Creating a Security Policy

568CHAPTER 40: CONFIGURING IPSEC

Perform the following configurations in IPSec proposal view (or proposal view of crypto card)

Table 638 Select Encryption Algorithm and Authentication Algorithm

Operation	Command

Set the encryption algorithm adopted by	esp-new encryption-algorithm { 3des
ESP protocol (applicable to IPSec software)	des blowfish cast skipjack }

Set the encryption algorithm adopted by	esp-new encryption-algorithm { 3des
ESP protocol (applicable to crypto card)	des blowfish cast skipjack
	aes qc5 }

Cancel the encryption algorithm adopted	undo esp-new encryption-algorithm
by ESP protocol(applicable to IPSec
software and crypto card)

Set the authentication algorithm adopted	esp-new authentication-algorithm {
by ESP protocol (applicable to IPSec	md5-hmac-96 sha1-hmac-96 }
software and crypto card)
Cancel the authentication algorithm	undo esp-new
adopted by ESP protocol (applicable to	authentication-algorithm
IPSec software and crypto card)

Set the authentication algorithm adopted	ah-new authentication-algorithm {
by AH protocol (applicable to IPSec	md5-hmac-96 sha1-hmac-96 }
software and crypto card)
Restore the authentication algorithm	undo ah-new authentication-algorithm
adopted by AH protocol (applicable to
IPSec software and crypto card)

By default, ESP protocol adopts des encryption algorithm and md5-hmac-96authentication algorithm, and AH protocol adopts md5-hmac-96authentication algorithm.

The commands undo esp-new encryption-algorithm and undo esp-new authentication-algorithm cannot be used at the same time. That is, ESP must use at least one type of encryption algorithm or authentication algorithm.

The following questions should be answered before a security policy is created:

■Which data needs IPSec protection?

■How long should the data stream be protected by SA?

■What security policy will be used?

■Is the security policy created manually or through IKE negotiation?

The following aspects require attention when a security policy is created:

■To create a security policy, you must specify its negotiation mode. Once a security policy is created, its negotiation mode cannot be modified. To create a new security policy, the current one must be deleted. For example, a security policy created with manual mode cannot be modified to a policy with isakmp mode. To have the same policy with a different mode, you must delete the policy then recreate it with a different mode.

■Security policies with the same name together comprise a security policy group. The name and the sequence number define a security policy uniquely, and a security policy group can include at most 100 security policies. The security policy with smaller sequence number in the same security policy group is of

Page 572

Image 572

3Com 10014299 manual Creating a Security Policy, Select Encryption Algorithm and Authentication Algorithm

Contents

3Com Router Configuration Guide 3Com Corporation Campus DriveMarlborough, MA 01752-3064Page VPN Text Conventions This guide describes 3Com routers and how to configure themList conventions that are used throughout this guide About this Guide 3Com Router Introduction 3Com Router User Interface Page 3COM Router Introduction Features of the 3Com Following table lists the basic features of the 3Com RouterList of the 3Com Router 1.x features Router Version RIP-1/RIP-2 NAT Quality of service 3Com Router New Features of the 3Com Router 1.x 3COM Router Introduction Configuration EstablishEnvironment Port Establish a new connection Set port communication parameters Establish a remote configuration environment Configuration ConnectionEnvironment Router Workstation Ethernet Command Line Interface CLI 3COM Router User Interface System view Table Views and their prompts Async 0 in any Ethernet 0 in anyLoopback 0 in any Enter controller Partial help HelpsFull help List of common command line error messages Common error Message CausesFor example Routerdisplay ? Command Line FeaturesDisplay Features Three options are available for users Following commands Please perform the following commands in system viewUser Identity Management Set the system clock Configure the router nameSystem By default, the system clock is 080000 1 1 Execute the following commands in all viewsReboot the system Display the System Information Router System Management Page Storage Media and File Types Supported by the System Softwaresoftware Input Ctrl+D, and the following prompt information displays Upgrade Boot ROM Software Upgrade the 3Com Router Main ProgramSoftware Main Program software XModem Approach Modify the terminal baud rate Transfer File dialog box Tftp server application can run on Windows 95/98/NT Preparation for using the Tftp serverEnable the Tftp server program Press Enter and the following prompts will be displayed Tftpd32 Set interface Enter Ctrl+B and the system prompts Network Interface Parameters Download configuration files from a Tftp server Operation Command Downloads the 3Com Router mainPress Enter for loading Get ip-addr file-name system Prepare for using the FTP server Set an authentication mode for an FTP server Upgrade the 3Com Router Main Software with FTP Enable FTP server Back up the 3Com Router Main Program Software Tftp ApproachFTP Approach Copy ip-addr file-name system Setup Users Dialog Box Configure on-line upgrading of the card Update slot slot-number ftpserver host-namePort-number user user-name password Password Configuration File Management Download Configuration FilePerform the following command in system view Content and Format of the Configuration File Load configuration files Download ConfigRouter download config Set the binary transmission protocol to XModem/CRC Display current-configurationcommand output backup approach Back up Configuration FilesUpload configuration files to a Tftp server File-name config Please use the following commands in corresponding views View router configuration Select and view the storage media of configuration file Save current configurationSet the Flag Bit to Enter the Initial Setup Mode Erase the configuration file in storage media Configure FTP Configure authentication and authorization of FTP serverClient via port 20 and transfer data Files on the router Enter the following commands in system view Configure Parameters of FTP ServicePlease enter the following commands in system view Set the authentication mode of FTP server Set FTP update mode Set the connection time limit of FTP serviceForce to shut down FTP process Force to shut down FTP process Display FTP Server Display FTP server Display ftp-serverServer Display detailed information of the FTP user Display local-user System Management Terminal Service Features of TerminalService at Console Port Overview Service Set the attributes of terminal serviceTerminal Message On one router Perform the following configuration in all views Configure Terminal Message ServiceDisplay Terminal Message Service Enable/disable receiving messages from other terminals Dumb Terminal Typical Example Terminal Message Service ConfigurationTerminal Service Configuration Examples Dumb Terminal Service Configure Dumb TerminalConfigure Auto-execute command By default, no dumb terminal service is configured Terminal Service Telnet Connection Configure the interface to dumb terminal modeConfigure the auto-execute command command Router-Serial1auto-execute command telnet Establish Telnet Connection Terminal service features of telnet connectionService Value Setup Reverse Telnet Connection Enable Reverse Telnet connectionService-port Establish Telnet Server or Telnet Client connection Typical Configuration Example of Telnet Reverse Telnet Force shut down Telnet ProcessExample of Telnet Force to shut down Telnet process Rlogin Terminal Use Rlogin protocolExample of Reverse Telnet Router telnet 10.110.164.44 Establish a Rlogin connection Typical Rlogin Configuration ExamplesRlogin ip-address username Use local user name abc to log on Communicate with other terminals through the X.25 network Access ServicePAD Remote Configure X.25 PAD remote user Configure X.25 PAD remote userService-type type password Local-user user-name Start AAA authentication of X.25 remote users Enable AAA authentication for X.25 remote PAD usersEstablish an X.25 PAD call Establish a X.25 PAD call II. Networking Diagram III. Configuration ProcedureDisplay and Debug Set the Response Time to the Invite Clear Message Fault Diagnosis Troubleshooting Set its X.121 address asRouterA-serial0x25 x121-address RouterB-serial0x25 x121-address Snmp Overview Development of Snmp Configuring Network Management Snmp architecture SNMP-supported MIB Engineid By default, the system disables Snmp service3Com Router-supported MIB Perform the following configurations in system view Configure Snmp version and related tasks Configure information of router administrator Configure the traps to be sent by the routerV1 username Interface-number Perform the following commands in all views Display and debug SnmpName Byte-count Example 1 Configure Network Management of SNMPv1 Set the community name and access authorityConfigure an IP address for the Ethernet interface ethernet Examples Networking Requirements Network equipment Configure an IP address for the Ethernet interface ethernetRmon Overview Schematic diagram of Rmon application Enable Rmon statistics Examples Networking Requirement RouterA-Ethernet0 rmon promiscuous Commands to display information of the whole system Ping command Test Tool of Network Connection Ping supporting IP protocol System displaysPing supporting IPX protocol Ip-address Following command can be executed in any command modes Tracert commandTimeout host MaxTTL -p port -q nqueries Configure on the router Log Function Set the direction of syslog outputting log information Set Severity of Log Information Perform the following task in system viewSylog-defined severity is as follows Set Filter of Log Information Configuration of Log Host Turn on/turn off syslogDisplay and Debug Syslog Turn on/turn off syslog Syslog Configuration Example Turn on debugging switch of PPP moduleRouterinfo-center enable Routerdebug ppp all Display and Debugging Tools POS Terminal Access Service Dial-up POS Access POS Network Access Advantages of POS network access are as follows Start POS server POS Access Service ConfigurationConfigure POS access port Configure a POS application Interface-type interface-numberApp-number Ip-address port-number Bind the source address of TCP connection Configure POS multi-application mapping tableDefault app-number Display and Debug POS Access Display and debug POS accessSet the parameters of FCM used during Modem negotiation Set the parameters of FCM used during Modem negotiation Typical Configuration Example of POS Access Service Configure the Ethernet interface EthernetConfigure the POS access interface FCM0 Configure POS access interface FCM1 III. Configuration Procedure 1 Start the POS access server Configure POS access interface FCM2Configure POS access interface FCM0 Configure Async 0 to operate in POS application mode Configure Async 1 to operate in POS application modeIII. Configuration Procedures Configure Router a Start the POS access server Configure Router B Configure the Ethernet interface Ethernet RouterA ip route-static 10.1.1.2 255.255.255.0 serial III Interface 106 Enter the Interface View Configure InterfaceInterface Exit the Interface View Interface view, input quit to return to the system viewSet time interval for flow control statistics Interface-description Please use the following commands in all views Display and Debug InterfaceDisplay and debug interface Interface state information Interface Configuration Overview Configure Ethernet Interface Ethernet Interface Enter view of specified Ethernet interface Set IP addressSet IPX address Set frame format of sending message Select work mode of Ethernet interface Enable or disable internal loopback and external loopbackDisplay and Debug Select working rate of fast Ethernet interface II. Network Diagram Typical Ethernet Interface Configuration ExampleTroubleshooting Troubleshooting Configuring LAN Interface Asynchronous Serial Interface WAN InterfaceIntroduction Interface serial number Enter view of specified asynchronous interfaceInterface async number Set the work mode of asynchronous serial interface Set the baud rate of asynchronous serial interfaceModem in out Link-protocol slip ppp Hardware inbound outbound Async Mode protocolFlow-control none software Works in flow mode Parity even mark noneOdd space Stopbits 1 1.5 Backup AUX InterfaceSet MTU of asynchronous serial interface Set the coding format of Modem Configure AUX interface Configure AUX interfaceConfigure Synchronous Serial Interface Synchronous Serial Interface Enter view of specified synchronous interface Set the link layer protocol of synchronous serial interfacePhysical-mode sync Link-protocol fr hdlc Select work clock Working modes have different working clocksSet the baud rate of synchronous serial interface Synchronous serial interface is 64000 bps Set clock inversion Inversion is disabled by defaultSelect work clock Internal loopback/external loopback are disabled by default Detect dcdUndo detect dcd Reverse-rts Isdn BRI Interface Idle coding of synchronous serial interface is 7ETechnical Background Graphics and video Function group includes Preparations before ConfigurationBe clear about the following items before the configuration Channelized operating mode CE1/PRI InterfaceNetwork protocols such as IP and IPX Interface or a PRI interface Configure CE1/PRI CE1/PRI interface configuration includes Dial-on-Demand RoutingInterface Enter the view for a specified interface Number set-number Enter the synchronous serial interface viewBind the interface to be channel sets Bind the interface to be a pri set Enter the Isdn interface viewPri-set timeslot-list range Undo pri-set Enable/disable the internal loopback/external loopback Set the line code format on the CE1/PRI interfaceSet the line clock of the CE1/PRI interface Set the frame format of CE1/PRI interface Configure CT1/PRI CT1/PRI Interface Timeslot-list range speed Operation Command Enter the view of CT1/PRI interfaceController t1 number Interface serial number23 Set the frame format of CT1/PRI interface Set the line code format on the CT1/PRI interfaceSet the line clock of the CT1/PRI interface Choice for E1 access E1-F interface does not support PRI operating modeE1-F Interface Them into multiple channel sets Set Operating mode for an E1-F interface Enter the view of an E1-F interfaceInterface serial serial-number Fe1 unframed Set line clock for an E1-F interface Set interface rate after binding operationSet line code format for E1-F interfaces Enable/Disable local/remote loopback on an E1-F interface Set frame format for an E1-F interfaceDisplay and debug E1-F interface Serial-number Choice for T1 access T1-F interface does not support PRI operating modeT1-F Interface 193 X 8k = 1544kbps Set line code format for T1-F interface Set frame format of T1-F interface Enable/Disable local/remote loopback on a T1-F interfaceSet line clock for a T1-F interface Other related information CE3 InterfaceDisplay and Debug T1-F Display and debug T1-F interface Enter the view of the specified E3 interface Set E1 frame format Set the operating mode of CE3 interfaceSet the operating mode of E1 channel Mode non-channelized mode CT3 Interface44.736Mbps Data bandwidth 44736kbps Set clock mode of the CT3 interface Set clock mode of the T1 channelEnter specified CT3 interface view Set cable length of the CT3 interface Perform the following configurations in CT3 interface view By default, loopback is disabled Set Frame FormatBy default, the CT3 interface uses the C-bit frame format T1 line-number unframed Set the operating mode of T1 channelSet CRC of the serial interface Disable and Enable CT3 interface Display and debug of the CT3 interface Configuring WAN Interface Logical Interface Dialer Interface Configure Loopback Null Interface Sub-Interface Configure sub-interfaces of Ethernet interface Create and delete WAN sub-interfaceNumber.sub-number Number.sub-number multipoint Routerinterface serial Enter the view of WAN interface Serial0 of router aSelect frame relay link layer protocol Configure the static route from router a to LAN2 and LAN3 Specify DTE as its frame relay terminal typeSet its IP address to 202.38.160.1 and address mask to Allocate a virtual circuit with Dlci 50 to it Set work parameters of virtual-template Create or delete virtual-templateInterface virtual-template Undo interface Fault 1 Fail to create virtual interface Troubleshooting the reasons may be as followsDisplay state of the specified virtual-template Virtual-template-number Link Layer Protocol 164 PPP Authentication Mode PPP Overview Configuring PPP and MP Configure PPP MP OverviewFor detailed description of PPP, refer to RFC1661 Transmission time of large packets Configure the link layer protocol of the interface to PPP Configure the local authenticates the peer in PAP modeConfigure the peer authenticates the local in PAP mode Name-list Configure the local authenticates the peer in Chap mode Configure as the peer authenticates the local in Chap modeCipher password User username Configure PPP compression Configure AAA authentication and accounting of PPPConfigure the time interval of PPP negotiation timeout Perform the following configuration in interface view Configure PPP link quality monitoringPpp lqc forbidden-percentage Resumptive-percentage Configure MP Protocol Parameters Create Virtual Template Configure Operating Parameters of Virtual TemplateCreate/Delete virtual template Bind the physical Interface to a Virtual Template Specify the conditions for MP binding User-name Configure virtual Baud rate on interface Frags Example Typical PPP Configuration ExampleConfiguration Requirement Typical MP Configuration Example II. Configuration ProcedureConfigure to start Chap authentication at this side Set local username as Router1 Configure router-c Add a user for router-a Configure virtual interface templateConfigure router-b Add a user for router-a Fault Diagnosis Troubleshooting Fault 1 Link always fails to turn to up statusFault 2 Physical link fails to turn to Up status Indicates that the interface is shutdown PPoE Overview Introduction to PPPoE client Configure PPPoE Client Configure PPPoE session Reset or delete PPPoE session Typical PPPoE Configuration Example Perform the display and debugging command in all viewsAccess a LAN to the Internet via Adsl III. Configuration Procedure 1 Configure a dialer interface Configure a PPPoE session Configure the LAN interface and the default routeConfigure the DDN interface Serial Use Adsl as Standby Line Configuring Pppoe Client Configure Slip Asynchronous modeSlip Overview For further details about SLIP, you can refer to RFC1055 Enable/Disable the information debugging of Slip Typical SlipTime Interconnect two Router routers via Pstn and run IP Configure Router a Configure Dialer Rule Configure IP address of synchronous/asynchronous interfaceConfigure the Dialer String to router B Configure the default route to Route B Routerip route-static 0.0.0.0 0.0.0.0 Configure Isdn Isdn Overview By default, DSS1 signaling is used on Isdn PRI interfaces Configure type of signaling on Isdn interfaceConfigure the length of call reference Configure the receiving mode Configure the sending mode Configure interval for Qsig signaling timerTimer-name all Time-interval Perform the display and debugging commands in all views Configure Call Processing Method on an InterfacePerform the following configuration in Isdn interface view Typical Configuration Example Configure Router a Create an Isdn PRI interfaceConfigure the Isdn PRI interface RouterB transmit data after the call is set up Configure Router a Configure Router B Lapb Protocols Overview PSN 25 packet and Lapb frame By default, k is Configure Lapb N1, N2 Configure LapbBy default, the Lapb modulus is Modulo Configure Configure X.25 Interface Set/Cancel the X.121 address of the interfaceSet X.25 working mode Address 25 channel delimitation parameters Parameter Meaning By default, X.25 interface use modulo 8 mode Set/cancel X.25 virtual circuit rangeSet/Cancel X.25 packet numbering modulo Finally, the following should be noted Configure X.25 flow control parameter Configure X.25 Interface Supplementary ParameterSet the default flow control parameter Out-packets 25 layer 3 timer Set X.25 layer 3 timer delay Specify/Cancel an alias for the interface Alias match modes and meaningsAlias-string Match-type alias-string Set/Cancel the default upper layer protocol borne on Configure X.25 Datagram Transmission Create the permanent virtual circuit PVCProtocol-address x121-address Address option Configure Additional Parameters Datagram Transmission Create/Delete permanent virtual circuitX25 pvc pvc-number protocol Undo x25 pvc pvc-number Interface view, perform the following task Specify/Cancel packet pre-acknowledgement Configure X.25 user facility Configure the sending queue length of virtual circuit Serial port view, list1 can be quoted Set broadcast via Set interface with standby centerAddress broadcast Address logic-channel Switching Function Configure X.25 sub-InterfaceConfigure X.25 Switching Number.subinterface-number multipoi Introduction to X.25 Load Balancing Configure X.25 Load BalancingAdd or delete a PVC route Configure X.25 List of Configuration Tasks of X.25 Load Balancing Diagram of X.25 network load balancing Add/Delete interfaces or XOT Tunnels in hunt group Start /Close X.25 switching functionCreate/Delete X.25 hunt group Configure X.25 over Other Protocols Add/delete other X.25 switching routesConfigure X.25 over TCP XOT Introduction to XOT Protocol Configure XOT Start X.25 switching Configure local switchingConfigure SVC XOT switching For PVC, perform the following tasks in interface view Configure Annex G Data Interoperation Configure PVC XOT switchingConfigure X.25 over Frame Relay Annex G Configure Keepalive and xot-source attributes Configure the X.25 Attributes for a Dlci Configure the X.25 attributes for an Annex G Dlci Typical Lapb Configuration Example By default, X.25 template is not applied on DLCIsCurrent status of Lapb Specify IP address for this interface Specify X.121 address of this interface Configure Router B Select interfaceConfigure Router a a Select interface Specify address mapping to the peer Connect the Router to X.25 Public Packet Network Configure Router C Configure interface IP address Configure Router a Configure interface IP addressConfigure Router B Configure interface IP address Configure Virtual Circuit I. Networking Requirement DisabledRange Transmit IP Datagram via X.25 PVC Typical Sub-Interface Configuration Example Router-Ethernet0ip address 196.25.231.1 Create sub-interface serial Configure Router CConfigure Router D SVC Application of XOT I. Networking Requirement Configure Router C Start X.25 switching Configure SerialRouterx25 switch svc 2 interface serial Routerx25 switch svc 1 xot Application of X.25 Load Balancing Enable X.25 switching in system view Configure X.25 switching route to forward to X.25 terminalS11 Add Serial 1, Serial 2 and XOT Tunnel to hunt group Routerx25 switch svc 1111 xot Routerx25 switch svc 8888 interface serialLoad Balancing Carrying IP Data Transmission Routerinterface serial Router-Serial0link-protocol x25 dce Configure RouterA Configure interface Ethernet Configure interface SerialConfigure static route to RouterC Configure RouterB Configure interface Ethernet Configure the static route to RouterA and RouterB Configure RouterA Create an X.25 templateConfigure the local X.25 address Configure an IP address for the local interface Configure RouterB Create an X.25 template Map the Frame Relay address to the destination IP addressAssociates an X.25 template with the Dlci SVC Application of X.25 over Frame Relay Configure the router Router B Enable X.25 switching Enable switching on Frame Relay DCEConfigure Serial 0 as the X.25 interface Configure Serial 1 as the Frame Relay interface Configure X.25 over Frame Relay switching Configure the router Router C Enable X.25 switchingConfigure the Frame Relay Annex G Dlci Configure local X.25 switching.Router-fr-dlci-100annexg dte Configure Router D Configure the basic X.25 parameters Configure Router B Enable X.25 switchingConfigure an X.25 template Configure S1 as the Frame Relay interface Configure Serial Configure S1 as the Frame Relay interface Lapb Facility options inhibited by network have been carried Fault Diagnosis and Troubleshooting of X.25 Configuring Lapb Configuring Frame Relay By default, the interfaces link layer protocol is PPP Link-protocol fr ietfRelay Nonstandard Configure Frame Relay interface type Configure Frame Relay LMI protocol type Fr lmi n391dte n391-value Undo fr lmi-n391dteFr lmi n392dce n392-value Undo fr lmi n392dce Undo fr lmi n393dce Fr lmi t391dte t391-valueUndo fr lmi t391dte Fr lmi t392dce t392-value Configure Frame Relay static address mapping Configure Frame Relay dynamic address mapping Configure Frame Relay local virtual circuit number Create Frame Relay sub-interfaceFr dlci Undo fr Establish static address mapping Configure virtual circuit of Frame Relay sub-interfaceApplying dynamic address mapping to the sub-interface Configure the Frame Relay local virtual circuit number Configure the route for Frame Relay PVC switchingConfigure Frame Relay local switched PVC number Configure the Frame Relay switched PVC Configure Multilink Frame Relay FRF.16 Overview Configure MFR Configure a MFR bundle interface MFR interfaceConfigure MFR interface parameter Subnumber Frame Relay Compression Configuration Configure the parameters of the bundle link interface By default, interfaces use initiative compression Configure Frame Relay Fragment FRF.12Configure Frame Relay Fragment Attributes Configure Frame Relay Compression on multipoint interface Disable the Frame Relay traffic shaping Frame Relay Traffic ShapingFr traffic-shaping Undo Fr traffic-shaping Rate Frame Relay Queueing Management Frame Relay Traffic Policing 150 Kbps 100 Kbps CI R ALLOWº£ 64 Kbps Frame Relay Congestion Management Frame Relay DE rule list By default, no Frame Relay class is created Configure the Frame Relay class parametersConfigure Frame Relay Traffic Shaping Undo fr-class class-name Enable/Disable the Frame Relay traffic shaping Configure the parameters of Frame Relay class Enable/Disable the Frame Relay traffic policing Queue-percentage Dequeue-percentage Configure the Frame Relay PVC queueing Configure Frame Relay DE Rule ListConfigure Frame Relay Queueing Management Configure Pipq Configure Frame Relay over Other Protocols Configure Frame Relay over IPConfigure a tunnel interface Configure Frame Relay switching Frame Relay over Isdn Operation Process and Fundamentals Networking of a typical Frame Relay over Isdn application Back-to-back connection between DTE and DCE devices Frame Relay switching connection between DTE devicesPhysical Connection Between Frame Relay over Isdn Devices Configure Frame Relay over Isdn Configure the Frame Relay-related commands Dlci Configure the commands related to Frame Relay switchingConfigure the link layer protocol of the interface Configure parameters related to dialer profiles Display and debug Frame RelayDisplay and Debug Frame Relay Isdnsubaddress Number dlci dlci-number Number interface serialType number dlci Mfr number Typical Frame Relay Configuration Example Configure static address mappingInterconnect LANs via Frame Relay Network Router-Serial1fr map ip 202.38.163.251 dlci Configure local virtual circuit Relay FRF.16Interconnect LANs via Private Line Router-Serial1ip address 202.38.163.253 Create a MFR interface Bundle Serial 0 and Serial 1 to mfrExample FRF.9 Them III. Configuration Procedure 1 Configure Router a III. Configuration Procedure 1 Configure RouterAFRF.12 Fragment between them IP Configuration Routerfr class 96kRouter-fr-class-96ktraffic-shaping adaptation becn Typical Frame Relay over Configure IP interface Ethernet0 Configure tunnel interfaceConfigure Frame Relay over IP Router-Serial0fr interface-type dce Configure the Frame Relay parameters on Bri0 Router-Bri0fr map ip 110.0.0.2 dlciRouter-Dialer0dialer number Router-Dialer0dialer call-in Router-Dialer0fr interface-type dce Configure the Frame Relay-related parameters on Bri0 Configure Frame Relay SVCs Router-Serial1.1ip address 130.0.0.2 Fault 4 Frame Relay data cannot be transmitted across Isdn Fault Diagnosis Troubleshooting Frame RelayFault 1 the physical layer in Down status Configuring Frame Relay Configure Hdlc Configure Hdlc Display and Debug HdlcBy default, the link layer protocol of the interface is PPP Configure the link layer protocol of the interface to Hdlc Enable Hdlc packet debugging Debugging Hdlc Packet Interface Configure Bridge’s Routing Function Typical Bridge ConfigurationBridge Overview Bridge Overview Obtain address table Main Functions of Bridging Bridge Overview Forward and Filter Final bridging address table Eliminating loop Filter not forward Preliminary examination state of bridging loops Spanning Tree Topology Bpdu Forwarding Mechanism Spanning tree topology Configure Bridge’s Routing Function By default, disable bridging functionsEnable/Disable bridging functions Bridge enable Configure static address table entries Specify the STP version supported by the bridge-setAdd ports to a bridge-set Mac-address Disable/Enable STP on ports Enable/Disable forwarding by using dynamic address tableConfigure the aging time of dynamic address table Configure the bridge port priority Configure the bridge priorityConfigure the path cost of bridge port Configure the interval for sending BPDUs Configure the forward delay for the port status transition Configure the Max age of Bpdu Create ACLs based on varied Ethernet encapsulation formats Acl acl-number Bridge-set Enable/Disable bridge’s routingConfigure a bridge-template interface Define a link-set Share load by source MAC addressLink-set Bridgebridge-set link-set link-set Define a dialer list Configuration on the interfaceMap the bridge address to Dlci Typical Bridge Configuration Display and Debug BridgeDisplay and debug bridge Transparent Bridging Multiple LANs Router-Serial0bridge-set 1 stp disable Configure Router aConfigure Router B Transparent Bridging over Frame Relay Transparent bridge over the Frame Relay Router-Serial1dialer route bridge broadcast Asynchronous Dial-in StandbyConnected are failed Please refer to Figure Bridge-Template interface Networking of bridge-template interface Bridging on Sub-Interfaces Networking for bridging on sub-interfaces Router-Serial1bridge-set 1 link-set Link-Set Configuration I. Networking RequirementsRouterbridge enable Routerbridge 1 stp ieee Network Protocol 316 Configuring IP Address IP address classes and ranges Network IP network range Description Class Sub-net classification of IP address Configure IP Address Configure IP Address for an Interface By default, the interface has no master IP addressConfigure master IP address of an interface Ip address ip-address mask Configure slave IP address of an interface Ip address ip-address mask Mask-length subDelete slave IP address of an interface Undo ip address ip-address By default, the interface has no negotiating IP address Configure IP Address Unnumbered for an InterfaceIntroduction to IP address unnumbered Set negotiable attribute of IP address for an interface Configuration Example I. Configuration Requirements Configure routing to Ethernet segment of Shenzhen router R1Configure IP address unnumbered Borrow IP address of Ethernet interface Configure router R1 of Shenzhen subsidiary Borrow IP address of EthernetRouter-Ethernet0ip address 172.16.20.1 Router ip route-static 0.0.0.0 0.0.0.0Page Configuring IP Address Define a static ARP mapping Arp static ip-addressUndo arp static ip-address Arp dynamic ip-address Configure Domain Name ResolutionName Resolution Display and Debug ARP Display ip host Display and Debug Domain Name ResolutionDisplay and Debug domain name resolution Create Ethernet subinterface Specify the Vlan on which Ethernet subinterface is locatedInterface-number.subinterface-number Vlan-type dot1q vid vlan-id Configure IP address of Ethernet subinterface Typical Vlan Configuration ExampleDisplay and Debug Display and Debug Vlan Display vlan Configure IP address for the subinterface Configure Vlan information of LAN SwitchTroubleshooting The steps below can be taken Router-Ethernet0.1ip address 3.3.3.8 Dhcp Server Configuration Fault Ping Two PCs, but fails to ping them throughDhcp vs Bootp Background of the Dhcp development Dhcp server Dhcp clients Occasions in which Dhcp server is appliedFollowing figure Dhcp client logs into the network again Dhcp Server Configuration Enable/disable the Dhcp service Dhcp EnableUndo Dhcp enable Dhcp server ip-pool pool-name Network ip-address Configure the statically binding IP address and MAC addressNetmask Low-ipaddress high-ipaddress Low-ipaddress high -ipaddress By default, the IP address of DNS is not configured Configure the gateway router address of clientConfigure the domain names of Dhcp clients Configure the DNS addresses in a Dhcp address pool Set the type of NetBIOS node for Dhcp client Set the type of NetBIOS node for Dhcp clientNbns-list ip-address1 Ip-address2 ... ip-address8 Use reset, debugging and display command in All views Configure Dhcp self-defined optionsDisplay and Debug Dhcp Server Display and Debug Dhcp servers Router dhcp server forbidden-ip III. Configuration Procedures 1 Enable the Dhcp serviceRouter dhcp enable At the client, use ipconfig /releaseall Router-dhcp2nbns-list Router-dhcp2gateway-list Configure interface relay address Operation Command Configure interface relay addressIp relay-address ip-address Delete interface relay address Dhcp Relay Configuration Requirement Dhcp RelayIP address from Dhcp server through application Available on Dhcp server Configure Dhcp relay router Networking diagram of an Dhcp relay configuration example Fault 2 fail to forward transparent transmission protocol Private Network Address and Public Network Address Under which condition should the address be translated Mechanism of Network Address Translation NAT Characteristic of Network Address Translation NATRole the Network Address Translation NAT plays Configure address pool Performance of Network Address Translation NATEnd-addr pool-name Pool-name Nat outbound acl-number Address-group pool-nameUndo nat outbound acl-number Undo nat outbound Configure the Internal Server Configure the Timeout of address translationNat server global global-addr global-port Www inside inside-addr inside-port any Typical NAT Configuration Example Display and Debug NAT Display and debug NAT Configure address pool and access list Allow address translation of segment at 10.110.10.0/24Set internal FTP server Set internal WWW server Configure address access control list and dialer-list Configure dial-up property for the interfaceConfigure a default route to serial Correlate the address translation list and the interface Fault 2 Internal server abnormal Configuring IP Application Configure IP To configure IP performance, carry out the following stepsConfigure maximum transmission unit on an interface Performance Configure TCP Tcp window size Configure Fast Forwarding Perform the following configuration in system view Display and Debug IPForwarding Display and Debug Fast Display and Debug fast forwarding Router info-center enable Router debugging tcp event Troubleshooting IP Performance ConfigurationRouter info-center enable Router debugging tcp packet Configuring IP Count IP Count Configuration Enable/Disable IP Count serviceIp count enable Undo ip count enable Specify count maximum of exterior Configure IP Count on an interfaceConfigure IP Count list By default, IP Count entries time out after 720 minutes CountSpecify count maximum of interior Display and debug IP Count Information is displayed IV. Test ProcedureNot been configured on the interface of the router Configuring IP Count Configuring IPX IPX address SAP Configure IPX Modify length of service information reserve queueConfigure relative parameters of IPX SAP Its first Ethernet interface as its node address Enable IPX interface Configure IPX RIP static routeEnable/Disable a Default Route Perform the following task in interface view Configure RIP updating period Configure RIP aging periodConfigure the maximum size of RIP update packet Configure the maximum number of IPX parallel route Configure length of route reserve queue Configure static service information table item Configure SAP aging period Configure size of SAP maximum updated messageConfigure reply to SAP GNS request Ipx sap timer update seconds Configure Using touch-off for an interface Disable split-horizon Configure the delay of interface sending IPX packets Configure management of IPX packetModify Encapsulation Format of IPX Frame on Interface Encapsulation format of IPX frame Configure Router a a Activate IPX Display and Debug IPX Display and Debug IPX Configure an address map to Router B Configure a static route to network IDConfigure an information about Server2 file service Configure an information about Server2 directory service Configure an information about Server1 directory service DLSw Protocol Configuration of DLSw Create DLSw local peer entityInit-window-size max-frame Max-frame-size max-window Configure Bridge set connecting to DLSw Create DLSw remote end peer entity Configure to add ethernet port to Bridge set Configure Sdlc role Configure Sdlc virtual MAC address Configure Sdlc addressSdlc-address Controller sdlc-address Add synchronous Interface to Bridge set Configure Sdlc peer entityConfigure XID of Sdlc Baudrate Configure to stop running DLSwConfigure baud rate of synchronous Interface Configure Idle time encoding mode of synchronous Interface Configure parameters of DLSw timerConfigure LLC2 local acknowledgement delay time Mseconds Configure LLC2 premature acknowledgement window Configure modulo value of LLC2 Configure retransmission number of LLC2 Configure LLC2 local acknowledgement timeConfigure Busy status time of LLC2 Configure P/F wait time of LLC2 Configure REJ status time of LLC2 Configure queue length of sending message of LLC2Configure Queue Length of Sending Message of Sdlc Configure Sdlc local acknowledgement window Configure poll time interval of Sdlc Configure maximum receivable frame length of SdlcConfigure retransmission number of Sdlc Configure SAP address for transforming Sdlc to LLC2 Configure data bi-directional transmission mode of SdlcLsap Dsap Typical DLSw Configuration Example DLSw Configuration Networking RequirementDLSw IP across WAN Router a Configuration Router B ConfigurationDLSw Configuration Router dlsw local Networking diagram of DLSw configuration of SDLC-SDLC Networking Diagram of SDLC-LAN DLSw Fault When using command display dlsw remoteDiagnosis Virtual circuit cant attain Connected state Diagnosis and Troubleshooting of DLSw Fault Configuring Dlsw VI Routing 404 IP Routing Protocol IP Routing Protocol Routing Protocol and Routing Priority Routing Protocol or Type Corresponding Routing Priority Ospf ASE Configuring Static Routes Default Route Configuring a Static Route Configuring a Static RouteConfigure a Static Route Transmitting interface or next hop address Configuring a Default Route Displaying Debugging Routing TablePreference Other parameters Other Troubleshooting aStatic Route RIP Overview Configure RIP Features is not subject to whether RIP has been enabled Enable RIP at the Specified Network Enabling RIP By default, the interface runs RIP-1 Define a Neighboring RouterSpecify RIP Version Peer ip-address RIP Version 1 enables zero field check by default Configure Check Zero Field of RIP VersionDisable a Host Route Specify the Status of an Interface Authentication on Enabling RouteSummarization for RIP Version By default, the default route metric for RIP is Configure RIP Horizontal Segmentation on the InterfaceConfigure Route Import for RIP Specify a Default Route Metric Value for RIP Configure filtering route information received by RIP Distribution for RIPSpecify Additional Route Metric Value for RIP Set Route Preference Reset RIP Displaying and Debugging RIPFilter the Routing Information Being Advertised by RIP Display and Debug RIP RIP Unicast Ospf Configuration Example Ospf OverviewOspf Overview Displaying and Debugging Ospf Configuring Ospf Enable Ospf Specify Router IDRouter id router-id Undo router id Area area-id By default, Ospf is disabledArea-id Configure the Network Type of the Ospf Interface Configure Sending Packet CostOspf network-type broadcast nbma P2mp P2p Configuring a Peer for the Nbma Interface Cost Operation Command Set the priority of the interface when Specify the Router PriorityOspf Dr-priority value Undo Ospf dr-priority Specify Hello Intervall Specify Dead Interval Specify Retransmitting Interval Configuring a Stubby Area and a TotallySpecify Transmit-delay Perform the following configuration under Ospf view Configure Totally Stubby Area of OspfStub cost cost area area-id No-summary Perform the following configuration in Ospf view Configure an Nssa Area of Ospf Configure Route Summarization Within Ospf Domain Abr-summary address mask mask areaArea-id advertise notadvertise Undo abr-summary address mask mask Create and Configuring a Virtual Link Area-id None Router-id None Configure Authentication Key-id Configure Route Import for Ospf Configure Parameters When Importing External Routes Configure filtering route information received by Ospf DisplayingDebugging Ospf Filter for Ospf Router D 201 Router B 301 302 Router C 1.3 Ospf Configuration ExampleConfiguring Ospf on the Point-to-Multipoint Network Enable Ospf RouterC ospf enableRouterA-Serial0ospf network-type p2mp RouterB-Serial0ospf network-type p2mp Configure DR on Ospf Preference 1.1 4.4 E0 192.1.1.1/24 E0 192.1.1.4/24E0 192.1.1.2/24 E0 10.1.2.3/24 2.2 3.3 RouterA display ospf peer RouterD display ospf peer RouterB-ospfVlink peer-id 3.3.3.3 transit-area To configure an Ospf virtual link Configure Router aBetween Router B and Router C To configure Ospf peer authentication Configure Router a Normally Troubleshooting anOspf Configuration Ospf Configuration Example Configuring Ospf BGP Configuration Example BGP OverviewBGP Overview Displaying and Debugging BGP Configuring BGP Resetting BGP Connections Enabling BGP Perform the following configurations in system viewBy default, BGP is disabled Perform the following configurations in BGP view Configure BGP Route-update Interval Configure the BGP Version of the PeerSet the Timers for BGP Peer Configure to distribute default route to the peer Configure to Send Community Attribute to the PeerConfigure the Peer to be the Client of the Route Reflector Configure to Distribute Default Router to the Peer Create a Fltering Policy Based on Access List for the Peer Configure the BGP MED MetricCreate a BGP Route Filtering Based on AS Path for the Peer Allow Comparing Path MED Configure the Local Preference Configure the Keepalive Timer and Holdtime Tmer for BGPTimers keepalive-interval Holdtime-interval By default, there is no BGP peer in a peer group Add a Peer to the BGP Peer GroupPeer group-name Group-name Configure AS Number of BGP Peer Group Configure Connection Between Peers Indirectly ConnectedSet the Timers of BGP Peer Group Configure BGP Routing Update Sending Interval Create Routing Policy for Peer Group Configure to send the default route to the peer groupConfigure to Send the Default Route to the Peer Group Create an Aggregate Addresses By default, software accepts BGP VersionConfigure BGP Version of Peer Group By default, an aggregate is disabled Aggregate address maskAs-set Undo aggregate address Undo reflect between-clients Reflect between-clientsClients within the reflection group Configure the Cluster ID Configure BGP CommunityStandard-community-list-number Extended-community-list-number As-number … Configure a ConfederationConfigure the Sub-system of E Confederation Schematic diagram of route dampening Display Route Flap Information By default, BGP synchronizes with IGP Is insured When AS is not a transitional AS ConfiguringConfigure Route Import for BGP Still exists Define an access list entry Entry, an AS Path-listDefine an AS Path-list entry Define a routing policy Define an apply clause Perform the following configurations in Routing policy viewDefine a match rule Filter for BGP Reset BGP Connections Debugging BGPFilter Routing Information Being Advertised by BGP Display and Debug BGP BGP Configuration Procedure for each configurationAs-regular-expression acl Acl-number network-address Networking diagram of configuring AS confederation Configure Router B Configure BGP peers RouterA-bgppeer 192.1.1.2 as-numberRouterB-Serial1ip address 193.1.1.2 RouterC-ospfinterface serial Configure Router D Configure BGP peers Configure peer Start BGPSpecify BGP transmission network RouterA-acl-1rule permit source 1.0.0.0 RouterC-acl-1rule permit source 1.0.0.0 RouterC-bgppeer 193.1.1.1 route-policy localpref import RouterD-ospf network 4.0.0.0 0.0.0.255 area 0 RouterD bgp Configuring BGP IP Routing Policy Configuring IP Routing Policy Configure IP Routing Operation Command Define a routing policy and enter intoPolicy Define a Routing Policy Configure a Matching Rules Define a Setting Clause Apply community aa nnNo-export addtive none Apply tag tag-value Tag tag-value type 1 Configure Route ImportRoute-policy route-policy-name Ge-value less-equal le-value Define an IP Prefix ListIp ip-prefix prefix-list-name Perform the following configurations in all views Debugging IP Routing PolicyOSPF-ASE external route discovered by Ospf protocol BGP route discovered by BGP protocol Configuring IP With different weighting valuesRouting Policy Protocol Route Information Troubleshooting IP Configure RIP protocolNormal operation Routerip ip-prefix p1 permit 192.1.1.0/24 Configuring IP Routing Policy Routing Configuring IP PolicyIP Policy Routing Define Apply Clause Create a Routing PolicyDefine Match Rules By default, interface policy routing is disabled Enable/Disable Interface Policy RoutingDisplaying Debugging IP Policy Routing Interface Policy Routing Suggested procedure for each configuration Define access listRouter-acl-101rule deny tcp source any destination any Router-acl-102rule permit tcp source any destination any Adopt policy aaa in Ethernet interface Router-Ethernet0ip policy route-policy aaaRouterA-Ethernet0ip policy route-policy lab1 RouterB-ripnetwork RouterAdebugging ip policy-routing IP Multicast Configuring Igmp Configuring PIM-DM Configuring PIM-SMChapter 498 IP Multicast Class D address range Meaning Range and Meaning of Class D AddressesList for Reserved Multicast Addresses IP Multicast Routing Protocols IP Multicast Application IP Multicast PacketIP Multicast IP Multicast Configuring Igmp Igmp Configuration ExampleIgmp Overview Igmp Overview Configuring Igmp Configure Igmp Maximum Query Response Time Make the following configuration in interface viewConfigure the Igmp Version Number Run at Router Interface Igmp Configuration Debugging command in system view to debug IgmpDisplaying and Debugging Igmp Interfaces are all fast Ethernet FE Router a Router B Configuring Igmp Configuring PIM-DM Make the following configuration in the system view By default, the system disables the multicast routingEnable Multicast Routing Operation Command Enable multicast routing Start/Disable PIM-DM Protocol Displaying and Debugging PIM-DMDisplay and Debug PIM-DM Group-address source-address PIM-DM Configuration Enable multicast routing protocolEnable PIM-DM protocol Receiver 2 are the two receivers of this multicast group PIM-SM Overview PIM-SM Configuration Enabling Multicast Routing By default, the interface disables PIM-SM protocol Enable/Disable PIM-SM ProtocolConfigure Candidate BSR Configure Candidate RP Configure PIM-SM Domain Boundary By default, no interface is configured to be candidate RPBy default, no PIM-SM domain boundary is configured Use the pim command in system view to enter PIM view Debugging PIM-SM Configure Router a Enable PIM-SM protocol Configure Router B Enable PIM-SM protocolRouterA multicast routing-enable RouterA interface ethernet RouterA-pimspt-switch-threshold 10 accept-policy Display pim neighbor command can be used to check whether Follow these stepsNeighbors have discovered each other RouterB-acl-5rule permit source 225.0.0.0 Configuring PIM-SM Viii Security 524 Terminal Access Configuring TerminalAccess Security Configuring a User Configure EXECLogin Authentication Configure the authentication method list of Exec users Enable AAAConfigure Radius server and the shared secret Configuring Terminal Access Security AAA Overview Radius Overview Components of Radius server Basic message interaction process of Radius Code Packet type Explanation of the packet Request Authenticator Adopts 16-byte random codeType of Packets Decided by Code Field Attribute Fields By default, AAA is disabled AAA Enable/Disable AAAConfigure AAA Login Authentication Server-template-name method1 Configuring an Authentication Method List for PPP Users Configure PPP Authentication Method List of AAADefault methods-list method1 Default methods-list By default no address pool is defined by the system Configure AAA Local-First AuthenticationConfigure AAA Accounting Option Configure Local IP Address Pool By default pool-number is Configure a User and PasswordConfigure Callback User Configure Ordinary User and Password Configure User with Caller Number Configure FTP User and the Usable DirectoryConfigure Callback User and the Callback Number Configure User with Caller Number Authorize a User with Usable Service Types Configure FTP User and the Usable DirectoryConfigure Authorizing a User with Usable Service Types Directory Configure Radius Server Shared Secret By default, no key is configured for the Radius serverConfigure Radius Server Shared Secret Radius server hostname ip-address Configure the Request Retransmission Times Configure the Time Interval for the Inquiry Packet Accessing User Authentication CaseDisplaying Debugging AAA AAA and Radius Configure IP address and port of Radius server Configure local-first authenticationRouter aaa authentication-scheme local-first Routerradius server Troubleshooting AAA Radius Can Users Radius authentication is always rejectedConnected user cannot be seen in display aaa user Configuring AAA and Radius Protocol Firewall Overview Classification of Firewalls Packet filtering schematic diagram Extended access control list Command format when the protocol is IGMP, IP, GRE or OspfCommand format when the protocol is TCP or UDP Operators of the Extended Access Control List Mnemonic Symbol of the Port Number Protocol Mnemonic Symbol Meaning and Actual Value UDP Operator and Syntax Meaning Configure the match sequence of access control listMnemonic Symbol of the Icmp Message Type Configure Firewall Effect Perform the following configurations in system viewFirewalls are disabled by default Firewall Configure Standard Access Control List Configure Extended Access Control List Enabling and disabling filtering according to timerange Configuring Special TimerangeSet Default Firewall Filtering Mode Destination dest-addr dest- wildcard Enable/Disable Filtering According to Timerange Set special time rangeSet Special Time Range Settr begin-time end-time Use debugging, reset and display commands in all views Displaying and Debugging FirewallSpecify Logging Host Display and Debug Firewall Enable firewall Configure access rules to inhibit passing of all packetsRouterfirewall enable Routerfirewall default permit Router-Serial0firewall packet-filter 102 inbound Apply rule 102 on packets coming in from interface Serial0Router-Ethernet0firewall packet-filter 101 inbound IPSec Protocol IPSec Message Processing IPSec Related TermsFollowing terms are important to an understanding of IPSec Creating an Encryption Configuring IPSecAccess Control List Create Encryption Access Control List Operator port1 port2 Set the output of the crypto card log Configure Ndec Cards Enable the crypto cardsBy default, all the crypto cards are enabled By default, no proposal view is configured Enable/Disable the Host to Backup the Ndec CardsSet the Mode for Security Protocol to Encapsulate Messages Define IPSec proposal Selecting the Encryption Authentication Algorithm Default mode is tunnel-encapsulation modeSelect Security Protocol Select Security Protocol Select Encryption Algorithm and Authentication Algorithm Creating a Security Policy By default, no security policy is created Configure access control list quoted in security policyPerform the following configurations in IPSec policy view Set start point and end point of security tunnel By default, the security policy quotes no IPSec proposal Configure IPSec Proposal Quoted in Security PolicySet IPSec proposal quoted in security policy Set SPI of security policy association and its adopted key By default, no key is used by any security policy Configure SPI Parameters of Security Policy AssociationConfigure Key Used by Security Policy Association Hex-key Set access control list quoted by security policy Set end point of security tunnelCreating a Security Policy Association with Specify End Point of Security Tunnel Set the IPSec proposal quoted in security policy Set SA lifetimeProposal proposal-name1 Proposal-name2...proposal-name6 Configure a separate SA lifetime By default, apply the global SA lifetimeConfigure Global SA LIfetime Configure Separate SA LIfetime Use debugging, reset and display commands in all views Debugging IPSecApply Security Policy Group on Interface Ipsec sa dynamic-detect Dest-address protocol spi Reset crypto cardDisplay and Debug IPSec IPSec Configuration Example Use the debugging, reset and display command in all viewsDisplaying and Debugging the crypto card Creating an SA Manually Adopt tunnel mode as the message-encapsulating form Select authentication algorithm and encryption algorithmQuote access list Create the IPSec proposal view named tran1 Configure the route Create a security policy with negotiation mode as manualApply security policy group on serial interface Exit to system view Set remote addresses Create a security policy with negotiation mode as isakmpCreate the IPSec proposal view named trans1 Configure ip address of the serial interface Configure corresponding IKEConfigure serial interface Serial0 Create a security policy with negotiation view as isakmp Establish a security policy with manual negotiation mode Adopt tunnel module for packets encapsulation formReturn to system view RouterB ike pre-shared-key abcde remote Enter Ethernet interface view and configure IP address Set local addressSet encryption key Apply security policy base on serial port Establish a security policy with manual configuration mode Troubleshooting IPSec Ndec card cannot be configuredReturn to the system view RouterB ipsec policy map1 10 manual Do the following Configuring Ipsec Configuring IKE Policy Configuring IKEIKE features Create IKE Policy Ike proposal policy-numberView Delete IKE policy Undo ike Selecting an Authentication Algorithm Select Authentication MethodConfigure Pre-shared Key Select Encryption Algorithm By default, 768-bit Diffie-Hellman group is selected Select Hashing AlgorithmSelect DH Group ID Set Lifetime of IKE Negotiation SA Configure IKE Keepalive Timer Reset ike sa connection-ike-sa-idDisplaying and Debugging IKE Display and Debug IKE IKE Configuration Invalid user ID information Unmatched policy Unable to establish security channel Configuring VPN Configuring L2TP Configuring GRE IX VPN 596 VPN Overview Basic Networking Applications of VPNClassification of IP Authority given by local ISP Comparison of layer 2 and layer 3 tunnel protocols Layer 2 tunneling protocolLayer 3 tunneling protocol Configuring VPN Vpdn and L2TP Vpdn Operation Methods of Implementing Vpdn L2TP channel Networking diagram of two typical methods of Vpdn Tunnel and session IV. Call setup flow of L2TP tunnel Control message and data message Features of L2TP Call setup flow of L2TP channel Basic Configuration at Enable L2TPEnable/Disable L2TP L2tp enable Ip-address … domain domain-name Originate L2TP Connection Request and LNS AddressL2tp-group group-number By default, L2TP is disabled Configure AAA and Local UsersDefault list-name method1 L2TP Attribute Table Operation Command Create a L2TP group Operation Command Create a virtual templateCreate/Delete L2TP Group Create/Delete a Virtual Template Advanced Configuration at LAC or LNS By default, receiving dial-in from LAC is disabledConfigure the Name of the Receiving End of the Tunnel Configure Local VPN Users Enable Tunnel Authentication Setting Password By default, the local name is the host name of routerSet Local Name Tunnel name name Set the Interval for Sending Hello Message Configure the Interval For Sending Hello MessagesSet Tunnel Authentication and Password Set Domain Name Delimiter and Searching Order Configure Domain Delimiter and Searching OrderForce This configuration is applicable to LNS only Operation Command Force to disconnect tunnelReset l2tp tunnel remote-name Force to Disconnect Channel LCP to Renegotiate Configure the Local Address and Address PoolLCP does not renegotiate by default Enable/Disable Hiding Attribute Value Pairs AV By default, AV pairs are hiddenEnable/Disable Hiding AV Pairs Number of L2TP Sessions L2TP Configuration Examples By default, the maximum number of L2TP sessions isUse debugging, display command in all views Display and Debug L2TP Implement local AAA authentication on VPN user Configure the IP address of Serial1 interface of LACEnable L2TP service and configure a L2TP group Configure BDR dialup parameters Configure the IP address of Serial0 interface of LNS Configure the Virtual-Template-related information Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Client-originated VPN Networking Router-LACip pool 1 192.170.0.3 Configure the IP address of Serial1 interface at LAC side Configure BDR parametersConfigure the IP address of Serial0 interface at LNS side Disable tunnel authentication Network Connection Wizard Network Connection Wizard Connect Connection to Configure an IP address on Serial0 interface Configure a L2TP group and the related attributesConfigure the domain suffix separator to @ Router1 l2tp domain suffix-separator @ Enable AAA authentication Configure Virtual-TemplateForce to implement local Chap authentication III. Procedures Configure a L2TP group and configure the related attributes Configuration at Router2 LNS side Enable AAA authenticationConfigure an address pool 1 in the range of 192.168.0.2 to Configure an access control list and specify L2TP data Fault 1 The users fail to log PPP negotiation fails. The reasons may be Troubleshooting L2TP Configuring L2TP Packet GRE ProtocolEncapsulation Encapsulated tunnel message format Refer to RFC Enlarge network operating range Configuring GRE By default, no virtual tunnel interface is createdCreating a Virtual Tunnel Interface Create Virtual Tunnel Interface Address of a Tunnel Must be configured Interface Setting the NetworkPerform the configurations in the tunnel interface view Address of the Tunnel Number discarded Set Tunnel Interface to Check with ChecksumSet the Tunnel to Synchronize Datagram Sequence Numbers Gre key key-number GRE Configuration Example Group1 and group2. It can be implemented by using GREDebugging GRE All views Configure the IP address of Ethernet0 interface Configure Router B Configure the IP address of Serial0 Configure Router a Activate IPX Configure the IP address and IPX address of Ethernet0Configure the static route to Novell Group2 Configure Router B Activate IPX Networking of troubleshooting GRE RouterB ipx route 1e 1f.a.a.a tick 30000 hop Configuring a Standby Center Configuring Vrrp 646 Configuring Standby Center Standby Center Enter the Logic Channel View Address logic-channelnumberFr map protocol address dlci dlci Next-hop-address dialer-number Channel to check whether it has recovered Standby timer enable-delay secondsUndo standby timer enable-delay Standby timer disable-delay seconds Please perform the following configuration in all views Load Sharing viewInterfaces Enter the view of Serial Router-logic-channel10standby interface serial Enter the view of logic channelChannel Router-Serial1logic-channel Vrrp Configuration Examples Troubleshooting VrrpVrrp Overview Vrrp Overview Address Configuring VrrpAdding a Virtual IP Configure Router Priority in Standby Group Add Virtual IP AddressVrrp vrid virtualrouterid Undo vrrp vrid virtualrouterid Configuring Authentication Method Authentication Key Vrrp provides simple character authentication methodConfigure Authentication Method and Authentication Key Virtualrouterid Configure Standby Group TimerDebugging Vrrp Monitoring Vrrp Configuration Procedure for each configurationBackup with preemption aII. Networking diagram Vrrp Single Standby Gateway services instead Balancing and mutual backup are implementedGateway function as the master Multiple Standby There is requent switchover of the Vrrp state Many master routers exist within the same standby group XI QOS 662 Three Types of QoS Services QOS Overview QOS Overview Benefits of QoS for the Network Service QOS Overview Traffic Classification Traffic Policing Traffic POLICING, Traffic Shaping and Line Rate Committed Access Rate CAR Defining Rules Define CAR RulesQos carl carl-index precedence Precedence-value mac mac-address Apply the CAR Rule on the Interface By default, no CAR rule of ACL list is establishedApplying the CAR Policy on the Interface CAR Configuration Applying a CAR Policy to all Packets Configure the Priority Level Based CAR PolicyDisplaying and Debugging CAR Display and Debug CAR Configure the CAR Policy Based on the MAC Address Traffic Shaping Apply a CAR Policy on the Packets that Match ACLMatches ACL Packets Configuring shaping parameters for a specified flow Schematic diagram of GTS processing Shape the flows matching 110 on Ethernet interface Configuring shaping parameters for all flowsConfigure the ACL Configure the Physical Interface LIne Rate Physical Interface LineRate Shape all the flows on Ethernet interface Display qos lr interface type Operation Command Display the LR configuration conditionsDisplaying Display and Debug LR Debugging LR Congestion Management Congestion Management PolicyFifo Queuing Priority Queuing Selecting Congestion Management Policies Comparison of Several Congestion Management Policies Number Queues Advantage Disadvantage Schematic diagram of the first in first out queue Schematic diagram of the custom queuing Weighted Fair Queuing WFQ Schematic diagram of weighted fair queuing Configuring Congestion Management Configuring Fifo QueuingConfiguring priority queuing Configure the First In First Out Queuing By default, no priority queue is established Values of Queue-Option with Protocol as IPProtocol-name queue-option queue Pql-index protocol Specifying the queue length of the priority-list queuing By default, the interface utilizes the Fifo queueApplying the priority-list queuing group to the interface Configuring custom-list queuing Configuring Custom Queuing CQDefault Length Value of the Priority Queue Displaying and debugging the priority queue Configure the Custom-Lst Queuing According to the Interface Configure the Default Custom-List QueuingQueue-number Queue queue-number By default, the interface uses the Fifo queue Configuring the queue length of the custom-list queuingConfigure the Queue Length of the Custom-List Queuing Applying the custom-list queuing group to the interface Displaying and debugging the custom-list queue Configuring Weighted fair queuingDisplaying and debugging the weighted fair queue Congestion Management Configuration Examples PQ Configuration ExampleApply the priority queue 1 to Serial Apply the priority queue 2 to Serial Configure the CQ queue Configure Router B Configure the access control listRouterA-Tunnel0ip address 10.1.1.1 RouterA-Tunnel1destination Configure Serial0 master/slave addresses Configure Tunnel0Configure Tunnel1 WFQ Configuration Example Congestion Management Congestion Avoidance Congestion Avoidance Wred Configuration Enable the WredEnable Wred Function of the Interface Discard-prob Ip-precedence Congestion Avoidance Configuration Example Configure a WFQ queueEnable Wred Displaying Debugging Congestion Avoidance Congestion Avoidance Configuring DCC Configuring Modem XII DIAL-UP 704 Terms in DCC Configuration DCC Overview Circular DCC DCC Resource-Shared DCC Implementing callback through DCC Basic DCC featuresWith 3Com Routers Configuring DCC Preparing to ConfigurePrepare the data for DCC configuration Configure the local parameters of DCC Configuring the mode of the physical interface Configure Physical Interface ModeLinklayer-protocol-type Ip address ipaddress mask Associating a DCC dialer ACL with the interface Configuring an interface to originate calls to a remote end Configure an interface to receive calls from a remote end Dialer enable-circularDialer number dial-number Undo dialer number Next-hop-address dial-number DialerRoute protocol Undo dialer route protocol Next-hop-address Undo interface dialer number Dialer circular-group numberUndo dialer circular-group Dialer priority priority Interface dialer number Undo interface dialer numberDialer circular-group number Undo dialer circular-group Router Dialer0 Configuring dialing authentication for resource-shared DCC Configuring the dialer interface and dialer numberBy default, no dialer interface is created Enabing Resource-Shared DCC Configuring dialing authentication for resource-shared DCC Threshold traffic-percentage Configuring MP binding in circular DCCConfigure MP Binding in Circular DCC Configuring MP binding in resource-shared DCC Configuring PPP callback in the circular DCC implementationConfigure MP Binding in Resource-Shared DCC Dialer threshold traffic-percentage Implement PPP Callback Client Configuration in Circular DCC Implement PPP Callback Server Configuration in Circular DCC Command Telephone-numberNext-hop-address user username Dial-number Dialer callback-center dial-number Features of Isdn caller identification callbackPrimary rule The best match is the number with the fewest Operation Command Configure the local end to implement IdentificationUndo dialer call-in remote-number Callback according to the Isdn caller Configuring Isdn leased line Configuring auto-dialConfiguring Special DCC Functions Configure Isdn leased line for Circular DCC Configuring dialer number circular standby Configuring the Link Idle TimeConfigure Auto-Dial Configure Dialer Number Circular Standby By default, the link idle time is 120 seconds By default, the link disconnection time is 20 secondsConfiguring the link idle time when interface competion Configure the Link Idle Time Configuring the timeout of call setting up By default, the timeout of call setting up is 60 secondsConfiguring the buffer queue length of the dialer Debugging DCC DCC Applications in Common Use DCC Configuration ExamplesSolution Configure RouterC Configure RouterBRouter-Serial1dialer circular-group Router-Serial0dialer route ip 100.1.1.1 Router-Serial0dialer bundle-member Router-Serial1dialer bundle-member Configure RouterC Configure RouterC Configure RouterA Router-Dialer0dialer thresholdRouter-Bri0dialer bundle-member Router-Serial015dialer route ip 100.1.1.1 Router-Bri1dialer route ip 100.1.1.1 Router dialer-rule 1 ip permit Router interface serial Router-Serial1dialer enable-circularRouter-Serial0dialer route ip 100.1.1.2 Router-Bri0dialer route ip 100.1.1.2 user usera Configure the PC Callback for DC CBy the NT server NT Server-to-Router Router-Async0dialer route ip 100.1.1.254 Dial Number Circular Standby and Internet Access for DCC Configure subscriber PC Router-Serial0dialer route ip 100.1.1.254 Router-Serial215ppp authentication-mode chap Router-Serial215ppp chap password simple passb Router-Serial1standby logic-channel Remote end cannot be pinged after the modem is connected DCC Fault Messages Message Fault DCC peeraddr matching error Modem Function Provided by 3Com Routers Modem Script Receive-string1 send-string1 receive-string2 send-string2 Syntax description of modem scriptModem script format in common use is as follow By default, modem dial-in and dial-out are allowed Which, seconds defaults to 180 and is in the range of 0 toConfigure the Modem Dial-in and Dial-out Authorities Configure Modem Through the AT Command Configure a Modem ScriptConfigure a Modem Script Execute a Modem Script Manually By default, the modem works in non-auto answer mode Configure the Answer Mode for the ModemConfigure Authentication for a Modem Dial-in User Specify the Events Triggering the Modem Scripts Modem Configuration Examples Executethe debugging command in all views for the debuggingConfigure a Modem adaptation baud rate Displaying and Debugging a Modem AT&b1&c1&d2&s0=0 Restore the ex-factory modem settingsConfigure the modem initialization parameters Power-on Initialization Through Initialization Script Authentication forDirectly Modem Dial-in User Troubleshooting Configuring Modem