Classification of Firewalls

548CHAPTER 39: CONFIGURING FIREWALL

Usually firewalls are divided into two types: network layer firewalls and application layer firewalls. A network layer firewall mainly obtains the packet head information of data packets, such as protocol number, source address and source port, destination address and destination port, or directly obtains the data of a packet head. But an application layer firewall analyzes the whole information stream.

Commonly used firewalls include the following:

■Application Gateway: checks the application layer data of all data packets passing through this gateway. For example, the FTP application gateway will be a FTP server to a connected client end, but will be an FTP dlient to the server end. All FTP data packets transmitted on the connection must pass through this FTP application gateway.

■Packet Filtering: filters each data packet using the user-defined items. For example, to check if the source address and destination address of a data packet meet the rules. Packet filtering does not check call status, nor does it analyze the data. If data packets with port 21 or greater than or equal to 1024 are allowed to pass, then once a port meets this condition, the data packet can pass this firewall. If the rules are configured, then many data packets with hidden security troubles can be filtered out on this layer.

■Proxy: normally refer to address proxy on a proxy server or a router. It replaces the IP address and port of a host inside the network with the IP address and port of a server or router. For example, the intranet address of an enterprise is 129.0.0.0 network segment, and its formal external IP address is 202.38.160.2-202.38.160.6. When the internal host 129.9.10.100 accesses a certain external server in WWW mode, the IP address and port might become 202.38.160.2:6080 after passing through the proxy server. An address mapping table is maintained in the proxy server. When the external WWW server returns the result, the proxy server will convert this IP address and port into the internal IP address and port 80 of the network. The proxy server is used so that all access between the external network hosts and the internal network occurs through this proxy server. In this way, the access to internal devices that contain important resources can be controlled.

Packet Filtering Usually, packet filtering refers to filtering for IP data packets forwarded. For the data packets that need to be forwarded by a router, first the packet header information, including the number of the upper layer protocol carried by the IP layer, the packet's source/destination address and source/destination port is obtained. Then the information is compared with the set rules. Finally, it is decided whether to transfer or discard the data packet according to the comparison result.

Packet filtering (for IP data packets) selects the following elements for judgment (in the figure, the upper layer protocol carried by IP is TCP), as shown in the figure below.

Page 552

Image 552

3Com 10014299 manual Classification of Firewalls

Contents

3Com Router Configuration Guide 3Com Corporation Campus DriveMarlborough, MA 01752-3064Page VPN This guide describes 3Com routers and how to configure them List conventions that are used throughout this guideText Conventions About this Guide 3Com Router Introduction 3Com Router User Interface Page 3COM Router Introduction Features of the 3Com Following table lists the basic features of the 3Com RouterList of the 3Com Router 1.x features Router Version RIP-1/RIP-2 NAT Quality of service 3Com Router New Features of the 3Com Router 1.x 3COM Router Introduction Configuration EstablishEnvironment Port Establish a new connection Set port communication parameters Establish a remote configuration environment Configuration ConnectionEnvironment Router Workstation Ethernet Command Line Interface CLI 3COM Router User Interface System view Table Views and their prompts Async 0 in any Ethernet 0 in anyLoopback 0 in any Enter controller Helps Full helpPartial help List of common command line error messages Common error Message CausesFor example Routerdisplay ? Command Line FeaturesDisplay Features Three options are available for users Following commands Please perform the following commands in system viewUser Identity Management Configure the router name SystemSet the system clock By default, the system clock is 080000 1 1 Execute the following commands in all viewsReboot the system Display the System Information Router System Management Page Storage Media and File Types Supported by the System Softwaresoftware Input Ctrl+D, and the following prompt information displays Upgrade Boot ROM Software Upgrade the 3Com Router Main ProgramSoftware Main Program software XModem Approach Modify the terminal baud rate Transfer File dialog box Preparation for using the Tftp server Enable the Tftp server programTftp server application can run on Windows 95/98/NT Press Enter and the following prompts will be displayed Tftpd32 Set interface Enter Ctrl+B and the system prompts Network Interface Parameters Download configuration files from a Tftp server Operation Command Downloads the 3Com Router mainPress Enter for loading Get ip-addr file-name system Prepare for using the FTP server Set an authentication mode for an FTP server Upgrade the 3Com Router Main Software with FTP Enable FTP server Back up the 3Com Router Main Program Software Tftp ApproachFTP Approach Copy ip-addr file-name system Setup Users Dialog Box Configure on-line upgrading of the card Update slot slot-number ftpserver host-namePort-number user user-name password Password Configuration File Management Download Configuration FilePerform the following command in system view Content and Format of the Configuration File Load configuration files Download ConfigRouter download config Set the binary transmission protocol to XModem/CRC Display current-configurationcommand output backup approach Back up Configuration FilesUpload configuration files to a Tftp server File-name config Please use the following commands in corresponding views View router configuration Select and view the storage media of configuration file Save current configurationSet the Flag Bit to Enter the Initial Setup Mode Erase the configuration file in storage media Configure FTP Configure authentication and authorization of FTP serverClient via port 20 and transfer data Files on the router Enter the following commands in system view Configure Parameters of FTP ServicePlease enter the following commands in system view Set the authentication mode of FTP server Set FTP update mode Set the connection time limit of FTP serviceForce to shut down FTP process Force to shut down FTP process Display FTP Server Display FTP server Display ftp-serverServer Display detailed information of the FTP user Display local-user System Management Terminal Service Features of TerminalService at Console Port Overview Service Set the attributes of terminal serviceTerminal Message On one router Perform the following configuration in all views Configure Terminal Message ServiceDisplay Terminal Message Service Enable/disable receiving messages from other terminals Typical Example Terminal Message Service Configuration Terminal ServiceDumb Terminal Configuration Examples Dumb Terminal Service Configure Dumb TerminalConfigure Auto-execute command By default, no dumb terminal service is configured Terminal Service Telnet Connection Configure the interface to dumb terminal modeConfigure the auto-execute command command Router-Serial1auto-execute command telnet Terminal service features of telnet connection Service ValueEstablish Telnet Connection Setup Reverse Telnet Connection Enable Reverse Telnet connectionService-port Establish Telnet Server or Telnet Client connection Typical Configuration Example of Telnet Reverse Telnet Force shut down Telnet ProcessExample of Telnet Force to shut down Telnet process Rlogin Terminal Use Rlogin protocolExample of Reverse Telnet Router telnet 10.110.164.44 Establish a Rlogin connection Typical Rlogin Configuration ExamplesRlogin ip-address username Use local user name abc to log on Access Service PAD RemoteCommunicate with other terminals through the X.25 network Configure X.25 PAD remote user Configure X.25 PAD remote userService-type type password Local-user user-name Start AAA authentication of X.25 remote users Enable AAA authentication for X.25 remote PAD usersEstablish an X.25 PAD call Establish a X.25 PAD call II. Networking Diagram III. Configuration ProcedureDisplay and Debug Set the Response Time to the Invite Clear Message Fault Diagnosis Troubleshooting Set its X.121 address asRouterA-serial0x25 x121-address RouterB-serial0x25 x121-address Snmp Overview Development of Snmp Configuring Network Management Snmp architecture SNMP-supported MIB By default, the system disables Snmp service 3Com Router-supported MIBEngineid Perform the following configurations in system view Configure Snmp version and related tasks Configure information of router administrator Configure the traps to be sent by the routerV1 username Interface-number Perform the following commands in all views Display and debug SnmpName Byte-count Example 1 Configure Network Management of SNMPv1 Set the community name and access authorityConfigure an IP address for the Ethernet interface ethernet Examples Networking Requirements Configure an IP address for the Ethernet interface ethernet Rmon OverviewNetwork equipment Schematic diagram of Rmon application Enable Rmon statistics Examples Networking Requirement RouterA-Ethernet0 rmon promiscuous Commands to display information of the whole system Ping command Test Tool of Network Connection Ping supporting IP protocol System displaysPing supporting IPX protocol Ip-address Following command can be executed in any command modes Tracert commandTimeout host MaxTTL -p port -q nqueries Configure on the router Log Function Set the direction of syslog outputting log information Set Severity of Log Information Perform the following task in system viewSylog-defined severity is as follows Set Filter of Log Information Configuration of Log Host Turn on/turn off syslogDisplay and Debug Syslog Turn on/turn off syslog Syslog Configuration Example Turn on debugging switch of PPP moduleRouterinfo-center enable Routerdebug ppp all Display and Debugging Tools POS Terminal Access Service Dial-up POS Access POS Network Access Advantages of POS network access are as follows POS Access Service Configuration Configure POS access portStart POS server Configure a POS application Interface-type interface-numberApp-number Ip-address port-number Configure POS multi-application mapping table Default app-numberBind the source address of TCP connection Display and Debug POS Access Display and debug POS accessSet the parameters of FCM used during Modem negotiation Set the parameters of FCM used during Modem negotiation Typical Configuration Example of POS Access Service Configure the Ethernet interface EthernetConfigure the POS access interface FCM0 Configure POS access interface FCM1 Configure POS access interface FCM2 Configure POS access interface FCM0III. Configuration Procedure 1 Start the POS access server Configure Async 0 to operate in POS application mode Configure Async 1 to operate in POS application modeIII. Configuration Procedures Configure Router a Start the POS access server Configure Router B Configure the Ethernet interface Ethernet RouterA ip route-static 10.1.1.2 255.255.255.0 serial III Interface 106 Configure Interface InterfaceEnter the Interface View Exit the Interface View Interface view, input quit to return to the system viewSet time interval for flow control statistics Interface-description Please use the following commands in all views Display and Debug InterfaceDisplay and debug interface Interface state information Interface Configuration Overview Configure Ethernet Interface Ethernet Interface Enter view of specified Ethernet interface Set IP addressSet IPX address Set frame format of sending message Select work mode of Ethernet interface Enable or disable internal loopback and external loopbackDisplay and Debug Select working rate of fast Ethernet interface Typical Ethernet Interface Configuration Example TroubleshootingII. Network Diagram Troubleshooting Configuring LAN Interface WAN Interface IntroductionAsynchronous Serial Interface Enter view of specified asynchronous interface Interface async numberInterface serial number Set the work mode of asynchronous serial interface Set the baud rate of asynchronous serial interfaceModem in out Link-protocol slip ppp Async Mode protocol Flow-control none softwareHardware inbound outbound Works in flow mode Parity even mark noneOdd space Stopbits 1 1.5 Backup AUX InterfaceSet MTU of asynchronous serial interface Set the coding format of Modem Configure AUX interface Configure AUX interfaceConfigure Synchronous Serial Interface Synchronous Serial Interface Enter view of specified synchronous interface Set the link layer protocol of synchronous serial interfacePhysical-mode sync Link-protocol fr hdlc Select work clock Working modes have different working clocksSet the baud rate of synchronous serial interface Synchronous serial interface is 64000 bps Inversion is disabled by default Select work clockSet clock inversion Internal loopback/external loopback are disabled by default Detect dcdUndo detect dcd Reverse-rts Isdn BRI Interface Idle coding of synchronous serial interface is 7ETechnical Background Graphics and video Preparations before Configuration Be clear about the following items before the configurationFunction group includes Channelized operating mode CE1/PRI InterfaceNetwork protocols such as IP and IPX Interface or a PRI interface Configure CE1/PRI CE1/PRI interface configuration includes Dial-on-Demand RoutingInterface Enter the view for a specified interface Enter the synchronous serial interface view Bind the interface to be channel setsNumber set-number Bind the interface to be a pri set Enter the Isdn interface viewPri-set timeslot-list range Undo pri-set Enable/disable the internal loopback/external loopback Set the line code format on the CE1/PRI interfaceSet the line clock of the CE1/PRI interface Set the frame format of CE1/PRI interface Configure CT1/PRI CT1/PRI Interface Operation Command Enter the view of CT1/PRI interface Controller t1 numberTimeslot-list range speed Interface serial number23 Set the line code format on the CT1/PRI interface Set the line clock of the CT1/PRI interfaceSet the frame format of CT1/PRI interface Choice for E1 access E1-F interface does not support PRI operating modeE1-F Interface Them into multiple channel sets Set Operating mode for an E1-F interface Enter the view of an E1-F interfaceInterface serial serial-number Fe1 unframed Set interface rate after binding operation Set line code format for E1-F interfacesSet line clock for an E1-F interface Enable/Disable local/remote loopback on an E1-F interface Set frame format for an E1-F interfaceDisplay and debug E1-F interface Serial-number Choice for T1 access T1-F interface does not support PRI operating modeT1-F Interface 193 X 8k = 1544kbps Set line code format for T1-F interface Enable/Disable local/remote loopback on a T1-F interface Set line clock for a T1-F interfaceSet frame format of T1-F interface Other related information CE3 InterfaceDisplay and Debug T1-F Display and debug T1-F interface Enter the view of the specified E3 interface Set the operating mode of CE3 interface Set the operating mode of E1 channelSet E1 frame format Mode non-channelized mode CT3 Interface44.736Mbps Data bandwidth 44736kbps Set clock mode of the CT3 interface Set clock mode of the T1 channelEnter specified CT3 interface view Set cable length of the CT3 interface By default, loopback is disabled Set Frame Format By default, the CT3 interface uses the C-bit frame formatPerform the following configurations in CT3 interface view Set the operating mode of T1 channel Set CRC of the serial interfaceT1 line-number unframed Disable and Enable CT3 interface Display and debug of the CT3 interface Configuring WAN Interface Logical Interface Dialer Interface Configure Loopback Null Interface Sub-Interface Configure sub-interfaces of Ethernet interface Create and delete WAN sub-interfaceNumber.sub-number Number.sub-number multipoint Enter the view of WAN interface Serial0 of router a Select frame relay link layer protocolRouterinterface serial Configure the static route from router a to LAN2 and LAN3 Specify DTE as its frame relay terminal typeSet its IP address to 202.38.160.1 and address mask to Allocate a virtual circuit with Dlci 50 to it Set work parameters of virtual-template Create or delete virtual-templateInterface virtual-template Undo interface Fault 1 Fail to create virtual interface Troubleshooting the reasons may be as followsDisplay state of the specified virtual-template Virtual-template-number Link Layer Protocol 164 PPP Authentication Mode PPP Overview Configuring PPP and MP Configure PPP MP OverviewFor detailed description of PPP, refer to RFC1661 Transmission time of large packets Configure the link layer protocol of the interface to PPP Configure the local authenticates the peer in PAP modeConfigure the peer authenticates the local in PAP mode Name-list Configure the local authenticates the peer in Chap mode Configure as the peer authenticates the local in Chap modeCipher password User username Configure AAA authentication and accounting of PPP Configure the time interval of PPP negotiation timeoutConfigure PPP compression Perform the following configuration in interface view Configure PPP link quality monitoringPpp lqc forbidden-percentage Resumptive-percentage Configure MP Protocol Parameters Create Virtual Template Configure Operating Parameters of Virtual TemplateCreate/Delete virtual template Bind the physical Interface to a Virtual Template Specify the conditions for MP binding User-name Configure virtual Baud rate on interface Frags Typical PPP Configuration Example Configuration RequirementExample Typical MP Configuration Example II. Configuration ProcedureConfigure to start Chap authentication at this side Set local username as Router1 Configure virtual interface template Configure router-b Add a user for router-aConfigure router-c Add a user for router-a Fault Diagnosis Troubleshooting Fault 1 Link always fails to turn to up statusFault 2 Physical link fails to turn to Up status Indicates that the interface is shutdown PPoE Overview Introduction to PPPoE client Configure PPPoE Client Configure PPPoE session Reset or delete PPPoE session Typical PPPoE Configuration Example Perform the display and debugging command in all viewsAccess a LAN to the Internet via Adsl III. Configuration Procedure 1 Configure a dialer interface Configure a PPPoE session Configure the LAN interface and the default routeConfigure the DDN interface Serial Use Adsl as Standby Line Configuring Pppoe Client Configure Slip Asynchronous modeSlip Overview For further details about SLIP, you can refer to RFC1055 Enable/Disable the information debugging of Slip Typical SlipTime Interconnect two Router routers via Pstn and run IP Configure Router a Configure Dialer Rule Configure IP address of synchronous/asynchronous interfaceConfigure the Dialer String to router B Configure the default route to Route B Routerip route-static 0.0.0.0 0.0.0.0 Configure Isdn Isdn Overview By default, DSS1 signaling is used on Isdn PRI interfaces Configure type of signaling on Isdn interfaceConfigure the length of call reference Configure the receiving mode Configure the sending mode Configure interval for Qsig signaling timerTimer-name all Time-interval Configure Call Processing Method on an Interface Perform the following configuration in Isdn interface viewPerform the display and debugging commands in all views Typical Configuration Example Configure Router a Create an Isdn PRI interfaceConfigure the Isdn PRI interface RouterB transmit data after the call is set up Configure Router a Configure Router B Lapb Protocols Overview PSN 25 packet and Lapb frame Configure Lapb By default, the Lapb modulus is ModuloBy default, k is Configure Lapb N1, N2 Configure Configure X.25 Interface Set/Cancel the X.121 address of the interfaceSet X.25 working mode Address 25 channel delimitation parameters Parameter Meaning By default, X.25 interface use modulo 8 mode Set/cancel X.25 virtual circuit rangeSet/Cancel X.25 packet numbering modulo Finally, the following should be noted Configure X.25 flow control parameter Configure X.25 Interface Supplementary ParameterSet the default flow control parameter Out-packets 25 layer 3 timer Set X.25 layer 3 timer delay Specify/Cancel an alias for the interface Alias match modes and meaningsAlias-string Match-type alias-string Set/Cancel the default upper layer protocol borne on Configure X.25 Datagram Transmission Create the permanent virtual circuit PVCProtocol-address x121-address Address option Configure Additional Parameters Datagram Transmission Create/Delete permanent virtual circuitX25 pvc pvc-number protocol Undo x25 pvc pvc-number Interface view, perform the following task Specify/Cancel packet pre-acknowledgement Configure X.25 user facility Configure the sending queue length of virtual circuit Serial port view, list1 can be quoted Set broadcast via Set interface with standby centerAddress broadcast Address logic-channel Switching Function Configure X.25 sub-InterfaceConfigure X.25 Switching Number.subinterface-number multipoi Configure X.25 Load Balancing Add or delete a PVC routeIntroduction to X.25 Load Balancing Configure X.25 List of Configuration Tasks of X.25 Load Balancing Diagram of X.25 network load balancing Start /Close X.25 switching function Create/Delete X.25 hunt groupAdd/Delete interfaces or XOT Tunnels in hunt group Configure X.25 over Other Protocols Add/delete other X.25 switching routesConfigure X.25 over TCP XOT Introduction to XOT Protocol Configure XOT Start X.25 switching Configure local switchingConfigure SVC XOT switching For PVC, perform the following tasks in interface view Configure Annex G Data Interoperation Configure PVC XOT switchingConfigure X.25 over Frame Relay Annex G Configure Keepalive and xot-source attributes Configure the X.25 Attributes for a Dlci Configure the X.25 attributes for an Annex G Dlci Typical Lapb Configuration Example By default, X.25 template is not applied on DLCIsCurrent status of Lapb Specify IP address for this interface Configure Router B Select interface Configure Router a a Select interfaceSpecify X.121 address of this interface Specify address mapping to the peer Connect the Router to X.25 Public Packet Network Configure Router a Configure interface IP address Configure Router B Configure interface IP addressConfigure Router C Configure interface IP address Configure Virtual Circuit I. Networking Requirement DisabledRange Transmit IP Datagram via X.25 PVC Typical Sub-Interface Configuration Example Router-Ethernet0ip address 196.25.231.1 Configure Router C Configure Router DCreate sub-interface serial SVC Application of XOT I. Networking Requirement Configure Router C Start X.25 switching Configure SerialRouterx25 switch svc 2 interface serial Routerx25 switch svc 1 xot Application of X.25 Load Balancing Enable X.25 switching in system view Configure X.25 switching route to forward to X.25 terminalS11 Add Serial 1, Serial 2 and XOT Tunnel to hunt group Routerx25 switch svc 1111 xot Routerx25 switch svc 8888 interface serialLoad Balancing Carrying IP Data Transmission Routerinterface serial Router-Serial0link-protocol x25 dce Configure RouterA Configure interface Ethernet Configure interface SerialConfigure static route to RouterC Configure RouterB Configure interface Ethernet Configure the static route to RouterA and RouterB Configure RouterA Create an X.25 templateConfigure the local X.25 address Configure an IP address for the local interface Configure RouterB Create an X.25 template Map the Frame Relay address to the destination IP addressAssociates an X.25 template with the Dlci SVC Application of X.25 over Frame Relay Configure the router Router B Enable X.25 switching Enable switching on Frame Relay DCEConfigure Serial 0 as the X.25 interface Configure Serial 1 as the Frame Relay interface Configure X.25 over Frame Relay switching Configure the router Router C Enable X.25 switchingConfigure the Frame Relay Annex G Dlci Configure local X.25 switching.Router-fr-dlci-100annexg dte Configure Router D Configure the basic X.25 parameters Configure Router B Enable X.25 switchingConfigure an X.25 template Configure S1 as the Frame Relay interface Configure Serial Configure S1 as the Frame Relay interface Lapb Facility options inhibited by network have been carried Fault Diagnosis and Troubleshooting of X.25 Configuring Lapb Configuring Frame Relay By default, the interfaces link layer protocol is PPP Link-protocol fr ietfRelay Nonstandard Configure Frame Relay interface type Configure Frame Relay LMI protocol type Fr lmi n391dte n391-value Undo fr lmi-n391dteFr lmi n392dce n392-value Undo fr lmi n392dce Undo fr lmi n393dce Fr lmi t391dte t391-valueUndo fr lmi t391dte Fr lmi t392dce t392-value Configure Frame Relay static address mapping Configure Frame Relay dynamic address mapping Configure Frame Relay local virtual circuit number Create Frame Relay sub-interfaceFr dlci Undo fr Configure virtual circuit of Frame Relay sub-interface Applying dynamic address mapping to the sub-interfaceEstablish static address mapping Configure the Frame Relay local virtual circuit number Configure the route for Frame Relay PVC switchingConfigure Frame Relay local switched PVC number Configure the Frame Relay switched PVC Configure Multilink Frame Relay FRF.16 Overview Configure MFR Configure a MFR bundle interface MFR interfaceConfigure MFR interface parameter Subnumber Frame Relay Compression Configuration Configure the parameters of the bundle link interface By default, interfaces use initiative compression Configure Frame Relay Fragment FRF.12Configure Frame Relay Fragment Attributes Configure Frame Relay Compression on multipoint interface Disable the Frame Relay traffic shaping Frame Relay Traffic ShapingFr traffic-shaping Undo Fr traffic-shaping Rate Frame Relay Queueing Management Frame Relay Traffic Policing 150 Kbps 100 Kbps CI R ALLOWº£ 64 Kbps Frame Relay Congestion Management Frame Relay DE rule list By default, no Frame Relay class is created Configure the Frame Relay class parametersConfigure Frame Relay Traffic Shaping Undo fr-class class-name Enable/Disable the Frame Relay traffic shaping Configure the parameters of Frame Relay class Enable/Disable the Frame Relay traffic policing Queue-percentage Dequeue-percentage Configure Frame Relay DE Rule List Configure Frame Relay Queueing ManagementConfigure the Frame Relay PVC queueing Configure Pipq Configure Frame Relay over Other Protocols Configure Frame Relay over IPConfigure a tunnel interface Configure Frame Relay switching Frame Relay over Isdn Operation Process and Fundamentals Networking of a typical Frame Relay over Isdn application Frame Relay switching connection between DTE devices Physical Connection Between Frame Relay over Isdn DevicesBack-to-back connection between DTE and DCE devices Configure Frame Relay over Isdn Configure the Frame Relay-related commands Configure the commands related to Frame Relay switching Configure the link layer protocol of the interfaceDlci Configure parameters related to dialer profiles Display and debug Frame RelayDisplay and Debug Frame Relay Isdnsubaddress Number dlci dlci-number Number interface serialType number dlci Mfr number Typical Frame Relay Configuration Example Configure static address mappingInterconnect LANs via Frame Relay Network Router-Serial1fr map ip 202.38.163.251 dlci Configure local virtual circuit Relay FRF.16Interconnect LANs via Private Line Router-Serial1ip address 202.38.163.253 Create a MFR interface Bundle Serial 0 and Serial 1 to mfrExample FRF.9 Them III. Configuration Procedure 1 Configure Router a III. Configuration Procedure 1 Configure RouterAFRF.12 Fragment between them IP Configuration Routerfr class 96kRouter-fr-class-96ktraffic-shaping adaptation becn Typical Frame Relay over Configure IP interface Ethernet0 Configure tunnel interfaceConfigure Frame Relay over IP Router-Serial0fr interface-type dce Configure the Frame Relay parameters on Bri0 Router-Bri0fr map ip 110.0.0.2 dlciRouter-Dialer0dialer number Router-Dialer0dialer call-in Router-Dialer0fr interface-type dce Configure the Frame Relay-related parameters on Bri0 Configure Frame Relay SVCs Router-Serial1.1ip address 130.0.0.2 Fault Diagnosis Troubleshooting Frame Relay Fault 1 the physical layer in Down statusFault 4 Frame Relay data cannot be transmitted across Isdn Configuring Frame Relay Configure Hdlc Configure Hdlc Display and Debug HdlcBy default, the link layer protocol of the interface is PPP Configure the link layer protocol of the interface to Hdlc Enable Hdlc packet debugging Debugging Hdlc Packet Interface Configure Bridge’s Routing Function Typical Bridge ConfigurationBridge Overview Bridge Overview Obtain address table Main Functions of Bridging Bridge Overview Forward and Filter Final bridging address table Eliminating loop Filter not forward Preliminary examination state of bridging loops Spanning Tree Topology Bpdu Forwarding Mechanism Spanning tree topology Configure Bridge’s Routing Function By default, disable bridging functionsEnable/Disable bridging functions Bridge enable Configure static address table entries Specify the STP version supported by the bridge-setAdd ports to a bridge-set Mac-address Enable/Disable forwarding by using dynamic address table Configure the aging time of dynamic address tableDisable/Enable STP on ports Configure the bridge priority Configure the path cost of bridge portConfigure the bridge port priority Configure the interval for sending BPDUs Configure the forward delay for the port status transition Configure the Max age of Bpdu Create ACLs based on varied Ethernet encapsulation formats Acl acl-number Enable/Disable bridge’s routing Configure a bridge-template interfaceBridge-set Define a link-set Share load by source MAC addressLink-set Bridgebridge-set link-set link-set Configuration on the interface Map the bridge address to DlciDefine a dialer list Typical Bridge Configuration Display and Debug BridgeDisplay and debug bridge Transparent Bridging Multiple LANs Configure Router a Configure Router BRouter-Serial0bridge-set 1 stp disable Transparent Bridging over Frame Relay Transparent bridge over the Frame Relay Router-Serial1dialer route bridge broadcast Asynchronous Dial-in StandbyConnected are failed Please refer to Figure Bridge-Template interface Networking of bridge-template interface Bridging on Sub-Interfaces Networking for bridging on sub-interfaces Link-Set Configuration I. Networking Requirements Routerbridge enable Routerbridge 1 stp ieeeRouter-Serial1bridge-set 1 link-set Network Protocol 316 Configuring IP Address IP address classes and ranges Network IP network range Description Class Sub-net classification of IP address Configure IP Address Configure IP Address for an Interface By default, the interface has no master IP addressConfigure master IP address of an interface Ip address ip-address mask Configure slave IP address of an interface Ip address ip-address mask Mask-length subDelete slave IP address of an interface Undo ip address ip-address By default, the interface has no negotiating IP address Configure IP Address Unnumbered for an InterfaceIntroduction to IP address unnumbered Set negotiable attribute of IP address for an interface Configuration Example I. Configuration Requirements Configure routing to Ethernet segment of Shenzhen router R1Configure IP address unnumbered Borrow IP address of Ethernet interface Configure router R1 of Shenzhen subsidiary Borrow IP address of EthernetRouter-Ethernet0ip address 172.16.20.1 Router ip route-static 0.0.0.0 0.0.0.0Page Configuring IP Address Define a static ARP mapping Arp static ip-addressUndo arp static ip-address Arp dynamic ip-address Configure Domain Name ResolutionName Resolution Display and Debug ARP Display and Debug Domain Name Resolution Display and Debug domain name resolutionDisplay ip host Create Ethernet subinterface Specify the Vlan on which Ethernet subinterface is locatedInterface-number.subinterface-number Vlan-type dot1q vid vlan-id Configure IP address of Ethernet subinterface Typical Vlan Configuration ExampleDisplay and Debug Display and Debug Vlan Display vlan Configure IP address for the subinterface Configure Vlan information of LAN SwitchTroubleshooting The steps below can be taken Router-Ethernet0.1ip address 3.3.3.8 Dhcp Server Configuration Fault Ping Two PCs, but fails to ping them throughDhcp vs Bootp Background of the Dhcp development Occasions in which Dhcp server is applied Following figureDhcp server Dhcp clients Dhcp client logs into the network again Dhcp Server Configuration Enable/disable the Dhcp service Dhcp EnableUndo Dhcp enable Dhcp server ip-pool pool-name Configure the statically binding IP address and MAC address NetmaskNetwork ip-address Low-ipaddress high-ipaddress Low-ipaddress high -ipaddress By default, the IP address of DNS is not configured Configure the gateway router address of clientConfigure the domain names of Dhcp clients Configure the DNS addresses in a Dhcp address pool Set the type of NetBIOS node for Dhcp client Set the type of NetBIOS node for Dhcp clientNbns-list ip-address1 Ip-address2 ... ip-address8 Use reset, debugging and display command in All views Configure Dhcp self-defined optionsDisplay and Debug Dhcp Server Display and Debug Dhcp servers III. Configuration Procedures 1 Enable the Dhcp service Router dhcp enableRouter dhcp server forbidden-ip At the client, use ipconfig /releaseall Router-dhcp2nbns-list Router-dhcp2gateway-list Configure interface relay address Operation Command Configure interface relay addressIp relay-address ip-address Delete interface relay address Dhcp Relay Configuration Requirement Dhcp RelayIP address from Dhcp server through application Available on Dhcp server Configure Dhcp relay router Networking diagram of an Dhcp relay configuration example Fault 2 fail to forward transparent transmission protocol Private Network Address and Public Network Address Under which condition should the address be translated Characteristic of Network Address Translation NAT Role the Network Address Translation NAT playsMechanism of Network Address Translation NAT Configure address pool Performance of Network Address Translation NATEnd-addr pool-name Pool-name Nat outbound acl-number Address-group pool-nameUndo nat outbound acl-number Undo nat outbound Configure the Internal Server Configure the Timeout of address translationNat server global global-addr global-port Www inside inside-addr inside-port any Typical NAT Configuration Example Display and Debug NAT Display and debug NAT Configure address pool and access list Allow address translation of segment at 10.110.10.0/24Set internal FTP server Set internal WWW server Configure address access control list and dialer-list Configure dial-up property for the interfaceConfigure a default route to serial Correlate the address translation list and the interface Fault 2 Internal server abnormal Configuring IP Application Configure IP To configure IP performance, carry out the following stepsConfigure maximum transmission unit on an interface Performance Configure TCP Tcp window size Configure Fast Forwarding Perform the following configuration in system view Display and Debug IPForwarding Display and Debug Fast Display and Debug fast forwarding Troubleshooting IP Performance Configuration Router info-center enable Router debugging tcp packetRouter info-center enable Router debugging tcp event Configuring IP Count IP Count Configuration Enable/Disable IP Count serviceIp count enable Undo ip count enable Configure IP Count on an interface Configure IP Count listSpecify count maximum of exterior By default, IP Count entries time out after 720 minutes CountSpecify count maximum of interior Display and debug IP Count IV. Test Procedure Not been configured on the interface of the routerInformation is displayed Configuring IP Count Configuring IPX IPX address SAP Configure IPX Modify length of service information reserve queueConfigure relative parameters of IPX SAP Its first Ethernet interface as its node address Enable IPX interface Configure IPX RIP static routeEnable/Disable a Default Route Perform the following task in interface view Configure RIP updating period Configure RIP aging periodConfigure the maximum size of RIP update packet Configure the maximum number of IPX parallel route Configure length of route reserve queue Configure static service information table item Configure SAP aging period Configure size of SAP maximum updated messageConfigure reply to SAP GNS request Ipx sap timer update seconds Configure Using touch-off for an interface Disable split-horizon Configure the delay of interface sending IPX packets Configure management of IPX packetModify Encapsulation Format of IPX Frame on Interface Encapsulation format of IPX frame Configure Router a a Activate IPX Display and Debug IPX Display and Debug IPX Configure an address map to Router B Configure a static route to network IDConfigure an information about Server2 file service Configure an information about Server2 directory service Configure an information about Server1 directory service DLSw Protocol Configuration of DLSw Create DLSw local peer entityInit-window-size max-frame Max-frame-size max-window Configure Bridge set connecting to DLSw Create DLSw remote end peer entity Configure to add ethernet port to Bridge set Configure Sdlc role Configure Sdlc virtual MAC address Configure Sdlc addressSdlc-address Controller sdlc-address Configure Sdlc peer entity Configure XID of SdlcAdd synchronous Interface to Bridge set Configure to stop running DLSw Configure baud rate of synchronous InterfaceBaudrate Configure Idle time encoding mode of synchronous Interface Configure parameters of DLSw timerConfigure LLC2 local acknowledgement delay time Mseconds Configure LLC2 premature acknowledgement window Configure modulo value of LLC2 Configure retransmission number of LLC2 Configure LLC2 local acknowledgement timeConfigure Busy status time of LLC2 Configure P/F wait time of LLC2 Configure REJ status time of LLC2 Configure queue length of sending message of LLC2Configure Queue Length of Sending Message of Sdlc Configure Sdlc local acknowledgement window Configure maximum receivable frame length of Sdlc Configure retransmission number of SdlcConfigure poll time interval of Sdlc Configure SAP address for transforming Sdlc to LLC2 Configure data bi-directional transmission mode of SdlcLsap Dsap Typical DLSw Configuration Example DLSw Configuration Networking RequirementDLSw IP across WAN Router a Configuration Router B ConfigurationDLSw Configuration Router dlsw local Networking diagram of DLSw configuration of SDLC-SDLC Networking Diagram of SDLC-LAN DLSw Fault When using command display dlsw remoteDiagnosis Virtual circuit cant attain Connected state Diagnosis and Troubleshooting of DLSw Fault Configuring Dlsw VI Routing 404 IP Routing Protocol IP Routing Protocol Routing Protocol and Routing Priority Routing Protocol or Type Corresponding Routing Priority Ospf ASE Configuring Static Routes Default Route Configuring a Static Route Configuring a Static RouteConfigure a Static Route Transmitting interface or next hop address Configuring a Default Route Displaying Debugging Routing TablePreference Other parameters Troubleshooting a Static RouteOther RIP Overview Configure RIP Features is not subject to whether RIP has been enabled Enable RIP at the Specified Network Enabling RIP By default, the interface runs RIP-1 Define a Neighboring RouterSpecify RIP Version Peer ip-address RIP Version 1 enables zero field check by default Configure Check Zero Field of RIP VersionDisable a Host Route Specify the Status of an Interface Authentication on Enabling RouteSummarization for RIP Version By default, the default route metric for RIP is Configure RIP Horizontal Segmentation on the InterfaceConfigure Route Import for RIP Specify a Default Route Metric Value for RIP Configure filtering route information received by RIP Distribution for RIPSpecify Additional Route Metric Value for RIP Set Route Preference Reset RIP Displaying and Debugging RIPFilter the Routing Information Being Advertised by RIP Display and Debug RIP RIP Unicast Ospf Configuration Example Ospf OverviewOspf Overview Displaying and Debugging Ospf Configuring Ospf Enable Ospf Specify Router IDRouter id router-id Undo router id By default, Ospf is disabled Area-idArea area-id Configure the Network Type of the Ospf Interface Configure Sending Packet CostOspf network-type broadcast nbma P2mp P2p Configuring a Peer for the Nbma Interface Cost Operation Command Set the priority of the interface when Specify the Router PriorityOspf Dr-priority value Undo Ospf dr-priority Specify Hello Intervall Specify Dead Interval Configuring a Stubby Area and a Totally Specify Transmit-delaySpecify Retransmitting Interval Perform the following configuration under Ospf view Configure Totally Stubby Area of OspfStub cost cost area area-id No-summary Perform the following configuration in Ospf view Configure an Nssa Area of Ospf Configure Route Summarization Within Ospf Domain Abr-summary address mask mask areaArea-id advertise notadvertise Undo abr-summary address mask mask Create and Configuring a Virtual Link Area-id None Router-id None Configure Authentication Key-id Configure Route Import for Ospf Configure Parameters When Importing External Routes Configure filtering route information received by Ospf DisplayingDebugging Ospf Filter for Ospf Ospf Configuration Example Configuring Ospf on the Point-to-Multipoint NetworkRouter D 201 Router B 301 302 Router C 1.3 Enable Ospf RouterC ospf enableRouterA-Serial0ospf network-type p2mp RouterB-Serial0ospf network-type p2mp Configure DR on Ospf Preference 1.1 4.4 E0 192.1.1.1/24 E0 192.1.1.4/24E0 192.1.1.2/24 E0 10.1.2.3/24 2.2 3.3 RouterA display ospf peer RouterD display ospf peer To configure an Ospf virtual link Configure Router a Between Router B and Router CRouterB-ospfVlink peer-id 3.3.3.3 transit-area To configure Ospf peer authentication Configure Router a Troubleshooting an Ospf ConfigurationNormally Ospf Configuration Example Configuring Ospf BGP Configuration Example BGP OverviewBGP Overview Displaying and Debugging BGP Configuring BGP Resetting BGP Connections Enabling BGP Perform the following configurations in system viewBy default, BGP is disabled Perform the following configurations in BGP view Configure the BGP Version of the Peer Set the Timers for BGP PeerConfigure BGP Route-update Interval Configure to distribute default route to the peer Configure to Send Community Attribute to the PeerConfigure the Peer to be the Client of the Route Reflector Configure to Distribute Default Router to the Peer Create a Fltering Policy Based on Access List for the Peer Configure the BGP MED MetricCreate a BGP Route Filtering Based on AS Path for the Peer Allow Comparing Path MED Configure the Local Preference Configure the Keepalive Timer and Holdtime Tmer for BGPTimers keepalive-interval Holdtime-interval By default, there is no BGP peer in a peer group Add a Peer to the BGP Peer GroupPeer group-name Group-name Configure AS Number of BGP Peer Group Configure Connection Between Peers Indirectly ConnectedSet the Timers of BGP Peer Group Configure BGP Routing Update Sending Interval Configure to send the default route to the peer group Configure to Send the Default Route to the Peer GroupCreate Routing Policy for Peer Group By default, software accepts BGP Version Configure BGP Version of Peer GroupCreate an Aggregate Addresses By default, an aggregate is disabled Aggregate address maskAs-set Undo aggregate address Reflect between-clients Clients within the reflection groupUndo reflect between-clients Configure the Cluster ID Configure BGP CommunityStandard-community-list-number Extended-community-list-number Configure a Confederation Configure the Sub-system of E ConfederationAs-number … Schematic diagram of route dampening Display Route Flap Information By default, BGP synchronizes with IGP Is insured When AS is not a transitional AS ConfiguringConfigure Route Import for BGP Still exists Define an access list entry Entry, an AS Path-listDefine an AS Path-list entry Define a routing policy Perform the following configurations in Routing policy view Define a match ruleDefine an apply clause Filter for BGP Reset BGP Connections Debugging BGPFilter Routing Information Being Advertised by BGP Display and Debug BGP BGP Configuration Procedure for each configurationAs-regular-expression acl Acl-number network-address Networking diagram of configuring AS confederation Configure Router B Configure BGP peers RouterA-bgppeer 192.1.1.2 as-numberRouterB-Serial1ip address 193.1.1.2 RouterC-ospfinterface serial Configure Router D Configure BGP peers Configure peer Start BGPSpecify BGP transmission network RouterA-acl-1rule permit source 1.0.0.0 RouterC-acl-1rule permit source 1.0.0.0 RouterC-bgppeer 193.1.1.1 route-policy localpref import RouterD-ospf network 4.0.0.0 0.0.0.255 area 0 RouterD bgp Configuring BGP IP Routing Policy Configuring IP Routing Policy Configure IP Routing Operation Command Define a routing policy and enter intoPolicy Define a Routing Policy Configure a Matching Rules Define a Setting Clause Apply community aa nnNo-export addtive none Apply tag tag-value Configure Route Import Route-policy route-policy-nameTag tag-value type 1 Define an IP Prefix List Ip ip-prefix prefix-list-nameGe-value less-equal le-value Perform the following configurations in all views Debugging IP Routing PolicyOSPF-ASE external route discovered by Ospf protocol BGP route discovered by BGP protocol Configuring IP With different weighting valuesRouting Policy Protocol Route Information Troubleshooting IP Configure RIP protocolNormal operation Routerip ip-prefix p1 permit 192.1.1.0/24 Configuring IP Routing Policy Configuring IP Policy IP Policy RoutingRouting Create a Routing Policy Define Match RulesDefine Apply Clause By default, interface policy routing is disabled Enable/Disable Interface Policy RoutingDisplaying Debugging IP Policy Routing Interface Policy Routing Suggested procedure for each configuration Define access listRouter-acl-101rule deny tcp source any destination any Router-acl-102rule permit tcp source any destination any Adopt policy aaa in Ethernet interface Router-Ethernet0ip policy route-policy aaaRouterA-Ethernet0ip policy route-policy lab1 RouterB-ripnetwork RouterAdebugging ip policy-routing Configuring Igmp Configuring PIM-DM Configuring PIM-SM ChapterIP Multicast 498 IP Multicast Range and Meaning of Class D Addresses List for Reserved Multicast AddressesClass D address range Meaning IP Multicast Routing Protocols IP Multicast IP Multicast Packet IP MulticastApplication IP Multicast Configuring Igmp Igmp Configuration ExampleIgmp Overview Igmp Overview Configuring Igmp Make the following configuration in interface view Configure the Igmp Version Number Run at Router InterfaceConfigure Igmp Maximum Query Response Time Igmp Configuration Debugging command in system view to debug IgmpDisplaying and Debugging Igmp Interfaces are all fast Ethernet FE Router a Router B Configuring Igmp Configuring PIM-DM Make the following configuration in the system view By default, the system disables the multicast routingEnable Multicast Routing Operation Command Enable multicast routing Start/Disable PIM-DM Protocol Displaying and Debugging PIM-DMDisplay and Debug PIM-DM Group-address source-address PIM-DM Configuration Enable multicast routing protocolEnable PIM-DM protocol Receiver 2 are the two receivers of this multicast group PIM-SM Overview PIM-SM Configuration Enabling Multicast Routing By default, the interface disables PIM-SM protocol Enable/Disable PIM-SM ProtocolConfigure Candidate BSR Configure Candidate RP By default, no interface is configured to be candidate RP By default, no PIM-SM domain boundary is configuredConfigure PIM-SM Domain Boundary Use the pim command in system view to enter PIM view Debugging PIM-SM Configure Router a Enable PIM-SM protocol Configure Router B Enable PIM-SM protocolRouterA multicast routing-enable RouterA interface ethernet RouterA-pimspt-switch-threshold 10 accept-policy Display pim neighbor command can be used to check whether Follow these stepsNeighbors have discovered each other RouterB-acl-5rule permit source 225.0.0.0 Configuring PIM-SM Viii Security 524 Terminal Access Configuring TerminalAccess Security Configuring a User Configure EXECLogin Authentication Enable AAA Configure Radius server and the shared secretConfigure the authentication method list of Exec users Configuring Terminal Access Security AAA Overview Radius Overview Components of Radius server Basic message interaction process of Radius Request Authenticator Adopts 16-byte random code Type of Packets Decided by Code FieldCode Packet type Explanation of the packet Attribute Fields By default, AAA is disabled AAA Enable/Disable AAAConfigure AAA Login Authentication Server-template-name method1 Configuring an Authentication Method List for PPP Users Configure PPP Authentication Method List of AAADefault methods-list method1 Default methods-list By default no address pool is defined by the system Configure AAA Local-First AuthenticationConfigure AAA Accounting Option Configure Local IP Address Pool By default pool-number is Configure a User and PasswordConfigure Callback User Configure Ordinary User and Password Configure User with Caller Number Configure FTP User and the Usable DirectoryConfigure Callback User and the Callback Number Configure User with Caller Number Authorize a User with Usable Service Types Configure FTP User and the Usable DirectoryConfigure Authorizing a User with Usable Service Types Directory Configure Radius Server Shared Secret By default, no key is configured for the Radius serverConfigure Radius Server Shared Secret Radius server hostname ip-address Configure the Request Retransmission Times Configure the Time Interval for the Inquiry Packet Accessing User Authentication CaseDisplaying Debugging AAA AAA and Radius Configure IP address and port of Radius server Configure local-first authenticationRouter aaa authentication-scheme local-first Routerradius server Troubleshooting AAA Radius Users Radius authentication is always rejected Connected user cannot be seen in display aaa userCan Configuring AAA and Radius Protocol Firewall Overview Classification of Firewalls Packet filtering schematic diagram Extended access control list Command format when the protocol is IGMP, IP, GRE or OspfCommand format when the protocol is TCP or UDP Operators of the Extended Access Control List Mnemonic Symbol of the Port Number Protocol Mnemonic Symbol Meaning and Actual Value UDP Configure the match sequence of access control list Mnemonic Symbol of the Icmp Message TypeOperator and Syntax Meaning Configure Firewall Effect Perform the following configurations in system viewFirewalls are disabled by default Firewall Configure Standard Access Control List Configure Extended Access Control List Enabling and disabling filtering according to timerange Configuring Special TimerangeSet Default Firewall Filtering Mode Destination dest-addr dest- wildcard Enable/Disable Filtering According to Timerange Set special time rangeSet Special Time Range Settr begin-time end-time Use debugging, reset and display commands in all views Displaying and Debugging FirewallSpecify Logging Host Display and Debug Firewall Enable firewall Configure access rules to inhibit passing of all packetsRouterfirewall enable Routerfirewall default permit Apply rule 102 on packets coming in from interface Serial0 Router-Ethernet0firewall packet-filter 101 inboundRouter-Serial0firewall packet-filter 102 inbound IPSec Protocol IPSec Related Terms Following terms are important to an understanding of IPSecIPSec Message Processing Configuring IPSec Access Control ListCreating an Encryption Create Encryption Access Control List Operator port1 port2 Configure Ndec Cards Enable the crypto cards By default, all the crypto cards are enabledSet the output of the crypto card log By default, no proposal view is configured Enable/Disable the Host to Backup the Ndec CardsSet the Mode for Security Protocol to Encapsulate Messages Define IPSec proposal Selecting the Encryption Authentication Algorithm Default mode is tunnel-encapsulation modeSelect Security Protocol Select Security Protocol Select Encryption Algorithm and Authentication Algorithm Creating a Security Policy By default, no security policy is created Configure access control list quoted in security policyPerform the following configurations in IPSec policy view Set start point and end point of security tunnel By default, the security policy quotes no IPSec proposal Configure IPSec Proposal Quoted in Security PolicySet IPSec proposal quoted in security policy Set SPI of security policy association and its adopted key By default, no key is used by any security policy Configure SPI Parameters of Security Policy AssociationConfigure Key Used by Security Policy Association Hex-key Set access control list quoted by security policy Set end point of security tunnelCreating a Security Policy Association with Specify End Point of Security Tunnel Set the IPSec proposal quoted in security policy Set SA lifetimeProposal proposal-name1 Proposal-name2...proposal-name6 Configure a separate SA lifetime By default, apply the global SA lifetimeConfigure Global SA LIfetime Configure Separate SA LIfetime Use debugging, reset and display commands in all views Debugging IPSecApply Security Policy Group on Interface Ipsec sa dynamic-detect Reset crypto card Display and Debug IPSecDest-address protocol spi IPSec Configuration Example Use the debugging, reset and display command in all viewsDisplaying and Debugging the crypto card Creating an SA Manually Adopt tunnel mode as the message-encapsulating form Select authentication algorithm and encryption algorithmQuote access list Create the IPSec proposal view named tran1 Configure the route Create a security policy with negotiation mode as manualApply security policy group on serial interface Exit to system view Create a security policy with negotiation mode as isakmp Create the IPSec proposal view named trans1Set remote addresses Configure ip address of the serial interface Configure corresponding IKEConfigure serial interface Serial0 Create a security policy with negotiation view as isakmp Establish a security policy with manual negotiation mode Adopt tunnel module for packets encapsulation formReturn to system view RouterB ike pre-shared-key abcde remote Enter Ethernet interface view and configure IP address Set local addressSet encryption key Apply security policy base on serial port Establish a security policy with manual configuration mode Troubleshooting IPSec Ndec card cannot be configuredReturn to the system view RouterB ipsec policy map1 10 manual Do the following Configuring Ipsec Configuring IKE Configuring IKE IKE featuresPolicy Create IKE Policy Ike proposal policy-numberView Delete IKE policy Undo ike Selecting an Authentication Algorithm Select Authentication MethodConfigure Pre-shared Key Select Encryption Algorithm By default, 768-bit Diffie-Hellman group is selected Select Hashing AlgorithmSelect DH Group ID Set Lifetime of IKE Negotiation SA Configure IKE Keepalive Timer Reset ike sa connection-ike-sa-idDisplaying and Debugging IKE Display and Debug IKE IKE Configuration Invalid user ID information Unmatched policy Unable to establish security channel Configuring VPN Configuring L2TP Configuring GRE IX VPN 596 VPN Overview Basic Networking Applications of VPNClassification of IP Authority given by local ISP Layer 2 tunneling protocol Layer 3 tunneling protocolComparison of layer 2 and layer 3 tunnel protocols Configuring VPN Vpdn and L2TP Vpdn Operation Methods of Implementing Vpdn L2TP channel Networking diagram of two typical methods of Vpdn Tunnel and session IV. Call setup flow of L2TP tunnel Control message and data message Features of L2TP Call setup flow of L2TP channel Basic Configuration at Enable L2TPEnable/Disable L2TP L2tp enable Originate L2TP Connection Request and LNS Address L2tp-group group-numberIp-address … domain domain-name By default, L2TP is disabled Configure AAA and Local UsersDefault list-name method1 L2TP Attribute Table Operation Command Create a L2TP group Operation Command Create a virtual templateCreate/Delete L2TP Group Create/Delete a Virtual Template Advanced Configuration at LAC or LNS By default, receiving dial-in from LAC is disabledConfigure the Name of the Receiving End of the Tunnel Configure Local VPN Users Enable Tunnel Authentication Setting Password By default, the local name is the host name of routerSet Local Name Tunnel name name Configure the Interval For Sending Hello Messages Set Tunnel Authentication and PasswordSet the Interval for Sending Hello Message Configure Domain Delimiter and Searching Order ForceSet Domain Name Delimiter and Searching Order This configuration is applicable to LNS only Operation Command Force to disconnect tunnelReset l2tp tunnel remote-name Force to Disconnect Channel Configure the Local Address and Address Pool LCP does not renegotiate by defaultLCP to Renegotiate Enable/Disable Hiding Attribute Value Pairs AV By default, AV pairs are hiddenEnable/Disable Hiding AV Pairs Number of L2TP Sessions L2TP Configuration Examples By default, the maximum number of L2TP sessions isUse debugging, display command in all views Display and Debug L2TP Implement local AAA authentication on VPN user Configure the IP address of Serial1 interface of LACEnable L2TP service and configure a L2TP group Configure BDR dialup parameters Configure the IP address of Serial0 interface of LNS Configure the Virtual-Template-related information Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Client-originated VPN Networking Router-LACip pool 1 192.170.0.3 Configure the IP address of Serial1 interface at LAC side Configure BDR parametersConfigure the IP address of Serial0 interface at LNS side Disable tunnel authentication Network Connection Wizard Network Connection Wizard Connect Connection to Configure an IP address on Serial0 interface Configure a L2TP group and the related attributesConfigure the domain suffix separator to @ Router1 l2tp domain suffix-separator @ Enable AAA authentication Configure Virtual-TemplateForce to implement local Chap authentication III. Procedures Configure a L2TP group and configure the related attributes Configuration at Router2 LNS side Enable AAA authenticationConfigure an address pool 1 in the range of 192.168.0.2 to Configure an access control list and specify L2TP data Fault 1 The users fail to log PPP negotiation fails. The reasons may be Troubleshooting L2TP Configuring L2TP GRE Protocol EncapsulationPacket Encapsulated tunnel message format Refer to RFC Enlarge network operating range Configuring GRE By default, no virtual tunnel interface is createdCreating a Virtual Tunnel Interface Create Virtual Tunnel Interface Address of a Tunnel Must be configured Interface Setting the NetworkPerform the configurations in the tunnel interface view Address of the Tunnel Number discarded Set Tunnel Interface to Check with ChecksumSet the Tunnel to Synchronize Datagram Sequence Numbers Gre key key-number GRE Configuration Example Group1 and group2. It can be implemented by using GREDebugging GRE All views Configure the IP address of Ethernet0 interface Configure Router B Configure the IP address of Serial0 Configure Router a Activate IPX Configure the IP address and IPX address of Ethernet0Configure the static route to Novell Group2 Configure Router B Activate IPX Networking of troubleshooting GRE RouterB ipx route 1e 1f.a.a.a tick 30000 hop Configuring a Standby Center Configuring Vrrp 646 Configuring Standby Center Standby Center Enter the Logic Channel View Address logic-channelnumberFr map protocol address dlci dlci Next-hop-address dialer-number Channel to check whether it has recovered Standby timer enable-delay secondsUndo standby timer enable-delay Standby timer disable-delay seconds Please perform the following configuration in all views Load Sharing viewInterfaces Enter the view of Serial Enter the view of logic channel ChannelRouter-logic-channel10standby interface serial Router-Serial1logic-channel Vrrp Configuration Examples Troubleshooting VrrpVrrp Overview Vrrp Overview Configuring Vrrp Adding a Virtual IPAddress Configure Router Priority in Standby Group Add Virtual IP AddressVrrp vrid virtualrouterid Undo vrrp vrid virtualrouterid Configuring Authentication Method Authentication Key Vrrp provides simple character authentication methodConfigure Authentication Method and Authentication Key Virtualrouterid Configure Standby Group TimerDebugging Vrrp Monitoring Vrrp Configuration Procedure for each configurationBackup with preemption aII. Networking diagram Vrrp Single Standby Gateway services instead Balancing and mutual backup are implementedGateway function as the master Multiple Standby There is requent switchover of the Vrrp state Many master routers exist within the same standby group XI QOS 662 Three Types of QoS Services QOS Overview QOS Overview Benefits of QoS for the Network Service QOS Overview Traffic Classification Traffic Policing Traffic POLICING, Traffic Shaping and Line Rate Committed Access Rate CAR Defining Rules Define CAR RulesQos carl carl-index precedence Precedence-value mac mac-address By default, no CAR rule of ACL list is established Applying the CAR Policy on the InterfaceApply the CAR Rule on the Interface CAR Configuration Applying a CAR Policy to all Packets Configure the Priority Level Based CAR PolicyDisplaying and Debugging CAR Display and Debug CAR Configure the CAR Policy Based on the MAC Address Traffic Shaping Apply a CAR Policy on the Packets that Match ACLMatches ACL Packets Configuring shaping parameters for a specified flow Schematic diagram of GTS processing Configuring shaping parameters for all flows Configure the ACLShape the flows matching 110 on Ethernet interface Configure the Physical Interface LIne Rate Physical Interface LineRate Shape all the flows on Ethernet interface Operation Command Display the LR configuration conditions Displaying Display and Debug LR Debugging LRDisplay qos lr interface type Congestion Management Congestion Management PolicyFifo Queuing Priority Queuing Selecting Congestion Management Policies Comparison of Several Congestion Management Policies Number Queues Advantage Disadvantage Schematic diagram of the first in first out queue Schematic diagram of the custom queuing Weighted Fair Queuing WFQ Schematic diagram of weighted fair queuing Configuring Congestion Management Configuring Fifo QueuingConfiguring priority queuing Configure the First In First Out Queuing By default, no priority queue is established Values of Queue-Option with Protocol as IPProtocol-name queue-option queue Pql-index protocol By default, the interface utilizes the Fifo queue Applying the priority-list queuing group to the interfaceSpecifying the queue length of the priority-list queuing Configuring custom-list queuing Configuring Custom Queuing CQDefault Length Value of the Priority Queue Displaying and debugging the priority queue Configure the Custom-Lst Queuing According to the Interface Configure the Default Custom-List QueuingQueue-number Queue queue-number By default, the interface uses the Fifo queue Configuring the queue length of the custom-list queuingConfigure the Queue Length of the Custom-List Queuing Applying the custom-list queuing group to the interface Configuring Weighted fair queuing Displaying and debugging the weighted fair queueDisplaying and debugging the custom-list queue Congestion Management Configuration Examples PQ Configuration ExampleApply the priority queue 1 to Serial Apply the priority queue 2 to Serial Configure the CQ queue Configure Router B Configure the access control listRouterA-Tunnel0ip address 10.1.1.1 RouterA-Tunnel1destination Configure Serial0 master/slave addresses Configure Tunnel0Configure Tunnel1 WFQ Configuration Example Congestion Management Congestion Avoidance Congestion Avoidance Wred Configuration Enable the WredEnable Wred Function of the Interface Discard-prob Ip-precedence Congestion Avoidance Configuration Example Configure a WFQ queueEnable Wred Displaying Debugging Congestion Avoidance Congestion Avoidance Configuring DCC Configuring Modem XII DIAL-UP 704 Terms in DCC Configuration DCC Overview Circular DCC DCC Resource-Shared DCC Basic DCC features With 3Com RoutersImplementing callback through DCC Configuring DCC Preparing to ConfigurePrepare the data for DCC configuration Configure the local parameters of DCC Configuring the mode of the physical interface Configure Physical Interface ModeLinklayer-protocol-type Ip address ipaddress mask Associating a DCC dialer ACL with the interface Configuring an interface to originate calls to a remote end Configure an interface to receive calls from a remote end Dialer enable-circularDialer number dial-number Undo dialer number Dialer Route protocolNext-hop-address dial-number Undo dialer route protocol Next-hop-address Undo interface dialer number Dialer circular-group numberUndo dialer circular-group Dialer priority priority Interface dialer number Undo interface dialer numberDialer circular-group number Undo dialer circular-group Router Dialer0 Configuring dialing authentication for resource-shared DCC Configuring the dialer interface and dialer numberBy default, no dialer interface is created Enabing Resource-Shared DCC Configuring dialing authentication for resource-shared DCC Configuring MP binding in circular DCC Configure MP Binding in Circular DCCThreshold traffic-percentage Configuring MP binding in resource-shared DCC Configuring PPP callback in the circular DCC implementationConfigure MP Binding in Resource-Shared DCC Dialer threshold traffic-percentage Implement PPP Callback Client Configuration in Circular DCC Implement PPP Callback Server Configuration in Circular DCC Command Telephone-numberNext-hop-address user username Dial-number Features of Isdn caller identification callback Primary rule The best match is the number with the fewestDialer callback-center dial-number Operation Command Configure the local end to implement IdentificationUndo dialer call-in remote-number Callback according to the Isdn caller Configuring Isdn leased line Configuring auto-dialConfiguring Special DCC Functions Configure Isdn leased line for Circular DCC Configuring dialer number circular standby Configuring the Link Idle TimeConfigure Auto-Dial Configure Dialer Number Circular Standby By default, the link idle time is 120 seconds By default, the link disconnection time is 20 secondsConfiguring the link idle time when interface competion Configure the Link Idle Time Configuring the timeout of call setting up By default, the timeout of call setting up is 60 secondsConfiguring the buffer queue length of the dialer Debugging DCC DCC Configuration Examples SolutionDCC Applications in Common Use Configure RouterC Configure RouterBRouter-Serial1dialer circular-group Router-Serial0dialer route ip 100.1.1.1 Router-Serial0dialer bundle-member Router-Serial1dialer bundle-member Configure RouterC Configure RouterC Configure RouterA Router-Dialer0dialer thresholdRouter-Bri0dialer bundle-member Router-Serial015dialer route ip 100.1.1.1 Router-Bri1dialer route ip 100.1.1.1 Router-Serial1dialer enable-circular Router-Serial0dialer route ip 100.1.1.2Router dialer-rule 1 ip permit Router interface serial Router-Bri0dialer route ip 100.1.1.2 user usera Configure the PC Callback for DC CBy the NT server NT Server-to-Router Router-Async0dialer route ip 100.1.1.254 Dial Number Circular Standby and Internet Access for DCC Configure subscriber PC Router-Serial0dialer route ip 100.1.1.254 Router-Serial215ppp authentication-mode chap Router-Serial215ppp chap password simple passb Router-Serial1standby logic-channel Remote end cannot be pinged after the modem is connected DCC Fault Messages Message Fault DCC peeraddr matching error Modem Function Provided by 3Com Routers Modem Script Syntax description of modem script Modem script format in common use is as followReceive-string1 send-string1 receive-string2 send-string2 Which, seconds defaults to 180 and is in the range of 0 to Configure the Modem Dial-in and Dial-out AuthoritiesBy default, modem dial-in and dial-out are allowed Configure Modem Through the AT Command Configure a Modem ScriptConfigure a Modem Script Execute a Modem Script Manually By default, the modem works in non-auto answer mode Configure the Answer Mode for the ModemConfigure Authentication for a Modem Dial-in User Specify the Events Triggering the Modem Scripts Modem Configuration Examples Executethe debugging command in all views for the debuggingConfigure a Modem adaptation baud rate Displaying and Debugging a Modem Restore the ex-factory modem settings Configure the modem initialization parametersAT&b1&c1&d2&s0=0 Power-on Initialization Through Initialization Script Authentication forDirectly Modem Dial-in User Troubleshooting Configuring Modem