Set the IPSec proposal quoted in security policy

Creating a Security Policy 573

Delete remote address of security tunnel (applicable to IPSec software and crypto card)

undo tunnel remote ip-address

By default, the end point of the security tunnel is not specified.

Set the IPSec proposal quoted in security policy

Perform the following configurations in IPSec policy view.

Table 648 Configure IPSec Proposal Quoted in Security Policy

Operation	Command

Set IPSec proposal quoted in security	proposal proposal-name1
policy (applicable to IPSec software and	[proposal-name2...proposal-name6]
crypto card)

Cancel IPSec proposal quoted in security	undo proposal
policy (applicable to IPSec software and
crypto card)

By default, the security policy quotes no IPSec proposal.

When SA is created through IKE negotiation, a security policy can quote at most 6 IPSec proposals and IKE negotiation will search the completely matched IPSec proposal at both ends of the security tunnel. If IKE cannot find completely matched IPSec proposal, then it will not establish SA successfully, then the messages that require protection will be discarded.

The security policy determines its protocol, algorithm and encapsulation mode by quoting the IPSec proposal. A IPSec proposal must be established before it is quoted

Set SA lifetime

There are two types of SA lifetime (or lifecycle): time-basedand traffic-based. The SA becomes invalid on the first expiration of either type of lifetime. Before the SA becomes invalid, IKE establishes a new SA for IPSec negotiation, so a new SA is ready when the previous one becomes invalid. If the global lifetime is modified during the valid period of the current SA, the new one will be applied, not to the present SA but to the later SA negotiation.

The SA lifetime is only effective for an SA established with IKE, and the SA established manually does not involve the concept of lifetime.

If a security policy is not configured with lifetime value, when the router applies for a new SA, it sends a request to the remote end to set up a security tunnel negotiation and gets the SA lifetime of the remote end, and applies it as the new SA lifetime. If the local end has configured the SA lifetime when creating security policy, when it receives the application for security tunnel negotiation from the remote end, it will compare the lifetime proposed by the remote end with its own lifetime, and choose the smaller one as the SA lifetime.

SA is timeout based on the first expiration of the lifetime by seconds (specified by the key word time-based) or kilobytes of communication traffic (specified by the key word traffic-based).

The new SA should have completed the negotiation before the original SA times out, so that the new SA can be put into use as soon as the original SA expires. Soft timeout of SA occurs when a new SA is negotiated at the time when the existing SA lives for a certain percentage of lifetime defined by seconds (such as 90%), or when the traffic reaches a certain percentage (such as 90%) of the lifetime

Page 577

Image 577

3Com 10014299 manual Set the IPSec proposal quoted in security policy, Set SA lifetime, Proposal proposal-name1

Contents

3Com Router Configuration Guide Campus Drive 3Com CorporationMarlborough, MA 01752-3064Page VPN List conventions that are used throughout this guide This guide describes 3Com routers and how to configure themText Conventions About this Guide 3Com Router Introduction 3Com Router User Interface Page 3COM Router Introduction Following table lists the basic features of the 3Com Router Features of the 3ComList of the 3Com Router 1.x features Router Version RIP-1/RIP-2 NAT Quality of service 3Com Router New Features of the 3Com Router 1.x 3COM Router Introduction Establish ConfigurationEnvironment Port Establish a new connection Set port communication parameters Establish a remote configuration environment Connection ConfigurationEnvironment Router Workstation Ethernet Interface CLI Command Line 3COM Router User Interface Views and their prompts System view Table Ethernet 0 in any Async 0 in anyLoopback 0 in any Enter controller Full help HelpsPartial help Common error Message Causes List of common command line error messagesFor example Routerdisplay ? Features Command LineDisplay Features Three options are available for users Please perform the following commands in system view Following commandsUser Identity Management System Configure the router nameSet the system clock Execute the following commands in all views By default, the system clock is 080000 1 1Reboot the system Display the System Information Router System Management Page Softwaresoftware Storage Media and File Types Supported by the System Input Ctrl+D, and the following prompt information displays Upgrade Boot ROM Software Router Main Program Upgrade the 3ComSoftware Main Program software XModem Approach Modify the terminal baud rate Transfer File dialog box Enable the Tftp server program Preparation for using the Tftp serverTftp server application can run on Windows 95/98/NT Tftpd32 Set interface Press Enter and the following prompts will be displayed Network Interface Parameters Enter Ctrl+B and the system prompts Operation Command Downloads the 3Com Router main Download configuration files from a Tftp serverPress Enter for loading Get ip-addr file-name system Set an authentication mode for an FTP server Prepare for using the FTP server Enable FTP server Upgrade the 3Com Router Main Software with FTP Tftp Approach Back up the 3Com Router Main Program SoftwareFTP Approach Copy ip-addr file-name system Setup Users Dialog Box Update slot slot-number ftpserver host-name Configure on-line upgrading of the cardPort-number user user-name password Password Download Configuration File Configuration File ManagementPerform the following command in system view Content and Format of the Configuration File Download Config Load configuration filesRouter download config Set the binary transmission protocol to XModem/CRC Back up Configuration Files Display current-configurationcommand output backup approachUpload configuration files to a Tftp server File-name config View router configuration Please use the following commands in corresponding views Save current configuration Select and view the storage media of configuration fileSet the Flag Bit to Enter the Initial Setup Mode Erase the configuration file in storage media Configure authentication and authorization of FTP server Configure FTPClient via port 20 and transfer data Files on the router Configure Parameters of FTP Service Enter the following commands in system viewPlease enter the following commands in system view Set the authentication mode of FTP server Set the connection time limit of FTP service Set FTP update modeForce to shut down FTP process Force to shut down FTP process Display ftp-server Display FTP Server Display FTP serverServer Display detailed information of the FTP user Display local-user System Management Features of Terminal Terminal ServiceService at Console Port Overview Set the attributes of terminal service ServiceTerminal Message On one router Configure Terminal Message Service Perform the following configuration in all viewsDisplay Terminal Message Service Enable/disable receiving messages from other terminals Terminal Service Typical Example Terminal Message Service ConfigurationDumb Terminal Configure Dumb Terminal Configuration Examples Dumb Terminal ServiceConfigure Auto-execute command By default, no dumb terminal service is configured Configure the interface to dumb terminal mode Terminal Service Telnet ConnectionConfigure the auto-execute command command Router-Serial1auto-execute command telnet Service Value Terminal service features of telnet connectionEstablish Telnet Connection Enable Reverse Telnet connection Setup Reverse Telnet ConnectionService-port Establish Telnet Server or Telnet Client connection Force shut down Telnet Process Typical Configuration Example of Telnet Reverse TelnetExample of Telnet Force to shut down Telnet process Use Rlogin protocol Rlogin TerminalExample of Reverse Telnet Router telnet 10.110.164.44 Typical Rlogin Configuration Examples Establish a Rlogin connectionRlogin ip-address username Use local user name abc to log on PAD Remote Access ServiceCommunicate with other terminals through the X.25 network Configure X.25 PAD remote user Configure X.25 PAD remote userService-type type password Local-user user-name Enable AAA authentication for X.25 remote PAD users Start AAA authentication of X.25 remote usersEstablish an X.25 PAD call Establish a X.25 PAD call III. Configuration Procedure II. Networking DiagramDisplay and Debug Set the Response Time to the Invite Clear Message Set its X.121 address as Fault Diagnosis TroubleshootingRouterA-serial0x25 x121-address RouterB-serial0x25 x121-address Development of Snmp Snmp Overview Configuring Network Management SNMP-supported MIB Snmp architecture 3Com Router-supported MIB By default, the system disables Snmp serviceEngineid Configure Snmp version and related tasks Perform the following configurations in system view Configure the traps to be sent by the router Configure information of router administratorV1 username Interface-number Display and debug Snmp Perform the following commands in all viewsName Byte-count Set the community name and access authority Example 1 Configure Network Management of SNMPv1Configure an IP address for the Ethernet interface ethernet Examples Networking Requirements Rmon Overview Configure an IP address for the Ethernet interface ethernetNetwork equipment Schematic diagram of Rmon application Examples Networking Requirement Enable Rmon statistics RouterA-Ethernet0 rmon promiscuous Commands to display information of the whole system Test Tool of Network Connection Ping command System displays Ping supporting IP protocolPing supporting IPX protocol Ip-address Tracert command Following command can be executed in any command modesTimeout host MaxTTL -p port -q nqueries Log Function Configure on the router Set the direction of syslog outputting log information Perform the following task in system view Set Severity of Log InformationSylog-defined severity is as follows Set Filter of Log Information Turn on/turn off syslog Configuration of Log HostDisplay and Debug Syslog Turn on/turn off syslog Turn on debugging switch of PPP module Syslog Configuration ExampleRouterinfo-center enable Routerdebug ppp all Display and Debugging Tools Dial-up POS Access POS Terminal Access Service Advantages of POS network access are as follows POS Network Access Configure POS access port POS Access Service ConfigurationStart POS server Interface-type interface-number Configure a POS applicationApp-number Ip-address port-number Default app-number Configure POS multi-application mapping tableBind the source address of TCP connection Display and debug POS access Display and Debug POS AccessSet the parameters of FCM used during Modem negotiation Set the parameters of FCM used during Modem negotiation Configure the Ethernet interface Ethernet Typical Configuration Example of POS Access ServiceConfigure the POS access interface FCM0 Configure POS access interface FCM1 Configure POS access interface FCM0 Configure POS access interface FCM2III. Configuration Procedure 1 Start the POS access server Configure Async 1 to operate in POS application mode Configure Async 0 to operate in POS application modeIII. Configuration Procedures Configure Router a Start the POS access server RouterA ip route-static 10.1.1.2 255.255.255.0 serial Configure Router B Configure the Ethernet interface Ethernet III Interface 106 Interface Configure InterfaceEnter the Interface View Interface view, input quit to return to the system view Exit the Interface ViewSet time interval for flow control statistics Interface-description Display and Debug Interface Please use the following commands in all viewsDisplay and debug interface Interface state information Interface Configuration Overview Ethernet Interface Configure Ethernet Interface Set IP address Enter view of specified Ethernet interfaceSet IPX address Set frame format of sending message Enable or disable internal loopback and external loopback Select work mode of Ethernet interfaceDisplay and Debug Select working rate of fast Ethernet interface Troubleshooting Typical Ethernet Interface Configuration ExampleII. Network Diagram Troubleshooting Configuring LAN Interface Introduction WAN InterfaceAsynchronous Serial Interface Interface async number Enter view of specified asynchronous interfaceInterface serial number Set the baud rate of asynchronous serial interface Set the work mode of asynchronous serial interfaceModem in out Link-protocol slip ppp Flow-control none software Async Mode protocolHardware inbound outbound Parity even mark none Works in flow modeOdd space Stopbits 1 1.5 AUX Interface BackupSet MTU of asynchronous serial interface Set the coding format of Modem Configure AUX interface Configure AUX interfaceConfigure Synchronous Serial Interface Synchronous Serial Interface Set the link layer protocol of synchronous serial interface Enter view of specified synchronous interfacePhysical-mode sync Link-protocol fr hdlc Working modes have different working clocks Select work clockSet the baud rate of synchronous serial interface Synchronous serial interface is 64000 bps Select work clock Inversion is disabled by defaultSet clock inversion Detect dcd Internal loopback/external loopback are disabled by defaultUndo detect dcd Reverse-rts Idle coding of synchronous serial interface is 7E Isdn BRI InterfaceTechnical Background Graphics and video Be clear about the following items before the configuration Preparations before ConfigurationFunction group includes CE1/PRI Interface Channelized operating modeNetwork protocols such as IP and IPX Interface or a PRI interface Dial-on-Demand Routing Configure CE1/PRI CE1/PRI interface configuration includesInterface Enter the view for a specified interface Bind the interface to be channel sets Enter the synchronous serial interface viewNumber set-number Enter the Isdn interface view Bind the interface to be a pri setPri-set timeslot-list range Undo pri-set Set the line code format on the CE1/PRI interface Enable/disable the internal loopback/external loopbackSet the line clock of the CE1/PRI interface Set the frame format of CE1/PRI interface CT1/PRI Interface Configure CT1/PRI Controller t1 number Operation Command Enter the view of CT1/PRI interfaceTimeslot-list range speed Interface serial number23 Set the line clock of the CT1/PRI interface Set the line code format on the CT1/PRI interfaceSet the frame format of CT1/PRI interface E1-F interface does not support PRI operating mode Choice for E1 accessE1-F Interface Them into multiple channel sets Enter the view of an E1-F interface Set Operating mode for an E1-F interfaceInterface serial serial-number Fe1 unframed Set line code format for E1-F interfaces Set interface rate after binding operationSet line clock for an E1-F interface Set frame format for an E1-F interface Enable/Disable local/remote loopback on an E1-F interfaceDisplay and debug E1-F interface Serial-number T1-F interface does not support PRI operating mode Choice for T1 accessT1-F Interface 193 X 8k = 1544kbps Set line code format for T1-F interface Set line clock for a T1-F interface Enable/Disable local/remote loopback on a T1-F interfaceSet frame format of T1-F interface CE3 Interface Other related informationDisplay and Debug T1-F Display and debug T1-F interface Enter the view of the specified E3 interface Set the operating mode of E1 channel Set the operating mode of CE3 interfaceSet E1 frame format CT3 Interface Mode non-channelized mode44.736Mbps Data bandwidth 44736kbps Set clock mode of the T1 channel Set clock mode of the CT3 interfaceEnter specified CT3 interface view Set cable length of the CT3 interface By default, the CT3 interface uses the C-bit frame format By default, loopback is disabled Set Frame FormatPerform the following configurations in CT3 interface view Set CRC of the serial interface Set the operating mode of T1 channelT1 line-number unframed Display and debug of the CT3 interface Disable and Enable CT3 interface Configuring WAN Interface Dialer Interface Logical Interface Null Interface Configure Loopback Sub-Interface Create and delete WAN sub-interface Configure sub-interfaces of Ethernet interfaceNumber.sub-number Number.sub-number multipoint Select frame relay link layer protocol Enter the view of WAN interface Serial0 of router aRouterinterface serial Specify DTE as its frame relay terminal type Configure the static route from router a to LAN2 and LAN3Set its IP address to 202.38.160.1 and address mask to Allocate a virtual circuit with Dlci 50 to it Create or delete virtual-template Set work parameters of virtual-templateInterface virtual-template Undo interface Troubleshooting the reasons may be as follows Fault 1 Fail to create virtual interfaceDisplay state of the specified virtual-template Virtual-template-number Link Layer Protocol 164 PPP Overview PPP Authentication Mode Configuring PPP and MP MP Overview Configure PPPFor detailed description of PPP, refer to RFC1661 Transmission time of large packets Configure the local authenticates the peer in PAP mode Configure the link layer protocol of the interface to PPPConfigure the peer authenticates the local in PAP mode Name-list Configure as the peer authenticates the local in Chap mode Configure the local authenticates the peer in Chap modeCipher password User username Configure the time interval of PPP negotiation timeout Configure AAA authentication and accounting of PPPConfigure PPP compression Configure PPP link quality monitoring Perform the following configuration in interface viewPpp lqc forbidden-percentage Resumptive-percentage Configure Operating Parameters of Virtual Template Configure MP Protocol Parameters Create Virtual TemplateCreate/Delete virtual template Bind the physical Interface to a Virtual Template User-name Specify the conditions for MP binding Frags Configure virtual Baud rate on interface Configuration Requirement Typical PPP Configuration ExampleExample II. Configuration Procedure Typical MP Configuration ExampleConfigure to start Chap authentication at this side Set local username as Router1 Configure router-b Add a user for router-a Configure virtual interface templateConfigure router-c Add a user for router-a Fault 1 Link always fails to turn to up status Fault Diagnosis TroubleshootingFault 2 Physical link fails to turn to Up status Indicates that the interface is shutdown Introduction to PPPoE client PPoE Overview Client Configure PPPoE Reset or delete PPPoE session Configure PPPoE session Perform the display and debugging command in all views Typical PPPoE Configuration ExampleAccess a LAN to the Internet via Adsl III. Configuration Procedure 1 Configure a dialer interface Configure the LAN interface and the default route Configure a PPPoE sessionConfigure the DDN interface Serial Use Adsl as Standby Line Configuring Pppoe Client Asynchronous mode Configure SlipSlip Overview For further details about SLIP, you can refer to RFC1055 Typical Slip Enable/Disable the information debugging of SlipTime Interconnect two Router routers via Pstn and run IP Configure IP address of synchronous/asynchronous interface Configure Router a Configure Dialer RuleConfigure the Dialer String to router B Configure the default route to Route B Routerip route-static 0.0.0.0 0.0.0.0 Isdn Overview Configure Isdn Configure type of signaling on Isdn interface By default, DSS1 signaling is used on Isdn PRI interfacesConfigure the length of call reference Configure the receiving mode Configure interval for Qsig signaling timer Configure the sending modeTimer-name all Time-interval Perform the following configuration in Isdn interface view Configure Call Processing Method on an InterfacePerform the display and debugging commands in all views Configure Router a Create an Isdn PRI interface Typical Configuration ExampleConfigure the Isdn PRI interface RouterB transmit data after the call is set up Configure Router B Configure Router a Protocols Overview Lapb PSN 25 packet and Lapb frame By default, the Lapb modulus is Modulo Configure LapbBy default, k is Configure Lapb N1, N2 Configure Set/Cancel the X.121 address of the interface Configure X.25 InterfaceSet X.25 working mode Address Parameter Meaning 25 channel delimitation parameters Set/cancel X.25 virtual circuit range By default, X.25 interface use modulo 8 modeSet/Cancel X.25 packet numbering modulo Finally, the following should be noted Configure X.25 Interface Supplementary Parameter Configure X.25 flow control parameterSet the default flow control parameter Out-packets Set X.25 layer 3 timer delay 25 layer 3 timer Alias match modes and meanings Specify/Cancel an alias for the interfaceAlias-string Match-type alias-string Set/Cancel the default upper layer protocol borne on Create the permanent virtual circuit PVC Configure X.25 Datagram TransmissionProtocol-address x121-address Address option Create/Delete permanent virtual circuit Configure Additional Parameters Datagram TransmissionX25 pvc pvc-number protocol Undo x25 pvc pvc-number Interface view, perform the following task Configure X.25 user facility Specify/Cancel packet pre-acknowledgement Serial port view, list1 can be quoted Configure the sending queue length of virtual circuit Set interface with standby center Set broadcast viaAddress broadcast Address logic-channel Configure X.25 sub-Interface Switching FunctionConfigure X.25 Switching Number.subinterface-number multipoi Add or delete a PVC route Configure X.25 Load BalancingIntroduction to X.25 Load Balancing Configure X.25 Diagram of X.25 network load balancing List of Configuration Tasks of X.25 Load Balancing Create/Delete X.25 hunt group Start /Close X.25 switching functionAdd/Delete interfaces or XOT Tunnels in hunt group Add/delete other X.25 switching routes Configure X.25 over Other ProtocolsConfigure X.25 over TCP XOT Introduction to XOT Protocol Configure XOT Configure local switching Start X.25 switchingConfigure SVC XOT switching For PVC, perform the following tasks in interface view Configure PVC XOT switching Configure Annex G Data InteroperationConfigure X.25 over Frame Relay Annex G Configure Keepalive and xot-source attributes Configure the X.25 attributes for an Annex G Dlci Configure the X.25 Attributes for a Dlci By default, X.25 template is not applied on DLCIs Typical Lapb Configuration ExampleCurrent status of Lapb Specify IP address for this interface Configure Router a a Select interface Configure Router B Select interfaceSpecify X.121 address of this interface Connect the Router to X.25 Public Packet Network Specify address mapping to the peer Configure Router B Configure interface IP address Configure Router a Configure interface IP addressConfigure Router C Configure interface IP address Disabled Configure Virtual Circuit I. Networking RequirementRange Transmit IP Datagram via X.25 PVC Router-Ethernet0ip address 196.25.231.1 Typical Sub-Interface Configuration Example Configure Router D Configure Router CCreate sub-interface serial SVC Application of XOT I. Networking Requirement Configure Serial Configure Router C Start X.25 switchingRouterx25 switch svc 2 interface serial Routerx25 switch svc 1 xot Application of X.25 Load Balancing Configure X.25 switching route to forward to X.25 terminal Enable X.25 switching in system viewS11 Add Serial 1, Serial 2 and XOT Tunnel to hunt group Routerx25 switch svc 8888 interface serial Routerx25 switch svc 1111 xotLoad Balancing Carrying IP Data Transmission Routerinterface serial Router-Serial0link-protocol x25 dce Configure interface Serial Configure RouterA Configure interface EthernetConfigure static route to RouterC Configure RouterB Configure interface Ethernet Configure RouterA Create an X.25 template Configure the static route to RouterA and RouterBConfigure the local X.25 address Configure an IP address for the local interface Map the Frame Relay address to the destination IP address Configure RouterB Create an X.25 templateAssociates an X.25 template with the Dlci SVC Application of X.25 over Frame Relay Enable switching on Frame Relay DCE Configure the router Router B Enable X.25 switchingConfigure Serial 0 as the X.25 interface Configure Serial 1 as the Frame Relay interface Configure the router Router C Enable X.25 switching Configure X.25 over Frame Relay switchingConfigure the Frame Relay Annex G Dlci Configure local X.25 switching.Router-fr-dlci-100annexg dte Configure Router B Enable X.25 switching Configure Router D Configure the basic X.25 parametersConfigure an X.25 template Configure S1 as the Frame Relay interface Lapb Configure Serial Configure S1 as the Frame Relay interface Facility options inhibited by network have been carried Fault Diagnosis and Troubleshooting of X.25 Configuring Lapb Configuring Frame Relay Link-protocol fr ietf By default, the interfaces link layer protocol is PPPRelay Nonstandard Configure Frame Relay LMI protocol type Configure Frame Relay interface type Undo fr lmi-n391dte Fr lmi n391dte n391-valueFr lmi n392dce n392-value Undo fr lmi n392dce Fr lmi t391dte t391-value Undo fr lmi n393dceUndo fr lmi t391dte Fr lmi t392dce t392-value Configure Frame Relay dynamic address mapping Configure Frame Relay static address mapping Create Frame Relay sub-interface Configure Frame Relay local virtual circuit numberFr dlci Undo fr Applying dynamic address mapping to the sub-interface Configure virtual circuit of Frame Relay sub-interfaceEstablish static address mapping Configure the route for Frame Relay PVC switching Configure the Frame Relay local virtual circuit numberConfigure Frame Relay local switched PVC number Configure the Frame Relay switched PVC Overview Configure Multilink Frame Relay FRF.16 Configure a MFR bundle interface MFR interface Configure MFRConfigure MFR interface parameter Subnumber Configure the parameters of the bundle link interface Frame Relay Compression Configuration Configure Frame Relay Fragment FRF.12 By default, interfaces use initiative compressionConfigure Frame Relay Fragment Attributes Configure Frame Relay Compression on multipoint interface Frame Relay Traffic Shaping Disable the Frame Relay traffic shapingFr traffic-shaping Undo Fr traffic-shaping Rate Frame Relay Traffic Policing Frame Relay Queueing Management 100 Kbps CI R ALLOWº£ 64 Kbps 150 Kbps Frame Relay DE rule list Frame Relay Congestion Management Configure the Frame Relay class parameters By default, no Frame Relay class is createdConfigure Frame Relay Traffic Shaping Undo fr-class class-name Configure the parameters of Frame Relay class Enable/Disable the Frame Relay traffic shaping Enable/Disable the Frame Relay traffic policing Dequeue-percentage Queue-percentage Configure Frame Relay Queueing Management Configure Frame Relay DE Rule ListConfigure the Frame Relay PVC queueing Configure Pipq Configure Frame Relay over IP Configure Frame Relay over Other ProtocolsConfigure a tunnel interface Configure Frame Relay switching Networking of a typical Frame Relay over Isdn application Frame Relay over Isdn Operation Process and Fundamentals Physical Connection Between Frame Relay over Isdn Devices Frame Relay switching connection between DTE devicesBack-to-back connection between DTE and DCE devices Configure the Frame Relay-related commands Configure Frame Relay over Isdn Configure the link layer protocol of the interface Configure the commands related to Frame Relay switchingDlci Display and debug Frame Relay Configure parameters related to dialer profilesDisplay and Debug Frame Relay Isdnsubaddress Number interface serial Number dlci dlci-numberType number dlci Mfr number Configure static address mapping Typical Frame Relay Configuration ExampleInterconnect LANs via Frame Relay Network Router-Serial1fr map ip 202.38.163.251 dlci Relay FRF.16 Configure local virtual circuitInterconnect LANs via Private Line Router-Serial1ip address 202.38.163.253 Bundle Serial 0 and Serial 1 to mfr Create a MFR interfaceExample FRF.9 Them III. Configuration Procedure 1 Configure RouterA III. Configuration Procedure 1 Configure Router aFRF.12 Fragment between them Routerfr class 96k IP ConfigurationRouter-fr-class-96ktraffic-shaping adaptation becn Typical Frame Relay over Configure tunnel interface Configure IP interface Ethernet0Configure Frame Relay over IP Router-Serial0fr interface-type dce Router-Bri0fr map ip 110.0.0.2 dlci Configure the Frame Relay parameters on Bri0Router-Dialer0dialer number Router-Dialer0dialer call-in Router-Dialer0fr interface-type dce Configure the Frame Relay-related parameters on Bri0 Router-Serial1.1ip address 130.0.0.2 Configure Frame Relay SVCs Fault 1 the physical layer in Down status Fault Diagnosis Troubleshooting Frame RelayFault 4 Frame Relay data cannot be transmitted across Isdn Configuring Frame Relay Configure Hdlc Display and Debug Hdlc Configure HdlcBy default, the link layer protocol of the interface is PPP Configure the link layer protocol of the interface to Hdlc Debugging Hdlc Packet Interface Enable Hdlc packet debugging Typical Bridge Configuration Configure Bridge’s Routing FunctionBridge Overview Bridge Overview Main Functions of Bridging Obtain address table Bridge Overview Final bridging address table Forward and Filter Filter not forward Eliminating loop Preliminary examination state of bridging loops Spanning Tree Topology Spanning tree topology Bpdu Forwarding Mechanism By default, disable bridging functions Configure Bridge’s Routing FunctionEnable/Disable bridging functions Bridge enable Specify the STP version supported by the bridge-set Configure static address table entriesAdd ports to a bridge-set Mac-address Configure the aging time of dynamic address table Enable/Disable forwarding by using dynamic address tableDisable/Enable STP on ports Configure the path cost of bridge port Configure the bridge priorityConfigure the bridge port priority Configure the forward delay for the port status transition Configure the interval for sending BPDUs Create ACLs based on varied Ethernet encapsulation formats Configure the Max age of Bpdu Acl acl-number Configure a bridge-template interface Enable/Disable bridge’s routingBridge-set Share load by source MAC address Define a link-setLink-set Bridgebridge-set link-set link-set Map the bridge address to Dlci Configuration on the interfaceDefine a dialer list Display and Debug Bridge Typical Bridge ConfigurationDisplay and debug bridge Transparent Bridging Multiple LANs Configure Router B Configure Router aRouter-Serial0bridge-set 1 stp disable Transparent bridge over the Frame Relay Transparent Bridging over Frame Relay Router-Serial1dialer route bridge broadcast Standby Asynchronous Dial-inConnected are failed Please refer to Figure Networking of bridge-template interface Bridge-Template interface Networking for bridging on sub-interfaces Bridging on Sub-Interfaces Routerbridge enable Routerbridge 1 stp ieee Link-Set Configuration I. Networking RequirementsRouter-Serial1bridge-set 1 link-set Network Protocol 316 Configuring IP Address Network IP network range Description Class IP address classes and ranges Sub-net classification of IP address By default, the interface has no master IP address Configure IP Address Configure IP Address for an InterfaceConfigure master IP address of an interface Ip address ip-address mask Ip address ip-address mask Mask-length sub Configure slave IP address of an interfaceDelete slave IP address of an interface Undo ip address ip-address Configure IP Address Unnumbered for an Interface By default, the interface has no negotiating IP addressIntroduction to IP address unnumbered Set negotiable attribute of IP address for an interface Configure routing to Ethernet segment of Shenzhen router R1 Configuration Example I. Configuration RequirementsConfigure IP address unnumbered Borrow IP address of Ethernet interface Borrow IP address of Ethernet Configure router R1 of Shenzhen subsidiaryRouter-Ethernet0ip address 172.16.20.1 Router ip route-static 0.0.0.0 0.0.0.0Page Configuring IP Address Arp static ip-address Define a static ARP mappingUndo arp static ip-address Arp dynamic ip-address Name Resolution Configure DomainName Resolution Display and Debug ARP Display and Debug domain name resolution Display and Debug Domain Name ResolutionDisplay ip host Specify the Vlan on which Ethernet subinterface is located Create Ethernet subinterfaceInterface-number.subinterface-number Vlan-type dot1q vid vlan-id Typical Vlan Configuration Example Configure IP address of Ethernet subinterfaceDisplay and Debug Display and Debug Vlan Display vlan Configure Vlan information of LAN Switch Configure IP address for the subinterfaceTroubleshooting The steps below can be taken Router-Ethernet0.1ip address 3.3.3.8 Fault Ping Two PCs, but fails to ping them through Dhcp Server ConfigurationDhcp vs Bootp Background of the Dhcp development Following figure Occasions in which Dhcp server is appliedDhcp server Dhcp clients Dhcp client logs into the network again Dhcp Server Configuration Dhcp Enable Enable/disable the Dhcp serviceUndo Dhcp enable Dhcp server ip-pool pool-name Netmask Configure the statically binding IP address and MAC addressNetwork ip-address Low-ipaddress high -ipaddress Low-ipaddress high-ipaddress Configure the gateway router address of client By default, the IP address of DNS is not configuredConfigure the domain names of Dhcp clients Configure the DNS addresses in a Dhcp address pool Set the type of NetBIOS node for Dhcp client Set the type of NetBIOS node for Dhcp clientNbns-list ip-address1 Ip-address2 ... ip-address8 Configure Dhcp self-defined options Use reset, debugging and display command in All viewsDisplay and Debug Dhcp Server Display and Debug Dhcp servers Router dhcp enable III. Configuration Procedures 1 Enable the Dhcp serviceRouter dhcp server forbidden-ip Router-dhcp2nbns-list Router-dhcp2gateway-list At the client, use ipconfig /releaseall Operation Command Configure interface relay address Configure interface relay addressIp relay-address ip-address Delete interface relay address Dhcp Relay Dhcp Relay Configuration RequirementIP address from Dhcp server through application Available on Dhcp server Networking diagram of an Dhcp relay configuration example Configure Dhcp relay router Fault 2 fail to forward transparent transmission protocol Under which condition should the address be translated Private Network Address and Public Network Address Role the Network Address Translation NAT plays Characteristic of Network Address Translation NATMechanism of Network Address Translation NAT Performance of Network Address Translation NAT Configure address poolEnd-addr pool-name Pool-name Address-group pool-name Nat outbound acl-numberUndo nat outbound acl-number Undo nat outbound Configure the Timeout of address translation Configure the Internal ServerNat server global global-addr global-port Www inside inside-addr inside-port any Display and Debug NAT Display and debug NAT Typical NAT Configuration Example Allow address translation of segment at 10.110.10.0/24 Configure address pool and access listSet internal FTP server Set internal WWW server Configure dial-up property for the interface Configure address access control list and dialer-listConfigure a default route to serial Correlate the address translation list and the interface Fault 2 Internal server abnormal Configuring IP Application To configure IP performance, carry out the following steps Configure IPConfigure maximum transmission unit on an interface Performance Configure TCP Tcp window size Forwarding Configure Fast Display and Debug IP Perform the following configuration in system viewForwarding Display and Debug Fast Display and Debug fast forwarding Router info-center enable Router debugging tcp packet Troubleshooting IP Performance ConfigurationRouter info-center enable Router debugging tcp event Configuring IP Count Enable/Disable IP Count service IP Count ConfigurationIp count enable Undo ip count enable Configure IP Count list Configure IP Count on an interfaceSpecify count maximum of exterior Count By default, IP Count entries time out after 720 minutesSpecify count maximum of interior Display and debug IP Count Not been configured on the interface of the router IV. Test ProcedureInformation is displayed Configuring IP Count IPX address Configuring IPX SAP Modify length of service information reserve queue Configure IPXConfigure relative parameters of IPX SAP Its first Ethernet interface as its node address Configure IPX RIP static route Enable IPX interfaceEnable/Disable a Default Route Perform the following task in interface view Configure RIP aging period Configure RIP updating periodConfigure the maximum size of RIP update packet Configure the maximum number of IPX parallel route Configure static service information table item Configure length of route reserve queue Configure size of SAP maximum updated message Configure SAP aging periodConfigure reply to SAP GNS request Ipx sap timer update seconds Disable split-horizon Configure Using touch-off for an interface Configure management of IPX packet Configure the delay of interface sending IPX packetsModify Encapsulation Format of IPX Frame on Interface Encapsulation format of IPX frame Display and Debug IPX Display and Debug IPX Configure Router a a Activate IPX Configure a static route to network ID Configure an address map to Router BConfigure an information about Server2 file service Configure an information about Server2 directory service Configure an information about Server1 directory service DLSw Protocol Create DLSw local peer entity Configuration of DLSwInit-window-size max-frame Max-frame-size max-window Create DLSw remote end peer entity Configure Bridge set connecting to DLSw Configure Sdlc role Configure to add ethernet port to Bridge set Configure Sdlc address Configure Sdlc virtual MAC addressSdlc-address Controller sdlc-address Configure XID of Sdlc Configure Sdlc peer entityAdd synchronous Interface to Bridge set Configure baud rate of synchronous Interface Configure to stop running DLSwBaudrate Configure parameters of DLSw timer Configure Idle time encoding mode of synchronous InterfaceConfigure LLC2 local acknowledgement delay time Mseconds Configure modulo value of LLC2 Configure LLC2 premature acknowledgement window Configure LLC2 local acknowledgement time Configure retransmission number of LLC2Configure Busy status time of LLC2 Configure P/F wait time of LLC2 Configure queue length of sending message of LLC2 Configure REJ status time of LLC2Configure Queue Length of Sending Message of Sdlc Configure Sdlc local acknowledgement window Configure retransmission number of Sdlc Configure maximum receivable frame length of SdlcConfigure poll time interval of Sdlc Configure data bi-directional transmission mode of Sdlc Configure SAP address for transforming Sdlc to LLC2Lsap Dsap DLSw Configuration Networking Requirement Typical DLSw Configuration ExampleDLSw IP across WAN Router B Configuration Router a ConfigurationDLSw Configuration Router dlsw local Networking diagram of DLSw configuration of SDLC-SDLC Networking Diagram of SDLC-LAN When using command display dlsw remote DLSw FaultDiagnosis Virtual circuit cant attain Connected state Diagnosis and Troubleshooting of DLSw Fault Configuring Dlsw VI Routing 404 IP Routing Protocol IP Routing Protocol Routing Protocol or Type Corresponding Routing Priority Routing Protocol and Routing Priority Ospf ASE Default Route Configuring Static Routes Configuring a Static Route Configuring a Static RouteConfigure a Static Route Transmitting interface or next hop address Displaying Debugging Routing Table Configuring a Default RoutePreference Other parameters Static Route Troubleshooting aOther RIP Overview Features is not subject to whether RIP has been enabled Configure RIP Enabling RIP Enable RIP at the Specified Network Define a Neighboring Router By default, the interface runs RIP-1Specify RIP Version Peer ip-address Configure Check Zero Field of RIP Version RIP Version 1 enables zero field check by defaultDisable a Host Route Specify the Status of an Interface Enabling Route Authentication onSummarization for RIP Version Configure RIP Horizontal Segmentation on the Interface By default, the default route metric for RIP isConfigure Route Import for RIP Specify a Default Route Metric Value for RIP Distribution for RIP Configure filtering route information received by RIPSpecify Additional Route Metric Value for RIP Set Route Preference Displaying and Debugging RIP Reset RIPFilter the Routing Information Being Advertised by RIP Display and Debug RIP RIP Unicast Ospf Overview Ospf Configuration ExampleOspf Overview Displaying and Debugging Ospf Configuring Ospf Specify Router ID Enable OspfRouter id router-id Undo router id Area-id By default, Ospf is disabledArea area-id Configure Sending Packet Cost Configure the Network Type of the Ospf InterfaceOspf network-type broadcast nbma P2mp P2p Cost Configuring a Peer for the Nbma Interface Specify the Router Priority Operation Command Set the priority of the interface whenOspf Dr-priority value Undo Ospf dr-priority Specify Dead Interval Specify Hello Intervall Specify Transmit-delay Configuring a Stubby Area and a TotallySpecify Retransmitting Interval Configure Totally Stubby Area of Ospf Perform the following configuration under Ospf viewStub cost cost area area-id No-summary Configure an Nssa Area of Ospf Perform the following configuration in Ospf view Abr-summary address mask mask area Configure Route Summarization Within Ospf DomainArea-id advertise notadvertise Undo abr-summary address mask mask Area-id None Router-id None Create and Configuring a Virtual Link Key-id Configure Authentication Configure Parameters When Importing External Routes Configure Route Import for Ospf Displaying Configure filtering route information received by OspfDebugging Ospf Filter for Ospf Configuring Ospf on the Point-to-Multipoint Network Ospf Configuration ExampleRouter D 201 Router B 301 302 Router C 1.3 RouterC ospf enable Enable OspfRouterA-Serial0ospf network-type p2mp RouterB-Serial0ospf network-type p2mp Configure DR on Ospf Preference E0 192.1.1.4/24 1.1 4.4 E0 192.1.1.1/24E0 192.1.1.2/24 E0 10.1.2.3/24 2.2 3.3 RouterD display ospf peer RouterA display ospf peer Between Router B and Router C To configure an Ospf virtual link Configure Router aRouterB-ospfVlink peer-id 3.3.3.3 transit-area To configure Ospf peer authentication Configure Router a Ospf Configuration Troubleshooting anNormally Ospf Configuration Example Configuring Ospf BGP Overview BGP Configuration ExampleBGP Overview Displaying and Debugging BGP Configuring BGP Perform the following configurations in system view Resetting BGP Connections Enabling BGPBy default, BGP is disabled Perform the following configurations in BGP view Set the Timers for BGP Peer Configure the BGP Version of the PeerConfigure BGP Route-update Interval Configure to Send Community Attribute to the Peer Configure to distribute default route to the peerConfigure the Peer to be the Client of the Route Reflector Configure to Distribute Default Router to the Peer Configure the BGP MED Metric Create a Fltering Policy Based on Access List for the PeerCreate a BGP Route Filtering Based on AS Path for the Peer Allow Comparing Path MED Configure the Keepalive Timer and Holdtime Tmer for BGP Configure the Local PreferenceTimers keepalive-interval Holdtime-interval Add a Peer to the BGP Peer Group By default, there is no BGP peer in a peer groupPeer group-name Group-name Configure Connection Between Peers Indirectly Connected Configure AS Number of BGP Peer GroupSet the Timers of BGP Peer Group Configure BGP Routing Update Sending Interval Configure to Send the Default Route to the Peer Group Configure to send the default route to the peer groupCreate Routing Policy for Peer Group Configure BGP Version of Peer Group By default, software accepts BGP VersionCreate an Aggregate Addresses Aggregate address mask By default, an aggregate is disabledAs-set Undo aggregate address Clients within the reflection group Reflect between-clientsUndo reflect between-clients Configure BGP Community Configure the Cluster IDStandard-community-list-number Extended-community-list-number Configure the Sub-system of E Confederation Configure a ConfederationAs-number … Schematic diagram of route dampening Display Route Flap Information Is insured When AS is not a transitional AS Configuring By default, BGP synchronizes with IGPConfigure Route Import for BGP Still exists Entry, an AS Path-list Define an access list entryDefine an AS Path-list entry Define a routing policy Define a match rule Perform the following configurations in Routing policy viewDefine an apply clause Filter for BGP Debugging BGP Reset BGP ConnectionsFilter Routing Information Being Advertised by BGP Display and Debug BGP Procedure for each configuration BGP ConfigurationAs-regular-expression acl Acl-number network-address Networking diagram of configuring AS confederation RouterA-bgppeer 192.1.1.2 as-number Configure Router B Configure BGP peersRouterB-Serial1ip address 193.1.1.2 RouterC-ospfinterface serial Configure Router D Configure BGP peers Start BGP Configure peerSpecify BGP transmission network RouterA-acl-1rule permit source 1.0.0.0 RouterC-bgppeer 193.1.1.1 route-policy localpref import RouterC-acl-1rule permit source 1.0.0.0 RouterD-ospf network 4.0.0.0 0.0.0.255 area 0 RouterD bgp Configuring BGP IP Routing Policy Configuring IP Routing Policy Operation Command Define a routing policy and enter into Configure IP RoutingPolicy Define a Routing Policy Configure a Matching Rules Apply community aa nn Define a Setting ClauseNo-export addtive none Apply tag tag-value Route-policy route-policy-name Configure Route ImportTag tag-value type 1 Ip ip-prefix prefix-list-name Define an IP Prefix ListGe-value less-equal le-value Debugging IP Routing Policy Perform the following configurations in all viewsOSPF-ASE external route discovered by Ospf protocol BGP route discovered by BGP protocol With different weighting values Configuring IPRouting Policy Protocol Route Information Configure RIP protocol Troubleshooting IPNormal operation Routerip ip-prefix p1 permit 192.1.1.0/24 Configuring IP Routing Policy IP Policy Routing Configuring IP PolicyRouting Define Match Rules Create a Routing PolicyDefine Apply Clause Enable/Disable Interface Policy Routing By default, interface policy routing is disabledDisplaying Debugging IP Policy Routing Interface Policy Routing Define access list Suggested procedure for each configurationRouter-acl-101rule deny tcp source any destination any Router-acl-102rule permit tcp source any destination any Router-Ethernet0ip policy route-policy aaa Adopt policy aaa in Ethernet interfaceRouterA-Ethernet0ip policy route-policy lab1 RouterB-ripnetwork RouterAdebugging ip policy-routing Chapter Configuring Igmp Configuring PIM-DM Configuring PIM-SMIP Multicast 498 IP Multicast List for Reserved Multicast Addresses Range and Meaning of Class D AddressesClass D address range Meaning IP Multicast Routing Protocols IP Multicast IP Multicast IP Multicast PacketApplication IP Multicast Igmp Configuration Example Configuring IgmpIgmp Overview Igmp Overview Configuring Igmp Configure the Igmp Version Number Run at Router Interface Make the following configuration in interface viewConfigure Igmp Maximum Query Response Time Debugging command in system view to debug Igmp Igmp ConfigurationDisplaying and Debugging Igmp Interfaces are all fast Ethernet FE Router a Router B Configuring Igmp Configuring PIM-DM By default, the system disables the multicast routing Make the following configuration in the system viewEnable Multicast Routing Operation Command Enable multicast routing Displaying and Debugging PIM-DM Start/Disable PIM-DM ProtocolDisplay and Debug PIM-DM Group-address source-address Enable multicast routing protocol PIM-DM ConfigurationEnable PIM-DM protocol Receiver 2 are the two receivers of this multicast group PIM-SM Overview Enabling Multicast Routing PIM-SM Configuration Enable/Disable PIM-SM Protocol By default, the interface disables PIM-SM protocolConfigure Candidate BSR Configure Candidate RP By default, no PIM-SM domain boundary is configured By default, no interface is configured to be candidate RPConfigure PIM-SM Domain Boundary Debugging PIM-SM Use the pim command in system view to enter PIM view Configure Router B Enable PIM-SM protocol Configure Router a Enable PIM-SM protocolRouterA multicast routing-enable RouterA interface ethernet RouterA-pimspt-switch-threshold 10 accept-policy Follow these steps Display pim neighbor command can be used to check whetherNeighbors have discovered each other RouterB-acl-5rule permit source 225.0.0.0 Configuring PIM-SM Viii Security 524 Configuring Terminal Terminal AccessAccess Security Configuring a User Configure EXECLogin Authentication Configure Radius server and the shared secret Enable AAAConfigure the authentication method list of Exec users Configuring Terminal Access Security Radius Overview AAA Overview Components of Radius server Basic message interaction process of Radius Type of Packets Decided by Code Field Request Authenticator Adopts 16-byte random codeCode Packet type Explanation of the packet Attribute Fields AAA Enable/Disable AAA By default, AAA is disabledConfigure AAA Login Authentication Server-template-name method1 Configure PPP Authentication Method List of AAA Configuring an Authentication Method List for PPP UsersDefault methods-list method1 Default methods-list Configure AAA Local-First Authentication By default no address pool is defined by the systemConfigure AAA Accounting Option Configure Local IP Address Pool Configure a User and Password By default pool-number isConfigure Callback User Configure Ordinary User and Password Configure FTP User and the Usable Directory Configure User with Caller NumberConfigure Callback User and the Callback Number Configure User with Caller Number Configure FTP User and the Usable Directory Authorize a User with Usable Service TypesConfigure Authorizing a User with Usable Service Types Directory By default, no key is configured for the Radius server Configure Radius Server Shared SecretConfigure Radius Server Shared Secret Radius server hostname ip-address Configure the Time Interval for the Inquiry Packet Configure the Request Retransmission Times Authentication Case Accessing UserDisplaying Debugging AAA AAA and Radius Configure local-first authentication Configure IP address and port of Radius serverRouter aaa authentication-scheme local-first Routerradius server Radius Troubleshooting AAA Connected user cannot be seen in display aaa user Users Radius authentication is always rejectedCan Configuring AAA and Radius Protocol Firewall Overview Classification of Firewalls Packet filtering schematic diagram Command format when the protocol is IGMP, IP, GRE or Ospf Extended access control listCommand format when the protocol is TCP or UDP Operators of the Extended Access Control List Mnemonic Symbol of the Port Number UDP Protocol Mnemonic Symbol Meaning and Actual Value Mnemonic Symbol of the Icmp Message Type Configure the match sequence of access control listOperator and Syntax Meaning Effect Perform the following configurations in system view Configure FirewallFirewalls are disabled by default Firewall Configure Extended Access Control List Configure Standard Access Control List Configuring Special Timerange Enabling and disabling filtering according to timerangeSet Default Firewall Filtering Mode Destination dest-addr dest- wildcard Set special time range Enable/Disable Filtering According to TimerangeSet Special Time Range Settr begin-time end-time Displaying and Debugging Firewall Use debugging, reset and display commands in all viewsSpecify Logging Host Display and Debug Firewall Configure access rules to inhibit passing of all packets Enable firewallRouterfirewall enable Routerfirewall default permit Router-Ethernet0firewall packet-filter 101 inbound Apply rule 102 on packets coming in from interface Serial0Router-Serial0firewall packet-filter 102 inbound IPSec Protocol Following terms are important to an understanding of IPSec IPSec Related TermsIPSec Message Processing Access Control List Configuring IPSecCreating an Encryption Operator port1 port2 Create Encryption Access Control List By default, all the crypto cards are enabled Configure Ndec Cards Enable the crypto cardsSet the output of the crypto card log Enable/Disable the Host to Backup the Ndec Cards By default, no proposal view is configuredSet the Mode for Security Protocol to Encapsulate Messages Define IPSec proposal Default mode is tunnel-encapsulation mode Selecting the Encryption Authentication AlgorithmSelect Security Protocol Select Security Protocol Creating a Security Policy Select Encryption Algorithm and Authentication Algorithm Configure access control list quoted in security policy By default, no security policy is createdPerform the following configurations in IPSec policy view Set start point and end point of security tunnel Configure IPSec Proposal Quoted in Security Policy By default, the security policy quotes no IPSec proposalSet IPSec proposal quoted in security policy Set SPI of security policy association and its adopted key Configure SPI Parameters of Security Policy Association By default, no key is used by any security policyConfigure Key Used by Security Policy Association Hex-key Set end point of security tunnel Set access control list quoted by security policyCreating a Security Policy Association with Specify End Point of Security Tunnel Set SA lifetime Set the IPSec proposal quoted in security policyProposal proposal-name1 Proposal-name2...proposal-name6 By default, apply the global SA lifetime Configure a separate SA lifetimeConfigure Global SA LIfetime Configure Separate SA LIfetime Debugging IPSec Use debugging, reset and display commands in all viewsApply Security Policy Group on Interface Ipsec sa dynamic-detect Display and Debug IPSec Reset crypto cardDest-address protocol spi Use the debugging, reset and display command in all views IPSec Configuration ExampleDisplaying and Debugging the crypto card Creating an SA Manually Select authentication algorithm and encryption algorithm Adopt tunnel mode as the message-encapsulating formQuote access list Create the IPSec proposal view named tran1 Create a security policy with negotiation mode as manual Configure the routeApply security policy group on serial interface Exit to system view Create the IPSec proposal view named trans1 Create a security policy with negotiation mode as isakmpSet remote addresses Configure corresponding IKE Configure ip address of the serial interfaceConfigure serial interface Serial0 Create a security policy with negotiation view as isakmp Adopt tunnel module for packets encapsulation form Establish a security policy with manual negotiation modeReturn to system view RouterB ike pre-shared-key abcde remote Set local address Enter Ethernet interface view and configure IP addressSet encryption key Apply security policy base on serial port Troubleshooting IPSec Ndec card cannot be configured Establish a security policy with manual configuration modeReturn to the system view RouterB ipsec policy map1 10 manual Do the following Configuring Ipsec Configuring IKE IKE features Configuring IKEPolicy Ike proposal policy-number Create IKE PolicyView Delete IKE policy Undo ike Select Authentication Method Selecting an Authentication AlgorithmConfigure Pre-shared Key Select Encryption Algorithm Select Hashing Algorithm By default, 768-bit Diffie-Hellman group is selectedSelect DH Group ID Set Lifetime of IKE Negotiation SA Reset ike sa connection-ike-sa-id Configure IKE Keepalive TimerDisplaying and Debugging IKE Display and Debug IKE Invalid user ID information IKE Configuration Unable to establish security channel Unmatched policy IX VPN Configuring VPN Configuring L2TP Configuring GRE 596 VPN Overview Applications of VPN Basic NetworkingClassification of IP Authority given by local ISP Layer 3 tunneling protocol Layer 2 tunneling protocolComparison of layer 2 and layer 3 tunnel protocols Configuring VPN Vpdn Operation Vpdn and L2TP L2TP channel Methods of Implementing Vpdn Tunnel and session Networking diagram of two typical methods of Vpdn Control message and data message IV. Call setup flow of L2TP tunnel Call setup flow of L2TP channel Features of L2TP Enable L2TP Basic Configuration atEnable/Disable L2TP L2tp enable L2tp-group group-number Originate L2TP Connection Request and LNS AddressIp-address … domain domain-name Configure AAA and Local Users By default, L2TP is disabledDefault list-name method1 L2TP Attribute Table Operation Command Create a virtual template Operation Command Create a L2TP groupCreate/Delete L2TP Group Create/Delete a Virtual Template By default, receiving dial-in from LAC is disabled Advanced Configuration at LAC or LNSConfigure the Name of the Receiving End of the Tunnel Configure Local VPN Users By default, the local name is the host name of router Enable Tunnel Authentication Setting PasswordSet Local Name Tunnel name name Set Tunnel Authentication and Password Configure the Interval For Sending Hello MessagesSet the Interval for Sending Hello Message Force Configure Domain Delimiter and Searching OrderSet Domain Name Delimiter and Searching Order Operation Command Force to disconnect tunnel This configuration is applicable to LNS onlyReset l2tp tunnel remote-name Force to Disconnect Channel LCP does not renegotiate by default Configure the Local Address and Address PoolLCP to Renegotiate By default, AV pairs are hidden Enable/Disable Hiding Attribute Value Pairs AVEnable/Disable Hiding AV Pairs Number of L2TP Sessions By default, the maximum number of L2TP sessions is L2TP Configuration ExamplesUse debugging, display command in all views Display and Debug L2TP Configure the IP address of Serial1 interface of LAC Implement local AAA authentication on VPN userEnable L2TP service and configure a L2TP group Configure BDR dialup parameters Configure the Virtual-Template-related information Configure the IP address of Serial0 interface of LNS Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Router-LACip pool 1 192.170.0.3 Client-originated VPN Networking Configure BDR parameters Configure the IP address of Serial1 interface at LAC sideConfigure the IP address of Serial0 interface at LNS side Disable tunnel authentication Network Connection Wizard Network Connection Wizard Connect Connection to Configure a L2TP group and the related attributes Configure an IP address on Serial0 interfaceConfigure the domain suffix separator to @ Router1 l2tp domain suffix-separator @ Configure Virtual-Template Enable AAA authenticationForce to implement local Chap authentication III. Procedures Configuration at Router2 LNS side Enable AAA authentication Configure a L2TP group and configure the related attributesConfigure an address pool 1 in the range of 192.168.0.2 to Configure an access control list and specify L2TP data PPP negotiation fails. The reasons may be Fault 1 The users fail to log Troubleshooting L2TP Configuring L2TP Encapsulation GRE ProtocolPacket Encapsulated tunnel message format Refer to RFC Enlarge network operating range By default, no virtual tunnel interface is created Configuring GRECreating a Virtual Tunnel Interface Create Virtual Tunnel Interface Setting the Network Address of a Tunnel Must be configured InterfacePerform the configurations in the tunnel interface view Address of the Tunnel Set Tunnel Interface to Check with Checksum Number discardedSet the Tunnel to Synchronize Datagram Sequence Numbers Gre key key-number Group1 and group2. It can be implemented by using GRE GRE Configuration ExampleDebugging GRE All views Configure Router B Configure the IP address of Serial0 Configure the IP address of Ethernet0 interface Configure the IP address and IPX address of Ethernet0 Configure Router a Activate IPXConfigure the static route to Novell Group2 Configure Router B Activate IPX RouterB ipx route 1e 1f.a.a.a tick 30000 hop Networking of troubleshooting GRE Configuring a Standby Center Configuring Vrrp 646 Standby Center Configuring Standby Center Address logic-channelnumber Enter the Logic Channel ViewFr map protocol address dlci dlci Next-hop-address dialer-number Standby timer enable-delay seconds Channel to check whether it has recoveredUndo standby timer enable-delay Standby timer disable-delay seconds Load Sharing view Please perform the following configuration in all viewsInterfaces Enter the view of Serial Channel Enter the view of logic channelRouter-logic-channel10standby interface serial Router-Serial1logic-channel Troubleshooting Vrrp Vrrp Configuration ExamplesVrrp Overview Vrrp Overview Adding a Virtual IP Configuring VrrpAddress Add Virtual IP Address Configure Router Priority in Standby GroupVrrp vrid virtualrouterid Undo vrrp vrid virtualrouterid Vrrp provides simple character authentication method Configuring Authentication Method Authentication KeyConfigure Authentication Method and Authentication Key Virtualrouterid Group Timer Configure StandbyDebugging Vrrp Monitoring Procedure for each configuration Vrrp ConfigurationBackup with preemption aII. Networking diagram Vrrp Single Standby Balancing and mutual backup are implemented Gateway services insteadGateway function as the master Multiple Standby Many master routers exist within the same standby group There is requent switchover of the Vrrp state XI QOS 662 QOS Overview Three Types of QoS Services QOS Overview Benefits of QoS for the Network Service QOS Overview Traffic Policing Traffic Classification Traffic POLICING, Traffic Shaping and Line Rate Rate CAR Committed Access Define CAR Rules Defining RulesQos carl carl-index precedence Precedence-value mac mac-address Applying the CAR Policy on the Interface By default, no CAR rule of ACL list is establishedApply the CAR Rule on the Interface Configure the Priority Level Based CAR Policy CAR Configuration Applying a CAR Policy to all PacketsDisplaying and Debugging CAR Display and Debug CAR Configure the CAR Policy Based on the MAC Address Apply a CAR Policy on the Packets that Match ACL Traffic ShapingMatches ACL Packets Schematic diagram of GTS processing Configuring shaping parameters for a specified flow Configure the ACL Configuring shaping parameters for all flowsShape the flows matching 110 on Ethernet interface Physical Interface Line Configure the Physical Interface LIne RateRate Shape all the flows on Ethernet interface Displaying Display and Debug LR Debugging LR Operation Command Display the LR configuration conditionsDisplay qos lr interface type Congestion Management Management Policy CongestionFifo Queuing Priority Queuing Selecting Congestion Management Policies Number Queues Advantage Disadvantage Comparison of Several Congestion Management Policies Schematic diagram of the first in first out queue Schematic diagram of the custom queuing Schematic diagram of weighted fair queuing Weighted Fair Queuing WFQ Configuring Fifo Queuing Configuring Congestion ManagementConfiguring priority queuing Configure the First In First Out Queuing Values of Queue-Option with Protocol as IP By default, no priority queue is establishedProtocol-name queue-option queue Pql-index protocol Applying the priority-list queuing group to the interface By default, the interface utilizes the Fifo queueSpecifying the queue length of the priority-list queuing Configuring Custom Queuing CQ Configuring custom-list queuingDefault Length Value of the Priority Queue Displaying and debugging the priority queue Configure the Default Custom-List Queuing Configure the Custom-Lst Queuing According to the InterfaceQueue-number Queue queue-number Configuring the queue length of the custom-list queuing By default, the interface uses the Fifo queueConfigure the Queue Length of the Custom-List Queuing Applying the custom-list queuing group to the interface Displaying and debugging the weighted fair queue Configuring Weighted fair queuingDisplaying and debugging the custom-list queue PQ Configuration Example Congestion Management Configuration ExamplesApply the priority queue 1 to Serial Apply the priority queue 2 to Serial Configure Router B Configure the access control list Configure the CQ queueRouterA-Tunnel0ip address 10.1.1.1 RouterA-Tunnel1destination Configure Tunnel0 Configure Serial0 master/slave addressesConfigure Tunnel1 WFQ Configuration Example Congestion Management Congestion Avoidance Congestion Avoidance Enable the Wred Wred ConfigurationEnable Wred Function of the Interface Ip-precedence Discard-prob Configure a WFQ queue Congestion Avoidance Configuration ExampleEnable Wred Displaying Debugging Congestion Avoidance Congestion Avoidance XII DIAL-UP Configuring DCC Configuring Modem 704 DCC Overview Terms in DCC Configuration DCC Circular DCC Resource-Shared DCC With 3Com Routers Basic DCC featuresImplementing callback through DCC Preparing to Configure Configuring DCCPrepare the data for DCC configuration Configure the local parameters of DCC Configure Physical Interface Mode Configuring the mode of the physical interfaceLinklayer-protocol-type Ip address ipaddress mask Associating a DCC dialer ACL with the interface Configuring an interface to originate calls to a remote end Dialer enable-circular Configure an interface to receive calls from a remote endDialer number dial-number Undo dialer number Route protocol DialerNext-hop-address dial-number Next-hop-address Undo dialer route protocol Dialer circular-group number Undo interface dialer numberUndo dialer circular-group Dialer priority priority Undo interface dialer number Interface dialer numberDialer circular-group number Undo dialer circular-group Router Dialer0 Configuring the dialer interface and dialer number Configuring dialing authentication for resource-shared DCCBy default, no dialer interface is created Enabing Resource-Shared DCC Configuring dialing authentication for resource-shared DCC Configure MP Binding in Circular DCC Configuring MP binding in circular DCCThreshold traffic-percentage Configuring PPP callback in the circular DCC implementation Configuring MP binding in resource-shared DCCConfigure MP Binding in Resource-Shared DCC Dialer threshold traffic-percentage Implement PPP Callback Server Configuration in Circular DCC Implement PPP Callback Client Configuration in Circular DCC Telephone-number CommandNext-hop-address user username Dial-number Primary rule The best match is the number with the fewest Features of Isdn caller identification callbackDialer callback-center dial-number Identification Operation Command Configure the local end to implementUndo dialer call-in remote-number Callback according to the Isdn caller Configuring auto-dial Configuring Isdn leased lineConfiguring Special DCC Functions Configure Isdn leased line for Circular DCC Configuring the Link Idle Time Configuring dialer number circular standbyConfigure Auto-Dial Configure Dialer Number Circular Standby By default, the link disconnection time is 20 seconds By default, the link idle time is 120 secondsConfiguring the link idle time when interface competion Configure the Link Idle Time By default, the timeout of call setting up is 60 seconds Configuring the timeout of call setting upConfiguring the buffer queue length of the dialer Debugging DCC Solution DCC Configuration ExamplesDCC Applications in Common Use Configure RouterB Configure RouterCRouter-Serial1dialer circular-group Router-Serial0dialer route ip 100.1.1.1 Router-Serial1dialer bundle-member Router-Serial0dialer bundle-member Configure RouterC Configure RouterC Router-Dialer0dialer threshold Configure RouterARouter-Bri0dialer bundle-member Router-Serial015dialer route ip 100.1.1.1 Router-Bri1dialer route ip 100.1.1.1 Router-Serial0dialer route ip 100.1.1.2 Router-Serial1dialer enable-circularRouter dialer-rule 1 ip permit Router interface serial Router-Bri0dialer route ip 100.1.1.2 user usera Callback for DC C Configure the PCBy the NT server NT Server-to-Router Router-Async0dialer route ip 100.1.1.254 Dial Number Circular Standby and Internet Access for DCC Router-Serial0dialer route ip 100.1.1.254 Configure subscriber PC Router-Serial215ppp chap password simple passb Router-Serial215ppp authentication-mode chap Router-Serial1standby logic-channel Remote end cannot be pinged after the modem is connected Message Fault DCC Fault Messages DCC peeraddr matching error Modem Script Modem Function Provided by 3Com Routers Modem script format in common use is as follow Syntax description of modem scriptReceive-string1 send-string1 receive-string2 send-string2 Configure the Modem Dial-in and Dial-out Authorities Which, seconds defaults to 180 and is in the range of 0 toBy default, modem dial-in and dial-out are allowed Configure a Modem Script Configure Modem Through the AT CommandConfigure a Modem Script Execute a Modem Script Manually Configure the Answer Mode for the Modem By default, the modem works in non-auto answer modeConfigure Authentication for a Modem Dial-in User Specify the Events Triggering the Modem Scripts Executethe debugging command in all views for the debugging Modem Configuration ExamplesConfigure a Modem adaptation baud rate Displaying and Debugging a Modem Configure the modem initialization parameters Restore the ex-factory modem settingsAT&b1&c1&d2&s0=0 Authentication for Power-on Initialization Through Initialization ScriptDirectly Modem Dial-in User Troubleshooting Configuring Modem

Set the IPSec proposal quoted in security policy

Perform the following configurations in IPSec policy view.

Table 648 Configure IPSec Proposal Quoted in Security Policy

proposal proposal-name1

[proposal-name2...proposal-name6]

Set SA lifetime