IPSec Related Terms, IPSec Message Processing

562CHAPTER 40: CONFIGURING IPSEC

IPSec Message Processing

state by polling. Thus, crypto cards can synchronously process user data, which improves the speed of data encryption and decryption.

For the IPSec applied at the crypto card side, the crypto cards will be unable to implement the IPSec processing if all the crypto cards on the router are in abnormal state. In this case, given that the host has been enabled to backup the crypto cards, the IPSec module of the operating system will replace the crypto cards to implement the IPSec processing, if the IPSec module supports the encryption/authentication algorithm used by the crypto cards. Thus, the software IPSec module fulfills the backup of crypto cards.

The processing mechanism of the crypto cards and that of the software IPSec module is almost the same. The only difference is that the former implements the encryption/decryption processing through the software and the latter through the the main operating system.

IPSec can process messages as follows (with AH protocol as an example):

■Add authentication header to messages: IP messages sent by the module block from IPSec queue are read, and an AH header is added according to the configured protocol mode (transport or tunnel mode), then forward it by IP layer.

■Cancel the authentication header after messages are authenticated: The IP message received at the IP layer is analyzed as a local host address with protocol number 51, then the corresponding protocol switch table item is searched and the corresponding input processing function is called. This processing function authenticates the message to make a comparison with the original authentication value. If the values are the same, the added AH is canceled, and the original IP message is restored. Then IP input flow is recalled for processing. Otherwise, this message is discarded.

IPSec Related Terms

The following terms are important to an understanding of IPSec:

■Data stream: A combination of a group of traffic, which is prescribed by source address/mask, destination address/mask, encapsulation upper-level protocol number of IP message, source port number, destination port number, etc. Generally, a data stream is defined by an access list, and all messages permitted by access list are called a data stream logically. A data stream can be a TCP connection between the endpoints, or all the data stream transferred between two subnets. IPSec can implement different security protections for different data streams. For example, it can use different security protocols for different data flow, algorithm and ciphering.

■Security policy: The policy, which is configured manually by the user to define what security measure to take for what data stream. The data stream is defined by configuring multiple rules in an access list, and in security policy this access list is quoted to determine to protect the data flow. Name and Sequence number define a security policy uniquely.

■Security policy group: The set of the security policies with the same name. A security policy group can be applied or cancelled on an interface, applying multiple security polices in the same security policy group to this interface, to implement different security protection for different data streams. The security

Page 566

Image 566

3Com 10014299 IPSec Related Terms, Following terms are important to an understanding of IPSec, IPSec Message Processing

Contents

3Com Router Configuration Guide Marlborough, MA 3Com CorporationCampus Drive 01752-3064Page VPN Text Conventions This guide describes 3Com routers and how to configure themList conventions that are used throughout this guide About this Guide 3Com Router Introduction 3Com Router User Interface Page 3COM Router Introduction List of the 3Com Router 1.x features Features of the 3ComFollowing table lists the basic features of the 3Com Router Router Version RIP-1/RIP-2 NAT Quality of service 3Com Router New Features of the 3Com Router 1.x 3COM Router Introduction Environment ConfigurationEstablish Port Establish a new connection Set port communication parameters Establish a remote configuration environment Environment ConfigurationConnection Router Workstation Ethernet Command Line Interface CLI 3COM Router User Interface System view Table Views and their prompts Loopback 0 in any Async 0 in anyEthernet 0 in any Enter controller Partial help HelpsFull help For example List of common command line error messagesCommon error Message Causes Routerdisplay ? Display Features Command LineFeatures Three options are available for users User Identity Following commandsPlease perform the following commands in system view Management Set the system clock Configure the router nameSystem Reboot the system By default, the system clock is 080000 1 1Execute the following commands in all views Display the System Information Router System Management Page Storage Media and File Types Supported by the System Softwaresoftware Input Ctrl+D, and the following prompt information displays Upgrade Boot ROM Software Software Upgrade the 3ComRouter Main Program Main Program software XModem Approach Modify the terminal baud rate Transfer File dialog box Tftp server application can run on Windows 95/98/NT Preparation for using the Tftp serverEnable the Tftp server program Press Enter and the following prompts will be displayed Tftpd32 Set interface Enter Ctrl+B and the system prompts Network Interface Parameters Press Enter for loading Download configuration files from a Tftp serverOperation Command Downloads the 3Com Router main Get ip-addr file-name system Prepare for using the FTP server Set an authentication mode for an FTP server Upgrade the 3Com Router Main Software with FTP Enable FTP server FTP Approach Back up the 3Com Router Main Program SoftwareTftp Approach Copy ip-addr file-name system Setup Users Dialog Box Port-number user user-name password Configure on-line upgrading of the cardUpdate slot slot-number ftpserver host-name Password Perform the following command in system view Configuration File ManagementDownload Configuration File Content and Format of the Configuration File Router download config Load configuration filesDownload Config Set the binary transmission protocol to XModem/CRC Upload configuration files to a Tftp server Display current-configurationcommand output backup approachBack up Configuration Files File-name config Please use the following commands in corresponding views View router configuration Set the Flag Bit to Enter the Initial Setup Mode Select and view the storage media of configuration fileSave current configuration Erase the configuration file in storage media Client via port 20 and transfer data Configure FTPConfigure authentication and authorization of FTP server Files on the router Please enter the following commands in system view Enter the following commands in system viewConfigure Parameters of FTP Service Set the authentication mode of FTP server Force to shut down FTP process Set FTP update modeSet the connection time limit of FTP service Force to shut down FTP process Server Display detailed information of the FTP user Display FTP Server Display FTP serverDisplay ftp-server Display local-user System Management Service at Console Port Terminal ServiceFeatures of Terminal Overview Terminal Message ServiceSet the attributes of terminal service On one router Display Terminal Message Service Perform the following configuration in all viewsConfigure Terminal Message Service Enable/disable receiving messages from other terminals Dumb Terminal Typical Example Terminal Message Service ConfigurationTerminal Service Configure Auto-execute command Configuration Examples Dumb Terminal ServiceConfigure Dumb Terminal By default, no dumb terminal service is configured Configure the auto-execute command command Terminal Service Telnet ConnectionConfigure the interface to dumb terminal mode Router-Serial1auto-execute command telnet Establish Telnet Connection Terminal service features of telnet connectionService Value Service-port Setup Reverse Telnet ConnectionEnable Reverse Telnet connection Establish Telnet Server or Telnet Client connection Example of Telnet Typical Configuration Example of Telnet Reverse TelnetForce shut down Telnet Process Force to shut down Telnet process Example of Reverse Telnet Rlogin TerminalUse Rlogin protocol Router telnet 10.110.164.44 Rlogin ip-address username Establish a Rlogin connectionTypical Rlogin Configuration Examples Use local user name abc to log on Communicate with other terminals through the X.25 network Access ServicePAD Remote Service-type type password Configure X.25 PAD remote userConfigure X.25 PAD remote user Local-user user-name Establish an X.25 PAD call Start AAA authentication of X.25 remote usersEnable AAA authentication for X.25 remote PAD users Establish a X.25 PAD call Display and Debug II. Networking DiagramIII. Configuration Procedure Set the Response Time to the Invite Clear Message RouterA-serial0x25 x121-address Fault Diagnosis TroubleshootingSet its X.121 address as RouterB-serial0x25 x121-address Snmp Overview Development of Snmp Configuring Network Management Snmp architecture SNMP-supported MIB Engineid By default, the system disables Snmp service3Com Router-supported MIB Perform the following configurations in system view Configure Snmp version and related tasks V1 username Configure information of router administratorConfigure the traps to be sent by the router Interface-number Name Perform the following commands in all viewsDisplay and debug Snmp Byte-count Configure an IP address for the Ethernet interface ethernet Example 1 Configure Network Management of SNMPv1Set the community name and access authority Examples Networking Requirements Network equipment Configure an IP address for the Ethernet interface ethernetRmon Overview Schematic diagram of Rmon application Enable Rmon statistics Examples Networking Requirement RouterA-Ethernet0 rmon promiscuous Commands to display information of the whole system Ping command Test Tool of Network Connection Ping supporting IPX protocol Ping supporting IP protocolSystem displays Ip-address Timeout host Following command can be executed in any command modesTracert command MaxTTL -p port -q nqueries Configure on the router Log Function Set the direction of syslog outputting log information Sylog-defined severity is as follows Set Severity of Log InformationPerform the following task in system view Set Filter of Log Information Display and Debug Syslog Configuration of Log HostTurn on/turn off syslog Turn on/turn off syslog Routerinfo-center enable Syslog Configuration ExampleTurn on debugging switch of PPP module Routerdebug ppp all Display and Debugging Tools POS Terminal Access Service Dial-up POS Access POS Network Access Advantages of POS network access are as follows Start POS server POS Access Service ConfigurationConfigure POS access port App-number Configure a POS applicationInterface-type interface-number Ip-address port-number Bind the source address of TCP connection Configure POS multi-application mapping tableDefault app-number Set the parameters of FCM used during Modem negotiation Display and Debug POS AccessDisplay and debug POS access Set the parameters of FCM used during Modem negotiation Configure the POS access interface FCM0 Typical Configuration Example of POS Access ServiceConfigure the Ethernet interface Ethernet Configure POS access interface FCM1 III. Configuration Procedure 1 Start the POS access server Configure POS access interface FCM2Configure POS access interface FCM0 III. Configuration Procedures Configure Async 0 to operate in POS application modeConfigure Async 1 to operate in POS application mode Configure Router a Start the POS access server Configure Router B Configure the Ethernet interface Ethernet RouterA ip route-static 10.1.1.2 255.255.255.0 serial III Interface 106 Enter the Interface View Configure InterfaceInterface Set time interval for flow control statistics Exit the Interface ViewInterface view, input quit to return to the system view Interface-description Display and debug interface Please use the following commands in all viewsDisplay and Debug Interface Interface state information Interface Configuration Overview Configure Ethernet Interface Ethernet Interface Set IPX address Enter view of specified Ethernet interfaceSet IP address Set frame format of sending message Display and Debug Select work mode of Ethernet interfaceEnable or disable internal loopback and external loopback Select working rate of fast Ethernet interface II. Network Diagram Typical Ethernet Interface Configuration ExampleTroubleshooting Troubleshooting Configuring LAN Interface Asynchronous Serial Interface WAN InterfaceIntroduction Interface serial number Enter view of specified asynchronous interfaceInterface async number Modem in out Set the work mode of asynchronous serial interfaceSet the baud rate of asynchronous serial interface Link-protocol slip ppp Hardware inbound outbound Async Mode protocolFlow-control none software Odd space Works in flow modeParity even mark none Stopbits 1 1.5 Set MTU of asynchronous serial interface BackupAUX Interface Set the coding format of Modem Configure Synchronous Serial Interface Configure AUX interfaceConfigure AUX interface Synchronous Serial Interface Physical-mode sync Enter view of specified synchronous interfaceSet the link layer protocol of synchronous serial interface Link-protocol fr hdlc Set the baud rate of synchronous serial interface Select work clockWorking modes have different working clocks Synchronous serial interface is 64000 bps Set clock inversion Inversion is disabled by defaultSelect work clock Undo detect dcd Internal loopback/external loopback are disabled by defaultDetect dcd Reverse-rts Technical Background Isdn BRI InterfaceIdle coding of synchronous serial interface is 7E Graphics and video Function group includes Preparations before ConfigurationBe clear about the following items before the configuration Network protocols such as IP and IPX Channelized operating modeCE1/PRI Interface Interface or a PRI interface Interface Configure CE1/PRI CE1/PRI interface configuration includesDial-on-Demand Routing Enter the view for a specified interface Number set-number Enter the synchronous serial interface viewBind the interface to be channel sets Pri-set timeslot-list range Bind the interface to be a pri setEnter the Isdn interface view Undo pri-set Set the line clock of the CE1/PRI interface Enable/disable the internal loopback/external loopbackSet the line code format on the CE1/PRI interface Set the frame format of CE1/PRI interface Configure CT1/PRI CT1/PRI Interface Timeslot-list range speed Operation Command Enter the view of CT1/PRI interfaceController t1 number Interface serial number23 Set the frame format of CT1/PRI interface Set the line code format on the CT1/PRI interfaceSet the line clock of the CT1/PRI interface E1-F Interface Choice for E1 accessE1-F interface does not support PRI operating mode Them into multiple channel sets Interface serial serial-number Set Operating mode for an E1-F interfaceEnter the view of an E1-F interface Fe1 unframed Set line clock for an E1-F interface Set interface rate after binding operationSet line code format for E1-F interfaces Display and debug E1-F interface Enable/Disable local/remote loopback on an E1-F interfaceSet frame format for an E1-F interface Serial-number T1-F Interface Choice for T1 accessT1-F interface does not support PRI operating mode 193 X 8k = 1544kbps Set line code format for T1-F interface Set frame format of T1-F interface Enable/Disable local/remote loopback on a T1-F interfaceSet line clock for a T1-F interface Display and Debug T1-F Other related informationCE3 Interface Display and debug T1-F interface Enter the view of the specified E3 interface Set E1 frame format Set the operating mode of CE3 interfaceSet the operating mode of E1 channel 44.736Mbps Mode non-channelized modeCT3 Interface Data bandwidth 44736kbps Enter specified CT3 interface view Set clock mode of the CT3 interfaceSet clock mode of the T1 channel Set cable length of the CT3 interface Perform the following configurations in CT3 interface view By default, loopback is disabled Set Frame FormatBy default, the CT3 interface uses the C-bit frame format T1 line-number unframed Set the operating mode of T1 channelSet CRC of the serial interface Disable and Enable CT3 interface Display and debug of the CT3 interface Configuring WAN Interface Logical Interface Dialer Interface Configure Loopback Null Interface Sub-Interface Number.sub-number Configure sub-interfaces of Ethernet interfaceCreate and delete WAN sub-interface Number.sub-number multipoint Routerinterface serial Enter the view of WAN interface Serial0 of router aSelect frame relay link layer protocol Set its IP address to 202.38.160.1 and address mask to Configure the static route from router a to LAN2 and LAN3Specify DTE as its frame relay terminal type Allocate a virtual circuit with Dlci 50 to it Interface virtual-template Set work parameters of virtual-templateCreate or delete virtual-template Undo interface Display state of the specified virtual-template Fault 1 Fail to create virtual interfaceTroubleshooting the reasons may be as follows Virtual-template-number Link Layer Protocol 164 PPP Authentication Mode PPP Overview Configuring PPP and MP For detailed description of PPP, refer to RFC1661 Configure PPPMP Overview Transmission time of large packets Configure the peer authenticates the local in PAP mode Configure the link layer protocol of the interface to PPPConfigure the local authenticates the peer in PAP mode Name-list Cipher password Configure the local authenticates the peer in Chap modeConfigure as the peer authenticates the local in Chap mode User username Configure PPP compression Configure AAA authentication and accounting of PPPConfigure the time interval of PPP negotiation timeout Ppp lqc forbidden-percentage Perform the following configuration in interface viewConfigure PPP link quality monitoring Resumptive-percentage Create/Delete virtual template Configure MP Protocol Parameters Create Virtual TemplateConfigure Operating Parameters of Virtual Template Bind the physical Interface to a Virtual Template Specify the conditions for MP binding User-name Configure virtual Baud rate on interface Frags Example Typical PPP Configuration ExampleConfiguration Requirement Configure to start Chap authentication at this side Typical MP Configuration ExampleII. Configuration Procedure Set local username as Router1 Configure router-c Add a user for router-a Configure virtual interface templateConfigure router-b Add a user for router-a Fault 2 Physical link fails to turn to Up status Fault Diagnosis TroubleshootingFault 1 Link always fails to turn to up status Indicates that the interface is shutdown PPoE Overview Introduction to PPPoE client Configure PPPoE Client Configure PPPoE session Reset or delete PPPoE session Access a LAN to the Internet via Adsl Typical PPPoE Configuration ExamplePerform the display and debugging command in all views III. Configuration Procedure 1 Configure a dialer interface Configure the DDN interface Serial Configure a PPPoE sessionConfigure the LAN interface and the default route Use Adsl as Standby Line Configuring Pppoe Client Slip Overview Configure SlipAsynchronous mode For further details about SLIP, you can refer to RFC1055 Time Enable/Disable the information debugging of SlipTypical Slip Interconnect two Router routers via Pstn and run IP Configure the Dialer String to router B Configure Router a Configure Dialer RuleConfigure IP address of synchronous/asynchronous interface Configure the default route to Route B Routerip route-static 0.0.0.0 0.0.0.0 Configure Isdn Isdn Overview Configure the length of call reference By default, DSS1 signaling is used on Isdn PRI interfacesConfigure type of signaling on Isdn interface Configure the receiving mode Timer-name all Configure the sending modeConfigure interval for Qsig signaling timer Time-interval Perform the display and debugging commands in all views Configure Call Processing Method on an InterfacePerform the following configuration in Isdn interface view Configure the Isdn PRI interface Typical Configuration ExampleConfigure Router a Create an Isdn PRI interface RouterB transmit data after the call is set up Configure Router a Configure Router B Lapb Protocols Overview PSN 25 packet and Lapb frame By default, k is Configure Lapb N1, N2 Configure LapbBy default, the Lapb modulus is Modulo Configure Set X.25 working mode Configure X.25 InterfaceSet/Cancel the X.121 address of the interface Address 25 channel delimitation parameters Parameter Meaning Set/Cancel X.25 packet numbering modulo By default, X.25 interface use modulo 8 modeSet/cancel X.25 virtual circuit range Finally, the following should be noted Set the default flow control parameter Configure X.25 flow control parameterConfigure X.25 Interface Supplementary Parameter Out-packets 25 layer 3 timer Set X.25 layer 3 timer delay Alias-string Specify/Cancel an alias for the interfaceAlias match modes and meanings Match-type alias-string Set/Cancel the default upper layer protocol borne on Protocol-address x121-address Configure X.25 Datagram TransmissionCreate the permanent virtual circuit PVC Address option X25 pvc pvc-number protocol Configure Additional Parameters Datagram TransmissionCreate/Delete permanent virtual circuit Undo x25 pvc pvc-number Interface view, perform the following task Specify/Cancel packet pre-acknowledgement Configure X.25 user facility Configure the sending queue length of virtual circuit Serial port view, list1 can be quoted Address broadcast Set broadcast viaSet interface with standby center Address logic-channel Configure X.25 Switching Switching FunctionConfigure X.25 sub-Interface Number.subinterface-number multipoi Introduction to X.25 Load Balancing Configure X.25 Load BalancingAdd or delete a PVC route Configure X.25 List of Configuration Tasks of X.25 Load Balancing Diagram of X.25 network load balancing Add/Delete interfaces or XOT Tunnels in hunt group Start /Close X.25 switching functionCreate/Delete X.25 hunt group Configure X.25 over TCP XOT Configure X.25 over Other ProtocolsAdd/delete other X.25 switching routes Introduction to XOT Protocol Configure XOT Configure SVC XOT switching Start X.25 switchingConfigure local switching For PVC, perform the following tasks in interface view Configure X.25 over Frame Relay Annex G Configure Annex G Data InteroperationConfigure PVC XOT switching Configure Keepalive and xot-source attributes Configure the X.25 Attributes for a Dlci Configure the X.25 attributes for an Annex G Dlci Current status of Lapb Typical Lapb Configuration ExampleBy default, X.25 template is not applied on DLCIs Specify IP address for this interface Specify X.121 address of this interface Configure Router B Select interfaceConfigure Router a a Select interface Specify address mapping to the peer Connect the Router to X.25 Public Packet Network Configure Router C Configure interface IP address Configure Router a Configure interface IP addressConfigure Router B Configure interface IP address Range Configure Virtual Circuit I. Networking RequirementDisabled Transmit IP Datagram via X.25 PVC Typical Sub-Interface Configuration Example Router-Ethernet0ip address 196.25.231.1 Create sub-interface serial Configure Router CConfigure Router D SVC Application of XOT I. Networking Requirement Routerx25 switch svc 2 interface serial Configure Router C Start X.25 switchingConfigure Serial Routerx25 switch svc 1 xot Application of X.25 Load Balancing S11 Enable X.25 switching in system viewConfigure X.25 switching route to forward to X.25 terminal Add Serial 1, Serial 2 and XOT Tunnel to hunt group Load Balancing Carrying IP Data Transmission Routerx25 switch svc 1111 xotRouterx25 switch svc 8888 interface serial Routerinterface serial Router-Serial0link-protocol x25 dce Configure static route to RouterC Configure RouterA Configure interface EthernetConfigure interface Serial Configure RouterB Configure interface Ethernet Configure the local X.25 address Configure the static route to RouterA and RouterBConfigure RouterA Create an X.25 template Configure an IP address for the local interface Associates an X.25 template with the Dlci Configure RouterB Create an X.25 templateMap the Frame Relay address to the destination IP address SVC Application of X.25 over Frame Relay Configure Serial 0 as the X.25 interface Configure the router Router B Enable X.25 switchingEnable switching on Frame Relay DCE Configure Serial 1 as the Frame Relay interface Configure the Frame Relay Annex G Dlci Configure X.25 over Frame Relay switchingConfigure the router Router C Enable X.25 switching Configure local X.25 switching.Router-fr-dlci-100annexg dte Configure an X.25 template Configure Router D Configure the basic X.25 parametersConfigure Router B Enable X.25 switching Configure S1 as the Frame Relay interface Configure Serial Configure S1 as the Frame Relay interface Lapb Facility options inhibited by network have been carried Fault Diagnosis and Troubleshooting of X.25 Configuring Lapb Configuring Frame Relay Relay By default, the interfaces link layer protocol is PPPLink-protocol fr ietf Nonstandard Configure Frame Relay interface type Configure Frame Relay LMI protocol type Fr lmi n392dce n392-value Fr lmi n391dte n391-valueUndo fr lmi-n391dte Undo fr lmi n392dce Undo fr lmi t391dte Undo fr lmi n393dceFr lmi t391dte t391-value Fr lmi t392dce t392-value Configure Frame Relay static address mapping Configure Frame Relay dynamic address mapping Fr dlci Configure Frame Relay local virtual circuit numberCreate Frame Relay sub-interface Undo fr Establish static address mapping Configure virtual circuit of Frame Relay sub-interfaceApplying dynamic address mapping to the sub-interface Configure Frame Relay local switched PVC number Configure the Frame Relay local virtual circuit numberConfigure the route for Frame Relay PVC switching Configure the Frame Relay switched PVC Configure Multilink Frame Relay FRF.16 Overview Configure MFR interface parameter Configure MFRConfigure a MFR bundle interface MFR interface Subnumber Frame Relay Compression Configuration Configure the parameters of the bundle link interface Configure Frame Relay Fragment Attributes By default, interfaces use initiative compressionConfigure Frame Relay Fragment FRF.12 Configure Frame Relay Compression on multipoint interface Fr traffic-shaping Disable the Frame Relay traffic shapingFrame Relay Traffic Shaping Undo Fr traffic-shaping Rate Frame Relay Queueing Management Frame Relay Traffic Policing 150 Kbps 100 Kbps CI R ALLOWº£ 64 Kbps Frame Relay Congestion Management Frame Relay DE rule list Configure Frame Relay Traffic Shaping By default, no Frame Relay class is createdConfigure the Frame Relay class parameters Undo fr-class class-name Enable/Disable the Frame Relay traffic shaping Configure the parameters of Frame Relay class Enable/Disable the Frame Relay traffic policing Queue-percentage Dequeue-percentage Configure the Frame Relay PVC queueing Configure Frame Relay DE Rule ListConfigure Frame Relay Queueing Management Configure Pipq Configure a tunnel interface Configure Frame Relay over Other ProtocolsConfigure Frame Relay over IP Configure Frame Relay switching Frame Relay over Isdn Operation Process and Fundamentals Networking of a typical Frame Relay over Isdn application Back-to-back connection between DTE and DCE devices Frame Relay switching connection between DTE devicesPhysical Connection Between Frame Relay over Isdn Devices Configure Frame Relay over Isdn Configure the Frame Relay-related commands Dlci Configure the commands related to Frame Relay switchingConfigure the link layer protocol of the interface Display and Debug Frame Relay Configure parameters related to dialer profilesDisplay and debug Frame Relay Isdnsubaddress Type number dlci Number dlci dlci-numberNumber interface serial Mfr number Interconnect LANs via Frame Relay Network Typical Frame Relay Configuration ExampleConfigure static address mapping Router-Serial1fr map ip 202.38.163.251 dlci Interconnect LANs via Private Line Configure local virtual circuitRelay FRF.16 Router-Serial1ip address 202.38.163.253 Example FRF.9 Create a MFR interfaceBundle Serial 0 and Serial 1 to mfr Them FRF.12 III. Configuration Procedure 1 Configure Router aIII. Configuration Procedure 1 Configure RouterA Fragment between them Router-fr-class-96ktraffic-shaping adaptation becn IP ConfigurationRouterfr class 96k Typical Frame Relay over Configure Frame Relay over IP Configure IP interface Ethernet0Configure tunnel interface Router-Serial0fr interface-type dce Router-Dialer0dialer number Router-Dialer0dialer call-in Configure the Frame Relay parameters on Bri0Router-Bri0fr map ip 110.0.0.2 dlci Router-Dialer0fr interface-type dce Configure the Frame Relay-related parameters on Bri0 Configure Frame Relay SVCs Router-Serial1.1ip address 130.0.0.2 Fault 4 Frame Relay data cannot be transmitted across Isdn Fault Diagnosis Troubleshooting Frame RelayFault 1 the physical layer in Down status Configuring Frame Relay By default, the link layer protocol of the interface is PPP Configure HdlcConfigure Hdlc Display and Debug Hdlc Configure the link layer protocol of the interface to Hdlc Enable Hdlc packet debugging Debugging Hdlc Packet Interface Bridge Overview Configure Bridge’s Routing FunctionTypical Bridge Configuration Bridge Overview Obtain address table Main Functions of Bridging Bridge Overview Forward and Filter Final bridging address table Eliminating loop Filter not forward Preliminary examination state of bridging loops Spanning Tree Topology Bpdu Forwarding Mechanism Spanning tree topology Enable/Disable bridging functions Configure Bridge’s Routing FunctionBy default, disable bridging functions Bridge enable Add ports to a bridge-set Configure static address table entriesSpecify the STP version supported by the bridge-set Mac-address Disable/Enable STP on ports Enable/Disable forwarding by using dynamic address tableConfigure the aging time of dynamic address table Configure the bridge port priority Configure the bridge priorityConfigure the path cost of bridge port Configure the interval for sending BPDUs Configure the forward delay for the port status transition Configure the Max age of Bpdu Create ACLs based on varied Ethernet encapsulation formats Acl acl-number Bridge-set Enable/Disable bridge’s routingConfigure a bridge-template interface Link-set Define a link-setShare load by source MAC address Bridgebridge-set link-set link-set Define a dialer list Configuration on the interfaceMap the bridge address to Dlci Display and debug bridge Typical Bridge ConfigurationDisplay and Debug Bridge Transparent Bridging Multiple LANs Router-Serial0bridge-set 1 stp disable Configure Router aConfigure Router B Transparent Bridging over Frame Relay Transparent bridge over the Frame Relay Router-Serial1dialer route bridge broadcast Connected are failed Asynchronous Dial-inStandby Please refer to Figure Bridge-Template interface Networking of bridge-template interface Bridging on Sub-Interfaces Networking for bridging on sub-interfaces Router-Serial1bridge-set 1 link-set Link-Set Configuration I. Networking RequirementsRouterbridge enable Routerbridge 1 stp ieee Network Protocol 316 Configuring IP Address IP address classes and ranges Network IP network range Description Class Sub-net classification of IP address Configure master IP address of an interface Configure IP Address Configure IP Address for an InterfaceBy default, the interface has no master IP address Ip address ip-address mask Delete slave IP address of an interface Configure slave IP address of an interfaceIp address ip-address mask Mask-length sub Undo ip address ip-address Introduction to IP address unnumbered By default, the interface has no negotiating IP addressConfigure IP Address Unnumbered for an Interface Set negotiable attribute of IP address for an interface Configure IP address unnumbered Configuration Example I. Configuration RequirementsConfigure routing to Ethernet segment of Shenzhen router R1 Borrow IP address of Ethernet interface Router-Ethernet0ip address 172.16.20.1 Configure router R1 of Shenzhen subsidiaryBorrow IP address of Ethernet Router ip route-static 0.0.0.0 0.0.0.0Page Configuring IP Address Undo arp static ip-address Define a static ARP mappingArp static ip-address Arp dynamic ip-address Name Resolution Configure DomainName Resolution Display and Debug ARP Display ip host Display and Debug Domain Name ResolutionDisplay and Debug domain name resolution Interface-number.subinterface-number Create Ethernet subinterfaceSpecify the Vlan on which Ethernet subinterface is located Vlan-type dot1q vid vlan-id Display and Debug Display and Debug Vlan Configure IP address of Ethernet subinterfaceTypical Vlan Configuration Example Display vlan Troubleshooting The steps below can be taken Configure IP address for the subinterfaceConfigure Vlan information of LAN Switch Router-Ethernet0.1ip address 3.3.3.8 Dhcp vs Bootp Dhcp Server ConfigurationFault Ping Two PCs, but fails to ping them through Background of the Dhcp development Dhcp server Dhcp clients Occasions in which Dhcp server is appliedFollowing figure Dhcp client logs into the network again Dhcp Server Configuration Undo Dhcp enable Enable/disable the Dhcp serviceDhcp Enable Dhcp server ip-pool pool-name Network ip-address Configure the statically binding IP address and MAC addressNetmask Low-ipaddress high-ipaddress Low-ipaddress high -ipaddress Configure the domain names of Dhcp clients By default, the IP address of DNS is not configuredConfigure the gateway router address of client Configure the DNS addresses in a Dhcp address pool Nbns-list ip-address1 Set the type of NetBIOS node for Dhcp clientSet the type of NetBIOS node for Dhcp client Ip-address2 ... ip-address8 Display and Debug Dhcp Server Use reset, debugging and display command in All viewsConfigure Dhcp self-defined options Display and Debug Dhcp servers Router dhcp server forbidden-ip III. Configuration Procedures 1 Enable the Dhcp serviceRouter dhcp enable At the client, use ipconfig /releaseall Router-dhcp2nbns-list Router-dhcp2gateway-list Ip relay-address ip-address Configure interface relay addressOperation Command Configure interface relay address Delete interface relay address IP address from Dhcp server through application Dhcp Relay Configuration RequirementDhcp Relay Available on Dhcp server Configure Dhcp relay router Networking diagram of an Dhcp relay configuration example Fault 2 fail to forward transparent transmission protocol Private Network Address and Public Network Address Under which condition should the address be translated Mechanism of Network Address Translation NAT Characteristic of Network Address Translation NATRole the Network Address Translation NAT plays End-addr pool-name Configure address poolPerformance of Network Address Translation NAT Pool-name Undo nat outbound acl-number Nat outbound acl-numberAddress-group pool-name Undo nat outbound Nat server global global-addr global-port Configure the Internal ServerConfigure the Timeout of address translation Www inside inside-addr inside-port any Typical NAT Configuration Example Display and Debug NAT Display and debug NAT Set internal FTP server Configure address pool and access listAllow address translation of segment at 10.110.10.0/24 Set internal WWW server Configure a default route to serial Configure address access control list and dialer-listConfigure dial-up property for the interface Correlate the address translation list and the interface Fault 2 Internal server abnormal Configuring IP Application Configure maximum transmission unit on an interface Configure IPTo configure IP performance, carry out the following steps Performance Configure TCP Tcp window size Configure Fast Forwarding Forwarding Perform the following configuration in system viewDisplay and Debug IP Display and Debug Fast Display and Debug fast forwarding Router info-center enable Router debugging tcp event Troubleshooting IP Performance ConfigurationRouter info-center enable Router debugging tcp packet Configuring IP Count Ip count enable IP Count ConfigurationEnable/Disable IP Count service Undo ip count enable Specify count maximum of exterior Configure IP Count on an interfaceConfigure IP Count list Specify count maximum of interior By default, IP Count entries time out after 720 minutesCount Display and debug IP Count Information is displayed IV. Test ProcedureNot been configured on the interface of the router Configuring IP Count Configuring IPX IPX address SAP Configure relative parameters of IPX SAP Configure IPXModify length of service information reserve queue Its first Ethernet interface as its node address Enable/Disable a Default Route Enable IPX interfaceConfigure IPX RIP static route Perform the following task in interface view Configure the maximum size of RIP update packet Configure RIP updating periodConfigure RIP aging period Configure the maximum number of IPX parallel route Configure length of route reserve queue Configure static service information table item Configure reply to SAP GNS request Configure SAP aging periodConfigure size of SAP maximum updated message Ipx sap timer update seconds Configure Using touch-off for an interface Disable split-horizon Modify Encapsulation Format of IPX Frame on Interface Configure the delay of interface sending IPX packetsConfigure management of IPX packet Encapsulation format of IPX frame Configure Router a a Activate IPX Display and Debug IPX Display and Debug IPX Configure an information about Server2 file service Configure an address map to Router BConfigure a static route to network ID Configure an information about Server2 directory service Configure an information about Server1 directory service DLSw Protocol Init-window-size max-frame Configuration of DLSwCreate DLSw local peer entity Max-frame-size max-window Configure Bridge set connecting to DLSw Create DLSw remote end peer entity Configure to add ethernet port to Bridge set Configure Sdlc role Sdlc-address Configure Sdlc virtual MAC addressConfigure Sdlc address Controller sdlc-address Add synchronous Interface to Bridge set Configure Sdlc peer entityConfigure XID of Sdlc Baudrate Configure to stop running DLSwConfigure baud rate of synchronous Interface Configure LLC2 local acknowledgement delay time Configure Idle time encoding mode of synchronous InterfaceConfigure parameters of DLSw timer Mseconds Configure LLC2 premature acknowledgement window Configure modulo value of LLC2 Configure Busy status time of LLC2 Configure retransmission number of LLC2Configure LLC2 local acknowledgement time Configure P/F wait time of LLC2 Configure Queue Length of Sending Message of Sdlc Configure REJ status time of LLC2Configure queue length of sending message of LLC2 Configure Sdlc local acknowledgement window Configure poll time interval of Sdlc Configure maximum receivable frame length of SdlcConfigure retransmission number of Sdlc Lsap Configure SAP address for transforming Sdlc to LLC2Configure data bi-directional transmission mode of Sdlc Dsap DLSw Typical DLSw Configuration ExampleDLSw Configuration Networking Requirement IP across WAN DLSw Configuration Router a ConfigurationRouter B Configuration Router dlsw local Networking diagram of DLSw configuration of SDLC-SDLC Networking Diagram of SDLC-LAN Diagnosis DLSw FaultWhen using command display dlsw remote Virtual circuit cant attain Connected state Diagnosis and Troubleshooting of DLSw Fault Configuring Dlsw VI Routing 404 IP Routing Protocol IP Routing Protocol Routing Protocol and Routing Priority Routing Protocol or Type Corresponding Routing Priority Ospf ASE Configuring Static Routes Default Route Configure a Static Route Configuring a Static RouteConfiguring a Static Route Transmitting interface or next hop address Preference Configuring a Default RouteDisplaying Debugging Routing Table Other parameters Other Troubleshooting aStatic Route RIP Overview Configure RIP Features is not subject to whether RIP has been enabled Enable RIP at the Specified Network Enabling RIP Specify RIP Version By default, the interface runs RIP-1Define a Neighboring Router Peer ip-address Disable a Host Route RIP Version 1 enables zero field check by defaultConfigure Check Zero Field of RIP Version Specify the Status of an Interface Summarization for RIP Authentication onEnabling Route Version Configure Route Import for RIP By default, the default route metric for RIP isConfigure RIP Horizontal Segmentation on the Interface Specify a Default Route Metric Value for RIP Specify Additional Route Metric Value for RIP Configure filtering route information received by RIPDistribution for RIP Set Route Preference Filter the Routing Information Being Advertised by RIP Reset RIPDisplaying and Debugging RIP Display and Debug RIP RIP Unicast Ospf Overview Ospf Configuration ExampleOspf Overview Displaying and Debugging Ospf Configuring Ospf Router id router-id Enable OspfSpecify Router ID Undo router id Area area-id By default, Ospf is disabledArea-id Ospf network-type broadcast nbma Configure the Network Type of the Ospf InterfaceConfigure Sending Packet Cost P2mp P2p Configuring a Peer for the Nbma Interface Cost Ospf Dr-priority value Operation Command Set the priority of the interface whenSpecify the Router Priority Undo Ospf dr-priority Specify Hello Intervall Specify Dead Interval Specify Retransmitting Interval Configuring a Stubby Area and a TotallySpecify Transmit-delay Stub cost cost area area-id Perform the following configuration under Ospf viewConfigure Totally Stubby Area of Ospf No-summary Perform the following configuration in Ospf view Configure an Nssa Area of Ospf Area-id advertise notadvertise Configure Route Summarization Within Ospf DomainAbr-summary address mask mask area Undo abr-summary address mask mask Create and Configuring a Virtual Link Area-id None Router-id None Configure Authentication Key-id Configure Route Import for Ospf Configure Parameters When Importing External Routes Debugging Ospf Configure filtering route information received by OspfDisplaying Filter for Ospf Router D 201 Router B 301 302 Router C 1.3 Ospf Configuration ExampleConfiguring Ospf on the Point-to-Multipoint Network RouterA-Serial0ospf network-type p2mp Enable OspfRouterC ospf enable RouterB-Serial0ospf network-type p2mp Configure DR on Ospf Preference E0 192.1.1.2/24 E0 10.1.2.3/24 1.1 4.4 E0 192.1.1.1/24E0 192.1.1.4/24 2.2 3.3 RouterA display ospf peer RouterD display ospf peer RouterB-ospfVlink peer-id 3.3.3.3 transit-area To configure an Ospf virtual link Configure Router aBetween Router B and Router C To configure Ospf peer authentication Configure Router a Normally Troubleshooting anOspf Configuration Ospf Configuration Example Configuring Ospf BGP Overview BGP Configuration ExampleBGP Overview Displaying and Debugging BGP Configuring BGP By default, BGP is disabled Resetting BGP Connections Enabling BGPPerform the following configurations in system view Perform the following configurations in BGP view Configure BGP Route-update Interval Configure the BGP Version of the PeerSet the Timers for BGP Peer Configure the Peer to be the Client of the Route Reflector Configure to distribute default route to the peerConfigure to Send Community Attribute to the Peer Configure to Distribute Default Router to the Peer Create a BGP Route Filtering Based on AS Path for the Peer Create a Fltering Policy Based on Access List for the PeerConfigure the BGP MED Metric Allow Comparing Path MED Timers keepalive-interval Configure the Local PreferenceConfigure the Keepalive Timer and Holdtime Tmer for BGP Holdtime-interval Peer group-name By default, there is no BGP peer in a peer groupAdd a Peer to the BGP Peer Group Group-name Set the Timers of BGP Peer Group Configure AS Number of BGP Peer GroupConfigure Connection Between Peers Indirectly Connected Configure BGP Routing Update Sending Interval Create Routing Policy for Peer Group Configure to send the default route to the peer groupConfigure to Send the Default Route to the Peer Group Create an Aggregate Addresses By default, software accepts BGP VersionConfigure BGP Version of Peer Group As-set By default, an aggregate is disabledAggregate address mask Undo aggregate address Undo reflect between-clients Reflect between-clientsClients within the reflection group Standard-community-list-number Configure the Cluster IDConfigure BGP Community Extended-community-list-number As-number … Configure a ConfederationConfigure the Sub-system of E Confederation Schematic diagram of route dampening Display Route Flap Information Configure Route Import for BGP By default, BGP synchronizes with IGPIs insured When AS is not a transitional AS Configuring Still exists Define an AS Path-list entry Define an access list entryEntry, an AS Path-list Define a routing policy Define an apply clause Perform the following configurations in Routing policy viewDefine a match rule Filter for BGP Filter Routing Information Being Advertised by BGP Reset BGP ConnectionsDebugging BGP Display and Debug BGP As-regular-expression acl BGP ConfigurationProcedure for each configuration Acl-number network-address Networking diagram of configuring AS confederation RouterB-Serial1ip address 193.1.1.2 Configure Router B Configure BGP peersRouterA-bgppeer 192.1.1.2 as-number RouterC-ospfinterface serial Configure Router D Configure BGP peers Specify BGP transmission network Configure peerStart BGP RouterA-acl-1rule permit source 1.0.0.0 RouterC-acl-1rule permit source 1.0.0.0 RouterC-bgppeer 193.1.1.1 route-policy localpref import RouterD-ospf network 4.0.0.0 0.0.0.255 area 0 RouterD bgp Configuring BGP IP Routing Policy Configuring IP Routing Policy Policy Configure IP RoutingOperation Command Define a routing policy and enter into Define a Routing Policy Configure a Matching Rules No-export addtive none Define a Setting ClauseApply community aa nn Apply tag tag-value Tag tag-value type 1 Configure Route ImportRoute-policy route-policy-name Ge-value less-equal le-value Define an IP Prefix ListIp ip-prefix prefix-list-name OSPF-ASE external route discovered by Ospf protocol Perform the following configurations in all viewsDebugging IP Routing Policy BGP route discovered by BGP protocol Routing Policy Configuring IPWith different weighting values Protocol Route Information Normal operation Troubleshooting IPConfigure RIP protocol Routerip ip-prefix p1 permit 192.1.1.0/24 Configuring IP Routing Policy Routing Configuring IP PolicyIP Policy Routing Define Apply Clause Create a Routing PolicyDefine Match Rules Displaying Debugging IP Policy Routing By default, interface policy routing is disabledEnable/Disable Interface Policy Routing Interface Policy Routing Router-acl-101rule deny tcp source any destination any Suggested procedure for each configurationDefine access list Router-acl-102rule permit tcp source any destination any RouterA-Ethernet0ip policy route-policy lab1 Adopt policy aaa in Ethernet interfaceRouter-Ethernet0ip policy route-policy aaa RouterB-ripnetwork RouterAdebugging ip policy-routing IP Multicast Configuring Igmp Configuring PIM-DM Configuring PIM-SMChapter 498 IP Multicast Class D address range Meaning Range and Meaning of Class D AddressesList for Reserved Multicast Addresses IP Multicast Routing Protocols IP Multicast Application IP Multicast PacketIP Multicast IP Multicast Igmp Overview Configuring IgmpIgmp Configuration Example Igmp Overview Configuring Igmp Configure Igmp Maximum Query Response Time Make the following configuration in interface viewConfigure the Igmp Version Number Run at Router Interface Displaying and Debugging Igmp Igmp ConfigurationDebugging command in system view to debug Igmp Interfaces are all fast Ethernet FE Router a Router B Configuring Igmp Configuring PIM-DM Enable Multicast Routing Make the following configuration in the system viewBy default, the system disables the multicast routing Operation Command Enable multicast routing Display and Debug PIM-DM Start/Disable PIM-DM ProtocolDisplaying and Debugging PIM-DM Group-address source-address Enable PIM-DM protocol PIM-DM ConfigurationEnable multicast routing protocol Receiver 2 are the two receivers of this multicast group PIM-SM Overview PIM-SM Configuration Enabling Multicast Routing Configure Candidate BSR By default, the interface disables PIM-SM protocolEnable/Disable PIM-SM Protocol Configure Candidate RP Configure PIM-SM Domain Boundary By default, no interface is configured to be candidate RPBy default, no PIM-SM domain boundary is configured Use the pim command in system view to enter PIM view Debugging PIM-SM RouterA multicast routing-enable RouterA interface ethernet Configure Router a Enable PIM-SM protocolConfigure Router B Enable PIM-SM protocol RouterA-pimspt-switch-threshold 10 accept-policy Neighbors have discovered each other Display pim neighbor command can be used to check whetherFollow these steps RouterB-acl-5rule permit source 225.0.0.0 Configuring PIM-SM Viii Security 524 Access Security Terminal AccessConfiguring Terminal Configuring a User Configure EXECLogin Authentication Configure the authentication method list of Exec users Enable AAAConfigure Radius server and the shared secret Configuring Terminal Access Security AAA Overview Radius Overview Components of Radius server Basic message interaction process of Radius Code Packet type Explanation of the packet Request Authenticator Adopts 16-byte random codeType of Packets Decided by Code Field Attribute Fields Configure AAA Login Authentication By default, AAA is disabledAAA Enable/Disable AAA Server-template-name method1 Default methods-list method1 Configuring an Authentication Method List for PPP UsersConfigure PPP Authentication Method List of AAA Default methods-list Configure AAA Accounting Option By default no address pool is defined by the systemConfigure AAA Local-First Authentication Configure Local IP Address Pool Configure Callback User By default pool-number isConfigure a User and Password Configure Ordinary User and Password Configure Callback User and the Callback Number Configure User with Caller NumberConfigure FTP User and the Usable Directory Configure User with Caller Number Configure Authorizing a User with Usable Service Types Authorize a User with Usable Service TypesConfigure FTP User and the Usable Directory Directory Configure Radius Server Shared Secret Configure Radius Server Shared SecretBy default, no key is configured for the Radius server Radius server hostname ip-address Configure the Request Retransmission Times Configure the Time Interval for the Inquiry Packet Displaying Debugging AAA Accessing UserAuthentication Case AAA and Radius Router aaa authentication-scheme local-first Configure IP address and port of Radius serverConfigure local-first authentication Routerradius server Troubleshooting AAA Radius Can Users Radius authentication is always rejectedConnected user cannot be seen in display aaa user Configuring AAA and Radius Protocol Firewall Overview Classification of Firewalls Packet filtering schematic diagram Command format when the protocol is TCP or UDP Extended access control listCommand format when the protocol is IGMP, IP, GRE or Ospf Operators of the Extended Access Control List Mnemonic Symbol of the Port Number Protocol Mnemonic Symbol Meaning and Actual Value UDP Operator and Syntax Meaning Configure the match sequence of access control listMnemonic Symbol of the Icmp Message Type Firewalls are disabled by default Configure FirewallEffect Perform the following configurations in system view Firewall Configure Standard Access Control List Configure Extended Access Control List Set Default Firewall Filtering Mode Enabling and disabling filtering according to timerangeConfiguring Special Timerange Destination dest-addr dest- wildcard Set Special Time Range Enable/Disable Filtering According to TimerangeSet special time range Settr begin-time end-time Specify Logging Host Use debugging, reset and display commands in all viewsDisplaying and Debugging Firewall Display and Debug Firewall Routerfirewall enable Enable firewallConfigure access rules to inhibit passing of all packets Routerfirewall default permit Router-Serial0firewall packet-filter 102 inbound Apply rule 102 on packets coming in from interface Serial0Router-Ethernet0firewall packet-filter 101 inbound IPSec Protocol IPSec Message Processing IPSec Related TermsFollowing terms are important to an understanding of IPSec Creating an Encryption Configuring IPSecAccess Control List Create Encryption Access Control List Operator port1 port2 Set the output of the crypto card log Configure Ndec Cards Enable the crypto cardsBy default, all the crypto cards are enabled Set the Mode for Security Protocol to Encapsulate Messages By default, no proposal view is configuredEnable/Disable the Host to Backup the Ndec Cards Define IPSec proposal Select Security Protocol Selecting the Encryption Authentication AlgorithmDefault mode is tunnel-encapsulation mode Select Security Protocol Select Encryption Algorithm and Authentication Algorithm Creating a Security Policy Perform the following configurations in IPSec policy view By default, no security policy is createdConfigure access control list quoted in security policy Set start point and end point of security tunnel Set IPSec proposal quoted in security policy By default, the security policy quotes no IPSec proposalConfigure IPSec Proposal Quoted in Security Policy Set SPI of security policy association and its adopted key Configure Key Used by Security Policy Association By default, no key is used by any security policyConfigure SPI Parameters of Security Policy Association Hex-key Creating a Security Policy Association with Set access control list quoted by security policySet end point of security tunnel Specify End Point of Security Tunnel Proposal proposal-name1 Set the IPSec proposal quoted in security policySet SA lifetime Proposal-name2...proposal-name6 Configure Global SA LIfetime Configure a separate SA lifetimeBy default, apply the global SA lifetime Configure Separate SA LIfetime Apply Security Policy Group on Interface Use debugging, reset and display commands in all viewsDebugging IPSec Ipsec sa dynamic-detect Dest-address protocol spi Reset crypto cardDisplay and Debug IPSec Displaying and Debugging the crypto card IPSec Configuration ExampleUse the debugging, reset and display command in all views Creating an SA Manually Quote access list Adopt tunnel mode as the message-encapsulating formSelect authentication algorithm and encryption algorithm Create the IPSec proposal view named tran1 Apply security policy group on serial interface Configure the routeCreate a security policy with negotiation mode as manual Exit to system view Set remote addresses Create a security policy with negotiation mode as isakmpCreate the IPSec proposal view named trans1 Configure serial interface Serial0 Configure ip address of the serial interfaceConfigure corresponding IKE Create a security policy with negotiation view as isakmp Return to system view Establish a security policy with manual negotiation modeAdopt tunnel module for packets encapsulation form RouterB ike pre-shared-key abcde remote Set encryption key Enter Ethernet interface view and configure IP addressSet local address Apply security policy base on serial port Return to the system view Establish a security policy with manual configuration modeTroubleshooting IPSec Ndec card cannot be configured RouterB ipsec policy map1 10 manual Do the following Configuring Ipsec Configuring IKE Policy Configuring IKEIKE features View Delete IKE policy Create IKE PolicyIke proposal policy-number Undo ike Configure Pre-shared Key Selecting an Authentication AlgorithmSelect Authentication Method Select Encryption Algorithm Select DH Group ID By default, 768-bit Diffie-Hellman group is selectedSelect Hashing Algorithm Set Lifetime of IKE Negotiation SA Displaying and Debugging IKE Configure IKE Keepalive TimerReset ike sa connection-ike-sa-id Display and Debug IKE IKE Configuration Invalid user ID information Unmatched policy Unable to establish security channel Configuring VPN Configuring L2TP Configuring GRE IX VPN 596 VPN Overview Classification of IP Basic NetworkingApplications of VPN Authority given by local ISP Comparison of layer 2 and layer 3 tunnel protocols Layer 2 tunneling protocolLayer 3 tunneling protocol Configuring VPN Vpdn and L2TP Vpdn Operation Methods of Implementing Vpdn L2TP channel Networking diagram of two typical methods of Vpdn Tunnel and session IV. Call setup flow of L2TP tunnel Control message and data message Features of L2TP Call setup flow of L2TP channel Enable/Disable L2TP Basic Configuration atEnable L2TP L2tp enable Ip-address … domain domain-name Originate L2TP Connection Request and LNS AddressL2tp-group group-number Default list-name method1 By default, L2TP is disabledConfigure AAA and Local Users L2TP Attribute Table Create/Delete L2TP Group Operation Command Create a L2TP groupOperation Command Create a virtual template Create/Delete a Virtual Template Configure the Name of the Receiving End of the Tunnel Advanced Configuration at LAC or LNSBy default, receiving dial-in from LAC is disabled Configure Local VPN Users Set Local Name Enable Tunnel Authentication Setting PasswordBy default, the local name is the host name of router Tunnel name name Set the Interval for Sending Hello Message Configure the Interval For Sending Hello MessagesSet Tunnel Authentication and Password Set Domain Name Delimiter and Searching Order Configure Domain Delimiter and Searching OrderForce Reset l2tp tunnel remote-name This configuration is applicable to LNS onlyOperation Command Force to disconnect tunnel Force to Disconnect Channel LCP to Renegotiate Configure the Local Address and Address PoolLCP does not renegotiate by default Enable/Disable Hiding AV Pairs Enable/Disable Hiding Attribute Value Pairs AVBy default, AV pairs are hidden Number of L2TP Sessions Use debugging, display command in all views L2TP Configuration ExamplesBy default, the maximum number of L2TP sessions is Display and Debug L2TP Enable L2TP service and configure a L2TP group Implement local AAA authentication on VPN userConfigure the IP address of Serial1 interface of LAC Configure BDR dialup parameters Configure the IP address of Serial0 interface of LNS Configure the Virtual-Template-related information Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Client-originated VPN Networking Router-LACip pool 1 192.170.0.3 Configure the IP address of Serial0 interface at LNS side Configure the IP address of Serial1 interface at LAC sideConfigure BDR parameters Disable tunnel authentication Network Connection Wizard Network Connection Wizard Connect Connection to Configure the domain suffix separator to @ Configure an IP address on Serial0 interfaceConfigure a L2TP group and the related attributes Router1 l2tp domain suffix-separator @ Force to implement local Chap authentication Enable AAA authenticationConfigure Virtual-Template III. Procedures Configure an address pool 1 in the range of 192.168.0.2 to Configure a L2TP group and configure the related attributesConfiguration at Router2 LNS side Enable AAA authentication Configure an access control list and specify L2TP data Fault 1 The users fail to log PPP negotiation fails. The reasons may be Troubleshooting L2TP Configuring L2TP Packet GRE ProtocolEncapsulation Encapsulated tunnel message format Refer to RFC Enlarge network operating range Creating a Virtual Tunnel Interface Configuring GREBy default, no virtual tunnel interface is created Create Virtual Tunnel Interface Perform the configurations in the tunnel interface view Address of a Tunnel Must be configured InterfaceSetting the Network Address of the Tunnel Set the Tunnel to Synchronize Datagram Sequence Numbers Number discardedSet Tunnel Interface to Check with Checksum Gre key key-number Debugging GRE GRE Configuration ExampleGroup1 and group2. It can be implemented by using GRE All views Configure the IP address of Ethernet0 interface Configure Router B Configure the IP address of Serial0 Configure the static route to Novell Group2 Configure Router a Activate IPXConfigure the IP address and IPX address of Ethernet0 Configure Router B Activate IPX Networking of troubleshooting GRE RouterB ipx route 1e 1f.a.a.a tick 30000 hop Configuring a Standby Center Configuring Vrrp 646 Configuring Standby Center Standby Center Fr map protocol address dlci dlci Enter the Logic Channel ViewAddress logic-channelnumber Next-hop-address dialer-number Undo standby timer enable-delay Channel to check whether it has recoveredStandby timer enable-delay seconds Standby timer disable-delay seconds Interfaces Please perform the following configuration in all viewsLoad Sharing view Enter the view of Serial Router-logic-channel10standby interface serial Enter the view of logic channelChannel Router-Serial1logic-channel Vrrp Overview Vrrp Configuration ExamplesTroubleshooting Vrrp Vrrp Overview Address Configuring VrrpAdding a Virtual IP Vrrp vrid virtualrouterid Configure Router Priority in Standby GroupAdd Virtual IP Address Undo vrrp vrid virtualrouterid Configure Authentication Method and Authentication Key Configuring Authentication Method Authentication KeyVrrp provides simple character authentication method Virtualrouterid Debugging Vrrp Configure StandbyGroup Timer Monitoring Backup with preemption aII. Networking diagram Vrrp ConfigurationProcedure for each configuration Vrrp Single Standby Gateway function as the master Gateway services insteadBalancing and mutual backup are implemented Multiple Standby There is requent switchover of the Vrrp state Many master routers exist within the same standby group XI QOS 662 Three Types of QoS Services QOS Overview QOS Overview Benefits of QoS for the Network Service QOS Overview Traffic Classification Traffic Policing Traffic POLICING, Traffic Shaping and Line Rate Committed Access Rate CAR Qos carl carl-index precedence Defining RulesDefine CAR Rules Precedence-value mac mac-address Apply the CAR Rule on the Interface By default, no CAR rule of ACL list is establishedApplying the CAR Policy on the Interface Displaying and Debugging CAR CAR Configuration Applying a CAR Policy to all PacketsConfigure the Priority Level Based CAR Policy Display and Debug CAR Configure the CAR Policy Based on the MAC Address Matches ACL Traffic ShapingApply a CAR Policy on the Packets that Match ACL Packets Configuring shaping parameters for a specified flow Schematic diagram of GTS processing Shape the flows matching 110 on Ethernet interface Configuring shaping parameters for all flowsConfigure the ACL Rate Configure the Physical Interface LIne RatePhysical Interface Line Shape all the flows on Ethernet interface Display qos lr interface type Operation Command Display the LR configuration conditionsDisplaying Display and Debug LR Debugging LR Congestion Management Fifo Queuing CongestionManagement Policy Priority Queuing Selecting Congestion Management Policies Comparison of Several Congestion Management Policies Number Queues Advantage Disadvantage Schematic diagram of the first in first out queue Schematic diagram of the custom queuing Weighted Fair Queuing WFQ Schematic diagram of weighted fair queuing Configuring priority queuing Configuring Congestion ManagementConfiguring Fifo Queuing Configure the First In First Out Queuing Protocol-name queue-option queue By default, no priority queue is establishedValues of Queue-Option with Protocol as IP Pql-index protocol Specifying the queue length of the priority-list queuing By default, the interface utilizes the Fifo queueApplying the priority-list queuing group to the interface Default Length Value of the Priority Queue Configuring custom-list queuingConfiguring Custom Queuing CQ Displaying and debugging the priority queue Queue-number Configure the Custom-Lst Queuing According to the InterfaceConfigure the Default Custom-List Queuing Queue queue-number Configure the Queue Length of the Custom-List Queuing By default, the interface uses the Fifo queueConfiguring the queue length of the custom-list queuing Applying the custom-list queuing group to the interface Displaying and debugging the custom-list queue Configuring Weighted fair queuingDisplaying and debugging the weighted fair queue Apply the priority queue 1 to Serial Congestion Management Configuration ExamplesPQ Configuration Example Apply the priority queue 2 to Serial RouterA-Tunnel0ip address 10.1.1.1 Configure the CQ queueConfigure Router B Configure the access control list RouterA-Tunnel1destination Configure Tunnel1 Configure Serial0 master/slave addressesConfigure Tunnel0 WFQ Configuration Example Congestion Management Congestion Avoidance Congestion Avoidance Enable Wred Wred ConfigurationEnable the Wred Function of the Interface Discard-prob Ip-precedence Enable Wred Congestion Avoidance Configuration ExampleConfigure a WFQ queue Displaying Debugging Congestion Avoidance Congestion Avoidance Configuring DCC Configuring Modem XII DIAL-UP 704 Terms in DCC Configuration DCC Overview Circular DCC DCC Resource-Shared DCC Implementing callback through DCC Basic DCC featuresWith 3Com Routers Prepare the data for DCC configuration Configuring DCCPreparing to Configure Configure the local parameters of DCC Linklayer-protocol-type Configuring the mode of the physical interfaceConfigure Physical Interface Mode Ip address ipaddress mask Associating a DCC dialer ACL with the interface Configuring an interface to originate calls to a remote end Dialer number dial-number Configure an interface to receive calls from a remote endDialer enable-circular Undo dialer number Next-hop-address dial-number DialerRoute protocol Undo dialer route protocol Next-hop-address Undo dialer circular-group Undo interface dialer numberDialer circular-group number Dialer priority priority Dialer circular-group number Interface dialer numberUndo interface dialer number Undo dialer circular-group Router Dialer0 By default, no dialer interface is created Configuring dialing authentication for resource-shared DCCConfiguring the dialer interface and dialer number Enabing Resource-Shared DCC Configuring dialing authentication for resource-shared DCC Threshold traffic-percentage Configuring MP binding in circular DCCConfigure MP Binding in Circular DCC Configure MP Binding in Resource-Shared DCC Configuring MP binding in resource-shared DCCConfiguring PPP callback in the circular DCC implementation Dialer threshold traffic-percentage Implement PPP Callback Client Configuration in Circular DCC Implement PPP Callback Server Configuration in Circular DCC Next-hop-address user username CommandTelephone-number Dial-number Dialer callback-center dial-number Features of Isdn caller identification callbackPrimary rule The best match is the number with the fewest Undo dialer call-in remote-number Operation Command Configure the local end to implementIdentification Callback according to the Isdn caller Configuring Special DCC Functions Configuring Isdn leased lineConfiguring auto-dial Configure Isdn leased line for Circular DCC Configure Auto-Dial Configuring dialer number circular standbyConfiguring the Link Idle Time Configure Dialer Number Circular Standby Configuring the link idle time when interface competion By default, the link idle time is 120 secondsBy default, the link disconnection time is 20 seconds Configure the Link Idle Time Configuring the buffer queue length of the dialer Configuring the timeout of call setting upBy default, the timeout of call setting up is 60 seconds Debugging DCC DCC Applications in Common Use DCC Configuration ExamplesSolution Router-Serial1dialer circular-group Configure RouterCConfigure RouterB Router-Serial0dialer route ip 100.1.1.1 Router-Serial0dialer bundle-member Router-Serial1dialer bundle-member Configure RouterC Configure RouterC Router-Bri0dialer bundle-member Configure RouterARouter-Dialer0dialer threshold Router-Serial015dialer route ip 100.1.1.1 Router-Bri1dialer route ip 100.1.1.1 Router dialer-rule 1 ip permit Router interface serial Router-Serial1dialer enable-circularRouter-Serial0dialer route ip 100.1.1.2 Router-Bri0dialer route ip 100.1.1.2 user usera By the NT server Configure the PCCallback for DC C NT Server-to-Router Router-Async0dialer route ip 100.1.1.254 Dial Number Circular Standby and Internet Access for DCC Configure subscriber PC Router-Serial0dialer route ip 100.1.1.254 Router-Serial215ppp authentication-mode chap Router-Serial215ppp chap password simple passb Router-Serial1standby logic-channel Remote end cannot be pinged after the modem is connected DCC Fault Messages Message Fault DCC peeraddr matching error Modem Function Provided by 3Com Routers Modem Script Receive-string1 send-string1 receive-string2 send-string2 Syntax description of modem scriptModem script format in common use is as follow By default, modem dial-in and dial-out are allowed Which, seconds defaults to 180 and is in the range of 0 toConfigure the Modem Dial-in and Dial-out Authorities Configure a Modem Script Configure Modem Through the AT CommandConfigure a Modem Script Execute a Modem Script Manually Configure Authentication for a Modem Dial-in User By default, the modem works in non-auto answer modeConfigure the Answer Mode for the Modem Specify the Events Triggering the Modem Scripts Configure a Modem adaptation baud rate Modem Configuration ExamplesExecutethe debugging command in all views for the debugging Displaying and Debugging a Modem AT&b1&c1&d2&s0=0 Restore the ex-factory modem settingsConfigure the modem initialization parameters Directly Power-on Initialization Through Initialization ScriptAuthentication for Modem Dial-in User Troubleshooting Configuring Modem