Manuals / 3Com / Computer Equipment / Network Router

3Com 10014299 manual Apply security policy group on serial interface, Configure the route

Models: 10014299

1 762

Download 762 pages 3.46 Kb

Page 583

Image 583

IPSec Configuration Example 579

lApply security policy group on serial interface

[RouterA]interface serial 0 [RouterA-Serial0]ipsec policy policy1

[RouterA-Serial0]ip address 202.38.163.1 255.255.255.0

mConfigure the route.

[RouterA] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1

2Configure Router B:

aConfigure an access list and define the data stream from Subnet 10.1.2x to Subnet 10.1.1x.

[RouterB] acl 101

[RouterB-acl-101]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[RouterB-acl-101]rule deny ip source any destination any

bCreate the IPSec proposal view named tran1

[RouterB] ipsec proposal tran1

cAdopt tunnel mode as the message-encapsulating form

[RouterB-ipsec-proposal-tran1] encapsulation-mode tunnel

dAdopt ESP protocol as security protocol

[RouterB-ipsec-proposal-tran1] transform esp-new

eSelect authentication algorithm and encryption algorithm

[RouterB-ipsec-proposal-tran1]esp-new encryption-algorithm des

[RouterB-ipsec-proposal-tran1]esp-new authentication-algorithm

sha1-hmac-96

fCreate a security policy with negotiation mode as manual

[RouterB] ipsec policy use1 10 manual

gQuote access list

[RouterB-ipsec-policy-use1-10] security acl 101

hQuote IPSec proposal

[RouterB-ipsec-policy-use1-10] proposal tran1

iSet local and remote addresses

[RouterB-ipsec-policy-use1-10] tunnel local 202.38.162.1

[RouterB-ipsec-policy-use1-10] tunnel remote 202.38.163.1

jSet SPI

[RouterB-ipsec-policy-use1-10] sa outbound esp spi 54321

[RouterB-ipsec-policy-use1-10] sa inbound esp spi 12345

kSet session key

[RouterB-ipsec-policy-use1-10]sa outbound esp string-key gfedcba

[RouterB-ipsec-policy-use1-10]sa inbound esp string-key abcdefg

lExit to system view

[RouterB-ipsec-policy-use1-10] quit

mEnter serial interface view

[RouterB] interface serial 0

nApply security policy group on serial interface

Page 583

Image 583

3Com 10014299 manual Apply security policy group on serial interface, Configure the route, Exit to system view

Contents

3Com Router Configuration Guide 01752-3064 3Com CorporationCampus Drive Marlborough, MAPage VPN List conventions that are used throughout this guide This guide describes 3Com routers and how to configure themText Conventions About this Guide 3Com Router Introduction 3Com Router User Interface Page 3COM Router Introduction Router Version Features of the 3ComFollowing table lists the basic features of the 3Com Router List of the 3Com Router 1.x featuresRIP-1/RIP-2 NAT Quality of service 3Com Router New Features of the 3Com Router 1.x 3COM Router Introduction Port ConfigurationEstablish EnvironmentEstablish a new connection Set port communication parameters Establish a remote configuration environment Router ConfigurationConnection EnvironmentWorkstation Ethernet Interface CLI Command Line3COM Router User Interface Views and their prompts System view TableEnter controller Async 0 in anyEthernet 0 in any Loopback 0 in anyFull help HelpsPartial help Routerdisplay ? List of common command line error messagesCommon error Message Causes For exampleThree options are available for users Command LineFeatures Display FeaturesManagement Following commandsPlease perform the following commands in system view User IdentitySystem Configure the router nameSet the system clock Display the System Information Router By default, the system clock is 080000 1 1Execute the following commands in all views Reboot the systemSystem Management Page Softwaresoftware Storage Media and File Types Supported by the SystemInput Ctrl+D, and the following prompt information displays Upgrade Boot ROM Software Main Program software Upgrade the 3ComRouter Main Program SoftwareXModem Approach Modify the terminal baud rate Transfer File dialog box Enable the Tftp server program Preparation for using the Tftp serverTftp server application can run on Windows 95/98/NT Tftpd32 Set interface Press Enter and the following prompts will be displayedNetwork Interface Parameters Enter Ctrl+B and the system promptsGet ip-addr file-name system Download configuration files from a Tftp serverOperation Command Downloads the 3Com Router main Press Enter for loadingSet an authentication mode for an FTP server Prepare for using the FTP serverEnable FTP server Upgrade the 3Com Router Main Software with FTPCopy ip-addr file-name system Back up the 3Com Router Main Program SoftwareTftp Approach FTP ApproachSetup Users Dialog Box Password Configure on-line upgrading of the cardUpdate slot slot-number ftpserver host-name Port-number user user-name passwordContent and Format of the Configuration File Configuration File ManagementDownload Configuration File Perform the following command in system viewSet the binary transmission protocol to XModem/CRC Load configuration filesDownload Config Router download configFile-name config Display current-configurationcommand output backup approachBack up Configuration Files Upload configuration files to a Tftp serverView router configuration Please use the following commands in corresponding viewsErase the configuration file in storage media Select and view the storage media of configuration fileSave current configuration Set the Flag Bit to Enter the Initial Setup ModeFiles on the router Configure FTPConfigure authentication and authorization of FTP server Client via port 20 and transfer dataSet the authentication mode of FTP server Enter the following commands in system viewConfigure Parameters of FTP Service Please enter the following commands in system viewForce to shut down FTP process Set FTP update modeSet the connection time limit of FTP service Force to shut down FTP processDisplay local-user Display FTP Server Display FTP serverDisplay ftp-server Server Display detailed information of the FTP userSystem Management Overview Terminal ServiceFeatures of Terminal Service at Console PortOn one router ServiceSet the attributes of terminal service Terminal MessageEnable/disable receiving messages from other terminals Perform the following configuration in all viewsConfigure Terminal Message Service Display Terminal Message ServiceTerminal Service Typical Example Terminal Message Service ConfigurationDumb Terminal By default, no dumb terminal service is configured Configuration Examples Dumb Terminal ServiceConfigure Dumb Terminal Configure Auto-execute commandRouter-Serial1auto-execute command telnet Terminal Service Telnet ConnectionConfigure the interface to dumb terminal mode Configure the auto-execute command commandService Value Terminal service features of telnet connectionEstablish Telnet Connection Establish Telnet Server or Telnet Client connection Setup Reverse Telnet ConnectionEnable Reverse Telnet connection Service-portForce to shut down Telnet process Typical Configuration Example of Telnet Reverse TelnetForce shut down Telnet Process Example of TelnetRouter telnet 10.110.164.44 Rlogin TerminalUse Rlogin protocol Example of Reverse TelnetUse local user name abc to log on Establish a Rlogin connectionTypical Rlogin Configuration Examples Rlogin ip-address usernamePAD Remote Access ServiceCommunicate with other terminals through the X.25 network Local-user user-name Configure X.25 PAD remote userConfigure X.25 PAD remote user Service-type type passwordEstablish a X.25 PAD call Start AAA authentication of X.25 remote usersEnable AAA authentication for X.25 remote PAD users Establish an X.25 PAD callSet the Response Time to the Invite Clear Message II. Networking DiagramIII. Configuration Procedure Display and DebugRouterB-serial0x25 x121-address Fault Diagnosis TroubleshootingSet its X.121 address as RouterA-serial0x25 x121-addressDevelopment of Snmp Snmp OverviewConfiguring Network Management SNMP-supported MIB Snmp architecture3Com Router-supported MIB By default, the system disables Snmp serviceEngineid Configure Snmp version and related tasks Perform the following configurations in system viewInterface-number Configure information of router administratorConfigure the traps to be sent by the router V1 usernameByte-count Perform the following commands in all viewsDisplay and debug Snmp NameExamples Networking Requirements Example 1 Configure Network Management of SNMPv1Set the community name and access authority Configure an IP address for the Ethernet interface ethernetRmon Overview Configure an IP address for the Ethernet interface ethernetNetwork equipment Schematic diagram of Rmon application Examples Networking Requirement Enable Rmon statisticsRouterA-Ethernet0 rmon promiscuous Commands to display information of the whole system Test Tool of Network Connection Ping commandIp-address Ping supporting IP protocolSystem displays Ping supporting IPX protocolMaxTTL -p port -q nqueries Following command can be executed in any command modesTracert command Timeout hostLog Function Configure on the routerSet the direction of syslog outputting log information Set Filter of Log Information Set Severity of Log InformationPerform the following task in system view Sylog-defined severity is as followsTurn on/turn off syslog Configuration of Log HostTurn on/turn off syslog Display and Debug SyslogRouterdebug ppp all Syslog Configuration ExampleTurn on debugging switch of PPP module Routerinfo-center enableDisplay and Debugging Tools Dial-up POS Access POS Terminal Access ServiceAdvantages of POS network access are as follows POS Network AccessConfigure POS access port POS Access Service ConfigurationStart POS server Ip-address port-number Configure a POS applicationInterface-type interface-number App-numberDefault app-number Configure POS multi-application mapping tableBind the source address of TCP connection Set the parameters of FCM used during Modem negotiation Display and Debug POS AccessDisplay and debug POS access Set the parameters of FCM used during Modem negotiationConfigure POS access interface FCM1 Typical Configuration Example of POS Access ServiceConfigure the Ethernet interface Ethernet Configure the POS access interface FCM0Configure POS access interface FCM0 Configure POS access interface FCM2III. Configuration Procedure 1 Start the POS access server Configure Router a Start the POS access server Configure Async 0 to operate in POS application modeConfigure Async 1 to operate in POS application mode III. Configuration ProceduresRouterA ip route-static 10.1.1.2 255.255.255.0 serial Configure Router B Configure the Ethernet interface EthernetIII Interface 106 Interface Configure InterfaceEnter the Interface View Interface-description Exit the Interface ViewInterface view, input quit to return to the system view Set time interval for flow control statisticsInterface state information Please use the following commands in all viewsDisplay and Debug Interface Display and debug interfaceInterface Configuration Overview Ethernet Interface Configure Ethernet InterfaceSet frame format of sending message Enter view of specified Ethernet interfaceSet IP address Set IPX addressSelect working rate of fast Ethernet interface Select work mode of Ethernet interfaceEnable or disable internal loopback and external loopback Display and DebugTroubleshooting Typical Ethernet Interface Configuration ExampleII. Network Diagram Troubleshooting Configuring LAN Interface Introduction WAN InterfaceAsynchronous Serial Interface Interface async number Enter view of specified asynchronous interfaceInterface serial number Link-protocol slip ppp Set the work mode of asynchronous serial interfaceSet the baud rate of asynchronous serial interface Modem in outFlow-control none software Async Mode protocolHardware inbound outbound Stopbits 1 1.5 Works in flow modeParity even mark none Odd spaceSet the coding format of Modem BackupAUX Interface Set MTU of asynchronous serial interfaceSynchronous Serial Interface Configure AUX interfaceConfigure AUX interface Configure Synchronous Serial InterfaceLink-protocol fr hdlc Enter view of specified synchronous interfaceSet the link layer protocol of synchronous serial interface Physical-mode syncSynchronous serial interface is 64000 bps Select work clockWorking modes have different working clocks Set the baud rate of synchronous serial interfaceSelect work clock Inversion is disabled by defaultSet clock inversion Reverse-rts Internal loopback/external loopback are disabled by defaultDetect dcd Undo detect dcdGraphics and video Isdn BRI InterfaceIdle coding of synchronous serial interface is 7E Technical BackgroundBe clear about the following items before the configuration Preparations before ConfigurationFunction group includes Interface or a PRI interface Channelized operating modeCE1/PRI Interface Network protocols such as IP and IPXEnter the view for a specified interface Configure CE1/PRI CE1/PRI interface configuration includesDial-on-Demand Routing InterfaceBind the interface to be channel sets Enter the synchronous serial interface viewNumber set-number Undo pri-set Bind the interface to be a pri setEnter the Isdn interface view Pri-set timeslot-list rangeSet the frame format of CE1/PRI interface Enable/disable the internal loopback/external loopbackSet the line code format on the CE1/PRI interface Set the line clock of the CE1/PRI interfaceCT1/PRI Interface Configure CT1/PRIController t1 number Operation Command Enter the view of CT1/PRI interfaceTimeslot-list range speed Interface serial number23 Set the line clock of the CT1/PRI interface Set the line code format on the CT1/PRI interfaceSet the frame format of CT1/PRI interface Them into multiple channel sets Choice for E1 accessE1-F interface does not support PRI operating mode E1-F InterfaceFe1 unframed Set Operating mode for an E1-F interfaceEnter the view of an E1-F interface Interface serial serial-numberSet line code format for E1-F interfaces Set interface rate after binding operationSet line clock for an E1-F interface Serial-number Enable/Disable local/remote loopback on an E1-F interfaceSet frame format for an E1-F interface Display and debug E1-F interface193 X 8k = 1544kbps Choice for T1 accessT1-F interface does not support PRI operating mode T1-F InterfaceSet line code format for T1-F interface Set line clock for a T1-F interface Enable/Disable local/remote loopback on a T1-F interfaceSet frame format of T1-F interface Display and debug T1-F interface Other related informationCE3 Interface Display and Debug T1-FEnter the view of the specified E3 interface Set the operating mode of E1 channel Set the operating mode of CE3 interfaceSet E1 frame format Data bandwidth 44736kbps Mode non-channelized modeCT3 Interface 44.736MbpsSet cable length of the CT3 interface Set clock mode of the CT3 interfaceSet clock mode of the T1 channel Enter specified CT3 interface viewBy default, the CT3 interface uses the C-bit frame format By default, loopback is disabled Set Frame FormatPerform the following configurations in CT3 interface view Set CRC of the serial interface Set the operating mode of T1 channelT1 line-number unframed Display and debug of the CT3 interface Disable and Enable CT3 interfaceConfiguring WAN Interface Dialer Interface Logical InterfaceNull Interface Configure LoopbackSub-Interface Number.sub-number multipoint Configure sub-interfaces of Ethernet interfaceCreate and delete WAN sub-interface Number.sub-numberSelect frame relay link layer protocol Enter the view of WAN interface Serial0 of router aRouterinterface serial Allocate a virtual circuit with Dlci 50 to it Configure the static route from router a to LAN2 and LAN3Specify DTE as its frame relay terminal type Set its IP address to 202.38.160.1 and address mask toUndo interface Set work parameters of virtual-templateCreate or delete virtual-template Interface virtual-templateVirtual-template-number Fault 1 Fail to create virtual interfaceTroubleshooting the reasons may be as follows Display state of the specified virtual-templateLink Layer Protocol 164 PPP Overview PPP Authentication ModeConfiguring PPP and MP Transmission time of large packets Configure PPPMP Overview For detailed description of PPP, refer to RFC1661Name-list Configure the link layer protocol of the interface to PPPConfigure the local authenticates the peer in PAP mode Configure the peer authenticates the local in PAP modeUser username Configure the local authenticates the peer in Chap modeConfigure as the peer authenticates the local in Chap mode Cipher passwordConfigure the time interval of PPP negotiation timeout Configure AAA authentication and accounting of PPPConfigure PPP compression Resumptive-percentage Perform the following configuration in interface viewConfigure PPP link quality monitoring Ppp lqc forbidden-percentageBind the physical Interface to a Virtual Template Configure MP Protocol Parameters Create Virtual TemplateConfigure Operating Parameters of Virtual Template Create/Delete virtual templateUser-name Specify the conditions for MP bindingFrags Configure virtual Baud rate on interfaceConfiguration Requirement Typical PPP Configuration ExampleExample Set local username as Router1 Typical MP Configuration ExampleII. Configuration Procedure Configure to start Chap authentication at this sideConfigure router-b Add a user for router-a Configure virtual interface templateConfigure router-c Add a user for router-a Indicates that the interface is shutdown Fault Diagnosis TroubleshootingFault 1 Link always fails to turn to up status Fault 2 Physical link fails to turn to Up statusIntroduction to PPPoE client PPoE OverviewClient Configure PPPoEReset or delete PPPoE session Configure PPPoE sessionIII. Configuration Procedure 1 Configure a dialer interface Typical PPPoE Configuration ExamplePerform the display and debugging command in all views Access a LAN to the Internet via AdslUse Adsl as Standby Line Configure a PPPoE sessionConfigure the LAN interface and the default route Configure the DDN interface SerialConfiguring Pppoe Client For further details about SLIP, you can refer to RFC1055 Configure SlipAsynchronous mode Slip OverviewInterconnect two Router routers via Pstn and run IP Enable/Disable the information debugging of SlipTypical Slip TimeConfigure the default route to Route B Configure Router a Configure Dialer RuleConfigure IP address of synchronous/asynchronous interface Configure the Dialer String to router BRouterip route-static 0.0.0.0 0.0.0.0 Isdn Overview Configure IsdnConfigure the receiving mode By default, DSS1 signaling is used on Isdn PRI interfacesConfigure type of signaling on Isdn interface Configure the length of call referenceTime-interval Configure the sending modeConfigure interval for Qsig signaling timer Timer-name allPerform the following configuration in Isdn interface view Configure Call Processing Method on an InterfacePerform the display and debugging commands in all views RouterB transmit data after the call is set up Typical Configuration ExampleConfigure Router a Create an Isdn PRI interface Configure the Isdn PRI interfaceConfigure Router B Configure Router aProtocols Overview LapbPSN 25 packet and Lapb frame By default, the Lapb modulus is Modulo Configure LapbBy default, k is Configure Lapb N1, N2 Configure Address Configure X.25 InterfaceSet/Cancel the X.121 address of the interface Set X.25 working modeParameter Meaning 25 channel delimitation parametersFinally, the following should be noted By default, X.25 interface use modulo 8 modeSet/cancel X.25 virtual circuit range Set/Cancel X.25 packet numbering moduloOut-packets Configure X.25 flow control parameterConfigure X.25 Interface Supplementary Parameter Set the default flow control parameterSet X.25 layer 3 timer delay 25 layer 3 timerMatch-type alias-string Specify/Cancel an alias for the interfaceAlias match modes and meanings Alias-stringSet/Cancel the default upper layer protocol borne on Address option Configure X.25 Datagram TransmissionCreate the permanent virtual circuit PVC Protocol-address x121-addressUndo x25 pvc pvc-number Configure Additional Parameters Datagram TransmissionCreate/Delete permanent virtual circuit X25 pvc pvc-number protocolInterface view, perform the following task Configure X.25 user facility Specify/Cancel packet pre-acknowledgementSerial port view, list1 can be quoted Configure the sending queue length of virtual circuitAddress logic-channel Set broadcast viaSet interface with standby center Address broadcastNumber.subinterface-number multipoi Switching FunctionConfigure X.25 sub-Interface Configure X.25 SwitchingAdd or delete a PVC route Configure X.25 Load BalancingIntroduction to X.25 Load Balancing Configure X.25 Diagram of X.25 network load balancing List of Configuration Tasks of X.25 Load BalancingCreate/Delete X.25 hunt group Start /Close X.25 switching functionAdd/Delete interfaces or XOT Tunnels in hunt group Introduction to XOT Protocol Configure X.25 over Other ProtocolsAdd/delete other X.25 switching routes Configure X.25 over TCP XOTConfigure XOT For PVC, perform the following tasks in interface view Start X.25 switchingConfigure local switching Configure SVC XOT switchingConfigure Keepalive and xot-source attributes Configure Annex G Data InteroperationConfigure PVC XOT switching Configure X.25 over Frame Relay Annex GConfigure the X.25 attributes for an Annex G Dlci Configure the X.25 Attributes for a DlciSpecify IP address for this interface Typical Lapb Configuration ExampleBy default, X.25 template is not applied on DLCIs Current status of LapbConfigure Router a a Select interface Configure Router B Select interfaceSpecify X.121 address of this interface Connect the Router to X.25 Public Packet Network Specify address mapping to the peerConfigure Router B Configure interface IP address Configure Router a Configure interface IP addressConfigure Router C Configure interface IP address Transmit IP Datagram via X.25 PVC Configure Virtual Circuit I. Networking RequirementDisabled RangeRouter-Ethernet0ip address 196.25.231.1 Typical Sub-Interface Configuration ExampleConfigure Router D Configure Router CCreate sub-interface serial SVC Application of XOT I. Networking Requirement Routerx25 switch svc 1 xot Configure Router C Start X.25 switchingConfigure Serial Routerx25 switch svc 2 interface serialApplication of X.25 Load Balancing Add Serial 1, Serial 2 and XOT Tunnel to hunt group Enable X.25 switching in system viewConfigure X.25 switching route to forward to X.25 terminal S11Routerinterface serial Router-Serial0link-protocol x25 dce Routerx25 switch svc 1111 xotRouterx25 switch svc 8888 interface serial Load Balancing Carrying IP Data TransmissionConfigure RouterB Configure interface Ethernet Configure RouterA Configure interface EthernetConfigure interface Serial Configure static route to RouterCConfigure an IP address for the local interface Configure the static route to RouterA and RouterBConfigure RouterA Create an X.25 template Configure the local X.25 addressSVC Application of X.25 over Frame Relay Configure RouterB Create an X.25 templateMap the Frame Relay address to the destination IP address Associates an X.25 template with the DlciConfigure Serial 1 as the Frame Relay interface Configure the router Router B Enable X.25 switchingEnable switching on Frame Relay DCE Configure Serial 0 as the X.25 interfaceConfigure local X.25 switching.Router-fr-dlci-100annexg dte Configure X.25 over Frame Relay switchingConfigure the router Router C Enable X.25 switching Configure the Frame Relay Annex G DlciConfigure S1 as the Frame Relay interface Configure Router D Configure the basic X.25 parametersConfigure Router B Enable X.25 switching Configure an X.25 templateLapb Configure Serial Configure S1 as the Frame Relay interfaceFacility options inhibited by network have been carried Fault Diagnosis and Troubleshooting of X.25 Configuring Lapb Configuring Frame Relay Nonstandard By default, the interfaces link layer protocol is PPPLink-protocol fr ietf RelayConfigure Frame Relay LMI protocol type Configure Frame Relay interface typeUndo fr lmi n392dce Fr lmi n391dte n391-valueUndo fr lmi-n391dte Fr lmi n392dce n392-valueFr lmi t392dce t392-value Undo fr lmi n393dceFr lmi t391dte t391-value Undo fr lmi t391dteConfigure Frame Relay dynamic address mapping Configure Frame Relay static address mappingUndo fr Configure Frame Relay local virtual circuit numberCreate Frame Relay sub-interface Fr dlciApplying dynamic address mapping to the sub-interface Configure virtual circuit of Frame Relay sub-interfaceEstablish static address mapping Configure the Frame Relay switched PVC Configure the Frame Relay local virtual circuit numberConfigure the route for Frame Relay PVC switching Configure Frame Relay local switched PVC numberOverview Configure Multilink Frame Relay FRF.16Subnumber Configure MFRConfigure a MFR bundle interface MFR interface Configure MFR interface parameterConfigure the parameters of the bundle link interface Frame Relay Compression ConfigurationConfigure Frame Relay Compression on multipoint interface By default, interfaces use initiative compressionConfigure Frame Relay Fragment FRF.12 Configure Frame Relay Fragment AttributesUndo Fr traffic-shaping Disable the Frame Relay traffic shapingFrame Relay Traffic Shaping Fr traffic-shapingRate Frame Relay Traffic Policing Frame Relay Queueing Management100 Kbps CI R ALLOWº£ 64 Kbps 150 KbpsFrame Relay DE rule list Frame Relay Congestion ManagementUndo fr-class class-name By default, no Frame Relay class is createdConfigure the Frame Relay class parameters Configure Frame Relay Traffic ShapingConfigure the parameters of Frame Relay class Enable/Disable the Frame Relay traffic shapingEnable/Disable the Frame Relay traffic policing Dequeue-percentage Queue-percentageConfigure Frame Relay Queueing Management Configure Frame Relay DE Rule ListConfigure the Frame Relay PVC queueing Configure Pipq Configure Frame Relay switching Configure Frame Relay over Other ProtocolsConfigure Frame Relay over IP Configure a tunnel interfaceNetworking of a typical Frame Relay over Isdn application Frame Relay over Isdn Operation Process and FundamentalsPhysical Connection Between Frame Relay over Isdn Devices Frame Relay switching connection between DTE devicesBack-to-back connection between DTE and DCE devices Configure the Frame Relay-related commands Configure Frame Relay over IsdnConfigure the link layer protocol of the interface Configure the commands related to Frame Relay switchingDlci Isdnsubaddress Configure parameters related to dialer profilesDisplay and debug Frame Relay Display and Debug Frame RelayMfr number Number dlci dlci-numberNumber interface serial Type number dlciRouter-Serial1fr map ip 202.38.163.251 dlci Typical Frame Relay Configuration ExampleConfigure static address mapping Interconnect LANs via Frame Relay NetworkRouter-Serial1ip address 202.38.163.253 Configure local virtual circuitRelay FRF.16 Interconnect LANs via Private LineThem Create a MFR interfaceBundle Serial 0 and Serial 1 to mfr Example FRF.9Fragment between them III. Configuration Procedure 1 Configure Router aIII. Configuration Procedure 1 Configure RouterA FRF.12Typical Frame Relay over IP ConfigurationRouterfr class 96k Router-fr-class-96ktraffic-shaping adaptation becnRouter-Serial0fr interface-type dce Configure IP interface Ethernet0Configure tunnel interface Configure Frame Relay over IPRouter-Dialer0fr interface-type dce Configure the Frame Relay parameters on Bri0Router-Bri0fr map ip 110.0.0.2 dlci Router-Dialer0dialer number Router-Dialer0dialer call-inConfigure the Frame Relay-related parameters on Bri0 Router-Serial1.1ip address 130.0.0.2 Configure Frame Relay SVCsFault 1 the physical layer in Down status Fault Diagnosis Troubleshooting Frame RelayFault 4 Frame Relay data cannot be transmitted across Isdn Configuring Frame Relay Configure the link layer protocol of the interface to Hdlc Configure HdlcConfigure Hdlc Display and Debug Hdlc By default, the link layer protocol of the interface is PPPDebugging Hdlc Packet Interface Enable Hdlc packet debuggingBridge Overview Configure Bridge’s Routing FunctionTypical Bridge Configuration Bridge OverviewMain Functions of Bridging Obtain address tableBridge Overview Final bridging address table Forward and FilterFilter not forward Eliminating loopPreliminary examination state of bridging loops Spanning Tree Topology Spanning tree topology Bpdu Forwarding MechanismBridge enable Configure Bridge’s Routing FunctionBy default, disable bridging functions Enable/Disable bridging functionsMac-address Configure static address table entriesSpecify the STP version supported by the bridge-set Add ports to a bridge-setConfigure the aging time of dynamic address table Enable/Disable forwarding by using dynamic address tableDisable/Enable STP on ports Configure the path cost of bridge port Configure the bridge priorityConfigure the bridge port priority Configure the forward delay for the port status transition Configure the interval for sending BPDUsCreate ACLs based on varied Ethernet encapsulation formats Configure the Max age of BpduAcl acl-number Configure a bridge-template interface Enable/Disable bridge’s routingBridge-set Bridgebridge-set link-set link-set Define a link-setShare load by source MAC address Link-setMap the bridge address to Dlci Configuration on the interfaceDefine a dialer list Transparent Bridging Multiple LANs Typical Bridge ConfigurationDisplay and Debug Bridge Display and debug bridgeConfigure Router B Configure Router aRouter-Serial0bridge-set 1 stp disable Transparent bridge over the Frame Relay Transparent Bridging over Frame RelayRouter-Serial1dialer route bridge broadcast Please refer to Figure Asynchronous Dial-inStandby Connected are failedNetworking of bridge-template interface Bridge-Template interfaceNetworking for bridging on sub-interfaces Bridging on Sub-InterfacesRouterbridge enable Routerbridge 1 stp ieee Link-Set Configuration I. Networking RequirementsRouter-Serial1bridge-set 1 link-set Network Protocol 316 Configuring IP Address Network IP network range Description Class IP address classes and rangesSub-net classification of IP address Ip address ip-address mask Configure IP Address Configure IP Address for an InterfaceBy default, the interface has no master IP address Configure master IP address of an interfaceUndo ip address ip-address Configure slave IP address of an interfaceIp address ip-address mask Mask-length sub Delete slave IP address of an interfaceSet negotiable attribute of IP address for an interface By default, the interface has no negotiating IP addressConfigure IP Address Unnumbered for an Interface Introduction to IP address unnumberedBorrow IP address of Ethernet interface Configuration Example I. Configuration RequirementsConfigure routing to Ethernet segment of Shenzhen router R1 Configure IP address unnumberedRouter ip route-static 0.0.0.0 0.0.0.0 Configure router R1 of Shenzhen subsidiaryBorrow IP address of Ethernet Router-Ethernet0ip address 172.16.20.1Page Configuring IP Address Arp dynamic ip-address Define a static ARP mappingArp static ip-address Undo arp static ip-addressDisplay and Debug ARP Configure DomainName Resolution Name ResolutionDisplay and Debug domain name resolution Display and Debug Domain Name ResolutionDisplay ip host Vlan-type dot1q vid vlan-id Create Ethernet subinterfaceSpecify the Vlan on which Ethernet subinterface is located Interface-number.subinterface-numberDisplay vlan Configure IP address of Ethernet subinterfaceTypical Vlan Configuration Example Display and Debug Display and Debug VlanRouter-Ethernet0.1ip address 3.3.3.8 Configure IP address for the subinterfaceConfigure Vlan information of LAN Switch Troubleshooting The steps below can be takenBackground of the Dhcp development Dhcp Server ConfigurationFault Ping Two PCs, but fails to ping them through Dhcp vs BootpFollowing figure Occasions in which Dhcp server is appliedDhcp server Dhcp clients Dhcp client logs into the network again Dhcp Server Configuration Dhcp server ip-pool pool-name Enable/disable the Dhcp serviceDhcp Enable Undo Dhcp enableNetmask Configure the statically binding IP address and MAC addressNetwork ip-address Low-ipaddress high -ipaddress Low-ipaddress high-ipaddressConfigure the DNS addresses in a Dhcp address pool By default, the IP address of DNS is not configuredConfigure the gateway router address of client Configure the domain names of Dhcp clientsIp-address2 ... ip-address8 Set the type of NetBIOS node for Dhcp clientSet the type of NetBIOS node for Dhcp client Nbns-list ip-address1Display and Debug Dhcp servers Use reset, debugging and display command in All viewsConfigure Dhcp self-defined options Display and Debug Dhcp ServerRouter dhcp enable III. Configuration Procedures 1 Enable the Dhcp serviceRouter dhcp server forbidden-ip Router-dhcp2nbns-list Router-dhcp2gateway-list At the client, use ipconfig /releaseallDelete interface relay address Configure interface relay addressOperation Command Configure interface relay address Ip relay-address ip-addressAvailable on Dhcp server Dhcp Relay Configuration RequirementDhcp Relay IP address from Dhcp server through applicationNetworking diagram of an Dhcp relay configuration example Configure Dhcp relay routerFault 2 fail to forward transparent transmission protocol Under which condition should the address be translated Private Network Address and Public Network AddressRole the Network Address Translation NAT plays Characteristic of Network Address Translation NATMechanism of Network Address Translation NAT Pool-name Configure address poolPerformance of Network Address Translation NAT End-addr pool-nameUndo nat outbound Nat outbound acl-numberAddress-group pool-name Undo nat outbound acl-numberWww inside inside-addr inside-port any Configure the Internal ServerConfigure the Timeout of address translation Nat server global global-addr global-portDisplay and Debug NAT Display and debug NAT Typical NAT Configuration ExampleSet internal WWW server Configure address pool and access listAllow address translation of segment at 10.110.10.0/24 Set internal FTP serverCorrelate the address translation list and the interface Configure address access control list and dialer-listConfigure dial-up property for the interface Configure a default route to serialFault 2 Internal server abnormal Configuring IP Application Performance Configure IPTo configure IP performance, carry out the following steps Configure maximum transmission unit on an interfaceConfigure TCP Tcp window size Forwarding Configure FastDisplay and Debug Fast Display and Debug fast forwarding Perform the following configuration in system viewDisplay and Debug IP ForwardingRouter info-center enable Router debugging tcp packet Troubleshooting IP Performance ConfigurationRouter info-center enable Router debugging tcp event Configuring IP Count Undo ip count enable IP Count ConfigurationEnable/Disable IP Count service Ip count enableConfigure IP Count list Configure IP Count on an interfaceSpecify count maximum of exterior Display and debug IP Count By default, IP Count entries time out after 720 minutesCount Specify count maximum of interiorNot been configured on the interface of the router IV. Test ProcedureInformation is displayed Configuring IP Count IPX address Configuring IPXSAP Its first Ethernet interface as its node address Configure IPXModify length of service information reserve queue Configure relative parameters of IPX SAPPerform the following task in interface view Enable IPX interfaceConfigure IPX RIP static route Enable/Disable a Default RouteConfigure the maximum number of IPX parallel route Configure RIP updating periodConfigure RIP aging period Configure the maximum size of RIP update packetConfigure static service information table item Configure length of route reserve queueIpx sap timer update seconds Configure SAP aging periodConfigure size of SAP maximum updated message Configure reply to SAP GNS requestDisable split-horizon Configure Using touch-off for an interfaceEncapsulation format of IPX frame Configure the delay of interface sending IPX packetsConfigure management of IPX packet Modify Encapsulation Format of IPX Frame on InterfaceDisplay and Debug IPX Display and Debug IPX Configure Router a a Activate IPXConfigure an information about Server2 directory service Configure an address map to Router BConfigure a static route to network ID Configure an information about Server2 file serviceConfigure an information about Server1 directory service DLSw Protocol Max-frame-size max-window Configuration of DLSwCreate DLSw local peer entity Init-window-size max-frameCreate DLSw remote end peer entity Configure Bridge set connecting to DLSwConfigure Sdlc role Configure to add ethernet port to Bridge setController sdlc-address Configure Sdlc virtual MAC addressConfigure Sdlc address Sdlc-addressConfigure XID of Sdlc Configure Sdlc peer entityAdd synchronous Interface to Bridge set Configure baud rate of synchronous Interface Configure to stop running DLSwBaudrate Mseconds Configure Idle time encoding mode of synchronous InterfaceConfigure parameters of DLSw timer Configure LLC2 local acknowledgement delay timeConfigure modulo value of LLC2 Configure LLC2 premature acknowledgement windowConfigure P/F wait time of LLC2 Configure retransmission number of LLC2Configure LLC2 local acknowledgement time Configure Busy status time of LLC2Configure Sdlc local acknowledgement window Configure REJ status time of LLC2Configure queue length of sending message of LLC2 Configure Queue Length of Sending Message of SdlcConfigure retransmission number of Sdlc Configure maximum receivable frame length of SdlcConfigure poll time interval of Sdlc Dsap Configure SAP address for transforming Sdlc to LLC2Configure data bi-directional transmission mode of Sdlc LsapIP across WAN Typical DLSw Configuration ExampleDLSw Configuration Networking Requirement DLSwRouter dlsw local Router a ConfigurationRouter B Configuration DLSw ConfigurationNetworking diagram of DLSw configuration of SDLC-SDLC Networking Diagram of SDLC-LAN Virtual circuit cant attain Connected state DLSw FaultWhen using command display dlsw remote DiagnosisDiagnosis and Troubleshooting of DLSw Fault Configuring Dlsw VI Routing 404 IP Routing Protocol IP Routing Protocol Routing Protocol or Type Corresponding Routing Priority Routing Protocol and Routing PriorityOspf ASE Default Route Configuring Static RoutesTransmitting interface or next hop address Configuring a Static RouteConfiguring a Static Route Configure a Static RouteOther parameters Configuring a Default RouteDisplaying Debugging Routing Table PreferenceStatic Route Troubleshooting aOther RIP Overview Features is not subject to whether RIP has been enabled Configure RIPEnabling RIP Enable RIP at the Specified NetworkPeer ip-address By default, the interface runs RIP-1Define a Neighboring Router Specify RIP VersionSpecify the Status of an Interface RIP Version 1 enables zero field check by defaultConfigure Check Zero Field of RIP Version Disable a Host RouteVersion Authentication onEnabling Route Summarization for RIPSpecify a Default Route Metric Value for RIP By default, the default route metric for RIP isConfigure RIP Horizontal Segmentation on the Interface Configure Route Import for RIPSet Route Preference Configure filtering route information received by RIPDistribution for RIP Specify Additional Route Metric Value for RIPDisplay and Debug RIP Reset RIPDisplaying and Debugging RIP Filter the Routing Information Being Advertised by RIPRIP Unicast Displaying and Debugging Ospf Ospf Configuration ExampleOspf Overview Ospf OverviewConfiguring Ospf Undo router id Enable OspfSpecify Router ID Router id router-idArea-id By default, Ospf is disabledArea area-id P2mp P2p Configure the Network Type of the Ospf InterfaceConfigure Sending Packet Cost Ospf network-type broadcast nbmaCost Configuring a Peer for the Nbma InterfaceUndo Ospf dr-priority Operation Command Set the priority of the interface whenSpecify the Router Priority Ospf Dr-priority valueSpecify Dead Interval Specify Hello IntervallSpecify Transmit-delay Configuring a Stubby Area and a TotallySpecify Retransmitting Interval No-summary Perform the following configuration under Ospf viewConfigure Totally Stubby Area of Ospf Stub cost cost area area-idConfigure an Nssa Area of Ospf Perform the following configuration in Ospf viewUndo abr-summary address mask mask Configure Route Summarization Within Ospf DomainAbr-summary address mask mask area Area-id advertise notadvertiseArea-id None Router-id None Create and Configuring a Virtual LinkKey-id Configure AuthenticationConfigure Parameters When Importing External Routes Configure Route Import for OspfFilter for Ospf Configure filtering route information received by OspfDisplaying Debugging OspfConfiguring Ospf on the Point-to-Multipoint Network Ospf Configuration ExampleRouter D 201 Router B 301 302 Router C 1.3 RouterB-Serial0ospf network-type p2mp Enable OspfRouterC ospf enable RouterA-Serial0ospf network-type p2mpConfigure DR on Ospf Preference 2.2 3.3 1.1 4.4 E0 192.1.1.1/24E0 192.1.1.4/24 E0 192.1.1.2/24 E0 10.1.2.3/24RouterD display ospf peer RouterA display ospf peerBetween Router B and Router C To configure an Ospf virtual link Configure Router aRouterB-ospfVlink peer-id 3.3.3.3 transit-area To configure Ospf peer authentication Configure Router a Ospf Configuration Troubleshooting anNormally Ospf Configuration Example Configuring Ospf Displaying and Debugging BGP BGP Configuration ExampleBGP Overview BGP OverviewConfiguring BGP Perform the following configurations in BGP view Resetting BGP Connections Enabling BGPPerform the following configurations in system view By default, BGP is disabledSet the Timers for BGP Peer Configure the BGP Version of the PeerConfigure BGP Route-update Interval Configure to Distribute Default Router to the Peer Configure to distribute default route to the peerConfigure to Send Community Attribute to the Peer Configure the Peer to be the Client of the Route ReflectorAllow Comparing Path MED Create a Fltering Policy Based on Access List for the PeerConfigure the BGP MED Metric Create a BGP Route Filtering Based on AS Path for the PeerHoldtime-interval Configure the Local PreferenceConfigure the Keepalive Timer and Holdtime Tmer for BGP Timers keepalive-intervalGroup-name By default, there is no BGP peer in a peer groupAdd a Peer to the BGP Peer Group Peer group-nameConfigure BGP Routing Update Sending Interval Configure AS Number of BGP Peer GroupConfigure Connection Between Peers Indirectly Connected Set the Timers of BGP Peer GroupConfigure to Send the Default Route to the Peer Group Configure to send the default route to the peer groupCreate Routing Policy for Peer Group Configure BGP Version of Peer Group By default, software accepts BGP VersionCreate an Aggregate Addresses Undo aggregate address By default, an aggregate is disabledAggregate address mask As-setClients within the reflection group Reflect between-clientsUndo reflect between-clients Extended-community-list-number Configure the Cluster IDConfigure BGP Community Standard-community-list-numberConfigure the Sub-system of E Confederation Configure a ConfederationAs-number … Schematic diagram of route dampening Display Route Flap Information Still exists By default, BGP synchronizes with IGPIs insured When AS is not a transitional AS Configuring Configure Route Import for BGPDefine a routing policy Define an access list entryEntry, an AS Path-list Define an AS Path-list entryDefine a match rule Perform the following configurations in Routing policy viewDefine an apply clause Filter for BGP Display and Debug BGP Reset BGP ConnectionsDebugging BGP Filter Routing Information Being Advertised by BGPAcl-number network-address BGP ConfigurationProcedure for each configuration As-regular-expression aclNetworking diagram of configuring AS confederation RouterC-ospfinterface serial Configure Router B Configure BGP peersRouterA-bgppeer 192.1.1.2 as-number RouterB-Serial1ip address 193.1.1.2Configure Router D Configure BGP peers RouterA-acl-1rule permit source 1.0.0.0 Configure peerStart BGP Specify BGP transmission networkRouterC-bgppeer 193.1.1.1 route-policy localpref import RouterC-acl-1rule permit source 1.0.0.0RouterD-ospf network 4.0.0.0 0.0.0.255 area 0 RouterD bgp Configuring BGP IP Routing Policy Configuring IP Routing Policy Define a Routing Policy Configure IP RoutingOperation Command Define a routing policy and enter into PolicyConfigure a Matching Rules Apply tag tag-value Define a Setting ClauseApply community aa nn No-export addtive noneRoute-policy route-policy-name Configure Route ImportTag tag-value type 1 Ip ip-prefix prefix-list-name Define an IP Prefix ListGe-value less-equal le-value BGP route discovered by BGP protocol Perform the following configurations in all viewsDebugging IP Routing Policy OSPF-ASE external route discovered by Ospf protocolProtocol Configuring IPWith different weighting values Routing PolicyRoute Information Routerip ip-prefix p1 permit 192.1.1.0/24 Troubleshooting IPConfigure RIP protocol Normal operationConfiguring IP Routing Policy IP Policy Routing Configuring IP PolicyRouting Define Match Rules Create a Routing PolicyDefine Apply Clause Interface Policy Routing By default, interface policy routing is disabledEnable/Disable Interface Policy Routing Displaying Debugging IP Policy RoutingRouter-acl-102rule permit tcp source any destination any Suggested procedure for each configurationDefine access list Router-acl-101rule deny tcp source any destination anyRouterB-ripnetwork Adopt policy aaa in Ethernet interfaceRouter-Ethernet0ip policy route-policy aaa RouterA-Ethernet0ip policy route-policy lab1RouterAdebugging ip policy-routing Chapter Configuring Igmp Configuring PIM-DM Configuring PIM-SMIP Multicast 498 IP Multicast List for Reserved Multicast Addresses Range and Meaning of Class D AddressesClass D address range Meaning IP Multicast Routing Protocols IP Multicast IP Multicast IP Multicast PacketApplication IP Multicast Igmp Overview Configuring IgmpIgmp Configuration Example Igmp OverviewConfiguring Igmp Configure the Igmp Version Number Run at Router Interface Make the following configuration in interface viewConfigure Igmp Maximum Query Response Time Interfaces are all fast Ethernet FE Igmp ConfigurationDebugging command in system view to debug Igmp Displaying and Debugging IgmpRouter a Router B Configuring Igmp Configuring PIM-DM Operation Command Enable multicast routing Make the following configuration in the system viewBy default, the system disables the multicast routing Enable Multicast RoutingGroup-address source-address Start/Disable PIM-DM ProtocolDisplaying and Debugging PIM-DM Display and Debug PIM-DMReceiver 2 are the two receivers of this multicast group PIM-DM ConfigurationEnable multicast routing protocol Enable PIM-DM protocolPIM-SM Overview Enabling Multicast Routing PIM-SM ConfigurationConfigure Candidate RP By default, the interface disables PIM-SM protocolEnable/Disable PIM-SM Protocol Configure Candidate BSRBy default, no PIM-SM domain boundary is configured By default, no interface is configured to be candidate RPConfigure PIM-SM Domain Boundary Debugging PIM-SM Use the pim command in system view to enter PIM viewRouterA-pimspt-switch-threshold 10 accept-policy Configure Router a Enable PIM-SM protocolConfigure Router B Enable PIM-SM protocol RouterA multicast routing-enable RouterA interface ethernetRouterB-acl-5rule permit source 225.0.0.0 Display pim neighbor command can be used to check whetherFollow these steps Neighbors have discovered each otherConfiguring PIM-SM Viii Security 524 Configuring a User Terminal AccessConfiguring Terminal Access SecurityConfigure EXECLogin Authentication Configure Radius server and the shared secret Enable AAAConfigure the authentication method list of Exec users Configuring Terminal Access Security Radius Overview AAA OverviewComponents of Radius server Basic message interaction process of Radius Type of Packets Decided by Code Field Request Authenticator Adopts 16-byte random codeCode Packet type Explanation of the packet Attribute Fields Server-template-name method1 By default, AAA is disabledAAA Enable/Disable AAA Configure AAA Login AuthenticationDefault methods-list Configuring an Authentication Method List for PPP UsersConfigure PPP Authentication Method List of AAA Default methods-list method1Configure Local IP Address Pool By default no address pool is defined by the systemConfigure AAA Local-First Authentication Configure AAA Accounting OptionConfigure Ordinary User and Password By default pool-number isConfigure a User and Password Configure Callback UserConfigure User with Caller Number Configure User with Caller NumberConfigure FTP User and the Usable Directory Configure Callback User and the Callback NumberDirectory Authorize a User with Usable Service TypesConfigure FTP User and the Usable Directory Configure Authorizing a User with Usable Service TypesRadius server hostname ip-address Configure Radius Server Shared SecretBy default, no key is configured for the Radius server Configure Radius Server Shared SecretConfigure the Time Interval for the Inquiry Packet Configure the Request Retransmission TimesAAA and Radius Accessing UserAuthentication Case Displaying Debugging AAARouterradius server Configure IP address and port of Radius serverConfigure local-first authentication Router aaa authentication-scheme local-firstRadius Troubleshooting AAAConnected user cannot be seen in display aaa user Users Radius authentication is always rejectedCan Configuring AAA and Radius Protocol Firewall Overview Classification of Firewalls Packet filtering schematic diagram Operators of the Extended Access Control List Extended access control listCommand format when the protocol is IGMP, IP, GRE or Ospf Command format when the protocol is TCP or UDPMnemonic Symbol of the Port Number UDP Protocol Mnemonic Symbol Meaning and Actual ValueMnemonic Symbol of the Icmp Message Type Configure the match sequence of access control listOperator and Syntax Meaning Firewall Configure FirewallEffect Perform the following configurations in system view Firewalls are disabled by defaultConfigure Extended Access Control List Configure Standard Access Control ListDestination dest-addr dest- wildcard Enabling and disabling filtering according to timerangeConfiguring Special Timerange Set Default Firewall Filtering ModeSettr begin-time end-time Enable/Disable Filtering According to TimerangeSet special time range Set Special Time RangeDisplay and Debug Firewall Use debugging, reset and display commands in all viewsDisplaying and Debugging Firewall Specify Logging HostRouterfirewall default permit Enable firewallConfigure access rules to inhibit passing of all packets Routerfirewall enableRouter-Ethernet0firewall packet-filter 101 inbound Apply rule 102 on packets coming in from interface Serial0Router-Serial0firewall packet-filter 102 inbound IPSec Protocol Following terms are important to an understanding of IPSec IPSec Related TermsIPSec Message Processing Access Control List Configuring IPSecCreating an Encryption Operator port1 port2 Create Encryption Access Control ListBy default, all the crypto cards are enabled Configure Ndec Cards Enable the crypto cardsSet the output of the crypto card log Define IPSec proposal By default, no proposal view is configuredEnable/Disable the Host to Backup the Ndec Cards Set the Mode for Security Protocol to Encapsulate MessagesSelect Security Protocol Selecting the Encryption Authentication AlgorithmDefault mode is tunnel-encapsulation mode Select Security ProtocolCreating a Security Policy Select Encryption Algorithm and Authentication AlgorithmSet start point and end point of security tunnel By default, no security policy is createdConfigure access control list quoted in security policy Perform the following configurations in IPSec policy viewSet SPI of security policy association and its adopted key By default, the security policy quotes no IPSec proposalConfigure IPSec Proposal Quoted in Security Policy Set IPSec proposal quoted in security policyHex-key By default, no key is used by any security policyConfigure SPI Parameters of Security Policy Association Configure Key Used by Security Policy AssociationSpecify End Point of Security Tunnel Set access control list quoted by security policySet end point of security tunnel Creating a Security Policy Association withProposal-name2...proposal-name6 Set the IPSec proposal quoted in security policySet SA lifetime Proposal proposal-name1Configure Separate SA LIfetime Configure a separate SA lifetimeBy default, apply the global SA lifetime Configure Global SA LIfetimeIpsec sa dynamic-detect Use debugging, reset and display commands in all viewsDebugging IPSec Apply Security Policy Group on InterfaceDisplay and Debug IPSec Reset crypto cardDest-address protocol spi Creating an SA Manually IPSec Configuration ExampleUse the debugging, reset and display command in all views Displaying and Debugging the crypto cardCreate the IPSec proposal view named tran1 Adopt tunnel mode as the message-encapsulating formSelect authentication algorithm and encryption algorithm Quote access listExit to system view Configure the routeCreate a security policy with negotiation mode as manual Apply security policy group on serial interfaceCreate the IPSec proposal view named trans1 Create a security policy with negotiation mode as isakmpSet remote addresses Create a security policy with negotiation view as isakmp Configure ip address of the serial interfaceConfigure corresponding IKE Configure serial interface Serial0RouterB ike pre-shared-key abcde remote Establish a security policy with manual negotiation modeAdopt tunnel module for packets encapsulation form Return to system viewApply security policy base on serial port Enter Ethernet interface view and configure IP addressSet local address Set encryption keyRouterB ipsec policy map1 10 manual Establish a security policy with manual configuration modeTroubleshooting IPSec Ndec card cannot be configured Return to the system viewDo the following Configuring Ipsec Configuring IKE IKE features Configuring IKEPolicy Undo ike Create IKE PolicyIke proposal policy-number View Delete IKE policySelect Encryption Algorithm Selecting an Authentication AlgorithmSelect Authentication Method Configure Pre-shared KeySet Lifetime of IKE Negotiation SA By default, 768-bit Diffie-Hellman group is selectedSelect Hashing Algorithm Select DH Group IDDisplay and Debug IKE Configure IKE Keepalive TimerReset ike sa connection-ike-sa-id Displaying and Debugging IKEInvalid user ID information IKE ConfigurationUnable to establish security channel Unmatched policyIX VPN Configuring VPN Configuring L2TP Configuring GRE596 VPN Overview Authority given by local ISP Basic NetworkingApplications of VPN Classification of IPLayer 3 tunneling protocol Layer 2 tunneling protocolComparison of layer 2 and layer 3 tunnel protocols Configuring VPN Vpdn Operation Vpdn and L2TPL2TP channel Methods of Implementing VpdnTunnel and session Networking diagram of two typical methods of VpdnControl message and data message IV. Call setup flow of L2TP tunnelCall setup flow of L2TP channel Features of L2TPL2tp enable Basic Configuration atEnable L2TP Enable/Disable L2TPL2tp-group group-number Originate L2TP Connection Request and LNS AddressIp-address … domain domain-name L2TP Attribute Table By default, L2TP is disabledConfigure AAA and Local Users Default list-name method1Create/Delete a Virtual Template Operation Command Create a L2TP groupOperation Command Create a virtual template Create/Delete L2TP GroupConfigure Local VPN Users Advanced Configuration at LAC or LNSBy default, receiving dial-in from LAC is disabled Configure the Name of the Receiving End of the TunnelTunnel name name Enable Tunnel Authentication Setting PasswordBy default, the local name is the host name of router Set Local NameSet Tunnel Authentication and Password Configure the Interval For Sending Hello MessagesSet the Interval for Sending Hello Message Force Configure Domain Delimiter and Searching OrderSet Domain Name Delimiter and Searching Order Force to Disconnect Channel This configuration is applicable to LNS onlyOperation Command Force to disconnect tunnel Reset l2tp tunnel remote-nameLCP does not renegotiate by default Configure the Local Address and Address PoolLCP to Renegotiate Number of L2TP Sessions Enable/Disable Hiding Attribute Value Pairs AVBy default, AV pairs are hidden Enable/Disable Hiding AV PairsDisplay and Debug L2TP L2TP Configuration ExamplesBy default, the maximum number of L2TP sessions is Use debugging, display command in all viewsConfigure BDR dialup parameters Implement local AAA authentication on VPN userConfigure the IP address of Serial1 interface of LAC Enable L2TP service and configure a L2TP groupConfigure the Virtual-Template-related information Configure the IP address of Serial0 interface of LNSInternet Connection Wizard Internet Connection Wizard Internet Connection Wizard Internet Connection Wizard Router-LACip pool 1 192.170.0.3 Client-originated VPN NetworkingDisable tunnel authentication Configure the IP address of Serial1 interface at LAC sideConfigure BDR parameters Configure the IP address of Serial0 interface at LNS sideNetwork Connection Wizard Network Connection Wizard Connect Connection to Router1 l2tp domain suffix-separator @ Configure an IP address on Serial0 interfaceConfigure a L2TP group and the related attributes Configure the domain suffix separator to @III. Procedures Enable AAA authenticationConfigure Virtual-Template Force to implement local Chap authenticationConfigure an access control list and specify L2TP data Configure a L2TP group and configure the related attributesConfiguration at Router2 LNS side Enable AAA authentication Configure an address pool 1 in the range of 192.168.0.2 toPPP negotiation fails. The reasons may be Fault 1 The users fail to logTroubleshooting L2TP Configuring L2TP Encapsulation GRE ProtocolPacket Encapsulated tunnel message format Refer to RFC Enlarge network operating range Create Virtual Tunnel Interface Configuring GREBy default, no virtual tunnel interface is created Creating a Virtual Tunnel InterfaceAddress of the Tunnel Address of a Tunnel Must be configured InterfaceSetting the Network Perform the configurations in the tunnel interface viewGre key key-number Number discardedSet Tunnel Interface to Check with Checksum Set the Tunnel to Synchronize Datagram Sequence NumbersAll views GRE Configuration ExampleGroup1 and group2. It can be implemented by using GRE Debugging GREConfigure Router B Configure the IP address of Serial0 Configure the IP address of Ethernet0 interfaceConfigure Router B Activate IPX Configure Router a Activate IPXConfigure the IP address and IPX address of Ethernet0 Configure the static route to Novell Group2RouterB ipx route 1e 1f.a.a.a tick 30000 hop Networking of troubleshooting GREConfiguring a Standby Center Configuring Vrrp 646 Standby Center Configuring Standby CenterNext-hop-address dialer-number Enter the Logic Channel ViewAddress logic-channelnumber Fr map protocol address dlci dlciStandby timer disable-delay seconds Channel to check whether it has recoveredStandby timer enable-delay seconds Undo standby timer enable-delayEnter the view of Serial Please perform the following configuration in all viewsLoad Sharing view InterfacesChannel Enter the view of logic channelRouter-logic-channel10standby interface serial Router-Serial1logic-channel Vrrp Overview Vrrp Configuration ExamplesTroubleshooting Vrrp Vrrp OverviewAdding a Virtual IP Configuring VrrpAddress Undo vrrp vrid virtualrouterid Configure Router Priority in Standby GroupAdd Virtual IP Address Vrrp vrid virtualrouteridVirtualrouterid Configuring Authentication Method Authentication KeyVrrp provides simple character authentication method Configure Authentication Method and Authentication KeyMonitoring Configure StandbyGroup Timer Debugging VrrpVrrp Single Standby Vrrp ConfigurationProcedure for each configuration Backup with preemption aII. Networking diagramMultiple Standby Gateway services insteadBalancing and mutual backup are implemented Gateway function as the masterMany master routers exist within the same standby group There is requent switchover of the Vrrp stateXI QOS 662 QOS Overview Three Types of QoS ServicesQOS Overview Benefits of QoS for the Network Service QOS Overview Traffic Policing Traffic ClassificationTraffic POLICING, Traffic Shaping and Line Rate Rate CAR Committed AccessPrecedence-value mac mac-address Defining RulesDefine CAR Rules Qos carl carl-index precedenceApplying the CAR Policy on the Interface By default, no CAR rule of ACL list is establishedApply the CAR Rule on the Interface Display and Debug CAR CAR Configuration Applying a CAR Policy to all PacketsConfigure the Priority Level Based CAR Policy Displaying and Debugging CARConfigure the CAR Policy Based on the MAC Address Packets Traffic ShapingApply a CAR Policy on the Packets that Match ACL Matches ACLSchematic diagram of GTS processing Configuring shaping parameters for a specified flowConfigure the ACL Configuring shaping parameters for all flowsShape the flows matching 110 on Ethernet interface Shape all the flows on Ethernet interface Configure the Physical Interface LIne RatePhysical Interface Line RateDisplaying Display and Debug LR Debugging LR Operation Command Display the LR configuration conditionsDisplay qos lr interface type Congestion Management Priority Queuing CongestionManagement Policy Fifo QueuingSelecting Congestion Management Policies Number Queues Advantage Disadvantage Comparison of Several Congestion Management PoliciesSchematic diagram of the first in first out queue Schematic diagram of the custom queuing Schematic diagram of weighted fair queuing Weighted Fair Queuing WFQConfigure the First In First Out Queuing Configuring Congestion ManagementConfiguring Fifo Queuing Configuring priority queuingPql-index protocol By default, no priority queue is establishedValues of Queue-Option with Protocol as IP Protocol-name queue-option queueApplying the priority-list queuing group to the interface By default, the interface utilizes the Fifo queueSpecifying the queue length of the priority-list queuing Displaying and debugging the priority queue Configuring custom-list queuingConfiguring Custom Queuing CQ Default Length Value of the Priority QueueQueue queue-number Configure the Custom-Lst Queuing According to the InterfaceConfigure the Default Custom-List Queuing Queue-numberApplying the custom-list queuing group to the interface By default, the interface uses the Fifo queueConfiguring the queue length of the custom-list queuing Configure the Queue Length of the Custom-List QueuingDisplaying and debugging the weighted fair queue Configuring Weighted fair queuingDisplaying and debugging the custom-list queue Apply the priority queue 2 to Serial Congestion Management Configuration ExamplesPQ Configuration Example Apply the priority queue 1 to SerialRouterA-Tunnel1destination Configure the CQ queueConfigure Router B Configure the access control list RouterA-Tunnel0ip address 10.1.1.1WFQ Configuration Example Configure Serial0 master/slave addressesConfigure Tunnel0 Configure Tunnel1Congestion Management Congestion Avoidance Congestion Avoidance Function of the Interface Wred ConfigurationEnable the Wred Enable WredIp-precedence Discard-probDisplaying Debugging Congestion Avoidance Congestion Avoidance Configuration ExampleConfigure a WFQ queue Enable WredCongestion Avoidance XII DIAL-UP Configuring DCC Configuring Modem704 DCC Overview Terms in DCC ConfigurationDCC Circular DCCResource-Shared DCC With 3Com Routers Basic DCC featuresImplementing callback through DCC Configure the local parameters of DCC Configuring DCCPreparing to Configure Prepare the data for DCC configurationIp address ipaddress mask Configuring the mode of the physical interfaceConfigure Physical Interface Mode Linklayer-protocol-typeAssociating a DCC dialer ACL with the interface Configuring an interface to originate calls to a remote end Undo dialer number Configure an interface to receive calls from a remote endDialer enable-circular Dialer number dial-numberRoute protocol DialerNext-hop-address dial-number Next-hop-address Undo dialer route protocolDialer priority priority Undo interface dialer numberDialer circular-group number Undo dialer circular-groupUndo dialer circular-group Interface dialer numberUndo interface dialer number Dialer circular-group numberRouter Dialer0 Enabing Resource-Shared DCC Configuring dialing authentication for resource-shared DCCConfiguring the dialer interface and dialer number By default, no dialer interface is createdConfiguring dialing authentication for resource-shared DCC Configure MP Binding in Circular DCC Configuring MP binding in circular DCCThreshold traffic-percentage Dialer threshold traffic-percentage Configuring MP binding in resource-shared DCCConfiguring PPP callback in the circular DCC implementation Configure MP Binding in Resource-Shared DCCImplement PPP Callback Server Configuration in Circular DCC Implement PPP Callback Client Configuration in Circular DCCDial-number CommandTelephone-number Next-hop-address user usernamePrimary rule The best match is the number with the fewest Features of Isdn caller identification callbackDialer callback-center dial-number Callback according to the Isdn caller Operation Command Configure the local end to implementIdentification Undo dialer call-in remote-numberConfigure Isdn leased line for Circular DCC Configuring Isdn leased lineConfiguring auto-dial Configuring Special DCC FunctionsConfigure Dialer Number Circular Standby Configuring dialer number circular standbyConfiguring the Link Idle Time Configure Auto-DialConfigure the Link Idle Time By default, the link idle time is 120 secondsBy default, the link disconnection time is 20 seconds Configuring the link idle time when interface competionDebugging DCC Configuring the timeout of call setting upBy default, the timeout of call setting up is 60 seconds Configuring the buffer queue length of the dialerSolution DCC Configuration ExamplesDCC Applications in Common Use Router-Serial0dialer route ip 100.1.1.1 Configure RouterCConfigure RouterB Router-Serial1dialer circular-groupRouter-Serial1dialer bundle-member Router-Serial0dialer bundle-memberConfigure RouterC Configure RouterC Router-Serial015dialer route ip 100.1.1.1 Configure RouterARouter-Dialer0dialer threshold Router-Bri0dialer bundle-memberRouter-Bri1dialer route ip 100.1.1.1 Router-Serial0dialer route ip 100.1.1.2 Router-Serial1dialer enable-circularRouter dialer-rule 1 ip permit Router interface serial Router-Bri0dialer route ip 100.1.1.2 user usera NT Server-to-Router Configure the PCCallback for DC C By the NT serverRouter-Async0dialer route ip 100.1.1.254 Dial Number Circular Standby and Internet Access for DCC Router-Serial0dialer route ip 100.1.1.254 Configure subscriber PCRouter-Serial215ppp chap password simple passb Router-Serial215ppp authentication-mode chapRouter-Serial1standby logic-channel Remote end cannot be pinged after the modem is connected Message Fault DCC Fault MessagesDCC peeraddr matching error Modem Script Modem Function Provided by 3Com RoutersModem script format in common use is as follow Syntax description of modem scriptReceive-string1 send-string1 receive-string2 send-string2 Configure the Modem Dial-in and Dial-out Authorities Which, seconds defaults to 180 and is in the range of 0 toBy default, modem dial-in and dial-out are allowed Execute a Modem Script Manually Configure Modem Through the AT CommandConfigure a Modem Script Configure a Modem ScriptSpecify the Events Triggering the Modem Scripts By default, the modem works in non-auto answer modeConfigure the Answer Mode for the Modem Configure Authentication for a Modem Dial-in UserDisplaying and Debugging a Modem Modem Configuration ExamplesExecutethe debugging command in all views for the debugging Configure a Modem adaptation baud rateConfigure the modem initialization parameters Restore the ex-factory modem settingsAT&b1&c1&d2&s0=0 Modem Dial-in User Power-on Initialization Through Initialization ScriptAuthentication for DirectlyTroubleshooting Configuring Modem