IPSec Configuration Example

IPSec Configuration Example 577

Displaying and Debugging the crypto card

Use the debugging, reset and display command in all views.

Table 655 Display and Debug NDEC Card

Operation	Command

Display the detailed information of crypto	display encrypt-card details [
cards (applicable to crypto cards)	slot-id ]

Display all established Security Association	display encrypt-card ipsec sa all [
on crypto card (applicable to crypto card)	slot-id ]

Display a specified Security Association on	display encrypt-card ipsec sa
crypto card (applicable to crypto card)	parameters remote-address protocol
	spi-number

Display statistical information of the	display encrypt-card statistic [
security packets processing on crypto card	slot-id ]
(applicable to crypto card)

Display current operating status of crypto	display encrypt-card status [ slot-id
card (applicable to crypto card)	]

Display current operating logging of	display encrypt-card syslog [ slot-id
crypto card (applicable to crypto card)	]

Display version number of crypto card	display encrypt-card version [
(applicable to crypto card)	slot-id ]

Delete all established Security Association	reset encrypt-card sa all [ slot-id ]
(applicable to crypto card)

Delete the specified Security Association	reset encrypt-card sa parameters
on crypto card (applicable to crypto card)	remote-address protocol spi-number

Clear the statistical information of security	reset encrypt-card statistic [
packets on crypto card (applicable to	slot-id ]
crypto card)

Clear all the logging information on the	reset encrypt-card syslog [ slot-id]
crypto card (applicable to crypto cards)

Enable the debugging of information,	debugging encrypt-card { all packet
packets, SA, command, error and other	sa command error misc } [
information (applicable to crypto cards)	slot-id ]
	slot-id ]

Enable the debugging of the main	debugging encrypt-card host { all
software on the crypto card (applicable to	packet sa command error misc
crypto cards)	}

Creating an SA Manually

The following sections demonstrate the following IPSec configurations:

■Creating an SA Manually

■Creating an SA in IKE Negotiation Mode

■Encrypting, Decrypting, and Authenticating NDEC Cards

Establish a security tunnel between Router-A and Router-B to perform security protection for the data streams between PC-A represented subnet (10.1.1.x) and PC-B represented subnet (10.1.2.x). The security protocol adopts ESP protocol, algorithm adopts DES, and authentication algorithm adopts sha1-hmac-96.

Page 581

Image 581

3Com 10014299 manual IPSec Configuration Example, Displaying and Debugging the crypto card, Creating an SA Manually

Contents

3Com Router Configuration Guide Campus Drive 3Com CorporationMarlborough, MA 01752-3064Page VPN Text Conventions This guide describes 3Com routers and how to configure themList conventions that are used throughout this guide About this Guide 3Com Router Introduction 3Com Router User Interface Page 3COM Router Introduction Following table lists the basic features of the 3Com Router Features of the 3ComList of the 3Com Router 1.x features Router Version RIP-1/RIP-2 NAT Quality of service 3Com Router New Features of the 3Com Router 1.x 3COM Router Introduction Establish ConfigurationEnvironment Port Establish a new connection Set port communication parameters Establish a remote configuration environment Connection ConfigurationEnvironment Router Workstation Ethernet Interface CLI Command Line 3COM Router User Interface Views and their prompts System view Table Ethernet 0 in any Async 0 in anyLoopback 0 in any Enter controller Partial help HelpsFull help Common error Message Causes List of common command line error messagesFor example Routerdisplay ? Features Command LineDisplay Features Three options are available for users Please perform the following commands in system view Following commandsUser Identity Management Set the system clock Configure the router nameSystem Execute the following commands in all views By default, the system clock is 080000 1 1Reboot the system Display the System Information Router System Management Page Softwaresoftware Storage Media and File Types Supported by the System Input Ctrl+D, and the following prompt information displays Upgrade Boot ROM Software Router Main Program Upgrade the 3ComSoftware Main Program software XModem Approach Modify the terminal baud rate Transfer File dialog box Tftp server application can run on Windows 95/98/NT Preparation for using the Tftp serverEnable the Tftp server program Tftpd32 Set interface Press Enter and the following prompts will be displayed Network Interface Parameters Enter Ctrl+B and the system prompts Operation Command Downloads the 3Com Router main Download configuration files from a Tftp serverPress Enter for loading Get ip-addr file-name system Set an authentication mode for an FTP server Prepare for using the FTP server Enable FTP server Upgrade the 3Com Router Main Software with FTP Tftp Approach Back up the 3Com Router Main Program SoftwareFTP Approach Copy ip-addr file-name system Setup Users Dialog Box Update slot slot-number ftpserver host-name Configure on-line upgrading of the cardPort-number user user-name password Password Download Configuration File Configuration File ManagementPerform the following command in system view Content and Format of the Configuration File Download Config Load configuration filesRouter download config Set the binary transmission protocol to XModem/CRC Back up Configuration Files Display current-configurationcommand output backup approachUpload configuration files to a Tftp server File-name config View router configuration Please use the following commands in corresponding views Save current configuration Select and view the storage media of configuration fileSet the Flag Bit to Enter the Initial Setup Mode Erase the configuration file in storage media Configure authentication and authorization of FTP server Configure FTPClient via port 20 and transfer data Files on the router Configure Parameters of FTP Service Enter the following commands in system viewPlease enter the following commands in system view Set the authentication mode of FTP server Set the connection time limit of FTP service Set FTP update modeForce to shut down FTP process Force to shut down FTP process Display ftp-server Display FTP Server Display FTP serverServer Display detailed information of the FTP user Display local-user System Management Features of Terminal Terminal ServiceService at Console Port Overview Set the attributes of terminal service ServiceTerminal Message On one router Configure Terminal Message Service Perform the following configuration in all viewsDisplay Terminal Message Service Enable/disable receiving messages from other terminals Dumb Terminal Typical Example Terminal Message Service ConfigurationTerminal Service Configure Dumb Terminal Configuration Examples Dumb Terminal ServiceConfigure Auto-execute command By default, no dumb terminal service is configured Configure the interface to dumb terminal mode Terminal Service Telnet ConnectionConfigure the auto-execute command command Router-Serial1auto-execute command telnet Establish Telnet Connection Terminal service features of telnet connectionService Value Enable Reverse Telnet connection Setup Reverse Telnet ConnectionService-port Establish Telnet Server or Telnet Client connection Force shut down Telnet Process Typical Configuration Example of Telnet Reverse TelnetExample of Telnet Force to shut down Telnet process Use Rlogin protocol Rlogin TerminalExample of Reverse Telnet Router telnet 10.110.164.44 Typical Rlogin Configuration Examples Establish a Rlogin connectionRlogin ip-address username Use local user name abc to log on Communicate with other terminals through the X.25 network Access ServicePAD Remote Configure X.25 PAD remote user Configure X.25 PAD remote userService-type type password Local-user user-name Enable AAA authentication for X.25 remote PAD users Start AAA authentication of X.25 remote usersEstablish an X.25 PAD call Establish a X.25 PAD call III. Configuration Procedure II. Networking DiagramDisplay and Debug Set the Response Time to the Invite Clear Message Set its X.121 address as Fault Diagnosis TroubleshootingRouterA-serial0x25 x121-address RouterB-serial0x25 x121-address Development of Snmp Snmp Overview Configuring Network Management SNMP-supported MIB Snmp architecture Engineid By default, the system disables Snmp service3Com Router-supported MIB Configure Snmp version and related tasks Perform the following configurations in system view Configure the traps to be sent by the router Configure information of router administratorV1 username Interface-number Display and debug Snmp Perform the following commands in all viewsName Byte-count Set the community name and access authority Example 1 Configure Network Management of SNMPv1Configure an IP address for the Ethernet interface ethernet Examples Networking Requirements Network equipment Configure an IP address for the Ethernet interface ethernetRmon Overview Schematic diagram of Rmon application Examples Networking Requirement Enable Rmon statistics RouterA-Ethernet0 rmon promiscuous Commands to display information of the whole system Test Tool of Network Connection Ping command System displays Ping supporting IP protocolPing supporting IPX protocol Ip-address Tracert command Following command can be executed in any command modesTimeout host MaxTTL -p port -q nqueries Log Function Configure on the router Set the direction of syslog outputting log information Perform the following task in system view Set Severity of Log InformationSylog-defined severity is as follows Set Filter of Log Information Turn on/turn off syslog Configuration of Log HostDisplay and Debug Syslog Turn on/turn off syslog Turn on debugging switch of PPP module Syslog Configuration ExampleRouterinfo-center enable Routerdebug ppp all Display and Debugging Tools Dial-up POS Access POS Terminal Access Service Advantages of POS network access are as follows POS Network Access Start POS server POS Access Service ConfigurationConfigure POS access port Interface-type interface-number Configure a POS applicationApp-number Ip-address port-number Bind the source address of TCP connection Configure POS multi-application mapping tableDefault app-number Display and debug POS access Display and Debug POS AccessSet the parameters of FCM used during Modem negotiation Set the parameters of FCM used during Modem negotiation Configure the Ethernet interface Ethernet Typical Configuration Example of POS Access ServiceConfigure the POS access interface FCM0 Configure POS access interface FCM1 III. Configuration Procedure 1 Start the POS access server Configure POS access interface FCM2Configure POS access interface FCM0 Configure Async 1 to operate in POS application mode Configure Async 0 to operate in POS application modeIII. Configuration Procedures Configure Router a Start the POS access server RouterA ip route-static 10.1.1.2 255.255.255.0 serial Configure Router B Configure the Ethernet interface Ethernet III Interface 106 Enter the Interface View Configure InterfaceInterface Interface view, input quit to return to the system view Exit the Interface ViewSet time interval for flow control statistics Interface-description Display and Debug Interface Please use the following commands in all viewsDisplay and debug interface Interface state information Interface Configuration Overview Ethernet Interface Configure Ethernet Interface Set IP address Enter view of specified Ethernet interfaceSet IPX address Set frame format of sending message Enable or disable internal loopback and external loopback Select work mode of Ethernet interfaceDisplay and Debug Select working rate of fast Ethernet interface II. Network Diagram Typical Ethernet Interface Configuration ExampleTroubleshooting Troubleshooting Configuring LAN Interface Asynchronous Serial Interface WAN InterfaceIntroduction Interface serial number Enter view of specified asynchronous interfaceInterface async number Set the baud rate of asynchronous serial interface Set the work mode of asynchronous serial interfaceModem in out Link-protocol slip ppp Hardware inbound outbound Async Mode protocolFlow-control none software Parity even mark none Works in flow modeOdd space Stopbits 1 1.5 AUX Interface BackupSet MTU of asynchronous serial interface Set the coding format of Modem Configure AUX interface Configure AUX interfaceConfigure Synchronous Serial Interface Synchronous Serial Interface Set the link layer protocol of synchronous serial interface Enter view of specified synchronous interfacePhysical-mode sync Link-protocol fr hdlc Working modes have different working clocks Select work clockSet the baud rate of synchronous serial interface Synchronous serial interface is 64000 bps Set clock inversion Inversion is disabled by defaultSelect work clock Detect dcd Internal loopback/external loopback are disabled by defaultUndo detect dcd Reverse-rts Idle coding of synchronous serial interface is 7E Isdn BRI InterfaceTechnical Background Graphics and video Function group includes Preparations before ConfigurationBe clear about the following items before the configuration CE1/PRI Interface Channelized operating modeNetwork protocols such as IP and IPX Interface or a PRI interface Dial-on-Demand Routing Configure CE1/PRI CE1/PRI interface configuration includesInterface Enter the view for a specified interface Number set-number Enter the synchronous serial interface viewBind the interface to be channel sets Enter the Isdn interface view Bind the interface to be a pri setPri-set timeslot-list range Undo pri-set Set the line code format on the CE1/PRI interface Enable/disable the internal loopback/external loopbackSet the line clock of the CE1/PRI interface Set the frame format of CE1/PRI interface CT1/PRI Interface Configure CT1/PRI Timeslot-list range speed Operation Command Enter the view of CT1/PRI interfaceController t1 number Interface serial number23 Set the frame format of CT1/PRI interface Set the line code format on the CT1/PRI interfaceSet the line clock of the CT1/PRI interface E1-F interface does not support PRI operating mode Choice for E1 accessE1-F Interface Them into multiple channel sets Enter the view of an E1-F interface Set Operating mode for an E1-F interfaceInterface serial serial-number Fe1 unframed Set line clock for an E1-F interface Set interface rate after binding operationSet line code format for E1-F interfaces Set frame format for an E1-F interface Enable/Disable local/remote loopback on an E1-F interfaceDisplay and debug E1-F interface Serial-number T1-F interface does not support PRI operating mode Choice for T1 accessT1-F Interface 193 X 8k = 1544kbps Set line code format for T1-F interface Set frame format of T1-F interface Enable/Disable local/remote loopback on a T1-F interfaceSet line clock for a T1-F interface CE3 Interface Other related informationDisplay and Debug T1-F Display and debug T1-F interface Enter the view of the specified E3 interface Set E1 frame format Set the operating mode of CE3 interfaceSet the operating mode of E1 channel CT3 Interface Mode non-channelized mode44.736Mbps Data bandwidth 44736kbps Set clock mode of the T1 channel Set clock mode of the CT3 interfaceEnter specified CT3 interface view Set cable length of the CT3 interface Perform the following configurations in CT3 interface view By default, loopback is disabled Set Frame FormatBy default, the CT3 interface uses the C-bit frame format T1 line-number unframed Set the operating mode of T1 channelSet CRC of the serial interface Display and debug of the CT3 interface Disable and Enable CT3 interface Configuring WAN Interface Dialer Interface Logical Interface Null Interface Configure Loopback Sub-Interface Create and delete WAN sub-interface Configure sub-interfaces of Ethernet interfaceNumber.sub-number Number.sub-number multipoint Routerinterface serial Enter the view of WAN interface Serial0 of router aSelect frame relay link layer protocol Specify DTE as its frame relay terminal type Configure the static route from router a to LAN2 and LAN3Set its IP address to 202.38.160.1 and address mask to Allocate a virtual circuit with Dlci 50 to it Create or delete virtual-template Set work parameters of virtual-templateInterface virtual-template Undo interface Troubleshooting the reasons may be as follows Fault 1 Fail to create virtual interfaceDisplay state of the specified virtual-template Virtual-template-number Link Layer Protocol 164 PPP Overview PPP Authentication Mode Configuring PPP and MP MP Overview Configure PPPFor detailed description of PPP, refer to RFC1661 Transmission time of large packets Configure the local authenticates the peer in PAP mode Configure the link layer protocol of the interface to PPPConfigure the peer authenticates the local in PAP mode Name-list Configure as the peer authenticates the local in Chap mode Configure the local authenticates the peer in Chap modeCipher password User username Configure PPP compression Configure AAA authentication and accounting of PPPConfigure the time interval of PPP negotiation timeout Configure PPP link quality monitoring Perform the following configuration in interface viewPpp lqc forbidden-percentage Resumptive-percentage Configure Operating Parameters of Virtual Template Configure MP Protocol Parameters Create Virtual TemplateCreate/Delete virtual template Bind the physical Interface to a Virtual Template User-name Specify the conditions for MP binding Frags Configure virtual Baud rate on interface Example Typical PPP Configuration ExampleConfiguration Requirement II. Configuration Procedure Typical MP Configuration ExampleConfigure to start Chap authentication at this side Set local username as Router1 Configure router-c Add a user for router-a Configure virtual interface templateConfigure router-b Add a user for router-a Fault 1 Link always fails to turn to up status Fault Diagnosis TroubleshootingFault 2 Physical link fails to turn to Up status Indicates that the interface is shutdown Introduction to PPPoE client PPoE Overview Client Configure PPPoE Reset or delete PPPoE session Configure PPPoE session Perform the display and debugging command in all views Typical PPPoE Configuration ExampleAccess a LAN to the Internet via Adsl III. Configuration Procedure 1 Configure a dialer interface Configure the LAN interface and the default route Configure a PPPoE sessionConfigure the DDN interface Serial Use Adsl as Standby Line Configuring Pppoe Client Asynchronous mode Configure SlipSlip Overview For further details about SLIP, you can refer to RFC1055 Typical Slip Enable/Disable the information debugging of SlipTime Interconnect two Router routers via Pstn and run IP Configure IP address of synchronous/asynchronous interface Configure Router a Configure Dialer RuleConfigure the Dialer String to router B Configure the default route to Route B Routerip route-static 0.0.0.0 0.0.0.0 Isdn Overview Configure Isdn Configure type of signaling on Isdn interface By default, DSS1 signaling is used on Isdn PRI interfacesConfigure the length of call reference Configure the receiving mode Configure interval for Qsig signaling timer Configure the sending modeTimer-name all Time-interval Perform the display and debugging commands in all views Configure Call Processing Method on an InterfacePerform the following configuration in Isdn interface view Configure Router a Create an Isdn PRI interface Typical Configuration ExampleConfigure the Isdn PRI interface RouterB transmit data after the call is set up Configure Router B Configure Router a Protocols Overview Lapb PSN 25 packet and Lapb frame By default, k is Configure Lapb N1, N2 Configure LapbBy default, the Lapb modulus is Modulo Configure Set/Cancel the X.121 address of the interface Configure X.25 InterfaceSet X.25 working mode Address Parameter Meaning 25 channel delimitation parameters Set/cancel X.25 virtual circuit range By default, X.25 interface use modulo 8 modeSet/Cancel X.25 packet numbering modulo Finally, the following should be noted Configure X.25 Interface Supplementary Parameter Configure X.25 flow control parameterSet the default flow control parameter Out-packets Set X.25 layer 3 timer delay 25 layer 3 timer Alias match modes and meanings Specify/Cancel an alias for the interfaceAlias-string Match-type alias-string Set/Cancel the default upper layer protocol borne on Create the permanent virtual circuit PVC Configure X.25 Datagram TransmissionProtocol-address x121-address Address option Create/Delete permanent virtual circuit Configure Additional Parameters Datagram TransmissionX25 pvc pvc-number protocol Undo x25 pvc pvc-number Interface view, perform the following task Configure X.25 user facility Specify/Cancel packet pre-acknowledgement Serial port view, list1 can be quoted Configure the sending queue length of virtual circuit Set interface with standby center Set broadcast viaAddress broadcast Address logic-channel Configure X.25 sub-Interface Switching FunctionConfigure X.25 Switching Number.subinterface-number multipoi Introduction to X.25 Load Balancing Configure X.25 Load BalancingAdd or delete a PVC route Configure X.25 Diagram of X.25 network load balancing List of Configuration Tasks of X.25 Load Balancing Add/Delete interfaces or XOT Tunnels in hunt group Start /Close X.25 switching functionCreate/Delete X.25 hunt group Add/delete other X.25 switching routes Configure X.25 over Other ProtocolsConfigure X.25 over TCP XOT Introduction to XOT Protocol Configure XOT Configure local switching Start X.25 switchingConfigure SVC XOT switching For PVC, perform the following tasks in interface view Configure PVC XOT switching Configure Annex G Data InteroperationConfigure X.25 over Frame Relay Annex G Configure Keepalive and xot-source attributes Configure the X.25 attributes for an Annex G Dlci Configure the X.25 Attributes for a Dlci By default, X.25 template is not applied on DLCIs Typical Lapb Configuration ExampleCurrent status of Lapb Specify IP address for this interface Specify X.121 address of this interface Configure Router B Select interfaceConfigure Router a a Select interface Connect the Router to X.25 Public Packet Network Specify address mapping to the peer Configure Router C Configure interface IP address Configure Router a Configure interface IP addressConfigure Router B Configure interface IP address Disabled Configure Virtual Circuit I. Networking RequirementRange Transmit IP Datagram via X.25 PVC Router-Ethernet0ip address 196.25.231.1 Typical Sub-Interface Configuration Example Create sub-interface serial Configure Router CConfigure Router D SVC Application of XOT I. Networking Requirement Configure Serial Configure Router C Start X.25 switchingRouterx25 switch svc 2 interface serial Routerx25 switch svc 1 xot Application of X.25 Load Balancing Configure X.25 switching route to forward to X.25 terminal Enable X.25 switching in system viewS11 Add Serial 1, Serial 2 and XOT Tunnel to hunt group Routerx25 switch svc 8888 interface serial Routerx25 switch svc 1111 xotLoad Balancing Carrying IP Data Transmission Routerinterface serial Router-Serial0link-protocol x25 dce Configure interface Serial Configure RouterA Configure interface EthernetConfigure static route to RouterC Configure RouterB Configure interface Ethernet Configure RouterA Create an X.25 template Configure the static route to RouterA and RouterBConfigure the local X.25 address Configure an IP address for the local interface Map the Frame Relay address to the destination IP address Configure RouterB Create an X.25 templateAssociates an X.25 template with the Dlci SVC Application of X.25 over Frame Relay Enable switching on Frame Relay DCE Configure the router Router B Enable X.25 switchingConfigure Serial 0 as the X.25 interface Configure Serial 1 as the Frame Relay interface Configure the router Router C Enable X.25 switching Configure X.25 over Frame Relay switchingConfigure the Frame Relay Annex G Dlci Configure local X.25 switching.Router-fr-dlci-100annexg dte Configure Router B Enable X.25 switching Configure Router D Configure the basic X.25 parametersConfigure an X.25 template Configure S1 as the Frame Relay interface Lapb Configure Serial Configure S1 as the Frame Relay interface Facility options inhibited by network have been carried Fault Diagnosis and Troubleshooting of X.25 Configuring Lapb Configuring Frame Relay Link-protocol fr ietf By default, the interfaces link layer protocol is PPPRelay Nonstandard Configure Frame Relay LMI protocol type Configure Frame Relay interface type Undo fr lmi-n391dte Fr lmi n391dte n391-valueFr lmi n392dce n392-value Undo fr lmi n392dce Fr lmi t391dte t391-value Undo fr lmi n393dceUndo fr lmi t391dte Fr lmi t392dce t392-value Configure Frame Relay dynamic address mapping Configure Frame Relay static address mapping Create Frame Relay sub-interface Configure Frame Relay local virtual circuit numberFr dlci Undo fr Establish static address mapping Configure virtual circuit of Frame Relay sub-interfaceApplying dynamic address mapping to the sub-interface Configure the route for Frame Relay PVC switching Configure the Frame Relay local virtual circuit numberConfigure Frame Relay local switched PVC number Configure the Frame Relay switched PVC Overview Configure Multilink Frame Relay FRF.16 Configure a MFR bundle interface MFR interface Configure MFRConfigure MFR interface parameter Subnumber Configure the parameters of the bundle link interface Frame Relay Compression Configuration Configure Frame Relay Fragment FRF.12 By default, interfaces use initiative compressionConfigure Frame Relay Fragment Attributes Configure Frame Relay Compression on multipoint interface Frame Relay Traffic Shaping Disable the Frame Relay traffic shapingFr traffic-shaping Undo Fr traffic-shaping Rate Frame Relay Traffic Policing Frame Relay Queueing Management 100 Kbps CI R ALLOWº£ 64 Kbps 150 Kbps Frame Relay DE rule list Frame Relay Congestion Management Configure the Frame Relay class parameters By default, no Frame Relay class is createdConfigure Frame Relay Traffic Shaping Undo fr-class class-name Configure the parameters of Frame Relay class Enable/Disable the Frame Relay traffic shaping Enable/Disable the Frame Relay traffic policing Dequeue-percentage Queue-percentage Configure the Frame Relay PVC queueing Configure Frame Relay DE Rule ListConfigure Frame Relay Queueing Management Configure Pipq Configure Frame Relay over IP Configure Frame Relay over Other ProtocolsConfigure a tunnel interface Configure Frame Relay switching Networking of a typical Frame Relay over Isdn application Frame Relay over Isdn Operation Process and Fundamentals Back-to-back connection between DTE and DCE devices Frame Relay switching connection between DTE devicesPhysical Connection Between Frame Relay over Isdn Devices Configure the Frame Relay-related commands Configure Frame Relay over Isdn Dlci Configure the commands related to Frame Relay switchingConfigure the link layer protocol of the interface Display and debug Frame Relay Configure parameters related to dialer profilesDisplay and Debug Frame Relay Isdnsubaddress Number interface serial Number dlci dlci-numberType number dlci Mfr number Configure static address mapping Typical Frame Relay Configuration ExampleInterconnect LANs via Frame Relay Network Router-Serial1fr map ip 202.38.163.251 dlci Relay FRF.16 Configure local virtual circuitInterconnect LANs via Private Line Router-Serial1ip address 202.38.163.253 Bundle Serial 0 and Serial 1 to mfr Create a MFR interfaceExample FRF.9 Them III. Configuration Procedure 1 Configure RouterA III. Configuration Procedure 1 Configure Router aFRF.12 Fragment between them Routerfr class 96k IP ConfigurationRouter-fr-class-96ktraffic-shaping adaptation becn Typical Frame Relay over Configure tunnel interface Configure IP interface Ethernet0Configure Frame Relay over IP Router-Serial0fr interface-type dce Router-Bri0fr map ip 110.0.0.2 dlci Configure the Frame Relay parameters on Bri0Router-Dialer0dialer number Router-Dialer0dialer call-in Router-Dialer0fr interface-type dce Configure the Frame Relay-related parameters on Bri0 Router-Serial1.1ip address 130.0.0.2 Configure Frame Relay SVCs Fault 4 Frame Relay data cannot be transmitted across Isdn Fault Diagnosis Troubleshooting Frame RelayFault 1 the physical layer in Down status Configuring Frame Relay Configure Hdlc Display and Debug Hdlc Configure HdlcBy default, the link layer protocol of the interface is PPP Configure the link layer protocol of the interface to Hdlc Debugging Hdlc Packet Interface Enable Hdlc packet debugging Typical Bridge Configuration Configure Bridge’s Routing FunctionBridge Overview Bridge Overview Main Functions of Bridging Obtain address table Bridge Overview Final bridging address table Forward and Filter Filter not forward Eliminating loop Preliminary examination state of bridging loops Spanning Tree Topology Spanning tree topology Bpdu Forwarding Mechanism By default, disable bridging functions Configure Bridge’s Routing FunctionEnable/Disable bridging functions Bridge enable Specify the STP version supported by the bridge-set Configure static address table entriesAdd ports to a bridge-set Mac-address Disable/Enable STP on ports Enable/Disable forwarding by using dynamic address tableConfigure the aging time of dynamic address table Configure the bridge port priority Configure the bridge priorityConfigure the path cost of bridge port Configure the forward delay for the port status transition Configure the interval for sending BPDUs Create ACLs based on varied Ethernet encapsulation formats Configure the Max age of Bpdu Acl acl-number Bridge-set Enable/Disable bridge’s routingConfigure a bridge-template interface Share load by source MAC address Define a link-setLink-set Bridgebridge-set link-set link-set Define a dialer list Configuration on the interfaceMap the bridge address to Dlci Display and Debug Bridge Typical Bridge ConfigurationDisplay and debug bridge Transparent Bridging Multiple LANs Router-Serial0bridge-set 1 stp disable Configure Router aConfigure Router B Transparent bridge over the Frame Relay Transparent Bridging over Frame Relay Router-Serial1dialer route bridge broadcast Standby Asynchronous Dial-inConnected are failed Please refer to Figure Networking of bridge-template interface Bridge-Template interface Networking for bridging on sub-interfaces Bridging on Sub-Interfaces Router-Serial1bridge-set 1 link-set Link-Set Configuration I. Networking RequirementsRouterbridge enable Routerbridge 1 stp ieee Network Protocol 316 Configuring IP Address Network IP network range Description Class IP address classes and ranges Sub-net classification of IP address By default, the interface has no master IP address Configure IP Address Configure IP Address for an InterfaceConfigure master IP address of an interface Ip address ip-address mask Ip address ip-address mask Mask-length sub Configure slave IP address of an interfaceDelete slave IP address of an interface Undo ip address ip-address Configure IP Address Unnumbered for an Interface By default, the interface has no negotiating IP addressIntroduction to IP address unnumbered Set negotiable attribute of IP address for an interface Configure routing to Ethernet segment of Shenzhen router R1 Configuration Example I. Configuration RequirementsConfigure IP address unnumbered Borrow IP address of Ethernet interface Borrow IP address of Ethernet Configure router R1 of Shenzhen subsidiaryRouter-Ethernet0ip address 172.16.20.1 Router ip route-static 0.0.0.0 0.0.0.0Page Configuring IP Address Arp static ip-address Define a static ARP mappingUndo arp static ip-address Arp dynamic ip-address Name Resolution Configure DomainName Resolution Display and Debug ARP Display ip host Display and Debug Domain Name ResolutionDisplay and Debug domain name resolution Specify the Vlan on which Ethernet subinterface is located Create Ethernet subinterfaceInterface-number.subinterface-number Vlan-type dot1q vid vlan-id Typical Vlan Configuration Example Configure IP address of Ethernet subinterfaceDisplay and Debug Display and Debug Vlan Display vlan Configure Vlan information of LAN Switch Configure IP address for the subinterfaceTroubleshooting The steps below can be taken Router-Ethernet0.1ip address 3.3.3.8 Fault Ping Two PCs, but fails to ping them through Dhcp Server ConfigurationDhcp vs Bootp Background of the Dhcp development Dhcp server Dhcp clients Occasions in which Dhcp server is appliedFollowing figure Dhcp client logs into the network again Dhcp Server Configuration Dhcp Enable Enable/disable the Dhcp serviceUndo Dhcp enable Dhcp server ip-pool pool-name Network ip-address Configure the statically binding IP address and MAC addressNetmask Low-ipaddress high -ipaddress Low-ipaddress high-ipaddress Configure the gateway router address of client By default, the IP address of DNS is not configuredConfigure the domain names of Dhcp clients Configure the DNS addresses in a Dhcp address pool Set the type of NetBIOS node for Dhcp client Set the type of NetBIOS node for Dhcp clientNbns-list ip-address1 Ip-address2 ... ip-address8 Configure Dhcp self-defined options Use reset, debugging and display command in All viewsDisplay and Debug Dhcp Server Display and Debug Dhcp servers Router dhcp server forbidden-ip III. Configuration Procedures 1 Enable the Dhcp serviceRouter dhcp enable Router-dhcp2nbns-list Router-dhcp2gateway-list At the client, use ipconfig /releaseall Operation Command Configure interface relay address Configure interface relay addressIp relay-address ip-address Delete interface relay address Dhcp Relay Dhcp Relay Configuration RequirementIP address from Dhcp server through application Available on Dhcp server Networking diagram of an Dhcp relay configuration example Configure Dhcp relay router Fault 2 fail to forward transparent transmission protocol Under which condition should the address be translated Private Network Address and Public Network Address Mechanism of Network Address Translation NAT Characteristic of Network Address Translation NATRole the Network Address Translation NAT plays Performance of Network Address Translation NAT Configure address poolEnd-addr pool-name Pool-name Address-group pool-name Nat outbound acl-numberUndo nat outbound acl-number Undo nat outbound Configure the Timeout of address translation Configure the Internal ServerNat server global global-addr global-port Www inside inside-addr inside-port any Display and Debug NAT Display and debug NAT Typical NAT Configuration Example Allow address translation of segment at 10.110.10.0/24 Configure address pool and access listSet internal FTP server Set internal WWW server Configure dial-up property for the interface Configure address access control list and dialer-listConfigure a default route to serial Correlate the address translation list and the interface Fault 2 Internal server abnormal Configuring IP Application To configure IP performance, carry out the following steps Configure IPConfigure maximum transmission unit on an interface Performance Configure TCP Tcp window size Forwarding Configure Fast Display and Debug IP Perform the following configuration in system viewForwarding Display and Debug Fast Display and Debug fast forwarding Router info-center enable Router debugging tcp event Troubleshooting IP Performance ConfigurationRouter info-center enable Router debugging tcp packet Configuring IP Count Enable/Disable IP Count service IP Count ConfigurationIp count enable Undo ip count enable Specify count maximum of exterior Configure IP Count on an interfaceConfigure IP Count list Count By default, IP Count entries time out after 720 minutesSpecify count maximum of interior Display and debug IP Count Information is displayed IV. Test ProcedureNot been configured on the interface of the router Configuring IP Count IPX address Configuring IPX SAP Modify length of service information reserve queue Configure IPXConfigure relative parameters of IPX SAP Its first Ethernet interface as its node address Configure IPX RIP static route Enable IPX interfaceEnable/Disable a Default Route Perform the following task in interface view Configure RIP aging period Configure RIP updating periodConfigure the maximum size of RIP update packet Configure the maximum number of IPX parallel route Configure static service information table item Configure length of route reserve queue Configure size of SAP maximum updated message Configure SAP aging periodConfigure reply to SAP GNS request Ipx sap timer update seconds Disable split-horizon Configure Using touch-off for an interface Configure management of IPX packet Configure the delay of interface sending IPX packetsModify Encapsulation Format of IPX Frame on Interface Encapsulation format of IPX frame Display and Debug IPX Display and Debug IPX Configure Router a a Activate IPX Configure a static route to network ID Configure an address map to Router BConfigure an information about Server2 file service Configure an information about Server2 directory service Configure an information about Server1 directory service DLSw Protocol Create DLSw local peer entity Configuration of DLSwInit-window-size max-frame Max-frame-size max-window Create DLSw remote end peer entity Configure Bridge set connecting to DLSw Configure Sdlc role Configure to add ethernet port to Bridge set Configure Sdlc address Configure Sdlc virtual MAC addressSdlc-address Controller sdlc-address Add synchronous Interface to Bridge set Configure Sdlc peer entityConfigure XID of Sdlc Baudrate Configure to stop running DLSwConfigure baud rate of synchronous Interface Configure parameters of DLSw timer Configure Idle time encoding mode of synchronous InterfaceConfigure LLC2 local acknowledgement delay time Mseconds Configure modulo value of LLC2 Configure LLC2 premature acknowledgement window Configure LLC2 local acknowledgement time Configure retransmission number of LLC2Configure Busy status time of LLC2 Configure P/F wait time of LLC2 Configure queue length of sending message of LLC2 Configure REJ status time of LLC2Configure Queue Length of Sending Message of Sdlc Configure Sdlc local acknowledgement window Configure poll time interval of Sdlc Configure maximum receivable frame length of SdlcConfigure retransmission number of Sdlc Configure data bi-directional transmission mode of Sdlc Configure SAP address for transforming Sdlc to LLC2Lsap Dsap DLSw Configuration Networking Requirement Typical DLSw Configuration ExampleDLSw IP across WAN Router B Configuration Router a ConfigurationDLSw Configuration Router dlsw local Networking diagram of DLSw configuration of SDLC-SDLC Networking Diagram of SDLC-LAN When using command display dlsw remote DLSw FaultDiagnosis Virtual circuit cant attain Connected state Diagnosis and Troubleshooting of DLSw Fault Configuring Dlsw VI Routing 404 IP Routing Protocol IP Routing Protocol Routing Protocol or Type Corresponding Routing Priority Routing Protocol and Routing Priority Ospf ASE Default Route Configuring Static Routes Configuring a Static Route Configuring a Static RouteConfigure a Static Route Transmitting interface or next hop address Displaying Debugging Routing Table Configuring a Default RoutePreference Other parameters Other Troubleshooting aStatic Route RIP Overview Features is not subject to whether RIP has been enabled Configure RIP Enabling RIP Enable RIP at the Specified Network Define a Neighboring Router By default, the interface runs RIP-1Specify RIP Version Peer ip-address Configure Check Zero Field of RIP Version RIP Version 1 enables zero field check by defaultDisable a Host Route Specify the Status of an Interface Enabling Route Authentication onSummarization for RIP Version Configure RIP Horizontal Segmentation on the Interface By default, the default route metric for RIP isConfigure Route Import for RIP Specify a Default Route Metric Value for RIP Distribution for RIP Configure filtering route information received by RIPSpecify Additional Route Metric Value for RIP Set Route Preference Displaying and Debugging RIP Reset RIPFilter the Routing Information Being Advertised by RIP Display and Debug RIP RIP Unicast Ospf Overview Ospf Configuration ExampleOspf Overview Displaying and Debugging Ospf Configuring Ospf Specify Router ID Enable OspfRouter id router-id Undo router id Area area-id By default, Ospf is disabledArea-id Configure Sending Packet Cost Configure the Network Type of the Ospf InterfaceOspf network-type broadcast nbma P2mp P2p Cost Configuring a Peer for the Nbma Interface Specify the Router Priority Operation Command Set the priority of the interface whenOspf Dr-priority value Undo Ospf dr-priority Specify Dead Interval Specify Hello Intervall Specify Retransmitting Interval Configuring a Stubby Area and a TotallySpecify Transmit-delay Configure Totally Stubby Area of Ospf Perform the following configuration under Ospf viewStub cost cost area area-id No-summary Configure an Nssa Area of Ospf Perform the following configuration in Ospf view Abr-summary address mask mask area Configure Route Summarization Within Ospf DomainArea-id advertise notadvertise Undo abr-summary address mask mask Area-id None Router-id None Create and Configuring a Virtual Link Key-id Configure Authentication Configure Parameters When Importing External Routes Configure Route Import for Ospf Displaying Configure filtering route information received by OspfDebugging Ospf Filter for Ospf Router D 201 Router B 301 302 Router C 1.3 Ospf Configuration ExampleConfiguring Ospf on the Point-to-Multipoint Network RouterC ospf enable Enable OspfRouterA-Serial0ospf network-type p2mp RouterB-Serial0ospf network-type p2mp Configure DR on Ospf Preference E0 192.1.1.4/24 1.1 4.4 E0 192.1.1.1/24E0 192.1.1.2/24 E0 10.1.2.3/24 2.2 3.3 RouterD display ospf peer RouterA display ospf peer RouterB-ospfVlink peer-id 3.3.3.3 transit-area To configure an Ospf virtual link Configure Router aBetween Router B and Router C To configure Ospf peer authentication Configure Router a Normally Troubleshooting anOspf Configuration Ospf Configuration Example Configuring Ospf BGP Overview BGP Configuration ExampleBGP Overview Displaying and Debugging BGP Configuring BGP Perform the following configurations in system view Resetting BGP Connections Enabling BGPBy default, BGP is disabled Perform the following configurations in BGP view Configure BGP Route-update Interval Configure the BGP Version of the PeerSet the Timers for BGP Peer Configure to Send Community Attribute to the Peer Configure to distribute default route to the peerConfigure the Peer to be the Client of the Route Reflector Configure to Distribute Default Router to the Peer Configure the BGP MED Metric Create a Fltering Policy Based on Access List for the PeerCreate a BGP Route Filtering Based on AS Path for the Peer Allow Comparing Path MED Configure the Keepalive Timer and Holdtime Tmer for BGP Configure the Local PreferenceTimers keepalive-interval Holdtime-interval Add a Peer to the BGP Peer Group By default, there is no BGP peer in a peer groupPeer group-name Group-name Configure Connection Between Peers Indirectly Connected Configure AS Number of BGP Peer GroupSet the Timers of BGP Peer Group Configure BGP Routing Update Sending Interval Create Routing Policy for Peer Group Configure to send the default route to the peer groupConfigure to Send the Default Route to the Peer Group Create an Aggregate Addresses By default, software accepts BGP VersionConfigure BGP Version of Peer Group Aggregate address mask By default, an aggregate is disabledAs-set Undo aggregate address Undo reflect between-clients Reflect between-clientsClients within the reflection group Configure BGP Community Configure the Cluster IDStandard-community-list-number Extended-community-list-number As-number … Configure a ConfederationConfigure the Sub-system of E Confederation Schematic diagram of route dampening Display Route Flap Information Is insured When AS is not a transitional AS Configuring By default, BGP synchronizes with IGPConfigure Route Import for BGP Still exists Entry, an AS Path-list Define an access list entryDefine an AS Path-list entry Define a routing policy Define an apply clause Perform the following configurations in Routing policy viewDefine a match rule Filter for BGP Debugging BGP Reset BGP ConnectionsFilter Routing Information Being Advertised by BGP Display and Debug BGP Procedure for each configuration BGP ConfigurationAs-regular-expression acl Acl-number network-address Networking diagram of configuring AS confederation RouterA-bgppeer 192.1.1.2 as-number Configure Router B Configure BGP peersRouterB-Serial1ip address 193.1.1.2 RouterC-ospfinterface serial Configure Router D Configure BGP peers Start BGP Configure peerSpecify BGP transmission network RouterA-acl-1rule permit source 1.0.0.0 RouterC-bgppeer 193.1.1.1 route-policy localpref import RouterC-acl-1rule permit source 1.0.0.0 RouterD-ospf network 4.0.0.0 0.0.0.255 area 0 RouterD bgp Configuring BGP IP Routing Policy Configuring IP Routing Policy Operation Command Define a routing policy and enter into Configure IP RoutingPolicy Define a Routing Policy Configure a Matching Rules Apply community aa nn Define a Setting ClauseNo-export addtive none Apply tag tag-value Tag tag-value type 1 Configure Route ImportRoute-policy route-policy-name Ge-value less-equal le-value Define an IP Prefix ListIp ip-prefix prefix-list-name Debugging IP Routing Policy Perform the following configurations in all viewsOSPF-ASE external route discovered by Ospf protocol BGP route discovered by BGP protocol With different weighting values Configuring IPRouting Policy Protocol Route Information Configure RIP protocol Troubleshooting IPNormal operation Routerip ip-prefix p1 permit 192.1.1.0/24 Configuring IP Routing Policy Routing Configuring IP PolicyIP Policy Routing Define Apply Clause Create a Routing PolicyDefine Match Rules Enable/Disable Interface Policy Routing By default, interface policy routing is disabledDisplaying Debugging IP Policy Routing Interface Policy Routing Define access list Suggested procedure for each configurationRouter-acl-101rule deny tcp source any destination any Router-acl-102rule permit tcp source any destination any Router-Ethernet0ip policy route-policy aaa Adopt policy aaa in Ethernet interfaceRouterA-Ethernet0ip policy route-policy lab1 RouterB-ripnetwork RouterAdebugging ip policy-routing IP Multicast Configuring Igmp Configuring PIM-DM Configuring PIM-SMChapter 498 IP Multicast Class D address range Meaning Range and Meaning of Class D AddressesList for Reserved Multicast Addresses IP Multicast Routing Protocols IP Multicast Application IP Multicast PacketIP Multicast IP Multicast Igmp Configuration Example Configuring IgmpIgmp Overview Igmp Overview Configuring Igmp Configure Igmp Maximum Query Response Time Make the following configuration in interface viewConfigure the Igmp Version Number Run at Router Interface Debugging command in system view to debug Igmp Igmp ConfigurationDisplaying and Debugging Igmp Interfaces are all fast Ethernet FE Router a Router B Configuring Igmp Configuring PIM-DM By default, the system disables the multicast routing Make the following configuration in the system viewEnable Multicast Routing Operation Command Enable multicast routing Displaying and Debugging PIM-DM Start/Disable PIM-DM ProtocolDisplay and Debug PIM-DM Group-address source-address Enable multicast routing protocol PIM-DM ConfigurationEnable PIM-DM protocol Receiver 2 are the two receivers of this multicast group PIM-SM Overview Enabling Multicast Routing PIM-SM Configuration Enable/Disable PIM-SM Protocol By default, the interface disables PIM-SM protocolConfigure Candidate BSR Configure Candidate RP Configure PIM-SM Domain Boundary By default, no interface is configured to be candidate RPBy default, no PIM-SM domain boundary is configured Debugging PIM-SM Use the pim command in system view to enter PIM view Configure Router B Enable PIM-SM protocol Configure Router a Enable PIM-SM protocolRouterA multicast routing-enable RouterA interface ethernet RouterA-pimspt-switch-threshold 10 accept-policy Follow these steps Display pim neighbor command can be used to check whetherNeighbors have discovered each other RouterB-acl-5rule permit source 225.0.0.0 Configuring PIM-SM Viii Security 524 Configuring Terminal Terminal AccessAccess Security Configuring a User Configure EXECLogin Authentication Configure the authentication method list of Exec users Enable AAAConfigure Radius server and the shared secret Configuring Terminal Access Security Radius Overview AAA Overview Components of Radius server Basic message interaction process of Radius Code Packet type Explanation of the packet Request Authenticator Adopts 16-byte random codeType of Packets Decided by Code Field Attribute Fields AAA Enable/Disable AAA By default, AAA is disabledConfigure AAA Login Authentication Server-template-name method1 Configure PPP Authentication Method List of AAA Configuring an Authentication Method List for PPP UsersDefault methods-list method1 Default methods-list Configure AAA Local-First Authentication By default no address pool is defined by the systemConfigure AAA Accounting Option Configure Local IP Address Pool Configure a User and Password By default pool-number isConfigure Callback User Configure Ordinary User and Password Configure FTP User and the Usable Directory Configure User with Caller NumberConfigure Callback User and the Callback Number Configure User with Caller Number Configure FTP User and the Usable Directory Authorize a User with Usable Service TypesConfigure Authorizing a User with Usable Service Types Directory By default, no key is configured for the Radius server Configure Radius Server Shared SecretConfigure Radius Server Shared Secret Radius server hostname ip-address Configure the Time Interval for the Inquiry Packet Configure the Request Retransmission Times Authentication Case Accessing UserDisplaying Debugging AAA AAA and Radius Configure local-first authentication Configure IP address and port of Radius serverRouter aaa authentication-scheme local-first Routerradius server Radius Troubleshooting AAA Can Users Radius authentication is always rejectedConnected user cannot be seen in display aaa user Configuring AAA and Radius Protocol Firewall Overview Classification of Firewalls Packet filtering schematic diagram Command format when the protocol is IGMP, IP, GRE or Ospf Extended access control listCommand format when the protocol is TCP or UDP Operators of the Extended Access Control List Mnemonic Symbol of the Port Number UDP Protocol Mnemonic Symbol Meaning and Actual Value Operator and Syntax Meaning Configure the match sequence of access control listMnemonic Symbol of the Icmp Message Type Effect Perform the following configurations in system view Configure FirewallFirewalls are disabled by default Firewall Configure Extended Access Control List Configure Standard Access Control List Configuring Special Timerange Enabling and disabling filtering according to timerangeSet Default Firewall Filtering Mode Destination dest-addr dest- wildcard Set special time range Enable/Disable Filtering According to TimerangeSet Special Time Range Settr begin-time end-time Displaying and Debugging Firewall Use debugging, reset and display commands in all viewsSpecify Logging Host Display and Debug Firewall Configure access rules to inhibit passing of all packets Enable firewallRouterfirewall enable Routerfirewall default permit Router-Serial0firewall packet-filter 102 inbound Apply rule 102 on packets coming in from interface Serial0Router-Ethernet0firewall packet-filter 101 inbound IPSec Protocol IPSec Message Processing IPSec Related TermsFollowing terms are important to an understanding of IPSec Creating an Encryption Configuring IPSecAccess Control List Operator port1 port2 Create Encryption Access Control List Set the output of the crypto card log Configure Ndec Cards Enable the crypto cardsBy default, all the crypto cards are enabled Enable/Disable the Host to Backup the Ndec Cards By default, no proposal view is configuredSet the Mode for Security Protocol to Encapsulate Messages Define IPSec proposal Default mode is tunnel-encapsulation mode Selecting the Encryption Authentication AlgorithmSelect Security Protocol Select Security Protocol Creating a Security Policy Select Encryption Algorithm and Authentication Algorithm Configure access control list quoted in security policy By default, no security policy is createdPerform the following configurations in IPSec policy view Set start point and end point of security tunnel Configure IPSec Proposal Quoted in Security Policy By default, the security policy quotes no IPSec proposalSet IPSec proposal quoted in security policy Set SPI of security policy association and its adopted key Configure SPI Parameters of Security Policy Association By default, no key is used by any security policyConfigure Key Used by Security Policy Association Hex-key Set end point of security tunnel Set access control list quoted by security policyCreating a Security Policy Association with Specify End Point of Security Tunnel Set SA lifetime Set the IPSec proposal quoted in security policyProposal proposal-name1 Proposal-name2...proposal-name6 By default, apply the global SA lifetime Configure a separate SA lifetimeConfigure Global SA LIfetime Configure Separate SA LIfetime Debugging IPSec Use debugging, reset and display commands in all viewsApply Security Policy Group on Interface Ipsec sa dynamic-detect Dest-address protocol spi Reset crypto cardDisplay and Debug IPSec Use the debugging, reset and display command in all views IPSec Configuration ExampleDisplaying and Debugging the crypto card Creating an SA Manually Select authentication algorithm and encryption algorithm Adopt tunnel mode as the message-encapsulating formQuote access list Create the IPSec proposal view named tran1 Create a security policy with negotiation mode as manual Configure the routeApply security policy group on serial interface Exit to system view Set remote addresses Create a security policy with negotiation mode as isakmpCreate the IPSec proposal view named trans1 Configure corresponding IKE Configure ip address of the serial interfaceConfigure serial interface Serial0 Create a security policy with negotiation view as isakmp Adopt tunnel module for packets encapsulation form Establish a security policy with manual negotiation modeReturn to system view RouterB ike pre-shared-key abcde remote Set local address Enter Ethernet interface view and configure IP addressSet encryption key Apply security policy base on serial port Troubleshooting IPSec Ndec card cannot be configured Establish a security policy with manual configuration modeReturn to the system view RouterB ipsec policy map1 10 manual Do the following Configuring Ipsec Configuring IKE Policy Configuring IKEIKE features Ike proposal policy-number Create IKE PolicyView Delete IKE policy Undo ike Select Authentication Method Selecting an Authentication AlgorithmConfigure Pre-shared Key Select Encryption Algorithm Select Hashing Algorithm By default, 768-bit Diffie-Hellman group is selectedSelect DH Group ID Set Lifetime of IKE Negotiation SA Reset ike sa connection-ike-sa-id Configure IKE Keepalive TimerDisplaying and Debugging IKE Display and Debug IKE Invalid user ID information IKE Configuration Unable to establish security channel Unmatched policy IX VPN Configuring VPN Configuring L2TP Configuring GRE 596 VPN Overview Applications of VPN Basic NetworkingClassification of IP Authority given by local ISP Comparison of layer 2 and layer 3 tunnel protocols Layer 2 tunneling protocolLayer 3 tunneling protocol Configuring VPN Vpdn Operation Vpdn and L2TP L2TP channel Methods of Implementing Vpdn Tunnel and session Networking diagram of two typical methods of Vpdn Control message and data message IV. Call setup flow of L2TP tunnel Call setup flow of L2TP channel Features of L2TP Enable L2TP Basic Configuration atEnable/Disable L2TP L2tp enable Ip-address … domain domain-name Originate L2TP Connection Request and LNS AddressL2tp-group group-number Configure AAA and Local Users By default, L2TP is disabledDefault list-name method1 L2TP Attribute Table Operation Command Create a virtual template Operation Command Create a L2TP groupCreate/Delete L2TP Group Create/Delete a Virtual Template By default, receiving dial-in from LAC is disabled Advanced Configuration at LAC or LNSConfigure the Name of the Receiving End of the Tunnel Configure Local VPN Users By default, the local name is the host name of router Enable Tunnel Authentication Setting PasswordSet Local Name Tunnel name name Set the Interval for Sending Hello Message Configure the Interval For Sending Hello MessagesSet Tunnel Authentication and Password Set Domain Name Delimiter and Searching Order Configure Domain Delimiter and Searching OrderForce Operation Command Force to disconnect tunnel This configuration is applicable to LNS onlyReset l2tp tunnel remote-name Force to Disconnect Channel LCP to Renegotiate Configure the Local Address and Address PoolLCP does not renegotiate by default By default, AV pairs are hidden Enable/Disable Hiding Attribute Value Pairs AVEnable/Disable Hiding AV Pairs Number of L2TP Sessions By default, the maximum number of L2TP sessions is L2TP Configuration ExamplesUse debugging, display command in all views Display and Debug L2TP Configure the IP address of Serial1 interface of LAC Implement local AAA authentication on VPN userEnable L2TP service and configure a L2TP group Configure BDR dialup parameters Configure the Virtual-Template-related information Configure the IP address of Serial0 interface of LNS Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Router-LACip pool 1 192.170.0.3 Client-originated VPN Networking Configure BDR parameters Configure the IP address of Serial1 interface at LAC sideConfigure the IP address of Serial0 interface at LNS side Disable tunnel authentication Network Connection Wizard Network Connection Wizard Connect Connection to Configure a L2TP group and the related attributes Configure an IP address on Serial0 interfaceConfigure the domain suffix separator to @ Router1 l2tp domain suffix-separator @ Configure Virtual-Template Enable AAA authenticationForce to implement local Chap authentication III. Procedures Configuration at Router2 LNS side Enable AAA authentication Configure a L2TP group and configure the related attributesConfigure an address pool 1 in the range of 192.168.0.2 to Configure an access control list and specify L2TP data PPP negotiation fails. The reasons may be Fault 1 The users fail to log Troubleshooting L2TP Configuring L2TP Packet GRE ProtocolEncapsulation Encapsulated tunnel message format Refer to RFC Enlarge network operating range By default, no virtual tunnel interface is created Configuring GRECreating a Virtual Tunnel Interface Create Virtual Tunnel Interface Setting the Network Address of a Tunnel Must be configured InterfacePerform the configurations in the tunnel interface view Address of the Tunnel Set Tunnel Interface to Check with Checksum Number discardedSet the Tunnel to Synchronize Datagram Sequence Numbers Gre key key-number Group1 and group2. It can be implemented by using GRE GRE Configuration ExampleDebugging GRE All views Configure Router B Configure the IP address of Serial0 Configure the IP address of Ethernet0 interface Configure the IP address and IPX address of Ethernet0 Configure Router a Activate IPXConfigure the static route to Novell Group2 Configure Router B Activate IPX RouterB ipx route 1e 1f.a.a.a tick 30000 hop Networking of troubleshooting GRE Configuring a Standby Center Configuring Vrrp 646 Standby Center Configuring Standby Center Address logic-channelnumber Enter the Logic Channel ViewFr map protocol address dlci dlci Next-hop-address dialer-number Standby timer enable-delay seconds Channel to check whether it has recoveredUndo standby timer enable-delay Standby timer disable-delay seconds Load Sharing view Please perform the following configuration in all viewsInterfaces Enter the view of Serial Router-logic-channel10standby interface serial Enter the view of logic channelChannel Router-Serial1logic-channel Troubleshooting Vrrp Vrrp Configuration ExamplesVrrp Overview Vrrp Overview Address Configuring VrrpAdding a Virtual IP Add Virtual IP Address Configure Router Priority in Standby GroupVrrp vrid virtualrouterid Undo vrrp vrid virtualrouterid Vrrp provides simple character authentication method Configuring Authentication Method Authentication KeyConfigure Authentication Method and Authentication Key Virtualrouterid Group Timer Configure StandbyDebugging Vrrp Monitoring Procedure for each configuration Vrrp ConfigurationBackup with preemption aII. Networking diagram Vrrp Single Standby Balancing and mutual backup are implemented Gateway services insteadGateway function as the master Multiple Standby Many master routers exist within the same standby group There is requent switchover of the Vrrp state XI QOS 662 QOS Overview Three Types of QoS Services QOS Overview Benefits of QoS for the Network Service QOS Overview Traffic Policing Traffic Classification Traffic POLICING, Traffic Shaping and Line Rate Rate CAR Committed Access Define CAR Rules Defining RulesQos carl carl-index precedence Precedence-value mac mac-address Apply the CAR Rule on the Interface By default, no CAR rule of ACL list is establishedApplying the CAR Policy on the Interface Configure the Priority Level Based CAR Policy CAR Configuration Applying a CAR Policy to all PacketsDisplaying and Debugging CAR Display and Debug CAR Configure the CAR Policy Based on the MAC Address Apply a CAR Policy on the Packets that Match ACL Traffic ShapingMatches ACL Packets Schematic diagram of GTS processing Configuring shaping parameters for a specified flow Shape the flows matching 110 on Ethernet interface Configuring shaping parameters for all flowsConfigure the ACL Physical Interface Line Configure the Physical Interface LIne RateRate Shape all the flows on Ethernet interface Display qos lr interface type Operation Command Display the LR configuration conditionsDisplaying Display and Debug LR Debugging LR Congestion Management Management Policy CongestionFifo Queuing Priority Queuing Selecting Congestion Management Policies Number Queues Advantage Disadvantage Comparison of Several Congestion Management Policies Schematic diagram of the first in first out queue Schematic diagram of the custom queuing Schematic diagram of weighted fair queuing Weighted Fair Queuing WFQ Configuring Fifo Queuing Configuring Congestion ManagementConfiguring priority queuing Configure the First In First Out Queuing Values of Queue-Option with Protocol as IP By default, no priority queue is establishedProtocol-name queue-option queue Pql-index protocol Specifying the queue length of the priority-list queuing By default, the interface utilizes the Fifo queueApplying the priority-list queuing group to the interface Configuring Custom Queuing CQ Configuring custom-list queuingDefault Length Value of the Priority Queue Displaying and debugging the priority queue Configure the Default Custom-List Queuing Configure the Custom-Lst Queuing According to the InterfaceQueue-number Queue queue-number Configuring the queue length of the custom-list queuing By default, the interface uses the Fifo queueConfigure the Queue Length of the Custom-List Queuing Applying the custom-list queuing group to the interface Displaying and debugging the custom-list queue Configuring Weighted fair queuingDisplaying and debugging the weighted fair queue PQ Configuration Example Congestion Management Configuration ExamplesApply the priority queue 1 to Serial Apply the priority queue 2 to Serial Configure Router B Configure the access control list Configure the CQ queueRouterA-Tunnel0ip address 10.1.1.1 RouterA-Tunnel1destination Configure Tunnel0 Configure Serial0 master/slave addressesConfigure Tunnel1 WFQ Configuration Example Congestion Management Congestion Avoidance Congestion Avoidance Enable the Wred Wred ConfigurationEnable Wred Function of the Interface Ip-precedence Discard-prob Configure a WFQ queue Congestion Avoidance Configuration ExampleEnable Wred Displaying Debugging Congestion Avoidance Congestion Avoidance XII DIAL-UP Configuring DCC Configuring Modem 704 DCC Overview Terms in DCC Configuration DCC Circular DCC Resource-Shared DCC Implementing callback through DCC Basic DCC featuresWith 3Com Routers Preparing to Configure Configuring DCCPrepare the data for DCC configuration Configure the local parameters of DCC Configure Physical Interface Mode Configuring the mode of the physical interfaceLinklayer-protocol-type Ip address ipaddress mask Associating a DCC dialer ACL with the interface Configuring an interface to originate calls to a remote end Dialer enable-circular Configure an interface to receive calls from a remote endDialer number dial-number Undo dialer number Next-hop-address dial-number DialerRoute protocol Next-hop-address Undo dialer route protocol Dialer circular-group number Undo interface dialer numberUndo dialer circular-group Dialer priority priority Undo interface dialer number Interface dialer numberDialer circular-group number Undo dialer circular-group Router Dialer0 Configuring the dialer interface and dialer number Configuring dialing authentication for resource-shared DCCBy default, no dialer interface is created Enabing Resource-Shared DCC Configuring dialing authentication for resource-shared DCC Threshold traffic-percentage Configuring MP binding in circular DCCConfigure MP Binding in Circular DCC Configuring PPP callback in the circular DCC implementation Configuring MP binding in resource-shared DCCConfigure MP Binding in Resource-Shared DCC Dialer threshold traffic-percentage Implement PPP Callback Server Configuration in Circular DCC Implement PPP Callback Client Configuration in Circular DCC Telephone-number CommandNext-hop-address user username Dial-number Dialer callback-center dial-number Features of Isdn caller identification callbackPrimary rule The best match is the number with the fewest Identification Operation Command Configure the local end to implementUndo dialer call-in remote-number Callback according to the Isdn caller Configuring auto-dial Configuring Isdn leased lineConfiguring Special DCC Functions Configure Isdn leased line for Circular DCC Configuring the Link Idle Time Configuring dialer number circular standbyConfigure Auto-Dial Configure Dialer Number Circular Standby By default, the link disconnection time is 20 seconds By default, the link idle time is 120 secondsConfiguring the link idle time when interface competion Configure the Link Idle Time By default, the timeout of call setting up is 60 seconds Configuring the timeout of call setting upConfiguring the buffer queue length of the dialer Debugging DCC DCC Applications in Common Use DCC Configuration ExamplesSolution Configure RouterB Configure RouterCRouter-Serial1dialer circular-group Router-Serial0dialer route ip 100.1.1.1 Router-Serial1dialer bundle-member Router-Serial0dialer bundle-member Configure RouterC Configure RouterC Router-Dialer0dialer threshold Configure RouterARouter-Bri0dialer bundle-member Router-Serial015dialer route ip 100.1.1.1 Router-Bri1dialer route ip 100.1.1.1 Router dialer-rule 1 ip permit Router interface serial Router-Serial1dialer enable-circularRouter-Serial0dialer route ip 100.1.1.2 Router-Bri0dialer route ip 100.1.1.2 user usera Callback for DC C Configure the PCBy the NT server NT Server-to-Router Router-Async0dialer route ip 100.1.1.254 Dial Number Circular Standby and Internet Access for DCC Router-Serial0dialer route ip 100.1.1.254 Configure subscriber PC Router-Serial215ppp chap password simple passb Router-Serial215ppp authentication-mode chap Router-Serial1standby logic-channel Remote end cannot be pinged after the modem is connected Message Fault DCC Fault Messages DCC peeraddr matching error Modem Script Modem Function Provided by 3Com Routers Receive-string1 send-string1 receive-string2 send-string2 Syntax description of modem scriptModem script format in common use is as follow By default, modem dial-in and dial-out are allowed Which, seconds defaults to 180 and is in the range of 0 toConfigure the Modem Dial-in and Dial-out Authorities Configure a Modem Script Configure Modem Through the AT CommandConfigure a Modem Script Execute a Modem Script Manually Configure the Answer Mode for the Modem By default, the modem works in non-auto answer modeConfigure Authentication for a Modem Dial-in User Specify the Events Triggering the Modem Scripts Executethe debugging command in all views for the debugging Modem Configuration ExamplesConfigure a Modem adaptation baud rate Displaying and Debugging a Modem AT&b1&c1&d2&s0=0 Restore the ex-factory modem settingsConfigure the modem initialization parameters Authentication for Power-on Initialization Through Initialization ScriptDirectly Modem Dial-in User Troubleshooting Configuring Modem

Displaying and Debugging the crypto card

Use the debugging, reset and display command in all views.

Table 655 Display and Debug NDEC Card

slot-id ]

spi-number

remote-address protocol spi-number

IPSec Configuration Example

Creating an SA Manually