Configuring IPSec, Creating an Encryption | 3Com 10014299 specification

Configuring IPSec 563

policy with smaller sequence number in the same security policy group is of higher priority.

■ SA (Security Association): IPSec provides security service for data streams through security association, which includes protocol, algorithm, key and other contents and specifies how to process IP messages. An SA is a unidirectional logical connection between two IPSec systems. Inbound data stream and outbound data stream are processed separately by inbound SA and outbound SA. SA is identified uniquely by a triple (SPI, IP destination address and security protocol number (AH or ESP). SA can be established through manual configuration or automatic negotiation. A SA can be manually established after some parameters set by the users at two ends are matched and the agreement is reached through negotiation. Automatic negotiation mode is created and maintained by IKE, i.e., both communication parties are matched and negotiated based on their own security policies without user's interface.

■ SA Update Time: There are two SA update time modes: time-basedduring which SA is updated at regular intervals and traffic-based, during which SA is updated whenever certain bytes are transmitted.

■ SPI (Security Parameter Index): a 32-bit value, which is carried by each IPSec message. The trio of SPI, IP destination address, security protocol number, identify a specific SA uniquely. When SA is configured manually, SPI should also be set manually. To ensure the uniqueness of an SA, you must specify different SPI values for different SAs. When SA is generated with IKE negotiation, SPI will be generated at random.

	■ IPSec Proposal: It includes security protocol, algorithm used by security
		protocol, and the mode how security protocol encapsulates messages, and
		prescribes how ordinary IP messages are transformed into IPSec messages. In
		security policy, a IPSec proposal is quoted to prescribe the protocol and
		algorithm adopted by this security policy.

Configuring IPSec	IPSec configuration includes:
	■ Creating an Encryption Access Control List
	■	Configure NDEC Cards
	■ Enable the main software backup
	■	Defining IPSec Proposal
	■ Selecting the Encryption and Authentication Algorithm
	■ Creating a Security Policy
	■ Apply Security Policy Group on Interface
Creating an Encryption	Matching the encrypted access control list determines which IP packets are
Access Control List	encrypted and sent, and which IP packets are directly forwarded. Encryption
	access control lists are different from the ordinary ones, because the ordinary ones
	only determine which data can pass an interface. An encryption access list is
	defined by an extended IP access list.

For one kind of communication to accept one security protection mode (only authentication, for instance), and another kind to accept a different one (both

Page 567

Image 567

3Com 10014299 manual Configuring IPSec, Creating an Encryption, Access Control List

Contents

3Com Router Configuration Guide 01752-3064 3Com CorporationCampus Drive Marlborough, MAPage VPN This guide describes 3Com routers and how to configure them List conventions that are used throughout this guideText Conventions About this Guide 3Com Router Introduction 3Com Router User Interface Page 3COM Router Introduction Router Version Features of the 3ComFollowing table lists the basic features of the 3Com Router List of the 3Com Router 1.x features RIP-1/RIP-2 NAT Quality of service 3Com Router New Features of the 3Com Router 1.x 3COM Router Introduction Port ConfigurationEstablish Environment Establish a new connection Set port communication parameters Establish a remote configuration environment Router ConfigurationConnection Environment Workstation Ethernet Interface CLI Command Line 3COM Router User Interface Views and their prompts System view Table Enter controller Async 0 in anyEthernet 0 in any Loopback 0 in any Helps Full helpPartial help Routerdisplay ? List of common command line error messagesCommon error Message Causes For example Three options are available for users Command LineFeatures Display Features Management Following commandsPlease perform the following commands in system view User Identity Configure the router name SystemSet the system clock Display the System Information Router By default, the system clock is 080000 1 1Execute the following commands in all views Reboot the system System Management Page Softwaresoftware Storage Media and File Types Supported by the System Input Ctrl+D, and the following prompt information displays Upgrade Boot ROM Software Main Program software Upgrade the 3ComRouter Main Program Software XModem Approach Modify the terminal baud rate Transfer File dialog box Preparation for using the Tftp server Enable the Tftp server programTftp server application can run on Windows 95/98/NT Tftpd32 Set interface Press Enter and the following prompts will be displayed Network Interface Parameters Enter Ctrl+B and the system prompts Get ip-addr file-name system Download configuration files from a Tftp serverOperation Command Downloads the 3Com Router main Press Enter for loading Set an authentication mode for an FTP server Prepare for using the FTP server Enable FTP server Upgrade the 3Com Router Main Software with FTP Copy ip-addr file-name system Back up the 3Com Router Main Program SoftwareTftp Approach FTP Approach Setup Users Dialog Box Password Configure on-line upgrading of the cardUpdate slot slot-number ftpserver host-name Port-number user user-name password Content and Format of the Configuration File Configuration File ManagementDownload Configuration File Perform the following command in system view Set the binary transmission protocol to XModem/CRC Load configuration filesDownload Config Router download config File-name config Display current-configurationcommand output backup approachBack up Configuration Files Upload configuration files to a Tftp server View router configuration Please use the following commands in corresponding views Erase the configuration file in storage media Select and view the storage media of configuration fileSave current configuration Set the Flag Bit to Enter the Initial Setup Mode Files on the router Configure FTPConfigure authentication and authorization of FTP server Client via port 20 and transfer data Set the authentication mode of FTP server Enter the following commands in system viewConfigure Parameters of FTP Service Please enter the following commands in system view Force to shut down FTP process Set FTP update modeSet the connection time limit of FTP service Force to shut down FTP process Display local-user Display FTP Server Display FTP serverDisplay ftp-server Server Display detailed information of the FTP user System Management Overview Terminal ServiceFeatures of Terminal Service at Console Port On one router ServiceSet the attributes of terminal service Terminal Message Enable/disable receiving messages from other terminals Perform the following configuration in all viewsConfigure Terminal Message Service Display Terminal Message Service Typical Example Terminal Message Service Configuration Terminal ServiceDumb Terminal By default, no dumb terminal service is configured Configuration Examples Dumb Terminal ServiceConfigure Dumb Terminal Configure Auto-execute command Router-Serial1auto-execute command telnet Terminal Service Telnet ConnectionConfigure the interface to dumb terminal mode Configure the auto-execute command command Terminal service features of telnet connection Service ValueEstablish Telnet Connection Establish Telnet Server or Telnet Client connection Setup Reverse Telnet ConnectionEnable Reverse Telnet connection Service-port Force to shut down Telnet process Typical Configuration Example of Telnet Reverse TelnetForce shut down Telnet Process Example of Telnet Router telnet 10.110.164.44 Rlogin TerminalUse Rlogin protocol Example of Reverse Telnet Use local user name abc to log on Establish a Rlogin connectionTypical Rlogin Configuration Examples Rlogin ip-address username Access Service PAD RemoteCommunicate with other terminals through the X.25 network Local-user user-name Configure X.25 PAD remote userConfigure X.25 PAD remote user Service-type type password Establish a X.25 PAD call Start AAA authentication of X.25 remote usersEnable AAA authentication for X.25 remote PAD users Establish an X.25 PAD call Set the Response Time to the Invite Clear Message II. Networking DiagramIII. Configuration Procedure Display and Debug RouterB-serial0x25 x121-address Fault Diagnosis TroubleshootingSet its X.121 address as RouterA-serial0x25 x121-address Development of Snmp Snmp Overview Configuring Network Management SNMP-supported MIB Snmp architecture By default, the system disables Snmp service 3Com Router-supported MIBEngineid Configure Snmp version and related tasks Perform the following configurations in system view Interface-number Configure information of router administratorConfigure the traps to be sent by the router V1 username Byte-count Perform the following commands in all viewsDisplay and debug Snmp Name Examples Networking Requirements Example 1 Configure Network Management of SNMPv1Set the community name and access authority Configure an IP address for the Ethernet interface ethernet Configure an IP address for the Ethernet interface ethernet Rmon OverviewNetwork equipment Schematic diagram of Rmon application Examples Networking Requirement Enable Rmon statistics RouterA-Ethernet0 rmon promiscuous Commands to display information of the whole system Test Tool of Network Connection Ping command Ip-address Ping supporting IP protocolSystem displays Ping supporting IPX protocol MaxTTL -p port -q nqueries Following command can be executed in any command modesTracert command Timeout host Log Function Configure on the router Set the direction of syslog outputting log information Set Filter of Log Information Set Severity of Log InformationPerform the following task in system view Sylog-defined severity is as follows Turn on/turn off syslog Configuration of Log HostTurn on/turn off syslog Display and Debug Syslog Routerdebug ppp all Syslog Configuration ExampleTurn on debugging switch of PPP module Routerinfo-center enable Display and Debugging Tools Dial-up POS Access POS Terminal Access Service Advantages of POS network access are as follows POS Network Access POS Access Service Configuration Configure POS access portStart POS server Ip-address port-number Configure a POS applicationInterface-type interface-number App-number Configure POS multi-application mapping table Default app-numberBind the source address of TCP connection Set the parameters of FCM used during Modem negotiation Display and Debug POS AccessDisplay and debug POS access Set the parameters of FCM used during Modem negotiation Configure POS access interface FCM1 Typical Configuration Example of POS Access ServiceConfigure the Ethernet interface Ethernet Configure the POS access interface FCM0 Configure POS access interface FCM2 Configure POS access interface FCM0III. Configuration Procedure 1 Start the POS access server Configure Router a Start the POS access server Configure Async 0 to operate in POS application modeConfigure Async 1 to operate in POS application mode III. Configuration Procedures RouterA ip route-static 10.1.1.2 255.255.255.0 serial Configure Router B Configure the Ethernet interface Ethernet III Interface 106 Configure Interface InterfaceEnter the Interface View Interface-description Exit the Interface ViewInterface view, input quit to return to the system view Set time interval for flow control statistics Interface state information Please use the following commands in all viewsDisplay and Debug Interface Display and debug interface Interface Configuration Overview Ethernet Interface Configure Ethernet Interface Set frame format of sending message Enter view of specified Ethernet interfaceSet IP address Set IPX address Select working rate of fast Ethernet interface Select work mode of Ethernet interfaceEnable or disable internal loopback and external loopback Display and Debug Typical Ethernet Interface Configuration Example TroubleshootingII. Network Diagram Troubleshooting Configuring LAN Interface WAN Interface IntroductionAsynchronous Serial Interface Enter view of specified asynchronous interface Interface async numberInterface serial number Link-protocol slip ppp Set the work mode of asynchronous serial interfaceSet the baud rate of asynchronous serial interface Modem in out Async Mode protocol Flow-control none softwareHardware inbound outbound Stopbits 1 1.5 Works in flow modeParity even mark none Odd space Set the coding format of Modem BackupAUX Interface Set MTU of asynchronous serial interface Synchronous Serial Interface Configure AUX interfaceConfigure AUX interface Configure Synchronous Serial Interface Link-protocol fr hdlc Enter view of specified synchronous interfaceSet the link layer protocol of synchronous serial interface Physical-mode sync Synchronous serial interface is 64000 bps Select work clockWorking modes have different working clocks Set the baud rate of synchronous serial interface Inversion is disabled by default Select work clockSet clock inversion Reverse-rts Internal loopback/external loopback are disabled by defaultDetect dcd Undo detect dcd Graphics and video Isdn BRI InterfaceIdle coding of synchronous serial interface is 7E Technical Background Preparations before Configuration Be clear about the following items before the configurationFunction group includes Interface or a PRI interface Channelized operating modeCE1/PRI Interface Network protocols such as IP and IPX Enter the view for a specified interface Configure CE1/PRI CE1/PRI interface configuration includesDial-on-Demand Routing Interface Enter the synchronous serial interface view Bind the interface to be channel setsNumber set-number Undo pri-set Bind the interface to be a pri setEnter the Isdn interface view Pri-set timeslot-list range Set the frame format of CE1/PRI interface Enable/disable the internal loopback/external loopbackSet the line code format on the CE1/PRI interface Set the line clock of the CE1/PRI interface CT1/PRI Interface Configure CT1/PRI Operation Command Enter the view of CT1/PRI interface Controller t1 numberTimeslot-list range speed Interface serial number23 Set the line code format on the CT1/PRI interface Set the line clock of the CT1/PRI interfaceSet the frame format of CT1/PRI interface Them into multiple channel sets Choice for E1 accessE1-F interface does not support PRI operating mode E1-F Interface Fe1 unframed Set Operating mode for an E1-F interfaceEnter the view of an E1-F interface Interface serial serial-number Set interface rate after binding operation Set line code format for E1-F interfacesSet line clock for an E1-F interface Serial-number Enable/Disable local/remote loopback on an E1-F interfaceSet frame format for an E1-F interface Display and debug E1-F interface 193 X 8k = 1544kbps Choice for T1 accessT1-F interface does not support PRI operating mode T1-F Interface Set line code format for T1-F interface Enable/Disable local/remote loopback on a T1-F interface Set line clock for a T1-F interfaceSet frame format of T1-F interface Display and debug T1-F interface Other related informationCE3 Interface Display and Debug T1-F Enter the view of the specified E3 interface Set the operating mode of CE3 interface Set the operating mode of E1 channelSet E1 frame format Data bandwidth 44736kbps Mode non-channelized modeCT3 Interface 44.736Mbps Set cable length of the CT3 interface Set clock mode of the CT3 interfaceSet clock mode of the T1 channel Enter specified CT3 interface view By default, loopback is disabled Set Frame Format By default, the CT3 interface uses the C-bit frame formatPerform the following configurations in CT3 interface view Set the operating mode of T1 channel Set CRC of the serial interfaceT1 line-number unframed Display and debug of the CT3 interface Disable and Enable CT3 interface Configuring WAN Interface Dialer Interface Logical Interface Null Interface Configure Loopback Sub-Interface Number.sub-number multipoint Configure sub-interfaces of Ethernet interfaceCreate and delete WAN sub-interface Number.sub-number Enter the view of WAN interface Serial0 of router a Select frame relay link layer protocolRouterinterface serial Allocate a virtual circuit with Dlci 50 to it Configure the static route from router a to LAN2 and LAN3Specify DTE as its frame relay terminal type Set its IP address to 202.38.160.1 and address mask to Undo interface Set work parameters of virtual-templateCreate or delete virtual-template Interface virtual-template Virtual-template-number Fault 1 Fail to create virtual interfaceTroubleshooting the reasons may be as follows Display state of the specified virtual-template Link Layer Protocol 164 PPP Overview PPP Authentication Mode Configuring PPP and MP Transmission time of large packets Configure PPPMP Overview For detailed description of PPP, refer to RFC1661 Name-list Configure the link layer protocol of the interface to PPPConfigure the local authenticates the peer in PAP mode Configure the peer authenticates the local in PAP mode User username Configure the local authenticates the peer in Chap modeConfigure as the peer authenticates the local in Chap mode Cipher password Configure AAA authentication and accounting of PPP Configure the time interval of PPP negotiation timeoutConfigure PPP compression Resumptive-percentage Perform the following configuration in interface viewConfigure PPP link quality monitoring Ppp lqc forbidden-percentage Bind the physical Interface to a Virtual Template Configure MP Protocol Parameters Create Virtual TemplateConfigure Operating Parameters of Virtual Template Create/Delete virtual template User-name Specify the conditions for MP binding Frags Configure virtual Baud rate on interface Typical PPP Configuration Example Configuration RequirementExample Set local username as Router1 Typical MP Configuration ExampleII. Configuration Procedure Configure to start Chap authentication at this side Configure virtual interface template Configure router-b Add a user for router-aConfigure router-c Add a user for router-a Indicates that the interface is shutdown Fault Diagnosis TroubleshootingFault 1 Link always fails to turn to up status Fault 2 Physical link fails to turn to Up status Introduction to PPPoE client PPoE Overview Client Configure PPPoE Reset or delete PPPoE session Configure PPPoE session III. Configuration Procedure 1 Configure a dialer interface Typical PPPoE Configuration ExamplePerform the display and debugging command in all views Access a LAN to the Internet via Adsl Use Adsl as Standby Line Configure a PPPoE sessionConfigure the LAN interface and the default route Configure the DDN interface Serial Configuring Pppoe Client For further details about SLIP, you can refer to RFC1055 Configure SlipAsynchronous mode Slip Overview Interconnect two Router routers via Pstn and run IP Enable/Disable the information debugging of SlipTypical Slip Time Configure the default route to Route B Configure Router a Configure Dialer RuleConfigure IP address of synchronous/asynchronous interface Configure the Dialer String to router B Routerip route-static 0.0.0.0 0.0.0.0 Isdn Overview Configure Isdn Configure the receiving mode By default, DSS1 signaling is used on Isdn PRI interfacesConfigure type of signaling on Isdn interface Configure the length of call reference Time-interval Configure the sending modeConfigure interval for Qsig signaling timer Timer-name all Configure Call Processing Method on an Interface Perform the following configuration in Isdn interface viewPerform the display and debugging commands in all views RouterB transmit data after the call is set up Typical Configuration ExampleConfigure Router a Create an Isdn PRI interface Configure the Isdn PRI interface Configure Router B Configure Router a Protocols Overview Lapb PSN 25 packet and Lapb frame Configure Lapb By default, the Lapb modulus is ModuloBy default, k is Configure Lapb N1, N2 Configure Address Configure X.25 InterfaceSet/Cancel the X.121 address of the interface Set X.25 working mode Parameter Meaning 25 channel delimitation parameters Finally, the following should be noted By default, X.25 interface use modulo 8 modeSet/cancel X.25 virtual circuit range Set/Cancel X.25 packet numbering modulo Out-packets Configure X.25 flow control parameterConfigure X.25 Interface Supplementary Parameter Set the default flow control parameter Set X.25 layer 3 timer delay 25 layer 3 timer Match-type alias-string Specify/Cancel an alias for the interfaceAlias match modes and meanings Alias-string Set/Cancel the default upper layer protocol borne on Address option Configure X.25 Datagram TransmissionCreate the permanent virtual circuit PVC Protocol-address x121-address Undo x25 pvc pvc-number Configure Additional Parameters Datagram TransmissionCreate/Delete permanent virtual circuit X25 pvc pvc-number protocol Interface view, perform the following task Configure X.25 user facility Specify/Cancel packet pre-acknowledgement Serial port view, list1 can be quoted Configure the sending queue length of virtual circuit Address logic-channel Set broadcast viaSet interface with standby center Address broadcast Number.subinterface-number multipoi Switching FunctionConfigure X.25 sub-Interface Configure X.25 Switching Configure X.25 Load Balancing Add or delete a PVC routeIntroduction to X.25 Load Balancing Configure X.25 Diagram of X.25 network load balancing List of Configuration Tasks of X.25 Load Balancing Start /Close X.25 switching function Create/Delete X.25 hunt groupAdd/Delete interfaces or XOT Tunnels in hunt group Introduction to XOT Protocol Configure X.25 over Other ProtocolsAdd/delete other X.25 switching routes Configure X.25 over TCP XOT Configure XOT For PVC, perform the following tasks in interface view Start X.25 switchingConfigure local switching Configure SVC XOT switching Configure Keepalive and xot-source attributes Configure Annex G Data InteroperationConfigure PVC XOT switching Configure X.25 over Frame Relay Annex G Configure the X.25 attributes for an Annex G Dlci Configure the X.25 Attributes for a Dlci Specify IP address for this interface Typical Lapb Configuration ExampleBy default, X.25 template is not applied on DLCIs Current status of Lapb Configure Router B Select interface Configure Router a a Select interfaceSpecify X.121 address of this interface Connect the Router to X.25 Public Packet Network Specify address mapping to the peer Configure Router a Configure interface IP address Configure Router B Configure interface IP addressConfigure Router C Configure interface IP address Transmit IP Datagram via X.25 PVC Configure Virtual Circuit I. Networking RequirementDisabled Range Router-Ethernet0ip address 196.25.231.1 Typical Sub-Interface Configuration Example Configure Router C Configure Router DCreate sub-interface serial SVC Application of XOT I. Networking Requirement Routerx25 switch svc 1 xot Configure Router C Start X.25 switchingConfigure Serial Routerx25 switch svc 2 interface serial Application of X.25 Load Balancing Add Serial 1, Serial 2 and XOT Tunnel to hunt group Enable X.25 switching in system viewConfigure X.25 switching route to forward to X.25 terminal S11 Routerinterface serial Router-Serial0link-protocol x25 dce Routerx25 switch svc 1111 xotRouterx25 switch svc 8888 interface serial Load Balancing Carrying IP Data Transmission Configure RouterB Configure interface Ethernet Configure RouterA Configure interface EthernetConfigure interface Serial Configure static route to RouterC Configure an IP address for the local interface Configure the static route to RouterA and RouterBConfigure RouterA Create an X.25 template Configure the local X.25 address SVC Application of X.25 over Frame Relay Configure RouterB Create an X.25 templateMap the Frame Relay address to the destination IP address Associates an X.25 template with the Dlci Configure Serial 1 as the Frame Relay interface Configure the router Router B Enable X.25 switchingEnable switching on Frame Relay DCE Configure Serial 0 as the X.25 interface Configure local X.25 switching.Router-fr-dlci-100annexg dte Configure X.25 over Frame Relay switchingConfigure the router Router C Enable X.25 switching Configure the Frame Relay Annex G Dlci Configure S1 as the Frame Relay interface Configure Router D Configure the basic X.25 parametersConfigure Router B Enable X.25 switching Configure an X.25 template Lapb Configure Serial Configure S1 as the Frame Relay interface Facility options inhibited by network have been carried Fault Diagnosis and Troubleshooting of X.25 Configuring Lapb Configuring Frame Relay Nonstandard By default, the interfaces link layer protocol is PPPLink-protocol fr ietf Relay Configure Frame Relay LMI protocol type Configure Frame Relay interface type Undo fr lmi n392dce Fr lmi n391dte n391-valueUndo fr lmi-n391dte Fr lmi n392dce n392-value Fr lmi t392dce t392-value Undo fr lmi n393dceFr lmi t391dte t391-value Undo fr lmi t391dte Configure Frame Relay dynamic address mapping Configure Frame Relay static address mapping Undo fr Configure Frame Relay local virtual circuit numberCreate Frame Relay sub-interface Fr dlci Configure virtual circuit of Frame Relay sub-interface Applying dynamic address mapping to the sub-interfaceEstablish static address mapping Configure the Frame Relay switched PVC Configure the Frame Relay local virtual circuit numberConfigure the route for Frame Relay PVC switching Configure Frame Relay local switched PVC number Overview Configure Multilink Frame Relay FRF.16 Subnumber Configure MFRConfigure a MFR bundle interface MFR interface Configure MFR interface parameter Configure the parameters of the bundle link interface Frame Relay Compression Configuration Configure Frame Relay Compression on multipoint interface By default, interfaces use initiative compressionConfigure Frame Relay Fragment FRF.12 Configure Frame Relay Fragment Attributes Undo Fr traffic-shaping Disable the Frame Relay traffic shapingFrame Relay Traffic Shaping Fr traffic-shaping Rate Frame Relay Traffic Policing Frame Relay Queueing Management 100 Kbps CI R ALLOWº£ 64 Kbps 150 Kbps Frame Relay DE rule list Frame Relay Congestion Management Undo fr-class class-name By default, no Frame Relay class is createdConfigure the Frame Relay class parameters Configure Frame Relay Traffic Shaping Configure the parameters of Frame Relay class Enable/Disable the Frame Relay traffic shaping Enable/Disable the Frame Relay traffic policing Dequeue-percentage Queue-percentage Configure Frame Relay DE Rule List Configure Frame Relay Queueing ManagementConfigure the Frame Relay PVC queueing Configure Pipq Configure Frame Relay switching Configure Frame Relay over Other ProtocolsConfigure Frame Relay over IP Configure a tunnel interface Networking of a typical Frame Relay over Isdn application Frame Relay over Isdn Operation Process and Fundamentals Frame Relay switching connection between DTE devices Physical Connection Between Frame Relay over Isdn DevicesBack-to-back connection between DTE and DCE devices Configure the Frame Relay-related commands Configure Frame Relay over Isdn Configure the commands related to Frame Relay switching Configure the link layer protocol of the interfaceDlci Isdnsubaddress Configure parameters related to dialer profilesDisplay and debug Frame Relay Display and Debug Frame Relay Mfr number Number dlci dlci-numberNumber interface serial Type number dlci Router-Serial1fr map ip 202.38.163.251 dlci Typical Frame Relay Configuration ExampleConfigure static address mapping Interconnect LANs via Frame Relay Network Router-Serial1ip address 202.38.163.253 Configure local virtual circuitRelay FRF.16 Interconnect LANs via Private Line Them Create a MFR interfaceBundle Serial 0 and Serial 1 to mfr Example FRF.9 Fragment between them III. Configuration Procedure 1 Configure Router aIII. Configuration Procedure 1 Configure RouterA FRF.12 Typical Frame Relay over IP ConfigurationRouterfr class 96k Router-fr-class-96ktraffic-shaping adaptation becn Router-Serial0fr interface-type dce Configure IP interface Ethernet0Configure tunnel interface Configure Frame Relay over IP Router-Dialer0fr interface-type dce Configure the Frame Relay parameters on Bri0Router-Bri0fr map ip 110.0.0.2 dlci Router-Dialer0dialer number Router-Dialer0dialer call-in Configure the Frame Relay-related parameters on Bri0 Router-Serial1.1ip address 130.0.0.2 Configure Frame Relay SVCs Fault Diagnosis Troubleshooting Frame Relay Fault 1 the physical layer in Down statusFault 4 Frame Relay data cannot be transmitted across Isdn Configuring Frame Relay Configure the link layer protocol of the interface to Hdlc Configure HdlcConfigure Hdlc Display and Debug Hdlc By default, the link layer protocol of the interface is PPP Debugging Hdlc Packet Interface Enable Hdlc packet debugging Bridge Overview Configure Bridge’s Routing FunctionTypical Bridge Configuration Bridge Overview Main Functions of Bridging Obtain address table Bridge Overview Final bridging address table Forward and Filter Filter not forward Eliminating loop Preliminary examination state of bridging loops Spanning Tree Topology Spanning tree topology Bpdu Forwarding Mechanism Bridge enable Configure Bridge’s Routing FunctionBy default, disable bridging functions Enable/Disable bridging functions Mac-address Configure static address table entriesSpecify the STP version supported by the bridge-set Add ports to a bridge-set Enable/Disable forwarding by using dynamic address table Configure the aging time of dynamic address tableDisable/Enable STP on ports Configure the bridge priority Configure the path cost of bridge portConfigure the bridge port priority Configure the forward delay for the port status transition Configure the interval for sending BPDUs Create ACLs based on varied Ethernet encapsulation formats Configure the Max age of Bpdu Acl acl-number Enable/Disable bridge’s routing Configure a bridge-template interfaceBridge-set Bridgebridge-set link-set link-set Define a link-setShare load by source MAC address Link-set Configuration on the interface Map the bridge address to DlciDefine a dialer list Transparent Bridging Multiple LANs Typical Bridge ConfigurationDisplay and Debug Bridge Display and debug bridge Configure Router a Configure Router BRouter-Serial0bridge-set 1 stp disable Transparent bridge over the Frame Relay Transparent Bridging over Frame Relay Router-Serial1dialer route bridge broadcast Please refer to Figure Asynchronous Dial-inStandby Connected are failed Networking of bridge-template interface Bridge-Template interface Networking for bridging on sub-interfaces Bridging on Sub-Interfaces Link-Set Configuration I. Networking Requirements Routerbridge enable Routerbridge 1 stp ieeeRouter-Serial1bridge-set 1 link-set Network Protocol 316 Configuring IP Address Network IP network range Description Class IP address classes and ranges Sub-net classification of IP address Ip address ip-address mask Configure IP Address Configure IP Address for an InterfaceBy default, the interface has no master IP address Configure master IP address of an interface Undo ip address ip-address Configure slave IP address of an interfaceIp address ip-address mask Mask-length sub Delete slave IP address of an interface Set negotiable attribute of IP address for an interface By default, the interface has no negotiating IP addressConfigure IP Address Unnumbered for an Interface Introduction to IP address unnumbered Borrow IP address of Ethernet interface Configuration Example I. Configuration RequirementsConfigure routing to Ethernet segment of Shenzhen router R1 Configure IP address unnumbered Router ip route-static 0.0.0.0 0.0.0.0 Configure router R1 of Shenzhen subsidiaryBorrow IP address of Ethernet Router-Ethernet0ip address 172.16.20.1Page Configuring IP Address Arp dynamic ip-address Define a static ARP mappingArp static ip-address Undo arp static ip-address Display and Debug ARP Configure DomainName Resolution Name Resolution Display and Debug Domain Name Resolution Display and Debug domain name resolutionDisplay ip host Vlan-type dot1q vid vlan-id Create Ethernet subinterfaceSpecify the Vlan on which Ethernet subinterface is located Interface-number.subinterface-number Display vlan Configure IP address of Ethernet subinterfaceTypical Vlan Configuration Example Display and Debug Display and Debug Vlan Router-Ethernet0.1ip address 3.3.3.8 Configure IP address for the subinterfaceConfigure Vlan information of LAN Switch Troubleshooting The steps below can be taken Background of the Dhcp development Dhcp Server ConfigurationFault Ping Two PCs, but fails to ping them through Dhcp vs Bootp Occasions in which Dhcp server is applied Following figureDhcp server Dhcp clients Dhcp client logs into the network again Dhcp Server Configuration Dhcp server ip-pool pool-name Enable/disable the Dhcp serviceDhcp Enable Undo Dhcp enable Configure the statically binding IP address and MAC address NetmaskNetwork ip-address Low-ipaddress high -ipaddress Low-ipaddress high-ipaddress Configure the DNS addresses in a Dhcp address pool By default, the IP address of DNS is not configuredConfigure the gateway router address of client Configure the domain names of Dhcp clients Ip-address2 ... ip-address8 Set the type of NetBIOS node for Dhcp clientSet the type of NetBIOS node for Dhcp client Nbns-list ip-address1 Display and Debug Dhcp servers Use reset, debugging and display command in All viewsConfigure Dhcp self-defined options Display and Debug Dhcp Server III. Configuration Procedures 1 Enable the Dhcp service Router dhcp enableRouter dhcp server forbidden-ip Router-dhcp2nbns-list Router-dhcp2gateway-list At the client, use ipconfig /releaseall Delete interface relay address Configure interface relay addressOperation Command Configure interface relay address Ip relay-address ip-address Available on Dhcp server Dhcp Relay Configuration RequirementDhcp Relay IP address from Dhcp server through application Networking diagram of an Dhcp relay configuration example Configure Dhcp relay router Fault 2 fail to forward transparent transmission protocol Under which condition should the address be translated Private Network Address and Public Network Address Characteristic of Network Address Translation NAT Role the Network Address Translation NAT playsMechanism of Network Address Translation NAT Pool-name Configure address poolPerformance of Network Address Translation NAT End-addr pool-name Undo nat outbound Nat outbound acl-numberAddress-group pool-name Undo nat outbound acl-number Www inside inside-addr inside-port any Configure the Internal ServerConfigure the Timeout of address translation Nat server global global-addr global-port Display and Debug NAT Display and debug NAT Typical NAT Configuration Example Set internal WWW server Configure address pool and access listAllow address translation of segment at 10.110.10.0/24 Set internal FTP server Correlate the address translation list and the interface Configure address access control list and dialer-listConfigure dial-up property for the interface Configure a default route to serial Fault 2 Internal server abnormal Configuring IP Application Performance Configure IPTo configure IP performance, carry out the following steps Configure maximum transmission unit on an interface Configure TCP Tcp window size Forwarding Configure Fast Display and Debug Fast Display and Debug fast forwarding Perform the following configuration in system viewDisplay and Debug IP Forwarding Troubleshooting IP Performance Configuration Router info-center enable Router debugging tcp packetRouter info-center enable Router debugging tcp event Configuring IP Count Undo ip count enable IP Count ConfigurationEnable/Disable IP Count service Ip count enable Configure IP Count on an interface Configure IP Count listSpecify count maximum of exterior Display and debug IP Count By default, IP Count entries time out after 720 minutesCount Specify count maximum of interior IV. Test Procedure Not been configured on the interface of the routerInformation is displayed Configuring IP Count IPX address Configuring IPX SAP Its first Ethernet interface as its node address Configure IPXModify length of service information reserve queue Configure relative parameters of IPX SAP Perform the following task in interface view Enable IPX interfaceConfigure IPX RIP static route Enable/Disable a Default Route Configure the maximum number of IPX parallel route Configure RIP updating periodConfigure RIP aging period Configure the maximum size of RIP update packet Configure static service information table item Configure length of route reserve queue Ipx sap timer update seconds Configure SAP aging periodConfigure size of SAP maximum updated message Configure reply to SAP GNS request Disable split-horizon Configure Using touch-off for an interface Encapsulation format of IPX frame Configure the delay of interface sending IPX packetsConfigure management of IPX packet Modify Encapsulation Format of IPX Frame on Interface Display and Debug IPX Display and Debug IPX Configure Router a a Activate IPX Configure an information about Server2 directory service Configure an address map to Router BConfigure a static route to network ID Configure an information about Server2 file service Configure an information about Server1 directory service DLSw Protocol Max-frame-size max-window Configuration of DLSwCreate DLSw local peer entity Init-window-size max-frame Create DLSw remote end peer entity Configure Bridge set connecting to DLSw Configure Sdlc role Configure to add ethernet port to Bridge set Controller sdlc-address Configure Sdlc virtual MAC addressConfigure Sdlc address Sdlc-address Configure Sdlc peer entity Configure XID of SdlcAdd synchronous Interface to Bridge set Configure to stop running DLSw Configure baud rate of synchronous InterfaceBaudrate Mseconds Configure Idle time encoding mode of synchronous InterfaceConfigure parameters of DLSw timer Configure LLC2 local acknowledgement delay time Configure modulo value of LLC2 Configure LLC2 premature acknowledgement window Configure P/F wait time of LLC2 Configure retransmission number of LLC2Configure LLC2 local acknowledgement time Configure Busy status time of LLC2 Configure Sdlc local acknowledgement window Configure REJ status time of LLC2Configure queue length of sending message of LLC2 Configure Queue Length of Sending Message of Sdlc Configure maximum receivable frame length of Sdlc Configure retransmission number of SdlcConfigure poll time interval of Sdlc Dsap Configure SAP address for transforming Sdlc to LLC2Configure data bi-directional transmission mode of Sdlc Lsap IP across WAN Typical DLSw Configuration ExampleDLSw Configuration Networking Requirement DLSw Router dlsw local Router a ConfigurationRouter B Configuration DLSw Configuration Networking diagram of DLSw configuration of SDLC-SDLC Networking Diagram of SDLC-LAN Virtual circuit cant attain Connected state DLSw FaultWhen using command display dlsw remote Diagnosis Diagnosis and Troubleshooting of DLSw Fault Configuring Dlsw VI Routing 404 IP Routing Protocol IP Routing Protocol Routing Protocol or Type Corresponding Routing Priority Routing Protocol and Routing Priority Ospf ASE Default Route Configuring Static Routes Transmitting interface or next hop address Configuring a Static RouteConfiguring a Static Route Configure a Static Route Other parameters Configuring a Default RouteDisplaying Debugging Routing Table Preference Troubleshooting a Static RouteOther RIP Overview Features is not subject to whether RIP has been enabled Configure RIP Enabling RIP Enable RIP at the Specified Network Peer ip-address By default, the interface runs RIP-1Define a Neighboring Router Specify RIP Version Specify the Status of an Interface RIP Version 1 enables zero field check by defaultConfigure Check Zero Field of RIP Version Disable a Host Route Version Authentication onEnabling Route Summarization for RIP Specify a Default Route Metric Value for RIP By default, the default route metric for RIP isConfigure RIP Horizontal Segmentation on the Interface Configure Route Import for RIP Set Route Preference Configure filtering route information received by RIPDistribution for RIP Specify Additional Route Metric Value for RIP Display and Debug RIP Reset RIPDisplaying and Debugging RIP Filter the Routing Information Being Advertised by RIP RIP Unicast Displaying and Debugging Ospf Ospf Configuration ExampleOspf Overview Ospf Overview Configuring Ospf Undo router id Enable OspfSpecify Router ID Router id router-id By default, Ospf is disabled Area-idArea area-id P2mp P2p Configure the Network Type of the Ospf InterfaceConfigure Sending Packet Cost Ospf network-type broadcast nbma Cost Configuring a Peer for the Nbma Interface Undo Ospf dr-priority Operation Command Set the priority of the interface whenSpecify the Router Priority Ospf Dr-priority value Specify Dead Interval Specify Hello Intervall Configuring a Stubby Area and a Totally Specify Transmit-delaySpecify Retransmitting Interval No-summary Perform the following configuration under Ospf viewConfigure Totally Stubby Area of Ospf Stub cost cost area area-id Configure an Nssa Area of Ospf Perform the following configuration in Ospf view Undo abr-summary address mask mask Configure Route Summarization Within Ospf DomainAbr-summary address mask mask area Area-id advertise notadvertise Area-id None Router-id None Create and Configuring a Virtual Link Key-id Configure Authentication Configure Parameters When Importing External Routes Configure Route Import for Ospf Filter for Ospf Configure filtering route information received by OspfDisplaying Debugging Ospf Ospf Configuration Example Configuring Ospf on the Point-to-Multipoint NetworkRouter D 201 Router B 301 302 Router C 1.3 RouterB-Serial0ospf network-type p2mp Enable OspfRouterC ospf enable RouterA-Serial0ospf network-type p2mp Configure DR on Ospf Preference 2.2 3.3 1.1 4.4 E0 192.1.1.1/24E0 192.1.1.4/24 E0 192.1.1.2/24 E0 10.1.2.3/24 RouterD display ospf peer RouterA display ospf peer To configure an Ospf virtual link Configure Router a Between Router B and Router CRouterB-ospfVlink peer-id 3.3.3.3 transit-area To configure Ospf peer authentication Configure Router a Troubleshooting an Ospf ConfigurationNormally Ospf Configuration Example Configuring Ospf Displaying and Debugging BGP BGP Configuration ExampleBGP Overview BGP Overview Configuring BGP Perform the following configurations in BGP view Resetting BGP Connections Enabling BGPPerform the following configurations in system view By default, BGP is disabled Configure the BGP Version of the Peer Set the Timers for BGP PeerConfigure BGP Route-update Interval Configure to Distribute Default Router to the Peer Configure to distribute default route to the peerConfigure to Send Community Attribute to the Peer Configure the Peer to be the Client of the Route Reflector Allow Comparing Path MED Create a Fltering Policy Based on Access List for the PeerConfigure the BGP MED Metric Create a BGP Route Filtering Based on AS Path for the Peer Holdtime-interval Configure the Local PreferenceConfigure the Keepalive Timer and Holdtime Tmer for BGP Timers keepalive-interval Group-name By default, there is no BGP peer in a peer groupAdd a Peer to the BGP Peer Group Peer group-name Configure BGP Routing Update Sending Interval Configure AS Number of BGP Peer GroupConfigure Connection Between Peers Indirectly Connected Set the Timers of BGP Peer Group Configure to send the default route to the peer group Configure to Send the Default Route to the Peer GroupCreate Routing Policy for Peer Group By default, software accepts BGP Version Configure BGP Version of Peer GroupCreate an Aggregate Addresses Undo aggregate address By default, an aggregate is disabledAggregate address mask As-set Reflect between-clients Clients within the reflection groupUndo reflect between-clients Extended-community-list-number Configure the Cluster IDConfigure BGP Community Standard-community-list-number Configure a Confederation Configure the Sub-system of E ConfederationAs-number … Schematic diagram of route dampening Display Route Flap Information Still exists By default, BGP synchronizes with IGPIs insured When AS is not a transitional AS Configuring Configure Route Import for BGP Define a routing policy Define an access list entryEntry, an AS Path-list Define an AS Path-list entry Perform the following configurations in Routing policy view Define a match ruleDefine an apply clause Filter for BGP Display and Debug BGP Reset BGP ConnectionsDebugging BGP Filter Routing Information Being Advertised by BGP Acl-number network-address BGP ConfigurationProcedure for each configuration As-regular-expression acl Networking diagram of configuring AS confederation RouterC-ospfinterface serial Configure Router B Configure BGP peersRouterA-bgppeer 192.1.1.2 as-number RouterB-Serial1ip address 193.1.1.2 Configure Router D Configure BGP peers RouterA-acl-1rule permit source 1.0.0.0 Configure peerStart BGP Specify BGP transmission network RouterC-bgppeer 193.1.1.1 route-policy localpref import RouterC-acl-1rule permit source 1.0.0.0 RouterD-ospf network 4.0.0.0 0.0.0.255 area 0 RouterD bgp Configuring BGP IP Routing Policy Configuring IP Routing Policy Define a Routing Policy Configure IP RoutingOperation Command Define a routing policy and enter into Policy Configure a Matching Rules Apply tag tag-value Define a Setting ClauseApply community aa nn No-export addtive none Configure Route Import Route-policy route-policy-nameTag tag-value type 1 Define an IP Prefix List Ip ip-prefix prefix-list-nameGe-value less-equal le-value BGP route discovered by BGP protocol Perform the following configurations in all viewsDebugging IP Routing Policy OSPF-ASE external route discovered by Ospf protocol Protocol Configuring IPWith different weighting values Routing Policy Route Information Routerip ip-prefix p1 permit 192.1.1.0/24 Troubleshooting IPConfigure RIP protocol Normal operation Configuring IP Routing Policy Configuring IP Policy IP Policy RoutingRouting Create a Routing Policy Define Match RulesDefine Apply Clause Interface Policy Routing By default, interface policy routing is disabledEnable/Disable Interface Policy Routing Displaying Debugging IP Policy Routing Router-acl-102rule permit tcp source any destination any Suggested procedure for each configurationDefine access list Router-acl-101rule deny tcp source any destination any RouterB-ripnetwork Adopt policy aaa in Ethernet interfaceRouter-Ethernet0ip policy route-policy aaa RouterA-Ethernet0ip policy route-policy lab1 RouterAdebugging ip policy-routing Configuring Igmp Configuring PIM-DM Configuring PIM-SM ChapterIP Multicast 498 IP Multicast Range and Meaning of Class D Addresses List for Reserved Multicast AddressesClass D address range Meaning IP Multicast Routing Protocols IP Multicast IP Multicast Packet IP MulticastApplication IP Multicast Igmp Overview Configuring IgmpIgmp Configuration Example Igmp Overview Configuring Igmp Make the following configuration in interface view Configure the Igmp Version Number Run at Router InterfaceConfigure Igmp Maximum Query Response Time Interfaces are all fast Ethernet FE Igmp ConfigurationDebugging command in system view to debug Igmp Displaying and Debugging Igmp Router a Router B Configuring Igmp Configuring PIM-DM Operation Command Enable multicast routing Make the following configuration in the system viewBy default, the system disables the multicast routing Enable Multicast Routing Group-address source-address Start/Disable PIM-DM ProtocolDisplaying and Debugging PIM-DM Display and Debug PIM-DM Receiver 2 are the two receivers of this multicast group PIM-DM ConfigurationEnable multicast routing protocol Enable PIM-DM protocol PIM-SM Overview Enabling Multicast Routing PIM-SM Configuration Configure Candidate RP By default, the interface disables PIM-SM protocolEnable/Disable PIM-SM Protocol Configure Candidate BSR By default, no interface is configured to be candidate RP By default, no PIM-SM domain boundary is configuredConfigure PIM-SM Domain Boundary Debugging PIM-SM Use the pim command in system view to enter PIM view RouterA-pimspt-switch-threshold 10 accept-policy Configure Router a Enable PIM-SM protocolConfigure Router B Enable PIM-SM protocol RouterA multicast routing-enable RouterA interface ethernet RouterB-acl-5rule permit source 225.0.0.0 Display pim neighbor command can be used to check whetherFollow these steps Neighbors have discovered each other Configuring PIM-SM Viii Security 524 Configuring a User Terminal AccessConfiguring Terminal Access Security Configure EXECLogin Authentication Enable AAA Configure Radius server and the shared secretConfigure the authentication method list of Exec users Configuring Terminal Access Security Radius Overview AAA Overview Components of Radius server Basic message interaction process of Radius Request Authenticator Adopts 16-byte random code Type of Packets Decided by Code FieldCode Packet type Explanation of the packet Attribute Fields Server-template-name method1 By default, AAA is disabledAAA Enable/Disable AAA Configure AAA Login Authentication Default methods-list Configuring an Authentication Method List for PPP UsersConfigure PPP Authentication Method List of AAA Default methods-list method1 Configure Local IP Address Pool By default no address pool is defined by the systemConfigure AAA Local-First Authentication Configure AAA Accounting Option Configure Ordinary User and Password By default pool-number isConfigure a User and Password Configure Callback User Configure User with Caller Number Configure User with Caller NumberConfigure FTP User and the Usable Directory Configure Callback User and the Callback Number Directory Authorize a User with Usable Service TypesConfigure FTP User and the Usable Directory Configure Authorizing a User with Usable Service Types Radius server hostname ip-address Configure Radius Server Shared SecretBy default, no key is configured for the Radius server Configure Radius Server Shared Secret Configure the Time Interval for the Inquiry Packet Configure the Request Retransmission Times AAA and Radius Accessing UserAuthentication Case Displaying Debugging AAA Routerradius server Configure IP address and port of Radius serverConfigure local-first authentication Router aaa authentication-scheme local-first Radius Troubleshooting AAA Users Radius authentication is always rejected Connected user cannot be seen in display aaa userCan Configuring AAA and Radius Protocol Firewall Overview Classification of Firewalls Packet filtering schematic diagram Operators of the Extended Access Control List Extended access control listCommand format when the protocol is IGMP, IP, GRE or Ospf Command format when the protocol is TCP or UDP Mnemonic Symbol of the Port Number UDP Protocol Mnemonic Symbol Meaning and Actual Value Configure the match sequence of access control list Mnemonic Symbol of the Icmp Message TypeOperator and Syntax Meaning Firewall Configure FirewallEffect Perform the following configurations in system view Firewalls are disabled by default Configure Extended Access Control List Configure Standard Access Control List Destination dest-addr dest- wildcard Enabling and disabling filtering according to timerangeConfiguring Special Timerange Set Default Firewall Filtering Mode Settr begin-time end-time Enable/Disable Filtering According to TimerangeSet special time range Set Special Time Range Display and Debug Firewall Use debugging, reset and display commands in all viewsDisplaying and Debugging Firewall Specify Logging Host Routerfirewall default permit Enable firewallConfigure access rules to inhibit passing of all packets Routerfirewall enable Apply rule 102 on packets coming in from interface Serial0 Router-Ethernet0firewall packet-filter 101 inboundRouter-Serial0firewall packet-filter 102 inbound IPSec Protocol IPSec Related Terms Following terms are important to an understanding of IPSecIPSec Message Processing Configuring IPSec Access Control ListCreating an Encryption Operator port1 port2 Create Encryption Access Control List Configure Ndec Cards Enable the crypto cards By default, all the crypto cards are enabledSet the output of the crypto card log Define IPSec proposal By default, no proposal view is configuredEnable/Disable the Host to Backup the Ndec Cards Set the Mode for Security Protocol to Encapsulate Messages Select Security Protocol Selecting the Encryption Authentication AlgorithmDefault mode is tunnel-encapsulation mode Select Security Protocol Creating a Security Policy Select Encryption Algorithm and Authentication Algorithm Set start point and end point of security tunnel By default, no security policy is createdConfigure access control list quoted in security policy Perform the following configurations in IPSec policy view Set SPI of security policy association and its adopted key By default, the security policy quotes no IPSec proposalConfigure IPSec Proposal Quoted in Security Policy Set IPSec proposal quoted in security policy Hex-key By default, no key is used by any security policyConfigure SPI Parameters of Security Policy Association Configure Key Used by Security Policy Association Specify End Point of Security Tunnel Set access control list quoted by security policySet end point of security tunnel Creating a Security Policy Association with Proposal-name2...proposal-name6 Set the IPSec proposal quoted in security policySet SA lifetime Proposal proposal-name1 Configure Separate SA LIfetime Configure a separate SA lifetimeBy default, apply the global SA lifetime Configure Global SA LIfetime Ipsec sa dynamic-detect Use debugging, reset and display commands in all viewsDebugging IPSec Apply Security Policy Group on Interface Reset crypto card Display and Debug IPSecDest-address protocol spi Creating an SA Manually IPSec Configuration ExampleUse the debugging, reset and display command in all views Displaying and Debugging the crypto card Create the IPSec proposal view named tran1 Adopt tunnel mode as the message-encapsulating formSelect authentication algorithm and encryption algorithm Quote access list Exit to system view Configure the routeCreate a security policy with negotiation mode as manual Apply security policy group on serial interface Create a security policy with negotiation mode as isakmp Create the IPSec proposal view named trans1Set remote addresses Create a security policy with negotiation view as isakmp Configure ip address of the serial interfaceConfigure corresponding IKE Configure serial interface Serial0 RouterB ike pre-shared-key abcde remote Establish a security policy with manual negotiation modeAdopt tunnel module for packets encapsulation form Return to system view Apply security policy base on serial port Enter Ethernet interface view and configure IP addressSet local address Set encryption key RouterB ipsec policy map1 10 manual Establish a security policy with manual configuration modeTroubleshooting IPSec Ndec card cannot be configured Return to the system view Do the following Configuring Ipsec Configuring IKE Configuring IKE IKE featuresPolicy Undo ike Create IKE PolicyIke proposal policy-number View Delete IKE policy Select Encryption Algorithm Selecting an Authentication AlgorithmSelect Authentication Method Configure Pre-shared Key Set Lifetime of IKE Negotiation SA By default, 768-bit Diffie-Hellman group is selectedSelect Hashing Algorithm Select DH Group ID Display and Debug IKE Configure IKE Keepalive TimerReset ike sa connection-ike-sa-id Displaying and Debugging IKE Invalid user ID information IKE Configuration Unable to establish security channel Unmatched policy IX VPN Configuring VPN Configuring L2TP Configuring GRE 596 VPN Overview Authority given by local ISP Basic NetworkingApplications of VPN Classification of IP Layer 2 tunneling protocol Layer 3 tunneling protocolComparison of layer 2 and layer 3 tunnel protocols Configuring VPN Vpdn Operation Vpdn and L2TP L2TP channel Methods of Implementing Vpdn Tunnel and session Networking diagram of two typical methods of Vpdn Control message and data message IV. Call setup flow of L2TP tunnel Call setup flow of L2TP channel Features of L2TP L2tp enable Basic Configuration atEnable L2TP Enable/Disable L2TP Originate L2TP Connection Request and LNS Address L2tp-group group-numberIp-address … domain domain-name L2TP Attribute Table By default, L2TP is disabledConfigure AAA and Local Users Default list-name method1 Create/Delete a Virtual Template Operation Command Create a L2TP groupOperation Command Create a virtual template Create/Delete L2TP Group Configure Local VPN Users Advanced Configuration at LAC or LNSBy default, receiving dial-in from LAC is disabled Configure the Name of the Receiving End of the Tunnel Tunnel name name Enable Tunnel Authentication Setting PasswordBy default, the local name is the host name of router Set Local Name Configure the Interval For Sending Hello Messages Set Tunnel Authentication and PasswordSet the Interval for Sending Hello Message Configure Domain Delimiter and Searching Order ForceSet Domain Name Delimiter and Searching Order Force to Disconnect Channel This configuration is applicable to LNS onlyOperation Command Force to disconnect tunnel Reset l2tp tunnel remote-name Configure the Local Address and Address Pool LCP does not renegotiate by defaultLCP to Renegotiate Number of L2TP Sessions Enable/Disable Hiding Attribute Value Pairs AVBy default, AV pairs are hidden Enable/Disable Hiding AV Pairs Display and Debug L2TP L2TP Configuration ExamplesBy default, the maximum number of L2TP sessions is Use debugging, display command in all views Configure BDR dialup parameters Implement local AAA authentication on VPN userConfigure the IP address of Serial1 interface of LAC Enable L2TP service and configure a L2TP group Configure the Virtual-Template-related information Configure the IP address of Serial0 interface of LNS Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Router-LACip pool 1 192.170.0.3 Client-originated VPN Networking Disable tunnel authentication Configure the IP address of Serial1 interface at LAC sideConfigure BDR parameters Configure the IP address of Serial0 interface at LNS side Network Connection Wizard Network Connection Wizard Connect Connection to Router1 l2tp domain suffix-separator @ Configure an IP address on Serial0 interfaceConfigure a L2TP group and the related attributes Configure the domain suffix separator to @ III. Procedures Enable AAA authenticationConfigure Virtual-Template Force to implement local Chap authentication Configure an access control list and specify L2TP data Configure a L2TP group and configure the related attributesConfiguration at Router2 LNS side Enable AAA authentication Configure an address pool 1 in the range of 192.168.0.2 to PPP negotiation fails. The reasons may be Fault 1 The users fail to log Troubleshooting L2TP Configuring L2TP GRE Protocol EncapsulationPacket Encapsulated tunnel message format Refer to RFC Enlarge network operating range Create Virtual Tunnel Interface Configuring GREBy default, no virtual tunnel interface is created Creating a Virtual Tunnel Interface Address of the Tunnel Address of a Tunnel Must be configured InterfaceSetting the Network Perform the configurations in the tunnel interface view Gre key key-number Number discardedSet Tunnel Interface to Check with Checksum Set the Tunnel to Synchronize Datagram Sequence Numbers All views GRE Configuration ExampleGroup1 and group2. It can be implemented by using GRE Debugging GRE Configure Router B Configure the IP address of Serial0 Configure the IP address of Ethernet0 interface Configure Router B Activate IPX Configure Router a Activate IPXConfigure the IP address and IPX address of Ethernet0 Configure the static route to Novell Group2 RouterB ipx route 1e 1f.a.a.a tick 30000 hop Networking of troubleshooting GRE Configuring a Standby Center Configuring Vrrp 646 Standby Center Configuring Standby Center Next-hop-address dialer-number Enter the Logic Channel ViewAddress logic-channelnumber Fr map protocol address dlci dlci Standby timer disable-delay seconds Channel to check whether it has recoveredStandby timer enable-delay seconds Undo standby timer enable-delay Enter the view of Serial Please perform the following configuration in all viewsLoad Sharing view Interfaces Enter the view of logic channel ChannelRouter-logic-channel10standby interface serial Router-Serial1logic-channel Vrrp Overview Vrrp Configuration ExamplesTroubleshooting Vrrp Vrrp Overview Configuring Vrrp Adding a Virtual IPAddress Undo vrrp vrid virtualrouterid Configure Router Priority in Standby GroupAdd Virtual IP Address Vrrp vrid virtualrouterid Virtualrouterid Configuring Authentication Method Authentication KeyVrrp provides simple character authentication method Configure Authentication Method and Authentication Key Monitoring Configure StandbyGroup Timer Debugging Vrrp Vrrp Single Standby Vrrp ConfigurationProcedure for each configuration Backup with preemption aII. Networking diagram Multiple Standby Gateway services insteadBalancing and mutual backup are implemented Gateway function as the master Many master routers exist within the same standby group There is requent switchover of the Vrrp state XI QOS 662 QOS Overview Three Types of QoS Services QOS Overview Benefits of QoS for the Network Service QOS Overview Traffic Policing Traffic Classification Traffic POLICING, Traffic Shaping and Line Rate Rate CAR Committed Access Precedence-value mac mac-address Defining RulesDefine CAR Rules Qos carl carl-index precedence By default, no CAR rule of ACL list is established Applying the CAR Policy on the InterfaceApply the CAR Rule on the Interface Display and Debug CAR CAR Configuration Applying a CAR Policy to all PacketsConfigure the Priority Level Based CAR Policy Displaying and Debugging CAR Configure the CAR Policy Based on the MAC Address Packets Traffic ShapingApply a CAR Policy on the Packets that Match ACL Matches ACL Schematic diagram of GTS processing Configuring shaping parameters for a specified flow Configuring shaping parameters for all flows Configure the ACLShape the flows matching 110 on Ethernet interface Shape all the flows on Ethernet interface Configure the Physical Interface LIne RatePhysical Interface Line Rate Operation Command Display the LR configuration conditions Displaying Display and Debug LR Debugging LRDisplay qos lr interface type Congestion Management Priority Queuing CongestionManagement Policy Fifo Queuing Selecting Congestion Management Policies Number Queues Advantage Disadvantage Comparison of Several Congestion Management Policies Schematic diagram of the first in first out queue Schematic diagram of the custom queuing Schematic diagram of weighted fair queuing Weighted Fair Queuing WFQ Configure the First In First Out Queuing Configuring Congestion ManagementConfiguring Fifo Queuing Configuring priority queuing Pql-index protocol By default, no priority queue is establishedValues of Queue-Option with Protocol as IP Protocol-name queue-option queue By default, the interface utilizes the Fifo queue Applying the priority-list queuing group to the interfaceSpecifying the queue length of the priority-list queuing Displaying and debugging the priority queue Configuring custom-list queuingConfiguring Custom Queuing CQ Default Length Value of the Priority Queue Queue queue-number Configure the Custom-Lst Queuing According to the InterfaceConfigure the Default Custom-List Queuing Queue-number Applying the custom-list queuing group to the interface By default, the interface uses the Fifo queueConfiguring the queue length of the custom-list queuing Configure the Queue Length of the Custom-List Queuing Configuring Weighted fair queuing Displaying and debugging the weighted fair queueDisplaying and debugging the custom-list queue Apply the priority queue 2 to Serial Congestion Management Configuration ExamplesPQ Configuration Example Apply the priority queue 1 to Serial RouterA-Tunnel1destination Configure the CQ queueConfigure Router B Configure the access control list RouterA-Tunnel0ip address 10.1.1.1 WFQ Configuration Example Configure Serial0 master/slave addressesConfigure Tunnel0 Configure Tunnel1 Congestion Management Congestion Avoidance Congestion Avoidance Function of the Interface Wred ConfigurationEnable the Wred Enable Wred Ip-precedence Discard-prob Displaying Debugging Congestion Avoidance Congestion Avoidance Configuration ExampleConfigure a WFQ queue Enable Wred Congestion Avoidance XII DIAL-UP Configuring DCC Configuring Modem 704 DCC Overview Terms in DCC Configuration DCC Circular DCC Resource-Shared DCC Basic DCC features With 3Com RoutersImplementing callback through DCC Configure the local parameters of DCC Configuring DCCPreparing to Configure Prepare the data for DCC configuration Ip address ipaddress mask Configuring the mode of the physical interfaceConfigure Physical Interface Mode Linklayer-protocol-type Associating a DCC dialer ACL with the interface Configuring an interface to originate calls to a remote end Undo dialer number Configure an interface to receive calls from a remote endDialer enable-circular Dialer number dial-number Dialer Route protocolNext-hop-address dial-number Next-hop-address Undo dialer route protocol Dialer priority priority Undo interface dialer numberDialer circular-group number Undo dialer circular-group Undo dialer circular-group Interface dialer numberUndo interface dialer number Dialer circular-group number Router Dialer0 Enabing Resource-Shared DCC Configuring dialing authentication for resource-shared DCCConfiguring the dialer interface and dialer number By default, no dialer interface is created Configuring dialing authentication for resource-shared DCC Configuring MP binding in circular DCC Configure MP Binding in Circular DCCThreshold traffic-percentage Dialer threshold traffic-percentage Configuring MP binding in resource-shared DCCConfiguring PPP callback in the circular DCC implementation Configure MP Binding in Resource-Shared DCC Implement PPP Callback Server Configuration in Circular DCC Implement PPP Callback Client Configuration in Circular DCC Dial-number CommandTelephone-number Next-hop-address user username Features of Isdn caller identification callback Primary rule The best match is the number with the fewestDialer callback-center dial-number Callback according to the Isdn caller Operation Command Configure the local end to implementIdentification Undo dialer call-in remote-number Configure Isdn leased line for Circular DCC Configuring Isdn leased lineConfiguring auto-dial Configuring Special DCC Functions Configure Dialer Number Circular Standby Configuring dialer number circular standbyConfiguring the Link Idle Time Configure Auto-Dial Configure the Link Idle Time By default, the link idle time is 120 secondsBy default, the link disconnection time is 20 seconds Configuring the link idle time when interface competion Debugging DCC Configuring the timeout of call setting upBy default, the timeout of call setting up is 60 seconds Configuring the buffer queue length of the dialer DCC Configuration Examples SolutionDCC Applications in Common Use Router-Serial0dialer route ip 100.1.1.1 Configure RouterCConfigure RouterB Router-Serial1dialer circular-group Router-Serial1dialer bundle-member Router-Serial0dialer bundle-member Configure RouterC Configure RouterC Router-Serial015dialer route ip 100.1.1.1 Configure RouterARouter-Dialer0dialer threshold Router-Bri0dialer bundle-member Router-Bri1dialer route ip 100.1.1.1 Router-Serial1dialer enable-circular Router-Serial0dialer route ip 100.1.1.2Router dialer-rule 1 ip permit Router interface serial Router-Bri0dialer route ip 100.1.1.2 user usera NT Server-to-Router Configure the PCCallback for DC C By the NT server Router-Async0dialer route ip 100.1.1.254 Dial Number Circular Standby and Internet Access for DCC Router-Serial0dialer route ip 100.1.1.254 Configure subscriber PC Router-Serial215ppp chap password simple passb Router-Serial215ppp authentication-mode chap Router-Serial1standby logic-channel Remote end cannot be pinged after the modem is connected Message Fault DCC Fault Messages DCC peeraddr matching error Modem Script Modem Function Provided by 3Com Routers Syntax description of modem script Modem script format in common use is as followReceive-string1 send-string1 receive-string2 send-string2 Which, seconds defaults to 180 and is in the range of 0 to Configure the Modem Dial-in and Dial-out AuthoritiesBy default, modem dial-in and dial-out are allowed Execute a Modem Script Manually Configure Modem Through the AT CommandConfigure a Modem Script Configure a Modem Script Specify the Events Triggering the Modem Scripts By default, the modem works in non-auto answer modeConfigure the Answer Mode for the Modem Configure Authentication for a Modem Dial-in User Displaying and Debugging a Modem Modem Configuration ExamplesExecutethe debugging command in all views for the debugging Configure a Modem adaptation baud rate Restore the ex-factory modem settings Configure the modem initialization parametersAT&b1&c1&d2&s0=0 Modem Dial-in User Power-on Initialization Through Initialization ScriptAuthentication for Directly Troubleshooting Configuring Modem

Configuring IPSec

Creating an Encryption

Access Control List

defined by an extended IP access list.