Basic Management and Configuration Guide
www.procurve.com
ProCurve Secure Router 7000dl
ProCurve Secure Router 7000dl Series
Basic Management and Configuration Guide
December 2005
J04_01
Hewlett-Packard Company
8000 Foothills Boulevard
Roseville, California 95747
http://www.procurve.com/
© Copyright 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Publication Number
5991-3785
December 2005
Applicable Products
ProCurve Secure Router 7102 dl (J8752A)
ProCurve Secure Router 7203 dl (J8753A)
Trademark Credits
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Contents
1 Overview
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Using This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Understanding Command Syntax Statements . . . . . . . . . . . . . . . . . . . . 1-5
CLI Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
IP Address Notation Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Quick Starts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Obtaining Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Downloading Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Interface Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Accessing the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . 1-11
Using the ProCurve Web Browser Interface . . . . . . . . . . . . . . . . 1-12
Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
ProCurve Secure Router Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
E1 and T1 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
ISDN Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
Backup Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
Wide-Slot Option Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
Interface Numbering Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
Power LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
Fault LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
LEDs for Slots 1 and 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Backup LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Tx and Rx LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Slot 3 LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Status LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Activity LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Test LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Ethernet and Activity LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Activity LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Link LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Optional IPSec VPN Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Compact Flash Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28
Redundant Power Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
Bootup Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
Advantages of Booting From Compact Flash . . . . . . . . . . . . . . . . 1-32
Setting Up a Compact Flash Card From Which to Boot the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Saving Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
AutoSynch™ Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Secure Router OS Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Basic Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Enable Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Global Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37
Commands Available in the Basic, Enable, or Global Configuration Mode Contexts . . . . . . . . . . . . . . . . . . . . 1-39
Basic Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40
Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40
Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
Terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Wall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Enable Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-44
Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45
Configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46
Copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46
Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Dir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50
Erase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50
Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Undebug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56
Write . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56
show tech . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-57
Updating the Boot Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-59
Global Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . 1-60
hostname Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60
autosynch Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60
Support for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61
SafeMode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61
Help Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64
CLI Help Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64
Editing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64
no . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
Bootstrap Mode Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70
Compact Flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70
AutoSynch™ Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70
Using the reload in Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-72
Managing Configuration Files Using a Text Editor . . . . . . . . . . . . . . . . . . 1-73
Creating and Transferring Configuration Files . . . . . . . . . . . . . . . . . . 1-75
Configuration File Transfer Using the Console Port . . . . . . . . . . 1-76
Configuration File Transfer Using a TFTP Server . . . . . . . . . . . . 1-78
Configuration File Transfer Using a Compact Flash Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-81
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-83
Accessing the Secure Router OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-83
2 Controlling Management Access to the ProCurve Secure Router
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Securing Management Access to the ProCurve Secure Router . . . . . . . . . 2-4
Restricting Access to the Enable Mode Context . . . . . . . . . . . . . . . . . . 2-4
Configuring a Password for Console Access . . . . . . . . . . . . . . . . . . . . . 2-5
Enabling Remote Access to the ProCurve Secure Router . . . . . . . . . . 2-6
Configuring an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Configuring Telnet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Configuring Local User Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Encrypting All the Passwords Configured on the Router . . . . . . 2-11
Enabling Access to the Web Browser Interface . . . . . . . . . . . . . . 2-11
Managing SSH Communications . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Using FTP to Access the Router . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Using the Local User List for Console or Telnet Access . . . . . . . 2-13
Enabling Secure Copy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Viewing Information about Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
Using the AAA Subsystem to Control Management Access . . . . . . . . . . . 2-14
Advantages of Using the AAA Subsystem . . . . . . . . . . . . . . . . . . . . . . 2-15
Enabling the AAA Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Configuring AAA for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Creating a Named List for the Enable Mode Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Creating a Named List for User Authentication . . . . . . . . . . . . . . 2-18
Criteria for Failure of Authentication Methods . . . . . . . . . . . . . . 2-19
Assign the Named List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Options for AAA Authentication: Configuring Banners, Messages, and Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Configuring Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Define a Named List for Authorization . . . . . . . . . . . . . . . . . . . . . 2-23
Assign the Named List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Enable Authorization Commands for Console Line . . . . . . . . . . 2-24
Configuring the TACACS+ Server for Accounting . . . . . . . . . . . . . . . 2-25
Configuring a Named List for Accounting . . . . . . . . . . . . . . . . . . 2-25
Assign the Named List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Configure Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Do Not Send Records for Null Users . . . . . . . . . . . . . . . . . . . . . . . 2-27
Configuring a RADIUS Server for Authentication . . . . . . . . . . . . . . . 2-27
Define the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27
Define a Group of RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . 2-29
Configure Global Settings for RADIUS Servers . . . . . . . . . . . . . . 2-30
Configuring the TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Define the TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Creating a TACACS+ Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33
Configure Global Settings for TACACS+ Servers . . . . . . . . . . . . 2-34
Troubleshooting AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
debug aaa Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
Troubleshooting the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36
debug radius Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Troubleshooting the TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Port Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40
Enabling Supplicant Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40
Troubleshooting Supplicant Functionality . . . . . . . . . . . . . . . . . . . . . 2-41
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42
Configure the Enable Mode Password . . . . . . . . . . . . . . . . . . . . . . . . . 2-42
Configure a Password for the Console Access . . . . . . . . . . . . . . . . . . 2-42
Configuring Remote Access to the ProCurve Secure Router . . . . . . 2-43
Configuring an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . 2-43
Configuring a Password for Telnet Access . . . . . . . . . . . . . . . . . . 2-44
Configuring Local User Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45
Configuring AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45
Configuring Authentication with AAA . . . . . . . . . . . . . . . . . . . . . . 2-46
Configuring Authorization with AAA . . . . . . . . . . . . . . . . . . . . . . . 2-46
Configuring the TACACS+ Server for Accounting . . . . . . . . . . . . 2-47
Defining a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
Defining a TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
Enabling 802.1X Supplicant Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
3 Configuring Ethernet Interfaces
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Configuring the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Enabling the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Configuring an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Assigning a Static IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Configuring the Ethernet Interface as a DHCP Client . . . . . . . . . . 3-5
Configuring the Ethernet Interface as an Unnumbered Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Setting the Speed and the Duplex Settings . . . . . . . . . . . . . . . . . . . . . 3-10
Configuring the Line for Half-Duplex or Full-Duplex . . . . . . . . . . . . . 3-11
Setting the MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Adding a Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Summary of Ethernet Configuration Settings . . . . . . . . . . . . . . . . . . . 3-13
Configure VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Configuring VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Assigning an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Viewing the Status of Ethernet Interfaces or Subinterfaces . . . . . . . . . . . 3-19
show interfaces Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
show running-config Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Viewing the Configurations That Have Been Entered . . . . . . . . . 3-22
Viewing All the Configuration Settings Including Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Troubleshooting an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
show event-history Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
debug interface ethernet Command . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
Configuring the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
4 Configuring E1 and T1 Interfaces
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Overview of E1 and T1 WAN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Elements of an E1- or T1-Carrier Line . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Connecting Your Premises to the Public Carrier: the Local Loop . . . 4-4
External or Built-in CSU/DSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
ProCurve Secure Router Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
E1 Modules with a Built-in DSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Supported Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
T1 Modules with a Built-in CSU/DSU . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Supported Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
E1 or T1 Interfaces: Configuring the Physical Layer . . . . . . . . . . . . . 4-10
E1 or T1 Interface Configuration Mode Context . . . . . . . . . . . . . 4-11
Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Line Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Frame Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15
Clock Source, or Timing, for the E1- or T1-Carrier Line . . . . . . . 4-17
Transmit Signal Level (T1 Interfaces Only) . . . . . . . . . . . . . . . . . 4-18
Set the FDL (T1 Interfaces Only) . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19
Activate the E1 or T1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
Threshold Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21
Types of Line Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22
Viewing Information about E1 and T1 Interfaces . . . . . . . . . . . . . . . . . . . 4-26
show interfaces Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
show running-config Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
show running-config verbose Command . . . . . . . . . . . . . . . . . . . . . . . 4-29
Troubleshooting E1 and T1 WAN Connections . . . . . . . . . . . . . . . . . . . . . 4-30
No Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Red Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Yellow Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Green Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35
Viewing Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37
Configuring an E1 or T1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-38
5 Configuring Serial Interfaces for E1- and T1-Carrier Lines
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Using the Serial Module for E1- or T1-Carrier Lines . . . . . . . . . . . . . . . . . . 5-3
Elements of an E1- or T1-Carrier Line . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Connecting Your Premises to the Public Carrier’s Central Office: the Local Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
External or Built-in CSU/DSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Serial Module for the ProCurve Secure Router . . . . . . . . . . . . . . . . . . . 5-7
Standards Supported by the Serial Module . . . . . . . . . . . . . . . . . . 5-7
Serial Interface: Configuring the Physical Layer . . . . . . . . . . . . . . . . . . . . . 5-8
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Serial Interface Configuration Mode Context . . . . . . . . . . . . . . . . . . . 5-12
Configuring the Interface for the Appropriate Cable . . . . . . . . . . . . . 5-12
Configuring the Clock Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Inverting et-clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Inverting txclock or rxclock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Activating the Serial Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Configuring the Data Link Layer Protocol . . . . . . . . . . . . . . . . . . . . . . 5-14
Viewing Information about the Serial Interface . . . . . . . . . . . . . . . . . . . . . 5-15
show interfaces serial Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
show running-config interface Command . . . . . . . . . . . . . . . . . . . . . . 5-16
View All the WAN Connections Configured on the Router . . . . . . . . 5-17
Troubleshooting a Serial Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Checking the LED for the Serial Module . . . . . . . . . . . . . . . . . . . . . . . 5-18
No Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Red Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Yellow Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Green Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Solving a Specific Problem: the Line Between the Serial Module and the CSU/DSU Keeps Going Down . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Configure a Serial Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
6 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Configuring the Logical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
PPP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Establishing a PPP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Creating a PPP Interface on the ProCurve Secure Router . . . . . . 6-6
Configuring an IP Address for the WAN Connection . . . . . . . . . . 6-8
Activating the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
Binding the Physical Interface to the Logical Interface . . . . . . . 6-10
PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
Settings Explained in Other Chapters . . . . . . . . . . . . . . . . . . . . . . 6-18
Frame Relay Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19
Packet-Switching Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
Components of a Frame Relay Network . . . . . . . . . . . . . . . . . . . . 6-21
DLCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
Create the Frame Relay Interface . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Activate the Frame Relay Interface . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Define the Signaling Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Define the Frame Relay Signaling Type . . . . . . . . . . . . . . . . . . . . 6-26
Configure Frame-Relay Counters . . . . . . . . . . . . . . . . . . . . . . . . . 6-26
Create the Frame Relay Subinterface . . . . . . . . . . . . . . . . . . . . . . 6-28
Assign a DLCI to the Frame Relay Subinterface . . . . . . . . . . . . . 6-28
Configure the IP Address for the WAN Connection . . . . . . . . . . 6-29
Set the CIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-33
Set the EIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34
Bind the Physical Interface to the Logical Interface . . . . . . . . . . 6-35
Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-36
Settings Explained in Other Chapters . . . . . . . . . . . . . . . . . . . . . . 6-38
Configuring HDLC as the Data Link Layer Protocol . . . . . . . . . . . . . . 6-39
Create the HDLC Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-39
Activate the HDLC Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41
Configure an IP Address for the WAN Connection . . . . . . . . . . . 6-41
Bind the Physical Interface to the Logical Interface . . . . . . . . . . 6-43
Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-44
Settings Explained in Other Chapters . . . . . . . . . . . . . . . . . . . . . . 6-46
Example Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-46
Checking the Status of Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53
View the Status of Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53
Viewing the Status of PPP Interfaces . . . . . . . . . . . . . . . . . . . . . . 6-53
Viewing the Status of Frame Relay Interfaces and Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-55
Viewing the Status of HDLC Interfaces . . . . . . . . . . . . . . . . . . . . . 6-57
Viewing Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . 6-57
Troubleshooting Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58
Troubleshooting the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58
Troubleshooting PPP Authentication . . . . . . . . . . . . . . . . . . . . . . 6-62
Troubleshooting the Frame Relay Interface . . . . . . . . . . . . . . . . . . . . 6-65
Troubleshooting HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-69
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70
PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70
PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-71
Requiring the Peer to Authenticate Itself . . . . . . . . . . . . . . . . . . . 6-72
Authenticating to a Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-72
Frame Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-73
HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-75
7 ADSL WAN Connections
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
ADSL Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
ADSL Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
ADSL2 and ADSL2+: Enhancing Transmission Speeds . . . . . . . . 7-5
READSL: Supporting Greater Distances . . . . . . . . . . . . . . . . . . . . . 7-6
Elements of an ADSL Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
ADSL Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
ADSL Annex A and Annex B: Sharing the Line with Analog or ISDN Voice Traffic . . . . . . . . . . . . . . . . . . . . . . . . . 7-8
ADSL Splitters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
ADSL Without Splitters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
ADSL Modules for the ProCurve Secure Router . . . . . . . . . . . . . . . . . . . . 7-11
Configuring the ADSL Interface: the Physical Layer . . . . . . . . . . . . . 7-12
Accessing the ADSL Interface Configuration Mode Context . . . 7-12
Activating the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13
Defining the Training Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13
Setting the SNR-Margin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
Monitoring the SNR-Margin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16
Manually Forcing Retraining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16
Configuring the Data Link Layer for the ADSL Connection . . . . . . . 7-17
Creating the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Activating the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Configuring a Subinterface for each PVC . . . . . . . . . . . . . . . . . . . . . . 7-18
Creating the Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18
Activating the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Configuring the VPI/VCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Defining the ATM Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20
Assigning the ATM Subinterface an IP Address . . . . . . . . . . . . . . 7-20
OAM Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-26
Bind the ADSL Interface to the ATM Interface . . . . . . . . . . . . . . . . . . 7-27
Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27
PPPoE Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28
Two Phases for Establishing a PPPoE Session . . . . . . . . . . . . . . . . . . 7-29
Discovery Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29
PPP Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-31
Creating the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-32
Assigning an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-33
Binding the ATM Subinterface to the PPP Interface . . . . . . . . . . . . . 7-33
Identifying the Access Concentrator . . . . . . . . . . . . . . . . . . . . . . . . . . 7-34
Identifying PPPoE Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-35
PPPoA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-35
Creating the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37
Assigning an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37
Binding the ATM Subinterface to the PPP Interface . . . . . . . . . . . . . 7-38
Routed Bridged Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-39
Viewing the Status and Configuration of Interfaces . . . . . . . . . . . . . . . . . 7-41
Viewing the Status of the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . 7-41
Viewing the Status of the ATM Interface and Subinterface . . . . . . . . 7-44
Troubleshooting the ADSL Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46
Troubleshooting the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46
Identifying the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46
debug interface adsl events Command . . . . . . . . . . . . . . . . . . . . . 7-47
Troubleshooting the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-48
Troubleshooting the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . 7-49
debug atm oam Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-49
Troubleshooting PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-50
Troubleshooting the PPPoE Discovery Process . . . . . . . . . . . . . 7-50
show pppoe Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-51
Clear a PPPoE Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-52
debug pppoe client Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-52
Troubleshooting the PPP Link Establishment Process . . . . . . . . . . . 7-52
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-54
Configure the Physical Layer: the ADSL Interface . . . . . . . . . . . . . . . 7-54
Configure the Data Link Layer: the ATM Interface and Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-56
Configure ATM Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-56
Configure RBE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-58
Configure PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-59
Configure PPPoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-61
8 Configuring Demand Routing for Primary ISDN Modules
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Overview of ISDN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Elements of an ISDN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
The Local Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
ISDN Interfaces: Connecting Equipment to the ISDN Network . . . . . 8-8
Line Coding for ISDN BRI Connections . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
ISDN Data Link Layer Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
LAPD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10
Q.931 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
Call Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
ProCurve Secure Router ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
Primary ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Using Demand Routing for ISDN Connections . . . . . . . . . . . . . . . . . . . . . . 8-16
Define the Traffic That Triggers the Connection . . . . . . . . . . . . . . . . 8-18
Specifying a Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
Defining the Source and Destination Addresses . . . . . . . . . . . . . 8-20
Configuring the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
Creating the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
Configuring an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-24
Matching the Interesting Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Specifying the connect-mode Option . . . . . . . . . . . . . . . . . . . . . . 8-29
Associating a Resource Pool with the Demand Interface . . . . . . 8-30
Defining the Connect Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-30
Specify the Order in Which Connect Sequences Are Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
Configure the Number of Connect Sequence Attempts . . . . . . . 8-33
Configure Settings for the Recovery State . . . . . . . . . . . . . . . . . . 8-33
Understanding How the connect-sequence Commands Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
Configuring the idle-timeout Option . . . . . . . . . . . . . . . . . . . . . . . 8-37
Configuring the fast-idle Option . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38
Defining the caller-number Option . . . . . . . . . . . . . . . . . . . . . . . . 8-38
Defining the called-number Option . . . . . . . . . . . . . . . . . . . . . . . . 8-39
Configuring the Hold Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
Configuring the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
Accessing the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
Configuring the ISDN Signaling (Switch) Type . . . . . . . . . . . . . . 8-41
Configuring a SPID and LDN for ISDN BRI U Modules . . . . . . . 8-42
Configuring an LDN for BRI S/T Modules . . . . . . . . . . . . . . . . . . . 8-43
Activating the Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
Caller ID Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
Configuring the ISDN Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-44
Creating an ISDN Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-44
Assigning BRI Interfaces to the ISDN Group . . . . . . . . . . . . . . . . 8-44
Assigning the ISDN Group to a Resource Pool . . . . . . . . . . . . . . 8-45
Configuring the incoming-accept-number . . . . . . . . . . . . . . . . . . 8-45
Configuring a Static Route for the Demand Interface . . . . . . . . . . . . 8-46
Example of a Successful Demand Interface Call . . . . . . . . . . . . . . . . 8-48
MLPPP: Increasing Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-50
Configuring MLPPP for Incoming Calls . . . . . . . . . . . . . . . . . . . . 8-50
Configuring MLPPP for Demand Interfaces . . . . . . . . . . . . . . . . . 8-51
Example of MLPPP with Demand Routing . . . . . . . . . . . . . . . . . . 8-52
Configuring PPP Authentication for an ISDN Connection . . . . . . . . 8-53
Enabling PPP Authentication for All Demand Interfaces . . . . . . 8-54
Configuring PAP Authentication for a Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54
Configuring CHAP Authentication for a Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54
Configuring the Username and Password That the Router Expects to Receive . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
Configuring Peer IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
Example of Demand Routing with PAP Authentication . . . . . . . . . . 8-55
Setting the MTU for Demand Interfaces . . . . . . . . . . . . . . . . . . . . . . . 8-56
Configuring an ISDN Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57
Using Call Types and Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59
Default ISDN Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60
Viewing Information about Demand Routing . . . . . . . . . . . . . . . . . . . . . . . 8-61
Viewing the Status of the Demand Interface . . . . . . . . . . . . . . . . . . . . 8-61
Viewing a Summary of Information about the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63
Viewing the Status of the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . 8-64
Viewing Demand Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66
Viewing the Resource Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67
Show the Running-Config for the Demand Interface . . . . . . . . . . . . . 8-67
Troubleshooting Demand Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
Checking the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
Checking the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
Checking the ACL That Defines the Interesting Traffic . . . . . . . . . . . 8-71
Troubleshooting the ISDN Connection . . . . . . . . . . . . . . . . . . . . . . . . 8-72
Test Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-73
Line Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-75
Troubleshooting with Loopbacks . . . . . . . . . . . . . . . . . . . . . . . . . 8-75
Troubleshooting PPP for the ISDN Connection . . . . . . . . . . . . . . . . . 8-75
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-76
9 Configuring the E1 + G.703 and T1 + DSX-1 Modules
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Using an E1- or T1-Carrier Line for Data and Voice . . . . . . . . . . . . . . . . . . . 9-3
Drop-and-Insert Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Standards Supported by the Drop-and-Insert Modules . . . . . . . . . 9-3
Configuring the E1 + G.703 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Configuring the E1 Interface for Data Communications . . . . . . . . . . . 9-5
Assigning Channels to the E1 Interface . . . . . . . . . . . . . . . . . . . . . 9-5
Setting the Clock Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Accessing the G.703 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Configuring Line Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Configuring Frame Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Enabling TS16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Activating the Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
Checking the Status of the G.703 Interface . . . . . . . . . . . . . . . . . . . . . 9-10
Viewing Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
Troubleshooting the G.703 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
Alarms or Errors That Will Not Clear . . . . . . . . . . . . . . . . . . . . . . 9-12
Yellow Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Interface Is Accruing Errored Seconds and Clock Slips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Configuring the T1 + DSX-1 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Configuring the T1 Interface for Data Communications . . . . . . . . . . 9-14
Assigning Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14
Setting the Clock Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15
Accessing the T1 Interface for the DSX-1 Port . . . . . . . . . . . . . . . . . . 9-16
Configuring Line Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Configuring Frame Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Setting the Line Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Configuring Signaling Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Activating the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19
Checking the Status of the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . 9-19
Viewing Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20
Troubleshooting the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20
Alarms or Errors That Will Not Clear . . . . . . . . . . . . . . . . . . . . . . 9-20
Yellow Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Interface Is Accruing Errored Seconds and Clock Slips . . . . . . . 9-21
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Configuring the E1 + G.703 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Configuring the E1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Configuring the G.703 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23
Configuring the T1 + DSX-1 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-24
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . 9-24
Assigning the Channels to the T1 Interface . . . . . . . . . . . . . . . . . 9-24
Configuring the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25
10 Bridging—Transmitting Non-IP Traffic or Merging Two Networks
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Transmitting Non-IP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Merging Two Remote Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Configuring Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Configuring a Bridge Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Assigning an Interface to the Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Disabling IP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Viewing the Bridge Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Troubleshooting Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Configuring Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12
STP BPDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12
STP States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
RSTP Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
RSTP and STP Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
Configuring RSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
Determining Which Device Becomes Root: Setting the Router’s Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-18
Determining Which Links Are Chosen: Setting Link Cost . . . . 10-18
Setting Interface Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19
Altering Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22
Configuring STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23
Using the BPDU Filter to Disable STP or RSTP . . . . . . . . . . . . . . . . 10-23
Troubleshooting Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24
Testing Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24
Addressing Common Spanning Tree Problems . . . . . . . . . . . . . . . . . 10-25
Slow Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27
Incorrect Path Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29
11 IP Routing—Configuring Static Routes
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Network Addresses and Subnet Masks . . . . . . . . . . . . . . . . . . . . . 11-4
Classful Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5
CIDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7
Destination Network Address and Subnet Mask . . . . . . . . . . . . . 11-7
Next-Hop Address and Forwarding Interface . . . . . . . . . . . . . . . 11-8
Administrative Distance and Metric . . . . . . . . . . . . . . . . . . . . . . . 11-8
Other Information Stored in a Route . . . . . . . . . . . . . . . . . . . . . . . 11-9
Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Dynamic Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Static Routing Versus Dynamic Routing . . . . . . . . . . . . . . . . . . . . . . 11-10
Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Fast Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Configuring Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Configuring a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14
Configuring a Floating Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16
Configuring a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Configuring a Route through the Null Interface . . . . . . . . . . . . . . . . 11-18
Configuring Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-20
Enabling Fast Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
Troubleshooting Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Monitoring the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Using the Routing Table to Troubleshoot Static Routing . . . . . 11-25
Monitoring Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26
Clearing Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Connecting Simple Remote Sites . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Routing Traffic to an ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-31
12 Domain Name System (DNS) Services
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Host and Domain Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Host Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Authoritative and Caching Name Servers . . . . . . . . . . . . . . . . . . . . . . 12-4
DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
ProCurve Secure Router DNS Support . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
Static DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7
Custom DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7
Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
Enabling DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
Adding an Entry to the Router’s Host Table . . . . . . . . . . . . . . . . . . . . 12-9
Specifying DNS Server Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Enabling the Router to Act as a Name Server . . . . . . . . . . . . . . . . . . 12-10
Troubleshooting DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Debugging DNS Server Activity . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Debugging DNS Client Activity . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15
Opening an Account with DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
Configuring the Interface’s IP Address . . . . . . . . . . . . . . . . . . . . . . . . 12-16
Setting a Dynamic Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
Specifying a Static Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
Activating the Dynamic DNS Client . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
Special Considerations for Configuring Custom DNS . . . . . . . . . . . 12-18
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-19
Configuring the ProCurve Secure Router as a DNS Client . . . . . . . 12-19
Configuring the ProCurve Secure Router as a Name Server . . . . . . 12-20
Configuring a Dynamic DNS Client on a ProCurve Secure Router Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
13 Dynamic Host Configuration Protocol (DHCP)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
DHCP Request Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
The ProCurve Secure Router as a DHCP Server . . . . . . . . . . . . . . . . . 13-4
The ProCurve Secure Router as a DHCP Client . . . . . . . . . . . . . . . . . 13-5
DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Configuring a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Excluding Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Creating a DHCP Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Specifying the Network Address and Subnet Mask . . . . . . . . . . . 13-8
Specifying the Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
Changing a Pool’s Lease Time . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-10
Specifying DNS, WINS, and Other Servers . . . . . . . . . . . . . . . . . 13-11
Specifying a Domain Name for the Subnet . . . . . . . . . . . . . . . . . 13-12
Specifying a Bootfile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12
Configuring Parent and Child Pools . . . . . . . . . . . . . . . . . . . . . . . . . . 13-13
Example DHCP Pool Configuration . . . . . . . . . . . . . . . . . . . . . . 13-14
Assigning a Fixed Address to a Host through a DHCP Server . . . . 13-14
Configuring DHCP Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-15
Configuring the DHCP Server’s Ping Settings . . . . . . . . . . . . . . . . . . 13-17
Managing and Troubleshooting the DHCP Server . . . . . . . . . . . . . . . . . . 13-18
Viewing DHCP Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-19
Monitoring the DHCP Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-19
Clients Unable to Receive a DHCP Address . . . . . . . . . . . . . . . . 13-20
Client Receiving the Wrong Fixed DHCP Address . . . . . . . . . . 13-21
Configuring a Router Interface as a DHCP Client . . . . . . . . . . . . . . . . . . 13-21
Configuring a Dynamic Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22
Setting an Interface’s Client ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-23
Setting the Interface’s Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-24
Preventing the Interface from Taking Other Configurations . . . . . . 13-24
Configuring a Static Hostname for an Interface with a Dynamic Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-25
Managing and Troubleshooting the DHCP Client . . . . . . . . . . . . . . . . . . 13-26
Viewing the Interface’s Lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-26
Releasing and Renewing Dynamic Addresses . . . . . . . . . . . . . . . . . . 13-27
Monitoring DHCP Client Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-27
Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-32
Configuring a DHCP Server for a Network . . . . . . . . . . . . . . . . . . . . 13-33
Assigning a Fixed DHCP Address to a Single Host . . . . . . . . . . . . . . 13-34
Configuring a Router Interface as a DHCP Client . . . . . . . . . . . . . . . 13-36
xxi
14 Using the Web Browser Interface for Basic Configuration Tasks
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
Configuring Access to the Web Browser Interface . . . . . . . . . . . . . . . . . . 14-4
Enabling Access to the Web Browser Interface . . . . . . . . . . . . . . . . . 14-4
Managing Files, Firmware, Boot Software, and the AutoSynch™ Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
The AutoSynch™ Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7
Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-10
Reboot Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13
Telnet to Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-14
Enabling IP Services on the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-15
Web Access Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17
Configuring Passwords to Control Management Access to the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-18
Encrypting All the Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-18
Configuring a Local User List: Passwords for Web, SSH, and FTP Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-19
Configuring an Enable Mode Password . . . . . . . . . . . . . . . . . . . . . . . 14-21
Configuring a Password for Telnet Access . . . . . . . . . . . . . . . . . . . . 14-22
Configuring a Password for Console Access . . . . . . . . . . . . . . . . . . . 14-23
Configuring a Password for SSH Access . . . . . . . . . . . . . . . . . . . . . . 14-24
Configuring a Password for HTTP Access . . . . . . . . . . . . . . . . . . . . . 14-25
Configuring a Password for FTP Access . . . . . . . . . . . . . . . . . . . . . . 14-26
Using the AAA Subsystem to Control Management Access . . . . . . 14-27
Configuring Authentication Using a RADIUS Server . . . . . . . . 14-28
Configuring Authentication Using a TACACS+ Server . . . . . . . 14-29
Configuring Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-31
IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-32
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-33
Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-34
Ethernet Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-34
Releasing/Renewing a DHCP IP Address . . . . . . . . . . . . . . . . . . . . . . 14-34
Configuring PPPoE for the Ethernet Interface . . . . . . . . . . . . . . . . . 14-35
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-37
Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-37
View Statistics for the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . 14-38
Configuring E1 and T1 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-39
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-42
Configuring a Serial Interface for an E1- or T1-Carrier Line . . . . . . . . . 14-44
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-46
Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-46
Configure PPP as the Data Link Layer Protocol . . . . . . . . . . . . . . . . 14-47
IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-48
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-49
Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-49
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50
PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50
Requiring a Peer to Authenticate Itself to the Local Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50
Configuring the Local Router to Authenticate Itself to a Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-51
Configure Frame Relay as the Data Link Layer Protocol . . . . . . . . . 14-52
Configure a Permanent Virtual Circuit (PVC) . . . . . . . . . . . . . . 14-54
Configure IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-56
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-56
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-56
Configure HDLC as the Data Link Layer Protocol . . . . . . . . . . . . . . 14-58
IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-59
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-59
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-60
Configuring ADSL Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-61
Configure an ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-63
Configure the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-63
Configuring ATM Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-66
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-68
Configuring PPPoE or PPPoA for the ADSL Connection . . . . . . . . 14-68
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-70
Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-70
View Statistics for the PPP Interface . . . . . . . . . . . . . . . . . . . . . . 14-70
ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-71
E1 + G.703 and T1 + DSX-1 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-74
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-76
Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-77
Configuring Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-77
Configuring the Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . 14-80
Viewing a Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-81
Setting Global Spanning Tree Parameters . . . . . . . . . . . . . . . . . 14-82
Configuring Spanning Tree Settings for Individual Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-84
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-86
Configuring a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-86
Configuring a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-88
DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-89
Configuring DNS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-89
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-91
Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-94
Configuring a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-94
Configuring a DHCP Pool for a Subnet . . . . . . . . . . . . . . . . . . . . 14-95
Assigning a Single Host a Fixed Address . . . . . . . . . . . . . . . . . . 14-97
Configuring an Interface as a DHCP Client . . . . . . . . . . . . . . . . . . . . 14-98
Configuring UDP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-100
A Appendix A: Configuring the Router to Boot from Compact Flash
Updating the Boot Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
B Appendix B: Glossary
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
1 Overview
Contents
Using This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Understanding Command Syntax Statements . . . . . . . . . . . . . . . . . . . . 1-5
CLI Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
IP Address Notation Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Quick Starts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Obtaining Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Downloading Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Interface Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Accessing the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . 1-11
Using the ProCurve Web Browser Interface . . . . . . . . . . . . . . . . 1-12
Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
ProCurve Secure Router Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
E1 and T1 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
ISDN Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
Backup Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
Wide-Slot Option Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
Interface Numbering Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
Power LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
Fault LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
1-1
OverviewContents
LEDs for Slots 1 and 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Backup LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Tx and Rx LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Slot 3 LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Status LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Activity LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Test LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Ethernet and Activity LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Activity LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Link LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Optional IPSec VPN Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Compact Flash Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28
Redundant Power Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
Bootup Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
Advantages of Booting From Compact Flash . . . . . . . . . . . . . . . . 1-32
Setting Up a Compact Flash Card From Which to Boot the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Saving Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
AutoSynch™ Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Secure Router OS Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Basic Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Enable Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Global Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37
Commands Available in the Basic, Enable, or Global Configuration Mode Contexts . . . . . . . . . . . . . . . . . . . . . . 1-39
Basic Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40
Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40
Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
Terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Wall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Enable Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-44
Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45
Configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46
Copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46
Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Dir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50
Erase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50
Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Undebug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56
Write . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56
show tech . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-57
Updating the Boot Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-59
Global Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . 1-60
hostname Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60
autosynch Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60
Support for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61
SafeMode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61
Help Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64
CLI Help Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64
Editing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64
no . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
Bootstrap Mode Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70
Compact Flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70
AutoSynch™ Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70
Using the reload in Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-72
Managing Configuration Files Using a Text Editor . . . . . . . . . . . . . . . . . . 1-73
Creating and Transferring Configuration Files . . . . . . . . . . . . . . . . . . 1-75
Configuration File Transfer Using the Console Port . . . . . . . . . . 1-76
Configuration File Transfer Using a TFTP Server . . . . . . . . . . . . 1-78
Configuration File Transfer Using a Compact Flash Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-81
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-83
Accessing the Secure Router OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-83
Using This Guide
The ProCurve Secure Router Management and Configuration Guide describes how to use the ProCurve Secure Router 7000 series in a network environment. Specifically, it focuses on two models:
■ ProCurve Secure Router 7102dl
■ ProCurve Secure Router 7203dl
This guide describes how to use the command line interface (CLI) and the Web browser interface to configure, manage, monitor, and troubleshoot basic router operation. In particular, this guide focuses on configuring the router’s physical interfaces and basic Data Link Layer protocols to establish LAN and WAN connections.
This guide assumes that your router uses the J04_01 SROS image or later. If the router runs J_03 or earlier, see the ProCurve Secure Router 7000dl Series Management and Configuration Guide for instructions.
If you need information on how to configure advanced router functions such as virtual private networks (VPNs), multilink connections, backup connections, network address translation (NAT), quality of service (QoS), multicasting, or routing protocols, see the ProCurve Secure Router Advanced Management and Configuration Guide.
Understanding Command Syntax Statements
This guide uses the following conventions for command syntax and information.
Syntax: show access-lists [<listname>]
Syntax: [permit | deny] [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>]
■ Carats ( < > ) enclose a description of a command element, a part of the command in which you enter information specific to your particular router or WAN. For example, in the first command shown above, you replace <listname> with the name of a particular access control list (ACL) configured on your router.
■ Square brackets ( [ ] ) are used in two ways:
• They enclose a set of options. When entering the command, you select one option from the set. For example, in the second command shown above, you would enter any or host <A.B.C.D> or <A.B.C.D> <wildcard bits>.
• They indicate an optional element. You can include the optional element in the command, but it is not required.
■ Vertical bars ( | ) separate alternative, mutually exclusive elements.
■ Carats within square brackets ( [ < > ] ) indicate that you may optionally add the information specific to your router or WAN to the command. For example, in the first command above, you can either replace <listname> with the name of a specific ACL or not enter a name at all to view all ACLs.
■ Braces ( { } ) indicate an embedded option.
■ Bold typeface is used for simulations of actual keys. For example, the “Y” key appears as y.
■ Italics indicate an element that you must replace with information that is specific to your router or WAN.
When examples of commands are included in this guide, the guide notes the context required for the command and displays the context as it appears in the CLI.
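As an added illustration (not part of the guide), the following Python matcher applies the carat, square-bracket and vertical-bar conventions above to check whether a typed command is one of the forms a Syntax statement allows. It encodes the guide's two uses of square brackets as a single rule, which is an assumption of this example: brackets containing | mean "choose exactly one", brackets around a single element mean "optional"; braces { } are not handled.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Union

# A <placeholder> (possibly containing spaces, e.g. "<wildcard bits>") is kept
# as one token; '[' ']' '|' are structural; anything else is a literal keyword.
_TOKEN = re.compile(r"<[^>]*>|\[|\]|\||[^\s\[\]|<>]+")

# The two syntax statements quoted in the guide, used as sample input.
ACL_SHOW = "Syntax: show access-lists [<listname>]"
ACL_ENTRY = "[permit | deny] [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>]"


@dataclass
class Group:
    """A bracketed element of a syntax statement."""
    alternatives: List[List["Node"]]
    optional: bool  # [x] = may be omitted; [x | y] = choose exactly one


Node = Union[str, Group]  # str is a keyword or a "<...>" placeholder


def _parse_alternatives(tokens: List[str], pos: int):
    """Parse '|'-separated sequences up to a closing ']' or end of input."""
    alternatives: List[List[Node]] = [[]]
    while pos < len(tokens) and tokens[pos] != "]":
        tok = tokens[pos]
        if tok == "|":
            alternatives.append([])
            pos += 1
        elif tok == "[":
            inner, pos = _parse_alternatives(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != "]":
                raise ValueError("unbalanced '[' in syntax statement")
            pos += 1
            # Assumed rule for the guide's two uses of [ ]: a set of
            # alternatives means pick one; a single element means optional.
            alternatives[-1].append(Group(inner, optional=len(inner) == 1))
        else:
            alternatives[-1].append(tok)
            pos += 1
    return alternatives, pos


def parse_syntax(statement: str) -> List[Node]:
    """Turn a 'Syntax:' statement into a sequence of nodes."""
    tokens = _TOKEN.findall(statement.replace("Syntax:", "", 1))
    alternatives, pos = _parse_alternatives(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unbalanced ']' in syntax statement")
    if len(alternatives) != 1:
        raise ValueError("top-level '|' must be enclosed in [ ]")
    return alternatives[0]


def _match_node(node: Node, words: List[str], pos: int) -> Set[int]:
    """Every word index at which 'node' could end when matched at 'pos'."""
    if isinstance(node, Group):
        ends = {pos} if node.optional else set()
        for alt in node.alternatives:
            ends |= _match_sequence(alt, words, pos)
        return ends
    if pos >= len(words):
        return set()
    if node.startswith("<"):  # placeholder: any single user-supplied word
        return {pos + 1}
    return {pos + 1} if words[pos] == node else set()


def _match_sequence(seq: List[Node], words: List[str], pos: int) -> Set[int]:
    """Thread every reachable end position through the sequence in order."""
    ends = {pos}
    for node in seq:
        ends = set().union(*(_match_node(node, words, p) for p in ends))
        if not ends:
            break
    return ends


def matches(statement: str, command: str) -> bool:
    """True if 'command' is one of the forms the syntax statement allows."""
    words = command.split()
    return len(words) in _match_sequence(parse_syntax(statement), words, 0)


if __name__ == "__main__":
    for stmt, cmd in [(ACL_SHOW, "show access-lists"),
                      (ACL_SHOW, "show access-lists inbound"),
                      (ACL_ENTRY, "deny host 10.1.1.1"),
                      (ACL_ENTRY, "permit 10.1.1.0 0.0.0.255"),
                      (ACL_ENTRY, "permit host")]:
        print(f"{cmd!r:32} -> {matches(stmt, cmd)}")
```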
CLI Prompt
When you first boot up your ProCurve Secure Router, the CLI prompt indicates the router model:
ProCurveSR7102dl>
ProCurveSR7203dl>
For simplicity, throughout this manual the CLI prompt will be shown as:
ProCurve>
You can change the name displayed at the prompt of your router by changing the router’s hostname. See “hostname Command” on page 1-60 for instructions.
IP Address Notation Convention
You must sometimes enter an IP address or addresses as part of a command. For example, you might need to assign an IP address to a logical interface on the ProCurve Secure Router, or you might need to enter an IP address to be filtered by an ACL.
When you enter IP addresses, you must use one of the following formats:
■ IP address with subnet mask:
Syntax: ip address 192.168.1.1 255.255.255.0
■ IP with Classless Inter-Domain Routing (CIDR) notation (prefix length):
Syntax: ip address 192.168.1.1 /24
Quick Starts
Each chapter includes a Quick Start section that provides the instructions you need to quickly configure the functions described in that chapter on your ProCurve Secure Router. Designed for experienced network administrators, the Quick Start sections provide minimal explanation.
The first time you perform a task, ProCurve Networking strongly recommends that you read the entire chapter so you thoroughly understand how to manage the ProCurve Secure Router. If you begin to use the Quick Start instructions and find that you need additional information about a specific aspect of the configuration, check the “Contents” for that chapter to locate the section that contains the explanation you need.
The Quick Start section is located at the end of each chapter. For the specific page number, consult the “Contents” pages located at the beginning of each chapter.
Obtaining Additional Information
You will need the Adobe® Acrobat® Reader to view, print, or copy product documentation. To obtain the additional documentation, follow these steps:
1. Access the ProCurve Networking Web site at http://www.procurve.com.
2. Click Technical support in the bar on the left side of the screen, and then click Product manuals. (See Figure 1-1.)
3. Click the name of the product for which you want documentation.
4. On the resulting Web page, double-click the document you want.
5. When the document file opens, click the disk icon in the Acrobat® toolbar and save a copy of the file.
Figure 1-1. The ProCurve Technical Support Web Page
Downloading Software Updates
ProCurve Networking periodically updates the router software to include new features. You can download software updates and the corresponding release notes from ProCurve Networking’s Web site as described below.
To download software, complete the following steps:
1. Access the ProCurve Networking Web site at http://www.procurve.com.
2. Click Software updates (in the sidebar). (See Figure 1-2.)
3. Under Latest software, click Secure Router 7000dl Series.
Figure 1-2. Downloading Software Updates
Release notes are included with the software updates and provide information about:
■ new features and how to configure and use them
■ software management, including downloading the new software to the router
■ software fixes addressed in current and previous releases
Interface Management Options
The ProCurve Secure Router includes two management interfaces: the command line interface (CLI) and the Web browser interface.
CLI
To initially access the CLI, connect the COM port on your workstation to the console port on the front panel of the router. Use the serial cable (5184-1894) that was shipped with the ProCurve Secure Router. Then run terminal session software such as Tera Term or Hyper Terminal on your workstation, setting the following parameters for the session:
■ Baud Rate = 9600
■ Parity = None
■ Data Bits = 8
■ Stop Bits = 1
■ Flow Control = None
Using the CLI provides you an organized, linear path to help you configure your router. This guide will focus primarily on configuring the router through the CLI.
Web Browser Interface
You can also manage the ProCurve Secure Router through the Web browser interface, which allows you to navigate the router’s operating system (OS) in a GUI environment. Even if you are a dedicated CLI user, you should try out this easy-to-use Web browser interface. You will find it especially helpful for more complicated tasks such as configuring access control policies (ACPs) and virtual private networks (VPNs). (See Figure 1-3.) In fact, the Web browser interface provides wizards to help you configure VPNs, the router’s built-in firewall, or QoS for VoIP.
Figure 1-3. Configuring ACPs Using the Web Browser Interface
Accessing the Web Browser Interface
To access the Web browser interface, you must first establish a CLI session and configure at least one interface through which you can establish an HTTP session with the router. You must also enable the HTTP server on the router and configure a password for HTTP access. (For information about enabling access to the Web browser interface, see “Enabling Access to the Web Browser Interface” on page 14-4.)
Using the ProCurve Web Browser Interface
The ProCurve Web browser interface is organized into the following sections:
■ System
■ Router/Bridge
■ Firewall
■ VPN
■ Utilities
The System section of the interface contains general router functions. In this section, you can:
■ configure WAN and LAN connections
■ configure IP services
■ enable the Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers
■ set the router’s hostname and add entries to the DNS host table
■ configure Link Layer Discovery Protocol (LLDP) settings
You can also click Getting Started to display a help menu, or select System Summary to display information about the router. Click Physical Interfaces for a list of interfaces (including status and type) on your router.
The Router/Bridge section allows you to configure the router’s bridging and routing functions. You can set a default gateway, configure the IP interfaces, set up quality of service (QoS) maps and routing protocols, and add entries to the route table. You can also configure the router to act as a bridge and participate in a spanning tree.
The firewall wizard can be found in the Firewall section. Click Firewall Wizard to open the wizard in a new window. The wizard guides you through establishing policies for controlling access to your network. From the Firewall section, you can also enable specific application-level gateways (ALGs) and set protocol timeouts.
The VPN section includes a wizard that simplifies the process of configuring an IPSec-compliant VPN. The VPN section eliminates the difficulty of remembering the many commands necessary for configuring a VPN in the CLI. The VPN section only appears in the Web browser interface if you have installed an optional IPSec encryption module in the rear panel of your router.
You can perform most of your file maintenance in the Utilities section. Click Configure to complete tasks such as saving, downloading, uploading, and deleting files. You can also click Firmware to view information about your router’s current OS and upload any necessary upgrades. You can click Reboot and restart the router, and you can also set up a Telnet session by clicking Telnet to Unit.
Note: In the CLI, boot and configuration files are referred to as software. In the Web browser interface, the boot and configuration files are called firmware.
For more information on how to configure your ProCurve Secure Router using the Web browser interface, see Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.
Hardware Overview
This section provides a brief overview of external features, slots, and modules on the ProCurve Secure Router 7000dl Series. The ProCurve Secure Router 7000dl Series includes two models: the ProCurve Secure Router 7102dl and the ProCurve Secure Router 7203dl. Both models include two narrow module slots. The ProCurve Secure Router 7203dl also includes one wide module slot.
ProCurve Secure Router Front Panel
To make accessing the router and connecting it to other devices more convenient, the console interface and all physical link ports are located on the front panel of the router. The front panel of each router includes two Ethernet interfaces and two narrow dl option module slots that can house your two choices from among ten narrow modules. The ProCurve Secure Router 7203dl also provides a wide module slot to support up to eight additional T1 or E1 lines.
The following sections briefly introduce the features on the front of your ProCurve Secure Router.
Console Port
The console port, which is a DB-9 DTE male connector, allows you to manage the ProCurve Secure Router locally. To access the CLI, use the serial cable (5184-1894) supplied with the router to connect the console port to the COM port on your laptop or PC. (See Figure 1-4.)
1-13
OverviewHardware Overview
Figure 1-4. Connecting to the Console Port
Ethernet Ports
Because the two Ethernet ports are not modular, they are assigned a fixed slot and port number. For interface notation purposes, these ports are labeled Eth 0/1 and Eth 0/2. (See Figure 1-5.)
Figure 1-5. Connecting to the Two Ethernet Ports
The Ethernet ports support a 10 Mbps or a 100 Mbps connection. Connect these ports to your LAN using 10Base-T or 100Base-T cabling with an RJ-45 connector that meets the EIA/TIA-568-A and 568-B standards. For a 10 Mbps connection, use a Category 3 cable or better. For a 100 Mbps connection, use a Category 5 cable or better.
Slots
The ProCurve Secure Router models 7102dl and 7203dl are both equipped with two narrow slots. (See Figure 1-6.)
Figure 1-6. Two Narrow Slots
Each slot can house one of the ten narrow modules available for WAN connections. (See Table 1-1.)
Table 1-1. Narrow Slot Modules
Module | Type of Module | Explanation
E1 modules (one-port module, two-port module) | E1 module with integrated DSU | supports E1-carrier lines when the service provider does not provide an external DSU
T1 modules (one-port module, two-port module) | T1 module with integrated CSU/DSU | supports T1-carrier lines when the service provider does not provide an external CSU/DSU
E1 + G.703 module | E1 for data and analog voice | allocates some channels of the E1-carrier line for data transmission and some channels for voice (through a PBX)
T1 + DSX-1 module | T1 for data and analog voice | allocates some channels of the T1-carrier line for data transmission and some channels for voice (through a PBX)
serial module | T1- or E1-carrier line that connects to an external CSU/DSU using a serial connector | supports E1- or T1-carrier lines when the service provider provides an external CSU/DSU
ADSL2+ Annex A module | ADSL2+ for most regions of North America | provides up to 25 Mbps downstream and 1.544 Mbps upstream; enables analog voice traffic to be transmitted at lower frequencies on the local loop
ADSL2+ Annex B module | ADSL2+ for Germany and other areas of the world | provides up to 25 Mbps downstream and 1.544 Mbps upstream; enables Integrated Services Digital Network (ISDN) voice and fax traffic to be transmitted at lower frequencies on the local loop
ISDN module (two ports) | ISDN BRI for voice and data | provides cost-efficient, dial-up WAN access
Note: For information on these or additional modules, please check the ProCurve Web site at www.procurve.com. Click on Products & Solutions in the left bar, then click on Secure Router 7000dl series under WAN.
E1 and T1 Modules
E-carrier lines are used in Europe, Asia, Australia, and South America. T-carrier lines are used in the United States, Canada, and, to some degree, in Japan.
Note: Japan uses J-carrier lines for voice and both T-carrier and E-carrier lines for data. J-carrier lines are not supported by the ProCurve Secure Router.
The type of module you purchase to support your E1 or T1 WAN connection depends on how your public carrier implements the Channel Service Unit/Digital Service Unit (CSU/DSU) that is required for E1- and T1-carrier lines. The CSU/DSU has two main functions. The DSU accepts traffic from the router and translates it from the signaling format used on the LAN to the format necessary for transmission on the WAN. The CSU then generates the signal to be sent across the WAN.
The public carrier can provide:
■ the CSU/DSU as one complete unit
■ only the CSU
■ neither the CSU nor the DSU
Common practice varies depending on the region in which the public carrier operates. In Europe, Asia, Australia, or South America, the public carrier will either provide the CSU/DSU or just the CSU. In North America, the public carrier will provide the CSU/DSU, or the public carrier will not provide either the CSU or DSU. (For more information about E1- and T1-carrier lines, see Chapter 4: Configuring E1 and T1 Interfaces.)
E1 Modules. If you are leasing an E1-carrier line and the public carrier provides only the CSU, you will need to purchase one of the E1 modules, which include a built-in DSU. (See Figure 1-7.) You can select:
■ a one-port E1 module, which supports a full E1-carrier line (32 channels or 2.048 Mbps)
■ a two-port E1 module, which provides 2.048 Mbps on each interface (4.096 Mbps total)
■ an E1 + G.703 module, which enables you to use some channels for data and some channels for voice
Figure 1-7. E1 Modules
T1 Modules. If you are leasing a T1-carrier line and the public carrier does not provide a CSU/DSU, you will need to purchase one of the three narrow slot T1 modules, which include a built-in CSU/DSU. (See Figure 1-8.) Select:
■ a one-port T1 module, which supports a full T1-carrier line (24 channels or 1.544 Mbps)
■ a two-port T1 module, which provides 1.544 Mbps on each interface (3.088 Mbps total)
■ a T1 + DSX-1 module, which enables you to use some channels for data and some channels for voice
Figure 1-8. T1 Modules
Serial Module. If you lease an E1- or T1-carrier line and the public carrier provides an external CSU/DSU, you will need to purchase the serial module. (See Figure 1-9.)
Figure 1-9. Serial Module
ADSL2+ Annex A or Annex B Module. The ADSL2+ modules provide bandwidth up to 25 Mbps downstream and 1.544 Mbps upstream. Because ADSL also supports analog voice on the local loop, existing telephone equipment and fax machines can continue to carry traffic on the same line. The ADSL2+ Annex A module supports analog voice over the Plain Old Telephone Service (POTS). The ADSL2+ Annex B module supports ISDN voice and fax traffic. (See Figure 1-10.)
Figure 1-10. ADSL Modules
ISDN Module
The two-port ISDN module provides two Basic Rate Interface (BRI) lines for dial-up connections. Each ISDN BRI line can deliver a maximum bandwidth of 128 Kbps. (See Figure 1-11.) The S/T interface module is most often used outside North America. The U interface module is used in WAN connections in the United States and Canada.
Figure 1-11. ISDN BRI Modules
Backup Modules
A backup connection protects a company’s WAN operations against system failure. Three types of backup modules are available for the ProCurve Secure Router:
■ ISDN BRI S/T backup module for use outside of North America—supports a 64 Kbps backup call or a bonded 128 Kbps call
■ ISDN BRI U backup module for use in the US and Canada—supports a 64 Kbps backup call or a bonded 128 Kbps call
■ VTU V.90 compliant analog modem—provides a connection speed of up to 56 Kbps
Note: Backup ISDN call bonding is currently a ProCurve proprietary technology. If you bond your BRI backup call, your router can only place the call to another ProCurve Secure Router.
With the ProCurve Secure Router, it is not necessary to devote an entire module slot for a backup connection. Each module includes a backup interface port. To activate the backup interface, you must purchase a separate backup module and install it on top of the module, as shown in Figure 1-12.
Figure 1-12. Installing a Backup Module on Top of a Narrow Slot Module
Each backup module can be used to back up any WAN connection on the router, no matter where the backup module is housed.
Wide-Slot Option Modules
The ProCurve Secure Router 7203dl includes a third, wide-module slot. ProCurve offers an eight-port E1/T1 module and an eight-port serial module. (See Figure 1-14 and Figure 1-15.) The eight-port E1/T1 module supports both E1 and T1 formats and can be toggled between the two. The toggle switch is located on the top of the module. Set the switch to ON for E1 format; set the switch to 1 for T1 format. Figure 1-13 shows the location of the toggle switch on the module.
Figure 1-13. E1/T1 Toggle Switch
Note: Although the ProCurve Secure Router 7203dl can support up to 12 E1 or T1 lines, the router only supports enough throughput for up to 8 E1 or T1 lines.
You can configure each of the eight ports independently with separate clock sources, frame formats, and other specifications.
Figure 1-14. The Eight-port T1/E1 Module
Figure 1-15. The Eight-port T1/E1 Serial Module
Interface Numbering Conventions
When configuring a WAN connection, you will need to specify the slot and port of the physical interface that is providing the connection. The syntax for specifying a physical interface is <interface> <slot>/<port>.
Replace <interface> with the name of the interface. For example, for E1 interfaces, you would use e1, and for ADSL interfaces you would use adsl. For ISDN interfaces, use bri.
Replace <slot> with the slot number in which the module is inserted. The slots on the router are numbered from left to right. The left narrow slot is slot 1, and the slot to the right is slot 2. If you have a ProCurve Secure Router 7203dl, the wide module is installed in slot 3, the rightmost slot.
Finally, replace <port> with the number of the port on the module. Like the slots, the ports are numbered from left to right. The port number is printed below each port on the module. (See Figure 1-14)
For example, if you have a two-port T1 module in slot one, you would configure the left T1 port by entering:
ProCurve(config)# interface t1 1/1
To configure the other T1 port, you would enter:
ProCurve(config)# interface t1 1/2
As mentioned earlier, the Ethernet interfaces are also labeled in <slot>/<port> notation as eth 0/1 and eth 0/2.
Status LEDs
ProCurve Secure Routers feature LEDs on the front panel to provide information about the condition of the router itself and of the modules you have installed. This section describes how to interpret these LEDs.
Power LED
The power LED indicates the router’s power status. (See Figure 1-16 for its location on the front panel.) It displays one of the following:
■ No light—The AC power input is off.
■ Solid green—The power is on.
Figure 1-16. Power and Fault LEDs
Fault LED
The fault LED is located directly below the power LED. (See Figure 1-16.) It flashes orange to indicate any fault condition, including:
■ a cooling fan failure
■ a failure in the option modules
If the power source in the ProCurve Secure Router 7102dl fails, the router turns off, as do its LEDs. However, the ProCurve Secure Router 7203dl features a redundant power source (RPS) outlet to provide greater network stability. When a problem occurs with the primary power source, the fault LED flashes orange, and the RPS begins to supply power to the ProCurve Secure Router. Problems with the primary power source include:
■ AC power not being received
■ primary AC/DC power converter failure
When the fault LED is flashing slowly on a ProCurve Secure Router 7203dl, the RPS is currently in use.
LEDs for Slots 1 and 2
Both the ProCurve Secure Router 7102dl and 7203dl have two columns of LEDs that report information about the modules installed in the narrow slots. As you would expect, column 1 reports information about the module in slot 1, and column 2 reports information about the module in slot 2. Each column contains four LEDs; each LED monitors a different aspect of the module’s Physical and Data Link Layer connections. (See Figure 1-17.)
Figure 1-17. Two Columns of LEDs Report Information about the Modules in Slots 1 and 2.
Status LEDs
The first LED in each column signals whether or not the module in the corresponding slot is functional and connected to the network. The status LED can display one of the following:
■ No light—No module has been installed, or the interface is administratively down. An interface is administratively down until you activate it.
■ Red—A module has been installed, and the corresponding interface has been activated, but no valid physical connection has been established. Red LEDs may also indicate other problems with the interface, such as:
• a self-test failure
• an active WAN alarm condition
■ Green—A module has been installed and activated, and the physical connection is up and operational.
■ Yellow—An interface on the module is being tested.
Backup LEDs
The second LED in each column reports the status of the backup module, if a backup module is installed. The LED in the first column corresponds to the backup module in slot one, and the LED in the second column corresponds to the module in slot two. The status LEDs for backup modules can display one of the following:
■ No light—A backup module has not been installed and activated.
■ Red—The backup module has been activated and configured, but a valid physical connection has not been made. A red LED may also indicate that the backup interface has received a WAN alarm or has failed a self-test.
■ Solid green—The module is ready to be used if a connection that it backs up should fail. For ISDN BRI backup modules, a solid green light further indicates that the module has completed negotiation with the switch.
■ Yellow—A self-test is in process.
■ Flashing green—The backup link is currently active.
Tx and Rx LEDs
The Tx and Rx LEDs signal WAN activity across the corresponding interface’s link. The third (Tx) LED in each column signals that the interface is transmitting data, and the fourth (Rx) LED indicates that the interface is receiving data. Tx and Rx LEDs signal the following:
■ Off—The link is inactive.
■ Green—Data is being transferred across the WAN or backup interface.
Slot 3 LEDs
The ProCurve Secure Router 7203dl includes a third column of LEDs that represent the wide module. Unlike the other columns of LEDs, this column includes only three LEDs. (See Figure 1-18.)
Figure 1-18. On the ProCurve Secure Router 7203dl, the Third Column LEDs Report on the Wide Module.
Status LED
The first LED reports on the status of the wide module, indicating whether the wide module is installed and functional.
■ No light—The module has not been installed or none of the interface ports have been activated.
■ Green—The module has been recognized and at least one interface is up.
■ Red—There is an active alarm condition on one of the interfaces.
Activity LED
The second LED reports activity across the WAN links established through the wide module. The LED flashes green to signal activity.
Test LED
The third LED glows solid yellow if one of the interfaces on the module is in test mode.
Ethernet and Activity LEDs
The Ethernet interfaces also have LEDs that report on their status and activity. (See Figure 1-19.)
Figure 1-19. LEDs for Ethernet Interfaces
Activity LEDs
Activity LEDs signal data transfer between the LAN and the router.
■ No light—The Ethernet connection is inactive.
■ Flashing yellow—The link is currently transmitting or receiving data.
Link LEDs
Link LEDs signal whether or not the router recognizes a valid connection to a LAN.
■ No light—The Ethernet interface is down.
■ Green—The Ethernet interface is up.
Rear Panel
The rear panel of the ProCurve Secure Router includes a slot for an optional IPSec VPN module and a slot for a compact flash card. The ProCurve Secure Router 7203dl also includes an additional feature: an outlet for a Redundant Power Source.
Optional IPSec VPN Module
If your company wants to establish virtual private networks (VPNs) over the Internet, you can install the IPSec VPN module in the slot provided on the ProCurve Secure Router’s rear panel. (See Figure 1-20.) The router can then establish a VPN with another router or with a VPN client that is installed on a user’s workstation. Remote sites and individual users can then connect to your company’s network through private Internet connections.
Figure 1-20. IPSec VPN Module
To protect your network from security breaches through the Internet, the ProCurve Secure Router establishes secure VPN tunnels using the industry-standard IP Security (IPSec) protocol. The IPSec VPN module enables the software that supports the IPSec protocols and relieves the CPU of the overhead associated with processing the encryption algorithms.
When the IPSec VPN module is installed, the ProCurve Secure Router 7102dl supports up to 500 VPN tunnels; the ProCurve Secure Router 7203dl supports up to 1000 tunnels.
Compact Flash Card
The compact flash slot on the ProCurve Secure Router’s back panel supports most standard compact flash cards. (See Figure 1-21.) To protect your ProCurve Secure Router against system failure, you can store the Secure Router OS software and your configuration file on a compact flash card. In fact, the ProCurve Secure Router provides additional features that automatically use compact flash to safeguard the Secure Router OS and your configurations. These features are described in “Bootup Process” on page 1-30 and “AutoSynch™ Technology” on page 1-34.
Figure 1-21. Compact Flash Slot on Rear Panel of the ProCurve Secure Router
Redundant Power Source
The RPS outlet on the back panel of the ProCurve Secure Router 7203dl provides increased router reliability for mission-critical applications. (See Figure 1-22.) The RPS slot can be used with the ProCurve 600 Redundant External Power Supply.
Figure 1-22. RPS Outlet on the ProCurve Secure Router 7203dl
Memory
Both the ProCurve Secure Router 7102dl and 7203dl have 32 MB of internal flash memory. The flash memory provides nonvolatile random access memory (NVRAM); in other words, the router retains what is stored in the internal flash even when the router is powered down.
Because internal flash memory is relatively limited, SROS software is stored in compressed form. The SROS software file is approximately 6 MB. The number of configuration files that can be saved in internal flash is limited only by the amount of available memory. Because configuration files tend to be small, you will be able to save multiple configuration files in internal flash.
In addition to internal flash, the ProCurve Secure Router 7102dl has 128 MB of random access memory (RAM), which holds the running configuration. All information in RAM is lost when the router is powered off. The ProCurve Secure Router 7203dl has 256 MB of RAM.
Software Overview
To manage your ProCurve Secure Router, you must understand basic router operations, including how the router uses:
■ Secure Router OS (SROS) boot code
■ SROS software
■ the startup-config
■ the running-config
Further, you must understand how the Secure Router OS is organized so that you can properly configure the router and enable safeguards to protect the router from unauthorized access.
This section describes software operations such as the boot process, the process of saving configurations, the OS hierarchy, and the bootstrap mode.
Bootup Process
Concurrent with the release of J02_02A.biz software in July 2005, ProCurve Networking changed the boot process for the ProCurve Secure Router. By default, the ProCurve Secure Router now boots from compact flash. If a compact flash card is not inserted into the compact flash slot or if the card does not contain the required Secure Router OS file, the router will boot from internal flash. Previously, the ProCurve Secure Router booted only from internal flash.
This change has been made in routers that shipped after July 2005; these routers have the following serial numbers:
■ ProCurve Secure Router 7102dl (J8752A) US525TRAP4 or later
■ ProCurve Secure Router 7203dl (J8753A) US522TS252 or later
Note: If you purchased a ProCurve Secure Router before this change was made, you can enable the new boot process by upgrading to J02_02A.biz or later and making a small configuration change. For information about this configuration change, see Appendix A: Configuring the Router to Boot from Compact Flash.
The boot process begins when you power up the ProCurve Secure Router or manually reload it. It proceeds as follows:
1. The router first loads the SROS boot software (which has been set through the copy <source> <filename> boot command).
2. The router then searches compact flash for the SROS.BIZ file, which contains the Secure Router OS software.
• If the router finds the SROS.BIZ file in compact flash, it will load this SROS software and begin step 3.
• If a compact flash card is not installed or the SROS.BIZ file on the card is missing or corrupted, the router searches for this file in internal flash. If the router finds the SROS.BIZ file in internal flash, it loads this SROS software and begins step 3.
• If the router does not find a valid SROS.BIZ file in either compact flash or internal flash, the router boots up in bootstrap mode (as described in “Bootstrap Mode Context” on page 1-66).
3. After the router finds a valid SROS.BIZ file (either in compact flash or internal flash), it checks compact flash for the startup-config file, which contains the saved configurations for the router.
• If the router finds the startup-config file in compact flash, it loads this file.
• If the router does not find the startup-config in compact flash, it searches for the startup-config file in internal flash. If it finds the startup-config in flash, it loads this configuration.
• If the router does not find the startup-config file in either compact flash or internal flash, the router boots in basic mode using the factory default configuration settings.
Figure 1-23 summarizes the boot process.
Figure 1-23. Booting the ProCurve Secure Router
Advantages of Booting From Compact Flash
Booting from compact flash simplifies router setup. You can use a compact flash card to preconfigure a router and simply send the card to a remote site. Any person at the remote side can insert the compact flash card into the router, connect the cables that will enable the LAN and WAN connections, and power up the router. The ProCurve Secure Router will boot with the SROS.BIZ file and startup-config on compact flash, and the router will be immediately operational.
To check the configuration by remote, you can simply establish a Telnet or Secure Shell (SSH) session with the router or use the Web browser interface.
[Figure 1-23 flowchart: the router loads the boot software (J0X_0X-boot.biz) from internal flash, then checks compact flash (cflash) for SROS.BIZ; if it is not there, it checks internal flash; if SROS.BIZ is found in neither, the router boots in bootstrap mode. It then checks compact flash, and then internal flash, for startup-config; if neither holds the file, the router boots in boot-basic mode using default settings.]
Setting Up a Compact Flash Card From Which to Boot the Router
Newly shipped ProCurve Secure routers have an internal flash that contains two SROS software files:
■ J0X_0X.biz
■ SROS.BIZ
The SROS.BIZ and J0X_0X.biz files are identical. The J0X_0X.biz file reflects the version number of the software, such as J04_01.biz. This file has then been resaved as SROS.BIZ.
Internal flash also contains the startup-config file. At this point, the startup-config file contains the default configuration for the router. Once you have configured your router and saved the configurations, the new startup-config file will allow the router to boot up with the configurations you have made.
To set up a new compact flash card so that the router can boot from it, insert the card into the slot provided on the back panel of the router and copy the following files from flash memory to compact flash:
■ J0X_0X.biz
■ SROS.BIZ
■ startup-config
After you copy the files to a compact flash card, take the card to any ProCurve Secure Router. Unless its boot process has been altered, the router will automatically boot from the software and startup-config file stored on the card.
When ProCurve Networking releases new software, part of the update process will include renaming the new file as SROS.BIZ and copying the new file to compact flash and to internal flash. When you need to know the version of software the router is using, the show version command will display the exact version. (This and other show commands are described later in this chapter.)
Saving Configuration Changes
When the ProCurve Secure Router loads the startup-config, it executes it line by line as the running-config. As you make configuration changes, these changes are held in RAM. Because RAM is cleared every time the router is powered down, you must save any changes that you want to keep to the startup-config file.
When the command to save the running-config is entered, the ProCurve Secure Router first tries to save these changes to a startup-config file on compact flash. If no compact flash card is inserted into the slot on the back panel, the router saves the changes to the startup-config file that is stored in internal flash. If no startup-config file exists on either the compact flash or internal flash memories, the router creates the file and saves the configuration to it.
AutoSynch™ Technology
The AutoSynch feature was first released as an update in the J03_01.biz software. This feature ensures that the SROS software (SROS.BIZ) and the startup-config file stored on compact flash are identical to those stored on internal flash. AutoSynch technology affects only the SROS.BIZ and startup-config files; any other files that you intend to keep on the compact flash drive will need to be manually copied from your router’s internal flash to the compact flash card.
When you save your configurations, the ProCurve Secure Router saves the running-config to the startup-config stored on the compact flash. If the auto-synch command is enabled, when you save your current configuration to the startup-config, the file is saved to both compact flash and internal flash at the same time.
AutoSynch technology ensures that you always have a backup copy of your configuration file and the SROS software you are using. If a hardware failure should occur, you simply contact ProCurve Networking to get a new part or even a new unit (if that is required). Then you replace the part, insert the compact flash card, and power up the router. The router automatically loads the SROS software and the startup-config from the compact flash card.
Likewise, if the SROS software or the configuration file becomes corrupted, you have up-to-date backup copies, so downtime is confined to the time it takes to load these copies. This is especially helpful if the SROS software you are using is no longer available on the ProCurve Networking Web site (because subsequent versions have been released).
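The search order of the “Bootup Process” steps and the save behaviour described under “Saving Configuration Changes” and “AutoSynch™ Technology”, as an added model that is not ProCurve code. It assumes each flash store is a dict of file name to bytes, that an absent card is None, and that a b"SROS" prefix stands in for the router’s own (not documented here) validity check of SROS.BIZ; it makes explicit what the order implies: a card in the slot wins over internal flash for both the OS and the startup-config.

```python
"""Boot-source and save-target selection of the ProCurve Secure Router, as a
model of "Bootup Process", "Saving Configuration Changes" and "AutoSynch
Technology". Added illustration, not ProCurve code: each flash store is a dict
of file name -> bytes, an absent card is None, and the b"SROS" prefix stands in
for the router's own (undocumented here) validity check of SROS.BIZ."""

OS_FILE = "SROS.BIZ"
CONFIG_FILE = "startup-config"
OS_MARKER = b"SROS"   # assumed validity marker, see module docstring


def valid_os(store):
    """True when the store exists and holds a SROS.BIZ that passes the check."""
    data = None if store is None else store.get(OS_FILE)
    return data is not None and data.startswith(OS_MARKER)


def resolve_boot(cflash, internal):
    """Apply steps 2 and 3 of the boot process and report what was chosen.

    Compact flash is searched before internal flash for SROS.BIZ and again
    for startup-config, so a card that carries either file wins over the
    copies in internal flash.
    """
    if valid_os(cflash):
        os_source = "compact flash"
    elif valid_os(internal):
        os_source = "internal flash"
    else:                       # no valid SROS.BIZ anywhere: bootstrap mode
        return {"mode": "bootstrap", "os": None, "config": None}
    if cflash is not None and CONFIG_FILE in cflash:
        cfg_source = "compact flash"
    elif CONFIG_FILE in internal:
        cfg_source = "internal flash"
    else:                       # OS found but no saved configuration: defaults
        return {"mode": "basic (factory defaults)", "os": os_source, "config": None}
    return {"mode": "normal", "os": os_source, "config": cfg_source}


def save_startup_config(running_config, cflash, internal, autosynch=False):
    """Write the running-config to the startup-config and return the targets.

    Without a card the file goes to internal flash. With a card it goes to
    compact flash, and with AutoSynch enabled to internal flash as well, so
    both copies stay identical. A missing startup-config is created.
    """
    if cflash is None:
        internal[CONFIG_FILE] = running_config
        return ["internal flash"]
    cflash[CONFIG_FILE] = running_config
    targets = ["compact flash"]
    if autosynch:
        internal[CONFIG_FILE] = running_config
        targets.append("internal flash")
    return targets


if __name__ == "__main__":
    # Constructed sample stores: a router whose internal flash is fully
    # populated, and a card that carries its own OS image and configuration.
    internal = {OS_FILE: b"SROS J04_01 internal", CONFIG_FILE: b"hostname branch-1"}
    card = {OS_FILE: b"SROS J04_01 card", CONFIG_FILE: b"hostname preconfigured"}
    print("no card:        ", resolve_boot(None, internal))
    print("card inserted:  ", resolve_boot(card, internal))   # card wins for both
    print("corrupt card OS:", resolve_boot({OS_FILE: b"garbage"}, internal))
    print("save, autosynch:", save_startup_config(b"hostname new", card, internal, True))
```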
Secure Router OS Hierarchy
The ProCurve Secure Router OS is organized into two security modes and then further organized into configuration modes. Each of these modes allows you to access and configure a separate aspect of your router’s operation. This OS hierarchy creates levels of security by limiting certain functions to authorized users.
This section introduces the different mode contexts and describes the types of commands you can enter in each one. (See Figure 1-24.)
Figure 1-24. Security and Configuration Modes in the Secure Router OS
To protect your WAN against unauthorized access, the ProCurve Secure Router has two security modes:
■ basic mode
■ enable mode
[Figure 1-24 diagram: a console, SSH or Telnet session starts with "Session now available / Press Return to get started". Pressing Return enters the basic mode context (ProCurve>), enable enters the enable mode context (ProCurve#), and configure terminal enters the global configuration mode context (ProCurve(config)#); basic and enable are the security modes. From global configuration you reach the interface configuration contexts (ADSL, ATM, BRI, Demand, E1, Ethernet, Frame Relay, HDLC, Loopback, Modem, PPP, Serial, SHDSL, T1, Tunnel), the line configuration context, the router configuration contexts (BGP, OSPF, RIP, PIM-Sparse), and other configuration contexts (Crypto IKE policy, Crypto map, IP access-list, IP policy-class, ISDN-group).]
Basic Mode
The basic mode allows restricted access to the router, providing only a limited number of commands. From this mode, you can view basic system information, verify some processes, and enter traceroute and ping commands. You do not have access to any of the options that allow you to configure the router.
When you first access the Secure Router OS through the CLI and press Enter, the router is in the basic mode context. To verify your location in the CLI, check the prompt. In the basic mode context, the prompt is the > symbol, as shown below:
ProCurve>
From the basic mode context, you can access the enable mode by entering:
ProCurve> enable
Enable Mode
The enable mode is sometimes called the privileged mode because it allows you to access all management and configuration commands. You can use this mode to view detailed information about how your router is functioning, perform system management tasks, and gain access to all configuration modes on the router. From the enable mode, you can save, mode, and delete the startup-config and running-config files and use the show and debug commands.
Although you cannot actually configure the ProCurve Secure Router from the enable mode, you can access the global configuration mode from this mode, and from there, you can access any configuration mode and configure any aspect of the router. For additional security, you can—and should—password protect this more-secure OS level.
In the enable mode context, the prompt is followed by the # symbol, as shown below:
ProCurve#
From the enable mode context, you can access the global configuration mode context by entering:
ProCurve# configure terminal
Global Configuration Mode
From the global configuration mode, you can make configuration changes that apply to the entire router and all interfaces. You can configure the system’s global parameters, such as the hostname, passwords, and banners. You can also set parameters for IP services such as DHCP and DNS. You can enable the built-in firewall and configure global options for that firewall. You can also configure passwords to protect the enable mode and SSH, FTP, and HTTP access.
From the global configuration mode context, you can also access other configuration mode contexts to configure specific router interfaces and func-tions, such as routing protocols. There are four main types of contexts:
■ interface
■ router
■ line
■ other
Interface. The interface configuration mode contexts enable you to configure the LAN and the WAN connections to your router. To configure an interface, enter the following command from the global configuration mode context:
Syntax: interface <interface> [<slot>/<port> | <interface number>]
Replace <interface> with the type of physical interface such as e1, t1, serial, bri (for ISDN interfaces), adsl, or modem (for analog backup interfaces). You can also replace <interface> with a logical interface such as ppp, frame-relay, loopback, or tunnel. For physical interfaces, replace <slot>/<port> with the slot and port location of the connection, and for logical interfaces, replace <interface number> with the interface number.
For example, if your router has a T1 module in slot one, you would type interface t1 1/1 to configure this interface. The CLI prompt will change to show that you are in the T1 1/1 interface configuration mode context:
ProCurve(config)# interface t1 1/1
ProCurve(config-t1 1/1)#
For another example, if you want to configure a PPP connection to an ISP, you would enter interface ppp 1 to create and configure a PPP logical interface.
Router. You can configure dynamic routing protocols from the router configuration mode contexts. There are four router configuration modes: BGP, RIP, PIM-Sparse, and OSPF. To configure these protocols, move to the global configuration mode context and use this command:
Syntax: router [bgp | ospf | pim-sparse | rip]
For example, to configure RIP, enter:
ProCurve(config)# router rip
ProCurve(config-rip)#
When configuring BGP, you must also designate an AS number, which can be between 1 and 65535, in the command line. (Your ISP will provide this number.)
Syntax: router bgp <AS number>
For example, enter:
ProCurve(config)# router bgp 1
ProCurve(config-bgp)#
Line. Your router has three data lines that allow you to access the ProCurve Secure Router’s OS: console, SSH, and Telnet. You can configure options for line sessions by accessing the line configuration mode context.
Syntax: line [console 0 | ssh <0-4> | telnet <0-4>]
For example, you might enter:
ProCurve(config)# line ssh 2
For more information on configuring secure access to the router using these lines, see Chapter 2: Controlling Management Access to the ProCurve Secure Router.
Other. You can access other configuration mode contexts from the global configuration mode context, such as those from which you configure ACLs, access control policies (ACPs), QoS maps, and crypto maps. You can enter these configuration contexts from the global configuration mode context or from individual interface configuration mode contexts.
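A script that drives this CLI over SSH or the console has to know which mode context it is in before it sends a command, and the only reliable signal is the prompt. The following Python helper, added here as an example and not code from the guide or from the router, classifies a prompt into the basic, enable, global configuration, interface, router and other contexts described above, using the prompt shapes printed in this chapter (ProCurve>, ProCurve#, ProCurve(config)#, ProCurve(config-t1 1/1)#, ProCurve(config-rip)#). The sub-prompts the router prints for line, ACL, QoS and crypto-map contexts are not shown on this page, so anything it does not recognise is reported as "other"; the transcript it walks is constructed for the example.

```python
import re

# Prompt shapes shown in this chapter (assumed to be the only ones we need to
# recognise for this example):
#   ProCurve>                 basic mode
#   ProCurve#                 enable mode
#   ProCurve(config)#         global configuration mode
#   ProCurve(config-t1 1/1)#  interface configuration context
#   ProCurve(config-rip)#     router configuration context
PROMPT_RE = re.compile(r"^(?P<host>[^\s()>#]+)(?:\((?P<ctx>[^()]*)\))?(?P<sigil>[>#])$")

# Interface types and routing protocols named in the syntax descriptions above.
INTERFACE_TYPES = {"e1", "t1", "serial", "bri", "adsl", "modem",
                   "ppp", "frame-relay", "loopback", "tunnel"}
ROUTER_TYPES = {"bgp", "ospf", "pim-sparse", "rip"}

# Constructed transcript of the sort a session logger would capture.
SAMPLE_TRANSCRIPT = """\
ProCurve> enable
ProCurve# configure terminal
ProCurve(config)# interface t1 1/1
ProCurve(config-t1 1/1)# exit
ProCurve(config)# router rip
ProCurve(config-rip)#
""".splitlines()


def parse_prompt(line):
    """Classify one prompt line.

    Returns {'hostname', 'mode', 'context', 'target'} where mode is one of
    'basic', 'enable', 'global-config', 'interface', 'router' or 'other' and
    target is the interface ('t1 1/1') or protocol ('rip') being configured.
    Returns None if the line is not a prompt at all (e.g. a login banner).
    """
    m = PROMPT_RE.match(line.strip())
    if not m:
        return None
    host, ctx, sigil = m.group("host"), m.group("ctx"), m.group("sigil")
    info = {"hostname": host, "context": ctx, "target": None, "mode": "other"}
    if sigil == ">":
        info["mode"] = "basic"
    elif ctx is None:
        info["mode"] = "enable"
    elif ctx == "config":
        info["mode"] = "global-config"
    elif ctx.startswith("config-"):
        body = ctx[len("config-"):]            # e.g. 't1 1/1', 'ppp 1', 'rip'
        kind, _, rest = body.partition(" ")
        if kind in INTERFACE_TYPES and rest:
            info["mode"], info["target"] = "interface", body
        elif kind in ROUTER_TYPES and not rest:
            info["mode"], info["target"] = "router", kind
        # anything else (line, ACL, ACP, QoS map, crypto map, ...) stays 'other'
    return info


def walk_transcript(lines):
    """Yield (command, mode) pairs from a transcript of 'prompt command' lines.

    The prompt in front of each command records the mode the command was
    typed in, which is exactly what an automation script must verify before
    sending the next command.
    """
    for raw in lines:
        raw = raw.rstrip()
        if not raw:
            continue
        # Split at the first '# ' or '> ' so prompts containing spaces
        # ('config-t1 1/1') are not cut in the middle.
        hits = [i for i in (raw.find("# "), raw.find("> ")) if i != -1]
        if hits:
            end = min(hits)
            prompt, command = raw[:end + 1], raw[end + 2:]
        else:
            prompt, command = raw, ""
        info = parse_prompt(prompt)
        if info is not None:
            yield command.strip(), info["mode"]
```

Running walk_transcript over SAMPLE_TRANSCRIPT shows the mode changing from basic to enable to global-config, into the t1 1/1 interface context, back to global-config and into the RIP router context, which is the path the examples above take by hand.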
Commands Available in the Basic, Enable, or Global Configuration Mode Contexts
The ProCurve Secure Router OS permits you to use certain commands only in specific modes. When you are managing the ProCurve Secure Router and you try to use a command that is not supported from the current mode context, you will receive an error message.
To help you become familiar with the Secure Router OS, the following sections introduce the types of commands that are available in the three main modes: basic, enable, and global configuration.
Basic Mode Commands
The basic mode commands include those discussed in the following sections.
Clear
These commands reset router operations or statistical records. Table 1-2 shows the clear commands available in the basic mode context.
Table 1-2. Basic Mode Context clear Commands
Option    Result
clear counters [<interface>]    clears interface counters, such as the number of packets transmitted and received or errors detected
clear event-history    clears the event history log
clear host [<hostname> | *]    deletes host table entries
clear sip [location | user-registration]    clears local SIP information
clear user [console | ssh | telnet]    detaches a user from a particular line
Enable
To begin managing the router in the enable mode context, enter:
Syntax: enable
Logout
Exit the current CLI session and return to the login screen.
Syntax: logout
Ping
Send an ICMP echo to a specified destination. To send a default ping of 5 echoes, enter:
Syntax: ping [<A.B.C.D > | <domain name>]
When you begin sending ICMP echoes, the router displays a legend to describe the types of responses the router receives. For example, Figure 1-25 shows a successful ping:
Figure 1-25. Sending a Ping
ProCurve> ping 1.1.1.1
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
        '*' = Request timed out, '-' = Destination host unreachable
        'x' = TTL expired in transit
!!!!!
Success rate is 100 percent (5/5), round trip min/avg/max = 3/3.0/3 ms
Typing ping and pressing Enter without a destination address will allow you to set extended options for the ICMP echo. Extended options include the number of pings to be sent, the size of the datagram to be sent, and the timeout value. The CLI displays default settings in brackets; press Enter to accept the defaults. For example:
ProCurve> ping
Target IP address?
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [n]
Pressing y for the Extended commands? option allows you to set the source address and data pattern. You can also specify that the ping sweep a range of datagram sizes.
If you enter y for the verbose option in the extended commands, the output reports the result of each ping with a description of the datagram size and the echo’s round-trip time. For example:
Reply from 1.1.1.1: bytes = 100 time = 4 ms
If you need to halt a ping operation, press Ctrl+C.
Note: The ping command is available from every mode context of the Secure Router OS.
Show
View information about, or the current status of, an interface or feature. Table 1-3 is a list of show commands available in the router’s basic mode context. For a more comprehensive list of show commands, see “Show” on page 1-51.
Table 1-3. Basic Mode Context show Commands
Option    Result
show arp [realtime]    shows the ARP table, which includes interfaces’ IP and MAC addresses
show autosynch-status    reports whether the SROS.BIZ and startup-config in internal flash and compact flash are synchronized
show clock    displays clock information such as the time, date, and time source
show demand    shows demand routing parameters and statistics
show dynamic-dns    shows the dynamic DNS hostname and registered IP address
show event-history    displays the events log
show frame-relay [fragment | lmi | multilink | pvc]    gives information on Frame Relay fragmentation, LMI status polls, permanent virtual connections (PVCs), and multilinks
show interfaces [<interface ID> {performance-statistics | realtime}]    shows status reports for router interfaces; you can also specify a particular interface
show ip access-list [<name>]    displays configured ACLs and the number of packets the router has matched to each entry
show ip interfaces [demand | ethernet | frame-relay | hdlc | loopback | ppp | tunnel]    lists interfaces with their assigned IP addresses and network masks, the MTU for each interface, and whether fast caching is enabled on the interface
show isdn-group [<interface number>]    lists the ISDN group configurations and member interfaces
show lldp [<cr> | device <name> | interface <interface ID> | neighbors]    displays LLDP settings and information, including information on specific neighbors
show memory heap [realtime]    displays statistics for the router memory, including how much has been used and how much is available
show modules    gives information on the router’s modules, including the type of module in each slot and the number of ports in each module
show processes cpu    shows the process statistics, including the load percent for each process
show snmp    displays the SNMP information and packets received
show sntp    shows SNTP information
show thresholds    displays the thresholds that have been exceeded on each E1 or T1 interface
show version    displays the router system software and hardware versions
Telnet
Open a Telnet session. (You enable and set the parameters for Telnet sessions from the Telnet line configuration mode context.) Telnet carries the whole session, including any passwords typed into it, in cleartext, so use SSH for management access wherever the remote end supports it.
Syntax: telnet <A.B.C.D>
For information on how to set up a Telnet session, see Chapter 2: Controlling Management Access to the ProCurve Secure Router.
Traceroute
Ping an IP address and display the hops that the packet takes en route to the destination.
Syntax: traceroute <A.B.C.D>
The router will display a route to a destination up to 30 hops away. You can end the traceroute process at any time by pressing Ctrl+C.
Similar to the ping command, you can set extended options for tracing a route by entering traceroute and pressing Enter without specifying the destination address. Options include the source address at which the trace begins and the maximum number of hops.
The traceroute command is also available from the enable mode context.
Terminal
Set the maximum number of lines to display on the screen during a terminal session.
Syntax: terminal length <0-480>
If a readout includes more lines than the configured terminal length amount, the display stops at the length limit and displays --MORE-- at the bottom.
To continue the display after the --MORE--, press Spacebar. To display only the next line of the readout, press Enter. To return to the router prompt and end the display, press any other key.
Wall
Broadcast a message through the console port.
Syntax: wall <message>
Enable Mode Commands
To enter the enable mode context, enter enable from the basic mode context. The following sections briefly describe some of the enable mode commands and their functions.
Important! ProCurve strongly recommends that you set an enable password to prevent unauthorized access to the router. If the enable mode context is not password protected, anyone with console access to the router will be able to change the configurations and compromise network security. See “Restricting Access to the Enable Mode Context” on page 2-4 for more information on how to configure an enable mode password.
Clear
The enable mode context expands the options for the clear command. To view these options, enter:
Syntax: clear ?
Table 1-4 lists the clear command options available in the enable mode context.
Table 1-4. Enable Mode Context clear Commands
Option Result
clear access-list clears the statistics for packets matched to ACL entries
clear arp-cache clears the ARP cache
clear arp-entry clears a single ARP table entry
clear bridge [<group number>] clears the bridge table
clear buffers clears the buffer statistics
clear counters [<interface>] clears interface counters
clear crypto [ike | ipsec] sa clears any existing crypto IKE or IPSec SAs
clear dump-core clears core-dump debug information
clear event-history clears the event-history log
clear host deletes DNS host table entries
clear ip [bgp | cache | dhcp-server | igmp | ospf | policy-sessions | policy-stats | prefix-list | route {* | <A.B.C.D>}]    clears IP routes or sessions established using an ACP
clear lldp [counters | neighbors] clears lldp information
clear pppoe <ppp interface number> clears a single PPPoE session
clear processes [cpu | queue] clears router process statistics
clear qos map clears the QoS map statistics
clear route-map counters resets the statistics for packets selected by route maps
clear sip [location | proxy | user-registration] clears local SIP-related information
clear spanning-tree clears spanning tree statistics
clear tacacs+ statistics clears TACACS+ server statistics
clear user [console | ssh | telnet] detaches a user from a particular line
Some examples of clear commands include the following:
Syntax: clear ip policy-sessions
This command clears all sessions established using the ACPs applied to router interfaces.
Syntax: clear ip route [* | <A.B.C.D>]
The * option clears all routes learned through a routing protocol. Static routes are not affected. You can clear a single route by entering the destination IP address.
Clock
The clock command in the enable mode context allows you to set the clock, adjust for the time zone, and manage the clock source. To view the options for the clock command, enter:
Syntax: clock ?
For example, to set the clock and the time zone, enter:
Syntax: clock set <HH:MM:SS>
Syntax: clock timezone <zone>
Enter clock timezone ? for a complete list of keywords for the time zones of various locations.
Daylight Saving Time Auto Correction. The router is set to automatically correct the time for daylight saving time. If the router is operating in an area that does not observe daylight saving time, you should disable this option using the clock no-auto-correct-dst command. Enter:
ProCurve# clock no-auto-correct-dst
To re-enable daylight savings time correction, enter:
ProCurve# clock auto-correct-dst
Configure
There are four options to this command: memory, network, overwrite-network, and terminal. The configure memory and configure network commands retrieve a configuration file and apply it as the router’s running-config; the router immediately begins using the specified configuration without rebooting. The configure overwrite-network command retrieves a file and saves it as the startup-config instead.
The configure memory command pulls and activates the startup-config file from compact flash memory. If no compact flash card is mounted, this command pulls and activates the startup-config file from flash. The file you intend to use must be named startup-config.
The configure network command pulls a file from a TFTP server and applies it as the running-config. TFTP provides no authentication or integrity protection, so retrieve configuration files only from a server on a trusted management network.
Enter configure overwrite-network to retrieve a file from a TFTP server and save it as startup-config and startup-config.bak on compact flash. This command only works if you have a compact flash card installed on the router. Configure overwrite-network overwrites any existing startup-config file on compact flash with the startup-config it retrieves from the TFTP server.
The last configure command, configure terminal, moves you to the CLI’s global configuration mode context.
Copy
This command is used for managing configuration files and other files on your router. It has the following syntax:
Syntax: copy <source file location> <source filename> <destination location> <destination filename>
This command is used to copy and save files in the router’s internal flash and compact flash memories. Table 1-5 gives the available options for the copy command.
You can also use this command to save the changes you make in the running-config to the startup-config. If you do not save these changes, the next time the router reboots, all changes will be lost.
To save configuration changes while using the CLI, enter:
Syntax: copy running-config [<destination location> <destination filename> | <config-file>]
ProCurve# copy running-config startup-config
Verify that the Done. Success! message is displayed, indicating that the copy process is complete.
Table 1-5. Options for the copy Command
Source Location Options    Destination Location Options
cflash <filename> or flash <filename>    boot; cflash [<filename>]; flash [<filename>]; interface (only from flash <filename>)
cflash or flash    tftp; xmodem
console    flash <filename>
running-config    cflash <filename>; flash <filename>; startup-config; tftp; xmodem
startup-config    cflash <filename>; flash <filename>; running-config; tftp; xmodem
tftp or xmodem    flash; cflash; running-config; startup-config
To save a configuration as a file on compact flash, enter the following command from the enable mode context:
Syntax: copy flash <config-file> cflash <filename>
Replace <config-file> with either running-config or startup-config and replace <filename> with a name that you choose.
Verify that the Percent Complete 100% message is displayed, indicating that the copy is complete. The current configuration is now saved in compact flash with the specified filename.
To save a configuration as a file on internal flash, enter the following from the enable mode context:
ProCurve# copy <source file location> <source config-file> flash [<filename>]
Replace <source file location> with the location of the configuration file you are saving, either compact flash (cflash) or internal flash (flash) memory. Replace <source config-file> with startup-config or running-config (You can also enter a filename to copy a file to another location). You must enter a destination filename unless the filename will be the same as that of the source. For example, if you need to save the startup-config file from the compact flash card to internal flash, enter:
ProCurve# copy cflash startup-config flash startup-config
Saving the Current or Start-up Configuration to a TFTP Server. To initiate an upload of a configuration file to an external TFTP server, enter one of the following commands from the enable mode context. Remember that a configuration file contains the router’s passwords and keys and that TFTP transfers it unencrypted, so the TFTP server should sit on a trusted management network.
ProCurve# copy [flash | cflash] tftp
ProCurve# copy [startup-config | running-config] tftp
For example, if you wanted to upload the startup-config on compact flash to your TFTP server, you would enter:
ProCurve# copy cflash tftp
When prompted for the Address of remote host?, enter the IP address of the TFTP server.
When prompted for the Source filename?, enter the name of the configura-tion file (startup-config or running-config) you would like to upload.
When you are prompted for the Destination filename?, enter the filename under which the uploaded configuration should be saved.
The copy command can be used for other TFTP file management tasks such as:
■ loading a running-configuration file from the TFTP server—Enter copy tftp running-config.
■ loading a startup-configuration from the TFTP server—Enter copy tftp startup-config.
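Every transfer in this section rides on TFTP, which has no authentication, no integrity protection and no encryption: whoever can send a UDP read request to the server and guess the filename receives the file, and whoever sits on the path can read or alter it. The following Python program, added here as an illustration and not part of the guide or of the router’s software, implements both sides of an RFC 1350 read request (the exchange behind copy tftp running-config) over the loopback interface, then scans what the client fetched for credential lines. The sample configuration, the filenames and the use of an ephemeral port instead of UDP/69 are assumptions made for the example.

```python
import socket
import struct
import threading

# Constructed sample startup-config (not from a real device), repeated so the
# transfer spans several 512-byte TFTP blocks.
SAMPLE_CONFIG = b"""!
hostname ProCurve
enable password secret123
interface t1 1/1
 no shutdown
end
""" * 40

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512


def serve_one_rrq(files, listen_sock, timeout=5.0):
    """Answer one RRQ on listen_sock and stream the file from a fresh port (RFC 1350).
    Nothing in the request authenticates the client: knowing the name is enough."""
    listen_sock.settimeout(timeout)
    pkt, client = listen_sock.recvfrom(1024)
    if struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        return None
    name = pkt[2:].split(b"\x00", 1)[0].decode()
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.settimeout(timeout)
    try:
        data = files.get(name)
        if data is None:
            xfer.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\x00", client)
            return name
        block, offset = 1, 0
        while True:
            chunk = data[offset:offset + BLOCK]
            xfer.sendto(struct.pack("!HH", OP_DATA, block) + chunk, client)
            ack, _ = xfer.recvfrom(1024)
            if struct.unpack("!HH", ack[:4]) != (OP_ACK, block):
                return name                   # no retransmit logic in this example
            if len(chunk) < BLOCK:            # a short block ends the transfer
                return name
            block, offset = block + 1, offset + BLOCK
    finally:
        xfer.close()


def tftp_get(server, port, filename, timeout=5.0):
    """Client side: read filename in octet mode and return its bytes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00octet\x00",
                (server, port))
    received, expected, peer = bytearray(), 1, None
    try:
        while True:
            pkt, addr = sock.recvfrom(4 + BLOCK)
            if peer is None:
                peer = addr                   # the server's transfer port (TID)
            elif addr != peer:
                continue                      # ignore packets from any other source
            opcode, arg = struct.unpack("!HH", pkt[:4])
            if opcode == OP_ERROR:
                raise OSError("TFTP error %d: %s" % (arg, pkt[4:].rstrip(b"\x00").decode()))
            if opcode != OP_DATA:
                continue
            last = False
            if arg == expected:               # duplicates are re-acked but not stored twice
                received += pkt[4:]
                last = len(pkt) - 4 < BLOCK
                expected += 1
            sock.sendto(struct.pack("!HH", OP_ACK, arg), peer)
            if last:
                return bytes(received)
    finally:
        sock.close()


def credential_lines(config):
    """Config lines carrying secrets; over TFTP they cross the wire in clear."""
    return [ln for ln in config.decode(errors="replace").splitlines()
            if any(w in ln for w in ("password", "secret", "key"))]


def demo_transfer(config=SAMPLE_CONFIG, filename="startup-config"):
    """Run server and client over loopback; return what the client fetched."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                # ephemeral port instead of UDP/69: no root needed
    t = threading.Thread(target=serve_one_rrq, args=({"startup-config": config}, srv))
    t.start()
    try:
        return tftp_get("127.0.0.1", srv.getsockname()[1], filename)
    finally:
        t.join()
        srv.close()
```

demo_transfer() returns the complete sample configuration, and credential_lines on it picks out the enable password line; the same call against a name the server does not have raises the TFTP "File not found" error. The client locks on to the first transfer port it hears from and discards packets from any other source, which is the one defence RFC 1350 offers against a third party injecting blocks into an in-progress transfer.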
Debug
Entering debug will display debug messages as packets arrive on the router. Debugging is useful when troubleshooting or testing your router’s operation.
The Secure Router OS provides many debug commands, including options for most protocols and processes run on the router.
For a list of debug commands, go to the enable mode context and enter:
ProCurve# debug ?
For example, you could debug the establishment of a PPP connection:
ProCurve# debug ppp negotiation
You can find the exact command syntax for relevant debug commands in the troubleshooting section of each chapter.
Caution: This guide describes how to use debug commands to troubleshoot your router. Be aware that debug commands are processor-intensive and can seriously degrade network performance.
Dir
This command shows the current files in internal flash or compact flash.
Syntax: dir [flash | cflash] [*.<file extension>]
Use the flash option to list all files in the router’s flash memory. Use the cflash option to display all the files on the router’s compact flash card.
The * symbol is a wildcard that allows you to specify a file pattern to display. For example, if you want the router to list all the Secure Router OS files in internal flash memory, you would enter:
ProCurve# dir flash *.biz
Or if you wanted to display all the router configuration files stored on the compact flash card, you might enter:
ProCurve# dir cflash *.cfg
Note: If you do not specify flash or cflash, the CLI displays only the files in internal flash.
Disable
To leave the enable mode context, type disable. The Secure Router OS will return you to basic mode context.
Erase
The erase command is a file management command. Table 1-6 shows the erase command options.
Syntax: erase [{cflash | flash} <filename> | startup-config | file-system cflash]
Table 1-6. File Locations for the erase Command
File location    Description
cflash <filename>    erases the specified file from compact flash
file-system cflash    formats compact flash
flash <filename>    erases the specified file from flash
startup-config    erases the startup-config file
For example, entering erase flash <filename> will delete the file you specify from internal flash:
ProCurve# erase flash oldconfig
Note: When erasing files, be sure to enter the filename exactly as it appears in the directory.
Erasing the startup-config file returns the router to the factory default settings at the next reboot. If AutoSynch is enabled, entering erase startup-config deletes the startup-config file from both internal flash and compact flash. If a compact flash card is installed and AutoSynch is not enabled, the command erases the startup-config only from compact flash. If no compact flash card is installed, it erases the startup-config file from internal flash.
Use the erase file-system cflash command to format your compact flash card. Using this command will erase any existing files on your compact flash card.
Events
The events command enables the Secure Router OS to display a notice to the CLI whenever an event occurs. This command is useful for troubleshooting, because it lets you immediately determine whether a connection is up and working properly. This command is active in the default router settings. To turn off the events reporting, enter no events.
Reload
This command exits the current session and reboots the router. Before exiting the session, the Secure Router OS will ask whether you want to save the running-config. It will also ask you to confirm that you want to reboot the router.
Show
The enable mode context includes the complete set of show commands for the Secure Router OS. Table 1-7 lists these show commands.
Table 1-7. Enable Mode Context show Commands
Option Result
show access-lists [<name>] displays ACLs, including all entries and the number of packets the router has matched to each entry
show arp [interfaces <interface ID>] [realtime] shows the ARP table, which includes interfaces’ IP and MAC addresses
show atm pvc [interfaces atm <number.subinterface>] shows information about ATM PVCs on an ADSL connection
show atm traffic interface atm <number.subinterface> shows information about ATM traffic on a specific virtual channel
show autosynch-status reports whether the SROS.BIZ and startup-config in internal flash and compact flash are synchronized
show backup interfaces displays the backup configuration, including backup phone numbers
show bridge [<interface ID> | <bridge group>] displays the bridge table and, optionally, the table for a particular logical interface or bridge group
show buffers [users] [realtime] lists the buffer pool statistics
show cflash lists files in compact flash
show clock [detail] displays clock information such as the time, date, and time source
show configuration shows the startup configuration
show connections lists all logical interface binds
show crypto [ca | ike | ipsec | map] shows certificates and VPN configurations, such as IKE policies, transform sets, and crypto maps
show debugging displays the active debugging switches
show demand shows the current statistics and settings for the demand interfaces
show dialin interfaces displays interfaces that are configured to provide dial-in console sessions
show dynamic-dns shows dynamic DNS status including hostname and registered IP address
show event-history displays the events log
show file [{cflash | flash} <filename>] shows the contents of a file in internal flash or compact flash
show flash lists the files in internal flash
show frame-relay [fragment | lmi | multilink | pvc] gives information on Frame Relay fragmentation, LMI status polls, permanent virtual connections (PVCs), and multilinks
show hosts [verbose] displays IP domain name, style, name servers, and the IP host table
show interfaces [<interface ID>] shows the interface table; input an interface ID to see information on a particular interface
show interfaces <physical interface ID> performance-statistics    shows the performance statistics for a physical interface over the past 15 minutes
show interfaces [<interface ID>] realtime displays interface statistics in realtime
show ip <options> lists information on IP traffic, routes, ACLs, ACPs, and routing protocols
show ip interfaces [demand | ethernet | frame-relay | hdlc | loopback | ppp | tunnel]    lists interfaces with their assigned IP addresses and network masks, the MTU for each interface, and whether fast caching is enabled
show isdn-group lists the ISDN group configurations and member interfaces
show lldp [<cr> | device <name> | interface <interface ID> | neighbors]    shows LLDP settings and information, including information on specific neighbors
show memory heap [realtime] displays statistics for the router memory, including how much has been used and how much is available
show modules gives information on the router’s modules, including the type of module in each slot and the number of ports in each module
show output-startup lists the startup-config error log
show port-auth supplicant [interface <interface ID> | summary]    displays port authentication information
show pppoe displays the status of the PPPoE client
show processes cpu [realtime] shows the process statistics, including the load percent for each process
show qos map displays the QoS maps, including how many packets have been matched to the map
show queue [<interface ID>] lists the statistics for queues on an interface or interfaces
show queueing [fair] shows each interface queue’s discard threshold and maximum number of subqueues
show radius statistics displays RADIUS system statistics
show route-map [<name>] displays the route-map
show running-config shows the current operating configuration
show sip [location | resources | statistics | user-registration]    displays information such as the local SIP location database, resources allocated to SIP sessions, and registered SIP users
show snmp displays the SNMP information and packets received
show sntp shows SNTP information
show spanning-tree [<bridge group number>] [realtime] displays the spanning-tree topology
show startup-config [checksum] displays the startup configuration
show tacacs+ statistics lists TACACS+ packet and socket statistics
show tcp info [<tcp index>] [realtime] lists information for TCP ports
show tech [terminal]    generates the output of most show commands and saves it to showtech.txt, or, with the terminal option, displays it on the screen instead
show thresholds displays the thresholds that have been exceeded on each E1 or T1 interface
show udp info [<session ID>] [realtime] lists information for UDP ports
show users [realtime] displays the users currently connected to a session on the router
show version displays the router system software and hardware versions
The verbose option is available for many show commands. This option displays all aspects of the item you are displaying. For example, the show running-config verbose command displays all the configurations currently running on your router, including default settings that have not been altered.
The show interfaces command will display information on any of the router’s physical or logical interfaces. When you enter this command without an option for a specific interface, the CLI will display information on all the router’s interfaces. If you only need to see information on a particular interface, you can specify the physical interface by its slot and port numbers and the logical interfaces by the interface number.
You have the option to specify the types of information to be displayed by the show interfaces <interface> command. To see snapshots of the errors detected on a physical interface over a certain interval, enter:
Syntax: show interface <interface> <slot>/<port> performance-statistics [Total-24-hour | <range of intervals>]
To view the performance statistics over the past 24 hours in 15-minute intervals, enter:
ProCurve# show interface t1 1/1 performance-statistics
You can also limit the display to a specific range of 15-minute intervals by replacing <range of intervals> with a range of values between 1 and 96. (Interval 1 is the interval which began 24 hours ago.) For example:
ProCurve# show interfaces e1 1/1 performance-statistics 74-76
A screen displays, showing statistics during the numbered intervals. Figure 1-26 shows the performance statistics for a T1 line.
Figure 1-26. show interfaces t1 performance-statistics Command
Interval 74 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 75 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 76 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Alternatively, you can specify the readout to only show a summary of the total statistics over the last 24 hours by entering the Total-24-hour option.
The performance-statistics command is available only for physical interfaces. To end the display, press Ctrl+C.
To see realtime information on a physical or logical interface, enter:
Syntax: show interfaces <interface> <slot>/<port> realtime
or
Syntax: show interfaces <interface> <number> realtime
For example, to display realtime information about the T1 interface that is installed in slot one, port one, enter:
ProCurve# show interface t1 1/1 realtime
This command displays a readout of the current statistics, which is updated once every second. Figure 1-27 shows the realtime command screen for a T1 interface.
To pause the update, press f. To resume the update, press r. To leave the realtime screen, press Ctrl+C.
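Three intervals are easy to read by eye; the full 96 are not, and the interesting ones are those with non-zero counters. The following Python parser, added here as an example and not part of the guide, turns the show interfaces ... performance-statistics readout into per-interval counters, maps an interval number to its 15-minute window using the rule stated above (interval 1 began 24 hours ago), sums the counters the way the Total-24-hour option summarises them, and flags intervals whose counters exceed thresholds. The sample output it parses is constructed in the shape of Figure 1-26 with errors planted in interval 75; the threshold values and the reference time are assumptions made for the example, not the router’s own defaults.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of Figure 1-26 (not real device output);
# interval 75 has been given non-zero counters so there is something to flag.
SAMPLE_OUTPUT = """\
Interval 74 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 75 Performance Statistics:
  3 Errored Seconds, 1 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 12 Path Code Violations
  7 Line Code Violations, 0 Controlled Slip Seconds
  3 Line Errored Seconds, 0 Degraded Minutes
Interval 76 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
"""

INTERVAL_RE = re.compile(r"^\s*Interval (\d+) Performance Statistics:")
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z ]*?)\s*(?:,|$)")

INTERVAL_MINUTES = 15
INTERVALS_PER_DAY = 96

# Assumed values for the example: a fixed "now" so results are reproducible,
# and thresholds that are not the router's defaults.
EXAMPLE_NOW = datetime(2005, 12, 1, 12, 0, 0)
EXAMPLE_THRESHOLDS = {"Errored Seconds": 0, "Severely Errored Seconds": 0,
                      "Unavailable Seconds": 0, "Line Code Violations": 5}


def parse_performance_statistics(text):
    """Return {interval_number: {counter_name: value}} from the CLI readout."""
    intervals, current = {}, None
    for line in text.splitlines():
        m = INTERVAL_RE.match(line)
        if m:
            current = int(m.group(1))
            intervals[current] = {}
            continue
        if current is None:            # text before the first interval header
            continue
        for value, name in COUNTER_RE.findall(line):
            intervals[current][name] = int(value)
    return intervals


def interval_window(number, now):
    """(start, end) of interval `number`, given that interval 1 began 24 hours before `now`."""
    if not 1 <= number <= INTERVALS_PER_DAY:
        raise ValueError("interval must be 1..%d" % INTERVALS_PER_DAY)
    start = now - timedelta(hours=24) + timedelta(minutes=INTERVAL_MINUTES * (number - 1))
    return start, start + timedelta(minutes=INTERVAL_MINUTES)


def total_24_hour(intervals):
    """Sum every counter across the parsed intervals (what Total-24-hour summarises)."""
    totals = {}
    for counters in intervals.values():
        for name, value in counters.items():
            totals[name] = totals.get(name, 0) + value
    return totals


def exceeded(intervals, thresholds):
    """List (interval, counter, value, threshold) for every counter above its threshold."""
    hits = []
    for number in sorted(intervals):
        for name, limit in thresholds.items():
            value = intervals[number].get(name, 0)
            if value > limit:
                hits.append((number, name, value, limit))
    return hits
```

With the sample above, exceeded() reports interval 75 for Errored Seconds and Line Code Violations, and interval_window(75, EXAMPLE_NOW) places those errors in the quarter hour starting 18 hours 30 minutes after interval 1 began, which is what you would correlate against the event-history log.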
Figure 1-27. show t1 1/1 realtime Command
--------------------------------------------------------------------
t1 1/1 is UP
  Receiver has no alarms
  T1 coding is B8ZS, framing is ESF
  Clock source is through t1 1/2, FDL type is ANSI
  Line build-out is 0dB
  No remote loopbacks, No network loopbacks
  Acceptance of remote loopback requests enabled
  Tx Alarm Enable: rai
  Last clearing of counters never
    loss of frame  : 1, last occurred 00:10:27
    loss of signal : 1, last occurred 00:10:41
    AIS alarm      : 0
    Remote alarm   : 0
  DS0 Status: 123456789012345678901234
              NNNNNNNNNNNNNNNNNNNNNNNN
  Status Legend: '-' = DS0 is unallocated
                 'N' = DS0 is dedicated (nailed)
  Line Status: -- No Alarms --
(OUTPUT TRUNCATED)
--------------------------------------------------------------------
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'
The last line of the screen gives the keys for pausing or ending the output.
The show event-history command displays the event-history log. The event-history is a log of the dates, times, and descriptions of events such as connections going up or down or attacks blocked by the Secure Router OS firewall.
Many show commands also have options that allow you to focus or specify the display. For a list of available options for a specific show command, enter the command at the CLI and press ?.
Undebug
This command disables a debug command. To turn off all currently active debug commands, enter undebug all.
Write
This command is a file management command that manages the running-config file.
■ write memory. This command is similar to the copy command. Entering write memory will save the running-configuration to the startup-configuration. In J03_01.biz and later, the running-config will automatically save to the compact flash card, if present, as startup-config. Otherwise the running-config will be saved as startup-config on the router’s internal flash.
■ write erase. This command erases the startup-config. If you have a compact flash card, the startup-config is erased from cflash. If you are running the AutoSynch feature, this command erases startup-config from both flash and compact flash. If you do not have a compact flash card, the file is erased from flash.
■ write network. This command saves the running-config to a TFTP server. Enter a filename meaningful to you when you are prompted with Destination filename?.
■ write terminal. This command is similar to the show running-config command; it displays the current running-configuration in the CLI.
show tech
Unlike the other show commands, the show tech command does not neces-sarily display the information in the CLI. This command creates a file named showtech.txt in flash that contains a summary of the router’s show command information.
To create this file, enter show tech from the enable mode context. This will prepare the showtech.txt file and save it in the router’s internal flash.
After the showtech.txt file is created, you can save it to compact flash or upload it to a TFTP server. You can also save the contents of the showtech.txt file to your terminal’s text editor. See “Managing Configuration Files Using a Text Editor” on page 1-73 for more information on performing these tasks. (When following the steps for copying a file, replace <filename> with show-tech.txt.)
Note: The showtech.txt file is saved to internal flash. If you intend to use a compact flash card to transport the file, you must save the showtech.txt file to compact flash.
The showtech.txt file contains a readout of many of the show commands:
■ show version
■ show modules
■ show cflash
■ show run verbose
■ show interfaces
■ show atm pvc
■ show dial-backup interfaces
■ show dialin
■ show frame-relay lmi
■ show frame-relay pvc
■ show ip bgp neighbors
■ show ip bgp neighbor summary
■ show ip ospf neighbor
■ show ip ospf neighbor summary-add
■ show ip route
■ show bridge
■ show spanning-tree
■ show ip interfaces
■ show connections
■ show arp
■ show ip traffic
■ show tcp info
■ show ip protocols
■ show ip mroute
■ show ip access-lists
■ show event-history
■ show output-startup
■ show processes cpu
■ show buffers
■ show buffers users
■ show memory heap
■ show debugging
To display the contents of a showtech.txt file, enter show file [flash | cflash] showtech.txt from the enable mode context.
This readout allows a network administrator to pinpoint a router configura-tion problem without a connection to the router.
You can also specify that the show tech command readout be displayed in the CLI instead of generating and saving the showtech.txt file to flash memory. To display the readout on the screen, use the terminal option.
Syntax: show tech [terminal]
Updating the Boot Code
When applying a new boot code file, enter boot as the destination of a copy command. This command copies a file to the boot sector. For example, if you are upgrading from J03_01.biz to J04_01.biz, you might enter:
ProCurve# copy flash J04_01-boot.biz boot
The resulting text explains that other router tasks will be halted while the boot code is upgraded. See Figure 1-28.

Figure 1-28. Upgrading Boot Code

  Upgrading boot code is a critical process that cannot be interrupted. If something
  were to happen and the process was not able to be completed, it would render your
  unit inoperable. It is for this reason that during a bootcode upgrade, all other
  system tasks will be halted. This means packets will not be routed, and all console
  sessions will not respond during the upgrade process. Once this process finishes,
  the system will function as it did before. This process will take approximately
  20 seconds.
  Do you want to proceed? [yes/no]

Enter y. The router then begins to update the boot sector code with the file you specified. The output shown in Figure 1-29 is displayed.

Figure 1-29. Successfully Upgraded Boot Code

  WARNING!! A bootcode upgrade has been initiated. Your session will become
  nonresponsive for the duration of the upgrade (approx. 20 seconds). A message
  will be sent when the upgrade is completed.
  Reading 324883 bytes of code, stand by . . .
  Image is compressed, inflating . . . . . . . . . . . . . . . . . . . . . . . .
  Verifying image
  Erasing boot sector
  Programming boot sector
  Success!!!
  Bootcode upgrade process done. Your session should function normally.
  Success!!!!
  ProCurve#
Global Configuration Mode Commands
From enable mode, access the global configuration mode context by entering configure terminal. It is from this mode context that you enter the commands to configure the router; most of the commands in the global configuration mode context are discussed in the various chapters included in this guide. This section explains how to create an enable mode password, activate the AutoSynch™ technology, configure access to the Web browser interface, and enable support for Simple Network Management Protocol (SNMP). For information on how to configure a particular router interface or function, see the “Table of Contents” in either this Guide or the Advanced Management and Configuration Guide.
hostname Command
It is often useful to give the router a name that helps to distinguish it from other routers in your network. To change the router’s hostname, enter the following command from the global configuration mode context:
ProCurve(config)# hostname <hostname>
autosynch Command
The AutoSynch™ feature is used with a compact flash card. Enabling AutoSynch technology allows the router to automatically keep the startup-config and SROS files in internal flash synchronized with the startup-config and SROS file on the compact flash card.
The autosynch command is disabled in its default setting. To enable the AutoSynch technology, move to the global configuration mode context and enter:
ProCurve(config)# autosynch-mode

The CLI should display:

AutoSynch: SROS.BIZ synched
AutoSynch: startup-config synched

To disable the autosynch command, use the no command:

ProCurve(config)# no autosynch-mode
AutoSynch: SROS.BIZ not synched
AutoSynch: startup-config not synched
Support for SNMP
If you are using a Simple Network Management Protocol (SNMP) console, you can configure the ProCurve Secure Router as an SNMP agent and enable SNMP traps.
Entering ip snmp agent from the global configuration mode context enables the SNMP agent functions on the router. You can set up the SNMP agent from the global configuration mode by entering snmp-server. You will move to the SNMP server configuration mode context, from which you can set the chassis ID, contact information, management URL and URL label, source interface, community name, and the host that is to receive the SNMP information. You can also enable SNMP traps on individual interfaces. Treat the community name as a password: in SNMPv1 and SNMPv2c it is the only credential a management station presents, and it is carried in cleartext, so do not leave it at a well-known default such as public, and expose the agent only to the management hosts that need it.
MIBs for the ProCurve SR 7000dl series routers are available at the ProCurve Web site. To download the MIBs, go to http://www.hp.com/rnd/software/securerouters.htm and click the latest version of the SR 7000dl Router MIB File.
SafeMode
SafeMode is a CLI feature that allows you to perform configuration changes without the fear of being disconnected from a Telnet or SSH session. Some configuration changes can interrupt network connectivity. If you are managing a router remotely via SSH or Telnet, you can inadvertently lose your connection to the router.
For example, you may need to apply an ACL that does not permit Telnet or SSH traffic. As soon as you apply the ACL, you are locked out of the router. To fix the configuration that locked you out, you would need physical access to the router so that you could establish a console session with it. SafeMode allows you to make configuration changes using Telnet or SSH without worrying about losing your connection and being unable to reestablish it.
SafeMode requires you to periodically reset a reload timer. If the reload timer runs out before you reset it, the Secure Router OS will assume that the current running configuration has disrupted your connection to the router. It will save the running-config to internal flash as “problem-config” and reboot the router. Once the router has reloaded, it will display a reboot cause message and load the currently saved startup-configuration file. The startup-config should allow you to regain access to the router. You will then be able to review the saved problem-config file and correct the setting that caused the disruption.
After you enable SafeMode and set the time limit, a reload timer is activated for the Telnet and SSH access lines and begins to count down. You also set a threshold timer, which is shorter than the reload timer. When the threshold timer expires, a warning message is displayed in the CLI that allows you to reset the timer. Unless you enter the reset keystroke before the reload timer finishes counting down, the router reboots. This prevents you from being locked out of the router if you lose the connection and are unable to reset the timer.
While SafeMode is enabled, it temporarily suspends AutoSynch functioning. This prevents a disruptive configuration from being saved to both flash and compact flash. After the SafeMode configuration is complete and you have disabled the SafeMode counter, the AutoSynch function, if previously enabled, will automatically re-enable and begin synchronization.
Enabling SafeMode. To enable SafeMode, access the global configuration mode context and enter:
Syntax: safe-mode [<reload time> <threshold time>]
For example:
ProCurve(config)# safe-mode 600 500
ProCurve(safe-config)#

Set the <reload time> to the number of seconds to count down until the router reboots. Set the <threshold time> to the number of seconds that remain on the reload timer when the reminder to reset it is displayed (the reminder reads SafeMode will reboot in <threshold> seconds). With safe-mode 600 500, the reminder therefore appears 100 seconds after the timer starts and 500 seconds before the reboot. Both the reload time and threshold time must be between 30 and 3600 seconds. The default value for the reload time is 300 seconds, and the default value for the threshold time is 60 seconds. To enable SafeMode with the default settings, enter safe-mode at the global configuration prompt.
The reload time should be greater than the threshold time. If you enter a threshold value greater than the reload value, the CLI displays an error message.
When you are configuring in SafeMode from a Telnet or SSH session, the configuration mode context prompt is displayed as safe-config. For example:
ProCurve(safe-config)# interface ethernet 0/1
ProCurve(safe-config-eth 0/1)#
All configurations that you make during SafeMode are saved in RAM as part of the running-config.
After the countdown for the reload timer has begun, it continues until you either reset it by pressing Ctrl+R, you disable it by entering no safe-mode, or you exit out of the global configuration mode context.
Use the no form of the command to disable SafeMode and the countdown timer:
ProCurve(safe-config)# no safe-mode
ProCurve(config)#
SafeMode Functioning. SafeMode events are displayed in the CLI. When the time remaining on the reload timer drops to the threshold time, a notice is displayed in the CLI reminding you to reset the timer:

SAFEMODE: SafeMode will reboot in <threshold> seconds.
When you activate SafeMode, or when you leave and re-enter the configuration mode context while SafeMode is enabled, the reload timer is activated and a message is displayed in the CLI:
SAFEMODE: SafeMode enabled. Reboot in <n> seconds!
Once SafeMode is enabled, any CLI user can reset the timer by entering Ctrl+R. You can reset the timer at any time, as often as you need to complete the configuration.
Caution: If you save your configuration to the startup-config while in SafeMode, you may essentially negate SafeMode’s effect: the router may reboot with the saved disruptive configuration and you will still be locked out of the router. Be very careful about saving your in-process configurations when in SafeMode.
The problem-config file that is generated when the router reboots can be examined and edited in a text editor to repair the commands that caused the problems. For more information on using a text editor to edit router configurations, see “Configuration File Transfer Using the Console Port” on page 1-76, “Configuration File Transfer Using a TFTP Server” on page 1-78, or “Configuration File Transfer Using a Compact Flash Card” on page 1-81.
Note: The problem-config file is saved in the router’s internal flash memory. If you want to transport the file or save a backup of the file using compact flash, you need to copy the file to compact flash by entering copy flash problem-config cflash problem-config from the enable mode context.
Help Tools
The Secure Router OS features help tools, editing functions, and global commands to help you navigate through the Secure Router OS and configure and maintain your WAN.
CLI Help Commands
You can enter the ? character to display the available command syntax for any command in the CLI.
The ? character displays information about the available commands and options available to those commands in your current CLI context. You will not need to press Enter to activate the ? help tool. The character immediately triggers the display.
■ ?. Entering the ? character displays a list of all the available commands in your current mode context with a brief description of their functions.
■ <letter>?. If you know the beginning of a command but need to be reminded of the entire word or if you want a more limited list of com-mands, enter a letter or set of letters followed immediately by the ? command. Do not put a space between the letters and the ?. The router will then display only the specific commands that begin with those letters. For example,
ProCurve> e?
enable    exception    exit
■ <command> ?. If you know the command but need to be reminded of the available options, type the command followed by a space and ?. This will bring up a display of the available options for that command in the current mode and a brief description of each. The following is an example:
ProCurve(config t1 1/1)# clock source ?
  internal  -Use internal clock source
  line      -Recover clock from line
  through   -Recover clock from alt i/f
Editing Commands
The router’s CLI supports basic editing functions that move the cursor through the command line and allow you to cycle through previous commands. Table 1-8 describes the Secure Router OS CLI editing commands.
Table 1-8. Keystrokes for Moving Around the CLI

  Editing Command         Action
  Ctrl+P or up arrow      recall the most recent command
  Ctrl+A                  move to the beginning of the line (Home)
  Ctrl+E                  move to the end of the line (End)
  Ctrl+F or right arrow   move forward one character
  Ctrl+B or left arrow    move backward one character
  Tab                     finish partially typed command

Command Recall. Recall the most recent command by entering Ctrl+P or by pressing the up arrow. Pressing the up arrow again will cycle through the previous commands.

Moving within the Command Line. When typing a lengthy command, you may make an error and need to move the cursor within the command line. See Table 1-8 for a list of keystrokes that move the cursor within the command line.

Tab. The Tab key is a shortcut key. Press Tab after typing the first few characters of a command. If you have typed enough characters to distinguish the command from all other available commands, the Secure Router OS will finish the word for you.

Truncation. The ProCurve Secure Router OS also recognizes truncated commands. You only need to enter enough characters in the CLI to distinguish the command you wish to execute from other available commands. A good way to learn how many characters you must enter for a particular command is to press the Tab key. If, when you press Tab, the Secure Router OS is able to finish the command without having to list possible options, you have typed enough characters.

For example, when entering the enable mode context, it is not necessary to type the whole word enable. The basic mode context includes three commands that begin with the letter “e” and only one command that begins with the letters “en.” To enter the enable mode context from basic mode you only need to enter en and press Enter. This can be checked by pressing Tab after typing en at the basic mode context prompt. Because the Secure Router OS is able to finish the word enable, it also recognizes the truncated command.
no
In the enable and configuration mode contexts, typing the word no before a command negates that command. For example, if you want to stop event notices from displaying to the CLI screen, enter no events.
do
If you need to execute an enable mode command from a configuration mode context, type do before you enter the command. The do command allows you to stay in your current mode context while executing other mode context commands. For example, to display the status of a physical interface while configuring its logical interface, enter:
Syntax: do show interfaces <interface type> <slot>/<port>
ProCurve(config-ppp 1)# do show interface e1 1/1
exit
To leave a specific interface or configuration mode, type exit. The exit command moves you back one mode level. For example, if you were in the ATM interface configuration mode context and entered exit, you would return to the global configuration mode context.
When you enter the exit command in the global configuration mode context, you return to the enable mode context and the CLI displays this message:
Appropriate commands must be issued to preserve configuration.
This message is a reminder to save the configuration you have completed. All configuration changes are initially saved in the router’s running-configuration file. If the router were powered down, the running config, and any changes that you have not saved, would be lost.
Save your current configuration by entering either write memory or copy run startup from the enable mode context.
Bootstrap Mode Context
The bootstrap mode context allows you to access your router when a problem with the software, or a forgotten password, prevents you from accessing it through a console session. Bootstrap mode is a temporary measure to allow you enough access to the router to restore it to proper operation.
The ProCurve Secure Router automatically enters the bootstrap mode context if it cannot locate valid SROS software or if the SROS software has been corrupted. You can also access the bootstrap mode by pressing Esc during the first five seconds of the startup process. During the startup process, the screen will display a countdown, alerting you to how much time you have left to access the bootstrap mode context.
You may want to access the bootstrap mode context if you need to replace corrupted software, cannot remember the system password, or have made configurations that have locked you out of the router. For security, the bootstrap mode context is available only through the console port and cannot be accessed through the Web browser interface. The converse also holds: because bootstrap mode can bypass all passwords (see “Bypass” below), anyone with physical access to the console port during startup has full control of the router, so the console port must be physically protected.
When you enter the bootstrap mode context, this CLI prompt will display:
bootstrap#
The commands available in bootstrap mode are limited to those related to helping you to successfully boot the router. The following is a list of some of the bootstrap mode commands.
Boot. This command allows you to configure the software and configura-tions booted by the router.
Syntax: boot [cflash <filename> | flash <filename> | config {flash | cflash} <filename> | system {flash | cflash} <filename> | <filename>] [<backup boot file location> <backup filename>]
To set the Secure Router OS software that you want the router to use to boot, enter:
Syntax: boot system [flash | cflash] <filename> [<backup location> <backup file-name>]
For example:
bootstrap# boot system cflash SROS.BIZ flash SROS.BIZ
To set the configuration file that you want the router to load, enter:
Syntax: boot config [flash | cflash] <filename> [<backup location> <backup filename>]
For example:
bootstrap# boot config cflash startup-config flash startup-config.bak
After you configure the boot software settings, enter reload or boot to reboot the router.
Use the boot [cflash | flash] <filename> option to immediately boot the router using the specified file. To set the backup boot code, replace <backup filename> with the name of the file you want the router to boot with in case the primary boot file you specified is unavailable or corrupted. Replace <backup boot file location> with flash or cflash.
Bypass. This command allows you to bypass passwords and configurations. If you are locked out because you have forgotten a console or enable pass-word, you can reboot the system with the following commands:
bootstrap# bypass passwords
bootstrap# boot
This command will reboot the ProCurve Secure Router using the startup-config but with all passwords disabled.
If you inadvertently make configuration changes that lock you out of the router, you may need to bypass the startup-config to keep yourself from being locked out permanently. You can reboot the router using the default settings by entering the following commands:
bootstrap# bypass startup-config
bootstrap# boot
Replacing Corrupted Software. If the Secure Router OS software is invalid or corrupted, you need to load new software. However, the Secure Router OS may be corrupted to the point that you can no longer access the CLI or Web browser interface to upgrade it. You can upgrade the Secure Router OS software from the bootstrap mode by completing the following steps:
1. Configure an IP address for the Ethernet 0/1 interface by entering:
bootstrap# ip address <A.B.C.D> <subnet mask>
In this mode, the subnet mask must be in <A.B.C.D> format. The router will not accept a prefix length notation.
2. Copy the Secure Router OS software from a TFTP server by entering:

bootstrap# copy tftp flash
Address of remote host? <A.B.C.D>
Source of filename? J04_01.biz
Destination filename? J04_01.biz

TFTP has no authentication or integrity protection, so place the TFTP server on an isolated or directly connected segment and serve only a known-good copy of the image.
You can also copy the Secure Router OS software from a compact flash card.
bootstrap# copy cflash <filename> flash [<filename>]
3. If your router uses the standard boot process, you should copy the new software as SROS.BIZ to both the compact flash memory (if your router uses a compact flash card) and the internal flash.
bootstrap# copy flash J04_01.biz cflash SROS.BIZ
bootstrap# copy flash J04_01.biz flash SROS.BIZ
4. Alternatively, you can enter the boot system command and specify the new Secure Router OS software by entering:
Syntax: boot system [flash | cflash] <filename>
bootstrap# boot system flash J04_01.biz
This option, however, is not recommended because you must then enter a new boot system command whenever you upgrade the router’s soft-ware.
5. Enter reload or boot to reboot the system.
Note: A quicker and easier way to replace corrupted software is to make sure that you have an uncorrupted backup copy of the Secure Router OS on compact flash. If you have a compact flash card with the good copy of the Secure Router OS, you only need to insert it into the router and boot it. Then copy the uncorrupted version to flash and erase the corrupt version.
Troubleshooting
Compact Flash
Compact flash performance can vary greatly between vendors. If there seems to be a delay when the ProCurve Secure Router saves changes to the compact flash card, the Secure Router OS is still functioning, though at times it may seem to be in a suspended state.
If your router does not have a dedicated compact flash card, you will need to copy needed files to the router’s internal flash memory if you want to continue to use these files and configurations. To save a compact flash file to the router’s internal flash, access the enable mode context and enter:
Syntax: copy <source> <filename> <destination> <filename>
For example:
ProCurve# copy cflash SROS.BIZ flash SROS.BIZ
If you use the show tech command and intend to transport the file on your compact flash card, you will need to save the file to the compact flash card. From the enable mode context, enter:
ProCurve# copy flash showtech.txt cflash showtech.txt
AutoSynch™ Error Messages
If the router is displaying AutoSynch error messages or messages that your files are not synchronized, you may need to do some file management tasks to get it up and running.
The autosynch command synchronizes files from compact flash to flash. It is very important to ensure that you have the current and proper SROS.BIZ and startup-config files on compact flash. Otherwise, once synchronization begins, the version of SROS.BIZ or startup-config on compact flash will be copied over the file on flash. The same property makes the card a trust boundary: while AutoSynch is enabled, whoever can insert a compact flash card carrying their own SROS.BIZ or startup-config can replace the router’s software and configuration, so control physical access to the slot and to the cards you use.
Table 1-9 is a short list of AutoSynch error messages.
Table 1-9. AutoSynch™ Error Messages

  Error Message                          Action
  compact flash removed                  Make sure the compact flash card is firmly mounted in the compact flash slot.
  CFLASH startup-config does not exist   From the enable mode context, enter write memory. Then begin synchronization by entering autosynch.
  CFLASH SROS.BIZ does not exist         From the enable mode context, enter copy fl SROS.BIZ cfl SROS.BIZ.
  CFLASH startup-config not synched      Enter autosynch from the enable mode context.

If the router is reporting that the compact flash card is removed, check the back panel to be sure that the compact flash card is firmly mounted in the slot.

Even if you have identical copies of SROS.BIZ on both flash and compact flash, the router will not be able to report that SROS.BIZ is synched until there are synchronized copies of startup-config on compact flash and flash. Both locations must have files with exactly the same filename.

Because the router always synchronizes files from compact flash to internal flash memory, it will report error messages if you do not have a copy of the SROS.BIZ or startup-config files on compact flash.

Copy the missing file from flash to cflash by entering the following commands from the enable mode context:

ProCurve# copy flash SROS.BIZ cflash SROS.BIZ
ProCurve# write memory

Then enter autosynch from the enable mode context to synchronize the files.

Note: During the AutoSynch synchronization process, do not remove the compact flash card. Wait for state completion.

If the router is reporting that the files are not synchronized after you have ensured that there are copies of SROS.BIZ and startup-config on the compact flash card, check the filenames.

Note: Filenames are case sensitive. SROS.biz is not the same file as SROS.BIZ. It is important that the filenames on the compact flash card are exactly correct.
Caution: Be very careful doing any kind of file management with the startup-config and SROS.BIZ files while the autosynch command is enabled. If you erase either the startup-config file or SROS.BIZ file from compact flash, the file will also be erased from the internal flash.
If you have managed to erase the SROS.BIZ file from both flash and compact flash, you can create the file by entering this command from the enable mode context:
ProCurve# copy flash J0X_0X.biz flash SROS.BIZ
Pay special attention to the filenames.
If you have erased the startup-config, entering write memory from the enable mode context will create a startup-config file and save it to compact flash.
Using the reload in Command
When you are configuring the ProCurve Secure Router, you may want to enter a safeguard to ensure that you do not inadvertently block your access to the router. You can configure the ProCurve Secure Router to reload the startup-config after a set time period has elapsed, returning the router to its previous configurations.
To schedule a system reboot, enter the following command from the enable mode context:
ProCurve# reload in <mmm>
or
ProCurve# reload in <hhh:mm>
Replace <mmm> with the number of minutes to countdown until the router reboots. You can specify a three-digit number. Replace <hhh:mm> with a countdown time such as 1:15 (1 hour and 15 minutes).
For example, if you wanted to set the router to reboot in 3 hours, you would enter:
ProCurve# reload in 3:00
or
ProCurve# reload in 180
The CLI will prompt you to save the system configuration. If you have already made the configurations that you want to test, reply no. If you are getting ready to make the configurations to be tested and want to save previous configura-tions, reply yes. The CLI then displays:
You are about to reboot the system. Continue? [y/n]
Enter y. The system will not reboot immediately. It will wait the amount of time you have specified. Remember that while you are doing a delicate configuration and using the reload in command, you must not save the running-config to the startup-config (by entering either write memory or copy run start). Otherwise, the ProCurve Secure Router will load these configurations when it reboots.
To cancel the reload, enter:
ProCurve# reload cancel
Note: SafeMode automates this process if you are configuring the router using a Telnet or SSH session. (See “SafeMode” on page 1-61.)
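SafeMode (page 1-61) and the reload in command are two forms of the same safeguard: a change goes live only while an operator keeps proving they can still reach the router, and the known-good startup-config comes back if they cannot. The following Python model is an added example of that pattern, not Secure Router OS code or an HP tool. The class, method and event names are this example’s own; the timer bounds (30 to 3600 seconds, threshold below reload), the default values, the Ctrl+R reset, the problem-config copy and the reminder text follow the SafeMode description above. The sample ACL configuration and the fake clock are constructed so the scenario runs offline.

```python
import time


class SafeModeError(ValueError):
    """Raised for the same misuse the router rejects (bad timer values, no SafeMode)."""


class FakeClock:
    """Constructed clock for the demo and tests: time advances only when told to."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class SafeSession:
    """A running config guarded by a reload timer, modelled on SafeMode and reload in."""

    def __init__(self, startup_config, reload_time=300, threshold_time=60,
                 clock=time.monotonic):
        # Same bounds the router enforces: 30..3600 s, threshold below reload.
        for name, value in (("reload", reload_time), ("threshold", threshold_time)):
            if not 30 <= value <= 3600:
                raise SafeModeError(f"{name} time must be between 30 and 3600 seconds")
        if threshold_time >= reload_time:
            raise SafeModeError("threshold time must be less than reload time")
        self.startup_config = startup_config  # known-good copy that survives a reboot
        self.running_config = startup_config  # what is live now (RAM on the router)
        self.problem_config = None            # set aside when the timer expires
        self.reload_time = reload_time
        self.threshold_time = threshold_time
        self._clock = clock
        self._deadline = None
        self._warned = False

    def enable(self):
        """safe-mode: start the reload countdown."""
        self._deadline = self._clock() + self.reload_time
        self._warned = False

    def reset_timer(self):
        """Ctrl+R: the operator is still connected, so push the deadline out again."""
        if self._deadline is None:
            raise SafeModeError("SafeMode is not enabled")
        self.enable()

    def apply(self, candidate):
        """Make a candidate configuration live, in RAM only, never in startup-config."""
        if self._deadline is None:
            raise SafeModeError("refusing a risky change outside SafeMode")
        self.running_config = candidate

    def remaining(self):
        """Seconds left before the guard fires, or None when it is not armed."""
        return None if self._deadline is None else self._deadline - self._clock()

    def poll(self):
        """Run the guard once; returns 'idle', 'ok', 'reboot' or the reminder text."""
        left = self.remaining()
        if left is None:
            return "idle"
        if left <= 0:
            # Nobody reset the timer: assume the running config cut the operator off.
            self.problem_config = self.running_config
            self.running_config = self.startup_config  # same effect as reloading startup-config
            self._deadline = None
            return "reboot"
        if left <= self.threshold_time and not self._warned:
            self._warned = True
            return f"SAFEMODE: SafeMode will reboot in {int(left)} seconds."
        return "ok"

    def commit(self):
        """no safe-mode, then write memory: only after the operator confirmed access still works."""
        if self._deadline is None:
            raise SafeModeError("SafeMode is not enabled")
        self._deadline = None  # disarm first, so the save cannot be undone by a reboot
        self.startup_config = self.running_config


def lockout_scenario():
    """Operator applies an ACL that drops their own SSH session and never resets the timer."""
    clock = FakeClock()
    session = SafeSession("hostname base\n!", reload_time=600, threshold_time=500, clock=clock)
    session.enable()
    session.apply("hostname base\nip access-list extended block-mgmt\n  deny tcp any any eq 22\n!")
    events = []
    for seconds_since_enable in (60, 100, 400, 600):
        clock.now = seconds_since_enable
        events.append(session.poll())
    return events, session.running_config, session.problem_config


if __name__ == "__main__":
    for line in lockout_scenario()[0]:
        print(line)
```

The scenario returns the reminder at 100 seconds (500 seconds before the reboot, matching safe-mode 600 500), then a reboot that restores the base configuration and keeps the ACL version as problem_config for review. The commit path mirrors the Caution above: the timer is disarmed before the save, because a save made while the guard is armed would be undone, or worse, made permanent, by the reboot.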
Managing Configuration Files Using a Text Editor
Configuration files can be adjusted to each router’s needs using your com-puter’s text editor. This allows you to set up a configuration on one router, save it to a file, and edit it for installation on another router.
ProCurve Secure Router configuration files are robust. If you miskey a command or make a mistake in the text editor, the router simply ignores the faulty line and uses the default setting. If any necessary command is missing, the router substitutes the default. Problem commands trigger an error message during bootup. Because a rejected line is skipped rather than stopping the boot, a mistyped ACL or password command can leave the router running with a weaker configuration than you intended, so review the boot error messages every time you load an edited file.
It is not necessary to re-edit the configuration in a text editor to repair a problem; simply enter the pertinent command in the CLI. View the error messages displayed during bootup to determine which command is faulty.
Figure 1-30. Boot Error Messages
The error messages in Figure 1-30 were displayed during bootup. In this particular case, the startup-config file has VPNs configured, and the router that is booting does not have the IPSec VPN module that enables these commands. The VPN commands are reported as errors.
You can use error messages like these to locate and troubleshoot a problem in the router’s configuration.
Figure 1-31. Using Boot Error Messages to Target a Configuration Problem
The line number given in the error message is the line number in the running-config. You can use this information to locate and repair any configuration problems.
You will need to scroll up in your terminal session software window to read the error message. Make a note of the line, the command, and the resulting error message, as shown in Figure 1-31. Then return to the command line and enter the enable mode context.
Enter show running-config to display the current configuration. When the running-config is displayed, begin with the first exclamation point and count down, line by line, until you reach the line that generated the error message. Check the resulting message from the error report. Repair the problem by entering the appropriate configuration context and re-entering the command using the error report as a guide.
For example, in Figure 1-31 there is an error in line 58. The faulty command was
ProCurve(config-ike)# peer 10.2.2.1
The peer at 10.2.2.1 was already assigned to IKE policy 100 and cannot be assigned to more than one policy. In this example, you should configure the IKE policy for a different peer.
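Counting lines from the first exclamation point by hand is error-prone on a long configuration. The following Python helper is an added example, not part of the guide or of the Secure Router OS: it numbers a saved copy of the show running-config output the way the boot error report does, returns the command at a given line together with the mode command it sits under, and checks for the fault in the example above, a peer assigned to more than one IKE policy. The sample configuration is constructed. Two assumptions are this example’s own: that sub-commands are indented under their mode command in the saved text, and that the report’s line 1 is the first “!” line, as the procedure above states.

```python
import re

# Constructed sample of a saved running-config: one preamble line that the boot
# error report does not count, then the "!"-separated sections.
SAMPLE_RUNNING_CONFIG = """\
Current configuration (constructed sample)
!
!
hostname "Router-A"
!
ip firewall
!
interface eth 0/1
  ip address 10.1.1.1 255.255.255.0
  no shutdown
!
crypto ike policy 100
  initiate main
  respond anymode
  peer 10.2.2.1
!
crypto ike policy 200
  initiate main
  peer 10.2.2.1
!
end
"""

IKE_POLICY = re.compile(r"^crypto ike policy (\S+)\s*$")
IKE_PEER = re.compile(r"^\s+peer (\S+)\s*$")


def numbered_lines(config):
    """Lines of the config numbered as the boot error report numbers them.

    The report counts from the first "!" line, so anything the terminal showed
    before it (banners, the echoed show command) is dropped here.
    """
    lines = config.splitlines()
    for start, line in enumerate(lines):
        if line.strip() == "!":
            return lines[start:]
    raise ValueError("no '!' line found; this does not look like a running-config")


def locate(config, lineno):
    """Return (command, enclosing mode command) for an error report line number.

    Sub-commands are assumed to be indented under their mode command, as the
    saved running-config shows them (an assumption of this example).
    """
    lines = numbered_lines(config)
    if not 1 <= lineno <= len(lines):
        raise IndexError(f"line {lineno} is outside the {len(lines)}-line config")
    command = lines[lineno - 1]
    block = None
    if command.startswith(" "):
        for earlier in reversed(lines[: lineno - 1]):
            if earlier and not earlier.startswith(" ") and earlier.strip() != "!":
                block = earlier.strip()
                break
    return command.strip(), block


def duplicate_ike_peers(config):
    """Peers assigned to more than one IKE policy, the fault in the guide's example."""
    policies_by_peer = {}
    policy = None
    for line in numbered_lines(config):
        match = IKE_POLICY.match(line)
        if match:
            policy = match.group(1)
            continue
        if not line.startswith(" "):
            policy = None  # a "!" or another top-level command ends the block
            continue
        match = IKE_PEER.match(line)
        if match and policy is not None:
            policies_by_peer.setdefault(match.group(1), []).append(policy)
    return {peer: policies for peer, policies in policies_by_peer.items()
            if len(policies) > 1}


def report(config, lineno):
    """One line an operator can act on, for a line number taken from the error report."""
    command, block = locate(config, lineno)
    where = f"under '{block}'" if block else "at the global configuration level"
    return f"line {lineno}: '{command}' {where}"


if __name__ == "__main__":
    print(report(SAMPLE_RUNNING_CONFIG, 18))
    print(duplicate_ike_peers(SAMPLE_RUNNING_CONFIG))
```

Paste the show running-config output into a file, pass it with the line number from the error report, and the helper names both the command and the configuration context to enter before re-issuing a corrected command.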
Creating and Transferring Configuration Files
To create a configuration file, begin by creating a base configuration on an originating router. Save the base configuration by entering copy running-config <destination location> <destination filename> or write memory from the enable mode context.
If you do not want the base router to use the base configuration, you should save the base configuration as a .cfg or .txt file. From the enable mode context, enter:
ProCurve# copy flash running-config <destination location> <destination filename>
If you entered write memory and are running the AutoSynch function, the configuration is saved as the startup-config file on the flash and compact flash memories. If you have a compact flash card but are not running the AutoSynch function, this command will save the configuration as startup-config on the compact flash card. If you do not have a compact flash card in your router, the file is saved in internal flash as the startup-config file.
Configuration File Transfer Using the Console Port
In order to complete these steps, you must establish a console session with the ProCurve Secure Router.
1. Create a base configuration.
Use either the router’s factory defaults or another router’s configuration as a base. This can be the contents of the startup-config file or the current running-configuration. Display this configuration from the enable mode context.
Syntax: show file <location> <filename>
ProCurve# show file cflash startup-config
or
ProCurve# show running-config verbose
2. Copy the text.
Use your mouse to highlight the resulting display in the terminal session window. Copy this text either by pressing Ctrl+C, right-clicking the mouse and clicking Copy, or by clicking Edit > Copy in the window.
Paste the copied text into a text editor program such as Notepad.
3. Edit the configuration.
Change the configuration as needed. Adjust IP addresses, hostnames, and other settings.
4. Copy the edited text.
Highlight the edited configuration in the text editor. Copy the highlighted text either by pressing Ctrl+C, right-clicking the mouse and clicking Copy, or clicking Edit > Copy in the window.
5. Save the edited configuration on the router.
On the router you are configuring, enter the enable mode context. Then enter the following from the enable mode context:
Syntax: copy console flash <destination filename>
ProCurve# copy console flash configuration.txt
Enter text to be saved to “configuration.txt”
Type CTRL+D to finish
Replace <destination filename> with the name you want to give this file.
When the message Enter text to be saved to “configuration.txt”, Type CTRL+D to finish appears, paste the text into the terminal session window. You may need to right-click the mouse and click Paste to host. Press Ctrl+D after the text has been entered.
The text is saved as a file in the location you specified and with the filename you specified.
6. Erase files that may conflict with the new configuration.
Enter show flash from the enable mode context. If there are files named startup-config or startup-config.bak, erase them:
ProCurve# erase flash startup-config
Deleted NONVOL:/startup-config
ProCurve# erase flash startup-config.bak
Deleted NONVOL:/startup-config.bak
Do the same for compact flash by entering show cflash and erasing any startup-config files.
ProCurve# erase cflash startup-config
Deleted CFLASH:/startup-config
ProCurve# erase cflash startup-config.bak
Deleted CFLASH:/startup-config.bak
Erasing the startup-config files will return the router configurations to the factory defaults.
7. Install the configuration.
Copy the edited configuration file to startup-config.
Syntax: copy <source location> <source filename> <destination location> <destination filename>
ProCurve# copy flash configuration.txt flash startup-config
The router will create the startup-config file and save the edited configuration to the file.
8. Reboot the router.
Enter reload from the enable mode context. When it prompts you to save the system configuration, press n.
Note: Be careful. If you press y when asked to save the system configuration, the new startup configuration you just entered will be erased and replaced by the current running configuration.
Press y when asked whether you want to proceed.
The router will boot up using the new configuration.
Configuration File Transfer Using a TFTP Server
1. Create a base configuration. Then copy the base configuration to a file.
Syntax: copy <source> <base config filename> <destination> <destination filename.txt>
For example:
ProCurve# copy flash startup-config flash routerB.txt
Replace <source> with the location of the base configuration file. If you have a compact flash card and the file is saved on compact flash, enter cflash. Otherwise, enter flash. Because you will be editing this file in a text editor, give the file a .txt extension.
2. Upload the file to the TFTP server.
Syntax: copy <source location> tftp
ProCurve# copy flash tftp
Address of remote host? 192.168.100.2
Source filename? routerB.txt
Destination filename? [routerB.txt]
After you enter copy <source location> tftp from the enable mode context, the router will prompt you for the information it needs to successfully complete the TFTP file transfer. When prompted, enter the IP address of the TFTP server that is to receive the file. Then enter the filename of the configuration file. When asked for the destination filename, you can either rename the file by entering the desired filename or keep the same name by pressing Enter.
Note: Filenames are case sensitive. When copying a file, be sure to enter the filename exactly.
3. Open the file in a text editor.
Once the file has been successfully uploaded into a TFTP server, you can open the file using a text editor such as Notepad.
4. Enter the changes.
Using the text editor, change the configurations that need to be customized. For example, you may need to change the IP addresses, hostname, and other configurations to suit the destination router. Save the edited configuration file back into the TFTP server.
5. Initiate a session with the router on which you want to install the customized configuration.
6. Erase files on the target router that may conflict with the new configuration.
Make sure that the internal flash on the target router does not include a backup startup-config.
ProCurve# show flash
ProCurve# show cflash
If there is a startup-config.bak, erase it.
ProCurve# erase flash startup-config.bak
Deleted NONVOL:/startup-config.bak
ProCurve# erase cflash startup-config.bak
Deleted CFLASH:/startup-config.bak
To be sure that old configurations do not interfere with the new configuration, erase any startup-config files. This will reset the router to its factory defaults.
ProCurve# erase flash startup-config
Deleted NONVOL:/startup-config
ProCurve# erase cflash startup-config
Deleted CFLASH:/startup-config
7. Upload and apply the edited configuration file to the destination router.
Configure the destination router to upload TFTP files. In most cases, this will involve configuring a connection between the router and the TFTP server.
After you have configured access to the TFTP server from the destination router, enter the enable mode context and enter:
Syntax: configure network
ProCurve# configure network
Address of remote host? 192.168.100.2
Source filename? routerB.txt
Initiating TFTP transfer . . .
Received 1044 bytes.
Transfer complete.
Opening and applying file . . .
ProCurve2#
8. Save the new configuration.
The configure network command saves the configuration to running-config. To preserve this configuration, you need to save the running-config as the startup-config.
Syntax: write memory
The router will now load and use the current configuration when it is booted.
Configuration File Transfer Using a Compact Flash Card
1. Copy and rename the base configuration.
Syntax: copy <source> <base configuration name> <destination> <destination filename.txt>
For example, if your base configuration were the router’s startup-config, you would enter:
ProCurve# copy cflash startup-config cflash routerB.txt
Replace <source> with the location of the base configuration file. Because you will be editing this file in a text editor, give the destination filename a .txt extension.
Note: Filenames are case sensitive. When copying a file, be sure to enter the filename exactly.
2. Move the file to a text editor.
Remove the compact flash card from the router and put it into the compact flash card slot on your terminal. Open the configuration file in a text editor such as Notepad.
3. Enter the configuration changes.
Using the text editor, change the configurations that need to be customized. For example, you may need to change the IP addresses, hostname, and other configurations to suit the destination router.
Save the edited configuration to the compact flash card. Eject the card.
Note: If you are using a dedicated compact flash card on this router, you can simply name the edited configuration startup-config. As long as the destination router uses the standard boot process, the new configuration will load when you install it in the destination router and reboot it. Otherwise, you can follow the steps below.
4. Insert the compact flash card into the destination router’s compact flash slot in the rear of the router.
5. Open a session with the destination router and erase files that may conflict with the new configuration.
Make sure there are no startup-configuration files on the router’s internal flash or compact flash. Backup files for the startup-config can also interfere with the installation of the new configuration.
ProCurve# show cflash
If you see files called startup-config.bak or startup-config, erase them.
ProCurve# erase cflash startup-config.bak
Deleted CFLASH:/startup-config.bak
ProCurve# erase flash startup-config.bak
Deleted NONVOL:/startup-config.bak
Unless you saved the edited configuration as startup-config on the compact flash card, you will need to erase the existing startup-config files. These files can interfere with the installation of the edited configuration.
ProCurve# erase cflash startup-config
Deleted CFLASH:/startup-config
ProCurve# erase flash startup-config
Deleted NONVOL:/startup-config
Erasing the startup files will reset the router to its factory defaults.
6. Install the edited configuration.
From the enable mode context, load the edited configuration file and rename it “startup-config”:
Syntax: copy cflash <filename> cflash startup-config
ProCurve# copy cflash routerB.txt cflash startup-config
7. Reboot the router.
Enter reload from the enable mode context. When the Secure Router OS prompts you to save the system configuration, press n.
Note: Be careful. If you press y when asked to save the system configuration, the new startup configuration you just entered will be erased and replaced by the current running configuration.
Press y when asked whether you want to proceed. The router will boot up using the new configuration.
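The "edit the configuration" step is the same in all three transfer procedures above (console, TFTP, and compact flash): change the hostname and IP addresses so the copy fits the destination router. The following added Python example, which is not part of the guide or of the router's software, does that edit mechanically and reports two mistakes that are easy to make by hand: an interface that still carries the base router's address, and a base address still referenced elsewhere in the file. The sample base configuration is constructed, and the ACL line in it uses an assumed syntax.

```python
"""Retarget a saved base configuration for another router: rewrite the hostname and
interface addresses, and flag anything that still points at the base router
(added example, not a ProCurve tool)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: base configuration saved from the originating router.
# The enable password hash is the one shown in this guide; the ACL syntax is assumed.
BASE_CONFIG = """\
!
hostname "RouterA"
enable password md5 encrypted b46f9961af093fdfb9e177eda79
!
interface ethernet 0/1
  ip address 192.168.1.1 255.255.255.0
  no shutdown
!
interface ethernet 0/2
  ip address 10.1.1.1 255.255.255.0
  no shutdown
!
ip access-list extended MGMT
  permit tcp any host 192.168.1.1 eq 23
!
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
"""

HOSTNAME_RE = re.compile(r'^hostname\s+"?([^"]+?)"?\s*$')
IP_ADDR_RE = re.compile(r"^(\s*)ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")


def retarget_config(base: str, new_hostname: str,
                    new_addresses: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (edited configuration, warnings).

    new_addresses maps an interface context exactly as written in the configuration
    (e.g. "interface ethernet 0/1") to the destination router's address in
    "A.B.C.D/prefix" form.  Interfaces left out of the map keep the base address
    and are reported, because two routers sharing an address is the usual
    mistake when a base configuration is cloned.
    """
    out: List[str] = []
    warnings: List[str] = []
    replaced: List[str] = []          # base addresses that were rewritten
    context = ""
    for raw in base.splitlines():
        stripped = raw.strip()
        if stripped and not raw[0].isspace():
            context = stripped        # a top-level command opens a new context
        if HOSTNAME_RE.match(stripped):
            out.append(f'hostname "{new_hostname}"')
            continue
        match = IP_ADDR_RE.match(raw)
        if match and context.startswith("interface "):
            indent, old_ip, old_mask = match.groups()
            if context in new_addresses:
                new = ipaddress.ip_interface(new_addresses[context])  # validates the input
                out.append(f"{indent}ip address {new.ip} {new.netmask}")
                replaced.append(old_ip)
                continue
            warnings.append(f"{context}: still uses base address {old_ip} {old_mask}")
        out.append(raw)
    # A rewritten interface address may still be referenced elsewhere (routes,
    # ACLs, VPN peers); report those lines so they get edited by hand.
    for old_ip in replaced:
        pattern = re.compile(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])")
        for line in out:
            if pattern.search(line):
                warnings.append(f"base address {old_ip} still referenced: {line.strip()}")
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    edited, notes = retarget_config(BASE_CONFIG, "RouterB",
                                    {"interface ethernet 0/1": "192.168.2.1/24"})
    print(edited)
    for note in notes:
        print("WARNING:", note)
```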
OverviewQuick Start
Quick Start
This section provides the instructions you need to quickly access the ProCurve Secure Router CLI and establish a console session.
Only minimal explanation is provided. It is strongly recommended that you read the entire chapter so that you understand how the Secure Router operating system (OS) is organized and how to manage the OS. If you need information about a specific aspect of managing the OS, see “Contents” on page 1-1 to locate the section that contains the explanation you need.
Accessing the Secure Router OS
1. Use the serial cable (5184-1894) that shipped with the ProCurve Secure Router to connect the COM port on your computer to the console port on the front panel of the router.
2. Open a terminal session with the ProCurve Secure Router using the following settings:
• Baud Rate = 9600
• Parity = None
• Data Bits = 8
• Stop Bits = 1
• Flow Control = None
3. Press Enter to access the basic mode context.
4. Access the enable mode context:
ProCurve> enable
5. Access the global configuration mode:
ProCurve# configure terminal
For information about configuring Telnet, SSH, or HTTP access, see Chapter 2: Controlling Management Access to the ProCurve Secure Router. For information about configuring Web access to the router, see “Enabling Access to the Web Browser Interface” on page 14-4.
2 Controlling Management Access to the ProCurve Secure Router
Contents
Securing Management Access to the ProCurve Secure Router . . . . . . . . . 2-4
Restricting Access to the Enable Mode Context . . . . . . . . . . . . . . . . . . 2-4
Configuring a Password for Console Access . . . . . . . . . . . . . . . . . . . . . 2-5
Enabling Remote Access to the ProCurve Secure Router . . . . . . . . . . 2-6
Configuring an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Configuring Telnet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Configuring Local User Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Encrypting All the Passwords Configured on the Router . . . . . . 2-11
Enabling Access to the Web Browser Interface . . . . . . . . . . . . . . 2-11
Managing SSH Communications . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Using FTP to Access the Router . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Using the Local User List for Console or Telnet Access . . . . . . . 2-13
Enabling Secure Copy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Viewing Information about Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
Using the AAA Subsystem to Control Management Access . . . . . . . . . . . 2-14
Advantages of Using the AAA Subsystem . . . . . . . . . . . . . . . . . . . . . . 2-15
Enabling the AAA Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Configuring AAA for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Creating a Named List for the Enable Mode Authentication . . . . . 2-16
Creating a Named List for User Authentication . . . . . . . . . . . . . . 2-18
Criteria for Failure of Authentication Methods . . . . . . . . . . . . . . 2-19
Assign the Named List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Options for AAA Authentication: Configuring Banners, Messages, and Prompts . . . . . 2-21
Controlling Management Access to the ProCurve Secure RouterContents
Configuring Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Define a Named List for Authorization . . . . . . . . . . . . . . . . . . . . . 2-23
Assign the Named List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Enable Authorization Commands for Console Line . . . . . . . . . . 2-24
Configuring the TACACS+ Server for Accounting . . . . . . . . . . . . . . . 2-25
Configuring a Named List for Accounting . . . . . . . . . . . . . . . . . . 2-25
Assign the Named List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Configure Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Do Not Send Records for Null Users . . . . . . . . . . . . . . . . . . . . . . . 2-27
Configuring a RADIUS Server for Authentication . . . . . . . . . . . . . . . 2-27
Define the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27
Define a Group of RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . 2-29
Configure Global Settings for RADIUS Servers . . . . . . . . . . . . . . 2-30
Configuring the TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Define the TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Creating a TACACS+ Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33
Configure Global Settings for TACACS+ Servers . . . . . . . . . . . . 2-34
Troubleshooting AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
debug aaa Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
Troubleshooting the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36
debug radius Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Troubleshooting the TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Port Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40
Enabling Supplicant Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40
Troubleshooting Supplicant Functionality . . . . . . . . . . . . . . . . . . . . . 2-41
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42
Configure the Enable Mode Password . . . . . . . . . . . . . . . . . . . . . . . . . 2-42
Configure a Password for the Console Access . . . . . . . . . . . . . . . . . . 2-42
Configuring Remote Access to the ProCurve Secure Router . . . . . . 2-43
Configuring an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . 2-43
Configuring a Password for Telnet Access . . . . . . . . . . . . . . . . . . 2-44
Configuring Local User Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45
Configuring AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45
Configuring Authentication with AAA . . . . . . . . . . . . . . . . . . . . . . 2-46
Configuring Authorization with AAA . . . . . . . . . . . . . . . . . . . . . . . 2-46
Configuring the TACACS+ Server for Accounting . . . . . . . . . . . . 2-47
Defining a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
Defining a TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
Enabling 802.1X Supplicant Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
Controlling Management Access to the ProCurve Secure RouterSecuring Management Access to the ProCurve Secure Router
Securing Management Access to the ProCurve Secure Router
The ProCurve Secure Router supports both local and remote management. For local management, you can use a serial cable to attach your PC to the ProCurve Secure Router and establish a console terminal session. For remote management, you have the following options:
■ Telnet
■ Secure Shell (SSH)
■ Web browser interface
You can also establish an FTP session with the router or use secure copy server to copy configuration files to internal or compact flash.
The ProCurve Secure Router allows you to restrict who can use these access methods to manage the router.
Restricting Access to the Enable Mode Context
The first step you should take to protect your WAN is to configure a password for the enable mode context. If you do not configure this password, anyone who has physical access to your router can establish a console terminal session and view or change configurations on the router.
In addition, an enable mode password is required for remote management through a Telnet or SSH session. If you do not create an enable mode password, you may be able to establish a Telnet or SSH session (if the router is configured to permit this access), but you will not be able to move beyond the basic mode context.
To configure an enable mode password, move to the global configuration mode context and enter:
Syntax: enable password [md5] <password>
Replace <password> with any combination of up to 30 characters. Include the Message Digest 5 (md5) option to encrypt the password.
For example, if you want to set the password as procurve, enter:
ProCurve(config)# enable password procurve
Because you did not include the md5 option, the password you entered is stored as clear text and is displayed when you enter the show running-config command, as shown below.
hostname “ProCurve”
enable password procurve
To encrypt the password so that it is not stored as clear text, use the md5 option. From the global configuration mode context, enter:
ProCurve(config)# enable password md5 procurve
The ProCurve Secure Router then uses the MD5 hashing algorithm to encrypt the password so that it is not readable when it is transmitted across the wire or when you display the running-config file. An encrypted password is displayed in the running-config as shown below:
hostname “ProCurveSR7203dl”
enable password md5 encrypted b46f9961af093fdfb9e177eda79
Configuring a Password for Console Access
If possible, you should place the ProCurve Secure Router in a locked room so that unauthorized users do not have physical access to it. Restricting physical access to the router helps prevent malicious or curious users from damaging your WAN or LAN.
You can further protect the ProCurve Secure Router by configuring a password for console access. Then, if someone breaches the physical security you have set up to protect the router, the console password prevents that person from viewing information that is available at the basic mode context. Although the basic mode offers only a limited number of commands, you can still enter show commands and view some configuration information. For example, you can view information about:
■ interfaces
■ event-history
Configuring a password for the console access is a three-step process:
1. Access the console line configuration mode context.
2. Enter the login command, which requires users to provide a password before they can access the ProCurve Secure Router OS through a console session.
3. Enter the password that authorized users must supply when they start a console session.
From the global configuration mode context, enter:
ProCurve(config)# line console 0
The ProCurve Secure Router prompt will show that you are in the console line configuration mode context:
ProCurve(config-con0)#
Enter:
ProCurve(config-con0)# login
ProCurve(config-con0)# password <password>
Replace <password> with any combination of up to 30 characters.
The password you enter is stored as clear text and is displayed when you enter the show running-config command, as shown below.
line con 0
  login
  password procurve
To encrypt the password, use the md5 option. From the global configuration mode context, enter:
ProCurve(config-con0)# password md5 <password>
The ProCurve Secure Router then uses the MD5 hashing algorithm to encrypt the password so that it is not readable when it is transmitted across the wire or when you display the running-config file.
Enabling Remote Access to the ProCurve Secure Router
As mentioned earlier, you can access the ProCurve Secure Router through the Web browser interface, Telnet session, SSH session, or FTP session. To establish this access, you must configure at least one interface, such as an Ethernet interface.
Configuring an Ethernet Interface
This section provides the minimum steps required to configure an Ethernet interface. For more detailed information about configuring an Ethernet interface, see Chapter 3: Configuring Ethernet Interfaces.
1. Use a 10Base-T or 100Base-T cable to connect the Ethernet port to a device (such as a switch) on your LAN.
2. Open your terminal session software and initiate a console session with the ProCurve Secure Router, using the following parameters:
• Baud Rate = 9600
• Parity = None
• Data Bits = 8
• Stop Bits = 1
• Flow Control = None
3. Press Enter when you are prompted to start a session with the router. The router basic mode context prompt appears, as shown below:
ProCurve>
4. Access the enable mode context:
ProCurve> enable
5. Access the global configuration mode context:
ProCurve# configure terminal
6. From the global configuration mode context, enter the Ethernet interface configuration mode context:
ProCurve(config)# interface ethernet 0/<port>
7. Assign the Ethernet interface an IP address.
Syntax: ip address <A.B.C.D> [<subnet mask> | /<prefix-length>]
For example, if you want to assign the Ethernet interface an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0, enter
ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24
8. Activate the Ethernet interface.
ProCurve(config-eth 0/1)# no shutdown
9. Save your configuration.
ProCurve(config-eth 0/1)# do write memory
Configuring Telnet Access
By default, the ProCurve Secure Router requires a login password for Telnet sessions. Unless you configure a password for a Telnet line or disable the login option, no one can establish a Telnet session with the ProCurve Secure Router. This security helps protect your organization against unauthorized users who might try to access your ProCurve Secure Router and damage or get information about your WAN.
In addition to configuring a password for Telnet access, you must configure a password for the enable mode. If you do not configure a password for the enable mode, you can establish a Telnet session and enter the basic mode context. However, you cannot move beyond the basic mode context.
You can configure five Telnet lines, which are numbered 0 to 4. If you configure all five lines, a maximum of five people can establish a Telnet session with the ProCurve Secure Router at one time.
Configuring the Telnet Lines. Configuring Telnet access is a three-step process:
1. Access the Telnet line configuration mode context.
2. Enter the password that authorized users must supply when they start a Telnet session.
3. Configure a password for the enable mode context, if you have not done so already.
From the global configuration mode context, enter the following command:
Syntax: line telnet <0–4>
For example, if you want to configure line 0, enter:
ProCurve(config)# line telnet 0
The ProCurve Secure Router prompt will show that you are in the Telnet line 0 configuration mode context:
ProCurve(config-telnet0)#
You can then enter the password command:
Syntax: password [md5] <password>
The md5 option encrypts the password as it is sent over the wire and when it is stored in the running-config.
For example, if you want to create the password as procurve, enter
ProCurve(config-telnet0)# password md5 procurve
Note: You can also configure an access control list (ACL) to block or limit Telnet access. For instructions on configuring this ACL, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.
Configuring Multiple Telnet Lines at Once. You can also create a password for all Telnet lines at once. Enter:
ProCurve(config)# line telnet 0 4
Entering 0 4 indicates that you are configuring every line from 0 through 4. The router prompt displays the lines you are configuring, as shown below:
ProCurve(config-telnet0–4)#
You can then enter the password command.
Note: If you do not enter a space between 0 and 4, you will configure only line 4. The prompt will be displayed as:
ProCurve(config-telnet04)#
Configuring Multiple Passwords for Telnet Lines. If you have a large IT staff, you may want to configure multiple Telnet lines. You may also want to configure a different password for one Telnet line and reserve that line for your access only.
You should always place the more restrictive password on the configured Telnet line with the highest number due to the way that the ProCurve Secure Router handles Telnet sessions. The router always assigns a remote user to the first available Telnet line, starting with line 0. That is, the first user to initiate a Telnet session connects over Telnet line 0, the second over Telnet line 1, and so forth.
If a user cannot enter the correct password, the router terminates the Telnet session. It does not allow the user to access the next Telnet line. If you place a password that only you know on Telnet line 0, no other user will be able to access the other Telnet lines for which they do know the password—except in the unlikely event that you have already established a Telnet session with the router.
Configuring an Enable Mode Password. To provide access to the enable mode context through a Telnet session, you must configure an enable mode password. If you do not configure an enable mode password, users will receive a message, telling them that no enable mode password is configured, and they will be denied access to the enable mode context.
To configure an enable mode password, move to the global configuration mode context and enter:
Syntax: enable password [md5] <password>
Configuring Timeout Setting for Telnet Access. By default, the ProCurve Secure Router maintains your Telnet session until it has been inactive for 15 minutes. You can configure the number of minutes a line session can remain inactive before the Secure Router OS terminates the session. From the Telnet line configuration mode context, enter:
Syntax: line-timeout <minutes>
Replace <minutes> with a number between 0 and 35791.
To return this setting to the default value, use the no command:
Syntax: no line-timeout <minutes>
Entering 0 will disable the timeout.
Disabling the Login Requirement. If you do not want to require a password for users to establish a Telnet session, you can disable the login option. From the Telnet line configuration mode context, enter:
ProCurve(config-telnet0–4)# no login
Disabling this option is not recommended because it weakens your security and could compromise your entire network. However, if you do disable the login option, you are still required to create an enable mode password to allow users to configure the router through a Telnet session.
Configuring Local User Lists
By default, access to HTTP, SSH, and FTP is controlled through the local user list. To add a username and password to the local user list, enter the following command from the global configuration mode:
Syntax: username <username> password <password>
Both the username and password can be an alphanumerical string up to 30 characters in length.
You can add multiple usernames and passwords to the local user list, and these usernames and passwords can be used for HTTP, SSH, and FTP access.
Encrypting All the Passwords Configured on the Router
By default, the passwords that you enter in the local user list are not encrypted. You can enter one command to encrypt all the passwords configured on the ProCurve Secure Router, including the passwords configured for Telnet and console access. From the global configuration mode context, enter:
ProCurve(config)# service password-encryption
Enabling Access to the Web Browser Interface
In addition to configuring a username and password, you must enable the HTTP server in order to access the Web browser interface. From the global configuration mode context, enter:
ProCurve(config)# ip http server [<TCP port>]
Include the <TCP port> option only if you want to change the port on which the server receives HTTP communications.
If you want to use Secure Sockets Layer (SSL) to protect the communications between your PC and the router, enter:
ProCurve(config)# ip http secure-server [<TCP port>]
Again, include the <TCP port> option only if you want to customize the port on which the HTTP server receives and sends communications.
After you configure a username and password for the local user list and enable the HTTP server, you can access the Web browser interface. Make sure that your workstation is on a network segment that is connected to the ProCurve Secure Router. Then, open an Internet browser and enter the IP address assigned to the Ethernet interface. For example, if the IP address of the Ethernet interface is 192.168.1.1, enter:
http://192.168.1.1
If you have enabled the HTTP secure server, enter:
https://192.168.1.1
When prompted, enter a username and password that you configured in the local user list.
Managing SSH Communications
With Telnet, communications between the server and your PC are sent over the wire in clear text. If you want to encrypt these communications, you can use SSH instead.
The SSH server on the ProCurve Secure Router is enabled by default. After you configure a username and password in the local user list, you can enter that username and password to access the router through SSH.
The ProCurve Secure Router supports up to five SSH lines, which are numbered 0 to 4. If you configure a username and password in the local user list, a maximum of five people can establish an SSH session with the ProCurve Secure Router at one time.
You can configure timeout settings for SSH lines just as you configure timeout settings for Telnet lines. First, move to the SSH line configuration mode context by entering the following command from the global configuration mode context:
Syntax: line ssh <0–4>
To access all the SSH lines at once, enter:
ProCurve(config)# line ssh 0 4
By default, ProCurve Secure Router maintains your SSH session until it has been inactive for 15 minutes. To configure the number of minutes an SSH session can remain inactive before the Secure Router OS terminates the session, enter the following command from the SSH line configuration mode context:
Syntax: line-timeout <minutes>
Replace minutes with a number between 0 and 35791.
To return this setting to the default value, use the no command:
Syntax: no line-timeout <minutes>
Entering 0 will disable the timeout.
Note: If you want to use an ACL to restrict SSH access, you apply this ACL at the SSH line configuration mode context. For more information, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.
Using FTP to Access the Router
After you add one username and password to the local user list, you can use FTP to access the router. You can then copy configuration files to and from the router’s compact flash or internal flash. If you want to encrypt these files as they are copied to and from the router, see “Enabling Secure Copy Server” on page 2-13.
Using the Local User List for Console or Telnet Access
You can configure the ProCurve Secure Router to use the usernames and passwords you configure from the global configuration mode context to control access to console terminal, SSH, or Telnet sessions. To use these passwords for console terminal sessions, move to the console configuration mode context and enter:
ProCurve(config-con0)# login local-userlist
By default, no login password is required for console terminal sessions.
To use these passwords for SSH or Telnet access, move to the appropriate line configuration mode context and enter the same command:
ProCurve(config-ssh0–4)# login local-userlist
ProCurve(config-telnet0–4)# login local-userlist
Enabling Secure Copy Server
You can enable the secure copy (SCP) server, so that files are encrypted as they are copied to and from the ProCurve Secure Router. You use the SCP server in conjunction with SSH so that the user trying to access the server is authenticated and the data transmitted is encrypted.
To enable the SCP server, enter the following command from the global configuration mode context:
Syntax: ip scp server
To disable the SCP server, enter:
Syntax: no ip scp server
Viewing Information about Users
At any time, you can view information about the users who are accessing the ProCurve Secure Router through the console, Telnet, SSH, FTP, and Web browser interface. From the enable mode context, enter:
ProCurve# show users
Figure 2-1 shows the type of information that is displayed when you enter this command. You can view the username that the user entered to obtain access, the type of access (such as console or Telnet), and the time the connection has been idle. For Telnet, SSH, FTP, and Web access, you can also view the IP address of the device from which the user obtained access.
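The following Python example is an addition to this guide, not router code: it parses session lines in the format shown in Figure 2-1 and lists the ones an administrator would want to review (sessions over Telnet, FTP or HTTP, which cross the wire unencrypted; logins that show no individual username; long-idle enable-mode sessions). The two Figure 2-1 lines are used as input; the SSH and FTP lines, the regular expression, and the idle threshold are constructed, and the treatment of 'password-only' as a line-password login is an inference from the figure.

```python
"""Parse `show users` output (format as shown in Figure 2-1) and flag
sessions worth a second look. Added example; the line format is taken
from the two sample lines in the figure, not from router documentation."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two lines from Figure 2-1 plus two constructed
# lines (an SSH session in enable mode and an FTP session not in enable mode).
SAMPLE_OUTPUT = """\
- CONSOLE 0 'password-only' logged in and enabled Idle for 00:00:00
- TELNET 0 (192.168.20.25:1029) 'geoff' logged in and enabled Idle for 00:00:09
- SSH 1 (10.0.0.7:50211) 'audit' logged in and enabled Idle for 00:12:30
- FTP 0 (10.0.0.9:4021) 'backup' logged in Idle for 00:00:02
"""

# One session per line: "- <ACCESS> <line> [(ip:port)] '<user>' logged in
# [and enabled] Idle for hh:mm:ss". The address group is optional because
# console sessions carry no remote address.
LINE_RE = re.compile(
    r"^-\s+(?P<access>[A-Z]+)\s+(?P<line>\d+)"
    r"(?:\s+\((?P<ip>[\d.]+):(?P<port>\d+)\))?"
    r"\s+'(?P<user>[^']*)'\s+logged in(?P<enabled>\s+and enabled)?"
    r"\s+Idle for (?P<idle>\d{2}:\d{2}:\d{2})\s*$"
)

# Access methods whose credentials and traffic are sent in clear text.
CLEARTEXT = {"TELNET", "FTP", "HTTP"}


@dataclass
class Session:
    access: str
    line: int
    user: str
    enabled: bool
    idle_seconds: int
    ip: Optional[str] = None
    port: Optional[int] = None


def parse_idle(hms: str) -> int:
    """Convert the hh:mm:ss idle time to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_users(text: str) -> List[Session]:
    """Return one Session per recognised line; other lines are ignored."""
    sessions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sessions.append(Session(
            access=m["access"],
            line=int(m["line"]),
            user=m["user"],
            enabled=m["enabled"] is not None,
            idle_seconds=parse_idle(m["idle"]),
            ip=m["ip"],
            port=int(m["port"]) if m["port"] else None,
        ))
    return sessions


def review(sessions: List[Session], idle_limit: int = 600) -> List[str]:
    """Findings an administrator would check (idle_limit is a constructed threshold)."""
    findings = []
    for s in sessions:
        where = f"{s.access} {s.line}"
        if s.access in CLEARTEXT:
            findings.append(f"{where}: '{s.user}' from {s.ip} uses a cleartext protocol")
        if s.user == "password-only":
            findings.append(f"{where}: line-password login, no individual username to audit")
        if s.enabled and s.idle_seconds >= idle_limit:
            findings.append(f"{where}: enable-mode session idle for {s.idle_seconds}s")
    return findings


if __name__ == "__main__":
    for finding in review(parse_show_users(SAMPLE_OUTPUT)):
        print(finding)
```

Feed the function the text of `show users` captured over SSH or from the console; anything that does not match the session pattern (headers, blank lines) is skipped rather than guessed at.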
Figure 2-1. Viewing the Users Who Are Accessing the Router Through the Console, Telnet, SSH, FTP, and Web Browser Interface
- CONSOLE 0 'password-only' logged in and enabled Idle for 00:00:00
- TELNET 0 (192.168.20.25:1029) 'geoff' logged in and enabled Idle for 00:00:09
Using the AAA Subsystem to Control Management Access
Authentication, authorization, and accounting (AAA) is an industry standard for controlling:
■ which users can access a system (authentication)
■ what they can do once they are granted access (authorization)
■ what is recorded about their activities (accounting)
The AAA subsystem on the ProCurve Secure Router currently supports:
■ authentication methods configured on the router itself
■ authentication through Remote Authentication Dial-In User Service (RADIUS) servers
■ authentication, authorization, and accounting through TACACS+ servers
Advantages of Using the AAA Subsystem
The AAA subsystem provides more flexibility than simple password-based authentication. If you enable the AAA subsystem, you can configure a list of authentication methods for the enable mode and for each access method. For example, you could configure a list of authentication methods for Telnet access or for SSH access. The authentication methods include:
■ the Telnet password
■ the enable mode password
■ the local userlist
■ a RADIUS server
■ a TACACS+ server
You configure the list of authentication methods in the order in which you want them used. Then, if one method fails, the next method is used. (For information about what constitutes a failure, see “Criteria for Failure of Authentication Methods” on page 2-19.)
The AAA subsystem allows you to use a standard authentication method across your entire network. If you are using a RADIUS server or a TACACS+ server to authenticate network services and applications, you can use this same server to authenticate management access to the ProCurve Secure Router.
In addition to controlling management access, the AAA subsystem can be used to authenticate VPN users when Xauth is configured. (For more information about Xauth, see the ProCurve Secure Router Advanced Management and Configuration Guide, Chapter 8: Virtual Private Networks.)
The AAA subsystem also strengthens your WAN security by supporting authorization and accounting for management access to the ProCurve Secure Router. Enforced through a TACACS+ server, authorization and accounting go beyond password authentication to ensure that only authorized users perform management functions and to provide a record of the configuration commands entered.
Enabling the AAA Subsystem
By default, the AAA subsystem is disabled. To enable it, move to the global configuration mode context and enter:
ProCurve(config)# aaa on
After you enable the AAA subsystem, the complete set of AAA commands becomes available in the ProCurve Secure Router OS. For example, you can then configure AAA-based authentication, authorization, and accounting for SSH lines. The AAA authentication settings that you configure override any other authentication settings you have configured.
Configuring AAA for Authentication
Configuring AAA for authentication involves the following steps:
1. Create a list of authentication methods, called a named list. You can create a named list for the enable mode and a named list for each access method.
2. Assign the named list to the console line, Telnet lines, SSH lines, FTP server, or HTTP server. You do not have to complete this step to configure AAA authentication methods for the enable mode.
3. Configure the RADIUS or TACACS+ server if you want to use one of these servers to authenticate VPN users or users who try to manage the ProCurve Secure Router. (To learn how to configure these servers, see “Define the RADIUS Server” on page 2-27 and “Define the TACACS+ Server” on page 2-31.)
Creating a Named List for the Enable Mode Authentication
To create a named list for the enable mode, you must determine the authentication methods you want to use and the order in which you want the authentication methods applied. From the global configuration mode context, enter:
Syntax: aaa authentication enable default {none | line | enable | [group <groupname> | radius | tacacs+]}
The options you can select for the enable mode context are listed in Table 2-1:
Table 2-1. Authentication Options for the Enable Named List
Option: Meaning
none: No password is required.
line: Use the password configured for the Telnet line or the console.
enable: Use the password configured for the enable mode context.
group [<groupname> | radius | tacacs+]: Use one of the following: a group of RADIUS or TACACS+ servers that you have configured; all the RADIUS servers that you have defined (if you have not defined a group of RADIUS servers); all the TACACS+ servers that you have defined (if you have not defined a group of TACACS+ servers).
For example, you may decide that when a user attempts to access the enable mode context, you want the ProCurve Secure Router to use the following authentication methods, in the order they are listed:
■ TACACS+
■ enable
You would enter:
ProCurve(config)# aaa authentication enable default group tacacs+ enable
If you enter this command, the ProCurve Secure Router will first try to authenticate the user through the TACACS+ server. If the TACACS+ server does not respond, the ProCurve Secure Router will prompt the user to enter the enable mode password and will check the password that the user enters against the enable mode password you configured.
For the enable mode password, you do not have to enter another command to apply the named list. If you are using a RADIUS or TACACS+ server as an authentication method, you must configure the ProCurve Secure Router to locate and communicate with that server. For information about the configuration required for a RADIUS server, see “Configuring a RADIUS Server for Authentication” on page 2-27. For information about the configuration required for a TACACS+ server, see “Define the TACACS+ Server” on page 2-31.
Note: If you enable the AAA subsystem but do not configure a named list for the enable mode, the Secure Router OS uses the enable mode password by default.
Creating a Named List for User Authentication
To create a named list for user authentication, you must determine the authentication methods you want to use and the order in which you want the authentication methods applied. From the global configuration mode context, enter:
Syntax: aaa authentication login <listname> {none | line | enable | [group <groupname> | radius | tacacs+]}
Replace <listname> with the name you want to give the named list you create.
The options you can select to authenticate users are listed in Table 2-2:
Table 2-2. Authentication Options for Named Lists
Option: Meaning
none: No password is required.
line: Use the password configured for the line or the console.
enable: Use the password configured for the enable mode context.
local: Use the local user database (which is defined on the router).
group [<groupname> | radius | tacacs+]: Use one of the following: a group of RADIUS or TACACS+ servers that you have configured; all the RADIUS servers that you have defined (if you have not defined a group of RADIUS servers); all the TACACS+ servers that you have defined (if you have not defined a group of TACACS+ servers).
There is one difference between the list of options for the enable mode and the list of options for authenticating users: the local user database is not an option for the enable mode.
For example, when you configure a named list for user authentication, you may want to call this list UserLogin. You may also decide to use the following authentication methods:
■ enable password
■ line password
■ local user database
In this case, you would enter:
ProCurve(config)# aaa authentication login UserLogin enable line local
Note: If you select the enable password as an authentication method for an access method that requires a username, the username is, by default, $enab15$. You can change this username for RADIUS servers when you enter the radius-server command, as explained in “Define the RADIUS Server” on page 2-27.
If no enable password has been defined, the AAA subsystem moves to the line username and password. If no username and password have been defined for the line, the AAA subsystem moves to the local user database and tries to match the username and password that the user enters to a username and password in that database.
Criteria for Failure of Authentication Methods
The AAA subsystem skips an authentication method if the method itself fails. However, if a user fails to enter the correct password, that user is denied access to the router. The user failed in his or her attempt to authenticate; the authentication method did not fail.
The ProCurve Secure Router uses the following criteria to determine if an authentication method failed:
■ Line and enable passwords fail if no line or enable passwords are configured.
■ RADIUS or TACACS+ servers fail if the ProCurve Secure Router tries to communicate with them but they do not respond.
■ The local user list fails if the given user is not listed in the database.
For example, if you configure the authentication methods with RADIUS as the first option and the RADIUS server goes down, the AAA subsystem tries the next authentication method you configured. If you listed the local user list after the RADIUS server, the AAA subsystem will use that authentication method next.
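The distinction this section draws (a method that fails is skipped, a user who fails is denied) is easy to get wrong when designing a named list, so the following Python model is added here as an illustration. It is not router code: it applies the failure criteria listed above to each method in turn, using constructed stand-ins for the local user list and for RADIUS and TACACS+ servers (a server that "does not respond" is modelled as absent). The guide does not say what happens when every method in a list is skipped; the model denies access in that case, and that is an assumption.

```python
"""Model of AAA method-list evaluation following "Criteria for Failure of
Authentication Methods". Added example, not router code. Decisions:
'accept' = user authenticated; 'reject' = user supplied bad credentials
(walk stops); 'skip' = the method itself failed (next method is tried)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Username the router substitutes when the enable method is used for an
# access method that requires a username (see the Note above).
ENABLE_USERNAME = "$enab15$"


@dataclass
class Router:
    enable_password: Optional[str] = None
    line_password: Optional[str] = None
    local_users: Dict[str, str] = field(default_factory=dict)   # local user list
    # Constructed stand-ins for external servers: None means the server does
    # not respond; otherwise a dict of the credentials that server accepts.
    radius_users: Optional[Dict[str, str]] = None
    tacacs_users: Optional[Dict[str, str]] = None


def try_method(method: str, router: Router, username: str, password: str) -> str:
    """Apply one authentication method and return 'accept', 'reject' or 'skip'."""
    if method == "none":
        return "accept"                       # no password required
    if method == "line":
        if router.line_password is None:
            return "skip"                     # no line password configured: method fails
        return "accept" if password == router.line_password else "reject"
    if method == "enable":
        if router.enable_password is None:
            return "skip"                     # no enable password configured: method fails
        return "accept" if password == router.enable_password else "reject"
    if method == "local":
        if username not in router.local_users:
            return "skip"                     # user not in the local list: method fails
        return "accept" if router.local_users[username] == password else "reject"
    if method in ("group radius", "group tacacs+"):
        db = router.radius_users if method == "group radius" else router.tacacs_users
        if db is None:
            return "skip"                     # server did not respond: method fails
        # The server answered, so its verdict is final for this attempt.
        return "accept" if db.get(username) == password else "reject"
    raise ValueError(f"unknown authentication method {method!r}")


def authenticate(methods: List[str], router: Router,
                 username: str, password: str) -> Tuple[str, Optional[str]]:
    """Walk the named list in order; return (decision, method that decided)."""
    for method in methods:
        result = try_method(method, router, username, password)
        if result != "skip":
            return result, method
    return "reject", None      # assumption: an exhausted list denies access


if __name__ == "__main__":
    r = Router(local_users={"geoff": "g-pw"}, radius_users=None)   # RADIUS down
    print(authenticate(["group radius", "local"], r, "geoff", "g-pw"))
```

Two consequences worth checking against your own lists: a server that is reachable and rejects the user ends the walk, so a later `local` entry is never consulted; and `none` placed after an unreachable server admits anyone, including usernames the local list has never heard of, for as long as the server is down.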
Assign the Named List
After you configure a named list, you must assign the list to the specific access method. To assign a list to the console, Telnet, or SSH lines, move to the appropriate line configuration mode context and enter:
Syntax: login authentication <named list>
For example, to assign ListA to the console line, enter:
ProCurve(config)# line console 0
ProCurve(config-con0)# login authentication ListA
To assign ListA to the Telnet 0 line, enter:
ProCurve(config)# line telnet 0
ProCurve(config-telnet0)# login authentication ListA
To assign ListA to all of the SSH lines, enter:
ProCurve(config)# line ssh 0 4
ProCurve(config-ssh0-4)# login authentication ListA
For FTP and HTTP access, you assign the list from the global configuration mode context. If you want to assign a named list to control FTP access, enter:
Syntax: ftp authentication <named list>
If you want to assign a named list to control Web access, enter the following command from the global configuration mode context:
Syntax: ip http authentication <named list>
No Named List Assigned. If you enable the AAA subsystem but do not configure a named list and assign it to an access method (console, Telnet, FTP, SSH, or HTTP), the ProCurve Secure Router handles authentication as outlined in Table 2-3.
Table 2-3. Default Action if No Named List Is Configured
Access: Authentication Method
console access: no password required
Telnet access: Telnet password
FTP access: local user list
HTTP access: local user list
SSH access: local user list
Options for AAA Authentication: Configuring Banners, Messages, and Prompts
To help users log in to the ProCurve Secure Router successfully, you can customize the following:
■ banner
■ message that is displayed when a login attempt fails
■ password prompt
■ username prompt
To configure these displays, you use the following command syntax:
Syntax: aaa authentication [banner | fail-message | password-prompt | username-prompt]
Configuring a Banner. A banner is displayed before a user attempts to log in to the router. By default, the following banner is displayed:
User Access Verification
To configure a banner, move to the global configuration mode context and enter the aaa authentication banner command followed by any character that signals the beginning of the banner text. For example, you might enter the @ character, as shown below:
ProCurve(config)# aaa authentication banner @
You can then type the banner that you want to display. For example, you might enter:
Only authorized users allowed @
To end the banner, you must enter the same character that you used to signal the beginning of the banner.
Configuring a Fail Message. A fail message is displayed if a user attempts to log in to the router and fails. By default, the fail message is:
Authentication Failed
To customize a fail message, move to the global configuration mode context and enter the aaa authentication fail-message command followed by a character that signals the beginning of the message that you want to display. For example, you might enter the @ character or even the !, as shown below:
ProCurve(config)# aaa authentication fail-message !
Then type the message you want to be displayed if a login attempt fails. After entering the message, enter the same character you used to signal the beginning of the fail message. In the example above, you would enter the ! character.
Configuring a Username or Password Prompt. By default, the ProCurve Secure Router displays the following prompts to help users log in to the router:
Username:
Password:
To customize the username prompt, move to the global configuration mode context and enter:
Syntax: aaa authentication username-prompt <prompt>
Replace <prompt> with the word you want displayed when users attempt to log in. For example, if you want the prompt to be User, enter:
ProCurve(config)# aaa authentication username-prompt User
To customize the password prompt, move to the global configuration mode context and enter:
Syntax: aaa authentication password-prompt <prompt>
Replace <prompt> with the word you want displayed when users attempt to log in. For example, if you want the prompt to be Secret, enter:
ProCurve(config)# aaa authentication password-prompt Secret
Configuring Authorization
After you enable the AAA subsystem, you can use a TACACS+ server to control not only who can access the Secure Router OS but also who can actually enter unprivileged or privileged commands. That is, you can determine which users are authorized to configure the router from the basic or enable mode context.
Configuring authorization through the TACACS+ server involves the following steps:
1. Define a named list for authorization.
2. Assign the named list to a line configuration mode context.
If you want to enforce authorization for console sessions, you must also enable authorization for the console line.
Of course, the AAA subsystem must be enabled, and the TACACS+ server must be defined. (See “Define the TACACS+ Server” on page 2-31.)
Define a Named List for Authorization
You must define a named list for authorization, just as you define a named list for authentication. In this named list, you specify if users are authorized to enter commands from the basic or enable mode context. You also define the TACACS+ servers that will handle the authorization request.
To define a named list for authorization, enter the following command from the global configuration mode context:
Syntax: aaa authorization commands [1 | 15] [default | <named list>] group [tacacs+ | <group name>] [if-authenticated | none]
Include 1 or 15 to specify the level of commands for which you want to configure authorization: 1 is unprivileged access, which is the basic mode, and 15 is privileged access, which is the enable mode.
Specify the default authorization list or replace <named list> to create a named list.
Use the group tacacs+ option to specify the default group of TACACS+ servers. Use the group <group name> if you have created a group of TACACS+ servers.
Include the if-authenticated option to authorize authenticated users. Use the none option to grant access immediately. You may want to enter none as a second option. That way, if the ProCurve Secure Router cannot contact the TACACS+ server, you will still be able to configure the router.
For example, to allow authenticated users to configure the router from the enable mode context, enter:
ProCurve (config)# aaa authorization commands 15 default group tacacs+ if-authenticated
After you create a named list for authorization, you must assign it to an access method, such as a Telnet or SSH line.
Assign the Named List
To assign the named list to a console, Telnet, or SSH line, you must move to the line configuration mode context. To completely enforce this security measure, you must ensure that you assign the named list to all of the Telnet or SSH lines that you have enabled. For example, if you have enabled all five Telnet lines, you must assign the named list to all five lines.
From the appropriate line configuration mode context, enter:
Syntax: authorization commands [1 | 15] [default | <named list>]
Enter 1 to grant access to the basic mode, or enter 15 to grant access to the enable mode.
Enter default to assign the default list, or replace <named list> with the list that you have created.
For example, you might create a named list called Authorize and then assign it to all of the Telnet lines. You might also include the 15 option because you want this named list to control who can enter commands from the enable mode context. From the global configuration mode context, enter:
ProCurve (config)# line telnet 0 4
ProCurve (config-telnet04)# authorization commands 15 Authorize
Enable Authorization Commands for Console Line
If you want to configure authorization commands for the console line, you must enable this capability. From the global configuration mode context, enter:
Syntax: aaa authorization console
Note: Take care when you configure authorization for the console line. If you are not careful, you may prohibit yourself from entering commands from the console.
To disable authorization through the console line, enter:
Syntax: no aaa authorization console
By default, authorization commands can be configured for the enable mode context. To disable authorization for the enable mode context, enter the following command from the global configuration mode context:
Syntax: no aaa authorization config-command
To re-instate this capability, enter:
Syntax: aaa authorization config-command
Configuring the TACACS+ Server for Accounting
You can track which users access the ProCurve Secure Router and the configuration changes those users make. When you configure AAA accounting on the ProCurve Secure Router, it will send configuration information to the TACACS+ server you specify.
Configuring accounting involves the following steps:
1. Configure a named list.
2. Apply the named list.
Of course, the AAA subsystem must be enabled, and the TACACS+ server must be defined. (See “Define the TACACS+ Server” on page 2-31.)
Configuring a Named List for Accounting
Once again, you create a named list to configure accounting on the ProCurve Secure Router. This named list determines:
■ what information is sent to the TACACS+ server
■ which TACACS+ server the information is sent to
■ when the information is sent
Syntax: aaa accounting commands [1 | 15] [default | <named list>] [none | stop-only] group [tacacs+ | <group name>]
Specify the level of commands for which you want to generate accounting: 1 is unprivileged access, which is the basic mode, and 15 is privileged access, which is the enable mode.
Specify the default accounting list or replace <named list> to create an accounting list.
Include the stop-only option if you want an accounting record to be generated when the user ends his or her session. Include the none option if you do not want an accounting record generated. For example, you may not want any records generated if a user enters a command at the basic mode context.
Include the group tacacs+ option if you want the ProCurve Secure Router to send the accounting information to the default group of TACACS+ servers. Replace group <groupname> with a group that you created. You can specify more than one group.
Assign the Named List
To assign the named list to a console, Telnet, or SSH line, you must move to the appropriate line configuration mode context. If you want to record configuration activities for all Telnet and SSH lines, you must ensure that you assign the named list to all of the Telnet or SSH lines that you have enabled. For example, if you have enabled all five Telnet lines, you must assign the named list to all five lines.
From the appropriate line configuration mode context, enter:
Syntax: accounting commands [1 | 15] [default | <named list>]
For example, you might create a named list called Account and then assign it to all of the Telnet lines. You might also include the 15 option because you want this named list to record information about the commands entered from the privileged mode. From the global configuration mode context, enter:
ProCurve (config)# line telnet 0 4
ProCurve (config-telnet04)# accounting commands 15 Account
Configure Update Settings
You can configure when the ProCurve Secure Router sends updates to the TACACS+ server. To configure updates, enter the following command from the global configuration mode context:
Syntax: aaa accounting update [newinfo | periodic <minutes>]
Include newinfo if you want all new records sent immediately, or include periodic if you want the records sent at specific intervals. If you specify periodic, replace <minutes> with a number between 1 and 2147483647.
Do Not Send Records for Null Users
By default, the ProCurve Secure Router does not send accounting information for the null usernames. Null usernames are any users that the TACACS+ system cannot identify. For example, if you do not control access to the console line through the TACACS+ servers, users who access and make changes through the console line will not be known to the TACACS+ server. The ProCurve Secure Router will not send information about such users to the TACACS+ server unless you change this default setting. To do so, enter:
Syntax: no aaa accounting suppress null-username
Configuring a RADIUS Server for Authentication
In order to use a RADIUS server in a named list, you must configure the Secure Router OS to locate and contact that RADIUS server. If your network includes multiple RADIUS servers, you can add these servers to the default group of RADIUS servers or define a group of RADIUS servers. In addition, you can configure specific settings for each RADIUS server, or you can configure global settings for all of the RADIUS servers you define.
Define the RADIUS Server
The ProCurve Secure Router must be able to locate and communicate with the RADIUS server. (See Figure 2-2.)
Figure 2-2. Using a RADIUS Server for Authenticating Users Who Want to Manage the ProCurve Secure Router
[Figure labels: Core switch, RADIUS server, Edge switch, ProCurve Secure Router, Edge switch]
To set up this communication, you must specify the IP address of the RADIUS server. Enter the following command from the global configuration mode context:
Syntax: radius-server host <A.B.C.D | hostname> [acct-port <port number> | auth-port <port number> | retransmit <number> | timeout <seconds> | key <key>]
To define the RADIUS server, you simply enter the first part of the command:
Syntax: radius-server host <A.B.C.D | hostname>
Either replace <A.B.C.D> with an IP address or replace <hostname> with the RADIUS server’s host name. For example, if your RADIUS server has the IP address of 192.168.115.5, enter:
ProCurve(config)# radius-server host 192.168.115.5
You can also configure other settings—such as the authentication port and the shared key—for the RADIUS server. Table 2-4 lists the available options.
Table 2-4. Customizing Settings for Individual RADIUS Servers
Option: Meaning (default value)
acct-port <port number>: configures the router to send accounting requests to the port you specify (default: acct-port 1813)
auth-port <port number>: configures the router to send authentication requests to the port you specify (default: auth-port 1812)
retransmit <attempts>: specifies the number of times the router tries to contact the RADIUS server after the timeout expires (default: global RADIUS setting)
timeout <seconds>: specifies the number of seconds the router waits if it does not receive a response from the RADIUS server (default: global RADIUS setting)
key <key>: defines the shared key the router uses to authenticate to the RADIUS server (default: none)
For example, you might enter:
ProCurve(config)# radius-server host 192.168.115.5 acct-port 1646 key secret
After you define a RADIUS server, that server is added to the router’s default RADIUS group. If you define a second RADIUS server, it is added to the default group, and the Secure Router OS contacts the servers in the order in which you entered them. Once you define the RADIUS servers in the default group, this order cannot be changed.
If you want to change the order in which the Secure Router OS contacts the RADIUS servers, you should create a RADIUS server group, as described in the next section.
Define a Group of RADIUS Servers
To define a group of RADIUS servers, enter the following command from the global configuration mode context:
Syntax: aaa group server radius <groupname>
Replace <groupname> with a name that is meaningful to you.
For example, the following command creates a group called myServers and enters the RADIUS group configuration mode context:
ProCurve(config)# aaa group server radius myServers
ProCurve(config-sg-radius)#
From this context, use the following command to add RADIUS servers to the group:
Syntax: server <hostname | A.B.C.D>
Either replace <hostname> with the RADIUS server’s hostname or replace <A.B.C.D> with the RADIUS server’s IP address.
The following examples add servers to the myServers group:
ProCurve(config)# aaa group server radius myServers
ProCurve(config-sg-radius)# server 1.2.3.4 auth-port 1812
ProCurve(config-sg-radius)# server 4.3.2.1
ProCurve(config-sg-radius)# exit
or
ProCurve(config)# aaa group server radius myServers
ProCurve(config-sg-radius)# server 2.2.2.2
ProCurve(config-sg-radius)# exit
You must use the radius-server command to define RADIUS servers before you can add them to a group. If a server is added to a named group but is not defined by a radius-server command, the router simply bypasses that server in the list.
Empty RADIUS groups are not saved. When the last server is removed from a group, the Secure Router OS automatically deletes the group.
Configure Global Settings for RADIUS Servers
You can configure global settings that will be applied to all RADIUS servers defined on the router. However, if you configure specific settings for a RADIUS server, these settings will override the global settings.
To configure global settings, you use the radius-server command, but you do not specify a particular server. Instead, you use the following command syntax:
Syntax: radius-server [challenge-noecho | deadtime <minutes> | enable-username <name> | key <key> | retry <attempts> | timeout <seconds>]
You must enter this command from the global configuration mode context. Table 2-5 lists all the options and what they do.
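The timeout, retry and deadtime settings decide how long a login hangs when a RADIUS server is down and when the router gives that server another chance. The following Python model is an added illustration written for this page, not Secure Router OS code; it assumes that an unreachable server is tried retry (or its own retransmit) times, each try waiting timeout seconds, and is then skipped for deadtime minutes. The default values are those listed in Table 2-5 (5 seconds, 3 attempts, 1 minute).

```python
"""Added illustration of how the global RADIUS settings (timeout, retry,
deadtime) and the per-server overrides (timeout, retransmit) shape failover
between the servers of a group.

This is not Secure Router OS code. The attempt accounting is an assumption:
each unreachable server is tried 'retry' (or its own 'retransmit') times,
each try waiting 'timeout' seconds, and is then marked dead for 'deadtime'
minutes, after which it is tried again.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    host: str
    reachable: bool                   # constructed: does this server answer at all?
    timeout: Optional[int] = None     # per-server "timeout <seconds>" override
    retransmit: Optional[int] = None  # per-server "retransmit <attempts>" override
    dead_until: float = 0.0           # simulation clock value until which the server is skipped


@dataclass
class GlobalSettings:
    timeout: int = 5   # radius-server timeout, default 5 seconds (Table 2-5)
    retry: int = 3     # radius-server retry, default 3 attempts (Table 2-5)
    deadtime: int = 1  # radius-server deadtime, default 1 minute (Table 2-5)


def effective(srv: RadiusServer, settings: GlobalSettings) -> Tuple[int, int]:
    """Per-server settings override the global ones; otherwise the global value applies."""
    timeout = srv.timeout if srv.timeout is not None else settings.timeout
    attempts = srv.retransmit if srv.retransmit is not None else settings.retry
    return timeout, attempts


def authenticate(servers: List[RadiusServer], settings: GlobalSettings,
                 now: float) -> Tuple[Optional[str], float]:
    """Walk the group in configured order. Returns (host that answered or None,
    seconds the login waited). Servers inside their deadtime are skipped at no cost."""
    waited = 0.0
    for srv in servers:
        if srv.dead_until > now:
            continue
        timeout, attempts = effective(srv, settings)
        if srv.reachable:
            return srv.host, waited
        waited += attempts * timeout
        srv.dead_until = now + waited + settings.deadtime * 60
    return None, waited


def worst_case_delay(servers: List[RadiusServer], settings: GlobalSettings) -> int:
    """Seconds a login hangs when every server is unreachable and none is yet marked dead."""
    return sum(t * a for t, a in (effective(s, settings) for s in servers))


def failover_demo():
    """Primary down, secondary up, with the Table 2-5 defaults."""
    settings = GlobalSettings()
    group = [RadiusServer("1.2.3.4", reachable=False),
             RadiusServer("4.3.2.1", reachable=True)]
    first = authenticate(group, settings, now=0.0)     # 3 x 5 s on the dead primary, then secondary
    second = authenticate(group, settings, now=30.0)   # primary still inside deadtime: no wait
    third = authenticate(group, settings, now=120.0)   # deadtime expired: primary probed again
    return first, second, third


if __name__ == "__main__":
    for result in failover_demo():
        print(result)
    print(worst_case_delay([RadiusServer("1.2.3.4", False), RadiusServer("4.3.2.1", False)],
                           GlobalSettings(timeout=2, retry=4)))
```

With the defaults, a user whose primary server is down waits 15 seconds before the secondary answers; the example configuration on this page (timeout 2, retry 4) cuts that to 8 seconds per dead server but raises deadtime to 10 minutes, so a server that was briefly unreachable stays out of rotation for longer.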
Table 2-5. Global Settings for RADIUS Servers
Option | Meaning | Default Value
challenge-noecho | disables echoing of the user's challenge entry, so the text of the response is hidden as it is typed (without this option, users see the text of their response as they type it) | on
deadtime <minutes> | specifies how long a RADIUS server is considered “dead” if a timeout occurs; the router will not contact the server again until the deadtime expires | 1 minute
enable-username <name> | specifies a username to be used for enable authentication | $enab15$
key <key> | specifies the shared key to use with RADIUS servers | none
retry <attempts> | specifies how many times the ProCurve Secure Router tries to contact a RADIUS server before marking it as “dead” | 3
timeout <seconds> | specifies how long to wait for a RADIUS server to respond to a request | 5 seconds
The following is an example configuration for global RADIUS settings:
ProCurve(config)# radius-server challenge-noecho
ProCurve(config)# radius-server deadtime 10
ProCurve(config)# radius-server timeout 2
ProCurve(config)# radius-server retry 4
ProCurve(config)# radius-server key my secret key
Configuring the TACACS+ Server
In addition to supporting authentication, the ProCurve Secure Router supports authorization and accounting with TACACS+ servers. If you want to use a TACACS+ server to authenticate, authorize, or keep track of users who want to manage the ProCurve Secure Router, you must first define the TACACS+ server.
Define the TACACS+ Server
In order to authenticate, authorize, and track users who try to access the ProCurve Secure Router, the TACACS+ server must be able to communicate with the router. (See Figure 2-3.)
Figure 2-3. Using a TACACS+ Server for Authenticating Users Who Want to Manage the ProCurve Secure Router
To enable this communication, you must configure the IP address or host name of the TACACS+ server. From the global configuration mode context, enter:
Syntax: tacacs-server host <A.B.C.D | hostname>
Either replace <A.B.C.D> with an IP address or replace <hostname> with the TACACS+ server’s host name. For example, if the TACACS+ server has the IP address 192.168.7.1, enter:
ProCurve(config)# tacacs-server host 192.168.7.1
After you define a TACACS+ server, that server is added to the router’s default TACACS+ group. If you define a second TACACS+ server, it is added to the default group, and the Secure Router OS contacts the servers in the order in which you entered them. After you define TACACS+ servers, you cannot change the order in which TACACS+ servers are listed in the default group. (Instead, you would have to delete servers by entering the no tacacs-server host command and then redefine them in the order you want them used.)
If you want to change the order in which the Secure Router OS contacts the TACACS+ servers, you can create a TACACS+ server group, as described in “Creating a TACACS+ Group” on page 2-33.
[Figure 2-3 labels: Core switch, TACACS+ server, Edge switch, ProCurve Secure Router, Edge switch]
You can use the complete tacacs-server command to configure other settings for a TACACS+ server, as shown below:
Syntax: tacacs-server host <A.B.C.D | hostname> [port <number> | timeout <seconds> | key <key>]
You can enter all of the options with one command if you include them in the order shown above. Table 2-6 lists these options and provides a brief explanation for each one.
Table 2-6. Customizing Settings for TACACS+ Servers
Option | Meaning | Default Value
port <number> | Specifies the TCP port number to be used when connecting to the TACACS+ server. You can enter a number between 1 and 65535. | 49
timeout <seconds> | Specifies the period of time (in seconds) that the router waits for a response before it declares an error. You can specify a number between 1 and 1000. This option overrides any time you set with the tacacs-server timeout command. For more information about that command, see “Configure Global Settings for TACACS+ Servers” on page 2-34. | 5
key <key> | Specifies the shared secret for the TACACS+ server. This option overrides any key specified with the tacacs-server key command. For more information about that command, see “Configure Global Settings for TACACS+ Servers” on page 2-34. | none
For example, you might enter:
ProCurve(config)# tacacs-server host 192.168.7.1 timeout 10 key cool
After you enter this command, the ProCurve Secure Router times out the connection if the TACACS+ server does not respond within 10 seconds, and the router uses cool as the shared secret with the TACACS+ server.
Creating a TACACS+ Group
To define a group of TACACS+ servers, enter the following command from the global configuration mode context:
Syntax: aaa group server tacacs+ <groupname>
Replace <groupname> with a name that is meaningful to you.
For example, the following command creates a group called tacacs and enters the TACACS+ group configuration mode context:
ProCurve(config)# aaa group server tacacs+ tacacs
ProCurve(config-sg-tacacs+)#
Use the following command to add TACACS+ servers to the group:
Syntax: server <hostname | A.B.C.D>
Either replace <hostname> with the TACACS+ server’s hostname or replace <A.B.C.D> with the server’s IP address.
The following example adds two servers to the tacacs group:
ProCurve(config-sg-tacacs+)# server 192.168.1.1
ProCurve(config-sg-tacacs+)# server 192.168.7.101
ProCurve(config-sg-tacacs+)# exit
You must use the tacacs-server command to define TACACS+ servers before you can add them to a group. If you add a server to a group but the server is not defined by a tacacs-server command, the router simply bypasses that server in the group.
The Secure Router OS does not save empty TACACS+ groups. When the last server is removed from a group, the Secure Router OS automatically deletes the group.
Configure Global Settings for TACACS+ Servers
You can configure global settings that will be applied to all TACACS+ servers defined on the router. However, if you configure specific settings for a TACACS+ server, those settings override the global settings.
To configure global settings, you use the tacacs-server command, but you do not specify a particular server. Instead, you use the following commands:
Syntax: tacacs-server key <key>
Syntax: tacacs-server packet maxsize <size>
Syntax: tacacs-server timeout <seconds>
Table 2-7. Global Settings for TACACS+ Servers
Option | Meaning | Default Value
tacacs-server key <key> | Specifies the shared key to use with TACACS+ servers. Any keys you configure for a particular TACACS+ server supersede the global key. | none
tacacs-server packet maxsize <size> | Defines the packet size to send to the TACACS+ server. You can specify a number between 10240 and 65535. | 10240
tacacs-server timeout <seconds> | Specifies how long to wait for the TACACS+ server to respond to a request. You can specify a number between 1 and 1000. | 5 seconds
Troubleshooting AAA
The ProCurve Secure Router provides several commands to help you troubleshoot the AAA subsystem.
debug aaa Command
You can view detailed messages about the AAA subsystem in real time. From the enable mode context, enter:
Syntax: debug aaa
The Secure Router OS will then display AAA events such as connection notices, login attempts, and session tracking. Figure 2-4 shows the debug aaa messages when a user attempts to establish a Telnet session but does not enter a valid username and password. The AAA subsystem has been enabled on the router, but no named list has been defined for Telnet access, so the ProCurve Secure Router uses the default named list.
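Watching debug aaa by hand works for a single login; when the output is captured from a terminal session, the same messages can be grouped into sessions and counted. The following Python script is an added example written for this page, not Secure Router OS code: it recognises the message formats visible in Figure 2-4 (new session, list mapping, authentication failure, session close), builds one record per session, and reports source addresses with repeated failures and lines that are still falling back to the default list. The sample lines are constructed in the Figure 2-4 format.

```python
"""Added example, not part of the Secure Router OS: group the debug aaa
messages shown in Figure 2-4 into sessions and summarise failed logins by
source address. Assumes the message formats visible in the figure; the
sample lines are constructed in that format."""
import re
from collections import defaultdict
from typing import Dict, List

NEW_SESSION = re.compile(r"AAA: New Session on portal '(?P<portal>.+?) \((?P<ip>[\d.]+):\d+\)'\.")
NO_LIST = re.compile(r"AAA: No list mapped to '(?P<portal>.+?)'\. Using '(?P<list>.+?)'\.")
FAILED = re.compile(r"AAA: Authentication failed\.")
CLOSE = re.compile(r"AAA: Closing Session on portal '(?P<portal>.+?) \([\d.]+:\d+\)'\.")


def _failed_telnet_session(port: int) -> List[str]:
    """Constructed: one Telnet login on line 0 that fails, in the Figure 2-4 format."""
    return [
        f"AAA: New Session on portal 'TELNET 0 (192.168.1.60:{port})'.",
        "AAA: No list mapped to 'TELNET 0'. Using 'default'.",
        "AAA: Attempting authentication (username/password).",
        "AAA: RADIUS authentication failed.",
        "AAA: Authentication failed.",
        f"AAA: Closing Session on portal 'TELNET 0 (192.168.1.60:{port})'.",
    ]


# Constructed sample: three failed logins from one host, then a session on Telnet line 1
# that closes without an authentication failure.
SAMPLE = (
    _failed_telnet_session(4867) + _failed_telnet_session(4868) + _failed_telnet_session(4869) + [
        "AAA: New Session on portal 'TELNET 1 (192.168.1.75:5011)'.",
        "AAA: No list mapped to 'TELNET 1'. Using 'default'.",
        "AAA: Attempting authentication (username/password).",
        "AAA: Closing Session on portal 'TELNET 1 (192.168.1.75:5011)'.",
    ]
)


def parse_debug_aaa(lines: List[str]) -> List[Dict]:
    """One record per session: portal, source IP, the named list used, and whether it failed."""
    open_sessions: Dict[str, Dict] = {}
    current = None  # portal of the most recently opened session
    finished: List[Dict] = []
    for raw in lines:
        line = raw.strip()
        if m := NEW_SESSION.match(line):
            current = m["portal"]
            open_sessions[current] = {"portal": current, "ip": m["ip"], "list": None, "failed": False}
        elif m := NO_LIST.match(line):
            if m["portal"] in open_sessions:
                open_sessions[m["portal"]]["list"] = m["list"]
        elif FAILED.match(line):
            # The failure line names no portal; attribute it to the most recently opened session
            # (an assumption that holds for the sequential output in Figure 2-4).
            if current in open_sessions:
                open_sessions[current]["failed"] = True
        elif m := CLOSE.match(line):
            if m["portal"] in open_sessions:
                finished.append(open_sessions.pop(m["portal"]))
    return finished + list(open_sessions.values())


def summarize(sessions: List[Dict], threshold: int = 3) -> Dict:
    """Failed logins per source IP, lines still on the default list, and IPs at or over the threshold."""
    failures: Dict[str, int] = defaultdict(int)
    default_list_portals = set()
    for s in sessions:
        if s["failed"]:
            failures[s["ip"]] += 1
        if s["list"] == "default":
            default_list_portals.add(s["portal"])
    return {
        "failures_by_ip": dict(failures),
        "portals_using_default_list": sorted(default_list_portals),
        "alerts": sorted(ip for ip, n in failures.items() if n >= threshold),
    }


if __name__ == "__main__":
    print(summarize(parse_debug_aaa(SAMPLE)))
```

The portals_using_default_list entry is the configuration hint the figure itself points out: a Telnet line that reports “No list mapped” has not been assigned a named list with login authentication, so it is using whatever the default list allows.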
Figure 2-4. debug aaa
AAA: New Session on portal 'TELNET 0 (172.22.12.60:4867)'.
AAA: No list mapped to 'TELNET 0'. Using 'default'.
AAA: Attempting authentication (username/password).
AAA: RADIUS authentication failed.
AAA: Authentication failed.
AAA: Closing Session on portal 'TELNET 0 (192.168.1.60:4867)'.
Callouts in Figure 2-4:
No named list for Telnet line 0; default AAA configuration used.
Default for Telnet is the local user list.
Not a valid username and password.
To end the debug messages, enter:
Syntax: no debug aaa
Troubleshooting the RADIUS Server
To view information about RADIUS servers, enter the following command from the enable mode context:
ProCurve# show radius statistics
This command displays information such as:
■ number of packets sent
■ number of invalid responses
■ number of timeouts
■ average packet delay
■ maximum packet delay
Statistics are shown for both authentication and accounting packets. (See Figure 2-5.)
Figure 2-5. show radius statistics
                             Auth.  Acct.
Number of packets sent:      10     0
Number of invalid responses: 2      0
Number of timeouts:          0      0
Average delay:               2 ms   0 ms
Maximum delay:               3 ms   0 ms
debug radius Command
You can view debug messages about RADIUS servers in real time. From the enable mode context, enter:
Syntax: debug radius
The RADIUS debug messages show the communication process with the remote RADIUS servers, as shown below:
RADIUS AUTHENTICATION: Sending packet to 172.22.48.1 (1645).
RADIUS AUTHENTICATION: Received response from 172.22.48.1.
The number in parentheses is the port the router sent the request to. The output above shows 1645, the older RADIUS authentication port; the router's default auth-port is 1812, so confirm that the port reported here is the one the RADIUS server is listening on.
To end the debug messages, enter:
Syntax: no debug radius
Troubleshooting the TACACS+ Server
You can display information about the authentication, authorization, and accounting packets that the ProCurve Secure Router exchanges with the TACACS+ server. From the enable mode context, enter:
Syntax: show tacacs+ statistics
Figure 2-6 shows the type of information displayed with this command.
Figure 2-6. Viewing Information about Authentication, Authorization, and Accounting Through the TACACS+ Server
                    Authentication  Authorization  Accounting
Packets sent:       25              0              0
Invalid responses:  0               0              0
Timeouts:           0               0              0
Average delay:      0ms             0ms            0ms
Maximum delay:      0ms             0ms            0ms
Socket Opens: 10
Socket Closes: 10
Socket Aborts: 0
Socket Errors: 0
Socket Timeouts: 0
Socket Failed Connections: 0
Socket Packets Sent: 25
Socket Packets Received: 25
To clear the statistics associated with the TACACS+ protocol, enter the following command from the enable mode context:
Syntax: clear tacacs+ statistics
To debug the authentication, authorization, or accounting with the TACACS+ server, enter the following command from the enable mode context:
Syntax: debug tacacs+ [packets | events]
Figure 2-7 shows the output if you enter this command to monitor authentication through the TACACS+ server.
Figure 2-7. Using Debug to Monitor Authentication Through the TACACS+ Server
TAC+ TX: Sending Authentication START pkt
TAC+ TX: version=0xc0, type=Authentication, seq_no=1, flags=00
TAC+ TX: action=Login
TAC+ TX: level=1
TAC+ TX: authen type=ASCII
TAC+ TX: requested service=Login
TAC+ TX: username=
TAC+ TX: port=TELNET 0 (192.168.7.23:1072)
TAC+ TX: remote address=192.168.7.23
TAC+ RX: Received Authen REPLY pkt
TAC+ RX: version=0xc0, type=Authentication, seq_no=2, flags=00
TAC+ RX: status=GETUSER
TAC+ RX: flags=00
TAC+ RX: server msg=Login:
TAC+ TX: Sending Authentication CONTINUE pkt
TAC+ TX: version=0xc0, type=Authentication, seq_no=3, flags=00
TAC+ TX: user message=********
TAC+ TX: flags=0x00
TAC+ RX: Received Authen REPLY pkt
TAC+ RX: version=0xc0, type=Authentication, seq_no=4, flags=00
TAC+ RX: status=GETPASS
TAC+ RX: flags=0x01
TAC+ RX: server msg=Password:
TAC+ TX: Sending Authentication CONTINUE pkt
TAC+ TX: version=0xc0, type=Authentication, seq_no=5, flags=00
TAC+ TX: user message=********
TAC+ TX: flags=0x00
TAC+ RX: Received Authen REPLY pkt
TAC+ RX: version=0xc0, type=Authentication, seq_no=6, flags=00
TAC+ RX: status=PASS
TAC+ RX: flags=00
TAC+ RX: server msg=
Callouts in Figure 2-7: the remote address line shows the IP address of the device trying to establish a Telnet session; status=PASS means the user is authenticated.
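The counters in Figures 2-5 and 2-6 are the first place to look when logins against a RADIUS or TACACS+ server slow down or fail. The following Python parser is an added example written for this page, not Secure Router OS code: it reads both output layouts (the two-column Auth./Acct. table and the three-column table with the socket counters), normalises the row labels, and turns the numbers into findings. The sample texts reproduce the two figures; the timeout threshold and the interpretation of invalid responses as a likely shared-key mismatch are this example's assumptions.

```python
"""Added example, not part of the Secure Router OS: parse the output of
show radius statistics (Figure 2-5) and show tacacs+ statistics (Figure 2-6)
and turn the counters into findings. The two sample texts reproduce the
figures; the health thresholds are assumptions for illustration."""
import re
from typing import Dict, List

# Reproduced from Figure 2-5 (show radius statistics).
RADIUS_SAMPLE = """\
Auth. Acct.
Number of packets sent: 10 0
Number of invalid responses: 2 0
Number of timeouts: 0 0
Average delay: 2 ms 0 ms
Maximum delay: 3 ms 0 ms
"""

# Reproduced from Figure 2-6 (show tacacs+ statistics).
TACACS_SAMPLE = """\
Authentication Authorization Accounting
Packets sent: 25 0 0
Invalid responses: 0 0 0
Timeouts: 0 0 0
Average delay: 0ms 0ms 0ms
Maximum delay: 0ms 0ms 0ms
Socket Opens: 10
Socket Closes: 10
Socket Aborts: 0
Socket Errors: 0
Socket Timeouts: 0
Socket Failed Connections: 0
Socket Packets Sent: 25
Socket Packets Received: 25
"""


def _normalise(label: str) -> str:
    """'Number of packets sent' and 'Packets sent' both become 'packets sent'."""
    key = label.strip().lower()
    return key[len("number of "):] if key.startswith("number of ") else key


def parse_statistics(text: str) -> Dict:
    """Column headers come from the first line without a colon; rows with one value per
    column are per-type counters, single-value rows (the socket counters) are scalars."""
    columns: List[str] = []
    rows: Dict[str, List[int]] = {}
    scalars: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            columns = line.split()
            continue
        label, _, rest = line.partition(":")
        values = [int(v) for v in re.findall(r"(\d+)\s*(?:ms)?", rest)]  # "2 ms" and "0ms" both parse
        if columns and len(values) == len(columns):
            rows[_normalise(label)] = values
        elif len(values) == 1:
            scalars[_normalise(label)] = values[0]
    return {"columns": columns, "rows": rows, "scalars": scalars}


def health_findings(stats: Dict, timeout_ratio_limit: float = 0.1) -> List[str]:
    """Flag invalid responses (a shared-key mismatch is the usual cause), a timeout ratio
    above the assumed limit, and failed TCP connections to the TACACS+ server."""
    findings: List[str] = []
    rows = stats["rows"]
    sent = rows.get("packets sent", [])
    zeros = [0] * len(sent)
    for i, col in enumerate(stats["columns"][:len(sent)]):
        if sent[i] == 0:
            continue  # no traffic of this type, nothing to judge
        invalid = rows.get("invalid responses", zeros)[i]
        timeouts = rows.get("timeouts", zeros)[i]
        if invalid:
            findings.append(f"{col}: {invalid}/{sent[i]} invalid responses (check the shared key on both sides)")
        if timeouts / sent[i] > timeout_ratio_limit:
            findings.append(f"{col}: {timeouts}/{sent[i]} timeouts (server unreachable or timeout too short)")
    failed = stats["scalars"].get("socket failed connections", 0)
    if failed:
        findings.append(f"{failed} failed TCP connections to the TACACS+ server")
    return findings


if __name__ == "__main__":
    print(health_findings(parse_statistics(RADIUS_SAMPLE)))
    print(health_findings(parse_statistics(TACACS_SAMPLE)))
```

Run against Figure 2-5 the script reports the two invalid authentication responses out of ten requests; against Figure 2-6 it reports nothing, because every counter that matters is zero and all 25 socket packets sent were answered.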
Port Authentication
Allowing mobile devices unlimited access to a network poses a severe security risk. While it is beneficial to allow employees to plug in and gain access to a company’s LAN, there is the potential that unauthorized users may similarly gain access to your network.
Devices can be required to authenticate themselves before they are assigned an IP address on a network and before the access port is opened. The IEEE 802.1X protocol provides a standard for this authentication.
Enabling Supplicant Functionality
The ProCurve Secure Router can act as an IEEE 802.1X supplicant. You can set the supplicant username and password for access to the protected network using the port-auth command.
To enable the router to function as a supplicant:
1. Move to the configuration mode context for the Ethernet interface that you want to use to access the 802.1X-secured network.
ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)#
2. Configure the supplicant username and password:
Syntax: port-auth supplicant username <username> password <password>
ProCurve(config-eth 0/1)# port-auth supplicant username ProCurve password ProCurve
The default username is “username,” and the default password is “password.”
3. Enable the interface’s supplicant functionality by entering the following:
ProCurve(config-eth 0/1)# port-auth supplicant
As soon as you enable the supplicant functionality, the interface begins to attempt to authenticate itself and establish a connection to the 802.1X-secured network.
Troubleshooting Supplicant Functionality
If the ProCurve Secure Router is unable to access the 802.1X-secured network, begin troubleshooting by checking the physical connection. Ensure that the 10Base-T or 100Base-T cable is connected and in the proper ports.
Check the supplicant status and make sure that it is enabled and that you have entered the correct username and password. You can do this by entering the following from the enable mode context:
Syntax: show port-auth supplicant [summary | interface <slot>/<port>]
ProCurve# show port-auth supplicant interface eth 0/1
This command displays the Local Supplicant mode (enabled or disabled), the username and password that are configured, the router’s authorization status, and the connection status. The summary option displays only the interface, its status and current state, and whether it is authorized.
Debug the supplicant interface by entering:
Syntax: debug port-auth {general | packet [both | rx | tx] | supp-sm}
The general option displays the port authentication configuration. To view information on the packet exchange in transmit-only, receive-only, or both directions, use the packet option. The supp-sm option displays information on the supplicant state machine.
If you have entered the correct username and password and checked the physical connection, but access is still denied, contact the administrator of the 802.1X-secured network. Determine what other authentication requirements apply, and confirm that the administrator did not miskey your supplicant username and password.
Quick Start
This section provides the commands you must enter to quickly configure passwords to protect management access to the ProCurve Secure Router. Only a minimal explanation is provided.
If you need additional information about any of these options, see “Contents” on page 2-1 to locate the section and page number that contains the explanation you need.
Configure the Enable Mode Password
From the global configuration mode context, enter:
Syntax: enable password [md5] <password>
Replace <password> with any combination of up to 30 characters. The Message Digest 5 (md5) option encrypts the password. If you do not enter this option, the password is stored in clear text in the running-config.
Configure a Password for the Console Access
By default, you do not have to enter a password to access the ProCurve Secure Router through a console session. To configure a password to protect console access, complete these steps:
1. From the global configuration mode context, enter:
ProCurve(config)# line console 0
2. Enter the login command to require a password for console access.
ProCurve(config-con0)# login
3. Create a password:
Syntax: password [md5] <password>
Replace <password> with any combination of up to 30 characters. Use the md5 option if you want the password encrypted. For example:
ProCurve(config-con0)# password md5 procurve
If you do not enter the md5 option, the password is stored in clear text in the running-config.
Configuring Remote Access to the ProCurve Secure Router
You can access the ProCurve Secure Router through:
■ Telnet
■ SSH
■ HTTP
■ FTP
■ Secure Copy (SCP) server
Configuring an Ethernet Interface
Before you can access the router through a remote location, you must enable at least one interface and provide a physical connection to either a LAN or WAN. This section provides the minimum steps required to configure an Ethernet interface and to connect that interface to your company’s LAN. You can then access the router from a workstation on the LAN. (For more detailed information about configuring an Ethernet interface, see Chapter 3: Configuring Ethernet Interfaces.)
1. Use a 10Base-T or 100Base-T cable to connect the Ethernet port to a device (such as a switch) on your LAN.
2. Open your terminal session software and initiate a console session with the ProCurve Secure Router, using the following parameters:
• Baud Rate = 9600
• Parity = None
• Data Bits = 8
• Stop Bits = 1
• Flow Control = None
3. Press Enter when you are prompted to start a session with the router. The router basic mode context prompt appears, as shown below:
ProCurve>
4. Access the enable mode context:
ProCurve> enable
5. Access the global configuration mode context:
ProCurve# configure terminal
6. From the global configuration mode context, enter the Ethernet interface configuration mode context:
ProCurve(config)# interface ethernet 0/<port>
7. Assign the Ethernet interface an IP address.
Syntax: ip address <A.B.C.D> [<subnet mask> | /<prefix-length>]
For example, if you want to assign the Ethernet interface an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0, enter
ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24
8. Activate the Ethernet interface.
ProCurve(config-eth 0/1)# no shutdown
9. Save your configuration.
ProCurve(config-eth 0/1)# do write memory
Configuring a Password for Telnet Access
By default, you are required to configure a password for Telnet access. In addition, you must configure an enable mode password.
1. From the global configuration mode context, enter the following command:
Syntax: line telnet <0–4>
For example, if you want to configure port 0, enter:
ProCurve(config)# line telnet 0
If you want to configure all the Telnet ports, enter:
ProCurve(config)# line telnet 0 4
2. Configure a password for Telnet access:
Syntax: password [md5] <password>
For additional security, use the md5 option to encrypt the password.
For example, if you want to create the password as procurve, enter
ProCurve(config-telnet0)# password md5 procurve
3. Exit to the global configuration mode context and create a password for the enable mode context.
Syntax: enable password [md5] <password>
Note: You can configure an access control list (ACL) to block Telnet access. For instructions on configuring this ACL, see Chapter 5: Applying Access Control to Router Interfaces in the Advanced Management and Configuration Guide.
Configuring Local User Lists
You can configure multiple usernames and passwords to be used for FTP, HTTP, and SSH access to the router. From the global configuration mode context, enter:
Syntax: username <username> password <password>
These passwords are stored in the local user lists.
To encrypt all the passwords configured on the ProCurve Secure Router, enter the following command from the global configuration mode context:
ProCurve(config)# service password-encryption
The ProCurve Secure Router automatically supports SSH and FTP access. After you configure a password in the local user list, you can access the router through these methods.
Enabling HTTP Access. From the global configuration mode context, enter:
ProCurve(config)# ip http server
If you want to use Secure Sockets Layer (SSL) to protect the communications between your PC and the router, enter:
ProCurve(config)# ip http secure-server
Enabling the SCP Server. To encrypt files as they are copied to and from the ProCurve Secure Router, enter the following command from the global configuration mode context:
Syntax: ip scp server
Configuring AAA
To configure AAA, complete these steps:
1. Enable the AAA subsystem.
ProCurve(config)# aaa on
Configuring Authentication with AAA
2. Create a list of authentication methods, called a named list, for the enable mode.
Syntax: aaa authentication enable default {none | line | enable | [group <group-name> | radius | tacacs+]}
For example, you might enter:
ProCurve(config)# aaa authentication enable default enable line
Note: If you specify a RADIUS or TACACS+ server, you must define that server. See “Defining a RADIUS Server” on page 2-48 and “Defining a TACACS+ Server” on page 2-48.
3. Create a named list for the router’s access lines (such as the console line and the Telnet lines).
Syntax: aaa authentication login <listname> {none | line | enable | [group <groupname> | radius | tacacs+]}
Replace <listname> with the name you want to use to refer to the named list you create. For example, you might enter:
ProCurve(config)# aaa authentication login LoginList enable line local
4. Assign the named list to the console line, Telnet lines, FTP, or Web access. Move to the appropriate line configuration mode context and enter:
Syntax: login authentication <aaa login list>
You do not have to complete this step to configure AAA authentication methods for the enable mode.
Configuring Authorization with AAA
5. To define a named list for authorization, enter the following command from the global configuration mode context:
Syntax: aaa authorization commands [1 | 15] [default | <named list>] group [tacacs+ | <group name>] [if-authenticated | none]
Include 1 or 15 to specify the level of commands for which you want to configure authorization: 1 is for unprivileged access, or basic mode, and 15 is for privileged access, or the enable mode.
Specify the default authorization list or replace <named list> to create a named list.
Use the group tacacs+ option to specify the default group of TACACS+ servers. Use the group <group name> if you have created a group of TACACS+ servers.
Include the if-authenticated option to authorize authenticated users. Use the none option if authorization is not required. You may want to enter none as a second option. That way, if the ProCurve Secure Router cannot contact the TACACS+ server, you will still be able to configure the router.
6. Assign the named list to a console, Telnet, or SSH line. From the appropriate line configuration mode context, enter:
Syntax: authorization commands [1 | 15] [default | <named list>]
7. To enable authorization commands for the console line, enter the following command from the global configuration mode context:
Syntax: aaa authorization console
Note: Take care when you configure authorization for the console line. If you are not careful, you may prohibit yourself from entering commands from the console.
Configuring the TACACS+ Server for Accounting
8. To configure a named list for accounting, enter:
Syntax: aaa accounting commands [1 | 15] [default | <named list>] [none | stop-only] group [tacacs+ | <group name>]
Specify the level of commands for which you want to generate accounting: 1 is for unprivileged access, which is the basic mode, and 15 is for privileged access, which is the enable mode.
Specify the default accounting list or replace <named list> to create an accounting list.
Include the stop-only option if you want an accounting record to be generated when the user ends his or her session. Include the none option if you do not want an accounting record generated. For example, you may not want any records generated if a user enters a command at the basic mode context.
Include the group tacacs+ option if you want the ProCurve Secure Router to send the accounting information to the default group of TACACS+ servers. Replace group <groupname> with a group that you created. You can specify more than one group.
9. Assign the named list to a console, Telnet, or SSH line. From the appropriate line configuration mode context, enter:
Syntax: accounting commands [1 | 15] [default | <named list>]
Defining a RADIUS Server
Define the IP address of the RADIUS server and the key that the ProCurve Secure Router must use to authenticate to the server (if a key is required). From the global configuration mode context, enter:
Syntax: radius-server host <A.B.C.D> key <key>
Replace <A.B.C.D> with the RADIUS server’s IP address and replace <key> with the shared key for the RADIUS server.
Defining a TACACS+ Server
Define the IP address of the TACACS+ server and the key that the ProCurve Secure Router must use to authenticate to the server (if a key is required). From the global configuration mode context, enter:
Syntax: tacacs-server host <A.B.C.D | hostname> key <key>
Replace <A.B.C.D> with the server’s IP address or replace <hostname> with the hostname of the TACACS+ server. Replace <key> with the shared key.
Enabling 802.1X Supplicant Status
To enable the router to function as a supplicant:
1. Move to the configuration mode context for the Ethernet interface that you want to use to access the 802.1X-secured network.
ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)#
2. Configure the supplicant username and password:
Syntax: port-auth supplicant username <username> password <password>
ProCurve(config-eth 0/1)# port-auth supplicant username ProCurve password ProCurve
The default username is “username,” and the default password is “password.”
3. Enable the interface’s supplicant functionality by entering the following:
ProCurve(config-eth 0/1)# port-auth supplicant
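Several of the Quick Start steps above come down to one optional keyword that decides whether a secret is stored in clear text or whether a management channel is encrypted: md5 on enable and line passwords, service password-encryption for the local user list, ip http secure-server beside ip http server, key on a server definition, and the none fallback and console option in the authorization steps. The following Python script is an added example written for this page, not Secure Router OS code: it reads a running-config excerpt and lists each of these points in configuration order. The two configurations are constructed from the commands in this chapter; the weak one omits the protective options and the hardened one includes them. The none fallback is reported for review, not as an error, since the Quick Start itself recommends it as a way to keep access if the TACACS+ server is unreachable.

```python
"""Added example, not part of the Secure Router OS: audit a running-config
excerpt against the points this Quick Start makes about management access
(md5 for enable and line passwords, service password-encryption for local
users, ip http secure-server, the none fallback for authorization, console
authorization, and shared keys on server definitions). Both configs are
constructed from the commands in this chapter."""
import re
from typing import List

# Constructed: the Quick Start commands entered without the protective options.
WEAK_CONFIG = """\
enable password procurve
username admin password s3cret
line console 0
 login
 password md5 procurve
line telnet 0 4
 login
 password procurve
ip http server
aaa on
aaa authentication login LoginList enable line local
aaa authorization commands 15 default group tacacs+ none
aaa authorization console
tacacs-server host 192.168.7.1
radius-server host 1.2.3.4 key my secret key
"""

# Constructed: the same excerpt with the options the chapter recommends.
HARDENED_CONFIG = """\
service password-encryption
enable password md5 procurve
username admin password s3cret
line console 0
 login
 password md5 procurve
line telnet 0 4
 login
 password md5 procurve
ip http server
ip http secure-server
aaa on
aaa authentication login LoginList enable line local
tacacs-server host 192.168.7.1 key cool
"""

SERVER_DEF = re.compile(r"^(tacacs|radius)-server host \S+")


def audit_config(config_text: str) -> List[str]:
    """Return one finding per weak setting, in config order. Indented lines belong to the
    most recent unindented 'line ...' block, as in the router's running-config layout."""
    lines = [l.rstrip() for l in config_text.splitlines() if l.strip()]
    cmds = [l.strip() for l in lines]
    has_pw_encryption = "service password-encryption" in cmds
    has_https = "ip http secure-server" in cmds
    findings: List[str] = []
    context = None  # the 'line ...' block an indented command belongs to
    for line, cmd in zip(lines, cmds):
        if not line.startswith(" "):
            context = cmd if cmd.startswith("line ") else None
        if cmd.startswith("enable password") and not cmd.startswith("enable password md5"):
            findings.append("enable password stored in clear text (use enable password md5)")
        elif context and cmd.startswith("password") and not cmd.startswith("password md5"):
            findings.append(f"{context}: password stored in clear text (use password md5)")
        elif cmd.startswith("username ") and " password " in cmd and not has_pw_encryption:
            findings.append(f"{cmd.split()[1]}: local user password stored in clear text "
                            "(add service password-encryption)")
        elif cmd == "ip http server" and not has_https:
            findings.append("ip http server enabled without ip http secure-server: web management is unencrypted")
        elif cmd.startswith("aaa authorization commands") and cmd.endswith(" none"):
            findings.append(f"{cmd}: authorization is skipped when the TACACS+ group cannot be reached")
        elif cmd == "aaa authorization console":
            findings.append("aaa authorization console: a wrong authorization list can lock out console access")
        elif SERVER_DEF.match(cmd) and " key " not in cmd:
            findings.append(f"{cmd}: no shared key configured for this server")
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print(finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The weak configuration yields seven findings and the hardened one none. The check for the local user list is deliberately conditional: username passwords are reported only when service password-encryption is absent, which mirrors the Quick Start's instruction that this one command encrypts all of them.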
Chapter 3: Configuring Ethernet Interfaces
Contents
Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Configuring the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Enabling the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Configuring an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Assigning a Static IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Configuring the Ethernet Interface as a DHCP Client . . . . . . . . . . 3-5
Configuring the Ethernet Interface as an Unnumbered Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Setting the Speed and the Duplex Settings . . . . . . . . . . . . . . . . . . . . . 3-10
Configuring the Line for Half-Duplex or Full-Duplex . . . . . . . . . . . . . 3-11
Setting the MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Adding a Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Summary of Ethernet Configuration Settings . . . . . . . . . . . . . . . . . . . 3-13
Configure VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Configuring VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Assigning an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Viewing the Status of Ethernet Interfaces or Subinterfaces . . . . . . . . . . . 3-19
show interfaces Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
show running-config Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Viewing the Configurations That Have Been Entered . . . . . . . . . 3-22
Viewing All the Configuration Settings Including Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Troubleshooting an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
show event-history Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
debug interface ethernet Command . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
Configuring the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
Ethernet Interfaces
The ProCurve Secure Router includes two Ethernet ports on the front panel, allowing you to connect two LAN segments to your WAN. You can also use the Ethernet ports to connect to a cable or Digital Subscriber Line (DSL) modem. Most companies will connect the router to a switch on the LAN segment. (See Figure 3-1.)
To connect a LAN segment to an Ethernet port, you use unshielded 10Base-T or 100Base-T cabling with an RJ-45 connector that meets the EIA/TIA-568-A or 568-B standards. For a 10-Mbps connection, use a Category 3 cable or better. For a 100-Mbps connection, use a Category 5 cable or better.
Figure 3-1. Connecting LAN Segments to the ProCurve Secure Router
Like the uplink ports on ProCurve switches, the Ethernet ports on the ProCurve Secure Router support auto MDIX, which automatically reverses the transmit and receive signals as needed. Even in situations in which you would normally need a crossover cable, you can still use a straight-through cable. For example, you can connect a PC to an Ethernet interface on the ProCurve Secure Router with a straight-through cable.
After you connect your LAN segments to the ProCurve Secure Router, you can enable the built-in firewall and configure access control policies to protect your internal network from unauthorized access or network attacks. (For more information about enabling the firewall, see the Advanced Management and Configuration Guide, Chapter 4: ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network; for more information about access controls, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.)
[Figure 3-1 labels: Switch, Server, Server, ProCurve Secure Router, Switch, Ethernet 0/1, Ethernet 0/2]
Configuring the Ethernet Interface
The Ethernet interface is the only interface on the ProCurve Secure Router that you configure to control both the Physical and the Data Link Layers of a connection. To configure an Ethernet interface, you must access the appropriate interface. Like the physical WAN interfaces on the ProCurve Secure Router, the Ethernet interfaces are referred to by their slot and port number.
For Ethernet interfaces, the slot number is always 0. The port number for the bottom Ethernet port is 1, so the interface for that port is referred to as Ethernet 0/1. The port number for the top port is 2, so the interface for that port is referred to as Ethernet 0/2. (See Figure 3-2.)
Figure 3-2. Ethernet Ports on the ProCurve Secure Router
To access the Ethernet configuration mode context in the command line interface (CLI), enter the following command from the global configuration mode context:
Syntax: interface ethernet 0/<port>
For example, if you want to configure the bottom Ethernet port, enter:
ProCurve(config)# interface ethernet 0/1
You can also use a truncated reference for both interface and Ethernet, as shown below:
ProCurve(config)# int eth 0/1
When you truncate a command, you only need to enter enough of the command to distinguish it from other commands.
After you enter the int eth 0/1 command, the prompt will show that you are in the Ethernet 0/1 interface configuration mode context:
ProCurve(config-eth 0/1)#
Enabling the Ethernet Interface
By default, all the interfaces on the ProCurve Secure Router are administratively down. You must activate the Ethernet interface before you can establish a connection to it. From the Ethernet interface configuration mode context, enter:
ProCurve(config-eth 0/1)# no shutdown
After you activate the interface, a message is displayed on the CLI, reporting that the interface is administratively up. Then when the Ethernet interface establishes a valid connection to the endpoint device, another message is displayed, reporting that the interface is up.
If the Ethernet interface cannot establish a valid connection, the status of the interface changes to down. You need to continue configuring the interface, or you need to attach a cable to the interface and establish a connection with another device such as a switch.
These interface status messages are displayed on the CLI by default. To stop these messages from being displayed, enter the following enable mode command:
ProCurve# no events
To enable the display of these messages again, enter:
ProCurve# events
Configuring an IP Address
To assign the Ethernet interface an IP address, you must be at the Ethernet interface configuration mode context:
ProCurve(config-eth 0/1)#
You then have several options for assigning an IP address to an Ethernet interface:
■ You can assign the Ethernet interface a static IP address.
■ You can configure the Ethernet interface as a Dynamic Host Configuration Protocol (DHCP) client.
■ You can configure the Ethernet interface as an unnumbered interface.
Assigning a Static IP Address
To assign the Ethernet interface a static IP address, use the following command syntax:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For example, you might enter:
ProCurve(config-eth 0/1)# ip address 192.168.1.1 255.255.255.0
Because the ProCurve Secure Router supports Classless Inter-Domain Routing (CIDR) notation, you could also enter:
ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24
Note: You must include a space between the IP address and the / symbol in front of the prefix length.
Configuring the Ethernet Interface as a DHCP Client
If you are using DHCP to assign IP addresses to the clients on your network, you may also want to have the DHCP server assign an IP address to the Ethernet interface. To enable the DHCP client for the Ethernet interface, you use one of the following commands:
Syntax: ip address dhcp {client-id [ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH] | hostname <hostname>}
Syntax: ip address dhcp [hostname <hostname> | no-default-route | no-domain-name | no-nameservers]
In addition to enabling the DHCP client, this command allows you to configure the settings shown in Table 3-1.
Table 3-1. DHCP Client Settings

| Option | Meaning | Default Setting |
|---|---|---|
| client-id | configures the client id displayed in the DHCP server's table | media type and interface's MAC address |
| hostname | configures the hostname displayed in the DHCP server's table | router hostname |
| no-default-route | specifies that the DHCP client should not accept the default route obtained through DHCP | accept default route from the DHCP server |
| no-domain-name | specifies that the DHCP client should not accept the domain name included with the other lease settings that the DHCP server sends | accept the domain name setting from the DHCP server |
| no-nameservers | specifies that the DHCP client should not accept the DNS setting included with the other lease settings that the DHCP server sends | accept DNS settings from the DHCP server |

Before you enable the DHCP client, you must decide whether or not you want to configure the settings listed in Table 3-1, and you must then include the settings in the same command you enter to enable the DHCP client. After you enable the DHCP client, it immediately begins to search for a DHCP server and negotiate a lease. You cannot impose settings on that lease after it is established.
Accepting the Default Settings. If you want to use the default DHCP settings for the Ethernet interface, you can simply enter:
ProCurve(config-eth 0/1)# ip address dhcp
The DHCP client on the Ethernet interface will immediately begin to send DHCP discovery messages to find a DHCP server. When a DHCP server responds, the client will negotiate an IP address.
The DHCP client will send DHCP discovery messages whether or not the Ethernet interface is activated or a valid Ethernet connection has been established. It will continue to send DHCP discovery messages until a DHCP server responds.
You should ensure that the DHCP client receives an IP address so that these requests do not consume router resources or bandwidth on your Ethernet link. To determine if the Ethernet interface has been assigned an IP address, enter:
ProCurve(config-eth 0/1)# do show int eth 0/1
Note: The do command allows you to enter enable mode commands from any context (except the basic mode context).
Configuring a Client Identifier. By default, the Secure Router OS populates the DHCP client identifier with the Ethernet interface's media type and media access control (MAC) address. You can specify that the DHCP client uses the MAC address of the other Ethernet port, or you can change the client identifier to a customized MAC address.
To configure a client identifier when you enable the DHCP client, enter:
Syntax: ip address dhcp client-id [ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH]
When you configure the client-identifier, you can also configure a hostname, as explained in the next section.
Configuring a Hostname. The Secure Router OS uses the hostname configured for the router as the Ethernet interface's default DHCP client hostname. If you want to override this name when you enable the DHCP client, enter the following command:
Syntax: ip address dhcp hostname <hostname>
For example, you might want to specify that the hostname is RouterB. In this case, you would enter:
ProCurve(config-eth 0/1)# ip address dhcp hostname RouterB
When you specify the hostname, you can also configure a client-identifier at the same time, as shown below.
ProCurve(config-eth 0/1)# ip address dhcp client-id ethernet 0/2 hostname RouterB
If you enter this command, the DHCP client will use the MAC address of the Ethernet 0/2 interface as its client identifier. The DHCP client will also use the hostname RouterB.
Alternatively, you can specify the hostname and configure the client to ignore the settings received from the DHCP server. These commands are described in the following sections.
Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default-route, a domain name, or a domain name server (DNS), the DHCP client for the Ethernet interface will accept and use these settings. If you do not want to use any of these settings, enter:
Syntax: ip address dhcp [hostname <hostname> | no-default-route | no-domain-name | no-nameservers]
For example, if you do not want the DHCP client to use the route settings and name (DNS) server settings that it receives from the DHCP server, enter:
ProCurve(config-eth 0/1)# ip address dhcp no-default-route no-nameservers
If you do not want the DHCP client to use any of the default settings, enter:
ProCurve(config-eth 0/1)# ip address dhcp no-default-route no-domain-name no-nameservers
Releasing or Renewing an IP address. If you want to manually force the Ethernet interface to release or renew an IP address, enter these commands from the Ethernet interface configuration mode context:
ProCurve(config-eth 0/1)# ip dhcp release
ProCurve(config-eth 0/1)# ip dhcp renew
Remove the DHCP Client Setting. If you decide that you no longer want the Ethernet interface to be a DHCP client, enter:
ProCurve(config-eth 0/1)# no ip address dhcp
Changing a Setting for the DHCP Client. If you want to change a setting for the DHCP client, you must first disable the client. Then you can enter the command to enable the client with the setting that you want to change.
Before you disable the client, you should release the IP address obtained through DHCP. This will prevent the DHCP server from holding the IP address and allow it to assign the IP address to another client.
For example, if you enabled the DHCP client with all the default settings and later determined that you wanted the router to function as the DNS server for the Ethernet interface, you would enter:
ProCurve(config-eth 0/1)# ip dhcp release
ProCurve(config-eth 0/1)# no ip address dhcp
ProCurve(config-eth 0/1)# ip address dhcp no-nameservers
Configuring the Ethernet Interface as an Unnumbered Interface
To conserve IP addresses on your network, you may want to create the Ethernet interface as an unnumbered interface. When you assign the Ethernet interface an IP address, that IP address cannot overlap with the IP addresses assigned to other interfaces on the router. As a result, each interface on the router that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.
You can configure the Ethernet interface (and other interfaces on the ProCurve Secure Router) as an unnumbered interface. The Ethernet interface will then use the IP address of the interface you specify. The Secure Router OS uses the IP address of the specified interface when sending route updates over the unnumbered interface.
Before configuring the Ethernet interface as an unnumbered interface, you should be aware of a potential disadvantage: if the interface to which the IP address is actually assigned goes down, the Ethernet interface will be unavailable. For example, suppose you configure the Ethernet 0/1 interface as an unnumbered interface that takes its IP address from the Frame Relay 1.16 subinterface. If the Frame Relay 1.16 subinterface goes down, the Ethernet 0/1 interface will be unavailable as well.
To minimize the chances of the interface with the IP address going down, you can assign the IP address to a loopback interface, which typically does not go down.
To configure an Ethernet interface as an unnumbered interface, enter the following command from the Ethernet interface configuration mode context:
Syntax: ip unnumbered <interface>
Valid interfaces include:
■ Asynchronous Transfer Mode (ATM) subinterfaces
■ the other Ethernet interface or Ethernet subinterfaces
■ demand interfaces
■ Frame Relay subinterfaces
■ High-level Data Link Control (HDLC) interfaces
■ loopback interfaces
■ PPP interfaces
If you configure the Ethernet interface to support virtual LANs (VLANs), you can specify an Ethernet subinterface.
For example, you would enter the following commands to configure a loopback interface and then configure the Ethernet 0/1 interface to use the IP address assigned to that loopback interface:
ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 10.1.1.1 /24
ProCurve(config-loop 1)# interface ethernet 0/1
ProCurve(config-eth 0/1)# ip unnumbered loopback 1
ProCurve(config-eth 0/1)# no shutdown
Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface automatically changes to up after you enter the interface loopback <interface number> command.
Setting the Speed and the Duplex Settings
By default, the Ethernet interfaces automatically negotiate both the line speed and duplex setting, as outlined below:
■ When an Ethernet interface is enabled and the cable is connected to an endpoint, the interface first tries to negotiate the speed at 100 Mbps with full-duplex. If the endpoint device can operate at 100 Mbps with full-duplex, the Ethernet link is established.
■ If the endpoint device cannot operate at 100 Mbps with full-duplex, the Ethernet interface attempts to establish the speed at 10 Mbps with full-duplex. If the endpoint device can operate at this speed with full-duplex, the link is established with these settings.
■ If the endpoint device cannot operate at 10 Mbps with full duplex, the Ethernet interface attempts to establish the speed at 10 Mbps with half-duplex. If the endpoint device accepts these settings, the link is established.
If you have manually configured a setting for duplex on the interface, the negotiated setting for duplex is ignored.
Unless the router experiences problems negotiating the speed with the device at the other end of the Ethernet link, you should keep the default setting of auto. However, if you need to set the speed of the link for the Ethernet interface, use the following command syntax:
Syntax: speed [10 | 100 | auto]
For example, you might enter:
ProCurve(config-eth 0/1)# speed 100
Note: If you manually configure the speed, the Ethernet interfaces still negotiate the duplex setting (either full-duplex or half-duplex). Some Ethernet devices cannot negotiate duplex if the speed is manually set. To avoid possible problems, you may want to manually configure the duplex setting whenever the speed is manually set. (Manually configuring the duplex setting is described in the next section.)
You can enter one of the following commands to return to the default setting for speed:
ProCurve(config-eth 0/1)# speed auto
or
ProCurve(config-eth 0/1)# no speed
Configuring the Line for Half-Duplex or Full-Duplex
The Ethernet modules support both full-duplex and half-duplex. By default, the Ethernet modules operate at full-duplex. If you need to change this setting, enter:
ProCurve(config-eth 0/1)# half-duplex
To return to the default setting, you can enter one of the following commands:
ProCurve(config-eth 0/1)# full-duplex
or
ProCurve(config-eth 0/1)# no half-duplex
Setting the MTU
The maximum transmission unit (MTU) defines the largest size that an Ethernet frame can be. If a frame exceeds the MTU, it must be fragmented. By default, the MTU for Ethernet interfaces is 1500 bytes.
For most environments you should keep the default MTU size. However, you may need to adjust the MTU if the interface is connected to another device that uses a different MTU size and you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router. OSPF routers cannot become adjacent if their MTU sizes do not match. You should ensure that the device at the far end of the Ethernet connection is using the same MTU as the interface you are configuring.
If routers and switches have different MTU sizes in a TCP/IP network, transmissions and routing may be affected. For example, if a switch has a smaller MTU and your router sends a frame that exceeds that size, the switch will fragment the frame. If the forwarded frame is tagged with the "do not fragment" field, then the switch cannot send the frame on to its destination. In this case, the switch must return an Internet Control Message Protocol (ICMP) message to notify the router that the frame cannot be fragmented. The router, in turn, must send the packet back to the originator, and the originator must remove the "do not fragment" field and resend the frame. If possible, you should ensure that the switches and routers on your network are using the same MTU.
Note: The MTU size refers to the Ethernet payload.
To change this setting, enter:
Syntax: mtu <size>
Replace <size> with a number between 64 and 1500.
Adding a Description
You can add a description to the interface if you want to document information about it. For example, you might want to use a description to differentiate between the two Ethernet interfaces: you could document which LAN segment connects to each interface. You might also want to use a description if you have had to troubleshoot a problem and want to document why you changed a particular setting.
Syntax: description <line>
Replace <line> with up to 80 characters. For example, you might enter:
ProCurve(config-eth 0/1)# description Attached to building 1
The description you enter is displayed only when you enter the following command from the enable mode context:
ProCurve# show running-config
interface eth 0/1
  description Attached to building 1
  ip address 192.168.1.1 255.255.255.0
  no shutdown
You can also view the description by entering:
ProCurve# show running-config interface eth 0/1
This command displays the running-config settings for only the Ethernet 0/1 interface.
Summary of Ethernet Configuration Settings
Table 3-2 shows the main settings for configuring an Ethernet interface.
Table 3-2. Ethernet Interface Configuration Options

| Setting | Description | Default | Page |
|---|---|---|---|
| description | include information about the interface that can be viewed when you enter show running-config | no default | 3-12 |
| encapsulation 802.1q | configures the interface to support VLANs | no default | 3-15 |
| full-duplex or half-duplex | defines whether the connection uses full-duplex or half-duplex | full-duplex | 3-10 |
| ip address <A.B.C.D> <subnet mask \| /prefix length> | assigns a static IP address to the interface | no default | 3-5 |
| ip address dhcp | configures the interface as a DHCP client that receives its address from a DHCP server | no default | 3-5 |
| ip unnumbered <interface> | uses the IP address assigned to another interface on the router | no default | 3-5 |
| mtu <size> | sets the maximum size that an Ethernet frame can be before it is fragmented | 1500 | 3-11 |
| no shutdown | activates the interface | shutdown | 3-4 |
| speed [10 \| 100 \| auto] | defines the speed at which data is transmitted over the connection | auto | 3-10 |
In addition to configuring these settings, you can:
■ assign access control policies (ACPs) or access control lists (ACLs) to the interface
■ enable bridging
■ assign crypto maps to enable virtual private networks (VPNs)
■ configure settings for routing protocols
■ configure quality of service (QoS) settings
These settings are discussed in other chapters, as shown in Table 3-3.
Table 3-3. Additional Configurations for the Ethernet Interface

| Settings | Configuration Guide | Page |
|---|---|---|
| access controls to filter incoming and outgoing traffic | Advanced | 5-18 |
| bridging | Basic | 10-6 |
| VPNs | Advanced | 8-46 |
| routing commands for OSPF, RIP, or BGP | Advanced | 13-1 |
| quality of service settings | Advanced | 7-28 |

After you configure one Ethernet interface using the CLI, you can enable the HTTP server and use the Web browser interface to configure the other Ethernet interfaces. See Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.
Ethernet subinterfaces are used to enable VLAN support. To configure VLAN support and the Ethernet subinterfaces, you will configure these settings from the Ethernet subinterface configuration mode context. (VLAN support is discussed in the next section.)
Configure VLAN Support
VLANs enable you to group users by logical function rather than physical location. Creating VLANs on your network provides several advantages:
■ VLANs allow you to segment your network into smaller broadcast domains. In networks that have large broadcast domains, broadcast storms can disrupt network traffic.
■ VLANs enhance your network security. Because each VLAN is a separate broadcast domain, members of a particular VLAN cannot “see” traffic from other VLANs.
■ VLANs simplify network management. For example, you can use VLANs to grant users access to network resources.
ProCurve Networking devices support the IEEE 802.1Q standard for VLAN tagging. When you define a VLAN on an 802.1Q-compliant device, it inserts a four-byte tag into the Ethernet frame. This tag identifies the packet’s VLAN membership. The 802.1Q tag contains:
■ the tag value, which identifies the data as a tag
■ the VLAN ID
As per the 802.1Q specification, the default tag value is 8100 (hexadecimal). The VLAN ID is determined by the VLAN on which the packet is being forwarded.
Figure 3-3 shows the format of Ethernet frames that contain the 802.1Q tag.
Note: Because a VLAN tag is inserted into the Ethernet frame, it is called VLAN tagging in a ProCurve environment. (In a Cisco environment, VLAN tagging is referred to as VLAN trunking.)
Figure 3-3. The 802.1Q Tag
A VLAN is comprised of multiple ports operating as members of the same subnet (or broadcast domain). Ports on multiple devices can belong to the same VLAN, and traffic moving between ports in the same VLAN is bridged (or “switched”).
Traffic moving between different VLANs, on the other hand, must be routed. If a switch supports IP routing, it can internally route IP (IPv4) traffic between VLANs. If a switch is not configured to route traffic internally between VLANs, an external router must forward traffic between VLANs. The router, of course, must support 802.1Q. (See Figure 3-4.)
Figure 3-3 (reconstructed from the diagram labels) shows the two tagged-frame layouts and the layout of the tag itself.

Ethernet II with 802.1Q tag:

| Field | Destination address | Source address | 802.1Q Tag | Type field | Data field | CRC |
|---|---|---|---|---|---|---|
| Size | 6 bytes | 6 bytes | 4 bytes | 2 bytes | Up to 1500 bytes | 4 bytes |

IEEE 802.3 with 802.1Q tag:

| Field | Destination address | Source address | 802.1Q Tag | Length field | Data field | CRC |
|---|---|---|---|---|---|---|
| Size | 6 bytes | 6 bytes | 4 bytes | 2 bytes | Up to 1496 bytes | 4 bytes |

802.1Q tag (4 octets; bits are numbered 1 through 8 within each octet):

| Octets | Field |
|---|---|
| 1-2 | Tag protocol ID (TPID) |
| 3-4 | 802.1P priority (3 bits) and VLAN ID (12 bits) |
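To make the Figure 3-3 layouts concrete, the following parser decodes a tagged frame into its fields and distinguishes the Ethernet II (Type) and IEEE 802.3 (Length) variants by the value of the two bytes after the tag. This is an added example, not ProCurve code; the frames it builds are constructed for illustration and carry a placeholder CRC rather than a computed FCS.

```python
"""Parse and build 802.1Q-tagged Ethernet frames as laid out in Figure 3-3.
Added example (not ProCurve code). Sample frames are constructed; the CRC
field is a placeholder, not a real frame check sequence."""
import struct

TPID_8021Q = 0x8100       # default tag value per the 802.1Q specification
ETHERTYPE_IPV4 = 0x0800
MAX_8023_LENGTH = 1500    # a value <= 1500 after the tag is an 802.3 Length field
MIN_TAGGED_FRAME = 6 + 6 + 4 + 2 + 4   # DA + SA + tag + type/length + CRC


def parse_tagged_frame(frame: bytes) -> dict:
    """Decode DA, SA, the 802.1Q tag and the Type/Length field of one frame.

    Raises ValueError for frames that are too short, untagged, or whose 802.3
    Length field claims more data than the frame actually carries.
    """
    if len(frame) < MIN_TAGGED_FRAME:
        raise ValueError("frame shorter than a minimal tagged frame")
    dst, src = frame[0:6], frame[6:12]
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError(f"not an 802.1Q-tagged frame (TPID 0x{tpid:04x})")
    # Tag Control Information: 3-bit 802.1P priority, then the 12-bit VLAN ID
    priority = tci >> 13
    vlan_id = tci & 0x0FFF
    (type_or_len,) = struct.unpack("!H", frame[16:18])
    payload = frame[18:-4]        # Data field sits between header and CRC
    if type_or_len <= MAX_8023_LENGTH:
        encapsulation = "IEEE 802.3"   # Length field; data up to 1496 bytes
        if type_or_len > len(payload):
            raise ValueError("802.3 Length field exceeds the data present")
    else:
        encapsulation = "Ethernet II"  # Type field; data up to 1500 bytes
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "priority": priority,
        "vlan_id": vlan_id,
        "encapsulation": encapsulation,
        "type_or_length": type_or_len,
        "payload_len": len(payload),
    }


def build_tagged_frame(dst: bytes, src: bytes, vlan_id: int, type_or_len: int,
                       payload: bytes, priority: int = 0) -> bytes:
    """Construct a tagged frame in the Figure 3-3 layout (placeholder CRC)."""
    if not 0 <= vlan_id <= 0x0FFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= priority <= 7:
        raise ValueError("802.1P priority must fit in 3 bits")
    tci = (priority << 13) | vlan_id
    header = dst + src + struct.pack("!HHH", TPID_8021Q, tci, type_or_len)
    return header + payload + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    # Constructed sample: broadcast IPv4 frame on VLAN 20 with priority 3
    frame = build_tagged_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 20,
                               ETHERTYPE_IPV4, b"\x45" + b"\x00" * 39, priority=3)
    print(parse_tagged_frame(frame))
```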
Figure 3-4. Routing VLAN Traffic Between Layer 2 Switches
If your company is using Layer 2 switches, you may want to enable VLAN support on the ProCurve Secure Router and configure it to route the VLAN traffic on your internal network.
You may also want to enable VLAN support on the ProCurve Secure Router so that you can use VLANs to apply network access controls. By using VLANs, you can tailor access controls for the users who are members of different VLANs. For example, you can apply different access controls to the marketing department, which is part of VLAN 12, than the access controls you apply to the executives of your company, who are part of VLAN 20. (For more information about access controls on router interfaces, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.)
You can also use VLANs to grant groups of users access to VPNs. (For more information about VPNs, see the Advanced Management and Configuration Guide, Chapter 8: Virtual Private Networks.)
Configuring VLAN Support
Configuring VLAN support on the ProCurve Secure Router involves four steps:
1. Enable the ProCurve Secure Router to read IEEE 802.1Q tags.
2. Create Ethernet subinterfaces.
3. Associate each Ethernet subinterface with a VLAN ID.
4. Assign the Ethernet subinterfaces an IP address.
Enabling VLAN Support. To configure the ProCurve Secure Router to recognize the IEEE 802.1Q tag and route traffic accordingly, enter the following command from the Ethernet interface configuration mode context:
ProCurve(config-eth 0/1)# encapsulation 802.1Q
After you enter this command, the ProCurve Secure Router immediately recognizes that it must route traffic through this Ethernet interface to multiple VLANs with separate IP addresses. You will no longer be able to assign an IP address to the Ethernet interface. Instead, you must assign an IP address to the Ethernet subinterfaces.
Creating Subinterfaces. Because each VLAN represents a subnet with a unique network IP address, you must create one Ethernet subinterface for each VLAN. To create an Ethernet subinterface, move to the Ethernet interface configuration mode context and enter the following command:
Syntax: interface eth 0/<port number.subinterface number>
Replace <port number> with 1 for the bottom Ethernet port and with 2 for the top port. Replace <subinterface number> with a number that uniquely identifies this subinterface.
For example, to create the Ethernet subinterface 0/1.1, enter:
ProCurve(config-eth 0/1)# interface ethernet 0/1.1
The router prompt shows that you are at the configuration mode context for the Ethernet subinterface that you just created:
ProCurve(config-eth 0/1.1)#
Setting the VLAN ID. Next, you must associate the subinterface with a particular VLAN on your network. To create this association, enter the following command from the Ethernet subinterface configuration mode context:
Syntax: vlan-id <vlan id> [native]
Replace <vlan id> with the number of the VLAN. Use the native option if you want the traffic to leave the subinterface untagged. If you do not include this option, the traffic will remain tagged.
Assigning an IP Address
You must assign the Ethernet subinterfaces a static IP address. From the Ethernet subinterface configuration mode context, enter:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For example, if you are configuring a subinterface for VLAN 2 and VLAN 2 encompasses the subnet 192.168.115.0 255.255.255.0, you might enter:
ProCurve(config-eth 0/1.1)# ip address 192.168.115.5 /24
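The four steps above (enable 802.1Q, create a subinterface per VLAN, bind the VLAN ID, assign a static address) lend themselves to being generated and checked before they are pasted into the CLI. The function below is an added example, not ProCurve code: it emits the commands exactly as this section gives them and rejects VLAN IDs outside the 12-bit range, duplicate VLAN IDs, more than one native VLAN per port, and overlapping subnets (the page notes that interface addresses on the router must not overlap). The VLAN IDs and subnets in the sample are constructed.

```python
"""Generate and sanity-check the VLAN subinterface configuration described in
this section. Added example, not ProCurve code; sample values are constructed."""
import ipaddress

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094    # 12-bit VLAN ID; 0 and 4095 are reserved


def vlan_subinterface_config(port: int, vlans: list) -> list:
    """Return CLI lines for Ethernet 0/<port> with one subinterface per VLAN.

    Each entry of `vlans` is a dict with "vlan_id" (int), "address"
    ("A.B.C.D/prefix") and optionally "native" (True to send that VLAN's
    traffic untagged). Raises ValueError on conflicts instead of emitting a
    configuration the router would reject or that would misroute traffic.
    """
    if port not in (1, 2):
        raise ValueError("the router has two Ethernet ports: 0/1 (bottom) and 0/2 (top)")
    # Step 1: make the interface read 802.1Q tags. After this, the physical
    # interface itself can no longer carry an IP address.
    lines = [f"interface ethernet 0/{port}", "encapsulation 802.1Q", "no shutdown"]
    seen_ids = set()
    networks = []
    native_count = 0
    for sub_num, vlan in enumerate(vlans, start=1):
        vid = int(vlan["vlan_id"])
        if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
            raise ValueError(f"VLAN ID {vid} is outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
        if vid in seen_ids:
            raise ValueError(f"VLAN ID {vid} is bound to two subinterfaces")
        seen_ids.add(vid)
        iface = ipaddress.ip_interface(vlan["address"])
        # Each VLAN is its own subnet; addresses on different router interfaces
        # must not overlap, so check every earlier subinterface's network.
        for other in networks:
            if iface.network.overlaps(other):
                raise ValueError(f"{iface.network} overlaps {other}")
        networks.append(iface.network)
        native = bool(vlan.get("native"))
        if native:
            native_count += 1
            if native_count > 1:
                # Untagged frames arriving on the port can map to only one VLAN.
                raise ValueError("more than one native VLAN on the same port")
        # Steps 2-4: create the subinterface, bind the VLAN ID, assign the
        # static address (note the space before the /prefix length).
        lines.append(f"interface ethernet 0/{port}.{sub_num}")
        lines.append(f"vlan-id {vid}" + (" native" if native else ""))
        lines.append(f"ip address {iface.ip} /{iface.network.prefixlen}")
        lines.append("no shutdown")
    return lines


if __name__ == "__main__":
    sample = [  # constructed: marketing on VLAN 12, executives untagged on VLAN 20
        {"vlan_id": 12, "address": "192.168.12.1/24"},
        {"vlan_id": 20, "address": "192.168.20.1/24", "native": True},
    ]
    print("\n".join(vlan_subinterface_config(1, sample)))
```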
Viewing the Status of Ethernet Interfaces or Subinterfaces
After you configure an Ethernet interface or subinterface, you may want to view the configuration settings you have entered, or you may want to determine the status of the interface—is the interface up, down, or administratively down? You can use the following commands to view the configuration and status of Ethernet interfaces and subinterfaces:
■ show interfaces command
■ show running-config commands
show interfaces Command
To view the status of an Ethernet interface, move to the enable mode context and enter:
Syntax: show interfaces ethernet 0/<port>
For example, to view the status of the Ethernet 0/1 interface, enter:
ProCurve# show interfaces ethernet 0/1
If you are not at the enable mode context, you can use the do command. Enter:
ProCurve(config-eth 0/1)# do show interfaces ethernet 0/1
Figure 3-5. Interpreting the Output from a show interfaces ethernet Command
The Ethernet 0/1 interface shown in Figure 3-5 is up, and the line protocol is up. You can also see that the IP address and subnet mask have been configured and the speed of the connection is 100 Mbps with full-duplex.
If you have created Ethernet subinterfaces to support the VLANs on your network, enter:
Syntax: show interfaces eth 0/<port number.subinterface number>
For example, to view the status of the Ethernet 0/2.5 subinterface, enter:
ProCurve# show interfaces ethernet 0/2.5
You can view the status information for the Ethernet interfaces in real-time by adding the realtime option to the show interfaces command. (See Figure 3-6.)
Syntax: show interfaces eth 0/<port number.subinterface number> [realtime]
eth 0/1 is UP, line protocol is UP
  Hardware address is 00:15:55:05:35:D4
  Ip address is 192.168.1.1, netmask is 255.255.255.0
  MTU is 1500 bytes, BW is 100000 Kbit
  100Mb/s, negotiated full-duplex, configured full-duplex
  ARP type: ARPA; ARP timeout is 20 minutes
  5 minute input rate 32 bits/sec, 0 packets/sec
  5 minute output rate 16 bits/sec, 0 packets/sec
    16 packets input, 1460 bytes
    0 unicasts, 16 broadcasts, 0 multicasts input
    0 unknown protocol, 0 symbol errors, 0 discards
    0 input errors, 0 runts, 0 giants
    0 no buffer, 0 overruns, 0 internal receive errors
    0 alignment errors, 0 crc errors
    3 packets output, 522 bytes
    2 unicasts, 1 broadcasts, 0 multicasts output
    0 output errors, 0 deferred, 0 discards
    0 single, 0 multiple, 0 late collisions
    0 excessive collisions, 0 underruns
    0 internal transmit errors, 0 carrier sense errors
    0 resets, 0 throttles
Callouts in Figure 3-5: the first line shows that the Physical Layer and Data Link Layer are up; the 100Mb/s line shows the negotiated speed and type of duplex.
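Reading this output by eye is fine for one interface; for routine checks it helps to parse it and flag the conditions this chapter warns about: an interface or line protocol that is not up, a negotiated duplex that differs from the configured one, an MTU that differs from the far end's, and non-zero error counters. The parser below is an added example, not ProCurve code; SAMPLE_OUTPUT is constructed in the layout of Figure 3-5 and deliberately contains a duplex mismatch, CRC errors and late collisions.

```python
"""Health-check an Ethernet interface from `show interfaces ethernet` output.
Added example, not ProCurve code. SAMPLE_OUTPUT is constructed in the layout
of Figure 3-5 and deliberately shows a duplex mismatch and error counters."""
import re

SAMPLE_OUTPUT = """\
eth 0/1 is UP, line protocol is UP
  Hardware address is 02:00:00:00:00:01
  Ip address is 192.168.1.1, netmask is 255.255.255.0
  MTU is 1500 bytes, BW is 100000 Kbit
  100Mb/s, negotiated half-duplex, configured full-duplex
  ARP type: ARPA; ARP timeout is 20 minutes
    16 packets input, 1460 bytes
    0 input errors, 0 runts, 0 giants
    0 alignment errors, 7 crc errors
    3 packets output, 522 bytes
    0 single, 0 multiple, 2 late collisions
"""

STATUS_RE = re.compile(r"^(eth \d+/\d+(?:\.\d+)?) is (\w+), line protocol is (\w+)")
LINK_RE = re.compile(r"^\s*(\d+)Mb/s, negotiated (\w+)-duplex, configured (\w+)-duplex")
MTU_RE = re.compile(r"MTU is (\d+) bytes")
ERROR_COUNTERS = ("input errors", "runts", "giants", "alignment errors",
                  "crc errors", "late collisions")
COUNTER_RE = re.compile(r"(\d+) (" + "|".join(ERROR_COUNTERS) + ")")


def parse_show_interface(text: str) -> dict:
    """Extract status, link settings, MTU and error counters from the output."""
    info = {"counters": {}}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            info["name"], info["status"], info["line_protocol"] = m.groups()
            continue
        m = LINK_RE.match(line)
        if m:
            info["speed_mbps"] = int(m.group(1))
            info["negotiated_duplex"] = m.group(2)
            info["configured_duplex"] = m.group(3)
            continue
        m = MTU_RE.search(line)
        if m:
            info["mtu"] = int(m.group(1))
        for count, name in COUNTER_RE.findall(line):
            info["counters"][name] = int(count)
    return info


def health_findings(info: dict, expected_mtu: int = 1500) -> list:
    """Return findings worth acting on; an empty list means the link looks healthy."""
    findings = []
    if info.get("status") != "UP" or info.get("line_protocol") != "UP":
        findings.append("interface or line protocol is not up")
    negotiated, configured = info.get("negotiated_duplex"), info.get("configured_duplex")
    if negotiated and configured and negotiated != configured:
        # See the note under "Setting the Speed": a peer may fail to negotiate
        # duplex when speed is fixed; set duplex explicitly on both ends.
        findings.append(f"duplex mismatch: negotiated {negotiated}, configured {configured}")
    if info.get("mtu") != expected_mtu:
        # An MTU that differs from the far end prevents OSPF adjacency.
        findings.append(f"MTU {info.get('mtu')} differs from expected {expected_mtu}")
    for name in ERROR_COUNTERS:
        if info["counters"].get(name, 0):
            findings.append(f"{info['counters'][name]} {name}")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_show_interface(SAMPLE_OUTPUT)):
        print("WARN:", finding)
```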
Figure 3-6. Results of the show interface ethernet realtime Command
To end the realtime display of the show interface ethernet command, enter Ctrl+C. To suspend the updates and maintain the current display, enter f. To view the updates again, enter r.
show running-config Commands
Located in RAM, the running-config file includes the configurations that are currently running on the router—this includes the configurations that were read from the startup-config when the ProCurve Secure Router was booted, and any configurations that you have subsequently entered. The running-config is cleared every time the ProCurve Secure Router is powered down, and any changes that have not been saved to the startup-config file are lost.
Note: To save the running-config to the startup-config file, you must enter one of the following commands from the enable mode context:
write memory
copy running-config startup-config
-------------------------------------------------------------------
eth 0/1 is UP, line protocol is UP
  Hardware address is 00:12:79:05:25:B0
  Ip address is 192.168.1.1, netmask is 255.255.255.0
  MTU is 1500 bytes, BW is 100000 Kbit
  100Mb/s, negotiated full-duplex, configured full-duplex
  ARP type: ARPA; ARP timeout is 20 minutes
  5 minute input rate 208 bits/sec, 0 packets/sec
  5 minute output rate 608 bits/sec, 1 packets/sec
    47 packets input, 7448 bits/sec, 1 packets/sec
    244 packets input, 22907 bytes multicasts input
    192 unicasts, 52 broadcasts, 0 multicasts input
    0 input errors, 0 runts, 0 giants
    0 no buffer, 0 overruns, 0 internal receive errors
    0 alignment errors, 0 crc errors
    3 packets output, 512 bytes
    204 packets output, 16642 bytes multicasts output
    193 unicasts, 1 broadcasts, 10 multicasts output
    0 single, 0 multiple, 0 late collisions
    0 excessive collisions, 0 underruns
    0 internal transmit errors, 0 carrier sense errors
(OUTPUT TRUNCATED)
--------------------------------------------------
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'
Callout in Figure 3-6: the last line gives the instructions for pausing or ending the output.
Viewing the Configurations That Have Been Entered
To view the settings that have been entered manually and are currently being used by the ProCurve Secure Router, move to the enable mode context and enter:
ProCurve# show running-config
This command displays the current configurations for the router. You must browse the output to find the configurations for the Ethernet interfaces, which are listed under the headings interface eth 0/1 or interface eth 0/2. If you have configured Ethernet subinterfaces, the configurations for each are listed under their respective ports.
If you do not want to browse through the entire running-config, you can enter:
ProCurve# show running-config interface eth 0/<port>
This command displays the manually entered configurations for only the Ethernet interface that you specify.
Likewise, you can view the configuration settings you have entered for the Ethernet subinterfaces by entering:
Syntax: show running-config interface eth 0/<port number.subinterface number>
Figure 3-7 shows the portion of the show running-config output that is related to the Ethernet 0/1.1 subinterface.
Figure 3-7. Viewing the show running-config Command for an Ethernet Subinterface

interface eth 0/1.1
  ip address 192.168.1.1 255.255.255.0
  no shutdown

Viewing All the Configuration Settings Including Defaults
The show running-config command displays only the settings that you have configured for the ProCurve Secure Router. It does not display the default settings, which are automatically applied to the router. To view all the settings that are currently applied to the router, enter the following command from the enable mode context:
ProCurve# show running-config verbose
The display shows the current running-config file, including any default set-tings. Again, you will need to browse for the information relating to the Ethernet interface or subinterface you are checking.
Alternately, you can enter the following command to display only information about a particular Ethernet interface or subinterface:
Syntax: show running-config interface eth 0/<port number.subinterface number> verbose
Figure 3-8 shows the output for the Ethernet 0/2.1 interface.
Figure 3-8. Using the show running-config verbose Command
interface eth 0/2.1
  description alias native
  no shutdown
  ip address 192.10.10.1 255.255.255.0
  ip proxy-arp
  ip ospf authentication-key
  ip ospf authentication null
  ip ospf message-digest-key 1 md5
  ip ospf message-digest-key 2 md5
  ip ospf cost 0
  ip ospf retransmit-interval 5
  ip ospf transmit-delay 1
  ip ospf priority 1
  ip ospf hello-interval 10
  ip ospf dead-interval 40
  no ip mcast-stub helper-enable
  ip igmp version 2
  ip igmp last-member-query-interval 1000
  ip igmp query-interval 60
  ip igmp query-max-response-time 10
  ip igmp querier-timeout 120
  no ip igmp immediate-leave
  mtu 1500
  bandwidth 0
  ip route-cache
  ip split-horizon
  no crypto map
  no dynamic-dns
  no qos-policy out
  max-reserved-bandwidth 75
To understand the difference between the show running-config command and the show running-config verbose command, compare Figure 3-7 to Figure 3-8. For example, if you entered the IP address, a description, and the no shut command to configure the Ethernet interface, only those settings are listed when you enter the show running-config command.
When you enter show running-config verbose, the default settings that you have not altered are displayed as well. For example, the show running-config verbose command displays settings such as the Ethernet interface's MTU, speed and duplex settings, and MAC address, as well as settings for OSPF routing and Link Layer Discovery Protocol (LLDP). The verbose view is also the place to confirm defaults you might not expect: Figure 3-8, for instance, shows ip proxy-arp in effect and ip ospf authentication null on an interface whose operator typed neither, which matters if the interface faces an untrusted segment.
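The following Python script, added here as an example (it is not code from the guide or from HP), makes that comparison mechanically: it parses the interface block from both views, reports the lines that appear only in the verbose view (the defaults actually in effect), and flags a short watch-list of them. The verbose sample is the text of Figure 3-8; the non-verbose sample is constructed for eth 0/2.1 from the three commands the paragraph names; the watch-list and its notes are this example's judgement, not the guide's.

```python
import re

# Non-verbose view of eth 0/2.1, constructed from the three commands the paragraph
# names (description, IP address, no shutdown).
RUNNING_CONFIG = """\
interface eth 0/2.1
 description alias native
 ip address 192.10.10.1 255.255.255.0
 no shutdown
"""

# Verbose view: the text of Figure 3-8.
RUNNING_CONFIG_VERBOSE = """\
interface eth 0/2.1
 description alias native
 no shutdown
 ip address 192.10.10.1 255.255.255.0
 ip proxy-arp
 ip ospf authentication-key
 ip ospf authentication null
 ip ospf message-digest-key 1 md5
 ip ospf message-digest-key 2 md5
 ip ospf cost 0
 ip ospf retransmit-interval 5
 ip ospf transmit-delay 1
 ip ospf priority 1
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 no ip mcast-stub helper-enable
 ip igmp version 2
 ip igmp last-member-query-interval 1000
 ip igmp query-interval 60
 ip igmp query-max-response-time 10
 ip igmp querier-timeout 120
 no ip igmp immediate-leave
 mtu 1500
 bandwidth 0
 ip route-cache
 ip split-horizon
 no crypto map
 no dynamic-dns
 no qos-policy out
 max-reserved-bandwidth 75
"""

# Defaults worth a second look before the interface faces an untrusted segment.
# This watch-list is the example's own judgement, not a recommendation in the guide.
WATCH = {
    "ip proxy-arp": "router answers ARP for off-link addresses; disable unless required",
    "ip ospf authentication null": "OSPF adjacencies on this interface are unauthenticated",
    "no crypto map": "no IPsec policy is bound to the interface",
}

INTERFACE_RE = re.compile(r"^interface\s+(\S+(?:\s+\S+)?)\s*$")   # e.g. "interface eth 0/2.1"

def parse_interface_block(text):
    """Return (interface name, set of configuration lines under it)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not INTERFACE_RE.match(lines[0]):
        raise ValueError("text does not start with an interface line")
    return INTERFACE_RE.match(lines[0]).group(1), set(lines[1:])

def implicit_defaults(explicit_text, verbose_text):
    """Lines that appear only in the verbose view: settings in effect that nobody typed."""
    name, explicit = parse_interface_block(explicit_text)
    vname, verbose = parse_interface_block(verbose_text)
    if name != vname:
        raise ValueError("blocks describe different interfaces: %s vs %s" % (name, vname))
    return sorted(verbose - explicit)

def review_defaults(explicit_text, verbose_text):
    """Map each watched default that is in effect to its note."""
    return {d: WATCH[d] for d in implicit_defaults(explicit_text, verbose_text) if d in WATCH}

if __name__ == "__main__":
    for line in implicit_defaults(RUNNING_CONFIG, RUNNING_CONFIG_VERBOSE):
        print("default:", line)
    for line, note in review_defaults(RUNNING_CONFIG, RUNNING_CONFIG_VERBOSE).items():
        print("CHECK  :", line, "-", note)
```

Paste the two command outputs into the two string constants and run the script; anything it prints under CHECK is a default you are relying on without having chosen it.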
Troubleshooting an Ethernet Interface
The first step in troubleshooting problems with any interface is to enter the show interfaces command. This command allows you to determine, at a glance, if the connection is up.
If the interface has not been activated, the following status is displayed:
eth 0/1 is administratively down
You should then move to the Ethernet interface configuration mode context and enter the no shutdown command.
Two error messages indicate problems with the interface:
■ “eth 0/1 is DOWN” indicates that the Physical Layer is not active. This problem may be caused by:
• loose or bad connection
• bad cabling
• no cabling
■ “line protocol is DOWN” indicates that the software processes that handle the line protocol consider the interface down. Whether due to faulty hardware, incompatible configurations, or problems at the other end of the line, the ProCurve Secure Router cannot negotiate a link on the interface.
Depending on the error messages displayed, you should check the cabling or the configuration settings for the Ethernet interface. If the “eth 0/1 is DOWN” message is displayed, substitute a different 10Base-T or 100Base-T cable and make sure the connectors are securely seated in the Ethernet port on both the router and the far-end device.
If the “line protocol is DOWN” message is displayed, check your configuration. Ensure that the Ethernet interface can successfully negotiate the speed and duplex settings for the line.
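As an added example (not code from the guide or from HP), the following Python script applies the rules above to the text of a show interfaces command: it reads the status line, the negotiated and configured duplex settings, and the error counters, and returns the same diagnosis this section gives. The sample outputs are constructed in the shape of the show interfaces output shown earlier in this chapter; the counter values, and the heuristic that flags nonzero error counters on a link that is up, are this example's own.

```python
import re

# Constructed samples in the form of the show interfaces output shown earlier in this
# chapter; the counter values are made up for the example.
UP_SAMPLE = """\
eth 0/1 is UP, line protocol is UP
  Hardware address is 00:12:79:05:25:B0
  Ip address is 192.168.1.1, netmask is 255.255.255.0
  100Mb/s, negotiated full-duplex, configured full-duplex
  0 input errors, 0 runts, 0 giants
  0 alignment errors, 0 crc errors
  0 single, 0 multiple, 0 late collisions
"""
ADMIN_DOWN_SAMPLE = "eth 0/1 is administratively down\n"
PHYS_DOWN_SAMPLE = "eth 0/2 is DOWN, line protocol is DOWN\n"
PROTO_DOWN_SAMPLE = """\
eth 0/2 is UP, line protocol is DOWN
  10Mb/s, negotiated half-duplex, configured full-duplex
  0 input errors, 0 runts, 0 giants
  0 alignment errors, 12 crc errors
  0 single, 3 multiple, 40 late collisions
"""

STATUS_RE = re.compile(
    r"^(?P<name>eth \d+/\d+(?:\.\d+)?) is "
    r"(?P<phys>administratively down|UP|DOWN)"
    r"(?:, line protocol is (?P<proto>UP|DOWN))?",
    re.M,
)
DUPLEX_RE = re.compile(r"negotiated (\S+-duplex), configured (\S+-duplex)")
# "12 crc errors", "40 late collisions"; the lookbehind keeps "0/1" and dotted addresses out.
COUNTER_RE = re.compile(r"(?<![\d/.:])(\d+) ([a-z][a-z ]+?)(?=,|$)", re.M)

def parse_show_interface(text):
    """Pull the status line, duplex negotiation, and numeric counters out of one
    interface's show interfaces output."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no interface status line found")
    duplex = DUPLEX_RE.search(text)
    return {
        "interface": m["name"],
        "physical": m["phys"],
        "protocol": m["proto"],                       # None when administratively down
        "negotiated": duplex.group(1) if duplex else None,
        "configured": duplex.group(2) if duplex else None,
        "counters": {label: int(n) for n, label in COUNTER_RE.findall(text)},
    }

def diagnose(text):
    """Apply the section's rules: administratively down -> no shutdown; DOWN -> cabling;
    line protocol DOWN -> speed/duplex negotiation."""
    st = parse_show_interface(text)
    if st["physical"] == "administratively down":
        verdict, advice = "admin_down", "enter no shutdown in the interface configuration context"
    elif st["physical"] == "DOWN":
        verdict, advice = "phys_down", "Physical Layer down: replace the cable and reseat both connectors"
    elif st["protocol"] == "DOWN":
        verdict, advice = "proto_down", "line protocol down: check speed and duplex negotiation"
        if st["negotiated"] and st["negotiated"] != st["configured"]:
            advice += " (negotiated %s, configured %s)" % (st["negotiated"], st["configured"])
    else:
        verdict, advice = "up", "interface is up"
    # Example's own heuristic, not from the guide: nonzero error or collision counters on
    # a link that is up usually point at a duplex mismatch or a marginal cable.
    suspicious = {k: v for k, v in st["counters"].items()
                  if v and (k.endswith("errors") or k.endswith("collisions") or k in ("runts", "giants"))}
    return {"interface": st["interface"], "verdict": verdict, "advice": advice, "suspicious": suspicious}

if __name__ == "__main__":
    for sample in (UP_SAMPLE, ADMIN_DOWN_SAMPLE, PHYS_DOWN_SAMPLE, PROTO_DOWN_SAMPLE):
        r = diagnose(sample)
        print(r["interface"], r["verdict"], "-", r["advice"], r["suspicious"] or "")
```

Feed it the captured output of show interfaces for one port at a time; the verdict tells you which of the three checks above applies, and the suspicious counters tell you whether an interface that reports UP/UP still deserves a look at its cabling or duplex settings.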
show event-history Command
Another useful tool for troubleshooting problems on the Ethernet interface is the show event-history command. By default, the ProCurve Secure Router logs events such as changes in the status of interfaces and ports. To display this information, enter the following command from the enable mode context:
ProCurve# show event-history
To isolate problems, you can clear the event history, reproduce the problem, and then display the event history again. To clear the event history, enter the following command from the enable mode context:
ProCurve# clear event-history
The event history is automatically cleared when the router is rebooted, so copy the output elsewhere before rebooting if you need it for later analysis.
debug interface ethernet Command
If you check the configurations and basic hardware used for the Ethernet connection and still cannot resolve the issue, you can use the debug interface command to display information about the interface in real-time.
Syntax: debug interface <interface>
Replace <interface> with ethernet.
For example, if you cannot establish an Ethernet connection, you may want to enter this command to determine if the Ethernet interface is successfully negotiating the speed and the duplex setting. Figure 3-9 shows the debug messages for an Ethernet interface that was successfully established.
Figure 3-9. debug interface ethernet Messages

2005.08.27 15:31:53 ETHERNET_INTERFACE.eth 0/1 auto-negotiation in progress
2005.08.27 15:31:55 ETHERNET_INTERFACE.eth 0/1 auto-negotiation complete
2005.08.27 15:31:56 ETHERNET_INTERFACE.eth 0/1 link up
2005.08.27 15:31:56 ETHERNET_INTERFACE.eth 0/1 speed is 100Mbps, full duplex
2005.08.27 15:31:56 INTERFACE_STATUS.eth 0/1 changed state to up

To end the display of debug messages, enter:
Syntax: no debug interface <interface>
ProCurve# no debug interface ethernet
Quick Start
This section provides the commands you must enter to quickly configure Ethernet interfaces. Only a minimal explanation is provided.
If you need additional information about any of these options, see “Contents” on page 3-1 to locate the section and page number that contains the explanation you need.
Configuring the Ethernet Interface
To configure the Ethernet interface, complete these steps:
1. Use a 10Base-T or 100Base-T cable to connect the Ethernet port on the ProCurve Secure Router to the appropriate device on your LAN. In most cases, you will connect the router to a switch.
2. Establish a terminal session with the ProCurve Secure Router. You are automatically at the basic mode context.
ProCurve>
3. Move to the enable mode context. If you have configured a password for the enable mode context, enter that password when you are prompted to do so.
ProCurve> enable
Password:
4. Move to the global configuration mode context.
ProCurve# configure terminal
5. Access the Ethernet configuration mode context:
Syntax: interface ethernet 0/<port>
For example, if you want to configure the bottom Ethernet port, enter:
ProCurve(config)# interface ethernet 0/1
6. Assign the Ethernet interface an IP address.
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For example, if you want to assign the Ethernet interface the IP address 192.168.1.1 /24, enter:
ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24
7. Activate the interface
ProCurve(config-eth 0/1)# no shut
8. View the status of the Ethernet interface you just configured.
ProCurve(config-eth 0/1)# do show interface ethernet 0/<port>
Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).

Chapter 4: Configuring E1 and T1 Interfaces
Contents

Overview of E1 and T1 WAN Connections                                 4-3
    Elements of an E1- or T1-Carrier Line                             4-3
    Connecting Your Premises to the Public Carrier: the Local Loop    4-4
        External or Built-in CSU/DSU                                  4-6
ProCurve Secure Router Modules                                        4-8
    E1 Modules with a Built-in DSU                                    4-8
        Supported Standards                                           4-8
    T1 Modules with a Built-in CSU/DSU                                4-9
        Supported Standards                                           4-9
    E1 or T1 Interfaces: Configuring the Physical Layer               4-10
        E1 or T1 Interface Configuration Mode Context                 4-11
        Channels                                                      4-12
        Line Coding                                                   4-14
        Frame Format                                                  4-15
        Clock Source, or Timing, for the E1- or T1-Carrier Line       4-17
        Transmit Signal Level (T1 Interfaces Only)                    4-18
        Set the FDL (T1 Interfaces Only)                              4-19
        Activate the E1 or T1 Interface                               4-20
    Threshold Commands                                                4-21
        Types of Line Errors                                          4-22
Viewing Information about E1 and T1 Interfaces                        4-26
    show interfaces Command                                           4-27
    show running-config Command                                       4-28
    show running-config verbose Command                               4-29
Troubleshooting E1 and T1 WAN Connections                             4-30
        No Light                                                      4-32
        Red Light                                                     4-32
        Yellow Light                                                  4-34
        Green Light                                                   4-35
    Viewing Performance Statistics                                    4-35
Quick Start                                                           4-37
    Configuring an E1 or T1 Interface                                 4-38
Overview of E1 and T1 WAN Connections
Public carriers offer E1- and T1-carrier lines for customers who need dedicated, point-to-point wide area network (WAN) connections. The connection is always active, so data can be transmitted immediately at any time, with no dial-up process. A leased line is private only in the sense that it is not shared with other customers: it does not encrypt what it carries, so data that must stay confidential across the carrier's network still needs its own encryption.
In Europe, Australia, South America, and Asia, Public Telephone and Tele-graph (PTT) authorities offer E1-carrier lines, which provide 2.048 Mbps bandwidth. In the United States, Canada, and sometimes Japan, telcos offer T1-carrier lines, which provide 1.544 Mbps bandwidth.
Note: In Japan, PTTs offer T1-carrier lines and sometimes E1-carrier lines for data. For traditional analog voice, these PTTs offer J1-carrier lines. (J1 lines are outside the scope of the ProCurve Secure Router Management and Configuration Guide.)
An E1- or T1-carrier line can be used for both traditional analog voice and data—a characteristic that can make it an appealing option for some companies. By combining analog voice and data on an E1- or T1-carrier line, companies may be able to save money on their telephone and data communications costs.
Elements of an E1- or T1-Carrier Line
All WAN connections, including E1- and T1-carrier lines, consist of three basic elements:
■ the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection
■ electrical signaling specifications for generating, transmitting, and receiv-ing signals through the various transmission media
■ Data Link Layer protocols, which provide logical flow control for moving data between the peers in the WAN (peers are the devices at either end of a WAN connection)
Physical transmission media and electrical specifications are part of the Physical Layer (Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (Layer 2). (See Figure 4-1.)
Figure 4-1. Physical and Data Link Layers of the OSI model
When you configure an E1 or T1 WAN connection, you must configure both the Physical Layer and the Data Link Layer (which is also called the logical layer).
Connecting Your Premises to the Public Carrier: the Local Loop
In the United States and Canada, the network that provides the infrastructure for T1-carrier lines is called the public switched telephone network (PSTN). In all other countries, PTT authorities provide the infrastructure for WAN connections.
When you lease an E1- or T1-carrier line, your LAN must be connected to the public carrier’s nearest central office (CO). All of the telecommunications infrastructure that is used to connect your LAN to the CO is collectively called the local loop. Because the CO may be located miles away from your premises, this telecommunications infrastructure may include repeaters, as well as switches, cable, and connectors. (See Figure 4-2.)
Figure 4-1 (diagram): the OSI layers 1 through 7 are Physical, Data Link, Network, Transport, Session, Presentation, and Application. E1 and T1 sit at Layer 1 (Physical); PPP, Frame Relay, and HDLC sit at Layer 2 (Data Link).
Figure 4-2. Local Loop
All carrier lines require the same basic components on the local loop, although the components may differ slightly in form and design. (See Figure 4-2.) These components are listed below:
■ CSU/DSU—The Channel Service Unit/Digital Service Unit (CSU/DSU) has two purposes: The DSU accepts traffic from the router and translates it from the signaling format used on the LAN to the format necessary for transmission on the WAN. The CSU then generates the signal to be sent across the WAN. For incoming traffic, the CSU regenerates the signal for transmission across the LAN.
■ Demarc—A line of demarcation, or demarc, separates your wiring and equipment from the public carrier’s wiring and equipment. As a general rule, you own, operate, and maintain the wiring and equipment on your side of the demarc, and the public carrier owns, operates, and maintains the wiring and equipment on its side of the demarc.
■ Network interface unit (NIU)—The NIU automatically maintains the WAN connection and enables public carrier employees to perform simple man-agement tasks from a remote location. The NIU is usually located outside the subscriber’s premises so that public carrier employees can always access it. In the United States and Canada, the NIU is commonly referred to as the smart jack.
■ Wire span—Because public carrier networks were originally designed to carry analog voice calls, copper wire is still the most common physical transmission medium used on the local loop. Because copper wire has a limited capacity to carry signals, local loops that use copper wire are the slowest, least capable component of the WAN connection.
Figure 4-2 (diagram): from the subscriber outward, the local loop consists of the LAN, the router (DTE), the CSU/DSU, the demarc, the network interface unit (smart jack), the wire span with repeaters, and the office channel unit (OCU, the PTT's CSU) at the public carrier's CO.
■ Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. The distance between repeaters depends on the type of connection, including the transmission media used. On an E1 or T1 connection over unshielded twisted pair (UTP) wiring, the distance between repeaters is one mile or less.
■ Office channel unit—Located at the CO, the office channel unit (OCU) performs the same function at the public carrier’s site that the CSU performs at each subscriber’s site: It generates the signal to be sent across the WAN—either to be sent to a subscriber’s premises or to be transmitted on to the public carrier network.
Although you will never see most of these components, having a basic under-standing of the local loop can help you work with your public carrier to troubleshoot problems if your E1- or T1-carrier line ever goes down.
In addition, two of these components directly affect your E1 or T1 WAN connection: the demarc and the CSU/DSU. The demarc determines which part of the E1 or T1 WAN connection you are responsible for. Again, this becomes important if your E1- or T1-carrier line ever goes down and you have to work with the public carrier to identify and fix the problem.
The CSU/DSU is important because its form and design not only determines which ProCurve Secure Router module you purchase but also which settings you must configure for the E1- or T1-carrier line.
External or Built-in CSU/DSU
Your public carrier determines the type of CSU/DSU that will be used in your WAN connection. There are three options:
■ The public carrier provides the CSU/DSU and installs it on your premises.
■ The public carrier provides the CSU but not the DSU.
■ The public carrier does not provide the CSU/DSU.
In Europe, Australia, South America, and Asia (except Japan), the PTT authority provides either the complete CSU/DSU or just the CSU. In the United States and Canada, public carriers either provide the entire CSU/DSU or provide neither.
If the public carrier provides an external CSU/DSU, you should purchase a serial module. (See Figure 4-3.) For information about the serial module, see Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines.
Figure 4-3. Router Connects Directly to an External CSU/DSU.
If your public carrier does not provide the DSU, the router must include a built-in DSU. You will then use UTP cable with RJ-48C connectors to connect the router to the external CSU. (See Figure 4-4.)
Figure 4-4. Router with a Built-in DSU Connects Directly to the External CSU.
If your public carrier does not provide the CSU/DSU, the router must include a built-in CSU/DSU. In this case, the public carrier provides a wall jack on your premises to connect your router to the local loop, and you use UTP cable with RJ-48C connectors to connect the router to the wall jack. (See Figure 4-5.)
Figure 4-3 (diagram): LAN, router (DTE), external CSU/DSU, demarc, network interface unit (smart jack), wire span with repeaters, and office channel unit (public carrier's CSU) at the public carrier's CO.

Figure 4-4 (diagram): LAN, router with internal DSU, UTP cable with RJ-48C connectors to the external CSU, demarc, network interface unit (smart jack), wire span with repeaters, and office channel unit (public carrier's CSU) at the public carrier's CO.
Figure 4-5. Router with a Built-in CSU/DSU
ProCurve Secure Router Modules
ProCurve Networking provides several E1 and T1 modules, which are described in the next sections.
E1 Modules with a Built-in DSU
If your public carrier does not provide an external DSU, you should use one of the E1 modules, which include a built-in DSU:
■ one-port E1 module
■ two-port E1 module
■ eight-port wide-option module (ProCurve Secure Router 7203dl only)
Supported Standards
The ProCurve Secure Router E1 modules are standards based. Specifically, they support the standards listed in Table 4-1.
Figure 4-5 (diagram): LAN, router with internal CSU/DSU, UTP cable with RJ-48C connectors, demarc, network interface unit (smart jack), wire span with repeaters, and office channel unit (public carrier's CSU) at the public carrier's CO.
Table 4-1. Standards Supported by E1 Modules

Type of Standard    Standards
E-carrier line      International Telecommunications Union (ITU) G.703; ITU-T G.704 (CRC-4); ITU-T G.823; ITU-T G.797
Electrical/power    Norme Europeenne (EN) 60950 (EN is also referred to as European Standards); International Electrotechnical Commission (IEC) 60950; Australian Standard/New Zealand Standard (AS/NZS) 60950

For instructions on configuring E1 modules, see “E1 or T1 Interfaces: Configuring the Physical Layer” on page 4-10.
T1 Modules with a Built-in CSU/DSU
If your public carrier does not provide a CSU/DSU, you should use one of the ProCurve Secure Router T1 modules, which include a built-in CSU/DSU:
■ one-port T1 module
■ two-port T1 module
■ eight-port wide-option module (ProCurve Secure Router 7203dl only)
Supported Standards
The ProCurve Secure Router T1 modules support the standards listed in Table 4-2.
Table 4-2. Standards Supported by T1 Modules

Type of Standard    Standards
T-carrier line      AT&T TR194; AT&T TR54016; American National Standards Institute (ANSI) T1.403
Electrical/power    AT&T Pub 62411 (jitter tolerance); U.S. Federal Communications Commission (FCC) Part 15 Class A; EN 55022 Class A; American Council for Terminal Attachments (ACTA)/FCC Part 68; Industry Canada (IC) CS-03; UL/cUL 60950; IEC 60950

Instructions for configuring the T1 modules begin below.
E1 or T1 Interfaces: Configuring the Physical Layer
When you configure an E1 or T1 interface, the settings you enter must match the settings that your public carrier is using. Your public carrier will provide you with the settings you should enter for the following:
■ number of channels
■ line coding
■ frame format
■ clock source
For T1-carrier lines, your public carrier may also provide you with settings for the following:
■ line build out (LBO), or signal level
■ facility data link (FDL), if you are using the Extended SuperFrame (ESF) frame format
In addition to configuring these options, you must activate the E1 or T1 interface.
These are the minimal configuration options that you must enter to establish the Physical Layer of the WAN connection. In fact, you may not have to enter all of these options: if the public carrier's setting for an option matches the default setting for the E1 or T1 interface, you do not have to configure that option.
The rest of this section describes these options in more detail and explains how to configure them from the command line interface (CLI). If you want to configure the E1 or T1 connection from the Web browser interface, see Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.
E1 or T1 Interface Configuration Mode Context
To begin configuring the E1 or T1 interface that will provide the WAN connec-tion, you must access the appropriate configuration mode context. In the ProCurve Secure Router CLI, move to the global configuration mode context and enter:
Syntax: interface <interface> <slot>/<port>
Replace <interface> with e1 or t1, depending on the type of connection you are configuring. On the ProCurve Secure Router, the interface for each phys-ical port is identified by its slot number and port number.
The possible slot numbers for an E1 or T1 interface are:
■ 1 = dl option module slot 1
■ 2 = dl option module slot 2
■ 3 = dl wide option module slot (ProCurve Secure Router 7203dl only)
The port number you enter depends on the number of ports included in the E1 or T1 module. For example, two-port E1 modules have two E1 ports plus one backup port. (For more information about backup ports, see the ProCurve Secure Router Advanced Management and Configuration Guide, Chapter 3: Configuring Backup WAN Connections.) If the E1 module is located in slot 1 and you are configuring the interface for port 1, enter:
ProCurve(config)# interface e1 1/1
Likewise, if the T1 module is located in slot 2 and you are configuring the interface for port 2, enter:
ProCurve(config)# interface t1 2/2
The router prompt should indicate that you have entered the appropriate interface configuration mode context:
ProCurve(config-t1 2/2)#
From the configuration mode context, you can enter the ? help command to display the commands available from this configuration mode context.
ProCurve(config-t1 2/2)# ?
The settings that you must configure in order to establish an E1 or T1 WAN connection are explained in the following sections.
Channels
As mentioned earlier, E1- and T1-carrier lines provide different transmission speeds. An E1-carrier line provides 2.048 Mbps in total bandwidth, which is divided into 32 channels. A T1-carrier line, on the other hand, provides 1.544 Mbps in total bandwidth, which is divided into 24 channels.
Called digital signal zero (DS0), each channel operates at 64 Kbps, the amount of bandwidth required to transmit a single analog voice call through a digital telecommunications network. The channels in these dedicated circuits are created using time division multiplexing (TDM). By combining, or multiplex-ing, multiple channels into a larger, more complex signal, TDM creates a high-bandwidth channel. (See Figure 4-6.)
Figure 4-6. Multiplexing Multiple Channels into One E1- or T1-Carrier Line
Each channel receives an equal time slice within the complex signal in a rotating, repeating sequence and thus receives an equal amount of bandwidth. On the receiving end, TDM is used to recover the original signals through a reverse process called demultiplexing.
E1 Channels. When you configure an E1 module with a built-in DSU, you must configure the number of channels that the E1 WAN connection uses. You can configure channels 1-31. One channel—channel 0—is used to maintain the connection and cannot be used for data or voice.
If you purchase an entire E1-carrier line, you configure channels 1-31. If you purchase a fractional E1-carrier line, your public carrier will tell you which channels to configure for that connection. (If you want to use some of the channels for voice, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.)

Figure 4-6 (diagram): 32 (E1) or 24 (T1) DS0 channels enter a MUX, are multiplexed onto the E1- or T1-carrier line, and are demultiplexed by the MUX at the far end back into the individual DS0 channels.
T1 Channels. When you configure a T1 module with a built-in CSU/DSU, you must configure the number of channels that the T1 WAN connection uses. If you lease an entire T1 line, you configure channels 1-24. If you lease a fractional T1 line, your public carrier will tell you which channels to configure for that connection. (If you want to use some of the channels for voice, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.)
Configuring the Number of Channels. To configure the number of channels used for an E1 or T1 WAN connection, you use the tdm-group command:
Syntax: tdm-group <number> timeslots <range of numbers> speed [56 | 64]
This command creates a TDM group and assigns it a number of channels. Replace <number> with a number between 1 and 255, and replace <range of numbers> with the channels that will be used for this connection.
The TDM-group number relates directly to the interface that you are config-uring. This means that you can create a TDM group 1 for each E1 or T1 interface on the ProCurve Secure Router.
You enter the tdm-group command from the E1 or T1 interface configuration mode context. For example, to configure the E1 1/1 interface to use all 31 channels, enter:
ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-31
To configure the T1 2/2 interface to use all 24 channels, enter:
ProCurve(config-t1 2/2)# tdm-group 1 timeslots 1-24
Speed Option. If you view the syntax for the tdm-group command from the CLI, you will notice that it includes a speed option, as shown below:
Syntax: tdm-group <number> timeslots <range of numbers> speed [56 | 64]
By default, the speed for channels is 64 kbps, and this setting will be used for all E1-carrier lines and most T1-carrier lines. The speed 56 setting is used only if your public carrier is using a 56 Kbps setting for the connection. In this case, your public carrier will tell you to set the speed for each channel to 56 kbps. For all other environments, you should simply accept the default setting of 64 kbps.
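As an added example (not the guide's or HP's code), the following Python function checks a tdm-group line against the rules in this section before it is typed into an E1 or T1 interface context: group number 1 to 255, channels 1-31 for E1 (TS0 is reserved) or 1-24 for T1, speed 56 or 64 kbps, and the resulting payload bandwidth. Comma-separated timeslot lists such as 1-12,20-24 are an assumption of this example for fractional lines; the guide itself shows only a single range.

```python
import re

# Channel numbers this section allows for data: E1 1-31 (channel 0 is reserved), T1 1-24.
LIMITS = {"e1": (1, 31), "t1": (1, 24)}

TDM_RE = re.compile(
    r"^tdm-group\s+(?P<group>\d+)\s+timeslots\s+(?P<slots>[\d,\-]+)"
    r"(?:\s+speed\s+(?P<speed>56|64))?\s*$"
)

def parse_timeslots(spec):
    """Expand a timeslot spec into a sorted list of channel numbers.
    Comma-separated lists like '1-12,20-24' are an assumption of this example;
    the guide shows only a single a-b range."""
    slots = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError("bad range %r" % part)
            slots.update(range(lo, hi + 1))
        else:
            slots.add(int(part))
    return sorted(slots)

def validate_tdm_group(iface_type, command):
    """Check one tdm-group command for an 'e1' or 't1' interface.
    Returns (ok, message, payload kbps)."""
    m = TDM_RE.match(command.strip())
    if not m:
        return False, "syntax: tdm-group <1-255> timeslots <range> [speed 56|64]", 0
    group = int(m["group"])
    if not 1 <= group <= 255:
        return False, "group number must be 1-255", 0
    lo, hi = LIMITS[iface_type]
    slots = parse_timeslots(m["slots"])
    bad = [s for s in slots if not lo <= s <= hi]
    if bad:
        return False, "%s channels must be %d-%d (got %s)" % (iface_type.upper(), lo, hi, bad), 0
    speed = int(m["speed"] or 64)          # the router's default is 64 kbps per channel
    return True, "%d channel(s) at %d kbps" % (len(slots), speed), len(slots) * speed

if __name__ == "__main__":
    for iface, cmd in (("e1", "tdm-group 1 timeslots 1-31"),
                       ("t1", "tdm-group 1 timeslots 1-24"),
                       ("t1", "tdm-group 1 timeslots 1-12 speed 56"),
                       ("e1", "tdm-group 1 timeslots 0-31")):
        print(iface, cmd, "->", validate_tdm_group(iface, cmd))
```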
Line Coding
In addition to configuring the number of channels for the E1 or T1 connection, you must configure the interface to use the same line coding that your public carrier is using. Line coding defines how digital signals are configured for transport through a physical transmission medium. Line coding schemes use electrical signals to represent the logical 0 and 1 bits in a data stream.
E1- and T1-carrier lines have slightly different options for line coding.
E1 Line Coding. E1-carrier lines use the following line coding schemes:
■ Alternate mark inversion (AMI)
■ High-density bipolar of order 3 (HDB3)
AMI uses alternating positive and negative voltage (referred to as alternating polarity or bipolarity) to represent logical ones, and zero voltage to represent logical zeros. Because AMI uses zero voltage for logical zeros, it can cause synchronization loss between peers at each end of a WAN connection if a data stream contains a long string of logical zeros.
Although HDB3 is based on AMI, HDB3 prevents synchronization loss by limiting the number of consecutive zero signals in a data stream to three. It replaces each run of four logical zeros with three zero-voltage signals followed by a violation pulse, that is, a pulse with the same polarity as the previous pulse, which breaks the alternating pattern and so marks the substitution for the receiver. When needed to keep the line DC-balanced, the first of the four zeros is sent as a normal alternating pulse instead (the B00V pattern), so that successive violations alternate in polarity.
Because HDB3 is the most common line coding scheme used in E1 lines, it is the default setting for all E1 interfaces on the ProCurve Secure Router.
To configure line coding on an E1 interface, enter the following command from the E1 interface configuration mode context:
Syntax: coding [ami | hdb3]
For example, to configure the line coding as AMI, enter:
ProCurve(config-e1 1/1)# coding ami
T1 Line Coding. T1-carrier lines use the following line coding schemes:
■ AMI
■ Bipolar 8-Zero Substitution (B8ZS)
Like HDB3, B8ZS was designed to overcome the deficiencies of AMI. To prevent synchronization loss, B8ZS replaces each string of eight zeros with the pattern 000VB0VB: two violation pulses (V), each repeating the polarity of the pulse before it, paired with two normal alternating pulses (B), so that the receiver can recognize the substitution and restore the zeros while the line stays DC-balanced. Because B8ZS has become the standard line coding used on T1-carrier lines, it is the default setting on the ProCurve Secure Router.
To configure line coding on a T1 interface, enter the following command from the T1 interface configuration mode context:
Syntax: coding [ami | b8zs]
For example, to configure the T1 interface to use the ami option, enter:
ProCurve(config-t1 1/1)# coding ami
Note: If you want to accept a default setting, it is not necessary to enter the command. For an E1-carrier line, you can simply accept the default setting of HDB3. For a T1-carrier line, you can simply accept the default setting of B8ZS.
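The following is an added example, not code from the Secure Router OS or from this guide. It models AMI, B8ZS, and HDB3 at the symbol level so that you can see why a long run of zeros is a problem for AMI, how the two substitution codes bound the run length with deliberate bipolar violations, and why a coding mismatch between the router and the carrier shows up as Line Code Violations: a receiver configured for AMI counts every substitution violation as an error. The starting polarity (the first mark is positive) and the constructed sample bit pattern are assumptions.

```python
# Added example, not Secure Router OS code: a symbol-level model of AMI, B8ZS
# and HDB3. Each line symbol is +1 or -1 (a pulse, or mark) or 0 (zero
# voltage). Modelling assumption: encoder and decoder both start as if the
# previous pulse had been negative, so the first mark is positive.

def ami_encode(bits):
    """AMI: ones alternate polarity, zeros are zero voltage."""
    out, last = [], -1
    for b in bits:
        if b:
            last = -last
            out.append(last)
        else:
            out.append(0)
    return out

def b8zs_encode(bits):
    """B8ZS: eight zeros become 000VB0VB. V repeats the polarity of the preceding
    pulse (a bipolar violation); B is a normal alternating mark. The final B
    restores the original polarity, so DC balance is kept and at most seven
    zero-voltage symbols ever appear in a row."""
    out, last, i = [], -1, 0
    while i < len(bits):
        if bits[i:i + 8] == [0] * 8:
            out.extend([0, 0, 0, last, -last, 0, -last, last])
            i += 8
            continue
        if bits[i]:
            last = -last
            out.append(last)
        else:
            out.append(0)
        i += 1
    return out

def hdb3_encode(bits):
    """HDB3: four zeros become 000V, or B00V when an even number of marks has
    been sent since the last violation, so that successive violations alternate
    polarity and the line stays DC-balanced."""
    out, last, marks_since_v, i = [], -1, 0, 0
    while i < len(bits):
        if bits[i:i + 4] == [0] * 4:
            if marks_since_v % 2 == 0:
                last = -last                    # B00V: B is a normal mark,
                out.extend([last, 0, 0, last])  # V repeats B's polarity
            else:
                out.extend([0, 0, 0, last])     # 000V
            marks_since_v = 0
            i += 4
            continue
        if bits[i]:
            last = -last
            marks_since_v += 1
            out.append(last)
        else:
            out.append(0)
        i += 1
    return out

def decode(pulses, scheme):
    """Recover bits. A pulse with the same polarity as the previous pulse is a
    bipolar violation: under B8ZS or HDB3 it identifies a substitution block,
    which is turned back into zeros; a plain AMI receiver has no such rule."""
    bits = [1 if p else 0 for p in pulses]
    last, i = -1, 0
    while i < len(pulses):
        p = pulses[i]
        if p and p == last and i >= 3:
            if scheme == "hdb3":
                bits[i - 3:i + 1] = [0] * 4     # B00V or 000V block
            elif scheme == "b8zs":
                bits[i - 3:i + 5] = [0] * 8     # 000VB0VB block, ends on polarity 'last'
                i += 5
                continue
        if p:
            last = p
        i += 1
    return bits

def longest_zero_run(pulses):
    """Longest run of zero voltage; long runs starve clock recovery at the receiver."""
    best = run = 0
    for p in pulses:
        run = run + 1 if p == 0 else 0
        best = max(best, run)
    return best

def count_bpv(pulses):
    """Bipolar violations as an AMI receiver counts them (reported as LCVs)."""
    n, last = 0, 0
    for p in pulses:
        if p:
            n += p == last
            last = p
    return n

SAMPLE_BITS = [1] + [0] * 16 + [1, 1]   # constructed: one mark, sixteen zeros, two marks

def compare(bits=SAMPLE_BITS):
    """Per scheme: (longest zero run, BPVs an AMI receiver would flag, round-trip OK)."""
    schemes = (("ami", ami_encode), ("b8zs", b8zs_encode), ("hdb3", hdb3_encode))
    return {name: (longest_zero_run(enc(bits)), count_bpv(enc(bits)),
                   decode(enc(bits), name) == bits) for name, enc in schemes}
```

For the sample pattern, AMI produces sixteen consecutive zero-voltage symbols and no violations; B8ZS and HDB3 both cap the run at three and each inserts four violations that an AMI receiver would count as BPVs, which is exactly the LCV symptom the troubleshooting section later attributes to mismatched line coding. Decoding the B8ZS line with the AMI rule does not recover the original bits.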
Frame Format
You must configure the E1 or T1 interface to use the same frame format as that used by the public carrier. Otherwise, the WAN connection cannot be established.
E1-carrier lines and T1-carrier lines use different frame formats.
E1 Frame Formats. E1 interfaces on the ProCurve Secure Router support two frame formats:
■ E1
■ Cyclic Redundancy Check 4 (CRC4)
In the E1 frame format, a channel (or timeslot) is called a TS, and the 32 channels are numbered TS0 to TS31. Two channels are used to establish and maintain synchronization and signaling: specifically, TS0 is used for synchronization, error detection, and alarms, and TS16 is used for signaling. The other channels are used to transmit data.
CRC4 is based on the E1 frame format but includes additional error detection. A checksum bit is included in all even frames of the 16-frame multiframe: frames 0, 2, 4, 6, 8, 10, 12, and 14. A total of 8 checksum bits are used.
Although E1 interfaces, including those for the G.703 port, support two frame formats, only one option is listed if you enter the following command from the E1 interface configuration mode context:
ProCurve(config-e1 1/1)# framing ?
Only the crc4 option is listed.
By default, the frame format is E1. If your public carrier is using the E1 frame format, you simply accept the default setting by not entering a framing command.
However, if your public carrier is using the CRC4 frame format, enter:
Syntax: framing crc4
ProCurve(config-e1 1/1)# framing crc4
To return to the E1 frame format, enter:
ProCurve(config-e1 1/1)# no framing crc4
T1 Frame Formats. For T1-carrier lines, public carriers use one of two frame formats:
■ D4
■ ESF
D4 (superframe) framing groups 12 DS1 frames, each carrying 24 DS0 channels, into a single superframe. The ESF standard groups 24 DS1 frames into an extended superframe.
The ESF format has essentially replaced the D4 framing standard because it needs only 6 of the 24 framing bits for synchronization and uses the remaining bits for a CRC-6 check and for the facility data link (FDL), which carries maintenance information about the connection. Due to its popularity, ESF is the default setting for T1 modules on the ProCurve Secure Router.
To configure the frame format, enter the following command from the T1 interface configuration mode context:
Syntax: framing [d4 | esf]
If you want to use the default frame format, ESF, you do not have to enter a command. However, if you want to configure the T1 interface to use D4, enter:
ProCurve(config-t1 1/1)# framing d4
Clock Source, or Timing, for the E1- or T1-Carrier Line
Because data transmission requires hosts to be synchronized, you must configure the clock source, or timing, for the E1 or T1 interface. You can configure the E1 or T1 interface with one of the following clock sources:
■ Line—Use the line setting if the E1 or T1 interface will take the clock source from the public carrier.
■ Internal—Use the internal setting if the E1 or T1 interface will provide the clock for the connection. For example, if you connect the ProCurve Secure Router to another router, one of the routers must provide the clock source. If the local ProCurve Secure Router is providing the clock source, use the internal setting.
■ Through—Use the through setting if you want the E1 or T1 interface to take the clock from the other interface on that module.
Each narrow E1 or T1 module can have only one clock source. If the module has two ports, one port must be set to line or internal; the other port must be set to through.
Each port on the eight-port E1 or T1 module can have its own clock source. You can set the clock source for each port to line.
Table 4-3 shows the default clock source settings for the different ports on the E1 or T1 modules.
Table 4-3. Default Clock Source Settings for E1 and T1 Modules

    Module                        Port   Default Clock Source
    One-port E1 or T1 module      1      line
    Two-port E1 or T1 module      1      line
                                  2      through
    E1 + G.703 module             1      line
    T1 + DSX-1 module             2      through
    Eight-port module             1-8    line

Note: On the one-port E1 and T1 modules, the only clock source options are internal and line. This is because when an E1 or T1 interface accepts a clock source with the through setting, the timing must come from another port on the same module.
To configure the clock source, enter the following command from the E1 or T1 interface configuration mode context:
Syntax: clock source [internal | line | through]
For example, to configure the clock source as line, enter:
ProCurve(config-e1 2/1)# clock source line
Note: You cannot connect two interfaces on one module to different service providers because each module can have only one clock source. If you want to use two different service providers, you must purchase two separate modules, or you must purchase the eight-port module.
Transmit Signal Level (T1 Interfaces Only)
With T1 interfaces, you can configure the level of the transmit signal. As the distance between the ends of a T1-carrier line increases, so does attenuation, or loss in signal strength. Long cables (which are defined as cables longer than 655 feet) must send stronger signals and boost these signals with repeaters to overcome attenuation.
When two devices are connected at close proximity, the opposite problem can occur: a strong signal can cause the line to become too “hot.”
The Line Build Out (lbo) command allows the T1 interface to take cable length into account when setting the signal strength. The longer the cable, the stronger the signal needs to be. For short cables, you can set the LBO lower, so that the interface artificially attenuates the T1 output signal, thereby simulating the loss that a longer cable would introduce.
There are two commands for configuring LBO:
Syntax: lbo long <value>
Syntax: lbo short <value>
The command you use depends on the distance between the T1 equipment. This distance is measured in cable length. If the cable is longer than 655 feet, you use the lbo long command. If the cable is shorter than 655 feet, you use the lbo short command.
lbo long Command. If you are configuring LBO for a T1 interface connected by a cable that is longer than 655 feet, use the following command:
Syntax: lbo long <value>
Replace <value> with one of the following numbers, which are in decibels (dB):
■ -22.5
■ -15
■ -7.5
■ 0
You should set the LBO to avoid overloading a receiver’s circuits. For sensitive interfaces or for interfaces that are connected with a long cable but separated by a short distance, use the more negative values to prevent the line from becoming too hot. For example, two units in close proximity should be configured for the maximum attenuation of -22.5 dB:
ProCurve(config-t1 1/1)# lbo long -22.5
To configure LBO for a long cable to -7.5, enter:
ProCurve(config-t1 1/1)# lbo long -7.5
The default setting for LBO is 0 dB.
lbo short Command. If the cable that connects the T1 interface is less than 655 feet long, use the following command:
Syntax: lbo short <value>
Replace <value> with the actual length of the cable, in feet, that separates the two devices. You can enter a number between 0 and 655. For example, if the ProCurve Secure Router is 500 feet of cable away from the other device, you would enter:
ProCurve(config-t1 1/1)# lbo short 500
Based on the number of feet between the two units, the ProCurve Secure Router will set an appropriate signal level.
Set the FDL (T1 Interfaces Only)
T1-carrier lines that use the ESF frame format support an out-of-band channel that is used to transmit performance-monitoring and maintenance information about the line. The facility data link (FDL) channel allows the transmission of monitoring and maintenance flags such as the yellow alarm signal.
If used on a T1-carrier line, the FDL channel must conform to one of the following standards:
■ ANSI T1.403 standard
■ ATT TR 54016 standard
By default, the T1 interfaces on the ProCurve Secure Router use the ANSI standard.
If your public carrier tells you to change this setting, use the following command:
Syntax: fdl [ansi | att | none]
For example, to configure FDL to use the ATT standard, enter:
ProCurve(config-t1 1/1)# fdl att
Use the no form of this command to return to the default value.
If your service provider does not use FDL, you should deactivate the FDL channel by entering:
ProCurve(config-t1 1/1)# fdl none
Activate the E1 or T1 Interface
By default, all physical interfaces on the ProCurve Secure Router are shut down. You must activate the E1 or T1 interface. From the E1 or T1 interface configuration mode context, enter:
Syntax: no shutdown
After you enter this command, the status of the interface will change from down to administratively up.
By default, the ProCurve Secure Router displays a message on the CLI when the status of an interface changes. For example, when you enter no shutdown to activate the E1 interface, you receive this message:
INTERFACE_STATUS.e1 1/1 changed state to administratively up
If you have connected the interface to either the wall jack or the external CSU, the interface will try to establish the Physical Layer of the WAN connection. If the E1 or T1 interface successfully establishes that Physical Layer, another message should be displayed:
INTERFACE_STATUS.e1 1/1 changed state to up
or
INTERFACE_STATUS.t1 1/1 changed state to up
These messages are part of the event-history log and can help you quickly determine if an interface is functional. However, you can suppress these messages if, for example, you feel they disrupt your efforts to configure the router. Move to the enable mode context and enter:
ProCurve# no events
To return to the default setting, enter:
ProCurve# events
Note: The events display should not be confused with event-history, which is a collection of all logs of interface events, as well as other logs. To display this information, enter the show event-history command from the global configuration mode context.
If the status of the interface does not change to up, you may need to troubleshoot the connection, as explained in "Troubleshooting E1 and T1 WAN Connections" on page 4-30.
If the interface is up, you must configure the appropriate Data Link Layer protocol for the connection, as described in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
Threshold Commands
When you configure and activate an E1- or T1-carrier line, line error thresholds are enabled by default. When a threshold is reached, an events notification is displayed on the router’s CLI.
Table 4-4 lists the default settings for line error thresholds.
Table 4-4. Threshold Commands

    Setting  Description                        15-Minute Default  24-Hour Default
    BES      Bursty Errored Seconds             10                 100
    CSS      Controlled Slip Seconds            1                  4
    DM       Degraded Minutes                   1                  4
    ES       Errored Seconds                    65                 648
    LCV      Line Code Violations               13340              133400
    LES      Line Errored Seconds               65                 648
    PCV      Path Coding Violations             72                 691
    SEFS     Severely Errored Framing Seconds   2                  17
    SES      Severely Errored Seconds           10                 100
    UAS      Unavailable Seconds                10                 10

To set a line error threshold, enter the following command from the E1 or T1 interface configuration mode context:
Syntax: threshold [BES | CSS | DM | ES | LCV | LES | PCV | SEFS | SES | UAS] [15Min | 24Hr] <number of errors>
Use the 15Min option to set the thresholds for 15-minute intervals. Use the 24Hr option to set the threshold for 24-hour intervals. The time period for these intervals is based on the past 15 minutes or 24 hours at any given moment, not on set 15-minute or 24-hour blocks of time. By default, both 15-minute and 24-hour thresholds are set.
Types of Line Errors
The ProCurve Secure Router reports 10 types of line errors. Each line error type has its own error triggers. Table 4-5 lists the line errors that the ProCurve Secure Router reports and the triggers for each of these line errors.
Table 4-5. Events That Trigger Line Errors

    Error Type  Triggers
    BES         1-320 Path Coding Violations (PCVs)
    CSS         Controlled Slip Seconds (CSS)
    DM          Bit Error Rate (BER) between .000001 and .001
    ES          ESF and CRC4: PCV; Out Of Frame (OOF); CSS; Alarm Indication Signal (AIS)
                D4 or E1: PCV; OOF; CSS; AIS; Bipolar Violation (BPV)
    LCV         Bipolar Violations (BPVs) and Excessive Zeros (EXZs)
    LES         Seconds with BPVs, EXZs, or Loss Of Signal (LOS); seconds with Line Code Violations (LCVs)
    PCV         E1 or D4: frame synchronization errors; CRC4 or ESF: checksum error
    SEFS        OOF; LOS
    SES         ESF: 320+ PCVs; OOF; AIS
                CRC4: 832+ PCVs; OOF
                D4: framing error; OOF; 1544+ LCVs
                E1 framing: 2048+ LCVs
    UAS         10+ contiguous SESs; line failure plus SES

The following is a list of the line errors and a brief description of each.
BES. A Bursty Errored Second (BES) is a one-second time period with between one and 320 Path Coding Violation (PCV) events, no Severely Errored Framing Seconds (SEFS) defects, and no detected incoming Alarm Indication Signal (AIS) defects.
CSS. A Controlled Slip Second (CSS) is a one-second interval containing one or more controlled slips. A controlled slip is the replication or deletion of the payload bits in a DS1 or E1 frame. This problem may be caused by a difference between the timing of the interface sending and the interface receiving the signal.
DM. A Degraded Minute (DM) is a one-minute interval with a bit error rate (BER) that is higher than .000001. The one-minute intervals are derived by removing severely errored seconds (SESs) from the total time and then consecutively grouping the remaining seconds into blocks of 60.
ES. An Errored Second (ES) is a one-second period with one or more errored blocks or bit errors. For T1-carrier lines that use ESF and E1-carrier lines that use CRC4, one of the following occurs during the one-second period:
■ one or more PCVs
■ one or more Out of Frame (OOF) defects (seven or more consecutive errored framing patterns)
■ one or more CSSs
■ an AIS defect
For carrier lines that use D4 and E1 framing, Bipolar Violations (BPVs) also trigger an ES.
LCV. A Line Code Violation (LCV) occurs when a carrier line experiences either BPVs (when using AMI) or excessive zeros (EXZ) (when using HDB3 or B8ZS). A BPV is an error in which an interface receives two pulses of the same polarity without an intervening pulse of the opposite polarity. An EXZ is the occurrence of any zero string length equal to or greater than eight for B8ZS or greater than four for HDB3. LCVs usually signal a mismatch in line coding type. For example, the local interface uses AMI, but the remote endpoint uses HDB3.
LES. A Line Errored Second (LES) occurs if one or more of the following are detected in a one-second time interval:
■ LCVs (that is, one or more BPVs or EXZs)
■ LOS
The LES count lists the number that have occurred.
PCV. A PCV is caused by a frame synchronization bit error in a D4 or E1 frame. If a T1-carrier line uses ESF or if an E1-carrier line uses CRC4, a PCV is an error detected by the CRC.
SEFS. The number of seconds during which an OOF or LOS occurred.
SES. For a T1-carrier line using ESF, a Severely Errored Second (SES) is one-second time interval during which one of the following occurs:
■ 320 or more PCVs
■ one or more OOF defects
■ an AIS
For an E1-carrier line using CRC4, an SES occurs if one of the following is detected during a one-second interval:
■ 832 or more PCVs
■ one or more OOF defects
For a T1-carrier line using D4 frame formatting, an SES is a second with at least one framing error, OOF defect, or 1544 or more LCVs.
For an E1-carrier line, an SES is caused by 2048 or more LCVs in a second.
UAS. Unavailable Seconds (UAS) are calculated by counting the number of seconds that the interface is unavailable. An E1 or T1 interface becomes unavailable after ten contiguous SESs or the onset of the condition that led to the failure. If the condition leading to the failure was immediately preceded by one or more contiguous SESs, then the UAS are counted from the onset of these SESs.
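The following is an added example, not code from the Secure Router OS or from this guide. It applies the definitions above and in Table 4-5 to a constructed series of one-second samples, classifying each second as ES, BES, SES, or CSS, deriving Unavailable Seconds from the ten-contiguous-SES rule, and then comparing the resulting counts with the default 15-minute thresholds from Table 4-4 to show which thresholds would be reached. The guide does not say when an unavailable interface becomes available again; the code follows the ITU-T G.826 convention (ten contiguous non-SES seconds, which are not counted as UAS) and labels that as an assumption, as it does the use of the same BES range for CRC4 as for ESF.

```python
# Added example, not Secure Router OS code: classify one-second line samples
# using the ES/BES/SES/CSS definitions from Table 4-5, derive UAS with the
# ten-contiguous-SES rule, and compare with the default 15-minute thresholds.

# Default 15-minute thresholds from Table 4-4 for the counters modelled here.
DEFAULT_15MIN = {"BES": 10, "CSS": 1, "ES": 65, "SES": 10, "UAS": 10}

# PCV count at or above which a second is severely errored rather than bursty.
SES_PCV_LIMIT = {"esf": 320, "crc4": 832}

def classify_second(sample, framing="esf"):
    """Return the set of error-second types one sample belongs to.

    sample: dict with keys pcv (int), oof (bool), ais (bool), css (int).
    framing: "esf" (T1) or "crc4" (E1). Both carry a CRC, so a PCV is a
    checksum error; AIS counts towards SES only for ESF, as in the text.
    Assumption: the BES range 1..limit-1 is applied to CRC4 as well as ESF.
    """
    limit = SES_PCV_LIMIT[framing]
    types = set()
    if sample["pcv"] >= limit or sample["oof"] or (framing == "esf" and sample["ais"]):
        types.add("SES")
    if sample["pcv"] or sample["oof"] or sample["css"] or sample["ais"]:
        types.add("ES")
    if sample["css"]:
        types.add("CSS")
    if 0 < sample["pcv"] < limit and not sample["oof"] and not sample["ais"]:
        types.add("BES")
    return types

def count_uas(ses_flags):
    """Unavailable Seconds from a per-second list of SES flags.

    The interface becomes unavailable at the onset of ten contiguous SESs and
    those ten seconds are counted. Assumption (ITU-T G.826 convention, not
    stated in the guide): availability resumes at the onset of ten contiguous
    non-SES seconds, and those ten seconds are not counted.
    """
    uas, i, n, unavailable = 0, 0, len(ses_flags), False
    while i < n:
        window = ses_flags[i:i + 10]
        if not unavailable:
            if len(window) == 10 and all(window):
                unavailable, uas, i = True, uas + 10, i + 10
            else:
                i += 1
        else:
            if len(window) == 10 and not any(window):
                unavailable, i = False, i + 10
            else:
                uas, i = uas + 1, i + 1
    return uas

def summarize(samples, framing="esf"):
    """Count ES, BES, SES and CSS seconds and UAS over a list of samples."""
    counts = {"ES": 0, "BES": 0, "SES": 0, "CSS": 0}
    ses_flags = []
    for s in samples:
        types = classify_second(s, framing)
        for t in types:
            counts[t] += 1
        ses_flags.append("SES" in types)
    counts["UAS"] = count_uas(ses_flags)
    return counts

def reached_thresholds(counts, thresholds=DEFAULT_15MIN):
    """Counters that have reached their threshold (the router raises an events
    notification when a threshold is reached)."""
    return sorted(name for name, limit in thresholds.items() if counts[name] >= limit)

# Constructed sample: 60 seconds on a T1 using ESF (not captured from a router).
SAMPLE_SECONDS = [dict(pcv=0, oof=False, ais=False, css=0) for _ in range(60)]
SAMPLE_SECONDS[5]["pcv"] = 3            # a few CRC errors: ES and BES
for _sec in range(10, 25):              # 15 s of OOF: SES, and >= 10 contiguous so UAS
    SAMPLE_SECONDS[_sec]["oof"] = True
SAMPLE_SECONDS[30]["css"] = 1           # one controlled slip: ES and CSS
SAMPLE_SECONDS[40]["pcv"] = 400         # 400 CRC errors in one second: SES, not BES
```

For this sample, summarize(SAMPLE_SECONDS) gives 18 ES, 1 BES, 16 SES, 1 CSS, and 15 UAS (the ten seconds that declared the interface unavailable plus the five SESs that followed), and reached_thresholds() reports CSS, SES, and UAS. Note how low the default CSS threshold is: a single controlled slip in 15 minutes reaches it, which is deliberate, since slips point at a clock-source mismatch rather than at line noise.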
To return a threshold to its default setting, enter this command from the global configuration mode context:
Syntax: no thresholds [BES | CSS | DM | ES | LCV | LES | PCV | SEFS | SES | UAS] [15Min | 24Hr]
For example, to return the 15-minute SES threshold to its default setting of 10, enter:
ProCurve(config)# no threshold SES 15Min
To return all thresholds to their default setting, enter:
ProCurve(config)# no thresholds
Viewing Information about E1 and T1 Interfaces
To view status or configuration information about an E1 or T1 interface, you can use the show commands listed in Table 4-6.
Table 4-6. show Commands

show interfaces
  Displays information about all the interfaces, active or inactive, on the ProCurve Secure Router.
show interface <interface> <slot>/<port> [realtime | performance-statistics]
  Displays information about a specific physical interface.
show running-config
  Displays all of the settings that you have configured for the ProCurve Secure Router.
show running-config verbose
  Displays the entire running-config, including the settings that you have configured and the default settings that you have not altered.
show running-config interface <interface> <slot>/<port>
  Displays the settings that you have configured for a particular physical interface.
show running-config interface <interface> <slot>/<port> verbose
  Displays the entire running-config for a particular interface, including the settings you configured and the default settings that you have not altered.
show interfaces Command
You can use the show interfaces <interface> <slot>/<port> command to view detailed information about the status of the E1 or T1 interface. For example, if you want to view the status of the E1 1/1 interface, enter the following command from the enable mode context:
ProCurve# show interfaces e1 1/1
Figure 4-7 shows the results of this command for an E1 interface. In this example, the E1 interface has been configured, but the Data Link Layer protocol has not.
Figure 4-7. show interfaces e1 1/1

    e1 1/1 is UP
      Receiver has no alarms
      E1 coding is HDB3, framing is E1
      Clock source is internal
      No network loopbacks
      Last clearing of counters never
        loss of frame    : 1, last occurred 00:01:55
        loss of signal   : 0
        AIS alarm        : 0
        Remote alarm     : 0
      Timeslot Status:
        01234567890123456789012345678901
        F-------------------------------
        Status Legend: '-' = Timeslot is unallocated
                       'N' = Timeslot is dedicated (nailed)
                       'F' = Timeslot is dedicated for framing
      Line Status: -- No Alarms --
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
      Current Performance Statistics:
        8 Errored Seconds, 0 Bursty Errored Seconds
        0 Severely Errored Seconds, 2 Severely Errored Frame Seconds
        0 Unavailable Seconds, 0 Path Code Violations
        0 Line Code Violations, 8 Controlled Slip Seconds
        0 Line Errored Seconds, 0 Degraded Minutes
      TDM group 1, line protocol is not set
      Encapsulation is not set

(Figure callouts: the Physical Layer is up; no Data Link Layer protocol is configured; channel assignments are not displayed correctly until the Data Link Layer protocol is configured; the third and fourth lines show the settings for line coding, frame format, and clock source.)
The first line indicates whether the interface is up or down. The second line lists alarms, if there are any. The next two lines show current configurations for line coding, framing, and clock source. For T1 interfaces, the FDL type and the line build out settings are also listed. If the line is in loopback, this information is listed as well.
The channels are listed as a series of digits: for an E1 interface, the channels are listed as 0-9, 0-9, 0-9, and 1. As shown in Figure 4-7, the first channel 0 is reserved for framing. For a T1 interface, the channels are listed as 1-9, 0-9, and 0-4.
Underneath the digits, a series of Ns or dashes indicate how the channels are being used. Channels marked with N are dedicated to the E1- or T1-carrier line. Channels that are marked by a – are not being used.
Although the E1 interface shown in Figure 4-7 has been configured to use channels 1-31, these channels do not appear to be allocated to the line. The channel assignment is not displayed correctly until you properly configure the Data Link Layer protocol. After the protocol is configured for the E1 or T1 interface, the show interfaces command will indicate that the channels are allocated. (For more information, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.)
If you are configuring an E1 interface for an E1 + G.703 module, the channels that you do not allocate to the E1 interface are marked with a D and are allocated to the G.703 interface. Likewise, if you are configuring a T1 interface for a T1 + DSX-1 module, the channels that you do not assign to the T1 interface are marked with a D and allocated to the DSX-1 module.
Note: By default, all channels are allocated to the G.703 or DSX-1 interface until you change this configuration. For more information about allocating channels to the G.703 or DSX-1 interface, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.
As Figure 4-7 shows, the section under the channel assignment displays the line status and informs you of any alarms.
show running-config Command
To check all of the settings that have been entered for the E1 or T1 interface, enter the following command:
Syntax: show running-config
This command displays the configuration that you have entered for the entire router. You must then scroll through the running-config until you locate the appropriate E1 or T1 interface.
To save time, you can enter the following command from the enable mode context:
Syntax: show running-config interface <interface> <slot>/<port>
For example, if you want to display the commands that you have entered for the E1 1/1 interface, enter:
ProCurve# show running-config interface e1 1/1
Figure 4-8 shows the output for a sample network.
Figure 4-8. show running-config interface e1 1/1

    interface e1 1/1
      clock source internal
      tdm-group 1 timeslots 1-31 speed 64
      no shutdown

This output shows only the commands that you have entered manually. According to this display, the network administrator has entered only three commands for this E1 interface:
ProCurve(config-e1 1/1)# clock source internal
ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-31
ProCurve(config-e1 1/1)# no shutdown
show running-config verbose Command
To view all of the settings for an interface, both the commands you have entered and the default settings, enter the following command from the enable mode context:
Syntax: show running-config interface <interface> <slot>/<port> verbose
For example, to view all of the settings for the E1 1/1 interface, enter:
ProCurve# show running-config interface e1 1/1 verbose
Figure 4-9 shows the verbose output for a sample network. Compare this output with the output shown in Figure 4-8.
Figure 4-9. show running-config interface e1 1/1 verbose

    interface e1 1/1
      description
      no framing crc4
      clock source internal
      coding hdb3
      lbo long 0
      remote-loopback
      sa4tx-bit 0
      loop-alarm-detect
      remote-alarm rai
      alias
      snmp trap link-status
      no ts16
      no shutdown

The no framing crc4 line is the default setting; the E1-carrier line is using the E1 frame format.
Troubleshooting E1 and T1 WAN Connections
Troubleshooting problems with WAN connections is a two-step process:
1. Check the Physical Layer:
a. Check whether the E1 or T1 interface is up or down.
b. Check for alarms.
c. Check the configurations to ensure that you are using the correct settings.
d. Check the cabling and the connections.
2. Check the logical layer:
a. Check to ensure that a Data Link Layer protocol has been defined and is bound to the E1 or T1 interface.
b. Check the configurations to ensure that you are using the correct settings.
This chapter provides information about troubleshooting the Physical Layer. For information about troubleshooting the Data Link Layer, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
You should start by troubleshooting the physical interface because it must be up before the logical connection can be established. You can quickly check the LEDs on the front of the ProCurve Secure Router to determine the status of a physical interface. Locate the LED that corresponds to the slot in which the E1 or T1 module is installed. (See Figure 4-10.)
Figure 4-10. Use the Stat LED to Check the Status of a Physical Interface
Table 4-7 shows the possible color of the stat LED, lists the meaning, and outlines the action you might take next.
Table 4-7. Check the LEDs

No light
  Meaning: No module is installed, or the interface is not activated.
  Action:
  • Ensure you are checking the LED for the slot in which the E1 or T1 module is installed.
  • Enter the show interface <interface> <slot>/<port> command to determine if you need to activate the interface.
  • If the line is administratively down, enter no shutdown.

Red
  Meaning: The interface is activated, but there are alarms.
  Action:
  • Use the show interface <interface> <slot>/<port> command to determine what alarms are being reported.
  • Check the configuration.
  • Check the connections and the cable itself.

Yellow
  Meaning: The interface is in loopback mode.
  Action:
  • Cancel the loopback, or call your public carrier and ask for the loopback to be canceled.

Green
  Meaning: The Physical Layer is up.
  Action:
  • Enter the show interface <interface> <slot>/<port> command to ensure that you have configured the correct Data Link Layer protocol for the line.
  • Ensure that you have configured the correct channels for the connection.
  • Check the status of the logical interface and follow the troubleshooting steps for the protocol you are using.
The color of the lights and a more detailed explanation are provided below.
No Light
If no light appears, ensure that you are checking the LED that corresponds to the slot in which the E1 or T1 module is installed, as shown in Figure 4-10.
Next, view the status of the E1 or T1 interface by entering:
ProCurve# show interfaces <interface> <slot>/<port>
If the E1 or T1 interface is administratively down, move to the appropriate interface configuration mode context and enter no shutdown. For example, you might enter:
ProCurve(config-e1 1/1)# no shutdown
The status of the interface should change.
Red Light
If the LED is red, the interface is administratively up, but it is receiving alarms. View the status of the interface by entering:
ProCurve# show interface <interface> <slot>/<port>
Note any alarms that are being reported. (See Figure 4-11.)
Figure 4-11. Using the show interfaces Command to Troubleshoot Problems

    e1 1/1 is DOWN
      Encapsulation is not set
      Transmitter is sending remote alarm
      Receiver has loss of signal, loss of frame
      E1 coding is HDB3, framing is E1
      Clock source is internal
      No network loopbacks
      Last clearing of counters never
        loss of frame    : 1, current duration 00:00:54
        loss of signal   : 1, current duration 00:00:53
        AIS alarm        : 0
        Remote alarm     : 0
      Timeslot Status:
        01234567890123456789012345678901
        FNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
        Status Legend: '-' = Timeslot is unallocated
                       'N' = Timeslot is dedicated (nailed)
                       'F' = Timeslot is dedicated for framing
      Line Status: -- LOS -- LOF -- Tx LOF --
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
      Current Performance Statistics:
        10 Errored Seconds, 0 Bursty Errored Seconds
        0 Severely Errored Seconds, 56 Severely Errored Frame Seconds
        56 Unavailable Seconds, 0 Path Code Violations
        1 Line Code Violations, 0 Controlled Slip Seconds
        0 Line Errored Seconds, 0 Degraded Minutes
      TDM group 1, line protocol is DOWN
      Encapsulation PPP (ppp 1)
        0 packets input, 0 bytes, 0 no buffer
        0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame
        0 abort, 0 discards, 0 overruns

(Figure callouts: if the interface is down, look for the reported alarms; check the configuration settings for line coding and framing.)
The most common alarms and some possible solutions are listed in Table 4-8.
Table 4-8. Alarms and Their Possible Causes

LOS (loss of signal)
  Possible causes:
  • You may be using a different type of line coding than that used by the public carrier.
  • The cable connection may be loose.
  • The cable may be bad.
  Possible solutions:
  • Check all the settings, including the setting for line coding.
  • Check the connections to ensure that the cable is plugged securely into the E1 or T1 port on one end and the CSU or wall jack at the other end.
  • Substitute a different cable.

LOF (loss of frame)
  Possible causes:
  • You may be using a different type of frame format than that used by the public carrier.
  • The cable connection may be loose.
  • The cable may be bad.
  Possible solutions:
  • Check the setting for frame format.
  • Check the connections to ensure that the cable is plugged securely into the E1 or T1 port on one end and the CSU or wall jack at the other end.
  • Substitute a different cable.

Check the Configuration. Review your configuration and ensure that you have entered the settings that match those used by your public carrier. In addition to checking the line coding and frame format, check:
■ channels dedicated, or "nailed," to the interface
■ clock source
■ line protocol, or the Data Link Layer protocol
Resolve any problems, such as incompatible line coding or loss of synchronization due to conflicting clock sources. If a line protocol is not listed, you must configure a logical interface (the Data Link Layer), and then you must bind the E1 or T1 interface to that logical interface.
Check the Hardware. If the configuration of the E1 or T1 interface appears to be correct, but the E1 or T1 interface is still down, examine the hardware. Is the cable attached correctly? Is the cable bad? Use a different cable to see if this makes a difference. Try looping the signal back through the interface to determine whether the source of the problem is the interface on the ProCurve Secure Router or the other end of the link.
Yellow Light
If one of the IT staff initiated a loopback test, enter the appropriate command to cancel it. From the E1 or T1 interface configuration mode context, enter:
E1 Syntax: no loopback remote
T1 Syntax: no loopback remote [line {fdl | inband} | payload]
E1 and T1 Syntax: no loopback network [line | payload]
If the loopback was not initiated on the ProCurve Secure Router, your public carrier is testing the line. Call your public carrier to have the loopback canceled or to determine the reason for the loopback test.
Green Light
If the stat LED for the physical interface is green but the WAN connection is down, you should still check the configuration for the E1 or T1 interface. In some cases, the physical connection may be established even though there is a problem with the configuration.
For example, the router and the public carrier’s equipment may be able to establish the Physical Layer connection even though the channels configured on the E1 or T1 interface do not match the channels that the public carrier has configured for the connection. When the Data Link Layer protocol tries to establish its connection, however, the connection fails. Although the problem appears to be with the Data Link Layer, it is actually a configuration problem with the E1 or T1 interface.
If the E1 or T1 interface is up and the configuration appears to be correct, you should begin troubleshooting the logical interface. For tips on troubleshooting PPP, Frame Relay, or High-Level Data Link Control (HDLC), see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
Viewing Performance Statistics
The show interface command provides two options for physical interfaces:
■ performance-statistics
■ realtime
The performance-statistics option displays interval snapshots of errors occurring on the connection. You can view snapshots of all 15-minute intervals in the past 24 hours, or you can specify that the Secure Router OS display:
■ a summary of the total statistics over the last 24 hours
■ a specific 15-minute interval or a range of specific intervals
To view performance statistics, enter:
Syntax: show interfaces <interface> <slot>/<port> performance-statistics [Total-24-hour | <range of intervals>]
For example, to view performance statistics accumulated on the T1 1/1 interface over all 15-minute intervals in the past 24 hours, enter:
ProCurve# show interfaces t1 1/1 performance-statistics
To view only certain 15-minute intervals, replace <range of intervals> with numbers between 1 and 96. The intervals are numbered from the interval that occurred 24 hours earlier (1) to the present interval (96). For example, enter:
ProCurve# show interfaces t1 1/1 performance-statistics 32-34
Figure 4-12 shows the output for a T1 interface that is experiencing no errors.
Figure 4-12. Viewing Performance Statistics for a Physical Interface
To end the output, enter Ctrl+C.
To view the output for the show interfaces command in real-time, enter:
Syntax: show interface <interface> <slot>/<port> realtime
For example, to view real-time information for the T1 1/1 interface, enter:
ProCurve# show interface t1 1/1 realtime
Figure 4-13 shows the type of information that is displayed.
Interval 32 Performance Statistics:
   0 Errored Seconds, 0 Bursty Errored Seconds
   0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
   0 Unavailable Seconds, 0 Path Code Violations
   0 Line Code Violations, 0 Controlled Slip Seconds
   0 Line Errored Seconds, 0 Degraded Minutes
Interval 33 Performance Statistics:
   0 Errored Seconds, 0 Bursty Errored Seconds
   0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
   0 Unavailable Seconds, 0 Path Code Violations
   0 Line Code Violations, 0 Controlled Slip Seconds
   0 Line Errored Seconds, 0 Degraded Minutes
Interval 34 Performance Statistics:
   0 Errored Seconds, 0 Bursty Errored Seconds
   0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
   0 Unavailable Seconds, 0 Path Code Violations
   0 Line Code Violations, 0 Controlled Slip Seconds
   0 Line Errored Seconds, 0 Degraded Minutes
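As an added example that is not part of this guide, the following Python script parses output in the Interval/counter layout shown above, flags any interval whose counters are not all zero, totals the counters, and converts an interval number to how long ago it began (interval 96 is the present one, interval 1 the one 24 hours earlier), which is the kind of check a monitoring job would run on saved CLI output. The sample output is constructed, with errors placed in interval 33 so that the check has something to report.

```python
import re

# Constructed sample in the layout the guide shows for
# "show interfaces t1 1/1 performance-statistics 32-34"; interval 33 has
# been given non-zero counters so that the check below reports something.
SAMPLE_OUTPUT = """\
Interval 32 Performance Statistics:
   0 Errored Seconds, 0 Bursty Errored Seconds
   0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
   0 Unavailable Seconds, 0 Path Code Violations
   0 Line Code Violations, 0 Controlled Slip Seconds
   0 Line Errored Seconds, 0 Degraded Minutes
Interval 33 Performance Statistics:
   12 Errored Seconds, 0 Bursty Errored Seconds
   3 Severely Errored Seconds, 0 Severely Errored Frame Seconds
   0 Unavailable Seconds, 7 Path Code Violations
   0 Line Code Violations, 0 Controlled Slip Seconds
   0 Line Errored Seconds, 0 Degraded Minutes
Interval 34 Performance Statistics:
   0 Errored Seconds, 0 Bursty Errored Seconds
   0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
   0 Unavailable Seconds, 0 Path Code Violations
   0 Line Code Violations, 0 Controlled Slip Seconds
   0 Line Errored Seconds, 0 Degraded Minutes
"""

INTERVAL_RE = re.compile(r"^Interval (\d+) Performance Statistics:")
# "<count> <Counter Name>" pairs separated by commas on one line
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z ]+?)(?:,|$)")


def parse_performance_statistics(text):
    """Return {interval_number: {counter_name: count}} from the CLI output."""
    intervals = {}
    current = None
    for line in text.splitlines():
        header = INTERVAL_RE.match(line.strip())
        if header:
            current = int(header.group(1))
            intervals[current] = {}
            continue
        if current is None:          # text before the first interval header
            continue
        for count, name in COUNTER_RE.findall(line.strip()):
            intervals[current][name.strip()] = int(count)
    return intervals


def interval_age_minutes(interval):
    """Minutes before the present 15-minute interval (96) that interval N began.
    Interval 1 is the one that occurred 24 hours earlier."""
    if not 1 <= interval <= 96:
        raise ValueError("interval numbers run from 1 to 96")
    return (96 - interval) * 15


def intervals_with_errors(intervals):
    """Interval numbers whose counters are not all zero, in ascending order."""
    return sorted(n for n, counters in intervals.items() if any(counters.values()))


def summarize(intervals):
    """Total each counter over the parsed intervals (a Total-24-hour style
    roll-up over whatever range was requested)."""
    totals = {}
    for counters in intervals.values():
        for name, count in counters.items():
            totals[name] = totals.get(name, 0) + count
    return totals


if __name__ == "__main__":
    stats = parse_performance_statistics(SAMPLE_OUTPUT)
    for n in intervals_with_errors(stats):
        print(f"interval {n} ({interval_age_minutes(n)} min ago):",
              {k: v for k, v in stats[n].items() if v})
    print("totals:", summarize(stats))
```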
Figure 4-13. Viewing the show interfaces Output in Real-Time
To end the output and return to troubleshooting the router, enter Ctrl+C.
Quick Start
This section provides the commands you must enter to quickly configure an E1 or T1 interface on the ProCurve Secure Router. Only a minimal explanation is provided.
If you need additional information about any of these options, see “Contents” on page 4-1 to locate the section and page number that contains the explanation you need.
--------------------------------------------------------------------
t1 1/1 is UP
  Receiver has no alarms
  T1 coding is B8ZS, framing is ESF
  Clock source is through t1 1/2, FDL type is ANSI
  Line build-out is 0dB
  No remote loopbacks, No network loopbacks
  Acceptance of remote loopback requests enabled
  Tx Alarm Enable: rai
  Last clearing of counters never
  loss of frame : 1, last occurred 00:10:27
  loss of signal : 1, last occurred 00:10:41
  AIS alarm : 0
  Remote alarm : 0
  DS0 Status: 123456789012345678901234
              NNNNNNNNNNNNNNNNNNNNNNNN
  Status Legend: '-' = DS0 is unallocated
                 'N' = DS0 is dedicated (nailed)
  Line Status: -- No Alarms --
(OUTPUT TRUNCATED)
--------------------------------------------------------------------
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'
[Figure 4-13 callout: the last line gives the instructions for pausing or ending the output.]
Configuring an E1 or T1 Interface
Before you begin to configure an E1 or T1 interface, you should know the settings that you must enter for the following:
■ number of channels used
■ line coding
■ frame format
■ clock source
Your public carrier should provide you with this information.
To configure the E1 or T1 interface, complete these steps:
1. If you are configuring an E1 interface, use unshielded twisted pair (UTP) cabling with RJ-48C connectors to connect the E1 port on the ProCurve Secure Router to the external CSU provided by your public carrier. If you are configuring a T1 interface, use UTP cabling with RJ-48C connectors to connect the T1 port to the wall jack provided by your public carrier.
2. Establish a terminal session with the ProCurve Secure Router. You are automatically at the basic mode context.
ProCurve>
3. Move to the enable mode context. If you have configured a password for the enable mode context, enter the password.
ProCurve> enable
Password:
4. Move to the global configuration mode context.
ProCurve# configure terminal
5. Move to the E1 or T1 interface configuration mode context.
Syntax: interface <interface> <slot>/<port>
For example, if you are configuring a one-port E1 or T1 module that is installed in slot one, enter:
ProCurve(config)# interface e1 1/1
or
ProCurve(config)# interface t1 1/1
6. Create a TDM group and assign it the number of channels used for this connection.
Syntax: tdm-group <number> timeslots <range of numbers>
For example, to assign the E1 or T1 interface all the channels, enter:
ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-31
or
ProCurve(config-t1 1/1)# tdm-group 1 timeslots 1-24
7. Configure the line coding. For E1 interfaces, use the following syntax:
Syntax: coding [ami | hdb3]
ProCurve(config-e1 1/1)# coding ami
HDB3 is the default setting for E1 interfaces.
For T1 interfaces, use the following syntax:
Syntax: coding [ami | b8zs]
ProCurve(config-t1 1/1)# coding ami
B8ZS is the default setting for T1 interfaces.
8. Configure the frame format for the E1- or T1-carrier line. For E1-carrier lines, use the following syntax:
Syntax: framing crc4
If your public carrier is using E1 framing format, do not enter a framing command. E1 framing is the default setting for E1 interfaces. If your PTT is using CRC4, change the frame format.
ProCurve(config-e1 1/1)# framing crc4
If you need to change the frame format back to E1, enter:
ProCurve(config-e1 1/1)# no framing crc4
For T1 interfaces, use the following syntax to configure the framing:
Syntax: framing [d4 | esf]
ProCurve(config-t1 1/1)# framing d4
The default setting for T1 framing is ESF.
9. Configure the clock source setting.
Syntax: clock source [internal | line | through]
ProCurve(config-e1 1/1)# clock source line
or
ProCurve(config-t1 1/1)# clock source line
Table 4-9 shows the default settings for the clock source on each type of E1 or T1 module.
Table 4-9. Default clock source settings for E1 and T1 modules
10. For T1 interfaces only, configure the line build out (lbo). If the cable connecting the T1 interface to the wall jack is longer than 655 feet, use the following lbo command:
Syntax: lbo long <value>
Replace <value> with one of the following numbers, which are in decibels (dB):
• -22.5
• -15
• -7.5
• 0
If the cable connecting the T1 interface to the wall jack is shorter than 655 feet, use the following lbo command:
Syntax: lbo short <value>
Replace <value> with the actual number of feet. For example, if the cable is 100 feet, enter:
ProCurve(config-t1 1/1)# lbo short 100
11. Activate the interface.
ProCurve(config-e1 1/1)# no shutdown
or
ProCurve(config-t1 1/1)# no shutdown
Module                                   Port   Default Clock Source
One-port E1 or T1 module                 1      line
Two-port E1 or T1 module                 1      line
                                         2      through
E1 + G.703 module / T1 + DSX-1 module    1      line
                                         2      through
Eight-port module                        1–8    line
12. View the status of the E1 or T1 interface.
ProCurve(config-e1 1/1)# do show interface e1 1/1
or
ProCurve(config-t1 1/1)# do show interface t1 1/1
Note: The do command enables you to enter enable mode commands (such as show commands) from any context.
By default, the ProCurve Secure Router immediately notifies you that the interface is administratively up. It will take a few moments to establish the E1 or T1 connection, however. When the connection goes up, the ProCurve Secure Router displays another message at the command line interface (CLI), reporting that the line is up. If you want to disable this reporting function, enter no events from the enable mode context.
You must now configure the Data Link Layer protocol for the E1 or T1 interface. For information about configuring this protocol, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
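The following validator is an added example, not ProCurve code: it checks an E1 or T1 interface snippet written in the Quick Start's command form against the rules the steps above state (timeslot range, line coding and frame format per interface type, clock source, T1-only lbo values, and the closing no shutdown), which is a useful pre-flight check before pasting a configuration into a router. The two snippets are constructed, and the lbo boundary is applied as "shorter than 655 feet" for lbo short.

```python
# Allowed values, taken from the Quick Start steps above (E1: 31 timeslots,
# AMI/HDB3, CRC4 framing; T1: 24 timeslots, AMI/B8ZS, D4/ESF framing, lbo).
CODING = {"e1": {"ami", "hdb3"}, "t1": {"ami", "b8zs"}}
FRAMING = {"e1": {"crc4"}, "t1": {"d4", "esf"}}
MAX_TIMESLOT = {"e1": 31, "t1": 24}
CLOCK_SOURCES = {"internal", "line", "through"}
LBO_LONG_DB = {"-22.5", "-15", "-7.5", "0"}
LBO_SHORT_MAX_FEET = 655


def parse_timeslots(spec):
    """Expand a timeslot spec such as '1-24' or '1-3,5' into a sorted list."""
    slots = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            slots.update(range(lo, hi + 1))
        else:
            slots.add(int(part))
    return sorted(slots)


def validate_interface_config(lines):
    """Check an E1/T1 interface snippet against the Quick Start rules.
    Returns a list of problem strings; an empty list means it passes."""
    problems, kind, seen = [], None, set()
    for raw in lines:
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            if len(words) != 3 or words[1] not in MAX_TIMESLOT:
                return [f"unsupported interface line: {raw.strip()}"]
            kind = words[1]
            continue
        if kind is None:
            return ["commands appear before an 'interface e1|t1' line"]
        line = " ".join(words)
        if words[0] == "tdm-group":            # tdm-group <n> timeslots <range>
            if len(words) != 4 or words[2] != "timeslots":
                problems.append(f"malformed tdm-group: {line}")
                continue
            limit = MAX_TIMESLOT[kind]
            bad = [s for s in parse_timeslots(words[3]) if not 1 <= s <= limit]
            if bad:
                problems.append(f"{kind} timeslots outside 1-{limit}: {bad}")
            seen.add("tdm-group")
        elif words[0] == "coding":
            if len(words) != 2 or words[1] not in CODING[kind]:
                problems.append(f"{kind} coding must be {sorted(CODING[kind])}: {line}")
        elif words[0] == "framing":
            if len(words) != 2 or words[1] not in FRAMING[kind]:
                problems.append(f"{kind} framing must be {sorted(FRAMING[kind])}: {line}")
        elif words[:2] == ["clock", "source"]:
            if len(words) != 3 or words[2] not in CLOCK_SOURCES:
                problems.append(f"clock source must be internal, line or through: {line}")
        elif words[0] == "lbo":
            if kind != "t1":
                problems.append(f"lbo is a T1-only setting: {line}")
            elif len(words) != 3 or words[1] not in ("long", "short"):
                problems.append(f"malformed lbo: {line}")
            elif words[1] == "long" and words[2] not in LBO_LONG_DB:
                problems.append(f"lbo long must be -22.5, -15, -7.5 or 0 dB: {line}")
            elif words[1] == "short" and not (
                words[2].isdigit() and 0 < int(words[2]) < LBO_SHORT_MAX_FEET
            ):
                problems.append(f"lbo short takes a length under {LBO_SHORT_MAX_FEET} feet: {line}")
        elif line == "no shutdown":
            seen.add("no shutdown")
    if "tdm-group" not in seen:
        problems.append("no tdm-group: the Data Link Layer has nothing to bind to")
    if "no shutdown" not in seen:
        problems.append("missing 'no shutdown': interface stays administratively down")
    return problems


# Constructed snippets in the Quick Start's command form (not from a real router).
GOOD_T1 = [
    "interface t1 1/1",
    " tdm-group 1 timeslots 1-24",
    " coding b8zs",
    " framing esf",
    " clock source line",
    " lbo short 100",
    " no shutdown",
]
BAD_E1 = [
    "interface e1 1/1",
    " tdm-group 1 timeslots 1-32",  # E1 has timeslots 1-31
    " coding b8zs",                 # B8ZS is a T1 line code
    " framing esf",                 # ESF is T1 framing
    " clock source line",
    " lbo long -15",                # lbo applies to T1 only
]                                   # and 'no shutdown' is missing

if __name__ == "__main__":
    for name, cfg in (("GOOD_T1", GOOD_T1), ("BAD_E1", BAD_E1)):
        print(name, validate_interface_config(cfg) or "OK")
```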
Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines
Contents
Using the Serial Module for E1- or T1-Carrier Lines . . . . . . . . . . . . . . . . . . 5-3
Elements of an E1- or T1-Carrier Line . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Connecting Your Premises to the Public Carrier’s Central Office: the Local Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
External or Built-in CSU/DSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Serial Module for the ProCurve Secure Router . . . . . . . . . . . . . . . . . . . 5-7
Standards Supported by the Serial Module . . . . . . . . . . . . . . . . . . 5-7
Serial Interface: Configuring the Physical Layer . . . . . . . . . . . . . . . . . . . . . 5-8
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Serial Interface Configuration Mode Context . . . . . . . . . . . . . . . . . . . 5-12
Configuring the Interface for the Appropriate Cable . . . . . . . . . . . . . 5-12
Configuring the Clock Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Inverting et-clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Inverting txclock or rxclock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Activating the Serial Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Configuring the Data Link Layer Protocol . . . . . . . . . . . . . . . . . . . . . . 5-14
Viewing Information about the Serial Interface . . . . . . . . . . . . . . . . . . . . . 5-15
show interfaces serial Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
show running-config interface Command . . . . . . . . . . . . . . . . . . . . . . 5-16
View All the WAN Connections Configured on the Router . . . . . . . . 5-17
Troubleshooting a Serial Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Checking the LED for the Serial Module . . . . . . . . . . . . . . . . . . . . . . . 5-18
No Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Red Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Yellow Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Green Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Solving a Specific Problem: the Line Between the Serial Module and the CSU/DSU Keeps Going Down . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Configure a Serial Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Using the Serial Module for E1- or T1-Carrier Lines
When companies require dedicated, secure point-to-point wide area network (WAN) connections, one of the available solutions is a leased E1- or T1-carrier line. With an E1- or T1-carrier line, the connection is always active. Because there is no dial-up process, data can be immediately transmitted at any time.
In Europe, Australia, South America, and Asia, Public Telephone and Telegraph (PTT) authorities offer E1-carrier lines, which provide 2.048 Mbps bandwidth. In the United States, Canada, and in some areas of Japan, telcos offer T1-carrier lines, which provide 1.544 Mbps bandwidth.
Note: In Japan, PTTs offer T1-carrier lines and sometimes E1-carrier lines for data. For traditional analog voice, these PTTs offer J1-carrier lines. (J1 lines are outside the scope of this Basic Configuration and Management Guide.)
Elements of an E1- or T1-Carrier Line
All WAN connections, including E1- and T1-carrier lines, consist of three basic elements:
■ the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection
■ electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media
■ Data Link Layer protocols, which provide logical flow control for moving data between the peers (the devices at either end of a WAN connection)
Physical transmission media and electrical specifications are part of the Physical Layer (or Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (or Layer 2). (See Figure 5-1.)
Figure 5-1. Physical and Data Link Layers of the OSI Model
When you configure the ProCurve Secure Router to support an E1 or T1 WAN connection, you must configure:
■ the Physical Layer
■ the Data Link Layer, which is also called the logical layer
Connecting Your Premises to the Public Carrier’s Central Office: the Local Loop
In the United States and Canada, the network that provides the infrastructure for T1-carrier lines is called the public switched telephone network (PSTN). In all other countries, PTT authorities provide the infrastructure for WAN connections.
When you lease an E1- or T1-carrier line, your LAN must be connected to the public carrier’s nearest central office (CO). All of the telecommunications infrastructure that is used to connect your LAN to the CO is collectively called the local loop. Because the CO may be located miles away from your premises, this telecommunications infrastructure may include repeaters, as well as switches, cable, and connectors. (See Figure 5-2.)
[Figure 5-1: the seven OSI layers, 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application; PPP, Frame Relay, and HDLC are placed at the Data Link Layer and E1- and T1-carrier lines at the Physical Layer.]
Figure 5-2. Local Loop
All carrier lines require the same basic components on the local loop, although the components may differ slightly in form and design. (See Figure 5-2.) These components are listed below:
■ CSU/DSU—The Channel Service Unit/Digital Service Unit (CSU/DSU) has two purposes: The DSU accepts traffic from the router and translates it from the signaling format used on the LAN to the format necessary for transmission on the WAN. The CSU then generates the signal to be sent across the WAN (or regenerates the signal for transmission across the LAN).
■ Demarc—A line of demarcation, or demarc, separates your wiring and equipment from the public carrier’s wiring and equipment. As a general rule, you own, operate, and maintain the wiring and equipment on your side of the demarc, and the public carrier owns, operates, and maintains the wiring and equipment on its side of the demarc.
■ Network interface unit (NIU)—The NIU automatically maintains the WAN connection and enables public carrier employees to perform simple management tasks from a remote location. The NIU is usually located outside the subscriber’s premises so that public carrier employees can always access it. In the United States and Canada, the NIU is commonly referred to as the smart jack.
■ Wire span—Because public carrier networks were originally designed to carry analog voice calls, copper wire is still the most common physical transmission medium used on the local loop. Because copper wire has a limited capacity to carry signals, local loops that use copper wire are the slowest, least capable component of the WAN connection.
[Figure 5-2 labels: LAN, Router (DTE), CSU/DSU, Demarc, Network Interface Unit (Smart Jack), Wire span, Repeater, OCU (Office Channel Unit, the PTT’s CSU), Public Carrier’s CO.]
■ Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. The distance between repeaters depends on the type of connection, including the transmission media used. For example, for a T1 connection over unshielded twisted pair (UTP) wiring, the distance between repeaters is one mile or less.
■ Office channel unit (OCU)—Located at the CO, the OCU performs the same function at the public carrier’s site that the CSU performs at each subscriber’s site: it generates the signal to be sent—either to a subscriber’s premises or to the public carrier network.
Although you will never see most of these components, having a basic understanding of the local loop can help you work with your public carrier to troubleshoot problems if your E1- or T1-carrier line ever goes down.
In addition, two of these components directly affect your E1 or T1 WAN connection: the demarc and the CSU/DSU. The demarc determines for which part of the E1 or T1 WAN connection you are responsible. Again, this becomes important if your E1- or T1-carrier line ever goes down and you have to work with the public carrier to identify and fix the problem.
The CSU/DSU is important because its form and design not only determines which ProCurve Secure Router module you purchase but also which settings you must configure for the E1- or T1-carrier line.
External or Built-in CSU/DSU
Your public carrier determines the type of CSU/DSU that will be used for your WAN connection. There are three options:
■ The public carrier provides the CSU/DSU and installs it on your premises.
■ The public carrier provides the CSU but not the DSU.
■ The public carrier does not provide the CSU/DSU.
In Europe, Australia, South America, and Asia (except Japan), the PTT authority will provide either the entire CSU/DSU or just the CSU. In the United States and Canada, public carriers will either provide the entire CSU/DSU, or they will provide neither the CSU nor the DSU.
Serial Module for the ProCurve Secure Router
The ProCurve Secure WAN serial modules are used when the public carrier provides an external CSU/DSU for an E1- or T1-carrier line. (See Figure 5-2 on page 5-5.) ProCurve Networking offers two serial modules:
■ one-port narrow module
■ eight-port, or octal, wide module
If your company is in the United States or Canada and your public carrier does not provide an external CSU/DSU, you must purchase and use a T1 module. If your company is in another country and the public carrier provides only a CSU, you must purchase and use an E1 module. (For instructions on configuring these modules, see Chapter 4: Configuring E1 and T1 Interfaces.)
Standards Supported by the Serial Module
The ProCurve Secure Router serial modules are standards based. Specifically, they support the following standards:
■ U.S. Federal Communications Commission (FCC) Part 15 Class A
■ Norme Européenne EN55022 Class A—EN is also referred to as European Standards.
■ EN55024, EN61000-3-2, EN61000-3-3
■ European Telecommunications Standards Institute (ETSI) TBR 1 and ETSI TBR 2
■ EN60950
■ UL/CUL 60950
■ Australian Standard/New Zealand Standard (AS/NZS) 60950
■ International Electrotechnical Commission (IEC) 60950
■ International Organization for Standardization (ISO) 4903 (X.21)
■ Comité Consultatif International Téléphonique et Télégraphique (CCITT) V.35 Synchronous (V.35)
Serial Interface: Configuring the Physical Layer
Because the external CSU/DSU manages timing, framing, and signaling for the E1- or T1-carrier line, the serial interface does not have to perform these functions. Consequently, you do not need to configure options to control these functions. As a result, the serial interface requires only minimal configuration.
Making the Physical Connection
To connect the serial module to the CSU/DSU, you will need one of the following cables. (See Figure 5-3.)
■ V.35 cable
■ X.21 cable
■ EIA 530 cable
Figure 5-3. The Serial Module Connects Directly to an External CSU/DSU.
The serial module ships with either a V.35 cable or an X.21 cable.
Note: ProCurve Networking does not currently provide an EIA 530 cable.
[Figure 5-3 labels: LAN, Router (DTE), Serial V.35, X.21, or EIA 530 cable, CSU/DSU, Demarc, NIU (Smart Jack), Wire span, Repeater, OCU (Office Channel Unit, the public carrier’s CSU), Public Carrier’s CO.]
If you are not sure which type of cable you have, this chapter provides illustrations of the three cable connectors. For example, Figure 5-4 shows the pinouts for ProCurve Networking’s implementation of the V.35 cable connector and lists how each pin is used.
Figure 5-4. ProCurve Networking’s V.35 Cable Connector
M/34 (“34-pin M-block“) connector pinout
Pin   Signal/Circuit Name
A     Unused
B     Signal Ground
C     RTS_A, Request to Send A
D     CTS_A, Clear to Send A
E     DSR_A, Data Set Ready A
F     DCD_A, Data Carrier Detect A
H     DTR_A, Data Terminal Ready A
J     Unused
K     TM_A, Test Mode A
L     Unused
N     Unused
N     Unused
P     TD_A, Send Data A
R     RD_A, Receive Data A
S     TD_B, Send Data B
T     RD_B, Receive Data B
U     ETC_A, Terminal Timing A
V     RCLK_A, Receive Timing A
W     ETC_B, Terminal Timing B
X     RCLK_B, Receive Timing B
Y     TCLK_A, Send Timing A
AA    TCLK_B, Send Timing B
M, Z, BB through FF, and MM are reserved for future international standardization, HH through LL are reserved for country-specific standards
Figure 5-5 shows the pinouts for ProCurve Networking’s implementation of the X.21 cable connector and lists how each pin is used.
Figure 5-5. ProCurve Networking’s X.21 Cable Connector
DB-15 (DA-15) X.27-compatible connector pinout
Pin   Signal/Circuit Name
1     Unused
2     TD_A, Transmit Data A
3     RTS_A, Request to Send A
4     RD_A, Receive Data A
5     CTS_A, Clear to Send A
6     RCLK_A, Receive Timing A
7     Unused
8     Signal Ground
9     TD_B, Transmit Data B
10    RTS_B, Request to Send B
11    RD_B, Receive Data B
12    CTS_B, Clear to Send B
13    RCLK_B, Receive Timing B
14    Unused
15    Reserved for future international use
If you have an EIA 530 cable that you purchased from another vendor, the ProCurve Secure Router supports it. You can also use Figure 5-6, which shows the pinouts for EIA 530, to create this type of connector.
Figure 5-6. Connector for an EIA 530 Cable
Whichever cable you use, the serial module supports up to 10 Mbps.
DB-25 connector pinout
Pin   Signal/Circuit Name
1     Shield
2     TD_A, Transmitted Data A
3     RD_A, Received Data A
4     RTS_A, Request to Send A
5     CTS_A, Clear to Send A
6     DCR_A, DCE Ready A
7     Signal Ground
8     RLSD_A, Received Line Signal Detector A
9     RSECTC_B, Receiver Signal Element Timing (DCE Source) B
10    RLSD_B, Received Line Signal Detector B
11    TSETT_B, Transmitter Signal Element Timing (DTE Source) B
12    TSETC_B, Transmitter Signal Element Timing (DCE Source) B
13    CTS_B, Clear to Send B
14    TD_B, Transmitted Data B
15    TSETC_A, Transmitter Signal Element Timing (DCE Source) A
16    RD_B, Received Data B
17    RSETC, Receiver Signal Element Timing (DCE Source) A
18    LL, Local Loopback
19    RTS_B, Request to Send B
20    DTR_A, DTE Ready A
21    RL, Remote Loopback
22    DCR_B, DCE Ready B
23    DTR_B, DTE Ready B
24    TSETT_A, Transmitter Signal Element Timing (DTE Source) A
25    TM, Test Mode
Serial Interface Configuration Mode Context
To begin configuring the serial interface for the E1 or T1 connection, you must access the appropriate configuration mode context. In the ProCurve Secure Router command line interface (CLI), move to the global configuration mode context and enter:
Syntax: interface serial <slot>/<port>
On the ProCurve Secure Router, the interface for each physical port is identified by its slot number and port number. The possible slot numbers for the serial module are:
■ 1 = dl narrow option module slot 1
■ 2 = dl narrow option module slot 2
■ 3 = dl wide option, or octal, module slot 3 (ProCurve Secure Router SR7203dl only)
For narrow option module slots, there is only one possible port number: 1.
For example, if the serial module is in slot 1, enter:
ProCurve(config)# interface serial 1/1
For the octal serial module, eight port numbers are possible. For example, if you are configuring port 6, enter:
ProCurve(config)# interface serial 3/6
After you enter the command, the ProCurve Secure Router prompt should indicate that you are at the serial interface configuration mode context:
ProCurve(config-ser 3/6)#
Configuring the Interface for the Appropriate Cable
Because the V.35, X.21, and EIA 530 connectors transmit and receive signals across different pins, you must configure the serial interface to use the appropriate signaling so that it can communicate with the CSU/DSU. From the serial interface configuration mode context, enter the following command to configure the interface for the appropriate cable:
Syntax: serial-mode [EIA530 | V35 | X21]
For example, if you are using an X.21 cable, enter:
ProCurve(config-ser 1/1)# serial-mode X21
The default setting is V35.
Configuring the Clock Source
The serial interface must have a clock source to synchronize the transmission of data. The clock source for the serial interface is called the external transmit reference clock (et-clock). By default, the source for et-clock is set to txclock, which means that the serial interface takes the clock from the transmit signal.
If you need to configure the clock source for the serial line, enter the following command from the serial interface configuration mode context:
Syntax: et-clock-source <source>
There are two possible sources:
■ txclock, the default setting
■ rxclock, which specifies that the serial interface should take the clock from the receive signal
Your public carrier should tell you which setting to use.
Inverting et-clock
If the cable that connects the serial module to the CSU/DSU is long, it may cause a phase shift in the data transmitted. If this happens, you must invert et-clock by entering:
ProCurve(config-ser 1/1)# invert etclock
After you enter this command, the serial module inverts et-clock in the data stream before transmitting it.
To return et-clock to its default setting, enter:
ProCurve(config-ser 1/1)# no invert etclock
Inverting txclock or rxclock
If the cable that connects the serial module to the CSU/DSU is long, the CSU/DSU may be configured to invert the transmit clock. You must then configure the serial interface so that it can receive the inverted clock. Enter one of the following commands:
Syntax: invert txclock
Syntax: invert rxclock
If you enter the invert txclock command, the serial interface will invert the transmit clock that is taken from the data stream. The serial interface inverts the transmit clock before it transmits a signal.
If you enter the invert rxclock command, the serial interface will look for an inverted receive clock in the data it receives from the CSU/DSU.
Activating the Serial Interface
To activate the serial interface, enter the following command from the serial interface configuration mode context:
ProCurve(config-ser 1/1)# no shutdown
The serial interface should now be activated, and the physical interface should be ready for data transfer.
By default, the ProCurve Secure Router immediately notifies you that the interface is administratively up. It will take a few moments to establish the serial connection, however. When the connection goes up, the ProCurve Secure Router displays another message at the CLI, reporting that the serial interface is up. If you want to disable this reporting function, enter no events from the enable mode context.
Configuring the Data Link Layer Protocol
You must configure the serial interface to use the same Data Link Layer protocol that your public carrier is using. For information about configuring the protocol, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
Viewing Information about the Serial Interface
You can view information about the E1- and T1-carrier line associated with the serial interface, and you can view the configuration settings that have been entered for the serial interface.
show interfaces serial Command
To view information about the serial interface and the carrier line associated with it, enter the following command from the enable mode context:
Syntax: show interfaces serial <slot>/<port>
You can also use the do command to enter this command from any context (except the basic mode context). For example, from the global configuration mode context, enter:
ProCurve(config)# do show interfaces serial 2/1
This command displays information about the serial interface in slot two. (See Figure 5-7.)
Figure 5-7. show interfaces serial Command
The first line reports the status of the interface. The status will be one of the following:
■ up
■ administratively down
■ down
ser 2/1 is UP, line protocol is UP
  Encapsulation FRAME-RELAY IETF (fr 1)
  Transmit clock source is TCLK
  DCD=up DSR=up DTR=up RTS=up CTS=up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  4624 packets input, 0 bytes, 0 no buffer
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 701 frame
  8 abort, 0 discards, 0 overruns
  4803 packets output, 0 bytes, 0 underruns
[Figure 5-7 callouts: the first line gives the status of the interface; the Encapsulation line names the Data Link Layer protocol (logical interface).]
If the interface is administratively down, you must enter no shutdown from the serial interface configuration mode context to activate it. If the interface is down, you should begin troubleshooting the problem, as explained in “Troubleshooting a Serial Connection” on page 5-17.
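As an added example (not part of the ProCurve guide), the following Python parses show interfaces serial output and maps the status line to the next step this section prescribes, and splits dropped control leads by the side that drives them. The two main samples are transcribed from Figures 5-7 and 5-10; the administratively-down sample and all function names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not from the ProCurve guide: parse "show interfaces serial"
# output and map the status line to the next step the chapter prescribes.

# Samples transcribed (rate lines omitted) from Figure 5-7 and Figure 5-10.
UP_OUTPUT = """\
ser 2/1 is UP, line protocol is UP
  Encapsulation FRAME-RELAY IETF (fr 1)
  Transmit clock source is TCLK
  DCD=up DSR=up DTR=up RTS=up CTS=up
  4624 packets input, 0 bytes, 0 no buffer
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 701 frame
  8 abort, 0 discards, 0 overruns
  4803 packets output, 0 bytes, 0 underruns
"""
DOWN_OUTPUT = """\
ser 2/1 is down, line protocol is DOWN
  Encapsulation is not set
  Transmit clock source is TCLK
  DCD=up DSR=up DTR=down RTS=down CTS=up
  0 packets input, 0 bytes, 0 no buffer
  0 input errors, 0 CRC, 0 frame
  0 abort, 0 discards, 0 overruns
  0 packets output, 0 bytes, 0 underruns
"""
# Constructed sample (not in the guide) covering the third status value.
ADMIN_DOWN_OUTPUT = """\
ser 1/1 is administratively down, line protocol is DOWN
  Encapsulation is not set
  DCD=down DSR=down DTR=down RTS=down CTS=down
"""

FIRST_LINE = re.compile(
    r"^(?P<intf>ser \d+/\d+) is (?P<status>administratively down|up|down),"
    r" line protocol is (?P<proto>up|down)$", re.IGNORECASE)
SIGNAL = re.compile(r"\b(DCD|DSR|DTR|RTS|CTS)=(up|down)\b")
COUNTER = re.compile(r"(\d+) (input errors|CRC|frame|abort|discards|overruns|underruns)")

# Control leads grouped by the side that asserts them, as described under
# "Solving a Specific Problem" later in this chapter.
ROUTER_LEADS = ("DTR", "RTS")          # router -> CSU/DSU
CSU_DSU_LEADS = ("CTS", "DCD", "DSR")  # CSU/DSU -> router


@dataclass
class SerialStatus:
    interface: str
    status: str                   # "up", "down" or "administratively down"
    line_protocol: str            # "up" or "down"
    encapsulation: Optional[str]  # None when "Encapsulation is not set"
    signals: Dict[str, str]       # lead name -> "up" / "down"
    counters: Dict[str, int]      # error counters from the statistics lines


def parse_show_interfaces_serial(text: str) -> SerialStatus:
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m = FIRST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"unrecognised status line: {lines[0]!r}")
    encapsulation = None
    signals: Dict[str, str] = {}
    counters: Dict[str, int] = {}
    for line in lines[1:]:
        if line.startswith("Encapsulation"):
            rest = line[len("Encapsulation"):].strip()
            encapsulation = None if rest.startswith("is not set") else rest
        for lead, state in SIGNAL.findall(line):
            signals[lead] = state.lower()
        for value, name in COUNTER.findall(line):
            counters[name] = int(value)
    return SerialStatus(m["intf"], m["status"].lower(), m["proto"].lower(),
                        encapsulation, signals, counters)


def next_action(s: SerialStatus) -> str:
    """The step this section prescribes for each value of the status line."""
    if s.status == "administratively down":
        return "enter 'no shutdown' from the serial interface configuration mode context"
    if s.status == "down":
        return "troubleshoot the Physical Layer (cable, serial-mode, CSU/DSU settings)"
    if s.encapsulation is None or s.line_protocol == "down":
        return "Physical Layer is up; configure or troubleshoot the Data Link Layer protocol"
    return "interface and line protocol are up"


def dropped_leads(s: SerialStatus) -> Dict[str, List[str]]:
    """Split dropped control leads by the side that should be asserting them."""
    return {"router": [x for x in ROUTER_LEADS if s.signals.get(x) == "down"],
            "csu_dsu": [x for x in CSU_DSU_LEADS if s.signals.get(x) == "down"]}


def nonzero_errors(s: SerialStatus) -> Dict[str, int]:
    """Error counters worth a second look (Figure 5-7 shows 701 frame, 8 abort)."""
    return {k: v for k, v in s.counters.items() if v}
```

In the Figure 5-10 sample the only dropped leads are DTR and RTS, the two the router itself drives, which points the investigation at the router's own configuration before the CSU/DSU.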
show running-config interface Command
To view the configuration for the serial interface, enter the following command from the enable mode context:
Syntax: show running-config interface serial <slot>/<port>
This command displays only the options that you have configured for the serial interface. If you want to view the entire configuration, including the default settings that are being applied to the interface, include the verbose option:
Syntax: show running-config interface serial <slot>/<port> verbose
Figure 5-8 shows the difference between the output of the show running-config interface serial 2/1 command and the show running-config interface serial 2/1 verbose command.
Figure 5-8. show running-config interface serial Commands
ProCurve# show running-config interface serial 2/1
Building configuration...
interface ser 2/1
  no shutdown
(Only one command was entered.)

ProCurve# show running-config interface serial 2/1 verbose
Building configuration...
interface ser 2/1
  description
  et-clock-source txclock
  no ignore dcd
  no invert txclock
  no invert rxclock
  no invert etclock
  serial-mode V35
  alias
  snmp trap link-status
  no shutdown
end
(The verbose output displays all the commands that affect the interface, including both default settings and the settings that were entered.)
View All the WAN Connections Configured on the Router
If your ProCurve Secure Router is providing several WAN connections for your company, you may want to view a list of these connections. The show connections command provides a quick view of all the connections on the router. As Figure 5-9 shows, this command lists the logical interface and the physical interface for each connection.
You enter the show connections command from the enable mode context.
Figure 5-9. show connections Command
Troubleshooting a Serial Connection
When you troubleshoot a serial interface, you should isolate the problem to determine if it is a problem with the Physical Layer or the Data Link Layer. Follow this standard process for troubleshooting WAN connections:
1. Check the Physical Layer.
a. Check whether the serial interface is up or down.
b. Check the configurations to ensure that you are using the correct settings.
c. Check the cabling, the connections, and other hardware.
d. Check the CSU/DSU settings and compare these settings against those used for the serial interface.
ProCurveSR7203dl# show connections
Displaying all connections...
Conn Id   From     To
-----------------------------------------------------------
1         ppp 1    t1 1/1, tdm-group 1
2         fr 1     t1 3/1, tdm-group 1
3         fr 2     ser 2/1          (serial interface with Frame Relay as the Data Link Layer protocol)
2. Check the logical layer.
a. Check to ensure that a Data Link Layer protocol has been defined and is bound to the serial interface.
b. Check the configurations to ensure that you are using the correct settings.
This chapter explains how to troubleshoot the Physical Layer. For information about the Data Link Layer, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
Checking the LED for the Serial Module
To determine the status of the serial interface, you can quickly check the LED for the slot where the serial module is installed. Table 5-1 shows the possible status of the LED, lists the meaning for this status, and outlines the action you might take next.
Table 5-1. Check the LEDs

Color: no light
Meaning: No module is installed, or the interface is not activated.
Action:
• Use the show interfaces serial <slot>/<port> command to determine if you need to activate the interface.
• If the line is administratively down, enter no shutdown.

Color: red
Meaning: Interface is activated, but there are alarms.
Action:
• Use the show interfaces serial <slot>/<port> command to determine what alarms are being reported.

Color: yellow
Meaning: The interface is in loopback mode.
Action:
• Contact the public carrier to cancel the loopback test. Loopback commands are not available from the serial interface configuration mode context.

Color: green
Meaning: The Physical Layer is up.
Action:
• Enter the show interfaces serial <slot>/<port> command to ensure that you have configured the correct protocol for the line. (The protocol is the logical interface.)
• Check the status of the logical interface and follow the troubleshooting steps for the protocol you are using.
No Light
Ensure that you are checking the LED that corresponds to the slot where the serial module is installed. Next, view the status of the serial interface by entering:
ProCurve# show interfaces serial <slot>/<port>
If the serial interface is administratively down, move to the serial interface configuration mode context and enter:
ProCurve(config-ser 1/1)# no shutdown
The status of the interface should change.
Red Light
If the LED is red, the interface is administratively up, but it is receiving alarms. View the status of the serial interface by entering:
ProCurve# show interfaces serial <slot>/<port>
Figure 5-10 shows a serial interface that is down.
Figure 5-10. Using the show interfaces serial Command to Troubleshoot the Serial Interface
Some possible problems and solutions are listed below:
■ The router is not receiving a signal from the CSU/DSU.
• Verify that you have configured the correct serial-mode setting for the cable that you are using. For example, if you are using an X.21 cable, verify that you have configured serial-mode X21 for the interface.
• Check the connections to make sure that the cable is not loose.
ser 2/1 is down, line protocol is DOWN
  Encapsulation is not set
  Transmit clock source is TCLK
  DCD=up DSR=up DTR=down RTS=down CTS=up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  0 packets input, 0 bytes, 0 no buffer
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame
  0 abort, 0 discards, 0 overruns
  0 packets output, 0 bytes, 0 underruns
• If you have an extra X.21, V.35, or EIA 530 cable, try using that cable to connect the serial module to the CSU/DSU.
• Check the LEDs on the CSU/DSU and ensure that it is up. The CSU/DSU may be turned off, or it may have experienced a hardware failure.
■ The serial module is misconfigured.
• Compare the list of settings that you received from your public carrier with the settings configured on the serial module. To view both the settings you have entered and the default settings for the interface, enter the following command. (See Figure 5-11.)
ProCurve# show running-config interface serial <slot>/<port> verbose
• Correct any settings so that the configuration for the serial module matches that used on the CSU/DSU.
Figure 5-11. Viewing the Output for the show running-config interface serial verbose Command
■ The public carrier is experiencing a problem. For example, the carrier line may be down between the CSU/DSU and the CO, or the line may not be properly connected to the CSU/DSU.
• Contact your public carrier. You should be prepared to explain the settings that are configured on the serial interface and to answer questions about the troubleshooting steps you have taken.
Yellow Light
A yellow light indicates a loopback test. Because you cannot initiate a loopback test from the serial interface configuration mode context, you must contact your public carrier to cancel the loopback test or to determine why it was issued.
interface ser 2/1
  description
  et-clock-source txclock
  no ignore dcd
  no invert txclock
  no invert rxclock
  no invert etclock
  serial-mode V35
  alias
  snmp trap link-status
  no shutdown
Green Light
If the serial interface is up, you should begin troubleshooting the logical interface. See Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
Solving a Specific Problem: the Line Between the Serial Module and the CSU/DSU Keeps Going Down
If the line between the serial module and the CSU/DSU keeps going down, you may want to configure the router to ignore data carrier detected (DCD) signals. Serial cables supported by the ProCurve Secure Router consist of 26 leads. Each lead either:
■ transmits a specific signal from the router to the CSU/DSU
■ receives a specific signal from the CSU/DSU
The router transmits the following signals to the CSU/DSU:
■ data terminal ready (DTR)
■ request to send (RTS)
The router receives these signals from the CSU/DSU:
■ clear to send (CTS)
■ data carrier detected (DCD)
■ data set ready (DSR)
■ test-mode (TM)
Using these signals, the ProCurve Secure Router and the CSU/DSU negotiate data transfer and signal each other to control data flow. If the CSU/DSU drops the CTS signal, the ProCurve Secure Router stops sending data. In turn, if the ProCurve Secure Router must pause incoming data, it drops RTS, and the CSU/DSU holds the data stream until it once again receives RTS.
The ProCurve Secure Router follows set protocols for dealing with inserted and dropped signals. You can, however, reconfigure the router to respond to dropped signals in different ways. For example, by default, when the serial interface loses the DCD signal, it does not attempt to reestablish a connection.
You can configure the serial interface to ignore the DCD status and continue trying to make a connection without the DCD signal. To do so, enter the following command from the serial interface configuration mode context:
ProCurve(config-ser 1/1)# ignore dcd
To return the interface to the default setting, enter:
ProCurve(config-ser 1/1)# no ignore dcd
Quick Start
This section provides the commands you must enter to quickly configure a serial module on the ProCurve Secure Router. Only a minimal explanation is provided.
If you need additional information about any of these options, check “Contents” on page 5-1 to locate the section that contains the explanation you need.
Configure a Serial Interface
To configure a serial interface, complete the following steps:
1. Use a V.35 or X.21 cable to connect the serial module to the external Channel Service Unit/Digital Service Unit (CSU/DSU). (The serial module also supports the EIA 530 cable if you have one available from another vendor.)
2. Establish a terminal session with the ProCurve Secure Router. You are automatically at the basic mode context.
ProCurve>
3. Move to the enable mode context. If you have configured a password for the enable mode context, enter the password.
ProCurve> enable
Password:
4. Move to the global configuration mode context.
ProCurve# configure terminal
5. Move to the serial interface configuration mode context.
Syntax: interface serial <slot>/<port>
ProCurve(config)# interface serial 1/1
6. Configure the interface for the cable that you used to connect the serial module to the CSU/DSU. The default setting is V35.
Syntax: serial-mode [EIA530 | V35 | X21]
For example, to configure the serial interface to use an X.21 cable, enter:
ProCurve(config-ser 1/1)# serial-mode X21
7. Activate the serial interface.
ProCurve(config-ser 1/1)# no shutdown
By default, the ProCurve Secure Router immediately notifies you that the interface is administratively up. It will take a few moments to establish the serial connection, however. When the connection goes up, the ProCurve Secure Router displays another message at the command line interface (CLI), reporting that the line is up. If you want to disable this reporting function, enter no events from the enable mode context.
8. View the status of the serial interface.
ProCurve(config-ser 1/1)# do show interface ser 1/1
Note: The do command enables you to enter enable mode commands (such as show commands) from any context (except the basic mode context).
You must now configure the Data Link Layer protocol for the serial interface as explained in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
6
Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces
Contents
Configuring the Logical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
PPP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Establishing a PPP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Creating a PPP Interface on the ProCurve Secure Router . . . . . . 6-6
Configuring an IP Address for the WAN Connection . . . . . . . . . . 6-8
Activating the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
Binding the Physical Interface to the Logical Interface . . . . . . . 6-10
PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
Settings Explained in Other Chapters . . . . . . . . . . . . . . . . . . . . . . 6-18
Frame Relay Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19
Packet-Switching Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
Components of a Frame Relay Network . . . . . . . . . . . . . . . . . . . . 6-21
DLCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
Create the Frame Relay Interface . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Activate the Frame Relay Interface . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Define the Signaling Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Define the Frame Relay Signaling Type . . . . . . . . . . . . . . . . . . . . 6-26
Configure Frame-Relay Counters . . . . . . . . . . . . . . . . . . . . . . . . . 6-26
Create the Frame Relay Subinterface . . . . . . . . . . . . . . . . . . . . . . 6-28
Assign a DLCI to the Frame Relay Subinterface . . . . . . . . . . . . . 6-28
Configure the IP Address for the WAN Connection . . . . . . . . . . 6-29
Set the CIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-33
Set the EIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34
Bind the Physical Interface to the Logical Interface . . . . . . . . . . 6-35
Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-36
Settings Explained in Other Chapters . . . . . . . . . . . . . . . . . . . . . . 6-38
Configuring HDLC as the Data Link Layer Protocol . . . . . . . . . . . . . . 6-39
Create the HDLC Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-39
Activate the HDLC Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41
Configure an IP Address for the WAN Connection . . . . . . . . . . . 6-41
Bind the Physical Interface to the Logical Interface . . . . . . . . . . 6-43
Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-44
Settings Explained in Other Chapters . . . . . . . . . . . . . . . . . . . . . . 6-46
Example Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-46
Checking the Status of Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53
View the Status of Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53
Viewing the Status of PPP Interfaces . . . . . . . . . . . . . . . . . . . . . . 6-53
Viewing the Status of Frame Relay Interfaces and Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-55
Viewing the Status of HDLC Interfaces . . . . . . . . . . . . . . . . . . . . . 6-57
Viewing Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . 6-57
Troubleshooting Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58
Troubleshooting the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58
Troubleshooting PPP Authentication . . . . . . . . . . . . . . . . . . . . . . 6-62
Troubleshooting the Frame Relay Interface . . . . . . . . . . . . . . . . . . . . 6-65
Troubleshooting HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-69
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70
PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70
PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-71
Requiring the Peer to Authenticate Itself . . . . . . . . . . . . . . . . . . . 6-72
Authenticating to a Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-72
Frame Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-73
HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-75
Configuring the Logical Interface
As outlined in Chapter 4: Configuring E1 and T1 Interfaces, all WAN connections—including E1- and T1-carrier lines—require both a Physical Layer and a Data Link Layer. (See Figure 6-1.) The Physical Layer encompasses:
■ the transmission media and other infrastructure required to create and maintain the WAN connection
■ the electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media
The Data Link Layer provides logical flow control for transmitting data between the peers of a WAN connection.
Figure 6-1. Data Link Layer Is Layer 2 in the OSI Model.
The ProCurve Secure Router supports the following Data Link Layer protocols for E1, T1, and serial interfaces:
■ Point-to-Point Protocol (PPP), including Multilink PPP (MLPPP)
■ Frame Relay, including Multilink Frame Relay (MLFR)
■ High-Level Data Link Control (HDLC)
For more information about MLPPP and MLFR, see the Advanced Management and Configuration Guide, Chapter 2: Increasing Bandwidth.
[Figure 6-1: the seven OSI layers, 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application. PPP, Frame Relay, and HDLC sit at Layer 2 (Data Link); E1, T1, or serial sits at Layer 1 (Physical).]
PPP Overview
PPP is a suite of protocols, rather than just a single protocol. (See Figure 6-2.) The PPP suite includes several types of protocols:
■ link control protocol (LCP)
■ authentication protocols
■ network control protocols (NCPs)
■ PPP
Each type of protocol has a specific role in establishing and maintaining a PPP connection.
Figure 6-2. Protocols in the PPP Suite
Establishing a PPP Connection
When two peers try to establish a PPP connection, they must exchange protocols in the following order:
1. LCP
2. Authentication protocol
3. NCP
4. PPP
[Figure 6-2: the protocols in the PPP suite, grouped and numbered in the order they are exchanged: 1 Link Control Protocols (LCP, LQR, DTP, LEX, BAP); 2 Authentication Protocols (PAP, CHAP, EAP); 3 Network Control Protocols (IPCP, BCP, ECP, CSCP, LLDPCP, LEXCP, ATCP, CCP, BACP, SNACP, SDCP, IPXCP); 4 PPP. The ProCurve Secure Router supports the protocols that are underlined in the figure.]
Exchanging an authentication protocol is optional.
Understanding how a PPP session is established can help you troubleshoot problems if they occur. (See Figure 6-3.)
Figure 6-3. Establishing a PPP Link
Link Establishment. Two PPP peers exchange LCP frames to establish, configure, and test the WAN link. These frames allow the peers to determine if the link can accommodate the data they want to transfer. The LCP frames also contain a field called the configuration option. Configuration options inform the peer of the desired settings for the link, such as the size of the PPP datagrams that will be sent and their degree of compression.
The two peers negotiate these settings. If the LCP frames do not contain a particular configuration option field, the peers use the default configuration for that option.
Authentication Protocol. If authentication is configured, the two peers authenticate the link. Although authentication is optional, the peers pass through this phase whether or not authentication is chosen.
PPP supports several authentication protocols:
■ Password Authentication Protocol (PAP)
■ Challenge Handshake Authentication Protocol (CHAP)
■ Extensible Authentication Protocol (EAP)
The ProCurve Secure Router supports PAP and CHAP.
[Figure 6-3: two ProCurve Secure Routers establish a PPP link in four phases: 1. Link establishment (LCP); 2. Authentication, optional (PAP, CHAP, or EAP); 3. Negotiation of Network Layer protocols (NCP: IPCP, BCP, and so on); 4. Session established (PPP).]
NCP. PPP uses an NCP to enable the exchange of Network Layer protocols—such as IP—across a WAN link. As Figure 6-2 shows, there is a specific NCP for each supported Network Layer protocol. For example, the NCP for IP is IP Control Protocol (IPCP), and the NCP for IPX (which is a legacy Novell NetWare protocol) is IPX Control Protocol (IPXCP).
The ProCurve Secure Router supports the following NCPs:
■ IP Control Protocol (IPCP)
■ Bridging Control Protocol (BCP)
■ Link-Layer Discovery Protocol (LLDP) Control Protocol (LLDPCP)
In order to exchange Network Layer protocols, the NCP must be in an “opened” state.
PPP. PPP frames carry the actual information being transferred over the WAN link. In PPP terminology, this information is called a datagram.
After the two peers successfully exchange LCP frames, authenticate the link (if authentication is configured), and negotiate the Network Layer protocol, a PPP session is established. The peers can then exchange PPP datagrams.
Creating a PPP Interface on the ProCurve Secure Router
To begin configuring PPP for an E1, T1, or serial interface, you must create a logical interface. From the global configuration mode context, enter:
Syntax: interface <interface> <number>
Replace <interface> with ppp and replace <number> with any number between 1 and 1024. Each PPP interface you configure on the router must have a unique number.
For example, if you are configuring the first PPP interface on the router, enter:
ProCurve(config)# interface ppp 1
The router prompt indicates that you have entered the PPP 1 interface configuration mode context:
ProCurve(config-ppp 1)#
You can enter the ? help command to display the commands available from this configuration mode context.
ProCurve(config-ppp 1)# ?
Table 6-1 shows the main settings that you must configure for an E1, T1, or serial interface connection that uses PPP.
Table 6-1. Options for Configuring an E1, T1, or Serial Interface with PPP

Interface configuration mode context: e1 (page 4-10)
• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the E1 connection
• coding [ami | hdb3]: defines the line coding
• frame format [e1 | crc4]: defines the frame format
• clock source [internal | line | through]: defines the clock source, or timing, for the connection
• no shutdown: activates the interface

Interface configuration mode context: t1 (page 4-10)
• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the T1 connection
• coding [ami | b8zs]: defines the line coding
• frame format [esf | d4]: defines the frame format
• clock source [internal | line | through]: defines the clock source, or timing, for the connection
• lbo long <value> | lbo short <value>: sets the level of the transmit signal
• no shutdown: activates the interface

Interface configuration mode context: serial (page 5-12)
• serial-mode [EIA530 | V35 | X21]: configures the serial interface to support the appropriate cable
• et-clock-source [txclock | rxclock]: configures the serial interface to take the clock from the transmit signal (txclock) or from the receive signal (rxclock)
• no shutdown: activates the interface

Interface configuration mode context: ppp (page 6-8)
• ip address <A.B.C.D> [<subnet mask> | </prefix length>]: assigns a static IP address to the PPP interface
• or ip address negotiated: configures the PPP interface to negotiate an IP address from its peer
• or ip unnumbered <interface>: configures the PPP interface to use the IP address assigned to another interface
• no shutdown: activates the interface

Global configuration or interface configuration mode context (page 6-10)
• bind <number> <physical interface> <slot>/<port> [<tdm-group number>] ppp <interface number>: binds the physical interface to the PPP interface; requires a tdm-group number for T1 and E1 interfaces (but not for serial interfaces)
The PPP settings are described in the sections that follow. (For information about E1 and T1 interface settings, see Chapter 4: Configuring E1 and T1 Interfaces. For information about serial interface settings, see Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines.)
Configuring an IP Address for the WAN Connection
You configure the IP address for the E1 or T1 WAN connection on the PPP interface rather than on the physical interface. There are several ways to assign an IP address to the PPP interface:
■ assign a static IP address
■ configure the PPP interface to negotiate an IP address with its PPP peer
■ configure the PPP interface as an unnumbered interface
Note: If the PPP interface is part of a bridge and IP routing is disabled, you can configure the PPP interface as a Dynamic Host Configuration Protocol (DHCP) client.
Configure a Static IP Address. To assign the PPP interface a static IP address, enter the following command from the PPP interface configuration mode context:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For example, you might enter:
ProCurve(config-ppp 1)# ip address 10.1.1.1 255.255.255.252
For subnet mask, you can enter the complete subnet mask or the classless inter-domain routing (CIDR) notation. For example, you might enter:
ProCurve(config-ppp 1)# ip address 10.1.1.1 /30
Configure a Negotiated IP Address. If you are using your WAN connection for Internet access, your Internet Service Provider (ISP) may want you to configure the PPP interface so that it negotiates the IP address with the ISP’s router. From the PPP interface configuration mode context, enter:
Syntax: ip address negotiated [no-default]
Include the no-default option if you do not want the router to accept a default route from the PPP peer that is providing the IP address.
Configure the PPP Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the PPP interface as an unnumbered interface. When you assign a logical interface on the router an IP address, that IP address cannot overlap with the IP addresses that are assigned to other logical interfaces. As a result, each interface that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.
You can configure the PPP interface (and other interfaces on the ProCurve Secure Router) as an unnumbered interface. The PPP interface will then use the IP address of another interface—the interface you specify. The Secure Router OS uses the IP address of the specified interface when sending route updates over the unnumbered interface.
Before configuring the PPP interface as an unnumbered interface, you should be aware of a potential disadvantage: If the interface to which the IP address is actually assigned goes down, the PPP interface will be unavailable as well. For example, suppose you configure the PPP 1 interface as an unnumbered interface that takes its IP address from the Ethernet 0/1 interface. If the Ethernet 0/1 interface goes down, the PPP 1 interface will also be unavailable.
To minimize the chances that the interface with the IP address will go down, you can assign the IP address to a loopback interface, which typically does not go down.
To configure the PPP interface as an unnumbered interface, enter the following command from the PPP interface configuration mode context:
Syntax: ip unnumbered <interface>
Valid interfaces include:
■ Ethernet interfaces and subinterfaces
■ Frame Relay subinterfaces
■ other PPP interfaces
■ HDLC interfaces
■ loopback interfaces
■ Asynchronous Transfer Mode (ATM) subinterfaces
■ demand interfaces
For example, you would enter the following commands to configure a loopback interface and then configure the PPP 1 interface to use the IP address assigned to that loopback interface:
ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 10.1.2.2 /30
ProCurve(config-loop 1)# interface ppp 1
ProCurve(config-ppp 1)# ip unnumbered loopback 1
Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface changes to up after you enter the interface loopback <interface number> command.
Activating the PPP Interface
To activate the PPP interface, enter the following command from the PPP interface configuration mode context:
ProCurve(config-ppp 1)# no shutdown
Although the PPP interface is activated, its status will not change to up until it is bound to a physical interface. It can then begin to negotiate a PPP session with its peer, and if that negotiation is successful, the status of the PPP interface will change to up.
Binding the Physical Interface to the Logical Interface
On the ProCurve Secure Router, you must bind the physical interface to the logical interface so that the router knows which Data Link Layer protocol to use for that WAN connection. When you bind a physical interface to a logical interface, the two are considered a single interface bind group.
From the global configuration mode context, enter:
Syntax: bind <bind number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>
You can also enter this command from the PPP interface configuration mode context.
Replace <bind number> with a number that is globally significant. That is, each bind command you enter on the router must have a unique bind number.
Replace <physical interface> with the type of WAN connection, such as E1, T1, or serial. Replace <slot> and <port> with the correct numbers to identify this interface’s location on the ProCurve Secure Router.
If you are binding an E1 or T1 interface to the PPP interface, replace <tdm-group number> with the TDM group number you created on the E1 or T1 interface. If you are binding a serial interface to the PPP interface, omit this option.
Note: You do not include a TDM group number when binding a serial interface to a logical interface because the serial interface does not use TDM groups.
Replace <logical interface> with ppp and replace <logical interface number> with the number you assigned to this interface. For example, if you want to bind the E1 1/1 interface or the T1 1/1 interface to the PPP 1 interface, enter:
ProCurve(config)# bind 1 e1 1/1 1 ppp 1
or
ProCurve(config)# bind 1 t1 1/1 1 ppp 1
If you want to bind the serial 1/1 interface to the PPP 1 interface, enter:
ProCurve(config)# bind 1 ser 1/1 ppp 1
To see an example configuration that uses PPP, see “Example Networks” on page 6-46.
PPP Authentication
You can increase the security of your WAN by requiring the PPP peer at the other end of the link to vouch that it is, indeed, the authorized router at the remote site. You can also configure the router to provide its own authentication information. Many Internet service providers (ISPs) require authentication so that they grant service only to subscribers who have paid for it.
The ProCurve Secure Router supports two authentication protocols for PPP:
■ PAP
■ CHAP
PAP. PAP is the simplest possible authentication scheme. It requires a two-way message exchange. One peer sends the password previously agreed upon to the other peer, which is called the authenticator. The authenticator looks up the password in its database. If the password matches, the authenticator returns an authentication acknowledge. The two peers can then send NCPs to negotiate the Network Layer protocols. If this negotiation is successful, the PPP session is established.
With PAP, the two peers authenticate only once, and the username and password are sent in clear text across the connecting private circuit. Because PAP sends the password directly over the wire, anyone capable of tapping into the wire can intercept it.
CHAP. CHAP solves the security problem of PAP by hashing the password and sending the hash value instead of the password over the wire. CHAP follows the process shown in Figure 6-4:
1. The authenticator challenges the peer.
2. The peer combines its password with a string of text and calculates a hash value using the Message Digest 5 (MD5) algorithm. (The hash is one-way, so the password cannot be recovered from it.) The peer sends the hash value to the authenticator.
3. The authenticator knows both the agreed-upon string of text and the peer’s password. The authenticator performs the same hashing calculation and compares its hash value to the hash value sent by the peer.
4. If the hash values match, the authenticator acknowledges the peer, and the peers proceed to exchange NCPs. If the hash values do not match, the authenticator continues to issue challenges until the peer returns a matching hash value or runs out of retry attempts.
Because the password itself never crosses the wire, CHAP provides increased security. In addition, CHAP requires peers to reauthenticate themselves from time to time.
Figure 6-4. CHAP Process
When you configure CHAP on the ProCurve Secure Router, you only need to set the password. The router automatically sends the hostname for the username and computes the hash value.
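The four-step exchange above, simulated in Python as an added example (not code from the manual or from the Secure Router OS). It follows the CHAP-MD5 definition in RFC 1994, MD5(Identifier || secret || Challenge), which is more specific than the manual's "password combined with a string of text"; the hostnames and secrets are constructed.

```python
"""PAP versus CHAP on a PPP link, as a constructed demonstration.

Peer and authenticator are simulated in one process. The CHAP response is
computed as RFC 1994 specifies for CHAP-MD5:
    Response = MD5(Identifier || secret || Challenge)
The manual only says the password is hashed with a text string; the exact
concatenation order used here comes from the RFC, not the manual.
"""
from __future__ import annotations

import hashlib
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2: hash the secret with the challenge. The secret never leaves the host."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def pap_frame(username: str, password: str) -> bytes:
    """What PAP puts on the wire: the username and password themselves.

    A passive tap on the circuit recovers the password by reading this frame.
    """
    return username.encode() + b"\x00" + password.encode()


class ChapAuthenticator:
    """Authenticator side of CHAP, holding the per-link PPP database.

    As on the router, the database maps the peer's hostname (its CHAP
    username) to the agreed secret. Names and secrets are constructed.
    """

    def __init__(self, peers: dict[str, bytes], max_retries: int = 3) -> None:
        self.peers = peers
        self.max_retries = max_retries
        self.failures: dict[str, int] = {}
        self._next_id = 1
        self._outstanding: dict[int, bytes] = {}  # Identifier -> Challenge value

    def challenge(self, value: bytes | None = None) -> tuple[int, bytes]:
        """Step 1: issue a Challenge with a fresh Identifier and random value.

        `value` fixes the challenge for a reproducible test; a real
        authenticator always draws it from a CSPRNG so responses differ per round.
        """
        ident = self._next_id
        self._next_id = self._next_id % 255 + 1  # 1..255, wraps
        chal = value if value is not None else secrets.token_bytes(16)
        self._outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Steps 3-4: recompute the hash with the stored secret and compare.

        Each challenge is consumed on first use, so a captured response cannot
        be replayed against a later challenge. Returns True on Success.
        """
        chal = self._outstanding.pop(ident, None)
        secret = self.peers.get(name)
        if chal is None or secret is None:
            self.failures[name] = self.failures.get(name, 0) + 1
            return False
        ok = secrets.compare_digest(chap_response(ident, secret, chal), response)
        if not ok:
            self.failures[name] = self.failures.get(name, 0) + 1
        return ok

    def retries_exhausted(self, name: str) -> bool:
        """True once the peer has used up its retry attempts (step 4's failure path)."""
        return self.failures.get(name, 0) >= self.max_retries


def chap_handshake(auth: ChapAuthenticator, peer_hostname: str, peer_secret: bytes,
                   challenge_value: bytes | None = None) -> tuple[bool, bytes]:
    """Run one Challenge / Response / Success-or-Failure round; return (result, response)."""
    ident, chal = auth.challenge(challenge_value)
    response = chap_response(ident, peer_secret, chal)  # computed on the peer
    return auth.verify(ident, peer_hostname, response), response


if __name__ == "__main__":
    auth = ChapAuthenticator({"SiteB": b"procurve"})
    ok, resp = chap_handshake(auth, "SiteB", b"procurve")
    print("CHAP with the agreed secret:", ok)
    print("password visible in PAP frame:", b"procurve" in pap_frame("SiteA", "procurve"))
    print("password visible in CHAP response:", b"procurve" in resp)
```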
Requiring a Peer to Authenticate Itself. When you configure PPP authentication on the ProCurve Secure Router, you must first choose whether you want to use PAP or CHAP. To require authentication, you must:
■ enable PAP or CHAP on the connection
■ set the peer’s username and password
You configure authentication for an individual PPP connection. Move to the logical interface for the connection and specify the type of authentication:
Syntax: ppp authentication [chap | pap]
For example, if you want to use CHAP for the PPP 1 interface, enter:
ProCurve(config-ppp 1)# ppp authentication chap
Note: Both sides of the connection do not have to require authentication. However, if both sides require authentication, they must use the same protocol. If your peer requires authentication, you must set the username and password the router will send. (These are distinct from the username and password that the router accepts.) See “Setting a PAP Username and Password” on page 6-14 and “Setting a CHAP Username and Password” on page 6-15.
Figure 6-4 diagram: Peer and Authenticator. (1) Challenge from the authenticator; (2) the peer calculates the hash; (3) the peer sends the hash; (4) the authenticator calculates its own hash, compares the hash values, and sends an Acknowledge.
You must add the password you have agreed upon for the peer to the PPP database. The PPP database for each connection is separate and distinct from the global username and password database and the databases of other PPP connections. Because the database is for a point-to-point connection, it stores only one username and password. You manage the database for a PPP connection from its logical interface configuration mode context.
To set the username and password that the ProCurve Secure Router accepts from a peer, enter the following command from the global configuration mode context:
Syntax: username <username> password <password>
For example, you might enter:
ProCurve(config-ppp 1)# username SiteB password procurve
For CHAP, the username should be the hostname of the peer.
Authenticating to a Peer. The device at the other end of a PPP connection may require the ProCurve Secure Router to authenticate itself. To configure the local router, you must:
■ configure which authentication protocol to use
■ set the username and password
The authentication protocol must match that requested by the peer. If you do not know which protocol the peer is using, you can view the debug messages and look for PAP or CHAP. From the enable mode context, enter:
ProCurve# debug ppp authentication
You specify the authentication protocol with the same command that you enter to configure the username and password that the ProCurve Secure Router sends the PPP peer. The company or ISP that is requiring PPP authentication should provide you with the username and password, which are case sensitive.
Setting a PAP Username and Password. To configure PAP authentication information for a WAN connection, you must move to the configuration mode context for the logical interface that provides the Data Link Layer for the connection. To set the username and password that the router will send in clear text over the wire, enter:
Syntax: ppp pap sent-username <username> password <password>
For example, you might enter:
ProCurve(config-ppp 1)# ppp pap sent-username SiteA password procurve
Note: PAP will be used only to authenticate this WAN connection. You do not have to actually enable the PAP protocol. It is perfectly acceptable for the local router to authenticate itself to a peer without requiring that peer to authenticate itself in turn.
Setting a CHAP Username and Password. You configure the router to authenticate itself from the PPP interface configuration mode context for the connection. For CHAP, you only have to set the password that the router will hash and send encrypted to the peer. Enter:
Syntax: ppp chap password <password>
The peer or ISP should provide this password. For example:
ProCurve(config-ppp 1)# ppp chap password procurve
The router automatically sends its hostname for its username. Make sure that this hostname actually matches that by which the peer identifies your router. (This can be particularly important when authenticating to an ISP.) If necessary, you can override the hostname with a different username by entering:
Syntax: ppp chap hostname <username>
For example, you might enter:
ProCurve(config-ppp 1)# ppp chap hostname ProcurveA
Recording PPP Authentication Information. If you are configuring PPP authentication, you may want to print Table 6-2 and enter the information for your router.
Table 6-2. PPP Authentication Worksheet
Option / Your Setting:
■ PPP interface number
■ authentication protocol
■ Are you requiring the peer to authenticate itself? Yes/No
■ peer username
■ peer password
■ Are you authenticating to the peer? Yes/No
■ local router’s username
■ local router’s password
This worksheet will help you enter the PPP authentication command for your router.
Additional Settings
Depending on your company’s WAN environment, you may want to configure other settings on the PPP interface.
Configure a Secondary IP Address for the Interface. You can configure a secondary IP address on an interface if the interface supports more than one subnet. For example, the LAN you connect to an Ethernet interface may require more IP addresses than the primary subnet can provide.
Note: When using secondary IP addresses, avoid routing loops by verifying that all devices on the network segment are configured with secondary IP addresses on the secondary subnet.
From the PPP interface configuration mode context, enter:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length> secondary
Replace <A.B.C.D> with the secondary IP address and replace <subnet mask> with the corresponding subnet mask. Instead of specifying a subnet mask, you can replace </prefix length> with the CIDR notation. Finally, include the secondary option.
For example, you might enter:
ProCurve(config-ppp 1)# ip address 192.168.115.1 255.255.255.0 secondary
You can include an unlimited number of secondary IP addresses.
To remove a secondary IP address, enter:
Syntax: no ip address <A.B.C.D> <subnet mask | /prefix length> secondary
Set the MTU. The maximum transmission unit (MTU) defines the largest size that a PPP frame can be. If a frame exceeds this size, it must be fragmented. By default, the MTU for PPP interfaces is 1500 bytes. To change this setting, enter:
Syntax: mtu <size>
Replace <size> with a number between 64 and 1520.
For most environments, you should leave the MTU at 1500. In some cases, however, you may need to adjust the MTU size. For example, you need to evaluate MTU size if:
■ The interface is connected to another router that uses a different MTU size.
■ The interface is used in a PPP over Ethernet (PPPoE) environment. (For more information about PPPoE, see Chapter 7: ADSL WAN Connections.)
If two PPP peers use different MTU sizes, this mismatch can affect transmissions and routing. For example, if the PPP peer has a smaller MTU and your router sends a frame that exceeds that size, the PPP peer will have to fragment the frame. If the frame is tagged with the “do not fragment” field, then the router cannot forward the frame.
If you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router, you should be especially careful when setting the MTU. OSPF routers cannot become adjacent if their MTU sizes do not match. You should ensure that the MTU on the router at the far-end of the PPP connection is using the same MTU as the router you are configuring.
You may also need to configure the MTU for PPPoE. When two devices initiate a PPPoE session, they negotiate an MTU of 1492 bytes because the payload of an Ethernet frame cannot exceed 1500 bytes. With the overhead created by PPP, the PPPoE frame is 1500 bytes.
Typically, the two PPPoE devices will negotiate the MTU size of 1492. If there are problems, however, you may need to manually configure the MTU.
Adding a Description. You can add a description to the PPP interface if you want to document information about it. For example, if you have configured multiple PPP interfaces, you may want to document how each PPP interface is being used. To create a description, enter:
Syntax: description <line>
Replace <line> with a phrase up to 80 characters. For example, you might enter:
ProCurve(config-ppp 1)# description WAN link to Denver office
This description is displayed only when you enter the show running-config command. From the enable mode context, enter:
ProCurve# show running-config
You must then scroll through the running-config to find the interface ppp 1 heading. To view only the running-config for the PPP 1 interface, enter:
ProCurve# show running-config interface ppp 1
Configuration information such as the following is displayed:
interface ppp 1
  description WAN link to Denver office
  ip address 192.168.1.1 255.255.255.0
  bind 1 ser 1/1 ppp 1
  no shutdown
Settings Explained in Other Chapters
In addition to configuring these settings for the PPP interface, you can:
■ assign access control policies (ACPs) or access control lists (ACLs) to the PPP interface
■ assign crypto maps to enable virtual private networks (VPNs)
■ configure settings for routing protocols
■ enable bridging
Table 6-3 lists additional configurations that you can enter from the PPP interface and the page number where you find information about those configurations.
Table 6-3. Additional Configuration Settings for the PPP Interface
Settings / Configuration Guide / Page Number:
■ access controls to filter incoming and outgoing traffic: Advanced, pages 5-18 and 5-37
■ bridging: Basic, page 10-6
■ VPNs: Advanced, page 8-46
■ routing commands for OSPF, RIP, or BGP: Advanced, page 13-1
■ quality of service settings: Advanced, page 7-28
Frame Relay Overview
For companies that can accept lower transmission speeds during peak usage times, Frame Relay provides a more affordable WAN solution than a dedicated E1- or T1-carrier line. Frame Relay can run over a variety of physical WAN connections, including E1- and T1-carrier lines. Whatever the physical WAN connection is, Frame Relay allocates bandwidth on that connection dynamically. As a result, public carriers provide a subscriber with bandwidth only when that subscriber requires it.
Frame Relay cuts costs both for public carriers and subscribers because it minimizes idle bandwidth: Public carriers can allocate the same bandwidth to multiple subscribers, and subscribers do not pay for bandwidth that they do not use.
When companies purchase Frame Relay service, they negotiate a Service Level Agreement (SLA) that specifies a Committed Information Rate (CIR), the amount of bandwidth they can use. The CIR is contractually guaranteed bandwidth, rather than physically guaranteed as with dedicated E1- or T1-carrier lines. If Frame Relay carriers do not provide the CIR, however, they can be fined. Consequently, carriers usually ensure that the bandwidth stipulated in the CIR is available to the customer. (See Figure 6-5.)
Figure 6-5. A Frame Relay Network Dynamically Allocates Bandwidth.
Packet-Switching Network
Frame Relay transfers data through multiple nodes in a shared network using packet switching. Frame Relay divides data into frames, and each frame travels through the network individually, passing from one Frame Relay switch to another in a non-fixed path, until the frames are reassembled at their destination.
Although frames can take multiple and variable paths through a shared network, two routers, which are identified by administratively assigned circuit IDs, define the fixed endpoints to a permanent virtual circuit (PVC). In a Frame Relay network, a PVC is a logical connection between two sites. (See Figure 6-6.)
Figure 6-5 diagram: the routers of Subscriber 1 and Subscriber 2 connect over Frame Relay over T1 to Frame Relay switches at the public carrier’s CO. One subscriber transmits an average of 768 Kbps with bursts to 900 Kbps; the other transmits an average of 640 Kbps with bursts to 832 Kbps.
Figure 6-6. A PVC Connects Two Endpoints in the Frame Relay Network.
Components of a Frame Relay Network
The Frame Relay network consists of several components, each of which has a specific role.
■ user, or data terminal equipment (DTE)
■ network, or data communications equipment (DCE)
■ network-to-network interfaces (NNI)
■ user-to-network interfaces (UNI)
When you configure Frame Relay on the ProCurve Secure Router, you must define the role that the router will perform in the Frame Relay network. (See Figure 6-7.)
Figure 6-6 diagram: a PVC between Subscriber 1 and Subscriber 2 runs from each subscriber’s router over Frame Relay over T1 through the Frame Relay switches at the public carrier’s CO.
Figure 6-7. Components in a Frame Relay Network
DTE. The DTE receives data from the LAN in the form of multiple protocol packets and encapsulates each packet into a Frame Relay frame. The header of such a frame is called the Data Link Connection Identifier (DLCI) and contains the frame’s ultimate destination.
You can configure the DTE to manage congestion and maintain quality of service. For example, the DTE can manipulate the actual size of each frame sent through the network. It also can buffer and fragment packets to reserve bandwidth for particular circuits and ensure quality of service for time-sensitive packets such as voice applications.
DCE. In a Frame Relay network, the DCE is the Frame Relay switch, which establishes and maintains the Frame Relay connection. After receiving frames from the DTE, the DCE converts these frames into signals supported by the physical media of the network. The DCE also reads the DLCI on incoming packets, checks its switch lookup table, and then forwards data to the appropriate outgoing port, which leads to the correct virtual endpoint.
UNI. UNIs connect the DTE to the DCE and provide access to the Frame Relay network.
NNI. NNIs connect a DCE to a DCE, using bidirectional signaling. That is, NNIs connect one Frame Relay switch to another.
DLCI
As mentioned earlier, the DTE marks each outgoing frame with a DLCI, a 10-bit field in the Address Field of the Frame Relay header. The switch reads the DLCI to determine the appropriate PVC endpoint to which to send the frame. DLCIs are locally, not globally, significant. (See Figure 6-8.)
Figure 6-7 diagram: routers (DTE) attach to Frame Relay switches (DCE) over UNIs (DTE to DCE); the switches connect to one another over NNIs (DCE to DCE).
The 10-bit field enables 1024 possible DLCI numbers, but some are reserved for special purposes:
■ 0 signals Annex A and D
■ 1-15 and 1008-1022 are reserved
■ 1023 signals the Link Management Interface (LMI)
The remaining 976 DLCI numbers between 16 and 1007 are available to users. Your Frame Relay service provider will assign you a DLCI.
Figure 6-8. The DLCI Identifies the PVC Endpoint.
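The 10-bit DLCI, the reserved ranges above, and the switch's DLCI lookup, worked through in Python as an added example (not code from the manual). It assumes the standard two-byte Q.922 address field layout (6 high DLCI bits and C/R in the first byte; 4 low DLCI bits, FECN, BECN and DE in the second; EA bits 0 then 1), which the manual does not spell out; the switch table and frames are constructed.

```python
"""Frame Relay address field (Q.922, 2-byte form) parser and a tiny DCE switch.

Constructed example. The two address bytes carry the 10-bit DLCI: the 6 high
bits sit in byte 0 (bits 7..2) with C/R (bit 1) and EA=0 (bit 0); the 4 low
bits sit in byte 1 (bits 7..4) with FECN (3), BECN (2), DE (1) and EA=1 (0).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    dlci: int
    cr: bool = False
    fecn: bool = False
    becn: bool = False
    de: bool = False


def classify_dlci(dlci: int) -> str:
    """Apply the reserved ranges listed in the manual to a DLCI value."""
    if not 0 <= dlci <= 1023:
        raise ValueError(f"DLCI {dlci} does not fit in 10 bits")
    if dlci == 0:
        return "signaling (Annex A/D)"
    if 1 <= dlci <= 15 or 1008 <= dlci <= 1022:
        return "reserved"
    if dlci == 1023:
        return "LMI"
    return "user"


def parse_address(hdr: bytes) -> Address:
    """Decode the 2-byte address field; rejects a wrong EA bit pattern."""
    if len(hdr) < 2:
        raise ValueError("address field needs 2 bytes")
    b0, b1 = hdr[0], hdr[1]
    if b0 & 0x01 or not (b1 & 0x01):
        raise ValueError("EA bits must be 0 then 1 for a 2-byte address")
    dlci = (((b0 >> 2) & 0x3F) << 4) | ((b1 >> 4) & 0x0F)
    return Address(dlci, cr=bool(b0 & 0x02), fecn=bool(b1 & 0x08),
                   becn=bool(b1 & 0x04), de=bool(b1 & 0x02))


def encode_address(a: Address) -> bytes:
    """Inverse of parse_address; range-checks the DLCI first."""
    classify_dlci(a.dlci)
    b0 = (((a.dlci >> 4) & 0x3F) << 2) | (0x02 if a.cr else 0)
    b1 = ((a.dlci & 0x0F) << 4) | (0x08 if a.fecn else 0) | (0x04 if a.becn else 0) \
        | (0x02 if a.de else 0) | 0x01
    return bytes([b0, b1])


def switch_frame(table: dict[tuple[int, int], tuple[int, int]], in_port: int,
                 frame: bytes) -> tuple[int, bytes]:
    """Forward a frame the way the DCE does: look up (port, DLCI), rewrite the DLCI.

    DLCIs are locally significant, so the outgoing frame carries the DLCI the
    next hop knows, not the one it arrived with. Only user DLCIs are forwarded;
    signaling, LMI and reserved values are handled by the switch itself.
    """
    addr = parse_address(frame[:2])
    kind = classify_dlci(addr.dlci)
    if kind != "user":
        raise ValueError(f"DLCI {addr.dlci} is {kind}, not a PVC")
    try:
        out_port, out_dlci = table[(in_port, addr.dlci)]
    except KeyError:
        raise ValueError(f"no PVC for DLCI {addr.dlci} on port {in_port}") from None
    new_addr = Address(out_dlci, cr=addr.cr, fecn=addr.fecn, becn=addr.becn, de=addr.de)
    return out_port, encode_address(new_addr) + frame[2:]


if __name__ == "__main__":
    # Constructed switch table: DLCI 16 arriving on port 1 leaves port 2 as DLCI 18.
    table = {(1, 16): (2, 18)}
    print(parse_address(b"\x04\x01"), classify_dlci(16))
    print(switch_frame(table, 1, b"\x04\x01payload"))
```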
Create the Frame Relay Interface
To begin configuring Frame Relay as the Data Link Layer protocol for an E1, T1, or serial interface, you must create a logical interface. From the global configuration mode context, enter:
Syntax: interface <interface> <number>
Replace <interface> with frame-relay; you can also use the shortcut fr. Replace <number> with any number between 1 and 1024. Each Frame Relay interface that you create on the router must have a unique number.
For example, if you are configuring the first Frame Relay interface on the router, you might enter:
ProCurve(config)# interface frame-relay 1
The router prompt indicates that you have entered the proper interface configuration mode context:
ProCurve(config-fr 1)#
Figure 6-8 diagram: three routers (DTE) attach over UNIs to a Frame Relay switch (DCE), using DLCI 16, DLCI 17, and DLCI 18. Each Frame Relay switch keeps a table of PVC endpoints and their DLCIs.
From this configuration mode context, you can enter the ? help command to display the commands available from this configuration mode context.
ProCurve(config-fr 1)# ?
Table 6-4 shows the main settings that you must configure for an E1, T1, or serial interface that uses Frame Relay.
Table 6-4. Frame Relay Configuration Options
e1 interface configuration mode context (page 4-10):
• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the E1 connection
• coding [ami | hdb3]: defines the line coding
• frame format [e1 | crc4]: defines the frame format
• clock source [internal | line | through]: defines the clock source, or timing, for the connection
• no shutdown: activates the interface
t1 interface configuration mode context (page 4-10):
• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the T1 connection
• coding [ami | b8zs]: defines the line coding
• frame format [esf | d4]: specifies the frame format
• clock source [internal | line | through]: defines the clock source
• no shutdown: activates the interface
serial interface configuration mode context (page 5-12):
• serial-mode [EIA530 | V35 | X21]: configures the serial interface to support the appropriate cable
• et-clock-source [txclock | rxclock]: configures the serial interface to take the clock from the transmit signal, txclock, or from the receive signal, rxclock
• no shutdown: activates the interface
frame-relay interface configuration mode context (page 6-25):
• no shutdown: activates the interface
• frame-relay intf-type [dte | dce | nni]: defines the signaling role as user, network, or both
• frame-relay lmi-type [ansi | auto | cisco | none | q933a]: defines the Frame Relay signaling type
frame-relay subinterface configuration mode context (page 6-28):
• frame-relay interface-dlci <dlci>: defines the DLCI for the PVC
• ip address <A.B.C.D> <subnet mask | /prefix length>: defines a static IP address for the interface
or
• ip address dhcp {client-id [ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH] | hostname <word>}
• ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]: configures the Frame Relay subinterface as a DHCP client
or
• ip unnumbered <interface>: configures the Frame Relay subinterface as an unnumbered interface, which takes its IP address from another interface
global configuration or interface configuration mode context (page 6-35):
• bind <number> <physical interface> <slot>/<port> [<tdm-group number>] frame-relay <interface number>: binds the physical interface to the logical interface; requires the tdm-group number for E1 and T1 interfaces (but not for serial interfaces)
The Frame Relay settings are described in the sections that follow.
Activate the Frame Relay Interface
You must activate the Frame Relay interface. From the Frame Relay interface configuration mode context, enter:
ProCurve(config-fr 1)# no shutdown
Define the Signaling Role
You must configure the signaling role that the ProCurve Secure Router will fulfill in the Frame Relay network. With few exceptions, the ProCurve Secure Router will function as the user, or DTE, and consequently, this is the default setting.
However, the other options are available if you should ever need to change the signaling role. For example, if you are setting up a test WAN to determine if your applications will run over a Frame Relay connection, you may need to configure the router as a DCE.
To configure the signaling role, enter the following command from the Frame Relay interface configuration mode context:
Syntax: frame-relay intf-type [dte | dce | nni]
Define the Frame Relay Signaling Type
You must configure the Frame Relay interface to use the same signaling type that your Frame Relay service provider uses. From the Frame Relay interface configuration mode context, enter:
Syntax: frame-relay lmi-type [ansi | auto | cisco | none | q933a]
Table 6-5 maps the Frame Relay signaling type to the setting that you must enter for the frame-relay lmi-type command.
Table 6-5. Frame Relay Signaling
Signaling type / Option / Complete Command:
■ Annex D: ansi (frame-relay lmi-type ansi)
■ detect signaling type from incoming message: auto (frame-relay lmi-type auto)
■ Cisco LMI: cisco (frame-relay lmi-type cisco)
■ no signaling (disables signaling role as well): none (frame-relay lmi-type none)
■ Annex A: q933a (frame-relay lmi-type q933a)
For example, to set the signaling type to auto, enter the following command from the Frame Relay interface configuration mode context:
ProCurve(config-fr 1)# frame-relay lmi-type auto
The default setting is ansi.
Configure Frame-Relay Counters
The Frame Relay counters monitor status polls sent and received, track errors, and change the endpoint’s signaling status from up to down, depending on the number of errors counted within a set frame of events. Although you can tailor the counter settings to your system, most applications do not require special settings, so you should keep the default settings.
Table 6-6 lists the Frame Relay counters, the possible settings, and the polls that each one controls.
Table 6-6. Frame Relay Counters
Frame Relay Counter (Possible Settings; Default Setting): Description
■ frame-relay lmi-n391dce <polls> (1-255; default 6): Configures how many link integrity polls occur between the full-status polls. Configure this setting for the DCE endpoint.
■ frame-relay lmi-n391dte <polls> (1-255; default 6): Configures how many link integrity polls occur between the full-status polls. Configure this setting for the DTE endpoint.
■ frame-relay lmi-n392dce <threshold> (1-10; default 3): Configures an error threshold number for the DCE. If the error threshold is met, the signaling status is changed to down, which indicates a service-affecting condition. This condition is cleared after this number of consecutive error-free N393 events are received.
■ frame-relay lmi-n392dte <threshold> (1-10; default 3): Configures an error threshold number for the DTE. If the error threshold is met, the signaling status is changed to down, which indicates a service-affecting condition. This condition is cleared after this number of consecutive error-free N393 events are received.
■ frame-relay lmi-n393dce <counter> (1-10; default 4): Configures the LMI-monitored event counter for the DCE endpoint.
■ frame-relay lmi-n393dte <counter> (1-10; default 4): Configures the LMI-monitored event counter for the DTE endpoint.
■ frame-relay lmi-t391dte <seconds> (5-30 seconds; default 10 seconds): Sets the T391 signal-polling timer for the DTE endpoint.
■ frame-relay lmi-t392dce <seconds> (5-30 seconds; default 10 seconds): Sets the T392 polling-verification timer for the DCE endpoint.
You can use the no command to return counters to their default settings.
Create the Frame Relay Subinterface
You must create a Frame Relay subinterface for each PVC that you want to establish through this Frame Relay interface. To create a Frame Relay subinterface, enter the following command from the global configuration context or from the Frame Relay interface configuration mode context:
Syntax: interface frame-relay <number.subinterface number>
Replace the first number in <number.subinterface number> with the number of the Frame Relay interface that you have already configured. Then replace subinterface number with any number between 16 and 1007. Using the same number as the subinterface’s DLCI can help you keep track of the subinterface and troubleshoot any errors.
For example, if your public carrier has assigned your company a DLCI of 16, enter:
ProCurve(config-fr 1)# interface frame-relay 1.16
You are then moved to the Frame Relay subinterface configuration mode context, which is reflected in the router prompt:
ProCurve(config-fr 1.16)#
From the Frame Relay subinterface configuration mode context, you can configure a variety of settings for the connection, including the MTU size and excess burst rate. However, to initially establish the sublink, you only need to assign it a DLCI.
Assign a DLCI to the Frame Relay Subinterface
The Frame Relay service provider assigns each PVC endpoint a DLCI on the Frame Relay switch, and the switch maintains a table of each DLCI so that it can pass traffic through an outbound port uniquely associated with a specific peer. Your Frame Relay service provider should tell you the DLCI for the PVC.
To assign the DLCI to the Frame Relay interface, enter the following command from the Frame Relay subinterface configuration mode context:
Syntax: frame-relay interface-dlci <DLCI>
Replace <DLCI> with a valid DLCI number, ranging from 16 to 1007. You must assign a different DLCI to each PVC established on the same router.
For example, if the Frame Relay service provider assigned your company a DLCI of 16, enter:
ProCurve(config-fr 1.16)# frame-relay interface-dlci 16
Configure the IP Address for the WAN Connection
You configure the IP address for the WAN connection on the Frame Relay subinterface, rather than on the physical interface or the Frame Relay interface. There are several ways to assign an IP address to the Frame Relay subinterface:
■ assign a static IP address
■ configure the Frame Relay subinterface as a DHCP client
■ configure the Frame Relay subinterface as an unnumbered interface
Configuring a Static IP Address. From the Frame Relay subinterface configuration mode context, enter:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For <subnet mask>, you can enter the complete subnet mask or replace </prefix length> with the CIDR notation. For example, you might enter:
ProCurve(config-fr 1.16)# ip address 10.10.2.1 /30
Configure the Frame Relay Subinterface as a DHCP Client. Your Frame Relay service provider may want to dynamically assign your router an IP address for each Frame Relay PVC. To enable a Frame Relay subinterface to use DHCP to obtain an IP address, use one of the following commands:
Syntax: ip address dhcp {client-id [ethernet 0/<port number> | HH:HH:HH:HH:HH:HH:HH] | hostname <word>}
Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]
In addition to enabling the DHCP client for the Frame Relay subinterface, this command allows you to configure the settings shown in Table 6-7.
Table 6-7. Default Settings for the DHCP Client
Option: Use (Default Setting)
■ client-id: configures the client identifier displayed in the DHCP server’s table (default: media type and interface’s MAC address)
■ hostname: configures the hostname displayed in the DHCP server’s table (default: router hostname)
■ no-default-route: specifies that the DHCP client should not accept the default route obtained through DHCP (default: accept default route from the DHCP server)
■ no-domain-name: specifies that the DHCP client should not accept the domain name included with the other lease settings that the DHCP server sends (default: accept the domain name setting from the DHCP server)
■ no-nameservers: specifies that the DHCP client should not accept the DNS setting included with the other lease settings that the DHCP server sends (default: accept DNS settings from the DHCP server)
Before you enable the DHCP client, you must decide whether or not you want to configure the settings listed in Table 6-7, and you must then include the settings in the same command that you enter to enable the DHCP client. After you enable the DHCP client, it immediately begins to search for a DHCP server and negotiate a lease. You cannot impose settings on that lease after it is established.
Accepting the Default Settings. If you want to use default DHCP settings for the Frame Relay subinterface, you can simply enter:
ProCurve(config-fr 1.16)# ip address dhcp
The DHCP client on the Frame Relay subinterface will immediately begin to send DHCP discovery messages to find a DHCP server. When a DHCP server responds, the client will negotiate an IP address.
The DHCP client will send DHCP discovery messages whether or not the Frame Relay subinterface is activated or a valid connection has been established. It will continue to send DHCP discovery messages until a DHCP server responds.
You should ensure that the DHCP client receives an IP address so that these discovery messages do not consume router resources or bandwidth on your Frame Relay link. To determine whether the Frame Relay subinterface has been assigned an IP address, enter the following command from the enable mode context:
ProCurve# show interface frame-relay <number.subinterface number>
Configuring a Client Identifier. By default, the Secure Router OS populates the client identifier with the media type and the interface’s media access control (MAC) address. You can specify that the DHCP client uses the MAC address of an Ethernet port, or you can change the client identifier to a customized MAC address.
To configure a client identifier when you enable the DHCP client, enter:
Syntax: ip address dhcp client-id [ethernet 0/<port number> | HH:HH:HH:HH:HH:HH:HH]
When you configure the client identifier, you can also configure a hostname, as explained in the next section.
Configuring a Hostname. The Secure Router OS uses the hostname configured for the router as the Frame Relay subinterface’s default DHCP client hostname. If you want to override this hostname when you enable the DHCP client, enter the following command:
Syntax: ip address dhcp hostname <word>
For example, you might want to specify that the hostname is RouterB. In this case, you would enter:
ProCurve(config-fr 1.1)# ip address dhcp hostname RouterB
When you specify the hostname, you can also configure a client identifier at the same time, as shown below.
ProCurve(config-fr 1.1)# ip address dhcp client-id ethernet 0/1 hostname RouterB
If you enter this command, the DHCP client will use the MAC address of the Ethernet 0/1 interface as its client identifier, and it will use the hostname RouterB.
Alternatively, you can specify the hostname and configure the client to ignore the settings received from the DHCP server. These commands are described in the following sections.
Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default-route, a domain name, or a domain name system (DNS) server, the DHCP client for the Frame-Relay subinterface will accept and use these settings. If you do not want to use any or one of these settings, enter the appropriate option when you enable the DHCP client:
Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]
For example, if you do not want the DHCP client to use the default route and name server settings that it receives from the DHCP server, enter:
ProCurve(config-fr 1.1)# ip address dhcp no-default-route no-nameservers
Changing a Setting for the DHCP Client. If you want to change a setting for the DHCP client, you must first disable the client. Then you can enter the command to enable the client with the setting that you want to change.
Before you disable the client, you should release the IP address obtained through DHCP. This will prevent the DHCP server from holding the IP address and allow it to assign the IP address to another client.
Releasing or Renewing an IP address. If you want to manually force the Frame Relay subinterface to release or renew an IP address, enter these commands from the Frame Relay subinterface configuration mode context:
ProCurve(config-fr 1.1)# ip dhcp release
ProCurve(config-fr 1.1)# ip dhcp renew
Remove the DHCP Client Setting. If you decide that you no longer want the Frame-Relay subinterface to be a DHCP client, enter:
ProCurve(config-fr 1.1)# no ip address dhcp
Configure the Frame Relay Subinterface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the Frame Relay subinterface as an unnumbered interface. When you assign a logical interface on the router an IP address, that IP address cannot overlap with the IP addresses assigned to other logical interfaces. As a result, each interface that has an IP address represents a subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.
You can configure the Frame Relay subinterface as an unnumbered interface that uses the IP address assigned to another interface. The Secure Router OS uses the IP address of the specified interface when sending route updates over the unnumbered interface.
Before configuring the Frame Relay subinterface as an unnumbered interface, you should be aware of a potential disadvantage: If the interface to which the IP address is actually assigned goes down, the Frame Relay subinterface will be unavailable. For example, suppose you configure Frame Relay 1.16 as an unnumbered interface that takes its IP address from the Ethernet 0/1 interface. If the Ethernet 0/1 interface goes down, the Frame Relay 1.16 subinterface will be unavailable as well.
To minimize the chances of the interface with the IP address going down, you can assign the IP address to a loopback interface, which typically does not go down.
To configure a Frame Relay subinterface as an unnumbered interface, enter the following command from the Frame Relay subinterface configuration mode context:
Syntax: ip unnumbered <interface>
Valid interfaces include:
■ Ethernet interfaces and subinterfaces
■ other Frame Relay subinterfaces
■ PPP interfaces
■ HDLC interfaces
■ loopback interfaces
■ Asynchronous Transfer Mode (ATM) subinterfaces
■ demand interfaces
For example, you would enter the following commands to configure a loopback interface and then configure the Frame Relay 1.16 subinterface to use the IP address assigned to that loopback interface:
ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 10.1.1.1 /30
ProCurve(config-loop 1)# interface fr 1.16
ProCurve(config-fr 1.16)# ip unnumbered loopback 1
Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface changes to up after you enter the interface loopback <interface number> command.
Set the CIR
You can configure the CIR for the Frame Relay link using the frame-relay bc command. As explained earlier, the CIR is the bandwidth that your Frame Relay service provider guarantees your company.
The CIR is calculated from the Bc, which is the maximum number of bits that the Frame Relay carrier guarantees to forward during a certain interval of time (T). The CIR is equal to Bc/T.
You should set a Bc for each Frame Relay subinterface to ensure that the PVC does not exceed its CIR. Some Frame Relay service providers may charge your company extra if your company consistently transmits over its CIR.
The industry standard is to calculate the time interval as 1 second. As a result, the Bc is essentially the CIR. To set the CIR, enter the following command from the Frame Relay subinterface configuration mode context:
Syntax: frame-relay bc <committed burst value>
Replace <committed burst value> with your CIR expressed in bits. You can set a Bc between 0 and 4,294,967,294 bps.
For example, you might enter:
ProCurve(config-fr 1.1)# frame-relay bc 256000
Set the EIR
When your company negotiated an SLA, the terms of that agreement probably allowed for a burst rate on the Frame Relay connection. This burst rate is called the Excess Information Rate (EIR), which defines the maximum amount of traffic your company is allowed to send over its CIR.
The Be sets the maximum number of bits that the router can transmit during T. Just as Bc is equal to the CIR, Be is equal to the EIR. Be determines the rate at which the ProCurve Secure Router can burst data above the CIR when there is no congestion on the Frame Relay network.
Note: If you enter a value for the frame-relay bc command, you should also configure a burst rate for the Frame Relay link. Otherwise, the link will be limited to the bandwidth you specified in the frame-relay bc command.
Together, the frame-relay bc and the frame-relay be commands define the amount of bandwidth you can use on the Frame Relay link. The sum of the values you specify for these two commands should be greater than 8000.
To configure the EIR for the Frame-Relay link, enter:
Syntax: frame-relay be <excessive burst value>
Replace <excessive burst value> with a burst rate, expressed in bits. You can set a Be between 0 and 4,294,967,294 bps.
For example, you might enter:
ProCurve(config-fr 1.1)# frame-relay be 64000
Discard Eligible (DE) Bit. After a PVC reaches its CIR, the Frame Relay switch marks each packet with a Discard Eligible (DE) bit. For example, if a PVC’s Bc is 1.0 Mb, its Be is 1.5 Mb, and it is transmitting traffic at full capacity, then the Frame Relay switch will set the DE bit on the last 500 kilobytes of packets. If the Frame Relay network becomes congested, the Frame Relay switch first drops the packets that are marked with the DE bit.
Bind the Physical Interface to the Logical Interface
On the ProCurve Secure Router, you must bind the physical interface to the logical interface so that the router knows which Data Link Layer protocol to use for that WAN connection. When you bind a physical interface to a logical interface, the two are considered a single interface bind group.
You bind the physical interface to the Frame Relay interface, not to individual subinterfaces. In this way, various PVCs can use any available bandwidth on the physical connection to burst data past their CIR. You can enter the bind command from the global configuration mode context or from the Frame Relay interface configuration mode context:
Syntax: bind <bind number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>
The <bind number> is globally significant. That is, each bind command you enter on the router must have a unique bind number.
Replace <physical interface> with E1, T1, or serial. The <slot> and <port> pinpoint this interface’s location on the ProCurve Secure Router and distinguish multiple lines of the same type from each other.
If you are binding the Frame Relay interface to an E1 or T1 interface, replace <tdm-group number> with the TDM group you created when you configured that interface. If you are binding the serial interface to the Frame Relay interface, you do not include this option.
In this instance, the <logical interface> is Frame Relay, and the <logical interface number> refers to the number you assigned to this interface.
For example, if you want to bind the E1 1/1 interface to the Frame Relay 1 interface, enter:
ProCurve(config)# bind 1 e1 1/1 1 fr 1
Note: You bind the physical interface to the Frame Relay interface (not to the subinterface).
If you want to bind the serial 1/1 interface to the Frame Relay 1 interface, enter:
ProCurve(config)# bind 1 ser 1/1 fr 1
Note: When you bind a serial interface to the Frame Relay interface, you do not include a TDM group number because the serial interface does not use TDM groups.
To see an example configuration that uses Frame Relay, see “Example Networks” on page 6-46.
Additional Settings
Depending on your company’s WAN environment, you may want to configure other options on the Frame Relay interface or subinterface.
Configure a Secondary IP Address for the Subinterface. You can configure a secondary IP address on the Frame Relay subinterface. Enter:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length> secondary
Replace <A.B.C.D> with the secondary IP address and specify a subnet mask using the <subnet mask> option or the </prefix length> option. Finally, include the secondary option.
For example, you might enter:
ProCurve(config-fr 1.1)# ip address 192.168.115.1 255.255.255.252 secondary
To remove the secondary IP address, enter:
Syntax: no ip address <A.B.C.D> <subnet mask | /prefix length> secondary
You can include an unlimited number of secondary IP addresses.
Set the MTU. The MTU defines the largest size that a frame can be before it must be fragmented. The MTU size on the Frame Relay subinterface should match the MTU used by the remote router and the intervening network devices. Although you can match the MTU on your Frame Relay interface with that used by your public carrier’s equipment, you cannot ensure that all the intervening network devices will use the same MTU. To avoid any problems that may occur if an intervening network device is using a small MTU size, you may want to enable Frame Relay fragmentation. For more information about Frame Relay fragmentation, see the Advanced Management and Configuration Guide, Chapter 7: Setting Up Quality of Service.
Note: If you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router, you should take special care when setting the MTU. OSPF routers cannot become adjacent if their MTU sizes do not match.
By default, the MTU for Frame Relay subinterfaces is 1500 bytes. To change this setting, enter the following command from the Frame Relay subinterface configuration mode context:
Syntax: mtu <size>
Replace <size> with a number between 64 and 1520.
Adding a Description. You can add a description to a Frame Relay interface or subinterface if you want to document information about it. For example, if you have multiple PVCs configured on a Frame Relay interface, you may want to document the other end point of each PVC. In this case, you would enter the following command at the Frame Relay subinterface configuration mode context:
Syntax: description <line>
Replace <line> with a phrase up to 80 characters. For example, you might enter:
ProCurve(config-fr 1.16)# description WAN link to London office
This description is displayed when you enter the show running-config command. From the enable mode context, enter:
ProCurve# show running-config
You can also view the description by entering:
ProCurve# show running-config interface fr 1.16
This command displays the running-config settings for only the Frame Relay 1.16 subinterface, as shown below:
interface fr 1.16
 frame-relay interface-dlci 16
 description WAN link to London office
 ip address 192.168.1.1 255.255.255.0
 no shutdown
Settings Explained in Other Chapters
In addition to configuring these settings for Frame Relay, you can:
■ assign ACPs or ACLs to control access to the Frame Relay subinterface
■ enable bridging
■ assign crypto maps to enable VPNs
■ configure settings for routing protocols
■ configure Quality of Service (QoS) settings
Table 6-8 lists additional configurations that you can enter from the Frame Relay interface and subinterface and the page number where you can find information about those configurations.
Table 6-8. Additional Configurations for the Frame Relay
Settings | Apply to Frame Relay Interface or Subinterface | Configuration Guide | Page
access controls to filter incoming and outgoing traffic | Frame Relay subinterface | Advanced | 5-18, 5-37
bridging | Frame Relay subinterface | Basic | 10-6
VPNs | Frame Relay subinterface | Advanced | 8-46
routing commands for OSPF, RIP, or BGP | Frame Relay subinterface | Advanced | 13-1
QoS settings | Frame Relay interface | Advanced | 7-28
Configuring HDLC as the Data Link Layer Protocol
One of the oldest Data Link Layer protocols for a WAN, HDLC actually predates the PC. Although it was developed for a mainframe environment, which includes primary and secondary devices, HDLC has been updated for use in the PC environment. However, some functionality and terminology have survived from its early use, as evidenced by its modes of operation.
HDLC has three modes of operation:
Normal Response Mode (NRM). A secondary device can transmit only when the primary device specifically instructs it to do so.
Asynchronous Response Mode (ARM). A secondary device can initiate a transmission; however, the primary device controls the establishment and termination of the link.
Asynchronous Balanced Mode (ABM). Devices at both ends of a connection are configured to be both primary and secondary devices and can establish a link, transmit data without permission, and terminate a link.
When you configure the ProCurve Secure Router to use HDLC for an E1 or T1 connection, it operates in ABM.
HDLC uses three different types of frames:
■ Unnumbered frames establish a link.
■ Supervisory frames carry error and flow control information.
■ Information frames carry the Network Layer packets across the WAN link.
Create the HDLC Interface
To begin configuring HDLC as the Data Link Layer protocol for an E1, T1, or serial interface, you must create a logical interface. From the global configuration mode context, enter:
Syntax: interface <interface> <number>
Replace <interface> with HDLC and replace <number> with any number between 1 and 1024. Each HDLC interface you configure on the router must have a unique number.
For example, if you are configuring the first HDLC interface on the router, you could enter:
ProCurve(config)# interface hdlc 1
The router prompt indicates that you have entered the appropriate interface configuration mode context:
ProCurve(config-hdlc 1)#
From this configuration mode context, you can enter the ? help command to display the commands available from this configuration mode context.
ProCurve(config-hdlc 1)# ?
Table 6-9 shows the main settings that you must configure for an E1, T1, or serial interface that uses HDLC.
Table 6-9. Options for Configuring an E1, T1, or Serial Interface with HDLC
Interface configuration mode context: e1 (page 4-10)
• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the E1 connection
• coding [ami | hdb3]: defines the line coding
• frame format [e1 | crc4]: defines the frame format
• clock source [internal | line | through]: defines the clock source, or timing, for the connection
• no shutdown: activates the interface
Interface configuration mode context: t1 (page 4-10)
• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the T1 connection
• coding [ami | b8zs]: defines the line coding
• frame format [esf | d4]: defines the frame format
• clock source [internal | line | through]: defines the clock source, or timing, for the connection
• lbo long <value> | lbo short <value>: sets the level of the transmit signal
• no shutdown: activates the interface
Interface configuration mode context: serial (page 5-12)
• serial-mode [EIA530 | V35 | X21]: configures the serial interface to support the appropriate cable
• et-clock-source [txclock | rxclock]: configures the serial interface to take the clock from the transmit signal, txclock, or from the receive signal, rxclock
• no shutdown: activates the interface
Interface configuration mode context: hdlc (page 6-41)
• no shutdown: activates the interface
• ip address <A.B.C.D> <subnet mask | /prefix length>: assigns a static IP address to the HDLC interface
• ip unnumbered <interface>: alternatively, configures the HDLC interface to use the IP address assigned to another interface
Global configuration or interface configuration mode context (page 6-43)
• bind <number> <physical interface> <slot>/<port> [<tdm-group number>] hdlc <interface number>: binds the physical interface to the logical interface; requires the tdm-group number for E1 and T1 interfaces, but not for serial interfaces
The HDLC settings are described in the sections that follow.
Activate the HDLC Interface
You must activate the HDLC interface. From the HDLC interface configuration mode context, enter:
ProCurve(config-hdlc 1)# no shutdown
Although the HDLC interface is activated, its status will not change to up until it is bound to a physical interface. It can then begin to negotiate an HDLC session, and if that negotiation is successful, the status of the HDLC interface will change to up.
Configure an IP Address for the WAN Connection
You configure the IP address for the WAN connection on the HDLC interface, rather than on the physical interface. There are two ways to assign an IP address to the HDLC interface:
■ assign a static IP address
■ configure the HDLC interface as an unnumbered interface
Assign a Static IP Address. To assign the HDLC interface an IP address, enter the following command from the HDLC interface configuration mode context:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
You can replace <subnet mask> with the complete subnet mask, or you can replace </prefix length> with the CIDR notation. For example, you might enter:
ProCurve(config-hdlc 1)# ip address 10.1.1.1 /24
Configure the HDLC Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the HDLC interface as an unnumbered interface. When you assign a logical interface an IP address, that IP address cannot overlap with the IP addresses assigned to other logical interfaces on your network. As a result, each interface that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.
You can configure the HDLC interface (and other interfaces on the ProCurve Secure Router) as an unnumbered interface. The HDLC interface will then use the IP address of another interface—the interface you specify. The Secure Router OS uses the IP address of the specified interface when sending route updates over the unnumbered interface.
Configuring the HDLC interface as an unnumbered interface has a potential disadvantage: If the interface to which the IP address is actually assigned goes down, the HDLC interface will be unavailable as well. For example, suppose you configure the HDLC 1 interface as an unnumbered interface that takes its IP address from the Ethernet 0/1 interface. If the Ethernet 0/1 interface goes down, the HDLC 1 interface will also be unavailable.
To minimize the chances of the interface with the IP address going down, you can assign the IP address to a loopback interface, which typically does not go down.
To configure the HDLC interface as an unnumbered interface, enter the following command from the HDLC interface configuration mode context:
Syntax: ip unnumbered <interface>
Valid interfaces include:
■ ATM subinterfaces
■ Ethernet interfaces and subinterfaces
■ Frame Relay subinterfaces
■ loopback interfaces
■ PPP interfaces
■ demand interfaces
For example, you would enter the following commands to configure a loopback interface and then configure the HDLC 1 interface to use the IP address assigned to that loopback interface:
ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 192.168.5.1 /24
ProCurve(config-loop 1)# interface hdlc 1
ProCurve(config-hdlc 1)# ip unnumbered loopback 1
Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface changes to up after you enter the interface loopback command.
Bind the Physical Interface to the Logical Interface
On the ProCurve Secure Router, you must bind the physical interface to the logical interface so that the router knows which Data Link Layer protocol to use for that WAN connection. When you bind a physical interface to a logical interface, the two are considered a single interface bind group.
You can enter the bind command from the global configuration mode context or from the HDLC interface configuration mode context:
Syntax: bind <bind number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>
Replace <bind number> with a number that is globally significant. That is, each bind command you enter on the router must have a unique bind number.
Replace <physical interface> with E1, T1, or serial. Replace <slot> and <port> with the numbers that identify the physical interface’s location on the ProCurve Secure Router.
If you are binding the HDLC interface to an E1 or T1 interface, include the <tdm-group number> that you created when you configured the E1 or T1 interface. If you are binding the HDLC interface to a serial interface, you do not include this option.
Replace <logical interface> with hdlc and the <logical interface number> with the number you assigned to this interface.
For example, if you want to bind the T1 2/1 interface to the HDLC 1 interface, enter:
ProCurve(config)# bind 1 t1 2/1 1 hdlc 1
If you want to bind the serial interface to the HDLC interface, enter:
ProCurve(config)# bind 1 serial 1/1 hdlc 1
Note: If you are binding a serial interface to the HDLC interface, you do not include the TDM group number because you do not use TDM groups on a serial interface.
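The bind rules given for Frame Relay (page 6-35) and for HDLC above (unique bind numbers, a TDM group number for E1 and T1 but not for serial, binding to the Frame Relay interface rather than a subinterface), together with the frame-relay bc/be limits and the unnumbered-interface caveat, can be checked mechanically against a saved running-config. The following Python audit is an added example, not Secure Router OS or ProCurve code; the running-config it parses is a constructed sample for a hypothetical router written in the style of Figure 6-10, and the only rules it encodes are those this chapter states.

```python
import re
from collections import defaultdict

BC_BE_MAX = 4_294_967_294   # upper limit this chapter gives for frame-relay bc / be
MIN_BC_PLUS_BE = 8000       # this chapter: the sum of bc and be should exceed 8000

BIND_RE = re.compile(
    r"^bind (\d+) (e1|t1|serial|ser) (\d+/\d+)(?: (\d+))? (fr|frame-relay|hdlc|ppp) (\S+)$")
RATE_RE = re.compile(r"^frame-relay (bc|be) (\d+)$")

# Constructed sample for a hypothetical router, seeded with rule violations.
SAMPLE_CONFIG = """\
interface fr 1 point-to-point
 no shutdown
 bind 2 e1 1/2 1 frame-relay 1
!
interface fr 1.16 point-to-point
 frame-relay interface-dlci 16
 frame-relay bc 1600000
 frame-relay be 128000
 ip unnumbered loopback 1
!
interface fr 1.17 point-to-point
 frame-relay interface-dlci 17
 frame-relay bc 4000
 ip unnumbered ethernet 0/1
!
interface hdlc 1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 bind 2 t1 2/1 hdlc 1
 bind 3 serial 1/1 2 fr 1.16
"""

def parse_stanzas(text):
    """Map 'fr 1.16' -> its indented setting lines (show running-config layout)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" ") and line.startswith("interface "):
            current = " ".join(line.split()[1:3])   # drop 'interface' and trailing options
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def check_bind(owner, line, bind_owners):
    """Bind rules: tdm-group only for E1/T1; Frame Relay binds go to the interface."""
    m = BIND_RE.match(line)
    if not m:
        return [f"{owner}: unrecognised bind syntax '{line}'"]
    num, phys, _loc, tdm, logical, lnum = m.groups()
    bind_owners[num].append(owner)          # uniqueness is judged after all stanzas
    out = []
    if phys in ("e1", "t1") and tdm is None:
        out.append(f"{owner}: '{line}' lacks the tdm-group number required for {phys}")
    if phys in ("serial", "ser") and tdm is not None:
        out.append(f"{owner}: '{line}' carries a tdm-group number, but serial interfaces do not use TDM groups")
    if logical in ("fr", "frame-relay") and "." in lnum:
        out.append(f"{owner}: '{line}' binds to a Frame Relay subinterface; bind to the Frame Relay interface instead")
    return out

def check_fr_subinterface(name, lines):
    """Bc/Be range and pairing rules plus the unnumbered-interface caveat."""
    out, rates = [], {}
    for line in lines:
        m = RATE_RE.match(line)
        if m:
            rates[m.group(1)] = int(m.group(2))
        elif line.startswith("ip unnumbered ") and not line.startswith("ip unnumbered loopback"):
            src = line[len("ip unnumbered "):]
            out.append(f"{name}: unnumbered from {src}; the subinterface goes down with it, prefer a loopback")
    for key, val in rates.items():
        if not 0 <= val <= BC_BE_MAX:
            out.append(f"{name}: frame-relay {key} {val} is outside 0..{BC_BE_MAX}")
    if "bc" in rates and "be" not in rates:
        out.append(f"{name}: frame-relay bc set without frame-relay be; the PVC cannot burst above its CIR")
    if rates and rates.get("bc", 0) + rates.get("be", 0) <= MIN_BC_PLUS_BE:
        out.append(f"{name}: bc + be = {rates.get('bc', 0) + rates.get('be', 0)} is not greater than {MIN_BC_PLUS_BE}")
    return out

def audit(text):
    """Return a list of findings for one running-config; an empty list means clean."""
    findings, bind_owners = [], defaultdict(list)
    for name, lines in parse_stanzas(text).items():
        for line in lines:
            if line.startswith("bind "):
                findings += check_bind(name, line, bind_owners)
        if name.startswith("fr ") and "." in name:
            findings += check_fr_subinterface(name, lines)
    for num, owners in bind_owners.items():
        if len(owners) > 1:
            findings.append(f"bind number {num} reused by {', '.join(owners)}; bind numbers are globally unique")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the sample it reports the missing T1 TDM group, the TDM group wrongly given for the serial line, the bind to fr 1.16, the reused bind number 2, and three findings for fr 1.17 (unnumbered from Ethernet, bc without be, bc + be not above 8000).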
Additional Settings
Depending on your company’s WAN environment, you may want to configure other options on the HDLC interface.
Configure a Secondary IP Address for the Interface. You can configure a secondary IP address on the HDLC interface. From the HDLC interface configuration mode context, enter:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length> secondary
Replace <A.B.C.D> with the secondary IP address and specify a subnet mask using the <subnet mask> option or the </prefix length> option. Finally, include the secondary option.
For example, you might enter:
ProCurve(config-hdlc 1)# ip address 192.168.5.1 255.255.255.252 secondary
You can include an unlimited number of secondary IP addresses.
To remove the secondary IP address, enter:
Syntax: no ip address <A.B.C.D> <subnet mask | /prefix length> secondary
Set the MTU. The MTU defines the largest size that a frame can be. If a frame exceeds the size limit, it must be fragmented. For best results, the MTU size on the HDLC interface should match the MTU used by the remote router.
Note: If you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router, you should take special care when setting the MTU. OSPF routers cannot become adjacent if their MTU sizes do not match.
By default, the MTU for HDLC interfaces is 1500 bytes. To change this setting, enter the following command from the HDLC interface configuration mode context:
Syntax: mtu <size>
Replace <size> with a number between 64 and 1520.
Add a Description. You can add a description to the HDLC interface if you want to document information that will be displayed in the running-config. From the HDLC interface configuration mode context, enter:
Syntax: description <line>
Replace <line> with a phrase up to 80 characters. For example, you might enter:
ProCurve(config-hdlc 1)# description WAN link to Saratoga Street office
This description is displayed only when you enter the show running-config command. From the enable mode context, enter:
ProCurve# show running-config
You must then scroll through the entire running-config to find the interface hdlc heading. To view only the running-config for the HDLC interface, enter:
ProCurve# show running-config interface hdlc 1
This command displays the running-config settings for only the HDLC interface, as shown below:
interface hdlc 1
 description WAN link to Saratoga Street office
 ip address 192.168.1.1 255.255.255.0
 bind 1 e1 1/1 1 hdlc 1
 no shutdown
Settings Explained in Other Chapters
In addition to configuring these settings for an HDLC interface, you can:
■ assign ACPs or ACLs to control access to the HDLC interface
■ enable bridging
■ assign crypto maps to enable VPNs
■ configure settings for routing protocols
■ configure QoS settings
Table 6-10 lists additional configurations that you can enter from the HDLC interface and the page number where you find information about those configurations.
Table 6-10. Additional Configurations for the HDLC Interface
Settings | Configuration Guide | Page
access controls to filter incoming and outgoing traffic | Advanced | 5-18, 5-37
bridging | Basic | 10-6
VPNs | Advanced | 8-46
routing commands for OSPF, RIP, or BGP | Advanced | 13-1
QoS settings | Advanced | 7-28
Example Networks
This section outlines examples of E1- and T1-carrier lines that use PPP, Frame Relay, and HDLC as the Data Link Layer protocol. It also provides examples of WANs that are using PPP authentication.
Example 1. Figure 6-9 shows a company’s WAN that includes a connection between two offices in London. Because this company needed a constant, reliable connection between these two offices, they leased an E1-carrier line for both the Seething Lane and Chelsea Harbor offices. The Data Link Layer protocol is PPP.
The company also required a connection to its Paris office. For this connection, the company negotiated an SLA with a Frame Relay service provider.
Finally, the company set up an Asymmetric Digital Subscriber Line (ADSL) connection to a local Internet Service Provider (ISP). Through this connection, the company’s employees can access the Internet. (For information about ADSL, see Chapter 7: ADSL WAN Connections.)
Figure 6-9. Example WAN Using E1-Carrier Lines with PPP and Frame Relay
Figure 6-10 shows the configuration for the E1, PPP, and Frame Relay interfaces, as they appear in the running-config for Router B, the router for the London Chelsea Harbor office.
[Figure 6-9 (diagram labels only): Router A, London Seething Lane Office; Router B, London Chelsea Harbor; Router C, Paris; E1 with PPP, 192.168.1.1; E1 with Frame Relay, 10.1.1.1 /30; Frame Relay Network; E1 with Frame Relay; ADSL2+ Annex B with PPPoE; ISP Internet Router]
Figure 6-10. Running-Config for Router B in Example 1
interface e1 1/1
 tdm-group 1 timeslots 1-31 speed 64
 no shutdown
!
interface e1 1/2
 clock source through
 tdm-group 1 timeslots 1-31 speed 64
 no shutdown
!
interface fr 1 point-to-point
 frame-relay intf-type dte
 frame-relay lmi-type q933a
 no shutdown
 bind 2 e1 1/2 1 frame-relay 1
!
interface fr 1.16 point-to-point
 frame-relay interface-dlci 16
 frame-relay bc 1600000
 frame-relay be 128000
 ip address 10.1.1.1 255.255.255.252
!
interface ppp 1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 bind 1 e1 1/1 1 ppp 1
Because the company is using default settings for line coding (HDB3) and frame format (E1) on the E1-carrier lines, the network administrator did not enter these settings. Consequently, they are not listed when you enter the following command from the enable mode context:
ProCurve# show running-config
To view all of the configuration settings—including the default settings—you must enter:
ProCurve# show running-config verbose
Example 2. The WAN shown in Figure 6-11 is for a U.S.-based company that has three offices: The main office is in Atlanta, and the two branch offices are in San Francisco and London. To connect the San Francisco office to the Atlanta office, the company leased a T1-carrier line for each office and is using HDLC as the Data Link Layer protocol. The two offices are exchanging confidential information and wanted a dedicated connection with the full bandwidth of a T1-carrier line.
To connect the Atlanta office to the London office, the company chose Frame Relay, which allows it to cross country borders at a more affordable cost than dedicated T1- and E1-carrier lines.
The company uses ADSL for its Internet connection at the Atlanta office. (For information about ADSL, see Chapter 7: ADSL WAN Connections.)
Figure 6-11. Example WAN Using Carrier Lines with HDLC and Frame Relay
[Figure 6-11 diagram: the Atlanta router connects to the San Francisco router over T1 with HDLC (10.1.1.1 /30), to the London router over T1 with Frame Relay (10.5.5.1 /30) through the Frame Relay network (E1 with Frame Relay at the London end), and to the ISP’s Internet router over ADSL Annex A.]
Figure 6-12 shows the configurations for the T1, HDLC, and Frame Relay interfaces, as they appear in the running-config for the Atlanta router.
Figure 6-12. Running-Config for the Atlanta Router in Example 2
interface t1 1/1
  lbo short 550
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface t1 1/2
  clock source through
  lbo short 550
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface fr 1 point-to-point
  frame-relay intf-type dte
  frame-relay lmi-type ansi
  no shutdown
  bind 2 t1 1/2 1 frame-relay 1
!
interface fr 1.104 point-to-point
  frame-relay interface-dlci 104
  ip address 10.5.5.1 255.255.255.252
!
interface hdlc 1
  ip address 10.1.1.1 255.255.255.252
  no shutdown
  bind 1 t1 1/1 1 hdlc 1
Because the company is using default settings for line coding (B8ZS) and frame format (ESF) on the T1-carrier lines, the network administrator did not enter these settings. Consequently, they are not listed when you enter the following command from the enable mode context:
ProCurve# show running-config
To view all of the configuration settings—including the default settings—you must enter:
ProCurve# show running-config verbose
Example 3: Two Routers Authenticating Each Other with PAP. In this example, the router at Site A (hostname Local) and the router at Site B (hostname Remote) authenticate each other with PAP. Local’s password is XXX, and Remote’s password is YYY. (See Figure 6-13.)
You would configure Local as follows:
1. Access the PPP interface configuration mode context:
Local(config)# interface ppp 1
2. Configure the router to authenticate Remote with PAP:
Local(config-ppp 1)# ppp authentication pap
3. Set Remote’s username and password:
Local(config-ppp 1)# username Remote password YYY
4. Set the router’s own PAP username and password:
Local(config-ppp 1)# ppp pap sent-username Local password XXX
Figure 6-13. Routers Authenticating Each Other
Remote would then be configured in the same way:
1. Access the PPP interface configuration mode and configure the router to authenticate Local with PAP:
Remote(config)# interface ppp 1
Remote(config-ppp 1)# ppp authentication pap
2. Set Local’s username and password:
Remote(config-ppp 1)# username Local password XXX
3. Set the router’s own PAP username and password:
Remote(config-ppp 1)# ppp pap sent-username Remote password YYY
Example 4: One Peer Requesting CHAP. Both routers do not have to require authentication. For example, only Local could request Remote to authenticate itself using CHAP. The commands would be as follows for Local:
Local(config)# interface ppp 1
Local(config-ppp 1)# ppp authentication chap
Local(config-ppp 1)# username Remote password YYY
Remote would be configured as follows:
Remote(config)# interface ppp 1
Remote(config-ppp 1)# ppp chap password YYY
Example 5: CHAP Authentication to an ISP. In this example, the ISP has provided an ID (ID-GIVEN-BY-ISP) and password (PWD-GIVEN-BY-ISP) to be used when authenticating through CHAP. (See Figure 6-14.)
Figure 6-14. Authentication to an ISP
You would configure the router being authenticated as follows:
1. Access the PPP interface:
ProCurve(config)# interface ppp 1
2. Configure the ID given by the ISP to override the local hostname:
ProCurve(config-ppp 1)# ppp chap hostname ID-GIVEN-BY-ISP
3. Set the password given by the ISP:
ProCurve(config-ppp 1)# ppp chap password PWD-GIVEN-BY-ISP
[Figure 6-14 diagram: the local router, using the ISP-assigned hostname and ISP-assigned password, authenticates to the ISP across the Internet.]
Checking the Status of Logical Interfaces
After you configure the physical and logical interfaces and bind them together, the ProCurve Secure Router should be able to exchange data with the device at the other end of the WAN connection.
View the Status of Interfaces
To view the status of the logical interface you have bound to the E1, T1, or serial interface, you can use show commands. Table 6-11 lists the show commands that you can use to view information about interfaces.
Table 6-11. show Commands for Logical Interfaces

Command                                                      Explanation
show interfaces                                              displays information about all the interfaces—active or inactive—on the ProCurve Secure Router
show interface <interface> <number> [realtime]               displays information about a specific logical interface
show running-config                                          displays all of the settings that you have configured for the ProCurve Secure Router
show running-config verbose                                  displays the entire running-config, including the default settings
show running-config interface <interface> <number>           displays the settings that you have configured for a particular interface
show running-config interface <interface> <number> verbose   displays the entire running-config for a particular interface, including the default settings

Viewing the Status of PPP Interfaces
For example, if you want to view the status of the PPP 1 interface, enter the following command from the enable mode context:
Syntax: show interface ppp 1
Figure 6-15 shows the results of this command for a sample network.
Figure 6-15. show interface ppp <number>
ppp 1 is UP
  Configuration:
    Keep-alive is set (10 sec.)
    No multilink
    MTU = 1492
    No authentication
    IP is configured
      192.168.1.20 255.255.255.0
  Link thru atm 1.1 is UP; LCP state is OPENED, negotiated MTU is 1492
    Receive: bytes=20296, pkts=2727, errors=0
    Transmit: bytes=27728, pkts=2214, errors=0
    5 minute input rate 208 bits/sec, 0 packets/sec
    5 minute output rate 112 bits/sec, 0 packets/sec
  Bundle information
    Queueing method: fifo
    HDLC tx ring limit: 0
    Output queue: 0/1/200/0 (size/highest/max total/drops)
  IP is UP, IPCP state is OPENED
    Address=192.168.1.20 Mask=255.255.255.0
    Peer address=192.168.1.1
    IP MTU=1492, Bandwidth=896 Kbps
  LLDPCP State is STOPPED
This command displays a report about the logical interface’s status, including information such as:
■ whether the interface is up or down
■ whether the physical link bound to the logical interface is up or down
■ whether the LCP is opened
■ endpoint settings
■ errors
■ queuing method
■ available bandwidth
■ the negotiated NCP and whether it is opened
■ IP address
■ peer IP address
Viewing the Status of Frame Relay Interfaces and Subinterfaces
For Frame Relay, you can view the status of both the interface and the subinterface. To view information about the Frame Relay interface, enter the following command from the enable mode context:
Syntax: show interface frame-relay <number>
Figure 6-16 shows the results of this command for a sample network.
Figure 6-16. show interface frame-relay <number>
fr 1 is UP
  Configuration:
    Signaling type is AUTO, signaling role is USER
    Multilink disabled
    Polling interval is 10 seconds, full inquiry interval is 6 polling intervals
  Link information:
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 8 bits/sec, 0 packets/sec
    BW 1984 Kbit
    Queueing method: weighted fair
    HDLC tx ring limit: 2
    Output queue:0/1/100/64/0 (size/highest/max total/threshold/drops)
    Conversations 0/1/256 (active/max active/max total)
    Available Bandwidth 1488 kilobits/sec
    0 packets input, 0 bytes
    1 pkts discarded, 0 error pkts, 0 unknown protocol pkts
    25 packets output, 334 bytes
    1 tx pkts discarded, 0 tx error pkts
With this command, you can view the Frame Relay signaling role and signaling type, and you can view the information about packet discards or errors.
You can view this information in real-time by adding this option when you enter the show command:
Syntax: show interface frame-relay <number> realtime
Figure 6-17 shows the results of this command for a sample network.
Figure 6-17. show interface frame-relay <number> realtime
-------------------------------------------------------------------
fr 1 is UP
  Configuration:
    Signaling type is ANSI, signaling role is USER
    Multilink disabled
    Polling interval is 10 seconds, full inquiry interval is 6 polling intervals
  Link information:
    5 minute input rate 24 bits/sec, 0 packets/sec
    5 minute output rate 8 bits/sec, 0 packets/sec
    BW 1984 Kbit
    Queueing method: weighted fair
    HDLC tx ring limit: 2
    Output queue:0/1/428/64/0 (size/highest/max total/threshold/drops)
    Conversations 0/1/256 (active/max active/max total)
    Available Bandwidth 1488 kilobits/sec
    44 packets input, 915 bytes
    1 pkts discarded, 0 error pkts, 0 unknown protocol pkts
    23 packets output, 322 bytes
    1 tx pkts discarded, 0 tx error pkts
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'
The Secure Router OS will continue to refresh this display with current information until you enter Ctrl+C to end the display.
To view information about the Frame Relay subinterface, enter the following command from the enable mode context:
Syntax: show interface frame-relay <number.subinterface number>
Figure 6-18 shows the results of this command for a sample network.
Figure 6-18. show interface frame-relay <number.subinterface number>
fr 1.1 is Active
  Ip address is 10.10.10.1, mask is 255.255.255.252
  Interface-dlci is 104
  MTU is 1500 bytes, BW is 128000 Kbit (limited)
  Average utilization is 92%
As Figure 6-18 shows, you can view the status of the Frame Relay subinterface, the IP address, the DLCI, the MTU size, and the average utilization.
Viewing the Status of HDLC Interfaces
To view information about the HDLC interface, enter the following command from the enable mode context:
Syntax: show interface hdlc <number>
Figure 6-19 shows the results of this command for a sample network.
Figure 6-19. show interface hdlc <number>
hdlc 1 is UP
  Configuration:
    Keep-alive is set (10 sec.)
    IP is configured
      10.1.1.1 255.255.255.252
  Link information:
    Receive: bytes=6896, pkts=65, errors=0, broadcast=22
    Transmit: bytes=8158, pkts=79, errors=0, broadcast=29
    5 minute input rate 184 bits/sec, 0 packets/sec
    5 minute output rate 216 bits/sec, 0 packets/sec
  IP is UP
    Address=10.1.1.1 Mask=255.255.255.252
    IP MTU=1500, Bandwidth=1984 Kbps
Viewing Configuration Information
You can view the running-config for a logical interface by entering the following command from the enable mode context:
Syntax: show running-config interface <interface> <number>
Replace <interface> with the logical interface and replace <number> with the number you used to create that interface. For example, to view the running-config for an HDLC interface, enter:
ProCurve# show running-config interface hdlc 1
Figure 6-20 shows the results of this command for a sample network.
Figure 6-20. show running-config interface hdlc <number>
interface hdlc 1
  ip address 10.1.1.1 255.255.255.252
  no shutdown
  bind 1 e1 1/1 1 hdlc 1
Troubleshooting Logical Interfaces
If the physical interface is up but the logical interface is not, the steps you take to troubleshoot the problem vary, depending on the Data Link Layer protocol you are using. This section is organized into three sections:
■ troubleshooting the PPP interface
■ troubleshooting the Frame Relay interface and subinterface
■ troubleshooting the HDLC interface
Note: Enter the show and debug commands described in this troubleshooting section from the enable mode context. You can also access these commands from any configuration mode context by adding do to the beginning of the command.
Troubleshooting the PPP Interface
The first tool in troubleshooting a logical interface is the show interfaces command. From the enable mode context, enter the following command to check the status of a PPP interface that is bound to the E1, T1, or serial interface:
Syntax: show interfaces ppp <number>
Figure 6-21. show interface ppp <number>
ppp 2 is DOWN
  Configuration:
    Keep-alive is set (10 sec.)
    No multilink
    MTU = 1500
    No authentication
    IP is configured
      15.1.1.1 255.0.0.0
  Link thru ser 2/1 is DOWN; LCP state is INITIAL
    Receive: bytes=0, pkts=0, errors=0
    Transmit: bytes=0, pkts=0, errors=0
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
  Bundle information
    Queueing method: weighted fair
    HDLC driver does not support quality-of-service, or is not cross-connected
    Output queue: 0/0/-1512133286/64/0 (size/highest/max total/threshold/drops)
    Conversations 0/0/0 (active/max active/max total)
    Available Bandwidth 0 kilobits/sec
If the PPP interface is down, you should recheck the configuration to see if there are any errors. (See Figure 6-21.) You should also ensure that you have bound the physical interface to the PPP interface. If you have entered a bind command, it should be displayed when you enter show running-config interface ppp <number> from the enable mode context.
You should then determine if all steps for establishing a PPP session were completed successfully. The output for the show interface ppp command provides basic information about the different PPP protocols, and you can use this information to determine whether these PPP protocols were exchanged. If you want more detailed information to troubleshoot the PPP session, you can use debug commands, which are explained later in this section.
LCP State. When you enter the show interfaces ppp command, the status report will indicate whether the LCP state is opened, initial, or starting.
■ If the LCP is opened, the ProCurve Secure Router was able to exchange LCP packets with its peer.
■ If the LCP is in the initial state, the ProCurve Secure Router has not yet succeeded in establishing a link with the peer.
■ If the LCP state is starting, the PPP interface is attempting to reopen a link that has been lost.
If the LCP status is not opened, you may need to double-check your configuration settings with your public carrier. For example, the carrier may have allocated a different number of DS0 channels to the physical line. You will need to reconfigure the physical interface to the correct number of DS0 channels. The public carrier may also be using a different Data Link Layer protocol.
NCP State. If the router has been able to exchange LCPs and has successfully passed through the authentication phase, the show interfaces ppp command displays:
■ the type of NCP the router is using
■ the status of the NCP
Figure 6-22. Using the show interface ppp Command to Check the NCP
ppp 1 is UP
  Configuration:
    Keep-alive is set (10 sec.)
    No multilink
    MTU = 1500
    No authentication
    IP is configured
      10.1.1.1 255.255.255.252
  Link thru t1 1/1 is UP; LCP state is OPENED, negotiated MTU is 1500
    Receive: bytes=870, pkts=68, errors=0
    Transmit: bytes=1070, pkts=48, errors=0
    5 minute input rate 24 bits/sec, 0 packets/sec
    5 minute output rate 24 bits/sec, 0 packets/sec
  Bundle information
    Queueing method: weighted fair
    HDLC tx ring limit: 2
    Output queue: 0/1/400/64/0 (size/highest/max total/threshold/drops)
    Conversations 0/1/256 (active/max active/max total)
    Available Bandwidth 1536 kilobits/sec
  IP is DOWN, IPCP state is CLOSED
  LLDPCP State is OPENED
In Figure 6-22, PPP is using IPCP as the NCP. If the NCP is not open, it cannot encapsulate one or both of the two peers’ network protocols. Verify that both ends of the connection are using viable upper-layer protocols.
Debug Commands. You can also isolate problems by examining frames coming through the PPP interface in real time. You can use this information to track the establishment of the PPP session and determine when and why the connection is not established.
Note: Debug commands are processor intensive.
Table 6-12 lists the debug commands you can use to monitor PPP interfaces.
Table 6-12. Debug Commands for PPP Interfaces

Command                    Explanation
debug ppp verbose          displays detailed information about all PPP frames as they arrive on or are sent from the PPP interface
debug ppp errors           displays error messages relating to PPP
debug ppp negotiation      displays events relating to link negotiation; shows if link protocols are able to open; reveals when negotiations between two PPP peers fail
debug ppp authentication   displays real-time messages relating to PAP and CHAP
undebug all                turns off debug messages

For example, if the status of the NCP is stopped, you may want to enter the debug ppp negotiation command. You should be able to see each stage in the process of establishing a PPP connection. Figure 6-23 shows the debug messages when a PPP connection is established successfully.
Figure 6-23. debug ppp negotiation
2005.08.12 17:51:01 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Conf-Ack ID=33 Len=16 ACCM(00000000) MAGIC(d418e92e)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Conf-Req ID=188 Len=16 ACCM(00000000) MAGIC(2656e0ba)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] LCP: Conf-Ack ID=188 Len=16 ACCM(00000000) MAGIC(2656e0ba)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPFSM: layer up, Protocol=c021
2005.08.12 17:51:02 PPP.NEGOTIATION e1 1/1: LCP up
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] LLDPCP: Conf-Req ID=1 Len=4
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] IPCP: Conf-Req ID=1 Len=10 IP (10.1.1.1)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Identification MAGIC(2656e0ba) Msg(A04)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] IPCP: Conf-Req ID=1 Len=22 IP(10.3.3.2) PriDNS(0.0.0.0) SecDNS(0.0.0.0)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] IPCP: Conf-Rej ID=1 Len=16 PriDNS(0.0.0.0) SecDNS(0.0.0.0)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: ProtoRej (82cc)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] IPCP: Conf-Ack ID=1 Len=10 IP(10.1.1.1)
2005.08.12 17:51:02 INTERFACE_STATUS.ppp 1 changed state to up
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] IPCP: Conf-Req ID=2 Len=10 IP(10.3.3.2)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] IPCP: Conf-Ack ID=2 Len=10 IP(10.3.3.2)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPFSM: layer up, Protocol=8021
2005.08.12 17:51:02 PPP.NEGOTIATION ppp 1: IPCP up
Troubleshooting PPP Authentication
If you are troubleshooting a PPP connection and you notice that the LCP state is continually going up and down, it is possible that one or both of the peers cannot authenticate themselves. You can view debug authentication messages to determine whether the local or the remote router has failed to authenticate itself. When troubleshooting PAP, you can also view the usernames and passwords the routers are sending.
To monitor the PPP authentication process, enter the following command from the enable mode context:
ProCurve# debug ppp authentication
Troubleshooting PAP. If you are using PAP authentication, look for messages such as those shown in Figure 6-24.
Figure 6-24. PAP Authentication Messages
ProCurve# debug ppp authentication
2005.07.08 09:03:44 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Local) Password()
2005.07.08 09:03:44 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Nak ID=1 Len=5 Message()
The Authen-Req message is the message the authenticating peer sends with its username and password. If you see such a message marked with PPPtx, you know that your router is attempting to authenticate itself to the remote endpoint. The PeerID and Password fields are the values that this router sends as its username and password. When the interface receives an Authen-Nak, as shown above, the peer has rejected these values.
In this example, the interface has not been configured to send a password. You would need to obtain the correct username and password from your peer and configure them in the PPP interface configuration mode context.
When the local router is the authenticator, you can check the debug messages for the username and password the remote router is sending. Because PAP does not use encryption, the password will be readable in plain text. (See Figure 6-25.)
Figure 6-25. Finding the Peer’s PAP Password
ProCurve# debug ppp authentication
2005.07.08 09:03:44 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Remote) Password(procurve)
If you recognize the PeerID as that of a legitimate endpoint and the password seems correct, make sure that the username and password in the PPP database have been entered correctly. Enter show run interface ppp <interface number> and look for username and password. Otherwise, contact the remote site and inform it that it is sending the wrong password.
When a peer successfully authenticates itself, the authenticator returns an Authen-Ack:
2005.07.08 09:05:08 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Ack ID=1 Len=10 Message(Hello)
Note: Usernames and passwords are case-sensitive.
Troubleshooting CHAP. If you are using CHAP authentication, look for messages such as those shown in Figure 6-26.
Figure 6-26. CHAP Authentication Messages
The Challenge message indicates which router requires the other to authenticate itself. In this example, the router with the hostname Local authenticates Remote. (The PPPtx also indicates that the local router transmits the challenge.) The Failure message indicates that Remote could not correctly identify itself.
View the running config for the interface (show run int ppp <interface number>) and look for miskeyed passwords.
If the local router cannot authenticate itself, check the ppp chap hostname and ppp chap password. If they seem correct, contact the remote site or ISP and explain your problem.
If the remote router cannot authenticate itself, check the ppp username and password in the running config, which may have been miskeyed. If they are correct, contact the remote site and inform the network administrator that the router is sending the wrong authentication information.
Note: Usernames and passwords are case sensitive.
ProCurve# debug ppp authentication
2005.07.08 08:59:02 PPP.AUTHENTICATION PPPtx[t1 1/1] CHAP: Challenge ID=1 Len=28 ValLen=16 Name(Local)
2005.07.08 08:59:02 PPP.AUTHENTICATION PPPrx[t1 1/1] CHAP: Response ID=1 Len=25 ValLen=16 Name(Remote)
2005.07.08 08:59:02 PPP.AUTHENTICATION PPPtx[t1 1/1] CHAP: Failure ID=1 Len=4 Message()
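The following Python script is an added example, not part of this manual or of the Secure Router OS: it reads debug lines in the format of Figures 6-24 through 6-26 and classifies them into the failure modes described in the PAP and CHAP subsections (this router's credentials rejected, a peer's PAP password visible in plain text, a CHAP failure on either side) and, going one step beyond those figures, also flags an LCP Conf-Nak on the authentication-protocol option, which is how mismatched authentication protocols show up in debug ppp negotiation output. The sample log lines are constructed, and the interface names, the Finding labels and the analyze() function are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# One debug line in the format of Figures 6-24 through 6-27, e.g.
#   2005.07.08 09:03:44 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Local) Password()
LINE_RE = re.compile(
    r"^\S+ \S+ PPP\.(?P<fac>AUTHENTICATION|NEGOTIATION) "
    r"PPP(?P<dir>tx|rx)\[(?P<iface>[^\]]+)\] "
    r"(?P<proto>PAP|CHAP|LCP|IPCP|LLDPCP): (?P<msg>[A-Za-z-]+)(?P<rest>.*)$"
)
# Name(value) tokens such as PeerID(Local), Password(), AP(CHAP), Name(Remote)
FIELD_RE = re.compile(r"([A-Za-z]+)\(([^)]*)\)")


@dataclass
class Finding:
    kind: str    # label for the failure mode (the labels are this example's own)
    iface: str   # physical interface the PPP interface is bound to
    detail: str  # what to check, in the manual's own terms


def parse_line(line):
    """Split one debug line into its parts; returns None for prompts and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return m.group("fac"), m.group("dir"), m.group("iface"), m.group("proto"), m.group("msg"), fields


def analyze(lines):
    """Walk the debug output in order and report each PAP, CHAP or LCP authentication problem."""
    findings = []
    peer_ap = {}  # iface -> authentication protocol the peer last proposed in an LCP Conf-Req
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _fac, direction, iface, proto, msg, fields = parsed
        if proto == "PAP" and msg == "Authen-Req":
            if direction == "tx" and fields.get("Password", "") == "":
                findings.append(Finding("pap-local-no-password", iface,
                    "this router sends PeerID(%s) with an empty password; "
                    "configure ppp pap sent-username ... password ..." % fields.get("PeerID", "")))
            elif direction == "rx":
                # PAP carries the password in plain text: report that it is visible, but never echo it.
                pw = fields.get("Password", "")
                findings.append(Finding("pap-peer-credentials-visible", iface,
                    "peer %s sent its PAP password in plain text (%d characters); compare it "
                    "with the username/password in this router's PPP database"
                    % (fields.get("PeerID", "?"), len(pw))))
        elif proto == "PAP" and msg == "Authen-Nak" and direction == "rx":
            findings.append(Finding("pap-local-rejected", iface,
                "the peer rejected the username/password this router sent; obtain the correct values from the peer"))
        elif proto == "PAP" and msg == "Authen-Ack" and direction == "tx":
            findings.append(Finding("pap-peer-accepted", iface, "the peer authenticated successfully"))
        elif proto == "CHAP" and msg == "Failure":
            if direction == "tx":   # this router is the authenticator and rejected the peer's response
                findings.append(Finding("chap-peer-failed", iface,
                    "the peer could not authenticate; check the username/password in this router's PPP database"))
            else:                   # the peer rejected this router's response
                findings.append(Finding("chap-local-failed", iface,
                    "this router could not authenticate; check ppp chap hostname and ppp chap password"))
        elif proto == "LCP" and msg == "Conf-Req" and direction == "rx" and "AP" in fields:
            peer_ap[iface] = fields["AP"]
        elif proto == "LCP" and msg == "Conf-Nak" and "AP" in fields:
            if direction == "tx":   # this router refuses the peer's authentication option
                detail = "peer proposed %s, this router requires %s" % (peer_ap.get(iface, "unknown"), fields["AP"])
            else:
                detail = "peer refuses the authentication protocol this router proposed and asks for %s" % fields["AP"]
            findings.append(Finding("auth-protocol-mismatch", iface, detail))
    return findings


# Constructed sample output (not captured from a router), modelled on Figures 6-24 through 6-27.
SAMPLE_DEBUG = """\
ProCurve# debug ppp authentication
2005.07.08 09:03:44 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Local) Password()
2005.07.08 09:03:44 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Nak ID=1 Len=5 Message()
2005.07.08 09:04:10 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Req ID=2 Len=18 PeerID(Remote) Password(procurve)
2005.07.08 09:04:10 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Ack ID=2 Len=10 Message(Hello)
2005.07.08 08:59:02 PPP.AUTHENTICATION PPPtx[t1 1/2] CHAP: Challenge ID=1 Len=28 ValLen=16 Name(Local)
2005.07.08 08:59:02 PPP.AUTHENTICATION PPPrx[t1 1/2] CHAP: Response ID=1 Len=25 ValLen=16 Name(Remote)
2005.07.08 08:59:02 PPP.AUTHENTICATION PPPtx[t1 1/2] CHAP: Failure ID=1 Len=4 Message()
ProCurve# debug ppp negotiation
2005.07.08 09:11:12 PPP.NEGOTIATION PPPrx[ser 2/1] LCP: Conf-Req ID=74 Len=20 ACCM(00000000) AP(PAP)MAGIC(da5bf7de)
2005.07.08 09:11:12 PPP.NEGOTIATION PPPtx[ser 2/1] LCP: Conf-Nak ID=74 Len=9 AP(CHAP)
"""


def demo():
    return analyze(SAMPLE_DEBUG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print("[%s] %s: %s" % (f.iface, f.kind, f.detail))
```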
Incompatible Authentication Protocols. If you do not receive any PPP authentication debug messages at all, the local and remote routers may be requesting different authentication protocols. In this case, the LCP state will not come up because the peers cannot negotiate the authentication option.
You could test this theory by debugging PPP negotiation events and looking for a Conf-Nak message. This message indicates that one of the peers must refuse an option proposed by the other.
Caution: PPP debug messages are processor intensive: peers exchange LCP frames again and again in an attempt to negotiate the session. If the router is currently supporting network traffic, debugs can compromise its functions. When you suspect that authentication is keeping a connection from going up, you can simply try changing the type of authentication you require or send. If the PPP connection then goes up (or if PPP authentication debug messages appear), you know that incompatible authentication protocols were at least partially at fault.
In Figure 6-27, the local router requires PAP, but the remote router is configured for CHAP.
Figure 6-27. Debugs for Incompatible Authentication Protocols
ProCurve# debug ppp negotiation
2005.07.08 09:11:12 PPP.NEGOTIATION PPPrx[t1 1/1] LCP: Conf-Req ID=74 Len=20 ACCM(00000000) AP(PAP)MAGIC(da5bf7de)
2005.07.08 09:11:12 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Nak D=74 Len=9 AP(CHAP)
Troubleshooting the Frame Relay Interface
When you troubleshoot the Frame Relay connection, you should first check the Frame Relay interface and then check the Frame Relay subinterface. From the enable mode context, enter the following command to check the status of a Frame Relay interface that is bound to the E1, T1, or serial interface:
Syntax: show interface frame-relay <number>
If the interface is administratively down, you need to activate it. From the Frame Relay interface configuration mode context, enter no shutdown.
If the interface is down, check your configuration and ensure that you are using the same Frame Relay signaling type as your Frame Relay carrier. Ensure that you have entered the correct bind command to bind this interface to the physical interface that is providing the connection.
If the Frame Relay interface is up, check the status of the Frame Relay subinterface. From the enable mode context, enter:
Syntax: show interface frame-relay <number.subinterface number>
If the status of the Frame Relay subinterface is “deleted,” the DLCI that you entered does not match the DLCI that the provider is using. Recheck the DLCI with your Frame Relay service provider. If the status of the Frame Relay subinterface is “inactive,” check the IP address and other configuration settings.
Table 6-13 shows the commands that you can use to troubleshoot a Frame Relay interface.
Table 6-13. show and debug Commands for Troubleshooting Frame Relay

Command                 Explanation
show frame-relay lmi    displays LMI (signaling) type and information about LMI messages and updates
show frame-relay pvc    displays TX and RX status messages and the DLCI state
debug frame-relay lmi   displays LMI messages in real-time
undebug all             turns off debug messages

View LMI Statistics. From the enable mode context, enter:
ProCurve# show frame-relay lmi
Examine the polling information.
■ “Num Status Enq. Sent” indicates the number of polls that the interface has sent. By default, the interface sends out one poll every 10 seconds.
■ “Num Status Msgs Rcvd” indicates the number of polls that the interface has received from the other end of the connection. If the other endpoint is using typical Frame Relay settings, the interface should receive one poll every 10 seconds.
■ “Num Update Status Rcvd” indicates the number of full status reports the interface has received. By default, the interface receives one full status report every six polls, or one every 60 seconds.
■ “Num Status Timeouts” indicates the number of times the signal has been lost. When the router misses three out of four polls, it takes down the connection. When the interface continually sends out polls for which it does not receive a reply, the link has a problem, such as:
• Signaling-type mismatch—Steadily incrementing status timeouts signal mismatched signaling types. Check the signaling type listed in the LMI statistics as “LMI Type” and verify that it matches that of the service provider.
• DS0 channel mismatch—If you double-check your Data Link Layer configurations but cannot discover what is causing the problem, you may want to recheck the physical interface, even if its status is up. Mismatched channels might not cause a problem until you attempt to transmit data across a link. Use the show interface command for the physical interface and check that you have dedicated the same number of channels to the carrier line as your service provider. Use the tdm-group command to establish the correct number of channels for the interface.
• DLCI error—If you have configured the wrong DLCI number for the Frame Relay interface, the Frame Relay connection cannot be established. Double-check the DLCI to ensure that you are using the correct setting.
Displaying the PVC Status. You can view PVC statistics to monitor the connection end-to-end and check for problems with traffic congestion and dropped packets. From the enable mode context, enter:
ProCurve# show frame-relay pvc
The CLI displays information about each Frame Relay port, including how many active, inactive, and deleted connections it has established. Table 6-14 shows possible PVC status terms and explains what each one means.
Table 6-14. Status of the PVC

Status of the PVC   Explanation
active              The PVC is functional, end-to-end, from the local router to the switch and then to the far-end router.
inactive            The PVC is functional from the router to the Frame Relay switch. The other side of the connection is not configured or is down.
deleted             The PVC was announced to the Frame Relay switch but was then deleted. This status appears if the DLCI on the router does not match the DLCI configured for this PVC at the Frame Relay switch.

Information about each PVC is listed under the sublink’s DLCI and subinterface numbers. Check the settings listed in Table 6-15.
Table 6-15. Checking the Frame Relay Settings

Setting             Explanation
DLCI                Misconfiguring the DLCI can prevent traffic from reaching its destination. Verify that the sublink’s DLCI is valid. You should configure a unique DLCI in a separate subinterface for each site to which you want to make a Frame Relay connection.
dropped packets     The interface may drop more packets when the Frame Relay network is congested or when the two endpoints of a PVC use different amounts of bandwidth.
FECN/BECN packets   The endpoint that is transmitting data sends forward explicit congestion notification (FECN) packets when the receiver is sending too many requests for data. When its queues fill, the endpoint that is receiving data sends backward explicit congestion notification (BECN) packets to request the source to stop sending so many packets. Endpoints use these messages to minimize the number of dropped packets. A large number of incoming FECN and BECN packets indicates that the other end of the circuit cannot transmit and receive data as quickly as this interface. This discrepancy can lead to dropped packets.
DE packets          When the interface bursts data across the PVC at rates beyond its CIR, the excess packets are marked with the DE bit. If the network becomes congested, these packets will be the first to be dropped.

View LMI Messages. To receive real-time messages, enter the following command from the enable mode context:
ProCurve# debug frame-relay lmi
The CLI displays events dealing with the establishment and negotiation of connections as they occur. You can then determine when and why problems occur.
LMI statistics report on the LMI messages that are exchanged between the Frame Relay DTE and the DCE. The DCE uses LMI messages to advertise its DLCI. In addition, the LMI messages serve as a local keepalive, indicating that the interface is receiving polls from the other end of the connection.
Clear Counters. If you view the LMI statistics, you will see a running count of polls sent and received, including those incremented before the interface began having a problem. Because you are not interested in how many polls the interface was receiving when it was functioning properly, you should reset the counters to isolate the problem. To reset all counters associated with a Frame Relay interface, enter the following command from the enable mode context:
Syntax: clear counters frame-relay <number>
After you clear the counters, you can reproduce the problem and then view the LMI statistics to check whether the interface is receiving polls.
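The FECN, BECN and DE indications that Table 6-15 refers to are single bits in the two-byte Q.922 address field at the front of every frame, next to the DLCI. The following Python decoder is an added example, not ProCurve code: it encodes and parses that address field and builds the per-DLCI congestion counts from a constructed set of frames. Only the two-byte address format is handled; the 0x03 0xCC bytes that follow the address in the data frames are the RFC 2427 Control (UI) and NLPID (IP) fields, and the frame contents are constructed for the example.

```python
"""Decoding the Frame Relay (Q.922) address field (added example; not ProCurve code).

  byte 0: DLCI bits 9..4 | C/R | EA=0            (another address byte follows)
  byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1 (last address byte)

Only the two-byte address format is handled. Sample frames are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FrAddress:
    dlci: int
    cr: bool
    fecn: bool
    becn: bool
    de: bool


def encode_address(dlci: int, cr: bool = False, fecn: bool = False,
                   becn: bool = False, de: bool = False) -> bytes:
    """Build the two-byte address field for a 10-bit DLCI."""
    if not 0 <= dlci <= 1023:
        raise ValueError("a two-byte address field carries a 10-bit DLCI (0..1023)")
    b0 = (((dlci >> 4) & 0x3F) << 2) | (int(cr) << 1)            # EA bit (bit 0) = 0
    b1 = ((dlci & 0x0F) << 4) | (int(fecn) << 3) | (int(becn) << 2) | (int(de) << 1) | 0x01
    return bytes([b0, b1])


def decode_address(frame: bytes) -> FrAddress:
    """Parse the address field at the start of a frame; reject 3- and 4-byte formats."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the address field")
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) or not (b1 & 0x01):
        raise ValueError("not a two-byte address field (EA bits %d,%d)" % (b0 & 1, b1 & 1))
    dlci = (((b0 >> 2) & 0x3F) << 4) | ((b1 >> 4) & 0x0F)
    return FrAddress(dlci=dlci, cr=bool(b0 & 0x02),
                     fecn=bool(b1 & 0x08), becn=bool(b1 & 0x04), de=bool(b1 & 0x02))


def congestion_summary(frames) -> dict:
    """Per-DLCI frame, FECN, BECN and DE counts: the raw material behind the
    FECN/BECN and DE packet counters discussed in Table 6-15."""
    stats = {}
    for frame in frames:
        a = decode_address(frame)
        s = stats.setdefault(a.dlci, {"frames": 0, "fecn": 0, "becn": 0, "de": 0})
        s["frames"] += 1
        s["fecn"] += int(a.fecn)
        s["becn"] += int(a.becn)
        s["de"] += int(a.de)
    return stats


RFC2427_IP = b"\x03\xcc"   # Control = UI, NLPID = IP

# Constructed traffic on DLCI 103 (the sublink used in the quick start) plus one
# LMI frame on DLCI 0 (the ANSI Annex D / Q.933 Annex A signalling DLCI).
SAMPLE_FRAMES = [
    encode_address(103) + RFC2427_IP + b"\x45\x00",
    encode_address(103) + RFC2427_IP + b"\x45\x00",
    encode_address(103, fecn=True) + RFC2427_IP + b"\x45\x00",
    encode_address(103, fecn=True) + RFC2427_IP + b"\x45\x00",
    encode_address(103, becn=True, de=True) + RFC2427_IP + b"\x45\x00",
    encode_address(103, de=True) + RFC2427_IP + b"\x45\x00",
    encode_address(0) + b"\x03\x08",   # LMI: Control = UI, Q.933 protocol discriminator
]


def sample_summary() -> dict:
    return congestion_summary(SAMPLE_FRAMES)


if __name__ == "__main__":
    for dlci, s in sorted(sample_summary().items()):
        print(dlci, s)
```

The DLCI check in the decoder is the same one a switch performs: a DLCI that the switch has not provisioned (the “deleted” status in Table 6-14) is simply an address field that matches nothing in its table.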
Troubleshooting HDLC
You should begin troubleshooting the HDLC interface by entering the show interface hdlc command. From the enable mode context, enter:
Syntax: show interface hdlc <number>
Replace <number> with the number you assigned the HDLC interface.
If the HDLC interface is administratively down, enter no shutdown from the HDLC interface configuration mode context. If the HDLC interface is down, check the running-config to ensure that the HDLC interface is bound to the correct physical interface. From the enable mode context, enter:
Syntax: show running-config interface hdlc <number>
Debug HDLC. You can view real-time events about the HDLC interface by entering:
Syntax: debug hdlc [errors | verbose]
Use the errors option to view statistics and messages about protocol errors. Use the verbose option to increase the level of detail provided in the debug messages.
To disable the hdlc debug messages, enter one of the following commands from the enable mode context:
ProCurve# no debug hdlc [errors | verbose]
or
ProCurve# undebug all
Quick Start
After you configure the physical connection—the E1, T1, or serial interface—you must configure the Data Link Layer protocol that controls the data being transmitted across the WAN link. The ProCurve Secure Router supports the following Data Link Layer protocols for E1, T1, and serial interfaces:
■ Point-to-Point Protocol (PPP)
■ Frame Relay
■ High-Level Data Link Control (HDLC)
This section provides the commands you must enter to quickly configure the Data Link Layer protocol for an E1, T1, or serial interface. Only a minimal explanation is provided.
If you need additional information about any of these options, see “Contents” on page 6-1 to locate the section and page number that contains the explanation you need. (For information about E1 or T1 interfaces, see Chapter 4: Configuring E1 and T1 Interfaces. For information about serial interfaces, see Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines.)
PPP
To configure PPP for an E1, T1, or serial interface, complete these steps:
1. From the global configuration mode context, create a PPP interface.
Syntax: interface <interface> <number>
For example, you might enter:
ProCurve(config)# interface ppp 1
2. Set a static IP address.
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For example, you might enter:
ProCurve(config-ppp 1)# ip address 10.1.1.1 /24
3. Activate the PPP interface
ProCurve(config-ppp 1)# no shutdown
4. Bind the physical interface to the logical interface.
Syntax: bind <number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>
For example, to bind the T1 interface to the PPP interface, enter:
ProCurve(config-ppp 1)# bind 1 t1 1/1 1 ppp 1
To bind the serial interface to the PPP interface, enter:
ProCurve(config-ppp 1)# bind 1 ser 1/1 ppp 1
N o t e If you are binding a serial interface to the PPP interface, you do not include the TDM group number because you do not use TDM groups on a serial interface.
5. View the status of the PPP interface.
ProCurve(config-ppp 1)# do show interface ppp 1
PPP Authentication
If you are configuring PPP authentication, you may want to print Table 6-16 and enter the information for your router.
Table 6-16. Quick Start Worksheet
Parameter                                            Your Setting
PPP interface number
authentication protocol
Are you requiring the peer to authenticate itself?   Yes/No
peer username
peer password
Are you authenticating to the peer?                  Yes/No
local router’s username
local router’s password
Requiring the Peer to Authenticate Itself
1. Move to the PPP interface for the connection whose endpoint you want to authenticate. From the global configuration mode context, enter:
Syntax: interface ppp <interface number>
2. Choose the authentication type:
Syntax: ppp authentication [chap | pap]
3. Enter the peer’s username and password. If you are using CHAP, the username must be the peer’s hostname (or the name the peer has configured with ppp chap hostname):
Syntax: username <username> password <password>
For example, if the peer’s hostname is Remote and the password is procurve, enter:
ProCurve(config-ppp 1)# username Remote password procurve
Authenticating to a Peer
1. Move to the PPP interface for the connection whose endpoint requires the router to authenticate itself. From the global configuration mode context, enter:
Syntax: interface ppp <interface number>
2. Determine whether the peer uses PAP or CHAP authentication.
3. For PAP, enter the username and password you have agreed upon for the local router:
Syntax: ppp pap sent-username <username> password <password>
For example, you might enter:
ProCurve(config-ppp 1)# ppp pap sent-username Local password procurve
4. For CHAP, enter the password you have agreed upon for the local router:
Syntax: ppp chap password <password>
6-72
Configuring the Data Link Layer Protocol for E1, T1, and Serial InterfacesQuick Start
5. For CHAP, enter a username only if it is different from the router’s hostname:
Syntax: ppp chap hostname <username>
For example, you might enter:
ProCurve(config-ppp 1)# ppp chap hostname ProCurveA
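The two procedures above configure the two sides of one authentication exchange: the authenticator holds a username/password table (username Remote password procurve), and the peer sends the name from ppp chap hostname together with a response derived from ppp chap password. The following Python model is an added example, not ProCurve code; it plays both sides of a CHAP exchange as defined in RFC 1994 (Response = MD5(Identifier || secret || Challenge)) and, for contrast, builds a PAP Authenticate-Request as defined in RFC 1334, in which the password itself is sent. The hostnames, secrets and packet bytes are constructed for the example.

```python
"""PPP PAP and CHAP authentication exchanges (added example; not ProCurve code).

  authenticator: ppp authentication chap + username Remote password procurve
  peer:          ppp chap hostname Remote + ppp chap password procurve

CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge); only the
hash crosses the link. PAP (RFC 1334): the peer sends username and password in
the clear. Hostnames, secrets and packets here are constructed.
"""
import hashlib
import hmac
import os


def chap_md5(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (algorithm 5): hash over Identifier, shared secret, Challenge value."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The router that demands authentication (ppp authentication chap)."""

    def __init__(self, peer_table: dict):
        self.peer_table = peer_table   # {peer hostname: shared secret}, from 'username X password Y'
        self.ident = 0

    def challenge(self) -> tuple:
        """Build a Challenge: a new Identifier plus a fresh random Challenge value."""
        self.ident = (self.ident + 1) & 0xFF
        return self.ident, os.urandom(16)

    def verify(self, ident: int, challenge: bytes, name: bytes, response: bytes) -> bool:
        """Check the Response against the secret stored for the Name the peer sent."""
        secret = self.peer_table.get(name.decode("ascii", "replace"))
        if secret is None:
            return False                      # Name not in the username table: Failure
        expected = chap_md5(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """The router that must authenticate itself (ppp chap hostname / ppp chap password)."""

    def __init__(self, hostname: bytes, password: bytes):
        self.hostname = hostname
        self.password = password

    def respond(self, ident: int, challenge: bytes) -> tuple:
        """Build a Response: the Name the authenticator looks up plus the MD5 value."""
        return self.hostname, chap_md5(ident, self.password, challenge)


def run_chap(authenticator: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One Challenge / Response / Success-or-Failure round trip."""
    ident, challenge = authenticator.challenge()
    name, response = peer.respond(ident, challenge)
    return authenticator.verify(ident, challenge, name, response)


def pap_authenticate_request(username: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data: Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password


def pap_verify(data: bytes, peer_table: dict) -> bool:
    """Authenticator side of PAP: compare the cleartext password with the stored one."""
    if not data:
        return False
    ulen = data[0]
    if len(data) < 2 + ulen:
        return False
    username = data[1:1 + ulen]
    plen = data[1 + ulen]
    password = data[2 + ulen:2 + ulen + plen]
    if len(password) != plen:
        return False
    stored = peer_table.get(username.decode("ascii", "replace"))
    return stored is not None and hmac.compare_digest(stored, password)


if __name__ == "__main__":
    table = {"Remote": b"procurve"}
    print("CHAP, correct hostname:", run_chap(ChapAuthenticator(table), ChapPeer(b"Remote", b"procurve")))
    print("CHAP, hostname not in table:", run_chap(ChapAuthenticator(table), ChapPeer(b"ProCurveB", b"procurve")))
    req = pap_authenticate_request(b"Local", b"procurve")
    print("PAP password visible on the wire:", b"procurve" in req)
```

Two points the model makes concrete: with CHAP a peer whose ppp chap hostname does not match the username entry fails even with the right password, which is why step 3 ties the username to the peer's hostname; and with PAP the password is in the request bytes, so anyone who can read the link can read it, whereas CHAP puts only a hash of a per-challenge random value on the wire. Both sides of CHAP still need the secret itself, so the value you enter with username ... password ... must be stored in recoverable form on the router.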
Frame Relay
Before you begin to configure the Frame Relay interface, you should know the settings that you must enter for the following:
■ Frame Relay signaling role:
• user, or data terminal equipment (DTE)
• network, or data communications equipment (DCE)
• both, or network-to-network interfaces (NNI)
■ Frame Relay signaling type, which is referred to as the link management interface (LMI)
■ data link connection identifier (DLCI)
■ your negotiated committed information rate (CIR), which is configured as your Bc
■ your negotiated excess information rate (EIR), which is configured as your Be.
Your public carrier should provide you with this information.
N o t e With few exceptions, you will configure the signaling role as DTE. However, the other options are available if you need to change the setting for any reason. For example, you may want the router to act as a DCE in a test WAN environment.
To configure Frame Relay for an E1, T1, or serial interface, complete these steps:
1. From the global configuration mode context, create a Frame Relay interface.
Syntax: interface <interface> <number>
ProCurve(config)# interface frame-relay 1
2. Define the signaling role for the Frame Relay interface. The default setting is dte, or user.
Syntax: frame-relay intf-type [dce | dte | nni]
ProCurve(config-fr 1)# frame-relay intf-type dte
3. Define the signaling type (the LMI). The default setting is ansi, or Annex D.
Syntax: frame-relay lmi-type [ansi | auto | cisco | none | q933a]
For example, to set the signaling type to auto, enter:
ProCurve(config-fr 1)# frame-relay lmi-type auto
4. Activate the Frame Relay interface.
ProCurve(config-fr 1)# no shutdown
5. Create a Frame Relay subinterface for each permanent virtual circuit (PVC). Enter any number from 16 to 1007 for the sublink number. Using the same number as the subinterface’s DLCI will help you keep track of and troubleshoot the sublink.
Syntax: interface frame-relay <number.subinterface number>
ProCurve(config-fr 1)# interface frame-relay 1.103
6. Assign the subinterface a DLCI.
Syntax: frame-relay interface-dlci <DLCI>
ProCurve(config-fr 1.103)# frame-relay interface-dlci 103
7. Assign the interface a static IP address.
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
ProCurve(config-fr 1.103)# ip address 10.1.1.1 /24
8. Configure a CIR.
Syntax: frame-relay bc <committed burst value>
Replace <committed burst value> with your CIR expressed in bytes. For example, you might enter:
ProCurve(config-fr 1.103)# frame-relay bc 128000
9. Set the excessive burst rate.
Syntax: frame-relay be <excessive burst value>
Replace <excessive burst value> with a burst rate, expressed in bytes. For example, you might enter:
ProCurve(config-fr 1.103)# frame-relay be 64000
N o t e Together, the frame-relay bc command and the frame-relay be command define the amount of bandwidth you can use on the Frame Relay link. The sum of the values you specify for these two settings should be greater than 8000.
10. Bind the physical interface—the E1, T1, or serial interface—to the Frame Relay interface. From the global configuration mode context, enter:
Syntax: bind <number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>
For example, to bind the E1 1/1 interface to the Frame Relay 1 interface, enter:
ProCurve(config)# bind 1 e1 1/1 1 fr 1
To bind the serial 1/1 interface to the Frame Relay 1 interface, enter:
ProCurve(config)# bind 1 ser 1/1 fr 1
N o t e If you are binding a serial interface to the Frame Relay interface, you do not include the TDM group number because you do not use TDM groups on a serial interface.
11. View the status of the Frame Relay interface and subinterface. From the enable mode context, enter:
ProCurve# show interface fr 1
ProCurve# show interface fr 1.103
HDLC
To configure HDLC for an E1, T1, or serial interface, complete these steps:
1. From the global configuration mode context, create an HDLC interface.
Syntax: interface <interface> <number>
ProCurve(config)# interface hdlc 1
2. Enter the IP address.
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
ProCurve(config-hdlc 1)# ip address 10.1.1.1 /24
3. Activate the HDLC 1 interface
ProCurve(config-hdlc 1)# no shutdown
4. Bind the physical interface—the E1, T1, or serial interface—to the logical interface.
Syntax: bind <number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>
For example, to bind the E1 1/1 interface to the HDLC 1 interface, enter:
ProCurve(config-hdlc 1)# bind 1 e1 1/1 1 hdlc 1
To bind the serial 1/1 interface to the HDLC 1 interface, enter:
ProCurve(config-hdlc 1)# bind 1 ser 1/1 hdlc 1
N o t e If you are binding a serial interface to the HDLC interface, you do not include the TDM group number because you do not use TDM groups on a serial interface.
5. View the status of the HDLC interface. From the enable mode context, enter:
ProCurve# show interface hdlc 1
Chapter 7: ADSL WAN Connections
Contents
ADSL Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
ADSL Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
ADSL2 and ADSL2+: Enhancing Transmission Speeds . . . . . . . . 7-5
READSL: Supporting Greater Distances . . . . . . . . . . . . . . . . . . . . . 7-6
Elements of an ADSL Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
ADSL Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
ADSL Annex A and Annex B: Sharing the Line with Analog or ISDN Voice Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8
ADSL Splitters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
ADSL Without Splitters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
ADSL Modules for the ProCurve Secure Router . . . . . . . . . . . . . . . . . . . . 7-11
Configuring the ADSL Interface: the Physical Layer . . . . . . . . . . . . . 7-12
Accessing the ADSL Interface Configuration Mode Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Activating the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13
Defining the Training Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13
Setting the SNR-Margin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
Monitoring the SNR-Margin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16
Manually Forcing Retraining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16
Configuring the Data Link Layer for the ADSL Connection . . . . . . . 7-17
Creating the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Activating the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Configuring a Subinterface for each PVC . . . . . . . . . . . . . . . . . . . . . . 7-18
Creating the Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18
Activating the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Configuring the VPI/VCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Defining the ATM Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20
Assigning the ATM Subinterface an IP Address . . . . . . . . . . . . . . 7-20
OAM Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-26
Bind the ADSL Interface to the ATM Interface . . . . . . . . . . . . . . . . . . 7-27
Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27
PPPoE Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28
Two Phases for Establishing a PPPoE Session . . . . . . . . . . . . . . . . . . 7-29
Discovery Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29
PPP Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-31
Creating the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-32
Assigning an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-33
Binding the ATM Subinterface to the PPP Interface . . . . . . . . . . . . . 7-33
Identifying the Access Concentrator . . . . . . . . . . . . . . . . . . . . . . . . . . 7-34
Identifying PPPoE Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-35
PPPoA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-35
Creating the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37
Assigning an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37
Binding the ATM Subinterface to the PPP Interface . . . . . . . . . . . . . 7-38
Routed Bridged Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-39
Viewing the Status and Configuration of Interfaces . . . . . . . . . . . . . . . . . 7-41
Viewing the Status of the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . 7-41
Viewing the Status of the ATM Interface and Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-44
Troubleshooting the ADSL Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46
Troubleshooting the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46
Identifying the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46
debug interface adsl events Command . . . . . . . . . . . . . . . . . . . . . 7-47
Troubleshooting the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-48
Troubleshooting the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . 7-49
debug atm oam Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-49
Troubleshooting PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-50
Troubleshooting the PPPoE Discovery Process . . . . . . . . . . . . . 7-50
show pppoe Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-51
Clear a PPPoE Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-52
debug pppoe client Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-52
Troubleshooting the PPP Link Establishment Process . . . . . . . . . . . 7-52
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-54
Configure the Physical Layer: the ADSL Interface . . . . . . . . . . . . . . . 7-54
Configure the Data Link Layer: the ATM Interface and Subinterface 7-56
Configure ATM Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-56
Configure RBE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-58
Configure PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-59
Configure PPPoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-61
ADSL Overview
Digital Subscriber Line (DSL) technologies provide high-speed wide area network (WAN) connections—typically for a lower cost than older WAN technologies such as E1- or T1-carrier lines. A variety of DSL technologies have been developed, and these technologies are sometimes collectively referred to as x-type DSL, or xDSL. The “x” is replaced with one to three letters that represent a particular type of DSL, such as:
■ ADSL, or asymmetric DSL
■ HDSL, or high bit-rate DSL
■ SHDSL, or single wire HDSL
■ READSL, or reach extended ADSL
■ VDSL, or very high bit-rate DSL
The various types of xDSL operate at different speeds. They also differ in how much bandwidth is dedicated to upstream and downstream transmissions. Downstream refers to the traffic being sent from the public carrier’s central office (CO) to the customer’s premises, as shown in Figure 7-1. Upstream refers to the traffic being sent from the customer’s premises to the public carrier’s CO.
Figure 7-1. Upstream and Downstream Transmissions
If a DSL technology transmits data at the same speed both upstream and downstream, it is symmetric. If a DSL technology provides different transmis-sion speeds for upstream and downstream, it is asymmetric.
(Figure 7-1 shows the customer’s premises, with its LAN and WAN router, connected to the public carrier’s central office (CO); the downstream arrow runs from the CO to the customer and the upstream arrow from the customer to the CO.)
With asymmetric DSL technologies, the transmission speed for downstream is higher than the transmission speed for upstream. This makes asymmetric DSL technologies ideal for Internet use because users typically download more data from the Internet than they upload. Asymmetric DSL technologies are also well-suited for video-on-demand or high-definition television (HDTV).
ADSL Technologies
Asymmetric DSL (ADSL) has emerged as one of the most widely used DSL technologies. ADSL provides an end-to-end digital connection between the source device and the destination device. Like an E1- or T1-carrier line, ADSL is a leased private line and is always available.
ADSL service is usually provided through a partnership between an Internet service provider (ISP) and a public carrier. (The public carrier is frequently called the ADSL service provider.) The ISP provides the connection to the Internet, and the public carrier provides the ADSL connection to the customer.
ADSL2 and ADSL2+: Enhancing Transmission Speeds
Originally providing transmission speeds of up to 8 Mbps downstream and 1.544 Mbps upstream, ADSL has been enhanced twice:
■ ADSL2 offers up to 12 Mbps downstream and 1.544 Mbps upstream.
■ ADSL2+ provides up to 25 Mbps downstream and 1.544 Mbps upstream.
The maximum available bandwidth for either downstream or upstream depends on factors such as:
■ Distance between the customer’s premises and the public carrier’s CO—The greater the distance, the slower the transmission rate.
■ Line quality—The more noise on the line, the slower the transmission rate.
As Table 7-1 shows, to qualify for ADSL or ADSL2, customers can be a maximum of 5.49 to 5.67 km from the public carrier’s CO. For ADSL2+, customers can be only 1.52 km away from the CO. If a company or home is too far away from the public carrier’s CO, ADSL is not even an option.
Table 7-1. Distance Supported by ADSL, ADSL2, and ADSL2+
Type of ADSL Distance from CO
ADSL 3.66 km to 5.49 km (12,000 to 18,000 feet)
ADSL2 3.84 to 5.67 km (12,600 to 18,600 feet)
ADSL2+ 1.52 km (5,000 feet)
READSL: Supporting Greater Distances
To make ADSL available to more customers, reach extended ADSL2 (READSL) was developed to support greater distances between a customer’s premises and the public carrier’s CO. (READSL is an ADSL2 or ADSL2+ technology, which is sometimes called READSL and sometimes called READSL2.) According to CommsDesign.com, READSL extends the reach of ADSL “up to 2500 ft., allowing ADSL systems to reach as far as 20,000 ft.” (Marcus Tzannes, “RE-ADSL2: Helping Extend ADSL’s Reach,” May 13, 2003.)
Currently, READSL2+ is designed to share the local loop with POTS traffic, just as ADSL Annex A does.
Elements of an ADSL Connection
All WAN connections, including ADSL connections, consist of three basic elements:
■ the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection
■ electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media
■ Data Link Layer protocols, which provide logical flow control for moving data between WAN peers (the devices at either end of a WAN connection)
Physical transmission media and electrical specifications are part of the Physical Layer (or Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (or Layer 2). (See Figure 7-2.)
Figure 7-2. Physical and Data Link Layers of the OSI Model
(Figure 7-2 lists the seven OSI layers, 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, and 1 Physical, and places ATM at the Data Link Layer and ADSL at the Physical Layer.)
When you configure an ADSL connection, you must configure both the Phys-ical Layer and the Data Link Layer (which is also called the Logical Layer). The Physical Layer is, of course, ADSL. The Data Link Layer protocol is Asynchronous Transfer Mode (ATM).
ADSL Infrastructure
When you purchase an ADSL connection, your company’s premises must be connected to the public carrier’s nearest CO. All of the telecommunications infrastructure that is used to connect your company’s premises to the CO is collectively called the local loop.
ADSL uses modulation to increase the speed at which data can be transmitted over the plain copper wire that is used for most local loops. Once the ADSL traffic reaches the public carrier’s CO, it is sent to a DSL Access Multiplexer (DSLAM) and then routed over the regional broadband, or packet, network. (See Figure 7-3.) Traffic transmitted over E1- and T1-carrier lines, on the other hand, is sent to a voice switch before being transmitted through the public carrier network.
Figure 7-3. The ADSL Network
The regional broadband network is connected to the Internet. (See Figure 7-4.)
(Figure 7-3 shows the customer’s premises, with its LAN and WAN router, connected over the local loop to the public carrier’s central office. At the CO, ADSL traffic goes to the DSLAM and on, as ATM, to the regional broadband network; voice traffic goes to the voice or ISDN switch and on to the public carrier network.)
Figure 7-4. ADSL Connection to the Internet
Moving high-speed WAN connections onto a separate network infrastructure alleviates a serious problem for most public carriers: congestion in the traditional public carrier network. With the increasing popularity of the Internet, more and more businesses and residential users are connecting to the Internet through the public carrier network, which was not built to handle the high volume of traffic that many Internet connections generate.
ADSL Annex A and Annex B: Sharing the Line with Analog or ISDN Voice Traffic
ADSL is designed to share the local loop with analog voice or Integrated Services Digital Network (ISDN) traffic used for either voice or fax transmissions. (ADSL cannot share the local loop with an ISDN WAN connection, which is used to transmit data.) To share the local loop, ADSL devices reserve the bottom frequencies for analog voice and ISDN traffic. (See Figure 7-5.)
In the ADSL standards, support for analog voice is called ADSL over Plain Old Telephone Service (POTS), or ADSL Annex A. The customer’s existing telephone equipment can continue to send voice traffic over the same pair of wires that carry ADSL traffic.
(Figure 7-4 shows the path from the customer’s premises (LAN, WAN router) over the local loop to the central office DSLAM, then through the regional broadband network (broadband switch (ATM), broadband access server, other DSLAMs) to an Internet core router and the Internet.)
Customers who have ISDN equipment such as telephones and fax machines can continue using this equipment while moving their Internet or WAN connection to ADSL. Support for ISDN is called ADSL over ISDN, or ADSL Annex B, and is common in countries such as Germany where ISDN is popular.
Figure 7-5. ADSL with POTS or ADSL with ISDN
ADSL Splitters
Because ADSL supports analog voice or ISDN traffic, the local loop is a shared medium. In an ADSL Annex A environment, telephones send analog voice over the local loop, and the WAN router sends digital data. At the CO, the analog voice must be transmitted to the voice switch and then routed over the public carrier network. The digital data, on the other hand, must be transmitted to the DSLAM and then routed over the regional broadband network. At the customer’s premises, the analog voice must be sent to the telephones, and the digital data must be sent to the WAN router.
To separate the analog voice from the ADSL data, a POTS splitter is installed at both the customer’s premises and the public carrier’s CO. The POTS splitter filters the traffic at both ends of the local loop and ensures that the analog voice and the ADSL traffic are sent to the appropriate device at each location.
In an ADSL Annex B environment, ISDN equipment and the WAN router transmit data over the local loop. At the CO, the ISDN traffic must be transmitted to the ISDN switch and then routed over the public carrier network. The ADSL data must be transmitted to the DSLAM and then routed over the regional broadband network. At the customer’s premises, the ISDN data must be sent to the ISDN equipment, and the ADSL data must be sent to the WAN router.
(Figure 7-5 shows the frequency plan from 0 to 2.2 MHz. With POTS, analog voice occupies the lowest band, followed by the ADSL upstream band and then the downstream band. With ISDN, the ISDN traffic occupies the band below about 0.14 MHz, followed by the ADSL upstream band and then the downstream band.)
To separate the ISDN data from the ADSL data, an ISDN splitter is installed at both the customer’s premises and the CO. This splitter ensures that each type of traffic is transmitted to the appropriate device at each location. (See Figure 7-6.)
Figure 7-6. ADSL Network
ADSL Without Splitters
ADSL Lite, or G.lite, was developed to provide a low-cost, no-hassle WAN connection. Instead of the up to 8 Mbps downstream transmission rate of ADSL, ADSL Lite provides just 1 Mbps downstream. The upstream rate is only 512 Kbps, rather than the 1.544 Mbps offered by ADSL.
In addition to the low cost, subscribers receive the following advantages:
■ No splitter—No splitter is required at the customer’s premises. Instead, ADSL Lite uses a microfilter, which is easy to install. Typically, the microfilter is a small device that is attached on the wire that connects the DSL modem to the wall jack at the customer’s premises.
■ Easy installation—With ADSL Lite, no modifications need to be made to the local loop, so the customer does not have to wait for a service call from the local carrier. After the DSL modem and the microfilter are plugged in, the installation is complete.
(Figure 7-6 shows a splitter at the customer’s premises, between the LAN/WAN router and the local loop, and a second splitter at the central office. At the CO, voice or ISDN traffic is sent to the voice or ISDN switch, and ADSL traffic is sent to the DSLAM and on through the regional broadband network (broadband switch (ATM), broadband access server, other DSLAMs) to an Internet core router and the Internet.)
ADSL Modules for the ProCurve Secure Router
ProCurve Networking offers two ADSL modules:
■ ADSL2+ Annex A module for ADSL over POTS
■ ADSL2+ Annex B module for ADSL over ISDN
ADSL2+ Annex A modules are used primarily in the United States and Canada. ADSL2+ Annex B modules are used in Europe, South America, Asia (except Japan), and Australia.
N o t e Japan uses ADSL Annex C. Currently, the ProCurve Secure Router does not support ADSL Annex C.
The ProCurve ADSL2+ Annex A and Annex B modules support standards for ADSL, ATM, Point-to-Point Protocol over Ethernet (PPPoE), and PPP over ATM (PPPoA). (See Table 7-2.)
Table 7-2. Standards Supported by the ADSL Modules
ADSL2+ Annex A (ADSL over POTS)
• ADSL standards: International Telecommunications Union (ITU) G.992.1 Annex A (G.dmt); ITU G.992.2 Annex A (G.lite); ITU G.992.3 Annex A ADSL2 (G.dmt.bis); ITU G.992.3 Annex L READSL2; ITU G.992.5 Annex A ADSL2+; ANSI T1.413 Issue 2
• ATM standards: Multiple Protocol over AAL5 (Request for Comments [RFC] 2684); ATM Forum UNI 3.1/4.0 PVC; ATM Class of Service (UBR); ATM F5 OAM
• PPPoA and PPPoE: PPP over ATM AAL5 (RFC 2364); PPP over Ethernet (RFC 2516)
ADSL2+ Annex B (ADSL over ISDN)
• ADSL standards: ITU G.992.1 Annex B (G.dmt); ITU G.992.3 Annex B ADSL2 (G.dmt.bis); ITU G.992.5 Annex B ADSL2+
• ATM standards: Multiple Protocol over AAL5 (RFC 2684); ATM Forum UNI 3.1/4.0 PVC; ATM Class of Service (UBR); ATM F5 OAM
• PPPoA and PPPoE: PPP over ATM AAL5 (RFC 2364); PPP over Ethernet (RFC 2516)
Configuring the ADSL Interface: the Physical Layer
To connect the ADSL interface on the front panel of the ProCurve Secure Router to the wall jack provided by your service provider, you use unshielded twisted pair (UTP) ribbon cable with RJ-11 connectors.
Note: In some countries, the ADSL service provider supplies the customer premises equipment (CPE), which requires an RJ-45 connector.
You must then configure the physical interface for the ADSL connection.
Accessing the ADSL Interface Configuration Mode Context
To begin configuring the ADSL module that will provide the WAN connection, you must access the appropriate configuration mode context. Move to the global configuration mode context and enter:
Syntax: interface <interface> <slot>/<port>
When you are configuring an ADSL interface, you replace <interface> with adsl.
On the ProCurve Secure Router, each physical interface is identified by its slot number and port number.
The possible slot numbers for ADSL modules are:
■ 1 = dl option module slot 1
■ 2 = dl option module slot 2
For ADSL modules, the port number is always one. For example, if the ADSL module is located in slot one, enter:
ProCurve(config)# interface adsl 1/1
The router prompt indicates that you have entered the proper interface configuration mode context:
ProCurve(config-adsl 1/1)#
From the configuration mode context, you can enter the ? help command to display the commands available from this configuration mode context.
ProCurve(config-adsl 1/1)# ?
The settings that you must configure in order to establish an ADSL WAN connection are explained in the following sections.
Activating the ADSL Interface
By default, all interfaces on the ProCurve Secure Router are shut down. You must activate the ADSL interface. From the ADSL interface configuration mode context, enter:
ProCurve(config-adsl 1/1)# no shutdown
A message is displayed at the CLI, indicating that the interface is now administratively up. Messages such as this are displayed by default. To disable these messages, enter the following command from the enable mode context:
ProCurve# no events
To enable these messages again, enter:
ProCurve# events
Defining the Training Mode
Like other ADSL routers and modems, the ProCurve Secure Router must go through a training phase. During the training phase, the ADSL interface and the DSLAM evaluate the quality of the line and identify the best way to use the available bandwidth to achieve the highest transmission rate possible.
After the training phase, the ProCurve Secure Router and the DSLAM establish an ADSL connection and exchange Physical Layer signaling. This phase of the connection is called showtime. Although the two devices have established a physical connection, they have not yet begun to exchange ATM cells or to communicate at the Data Link Layer.
You must select the standard that the ADSL interface uses during the training mode. Table 7-3 lists the training mode options, the standards on which each one is based, and a brief description.
Table 7-3. Training Modes Supported by the ProCurve Secure Router

training-mode ADSL2
  Standard: ITU G.992.3 ADSL2 (G.dmt.bis)
  Description: Trains the interface for the ADSL2 transmission rate. This mode requires a splitter at both the user’s and the public carrier’s premises to divide traffic between voice and data lines.

training-mode ADSL2+
  Standard: ITU G.992.5 ADSL2+
  Description: Trains the interface for the ADSL2+ transmission rate. This mode requires a splitter at both the user’s and the public carrier’s premises to divide traffic between voice and data lines.

training-mode G.DMT
  Standard: ITU G.992.1 (G.dmt)
  Description: Trains the interface in the full-rate ANSI standard. This mode requires a splitter at both the user’s and the public carrier’s premises to divide traffic between voice and data lines.

training-mode G.LITE
  Standard: ITU G.992.2 (G.lite)
  Description: Supports the splitterless ANSI standard with a smaller bandwidth than the full-rate ANSI standard.

training-mode Multi-Mode
  Description: Automatically detects the appropriate configuration and conforms to the standard used by the DSLAM. This is the default setting.

training-mode READSL2
  Standard: ITU G.992.3 Annex L READSL2
  Description: Trains the interface to use READSL2.

training-mode T1.413
  Standard: ANSI T1.413 Issue 2
  Description: Supports lower-speed connections than the full-rate ANSI standard.

Table 7-4 shows which options are supported by the ADSL2+ Annex A module and which options are supported by the Annex B module. As you can see, the ADSL2+ Annex A module supports all the options listed. The ADSL2+ Annex B module, on the other hand, supports ADSL2, ADSL2+, and G.DMT. The ADSL2+ Annex B module also supports the Multi-Mode option, but when this option is used with this module, only three training modes are possible: ADSL2, ADSL2+, and G.DMT. (In future versions of the Secure Router OS, additional training modes will be supported by the ADSL2+ Annex B module.)
Table 7-4. Training Modes Supported by the ProCurve Secure Router

Command Option              ADSL2+ Annex A   ADSL2+ Annex B
training-mode ADSL2         Yes              Yes
training-mode ADSL2+        Yes              Yes
training-mode G.DMT         Yes              Yes
training-mode G.LITE        Yes              No
training-mode Multi-Mode    Yes              Yes
training-mode READSL2       Yes              No
training-mode T1.413        Yes              No

To define the training mode, enter the following command from the ADSL interface configuration mode context.
Syntax: training-mode [ADSL2 | ADSL2+ | G.DMT | G.LITE | Multi-Mode | READSL2 | T1.413]
For example, to set the training mode for ADSL2, enter:
ProCurve(config-adsl 2/1)# training-mode ADSL2
The default setting for both the ADSL2+ Annex A module and the ADSL2+ Annex B module is Multi-Mode.
Setting the SNR-Margin
Because ADSL connections are affected by line interference, you must specify the level at which the quality of the signal on the ADSL line is acceptable. This quality of the signal is determined by the signal-to-noise ratio (SNR) margin.
The SNR margin is calculated logarithmically. An SNR margin of 15 means the signal is approximately 5.6 times stronger than background noise, while a signal with an SNR margin of 1 is only marginally stronger than the background noise.
Because transmission speeds on ADSL lines are affected by line interference, you want to maximize the signal and minimize the background noise. When you narrow the signaling band to maximize the signal, however, you also decrease the transmission rate.
Determining the minimum SNR margin is a compromise: the higher the SNR margin, the slower the transmission rate. However, if you set the SNR margin too low, the line may go down, or your data may be garbled.
To set the SNR margin, enter the following command from the ADSL configuration mode context:
Syntax: snr-margin <margin>
Replace <margin> with a number between 1 and 15 decibels (dB).
For example, if you want to set the SNR margin to 4, enter:
ProCurve(config-adsl 2/1)# snr-margin 4
Monitoring the SNR-Margin
You can enable monitors to ensure that the minimum SNR is maintained on the line during both the ADSL training and the ADSL showtime phases. These monitors periodically check the line to ensure that the SNR margin does not fall below your setting.
To enable the monitors, enter the following command from the ADSL configuration mode context:
Syntax: snr-margin [showtime-monitor | training-monitor]
For example, to enable the showtime monitor, enter:
ProCurve(config-adsl 2/1)# snr-margin showtime-monitor
Manually Forcing Retraining
After you configure the ADSL interface options, you can force the ADSL interface to retrain itself. From the ADSL interface configuration mode context, enter:
ProCurve(config-adsl 2/1)# retrain
When the line reaches an acceptable SNR margin, its status will change to up.
Configuring the Data Link Layer for the ADSL Connection
You can configure the ADSL line with ATM as the Data Link Layer, or you can configure ADSL with either PPPoE or PPPoA. No matter which option you use, however, your configuration will include ATM, and you will need to configure both an ATM interface and an ATM subinterface.
Creating the ATM Interface
To begin configuring ATM for an ADSL connection, you must create a logical interface. From the global configuration mode context, enter:
Syntax: interface <interface> <number>
Replace <interface> with atm and replace <number> with any number between 1 and 1024. Each ATM interface you configure on the router must have a unique number.
For example, if you are configuring the first ATM interface on the router, you might enter:
ProCurve(config)# interface atm 1
The router prompt indicates that you have entered the appropriate interface configuration mode context:
ProCurve(config-atm 1)#
You can then enter the ? help command to display the commands available from this configuration mode context.
ProCurve(config-atm 1)# ?
Activating the ATM Interface
By default, all logical interfaces on the ProCurve Secure Router are shut down, so you must activate the ATM interface. From the ATM interface configuration mode context, enter:
ProCurve(config-atm 1)# no shutdown
Configuring a Subinterface for each PVC
You must configure an ATM subinterface to define the endpoint of the ADSL connection. By default, each ATM interface supports up to 16 permanent virtual circuits (PVCs), so you can create a maximum of 16 subinterfaces on each ATM interface.
Configuring a subinterface involves the following basic steps:
1. Create the ATM subinterface.
2. Activate the ATM subinterface.
3. Assign the subinterface a virtual path identifier (VPI) and virtual channel identifier (VCI).
4. Set the encapsulation type.
5. Assign an IP address to the ATM subinterface.
If you are configuring PPPoE or PPPoA for the ADSL connection, you will need to complete some additional steps. You will also need to assign the IP address to the PPP interface, rather than to the ATM subinterface.
These are the basic steps for configuring the ATM subinterface, but you can configure other settings (such as quality of service, access controls, and backup settings) for the subinterface as well.
Creating the Subinterface
From the global configuration mode context or the ATM interface configuration mode context, enter:
Syntax: interface <interface> <number>.<subinterface>
Replace <interface> with atm, and replace <number> with the number of the ATM interface you created previously. Then replace <subinterface> with a number between 1 and 65535.
For example, if you want to configure the ATM 1.1 subinterface, enter:
ProCurve(config-atm 1)# interface atm 1.1
Activating the ATM Subinterface
By default, all subinterfaces on the ProCurve Secure Router are shut down. You must activate the ATM subinterface. From the ATM interface configuration mode context, enter:
ProCurve(config-atm 1.1)# no shutdown
Configuring the VPI/VCI
ATM networks are fundamentally connection-oriented, which means that a logical connection must be set up across the ATM network before any data can be transmitted. After this connection is set up, there is only one possible path for cells to take, so they cannot be received in the wrong order.
ATM setup standards define two types of ATM connections. (See Figure 7-7.)
■ Virtual path (VP)—Identified by a virtual path identifier (VPI)
■ Virtual channel (VC)—Identified by the VPI and a virtual channel identifier (VCI)
VPIs and VCIs are established during the ATM connection setup phase. These values are carried in the headers of ATM cells to facilitate ATM cell switching.
Figure 7-7. The VPI/VCI
Your public carrier will provide the VPI and VCI values for your ADSL connection. From the ATM subinterface configuration mode context, set the VPI/VCI by entering:
Syntax: pvc <vpi>/<vci>
Replace <vpi> with the number that your ADSL service provider gave you for the VPI. The VPI can be a number between 0 and 255. Replace <vci> with the unique number that your service provider has assigned to this connection. If you establish more than one subinterface on an ATM interface, each subinterface will have a unique VCI. The VCI can be a number between 32 and 65535.
[Figure 7-7 labels: a transmission path carries virtual paths (VP); each virtual path carries virtual channels (VC).]
For example, to assign the ATM subinterface a VPI/VCI of 0/33, enter:
ProCurve(config-atm 1.1)# pvc 0/33
Defining the ATM Encapsulation
The ATM Data Link Layer for the ADSL connection includes these sublayers:
■ the ATM adaptation layer (AAL), which is called Layer 2-1
■ the point-to-point layer, which is referred to as Layer 2-2
You must configure the adaptation layer by specifying an encapsulation type. Enter one of the following commands to enable the encapsulation type specified by your service provider:
Syntax: encapsulation aal5snap
or
Syntax: encapsulation aal5mux [ip | ppp]
The default setting is aal5snap, which establishes an encapsulation type that supports the Link Layer Control/Sub-Network Access Protocol (LLC/SNAP). AAL5 LLC/SNAP encapsulation works with any type of protocol for the ADSL connection: bridging, PPPoA, PPPoE, and IP with and without bridging.
Use the aal5mux encapsulation setting for multiplexed virtual circuits. You must then specify a protocol for each subinterface to use: IP or PPP.
If your service provider is using PPPoE, you must set the encapsulation to aal5snap or aal5mux ppp, as shown below:
ProCurve(config-atm 1.1)# encapsulation aal5snap
or
ProCurve(config-atm 1.1)# encapsulation aal5mux ppp
Assigning the ATM Subinterface an IP Address
If you are configuring just ATM as the Data Link Layer protocol, you assign the IP address to the ATM subinterface. If you are configuring PPPoE or PPPoA, you assign the IP address to the PPP interface.
If you are configuring the IP address on the ATM subinterface, you can configure:
■ a static IP address
■ the ATM subinterface as a DHCP client
■ the ATM subinterface as an unnumbered interface
Configuring a Static Address. To assign the ATM subinterface a static IP address, use the following command syntax:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For example, you might enter:
ProCurve(config-atm 1.1)# ip address 10.1.1.1 255.255.255.0
Because the ProCurve Secure Router supports Classless Inter-Domain Routing (CIDR) notation, you could also enter:
ProCurve(config-atm 1.1)# ip address 10.1.1.1 /24
Note: You must include a space between the IP address and the / symbol in front of the prefix length.
Configuring the ATM Subinterface as a DHCP Client. Your service provider may want you to configure the ATM subinterface as a DHCP client. To enable the DHCP client for the ATM subinterface, use one of the following commands:
Syntax: ip address dhcp [client-id [ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH] | hostname <word>]
Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]
In addition to enabling the DHCP client, these commands allow you to configure the settings shown in Table 7-5.
Table 7-5. Default Settings for the DHCP Client

client-id
  Meaning: configures the client identifier displayed for this interface in the DHCP server’s table
  Default setting: media type and interface’s MAC address

hostname
  Meaning: configures the hostname displayed for this interface in the DHCP server’s table
  Default setting: router hostname

no-default-route
  Meaning: specifies that the DHCP client should not accept the default route obtained through DHCP
  Default setting: accept default route from the DHCP server

no-domain-name
  Meaning: specifies that the DHCP client should not accept the domain name included with the other lease settings sent by the DHCP server
  Default setting: accept the domain name setting from the DHCP server

no-nameservers
  Meaning: specifies that the DHCP client should not accept the Domain Name System (DNS) setting included with the other lease settings sent by the DHCP server
  Default setting: accept DNS settings from the DHCP server

Before you enable the DHCP client, you must decide whether or not you want to configure the settings listed in Table 7-5, and you must then include the settings in the same command you enter to enable the DHCP client. After you enable the DHCP client, it immediately begins to search for a DHCP server and negotiate a lease. You cannot impose settings on that lease after it is established.
Accepting the Default Settings. If you want to use all of the default DHCP settings for the ATM subinterface, you can simply enter:
ProCurve(config-atm 1.1)# ip address dhcp
The DHCP client on the ATM subinterface will immediately begin to send DHCP discovery messages to find a DHCP server. When a DHCP server responds, the client will negotiate an IP address.
The DHCP client will send DHCP discovery messages whether or not the ATM subinterface is activated or a valid connection has been established. It will continue to send DHCP discovery messages until a DHCP server responds.
You should ensure that the DHCP client receives an IP address so that these requests do not consume router resources or bandwidth on your ADSL link. To determine if the ATM subinterface has been assigned an IP address, enter:
ProCurve(config-atm 1.1)# do show int atm 1.1
Note: The do command allows you to enter enable mode commands from any context (except the basic mode context).
Configuring a Client Identifier. By default, the Secure Router OS populates the client identifier with the media type and the interface’s media access control (MAC) address. You can specify that the DHCP client uses the MAC address of an Ethernet port, or you can configure a customized client identifier.
To configure a client identifier when you enable the DHCP client, enter:
Syntax: ip address dhcp client-id [ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH]
In the same command in which you configure the client identifier, you can also configure a hostname, as explained in the next section.
Configuring a Hostname. The Secure Router OS uses the router’s host-name as the ATM subinterface’s default DHCP client hostname. If you want to override this name when you enable the DHCP client, enter the following command:
Syntax: ip address dhcp hostname <word>
For example, you might want to specify that the hostname is RouterB. In this case, you would enter:
ProCurve(config-atm 1.1)# ip address dhcp hostname RouterB
You can also configure a client identifier at the same time as the hostname, as shown below.
ProCurve(config-atm 1.1)# ip address dhcp client-id ethernet 0/1 hostname RouterB
If you enter this command, the DHCP client will use the MAC address of the Ethernet 0/1 interface as its client identifier. The DHCP client will also use the hostname RouterB.
Alternatively, you can specify the hostname and configure the client to ignore the settings received from the DHCP server. These commands are described in the following sections.
Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default route, a domain name, or the IP address of a domain name system (DNS) server, the DHCP client for the ATM subinterface will accept and use these settings. If you do not want to use one or more of these settings, enter the appropriate options when you enable the DHCP client:
Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]
For example, if you do not want the DHCP client to use the default gateway and DNS name server addresses that it receives from the DHCP server, enter:
ProCurve(config-atm 1.1)# ip address dhcp no-default-route no-nameservers
Changing a Setting for the DHCP Client. If you want to change a setting for the DHCP client, you must first disable the client. Then you can enter the command to enable the client with the setting that you want to change.
Before you disable the client, you should release the IP address obtained through DHCP. This will prevent the DHCP server from holding the IP address and allow it to assign the IP address to another client.
Releasing or Renewing an IP address. If you want to manually force the ATM subinterface to release or renew an IP address, enter these commands from the ATM subinterface configuration mode context:
ProCurve(config-atm 1.1)# ip dhcp release
ProCurve(config-atm 1.1)# ip dhcp renew
Removing the DHCP Client Setting. If you decide that you no longer want the ATM subinterface to be a DHCP client, enter:
ProCurve(config-atm 1.1)# no ip address dhcp
Configuring the ATM Subinterface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the ATM subinterface as an unnumbered interface. When you assign the ATM subinterface an IP address, that IP address cannot overlap with the IP addresses assigned to other interfaces on your network. As a result, each interface that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.
You can configure the ATM subinterface as an unnumbered interface. The ATM subinterface will then use the IP address of the interface you specify. The Secure Router OS uses the IP address of the specified interface when sending routing updates over the unnumbered interface.
Before configuring the ATM subinterface as an unnumbered interface, you should be aware of a potential disadvantage: if the interface to which the IP address is actually assigned goes down, the ATM subinterface will be unavailable. For example, suppose you configure the ATM 1.1 subinterface as an unnumbered interface that takes its IP address from an Ethernet interface. If the Ethernet interface goes down, the ATM 1.1 subinterface will be unavailable as well.
To minimize the chances of the ATM subinterface becoming unavailable, you can assign the IP address to a loopback interface, which typically does not go down.
To configure the ATM subinterface as an unnumbered interface, enter the following command from the ATM subinterface configuration mode context:
Syntax: ip unnumbered <interface>
Valid interfaces from which the ATM subinterface can take its address include:
■ other ATM subinterfaces
■ demand interfaces
■ Ethernet interfaces or subinterfaces
■ Frame Relay subinterfaces
■ HDLC interfaces
■ loopback interfaces
■ PPP interfaces
If you configure an Ethernet interface to support virtual LANs (VLANs), you can specify an Ethernet subinterface.
For example, you would enter the following commands to configure a loopback interface and then to configure the ATM 1.1 subinterface to use the IP address assigned to that loopback interface:
ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 10.1.1.1 /24
ProCurve(config-loop 1)# interface atm 1.1
ProCurve(config-atm 1.1)# ip unnumbered loopback 1
ProCurve(config-atm 1.1)# no shut
Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface automatically changes to up after you enter the interface loopback <number> command.
OAM Settings
By default, an activated ATM interface sends F5 Operation, Administration, and Maintenance (OAM) cells over a reserved VCI to monitor the ATM link and ensure that it is open end-to-end. The oam retry command enables you to configure the OAM settings that the ProCurve Secure Router OS uses to determine if a PVC is up or down.
Syntax: oam retry <up-count> <down-count> <retry-frequency>
The <up-count> option determines the number of consecutive, end-to-end F5 OAM loopback cell responses that the ADSL interface must receive before the Secure Router OS changes a PVC connection state to up.
Replace <up-count> with a number between 1 and 255. The default setting is 3.
The <down-count> option determines the number of consecutive, end-to-end F5 OAM loopback cell responses that the ATM subinterface must miss before the Secure Router OS changes the PVC state to down.
Replace <down-count> with a number between 1 and 255. The default setting is 5.
The <retry-frequency> option determines the frequency (in seconds) at which the ADSL interface transmits F5 OAM loopback cells when verifying a PVC state change. Replace <retry-frequency> with a number of seconds between 1 and 600. The default setting is 1 second.
The value you specify for the <retry-frequency> option is used only when the Secure Router OS is verifying a change in the state of a PVC. To configure the time delay between OAM loopback cells for all other circumstances, you enter this command from the ATM subinterface configuration mode context:
Syntax: oam-pvc managed <frequency>
This command determines the number of seconds the Secure Router OS waits between transmitting OAM loopback cells. The range is 0 to 600 seconds, and the default setting is 1 second.
For example, to configure the Secure Router OS to wait 4 seconds between transmitting OAM loopback cells, enter:
ProCurve(config-atm 1.1)# oam-pvc managed 4
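To make the interaction between oam retry and oam-pvc managed concrete, the following added Python example (not code from this guide or from the Secure Router OS) models the PVC state decision described above: a PVC comes up only after <up-count> consecutive loopback responses, goes down only after <down-count> consecutive misses, and the <retry-frequency> interval applies only while such a change is being verified; at all other times the oam-pvc managed frequency applies. The class and method names, the starting state of down, and the loopback result sequences are assumptions of the example.

```python
"""PVC state tracking driven by F5 OAM loopback results.

Added example; not code from the ProCurve guide or the Secure Router OS.
It models the counting rules the guide states for 'oam retry <up-count>
<down-count> <retry-frequency>' and 'oam-pvc managed <frequency>'.
"""


class PvcOamMonitor:
    def __init__(self, up_count=3, down_count=5, retry_frequency=1, managed_frequency=1):
        # Ranges from the guide: counts 1..255, retry-frequency 1..600 s,
        # oam-pvc managed 0..600 s.  Defaults are the guide's defaults.
        for name, val, lo, hi in (("up_count", up_count, 1, 255),
                                  ("down_count", down_count, 1, 255),
                                  ("retry_frequency", retry_frequency, 1, 600),
                                  ("managed_frequency", managed_frequency, 0, 600)):
            if not lo <= val <= hi:
                raise ValueError(f"{name} must be between {lo} and {hi}, got {val}")
        self.up_count, self.down_count = up_count, down_count
        self.retry_frequency, self.managed_frequency = retry_frequency, managed_frequency
        self.state = "down"     # assumption: a new PVC is down until up_count responses arrive
        self.streak = 0         # consecutive results that contradict the current state
        self.transitions = []   # history of state changes, for inspection

    def verifying(self) -> bool:
        """True while recent loopback results contradict the current PVC state."""
        return self.streak > 0

    def next_interval(self) -> int:
        """Seconds until the next loopback cell: retry-frequency only while verifying."""
        return self.retry_frequency if self.verifying() else self.managed_frequency

    def observe(self, responded: bool) -> str:
        """Feed one loopback result (True = response received); return the PVC state."""
        contradicts = responded if self.state == "down" else not responded
        self.streak = self.streak + 1 if contradicts else 0
        if self.state == "down" and self.streak >= self.up_count:
            self.state, self.streak = "up", 0
            self.transitions.append("up")
        elif self.state == "up" and self.streak >= self.down_count:
            self.state, self.streak = "down", 0
            self.transitions.append("down")
        return self.state


def replay(results, **settings):
    """Run a constructed sequence of loopback results through a monitor.

    Returns (final state, list of transitions, per-poll interval schedule).
    """
    mon = PvcOamMonitor(**settings)
    schedule = []
    for responded in results:
        mon.observe(responded)
        schedule.append(mon.next_interval())
    return mon.state, mon.transitions, schedule


if __name__ == "__main__":
    # Constructed sample: two responses, one miss (streak resets), then three responses.
    print(replay([True, True, False, True, True, True],
                 up_count=3, down_count=5, retry_frequency=2, managed_frequency=4))
```

The schedule returned by replay shows the point the guide makes about the two commands: polls are spaced at the retry-frequency only while a state change is pending, and a single miss during the up-count sequence resets the count because the guide requires consecutive responses.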
Bind the ADSL Interface to the ATM Interface
When you configure WAN connections on the ProCurve Secure Router, you must bind the physical interface to the logical interface. For ADSL WAN connections, you must bind the ADSL interface to the ATM interface. Enter the following command from the global configuration mode context:
Syntax: bind <number> <physical interface> <slot number>/<port number> <logical interface> <logical interface number>
You can also enter this command from the ATM interface configuration mode context.
For example, if you want to bind the ADSL 1/1 interface to the ATM 1 interface, enter:
ProCurve(config)# bind 1 adsl 1/1 atm 1
The ATM interface may take a few minutes to establish a connection. To view the status of the ATM interface and subinterface, enter:
ProCurve(config)# do show interface atm 1
ProCurve(config)# do show interface atm 1.1
Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).
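The commands from this chapter, from activating the ADSL interface through binding it to the ATM interface, gathered into one place as an added example in Python (not code from this guide or from the Secure Router OS). The script renders the CLI lines the guide documents and rejects values outside the ranges the guide gives (slot, ATM interface number, SNR margin, VPI, VCI, subinterface number, PVC count per ATM interface, and training modes the Annex B module does not support per Table 7-4). The dataclass and function names, the sample slot and PVC values, and the bind number default of 1 are assumptions of the example.

```python
"""Render and validate an ADSL/ATM WAN configuration for the Secure Router CLI.

Added example; not code from the ProCurve guide or the Secure Router OS.
Every range checked below is the one stated in the guide's syntax notes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

TRAINING_MODES = {"ADSL2", "ADSL2+", "G.DMT", "G.LITE", "Multi-Mode", "READSL2", "T1.413"}
ANNEX_B_MODES = {"ADSL2", "ADSL2+", "G.DMT", "Multi-Mode"}     # Table 7-4
ENCAPSULATIONS = {"aal5snap", "aal5mux ip", "aal5mux ppp"}
MAX_PVCS_PER_ATM = 16


@dataclass
class Pvc:
    subif: int                        # subinterface number, 1..65535
    vpi: int                          # 0..255, supplied by the carrier
    vci: int                          # 32..65535, unique on this ATM interface
    encapsulation: str = "aal5snap"   # the guide's default
    ip: Optional[str] = None          # "A.B.C.D/len"; None for PPPoE/PPPoA (address goes on the PPP interface)
    unnumbered: Optional[str] = None  # e.g. "loopback 1"


@dataclass
class AdslWan:
    slot: int                         # dl option module slot, 1 or 2
    annex: str                        # "A" (over POTS) or "B" (over ISDN)
    atm_number: int                   # logical ATM interface, 1..1024
    training_mode: str = "Multi-Mode"
    snr_margin: int = 4               # dB, 1..15
    bind_number: int = 1              # assumption: first argument of the bind command
    pvcs: List[Pvc] = field(default_factory=list)


def _check_range(name: str, value: int, lo: int, hi: int) -> None:
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}, got {value!r}")


def validate(wan: AdslWan) -> None:
    """Raise ValueError on any value the guide's syntax would not accept."""
    _check_range("slot", wan.slot, 1, 2)
    _check_range("atm_number", wan.atm_number, 1, 1024)
    _check_range("snr_margin", wan.snr_margin, 1, 15)
    if wan.annex not in ("A", "B"):
        raise ValueError("annex must be 'A' or 'B'")
    if wan.training_mode not in TRAINING_MODES:
        raise ValueError(f"unknown training mode {wan.training_mode!r}")
    if wan.annex == "B" and wan.training_mode not in ANNEX_B_MODES:
        raise ValueError(f"Annex B module does not support training-mode {wan.training_mode}")
    if len(wan.pvcs) > MAX_PVCS_PER_ATM:
        raise ValueError(f"at most {MAX_PVCS_PER_ATM} PVCs per ATM interface")
    seen_subif, seen_vci = set(), set()
    for p in wan.pvcs:
        _check_range("subinterface", p.subif, 1, 65535)
        _check_range("vpi", p.vpi, 0, 255)
        _check_range("vci", p.vci, 32, 65535)
        if p.subif in seen_subif or p.vci in seen_vci:
            raise ValueError(f"subinterface {p.subif} / VCI {p.vci} already used on atm {wan.atm_number}")
        seen_subif.add(p.subif)
        seen_vci.add(p.vci)
        if p.encapsulation not in ENCAPSULATIONS:
            raise ValueError(f"bad encapsulation {p.encapsulation!r}")
        if p.ip and p.unnumbered:
            raise ValueError("use either a static address or ip unnumbered, not both")
        if p.ip:
            ipaddress.ip_interface(p.ip)  # raises ValueError on a malformed address


def render(wan: AdslWan) -> List[str]:
    """Return the CLI lines in the order the guide walks through them."""
    validate(wan)
    lines = [
        f"interface adsl {wan.slot}/1",          # ADSL modules always use port 1
        " no shutdown",
        f" training-mode {wan.training_mode}",
        f" snr-margin {wan.snr_margin}",
        f"interface atm {wan.atm_number}",
        " no shutdown",
    ]
    for p in wan.pvcs:
        lines += [f"interface atm {wan.atm_number}.{p.subif}", " no shutdown",
                  f" pvc {p.vpi}/{p.vci}", f" encapsulation {p.encapsulation}"]
        if p.ip:
            addr = ipaddress.ip_interface(p.ip)
            # The guide requires a space between the address and the /prefix.
            lines.append(f" ip address {addr.ip} /{addr.network.prefixlen}")
        elif p.unnumbered:
            lines.append(f" ip unnumbered {p.unnumbered}")
    lines.append(f"bind {wan.bind_number} adsl {wan.slot}/1 atm {wan.atm_number}")
    return lines


if __name__ == "__main__":
    # Constructed sample: Annex A module in slot 1, PVC 0/33 with a static address.
    sample = AdslWan(slot=1, annex="A", atm_number=1, training_mode="ADSL2",
                     pvcs=[Pvc(subif=1, vpi=0, vci=33, ip="10.1.1.1/24")])
    print("\n".join(render(sample)))
```

Running the script prints the same sequence the guide builds up by hand; feeding it a VCI below 32, a second PVC reusing a VCI, or training-mode G.LITE with annex="B" raises ValueError instead of producing a configuration the router would reject or mistrain on.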
If you need to configure PPPoE for your ADSL connection, see “PPPoE Overview” on page 7-28. If you need to configure PPPoA for your ADSL connection, see “PPPoA Overview” on page 7-35.
Additional Settings
In addition to configuring the settings to enable and establish the ADSL connection, you can configure settings such as access controls on the ATM subinterfaces. Table 7-6 lists additional configurations that you can enter from the ATM interface and subinterface and the page number where you can find information about those configurations.
Table 7-6. Additional Configurations for the ATM Interface or Subinterface

Settings                                                  Applies to          Configuration Guide   Page
access controls to filter incoming and outgoing traffic   ATM subinterface    Advanced              5-18, 5-37
bridging                                                  ATM subinterface    Basic                 10-6
VPNs                                                      ATM subinterface    Advanced              8-46
routing commands for OSPF, RIP, or BGP                    ATM subinterface    Advanced              13-1
quality of service settings                               ATM interface       Advanced              7-28

PPPoE Overview
Your service provider may use PPPoE for several reasons:
■ Each host can use its own protocol stack, enabling each user to continue using a familiar interface.
■ The service provider can control access, track usage, provide services, and bill for usage on a per-user basis, rather than on a per-site basis.
■ The service provider can use PPP authentication to ensure that the hosts requesting access to network services are authorized to use those services.
If an individual user is using ADSL with PPPoE to connect from his or her home to the service provider, that user must load a PPPoE client on his or her workstation. For a company environment, the PPPoE client is frequently configured on the router establishing the ADSL connection. In this case, the users on the company’s LAN do not have to run a PPPoE client on their workstations.
To implement PPPoE, the service provider must set up an access concentrator, or access server. This access concentrator negotiates the PPPoE session with the client—which is, in this case, the ProCurve Secure Router. (See Figure 7-8.)
Figure 7-8. Access Concentrator for PPPoE Access
[Figure: the router at the customer's premises (LAN, router, splitter) connects over the local loop to the central office (splitter, DSLAM, other DSLAMs, broadband switch (ATM), access concentrator) and the regional broadband network. The router negotiates the PPPoE session with the access concentrator; the access concentrator negotiates the PPPoE session with the router.]
Two Phases for Establishing a PPPoE Session
To establish a PPPoE session, the client and the access concentrator must successfully complete two phases:
■ discovery phase
■ PPP session
Discovery Phase
During the discovery phase, the PPPoE client must find an access concentrator, obtain the access concentrator’s Ethernet MAC address, and learn the session ID that the access concentrator assigns this PPPoE session. If the PPPoE client fails to obtain any of this information, the discovery phase fails, and the PPPoE session is not established.
The PPPoE discovery phase includes four steps, as shown in Figure 7-9.
Figure 7-9. Discovery Stage for Negotiating a PPPoE Session
Step 1. The PPPoE client broadcasts a PPPoE Active Discovery Initiation (PADI) frame to locate the available access concentrators. This frame con-tains at least one service name tag, which specifies the service that the PPPoE client is requesting. As outlined in RFC 2516, the PADI frame (including the PPPoE header) cannot be larger than 1484 bytes.
Step 2. The available access concentrators that can provide the service (or services) specified in the PADI frame send a PPPoE Active Discovery Offer (PADO) frame to the Ethernet MAC address of the PPPoE client. This frame contains the name of the access concentrator and the service name tag that was included in the PADI frame from the PPPoE client. In addition, the PADO frame may include information about other services available from the access concentrator.
Step 3. If the PPPoE client receives a PADO frame from more than one access concentrator, it reviews the offers and selects one, based on either name or services offered. For example, the PPPoE client may be configured to accept the offer from a particular access concentrator. In this case, the client makes the selection based on access concentrator name. Alternatively, the PPPoE client may be configured to accept the offer based on the services offered.
After making the selection, the PPPoE client sends a unicast frame called a PPPoE Active Discovery Request (PADR) to the MAC address of the access concentrator it selected. This frame contains the service name tag of the service the PPPoE client is requesting.
[Figure 7-9, discovery stage between the router and the access concentrator: 1. the PPPoE client broadcasts a PADI (initiation) frame; 2. the access concentrator sends a PADO (offer) frame; 3. the PPPoE client sends a PADR (request) frame; 4. the access concentrator sends a PADS (confirmation) frame. Goal: learn the session ID and the peer’s Ethernet MAC address. If negotiation is successful, the PPP session begins.]
Step 4. When the access concentrator receives the PADR frame, it checks the service name tag. If it accepts the service name tag, the access concentrator generates a unique session ID. It includes this ID and the service name tag in a PPPoE Active Discovery Session-confirmation (PADS) frame and sends this frame to the PPPoE client.
If the access concentrator rejects the service name tag included in the PADR, it sends a PADS frame that includes a service-name error tag and a session ID of 0x0000. This signals to the PPPoE client that the access concentrator cannot provide that service.
PPP Session
After the PPPoE client receives the PADS frame, the PPP session begins, and the two devices begin exchanging frames in the customary sequence for PPP. The devices exchange the PPP frames in the order shown in Figure 7-10.
Figure 7-10. Establishing a PPP Session
Step 1. The devices exchange link control protocol (LCP) frames to establish, configure, and control the link.
Step 2. If the devices are configured for authentication, they use one of the following protocols to verify that they are establishing a session with the correct PPP peer: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP). Exchanging authentication frames is optional.
The ProCurve Secure Router supports PAP and CHAP. For more information about configuring PPP authentication on the ProCurve Secure Router, see “PPP Authentication” on page 6-71 in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
[Figure 7-10, PPP session between the router and the access concentrator: 1. link establishment (LCP); 2. authentication, optional (PAP, CHAP, or EAP); 3. negotiation of network layer protocols (NCP: IPCP, BCP, IPXCP, and so on); 4. session established (PPP).]
Step 3. The devices use network control protocol (NCP) frames to enable the exchange of Network Layer protocols, such as IP, across the link.
Step 4. The devices use PPP frames to transmit the actual data.
(For more information about establishing a PPP session, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.)
During the process of establishing a PPP session, the devices will also nego-tiate the maximum receive unit (MRU) size. For PPPoE, the negotiated MRU cannot be larger than 1492 bytes because Ethernet has a maximum payload size of 1500 bytes. The PPPoE header is 6 bytes, and the PPP protocol ID is 2 bytes. With this overhead of 8 bytes, the PPP MTU cannot be larger than 1492 bytes.
Creating the PPP Interface
To configure PPPoE, you first configure the ADSL interface, the ATM interface, and the ATM subinterface. (These instructions begin with “Configuring the ADSL Interface: the Physical Layer” on page 7-12.) When configuring the ATM subinterface, you must set the encapsulation to aal5snap or aal5mux ppp, as shown below:
Syntax: encapsulation aal5snap
or
Syntax: encapsulation aal5mux [ip | ppp]
Your service provider should tell you which encapsulation to use.
Setting the encapsulation type configures the ATM adaptation layer (which is called Layer 2-1). When you use PPPoE, you must also configure the ATM point-to-point layer (which is called Layer 2-2). To configure this layer, you create a PPP interface and then bind this interface to the ATM subinterface.
To create a PPP interface, move to the global configuration mode context and enter:
Syntax: interface <interface> <number>
Replace <interface> with ppp and replace <number> with a number to distinguish this PPP interface from other PPP interfaces created on the router.
Assigning an IP Address
Because you are configuring a PPP interface on top of the ATM subinterface, the PPP interface handles the IP address. Rather than configuring an IP address on the ATM subinterface, you configure the IP address on the PPP interface.
You can configure a static IP address, or you can configure the PPP interface to negotiate an IP address from the service provider’s access concentrator. To assign the PPP interface a static IP address, enter the following command from the PPP interface configuration mode context:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
Replace <A.B.C.D> with the IP address. To specify a subnet mask, replace <subnet mask> with the subnet mask or replace </prefix length> with the CIDR notation.
To configure the PPP interface to negotiate an IP address, enter:
Syntax: ip address negotiated
If you need to configure authentication protocols for the connection, see “PPP Authentication” on page 6-71 of Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
Binding the ATM Subinterface to the PPP Interface
To finish defining the point-to-point layer for the ADSL connection, you must bind the ATM subinterface to the PPP interface. Enter the following command from either the global configuration mode context or the PPP interface configuration mode context:
Syntax: bind <bind number> atm <interface number.subinterface number> ppp <interface number> pppoe-client
Replace <bind number> with a bind number that you have not yet used on the ProCurve Secure Router. Enter the interface numbers for the ATM subinterface and PPP interface that you want to bind together. Include the pppoe-client option to enable the PPPoE client to establish a PPPoE session with the service provider’s access concentrator.
You can enter the show running-config command from the enable mode context to ensure that you have entered the two bind commands that are required for an ADSL connection that uses PPPoE. Figure 7-11 shows a sample running-config for an ADSL interface, ATM interface, ATM subinterface, and PPP interface.
Figure 7-11. Using the show running-config Command to Check the Two bind Commands Required for PPPoE
Identifying the Access Concentrator
You can configure the name of the access concentrator with which the Secure Router OS should establish a PPPoE session. Your service provider may ask you to configure this setting if there are multiple access concentrators and the service provider wants you to establish a connection with a particular one. You may also want to configure this option to ensure that the ProCurve Secure Router establishes a PPPoE session only with your service provider’s access concentrator. Note that the AC-Name tag is carried in clear text and nothing in the discovery stage is authenticated: this setting selects which offer the router accepts, but only PPP authentication (see Step 2 of the PPP session above) verifies that the peer really is your service provider.
From the PPP interface configuration mode context, enter:
Syntax: pppoe ac-name <name>
Replace <name> with a text string of up to 255 characters that corresponds to the AC-Name Tag as defined in RFC 2516. The AC value may be a combination of trademark, model, and serial ID information (or simply the MAC address of the access concentrator).
Figure 7-11 running-config:

    interface adsl 2/1
     snr-margin 6
     no shutdown
    !
    interface atm 1 point-to-point
     no shutdown
     bind 3 adsl 2/1 atm 1               (binds the ADSL interface to the ATM interface)
    !
    interface atm 1.1 point-to-point
     no shutdown
     pvc 0/35
    !
    interface ppp 3
     ip address 10.1.1.1 255.255.255.252
     no shutdown
     bind 4 atm 1.1 ppp 3 pppoe-client   (binds the ATM subinterface to the PPP interface)
If you do not include this field, any access concentrator is acceptable. By default, no access concentrator is specified.
Identifying PPPoE Services
You can also control which PPPoE session offer the Secure Router OS accepts by specifying the PPPoE services that are required. From the PPP interface configuration mode context, enter:
Syntax: pppoe service-name <name>
Replace <name> with a text string of up to 255 characters that identifies the service-name tags outlined in RFC 2516. If you need to configure the Secure Router OS to select an access concentrator by service name, your service provider will give you the service name to enter.
By default, no service names are specified.
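The discovery exchange described in Steps 1 through 4 of the PPPoE overview, together with the acceptance rules that pppoe ac-name and pppoe service-name impose, as an added example (this is not Secure Router OS code, and the access concentrator names, the AC-Cookie value and the sample frames are constructed): the client builds a PADI within the RFC 2516 size limit, accepts a PADO only if it matches every configured filter, echoes the access concentrator’s cookie in the PADR, and treats a PADS carrying session ID 0x0000 or an error tag as a refusal. Only the PPPoE payload is modelled; the Ethernet header (EtherType 0x8863, peer MAC address) is left to the caller.

```python
"""PPPoE discovery (RFC 2516) from the client's side: build a PADI, apply the
ac-name / service-name filters to PADO offers, build the PADR, and interpret
the PADS. Added example, not Secure Router OS code; the access concentrator
names, cookie and frames below are constructed."""
import struct

PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65        # discovery codes
TAG_END_OF_LIST, TAG_SERVICE_NAME = 0x0000, 0x0101
TAG_AC_NAME, TAG_AC_COOKIE = 0x0102, 0x0104
TAG_SERVICE_NAME_ERROR, TAG_AC_SYSTEM_ERROR = 0x0201, 0x0202
VER_TYPE = 0x11              # version 1, type 1
MAX_PADI_LEN = 1484          # RFC 2516: whole PADI including the 6-byte header


def build_discovery(code, session_id, tags):
    """6-byte PPPoE header (ver/type, code, session id, length) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def parse_discovery(frame):
    """Return (code, session_id, [(tag_type, value), ...]); strict on lengths."""
    if len(frame) < 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE ver/type 0x%02x" % ver_type)
    body = frame[6:6 + length]
    if len(body) != length:
        raise ValueError("payload length field exceeds frame")
    tags, off = [], 0
    while off + 4 <= len(body):
        t, l = struct.unpack("!HH", body[off:off + 4])
        if t == TAG_END_OF_LIST:
            break
        value = body[off + 4:off + 4 + l]
        if len(value) != l:
            raise ValueError("truncated tag 0x%04x" % t)
        tags.append((t, value))
        off += 4 + l
    return code, session_id, tags


def build_padi(service_name=b""):
    """Step 1: broadcast PADI carrying the requested Service-Name."""
    frame = build_discovery(PADI, 0x0000, [(TAG_SERVICE_NAME, service_name)])
    if len(frame) > MAX_PADI_LEN:
        raise ValueError("PADI exceeds %d bytes" % MAX_PADI_LEN)
    return frame


def acceptable_offer(pado, ac_name=None, service_name=None):
    """Step 3 selection, mirroring `pppoe ac-name` and `pppoe service-name`:
    every configured filter must match; an unset filter accepts anything."""
    code, _sid, tags = parse_discovery(pado)
    if code != PADO:
        return False
    offered_ac = dict(tags).get(TAG_AC_NAME)
    offered_services = [v for t, v in tags if t == TAG_SERVICE_NAME]
    if ac_name is not None and offered_ac != ac_name:
        return False
    if service_name is not None and service_name not in offered_services:
        return False
    return True


def build_padr(pado, service_name):
    """Step 3 request: the chosen Service-Name plus any AC-Cookie from the
    PADO echoed back unchanged, as RFC 2516 requires."""
    _code, _sid, tags = parse_discovery(pado)
    out = [(TAG_SERVICE_NAME, service_name)]
    out += [(t, v) for t, v in tags if t == TAG_AC_COOKIE]
    return build_discovery(PADR, 0x0000, out)


def interpret_pads(pads):
    """Step 4: ('ok', session_id), or ('error', reason) when the AC answered
    with session ID 0x0000 and/or a Service-Name-Error / AC-System-Error tag."""
    code, sid, tags = parse_discovery(pads)
    if code != PADS:
        return ("error", "expected PADS, got code 0x%02x" % code)
    td = dict(tags)
    if sid == 0x0000 or TAG_SERVICE_NAME_ERROR in td or TAG_AC_SYSTEM_ERROR in td:
        reason = td.get(TAG_SERVICE_NAME_ERROR) or td.get(TAG_AC_SYSTEM_ERROR) or b""
        return ("error", reason.decode("utf-8", "replace") or "session ID 0x0000")
    return ("ok", sid)


# Constructed sample frames (assumed names, not captured from a real DSLAM).
OFFER_GOOD = build_discovery(PADO, 0, [(TAG_AC_NAME, b"ac-sample-1"),
                                       (TAG_SERVICE_NAME, b""),
                                       (TAG_SERVICE_NAME, b"internet"),
                                       (TAG_AC_COOKIE, b"\xde\xad\xbe\xef")])
OFFER_OTHER = build_discovery(PADO, 0, [(TAG_AC_NAME, b"ac-sample-2"),
                                        (TAG_SERVICE_NAME, b"")])
CONFIRM_OK = build_discovery(PADS, 0x1234, [(TAG_SERVICE_NAME, b"internet")])
CONFIRM_REFUSED = build_discovery(PADS, 0x0000, [(TAG_SERVICE_NAME, b"voip"),
                                                 (TAG_SERVICE_NAME_ERROR, b"no such service")])

if __name__ == "__main__":
    for offer in (OFFER_GOOD, OFFER_OTHER):
        print(acceptable_offer(offer, ac_name=b"ac-sample-1", service_name=b"internet"))
    print(interpret_pads(CONFIRM_OK), interpret_pads(CONFIRM_REFUSED))
```

With both filters set, only OFFER_GOOD is accepted; with no filters, any PADO is, which is the router’s default behaviour. CONFIRM_REFUSED reproduces the rejection case in Step 4: session ID 0x0000 plus a Service-Name-Error tag, so the client must not start PPP on it.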
PPPoA Overview
Like PPPoE, PPPoA provides several advantages to service providers, including the following:
■ Service providers can control access, track usage, provide services, and bill for usage on a per-user basis, rather than on a per-site basis.
■ Service providers can use PPP authentication to ensure that the hosts requesting access to network services are authorized to use those services.
■ Service providers can build a scalable infrastructure because they can terminate a large number of PPP sessions through one access concentrator.
After the ADSL physical connection is established, the router will try to establish a PPP connection with an access concentrator on the other side of the DSLAM. The two devices will begin exchanging frames in the customary sequence for PPP.
PPP peers exchange PPP frames in the order shown in Figure 7-12.
Figure 7-12. Establishing a PPP Session
Step One. The devices exchange link control protocol (LCP) frames to establish, configure, and control the link.
Step Two. If the devices are configured for authentication, they use one of the following protocols to verify that they establish the PPP session with the correct peer: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP). Exchanging authentication frames is optional.
The ProCurve Secure Router supports PAP and CHAP. For more information about configuring PPP authentication on the ProCurve Secure Router, see “PPP Authentication” on page 6-71 in Chapter 6: Configuring the Data Link
Layer Protocol for E1, T1, and Serial Interfaces.
Step Three. The devices use network control protocol (NCP) frames to enable the exchange of Network Layer protocols, such as IP, across the link.
Step Four. The devices use PPP frames to transmit the actual data.
(For more information about establishing a PPP session, see Chapter 6:
Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.)
[Figure 7-12, PPP session between the router and the access concentrator: 1. link establishment (LCP); 2. authentication, optional (PAP, CHAP, or EAP); 3. negotiation of network layer protocols (NCP: IPCP, BCP, IPXCP, and so on); 4. session established (PPP).]
Creating the PPP Interface
To configure PPPoA, you configure the ADSL interface, the ATM interface, and the ATM subinterface. (These instructions begin with “Configuring the ADSL Interface: the Physical Layer” on page 7-12.) When configuring the ATM subinterface, you must set the encapsulation to aal5snap or aal5mux ppp, as shown below:
Syntax: encapsulation aal5snap
or
Syntax: encapsulation aal5mux [ip | ppp]
Your service provider should tell you which encapsulation to use.
The encapsulation setting configures the ATM adaptation layer (which is called Layer 2-1). When you use PPPoA, you must also configure the ATM point-to-point layer (which is called Layer 2-2). To configure this layer, you create a PPP interface and then bind this interface to the ATM subinterface.
To create a PPP interface, move to the global configuration mode context and enter:
Syntax: interface <interface> <number>
Replace <interface> with ppp and replace <number> with a number to distinguish this PPP interface from other PPP interfaces on the router.
Assigning an IP Address
Because you are configuring a PPP interface on top of the ATM subinterface, the PPP interface handles the IP address. Rather than configuring an IP address on the ATM subinterface, you configure the IP address on the PPP interface.
You can configure a static IP address, or you can configure the PPP interface to negotiate an IP address from the service provider’s access concentrator.
To assign the PPP interface a static IP address, enter the following command from the PPP interface configuration mode context:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
To configure the PPP interface to negotiate an IP address, enter:
Syntax: ip address negotiated
If you need to configure authentication protocols for the connection, see “PPP Authentication” on page 6-71 in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
Binding the ATM Subinterface to the PPP Interface
To finish defining the point-to-point layer for the ADSL connection, you must bind the ATM subinterface to the PPP interface. Enter the following command from either the global configuration mode context or the PPP interface configuration mode context:
Syntax: bind <bind number> atm <number.subinterface number> ppp <number>
Replace <bind number> with a bind number that you have not yet used on the ProCurve Secure Router. Enter the interface numbers for the ATM sub-interface and PPP interface that you want to bind together.
You can enter the show running-config command from the enable mode context to ensure that you have entered the two bind commands that are required for an ADSL connection that uses PPPoA. Figure 7-13 shows a section of the running-config relating to an ADSL interface, ATM interface, ATM subinterface, and PPP interface.
Figure 7-13. Using the show running-config Command to Check the Two bind Commands Required for PPPoA
Figure 7-13 running-config:

    interface adsl 2/1
     snr-margin 5
     no shutdown
    !
    interface atm 1 point-to-point
     no shutdown
     bind 1 adsl 2/1 atm 1       (binds the ADSL interface to the ATM interface)
    !
    interface atm 1.1 point-to-point
     no shutdown
     pvc 0/33
    !
    interface ppp 1
     ip address 10.1.1.1 255.255.255.252
     no shutdown
     bind 2 atm 1.1 ppp 1        (binds the ATM subinterface to the PPP interface)
Routed Bridged Encapsulation
Some DSLAMs use routed bridged encapsulation (RBE) to route IP over bridged Ethernet traffic. RBE is sometimes referred to as “half bridging,” because it provides some of the advantages of bridging combined with some of the advantages of routing.
With RBE, the ADSL service provider uses an aggregation device to establish a bridge with the customer’s ADSL modem—in this case, the ProCurve Secure Router. (See Figure 7-14.) With RBE, however, the router forwards packets based on the Layer 3, or IP, header. In a pure bridging environment, the router would use the Layer 2 header to forward packets.
When a device sends a packet that must be transmitted on the ATM subinterface, the router disregards the Layer 2 header and uses the Layer 3 header to forward the packet. Likewise, when packets are received on the ATM subinterface, the ProCurve Secure Router examines the IP header. It then consults its internal tables and identifies the MAC address associated with that IP address and places that MAC address in the Layer 2 frame. If the ProCurve Secure Router does not know the MAC address, it sends an Address Resolution Protocol (ARP) frame to request that information.
ADSL service providers use RBE because it minimizes the configuration required at the customer’s premises. It also provides better security than pure bridging environments because each customer’s ADSL device establishes a point-to-point connection with the service provider’s aggregation device. This point-to-point connection also eliminates broadcast storms that are typical in pure bridging environments.
Figure 7-14. RBE Environment
To configure RBE, complete the steps for configuring the ADSL interfaces as explained in “Configuring the ADSL Interface: the Physical Layer” on page 7-12. Then configure the ATM interface as explained in “Configuring the Data Link Layer for the ADSL Connection” on page 7-17 and configure the ATM subinterface as described in “Configuring a Subinterface for each PVC” on page 7-18.
When you configure the ATM subinterface, you must enter an additional command. From the ATM subinterface configuration mode context, enter:
ProCurve(config-atm 1.1)# atm routed-bridged ip
Figure 7-15 shows the running-config for an ADSL connection that is using RBE.
Figure 7-15. Running-config for an ADSL Connection That Is Using RBE
[Figure 7-14 diagram: the service provider’s aggregation device at the central office, behind the DSLAM and the broadband (ATM) switch, establishes an Ethernet bridge across the local loop with the ProCurve Secure Router on the customer’s premises LAN.]

Figure 7-15 running-config (RBE is configured on the ATM subinterface):

    interface adsl 2/1
     snr-margin 6
     training-mode G.DMT
     no shutdown
    !
    interface atm 1 point-to-point
     no shutdown
     bind 2 adsl 2/1 atm 1
    !
    interface atm 1.1 point-to-point
     no shutdown
     pvc 0/33
     encapsulation aal5snap
     atm routed-bridged ip
     ip address 10.1.1.1 255.255.255.252
     bandwidth 896
Viewing the Status and Configuration of Interfaces
You can view information about all of the interfaces that are used to create the ADSL connection.
Viewing the Status of the ADSL Interface
To view the status of the ADSL interface, enter:
Syntax: show interfaces adsl <slot>/<port>
Replace <slot> with the slot where the ADSL interface is installed, and replace <port> with 1.
Figure 7-16 shows the output from this command for a sample network if the ADSL connection is up. The first line of the display reports the status of the ADSL interface and the line protocol—the logical interface to which you have bound the ADSL interface.
Figure 7-16. show interfaces adsl Command
The “Link Status” indicates the training mode standard. If the ADSL interface has established the Physical Layer, the “Line Type” and “Line Length” fields will be populated with information about that particular ADSL connection. In Figure 7-16, for example, the “Line Type” is Fast, and the “Line Length” is 933 feet.
    adsl 2/1 is UP, line protocol is UP          (status of the physical and logical interface)
      Link Status                 Up G.DMT        (training mode used)
      Line Type                   Fast
      Line Length                 933 ft
                                  Downstream      Upstream
      Line Rate                   8128 kbps       896 kbps    (actual downstream and upstream rates)
      Current margin              10.0 dB         8.0 dB      (margin and attenuation: indicators of line condition)
      Attenuation                 1.0 dB          0.0 dB
      Power                       0 dBm           12 dBm
      Prev Rate                   0 kbps          0 kbps
      Actual Delay                0 msecs         0 msecs
      Loss of Framing Seconds     0               0           (watch for steadily incrementing losses or errors)
      Loss of Signal Seconds      0               0
      Loss of Power Seconds       0               0
      Errored Seconds             0               0
      Line Inits                  1               N/A
      Rx Blocks                   7443            7443
      Tx Blocks                   7443            7443
      Corrected Blocks            0               0
      UncorrectedBlocks           0               0
      Last Failure                NONE
      Last Failure Time           N/A

      DMT Bits Per Bin
      000: 0 0 0 0 0 0 0 A B B C C B B B B
      010: A A A B B B B B A A A 9 9 8 7 0
      020: 0 2 4 5 7 7 8 9 9 A A A B B B B
      030: C B C C C C C C C C C C C B B B
      040: 0 B B B B B B B B B B B B B B B
      050: B B B B B B B B B B B B B B B B
      060: B B B B B B B B B A A A A A A A
      070: A A A A A A A A A A A A A A A A
      080: A A A A A A A A A A A A A A A A
      090: A A A A A A 9 9 9 9 9 9 9 9 9 9
      0A0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
      0B0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
      0C0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
      0D0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
      0E0: 9 9 8 9 9 8 9 9 9 9 9 9 9 9 9 9
      0F0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
Next, the output from the show interfaces adsl command displays the downstream and upstream transmission rates for the connection. This section of the output also reports the attenuation on the line and any framing, signaling, and power losses, as well as error seconds.
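The “watch for steadily incrementing losses or errors” advice in Figure 7-16 only pays off if someone actually compares two readings, so here is an added example (not Secure Router OS code) that parses two captures of show interfaces adsl output, reports every loss or error counter that moved between them, and flags a margin that has dropped below the configured snr-margin. The two samples are constructed to resemble Figure 7-16, not captured from a router, and the assumed workflow is that a poller saves the command output to a file each interval.

```python
"""Poll-and-diff check over `show interfaces adsl` output: flag error counters
that are incrementing between two samples and an SNR margin that has fallen
below the configured snr-margin. Added example, not Secure Router OS code;
the SAMPLE_* texts are constructed to resemble Figure 7-16, not captured."""
import re

# Counters the manual says to watch for steady increments.
ERROR_COUNTERS = ("Loss of Framing Seconds", "Loss of Signal Seconds",
                  "Loss of Power Seconds", "Errored Seconds",
                  "Corrected Blocks", "UncorrectedBlocks")

_STATUS = re.compile(r"^\s*adsl\s+(\S+)\s+is\s+(\w+),\s*line protocol is\s+(\w+)", re.M)
# A two-column row: "<name> <downstream>[unit] <upstream|N/A>[unit]".
_ROW = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s+(?P<down>\d+(?:\.\d+)?)(?:\s*(?:kbps|dBm|dB|msecs))?"
    r"\s+(?P<up>\d+(?:\.\d+)?|N/A)(?:\s*(?:kbps|dBm|dB|msecs))?\s*$")


def parse_show_adsl(text):
    """Return {'interface', 'link', 'protocol', 'rows': {name: (down, up)}};
    'up' is None where the router prints N/A (for example Line Inits)."""
    m = _STATUS.search(text)
    if not m:
        raise ValueError("no 'adsl x/y is ..., line protocol is ...' status line")
    rows = {}
    for line in text.splitlines():
        r = _ROW.match(line)
        if r:
            up = None if r.group("up") == "N/A" else float(r.group("up"))
            rows[r.group("name").strip()] = (float(r.group("down")), up)
    return {"interface": m.group(1), "link": m.group(2).upper(),
            "protocol": m.group(3).upper(), "rows": rows}


def check_adsl(prev, curr, snr_margin_db):
    """Compare two parsed samples and return a list of findings (empty = healthy)."""
    findings = []
    if curr["link"] != "UP" or curr["protocol"] != "UP":
        findings.append("adsl %s is %s, line protocol is %s"
                        % (curr["interface"], curr["link"], curr["protocol"]))
    for name in ERROR_COUNTERS:
        if name not in prev["rows"] or name not in curr["rows"]:
            continue
        for idx, direction in enumerate(("downstream", "upstream")):
            before, after = prev["rows"][name][idx], curr["rows"][name][idx]
            if before is not None and after is not None and after > before:
                findings.append("%s %s +%d" % (name, direction, after - before))
    margin = curr["rows"].get("Current margin")
    if margin:
        for idx, direction in enumerate(("downstream", "upstream")):
            if margin[idx] is not None and margin[idx] < snr_margin_db:
                findings.append("Current margin %s %.1f dB below snr-margin %d dB"
                                % (direction, margin[idx], snr_margin_db))
    return findings


# Constructed samples: a healthy reading, a later reading with errors, a down line.
SAMPLE_T0 = """\
adsl 2/1 is UP, line protocol is UP
  Link Status                 Up G.DMT
  Line Type                   Fast
  Line Length                 933 ft
                              Downstream   Upstream
  Line Rate                   8128 kbps    896 kbps
  Current margin              10.0 dB      8.0 dB
  Attenuation                 1.0 dB       0.0 dB
  Power                       0 dBm        12 dBm
  Loss of Framing Seconds     0            0
  Loss of Signal Seconds      0            0
  Loss of Power Seconds       0            0
  Errored Seconds             0            0
  Line Inits                  1            N/A
  Rx Blocks                   7443         7443
  Corrected Blocks            0            0
  UncorrectedBlocks           0            0
"""
SAMPLE_T1 = SAMPLE_T0.replace("10.0 dB      8.0 dB", "5.0 dB       8.0 dB") \
                     .replace("Loss of Framing Seconds     0 ", "Loss of Framing Seconds     5 ") \
                     .replace("Errored Seconds             0 ", "Errored Seconds             3 ") \
                     .replace("UncorrectedBlocks           0 ", "UncorrectedBlocks           12") \
                     .replace("7443         7443", "9001         9001")
SAMPLE_DOWN = """\
adsl 2/1 is DOWN, line protocol is DOWN
  Current margin              0.0 dB       0.0 dB
  Errored Seconds             0            0
"""

if __name__ == "__main__":
    t0, t1 = parse_show_adsl(SAMPLE_T0), parse_show_adsl(SAMPLE_T1)
    for f in check_adsl(t0, t1, snr_margin_db=6):
        print(f)
```

Run against SAMPLE_T0 and SAMPLE_T1 with snr-margin 6, the check reports the framing-loss, errored-second and uncorrected-block increments and the 5.0 dB downstream margin; the same two readings with nothing moving return an empty list, which is the condition a poller should treat as healthy.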
To view the commands that have been entered to configure the ADSL inter-face, use the following enable mode command:
Syntax: show running-config interface adsl <slot>/<port>
For example, if the ADSL interface is in slot two, port one, enter:
ProCurve# show running-config interface adsl 2/1
This command displays the running-config for just the ADSL 2/1 interface. In the configuration shown in Figure 7-17, only two commands were entered: the snr-margin and the no shutdown commands. For this network, the default setting for training-mode was used.
Figure 7-17. show running-config interface adsl Command
The output from the show running-config interface adsl command will not include default settings that were not entered manually from the CLI or configured through the Web browser interface. To view all the settings for an ADSL interface—those entered manually and the default settings—include the verbose option, as shown below:
Syntax: show running-config interface adsl <slot>/<port> verbose
For example, to view all the settings for the ADSL 2/1 interface, enter:
ProCurve# show running-config interface adsl 2/1 verbose
Figure 7-18 shows the verbose output for the same interface shown in Figure 7-17.
    interface adsl 2/1
     snr-margin 5
     no shutdown

(Displays the commands entered for this interface.)
Figure 7-18. show running-config interface adsl verbose Command
Viewing the Status of the ATM Interface and Subinterface
To view the status of the ATM interface, enter the following command from the enable mode context:
Syntax: show interfaces atm <number>
Replace <number> with the unique number that you assigned the ATM interface. For the ATM 1 interface, enter:
ProCurve# show interfaces atm 1
Figure 7-19 shows the output from this command for a sample network. As you can see, this command displays the status of the interface and the number of virtual circuits active on the interface.
Figure 7-19. show interfaces atm Command
To view the status of the ATM subinterface, enter the following command from the enable mode context:
Syntax: show interfaces atm <number.subinterface number>
Figure 7-18 output (displays all the settings for the interface, including defaults):

    interface adsl 2/1
     description ""
     alias ""
     snr-margin 5
     training-mode Multi-Mode
     no shutdown

Figure 7-19 output:

    atm 1 is UP, line protocol is UP                       (interface is up)
      BW 896 Kbit/s
      16 maximum active VCCs, 16 VCCs per VP, 1 current VCCs (number of virtual circuits)
      Queueing strategy: Per VC Queueing
      5 minute input rate 58120 bits/sec, 0 packets/sec
      5 minute output rate 58200 bits/sec, 0 packets/sec
      10007 packets input, 2520900 bytes
      0 pkts discarded, 0 error pkts, 0 unknown protocol pkts
      60024 cells received, 0 OAM cells received
      10062 packets output, 2524900 bytes
      0 tx pkts discarded, 0 tx error pkts
      60123 cells sent, 0 OAM cells sent
Replace <number.subinterface number> with the unique number and subinterface number that you assigned the ATM interface. For the ATM 1.1 subinterface, enter:
ProCurve# show interfaces atm 1.1
Figure 7-20 shows the output from this command for a sample network. As you can see, this command displays the status of the interface and settings such as the ATM encapsulation, the IP address, and the MTU size. The interface shown in Figure 7-20 is configured to use RBE.
Figure 7-20. show interface atm Command for the Subinterface
To view the configuration settings entered for the ATM interface or subinter-face, enter the appropriate command from the enable mode context:
Syntax: show running-config interface atm <number> [verbose]
or
Syntax: show running-config interface atm <number.subinterface number> [verbose]
To view all of the configuration settings for the ATM interface or subinterface, include the verbose option at the end of these commands.
    atm 1.1 is Active                                      (interface is up)
      ATM Routed Bridge Encapsulation: IP                  (interface is configured for RBE)
      Ip address is 192.168.1.20, mask is 255.255.255.0
      MTU is 1500 bytes
      Encapsulation is AAL5                                (ATM encapsulation)
      Encapsulation method is SNAP
      VC tx ring limit: 2
      Output Queue: 0/1/200/0 (size/highest/max total/drops)
      10007 packets input, 2881152 bytes
      10066 packets output, 2886240 bytes
      60024 cells input, 60130 cells output
      0 OAM cells input, 0 OAM cells output
      AAL5 CRC errors : 0
      AAL5 SAR Timeouts : 0
      AAL5 Oversized SDUs : 0
      AAL5 length violations : 0
Troubleshooting the ADSL Connection
When troubleshooting WAN connections, you should try to isolate the problem and determine if the problem is occurring on the physical interface or the logical interface. With an ADSL WAN connection, you should begin troubleshooting the ADSL interface.
Troubleshooting the ADSL Interface
Your first tool in troubleshooting is always the show command. To troubleshoot the ADSL interface, enter the following command from the enable mode context:
Syntax: show interfaces adsl <slot>/<port>
Replace <slot> with the slot where the ADSL interface is installed, and replace <port> with 1.
If the status of the physical interface is administratively down, you should activate it by entering no shutdown from the ADSL interface configuration mode context. If the physical interface is down, you must fix a problem on the Physical Layer level.
Identifying the Problem
You should first check the ADSL configurations. The interface readout indicates the training-mode standard next to “Link Status.” Verify that this standard matches that used by your service provider. If you have configured the interface to use a different training mode than that used by the service provider, the physical connection cannot be established.
In Figure 7-21, for example, the show interfaces adsl command shows that the Physical Layer and the Data Link Layer are down. In this case, the training mode set on the router did not match the training mode set on the DSLAM. The “Training” setting was reported as unknown.
Figure 7-21. show interfaces adsl Command
If the signal attenuation is high, you may want to adjust the SNR margin setting. The interface may have shut itself down because the line could not support the SNR margin at the limit you set. You may want to increase the SNR margin and see if the ADSL interface can establish and maintain the connection over time.
If the ADSL configuration settings appear to be correct, you should check the physical links for disconnected or bad cables. If you have another UTP ribbon cable, try using it to connect the ADSL interface to the wall jack.
debug interface adsl events Command
In addition to viewing information about the ADSL interface, you can view events related to the ADSL connection in real time. From the enable mode context, enter:
Syntax: debug interface adsl events
    adsl 2/1 is DOWN, line protocol is DOWN
      Link Status                 Training UNKNOWN   (the training mode does not match the training mode used by the DSLAM)
      Line Type
      Line Length                 0 ft
                                  Downstream      Upstream
      Line Rate                   0 kbps          0 kbps
      Current margin              0.0 dB          0.0 dB
      Attenuation                 0.0 dB          0.0 dB
      Power                       0.0 dB          0.0 dB
      Prev Rate                   0 kbps          0 kbps
      Actual Delay                0 msecs         0 msecs
      Loss of Framing Seconds     0               0
      Loss of Signal Seconds      0               0
      Loss of Power Seconds       0               0
      Errored Seconds             0               0
      Line Inits                  0               N/A
      Rx Blocks                   0               0
      Tx Blocks                   0               0
      Corrected Blocks            0               0
      UncorrectedBlocks           0               0
      Last Failure                NONE
      Last Failure Time           N/A

      DMT Bits Per Bin
      000:
Figure 7-22 shows the debug commands for a connection that was established successfully.
Figure 7-22. Debug Output When a Connection Was Established Successfully
You can use the debug information to pinpoint when and why the line goes down.
Note: Debug commands are bandwidth intensive.
To turn off debugging, enter:
Syntax: no debug interface adsl events
Troubleshooting the ATM Interface
If the physical interface is up but the line protocol is down, you will need to troubleshoot the logical interface. Use the show interfaces atm command to examine the status and configuration of the ATM interface. From the enable mode context, enter:
Syntax: show interfaces atm <number>
    2005.08.09 19:02:40 ADSL.EVENTS Current DSL state: ATU_RIDLE
    2005.08.09 19:02:40 INTERFACE_STATUS.adsl 2/1 changed state to down
    2005.08.09 19:02:54 ADSL.EVENTS Current DSL state: GDMT_NEGO        (negotiating to use the G.DMT training mode)
    2005.08.09 19:02:54 ADSL.EVENTS Current DSL state: GDMT_ACKX
    2005.08.09 19:02:55 ADSL.EVENTS Current DSL state: ATU_RECT
    2005.08.09 19:02:57 ADSL.EVENTS Current DSL state: ATU_RSEGUE1
    2005.08.09 19:03:01 ADSL.EVENTS Current DSL state: ATU_RMSGS1
    2005.08.09 19:03:01 ADSL.EVENTS Current DSL state: ATU_RRATES2
    2005.08.09 19:03:01 ADSL.EVENTS Current DSL state: ATU_RREVERB5
    2005.08.09 19:03:02 ADSL.EVENTS Current DSL state: ATU_RSHOWTIME
    2005.08.09 19:03:02 INTERFACE_STATUS.adsl 2/1 changed state to up    (connection is established)
The output from this command shows the status of the logical interface as well as the information shown in Table 7-7.
Table 7-7. Information Displayed by the show interfaces atm Command
The readout also displays the number of frames received and discarded, and it lists errors. Check the number of OAM cells sent to look for problems in the end-to-end ATM connection.
Troubleshooting the ATM Subinterface
From the enable mode context, enter the appropriate show interfaces command to troubleshoot specific ATM sublinks:
Syntax: show interfaces atm <number.subinterface number>
Examine the subinterface for problems across a particular connection. For example, a subinterface can be Active or Inactive, depending on whether this virtual end-to-end link is currently active. An inactive ATM connection can be caused by a failed ADSL line (in which case, you would need to resolve Physical Layer problems), by a misconfigured VPI/VCI, or by a problem at the remote endpoint.
You can view information such as the encapsulation method (MUX for multi-plexed circuits or SNAP for circuits that use LLC/SNAP protocol). You can also view output queues and bytes in and out. Check OAM cells to diagnose problems with the end-to-end connection.
debug atm oam Command
You can use the debug atm oam command to display OAM frames for a PVC, identified by an ATM virtual circuit descriptor (VCD).
    Information                    Meaning
    <number> maximum active VCCs   the maximum number of virtual channels, or connection paths, this interface can carry over the bandwidth allocated to it
    <number> VCCs per VP           how many of these channels can be linked through a single virtual path
    <number> current VCCs          how many virtual circuits are currently established on this interface
Syntax: debug atm oam <interface number.subinterface number> [loopback {end-to-end | segment} {<LLID>}]
Replace <interface number.subinterface number> with the subinterface ID for the PVC. This command displays the OAM frames for a specific PVC.
Include the loopback option to configure an OAM loopback. You have two choices when configuring a loopback: end-to-end or segment.
You can optionally replace <LLID> with a 16-byte hexadecimal OAM loopback location ID (LLID).
To disable the display of OAM frames, use the no form of the command you entered.
Troubleshooting PPPoE
If the PPPoE negotiation fails and a PPPoE session is not established, you must first verify that the ADSL interface, the ATM interface, and the ATM subinterface are up. You should check the status of each interface, and if any one of the interfaces is down, follow the steps for troubleshooting that particular interface.
Troubleshooting the PPPoE Discovery Process
After you ensure that the ADSL interface, the ATM interface, and the ATM subinterface are up, you should check the status of the PPP interface that is bound to the ATM subinterface. From the enable mode context, enter:
Syntax: show interfaces ppp <interface number>
If the other interfaces are up and the PPP interface is down, either the PPPoE discovery process failed, or the PPP link establishment process failed. You should begin to focus on the PPPoE negotiation process and determine where the failure is occurring. To begin troubleshooting the process, move to the enable mode context and enter:
Syntax: debug pppoe client
If you included the pppoe-client option when you entered the command to bind the ATM subinterface to the PPP interface, the PPPoE client will continually try to establish a PPPoE session, and debug messages will be displayed at the CLI. You can compare these messages to the PPPoE discovery process to identify the cause of the problem.
For example, if the PPPoE client keeps sending PADI frames but does not receive any PADO frames, you know that for some reason the access concentrator is not responding. If the ADSL interface, the ATM interface, and the ATM subinterface are up, you should call your service provider and report the problem. The service provider will need to ensure that the access concentrator is up and the configuration is correct.
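Reading the debug pppoe client output by hand is the method the text describes. The following Python script is an added example, not code from the ProCurve guide: it walks the debug lines in order, records the last discovery stage reached (PADI, PADO, PADR, PADS) and maps it to the diagnosis given in the paragraph above. The two log captures inside it are constructed in the timestamped format of Figure 7-23; the wording of the PADI and PADO lines is an assumption, since the figure shows only the PADR and PADS messages.

```python
"""Stage triage for 'debug pppoe client' output (added example, not from the guide)."""
import re

# Constructed sample 1: the Figure 7-23 case, where the access concentrator refuses.
SAMPLE_AC_REFUSED = """\
2005.07.20 17:05:09 PPPOE.CLIENT Sending PADI: Xid = 0xe34b0254
2005.07.20 17:05:09 PPPOE.CLIENT Processing PADO Message
2005.07.20 17:05:10 PPPOE.CLIENT Sending PADR: Xid = 0xe34b0254
2005.07.20 17:05:10 PPPOE.CLIENT Processing PADS Message
2005.07.20 17:05:10 PPPOE.CLIENT PADS: Session Id Rcvd = 0
2005.07.20 17:05:10 PPPOE.CLIENT PADS: Access Concentrator Error: AC: Cannot open PPPoE session.
"""

# Constructed sample 2: PADI keeps going out and nothing answers.
SAMPLE_NO_PADO = """\
2005.07.20 17:05:10 PPPOE.CLIENT Sending PADI: Xid = 0xe34b0254
2005.07.20 17:05:15 PPPOE.CLIENT Sending PADI: Xid = 0xe34b0255
2005.07.20 17:05:20 PPPOE.CLIENT Sending PADI: Xid = 0xe34b0256
"""

LINE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} PPPOE\.CLIENT (?P<msg>.+)$")

# Message prefix -> discovery event, in the order the exchange happens.
# The PADI/PADO wording is assumed; Figure 7-23 shows only PADR and PADS lines.
STAGES = [
    ("Sending PADI", "PADI_SENT"),
    ("Processing PADO", "PADO_RCVD"),
    ("Sending PADR", "PADR_SENT"),
    ("Processing PADS", "PADS_RCVD"),
]


def parse_events(log):
    """Turn the debug lines into an ordered list of (event, detail) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other console output mixed into the capture
        msg = m.group("msg")
        for prefix, event in STAGES:
            if msg.startswith(prefix):
                events.append((event, None))
                break
        else:
            if msg.startswith("PADS: Session Id Rcvd"):
                events.append(("SESSION_ID", int(msg.rsplit("=", 1)[1])))
            elif "Access Concentrator Error" in msg:
                events.append(("AC_ERROR", msg.split("Error:", 1)[1].strip()))
    return events


def diagnose(log):
    """Return (stage reached, what to do) for the furthest point discovery got to."""
    events = parse_events(log)
    seen = {e for e, _ in events}
    padi = sum(1 for e, _ in events if e == "PADI_SENT")
    errors = [d for e, d in events if e == "AC_ERROR"]
    session = next((d for e, d in events if e == "SESSION_ID"), None)
    if errors or session == 0:
        why = errors[0] if errors else "session id 0"
        return ("PADS_ERROR", "access concentrator refused the session (%s): report the "
                "configuration problem on the access concentrator to the provider" % why)
    if "PADS_RCVD" in seen and session:
        return ("SESSION_UP", "PPPoE session %d established; continue with PPP link "
                "establishment troubleshooting" % session)
    if "PADR_SENT" in seen:
        return ("NO_PADS", "PADR sent but no PADS received: the access concentrator never "
                "confirmed; report it to the service provider")
    if "PADO_RCVD" in seen:
        return ("NO_PADR", "PADO received but no PADR sent: check the client state with show pppoe")
    if padi:
        return ("NO_PADO", "%d PADI sent, no PADO: the access concentrator is not responding; "
                "if adsl, atm and the atm subinterface are up, call the service provider" % padi)
    return ("NO_ACTIVITY", "no PPPoE client messages: confirm the ATM subinterface is bound "
            "to the PPP interface with the pppoe-client option")
```

Paste a capture into diagnose() and the first element of the result tells you where discovery stalled; the stage order matters because a PADS error after a complete exchange (the Figure 7-23 case) points at the access concentrator, while repeated PADI with nothing back points at the path to it.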
Figure 7-23 shows other possible debug messages that may occur. In this example, the PPPoE client on the ProCurve Secure Router went through the entire negotiation process but could not “open PPPoE session.” The cause of this problem was a configuration problem on the access concentrator.
Figure 7-23. Debug Messages for the PPPoE Client
2005.07.20 17:05:10 PPPOE.CLIENT Sending PADR: Xid = 0xe34b0254
2005.07.20 17:05:10 PPPOE.CLIENT Processing PADS Message
2005.07.20 17:05:10 PPPOE.CLIENT PADS: Session Id Rcvd = 0
2005.07.20 17:05:10 PPPOE.CLIENT PADS: Access Concentrator Error: AC: Cannot open PPPoE session.
[callout on the last line: Negotiation failed at final step]
Note: Debug commands are processor intensive.
Stopping the Debug Messages. Enter one of the following commands from the enable mode context to end the debug messages:
Syntax: no debug pppoe client
or
Syntax: undebug all
After successfully negotiating a PPPoE session, the ProCurve Secure Router begins the process of establishing a PPP session. For information about troubleshooting this process, see “Troubleshooting the PPP Link Establishment Process” on page 7-52.
show pppoe Command
To view all of the PPPoE settings, enter the following command from the enable mode context:
Syntax: show pppoe
Figure 7-24 shows the output from this command.
Figure 7-24. Viewing PPPoE Settings
ppp 1
Outgoing Interface: eth 0/1
Outgoing Interface MAC Address: 00:A0:C8:00:85:20
Access-Concentrator Name Requested: FIRST VALID
Access-Concentrator Name Received: 13021109813703-LRVLGSROS20W_IFITL
Access-Concentrator MAC Address: 00:10:67:00:1D:B8
Session Id: 64508
Service Name Requested: ANY
Service Name Available:
PPPoE Client State: Bound (3)
Redial retries: unlimited
Redial delay: 10 seconds
Clear a PPPoE Connection
If you are having problems with a PPPoE connection or if you need to change some configurations for the connection, you can clear the connection. From the enable mode context, enter:
Syntax: clear pppoe <interface id>
Replace <interface id> with the number of the PPP interface that you bound to the ATM subinterface. For example, if you bound the PPP 3 interface to the ATM subinterface, enter:
ProCurve# clear pppoe 3
debug pppoe client Command
You can display all events related to the PPPoE client in real-time. From the enable mode context, enter:
Syntax: debug pppoe client
Troubleshooting the PPP Link Establishment Process
If you are using PPPoE or PPPoA, you must ensure that the PPP session is established. From the enable mode context, enter:
Syntax: show interfaces ppp <interface number>
When you view the status of the PPP interface, you must ensure that both the interface and the Network Layer protocol are up. For example, Figure 7-25 shows a PPP interface that is up. However, the user cannot send traffic over the link. If you look more closely at Figure 7-25, you can see the reason: the Network Layer protocol—IP—is down.
Figure 7-25. The PPP interface is up, but IP is down.
ppp 1 is UP                                   <-- First, make sure the interface is up
Configuration:
  Keep-alive is set (10 sec.)
  No multilink
  MTU = 1492
  No authentication
  IP is configured
    192.168.1.20 255.255.255.0
Link thru atm 1.1 is UP; LCP state is OPENED, negotiated MTU is 1492
  Receive: bytes=3596, pkts=442, errors=0
  Transmit: bytes=3508, pkts=292, errors=0
  5 minute input rate 624 bits/sec, 1 packets/sec
  5 minute output rate 496 bits/sec, 1 packets/sec
Bundle information
  Queueing method: fifo
  HDLC tx ring limit: 0
  Output queue: 0/1/200/0 (size/highest/max total/drops)
IP is DOWN, IPCP state is REQSENT             <-- Next, ensure that IP is up
LLDPCP State is REQ SENT
To determine why IP is down, use the debug ppp commands. Table 7-8 lists the debug commands you can use to monitor PPP interfaces.
Table 7-8. debug ppp Commands
Command                    Explanation
debug ppp verbose          displays detailed information about all PPP frames as they arrive on the PPP interface
debug ppp errors           displays error messages relating to PPP
debug ppp negotiations     displays events relating to link negotiation; shows if link protocols are able to open; and reveals when negotiations between two PPP peers fail
debug ppp authentication   displays real-time messages relating to PAP and CHAP
undebug all                turns off debug messages
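As an added example, not code from the ProCurve guide, the following Python script reads show interfaces ppp output in the layout of Figure 7-25, checks the two points the text has you confirm in order (the interface is up, then IP is up) and names the Table 7-8 command to turn on next. The sample output is constructed from the Figure 7-25 values, and the regular expressions assume the line layout shown in that figure.

```python
"""Read 'show interfaces ppp' output in the text's order (added example, not from the guide)."""
import re

# Constructed sample in the layout of Figure 7-25: interface up, IP down.
SAMPLE_SHOW_PPP = """\
ppp 1 is UP
Configuration:
  Keep-alive is set (10 sec.)
  No multilink
  MTU = 1492
  No authentication
  IP is configured
    192.168.1.20 255.255.255.0
Link thru atm 1.1 is UP; LCP state is OPENED, negotiated MTU is 1492
  Receive: bytes=3596, pkts=442, errors=0
  Transmit: bytes=3508, pkts=292, errors=0
IP is DOWN, IPCP state is REQSENT
"""


def parse_ppp_status(text):
    """Pull the up/down facts out of the show output into a dict."""
    st = {"interface": None, "interface_up": False, "lower_layer": None,
          "link_up": False, "lcp_state": None, "ip_up": False,
          "ipcp_state": None, "authentication": True, "errors": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(ppp \d+) is (UP|DOWN)", line)
        if m:
            st["interface"], st["interface_up"] = m.group(1), m.group(2) == "UP"
            continue
        m = re.match(r"Link thru (.+?) is (UP|DOWN); LCP state is (\w+)", line)
        if m:
            st["lower_layer"] = m.group(1)
            st["link_up"], st["lcp_state"] = m.group(2) == "UP", m.group(3)
            continue
        m = re.match(r"IP is (UP|DOWN), IPCP state is (\w+)", line)
        if m:
            st["ip_up"], st["ipcp_state"] = m.group(1) == "UP", m.group(2)
            continue
        if line == "No authentication":
            st["authentication"] = False
        m = re.match(r"(?:Receive|Transmit): .*errors=(\d+)", line)
        if m:
            st["errors"] += int(m.group(1))
    return st


def next_check(st):
    """Map the parsed status to (finding, next command), checking in the text's order."""
    lower = st["lower_layer"] or "atm <number.subinterface number>"
    if not st["link_up"]:
        # The text: if a lower interface is down, troubleshoot that interface first.
        return ("lower layer %s is down" % lower, "show interface %s" % lower)
    if not st["interface_up"] or st["lcp_state"] != "OPENED":
        # Link layer up but PPP not established: LCP or authentication (Table 7-8).
        cmd = "debug ppp authentication" if st["authentication"] else "debug ppp negotiations"
        return ("PPP link not established, LCP state %s" % st["lcp_state"], cmd)
    if not st["ip_up"]:
        # Figure 7-25: interface up, IPCP still in REQSENT, so IP is down.
        return ("IP down, IPCP state %s" % st["ipcp_state"], "debug ppp negotiations")
    if st["errors"]:
        return ("%d frame errors counted" % st["errors"], "debug ppp errors")
    return ("ok", None)
```

Feed the captured show output to parse_ppp_status() and then next_check(); for the Figure 7-25 case it reports IP down with IPCP in REQSENT and points at debug ppp negotiations, which is the command the text reaches for in that situation.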
Quick Start
This section provides the commands you will need to quickly configure an Asymmetric Digital Subscriber Line (ADSL) WAN connection on the ProCurve Secure Router. Only a minimal explanation is provided.
If you need additional information about any of these options, see “Contents” on page 7-1 to locate the section and page number that contains the explanation you need.
Configure the Physical Layer: the ADSL Interface
Before you begin to configure the ADSL interface, you should know the settings that you must enter for the following:
■ signal-to-noise ratio (SNR) margin
■ training mode
Your service provider should tell you the settings you need to enter.
To configure the ADSL interface, complete these steps:
1. Use ribbon cabling with RJ-11 connectors to connect the ADSL port on the ProCurve Secure Router to the wall jack provided by your service provider.
2. Establish a terminal console session or Telnet session with the ProCurve Secure Router.
ProCurve>
3. Move to the enable mode context. If you have configured a password for the enable mode context, enter that password when you are prompted to do so.
ProCurve> enable
Password:
4. Move to the global configuration mode context.
ProCurve# configure terminal
5. Access the ADSL interface configuration mode context.
Syntax: interface adsl <slot>/1
For example, if the ADSL module is in slot two, enter:
ProCurve(config)# interface adsl 2/1
6. Activate the interface.
ProCurve(config-adsl 2/1)# no shutdown
7. Set the SNR margin.
Syntax: snr-margin <margin>
Replace <margin> with a value from 1 to 15; the unit is decibels. For example, your service provider may tell you to set the SNR margin to 6.
ProCurve(config-adsl 2/1)# snr-margin 6
8. Define the training mode. The default setting is Multi-Mode. For a list of settings supported by the ADSL2+ Annex A module and the ADSL2+ Annex B module, see Table 7-9 on page 7-56.
Syntax: training-mode [ADSL2 | ADSL2+ | G.DMT | G.LITE | Multi-Mode | READSL2 | T1.413]
ProCurve(config-adsl 2/1)# training-mode multi-mode
Note: If you want to use a default setting, it is not necessary to enter the command.
9. Manually retrain the interface.
ProCurve(config-adsl 2/1)# retrain
Retraining may take a minute. The ADSL interface will go down and then back up.
10. View the status of the ADSL interface.
ProCurve(config-adsl 2/1)# do show interface adsl 2/1
Note: The do command enables you to enter enable mode commands (such as show commands) from any context (except the basic mode context).
Table 7-9. Training Modes Supported by the ProCurve Secure Router
Command Option              ADSL2+ Annex A   ADSL2+ Annex B
training-mode ADSL2         Yes              Yes
training-mode ADSL2+        Yes              Yes
training-mode G.DMT         Yes              Yes
training-mode G.LITE        Yes              No
training-mode Multi-Mode    Yes              Yes
training-mode READSL2       Yes              No
training-mode T1.413        Yes              No
Configure the Data Link Layer: the ATM Interface and Subinterface
Before you configure the Data Link Layer for the ADSL connection, you must know the settings that you should enter for the following:
■ Data Link Layer protocol
• Asynchronous Transfer Mode (ATM) only
• point-to-point protocol (PPP) over Ethernet (PPPoE)
• PPP over ATM (PPPoA)
• routed bridged encapsulation (RBE)
■ virtual path identifier/virtual channel identifier (VPI/VCI)
■ ATM encapsulation
■ IP address
• static IP address
• unnumbered interface
• IP address negotiated with the service provider’s router
Your service provider should tell you which settings to enter.
Configure ATM Only
1. From the global configuration mode context, create the ATM interface.
Syntax: interface <interface> <number>
Replace <interface> with atm, and replace <number> with a unique number for this ADSL connection. For example, to create ATM 1 interface, enter:
ProCurve(config)# interface atm 1
2. Activate the interface.
ProCurve(config-atm 1)# no shutdown
3. Create a subinterface for each permanent virtual circuit (PVC). ATM interfaces on the ProCurve Secure Router can support up to 16 PVCs.
Syntax: interface atm <number.sublink number>
ProCurve(config-atm 1)# interface atm 1.1
4. Configure a VPI/VCI for the subinterface.
Syntax: pvc <vpi>/<vci>
For example, if your service provider assigns you a VPI/VCI of 0/33, enter:
ProCurve(config-atm 1.1)# pvc 0/33
5. Define the ATM encapsulation. The default setting is aal5snap.
Syntax: encapsulation aal5snap
or
Syntax: encapsulation aal5mux [ip | ppp]
For example, to set the encapsulation to multiplexed AAL5 that encapsulates the packet at the IP header, enter:
ProCurve(config-atm 1.1)# encapsulation aal5mux ip
6. Configure an IP address.
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For example, to set the IP address to 10.1.1.1 /24, enter:
ProCurve(config-atm 1.1)# ip address 10.1.1.1 /24
7. Bind the physical interface—the ADSL interface—to the logical interface.
Syntax: bind <number> <physical interface> <slot>/<port> <logical interface> <logical interface number>
ProCurve(config-atm 1)# bind 1 adsl 2/1 atm 1
8. View the status of the ATM interface and subinterface.
ProCurve(config-atm 1)# do show interface atm 1
ProCurve(config-atm 1)# do show interface atm 1.1
Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).
Configure RBE
Your ADSL service provider may ask you to configure the ATM subinterface to use RBE, which routes IP over bridged Ethernet traffic. RBE is sometimes referred to as “half bridging,” because it provides some of the advantages of bridging and some of the advantages of routing.
To use RBE, complete the steps for configuring ATM as outlined in “Configure ATM Only” on page 7-56. When you configure the ATM subinterface, you need to enter one additional command:
ProCurve(config-atm 1.1)# atm routed-bridged ip
When you view the running-config, this command should be listed under the ATM subinterface, as shown in Figure 7-26.
Figure 7-26. Viewing the Running-config for an ADSL Connection Using RBE
interface adsl 2/1
 snr-margin 6
 training-mode G.DMT
 no shutdown
interface atm 1
 point-to-point
 no shutdown
 bind 2 adsl 2/1 atm 1
interface atm 1.1
 point-to-point
 no shutdown
 pvc 0/33
 encapsulation aal5snap
 atm routed-bridged ip                 <-- RBE is configured on the ATM subinterface.
 ip address 10.1.1.1 255.255.255.252
 bandwidth 896
Configure PPPoE
If your service provider wants you to configure PPPoE for your ADSL connection, complete these steps:
1. Create the ATM interface.
Syntax: interface atm <number>
ProCurve(config)# interface atm 1
2. Activate the interface.
ProCurve(config-atm 1)# no shutdown
3. Create a subinterface for each PVC. ATM interfaces on the ProCurve Secure Router can support up to 16 PVCs.
Syntax: interface atm <number.sublink number>
ProCurve(config-atm 1)# interface atm 1.1
4. Configure a VPI/VCI for the subinterface. For example, if your service provider assigns you a VPI/VCI of 0/33, you would enter:
Syntax: pvc <vpi>/<vci>
ProCurve(config-atm 1.1)# pvc 0/33
5. Define the ATM encapsulation. For PPPoE, you must set the encapsulation at aal5snap or aal5mux ppp. The default setting is aal5snap.
Syntax: encapsulation aal5snap
or
Syntax: encapsulation aal5mux [ip | ppp]
ProCurve(config-atm 1.1)# encapsulation aal5snap
6. Bind the physical interface—the ADSL interface—to the logical interface.
Syntax: bind <number> <physical interface> <slot>/<port> <logical interface> <logical interface number>
ProCurve(config-atm 1)# bind 1 adsl 2/1 atm 1
7. View the status of the ATM interface and subinterface.
ProCurve(config-atm 1)# do show interface atm 1
ProCurve(config-atm 1)# do show interface atm 1.1
Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).
8. Create the PPP interface.
Syntax: interface ppp <number>
ProCurve(config)# interface ppp 1
9. Configure a static IP address or configure the interface to negotiate the IP address with the service provider’s router.
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
or
Syntax: ip address negotiated
For example, to assign the PPP interface a static IP address of 10.1.1.1 /24, enter:
ProCurve(config-ppp 1)# ip address 10.1.1.1 /24
10. Bind the PPP interface to the ATM subinterface.
Syntax: bind <bind number> atm <number.subinterface number> ppp <number> pppoe-client
ProCurve(config-ppp 1)# bind 2 atm 1.1 ppp 1 pppoe-client
11. View the status of the PPP interface.
ProCurve(config-ppp 1)# do show interface ppp 1
12. View the running-config to ensure that you have entered two bind commands: one to bind the ADSL interface to the ATM interface and one to bind the ATM subinterface to the PPP interface. (See Figure 7-27.) Enter:
ProCurve(config-ppp 1)# do show running-config
Figure 7-27. Using the show running-config Command to Check the Two bind Commands Required for PPPoE
interface adsl 2/1
 snr-margin 6
 no shutdown
!
interface atm 1
 point-to-point
 no shutdown
 bind 3 adsl 2/1 atm 1                  <-- Bind the ADSL interface to the ATM interface
!
interface atm 1.1
 point-to-point
 no shutdown
 pvc 0/35
!
interface ppp 3
 ip address 10.1.1.1 255.255.255.252
 no shutdown
 bind 4 atm 1.1 ppp 3 pppoe-client      <-- Bind the ATM subinterface to the PPP interface
Configure PPPoA
If your service provider wants you to configure PPPoA for your ADSL connection, complete these steps:
1. Create the ATM interface.
Syntax: interface atm <number>
ProCurve(config)# interface atm 1
2. Activate the interface.
ProCurve(config-atm 1)# no shutdown
3. Create a subinterface for each PVC. ATM interfaces on the ProCurve Secure Router can support up to 16 PVCs.
Syntax: interface atm <number.sublink number>
ProCurve(config-atm 1)# interface atm 1.1
4. Configure a VPI/VCI for the subinterface. For example, if your service provider assigns you a VPI/VCI of 0/33, you would enter:
Syntax: pvc <vpi>/<vci>
ProCurve(config-atm 1.1)# pvc 0/33
5. Define the ATM encapsulation. For PPPoA, you must set the encapsulation at aal5snap or aal5mux ppp. The default setting is aal5snap.
Syntax: encapsulation aal5snap
or
Syntax: encapsulation aal5mux [ip | ppp]
For example, to use aal5snap, enter:
ProCurve(config-atm 1.1)# encapsulation aal5snap
6. Bind the physical interface—the ADSL interface—to the logical interface.
Syntax: bind <number> <physical interface> <slot>/<port> <logical interface> <logical interface number>
ProCurve(config-atm 1)# bind 1 adsl 2/1 atm 1
7. View the status of the ATM interface and subinterface.
ProCurve(config-atm 1)# do show interface atm 1
ProCurve(config-atm 1)# do show interface atm 1.1
Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).
8. Create the PPP interface.
Syntax: interface ppp <number>
ProCurve(config)# interface ppp 1
9. Configure an IP address or configure the interface to negotiate the IP address with the service provider’s router.
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
or
Syntax: ip address negotiated
ProCurve(config-ppp 1)# ip address 10.1.1.1 /24
10. Bind the PPP interface to the ATM subinterface.
Syntax: bind <bind number> atm <number.subinterface number> ppp <number>
ProCurve(config-ppp 1)# bind 2 atm 1.1 ppp 1
11. View the status of the PPP interface.
ProCurve(config-ppp 1)# do show interface ppp 1
12. View the running-config to ensure that you have entered two bind commands: one to bind the ADSL interface to the ATM interface and one to bind the ATM subinterface to the PPP interface. (See Figure 7-28.) Enter:
ProCurve(config-ppp 1)# do show running-config
Figure 7-28. Using the show running-config Command to Check the Two bind Commands Required for PPPoA
interface adsl 2/1
 snr-margin 5
 no shutdown
!
interface atm 1
 point-to-point
 no shutdown
 bind 1 adsl 2/1 atm 1                  <-- Bind the ADSL interface to the ATM interface
!
interface atm 1.1
 point-to-point
 no shutdown
 pvc 0/33
!
interface ppp 1
 ip address 10.1.1.1 255.255.255.252
 no shutdown
 bind 2 atm 1.1 ppp 1                   <-- Bind the ATM subinterface to the PPP interface
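The last step of both the PPPoE and the PPPoA procedure has you read the running-config and confirm the two bind commands by eye. The Python checker below is an added example, not code from the ProCurve guide, that performs that check and the other points the two procedures set: a PVC on the ATM subinterface, an encapsulation of aal5snap or aal5mux ppp, the pppoe-client option present for PPPoE and absent for PPPoA, an IP address on the PPP interface, the 1 to 15 dB snr-margin range, and the Table 7-9 training modes for the Annex A and Annex B modules. The configuration inside it is a constructed sample in the layout of Figures 7-27 and 7-28; treating a missing encapsulation line as aal5snap follows the default stated in step 5.

```python
"""Running-config check for the PPPoE/PPPoA procedures (added example, not from the guide)."""
import re

# Table 7-9: the ADSL2+ module variants (Annex A / Annex B) that support each mode.
TRAINING_MODES = {
    "ADSL2": {"A", "B"}, "ADSL2+": {"A", "B"}, "G.DMT": {"A", "B"},
    "G.LITE": {"A"}, "MULTI-MODE": {"A", "B"}, "READSL2": {"A"}, "T1.413": {"A"},
}

# Constructed sample in the layout of Figure 7-27 (PPPoE, two bind commands).
SAMPLE_PPPOE = """\
interface adsl 2/1
 snr-margin 6
 training-mode Multi-Mode
 no shutdown
!
interface atm 1
 no shutdown
 bind 3 adsl 2/1 atm 1
!
interface atm 1.1
 no shutdown
 pvc 0/35
!
interface ppp 3
 ip address 10.1.1.1 255.255.255.252
 no shutdown
 bind 4 atm 1.1 ppp 3 pppoe-client
"""


def parse_running_config(text):
    """Return {interface name: [command lines]} from the '!'-separated blocks."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def check_adsl_ppp_config(text, mode, annex="A"):
    """Return problems found (empty list = passes); mode is 'pppoe' or 'pppoa', annex 'A' or 'B'."""
    cfg = parse_running_config(text)
    problems = []
    binds = [c for cmds in cfg.values() for c in cmds if c.startswith("bind ")]

    def require_up(name):
        if "no shutdown" not in cfg.get(name, []):
            problems.append("%s: not activated (no shutdown missing)" % name)

    for name in [n for n in cfg if n.startswith("adsl ")]:
        require_up(name)
        for c in cfg[name]:
            if c.startswith("snr-margin ") and not 1 <= int(c.split()[1]) <= 15:
                problems.append("%s: snr-margin must be 1-15 dB" % name)
            if c.startswith("training-mode "):
                tm = c.split(None, 1)[1].upper()
                if annex not in TRAINING_MODES.get(tm, set()):
                    problems.append("%s: training-mode %s not supported on the Annex %s module"
                                    % (name, tm, annex))

    subifs = [n for n in cfg if re.fullmatch(r"atm \d+\.\d+", n)]
    if not subifs:
        problems.append("no ATM subinterface configured")
    for sub in subifs:
        parent, cmds = sub.split(".")[0], cfg[sub]
        require_up(parent)
        require_up(sub)
        if not any(c.startswith("pvc ") for c in cmds):
            problems.append("%s: no pvc <vpi>/<vci> configured" % sub)
        encap = next((c for c in cmds if c.startswith("encapsulation ")),
                     "encapsulation aal5snap")  # step 5: aal5snap is the default
        if encap not in ("encapsulation aal5snap", "encapsulation aal5mux ppp"):
            problems.append("%s: '%s' cannot carry PPP; use aal5snap or aal5mux ppp" % (sub, encap))
        if not any(re.fullmatch(r"bind \d+ adsl \d+/\d+ " + re.escape(parent), b) for b in binds):
            problems.append("%s: no bind from an ADSL interface" % parent)
        ppp_bind = None
        for b in binds:  # the bind from this subinterface to a PPP interface
            m = re.fullmatch(r"bind \d+ " + re.escape(sub) + r" (ppp \d+)( pppoe-client)?", b)
            ppp_bind = m or ppp_bind
        if ppp_bind is None:
            problems.append("%s: no bind to a PPP interface" % sub)
            continue
        ppp, client = ppp_bind.group(1), ppp_bind.group(2) is not None
        if mode == "pppoe" and not client:
            problems.append("%s: bind to %s lacks the pppoe-client option" % (sub, ppp))
        if mode == "pppoa" and client:
            problems.append("%s: pppoe-client option set on a PPPoA bind" % sub)
        require_up(ppp)
        if not any(c.startswith("ip address ") for c in cfg.get(ppp, [])):
            problems.append("%s: no ip address (static or negotiated)" % ppp)
    return problems
```

Run check_adsl_ppp_config() over the text of show running-config with the mode your provider asked for; an empty list means both bind commands, the PVC, the encapsulation and the PPP address are in place, and each string returned names the interface and the step of the procedure to revisit.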
8 Configuring Demand Routing for Primary ISDN Modules
Contents
Overview of ISDN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Elements of an ISDN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
The Local Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
ISDN Interfaces: Connecting Equipment to the ISDN Network . . . . . 8-8
Line Coding for ISDN BRI Connections . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
ISDN Data Link Layer Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
LAPD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10
Q.931 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
Call Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
ProCurve Secure Router ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
Primary ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Using Demand Routing for ISDN Connections . . . . . . . . . . . . . . . . . . . . . . 8-16
Define the Traffic That Triggers the Connection . . . . . . . . . . . . . . . . 8-18
Specifying a Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
Defining the Source and Destination Addresses . . . . . . . . . . . . . 8-20
Configuring the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
Creating the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
Configuring an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-24
Matching the Interesting Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Specifying the connect-mode Option . . . . . . . . . . . . . . . . . . . . . . 8-29
Associating a Resource Pool with the Demand Interface . . . . . . 8-30
Defining the Connect Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-30
Specify the Order in Which Connect Sequences Are Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
Configure the Number of Connect Sequence Attempts . . . . . . . 8-33
Configure Settings for the Recovery State . . . . . . . . . . . . . . . . . . 8-33
Understanding How the connect-sequence Commands Work . . 8-35
Configuring the idle-timeout Option . . . . . . . . . . . . . . . . . . . . . . . 8-37
Configuring the fast-idle Option . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38
Defining the caller-number Option . . . . . . . . . . . . . . . . . . . . . . . . 8-38
Defining the called-number Option . . . . . . . . . . . . . . . . . . . . . . . . 8-39
Configuring the Hold Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
Configuring the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
Accessing the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
Configuring the ISDN Signaling (Switch) Type . . . . . . . . . . . . . . 8-41
Configuring a SPID and LDN for ISDN BRI U Modules . . . . . . . 8-42
Configuring an LDN for BRI S/T Modules . . . . . . . . . . . . . . . . . . . 8-43
Activating the Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
Caller ID Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
Configuring the ISDN Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-44
Creating an ISDN Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-44
Assigning BRI Interfaces to the ISDN Group . . . . . . . . . . . . . . . . 8-44
Assigning the ISDN Group to a Resource Pool . . . . . . . . . . . . . . 8-45
Configuring the incoming-accept-number . . . . . . . . . . . . . . . . . . 8-45
Configuring a Static Route for the Demand Interface . . . . . . . . . . . . 8-46
Example of a Successful Demand Interface Call . . . . . . . . . . . . . . . . 8-48
MLPPP: Increasing Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-50
Configuring MLPPP for Incoming Calls . . . . . . . . . . . . . . . . . . . . 8-50
Configuring MLPPP for Demand Interfaces . . . . . . . . . . . . . . . . . 8-51
Example of MLPPP with Demand Routing . . . . . . . . . . . . . . . . . . 8-52
Configuring PPP Authentication for an ISDN Connection . . . . . . . . 8-53
Enabling PPP Authentication for All Demand Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54
Configuring PAP Authentication for a Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54
Configuring CHAP Authentication for a Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54
Configuring the Username and Password That the Router Expects to Receive . . . . . . . . . . . . . . . . . . . . . . . 8-55
Configuring Peer IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
Example of Demand Routing with PAP Authentication . . . . . . . . . . 8-55
Setting the MTU for Demand Interfaces . . . . . . . . . . . . . . . . . . . . . . . 8-56
Configuring an ISDN Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57
Using Call Types and Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59
Default ISDN Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60
Viewing Information about Demand Routing . . . . . . . . . . . . . . . . . . . . . . . 8-61
Viewing the Status of the Demand Interface . . . . . . . . . . . . . . . . . . . . 8-61
Viewing a Summary of Information about the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63
Viewing the Status of the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . 8-64
Viewing Demand Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66
Viewing the Resource Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67
Show the Running-Config for the Demand Interface . . . . . . . . . . . . . 8-67
Troubleshooting Demand Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
Checking the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
Checking the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
Checking the ACL That Defines the Interesting Traffic . . . . . . . . . . . 8-71
Troubleshooting the ISDN Connection . . . . . . . . . . . . . . . . . . . . . . . . 8-72
Test Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-73
Line Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-75
Troubleshooting with Loopbacks . . . . . . . . . . . . . . . . . . . . . . . . . 8-75
Troubleshooting PPP for the ISDN Connection . . . . . . . . . . . . . . . . . 8-75
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-76
Overview of ISDN Connections
Integrated Services Digital Network (ISDN) connections are point-to-point dial-up connections that can handle both voice and data over a single line. ISDN provides WAN connections at a lower cost than dedicated WAN connections such as E1- or T1-carrier lines. Like telephone calls, ISDN connections incur costs only when the connection is established.
To establish and maintain the connection through the public carrier network, ISDN connections are divided into two types of channels:
■ bearer (B)
■ data (D)
B channels carry voice and data over the connection and transmit data at 56 or 64 Kbps. The D channel maintains the connection and transmits the signaling and call-control information at 16 or 64 Kbps.
Two types of ISDN connections are available:
■ ISDN Basic Rate Interface (BRI)
■ ISDN Primary Rate Interface (PRI)
ISDN BRI provides two 64-Kbps B channels and one 16-Kbps D channel. If you bond or multilink the two B channels in an ISDN BRI connection, the total transmission rate is 128 Kbps. (Multilinking the two channels is discussed in more detail later in this chapter.)
PRI ISDN, on the other hand, provides 23 B channels and 1 D channel in North America and Japan and 30 B channels and 1 D channel in Europe, Asia (except Japan), Australia, and South America. (When PRI includes 30 B channels, channel 0 is used to maintain synchronization and is not counted as either a B or D channel.) The transmission rates for PRI ISDN match the transmission rates for an E1- or T1-carrier line. In North America and Japan, PRI ISDN provides 1.544 Mbps. In other areas, PRI ISDN provides 2.048 Mbps.
In an ISDN connection, the B channels are treated independently. They can be used for simultaneous voice and data; in other words, you can talk on the phone and surf the Web at the same time. For example, if you have an ISDN BRI connection, you can use both channels for data only, or you can use each channel to connect to a different remote office.
The ProCurve Secure Router currently supports ISDN BRI connections. Consequently, this chapter focuses on ISDN BRI.
Elements of an ISDN Connection
All WAN connections, including ISDN lines, consist of three basic elements:
■ the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection
■ electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media
■ Data Link Layer protocols, which provide logical flow control for transmitting data between the two WAN peers (the devices at either end of a connection)
Physical transmission media and electrical specifications are part of the Physical Layer (Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (Layer 2). (See Figure 8-1.)
Figure 8-1. Physical and Data Link Layers of the OSI Model
[Figure: the seven OSI layers, numbered 1 through 7: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer, Presentation Layer, Application Layer. Against the two lowest layers the figure places ISDN and the Data Link Layer protocols PPP, HDLC, ATM, and Frame Relay.]
When you configure an ISDN WAN connection, you must configure both the Physical Layer and the Data Link Layer (which is also called the Logical Layer).
The Local Loop
Like other WAN technologies, ISDN connections are provided through public carrier networks. When you lease an ISDN line, your company’s equipment must be connected to your public carrier’s nearest central office (CO). All of the telecommunications infrastructure—such as repeaters, switches, cable, and connectors—that connects a subscriber’s premises to the CO is referred to as the local loop.
Because public carrier networks were originally designed to carry analog voice calls, copper wire is the most common physical transmission medium used on the local loop. Copper wire has a limited signal-carrying capacity, making local loops that use copper wire the slowest, least capable component of a WAN connection. ISDN, like DSL, was designed to maximize the limited capability of local loop copper wiring.
ISDN provides integrated voice and data services by means of a fully digital local loop. ISDN is a local-loop-only technology. When ISDN traffic reaches the public carrier’s nearest CO, it is converted for transport through the existing public carrier infrastructure.
On the local loop, ISDN requires at least Category 3 (CAT 3) unshielded twisted pair (UTP) cabling. The number of wires required depends on the ISDN service: ISDN BRI requires two wires, or one twisted pair. PRI ISDN requires four wires, or two twisted pairs.
The local loop is divided into two sections by a line of demarcation (demarc), which separates your company’s wiring and equipment from the public carrier’s wiring and equipment. (See Figure 8-2.) As a general rule, your company owns, operates, and maintains the wiring and equipment on its side of the demarc, and the public carrier owns, operates, and maintains the wiring and equipment on its side of the demarc. For ISDN connections, the position of the demarc varies, depending on which ISDN equipment the public carrier provides.
Figure 8-2. ISDN Network
[Figure: the path from the subscriber’s equipment to the public carrier’s CO. A TE2 device connects through the R interface to a terminal adapter; a TE1 device (the router) connects through the S interface to the NT2, which connects through the T interface to the NT1; the NT1 connects through the U interface to the Network Interface Unit (smart jack), and from there the wire span, with a repeater, runs to the ISDN switch at the public carrier’s CO. Two demarc positions are marked: one for North America and one for outside North America.]
In addition to wire and the demarc, the local loop for an ISDN connection includes:
■ ISDN switch—At the public carrier’s CO, the ISDN switch multiplexes and de-multiplexes channels on the twisted pair wiring of the local loop. It provides the physical and electrical termination for the ISDN line and then forwards the data onto the public carrier’s network.
■ Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. Because ISDN lines use 2B1Q coding, which operates at a lower frequency range than T1 or E1 encoding, repeaters are only required every 5.49 km (18,000 feet). In contrast, T1 or E1 encoding requires a repeater approximately every 1.6 km (1 mile or 5,280 feet).
■ Network Interface Unit (NIU)—The NIU automatically maintains the WAN connection and enables public carrier employees to perform simple management tasks from a remote location. The NIU is usually located outside the subscriber’s premises so that public carrier employees can always access it. (The NIU is commonly referred to as the “smart jack” in North America.)
■ Network Termination (NT) 1—The NT1 provides the physical and electrical termination for the ISDN line. It monitors the line, maintains timing, and provides power to the ISDN line. In Europe and Asia, public carriers supply the NT1. In North America, however, the subscriber provides the NT1. In fact, many ISDN vendors are now building the NT1 directly into ISDN equipment such as routers.
■ NT2—PRI ISDN also requires an NT2, which provides switching functions and data concentration for managing traffic across multiple B channels. In many regions, the NT1 and NT2 are combined into a single device, which is called an NT12 (NT-one-two) or just NT.
■ Terminal equipment (TE) 1—TE1 devices are ISDN-ready devices and can be connected directly to the NT1 or the NT2. TE1 devices include routers, digital phones, and digital fax machines.
■ TE2—TE2 devices do not support ISDN and cannot connect directly to an ISDN network. TE2 devices require a terminal adapter (TA) to convert the analog signals produced by the TE2 device into digital signals that can be transmitted over an ISDN connection. TE2 devices include analog telephones and analog fax machines.
■ Terminal adapter (TA)—A TA allows you to connect a TE2 device to an ISDN network.
ISDN Interfaces: Connecting Equipment to the ISDN Network
ISDN supports both RJ-11 and RJ-45 connectors. Public carriers typically install an RJ-45 jack to connect the subscriber’s premises to the local loop.
You can add equipment at four interface points on the subscriber’s side of an ISDN network:
■ U interface
■ T interface
■ S interface
■ R interface
These interfaces define the mechanical connectors, the electrical signals, and the protocols used for connections between the ISDN equipment.
U Interface. The U interface provides the connection between the local loop and NT1. For ISDN BRI, the U interface is one twisted pair. For PRI ISDN, the U interface is two twisted pairs.
Because public carriers in Europe and Asia provide the NT1, these regions do not use the U interface. In regions that support the U interface, there can be only one U interface on the ISDN network.
T Interface. The T interface is used to connect the NT1 to the NT2. This interface is a four-wire connection, or two twisted pair. Each pair handles the traffic sent in one direction.
In the United States and Canada, the T interface—along with the NT1 and NT2—is often built into an ISDN device such as a router. In other regions, the T interface is the first interface at the subscriber’s premises.
S Interface. The S interface is used to connect the NT2 or the NT1 to the TE1 or TA. This interface is a four-wire connection, or two twisted pair.
On an ISDN BRI connection, all of the TEs or TAs connected to the S interface must take turns transmitting traffic. Because the S interface is a shared medium, the TEs and TAs must be able to detect collisions. PRI ISDN does not support multiple TEs at the S interface.
The S and T interfaces are often combined as the S/T interface.
R Interface. The R interface is used to connect a TE2 device to the TA. Because there are no standards for the R interface, the vendor providing the TA determines how the TA connects to and interacts with the TE2.
Line Coding for ISDN BRI Connections
To provide higher transmission rates on ordinary telephone wire, ISDN BRI uses a compressed encoding scheme called 2B1Q. Essentially, this transmission scheme uses four signal levels, each of which encodes one quaternary symbol. A single quaternary symbol, in turn, represents two bits.
The two encoded bits can have up to four different values, each expressed as a different voltage level on the transmission line, as shown in Table 8-1.
Table 8-1. 2B1Q Compressed Line Encoding Scheme

Binary   Quaternary Symbol   Line Voltage
00       -3                  -2.5
01       -1                  -0.833
10       +3                  +2.5
11       +1                  +0.833

Note that zero voltage is not a valid signal level.
In addition to compressing data, 2B1Q operates in full duplex mode, allowing data to be transmitted simultaneously in both directions on the local loop.
ISDN Data Link Layer Protocols
As mentioned earlier, the signaling information used to create and maintain ISDN connections is transmitted over the D channel. The ITU Telecommunications Standardization Sector (ITU-T) has defined two protocols for ISDN signaling. These protocols operate at Layer 2 (Data Link Layer) and Layer 3 (Network Layer) of the OSI model:
■ Q.921, which is also called Link Access Procedure for D channel (LAPD)
■ Q.931
ISDN also supports the following B-channel Data Link Layer protocols:
■ Point-to-Point (PPP)
■ High-Level Data Link Control (HDLC)
■ Frame Relay
LAPD
LAPD establishes the ISDN connection between two endpoints. Exchanged over the D channel, LAPD frames provide the addressing for the dial-up connection, including the service access point identifier (SAPI) and the terminal endpoint identifier (TEI). The SAPI identifies the ISDN service associated with the signaling frame, and the TEI identifies the TE on the subscriber’s ISDN line. In addition, LAPD provides error checking and call control.
LAPD frames consist of six main fields. (See Figure 8-3).
Figure 8-3. LAPD Frame Format
Flag. The flag field is one octet and always has a value of 0x7E.
Address Field. The address field is two octets: In the first octet, the first six bits define the SAPI. The seventh bit is the Command/Response bit (C/R), which designates a command frame or a response frame. The LAPD frame is a command frame:
■ when the LAPD frame is from the user and the C/R bit is set to one
■ when the frame is from the network and the C/R bit is set to zero
Other values designate a response frame. The eighth bit is the first address extension bit and is always set to zero.
[Figure 8-3 shows the LAPD frame structure: Flag | Address field | Control field | Information | FCS | Flag. Bits are numbered 8 (first) to 1 (last): in the first address octet, bits 8-3 carry the SAPI, bit 2 the C/R bit, and bit 1 EA1; in the second octet, bits 8-2 carry the TEI and bit 1 EA2.]
In the second octet, the first seven bits designate the connection’s TEI. TEIs can be assigned statically or dynamically. A statically assigned TEI has a value between 0 and 63; dynamically assigned TEIs range from 64 to 126. A value of 127 designates a broadcast connection meant for all TEs. The eighth bit is the second address extension bit and is always set to one.
Control Field. The third field of an LAPD frame is the control field, which can be either one or two octets. This field identifies the type of frame and contains sequence numbers, control features, and error tracking. The control field identifies the frame as one of the following:
■ supervisory frame
■ unnumbered frame
■ information frame
Information Field. The fourth field of an LAPD frame varies in length and contains the frame’s data payload and information. The information field often contains encapsulated Q.931 packets.
FCS Field. The fifth field is the frame check sequence (FCS), which contains a CRC checksum of the address, control, and payload fields.
Flag. The sixth field is a one-octet flag, which signals the end of the frame.
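As an added example (not code from this guide), the following Python decodes the flag, address, and control fields of a constructed LAPD frame using the bit layout and TEI ranges described above. The sample bytes and the two-byte FCS placeholder are constructed; the RR supervisory control octet and the use of SAPI 0 for call control come from Q.921 rather than this page.

```python
"""Decode the address and control fields of an LAPD (Q.921) frame.

Added example: the frame bytes below are constructed for illustration,
not captured from a real ISDN line.
"""
from dataclasses import dataclass

FLAG = 0x7E


@dataclass
class LapdHeader:
    sapi: int          # service access point identifier (6 bits)
    cr: int            # command/response bit
    ea1: int           # first address extension bit (must be 0)
    tei: int           # terminal endpoint identifier (7 bits)
    ea2: int           # second address extension bit (must be 1)
    tei_kind: str      # "static", "dynamic" or "broadcast"
    frame_type: str    # "information", "supervisory" or "unnumbered"
    control_len: int   # 1 or 2 octets


def classify_tei(tei: int) -> str:
    # 0-63 statically assigned, 64-126 dynamically assigned, 127 broadcast
    if tei == 127:
        return "broadcast"
    if tei >= 64:
        return "dynamic"
    return "static"


def classify_control(first_octet: int, extended: bool = True) -> tuple[str, int]:
    """Identify the frame type from the low bits of the control field.

    Bit 1 (LSB) == 0 -> information frame
    Bits 2-1 == 01   -> supervisory frame
    Bits 2-1 == 11   -> unnumbered frame
    With modulo-128 sequence numbers (the normal LAPD case) I and S frames
    carry a two-octet control field; U frames always use one octet.
    """
    if first_octet & 0x01 == 0:
        return "information", 2 if extended else 1
    if first_octet & 0x03 == 0x01:
        return "supervisory", 2 if extended else 1
    return "unnumbered", 1


def parse_lapd(frame: bytes) -> LapdHeader:
    """Parse the opening flag, the two address octets and the control field."""
    if len(frame) < 4 or frame[0] != FLAG:
        raise ValueError("frame must start with the 0x7E flag")
    a1, a2 = frame[1], frame[2]
    # Octet 1: bits 8-3 = SAPI, bit 2 = C/R, bit 1 = EA1
    sapi = a1 >> 2
    cr = (a1 >> 1) & 0x01
    ea1 = a1 & 0x01
    # Octet 2: bits 8-2 = TEI, bit 1 = EA2
    tei = a2 >> 1
    ea2 = a2 & 0x01
    if ea1 != 0 or ea2 != 1:
        raise ValueError("address extension bits must be EA1=0, EA2=1")
    frame_type, control_len = classify_control(frame[3])
    return LapdHeader(sapi, cr, ea1, tei, ea2, classify_tei(tei),
                      frame_type, control_len)


def build_address(sapi: int, cr: int, tei: int) -> bytes:
    """Inverse of the address parsing above; used to construct sample frames."""
    if not (0 <= sapi <= 63 and 0 <= tei <= 127 and cr in (0, 1)):
        raise ValueError("field out of range")
    return bytes([(sapi << 2) | (cr << 1) | 0, (tei << 1) | 1])


# Constructed sample: SAPI 0 (call-control signaling in Q.921), C/R=0,
# dynamically assigned TEI 64, an RR supervisory control field
# (0x01 0x00: RR with N(R)=0), no payload, and a two-byte FCS placeholder
# (not a computed CRC) before the closing flag.
SAMPLE_FRAME = (bytes([FLAG]) + build_address(0, 0, 64)
                + bytes([0x01, 0x00]) + b"\x00\x00" + bytes([FLAG]))

if __name__ == "__main__":
    print(parse_lapd(SAMPLE_FRAME))
```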
Q.931
The subscriber’s ISDN devices and the public carrier’s devices exchange Q.931 frames to establish, control, and terminate an ISDN call. Q.931 packets are encapsulated in the information field of the LAPD frame.
Call Process
When an ISDN call is placed, the devices go through a procedure to ensure that the connection is made. A basic knowledge of this procedure can help you troubleshoot your ISDN connection. (See Figure 8-4).
Figure 8-4. ISDN Call Setup Process
Placing a Call. When you use your telephone to place a call, you pick up the phone and get a dial tone, which signals that the phone and voice switch are ready. After you dial a number, your telephone, the public carrier’s voice switches, and the receiving phone must exchange frames to establish the connection.
Similarly, when an ISDN modem initiates a connection to another modem, the calling modem, the public carrier’s switches, and the receiving modem must exchange D channel frames. The following is the procedure when placing an ISDN call:
1. The calling modem is activated and sends a SETUP to the switch.
2. If the ISDN switch is available and ready, it sends a CALL PROC to the caller and a SETUP to the receiver.
[Figure 8-4 shows the Caller, the ISDN Switch, and the Receiver exchanging the numbered messages: (1) Setup from the caller after pick up and dial, (2) Call Process to the caller and Setup to the receiver, (3) Alerting from the receiver while the phone rings, (4) Alerting forwarded to the caller, (5) Connect from the receiver when the phone is picked up, (6) Connect forwarded to the caller, (7) Connect_ack from the caller, (8) Connect_ack forwarded to the receiver, (9) connected.]
3. The receiver gets the SETUP. If the receiver is available and ready, it rings the phone and sends an ALERTING message to the switch.
4. The switch forwards the ALERTING to the caller.
5. The receiving ISDN modem sends a CONNECT message to the switch.
6. The switch forwards the CONNECT message to the caller.
7. The caller sends a CONNECT_ACK to the switch.
8. The switch forwards the CONNECT_ACK to the receiver.
9. The call is now connected.
ProCurve Secure Router ISDN Modules
ProCurve Networking offers two types of ISDN modules:
■ narrow modules for primary WAN connections
■ backup modules for backup WAN connections
Like other narrow modules, the primary ISDN modules fit into the narrow slots on the front of the ProCurve Secure Router. The backup ISDN modules, on the other hand, snap onto the top of narrow modules before those modules are installed into the ProCurve Secure Router. Each narrow module contains a backup port that is enabled for use when a backup module is snapped into place. In fact, the two-port ISDN primary modules contain a backup port, which means you can install a backup module on top of the ISDN primary module.
Both primary and backup ISDN modules provide ISDN BRI connections. However, there are some differences between the modules that may determine which type of modules you purchase for your company’s WAN. Some of these differences are listed in Table 8-2.
Table 8-2. Differences Between Primary and Backup ISDN Modules

ISDN Module: primary
  Hardware Requirements: uses one narrow slot on the ProCurve Secure Router
  Applications: primary or backup WAN connection between two offices that exchange data periodically and need a low-cost WAN solution
  Activation Method: established only when traffic that you identify as “interesting” needs to be transmitted across the connection
  Increasing Bandwidth: supports Multilink PPP (MLPPP), which can aggregate multiple B channels across different ISDN lines

ISDN Module: backup
  Hardware Requirements: does not use a narrow slot; installed on top of any narrow module, enabling the use of the backup port on the module
  Applications:
    • backup for two locations that must maintain a persistent WAN connection
    • backup for two locations that require high availability
  Activation Method: two activation methods:
    • persistent backup connection, which is established immediately when the primary connection fails and maintained until the primary connection is re-established
    • demand routing connection, which is established when two conditions are met: the primary WAN connection fails, and traffic you identify as “interesting” needs to be transmitted across the connection
  Increasing Bandwidth:
    • supports channel bonding with another ProCurve Secure Router when you configure a persistent backup connection
    • does not support channel bonding with demand routing

Note: Demand routing is supported with the J.04.01 release of the Secure Router operating system (OS).
Both primary and backup ISDN modules use PPP as the Data Link Layer protocol for the WAN connection and support PPP authentication. This chapter describes how to configure and manage ISDN connections established through the primary ISDN modules. For more information about backup modules, see the Advanced Management and Configuration Guide, Chapter 3: Configuring Backup WAN Connections.
Primary ISDN Modules
For primary WAN connections, ProCurve Networking currently offers two types of modules:
■ ISDN BRI U module—used in the United States and Canada
■ ISDN BRI S/T module—used in all other countries
Both of these ISDN modules support the following standards:
■ National ISDN-1—Defined in the mid 1990s by the National Institute of Standards and Technology (NIST) and Bellcore (now called Telcordia), National ISDN-1 outlines a common set of options that ISDN manufacturers and public carriers must provide.
■ Northern Telecom Digital Multiplex System (DMS)-100—DMS-100 is another standard for transmitting voice and data over an ISDN line.
■ AT&T 5ESS—AT&T switches use Lucent signaling.
In addition, the ISDN BRI S/T module supports:
■ Euro-ISDN—Also called Normes Européennes de Télécommunication 3 (NET3), Euro-ISDN was defined in the late 1980s by the European Commission so that equipment manufactured in one country could be used throughout Europe.
Note: Because the two-port ISDN modules have a single TDM clock, you cannot use one module to connect to two separate service providers. If you lease ISDN lines from two different service providers, you will need to use two separate ISDN modules—either two two-port ISDN modules or one two-port ISDN module and one ISDN backup module.
Table 8-3 lists the supported ISDN switches, the classifications, and electrical standards for each ISDN module.
Table 8-3. Supported ISDN Standards

Type: ISDN BRI S/T module
  Switch Types: National ISDN-1; Northern Telecom DMS-100; AT&T 5ESS; DSS1 ETSI Euro-ISDN
  Classifications: ACIF S031; ETSI TBR 3; EN 60950; IEC 60950; AS/NZS 60950; V.54 loopback support
  Electrical: FCC Part 15 Class A; EN 55022 Class A; EN 55024; EN 61000-3-2; EN 61000-3-3

Type: ISDN BRI U module
  Switch Types: National ISDN-1; Northern Telecom DMS-100; AT&T 5ESS
  Classifications: ACTA/FCC Part 68; IC CS-03; UL/CUL 60950; V.54 loopback support
  Electrical: FCC Part 15 Class A; EN 55022 Class A; EN 55024; EN 61000-3-2; EN 61000-3-3

Using Demand Routing for ISDN Connections
When you lease an ISDN line, you pay only for the time when the connection is established. If no one is sending traffic that must be transmitted over the dial-up WAN connection, you do not want the connection to be up. However, as soon as a user sends data that must be transmitted over the dial-up WAN connection, you want that connection to be established immediately.
When you purchase primary ISDN modules for the ProCurve Secure Router, you configure demand routing to manage the ISDN connection so that when traffic is sent from one site to another the dial-up connection is established. For example, you might lease an ISDN line to connect a branch office to the main office. When a workstation at the branch office sends a packet that must be forwarded to the main office, demand routing triggers the ISDN connection and ensures that the traffic is forwarded across the established link. If no more traffic is transmitted from the branch office to the main office, demand routing ensures that the ISDN connection is terminated until it is required again. (See Figure 8-5.) If you configure demand routing correctly, you can minimize the amount your company pays for its ISDN connection.
Figure 8-5. Using Demand Routing to Establish Dial-Up Connections for Primary and Backup Interfaces
Demand routing can also be used for backup dial-up connections, ensuring that they are established only when the primary interface is down and traffic must be transmitted to another site. (For more information about using demand routing for backup dial-up connections, see the Advanced Management and Configuration Guide, Chapter 3: Configuring Backup WAN Connections.)
[Figure 8-5 shows a Main Router at the main site (networks 192.168.1.0 and 192.168.2.0 behind edge and core switches) connected over Frame Relay over E1, with three branch offices behind Router A, Router B, and Router C. The ISDN connection to Branch Office A (192.168.4.0) is triggered by traffic with destination address 192.168.4.0 /24. The backup ISDN connection to Branch Office B (192.168.5.0 and 192.168.6.0) is triggered only when the primary interface goes down and traffic with destination address 192.168.5.0 /24 or 192.168.6.0 /24 is forwarded to the demand interface. The ISDN connection to Branch Office C (192.168.7.0 and 192.168.8.0) is triggered only when traffic with destination address 192.168.7.0 /24 or 192.168.8.0 /24 is forwarded to the demand interface.]
To configure demand routing for a primary ISDN module, you must complete the following steps:
1. Create an extended access control list (ACL) to define the traffic that will trigger the dial-up connection.
2. Configure a demand interface.
3. Configure the BRI interface.
4. Configure an ISDN group.
5. Create a static route to the far-end network.
Define the Traffic That Triggers the Connection
When configuring demand routing, you must define the interesting traffic—the traffic that triggers, or activates, the WAN connection. For example, if you are configuring demand routing for an ISDN connection between the main office and a branch office, the interesting traffic would be the packets destined for the branch office. (See Figure 8-6.)
Figure 8-6. Connection Triggered When Interesting Traffic Is Received on a Router Interface
[Figure 8-6 shows a Main Router serving networks 10.1.1.0 and 10.2.2.0 and an Office Router serving 10.4.4.0. In the top panel a packet from 10.2.2.5 to 10.4.4.23 arrives at the Main Router; in the bottom panel the connection is triggered.]
ACL configured on Main Router:
  ip access-list extended OfficeConnection
  permit ip 10.1.1.0 0.0.0.255 10.4.4.0 0.0.0.255
  permit ip 10.2.2.0 0.0.0.255 10.4.4.0 0.0.0.255
To define the interesting traffic, you create an extended ACL. The ProCurve Secure Router will use this ACL to identify and select traffic that triggers a dial-up connection.
From the global configuration mode context, enter:
Syntax: ip access-list extended <listname>
Replace <listname> with an alphanumeric descriptor that is meaningful to you. The listname is case sensitive.
After you enter this command, you are moved to the extended ACL configuration mode context, as shown below:
ProCurve(config-ext-nacl)#
You can now enter permit statements to define the traffic that will trigger the dial-up connection. Use the following command syntax:
Syntax: [permit | deny] <protocol> <source address> <source port> <destination address> <destination port> [log | log-input]
You must specify a <protocol>, <source address>, and <destination address>. However, the following are optional:
■ <source port> for TCP or UDP traffic
■ <destination port> for TCP or UDP traffic
■ [log | log-input]
Specifying a Protocol
When you create a permit or deny statement for an extended ACL, you must always specify a protocol. Valid protocols include:
■ AHP
■ ESP
■ GRE
■ ICMP
■ IP
■ TCP
■ UDP
You can also specify the number of the protocol. Valid numbers include any number between 0 and 255.
For demand routing, you might want to create an ACL that selects all of the traffic to a particular subnet. In this case, you should specify ip as the protocol.
Defining the Source and Destination Addresses
When you create an extended ACL, you must configure both a source and a destination address for each entry. You specify the source address first and then you specify the destination address.
To specify the source address and the destination address, use the following syntax:
[any | host {<A.B.C.D> | <hostname>} | <A.B.C.D> <wildcard bits>]
Table 8-4 lists the options you have for specifying both the source address and the destination address.
Table 8-4. Options for Specifying Source and Destination Addresses in an ACL

Option                          Meaning
any                             match all hosts
host [<A.B.C.D> | <hostname>]   specify a single IP address or a single host
<A.B.C.D> <wildcard bits>       specify a range of IP addresses

For example, you may want any traffic to the far-end network to trigger the dial-up connection. If the far-end network has a network address of 192.168.115.0 /24, enter:
ProCurve(config-ext-nacl)# permit ip any 192.168.115.0 0.0.0.255
If you want any outbound traffic from a particular network segment to trigger a dial-up connection, enter:
ProCurve(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
You might want the IP traffic from a specific host to a specific destination to trigger an ISDN connection. In this case, enter:
ProCurve(config-ext-nacl)# permit ip host 192.168.1.1 host 192.168.115.100
Using Wildcard Bits. You use wildcard bits to permit or deny a range of IP addresses. Wildcard bits determine which bits in the specified address the Secure Router OS should match to a packet and which address bits it should ignore. When you enter wildcard bits, you use a 0 to indicate that the Secure Router OS should match the corresponding bit in the IP address. You use a 1 to indicate that the Secure Router OS should ignore the corresponding bit in the IP address. In other words, the Secure Router OS does not have to match that bit.
For example, you might enter:
ProCurve(config-ext-nacl)# deny ip any 192.115.1.0 0.0.0.255
Essentially, you use the wildcard bits to specify the subnet that you want the Secure Router OS to match for a particular packet field (such as the source address). For example, if you enter 192.115.1.90 with the wildcard bits 0.0.0.255, the Secure Router OS will not match any address bits in the fourth octet of the IP address. The Secure Router OS will match incoming packets to the IP subnet address 192.115.1.0 /24 (because it will not match the bits in the fourth octet). (See Figure 8-7.)
Figure 8-7. Understanding Wildcard Bits
Implicit “Deny Any” Entry. Each ACL includes an implicit “deny any” entry at the end of the list. If a packet does not match any entry in the ACL you create, it matches the implicit “deny any” entry.
When you configure an ACL to select interesting traffic, you should permit at least one host. Otherwise, you will, in effect, prevent the dial-up connection from becoming active.
Log. Include the log option if you want the Secure Router OS to log a message:
■ when debug access-list is enabled for this ACL
■ when a packet matches this ACL
For example, a log will be generated when a packet triggers the dial-up connection.
[Figure 8-7 shows the fourth octet of three wildcard masks against the bit weights 128 64 32 16 8 4 2 1: 192.168.1.0 0.0.0.3 (00000011) ignores the last two address bits in the fourth octet; 192.168.1.0 0.0.0.31 (00011111) ignores the last five address bits in the fourth octet; 192.168.1.0 0.0.0.255 (11111111) does not match any address bits in the fourth octet.]
Exit the ACL. After you have finished creating the ACL, enter exit to return to the global configuration mode context, as shown below:
ProCurve(config-ext-nacl)# exit
ProCurve(config)#
After you create the ACL, you must apply it to the demand interface. In fact, the ACL will have no effect until you apply it to the demand interface. (For more information about configuring ACLs, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.)
Configuring the Demand Interface
You must create a demand interface for each router to which the ProCurve Secure Router will connect through a dial-up connection. The demand interface provides the Data Link Layer for the physical dial-up interface.
Like other logical interfaces such as Frame Relay or PPP, the demand interface controls the logical functions for the WAN connection. In many ways, you configure the demand interface as you do any other logical interface. For example, you assign the demand interface an IP address. From this interface, you apply the ACL that defines the interesting traffic that triggers the dial-up WAN connection. You can also apply other ACLs or an access control policy (ACP) to this interface if you want to block certain traffic from being transmitted over the connection.
The demand interface is different from other logical interfaces, however. For one thing, the demand interface is not bound to a specific physical interface or interfaces. Instead, the demand interface is associated with a pool of physical interfaces.
The demand interface must also handle its status differently: it must always be up, whether or not the physical dial-up interface associated with the demand interface is up. Because the demand interface cannot actually be up if the Physical Layer is down, it “spoofs” an up state. As a result, the demand interface can be listed as a directly connected interface in the router’s routing table, even when the dial-up interface is not in use.
Because the demand interface spoofs an up state, you can add routes to networks reached through the dial-up connection managed by the demand interface. The demand interface is the forwarding interface for these routes.
When the ProCurve Secure Router detects traffic that must be routed through a demand interface, it processes the extended ACL applied to the demand interface to define the interesting traffic. If the traffic matches that ACL, the router attempts to establish the ISDN connection.
After the physical ISDN connection is established, the ProCurve Secure Router uses PPP to set up the Data Link Layer. To ensure that only authorized routers establish ISDN connections to your router, you should configure PPP authentication for the dial-up connection.
To configure the demand interface, complete the following steps:
1. Create a demand interface.
2. Configure an IP address for the demand interface.
3. Apply the ACL that defines interesting traffic to the demand interface.
4. Specify whether the demand interface can originate a call, answer a call, or both.
5. Create a resource pool.
6. Configure instructions for placing a call by entering connect-sequence commands.
7. Configure timers, caller, and hold queue settings (optional).
8. Configure caller settings (optional).
9. Configure PPP authentication (optional but recommended).
You must complete steps 1-6. Steps 7-9 are optional.
Creating the Demand Interface
To create a demand interface and access the demand interface configuration mode context, enter the following command from the global configuration mode context:
Syntax: interface demand <number>
Replace <number> with a number between 1 and 1024 for this demand interface. You should configure a different demand interface for each connection to a remote site or device, and each demand interface must have a unique number.
Like loopback interfaces, demand interfaces do not have to be activated. That is, you do not have to enter no shutdown. After you create the demand interface, its status automatically changes to administratively up. The demand interface will begin spoofing an up status after you configure an IP address for it.
Shut Down the Demand Interface. You may need to shut down the demand interface. For example, you may need to shut down the interface to correct a configuration setting or to troubleshoot a problem with the ISDN line. Enter:
ProCurve(config-demand 1)# shutdown
To activate the interface again, enter:
ProCurve(config-demand 1)# no shutdown
Configuring an IP Address
Because the demand interface uses PPP as the Data Link Layer protocol, you have several options for setting up an IP address: you can assign the demand interface a static IP address, you can configure it to negotiate the IP address from its PPP peer, or you can configure it as an unnumbered interface.
Configure a Static IP Address. To assign the demand interface a static IP address, enter:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For example, you might enter:
ProCurve(config-demand 1)# ip address 10.10.10.1 255.255.255.252
or
ProCurve(config-demand 1)# ip address 10.1.1.1 /30
Configure a Negotiated IP Address. If you want the demand interface to negotiate an IP address with its PPP peer, enter the following command from the demand interface configuration mode context:
Syntax: ip address negotiated
Configure the Demand Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the demand interface as an unnumbered interface. When you assign a logical interface on the router an IP address, that IP address cannot overlap with the IP addresses assigned to other logical interfaces. As a result, each interface that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, you may not have enough IP addresses to assign to each active interface on your router.
To conserve IP addresses, you may want the demand interface to use the IP address of another interface. However, if the interface to which the IP address is actually assigned goes down, the demand interface will be unavailable as well. Because there is little chance that a loopback interface will go down, you may want to assign the IP address to a loopback interface.
To configure the demand interface as an unnumbered interface, enter the following command from the demand interface configuration mode context:
Syntax: ip unnumbered <interface ID>
Valid interfaces from which the demand interface can take its address include:
■ Ethernet interfaces and subinterfaces
■ Frame Relay subinterfaces
■ PPP interfaces
■ loopback interfaces
■ Asynchronous Transfer Mode (ATM) subinterfaces
For example, you would enter the following commands to configure a loopback interface and then configure the demand 1 interface to use the IP address assigned to that loopback interface:
ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 192.168.115.1 /24
ProCurve(config-loop 1)# interface demand 1
ProCurve(config-demand 1)# ip unnumbered loopback 1
Spoofing. After you configure an IP address for the demand interface, its status should change to “up (spoofing),” and it should be listed as a directly connected interface in the routing table. To check the status of the demand interface, use the do command to enter a show command from the demand interface configuration mode context:
ProCurve(config-demand 1)# do show interface demand 1
To view the routing table, enter:
ProCurve(config-demand 1)# do show ip route
Figure 8-8 shows a routing table that includes demand interface 1, a directly connected interface.
Figure 8-8. Routing Table That Includes a Demand Interface
Matching the Interesting Traffic
To finish defining the interesting traffic that will trigger a dial-up connection, you must associate the ACL you created with the demand interface. From the demand interface configuration mode context, enter:
Syntax: match-interesting [list | reverse list] <listname > [in | out]
Include the list option if you want the ProCurve Secure Router to use standard matching logic for the ACL. That is, the router will try to match the packet’s source address to the source address that is defined in the extended ACL. Likewise, the router will try to match the packet’s destination address with the destination address that is defined in the extended ACL.
Include the reverse list option if you want the ProCurve Secure Router to use reverse matching logic when processing the ACL. The ProCurve Secure Router will use the ACL to match traffic that is transmitted in the opposite direction, eliminating the need to create another ACL for the traffic inbound on the WAN connection. The router will try to match the packet’s source address with the destination address that is defined in the ACL. The router will then try to match the packet’s destination address with the source address that is defined in the ACL.
Replace <listname> with the ACL that you created to define the interesting traffic. You can specify only extended ACLs.
Including in or out is optional. By default, the ProCurve Secure Router uses the ACL you specify to check both incoming and outgoing traffic. If you do not specify a direction, outbound traffic is matched to the specified ACL, and inbound traffic is matched to the reverse of the ACL.
(Routing table excerpt from Figure 8-8)
C    10.2.2.0/30 is directly connected, ppp 1
C    10.3.3.0/30 is directly connected, demand 1
C    192.168.20.0/24 is directly connected, eth 0/1
If you include the in option when you enter the match-interesting command, the ProCurve Secure Router will check only the traffic received on the demand interface. If you include the out option, the router will check only the traffic transmitted from the interface.
For example, suppose that you configured the Branch ACL to select traffic from the local network destined to a branch office network. If you want both traffic outbound to the branch office and inbound from the branch office to trigger the dial-up connection, apply the Branch ACL to demand 1 interface:
ProCurve(config-demand 1)# match-interesting list Branch
When you view the demand interface in the running-config, you will see two commands, even though you entered only one. (See Figure 8-9.)
Figure 8-9. The match-interesting Command as Displayed in the Running-Config
Entering the following two commands would accomplish the same thing:
ProCurve(config-demand 1)# match-interesting list Branch out
ProCurve(config-demand 1)# match-interesting reverse list Branch in
Note: After you configure demand routing, you should monitor usage of the dial-up connection to determine if you have correctly configured the ACL to select interesting traffic. To avoid any problems when the bill for the dial-up connection arrives, ensure that the connection is being triggered only when you want it to be. To minimize costs, you may need to change the ACL by further limiting the traffic that triggers the connection.
Applying an ACP or Another ACL to the Demand Interface. In addition to using an ACL to determine which traffic triggers a dial-up connection, you can use ACLs to control incoming traffic and outgoing traffic on that connection. You have two options for controlling traffic:
■ You can apply ACLs directly to the demand interface. If you choose this option, you can apply one ACL directly to the interface to control incoming traffic, and you can apply another ACL directly to the interface to control outgoing traffic. (For best practices, you typically apply an extended ACL closest to the source of incoming traffic so that you do not waste the router’s processing time on traffic that will ultimately be discarded.)
(Running-config excerpt from Figure 8-9)
interface demand 1
  match-interesting list Branch out
  match-interesting reverse list Branch in
■ You can apply an access control policy (ACP) to the demand interface. ACPs control incoming traffic and can contain multiple ACLs.
You use the ip access-group command to apply ACLs directly to the demand interface, or you use the access-policy command to apply an ACP to the demand interface. (For more information about using ACLs separately or in combination with ACPs, see Chapter 5: Applying Access Control to Router Interfaces.) The ProCurve Secure Router will match traffic to the ACLs or the ACP to control access to an already-active backup connection. However, the connection will only be triggered by traffic that matches the ACL that you specify in the match-interesting list command.
Because you can configure one ACL to trigger the dial-up connection and another ACL to control access to the dial-up connection, you can allow certain types of traffic to use a connection only when it is already established. For example, if you apply an ACL for outbound traffic to the demand interface, the router will match traffic destined out the demand interface against this list first. If the router determines that a packet is allowed, it will then check the ACL specified with the match-interesting list command to determine if the packet should trigger the backup connection. If the packet is not defined as interesting traffic, the ProCurve Secure Router will not attempt to establish the connection. However, if the connection is already established, the router will transmit packets that are permitted by the ACL, but not selected as interesting traffic, over the ISDN link. These packets will not reset the idle timer for the demand interface. (The idle timer determines how long the dial-up connection will remain connected in the absence of interesting traffic. When the router receives interesting traffic, it resets the idle timer. For more information about timers, see “Configuring the idle-timeout Option” on page 8-37 and “Configuring the fast-idle Option” on page 8-38.)
For example, suppose two nodes at a remote site need to communicate with a server at a local site. One node is specified in the ACL that triggers the connection, but the other node is not. The first node’s communication will keep the link active until it has completed its transfer of data and the idle timer has expired. If the idle timer expires when the second node is communicating with the server, the connection will be terminated because the second node’s traffic does not match the ACL specified in the match-interesting list command.
In addition to applying an ACL to control outbound traffic, you can apply an ACL for inbound traffic or an ACP to the demand interface. In this case, the ACL or the ACP will filter inbound traffic to your network over the backup connection. If the router determines that a packet is allowed, it will forward the packet. However, the router will reset the dial-up connection’s idle timer only if the packet also matches the ACL specified with the match-interesting reverse list command.
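A model of the packet decisions this section describes: the ip access-group ACL is consulted first, then the match-interesting ACL with standard matching outbound and reverse matching inbound (the default when no direction is given), and only interesting traffic triggers a dial or resets the idle timer. This is an added example written for this page, not ProCurve code; the Branch ACL entries, addresses, access-group ACLs and the hold-queue-free dial model are constructed assumptions.

```python
"""Model of the demand-interface packet checks described in this section.
Added, hypothetical example written for this page, not ProCurve code; the
ACL entries and addresses below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # source prefix in CIDR form
    dst: str      # destination prefix in CIDR form


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def acl_permits(acl: List[AclEntry], pkt: Packet, reverse: bool = False) -> bool:
    """First matching entry wins, with an implicit deny at the end.  reverse=True is
    the 'reverse list' logic: the packet's source is compared with the entry's
    destination and the packet's destination with the entry's source."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if reverse:
        src, dst = dst, src
    for entry in acl:
        if src in ip_network(entry.src) and dst in ip_network(entry.dst):
            return entry.action == "permit"
    return False


@dataclass
class DemandInterface:
    interesting: List[AclEntry]                  # match-interesting list <name>
    access_out: Optional[List[AclEntry]] = None  # ip access-group <name> out
    access_in: Optional[List[AclEntry]] = None   # ip access-group <name> in
    idle_timeout: int = 120                      # idle-timeout <seconds>, default 120
    connected: bool = False
    idle_left: int = field(init=False)

    def __post_init__(self) -> None:
        self.idle_left = self.idle_timeout

    def handle(self, pkt: Packet, direction: str) -> str:
        """Classify one packet leaving ('out') or arriving on ('in') the interface."""
        if direction == "out":
            # the access-group ACL is checked before the interesting-traffic ACL
            if self.access_out is not None and not acl_permits(self.access_out, pkt):
                return "dropped by ip access-group out"
            interesting = acl_permits(self.interesting, pkt)   # standard matching
            if not self.connected:
                return "dial triggered" if interesting else "not forwarded: no link, not interesting"
            if interesting:
                self.idle_left = self.idle_timeout
                return "forwarded, idle timer reset"
            return "forwarded, idle timer not reset"   # rides the link but cannot keep it up
        if not self.connected:
            return "no link: nothing to receive"
        if self.access_in is not None and not acl_permits(self.access_in, pkt):
            return "dropped by ip access-group in"
        if acl_permits(self.interesting, pkt, reverse=True):   # reverse matching inbound
            self.idle_left = self.idle_timeout
            return "forwarded, idle timer reset"
        return "forwarded, idle timer not reset"

    def tick(self, seconds: int) -> bool:
        """Let `seconds` pass with no interesting traffic; returns whether the link is up."""
        if self.connected:
            self.idle_left -= seconds
            if self.idle_left <= 0:
                self.connected = False
                self.idle_left = self.idle_timeout
        return self.connected


def branch_example() -> DemandInterface:
    """Constructed sample: local LAN 192.168.20.0/24, branch LAN 10.10.0.0/24, and one
    local host (192.168.20.99) that is barred from the dial-up link altogether."""
    branch = [AclEntry("permit", "192.168.20.0/24", "10.10.0.0/24")]
    outbound = [AclEntry("deny", "192.168.20.99/32", "0.0.0.0/0"),
                AclEntry("permit", "192.168.20.0/24", "0.0.0.0/0")]
    inbound = [AclEntry("permit", "0.0.0.0/0", "192.168.20.0/24")]
    return DemandInterface(interesting=branch, access_out=outbound, access_in=inbound)


if __name__ == "__main__":
    d = branch_example()
    print(d.handle(Packet("192.168.20.5", "10.10.0.7"), "out"))   # dial triggered
```

Running the two-node scenario from the text (one host interesting, one not) with tick() shows the link dropping while the non-interesting transfer is still in progress.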
Specifying the connect-mode Option
You can control whether the demand interface can be used to originate a call, answer a call, or both. From the demand interface configuration mode context, enter:
Syntax: connect-mode [originate | answer | either]
Table 8-5 shows each option and when you would use it. The default setting is either.
Table 8-5. Options for the connect-mode Command

Option       Explanation
originate    The demand interface can make calls but cannot answer them.
answer       The demand interface can answer calls but cannot make them.
either       The demand interface can make calls and answer them.

No matter what you configure as interesting traffic, the connect-mode command controls whether or not the demand interface can originate or answer a call. When the demand interface receives outbound interesting traffic, it will originate a connection only if the connect mode you configured for the demand interface allows it to originate a call.
If a demand interface receives outbound interesting traffic and a dial-up connection is already established on this interface, the ProCurve Secure Router resets the idle timer on the connected link. (The idle timer determines how long the ISDN connection can remain up if no traffic is transmitted over it.) The router also resets the idle timer when it receives inbound interesting traffic through the demand interface.
If you want the demand interface to originate a call when it receives interesting traffic, you must set the connect-mode to originate or either. You could also configure the demand interface so that an ACL selects outbound traffic (match-interesting list <listname>) but the connect-mode command is set to answer. In this mode, the outbound traffic will not trigger a connection, but it will keep the connection up after the demand interface answers a call.
Note: Currently, it is not possible to have outbound traffic that will originate a call but not keep the link up. Because the match-interesting command controls both the traffic that triggers a connection and the traffic that resets the idle timer, any outbound interesting traffic that initiates a connection also keeps the link up.
To return the connect-mode to its default setting of either, enter:
ProCurve(config-demand 1)# no connect-mode
Associating a Resource Pool with the Demand Interface
Rather than using a bind command to create a persistent, one-to-one connection between the demand interface and a physical interface, you use the resource pool command to link the demand interface to one or multiple ISDN BRI interfaces. The resource pool command creates a resource pool and associates it with a particular demand interface. Each demand interface can be associated with only one resource pool.
To create a resource pool and associate it with the demand interface, enter:
ProCurve(config-demand 1)# resource pool <poolname>
Replace <poolname> with the name of the resource pool that contains the physical interfaces that this demand interface will use to originate or answer connections.
This resource pool is empty until you assign members to it. For primary ISDN connections, you will assign an ISDN group to the resource pool. You must be at the configuration mode context for the ISDN group. (For more information, see “Configuring the ISDN Group” on page 8-44.)
Defining the Connect Sequence
You must configure a connect sequence to specify:
■ the telephone number that the demand interface dials to connect to the other site
■ the type of dial-up connection to establish
When the ProCurve Secure Router detects interesting traffic and no connections are currently established to carry this traffic, it uses a connect sequence to try to establish a connection. This process is called an activation attempt.
You can configure more than one connect sequence for a demand interface. For example, you may want to configure more than one connect sequence if the main office has more than one ISDN line. Then, if one ISDN line is in use, the ProCurve Secure Router can dial another line to establish a connection. You may also want to configure more than one connect sequence to connect to a different router at the main office. Then, if one router at the main office is down, the router at a branch office can still connect to the main office.
To configure a connect sequence, enter the following command from the demand interface configuration mode context:
Syntax: connect-sequence <sequence-number> dial-string <string> [<resource-type>] [busyout-threshold <value>]
Replace <sequence-number> with a number between 1 and 65535 to identify this set of connection instructions.
Replace <string> with the telephone number that the demand interface should dial to make the connection.
Replace <resource-type> with one of the options listed in Table 8-6. The option you enter will limit this connection to a particular type of dial-up connection.
Table 8-6. Defining a Resource Type for a Connect Sequence

Option             Description
isdn-64k           Any dial resource can be used, but if ISDN is used, the call must be placed using a 64-Kbps channel.
isdn-56k           Any dial resource can be used, but if ISDN is used, the call must be placed using a 56-Kbps channel.
forced-analog      Only analog resources can be used. (This option is used when you configure demand routing with a backup analog line.)
forced-isdn-64k    Only ISDN resources can be used, and the call must be placed using a 64-Kbps channel.
forced-isdn-56k    Only ISDN resources can be used, and the call must be placed using a 56-Kbps channel.

Because you are setting up a connect sequence for an ISDN connection, you should enter the forced-isdn-64k or forced-isdn-56k option, depending on the speed of the B channel. Your service provider should tell you which option to use.
Specifying the busyout-threshold <value> is optional. Include a value to specify the maximum number of times the ProCurve Secure Router will try this connect sequence in a single call attempt. If you specify 0, the ProCurve Secure Router will make an unlimited number of attempts. If you specify any other number, the ProCurve Secure Router will skip this connect sequence after it reaches the maximum number. (Depending on your configuration, the ProCurve Secure Router may cycle through the list of connect sequences more than once in its attempt to establish a connection. For more information, see “Configure the Number of Connect Sequence Attempts” on page 8-33.)
There is no default connect sequence. If you do not enter at least one connect-sequence command, the demand interface will not be able to originate a dial-up connection.
Deleting a Connect Sequence. To delete a connect sequence entry, enter the following command from the demand interface configuration mode context:
Syntax: no connect-sequence <sequence-number>
Specify the Order in Which Connect Sequences Are Used
If you enter more than one connect-sequence command, you can configure the order in which each connect sequence is used. From the demand interface configuration mode context, enter:
Syntax: connect-order [sequential | last-successful | round-robin]
Table 8-7 lists each option with a brief description.
Table 8-7. Options for Processing the Connect Sequences

Option            Description
sequential        Process each connect sequence in numerical order, starting with the lowest number and ending with the highest number.
last-successful   Process the last-successful connect sequence first. If that connect sequence is not successful, process those remaining in numerical order, starting with the lowest number and ending with the highest number.
round-robin       First, process the connect sequence that follows the last-successful connect sequence. If that connect sequence fails, process the next highest sequence. (If no connection has been made, process the first connect sequence.)

The default setting is sequential.
Returning to the Default Connect Sequence Processing Order. To return the connect-order command to its default setting of sequential, enter:
ProCurve(config-demand 1)# no connect-order
Configure the Number of Connect Sequence Attempts
You can limit the number of times that the ProCurve Secure Router processes the connect sequences configured for a demand interface if it is unable to establish a connection. The router will process the connect sequences in the order you specify (with the connect-order command). If the router processes all of the connect sequences and is unable to establish a connection, the router has made one connect sequence attempt. (Note that in one attempt, the router can retry a particular connect sequence as many times as specified for that connect sequence’s busyout-threshold setting.) The router then repeats the process until it reaches the number that you have specified in the connect-sequence attempts command.
From the demand interface configuration mode context, enter:
Syntax: connect-sequence attempts <value>
Replace <value> with the number of times the ProCurve Secure Router will cycle through the connect sequences specified for a demand interface. You can specify a number between 0 and 65535. The default setting is 1. Specifying 0 places no limit on the number of attempts.
Configure Settings for the Recovery State
When the ProCurve Secure Router tries to establish a connection, one of the following conditions will result:
A BRI Interface Is Available, and the Call Is Connected. If the ProCurve Secure Router successfully establishes a physical connection (Layer 1), it will begin to negotiate a PPP session with the far-end router.
No BRI Interfaces Are Available. If no BRI interface in the associated resource pool is available for use, the ProCurve Secure Router places all interfaces in the resource pool in fast-idle mode, which decreases the amount of time an interface can remain idle before the router disconnects the ISDN connection. The router then monitors the BRI interfaces until one becomes available. If a BRI interface becomes available, the ProCurve Secure Router uses that interface to dial a connect-sequence. At the same time, the router cancels the fast-idle mode for the resource pool. (For more information about fast-idle mode, see “Configuring the fast-idle Option” on page 8-38.)
A BRI Interface Is Available, But the Call Fails. If a BRI interface is available and the ProCurve Secure Router attempts to establish a connection, the call may fail for a number of reasons: a busy signal, no answer, connection timeout, and so on. When a connection attempt fails, the router increments the failure count for that connect sequence and then tries to use the next connect sequence to establish a dial-up connection. The busyout-threshold option determines the number of times the ProCurve Secure Router processes a particular connect sequence during each connect sequence attempt.
For example, if connect sequence 10 has a busyout-threshold of 3 and connect sequence 11 has a busyout-threshold of 2, the router will process connect sequence 10 three times and connect sequence 11 twice (alternating between the two sequences). If, at the end of the five total attempts, the router cannot establish a connection, it has made one connect sequence attempt.
If the router reaches the maximum number of connect sequence attempts, the ProCurve Secure Router will, by default, change the status of the demand interface to “DOWN (recovery active).” The router will remove the IP address from the demand interface and any associated routes from the routing table. No interesting traffic will be forwarded to the demand interface. If you have configured an alternate route for traffic, the ProCurve Secure Router will activate and use that route.
While the demand interface is in this recovery active state, the ProCurve Secure Router will periodically process the connect sequences and try to establish a dial-up connection. If the router can successfully establish a connection, it will change the status of the demand interface to up, reinstate the routes through the interface, and begin forwarding interesting traffic to the demand interface.
However, if the ProCurve Secure Router cannot establish a connection, it will, by default, continue to try the connect sequences every 120 seconds. You can change the default settings for the recovery mode: you can configure how often the ProCurve Secure Router attempts to establish a connection and the number of attempts it makes in the recovery mode. From the demand interface configuration mode context, enter:
Syntax: connect-sequence interface-recovery retry-interval <seconds> max-retries <number>
Replace <seconds> with the number of seconds you want the demand interface to wait between connect sequence attempts. You can specify a number between 1 and 65535. The default setting is 120 seconds.
Replace <number> with a number between 0 and 65535. If you specify 0, the ProCurve Secure Router will continue to try to establish a connection until it is successful or you clear the interface. The number you specify overrides the connect-sequence attempts setting while the demand interface is in recovery mode. The default setting is 0, or unlimited. That is, the demand interface remains in recovery mode until it successfully establishes a call or until you shut down the interface.
To disable the recovery mode, enter the following command from the demand interface configuration mode context:
ProCurve(config-demand 1)# no connect-sequence interface-recovery
Understanding How the connect-sequence Commands Work
Before you configure all the settings for connect sequences, you should understand how these settings interrelate. For example, consider the configuration shown in Figure 8-10:
Figure 8-10. Connection Instructions for a Demand Interface
The resource pool for this demand interface contains two BRI interfaces. If interesting traffic is forwarded to this demand interface, the ProCurve Secure Router will first process connect sequence 10 (because the connect-order is sequential). If the BRI interface is available, the ProCurve Secure Router will try to call 5551212. (See Figure 8-11.)
(Configuration shown in Figure 8-10)
interface demand 1
  connect-order sequential
  connect-sequence attempts 3
  connect-sequence 10 dial-string 5551212 forced-isdn-64k busyout-threshold 3
  connect-sequence 20 dial-string 5552222 forced-isdn-64k busyout-threshold 1
  connect-sequence interface-recovery retry-interval 60 max-retries 5
  resource pool Pool
Figure 8-11. Trying to Establish an ISDN Connection
If the ISDN connection is not established, the ProCurve Secure Router will try to process connect sequence 20. Because the busyout-threshold setting is 1, the ProCurve Secure Router will try this connection only once. If the second connect sequence is unsuccessful, the ProCurve Secure Router will try connect sequence 10 up to two more times (for a total of three times).
(Figure 8-11 content, reconstructed from the extracted text)
Configuration:
connect-mode either
connect-order sequential
connect-sequence 10 dial-string 5551212 forced-isdn-64k busyout-threshold 3
connect-sequence 20 dial-string 5552222 forced-isdn-64k busyout-threshold 1
connect-sequence attempts 3
connect-sequence interface-recovery retry-interval 60 max-retries 5

Processing connect-sequences:
1. Check connect-order.
2. Process connect-sequence 10, based on connect-order.
3. Check connect-mode. Can the interface answer or originate a call?
4. Was the call successful? Yes = PPP session begins. No = process connect-sequence 20.
5. Was the call for connect-sequence 20 successful? Yes = PPP session begins. No = process connect-sequence 10 up to three times or until a call is successful.
6. Based on the connect-sequence attempts command, repeat steps 2 through 5 until a call is successful or a maximum of two more times.
7. If the demand interface cannot successfully establish a call, the router puts it into the recovery state.
8. In the recovery state, the demand interface attempts to establish a connection every 60 seconds. Based on the configuration, it tries a maximum of five times. If the interface is not successful, its status changes to down.
If the ProCurve Secure Router processes all of the connect sequences and cannot establish a dial-up connection, the connect sequence attempt fails. For the configuration shown in Figure 8-10, the ProCurve Secure Router will cycle through the connect sequences three times. That is, it will attempt to call 5551212 (connect sequence 10) up to nine times in total and 5552222 (connect sequence 20) up to three times in total.
If all three attempts are unsuccessful, the ProCurve Secure Router will change the status of the demand interface to down (recovery active). Further, the router will remove the demand interface’s IP address and any routes referencing the interface (allowing any routes with higher administrative distances to take their place).
In 60 seconds, the ProCurve Secure Router will try to process the connect sequences again (although the demand interface will remain in recovery active mode). That is, the router will call 5551212 once, 5552222 once, and then 5551212 twice again. If that attempt is unsuccessful, the ProCurve Secure Router will try again in 60 seconds. Based on the configuration in Figure 8-10, the ProCurve Secure Router will try up to five times or until a connection is successful.
If all the connection attempts made during the recovery active mode are unsuccessful, the ProCurve Secure Router will change the status of the demand interface to down (recovery failed) until you take some action to intervene. (See “Troubleshooting Demand Routing” on page 8-68.) If a connection is successful, the ProCurve Secure Router will change the status of the demand interface to up (connected), activate the IP address for the interface, and reinstate any routes to the interface.
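A simulation of the activation and recovery logic described above, serving both the connect-sequence walkthrough for Figure 8-10 and the recovery-state settings. This is an added example written for this page, not router code; it models connect-order, busyout-threshold, connect-sequence attempts and interface-recovery, and assumes that round-robin ordering wraps from the highest sequence number back to the lowest.

```python
"""Model of the demand-interface connect-sequence logic described in this
chapter: connect-order, busyout-threshold, connect-sequence attempts and
interface-recovery.  Added, hypothetical simulation, not ProCurve code."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class ConnectSequence:
    number: int                 # <sequence-number>, 1..65535
    dial_string: str            # telephone number this sequence dials
    busyout_threshold: int = 0  # tries per attempt; 0 = unlimited


@dataclass
class DemandInterface:
    sequences: List[ConnectSequence]
    connect_order: str = "sequential"  # sequential | last-successful | round-robin
    attempts: int = 1                  # connect-sequence attempts <value>; 0 = unlimited
    retry_interval: int = 120          # interface-recovery retry-interval <seconds>
    max_retries: int = 0               # interface-recovery max-retries <number>; 0 = unlimited
    last_successful: Optional[int] = None
    status: str = "up (spoofing)"
    elapsed: int = 0                   # simulated seconds spent waiting in recovery
    call_log: List[str] = field(default_factory=list)  # every number dialed, in order
    call_cap: int = 1000               # simulation-only guard for unlimited settings

    def ordered(self) -> List[ConnectSequence]:
        """Order the sequences as connect-order prescribes (Table 8-7)."""
        seqs = sorted(self.sequences, key=lambda s: s.number)
        if self.last_successful is None:
            return seqs  # no success yet: numerical order in every mode
        idx = next(i for i, s in enumerate(seqs) if s.number == self.last_successful)
        if self.connect_order == "last-successful":
            return [seqs[idx]] + seqs[:idx] + seqs[idx + 1:]
        if self.connect_order == "round-robin":
            # assumption: after the highest number the rotation wraps to the lowest
            return seqs[idx + 1:] + seqs[:idx + 1]
        return seqs

    def _dial(self, seq: ConnectSequence, dial: Callable[[str], bool]) -> bool:
        if len(self.call_log) >= self.call_cap:
            raise RuntimeError("simulation guard: unlimited retries never succeeded")
        self.call_log.append(seq.dial_string)
        if dial(seq.dial_string):
            self.last_successful = seq.number
            return True
        return False

    def one_attempt(self, dial: Callable[[str], bool]) -> bool:
        """One connect sequence attempt: walk the ordered list, skipping a sequence
        once it has hit its busyout-threshold, and repeat until a call succeeds or
        every sequence is spent (10, 20, 10, 10 for the Figure 8-10 configuration)."""
        tries: Dict[int, int] = {s.number: 0 for s in self.sequences}
        order = self.ordered()
        while True:
            dialed_any = False
            for seq in order:
                if seq.busyout_threshold and tries[seq.number] >= seq.busyout_threshold:
                    continue
                tries[seq.number] += 1
                dialed_any = True
                if self._dial(seq, dial):
                    return True
            if not dialed_any:
                return False  # every sequence exhausted: this attempt failed

    def activate(self, dial: Callable[[str], bool]) -> str:
        """Run the activation attempts, then the recovery state (pages 8-33 and 8-34)."""
        made = 0
        while self.attempts == 0 or made < self.attempts:
            made += 1
            if self.one_attempt(dial):
                self.status = "up (connected)"
                return self.status
        # the IP address and routes are withdrawn while recovery is active
        self.status = "down (recovery active)"
        retries = 0
        while self.max_retries == 0 or retries < self.max_retries:
            retries += 1
            self.elapsed += self.retry_interval  # wait retry-interval seconds
            if self.one_attempt(dial):
                self.status = "up (connected)"
                return self.status
        self.status = "down (recovery failed)"  # operator intervention needed
        return self.status


def figure_8_10() -> DemandInterface:
    """The demand 1 configuration shown in Figure 8-10."""
    return DemandInterface(
        sequences=[ConnectSequence(10, "5551212", 3), ConnectSequence(20, "5552222", 1)],
        connect_order="sequential", attempts=3, retry_interval=60, max_retries=5)


def calls_per_number(d: DemandInterface) -> Dict[str, int]:
    """How many times each telephone number was dialed so far."""
    return dict(Counter(d.call_log))
```

With every call failing, the Figure 8-10 configuration dials 5551212 nine times and 5552222 three times during the three activation attempts, then four more calls per recovery retry until the interface goes to down (recovery failed).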
Configuring the idle-timeout Option
You can configure the amount of time that the demand interface remains up in the absence of interesting traffic. From the demand interface configuration mode context, enter:
Syntax: idle-timeout <seconds>
Replace <seconds> with a number between 1 and 2147483. (The range is 1 second to more than 596 hours.)
The default setting is 120 seconds.
Configuring the fast-idle Option
You can assign BRI interfaces to more than one resource pool. For example, you might want to assign backup interfaces to more than one resource pool because it would be unlikely that two primary interfaces would go down at the same time. If at all possible, however, ProCurve Networking recommends that you design resource pools and the connect sequences to avoid contention for BRI interfaces—especially for primary BRI interfaces.
If all the BRI interfaces in a resource pool are in use and the ProCurve Secure Router needs to establish another connection, the fast-idle option determines the number of seconds that the existing ISDN connections will remain up in the absence of interesting traffic. Because BRI interfaces are in contention, the fast-idle option drastically reduces the time the demand interface remains up when it is not in use.
To configure this setting, enter the following command from the demand interface configuration mode context:
Syntax: fast-idle <seconds>
Replace <seconds> with a number between 1 and 2147483. (The range is 1 second to more than 596 hours.)
The default setting is 20 seconds.
To return the option to the default setting, enter:
ProCurve(config-demand 1)# no fast-idle
Defining the caller-number Option
When an ISDN call is established, the calling party supplies a Calling Line ID (CLID). If you configure a caller-number, the demand interface will check the CLID when it receives calls. If the CLID matches one of the numbers that you have specified, the demand interface will answer the call. If the CLID does not match any of those numbers, the interface will not answer the call.
You can enter multiple caller-number commands, allowing the BRI interface to accept calls from different remote offices or devices.
From the demand interface configuration mode context, enter:
Syntax: caller-number <CLID>
Replace <CLID> with the calling party’s telephone number.
By default, the caller-number list does not include any numbers, so all calls are accepted.
Defining the called-number Option
You can also configure the Dialed Number Identification Service (DNIS) that the demand interface provides when answering a call. From the demand configuration mode context, enter:
Syntax: called-number <DNIS>
Replace <DNIS> with the telephone number that you want the BRI interface to provide when answering or making a call. This command allows the router to provide the same caller ID to a remote peer no matter which physical interface it uses to make the connection.
You can enter multiple called-number commands. By default, no number is specified for the called-number command.
Configuring the Hold Queue
When the ProCurve Secure Router detects interesting traffic, it begins to hold these packets in a queue while it tries to set up a dial-up connection. When the connection is established, the ProCurve Secure Router transmits all the packets in the hold queue.
You can configure the maximum number of interesting packets that the router keeps in the hold queue and the length of time the packets are held while a connection is being made. From the demand interface configuration mode context, enter:
Syntax: demand-hold-queue <packets> timeout <seconds>
Replace <packets> with a number between 0 and 200. Replace <seconds> with a number between 0 and 255.
By default, the ProCurve Secure Router holds 200 packets for 3 seconds. If the number of packets received before the connection is established exceeds 200 packets or if the connection is not established within 3 seconds, the ProCurve Secure Router empties the hold queue. However, emptying the hold queue does not terminate an activation attempt.
Configuring the BRI Interface
To configure the BRI interface, you need the following information from your service provider:
■ ISDN signaling (switch) type
■ assigned telephone numbers (LDNs)
■ service profile IDs (SPIDs), if you are located in the United States or Canada
You should have this information available before you begin configuring the BRI interface. You must then complete the following steps:
1. Access the BRI interface configuration mode context.
2. Specify the ISDN switch type.
3. Assign the BRI interface a SPID and LDN if you are using a BRI U interface module.
4. Assign the interface an LDN if you are using a BRI S/T interface.
5. Activate the BRI interface.
Accessing the BRI Interface
To access the BRI interface configuration mode context, enter:
Syntax: interface <interface> <slot>/<port>
Replace <interface> with bri.
On the ProCurve Secure Router, each physical interface is identified by its slot number and port number.
The possible slot numbers for a primary ISDN interface are:
■ 1 = dl option module slot 1
■ 2 = dl option module slot 2
The port number you enter depends on the location of the module you are configuring. Each of the ProCurve ISDN modules has three ports: two ISDN BRI ports (ports 1 and 2) and a backup ISDN BRI port (port 3). For more information about backup ports, see the Advanced Management and Configuration Guide, Chapter 3: Configuring Backup WAN Connections.
For example, if the ISDN module is located in slot 1 and you are configuring the interface for port 2, enter:
ProCurve(config)# interface bri 1/2
The prompt should indicate that you have entered the appropriate interface configuration mode context:
ProCurve(config-bri 1/2)#
Configuring the ISDN Signaling (Switch) Type
The ProCurve Secure Router ISDN module supports the AT&T 5ESS, Northern DMS-100, Euro NET3, and National ISDN-1 standards. You must configure the BRI interface to use the ISDN signaling that your public carrier uses. The signaling type does not necessarily have to be that of the ISDN switch’s manufacturer. For example, a Lucent switch can implement National ISDN-1 signaling. Your public carrier should inform you which signaling method it uses.
To set the signaling type, enter the following command from the BRI interface configuration mode context:
Syntax: isdn switch-type [basic-5ess | basic-dms | basic-net3 | basic-ni]
ProCurve(config-bri 1/2)# isdn switch-type basic-5ess
Table 8-8 lists the command syntax for specifying each signaling type.
Table 8-8. ISDN Signaling Types

Signaling Type              Command Syntax
National ISDN-1             isdn switch-type basic-ni
Euro ISDN                   isdn switch-type basic-net3
Northern Telecom DMS-100    isdn switch-type basic-dms
Lucent/ATT 5ESS             isdn switch-type basic-5ess

The default settings are:
■ ISDN BRI U modules, isdn switch-type basic-5ess
■ ISDN BRI S/T modules, isdn switch-type basic-net3
If your public carrier is using the default signaling type, you do not have to enter the isdn switch-type command. You can simply accept the default setting.
Configuring a SPID and LDN for ISDN BRI U Modules
In North America, some ISDN switches require a SPID to identify each TE on the subscriber’s premises and to determine the types of services that the TE can access. A SPID is typically a 14-digit number that includes the interface’s 10-digit telephone or local directory number (LDN) and a two- to four-digit identifier. This identifier specifies the type of service on the line (data or voice). If the public carrier’s switch requires a SPID, you must specify it when you set up your ISDN equipment.
If you are configuring a router for an ISDN connection in North America, enter the following command to set the SPID:
Syntax: isdn spid1 <SPID1>
Some public carriers assign two SPIDs to ISDN connections that use both channels. You must set the second SPID in order for the second B channel to properly receive data. You set the second SPID using the isdn spid2 command:
Syntax: isdn spid2 <SPID2>
You can set a SPID and an LDN in one command. Enter:
Syntax: isdn spid1 <SPID1> <LDN1>
For example, you might enter:
ProCurve(config-bri 1/3)# isdn spid1 70455511110101 5555551111
Similarly, you can set a second LDN at the same time that you set the second SPID.
ProCurve(config-bri 1/3)# isdn spid2 70455511120101 5555551112
Alternatively, you can set an LDN using a separate command.
Syntax: isdn ldn1 <LDN1>
Syntax: isdn ldn2 <LDN2>
Note: You can set LDNs using the isdn ldn1, isdn ldn2, isdn spid1, or isdn spid2 commands. The router uses whatever LDN1 or LDN2 value was most recently entered using one of these commands.
Configuring an LDN for BRI S/T Modules
The LDN is the PTT or PSTN number that the remote peer calls to reach the BRI interface and establish the WAN link. You must set the LDN in order for the interface to answer calls.
Setting the LDN. Enter the LDN with the isdn ldn1 command:
Syntax: isdn ldn1 <LDN>
For example, you might enter:
ProCurve(config-bri 1/2)# isdn ldn1 5555551111
You can also set a secondary LDN using the isdn ldn2 command:
ProCurve(config-bri 1/1)# isdn ldn2 5555552222
If you are configuring an ISDN line that uses SPIDs (typically a North American ISDN line), you can set the SPID at the same time that you set the LDN.
Activating the Interface
The BRI interface must be manually activated. From the BRI interface configuration mode context, enter:
Syntax: no shutdown
Caller ID Options
If you configure the ProCurve Secure Router to accept ISDN calls from certain numbers, the router checks each incoming call’s caller ID to ensure it matches your list of acceptable numbers. You can override an incoming call’s caller ID using the caller-id override option. Enter:
Syntax: caller-id override [always <number> | if-no-cid <number>]
Replace <number> with the phone number that you want to use to override the incoming caller ID number. The always option replaces the caller ID for all incoming calls with the number you specify. The if-no-cid option uses the specified number only when an incoming call does not carry a caller ID. Because always substitutes the same number on every call, it disables caller-ID screening for that interface; use it only where the carrier does not deliver caller ID, and rely on PPP authentication (see "Configuring PPP Authentication for an ISDN Connection") rather than caller ID to identify the peer.
Configuring the ISDN Group
When you configure demand routing for a primary ISDN connection, you must configure an ISDN group by completing the following steps:
1. Create an ISDN group.
2. Assign BRI interfaces to the group.
3. Make the ISDN group a member of a resource pool.
4. Configure an incoming-accept-number.
Creating an ISDN Group
From the global configuration mode context, enter:
Syntax: isdn-group <number>
Replace <number> with a number between 1 and 255 to uniquely identify this ISDN group.
You are moved to the ISDN group configuration mode context, as shown below:
ProCurve(config-isdn-group 1)#
From here, you can assign primary BRI interfaces to the group, and you can make this group a member of a resource pool. You can also configure the maximum and minimum number of links for an MLPPP connection. (This is explained in “MLPPP: Increasing Bandwidth” on page 8-50.)
Assigning BRI Interfaces to the ISDN Group
To assign a BRI interface to the ISDN group, enter the following command:
Syntax: connect bri <slot>/<port>
Replace <slot> and <port> with the numbers that identify where the BRI interface is installed. You can assign multiple BRI interfaces to the ISDN group. For example, you might enter:
ProCurve(config-isdn-group 1)# connect bri 2/1
ProCurve(config-isdn-group 1)# connect bri 2/2
Assigning the ISDN Group to a Resource Pool
To use the ISDN group for demand routing, you must make the group a member of a resource pool. The resource pool must be associated with at least one demand interface.
From the ISDN group configuration mode context, enter:
Syntax: resource pool-member <poolname>
For example, if the resource pool is called Branch, enter:
ProCurve(config-isdn-group 1)# resource pool-member Branch
Note: The ISDN group can be a member of only one resource pool.
Configuring the incoming-accept-number
You can control which calls the BRI interfaces in the ISDN group accept. From the ISDN group configuration mode context, enter:
Syntax: incoming-accept-number <number>
Replace <number> with the number that should be accepted for this ISDN group. The number you enter should match the digits that populate the called party information element (IE) received on the BRI interface answering the call.
You can use the wildcard characters listed in Table 8-9 to specify a range of numbers.
Table 8-9. Wildcard Characters for incoming-accept-number

Wildcard Character   Explanation
X                    Matches any single digit between 0 and 9
N                    Matches any single digit between 2 and 9
$                    Matches any string of digits, of any length
[ ]                  Matches any digit in the list. For example, if you enter [2,4,6] the ProCurve Secure Router matches only 2, 4, and 6. If you enter [4-6,8] the ProCurve Secure Router matches 4, 5, 6, and 8.

Table 8-10 provides some examples of using wildcard characters.
Table 8-10. Examples of Using Wildcard Characters to Specify incoming-accept-number

Type of incoming-accept-number                                        Pattern
calls for a particular U.S. or Canadian area code                     916$
calls for two numbers, such as 555-1111 and 555-1112                  555-111[1,2]
calls for a group of numbers, such as 555-1000 through 555-2999       555-[1,2]XXX

Check the range a wildcard entry really covers before you commit it. The last entry, for example, matches every number that begins 555-1 or 555-2, that is 555-1000 through 555-2999; an entry that is broader than the LDNs you own accepts calls you did not intend to answer.

Using wildcard characters is especially useful if your company uses ISDN hunt groups and all the ISDN interfaces are assigned to the same ISDN group. ISDN hunt groups bundle multiple ISDN interfaces with unique LDNs together into a single group at the public carrier's CO. When the public carrier's CO receives a call to any of the LDNs assigned to the ISDN interfaces in the hunt group, the public carrier's switch sends the call to the first available ISDN interface. The ISDN group, therefore, must be able to accept calls to multiple LDNs. You can use wildcard characters to create a single entry that matches several numbers.

If the called number carried in an incoming call does not match an incoming-accept-number configured for the ISDN group, the router rejects the call.

Configuring a Static Route for the Demand Interface

As explained earlier, the demand interface spoofs an up status, allowing you to create static routes to the far-end network connected through the dial-up interface. To configure a static route to a far-end network, you must enter the following information:
■ destination address and subnet mask
■ next-hop address or forwarding interface
By default, the administrative distance for a static route is 1 and the metric is 0.
Note: ProCurve Networking recommends that you use static routes for ISDN connections, rather than a dynamic routing protocol. Because routing protocols regularly exchange updates, these updates frequently initiate the ISDN connection, resulting in higher cost for your company's ISDN line. (If you want to send routing updates over the ISDN link, you can configure the ACL that defines interesting traffic so that it does not include routing updates. You can then apply an ACL or ACP to the demand interface to allow the routing updates if the ISDN connection is already established. For more information, see "Applying an ACP or Another ACL to the Demand Interface" on page 8-27.)
You can view the type of information the ProCurve Secure Router stores in its routing table by entering the following command from the enable mode context:
ProCurve# show ip route
Figure 8-12 shows the type of information that is displayed.
Figure 8-12. Routing Table with Static Routes
To configure a static route, enter the following command from the global configuration mode context:
Syntax: ip route <destination A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>
Replace <destination A.B.C.D> with the IP address for the far-end network. For example, the far-end network might be network 192.168.7.0. Next, either specify the complete subnet mask (such as 255.255.255.0) or enter the prefix length (such as /24). Then, specify the forwarding interface as demand <number>. To configure a route to network 192.168.7.0 /24 through demand interface 1, enter:
ProCurve(config)# ip route 192.168.7.0 /24 demand 1
ProCurve# show ip route
C  10.2.2.0/30 is directly connected, ppp 1
C  10.3.3.0/30 is directly connected, demand 1
C  192.168.20.0/24 is directly connected, eth 0/1
S  192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1
S  192.168.7.0/24 [1/0] via 0.0.0.0, demand 1
For more information about configuring static routes, see “Static Routing” on page 11-9 of Chapter 11: IP Routing—Configuring Static Routes.
After you have configured the static route, you should test your configuration to ensure that the ISDN connection is triggered by the appropriate traffic. (For example, you can use the extended ping command to simulate a packet that matches the criteria for interesting traffic.) If the ISDN connection is not established successfully, check your configuration: enter show running-config from the enable mode context and look for any obvious configuration errors. If you do not immediately find a problem, see "Troubleshooting Demand Routing" on page 8-68.
Example of a Successful Demand Interface Call
Figure 8-13 shows the successful establishment of an ISDN connection using the demand interface.
Figure 8-13. Successful Demand Interface Call Setup
[Flowchart: a packet for 192.168.1.29 arrives at the router. Fast-cache table: 192.168.1.0/24 via demand 1. ACL match? (permit ip any 192.168.2.0 0.0.0.255; permit ip any 192.168.1.0 0.0.0.255): No, drop packet; Yes, hand to demand interface. Resource available? Resource pool Pool 1 contains ISDN group 1 (bri 2/1, bri 2/2): Yes, int bri 2/1. connect-order: sequential. connect-sequence 2 dial-string 10997161683 forced-ISDN-64k; connect-sequence 4 dial-string 10995555683 forced-ISDN-64k. Allowed? connect-sequence 2. connect-mode: either. Successfully place call and establish connection.]

When a packet is received on the router, it goes through several processes before it is finally forwarded across a WAN connection. If fast caching is enabled, the router first checks the fast-cache table. In this example, all traffic to the 192.168.1.0 network has a fast-cache route through the demand 1 interface. The router matches the incoming packet with this route and forwards it to the demand interface. (If the packet did not match an entry in the fast-cache table, the router would match it to a route in its standard routing table.)
After the packet has been sent to the demand interface, the router checks the fields in the packet’s IP header (such as source and destination address) against the match-interesting list ACL. If the packet does not match the list, the router drops it. If the packet does match, the demand interface checks its resource pools.
The demand interface searches for the first available interface in its resource pool. In this example, the first resource in resource pool Pool1 is ISDN group 1. Within the ISDN group, the first interface is BRI 2/1. If the BRI 2/1 interface is available, the demand interface begins checking its connect sequences for one that matches with the BRI interface resource.
If a connect sequence is found that permits the demand interface to use the BRI resource interface, the demand interface next checks the connect mode configuration.
If the connect mode is set to the originate or either options, the demand interface places a call through the BRI resource interface. If the call connects, the demand interface can then forward the packet through the BRI interface toward its destination.
MLPPP: Increasing Bandwidth
If you are configuring demand routing for a primary BRI interface, you can aggregate multiple B channels to increase bandwidth. Specifically, you use multilink PPP (MLPPP) to aggregate the multiple channels. To configure MLPPP for BRI interfaces, you must:
1. Enable MLPPP for incoming calls.
2. Enable MLPPP for the demand interface that is managing the BRI interfaces that you want to aggregate.
3. Configure the minimum and maximum channels for the ISDN group.
Configuring MLPPP for Incoming Calls
To enable the negotiation of MLPPP for incoming calls, enter the following command from the global configuration mode context:
ProCurve(config)# data-call multilink
To disable MLPPP for incoming calls, enter:
ProCurve(config)# no data-call multilink
By default, MLPPP is disabled for incoming calls.
Configuring MLPPP for Demand Interfaces
To enable MLPPP, enter the following command from the demand interface configuration mode context:
ProCurve(config-demand 1)# ppp multilink
By default, MLPPP is not enabled.
Configuring the Maximum Number of Interfaces. You can configure the maximum number of interfaces that the demand interface can aggregate for an MLPPP connection. From the demand interface configuration mode context, enter:
Syntax: ppp multilink maximum <interfaces>
Replace <interfaces> with a number between 1 and 8. If MLPPP is enabled for the demand interface, the default value for the maximum number of interfaces is 8.
Note: The ppp multilink maximum command does not affect the number of links used when an interface answers a call, only when it originates a call.
Configuring the MLPPP Interleave. If you configure quality of service (QoS) for the dial-up connections established through the demand interface, you may also want to enable MLPPP interleave. Certain types of high-priority packets may be adversely affected if they are transmitted over an MLPPP connection. If interleave is enabled, the demand interface handles high-priority packets differently. When the demand interface receives a high-priority packet, it encapsulates the packet as PPP (rather than MLPPP) and sends it on the next available link.
To enable MLPPP interleave, enter:
ProCurve(config-demand 1)# ppp multilink interleave
Note: If the MTU for the demand interface is lower than the size of the high-priority packet, the demand interface will drop the packet.
Configuring MLPPP Fragmentation. When a packet is to be transmitted across an MLPPP connection, the demand interface divides the packet into fragments of equal length. If possible, the number of fragments equals the number of active links in the MLPPP bundle, and the fragments are transmitted simultaneously, one over each link. Fragmentation may also be controlled by the MTU setting of the demand routing interface.
To enable fragmentation for MLPPP, enter the following command from the demand interface configuration mode context:
ProCurve(config-demand 1)# ppp multilink fragmentation
Configuring the Minimum and Maximum Channels. When you configure MLPPP for primary BRI interfaces, you must configure the minimum and maximum number of B channels that can be aggregated into a single MLPPP connection. Aggregated channels belong to BRI interfaces that are in the same ISDN group, so you specify the minimum and maximum numbers from an ISDN group configuration mode context. Enter:
Syntax: min-channels <number>
Syntax: max-channels <number>
Although the range for <number> is between 1 and 255, the actual number of channels you can enter is limited by the number of BRI interfaces assigned to the ISDN group. For example, if the ISDN group includes two BRI interfaces, the highest number of channels that can be used is 4 (two channels from each interface).
Example of MLPPP with Demand Routing
Figure 8-14 shows an example configuration of MLPPP configured for a demand interface.
Figure 8-14. MLPPP Configuration for Demand Routing

interface bri 2/1
  isdn ldn1 968483940096
  no shutdown
!
interface bri 2/2
  isdn ldn1 978484540055
  no shutdown
!
interface demand 1
  idle-timeout 240
  resource pool Pool
  match-interesting list Call out
  match-interesting reverse list Call in
  connect-sequence 1 dial-string 9633333 forced-isdn-64k busyout-threshold 3
  connect-sequence 2 dial-string 9634444 forced-isdn-64k busyout-threshold 3
  connect-sequence interface-recovery retry-interval 120 max-retries 0
  ip address 10.1.1.1 255.255.255.0
  ppp multilink                          (MLPPP enabled)
  ppp multilink maximum 2
  no shutdown
!
isdn-group 1
  min-channels 4                         (minimum and maximum channels)
  max-channels 4
  resource pool-member Pool
  connect bri 2/1
  connect bri 2/2
!
ip access-list extended Call
  permit ip any 192.168.2.0 0.0.0.255
!
ip route 192.168.2.0 255.255.255.0 demand 1

Configuring PPP Authentication for an ISDN Connection

If you want to ensure that only authorized peers establish a PPP connection with the demand interfaces on the ProCurve Secure Router, you can configure PPP authentication. The ProCurve Secure Router supports Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) for PPP authentication. PAP sends the username and password in cleartext in its Authenticate-Request, whereas CHAP sends only an MD5 digest of a random challenge and the shared secret, so prefer CHAP unless the peer cannot support it.

Note: To protect your WAN, ProCurve Networking strongly recommends that you enable PPP authentication for the ISDN connection.
Enabling PPP Authentication for All Demand Interfaces
You must configure the PPP authentication protocol that the router uses for inbound calls. To configure the authentication protocol that the demand interfaces expect to receive for inbound calls, enter the following command from the global configuration mode context:
Syntax: data-call authentication protocol [chap | pap]
Include either the chap option or the pap option, depending on which PPP authentication protocol you want to use to authenticate peers.
You should also specify which authentication protocol the demand interfaces send to authenticate themselves to a peer when answering a call. From the global configuration mode context, enter:
Syntax: data-call sent authentication protocol [chap | pap]
By default no authentication protocol is specified for demand interfaces.
Disabling the Authentication Protocol. To disable the global setting for the PPP authentication protocol that is used for demand routing interfaces, enter:
ProCurve(config)# no data-call authentication protocol
ProCurve(config)# no data-call sent authentication protocol
Configuring PAP Authentication for a Demand Interface
If you want to use PAP as the authentication protocol, you must configure the username and password that the ProCurve Secure Router sends when the far-end router requests authentication information from a demand interface. From the demand interface configuration mode context, enter:
Syntax: ppp pap sent-username <username> password <password>
Configuring CHAP Authentication for a Demand Interface
If you want to use CHAP, you must configure the password that the ProCurve Secure Router sends when the far-end router requests authentication infor-mation from a demand interface. From the demand interface configuration mode context, enter:
Syntax: ppp chap password <password>
When you replace <password>, ensure that you are using the same settings that are configured on the far-end router.
The username that is sent is the hostname of the router. If necessary, you can override this username with this demand interface configuration command:
Syntax: ppp chap hostname <hostname>
Configuring the Username and Password That the Router Expects to Receive
You must also configure the username and password that the ProCurve Secure Router expects to receive from the far-end router. From the demand interface configuration mode context, enter:
Syntax: username <username> password <password>
For example, you might enter:
ProCurve(config-demand 1)# username SiteB password procurve
For CHAP, the username should be the hostname of the peer.
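The following Python script is an added example and not code from the router or this guide. It builds the PAP Authenticate-Request (RFC 1334) and the CHAP Challenge and Response frames (RFC 1994) and checks them against the kind of username/password table that the username command above populates, so the difference between the two protocols on the wire can be seen: the PAP frame carries the password literally, the CHAP frames carry only an MD5 digest bound to the challenge value and identifier. The peer names, secrets and the fixed challenge value are made up for the example; a real authenticator draws the challenge at random, which the script does when no value is supplied.

```python
"""PAP versus CHAP on a PPP dial-up link.

Added illustration, not code from the ProCurve Secure Router or this guide.
Frame layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP with MD5). Names,
secrets and the sample challenge value are constructed for the example.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, Optional

PAP_AUTH_REQ = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_authenticate_request(ident: int, peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request: Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Passwd."""
    pid, pw = peer_id.encode(), password.encode()
    payload = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(payload)) + payload


def pap_check(packet: bytes, table: Dict[str, str]) -> bool:
    """Authenticator side of PAP: compare the cleartext password with the configured one."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQ or length != len(packet):
        return False
    n = packet[4]
    peer_id = packet[5:5 + n].decode()
    m = packet[5 + n]
    password = packet[6 + n:6 + n + m].decode()
    return table.get(peer_id) == password


def chap_challenge(ident: int, name: str, value: Optional[bytes] = None) -> bytes:
    """CHAP Challenge sent by the authenticator; `name` is its hostname."""
    value = os.urandom(16) if value is None else value
    payload = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(payload)) + payload


def chap_response(challenge: bytes, name: str, secret: str) -> bytes:
    """CHAP Response from the peer: MD5(Identifier || secret || challenge value), plus its name."""
    _code, ident, _length = struct.unpack("!BBH", challenge[:4])
    size = challenge[4]
    digest = hashlib.md5(bytes([ident]) + secret.encode() + challenge[5:5 + size]).digest()
    payload = bytes([len(digest)]) + digest + name.encode()
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(payload)) + payload


def chap_check(challenge: bytes, response: bytes, table: Dict[str, str]) -> bool:
    """Authenticator side of CHAP: look the peer's name up (`username <name> password <secret>`)
    and recompute the digest over the identifier and value of *this* challenge."""
    c_code, c_ident, _ = struct.unpack("!BBH", challenge[:4])
    r_code, r_ident, r_len = struct.unpack("!BBH", response[:4])
    if c_code != CHAP_CHALLENGE or r_code != CHAP_RESPONSE:
        return False
    if c_ident != r_ident or r_len != len(response):
        return False
    size = response[4]
    digest = response[5:5 + size]
    name = response[5 + size:].decode()
    secret = table.get(name)
    if secret is None:
        return False
    c_size = challenge[4]
    expected = hashlib.md5(bytes([c_ident]) + secret.encode() + challenge[5:5 + c_size]).digest()
    return hmac.compare_digest(expected, digest)


def secret_visible_on_wire(frames: Iterable[bytes], secret: str) -> bool:
    """What a tap on the B channel learns: True if the secret appears literally in any frame."""
    return any(secret.encode() in frame for frame in frames)


if __name__ == "__main__":
    # Constructed peer table, the equivalent of: username SiteB password s3cr3t-B
    peers = {"SiteB": "s3cr3t-B"}
    pap = pap_authenticate_request(1, "SiteB", "s3cr3t-B")
    print("PAP accepted:", pap_check(pap, peers), "secret on wire:", secret_visible_on_wire([pap], "s3cr3t-B"))
    chal = chap_challenge(7, "HQ", b"\x01" * 16)
    resp = chap_response(chal, "SiteB", "s3cr3t-B")
    print("CHAP accepted:", chap_check(chal, resp, peers), "secret on wire:", secret_visible_on_wire([chal, resp], "s3cr3t-B"))
```

With the constructed table, both protocols accept the right secret and reject a wrong one, but only the PAP frame exposes the secret to anyone recording the B channel. The CHAP check also fails when the response is replayed against a later challenge, because the digest is bound to that challenge's identifier and value; a captured PAP request, by contrast, is valid forever.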
Configuring Peer IP Address
You can also configure the IP address of the PPP peer for the dial-up WAN connection. From the demand interface configuration mode context, enter:
Syntax: peer default ip address <A.B.C.D>
Replace <A.B.C.D> with the IP address of the far-end router.
Example of Demand Routing with PAP Authentication
Figure 8-15 shows a demand routing configuration that uses PAP authentication. The data-call commands enable PAP authentication for all demand interfaces configured on the router. The ppp authentication pap command enables PAP for the demand interface. The username command establishes the username and password that the PPP peer will submit to the ProCurve Secure Router. The ppp pap sent-username command configures the username and password that the ProCurve Secure Router will send its peer.
Figure 8-15. Using PAP Authentication with Demand Routing

data-call authentication protocol pap          (data-call commands to enable PAP authentication)
data-call sent authentication protocol pap
!
interface bri 2/1
  isdn ldn1 968483940096
  no shutdown
!
interface bri 2/2
  isdn ldn1 978484540055
  no shutdown
!
interface demand 1
  idle-timeout 240
  resource pool Pool
  match-interesting list Call out
  match-interesting reverse list Call in
  connect-sequence 1 dial-string 9633333 forced-isdn-64k busyout-threshold 3
  connect-sequence 2 dial-string 9634444 forced-isdn-64k busyout-threshold 3
  connect-sequence interface-recovery retry-interval 120 max-retries 0
  ip address 10.1.1.1 255.255.255.0
  ppp authentication pap                       (PAP configured for this demand interface)
  ppp multilink
  ppp multilink maximum 2
  username procurve password procurve          (username and password the demand interface expects to receive from its PPP peer)
  ppp pap sent-username procurve password procurve   (username and password the demand interface sends to its PPP peer)
  no shutdown
!
isdn-group 1
  min-channels 4
  max-channels 4
  resource pool-member Pool
  connect bri 2/1
  connect bri 2/2
!
ip access-list extended Call
  permit ip any 192.168.2.0 0.0.0.255
!
ip route 192.168.2.0 255.255.255.0 demand 1

The figure uses the same string for both usernames and both passwords to keep the example short. In production, give each peer its own username and a secret that is not the product name or a word found in documentation, and remember that with PAP that secret crosses the B channel in cleartext.

Setting the MTU for Demand Interfaces

When establishing a link, PPP peers must agree on how much data can be contained in the information field of PPP frames. The value that communicates this frame size is called the maximum receive unit (MRU). To increase or decrease the value of the MRU, a PPP peer sets the MRU configuration option in the Link Control Protocol (LCP). (LCP is one of the protocols in the PPP suite. LCP is used to establish and control the PPP connection.)
To control the MRU that is negotiated between the two PPP peers, you configure the maximum transmission unit (MTU), which defines the largest size for a frame that the router can send over the connection. By default, demand interfaces (which use PPP) have an MTU of 1500 bytes. If a frame exceeds the MTU, it must be fragmented.
To successfully negotiate a PPP session, the two peers should be using the same MTU.
To configure the MTU for all PPP connections used with demand routing, enter:
ProCurve(config)# data-call mtu <number>
Replace <number> with a value between 64 and 1520.
To disable this setting for interfaces used with demand routing, enter:
ProCurve(config)# no data-call mtu
Configuring an ISDN Template
Some companies may want to use an ISDN template to encode the caller-number and called-number for inbound and outbound calls. This template allows you to configure the prefix and call type globally.
Note: Entering this command is optional; an ISDN template is not required for demand routing.
To create an ISDN template, enter the following command from the global configuration mode context:
Syntax: isdn-number-template <template id> prefix <prefix> [abbreviated | international | national | network-specific | subscriber | unknown] <pattern>
Replace <template id> with a number between 1 and 255.
Replace <prefix> with the expected prefix for the call type. If you do not want to specify a prefix, leave this option blank by entering double quotation marks (""). Do not enter a space between the quotation marks. If you want to specify a prefix, enter the digit string the caller dials before the number itself, of any length. For example, for international calls made from within the United States, you might enter a prefix of 011.
Specify a call type by entering one of the options listed in Table 8-11.
Table 8-11. Options for Call Type

Call Type          Explanation
abbreviated        Sets abbreviated (bits 110) in the Type of Number octet. Used primarily for private ISDN network applications; the implementation is network-dependent.
international      Sets international (bits 001) in the Type of Number octet. Used for calls destined outside the national calling area.
national           Sets national (bits 010) in the Type of Number octet. Used for calls inside the national calling area, that is, calls that may cross local access and transport area (LATA) boundaries but not a national border.
network-specific   Sets network-specific (bits 011) in the Type of Number octet. Used for calls that require special access to a private network. The dialing prefix serves only to gain access to that network, so the router strips it before sending the called number.
subscriber         Sets subscriber (bits 100) in the Type of Number octet. Used for intra-LATA (local) calls. By default, the area code is removed for these calls.
unknown            Sets unknown (bits 000) in the Type of Number octet. Used when the type of number is not known. Unknown numbers are assumed to have no prefix, and the entire dialed number is used.

Use the options in Table 8-12 to specify a <pattern> for the call type.
Table 8-12. Characters for Call Patterns

Valid Characters   Explanation
0-9                Match the exact digit only
X                  Match any single digit between 0 and 9
N                  Match any single digit between 2 and 9
M                  Match any single digit between 1 and 8
$                  Match any string of digits, of any length
[ ]                Match any digit in the list. For example, if you enter [1,4,6] the ProCurve Secure Router matches only 1, 4, and 6. If you enter [1-3,5] the ProCurve Secure Router matches 1, 2, 3, and 5.

For example, if you want to create a pattern for U.S. local calls, you would enter NXX-XXXX. The N wildcard specifies that the first digit can be between 2 and 9. Each X can be any digit between 0 and 9.

Other examples of using wildcard characters are listed in Table 8-13.

Table 8-13. Using Characters for Call Patterns

Numbers to Match                                                      Pattern
calls from one U.S. or Canadian area to another                       NXX-NXX-XXXX
calls from one country to another                                     N$
calls for a particular U.S. or Canadian area code                     916$
calls for two numbers, such as 555-1111 and 555-1112                  555-111[1,2]
calls for a group of numbers, such as 555-1000 through 555-2999       555-[1,2]XXX

Using Call Types and Patterns

Call types and patterns are interdependent, as explained below:

International. If you specify the international call type, the prefix is removed. For example, an international call from within the United States consists of 011-N$. The international prefix is 011, and N$ represents the digits necessary for routing the call at the destination. You would enter:
ProCurve(config)# isdn-number-template 1 prefix 011 international N$
When the called party information element (IE) is created for this call, the router removes the prefix and places the N$ digits in the Number Digits field.
National. For national calls, the dialing prefix is removed. For example, a call from one U.S. LATA to another uses the format 1-NXX-NXX-XXXX. The U.S. prefix is 1, and NXX-NXX-XXXX represents the 10-digit number necessary for routing the call. When the router creates the called party IE for this call, it removes the prefix and places the NXX-NXX-XXXX digits in the Number Digits field.
Network-Specific. If you specify the network-specific call type, the ProCurve Secure Router removes the prefix for the call when it prepares the called party IE. For example, if the router is making a call to 700-N$, the dialing prefix is 700 and N$ represents the digits necessary for routing the call at the destination. The ProCurve Secure Router removes the prefix and places the N$ in the Number Digits field.
Subscriber. The ProCurve Secure Router also removes the prefix if you specify the subscriber call type. For example, if the router is making a call to 916-555-1212 with a prefix of 916, it removes the 916 prefix and places 555-1212 in the Number Digits field. For areas with mandatory 10-digit dialing, enter a blank prefix ("") to ensure that all ten digits are passed to the Number Digits field.
Default ISDN Template
By default, there is one isdn-number-template entry:
isdn-number-template 0 prefix "" subscriber 911
This entry allows you to make emergency calls within the United States.
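The script below is an added Python example, not code from the router or this guide. It implements the wildcard semantics shared by incoming-accept-number (Table 8-9) and the isdn-number-template patterns (Table 8-12), the prefix-stripping rule of the call types, and the encoding of the resulting digits into a Q.931 Called Party Number information element with the Type of Number bits from Table 8-11. Three points are assumptions and are flagged as such in the code: $ is taken to match zero or more digits, templates are searched in the order listed (the guide does not say how the router chooses among overlapping templates), and the Numbering Plan Identification nibble of the IE is set to E.164 (0001), which the guide does not document. The template list reproduces the default template 0 and the examples from this section; the dialed numbers and accept-number entries are constructed for the test.

```python
"""Dial-plan checks for the ProCurve ISDN wildcards and isdn-number-template.

Added illustration, not code from the router or the guide. Assumptions,
flagged where they apply: '$' matches zero or more digits, templates are
searched in the order given, and the Numbering Plan Identification nibble
of the Called Party Number IE is E.164 (the guide documents only the Type
of Number bits).
"""
import re
from typing import List, Optional, Sequence, Tuple

# Type of Number bits from Table 8-11 (bits 7-5 of octet 3 of the Called Party Number IE)
TYPE_OF_NUMBER = {
    "unknown": 0b000, "international": 0b001, "national": 0b010,
    "network-specific": 0b011, "subscriber": 0b100, "abbreviated": 0b110,
}
NPI_E164 = 0b0001  # assumption: ISDN/telephony numbering plan (E.164)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a dial pattern (X, N, M, $, [list], literal digits; hyphens ignored) to an anchored regex."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "-":
            pass                                    # hyphens are for readability only
        elif ch == "X":
            parts.append("[0-9]")
        elif ch == "N":
            parts.append("[2-9]")
        elif ch == "M":
            parts.append("[1-8]")
        elif ch == "$":
            parts.append("[0-9]*")                  # assumption: zero or more digits
        elif ch == "[":
            end = pattern.index("]", i)
            parts.append("[" + pattern[i + 1:end].replace(",", "") + "]")
            i = end
        elif ch.isdigit():
            parts.append(ch)
        else:
            raise ValueError(f"unsupported pattern character {ch!r}")
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def group_accepts(accept_numbers: Sequence[str], called: str) -> bool:
    """incoming-accept-number: the called party IE digits must match one configured entry."""
    digits = called.replace("-", "")
    return any(pattern_to_regex(p).match(digits) for p in accept_numbers)


def select_template(templates: Sequence[Tuple[str, str, str]], dialed: str) -> Optional[Tuple[int, str]]:
    """First (prefix, call_type, pattern) whose prefix and pattern fit the dialed digits.

    Returns the Type of Number bits and the digits left after the prefix is stripped."""
    digits = dialed.replace("-", "")
    for prefix, call_type, pattern in templates:    # assumption: searched in configured order
        rest = digits[len(prefix):]
        if digits.startswith(prefix) and pattern_to_regex(pattern).match(rest):
            return TYPE_OF_NUMBER[call_type], rest
    return None


def called_party_ie(ton: int, number_digits: str) -> bytes:
    """Q.931 Called Party Number IE: identifier 0x70, length, ext|TON|NPI octet, IA5 digits."""
    octet3 = 0x80 | (ton << 4) | NPI_E164           # bit 8 set: no octet 3a follows
    body = bytes([octet3]) + number_digits.encode("ascii")
    return bytes([0x70, len(body)]) + body


# Default template 0 followed by the examples in this section.
TEMPLATES = [
    ("", "subscriber", "911"),
    ("011", "international", "N$"),
    ("1", "national", "NXX-NXX-XXXX"),
    ("700", "network-specific", "N$"),
    ("916", "subscriber", "NXX-XXXX"),
]

if __name__ == "__main__":
    print(group_accepts(["555-[1,2]XXX"], "555-2999"))      # True: wider than 555-2000
    print(select_template(TEMPLATES, "916-555-1212"))       # (4, '5551212')
    print(called_party_ie(*select_template(TEMPLATES, "916-555-1212")).hex())
```

Running group_accepts against the Table 8-10 entries makes the range question concrete: 555-[1,2]XXX admits 555-2999 as well as 555-1000, so a hunt group with LDNs only up to 555-2000 should be covered by a tighter list of entries. select_template shows why template order matters when prefixes overlap: 1-916-555-1212 is national with the leading 1 stripped, while 916-555-1212 falls to the subscriber template and leaves 555-1212 in the Number Digits field.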
Configuring Demand Routing for Primary ISDN Modules: Viewing Information about Demand Routing
Viewing Information about Demand Routing
You can use show commands to view different aspects of your demand routing configuration. For example, you can view the status of a demand interface and any dial-up connections that are established through a demand interface. Table 8-14 lists the show commands for demand routing.
Table 8-14. show Commands for Demand Routing

Command                                               Description
show interface demand <number>                        displays the status of the demand interface
show demand interface demand <number>                 displays a summary of information about the demand interface, including the timers, state, physical interface in use (if the connection is up), last outgoing call, and last incoming call
show interface <dial-up interface> <slot>/<port>      displays the status of the physical interface
show demand sessions                                  displays information about existing dial-up connections established through demand routing
show demand resource pool <pool name>                 lists the resources assigned to the resource pool and the demand interface associated with the resource pool
show running-config                                   displays the current configuration
show running-config interface demand <number>         displays the current configuration for a demand interface

Viewing the Status of the Demand Interface

To view the status of the demand interface, enter the following command from the enable mode context:
Syntax: show interfaces demand <number>
For example, to view the status of demand interface 1, enter:
ProCurve# show interfaces demand 1
Figure 8-16 shows the results of this command if demand interface 1 is spoofing its up status and a dial-up connection has not been established. In addition to showing the status of the interface, this command displays settings for the following commands:
■ connect-mode
■ resource pool
■ connect-sequence
■ idle-timeout
■ fast-idle
■ ip address
Figure 8-16. Viewing the Status of the Demand Interface When a Dial-Up Connection Has Not Been Established

Demand 1 is UP (Spoofing)
Configuration:
  Keep-alive is set (10 sec.)
  Admin MTU = 1500
  Mode: Either, 1 dial entries, idleTime = 120, fastIdle = 20
  Resource pool Pool
  No authentication configured
  IP address 10.10.10.1 255.255.255.252
  Recovery enabled, interval = 60, max-retries = 5
  Connect Sequence: Successes = 1, Failures = 0
  Seq  DialString  Technology  Successes  Busys  NoAnswers  NoAuths  InUse
  1    9634444     IsdnForced  1          0      0          0
Current values:
  Local IP address 10.10.10.1, Peer IP address 0.0.0.0
  Queueing method: weighted fair
  Output queue: 0/1/428/64/0 (size/highest/max total/threshold/drops)
  Conversations 0/1/256 (active/max active/max total)
  Available Bandwidth 48 kilobits/sec
  Bandwidth=64 Kbps

Callouts in Figure 8-16: "UP (Spoofing)" means the demand interface is spoofing its up status and a dial-up connection is not actually established; the Connect Sequence rows show the information configured in the connect sequence (the dial-string the interface will call and the technology); the Configuration block shows the resource pool and the connect-mode, idle time, and fast idle settings.

If a connection has been established through the demand interface, the show interfaces demand 1 command also shows:
■ the number of seconds until the ISDN connection is terminated
■ the number of frames in and out
■ the traffic that triggered the connection (the interesting traffic)
■ the amount of time the connection has been up
■ the BRI interface and channel through which the connection was established
Figure 8-17 provides the results of the show interfaces demand 1 command when an ISDN connection has been established.

Figure 8-17. Viewing the Status of the Demand Interface When an ISDN Connection Is Established

Demand 1 is UP (connected)
Configuration:
  Keep-alive is set (10 sec.)
  Admin MTU = 1500
  Mode: Either, 1 dial entries, idleTime = 120, fastIdle = 20
  Resource pool Pool1
  No authentication configured
  IP address 10.1.1.1 255.255.255.252
  Recovery enabled, interval = 120
  Connect Sequence: Successes = 1, Failures = 0
  Seq  DialString  Technology  Successes  Busys  NoAnswers  NoAuths  InUse
  1    9631111     ISDNForced  1          0      0          0        YES
Current values:
  Local IP address 10.1.1.1, Peer IP address 10.2.2.2
  Seconds until disconnect: 36
  Interesting pkt: ICMP: src=192.168.1.1 dest=192.168.6.1
  Queueing method: weighted fair
  Output queue: 0/1/428/64/0 (size/highest/max total/threshold/drops)
  Conversations 0/1/256 (active/max active/max total)
  Available Bandwidth 48 kilobits/sec
  Bandwidth=0 Kbps
  Link through ISDN Group 1:Ch 0(bri 2/1), Uptime 0:01:40
  IN: Octets 1064, Frames 44, Errors 0
  OUT: Octets 1063, Frames 44, Errors 0
  Last called num 9631111

Callouts in Figure 8-17: "UP (connected)" means a dial-up connection has been established; InUse = YES marks the connect sequence in use; the Configuration block shows the resource pool and the connect-mode, idle time, and fast idle settings; "Seconds until disconnect" is the time until disconnect; "Link through ..." names the physical dial-up interface used to make the connection and the length of time the connection has been established; "Interesting pkt" is the traffic that triggered the connection.

Both sample interfaces report "No authentication configured": a peer that reaches the router through such an interface is never asked to prove its identity, so check this line whenever you review a demand interface. (See "Troubleshooting PPP for the ISDN Connection" on page 8-75 for the PPP authentication debug commands.)

Viewing a Summary of Information about the Demand Interface
To view a summary of information about the demand interface, enter:
Syntax: show demand interfaces demand <number>
This command displays:
■ settings for the idle-timeout and fast-idle
■ state of the dial-up connection
■ traffic that triggered the dial-up connection
■ time until disconnect
■ last incoming and outgoing call
As Figure 8-18 shows, this command also lists multiple channels if MLPPP is configured for the ISDN connection.

Figure 8-18. Summary Information for Demand 1 Interface

demand 1
Idle timer (120 secs), Fast idle timer (20)
Dialer state is data link layer up
Dial reason: ip (s=192.168.1.23, d=192.168.2.23)
Link thru 1_0(bri 2/1.1) is up
  Time until disconnect 106
  Last outgoing call
  Last incoming call
Link thru 1_1(bri 2/1.2) is up
  Time until disconnect 106
  Last outgoing call
  Last incoming call

Callouts in Figure 8-18: the number of active calls is 2, and the two links show that MLPPP is enabled.

Viewing the Status of the BRI Interface
To view the status of a BRI interface that is associated with the demand interface, enter:
Syntax: show interface bri <slot>/<port>
Replace <slot> with the slot number in which the ISDN BRI module is installed, and replace <port> with the appropriate port number.
For example, to view the status of the BRI 2/1 interface, enter:
ProCurve# show interface bri 2/1
This command reports the status of the BRI interface and the status of the line. The status of the BRI interface should always be up, indicating that it is either available to make a connection or is already maintaining a connection. If the BRI interface is down, you must bring it up, or it will not be able to place or receive any calls.
The line status indicates whether or not the BRI interface has established a connection. If the interface has not established a connection, the line status should be "ready," as shown in Figure 8-19.
Figure 8-19. Viewing the Status of a BRI Interface

bri 1/1 is UP
Line status: ready
Caller ID will be used to route incoming calls
Caller ID normal
Switch protocol: Net3 Euro ISDN
SPID 1 n/a, LDN 1 9631111
SPID 2 n/a, LDN 2 n/a
B1 - Idle
B2 - Idle
D - Allocated
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame
0 abort, 0 discards, 0 overruns
0 packets output, 0 bytes, 0 underruns

Callouts in Figure 8-19: "Line status: ready" means the interface is activated but not providing a connection; LDN 1 is the number at which the local router can be reached.

In addition to displaying status information, the show interfaces bri command lists settings such as the ISDN switch signaling type, LDN, and SPID (if a SPID is configured), so you can use this command to verify that these settings are configured correctly.
If your public carrier requires a SPID, double-check whether you were assigned one or two SPIDs. When you use both B channels, public carriers using National ISDN and Northern Telecom DMS-100 switching sometimes require you to configure a SPID for each channel.
Figure 8-20 shows the results of entering the show interfaces bri command for a BRI interface that is in use. If the BRI interface is in use, you can view packet statistics and errors for the ISDN connection. (For information about other line status settings, see "Checking the BRI Interface" on page 8-69.)
Figure 8-20. Viewing the Status of a BRI Interface That Is in Use

bri 1/2 is UP
Line status: connected
Caller ID will be used to route incoming calls
Caller ID normal
Switch protocol: Net3 Euro ISDN
SPID 1 n/a, LDN 1 9631111
SPID 2 n/a, LDN 2 n/a
5 minute input rate 112 bits/sec, 0 packets/sec
5 minute output rate 112 bits/sec, 0 packets/sec
155 packets input, 8467 bytes, 0 no buffer
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame
0 abort, 0 discards, 0 overruns
157 packets output, 8408 bytes, 0 underruns

Viewing Demand Sessions
You can view all of the dial-up connections currently established through demand routing. From the enable mode context, enter:
ProCurve# show demand sessions
The sessions are listed in the order in which they were established. (See Figure 8-21.) For each session, this command lists:
■ demand interface through which the connection was established
■ IP address of the demand interface and the far-end router
■ interesting traffic that triggered the connection
■ number of links for each session if MLPPP is enabled
■ BRI interfaces through which the links were established
■ connection time
■ idle-timeout setting
Figure 8-21. Viewing Demand Sessions

Session 1
Interface demand 1
Local IP address = 10.1.1.1
Remote IP address = 10.2.2.1
Remote Username =
Dial reason: ip (s=192.168.1.23, d=192.168.2.23)
Link 1 Dialed number =
  Resource interface = 1_0(bri 2/1.1), Multilink
  Connect time: 0:1:28 Idle Timer: 120
Link 1 Dialed number =
  Resource interface = 1_1(bri 2/1.2), Multilink
  Connect time: 0:1:28 Idle Timer: 120

Callout in Figure 8-21: the connection is through channel 1 and channel 2 on the BRI 2/1 interface (bri 2/1.1 and bri 2/1.2). The empty Remote Username field is consistent with the "No authentication configured" line in Figure 8-17: the peer was not authenticated by PPP.

Viewing the Resource Pool
You can view which interfaces or ISDN groups have been assigned to a particular resource pool. You can also view which demand interfaces use the pool. (See Figure 8-22.) From the enable mode context, enter:
ProCurve# show demand resource pool <poolname>

Figure 8-22. Viewing a Resource Pool

Pool backup
Resources: 1_0, 1_1, bri 1/3
Demand Interfaces: demand 1

Show the Running-Config for the Demand Interface
One way to check your demand routing configuration is to view the entire running-config file. From the enable mode context, enter:
ProCurve# show running-config
You must then scroll through the file to find the various commands you entered for demand routing.
To view the configuration of just the demand interface, enter:
ProCurve# show running-config interface demand <number>
Figure 8-23 shows the running-config for a demand interface that is configured to use MLPPP and PPP authentication.

Figure 8-23. Viewing the Running-Config for a Demand Interface

interface demand 1
  idle-timeout 240
  resource pool Pool
  match-interesting list Call out
  match-interesting reverse list Call in
  connect-sequence 1 dial-string 9633333 forced-isdn-64k busyout-threshold 3
  connect-sequence 2 dial-string 9634444 forced-isdn-64k busyout-threshold 3
  connect-sequence interface-recovery retry-interval 120 max-retries 0
  ip address 10.1.1.1 255.255.255.0
  ppp authentication pap
  ppp multilink
  ppp multilink maximum 2
  username procurve password procurve
  ppp pap sent-username procurve password procurve
  no shutdown

Troubleshooting Demand Routing
After you configure demand routing, you should test your configuration to ensure that it is working correctly. Is the right traffic triggering the connection, and can the BRI interface successfully establish a connection to the far-end router? Are your settings for the idle-timeout and the fast-idle sufficient for your WAN environment?
Checking the Demand Interface
The first step you should take to check your configuration is also the first step you should take to troubleshoot demand routing. You should ensure that the demand interface and its associated BRI interfaces are ready to make a connection.
Use the show interfaces demand command to view the status of the demand interface, which should be up (spoofing). If the demand interface is down, ensure that you have assigned it a valid IP address. If you configured the demand interface as an unnumbered interface, make sure that the interface with the actual IP address is up.
If the demand interface went down because it could not establish a connection during the recovery mode, its status will be down (recovery failed). In this case, you must identify the problem causing the failure and then you must clear the connection so that the status of the demand interface returns to up (spoofing). Until then, the demand interface cannot establish an ISDN connection.
To clear the ISDN connection, shut down the demand interface. From the demand interface configuration mode context, enter:
ProCurve(config-demand 1)# shutdown
To re-activate the interface, enter:
ProCurve(config-demand 1)# no shutdown
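Besides checking the interface state, it pays to review the demand interface stanza itself before trusting the link: the Figure 8-23 configuration authenticates the peer with PAP, which sends the password in the clear, and uses "procurve" as both username and password in both directions. The following Python is an added example, not code from the manual or the Secure Router OS; it splits the interface demand stanzas out of a saved running-config and reports the settings a reviewer would question. The first stanza in SAMPLE_CONFIG is copied from Figure 8-23; the second is a constructed hardened variant whose "ppp authentication chap" line is assumed from the manual's mention of PAP and CHAP rather than taken from a configuration on the page.

```python
"""Audit the PPP settings of the interface demand stanzas in a running-config.

Added example, not code from the ProCurve manual or the Secure Router OS.
Stanza 1 of SAMPLE_CONFIG is the Figure 8-23 configuration; stanza 2 is a
constructed hardened variant (its chap line is an assumption).
"""
import re

SAMPLE_CONFIG = """\
interface demand 1
 idle-timeout 240
 resource pool Pool
 match-interesting list Call out
 match-interesting reverse list Call in
 connect-sequence 1 dial-string 9633333 forced-isdn-64k busyout-threshold 3
 connect-sequence 2 dial-string 9634444 forced-isdn-64k busyout-threshold 3
 connect-sequence interface-recovery retry-interval 120 max-retries 0
 ip address 10.1.1.1 255.255.255.0
 ppp authentication pap
 ppp multilink
 ppp multilink maximum 2
 username procurve password procurve
 ppp pap sent-username procurve password procurve
 no shutdown
interface demand 2
 resource pool Pool
 match-interesting list Branch1
 connect-sequence 1 dial-string 9635555 forced-isdn-64k busyout-threshold 3
 ip address 10.1.2.1 255.255.255.252
 ppp authentication chap
 username branch1 password Vq7!tR9#pLm2
 no shutdown
"""

WEAK_PASSWORDS = {"procurve", "password", "admin", "isdn"}   # constructed deny-list
USER_RE = re.compile(r"username (\S+) password (\S+)$")
SENT_RE = re.compile(r"ppp pap sent-username (\S+) password (\S+)$")


def split_stanzas(config):
    """Collect the indented lines under each 'interface demand N' heading."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface demand (\d+)$", line)
        if m:
            current = "demand " + m.group(1)
            stanzas[current] = []
        elif current is not None and raw[0] in " \t":
            stanzas[current].append(line)
        else:
            current = None          # any other top-level command ends the stanza
    return stanzas


def audit_stanza(lines):
    """Return a list of findings (empty when nothing is wrong)."""
    findings = []
    auth = [l.split()[2] for l in lines if l.startswith("ppp authentication ")]
    if not auth:
        findings.append("no PPP authentication: any peer whose call is answered gets a link")
    elif "pap" in auth:
        findings.append("PAP sends the peer's password in cleartext; use chap")
    accounts = [m.groups() for m in (USER_RE.match(l) for l in lines) if m]
    for user, pw in accounts:
        if pw == user or pw.lower() in WEAK_PASSWORDS:
            findings.append("peer account %s: weak password (equals username or on deny-list)" % user)
    for user, pw in (m.groups() for m in (SENT_RE.match(l) for l in lines) if m):
        if (user, pw) in accounts:
            findings.append("sent-username %s: same credential used in both directions" % user)
    if not any(l.startswith("match-interesting ") for l in lines):
        findings.append("no match-interesting ACL: no traffic can trigger a call")
    if not any(l.startswith(("ip address ", "ip unnumbered ")) for l in lines):
        findings.append("no IP address: the interface stays down")
    if "shutdown" in lines:
        findings.append("interface is administratively shut down")
    return findings


def audit_config(config):
    return {name: audit_stanza(lines) for name, lines in split_stanzas(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or ["ok"])
```

Run against the sample, demand 1 yields three findings (cleartext PAP, a password equal to the username, and the same credential sent and accepted) while the hardened demand 2 yields none. The same stanza splitter can be pointed at the output of show running-config captured from the router.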
Checking the BRI Interface
To ensure that the status of the BRI interface is up and the line status is ready, enter the following command from the enable mode context:
ProCurve# show interface bri <slot>/<number>
If the BRI interface is administratively down, enter no shutdown to activate it.
When you activate the BRI interface, it exchanges a series of messages with the ISDN switch at the CO. First, the BRI interface and the switch complete a handshaking process to bring up the Physical Layer. Then the switch assigns terminal endpoint identifiers (TEIs), which identify the router's endpoints on the D channel of the ISDN line.
The router reports the first TEI as TEI #1 and the second as TEI #2. Switches that require SPIDs associate one TEI with each SPID, so in practice TEI #1 corresponds to the first B channel and TEI #2 to the second. The BRI interface sends the LDNs and/or SPIDs configured for the channels (SPID1 for TEI #1 and SPID2 for TEI #2). After the switch accepts the SPIDs or LDNs, the ISDN line goes up.
When you enter the show interfaces bri command, the line status indicates the point at which the handshaking process stalled. For example, in Figure 8-24 the line status is "getting TEI #1": the switch has not yet accepted the BRI interface's SPID1 and assigned it a TEI.
Figure 8-24. Troubleshooting a BRI Interface

bri 1/2 is DOWN
Line status: getting TEI #1
Caller ID will be used to route incoming calls
Caller ID normal
Switch protocol: AT&T 5ESS
SPID 1 25655522220101, LDN 1 5552222
SPID 2 n/a, LDN 2 n/a
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1115 packets input, 0 bytes, 0 no buffer
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame
0 abort, 0 discards, 0 overruns
1117 packets output, 0 bytes, 0 underruns

Callouts in Figure 8-24: "getting TEI #1" means the switch at the CO cannot identify the interface; check the SPID and LDN.

Table 8-15 lists the possible designations for the line status and the steps you might take to change the status.

Table 8-15. BRI Line Status

Status: disconnected
Meaning: The interface is up but has disconnected from the peer. Settings on the demand interface may be preventing the call from connecting. For example, the peer's caller ID does not match the number specified with the calling-number command.
Next Best Step: This status may indicate that an unauthorized peer tried to connect to your router, so treat repeated disconnects from unknown calling numbers as something to investigate rather than a setting to relax. If the peer is authorized, however, check the settings on the BRI interface or demand interface and change them as needed to allow the connection. Also check the configuration on the peer to ensure that its settings allow a connection to this BRI interface.

Status: deactivated
Meaning: The interface may be up or down. The CO has deactivated the interface. The BRI interface may be in the process of communicating with the switch at the CO.
Next Best Step: Check with your service provider.

Status: layer 1 down
Meaning: There is no activity on the ISDN line.
Next Best Step: Check the physical hardware, including the cabling and wall jack.

Status: getting TEI #1
Meaning: The switch cannot identify the BRI interface.
Next Best Step:
• Check for a miskeyed SPID1 and/or LDN.
• Verify that the isdn switch-type setting matches the public carrier's signaling type.
Miskeyed SPIDs and LDNs are the most common problems. Try reentering the SPID and, if necessary, reloading the router so that the BRI interface is forced to re-initiate the handshaking process. Or enter maintenance reset to reset the port hardware.
Remember, however, that the wrong configuration for the switch-type can also cause the status to remain at "getting TEI #1" or "getting TEI #2." The switch-type depends on the type of ISDN signaling the public carrier provisions on the line, which depends on the switch's software, not necessarily on its manufacturer.

Status: getting TEI #2
Meaning: The switch cannot identify the BRI interface (second B channel).
Next Best Step:
• Check for a miskeyed SPID2 and/or LDN.
• If you should not have to enter a second SPID, the interface may be configured for the wrong signaling type.

Status: TEI #2 OK, getting SPID #2
Meaning: The switch is having trouble bringing the interface up.
Next Best Step: Try resetting the connection. You may need to reload the router, if possible.

Checking the ACL That Defines the Interesting Traffic
If the demand interface is up, you should ensure that the interesting traffic actually triggers the ISDN connection. Check the routing table to ensure that the demand interface is listed as a directly connected interface and that the route you entered for the far-end network lists the demand interface as the forwarding interface. From the enable mode context, enter:
ProCurve# show ip route
If the route is correct, you can send some traffic to the far-end network to determine whether the ACL triggers the ISDN call. Even a simple ping command should start the demand routing process, as long as the ping matches the ACL (for example, you may need to use the extended ping commands to set the source address for the ping to a local network address). Before you send the sample traffic, enable debugging for demand routing. From the enable mode context, enter:
ProCurve# debug demand-routing
If you have configured your ACL correctly, debug messages for demand routing should appear immediately. If no messages appear, you may have configured the ACL incorrectly. Double-check the permit statement you configured, and ensure that you applied the ACL to the demand interface. To check this information, enter the show running-config command from the enable mode context.
If you can troubleshoot the problem after business hours (when you will not inadvertently interrupt the flow of traffic to other interfaces), you may want to change the ACL to select all traffic from any source to any destination. The ACL should then trigger the ISDN connection. You can then begin to narrow the scope of the ACL to limit the traffic selected.
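To reason about which packets an interesting-traffic ACL will select before you widen it to "any to any", it helps to model the matching the router performs, including the reverse matching used for inbound traffic (the router matches the packet's source against the ACL's destination and the packet's destination against the ACL's source). The following Python is an added example, not code from the manual or the Secure Router OS. It implements wildcard-bit matching for extended ACL entries of the form used in this chapter and the match-interesting list / reverse list logic, with a default (no direction) statement expanded to "outbound as written, inbound reversed" as the Quick Start describes. The Call ACL entries, the packets and the function names are constructed for illustration; port qualifiers are not modelled, and applying the same expansion rule to a reverse list without a direction is an assumption.

```python
"""Model which packets count as interesting traffic for a demand interface.

Added example, not code from the ProCurve manual or the Secure Router OS.
ACL entries follow "permit|deny <protocol> <source> <destination>" with
any | host A.B.C.D | A.B.C.D <wildcard>; ports are not modelled.
"""
import ipaddress


def parse_address(tokens):
    """Consume one address spec; return (base, wildcard, tokens used).
    A wildcard bit of 1 means 'don't care' for that address bit."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, 2
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), 2)


def parse_entry(line):
    tokens = line.split()
    action, proto = tokens[0].lower(), tokens[1].lower()
    if action not in ("permit", "deny"):
        raise ValueError("bad action in %r" % line)
    src, src_wc, used = parse_address(tokens[2:])
    dst, dst_wc, _ = parse_address(tokens[2 + used:])
    return {"action": action, "proto": proto, "src": (src, src_wc), "dst": (dst, dst_wc)}


def address_matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # bits the wildcard leaves at 0 must agree
    return addr & care == base & care


def acl_permits(entries, proto, src, dst):
    """First matching entry decides; no match is an implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if address_matches(src, e["src"]) and address_matches(dst, e["dst"]):
            return e["action"] == "permit"
    return False


def expand_statements(statements):
    """(reverse, direction) pairs; direction None covers both directions:
    outbound uses the list as written, inbound uses its reverse. The manual
    documents this for 'list'; applying it to 'reverse list' is an assumption."""
    expanded = []
    for reverse, direction in statements:
        if direction is None:
            expanded += [(reverse, "out"), (not reverse, "in")]
        else:
            expanded.append((reverse, direction))
    return expanded


def is_interesting(acl_entries, statements, packet):
    """packet: dict with proto, src, dst (dotted strings) and direction in/out."""
    src = int(ipaddress.IPv4Address(packet["src"]))
    dst = int(ipaddress.IPv4Address(packet["dst"]))
    for reverse, direction in expand_statements(statements):
        if direction != packet["direction"]:
            continue
        s, d = (dst, src) if reverse else (src, dst)   # reverse list swaps the packet's addresses
        if acl_permits(acl_entries, packet["proto"], s, d):
            return True
    return False


# Constructed "ip access-list extended Call", modelled on the Quick Start entry.
CALL_ACL = [parse_entry(l) for l in [
    "deny icmp any any",                       # pings must not bring the line up
    "permit ip any 192.168.115.0 0.0.0.255",  # traffic for the branch network does
]]
DEFAULT_STATEMENTS = [(False, None)]           # match-interesting list Call


def demo(statements=None):
    statements = DEFAULT_STATEMENTS if statements is None else statements
    packets = [
        {"proto": "tcp",  "src": "10.0.0.5",      "dst": "192.168.115.7", "direction": "out"},
        {"proto": "tcp",  "src": "192.168.115.7", "dst": "10.0.0.5",      "direction": "in"},
        {"proto": "icmp", "src": "10.0.0.5",      "dst": "192.168.115.7", "direction": "out"},
        {"proto": "tcp",  "src": "10.0.0.5",      "dst": "192.168.116.7", "direction": "out"},
    ]
    return [is_interesting(CALL_ACL, statements, p) for p in packets]


if __name__ == "__main__":
    print(demo())   # [True, True, False, False]
```

The four sample packets show the cases the troubleshooting text warns about: outbound TCP to the branch network dials, the inbound reply matches through the reversed list, a ping is explicitly denied and so never triggers a call (which is why a test ping may not exercise the ACL), and traffic to a neighbouring subnet falls through to the implicit deny. Passing the explicit pair from Figure 8-23, "list Call out" and "reverse list Call in", gives the same results as the default statement.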
Troubleshooting the ISDN Connection
If the interesting traffic triggers the ISDN connection, the ProCurve Secure Router will find the appropriate connect-sequence command to process (based on your configuration) and try to establish a connection. If the router is unable to establish this connection, you will need to monitor the call setup.
The Secure Router OS provides a number of ISDN debug commands, which are listed in Table 8-16.
Table 8-16. debug Commands for ISDN

Command    Description
debug isdn cc-ie    displays the information elements carried in ISDN call control messages
debug isdn cc-messages    displays call control messages
debug isdn endpoint    displays events related to ISDN endpoints
debug isdn events    displays information about ISDN events
debug isdn group    displays errors and messages related to ISDN groups
debug isdn interface    displays ISDN interface events
debug isdn l2-formatted    displays Layer 2 formatted messages
debug isdn l2-messages    displays Layer 2 messages
debug isdn resource-manager    displays resource manager errors and messages
debug isdn verbose    displays all errors and messages

Note: Debug functions are processor intensive. The debug isdn commands in particular display a high volume of messages to the CLI.

Some of the debug isdn commands display numerous messages, which scroll past too quickly to read. You will probably need to stop the messages and review them to determine the problem. For example, Figure 8-25 shows a small portion of the debug messages displayed as a call connects.
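The L2_MSG lines in Figure 8-25 (below) carry the raw Q.931 SETUP that the L2_FMT lines decode; being able to read it yourself is useful when the formatted output is cut off or when you want to check what a calling peer actually presented. The following Python is an added example, not code from the manual or the Secure Router OS. It decodes the LAPD header and the SETUP message from the bytes in the figure and then applies the kind of calling-number screening that the "disconnected" line status in Table 8-15 refers to. The frame bytes are copied from the figure; the allowed-caller list and the function names are assumptions for illustration, and only the information elements present in the figure are decoded.

```python
"""Decode the Q.931 SETUP captured in Figure 8-25 and screen its calling number.

Added example, not code from the ProCurve manual or the Secure Router OS.
SETUP_FRAME holds the bytes from the figure's three L2_MSG "Recd =" lines;
the allowed-caller list given to screen_incoming_call() is a constructed
stand-in for numbers configured with the calling-number command.
"""

SETUP_FRAME = bytes.fromhex(
    "02 FF 03 08 01 01 05 A1 04 02 88 90 18 01 89 6C"
    "0C 21 80 30 30 30 39 36 33 31 31 31 31 70 08 C1"
    "39 36 33 33 33 33 33"
)

MESSAGE_TYPES = {0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP",
                 0x07: "CONNECT", 0x45: "DISCONNECT", 0x4D: "RELEASE"}
NUMBER_TYPES = {0: "UNKNOWN", 1: "INTERNATIONAL", 2: "NATIONAL",
                3: "NETWORK SPECIFIC", 4: "SUBSCRIBER", 6: "ABBREVIATED"}
PRESENTATION = {0: "ALLOWED", 1: "RESTRICTED", 2: "NOT AVAILABLE"}
SCREENING = {0: "USER-PROVIDED, NOT SCREENED", 1: "USER-PROVIDED, VERIFIED",
             2: "USER-PROVIDED, FAILED", 3: "NETWORK PROVIDED"}
XFER_CAP = {0x00: "SPEECH", 0x08: "UNRESTRICTED DIGITAL", 0x10: "3.1kHz AUDIO"}
XFER_RATE = {0x10: "64k", 0x11: "2x64k"}


def parse_lapd(frame):
    """Split a Q.921 (LAPD) UI frame into its address fields and the Q.931 payload."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    if frame[2] != 0x03:
        raise ValueError("only UI frames are handled here")
    lapd = {"sapi": frame[0] >> 2, "cr": "C" if frame[0] & 0x02 else "R",
            "tei": frame[1] >> 1}
    return lapd, frame[3:]


def parse_ies(data):
    """Walk the information elements; an IE with bit 8 set is a single octet."""
    ies, i = [], 0
    while i < len(data):
        ie_id = data[i]
        if ie_id & 0x80:
            ies.append((ie_id, b""))
            i += 1
        else:
            length = data[i + 1]
            ies.append((ie_id, data[i + 2:i + 2 + length]))
            i += 2 + length
    return ies


def parse_party_number(body):
    """Calling (0x6C) / called (0x70) party IE: type/plan octet, an optional
    presentation/screening octet (present only when the ext bit is 0), digits."""
    octet3 = body[0]
    info = {"type": NUMBER_TYPES.get((octet3 >> 4) & 0x07, "RESERVED"),
            "plan": octet3 & 0x0F, "presentation": "ALLOWED",
            "screening": SCREENING[0]}            # Q.931 default when octet 3a is absent
    pos = 1
    if not octet3 & 0x80:
        info["presentation"] = PRESENTATION.get((body[1] >> 5) & 0x03, "RESERVED")
        info["screening"] = SCREENING[body[1] & 0x03]
        pos = 2
    info["number"] = body[pos:].decode("ascii")
    return info


def decode_setup(frame):
    lapd, payload = parse_lapd(frame)
    if payload[0] != 0x08:
        raise ValueError("not a Q.931 message")
    crl = payload[1] & 0x0F                      # call reference length
    crv = int.from_bytes(payload[2:2 + crl], "big") & ((1 << (8 * crl - 1)) - 1) if crl else 0
    mtype = payload[2 + crl] & 0x7F
    msg = {"lapd": lapd, "call_ref": crv, "raw_ies": [],
           "type": MESSAGE_TYPES.get(mtype, "0x%02X" % mtype)}
    for ie_id, body in parse_ies(payload[3 + crl:]):
        if ie_id == 0xA1:
            msg["sending_complete"] = True
        elif ie_id == 0x04:
            msg["bearer"] = "%s %s" % (XFER_CAP.get(body[0] & 0x1F, "?"),
                                       XFER_RATE.get(body[1] & 0x1F, "?"))
        elif ie_id == 0x18:
            sel = {1: "B1", 2: "B2", 3: "ANY"}.get(body[0] & 0x03, "NONE")
            msg["channel"] = "%s (%s)" % (sel, "exclusive" if body[0] & 0x08 else "preferred")
        elif ie_id == 0x6C:
            msg["calling"] = parse_party_number(body)
        elif ie_id == 0x70:
            msg["called"] = parse_party_number(body)
        else:
            msg["raw_ies"].append((ie_id, body))
    return msg


def screen_incoming_call(frame, allowed_callers):
    """Match on trailing digits so the figure's NATIONAL-format caller
    0009631111 still matches a configured 9631111. A number the network has
    not screened is reported as accept-unverified: caller ID is then only a
    hint, and PPP authentication on the demand interface must do the real work."""
    msg = decode_setup(frame)
    if msg["type"] != "SETUP":
        return "ignore: not a SETUP", msg
    calling = msg.get("calling")
    if calling is None or calling["presentation"] != "ALLOWED":
        return "reject: no usable calling number", msg
    if not any(calling["number"].endswith(n) for n in allowed_callers):
        return "reject: %s not in calling-number list" % calling["number"], msg
    if calling["screening"] in (SCREENING[1], SCREENING[3]):
        return "accept", msg
    return "accept-unverified", msg


if __name__ == "__main__":
    verdict, m = screen_incoming_call(SETUP_FRAME, ["9631111"])
    print(verdict, m["type"], m["calling"]["number"], "->", m["called"]["number"],
          m["bearer"], m["channel"], "TEI", m["lapd"]["tei"])
```

Decoding the figure's frame reproduces what the L2_FMT lines show (SETUP on TEI 7F, unrestricted digital 64k, channel B1 exclusive, calling 0009631111 of type NATIONAL, called 9633333 of type SUBSCRIBER) and one thing they do not print: the screening indicator in octet 3a is 0, "user-provided, not screened", so the calling number in this capture is whatever the caller asserted. That is why the verdict for an allowed number is accept-unverified, and why calling-number screening on the BRI interface is a filter, not a substitute for PPP authentication.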
Figure 8-25. Viewing ISDN debug Messages

2005.10.08 11:23:09 L2_MSG BRI 2/1 Recd = 02 FF 03 08 01 01 05 A1 04 02 88 90 18 01 89 6C
2005.10.08 11:23:09 L2_MSG BRI 2/1 0C 21 80 30 30 30 39 36 33 31 31 31 31 70 08 C1
2005.10.08 11:23:09 L2_MSG BRI 2/1 39 36 33 33 33 33 33
2005.10.08 11:23:09 L2_FMT BRI 2/1 =============================================
2005.10.08 11:23:09 L2_FMT BRI 2/1 Recd = Sapi:00 C/R:C Tei:7F
2005.10.08 11:23:09 L2_FMT BRI 2/1 Ctl:UI
2005.10.08 11:23:09 L2_FMT BRI 2/1 Prot:08 CRL:1 CRV:0001
2005.10.08 11:23:09 L2_FMT BRI 2/1 M - 05 SETUP
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - A1 SENDING COMPLETE Len=0
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - 04 BEARER CAPABILITY Len=2
2005.10.08 11:23:09 L2_FMT BRI 2/1 88 Xfer Cap.:UNRESTRICTED DIG.
2005.10.08 11:23:09 L2_FMT BRI 2/1 90 Xfer Rate:64k
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - 18 CHANNEL ID Len=1
2005.10.08 11:23:09 L2_FMT BRI 2/1 89 Basic Rate
2005.10.08 11:23:09 L2_FMT BRI 2/1 Intfc ID:IMPLICIT
2005.10.08 11:23:09 L2_FMT BRI 2/1 Pref/Excl:EXCLUSIVE
2005.10.08 11:23:09 L2_FMT BRI 2/1 D-Chan Indicated:NO
2005.10.08 11:23:09 L2_FMT BRI 2/1 Chan. Sel:B1
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - 6C CALLING PARTY # Len=12
2005.10.08 11:23:09 L2_FMT BRI 2/1 21 Numb. Type:NATIONAL
2005.10.08 11:23:09 L2_FMT BRI 2/1 Numb. Plan:ISDN/Telephony
2005.10.08 11:23:09 L2_FMT BRI 2/1 80 Presentation:ALLOWED
2005.10.08 11:23:09 L2_FMT BRI 2/1 Ph.# 0009631111
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - 70 CALLED PARTY # Len=8
2005.10.08 11:23:09 L2_FMT BRI 2/1 C1 Numb. Type:SUBSCRIBER
2005.10.08 11:23:09 L2_FMT BRI 2/1 Numb. Plan:ISDN/Telephony
2005.10.08 11:23:09 L2_FMT BRI 2/1 Ph.# 9633333
2005.10.08 11:23:09 CC_MSG BRI 2/1 CC>>Host: 01 000b SETUP_IND
2005.10.08 11:23:09 CC_IE BRI 2/1 ie: 00 04 04 80 88 80 90
2005.10.08 11:23:09 CC_IE BRI 2/1 ie: 00 18 04 80 81 80 81
2005.10.08 11:23:09 CC_IE BRI 2/1 ie: 00 6C 0E 82 81 80 80 30 30 30 39 36 33 31 31 31 31
2005.10.08 11:23:09 CC_IE BRI 2/1 ie: 00 70 09 84 81 39 36 33 33 33 33 33
2005.10.08 11:23:09 EP BRI 2/1 Incoming call :'9633333' from '0009631111'.
2005.10.08 11:23:09 CC_MSG BRI 2/1 Host>>CC: 01 000b CALL_PROCEEDING_REQ
2005.10.08 11:23:09 EP BRI 2/1 Incoming call to '9633333' accepted
2005.10.08 11:23:09 L2_MSG BRI 2/1 Sent = FC FF 03 0F 11 25 01 FF

Test Calls
You can also set up a test call to test the ISDN circuit. When you initiate a test call, you connect the two endpoints through an ISDN call without setting up a Data Link Layer connection; test calls only connect at the Physical Layer. When you initiate a test call, the ProCurve Secure Router assigns the BRI interface to ISDN group 0 for the duration of the call.
To set up a test call, enter the following from the BRI interface configuration mode context:
Syntax: test-call [dial <number> | answer | hangup]
To enter test call mode, enter:
ProCurve(config- bri 2/1)# test-call answer
This command configures the router to receive test calls.
To dial a test call, enter:
Syntax: test-call dial <number>
Replace <number> with the LDN of the ISDN interface you want to connect to. Enter the LDN without using any special characters. For example, you may enter:
ProCurve(config-bri 2/1)# test-call dial 15555551212
The router will then make a call. Once the test call is connected, the routers will exchange keepalives every 10 seconds.
To disconnect the test call and free the allocated BRI channels, enter:
Syntax: test-call hangup [channels <channel range>]
Entering the hangup option disconnects the entire ISDN test call. You can also hang up a single B channel by using the hangup channels option and specifying on which channel or channels you want to terminate the connec-tion. For example, if you want to hang up both B channels but leave the D channel connected, enter:
ProCurve(config-bri 2/1)# test-call hangup channels 1,2
or
ProCurve(config-bri 2/1)# test-call hangup channels 1-2
To hang up a specific channel, enter the number of the B channel you want to disconnect. For example, if you wanted to hang up channel B2, you would enter:
ProCurve(config-bri 2/1)# test-call hangup channels 2
Test calls allow you to check the physical ISDN connection, end to end, between the calling router and the receiving router.
Line Maintenance
You can also perform some basic maintenance on your ISDN line. Enter:
Syntax: maintenance [restart-d | reset]
Use the restart-d option to reset and restart the D channel. This may help in cases where there is a problem in the call process and one of the channels becomes hung.
Use the reset option to reset the port hardware. Occasionally the port interface may get into a loop if the disconnect process isn’t completed before the connection is lost. To reset all the channels and the port hardware, enter:
ProCurve(config-bri 1/1)# maintenance reset
Troubleshooting with Loopbacks
A loopback call tests the ability of the router to initiate and terminate an ISDN call, verifying that the ISDN circuit is up and running. To test and diagnose your ISDN lines, you can set loopbacks using the following commands:
Syntax: loopback network [b1 | b2 | both]
Syntax: loopback local [b1 | b2 | all]
Use the network option to set a loopback toward the switch. This tests that the line between your router and the switch is operational. Use the local option to set a loopback on the router's side of the port; this exercises the router's own port hardware without involving the switch, so a failure here points to a problem on your side of the circuit rather than on the line.
You can specify which B channel you want to test using the b1 and b2 options. Using the b1 or b2 option sets up a loopback call using the channel you specified and the D channel. To test both B channels and the D channel, enter both (for a network loopback) or all (for a local loopback). Remove the loopback (no loopback) when you finish testing.
Troubleshooting PPP for the ISDN Connection
Because PPP is the Data Link Layer for dial-up connections, you may need to troubleshoot the negotiation of a PPP session or PPP authentication (if you have configured authentication for the connections). Table 8-17 lists the debug commands you can use to monitor PPP interfaces.
Table 8-17. debug Comm­ands for PPP Interfaces

Command    Explanation
debug ppp verbose    displays detailed information about all PPP frames as they arrive on the PPP interface
debug ppp errors    displays error messages relating to PPP
debug ppp negotiations    displays events relating to link negotiation; shows whether link protocols are able to open; reveals when negotiations between two PPP peers fail
debug ppp authentication    displays real-time messages relating to PAP and CHAP
undebug all    turns off debug messages

Quick Start
This section provides the commands you must enter to quickly configure demand routing for:
■ an ISDN BRI U module
■ an ISDN BRI S/T module
Only a minimal explanation is provided. If you need additional information about any of these options, check "Contents" on page 8-1 to locate the section that contains the explanation you need.
When you configure demand routing, you will need to enter information about your ISDN connection as well as information about the far-end network. You can use Table 8-18 to record this information before you begin to configure demand routing for the ISDN connection.

Table 8-18. Configuration Settings

Setting    Description    Your Setting
interface bri <slot>/<port>    specifies the location of the ISDN module and the port you are configuring
isdn switch-type [basic-5ess | basic-ni | basic-dms | basic-net3]    specifies the ISDN signaling that the service provider implements on the line
isdn ldn1 <number>; isdn ldn2 <number>    specifies the telephone number (or numbers) for ISDN BRI modules
isdn spid1 <number> <ldn1>; isdn spid2 <number> <ldn2>    specifies the telephone number and identifiers for each TE on the line; used for ISDN BRI U modules
connect-sequence <sequence-number> dial-string <string> [<resource-type>] [busyout-threshold <value>]    specifies the number to call to establish a connection (dial-string <string>), the type of connection to establish (<resource-type>: ISDN 64 Kbps or ISDN 56 Kbps), and the number of times to call the number if a connection cannot be made (busyout-threshold <value>)
ip route <destination A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>    specifies the route to the far-end network

1. Enter the global configuration mode context:
ProCurve> en
Password:
ProCurve# configure terminal
2. Create an access control list (ACL) to define the interesting traffic.
a. From the global configuration mode context, enter:
Syntax: ip access-list [standard | extended] <listname>
For example, you might enter:
ProCurve(config)# ip access-list extended Call
b. From the ACL configuration mode context, configure permit or deny entries. Enter:
Syntax: [permit | deny] <protocol> <source address> <source port> <destination address> <destination port> [log | log-input]
Replace <protocol> with one of the following: AHP, ESP, GRE, ICMP, IP, TCP, or UDP.
To specify the source and destination address, use the following:
Syntax: [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>]
For example, you might want to specify that the interesting traffic is the IP traffic from any source to network 192.168.115.0 /24. You use wildcard bits to specify a range of addresses. Enter:
ProCurve(config-ext-nacl)# permit ip any 192.168.115.0 0.0.0.255
c. After configuring the entries for the ACL, enter:
ProCurve(config-ext-nacl)# exit
3. Configure the demand interface.
a. Create the demand interface by entering:
ProCurve(config)# interface demand <number>
Replace <number> with a number between 1 and 1024 for this demand interface. Each demand interface must have a unique number.
b. Assign the demand interface an IP address:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
For example, you might enter:
ProCurve(config-demand 1)# ip address 10.10.10.1 255.255.255.252
or
ProCurve(config-demand 1)# ip address 10.1.1.1 /30
c. Associate the ACL you created with the demand interface. From the demand interface configuration mode context, enter:
Syntax: match-interesting [list | reverse list] <listname > [in | out]
Include the list option if you want the ProCurve Secure Router to use standard matching logic for the ACL. Include the reverse list option if you want the ProCurve Secure Router to use reverse matching logic when processing the ACL. In this case, the router will try to match the packet’s source address with the destination address that is defined in the ACL. The router will then try to match the packet’s destination address with the source address that is defined in the ACL.
Replace <listname> with the ACL that you created to define the interesting traffic. You can specify only extended ACLs.
Including in or out is optional. By default, the ProCurve Secure Router uses the ACL you specify to check both incoming and outgoing traffic. If you do not specify a direction, outbound traffic is matched to the specified ACL, and inbound traffic is matched to the reverse of the ACL.
For example, if you want to apply the Branch1 ACL to the demand 1 interface, enter:
ProCurve(config-demand 1)# match-interesting list Branch1
The router will allow both traffic outbound to and inbound from the networks specified in the Branch1 ACL to trigger the dial-up connection.
d. Create a resource pool and associate it with the demand interface. Enter:
ProCurve(config-demand 1)# resource pool <poolname>
Replace <poolname> with the name of the resource pool that this demand interface will use to originate or answer connections.
e. Configure a connect sequence to specify:
– the telephone number that the demand interface dials to connect to the remote peer
– the type of dial-up interface used to establish the connection
Enter the following command from the demand interface configura-tion mode context:
Syntax: connect-sequence <sequence-number> dial-string <string> [<resource-type>] [busyout-threshold <value>]
Replace <sequence-number> with a number between 1 and 65535 to identify this set of connection instructions.
Replace <string> with the telephone number that the demand interface should dial to make the connection.
Replace <resource-type> with one of the options listed in Table 8-19. The option you enter will limit this connection to a particular type of dial-up connection.
Table 8-19. Defining a Resource Type for a Connect Sequence
Option Description
isdn-64k Any dial resource can be used, but if ISDN is used, the call must be placed using a 64-Kbps channel.
isdn-56k Any dial resource can be used, but if ISDN is used, the call must be placed using a 56-Kbps channel.
forced-analog Only analog resources can be used. (This option is used when you configure demand routing for a backup analog line.)
forced-isdn-64k Only ISDN resources can be used, and the call must be placed using a 64-Kbps channel.
forced-isdn-56k Only ISDN resources can be used, and the call must be placed using a 56-Kbps channel.
4. Configure the BRI interface.
a. To access the BRI interface configuration mode context, enter:
Syntax: interface bri <slot>/<port>
For example, you might enter:
ProCurve(config)# interface bri 1/1
b. Set the ISDN signaling (switch) type if your service provider is not using the default setting for your ISDN. For the ISDN BRI U module, the default setting is isdn switch-type basic-5ess. For the ISDN BRI S/T modules, the default setting is isdn switch-type basic-net3. If your service provider is using a different ISDN signaling type, enter:
Syntax: isdn switch-type [basic-5ess | basic-ni | basic-dms | basic-net3]
Table 8-20 lists the command syntax for each signaling type.
Table 8-20. ISDN Signaling Types
Signaling Type Command Syntax
National ISDN-1 isdn switch-type basic-ni
Euro ISDN isdn switch-type basic-net3
Northern Telecom DMS-100 isdn switch-type basic-dms
Lucent/ATT 5ESS isdn switch-type basic-5ess
c. Set the LDN. (If your public carrier has assigned you a SPID, skip this step and go to the next step.) Otherwise, enter:
Syntax: isdn ldn1 <number>
Replace <number> with the LDN phone number assigned to the ISDN line you are configuring. For example, you might enter:
ProCurve(config-bri 1/1)# isdn ldn1 5555551212
d. Set the SPID and LDN. If your public carrier has assigned you a SPID, you should set the SPID and the LDN at the same time. Enter:
Syntax: isdn spid1 <number> <ldn1>
For example, you might enter:
ProCurve(config-bri 1/1)# isdn spid1 12355512120101 5551212
e. Activate the interface. Enter:
ProCurve(config-bri 1/1)# no shutdown
5. Configure an ISDN group.
a. Create an ISDN group by entering the following command from the global configuration mode context:
Syntax: isdn-group <number>
Replace <number> with a number between 1 and 255 to uniquely identify this ISDN group.
b. Assign a BRI interface to the ISDN group. Enter:
Syntax: connect bri <slot>/<port>
Replace <slot> and <port> with the numbers that identify where the BRI interface is installed. You can assign multiple BRI interfaces to the ISDN group. For example, you might enter:
ProCurve(config-isdn-group 1)# connect bri 2/1
ProCurve(config-isdn-group 1)# connect bri 2/2
c. Assign the ISDN group to a resource pool. From the ISDN group configuration mode context, enter:
Syntax: resource pool-member <poolname>
For example, if the resource pool is called Branch, enter:
ProCurve(config-isdn-group 1)# resource pool-member Branch
Note: The ISDN group can be a member of only one resource pool.
d. To control which calls the BRI interfaces in the ISDN group accept, enter the following command from the ISDN group configuration mode context:
Syntax: incoming-accept-number <number>
For example, you might enter:
ProCurve(config-isdn-group 1)# incoming-accept-number 5551212
You can use the wildcard characters listed in Table 8-9 to specify a range of numbers.
Table 8-21. Wildcard Characters for incoming-accept-number
Wildcard Characters Explanation
X Matches any single digit between 0 and 9
N Matches any single digit between 2 and 9
$ Matches any number (multiple numbers)
[ ] Matches any digit in the list. For example, if you enter [2,4,6] the ProCurve Secure Router matches only 2, 4, and 6. If you enter [4-6,8] the ProCurve Secure Router matches 4, 5, 6, and 8.
6. Create a static route to the far-end network. From the global configuration mode context, enter:
Syntax: ip route <destination A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>
Replace <destination A.B.C.D> with the IP address for the far-end network. For example, the far-end network might be network 192.168.7.0 /24. Then, either specify the complete subnet mask (such as 255.255.255.0) or enter the prefix length (such as /24). Finally, specify the forwarding interface as demand <number>.
For example, to configure a route to network 192.168.7.0 /24 through demand interface 1, enter:
ProCurve(config)# ip route 192.168.7.0 /24 demand 1
For more information about configuring static routes, see “Static Routing” on page 11-9 in Chapter 11: IP Routing—Configuring Static Routes.
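To see exactly which calling numbers a given incoming-accept-number pattern lets through, here is an added Python matcher for the Table 8-21 wildcards (example code for this edit, not the router's own matching engine). It treats `$` as one or more digits, which is an assumption; the sample calling numbers are constructed. Running a planned pattern through it before deploying shows whether the call screening is tighter or looser than intended, for instance that a bare `$` accepts every caller.

```python
import re

# Single-digit wildcards as listed in Table 8-21.
_SINGLE = {"X": "[0-9]", "N": "[2-9]"}


def _digit_class(body):
    """Turn the inside of [ ] into a regex class: [2,4,6] -> [246], [4-6,8] -> [4-68]."""
    out = []
    for item in body.split(","):
        item = item.strip()
        if re.fullmatch(r"[0-9]", item):
            out.append(item)
        elif re.fullmatch(r"[0-9]-[0-9]", item) and item[0] <= item[2]:
            out.append(item)
        else:
            raise ValueError(f"bad list item {item!r} in [{body}]")
    return "[" + "".join(out) + "]"


def accept_pattern_to_regex(pattern):
    """Translate an incoming-accept-number pattern into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c in _SINGLE:
            parts.append(_SINGLE[c])
        elif c == "$":
            # "$" matches any number; assumed here to mean one or more digits.
            parts.append("[0-9]+")
        elif c == "[":
            end = pattern.find("]", i)
            if end < 0:
                raise ValueError(f"unterminated [ ] in {pattern!r}")
            parts.append(_digit_class(pattern[i + 1:end]))
            i = end
        elif c.isdigit():
            parts.append(c)
        else:
            raise ValueError(f"unsupported character {c!r} in {pattern!r}")
        i += 1
    return "^" + "".join(parts) + "$"


def accepts(pattern, calling_number):
    """True when the pattern would accept a call from calling_number."""
    return re.fullmatch(accept_pattern_to_regex(pattern), calling_number) is not None


def screen(pattern, calling_numbers):
    """Split calling numbers into (accepted, rejected) lists for a pattern."""
    accepted = [n for n in calling_numbers if accepts(pattern, n)]
    rejected = [n for n in calling_numbers if n not in accepted]
    return accepted, rejected


# Constructed sample callers (not real numbers).
SAMPLE_CALLERS = ["5551212", "5551219", "4551212", "7551212", "1234", "25"]
```

Feed it the list of peers that are supposed to be able to reach the ISDN group plus a few numbers that are not; the rejected list should contain every one of the latter.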
9
Configuring the E1 + G.703 and T1 + DSX-1 Modules
Contents
Using an E1- or T1-Carrier Line for Data and Voice . . . . . . . . . . . . . . . . . . . 9-3
Drop-and-Insert Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Standards Supported by the Drop-and-Insert Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Configuring the E1 + G.703 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Configuring the E1 Interface for Data Communications . . . . . . . . . . . 9-5
Assigning Channels to the E1 Interface . . . . . . . . . . . . . . . . . . . . . 9-5
Setting the Clock Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Accessing the G.703 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Configuring Line Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Configuring Frame Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Enabling TS16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Activating the Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
Checking the Status of the G.703 Interface . . . . . . . . . . . . . . . . . . . . . 9-10
Viewing Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
Troubleshooting the G.703 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
Alarms or Errors That Will Not Clear . . . . . . . . . . . . . . . . . . . . . . 9-12
Yellow Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Interface Is Accruing Errored Seconds and Clock Slips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Configuring the T1 + DSX-1 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Configuring the T1 Interface for Data Communications . . . . . . . . . . 9-14
Assigning Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14
Setting the Clock Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15
Accessing the T1 Interface for the DSX-1 Port . . . . . . . . . . . . . . . . . . 9-16
Configuring Line Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Configuring Frame Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Setting the Line Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Configuring Signaling Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Activating the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19
Checking the Status of the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . 9-19
Viewing Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20
Troubleshooting the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20
Alarms or Errors That Will Not Clear . . . . . . . . . . . . . . . . . . . . . . 9-20
Yellow Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Interface Is Accruing Errored Seconds and Clock Slips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Configuring the E1 + G.703 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Configuring the E1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Configuring the G.703 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23
Configuring the T1 + DSX-1 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-24
Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . 9-24
Assigning the Channels to the T1 Interface . . . . . . . . . . . . . . . . . 9-24
Configuring the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25
Using an E1- or T1-Carrier Line for Data and Voice
You may be able to lower your data communications and telephone costs by leasing an E1 or T1-carrier line and using some of the bandwidth for data and some of the bandwidth for TDM (or traditional) voice. You will then have an affordable WAN solution or Internet connection, and depending on your existing telephone setup, you may have additional phone lines as well. This solution is particularly attractive for small-to-medium businesses (SMBs).
Drop-and-Insert Modules
If you want to use your E1- or T1-carrier line for both data and voice, you must purchase and install a drop-and-insert module for the ProCurve Secure Router. These modules are called drop-and-insert modules because they pass, or drop, some of the bandwidth from the E1- or T1-carrier line into a private branch exchange (PBX).
Two drop-and-insert modules are available for the ProCurve Secure Router:
■ E1 + G.703 module
■ T1 + DSX-1 module
If you live in Europe, South America, Australia, or Asia (except Japan), and can lease an E1-carrier line for your WAN connection, you should purchase and install the E1 + G.703 module. If you live in the United States or Canada, and can lease a T1-carrier line for your WAN connection, you should purchase and install the T1 + DSX-1 module. If you live in Japan, you will need to check with your Public Telephone and Telegraph (PTT) authority because many PTTs in Japan offer T1-carrier lines for data. For voice, however, these PTTs offer J1-carrier lines.
Standards Supported by the Drop-and-Insert Modules
The E1 + G.703 and T1 + DSX-1 modules are standards-based. Specifically, they support the standards listed in Table 9-1.
Table 9-1. Standards Supported by ProCurve Drop-and-Insert Modules
Module Standard
E1 + G.703 • International Telecommunications Union (ITU) G.703, ITU-T G.704 (CRC-4), ITU-T G.823, and ITU-T G.797
• FCC Part 15 Class A, Norme Europeenne (EN) 55022 Class, EN 55024, EN 61000-3-2, EN 61000-3-3 (EN is also referred to as European Standards.)
• ACIF S016, ETSI TBR 12/TBR 13
• EN 60950 and Australian Standard/New Zealand Standard (AS/NZS) 60950
T1 + DSX-1 • T1 Interface: AT&T Pub 62411
• ESF Format Interface: TR 194
• ESF Performance Monitoring: TR 54016, ANSI T1.403
• FCC Part 15 Class A, EN 55022 Class A
• ACTA/FCC Part 68, IC CS-03, UL/cUL 60950, IEC 60950
Configuring the E1 + G.703 Module
The E1 + G.703 module has:
■ an E1 port
■ a G.703 port
The E1 port handles the data communications. The G.703 port receives all the channels from the E1-carrier line that are not mapped for data and drops these channels into a PBX. When you configure an E1 + G.703 module, you must configure it to synchronize the data transfer between the public carrier, the two ports (or interfaces), and the PBX. You must also configure which channels are dropped into the PBX.
Making the Physical Connection
Like other ProCurve Networking E1 modules, the E1 port on E1 + G.703 modules includes a built-in Digital Service Unit (DSU). You use unshielded twisted pair (UTP) cabling with RJ-48C connectors to connect the E1 interface to the Channel Service Unit (CSU) provided by your public carrier. (For more information about the DSU or CSU and other public carrier equipment used in an E1 connection, see Chapter 4: Configuring E1 and T1 Interfaces.)
You connect the G.703 port to the PBX using crossover UTP cabling with RJ-48C connectors.
Configuring the E1 Interface for Data Communications
The first step in configuring the E1 + G.703 module is to configure the E1 interface that will handle data. Two settings for the E1 interface directly affect the G.703 interface:
■ channel assignment
■ clock source
Assigning Channels to the E1 Interface
When you configure the E1 interface, you assign the E1 interface a certain number of channels that will be “nailed” to that interface. By default, any channels that you do not assign to the E1 interface are passed to the G.703 interface.
An E1-carrier line includes a total of 32 channels: one channel is used to maintain the connection, and the other 31 channels can be used for data or voice. When you divide these channels between the E1 interface and the G.703 interface, you must create two groups of contiguous channels. Typically, you will reserve channel 16 and all subsequent channels for the G.703 interface.
You assign the channels to the E1 interface using the tdm-group command. The remaining channels are automatically assigned to the G.703 interface.
To assign channels 1–15 to the E1 interface, move to the E1 interface configuration mode context and enter the tdm-group command:
Syntax: tdm-group <number> timeslots <range of numbers>
ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-15
If you view the status of the E1 interface (after you bind the physical interface to the logical interface using the bind command), you will see that channels 1–15 are “nailed” to that interface, while channels 16–31 are assigned to the G.703 interface. (See Figure 9-1.)
Enter show interface e1 <slot>/<port> at the enable mode context prompt:
ProCurve# show interface e1 1/1
Note: If you have not yet entered a bind command to join the physical interface to the logical interface, the channel assignment will not be displayed correctly.
Figure 9-1. Viewing the Channel Assignments for the E1 and G.703 Interfaces
e1 1/1 is UP
  Receiver has no alarms
  E1 coding is HDB3, framing is E1
  Clock source is line
  No network loopbacks
  Last clearing of counters never
  loss of frame : 0
  loss of signal : 0
  AIS alarm : 0
  Remote alarm : 0

  Timeslot Status:
  01234567890123456789012345678901
  FNNNNNNNNNNNNNNNDDDDDDDDDDDDDDDD
  Status Legend: '-' = Timeslot is unallocated
                 'N' = Timeslot is dedicated (nailed)
                 'D' = Timeslot is allocated to G703 drop port
                 'F' = Timeslot is dedicated for framing

  Line Status: -- No Alarms --

  5 minute input rate 120 bits/sec, 0 packets/sec
  5 minute output rate 120 bits/sec, 0 packets/sec
  Current Performance Statistics:
    0 Errored Seconds, 0 Bursty Errored Seconds
    0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
    0 Unavailable Seconds, 0 Path Code Violations
    0 Line Code Violations, 0 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes

  TDM group 1, line protocol is UP
    Encapsulation PPP (ppp 1)
    74 packets input, 4622 bytes, 0 no buffer
    0 runts, 0 giants, 0 throttles
    66 input errors, 24 CRC, 42 frame
    0 abort, 0 discards, 0 overruns
    127 packets output, 5554 bytes, 0 underruns
Channels 1-15 are “nailed” to the E1 interface.
Channels 16-31 are allocated to the G.703 interface.
After you ensure that the channel assignments are correct, you will need to configure the settings for the G.703 interface.
Setting the Clock Source
The other setting that directly affects the G.703 interface is the clock source. Each narrow ProCurve Secure Router module can have only one clock source. For E1 + G.703 modules, you set the clock source on the E1 interface that is used for data. By default, the clock source for this E1 interface is line. With this setting, the E1 interface takes its timing from the public carrier’s equipment. The G.703 interface, in turn, takes its clock from the E1 interface.
You may want the E1 + G.703 module to take timing from the PBX rather than from the public carrier’s equipment. To change the clock source setting for the E1 interface to through, enter:
ProCurve(config-e1 1/1)# clock source through
For detailed information about configuring other settings for the E1 interface, see Chapter 4: Configuring E1 and T1 Interfaces.
Accessing the G.703 Interface
The ProCurve Secure Router treats the G.703 port as an E1 interface. Because it is the second port of the E1 + G.703 module, you access the G.703 interface by entering the following command from the global configuration mode context:
Syntax: interface e1 <slot>/2
For example, if the E1 + G.703 module is installed in slot 1, enter:
ProCurve(config)# interface e1 1/2
From this configuration mode context, you can begin to configure the G.703 interface.
Configuring Line Coding
You configure the line coding for the G.703 interface just as you would for an E1 interface. The settings you select must match those used by the PBX.
■ Alternate mark inversion (AMI)
■ High-Density Bipolar order of 3 (HDB3)
AMI uses alternating positive and negative voltage (referred to as alternating polarity, or bipolarity) to represent logical ones, and zero voltage to represent logical zeros. Because AMI uses zero voltage for logical zeros, it can cause synchronization loss between peers at each end of a WAN connection when a data stream contains a long string of logical zeros.
Although HDB3 is based on AMI, HDB3 prevents synchronization loss by limiting the number of consecutive zeros in a data stream to four. HDB3 replaces the zeros with three logical zeros and a violation bit with the same polarity as the last AMI logical one detected.
HDB3 is the most common line-coding scheme used in E1-carrier lines and is the default setting for all E1 interfaces on the ProCurve Secure Router.
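An added Python model of the two line codes, written for this edit and not taken from the manual or the router OS, shows why HDB3 exists: AMI output goes flat for the length of any zero run, while HDB3 never leaves the receiver more than three symbol periods without a pulse. The substitution implemented here follows the full HDB3 rule, which in addition to the 000V form the manual describes uses a B00V form (an extra balancing pulse) when an even number of pulses has been sent since the last violation, so that successive violations alternate polarity and the line stays DC-balanced; the decoder recovers the original bits by spotting the violation. The sample bit pattern is constructed.

```python
def ami_encode(bits):
    """AMI: each 1 is a pulse of alternating polarity (+1/-1); each 0 is zero volts."""
    out, last = [], -1
    for b in bits:
        if b:
            last = -last
            out.append(last)
        else:
            out.append(0)
    return out


def hdb3_encode(bits):
    """HDB3: AMI, but every run of four zeros becomes 000V or B00V.

    V is a bipolar violation (same polarity as the preceding pulse). B is a
    balancing pulse, used when an even number of pulses has been sent since the
    last violation, so that successive violations alternate polarity.
    """
    out = []
    last = -1       # polarity of the most recent pulse (data, B or V)
    since_v = 0     # pulses sent since the last violation
    i = 0
    while i < len(bits):
        if bits[i]:
            last = -last
            out.append(last)
            since_v += 1
            i += 1
        elif list(bits[i:i + 4]) == [0, 0, 0, 0]:
            if since_v % 2:
                out += [0, 0, 0, last]        # 000V
            else:
                last = -last
                out += [last, 0, 0, last]     # B00V
            since_v = 0
            i += 4
        else:
            out.append(0)
            i += 1
    return out


def hdb3_decode(symbols):
    """Undo HDB3: a pulse with the same polarity as the previous pulse is a
    violation, so it and the three symbols before it decode to four zeros."""
    bits = [1 if s else 0 for s in symbols]
    last = 0
    for i, s in enumerate(symbols):
        if s == 0:
            continue
        if s == last:
            for j in range(max(0, i - 3), i + 1):
                bits[j] = 0
        last = s
    return bits


def max_zero_run(symbols):
    """Longest run of zero-volt symbols, the interval a receiver must free-run its clock."""
    best = run = 0
    for s in symbols:
        run = run + 1 if s == 0 else 0
        best = max(best, run)
    return best


# Constructed sample: a long zero run that leaves plain AMI without transitions.
SAMPLE = [1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1]
```

Comparing `max_zero_run(ami_encode(SAMPLE))` with `max_zero_run(hdb3_encode(SAMPLE))` is the whole argument of the paragraph above in two numbers: 8 symbol periods of silence versus at most 3.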
To configure the line coding, use the following command:
Syntax: coding [ami | hdb3]
For example, to configure the coding option to ami, you would enter:
ProCurve(config-e1 1/2)# coding ami
Because HDB3 is the default setting, you do not have to enter the coding command if your PBX uses HDB3.
Configuring Frame Format
E1 interfaces on the ProCurve Secure Router support two frame formats:
■ E1
■ Cyclic Redundancy Check 4 (CRC4)
In the E1 frame format, a channel (or timeslot) is called a TS, and the 32 channels are numbered TS0 to TS31. Two channels are used to establish and maintain synchronization and signaling; specifically, TS0 is used for synchronization, error detection, and alarms, and TS16 is used for signaling. The other channels are used to transmit data or voice.
CRC4 is based on the E1 frame format but includes additional error detection. A checksum bit is included in all even E1 frames with CRC4 format: frame numbers 0, 2, 4, 6, 8, 10, 12, and 14. A total of 8 checksum bits are used.
Although E1 interfaces, including those for the G.703 port, support two frame formats, only one option is listed if you enter the following command from the E1 interface configuration mode context:
ProCurve(config-e1 1/2)# framing ?
Only CRC4 is listed.
By default, the frame format is E1. If your public carrier is using the E1 frame format, you simply accept the default setting; you do not have to enter a framing command.
However, if your public carrier is using the CRC4 frame format, enter:
Syntax: framing crc4
ProCurve(config-e1 1/2)# framing crc4
To return to the E1 frame format, enter:
ProCurve(config-e1 1/2)# no framing
Enabling TS16
TS16 is used when there is a requirement to pass through “signaling” information in a non-proprietary manner. Two types of signaling are used for E1-carrier lines that carry voice—Channel Associated Signaling (CAS) and Common Channel Signaling (CCS). ProCurve Secure Routers support only CAS. For example, they will “split” an E1-carrier line into channels 1-15 and channels 17-31. Typically, this is not an issue because a vast majority of E1 circuits use CAS rather than CCS. (See Bradley Dunsmore and Toby Skandier, Telecommunications Technologies Reference [ISBN 1587050366], p. 155.)
Enter the following command to enable the ProCurve Secure Router to check timeslot 16 for the multiframes it receives on the G.703 interface:
ProCurve(config-e1 1/2)# ts16
The only time there is a signaling requirement and you do not need to configure TS16 is when the signaling is “out-of-band,” or out of the E1 circuit. In this situation, the signaling must be handled by a separate circuit or some proprietary method that your PBX devices use. In other words, if a router allows the mapping of channels 18-31 to the PBX and allows for 18 to accomplish signaling, then the PBXs on both sides of the E1-carrier line must know they are to communicate on this channel for signaling.
Activating the Interface
All interfaces on the ProCurve Secure Router are administratively down by default and must be activated. From the E1 interface configuration mode context, enter:
ProCurve(config-e1 1/2)# no shut
Checking the Status of the G.703 Interface
After you assign the correct number of channels to each interface and then configure the G.703 interface, the connection between the G.703 port and your PBX should come up. You can use the show commands listed in Table 9-2 to view both the status and the configuration information for the G.703 interface.
Table 9-2. show Commands
Command Explanation
show interfaces displays information about all the interfaces—active or inactive—on the ProCurve Secure Router
show interface <interface> <slot>/<port> displays information about a specific physical
show running-config displays all of the settings that you have configured for the ProCurve Secure Router
show running-config verbose displays the entire running-config, including the default settings
show running-config interface <interface ID> displays the settings that you have configured for a particular interface
show running-config interface <interface ID> verbose displays the running-config for a particular interface, including the default settings
For example, to check the status of the G.703 interface, enter:
ProCurve# show interfaces e1 <slot>/2
If you are not in the enable mode context, you can use the do command and enter:
Syntax: do show interfaces e1 <slot>/2
Figure 9-2 shows the output when you enter this command. The first line reports whether the interface is up or down. The first block of text indicates the current configurations for the interface, such as line coding and framing. It also reports any alarms.
The second block of text under “Current Performance Statistics” displays errors. If the number of errors is steadily incrementing, you should check your configuration.
Figure 9-2. show interface e1 Command for the G.703 Port
Viewing Configuration Information
To view the settings that have been entered on the ProCurve Secure Router, enter:
ProCurve# show running-config
Note: Use the do command to enter root commands (such as show commands) from outside the enable mode context.
You must then browse through the output to find the G.703 interface. To view only the running-config for the G.703 interface, enter:
Syntax: show running-config interface e1 <slot>/2
Figure 9-3 shows the running-config for both the E1 and G.703 interfaces.
e1 1/2 is UP
  Receiver has no alarms
  E1 coding is HDB3, framing is E1MF
  No network loopbacks
  Last clearing of counters never
  loss of frame : 0
  loss of signal : 0
  AIS alarm : 0
  Remote alarm : 0
  Line Status: -- No Alarms --

  Current Performance Statistics:
    0 Errored Seconds, 0 Bursty Errored Seconds
    0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
    0 Unavailable Seconds, 0 Path Code Violations
    0 Line Code Violations, 0 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes
No channel assignments are displayed here for the G.703 interface. To view channel assignments for this interface, enter:
show interface e1 <slot>/1
MF (in E1MF) indicates that the TS16 option has been enabled on the G.703 interface.
Figure 9-3. show running-config Command for the E1 and G.703 Interfaces
To view all the settings for the E1 or G.703 interfaces, add the verbose option to the show command:
Syntax: show running-config interface e1 <slot>/2 verbose
Troubleshooting the G.703 Interface
If the G.703 interface is down, you should first check your configuration settings and ensure that they match the settings used on your PBX. In particular, check:
■ Line coding—Is the PBX using AMI or HDB3?
■ Frame format—Is the PBX using E1 or CRC4?
■ Channels—Are the channels allocated correctly for the E1 interface and the G.703 interface?
You can use the show commands described in the previous section to check the configuration settings for the G.703 interface.
If the settings you have configured match those configured on the PBX, you must isolate the problem. Is the problem with the PBX or the G.703 interface?
Alarms or Errors That Will Not Clear
If you are unable to clear alarms or errors in the ProCurve Secure Router OS, the device at the other end of the connection may be causing the problem. To isolate the problem, disconnect the cable from the PBX and loop the G.703 interface back on itself using an external cable. If the unit goes out of alarm, the PBX is at fault. If the unit stays in alarm, use another cable. If the router now goes out of alarm, the cable is obviously the problem.
ProCurveSR7102dl# show running-config interface e1 1/1
interface e1 1/1
  tdm-group 1 timeslots 1-15 speed 64
  no shutdown
ProCurveSR7102dl# show running-config interface e1 1/2
interface e1 1/2
  no framing crc4
  no shutdown
Channel assignments are listed under the E1 <slot>/1 interface.
Yellow Alarm
A yellow alarm indicates that the G.703 interface is receiving signals from a PBX that is in red alarm. The PBX may not be capable of handling the signal that the interface is sending to it. If this problem occurs, recheck the configuration on the PBX and verify that the cable is good.
Interface Is Accruing Errored Seconds and Clock Slips
If the PBX is not at fault, the problem may be with the synchronization. To detect synchronization problems, view the G.703 interface status using the show interfaces command. When you view the status report, you should not see steadily increasing errors. Clock slips indicate that the hosts on either end of the line are unable to properly synchronize their signals.
Check the clock source setting on both the E1 interface and the G.703 interface. Each module can have only one clock source. If the E1 interface is configured to take the clock source from the line, the G.703 interface must have the clock source setting of through. If, on the other hand, the G.703 interface is configured to take the clock source from the line—the PBX—the E1 interface should have a clock source setting of through.
Configuring the T1 + DSX-1 Module
The T1 + DSX-1 module has:
■ a T1 port
■ a DSX-1 port
The T1 port handles the data communications. The DSX-1 port receives all the channels from the T1-carrier line that are not mapped for data and drops these channels into a PBX. When you configure a T1 + DSX-1 module, you must configure it to synchronize the data transfer between the public carrier, the two ports (or interfaces), and the PBX. You must also configure which channels are dropped into the PBX.
Making the Physical Connection
The T1 port on the T1 + DSX-1 module includes a built-in CSU/DSU. You use UTP cabling with RJ-48C connectors to connect the T1 interface to the wall jack provided by your public carrier. (For more information about the CSU/DSU and other public carrier equipment used in a T1 connection, see Chapter 4: Configuring E1 and T1 Interfaces.) You connect the DSX-1 interface to the PBX, using a crossover cable with an RJ-48C connector.
Configuring the T1 Interface for Data Communications
The first step in configuring the DSX-1 drop-and-insert module is to configure the T1 interface that will handle data. Two settings for the T1 interface directly affect the DSX-1 interface:
■ channel assignment
■ clock source
Assigning Channels
When you configure the T1 interface, you assign it a certain number of channels that will be “nailed” to that interface. By default, any channels that you do not assign to the T1 interface are passed to the DSX-1 interface.
A T1-carrier line includes a total of 24 channels. When you divide these channels between the T1 interface and the DSX-1 interface, you must create two groups of contiguous channels.
For example, you could assign channels 1-12 to the T1 interface. Channels 13-24 are then automatically assigned to the DSX-1 module. To assign channels to the T1 interface, move to the T1 interface configuration mode context and enter the tdm-group command:
Syntax: tdm-group <number> timeslots <range of numbers>
ProCurve(config-t1 1/1)# tdm-group 1 timeslots 1-12
If you view the status of the T1 interface (after you configure a logical interface and bind it to the T1 interface), you will see that channels 1-12 are marked with an N. This means that they are “nailed,” or assigned, to the T1 interface. The channels assigned to the DSX-1 interface are marked with a D. (See Figure 9-4.)
Note: If you have not yet entered a bind command to bind the T1 interface to a logical interface, the channel assignments will not be displayed correctly.
Figure 9-4. Viewing the Channel Assignments for the T1 and DSX-1 Interfaces
Setting the Clock Source
Each narrow ProCurve Secure Router module can have only one clock source. For T1 + DSX-1 modules, you configure the clock source on the line that is used for data. By default, the clock source for this T1 interface is line. With this setting, the T1 interface takes its timing from the public carrier’s equipment. The DSX-1 interface, in turn, takes its clock from the T1 interface.
t1 2/1 is UP
  Receiver has no alarms
  T1 coding is B8ZS, framing is ESF
  Clock source is through t1 2/2, FDL type is ANSI
  Line build-out is 0dB
  No remote loopbacks, No network loopbacks
  Acceptance of remote loopback requests enabled
  Tx Alarm Enable: rai
  Last clearing of counters never
    loss of frame : 0
    loss of signal : 0
    AIS alarm : 0
    Remote alarm : 1, last occurred 00:01:57
  DS0 Status: 123456789012345678901234
              NNNNNNNNNNNNDDDDDDDDDDDD
  Status Legend: '-' = DS0 is unallocated
                 'N' = DS0 is dedicated (nailed)
                 'D' = DS0 is allocated to DSX port
  Line Status: -- No Alarms --
  5 minute input rate 16 bits/sec, 0 packets/sec
  5 minute output rate 16 bits/sec, 0 packets/sec
  Current Performance Statistics:
    0 Errored Seconds, 0 Bursty Errored Seconds
    0 Severely Errored Seconds, 3 Severely Errored Frame Seconds
    0 Unavailable Seconds, 0 Path Code Violations
    1 Line Code Violations, 0 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes
  TDM group 1, line protocol is UP
    Encapsulation PPP (ppp 2)
    22 packets input, 714 bytes, 0 no buffer
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame

Callouts in Figure 9-4: channels 1-12 are “nailed” to the T1 interface; channels 13-24 are allocated to the DSX-1 interface; the clock source is set to through.
You may want the T1 + DSX-1 module to take its timing from the PBX rather than from the public carrier’s equipment. To change the clock source for the T1 interface to through, enter:
ProCurve(config-t1 1/1)# clock source through
For detailed information about configuring T1 interfaces, see Chapter 4: Configuring E1 and T1 Interfaces.
Accessing the T1 Interface for the DSX-1 Port
The ProCurve Secure Router treats the DSX-1 port as a T1 interface. Because it is the second port of the T1 + DSX-1 module, you access the DSX-1 interface by entering the following command from the global configuration mode context:
Syntax: interface t1 <slot>/2
For example, if the T1 + DSX-1 module is in slot 1, enter:
ProCurve(config)# interface t1 1/2
You will need to configure the DSX-1 interface to match the settings used by the PBX to which it connects. Both ends of the connection must use the same methods of coding data and dividing it into frames.
As with any T1 interface, you will also need to set the transmit signal level. This setting depends on the distance between the interface and the equipment to which it connects. Properly configuring the signal level compensates for attenuation across distant connections and keeps the signal from becoming “too hot” across short cables.
Finally, you will need to set the signaling mode to determine how the ProCurve Secure Router carries signaling information for the DS0 channels.
Configuring Line Coding
You must configure the DSX-1 interface to use the same line coding that your PBX uses:
■ Alternate Mark Inversion (AMI)
■ Bipolar 8-Zero Substitution (B8ZS)
In AMI, zero voltage represents a logical zero, and alternating positive and negative pulses represent logical ones, which keeps the net DC voltage on the line at zero. AMI has one well-known drawback: a long string of logical zeros carries no pulses, so the receiver can lose clock synchronization.
B8ZS addresses this problem. When eight consecutive zeros are to be sent, the transmitter replaces them with a substitution pattern that contains two bipolar violations, in the fourth and seventh bit positions; the pattern gives the receiver pulses to recover timing from, and because the violations can never occur in valid AMI data, the receiver recognizes the pattern and restores the eight zeros. Because B8ZS eliminates the synchronization problem, it has become the standard line coding on T1-carrier lines, and it is the default setting on the ProCurve Secure Router, although the router supports both AMI and B8ZS.
To configure the line coding, enter the following command from the T1 configuration mode context:
Syntax: coding [ami | b8zs]
For example, to configure the T1 interface to use AMI, enter:
ProCurve(config-t1 1/2)# coding ami
Configuring Frame Format
You must also configure the T1 interface to use the same frame format as that used by the PBX:
■ D4
■ ESF
D4 framing groups 12 consecutive T1 frames (each frame carrying one byte from each of the 24 DS0 channels) into a superframe. ESF groups 24 frames into an extended superframe.
ESF has largely replaced D4 because it uses its framing bits more efficiently, leaving bits free for a CRC and a facility data link (FDL) that are used to monitor and maintain the connection. Because of its popularity, ESF is the default setting for T1 modules on the ProCurve Secure Router.
To configure the frame format, enter the following command from the T1 configuration mode context:
Syntax: framing [d4 | esf]
For example, to configure the T1 interface to use D4, enter:
ProCurve(config-t1 1/2)# framing d4
Setting the Line Length
The ProCurve Secure Router uses transmission line length to determine which voltage to use for data transfer. The greater the distance between equipment, the stronger the signal must be to counteract attenuation. You configure how long the cable is, and the Secure Router OS establishes the proper signal level. Enter:
Syntax: line-length [<0-655> | -7.5]
You can specify the length of the cable up to 655 feet, or you can fix the signal output at -7.5 dB. Use the -7.5 setting to keep the signal from becoming too hot on a short cable.
Use the no form of the command to return the line-length setting to its default of 0 dB.
Configuring Signaling Mode
Use the signaling-mode commands to control how the ProCurve Secure Router transmits signaling information for traffic carried on the DSX-1 inter-face. You use the following command to set the signaling mode:
Syntax: signaling-mode [message-oriented | none | robbed-bit]
Message-oriented signaling reserves channel 24 as a dedicated clear-channel signaling channel; the other 23 channels carry voice. Use this mode for QSIG installations. Enter:
ProCurve(config-t1 1/2)# signaling-mode message-oriented
Set the signaling-mode to none to configure all channels as clear channels. Use this signaling-mode for data-only transmissions or for PBXs that use Integrated Services Digital Network (ISDN) telephone equipment. To config-ure the DSX-1 interface to use all channels as clear channels, enter:
ProCurve(config-t1 1/2)# signaling-mode none
The signaling-mode none command is different from the no signaling-mode command, which returns the interface to the default setting of robbed-bit signaling.
Robbed-bit signaling borrows the least significant bit of each voice channel in every sixth frame to carry signaling information (such as on-hook and off-hook states) in band. Use this signaling mode when you want to use your DSX-1 line for voice applications. Enter:
ProCurve(config-t1 1/2)# signaling-mode robbed-bit
Activating the DSX-1 Interface
By default, all interfaces on the ProCurve Secure Router are administratively down. To activate the interface, enter:
ProCurve(config-t1 1/2)# no shutdown
Checking the Status of the DSX-1 Interface
To check the status of the DSX-1 interface, enter the following command from the enable mode context:
Syntax: show interfaces t1 <slot>/2
Figure 9-5 shows the output for a sample DSX-1 interface.
Figure 9-5. show interface t1 Command for the DSX-1 Port
The first line in the output tells you whether the interface is up or down. The first block of text indicates the current configurations for the interface, including line length and signaling mode, as well as line coding and framing.
The second block of text, headed “Current Performance Statistics,” displays errors. Steadily incrementing errors indicate that you need to resolve prob-lems with the configuration.
t1 2/2 is UP
  Receiver has no alarms
  T1 coding is B8ZS, framing is ESF
  Line length is 55 feet
  Signaling mode: robbed bit
  No remote loopbacks, No network loopbacks
  Tx Alarm Enable: rai
  Last clearing of counters never
    loss of frame : 0
    loss of signal : 0
    AIS alarm : 0
    Remote alarm : 0
  Line Status: -- No Alarms --
  Current Performance Statistics:
    5 Errored Seconds, 0 Bursty Errored Seconds
    5 Severely Errored Seconds, 5 Severely Errored Frame Seconds
    0 Unavailable Seconds, 0 Path Code Violations
    1 Line Code Violations, 0 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes

Callout in Figure 9-5: no channel assignments are displayed for the DSX-1 interface. To view the channel assignments for this module, enter show interface t1 <slot>/1.
Viewing Configuration Information
To view the settings that have been entered on the ProCurve Secure Router, enter:
ProCurve# show running-config
You must then browse through the output to find the DSX-1 interface. To view only the running-config for the DSX-1 interface, enter:
ProCurve# show running-config interface t1 <slot>/2
Figure 9-6 shows the running-config for both the T1 and DSX-1 interfaces.
Figure 9-6. show running-config Command for the T1 and DSX-1 Interfaces
To view all the settings (including default settings) for the T1 interface or DSX-1 interface, add the verbose option to the show command:
ProCurve# show running-config interface t1 <slot>/2 verbose
Troubleshooting the DSX-1 Interface
To troubleshoot a DSX-1 interface, you must first isolate the problem. Is the problem with the PBX? With the DSX-1 interface? With the T1 interface? Or is the problem with the public carrier’s equipment?
Alarms or Errors That Will Not Clear
When you are unable to clear alarms or errors in the Secure Router OS, the device at the other end of the cable is often at fault. To isolate the problem, disconnect the cable from the PBX and loop the DSX-1 interface back on itself using an external cable. If the unit goes out of alarm, you know that the PBX is at fault.
Figure 9-6 output:

ProCurveSR7102dl# show running-config interface t1 2/1
interface t1 2/1
  clock source through
  tdm-group 1 timeslots 1-12 speed 64
  no shutdown

ProCurveSR7102dl# show running-config interface t1 2/2
interface t1 2/2
  signaling-mode none
  no shutdown

Callout in Figure 9-6: the channel assignment is listed under the T1 <slot>/1 interface, not under the DSX-1 interface.
If the unit stays in alarm, change the cable. If the router now goes out of alarm, you know that the cable, and not the interface, was the problem.
Troubleshoot connections between the T1 interface and the wall jack in the same way.
Yellow Alarm
A yellow alarm indicates that although the DSX-1 is receiving signals, the PBX is in red alarm. The PBX may not be capable of handling the signal that the interface is sending to it. Try lowering the signal output, either by setting a shorter line length or by configuring the signal at -7.5 decibels.
Interface Is Accruing Errored Seconds and Clock Slips
If, on the other hand, the PBX or CSU is not at fault, you might have a problem with synchronization. You can detect this problem by using the show interfaces command to view the DSX-1 interface status. When you view the output, you should not see steadily increasing errors. Clock slips indicate that the ends of the line are unable to properly synchronize their signals.
Check the clock source setting for both interfaces on the T1 + DSX-1 module. If the DSX-1 interface is taking the clock from the PBX, change the clock source to the through option for the T1 interface that controls port 1 on the T1 + DSX-1 module.
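To act on the advice in this section and in “Checking the Status of the DSX-1 Interface” (steadily incrementing errors point to a configuration problem; rising clock slips point to a synchronization problem), a practitioner usually compares two captures of show interfaces t1 taken a few minutes apart. The Python below is an added example, not Secure Router OS code: it parses the interface header, coding, framing, clock source, line status and the “Current Performance Statistics” block, and reports which counters grew between two snapshots. The first sample output is reconstructed from Figure 9-5; the second is constructed with invented counter values to show a degrading line; the diagnostic hints are this example's own wording, not router messages.

```python
"""Added example (not Secure Router OS code): parse 'show interfaces t1'
output and compare two snapshots to spot the conditions the troubleshooting
section describes (alarms, steadily rising error counters, clock slips).

SNAPSHOT_1 is reconstructed from Figure 9-5; SNAPSHOT_2 is constructed with
invented counter values. The hints returned by diagnose() are this example's
own and are not router messages.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^(t1 \d+/\d+) is (UP|DOWN)\b")
CODING_RE = re.compile(r"T1 coding is ([^,\s]+), framing is (\S+)")
CLOCK_RE = re.compile(r"Clock source is ([^,]+)")
LINE_STATUS_RE = re.compile(r"Line Status: -- (.+?) --")
# "<count> <Counter Name>" items separated by commas, e.g. "5 Errored Seconds, 0 Bursty Errored Seconds"
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z ]*[A-Za-z])\s*(?:,|$)")

SYNC_COUNTERS = ("Controlled Slip Seconds",)
ERROR_COUNTERS = (
    "Errored Seconds", "Bursty Errored Seconds", "Severely Errored Seconds",
    "Severely Errored Frame Seconds", "Unavailable Seconds",
    "Path Code Violations", "Line Code Violations", "Line Errored Seconds",
    "Degraded Minutes",
)


@dataclass
class T1Status:
    name: str
    up: bool
    coding: str | None = None
    framing: str | None = None
    clock_source: str | None = None
    line_status: str | None = None
    counters: dict[str, int] = field(default_factory=dict)


def parse_show_t1(text: str) -> T1Status:
    """Extract the fields of one interface from 'show interfaces t1 <slot>/<port>' output."""
    status: T1Status | None = None
    in_stats = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            status = T1Status(name=m.group(1), up=(m.group(2) == "UP"))
            in_stats = False
            continue
        if status is None:
            continue
        if line.startswith("Current Performance Statistics"):
            in_stats = True
            continue
        if in_stats and line[0].isdigit():  # counter lines all begin with a number
            for value, name in COUNTER_RE.findall(line):
                status.counters[name] = int(value)
            continue
        in_stats = False  # a non-numeric line ends the statistics block
        if m := CODING_RE.search(line):
            status.coding, status.framing = m.group(1), m.group(2)
        elif m := CLOCK_RE.search(line):
            status.clock_source = m.group(1).strip()
        elif m := LINE_STATUS_RE.search(line):
            status.line_status = m.group(1)
    if status is None:
        raise ValueError("no 't1 <slot>/<port> is UP|DOWN' header found")
    return status


def rising_counters(prev: T1Status, cur: T1Status) -> dict[str, int]:
    """Counters that grew between two snapshots, with the size of the increase."""
    return {
        name: cur.counters[name] - prev.counters.get(name, 0)
        for name in cur.counters
        if cur.counters[name] > prev.counters.get(name, 0)
    }


def diagnose(prev: T1Status, cur: T1Status) -> list[str]:
    """Apply the chapter's troubleshooting rules to two successive snapshots."""
    findings: list[str] = []
    if not cur.up:
        findings.append(f"{cur.name} is down: check cabling and the far-end device")
    if cur.line_status and cur.line_status != "No Alarms":
        findings.append(f"{cur.name} reports alarm: {cur.line_status}")
    rising = rising_counters(prev, cur)
    if any(name in rising for name in SYNC_COUNTERS):
        findings.append("clock slips are accruing: check 'clock source' on both "
                        "interfaces of the T1 + DSX-1 module")
    errors = [name for name in rising if name in ERROR_COUNTERS]
    if errors:
        findings.append("error counters still rising: " + ", ".join(errors))
    return findings


SNAPSHOT_1 = """\
t1 2/2 is UP
  Receiver has no alarms
  T1 coding is B8ZS, framing is ESF
  Line length is 55 feet
  Signaling mode: robbed bit
  No remote loopbacks, No network loopbacks
  Tx Alarm Enable: rai
  Last clearing of counters never
    loss of frame : 0
    loss of signal : 0
    AIS alarm : 0
    Remote alarm : 0
  Line Status: -- No Alarms --
Current Performance Statistics:
  5 Errored Seconds, 0 Bursty Errored Seconds
  5 Severely Errored Seconds, 5 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  1 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
"""

# Constructed second capture of the same interface: invented values showing
# errored seconds and controlled slips climbing between the two captures.
SNAPSHOT_2 = SNAPSHOT_1.replace("5 Errored Seconds", "19 Errored Seconds").replace(
    "0 Controlled Slip Seconds", "7 Controlled Slip Seconds")

if __name__ == "__main__":
    for finding in diagnose(parse_show_t1(SNAPSHOT_1), parse_show_t1(SNAPSHOT_2)):
        print(finding)
```

Run against the two samples, diagnose() flags the slips first (the synchronization case from this section) and then the rising errored seconds; run against two identical captures it returns nothing, which is the "no steadily increasing errors" state the text asks you to look for.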
Quick Start
This section provides the commands you must enter to quickly configure a G.703 interface or a DSX-1 interface on the ProCurve Secure Router. Only a minimal explanation is provided.
If you need additional information about any of these options, see “Contents” on page 9-1 to locate the section and page number that contains the explanation you need.
Configuring the E1 + G.703 Module
Making the Physical Connection
1. Use unshielded twisted pair (UTP) cabling with RJ-48C connectors to connect the E1 interface to the CSU provided by your Postal, Telegraph and Telephone (PTT) authority.
2. Use crossover UTP cabling with RJ-48C connectors to connect the G.703 interface to the PBX.
Configuring the E1 Interface
When you configure a G.703 module, you first configure the E1 interface to handle data communications. As part of this configuration, you assign the number of channels that you will use for data to the E1 interface, and the remaining channels are automatically assigned to the G.703 interface.
In addition, you can configure the clock source (rather than simply accepting the default setting of line). For an E1 + G.703 module, the clock source is set only on the E1 interface.
To assign the channels to the E1 interface, complete these steps:
1. From the global configuration mode context, enter the following command:
Syntax: interface e1 <slot>/1
Replace <slot> with the slot number in which the module is installed. For example, if the module is in slot one, enter:
ProCurve(config)# interface e1 1/1
2. Use the following command to create a TDM group and assign it the number of channels used for data.
Syntax: tdm-group <number> timeslots <range of numbers>
When you divide channels between the E1 interface and the G.703 interface, you must create two groups of contiguous channels. Typically, you will reserve channel 16 and all subsequent channels for the G.703 interface. Enter:
ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-15
The remaining channels—in this case, channels 16-31—are automatically assigned to the G.703 interface.
3. If you want the E1 + G.703 module to take its clock source from the PBX, enter:
ProCurve(config-e1 1/1)# clock source through
This chapter includes only the steps for configuring the E1 interface that directly affect the G.703 interface. After you enter the tdm-group command, you must configure the other settings for the E1-carrier line: you must then configure the Data Link Layer protocol and bind the physical interface to the logical interface. For detailed information about configuring the E1 interface for data communications, see Chapter 4: Configuring E1 and T1 Interfaces.
Configuring the G.703 Interface
1. Access the E1 interface for the G.703 port:
Syntax: interface e1 <slot>/2
For example, if the E1 + G.703 module is in slot 1, enter
ProCurve(config)# interface e1 1/2
2. Configure the line coding. You should match the line coding used on your PBX:
Syntax: coding [ami | hdb3]
The default setting is HDB3.
For example, to configure the line coding as AMI, enter:
ProCurve(config-e1 1/2)# coding ami
3. Configure frame format. If your PBX uses the E1 frame format, you do not need to enter any commands because this is the default setting. If your PBX uses the CRC4 frame format, enter:
Syntax: framing crc4
ProCurve(config-e1 1/2)# framing crc4
4. Configure TS16 signaling.
ProCurve(config-e1 1/2)# ts16
5. Activate the G.703 interface.
ProCurve(config-e1 1/2)# no shutdown
Configuring the T1 + DSX-1 Module
Making the Physical Connection
1. Use UTP cabling with RJ-48C connectors to connect the T1 interface to the wall jack provided by your public carrier.
2. Use crossover UTP cabling with RJ-48C connectors to connect the DSX-1 interface to the PBX.
Assigning the Channels to the T1 Interface
When you configure a DSX-1 interface, you first configure the T1 interface to handle the data communications. As part of this configuration, you assign the number of channels that you will use for data to the T1 interface, and the remainder of the channels are automatically passed to the DSX-1 module.
In addition, you can configure the clock source (rather than simply accepting the default setting of line). For a T1 + DSX-1 module, the clock source is set only on the T1 interface.
To assign the channels to the T1 interface, complete these steps:
1. From the global configuration mode context, enter the following command:
Syntax: interface t1 <slot>/1
Replace <slot> with the slot number where the T1 module is housed. For example, if the T1 module is in slot 1, enter:
ProCurve(config)# interface t1 1/1
2. When you divide channels between the T1 interface and the DSX-1 interface, you must create two groups of contiguous channels. Use the following command to create a TDM group and assign it the number of channels used for data.
Syntax: tdm-group <number> timeslots <range of numbers>
For example, if you want to use channels 1-12 for data, enter:
ProCurve(config-t1 1/1)# tdm-group 1 timeslots 1-12
3. Configure the clock source for the interface. By default, the clock source for the T1 interface is line, which takes timing from the public carrier’s equipment. To configure the T1 + DSX-1 module to take its timing from the PBX instead, enter the following on the T1 interface (port 1) of the module:
ProCurve(config-t1 1/1)# clock source through
This chapter includes only the T1 configuration steps that directly affect the DSX-1 interface. You must configure the other settings for the T1-carrier line, configure the Data Link Layer protocol, and bind the physical interface to the logical interface. For detailed information about configuring the T1 interface for data communications, see Chapter 4: Configuring E1 and T1 Interfaces.
Configuring the DSX-1 Interface
1. Access the T1 interface for the DSX-1 module:
Syntax: interface t1 <slot>/2
For example, if the T1 + DSX-1 module is in slot 1, enter
ProCurve(config)# interface t1 1/2
2. Configure the line coding to match the coding used by the PBX. The default setting is B8ZS.
Syntax: coding [ami | b8zs]
For example, to configure the T1 interface to use the coding ami option, enter:
ProCurve(config-t1 1/2)# coding ami
3. Configure the frame format. The default setting is ESF.
Syntax: framing [d4 | esf]
For example, to configure the T1 interface to use D4, enter:
ProCurve(config-t1 1/2)# framing d4
4. Enter the cable length setting so that the Secure Router OS can establish the proper signal level. Enter:
Syntax: line-length <cable length>
Replace <cable length> with -7.5 or the length of the cable in feet, up to 655 feet.
5. Configure the signaling mode:
Syntax: signaling-mode [message-oriented | none | robbed-bit]
6. Activate the interface
ProCurve(config-t1 1/2)# no shutdown
Chapter 10: Bridging—Transmitting Non-IP Traffic or Merging Two Networks
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Transmitting Non-IP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Merging Two Remote Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Configuring Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Configuring a Bridge Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Assigning an Interface to the Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Disabling IP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Viewing the Bridge Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Troubleshooting Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Configuring Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12
STP BPDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12
STP States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
RSTP Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
RSTP and STP Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
Configuring RSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
Determining Which Device Becomes Root: Setting the Router’s Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-18
Determining Which Links Are Chosen: Setting Link Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-18
Setting Interface Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19
Altering Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22
Configuring STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23
Using the BPDU Filter to Disable STP or RSTP . . . . . . . . . . . . . . . . 10-23
Bridging—Transmitting Non-IP Traffic or Merging Two NetworksContents
Troubleshooting Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24
Testing Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24
Addressing Common Spanning Tree Problems . . . . . . . . . . . . . . . . . 10-25
Slow Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27
Incorrect Path Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29
Overview
The ProCurve Secure Router can function as a bridge as well as a router. A bridge, like a switch, is a Layer 2 device that operates at the Data Link Layer of the Open Systems Interconnection (OSI) model. A bridge connects two or more LAN segments together. Bridges and switches also minimize traffic on network segments by breaking up traffic areas, reducing data transmission delays, and increasing the efficiency of the network. A bridged network can provide traffic management by reducing collisions and limiting the amount of bandwidth wasted with unnecessary transmissions when routing is not necessary.
Each device connected by a bridge must be on the same logical network because Layer 2 devices translate and filter only hardware (MAC) addresses. Bridges and switches make forwarding and filtering decisions based on these MAC addresses; upper-Layer protocols—such as IP—are transparent to them.
Bridges can be categorized as either local or remote (see Figure 10-1). Local bridges provide connectivity for multiple LAN segments in one area. A remote bridge, on the other hand, connects LAN segments in different areas. Because remote bridges must connect geographically distant LAN segments, they have special design considerations, including the buffering of the LAN-to-WAN connection speed variation.
Figure 10-1. Local and Remote Bridges
[Figure 10-1: two sites, both addressed 172.16.0.0/16. At each site a local bridge joins two LAN segments (Segments 1 and 2 at one site, Segments 3 and 4 at the other); a remote bridge at each site joins the two sites across the WAN.]
The ProCurve Secure Router supports transparent bridging as defined in the IEEE 802.1D standard. You would configure a ProCurve Secure Router to act as a remote bridge to allow it to:
■ transmit non-IP traffic
■ merge two remote networks
Transmitting Non-IP Traffic
The ProCurve Secure Router only routes IP traffic. If one or more of the networks in a WAN use a different Layer 3 protocol, you must configure the router to bridge this traffic. The router will simply pass the traffic through interfaces in the bridge group without examining or modifying the Layer 3 header.
Non-IP protocols that must be bridged include:
■ NetBIOS
■ IPX
■ AppleTalk
■ DECnet
Merging Two Remote Networks
When you configure the ProCurve Secure Router to act as a bridge, you extend a LAN through WAN connections. In essence, the WAN becomes a single LAN. The distance between the bridges does not matter; they connect segments of a single network.
However, practically, LAN connections transmit at much higher speeds than WAN connections. As you design your network, you should take this difference into account. While flooding messages between remote segments is logically equivalent to flooding them between local segments, sending messages to a remote segment costs more in terms of time and relative bandwidth as well as money.
Spanning Tree Protocol
When the ProCurve Secure Router bridges traffic, it forwards that traffic at Layer 2 without routing it. Like a switch, it must therefore run a spanning tree protocol to eliminate loops and respond to network topology changes. Bridged interfaces on the ProCurve Secure Router automatically run Rapid Spanning Tree Protocol (RSTP), IEEE 802.1w. If necessary, you can alter the default spanning tree settings. See “Configuring Spanning Tree” on page 10-11.
Configuring Bridging
You configure the ProCurve Secure Router to function as a bridge by assigning logical interfaces to be part of a bridge group. For example, you could assign the Ethernet interface and the Point-to-Point Protocol (PPP) interface to a bridge group, or you could assign the Ethernet interface and the Frame Relay subinterface to a bridge group.
When the router receives a packet on a bridged interface, it floods the packet out all interfaces in the bridge group. The router also stores the source MAC address of the packet in a bridge table, together with the interface from which it received the packet. When a packet arrives destined for that address, the router then knows through which interface to forward it. In this way, the router gradually learns how to forward traffic and contain packets.
Figure 10-2. Bridging Example
In Figure 10-2, networks at sites A, B, and C use IPX. The sites connect through a Frame Relay network. When configuring bridging for the traffic between these sites, you would assign the Ethernet interface and Frame Relay subinter-faces to the same bridge group. When Router A receives a packet from a local host on its Ethernet interface, it searches its bridge table for the entry corresponding to its destination MAC address. It then transmits it out the correct Frame Relay subinterface, leaving the IPX header unexamined and intact. Router B receives the packet on its Frame Relay subinterface and transmits it out its Ethernet interface. The network at site B can now process the IPX packet.
[Figure 10-2: Router A, Router B, and Router C, each with an IPX LAN, connected through a Frame Relay network. Router A’s bridge table maps MAC address 00:10:4B:A0:DF:8F to Frame Relay subinterface 1.16; the labels 16 and 17 mark the circuits leaving Router A.]
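The learning and flooding behaviour just described can be expressed as a short simulation. The Python below is an added example, not Secure Router OS code: it implements a bridge table keyed by MAC address, floods frames for unknown or group destinations out every other interface in the group, learns source addresses against their ingress interface, and forwards known destinations out a single interface. It also caps the table at a fixed number of station entries (1024 in the show bridge output later in this chapter) so that the failure mode a security engineer cares about is visible: once an attacker on one segment has filled the table with forged source addresses, genuine stations can no longer be learned and traffic for them is flooded to every segment, including the WAN links. How a full table is handled (new entries refused) is this example's assumption, not documented router behaviour; interface names and MAC addresses are taken from Figures 10-2 and 10-4.

```python
"""Added example (not Secure Router OS code): a learning bridge in Python.

Models the forwarding behaviour described in the text (flood unknown
destinations out every other interface of the bridge group, learn the source
MAC against the ingress interface, forward known destinations out one
interface) plus one capacity rule: the table holds a fixed number of station
entries, 1024 in the sample 'show bridge' output. Refusing new entries when
the table is full is this example's assumption about failure mode, not
documented router behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Multicast/broadcast MACs have the low bit of the first octet set; never learn them."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: bytes = b""  # Layer 3 header and data; the bridge never inspects it


class Bridge:
    def __init__(self, interfaces: list[str], capacity: int = 1024) -> None:
        self.interfaces = list(interfaces)
        self.capacity = capacity
        self.table: dict[str, str] = {}  # MAC -> interface it was last seen on
        self.flooded = 0          # frames sent out every other interface
        self.learn_failures = 0   # source MACs not learned because the table was full

    def _learn(self, mac: str, ingress: str) -> None:
        if mac in self.table or len(self.table) < self.capacity:
            self.table[mac] = ingress  # new station, or one that moved segments
        else:
            self.learn_failures += 1

    def receive(self, ingress: str, frame: Frame) -> list[str]:
        """Return the interfaces the frame is forwarded out of (possibly none)."""
        if ingress not in self.interfaces:
            raise ValueError(f"{ingress} is not in the bridge group")
        if not is_group_address(frame.src):
            self._learn(frame.src.lower(), ingress)
        out = self.table.get(frame.dst.lower())
        if is_group_address(frame.dst) or out is None:
            self.flooded += 1
            return [i for i in self.interfaces if i != ingress]
        if out == ingress:
            return []  # destination sits on the segment the frame came from
        return [out]


def table_exhaustion_demo(capacity: int = 8) -> dict[str, object]:
    """Fill the table with forged source MACs from the LAN, then show that a
    genuine LAN station can no longer be learned and a reply to it floods."""
    br = Bridge(["eth 0/1", "fr 1.16", "fr 1.17"], capacity=capacity)
    remote_host = "00:10:4b:a0:df:8f"  # host behind fr 1.16 (Figure 10-4)
    lan_host = "00:d0:59:24:43:b5"     # host on eth 0/1 (Figure 10-4)
    br.receive("fr 1.16", Frame(remote_host, BROADCAST))  # remote host learned first
    # Constructed attacker traffic: 'capacity' distinct forged unicast sources on the LAN side.
    for i in range(capacity):
        br.receive("eth 0/1", Frame(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST))
    br.receive("eth 0/1", Frame(lan_host, remote_host))  # table full: lan_host not learned
    reply_out = br.receive("fr 1.16", Frame(remote_host, lan_host))  # unknown dst: flooded
    return {
        "entries": len(br.table),
        "learn_failures": br.learn_failures,
        "reply_out": reply_out,
    }


if __name__ == "__main__":
    print(table_exhaustion_demo())
```

table_exhaustion_demo() returns the table size, the number of failed learns, and the interfaces the reply to the unlearned LAN host leaves on; with capacity 8 that reply goes out both eth 0/1 and fr 1.17, that is, across a WAN link to a third site that had no business seeing it. Whether the real device can be pushed into this state by forged source addresses is not something this chapter states; take the demonstration as motivation for not enabling bridging on interfaces that face untrusted hosts and for watching the station-block count in show bridge.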
To configure bridging, you must:
■ configure a bridge group
■ assign interfaces to the bridge group
■ disable IP routing, if you are bridging IP traffic
Note: The ProCurve Secure Router does not both route and bridge IP traffic. If you want to bridge IP traffic, you must disable IP routing.
However, the router can route IP traffic and bridge non-IP traffic at the same time. It can even route IP traffic and bridge non-IP traffic on the same Frame Relay or ATM interface. For example, you could configure Frame Relay subinterface 1.101 as part of a bridge group for non-IP traffic, but route IP traffic through Frame Relay subinterface 1.102.
Configuring a Bridge Group
You create bridge groups from the global configuration mode context. When you create the bridge, you must specify that it uses IEEE:
Syntax: bridge <group number> protocol ieee
The group number can be between 1 and 255. For example:
ProCurve(config)# bridge 1 protocol ieee
Assigning an Interface to the Bridge
You configure bridging on Data Link Layer interfaces. Typically, you will assign both LAN and WAN interfaces to the bridge group.
LAN interfaces include:
■ Ethernet interfaces
When you enable 802.1Q encapsulation on an Ethernet interface, you can no longer assign it to a bridge group; the interface can now carry traffic for multiple VLANs and you cannot bridge traffic between different VLANs.
WAN interfaces on which you can configure bridging include:
■ PPP interfaces
■ High-level Data Link Control (HDLC) interfaces
■ Frame Relay subinterfaces
■ Asynchronous Transfer Mode (ATM) subinterfaces
If you want to configure bridging between more than one switch, remember to assign both Ethernet interfaces to the bridge group. If the router is acting as a remote bridge to more than one remote site (for example, the headquar-ters router in the Frame Relay network shown in Figure 10-2), you should assign all WAN interfaces to the bridge.
You can also assign only WAN interfaces to a bridge, although you probably would not use this application. In this case, the router would simply act as a corridor between remote sites.
To assign an interface to a bridge group:
1. Move to the logical interface configuration mode context:
ProCurve(config)# int ppp 1
2. Assign the interface to the bridge group:
Syntax: bridge-group <group number>
For example:
ProCurve(config-ppp 1)# bridge-group 1
Note: Only one interface in the bridge group should have an IP address. You should remove all IP addresses from other interfaces before configuring the bridge.
Note: Remember that every host in a bridged network must be on the same subnet.
If you want to bridge traffic between hosts on multiple subnets, you can change the subnet mask so that all hosts are on the same subnet. You could also enable a different bridge group on the interfaces connecting to each subnet. However, in the second case the subnets will not communicate with each other unless another device routes between them.
Disabling IP Routing
The router cannot both route and bridge IP traffic. You must disable IP routing when the router acts as a remote bridge to join two sites using addresses on the same IP network.
Enter the following command to disable IP routing:
ProCurve(config)# no ip routing
Rather than use the router as a bridge in this situation, you could use variable-length subnetting to divide the network into two subnets. This solution works when the sites include contiguous, evenly divided addresses. For example, in Figure 10-3 an organization uses network 192.168.1.0 /24. Site A uses addresses 192.168.1.1 through 192.168.1.127 and Site B uses addresses 192.168.1.128 through 192.168.1.254. You could divide the subnet into subnets 192.168.1.0 /25 and 192.168.1.128 /25.
Figure 10-3. Variable-Length Subnetting
Viewing the Bridge Table
The ProCurve Secure Router stores information about how to forward bridged packets in a bridge table. To view the bridge table, move to the enable mode context and enter:
Syntax: show bridge <group number>
For example:
ProCurve# show bridge 1
Note: You must either enter show commands from the enable mode context or add do to the command. For example, to view the bridge table from the global configuration mode context, you would enter do show bridge.
The bridge table contains MAC addresses for hosts in the bridged network and the interface through which the router connects to these hosts. It also displays the age of the entry and the number of frames transmitted to and received from the host. (See Figure 10-4.)
[Figure 10-3: Site A (Router A) uses addresses 192.168.1.1 - 192.168.1.127 and becomes subnet 192.168.1.0 /25; Site B (Router B) uses addresses 192.168.1.128 - 192.168.1.254 and becomes subnet 192.168.1.128 /25.]
Figure 10-4. Viewing a Bridge Table
You can also view specific portions of the bridge table. Use the commands shown in Table 10-1.
If necessary, you can manually add a host to the bridge table with this global configuration mode context command:
Syntax: mac address-table static <mac address> bridge <group number> <interface ID>
Identify the host by its MAC address and enter the number of the bridge group and the forwarding interface.
Table 10-1. Viewing Portions of the Bridge Table

  Display Hosts Connected Through        Command Syntax
  -------------------------------------  ---------------------------------------------
  a specific bridge group                show bridge <group number>
  a specific Ethernet interface          show bridge ethernet <slot>/<port>
  a specific PPP interface               show bridge ppp <interface number>
  a specific Frame Relay subinterface    show bridge frame-relay <subinterface number>
  a specific HDLC interface              show bridge hdlc <interface number>
ProCurveSR7102dl# show bridge 1
Bridge Group 1:
Total of 1024 station blocks, 1024 free
Code: P - permanent

Address            Action   Interface   Age   RX count   TX count
00:10:4B:A0:DF:8F  forward  fr 1.16     2     41         10
00:D0:59:24:43:B5  forward  eth 0/1     0     8          0

(Figure 10-4 callouts: the Address column identifies the host by MAC address; the Interface column shows the interface through which the host can be reached; RX count and TX count are the packets received from and sent to the host.)
Troubleshooting Bridging
When traffic is not able to reach its destination, follow this standard troubleshooting process:
1. Check the Physical Layer:
a. If the Stat LED for the carrier line’s module slot is green, the physical line is up. Move to the second step.
b. If the Stat LED for the line is red, the physical line is down. Check for bad cables, then for configuration mismatches. (For more detailed instructions, see “Troubleshooting an Ethernet Interface” on page 3-24, “Troubleshooting E1 and T1 WAN Connections” on page 4-30, “Troubleshooting a Serial Connection” on page 5-17, or “Troubleshooting the ADSL Connection” on page 7-46.)
2. Check the Data Link Layer:
a. View the status of logical interfaces, including Ethernet interfaces. For example:
ProCurve# show interface frame-relay 1
b. If the interface is up, move to step 3.
c. If the interface is down, follow the troubleshooting tips in “Troubleshooting an Ethernet Interface” on page 3-24, “Troubleshooting Logical Interfaces” on page 6-58, or “Troubleshooting the ATM Interface” on page 7-48.
3. Check that all interfaces that should be members of a bridge group are members. View the running-config for the interface and look for the bridge group number:
ProCurve# show run int eth 0/1
4. If an interface refuses to join a bridge group, try removing other interfaces from the group (enter no bridge-group <group number> from the interface configuration mode context). Then configure the Ethernet interface to join the bridge group first.
5. If you are using the bridge to connect remote sites using addresses on the same subnet, you should disable IP routing. Verify that IP routing has been disabled:
ProCurve# show running-config
6. Verify that all hosts participating in a bridge group are on the same subnet. You can also try viewing the bridge table. If the table does not show entries for an interface, this is a good hint that the devices on the other end of that connection are on a different subnet.
7. The bridge runs more smoothly if you remove IP addresses from every interface in the bridge except one. For example, you can assign only the Ethernet interface an IP address. Enter show ip interfaces and verify that WAN interfaces in the bridge group do not have IP addresses.
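Steps 3, 5 and 7 of this checklist can be run automatically against saved running-config text. The following Python script is an added example, not part of the guide or of the Secure Router OS; it assumes the config is laid out as "interface <name>" stanzas containing "ip address" and "bridge-group" lines, and the config text itself is constructed.

```python
"""Audit a saved running-config for the bridging checklist: IP routing disabled,
every expected interface in the bridge group, and only one bridged interface
with an IP address. Added example; the config layout below is assumed."""

# Constructed sample (not captured from a router). Two mistakes are planted:
# IP routing is still on, and fr 1.1 carries an IP address even though eth 0/1
# already has one.
SAMPLE_CONFIG = """\
hostname ProCurve
ip routing
interface eth 0/1
  ip address 192.168.1.1 255.255.255.0
  bridge-group 1
  no shutdown
interface fr 1
  no shutdown
interface fr 1.1
  ip address 192.168.1.2 255.255.255.0
  bridge-group 1
"""


def parse_config(text):
    """Return (ip_routing_disabled, {interface: {"bridge_group": int|None, "ip": str|None}}).

    Only an explicit 'no ip routing' counts as disabled, matching step 5 of the
    checklist, which tells you to verify that the command is present.
    """
    ip_routing_disabled = False
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "no ip routing":
            ip_routing_disabled = True
        elif line.startswith("interface "):
            # Interface names on this router look like "eth 0/1" or "fr 1.1"
            current = line[len("interface "):].strip()
            interfaces[current] = {"bridge_group": None, "ip": None}
        elif current and line.startswith("bridge-group "):
            interfaces[current]["bridge_group"] = int(line.split()[1])
        elif current and line.startswith("ip address "):
            interfaces[current]["ip"] = line.split()[2]
    return ip_routing_disabled, interfaces


def audit_bridging(text, group, expected_members):
    """Return a list of findings, one per checklist step that fails."""
    ip_routing_disabled, interfaces = parse_config(text)
    findings = []
    # Step 5: bridging one subnet across sites requires 'no ip routing'
    if not ip_routing_disabled:
        findings.append("step 5: IP routing is still enabled; enter 'no ip routing'")
    # Step 3: every interface that should bridge must carry the bridge-group line
    members = [name for name, i in interfaces.items() if i["bridge_group"] == group]
    for name in expected_members:
        if name not in members:
            findings.append(f"step 3: {name} is not a member of bridge group {group}")
    # Step 7: only one interface in the bridge (normally Ethernet) should have an IP address
    addressed = [name for name in members if interfaces[name]["ip"]]
    if len(addressed) > 1:
        findings.append("step 7: more than one bridged interface has an IP address: "
                        + ", ".join(addressed))
    return findings


if __name__ == "__main__":
    for finding in audit_bridging(SAMPLE_CONFIG, 1, ["eth 0/1", "fr 1.1"]):
        print(finding)
```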
Configuring Spanning Tree
When the router acts as a bridge, it automatically enables Rapid Spanning Tree Protocol (RSTP), or IEEE 802.1w. RSTP eliminates network loops and is fully backwards compatible with Spanning Tree Protocol (STP), or IEEE 802.1D.
The router only supports RSTP and STP when it acts as a bridge. The following interfaces join the spanning tree when they join a bridge group:
■ Ethernet interfaces
■ Frame Relay subinterfaces
■ ATM subinterfaces
Often, the router will be able to run RSTP adequately without additional configuration: the default settings match most WAN topologies.
You can configure spanning tree functions on the router in order to:
■ raise the router’s priority for being elected root device
■ change the cost of a connection
■ connect the router to an edge device
■ connect the router to a hub
■ have the router run STP
Configuring spanning tree on a WAN router is usually simpler than configuring it on a switch. A switch might provide many connections—some redundant, some necessary, some faster, some slower, some to end users, some to another switch, some to a hub. The ProCurve Secure Router typically has fewer connections—and these only to other routers and switches—and is part of few or no loops. Therefore, you need not understand STP and RSTP in great technical depth.
The overview provides a brief background in STP and RSTP for those who want to learn more about how the protocols function.
Overview
Network devices in a Data Link Layer network, such as bridges and switches, run STP or RSTP. Bridged interfaces on the ProCurve Secure Router also participate in the spanning tree protocol. The protocol helps devices to generate a loopless topology.
Unlike routers, switches do not time out messages. Loops in a network topology can lead to duplicated messages and broadcast storms, which can bring a network down. However, the redundant links that cause loops can also be desirable: they protect against loss of connectivity when a connection fails.
STP allows network devices to generate a shared loopless topology, blocking all redundant links. However, if active connections fail, redundant links can become active for as long as the original path is down.
RSTP is now the spanning tree standard. It improves convergence time to less than one second and is the recommended implementation.
STP BPDUs
Devices running STP send and listen for configuration bridge protocol data units (BPDUs) to determine the spanning tree topology. Each BPDU includes:
■ the identifier (priority plus MAC address) of the source port
■ the identifier of the root device
■ the cost between the source port and root device
Using these BPDUs, each device can determine:
■ Which device is root—The root is the device from which the tree topology originates. All ports on the root must remain active. When STP is originally implemented, each device believes that it is the root. In the initial exchange of BPDUs, the device with the lowest identifier is elected root. You can ensure that a router interface is elected by lowering its priority number.
■ Which switch provides the local device the best connection to the root—This switch becomes the device’s designated switch.
■ Which port provides the best connection to the designated switch—This becomes the root port.
A device then marks the following ports for activation (forwarding frames):
■ the root port
■ designated ports—which connect to devices that consider the local device as their designated switch (and ports that connect to end users)
All other ports become inactive.
The root device periodically sends BPDUs. If the router is root, these BPDUs will consume some bandwidth. Other devices only send topology change notification BPDUs (TCN BPDUs).
When a device receives a TCN BPDU, it re-evaluates which ports are marked for activation. If necessary, it transmits its own TCN BPDU, informing other devices on the change. The port (or ports) through which the device transmits a BPDU is not necessarily the one that received the BPDU that prompted the change.
Devices determine which ports process BPDUs, learn information about the network topology, forward BPDUs, and forward network traffic according to the ports’ STP state.
STP States
STP includes the following port states:
■ disabled
■ blocking
■ listening
■ learning
■ forwarding
In a stable network, all ports are in either the forwarding or blocking state. Only ports in the forwarding state forward frames. Ports in the blocking state are not considered part of the network topology.
Note: When using STP, it is important to understand the difference between disabled and blocking ports. Neither type forwards frames or learns addresses. Neither processes or transmits BPDUs. However, blocking ports receive BPDUs, while disabled ports do not. If you disable a port, it will not participate in STP at all.
When a change in network topology makes STP determine that a new port must become active, the port first passes through the listening and learning states. (When STP is initially enabled and devices exchange configuration BPDUs, all ports move through the listening and learning states until STP determines whether they should become blocked or forwarding ports.)
In the listening state, the port processes BPDUs to determine whether it is indeed the best connection to the root. If within 15 seconds it does not receive a BPDU advertising a better connection, the port enters the learning state.
In the learning state, the port begins to transmit BPDUs as well as receive them. This notifies other active ports of its presence, and the learning port becomes part of the network topology. The port also listens for frames to build up its address database. After 15 seconds, it enters the forwarding state and begins to forward traffic. (If the port receives a better BPDU than it can transmit during this interval, it returns to blocking.)
As you can see, the process of a port moving from blocked to forwarding can be quite lengthy. A network running STP usually takes a minute to converge after a link failure, and the network outage during this delay is not acceptable for many environments.
RSTP Improvements
RSTP can reduce convergence time to less than 1 second.
RSTP does not always force ports to go through the listening and learning states and removes the distinction between blocked and disabled ports.
RSTP speeds convergence by:
■ defining new roles for certain ports:
• edge ports
• backup ports
• alternate ports
• ports on a point-to-point connection
■ using sync to activate point-to-point ports
■ immediately purging old information
New Roles. In RSTP, edge ports immediately become forwarding ports; they must forward frames because they are the only connection to the end client. You can configure ports on the ProCurve Secure Router to be edge ports
(although this is not a typical application for the router). Important configurations for edge ports are BPDU guards and filters which keep the router from receiving BPDUs from user software or rogue devices.
Blocking ports are divided into backup and alternate ports. Backup ports provide a redundant connection to the root through a different device. Alternate ports provide a redundant connection to the root through the same device. If the root port goes down, alternate ports are allowed to move rapidly into the forwarding state.
Ports on a point-to-point connection can use the rapid sync method to move into the forwarding state. On the ProCurve Secure Router, ports will almost always be on point-to-point connections. You can configure this setting, or you can leave the interface at its default auto setting, which defines full-duplex interfaces as point-to-point ports.
Sync. STP assumes that devices best decide which ports to activate by collecting a great deal of information about the network. Therefore, it sets conservative timers for listening for TCN BPDUs. Ports were forced to spend 30 seconds passing through the listening and learning phases before they could begin to forward user traffic.
Many devices now connect through point-to-point connections rather than through shared media. RSTP relies on the fact that the single neighbor at the other end can refuse to activate a link if it has a better connection. Rather than wait 30 seconds collecting information, a port can start forwarding user traffic after a single rapid exchange with its neighbor.
Figure 10-5. Asserting Sync
When network topology changes, devices assert sync to propagate new paths in an ordered flow from devices closer to the root to devices further from the root. A device sends a BPDU to a neighbor on a potential designated port. The BPDU has a proposal flag set, which requests that the two ports immediately transition to the forwarding state. If the neighbor determines that this BPDU is best (the transmitting port is closest to the root), it replies with an agreement BPDU. The neighbor also asserts sync: it makes the port on which it received the BPDU its root port and shuts down all other ports except edge ports.
The neighbor then sends its own proposal BPDUs through the blocked ports. If a neighboring device determines that the connection is best, it brings up its port as root port and continues the process. Otherwise, it sends a non-acknowledgement, and ports on both sides of the link enter the blocking state.
In this way, topology changes propagate rapidly from the root through to edge nodes.
[Figure 10-5 diagram, two panels. 1. The network is stable: Bridge A (root bridge) and Bridge B, with ports labelled Root and Designated and one redundant link Blocking. 2. A new link is added: the root bridge asserts Sync with Bridge B; Bridge B asserts Sync toward Bridge A, which answers Reject; the link between Bridge A and Bridge B stays Blocking.]
For example, in Figure 10-5, a connection is added between Bridge B and the root. The root bridge first asserts sync with Bridge B. Bridge B blocks its connection to Bridge A. Bridge B attempts to assert sync with Bridge A, but Bridge A rejects the offer because it has a better connection to the root. The link between Bridge A and Bridge B remains blocked.
Immediate Purging. In STP, when devices receive a TCN BPDU withdrawing an entry, they set the timer for the entry in the database to short. Only when this timer expires do they flush the entry. In RSTP, devices purge old information as soon as they receive a BPDU indicating a topology change.
RSTP and STP Compatibility
RSTP is designed to be compatible with STP. Even if the LAN is using STP, you should enable RSTP on your router. RSTP automatically detects ports connected to non-RSTP devices and communicates with those devices using 802.1D STP BPDU packets.
Because RSTP is so much more efficient at establishing the network path, it is highly recommended that all your network devices be updated to support RSTP.
Configuring RSTP
RSTP is automatically activated on these interfaces when they act as bridge ports:
■ Ethernet interfaces
■ Frame Relay subinterfaces
■ ATM subinterfaces
You should typically run a spanning tree protocol on these interfaces to prevent the router from handling more traffic than it must. PPP and HDLC interfaces do not participate in the spanning tree.
For most networks, RSTP runs smoothly without any further configuration. However, you can also:
■ set the router’s priority to influence the election of the root device
■ set link cost to influence the selection of a link
■ set roles for interfaces
■ alter timers
Determining Which Device Becomes Root: Setting the Router’s Priority
Spanning tree bridges elect the device with the lowest ID as the root. A bridge’s ID consists of its priority value plus its MAC address. By default, all interfaces on the router have a priority of 32,768 (the standard default setting). Unless you alter the priority setting, the switch with the lowest MAC address becomes root.
Default settings, then, leave much to chance. A relatively unimportant device may become root for an entire WAN. Your organization’s IT staff should agree on a hub router to become root for the bridged WAN. Lower this router’s priority with this global configuration mode command:
Syntax: spanning-tree priority <value>
Valid values are from 0 to 63535. Remember that lower values grant higher priority.
Determining Which Links Are Chosen: Setting Link Cost
A BPDU includes the cost of the connection from the source of the BPDU to the root device. Devices calculate this cost from the cost of all intervening links. A device chooses which interface to make its root port according to which interface receives the BPDU with the lowest cost.
A WAN router may have several connections with widely varying link speeds—for example, a 100-Mbps connection to a switch and 3.0-Mbps connection carried on two T1-carrier lines to a Frame Relay network. Assigning a higher cost to the low-speed connection allows the router to take this discrepancy into account when calculating best paths.
The Secure Router OS automatically calculates path cost from bandwidth, and this setting is usually adequate. However, you may also want to consider the monetary cost of link. If you are using a connection as a redundant link, you should raise its cost to keep the router from choosing it as its primary link.
To change the cost of connection, move to the logical interface configuration mode context for that link. Enter this command:
Syntax: spanning-tree path-cost <value>
Valid values are from 1 to 63,535. Remember to raise the cost for lower-speed or redundant connections.
Another way to force the router to choose one connection over another is to set the port priority. The router only uses this value to choose between two interfaces that have equal cost connections to the root. To set a logical interface’s port priority, enter:
Syntax: spanning-tree port-priority <value>
Valid values are between 1 and 255. Remember that lower values grant higher priority to the connection. You can only enter values in increments of 16.
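The three rules above (lowest bridge ID wins root, lowest root path cost picks the root port, port priority breaks an equal-cost tie) can be walked through in code. The following Python simulation is an added example, not the Secure Router OS's implementation; the bridges, MAC addresses and link costs are constructed, and the tie-break is simplified to the local port's priority value.

```python
"""Walk through spanning tree root election and root-port selection as the
guide describes them: the lowest bridge ID (priority first, then MAC address)
becomes root; every other bridge then chooses the port with the lowest root
path cost and uses port priority only to break an equal-cost tie.
Added example with constructed bridges and links; not the router's own code."""
import heapq
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # the router's default priority, per the guide


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self):
        # Compared as a tuple: priority decides first, the MAC address only on a tie
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass
class Link:
    name: str                  # the local interface name on bridge `a`
    a: str
    b: str
    cost: int                  # spanning-tree path-cost on this link
    port_priority: int = 128   # spanning-tree port-priority of bridge `a`'s port (simplified)


def elect_root(bridges):
    """The device with the lowest bridge ID is root."""
    return min(bridges, key=lambda br: br.bridge_id())


def root_path_costs(bridges, links, root):
    """Dijkstra over link costs from the root: the cost each bridge advertises in its BPDUs."""
    adj = {br.name: [] for br in bridges}
    for ln in links:
        adj[ln.a].append((ln.b, ln.cost))
        adj[ln.b].append((ln.a, ln.cost))
    cost = {root.name: 0}
    heap = [(0, root.name)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost.get(node, float("inf")):
            continue
        for nbr, link_cost in adj[node]:
            if c + link_cost < cost.get(nbr, float("inf")):
                cost[nbr] = c + link_cost
                heapq.heappush(heap, (cost[nbr], nbr))
    return cost


def root_port(bridge_name, bridges, links, root):
    """Pick the local link whose neighbour-advertised cost plus link cost is lowest."""
    cost = root_path_costs(bridges, links, root)
    candidates = []
    for ln in links:
        if ln.a != bridge_name:
            continue   # only links named from this bridge's side
        candidates.append((cost[ln.b] + ln.cost, ln.port_priority, ln.name))
    return min(candidates)[2] if candidates else None


def scenario():
    """Reproduce the guide's advice step by step and return what each step yields."""
    hub = Bridge("hub-router", "00:aa:00:00:00:10")
    branch = Bridge("branch-router", "00:aa:00:00:00:01")   # lowest MAC, least important
    core = Bridge("core-switch", "00:aa:00:00:00:20")
    links = [
        Link("eth 0/1", "core-switch", "hub-router", 19),    # 100 Mbps LAN link
        Link("fr 1.1", "branch-router", "hub-router", 651),  # T1 Frame Relay, primary
        Link("fr 1.2", "branch-router", "hub-router", 651),  # second T1, meant as backup
    ]
    results = {}
    # With default priorities the lowest MAC wins: an unimportant branch router
    results["default_root"] = elect_root([hub, branch, core]).name
    # spanning-tree priority 4096 on the agreed hub router makes it root
    hub = Bridge(hub.name, hub.mac, priority=4096)
    bridges = [hub, branch, core]
    results["priority_root"] = elect_root(bridges).name
    # Equal costs: port priority decides (lower value wins, values in steps of 16)
    links[1].port_priority = 144   # spanning-tree port-priority 144 on fr 1.1
    results["root_port_by_priority"] = root_port("branch-router", bridges, links, hub)
    # spanning-tree path-cost 1000 on the backup link: cost outranks port priority
    links[2].cost = 1000
    results["root_port_by_cost"] = root_port("branch-router", bridges, links, hub)
    return results


if __name__ == "__main__":
    for step, value in scenario().items():
        print(f"{step}: {value}")
```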
Setting Interface Roles
RSTP allows you to define special characteristics for certain ports. These categories speed convergence. Edge ports immediately begin to forward frames. Point-to-point interfaces use sync for rapid activation. (See the “RSTP Improvements” on page 10-14 for more information.)
It is important that interfaces be set to the proper role so that the router can capitalize on RSTP improvements. The ProCurve Secure Router automatically assigns interfaces the roles that they will almost always play.
Interfaces automatically determine whether they are on point-to-point or shared media connections according to the duplex setting. However, if the router connects to a hub, you can manually force the connecting interface to the shared media role.
If the router connects to an end device, you should configure edge port settings.
Configuring an Edge Port. The edge port designation allows interfaces that connect to end devices to immediately enter the forwarding state. This prevents applications on the end device from timing out while they wait for their default gateway to come up. Currently, you will almost always connect your ProCurve Secure Router to a core switch or comparable device, so the edge port option is disabled by default.
However, the ProCurve Secure Router does support edge port capabilities. You can enable these capabilities either globally or on an individual interface. Use the commands shown in Table 10-2.
Table 10-2. Defining Edge Ports

  Function                                                                                         Command Syntax                     CLI Context
  -----------------------------------------------------------------------------------------------  ---------------------------------  ----------------------------------------------------
  define all spanning tree interfaces on the router as edge ports                                  spanning-tree edgeport default     global configuration mode
  define all spanning tree interfaces on the router as non-edge ports (default setting)            no spanning-tree edgeport default  global configuration mode
  enable an Ethernet interface to act as an edge port (overrides global setting)                   spanning-tree edgeport enable      Ethernet interface configuration mode
  prevent an Ethernet interface from acting as an edge port (overrides global setting)             spanning-tree edgeport disable     Ethernet interface configuration mode
  enable a Frame Relay or ATM subinterface to act as an edge port (overrides global setting)       spanning-tree edgeport             Frame Relay or ATM subinterface configuration mode
  prevent a Frame Relay or ATM subinterface from acting as an edge port (overrides global setting) no spanning-tree edgeport          Frame Relay or ATM subinterface configuration mode

This global configuration mode command defines all interfaces assigned to a bridge group as edge ports:
Syntax: spanning-tree edgeport default
The default setting is no spanning-tree edgeport default. In the default setting, interfaces do not act as edge ports. Generally, you should leave this global setting and simply override it for the interface that connects to the end device.
Note: The command to enable an Ethernet interface to act as an edge port is slightly different from the command to enable Frame Relay or ATM subinterfaces to act as edge ports.
To override the global setting for Ethernet interfaces, move to the Ethernet configuration mode context and enter:
Syntax: spanning-tree edgeport [enable | disable]
Enter the command with the enable option to allow the interface to act as an edge port. If you have configured a global setting that defines all interfaces as edge ports, the disable option overrides this setting.
To enable Frame Relay and ATM subinterfaces to act as edge ports, move to the logical interface configuration mode context and enter:
Syntax: spanning-tree edgeport
When the global setting defines all interfaces as edge ports by default, use the no form of the command to disable the edgeport setting on the individual subinterface.
You should consider implementing the BPDU guard on edge ports. End devices should not participate in the spanning tree. However, a user running software that implements STP or RSTP can join spanning tree and disrupt the network. If the default priority setting on the user software is low, the end device can even become the root. The BPDU guard prevents the router interface from receiving BPDU messages from the end device. It also prevents the interface from being connected to an unauthorized switch.
You configure the BPDU guard on an individual logical interface with this command:
Syntax: spanning-tree bpduguard [enable | disable]
Use the enable option to activate the guard.
You can also configure the BPDU guard on all interfaces from the global configuration mode context:
Syntax: spanning-tree edgeport bpduguard default
You can then override this setting for an individual interface by entering this form of the command from the interface configuration mode context:
ProCurve(config-fr 1.1)# spanning-tree bpduguard disable
Configuring an Interface for a Point-to-Point Versus a Shared Connection. RSTP must know whether an interface uses a point-to-point or shared connection to implement sync.
Point-to-point interfaces use sync to rapidly transition from discarding to forwarding frames. One interface sends a BPDU proposing that it become the neighbor’s designated switch. If the neighbor agrees, both interfaces become immediately active.
Interfaces on shared media, which reach more than one neighbor on the same connection, cannot exchange sync BPDUs to activate a connection.
By default, the ProCurve Secure Router uses the auto option to determine the connection type. RSTP assumes that full-duplex interfaces are point-to-point and half-duplex interfaces are shared.
If, for whatever reason, you must override this setting, move to the logical interface’s configuration mode context and enter this command:
Syntax: spanning-tree link-type [auto | point-to-point | shared]
For example, the Ethernet interface 0/1 connects to a hub. Enter:
ProCurve(config-eth 0/1)# spanning-tree link-type shared
Altering Timers
Caution: You should not alter spanning tree timers unless you have a great deal of experience working with spanning tree.
You configure the timers from the global configuration mode context. Use the commands shown in Table 10-3.
Table 10-3. Spanning Tree Timers

  Timer              Function                               Default     Range    Command Syntax
  -----------------  -------------------------------------  ----------  -------  ------------------------------------
  forward timer      minimum time between forwarding BPDUs  15 seconds  4 to 30  spanning-tree forward-time <seconds>
  hello timer        time between hellos                    2 seconds   0 to 10  spanning-tree hello-time <seconds>
  maximum age timer  how long a BPDU remains valid          20 seconds  6 to 40  spanning-tree max-age <seconds>

Forward Timer. The forwarding interval determines how long a device waits to forward BPDUs. With STP, this setting determines how long the device stays first in the listening and then in the learning stage.
Hello Timer. Interfaces periodically transmit hellos. If an interface misses three hellos, neighbors assume the connection is down and send out TCN BPDUs to this effect. Take care when altering this timer because incompatible settings can cause devices to believe a connection is down when it is not.
Maximum Age Timer. BPDUs include a maximum age timer. Devices discard information received from a BPDU when this timer expires. With STP, the timer determines how long a device will wait to receive information about a connection from the root before assuming the connection is down.
Configuring STP
It is highly recommended that you implement RSTP, which can reduce network convergence time from more than a minute to less than a second. RSTP is fully compatible with STP, so the router can use it even when some devices on the local network only run STP. When an interface detects STP BPDUs, the router implements STP on that interface. (RSTP improvements will not be enabled for that segment of the network.)
However, the ProCurve Secure Router does support STP, if, for whatever reason, you decide to implement it.
To configure STP, you must:
■ change the spanning tree version to STP
Move to the global configuration mode context and enter this command:
ProCurve(config)# spanning-tree mode stp
Syntax: spanning-tree mode [stp | rstp]
You can also:
■ set the router’s priority to influence the election of the root device
■ set link cost to influence the selection of a link
■ alter STP timers
You configure these options exactly as you would for RSTP. See “Determining Which Device Becomes Root: Setting the Router’s Priority” on page 10-18, “Determining Which Links Are Chosen: Setting Link Cost” on page 10-18, and “Altering Timers” on page 10-22. When deciding on the root device, remember that it will be the only device to periodically flood BPDUs.
Using the BPDU Filter to Disable STP or RSTP
The BPDU filter prevents interfaces from receiving and transmitting BPDUs. With it, you can remove the entire router from the spanning tree or you can remove a single interface.
In a test environment, the filter keeps all connections up so that you can test them.
Caution: You should not use the global BPDU filter on a live network.
When you enable the filter from the global configuration mode context, the filter applies to all interfaces on the router. Enter this command:
Syntax: [no] spanning-tree edgeport bpdufilter default
To configure an interface to override the global BPDU filter, move to its interface configuration mode context and enter this command:
Syntax: spanning-tree bpdufilter [enable | disable]
The enable option removes the interface from the spanning tree. The disable option enables an interface to run a spanning tree protocol on a router that blocks it globally. Because the router should always run RSTP or STP, you will very rarely use this option.
Troubleshooting Spanning Tree
This section describes how to test and troubleshoot the router’s spanning tree functions.
Note: You must enter show and debug commands from the enable mode context or preface the command with do.
Testing Spanning Tree
You can run spanning tree debug commands to test a router’s spanning tree functions. (Generally, you will not use these debug commands in a live network.) You can view debug messages to verify that:
■ the router chooses the correct primary connection
■ appropriate interfaces move quickly into the forwarding state
■ when a connection goes down, the network converges within one or two seconds
The syntax for the debug commands is shown in Table 10-4.
Table 10-4. Spanning Tree debug Commands

  View                                                           Command Syntax
  -------------------------------------------------------------  ----------------------------------
  general messages                                               debug spanning-tree general
  messages when configuration changes occur                      debug spanning-tree config
  periodic hellos and messages when a change in topology occurs  debug spanning-tree events
  all BPDUs received                                             debug spanning-tree bpdu receive
  all BPDUs transmitted                                          debug spanning-tree bpdu transmit
  all BPDUs transmitted and received                             debug spanning-tree bpdu all

The debug spanning-tree events command displays messages dealing with reconvergence when the network topology changes. When you enter the debug spanning-tree command with one of the bpdu options, the terminal displays a message every time an interface sends or receives a BPDU, or both.
Caution: The debug spanning-tree events and debug spanning-tree bpdu commands are particularly draining on the processor.
You can also use the BPDU debug commands to determine whether interfaces are actually participating in the spanning tree. If interfaces are not receiving BPDUs at all, you should check the running-config for an inadvertently applied BPDU guard or filter.
Addressing Common Spanning Tree Problems
Problems with spanning tree include slow convergence and routers selecting the wrong primary connection.
Some problems may be caused by other switches on the local network.
You can view information that will help you troubleshoot with this enable mode command:
Syntax: show spanning-tree [<bridge group number>] [realtime]
You enter the command without any options to view the following spanning tree information for all bridge groups:
■ root ID
■ timers
■ bridge ID
■ interfaces:
• role
• status
For example, Figure 10-6 displays the spanning tree instance for bridge group 1.
Figure 10-6. Viewing Spanning Tree Information
When the router supports more than one bridge, you may want to view only the information for the bridge group in question. Enter the command with the bridge group number.
ProCurve# show spanning-tree
STP 0 Bridge Group 1
  Spanning Tree enabled protocol ieee 802.1w (Rapid Spanning-Tree)
  Root ID    Priority 32768
             Address  00:12:79:05:25:b0
             Cost     19
             Port     1 (eth 0/1)
             Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority 32768
             Address  00:12:79:05:25:d4
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
eth 0/1          Root FWD 19        128.1    P2p
fr 1.1           Altn BLK 651       128.2    P2p

(Figure 10-6 callout: currently the Frame Relay subinterface 1.1 provides a redundant connection to the root and cannot forward frames.)
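Because a rogue device with a low priority can become root (see "Configuring an Edge Port" above) and because the IT staff should have agreed on a hub router as root, the output of show spanning-tree is worth checking regularly. The following Python script is an added example, not part of the guide or the Secure Router OS; the line layout of the sample output is reconstructed from Figure 10-6, and the agreed root address passed to the audit is a check value you supply.

```python
"""Parse 'show spanning-tree' text (layout as in Figure 10-6) and report the
root, the local root port and blocked interfaces, flagging a root that is not
the agreed hub router or that still runs with the default priority.
Added example; the sample below is reconstructed from the figure, not captured."""
import re

DEFAULT_PRIORITY = 32768

SAMPLE_OUTPUT = """\
STP 0 Bridge Group 1
  Spanning Tree enabled protocol ieee 802.1w (Rapid Spanning-Tree)
  Root ID    Priority 32768
             Address  00:12:79:05:25:b0
             Cost     19
             Port     1 (eth 0/1)
             Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority 32768
             Address  00:12:79:05:25:d4
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
eth 0/1          Root FWD 19        128.1    P2p
fr 1.1           Altn BLK 651       128.2    P2p
"""

KEY_VALUE = re.compile(r"(Priority|Address|Cost|Port)\s+(\S+)")
# interface name ("eth 0/1", "fr 1.1"), role, state, cost, priority.number, link type
IFACE_ROW = re.compile(r"^(\w+ \S+)\s+(\w+)\s+(\w+)\s+(\d+)\s+(\d+)\.(\d+)\s+(\S+)$")


def parse_show_spanning_tree(text):
    """Return {"group", "root": {...}, "bridge": {...}, "interfaces": [...]}."""
    info = {"group": None, "root": {}, "bridge": {}, "interfaces": []}
    section = None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"STP \d+ Bridge Group (\d+)", s)
        if m:
            info["group"] = int(m.group(1))
            continue
        # The "Root ID" / "Bridge ID" labels open a block of key-value lines
        if s.startswith("Root ID"):
            section, s = "root", s[len("Root ID"):].strip()
        elif s.startswith("Bridge ID"):
            section, s = "bridge", s[len("Bridge ID"):].strip()
        m = KEY_VALUE.match(s)
        if m and section:
            key, val = m.group(1).lower(), m.group(2)
            info[section][key] = int(val) if val.isdigit() else val.lower()
            continue
        m = IFACE_ROW.match(s)
        if m:
            info["interfaces"].append({
                "name": m.group(1), "role": m.group(2), "state": m.group(3),
                "cost": int(m.group(4)), "priority": int(m.group(5)),
                "number": int(m.group(6)), "type": m.group(7),
            })
    return info


def audit_spanning_tree(text, expected_root_mac):
    """Summarise the instance and list findings about the root device."""
    info = parse_show_spanning_tree(text)
    root_mac = info["root"]["address"]
    findings = []
    if root_mac != expected_root_mac.lower():
        findings.append(f"bridge group {info['group']}: root is {root_mac}, "
                        f"not the agreed hub router {expected_root_mac.lower()}")
    if info["root"]["priority"] == DEFAULT_PRIORITY:
        findings.append(f"root {root_mac} still uses the default priority "
                        f"{DEFAULT_PRIORITY}; the election was decided by MAC address")
    info["local_is_root"] = root_mac == info["bridge"]["address"]
    info["root_port"] = next((i["name"] for i in info["interfaces"] if i["role"] == "Root"), None)
    info["blocked"] = [i["name"] for i in info["interfaces"] if i["state"] == "BLK"]
    info["findings"] = findings
    return info


if __name__ == "__main__":
    report = audit_spanning_tree(SAMPLE_OUTPUT, "00:12:79:05:25:b0")
    print("root port:", report["root_port"], "blocked:", report["blocked"])
    for f in report["findings"]:
        print("finding:", f)
```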
You can enter the command with the realtime option to view periodic updates of the spanning tree information without re-entering the command. The CLI displays the information in a new screen. You can exit the screen by pressing Ctrl+C. You can also pause and restart the display of the updates. (See Figure 10-7.)
Figure 10-7. Viewing Real-Time Spanning Tree
--------------------------------------------------------------------
STP 0 Bridge Group 1
  Spanning Tree enabled protocol ieee 802.1w (Rapid Spanning-Tree)
  Root ID    Priority 32768
             Address  00:12:79:05:25:b0
             Cost     651
             Port     2 (fr 1.1)
             Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority 32768
             Address  00:12:79:05:25:d4
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
fr 1.1           Desg LIS 651       128.2    P2p
--------------------------------------------------------------------
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'
(Callouts: Exit returns to the command line; Freeze and Resume stop and start the refresh.)
Slow Convergence
The best way to solve slow convergence is to update all network devices from STP to RSTP.
When a router running RSTP connects to an STP device, it automatically runs STP on that interface. If you have recently updated network devices to RSTP, you may need to force connecting router interfaces to stop running STP. Use this enable mode command:
Syntax: clear spanning-tree detected-protocol [interface ethernet <slot>/<port>]
You can force the entire router to return to RSTP by simply entering clear spanning-tree detected-protocol. Or you can force the single interface that connects to the updated device. For example:
ProCurve# clear spanning-tree detected-protocol interface eth 0/1
Relatively slow convergence with RSTP may be caused by incorrectly configured point-to-point interfaces. View the status for each bridged interface and make sure that it is using full duplex. The router should automatically assign it the point-to-point role. If necessary, force this role by entering this command in the logical interface configuration mode context:
ProCurve(config-fr 1.1)# spanning-tree link-type point-to-point
Incorrect Path Selection
Devices may choose paths that seem illogical for several reasons:
■ an end device or rogue device has been elected root
■ connections are configured with an inappropriate cost
■ a guard or filter has been applied to an interface
When an interface connects to an end device, enable the BPDU guard so that the router refuses BPDUs from it. Otherwise, software running on the device may cause it to be elected root. (You can view what device has actually been elected root with the show spanning-tree command.)
The router selects the primary connection according to which connection provides the lowest-cost link to the root. The show spanning-tree command displays which interfaces are active (status = FWD). You can force the router to select a specific connection by lowering its cost.
You can also assign two equivalent connections the same cost, but still have the router choose one as primary and one as redundant. Simply lower the port priority for the primary connection. (See “Determining Which Links Are Chosen: Setting Link Cost” on page 10-18.) Again, the show spanning-tree command displays the cost and priority for each interface in the bridge.
If an interface is not participating in the spanning tree, check the running-config for guards or filters that may have been inadvertently assigned to it. Also view the global spanning tree configuration and make sure that the global BPDU guard and/or filter has not been applied.
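The troubleshooting steps above all start from reading show spanning-tree by eye: which bridge is root, which port leads to it, and which connections are blocked as redundant. The following is an added example, not part of the guide or the router's software: a small parser for that output, plus an audit that flags a root bridge outside a list of bridges you expect to be root (the symptom of an end or rogue device having been elected) and lists blocked interfaces with their cost. The sample text is the Figure 10-6 output re-typed as constructed input; the expected-root list is an assumption of the example.

```python
import re

# Constructed sample: the show spanning-tree output from Figure 10-6 of this
# chapter, re-typed as the router prints it (addresses are the figure's own).
SAMPLE_OUTPUT = """\
STP 0 Bridge Group 1
  Spanning Tree enabled protocol ieee 802.1w (Rapid Spanning-Tree)
  Root ID    Priority 32768
             Address  00:12:79:05:25:b0
             Cost     19
             Port     1 (eth 0/1)
             Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority 32768
             Address  00:12:79:05:25:d4
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
eth 0/1          Root FWD 19        128.1    P2p
fr 1.1           Altn BLK 651       128.2    P2p
"""

# One row of the interface table: "<interface> <role> <status> <cost> <prio>.<nbr> <type>"
ROW_RE = re.compile(
    r"^(?P<intf>[a-z]+ [\d/.]+)\s+(?P<role>\w+)\s+(?P<sts>\w+)\s+(?P<cost>\d+)"
    r"\s+(?P<prio>\d+)\.(?P<nbr>\d+)\s+(?P<type>\S+)\s*$"
)


def parse_spanning_tree(text):
    """Pull the root bridge, this bridge, the root port and the interface rows out of the output."""
    info = {"root_address": None, "bridge_address": None, "root_port": None, "interfaces": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Root ID"):
            section = "root"
        elif stripped.startswith("Bridge ID"):
            section = "bridge"
        if section and stripped.startswith("Address "):
            info[f"{section}_address"] = stripped.split()[1].lower()
        row = ROW_RE.match(line)
        if row:
            entry = row.groupdict()
            for key in ("cost", "prio", "nbr"):
                entry[key] = int(entry[key])
            info["interfaces"].append(entry)
            if entry["role"] == "Root":
                info["root_port"] = entry["intf"]
    return info


def is_root_bridge(info):
    """True when this bridge has been elected root of the spanning tree."""
    return info["root_address"] == info["bridge_address"]


def audit(info, expected_roots):
    """Findings a defender wants: a root bridge that is not one of the bridges
    expected to win the election, and the connections currently blocked."""
    findings = []
    expected = {address.lower() for address in expected_roots}
    if info["root_address"] not in expected:
        findings.append(f"unexpected root bridge {info['root_address']}; "
                        "check for an end or rogue device sending BPDUs")
    for entry in info["interfaces"]:
        if entry["sts"] == "BLK":
            findings.append(f"{entry['intf']} is blocked ({entry['role']}, cost "
                            f"{entry['cost']}): redundant path, not a fault")
    return findings


if __name__ == "__main__":
    parsed = parse_spanning_tree(SAMPLE_OUTPUT)
    print("root port:", parsed["root_port"], "| this bridge is root:", is_root_bridge(parsed))
    for finding in audit(parsed, ["00:12:79:05:25:b0"]):
        print("-", finding)
```

Run it against the saved output of show spanning-tree for each bridge group; a second expected-root list per group lets the same audit cover a router with more than one bridge.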
Bridging—Transmitting Non-IP Traffic or Merging Two NetworksQuick Start
Quick Start
This section provides the commands you must enter to quickly configure the router to bridge traffic. Only a minimal explanation is provided.
If you need additional information about any of these options, see “Contents” on page 10-1 to locate the section that contains the explanation you need.
1. If you are using the bridge to extend a subnet to a remote site, move to the global configuration mode context and disable routing.
ProCurve(config)# no ip routing
2. Create a bridge group.
Syntax: bridge <group number> protocol ieee
3. Assign the Ethernet interface(s) to the bridge group from its interface configuration mode context.
Syntax: bridge-group <group number>
4. Assign the WAN interface(s) to the bridge group. You can assign PPP and HDLC interfaces and Frame Relay and ATM subinterfaces to a bridge. Enter the following command from the logical interface configuration mode context:
Syntax: bridge-group <group number>
For example:
ProCurve(config)# interface frame-relay 1.1
ProCurve(config-fr 1.1)# bridge-group 1
5. If necessary, remove IP addresses from the WAN interfaces. For example:
ProCurve(config-ppp 1)# no ip address 10.1.1.1 /30
The ProCurve Secure Router automatically implements RSTP on bridged Ethernet interfaces and Frame Relay and ATM subinterfaces. Usually, you will not need to make any further configurations. However, you can complete any of the following steps:
1. If so desired, change the spanning tree version from RSTP to STP. (RSTP is fully compatible with STP.) Move to the global configuration mode context and enter:
Syntax: spanning-tree mode [rstp | stp]
2. If so desired, change the router’s priority for becoming the root of the spanning tree.
Syntax: spanning-tree priority <value>
The value can be from 0 to 63535.
3. If so desired, configure the cost of the connections on the router from the logical interface for the connection.
Syntax: spanning-tree path-cost <value>
The cost can be from 1 to 63535. A higher cost lowers the chance that the connection will be chosen. For example:
ProCurve(config-fr 1.1)# spanning-tree path-cost 60000
4. If a router interface connects to an edge device, configure the interface as an edge port and enable the BPDU guard. Move to the logical interface and enter:
ProCurve(config-eth 0/1)# spanning-tree edgeport enable
ProCurve(config-eth 0/1)# spanning-tree bpduguard enable
For Frame Relay and ATM subinterfaces enter:
ProCurve(config-fr 1.1)# spanning-tree edgeport
ProCurve(config-fr 1.1)# spanning-tree bpduguard enable
11
IP Routing—Configuring Static Routes
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Network Addresses and Subnet Masks . . . . . . . . . . . . . . . . . . . . . 11-4
Classful Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5
CIDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7
Destination Network Address and Subnet Mask . . . . . . . . . . . . . 11-7
Next-Hop Address and Forwarding Interface . . . . . . . . . . . . . . . 11-8
Administrative Distance and Metric . . . . . . . . . . . . . . . . . . . . . . . 11-8
Other Information Stored in a Route . . . . . . . . . . . . . . . . . . . . . . . 11-9
Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Dynamic Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Static Routing Versus Dynamic Routing . . . . . . . . . . . . . . . . . . . . . . 11-10
Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Fast Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Configuring Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Configuring a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14
Configuring a Floating Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16
Configuring a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Configuring a Route through the Null Interface . . . . . . . . . . . . . . . . 11-18
Configuring Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-20
Enabling Fast Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
IP Routing—Configuring Static RoutesContents
Troubleshooting Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Monitoring the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Using the Routing Table to Troubleshoot Static Routing . . . . . 11-25
Monitoring Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26
Clearing Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Connecting Simple Remote Sites . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Routing Traffic to an ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-31
IP Routing—Configuring Static RoutesOverview
Overview
Unlike a simple switch, a router can route a packet from one network to another. When the ProCurve Secure Router receives a packet, it matches the packet’s destination address to a route in its routing table. This route specifies the interface through which the router must forward the packet in order for the packet to reach its destination.
This chapter describes the ProCurve Secure Router’s routing table and explains how to add static routes to this table. In this chapter you will also learn how to configure a default route. In a small network with a single WAN connection, static and default routes provide the simplest and most reliable configuration for IP routing.
The ProCurve Secure Router also supports several routing protocols that allow the router to discover routing information from other routers. You should implement at least one of these protocols when your network has a large or complicated topology. Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide describes how to configure these protocols.
Before configuring routing, you should understand the basics of IP addressing and networks. You should also understand how a router uses its routing table to forward traffic.
IP Addressing
Devices route packets by looking at their Layer 3 headers, typically their IP headers. (Currently, the ProCurve Secure Router only routes IP traffic.)
A packet’s IP header contains a field for its source address and a field for its destination address. The router reads the destination IP address to determine where it should forward the packet.
An IP address is a field that uniquely identifies a host or device in the Internet or other network. In IP version 4 (IPv4) this field is 32 bits. A 32-bit IP address divides into four 8-bit octets. Typically, you will see IP addresses written in dotted-decimal form, one decimal number per octet. Therefore, IP address 11000000.10101000.00101101.01100011 is usually written as 192.168.45.99.
Unlike MAC addresses, IP addresses are not permanent or hardware specific. A host can change its address, and it can receive a temporary address from a server. However, public IP addresses must be unique and globally significant. (Otherwise, hosts could never be certain that data would arrive at the destination they intended.) Certain IP addresses are reserved for private networks; these addresses are locally significant and can be used by any number of different private organizations.
Networks
A network is a group of hosts that share a network address. Traffic between these hosts can be forwarded by bridges or switches. However, when a packet must be sent into a new network—that is, when its source and destination have different network addresses—the packet must be routed.
Network Addresses and Subnet Masks
A network address is the first part of a host’s IP address. The second part of the IP address uniquely identifies the host within that network.
A subnet mask defines which bits identify the network and which identify the individual host. The subnet mask consists of 32 bits—first, a string of continuous ones; then, a string of continuous zeros.
All bits in the IP address that correspond with a one in the subnet mask are network bits; all bits that correspond with a zero are the host bits. (See Figure 11-1.)
Networks can be of varying sizes, depending on how many bits are allocated for the network address and how many for the host address. The greater the number of network bits, the fewer the addresses the network contains. (Because most of the bits define the network, there are fewer bits in which to store different addresses on that network.)
The first address (all zero host bits) in every network is reserved for identifying the network, and the last address (all one host bits) for broadcasting.
Figure 11-1. Subnet Masks
Classful Networks
In the early days of IP addressing, routing protocols did not always use subnet masks. The address itself needed to identify which bits were network bits and which host bits. Classful networks met this need. The first four bits of a classful IP address identified how many octets belonged to the network address.
Classful network addresses always end evenly at the end of an octet:
■ Class A networks have 8-bit network addresses. They are identified by a 0 in the first bit. Therefore, the 126 class A networks range from 1.0.0.0 to 126.0.0.0. (127.0.0.0 is reserved for loopback and 0.0.0.0 for default routes.) Each class A network can accommodate up to 16,777,214 hosts.
■ Class B network addresses always start with 10 in the first two bits, which indicates that the network has a 16-bit network address. The 16,384 class B networks range from 128.0.0.0 to 191.255.0.0. Each network can accommodate up to 65,534 hosts.
■ Class C networks have 24-bit network addresses and always start with 110 in the first three bits. The 2,097,252 class C networks range from 192.0.0.0 to 223.255.255.0. Each class C network can accommodate up to 254 hosts.
■ Class D networks have 32-bit network addresses and always include 1110 in the first four bits. These networks are used for multicasting and range from 224.0.0.0 to 239.255.255.255.
You might notice that this schema leaves networks beginning with 1111 undefined. Such networks are called Class E networks and have not been assigned a specific function.
Figure 11-1 (contents). Host Address AND Subnet Mask = Network Address:
Host Address      172.16.132.99   10101100 00010000 10000100 01100011
AND
Subnet Mask       255.255.0.0     11111111 11111111 00000000 00000000
=
Network Address   172.16.0.0      10101100 00010000 00000000 00000000
CIDR
Classful networks condense more information into fewer bits: a router can resolve an address into its network and host bits without a 32-bit subnet mask. However, classful networks do not use IP addresses efficiently. Class C networks only provide addresses for 254 hosts, while Class B networks provide addresses for 65,534.
Many organizations need more addresses than a Class C network provides, but fewer than a Class B network does. Using Class C networks, an organization must request another network every time it needs more addresses. However, if the organization requests a Class B network so that it will have sufficient addresses, it usually wastes the vast majority of these addresses.
Most IP routers today support Classless Inter-Domain Routing (CIDR), which allows network administrators to define networks of any size. CIDR typically uses a prefix length instead of a subnet mask; the number in the prefix is the number of network bits in the address. For example, a network address with the subnet mask 255.255.0.0 has a /16 prefix length.
Network administrators can subdivide classful networks into smaller, variable-length networks by changing the prefix length.
For example, your organization is using the Class B network 172.16.0.0. Your organization needs at least six subnets, each with at least 500 hosts. With future expansion, your organization will need ten subnets. You round this number up to the nearest power of two and decide to divide the network into sixteen subnets. You calculate that each of the sixteen subnets can hold 4,094 hosts, which more than meets your organization’s requirements.
To subdivide the network, you add one bit to the prefix length every time you divide the network in half. For example, half of a /16 network is a /17 network, a fourth of a /16 network is a /18 network, and so forth. Sixteen is 2^4, so in the scenario outlined above, you would divide the 16-bit network four times, into sixteen 20-bit subnets:
■ 172.16.0.0 /20 (255.255.240.0)
■ 172.16.16.0 /20
■ 172.16.32.0 /20
■ 172.16.48.0 /20
■ ...
■ 172.16.240.0 /20
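The subnet-mask AND of Figure 11-1 and the CIDR subdivision just worked through are both integer arithmetic, and it is worth seeing them done explicitly rather than through a library. The following is an added example, not code from the guide: helpers that convert between dotted-decimal, binary and prefix-length forms (rejecting a mask whose ones are not contiguous), derive the network and broadcast addresses, carve a network into equal subnets, and reproduce the planning step above (ten subnets of at least 500 hosts rounded up to sixteen /20 subnets of 4,094 hosts). The function names are this example's own.

```python
# Added example (not from the ProCurve guide): IPv4 subnet-mask arithmetic and
# CIDR subdivision with plain integers, so the bitwise AND stays visible.

def dotted_to_int(addr):
    """Parse dotted-decimal notation into a 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    return int.from_bytes(bytes(int(o) for o in octets), "big")


def int_to_dotted(value):
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def to_binary(addr):
    """Render an address as four 8-bit groups, as Figure 11-1 draws it."""
    return " ".join(f"{b:08b}" for b in dotted_to_int(addr).to_bytes(4, "big"))


def mask_from_prefix(prefix):
    """/20 -> 255.255.240.0: the first `prefix` bits are ones, the rest zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((1 << 32) - (1 << (32 - prefix)))


def prefix_from_mask(mask):
    """255.255.240.0 -> 20, rejecting a mask whose ones are not contiguous."""
    m = dotted_to_int(mask)
    inverted = ~m & 0xFFFFFFFF            # host bits become ones
    if inverted & (inverted + 1):         # a run of low ones satisfies x & (x + 1) == 0
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return 32 - inverted.bit_length()


def network_address(host, mask):
    """Host address AND subnet mask = network address (Figure 11-1)."""
    return int_to_dotted(dotted_to_int(host) & dotted_to_int(mask))


def broadcast_address(host, mask):
    """The network address with every host bit set to one."""
    m = dotted_to_int(mask)
    return int_to_dotted((dotted_to_int(host) & m) | (~m & 0xFFFFFFFF))


def usable_hosts(prefix):
    """Host addresses minus the reserved network and broadcast addresses."""
    return max(2 ** (32 - prefix) - 2, 0)


def subnets(network, prefix, new_prefix):
    """Divide network/prefix into equal new_prefix subnets, e.g. a /16 into sixteen /20s."""
    if not prefix <= new_prefix <= 32:
        raise ValueError("the new prefix must be at least as long as the original")
    base = dotted_to_int(network) & dotted_to_int(mask_from_prefix(prefix))
    size = 1 << (32 - new_prefix)
    return [f"{int_to_dotted(base + i * size)}/{new_prefix}"
            for i in range(1 << (new_prefix - prefix))]


def plan_subnets(prefix, needed_subnets, hosts_per_subnet):
    """Round the subnet count up to a power of two and confirm each subnet holds
    enough hosts. Returns (new prefix, subnet count, usable hosts per subnet)."""
    extra_bits = (needed_subnets - 1).bit_length()   # ceil(log2(needed_subnets))
    new_prefix = prefix + extra_bits
    hosts = usable_hosts(new_prefix)
    if hosts < hosts_per_subnet:
        raise ValueError(f"/{new_prefix} subnets hold only {hosts} hosts; need {hosts_per_subnet}")
    return new_prefix, 1 << extra_bits, hosts


if __name__ == "__main__":
    print(to_binary("172.16.132.99"), "AND", to_binary("255.255.0.0"),
          "=", network_address("172.16.132.99", "255.255.0.0"))
    print(plan_subnets(16, 10, 500), subnets("172.16.0.0", 16, 20)[:2])
```

The contiguity check in prefix_from_mask matters when masks are typed by hand: a mask such as 255.0.255.0 is accepted by a naive one-bit count but does not describe a single network.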
When you use prefix lengths in this way, the bit length becomes, in a sense, part of the address. 172.16.0.0 /20 is a different network than 172.16.0.0 /16. The second is the network address for the entire class B network, while the first is a network that includes only hosts from 172.16.0.1 to 172.16.15.254.
Therefore, when you define routes to variable-length subnets, you must always be careful to specify the correct bit length. If a router thinks that it knows a route to network 172.16.0.0 /16 when the route should actually be to 172.16.0.0 /20, it may misroute traffic to the other fifteen 20-bit networks in the 172.16.0.0/16 range.
Routing Table
A routing table stores the following information for each network that the router knows how to reach:
■ destination network address
■ subnet mask
■ next-hop address
■ forwarding interface
■ metric
■ administrative distance
Destination Network Address and Subnet Mask
The destination network address and subnet mask identify the route. When a router receives a packet, it matches the packet’s destination IP address to a network address in the routing table. The subnet mask defines how many bits the router examines when matching the two addresses. For example, a routing table entry for 172.16.0.0 with a subnet mask 255.255.0.0 refers to all packets destined to IP addresses of which the first 16 bits are 172.16.
If a packet matches more than one entry, the router uses the more-specific route (the route with a longer subnet mask), which it assumes is more accurate for that packet.
The subnet mask condenses the routing table: an individual router’s table need not include a separate entry for each host or subnet in the 172.16.0.0/16 network when the next hop to all these destinations is the same. Routers nearer a particular destination may include more specific entries that allow them to forward traffic to individual networks that have been subdivided from a larger network.
Next-Hop Address and Forwarding Interface
A route’s next-hop address and forwarding interface instruct the router how to forward packets that match the destination address for the route.
The next-hop address is the address of the next directly-connected device en route to the destination address. The router determines the forwarding interface for the route by looking up, in its routing table, the interface that connects to the next-hop address. (Because the next-hop address should be a directly connected device, the routing table will automatically include this information.)
Only a forwarding interface is absolutely necessary for a route. When you add a static route to the routing table, you can specify a forwarding interface instead of a next-hop address. The next-hop address is then listed as 0.0.0.0.
Administrative Distance and Metric
A router may learn more than one route to the same destination. The router compares the administrative distances and metrics of identical routes to select the single best route that it will add to its routing table. (You can also enable the router to select more than one best route. See “Load Sharing” on page 11-11.)
The ProCurve Secure Router uses administrative distance to compare routes learned by different routing protocols or methods. The ProCurve Secure Router uses metrics to compare routes learned by the same routing protocol. That is, each routing protocol used on a router has its own database of routes. When a routing protocol knows more than one route to a destination, it selects the route with the lowest metric as its best route. The router then compares the best routes of each method and selects the route with the lowest administrative distance.
A route’s administrative distance indicates how reliable the router considers the method through which it discovered the route. The lower the administrative distance the more trustworthy the route.
If you are only using static routes, you generally do not need to worry about administrative distance. However, if you are using static routing in conjunction with a routing protocol, you should understand how the ProCurve Secure Router uses administrative distance to choose between identical routes learned using different methods. The ProCurve Secure Router always selects the route with the lower administrative distance. For example, statically configured routes have a default administrative distance of 1, while Routing Information Protocol (RIP) routes have a default administrative distance of 120. When the router knows an identical RIP and static route, it only adds the static route to the routing table.
A route’s metric is the cost of sending traffic on that route and can be based on various criteria:
■ number of hops to the destination
■ link conditions:
• bandwidth
• delay
• reliability
■ organization policies
• monetary cost
• autonomous systems through which the packet must travel
Number of hops and bandwidth are among the most common criteria for computing a route’s metric.
Each routing protocol has its own method for computing a route’s metric. The protocol compares the metric of identical routes to determine the best route. The protocol chooses the route with the smallest metric.
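The selection rules described in this section (each protocol keeps its own database and picks its lowest-metric route; the router then keeps the candidate with the lowest administrative distance; forwarding uses the longest matching prefix, with 0.0.0.0/0 matching everything) can be exercised in a few dozen lines. The following is an added example and not the router's implementation: a routing table that stores every learned route, installs one winner per destination, and answers lookups by longest match. The default distances come from Table 11-1; the sample routes extend Figure 11-3 with constructed RIP routes and a pair of 172.16.0.0 routes of different prefix length to show the misrouting risk mentioned under "CIDR".

```python
# Added example (not the router's own code): best-route selection by administrative
# distance and metric, then forwarding by longest-prefix match.
from dataclasses import dataclass

# Default administrative distances from Table 11-1 of this chapter.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "bgp-external": 20,
                  "ospf": 110, "rip": 120, "bgp-internal": 200}
CODES = {"connected": "C", "static": "S", "rip": "R", "ospf": "O",
         "bgp-external": "B", "bgp-internal": "B"}


def dotted_to_int(addr):
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address {addr!r}")
    return int.from_bytes(bytes(int(o) for o in octets), "big")


@dataclass
class Route:
    network: str
    prefix: int
    source: str                  # "connected", "static", "rip", ...
    interface: str               # forwarding interface
    next_hop: str = "0.0.0.0"    # 0.0.0.0 when only a forwarding interface was given
    metric: int = 0
    distance: int = -1           # -1: use the default distance for the source

    def __post_init__(self):
        if self.distance < 0:
            self.distance = ADMIN_DISTANCE[self.source]
        self.mask = (1 << 32) - (1 << (32 - self.prefix))   # prefix 0 gives mask 0
        self.net_int = dotted_to_int(self.network) & self.mask

    def matches(self, addr):
        """Only the bits covered by the mask are compared."""
        return (dotted_to_int(addr) & self.mask) == self.net_int


class RoutingTable:
    def __init__(self):
        self.learned = []   # every route from every source, like each protocol's database

    def add(self, route):
        self.learned.append(route)

    def best_routes(self):
        """One active route per destination: lowest distance, then lowest metric."""
        best = {}
        for r in self.learned:
            key = (r.net_int, r.prefix)
            if key not in best or (r.distance, r.metric) < (best[key].distance, best[key].metric):
                best[key] = r
        return list(best.values())

    def lookup(self, addr):
        """Longest-prefix match among active routes; None when nothing matches."""
        candidates = [r for r in self.best_routes() if r.matches(addr)]
        return max(candidates, key=lambda r: r.prefix, default=None)


def format_route(r):
    """Render a route the way show ip route prints it (Figure 11-3)."""
    head = f"{CODES[r.source]} {r.network}/{r.prefix}"
    if r.source == "connected":
        return f"{head} is directly connected, {r.interface}"
    return f"{head} [{r.distance}/{r.metric}] via {r.next_hop}, {r.interface}"


def build_sample_table():
    """Figure 11-3's routes plus constructed RIP and 172.16.0.0 routes."""
    t = RoutingTable()
    t.add(Route("10.2.2.0", 30, "connected", "ppp 1"))
    t.add(Route("10.3.3.0", 30, "connected", "ppp 2"))
    t.add(Route("192.168.20.0", 24, "connected", "eth 0/1"))
    t.add(Route("192.168.30.0", 24, "static", "ppp 1", "10.2.2.2"))
    t.add(Route("192.168.30.0", 24, "rip", "ppp 2", "10.3.3.2", metric=3))   # loses to static
    t.add(Route("0.0.0.0", 0, "static", "ppp 2", "10.3.3.2"))                # default route
    t.add(Route("172.16.0.0", 16, "static", "ppp 2", "10.3.3.2"))
    t.add(Route("172.16.0.0", 20, "static", "ppp 1", "10.2.2.2"))            # more specific
    t.add(Route("10.50.0.0", 16, "rip", "ppp 1", "10.2.2.2", metric=5))
    t.add(Route("10.50.0.0", 16, "rip", "ppp 2", "10.3.3.2", metric=2))      # lower RIP metric wins
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for route in table.best_routes():
        print(format_route(route))
    for dest in ("192.168.30.7", "172.16.3.1", "172.16.200.1", "8.8.8.8"):
        print(dest, "->", format_route(table.lookup(dest)))
```

Note how 172.16.3.1 is forwarded through the /20 route and 172.16.200.1 through the /16 route: if the /20 route had been entered with the wrong prefix length, both would go the same way, which is the misrouting the CIDR section warns about.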
Other Information Stored in a Route
Routing tables can also include information such as:
■ route type—whether the destination subnet is directly attached or remote
■ source of the route—directly connected, statically configured, or discovered with a routing protocol
■ route age
■ maximum transmission unit (MTU) over the link used in the route
The ProCurve Secure Router tracks all of these parameters. When you view your router’s routing table, you can see the route type and source of the route.
A routing table should, most importantly, provide reliable routes that get traffic to its destination. Ideally, routes should also minimize congestion and delay. One of your most important tasks when configuring your ProCurve Secure Router is to construct a routing table with reliable best routes.
Static Routing
The most straightforward method for constructing a routing table is static routing. Static routes are routes that you manually add to the routing table. When you enter a static route, you specify the destination network address and subnet mask and either the next-hop address or forwarding interface for that destination.
Dynamic Routing Protocols
Routers can also construct their routing tables using dynamic routing protocols. The ProCurve Secure Router supports three routing protocols, each of which it can use alone or in conjunction with the others:
■ RIP versions 1 and 2
■ Open Shortest Path First (OSPF) version 2
■ Border Gateway Protocol (BGP) version 4
See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the ProCurve Secure Router Advanced Management and Configuration Guide to learn how to configure these protocols.
Static Routing Versus Dynamic Routing
Static routing is secure because it provides you the tightest control over traffic flow: you determine exactly which connection the router uses to forward traffic to each destination. Static routing is also relatively reliable (although it does open room for human error).
On a router in a small network with a single exit to a remote site or the Internet, static routing is effective and simple to configure.
However, as a network expands, configuring all the necessary static routes can become more and more complicated and time-consuming. Ensuring that all routes remain accurate can also unduly burden an IT staff. Every time you want to add a connection or change a route, you must configure the change on every router in the network. Routers do not automatically respond to a failed connection, so traffic can be misrouted.
Dynamic routing can provide reliable routes. OSPF selects routes according to fairly sophisticated criteria, such as link state and bandwidth, and BGP, though complicated to configure, can take an organization’s policies into account when selecting routes. What is the best route at one moment may not always be the best route, and dynamic routing protocols can track these changes. Dynamic routing also adapts well to changes in network topology, such as node failures and network expansion.
On the other hand, routing protocols consume bandwidth and CPU processes; routers must exchange updates and calculate the best routes. A router that has been carelessly configured may send updates to unauthorized devices, opening a security vulnerability. However, a well-designed network eliminates many of these problems.
You should not implement a dynamic routing protocol on a demand interface that is used with a dial-up connection because the routing updates may keep the line up longer than is necessary, costing your organization money. Instead, configure a static route that uses the demand interface as the forwarding interface. If you are using the dial-up connection for backup, you can configure a floating static route. (See “Configuring a Floating Static Route” on page 11-16.)
You can use static routing in conjunction with one or more dynamic routing protocols. A static route will always supersede a discovered route because static routes have low administrative distance. Table 11-1 shows the default administrative distance for the various types of routes that the ProCurve Secure Router can learn. As you can see, besides routes to directly connected networks, static routes are considered to be the most reliable.
Table 11-1. Hierarchy of Routes (Most Trusted to Least Trusted)
Route Type            Default Administrative Distance
directly connected    0
static                1
BGP                   20 for external routes; 200 for internal and local routes
OSPF                  110
RIP v1 and v2         120
Load Sharing
Typically, a routing table can only include one best route for each destination. If you enter more than one route to the same destination, the router adds the second route to its routing table only if the first route that you entered is removed or if the forwarding interface for the first route goes down. However, the ProCurve Secure Router can also implement load sharing, which enables it to activate up to six routes to the same destination. This option enables the router to use redundant connections to the same remote site.
When you enable load sharing, the router can place up to six routes to the same destination in its active routing table. The routes must all have the same metric and administrative distance; otherwise, only the route with the lowest values will be selected.
The router can share traffic over the routes based on destination, assigning traffic destined to some hosts to one route and traffic destined to other hosts to another route. In this case, the traffic may not be exactly balanced over the multiple connections, but the more sessions the router supports, the more evenly balanced the traffic will be.
The router can also share the traffic in a round-robin manner, alternating between the routes every time it routes a new packet to the destination network. Configuring the router to load share in this way, however, can cause packets to arrive at the destination out of order and is not generally recommended.
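The difference between the two sharing methods is easiest to see with numbered packets. The following is an added example, not the router's code: a destination-based chooser that hashes the destination address so that one destination always takes the same route, a round-robin chooser that alternates every packet, and a small simulation that sends a flow over two equal-cost routes with different latencies and counts how many packets arrive out of order. The two routes, their latencies and the six-route limit are constructed from this section; the hash function and helper names are the example's own.

```python
# Added example (not from the guide): destination-based versus round-robin load
# sharing over equal-cost routes, and why round-robin can reorder a flow's packets.
import hashlib
import itertools
from collections import Counter

MAX_SHARED_ROUTES = 6   # the guide's limit on active routes to one destination

# Constructed: two routes with equal metric and administrative distance to one
# remote site, with different one-way latencies in milliseconds.
PATH_LATENCY_MS = {"ppp 1": 10, "ppp 2": 30}


def check_paths(paths):
    if not 1 <= len(paths) <= MAX_SHARED_ROUTES:
        raise ValueError(f"between 1 and {MAX_SHARED_ROUTES} routes can be active")
    return list(paths)


class DestinationSharer:
    """Every packet to the same destination host takes the same route."""

    def __init__(self, paths):
        self.paths = check_paths(paths)

    def choose(self, dest):
        # SHA-256 is used only as a stable, even spread of destinations over routes.
        digest = hashlib.sha256(dest.encode()).digest()
        return self.paths[int.from_bytes(digest[:4], "big") % len(self.paths)]


class RoundRobinSharer:
    """Alternates routes for every new packet, whatever its destination."""

    def __init__(self, paths):
        self._cycle = itertools.cycle(check_paths(paths))

    def choose(self, dest):
        return next(self._cycle)


def path_load(sharer, dests):
    """How many destinations land on each route."""
    return Counter(sharer.choose(d) for d in dests)


def reordered_packets(sharer, dest, count, latency=PATH_LATENCY_MS):
    """Send `count` numbered packets to `dest` one millisecond apart and count
    the packets delivered after a packet that was sent later than they were."""
    arrivals = []
    for seq in range(count):
        path = sharer.choose(dest)
        arrivals.append((seq + latency[path], seq))   # (arrival time, sequence number)
    arrivals.sort()
    out_of_order = 0
    highest_seen = -1
    for _, seq in arrivals:
        if seq < highest_seen:
            out_of_order += 1
        highest_seen = max(highest_seen, seq)
    return out_of_order


if __name__ == "__main__":
    paths = list(PATH_LATENCY_MS)
    hosts = [f"10.0.{i // 256}.{i % 256}" for i in range(2000)]   # constructed destinations
    print("destination-based load:", path_load(DestinationSharer(paths), hosts))
    print("reordered, destination-based:", reordered_packets(DestinationSharer(paths), "10.0.0.1", 10))
    print("reordered, round-robin:", reordered_packets(RoundRobinSharer(paths), "10.0.0.1", 10))
```

With destination-based sharing the balance across routes improves as the number of destinations grows, exactly as the section says, while a single flow never sees reordering; round-robin balances perfectly per packet but, with a 20 ms latency difference, delivers almost half of a ten-packet flow out of sequence.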
Fast Caching
One of a router’s tasks is to forward the packets it receives with a minimum of delay. However, the router must also accurately route packets, and looking up routes takes time and processing power. When a router uses process switching, it considers route lookup to be no more important than any other process and forces packets to wait in a queue until it finishes other tasks. When CPU usage spikes, packets can be delayed longer than acceptable.
Fast caching, or fast-switching cache, is designed to speed processing of packets that follow often-used routes. In addition to the routing table, the router keeps a fast-cache table, which contains entries for recently received packets. A fast-cache entry includes the destination address and the forward-ing interface. When the router receives a packet, the CPU postpones other tasks to immediately check the fast-cache table for a matching entry. If the router finds a matching entry, it rewrites the packet’s header and forwards it to the appropriate interface. (See Figure 11-2.) If the router does not find a match in the fast-cache table, it sends the packet to the appropriate queue to await processing. When the router processes these packets, it checks the routing table to determine where the packets should be forwarded.
On the ProCurve Secure Router, you can enable fast caching for individual interfaces. However, if you enable the firewall, the ProCurve Secure Router uses process switching because firewall features can require extensive computations. For example, the firewall must check packets for known cyber attacks, ensure packet integrity, track connections, and determine if packets match access control lists (ACLs).
IP Routing—Configuring Static RoutesConfiguring Static Routes
Figure 11-2. Fast Caching Versus Process Switching
Configuring Static Routes
Overview
A static route is a route that you add manually to a routing table. You can construct a router’s entire table manually. (The table will also automatically include directly connected networks with a metric and an administrative distance of zero.)
When you use static routing to the exclusion of other routing protocols, the router will not share its routing table with other routers. This means that the hosts serviced by this router will only be able to reach a destination if you add an entry for that destination. In large and complicated networks, configuring static routing can be prohibitively time-consuming and cumbersome. However, in a relatively uncomplicated environment with few subnets, you can quickly configure the necessary routes while maintaining tight control over your network.
Static routing is best suited for networks that have:
■ a simple topology and a single router at each site
■ a single destination for traffic—for example, to an Internet service provider (ISP)
■ only one path for IP traffic
Figure 11-2 (image not reproduced). Fast caching: Internet, Router, Fast-cache table. Process switching: Internet, Router, Queue.
You can use static routing with dynamic routing. In this case, you supplement routes discovered through various protocols with manually added routes. You can configure the router to advertise these routes using a routing protocol, or you can keep the routes private. (See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide to learn how to configure a routing protocol.)
For example, you can run a routing protocol, but configure a static default route. (See “Configuring a Default Route” on page 11-17.)
Configuring a Static Route
When you configure a static route, you must enter the following information:
■ destination address and subnet mask
■ next-hop address or forwarding interface
By default, the administrative distance for a static route is 1 and the metric 0. You can view the kind of information the ProCurve Secure Router stores in its routing table in Figure 11-3.
Figure 11-3. Routing Table with Static Routes
The destination address is the network address for the destination subnet. The subnet mask indicates how long this network address is. (The ProCurve Secure Router also allows you to enter a prefix length instead of a subnet mask.) When the router looks for a route that matches a packet’s destination, it only compares the bits specified by the subnet mask.
ProCurve# show ip route
C 10.2.2.0/30 is directly connected, ppp 1
C 10.3.3.0/30 is directly connected, ppp 2
C 192.168.20.0/24 is directly connected, eth 0/1
S 192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1
S 0.0.0.0/0 [1/0] via 10.3.3.2, ppp 2
(Callouts in Figure 11-3: the bracketed values are [administrative distance/metric]; after “via” come the next-hop address and the forwarding interface.)
Figure 11-4. Prefix Lengths with Static Routing
You add routes to the routing table from the global configuration mode context. Enter this command:
Syntax: ip route <destination network A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID> [<administrative distance>]
Specifying administrative distance is optional. By default, static routes have an administrative distance of 1 and are considered to be more reliable than any other routes (except those to directly connected networks).
You should make the network address and subnet as short as possible while the next-hop address remains valid for all matching packets. For example, to configure a route to network 10.1.3.0 /24 on Router A shown in Figure 11-4, you could enter a route to the entire 10.1.0.0 /16 network:
ProCurve(config)# ip route 10.1.0.0 255.255.0.0 10.1.1.2
You would have to configure a more specific route to network 10.1.3.0 /24 on Router B:
ProCurve(config)# ip route 10.1.3.0 255.255.255.0 10.1.30.2
For point-to-point connections, instead of the next-hop IP address, you can specify the forwarding interface (for example, PPP 1 or Frame Relay 1.103). It is often a good idea to specify the forwarding interface rather than the next-hop address, particularly when connecting to an external network, because IP addresses can change without notice.
The route in the routing table includes the forwarding interfaces, but allows any next-hop neighbor that connects to the interface. See Figure 11-5.
(Figure 11-4 residue: Router A’s routing table lists 10.1.0.0/16 via Router B; Router B’s routing table lists 10.1.2.0/24 via Router C and 10.1.3.0/24 via Router D; next-hop addresses shown are 10.1.1.2, 10.1.20.2 and 10.1.30.2; the diagram also shows network 10.2.8.0/24.)
Figure 11-5. Static Route with a Forwarding Interface
Configuring a Floating Static Route
When the router has a redundant connection to a network, it needs two routes to that network, one of which uses the primary interface as the forwarding interface and one of which uses the redundant interface. However, the routing table can only include a single active route to a particular network. (See “Configuring Load Sharing” on page 11-20 for an exception to this rule.)
You can configure a floating static route that uses the redundant, or backup interface, and that will only appear if the forwarding interface for the primary route goes down. You configure the floating static route by assigning it a higher administrative distance than that for the primary route.
For example, your router can reach remote site 192.168.115.0 /24 through the PPP 1 interface. If this connection goes down, it can reach the remote site through the backup PPP 2 interface. Configure the routes as follows:
ProCurve(config)# ip route 192.168.115.0 /24 ppp 1
ProCurve(config)# ip route 192.168.115.0 /24 ppp 2 2
You can also configure a floating static route that only appears when a route discovered using a routing protocol becomes invalid and is removed from the routing table. Simply, specify an administrative distance in the floating static route that is higher than that for the protocol.
For example, your router has learned a route to network 192.168.115.0 /24 by running OSPF on the PPP 1 interface. The router uses an ISDN module for backup. Configure a floating static route through the demand interface that will only appear if the PPP 1 interface fails:
ProCurve(config)# ip route 192.168.115.0 /24 demand 1 120
ProCurve# show ip route
C 10.2.2.0/30 is directly connected, ppp 1
C 10.3.3.0/30 is directly connected, ppp 2
C 192.168.20.0/24 is directly connected, eth 0/1
S 192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1
S 0.0.0.0/0 [1/0] via 0.0.0.0, ppp 2
(Callouts in Figure 11-5: the bracketed values are [administrative distance/metric]; on the last route the next-hop address is not specified (shown as 0.0.0.0) and only the forwarding interface is given.)
Because OSPF routes have an administrative distance of 110, specify 120 for the floating static route’s administrative distance. (Refer to Table 11-1 on page 11-11 for the administrative distance of various routing protocols.)
Configuring a Default Route
A default route is a special static route that applies to all traffic. Typically, when the router receives a packet that it does not know how to forward, it drops it. A default route allows the router to forward all such packets toward the destination most likely to be able to route them.
To configure a default route, enter a route to a destination address of all zeros with an all-zero subnet mask. The all-zero subnet mask indicates to the router that a packet’s IP address does not have to match any of the destination address bits in order for the route to be valid. Because the router always matches traffic to the most specific route, it will only use the default route for traffic that would otherwise be dropped.
To configure the default route, move to the global configuration mode context and enter this command:
Syntax: ip route 0.0.0.0 [0.0.0.0 | /0] <next hop A.B.C.D | forwarding interface ID> [<administrative distance>]
The ProCurve Secure Router allows you to enter the default route in CIDR notation.
Instead of configuring a route to a default next-hop address, you can configure a default forwarding interface. A default route is often used to forward external traffic. In this case, specifying the WAN interface as the default forwarding interface can be a good idea so that the default remains valid no matter what IP address the remote router has.
For example, your router connects to the Internet with a PPP connection. You could configure the following default route for all external traffic:
ProCurve(config)# ip route 0.0.0.0 0.0.0.0 ppp 1
Default routes can be especially useful for routers with a single point-to-point WAN connection. If necessary, add static routes for any local subnets that are not directly connected to the Ethernet ports. (Directly connected networks are automatically added.) Then add a default route for all other traffic through the WAN interface.
For example, to configure Router A shown in Figure 11-6, you would enter:
ProCurve(config)# ip route 192.168.10.0 /24 192.168.12.2
ProCurve(config)# ip route 0.0.0.0 /0 ppp 1
Figure 11-6. Default Routing
Default routes are used with dynamic routing as well as static routing. For example, OSPF stub routers in an OSPF network do not receive many of the OSPF link state advertisements (LSAs). This keeps the protocol’s overhead down and stub router memory uncluttered with routes that are not needed. Instead, stub routers can receive a default route for all external traffic.
Configuring a Route through the Null Interface
When the router matches a packet to a route through the null interface, it drops the packet. You can use the null interface to force the router to drop certain traffic.
To configure a null route, enter this command from the global configuration mode context:
Syntax: ip route <A.B.C.D> <subnet mask | /prefix length> null 0 [<administrative distance>]
You might configure a route through the null interface in order to drop traffic to network addresses that do not yet exist in your network.
(Figure 11-6 residue: Router A connects to the Internet over PPP 1; the diagram shows networks 192.168.1.0/24 and 192.168.10.0/24 and Router B at 192.168.12.2.)
For example, an organization has allocated the address space 192.168.20.0 /24 to a remote site. However, currently the site is only using half of the addresses. Network management has divided the network into two /25 subnets and left the second subnet (192.168.20.128 /25) unused. You can prevent the local router from forwarding traffic across the WAN link that would only be dropped by the remote router. Enter this command:
ProCurve(config)# ip route 192.168.20.128 /25 null 0
You could also use a null route in order to force the router to:
■ drop traffic to destinations that you have determined to be unauthorized
However, a better way to control traffic is to use an ACL or an ACP. (See Chapter 5: Applying Access Control to Router Interfaces of the Advanced Management and Configuration Guide.)
■ advertise a route not included in its routing table
When a router uses a routing protocol, its routing table must include a route in order to advertise that route. You could configure a null route if you wanted the router to advertise a route, but not to forward traffic using that route. (For more information on this topic, see “Advertising Local Networks” on page 13-71 in Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR of the Advanced Management and Configuration Guide.)
Configuring Load Sharing
Your ProCurve Secure Router may have more than one connection to the same remote site or to the Internet. However, a router can typically select a single best route for a destination; without further configuration, traffic destined to the site will travel over only one of the connections.
For example, your router provides a connection to one ISP through its PPP 1 interface. For redundancy, you connect the router to a second ISP through the PPP 2 interface. You configure a default route through PPP 1. All Internet traffic is carried over this WAN connection, and the redundant connection is unused unless the first connection fails—not a cost-effective solution.
Load sharing allows the router to place up to six routes to the same destination in its routing table. (See Figure 11-7.) The routes must have the same metric and administrative distance. When load sharing is implemented, the router will send some traffic over one route and some traffic over the other route.
To enable load sharing, enter this command from the global configuration mode context:
Syntax: ip load-sharing [per-destination | per-packet]
You can configure the router to balance traffic:
■ per destination
■ per packet
When the router balances traffic per destination, it assigns packets to routes based on the packets’ source and destination addresses. That is, when the router must forward a packet to a destination for which multiple routes exist, it hashes the packet’s source and destination and, according to this value, assigns the packet to a route. (The router performs the hash function such that a source and destination can only resolve to as many different values as routes are available in the routing table.) Therefore, per-destination load sharing does not balance traffic exactly equally; two successive packets may be sent over the same route, even if they have different source and destination addresses. Packets in the same session always take the same route because they have the same source and destination address. The more traffic that the router supports, the more evenly it will balance the traffic.
When the router balances traffic per packet, it sends each new packet over each route in turn. Although this option balances traffic more exactly, it is not generally recommended. Because each successive packet takes a different route, packets may arrive at the destination out of order.
Figure 11-7. Routing Table with Load Sharing
After enabling load sharing, add the multiple static routes. For example, enter:
ProCurve(config)# ip route 0.0.0.0 /0 ppp 1
ProCurve(config)# ip route 0.0.0.0 /0 ppp 2
ProCurve(config)# ip route 0.0.0.0 /0 ppp 3
The routing table can hold up to six routes for the same destination. If you enter more than six routes, then the router will learn the extra routes, but not add them to the routing table. If you delete one of the routes in the routing table, or if the forwarding interface for one of these routes fails, then one of the extra routes will take its place.
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       IA - OSPF inter area, N1 - OSPF NSSA external type 1
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
       E2 - OSPF external type 2
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S 0.0.0.0/0 [1/0] via 0.0.0.0, ppp 1
            [1/0] via 0.0.0.0, ppp 2
            [1/0] via 0.0.0.0, ppp 3
C 10.1.1.0/30 is directly connected, ppp 1
C 10.1.1.1/32 is directly connected, ppp 1
C 10.1.1.4/30 is directly connected, ppp 2
C 10.1.1.5/32 is directly connected, ppp 2
C 10.1.1.8/30 is directly connected, ppp 3
C 10.1.1.9/32 is directly connected, ppp 3
C 192.168.50.0/24 is directly connected, eth 0/1
C 192.168.51.0/24 is directly connected, eth 0/2
(Callout in Figure 11-7: the three entries for 0.0.0.0/0 are the multiple static routes.)
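As an added illustration (not the ProCurve Secure Router’s code and not part of this guide), the following Python model applies the rules described in the static-route, floating-static-route, null-route, default-route and load-sharing sections: most-specific match, lowest [administrative distance/metric], routes that leave the table when their forwarding interface is down or their next hop has no connected network, and per-destination or per-packet selection among equal-cost routes. The per-destination hash (sum of the two addresses) and the sample addresses are constructed for this illustration, and the chapter’s examples are combined on one router in example_router().

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    code: str                        # "C" connected or "S" static, as in show ip route
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str] = None   # next-hop address, or None when only an interface is given
    interface: Optional[str] = None  # forwarding interface such as "ppp 1", or "null 0"
    distance: int = 1                # administrative distance: 0 connected, 1 static by default
    metric: int = 0

class Router:
    """Toy model of the chapter's static-route rules, not the ProCurve Secure Router's code."""
    MAX_SHARED = 6                   # the routing table holds up to six routes per destination

    def __init__(self, load_sharing=None):     # None, "per-destination" or "per-packet"
        self.routes = []
        self.iface_up = {"null 0": True}       # interface state; the null interface never goes down
        self.load_sharing = load_sharing
        self._turn = 0

    def interface_address(self, iface, cidr):
        """Address an interface: its subnet becomes a connected route with distance 0."""
        self.iface_up[iface] = True
        self.routes.append(Route("C", ipaddress.ip_interface(cidr).network, interface=iface, distance=0))

    def ip_route(self, prefix, via, distance=1):
        """ip route <dest> </prefix length> <next hop | forwarding interface> [<distance>]"""
        net = ipaddress.ip_network(prefix)
        if via[0].isdigit():                   # "10.2.2.2" is a next hop, "ppp 1" an interface
            self.routes.append(Route("S", net, next_hop=via, distance=distance))
        else:
            self.routes.append(Route("S", net, interface=via, distance=distance))

    def egress(self, route):
        """Interface the route forwards out of, or None when the route cannot be used."""
        if route.interface:
            return route.interface if self.iface_up.get(route.interface) else None
        hop = ipaddress.ip_address(route.next_hop)
        for c in self.routes:                  # a next hop must lie in a connected network that is up
            if c.code == "C" and hop in c.prefix and self.iface_up.get(c.interface):
                return c.interface
        return None

    def table(self):
        """Usable routes by prefix: lowest [distance/metric] wins; equal-cost routes coexist only with load sharing."""
        active = {}
        for r in self.routes:
            if self.egress(r) is None:
                continue
            group, cost = active.get(r.prefix), (r.distance, r.metric)
            if group is None or cost < (group[0].distance, group[0].metric):
                active[r.prefix] = [r]         # a better route replaces the current one(s)
            elif cost == (group[0].distance, group[0].metric) and self.load_sharing \
                    and len(group) < self.MAX_SHARED:
                group.append(r)                # without load sharing the first-entered route wins
        return active

    def show_ip_route(self):
        """The active table in the format of the chapter's figures."""
        lines = []
        for net, group in sorted(self.table().items(), key=lambda kv: int(kv[0].network_address)):
            for r in group:
                if r.code == "C":
                    lines.append(f"C {net} is directly connected, {r.interface}")
                else:
                    lines.append(f"S {net} [{r.distance}/{r.metric}] via "
                                 f"{r.next_hop or '0.0.0.0'}, {self.egress(r)}")
        return lines

    def forward(self, dst, src="0.0.0.0"):
        """Egress interface for a packet, or 'drop' (no route, or a route through null 0)."""
        dst_ip = ipaddress.ip_address(dst)
        matches = [(net, grp) for net, grp in self.table().items() if dst_ip in net]
        if not matches:
            return "drop"
        _, group = max(matches, key=lambda m: m[0].prefixlen)   # most specific route wins
        if self.load_sharing == "per-packet":
            route = group[self._turn % len(group)]   # each packet takes the next route in turn
            self._turn += 1
        else:   # per destination: hash of source and destination reduced to the number of routes
            # (constructed hash: sum of the two addresses, not the router's real function)
            route = group[(int(ipaddress.ip_address(src)) + int(dst_ip)) % len(group)]
        iface = self.egress(route)
        return "drop" if iface == "null 0" else iface

def example_router():
    """The chapter's examples on one router: floating static route, null route, default route."""
    r = Router()
    r.interface_address("ppp 1", "10.2.2.1/30")
    r.interface_address("ppp 2", "10.3.3.1/30")
    r.ip_route("192.168.115.0/24", "ppp 1")         # primary route
    r.ip_route("192.168.115.0/24", "ppp 2", 2)      # floating static route, higher distance
    r.ip_route("192.168.20.0/24", "10.2.2.2")       # next hop resolved through ppp 1's subnet
    r.ip_route("192.168.20.128/25", "null 0")       # unused half of the remote site is dropped
    r.ip_route("0.0.0.0/0", "ppp 2")                # default route for everything else
    return r
```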
Enabling Fast Caching
The ProCurve Secure Router can route incoming packets using either:
■ process switching
■ fast caching
A router using process switching:
■ places packets in a queue to await processing
■ looks up routes in the routing table, which contains all routes
A router using fast caching:
■ interrupts other processes to serve packets immediately
■ looks up routes in the fast-cache table, which contains only recently-used routes
Fast caching is a valuable tool for speeding packets through the router and maintaining quality of service (QoS).
By default, fast caching is enabled on:
■ Ethernet interfaces
■ Point-to-Point Protocol (PPP) interfaces
■ Frame Relay subinterfaces
Although fast caching is not enabled on Asynchronous Transfer Mode (ATM) subinterfaces by default, ATM subinterfaces also support it.
You can disable fast caching on specific interfaces. If you disable fast caching, the ProCurve Secure Router will use process switching. With process switching, the router places all packets in the appropriate queue, where they wait until the router can process them.
You enable and disable fast caching for individual interfaces. One interface can use fast caching and another interface can use process switching.
To enable or disable fast caching on an interface, you must first move to the configuration mode context for that interface. Then enter this command:
Syntax: [no] ip route-cache
For example:
ProCurve(config)# int eth 0/1
ProCurve(config-eth 0/1)# no ip route-cache
Note: Fast caching is forcibly disabled when you use the following processes:
■ the ProCurve Secure Router OS firewall
■ any firewall processes, such as ACLs and ACPs
■ policy based routing (PBR)
If you enable the firewall, the ProCurve Secure Router must use process switching because firewall features require the router to make more-extensive computations than simple route determination, including checks for attacks and packet filtering according to an access policy. Similarly, PBR requires the router to screen packets to determine whether to route them according to a route map or according to the routing table.
To optimize packet switching for firewall processes, the ProCurve Secure Router uses a separate table so that it does not have to check long ACLs each time it receives a packet. This table speeds up firewall computations.
Troubleshooting Static Routing
When you receive reports that traffic is not reaching its destination, first attempt to ping the destination from the router to verify that a host or other network node is not the root of the problem. If the ping confirms that the router cannot reach the destination, next view the routing table.
Note: The show and debug commands described in the following sections are enable mode commands. You can also enter the commands from configuration mode contexts by adding the do option.
Monitoring the Routing Table
To view the routing table, enter this enable mode command:
Syntax: show ip route
The screen displays the destinations to which the router can route traffic. (See Figure 11-8.) For each destination, the routing table also records:
■ the method the router used to discover the route
• B—BGP
• C—directly connected
• O—OSPF
• R—RIP
• S—entered manually (static)
■ the administrative distance—the trustworthiness of the route, used to choose between two identical routes discovered through different methods
■ the metric—the cost for the route
■ the next-hop address
■ the forwarding interface
Figure 11-8. Routing Table
You can also view specific portions of the routing table. Use the commands in Table 11-2.
ProCurve# show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       IA - OSPF inter area, N1 - OSPF NSSA external type 1
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
       E2 - OSPF external type 2
Gateway of last resort 192.168.128.1
C 10.1.1.0/30 is directly connected, ppp 1
C 10.1.1.1/32 is directly connected, ppp 1
C 10.2.2.0/30 is directly connected, ppp 2
C 10.2.2.1/32 is directly connected, ppp 2
R 172.16.1.0/24 [120/1] via 10.1.1.1, ppp 1
R 172.16.3.0/24 [120/1] via 10.1.1.1, ppp 1
R 172.16.4.0/24 [120/1] via 10.1.1.1, ppp 1
O 192.168.65.0/24 [110/51] via 10.2.2.1, ppp 2
O 192.168.72.0/24 [110/51] via 10.2.2.1, ppp 2
O 192.168.100.0/24 [110/51] via 10.2.2.1, ppp 2
C 192.168.128.0/24 is directly connected, eth 0/1
C 192.168.129.0/24 is directly connected, eth 0/2
(Callouts in Figure 11-8: the O entries are OSPF routes; the bracketed values are [administrative distance/cost]; after “via” come the next-hop address and the forwarding interface.)
Table 11-2. Viewing the Routing Table
Using the Routing Table to Troubleshoot Static Routing
Several problems can prevent the router from using static routes to forward traffic to its destination correctly:
■ You have not added a route to the destination.
■ The router cannot use the route.
■ The route to the destination is faulty.
Enter the show ip route command to determine what route, if any, the router is using to forward traffic to the destination in question.
When the routing table does not include a route for the destination, you should try adding the route. If adding new static routes on each new device becomes too cumbersome, you can configure a dynamic routing protocol. See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide.
Even if you have configured a static route for a destination, you may not see that route when you enter the show ip route command. The routing table only displays the routes that the router can use to forward packets. The router may know routes that it is not using because:
■ the forwarding interface is down
■ the router knows an identical route with a smaller metric or administrative distance
■ the router knows an identical route with the same metric and administrative distance and load sharing is not enabled
Table Section                                       Command Syntax
directly connected routes                           show ip route connected
statically entered routes                           show ip route static
BGP                                                 show ip route bgp
RIP                                                 show ip route rip
OSPF                                                show ip route ospf
routes displayed in table format                    show ip route table
the number of routes stored in the routing table    show ip route summary
If a static route will not appear in the routing table, verify that the associated forwarding interface is up. If necessary, troubleshoot that interface. If you have configured a next hop address for the static route, you should check the routing table to ensure that it includes a route to that next hop.
If you want the router to use more than one route to the same destination, you must enable load sharing with the ip load-sharing command.
If you see a route to the destination that hosts cannot reach, several problems could be causing traffic to be misrouted:
■ Another router en route to the destination cannot route the traffic—In this case, you should use the traceroute command to pinpoint the router that is not forwarding the traffic. (See “Monitoring Routes” on page 11-26.) Remember that in order for a ping to be successful, routers must also know a route back to the source of the ping. You should always make sure that routes are two-way: the local router knows routes to remote destina-tions, and remote routers know routes to the local networks.
■ The route in the local routing table is invalid—Check for miskeyed information such as the wrong interface number for the forwarding interface. You must remove the route before re-entering the route with the correct information. (When you configure more than one static route to the same destination, the router automatically assigns the second route a higher administrative distance. Therefore, if you fail to remove the faulty route, your correction will not take effect.)
■ Your router’s routing table includes the correct route, but it also includes a more-specific, incorrect route. For example, the router may have discovered a more-specific route using a routing protocol. See “Clearing Routes” on page 11-27 to learn how to remove dynamic routes from the table. See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide to learn how to troubleshoot routing protocols.
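The checks above can be applied mechanically to the output of show ip route. As an added example that is not part of this guide, the Python below parses output in the format of the chapter’s figures (the sample lines and the configured static routes are constructed, including two routes that are deliberately faulty), reports configured static routes that are absent from the table together with the likely reason (forwarding interface down or a better route, versus no route to the next hop), and shows which route the router would use for a destination, flagging a more-specific dynamically learned route that shadows a static one. The regexes and helper names are assumptions made for this example.

```python
import ipaddress
import re

# Line shapes from the chapter's show ip route figures (regexes constructed for this example)
CONNECTED = re.compile(r"^C\s+(\S+)\s+is directly connected,\s+(.+)$")
LEARNED = re.compile(r"^([SROB])\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(.+)$")
CONTINUED = re.compile(r"^\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(.+)$")   # extra load-sharing routes

NOT_INSTALLED = "not in table: forwarding interface down, or a better route to the same destination"
NO_NEXT_HOP_ROUTE = "not in table: no route covers the configured next hop"

# Constructed sample output in the format of Figures 11-8 and 11-10 (not captured from a device)
SAMPLE = """\
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S 0.0.0.0/0 [1/0] via 0.0.0.0, ppp 1
            [1/0] via 0.0.0.0, ppp 2
C 10.1.1.0/30 is directly connected, ppp 1
C 10.2.2.0/30 is directly connected, ppp 2
S 172.16.0.0/16 [1/0] via 10.1.1.2, ppp 1
R 172.16.3.0/24 [120/1] via 10.1.1.2, ppp 1
O 192.168.65.0/24 [110/51] via 10.2.2.2, ppp 2
C 192.168.128.0/24 is directly connected, eth 0/1
"""

# Static routes as they were entered with ip route (constructed; the last two are faulty)
CONFIGURED = [("0.0.0.0/0", "ppp 1"), ("0.0.0.0/0", "ppp 2"), ("172.16.0.0/16", "10.1.1.2"),
              ("192.168.30.0/24", "10.7.7.2"), ("192.168.40.0/24", "ppp 3")]


def parse_show_ip_route(text):
    """show ip route output -> list of dicts: code, prefix, distance, metric, via, interface."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := CONNECTED.match(line):
            routes.append(dict(code="C", prefix=ipaddress.ip_network(m[1]),
                               distance=0, metric=0, via=None, interface=m[2]))
        elif m := LEARNED.match(line):
            routes.append(dict(code=m[1], prefix=ipaddress.ip_network(m[2]),
                               distance=int(m[3]), metric=int(m[4]),
                               via=None if m[5] == "0.0.0.0" else m[5], interface=m[6]))
        elif (m := CONTINUED.match(line)) and routes:
            prev = routes[-1]                  # another route to the destination on the line above
            routes.append(dict(code=prev["code"], prefix=prev["prefix"],
                               distance=int(m[1]), metric=int(m[2]),
                               via=None if m[3] == "0.0.0.0" else m[3], interface=m[4]))
    return routes


def audit_static_routes(table, configured):
    """Configured static routes missing from the table, each with the reason to check first."""
    findings = []
    for prefix, via in configured:
        net = ipaddress.ip_network(prefix)
        if any(r["code"] == "S" and r["prefix"] == net and via in (r["via"], r["interface"])
               for r in table):
            continue                           # installed, nothing to report
        if via[0].isdigit():                   # a next-hop address rather than an interface
            hop = ipaddress.ip_address(via)
            # the default route is skipped here: it covers every address and would hide the problem
            if not any(hop in r["prefix"] and r["prefix"].prefixlen > 0 for r in table):
                findings.append((prefix, via, NO_NEXT_HOP_ROUTE))
                continue
        findings.append((prefix, via, NOT_INSTALLED))
    return findings


def explain(table, dest):
    """(selected route, shadowed static route): the most specific match wins; if it was learned
    dynamically while a less specific static route (other than the default) also matches,
    that static route is reported as shadowed."""
    ip = ipaddress.ip_address(dest)
    matches = sorted((r for r in table if ip in r["prefix"]), key=lambda r: -r["prefix"].prefixlen)
    if not matches:
        return None, None
    selected, shadowed = matches[0], None
    if selected["code"] != "S":                # a dynamic route beat every static route below it
        shadowed = next((r for r in matches[1:]
                         if r["code"] == "S" and r["prefix"].prefixlen > 0), None)
    return selected, shadowed
```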
Monitoring Routes
You can monitor the route that packets actually take through the network by using the traceroute command. Enter the command followed by the destination address for the route you want to trace:
Syntax: traceroute <A.B.C.D>
The router sends out a series of pings with steadily incrementing TTLs, so that each successive ping reaches one hop closer to the destination. The router records the addresses of the routers that return the pings, thus building up a list of every hop between itself and the destination. (See Figure 11-9.)
Figure 11-9. Traceroute Command
Tracing routes allows you to monitor actual traffic flow (although in a necessarily limited fashion). When traffic does not reach its destination, you can determine which network node cannot forward it. You can then troubleshoot the device with the problem.
When traffic can take more than one route through a network, you can use the traceroute command to discover which path routers have selected. If you determine that routers are using high-cost paths unnecessarily, you can make adjustments accordingly. For example, you can configure a routing protocol, such as OSPF, that takes link cost into account. Or you can configure PBR to allow the router to forward traffic over different paths depending on certain characteristics of the traffic. (See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide.)
Clearing Routes
In addition to the routes that you add to your router’s routing table, your router may learn routes using a dynamic routing protocol. If your router has learned unreliable routes, you can clear them using this command:
Syntax: clear ip route [* | <A.B.C.D> <subnet mask | /prefix length>]
You can enter *, which clears all routes, or the destination for the specific route you want to remove.
ProCurveSR7102dl# traceroute 192.168.100.2
Type CTRL+C to abort.
Tracing route to 192.168.100.2 over a maximum of 30 hops
  1   2ms   2ms   2ms   10.1.1.2
  2   4ms   4ms   4ms   10.2.2.1
  3   4ms   5ms   4ms   192.168.100.2
(Callouts in Figure 11-9: hop 1 is the next hop, the directly connected neighbor; hop 3 is the destination.)
Note: Clearing a route is not necessarily enough to solve a problem. Unless you address the reason that the router learned the inaccurate route, the router may only learn the inaccurate route again.
If your router should not be receiving dynamic routes at all, then you should enter these commands:
ProCurve(config)# no router rip
ProCurve(config)# no router ospf
ProCurve(config)# no router bgp <AS>
If you do want your router to use a routing protocol in addition to static routes, you should troubleshoot the routing protocol as described in Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide.
The clear command only removes learned routes. To clear a static route, you must enter the no form of the command you used to enter it:
Syntax: no ip route <destination A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>
Remember that, unlike the clear ip route command, the no ip route command is entered from the global configuration mode context.
Figure 11-10. Clearing Routes
For example, your router has the routes in the routing table shown in Figure 11-10. The routes to 192.168.65.0 /24 and 172.168.0.0 /16 are faulty and you want to clear them. The first is a learned route, so you enter:
ProCurve# clear ip route 192.168.65.0 /24
The second is a static route, so you move to the global configuration mode context and enter:
ProCurve(config)# no ip route 172.168.0.0 /16 ppp 1
ProCurve# show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       IA - OSPF inter area, N1 - OSPF NSSA external type 1
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
       E2 - OSPF external type 2
Gateway of last resort 192.168.128.1
C 10.1.1.0/30 is directly connected, ppp 1
C 10.1.1.1/32 is directly connected, ppp 1
C 10.2.2.0/30 is directly connected, ppp 2
C 10.2.2.1/32 is directly connected, ppp 2
S 172.16.0.0/16 [1/0] via 10.1.1.1, ppp 1
R 172.16.3.0/24 [120/1] via 10.1.1.1, ppp 1
R 172.16.4.0/24 [120/1] via 10.1.1.1, ppp 1
O 192.168.65.0/24 [110/51] via 10.2.2.1, ppp 2
C 192.168.128.0/24 is directly connected, eth 0/1
C 192.168.129.0/24 is directly connected, eth 0/2
(Figure 11-10 marks the learned route to 192.168.65.0/24 and the static route to 172.16.0.0/16 with the callouts “Faulty route” and “Misconfigured route”.)
Quick Start
This section provides the commands you must enter to quickly configure static routes.
Only a minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 11-1 to locate the section that contains the explanation you need.
Static Routing
Static routing may be a good solution for your WAN if:
■ you are connecting remote sites that each only have one router
■ the router only needs to route traffic to an ISP
■ only one path is available to forward IP traffic
Connecting Simple Remote Sites
1. Configure a route to the remote network using the remote router’s WAN IP address as the next-hop address:
Syntax: ip route <destination network A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>
For example:
ProCurve(config)# ip route 192.168.3.0 /24 10.2.2.1
You can alternatively specify the connecting WAN interface on the local router as the forwarding interface:
ProCurve(config)# ip route 192.168.3.0 /24 ppp 1
For Frame Relay connections, use the Frame Relay subinterface for the PVC you want to use as the forwarding interface.
It can be a good idea to use the logical interface as the reference for the route because IP addresses could change.
2. If necessary, add a route to another remote network.
Routing Traffic to an ISP
Configure a default route to the ISP router:
ProCurve(config)# ip route 0.0.0.0 /0 ppp 1
Syntax: ip route 0.0.0.0 [0.0.0.0 | /0] <next hop A.B.C.D | forwarding interface ID>
Again, you should specify the WAN interface as the forwarding interface so that the route is still valid even if the IP address changes.
12
Domain Name System (DNS) Services
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Host and Domain Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Host Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Authoritative and Caching Name Servers . . . . . . . . . . . . . . . . . . . . . . 12-4
DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
ProCurve Secure Router DNS Support . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
Static DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7
Custom DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7
Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
Enabling DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
Adding an Entry to the Router’s Host Table . . . . . . . . . . . . . . . . . . . . 12-9
Specifying DNS Server Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Enabling the Router to Act as a Name Server . . . . . . . . . . . . . . . . . . 12-10
Troubleshooting DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Debugging DNS Server Activity . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Debugging DNS Client Activity . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15
Opening an Account with DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
Configuring the Interface’s IP Address . . . . . . . . . . . . . . . . . . . . . . . . 12-16
Setting a Dynamic Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
Specifying a Static Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
Activating the Dynamic DNS Client . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
Special Considerations for Configuring Custom DNS . . . . . . . . . . . 12-18
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-19
Configuring the ProCurve Secure Router as a DNS Client . . . . . . . 12-19
Configuring the ProCurve Secure Router as a Name Server . . . . . . 12-20
Configuring a Dynamic DNS Client on a ProCurve Secure Router Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
Overview
Domain Name System (DNS) is the Internet protocol for translating domain names or hostnames into IP addresses. The hostname is the familiar, alphanumeric name for a host on the Internet (for example, www.hp.com), and the IP address is the 32-bit address that machines use to reach each other. DNS allows users to enter more readily memorable and intuitive hostnames rather than IP addresses. It also allows a host to keep the same hostname even if it changes its IP address.
Host and Domain Names
The domain name of a single host is also called a hostname. A hostname is typically made up of at least three domain levels. For example, the top-level domain of www.hp.com is “com.” The Internet is divided into hundreds of top-level domains. The most common include com, gov, org, and two-letter codes for every country.
There are millions of first-level domains (hp, in our example), each designating an organization. When you want to reserve a domain name, you work through the proper channel for your top-level domain. The top-level organization ensures that every first-level domain in the top-level domain is unique.
The second (or third or fourth) domain level refers to the specific machine. For example, www often identifies a domain’s Web server. An organization can subdivide its domain, so a hostname might include four or more levels.
Host Tables
In the very early days of the Internet, Stanford Research Institute’s Network Information Center (SRI-NIC) maintained a single host table mapping all hostnames in the Internet to their IP addresses. Individual network administrators would download new entries to their name servers. However, as the Internet exploded with new domains, SRI-NIC simply could not manage all the new entries, nor could name servers hold them all.
DNS distributes host tables throughout many DNS servers or name servers. The host table is divided into many zones, and each name server only holds the information for a few zones. Every organization maintains the host table for its own domain on its name server or servers. It is up to the organization to keep its own information accurate and up to date.
This system diffuses domain records throughout the Internet. Hosts anywhere on the Internet can still reach each other because name servers can query each other for the hostnames they cannot translate.
Authoritative and Caching Name Servers
Most name servers function as an authoritative server for one or several zones and as a caching server for all other zones. A name server’s host table includes entries for all hosts in the zones on which it is authoritative. When a client requests the IP address for one of these hosts, the authoritative server can immediately provide it. The server caches the most recently requested entries for hosts in other zones. It has received these entries from other servers through a query process.
DNS Queries
When a server receives a request to translate a hostname that is not in its host table or cache, it runs its resolver and queries its root server. Root servers know the addresses for the top-level name servers, which in turn know the addresses for the name servers of their first-level domains. These servers provide IP addresses for hosts in their domain. (See Figure 12-1 for an example of a DNS query.)
Caching addresses speeds up the query process. Clients are constantly requesting .com addresses. A name server will hold the top-level name server’s address in its cache, instead of having to query its root server for it each time a client requests an address ending in .com.
Figure 12-1. DNS Queries
Similarly, when a client accesses several hosts in the same first-level domain, the DNS server caches the IP address for the first-level domain server.
ProCurve Secure Router DNS Support
The ProCurve Secure Router can function as an authoritative name server for hosts in your domain. The router stores a host table with the entries for local hosts. It can also act as a caching server. When the ProCurve Secure Router runs DNS proxy, it can ask another server to resolve clients’ queries for hostnames not in its own table.
In addition, the ProCurve Secure Router can run a DNS client for itself. The DNS client lets you enter hostnames instead of IP addresses for ping, traceroute, and other troubleshooting commands. When the router acts as a client, it can look up names for itself in its host table. It can also send DNS requests to its external DNS servers.
[Figure 12-1 shows a root server, a top-level (.com) server, and the DNS servers of Organizations A, B, and C. To resolve www.C.com, the querying name server sends a request for .com to the root server, a request for C.com to the top-level server, and a request for www.C.com to Organization C’s DNS server.]
Dynamic DNS
Your device’s IP address may change, and such changes are not always under your control. For example, your router may receive a dynamic address from your Internet service provider (ISP). When a device’s address changes, DNS servers will no longer be able to resolve its hostname, and customers will not be able to access the device.
In order to map a dynamic IP address with a static hostname, you should register with an organization that provides dynamic DNS services.
The ProCurve Secure Router supports a client that is compatible with Dynamic Networking Services, Inc. (www.dyndns.org), or DynDNS. The client runs on a router interface. It automatically notifies DynDNS whenever the interface’s IP address changes, and DynDNS propagates the change throughout its system of DNS servers.
DynDNS provides several types of services:
■ Dynamic DNS℠
■ Static DNS℠
■ Custom DNS℠
Depending on the service you select, you can register a hostname in one of the domains provided by DynDNS or in your own domain.
Dynamic DNS
Dynamic DNS is a free service that allows you to map dynamic addresses to up to five hostnames. You must register hostnames in one of 68 set domains. (See http://www.dyndns.org/services/dns/dyndns/domains.html for a list of available domains.)
The client running on the ProCurve Secure Router interface automatically updates DynDNS when the interface’s IP address changes. (If DynDNS does not receive at least one update every 35 days, it deletes the hostname.) DynDNS provides five globally redundant DNS servers to ensure that your hostname will always resolve.
Dynamic DNS is primarily designed for private users. For commercial applications, you should probably purchase an account upgrade or Custom DNS.
Static DNS
You can use Static DNS to register a device with a free hostname in one of the domains used with Dynamic DNS. Static DNS provides many of the same services as Dynamic DNS, but it is tailored for devices whose IP addresses rarely change. When you use Static DNS, new information takes longer to propagate; however, DynDNS maintains a device’s hostname even when the device does not send an update within 35 days.
Static DNS may be a good solution for you when:
■ your device’s IP address rarely changes
■ you want to assign the device a static, easy-to-remember hostname, but you do not want to purchase a domain name
Custom DNS
You can use Custom DNS with both static and dynamic IP addresses. Custom DNS provides all the features of Dynamic DNS, with several additions.
With Custom DNS, you can map a dynamic IP address to a hostname in nearly any domain. (Exceptions include domains in alternate roots; see http://www.dyndns.org/services/dns/custom/supported-domains.html for more information.) You can also use your own domain, over which you have complete control. You can purchase the domain name from another organization or from DynDNS.
You can configure various hostnames in the domain. You can also specify various subdomains, which can point to the same IP address or different IP addresses.
You can configure Custom DNS using DynDNS’s standard or expert interface. The standard interface automatically provides services such as having www.yourdomain.com point to the same address as yourdomain.com.
Configuring DNS
The extent to which you enable DNS functions on the ProCurve Secure Router depends on whether you want the router to simply be able to run the DNS client or to act as a name server for your organization.
If you only want the router to act as a DNS client, you must:
■ enable DNS (which is enabled by default)
■ specify at least one external DNS server
You can also:
■ add entries for local hosts to the router’s host table
If you want the router to act as a name server for hosts in your network, you must:
■ enable DNS (which is enabled by default)
■ specify at least one external DNS server
■ add entries for local hosts to the router’s host table
■ enable DNS proxy
Enabling DNS
DNS lookup is enabled on the ProCurve Secure Router by default. You can turn it on and off with the following global configuration mode command:
Syntax: [no] ip domain-lookup
This command enables the DNS client on the router. You can enter hostnames instead of IP addresses for applications such as ping, Telnet, and traceroute, and the router will either translate the names itself using its host table or query the DNS server(s) you have configured.
In order for the router to translate hostnames for itself, you must add entries for hosts in its domain to its host table.
In order for the router to resolve the names of hosts outside its domain, you must specify the IP address of the DNS server it should query.
The router will only act as a name server for connected hosts if you enable DNS proxy. (See “Enabling the Router to Act as a Name Server” on page 12-10.)
Adding an Entry to the Router’s Host Table
DNS distributes the enormous global host table across many name servers. Network administrators maintain the entries for their own domains, which keeps the table accurate and manageable: you manage only the small section of the table that you know. Accordingly, configure the host table on your ProCurve Secure Router only with entries for hosts on its own network.
If the router is acting as a Dynamic Host Configuration Protocol (DHCP) server, the Secure Router OS automatically adds the router’s clients to the host table. If the router is acting as an authoritative server for its own network, you should also manually add entries for any devices with a static address that users may need to access such as your organization’s Web and email servers. Do not add entries for external hosts or any other host for which the router can get information from other servers.
To add a hostname to the table, enter:
Syntax: ip host <hostname> <A.B.C.D>
For example:
ProCurve(config)# ip host www 192.168.1.25
A hostname can be any combination of numbers and letters under 256 characters. However, the hostname cannot constitute a valid IP address (a name such as 10.1.1.1 would be interpreted as an address, not a name). Use the no form of this command to remove names from the host table.
Do not include the domain name for hostnames. Instead, you should specify your organization’s domain name as the default name the router uses to resolve hostnames. Enter:
Syntax: ip domain-name <domain name>
Do not include the initial period that separates an unresolved name from the domain name. For example:
ProCurve(config)# ip domain-name procurve.com
If you enable DNS proxy, the router can also use the default domain name when forwarding requests. If the external name server cannot resolve a query, the router appends the default domain name to the original query and resends the request.
Specifying DNS Server Addresses
No single DNS server contains the entire host table for every host on the Internet. In order for the Internet to do its job—to allow a host in one location to access a host in any other location—name servers must be able to query each other about the many hosts not in their own tables.
You must specify at least one external name server for the router. This should be a recursive name server that can resolve Internet names on the router’s behalf: typically your ISP’s name server or a DNS server in your organization’s WAN. (The router forwards whole queries to this server and relays the replies; it does not walk the DNS hierarchy itself, so a root server, which does not perform recursion, will not return usable answers.) The router will contact this server:
■ to resolve hostnames for the router (when the router is acting as a DNS client)
■ to resolve hostnames for connected hosts (when the router is running DNS proxy)
To configure the address for the router’s DNS server, enter:
Syntax: ip name-server <A.B.C.D> <secondary server A.B.C.D>
You may enter addresses for up to six servers (separate each with a space). The ProCurve Secure Router sends DNS requests to the first address listed first. For example, to enter three:
ProCurve(config)# ip name-server 10.1.1.1 10.2.2.2 10.3.3.3
Use the no form of the command to remove a server from the list.
Enabling the Router to Act as a Name Server
The router will automatically act as a server for itself (for example, when you ping a device by its hostname) as long as DNS lookup is enabled. To enable the ProCurve Secure Router to act as a name server for connected hosts, enter the following global configuration mode command:
ProCurve(config)# ip domain-proxy
DNS proxy is intended for hosts on your own network. Make sure that your access controls prevent hosts outside your network (for example, on the WAN side) from using the router as a resolver; an open resolver can be abused to amplify traffic toward third parties.
When the ProCurve Secure Router receives a request from a client to translate a hostname, it follows this process:
1. It checks its local host table for a matching entry. (See “Adding an Entry to the Router’s Host Table” on page 12-9 to learn how to create this table.) If it finds a match, it sends the IP address stored for the host to the client.
2. If it does not find a match, it forwards the request to an external DNS server. (See “Specifying DNS Server Addresses” on page 12-10.) When the router receives a reply, it forwards it to the client.
3. If the external server cannot resolve the name, the router appends the default domain name (if configured) and resends the request.
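The following Python model, added here as an illustration and not code from the ProCurve manual or from HP, walks through the three steps above for a few constructed queries and also enforces the naming rule for ip host. The external server is replaced by a lookup function so the example runs offline. Two details are assumptions, marked in the comments: that a client query for www.procurve.com matches the host-table entry www when procurve.com is the default domain, and that the router moves on to the next configured server when the first one does not respond (the manual only says that the first address is tried first).

```python
"""Added example, not code from the ProCurve manual or from HP: an offline
model of the resolution order of ip domain-proxy (host table, then the
external server, then the query with the default domain appended) plus the
naming rule for ip host.  A caller-supplied function stands in for the
external server."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# lookup(server_ip, qname) returns the answer address, or None when the
# server has no record for the name; it raises TimeoutError if unreachable.
Lookup = Callable[[str, str], Optional[str]]
_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")   # allowing '-' is an assumption


def check_host_name(name: str) -> Optional[str]:
    """None if name is acceptable for ip host, otherwise the reason.
    Rules from the manual: letters and digits, under 256 characters, not a
    valid IP address, and no domain part (that is set with ip domain-name)."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        return "name is a valid IP address"
    if not name or len(name) >= 256:
        return "name must be 1 to 255 characters"
    if "." in name:
        return "do not include the domain name"
    if not _LABEL_RE.match(name):
        return "only letters, digits and hyphens are allowed"
    return None


class DnsProxy:
    """Forwarding behaviour of ip domain-proxy, with a trace of each step."""

    def __init__(self, name_servers: List[str], lookup: Lookup,
                 default_domain: Optional[str] = None) -> None:
        if not name_servers:
            raise ValueError("specify at least one external DNS server")
        self.name_servers = name_servers[:6]            # manual: up to six
        self.lookup = lookup
        self.default_domain = default_domain.lower() if default_domain else None
        self.host_table: Dict[str, str] = {}

    def add_host(self, name: str, address: str) -> None:
        """ip host <name> <A.B.C.D>, enforcing the naming rule."""
        problem = check_host_name(name)
        if problem:
            raise ValueError(f"ip host {name}: {problem}")
        ipaddress.IPv4Address(address)                  # rejects a bad address
        self.host_table[name.lower()] = address

    def _forward(self, qname: str, trace: List[str]) -> Optional[str]:
        """Try the servers in order; skipping an unreachable server is an
        assumption.  A negative answer from a reachable server is final."""
        for server in self.name_servers:
            trace.append(f'Forwarding query for "{qname}" to {server}')
            try:
                answer = self.lookup(server, qname)
            except TimeoutError:
                trace.append(f"No response from {server}")
                continue
            if answer is not None:
                trace.append("Received response from server")
            return answer
        return None

    def resolve(self, qname: str, client: str = "192.168.1.50") -> Tuple[Optional[str], List[str]]:
        """Steps 1 to 3 from the text; returns (address or None, trace)."""
        trace = [f"Received request from {client}"]
        fqdn = qname.lower().rstrip(".")
        key = fqdn
        # Step 1: host table.  Treating "www" and "www.<default domain>" as
        # the same entry is an assumption about how the table is keyed.
        if self.default_domain and fqdn.endswith("." + self.default_domain):
            key = fqdn[: -len(self.default_domain) - 1]
        if key in self.host_table:
            address = self.host_table[key]
            trace.append(f'Serving reply for "{qname}" from host database: {address}')
            return address, trace
        answer = self._forward(qname, trace)            # Step 2: forward as received
        if answer is None and self.default_domain and not fqdn.endswith("." + self.default_domain):
            answer = self._forward(f"{qname}.{self.default_domain}", trace)   # Step 3
        if answer is not None:
            trace.append(f"Transmitting response to {client}")
        return answer, trace


# Constructed data for the demonstration; 10.1.1.1 plays an unreachable server.
UPSTREAM_RECORDS = {"mail.example.com": "192.0.2.10",
                    "intranet.procurve.com": "198.51.100.7"}


def demo_lookup(server: str, qname: str) -> Optional[str]:
    if server == "10.1.1.1":
        raise TimeoutError(server)
    return UPSTREAM_RECORDS.get(qname.lower())


def build_demo_proxy() -> DnsProxy:
    proxy = DnsProxy(["10.1.1.1", "10.2.2.2"], demo_lookup, "procurve.com")
    proxy.add_host("www", "192.168.1.25")          # the manual's own example entry
    return proxy


if __name__ == "__main__":
    proxy = build_demo_proxy()
    for name in ("www", "intranet", "mail.example.com", "nosuch"):
        address, trace = proxy.resolve(name)
        print(f"{name} -> {address}")
        print("   " + "\n   ".join(trace))
```

Running the block shows the trace for each query. The query for intranet illustrates step 3: the bare name is forwarded first and answered negatively, then intranet.procurve.com is forwarded and resolved, while the unreachable server at 10.1.1.1 produces a "No response" line each time, which is the symptom the troubleshooting section describes as a repeating Forwarding query message.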
Troubleshooting DNS
When the ProCurve Secure Router cannot correctly resolve domain names, you can monitor DNS debug messages to pinpoint the source of the problem.
You should be able to interpret DNS messages well enough to track the DNS process and determine where problems arise.
Caution: Enabling DNS debug messages can seriously degrade the router’s performance, and with it the network’s, because the router must generate a message for every DNS request arriving from clients. Enable them only for as long as you need to capture the failing exchange, and turn them off afterward.
Before enabling debug messages, check for the most common problems described in the next section.
You should also determine that all connections are up and that hosts can ping each other. In other words, you should be certain that basic connectivity is not the root of the problem.
Process
First, determine whether the router is acting as a DNS client or a DNS server. Then activate the corresponding debug messages.
The ProCurve Secure Router acts as a DNS server when it:
■ receives DNS requests from hosts on its network
■ checks its host table for a matching entry
■ forwards queries to an external DNS server
■ forwards the IP address for a hostname to a DNS client
The ProCurve Secure Router acts as a DNS client when it:
■ sends a query to an external name server on its own behalf
Debugging DNS Server Activity
To monitor the router’s activity as it receives, forwards, and responds to DNS requests, enter the following enable mode context command:
ProCurve# debug ip dns-proxy
Note: You can also start displaying the debug messages from any mode context with the do command.
Then, have the DNS client again attempt to access the host. Track the router’s activity. It should pass through the steps shown in Table 12-1. Determine where the process breaks down and troubleshoot the problem accordingly.
Table 12-1. DNS Proxy Process

Step 1. The router receives a request to translate a hostname.
    Message: Received request from <DNS client>
    If the message does not appear: DNS proxy is not enabled.
    If the message repeats: The router cannot resolve the hostname. (See Steps 2, 3, and 5 for possible causes.)

Step 2. If the hostname is in the local host table, the router sends its IP address to the client.
    Message: Serving reply for “<hostname>” from host database: <host A.B.C.D>
    If the message does not appear: The host table does not include the hostname.
    If the message repeats: (not applicable)

Step 3. If the hostname is not in the table, the router queries its own DNS server.
    Message: Forwarding query for “<hostname>” to <DNS A.B.C.D>
    If the message does not appear: You have not specified at least one external DNS server.
    If the message repeats: The external server cannot translate the hostname, or the router cannot reach the external server.

Step 4. If the server can translate the name, the router forwards the response to the client.
    Messages: Received response from server; Transmitting response to <DNS client>
    If the messages do not appear: The external server cannot translate the hostname, or the router cannot reach the external server.
    If the messages repeat: (not applicable)

Step 5. If the server cannot translate the name, the router appends the default domain name to the request and resends it.
    Message: Forwarding query for “<hostname>.<default domain name>” to <DNS server A.B.C.D>
    If the message does not appear: You have not configured a default domain name.
    If the message repeats: The external server cannot translate the hostname, or the router cannot reach the external server.

Step 6. If the server can translate the name, the router forwards the response to the client.
    Messages: Received response from server; Transmitting response to <DNS client>
    If the messages do not appear: The external server cannot translate the hostname, or the router cannot reach the external server.
    If the messages repeat: (not applicable)
Host Table Does Not Include a Hostname. If necessary, add an entry to the host table. You can view the current entries in the running-config. Look for a miskeyed entry. Delete the faulty entry from the host table before adding the correct entry. (It is very easy to edit an entry in the Web browser interface; see Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.)
Often, however, the local host table does not contain the entry for a host because it should not. The router should have only local hostnames in its host table; it should obtain the IP addresses of hosts outside its own domain from external name servers.
No External DNS Server. If the debug messages indicate that the router is not forwarding queries, you should specify an IP address for at least one DNS server. (See “Specifying DNS Server Addresses” on page 12-10.)
Forwarding Debug Message Repeats. If, on the other hand, you continually receive the Forwarding query... message, the router either cannot reach the DNS server or the server cannot translate the hostname.
If the server cannot translate the name, there is little you can do beyond adding another DNS server in hopes that it will provide better service. It is also quite possible that the hostname is invalid.
If the server consistently fails to translate hostnames, you should remove it from the system by entering no ip name-server <server A.B.C.D>. (Find the address in the running-config.)
However, before writing hostnames and servers off, you should determine that the router is actually reaching the server. Verify that the connection is up and attempt to ping the server. (Tips for bringing up an interface can be found in Chapter 3: Configuring Ethernet Interfaces, Chapter 4: Configuring E1 and T1 Interfaces, Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces, and Chapter 7: ADSL WAN Connections.) If the router cannot reach the server, verify that it knows a route to the server’s subnet (enter show ip route). You can learn how to add a static route and troubleshoot routing protocols in Chapter 11: IP Routing—Configuring Static Routes.
No Default Domain Name. Also, check that the router is appending a default domain name to resent queries and that this domain name is correct. See “Adding an Entry to the Router’s Host Table” on page 12-9 to learn how to configure the default domain name.
Debugging DNS Client Activity
DNS client activity deals only with the DNS requests the router makes on its own behalf. (The router always checks its own host table first. If it finds a match, no debug messages appear.)
To monitor DNS client messages, move to the enable mode context and enter:
ProCurve# debug ip dns-client
Real-time debug messages tracking the ProCurve Secure Router’s DNS client activity will display. For example, if you try to ping a hostname that the ProCurve Secure Router cannot find in its hostname table, the following message appears:
DNS: CLIENT Transmitting query packet for <hostname>
If this message does not appear, then you have not specified an IP address for the external server and should do so. (See “Specifying DNS Server Addresses” on page 12-10.)
The command line interface (CLI) should next display this message:
DNS: CLIENT Received query response
If you do not receive this message, the external DNS server cannot resolve the hostname. It is possible that the hostname is not valid. It is also possible that the DNS server address has been miskeyed and is not that of a valid name server. Find the address the router is contacting in the running-config (enter show running-config and look for ip name-server <A.B.C.D>).
Before deleting the address and entering a new one, ping the server and verify that the router can reach it. If the server does not reply, the server may be down or the router’s connection to the server may be down. The Stat LED for the interface through which the router reaches the DNS server should be green. See Chapter 3: Configuring Ethernet Interfaces, Chapter 4: Configuring E1 and T1 Interfaces, Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces, and Chapter 7: ADSL WAN Connections for tips on troubleshooting a connection.
Also verify that the route table includes a route to the server’s subnet. See Chapter 11: IP Routing—Configuring Static Routes for more information about the route table.
If the interface can reach the server, but the server consistently fails to translate hostnames, you should remove the server. If necessary, specify a new one. You can specify up to six DNS servers.
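The triage logic of Table 12-1 and of the DNS client section above can be applied to a captured debug session rather than read off by eye. The Python helper below is an added example, not code from the ProCurve manual or from HP: it scans the message texts that debug ip dns-proxy and debug ip dns-client print, works out the last step that was reached, and returns the likely cause and the corrective command the text recommends. The sample captures are constructed for the demonstration (addresses are from the documentation ranges).

```python
"""Added example, not part of the ProCurve manual: triage of captured
`debug ip dns-proxy` and `debug ip dns-client` output against Table 12-1
and the DNS client troubleshooting text."""
import re
from typing import Dict, Iterable, List

# Message texts as printed by debug ip dns-proxy (Table 12-1).
RECEIVED = re.compile(r"Received request from (\S+)")
LOCAL = re.compile(r'Serving reply for "([^"]+)" from host database')
FORWARD = re.compile(r'Forwarding query for "([^"]+)" to (\S+)')
RESPONSE = re.compile(r"Received response from server")
TRANSMIT = re.compile(r"Transmitting response to (\S+)")
# Message texts as printed by debug ip dns-client.
CLIENT_TX = re.compile(r"DNS: CLIENT Transmitting query packet for (\S+)")
CLIENT_RX = re.compile(r"DNS: CLIENT Received query response")


def diagnose_proxy(lines: Iterable[str]) -> Dict[str, str]:
    """Map a debug ip dns-proxy capture onto the steps of Table 12-1."""
    requests = forwards = 0
    local = resolved = False
    names: List[str] = []       # names forwarded, in order
    servers: List[str] = []     # servers they were forwarded to
    for line in lines:
        fwd = FORWARD.search(line)
        if RECEIVED.search(line):
            requests += 1
        elif LOCAL.search(line):
            local = True
        elif fwd:
            forwards += 1
            names.append(fwd.group(1))
            if fwd.group(2) not in servers:
                servers.append(fwd.group(2))
        elif RESPONSE.search(line) or TRANSMIT.search(line):
            resolved = True
    if requests == 0:
        return {"stage": "no-request",
                "advice": "No request reached the proxy: enable it with ip domain-proxy."}
    if local:
        return {"stage": "host-table", "advice": "Answered from the local host table."}
    if forwards == 0:
        return {"stage": "not-forwarded",
                "advice": "Name not in the host table and nothing forwarded: configure ip name-server."}
    if resolved:
        return {"stage": "resolved", "advice": "Resolved by the external server."}
    # Step 5 resends the first name with the default domain appended, so a
    # retry shows up as a later forwarded name that extends the first one.
    retried = any(n.startswith(names[0] + ".") for n in names[1:])
    where = ", ".join(servers)
    if not retried:
        return {"stage": "forwarded",
                "advice": (f"{forwards} forwarded queries to {where} got no reply: the server is "
                           "unreachable or cannot translate the name (ping it, check show ip route). "
                           "If it did answer and no <hostname>.<domain> retry appears, the default "
                           "domain name is not configured (ip domain-name).")}
    return {"stage": "retried",
            "advice": (f"Even with the default domain appended, {where} gave no usable reply: "
                       "ping the server, check show ip route, or replace it with no ip name-server.")}


def diagnose_client(lines: Iterable[str]) -> Dict[str, str]:
    """Map a debug ip dns-client capture onto the two messages the text lists."""
    sent: List[str] = []
    answered = False
    for line in lines:
        tx = CLIENT_TX.search(line)
        if tx:
            sent.append(tx.group(1))
        elif CLIENT_RX.search(line):
            answered = True
    if not sent:
        return {"stage": "no-query",
                "advice": "No query sent (or the name was in the host table): configure ip name-server if it is missing."}
    if not answered:
        return {"stage": "unanswered",
                "advice": (f"Query for {sent[-1]} got no response: verify the ip name-server address in the "
                           "running-config, ping the server, and check show ip route.")}
    return {"stage": "resolved", "advice": "The external server answered."}


# Constructed captures for the demonstration.
PROXY_OK = [
    "Received request from 192.168.1.50",
    'Forwarding query for "www.example.com" to 10.2.2.2',
    "Received response from server",
    "Transmitting response to 192.168.1.50",
]
PROXY_SERVER_DOWN = [
    "Received request from 192.168.1.50", 'Forwarding query for "intranet" to 10.1.1.1',
    "Received request from 192.168.1.50", 'Forwarding query for "intranet" to 10.1.1.1',
    "Received request from 192.168.1.50", 'Forwarding query for "intranet" to 10.1.1.1',
]
PROXY_NXDOMAIN = [
    "Received request from 192.168.1.50",
    'Forwarding query for "nosuch" to 10.2.2.2',
    'Forwarding query for "nosuch.procurve.com" to 10.2.2.2',
]
CLIENT_UNANSWERED = ["DNS: CLIENT Transmitting query packet for www.example.com"]

if __name__ == "__main__":
    for label, capture in (("ok", PROXY_OK), ("server down", PROXY_SERVER_DOWN),
                           ("nxdomain", PROXY_NXDOMAIN)):
        print(label, diagnose_proxy(capture))
    print("client", diagnose_client(CLIENT_UNANSWERED))
```

The "forwarded" and "retried" stages correspond to the repeating Forwarding query... message discussed above; the helper cannot tell an unreachable server from one that answers negatively, which is exactly why the text asks you to ping the server and check the route table before removing it.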
Configuring Dynamic DNS
When an interface has a dynamic IP address—for example, when your ISP provides its address—you should register its hostname with a dynamic DNS service provider. Dynamic DNS keeps track of the static hostname and ensures that, even when the associated device’s IP address changes, the hostname resolves to the correct address.
The ProCurve Secure Router supports a client that is compatible with Dynamic Networking Services, Inc., or DynDNS.
The dynamic DNS client on the ProCurve Secure Router can request one of these three levels of service:
■ Dynamic DNS℠
■ Static DNS℠
■ Custom DNS℠
Dynamic DNS and Static DNS are currently free services. Dynamic DNS allows you to map a dynamic address to a static hostname in one of 68 domains. Static DNS provides much the same services, but for devices whose IP addresses rarely change. DynDNS provides both these services for up to five hostnames.
You can purchase Custom DNS for a complete DNS solution. Custom DNS grants you control over an entire domain name: either one that you purchase from DynDNS or one that you have already purchased from another organization. You can also configure subdomains and map them to the same IP address or different IP addresses.
You should visit www.dyndns.org for more information about these services.
The following router interfaces can register for dynamic DNS services:
■ Ethernet interfaces
■ Ethernet subinterfaces (VLAN interfaces)
■ Point-to-Point Protocol (PPP) interfaces
■ High-level Data Link Control (HDLC) interfaces
■ Frame Relay subinterfaces
■ Asynchronous Transfer Mode (ATM) subinterfaces
You must complete three steps to configure a DynDNS service for a router interface:
1. Open an account with DynDNS.
2. Configure the logical interface’s IP address.
3. Activate the dynamic DNS client.
Opening an Account with DynDNS
You should first register with DynDNS for a hostname. Visit the Web site at www.dyndns.org and create an account. Select either the static or dynamic option. DynDNS will guide you through the process of selecting a domain from the 68 that it supports.
If you select the custom service, you can lease your own domain name.
Note: DynDNS allows you to map a wildcard hostname to the address. You can use this option, for example, to allow users to access the same device by entering yourdomain.com or www.yourdomain.com.
Configuring the Interface’s IP Address
On the ProCurve Secure Router, move to the configuration mode context for the interface whose IP address you want to map to the static hostname.
The interface must have an IP address to run the dynamic DNS client. If you have not already done so, configure the IP address.
Setting a Dynamic Address
When using Dynamic DNS, this address is generally a dynamic address—for example, one obtained using DHCP. Interfaces using Custom DNS can also have a dynamic address.
Enter:
Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]
When you activate the DHCP client on an interface, you can optionally enter a hostname for the interface, which your ISP may advertise to its DNS servers. You can request that your ISP accept the hostname that you will register with DynDNS. You would then enter that hostname for the hostname option. See Chapter 13: Dynamic Host Configuration Protocol (DHCP) for more information on configuring a DHCP client.
You can configure a PPP interface to take a dynamic address from a service provider with this interface configuration mode command:
Syntax: ip address negotiated [no-default]
See Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces for more information on configuring IP addresses for logical interfaces.
Specifying a Static Address
If you selected the Static DNS service, you should assign the interface a static address. An interface that uses Custom DNS can also have a static address, if you so choose.
From the Ethernet or logical interface configuration mode context, enter:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
See Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces for more information on configuring IP addresses for logical interfaces.
Activating the Dynamic DNS Client
You should now activate the client that automatically updates DynDNS when the interface’s IP address changes. Use this command, entered from the interface configuration mode context:
Syntax: dynamic-dns [dyndns | dyndns-custom | dyndns-static] <hostname> <username> <password>
Select the dyndns option for the Dynamic DNS service, the dyndns-static option for the Static DNS service, and the dyndns-custom option for Custom DNS. Enter the hostname you have selected for the router interface. Then enter the username and password that you established when creating your DynDNS account. Because the password is typed as a plain command argument, use a DynDNS account dedicated to this router rather than a shared login, and treat the router’s configuration and command history as sensitive.
For example:
ProCurve(config-atm 1.1)# dynamic-dns dyndns procurve admin secret
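The decisions a dynamic DNS client has to make follow from two rules in this chapter: send an update whenever the interface address changes, and, for the Dynamic DNS service, never let 35 days pass without one, because DynDNS deletes the hostname otherwise (Static DNS has no such deadline). The Python model below is an added example, not HP’s client or code from the manual. The wire format it builds is the public DynDNS NIC update protocol (an HTTP request to members.dyndns.org/nic/update with HTTP Basic authentication and single-word reply codes such as good, nochg, badauth and nohost); that the router speaks this protocol is an assumption, the manual does not say. The 28-day keepalive interval and the hostname procurve.dyndns.org are choices for the demonstration, and nothing here opens a network connection.

```python
"""Added example, not code from the ProCurve manual or from HP: a model of a
dynamic DNS client using the rules the manual states (update on address
change; a Dynamic DNS hostname is deleted after 35 days without an update).
The request format is the public DynDNS NIC update protocol, which is an
assumption about what the router actually speaks."""
import base64
import datetime as dt
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode

# Public DynDNS update endpoint (assumption: not taken from the manual).
UPDATE_URL = "https://members.dyndns.org/nic/update"
# Refresh comfortably inside the 35-day deletion window; 28 days is a choice.
KEEPALIVE = dt.timedelta(days=28)
# NIC update reply codes and how a client should react to them.
SUCCESS = {"good", "nochg"}
FATAL = {"badauth", "nohost", "notfqdn", "numhost", "abuse", "badagent", "!donator"}


@dataclass
class DynDnsClient:
    hostname: str
    username: str
    password: str
    service: str = "dyndns"            # dyndns | dyndns-static | dyndns-custom
    last_ip: Optional[str] = None
    last_update: Optional[dt.datetime] = None
    disabled_reason: Optional[str] = None

    def needs_update(self, current_ip: str, now: dt.datetime) -> Optional[str]:
        """Why an update is due ("changed" or "keepalive"), or None."""
        if self.disabled_reason:           # stopped after a fatal reply
            return None
        if current_ip != self.last_ip:
            return "changed"
        # Only the Dynamic DNS service expires idle hostnames (manual: 35 days).
        if (self.service == "dyndns" and self.last_update is not None
                and now - self.last_update >= KEEPALIVE):
            return "keepalive"
        return None

    def build_request(self, current_ip: str) -> Dict[str, object]:
        """The update request: query string plus HTTP Basic credentials."""
        query = urlencode({"hostname": self.hostname, "myip": current_ip})
        token = base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
        # Basic auth only hides the password if the request travels over TLS,
        # hence the https URL above.
        return {"url": f"{UPDATE_URL}?{query}",
                "headers": {"Authorization": f"Basic {token}",
                            "User-Agent": "added-example-ddns/1.0"}}

    def handle_response(self, body: str, current_ip: str, now: dt.datetime) -> str:
        """Record a successful update, stop on fatal codes, retry otherwise."""
        code = body.strip().split()[0] if body.strip() else ""
        if code in SUCCESS:
            self.last_ip, self.last_update = current_ip, now
            return "updated"
        if code in FATAL:
            # DynDNS expects clients to stop until the operator fixes the
            # account; retrying a badauth or nohost in a loop gets the host
            # blocked (the "abuse" code).
            self.disabled_reason = code
            return "stopped"
        return "retry-later"           # "911", "dnserr" or an unexpected body


def run_demo() -> Dict[str, object]:
    """One client's lifecycle on constructed addresses; returns its decisions."""
    day0 = dt.datetime(2005, 12, 1, tzinfo=dt.timezone.utc)
    c = DynDnsClient("procurve.dyndns.org", "admin", "secret")   # manual's example values
    out: Dict[str, object] = {}
    out["first"] = c.needs_update("203.0.113.5", day0)
    out["auth"] = c.build_request("203.0.113.5")["headers"]["Authorization"]
    out["url"] = c.build_request("203.0.113.5")["url"]
    out["good"] = c.handle_response("good 203.0.113.5", "203.0.113.5", day0)
    out["same_ip"] = c.needs_update("203.0.113.5", day0 + dt.timedelta(days=10))
    out["keepalive"] = c.needs_update("203.0.113.5", day0 + dt.timedelta(days=29))
    out["nochg"] = c.handle_response("nochg 203.0.113.5", "203.0.113.5", day0 + dt.timedelta(days=29))
    out["changed"] = c.needs_update("198.51.100.9", day0 + dt.timedelta(days=30))
    out["badauth"] = c.handle_response("badauth", "198.51.100.9", day0 + dt.timedelta(days=30))
    out["after_fatal"] = c.needs_update("198.51.100.10", day0 + dt.timedelta(days=31))
    static = DynDnsClient("host.dyndns.org", "u", "p", service="dyndns-static",
                          last_ip="203.0.113.5", last_update=day0)
    out["static_idle"] = static.needs_update("203.0.113.5", day0 + dt.timedelta(days=40))
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:12} {value}")
```

The keepalive branch is what keeps a rarely changing address from being deleted under the 35-day rule; the static client in run_demo shows that it is deliberately not applied to the Static DNS service, which the text says keeps the hostname without updates.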
Special Considerations for Configuring Custom DNS
Custom DNS expands the services provided by Dynamic and Static DNS. For example:
■ You control your own domain name, which you may already possess or which you may purchase from DynDNS.
■ You can turn your hostname into a subdomain, which is handled by your own DNS servers.
■ You can customize the TTL for hostnames, depending on whether the device has a static, pseudo-static, or dynamic IP address.
When you open your account, the DynDNS standard interface will guide you through setting up these services. (Experienced users can use the expert interface.)
Note: If you purchased your domain name from a different organization, you must delegate the domain to DynDNS’s name servers through that organization so that they resolve hostnames in your domain. DynDNS will instruct you how to do so.
Quick Start
This section provides the commands you must enter to quickly configure the ProCurve Secure Router to act as:
■ a DNS client
■ a proxy name server
It also shows you how to configure a router interface to run a client that updates a dynamic DNS service when the interface’s IP address changes.
Only minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 12-1 to locate the section that contains the explanation you need.
Configuring the ProCurve Secure Router as a DNS Client
1. The router automatically acts as a DNS client. If this function has been turned off, you can re-enable it from the global configuration mode context.
Syntax: ip domain-lookup
2. Specify IP address(es) for the router’s name server(s) from the global configuration mode context.
Syntax: ip name-server <A.B.C.D> <secondary A.B.C.D>
You can enter up to six name servers.
3. If so desired, add entries for devices on the network to the local host table. Enter this command from the global configuration mode context:
Syntax: ip host <hostname> <A.B.C.D>
For example:
ProCurve(config)# ip host www 192.168.3.25
4. Configure a default domain name for the router.
Syntax: ip domain-name <domain name>
For example:
ProCurve(config)# ip domain-name procurve.com
Configuring the ProCurve Secure Router as a Name Server
1. Enable DNS proxy from the global configuration mode context:
Syntax: ip domain-proxy
2. Add entries for static devices on the network to the local host table.
Syntax: ip host <hostname> <A.B.C.D>
For example:
ProCurve(config)# ip host www 192.168.3.25
3. Configure a default domain name for the router.
Syntax: ip domain-name <domain name>
For example:
ProCurve(config)# ip domain-name procurve.com
4. Specify IP address(es) for the DNS server(s) to which the router should forward requests it cannot translate.
Syntax: ip name-server <A.B.C.D> <secondary A.B.C.D>
You can specify up to six DNS servers.
Configuring a Dynamic DNS Client on a ProCurve Secure Router Interface
These interfaces can run the Dynamic DNS client:
■ Ethernet interfaces
■ Ethernet subinterfaces (VLAN interfaces)
■ PPP interfaces
■ HDLC interfaces
■ Frame Relay subinterfaces
■ ATM subinterfaces
1. From the global configuration mode context, move to the correct interface configuration mode context.
Syntax: interface <interface ID>
For example:
ProCurve(config)# interface atm 1.1
2. If you have not already done so, configure the interface’s IP address:
a. To configure a dynamic IP address for an Ethernet interface, Frame Relay subinterface, or ATM subinterface, enter:
Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]
b. To configure a dynamic IP address for a PPP interface, enter:
Syntax: ip address negotiated [no-default]
c. To configure a static address, enter:
Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>
3. Activate the dynamic DNS client.
Syntax: dynamic-dns [dyndns | dyndns-custom | dyndns-static] <hostname> <username> <password>
Select dyndns if you have registered for Dynamic DNS, dyndns-custom if you have registered for Custom DNS, and dyndns-static if you have registered for Static DNS.
Enter the interface’s hostname. Enter the username and password for your account with DynDNS.
For example:
ProCurve(config-atm 1.1)# dynamic-dns dyndns-custom procurve admin secret
Chapter 13: Dynamic Host Configuration Protocol (DHCP)
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
DHCP Request Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
The ProCurve Secure Router as a DHCP Server . . . . . . . . . . . . . . . . . 13-4
The ProCurve Secure Router as a DHCP Client . . . . . . . . . . . . . . . . . 13-5
DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Configuring a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Excluding Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Creating a DHCP Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Specifying the Network Address and Subnet Mask . . . . . . . . . . . 13-8
Specifying the Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
Changing a Pool’s Lease Time . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-10
Specifying DNS, WINS, and Other Servers . . . . . . . . . . . . . . . . . 13-11
Specifying a Domain Name for the Subnet . . . . . . . . . . . . . . . . . 13-12
Specifying a Bootfile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12
Configuring Parent and Child Pools . . . . . . . . . . . . . . . . . . . . . . . . . . 13-13
Example DHCP Pool Configuration . . . . . . . . . . . . . . . . . . . . . . 13-14
Assigning a Fixed Address to a Host through a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-14
Configuring DHCP Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-15
Configuring the DHCP Server’s Ping Settings . . . . . . . . . . . . . . . . . . 13-17
Managing and Troubleshooting the DHCP Server . . . . . . . . . . . . . . . . . . 13-18
Viewing DHCP Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-19
Monitoring the DHCP Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-19
Clients Unable to Receive a DHCP Address . . . . . . . . . . . . . . . . 13-20
Client Receiving the Wrong Fixed DHCP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-21
Configuring a Router Interface as a DHCP Client . . . . . . . . . . . . . . . . . . 13-21
Configuring a Dynamic Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22
Setting an Interface’s Client ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-23
Setting the Interface’s Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-24
Preventing the Interface from Taking Other Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-24
Configuring a Static Hostname for an Interface with a Dynamic Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-25
Managing and Troubleshooting the DHCP Client . . . . . . . . . . . . . . . . . . 13-26
Viewing the Interface’s Lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-26
Releasing and Renewing Dynamic Addresses . . . . . . . . . . . . . . . . . . 13-27
Monitoring DHCP Client Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-27
Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30
Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-32
Configuring a DHCP Server for a Network . . . . . . . . . . . . . . . . . . . . 13-33
Assigning a Fixed DHCP Address to a Single Host . . . . . . . . . . . . . . 13-34
Configuring a Router Interface as a DHCP Client . . . . . . . . . . . . . . . 13-36
Overview
Every computer or device that connects to the Internet or to an IP network needs an IP address. Most users do not have the expertise to configure an IP address, subnet mask, and gateway. In addition, whenever a computer changes its location in the network, it must receive a new address. Somehow, the address assigned to each device and the addresses that are still available must both be tracked. Most companies do not have the time, resources, or staff to devote to managing such configurations. In addition, networks operate with a finite number of IP addresses. It is most efficient for a host to reserve an address only when it is using it.
Dynamic Host Configuration Protocol (DHCP) enables hosts on an IP network, called DHCP clients, to lease a temporary IP address from a DHCP server. The server can also issue other configurations to the client that help it function on the network (such as the addresses of Domain Name System [DNS] and Windows Internet Naming Service [WINS] servers). This protocol helps reduce administrative overhead on an IP-based network.
The ProCurve Secure Router can act as a DHCP server for hosts on directly connected subnets. Router interfaces can also act as DHCP clients and receive a dynamic address from a directly connected DHCP server.
DHCP Request Process
Understanding the basics of DHCP will help you understand and remember how to configure a DHCP pool. If you can track the DHCP process, you will also find it much easier to troubleshoot the router’s DHCP activity.
The DHCP request process breaks down into four steps (see Figure 13-1):
1. The client broadcasts a DHCPDISCOVER packet, requesting an IP address and other configurations.
2. The server responds with a DHCPOFFER, which includes an available network address.
3. The client sends a DHCPREQUEST, accepting the offer and requesting the complete configuration from the server.
4. The server responds with a DHCPACK, which includes:
• the agreed-upon network address
• a default gateway
• a lease time
• the address of one or more DNS servers (optional)
• the address of one or more WINS servers (optional)
Figure 13-1. DHCP Request Process
Depending on how you configure the ProCurve Secure Router, the router can act as the DHCP server and/or one of its interfaces can act as a DHCP client. (However, an interface that acts as a DHCP client cannot also act as a server.)
The ProCurve Secure Router as a DHCP Server
A router that also functions as a DHCP server is particularly useful for a small-to-medium site at which all subnets connect to the WAN router. The ProCurve Secure Router can connect to up to two switches on its Ethernet ports.
[Figure 13-1 shows DHCP clients exchanging messages with the ProCurve Secure Router acting as DHCP server: (1) DHCPDISCOVER requests an IP address and other options; (2) DHCPOFFER offers an IP address; (3) DHCPREQUEST accepts the offer and asks for the client’s configuration; (4) DHCPACK responds with the committed IP address and other options.]
Figure 13-2. ProCurve Secure Router DHCP Server
You should configure one DHCP pool for each subnet. For the default gateway, you would specify the IP address of the Ethernet interface through which the router connects to the subnet. (See Figure 13-2.)
The switches may also connect to several VLANs. In this case, you would configure VLAN support on the Ethernet interfaces. (See Chapter 3: Configuring Ethernet Interfaces.) You would then create a DHCP pool for each VLAN.
A WAN interface can also act as a server for DHCP clients. However, usually the router at the remote site or a DHCP server would act as the remote network’s server. On the other hand, when you bridge two remote sites, one router should act as a DHCP server for all clients in the network.
The ProCurve Secure Router as a DHCP Client
Some service providers require their subscribers to lease a dynamic address from them. In particular, Frame Relay service providers often require their customers to use DHCP when connecting to their network. Each permanent virtual circuit (PVC) endpoint receives an IP address only when it needs it. This allows the service provider to conserve the limited number of IP addresses it owns. Internet service providers (ISPs) also often require subscribers to receive an IP address and other configurations from them.
You must configure the interface that connects to such a provider to act as a DHCP client.
[Figure 13-2 shows the router connected through Eth 0/1 to a switch on LAN 1, 192.168.1.0 /24, and through Eth 0/2 to a switch on LAN 2, 192.168.2.0 /24.]
Ethernet interfaces can also be DHCP clients on the connected subnet. Usually, however, it is a good idea to assign network nodes a static address.
Interfaces on the ProCurve Secure Router that can take a dynamic address are:
■ Ethernet interfaces
■ Frame Relay subinterfaces
■ Asynchronous Transfer Mode (ATM) subinterfaces
■ Point-to-Point Protocol (PPP) interfaces (only when bridging traffic)
DHCP Relay
Rather than acting as the server for connected DHCP clients, the router can run DHCP relay, which allows hosts on one subnet to receive configurations from a server on a different subnet. The router receives DHCP packets from clients and forwards them to a remote server on behalf of the clients. Similarly, it receives the committed IP addresses from the server and forwards them to the clients.
Configuring a DHCP Server
You configure the ProCurve Secure Router to act as a DHCP server by configuring a DHCP pool for each connecting subnet. The pool specifies the subnet’s address and default gateway. It can also include other configurations such as a DNS server address.
To configure the router as a DHCP server, you must:
1. Exclude static addresses from DHCP.
2. Create a DHCP pool:
a. Specify the network address and subnet mask.
b. Define the default gateway.
c. Specify DNS and WINS (NetBIOS) server addresses—You should specify at least one DNS server.
Optionally:
■ For a DHCP pool, you can:
• change the lease time
• specify a domain name for clients on a subnet
■ You can also:
• configure a parent pool from which child pools import global settings
• assign a fixed DHCP address to a single client
• configure ping settings for the DHCP server
Excluding Static Addresses
Certain IP addresses in your network may be statically assigned to specific hosts: for example, the router itself, the Ethernet interface, DNS and Web servers, and switches. Often administrators reserve an entire block of addresses for such devices. You must exclude all statically defined addresses from the pool of addresses the router assigns clients.
To specify that a range of addresses cannot be assigned to DHCP clients, move to the global configuration mode context and enter the following command:
Syntax: ip dhcp-server excluded-address <first A.B.C.D> [<last A.B.C.D>]
For example, your organization uses the first ten addresses on a subnet for routers and switches and the second ten for servers. You enter:
ProCurve(config)# ip dhcp-server excluded-address 192.168.1.1 192.168.1.20
You can also exclude a single address:
ProCurve(config)# ip dhcp-server excluded-address 192.168.1.254
Use the no form of this command to remove an IP address from the restricted list.
Creating a DHCP Pool
You should create a DHCP pool for each subnet that connects directly to the ProCurve Secure Router and for which you want the router to act as a DHCP server.
Use the following command to create the pool:
Syntax: ip dhcp-server pool <poolname>
Assign the pool an alphanumeric name meaningful within your network. For example:
ProCurve(config)# ip dhcp-server pool LAN1
The command line interface (CLI) displays Configuring New Pool “<pool-name>” and moves you into the DHCP server pool configuration mode context.
You can also edit a pool with the same command. The CLI displays Configuring Existing Pool “<poolname>”.
You can create multiple DHCP server address pools to provide configurations to different segments of the network. If the subnets are contiguous, you can create a parent pool with global settings for all subnets and separate child pools, each with settings particular to an individual subnet. (See “Configuring Parent and Child Pools” on page 13-13.)
From the DHCP server address pool configuration mode context, you configure:
■ subnet address
■ default gateway address
■ lease time
■ DNS server addresses
■ WINS server addresses
■ domain name
Every pool must include a subnet address, default gateway, and lease time. You can accept the default lease time (1 day), but you must configure the subnet address and default gateway. You should also configure at least one DNS server.
Specifying the Network Address and Subnet Mask
You assign a subnet to the DHCP server address pool by specifying the network address and subnet mask:
Syntax: network <network A.B.C.D> <subnet mask | /prefix length>
For example, to specify a private Class C subnet:
ProCurve(config-dhcp)# network 192.168.1.0 255.255.255.0
The DHCP server on the ProCurve Secure Router supports Classless Inter-Domain Routing (CIDR) addresses, so you can enter a bit length for the network address rather than a subnet mask. For example, your organization may have divided the Class B network 172.16.0.0 into sixteen subnets, including 172.16.32.0 /20 and 172.16.48.0 /20. For the first DHCP pool, you would enter:
ProCurve(config-dhcp)# network 172.16.32.0 /20
See the overview in Chapter 11: IP Routing—Configuring Static Routes for more information on network addresses, subnet masks, and prefix lengths.
Note: If you do not specify a subnet mask or prefix length, the server will use the class A, B, or C natural mask associated with the network address. If your LAN does use CIDR network addresses, take care to indicate the correct prefix length; otherwise hosts may end up with an address on the wrong subnet.
Specifying the Default Gateway
A client’s default gateway is the address on its network to which it sends all traffic. The gateway knows how to route and service the traffic. The ProCurve Secure Router acts as the gateway device for the subnets connected through its interfaces.
A DHCP pool’s default gateway, or default router, is the interface through which the clients for the pool connect. This interface is almost always an Ethernet interface. (Although nothing technically prohibits a WAN interface from being a default gateway, it usually has an address on a different network from hosts on a LAN. Even when it does not, it almost always makes more sense to have the Ethernet interface be the gateway for local hosts and a remote device the gateway for clients on the remote network.)
You specify a pool’s default gateway by entering the connected interface’s IP address in the DHCP pool configuration mode context:
Syntax: default-router <A.B.C.D> [<secondary A.B.C.D>]
Another device on the network, such as a second router interface, router, or a routing switch, may also be able to route traffic for the client. You may add an optional address for this secondary device. For example:
ProCurve(config-dhcp)# default-router 192.168.1.1 192.168.1.10
Note: Addresses for both the primary and secondary gateway must be on the subnet defined for the pool using the network command.
Changing a Pool’s Lease Time
Whenever a DHCP server sends a DHCPACK message to a client with its committed IP address and other network configurations, the server includes a lease time. This time puts a limit on how long the client can reserve the address. Temporary leases allow networks to satisfy multiple users with a limited pool of IP addresses. They also allow users to change addresses painlessly as the users change location in the network. Typically, active clients periodically request to keep their addresses before the lease expires so that data transmission is not interrupted.
The default lease time for DHCP pools on the ProCurve Secure Router is one day. This setting suits many environments, allowing clients to keep configurations throughout the workday, but also making it easy for a client to receive a new address when it changes location in the network.
However, subnets for various kinds of users require different lease times. For example, a subnet that provides public access computers, which are randomly used by many different people, may need a shorter lease time. Try not to set the lease shorter than necessary because DHCP exchanges consume bandwidth and router processing resources.
You can configure an individual lease time for each DHCP pool established on the router, according to your organization’s policies. For example, you can set a lease time of 1 hour. From the configuration mode context of the pool, enter:
Syntax: lease <days> <hours> <minutes>
The Secure Router OS always sets the first number entered as the number of days for the lease, the second as hours, and the third as minutes. You must enter a zero to indicate that you are skipping a number. For example, to set a lease time of 15 minutes, enter:
ProCurve(config-dhcp)# lease 0 0 15
You do not have to input zeroes after the last significant number. For example, a lease time of 30 days is specified as:
ProCurve(config-dhcp)# lease 30
See your ProCurve SROS Command Line Interface Reference Guide for valid ranges for lease time.
Specifying DNS, WINS, and Other Servers
DHCP clients often need other configurations besides an IP address. The DHCP server can also issue addresses to clients for the devices that provide various services for the subnet.
DNS Server. A DNS server tracks the IP addresses associated with specific hostnames. It translates a hostname into its IP address in response to requests from DNS clients. Clients need a DNS server so that users can enter hostnames to reach other hosts and browse the Internet. You should designate at least one DNS server for the DHCP client by entering the following command:
Syntax: dns-server <A.B.C.D> [<second A.B.C.D>]
You may specify an optional secondary DNS server by adding a second IP address. For example:
ProCurve(config-dhcp)# dns-server 192.168.1.25 15.3.1.20
WINS (NetBIOS) Server. A WINS server maps computers’ NetBIOS names to IP addresses. It ensures that hosts on the same network do not have the same hostname, and it performs DNS-type services for hosts with dynamic addresses. When a computer changes location in the network, the WINS server automatically updates the entry for its hostname with its new DHCP address.
If your private network uses NetBIOS, you should give the DHCP client the address of the WINS server. Enter:
Syntax: netbios-name-server <A.B.C.D> [<second A.B.C.D>]
You may specify IP addresses for up to two WINS servers.
Other Servers. You can also assign clients a Trivial File Transfer Protocol (TFTP) server and a Network Time Protocol (NTP) server.
Clients download config and software files from TFTP servers.
NTP servers ensure that all clients’ clocks are synchronized, which can be very important for some organizations. If the NTP server is in a different timezone than the DHCP clients, you must set a timezone offset. The range for the offset is -12 to 12. For example, to set an offset for a server 2 hours ahead of the local router, enter timezone-offset -2.
Enter these commands:
Syntax: tftp-server <A.B.C.D>
Syntax: ntp-server <A.B.C.D>
Syntax: timezone-offset <-12 to 12>
Specifying a Domain Name for the Subnet
If your organization wants users to have the organization’s domain name, you should configure the DHCP server to issue this name with the IP address. Specify the domain name for the subnet from the configuration mode context of the corresponding DHCP server pool:
Syntax: domain-name <domain name>
Do not include the period before the name. For example:
ProCurve(config-dhcp)# domain-name procurve.com
Specifying a Bootfile
DHCP clients that do not store the correct boot software on an internal flash drive can receive a bootfile from a TFTP server. If your ProCurve Secure Router serves as the DHCP server for such clients, it should notify these clients:
■ which bootfile to use
■ the address for the TFTP server
Enter this command from the DHCP pool configuration mode context to specify the boot file:
Syntax: bootfile <filename>
Enter the name of a file exactly as it is stored on the TFTP server.
You must also specify the address of the TFTP server. From the DHCP pool configuration mode context, enter this command:
Syntax: tftp-server <A.B.C.D>
For example, enter:
ProCurve(config-dhcp)# bootfile ClientBoot.biz
ProCurve(config-dhcp)# tftp-server 192.168.1.15
Configuring Parent and Child Pools
If your ProCurve Secure Router supports contiguous subnets, you can configure a single parent pool for the range of subnets. In this pool, you would specify settings that apply to all of the subnets, such as domain name, DNS servers, WINS servers, and lease time.
You would then configure child pools, each of which would have its own subnet address and default gateway. The other settings would be automatically imported from the parent pool, saving you time and minimizing opportunities for miskeying a server address.
When you configure a parent pool, you specify the range of subnets by entering the network address bits the subnets have in common followed by the (now shorter) prefix length.
Figuring out the exact number of bits that two subnets have in common involves converting from decimal to binary and can be complicated. The simplest method is to use the address and bit length for the last common octet.
For example, you want to configure a parent pool for subnets 192.168.1.0 /24 and 192.168.2.0 /24. The parent pool network address could be 192.168.0.0 /16.
However, you should be careful using this method, especially when your network uses variable-length subnets.
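The common-prefix calculation described above, carried out in code as an added example that is not part of the manual: exact_parent_network computes the exact longest common prefix of a set of child subnets, last_common_octet_network applies the manual's whole-octet shortcut, and subnets_swept_in shows which unrelated subnets an over-wide parent would also cover. All subnet values are constructed.

```python
import ipaddress


def exact_parent_network(subnets):
    """Smallest network that covers every child subnet (their longest common prefix).

    Starts from the first child and keeps shortening the prefix, one bit at a
    time, until every child subnet falls inside the candidate.
    """
    children = [ipaddress.ip_network(s) for s in subnets]
    parent = children[0]
    while not all(child.subnet_of(parent) for child in children):
        parent = parent.supernet()  # drop one more prefix bit
    return parent


def last_common_octet_network(subnets):
    """The manual's shortcut: keep only the whole leading octets the subnets share.

    The prefix length is therefore always a multiple of 8, which can be far
    wider than the exact common prefix.
    """
    octet_lists = [
        str(ipaddress.ip_network(s).network_address).split(".") for s in subnets
    ]
    common = []
    for position in zip(*octet_lists):
        if len(set(position)) != 1:
            break
        common.append(position[0])
    address = ".".join(common + ["0"] * (4 - len(common)))
    return ipaddress.ip_network(f"{address}/{8 * len(common)}")


def subnets_swept_in(parent, other_subnets):
    """Subnets that are NOT meant to be children but fall inside the parent anyway.

    With variable-length subnets, an over-wide parent pool silently covers
    them, which is the caveat the manual raises about the shortcut.
    """
    parent = ipaddress.ip_network(parent)
    return [s for s in other_subnets if ipaddress.ip_network(s).subnet_of(parent)]


if __name__ == "__main__":
    # Constructed inputs: the manual's two subnets and a pair that differ earlier.
    for children in (["192.168.1.0/24", "192.168.2.0/24"], ["10.2.1.0/24", "10.3.1.0/24"]):
        print(children, "exact:", exact_parent_network(children),
              "shortcut:", last_common_octet_network(children))
    print("swept in by 10.0.0.0/8:", subnets_swept_in("10.0.0.0/8", ["10.9.0.0/24", "172.16.0.0/24"]))
```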
Figure 13-3. Example DHCP Pool Configuration
[Figure 13-3 shows Router A connected to two LANs, 192.168.1.0 /24 and 192.168.2.0 /24, each with a DNS server and one with a WINS server. The parent pool 192.168.0.0 /16 carries the DNS servers, WINS servers, and lease; the child pools are 192.168.1.0 /24 with gateway 192.168.1.1 and 192.168.2.0 /24 with gateway 192.168.2.1.]
You do not specify a default router for a parent pool.
You configure the child pools just as you do any DHCP pool, but you only have to configure the subnet address and default router. If you alter a setting, such as the lease time, the configuration in the child pool overrides that in the parent pool.
Example DHCP Pool Configuration
In Figure 13-3, a router connects to two subnets. The figure also shows the network’s DNS and WINS servers. This LAN reserves addresses 1 to 29 on each subnet for various network devices, such as routers, switches, and servers. To configure this router to act as a DHCP server for its local subnets, you would complete these steps:
1. Exclude static addresses:
ProCurve(config)# ip dhcp-server excluded-address 192.168.1.1 192.168.1.29
ProCurve(config)# ip dhcp-server excluded-address 192.168.2.1 192.168.2.29
2. Create the parent pool with global settings:
ProCurve(config)# ip dhcp-server pool Parent
ProCurve(config-dhcp)# network 192.168.0.0 /16
ProCurve(config-dhcp)# dns-server 192.168.1.25 192.168.2.23
ProCurve(config-dhcp)# netbios-name-server 192.168.2.26
ProCurve(config-dhcp)# lease 0 12
3. Create the child pools, each with its own subnet and default gateway:
ProCurve(config-dhcp)# ip dhcp-server pool LAN1
ProCurve(config-dhcp)# network 192.168.1.0 /24
ProCurve(config-dhcp)# default-router 192.168.1.1
ProCurve(config-dhcp)# ip dhcp-server pool LAN2
ProCurve(config-dhcp)# network 192.168.2.0 /24
ProCurve(config-dhcp)# default-router 192.168.2.1
Assigning a Fixed Address to a Host through a DHCP Server
Certain devices should almost always be given static addresses so that routes remain accurate, the network design logical and consistent, and the traffic flow uninterrupted. However, sometimes such a device is also required to take a dynamic address from a DHCP server. You can configure the router to assign a fixed DHCP address to this device.
Also, when you want to assign a particular host a permanent address, sometimes it is better to configure this address through a server, rather than through whatever application is on the host. DHCP automatically tracks addresses so that two devices are not inadvertently given the same address.
To assign a fixed address to a single host:
1. Create a new DHCP server pool with a name indicative of the host.
2. Identify the fixed-address host by its MAC address:
Syntax: hardware-address <MAC address>
For example:
ProCurve(config-dhcp)# hardware-address d2:17:04:91:11:50
3. Specify the IP address for the host. The router automatically assigns the address with its natural mask. If your organization uses variable-length subnetting, make sure to include the subnet mask or prefix length for the host’s subnet:
Syntax: host <A.B.C.D> <subnet mask | /prefix length>
4. Specify the default gateway:
Syntax: default-router <A.B.C.D>
5. Configure other settings such as DNS and WINS servers and a domain name. (See “Specifying DNS, WINS, and Other Servers” on page 13-11). You can also assign the client a name:
Syntax: client-name <name>
For example:
ProCurve(config-dhcp)# client-name LAN2Switch
Configuring DHCP Scopes
The ProCurve Secure Router supports VLAN tagging so that it can receive traffic from more than one VLAN on the same Ethernet interface. Therefore, the ProCurve Secure Router might receive DHCP requests from clients on different subnets on the same physical interface.
You can configure a separate DHCP scope to accommodate each VLAN. Simply configure the DHCP pool with the VLAN’s network address just as you would configure a typical DHCP pool.
After you enable 802.1Q encapsulation (for VLAN tagging) on the Ethernet interface, you can configure Ethernet subinterfaces. You assign the subinterfaces a VLAN ID and an IP address. To configure the DHCP scope, you simply specify that IP address as the default router of the DHCP pool configured for the VLAN.
These are the only configurations that you must make on the ProCurve Secure Router. You can add options for the server addresses and lease time in the same way that you would for any pool. (You would also configure the connecting switch to pass DHCP packets from hosts on a specific VLAN to the address of the corresponding Ethernet subinterface on the router. This configuration ensures that clients receive an address on the correct subnet.)
Figure 13-4. DHCP Scopes with VLANs
In Figure 13-4, Router A connects to Switch B on its Ethernet 0/1 interface. Switch B connects to hosts in VLANs 101 and 102. You enable VLAN tagging on the router so that traffic to both VLANs can be carried over the same cable. You configure IP address 192.168.1.1 /24 on Ethernet subinterface 0/1.1 and IP address 192.168.2.1 /24 on Ethernet subinterface 0/1.2.
You would configure the DHCP scopes as follows:
1. Enable VLAN tagging:
ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)# encapsulation 802.1q
ProCurve(config-eth 0/1)# no shutdown
[Figure 13-4 shows Router A connected to Switch B through Eth 0/1. Subinterface Eth 0/1.1 (10.2.1.1) serves VLAN 101, 10.2.1.0/24, as Scope 1 with gateway 10.2.1.1; subinterface Eth 0/1.2 (10.3.1.1) serves VLAN 102, 10.3.1.0/24, as Scope 2 with gateway 10.3.1.1.]
2. Configure the VLAN interfaces:
ProCurve(config-eth 0/1)# interface eth 0/1.1
ProCurve(config-eth 0/1.1)# description Scope 1 interface
ProCurve(config-eth 0/1.1)# vlan-id 101
ProCurve(config-eth 0/1.1)# ip address 10.2.1.1 255.255.255.0
ProCurve(config-eth 0/1.1)# no shutdown
ProCurve(config-eth 0/1.1)# interface eth 0/1.2
ProCurve(config-eth 0/1.2)# description Scope 2 interface
ProCurve(config-eth 0/1.2)# vlan-id 102
ProCurve(config-eth 0/1.2)# ip address 10.3.1.1 255.255.255.0
ProCurve(config-eth 0/1.2)# no shutdown
3. Reserve addresses for the VLAN interfaces and other servers by excluding them from DHCP:
ProCurve(config)# ip dhcp-server excluded-address 10.2.1.1 10.2.1.20
ProCurve(config)# ip dhcp-server excluded-address 10.3.1.1 10.3.1.20
4. Configure a DHCP pool for each VLAN, and set the IP address of the default router to that of the corresponding VLAN interface:
ProCurve(config)# ip dhcp-server pool Scope1
ProCurve(config-dhcp-pool)# network 10.2.1.0 255.255.255.0
ProCurve(config-dhcp-pool)# default-router 10.2.1.1
ProCurve(config-dhcp-pool)# ip dhcp-server pool Scope2
ProCurve(config-dhcp-pool)# network 10.3.1.0 255.255.255.0
ProCurve(config-dhcp-pool)# default-router 10.3.1.1
Configuring the DHCP Server’s Ping Settings
The DHCP server sends ping packets to verify that an address is available before assigning it to a DHCP client. You can configure two settings for DHCP server pings:
■ Timeout—This determines how long the DHCP server waits for a reply to a ping.
■ Ping packet count—The DHCP server pings an address without result this many times before assigning the address to a requesting client.
By default, the router times out a ping after 500 ms and pings an address twice before assuming it is available.
Ping settings apply to DHCP on the router as a whole, not to individual DHCP pools. You configure them from the global configuration mode context.
To change the timeout setting, enter:
Syntax: ip dhcp-server ping timeout <milliseconds>
The valid range is from 10 to 1000 ms.
To change the ping packet count, enter:
Syntax: ip dhcp-server ping packets <count>
The count can be from 0 to 100.
For example, enter:
ProCurve(config)# ip dhcp-server ping timeout 700
ProCurve(config)# ip dhcp-server ping packets 5
If you do not want the router to use ping packets to check that an address is available, enter 0 for the ping packet count.
Note: You should not rely on the DHCP server’s ping functions to exclude IP addresses that are permanently assigned to devices. If these devices go down, the DHCP server will assume the IP addresses assigned to these devices are available and assign them to clients, which can lead to many problems. A client that takes a server’s address, for example, can congest a network as devices send it requests it cannot fulfill. A client that takes a router address will not be able to route traffic. Always use the ip dhcp-server excluded-address command to exclude statically assigned addresses.
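To make the note concrete, here is an added Python model (not the router's own code) of the allocation rule the manual describes: skip the default router, excluded addresses and existing bindings, then probe the candidate before committing it. The scenario is constructed: a DNS server at 192.168.1.25 is powered off, and the two runs differ only in whether its address was excluded.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DhcpPool:
    """Just enough of a DHCP pool to show how the next free address is picked."""
    network: ipaddress.IPv4Network
    default_router: ipaddress.IPv4Address
    excluded: set = field(default_factory=set)    # from ip dhcp-server excluded-address
    bindings: dict = field(default_factory=dict)  # committed address -> client id
    ping_packets: int = 2                         # ip dhcp-server ping packets (default 2)


def exclude_range(pool, first, last=None):
    """Model of ip dhcp-server excluded-address <first A.B.C.D> [<last A.B.C.D>]."""
    first = ipaddress.IPv4Address(first)
    last = ipaddress.IPv4Address(last) if last else first
    for n in range(int(first), int(last) + 1):
        pool.excluded.add(ipaddress.IPv4Address(n))


def allocate(pool, client_id, responds_to_ping):
    """Return the address the server would commit to client_id, or None if exhausted.

    responds_to_ping(addr) stands in for the server's ping probe. A host that
    is powered off never answers, so the probe cannot protect its address.
    """
    for addr in pool.network.hosts():
        if addr == pool.default_router or addr in pool.excluded or addr in pool.bindings:
            continue
        if pool.ping_packets > 0 and responds_to_ping(addr):
            continue  # something answered, so the address is in use
        pool.bindings[addr] = client_id
        return addr
    return None


def offered_address(exclude_server):
    """Constructed scenario: which address does a new client get while the DNS server is down?"""
    pool = DhcpPool(ipaddress.IPv4Network("192.168.1.0/24"),
                    ipaddress.IPv4Address("192.168.1.1"))
    exclude_range(pool, "192.168.1.1", "192.168.1.20")  # routers and switches
    if exclude_server:
        exclude_range(pool, "192.168.1.25")              # the DNS server
    # Hosts .21 to .24 are up and answer ping; the DNS server at .25 is down.
    live_hosts = {ipaddress.IPv4Address(f"192.168.1.{n}") for n in range(21, 25)}
    client_id = "01:00:11:22:33:44:55"  # constructed client identifier
    return str(allocate(pool, client_id, lambda a: a in live_hosts))


if __name__ == "__main__":
    print("server not excluded:", offered_address(False))  # the down server's address is handed out
    print("server excluded:   ", offered_address(True))
```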
Managing and Troubleshooting the DHCP Server
As you troubleshoot DHCP functions, you will enter show and debug commands. You can enter these commands either from the enable mode context or from configuration mode contexts. If you enter one of these commands from a configuration mode context, you must add do to the command. For example:
ProCurve(config-dhcp)# do show ip dhcp-server binding
Viewing DHCP Client Bindings
The ProCurve Secure Router stores a table of DHCP bindings. In this table, you can view the IP addresses for all active DHCP clients served by the router. This can be helpful for troubleshooting. For example, you can ping a workstation to see if it can respond. Or you can zero in on a host that is flooding a network with messages.
To view the bindings for all DHCP clients supported by the router, enter:
ProCurve# show ip dhcp-server binding
The table displays:
■ IP Address—the committed IP address
■ Client ID—usually a MAC address
■ Lease Expiration—date and time the lease for the address expires
■ Client Name—the user-selected name on the computer or device
Figure 13-5 shows an example of the information that displays when you enter the show ip dhcp-server binding command.
Figure 13-5. Viewing DHCP Clients Supported by the Router

ProCurveSR7102dl# show ip dhcp-server binding
IP Address      Client Id                 Lease Expiration        Client Name
172.16.1.4      01:00:50:04:91:ee:19      Aug 27 2004 3:04 PM     HunterPC
172.16.2.28     01:00:01:02:51:c9:f6      Aug 27 2004 3:26 PM     ShanePC
172.16.1.7      01:00:10:4b:a0:df:0a      Aug 27 2004 3:28 PM     TreyPC

In this output, Client Id is the client’s MAC address preceded by its hardware type (01 for Ethernet), and Client Name is the user-selected name on the computer or device.
Monitoring the DHCP Process
When troubleshooting a router’s DHCP functions, it is often helpful to track the DHCP process. (To review this process, refer to “DHCP Request Process” on page 13-3.)
You can view DHCP messages as they arrive on the interface by entering:
ProCurve# debug ip dhcp-server
C a u t i o n Debug messages can tie up the router’s processor. Therefore, you should be very cautious about using them in a live network. You should begin by troubleshooting the host experiencing the problem and rule out a connectivity problem.
In a large network, you should not use DHCP debug messages to fix a problem for a single host. The router may be flooded with DHCP messages from other hosts, and displaying them all could potentially compromise network performance.
DHCP messages generally break down into the steps of the DHCP request process. You can look for a message that repeats several times to determine where the process begins to break down.
View Table 13-1 for a quick guide to what steps you should take when you see a debug message repeat again and again.
Table 13-1. DHCP Debug Messages

Repeated Message                      Possible Problem                                 Best Next Step
Processing Discover message           • There are no addresses available.              • Check the DHCP client bindings.
                                      • The default gateway is on the wrong subnet.    • Check settings for the pool.
Server sent an Offer to the Client    The client will not accept the address and       Troubleshoot the host.
                                      configurations.

Clients Unable to Receive a DHCP Address
If the router continually logs the “Processing Discover Message” event, it is having difficulty preparing an offer for the client. One of the most common reasons is that the server cannot find an available IP address. It is possible that all available addresses are in use (view the DHCP client bindings by entering show ip dhcp-server binding). However, it could also be that the default router for the pool is not on the same subnet as the pool’s network address, which prevents the router from finding a valid IP address.
View the running-config (show run) and look for the DHCP pool that serves the clients unable to get an address. This is the pool whose default router is the address of the interface to which the clients connect. The pool’s network address should match the network bits of the default router address.
A router interface must have its primary address on the subnet specified in the pool in order to respond to requests. You should also check that the DHCP network matches the address of the connecting router interface.
Client Receiving the Wrong Fixed DHCP Address
If a host is unable to get the fixed address you configured for it in a single-host DHCP pool, or if it receives an address from a different pool, check the running-config. Make sure that you have not excluded the fixed address and that the hardware-address in the pool matches the host’s MAC address exactly.
Configuring a Router Interface as a DHCP Client
Your service provider may require the router to receive an address from one of its DHCP servers. For example, some Frame Relay providers conserve IP addresses by only assigning them to a PVC endpoint when the PVC is open and active. In this case, you must configure the WAN interface that connects to the provider as a DHCP client.
Ethernet interfaces can also be DHCP clients. For example, the interface could take an address from a server on the local network. When possible, it is a good idea to assign network devices static addresses. However, DHCP does automatically track the IP addresses assigned to devices as well as which addresses are still available, relieving IT staff of this task. You can configure the DHCP server to assign the Ethernet interface a fixed DHCP address.
Interfaces that receive a DHCP address can receive other configurations, too. This is particularly useful for interfaces that connect to the Internet. For example, an ATM subinterface can receive the address for a DNS server.
To learn about assigning various types of IP addresses to interfaces, see Chapter 3: Configuring Ethernet Interfaces, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces, Chapter 7: ADSL WAN Connections, and Chapter 8: Configuring Demand Routing for Primary ISDN Modules.
To configure an interface as a DHCP client, you must:
■ configure the interface with a dynamic address
You can also:
■ set the interface’s client ID
■ set the interface’s hostname
■ prevent the interface from taking configurations other than the IP address
Configuring a Dynamic Address
You enable the DHCP client on an individual interface. Interfaces that can act as DHCP clients are:
■ Frame Relay subinterfaces
■ ATM subinterfaces
■ Ethernet interfaces
■ PPP interfaces (only when bridging traffic)
Move to the appropriate interface configuration mode context and enter one of these commands:
Syntax: ip address dhcp [hostname <name> | no-default-route | no-domain-name | no-nameservers]
Syntax: ip address dhcp [client-id {ethernet <slot>/<port> | HH:HH:HH:HH:HH:HH:HH} | hostname <name>]
You can enter this command without any options to initiate the client with the default client ID and host name:
ProCurve(config-fr 1.101)# ip address dhcp
You will learn more about adding options to the command in “Setting an Interface’s Client ID” on page 13-23, “Setting the Interface’s Hostname” on page 13-24, and “Preventing the Interface from Taking Other Configurations” on page 13-24.
N o t e As soon as you enable the DHCP client with this command, the interface sends a Discover message to the server and attempts to take a dynamic address. If you want to configure any of the options discussed below, you must add these options to the command before entering it. Otherwise, the interface will have already received its configurations; you will have to release the address, disable the DHCP client (by entering no ip address dhcp), and re-enter the command with the optional settings.
Setting an Interface’s Client ID
DHCP servers use client identifiers to index their database of address bind-ings. This database maps clients to their temporary IP addresses and other configurations. A client sends its identifier in its Discover messages. Each client on a subnet must use a unique client identifier. Because MAC addresses are by definition unique, they are most commonly used.
The Secure Router OS automatically populates the client identifier for an interface with the interface’s media type and MAC address. Typically, you should assume that the server accepts this type of ID and not alter it.
You can, however, have a WAN interface use an Ethernet interface’s MAC address. For example, you might want to identify the router using a single MAC address. If your organization later purchases a different module to connect to the provider, you can receive the same IP address. When you configure the interface to take a dynamic address, enter this command:
Syntax: ip address dhcp client-id ethernet <slot>/<port>
You can alternatively manually enter a hexadecimal string for the client identifier.
The client identifier does not have to be based on a MAC address, although it almost always is. In the past, some administrators opted for customized identifiers so that a user could receive the same address even after changing network hardware. You can use a unique identifier instead of a MAC address for this same purpose: you can change how you connect to a service provider without having to negotiate a new address.
Your service provider should inform you what type of identifier it uses. You can then agree upon a unique identifier for your interface, if necessary.
You enter a customized ID as a hexadecimal number or a text string (which the router converts to a hexadecimal value):
Syntax: ip address dhcp client-id [<HH:HH:HH:HH:HH:HH:HH> | <text string>]
If you enter a hexadecimal number, you must enter seven numbers separated by colon delimiters. For example:
ProCurve(config-atm 1.102)# ip address dhcp client-id 0f:ff:ff:ff:ff:ff:ff
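The following Python is an added example, not code from the manual or from the Secure Router OS. It shows what the three client-identifier forms accepted by ip address dhcp look like on the wire as DHCP option 61, alongside the hostname (option 12), and why the binding table in Figure 13-5 prints IDs such as 01:00:50:04:91:ee:19: the leading 01 is the Ethernet hardware type that precedes the MAC address. The MAC addresses and hostname are constructed, and the text-string form is assumed to be ASCII.

```python
# Added example (not from the ProCurve manual): encode and decode the DHCP
# client-identifier (option 61) and host-name (option 12) in the forms the
# ip address dhcp command accepts. MACs and the hostname are constructed.
import re
from typing import Dict, Optional

HTYPE_ETHERNET = 1  # hardware type byte that leads a MAC-based client ID (RFC 2132)
OPT_PAD, OPT_HOSTNAME, OPT_CLIENT_ID, OPT_END = 0, 12, 61, 255


def mac_to_bytes(mac: str) -> bytes:
    """'00:50:04:91:ee:19' -> 6 raw bytes; rejects anything but six hex octets."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def client_id_from_mac(mac: str) -> bytes:
    """Default form (and 'client-id ethernet <slot>/<port>'): hardware type + MAC, 7 bytes."""
    return bytes([HTYPE_ETHERNET]) + mac_to_bytes(mac)


def client_id_from_hex(text: str) -> bytes:
    """'HH:HH:HH:HH:HH:HH:HH' form: exactly seven colon-separated hex bytes."""
    parts = text.split(":")
    if len(parts) != 7 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in parts):
        raise ValueError(f"client-id must be seven hex bytes, got {text!r}")
    return bytes(int(p, 16) for p in parts)


def client_id_from_text(text: str) -> bytes:
    """Text-string form; the router sends the string's byte value (assumption: ASCII)."""
    if not text or not text.isascii():
        raise ValueError("client-id text must be non-empty ASCII")
    return text.encode("ascii")


def fmt_client_id(cid: bytes) -> str:
    """Render a client ID the way 'show ip dhcp-server binding' prints it."""
    return ":".join(f"{b:02x}" for b in cid)


def encode_options(client_id: bytes, hostname: Optional[str] = None) -> bytes:
    """Build the option 61 (and optional option 12) TLVs followed by the end option."""
    if not 1 <= len(client_id) <= 255:
        raise ValueError("client-id length must fit in one option")
    out = bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    if hostname:
        name = hostname.encode("ascii")
        out += bytes([OPT_HOSTNAME, len(name)]) + name
    return out + bytes([OPT_END])


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse TLV options back into {code: value}; stops at END, skips PAD,
    and refuses truncated options instead of reading past the buffer."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option header truncated")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    raise ValueError("end option missing")


if __name__ == "__main__":
    cid = client_id_from_mac("00:50:04:91:ee:19")  # constructed MAC
    print(fmt_client_id(cid))
    opts = decode_options(encode_options(cid, "procurve"))
    print(opts[OPT_CLIENT_ID] == cid, opts[OPT_HOSTNAME])
```

Because the server indexes its bindings by this identifier, a client that keeps the same option 61 value keeps the same address even after its MAC address changes; a client whose identifier the server does not recognize gets no Offer at all, which is the failure the troubleshooting section describes.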
Setting the Interface’s Hostname
If necessary, you can change the hostname for the single interface only. For example, you could register for a hostname with a dynamic DNS service. (See Chapter 12: Domain Name System (DNS) Services.) You could then ask your ISP to advertise this hostname, which you specify with the following command:
Syntax: ip address dhcp hostname “<name>”
You should put quotation marks around the hostname. For example:
ProCurve(config-fr 1.101)# ip address dhcp hostname “procurve”
N o t e Remember that you must override client identifiers and hostnames at the same time that you enable the DHCP client. For example:
ProCurve(config-fr 1.101)# ip address dhcp client-id eth 0/1 hostname “procurve”
Preventing the Interface from Taking Other Configurations
One of the advantages for an interface that receives a DHCP address is that it can receive other configurations as well. This can be particularly useful for connections to the Internet. The interface can receive an IP address and DNS server address at the same time.
Interfaces running the DHCP client can receive these configurations:
■ a default route
■ a domain name
■ a DNS server
However, this convenience also carries risk. When a router has more than one WAN connection, the default route should not necessarily point to the server that provides the temporary address. More generally, a DHCP server that can push a default route and DNS server addresses to the router can redirect the router’s traffic and name resolution, so some organizations prefer to control their own settings for routing, domain names, and DNS rather than rely on a remote or foreign device.
If you want to prevent the interface from taking configurations other than an IP address, you must do so before you activate the DHCP client.
Move to the interface configuration mode context. Then enter the ip address dhcp command with the keyword for each configuration that you do not want the router to accept:
Syntax: ip address dhcp [no-default-route | no-domain-name | no-nameservers]
To disable more than one configuration, string the keywords together in the same command. For example, enter:
ProCurve(config-fr 1.1)# ip address dhcp no-default-route no-domain-name
N o t e You must trust the DHCP server and be absolutely clear on what configura-tions it will send the interface. An incorrect domain name and default route could disrupt the entire network.
If the interface has already received configurations that it should not have, you must release the address. Enter no ip address dhcp, and re-enter the command with the keywords to reject the configurations.
Configuring a Static Hostname for an Interface with a Dynamic Address
Your organization may have a device behind the ProCurve Secure Router that remote users should be able to reach. For example, customers may need to access your Web server.
Often, a Web server’s address is linked to the public IP address on a router interface using Network Address Translation (NAT). If the router’s interface changes IP address, the DNS record for the Web server will no longer be correct, and users will no longer be able to reach the device.
When an interface receives a dynamic IP address from an ISP, its IP address may change relatively frequently or without warning. In this situation, you should run dynamic DNS on the router interface to ensure that customers can always reach a device when they enter its hostname.
The ProCurve Secure Router supports a client that works with Dynamic Networking Services, Inc. (DynDNS). After you register a hostname with DynDNS, the dynamic DNS client automatically informs DynDNS whenever the associated interface’s IP address changes. DynDNS propagates the change throughout its DNS servers so that you do not lose connectivity with your customers.
See Chapter 12: Domain Name System (DNS) Services to learn how to configure dynamic DNS.
Managing and Troubleshooting the DHCP Client
You should carefully monitor interfaces with dynamic addresses to ensure that they have an address and are using the proper configurations.
Viewing the Interface’s Lease
To view the active DHCP client leases on the router, enter:
ProCurve# show ip dhcp-client lease
The CLI displays all interfaces with dynamic addresses. For each interface, it lists:
■ Temp IP address—the dynamic address
■ DHCP lease server
■ Lease—total time for the lease
■ Temp default gateway address
■ Client ID—typically, based on the MAC address
■ Primary DNS server
Figure 13-6 shows an example of a DHCP lease for an Ethernet 0/1 interface.
Figure 13-6. Viewing Dynamic Configurations for Router Interfaces

ProCurve# show ip dhcp-client lease
Interface: Ethernet 0/1
  Temp IP address: 192.168.10.2, Mask: 255.255.255.0
  DHCP Lease server: 192.168.10.1, State: Bound (3)
  Lease: 86400 seconds
  Temp default gateway address: 192.168.10.1
  Temp Primary DNS: 10.1.1.1
  Temp Secondary DNS: 0.0.0.0
  Client-ID: 01:00:12:79:05:25:B0

In this output, Temp default gateway address is the default route the interface has accepted from the server, and Temp Primary DNS and Temp Secondary DNS are the name servers it has accepted.
If you see that the interface has received a configuration that it should not have, such as a default route, you will have to restart the DHCP client. Follow these steps:
1. Move to the configuration mode context for the DHCP client interface:
ProCurve(config)# interface frame-relay 1.101
2. Turn off the DHCP client:
ProCurve(config-fr 1.101)# no ip address dhcp
This command disables the DHCP client on the interface, which then immediately sends a message to release its DHCP-assigned address.
3. Re-enter the ip address dhcp command with the keywords for preventing the interface from taking optional configurations. For example:
ProCurve(config-fr 1.101)# ip address dhcp no-default-route no-domain-name no-nameservers
Releasing and Renewing Dynamic Addresses
You can force an interface to give up the address it has received from a server. Move to the interface configuration mode context for the DHCP client interface and enter:
ProCurve(config-eth 0/1)# ip dhcp release
N o t e Take care when releasing an address; you could inadvertently lock yourself out of the router. If you are managing the ProCurve Secure Router with a Telnet or Web connection through that interface, your session will be immediately terminated. You will not be able to reconnect until a DHCP server issues another IP address to the interface.
You should then force the interface to request a new address:
ProCurve(config-eth 0/1)# ip dhcp renew
Alternatively, you can configure a static address on the interface.
You should only have to manually force the interface to renew its lease after releasing an address. The DHCP client will periodically request to keep its address so that data flow is not disrupted.
Monitoring DHCP Client Activity
If the interface will not take a dynamic address, you should track the DHCP request process to determine what is going wrong. (For more information on this process, refer to “DHCP Request Process” on page 13-3.)
To view real-time DHCP client messages, enter:
ProCurve# debug ip dhcp-client
C a u t i o n Debug messages can tie up the router’s processor and compromise the net-work’s functions. Therefore, you should take care when using them with active networks.
Before you run debug messages, you should verify that the interface is up and double-check your client ID.
Scan the debug messages. The interface should produce debug messages such as those shown in Figure 13-7:
Figure 13-7. An Interface Successfully Receiving a Dynamic Address

ProCurve# debug ip dhcp-client
2005.07.08 19:15:23 DHCP.CLIENT Loading timer 1 with 1 seconds
2005.07.08 19:15:23 DHCP.CLIENT Loading timer 2 with 3
2005.07.08 19:15:24 DHCP.CLIENT Timer 1 Expired
2005.07.08 19:15:24 DHCP.CLIENT Sending Discover Message: Xid = 34681764
2005.07.08 19:15:24 DHCP.CLIENT Loading timer 1 with 3 seconds
2005.07.08 19:15:24 DHCP.CLIENT Current State = Selecting
2005.07.08 19:15:25 DHCP.CLIENT Processing Offer Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Sending Request Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 1 with 2 seconds
2005.07.08 19:15:25 DHCP.CLIENT Current State = Requesting
2005.07.08 19:15:25 DHCP.CLIENT Processing Ack Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 1 with 43200 seconds
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 2 with 64800 seconds
2005.07.08 19:15:25 DHCP.CLIENT Current State = Bound

When the DHCP client’s state is “Bound,” the interface has received the address. The client then sets two timers, both of which expire before the lease does: when timer 1 (the renewal time) expires, the client asks the server that issued the lease to extend it, and when timer 2 (the rebinding time) expires without an answer, it broadcasts the request to any server. In Figure 13-7 the timers are loaded with 43200 and 64800 seconds once the client is Bound. Note also that every message of one exchange carries the same transaction ID (Xid); the client ignores an Offer or Ack whose Xid does not match the Discover or Request it sent.
Usually, problems with the DHCP client occur after it sends a Discover message. The server does not return an Offer message, so the interface sends Discover message after Discover message and its state toggles between “Selecting” and “Init.”
Causes for this condition include:
■ the interface is down
■ the interface’s client identifier does not match the one the DHCP server expects
■ the server has no available addresses
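As an added example (not part of the manual or of the Secure Router OS), the following Python reads debug ip dhcp-client output in the format of Figure 13-7, reconstructs the client’s state machine, and reports whether the lease completed or where it stalled. SUCCESS_LOG is a constructed transcript that mirrors the figure; STUCK_LOG is a constructed transcript of the Discover loop described above, including an Offer with a foreign transaction ID that the client would ignore. The verdict strings are this example’s own.

```python
# Added example (not from the ProCurve manual): analyzer for the
# 'debug ip dhcp-client' line format shown in Figure 13-7. Log lines are
# constructed; only SUCCESS_LOG mirrors the figure.
import re
from collections import Counter
from typing import Dict, List

LINE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} DHCP\.CLIENT (?P<msg>.+)$")
STATE_RE = re.compile(r"Current State = (\w+)")
MSG_RE = re.compile(r"(Sending|Processing) (\w+) Message: Xid = (\d+)")

SUCCESS_LOG = """\
2005.07.08 19:15:24 DHCP.CLIENT Sending Discover Message: Xid = 34681764
2005.07.08 19:15:24 DHCP.CLIENT Current State = Selecting
2005.07.08 19:15:25 DHCP.CLIENT Processing Offer Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Sending Request Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Current State = Requesting
2005.07.08 19:15:25 DHCP.CLIENT Processing Ack Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 1 with 43200 seconds
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 2 with 64800 seconds
2005.07.08 19:15:25 DHCP.CLIENT Current State = Bound
""".splitlines()

STUCK_LOG = """\
2005.07.08 19:20:01 DHCP.CLIENT Sending Discover Message: Xid = 1001
2005.07.08 19:20:01 DHCP.CLIENT Current State = Selecting
2005.07.08 19:20:04 DHCP.CLIENT Timer 1 Expired
2005.07.08 19:20:04 DHCP.CLIENT Current State = Init
2005.07.08 19:20:05 DHCP.CLIENT Sending Discover Message: Xid = 1002
2005.07.08 19:20:05 DHCP.CLIENT Current State = Selecting
2005.07.08 19:20:09 DHCP.CLIENT Processing Offer Message: Xid = 7777
2005.07.08 19:20:13 DHCP.CLIENT Timer 1 Expired
2005.07.08 19:20:13 DHCP.CLIENT Current State = Init
2005.07.08 19:20:14 DHCP.CLIENT Sending Discover Message: Xid = 1003
2005.07.08 19:20:14 DHCP.CLIENT Current State = Selecting
""".splitlines()


def analyze(lines: List[str]) -> Dict[str, object]:
    """Walk the log once; return final state, message counts and a verdict."""
    counts: Counter = Counter()
    states: List[str] = []
    pending_xid = None      # Xid of the Discover the client is currently waiting on
    stray_offers = 0        # Offers whose Xid matches no outstanding Discover
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue        # not a DHCP.CLIENT line (other debug output interleaved)
        msg = m.group("msg")
        s = STATE_RE.search(msg)
        if s:
            states.append(s.group(1))
        e = MSG_RE.search(msg)
        if not e:
            continue
        _direction, kind, xid = e.groups()
        counts[kind] += 1
        if kind == "Discover":
            pending_xid = xid
        elif kind == "Offer" and xid != pending_xid:
            stray_offers += 1   # a client ignores replies to a transaction it is not running
    final = states[-1] if states else "Init"
    if final == "Bound":
        verdict = "bound"
    elif counts["Discover"] >= 2 and counts["Offer"] - stray_offers == 0:
        verdict = "no-offer"    # interface down, client ID not accepted, or server out of addresses
    elif counts["Request"] and not counts["Ack"]:
        verdict = "no-ack"      # server answered the Discover but not the Request
    else:
        verdict = "incomplete"
    return {"state": final, "discovers": counts["Discover"], "offers": counts["Offer"],
            "stray_offers": stray_offers, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("stuck", STUCK_LOG)):
        print(name, analyze(log))
```

On a live router you would capture the debug output to a file through a terminal session and feed its lines to analyze(); a "no-offer" verdict sends you to the three causes listed above, while "no-ack" points at the server or the relay path rather than at the interface.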
The DHCP client runs on an interface whether or not the interface is up with an active network link, so the client itself does not report a down interface; its Discover messages simply go unanswered. Before looking for problems with the DHCP client configuration, make sure that the interface is up with the show interfaces command.
If the status is “administratively down,” move to the configuration mode context for the interface and enter no shutdown. If the status is down, troubleshoot the interface. (See Chapter 3: Configuring Ethernet Interfaces, Chapter 4: Configuring E1 and T1 Interfaces, Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces, Chapter 7: ADSL WAN Connections, and Chapter 8: Configuring Demand Routing for Primary ISDN Modules.)
You can also try pinging the DHCP server to test connectivity.
Once you have determined that the interface can actually reach the DHCP server, you should troubleshoot the client configuration.
You can view the client ID in the configuration for the client interface (by entering, for example, show run int fr 1.100). If you are using a customized identifier, you can try returning to the default MAC address. For example, enter:
ProCurve(config-eth 0/1)# no ip add dhcp
ProCurve(config-eth 0/1)# ip add dhcp
If the default ID does not work, you should check with the service provider or other entity administering the DHCP server to find out what identifier it expects from the router.
If the problem is at the service provider’s end, then you will have to wait for your ISP to resolve the problem.
Configuring DHCP Relay
DHCP relies on clients being able to reach a server by broadcasting a request. A client that has no address yet sends its request as a limited broadcast (destination 255.255.255.255) to the DHCP server’s application port (the BOOTPS port, UDP 67). Limited broadcasts propagate only throughout the local subnet; routers do not forward them. If the client is not on the same subnet as the server, the broadcast will not reach the server.
However, your network does not need a separate DHCP server on each subnet (or VLAN). You can configure network devices to forward DHCP requests from directly connected hosts to a server on a different network. This function is sometimes called DHCP relay.
Often a switch will perform DHCP relay for the local hosts. However, if your router may receive DHCP requests from hosts, you should configure it to forward these requests to the appropriate DHCP server. For example, the router may need to forward DHCP requests to a remote server so that hosts at a site that does not have a DHCP server can receive IP addresses and other necessary configurations.
To enable DHCP relay, you configure the router to forward packets received on the DHCP application port to a helper address.
N o t e You cannot configure the router to forward DHCP requests if the router itself is acting as a DHCP server.
To configure the router to forward DHCP packets, move to the global config-uration mode context and enter this command:
Syntax: ip forward-protocol udp bootps
Next, set the address of the helper address. The helper address is the address of the DHCP server or a device on the same subnet as the server. Set this address from the configuration mode context of the interface that connects to the clients:
Syntax: ip helper-address <A.B.C.D>
You can set different helper addresses for different interfaces. For example, if your LAN uses different servers for different subnets, you could configure the router to forward DHCP requests received on one Ethernet (or VLAN) interface to one address and requests received on another interface to a different address.
For example:
ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)# ip helper-address 10.1.1.1
ProCurve(config-eth 0/1)# interface eth 0/2
ProCurve(config-eth 0/2)# ip helper-address 10.2.1.1
The router does not simply forward the DHCP packets. It also examines them, checks their validity, and fills in the relay fields, in particular the gateway address (giaddr), which it sets to the IP address of the interface that received the packets. The remote server uses this address to determine from which pool it should select the IP address that it offers to the client, and it sends its reply back to this address for the router to pass on to the client.
For example, an Ethernet interface with the IP address 192.168.1.1 /24 receives a DHCP packet and forwards it to a remote server. The server searches its database for a DHCP pool for the 192.168.1.0 /24 network and returns an offer for IP address 192.168.1.36 to the local router at 192.168.1.1. The local router then forwards this offer to the client.
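The following Python is an added example, not code from the manual or from any DHCP implementation. It models the exchange just described: the relaying router stamps the receiving interface’s address into giaddr, and the server then picks the pool whose network contains that address (the most specific pool when a parent pool also matches), honours a single-host pool when the hardware address matches, never offers an address that is excluded or already bound (the reason the earlier Note insists on ip dhcp-server excluded-address), and refuses to build an Offer from a pool whose default-router lies outside its own network, the Table 13-1 failure case. Pool names, addresses and MAC addresses are constructed; packets are represented as dictionaries rather than full DHCP frames.

```python
# Added example (not from the ProCurve manual): DHCP relay (giaddr) and the
# server's pool and address selection, following the rules stated in this
# chapter. Pool names, addresses and MACs are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Pool:
    name: str
    network: ipaddress.IPv4Network                  # 'network' of a subnet pool, or the host's subnet
    default_router: Optional[str] = None
    hardware_address: Optional[str] = None          # set only for single-host pools
    host: Optional[str] = None                      # fixed address of a single-host pool


@dataclass
class Server:
    pools: List[Pool]
    excluded: Set[IPv4] = field(default_factory=set)        # ip dhcp-server excluded-address
    bindings: Dict[str, IPv4] = field(default_factory=dict)  # client-id -> committed address


def exclude_range(first: str, last: str) -> Set[IPv4]:
    """Addresses covered by 'ip dhcp-server excluded-address <first> <last>'."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return {ipaddress.ip_address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)}


def relay(discover: dict, interface_ip: str) -> dict:
    """First-hop relay: set giaddr to the receiving interface's address (if unset)
    and forward toward the helper address; returns the packet as forwarded."""
    pkt = dict(discover)
    if pkt.get("giaddr", "0.0.0.0") == "0.0.0.0":
        pkt["giaddr"] = interface_ip
    pkt["hops"] = pkt.get("hops", 0) + 1
    return pkt


def select_pool(server: Server, pkt: dict, server_iface_ip: str) -> Optional[Pool]:
    """Single-host pools match on hardware address; otherwise the client's subnet is
    giaddr (relayed) or the server's receiving interface (directly connected)."""
    mac = pkt["chaddr"].lower()
    for p in server.pools:
        if p.hardware_address and p.hardware_address.lower() == mac:
            return p
    locator = ipaddress.ip_address(
        pkt["giaddr"] if pkt.get("giaddr", "0.0.0.0") != "0.0.0.0" else server_iface_ip)
    candidates = [p for p in server.pools if not p.hardware_address and locator in p.network]
    # the pool with the most specific network overrides any parent pool
    return max(candidates, key=lambda p: p.network.prefixlen, default=None)


def offer(server: Server, pkt: dict, server_iface_ip: str) -> Tuple[Optional[IPv4], str]:
    """Return (address, reason); reason is 'ok' or why no Offer could be built."""
    pool = select_pool(server, pkt, server_iface_ip)
    if pool is None:
        return None, "no pool for the client's subnet"
    if pool.default_router and ipaddress.ip_address(pool.default_router) not in pool.network:
        return None, f"pool {pool.name}: default-router not on {pool.network}"
    cid = pkt["client_id"]
    if cid in server.bindings:                      # a client that asks again keeps its address
        return server.bindings[cid], "ok"
    if pool.host:
        addr = ipaddress.ip_address(pool.host)
        if addr in server.excluded:
            return None, f"pool {pool.name}: fixed address {addr} is excluded"
        server.bindings[cid] = addr
        return addr, "ok"
    in_use = set(server.bindings.values())
    for addr in pool.network.hosts():               # skips the network and broadcast addresses
        if addr not in server.excluded and addr not in in_use:
            server.bindings[cid] = addr
            return addr, "ok"
    return None, f"pool {pool.name}: no addresses available"


def build_server() -> Server:
    """Constructed configuration that reproduces the relay example in the text."""
    return Server(
        pools=[
            Pool("corp", ipaddress.ip_network("192.168.0.0/16"), "192.168.0.1"),
            Pool("lan1", ipaddress.ip_network("192.168.1.0/24"), "192.168.1.1"),
            Pool("broken", ipaddress.ip_network("10.9.0.0/24"), "10.8.0.1"),   # gateway off-subnet
            Pool("printer", ipaddress.ip_network("192.168.1.0/24"), "192.168.1.1",
                 hardware_address="d2:17:04:91:11:50", host="192.168.1.200"),
        ],
        excluded=exclude_range("192.168.1.1", "192.168.1.35"),
    )


if __name__ == "__main__":
    srv = build_server()
    d = {"chaddr": "00:50:04:91:ee:19", "client_id": "01:00:50:04:91:ee:19"}
    print(offer(srv, relay(d, "192.168.1.1"), "10.0.0.2"))
```

Two points worth taking from the model: the server chooses the pool from giaddr, so whichever device can reach the helper address with a giaddr of its choosing can draw addresses from any pool, and the check on default-router happens before any address is picked, which is why a mis-subnetted gateway shows up as an endless “Processing Discover Message” rather than as a bad Offer.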
Quick Start
This section provides the commands you must enter to quickly configure:
■ the router to act as a DHCP server for a subnet
■ the router to assign a fixed DHCP address to a single host
■ a router interface to act as a DHCP client
Only a minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 13-1 to locate the section that contains the explanation you need.
Table 13-2. DHCP Server Settings

Configuration                                    Parameter                                        Your Setting
network’s static IP addresses                    first address in range
                                                 last address in range
                                                 other static address
parent pool for a range of subnets (optional)    pool name
                                                 range of subnets and prefix length for range
DHCP pool for a subnet                           pool name
                                                 subnet address and mask (or prefix length)
                                                 default gateway
servers                                          primary DNS server
                                                 secondary DNS server
                                                 primary WINS (NetBIOS) server
                                                 secondary WINS (NetBIOS) server
                                                 TFTP server
                                                 NTP server
other configurations                             lease in days, hours, and minutes
                                                 domain name
                                                 timezone offset

Configuring a DHCP Server for a Network
If you so choose, you can print and fill out Table 13-2 and refer to it while configuring the DHCP server on your router.
Figure 13-8 illustrates a simplified example of a router acting as a DHCP server for two local networks.
Figure 13-8. Example DHCP Network (the router connects LAN 1, 192.168.32.0 /19, and LAN 2, 192.168.64.0 /19, and holds address .1 on each)
1. Move to the global configuration mode context and exclude all static addresses on DHCP subnets.
Syntax: ip dhcp-server excluded-address <A.B.C.D>
You can also exclude a range of addresses.
Syntax: ip dhcp-server excluded-address <first A.B.C.D> <last A.B.C.D>
2. If you are configuring DHCP for a range of subnets, create a parent DHCP server pool from the global configuration mode context. Otherwise, move to step 5.
Syntax: ip dhcp-server pool <parent poolname>
3. Specify the range of subnets for the parent pool.
Syntax: network <network A.B.C.D> <subnet mask | /prefix length>
For example:
ProCurve(config-dhcp)# network 192.168.0.0 /16
4. Specify optional global settings such as DNS servers, WINS servers, and lease time.
Syntax: dns-server <A.B.C.D> <secondary server A.B.C.D>
Syntax: netbios-name-server <WINS server A.B.C.D> <secondary server A.B.C.D>
Syntax: lease <days> <hours> <minutes>
Syntax: tftp-server <A.B.C.D>
Syntax: ntp-server <A.B.C.D>
Syntax: timezone-offset <-12 to 12>
Syntax: domain-name <domain>
5. Create a DHCP server pool for an individual subnet.
ProCurve(config)# ip dhcp-server pool <poolname>
6. Specify the subnet address and subnet mask for the pool.
Syntax: network <network A.B.C.D> <subnet mask | /prefix length>
Use a prefix length for variable length networks. For example:
ProCurve(config-dhcp)# network 192.168.32.0 /19
7. Specify the default gateway.
Syntax: default-router <gateway A.B.C.D>
For example:
ProCurve(config-dhcp)# default-router 192.168.32.1
8. If you did not do so in a parent pool, specify a primary DNS server.
Syntax: dns-server <A.B.C.D>
9. You can also configure settings such as addresses for other servers and lease time. See step 4. (The settings in the pool with the most specific network address override settings in any parent pool.)
Assigning a Fixed DHCP Address to a Single Host
If you so choose, you can print and fill out Table 13-3 and refer to it while configuring the pool for the single host.
Table 13-3. Settings for Assigning a Host a Fixed Address

Configuration            Parameter                              Your Setting
host DHCP pool           pool name
                         host MAC address
                         fixed IP address
                         default gateway IP address
servers                  primary DNS server
                         secondary DNS server
                         primary WINS (NetBIOS) server
                         TFTP server
                         NTP server
other configurations     lease in days, hours, and minutes
                         client name
                         domain name
                         timezone offset

1. Move to the global configuration mode context and create a DHCP server pool for the single host.
Syntax: ip dhcp-server pool <poolname>
2. Identify the host by its MAC address.
Syntax: hardware-address <MAC address>
For example:
ProCurve(config-dhcp)# hardware-address d2:17:04:91:11:50
3. Specify the IP address for the host, including its subnet mask. If your organization uses variable-length subnetting, be particularly careful to enter the correct subnet mask or prefix length.
Syntax: host <fixed A.B.C.D> <subnet mask | /prefix length>
4. Specify the default gateway.
Syntax: default-router <gateway A.B.C.D>
5. Configure other necessary settings such as servers and a domain name. You can also assign the client a name.
Syntax: dns-server <DNS server A.B.C.D> <secondary DNS server A.B.C.D>
Syntax: netbios-name-server <WINS server A.B.C.D> <secondary WINS server A.B.C.D>
Syntax: lease <days> <hours> <minutes>
Syntax: tftp-server <TFTP server A.B.C.D>
Syntax: ntp-server <NTP server A.B.C.D>
Syntax: timezone-offset <-12 to 12>
Syntax: client-name <name>
Syntax: domain-name <name>
Configuring a Router Interface as a DHCP Client
The following interfaces can take dynamic addresses:
■ Ethernet interfaces
■ Frame Relay subinterfaces
■ ATM subinterfaces
■ bridged PPP interfaces
You can fill in the settings for the interface on your router in Table 13-4.
Table 13-4. DHCP Client Settings

Configuration    Parameter                                         Your Setting
interface        • <slot>/<port> (for Ethernet)
                 • subinterface number (for Frame Relay or ATM)
                 • interface number (for bridged PPP)
hostname
client ID

1. Move to the interface configuration mode context. For example:
ProCurve(config)# int fr 1.101
2. Configure the router to take a dynamic address from a server.
Syntax: ip address dhcp
a. For a default configuration, simply enter the command without any options. For example:
ProCurve(config-fr 1.101)# ip address dhcp
b. You may not want the interface to take its default gateway, domain name, or DNS servers from the DHCP server. In this case, enter the ip address dhcp command with one or more of the following options:
Syntax: ip address dhcp [hostname <name> | no-default-route | no-domain-name | no-nameservers]
c. You should usually accept the default ID generated from the interface’s MAC address. However, you can configure a customized client ID. You can also configure a hostname for the interface that is different from the router’s hostname. Enter the ip address dhcp command with one of these options:
Syntax: ip address dhcp [client-id {<ethernet <slot>/<port> | HH:HH:HH:HH:HH:HH:HH} | hostname <name>]
For example, enter:
ProCurve(config-fr 1.101)# ip address dhcp client-id 0f:ff:ff:ff:ff:ff:ff
14
Using the Web Browser Interface for Basic Configuration Tasks
Contents
Configuring Access to the Web Browser Interface . . . . . . . . . . . . . . . . . . 14-4
Enabling Access to the Web Browser Interface . . . . . . . . . . . . . . . . . 14-4
Managing Files, Firmware, Boot Software, and the AutoSynch™ Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
The AutoSynch™ Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7
Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-10
Reboot Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13
Telnet to Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-14
Enabling IP Services on the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-15
Web Access Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17
Configuring Passwords to Control Management Access to the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-18
Encrypting All the Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-18
Configuring a Local User List: Passwords for Web, SSH, and FTP Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-19
Configuring an Enable Mode Password . . . . . . . . . . . . . . . . . . . . . . . 14-21
Configuring a Password for Telnet Access . . . . . . . . . . . . . . . . . . . . 14-22
Configuring a Password for Console Access . . . . . . . . . . . . . . . . . . . 14-23
Configuring a Password for SSH Access . . . . . . . . . . . . . . . . . . . . . . 14-24
Configuring a Password for HTTP Access . . . . . . . . . . . . . . . . . . . . . 14-25
Configuring a Password for FTP Access . . . . . . . . . . . . . . . . . . . . . . 14-26
Using the AAA Subsystem to Control Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-27
Configuring Authentication Using a RADIUS Server . . . . . . . . 14-28
Configuring Authentication Using a TACACS+ Server . . . . . . . 14-29
Configuring Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-31
IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-32
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-33
Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-34
Ethernet Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-34
Releasing/Renewing a DHCP IP Address . . . . . . . . . . . . . . . . . . . . . . 14-34
Configuring PPPoE for the Ethernet Interface . . . . . . . . . . . . . . . . . 14-35
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-37
Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-37
View Statistics for the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . 14-38
Configuring E1 and T1 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-39
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-42
Configuring a Serial Interface for an E1- or T1-Carrier Line . . . . . . . . . 14-44
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-46
Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-46
Configure PPP as the Data Link Layer Protocol . . . . . . . . . . . . . . . . 14-47
IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-48
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-49
Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-49
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50
PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50
Requiring a Peer to Authenticate Itself to the Local Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50
Configuring the Local Router to Authenticate Itself to a Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-51
Configure Frame Relay as the Data Link Layer Protocol . . . . . . . . . 14-52
Configure a Permanent Virtual Circuit (PVC) . . . . . . . . . . . . . . 14-54
Configure IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-56
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-56
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-56
Configure HDLC as the Data Link Layer Protocol . . . . . . . . . . . . . . 14-58
IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-59
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-59
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-60
Configuring ADSL Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-61
Configure an ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-63
Configure the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-63
Configuring ATM Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-66
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-68
Configuring PPPoE or PPPoA for the ADSL Connection . . . . . . . . 14-68
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-70
Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-70
View Statistics for the PPP Interface . . . . . . . . . . . . . . . . . . . . . . 14-70
ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-71
E1 + G.703 and T1 + DSX-1 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-74
Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-76
Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-77
Configuring Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-77
Configuring the Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . 14-80
Viewing a Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-81
Setting Global Spanning Tree Parameters . . . . . . . . . . . . . . . . . 14-82
Configuring Spanning Tree Settings for Individual Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-84
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-86
Configuring a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-86
Configuring a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-88
DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-89
Configuring DNS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-89
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-91
Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-94
Configuring a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-94
Configuring a DHCP Pool for a Subnet . . . . . . . . . . . . . . . . . . . . 14-95
Assigning a Single Host a Fixed Address . . . . . . . . . . . . . . . . . . 14-97
Configuring an Interface as a DHCP Client . . . . . . . . . . . . . . . . . . . . 14-98
Configuring UDP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-100
Configuring Access to the Web Browser Interface
You can use the Web browser interface to configure interfaces on your router. To access the Web browser interface, you must first use the command line interface (CLI) to enable the HTTP server on the ProCurve Secure Router and to configure a username and password for HTTP access.
You must also configure at least one interface on the ProCurve Secure Router and establish a connection through which you can send HTTP traffic. For example, if you want to access the router from a workstation on your WAN, you must configure the Ethernet interface and establish a connection between it and your LAN. (For information about setting up an Ethernet interface, see Chapter 3: Configuring Ethernet Interfaces.)
Enabling Access to the Web Browser Interface
From the global configuration mode context, enter:
ProCurveSR7102dl(config)# ip http server
If you want to use Secure Sockets Layer (SSL) to protect the communication between your PC and the router, enter:
ProCurveSR7102dl(config)# ip http secure-server
You must then configure a username and password, which will also be used for HTTP, Secure Shell (SSH), and FTP access. From the global configuration mode context, enter:
Syntax: username <username> password <password>
Both the username and password can be an alphanumeric string up to 30 characters in length. In addition, both are case-sensitive.
After configuring the ProCurve Secure Router for HTTP access, open an Internet browser and enter the IP address assigned to the router interface through which you want to establish an HTTP session. For example, if you want to access the router from your LAN and the IP address of the Ethernet 0/1 interface is 192.168.1.1, you would enter: http://192.168.1.1. You will be prompted to enter the username and password that you configured for HTTP access.
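The following added check (example code, not from the manual or the router's firmware) scans a running-config text for the three command forms quoted in this section and reports an HTTP server enabled without the SSL secure-server, credentials outside the stated alphanumeric, 30-character limits, and HTTP access with no user configured. It assumes the running-config shows the username command exactly as typed; the sample configurations are constructed.

```python
"""Check of the management-access lines this section has you enter.

Added example, not from the manual and not the router's firmware. Only the
three command forms quoted in the manual are examined; every other line is
ignored. Assumption: the running-config shows 'username <u> password <p>'
in the same form in which it is typed. The sample configs are constructed.
"""
import re
from typing import List

MAX_CREDENTIAL_LEN = 30  # limit the manual states for both username and password
USERNAME_LINE = re.compile(r"^username\s+(\S+)\s+password\s+(\S+)$")


def audit_management_access(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    http_enabled = https_enabled = False
    users = set()
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line == "ip http server":
            http_enabled = True
            continue
        if line == "ip http secure-server":
            https_enabled = True
            continue
        match = USERNAME_LINE.match(line)
        if not match:
            continue  # only the commands quoted in the manual are examined
        username, password = match.groups()
        for label, value in (("username", username), ("password", password)):
            if not value.isalnum():
                findings.append(f"line {lineno}: {label} {value!r} is not alphanumeric")
            if len(value) > MAX_CREDENTIAL_LEN:
                findings.append(f"line {lineno}: {label} exceeds {MAX_CREDENTIAL_LEN} characters")
        if username in users:
            findings.append(f"line {lineno}: username {username!r} defined more than once")
        users.add(username)
    # The manual's point: SSL protects the PC-to-router session; without the
    # secure-server the Web login credentials travel unprotected.
    if http_enabled and not https_enabled:
        findings.append("ip http server is enabled without ip http secure-server: "
                        "Web logins and sessions are not protected by SSL")
    if (http_enabled or https_enabled) and not users:
        findings.append("HTTP access is enabled but no username/password is configured")
    return findings


# Constructed sample, not a capture from a real router.
SAMPLE_CONFIG = """\
! constructed running-config excerpt
hostname HQRouter
ip http server
username admin password Sup3rSecret
username netops password ThisPasswordIsFarLongerThanThirtyCharacters
username back-up password Pass1
"""

# Constructed sample with the secure-server enabled and a valid user.
HARDENED_CONFIG = """\
hostname HQRouter
ip http server
ip http secure-server
username admin password Sup3rSecret
"""

if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```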
Managing Files, Firmware, Boot Software, and the AutoSynch™ Function
In the Utilities section of the Web browser interface, you can perform basic file management tasks, manage the AutoSynch function, and set the router’s firmware and boot software.
The Utilities section of the Web browser interface includes five subsections:
■ AutoSynch
■ Configuration
■ Firmware
■ Reboot Unit
■ Telnet to Unit
The AutoSynch section allows you to enable the AutoSynch technology and force synchronization. For more information about AutoSynch functions, see Chapter 1: Overview.
The Configuration section allows you to create and manage configuration files.
In the Firmware section, you can configure the router’s primary and backup firmware files, view the used and free drive space on the router’s internal flash and compact flash memories, and upload and delete firmware files.
The Reboot Unit section provides two options for rebooting the router: save and reboot or reboot without saving.
The Telnet to Unit section opens terminal session software on your PC and begins to negotiate a Telnet session between your PC and the router.
The AutoSynch™ Feature
1. To manage the AutoSynch feature in the Web browser interface, click Utilities > AutoSynch in the left navigation bar. The AutoSynch Mode window is displayed. From this window, you can enable the AutoSynch function, force synchronization, and troubleshoot AutoSynch operation.
2. To enable the AutoSynch technology, click the AutoSynch Mode box.
3. Click Apply. This will signal the AutoSynch function to begin synchronization efforts.
Note: The AutoSynch function is a feature that allows the router to maintain exact, up-to-date copies of the boot code and startup-config files on the router’s internal flash and a mounted compact flash card. The AutoSynch feature is not available for routers without a mounted compact flash card.
AutoSynch technology will work only if you have a copy of the router’s boot code file (SROS.BIZ) and a startup-config file on your compact flash card.
Figure 14-1. AutoSynch Window
4. When the AutoSynch function is enabled, you can force synchronization by clicking the AutoSynch button in the AutoSynch Execute window. The following dialog box is displayed:
“You are about to activate AutoSynch. Continue?”
5. Click the OK button. The boot code file and the startup-config file will be copied from internal flash to compact flash, and synchronization will begin.
The AutoSynch Status window displays AutoSynch messages, such as the current synchronization status of the software (SROS.BIZ) file and startup-config file and any AutoSynch error messages. For a list of AutoSynch error messages and troubleshooting methods, see Chapter 1: Overview.
Configuration
The configuration section supports basic configuration file management.
Startup-Config. The Startup-Config section allows you to set the primary and secondary startup-config files. The startup-config file contains your router’s saved configurations. If you have more than one startup configuration on internal flash or compact flash, you can set the router to boot from the file you want and from the location you specify.
Figure 14-2. Startup Config Window
When the ProCurve Secure Router boots, it looks for the boot code software on the internal flash. After the ProCurve Secure Router locates the boot code and begins to boot, it looks on compact flash for a valid startup-config file. If the router cannot find a valid startup-config on compact flash, it looks on the internal flash memory for a valid file.
1. To set the primary startup config file, click the pull-down menu. A list of configuration files on the internal flash memory (and compact flash if installed) is displayed.
2. Click the file you want the router to use to boot.
3. To set the secondary startup config file, click the desired configuration file from the pull-down menu.
4. To save these changes to the running-config file, click Apply.
Note: If the AutoSynch function is enabled, the primary and backup startup-config files and locations are automatically set and cannot be changed.
Save-Config. The Save-Config window allows you to save the running-config file to the startup-config file. The current configurations will be saved, and the router can then boot with these configurations after it is powered down.
Click the Save button. If the AutoSynch feature is enabled, the running-config is saved as startup-config on both the internal flash memory and the compact flash card.
Figure 14-3. Save Config
Download Config. The Download Config section allows you to save the startup-config to a file on your PC. This feature is particularly useful when you must configure several routers with similar settings and you need to edit the configuration to tailor it to another router.
Figure 14-4. Download Config
1. Click the Download button. The File Download window with the Open, Save, Cancel, and More Info buttons is displayed. The file is automatically named <hostname>-<date>.cfg. For example, if you configured your router’s hostname as HQRouter and today’s date were May 5, 2007, the filename would be HQRouter-05-05-2007.cfg.
2. Click Save. The Save As dialog box is displayed.
3. Locate the folder where you want to save the file and click Save.
After you have downloaded the configuration file onto your PC, you can open and edit it in a text editor program such as Notepad.
Upload Config. The Upload Config section allows you to upload a configuration file from your PC.
Figure 14-5. Upload Config
1. Click the Browse . . . button next to the Select File box and choose the file you want to upload.
2. Select either Flash or CFlash to specify the destination location for the file.
3. To upload the file, click the Upload button at the bottom of the window. The file is uploaded to your router.
Delete Config File. If you have an old or outdated configuration file or if you need the room on your router’s flash or cflash memory, you can delete the file.
Figure 14-6. Delete Config File
1. In the Delete Config File section, use the pull-down menu to display all the files on flash and cflash and select the file you want to delete.
2. Click the Delete button to erase the file. A confirmation dialog box is displayed.
3. Click OK to delete the file.
For information about advanced file management functions such as renaming, uploading, or downloading files, see Chapter 1: Overview.
Firmware
The Firmware section allows you to manage Secure Router OS files. You can select the Secure Router OS file that is loaded when the ProCurve Secure Router boots. You can also upload new OS files and delete old files.
Be careful when setting and managing router firmware; setting the wrong file may prevent your router from booting with the proper configuration or even from booting at all.
Set Primary/Backup Firmware. The Secure Router OS, or firmware, files have the .biz extension. The primary firmware file is always named SROS.BIZ. From the Web browser interface, you can select the firmware file that the router loads when it is booted.
1. Click Utilities > Firmware in the left navigation bar. The Set Primary / Backup Firmware window is displayed.
Figure 14-7. Set Primary/Backup Firmware
2. Use the pull-down menu for the Primary Firmware box to select the file you want for your primary firmware. This file should be cflash SROS.BIZ.
3. To set the backup firmware, use the pull-down menu for the Backup Firmware box to select the file you want for your backup software. This file should be SROS.BIZ.
This window also shows the current memory statistics for the internal flash and cflash drives. The Flash memory statistics are displayed as the bytes used / the total memory and the drive space free. The CFlash memory statistics are displayed below the Flash statistics in the same format.
It is always a good idea to keep track of the amount of memory you have available when saving multiple configurations to your router. For information about deleting files, see “Delete Config File” on page 14-9.
Upload Firmware. This section allows you to upload boot code and OS updates to your router. To get these updates, go to www.procurve.com and download the new firmware files to your PC.
Figure 14-8. Upload Firmware
1. To upload the file from your PC or terminal to the router, click the Browse button next to the Select Firmware File: box.
Note: All firmware files have a .biz extension.
2. After you’ve selected the new firmware file, select either Flash or CFlash to specify the router memory location you are saving the file to.
3. Click the Upload button.
Delete Firmware. This window allows you to delete old firmware versions. Firmware files are usually the largest files in memory, and if you need to free up memory for configuration files, you may want to delete older firmware.
Figure 14-9. Delete Firmware
1. Use the pull-down menu for the Delete Firmware box to select the file that you want to delete.
2. Click the Delete button.
Caution: Deleting the current firmware version or deleting all firmware from the router’s memory may prevent the router from booting. Be very careful when deleting your router’s firmware. You may want to keep a backup copy of the current firmware version.
Reboot Unit
After you have uploaded new firmware or done some configuration work, you may need to reboot the router to make the changes active.
Figure 14-10. Reboot Unit
1. Click the Save and Reboot button to save a copy of the current configuration to a startup-config file. If you are running the AutoSynch feature, a copy is saved to both internal flash and compact flash. This option allows you to keep the current configuration and reboot the router.
Caution: If you have made changes to the Ethernet or WAN interface that you are using to access the Web browser interface, or if you have made changes to any security policies, saving and rebooting may lock you out of the router.
2. Click the Reboot (Do Not Save) button to immediately reboot the router without keeping any changes made to the configuration since the last save. If you have made experimental changes to the router or if you have made changes that are causing operation problems, you may want to reboot the router and have it revert to a previous working configuration.
Telnet to Unit
The Telnet section opens up a Telnet session between your router and your PC. To successfully establish a Telnet session to your router, you first need to configure the router to accept Telnet access.
1. Set an enable mode password.
a. On the left panel of the Web browser interface, click Passwords > Service Authentication.
b. Click the Enable Password tab.
c. Select Use Password and enter an enable password. Enter the password again in the Confirm Password box.
d. Click Apply.
2. Set a Telnet password.
a. Click the Telnet password tab.
b. Select Use Password and enter the password in the box. Re-enter the password in the Confirm Password box.
3. In the left navigation bar, click Telnet to Unit. The PC will open a terminal session and begin to establish a Telnet session.
4. When the terminal session software begins, it will prompt you for a password. Enter the Telnet/SSH/Console password.
5. The session software will display the CLI in the basic mode context. To enter the enable mode context, enter enable. When the router prompts you for the enable mode password, enter the password you configured. From this Telnet session, you can configure the router using the CLI.
Enabling IP Services on the Router
In the IP Services section, you can enable or disable the following servers on the router:
■ Simple Network Management Protocol (SNMP)
■ FTP
■ TFTP
■ HTTP
■ HTTPS
■ Secure Copy
You can also configure settings for the Web browser interface.
In addition to enabling these servers, you must configure passwords for them so that users can access the router. To configure passwords for management access, see “Configuring Passwords to Control Management Access to the Router” on page 14-18.
1. Click System > IP Services in the left navigation bar. The IP Services Enable/Disable window is displayed.
Figure 14-11. IP Services Enable/Disable
2. To enable the router as an SNMP Server, click the box.
3. To enable the router as an FTP Server, click the box.
4. To enable the router as a TFTP server, click the box.
5. The router’s HTTP Server is already enabled, because you enabled it from the CLI in order to access the Web browser interface. To disable the HTTP Server, click the box.
Caution: Disabling the HTTP Server will cause the Web browser interface to stop functioning.
6. To change the HTTP Server Port, enter the desired port number in the box. The default port is 80.
7. To enable the HTTPS Server, click the box.
8. To change the HTTPS Server Port, enter the desired port number in the box. The default is 443.
9. To enable the router’s Secure Copy Server, click the box.
10. To make the changes effective, click Apply. If you want to return to the previously configured settings instead, click Cancel to reset the fields.
Web Access Configuration
By default, the timeout for the HTTP server is 10 minutes. If your HTTP connection to the router is inactive for 10 minutes, you must log in again to use the Web browser interface.
Figure 14-12. Web Access Configuration
1. To change the Inactivity Timeout, enter the number of hours, minutes, and seconds in the boxes.
2. You can set the maximum number of concurrent connections to the Web browser interface by entering the number in the Max Sessions: box.
3. To make the changes effective, click Apply. Click Cancel to reset to the previously configured settings.
Configuring Passwords to Control Management Access to the Router
The ProCurve Secure Router uses usernames and passwords to control management access to the router. In addition to configuring usernames and passwords for each access method, you can enable the Authentication, Authorization, and Accounting (AAA) subsystem, which allows you to configure multiple access methods in case an access method fails. The AAA subsystem also supports RADIUS servers for authentication and TACACS+ servers for authentication, authorization, and accounting.
Encrypting All the Passwords
You can encrypt all passwords that you establish on the ProCurve Secure Router. These include
■ enable mode password
■ telnet and console line passwords
■ passwords for SSH, HTTP, and FTP access
■ passwords in the router’s local username database
The Secure Router OS can apply an MD5 hashing function to these passwords so that they appear in hashed form, rather than in cleartext, in the running-config and when they are sent over the line.
To enable password encryption globally, complete these steps:
1. Select Passwords under System in the lefthand navigation bar.
2. Check the Encryption Enabled box in the Password Encryption window. See Figure 14-13.
Figure 14-13. Add/Modify/Delete Users Window
Configuring a Local User List: Passwords for Web, SSH, and FTP Access
When you configured the router for HTTP or HTTPS access, you entered a username and password. You can use this username and password to access the ProCurve Secure Router through Secure Shell (SSH) and FTP.
All of the usernames and passwords that you configure using the username command from the global configuration mode context in the CLI are stored in the local user list. The Web browser interface simplifies management of this local user list. You can view all of the usernames and passwords that have been configured in the local user list, and you can add or delete usernames and passwords.
1. To view the local user list from the Web browser interface, select Passwords in the left navigation bar. The Add/Modify/Delete Users window is displayed, and the usernames that have been configured are listed under the Modify/Delete User heading.
Figure 14-14. Add/Modify/Delete Users Window
2. To add a new user, enter the username in the space provided.
3. Enter the password for the username in the Password box.
4. Re-enter the password in the Confirm Password box.
5. Click Add. The username is now listed under the Modify/Delete User heading.
6. To remove a username, select it and click Delete.
Configuring an Enable Mode Password
To configure an enable mode password, complete these steps:
1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.
2. Select the Enable tab.
Figure 14-15. Configuring a Password for the Enable Mode
3. Select Use password and then enter and confirm the password you want to use.
4. If you want to use a RADIUS or TACACS+ server to control enable mode access, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.
5. Click Apply.
Configuring a Password for Telnet Access
To configure a password for Telnet access, complete these steps:
1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.
2. Select the Telnet tab.
Figure 14-16. Configuring Passwords for Telnet Access
3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for Telnet access.
4. Select the Use password option if you want to configure a separate password for Telnet access.
5. If you want to use a RADIUS or TACACS+ server to control Telnet access, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.
6. Click Apply.
Configuring a Password for Console Access
To configure a password for console access, complete these steps:
1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.
2. Select the Console tab.
Figure 14-17. Configuring Passwords for Console Access
3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for console access.
4. Select the Use password option if you want to configure a separate password for console access.
5. If you want to use a RADIUS or TACACS+ server to control console access, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.
6. Click Apply.
Configuring a Password for SSH Access
To configure a password for SSH access, complete these steps:
1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.
2. Select the SSH tab.
Figure 14-18. Configuring Passwords for SSH Access
3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for SSH access. (This is the default option.)
4. If you want to use a RADIUS or TACACS+ server to authenticate users attempting to initiate an SSH session with the router, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.
5. Click Apply.
Configuring a Password for HTTP Access
To configure a password for Web access, complete these steps:
1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.
2. Select the HTTP tab.
Figure 14-19. Configuring Passwords for Web Access
3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for access to the router’s Web server. (This is the default setting.)
4. If you want to use a RADIUS or TACACS+ server to control access to the Web browser, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.
5. Click Apply.
Configuring a Password for FTP Access
To configure a password for FTP access, complete these steps:
1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.
2. Select the FTP tab.
Figure 14-20. Configuring Passwords for FTP Access
3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for FTP access. (This is the default setting.)
4. If you want to use a RADIUS or TACACS+ server to control FTP access, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.
5. Click Apply.
Using the AAA Subsystem to Control Management Access
Authentication, authorization, and accounting (AAA) is an industry standard for controlling:
■ which users can access a system (authentication)
■ what they can do once they are granted access (authorization)
■ what is recorded about their activities (accounting)
The AAA subsystem on the ProCurve Secure Router currently supports authentication using a remote Remote Authentication Dial-In User Service (RADIUS) server, that is, a RADIUS server elsewhere on the network. The ProCurve Secure Router also supports authentication, authorization, and accounting using a remote TACACS+ server.
When you enable the AAA subsystem, you can specify a list of authentication methods for each type of access. If one authentication method fails, the ProCurve Secure Router will allow the user to try another access method.
The ProCurve Secure Router has specific criteria for failure:
■ Line and enable passwords fail if there are no line or enable passwords configured.
■ RADIUS and TACACS+ servers fail if the ProCurve Secure Router cannot reach the server on the network.
■ The local user list fails if the given user is not in the database.
For example, if you configure the authentication methods with RADIUS as the first option and the RADIUS server goes down, the AAA subsystem tries the next authentication method you configured. If you listed the local user list after the RADIUS server, the AAA subsystem will use that authentication method next.
However, if a user enters the wrong username or the wrong password for a particular username, the user failed to authenticate to the router; the access method did not fail. In this case, the user will be denied access to the router.
You can use the Web browser interface to specify the RADIUS and TACACS+ servers that the ProCurve Secure Router can contact. You can also configure authentication using RADIUS or TACACS+ from the Web browser interface. However, you must configure authorization and accounting using TACACS+ from the CLI.
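The distinction the preceding paragraphs draw between a method that fails (and is skipped) and a user who fails to authenticate (and is denied) is easy to get wrong when building a method list. The following is an added illustration, not ProCurve code: it models the failure criteria exactly as the page states them, with constructed sample users and servers; the behaviour when every listed method is unavailable is not stated on the page and is this example's assumption.

```python
"""Model of the AAA method-list fallback described above (added example).

A *method failure* (server unreachable, no enable password set, user absent
from the local list) moves on to the next configured method; an
*authentication failure* (credentials rejected) ends the attempt.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Outcome(Enum):
    ACCEPT = "accept"            # user authenticated
    REJECT = "reject"            # credentials rejected; no further methods tried
    UNAVAILABLE = "unavailable"  # every listed method failed to answer


class MethodFailed(Exception):
    """The method could not be consulted; the list moves on to the next one."""


@dataclass
class LocalUserList:
    users: Dict[str, str]  # constructed sample data: username -> password

    def check(self, user: str, password: str) -> bool:
        if user not in self.users:
            # Page: the local user list fails if the user is not in the database
            raise MethodFailed("user not in local database")
        return self.users[user] == password


@dataclass
class RemoteServer:
    """RADIUS or TACACS+ server: fails only when it cannot be reached."""
    name: str
    reachable: bool
    users: Dict[str, str]

    def check(self, user: str, password: str) -> bool:
        if not self.reachable:
            raise MethodFailed(f"{self.name} server unreachable")
        # A reachable server answers: an unknown user or wrong password is a
        # reject from the server, i.e. an authentication failure, not a
        # method failure, so no later method is consulted.
        return self.users.get(user) == password


@dataclass
class EnablePassword:
    secret: Optional[str]

    def check(self, user: str, password: str) -> bool:
        if self.secret is None:
            raise MethodFailed("no enable password configured")
        return self.secret == password


def authenticate(methods: List[object], user: str, password: str,
                 trace: Optional[List[str]] = None) -> Outcome:
    """Walk the method list in order; stop at the first method that answers."""
    log = trace if trace is not None else []
    for method in methods:
        label = type(method).__name__
        try:
            ok = method.check(user, password)
        except MethodFailed as why:
            log.append(f"{label}: method failed ({why}); trying next method")
            continue
        log.append(f"{label}: {'accepted' if ok else 'rejected'} {user!r}")
        return Outcome.ACCEPT if ok else Outcome.REJECT
    # Assumption (not stated on the page): deny when no method can answer.
    log.append("no method available; access denied")
    return Outcome.UNAVAILABLE


# Constructed sample configuration: RADIUS first, local user list second.
RADIUS = RemoteServer("RADIUS", reachable=False, users={"admin": "radius-pw"})
LOCAL = LocalUserList(users={"admin": "local-pw", "ops": "ops-pw"})


def radius_down_falls_back_to_local() -> Outcome:
    """RADIUS unreachable -> method failure -> local list answers."""
    return authenticate([RADIUS, LOCAL], "admin", "local-pw")


def wrong_password_on_reachable_radius() -> Outcome:
    """RADIUS reachable and rejects: the local list is never consulted,
    even though it would accept this password."""
    live = RemoteServer("RADIUS", reachable=True, users=RADIUS.users)
    return authenticate([live, LOCAL], "admin", "local-pw")


def unknown_user_everywhere() -> Outcome:
    """No enable password and user absent from local list: nothing answers."""
    return authenticate([EnablePassword(None), LOCAL], "guest", "x")


if __name__ == "__main__":
    steps: List[str] = []
    print(authenticate([RADIUS, LOCAL], "admin", "local-pw", steps))
    print("\n".join(steps))
```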
Configuring Authentication Using a RADIUS Server
If you want to use a RADIUS server to authenticate users who access the router, you must enable the AAA subsystem.
1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.
2. In the Service Authentication section, select AAA Mode Enabled.
3. Click Apply to enable the AAA subsystem.
4. Configure the settings for a RADIUS server.
a. Select the Radius tab.
Figure 14-21. Configure the Settings for a RADIUS Server
b. For Address, enter the IP address of the RADIUS server.
c. For Shared Key, enter the shared key. Re-enter the key to confirm it.
d. For Username, enter and confirm the username that the router should use to authenticate itself to the RADIUS server.
e. For TCP Port, accept the default port unless the RADIUS server is operating on a different port.
f. For Retries, configure the number of attempts that the ProCurve Secure Router will make to contact the RADIUS server.
g. For Timeout, configure the number of seconds that the ProCurve Secure Router will wait to receive a reply from the RADIUS server.
h. Click Apply to save the settings for the RADIUS server.
5. Select the tab for the type of access you want to configure:
• Enable Password
• Telnet
• Console
• SSH
• HTTP
• FTP
6. Select the Use remote RADIUS server option.
7. Click Apply to save your settings.
Configuring Authentication Using a TACACS+ Server
If you want to use a TACACS+ server to authenticate users who access the router, you must enable the AAA subsystem.
1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.
2. In the Service Authentication section, select AAA Mode Enabled.
3. Click Apply to enable the AAA subsystem.
4. Configure the settings for a TACACS+ server.
a. Select the TACACS+ tab.
Figure 14-22. Configure the Settings for a TACACS+ Server
b. For Address, enter the IP address of the TACACS+ server.
c. For Shared Key, enter the shared key. Re-enter the key to confirm it.
d. For TCP Port, accept the default port unless the TACACS+ server is operating on a different port.
e. For Retries, configure the number of attempts that the ProCurve Secure Router will make to contact the TACACS+ server.
f. Click Apply to save the settings for the TACACS+ server.
5. Select the tab for the type of access you want to configure:
• Enable Password
• Telnet
• Console
• SSH
• HTTP
• FTP
6. Select the Use remote TACACS+ server option.
7. Click Apply to save your settings.
Configuring Ethernet Interfaces
To configure an Ethernet interface from the Web browser interface, complete the following steps. If you need more information about any of the options, see Chapter 3: Configuring Ethernet Interfaces.
1. Click Physical Interfaces in the left navigation bar.
2. Select the Ethernet port you want to configure (eth 0/1 or eth 0/2). The Configuration for Ethernet window is displayed.
Figure 14-23. Configuration for Ethernet Window
3. If you want to document information about this Ethernet interface, enter an alphanumeric string up to 80 characters in the Description box.
4. Click the Enable box and then click Apply at the bottom of the window to activate the Ethernet interface immediately. You can also complete the Ethernet configuration before clicking Apply.
5. Use the pull-down menu to configure the Speed/Duplex setting:
a. To select an automatically negotiated connection, select Auto.
b. To specify a 10 Mbps connection with half- or full-duplex, select 10Mbps/half or 10Mbps/full.
c. To specify a connection at 100 Mbps using a half- or full-duplex setting, select 100Mbps/half or 100Mbps/full.
6. The factory-set MAC Address for the Ethernet interface is displayed beneath the Speed/Duplex box. If you want to keep the MAC address of the router’s interfaces uniform, you can enable MAC Address Masquerade by clicking the box. Then, enter the desired MAC address, in hexadecimal, in the boxes provided.
7. Configure supplicant information if the Ethernet interface connects to a network that requires 802.1X authentication.
a. Click the Supplicant box. Supplicant Username and Supplicant Password boxes are displayed.
b. In these boxes, enter the username and password required to allow the router to access the 802.1X network. (For more information about the router functioning as an 802.1X client, see “Port Authentication” on page 2-40.)
8. The Interface Mode pull-down allows you to choose IP routing or PPP over Ethernet (PPPoE). The default setting is IP Routing. If you select PPPoE and then click Apply, the PPPoE Configuration window is displayed. If you want to configure PPPoE for this interface, see “Configuring PPPoE for the Ethernet Interface” on page 14-35.
9. Click Apply to save the changes you have made to the startup-config.
IP Settings
The IP Settings section allows you to configure the IP address and dynamic Domain Name System (DNS) settings for the Ethernet interface.
Figure 14-24. IP Settings Section
10. Use the pull-down menu to configure the Address Type:
• None—Select this setting if you intend to set up a bridge group with the Ethernet interface.
• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the Ethernet interface.
• DHCP—Select this setting to configure the interface as a Dynamic Host Configuration Protocol (DHCP) client.
• Unnumbered—To set up the Ethernet interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.
Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame-Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.
Dynamic DNS
11. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.
a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Choose the service for which you registered with DynDNS.org. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.
b. For Dynamic DNS Hostname, enter the hostname you are registering for the interface.
c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.
d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.
Secondary IP Settings
12. To set secondary IP addresses for your Ethernet interface, click Add a new Secondary IP Address. Then enter the IP address and subnet mask in the boxes provided.
13. Click Apply to save your configurations.
Ethernet Interface Statistics
You can view status information about the Ethernet interface at the bottom of the Ethernet Configuration window. This display provides basic information; for a more comprehensive readout, access the CLI and enter show interface ethernet 0/<port> at the enable mode context.
Releasing/Renewing a DHCP IP Address
If the Ethernet interface receives its IP address from a DHCP server, the first line of the Status for Ethernet section reports the DHCP address state. If the interface has successfully received an address, this should display “Bound.” Next to “Bound” are the words Release and Renew highlighted in blue.
14. To release the current IP address, click Release.
15. To receive an IP address, click Renew. When the interface receives an address, the DHCP field should display “Bound.”
16. To clear the current statistics, click the Clear Statistics button.
17. This section does not display realtime information. To get updates, click the Continuous Refresh button. Click the Stop Updates button to end the continuous refresh.
Caution: Clicking the Continuous Refresh button requires the router to send continuous updates. This consumes bandwidth and router resources.
Figure 14-25. Status for Ethernet Interface
Configuring PPPoE for the Ethernet Interface
To configure PPPoE, complete the following steps:
1. Access the Configuration for Ethernet window, select PPPoE for the Interface Mode, and click Apply. The PPPoE Configuration for “ppp <interface number>” window displays.
2. Enter a description if you need to document information about PPPoE settings. This information will be displayed in the running-config under the appropriate PPP interface heading.
3. Click the Enabled box to activate the PPP interface.
4. For most environments, accept the default setting of 1500 for the MTU. The ProCurve Secure Router OS will negotiate an MTU of 1492 with the PPP peer. If the two peers fail to negotiate an MTU of 1492, you may need to set the MTU manually.
5. Select Default Peer Address if you want to configure the IP address of the PPP peer.
Figure 14-26. PPPoE for the Ethernet Interface
6. If you want to configure PPP authentication, see “PPP Authentication” on page 14-50.
7. Configure IP settings. For Address Type select one of the following.
• None—Select this setting if you intend to set up a bridge group with the PPP interface.
• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the PPP interface.
• Negotiated—Select this setting if you want the PPP interface to negotiate an IP address from your service provider. Select Default Route if you want to configure the interface to receive a default gateway from the peer.
• Unnumbered—To set up the PPP interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.
Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame-Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.
Figure 14-27. Configure IP Settings
Dynamic DNS
8. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.
a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.
b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.
c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.
d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.
Secondary IP Settings
9. To configure secondary IP addresses for the PPP interface, click Add a new Secondary IP Address. Then enter the IP address and subnet mask in the boxes provided.
10. Click Apply to activate your configurations.
View Statistics for the PPP Interface
Status information is displayed at the bottom of the Configuration PPPoE window. After you apply your changes, the PPP Link State will be “starting,” indicating that the ProCurve Secure Router OS is trying to establish a PPP connection with its peer. Ensure that the PPP Link State is eventually “up.” For information about troubleshooting PPPoE, see “Troubleshooting PPPoE” on page 7-50.
This readout is not in real-time. To update the readout to the current statistics, click the Continuous Refresh button. To stop continuous refresh, click the Stop Updates button. To reset the statistics, click the Clear Statistics button.
Figure 14-28. View Statistics for PPPoE
Configuring E1 and T1 Interfaces
When you set up an E1- or T1-carrier line, you must configure the Physical Layer and the Data Link Layer. This section explains how to configure the Physical Layer—the E1 or T1 interface—if you have purchased:
■ an E1 module that includes a built-in Digital Service Unit (DSU)
■ a T1 module that includes a built-in Channel Service Unit (CSU)/DSU
If your public carrier provides an external CSU/DSU, see “Configuring a Serial Interface for an E1- or T1-Carrier Line” on page 14-44.
When you configure the E1 or T1 interface, you must configure the same settings that your public carrier’s equipment uses. If you need additional information about any of the options, see Chapter 4: Configuring E1 and T1 Interfaces.
1. In the left navigation bar of the Web browser interface, select Physical Interfaces. The interfaces for all of the modules installed in the router are listed on the Physical Interfaces window.
Figure 14-29. Physical Interfaces Window
2. Select the E1 or T1 interface that you want to configure. The Configuration for the <interface> <slot>/<port> window is displayed.
Figure 14-30. Configuration for E1 Interface Window
3. Enter a description in the Description box if you want to document information about the E1 or T1 interface. This information will be displayed in the running-config under the appropriate interface heading.
4. To activate the interface, select the Enable box and then click Apply at the bottom of the window.
5. Configure the clock source for the interface in the Clocking pull-down menu.
• Select line if you want the interface to take its timing from the public carrier’s equipment.
• Select internal if you want the interface to provide the timing for the connection.
• Select through if you have a module with more than one E1 or T1 port and you want this interface to take its timing from the other interface. (See Chapter 4: Configuring E1 and T1 Interfaces for more information about clock sources and when to use the through setting.)
6. Set the frame format to match your service provider’s settings:
• If you are configuring an E1 interface, use the pull-down menu to select E1 or CRC4. E1 is the default setting.
• If you are configuring a T1 interface, click ESF or D4. ESF is the default setting.
Note: Select the TS16 box to enable TS16 signaling only if you are configuring the G.703 interface for an E1 + G.703 module. For more information, see “E1 + G.703 and T1 + DSX-1 Modules” on page 14-74.
7. Use the Coding pull-down menu to configure the coding to match your service provider’s settings:
• If you are configuring an E1 interface, use the pull-down menu to select HDB3 or AMI. HDB3 is the default setting.
• If you are configuring a T1 interface, use the pull-down menu to select B8ZS or AMI. B8ZS is the default setting.
8. If you are configuring a T1 interface, use the pull-down menu to set the facility data link (FDL). The default setting is ANSI. You can also select ATT or None.
9. If you are configuring an E1 interface, you can set the Sa4Tx-Bit to 0 or 1. The default setting is 0.
10. In the Data DS0s field, configure the channels for the connection. This setting must match the channels configured on your service provider’s equipment, or the Data Link Layer protocol cannot establish a connection.
• If you are leasing the entire E1-carrier line, set the timeslots to 1 to 31.
• If you are leasing the entire T1-carrier line, set the timeslots to 1 to 24.
11. Accept the default setting of 64 Kbps for the DS0 speed unless your public carrier tells you to change this setting. Typically, you will change the setting only if you are leasing a T1-carrier line and are using the D4 frame format. In this case, use the pull-down menu to select 56 Kbps.
12. Select the Data Link Layer protocol for this interface—PPP, Frame Relay, or High-level Data Link Control (HDLC)—and click Apply. The <Protocol> Configuration Settings window is displayed.
• If your WAN connection is using PPP, see “Configure PPP as the Data Link Layer Protocol” on page 14-47.
• If your WAN connection is using Frame Relay, see “Configure Frame Relay as the Data Link Layer Protocol” on page 14-52.
• If your WAN connection is using HDLC, see “Configure HDLC as the Data Link Layer Protocol” on page 14-58.
Note: If you are using PPP or Frame Relay, you can configure a multilink connection. For instructions on configuring this multilink, see Chapter 2: Increasing Bandwidth in the Advanced Management and Configuration Guide.
Status Information
After you configure the Data Link Layer protocol, a new Data Link Layer section is displayed on the E1 or T1 configuration window. You can now access the configuration window for the Data Link Layer protocol from the E1 or T1 configuration window.
Status information is displayed at the bottom of the E1 or T1 configuration window. This readout is not in real-time. To update the readout to the current statistics, click the Continuous Refresh button. To end continuous refresh, click the Stop Updates button. To reset the statistics, click the Clear Statistics button.
Figure 14-31. Status for E1 Interface
Caution: Clicking the Continuous Refresh button requires the router to send continuous updates, consuming bandwidth and router resources.
Configuring a Serial Interface for an E1- or T1-Carrier Line
If your public carrier provided you with an external CSU/DSU, you purchased a serial module for the ProCurve Secure Router. When you set up an E1- or T1-carrier line, you must configure the Physical Layer and the Data Link Layer. This section explains how to configure the Physical Layer—the serial interface. If you need additional information about any of the options, see Chapter 4: Configuring E1 and T1 Interfaces.
1. In the left navigation bar of the Web browser interface, select Physical Interfaces. The interfaces for all of the modules installed in the router are listed on the Physical Interfaces window.
2. Select the serial interface that you want to configure. The Configuration for Serial <port number>/<slot number> window is displayed.
Figure 14-32. Configuration for Serial Window
3. Enter a string of up to 80 characters in the Description field if you want to document information about this interface.
4. Select the Enable box to activate the interface.
5. For Mode, select V.35 or X.21, depending on the type of cable you are using to connect the serial module to the external CSU/DSU. The default setting is V.35. If you want to use an EIA 530 cable from another vendor, the ProCurve Secure Router supports this setting from the CLI. For more information, see Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines.
6. Configure the clock settings.
a. For TX Clock, accept the default setting of Normal or select Invert if the router is a long distance from the CSU/DSU.
b. For Rx Clock, accept the default setting of Normal or select Invert if the router is a long distance from the CSU/DSU.
c. For ET Clock, accept the default setting of Normal or select Invert if the router is a long distance from the CSU/DSU.
d. For ET Clock Source, accept the default setting of Tx Clock or select Rx Clock if your public carrier tells you to change this setting.
7. For Encapsulation, select the Data Link Layer protocol that your public carrier is using. The <Protocol> Configuration Settings window is displayed.
• If your WAN connection is using PPP, see “Configure PPP as the Data Link Layer Protocol” on page 14-47.
• If your WAN connection is using Frame Relay, see “Configure Frame Relay as the Data Link Layer Protocol” on page 14-52.
• If your WAN connection is using HDLC, see “Configure HDLC as the Data Link Layer Protocol” on page 14-58.
Note: If you are using PPP or Frame Relay, you can configure a multilink connection. For instructions on configuring this multilink, see the Advanced Management and Configuration Guide: “Configuring MLPPP” on page 14-18 or “Configuring MLFR” on page 14-20.
Status Information
Status information is displayed at the bottom of the Configuration for Serial window. This readout is not in real-time. To update the readout to the current statistics, click the Continuous Refresh button. To end continuous refresh, click the Stop Refreshing button. To reset the statistics, click the Clear Statistics button.
Figure 14-33. Status for Serial Interface
Caution: Clicking the Continuous Refresh button requires the router to send continuous updates, consuming bandwidth and router resources.
Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces
This section explains how to configure the Data Link Layer protocol for an E1, T1, or Serial interface. You should configure the physical interface to use the same Data Link Layer protocol that your public carrier is using:
■ For PPP, see “Configure PPP as the Data Link Layer Protocol” below.
■ For Frame Relay, see “Configure Frame Relay as the Data Link Layer Protocol” on page 14-52.
■ For HDLC, see “Configure HDLC as the Data Link Layer Protocol” on page 14-58.
If you need additional information about any of the options, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
Configure PPP as the Data Link Layer Protocol
The following steps explain the initial configuration of PPP as the Data Link Layer protocol. It is assumed that you have configured the Physical Layer—the E1, T1, or serial interface—and you have selected PPP as the Data Link Layer protocol. As a result, the PPP Configuration window is displayed.
Figure 14-34. PPP Configuration Window
1. From the PPP Configuration window, enter a string of text up to 80 characters in the Description box if you want to record information about the PPP interface. This description will be displayed in the running-config.
2. Select the Enabled box to activate the interface.
3. If you do not want the interface to use Weighted Fair Queuing (WFQ), click the box to deselect it. For more information about WFQ, see “Configuring WFQ” on page 14-45 in the Advanced Management and Configuration Guide.
4. For most environments, you will accept the default MTU of 1500. If you need to adjust the MTU, however, enter the new value in the MTU box.
5. Verify that the PPP interface is bound to the correct physical interface.
6. If you have not set a QoS Policy, None is displayed for its QoS policy. To create a QoS policy, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.
7. To configure the IP address of the PPP peer, select the Default Peer IP Address box, and enter the IP address in the boxes provided.
8. To configure authentication, see “PPP Authentication” on page 14-50.
IP Settings
9. For Address Type select one of the following.
• None—Select this setting if you intend to set up a bridge group with the PPP interface.
• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the PPP interface.
• Negotiated—Select this setting if you want the PPP interface to negotiate an IP address from your service provider. Select Default Route if you want to configure the interface to receive a default gateway from the peer.
• Unnumbered—To set up the PPP interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.
Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame-Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.
Figure 14-35. IP Settings
Dynamic DNS
10. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.
a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.
b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.
c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.
d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.
Secondary IP Settings
11. To configure secondary IP addresses for your PPP interface, click Add a new Secondary IP Address. Then enter the IP address and subnet mask in the boxes provided.
12. Click Apply to activate your configurations.
Status Information
Status information is displayed at the bottom of the Configuration PPP window. After you apply your changes, the PPP Link State will be “starting,” indicating that the ProCurve Secure Router OS is trying to establish a PPP connection with its peer. Ensure that the PPP Link State is eventually “up.” For information about troubleshooting PPP, see “Troubleshooting the PPP Interface” on page 6-58.
PPP Authentication
The ProCurve Secure Router supports two authentication protocols for PPP: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
When a ProCurve Secure Router asks a peer to authenticate itself using PAP, the peer sends its password in clear text over the wire. The first router matches the password to the password in its PPP database.
CHAP is more secure because the actual password does not cross the wire, where anyone could intercept it. The peer that is authenticating itself hashes its password and sends the hash value to the challenging peer instead. The challenger, which has the password stored in its PPP database, performs the same hash function. It compares the result with the value it received from the peer.
Both peers must use the same protocol.
You can configure the ProCurve Secure Router to require authentication from a peer, or to authenticate itself to a peer, or both.
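To make the PAP/CHAP difference concrete, the following added example (not ProCurve code) models both exchanges as the messages each side puts on the line. It goes slightly beyond the text in one respect: the CHAP hash is computed as RFC 1994 specifies, MD5 over the message identifier, the secret and a fresh challenge, which is why a captured response cannot be replayed. RouterB and its password YYY are taken from Figure 14-36; the rest of the names are constructed.

```python
"""PAP versus CHAP on a PPP link (added illustration, not ProCurve code).

Each run_* function returns whether authentication succeeded and the list of
(direction, bytes) messages that crossed the wire, so a reader can check
what an eavesdropper on the line would actually see.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

Wire = List[Tuple[str, bytes]]  # (direction, payload on the line)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Challenger:
    """Router that requires the peer to authenticate (Peer Username/Password)."""

    def __init__(self, ppp_database: Dict[str, str]) -> None:
        self.ppp_database = ppp_database  # peer name -> password/secret

    def verify_pap(self, name: str, password: str) -> bool:
        stored = self.ppp_database.get(name)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())

    def verify_chap(self, identifier: int, challenge: bytes,
                    name: str, response: bytes) -> bool:
        secret = self.ppp_database.get(name)
        if secret is None:
            return False
        # Same hash over the stored secret; compare with what the peer sent.
        return hmac.compare_digest(
            chap_response(identifier, secret, challenge), response)


def run_pap(challenger: Challenger, name: str, password: str) -> Tuple[bool, Wire]:
    wire: Wire = []
    # Authenticate-Request carries the peer's name and password in clear text.
    wire.append(("peer->challenger", name.encode() + b":" + password.encode()))
    ok = challenger.verify_pap(name, password)
    wire.append(("challenger->peer",
                 b"Authenticate-Ack" if ok else b"Authenticate-Nak"))
    return ok, wire


def run_chap(challenger: Challenger, name: str, secret: str,
             identifier: int = 1,
             challenge: Optional[bytes] = None) -> Tuple[bool, Wire]:
    wire: Wire = []
    challenge = os.urandom(16) if challenge is None else challenge
    # Challenge: identifier plus random value; nothing secret in it.
    wire.append(("challenger->peer", bytes([identifier]) + challenge))
    # Response: the peer hashes its secret with the challenge; the secret
    # itself never leaves the peer. The name tells the challenger which
    # database entry to hash with (for CHAP this is the peer's hostname).
    response = chap_response(identifier, secret, challenge)
    wire.append(("peer->challenger",
                 bytes([identifier]) + response + name.encode()))
    ok = challenger.verify_chap(identifier, challenge, name, response)
    wire.append(("challenger->peer", b"Success" if ok else b"Failure"))
    return ok, wire


def secret_seen_on_wire(wire: Wire, secret: str) -> bool:
    """True if the secret appears verbatim in any message on the line."""
    return any(secret.encode() in payload for _, payload in wire)


# Constructed PPP database of the challenging router; RouterB/YYY as in
# Figure 14-36 of the page.
ROUTER_A = Challenger({"RouterB": "YYY"})

if __name__ == "__main__":
    ok, wire = run_pap(ROUTER_A, "RouterB", "YYY")
    print("PAP ok:", ok, "password on wire:", secret_seen_on_wire(wire, "YYY"))
    ok, wire = run_chap(ROUTER_A, "RouterB", "YYY")
    print("CHAP ok:", ok, "password on wire:", secret_seen_on_wire(wire, "YYY"))
```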
Requiring a Peer to Authenticate Itself to the Local Router
1. Select Physical Interfaces under System in the left navigation bar.
2. Choose the logical interface for the connection whose remote endpoint you want to authenticate. (It must, of course, be a PPP interface.)
3. You will enter the PPP Config window. Move to Authentication Settings in the PPP configuration for “ppp <interface number>” window.
Figure 14-36. Configuring Two-Way PAP Authentication
4. In the pull-down menu for Peer Authentication Type, select PAP or CHAP.
5. Enter the remote endpoint’s username and password in the Peer Username and Peer Password fields. For example, in Figure 14-36, the peer’s username is RouterB and its password is YYY. For CHAP the username should be the peer’s hostname.
6. Click Apply.
7. You can also configure the local router to authenticate itself to the peer, although this is not necessary. (See “Configuring the Local Router to Authenticate Itself to a Peer” on page 14-51.)
Configuring the Local Router to Authenticate Itself to a Peer
1. Select System > Physical Interfaces.
2. Choose the logical interface for the connection whose remote endpoint requires the router to authenticate itself (for example, your ISP).
3. You will enter the PPP Config window. Move to Authentication Settings in the PPP configuration for “ppp <interface number>” window.
Figure 14-37. Configuring the Local Router to Authenticate Itself
4. In the pull-down menu for Sent Authentication Type, select PAP or CHAP. The protocol must match that requested by the peer. If you do not know the protocol your peer is using, you will either have to contact the peer or view PPP debug messages in the CLI. (See “PPP Authentication” on page 6-11.)
5. Enter the local router’s username and password in the Sent Username and Sent Password fields. If you are using CHAP, you only have to enter a username if it is different from the router’s hostname.
6. Click Apply.
Configure Frame Relay as the Data Link Layer Protocol
The following steps explain the initial configuration of Frame Relay as the Data Link Layer protocol. It is assumed that you have configured the Physical Layer—the E1, T1, or serial interface—and you have selected Frame Relay as the Data Link Layer protocol. As a result, the Frame Relay Configuration window is displayed.
Figure 14-38. Frame Relay Configuration Window
1. From the Frame Relay Configuration window, enter a string of text up to 80 characters in the Description box if you want to record information about the WAN connection. This information will be displayed in the running-config.
2. Select the Enabled box to activate the interface.
3. Use the pull-down menu to select the Link Management Protocol that your Frame Relay service provider is using:
• ansi (Annex D)
• cisco (Group of Four)
• none
• q933a (Annex A)
• auto
The default setting is ansi.
4. Weighted Fair Queuing (WFQ) is enabled by default. If you do not want the interface to use WFQ, click the box to deselect it. For more information about WFQ, see “Configuring WFQ” on page 14-45 in the Management and Configuration Guide.
5. Use the pull-down menu to select the Frame Relay signaling role:
• If this interface is acting as Data Terminal Equipment, select Connect to a switch (DTE). For most environments, you will select this setting.
• If this device is acting as Data Communications Equipment, select Act like a switch (DCE).
• If this Frame Relay interface will act as both DTE and DCE, select Both.
6. Verify that the Frame Relay interface is bound to the correct physical interface. The Physical Interface field displays the interface <slot>/<port> that is connected to the logical Frame Relay interface that you are configuring.
7. If you have not set a QoS Policy, this Frame Relay interface will display None for its QoS policy. For instructions on setting a QoS policy, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.
8. Click Apply to activate the settings.
Configure a Permanent Virtual Circuit (PVC)
The Configured Permanent Virtual Circuits section allows you to create and display PVCs for this WAN connection.
Figure 14-39. Configured Permanent Virtual Circuits Section
9. To create and configure a PVC, click the Add button. The Configuration window is displayed.
Figure 14-40. Configuration for Frame Relay Subinterface Window
1. Enter a string of text up to 80 characters in the Description box if you want to record information about the Frame Relay subinterface. This description will be displayed in the running-config under the appropriate interface heading.
2. Set the FRF.12 fragment threshold by entering the size in the Fragment box.
3. Set the committed burst rate in the BC box.
4. Set the excess burst rate in the BE box.
5. In the DLCI Number box, enter the DLCI that your Frame Relay service provider assigned you. This number must be between 16 and 992.
Configure IP Settings
6. Configure the IP settings for the Frame Relay subinterface.
• None—Select this setting if you intend to set up a bridge group with the Frame Relay subinterface.
• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the Frame Relay subinterface.
• DHCP—Select this setting to configure the subinterface as a Dynamic Host Configuration Protocol (DHCP) client.
• Unnumbered—To set up the Frame Relay subinterface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.
Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.
Configure Dynamic DNS
7. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.
a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.
b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.
c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.
d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.
8. Click Apply to activate your settings.
9. Repeat the PVC steps above, from clicking Add through clicking Apply, for each PVC you need to configure for the Frame Relay interface.
Status Information
10. To view information about the Frame Relay subinterface, scroll to the bottom of the Configuration for Frame Relay subinterface window.
Figure 14-41. Statistics for Frame Relay Subinterface
11. Reset statistics by clicking the Clear Statistics button.
12. Get continuous updates by clicking the Continuous Refresh button. To stop the continuous updates, click the Stop Refreshing button.
13. To view status information about the Frame Relay interface and LMI status, return to the Frame Relay Configuration window and scroll to the bottom of the window.
Figure 14-42. Statistics for Frame Relay Interface
Configure HDLC as the Data Link Layer Protocol
The following steps explain the initial configuration of HDLC as the Data Link Layer protocol. It is assumed that you have configured the Physical Layer—the E1, T1, or serial interface—and you have selected HDLC as the Data Link Layer protocol. As a result, the HDLC Configuration window is displayed.
Figure 14-43. HDLC Configuration Window
1. Enter a description in the Description box if you want to record some information about the HDLC interface. This information will be displayed in the interface’s running-config.
2. Click the Enabled box to activate the interface.
3. If you do not want the interface to use Weighted Fair Queuing, click the box to deselect it. For more information about WFQ, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.
4. For most environments, you will accept the default MTU of 1500. If you need to adjust the MTU, however, enter the new value in the MTU box.
5. Verify that the HDLC is bound to the proper physical interface by checking the Physical Interface field.
6. If you have not set a QoS Policy, this HDLC interface will display None for its QoS policy. To set a QoS policy, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.
IP Settings
7. Configure IP Settings.
• None—Select this setting if you intend to set up a bridge group with the HDLC interface.
• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the HDLC interface.
• DHCP—Select this setting to configure the HDLC interface as a DHCP client.
• Unnumbered—To set up the HDLC interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.
Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.
Dynamic DNS
8. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.
a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.
b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.
c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.
d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.
9. Click Apply to activate your settings.
Status Information
You can also check the HDLC interface statistics in the Status for “hdlc <interface>” section. To reset the statistics, click the Clear Statistics button. To get real-time updates, click Continuous Refresh. To stop continuous refresh, click the Stop Refreshing button.
Figure 14-44. Status for HDLC Interface
Configuring ADSL Interfaces
To configure the ProCurve Secure Router to support an Asymmetric Digital Subscriber Line (ADSL), complete the following steps. If you need more information about any of the ADSL or Asynchronous Transfer Mode (ATM) options, see Chapter 7: ADSL WAN Connections.
1. From the left navigation bar, click Physical Interfaces. The Physical Interfaces window is displayed.
Figure 14-45. Physical Interfaces Window
2. From the list of physical interfaces that are listed, click the ADSL interface that you want to configure. The Configuration for ADSL window is displayed.
Figure 14-46. Configuration for ADSL Window
3. Enter a description for the interface if you want to document information about the ADSL connection. The description is displayed when you view the running-config file.
4. Click the Enable box to activate the ADSL interface.
5. Use the pull-down menu to select the Training Mode that your ADSL service provider is using.
6. Select the Showtime-Monitor if you want to monitor the signal-to-noise ratio (SNR)-margin after the physical connection has been established.
7. Select the Training-Monitor if you want to monitor the SNR-margin during the training phase.
8. In the box provided for the SNR-Margin, enter the SNR margin in decibels.
9. The ADSL Version field displays the type of ADSL module installed in the router and information about the module’s boot ROM and firmware.
10. Select ATM as the encapsulation.
11. Click Apply to save your changes to the startup-config. The Configuration for “atm <interface>” window is displayed. (See Figure 14-47.)
Configure an ATM Interface
Figure 14-47. Configuration for ATM Interface Window
12. Enter a description if you want to document information about the ATM interface.
13. Click the Enabled box to activate the ATM interface.
14. Click Apply to save your changes to the startup-config.
Configure the ATM Subinterface
15. In the Configured Permanent Virtual Circuits section, click the Add button to begin configuring the permanent virtual circuit (PVC). The Configuration for “atm <subinterface>” window is displayed.
Figure 14-48. Configuration for ATM Subinterface Window
16. Click the Enabled box to activate the subinterface.
17. For PVC, enter the virtual path identifier (VPI) in the first box, and enter the virtual channel identifier (VCI) in the second box. For example, if your ADSL service provider assigned you a VPI/VCI of 0/33, you would enter 0 in the first box and 33 in the second box.
18. For Interface Mode, use the pull-down menu to select one of the following:
• IP routing, if you are configuring just ATM as the Data Link Layer protocol
• PPPoE client, if you are configuring PPPoE for the ADSL interface
• PPP, if you are configuring PPPoA
19. If your ADSL service provider uses routed bridged encapsulation (RBE), select the Routed-Bridge IP box.
20. To configure the ATM encapsulation method, quality of service (QoS) settings, and Operation, Administration, and Maintenance (OAM) settings, click the Advanced Configuration box at the top of the Configuration for ATM Subinterface window. The Advanced Configuration section is displayed.
Figure 14-49. Advanced Configuration Section
21. Configure Fair-Queue, Fair-Queue Threshold, and Hold-Queue settings if you want to configure QoS on this interface. For more information about QoS, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.
22. Select Managed OAM-PVC to manage the Operation, Administration, and Maintenance (OAM) cells. These cells are sent over a reserved VCI to monitor the ATM link, ensuring that it is open from end to end. After you select the Managed OAM-PVC option, you can then configure:
• OAM Retry Up-Counts—determines the number of consecutive, end-to-end F5 OAM loopback cell responses that the ADSL interface must receive before the Secure Router OS changes a PVC connection state to up. For this option, configure a number between 1 and 255. The default setting is 3.
• OAM Down-Counts—determines the number of consecutive, end-to-end F5 OAM loopback cell responses that are not received before the Secure Router OS changes the PVC state to down. Specify a number between 1 and 255. The default setting is 5.
• OAM Retry Frequency—determines the frequency (in seconds) at which the ADSL interface transmits F5 OAM loopback cells when verifying a PVC state change. Specify a number of seconds between 1 and 600. The default setting is 1 second.
• OAM PVC Frequency—determines the time delay between OAM loopback cells. This setting is used unless the router is verifying a PVC state change (in which case it uses the OAM retry frequency setting). Specify a number between 0 to 600 seconds. The default setting is 1 second.
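The four OAM settings together form a small state machine, and the interaction between the counters is easier to see in code than in prose. The following added example (not from this guide or the Secure Router OS) simulates that monitor with the defaults given above: a down PVC goes up only after OAM Retry Up-Counts consecutive loopback responses, an up PVC goes down only after OAM Down-Counts consecutive missed responses, and a single result in the other direction resets the count. The exact timing rule used here (the retry frequency applies while a state change is being confirmed, the PVC frequency otherwise) and the function names are assumptions made for the example.

```python
"""Simulated F5 OAM loopback monitor for an ATM PVC.

Added example (not from the guide): reproduces the state logic described by
the OAM Retry Up-Counts, OAM Down-Counts, OAM Retry Frequency and OAM PVC
Frequency settings, with the guide's defaults. The timing rule (retry rate
while a state change is being confirmed, PVC rate otherwise) is an assumption.
"""
from dataclasses import dataclass, field

LIMITS = {  # (min, max) per the Advanced Configuration section
    "up_counts": (1, 255),
    "down_counts": (1, 255),
    "retry_frequency": (1, 600),
    "pvc_frequency": (0, 600),
}


@dataclass
class OamPvcMonitor:
    up_counts: int = 3        # consecutive responses needed before the PVC goes up
    down_counts: int = 5      # consecutive missed responses before the PVC goes down
    retry_frequency: int = 1  # seconds between cells while verifying a state change
    pvc_frequency: int = 1    # seconds between cells otherwise
    state: str = "down"
    consecutive_ok: int = 0
    consecutive_missed: int = 0
    elapsed: int = 0
    transitions: list = field(default_factory=list)  # (elapsed_seconds, new_state)

    def __post_init__(self):
        for name, (lo, hi) in LIMITS.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}-{hi}")

    def verifying(self) -> bool:
        """A state change is being confirmed once the opposite counter has started."""
        return ((self.state == "down" and self.consecutive_ok > 0) or
                (self.state == "up" and self.consecutive_missed > 0))

    def next_interval(self) -> int:
        """Delay, in seconds, before the next loopback cell is sent."""
        return self.retry_frequency if self.verifying() else self.pvc_frequency

    def observe(self, response_received: bool) -> str:
        """Send one loopback cell and record whether its response came back.

        Returns the PVC state afterwards.
        """
        self.elapsed += self.next_interval()
        if response_received:
            self.consecutive_ok += 1
            self.consecutive_missed = 0      # one response resets the down count
            if self.state == "down" and self.consecutive_ok >= self.up_counts:
                self.state = "up"
                self.transitions.append((self.elapsed, "up"))
        else:
            self.consecutive_missed += 1
            self.consecutive_ok = 0          # one miss resets the up count
            if self.state == "up" and self.consecutive_missed >= self.down_counts:
                self.state = "down"
                self.transitions.append((self.elapsed, "down"))
        return self.state


def run(monitor: OamPvcMonitor, outcomes) -> list:
    """Feed a constructed sequence of loopback outcomes; return the transitions."""
    for got_response in outcomes:
        monitor.observe(got_response)
    return list(monitor.transitions)
```

Two consequences of the reset rule are worth keeping in mind when tuning these values: a PVC with occasional loss stays up, because one good response clears the down count, and a flapping circuit is not declared up until Up-Counts responses arrive back to back.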
23. Select the encapsulation setting that your ADSL service provider is using:
• aalsnap
• aalmux ip
• aalmux ppp
24. Click Apply to save your settings to the startup-config.
If you are configuring just ATM as the Data Link Layer protocol, continue with “Configuring ATM Only” on page 14-66. If you are configuring PPPoE or PPPoA, you must configure a PPP interface. See “Configuring PPPoE or PPPoA for the ADSL Connection” on page 14-68.
Configuring ATM Only
25. After you select IP routing, a new section called IP Settings, is displayed.
Figure 14-50. IP Settings Section
26. For Address Type, use the pull-down menu to select:
• None—Select None if you want this interface to be part of a bridge.
• Static—Select Static if you want to configure a fixed IP address for the interface. When new fields are displayed, enter an IP address and subnet mask.
• DHCP—Select DHCP if your ADSL service provider wants you to receive an IP address from its DHCP server.
27. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.
a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.
b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.
c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.
d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.
28. Click Apply to save your configuration.
Figure 14-51. Configuring Dynamic DNS in the IP Settings Section
Status Information
You can view information about both the ATM interface and subinterface. To view information about the ATM interface, move to the Configuration for “atm <interface>” window and scroll to the bottom of the window. Likewise, you can view the status of the ATM subinterface by scrolling to the bottom of the Configuration for “atm <subinterface>” window.
Configuring PPPoE or PPPoA for the ADSL Connection
After you select PPPoE Client or PPP as the Interface Mode for the ATM subinterface, a PPP configuration screen is displayed. (See Figure 14-52.) You must then configure the PPP interface:
1. Enter a description if you need to document information about the PPP interface. This information will be displayed in the running-config under the appropriate PPP interface heading.
2. Click the Enabled box to activate the PPP interface.
3. For most environments, you can accept the default setting of 1500 for the MTU. If you selected the PPPoE Client setting for the ATM Interface Mode, the ProCurve Secure Router OS will automatically negotiate an MTU of 1492 with the PPP peer (1500 minus the 6-byte PPPoE header and 2-byte PPP protocol field). If the two peers fail to negotiate an MTU of 1492, you may need to set the MTU manually.
4. Select Default Peer Address if you want to configure the IP address of the PPP peer.
5. If you want to configure PPP authentication, see “PPP Authentication” on page 14-50.
Figure 14-52. PPPoE Configuration Window
6. Configure IP settings. For Address Type select one of the following.
• None—Select this setting if you intend to set up a bridge group with the PPP interface.
• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the PPP interface.
• Negotiated—Select this setting if you want the PPP interface to negotiate an IP address from your service provider.
• Unnumbered—To set up the PPP interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.
Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.
7. Select Default Route if you want this interface to provide the default route for the router.
Dynamic DNS
8. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.
a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.
b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.
c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.
d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.
Secondary IP Settings
9. To configure secondary IP addresses for the PPP interface, click Add a new Secondary IP Address. Then enter the IP address and subnet mask in the boxes provided.
10. Click Apply to activate your configurations.
View Statistics for the PPP Interface
Status information is displayed at the bottom of the PPP configuration window. After you apply your changes, the PPP Link State will be “starting,” indicating that the ProCurve Secure Router OS is trying to establish a PPP connection with its peer. Ensure that the PPP Link State is eventually “up.” For information about troubleshooting PPPoE, see “Troubleshooting PPPoE” on page 7-50. For information about troubleshooting PPP, see “Troubleshooting the PPP Interface” on page 6-58.
ISDN Modules
The two-port ISDN modules provide basic rate interface (BRI) ISDN for a primary WAN connection. Each ISDN line can provide up to two 64 Kbps channels. You can aggregate multiple channels for a single ISDN connection. (However, you must configure the aggregation from the CLI.)
The ISDN BRI S/T module provides an interface to connect the router to Network Termination 2 (NT2) or NT1 equipment. This module is used in areas outside of North America.
The ISDN BRI U module provides an interface to connect the router to a Network Interface Unit (NIU), or smart jack. This module is used in North America.
Complete these steps to configure the physical interfaces on the ISDN module:
1. In the left navigation bar of the Web browser interface, select Physical Interfaces. The interfaces for all of the modules installed in the router are listed on the Physical Interfaces window.
2. The ports on the ISDN module are listed as BRI interfaces. Select the BRI interface that you want to configure. The Configuration for the BRI <slot>/<port> window is displayed.
Figure 14-53. Configuration for a BRI Interface
3. Enter a description in the Description box if you want to document information about the BRI interface. This information will be displayed in the running-config under the appropriate interface heading.
4. To activate the interface, select the Enable box.
5. If you want the BRI interface to replace the caller ID of incoming calls with a different number, select the Caller Id Override box. Enter the number that replaces incoming numbers in the Override Number field.
6. Select the ISDN signaling used by your service provider from the Switch-Type pull-down menu.
7. Enter the local directory number (LDN) for the ISDN line in the LDN1 field.
8. If your service provider has assigned this line a secondary LDN, enter it in the LDN2 field.
9. In North America, service providers assign ISDN lines Service Profile Identifiers (SPIDs). Enter your line’s primary SPID in the SPID1 field. If the line has been assigned a secondary SPID, enter it in the SPID2 field.
10. Click Apply.
ISDN connections on the ProCurve Secure Router use demand routing for the Data Link Layer. You must configure demand routing from the CLI.
After you activate the BRI interface, you can view its status. Scroll to the Status for BRI window. The Line Status indicates whether the interface is up or down and whether it is currently active. You can view the B1 State, B2 State, and D-Channel State to determine which channels are currently active. You can also view statistics for inbound and outbound packets and for errors.
Click the Continuous Refresh button to view the statistics in real-time. Click the Stop Refreshing button to freeze the display.
Caution: Clicking the Continuous Refresh button requires the router to send continuous updates. This consumes bandwidth and may create a security issue.
The line status for the BRI interface shown in Figure 14-54 is “Disabled;” the interface has not succeeded in negotiating with the ISDN switch to bring up the line.
Figure 14-54. Viewing the BRI Interface’s Status
You can use the options in the Maintenance window to troubleshoot a BRI interface:
■ Occasionally, a BRI interface may enter a loop if it does not complete the call disconnect process. Select the Reset option and click Apply to reset the port hardware.
■ You can restart the D-channel by selecting the Restart-d option and clicking Apply. For example, you might need to restart the D-channel if a problem occurs during the call process.
E1 + G.703 and T1 + DSX-1 Modules
The E1 + G.703 and the T1 + DSX-1 modules allow you to use some channels of a carrier line for data and some channels for analog voice. When you configure one of these modules, you should first configure the E1 or T1 interface that will be used for data. As part of this configuration, you must assign the channels that will be used for data to the E1 or T1 interface. The remaining channels are then automatically assigned to the G.703 or DSX-1 interface.
When you configure the E1 or T1 interface, you set the clock source for the entire module. If you set the clock source to line, the module will take its timing from the public carrier’s equipment that is attached to the E1 or T1 interface. If you set the clock source to through, the module will take its timing from the PBX that is attached to the G.703 or DSX-1 interface.
For more information about E1 or T1 settings, see “Configuring E1 and T1 Interfaces” on page 14-39.
In the Secure Router OS, the G.703 interface is referred to as an E1 interface. Specifically, it is the interface for port 2 in the slot where the E1 + G.703 module is installed. For example, if the E1 + G.703 module is installed in slot 2, the G.703 interface is E1 2/2.
The DSX-1 interface is referred to as a T1 interface. It is the interface for port 2 in the slot where the T1 + DSX-1 module is installed. For example, if the T1 + DSX-1 module is installed in slot 1, the DSX-1 interface is T1 1/2.
However, to avoid confusion between the interfaces used for data and the interfaces used for analog voice, these instructions will use the terms G.703 interface and DSX-1 interface.
When you configure the G.703 or DSX-1 interface, the settings you enter should match those used by your private branch exchange (PBX). To configure the G.703 or DSX-1 interface from the Web browser interface, complete the following steps:
1. From the left navigation bar, click Physical Interfaces. The Physical Interfaces window is displayed.
2. Select the G.703 or DSX-1 interface. The configuration window for that interface is displayed.
Figure 14-55. Configuration Window for G.703 Interface
3. Enter a description in the Description box if you want to document information about the G.703 or DSX-1 interface. This information will be displayed in the running-config under the appropriate interface heading.
4. To activate the interface, select the Enable box.
5. Ignore the clock source because you set the clock source for this module on the E1 or T1 interface.
6. Set the frame format:
• If you are configuring a G.703 interface, use the pull-down menu to select E1 or CRC4. E1 is the default setting.
• If you are configuring a DSX-1 interface, click ESF or D4. ESF is the default setting.
7. Select the TS16 box to enable TS16 signaling if you are configuring a G.703 interface. For more information about this setting, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.
Note: By default, the signaling-mode setting for the DSX-1 interface is set to robbed-bit. If you need to change this setting, you must enter the command from the CLI. You must also adjust the line-length setting from the CLI. For information about these settings, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.
8. Use the pull-down menu to configure the coding:
• If you are configuring a G.703 interface, use the pull-down menu to select HDB3 or AMI. HDB3 is the default setting.
• If you are configuring a DSX-1 interface, use the pull-down menu to select B8ZS or AMI. B8ZS is the default setting.
9. Ignore the Data DS0s field because you configure channels for the E1 or T1 interface and the remaining channels are assigned to the G.703 or DSX-1 interface.
10. Click Apply to save your configurations.
Status Information
Status information is displayed at the bottom of the configuration for the G.703 or DSX-1 window. This readout is not in real-time. To update the readout to the current statistics, click the Continuous Refresh button. To end continuous refresh, click the Stop Updates button. To reset the statistics, click the Clear Statistics button.
Bridging
You can configure the router to act as a remote bridge so that it can:
■ bridge non-IP protocols
■ bridge two sites using addresses on the same subnet
The ProCurve Secure Router automatically implements Rapid Spanning Tree Protocol (RSTP), or IEEE 802.1w on all bridged interfaces. Bridges and switches run RSTP to eliminate loops from the network topology.
Configuring Bridging
You configure a bridge by assigning interfaces to it. These interfaces then act like bridge ports. They learn the MAC addresses for frames so that they can properly forward frames received on other bridged interfaces.
To configure bridging, complete the following steps:
1. If you are configuring the router to bridge two remote segments of the same subnet, you must set the default gateway and disable IP routing before configuring the bridge:
a. In the left navigation bar under Router/Bridge, select Default Gateway. Enter the IP address for the router’s default gateway. This address should either be a router interface or a unit that knows how to reach the router; otherwise, you will lock yourself out of the Web browser interface. Click Apply.
b. Under Router/Bridge in the left navigation bar, select Routing. Uncheck the IP Routing box. Click Apply.
Figure 14-56. Disabling Routing
2. In the left navigation bar, select Bridging under Router/Bridge.
3. Enter a number between 1 and 255 in the Bridge Number box in the Add/Modify/Delete Bridge window.
4. Click Add.
Figure 14-57. Configuring a Bridge
5. The Assign Interfaces to a Bridge window displays all Ethernet and logical interfaces on the router. (For Frame Relay and ATM, it displays subinterfaces.) For each interface that should participate in the bridge, select the bridge group from the pull-down menu. (You should assign at least two interfaces to every bridge.)
6. Click Apply.
Figure 14-58. Viewing the Bridge Table
A bridge group on the ProCurve Secure Router listens for frames from connected hosts. It stores each frame’s source MAC address, together with the interface on which the frame arrived, in a bridge table. The bridge then sends frames only through the interface that connects to the destination host, rather than flooding them through all interfaces; frames for a destination it has not yet learned are still flooded.
You can view the bridge table at the bottom of the window. This table includes the MAC addresses of connected hosts with their forwarding interface. For example, in Figure 14-58 the router knows to forward frames destined to 00:01:03:20:C0:F9 through the Ethernet 0/2 interface.
You can manually add a host by entering its MAC address in the corresponding fields of the MAC Forwarding Entries window. Select the forwarding interface from the Interface pull-down menu.
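The following added example (not code from this guide or the Secure Router OS) implements the learning and forwarding behavior just described, including the manual MAC forwarding entries, and shows why those manual entries matter. The entry for 00:01:03:20:C0:F9 on Ethernet 0/2 is the one from Figure 14-58; the other MAC addresses, the interface names, the table size and the class and method names are constructed for the example.

```python
"""A learning bridge of the kind a bridge group implements.

Added example (not from the guide): learns source MAC addresses per ingress
interface, forwards known destinations out one interface, floods unknown and
broadcast destinations, and honours static MAC forwarding entries.
00:01:03:20:C0:F9 on Ethernet 0/2 is the entry from Figure 14-58; the other
addresses, interface names and the table size are constructed.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def norm(mac: str) -> str:
    return mac.lower()


class BridgeGroup:
    def __init__(self, interfaces, max_entries=1024):
        self.interfaces = list(interfaces)
        self.max_entries = max_entries     # assumed table capacity
        self.dynamic = OrderedDict()       # MAC -> interface, oldest entry first
        self.static = {}                   # MAC -> interface, never aged or overwritten

    def add_static(self, mac: str, interface: str) -> None:
        """Equivalent of a manual MAC Forwarding Entry."""
        if interface not in self.interfaces:
            raise ValueError(f"unknown interface {interface}")
        mac = norm(mac)
        self.static[mac] = interface
        self.dynamic.pop(mac, None)

    def lookup(self, mac: str):
        mac = norm(mac)
        return self.static.get(mac) or self.dynamic.get(mac)

    def learn(self, mac: str, ingress: str) -> None:
        mac = norm(mac)
        if mac in self.static or mac == BROADCAST:
            return                            # static entries win; never learn broadcast
        if mac in self.dynamic:
            self.dynamic.move_to_end(mac)     # refresh: most recently seen
        elif len(self.dynamic) >= self.max_entries:
            self.dynamic.popitem(last=False)  # table full: evict the oldest entry
        self.dynamic[mac] = ingress

    def receive(self, ingress: str, src: str, dst: str) -> list:
        """Handle one frame; return the interfaces it is forwarded out of."""
        if ingress not in self.interfaces:
            raise ValueError(f"unknown interface {ingress}")
        self.learn(src, ingress)
        egress = None if norm(dst) == BROADCAST else self.lookup(dst)
        if egress is None:                    # unknown or broadcast: flood
            return [i for i in self.interfaces if i != ingress]
        if egress == ingress:                 # destination is on the same segment
            return []
        return [egress]

    def entries(self) -> dict:
        """The bridge table as the Web browser interface would list it."""
        merged = dict(self.dynamic)
        merged.update(self.static)
        return merged
```

The eviction path is the security-relevant part. A host on any bridged segment can send frames with thousands of bogus source addresses; once the table is full, legitimate entries are evicted and traffic to those hosts is flooded out every bridged interface, including the WAN, where it can be read. A static entry for a critical host is never evicted or overwritten by a spoofed source address, which is one reason to use the MAC Forwarding Entries window for servers and management hosts.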
Configuring the Spanning Tree Protocol
Typically, RSTP will run on your WAN without any further configurations. However, you can:
■ view information about the spanning tree
■ configure the router to run the legacy version, STP, rather than RSTP
■ change the router’s bridge priority
■ alter spanning tree timers
■ configure properties for individual interfaces
Viewing a Spanning Tree
RSTP and STP prune connections in a looped topology. All nodes participating in the same bridge group generate a shared, loopless topology. You can view information about this topology, called a spanning tree instance. Follow these steps:
1. In the left navigation bar, select Spanning Tree under Router/Bridge.
2. Scroll down to the Spanning Tree Properties window and select the Spanning Tree Instance that you want to view.
3. A window, such as that displayed in Figure 14-59, will display information which you can view to determine:
• Which network device is root
• Which interfaces are forwarding packets
• Which interfaces have been disabled—For example, in Figure 14-59 the Frame Relay 1.102 subinterface provides a redundant connection to the root, so its role is “Blocking” and it does not forward packets.
• Which interface role each interface is playing—Root ports are on the best path to the root device. Designated ports connect to root ports on neighbors further from the root. Edge ports connect to end devices. For example, in Figure 14-59 the Ethernet 0/2 interface connects the local device to the root and the Ethernet 0/1 interface provides a connection to the root for a connected network.
The Spanning Tree Properties “STP <instance number>” window displays information about the root bridge in the Root ID column and the local device in the Bridge ID column. For example, in Figure 14-59, the root is identified by its MAC address 00:12:79:05:25:D4, and it is connected to the local router through the Ethernet 0/2 interface.
The Spanning Tree Port Information “STP <instance number>” window displays information about the interfaces on the local router, including their role in the spanning tree, whether they are forwarding packets, and the cost for their connection.
Figure 14-59. Viewing a Spanning Tree
Setting Global Spanning Tree Parameters
You set the spanning tree protocol version, router’s bridge priority, and spanning tree timers in the Spanning Tree window.
1. Select Spanning Tree under Router/Bridge in the left navigation bar.
2. RSTP is fully backwards compatible with STP. When an RSTP interface detects an STP message, it automatically falls back to STP. You should generally run RSTP, which reduces convergence time from about a minute to less than a second.
However, if for whatever reason you decide to use STP, select Legacy STP (802.1d) from the Spanning Tree Mode pull-down menu.
Figure 14-60. Configuring Spanning Tree Properties
3. Bridges elect the device with the lowest bridge ID (priority plus MAC address) as root. You can manipulate which device becomes root by changing devices’ priorities. Enter a number between 0 and 65535 in the Bridge Priority field. For example, enter 0 to ensure that the local router becomes root. In Figure 14-60, the priority has been set to 0 to ensure that the local router becomes root. (The default priority is 32768.)
Caution: Only alter timers if you have a great deal of experience working with spanning tree protocols. Otherwise, you could slow convergence or cause interfaces to toggle between forwarding and blocked states.
4. Enter times for the forward delay, hello, and maximum age timers in the corresponding fields. Click Apply.
The Restore Factory Defaults button returns the timers and STP version to their defaults. The Reset button returns to the settings that were established the last time you clicked Apply.
Table 14-1. Spanning Tree Timers

Timer: hello time
Function: Each forwarding interface periodically transmits BPDU hellos. If neighbors miss three hellos from an interface, they assume the connection is down and send out a TC BPDU to this effect. Take care when altering this timer, as incompatible settings can cause devices to believe a connection is down when it is not.
Default: 2 seconds
Range: 0 to 1,000,000

Timer: max age
Function: The device discards information from a BPDU when its maximum age timer expires. With STP, the timer determines how long a device will wait to receive information on a connection from the root before assuming the connection is down.
Default: 20 seconds
Range: 6 to 40

Timer: forward delay
Function: The device waits this interval before forwarding BPDUs. With STP, this setting determines how long the device stays first in the listening and then in the learning stage.
Default: 15 seconds
Range: 4 to 30

Configuring Spanning Tree Settings for Individual Interfaces
You can manually configure settings such as the cost of the connection for each bridged interface.
1. Select Spanning Tree from the left navigation bar.
2. Scroll to the Spanning Tree Properties window and select the Spanning Tree Instance.
3. Select the interface that you want to configure from the Spanning Tree Port Information window that displays.
4. The Spanning Tree Port Information window will display. (See Figure 14-61.) You can then alter certain settings:
a. You can alter the port priority for the connection. A lower priority increases the connection’s chance of being selected. (Priority is only taken into account when two connections have the same cost.) Select the priority from the ID pull-down menu.
b. RSTP allows point-to-point interfaces to assert sync to rapidly transition to the forwarding state. Interfaces automatically determine whether they are on point-to-point or shared connections by their duplex setting.
If necessary, you can override this setting and manually set the connection type. Select Forced Point-to-Point or Forced Shared from the Link Type Configuration pull-down menu.
If you leave this setting at the default, Automatically determined, the Link Type field displays the setting used on the interface.
Figure 14-61. Spanning Tree Options on an Interface
c. Edge ports connect directly to end devices. RSTP allows such interfaces to begin forwarding packets immediately so that applications on the user device do not time out.
To configure an interface to be an edge port, select Enabled for Edge Port Configuration. You can then check the BPDU Guard box to prevent the end device from joining the spanning tree.
d. The Secure Router OS automatically calculates a cost for each connection based on its bandwidth. You can alter this cost by selecting Specify from the Cost pull-down menu. Then enter a cost between 1 and 200,000,000 in the field that appears.
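The root election of step 3 under “Setting Global Spanning Tree Parameters” and the edge port and BPDU guard behaviour of step c above, worked through as an added example (not the Secure Router OS implementation). It assumes bridge IDs are (priority, MAC) pairs compared in that order, uses constructed interface names, MACs and costs, and simplifies the 802.1D port-ID tie-break to the interface name.

```python
"""Root election, port roles and BPDU guard for a bridge group, as the
spanning tree steps describe them.  Added example, not Secure Router OS code.
Bridge IDs are (priority, MAC) pairs compared in that order, so a lower
priority wins and the MAC breaks ties.  Interface names, MAC addresses and
costs below are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BridgeId = Tuple[int, str]      # (priority 0..65535, default 32768; MAC address)


def bid(priority: int, mac: str) -> BridgeId:
    return (priority, mac.lower())


@dataclass(frozen=True)
class Bpdu:
    """The fields of a received configuration BPDU that decide port roles."""
    root: BridgeId          # root bridge the sender believes in
    root_path_cost: int     # sender's cost to that root
    sender: BridgeId        # bridge ID of the neighbour that sent it


@dataclass
class Port:
    cost: int                      # path cost of this interface (automatic or "Specify")
    bpdu: Optional[Bpdu] = None    # last BPDU received, None if nothing heard
    edge: bool = False             # Edge Port Configuration: Enabled
    bpdu_guard: bool = False       # BPDU Guard box checked


def elect_root(local: BridgeId, ports: Dict[str, Port]) -> BridgeId:
    """Lowest bridge ID among ourselves and every root advertised to us."""
    advertised = [p.bpdu.root for p in ports.values() if p.bpdu is not None]
    return min([local] + advertised)


def _edge_state(p: Port) -> str:
    """'edge', 'disabled' (guard fired) or 'normal' (treated as a regular port)."""
    if not p.edge:
        return "normal"
    if p.bpdu is None:
        return "edge"
    # An end device sent a BPDU: with BPDU guard the port is shut; without it
    # RSTP drops the edge status and the port takes part in the tree normally.
    return "disabled" if p.bpdu_guard else "normal"


def port_roles(local: BridgeId, ports: Dict[str, Port]) -> Dict[str, str]:
    """Map each interface to root / designated / blocking / edge / disabled."""
    root = elect_root(local, ports)
    roles: Dict[str, str] = {}

    # Root port: the cheapest way to the elected root (received root path cost
    # plus our own port cost); ties break on neighbour bridge ID, then name.
    candidates = [
        (p.bpdu.root_path_cost + p.cost, p.bpdu.sender, name)
        for name, p in ports.items()
        if _edge_state(p) == "normal" and p.bpdu is not None and p.bpdu.root == root
    ]
    my_cost, root_port = 0, None
    if root != local and candidates:
        my_cost, _, root_port = min(candidates)

    for name, p in ports.items():
        state = _edge_state(p)
        if state != "normal":
            roles[name] = state
        elif name == root_port:
            roles[name] = "root"
        elif p.bpdu is None or p.bpdu.root != root:
            roles[name] = "designated"      # nothing better heard on this segment
        elif (p.bpdu.root_path_cost, p.bpdu.sender) < (my_cost, local):
            roles[name] = "blocking"        # neighbour offers the better path to root
        else:
            roles[name] = "designated"
    return roles


# Constructed sample: the root is reachable directly on eth 0/2 and over a
# more expensive Frame Relay subinterface, a downstream bridge hangs off
# eth 0/1, and a guarded edge port on eth 0/3 has just received a BPDU.
ROOT = bid(0, "02:00:00:00:00:01")
LOCAL = bid(32768, "02:00:00:00:00:10")
DOWNSTREAM = bid(32768, "02:00:00:00:00:20")
PORTS = {
    "eth 0/2": Port(cost=19, bpdu=Bpdu(ROOT, 0, ROOT)),
    "fr 1.102": Port(cost=100, bpdu=Bpdu(ROOT, 0, ROOT)),
    "eth 0/1": Port(cost=19, bpdu=Bpdu(ROOT, 38, DOWNSTREAM)),
    "eth 0/3": Port(cost=19, edge=True, bpdu_guard=True,
                    bpdu=Bpdu(ROOT, 38, bid(32768, "02:00:00:00:00:99"))),
}

if __name__ == "__main__":
    for name, role in port_roles(LOCAL, PORTS).items():
        print(f"{name:9s} {role}")
```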
Routing
The ProCurve Secure Router stores routes in a route table, which it uses to route traffic from one network to another. Each route includes:
■ destination IP address and subnet mask
■ administrative distance—the reliability of the route
■ metric—the cost of reaching the destination
■ next hop address or forwarding interface
■ type—how the router learned the route
The router automatically adds directly connected networks to its route table. It must learn routes to all other networks to which it will forward traffic. A router can learn:
■ static routes, which you add manually
■ dynamic routes, which it discovers using a routing protocol
This section explains how to configure static routing.
Configuring a Static Route
Static routing can be a good solution for your network when your network has:
■ a simple topology and a single router at each site
■ a single destination for traffic—for example, to an ISP
■ only one path for IP traffic
Follow these steps to add a static route:
1. In the left navigation bar, select Route Table under Router/Bridge.
2. The Add a Static Route to the Route Table window will display. Enter the destination network’s IP address and subnet mask in the Destination Address and Destination Mask fields.
3. Specify how the router will forward packets that arrive for this destination in the Gateway field:
a. You can configure a next hop address, which is the address of a router that is one hop closer to the destination than the local router. Select Address and enter this address.
b. You can alternatively specify the local interface through which the router will forward traffic destined to the destination network. Select Interface and choose the forwarding interface from the pull-down menu.
This option has several advantages, particularly when you are connecting to an ISP router:
– You do not need to know the IP address of the connecting router.
– The route will remain valid even if the connecting router changes its IP address.
Figure 14-62. Adding a Static Route
4. If so desired, you can configure an administrative distance for the route. Enter the distance in the Administrative Distance field.
A router can learn routes in many different ways. A route’s administrative distance tells the router how reliable the route is. When the router knows more than one route to a destination, it chooses the route with the lowest administrative distance. By default, static routes have an administrative distance of 1. When you configure more than one static route to the same destination (for example, one through a primary connection and one through a backup connection), you should assign the route with lower priority a higher administrative distance. The router will only add the second route if the first route becomes unavailable.
5. Click Add.
6. The Route Table window displays all routes that the router is currently using to forward traffic, including any static routes. You can delete a static route by clicking the Delete button to its right.
Configuring a Default Route
A default route is a special static route. It is a route to network 0.0.0.0 with mask 0.0.0.0. The all-zero subnet mask ensures that all traffic matches this route. When a packet arrives for a destination to which the router does not know a more specific route, the router uses the default route rather than dropping the packet.
For example, your network connects to the Internet through PPP interface 1 only. Rather than learning routes to all external networks from the ISP router, the router can simply forward all external traffic (that is, traffic for which it does not know another route) through the PPP interface.
Configure a default route as you would any other static route:
1. In the left navigation bar, select Route Table under Router/Bridge.
2. Enter 0.0.0.0 in the Destination Address field and 0.0.0.0 in the Destination Mask field.
3. It is often a good idea to use a forwarding interface as the gateway rather than a next hop address. In this way, the route remains valid even if the peer router’s IP address changes. Select Interface and choose the forwarding interface from the pull-down menu.
Figure 14-63. Configuring a Default Route
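Route selection as the static route and default route sections describe it, worked through as an added example (not Secure Router OS code): longest matching prefix first, a 0.0.0.0/0 default route as the last resort, and a primary/backup pair of static routes to one destination where only the lower administrative distance is installed until its gateway becomes unavailable. All addresses and interface names are constructed samples.

```python
"""Route table selection: longest prefix wins, the default route matches
anything, and among static routes to the same destination only the one with
the lowest administrative distance is installed while its gateway is up.
Added example, not Secure Router OS code; addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Route:
    destination: str          # network/prefix; "0.0.0.0/0" is the default route
    gateway: str              # next-hop address or forwarding interface (e.g. "ppp 1")
    admin_distance: int = 1   # static routes default to 1; connected routes use 0 here
    metric: int = 0           # cost of reaching the destination
    kind: str = "static"      # how the route was learned

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.destination, strict=False)


class RouteTable:
    """Configured routes plus the set of gateways whose link is currently down."""

    def __init__(self) -> None:
        self.candidates: List[Route] = []
        self.down: Set[str] = set()

    def add(self, route: Route) -> None:
        self.candidates.append(route)

    def set_link(self, gateway: str, up: bool) -> None:
        """Mark a next hop address or forwarding interface as reachable or not."""
        if up:
            self.down.discard(gateway)
        else:
            self.down.add(gateway)

    def installed(self) -> List[Route]:
        """Routes the router is currently using: per destination, the usable
        route with the lowest administrative distance (then lowest metric)."""
        best: Dict[str, Route] = {}
        for r in self.candidates:
            if r.gateway in self.down:
                continue      # a backup route only appears once the primary is unavailable
            key = str(r.network)
            if key not in best or (r.admin_distance, r.metric) < (
                best[key].admin_distance, best[key].metric
            ):
                best[key] = r
        return list(best.values())

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the installed routes; None means the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.installed() if addr in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: r.network.prefixlen)


def build_sample_table() -> RouteTable:
    """Constructed sample: a LAN, a primary and a floating backup static route
    to a partner network, and a default route out of the PPP interface."""
    t = RouteTable()
    t.add(Route("192.168.1.0/24", "eth 0/1", admin_distance=0, kind="connected"))
    t.add(Route("10.0.0.0/8", "192.168.2.254"))                 # primary, AD 1
    t.add(Route("10.0.0.0/8", "ppp 1", admin_distance=10))      # backup, higher AD
    t.add(Route("0.0.0.0/0", "ppp 1"))                          # default route
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("10.5.5.5", "192.168.1.20", "203.0.113.7"):
        print(dst, "->", table.lookup(dst))
```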
DNS Services
The ProCurve Secure Router automatically acts as a DNS client. You must, however, specify the address for its DNS server or servers. You can also:
■ add entries to the router’s host table for any local hosts whose addresses the router should be able to resolve on its own
■ enable DNS proxy so that the router can act as a name server for clients
■ configure dynamic DNS so that an interface with a dynamic address will automatically update its dynamic DNS service provider when its address changes
Configuring DNS Support
To configure DNS support in the Web browser interface, you should follow this process:
1. In the left navigation bar, select Hostname/DNS under System.
2. If you have not already done so, you can change the router’s hostname. Enter a name that is significant for your network in the Host Name field.
3. Enter your network’s domain name in the Domain field.
4. The Enable DNS Lookup box should be checked. If it is not, select it. This allows the router to act as a DNS client, look up its own requests in the local host table, and send its own DNS requests to an external server.
Figure 14-64. Configuring DNS Settings
5. Enter the IP address for the DNS server to which the router should send queries in the Primary DNS IP Address field. You can enter the address for an optional additional server in the Secondary DNS IP Address field.
6. If you want to enable the router to act as a name server for clients and to forward their queries to an external DNS server, click the Enable DNS Proxy box.
Figure 14-65. Configuring the Local Host Table
7. Configure the router’s local host table:
a. In the Add/Modify/Delete DNS Host Entries window, enter a hostname and the corresponding IP address. The host should be in the router’s default domain, so you do not need to include the domain name. Click Add.
b. The host table automatically includes all of the router’s DHCP clients. (For example, in Figure 14-65, the entry labeled “Dynamic” is a DHCP client.) You can edit or remove the entries for these clients, as well as any entries that you have entered manually. Click the hostname. The interface automatically populates the correct fields with the host’s information. Edit the entry and click Modify.
c. To remove an entry entirely, click the Delete button to its right.
8. Click Apply.
Configuring Dynamic DNS
Networks change, and so may an interface’s IP address. When you connect your router to an ISP, the ISP may require it to receive a dynamic address. The ISP can change this address at any time.
Your customers may need to access devices on your network, such as Web servers, whose addresses are linked to the dynamic public address. However, if this address changes, the hostname stored in DNS servers throughout the Internet will no longer match the device’s actual IP address.
To allow your customers to always use the same hostname to access a device with a dynamic address, you should receive a static hostname from a dynamic DNS service provider. The ProCurve Secure Router supports dynamic DNS with Dynamic Networking Services, Inc., also called DynDNS.
1. Before activating dynamic DNS on an interface, you should go to www.dyndns.org and open an account.
a. When you open an account, you will select a username and password.
b. You will also select a service type. DynDNS currently provides Dynamic and Static DNS services free of charge. If you select Dynamic or Static DNS, you must place the router in one of the 68 domains provided by DynDNS.
Dynamic and Static DNS grant much the same services; however, Static DNS is designed for an interface with an address that does not change or rarely changes.
If you purchase Custom DNS services, you can use your own domain name (either pre-existing or purchased from DynDNS). For more information on the various services, see Chapter 12: Domain Name System (DNS) Services or the DynDNS Web site at www.dyndns.org.
c. When you open the account, you will also specify the domain name the router interface will use.
Figure 14-66. Configuring Dynamic DNS in the Configuration Window for an IP Interface
2. Return to the Web browser interface.
3. Click IP Interfaces under Router/Bridge in the left navigation bar. (If you have not yet configured the logical interface for the connection to the Internet, you must do so. See “Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces” on page 14-46 or “Configuring Ethernet Interfaces” on page 14-31. The interface must also have an IP address, whether a dynamic address assigned by a connecting device or a static address.)
4. The configuration window for the interface will display.
5. By default, Dynamic DNS is disabled. To enable the interface to report to DynDNS when its IP address changes, click the arrow in the Dynamic DNS box. From the pull-down menu that displays, choose the service for which you have registered:
a. Choose DynDNS.org if you have selected Dynamic DNS services.
b. Choose DynDNS.org Static if you have selected Static DNS services.
c. Choose DynDNS.org Custom if you have selected Custom DNS services.
6. Enter the hostname for the device in the Dynamic DNS Hostname box.
7. Enter the username and password you created for your DynDNS account in the Dynamic DNS Username and Dynamic DNS Password boxes.
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) allows hosts, acting as DHCP clients, to receive temporary configurations (such as an IP address, default gateway, and various server addresses) from a DHCP server. DHCP eases configuration and ensures that every device receives a unique address on the proper network. DHCP also conserves IP addresses by assigning them temporarily to active hosts only.
The ProCurve Secure Router can act as a DHCP server. Ethernet interfaces, bridged PPP interfaces, and Frame Relay and ATM subinterfaces can also act as DHCP clients.
Configuring a DHCP Server
You can configure the DHCP server to distribute configurations to an entire connected subnet. You can also configure it to assign a fixed address to a single host.
You create DHCP pools with the configurations that the router will issue to clients. Each pool must include:
■ a network address and subnet mask
■ a default gateway
■ a DNS server
■ a lease time
The pool can also include:
■ a secondary DNS server
■ primary and secondary NetBIOS Windows Internet Naming Service (WINS) servers
■ a TFTP server
■ an NTP server
Configuring a DHCP Pool for a Subnet
Complete these steps:
1. Under System in the left navigation bar, select DHCP Server.
2. You should exclude all IP addresses permanently assigned to devices (such as routers, switches, and servers). Scroll to the second window on the page, (Optional) Add/Delete DHCP Excluded Ranges.
Figure 14-67. Excluding Static Addresses from DHCP Pools
3. Enter the first IP address in the range of excluded addresses in the Start IP Address field. Enter the last address in the range in the End IP Address field. If you want to exclude only one address, enter it in the Start IP Address field and leave the End IP Address field blank. Click Add.
4. You can repeat step 3 to configure multiple ranges of excluded addresses.
5. Move to the Add/Modify/Delete DHCP Server Pool window at the top of the window and create the pool:
a. Under Add New DHCP server pool, enter a name in the Pool Name box that is significant for the subnet or group of users. Click Add.
b. You can also modify an existing pool. The interface displays existing pools under Modify/Delete DHCP server pool. For each pool it lists the name and network address. To edit the pool, click the name.
6. You will move to the DHCP Pool “<poolname>” window.
Figure 14-68. Required Configurations for a DHCP Pool
7. Click the Required Configuration tab:
a. Under IP Addresses, select Assign IP addresses to all DHCP clients on a subnet and complete the Subnet Address and Subnet Mask fields.
b. Under DHCP Options, enter the address for the Default Gateway. This address must be on the subnet specified for the Subnet Address and is typically the router interface that connects to the clients. If you are configuring a DHCP pool (or scope) for a VLAN, the default gateway address should be the IP address on the Ethernet subinterface associated with that VLAN.
c. Enter the IP address for the DNS server that the client should use in the Primary DNS field under DHCP Options.
d. The default lease is 1 day. You can alter this time according to your organization’s policies. Enter the lease time in days, hours, and minutes in the Lease Time field.
8. Click Apply.
Figure 14-69. Optional Configurations for a DHCP Pool
9. Click the Optional Configuration tab to specify optional configurations that the router should send to clients, including:
• domain name
• addresses for:
– secondary DNS server
– primary WINS server (WINS servers translate NetBIOS names to DHCP IP addresses)
– secondary WINS server
– TFTP server
– NTP server
• timezone offset—used if the NTP server and client are in different timezones
10. Click Apply.
Assigning a Single Host a Fixed Address
Sometimes you may want to assign a host a fixed address through a DHCP server. For example, a device that is required to receive its address from a server may also need the stability of a static address to ensure that traffic is forwarded normally.
Figure 14-70. Assigning a Fixed Address to a Single Host
Follow the process outlined in “Configuring a DHCP Pool for a Subnet” on page 14-95. However, in step 7a, select Reserve a fixed address for a single host. Then enter the host’s MAC address and the IP address you wish to assign it. Also enter the subnet mask for the network of the IP address.
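The DHCP server configuration described in “Configuring a DHCP Pool for a Subnet” and “Assigning a Single Host a Fixed Address”, worked through as an added example (not the Secure Router OS DHCP server): excluded ranges (with a blank End IP Address meaning a single address), a pool whose default gateway must lie on its subnet, a fixed reservation for one MAC address, and lease assignment that skips excluded, reserved and already leased addresses. All addresses and MACs are constructed samples.

```python
"""DHCP pool behaviour: excluded ranges, subnet pool with an on-subnet
default gateway, a fixed address reserved for one MAC, and lease assignment.
Added example, not the Secure Router OS DHCP server; all values constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ExcludedRange:
    """One row of the (Optional) Add/Delete DHCP Excluded Ranges window."""
    start: str
    end: Optional[str] = None      # blank End IP Address excludes only the start address

    def __contains__(self, addr: ipaddress.IPv4Address) -> bool:
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end) if self.end else lo
        return lo <= addr <= hi


@dataclass
class Pool:
    """Required configuration of one DHCP pool (the Required Configuration tab)."""
    name: str
    subnet: str                                   # Subnet Address + Subnet Mask, as CIDR
    default_gateway: str
    primary_dns: str
    lease_seconds: int = 24 * 3600                # default lease is 1 day
    reservations: Dict[str, str] = field(default_factory=dict)   # MAC -> fixed IP

    def __post_init__(self) -> None:
        net = self.network
        if ipaddress.ip_address(self.default_gateway) not in net:
            raise ValueError(f"default gateway {self.default_gateway} is not on {net}")
        for mac, ip in self.reservations.items():
            if ipaddress.ip_address(ip) not in net:
                raise ValueError(f"fixed address {ip} for {mac} is not on {net}")

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.subnet, strict=False)


class DhcpServer:
    def __init__(self) -> None:
        self.excluded: List[ExcludedRange] = []
        self.pools: Dict[str, Pool] = {}
        self.leases: Dict[str, str] = {}          # MAC -> leased IP

    def exclude(self, start: str, end: Optional[str] = None) -> None:
        self.excluded.append(ExcludedRange(start, end))

    def add_pool(self, pool: Pool) -> None:
        self.pools[pool.name] = pool

    def assignable(self, pool_name: str) -> List[str]:
        """Addresses the pool may still hand out, in address order."""
        pool = self.pools[pool_name]
        blocked = {pool.default_gateway, *pool.reservations.values(), *self.leases.values()}
        return [
            str(h) for h in pool.network.hosts()
            if str(h) not in blocked and not any(h in rng for rng in self.excluded)
        ]

    def offer(self, pool_name: str, mac: str) -> Optional[str]:
        """Address offered to a client: its reservation, its current lease,
        or the lowest free address; None when the pool is exhausted."""
        pool = self.pools[pool_name]
        mac = mac.lower()
        if mac in pool.reservations:
            return pool.reservations[mac]     # fixed address for a single host
        if mac in self.leases:
            return self.leases[mac]           # a renewing client keeps its address
        free = self.assignable(pool_name)
        if not free:
            return None
        self.leases[mac] = free[0]
        return free[0]


def build_sample_server() -> DhcpServer:
    """Constructed sample: the router, switches and servers in .1 to .10 are
    kept out of the pool, one address is excluded on its own, and a printer
    is given a fixed address."""
    s = DhcpServer()
    s.exclude("192.168.10.1", "192.168.10.10")
    s.exclude("192.168.10.250")                   # End IP Address left blank
    s.add_pool(Pool("office", "192.168.10.0/24", "192.168.10.1", "192.168.10.5",
                    reservations={"02:00:00:00:00:aa": "192.168.10.50"}))
    return s


if __name__ == "__main__":
    srv = build_sample_server()
    for client in ("02:00:00:00:00:aa", "02:00:00:00:00:01", "02:00:00:00:00:02"):
        print(client, "->", srv.offer("office", client))
```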
Configuring an Interface as a DHCP Client
Some service providers, particularly ISPs, require you to take configurations from them. These configurations can include:
■ a temporary IP address
■ a default route
■ a DNS server address
■ a domain name
You can configure the following router interfaces to receive a dynamic address from a service provider or other DHCP server:
■ Ethernet interfaces
■ Frame Relay subinterfaces
■ ATM subinterfaces
■ bridged PPP interfaces
You can prevent the router from receiving a default route, DNS server address, or domain name from the external DHCP server, but you must do so from the CLI. See Chapter 13: Dynamic Host Configuration Protocol (DHCP).
These instructions assume that you have already created the logical interface by selecting the encapsulation method for the physical interface. If you have not done so, see “Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces” on page 14-46. Stop before you assign the logical interface an IP address and return to this section.
Figure 14-71. Enabling the DHCP Client on an Interface
To configure the interface to receive a dynamic address, follow these steps:
1. In the left navigation bar, select IP Interfaces under Router/Bridge.
2. In the IP Interfaces window that appears, select the interface that you want to take the dynamic address. The Configuration window for that interface displays.
3. Scroll to the IP Settings section. Select DHCP from the Address Type pull-down menu.
4. Click Apply.
Configuring UDP Relay
You can configure the ProCurve Secure Router to forward packets destined to certain UDP ports to a helper address. For example, your LAN may include a DHCP server in only one of its VLANs. If your router will be routing between the VLANs, it might receive DHCP discover requests from some clients. You could configure the router to forward these requests to your network’s DHCP server.
Follow these steps to configure UDP relay:
1. Select UDP Relay from the lefthand navigation bar.
2. Move to the IP Helper Address window.
3. Enter the IP address of the server to which the router should forward packets in the IP Helper Address fields.
4. From the Interface pull-down menu, select the interface on which the router will receive the packets that need to be forwarded.
5. Click Add.
6. If necessary, configure the helper address for a different interface. Repeat steps 3 through 5.
Figure 14-72. Configuring the Helper Address for UDP Relay
7. Move to the UDP Forward Protocol window.
8. Select the protocol for the packets that you want the router to forward from the UDP Protocol pull-down menu. For example, you could select bootps (67) to configure the router to forward DHCP requests.
9. Click Add.
10. You can specify multiple protocols by repeating steps 8 and 9.
Figure 14-73. Configuring the Helper Address for UDP Relay
Appendix A: Configuring the Router to Boot from Compact Flash
Updating the Boot Process
If your router was shipped before July 2005, it can be updated to boot from compact flash by default. Follow these steps:
1. Update the router Boot ROM to version J02_02A.biz or later.
2. Load and boot from the updated Boot ROM file (J02_02A.biz or later).
3. Make any necessary changes to the router’s configuration and save the running-config file.
ProCurve> enable
ProCurve# write memory
You now have a current startup-config in flash.
4. Rename the current software file to SROS.BIZ. The file name must be in all capital letters.
Syntax: copy flash J0X_0X.biz flash SROS.BIZ
ProCurve# copy flash J03_01.biz flash SROS.BIZ
5. Copy the SROS.BIZ file and the startup-config file to compact flash. If you are not currently using a compact flash card, go to step 6.
Syntax: copy flash startup-config cflash startup-config
Syntax: copy flash J0X_0X.biz cflash SROS.BIZ
6. Change the primary boot path to boot from compact flash first, and from flash as a backup.
ProCurve# configure terminal
ProCurve(config)# boot system cflash SROS.BIZ flash SROS.BIZ
ProCurve(config)# boot config cflash startup-config flash startup-config
Appendix B: Glossary
Numeric
2B+D 2 Bearer + 1 Data. A method for describing channel designations in ISDN lines. Bearer channels transmit data and voice. Data channels are reserved for signaling information and call control. See also ISDN.
2B1Q 2 Bits 1 Quaternary. A compressed encoding scheme used by BRI ISDN that provides for two bits to be encoded into one quaternary signal. 2B1Q can transmit up to 5.49 km with few signal losses. As a result, 2B1Q requires fewer repeaters on the local loop than E1- and T1-carrier lines require. 2B1Q operates in full-duplex mode.
3DES Triple DES. A well-known public encryption standard that encrypts information multiple times (encrypts, decrypts, and encrypts again). Each phase uses a 56-bit key, making the total key length 168 bits. This 168-bit key provides 2^168, or approximately 3.741e+50, possible combinations. IPSec, the industry standard for VPNs, supports 3DES. See also IPSec and VPN.
10Base-T A standard line-hardware type that uses a twisted-pair cable with maximum lengths of 100 meters. Cables in the 10Base-T system connect with RJ-45 connectors and operate up to 10 Mbps using baseband transmission methods.
100Base-T A standard line-hardware type that operates at 100 Mbps and uses baseband transmission methods based on the older Ethernet standard.
A
AAA Authentication, Authorization, and Accounting. AAA is used to control network access and enforce security policies. Authentication refers to the process of confirming each user’s identity and is accomplished through the use of passwords, keys, and often a Remote Authentication Dial-in User Service (RADIUS) or TACACS+ server. Authorization ensures that the authenticated user can access only the network resources to which that user has rights. Accounting refers to the process of collecting information about how resources are used. The collected information can then be used for trend analysis, billing, or auditing. For more information about AAA, see Request for Comments (RFC) 2989 (at http://www.ietf.org/rfc/rfc2989.txt).
AAL Asynchronous Transfer Mode (ATM) Adaptation Layer. The AAL is the interface between the higher layer protocols and the ATM layer. When relaying information it receives from the higher layer protocols, the AAL segments the data into ATM cells. When relaying information it receives from the ATM layer, the AAL reassembles the payload into a format the higher layers can understand. This process is called Segmentation and Reassembly (SAR). Different classes of AAL have been defined to support different types of traffic or services: AAL1, AAL2, AAL3/4, and AAL5. See also AAL5.
AAL5 ATM Adaptation Layer 5. AAL5 supports services with varying bit rate demands. It offers low bandwidth overhead and simpler processing requirements in exchange for reduced bandwidth capacity and error-recovery capability. AAL5 is used for IP and WAN applications. See also AAL.
ABM Asynchronous Balanced Mode. ABM designates a type of HDLC connection, where devices at both ends of a connection are configured to be both primary and secondary devices. Both devices can establish a link, transmit data without permission, and terminate the link. See also NRM, ARM.
ABR Area Border Router. In a network running the open shortest path first (OSPF) routing protocol, an ABR is a router in the network backbone that has interfaces in more than one area. ABRs are responsible for generating a summary advertisement of the range of networks in a connected stub area, as well as for distributing summary advertisements for other areas to routers in the stub area so that these routers can forward inter-area traffic. ABRs receive traffic from routers in stub areas and route it through the network backbone to the destination area.
ACK Acknowledge, one of the Transmission Control Protocol (TCP) flags, used by one peer to acknowledge that it has received a TCP packet from another peer. ACKs help to maintain TCP’s reliability in initiating, managing, and terminating sessions. For example, setting TCP packets’ ACK flag is part of the three-way handshake used to establish a session between a server and a client. Because TCP requires a peer to receive an acknowledgment before continuing the process, peers can be sure that they have successfully exchanged necessary information with a legitimate peer.
ACL Access Control List. An ACL selects packets according to values in their IP headers, including protocol, source and destination IP address, and source and destination port. Routers compare packets that arrive on an interface against ACLs to determine whether the packet needs special handling. For example, an ACL applied to a quality of service (QoS) map can select traffic for a low-latency queue. An ACL can also be used to select traffic for policy-based routing (PBR), for network address translation (NAT), or for a virtual private network (VPN) connection.
ACP Access Control Policy. An ACP filters the traffic that arrives on an interface, either dropping the traffic selected by an ACL or allowing that traffic to pass.
Address and Control Field Compression An LCP option that allows peers to compress the address and control fields in PPP frames and thus minimize overhead. These fields have static values and are easily compressed.
ADPCM Adaptive Differential Pulse Code Modulation. A technique for converting sound or analog information to binary information by taking frequent samples of the sound and expressing the value in binary terms. Used to convert analog so that it can be sent over DS0, E0, and J0 channels.
ADSL Asymmetric Digital Subscriber Line. A form of DSL that runs on a single pair of wires. Like DSL, ADSL supports the two-way transmission of data over voice lines. However, ADSL is asymmetrical: more bandwidth is reserved for downstream traffic, so data transfer speeds are quicker than upstream data transfer speeds.
ADSL2 ADSL with improved modulation, signal processing and initialization. ADSL2 has faster downstream rates, supports longer distances over the local loop, and uses less power than ADSL. ADSL2 can run on existing ADSL equipment.
ADSL2+ ADSL2 with double the downstream speed and the ability to increase the upstream speed. ADSL2+ doesn’t suffer from the crosstalk problem of ADSL2. ProCurve supports ADSL2+, which provides up to 25 Mbps downstream and 1.5 Mbps upstream data rates. ADSL2+ also reserves channels for analog voice on the local loop (Annex A) or for digital voice over ISDN (Annex B).
AES Advanced Encryption Standard. One of the encryption algorithms that IPSec can use to transform data sent over a VPN tunnel. AES is a symmetric algorithm, which means that the same key is used to encrypt and to decrypt. It is a block cipher with a 128-bit block size and supports 128-, 192-, and 256-bit keys. AES is the current U.S. federal standard (FIPS 197) and is the usual choice over DES and 3DES.
AF Assured Forwarding. A DiffServ per-hop behavior (PHB) group that delivers packets in up to four independently forwarded traffic classes, denoted AF1, AF2, AF3, and AF4, each with three levels of drop precedence. For more information on Assured Forwarding, see RFC 2597 (at http://www.ietf.org/rfc/rfc2597.txt).
Aggressive Mode A mode of Internet Key Exchange (IKE) phase 1 that compresses the six messages main mode needs to negotiate an IKE Security Association (SA) into three. Because peers must send their identities and authentication data before the exchange is encrypted, aggressive mode is less secure than main mode: identities are visible on the wire, and with pre-shared key authentication a captured exchange can be tested offline against candidate keys. It is quicker and less processor-intensive than main mode. See also IKE.
AH Authentication Header. One of the IPSec protocols that can encapsulate packets sent over a VPN tunnel. AH uses a keyed authentication algorithm (an HMAC) to ensure the integrity and origin of the packet contents; it provides no confidentiality. AH authenticates the entire IPSec packet, including the delivery IP header, apart from header fields that legitimately change in transit (such as the TTL). Because the source and destination addresses are covered, AH cannot pass through NAT. See also IPSec.
ALG Application Level Gateway. A protocol-aware proxy between a trusted client behind a firewall and an untrusted host. ALGs analyze and filter packets at the OSI Application Layer and give applications the special handling they need to work through a firewall or NAT (for example, opening the data connection that FTP negotiates inside its control channel). Each application protocol must have its own ALG.
AMI Alternate Mark Inversion. A line-coding scheme used with T1 and E1 connections. Logical zeros are transmitted as zero voltage, and logical ones are transmitted as pulses with alternating polarity.
Analog A continuously varying electrical sinusoidal signal. This signal type is used for voice or data transmission.
ANI Automatic Number Identification. A service that provides the receiver of a telephone call with the number of the calling phone. Also known as Caller ID.
ANSI American National Standards Institute. An organization that fosters the development of technology standards in the United States. For more information on ANSI, visit the ANSI Web site at http://www.ansi.org/.
AO/DI Always On/Dynamic ISDN. A form of ISDN connection that allows the BRI D channel to be used for a low-speed data connection. Because the D channel is always active, this connection is considered always on.
Application Layer Layer 7 of the OSI model. This layer supports application services for file transfers, e-mail, and other network software services. Telnet and FTP are applications that work at the Application Layer.
ARCFour A symmetric encryption algorithm supported by IP Security (IPSec), the industry standard for virtual private networks (VPNs). ARCFour, a compatible implementation of RC4, is a stream cipher that supports keys ranging from 8 to 2048 bits in length. See also IPSec and VPN.
ARM Asynchronous Response Mode. ARM designates a type of High-Level Data-Link Control (HDLC) connection between a primary and secondary device, during which the secondary device can initiate a transmission, but the primary device controls the establishment and termination of the link. See also HDLC.
ARP Address Resolution Protocol. A protocol, used most often on Ethernet networks running IPv4, that maps a network (IP) address to a physical (hardware) address. A host that wants to learn a physical address broadcasts an ARP request onto the local network, and the host that has that IP address replies with its hardware address. ARP has no authentication, so any host on the segment can answer for an address it does not own. For more information about ARP, see RFC 826 (at http://www.ietf.org/rfc/rfc0826.txt).
ARPANET Advanced Research Projects Agency NETwork. The world's first operational packet-switching network, composed mostly of educational entities. ARPANET was a precursor to the Internet.
AS Autonomous system. A network, or group of networks, controlled by a single organization.
ASP Application Service Provider. A company that offers software applications to individuals or enterprises from centralized data centers over the Internet.
Asynchronous A method of data transmission in which devices send data at non-predetermined intervals, framing each character with a start bit and a stop bit so that the receiver can recover the timing.
AT Command Set Hayes Attention Commands. AT commands are modem commands, prefaced by the characters “AT” in the command line code, which control the modem’s dialing, timers, error handling, and tests.
ATCP AppleTalk Control Protocol. A network control protocol (NCP) in the Point-to-Point Protocol (PPP) suite, ATCP is used to exchange AppleTalk packets over a WAN link. See also NCP.
ATM Asynchronous Transfer Mode. A cell relay network protocol that encodes data traffic into small, fixed-size cells instead of variable-size packets. These cells are 53 bytes: 48 bytes of data and 5 bytes of header information. ATM enables the high-speed transfer of voice, video, images, graphics, and data through public and private networks. For more information about ATM, see the ATM specifications at http://www.mfaforum.org/tech/atm_specs.shtml; RFC 2225 (at http://www.ietf.org/rfc/rfc2225.txt) describes IP and ARP over ATM.
Authentication The process of confirming a device’s or a user’s identity before granting a network connection. Authentication can be implemented through the use of passwords or keys. A RADIUS or TACACS+ server can handle authentication for the entire network.
Authentication Protocols Protocols that allow the peers in a connection to verify each other's identity. In the PPP protocol suite, authentication protocols include PAP, CHAP, and EAP. See also CHAP, EAP, PAP, and PPP.
B
BACP Bandwidth Allocation Control Protocol. An NCP in the PPP protocol suite that manages the BAP configuration option. BACP frames determine which peer will be favored in the event of a simultaneous request. Because it is an NCP used in establishing a PPP connection, BACP frames must be exchanged before any BAP frames are exchanged. For more information about BACP, see RFC 2125 (at http://www.ietf.org/rfc/rfc2125.txt). See also BAP, LCP, and NCP.
Bandwidth The amount of data that can flow through a set of transmission lines at a given time. Bandwidth is usually measured in the number of bits per second.
BAP Bandwidth Allocation Protocol. A link-management protocol that can be used with MLPPP. BAP configures, maintains, and terminates individual links in a multilink environment. For more information about BAP, see RFC 2125 (at http://www.ietf.org/rfc/rfc2125.txt). See also MLPPP.
BECN Backward Explicit Congestion Notification. A device in a Frame Relay network sets the BECN bit to notify the sending device (DTE) that the network cannot carry data at the rate the sending device is transmitting it. The sending DTE (usually a router) can then attempt to slow the traffic by buffering frames. See also Frame Relay.
BER Bit Error Rate. In any kind of data transmission, the BER is the ratio of bits that have errors relative to the total number of bits received in a transmission. The BER is usually expressed as 10 to a negative power. For example, a transmission might have a BER of 10 to the minus six, meaning that out of 1,000,000 bits transmitted, one bit was in error.
BERT Bit Error Rate Test. A procedure or device that measures the BER for a given transmission.
BGP Border Gateway Protocol. A protocol for exchanging routing information between autonomous systems (ASs). Routers on the Internet use BGP to route data between providers. BGP routers maintain routing information bases (RIBs), exchange routing updates, and select the best route to each destination. For more information about BGP, see RFC 1771 (at http://www.ietf.org/rfc/rfc1771.txt). See also AS and Routing Information Base.
B-ISDN Broadband Integrated Services Digital Network. An ISDN standard for transmitting simultaneous voice, video, and data over fiber optic lines.
Blowfish A symmetric encryption algorithm supported by IPSec, the industry standard for VPNs. Blowfish is many times faster than DES and supports key lengths up to 448 bits. See also DES, IPSec, and VPN.
BNC Connectors Bayonet Neill Concelman connectors. Also called British Naval Connector, or Bayonet Nut Connector. A type of connector used with coaxial cables such as the RG-58 A/U cable that is used in 10Base-2 Ethernet systems. The basic BNC connector is a male connector, which is placed at each end of a cable. This connector has a center pin connected to the center cable conductor and a metal tube connected to the outer cable shield. A rotating ring outside the tube locks the cable in place.
BONDING Bandwidth ON Demand INteroperability Group. An organization that created and raised awareness about the bonding protocol, which is used for aggregating ISDN channels and links. See also ISDN.
Boot The process of loading and executing the software and commands required to begin device operation.
bps Bits per second. In data communications, bps is a common measure of data speed for computer modem and transmission carriers. As the term implies, the speed in bps is equal to the number of bits transmitted or received each second.
BRI Basic Rate Interface. An ISDN network interface consisting of two 64 Kbps bearer (B) channels and one 16 Kbps signaling (D) channel. The B channels carry data, voice, or video traffic. The D channel is used to set up calls on the B channels and carry packet data. A single BRI connection provides a total of 128 Kbps of data across a twisted pair telephone cable. See also ISDN.
BU Backup. A failover power mechanism that allows a system to keep running in the event of a power failure. This term can also be used to describe a retrievable copy of data that allows the recovery of important work in the event of an equipment failure.
Burstiness Sporadic or sudden high usage of bandwidth.
B8ZS Bipolar 8-Zero Substitution. A line coding scheme used to maintain logical-one density on a T1-carrier line circuit. When a string of 8 zeros is detected, B8ZS inserts two deliberate bipolar violations that replace the 4th and 7th consecutive zero bits. These bipolar violations act as timing bits to prevent synchronization loss. See also T1-carrier line.
C
C-bit Parity A framing format for T3 (DS3) lines. In C-bit parity framing the C-bits, which M13 framing uses for bit stuffing, instead carry path parity, far-end alarm, and performance information for an unmultiplexed DS3 payload.
CA Certificate Authority. A trusted third party that vouches for the identity of parties that want to communicate with one another, by signing their digital certificates. CAs are responsible for generating, distributing, and revoking digital certificates. VeriSign is an example of a public CA.
CAP Carrierless Amplitude/Phase. An ADSL modulation technique that divides the available bandwidth into three channels: analog voice over 0-4 kHz, upstream traffic over 25-160 kHz, and downstream traffic over 240 kHz-1.5 MHz. By creating three widely separated channels, CAP minimizes interference between the channels on one line and different lines. See also ADSL and DMT.
CAR Committed Access Rate. A QoS mechanism for policing traffic. You can set the classification for packets, limit the bandwidth according to the traffic classification, and then set parameters for how traffic is to be handled when it matches or exceeds the set rate limit (for example, dropped or re-marked). See also QoS.
CAST-128 Named for its designers, Carlisle Adams and Stafford Tavares. A symmetric encryption algorithm supported by IPSec, the industry standard for VPNs. CAST-128 is a block cipher with a 64-bit block and a variable key size of 40 to 128 bits. See also IPSec and VPN.
CBQ Class-Based Queuing. A QoS mechanism that is used to avoid traffic congestion across a WAN line. CBQ is an open packet-scheduling algorithm that enables different queues to be set up for different traffic classes. Bandwidth can then be statically assigned to each queue. See also QoS.
CBR Constant Bit Rate. A quality of service class that specifies a constant data output rate. CBR is useful for streaming multimedia content on limited-capacity channels, because what matters there is the peak bit rate rather than the average bit rate: the reserved capacity is available to the stream at all times. See also QoS.
CCP Compression Control Protocol. Part of the PPP suite, CCP configures, enables, and disables data compression algorithms on both ends of a point-to-point link. For more information about CCP, see RFC 1962 (at http://www.ietf.org/rfc/rfc1962.txt).
CCITT Consultative Committee for International Telegraph and Telephone. The CCITT, now known as the International Telecommunications Union–Telecommunications Standardization Sector (ITU-T), is an international body that fosters cooperative standards for telecommunications equipment and systems.
CDMA Code Division Multiple Access. A digital cellular technology that uses spread-spectrum techniques. CDMA does not assign a specific frequency to each user. Instead, every channel uses the full available spectrum, spreading the signal over the entire available bandwidth. Multiple calls are overlaid over each other on the channel, and each one is assigned a unique sequence code.
CEPT Conference of European Postal and Telecommunications. A standardizing body. For more information about CEPT, see the CEPT website at http://www.cept.org.
CEPT Hierarchy The signal hierarchy used with E-carrier lines. See also E1-carrier line and E3-carrier line.
Table 2-1. CEPT signal hierarchy
Physical carrier   Digital signal   E0 multiple   E1 multiple   Transmission rate
—                  E0               1             —             64 Kbps
E1                 E1               32            —             2.048 Mbps
E2                 E2               128           4             8.448 Mbps
E3                 E3               512           16            34.368 Mbps
E4                 E4               2048          64            139.264 Mbps
E5                 E5               8192          256           565.148 Mbps
Certificate See Digital Certificate.
Channelized A circuit that is created by multiplexing and demultiplexing voice and/or data using analog or digital techniques.
CHAP Challenge Handshake Authentication Protocol. An authentication protocol that is supported by PPP. The authenticator sends the peer a challenge consisting of an identifier and a random value. The peer computes a one-way hash over the identifier, its pre-shared secret, and the challenge value and returns the result; the authenticator computes the same hash from its own copy of the secret and compares the two. If they match, authentication succeeds, and the link is established. The secret itself never crosses the link, but the authenticator must store it in recoverable form, and a captured challenge and response can be tested offline against candidate secrets, so the secret must be strong. For more information about CHAP, see RFC 1994 (at http://www.ietf.org/rfc/rfc1994.txt); the Microsoft variant, MS-CHAPv2, is described in RFC 2759 (at http://www.ietf.org/rfc/rfc2759.txt). See also PAP and PPP.
CIDR Classless Inter-Domain Routing. An IP addressing scheme that replaces the older system based on class A, B, and C addresses. With CIDR, a single prefix designates a whole block of addresses. A CIDR prefix is written as an IP address followed by a slash and the prefix length, which gives the number of leading bits shared by every address in the block; the shorter the prefix, the more addresses it covers. A /12 prefix, for example, covers 2^20 = 1,048,576 addresses, the equivalent of 4,096 former Class C networks. Because prefixes can be aggregated, CIDR reduces the size of routing tables, and because blocks can be sized to need, it makes more IP addresses available to organizations. For more information about CIDR, see RFC 1519 (at http://www.ietf.org/rfc/rfc1519.txt).
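The CHAP entry above describes the challenge/response exchange in words. The following Python is an added example, not code from the ProCurve manual or the router, that carries out the RFC 1994 exchange with MD5 for both sides and then shows what a passive listener on the PPP link can do with one captured challenge/response pair. The peer names, secrets, and word list are made up for the example.

```python
# Added example (not from the ProCurve manual): the CHAP exchange of
# RFC 1994 with MD5, followed by the offline dictionary attack that a
# captured challenge/response pair allows. Names and secrets are made up.
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || Challenge value), RFC 1994 s.4.1."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def build_challenge(identifier: int, name: bytes = b"router-a") -> dict:
    """Authenticator side: a fresh, unpredictable challenge for each attempt."""
    return {"id": identifier, "value": os.urandom(16), "name": name}


def build_response(challenge: dict, secret: bytes, name: bytes) -> dict:
    """Peer side: prove knowledge of the shared secret without sending it."""
    value = chap_response(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": value, "name": name}


def verify_response(challenge: dict, response: dict, secrets: Dict[bytes, bytes]) -> bool:
    """Authenticator side: recompute the hash and compare in constant time.

    The authenticator needs the peer's secret in recoverable form to do
    this, which is the price of CHAP never sending the secret on the wire.
    """
    secret = secrets.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_response(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def run_exchange(peer_secret: bytes, secrets: Dict[bytes, bytes],
                 peer_name: bytes = b"router-b") -> bool:
    """One complete Challenge / Response / Success-or-Failure round."""
    challenge = build_challenge(identifier=1)
    response = build_response(challenge, peer_secret, peer_name)
    return verify_response(challenge, response, secrets)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                              wordlist: Iterable[bytes]) -> Optional[bytes]:
    """What an eavesdropper can do with one captured pair: try candidate
    secrets until one reproduces the response. Nothing in CHAP limits the
    rate of these guesses, so the strength of the secret is the only defence."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


SECRETS = {b"router-b": b"correct-horse-battery"}   # authenticator's secret database

if __name__ == "__main__":
    print("good secret:", run_exchange(b"correct-horse-battery", SECRETS))
    print("bad secret: ", run_exchange(b"guess", SECRETS))
    captured_id, captured_chal = 7, bytes(range(16))            # constructed capture
    captured_resp = chap_response(captured_id, b"welcome1", captured_chal)
    print("recovered:", offline_dictionary_attack(
        captured_id, captured_chal, captured_resp, [b"password", b"welcome1", b"letmein"]))
```

The attack function is the reason CHAP secrets on a WAN link should be long random strings rather than words: the eavesdropper never has to talk to the router, so neither lockouts nor logging will notice the guessing.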
Cipher Text Encrypted data.
CIR Committed Information Rate. For Frame Relay networks, the CIR is the bandwidth that the carrier guarantees to be available for a particular PVC under normal circumstances. Typically, the CIR is specified in the Frame Relay SLA. See also EIR, Frame Relay, PVC, and SLA.
Circuit-Level Gateways This type of firewall operates at the OSI Session Layer. A circuit-level gateway monitors the TCP handshakes between trusted clients or servers and untrusted hosts (and vice versa) to determine whether a requested session is legitimate. The session is accepted only if the SYN and ACK flags and the sequence numbers in the handshake are consistent with a valid TCP connection setup; once accepted, the gateway relays the session's packets without inspecting their contents.
Clear Text Unencrypted text.
CLEC Competitive Local Exchange Carrier. In the United States and Canada, a CLEC is a company that competes with the already established local telephone business by providing its own network and switching. The term distinguishes new or potential competitors from established local exchange carriers. The existence of CLECs arises from the Telecommunications Act of 1996, which was intended to promote competition among both long-distance and local phone service providers.
CLI Command Line Interface. The interface that allows an administrator to enter line commands to interact with and configure the router.
CO Central Office. The service provider’s office to which a subscriber’s home and business lines are connected through the local loop. The CO has equipment that can switch calls locally or to long-distance carrier phone offices.
Coaxial Cable This cable consists of a center wire that is surrounded by insulation, which is encased in a grounded shield of braided wire. The shield minimizes electrical and radio frequency interference.
Compression The process of reducing information size or transmission bulk without affecting information content.
Configure To define the parameter values that allow network equipment to run in the manner required for a particular environment.
Console A terminal attached to a minicomputer, network device, or mainframe that is used to configure and monitor the status of the system.
CoS Class of Service. A method of managing traffic in a network by grouping similar types of traffic together and treating each group as a class with its own level of service priority. See also QoS.
CPE Customer Premises Equipment. The public carrier access equipment that a customer must purchase and maintain. This equipment is not maintained or owned by the Local Exchange Carrier. Some examples of this equipment are CSU/DSUs, modems and telephones.
CRC Cyclic Redundancy Check. A method of detecting errors in data transmitted between two devices. The sending device divides the data by a 16- or 32-bit polynomial, appends the resulting remainder (the cyclic redundancy code) to the data, and then sends both. The receiving device applies the same polynomial and compares its result with the appended code; if the two do not match, the data was corrupted in transit. A CRC is not keyed, so it protects only against accidental errors: anyone who alters the data can recompute a matching CRC. Integrity against deliberate tampering requires a keyed hash such as the HMAC used by AH. See also AH.
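The difference between the CRC described here and the keyed authentication AH provides (see the AH entry) is easiest to see by attacking both. The following Python is an added example, not code from the ProCurve manual or the router: it appends a CRC-32 trailer to a frame, appends a keyed HMAC trailer of the kind AH carries (AH's HMAC-MD5-96 and HMAC-SHA-1-96 keep the first 96 bits of the tag; HMAC-SHA-256 truncated the same way stands in for them here), and then subjects both to a line error and to an active attacker. The payload and key are made up for the example.

```python
# Added example (not from the ProCurve manual): why a CRC is an error
# check and not an integrity protection. The keyed trailer is a stand-in
# for AH's 96-bit truncated HMAC (RFC 2403/2404), using HMAC-SHA-256.
import hashlib
import hmac
import zlib

TAG_LEN = 12   # 96-bit truncated tag, as in RFC 2403/2404


def crc_frame(payload: bytes) -> bytes:
    """Append a CRC-32 the way a link layer does."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_check(frame: bytes) -> bool:
    payload, tag = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == tag


def mac_frame(key: bytes, payload: bytes) -> bytes:
    """Append a keyed, truncated HMAC; only a key holder can produce it."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def mac_check(key: bytes, frame: bytes) -> bool:
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)


def flip_bit(frame: bytes, bit: int) -> bytes:
    """A line error: one payload bit changed, trailer left alone."""
    data = bytearray(frame)
    data[bit // 8] ^= 1 << (bit % 8)
    return bytes(data)


def tamper_crc_frame(frame: bytes, old: bytes, new: bytes) -> bytes:
    """An active attacker edits the payload and simply recomputes the CRC."""
    return crc_frame(frame[:-4].replace(old, new))


def tamper_mac_frame(frame: bytes, old: bytes, new: bytes) -> bytes:
    """The same edit against an HMAC frame: without the key the attacker
    can only reuse the old tag, which no longer matches the payload."""
    return frame[:-TAG_LEN].replace(old, new) + frame[-TAG_LEN:]


PAYLOAD = b"transfer 100 to acct 4711"   # constructed payload
KEY = b"\x13" * 32                        # constructed shared key

if __name__ == "__main__":
    f = crc_frame(PAYLOAD)
    print("CRC  detects line error:", not crc_check(flip_bit(f, 5)))
    print("CRC  detects tampering: ", not crc_check(tamper_crc_frame(f, b"100", b"900")))
    g = mac_frame(KEY, PAYLOAD)
    print("HMAC detects line error:", not mac_check(KEY, flip_bit(g, 5)))
    print("HMAC detects tampering: ", not mac_check(KEY, tamper_mac_frame(g, b"100", b"900")))
```

Both trailers catch the flipped bit; only the keyed one catches the rewritten amount. That is why a link-layer CRC passing says nothing about whether a packet is the one the far end sent, and why AH and ESP carry an HMAC rather than a checksum.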
CRC4 A framing format supported by a separate framing channel in E1 technology. CRC4 is based on the E1 frame format but includes additional error detection. A checksum bit is included in all even frames: frames 0, 2, 4, 6, 8, 10, 12, and 14. A total of 8 checksum bits is used. See also E1 frame format.
Crossover Cable Also called a null-modem cable. A specially designed cable that allows a user to connect two computers directly to each other via their communications (RS-232) ports.
Crypto Map In a ProCurve Secure Router environment, a crypto map defines parameters for the IKE and IPSec SA negotiation for a VPN. See also IKE, IPSec, SA and VPN.
CSS Controlled Slip Second. An error designation that describes a one-second interval containing one or more controlled slips. A controlled slip is the replication or deletion of the payload bits of a DS1 or E1 frame, and may be caused by a difference between the timing of a synchronous receiving terminal and the received signal.
CSU Channel Service Unit. Used in carrier-line connections, the CSU is a device that provides signal generation/regeneration. A CSU provides local loop equalization, transient protection, isolation, and Central Office (CO) loopback testing capability. In the United States and Canada, the CSU is sometimes provided in conjunction with the DSU and referred to as the CSU/DSU. See also DSU.
CVoDSL Channelized Voice over DSL. An ADSL feature that eliminates the need to use IP or ATM to encapsulate voice. CVoDSL is transmitted directly to the voice switch at the public carrier’s CO.
D
D4 A superframe format used on T1-carrier lines. A D4 superframe consists of 12 193-bit frames.
DACS Digital Access and Cross-connect System (US). In the United States, a DACS is a telecommunications device used to route T1-carrier lines. A DACS uses D3/D4 framing to cross-connect any T1 DS0 channel (or a complete T1-carrier line) in the system with any other T1 DS0 channel or line also in the system. DACS can also be used with SONET.
DACS Digital Access Carrier System (UK). A digital system in the UK that provides two subscriber lines over one copper twisted pair wire. DACS works by digitizing the analog signal and sending the combined digital information for both lines over the same copper pair between the exchange and the pole. The cost of the DACS equipment is significantly less than the cost of installing additional copper pairs; however, the maximum speed of an analog modem is reduced on a line that uses DACS. This is because DACS involves an additional conversion between analog and digital signaling.
Data Link Layer Layer 2 of the OSI model. At this layer, data frames are encoded into and decoded from bits. The Data Link Layer is divided into two sublayers: the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sublayer controls how a computer on the network gains access to the transmission medium and permission to transmit on it. The LLC layer controls frame synchronization, flow control, and error checking. See also OSI.
Data Link Layer Protocols Protocols that operate at the Data Link Layer of a network. Data Link Layer protocols provide service for Network Layer operations.
DBU Dial Back-Up. DBUs provide connection recovery and dial-up redundant connectivity in case a primary WAN connection circuit fails.
DB-9 A nine-pin serial connector with a roughly trapezoidal (D) shape, also called DE-9. This connector is often used for serial interfaces.
D-sub 9 connector
DB-25 A 25-pin D-shaped serial connector. This connector is often used with printer serial cables and serial connections.
DB-25 connector
DCE Data Communications Equipment. A device that communicates with a DTE device. In a Frame Relay network, the DCE is the Frame Relay switch, which establishes and maintains the Frame Relay connection. When the DCE receives frames from the DTE, it converts the frames into signals supported by the physical media of the Frame Relay network. The DCE also reads the DLCI on incoming packets, checks its switch lookup table, and then forwards data to the appropriate outgoing port—which leads to the correct virtual endpoint. See also DTE.
DE bit Discard Eligibility bit. A Frame Relay header mark indicating that a particular frame may be discarded in preference to other frames if congestion occurs. When a subscriber exceeds the CIR, the frames transmitted in excess of the CIR are marked with the DE bit. See also CIR.
Decryption The process of decoding data that has been encrypted. Decryption requires a string of characters, called a key, and an algorithm.
Dedicated Circuits A WAN access circuit that is reserved for the use of a single subscriber. When the bandwidth is not in use, it remains idle.
[Connector pinout figures: D-sub 9 male and female, pins 1-5 on the upper row and 6-9 on the lower row, with the numbering mirrored on the female; DB-25 male and female, pins 1-13 on the upper row and 14-25 on the lower row, likewise mirrored.]
Demarc Point of demarcation. The point at which the public carrier’s network ends and the subscriber’s local network begins.
DES Data Encryption Standard. DES is a published encryption algorithm that uses a 56-bit symmetric key to encrypt data in 64-bit blocks. A 56-bit key is too short against current attackers (exhaustive search of the DES key space has been demonstrated in practice), so single DES should not be relied on to protect VPN traffic. IPSec, the industry standard for VPNs, supports 3DES, which applies DES three times with independent keys. See also 3DES, IPSec, and VPN.
DHCP Dynamic Host Configuration Protocol. A protocol that allows network admin-istrators to set up a server that manages IP addresses, automatically assigning IP addresses to devices on the network. For more information about DHCP, see RFC 2131 (at http://www.ietf.org/rfc/rfc2131.txt).
Diffie-Hellman A method for two hosts to agree on a shared secret key without sending it over the connection, where it could be intercepted. Each host chooses a private value and derives a public value from it by modular exponentiation with a large prime and an agreed base. The hosts exchange public values, and each combines the other's public value with its own private value; the mathematics guarantees that both arrive at the same result, while an eavesdropper who sees only the public values cannot. Diffie-Hellman by itself does not authenticate the peers, so IKE combines it with pre-shared keys or certificates to rule out a man-in-the-middle. See also IKE.
DiffServ Differentiated Services. A QoS mechanism for classifying traffic and determining forwarding behavior. DiffServ redefines the Type of Service (ToS) field in the IPv4 header as the Differentiated Services (DS) field. With DiffServ, traffic can be assigned to one of up to 64 traffic classes (the six-bit DSCP takes the values 0 through 63), and each traffic class is granted service based on the per-hop behavior assigned to its DiffServ value. For more information about DiffServ uses and values, see RFC 3260 (at http://www.ietf.org/rfc/rfc3260.txt).
Digital Certificates An electronic document that contains a public key and is digitally signed by a third-party issuer such as a CA. Digital certificates are used for network authentication. They contain the certificate holder's name, a serial number, the validity dates, and a copy of the certificate holder's public key (used for encrypting and decrypting messages). See also CA.
Digital Signal Hierarchies Hierarchies that determine the combinations of channels that compose the bandwidths for an E-, J-, or T-carrier line. In Europe, Asia (except Japan), South America, and Australia, the CEPT hierarchy is used. In Japan, the J-carrier signal hierarchy is used for voice transmissions. In the United States and Canada, the DSX hierarchy is used.
DLC Digital Loop Carrier. Equipment that bundles a number of individual phone line signals into a single multiplexed digital signal. This signal includes local traffic moving between a CO and a business complex or other outlying service area. See also CO.
DLCI Data Link Connection Identifier. In a Frame Relay network, the DLCI is a 10-bit field within the address field that specifies the PVC path that a particular frame takes. DLCIs have only local significance; the value is changed at each switch. DLCI values can be from 0 to 1023. Values 16-991 are reserved for subscribers to assign to virtual circuits. DLCI values of 0 and 1023 are reserved for use by Frame Relay management protocols.
DMT Discrete MultiTone. The standard ADSL modulation technique. Bandwidth is divided into 256 subchannels (bins) of approximately 4 kHz each. In Annex A, subchannels 1-6 are reserved for analog voice. In Annex B, subchannels 1-30 are reserved for ISDN traffic. The rest of the subchannels are used for ADSL data except for channel 0 and channel 256, which cannot be used for analog voice or data. See also ADSL and CAP.
DMZ De-Militarized Zone. A small subnetwork between a trusted internal network and an untrusted external network. The DMZ is placed to provide an additional layer of security and separation between the two networks.
DN Directory Number. The telephone number assigned to an ISDN receiver.
DNIS Dialed Number Identification Service. A telephone service that provides the caller’s number to the call receiver. DNIS is a common feature of 800 and 900 lines. If there are multiple 800 or 900 lines for the same company, DNIS tells which number was called.
DNS Domain Name System. A system that translates host names to their associated IP addresses and distributes this information throughout the Internet. DNS allows users to enter a name, which is much easier to remember than an IP address, into a browser while giving network devices a way to resolve that name to its IP address. For more information, see RFC 3696 (at http://www.ietf.org/rfc/rfc3696.txt).
Domain Name The name, as used in URLs, associated with a particular IP address (or group of IP addresses).
DoS Denial of Service. A type of attack designed to disable a server or network service by bombarding it with service requests. DoS attacks prevent legitimate users from accessing the resource.
DSA Digital Signature Algorithm. A U.S. government standard for creating and verifying secure digital signatures. Digital signatures authenticate electronic documents. One such document is a digital certificate, which peers in a VPN use to authenticate each other.
DSCP Differentiated Services Code Point. The six bits of the DS field in the IP header, giving 64 possible values (0 through 63) that identify a packet's traffic class and the per-hop behavior it receives. For more information about DSCP values and usage, see RFC 2983 (at http://www.ietf.org/rfc/rfc2983.txt). See also DiffServ.
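The AF, DiffServ, and DSCP entries describe the DS field and the AF classes without showing how the bits fit together. The following Python is an added example, not code from the ProCurve manual or the router: it packs and unpacks the DS byte as laid out in RFC 2474 (DSCP in the upper six bits, ECN in the lower two), derives AF code points from class and drop precedence per RFC 2597, and classifies a constructed IPv4 header the way a DiffServ-aware queue would. The header bytes and addresses are made up for the example.

```python
# Added example (not from the ProCurve manual): DS field layout (RFC 2474)
# and AF code point arithmetic (RFC 2597) applied to a constructed IPv4
# header. EF is the Expedited Forwarding code point of RFC 3246.
import struct
from typing import Tuple

EF = 46


def encode_ds(dscp: int, ecn: int = 0) -> int:
    """DS byte = DSCP in the upper six bits, ECN in the lower two."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("DSCP is 6 bits (0-63), ECN is 2 bits (0-3)")
    return (dscp << 2) | ecn


def decode_ds(byte: int) -> Tuple[int, int]:
    """Split a DS byte back into (DSCP, ECN)."""
    return byte >> 2, byte & 0x3


def af_codepoint(af_class: int, drop_precedence: int) -> int:
    """AFxy = 8*x + 2*y, with class x in 1..4 and drop precedence y in 1..3."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in (1, 2, 3):
        raise ValueError("AF classes are 1-4, drop precedences 1-3")
    return 8 * af_class + 2 * drop_precedence


def dscp_name(dscp: int) -> str:
    """Name a code point: EF, AFxy, CSx (class selector), or the raw value."""
    if dscp == EF:
        return "EF"
    if dscp % 8 == 0:
        return "CS%d" % (dscp // 8)           # CS0 is plain best effort
    hi, lo = divmod(dscp, 8)
    if 1 <= hi <= 4 and lo in (2, 4, 6):
        return "AF%d%d" % (hi, lo // 2)
    return "DSCP %d" % dscp


def ipv4_header(tos: int, src: bytes, dst: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (UDP, TTL 64) with the given DS byte; no checksum."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0, src, dst)


def classify(header: bytes) -> str:
    """What a DiffServ-aware queue reads from the second byte of the header."""
    dscp, _ecn = decode_ds(header[1])
    return dscp_name(dscp)


if __name__ == "__main__":
    src, dst = b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02"   # 192.0.2.1 -> 192.0.2.2
    voice = ipv4_header(encode_ds(EF), src, dst)
    bulk = ipv4_header(encode_ds(af_codepoint(1, 3)), src, dst)
    print(hex(voice[1]), classify(voice))
    print(hex(bulk[1]), classify(bulk))
```

Because the DS byte is set by whoever builds the packet, a router should re-mark or police traffic arriving from untrusted interfaces rather than queue it on the DSCP it carries; an outside host can otherwise mark its own bulk traffic EF and jump the low-latency queue.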
DSL Digital Subscriber Line. A broadband technology, DSL provides high-speed WAN connections over existing local loops. Two types of DSL technologies are available: symmetric DSL, which dedicates the same amount of data to upstream and downstream transmissions, and asymmetric DSL, which dedicates most of the available bandwidth to downstream transmissions.
DSLAM Digital Subscriber Line Access Multiplexer. A network device, usually at a service provider’s central office (CO), that receives signals from multiple customer DSL connections and puts the signals on the high-speed infrastructure backbone using multiplexing techniques.
DS0 Digital Signal Zero. DS0 is a digital channel operating at 64 Kbps, the amount of bandwidth required to transmit a single analog voice call through a digital telecommunications network. DS0 is the fundamental unit of bandwidth—the fundamental channel—in all copper-based T-, E-, and J-carrier systems. In E-carrier systems, DS0 is called E0, and in J-carrier systems, DS0 is called J0. However, the basic signal is virtually identical in all three carrier systems.
DS1 Digital Signal at the First Level. A bipolar signal combination of 24 DS0s that is transmitted at 1.544 Mbps. Also called T1.
DSU Digital Service Unit. The DSU accepts data from the router at the customer’s premises and translates it from the signaling format used on the LAN to the format necessary for transmission on the WAN. In the United States and Canada, the public carrier may provide the DSU in conjunction with the CSU. In this case, it is referred to as the CSU/DSU.
DSS Digital Signature Standard. The U.S. federal standard (FIPS 186) that specifies the DSA for creating and verifying digital signatures, which authenticate electronic documents such as digital certificates. A DSS signature is created and verified with a pair of asymmetric keys: the private key, known only to the signer, produces the signature over the certificate, and the public key, which can be distributed to any host, verifies it.
DSX Hierarchy Digital Signal X. The signal hierarchy used with T-carrier systems.
Table 2-2. Digital Signal X (DSX) hierarchy
Physical carrier   Digital signal   DSX interface   DS0 multiple   T1 multiple   Transmission rate
—                  DS0              —               1              —             64 Kbps
T1                 DS1              DSX-1           24             —             1.544 Mbps
T2                 DS2              DSX-2           96             4             6.312 Mbps
T3                 DS3              DSX-3           672            28            44.736 Mbps
T4                 DS4              DSX-4           4032           168           274.176 Mbps
T5                 DS5              DSX-5           8064           336           560.160 Mbps
DSX-1 Digital Signal X-1. A 1.544 Mbps T1 connection.
DTE Data Terminal Equipment. A device that controls data flowing to or from a computer. On a Frame Relay network, the DTE receives data from the LAN in the form of packets of various protocols and encapsulates each packet into a Frame Relay frame. The frame header carries a Data Link Connection Identifier (DLCI), which identifies the virtual circuit on which the frame travels toward its destination. See also DCE and DLCI.
DTMF Dual Tone Multi-Frequency. The signal to the phone company that is generated when ordinary telephone touch keys are pressed. In the United States, this is known as "touch-tone" dialing.
DVB Digital Video Broadcasting. A suite of internationally accepted, open standards for digital television maintained by the DVB Project, an industry consortium with more than 300 members. The DVB standards use current, existing satellite, cable and terrestrial infrastructures.
DVMRP Distance Vector Multicast Routing Protocol. An OSI Layer 3 multicast routing protocol for use within a single AS. DVMRP generates a multicast routing table and forwards packets accordingly. It uses Internet Group Management Protocol (IGMP) messages to exchange information with other routers. For more information, see RFC 1075 (at http://www.ietf.org/rfc/rfc1075.txt).
DWDM Dense Wavelength Division Multiplexing. A technology that puts data from different sources together on optical fiber. Each signal is carried on its own separate light wavelength, and up to 80 (and theoretically more) separate wavelengths or channels of data can be multiplexed into a lightstream transmitted on a single optical fiber. In a system with each channel carrying 2.5 Gbps, up to 200 billion bits can be delivered per second by the optical fiber. DWDM is also sometimes called Wave Division Multiplexing (WDM). For information about IP over optical networks, see RFC 3717 (at http://www.ietf.org/rfc/rfc3717.txt).
E
E0 The base bandwidth multiple of E-carrier systems. E0 channels can transmit at up to 64 Kbps.
E1-carrier line Provides a dedicated WAN connection. This multiplexed carrier-line includes 32 E0 channels for a total bandwidth of 2.048 Mbps. E-1 carrier lines are offered in Europe, Asia, Australia, and South America. (In Japan, PTTs offer J-carrier lines for voice and T1- or E1-carrier lines for data.) See also PTT.
E1 frame format A frame format used for E1-carrier lines. In the E1 frame format, a channel (or timeslot) is called a TS, and the 32 channels are numbered TS0 to TS31. Two channels are used to establish and maintain synchronization and signaling: Specifically, TS0 is used for synchronization, error detection, and alarms, and TS16 is used for signaling. The other channels are used to transmit data.
E3-carrier line A carrier line that includes 512 E0 channels (or 16 E1 channels) for a total transmission rate of 34.368 Mbps.
EAP Extensible Authentication Protocol. A protocol that allows PPP to use authentication protocols that are not part of the PPP suite. For more information about EAP, see RFC 3748 (at http://www.ietf.org/rfc/rfc3748.txt). See also CHAP, PAP, and PPP.
eBGP External Border Gateway Protocol. A BGP routing protocol that allows external route broadcasting to routers in other Autonomous Systems. See also BGP.
Echo Cancellation In digital voice transmissions over packet-based networks, echo cancellation is a technique that filters unwanted signals called “echoes.” Echoes are usually generated by background noise or hybrid/acoustic noise.
ECP Encryption Control Protocol. An NCP in the PPP suite that allows you to configure options for encrypting PPP datagrams. ECP is responsible for negotiating and managing the use of encryption on a PPP link. For more information about ECP, see RFC 1968 (at http://www.ietf.org/rfc/rfc1968.txt). See also NCP and PPP.
EGP Exterior Gateway Protocol. The first exterior LAN routing protocol used on the Internet. EGP’s basic functions are to identify neighbors and share reachability information, poll neighbors to determine if they’re still available, and advertise system information. Because EGP cannot determine the best route to send WAN traffic, BGP replaced it as the routing protocol for the Internet. For more information about EGP, see RFC 827 (at http://www.ietf.org/rfc/rfc0827.txt). See also BGP.
EIR Excess Information Rate. In a Frame Relay network, the EIR is the bandwidth, in excess of the CIR, that the carrier attempts to deliver when the virtual circuit is not congested. This rate is not guaranteed and is delivered on a best-effort basis. See also CIR and Frame Relay.
Line Encoding A binary format for data transmission over a carrier-line. E-carrier systems use HDB3 and AMI line encoding schemes; T-carrier systems use the B8ZS and AMI line encoding schemes.
Encryption Scrambling data in such a way that it can be unscrambled only through the application of the appropriate key.
Encryption Control Protocol See ECP.
Endpoint Discriminator In an MLPPP connection, the endpoint discriminator allows the router to determine whether an incoming packet is part of an already established multilink bundle or part of a new bundle. Aggregated links in a multilink bundle share the same endpoint discriminator. See also MLPPP.
ESF Extended Superframe Format. Used on T-carrier lines, ESF combines 24 consecutive 193-bit frames into an extended superframe. ESF uses the 193rd bit to provide maintenance and diagnostic functions.
ESP Encapsulating Security Payload. An IPSec security protocol that encrypts the packet payload before transmission. ESP can also provide limited authentication services for the packet payload only. For more information about ESP, see RFC 2406 (at http://www.ietf.org/rfc/rfc2406.txt). See also IPSec and VPN.
ETSI European Telecommunications Standards Institute. A standardization organization composed of equipment makers and network operators. For more information about ETSI, visit the Web site at http://www.etsi.org/.
F
FDL Facility Data Link. In T-carrier lines that use the ESF frame format, this out-of-band channel is used to transmit line diagnostics information. See also ESF.
FDM Frequency Division Multiplexing. A telecommunications technique in which numerous voice channels are combined for transmission on a single physical line. Each channel is assigned a different frequency (subchannel) spaced four kHz apart, and the composite signal is transmitted over the line. Modern telecommunications systems use digital signaling and TDM instead of FDM.
FECN Forward Explicit Congestion Notification. The DTE sending data can set this bit to indicate that the network is experiencing congestion and the destination DTE should stop sending so many requests for data. See also Frame Relay and BECN.
Fiber Optics An optical transmission medium consisting of thin, plastic or glass strands that reflect light pulses within their interior core all along their length. Fiber optics can provide a great deal of bandwidth.
Fiber Optic Carrier Network A network that supports fiber optic voice and data transmission.
Field A space allocated in a protocol header or packet for a particular item of information.
FIFO First In First Out. A queuing method that sends packets over a line strictly according to the order in which they were received. FIFO does not require the receiver to reassemble out-of-order packets because packets always arrive in order.
Firewall A security device that establishes a barrier between a trusted and an untrusted network. The firewall contains designated network traffic within a specified area and protects the interior network from unauthorized traffic. Depending on its type, the firewall may screen packets at the Network, Session, or Application Layer, or some combination of these layers. For example, a firewall can be programmed to drop certain kinds of external traffic destined to the private network or to monitor TCP sessions and ensure that they are legitimate.
Flash A solid-state electronic memory device that does not lose information when no longer connected to a power source.
FQDN Fully-Qualified Domain Name. An FQDN is a domain name that includes both a hostname and domain name. For example, www.ProCurve.com is a fully-qualified domain name. The hostname is www, and ProCurve is the domain name within the top-level domain, com.
FRAD Frame Relay Assembler/Disassembler. A generic name for a device that encapsulates packets in Frame Relay headers to prepare them for transmission across a Frame Relay network. (The device also decapsulates incoming packets.) The router or other DTE that connects to the Frame Relay network usually includes the FRAD.
Frame A packet of information that has been encapsulated by a Data Link Layer protocol. Each Data Link Layer protocol defines a frame header, which includes the information that the receiver needs to process the frame and recover the data in the encapsulated packet. Devices must use the same data link layer protocol in order to exchange frames.
Frame Formatting The format that a Physical Layer protocol gives to frames sent across a carrier line. Frame formatting defines how a device transmits bits over multiplexed carrier lines so that the device at the other end of the link can Frames are run through several protocols, each of which format the frame to fit protocol specifications. Protocols may encapsulate already encapsulated frames, creating protocol stacks that must be stripped one at a time to recover the data being transmitted.
Frame Relay An OSI Data Link Layer (Layer 2) protocol. Frame Relay supports data transfer over WAN connections such as T1- and E1-carrier lines. Frame Relay is a packet-switching technology, which means that a service provider switches packets from multiple customers over the same physical lines. A permanent virtual circuit (PVC) connects one network device to another, ensuring that packets are switched to the correct location. For more information on Frame Relay, see RFC 2427 (at http://www.ietf.org/rfc/rfc2427.txt). See also DCE, DTE, and PVC.
FRF Frame Relay Forum. A standards body that merged with the MPLS forum to become the MPLS and Frame Relay Alliance.
FRTS Frame Relay Traffic Shaping. FRTS uses priority queueing or custom framing and is a quality-of-service traffic-shaping mechanism. High-priority-queue data is transmitted before low-priority data. Custom framing allows the queues to take turns.
FSAN Full Service Access Network Group. A standards group.
FT1 Fractional T1. A portion of a T1 circuit. A full T1 circuit has a capacity of 1.544 Mbps and is composed of twenty-four (24) 64 kbps channels. A customer may save money by leasing only a portion of the full circuit. A fractional T1 can only be configured in increments of 64 Kbps (one channel).
FTP File Transfer Protocol. An OSI Layer 7 protocol that transfers files between computers, which can use widely differing operating systems. For more information on FTP, see RFC 959 (at http://www.ietf.org/rfc/rfc0959.txt).
FTTB Fiber-To-The-Building. Refers to the installation of fiber optic cable directly to a building.
FTTC Fiber-To-The-Curb. Refers to the installation of fiber optic cable directly to the curbs near homes or businesses. Fiber optic cable, which provides much greater transmission speeds than copper wiring, is already used for much of the POTS long-distance infrastructure. By decreasing the time it takes data to travel from a customer to the customer’s provider, FTTC would greatly increase individual users’ data-transmission speeds.
FTTH Fiber-To-The-Home. Refers to the installation of high-speed fiber optic cable, rather than copper cable, directly to the home.
FX Foreign eXchange. A telephone service, using VoIP technology, that allows a user to have a number with an exchange that is not the normal exchange for the user’s geographic area.
FXO Foreign Exchange Office. A VoIP telephone interface, usually a standard analog telephone, that receives calls over POTS. The FXO generates the on-hook and off-hook indicators used to signal a loop closure at the FXO’s end of the circuit. The FXO must be connected to the FXS interface.
FXS Foreign Exchange Station. A VoIP telephone device that provides battery power, sends the dial tone, and generates ringing voltage for the FXO. The FXO plugs directly into the FXS to provide telephone service for the VoIP device.
F5 OAM F5 Operation And Maintenance. ATM devices send OAM cells over an ATM link to monitor the link. F5 OAM cells verify that an ATM link is open from end-to-end.
G
GRE Generic Routing Encapsulation. A Layer 2 protocol that can encapsulate many types of OSI Layer 2 or Layer 3 protocols and place them in IP packets. Routers can use GRE to tunnel packets, such as multicast packets, that could otherwise be sent over the Internet. Routers can also use GRE to create virtual point-to-point links through an IP network. For more information on GRE, see RFC 2784 (at http://www.ietf.org/rfc/rfc2784.txt).
GS Ground Start. A method by which a device signals a switch to start a call. An on-hook condition begins as a completed circuit. An off-hook condition opens a circuit by grounding a 2600-Hz tone, informing the switch to provide dial tone. See also LS.
GTS Generic Traffic Shaping. A QoS traffic-shaping mechanism. GTS reduces congestion for outbound traffic by constraining specified traffic to a particular bit rate. Certain types of traffic can be shaped to meet downstream requirements, eliminating bottlenecks in topologies with data rate mismatches. GTS is supported by Data Link Layer protocols like Ethernet, SMDS, and Frame Relay. GTS uses WFQ as the method for shaping the traffic. See also WFQ and QoS.
GUI Graphical User Interface. A user interface that substitutes graphics for characters or text for ease of use.
H
Hash A number generated by running a string of text through an algorithm. The hash is substantially smaller than the text itself and—because algorithms transform data in such a way that it is extremely unlikely that some other text will produce the same hash value—unique.
H-channel An ISDN PRI channel technology developed to offer high transmission speeds of up to 135 Mbps. Because H channels allow bits to be sent and received in the same order, they eliminate the delay of reassembling bits.
HDB3 High Density Bipolar order of 3. A line encoding scheme. HDB3 limits the number of consecutive logical zeros in a data stream so that devices do not lose synchronization. HDB3 transforms a stream of four logical zeros into three zero signals and a violation bit of the same polarity as the last logical one detected. HDB3 is the predominant line encoding scheme used in E-carrier lines.
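The substitution rule described in the HDB3 entry, carried through as an added example in Python (not code from the ProCurve guide). It goes beyond the entry's 000V case and also implements the B00V substitution that full HDB3 uses when an even number of pulses has occurred since the last violation, so that successive violations alternate polarity and the line stays DC-balanced; the bit streams are constructed samples.

```python
"""HDB3 line encoding: AMI with zero substitution (added illustration).

Not from the ProCurve guide. Line pulses are +1, -1 and 0. Four consecutive
zeros become 000V (violation repeats the previous pulse's polarity) when an
odd number of marks has been sent since the last violation, and B00V
(balancing pulse, two zeros, violation) when that number is even.
"""


def hdb3_encode(bits):
    """Encode a list of 0/1 bits into a list of +1/0/-1 line pulses."""
    pulses = []
    last_pulse = -1       # polarity of the most recent pulse; the first mark is +1
    pulses_since_v = 0    # mark pulses sent since the last violation
    i = 0
    while i < len(bits):
        if bits[i] == 1:
            # Ordinary AMI mark: alternate polarity.
            last_pulse = -last_pulse
            pulses.append(last_pulse)
            pulses_since_v += 1
            i += 1
        elif bits[i:i + 4] == [0, 0, 0, 0]:
            if pulses_since_v % 2 == 1:
                # 000V: the violation repeats the polarity of the previous pulse.
                pulses.extend([0, 0, 0, last_pulse])
            else:
                # B00V: a balancing pulse of the opposite polarity, then a
                # violation of the same polarity as that balancing pulse.
                b = -last_pulse
                pulses.extend([b, 0, 0, b])
                last_pulse = b
            pulses_since_v = 0
            i += 4
        else:
            pulses.append(0)
            i += 1
    return pulses


def hdb3_decode(pulses):
    """Recover the bits: a pulse repeating the previous polarity is a violation."""
    bits = []
    last_pulse = None
    for p in pulses:
        if p == 0:
            bits.append(0)
        elif last_pulse is not None and p == last_pulse:
            # Violation: it and the three preceding symbols (000 or B00) were 0000.
            bits[-3:] = [0, 0, 0]
            bits.append(0)
        else:
            bits.append(1)
            last_pulse = p
    return bits


def longest_zero_run(pulses):
    """Longest run of zero pulses on the line (HDB3 keeps it at most 3)."""
    longest = run = 0
    for p in pulses:
        run = run + 1 if p == 0 else 0
        longest = max(longest, run)
    return longest


def violations_alternate(pulses):
    """True if each violation has the opposite polarity of the previous one."""
    last_pulse = None
    last_violation = None
    for p in pulses:
        if p == 0:
            continue
        if last_pulse is not None and p == last_pulse:
            if last_violation is not None and p == last_violation:
                return False
            last_violation = p
        last_pulse = p
    return True


# Constructed sample bit stream: one mark, four zeros, one mark, eight zeros, one mark.
SAMPLE_BITS = [1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1]

if __name__ == "__main__":
    line = hdb3_encode(SAMPLE_BITS)
    print(line)  # [1, 0, 0, 0, 1, -1, 0, 0, 0, -1, 1, 0, 0, 1, -1]
    print(hdb3_decode(line) == SAMPLE_BITS)  # True
```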
HDLC High-level Data Link Control. A Data Link Layer protocol suite used by network nodes to initiate, maintain, and terminate data transfer. HDLC, which was originally used for signaling between mainframes and dumb terminals, requires devices on either end of a link to be designated as either a primary or secondary device. The HDLC transmission mode determines which devices can transmit and receive data, and establish and terminate the link. See also ABM, ARM, and NRM.
HDSL High bit rate DSL. A type of symmetric xDSL. HDSL eliminates the need for repeaters and employs a 2B1Q modulation technique across the same type of cabling used with metallic T1 delivery systems. Typically, rather than offering HDSL to customers as a DSL option, service providers use HDSL to provide the local loop connection for dedicated T1/E1 carrier lines. HDSL has some distinct disadvantages: it requires two pairs of wires and does not support analog voice.
HDSL2 An improvement over HDSL that allows service providers to deliver full T1 or E1 over a single twisted pair of wires. Also known as G.SHDSL or SHDSL. HDSL2 is a symmetric xDSL and, like HDSL, does not support analog voice.
HFC Hybrid Fiber Coax. A telecommunication technology in which fiber optic cable and coaxial cable are used in different portions of a network to carry broadband content (such as video, data, and voice). The service provider installs fiber optic cable from their distribution center to serving nodes located close to business and residential users. From these nodes, copper coaxial cable brings the line to individual businesses and homes.
HMAC Hashed Message Authentication Code. The hash value for a packet, generated by running the packet through a cryptographic hash function in combination with a secret key. The IPSec AH protocol generates an HMAC for a packet so that a VPN peer can verify the packet’s authenticity and the integrity of its data. A protocol can use any iterative cryptographic hash function to calculate the HMAC. AH uses MD5 or SHA-1. For more information on HMAC, see RFC 2104 (at http://www.ietf.org/rfc/rfc2104.txt).
Host Any machine or computer that is connected to a network. Each host in a network should have a unique network address.
HSSI High Speed Serial Interface. A serial interface typically used to connect a LAN device to a device with a higher-speed WAN connection. HSSI operates at up to 52 Mbps and connects devices that are less than 50 feet apart.
HTTP HyperText Transfer Protocol. The protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands. For more information about HTTP, see RFC 2616 (at http://www.ietf.org/rfc/rfc2616.txt).
I
IANA Internet Assigned Numbers Authority. IANA controls numbers for protocols, assigns the Country Code Top Level Domains (such as, .uk for the United Kingdom or .de for Germany), and maintains the IP addresses allotted to various purposes or organizations.
ICMP Internet Control Message Protocol. ICMP is part of the IP suite. The operating systems of computers that use IP as their network protocol chiefly use ICMP to send error messages—indicating, for instance, that a requested service is not available or that a host or router could not be reached. For more information, see RFC 792 (at http://www.ietf.org/rfc/rfc0792.txt).
ICV Integrity Check Value. A checksum that authenticates every part of a packet except the authentication field. Both AH and ESP use the ICV as part of the IPSec standard authentication process.
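The HMAC construction from RFC 2104 cited in the HMAC entry, together with the ICV rule above (everything except the authentication field is covered), as an added example that is not part of the ProCurve guide: a from-scratch HMAC checked against Python's hmac module, and a packet check that zeroes the ICV field before hashing and truncates the result to 96 bits as AH does (RFC 2403/2404). The packet layout, key, and header bytes are constructed for the example.

```python
"""HMAC per RFC 2104 and an AH-style ICV check (added illustration).

Not from the ProCurve guide. The keyed hash is computed over the packet with
the authentication (ICV) field itself set to zero, so the ICV covers every
other part of the packet, and verification recomputes it the same way.
"""
import hashlib
import hmac

IPAD = 0x36
OPAD = 0x5C


def rfc2104_hmac(key: bytes, text: bytes, hashfunc=hashlib.sha1) -> bytes:
    """H((K xor opad) || H((K xor ipad) || text)), as in RFC 2104 section 2."""
    block_size = hashfunc().block_size   # 64 bytes for both MD5 and SHA-1
    if len(key) > block_size:
        key = hashfunc(key).digest()       # keys longer than a block are hashed first
    key = key.ljust(block_size, b"\x00")   # then zero-padded to the block size
    k_ipad = bytes(b ^ IPAD for b in key)
    k_opad = bytes(b ^ OPAD for b in key)
    inner = hashfunc(k_ipad + text).digest()
    return hashfunc(k_opad + inner).digest()


def matches_stdlib(key: bytes, text: bytes, name: str = "sha1") -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    hashfunc = getattr(hashlib, name)
    return rfc2104_hmac(key, text, hashfunc) == hmac.new(key, text, hashfunc).digest()


# Constructed packet layout: fixed-size header, 12-byte ICV field, payload.
# AH carries the first 96 bits (12 bytes) of the HMAC (RFC 2403 for
# HMAC-MD5-96, RFC 2404 for HMAC-SHA-1-96).
HEADER_LEN = 8
ICV_LEN = 12


def split_packet(packet: bytes):
    header = packet[:HEADER_LEN]
    icv = packet[HEADER_LEN:HEADER_LEN + ICV_LEN]
    payload = packet[HEADER_LEN + ICV_LEN:]
    return header, icv, payload


def compute_icv(key: bytes, packet: bytes, hashfunc=hashlib.sha1) -> bytes:
    """ICV over the packet with its ICV field zeroed, truncated to 96 bits."""
    header, _, payload = split_packet(packet)
    covered = header + bytes(ICV_LEN) + payload
    return rfc2104_hmac(key, covered, hashfunc)[:ICV_LEN]


def seal(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Build a packet whose ICV field holds the correct value."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be exactly %d bytes" % HEADER_LEN)
    packet = header + bytes(ICV_LEN) + payload
    return header + compute_icv(key, packet) + payload


def verify(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV and compare in constant time; False on any change."""
    _, received_icv, _ = split_packet(packet)
    if len(received_icv) != ICV_LEN:
        return False
    return hmac.compare_digest(compute_icv(key, packet), received_icv)


# Constructed sample values (not real keys or traffic).
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"
SAMPLE_HEADER = b"\x33\x04\x00\x00\x00\x00\x01\x01"   # 8 arbitrary header bytes
SAMPLE_PAYLOAD = b"hello from site A"


def demo():
    """Return (hmac_matches_stdlib, sealed_packet_verifies, tampered_verifies)."""
    packet = seal(SAMPLE_KEY, SAMPLE_HEADER, SAMPLE_PAYLOAD)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])   # flip one payload bit
    return (matches_stdlib(SAMPLE_KEY, SAMPLE_PAYLOAD),
            verify(SAMPLE_KEY, packet),
            verify(SAMPLE_KEY, tampered))


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```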
IDEA International Data Encryption Algorithm. A symmetric encryption algorithm supported by IPSec. IDEA, which is a block cipher, is a fast 3DES equivalent.
IDSL ISDN DSL. An ISDN DSL service that uses 2B1Q but, unlike traditional ISDN, is always on. IDSL is backward compatible with ISDN equipment and can transmit and receive data at up to 144 Kbps.
IEC InterExchange Carrier. A long-distance public carrier. See IXC.
IEEE Institute of Electrical and Electronics Engineers. An organization composed of engineers, scientists, and students. The IEEE is best known for developing standards, such as the LAN 802 standards, for the computer and electronics industry. For more information on IEEE, visit their Web site at http://www.ieee.org/.
IETF Internet Engineering Task Force. A large international community of network designers, operators, vendors, and researchers concerned with developing Internet architecture and maintaining the smooth operation of the Internet. The IETF is responsible for publishing RFCs. For more information on IETF, visit their Web site at http://www.ietf.org/.
IKE Internet Key Exchange. An IPSec protocol used to negotiate an IPSec SA (a VPN tunnel between two peers) in a protected manner. In its first phase, IKE establishes security parameters for a preliminary security association, the IKE SA. IKE also authenticates the peer before opening the IKE SA. In IKE phase 2, peers exchange secure, encrypted messages over the IKE SA. These messages negotiate the security parameters and encryption and authentication keys for the permanent IPSec SA. For more information on IKE, see RFC 2409 (at http://www.ietf.org/rfc/rfc2409.txt).
IKE mode config Before opening an IPSec SA between a remote peer and a network gateway device, IKE mode config can send configurations to the remote peer. These configurations include a local network IP address, as well as the addresses of DNS and WINS servers.
ILEC Incumbent Local Exchange Carrier. A telephone company in the United States that was providing local service in a specific geographic area when the Telecommunications Act of 1996 was enacted. ILECs include the former Bell operating companies, grouped into Regional Bell Operating Companies (RBOCs), that had been created when the Bell System was broken up by a 1983 consent decree.
Interface A boundary across which two independent entities or systems meet and communicate.
IP Internet Protocol. A Network Layer (Layer 3) protocol that controls how packets of data are addressed and routed from one device to another. IP is the network protocol used on the Internet, as well as in many private networks. Each host on the Internet has at least one IP address that uniquely identifies it. For more information, see RFC 791 (at http://www.ietf.org/rfc/rfc0791.txt).
IPCP IP Control Protocol. An NCP in the PPP suite. Peers that are establishing a PPP session exchange IPCP frames to signal that PPP frames will encapsulate IP packets. IPCP frames also negotiate configuration options for the IP packets. IPCP uses the same exchange mechanism as the PPP Link Control Protocol (LCP). For more information on IPCP, see RFC 1332 (at http://www.ietf.org/rfc/rfc1332.txt).
IP Precedence A value within the IP header used to grant certain packets priority over other packets. A higher IP precedence value in a packet’s header requests better QoS for that packet. The type of service actually granted to the packet depends on the QoS mechanisms configured in a network. IP precedence is often used with WFQ—packets in a traffic flow with a higher precedence receive relatively more bandwidth—or with LLQ—the packet receives priority handling instead of being sent to the end of the queue on each network node. For more information on the IP Precedence field in the IP header, see RFC 1812 (at http://www.ietf.org/rfc/rfc1812.txt).
IPSec IP Security. A set of protocols that supports the secure exchange of packets at the IP layer. For example, devices can use IPSec to establish a virtual private network (VPN) through an untrusted IP network such as the Internet. The VPN connection, secured by IPSec, can connect remote sites or provide individual remote users access to the private network through their Internet connections. For more information on IPSec, see RFC 2401 (at http://www.ietf.org/rfc/rfc2401.txt).
IPv4 Internet Protocol version 4. The Internet addressing scheme currently in use. IPv4 uses four octets (32 bits) of address space, which means that it provides 2^32 addresses. An IPv4 IP address is typically represented as four decimal numbers, each representing one octet. Every host on the Internet must have a unique IP address, but because of the way IPv4 addresses were distributed as large blocks of addresses in a classful network, there are not enough free IP addresses to meet growing demand.
IPv6 Internet Protocol version 6. The emerging Internet addressing scheme. IPv6 addresses are 128 bits in length, typically denoted as eight two-digit hex numbers followed by a CIDR notation prefix length.
IPX Internetwork Packet eXchange. A Layer 3 networking protocol used in Novell NetWare operating system environments. Like UDP/IP, IPX is a datagram protocol used for routing packets in connectionless communications. For more information on IPX use in Ethernet networks, see RFC 1132 (at http://www.ietf.org/rfc/rfc1132.txt).
IPXCP Internetwork Packet eXchange Control Protocol. An NCP in the PPP protocol suite. Peers establishing a PPP session exchange IPXCP frames to negotiate options for the IPX packets that will be encapsulated in PPP frames. For more information on IPXCP, see RFC 1552 (at http://www.ietf.org/rfc/rfc1552.txt).
ISDN Integrated Services Digital Network. A type of circuit-switched telephone network system designed to allow devices to send voice and data digitally over ordinary telephone copper wires. More broadly, ISDN is a set of protocols for establishing and tearing down circuit-switched connections and for providing advanced call features to an end user. An ISDN connection is divided into two types of channels: bearer (B) channels, which transmit voice and data over the line, and data (D) channels, which transmit signals for controlling, setting up, and disconnecting the call. Each B channel supports data transfer rates of 64 Kbps. BRI ISDN provides two B channels; PRI ISDN supports up to T1 (24 B channels) or E1 (30 B channels) bandwidth. See also BRI and PRI.
ISO International Standards Office. The group responsible for setting CCITT/ITU standards for the transmission of digital voice and data over ordinary telephone copper wire, as well as over other media.
ISP Internet Service Provider. A company that provides individuals and businesses access to the Internet and other related services such as website building and virtual hosting. An ISP owns and maintains the equipment and the telecommunication lines that allow it to have a Point of Presence (POP) on the Internet for the geographic area served.
ITU-T International Telecommunications Union-Telecommunications Standardization Sector. An international body created to foster cooperative standards for telecommunications equipment and systems. For more information on ITU-T, see their website at http://www.itu.int/.
IXC Inter eXchange Carriers. A telephone company that provides connections between local exchanges in different geographic areas. IXCs provide interlocal access and transport service as described in the Telecommunications Act of 1996. In the United States, IXCs include long-distance telecom carriers like Sprint, AT&T and MCI.
J
Japanese Hierarchy A digital signal hierarchy used in Japan for voice transmission. A J0 line defines one channel. The Japanese hierarchy closely matches the T-carrier system.
Table 2-3. Japanese digital signal hierarchy

Physical carrier   DSD   J0 multiple   J1 multiple   Transmission rate
—                  J0    1             —             64 Kbps
J1                 J1    24            —             1.544 Mbps
J2                 J2    96            4             6.312 Mbps
J3                 J3    480           30            32.064 Mbps
J4                 J4    5760          240           397.200 Mbps

J1 The base bandwidth multiple of J-carrier systems. J1-carrier systems consist of 24 J0 channels with a maximum transmission rate of 1.544 Mbps. The J1 standard is used for voice transmissions only.
K
Kbps Kilobits per second. One thousand bits per second. A measure of bandwidth on a data transmission medium. Higher bandwidths are more conveniently expressed in Megabits per second (Mbps or millions of bits per second) or in Gigabits per second (Gbps, or billions of bits per second).
Key In cryptography, a key is a unique value or string of text that is combined with data when that data is run through an encryption or hash algorithm. In order to decrypt or dehash the data, a device must apply the correct key to the transformed data. With symmetric keys, the same key encrypts and decrypts (or hashes and dehashes) data. With asymmetric keys, a private key transforms data and a public key reverses the transformation. The length of a key generally determines how difficult it will be to decrypt the data.
KS Key System. A key system is essentially a scaled-down PBX. Key systems typically have one unit, either an attendant phone or a separate box, that acts as controller over a limited number of lines (usually about 4) for a limited number of extensions (as many as 20).
L
LAN Local Area Network. A group of computers and associated devices within a small geographic area that share a common communications line. The computers also often share the resources of a single server or set of servers.
LAPD Link Access Procedure for D-channel. An ISDN Data Link Layer protocol that operates over the D channel. LAPD provides ISDN call control and setup.
LATA Local Access and Transport Area. A term used in the United States to describe a geographic area covered by one or more local exchange carriers (LECs).
LBO Line Build Out. The level of attenuation, signal strength, and impedance on a line. When a signal is sent over a long distance, it can degrade. You can adjust the LBO on a T1 line to maximize the signal clarity and coherence. On ProCurve Secure Router, LBO is usually specified by cable length for shorter connections and by level of attenuation, in decibels, for longer connections.
LCP Link Control Protocol. Part of the PPP suite. LCP frames are used to establish, negotiate options for, and maintain the link between peers. LCP frames must successfully establish before peers can exchange PPP frames that encapsulate actual data. For more information on the PPP LCP, see RFC 1570 (at http://www.ietf.org/rfc/rfc1570.txt).
LDAP Lightweight Directory Access Protocol. A set of protocols that allow a host to access and lookup information in information directories. LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain public directory information such as hosts’ email addresses and public keys. For more information on LDAP, see RFC 2251 (at http://www.ietf.org/rfc/rfc2251.txt).
LDN Local Directory Number. The number listed in the phone directory. The LDN is used to establish a dial-up connection, such as an ISDN connection.
LEC Local Exchange Carrier. The term for a public telephone company in the United States that provides local service. The LEC can be either one of the Bell operating companies or an independent company.
LED Light Emitting Diode. A light, often mounted on the front of a device and used to convey information about the status of the device to the user. Users can interpret different LED colors (red, yellow, green) and behaviors (flashing, steady, off) to troubleshoot the device.
Link Quality Reporting See LQR.
Line The hardware that connects two devices. Materials for lines include fiber optic, coaxial, and phone-grade twisted pair cables.
LLC/SNAP Logical Link Control/Subnetwork Access Protocol. An 8-byte packet encapsulation header added by the WAN router to outgoing Ethernet or ATM traffic. The LLC/SNAP header enables devices in a connectionless network to send frames to the devices that can switch them to their destination. The LLC header is three bytes; it sets SNAP as both the Source Service Access Point (SSAP) and the Destination Service Access Point (DSAP) protocol. The 5-byte SNAP header follows with a 3-byte organization code and a 2-byte code that indicates the data type (for example, IP).
LLDP Link Layer Discovery Protocol. LLDP provides a standard method for Ethernet network devices (such as switches, routers, and wireless LAN access points) to advertise information about themselves to other nodes on the network and to store the information they discover from other nodes.
LLQ Low-Latency Queuing. A QoS mechanism that places high-priority traffic in a special queue that is served first with a set amount of bandwidth.
LMI Local Management Interface. LMI is a set of enhancements to the basic Frame Relay specifications. It provides global addressing, virtual circuit status messages, and multicasting capabilities.
LMP Link Management Protocol. In a multilink WAN connection, LMP is a protocol that allows multiple carrier-lines to be treated as a single data link. Among other functions, LMP verifies the physical connectivity of lines in the link and localizes link failures for protection/restoration purposes. For more information on LMP, see the IETF Internet draft at http://www.ietf.org/internet-drafts/draft-ietf-ccamp-lmp-10.txt/.
Local Loop The connection between a subscriber’s premises and the public carrier’s nearest central office (CO). The local loop includes telecom infrastructure devices such as repeaters, switches, cable, and connectors.
Loopback A loopback channel is a communications channel with only one endpoint. A signal sent on the loopback channel simply returns to the interface that sent it. The loopback function serves to test the line.
LQR Link Quality Report. An LCP link-configuration protocol that monitors how many frames are being dropped over a link. LQR is part of the PPP suite.
LS Loop Start. A method of signaling a switch that it should start a call. An on-hook condition consists of an open circuit. An off-hook phone condition completes a closed circuit, which informs the switch to provide dial tone. See also GS.
LSA Link-State Advertisement. A packet sent by an OSPF router advertising its connections to a network or to another router. OSPF routers use LSAs to generate an OSPF database with the topology of the entire OSPF network. See also OSPF.
L2F Layer 2 Forwarding. A tunneling protocol developed by Cisco Systems. L2F is similar to the PPTP protocol developed by Microsoft; it enables organizations to set up VPNs that tunnel packets between private sites through the Internet.
L2TP Layer 2 Tunneling Protocol. An IETF standard based on PPTP and Cisco’s L2F protocol. L2TP is an extension of PPTP used by ISPs to enable the operation of a VPN over the Internet. L2TP uses IPSec to authenticate and encrypt IP packets and PPP to encapsulate the packets; L2TP itself routes the PPP packet through the IP network. For more information on L2TP, see RFC 2661 (at http://www.ietf.org/rfc/rfc2661.txt).
M
MAC Media Access Control. The MAC layer is the lowest Data Link sublayer, and it interfaces directly with the network medium. A MAC address is a hardware address that uniquely identifies each node of a network.
Main Mode An IKE security mode in which peers exchange three pairs of messages (six total) to negotiate the IKE SA. Because peers generate encryption and authentication keys to secure packets before they exchange authentication information, IKE main mode provides endpoint anonymity. IKE main mode is therefore slower, but much more secure than aggressive mode. See also IKE and Aggressive Mode.
Magic Number A number added to an outgoing frame to enable a device to detect loopback links. A magic number is a random number that the sending peer assigns to the packet. If the sending peer receives a packet with an unchanged magic number, it detects a loopback condition.
MAN Metropolitan Area Network. A network that interconnects users with computer resources in a geographic area or region larger than that covered by a large local area network, but smaller than the area covered by a wide area network. A MAN typically extends as far as 50 kilometers and operates at speeds between 1 Mbps and 200 Mbps.
Mbps Megabits per second (a million bits per second). The measure of bandwidth on a data transmission medium such as twisted-pair copper cable, coaxial cable, or optical fiber line.
MD5 Message Digest 5. A hash algorithm used to create digital signatures. MD5 is a one-way hash function, which transforms and condenses data into a fixed string of digits called a message digest. A variety of protocols, including AH and ESP, use MD5 to check a message’s data integrity as well as authenticate the sender. The ProCurve Secure Router uses MD5 transformation to encrypt various system passwords.
Mediation An old style or legacy system still used in the telecom world. This term refers to the conversion of various telephone properties into a standard Call Detail Record (CDR) format.
MFR Multilink Frame Relay. See MLFR.
MIB Management Information Base. An SNMP object. The MIB is a database list of objects and is used to manage entities (such as routers and switches) in an SNMP-enabled network. Objects in the MIB are defined using Abstract Syntax Notation One (ASN.1). The database is hierarchical (tree structured) and entries are addressed through object identifiers. See also SNMP.
MIPS Millions of Instructions Per Second. A general measure of computing performance and, by implication, the amount of work a computer can do. Generally, this refers to the number of instructions that can be processed by the CPU in a given second.
MLFR MultiLink Frame Relay. A Frame Relay protocol that bundles multiple carrier-lines together, which allows faster transmission speeds. FRF.15 supports MLFR end-to-end on a PVC without CO support: both ends of the link must support MLFR and use the same number of carrier-lines. FRF.16.1 requires CO support but offers many advantages over FRF.15: the bundle of carrier-lines can support more than one PVC and endpoints do not have to use the same number of carrier-lines.
MLPPP Multilink PPP. A line-aggregation protocol that bundles multiple T1 or E1 lines into a single data link, which greatly increases throughput. MLPPP fragments and reassembles frames sent over separate channels in the multilink connection. For more information on Multilink PPP, see RFC 1990 (at http://www.ietf.org/rfc/rfc1990.txt).
MOSPF Multicast Open Shortest Path First. A multicast Layer 3 routing protocol based on OSPF. This protocol allows the router to build a multicast forwarding table for each local group using the additional information included in the MOSPF messages. For more information on MOSPF, see RFC 1585 (at http://www.ietf.org/rfc/rfc1585.txt).
MP Multilink PPP. See MLPPP.
MPLS Multiprotocol Label Switching. A process that allows packets to be routed according to their pre-defined labels instead of according to their IP addresses and routing protocol table entries. Incoming packets are assigned a label by a label edge router (LER). Packets are forwarded along a label switch path (LSP), on which each label switch router (LSR) makes forwarding decisions based solely on the contents of the label. At each hop, the LSR strips off the existing label and applies a new label which tells the next hop how to forward the packet. An LSP can cross multiple Layer 2 transports such as ATM, Frame Relay or Ethernet. Because MPLS forwards packets based on configured LSPs, rather than on IP addresses, it supports the routing of packets with private IP addresses through a public network. For more information on MPLS, see RFC 2702 (at http://www.ietf.org/rfc/rfc2702.txt).
MPPE Microsoft Point-to-Point Encryption. An encryption algorithm that uses RSA RC4 and 40- or 128-bit keys to secure data transmitted across a WAN tunnel. For more information on MPPE, see RFC 3078 (at http://www.ietf.org/rfc/rfc3078.txt).
MPPP Multilink Point-to-Point Protocol. See MLPPP.
MRRU Maximum Receive Reconstructed Unit. An LCP configuration option used with MLPPP connections. The MRRU specifies the maximum size of a reassembled frame that can be sent over a link. The default value is 1500 octets. A device sets a value in an LCP frame’s MRRU field to indicate to the peer that it wants to establish an MLPPP connection. See also LCP, MLPPP, and PPP.
MRU Maximum Receive Unit. An LCP option that communicates the maximum frame size to be sent over the PPP connection. The default value is 1500 octets. See also LCP and PPP.
MTBF Mean Time Between Failures. A measure of how reliable a hardware product or component is. For most components, the measure is typically in thousands or even tens of thousands of hours between failures.
MTU Maximum Transmission Unit. The largest unit of data that can be sent across a given medium.
Multilink Frame Relay See MLFR.
Multimode Fiber Optical fiber that is designed to carry multiple light rays or groups of light rays (modes) concurrently, each at a slightly different reflection angle within the optical fiber core. Multimode fiber transmission is used for relatively short distances because the modes tend to disperse over longer lengths.
Multiplexing Combining and transmitting multiple signals over a single channel. Also known as “muxing.” The most important type of multiplexing for data transfer is time-division multiplexing (TDM), which is used with digital signals. See also TDM.
Multiplexer Also known as a MUX. A communications device that multiplexes (combines) signals from multiple sources for transmission over a single medium.
M13 Multiplex 1-to-3. A device that converts 28 T1 inputs into a single T3 output.
N
NAT Network Address Translation. A technique created to conserve IP addresses. NAT acts as a gateway between two networks, translating IP addresses used in one network to different IP addresses known within another network. Typically, NAT translates many private network addresses to one or a few public IP addresses. For more information on NAT, see RFC 3022 (at http://www.ietf.org/rfc/rfc3022.txt).
NAT D NAT Discovery. Packets exchanged during IKE phase 1 that include hashes of devices’ source and destination IP addresses and ports. Devices attempting to create a VPN connection can exchange NAT D packets to determine whether and where NAT is used between them. If NAT is detected, peers must use NAT traversal (NAT T) over the VPN connection. See also NAT T.
NAT T NAT Traversal. Provides address and port translation for packets traveling through an IPSec VPN. Because NAT alters information in a packet’s IP header, it can cause the packet to fail IPSec security checks. NAT T encapsulates packets in a UDP/IP header with the translated IP address, leaving the IPSec packet untouched. For more information on NAT Traversal and NAT Discovery, see RFC 3947 (at http://www.ietf.org/rfc/rfc3947.txt).
NCP Network Control Protocol. A group of protocols within the PPP suite. NCPs carry information about how to manage higher-level protocols, primarily Network Layer (Layer 3) protocols. Each Network Layer protocol that can be encapsulated in a PPP frame has a separate NCP with its own configuration options. When establishing a PPP session, peers exchange the NCP for the Network Layer protocol used by the packets that they will send across the link. See also IPCP, IPXCP, PPP, and SNACP.
NEBS Network Equipment Building Standards. A set of technical requirements designed to make central office equipment and switches error proof. These requirements cover spatial, hardware, interface, thermal, fire resistance, handling and transportation, earthquake and vibration, airborne contaminants, grounding, acoustical noise, illumination, EMC, and ESD requirements. NEBS testing is required for vendors who wish to sell equipment to the Regional Bell Operating Companies (RBOCs) and the Competitive Local Exchange Carriers (CLECs). Level 3 testing is the most stringent level of testing.
Network A generic term describing computers that are interconnected and can communicate with each other. Used more specifically, a network divides hosts into groups that can communicate without a router. A packet sent from one host to another host in the same network can be switched to its destination according to information in the Layer 2 header. A packet sent to a host in a different network must be routed by a device (such as a router) that can read the packet’s Layer 3 header. In telecommunications, a network usually refers to infrastructure that provides voice and data transmission to users.
Network Layer Layer 3 of the OSI model. This layer provides switching and routing protocols that control how packets are moved from node to node to their destinations. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control, and packet sequencing.
NEXT Near End Crosstalk. An error condition that can occur when connectors are attached to twisted pair cabling. NEXT is usually caused by crossed or crushed wire pairs and occurs when the conductors inside the wires become exposed. Two conductors only need to be close enough that the radiating signal from one of the wires is able to interfere with the signal traveling on the other wire for the connection to have a crosstalk problem.
NIC Network Interface Card. Hardware that grants a computer the ability to access the network. A NIC is identified by a MAC address.
NIU Network Interface Unit. Also known as the smart jack in the United States. The NIU automatically maintains the WAN connection and allows public carrier employees to perform simple management tasks remotely. The NIU is on the carrier side of the subscriber’s demarcation point (demarc) and is part of the public carrier’s equipment.
NNI Network-to-Network Interface. A standard that defines the interface between two ATM or Frame Relay switches. Sometimes, however, the interface between a switch in a private network and a switch in a public network is defined as a user-to-network interface (UNI). See also UNI.
NOC Network Operations Center. A place from which a telecommunications network is supervised, monitored, and maintained. Enterprises with large networks and large network service providers typically have an NOC.
NRM Normal Response Mode. In an HDLC connection between two devices, a secondary device may only transmit when the primary device expressly instructs it to do so. See also HDLC, ABM, ARM.
NT1 Network Termination 1. A device at the physical and electrical termination of the ISDN line. The NT1 monitors the line, maintains timing, and provides power to the ISDN line. This device is purchased and maintained by the subscriber.
NT12 Network Termination 1/2. A device that functions as both an NT1 and an NT2 device.
NT2 Network Termination 2. A device required for PRI ISDN. The NT2 provides switching functions and manages traffic across the multiple B channels.
NVRAM Non-Volatile Random Access Memory. A data-storage medium that retains memory when powered down.
O
OAM Operations, Administration, and Maintenance. OAM ATM cells are sent over a VCI to maintain the link. OAM cells are divided into five levels, and the functions of each level are separate from those of each other level. See also F5 OAM.
OC-1 Optical Carrier-1. In the Synchronous Digital Hierarchy, OC-1 is the base multiple for SONET systems and transmits at 51.84 Mbps.
OC-N Optical Carrier Level N. The fundamental transmission rates for SONET, where N=1 (51.84 Mbps), 3 (155.52 Mbps), 12 (622 Mbps), 24 (1.244 Gbps), 48 (2.488 Gbps) or 192 (9.953 Gbps).
OCU Office Channel Unit. A Central Office (CO) device that is used for direct handling of 56K and 64K DDS services. The OCU is usually a special card incorporated into multiplexers at the CO.
OCUDP Office Channel Unit Data Port. A CO device that provides signal conversion from the transmission rates on the customer side of the local loop to a single DS0 time slot. It provides the interface between Switched 56/64K or DDS interfaces and the telecom infrastructure.
Option Parameters or variables supported by a protocol. For example, the PPP LCP protocol includes options for whether or not peers will use LQR, magic numbers, protocol-field compression, address and control field compression, or an authentication protocol. The MRU option specifies the maximum size for packets sent over the connection.
OS Operating System. A system of software that performs basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories, and controlling peripheral devices. For large systems, the operating system ensures that different programs and users running at the same time do not interfere with each other. The operating system is also responsible for security, ensuring that unauthorized users do not access the system.
OSI Open Systems Interconnection. Developed in 1982, the OSI was a joint effort between ITU-T and ISO to create industry standards for network connections. The OSI model was developed to allow for multi-vendor interoperability and describes seven layers of connectivity.
Figure 2-1. The OSI model
OSPF Open Shortest Path First. A link-state routing protocol typically used within larger networks. OSPF is an interior gateway protocol (IGP), which means that it is used within a single AS. OSPF routers advertise the cost of their connections to networks and to other routers so that they can compile a topology of the network as a whole. Each router then generates a route to each network in the AS. Routers select best routes according to link cost, which is typically based on inverse bandwidth. OSPF is preferred over RIP, an older routing protocol. For more information on OSPF, see RFC 2328 (at http://www.ietf.org/rfc/rfc2328.txt). See also AS, LSA, and RIP.
OUI Organization Unique Identifier. A designation purchased from the IEEE for a network-connected device. The OUI is a 48-bit unique MAC address that specifies a single, specific piece of hardware on your network.
Figure 2-1 (the OSI model) shows the seven layers, numbered from the bottom: 1 Physical Layer, 2 Data Link Layer, 3 Network Layer, 4 Transport Layer, 5 Session Layer, 6 Presentation Layer, 7 Application Layer.
P
Packet A block of data encapsulated within one or more protocol headers. These headers provide information about the packet’s application and about how the packet is to be handled and routed as it travels through the network. A packet that has been encapsulated within a Data Link Layer protocol is called a frame or a cell (ATM).
Packet-filtering Firewall Firewall software that has been configured to screen incoming and outgoing packets at the Network Layer (Layer 3). Packet-filtering firewalls pass or drop packets based on the content of their TCP/IP headers. For example, a firewall may be configured to drop all packets from a certain source or using a certain application.
PAP Password Authentication Protocol. An authentication protocol that is part of the PPP suite. Because PAP authenticates hosts by transmitting unencrypted ASCII passwords over the network, PAP is considered insecure. See also CHAP and EAP.
Password A secret string of characters that allows a user to access a computer or other protected material. Passwords on the ProCurve Secure Router can be plain-text or encrypted using MD5.
PAT Port Address Translation. A NAT technology that allows hosts with multiple private IP addresses to share a single public IP address. PAT maps each host in the LAN to the same global IP address, but to a unique UDP or TCP port number. Return traffic is sent to that port, so it can be forwarded to the correct host.
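As an added illustration of the PAT entry above (example code written for this glossary, not the ProCurve Secure Router’s implementation), the following Python models a PAT translation table: outbound flows from several private hosts are mapped to one public address with a unique port each, and return traffic is mapped back through that port. The public address, private addresses and ports are constructed sample values, and the port-allocation rule (reuse the host’s own source port when it is free, otherwise take the next free port from a pool) is this example’s assumption, not something the guide states.

```python
"""Port Address Translation (PAT) table simulation.

Added example, not taken from the ProCurve guide. Models the many-to-one
mapping the glossary describes: each private (ip, port) pair is mapped to the
single public IP and a unique public port, and return traffic addressed to
that public port is mapped back to the original host. All addresses and
ports used below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One side of a translation: an IP address and a TCP/UDP port."""
    ip: str
    port: int


class PATTable:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port          # next candidate in the pool
        self.last_port = last_port
        self.outbound = {}                   # (private ip, private port) -> public port
        self.inbound = {}                    # public port -> (private ip, private port)

    def _allocate_port(self, wanted: int) -> int:
        # Assumed policy: keep the host's own source port when nobody else holds
        # it (and it is not a privileged port); otherwise hand out the next
        # unused port from the pool so two hosts never share a public port.
        if wanted >= 1024 and wanted not in self.inbound:
            return wanted
        while self.next_port <= self.last_port:
            candidate = self.next_port
            self.next_port += 1
            if candidate not in self.inbound:
                return candidate
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, src: Flow) -> Flow:
        """Return the public (ip, port) that a packet from src leaves with."""
        key = (src.ip, src.port)
        if key not in self.outbound:          # first packet of this flow: create mapping
            public_port = self._allocate_port(src.port)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return Flow(self.public_ip, self.outbound[key])

    def translate_inbound(self, dst: Flow):
        """Map return traffic back to the private host, or None if no mapping exists.

        A packet to the public IP on a port that was never handed out has no
        translation; a real router drops it rather than guessing a destination.
        """
        if dst.ip != self.public_ip or dst.port not in self.inbound:
            return None
        private_ip, private_port = self.inbound[dst.port]
        return Flow(private_ip, private_port)


def demo():
    """Two LAN hosts using the same source port behind one public address."""
    table = PATTable("203.0.113.1")                      # constructed public IP
    a = table.translate_outbound(Flow("10.0.0.10", 50000))
    b = table.translate_outbound(Flow("10.0.0.11", 50000))  # same port, second host
    back_b = table.translate_inbound(Flow("203.0.113.1", b.port))
    stray = table.translate_inbound(Flow("203.0.113.1", 9999))  # never mapped
    return a, b, back_b, stray


if __name__ == "__main__":
    print(demo())
```

Because the second host asks for a source port the first host already holds, the table gives it a different public port; the inbound lookup then uses that port alone to find the right private host, which is exactly why return traffic can be delivered behind a single public address.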
Payload The data that is encapsulated into a packet and transmitted over a network.
PBR Policy-based Routing. A technique that allows a router to make routing decisions based on policies set by the network administrator instead of purely on destination address. For more information on types of PBR, see RFC 1104 (at http://www.ietf.org/rfc/rfc1104.txt).
PBX Private Branch eXchange. A telephone exchange system that operates on-site and is maintained and owned by the customer.
PCM Pulse Code Modulation. A technique for digitizing analog signals (such as audio or voice signals) by periodically sampling the analog signal and converting the signal’s amplitude to a digital value. PCM samples the signal 8000 times a second; each sample is represented by 8 bits for a total of 64 Kbps. PCM is used in T-, E-, and J-carrier systems.
PDP Policy Decision Point. In QoS-managed systems, a PDP is a server that makes policy decisions. This server has global knowledge of network policies and is consulted by the network devices (like routers) that enforce the policies.
PEM Format Privacy-Enhanced Mail Format. Base64-encoded data surrounded by header lines. Some digital certificates use this format.
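As an added example for the PEM Format entry above (written for this glossary, not taken from the router or its documentation), the following Python parser reads the format described: Base64 data between BEGIN and END header lines. It checks that the END label matches the BEGIN label and that the body is valid Base64, and rejects malformed blocks instead of guessing. The sample block is constructed and its payload is plain ASCII text, not a real certificate; the regular expressions, the PEMError class and the function names are this example’s own.

```python
"""Minimal PEM container parser.

Added example, not from the ProCurve guide. Handles the structure the glossary
describes: one or more blocks of Base64 text, each surrounded by
-----BEGIN <label>----- and -----END <label>----- header lines. Text outside a
block is ignored, as most PEM readers do. The sample below is constructed; its
payload decodes to the ASCII string "not a real certificate".
"""
import base64
import binascii
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


class PEMError(ValueError):
    """Raised for a structurally invalid PEM block."""


def parse_pem(text: str):
    """Return a list of (label, raw_bytes) for every block in text."""
    blocks = []
    label = None       # label of the block currently being read, if any
    body = []          # Base64 lines collected for that block
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if label is None:
            match = _BEGIN.match(line)
            if match:
                label = match.group(1)
                body = []
            continue                       # outside a block: ignore the line
        match = _END.match(line)
        if match:
            if match.group(1) != label:
                raise PEMError(
                    f"line {lineno}: END label {match.group(1)!r} "
                    f"does not match BEGIN label {label!r}")
            try:
                # validate=True rejects characters outside the Base64 alphabet
                # instead of silently skipping them.
                raw = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise PEMError(f"block {label!r}: invalid Base64 body ({exc})") from None
            blocks.append((label, raw))
            label = None
        elif line:
            body.append(line)
    if label is not None:
        raise PEMError(f"block {label!r} has no END line")
    return blocks


def pem_is_well_formed(text: str) -> bool:
    """True if every block in text parses; False on any structural error."""
    try:
        parse_pem(text)
        return True
    except PEMError:
        return False


# Constructed sample: the Base64 body is the text "not a real certificate".
SAMPLE = """\
# constructed sample, not a real certificate
-----BEGIN CERTIFICATE-----
bm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for label, raw in parse_pem(SAMPLE):
        print(label, raw)
```

Strict Base64 validation and the label check matter because a lenient reader that skips unknown characters or accepts mismatched headers can be fed a block that decodes to something other than what a human reviewing the file would expect.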
PEP Policy Enforcement Point. In QoS-managed systems, a PEP is a device on which policy decisions are carried out—usually a network node like a router or a switch.
PFC Protocol Field Compression. A PPP configuration option that allows routers to agree that they will compress the PPP protocol field into a single octet. See also LCP and PPP.
PFS Perfect Forward Secrecy. A key-establishment protocol used for establishing secure VPN communications—for example, through an IPSec SA. PFS ensures that each new encryption key generated to secure the VPN tunnel does not rely on any previous key. If one encryption key is compromised, only data encrypted by that specific key is compromised.
PHB Per Hop Behavior. A quality of service designation. PHBs define what type of service labeled with a particular DiffServ value should receive. PHB can define such parameters as how much absolute or relative bandwidth is allocated to a certain type of traffic and which traffic is dropped first if a network becomes congested. For information on PHB identification codes, see RFC 3140 (at http://www.ietf.org/rfc/rfc3140.txt). See also DiffServ.
Physical Layer Layer 1 of the OSI model. This layer conveys the bit stream through the network at the electrical and mechanical level. It includes a line’s physical media and defines standards such as those for signaling and frame formatting. Ethernet and ATM are protocols with physical layer components.
PKI Public Key Infrastructure. A system of digital certificates, CAs, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction. PKI enables users to privately exchange data using a public infrastructure, like the Internet, by managing keys and certificates. A user obtains a public and private key pair from a trusted CA. The user authenticates itself with a certificate, which includes its identification information, public key, and a CA signature. The user can authenticate messages with its private key. See also CA, digital certificates, and DSS.
PON Passive Optical Network. A system that brings optical fiber cabling and signals all or most of the way to the end user using passive equipment, which saves power and cost. Depending on where the PON terminates, the system can be described as Fiber-To-The-Curb (FTTC), Fiber-To-The-Building (FTTB), or Fiber-To-The-Home (FTTH). See also FTTC, FTTB, or FTTH.
POP Point of Presence. An access point to the Internet. Your ISP or online service provider has at least one POP on the Internet. A POP usually includes routers, digital/analog call aggregators, servers, and, frequently, Frame Relay or ATM switches.
Port The point of physical connection between a device and a circuit. The port’s signaling capacity determines the greatest amount of data that can be transmitted over the connection at any given time.
POTS Plain Old Telephone Service. A term used to describe the analog, voice-only telephone service in the local loop.
PPP Point-to-Point Protocol. A suite of Data Link Layer protocols. PPP connects two peers in an end-to-end link. To establish a PPP session, the two peers must exchange frames, in order, from at least three protocols: LCP, an NCP, and PPP. As its name suggests, PPP is typically used for Internet connections originating from a dial-up line or a high-speed modem. For more information on PPP, see RFC 1661 (at http://www.ietf.org/rfc/rfc1661.txt).
PPPoA Point-to-Point Protocol over ATM. A Data Link Layer network protocol that encapsulates PPP frames in ATM AAL5 cells. PPPoA offers standard PPP features such as authentication, encryption, and compression for cable modem, DSL, or ADSL connections. If used as the connection encapsulation method on an ATM-based network, PPPoA can slightly reduce overhead (around 0.58%) in comparison to PPPoE. For more information on PPPoA, see RFC 2364 (at http://www.ietf.org/rfc/rfc2364.txt).
PPPoE Point-to-Point Protocol over Ethernet. A Data Link Layer network protocol that encapsulates PPP frames inside Ethernet frames. It is used mainly to allow multiple users on an Ethernet network to connect to an ISP using the same cable modem or DSL connection. PPPoE offers standard PPP features such as authentication, encryption, and field compression. For more information on PPPoE, see RFC 2516 (at http://www.ietf.org/rfc/rfc2516.txt).
PPTP Point-to-Point Tunneling Protocol. A protocol that allows organizations to extend their own corporate network through private “tunnels” over the Internet. PPTP encapsulates PPP frames and creates a tunnel for them to travel across the IP network. For more information on PPTP, see RFC 2637 (at http://www.ietf.org/rfc/rfc2637.txt).
Presentation Layer Layer 6 of the OSI model. This layer is responsible for the delivery and formatting of information to the Application Layer for further processing or display. This layer deals with issues such as how strings are represented. It also formats and encrypts data to be sent across a network, providing freedom from compatibility problems. Layer 6 is sometimes called the syntax layer.
PRI Primary Rate Interface. A type of ISDN service offered by public carriers that consists of one 64-Kbps D channel and 23 64-Kbps B channels in North America or 30 64-Kbps B channels in all other countries. The B channels carry data, voice, or video traffic. The D channel is used to carry packet data and to set up and maintain calls on the B channels.
Preshared Key A preshared key is an alphanumeric character string agreed upon by two parties in advance. In IKE negotiations, peers can exchange a preshared key that is between 8 and 255 characters in length to authenticate each other before opening the IKE SA.
Protocol A set of standard rules required to send mutually-coherent information over a communications channel. Each layer of the OSI model can include many different protocols. For example, Data Link Layer protocols include (among others) Ethernet, Frame Relay, PPP, and ATM, and these protocols dictate how links between hosts on a network are initiated, maintained, and terminated.
Protocol Field Compression See PFC.
PSTN Public Switched Telephone Network. The public network that provides switched digital/analog voice and data services to customers.
PTT Public Telephone and Telegraph. State-owned and regulated companies, primarily in Europe, that provide telecom services.
Public Carrier A generic term used to describe the public entity that provides telephone services, as well as data communications services like DSL and ISDN. The public carrier may be private or government-owned.
PVC Permanent Virtual Circuit. A logical connection between two nodes. A PVC is a virtual circuit established for repeated use between the same data terminal equipment (DTE). Like a dedicated physical connection, a PVC is an always-open connection between two endpoints. However, the actual physical path that frames take over the PVC may vary. PVCs are used in Frame Relay networks, where each PVC is identified by a DLCI and in ATM networks, where each PVC is identified by a VCI/VPI.
Q
QoS Quality of Service. The “quality” of the packet forwarding service provided to a packet. A value set in the packet’s ToS field can request a specific level of QoS. QoS mechanisms regulate and manage traffic across a WAN link to lower latency for high-priority packets and to increase the quality and speed of data transmissions. QoS mechanisms include queuing methods, buffering, dropping of excess traffic, and traffic shaping. For more information on current QoS architecture, see RFC 2990 (at http://www.ietf.org/rfc/rfc2990.txt). See also DiffServ, FRTS, GTS, IP precedence, LLQ, and WFQ.
QSIG Q SIGnaling. A channel-signaling protocol based on ISDN Q.931 standards and used by many digital PBXs. QSIG is used to establish and release calls and to control many call features.
R
R-interface In an ISDN network connection, the R interface connects the TE2 to the TA.
RADIUS Remote Authentication Dial-In User Service. An AAA protocol that allows a server to store all the security information for a network in a single, central database. The server stores and manages user information so that it can authenticate these users. The server also maps users to the services that they are allowed to access. For more information on RADIUS, see RFC 2865 (at http://www.ietf.org/rfc/rfc2865.txt).
RADSL Rate Adaptive DSL. By using DMT modulation, RADSL can adapt to varying line conditions to maximize the transmission speed on a particular line. Since standard ADSL also does this, there is little difference between RADSL and ADSL.
RAL Ringer Approximated Loading. See REN.
RAS Remote Access Server. A server that is dedicated to handling users that are not on a LAN but need remote access to it. The remote access server allows users to gain access to files and print services on the LAN from a remote location.
RBOC Regional Bell Operating Companies. The United States’ regional telephone companies (or their successors) that were created as a result of the breakup of American Telephone and Telegraph Company (AT&T, known also as the Bell System) by a United States Federal Court consent decree on December 31, 1983. The seven original RBOCs were Ameritech, Bell Atlantic, BellSouth, NYNEX, Pacific Bell, Southwestern Bell, and US West. Each of these companies owned at least two Bell operating companies. The BOCs were given the right to provide local phone service while AT&T was allowed to retain its long distance service. The RBOCs and their constituent BOCs are LECs.
RBS Robbed-Bit Signaling. A signaling standard used by T-carrier lines. The least significant bit in the 6th and 12th frames (of a SuperFrame T1) and the 18th and 24th frames (of an Extended SuperFrame T1) is “robbed” and used as a signaling bit.
RC5 Rivest Cipher 5. A symmetric encryption algorithm supported by IPSec. RC5 is a block cipher with variable key length up to 2040 bits.
READSL Reach Extended ADSL. A form of ADSL that is delivered over very long twisted pairs and provides DSL service to rural areas. Most commonly available in France.
REN Ringer Equivalency Number, also called Ringer Approximated Loading (RAL). An arbitrary number that denotes the telephone ringer loading on the line. A ringer equivalency number of 1 represents the loading effect of a single “traditional” telephone ringing circuit. Modern telephone equipment may have a REN significantly lower than 1. For example, you may have a cordless phone with a REN equivalency of .35, and attached to the same line you have another older phone with a REN of 1. The total REN is the sum of all RENs on the line. The total REN on one line must not exceed 5 in the United States, or 4 in the UK on BT lines.
Repeater An electronic device that receives weak or low-level signals and retransmits them with a higher signal level so that the signal can cover longer distances without degradation.
RFC Request For Comment. The core method of publishing Internet specifications. RFCs are a series of technical documents submitted to IETF and published on the Internet. An Internet Document can be submitted to the IETF by anyone, but the IETF decides whether the document becomes an RFC. Eventually, if it gains enough interest, the RFC may evolve into an Internet standard.
RIB Routing Information Base. In BGP, the RIB is a database table of entries that identifies a destination address, the next hop to which packets should be forwarded to reach that destination, and the routing metric. The metric is used to determine the best route for a particular packet or class of packets; it may be based on characteristics of a route, such as its delay properties or its expected error rate. The RIB may contain information about more than one next hop to the same destination if it is important to be able to send packets over different paths. See also BGP.
RIP Routing Information Protocol. A routing protocol that manages routing information within a self-contained network such as a LAN or an interconnected group of LANs. RIP is an older routing protocol, best suited for smaller networks, that selects best routes based on lowest hop count. For more information on RIP, see RFC 2453 (at http://www.ietf.org/rfc/rfc2453.txt).
RJ-11 Registered Jack 11. A four- or six-wire connector used primarily to connect telephone equipment in the United States. RJ-11 connectors are also used to connect some types of local-area networks (LANs), although RJ-45 connectors are more common.
RJ-11 connector pinout (pins numbered 1 to 6):
Pin   Description
1–2   Unused
3     Ring
4     Tip
5–6   Unused
RJ-45 Registered Jack 45. A modular 8-wire jack/connector used with copper cable having four twisted pairs.
RJ-45 connector (WAN/LAN connector), uses two twisted pairs (pins numbered 1 to 8):
Pin   Description (T=tip, R=ring, P=pair)
1     TX1, transmit positive
2     TX2, transmit negative
3     RX1, receive positive
4     —
5     —
6     RX2, receive negative
7     —
8     —
RJ-48C Registered Jack 48C. A miniature 8-position keyed jack/connector used with cable having four twisted-pairs. The connector itself is slightly smaller than the RJ-45 and is often used for T1 or E1 connections.
RJ-48C connector (T1 carrier-line connector), uses pins 1, 2, 4, and 5 (pins numbered 1 to 8):
Pin   Description (T=tip, R=ring, P=pair)
1     R (transmit data toward DTE)
2     T (transmit data toward DTE)
3     —
4     R1 (receive data from DTE)
5     T1 (receive data from DTE)
6     —
7     —
8     —
RMON Remote MONitoring. A standard that allows administrators to monitor and manage network equipment remotely. RMON enables various network monitors and console systems to exchange network monitoring data using SNMP and MIBs.
Router A device that forwards data packets from one network to another. A router connects at least two different networks. A WAN router often connects LANs to WANs or to an ISP. A router uses a packet’s Layer 3 header to determine the route over which it should send it. The router uses its routing table, which can be configured manually or generated using routing protocols, to determine the best routes for forwarding packets.
RPS Redundant Power Source. A power source that becomes active should the primary power source fail. The RPS ensures the router’s continued operation during a power outage or other power service interruption.
RSA Rivest-Shamir-Adleman. A public-key, or digital signature, encryption technology developed by RSA Data Security, Inc. The RSA algorithm is based on the fact that there is no efficient way to factor very large numbers. Deducing an RSA key, therefore, requires an extraordinary amount of computer processing power and time. RSA supports keys between 1024 and 2048 bits in length. RSA keys can be used for signing digital certificates.
RSVP Resource reSerVation Protocol. An NCP in the PPP protocol suite that enables Internet applications to request differing QoS for various data flows. RSVP works with routing protocols to provide IP networks with the capability to support differing application types. For more information on RSVP, see RFC 2205 (at http://www.ietf.org/rfc/rfc2205.txt).
S
S-interface The connection from the TE1 or TA to the NT2 in an ISDN network. The S-interface uses a four-wire/two twisted pair connection. The S- and T-interfaces are often combined into the S/T-interface.
SA Security Association. In IPSec, the SA defines the tunnel, or secure VPN connection, between two peers. The SA includes information for managing the tunnel, such as encryption and authentication keys for securing data and an SPI for identifying the SA. If IKE is used to negotiate the SA, then a preliminary SA, called the IKE SA, is established so that the permanent SA, called the IPSec SA, can be negotiated securely. If both AH and ESP are used to secure IPSec packets, then each protocol must use a separate SA.
SAPI Service Access Point Identifier. A standardized value in LAPD frames that identifies the ISDN service associated with the signaling frame.
SC-connector A square-like fiber optic connector with a push-pull latching mechanism that provides quick insertion and removal while also ensuring a positive connection.
Figure 2-2. SC connector
SCEP Simple Certificate Enrollment Protocol. A Cisco protocol that, used with LDAP, streamlines the process of acquiring a certificate from a CA. SCEP allows network devices to be issued certificates automatically in a scalable manner.
SCSI Small Computer Systems Interface. A parallel interface standard for attaching peripheral devices to computers.
SDH Synchronous Digital Hierarchy. The signal hierarchy for fiber optic networks outside of North America and Japan. SDH is a standard technology for synchronous data transmission on optical media. Both SDH and SONET technologies provide faster and less-expensive network interconnection than traditional Plesiochronous Digital Hierarchy equipment. See also SONET.
SDLC Synchronous Data Link Control. The exclusive transport protocol for an SNA network. A version of HDLC.
SDSL Symmetric DSL. A single-pair version of HDSL. SDSL is based on ISDN with 2B1Q, but is a symmetric DSL. SDSL provides bandwidth for downstream and upstream traffic of up to 2.3 Mbps each. SDSL standards are not interoperable and vary with the carrier.
Serial A connection between two devices over which information is transferred FIFO, one bit at a time.
Session Layer Layer 5 of the OSI model. This layer establishes, manages, and terminates connections between applications. The Session Layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the applications at each end. It allows information on different streams, perhaps originating from different sources, to be properly combined. In particular, the Session Layer deals with synchronization issues.
SHA-1 Secure Hash Algorithm 1. A hash algorithm that produces a 160-bit message digest. SHA-1 improves on MD5, an earlier, still widely used hash function. In an IPSec VPN, AH can use SHA-1 to authenticate a packet.
SHDSL Symmetric High Bit Rate DSL. SHDSL provides a guaranteed level of high symmetric bandwidth and low interference with other telecommunications services. SHDSL is a single-wire HDSL and is also called G.SHDSL. SHDSL provides a higher transmission speed than HDSL2 or SDSL over longer distances. SHDSL is adaptive and has the capability to determine the highest possible transmission speed when initialized.
Showtime For ADSL, the time after the training phase during which the router and the DSLAM establish an ADSL connection and exchange physical-layer packets. At this point, the two devices have not yet begun to exchange ATM cells or to communicate at the Data Link Layer.
Single Mode Fiber Optical fiber that carries data using a single ray (or mode) of light. Single mode fiber is used for long-distance signal transmission.
SIP Session Initiation Protocol. An Application Layer control protocol that hosts use to establish sessions for exchanging packets with multimedia data. SIP enables such features as audio/videoconferencing, interactive gaming, and call forwarding to be deployed over IP networks. It also enables service providers to integrate basic IP telephony services with Web, e-mail, and chat services. Although, in theory, SIP is a user-to-user protocol, in practice SIP relies on proxy and registrar servers, which help the user initiating a session to find the intended remote user. For more detailed information on SIP, see RFC 3261 (at http://www.ietf.org/rfc/rfc3261.txt).
SLA Service Level Agreement. A Frame Relay contract between the subscriber and service provider that specifies the amount of bandwidth that a PVC is guaranteed (the CIR) when the network is congested. The SLA can also specify such parameters as how far past the CIR traffic is allowed to burst when the network is not congested (the EIR).
SMART Jack Self-Monitoring, Analysis, and Reporting Technology jack. An access port to public carrier services. The smart jack is usually owned and maintained by the service provider. See NIU.
SMB Small-to-Medium Business. Typically, a company with fewer than 250 employees.
SMDS Switched Multimegabit Data Service. A type of high-speed packet-switched data communications service that operates at T1 or T3 speeds. SMDS uses the SIP protocol (here the SMDS Interface Protocol, not the Session Initiation Protocol) to encapsulate packets into cells for transport.
SNA Systems Network Architecture. IBM’s proprietary mainframe-to-terminal networking architecture. Developed and implemented in the 1970s, SNA maps to all seven layers of the OSI model.
SNACP SNA Control Protocol. An NCP in the PPP protocol suite that is used to establish a point-to-point connection between hosts sending SNA packets. For more information on SNACP, see RFC 2043 (at http://www.ietf.org/rfc/rfc2043.txt).
SNMP Simple Network Management Protocol. An Application Layer protocol that supports the exchange of management information between network devices. An SNMP network consists of agents, managed devices, and network-management systems. Hierarchically organized information about network devices is stored in and accessed from a management information base (MIB). For more information on SNMP, see RFC 1157 (at http://www.ietf.org/rfc/rfc1157.txt).
SNR Signal-to-Noise Ratio. The ratio of the amplitude of a desired analog or digital data signal to the amplitude of noise in a transmission channel. The SNR measures the quality of a transmission channel or of an audio signal over a network channel. ADSL devices periodically measure a line’s SNR to determine whether the line needs to be taken down and retrained.
SONET Synchronous Optical NETwork. The ANSI standard for synchronous data transmission on optical media. The equivalent international standard is SDH. Complementary standards set by SDH and ANSI allow digital networks to interconnect internationally. The standards also allow existing transmission systems to take advantage of optical media through tributary attachments. SONET is backward compatible with T-carrier lines. See also SDH.
Table 2-4. SONET and SDH digital hierarchies

SONET STS    SONET OCx    SDH STM      Line rate    Overhead rate    Payload rate
designator   designator   designator   (Mbps)       (Mbps)           (Mbps)
STS-1        OC-1         —            51.840       1.728            50.112
STS-3        OC-3         STM-1        155.520      5.184            150.336
STS-12       OC-12        STM-4        622.080      20.736           601.344
STS-48       OC-48        STM-16       2488.320     82.944           2405.376
STS-192      OC-192       STM-64       9953.280     331.776          9621.504

SPI Security Parameters Index. An arbitrary value that uniquely identifies an SA; the SPI is used by VPN peers to match packets to the keys contained in that SA. Peers agree upon the SPI when they negotiate the IPSec SA. When a peer secures a packet to be sent over an IPSec SA, it adds the corresponding SPI to the packet’s ESP or AH header. When a device receives a packet over a VPN tunnel, it reads the packet’s SPI to determine which keys to use to authenticate and decrypt the packet.
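The receive-side lookup described under SA, SHA-1, and SPI above, shown as an added example that is not code from the ProCurve guide or the SROS software. The SPI read from the ESP header selects an entry in a constructed inbound SA table, and that entry's key verifies the packet's HMAC-SHA-1-96 integrity check value (the 160-bit SHA-1 MAC truncated to 96 bits, as in RFC 2404) before the payload is accepted. Encryption, replay windows, and the ESP trailer are omitted; the keys, peers, and packet bytes are invented for the illustration.

```python
"""Added example: demultiplex an ESP packet by SPI and verify its HMAC-SHA-1-96 ICV."""
import hashlib
import hmac
import struct

# Constructed inbound SA database: SPI -> SA attributes. A real device fills this
# from IKE negotiation; these SPIs, peers, and keys are made up for the example.
INBOUND_SAD = {
    0x1000ABCD: {"peer": "203.0.113.10", "auth_key": b"\x11" * 20},
    0x2000BEEF: {"peer": "198.51.100.7", "auth_key": b"\x22" * 20},
}

ICV_LEN = 12  # HMAC-SHA-1-96 keeps the first 96 bits (12 bytes) of the SHA-1 HMAC


def build_esp(spi, seq, payload, auth_key):
    """Build a simplified ESP packet: 4-byte SPI, 4-byte sequence number, payload,
    then the ICV computed over everything that precedes it."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def receive_esp(packet, sad=INBOUND_SAD):
    """Return (status, spi, payload).

    status is 'ok', 'malformed' (too short), 'no-sa' (SPI not in the SA table,
    so the packet must be dropped and logged) or 'bad-icv' (integrity failure).
    """
    if len(packet) < 8 + ICV_LEN:
        return ("malformed", None, None)
    spi, _seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return ("no-sa", spi, None)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha1).digest()[:ICV_LEN]
    # Constant-time comparison avoids leaking how many ICV bytes matched.
    if not hmac.compare_digest(icv, expected):
        return ("bad-icv", spi, None)
    return ("ok", spi, body[8:])


if __name__ == "__main__":
    good = build_esp(0x1000ABCD, 1, b"hello", INBOUND_SAD[0x1000ABCD]["auth_key"])
    print(receive_esp(good))                      # ('ok', 268479437, b'hello')
    print(receive_esp(good[:8] + b"jello" + good[13:]))  # bad-icv: payload altered
    print(receive_esp(build_esp(0x3000, 1, b"x", b"k")))  # no-sa: unknown SPI
```

Because the SPI is looked up before any cryptography runs, an unknown SPI costs the receiver almost nothing, whereas a packet with a valid SPI but a bad ICV still costs one HMAC computation; that asymmetry is why devices log both outcomes separately.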
SPID Service Profile IDentifier. A unique identifier used to identify a particular ISDN line and the service and features that line provides. The SPID is generally a 10+ digit number that includes the LDN.
Splitter A splitter electronically isolates the lower frequencies of the telephone signal from the higher frequencies of the DSL signals. Typically, the CO contains the splitter. Splitters are also used to run dedicated wiring for a DSL signal because they physically isolate the DSL wiring from the POTS wiring.
SROS Secure Router Operating System. The operating system that allows a user to configure the ProCurve Secure Router.
SSH Secure SHell. A program/network protocol that allows a user to log into another computer over a network, execute commands in the remote machine’s OS, and move files from one machine to another. SSH provides strong authentication. It secures communications over insecure channels and can be used when tunneling. For more information on SSH, see the Internet Draft at http://www.free.lp.se/fish/rfc.txt/.
SSL Secure Sockets Layer. SSL is a protocol for securing the transmission of messages over the Internet. SSL works by using asymmetric keys to encrypt message data.
SS7 Signaling System 7. SS7 is a type of out-of-band signaling that supports the call-establishment, billing, routing, and information-exchange functions of the PSTN. It is used to set up and tear down the vast majority of telephone calls.
ST Connector A fiber-optic cable connector that uses a bayonet plug and socket. The ST connector was the first de-facto standard connector for most commercial fiber optic wiring.
Figure 2-3. ST connector
Stateful Inspection Firewall A firewall that screens incoming traffic on several OSI layers. The stateful-inspection firewall monitors each session to make sure that it is legitimate. Stateful-inspection firewalls also use an advanced packet-filtering technology to detect suspicious activity and to drop packets prohibited by an organization’s policies. Many network security experts recommend stateful-inspection as the most trusted firewall technology.
S/T Interface A common way of referring to either S or T Interfaces, which are often combined in ISDN connections. This interface connects TE1 or a TA directly to a PRI ISDN NT2 device or a BRI ISDN NT1 device. ISDN devices outside of North America usually provide an S/T interface to communicate with the service provider, which supplies the NT2 and/or NT1.
STM STatistical Multiplexing. A method that service providers use to multiplex packets and send the datagrams FIFO. Statistical multiplexing is similar to time-division multiplexing (TDM), except that rather than arbitrarily assigning a time slot to each signal, each signal is assigned a slot according to priority and need. Statistical multiplexing ensures that timeslots will not be wasted, but it consumes time and processing resources.
STP Shielded Twisted Pair. A kind of copper wiring where each twisted pair is covered in an insulating tube. The covering is designed to protect the wire from electromagnetic interference and functions as a ground. This extra protection, however, limits the wire’s flexibility.
Straight-through Cable A cable that has each internal twisted pair of wires connected to the same pin number at each end.
SVC Switched Virtual Circuit. A temporary physical circuit that is created when a connection is established and that is relinquished after the connection is terminated. The connection path is different each time the subscriber connects. This connection is most often used for dial-up WAN access like ISDN lines.
SYN Synchronize. One of the TCP flags, used when initiating a session to set the first sequence number for the packets that will be transmitted during the session. A circuit-level gateway monitors packets with SYN-flags to determine whether a requested session is legitimate.
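A small model of the session tracking described under Stateful Inspection Firewall and SYN above, added here as an example; it is not code from the ProCurve guide or the SROS firewall. A session entry is created only when an inside host sends a bare SYN; inbound packets are admitted only if they belong to such a session and arrive in the state the handshake allows, so an unsolicited inbound SYN, or an inbound SYN-ACK for a session that was never opened, is dropped. Addresses, ports, and the packet trace are constructed.

```python
"""Added example: minimal TCP stateful-inspection table (constructed, not SROS code)."""
from dataclasses import dataclass

# TCP flag bits as carried in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True when the packet arrives from the untrusted side


class StatefulFirewall:
    """Sessions are keyed by (inside addr, inside port, outside addr, outside port)."""

    def __init__(self):
        self.sessions = {}  # key -> 'SYN_SENT' | 'SYN_RECEIVED' | 'ESTABLISHED'

    @staticmethod
    def _key(pkt):
        # Normalise both directions of one conversation onto a single key.
        if pkt.inbound:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def check(self, pkt):
        """Return 'permit' or 'drop' and advance the session state machine."""
        key = self._key(pkt)
        state = self.sessions.get(key)

        if not pkt.inbound:
            # Only inside hosts may open sessions: a bare SYN creates SYN_SENT.
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.sessions[key] = "SYN_SENT"
                return "permit"
            if state is None:
                return "drop"  # outbound non-SYN with no session is invalid
            if state == "SYN_RECEIVED" and pkt.flags & ACK:
                self.sessions[key] = "ESTABLISHED"  # third step of the handshake
            if pkt.flags & (FIN | RST):
                self.sessions.pop(key, None)
            return "permit"

        # Inbound: admit only packets that match a session the inside host started.
        if state is None:
            return "drop"  # unsolicited inbound SYN (or anything else) is refused
        if state == "SYN_SENT":
            if pkt.flags & SYN and pkt.flags & ACK:
                self.sessions[key] = "SYN_RECEIVED"
                return "permit"
            return "drop"  # while waiting for SYN-ACK nothing else is legitimate
        if pkt.flags & (FIN | RST):
            self.sessions.pop(key, None)
        return "permit"


def demo():
    """Run a constructed packet trace and return the verdict for each packet."""
    fw = StatefulFirewall()
    trace = [
        Packet("10.0.0.5", 40001, "203.0.113.10", 80, SYN, inbound=False),       # permit
        Packet("203.0.113.10", 80, "10.0.0.5", 40001, SYN | ACK, inbound=True),  # permit
        Packet("10.0.0.5", 40001, "203.0.113.10", 80, ACK, inbound=False),       # permit
        Packet("203.0.113.10", 80, "10.0.0.5", 40001, ACK | PSH, inbound=True),  # permit
        Packet("198.51.100.7", 5555, "10.0.0.5", 22, SYN, inbound=True),         # drop
        Packet("10.0.0.5", 40002, "203.0.113.10", 443, ACK, inbound=False),      # drop
    ]
    return [fw.check(p) for p in trace]


if __name__ == "__main__":
    print(demo())
```

A production implementation also ages entries out (a half-open session that never completes is exactly what a SYN flood produces) and tracks sequence numbers; this model keeps only the state transitions to make the difference from a stateless packet filter visible.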
Synchronous Transmission A method of data transmission that allows bits to be sent in a continuous stream; the beginning of one character is contiguous with the end of the preceding one. The separation of characters requires the receiver to maintain synchronization with a master timing source.
T
T-interface Connects the NT1 to the NT2 in an ISDN network. The T-interface is a four-wire/two twisted pair connection. Outside North America, the T-interface is the first interface at the subscriber’s premises.
T1-carrier line A carrier-line that carries speech or data at the DS-1 rate. T1 lines operate with 24 DS0 channels of 64 Kbps each for a total of 1.544 Mbps bandwidth.
T3 A digital carrier signal designed to transmit speech or data at the DS-3 rate. T3 lines transmit data with 28 multiples of T1 bandwidth (1.544 Mbps each) for a total of 44.736 Mbps.
TA Terminal Adapter. A device that converts TE2 analog signals into ISDN-ready digital signals.
TACACS+ A client/server protocol that transports data between a TACACS+ client and server. The TACACS+ server contains a database of information on network hosts and users. It provides client authentication at the client’s request. TACACS+ can also authorize a client to access certain network applications, and TACACS+ can log, or account for, clients’ activity. TACACS+ allows independent handling of the aspects of AAA. For more information on the original TACACS protocol, see RFC 1492 (at http://www.ietf.org/rfc/rfc1492.txt). See also AAA.
TCP Transmission Control Protocol. An OSI Transport Layer protocol that is part of the IP protocol suite. TCP allows applications on networked hosts to create connections to one another over which they can exchange data. TCP guarantees reliable and in-order data delivery. TCP also distinguishes data for multiple, concurrent applications (e.g. a web server and an email server) running on the same host. Protocols that run over TCP include, among many others, HTTP, email, and SSH. For more information on TCP, see RFC 793 (at http://www.ietf.org/rfc/rfc0793.txt).
TDM Time Division Multiplexing. A type of digital multiplexing that allows multiple signals to share the same physical line. TDM interleaves pulses representing bits from different channels into a bit stream. Each DS0/E0 channel receives an equal slice of time in a rotating, repeated sequence. The receiving device can derive the two or more channels from the bit stream.
TEI Terminal Endpoint Identifier. A field in an LAPD signaling frame that identifies the terminal endpoint on the subscriber’s ISDN line. TEIs can be statically or automatically assigned.
Telco American slang for the telephone company.
Telnet TELephone NETwork. A TCP/IP protocol/program. The purpose of the Telnet Protocol is to provide a fairly general, bi-directional, 8-bit byte-oriented communications facility. It is typically used to provide user-oriented command line login sessions between hosts on the Internet. The name “Telnet” came about because the protocol was designed to emulate a single terminal attached to the other computer. For more information about the Telnet protocol, see RFC 854 (at http://www.ietf.org/rfc/rfc0854.txt).
TE1 Terminal Equipment 1. Equipment that can be directly connected to the ISDN line (often using an S/T Interface). Examples include ISDN phones, routers, ISDN computers, digital phones, and digital fax machines.
TE2 Terminal Equipment 2. ISDN equipment that requires a connection to a TA before being connected to the NT1 or NT2. Examples are PCs with EIA 232 interfaces and analog telephones and fax machines.
TFTP Trivial File Transfer Protocol. A protocol that uses UDP to transmit and receive files and provides no security features. TFTP is often used by servers to boot diskless workstations, X-terminals, and routers. It can also be used as a file server. For more information about TFTP, see RFC 1350 (at http://www.ietf.org/rfc/rfc1350.txt).
Timeslot A placeholder for network traffic; a window of time that can be reserved for a particular transmission. Because channels in T1/E1 connections use TDM, channels are considered timeslots since each channel gets an equal amount of time to transmit.
ToS Type of Service. An 8-bit header field in IPv4 packets, which allows you to mark traffic for special handling. Two standards define how the ToS field defines traffic: IP precedence, the original standard for using this field, and DiffServ. For more information about the ToS field in the IP header, see the RFC 791 on IP (at http://www.ietf.org/rfc/rfc0791.txt). See also IP precedence and DiffServ.
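The two readings of the ToS byte mentioned above, as an added example that is not code from the ProCurve guide: the same byte decoded as IP precedence (the top three bits) and as DSCP (the top six bits), with the DSCP value mapped to its standard per-hop-behaviour name (CSx, AFxy, EF). The decoder also separates the low two bits, which RFC 3168 later assigned to ECN, so that remarking DSCP leaves them intact. Sample values are constructed.

```python
"""Added example: decode and remark the IPv4 ToS byte (constructed, not SROS code)."""


def dscp_name(dscp):
    """Return the standard PHB name for a 6-bit DSCP value, or 'unassigned'."""
    if dscp == 0:
        return "BE"           # default / CS0
    if dscp == 46:
        return "EF"           # expedited forwarding, 101110
    if dscp & 0x7 == 0:
        return f"CS{dscp >> 3}"  # class selector: low three bits zero
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    # AFxy: class 1..4, drop precedence 1..3, lowest bit zero
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"
    return "unassigned"


def decode_tos(tos):
    """Decode one ToS byte both as IP precedence and as DSCP (plus ECN bits)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must fit in one byte")
    dscp = tos >> 2
    return {
        "precedence": tos >> 5,   # original 3-bit IP precedence field
        "dscp": dscp,             # DiffServ code point
        "ecn": tos & 0x3,         # low two bits, now ECN
        "phb": dscp_name(dscp),
    }


def mark_dscp(tos, dscp):
    """Rewrite the DSCP field of a ToS byte, preserving the ECN bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is six bits")
    return (dscp << 2) | (tos & 0x3)


if __name__ == "__main__":
    for sample in (0x00, 0x28, 0xB8, 0xC0):  # constructed ToS values
        print(hex(sample), decode_tos(sample))
    print(hex(mark_dscp(0x03, 46)))          # 0xbb: EF with ECN bits kept
```

Note that IP precedence and DSCP overlap: precedence 5 corresponds to DSCP 40 (CS5), so a device that only understands precedence still orders EF (DSCP 46, precedence 5) above AF classes.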
Transform Set A combination of security protocols, algorithms, and other settings that will be applied to IPSec-protected traffic. During the IPSec SA negotiation, the VPN peers agree to use a particular transform set when protecting a particular data flow. See also SA.
Transport Layer Layer 4 of the OSI model. The purpose of the Transport Layer is to provide transparent data transfer between end users. This layer is also responsible for end-to-end error recovery and flow control.
Tunnel A virtual point-to-point connection in which data is encrypted and encapsulated at one endpoint for secure transmission across a public or untrusted network, and de-encapsulated and decrypted at the receiving endpoint.
U
UBR Unspecified Bit Rate. An ATM bandwidth-allocation service that does not guarantee any throughput levels and uses only available bandwidth. UBR is often used when transmitting data that can tolerate delays.
U-interface In an ISDN connection, the U-interface is the connection between the local loop and NT1. For BRI ISDN, the U-interface is one twisted pair. For PRI ISDN, the U-interface is two twisted pairs. There is only one U-interface on an ISDN network.
UDP User Datagram Protocol. A stateless protocol that is part of the IP protocol suite. Using UDP, programs on network computers can send datagrams to one another. UDP does not provide the reliability and ordering guarantees that TCP does; datagrams may arrive out of order or go missing without notice. However, UDP is faster and more efficient for many lightweight or time-sensitive programs. For more information about UDP, see RFC 768 (at http://www.ietf.org/rfc/rfc0768.txt).
UNI User to Network Interface. A term used in ATM and Frame Relay networks, UNI is the interface between the ATM or Frame Relay end user and a private ATM/Frame Relay switch. It also can represent the interface between a private ATM/Frame Relay switch and the public carrier ATM/Frame Relay network.
UTP Unshielded Twisted Pair. A common form of wiring in which two conductors are wound around each other for the purpose of canceling out electromagnetic interference, which can cause crosstalk. The number of twists per meter makes up part of the specification for a given type of cable. The greater the number of twists, the more crosstalk is reduced. UTP is an unshielded form of twisted pair wiring and is the primary wire type for telephone usage. UTP is also common for computer networking, especially in patch cables or temporary network connections.
V
VBR Variable Bit Rate. A quality of service setting. VBR encoding varies the amount of output data in each time segment based on the complexity of the input data in that segment. The goal is to maintain constant quality instead of maintaining a constant data rate. VBR is preferred for storage (as opposed to streaming) because it makes better use of storage space. See also CBR.
VC Virtual Circuit. A circuit or path between points in a network that appears to be a discrete, physical path, but is not. The VC is actually a managed pool of circuit resources from which specific circuits are allocated, as needed, to meet traffic requirements.
VCI Virtual Channel Identifier. A 16-bit field in an ATM cell’s header that identifies the cell’s next destination. The VCI is similar to the DLCI in a Frame Relay network.
VDSL Very high bit rate DSL. VDSL runs on fiber optic, providing extremely high-speed WAN connections. VDSL is ideal for HDTV and supports data, video, and voice transmissions simultaneously. VDSL can transmit data symmetrically or asymmetrically.
VLAN Virtual Local Area Network. The IEEE 802.1Q standard enables you to group users by logical function rather than by physical location. By creating VLANs on switches, you can segment networks into smaller broadcast domains, enhance network security, and simplify network management.
VP Virtual Path. In an ATM connection, the VP is a bundle of virtual channels that have the same endpoint.
VPI Virtual Path Identifier. An eight-bit field in the ATM header that identifies the virtual path through an ATM network to which the packet belongs.
VPN Virtual Private Network. A virtual point-to-point connection that transfers data over the public telecommunication infrastructure while maintaining privacy through the use of a tunneling protocol and security procedures. A VPN has comparable security with a system of owned or leased lines that can only be used by one company. For more information about VPNs, see RFC 2764 (at http://www.ietf.org/rfc/rfc2764.txt). See also IPSec.
VRRP Virtual Router Redundancy Protocol. VRRP is a protocol that allows routers to work together to ensure hosts always have a default gateway. Instead of designating a single default gateway router, VRRP defines a group of routers as one “virtual router,” which acts as the default gateway to the hosts. The group of routers is set up in a hierarchy where a subordinate router may take over as master router in the event of a master router failure. For more information about VRRP, see RFC 3768 (at http://www.ietf.org/rfc/rfc3768.txt).
V.35 An ITU standard for high-speed synchronous data exchange. In the United States and Canada, V.35 is the interface standard most public carriers use to connect routers to a standalone CSU/DSU.
W
WAN A high-speed network within a wide geographical area (usually larger than a city or metropolitan area) that shares data, programs, or equipment.
WFQ Weighted Fair Queue. A queuing mechanism where the administrator is able to create multiple queues for different traffic classes and assign a “weight” value to each queue in proportion to its traffic priority level. See also QoS.
Wildcard Bits Wildcard bits use reverse logic relative to a subnet mask: a 0 bit marks a position in the IP address that must match the ACL entry, and a 1 bit marks a position that does not need to match.
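The wildcard-bit matching just described, as an added example that is not code from the ProCurve guide or the SROS ACL implementation. It converts a prefix length to a wildcard mask (the bitwise inverse of the subnet mask), tests an address against an entry, and evaluates a standard ACL top-down with the implicit deny at the end. It goes one step beyond the definition by including a non-contiguous wildcard (0.0.0.254), which a subnet mask cannot express. The addresses and the ACL are constructed.

```python
"""Added example: wildcard-mask matching for standard ACLs (constructed, not SROS code)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len):
    """Wildcard mask for a /prefix_len network: the inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return ipaddress.IPv4Address(netmask ^ ALL_ONES)


def matches(addr, entry_addr, wildcard):
    """True when every bit whose wildcard bit is 0 agrees between addr and entry_addr."""
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ALL_ONES ^ w          # positions that must match
    return (a & care) == (e & care)


def first_match(acl, addr):
    """Evaluate a standard ACL, a list of (action, entry_addr, wildcard), top-down.
    Entry order matters: the first matching entry decides, and a packet that
    matches nothing is denied."""
    for action, entry_addr, wildcard in acl:
        if matches(addr, entry_addr, wildcard):
            return action
    return "deny"  # implicit deny any


# Constructed ACL: refuse even-numbered hosts in 10.0.0.0/24, permit the rest of it.
SAMPLE_ACL = [
    ("deny", "10.0.0.0", "0.0.0.254"),    # non-contiguous: only the lowest bit must match
    ("permit", "10.0.0.0", "0.0.0.255"),  # equivalent to 10.0.0.0/24
]

if __name__ == "__main__":
    print(wildcard_from_prefix(24))                 # 0.0.0.255
    for host in ("10.0.0.4", "10.0.0.5", "192.0.2.1"):
        print(host, first_match(SAMPLE_ACL, host))  # deny, permit, deny
```

Reading a wildcard as "bits I do not care about" explains why 0.0.0.0 means a single host and 255.255.255.255 means any address, and why swapping in a subnet mask by mistake inverts the intended match.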
WRED Weighted Random Early Discard. A quality of service congestion-avoidance mechanism. WRED begins to discard packets before the queue reaches full capacity in order to slow TCP traffic. Packets to be dropped are chosen according to assigned traffic classes and priorities, and the dropped packets signal the TCP server to slow the transmission rate. See also QoS.
X
X-Authentication Between phase one and phase two of IKE negotiations, X-authentication is the process of authenticating the host that is originating the transmission to the network. IKE normally authenticates only the WAN gateway.
xDSL X-type DSL. A term that collectively refers to the different types of DSL.
X.21 A type of physical and electrical interface that uses two types of circuits: balanced (X.27/V.11) and unbalanced (X.26/V.10). CCITT X.21 uses the DB-15 connector. The physical interface between the DTE and the local PTT-supplied DCE is defined in ITU-T recommendation X.21. The DCE provides a full-duplex, bit-serial, synchronous transmission path between the DTE and the local service provider. It can operate at data rates from 600 bps to 64 Kbps.
X.509 An ITU-T standard for defining digital certificates. X.509 is the signing system used for SSL. See also PKI.
Sources
AIInet at www.aiinet.com/documents/html/aiconnect/m/config/10x/glossary.htm/
Answers.com at http://www.answers.com/
BCR’s Guide to Important Abbreviations and Acronyms in Data Communications and Networking
Business Communications Review: January 2000–August 2000 issues.
CertCities.com at http://www.certcities.com/
DSLReports.com at http://www.dslreports.com/faq/6114/
Fastforward Networks. Multimedia Terms (Handbook for MultiMediaCom 2000)
IETF RFCs at http://www.ietf.org/
Inclusive.com at http://www.inclusive.com/mmr/prodtypes/pbx.htm/
Intelligent Network 2000: Comprehensive Report
International Engineering Consortium. Digital Subscriber Line 2000: Comprehensive Report.
Iona.com at http://www.iona.com/support/docs/manuals/orbix/33/html/orbixsslcxx33_pguide/Validating_Certificates_C++.html/
Javvin.com at http://www.javvin.com/protocolAAL.html/
mpirical.com at http://www.mpirical.com/
The MPLS Resource Center at http://mplsrc.com/
msdn.microsoft.com/
Networksorcery.com at http://www.networksorcery.com/
Newton’s Telecom Dictionary, 2000
Webopedia at http://www.webopedia.com/
Whatis.com at http://www.whatiscom
Wikipedia at http://www.wikipedia.com/
Master Index
B = Basic Management and Configuration Guide
A = Advanced Management and Configuration Guide

Numerics
100Base-T cable … B:3-2
10Base-T cable … B:3-2
2B1Q line coding, for BRI ISDN … B:8-9, A:3-7, A:3-9
802 Slow Protocol frame … A:12-3
802.1Q
  encapsulation … B:3-18
  support for … B:3-15
  tag … B:3-15
802.1X protocol … B:2-40

A
AAA subsystem
  accounting … B:2-25
    assigning named list … B:2-26
    named list for … B:2-25
  advantages of … B:2-15
  authentication
    assigning named list … B:2-20
    banner … B:2-21
    configuring … B:2-16
    failure message … B:2-21
    named list for enable mode … B:2-16
    named list for management access … B:2-18
    prompts … B:2-21
  authorization … B:2-23
    assigning named list … B:2-24
    enabling for console line … B:2-24
    named list for … B:2-23
  configuring through CLI … B:2-14
  configuring through Web browser interface … B:14-27
  criteria for failure … B:2-19
  debug command for … B:2-35
  enabling … B:2-15
  RADIUS server … B:2-27
  TACACS server … B:2-31
  troubleshooting … B:2-35
  using with Xauth … A:8-50, A:8-51
AAL … B:7-20
AAL5SNAP … B:7-20
ABM … B:6-39
access control
  AAA subsystem … B:2-14
  ACLs and ACPs … A:5-4
  management access to router … B:2-4
access policy sessions
  clearing … A:5-54
  viewing … A:5-52
accounting
  with AAA subsystem … B:2-25
ACL
  action taken … A:5-34
  applying directly to interface … A:5-6
  applying to interface … A:5-18
  clear counters … A:5-56
  command syntax … A:5-8
  creating … A:5-8
  debug … A:5-56
  defined … A:5-4
  deleting … A:5-18
  descriptive tag … A:5-17
  different from ACP … A:5-5
  editing … A:5-17
  entry order … A:5-15
  examples … A:5-23
  extended
    command syntax for entry … A:5-11
    defined … A:5-7
    destination address … A:5-12
    destination port … A:5-13
    for demand routing … B:8-19, A:3-18
    implicit "deny any" … B:8-21
    log option … B:8-21, A:5-15
    packet bits … A:5-15
    permit entry … A:5-11
    source address … A:5-12
    source port … A:5-13
    specify protocol … A:5-12
  for FTP access … A:5-21
  for HTTP access … A:5-21
  for NAT … A:6-8
    many-to-one … A:6-9
    one-to-one … A:6-10, A:6-12
Index – 1
  for VPN traffic
    applying to crypto map … A:8-38, A:8-45
    configuring … A:8-35
    matching an outgoing packet … A:8-22
    restricting traffic … A:8-36
    troubleshooting … A:8-75
  implicit deny any … A:5-10
  processing entries in … A:5-15
  QoS … A:7-13
    CBWFQ … A:7-23
    LLQ … A:7-38
    packet marking … A:7-45
  standard
    command syntax for entry … A:5-9
    defined … A:5-7
    deny entry … A:5-9, A:5-11
    log … A:5-11
    specifying source address … A:5-9
  troubleshooting … A:5-54
  viewing … A:5-49
ACP
  ACL
    as traffic selector … A:5-35
    configure … A:5-26
    extended … A:5-31
    standard … A:5-28
  assign to interface … A:5-37, A:6-15
  command syntax for … A:5-35
  configuring with Web browser interface … A:14-30
  configuring, for NAT … A:6-13
  creating … A:5-35
  defined … A:5-4
  different from ACL … A:5-5
  editing … A:5-36
  entry
    command syntax for … A:5-36
    importance of order … A:5-38
  examples of … A:5-46
  flow chart … A:5-42
  for Telnet access … A:5-22
  implicit “discard all” … A:5-35
  logging matches … A:4-26
  monitoring connections … A:6-20
  processing … A:5-38
  summary of action taken … A:5-41
  traffic flow through interface … A:5-43
  viewing … A:5-49
    active sessions … A:5-52
    for NAT … A:6-16
    statistics … A:5-53, A:6-18
administrative distance
  default, for OSPF … B:13-36
  default, for static and dynamic routes … B:11-11, B:13-11
  in floating static route … B:11-16
  selecting routes based on … B:11-8
  setting, for BGP routes … B:13-105
  specifying … B:11-15
ADSL
  ADSL Lite … B:7-10
  ADSL2 … B:7-5
  ADSL2+ … B:7-5
  Annex A … B:7-8, B:7-9
  Annex B … B:7-8, B:7-9
  distance supported … B:7-5
  downstream traffic … B:7-4
  DSLAM … B:7-7
  elements of, connection … B:7-6
  infrastructure … B:7-7
  READSL2 … B:7-6
  See also ADSL interface
  showtime … B:7-13
  splitterless … B:7-10
  splitters … B:7-9
  upstream traffic … B:7-4
ADSL interface
  accessing … B:7-12
  activating … B:7-13
  binding to ATM interface … B:7-27
  configuring through CLI … B:7-12
  configuring through Web browser interface … B:14-61
  Data Link Layer for … B:7-7, B:7-17
  debug commands … B:7-47
  force retraining … B:7-16
  port number … B:7-12
  See also ADSL
  slot number … B:7-12
  SNR-Margin … B:7-15
  SNR-margin monitors … B:7-16
  training mode … B:7-13, B:7-15
  troubleshooting … B:7-46
  viewing status of … B:7-41
ADSL module
  ADSL2+ Annex A … B:7-11
  ADSL2+ Annex B … B:7-11
  supported standards … B:7-11
AF … A:7-22
  DiffServ values … A:7-22
  DSCP … A:7-22
AF traffic classes … A:7-8, A:7-9
  DiffServ values … A:7-9
  subclasses … A:7-9, A:7-21
AH
  authenticating a packet … A:8-6
  finding algorithm used by peer … A:8-84
  header … A:8-5
  incompatibility with NAT-T … A:8-32
  manually defining key for … A:8-67, A:8-68
  specifying algorithm for … A:8-41, A:8-65
ALG
  configuring … A:4-18
  definition of … A:4-7
  FTP … A:4-19
  H.323 … A:4-19
  PPTP … A:4-20
  SIP … A:4-19
  supported by ProCurve Secure Router … A:4-8
algorithm … A:8-6
  See also encryption algorithm and hash algorithm
analog backup … A:3-5
  See also modem interface and backup
application-level gateway
  See ALG
area border router
  See OSPF, ABR
ARM … B:6-39
AS
  definition of … B:13-7
  routing between … B:13-7, B:13-65
  with OSPF … B:13-35
ASBR
  See OSPF, ASBR
assured forwarding
  See AF
asymmetric DSL
  See ADSL
Asynchronous Balanced Mode … B:6-39
Asynchronous Response Mode … B:6-39
ATM adaptation layer … B:7-20
ATM interface
  activating … B:7-17
  binding to ADSL interface … B:7-27
  configuring through Web browser interface … B:14-63
  creating … B:7-17
  subinterface
    AAL configuration … B:7-20
    activating … B:7-19
    as a DHCP client … B:7-21
    as an unnumbered interface … B:7-24
    binding to PPP for PPPoA … B:7-38
    binding to PPP for PPPoE … B:7-33
    configuring … B:7-18
    creating … B:7-18
    debug commands … B:7-49
    IP address … B:7-20
    OAM … B:7-26
    PVC … B:7-18, B:7-19
    RBE … B:7-40
    troubleshooting … B:7-49
    viewing status of … B:7-44
    VPI/VCI … B:7-19
  troubleshooting … B:7-48
  troubleshooting OAM … B:7-49
  viewing status of … B:7-44
attack checking … A:4-6, A:4-9
  Denial of Service … A:4-10
  drop packets … A:4-9
  enabling firewall … A:4-14
  logging attacks … A:4-26
  optional checks … A:4-15
  reflexive traffic … A:4-12, A:4-16
  SYN-flood attack check … A:4-16
  types of attacks … A:4-9, A:4-14
  WinNuke attack check … A:4-15
authentication
  failure of AAA methods … B:2-19
  RADIUS server … B:2-27
  TACACS+ server … B:2-31
  with AAA subsystem … B:2-16
Authentication Header
  See AH
authorization
  with AAA subsystem … B:2-23
auto MDIX, Ethernet ports … B:3-2
autonomous system
  See AS
AutoSynch™ … B:1-34
  configuring with Web browser interface … B:14-5, A:14-5
  enabling … B:1-60, A:1-19
  troubleshooting … B:1-70
B
B channel for ISDN … B:8-4
backup
  choices for configuring … A:3-11, A:3-14
  demand routing for … A:3-12
    See also demand routing
  failover conditions … A:3-11
  LEDs … B:1-25
  module … B:1-19
  persistent backup connections … A:3-14
    backup call modes … A:3-62
    described … A:3-14
    dial list … A:3-63
    dial-up process … A:3-60
    example of … A:3-17
    floating static route for … A:3-67
    IP address for PPP interface … A:3-56
    monitoring dial-up … A:3-87
    multiple … A:3-69
    PPP authentication … A:3-56
    PPP interface … A:3-55
    primary connection settings … A:3-58
    troubleshooting … A:3-84
    viewing dial list … A:3-86
basic mode context … B:1-36
  clear commands … B:1-39
  commands … B:1-39
  show commands … B:1-41
BGP … B:13-65, B:13-104
  advantages … B:13-65
  advertising a network … B:13-71, B:13-170
  clear session … B:13-164
  compared to RIP and OSPF … B:13-9
  configuration examples … B:13-106
  configuration tasks … B:13-68, B:13-70
  default administrative distance … B:13-11
  enabling … B:13-70
  exterior gateway protocol … B:13-7
  intervals … B:13-106
  load balancing … B:13-74, B:13-76, B:13-84
  local AS … B:13-73
    advertising external traffic … B:13-170
    viewing … B:13-167
  messages … B:13-68
  multihoming … B:13-67, B:13-82
    troubleshooting … B:13-172
  neighbor … B:13-68
    configuration … B:13-72
    neighbor ID … B:13-72, B:13-167
    troubleshooting … B:13-166
    viewing … B:13-162, B:13-168
  policies, examples of … B:13-81
  prefix list … B:13-78
    applying to an interface … B:13-81
    discarding or allowing routes … B:13-80
    entry order with … B:13-80
    example configuration … B:13-85
    filtering routes … B:13-79
    load balancing with … B:13-84
    naming … B:13-80
    network address … B:13-80
    prefix length, specifying … B:13-80
    prohibiting advertisement of external traffic … B:13-82
    troubleshooting … B:13-165
  remote AS … B:13-73
  route maps … B:13-86
    applying policies to inbound routes … B:13-102
    applying to neighbor … B:13-104
    communities, deleting … B:13-103
    controlling routes neighbor advertises … B:13-94
    entry in … B:13-87
    filtering inbound routes … B:13-100
    load balancing … B:13-96
    routes advertised … B:13-89
  route summaries … B:13-105
  router ID … B:13-72
  soft reconfiguration … B:13-104
  troubleshooting … B:13-162
    common problems … B:13-172
binding
  ADSL interface to ATM … B:7-27
  ADSL interface to ATM interface … B:7-27
  ATM subinterface to PPP interface … B:7-33, B:7-38
  multiple carrier lines to Frame Relay interface … A:2-10
  multiple carrier lines to PPP interface … A:2-6
  physical interface to Frame Relay interface … B:6-35
  physical interface to HDLC interface … B:6-43
  physical interface to PPP interface … B:6-10
Boink attack … A:4-9
Bonk attack … A:4-9
boot
  code … B:1-30
    updating … B:1-59
  error messages … A:1-25
  using to troubleshoot configurations … A:1-26
bootstrap mode context … B:1-66
  commands … B:1-67
bootup process … B:1-30
Border Gateway Protocol
  See BGP
BRI backup interface
  demand routing
    activating … A:3-41
    caller ID … A:3-42
    configuring … A:3-37
    LDN for BRI S/T … A:3-39
    resource pool member … A:3-41
    SPID for BRI U … A:3-40
    switch type … A:3-38
  line status … A:3-72
  persistent backup connection
    activating interface … A:3-49
    bonding channels … A:3-50, A:3-64
    caller ID … A:3-53
    configuring … A:3-47
    LDN for BRI S/T … A:3-48
    SPID for BRI U … A:3-49
    switch type … A:3-48
  See also BRI primary interface
  test calls … A:3-83
  troubleshooting … A:3-70
BRI ISDN
  local loop … B:8-5, A:3-7
BRI primary interface
  accessing … B:8-40
  activating … B:8-43
  assigning to ISDN group … B:8-44
  caller ID options … B:8-43
  configuring … B:8-40
  LDN for BRI S/T module … B:8-43
  line maintenance … B:8-75
  See also BRI backup interface
  signaling (switch) type … B:8-41
  SPID and LDN for BRI U module … B:8-42
  test calls … B:8-73
  troubleshooting … B:8-69
  viewing status of … B:8-64
bridge table … B:10-5, B:10-11
  viewing … B:10-8, B:10-9
bridging
  bridge group configuration … B:10-6, B:10-7
  configuring … B:10-5
  interfaces … B:10-7
  IP addresses with … B:10-7
  overview … B:10-3
  protocol … B:10-4, B:10-6
  QoS … A:7-25, A:7-40, A:7-48
  remote … B:10-3
    disabling IP routing … B:10-7, B:10-10
    merging remote networks … B:10-4
  table
    See bridge table
  troubleshooting … B:10-10
  valid interfaces … B:10-6
broadband network, regional … B:7-7
C
CA
  certificate … A:8-56
    loading … A:8-58
  profile … A:8-57, A:8-58
  role in IKE authentication … A:8-10
  SCEP … A:8-56, A:8-57
  selecting … A:8-55
  submitting self certificate request to … A:8-59
cable
  100Base-T … B:3-2
  10Base-T … B:3-2
  Category 3 … B:1-14
  Category 5 … B:1-14
  crossover … B:9-14
  EIA 530 … B:5-11
  for DSX-1 … B:9-14
  for G.703 … B:9-5
  serial … B:1-10, B:1-13
  UTP for E1 or T1 connection … B:4-7
  UTP ribbon … B:7-12
  V.35 … B:5-9
  X.21 … B:5-10
call
  ISDN, setup process … B:8-12
caller ID
  caller-number … B:8-38, A:3-36
  overriding … B:8-43, A:3-42
CBWFQ … A:7-11, A:7-18, A:7-19
  bandwidth allocating … A:7-26, A:7-27
  class defining … A:7-20
    bridged traffic … A:7-25
    IP header … A:7-22
    RTP … A:7-25
    ToS value … A:7-21
    UDP port … A:7-25
  example configuration … A:7-29
  percent versus remaining percent … A:7-27, A:7-56, A:7-68
  with multilinks … A:7-28, A:7-29
central office
  See CO
certificate authority
  See CA
certificate revocation list
  See CRL
Challenge Handshake Authentication Protocol
  See CHAP
Channel Service Unit/Digital Service Unit
  See CSU/DSU
channels
  E1- and T1-carrier lines … B:4-12
  FDL, for T1 interface … B:4-19
  for E1 interface … B:4-12
  for ISDN … B:8-4
  for T1 interface … B:4-13
CHAP
  example configuration … B:6-51
  for backup interfaces … A:3-43
  for primary ISDN interfaces … B:8-53
  hashing … B:6-12
  password … B:6-14, B:6-15
  password, case-sensitive … B:6-64
  troubleshooting … B:6-64
  username (hostname) … B:6-13, B:6-15
  username, case-sensitive … B:6-64
Chargen attack … A:4-9
CIDR
  DHCP pool … B:13-8, B:13-9
  IP address for ATM subinterface … B:7-21
  IP address for Frame Relay subinterface … B:6-29
  IP address for HDLC interface … B:6-42
  IP address for PPP interface … B:6-8
  notation … B:11-6
  static route … B:11-14
CIR
  Frame Relay … B:6-19
  setting … B:6-33
class-based weighted fair queuing
  See CBWFQ
CLI … B:1-5
  accessing … B:1-10
  editing commands … B:1-64, A:1-13
  events displayed in … B:1-51
  file management using the copy command … A:1-15
  help tools … B:1-64, A:1-12
  initial access … A:1-9
  IP address convention … B:1-7, A:1-5
  prompt convention … B:1-6, A:1-4
  using to set up Web browser interface access … B:1-11, A:1-10
client ID
  interface as DHCP client … B:13-23
  viewing, for DHCP client … B:13-19
client-to-site VPN
  IKE mode config … A:8-47
  IKE mode for … A:8-28
  NAT-T with … A:8-31
  peer ID
    in crypto map … A:8-44
    in IKE policy … A:8-26
    in remote ID list … A:8-34
  specifying traffic for … A:8-38, A:8-48
  Xauth with … A:8-49
clock source
  for E1 interface … B:4-17
  for primary BRI interface … B:8-15
  for serial interface … B:5-13
  for T1 interface … B:4-17
CO
  ADSL distance and service … B:7-5
  ADSL infrastructure … B:7-4
  local loop … B:5-4
  of public carrier … B:4-4
commands
  basic mode … B:1-39
  clear commands … B:1-39, B:1-44
  clear event-history … A:4-25
  clock … B:1-45
  configure … B:1-46
  copy … B:1-46, A:1-15
  do … B:1-66, A:1-14
  editing … B:1-64, A:1-13
  enable mode … B:1-43
  erase … B:1-50
  events … B:1-51
  exit … B:1-66, A:1-15
  global configuration mode … B:1-60
  help … B:1-64, A:1-12
  no … B:1-66, A:1-14
  reload … B:1-51
  reload in … B:1-72
  show … A:1-20
  show event-history … A:4-25
  show tech … B:1-57
  show, list of … B:1-51
  syntax conventions for … B:1-5
  write … B:1-56
communities
  BGP … B:13-95
community list
  for route map … B:13-88
compact flash
  advantages of booting from … B:1-32
  configuring, card … B:1-33
  file transfer with … B:1-81
  slot location … B:1-28
  troubleshooting … B:1-70
configuration file
  editing using a text editor … B:1-73, A:1-24
  running-config … B:1-30
  startup-config … B:1-30
  transfer using
    compact flash … B:1-81
    console port … B:1-76
    TFTP … B:1-78
connect sequence
  for demand interface … B:8-30, A:3-28
connector
  RJ-11 … B:7-12, B:8-8
  RJ-45 … B:3-2, B:8-8
  RJ-48C … B:4-7, B:9-14
console
  configuring password through Web browser interface … B:14-23
  establishing a terminal session with … A:1-9
  file transfer with … B:1-76
  password for … B:2-5
  port … B:1-13
  terminal session with … B:1-10
context
  basic mode … B:1-35, B:1-36
  bootstrap mode … B:1-66
  enable mode … B:1-35, B:1-36
  global configuration mode … B:1-36, B:1-37, B:1-46, B:1-60
counters
  clear ACL … A:5-56
  clearing Frame Relay counters … B:6-69
  clearing interface counters … B:1-39
  Frame Relay … B:6-26, B:6-69
CRC4 frame format … B:4-15
CRL
  deleting … A:8-64
  importing manually … A:8-61
  managing … A:8-64
crypto map
  applying to an interface … A:8-46
  associating with IKE policy … A:8-44
  creating … A:8-43
  IKE, configuring with … A:8-42
  manual keying
    configuration tasks … A:8-65, A:8-67
    example configuration … A:8-69
    setting session key … A:8-67, A:8-68
    setting SPI … A:8-68
    transform set … A:8-65, A:8-66
  peer ID, setting … A:8-43
  processed by router … A:8-20
  transform set, specifying … A:8-44
  viewing … A:8-71, A:8-86
CSU
  external … B:4-7
  purpose of … B:4-5, B:5-5
CSU/DSU
  built into router … B:4-7
  external … B:4-7
  purpose of … B:1-16, B:4-5, B:5-5
D
D channel
  ISDN … B:8-4
  LAPD transmitted over … B:8-10
D4 frame format … B:4-16
data communications equipment … B:6-21
Data Link Layer
  ATM … B:7-17
  configuring through Web browser interface … B:14-46
  for backup … A:3-11
  Frame Relay … B:6-19
  HDLC … B:6-39
  LLDP … A:12-2
  PPP … B:6-6
  purpose of … B:4-3, B:5-3
  Q.921, or LAPD … B:8-9
  Q.931 … B:8-9
data terminal equipment … B:6-21
DCE … B:6-21
DE bit … B:6-35
debug commands … B:1-49
  ADSL … B:7-47
  ATM OAM … B:7-49
  BGP … B:13-163
  crypto ike … A:8-74
  crypto ipsec … A:8-74
  crypto pki … A:8-74
  DHCP client … B:13-27, B:13-28
  DHCP server … B:13-19, B:13-20
  DNS client … B:12-14
  DNS proxy … B:12-11, B:12-12
  Ethernet … B:3-25
  Frame Relay … B:6-66, B:6-68, A:2-16
  HDLC … B:6-69
  IKE messages … A:8-78, A:8-79, A:8-81
  interface tunnel … A:9-13
  ISDN … B:8-72, A:3-81
  LLDP … A:12-9, A:12-11
  OSPF … B:13-153
  PPP … B:6-60, A:2-13, A:2-15
  PPP authentication … B:6-14, B:6-62
  PPP for PPPoE … B:7-53
  PPPoE … B:7-50
  RIP … B:13-151
  spanning tree … B:10-24
  VPN … A:8-74
  VPN debug messages … A:8-76
default route
  configuring … B:11-17
  receiving from a DHCP server … B:13-24
  with dynamic routing … B:11-18
  with OSPF … B:13-35, B:13-51
demand interface
  ACL for interesting traffic … B:8-27, A:3-24
  ACL to control access to … B:8-27, A:3-25
  answer/originate call … B:8-29, A:3-26
  called-number … B:8-39, A:3-36
  caller-number … B:8-38, A:3-36
  configuration summary … B:8-63, A:3-77
  connect sequence … B:8-30, A:3-27
  connect sequence attempts … B:8-33, A:3-30
  connect-order … B:8-32, A:3-29
  creating … B:8-23, A:3-21
  establishing an ISDN call … B:8-48
  fast-idle option … B:8-38, A:3-35
  hold queue … B:8-39, A:3-36
  idle-timeout option … B:8-37, A:3-34
  inter-relationship of connect-sequence commands … B:8-35, A:3-32
  IP address … B:8-24, A:3-22
  MLPPP … B:8-50
  MLPPP fragmentation … B:8-52
  MLPPP interleave … B:8-51
  MTU … B:8-56, A:3-46
  PPP authentication … B:8-54, A:3-43
  recovery state … B:8-33, A:3-30
  resource pool … B:8-30, A:3-27
  spoofing up state … B:8-22, A:3-23
  static route … B:8-46
  static route, floating … A:3-42
  troubleshooting … B:8-68, A:3-79
  viewing information about … B:8-61, A:3-80
  viewing resource pool … B:8-67, A:3-78
  viewing running-config for … B:8-67, A:3-79
demand routing
  backup connections
    configuring … A:3-17
    connection instructions … A:3-32
    example … A:3-13, A:3-16
    initiating … A:3-12
  primary ISDN modules … B:8-16
    configuration steps … B:8-18
    connection instructions … B:8-30
    example … B:8-53
    initiating … B:8-26
    ISDN groups … B:8-44
  viewing sessions … B:8-66, A:3-78
demarc
  carrier line … B:4-5
  ISDN connections … B:8-7, A:3-7
  location for carrier lines … B:5-5
demultiplexing channels … B:4-12
Denial of Service attack … A:4-16
designated router
  See OSPF, DR
DHCP
  client
    See DHCP client
  configuring through Web browser interface … B:14-94
  excluded addresses … B:13-7, B:13-18
  overview … B:13-3
  pool
    See DHCP pool
  relay … B:13-6, B:13-30
  request process … B:13-3, B:13-4, B:13-19
  scope for VLAN … B:13-5, B:13-16
  server
    See DHCP server … B:13-4
DHCP client
  ATM subinterface as … B:7-21
  Ethernet interface as … B:3-5
  Frame Relay subinterface as … B:6-29
  interface as … B:13-5
    activating … B:13-21, B:13-22
    client ID … B:13-23
    hostname for … B:12-16
    receiving optional configurations … B:13-21, B:13-24
    releasing address … B:13-27
    renewing address … B:13-27
    troubleshooting … B:13-26, B:13-27, B:13-28
    valid interfaces … B:13-6
    viewing lease … B:13-26
  viewing connected clients … B:13-19
DHCP pool
  child … B:13-13
  creating … B:13-7
  default gateway … B:13-9
  example configuration … B:13-14
  lease time … B:13-10
  multiple … B:13-8
  network address … B:13-8
  parent … B:13-13
  single fixed address … B:13-14, B:13-21
  VLAN … B:13-15
DHCP server
  client names in host table … B:12-9
  configuring router as … B:13-5, B:13-6
  functions … B:13-3
  ping settings … B:13-17, B:13-18
  troubleshooting … B:13-18
  viewing client bindings … B:13-19
Diffie-Hellman key
  automatic generation with IKE … A:8-9, A:8-64
  key lengths … A:8-67
  PFS group for … A:8-46
  specifying group for IKE SA … A:8-24, A:8-29
DiffServ … A:7-5, A:7-7, A:7-10
  AF mapping … A:7-9
  CBWFQ classes … A:7-10, A:7-21
  DSCP marking … A:7-10, A:7-43, A:7-48
    See also packet marking
  IP precedence mapping … A:7-8, A:7-10, A:7-17
  LLQ values … A:7-10, A:7-37
  WFQ mapping … A:7-10, A:7-16, A:7-17
digital certificate
  advantages … A:8-55
  CA certificate … A:8-56
  configuring with Web browser interface … A:14-93
  CRL … A:8-64
  deleting … A:8-63
  keys used with … A:8-10
  loading CA certificate … A:8-59
  obtaining automatically … A:8-57, A:8-59
  obtaining manually
    configuring profile … A:8-58
    importing self certificate … A:8-61
    loading CA certificate … A:8-59
    requesting self certificate … A:8-60
  overview … A:8-54
  peer ID for peer that uses … A:8-34
  See also CA and CRL
  standards … A:8-29, A:8-55
  viewing … A:8-62
digital signal zero … B:4-12
Digital Subscriber Line
  See DSL
Discard Eligible Bit … B:6-35
DLCI … B:6-22
  assigning to Frame Relay subinterface … B:6-28
DNS … B:12-8
  client
    enabling … B:12-8
    functions … B:12-5
    troubleshooting … B:12-14
  configuration tasks … B:12-8
  host table … B:12-3
    See host table
  overview … B:12-3
  proxy
    See DNS proxy
  server
    See DNS server
  support on ProCurve Secure Router … B:12-5
DNS proxy … B:12-8
  default domain name for … B:12-9
  enabling … B:12-10
  external DNS server for … B:12-10
  troubleshooting … B:12-11, B:12-12
DNS server … B:12-3
  configuring through Web browser interface … B:14-89
  external, specifying … B:12-10, B:12-13
  in DHCP pool … B:13-11
  in IKE mode config pool … A:8-48
  receiving from a DHCP server … B:13-24, B:13-26
  router as … B:12-10
    See also DNS proxy
do command … B:1-66
domain name
  default … B:12-9
  definition … B:12-3
  DHCP pool, in … B:13-12
DR
  See OSPF, DR
  See PIM-SM, DR
drop-and-insert module
  description of … B:9-3
  DSX-1 interface
    assigning channels to T1 interface … B:9-14
    setting clock source on T1 interface … B:9-15
    viewing configuration of … B:9-20
  DSX-1 module
    physical connection … B:9-13
    supported standards … B:9-3
  G.703 interface
    assigning channels to E1 interface … B:9-5
    setting clock source on E1 interface … B:9-7
    viewing configuration of … B:9-11
  G.703 module
    physical connection … B:9-4
    supported standards … B:9-3
DS0 … B:4-12
DSCP
  See DiffServ
DSL
  description of … B:7-4
  types of … B:7-4
DSL access multiplexer
  See DSLAM
DSLAM … B:7-7, B:7-9
  RBE … B:7-39
  training phase with ADSL interface … B:7-13
DSU
  built into router … B:4-7
  purpose of … B:4-5, B:5-5
DSX-1 interface
  accessing … B:9-16
  activating … B:9-19
  checking the status of … B:9-19
  configuring … B:9-13
    frame format … B:9-17
    line coding … B:9-16
    line length … B:9-18
    signaling mode … B:9-18
  configuring through Web browser interface … B:14-74
  T1 interface
    assigning channels … B:9-14
    setting the clock source … B:9-15
  troubleshooting
    accruing errored seconds and clock slips … B:9-21
    alarms or errors that will not clear … B:9-20
    yellow alarm … B:9-21
DSX-1 module
  physical connection to … B:9-13
  standards supported … B:9-4
DTE … B:6-21
duplex setting
  for Ethernet interface … B:3-10
dynamic DNS … B:12-15, B:13-25
  activating the client … B:12-16, B:12-17
  configuration tasks … B:12-16
  overview … B:12-6, B:12-15
  services
    Custom DNS … B:12-7, B:12-16, B:12-17, B:12-18
    Dynamic DNS … B:12-6, B:12-16
    Static DNS … B:12-7, B:12-17
E
E1 + G.703
  See G.703 interface and drop-and-insert module
E1 frame format … B:4-15
E1 interface
  activating … B:4-20
  binding
    to Frame Relay interface … B:6-35
    to HDLC interface … B:6-43
    to PPP interface … B:6-11
  channels for … B:4-12
  clock source … B:4-17
  configuration mode context for … B:4-11
  configuring through CLI … B:4-10
  configuring through Web browser interface … B:14-39
  Data Link Layer
    Frame Relay … B:6-23
    HDLC … B:6-39
    PPP … B:6-6
  example Frame Relay configuration … B:6-47
  example PPP configuration … B:6-46, B:6-47
  frame format … B:4-15
  line coding … B:4-14
  line errors … B:4-22
  port number … B:4-11
  slot number … B:4-11
  speed for channel … B:4-13
  threshold commands … B:4-22
  troubleshooting … B:4-30
  viewing configuration of … B:4-28
  viewing status of … B:4-26
E1 module
  standards supported … B:4-8
  with built-in DSU … B:4-8
E1-carrier line
  2.048 Mbps bandwidth … B:4-3
  32 channels … B:4-12
  analog voice on … B:4-3
  elements of … B:4-3
  external CSU … B:4-7
  for analog voice … B:9-3
  local loop … B:4-4
  serial interface for … B:5-3
  with G.703 interface … B:9-3
eBGP multihop … B:13-75
EIA 530 cable … B:5-11
enable mode context … B:1-36
  AAA named list for … B:2-16
  clear commands … B:1-44
  commands … B:1-43
  configuring password through Web browser interface … B:14-21
  password … B:2-4
  show commands … B:1-51
encryption
  See also ESP
  specifying algorithms for … A:8-40
  with IPSec … A:8-6
encryption algorithm
  definition of … A:8-6
  for IKE SA … A:8-29
  for IPSec SA … A:8-41
  minimum key lengths for … A:8-67
error message
  AutoSynch™ … B:1-70
  bootup … B:1-74, B:1-75
  DSX-1 … B:9-20
  Ethernet … B:3-24, B:3-25
  for serial interface … B:5-15
  for unsupported commands … B:1-39
  G.703 … B:9-12
  logging priority … A:4-26, A:4-30
  SafeMode … B:1-62, A:1-22
  thresholds for E1 … B:4-22
  thresholds for T1 … B:4-22
ESF frame format … B:4-16
ESP
  authenticating a packet … A:8-6
  default algorithms (VPN Wizard) … A:8-87
  encrypting a packet … A:8-6
  finding algorithm used by peer … A:8-83
  header … A:8-5
  manually defining key for … A:8-67, A:8-68
  specifying algorithm for … A:8-41, A:8-65
  with NAT-T … A:8-32
  without encryption … A:8-42
et-clock setting … B:5-13
Ethernet frame
  setting maximum size of … B:3-11
Ethernet interface
  accessing … B:3-3
  activating … B:3-4
  as DHCP client … B:3-5
  configuring through CLI … B:3-3
  configuring through Web browser interface … B:14-31
  debug commands … B:3-25
  description for … B:3-12
  duplex settings … B:3-11
  IP address … B:3-5
  MTU … B:3-11
  speed settings … B:3-10
  subinterface
    for VLANs … B:3-18
    IP address … B:3-19
    viewing configurations for … B:3-21
    viewing status of … B:3-19
    VLAN ID … B:3-18
  summary of settings … B:3-13
  troubleshooting … B:3-24
  unnumbered interface … B:3-9
  viewing configuration of … B:3-21
  viewing status of … B:3-19
  VLAN support … B:3-15
Ethernet ports
  auto MDIX … B:3-2
  connection speeds … B:1-14
  LED … B:1-26
  number of … B:1-14, B:3-2
  slot number … B:3-3
event-history, displaying … B:3-25
events
  displaying … B:1-51
  logging … A:4-12
  messages, disabling … B:3-4
exit command … B:1-66
extended authentication
  See Xauth
F
fair queuing
  See WFQ
fast caching … B:11-12, B:11-22, A:7-10
  disabled … B:11-23
  disabled with PBR … B:13-125
FDL channel … B:4-19
FIFO … A:7-10, A:7-11, A:7-17, A:7-31
  packet threshold … A:7-18
file management
  copy command … B:1-46
  erase command … B:1-50
  with Web browser interface … B:14-7, A:14-7
  write command … B:1-56
firewall
  ALGs, configuring … A:4-18
  application-level gateway … A:4-7, A:4-9
  attack checking … A:4-6, A:4-9, A:4-14
  blocking attacks … A:4-9
  circuit-level gateway … A:4-8
    as proxy server … A:4-6
    explained … A:4-5
    illustration of … A:4-7
  configuring with Web browser interface … A:14-21
  enabling … A:4-14
  packet-filtering … A:4-8
    definition of … A:4-4
    illustration of … A:4-5
  purpose of … A:4-3
  reflexive traffic check … A:4-16
  stateful-inspection … A:4-4, A:4-6, A:4-8
    timeouts … A:4-21
  stealth mode … A:4-17
  SYN-flood attack check … A:4-16
  WinNuke attack check … A:4-15
firmware
  management of … B:1-46
floating static route … B:11-16
Fraggle attack … A:4-9
frame
  802 Slow Protocol … A:12-3
  Frame Relay … A:7-51
    fragmentation … A:7-51, A:7-54, A:7-64, A:7-68
    header size … A:7-34
  GRE … A:9-2
  headers … A:7-32, A:7-35
  IP … A:9-2
  IP header … A:7-6, A:7-19, A:7-22, A:7-34
    RTP compression … A:7-34
  LAPD … B:8-10
  LLDP … A:12-3
  MLFR
    flag … A:7-34
    header … A:7-34, A:7-64
  MLPPP
    flag … A:7-34
    header … A:7-34
  PPPoE … B:7-29
    PADI … B:7-30
    PADO … B:7-30
    PADR … B:7-30
    PADS … B:7-31
  QoS frames per second … A:7-33
  RTP header … A:7-34
  UDP header … A:7-34
  VoIP … A:7-51, A:7-58, A:7-61
frame format
  CRC4 … B:4-15
  D4 … B:4-16
  E1 … B:4-15
  E1 interface … B:4-15
  ESF … B:4-16
  T1 interface … B:4-16
Frame Relay … B:6-19
  Be … A:7-53, A:7-54
  CIR … B:6-19, A:7-52, A:7-54
  DCE … B:6-21
  DE … A:7-53
  DLCI … B:6-22
  DTE … B:6-21
  EIR … A:7-53
  FRF.12 … A:2-8, A:7-5, A:7-12, A:7-51, A:7-54
    See also Frame Relay fragmentation
  LMI … B:6-23
  network components … B:6-21
  NNI … B:6-21
  PVC … B:6-20, A:7-50
  PVC endpoint … B:6-22
  rate limiting … A:7-50, A:7-51, A:7-52
  SLA … B:6-19, B:6-34
  UNI … B:6-21
  VoIP QoS … A:7-51
Frame Relay fragmentation … A:7-12, A:7-34, A:7-51, A:7-54
  configuring … A:7-64
  fragment size … A:7-54
  packet header size … A:7-34
Frame Relay interface
  activating … B:6-25
  binding to physical interface … B:6-35
  configuring through CLI … B:6-23
  configuring through Web browser interface … B:14-52
  counters … B:6-26
  debug commands … B:6-66
  example configuration … B:6-46, B:6-49
  LMI statistics … B:6-66
  show commands … B:6-53, B:6-66
  signaling role … B:6-25
  signaling type … B:6-26
  subinterface
    as a DHCP client … B:6-29
    CIR … B:6-33
    creating … B:6-28
    DE bit … B:6-35
    description … B:6-37
    DLCI for … B:6-28
    EIR … B:6-34
    IP address … B:6-29
    MTU … B:6-37
    secondary IP address … B:6-36
    unnumbered interface … B:6-32
  summary of main settings … B:6-24
  troubleshooting … B:6-65, A:2-13
    clearing counters … B:6-69
    LMI messages … B:6-68
    LMI statistics … B:6-66
    PVC status … B:6-67
FRF.12
  See Frame Relay fragmentation
FTP
  ACL to control access … A:5-21
  ALG for … A:4-19
  configuring password through Web browser interface … B:14-19, B:14-26
  controlling, access … B:2-13
  local user list … B:2-10
  traffic through a firewall … A:4-5
FTP server
  enabling through the Web browser interface … B:14-15, A:14-15
full-duplex
  Ethernet interface settings … B:3-11
G
G.703 interface
  accessing … B:9-7
  activating … B:9-10
  checking the status of … B:9-10
  configuring … B:9-4
    frame format … B:9-8
    line coding … B:9-7
    TS16 … B:9-9
  configuring through Web browser interface … B:14-74
  E1 interface
    assigning channels … B:9-5
    setting clock source … B:9-7
  show commands … B:9-10
  troubleshooting … B:9-12
    accruing errored seconds and clock slips … B:9-13
    alarms or errors that will not clear … B:9-12
    yellow alarm … B:9-13
  TS16 … B:9-9
G.703 module
  physical connection … B:9-4
  standards supported … B:9-4
G.lite … B:7-10
gateway
  application-level … A:4-7
  circuit-level … A:4-5
Generic Routing Encapsulation
  See GRE
global configuration mode context … B:1-37
  commands … B:1-60
  interface configuration mode context … B:1-37
  line configuration mode context … B:1-38
  router configuration mode context … B:1-38
GRE … A:9-2
  advantages and disadvantages of … A:8-13
  checksum verification … A:9-12
  encapsulation … A:9-5
  tunnel configuration … A:9-4, A:9-5, A:9-7
    See also tunnel
  tunneling … A:9-5
    advantages and disadvantages of … A:9-3
    multicasts … A:9-9
    routing updates … A:9-8
  VPN overlay … A:8-13
H
H.323 … A:7-35, A:7-58, A:7-62
  ALG for … A:4-19
half-duplex
  Ethernet interface settings … B:3-11
hash algorithm
  definition … A:8-6
  for IKE SA … A:8-29
  for IPSec SA … A:8-41
  key length for … A:8-67
HDLC
  ABM … B:6-39
  ARM … B:6-39
  NRM … B:6-39
HDLC interface
  activating … B:6-41
  binding to physical interface … B:6-43
  configuring through CLI … B:6-39
  configuring through Web browser interface … B:14-58
  description … B:6-45
  example configuration … B:6-49
  IP address … B:6-41
  MTU … B:6-44
  secondary IP address … B:6-44
  show commands … B:6-53
  troubleshooting … B:6-69
  unnumbered interface … B:6-42
HDSL … B:7-4
help
  ? command … B:1-64
  tools for CLI … B:1-64, A:1-12
helper address
  for UDP forwarding … B:13-30
high-priority queuing
  See LLQ
host table
  adding an entry … B:12-9, B:12-13
  altering an entry … B:12-13
  dynamic hosts, adding … B:12-9
  queries to … B:12-10, B:12-12
hostname
  adding to local table … B:12-9
  definition … B:12-3
  interface … B:12-16, B:13-24
  LLDP message, in … A:12-4
  preventing LLDP advertisement of … A:12-13
  setting router hostname … B:1-60
  static hostname with dynamic address … B:13-25
    See also dynamic DNS
  viewing neighbors’ … A:12-5
  wildcard … B:12-16
HTTP server
  ACL to control access … A:5-21
  enabling … B:2-11
  enabling through Web browser interface … B:14-15
  local user list … B:2-10
HTTPS server
  enabling … B:2-11
  enabling through web browser interface … B:14-15, A:14-15
  local user list … B:2-10
I
ICMP
  flood … A:4-9
  session timeout … A:4-21
IEEE
  bridging support … B:10-4, B:10-6
  See also bridging
IEEE 802.1Q standard … B:3-15
IEEE 802.1w
  See RSTP
IEEE 802.D
  See STP
IGMP … A:10-6, A:10-7, A:10-8
  downstream interface … A:10-8, A:10-12, A:10-13, A:10-21, A:10-22
  enabling on interface … A:11-29
  interval … A:10-16
  multicasting agent
    configuring … A:10-13
    description … A:10-5
  proxy … A:10-8, A:10-9, A:10-14, A:10-22
    enabling on downstream interface … A:10-14
  query
    altering interval … A:10-16
    description … A:10-6
  report … A:10-6
  show commands … A:10-20
  troubleshooting … A:10-19
  upstream interface … A:10-12, A:10-15
  version … A:10-7, A:10-13, A:10-21
IKE
  advantages … A:8-64
  authentication information, needed for … A:8-19
  authentication methods … A:8-10
  Diffie-Hellman key generation … A:8-9
  monitoring … A:8-76, A:8-78
    phase 2 … A:8-84
  negotiating IPSec SA … A:8-8
  phase 1
    description of … A:8-8
    monitoring … A:8-77
    security proposals … A:8-29
    settings for … A:8-12, A:8-15
  phase 2
    description of … A:8-12
    monitoring … A:8-77
    settings for … A:8-13, A:8-16
  troubleshooting … A:8-78, A:8-79
    comparing IKE policies … A:8-80, A:8-82
    comparing IPSec policies … A:8-82
    viewing peer’s IPSec policies … A:8-83
    viewing security parameters … A:8-81
  Xauth
    See Xauth
IKE attribute policy
  configuring … A:8-28, A:8-29
IKE mode … A:8-26
  aggressive
    definition … A:8-11
    specifying … A:8-27
  default … A:8-26
  initiate, specifying … A:8-27
  main … A:8-34
    definition … A:8-11
    specifying … A:8-27
    with client-to-site VPN … A:8-28, A:8-34
  respond, specifying … A:8-27
IKE mode config
  applying pool to IKE policy … A:8-49
  pool configuration … A:8-48
  viewing a pool … A:8-71
IKE policy
  compatibility with peer … A:8-80
  configuring … A:8-23, A:8-24
  default … A:8-26
  example configuration … A:8-29, A:8-30
  for multiple peers … A:8-25
  peer ID … A:8-24
  processed by router … A:8-20
  viewing … A:8-71
IKE SA
  clearing … A:8-71
  compatibility with peer … A:8-80, A:8-82
  configuring security parameters for … A:8-23
  default settings … A:8-16, A:8-29
  definition … A:8-8
  lifetime … A:8-29
  security parameters for … A:8-15, A:8-29
  specifying peer ID … A:8-24
  viewing … A:8-70
interesting traffic
  defining, for backup with demand routing … A:3-18, A:3-23
  defining, for demand routing … B:8-18
interface
  ADSL … B:7-12
  applying ACL to … A:5-18
  assigning a QoS map to … A:7-28, A:7-42, A:7-49
  assigning ACP to … A:5-37
  ATM … B:7-17
  BRI … B:8-40, A:3-38, A:3-47
  demand … B:8-23, A:3-20
  E1 … B:4-10, B:9-5
    G.703 … B:9-7
  Ethernet … B:3-2
  Frame Relay … B:6-23
  HDLC … B:6-39
  helper address for UDP applications … B:13-30
  loopback
    tunnel source … A:9-6
  modem … A:3-38, A:3-51
  numbering convention … B:1-22
  passive, with RIP … B:13-26
  PPP … B:6-6, A:7-15
  PPP, for PPPoE … B:7-32
  R, for ISDN … B:8-9, A:3-9
  router numbering convention … A:1-5
  S, for ISDN … B:8-8, A:3-9
  serial … B:5-3
  T, for ISDN … B:8-8, A:3-9
  T1 … B:4-10, B:9-14
    DSX-1 … B:9-16
  tunnel … A:9-4, A:9-13
    filtering traffic … A:9-11
    IGMP … A:9-9
    PIM-SM … A:9-9
    sending routing updates … A:9-8
  U, for ISDN … B:8-8, A:3-9
internal flash memory
  See memory
IP address
  ACL … A:7-23, A:7-38, A:7-46
  ATM subinterface … B:7-20
  bridge group … B:10-7
  CBWFQ … A:7-19, A:7-69
  compared to hostname … B:12-3
  definition … B:11-3
  demand interface … A:3-22
  DHCP subnet … B:13-8
  dynamic
    IKE mode with … A:8-27
    interface … B:13-21
    releasing and renewing interface’s dynamic address … B:13-27
    See also DHCP client
    See also dynamic DNS
    static hostname with … B:12-6, B:12-15, B:13-25
  Ethernet interface … B:3-5
  Ethernet subinterface … B:3-19
  excluding from DHCP … B:13-7
  fixed DHCP address … B:13-14
  Frame Relay subinterface … B:6-29
  GRE … A:9-4
  HDLC interface … B:6-41
  helper address for UDP packets … B:13-30
  LLQ … A:7-36, A:7-38
  network address … B:11-4
  notation convention … B:1-7
  PPP backup interface … A:3-56
  PPP interface … B:6-8
  PPP interface, for PPPoE … B:7-33
  QoS map … A:7-20
  routing according to … B:11-7
  SIP … A:7-60
  ToS … A:7-43, A:7-45
  tunnel … A:9-4, A:9-7
  VPN peer’s, specifying … A:8-24
  WFQ … A:7-11, A:7-14
IP precedence … A:7-5, A:7-6, A:7-7, A:7-37
  CBWFQ value … A:7-7, A:7-21
  LLQ priority … A:7-7
  TOS setting … A:7-48
  WFQ value … A:7-7, A:7-15, A:7-16
IP Security (IPSec)
  configuring a VPN using … A:8-15
  definition of … A:8-4
  Diffie-Hellman key
    key length … A:8-67
    specifying group for … A:8-46
  encryption algorithm
    purpose … A:8-6
    specifying … A:8-40
  hash algorithm
    purpose … A:8-6
    specifying … A:8-40
  header … A:8-5
  IKE with … A:8-8
  mode
    specifying … A:8-42
    transport … A:8-5
    tunnel … A:8-5
  module for … A:8-14
  protocols … A:8-5
    See also AH and ESP
  See also VPN, crypto map, IKE, and transform set
  VPN tunnel … A:8-7
IP spoofing attack … A:4-9
IPSec SA
  clearing … A:8-71
  configuring with IKE
    advantages … A:8-8
    tasks … A:8-15, A:8-23
  definition of … A:8-7
  manual keying
    crypto map configuration … A:8-65, A:8-67
    example configuration … A:8-69
    key length … A:8-67
    other crypto map configurations … A:8-68
    setting session key … A:8-67, A:8-68
    setting SPI … A:8-68
    transform set … A:8-65, A:8-66
  security parameters
    compatibility with peer … A:8-82
    configuring … A:8-40
    configuring in crypto map … A:8-44, A:8-45
    configuring in transform set … A:8-40
    default settings … A:8-87
    finding peer’s using debug commands … A:8-83
    overview … A:8-16
    viewing … A:8-85
  viewing … A:8-71
ISDN
  and ADSL … B:7-9
  backup methods using … A:3-11
  BRI transmission rates … B:8-4, A:3-9
  call setup … B:8-12
  channels … B:8-4, A:3-6
  characteristics of … B:8-4, A:3-5
  Data Link Layer … B:8-9, A:3-12, A:3-55
  elements of, connection … B:8-5, A:3-7
  establishing a connection … B:8-36
  line coding for BRI … B:8-9
  PRI … B:8-4
  R interface … B:8-9, A:3-9
  S interface … B:8-8, A:3-9
  switch … B:8-7, A:3-7
  switch type for … B:8-41, A:3-39
  T interface … B:8-8, A:3-9
  U interface … B:8-8, A:3-9
ISDN backup module
  BRI S/T … A:3-9
  BRI U … A:3-9
ISDN group
  assigning BRI interface to … B:8-44
  assigning to resource pool … B:8-45
  configuring … B:8-44
  creating … B:8-44
ISDN primary module
  BRI S/T … B:8-15
  BRI U … B:8-15
  supported standards … B:8-15
J
J1-carrier line … B:4-3
Jolt attack … A:4-9
Jolt2 attack … A:4-9
K
key
  definition of … A:8-6
  manually specifying for VPN tunnel … A:8-68
L
LAN
  connecting router to … B:3-2
Land attack … A:4-9
LAPD … B:8-10
  frames … B:8-10
LBO
  setting, for T1 interfaces … B:4-18
LDN
  backup ISDN connection (demand routing) … A:3-39
  persistent backup connections … A:3-48
  primary ISDN modules … B:8-43
  viewing LDN for peer … A:3-87
LED
  backup … B:1-25, A:3-71
  Ethernet … B:1-26
  fault … B:1-23
  power … B:1-23
  Stat … B:1-24
  troubleshooting E1 or T1 interface using … B:4-31
  troubleshooting serial interface using … B:5-18
  Tx and Rx … B:1-25
  wide slot … B:1-25
Line Build Out … B:4-18
line coding
  for E1 interface … B:4-14
  for T1 interface … B:4-14
Link Management Interface … B:6-23
link state advertisement
  See OSPF, LSA
LLDP … A:12-2
  detailed information, viewing … A:12-6
  enabling and disabling … A:12-12, A:12-13
  frame format … A:12-3
  message
    information in … A:12-3
    monitoring … A:12-9
    viewing complete … A:12-10
  neighbor, viewing … A:12-5, A:12-7
  timers
    setting … A:12-14
    viewing … A:12-11
LLQ … A:7-6, A:7-11, A:7-31
  bandwidth guarantee … A:7-41, A:7-42
  bridged traffic … A:7-40
  CBWFQ … A:7-20, A:7-30
  IP header value … A:7-38
  RTP … A:7-38
  ToS value … A:7-37
LMI … B:6-23
  statistics, viewing … B:6-66
local loop
  ADSL … B:7-7
    broadband network … B:7-7
    DSLAM … B:7-7
    splitters … B:7-9
  carrier line
    CSU/DSU … B:4-5
    demarc … B:4-5
    NIU … B:4-5
    office channel unit … B:4-6
    repeater … B:4-6
    structure of … B:4-4
    wire span … B:4-5
  demarc … B:5-5
  ISDN … B:8-5, A:3-7
    interfaces for connecting equipment … B:8-8
    ISDN switch … B:8-7, A:3-7
    NIU … B:8-7, A:3-8
    NT1 … B:8-7, A:3-8
    NT2 … B:8-7, A:3-8
    repeater … B:8-7, A:3-7
    TA … B:8-7, A:3-8
    TE1 … B:8-7, A:3-8
    TE2 … B:8-7, A:3-8
  serial interface
    NIU … B:5-5
    repeater … B:5-6
    structure of … B:5-4
local user list … B:2-10
  encrypting passwords … B:2-11
logging
  ACP matches … A:4-26
  attacks … A:4-26
  events … A:4-12, A:4-23, A:4-24
  forwarding to email address … A:4-29
  forwarding to syslog server … A:4-27
  priority level … A:4-24
logical interface
  ATM … B:7-17
  demand interface … B:8-23, A:3-20
  for persistent backup connection … A:3-54
  Frame Relay … B:6-19
  HDLC … B:6-39
  PPP … B:6-6
loopback interface
  eBGP multihop with … B:13-75, B:13-166
  load balancing with … B:13-74
  OSPF router ID … B:13-41
low-latency queuing
  See LLQ
LSA
  See OSPF, LSA

M
MAC address
  LLDP message, in … A:12-4
  viewing neighbors’ … A:12-5
management access
  configuring policies to control … A:14-39
match command … A:7-25
  dscp … A:7-45
  ip rtp … A:7-38, A:7-47
  list … A:7-40, A:7-46
  match list … A:7-25
  protocol bridge … A:7-41, A:7-48
  QoS map options … A:7-20, A:7-37, A:7-70
memory
  internal flash size … B:1-29
  types of … B:1-29
MLFR
  binding multiple carrier lines to Frame Relay interface … A:2-10
  bundle ID … A:2-11, A:2-18
  CBWFQ … A:7-28
  configuring with Web browser interface … A:14-20
  enabling … A:2-9
  QoS … A:7-28, A:7-34, A:7-64
    per-call bandwidth … A:7-61
  troubleshooting … A:2-16
  understanding … A:2-8
MLPPP
  binding multiple carrier lines to PPP interface … A:2-6
  CBWFQ … A:7-28
  configuring … A:2-3
  configuring with Web browser interface … A:14-18
  enabling … A:2-6
  example of, with demand routing … B:8-52
  for demand interface … B:8-50
  fragmentation … B:8-52
  header … A:2-5
  interleave … B:8-51
  LCP options for … A:2-5
  MRRU … A:2-5, A:2-15
  QoS … A:7-28, A:7-34
  session … A:2-5
  troubleshooting … A:2-15
modem interface
  demand routing
    configuring … A:3-37
    countrycode … A:3-40
    resource pool-member … A:3-41
  persistent backup connections
    activating interface … A:3-52
    countrycode … A:3-51
  troubleshooting … A:3-74
  using for a console session … A:3-53
module
  ADSL2+ … B:1-18
  ADSL2+ Annex A … B:7-11
  ADSL2+ Annex B … B:7-11
  backup … B:1-19
    installing … A:3-10
    standards supported … A:3-10
  E1 … B:1-16, B:4-8
  E1+G.703 … B:9-4
  IPSec VPN … B:1-27, A:8-14, A:8-23
  ISDN primary … B:1-18, B:8-13
  list of modules … B:1-15
  T1 … B:1-17, B:4-9
  T1+DSX-1 … B:9-13
  wide slot … B:1-20
MPLS
  used by ISP … B:13-66
MRRU … A:2-5, A:2-16
MTU
  for demand interface … B:8-56, A:3-46
  for Ethernet interface … B:3-11
  for Frame Relay subinterface … B:6-37
  for HDLC interface … B:6-44
  for PPP interface … B:6-17
  OSPF concerns with … B:13-158
  routing table, in … B:11-9
  tunnel keys … A:9-14
multicast routing table
  (*, G) entry … A:11-7, A:11-8, A:11-49
  (S, G) entry … A:11-8, A:11-11, A:11-13, A:11-49
  flags … A:11-49, A:11-50, A:11-52
    RP-bit … A:11-50
    SPT-bit … A:11-13, A:11-14
  incoming interface … A:11-4, A:11-10, A:11-52
  monitoring … A:11-48, A:11-51
  null incoming interface … A:11-58
  outgoing interface list … A:11-4, A:11-53
  SG entry … A:11-7
multicasting … A:10-3, A:10-11
  adding router stack … A:10-16
  addresses … A:10-4
  applications of … A:10-2
  downstream interface
    configuring … A:10-13
    description … A:10-12
  enabling IP routing … A:10-11
  forwarding
    downstream … A:10-14
    helper address … A:10-11, A:10-12, A:10-14, A:10-15, A:10-21, A:10-22, A:10-24
    setting of … A:10-11
  host group … A:10-4, A:10-6, A:10-16, A:10-20
  multicast stub routing … A:10-10
  route table … A:10-22
  routing protocols … A:10-7
  show commands … A:10-20
  troubleshooting … A:10-19, A:10-20
  tunneling traffic through Internet … A:10-15
  upstream interface
    configuring … A:10-15
    description … A:10-12
multihoming
  troubleshooting … B:13-172
  with BGP … B:13-67, B:13-82
multi-netted environment … A:4-16
  protecting … A:4-12
  See also reflexive traffic … A:4-16
multiplexing channels … B:4-12

N
named list
  accounting … B:2-25
  authentication … B:2-18
  authorization … B:2-23
NAT
  ACL … A:6-8
  ACP … A:6-13
    assign to interface … A:6-15
    many-to-one … A:6-13
    one-to-one … A:6-14
    port translation … A:6-14
  compatibility with a VPN … A:8-31
  configuring … A:6-7
  configuring ACL for many-to-one … A:6-9
  many-to-one … A:6-2
  one-to-one … A:6-5
  one-to-one, with port translation … A:6-6
  troubleshooting … A:6-20
  with PAT … A:6-3
NAT Discovery (NAT-D) … A:8-31
NAT-Traversal (NAT-T)
  correct IPSec protocol for … A:8-32
  enabling … A:8-31, A:8-32
  NAT-D packet … A:8-31
  router performance … A:8-32
  version … A:8-32
neighbors
  viewing LLDP information … A:12-5
  viewing LLDP information, real time … A:12-7
Nestea attack … A:4-9
network interface unit
  See NIU
Network Termination 1 … B:8-7, A:3-8
Network Termination 2 … B:8-7, A:3-8
network-to-network interface … B:6-21
Newtear attack … A:4-9
NIU … B:5-5
  carrier line … B:4-5
  ISDN connection … B:8-7, A:3-8
NNI … B:6-21
no command … B:1-66
Normal Response Mode … B:6-39
NRM … B:6-39
NT1 … B:8-7, A:3-8
NT2 … B:8-7, A:3-8
null interface … B:11-18
O
OAM
  debug commands for … B:7-49
  settings … B:7-26
office channel unit
  carrier line … B:4-6
Open Shortest Path First
  See OSPF
Open Systems Interconnection model
  See OSI model … B:4-4
Opentear attack … A:4-9
Operation, administration, and maintenance (OAM)
  See OAM
OSI model
  circuit-level gateway and … A:4-5
  displayed … B:4-4, B:5-4, B:8-5
  layers used in WAN connection … B:4-4, B:8-5
  packet-filtering firewall and … A:4-4
OSPF
  ABR … B:13-31
    area configuration on … B:13-42, B:13-50
    LSAs with … B:13-34, B:13-35
    route summaries … B:13-44
    troubleshooting … B:13-160
  advertising a network … B:13-42, B:13-51, B:13-56
  area … B:13-31
    configuration … B:13-36, B:13-42
    example configuration … B:13-32, B:13-37, B:13-38, B:13-49
    minimizing overhead … B:13-29
  as an interior gateway protocol … B:13-7
  ASBR
    default route … B:13-51
    route summaries … B:13-52
  authentication … B:13-29, B:13-60
    problems with … B:13-159
  compared to RIP and BGP … B:13-9
  configuration tasks … B:13-39, B:13-40
  configuring with Web browser interface … A:14-116
  default administrative distance … B:13-11
  DR … B:13-31
    LSAs with … B:13-34
    priority for … B:13-57
  example configuration … B:13-61
  intervals … B:13-58, B:13-59, A:14-123
  LSA … B:13-30, B:13-34
    intervals for … B:13-58
    types … B:13-33, B:13-34, B:13-35
  multicast routing, with … A:11-28
  network backbone or area 0 … B:13-33, B:13-43
  overview … B:13-29
  route summaries
    ABR configuration … B:13-44, B:13-47
    advantages of … B:13-45
    ASBR configuration … B:13-52
    problems with … B:13-160, B:13-161
  router ID … B:13-34, B:13-41
  stub area … B:13-32, B:13-34, B:13-43, B:13-44
  total stub area … B:13-33, B:13-35, B:13-44
    LSAs with … B:13-34
  troubleshooting … B:13-153, B:13-156, B:13-160
    problems router ID … B:13-159

P
packet marking
  example configuration … A:7-49
  LLQ … A:7-42
  selecting traffic … A:7-44
    bridged traffic … A:7-48
    IP header … A:7-45
    RTP … A:7-47
  ToS value setting … A:7-45, A:7-48
PAP
  clear text … B:6-12
  example configuration … B:6-50
  finding peer’s password … B:6-63
  for backup interfaces … A:3-43
  for primary ISDN interfaces … B:8-53
  password … B:6-14
  password, case-sensitive … B:6-64
  troubleshooting … B:6-62
  username … B:6-14
  username, case-sensitive … B:6-64
password
  CHAP … B:6-15
  configuring through Web browser interface … B:14-19
  console … B:2-5
  enable mode … B:2-4
  encrypting all … B:2-11
  local user list … B:2-10
  PAP … B:6-14
  Telnet … B:2-8
Password Authentication Protocol
  See PAP
PAT
  with NAT … A:6-3
PBR … B:13-123
  applying route map to router traffic … B:13-142
  assigning route map to interface … B:13-142
  configuration examples … B:13-142
  default routes … B:13-138
  don’t fragment bit … B:13-141
  implementation
    application … B:13-130
    payload size … B:13-135
    source … B:13-127
    traffic priority … B:13-132
  marking packets with QoS value … B:13-139
  route map … B:13-125
  selecting traffic … B:13-126
  setting the routing policy … B:13-136
  troubleshooting … B:13-173
  uses for … B:13-123
PEM … A:8-59, A:8-61
perfect forward secrecy
  See PFS
permanent virtual circuit
  See PVC
PFS
  default setting … A:8-87
  specifying group … A:8-46
PHB … A:7-8, A:7-10
  assured forwarding … A:7-8, A:7-9, A:7-21, A:7-22
  class-selector … A:7-8, B:13-134
  default … A:7-8
  expedited forwarding … A:7-9, A:7-48
  IP Precedence … A:7-8
  marking traffic … A:7-45, A:7-48
Physical Layer
  of OSI model … B:4-4
  of WAN connection … B:5-3
  purpose of … B:8-5
PIM-SM … A:11-3
  asserts … A:11-26, A:11-27, A:11-58
  configuration examples … A:11-40, A:11-45
  configuration tasks … A:11-28
  DR … A:11-3, A:11-14
  DR, viewing … A:11-55
  enabling on interface … A:11-29
  IGMP, with … A:11-8, A:11-29
  join/prunes … A:11-18, A:11-19, A:11-61
    periodic … A:11-24, A:11-38
    triggered … A:11-22, A:11-23
  monitoring … A:11-48, A:11-54, A:11-55, A:11-56, A:11-61
  multi-access networks, special considerations with … A:11-26, A:11-36, A:11-39
  null incoming interface … A:11-59
  pruning a connection … A:11-14, A:11-21, A:11-58
  receiver joins after source … A:11-16
  register … A:11-10, A:11-25
  RP
    See RP
  RP tree … A:11-4, A:11-8
    (*, G) entry, with … A:11-7
    joining … A:11-8, A:11-15
    using permanently … A:11-36
  SP tree … A:11-5, A:11-7
  SP tree, disabling … A:11-36
  switching to an SP tree … A:11-9, A:11-23
    edge router … A:11-12, A:11-13
    receiver joins after … A:11-16
    threshold for … A:11-35
    threshold, viewing … A:11-55
  timers … A:11-37, A:11-38, A:11-39, A:11-51
  troubleshooting … A:11-48, A:11-54, A:11-55, A:11-56, A:11-61
  unicast routing, with … A:11-7, A:11-28, A:11-32, A:11-60
ping command … B:1-36
  default … B:1-40
  extended options … B:1-40
ping of death attack … A:4-9
PKI
  debug command … A:8-74
  definition … A:8-55
policy-based routing
  See PBR
port authentication … B:2-40
port number
  backup modules … A:3-38, A:3-47
  E1+G.703 module … B:9-4
  Ethernet interface … B:3-3
  for ADSL interfaces … B:7-12
  for DSX-1 … B:9-16
  for G.703 … B:9-7
  for serial interface … B:5-12
  ISDN interface … B:8-44
  T1+DSX-1 module … B:9-13
port translation … A:6-14
port-mapping table … A:6-3
POTS
  and ADSL … B:7-9
power source, redundant … B:1-29
PPP
  authentication for demand interface … B:8-53
  LCP … A:2-4
  NCP … A:2-4
  phases … B:6-5, A:2-4
  See also PPP Authentication
  session … B:6-5
  suite of protocols … B:6-4
PPP authentication … B:6-11
  configuring through Web browser interface … B:14-50
  demand routing … A:3-43
  determining protocol … B:6-14, B:6-65
  peer password … B:6-14
  peer username … B:6-14
  persistent backup connection … A:3-56
  See also PAP and CHAP
  troubleshooting … B:6-62
PPP backup interface
  configuring … A:3-55
PPP interface
  See also PPPoA and PPPoE
  activating … B:6-10
  binding physical interface to … B:6-10
  bridging … B:13-6
  configuring through Web browser interface … B:14-47
  creating … B:6-6
  debug authentication … B:6-14
  debug commands … B:6-60, A:2-13
  description for … B:6-17
  DHCP client on … B:13-6
  example configuration … B:6-46
  for PPPoE … B:7-31
  IP address … B:6-8
  MTU … B:6-17
  negotiated IP address … B:6-8
  secondary IP address … B:6-16
  show commands … B:6-53
  summary of settings … B:6-7
  troubleshooting … B:6-58, A:2-13
  unnumbered interface … B:6-9
PPPoA … B:7-11
  binding ATM subinterface to PPP interface … B:7-38
  configuring … B:7-37
  IP address … B:7-37
  PPP interface for … B:7-37
  troubleshooting PPP … B:7-52
    debug commands … B:7-53
  understanding … B:7-35
PPPoE … B:7-11
  binding ATM subinterface to PPP interface … B:7-33
  description of … B:7-28
  discovery phases … B:7-29
  IP address … B:7-33
  MTU size … B:6-17
  PPP interface for … B:7-32
  setting access concentrator name … B:7-34
  setting PPPoE service name … B:7-35
  show command … B:7-51
  troubleshooting … B:7-50
  troubleshooting PPP … B:7-52
    debug commands … B:7-53
PPTP
  ALG for … A:4-20
preshared key
  adding to VPN remote ID list … A:8-32
  for VPN … A:8-10
  viewing VPN … A:8-71
Privacy Enhanced Mail … A:8-59, A:8-61
ProCurve Secure Router
  models … B:1-5
  product documentation … B:1-7
Protocol Independent Multicast-Sparse Mode
  See PIM-SM
PSTN … B:4-4, B:5-4
PTT authorities … B:4-3, B:5-3
public carrier
  central office of … B:4-4, B:5-4, A:3-7
  See also local loop
public key infrastructure
  See PKI
public switched telephone network … B:4-4, B:5-4
Public Telephone and Telegraph authorities … B:4-3, B:5-3
PVC
  ATM … B:7-18
  Frame Relay subinterface for … B:6-28
Q
Q.931 … B:8-11
QoS
  CBWFQ … A:7-11, A:7-18
  configuration wizard … A:14-47
  configuring with Web browser interface … A:14-44
  data packets … A:7-4
  Ethernet … A:7-55
    example configuration … A:7-57
  FIFO … A:7-10
  Frame Relay … A:7-50, A:7-51
    example configuration … A:7-54
    rate limiting … A:7-52
  FRF.12 … A:7-12, A:7-51
  high-priority traffic … A:7-4
  LLQ … A:7-11, A:7-31
  maps
    See QoS map
  match command
    dscp … A:7-37
    ip rtp … A:7-25
    list … A:7-37
    precedence … A:7-37
  mechanisms … A:7-5
  monitoring … A:7-64
    managing queues … A:7-66
    QoS maps … A:7-65
  OSPF … A:7-5
  SIP … A:7-59
  Telnet … A:7-4
  ToS field … A:7-6
    DiffServ … A:7-7
    IP precedence … A:7-6
    PHBs … A:7-8
  ToS marking … A:7-43
  VoIP … A:7-4
  WFQ … A:7-11, A:7-14
QoS map … A:7-12, A:7-13
  configuring … A:7-20, A:7-44
  deleting … A:7-66
  entry order … A:7-12
  forced inactive … A:7-67
  match command … A:7-70
    dscp … A:7-45, A:7-61
    ip rtp … A:7-38, A:7-47, A:7-61
    list … A:7-40, A:7-46, A:7-63, A:7-70
    precedence … A:7-45
    protocol bridge … A:7-25, A:7-41, A:7-48, A:7-70
  ToS marking … A:7-13
  viewing … A:7-65
queue
  monitoring … A:7-66
  subqueue … A:7-14, A:7-16, A:7-66
queuing
  low-latency
    See LLQ … A:7-6
  weighted fair
    See WFQ

R
R interface … B:8-9, A:3-9
RADIUS server
  authentication … B:2-18
  configuring through Web browser interface … B:14-28
  defining … B:2-27
  defining group … B:2-29
  global settings … B:2-30
  troubleshooting … B:2-36
  Xauth with … A:8-50, A:8-52
RAM … B:1-29
rapid spanning tree protocol
  See RSTP
rate limiting
  Ethernet … A:7-55, A:7-68
  Frame Relay … A:7-50, A:7-52, A:7-63
RBE … B:7-39
  configuring … B:7-40
  example environment … B:7-40
READSL … B:7-4, B:7-6
real-time transport protocol
  See RTP
rebooting router
  with Web browser interface … B:14-13, A:14-13
redundant power source … B:1-29
reflexive traffic … A:4-10, A:4-12
  attack check … A:4-16
  illustration of … A:4-12, A:4-17
reload command … A:5-37
reload in command … B:1-72
rendezvous point
  See RP
repeater … B:5-6
  carrier line … B:4-6
  ISDN connection … B:8-7, A:3-7
resource pool … A:3-27
  assigning ISDN group … B:8-45
  for demand interface … B:8-30
  viewing … B:8-67, A:3-78
RIP
  advertising a network … B:13-21
  advertising a non-RIP network … B:13-23
  as an interior gateway protocol … B:13-7
  compared to OSPF and BGP … B:13-9
  compatibility between versions … B:13-14, B:13-151
  configuration options … B:13-18
  configuring with Web browser interface … A:14-113
  default administrative distance … B:13-11
  default intervals … B:13-18
  overview … B:13-12
  passive interface … B:13-26
  poison reverse … B:13-15, B:13-17
  redistributing routes
    connected … B:13-23
    OSPF … B:13-24
    static … B:13-24
  route summarization … B:13-24
  split horizon … B:13-15, B:13-17
  timing intervals … B:13-17
  triggered updates … B:13-15, B:13-17
  troubleshooting … B:13-151
  updates … B:13-15
  version … B:13-13
  version for an interface … B:13-20
  version, configuring … B:13-20
RJ-11 connector … B:7-12, B:8-8
RJ-45 connector … B:3-2, B:8-8
RJ-48C connector … B:4-7, B:9-14
route maps
  applying policies to inbound routes … B:13-102
  applying to neighbor … B:13-104
  controlling routes advertised … B:13-89
  controlling routes neighbor advertises … B:13-94
  creating … B:13-86
  deleting communities from … B:13-103
  entry in … B:13-87
  filtering inbound routes … B:13-100
  filtering routes
    AS path … B:13-93
    community … B:13-91
    network address … B:13-90
  load balancing … B:13-96, B:13-98
routed bridged encapsulation
  See RBE
router management
  configuration files … B:1-30, B:1-33
  contexts … B:1-35
  controlling access … B:2-4
  rebooting using reload … B:1-51
  remote access … B:2-6
  saving changes … B:1-33
  software updates … B:1-8
routing
  administrative distances … B:13-11
  advantages of routing protocols … B:13-10
  clearing routes … B:11-27, B:13-149
  comparing routing protocols … B:13-9
  configuring through Web browser interface … B:14-88
  disadvantages of routing protocols … B:13-10
  dynamic … B:11-10
  dynamic routing
    Layer 2 devices with … A:12-2
  floating static route … B:11-16
  monitoring routes … B:11-26
  non-IP traffic … B:10-4
  RIP updates … B:13-15
  See also PBR
  static
    See static route
  tunneling updates … A:8-14, A:9-8, B:13-23, B:13-152
  updates
    BGP … B:13-70, B:13-163
    OSPF … B:13-39, B:13-57
Routing Information Protocol
  See RIP
routing table
  information included in … B:11-7, B:11-9
  matching packet to route … B:11-7
  multicast
    See multicast routing table
  OSPF … B:13-157
  viewing … B:11-23, B:11-24, B:13-146, B:13-147
  with routing protocols … B:13-7
routing, dynamic routing
  See RIP, OSPF, and BGP
RP … A:11-3, A:11-6
  RP set … A:11-17
  selecting … A:11-17, A:11-30, A:11-62
  set
    See RP set
  SP tree, joining … A:11-10, A:11-26, A:11-35, A:11-50
  static … A:11-17, A:11-18
  supporting all groups … A:11-31
  supporting specific groups only … A:11-31, A:11-32
RP set
  configuring … A:11-32, A:11-67
  troubleshooting … A:11-62
RPS … B:1-29
RSTP
  BPDU … B:10-12
  BPDU guard … B:10-21
  compatibility with STP … B:10-17
  configuration tasks … B:10-11, B:10-17
  connection type … B:10-15, B:10-21
  disabling … B:10-23
  edge port … B:10-14, B:10-19
  improvements over STP … B:10-14
  link cost … B:10-18, B:10-28
  overview … B:10-4
  priority for becoming root … B:10-18
  sync … B:10-15
  timers … B:10-22
  troubleshooting … B:10-24, B:10-25
  valid interfaces … B:10-11
  viewing the spanning tree … B:10-25, B:10-26
RTP … A:7-25, A:7-34, A:7-38, A:7-47
  compression … A:7-34
  cRTP … A:7-34
running-config … B:1-30

S
S interface … B:8-8, A:3-9
SA … A:8-7
  See also IKE SA and IPSec SA
SafeMode … B:1-61
SAPI … B:8-10
saving changes … B:1-56
SCEP … A:8-56, A:8-57
secure copy server
  enabling … B:2-13
secure router operating system
  See SROS
security
  AAA subsystem … B:2-14
  accounting … B:2-25
  ACL … A:5-5
  ACP … A:5-25
  authorization … B:2-23
  console password … B:2-5
  enable mode password … B:2-4
  encrypting passwords … B:2-11
  local user lists … B:2-10
  management access … B:2-4
  RADIUS server … B:2-27
  remote access … B:2-6
  show users … B:2-14
  TACACS+ server … B:2-31
  Telnet password … B:2-8
security parameter index
  See SPI
self certificate
  definition … A:8-56
  importing manually … A:8-61
  requesting … A:8-59
serial interface
  accessing … B:5-12
  activating … B:5-14
  binding
    to Frame Relay interface … B:6-35
    to HDLC interface … B:6-43
    to PPP interface … B:6-11
  clock source … B:5-13
  configuring … B:5-12
  configuring through Web browser interface … B:14-44
  Data Link Layer
    Frame Relay … B:6-23
    HDLC … B:6-39
    PPP … B:6-6
  rxclock, inverting … B:5-14
  serial-mode setting … B:5-12
  troubleshooting … B:5-17
    problem with line going down … B:5-21
    solutions to problems … B:5-19
  txclock, inverting … B:5-13
  viewing configuration of … B:5-16
serial module
  cable shipped with … B:5-8
  connecting to CSU/DSU … B:5-8
  for E1-carrier lines … B:5-3
  for T1-carrier line … B:5-3
  port number … B:5-12
  slot number … B:5-12
  standards supported … B:5-7
  used with external CSU/DSU … B:5-7
service access point identifier … B:8-10
Service Level Agreement … B:6-19
service level agreement
  and EIR … B:6-34
session initiation protocol
  See SIP
SHDSL … B:7-4
show command … A:7-65
  basic mode context … B:1-41
  bridge table … B:10-8
  crypto ike … A:8-72
  crypto ipsec … A:8-72
  crypto map … A:8-72
  DHCP client binding table … B:13-18
  DHCP lease on router interface … B:13-26
  enable mode commands … B:1-51
  event-history … A:4-25
  Frame Relay … A:2-14
  interfaces
    ADSL … B:7-41
    ATM … B:7-44
    BRI … B:8-64, A:3-71
    demand … B:8-61, A:3-75
    DSX-1 … B:9-19
    E1 … B:4-27, B:9-5
    E1 for G.703 … B:9-13
    Ethernet … B:3-19
    G.703 … B:9-10
    modem … A:3-74
    T1 … B:4-27
    T1 for DSX-1 … B:9-19
    tunnel … A:9-13
  ip access-lists … A:8-72
  LLDP activity … A:12-8
  LLDP neighbors … A:12-6, A:12-7
  LLDP neighbors, real time … A:12-7
  LLDP timers … A:12-11
  logical interfaces … B:6-53
  persistent backup … A:3-85
  PPPoE … B:7-51
  qos map … A:7-65
  qos map interface … A:7-65
  queue … A:7-66
  routing table … B:11-23
  running-config
    DSX-1 … B:9-20
    G.703 … B:9-11
  show connections … B:5-17
  show tech … B:1-57, A:1-20
  spanning tree … B:10-25
  verbose option … B:1-54
showtime
  for ADSL … B:7-13
  monitor for ADSL … B:7-16
signaling
  electrical, for WAN connection … B:4-3
Simple Certificate Enrollment Protocol … A:8-56, A:8-57
SIP … A:7-50, A:7-58, A:7-60
  ALG for … A:4-19
  configuring … A:7-59
  definition … A:7-59
  destination port … A:7-62
  enabling, services … A:7-59
site-to-site VPN
  IKE mode for … A:8-27
  peer ID in crypto map … A:8-43
  peer ID in IKE policy … A:8-24
  peer ID in remote ID list … A:8-33
  specifying traffic for … A:8-37
  Xauth with … A:8-49
SLA … B:6-19
  and EIR … B:6-34
slot
  narrow … B:1-14
  supported modules … B:1-15
  wide … B:1-20
slot number
  for ADSL interfaces … B:7-12
  for backup BRI interfaces … A:3-37, A:3-47
  for backup modem interfaces … A:3-37
  for BRI interfaces … B:8-40
  for E1 interfaces … B:4-11
  for Ethernet interfaces … B:3-3
  for serial interface … B:5-12
  for T1 interfaces … B:4-11
smart jack … B:4-5
  for ISDN … A:3-8
Smurf attack … A:4-9
SNMP … A:12-2
  support … B:1-61
    enabling through Web browser interface … B:14-15
  viewing neighbors’ management agent … A:12-5
SNR-margin … B:7-15
  monitoring … B:7-16
software
  downloading updates … B:1-8, A:1-7
  transfer … B:1-76
  transfer using
    compact flash … B:1-81
    TFTP … B:1-78
spanning tree protocol
  See RSTP
  See STP
speed
  Ethernet connection settings … B:3-10
SPI
  displaying … A:8-71
  manually setting … A:8-67, A:8-68
  matching packets to VPN tunnel … A:8-22
  role in IPSec SA … A:8-7
SPID
  demand routing … A:3-40
  persistent backup connection … A:3-49
  troubleshooting problems with … A:3-73
spoofing
  demand interface … A:3-23
SROS
  and AutoSynch™ technology … B:1-34
  basic mode … B:1-36
  boot code … B:1-30
  enable mode … B:1-36
  global configuration mode … B:1-37
  hierarchy … B:1-34
  managing with Web browser interface … A:14-10
  software … B:1-30
  version
    viewing neighbors’ … A:12-5
SSH
  configuring password through Web browser interface … B:14-19, B:14-24
  lines … B:2-12
  local user list … B:2-10
startup-config … B:1-30
static route … B:11-9
  advantages and disadvantages of … B:11-10
  applications … B:11-13
  configuring … B:11-13, B:11-14, B:11-15
  deleting … B:11-28, B:13-150
  floating … B:11-16
    demand routing … A:3-42
    persistent backup connections … A:3-67
  for demand interface … B:8-46
  null interface, through … B:11-18
  redistributing … B:13-56
  redistributing through RIP … B:13-24
  troubleshooting … B:11-23
stealth mode … A:4-17
STP
  BPDU … B:10-12
  configuration tasks … B:10-11, B:10-23
  configuring through Web browser interface … B:14-80
  disabling … B:10-23
  link cost … B:10-18, B:10-28
  overview … B:10-4
  priority for becoming root … B:10-18
  states … B:10-13
  timers … B:10-22
  troubleshooting … B:10-24, B:10-25
  valid interfaces … B:10-11
  viewing the spanning tree … B:10-25, B:10-26
subinterface
  ATM … B:7-18, A:7-17
  Ethernet … B:3-18
  Frame Relay … B:6-28, A:7-54
Syndrop attack … A:4-9
SYN-flood
  attack … A:4-9, A:4-10
  attack check … A:4-16
syslog server
  forwarding logs to … A:4-27
T
T interface … B:8-8, A:3-9
T1 + DSX-1
  See DSX-1 interface and drop-and-insert module … B:9-13
T1 interface
  activating … B:4-20
  binding
    to Frame Relay interface … B:6-35
    to HDLC interface … B:6-43
    to PPP interface … B:6-11
  channels for … B:4-13
  clock source … B:4-17
  configuration mode context for … B:4-11
  configuring through CLI … B:4-10
  configuring through Web browser interface … B:14-39
  Data Link Layer
    Frame Relay … B:6-23
    HDLC … B:6-39
    PPP … B:6-6
  FDL channel … B:4-19
  frame format … B:4-16
  LBO … B:4-18
  line coding … B:4-14
  line errors … B:4-22
  port number … B:4-11
  slot number … B:4-11
  speed for channel … B:4-13
  threshold commands … B:4-22
  troubleshooting … B:4-30
  viewing configuration of … B:4-28
  viewing status of … B:4-26
T1 module
  standards supported … B:4-9
  with built-in CSU/DSU … B:4-9
T1-carrier line
  1.544 Mbps bandwidth … B:4-3
  24 channels … B:4-12
  analog voice on … B:4-3
  CSU/DSU in router … B:4-7
  elements of … B:4-3
  external CSU/DSU … B:4-6
  for analog voice … B:9-3
  local loop … B:4-4
  serial interface for … B:5-3
  with DSX-1 interface … B:9-3
TA … B:8-7, A:3-8
TACACS+ server
  accounting … B:2-25
  authentication … B:2-18
  authorization … B:2-23
  clear statistics … B:2-38
  defining … B:2-31
  global settings … B:2-34
  group of … B:2-33
  troubleshooting … B:2-37
  Xauth with … A:8-50, A:8-52
Targa attack … A:4-9
TCP
  attacks … A:4-10
  session timeout … A:4-21, A:4-22
TDM
  used in carrier lines … B:4-12
TE1 … B:8-7, A:3-8
TE2 … B:8-7, A:3-8
TearDrop attack … A:4-9
TEI … B:8-10
Telnet … A:5-21
  ACL to control access … A:5-22
  configuring access to … B:2-8
  configuring password through Web browser interface … B:14-22
  password for … B:2-8
  QoS … A:7-4, A:7-40
  using local user list for access … B:2-13
terminal adapter … B:8-7, A:3-8
terminal endpoint identifier … B:8-10
terminal equipment 1 … B:8-7, A:3-8
terminal equipment 2 … B:8-7, A:3-8
TFTP
  enabling support through Web browser interface … A:14-15
  file transfer with … B:1-78
  server, specifying in DHCP pool … B:13-11
  support, enabling through Web browser interface … B:14-15
threshold
  E1 … B:4-21
  T1 … B:4-21
time division multiplexing … B:4-12
timeout
  application … A:4-22
  protocol … A:4-21
  session … A:4-21
timers
  LLDP
    setting … A:12-14
    viewing … A:12-11
ToS … A:7-5, A:7-6, A:7-7, A:7-37
  assured forwarding … A:7-9
  bits … A:7-7
  CBWFQ … A:7-19
  classifying traffic … A:7-21
  definition … A:7-6
  DiffServ … A:7-7, A:7-9
  IP precedence … A:7-6, A:7-8
  LLQ … A:7-36, A:7-42, A:7-71
  marking … A:7-43, A:7-45, A:7-48, A:7-61
  values … A:7-8, A:7-9, A:7-20, A:7-37
  viewing … A:7-65
  VoIP … A:7-47
  WFQ … A:7-11
traceroute command … B:1-36, B:11-26
traffic
  filtering with ACL … A:5-5
  filtering with ACP … A:5-25
  interesting, for backup with demand routing … A:3-23
traffic shaping
  Ethernet … A:7-56, A:7-68, A:7-73
  Frame Relay … A:7-52, A:7-55, A:7-63
  See also rate limiting
training phase
  ADSL … B:7-13
training-monitor
  for ADSL … B:7-16
transform set
  algorithms, specifying … A:8-40
  tunnel mode … A:8-42
  viewing … A:8-71, A:8-86
transmission media … B:4-3
troubleshooting
  AAA subsystem … B:2-35
  ACL … A:5-54
  ACL for demand routing … B:8-71, A:3-80
  ACP … A:5-54
  ADSL interface … B:7-46
  ATM interface … B:7-48
  ATM subinterface … B:7-49
  AutoSynch™ … B:1-70
  BGP … B:13-162
  BRI backup interfaces … A:3-70
  bridging … B:10-10
  CHAP … B:6-64
  compact flash performance … B:1-70
  debug commands … B:1-49
  debug isdn commands … B:8-72, A:3-81
  demand routing … B:8-68, A:3-79
  DHCP client … B:13-26
  DHCP server … B:13-18
  DNS … B:12-11
  DSX-1 interface … B:9-20
  E1 interface … B:4-30
  Ethernet interface … B:3-24
  events command … B:1-51
  firewall … A:4-13, A:4-25, A:4-29
  Frame Relay interface … B:6-65
  G.703 interface … B:9-12
  GRE … A:9-13
  HDLC interface … B:6-69
  IKE … A:8-76
  IPSec … A:8-73
  MLFR … A:2-16
  MLPPP … A:2-15
  multilinks … A:2-12
  OSPF … B:13-153
  persistent backup connection … A:3-90
  PIM-SM … A:11-48, A:11-56
  PPP authentication … B:6-62
  PPP interface … B:6-58
  PPPoE … B:7-50
  QoS … A:7-67
  RADIUS server … B:2-36
  RIP … B:13-151
  routing … B:13-146
  serial interface … B:5-17
  static routing … B:11-23
  T1 interface … B:4-30
  TACACS+ server … B:2-37
  tunnel … A:9-13
  VPN … A:8-73
  with reload in command … B:1-72
TS16
  configuring … B:9-9
  description … B:9-9
tunnel … A:8-4, A:9-4
  configuring with Web browser interface … A:14-104
  destination … A:9-4, A:9-5, A:9-6, A:9-8
  IP address … A:9-4, A:9-7
  key … A:9-7
  multicast … A:10-15
  See also VPN tunnel
  source … A:9-4, A:9-5
  troubleshooting … A:9-13
Twinge attack … A:4-9
type of service
  See ToS

U
U interface … B:8-8, A:3-9
UDP
  forwarding DHCP … B:13-30
  session timeout … A:4-21, A:4-22
UNI
  for Frame Relay … B:6-21
unnumbered interface
  ATM subinterface as … B:7-24
  Ethernet interface as … B:3-9
  Frame Relay subinterface as … B:6-32
  HDLC interface as … B:6-42
  PPP interface as … B:6-9
updating
  boot code … B:1-59
users
  viewing, accessing router … B:2-14
user-to-network interfaces
  Frame Relay … B:6-21

V
V.35 cable … B:5-9
VCI … B:7-19
VDSL … B:7-4
  See also ADSL
verbose option
  for show commands … B:1-54
videoconferencing
  ALG for … A:4-19
virtual channel identifier … B:7-18
virtual path identifier … B:7-18
virtual private network
  See VPN
virtual routing and forwarding
  used by ISP … B:13-66
VLAN
  DHCP scopes … B:13-5, B:13-15, B:13-16
  enabling support for … B:3-17
  ID for Ethernet subinterface … B:3-18
  IP address for Ethernet subinterface … B:3-19
  routing, traffic … B:3-16
  support for … B:3-15
  tagging … B:3-15
VLAN trunking
  See VLAN, tagging
VoIP
  ALG for … A:4-19
  bandwidth for … A:7-31, A:7-32
  packets … A:7-33
  QoS … A:7-4
    example configuration … A:7-57
    Frame Relay … A:7-51
    LLQ … A:7-38
    packet marking … A:7-47, A:7-62
    signaling traffic … A:7-45, A:7-62
VPI … B:7-19
VPN
  applying crypto map to interface … A:8-46
  client-to-site … A:8-4
  configuration
    overview … A:8-15
    tasks … A:8-23
    with Web browser interface … A:14-59
    wizard … A:14-60
  GRE tunnel … A:8-13
  IPSec module for … A:8-14
  module … B:1-27, A:8-23
  monitoring … A:8-70
  multiple sites … A:8-45
  peer
    See VPN peer
  See also client-to-site VPN, crypto map, IKE, IP Security (IPSec), site-to-site VPN
  site-to-site … A:8-4
  traffic
    defining in a crypto map … A:8-45
    defining in an ACL … A:8-35, A:8-37
    example configuration … A:8-39
    restricting hosts … A:8-36
  troubleshooting … A:8-73
    comparing policies … A:8-80, A:8-84
    debugging IKE … A:8-82
    permitting all traffic … A:8-75
    returning policies to defaults … A:8-86
  tunnel … A:8-4
VPN peer
  adding to remote ID list … A:8-32
  associating with IPSec policies … A:8-35
  dynamic peer
    IKE initiate mode with … A:8-27
    peer ID in crypto map … A:8-44
    peer ID in IKE policy … A:8-25
  ID
    specifying … A:8-17
    types … A:8-18, A:8-33
    with IKE main mode … A:8-34
  mobile users
    peer ID in crypto map … A:8-44
    peer ID in IKE policy … A:8-26
    problems with IKE main mode … A:8-28
    See also IKE mode config and Xauth
  static peer
    peer ID in crypto map … A:8-43
    peer ID in IKE policy … A:8-24
  viewing remote ID list … A:8-71
VPN tunnel … A:8-4, A:8-7
  See also IP Security (IPSec)

W
WAN connection
  dedicated … B:4-3
  elements of … B:4-3, B:5-3
  view active … B:5-17
Web browser interface … B:1-5, B:1-10
  AAA subsystem … B:14-27
  accessing … B:1-11, B:14-4, A:1-10
  ACPs … A:14-30
  ADSL interface … B:14-61
  ATM interface … B:14-63
  AutoSynch™ … B:14-5, A:14-5
  bridging … B:14-77
  certificates … A:14-93
  default route … B:14-88
  description … A:1-9
  DHCP … B:14-94
  DNS server … B:14-89
  DSX-1 interface … B:14-74
  E1 interface … B:14-39
  enable mode password … B:14-21
  enabling access to … A:14-4
  enabling IP services … B:14-15
  Ethernet interface … B:14-31
  file management … B:14-7, A:14-7
  firewall … A:14-21
  Frame Relay interface … B:14-52
  G.703 interface … B:14-74
  HDLC interface … B:14-58
  IP services … A:14-15
  LLDP … A:14-108
  managing Secure Router OS … B:14-10, A:14-10
  MLFR … A:14-20
  MLPPP … A:14-18
  organization of … B:1-12, A:1-11
  OSPF … A:14-116
  passwords … B:14-19
  PPP authentication … B:14-50
  PPP interface … B:14-47
  QoS … A:14-44
  QoS wizard … A:14-47
  RADIUS server … B:14-28
  RIP … A:14-113
  serial module … B:14-44
  spanning tree protocol … B:14-80
  static route … B:14-86
  T1 … B:14-39
  TACACS+ server … B:14-29
  tunnels … A:14-104
  VPN wizard … A:14-60
weighted fair queuing
  See WFQ
WFQ … A:7-11, A:7-14
  conversation subqueue … A:7-11, A:7-14, A:7-15
    packet threshold … A:7-18, A:7-66
  enabling … A:7-17
  queue size … A:7-18
  shortcomings … A:7-15, A:7-16, A:7-22, A:7-47, A:7-67
  weight … A:7-15
wildcard bits
  ACL for NAT … A:6-9
  in ACL … B:8-20, A:5-10
WinNuke
  attack … A:4-10, A:4-11
  optional firewall check … A:4-15
WINS server
  DHCP pool, in … B:13-11
  in IKE mode config pool … A:8-48
wizard
  QoS … A:14-47

X
X.21 cable … B:5-10
Xauth
  host
    configuration tasks … A:8-53
    generic authentication … A:8-53
    OTP authentication … A:8-54
    RADIUS authentication … A:8-53
  server
    configuration tasks … A:8-50
    enabling … A:8-52
    local username database for … A:8-50
    RADIUS database for … A:8-50, A:8-51
    TACACS+ database for … A:8-50, A:8-51
Technical information in this document is subject to change without notice.

© Copyright 2005. Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.

December 2005

Manual Part Number 5991-3785