Displaying and Debugging Firewall

558CHAPTER 39: CONFIGURING FIREWALL

Table 627 Configure Rules for Applying Access Control List on Interface

Operation	Command

Specify rule for filtering receive/send	firewall packet-filter acl-number[
messages on interface	inbound outbound ]]

Cancel rule for filtering receive/send	undo firewall packet-filter
messages on interface	acl-number[ inbound outbound ]]

By default no rule for filtering messages on interface is specified.

In one direction of an interface (inbound or outbound), up to 20 access rules can be applied. That is to say, 20 rules can be applied in firewall packet-filter inbound, and 20 rules can be applied in firewall packet-filter outbound.

If two rules with different sequence numbers conflict, then the number with greater acl-numbershould be matched preferentially.

Specifying Logging Host Firewall supports a logging function. When an access rule is matched, and if the user has specified to generate logging for this rule, logs can be sent to and recorded and saved by the logging host.

Perform the following configurations in system view.

Table 628 Specify Logging Host

Operation	Command

Specify logging host	ip host	unix-hostname ip-address

Cancel logging host	undo ip	host

For detailed description logging host parameters, see “Logging Function” in “System Management”.

Use debugging, reset and display commands in all views.

Table 629 Display and Debug Firewall

Operation	Command

Display firewall status	display firewall

Display packet filtering rule and its	display acl [ all acl-number
application on interface	interface type number ]

Display current timerange	display timerange

Display whether the current time is within	display isintr
special timerange

Clear access rule counters	reset acl counters [ acl-number]

Enable the information debugging of	debugging filter { all icmp tcp
firewall packet filtering	udp}

Firewall Configuration The following is a sample firewall configuration in an enterprise.

Example

This enterprise accesses the Internet through interface Serial 0 of one 3Com router, and the enterprise provides www, FTP and Telnet services to the outside. The internal sub-network of the enterprise is 129.38.1.0, the internal ftp server address 129.38.1.1, internal Telnet server address 129.38.1.2, and the internal

Page 562

Image 562

3Com 10014299 manual Displaying and Debugging Firewall, Use debugging, reset and display commands in all views

Contents

3Com Router Configuration Guide Marlborough, MA 3Com CorporationCampus Drive 01752-3064Page VPN List conventions that are used throughout this guide This guide describes 3Com routers and how to configure themText Conventions About this Guide 3Com Router Introduction 3Com Router User Interface Page 3COM Router Introduction List of the 3Com Router 1.x features Features of the 3ComFollowing table lists the basic features of the 3Com Router Router Version RIP-1/RIP-2 NAT Quality of service 3Com Router New Features of the 3Com Router 1.x 3COM Router Introduction Environment ConfigurationEstablish Port Establish a new connection Set port communication parameters Establish a remote configuration environment Environment ConfigurationConnection Router Workstation Ethernet Command Line Interface CLI 3COM Router User Interface System view Table Views and their prompts Loopback 0 in any Async 0 in anyEthernet 0 in any Enter controller Full help HelpsPartial help For example List of common command line error messagesCommon error Message Causes Routerdisplay ? Display Features Command LineFeatures Three options are available for users User Identity Following commandsPlease perform the following commands in system view Management System Configure the router nameSet the system clock Reboot the system By default, the system clock is 080000 1 1Execute the following commands in all views Display the System Information Router System Management Page Storage Media and File Types Supported by the System Softwaresoftware Input Ctrl+D, and the following prompt information displays Upgrade Boot ROM Software Software Upgrade the 3ComRouter Main Program Main Program software XModem Approach Modify the terminal baud rate Transfer File dialog box Enable the Tftp server program Preparation for using the Tftp serverTftp server application can run on Windows 95/98/NT Press Enter and the following prompts will be displayed Tftpd32 Set interface Enter Ctrl+B and the system prompts Network Interface Parameters Press Enter for loading Download configuration files from a Tftp serverOperation Command Downloads the 3Com Router main Get ip-addr file-name system Prepare for using the FTP server Set an authentication mode for an FTP server Upgrade the 3Com Router Main Software with FTP Enable FTP server FTP Approach Back up the 3Com Router Main Program SoftwareTftp Approach Copy ip-addr file-name system Setup Users Dialog Box Port-number user user-name password Configure on-line upgrading of the cardUpdate slot slot-number ftpserver host-name Password Perform the following command in system view Configuration File ManagementDownload Configuration File Content and Format of the Configuration File Router download config Load configuration filesDownload Config Set the binary transmission protocol to XModem/CRC Upload configuration files to a Tftp server Display current-configurationcommand output backup approachBack up Configuration Files File-name config Please use the following commands in corresponding views View router configuration Set the Flag Bit to Enter the Initial Setup Mode Select and view the storage media of configuration fileSave current configuration Erase the configuration file in storage media Client via port 20 and transfer data Configure FTPConfigure authentication and authorization of FTP server Files on the router Please enter the following commands in system view Enter the following commands in system viewConfigure Parameters of FTP Service Set the authentication mode of FTP server Force to shut down FTP process Set FTP update modeSet the connection time limit of FTP service Force to shut down FTP process Server Display detailed information of the FTP user Display FTP Server Display FTP serverDisplay ftp-server Display local-user System Management Service at Console Port Terminal ServiceFeatures of Terminal Overview Terminal Message ServiceSet the attributes of terminal service On one router Display Terminal Message Service Perform the following configuration in all viewsConfigure Terminal Message Service Enable/disable receiving messages from other terminals Terminal Service Typical Example Terminal Message Service ConfigurationDumb Terminal Configure Auto-execute command Configuration Examples Dumb Terminal ServiceConfigure Dumb Terminal By default, no dumb terminal service is configured Configure the auto-execute command command Terminal Service Telnet ConnectionConfigure the interface to dumb terminal mode Router-Serial1auto-execute command telnet Service Value Terminal service features of telnet connectionEstablish Telnet Connection Service-port Setup Reverse Telnet ConnectionEnable Reverse Telnet connection Establish Telnet Server or Telnet Client connection Example of Telnet Typical Configuration Example of Telnet Reverse TelnetForce shut down Telnet Process Force to shut down Telnet process Example of Reverse Telnet Rlogin TerminalUse Rlogin protocol Router telnet 10.110.164.44 Rlogin ip-address username Establish a Rlogin connectionTypical Rlogin Configuration Examples Use local user name abc to log on PAD Remote Access ServiceCommunicate with other terminals through the X.25 network Service-type type password Configure X.25 PAD remote userConfigure X.25 PAD remote user Local-user user-name Establish an X.25 PAD call Start AAA authentication of X.25 remote usersEnable AAA authentication for X.25 remote PAD users Establish a X.25 PAD call Display and Debug II. Networking DiagramIII. Configuration Procedure Set the Response Time to the Invite Clear Message RouterA-serial0x25 x121-address Fault Diagnosis TroubleshootingSet its X.121 address as RouterB-serial0x25 x121-address Snmp Overview Development of Snmp Configuring Network Management Snmp architecture SNMP-supported MIB 3Com Router-supported MIB By default, the system disables Snmp serviceEngineid Perform the following configurations in system view Configure Snmp version and related tasks V1 username Configure information of router administratorConfigure the traps to be sent by the router Interface-number Name Perform the following commands in all viewsDisplay and debug Snmp Byte-count Configure an IP address for the Ethernet interface ethernet Example 1 Configure Network Management of SNMPv1Set the community name and access authority Examples Networking Requirements Rmon Overview Configure an IP address for the Ethernet interface ethernetNetwork equipment Schematic diagram of Rmon application Enable Rmon statistics Examples Networking Requirement RouterA-Ethernet0 rmon promiscuous Commands to display information of the whole system Ping command Test Tool of Network Connection Ping supporting IPX protocol Ping supporting IP protocolSystem displays Ip-address Timeout host Following command can be executed in any command modesTracert command MaxTTL -p port -q nqueries Configure on the router Log Function Set the direction of syslog outputting log information Sylog-defined severity is as follows Set Severity of Log InformationPerform the following task in system view Set Filter of Log Information Display and Debug Syslog Configuration of Log HostTurn on/turn off syslog Turn on/turn off syslog Routerinfo-center enable Syslog Configuration ExampleTurn on debugging switch of PPP module Routerdebug ppp all Display and Debugging Tools POS Terminal Access Service Dial-up POS Access POS Network Access Advantages of POS network access are as follows Configure POS access port POS Access Service ConfigurationStart POS server App-number Configure a POS applicationInterface-type interface-number Ip-address port-number Default app-number Configure POS multi-application mapping tableBind the source address of TCP connection Set the parameters of FCM used during Modem negotiation Display and Debug POS AccessDisplay and debug POS access Set the parameters of FCM used during Modem negotiation Configure the POS access interface FCM0 Typical Configuration Example of POS Access ServiceConfigure the Ethernet interface Ethernet Configure POS access interface FCM1 Configure POS access interface FCM0 Configure POS access interface FCM2III. Configuration Procedure 1 Start the POS access server III. Configuration Procedures Configure Async 0 to operate in POS application modeConfigure Async 1 to operate in POS application mode Configure Router a Start the POS access server Configure Router B Configure the Ethernet interface Ethernet RouterA ip route-static 10.1.1.2 255.255.255.0 serial III Interface 106 Interface Configure InterfaceEnter the Interface View Set time interval for flow control statistics Exit the Interface ViewInterface view, input quit to return to the system view Interface-description Display and debug interface Please use the following commands in all viewsDisplay and Debug Interface Interface state information Interface Configuration Overview Configure Ethernet Interface Ethernet Interface Set IPX address Enter view of specified Ethernet interfaceSet IP address Set frame format of sending message Display and Debug Select work mode of Ethernet interfaceEnable or disable internal loopback and external loopback Select working rate of fast Ethernet interface Troubleshooting Typical Ethernet Interface Configuration ExampleII. Network Diagram Troubleshooting Configuring LAN Interface Introduction WAN InterfaceAsynchronous Serial Interface Interface async number Enter view of specified asynchronous interfaceInterface serial number Modem in out Set the work mode of asynchronous serial interfaceSet the baud rate of asynchronous serial interface Link-protocol slip ppp Flow-control none software Async Mode protocolHardware inbound outbound Odd space Works in flow modeParity even mark none Stopbits 1 1.5 Set MTU of asynchronous serial interface BackupAUX Interface Set the coding format of Modem Configure Synchronous Serial Interface Configure AUX interfaceConfigure AUX interface Synchronous Serial Interface Physical-mode sync Enter view of specified synchronous interfaceSet the link layer protocol of synchronous serial interface Link-protocol fr hdlc Set the baud rate of synchronous serial interface Select work clockWorking modes have different working clocks Synchronous serial interface is 64000 bps Select work clock Inversion is disabled by defaultSet clock inversion Undo detect dcd Internal loopback/external loopback are disabled by defaultDetect dcd Reverse-rts Technical Background Isdn BRI InterfaceIdle coding of synchronous serial interface is 7E Graphics and video Be clear about the following items before the configuration Preparations before ConfigurationFunction group includes Network protocols such as IP and IPX Channelized operating modeCE1/PRI Interface Interface or a PRI interface Interface Configure CE1/PRI CE1/PRI interface configuration includesDial-on-Demand Routing Enter the view for a specified interface Bind the interface to be channel sets Enter the synchronous serial interface viewNumber set-number Pri-set timeslot-list range Bind the interface to be a pri setEnter the Isdn interface view Undo pri-set Set the line clock of the CE1/PRI interface Enable/disable the internal loopback/external loopbackSet the line code format on the CE1/PRI interface Set the frame format of CE1/PRI interface Configure CT1/PRI CT1/PRI Interface Controller t1 number Operation Command Enter the view of CT1/PRI interfaceTimeslot-list range speed Interface serial number23 Set the line clock of the CT1/PRI interface Set the line code format on the CT1/PRI interfaceSet the frame format of CT1/PRI interface E1-F Interface Choice for E1 accessE1-F interface does not support PRI operating mode Them into multiple channel sets Interface serial serial-number Set Operating mode for an E1-F interfaceEnter the view of an E1-F interface Fe1 unframed Set line code format for E1-F interfaces Set interface rate after binding operationSet line clock for an E1-F interface Display and debug E1-F interface Enable/Disable local/remote loopback on an E1-F interfaceSet frame format for an E1-F interface Serial-number T1-F Interface Choice for T1 accessT1-F interface does not support PRI operating mode 193 X 8k = 1544kbps Set line code format for T1-F interface Set line clock for a T1-F interface Enable/Disable local/remote loopback on a T1-F interfaceSet frame format of T1-F interface Display and Debug T1-F Other related informationCE3 Interface Display and debug T1-F interface Enter the view of the specified E3 interface Set the operating mode of E1 channel Set the operating mode of CE3 interfaceSet E1 frame format 44.736Mbps Mode non-channelized modeCT3 Interface Data bandwidth 44736kbps Enter specified CT3 interface view Set clock mode of the CT3 interfaceSet clock mode of the T1 channel Set cable length of the CT3 interface By default, the CT3 interface uses the C-bit frame format By default, loopback is disabled Set Frame FormatPerform the following configurations in CT3 interface view Set CRC of the serial interface Set the operating mode of T1 channelT1 line-number unframed Disable and Enable CT3 interface Display and debug of the CT3 interface Configuring WAN Interface Logical Interface Dialer Interface Configure Loopback Null Interface Sub-Interface Number.sub-number Configure sub-interfaces of Ethernet interfaceCreate and delete WAN sub-interface Number.sub-number multipoint Select frame relay link layer protocol Enter the view of WAN interface Serial0 of router aRouterinterface serial Set its IP address to 202.38.160.1 and address mask to Configure the static route from router a to LAN2 and LAN3Specify DTE as its frame relay terminal type Allocate a virtual circuit with Dlci 50 to it Interface virtual-template Set work parameters of virtual-templateCreate or delete virtual-template Undo interface Display state of the specified virtual-template Fault 1 Fail to create virtual interfaceTroubleshooting the reasons may be as follows Virtual-template-number Link Layer Protocol 164 PPP Authentication Mode PPP Overview Configuring PPP and MP For detailed description of PPP, refer to RFC1661 Configure PPPMP Overview Transmission time of large packets Configure the peer authenticates the local in PAP mode Configure the link layer protocol of the interface to PPPConfigure the local authenticates the peer in PAP mode Name-list Cipher password Configure the local authenticates the peer in Chap modeConfigure as the peer authenticates the local in Chap mode User username Configure the time interval of PPP negotiation timeout Configure AAA authentication and accounting of PPPConfigure PPP compression Ppp lqc forbidden-percentage Perform the following configuration in interface viewConfigure PPP link quality monitoring Resumptive-percentage Create/Delete virtual template Configure MP Protocol Parameters Create Virtual TemplateConfigure Operating Parameters of Virtual Template Bind the physical Interface to a Virtual Template Specify the conditions for MP binding User-name Configure virtual Baud rate on interface Frags Configuration Requirement Typical PPP Configuration ExampleExample Configure to start Chap authentication at this side Typical MP Configuration ExampleII. Configuration Procedure Set local username as Router1 Configure router-b Add a user for router-a Configure virtual interface templateConfigure router-c Add a user for router-a Fault 2 Physical link fails to turn to Up status Fault Diagnosis TroubleshootingFault 1 Link always fails to turn to up status Indicates that the interface is shutdown PPoE Overview Introduction to PPPoE client Configure PPPoE Client Configure PPPoE session Reset or delete PPPoE session Access a LAN to the Internet via Adsl Typical PPPoE Configuration ExamplePerform the display and debugging command in all views III. Configuration Procedure 1 Configure a dialer interface Configure the DDN interface Serial Configure a PPPoE sessionConfigure the LAN interface and the default route Use Adsl as Standby Line Configuring Pppoe Client Slip Overview Configure SlipAsynchronous mode For further details about SLIP, you can refer to RFC1055 Time Enable/Disable the information debugging of SlipTypical Slip Interconnect two Router routers via Pstn and run IP Configure the Dialer String to router B Configure Router a Configure Dialer RuleConfigure IP address of synchronous/asynchronous interface Configure the default route to Route B Routerip route-static 0.0.0.0 0.0.0.0 Configure Isdn Isdn Overview Configure the length of call reference By default, DSS1 signaling is used on Isdn PRI interfacesConfigure type of signaling on Isdn interface Configure the receiving mode Timer-name all Configure the sending modeConfigure interval for Qsig signaling timer Time-interval Perform the following configuration in Isdn interface view Configure Call Processing Method on an InterfacePerform the display and debugging commands in all views Configure the Isdn PRI interface Typical Configuration ExampleConfigure Router a Create an Isdn PRI interface RouterB transmit data after the call is set up Configure Router a Configure Router B Lapb Protocols Overview PSN 25 packet and Lapb frame By default, the Lapb modulus is Modulo Configure LapbBy default, k is Configure Lapb N1, N2 Configure Set X.25 working mode Configure X.25 InterfaceSet/Cancel the X.121 address of the interface Address 25 channel delimitation parameters Parameter Meaning Set/Cancel X.25 packet numbering modulo By default, X.25 interface use modulo 8 modeSet/cancel X.25 virtual circuit range Finally, the following should be noted Set the default flow control parameter Configure X.25 flow control parameterConfigure X.25 Interface Supplementary Parameter Out-packets 25 layer 3 timer Set X.25 layer 3 timer delay Alias-string Specify/Cancel an alias for the interfaceAlias match modes and meanings Match-type alias-string Set/Cancel the default upper layer protocol borne on Protocol-address x121-address Configure X.25 Datagram TransmissionCreate the permanent virtual circuit PVC Address option X25 pvc pvc-number protocol Configure Additional Parameters Datagram TransmissionCreate/Delete permanent virtual circuit Undo x25 pvc pvc-number Interface view, perform the following task Specify/Cancel packet pre-acknowledgement Configure X.25 user facility Configure the sending queue length of virtual circuit Serial port view, list1 can be quoted Address broadcast Set broadcast viaSet interface with standby center Address logic-channel Configure X.25 Switching Switching FunctionConfigure X.25 sub-Interface Number.subinterface-number multipoi Add or delete a PVC route Configure X.25 Load BalancingIntroduction to X.25 Load Balancing Configure X.25 List of Configuration Tasks of X.25 Load Balancing Diagram of X.25 network load balancing Create/Delete X.25 hunt group Start /Close X.25 switching functionAdd/Delete interfaces or XOT Tunnels in hunt group Configure X.25 over TCP XOT Configure X.25 over Other ProtocolsAdd/delete other X.25 switching routes Introduction to XOT Protocol Configure XOT Configure SVC XOT switching Start X.25 switchingConfigure local switching For PVC, perform the following tasks in interface view Configure X.25 over Frame Relay Annex G Configure Annex G Data InteroperationConfigure PVC XOT switching Configure Keepalive and xot-source attributes Configure the X.25 Attributes for a Dlci Configure the X.25 attributes for an Annex G Dlci Current status of Lapb Typical Lapb Configuration ExampleBy default, X.25 template is not applied on DLCIs Specify IP address for this interface Configure Router a a Select interface Configure Router B Select interfaceSpecify X.121 address of this interface Specify address mapping to the peer Connect the Router to X.25 Public Packet Network Configure Router B Configure interface IP address Configure Router a Configure interface IP addressConfigure Router C Configure interface IP address Range Configure Virtual Circuit I. Networking RequirementDisabled Transmit IP Datagram via X.25 PVC Typical Sub-Interface Configuration Example Router-Ethernet0ip address 196.25.231.1 Configure Router D Configure Router CCreate sub-interface serial SVC Application of XOT I. Networking Requirement Routerx25 switch svc 2 interface serial Configure Router C Start X.25 switchingConfigure Serial Routerx25 switch svc 1 xot Application of X.25 Load Balancing S11 Enable X.25 switching in system viewConfigure X.25 switching route to forward to X.25 terminal Add Serial 1, Serial 2 and XOT Tunnel to hunt group Load Balancing Carrying IP Data Transmission Routerx25 switch svc 1111 xotRouterx25 switch svc 8888 interface serial Routerinterface serial Router-Serial0link-protocol x25 dce Configure static route to RouterC Configure RouterA Configure interface EthernetConfigure interface Serial Configure RouterB Configure interface Ethernet Configure the local X.25 address Configure the static route to RouterA and RouterBConfigure RouterA Create an X.25 template Configure an IP address for the local interface Associates an X.25 template with the Dlci Configure RouterB Create an X.25 templateMap the Frame Relay address to the destination IP address SVC Application of X.25 over Frame Relay Configure Serial 0 as the X.25 interface Configure the router Router B Enable X.25 switchingEnable switching on Frame Relay DCE Configure Serial 1 as the Frame Relay interface Configure the Frame Relay Annex G Dlci Configure X.25 over Frame Relay switchingConfigure the router Router C Enable X.25 switching Configure local X.25 switching.Router-fr-dlci-100annexg dte Configure an X.25 template Configure Router D Configure the basic X.25 parametersConfigure Router B Enable X.25 switching Configure S1 as the Frame Relay interface Configure Serial Configure S1 as the Frame Relay interface Lapb Facility options inhibited by network have been carried Fault Diagnosis and Troubleshooting of X.25 Configuring Lapb Configuring Frame Relay Relay By default, the interfaces link layer protocol is PPPLink-protocol fr ietf Nonstandard Configure Frame Relay interface type Configure Frame Relay LMI protocol type Fr lmi n392dce n392-value Fr lmi n391dte n391-valueUndo fr lmi-n391dte Undo fr lmi n392dce Undo fr lmi t391dte Undo fr lmi n393dceFr lmi t391dte t391-value Fr lmi t392dce t392-value Configure Frame Relay static address mapping Configure Frame Relay dynamic address mapping Fr dlci Configure Frame Relay local virtual circuit numberCreate Frame Relay sub-interface Undo fr Applying dynamic address mapping to the sub-interface Configure virtual circuit of Frame Relay sub-interfaceEstablish static address mapping Configure Frame Relay local switched PVC number Configure the Frame Relay local virtual circuit numberConfigure the route for Frame Relay PVC switching Configure the Frame Relay switched PVC Configure Multilink Frame Relay FRF.16 Overview Configure MFR interface parameter Configure MFRConfigure a MFR bundle interface MFR interface Subnumber Frame Relay Compression Configuration Configure the parameters of the bundle link interface Configure Frame Relay Fragment Attributes By default, interfaces use initiative compressionConfigure Frame Relay Fragment FRF.12 Configure Frame Relay Compression on multipoint interface Fr traffic-shaping Disable the Frame Relay traffic shapingFrame Relay Traffic Shaping Undo Fr traffic-shaping Rate Frame Relay Queueing Management Frame Relay Traffic Policing 150 Kbps 100 Kbps CI R ALLOWº£ 64 Kbps Frame Relay Congestion Management Frame Relay DE rule list Configure Frame Relay Traffic Shaping By default, no Frame Relay class is createdConfigure the Frame Relay class parameters Undo fr-class class-name Enable/Disable the Frame Relay traffic shaping Configure the parameters of Frame Relay class Enable/Disable the Frame Relay traffic policing Queue-percentage Dequeue-percentage Configure Frame Relay Queueing Management Configure Frame Relay DE Rule ListConfigure the Frame Relay PVC queueing Configure Pipq Configure a tunnel interface Configure Frame Relay over Other ProtocolsConfigure Frame Relay over IP Configure Frame Relay switching Frame Relay over Isdn Operation Process and Fundamentals Networking of a typical Frame Relay over Isdn application Physical Connection Between Frame Relay over Isdn Devices Frame Relay switching connection between DTE devicesBack-to-back connection between DTE and DCE devices Configure Frame Relay over Isdn Configure the Frame Relay-related commands Configure the link layer protocol of the interface Configure the commands related to Frame Relay switchingDlci Display and Debug Frame Relay Configure parameters related to dialer profilesDisplay and debug Frame Relay Isdnsubaddress Type number dlci Number dlci dlci-numberNumber interface serial Mfr number Interconnect LANs via Frame Relay Network Typical Frame Relay Configuration ExampleConfigure static address mapping Router-Serial1fr map ip 202.38.163.251 dlci Interconnect LANs via Private Line Configure local virtual circuitRelay FRF.16 Router-Serial1ip address 202.38.163.253 Example FRF.9 Create a MFR interfaceBundle Serial 0 and Serial 1 to mfr Them FRF.12 III. Configuration Procedure 1 Configure Router aIII. Configuration Procedure 1 Configure RouterA Fragment between them Router-fr-class-96ktraffic-shaping adaptation becn IP ConfigurationRouterfr class 96k Typical Frame Relay over Configure Frame Relay over IP Configure IP interface Ethernet0Configure tunnel interface Router-Serial0fr interface-type dce Router-Dialer0dialer number Router-Dialer0dialer call-in Configure the Frame Relay parameters on Bri0Router-Bri0fr map ip 110.0.0.2 dlci Router-Dialer0fr interface-type dce Configure the Frame Relay-related parameters on Bri0 Configure Frame Relay SVCs Router-Serial1.1ip address 130.0.0.2 Fault 1 the physical layer in Down status Fault Diagnosis Troubleshooting Frame RelayFault 4 Frame Relay data cannot be transmitted across Isdn Configuring Frame Relay By default, the link layer protocol of the interface is PPP Configure HdlcConfigure Hdlc Display and Debug Hdlc Configure the link layer protocol of the interface to Hdlc Enable Hdlc packet debugging Debugging Hdlc Packet Interface Bridge Overview Configure Bridge’s Routing FunctionTypical Bridge Configuration Bridge Overview Obtain address table Main Functions of Bridging Bridge Overview Forward and Filter Final bridging address table Eliminating loop Filter not forward Preliminary examination state of bridging loops Spanning Tree Topology Bpdu Forwarding Mechanism Spanning tree topology Enable/Disable bridging functions Configure Bridge’s Routing FunctionBy default, disable bridging functions Bridge enable Add ports to a bridge-set Configure static address table entriesSpecify the STP version supported by the bridge-set Mac-address Configure the aging time of dynamic address table Enable/Disable forwarding by using dynamic address tableDisable/Enable STP on ports Configure the path cost of bridge port Configure the bridge priorityConfigure the bridge port priority Configure the interval for sending BPDUs Configure the forward delay for the port status transition Configure the Max age of Bpdu Create ACLs based on varied Ethernet encapsulation formats Acl acl-number Configure a bridge-template interface Enable/Disable bridge’s routingBridge-set Link-set Define a link-setShare load by source MAC address Bridgebridge-set link-set link-set Map the bridge address to Dlci Configuration on the interfaceDefine a dialer list Display and debug bridge Typical Bridge ConfigurationDisplay and Debug Bridge Transparent Bridging Multiple LANs Configure Router B Configure Router aRouter-Serial0bridge-set 1 stp disable Transparent Bridging over Frame Relay Transparent bridge over the Frame Relay Router-Serial1dialer route bridge broadcast Connected are failed Asynchronous Dial-inStandby Please refer to Figure Bridge-Template interface Networking of bridge-template interface Bridging on Sub-Interfaces Networking for bridging on sub-interfaces Routerbridge enable Routerbridge 1 stp ieee Link-Set Configuration I. Networking RequirementsRouter-Serial1bridge-set 1 link-set Network Protocol 316 Configuring IP Address IP address classes and ranges Network IP network range Description Class Sub-net classification of IP address Configure master IP address of an interface Configure IP Address Configure IP Address for an InterfaceBy default, the interface has no master IP address Ip address ip-address mask Delete slave IP address of an interface Configure slave IP address of an interfaceIp address ip-address mask Mask-length sub Undo ip address ip-address Introduction to IP address unnumbered By default, the interface has no negotiating IP addressConfigure IP Address Unnumbered for an Interface Set negotiable attribute of IP address for an interface Configure IP address unnumbered Configuration Example I. Configuration RequirementsConfigure routing to Ethernet segment of Shenzhen router R1 Borrow IP address of Ethernet interface Router-Ethernet0ip address 172.16.20.1 Configure router R1 of Shenzhen subsidiaryBorrow IP address of Ethernet Router ip route-static 0.0.0.0 0.0.0.0Page Configuring IP Address Undo arp static ip-address Define a static ARP mappingArp static ip-address Arp dynamic ip-address Name Resolution Configure DomainName Resolution Display and Debug ARP Display and Debug domain name resolution Display and Debug Domain Name ResolutionDisplay ip host Interface-number.subinterface-number Create Ethernet subinterfaceSpecify the Vlan on which Ethernet subinterface is located Vlan-type dot1q vid vlan-id Display and Debug Display and Debug Vlan Configure IP address of Ethernet subinterfaceTypical Vlan Configuration Example Display vlan Troubleshooting The steps below can be taken Configure IP address for the subinterfaceConfigure Vlan information of LAN Switch Router-Ethernet0.1ip address 3.3.3.8 Dhcp vs Bootp Dhcp Server ConfigurationFault Ping Two PCs, but fails to ping them through Background of the Dhcp development Following figure Occasions in which Dhcp server is appliedDhcp server Dhcp clients Dhcp client logs into the network again Dhcp Server Configuration Undo Dhcp enable Enable/disable the Dhcp serviceDhcp Enable Dhcp server ip-pool pool-name Netmask Configure the statically binding IP address and MAC addressNetwork ip-address Low-ipaddress high-ipaddress Low-ipaddress high -ipaddress Configure the domain names of Dhcp clients By default, the IP address of DNS is not configuredConfigure the gateway router address of client Configure the DNS addresses in a Dhcp address pool Nbns-list ip-address1 Set the type of NetBIOS node for Dhcp clientSet the type of NetBIOS node for Dhcp client Ip-address2 ... ip-address8 Display and Debug Dhcp Server Use reset, debugging and display command in All viewsConfigure Dhcp self-defined options Display and Debug Dhcp servers Router dhcp enable III. Configuration Procedures 1 Enable the Dhcp serviceRouter dhcp server forbidden-ip At the client, use ipconfig /releaseall Router-dhcp2nbns-list Router-dhcp2gateway-list Ip relay-address ip-address Configure interface relay addressOperation Command Configure interface relay address Delete interface relay address IP address from Dhcp server through application Dhcp Relay Configuration RequirementDhcp Relay Available on Dhcp server Configure Dhcp relay router Networking diagram of an Dhcp relay configuration example Fault 2 fail to forward transparent transmission protocol Private Network Address and Public Network Address Under which condition should the address be translated Role the Network Address Translation NAT plays Characteristic of Network Address Translation NATMechanism of Network Address Translation NAT End-addr pool-name Configure address poolPerformance of Network Address Translation NAT Pool-name Undo nat outbound acl-number Nat outbound acl-numberAddress-group pool-name Undo nat outbound Nat server global global-addr global-port Configure the Internal ServerConfigure the Timeout of address translation Www inside inside-addr inside-port any Typical NAT Configuration Example Display and Debug NAT Display and debug NAT Set internal FTP server Configure address pool and access listAllow address translation of segment at 10.110.10.0/24 Set internal WWW server Configure a default route to serial Configure address access control list and dialer-listConfigure dial-up property for the interface Correlate the address translation list and the interface Fault 2 Internal server abnormal Configuring IP Application Configure maximum transmission unit on an interface Configure IPTo configure IP performance, carry out the following steps Performance Configure TCP Tcp window size Configure Fast Forwarding Forwarding Perform the following configuration in system viewDisplay and Debug IP Display and Debug Fast Display and Debug fast forwarding Router info-center enable Router debugging tcp packet Troubleshooting IP Performance ConfigurationRouter info-center enable Router debugging tcp event Configuring IP Count Ip count enable IP Count ConfigurationEnable/Disable IP Count service Undo ip count enable Configure IP Count list Configure IP Count on an interfaceSpecify count maximum of exterior Specify count maximum of interior By default, IP Count entries time out after 720 minutesCount Display and debug IP Count Not been configured on the interface of the router IV. Test ProcedureInformation is displayed Configuring IP Count Configuring IPX IPX address SAP Configure relative parameters of IPX SAP Configure IPXModify length of service information reserve queue Its first Ethernet interface as its node address Enable/Disable a Default Route Enable IPX interfaceConfigure IPX RIP static route Perform the following task in interface view Configure the maximum size of RIP update packet Configure RIP updating periodConfigure RIP aging period Configure the maximum number of IPX parallel route Configure length of route reserve queue Configure static service information table item Configure reply to SAP GNS request Configure SAP aging periodConfigure size of SAP maximum updated message Ipx sap timer update seconds Configure Using touch-off for an interface Disable split-horizon Modify Encapsulation Format of IPX Frame on Interface Configure the delay of interface sending IPX packetsConfigure management of IPX packet Encapsulation format of IPX frame Configure Router a a Activate IPX Display and Debug IPX Display and Debug IPX Configure an information about Server2 file service Configure an address map to Router BConfigure a static route to network ID Configure an information about Server2 directory service Configure an information about Server1 directory service DLSw Protocol Init-window-size max-frame Configuration of DLSwCreate DLSw local peer entity Max-frame-size max-window Configure Bridge set connecting to DLSw Create DLSw remote end peer entity Configure to add ethernet port to Bridge set Configure Sdlc role Sdlc-address Configure Sdlc virtual MAC addressConfigure Sdlc address Controller sdlc-address Configure XID of Sdlc Configure Sdlc peer entityAdd synchronous Interface to Bridge set Configure baud rate of synchronous Interface Configure to stop running DLSwBaudrate Configure LLC2 local acknowledgement delay time Configure Idle time encoding mode of synchronous InterfaceConfigure parameters of DLSw timer Mseconds Configure LLC2 premature acknowledgement window Configure modulo value of LLC2 Configure Busy status time of LLC2 Configure retransmission number of LLC2Configure LLC2 local acknowledgement time Configure P/F wait time of LLC2 Configure Queue Length of Sending Message of Sdlc Configure REJ status time of LLC2Configure queue length of sending message of LLC2 Configure Sdlc local acknowledgement window Configure retransmission number of Sdlc Configure maximum receivable frame length of SdlcConfigure poll time interval of Sdlc Lsap Configure SAP address for transforming Sdlc to LLC2Configure data bi-directional transmission mode of Sdlc Dsap DLSw Typical DLSw Configuration ExampleDLSw Configuration Networking Requirement IP across WAN DLSw Configuration Router a ConfigurationRouter B Configuration Router dlsw local Networking diagram of DLSw configuration of SDLC-SDLC Networking Diagram of SDLC-LAN Diagnosis DLSw FaultWhen using command display dlsw remote Virtual circuit cant attain Connected state Diagnosis and Troubleshooting of DLSw Fault Configuring Dlsw VI Routing 404 IP Routing Protocol IP Routing Protocol Routing Protocol and Routing Priority Routing Protocol or Type Corresponding Routing Priority Ospf ASE Configuring Static Routes Default Route Configure a Static Route Configuring a Static RouteConfiguring a Static Route Transmitting interface or next hop address Preference Configuring a Default RouteDisplaying Debugging Routing Table Other parameters Static Route Troubleshooting aOther RIP Overview Configure RIP Features is not subject to whether RIP has been enabled Enable RIP at the Specified Network Enabling RIP Specify RIP Version By default, the interface runs RIP-1Define a Neighboring Router Peer ip-address Disable a Host Route RIP Version 1 enables zero field check by defaultConfigure Check Zero Field of RIP Version Specify the Status of an Interface Summarization for RIP Authentication onEnabling Route Version Configure Route Import for RIP By default, the default route metric for RIP isConfigure RIP Horizontal Segmentation on the Interface Specify a Default Route Metric Value for RIP Specify Additional Route Metric Value for RIP Configure filtering route information received by RIPDistribution for RIP Set Route Preference Filter the Routing Information Being Advertised by RIP Reset RIPDisplaying and Debugging RIP Display and Debug RIP RIP Unicast Ospf Overview Ospf Configuration ExampleOspf Overview Displaying and Debugging Ospf Configuring Ospf Router id router-id Enable OspfSpecify Router ID Undo router id Area-id By default, Ospf is disabledArea area-id Ospf network-type broadcast nbma Configure the Network Type of the Ospf InterfaceConfigure Sending Packet Cost P2mp P2p Configuring a Peer for the Nbma Interface Cost Ospf Dr-priority value Operation Command Set the priority of the interface whenSpecify the Router Priority Undo Ospf dr-priority Specify Hello Intervall Specify Dead Interval Specify Transmit-delay Configuring a Stubby Area and a TotallySpecify Retransmitting Interval Stub cost cost area area-id Perform the following configuration under Ospf viewConfigure Totally Stubby Area of Ospf No-summary Perform the following configuration in Ospf view Configure an Nssa Area of Ospf Area-id advertise notadvertise Configure Route Summarization Within Ospf DomainAbr-summary address mask mask area Undo abr-summary address mask mask Create and Configuring a Virtual Link Area-id None Router-id None Configure Authentication Key-id Configure Route Import for Ospf Configure Parameters When Importing External Routes Debugging Ospf Configure filtering route information received by OspfDisplaying Filter for Ospf Configuring Ospf on the Point-to-Multipoint Network Ospf Configuration ExampleRouter D 201 Router B 301 302 Router C 1.3 RouterA-Serial0ospf network-type p2mp Enable OspfRouterC ospf enable RouterB-Serial0ospf network-type p2mp Configure DR on Ospf Preference E0 192.1.1.2/24 E0 10.1.2.3/24 1.1 4.4 E0 192.1.1.1/24E0 192.1.1.4/24 2.2 3.3 RouterA display ospf peer RouterD display ospf peer Between Router B and Router C To configure an Ospf virtual link Configure Router aRouterB-ospfVlink peer-id 3.3.3.3 transit-area To configure Ospf peer authentication Configure Router a Ospf Configuration Troubleshooting anNormally Ospf Configuration Example Configuring Ospf BGP Overview BGP Configuration ExampleBGP Overview Displaying and Debugging BGP Configuring BGP By default, BGP is disabled Resetting BGP Connections Enabling BGPPerform the following configurations in system view Perform the following configurations in BGP view Set the Timers for BGP Peer Configure the BGP Version of the PeerConfigure BGP Route-update Interval Configure the Peer to be the Client of the Route Reflector Configure to distribute default route to the peerConfigure to Send Community Attribute to the Peer Configure to Distribute Default Router to the Peer Create a BGP Route Filtering Based on AS Path for the Peer Create a Fltering Policy Based on Access List for the PeerConfigure the BGP MED Metric Allow Comparing Path MED Timers keepalive-interval Configure the Local PreferenceConfigure the Keepalive Timer and Holdtime Tmer for BGP Holdtime-interval Peer group-name By default, there is no BGP peer in a peer groupAdd a Peer to the BGP Peer Group Group-name Set the Timers of BGP Peer Group Configure AS Number of BGP Peer GroupConfigure Connection Between Peers Indirectly Connected Configure BGP Routing Update Sending Interval Configure to Send the Default Route to the Peer Group Configure to send the default route to the peer groupCreate Routing Policy for Peer Group Configure BGP Version of Peer Group By default, software accepts BGP VersionCreate an Aggregate Addresses As-set By default, an aggregate is disabledAggregate address mask Undo aggregate address Clients within the reflection group Reflect between-clientsUndo reflect between-clients Standard-community-list-number Configure the Cluster IDConfigure BGP Community Extended-community-list-number Configure the Sub-system of E Confederation Configure a ConfederationAs-number … Schematic diagram of route dampening Display Route Flap Information Configure Route Import for BGP By default, BGP synchronizes with IGPIs insured When AS is not a transitional AS Configuring Still exists Define an AS Path-list entry Define an access list entryEntry, an AS Path-list Define a routing policy Define a match rule Perform the following configurations in Routing policy viewDefine an apply clause Filter for BGP Filter Routing Information Being Advertised by BGP Reset BGP ConnectionsDebugging BGP Display and Debug BGP As-regular-expression acl BGP ConfigurationProcedure for each configuration Acl-number network-address Networking diagram of configuring AS confederation RouterB-Serial1ip address 193.1.1.2 Configure Router B Configure BGP peersRouterA-bgppeer 192.1.1.2 as-number RouterC-ospfinterface serial Configure Router D Configure BGP peers Specify BGP transmission network Configure peerStart BGP RouterA-acl-1rule permit source 1.0.0.0 RouterC-acl-1rule permit source 1.0.0.0 RouterC-bgppeer 193.1.1.1 route-policy localpref import RouterD-ospf network 4.0.0.0 0.0.0.255 area 0 RouterD bgp Configuring BGP IP Routing Policy Configuring IP Routing Policy Policy Configure IP RoutingOperation Command Define a routing policy and enter into Define a Routing Policy Configure a Matching Rules No-export addtive none Define a Setting ClauseApply community aa nn Apply tag tag-value Route-policy route-policy-name Configure Route ImportTag tag-value type 1 Ip ip-prefix prefix-list-name Define an IP Prefix ListGe-value less-equal le-value OSPF-ASE external route discovered by Ospf protocol Perform the following configurations in all viewsDebugging IP Routing Policy BGP route discovered by BGP protocol Routing Policy Configuring IPWith different weighting values Protocol Route Information Normal operation Troubleshooting IPConfigure RIP protocol Routerip ip-prefix p1 permit 192.1.1.0/24 Configuring IP Routing Policy IP Policy Routing Configuring IP PolicyRouting Define Match Rules Create a Routing PolicyDefine Apply Clause Displaying Debugging IP Policy Routing By default, interface policy routing is disabledEnable/Disable Interface Policy Routing Interface Policy Routing Router-acl-101rule deny tcp source any destination any Suggested procedure for each configurationDefine access list Router-acl-102rule permit tcp source any destination any RouterA-Ethernet0ip policy route-policy lab1 Adopt policy aaa in Ethernet interfaceRouter-Ethernet0ip policy route-policy aaa RouterB-ripnetwork RouterAdebugging ip policy-routing Chapter Configuring Igmp Configuring PIM-DM Configuring PIM-SMIP Multicast 498 IP Multicast List for Reserved Multicast Addresses Range and Meaning of Class D AddressesClass D address range Meaning IP Multicast Routing Protocols IP Multicast IP Multicast IP Multicast PacketApplication IP Multicast Igmp Overview Configuring IgmpIgmp Configuration Example Igmp Overview Configuring Igmp Configure the Igmp Version Number Run at Router Interface Make the following configuration in interface viewConfigure Igmp Maximum Query Response Time Displaying and Debugging Igmp Igmp ConfigurationDebugging command in system view to debug Igmp Interfaces are all fast Ethernet FE Router a Router B Configuring Igmp Configuring PIM-DM Enable Multicast Routing Make the following configuration in the system viewBy default, the system disables the multicast routing Operation Command Enable multicast routing Display and Debug PIM-DM Start/Disable PIM-DM ProtocolDisplaying and Debugging PIM-DM Group-address source-address Enable PIM-DM protocol PIM-DM ConfigurationEnable multicast routing protocol Receiver 2 are the two receivers of this multicast group PIM-SM Overview PIM-SM Configuration Enabling Multicast Routing Configure Candidate BSR By default, the interface disables PIM-SM protocolEnable/Disable PIM-SM Protocol Configure Candidate RP By default, no PIM-SM domain boundary is configured By default, no interface is configured to be candidate RPConfigure PIM-SM Domain Boundary Use the pim command in system view to enter PIM view Debugging PIM-SM RouterA multicast routing-enable RouterA interface ethernet Configure Router a Enable PIM-SM protocolConfigure Router B Enable PIM-SM protocol RouterA-pimspt-switch-threshold 10 accept-policy Neighbors have discovered each other Display pim neighbor command can be used to check whetherFollow these steps RouterB-acl-5rule permit source 225.0.0.0 Configuring PIM-SM Viii Security 524 Access Security Terminal AccessConfiguring Terminal Configuring a User Configure EXECLogin Authentication Configure Radius server and the shared secret Enable AAAConfigure the authentication method list of Exec users Configuring Terminal Access Security AAA Overview Radius Overview Components of Radius server Basic message interaction process of Radius Type of Packets Decided by Code Field Request Authenticator Adopts 16-byte random codeCode Packet type Explanation of the packet Attribute Fields Configure AAA Login Authentication By default, AAA is disabledAAA Enable/Disable AAA Server-template-name method1 Default methods-list method1 Configuring an Authentication Method List for PPP UsersConfigure PPP Authentication Method List of AAA Default methods-list Configure AAA Accounting Option By default no address pool is defined by the systemConfigure AAA Local-First Authentication Configure Local IP Address Pool Configure Callback User By default pool-number isConfigure a User and Password Configure Ordinary User and Password Configure Callback User and the Callback Number Configure User with Caller NumberConfigure FTP User and the Usable Directory Configure User with Caller Number Configure Authorizing a User with Usable Service Types Authorize a User with Usable Service TypesConfigure FTP User and the Usable Directory Directory Configure Radius Server Shared Secret Configure Radius Server Shared SecretBy default, no key is configured for the Radius server Radius server hostname ip-address Configure the Request Retransmission Times Configure the Time Interval for the Inquiry Packet Displaying Debugging AAA Accessing UserAuthentication Case AAA and Radius Router aaa authentication-scheme local-first Configure IP address and port of Radius serverConfigure local-first authentication Routerradius server Troubleshooting AAA Radius Connected user cannot be seen in display aaa user Users Radius authentication is always rejectedCan Configuring AAA and Radius Protocol Firewall Overview Classification of Firewalls Packet filtering schematic diagram Command format when the protocol is TCP or UDP Extended access control listCommand format when the protocol is IGMP, IP, GRE or Ospf Operators of the Extended Access Control List Mnemonic Symbol of the Port Number Protocol Mnemonic Symbol Meaning and Actual Value UDP Mnemonic Symbol of the Icmp Message Type Configure the match sequence of access control listOperator and Syntax Meaning Firewalls are disabled by default Configure FirewallEffect Perform the following configurations in system view Firewall Configure Standard Access Control List Configure Extended Access Control List Set Default Firewall Filtering Mode Enabling and disabling filtering according to timerangeConfiguring Special Timerange Destination dest-addr dest- wildcard Set Special Time Range Enable/Disable Filtering According to TimerangeSet special time range Settr begin-time end-time Specify Logging Host Use debugging, reset and display commands in all viewsDisplaying and Debugging Firewall Display and Debug Firewall Routerfirewall enable Enable firewallConfigure access rules to inhibit passing of all packets Routerfirewall default permit Router-Ethernet0firewall packet-filter 101 inbound Apply rule 102 on packets coming in from interface Serial0Router-Serial0firewall packet-filter 102 inbound IPSec Protocol Following terms are important to an understanding of IPSec IPSec Related TermsIPSec Message Processing Access Control List Configuring IPSecCreating an Encryption Create Encryption Access Control List Operator port1 port2 By default, all the crypto cards are enabled Configure Ndec Cards Enable the crypto cardsSet the output of the crypto card log Set the Mode for Security Protocol to Encapsulate Messages By default, no proposal view is configuredEnable/Disable the Host to Backup the Ndec Cards Define IPSec proposal Select Security Protocol Selecting the Encryption Authentication AlgorithmDefault mode is tunnel-encapsulation mode Select Security Protocol Select Encryption Algorithm and Authentication Algorithm Creating a Security Policy Perform the following configurations in IPSec policy view By default, no security policy is createdConfigure access control list quoted in security policy Set start point and end point of security tunnel Set IPSec proposal quoted in security policy By default, the security policy quotes no IPSec proposalConfigure IPSec Proposal Quoted in Security Policy Set SPI of security policy association and its adopted key Configure Key Used by Security Policy Association By default, no key is used by any security policyConfigure SPI Parameters of Security Policy Association Hex-key Creating a Security Policy Association with Set access control list quoted by security policySet end point of security tunnel Specify End Point of Security Tunnel Proposal proposal-name1 Set the IPSec proposal quoted in security policySet SA lifetime Proposal-name2...proposal-name6 Configure Global SA LIfetime Configure a separate SA lifetimeBy default, apply the global SA lifetime Configure Separate SA LIfetime Apply Security Policy Group on Interface Use debugging, reset and display commands in all viewsDebugging IPSec Ipsec sa dynamic-detect Display and Debug IPSec Reset crypto cardDest-address protocol spi Displaying and Debugging the crypto card IPSec Configuration ExampleUse the debugging, reset and display command in all views Creating an SA Manually Quote access list Adopt tunnel mode as the message-encapsulating formSelect authentication algorithm and encryption algorithm Create the IPSec proposal view named tran1 Apply security policy group on serial interface Configure the routeCreate a security policy with negotiation mode as manual Exit to system view Create the IPSec proposal view named trans1 Create a security policy with negotiation mode as isakmpSet remote addresses Configure serial interface Serial0 Configure ip address of the serial interfaceConfigure corresponding IKE Create a security policy with negotiation view as isakmp Return to system view Establish a security policy with manual negotiation modeAdopt tunnel module for packets encapsulation form RouterB ike pre-shared-key abcde remote Set encryption key Enter Ethernet interface view and configure IP addressSet local address Apply security policy base on serial port Return to the system view Establish a security policy with manual configuration modeTroubleshooting IPSec Ndec card cannot be configured RouterB ipsec policy map1 10 manual Do the following Configuring Ipsec Configuring IKE IKE features Configuring IKEPolicy View Delete IKE policy Create IKE PolicyIke proposal policy-number Undo ike Configure Pre-shared Key Selecting an Authentication AlgorithmSelect Authentication Method Select Encryption Algorithm Select DH Group ID By default, 768-bit Diffie-Hellman group is selectedSelect Hashing Algorithm Set Lifetime of IKE Negotiation SA Displaying and Debugging IKE Configure IKE Keepalive TimerReset ike sa connection-ike-sa-id Display and Debug IKE IKE Configuration Invalid user ID information Unmatched policy Unable to establish security channel Configuring VPN Configuring L2TP Configuring GRE IX VPN 596 VPN Overview Classification of IP Basic NetworkingApplications of VPN Authority given by local ISP Layer 3 tunneling protocol Layer 2 tunneling protocolComparison of layer 2 and layer 3 tunnel protocols Configuring VPN Vpdn and L2TP Vpdn Operation Methods of Implementing Vpdn L2TP channel Networking diagram of two typical methods of Vpdn Tunnel and session IV. Call setup flow of L2TP tunnel Control message and data message Features of L2TP Call setup flow of L2TP channel Enable/Disable L2TP Basic Configuration atEnable L2TP L2tp enable L2tp-group group-number Originate L2TP Connection Request and LNS AddressIp-address … domain domain-name Default list-name method1 By default, L2TP is disabledConfigure AAA and Local Users L2TP Attribute Table Create/Delete L2TP Group Operation Command Create a L2TP groupOperation Command Create a virtual template Create/Delete a Virtual Template Configure the Name of the Receiving End of the Tunnel Advanced Configuration at LAC or LNSBy default, receiving dial-in from LAC is disabled Configure Local VPN Users Set Local Name Enable Tunnel Authentication Setting PasswordBy default, the local name is the host name of router Tunnel name name Set Tunnel Authentication and Password Configure the Interval For Sending Hello MessagesSet the Interval for Sending Hello Message Force Configure Domain Delimiter and Searching OrderSet Domain Name Delimiter and Searching Order Reset l2tp tunnel remote-name This configuration is applicable to LNS onlyOperation Command Force to disconnect tunnel Force to Disconnect Channel LCP does not renegotiate by default Configure the Local Address and Address PoolLCP to Renegotiate Enable/Disable Hiding AV Pairs Enable/Disable Hiding Attribute Value Pairs AVBy default, AV pairs are hidden Number of L2TP Sessions Use debugging, display command in all views L2TP Configuration ExamplesBy default, the maximum number of L2TP sessions is Display and Debug L2TP Enable L2TP service and configure a L2TP group Implement local AAA authentication on VPN userConfigure the IP address of Serial1 interface of LAC Configure BDR dialup parameters Configure the IP address of Serial0 interface of LNS Configure the Virtual-Template-related information Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Client-originated VPN Networking Router-LACip pool 1 192.170.0.3 Configure the IP address of Serial0 interface at LNS side Configure the IP address of Serial1 interface at LAC sideConfigure BDR parameters Disable tunnel authentication Network Connection Wizard Network Connection Wizard Connect Connection to Configure the domain suffix separator to @ Configure an IP address on Serial0 interfaceConfigure a L2TP group and the related attributes Router1 l2tp domain suffix-separator @ Force to implement local Chap authentication Enable AAA authenticationConfigure Virtual-Template III. Procedures Configure an address pool 1 in the range of 192.168.0.2 to Configure a L2TP group and configure the related attributesConfiguration at Router2 LNS side Enable AAA authentication Configure an access control list and specify L2TP data Fault 1 The users fail to log PPP negotiation fails. The reasons may be Troubleshooting L2TP Configuring L2TP Encapsulation GRE ProtocolPacket Encapsulated tunnel message format Refer to RFC Enlarge network operating range Creating a Virtual Tunnel Interface Configuring GREBy default, no virtual tunnel interface is created Create Virtual Tunnel Interface Perform the configurations in the tunnel interface view Address of a Tunnel Must be configured InterfaceSetting the Network Address of the Tunnel Set the Tunnel to Synchronize Datagram Sequence Numbers Number discardedSet Tunnel Interface to Check with Checksum Gre key key-number Debugging GRE GRE Configuration ExampleGroup1 and group2. It can be implemented by using GRE All views Configure the IP address of Ethernet0 interface Configure Router B Configure the IP address of Serial0 Configure the static route to Novell Group2 Configure Router a Activate IPXConfigure the IP address and IPX address of Ethernet0 Configure Router B Activate IPX Networking of troubleshooting GRE RouterB ipx route 1e 1f.a.a.a tick 30000 hop Configuring a Standby Center Configuring Vrrp 646 Configuring Standby Center Standby Center Fr map protocol address dlci dlci Enter the Logic Channel ViewAddress logic-channelnumber Next-hop-address dialer-number Undo standby timer enable-delay Channel to check whether it has recoveredStandby timer enable-delay seconds Standby timer disable-delay seconds Interfaces Please perform the following configuration in all viewsLoad Sharing view Enter the view of Serial Channel Enter the view of logic channelRouter-logic-channel10standby interface serial Router-Serial1logic-channel Vrrp Overview Vrrp Configuration ExamplesTroubleshooting Vrrp Vrrp Overview Adding a Virtual IP Configuring VrrpAddress Vrrp vrid virtualrouterid Configure Router Priority in Standby GroupAdd Virtual IP Address Undo vrrp vrid virtualrouterid Configure Authentication Method and Authentication Key Configuring Authentication Method Authentication KeyVrrp provides simple character authentication method Virtualrouterid Debugging Vrrp Configure StandbyGroup Timer Monitoring Backup with preemption aII. Networking diagram Vrrp ConfigurationProcedure for each configuration Vrrp Single Standby Gateway function as the master Gateway services insteadBalancing and mutual backup are implemented Multiple Standby There is requent switchover of the Vrrp state Many master routers exist within the same standby group XI QOS 662 Three Types of QoS Services QOS Overview QOS Overview Benefits of QoS for the Network Service QOS Overview Traffic Classification Traffic Policing Traffic POLICING, Traffic Shaping and Line Rate Committed Access Rate CAR Qos carl carl-index precedence Defining RulesDefine CAR Rules Precedence-value mac mac-address Applying the CAR Policy on the Interface By default, no CAR rule of ACL list is establishedApply the CAR Rule on the Interface Displaying and Debugging CAR CAR Configuration Applying a CAR Policy to all PacketsConfigure the Priority Level Based CAR Policy Display and Debug CAR Configure the CAR Policy Based on the MAC Address Matches ACL Traffic ShapingApply a CAR Policy on the Packets that Match ACL Packets Configuring shaping parameters for a specified flow Schematic diagram of GTS processing Configure the ACL Configuring shaping parameters for all flowsShape the flows matching 110 on Ethernet interface Rate Configure the Physical Interface LIne RatePhysical Interface Line Shape all the flows on Ethernet interface Displaying Display and Debug LR Debugging LR Operation Command Display the LR configuration conditionsDisplay qos lr interface type Congestion Management Fifo Queuing CongestionManagement Policy Priority Queuing Selecting Congestion Management Policies Comparison of Several Congestion Management Policies Number Queues Advantage Disadvantage Schematic diagram of the first in first out queue Schematic diagram of the custom queuing Weighted Fair Queuing WFQ Schematic diagram of weighted fair queuing Configuring priority queuing Configuring Congestion ManagementConfiguring Fifo Queuing Configure the First In First Out Queuing Protocol-name queue-option queue By default, no priority queue is establishedValues of Queue-Option with Protocol as IP Pql-index protocol Applying the priority-list queuing group to the interface By default, the interface utilizes the Fifo queueSpecifying the queue length of the priority-list queuing Default Length Value of the Priority Queue Configuring custom-list queuingConfiguring Custom Queuing CQ Displaying and debugging the priority queue Queue-number Configure the Custom-Lst Queuing According to the InterfaceConfigure the Default Custom-List Queuing Queue queue-number Configure the Queue Length of the Custom-List Queuing By default, the interface uses the Fifo queueConfiguring the queue length of the custom-list queuing Applying the custom-list queuing group to the interface Displaying and debugging the weighted fair queue Configuring Weighted fair queuingDisplaying and debugging the custom-list queue Apply the priority queue 1 to Serial Congestion Management Configuration ExamplesPQ Configuration Example Apply the priority queue 2 to Serial RouterA-Tunnel0ip address 10.1.1.1 Configure the CQ queueConfigure Router B Configure the access control list RouterA-Tunnel1destination Configure Tunnel1 Configure Serial0 master/slave addressesConfigure Tunnel0 WFQ Configuration Example Congestion Management Congestion Avoidance Congestion Avoidance Enable Wred Wred ConfigurationEnable the Wred Function of the Interface Discard-prob Ip-precedence Enable Wred Congestion Avoidance Configuration ExampleConfigure a WFQ queue Displaying Debugging Congestion Avoidance Congestion Avoidance Configuring DCC Configuring Modem XII DIAL-UP 704 Terms in DCC Configuration DCC Overview Circular DCC DCC Resource-Shared DCC With 3Com Routers Basic DCC featuresImplementing callback through DCC Prepare the data for DCC configuration Configuring DCCPreparing to Configure Configure the local parameters of DCC Linklayer-protocol-type Configuring the mode of the physical interfaceConfigure Physical Interface Mode Ip address ipaddress mask Associating a DCC dialer ACL with the interface Configuring an interface to originate calls to a remote end Dialer number dial-number Configure an interface to receive calls from a remote endDialer enable-circular Undo dialer number Route protocol DialerNext-hop-address dial-number Undo dialer route protocol Next-hop-address Undo dialer circular-group Undo interface dialer numberDialer circular-group number Dialer priority priority Dialer circular-group number Interface dialer numberUndo interface dialer number Undo dialer circular-group Router Dialer0 By default, no dialer interface is created Configuring dialing authentication for resource-shared DCCConfiguring the dialer interface and dialer number Enabing Resource-Shared DCC Configuring dialing authentication for resource-shared DCC Configure MP Binding in Circular DCC Configuring MP binding in circular DCCThreshold traffic-percentage Configure MP Binding in Resource-Shared DCC Configuring MP binding in resource-shared DCCConfiguring PPP callback in the circular DCC implementation Dialer threshold traffic-percentage Implement PPP Callback Client Configuration in Circular DCC Implement PPP Callback Server Configuration in Circular DCC Next-hop-address user username CommandTelephone-number Dial-number Primary rule The best match is the number with the fewest Features of Isdn caller identification callbackDialer callback-center dial-number Undo dialer call-in remote-number Operation Command Configure the local end to implementIdentification Callback according to the Isdn caller Configuring Special DCC Functions Configuring Isdn leased lineConfiguring auto-dial Configure Isdn leased line for Circular DCC Configure Auto-Dial Configuring dialer number circular standbyConfiguring the Link Idle Time Configure Dialer Number Circular Standby Configuring the link idle time when interface competion By default, the link idle time is 120 secondsBy default, the link disconnection time is 20 seconds Configure the Link Idle Time Configuring the buffer queue length of the dialer Configuring the timeout of call setting upBy default, the timeout of call setting up is 60 seconds Debugging DCC Solution DCC Configuration ExamplesDCC Applications in Common Use Router-Serial1dialer circular-group Configure RouterCConfigure RouterB Router-Serial0dialer route ip 100.1.1.1 Router-Serial0dialer bundle-member Router-Serial1dialer bundle-member Configure RouterC Configure RouterC Router-Bri0dialer bundle-member Configure RouterARouter-Dialer0dialer threshold Router-Serial015dialer route ip 100.1.1.1 Router-Bri1dialer route ip 100.1.1.1 Router-Serial0dialer route ip 100.1.1.2 Router-Serial1dialer enable-circularRouter dialer-rule 1 ip permit Router interface serial Router-Bri0dialer route ip 100.1.1.2 user usera By the NT server Configure the PCCallback for DC C NT Server-to-Router Router-Async0dialer route ip 100.1.1.254 Dial Number Circular Standby and Internet Access for DCC Configure subscriber PC Router-Serial0dialer route ip 100.1.1.254 Router-Serial215ppp authentication-mode chap Router-Serial215ppp chap password simple passb Router-Serial1standby logic-channel Remote end cannot be pinged after the modem is connected DCC Fault Messages Message Fault DCC peeraddr matching error Modem Function Provided by 3Com Routers Modem Script Modem script format in common use is as follow Syntax description of modem scriptReceive-string1 send-string1 receive-string2 send-string2 Configure the Modem Dial-in and Dial-out Authorities Which, seconds defaults to 180 and is in the range of 0 toBy default, modem dial-in and dial-out are allowed Configure a Modem Script Configure Modem Through the AT CommandConfigure a Modem Script Execute a Modem Script Manually Configure Authentication for a Modem Dial-in User By default, the modem works in non-auto answer modeConfigure the Answer Mode for the Modem Specify the Events Triggering the Modem Scripts Configure a Modem adaptation baud rate Modem Configuration ExamplesExecutethe debugging command in all views for the debugging Displaying and Debugging a Modem Configure the modem initialization parameters Restore the ex-factory modem settingsAT&b1&c1&d2&s0=0 Directly Power-on Initialization Through Initialization ScriptAuthentication for Modem Dial-in User Troubleshooting Configuring Modem

3Com 10014299 Displaying and Debugging Firewall, Specify Logging Host, Display and Debug Firewall

Models: 10014299

Perform the following configurations in system view.

Table 628 Specify Logging Host

unix-hostname ip-address