpdn and L2TP L2TP channel Methods of Implementing Vpdn Tunnel and session Networking diagram of two typical methods of Vpdn Control message and data message IV. Call setup flow of L2TP tunnel Call setup flow of L2TP channel Features of L2TP L2tp enable Basic Configuration atEnable L2TP Enable/Disable L2TP Ip-address … domain domain-name Originate L2TP Connection Request and LNS AddressL2tp-group group-number L2TP Attribute Table By default, L2TP is disabledConfigure AAA and Local Users Default list-name method1 Create/Delete a Virtual Template Operation Command Create a L2TP groupOperation Command Create a virtual template Create/Delete L2TP Group Configure Local VPN Users Advanced Configuration at LAC or LNSBy default, receiving dial-in from LAC is disabled Configure the Name of the Receiving End of the Tunnel Tunnel name name Enable Tunnel Authentication Setting PasswordBy default, the local name is the host name of router Set Local Name Set the Interval for Sending Hello Message Configure the Interval For Sending Hello MessagesSet Tunnel Authentication and Password Set Domain Name Delimiter and Searching Order Configure Domain Delimiter and Searching OrderForce Force to Disconnect Channel This configuration is applicable to LNS onlyOperation Command Force to disconnect tunnel Reset l2tp tunnel remote-name LCP to Renegotiate Configure the Local Address and Address PoolLCP does not renegotiate by default Number of L2TP Sessions Enable/Disable Hiding Attribute Value Pairs AVBy default, AV pairs are hidden Enable/Disable Hiding AV Pairs Display and Debug L2TP L2TP Configuration ExamplesBy default, the maximum number of L2TP sessions is Use debugging, display command in all views Configure BDR dialup parameters Implement local AAA authentication on VPN userConfigure the IP address of Serial1 interface of LAC Enable L2TP service and configure a L2TP group Configure the Virtual-Template-related information Configure the IP address of Serial0 interface of LNS Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Router-LACip pool 1 192.170.0.3 Client-originated VPN Networking Disable tunnel authentication Configure the IP address of Serial1 interface at LAC sideConfigure BDR parameters Configure the IP address of Serial0 interface at LNS side Network Connection Wizard Network Connection Wizard Connect Connection to Router1 l2tp domain suffix-separator @ Configure an IP address on Serial0 interfaceConfigure a L2TP group and the related attributes Configure the domain suffix separator to @ III. Procedures Enable AAA authenticationConfigure Virtual-Template Force to implement local Chap authentication Configure an access control list and specify L2TP data Configure a L2TP group and configure the related attributesConfiguration at Router2 LNS side Enable AAA authentication Configure an address pool 1 in the range of 192.168.0.2 to PPP negotiation fails. The reasons may be Fault 1 The users fail to log Troubleshooting L2TP Configuring L2TP Packet GRE ProtocolEncapsulation Encapsulated tunnel message format Refer to RFC Enlarge network operating range Create Virtual Tunnel Interface Configuring GREBy default, no virtual tunnel interface is created Creating a Virtual Tunnel Interface Address of the Tunnel Address of a Tunnel Must be configured InterfaceSetting the Network Perform the configurations in the tunnel interface view Gre key key-number Number discardedSet Tunnel Interface to Check with Checksum Set the Tunnel to Synchronize Datagram Sequence Numbers All views GRE Configuration ExampleGroup1 and group2. It can be implemented by using GRE Debugging GRE Configure Router B Configure the IP address of Serial0 Configure the IP address of Ethernet0 interface Configure Router B Activate IPX Configure Router a Activate IPXConfigure the IP address and IPX address of Ethernet0 Configure the static route to Novell Group2 RouterB ipx route 1e 1f.a.a.a tick 30000 hop Networking of troubleshooting GRE Configuring a Standby Center Configuring Vrrp 646 Standby Center Configuring Standby Center Next-hop-address dialer-number Enter the Logic Channel ViewAddress logic-channelnumber Fr map protocol address dlci dlci Standby timer disable-delay seconds Channel to check whether it has recoveredStandby timer enable-delay seconds Undo standby timer enable-delay Enter the view of Serial Please perform the following configuration in all viewsLoad Sharing view Interfaces Router-logic-channel10standby interface serial Enter the view of logic channelChannel Router-Serial1logic-channel Vrrp Overview Vrrp Configuration ExamplesTroubleshooting Vrrp Vrrp Overview Address Configuring VrrpAdding a Virtual IP Undo vrrp vrid virtualrouterid Configure Router Priority in Standby GroupAdd Virtual IP Address Vrrp vrid virtualrouterid Virtualrouterid Configuring Authentication Method Authentication KeyVrrp provides simple character authentication method Configure Authentication Method and Authentication Key Monitoring Configure StandbyGroup Timer Debugging Vrrp Vrrp Single Standby Vrrp ConfigurationProcedure for each configuration Backup with preemption aII. Networking diagram Multiple Standby Gateway services insteadBalancing and mutual backup are implemented Gateway function as the master Many master routers exist within the same standby group There is requent switchover of the Vrrp state XI QOS 662 QOS Overview Three Types of QoS Services QOS Overview Benefits of QoS for the Network Service QOS Overview Traffic Policing Traffic Classification Traffic POLICING, Traffic Shaping and Line Rate Rate CAR Committed Access Precedence-value mac mac-address Defining RulesDefine CAR Rules Qos carl carl-index precedence Apply the CAR Rule on the Interface By default, no CAR rule of ACL list is establishedApplying the CAR Policy on the Interface Display and Debug CAR CAR Configuration Applying a CAR Policy to all PacketsConfigure the Priority Level Based CAR Policy Displaying and Debugging CAR Configure the CAR Policy Based on the MAC Address Packets Traffic ShapingApply a CAR Policy on the Packets that Match ACL Matches ACL Schematic diagram of GTS processing Configuring shaping parameters for a specified flow Shape the flows matching 110 on Ethernet interface Configuring shaping parameters for all flowsConfigure the ACL Shape all the flows on Ethernet interface Configure the Physical Interface LIne RatePhysical Interface Line Rate Display qos lr interface type Operation Command Display the LR configuration conditionsDisplaying Display and Debug LR Debugging LR Congestion Management Priority Queuing CongestionManagement Policy Fifo Queuing Selecting Congestion Management Policies Number Queues Advantage Disadvantage Comparison of Several Congestion Management Policies Schematic diagram of the first in first out queue Schematic diagram of the custom queuing Schematic diagram of weighted fair queuing Weighted Fair Queuing WFQ Configure the First In First Out Queuing Configuring Congestion ManagementConfiguring Fifo Queuing Configuring priority queuing Pql-index protocol By default, no priority queue is establishedValues of Queue-Option with Protocol as IP Protocol-name queue-option queue Specifying the queue length of the priority-list queuing By default, the interface utilizes the Fifo queueApplying the priority-list queuing group to the interface Displaying and debugging the priority queue Configuring custom-list queuingConfiguring Custom Queuing CQ Default Length Value of the Priority Queue Queue queue-number Configure the Custom-Lst Queuing According to the InterfaceConfigure the Default Custom-List Queuing Queue-number Applying the custom-list queuing group to the interface By default, the interface uses the Fifo queueConfiguring the queue length of the custom-list queuing Configure the Queue Length of the Custom-List Queuing Displaying and debugging the custom-list queue Configuring Weighted fair queuingDisplaying and debugging the weighted fair queue Apply the priority queue 2 to Serial Congestion Management Configuration ExamplesPQ Configuration Example Apply the priority queue 1 to Serial RouterA-Tunnel1destination Configure the CQ queueConfigure Router B Configure the access control list RouterA-Tunnel0ip address 10.1.1.1 WFQ Configuration Example Configure Serial0 master/slave addressesConfigure Tunnel0 Configure Tunnel1 Congestion Management Congestion Avoidance Congestion Avoidance Function of the Interface Wred ConfigurationEnable the Wred Enable Wred Ip-precedence Discard-prob Displaying Debugging Congestion Avoidance Congestion Avoidance Configuration ExampleConfigure a WFQ queue Enable Wred Congestion Avoidance XII DIAL-UP Configuring DCC Configuring Modem 704 DCC Overview Terms in DCC Configuration DCC Circular DCC Resource-Shared DCC Implementing callback through DCC Basic DCC featuresWith 3Com Routers Configure the local parameters of DCC Configuring DCCPreparing to Configure Prepare the data for DCC configuration Ip address ipaddress mask Configuring the mode of the physical interfaceConfigure Physical Interface Mode Linklayer-protocol-type Associating a DCC dialer ACL with the interface Configuring an interface to originate calls to a remote end Undo dialer number Configure an interface to receive calls from a remote endDialer enable-circular Dialer number dial-number Next-hop-address dial-number DialerRoute protocol Next-hop-address Undo dialer route protocol Dialer priority priority Undo interface dialer numberDialer circular-group number Undo dialer circular-group Undo dialer circular-group Interface dialer numberUndo interface dialer number Dialer circular-group number Router Dialer0 Enabing Resource-Shared DCC Configuring dialing authentication for resource-shared DCCConfiguring the dialer interface and dialer number By default, no dialer interface is created Configuring dialing authentication for resource-shared DCC Threshold traffic-percentage Configuring MP binding in circular DCCConfigure MP Binding in Circular DCC Dialer threshold traffic-percentage Configuring MP binding in resource-shared DCCConfiguring PPP callback in the circular DCC implementation Configure MP Binding in Resource-Shared DCC Implement PPP Callback Server Configuration in Circular DCC Implement PPP Callback Client Configuration in Circular DCC Dial-number CommandTelephone-number Next-hop-address user username Dialer callback-center dial-number Features of Isdn caller identification callbackPrimary rule The best match is the number with the fewest Callback according to the Isdn caller Operation Command Configure the local end to implementIdentification Undo dialer call-in remote-number Configure Isdn leased line for Circular DCC Configuring Isdn leased lineConfiguring auto-dial Configuring Special DCC Functions Configure Dialer Number Circular Standby Configuring dialer number circular standbyConfiguring the Link Idle Time Configure Auto-Dial Configure the Link Idle Time By default, the link idle time is 120 secondsBy default, the link disconnection time is 20 seconds Configuring the link idle time when interface competion Debugging DCC Configuring the timeout of call setting upBy default, the timeout of call setting up is 60 seconds Configuring the buffer queue length of the dialer DCC Applications in Common Use DCC Configuration ExamplesSolution Router-Serial0dialer route ip 100.1.1.1 Configure RouterCConfigure RouterB Router-Serial1dialer circular-group Router-Serial1dialer bundle-member Router-Serial0dialer bundle-member Configure RouterC Configure RouterC Router-Serial015dialer route ip 100.1.1.1 Configure RouterARouter-Dialer0dialer threshold Router-Bri0dialer bundle-member Router-Bri1dialer route ip 100.1.1.1 Router dialer-rule 1 ip permit Router interface serial Router-Serial1dialer enable-circularRouter-Serial0dialer route ip 100.1.1.2 Router-Bri0dialer route ip 100.1.1.2 user usera NT Server-to-Router Configure the PCCallback for DC C By the NT server Router-Async0dialer route ip 100.1.1.254 Dial Number Circular Standby and Internet Access for DCC Router-Serial0dialer route ip 100.1.1.254 Configure subscriber PC Router-Serial215ppp chap password simple passb Router-Serial215ppp authentication-mode chap Router-Serial1standby logic-channel Remote end cannot be pinged after the modem is connected Message Fault DCC Fault Messages DCC peeraddr matching error Modem Script Modem Function Provided by 3Com Routers Receive-string1 send-string1 receive-string2 send-string2 Syntax description of modem scriptModem script format in common use is as follow By default, modem dial-in and dial-out are allowed Which, seconds defaults to 180 and is in the range of 0 toConfigure the Modem Dial-in and Dial-out Authorities Execute a Modem Script Manually Configure Modem Through the AT CommandConfigure a Modem Script Configure a Modem Script Specify the Events Triggering the Modem Scripts By default, the modem works in non-auto answer modeConfigure the Answer Mode for the Modem Configure Authentication for a Modem Dial-in User Displaying and Debugging a Modem Modem Configuration ExamplesExecutethe debugging command in all views for the debugging Configure a Modem adaptation baud rate AT&b1&c1&d2&s0=0 Restore the ex-factory modem settingsConfigure the modem initialization parameters Modem Dial-in User Power-on Initialization Through Initialization ScriptAuthentication for Directly Troubleshooting Configuring Modem

3Com 10014299 manual Firewall Overview

Models: 10014299

CONFIGURING FIREWALL

Figure 170 A firewall isolates the internal network from the Internet