![D-Link DI-3660 [324/506] Basic theories of aaa](/img/pdf.png)
D-Link DI-3660 [324/506] Basic theories of aaa
![D-Link DI-3660 [324/506] Basic theories of aaa](/views2/1206859/page324/bg144.png)
Command Line Interface Reference Manual
324
l Multiple backup systems
6.1.1.1.2 Basic Theories Of AAA
AAA is designed to dynamically configure the types of authentication and authorization based on each line (user) or
service (eg. IP、IPX or VPDN). You can define the authentication and authorization types by creating method lists and
then apply these lists on a specific service or port.
6.1.1.1.3 List Of Methods
The list of authentication methods defines multiple methods used to authenticate a user. The administrator can configure
one or more protocols used for authentication in the method list, therefore, to ensure that you can have a backup
authentication method in case the former method fails. Firstly, list one method, if it doesn’t work out any response,
please select the second method on the methods list; This process will continue until the listed method successfully carries
out an authentication or use up the resource of authentication method list, in this case, the authentication turns out to be
fail.
Note: The later methods to attempt authentication are only used when the former ones don’t work. As long as
any part of ths authetication process fails— in other words, the response from the security server or local user
names database is to reject the user to access— the authentication process ends, andthere will be no more attempt
to proceed.
Figure 1 shows a typical AAA network configuration that includes four security servers: R1and R2 are RADIUS servers
and T1 and T2 are TACACS+ servers.
Figure 1
Suppose the system administrator has determined that all ports authenticate the PPP based connection with the same
authentication method in the security scheme: Firstly, connect R1 to learn the ralating authentication information, if R1
doesn’t respond, then connect R2, if R2 doesn’t respond, then T1, then T2. If all designated server don’t respond, the
authentication will be focused on the local user name database of the access server itself. When a remote user is
attempting to access the network by dial-up, the network server will demand the relative authentication info on R1, if the
user is authenticated to be legal, it will send a PASS reply to network access server, to enable the user to access the server;
If R1 answers FAIL message, the user will be turned down, the session terminated. If there’s no response from R1, the
network server will view it as a ERROR and try to find the authentication info on R2. This model will last in the rest of
the time until the user is accepted or rejected, or the termination of this session.
Note: Please remember that a FAIL response completely differs from an ERROR response. FAIL indicates that the
user has not met the criteria of a sucessful authentication that contained in the authentication database, and the
authentication ends up with a FAIL response. ERROR means that the security server has not responded to an
authentication query. Only if AAA detected ERROR will it choose the next authentication method defined in the
authentication methods list.
Содержание
- Command line interface 1
- Reference manual 1
- Router 1
- Port number 11
- Preparat i on 11
- Prepare for configuration 11
- Wic vic 11
- Cancel a command 12
- Command di rect ory 12
- Configure the pc terminal emulation program 12
- Default router ls 12
- Default router ls l 12
- Frame relay hdlc x 12
- Get hel p ls command and its 1 option can help to input the commands 12
- L command to display the 12
- Wic fic slot modules or interface cards please refer to hardware description 1 3 bef ore st art 12
- For example when deleting a configured static route please select the u option at prompt after inputting the ip command and then select route option finally input the parameter values of the route that you are about to delete 1 7 savi ng conf i gurat i on 13
- Configure system monitor status 14
- Fi l e syst em command 14
- Fi l e syst em commands 14
- Zmodem successfully receive 36 blocks 18370 bytes monitor 15
- Conf i gure et hernet i p address 16
- Conf i gure the def aul t rout e 16
- Manual l y boot from a fi l e 16
- Test net work connect i on by pi ng 16
- Interface configuration 17
- Overview 17
- I nt roduct i on of i nt erf ace conf i gurat i on 18
- Configure public configuration of interface 19
- Introduction of sub interface 19
- Close and restart interface 22
- Initialize and delete interface 22
- Configuring interface 23
- U undo d default q quit 00 full force full duplex operation 01 half force half duplex operation please input the code of command to be excute 0 1 input 1 choose the item half can set it into half duplex mode input 0 choose the item full can set it into full duplex mode input d or d it will come back to default settings 25
- Configuring e1 interface 28
- Clock external configure operation mode of e1 interface as dte that use synchronous signal of line 30
- Clock internal configure operation mode of e1 interface as dce that use internal synchronous signal of chip 30
- Command function 30
- Configure line code decode format of e1 interface as hdb3 30
- Configuring line clock of e1 interface if e1 interface is operated as synchronous interface two operation modes available for e1 that is of dte and dce it is need to choose line clock while two routers straight connected with e1 interfaces the two ports must be operated with dte and dce separately while router connects with exchange through e1 interface dce for exchange and dte for e1 interface of router default operation mode of e1 interface is dte 30
- Configuring line code decode format of e1 interface there are two formats of line code decode supported by e1 interface ami and hdb3 default setting is hdb3 30
- Configuring loopback transmission mode of e1 interface while in the mode of remot loop back transmission the message that received through the port will be return by e1 through the sending channel 30
- Line code ami configure line code decode format of e1 interface as ami 30
- Line code undo or line code hdb3 30
- Loop undo cancel the setting of remote loop back 30
- Loopback local configure the operation mode of e1 as remote loop back 30
- Bri is a kind of isdn interface which consists of a single d channel plus 2 b channels the d channel is used to set up b channels and signal alternation channel of the interface b channels are used to transfer data 33
- Command function 33
- Conf i gur at i on of bri i nt er f ace 33
- Configure dtu interface 33
- Configure the bri interface 33
- Configure the dtu interface 33
- Desi gnat i ng dtu i nt er f ace 33
- Enter the isdn bri interface 33
- I nt r oduct i on of bri i nt er f ace 33
- Slot is the slot number of bri controller group is the link number bri controller 33
- This command is used to set up a main workgroup and assign timeslots for the main workgroup all the timeslots can be assigned to b channel except 0 and 16 each timeslot is a correspondence of a b channel while each b channel is also a correspondence of a virtual 64k connection according to the protocol encapsulated by d channel you can t configure the d channel until you have set up a main workgroup and assigned timeslots for b channels the configurative method of entering the d channel is int serial slot port 15 after you enter the d channel 33
- This section describes how to configure the dtu interface 1750 2620 and 2630 series router support dtu interface detailed configurative steps are given below 33
- To configure the bri interface you must under the isdn bri configurative mode firstly 33
- You can encapsulate protocol set dial up group and set the dial up mapping of peer 33
- You can input the following command in global configurative mode to enter the dtu interface configurative mode 33
- 128000 64000 default 34
- Choose the item 26 of the interface paramter prompt it will display 34
- Command function 34
- Conf i gur i ng dtu i nt er f ace s l i nemode 34
- Conf i gur i ng speed of t he dtu i nt er f ace 34
- Configuring the modem interface 34
- Linemode lt set the dtu interface working in lt mode 34
- Linemode nt set the dtu interface working in nt mode 34
- Physical layer speed speed designate the interface speed 34
- Speed specification 34
- This section describes how to configure the modem interface it includes desi gnat i ng modem i nt er f ace 34
- You can input the following command in the global configurative mode to enter the modem interface configurative mode 34
- How t o connect wi t h v 92 modem or t hose t hat doesn t suppor t v 42bi s 35
- Input the command interface it will prompt 36
- Command 1 37
- Conf i gur i ng vi r t ual t empl at e and vi r t ual access i nt er f ace 37
- Conf i gur e t he tunnel i nt er f ace 38
- Example of interface configuring 39
- Configuring snmp list 40
- Exampl e of bri i nt er f ace conf i gur i ng 40
- Exampl e of pri i nt er f ace conf i gur i ng 40
- Change the parameter of trap running 43
- Cdp def aul t conf i gurat i on 45
- Configuring the cdp 45
- Set the cdp message interval and holdtime 46
- 23 pdp pdp configuration commands 24 physical layer configure physical layer parameters please input the code of command to be excute 0 32 23 key word u undo d default q quit 00 enable enable pdp on interface please input the code of command to be excute 0 0 0 47
- Enable cdp function 47
- Exampl e 1 47
- Exampl e of cdp conf i gur at i on 47
- Moni t or i ng and managi ng cdp 47
- Pl ease i nput t he code of command t o be excut e 0 1 0 wi l l you excut e i t y n y 47
- Show all the neighbor detected by cdp 47
- Show the traffic of cdp packet transmitted or received by router 47
- Directory of vty configuration 48
- In this configuration the straight back to back cable connected with s1 0 port if the connection is remote access through modem line dial should be configured before the command config async mode interactive example of vty configuration all the limitation of vty screen output lines will be canceled by following configuration prompt more will disappear 50
- Number of l i nes on screen 0 f or no pausi ng pl ease i nput t he code of command t o be excut e 0 0 0 pl ease i nput a di gi t al number 40 input number of l i nes wi l l you excut e i t y n y 50
- Cd config enter the global configurative mode 51
- Configuring rmon this chapter describes how to configure the rmon monitoring function on the d link router configure rmon alarm function user can configure the rmon alarm function through the command line or snmp network management application if you configure it through the snmp network management application you should also configure the snmp of router after enabling the alarm function the device can monitoring some statistics of the system the steps of configuring rmon alarm function is listed below 51
- F unct i on 51
- Step command 51
- Absolute is used to monitor the value of mib object directly delta is used to monitor the change of mib object value between two sample 52
- Add a rmon alarm item 52
- Cd back to management mode 52
- Eventnumber falling threshold value 52
- Eventnumber owner 52
- Index is the index of the items range from 1 to 65535 52
- Interval absolute delta rising threshold value 52
- Interval is the time interval of sample count in seconds its range is 1 4294967295 52
- Owner string can be used to describe some descriptive message of the alarm 52
- Rmon alarm index variable 52
- String 52
- Value is used to remark the limitation of creating an alarm the corresponding eventnumber represent the index of events which will occur when the limitation is meet 52
- Variable the object under monitoring of the mib it must be a useful mib object of the system and only those objects with the types of integer counter gauge or timeticks can be detected 52
- Write save the configuration 52
- After configuring an item of alarm device will get the oid value designated by variable every interval seconds and compare the value with former one according to the alarm type absolute or delta if the current value is larger and exceed the limitation designated by the rising threshold the event whose index is eventnumber will be induced if the eventnumber is 0 or the event table doesn t has an event whose index is eventnumber the event will not be induced vice versa if the oid designated by variable can not be get the alarm table status of this line will be set as invalid when the command rmon alarm is used many times to configure the same index of alarm item only the parameters of last time is available you can use the command no rmon alarm index to delete the alarm table whose index is index 53
- Cd config enter the global configurative mode 53
- Conf i gur i ng t he rmon event f unct i on 53
- Step command function 53
- The steps of configuring the rmon event are listed below 53
- Add a rmon event table 54
- Cd back to management mode 54
- Community is the group name 54
- Description is the descriptive information of the event 54
- Description string log 54
- Index is the index of the items its range is 1 65535 54
- Log means that a log message will be added to the log table whenever the event is induced 54
- Of the event 54
- Owner string 54
- Owner string can be used to describe some descriptive message 54
- Rmon event index 54
- Trap community 54
- Trap means that a trap is generated when the event is induced 54
- Write save the configuration 54
- After your configuring the rmon event when the rmon alarm is induced the evenlasttimesent region of the event item will be updated as the current sysuptime firstly if the event is configured with log attribute a message will be added into the log table if the event is configured with trap attribute then a trap will be send while the group name is community when the command rmon event is used many times to configure the same index of event item only the parameters of last time is available you can use the command no rmon event index to delete the event table whose index is index 55
- Cd back to global configurative mode 55
- Cd back to management mode 55
- Cd config enter the global configurative mode 55
- Conf i gur i ng col l ect i on f unct i on of t he rmon 55
- Enabl e t he col l ect i on f unct i on of t he i nt erf ace 55
- Ifid is id of the interface 55
- Iftype is the type of the interface 55
- Index is index of the collection items 55
- Interface iftype ifid enter the interface configurative mode 55
- Owner string is used to describe some descriptive message of the collection items 55
- Rmon collection group is used to monitoring the statistic information of each port the configuration steps of rmon collection function are given below 55
- Rmon collection stat index owner string 55
- Step command function 55
- Write save the configuration 55
- Configuring the rmon history function 56
- After being added a history table the device will get a collection from the designated interface every second seconds and add the result as an item to the ethernet history record table when the command rmon collection history index is used 58
- Alarm means that it will show the alarm items 58
- Command function 58
- Di spl ay t he rmon conf i gur at i on 58
- Event means that it will show the event items and items included in the log table which is created because of the event being induced 58
- History means that it will show the history items and the statistics acquired from the interface during some given time intervals 58
- Many times to configure an item with the same index only the parameters of last time is available you can use the command no rmon history index to delete the history item whose index is index note that it will occupy system resources if the bucket number is too large or the interval second is two small 58
- Show rmon alarm event statistics history display the configurative information of rmon 58
- Statistics means that it will show the statistic items and the statistics acquired from the interface 58
- You can use the command show to display the rmon configuration of the router 58
- Wans configuration 59
- Configuration task list 61
- Enable frame relay encapsulation on interface 62
- Encapsulation method command no is use for delete ports which include configuration of subinterface frame relay encapsulating protocol 62
- Encapsulation undo frame relay enable frame relay and specify the 62
- Frame relay configuration task 62
- Interface type number specify the interface and enter interface configuration mode 62
- Setp command task 62
- There are required basic steps you must follow to enable frame relay for your network in addition you can customize frame relay for your particular network needs and monitor frame relay connections the following sections outline these tasks required configuration encapsulate frame relay on interface configure dynamic or static address mapping following are optional configurations these configurations can be modified by the requirement of application configure lmi customerize configuration of network monitor and maintain the frame relay connection see the frame relay configuration example section at the end of this chapter for ideas of how to configure frame relay see the wan commands chapter for information about the frame relay commands 62
- To set frame relay encapsulation perform the following tasks beginning in interface configuration mode 62
- A static map links a specified next hop protocol address to a specified dlci static mapping removes the need for inverse arp requests when you supply a static map inverse arp is automatically disabled for the specified protocol on the specified dlci 63
- Command task 63
- Configure dynamic mapping 63
- Configure static mapping 63
- Configuring dynamic or static address mapping 63
- Delete specify 63
- Dynamic address mapping uses frame relay inverse arp to request the next hop protocol address for a specific connection given its known dlci responses to inverse arp requests are entered in an address to dlci mapping table on the router the table is then used to supply the next hop protocol address or the dlci for outgoing traffic 63
- Frame relay undo map ip address pvc dlci broadcast 63
- Inverse arp is enabled by default for all protocols it supports you can explicitly enable inverse arp if the protocol is supported on the other end of the connection see the disable or reenable frame relay inverse arp section later in this chapter for more information 63
- Inverse arp is opened to all protocols of all enabled network interfaces by default certainly if the physical interface is disabled the data packet cannot be transmitted and all inverse arp are unavailable because inverse arp is enabled by default for all protocols that it supports no additional command is required to configure dynamic mapping on an interface 63
- Note there is two kinds of encapsulation of cisco router the default cisco mode and the ietf rfc 1490 mode d link router is able to automatic identify and dynamic adapt these two kinds of encapsulations 63
- Will you excute it y n y 63
- You must configure static mapping if the router at the other end does not support inverse arp of frame relay to configure static mapping perform the following map command in interface configuration mode 63
- Exit quit the configuration mode 64
- Frame relay undo lmi type ansi bcisco q933a 64
- If the router is attached to a public data network pdn the lmi type must match the type used on the public network otherwise you can select an lmi type to suit the needs of your private frame relay network 64
- See the static frame relay configuration example at the end of this chapter for more information about examples of static frame relay configuration 64
- Set the lmi type 64
- Set the lmi type command no is use for restore the default configuration of lmi type 64
- Setp command task 64
- Straight configure the lmi 64
- The frame relay software supports the industry accepted standards of the local management interface lmi to configure the lmi complete the steps in the following sections the step in the first is required 64
- Write write the configuration 64
- You can be greatly simplifying the configuration for the open shortest path first ospf protocol by adding the optional broadcast keyword when doing this task 64
- You can set following three types of lmis on router ansi t1 17 annex d group of four rev 1 and itu t q 33 annex a of couse the lmi can be setted as none to do so perform the following command in interface configuration mode 64
- After the frame relay encapsulating completed the default lmi type is autosense this type is lmi of former 3000 series 65
- Command task 65
- For an example of how to set the lmi type see the pure frame relay dce example section later in this chapter 65
- Frame relay n391 number set a full status polling interval timer 65
- Frame relay n392 number set the error threshold counter 65
- Frame relay n393 number set the monitored event counter 65
- Frame relay t391 seconds 65
- Frame relay t392 seconds 65
- Set the polling intervals and timer 65
- Will you excute it y n y 65
- You can set various optional counters intervals and thresholds to fine tune the operation of your lmi dte and dce devices by performing the following commands 65
- Command task 66
- Configure a frame relay supported dte device dce switch or nni interface 66
- Configure frame relay switching 66
- Figure 2 frame relay switched network in figure 2 routers a b and c are frame relay dtes connected to each other via a frame relay network our implementation of frame relay switching allows our routers to be used as depicted in this frame relay network configure frame relay switching by following steps configure a frame relay supported dte device dce switch or nni interfacet configure the static route 66
- Frame relay intf type dce dte nni configure an interface type that supported by frame relay switch 66
- Frame relay switching is a means of switching packets based upon the dlci which can be looked upon as the frame relay equivalent of a mac address the switching is performed by configuring your router as a frame relay network there are two parts to a frame relay network a frame relay dte the router and a frame relay dce switch figure 2 illustrates this concept 66
- See the correlative contents in wan commands reference chapter for details about commands used to set the polling and timing intervals 66
- You can configure the dte device dce or nni interface dte is the default that supported by frame relay switch to do so perform the following command in global configuration mode 66
- Command task 67
- For an example of how to configure a dte device or dce switch see the section hybrid dte dce pvc switching example later in this chapter for an example of how to configure nni support see the section example of configuration about dce interface supported frame relay switch later in this chapter 67
- Frswitch undo in port in dlci out port out dlci delete configurestatic route of pvc 67
- Perform the following command in interface configuration mode to specify the route for pvc switching 67
- Specify the static route 67
- Will you excute it y n y 67
- Command task 68
- Configure frame relay subinterfaces 68
- Disable or reenable frame relay inverse arp 68
- For an example of how to specify a static route see the section example of configure frame relay switch later in this chapter 68
- Frame relay inverse arp enable inverse arp of frame relay 68
- Frame relay inverse arp is a method of searching dlci protocol address in frame relay networks inverse arp creates dynamic address mappings as contrasted with the frame relay map command which build static mappings see the section configure dynamic or static address mapping earlier in this chapter for more information inverse arp is enabled by default disable or reenable inverse arp in the following conditions disable inverse arp for a selected protocol and dlci pair when you know that the protocol is not supported on the other end of the connection reenable inverse arp for a protocol and dlci pair if equipment change and the protocol is then supported on the other end of the connection to enable or disable inverse arp perform the following command in interface configuration mode 68
- Frame relay undo inverse arp disable inverse arp of frame relay 68
- Please see the connect the frame relay subinterface for connect and define the frame relay subinterface perform the following configuring for difine the frame relay subinterface define frame relay subinterface specify the subinterface address please see the subinterface configuration example at the end of this chapter for examples of define the subinterface configuration 68
- Sub interface supports multiple logic interface or network interconnection on a physical interface that is it can associated multiple logic interfaces with a physical interface the logic ones share the parameters of physical interface though each has its parameters of data link layer and network layer of the iso 7 layered architecture frame relay subinterfaces provide a mechanism for supporting partially meshed frame relay networks most 68
- Understand frame relay subinterfaces 68
- Will you excute it y n y 68
- Define frame relay subinterfaces 69
- Encapsulation frame relay configure frame relay encapsulation on the serial interface 69
- Interface type number specify an interface 69
- Interface type number subinterface number multipoint point to point specify a subinterface 69
- Protocols assume transitivity on a logical network that is if station a can talk to station b and station b can talk to station c then station a should be able to talk to station c directly transitivity is true on lans but not on frame relay networks unless a is directly connected to c configuring frame relay subinterfaces ensures that a single physical interface is treated as multiple virtual interfaces this capability allows us to overcome split horizon rules packets received on one virtual interface can now be forwarded out another virtual interface even if they are configured on the same physical interface sub interfaces address the limitations of frame relay networks by providing a way to subdivide a partially meshed frame relay network into a number of smaller fully meshed or point to point sub networks each sub network is assigned its own network number and appears to the protocols as if it is reachable through a separate interface user can configure the following items on the w 69
- Setp command task 69
- To configure subinterfaces on a frame relay network perform the following command in global configuration mode 69
- Command purpose 70
- Configure dlci 70
- For frame relay subinterface the particular subinterface dlci value can be configured by set frame relay local dlci command if the main interface work in the dce mode the target end can be dynamic resolve through reverse arp or static mapping by map command 70
- Frame relay undo local dlci dlci cir speed delete specifydlci of subinterface 70
- Specify subinterface address 70
- Subinterfaces can be configured for multipoint or point to point communication there is no default 70
- Use following command to configure dlci value of subinterface 70
- Encapsulation examples 72
- Frame relay configuration examples 72
- Frame relay switching examples 72
- If you want to show the message of frame relay mapping or switching 72
- Static address mapping examples 72
- The first example that follows sets frame relay encapsulation at the interface encapsulation frame relay frame relay map 131 08 23 pvc 48 frame relay map 131 08 23 pvc 49 broadcast 72
- The following sections provide examples of how to configure static mapping router 1 interface s1 0 ip address 131 08 4 255 55 55 encapsulation frame relay frame relay intf type dce frame relay local_dlci 43 frame relay map 131 08 4 pvc 43 router 2 interface s1 0 ip address 131 08 4 255 55 55 encapsulation frame relay frame relay map 131 08 4 pvc 43 72
- The following sections provide several examples of configuring one or more routers as frame relay switches pvc switching configuration example in this example one router has two interfaces configured as dces the router switches frames from the incoming 72
- This section provides examples of frame relay configurations it includes the following sections 72
- Command function lapb parameter values or ranges default 77
- Lapb modulo and lapb k the lapb modulo determines the operating mode modulo 8 basic mode is widely available because it is required for all standard lapb implementations and is sufficient for most links modulo 128 extended mode can achieve greater throughput on high speed links that have a low error rate some satellite links for example by increasing the number of frames that can be transmitted before waiting for acknowledgment as configured by the lapb window parameter k by its design lapb s k parameter can be at most one less than the operating modulo modulo 8 links can typically send seven frames before an acknowledgment must be received modulo 128 links can set k to a value as large as 127 by default lapb links use the basic mode with a window whose size is 7 77
- Lapb n1 when connecting to an x 5 network use the n1 parameter value set by the network administrator this value is the maximum number of bits in a lapb frame which determines the maximum size of an x 5 packet when you are using lapb over leased lines the n1 parameter should be eight times the hardware maximum transmission unit mtu size plus any protocol overhead default value is highly recommended 77
- Minus 1 frames 7 77
- Table 1 lapb parameters 77
- X25 k window size set the window size k 2 modulo 77
- X25 mod modulus set the modulo 8 or 128 8 77
- X25 n1 bytes set the maximum bits per frame n1 137 1512 1500 77
- X25 n2 tries set the counter for sending frame n2 1 255 times 16 77
- X25 t1 seconds set the retransmittion timer t1 1 64 sec 3 77
- X25 t2 seconds set the hardware outage period t2 1 32 sec 0 77
- Command 78
- Configure an x 5 interface to configure an x 5 interface perform the tasks in the following sections 78
- Encapsulate the x 5 78
- Encapsulating the x 5 protocol 78
- Encapsulation x25 encapsulate x 5 78
- Lapb t2 the value of t2 of dte can be different from that of dce however they should inform each other if the t2 timer is expired the dte or dce must send a confirmation frame to the dte or dce of the partner before the partner s t1 timer expired for leased line circuits the t1 timer setting is critical because the design of lapb assumes that a frame has been lost if it is not acknowledged within period t1 the timer setting must be large enough to permit a maximum sized frame to complete one round trip on the link if the timer setting is too small the software will poll before the acknowledgment frame can return which may result in duplicated frames and severe protocol problems if the timer setting is too large the software waits longer than necessary before requesting an acknowledgment which reduces bandwidth for the examples of configuring the lapb t1 timer refer to typical lapb configuration examples 78
- Set the default flow control values 78
- Set the virtual circuit ranges 78
- Set the x 21 address 78
- Set the x 5 mode 78
- These tasks describe the parameters that are essential for correct x 5 behavior the first task is required the others might be required or optional depending on what the router is expected to do and on the x 5 network 78
- To configure x 5 complete the tasks in one or more of the following sections depending upon the x 5 application or task required for your network the interface datagram transport and routing tasks are divided into sections based generally on how common the feature is and how often it is used those features and parameters that are relatively uncommon are found in the additional sections lapb frame parameters can be modified to optimize x 5 operation as described earlier in this chapter default parameters are provided for x 5 operation however you can change the settings to meet the needs of your x 5 network or as defined by your x 5 service supplier d link also provides additional configuration settings to optimize your x 5 usage note if you connect a router to an x 5 network use the parameters set by your network administrator for the connection these parameters will typically be those described in the configure an x 5 interface and modify lapb protocol parameters sections also note th 78
- User must encapsulate the x 5 protocol in the interface configuration mode before configuring the x 5 78
- X 5 configuration task list 78
- A router using x 5 level 3 encapsulation can act as a dte or dce protocol device according to the needs of your x 5 service supplier to configure the mode of operation and one of these encapsulation types for a specified interface perform the following task in interface configuration mode 79
- Command function 79
- For an example of configuring x 5 dte operation see the section typical x 5 configuration example later in this chapter 79
- Set the virtual circuit ranges 79
- The x 5 protocol maintains multiple connections over one physical link between a dte and a dce these connections are called virtual circuits or logical channels lcs x 5 can maintain up to 4095 virtual circuits numbered 1 through 4095 you identify an individual virtual circuit by giving its logical channel identifier lci or virtual circuit number vcn many documents use the terms virtual circuit and lc vcn lcn and lci interchangeably each of these terms refers to the virtual circuit number an important part of x 5 operation is the range of virtual circuit numbers virtual circuit numbers are broken into two ranges listed here in numerically increasing order 1 permanent virtual circuits pvc 2 switched virtual circuits svc the switched virtual circuit svc can be established by the placement of an x 5 call much like a telephone network establishes a switched voice circuit when a call is placed note the itu t recommendation x 5 defines incoming and outgoing in relation to the dte or dce inter 79
- Wi l l you excut e i t y n y set the x 5 mode 79
- X25 interface dte dce set the x 5 mode 79
- 1024 0 80
- 4095 1024 80
- Command function range default 80
- Command task 80
- If your router does not originate or terminate calls but only participates in x 5 switching this task is optional however if the router is attached to a pdn you must set the interface x 21 address assigned by the x 5 network service provider to set the x 21 address perform the following task in interface configuration mode 80
- Note that the values for these parameters must be the same on both ends of an x 5 link for connection to a public data network pdn these values must be set to the values assigned by the network an svc range is unused if its lower and upper limits are set to 0 other than this use for marking unused ranges virtual circuit 0 is not available for an example of configuring virtual circuit ranges see the section virtual circuit ranges example later in this chapter 80
- Number 80
- Packet service 80
- Set t he x 121 addr ess 80
- Will you excute it y n y 80
- X25 address x121 address set the x 21 address 80
- X25 htc circuit number 80
- X25 pvc circuit number set the highest permanent virtual circuit 80
- Command 81
- Configure additional x 5 interface parameters 81
- Note because the x 5 protocol requires the dte and dce to have identical default maximum packet sizes and default window sizes changes made to the window and packet sizes when the interface is up are held until the x 5 protocol restarts the packet service 81
- Range default 81
- Set default flow control values 81
- Set default packet size to configure x 5 flow control values perform the following commands in interface configuration mode 81
- Set default window size 81
- Setting correct default flow control parameters of window size and packet size is essential for correct operation of the link because x 5 is a strongly flow controlled protocol however it is easy to overlook this task because many networks use standard default values mismatched default flow control values will cause x 5 local procedure errors evidenced by clear and reset events to configure flow control parameters complete the tasks in the following sections 81
- Will you excute it y n y 81
- X25 psize size set the packet size byte 128 256 512 1024 128 81
- X25 wsize packets set the window size 2 modulo 1 2 81
- An x 5 interface s x 21 address is used when it is the source or destination of an x 5 call the x 5 call setup procedure identifies both the calling source and the called destination x 21 addresses when an interface is the source of a call it encodes the interface x 21 address as the source address an interface determines that it is the destination of a received call if the destination address matches the interface s address d link s x 5 software can also route x 5 calls which involves placing and accepting calls but the router is neither the source nor the destination for these calls routing x 5 does not modify the source or destination addresses 82
- Command task 82
- Configure an interface alias address under st and nor mal x 25 addr ess 82
- Set the x 5 address 82
- Set the x 5 level 3 timers 82
- Set the x 5 level three timers 82
- Some x 5 applications have less common or special needs several x 5 parameters are available to modify the x 5 protocol behavior for these applications to configure less common x 5 interface parameters for these special needs perform the tasks in the following sections as needed 82
- To set the retransmission timers perform any of the following tasks in interface configuration mode 82
- Understand the normal x 5 address 82
- When establishing svcs x 5 uses addresses in the form defined by the itu t recommendation x 21 or simply an x 21 address an x 21 address has from zero to 15 digits because of the importance of addressing to call setup several interface addressing features are available for x 5 to configure the x 5 address perform the following tasks 82
- Will you excute it y n y for an example of setting the retransmission timers see the section ddn x 5 configuration example later in this chapter 82
- X25 t20 seconds set dte t20 reset request default value 180sec 82
- X25 t23 seconds set dte t23 clear request default value 180sec 82
- Mapping protocol addresses to x 21 addresses 83
- Set t he i nt er f ace al i as addr ess 83
- This section describes the x 5 single protocol and multiprotocol encapsulation options that are available and describes how to map protocol addresses to an x 21 address for a remote host this section also includes reference information about how protocols are identified encapsulation is a cooperative process between the router and another x 5 host because x 5 hosts are reached with an x 21 address the router must have a means to map a host s protocols and addresses to its x 21 address each encapsulating x 5 interface must be configured with the relevant datagram parameters for example an interface that encapsulates ip will typically have an ip address you must also establish the x 21 address of an encapsulating x 5 interface using the x25 address interface configuration command this x 21 address is the address that encapsulation calls are directed to this is also the source 83
- Thus preserving the addresses specified by the source host routed switched x 5 simply connects the logical x 5 channels to complete the x 5 virtual circuits which are switched between zero or more routed x 5 links 83
- Wi l l you excut e i t y n y set x 5 transport 83
- X 5 support is most commonly configured as a transport for datagrams across an x 5 network datagram transport or encapsulation is a cooperative effort between two hosts communicating across an x 5 network you configure datagram transport by establishing a mapping on the encapsulating interface between the far host s protocol address for example ip address and its x 21 address perform the tasks in the following sections as necessary to complete the x 5 configuration for your network needs 83
- You can supply alias x 21 addresses for an interface this allows the interface to act as the destination host for calls having a destination address that is neither the interface s address nor the null address local processing for example ip encapsulation can be performed only for incoming calls whose destination x 21 address matches the serial interface or alias of the interface to configure an alias perform the following task in global configuration mode 83
- Add delete a x 21 address mapping to virtue circuit 85
- Command task 85
- Conf i gur e addi t i onal x 25 r out i ng f eat ur es 85
- Ebackup means the address mapping is an enhance backup type note multi protocol mapping especially configured with broadcast can cause particularly large communication load which need more queues windows and virtue circuits user can configure the ospf through the command broadcast refer to the chapter x 5 and lapb commands for the description of command map 85
- Mappi ng t he dest i nat i on x 121 addr ess t o l ogi c vi r t ue i nt er f ace 85
- Set the encapsulation for virtue circuit idle time 85
- Set thex 5 negotiation parameters 85
- The software of d link router has the capability of configuring additional x 5 routing features to configure the x 5 routing features perform the tasks in the following sections 85
- This chapter illustrates how to make a remote pc access the local network through the x 5 network by configuring the router firstly the remote computer access the pstn or directly access x 5 network through normal dialing mode the network supplier transfer the call to x 5 network through pad packet assembler disassembler if the local router is configured to map the destination x 21 address to the logic virtue interface it will response the call and transfer the call to the ppp which will perform the authentication registration authorization and so on the remote computer can access the local network if it pass the authenticaiton use the following command in the configuration mode 85
- Translate undo x25 x121 address virtual template 85
- Virtual template interface number 85
- Wi l l you excut e i t y n y 85
- Command 86
- Configure the x 5 negotiation parameters 86
- Key word u undo d default q quit 29 snmp modify snmp interface parameters 30 x25 set parameters for x 5 please input the code of command to be excute 0 30 30 02 cwla call with without local address 03 dbit use dbit mode or not 86
- Set the encapsulation for virtue circuit idle time 86
- The router will clear its switching virtue circuit after a idle period of time to set the idle time use the following command in the interface configuration mode 86
- X 5 software provides commands which support configuration of x 5 negotiation parameters and allow d bit settings to set supported x 5 negotiation parameters use the command given below in interface configuration mode 86
- X25 idle seconds set the idle time for clearing the virtue circuit range 0 2147483647 default 100 sec 86
- X25 undo cwla x 5 call request packet with a host address 86
- X25 undo dbit set to use the d bit setting whether or not 86
- X25 undo nps enable disable packet length negotiation 86
- X25 undo nws enable disable packet window size negotiation 86
- 15 nps enable disable packet size negotiation 16 nui set network user identity 17 nws enable disable window size negotiation please input the code of command to be excute 0 26 03 choose 03 15 17 02 respectively to implement the configuration 87
- Configure the x 5 tcp switching parameters 87
- Rfc1006 transparent user set the switching packet format 87
- User can configure the x 5 tcp switching parameters with the following command in interface configuration mode this function is not in the formal version but only provided in some probational version 87
- Will you excute it y n y 87
- X25 undo tcp iso address line set the iso extension address used by x25 tcp in the interface 87
- X25 undo tcp pkt format 87
- X25 undo tcp user data line set the user data utilized by x25 tcp in the interface 87
- Command t ask 88
- Configure pvc switching between x 5 interfaces 88
- Configure svc switching between x 5 interface 88
- D link router can be used as x 5 switch it includes pvc switching and svc switching the two interfaces used for pvc switching must has untapped pvc in configuration mode user can use the following commands to set the local pvc switching 88
- Set a svc interface addressing 88
- The two connected interface must have valid pvc permanent virtue circuit if user want to configure the switching table 88
- Will you excute it y n y 88
- X25switch undo connect port1 port1_pvc_no port2 port2_pvc_no set the pvc switching 88
- X25switch undo default destination x121addr default port 88
- Configuring a pvc xot interface addressing 89
- Configuring the xot switching between x 5 interfaces 89
- Set a pvc xot interface addressing 89
- Set a svc xot interface addressing 89
- X25switch undo xot pvc local interface local pvc remote interface remote pvc remote ip address source interface 89
- X25switch undo xot svc x 21 address remote ip address source interface 89
- Configuring a svc xot interface addressing 90
- Configuring the x 5 tcp switching gateway 91
- D link router can implement the datagram switching between x 5 and tcp ip user the following command in configuration mode 91
- Set a mapping between the source ip address and destination pvc address configure the local and remote tcp monitor interface 91
- Set a mapping between the source ip address and destination x 21 address configure the local and remote tcp monitor interface 91
- Translate undo tcp ip ip address pvc intr1 pvc 1 lport locport rport remport backup intr2 pvc 2 91
- Translate undo tcp ip ip address svc intr1 x121address1 lport locport rport remport backup intr2 x121address2 91
- Clear x25 port vc number clear svc 92
- Debug undo lapb 92
- Debug undo x25 events normal raw xot serial debug the x25 internal events and datagram 92
- Debug undo x25 tcp data event list debug the events data receiving and transmitting link status of x25 tcp 92
- Debug x25 undo xot debug the setup of xot 92
- Iframes sframes uframes raw serial debug the lapb frames 92
- Show interface serial number display the operation statistic of interfaces 92
- Show x25 display the x 5 interface address mapping 92
- Show x25switch display the x 5 switching table 92
- The specifications are given below 1 clear svc 92
- To monitor and maintain the x 5 and lapb use the following commands in configuration mode 92
- Wi l l you excut e i t y n y monitoring and maintaining the lapb and x 5 92
- Display the x 5 switching table 93
- Show the address mapping of an x 5 interface 93
- Debug the lapb frames 94
- Debug the setup process of xot 94
- Debug the x25 internal events and datagram 94
- 1 network requirements 95
- 2 figure 95
- 3 configuration steps 95
- Debug the events data receiving and transmitting link status of x25 tcp 95
- Link two router through the back to back serial interface directly 95
- The following sections provide examples to help you understand how to configure lapb and x 5 for your network 95
- This chapter will introduce some typical x 5 configuration examples to make you understand more about the tasks and contents related with x 5 of d link router note that the content after the is not a part of the command but only a remark 95
- Typical lapb configuration example in the following example the frame size n1 window size k and maximum retransmission n2 parameters retain their default values the encapsulation interface configuration command sets dce operation to carry a single protocol ip by default the lapb t1 interface configuration command sets the retransmission timer to 4 seconds for a link with a long delay or slow connecting dte device 95
- Typical x 5 configuration example 95
- X 5 and lapb configuration examples 95
- 1 network requirement 96
- 2 figure 96
- 3 configuration steps 96
- Configuring router a c onf i guri ng t he i nt erf ace i p address 96
- Connecting the router to x 5 public packet network 96
- Router a b c are connected to the same x 5 network to communicate with each other as the following figure the configurations are the ip address of these routers are 168 73 4 168 73 4 and 168 73 4 routers x 21 address assigned by the network are 30561001 30561002 30561003 the standard receiving and transmitting window size supported by the packet network are both 5 96
- Set the interface as x 5 interface and set it operates in dce mode 96
- Set the interface as x 5 interface and set it operates in dte mode 96
- Conf i guri ng rout er b1 97
- Conf i gur i ng x 25 tcp swi t chi ng exampl es 98
- Conf i gure rout er c1 98
- Conf i guri ng rout er b1 98
- Conf i guri ng rout er b2 98
- Conf i guri ng rout er c2 98
- After you connect to a remote x 5 device you can clear the connection by using the following commands 102
- Clear a call 102
- Clr clear the virtual call 102
- Ctrl p from the remote host escape back to the local router pad mode 102
- Ctrl p from x 8 mode escape back to pad mode 102
- Customerize local x parameter 102
- Pad address enter x 8 mode 102
- Par display the current x pad parameters 102
- Par verify that the new pad parameter was set correctly 102
- Set parameter number new value change the value of a parameter 102
- Step command purpose 102
- To set an x pad parameter from a local terminal use the following commands beginning in exec mode or user mode 102
- Command function 103
- Command purpose 103
- Input the following commands in the interface configurative mode 103
- Monitor x 5 pad connection 103
- Show x25 to display currently opened x 5 connecting information 103
- The router 103
- This configuration can limit the source x121 address accessing the router 103
- This information includes current status of virtual circuit 4 x 5 pad access limitation 103
- To display currently opened connecting information use the following exe mode command 103
- Will you excute it y n y 103
- X25 map pad x121addr configuring the source x121 address for the static useful pad to access 103
- X25 pad access enable the pad access limitation the configuration will be checked by using the item configured by the upper command if it has not been configured all the pad access will be forbidden 103
- Pad signal examples 104
- The following example configures parameter 9 from 0 to 1 which adds one byte after the carriage return this setting is performed from a local terminal using the set parameter number new value pad command signal 104
- The following examples is to clear a connection with a remote x 5 host router a disconnecting from router b using the x 8 mode clr command 104
- The following examples show two ways to make a call to a remote x 5 host over a serial line the remote host s interface address is 123456 router a calls router b using the pad 123456 exec command 104
- X customization examples 104
- Configuring ppp task list 105
- Command purpose 108
- Defines the authentication methods supported and the order in which they are used 108
- Encapsulation ppp enables ppp encapsulation on an interface 108
- Ppp authentication chap ms chap pap word default callin 108
- To enable chap or pap authentication on an interface configured for ppp encapsulation use the following command in to enable chap or pap authentication on an interface configured for ppp encapsulation use the following command in interface configuration mode 108
- To specify the password to be used in chap or pap caller identification use the following command in global configuration mode 108
- To use chap or pap you must perform the following tasks 1 enable ppp encapsulation 2 enable chap or pap on the interface 3 for chap configure host name authentication and the secret or password for each remote system with which authentication is required to enable ppp encapsulation use the following command in interface configuration mode 108
- Will you excute it y n y 108
- Command purpose 109
- In cbcp the side that launching the dial is caller the side that receiving the dial is answerer during the lcp negotiation if both sides aggree to apply the cbcp thus the cbcp will be run after the authentication period during the callback period answerer sends callback request and list the callback options that can be received by caller while caller responsing by callback response the request options will be listed if callback response that returns from caller is legality and can be received by answerer then answerer will respons by callback ack caller will enter the period of link termination and prepare to receive the call after received callback ack if you need to use cbcp caller need to be configured with config ppp callback request cbcp if the telephone number is specified by caller you should configure set dialer caller xx except configure config ppp callback accept if the need no callback the telephone number of callback need not to be configured by answerer if the telephone nu 109
- Make sure this password does not include spaces or underscores 109
- Start callback control protoccol cbcp 109
- Username name password secret configures identification 109
- Will you excute it y n y 109
- Answerer set dialer called xx xx xx should be configured to use cbcp protocol you must perform the following tasks step 1 enalbe ppp encapsulation 110
- Command purpose 110
- Dialer caller xx configure the callback telephone number that specified by caller 110
- Encapsulation ppp enalbe ppp on interface 110
- Ppp callback accept configure to start the receiving of cbcp negotiation on answerer 110
- Ppp callback request cbcp configure to start cbcp negotiation on caller 110
- Step 2 step 2 configure cbcp on this interface 110
- Step 3 configure callback telephone number 110
- Configure the telephone number on answerer that the number is specified by caller or specified by answerer or select one from answerer provided numbers by caller 111
- Configuring the callback dialstring designated by caller on the caller called 111
- User xx password xx callback dialstring xx dialer called xx xx xx 111
- Interface type number specifies the interface and enters interface configuration mode 113
- Peer default config ip addrpool pool name specifies the address pool for the interface to use 113
- Command purpose 114
- Creates one or more local ip address pools 114
- Interface type number specifies the interface and enters interface configuration mode 114
- Ip local pool poolname begin ip address ip address number 114
- Peer default config ip addr ip address specifies the specified address 114
- To define an ip address for a specified interface use the following commands 114
- Command purpose 115
- Configuring multilink ppp 115
- Disabling or reenabling peer host routes 115
- Peer neighbor route reenables creation of neighbor routes 115
- Peer undo neighbor route disables creation of neighbor routes 115
- The d link router automatically creates neighbor routes by default that is it automatically sets up a route to the peer address on a point to point interface when the ppp ipcp negotiation is completed to disable this default behavior or to reenable it once it has been disabled use the following commands in interface configuration mode 115
- The multilink ppp feature provides load balancing functionality over multiple wan links the d link implementation of the multilink ppp supports the fragmentation and packet sequencing specifications in rfc 1717 the multilink ppp allows packets to be fragmented and the fragments to be sent at the same time over multiple point to point links to the same remote address the multiple links come up in response to a defined dialer load threshold the load can be calculated on inbound traffic outbound traffic or on either as needed for the traffic between the specific sites the multilink ppp provides bandwidth on demand and reduces transmission latency across wan links the multilink ppp is designed to work over the following types of single or multiple interfaces 115
- Will you excute it y n y 115
- Config encap ppp enables ppp encapsulation 116
- Configuring multilink ppp on dialing line 116
- Dialer rotary group number includes the interface in a specific dialer group 116
- For example to configure multilink ppp on synchronous interfaces firstly your interface msut supports dialer and ppp encapsulation and then you configure a dialer interfaces to support ppp encapsulation and multilink ppp to configure a synchronous interface use the following commands beginning in global configuration mode 116
- Interface async number specifies an asynchronous interface 116
- Ip undo address specifies no ip address for the interface 116
- Line dial enables dialing on the interface 116
- Step command purpose 116
- Synchronous or asynchronous serial interfaces 2 bri interfaces 3 pri interfaces 116
- Dialer load threshold load specifies the dialer load threshold for bringing up additional wan links 118
- For example 118
- Interface dialer number define a dialer rotary group 118
- Ip undo address specifies no ip address for the interface 118
- Ppp multi link enable multilink ppp 118
- Repeat these steps for additional synchronous interfaces if it s needed note to configure set dialer rotary group interface the ppp configuration will automatic synchronize with corresponding dialer interface to configure a dialer interface use the following commands beginning in global configuration mode 118
- Step command purpose 118
- Configuring mlp on a single isdn bri interface 119
- Encapsulation ppp enable ppp encapsulation 119
- Interface bri number define an interface 119
- Ip addr ip address mask secondary specify an appropriate protocol address 119
- Step command purpose 119
- To enable mlp on a single isdn bri interface you are not required to define a dialer rotary group separately because isdn interfaces are dialer rotary groups by default to configure an isdn bri interface use the following commands beginning in global configuration mode 119
- Configure dialer map 120
- Dialer group group number controls access to this interface by adding it to a dialer access group 120
- Dialer idle timeout seconds optional specifies a dialer idle timeout 120
- Dialer load threshold load specifies the dialer load threshold for bringing up additional wan links 120
- Dialer map protocol next hop address name hostname broadcast dial string isdn subaddress 120
- For example 120
- Ppp authentication pap chap ms chap optional enables ppp authentication 120
- Ppp multi link enable multilink ppp 120
- Configure dialer map 123
- Configuring mlp on multiple isdn bri interfaces 123
- Dialer group group number controls access to this interface by adding it to a dialer access group 123
- Dialer idle timeout seconds optional specifies the dialer idle timeout period 123
- Dialer load threshold load configure the maximum load threshold specified by the dialer 123
- Dialer map protocol next hop address name hostname broadcast dial string isdn subaddress 123
- Encapsulation ppp enable ppp encapsulation 123
- Interface dialer number define an interface 123
- Ip address ip address mask specify an appropriate ip address 123
- Ppp authentication pap chap ms chap optional enables ppp authentication 123
- Ppp multilink enable multilink ppp 123
- Step command purpose 123
- To enable mlp on multiple isdn bri interfaces set up a dialer rotary interface and configure it for multilink ppp then configure the bri interfaces separately and add them to the same rotary group to set up the dialer rotary interface use the following commands 123
- Dialer idle timeout seconds optional sets the dialer idle timeout period 127
- Dialer load threshold load configure the maximum load threshold of dialer 127
- Dialer rotary group number adds the interface to the dialer rotary group 127
- Encapsulation ppp enable ppp encapsulation 127
- Interface bri number specifies an interfaces 127
- Ip undo addr do not configure ip address 127
- Step command purpose 127
- To configure the bri interfaces to belong to the dialer rotary group use the following commands beginning in global configuration mode 127
- Repeat steps 1 through 6 for configure other bri interfaces 128
- Configure multilink ppp on dsl 129
- Define multilink group interface 129
- Enable multilink ppp 129
- Note to configure set dialer rotary group interface the ppp configuration will automatic synchronize with corresponding dialer interface 129
- Optional designate enddisc type 129
- Optional enable ppp authentication 129
- Specify appropriate ip address 129
- To configure mutlilink ppp on multiple dsl interfaces you must establish a multilink group interface with default configuration that is of multilink ppp then independently configure each dsl interface and associate into the same multilink group configuration of establishing multilink group interface as below 129
- 19 ip ip configuration commands 20 mtu set the interface mtu 131
- Add the interface to multilink group 131
- Configure the dsl interface belong to multilink group as below 131
- Default router config interface 00 fastethernet fastethernet interface 01 serial serial interface 131
- Define an interface 131
- Do not configure ip address 131
- Enable ppp encapsulation 131
- Please input the code of command to be excute 0 18 u 131
- Please input the code of command to be excute 0 32 19 key word u undo d default q quit 00 access group specify access control for packets 131
- Please input the code of command to be excute 0 9 1 please input a interface name s0 1 input the interface name will you excute it y n y key word u undo d default q quit 131
- Multilink ppp on dsl interface example 134
- Use virtual template to configure multilink 134
- Command purpose 137
- Configuring hdlc task list 137
- Enable hdlc encapsulation 137
- Enable slip encapsulation 137
- Encapsulation hdlc enable hdlc encapsulation 137
- Encapsulation slip enable slip encapsulation 137
- Hdlc confiureation task list 137
- Hdlc protocol provides the method that encapsulate the network layer protocol information on point to point connection this protocol can be configured on the following types of physical interface isdn synchronous serial interface 137
- Implementation information 137
- Implementing the following configuration in the interface configurative mode 137
- To configure the hdlc on serial interface include isdn perform the following task in interface configuration mode enable hdlc encapsulation 137
- To encapsulate the ip packet encapsulate the slip protocol on serial line 137
- Conf i gur i ng wan per f or mance implementation information 145
- Configuring the enable of global fast switch 145
- Fast swi t ch conf i gur at i ve t ask l i st 145
- I p overvi ew 146
- I p sect i on of net wor k pr ot ocol conf i gur at i on 146
- Interior gateway protocols 146
- Ip routing protocol 146
- Select a routing protocol 146
- Assign an ip addresses to a network interface 147
- Conf i gure i p addressi ng 147
- Exterior gateway protocols 147
- Ip addressing task list 147
- A mask identifies the network section in an ip address 148
- Assign multiple ip addresses to a network interface 148
- Ip address ip address mask configure master ip address of the interface 148
- Not e not e i f any rout er on a net work segment uses a secondary address al l ot her rout ers on t hat same segment 148
- Not e not e we onl y support net work masks ordered by net work oct et and cont i nuousl y set begi nni ng f rom t he t i pt op bi t 148
- Other additional and optional tasks will be introduced in the following sections other additional and optional tasks will be introduced in the following sections assign multiple ip addresses to a network interface enable ip processing on a serial interface 148
- Command task 149
- Enable ip processing on a serial interface 149
- Ip unnumbered type number enable ip process function on a serial or tunnel interface without configuring any ip address 149
- Must al so conf i gure secondary addresses of t he same net work segment 149
- Not e ip routing protocols sometimes treat secondary addresses differently when sending routing updates 149
- Note note using an unnumbered serial line between different major networks requires special care any routing protocol running on the link should be configured to advertise none information about subnets 149
- To assign multiple ip addresses to a network interface you should select to assign multiple ip addresses to a network interface you should select ip option in configuring prompt and it will list all arguments 149
- To enable ip processing on an unnumbered serial interface perform the following command in interface configuration to enable ip processing on an unnumbered serial interface perform the following command in interface configuration mode 149
- An example of how to configure serial interfaces can be found in the serial interface configuration example section at the end of the chapter 150
- Configure address resolution 150
- The ip implementation allows you to control ip address resolution and some other functions the following sections describe how to configure address resolution establish address resolution map host names to ip addresses establish address resolution an ip device can have both a local address which uniquely identifies the device on its local segment or lan and a network address which identifies the network the device belongs to the local address is more properly known as a data link address because it is contained in the data link layer part of the packet header and is read by data link devices the more technically inclined will refer to local addresses as mac addresses because the media access control mac sublayer within the data link layer processes addresses for the layer to communicate with a device on ethernet for example the router first must determine the 48 bit mac or local data link address of that device the process of determining the local data link address from an ip address i 150
- To enable ip process function on an unnumbered interface you should select ip option in the configuring prompt and it will list all arguments 150
- Arp and other address resolution protocols provide a dynamic mapping between ip addresses and media addresses because most hosts support dynamic address resolution you generally do not need to specify static arp cache entries if you do need to define them you can do so globally doing this task installs a permanent entry in the arp cache the router uses this entry to translate 32 bit ip addresses into 48 bit hardware addresses in addition you can also specify the router to reply to arp requests instead of other hosts maybe you do not wish the arp table live permanently here you can configure the live time of arp table the following two tables list the tasks to provide static mapping between ip addresses and media address 151
- Arp ip address hardware address globally associate an ip address with a media hardware address in the arp cache 151
- Arp ip address hardware address set alias 151
- Arp timeout seconds set the length of time an arp cache entry will stay in the cache 151
- Command task 151
- Def i ne a st at i c arp cache 151
- Enable proxy arp 151
- Specify that the router respond to arp requests as if it were the owner of the specified ip address 151
- Use the following command to configure timeout of the arp item in arp buffer 151
- Command task 152
- Conf i gur e a rout e pr ocess as far as you have got before here you can configure one or more route protocol according to your request route protocol provides topology information in internet configuration of ip route protocol such as bgp rip and ospf will 152
- Enabl e pr oxy arp 152
- Ip host name address statically associate a host name with an ip address 152
- Ip proxy arp enable arp on the proxy interface 152
- Map a host name to an ip addresse map a host name to an ip addresse each unique ip address can have a host name associated with it the router maintains a cache of host name to address mappings for use by the command telnet ping etc to assign host names to addresses perform the following command in global configuration mode 152
- The router uses proxy arp as defined in rfc 1027 to help hosts with no knowledge of routing determine the media addresses of hosts on other networks or subnets for example if the router receives an arp request for a host that is not on the same interface as the arp request sender and if the router has all of its routes to that host through other interfaces then it generates a proxy arp reply packet giving its own local data link address the host that sent the arp request then sends its packets to the router which forwards them to the intended host proxy arp is enabled by default to enable proxy arp select ip option in configuring prompt then select option proxy arp 152
- To display the arp timeout value being used on a particular interface use the show interfaces command use the show arp command to examine the contents of the arp cache to remove all nonstatic entries from the arp cache use the privileged command clear arp cache 152
- Be introduced in latter documents configure broadcasting message processing a broadcast message destined for all hosts on a particular physical network network hosts recognize broadcasts by special addresses broadcasts are heavily used by some protocols including several important internet protocols control of broadcast messages is an essential part of the ip network administrator s job the system supports directed broadcast i e broadcast destined for a special network broadcast to all the subnets of a network dose not supported by the system several early ip implementations do not use the current broadcast address standard instead they use the old standard which calls for all 0 instead of all 1 to indicate broadcast address our system can identify and accept messages in both forms allow translation from directed broadcast to physical broadcast forward udp broadcast packets and protocols allow translation from directed broadcast to physical broadcast by default ip directed broadcast pa 153
- Command task 153
- Forward udp broadcast packets network hosts occasionally use udp broadcasts to determine address configuration and name information if such a host is on a network segment that does not include a server udp broadcasts are normally not forwarded you can remedy this situation by configuring the interface of your router to forward certain classes of broadcasts to a helper address you can have more than one helper address per interface 153
- Ip directed broadcast access list name enable translation from directed broadcast to physical broadcast on an interface 153
- Command task 154
- Detect and maintain ip addressing perform the following tasks to detect and maintain the network clear caches tables and databases display system and network statistics 154
- Ip forward protocol udp port specify which protocols will be forwarded over which ports 154
- Ip help address address enable forwarding and specify the destination address for forwarding udp broadcast packets 154
- To specify which protocols will be forwarded perform the following command in global configuration mode 154
- You can specify a udp destination port to control which udp services are forwarded current default forward destination port is the udp packets of netbios name service port 137 to enable forwarding and to specify the destination address perform the following command in interface configuration mode 154
- Conf i guri ng net work address transl at i on nat task li st 156
- Input value of the amount of translation items 180
- Please input the code of command to be excute 0 1 0 input 0 prompt is as below please input a digital number please input a string input timeout value there are mostly three methods to restrict the amount of nat connections you can implement these three methods through executing following commands in global configure mode 180
- Timeout in seconds 01 never never timeout 180
- Configure dhcp client 184
- An exampl e of obt ai ni ng an i p f or an et her net i nt er f ace 187
- Enable dhcp server service disable dhcp server service configure icmp inspect parameters configure saving database parameters configure dhcp server address pool configure dhcp server address pool parameters monitor dhcp server clean dhcp server information 187
- Assigned for client 191
- Configure the client id used for 191
- Configure the dns server address assigned for client 191
- Configure the domain name 191
- Configure the hardware address used for matching client 191
- Configure the host address of address pool for manual allocation 191
- Configure the host name used for manual allocating to client 191
- Configure the lease time of address assigned for client 191
- Configure the netbios name server address assigned for client 191
- In the prompt select 17 option prompt is as below 00 a b c d network number 191
- Matching client 191
- Please input the code of command to be excute 0 0 0 input 0 selecta b c d option prompt is as below please input a ip address input ip 191
- You can use t hi s command t o conf i gure t he dns server address assi gned f or cl i ent 191
- You can use t hi s command t o conf i gure t he domai n name assi gned f or cl i ent 191
- You can use t hi s command t o conf i gure t he host address of address pool f or manual al l ocat i on 191
- You can use t hi s command t o conf i gure t he host name used f or manual al l ocat i ng t o cl i ent 191
- You can use t hi s command t o conf i gure t he l ease t i me of address assi gned f or cl i ent 191
- You can use t hi s command t o conf i gure t he net bi os name server address assi gned f or cl i ent 191
- You can use this command to configure the client id used for matching client 191
- You can use this command to configure the hardware address used for matching client 191
- 00 al i as al i as f or command 192
- 06 dhcpd dhcp server i nf ormat i on 192
- 18 i p i p i nf ormat i on 192
- Allocating information 192
- Clean current packet statistics of the dhcp server 192
- Clean dhcp server information to cl ean current address al l ocat i ng i nf ormat i on of t he dhcp server pl ease execut e t he f ol l owi ng command i n management di rect ory 192
- Clean the specified address 192
- Monitor dhcp server to exami ne t he i nf ormat i on of current address al l ocat i ng i nf ormat i on of t he dhcp server pl ease execut e t he f ol l owi ng commands i n management di rect ory 192
- Pl ease i nput t he code of command t o be excut e 0 20 6 i nput 6 sel ect dhcpd opt i on prompt i s as bel ow 00 bi ndi ng dhcp address bi ndi ngs 01 st at i st i c dhcp server st at i st i cs pl ease i nput t he code of command t o be excut e 0 1 192
- Pl ease i nput t he code of command t o be excut e 0 45 18 i nput 18 sel ect i p opt i on prompt i s as bel ow 00 access l i st s li st i p access l i st s 192
- To cl ean current packet st at i st i cs of t he dhcp server pl ease execut e t he f ol l owi ng command i n management di rect ory 192
- To exami ne current packet st at i st i cs of t he dhcp server pl ease execut e t he f ol l owi ng command i n management di rect ory 192
- Configure ip service task list 193
- Fi l t er i p packet s task li st 203
- Filter ip packets 203
- Packet filtering helps control packet movement through the network such control can help limit network traffic and restrict network use by certain users or devices to permit or deny packets from crossing specified interfaces d link provides access lists you can use access lists in the following ways 203
- To control the transmission of packets on an interface 203
- To control virtual terminal line access 203
- To restrict contents of routing updates this section summarizes how to create ip access lists and how to apply them an ip access list is a sequential collection of permission and forbiddance conditions that apply to ip addresses the d link ios software tests addresses against the conditions in an access list one by one the first match determines whether the software accepts or rejects the address because the software stops testing conditions after the first match the order of the conditions is critical if no conditions match the software rejects the address the two main tasks involved in using access lists are as follows 1 create an access list by specifying an access list number or name and access conditions 2 apply the access list to interfaces follwing chapters describe the handling of the two tasks in detail 203
- Configure ri p task li st 208
- Configure beigrp dynamic route protocol 217
- Rip configuration examples 217
- Adj ust t he bei grp 218
- Appl y of f set l i st t o adj ust rout i ng met ri cs 218
- Met ri cs 218
- Met ri c 222
- Met ri cs 222
- Select select 222
- In the directory of configuring beigrp routing select 223
- Configuring ospf 235
- Configuring ospf task list 235
- Ospf configuration task list 235
- Ospf over demand circuit rfc 1793 235
- The d link router ospf implementation 235
- Enabling ospf 236
- Configuring ospf interface parameters 237
- Configuring ospf over different physical networks 238
- Configuring your ospf network type 238
- Ospf classifies different media into the following three types of networks by default 1 broadcast networks ethernet token ring and fddi 2 nonbroadcast multiaccess nbma networks switched multimegabit data service smds frame relay and x 5 3 point to point networks high level data link control hdlc ppp you can configure your network as either a broadcast or an nbma network x 5 and frame relay provide an optional broadcast capability that can be configured in the map to allow ospf to run as a broadcast network refer to the x25 map and frame relay map command descriptions in the wide area networking command reference publication for more detail 238
- You have the choice of configuring your ospf network type as either broadcast or nbma regardless of the default media type using this feature you can configure broadcast networks as nbma networks when for example you have routers in your network that do not support multicast addressing you also can configure nbma networks such as x 5 frame relay and smds as broadcast networks this feature saves you from needing to configure neighbors as described in the section configuring ospf for nonbroadcast networks later in this chapter configuring nbma multiaccess networks as either broadcast or nonbroadcast assumes that there are virtual circuits vcs from every router to every router or fully meshed network this is not true for some cases for example because of cost constraints or when you have only a partially meshed network in these cases you can configure the ospf network type as a point to multipoint network routing between two routers not directly connected will go through the router that h 238
- Configuring point to multipoint broadcast networks 239
- Step command purpose 240
- Because there might be many routers attached to an ospf network a designated router is select ed for the network it is necessary to use special configuration parameters in the designated router select ion if broadcast capability is not configured these parameters need only be configured in those devices that are themselves eligible to become the designated router or backup designated router in other words routers with a nonzero router priority value to configure routers that interconnect to nonbroadcast networks use the following command in router configuration mode 241
- Command purpose 241
- Configure a router interconnecting to nonbroadcast networks 241
- Configuring ospf for nonbroadcast networks 241
- Neighbor ip address priority number poll interval seconds 241
- You can specify the following neighbor parameters as required 1 priority for a neighboring router 2 nonbroadcast poll interval 3 reachable neighbor interface on point to multipoint nonbroadcast networks you now use the config neighbor command to identify neighbors assigning a cost to a neighbor is optional in the previous versions some customers were using point to multipoint on nonbroadcast media such as classic ip over atm so their routers could not dynamically discover their neighbors this feature allows the config neighbor command to be used on point to multipoint interfaces on any point to multipoint interface broadcast or not the router assumed the cost to each neighbor was equal the cost was configured with the config ip ospf cost command in reality the bandwidth to each neighbor is different so the cost should differ with this feature you can configure a separate cost to each neighbor this feature applies to point to multipoint interfaces only to treat the interface as point to 242
- Configure an interface as point to multipoint for nonbroadcast media 243
- Exit enter global configuration mode 243
- Ip ospf network point to multipoint non broadcast 243
- Neighbor ip address cost number 243
- Repeat step 4 for each neighbor 243
- Router ospf process id configure an ospf routing process and enter router configuration mode 243
- Specify an ospf neighbor and optionally assign a cost to the neighbor 243
- Step command purpose 243
- Configuring ospf area parameters 244
- 03 range summari ze ls_sum_net border rout ers onl y 245
- Area area id range address mask specify an address range for route of summarization 245
- Command purpose 245
- Configuring route summarization in ospf area 245
- This feature causes a single summary route to be advertised to other areas by an abr in ospf an abr will advertise networks in one area into another area if the network numbers in an area are assigned in a way such that they are contiguous you can configure the abr to advertise a summary route that covers all the individual networks within the area that fall into the specified range to specify an address range use the following command in router configuration mode 245
- An administrative distance is a rating of the trustworthiness of a routing information source such as an individual router or a group of routers numerically an administrative distance is an integer between 0 and 255 in general the higher the value is the lower the trust rating is an administrative distance of 255 means the routing information source cannot be trusted at all and should be ignored ospf uses three different administrative distances intra area inter area and external routes within an area are intra area routes to another area are inter area and routes from another routing domain learned via redistribution are external the default distance for each type of route is 110 to change any of the ospf distance values use the following command in router configuration mode 248
- Change the ospf distance values of intra area inter area and external route 248
- Command purpose 248
- Configure the ospf administrative distances 248
- Distance ospf intra area dist1 inter area dist2 external dist3 248
- Chongqing configuration 251
- Guangzhou configuration 251
- Ospf point to multipoint nonbroadcast example 251
- Basic ospf configuration example for internal router abr and asbrs the following example illustrates the assignment of four area ids to four ip address ranges in the example ospf routing process 109 is initialized and four ospf areas are defined 10 0 2 3 and 0 areas 10 0 2 and 3 mask specific address ranges while area 0 enables ospf for all other networks 253
- The following example illustrates a simple ospf configuration that enables ospf routing process 9000 attaches ethernet 0 to area 0 and redistributes rip into ospf and ospf into rip 253
- Complex ospf configuration for abr examples the following example configuration accomplishes several tasks in setting up an abr these tasks can be split into two general categories 1 basic ospf configuration 2 route redistribution the specific tasks outlined in this configuration are detailed briefly in the following descriptions figure 25 illustrates the network address ranges and area assignments for the interfaces 255
- Router b 255
- Router c 255
- Bgp overview 257
- Configure bgp task li st 257
- D link bgp implementation 257
- In bgp each route consists of a reachable destination network or prefix a list of autonomous systems that information has passed through called the autonomous system path and a list of other path attributes d link supports rfc1771 defined bgp versions 4 the primary function of a bgp system is to exchange network reachability information with other bgp systems including information about the list of autonomous system paths this information can be used to construct a graph of autonomous system connectivity from which routing loops can be pruned and with which autonomous system level policy decisions can be enforced bgp version 4 supports classless interdomain routing cidr which lets you reduce the size of your routing tables by creating aggregate routes resulting in supernets cidr eliminates the concept of network classes within bgp and supports the advertising of ip prefixes cidr routes can be carried by open shortest path first ospf enhanced igrp eigrp and intermediate system to interm 257
- Rip on netwrok 192 68 0 257
- This chapter describes how to configure border gateway protocol bgp for a complete description of the bgp commands in this chapter refer to the bgp commands chapter the border gateway protocol as defined in rfcs 1163 1267 and 1771 is an exterior gateway protocol egp it allows you to set up an interdomain routing system that provides the loop free exchange of routing information between autonomous systems this section will describe following contents 257
- Adjusting bgp timers 259
- Compare the meds from different autonomous systems route for information on configuring features that apply to multiple ip routing protocols such as redistributing routing information see the chapter configuring ip routing protocol independent features configuring basic bgp features the tasks described in this section are for configuring basic bgp features 259
- Configure bgp interactions with igps 259
- Configure bgp neighbors 259
- Configure bgp route filtering base on port 259
- Configure bgp route filtering by neighbor 259
- Configure bgp soft reconfiguration 259
- Configure multi hop exterior peer groups 259
- Configuring a route reflector 259
- Configuring bgp weights 259
- Configuring self administration system confederation 259
- Disable next hop processing on bgp updates enable bgp routing select ion to enable bgp routing select ion using the following commands beginning in global configuration mode 259
- Disabling peer group 259
- Enable a bgp routing process which places you in router configuration mode flag a network as local to this autonomous system and enter it to the bgp table 259
- Enabling bgp routing select ion 259
- Reset bgp connections 259
- Router bgp autonomous system network network number masklen route map route map name 259
- Setting bgp route administrative distance 259
- Step command purpose 259
- Configure bgp neighbors 260
- Configure bgp soft reconfiguration 261
- Reset bgp connections 261
- Between bgp and igps 262
- Clear ip bgp clear ip bgp address 262
- Command purpose 262
- Commands in exec mode to reset bgp connections 262
- Configure 262
- If your autonomous system will be passing traffic through it from another autonomous system to a third autonomous system it is very important that your autonomous system be consistent about the routes that it advertises for example if your bgp were to advertise a route before all routers in your network had learned about the route through your igp your autonomous system could receive traffic that some routers cannot yet route to prevent this from happening bgp must wait until the igp has propagated routing information across your autonomous system this causes bgp to be synchronized with the igp synchronization is enabled by default in some cases you do not need synchronization if you will not be passing traffic from a different autonomous system through your autonomous system or if all routers in your autonomous system will be running bgp you can disable synchronization disabling this feature can allow you to carry fewer routes in your igp and allow bgp to converge more quickly to disa 262
- Reset all bgp connections reset a particular bgp connection 262
- Synchronizatio 262
- Synchronization undo disable synchronization between bgp and an igp 262
- Configuring bgp weights 263
- Configure the bgp route filtering based on neighbor 264
- Configure the bgp route filtering based on port 268
- Prompt i s as bel ow 271
- Apply route mapping 272
- Neighbor ip address peer group name route map access list name in out 272
- St ep2 272
- Prompt i s as bel ow 273
- Bgp configuration example 283
- In the following example route map freddy marks all paths originating from autonomous system 690 with a multi exit discriminator med metric attribute of 127 the second permit clause is required so that routes not matching autonomous system path list 1 will still be sent to neighbor 1 283
- Sections below supply examples of bgp configuration examples of bgp route map the following example shows how you can use route maps to modify incoming data from a neighbor any route received from 140 22 that matches the filter parameters set in autonomous system access list 200 will have its weight set to 200 and its local preference set to 250 and it will be accepted 283
- The following example shows how you can use route maps to modify incoming data from the ip forwarding table 283
- Bgp neighbor configuration examples in the following example a bgp router is assigned to autonomous system 109 and two networks are listed as originating in the autonomous system then the addresses of three remote routers and their autonomous systems are listed the first router listed is in a different autonomous system the second neighbor command specifies an internal neighbor with the same autonomous system number and the third neighbor command specifies a neighbor on a different autonomous system 284
- Bgp route filtering base on port example the following is an example of bgp path filtering by neighbor the routes from port e1 o will be filtered by access list ac1 284
- Examples of bgp route filtering by neighbor the following is an example of bgp path filtering by neighbor the routes that pass as path access list 1 will get weight 100 only the routes that pass as path access list 2 will be sent to 193 2 0 similarly only routes passing access list 3 will be accepted from 193 2 0 284
- Examples of route filtering through prefix list following example denies default route 0 0 284
- Following example allows routes matching prefix 35 8 284
- Following example filters routes from all ports through using prefix list filter prefix to filter network number as well as using access list filter gateway to filter gateway address 284
- Following example filters routes from port s1 0 through using access list filter network to filter network number as well as using access list filter gateway to filter gateway address 284
- Bgp aggregate route examples the following examples show how you can use aggregate routes in bgp either by redistributing an aggregate route into bgp or by using the conditional aggregate routing feature in the following example the redistribute static command is used to redistribute aggregate route 193 285
- Following example allows all routes 285
- Following example allows route whose prefix length larger than 8 and less than 24 in the whole address space 285
- Following example denies all routes of net 10 8 if the mask of a class net 10 8 is less than or equal to 32 bits it will deny all routes 285
- Following example denies route whose mask length larger than 25 in net 204 0 24 285
- Following example denies route whose prefix length larger than 25 in net 192 8 285
- Following example denies route whose prefix length larger than 25 in the whole address space 285
- In following configuration router will filter routes from all ports except of route whose prefix is in the range of 8 24 285
- In following example bgp process will only accept prefix length from 8 to 24 285
- The following are examples of other prefix list configurations following example allows route whose prefix length not larger than 24 in net 192 8 285
- Examples of bgp route reflector configuration the following is an example of route reflector rta rtb rtc and rte belong to the same autonomous system as200 rta acts as route reflector rtb and rtc are route reflector clients rte is a common ibgp neighbor rtd belongs to as100 and sets up a ebgp connection with rta configuration is as following 1 rta configuration 286
- Rtb configuration 286
- The following configuration creates an aggregate entry in the bgp routing table when there is at least one specific route that falls into the specified range the aggregate route will be advertised as coming from your autonomous system and has the atomic aggregate attribute set to show that information might be missing 286
- The following example not only creates the aggregate route for 193 but will also suppress advertisements of more specific routes to all neighbors 286
- Bgp as confederation example the following is a configuration of autonomous system confederation rta rtb and rtc are in ibgp connections and belong to private as 65010 rte belongs to private as 65020 rte builds interior ebgp connection with rta in as confederation as65010 and as65020 buildup an as confederation whose number is as200 rtd belongs to autonomous system as100 rtd builds ebgp connection with as200 through rta 287
- Rta configuration 287
- Rtc configuration 287
- Rtd configuration 287
- Rte configuration 287
- Rtb configuration 288
- Rtc configuration 288
- Rtd configuration 288
- Rte conf i gurat i on 288
- Examples of bgp community route map this section includes three examples of using route maps of bgp community in the first example route map set community is used for outbound updates getting to neighbor 171 9 32 0 special community attribute no export is set on routes passing access list aaa other routes will be advertised normally this special community attribute will automatically forbid bgp session parts in as200 to advertise this route to as outside 289
- In the second example route map set community is used for outbound updates getting to 171 9 32 0 all routing configurations generated by as 70 will add the community attribute value 200 into current values other routes will be advertised normally 289
- In the third example we will set med of a route from neighbor 171 9l 32 5 and set local priority according to community attribute value of this route those meds of routes matching community list com1 will be configured to be 8000 these routes maybe have other attributes the local priorities of routes transmitting community list com2 are configured to be 500 the local priorities of other routes are cofigured to be 50 therefore local priorities of the left routes of neighbor 171 9 32 5 are 50 289
- Configure rsvp 290
- How to enable rsvp in ip phone module 291
- Use rsvp assistant configuration commands 291
- How to configure tos and precedence for rsvp flow 292
- Command purpose 293
- How to use access list in rsvp module 293
- If this command is configured only the rsvp request of host conforming to access list will be accepted otherwise it will be denied 293
- Ip rsvp neighbor access list name 293
- Ip rsvp precedence conform exceed precedence value 293
- Ip rsvp tos conform exceed tos value this command can be used to configure tos of reservation flow 293
- This command can be used to configure precedence of reservation flow 293
- When user configures rsvp on router he is entitled to use access list to allow or deny some hosts or routers to communicate with local router use command below in interface configuration state to complete this function 293
- St art mul t i cast group rout e 296
- St art mul t i cast group f unct i on on t he port 297
- St art pi m dm 297
- Exampl e of change i gmp versi on 298
- Configure igmp querier interval 299
- Example of configure igmp query interval 299
- Choose the 17th option in the parameter clew notify 300
- Conf i gure i gmp max response t i me 300
- Exampl e of conf i guri ng i gmp queri er i nt erval 300
- For igmp router port protocol version 2 other querier existance interval could be configured by the following command 300
- Igmp static configuration 302
- Last member query interva 302
- 00 access group speci f y access cont rol f or packet s 9 mrout e cache forward mul t i cast packet usi ng mrout e cache pl ease i nput t he code of command t o be excut e 0 22 9 sel ect 9 opt i on conf i rm i t 306
- Disable multicast fast forwarding you can use to configure the port enabling multicast fast forwarding and use to disable this function 306
- I p pi m dm hel l o i nt erval 306
- I p pi m dm st at e ref resh ori gi nat i on i nt erval 306
- I p pi m dm st at e ref resh ori gi nat i on i nt erval 307
- I p pi m dm versi on 307
- I p undo pi m dm st at e ref resh di sabl e 307
- Versi on 307
- I p mul t i cast boundary 308
- I p pi m dm nei ghor f i l t er 308
- Cl ear i p mrout e pi m dm group source 309
- Cl ear i p pi m dm i nt erf ace 309
- Command function 310
- Configure ip multicast flow control 312
- I p mul t i cast r at e l i mi t i n gr oup l i st access l i st 1 sour ce l i st access l i st 2 nkbps 312
- Conf i gur e i p mul t i cast hel per 313
- I p mul t i cast r at e l i mi t out gr oup l i st access l i st 1 sour ce l i st access l i st 2 kbps 313
- Command function 318
- Aaa overview 323
- Aaa security service 323
- Benefits of using aaa 323
- Conf i gure aaa 323
- Basic theories of aaa 324
- List of methods 324
- Configuration process 325
- Examples of methods list 325
- List of aaa authentification methods 325
- Default routera config aaa 326
- Figure 1 suppose the system administrator has determined that all ports authenticate the ppp based connection with the same authentication method in the security scheme firstly connect r1 to learn the ralating authentication information if r1 doesn t respond then connect r2 if r2 doesn t respond then t1 then t2 if all designated server don t respond the authentication will be focused on the local user name database of the access server itself 326
- In order to realize this the system admin needs to input the following command aaa default authentication ppp radius local 326
- In this example default is the name of the method list the protocols included in this method list are listed after the name in the order they are to be queried the default list is automatically applied to all interfaces when a remote user is attempting to access the network by dial up the network server will demand the relative authentication info on r1 if the user is authenticated to be legal it will send a pass reply to network access server to enable the user to access the server if r1 answers fail message the user will be turned down the session terminated if there s no response from r1 the network server will view it as a error and try to find the authentication info on r2 this model will last in the rest of the time until the user is accepted or rejected or the termination of this session it is important to remember that a fail response completely differs from an error response fail indicates that the user has not met the criteria of a sucessful authentication that contained in t 326
- Aaa authenticatio 328
- Aaa authentication methods description 328
- Apply the methods list to a specific port or line if necessary apply the methods list to a specific port or line if necessary 328
- Command 328
- Command must match that in the 328
- Define the authentication methods list with aaa authentication command 328
- General configuration process of aaa authentification 328
- In this example 328
- Is the name of the method list and the protocols included in this method list are listed after the name in the order in which they are to be performed after the creation of method list the list will be applied on the appropriate port note that the method list name in a 328
- Ppp authenticatio 328
- To configure aaa authentication you need to finish the following configuration process if you are using a security server please configure the security protocol parameters like 328
- Aaa authenticatio 329
- Aaa authentication logi 329
- Aaa default authentication login list name method1 method2 create a global authentication list 329
- Command used in login these lists are applied with the circuit configuration command 329
- Command using whatever login method creat one or more lists of authentication methods in 329
- Enter the config mode of a certain line 329
- Line aux console tty vty line number ending line number 329
- Login authenticatio 329
- Login default authentication list name apply the authentication list to one or more lines 329
- Step command purpose 329
- Use aaaconfiguration login authentication the aaa security service facilitates a variety of login authentication methods you will have to start aaa authentication with 329
- When configuring please use the commands below starting from the global configuration directory 329
- Aaa default authentication login radius note since the keyword none enables any uesr that has logged in to successfully pass the authentication you shall have to keep this keyword as the backup method following table lists the currently supported login authentication methods 330
- Aaa default authentication login tacacs none 330
- Aaa default authentication login enable 331
- Aaa default authentication login line 331
- Aaa default authentication login local 331
- Aaa default authentication login radius 331
- 2 3 2 use aaa to pr oceed ppp aut hent i f i cat i on 332
- Aaa default authentication login tacacs 332
- Aaa default authentication ppp list name method1 method2 332
- Before you can use tacacs as the login authentication method you need to configure tacacs service for more information refer to the configuring tacacs chapter 332
- Enter interface configuration mode for the interface to which you want to apply the authentication list 332
- Interface interface type number 332
- Login authentication using tacacs use the aaa authentication login command with the tacacs method keyword to specify tacacs as the login authentication method for example to specify tacacs as the method of user authentication at login when no other method list has been defined enter the following command 332
- Many users access network access servers through dialup via async or isdn the aaa security services facilitate a variety of authentication methods for use on serial interfaces running ppp use the config aaa authentication ppp command to start aaa authentication no matter which of the supported ppp authentication methods you decide to use to configure aaa authentication methods for serial lines using ppp use the following commands in global configuration directory 332
- Ppp default authentication chap pap chap pap pap chap list name 332
- Step command purpose 332
- Aaa default authentication ppp local 333
- With aaa authentication ppp command you can create one or more lists of authentication methods that are used when a user begins to run ppp these lists are applied using the ppp authentication line configuration command to create a default list use the default parameter followed by the methods you want used in default situations for example to specify the local username database as the default method for user authentication enter the following 333
- Aaa authentication ppp command the keyword local is used to designate to authenticate with a local username database for instance if you want to designate the local username databse as the authentication method on a ppp line without using other methods you can input the following conmmand line aaa default authentication ppp local 334
- Aaa authentication ppp command the keyword radius is used to designate radius to authenticate for instance if you want to designate the local username databse as the authentication method on a ppp line without using other methods you can input the following conmmand line aaa default authentication ppp radius 334
- Aaa default authentication ppp local keyword list name is to name any string in a created 334
- Aaa default authentication ppp tacacs none 334
- Tacacs 334
- Aaa default authentication enable method1 method2 335
- Aaa default authentication ppp tacacs 335
- Before use tacacs as the authentication method you need to enable communication with the tacacs service for more information refer to the configure tacacs chapter 6 335
- Command purpose 335
- Initiate password authentication when a user is enterring the priority level 335
- Initiate password protection when enter a priority level 335
- Tacacs 335
- The keyword method refers to the actual list of methods the authentication algorithm tries in the sequence entered 335
- To specify tacacs as the authentication method for use on interfaces running ppp for example to specify tacacs as the method of user authentication when no other method list has been defined enter the following 335
- Use the config aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged exec command level you can specify up to four authentication methods the additional methods of authentication are used only if the previous method returns an error not if it fails to specify that the authentication succeed even if all methods return an error specify none as the final method in the command line use the following command in global configuration mode 335
- While use radius as the authentication method you need to configure the radius service for more information refer to the configure radius chapter ppp authentication using tacacs use the config aaa authentication ppp command with the keyword 335
- Change the string to prompt inputting the password 336
- Password 336
- When configured enable authentication method as the remote authentication i e configured group group restrict radius or tacacs as the keywords the usernames that respectively use radius and tacacs to authenticate are different the following is the introduction for each type 336
- A local authentication system based on the username can be created for the following situations to provide a tacacs like username and encrypted password authentication system for networks that cannot support tacacs to provide special case logins such as access list verification no password verification autocommand execution at login to establish the local authentication database perform the following command in the global configuration mode 337
- Establish a database of local user name authentification 337
- Example 337
- Examples of aaa authentificationconfiguration 337
- Examples of radius authentification 337
- Aaa authentication login radius login radius loca 338
- The following example creates the same authentication algorithm for pap but calls the method list test list instead of default 338
- Conf i gure radi us 339
- Radius overview 339
- Radius configuration steps 340
- Radius protocol operation 340
- Example 341
- Radius deadtime minutes 341
- Radius retransmit retries 341
- Radius timeout seconds specify the number of seconds a router waits for a reply to a radius request before retransmitting the request 341
- Specify the number of minutes that marked a radius server as dead which is not responding to authentication requests 341
- Specify the number of times the router transmits each radius request to the server before giving up default is 2 341
- Step command purpose 341
- To customize communication between the router and the radius server use the following optional radius global configuration commands 341
- Command purpose 342
- Configure router to use vendor specific radius attributes the internet engineering task force ietf draft standard specifies a method for communicating vendor specific information between the network access server and the radius server by using the vendor specific attribute attribute 26 vendor specific attributes vsas allow vendors to support their own extended attributes not suitable for general use for more information about vendor ids and vsas refer to rfc 2138 remote authentication dial in user service radius to configure the network access server to recognize and use vsas use the following command in global configuration mode 342
- Example example 342
- Radius vsa send authentication enable the network access server to recognize and use vsas as defined by radius ietf attribute 26 342
- 3 3 conf i gur e radi us aut ent i cat i on 343
- 3 4 conf i gur e radi us aut hor i z at i on 343
- 3 5 conf i gur e radi us account i ng 343
- Radius authentication examples 343
- Radius configuration examples 343
- Radius examples in aaa application 343
- Configuretacacs directory 344
- Command purpose 346
- Preferred servers to specify a tacacs host use the following command in global configuration mode 346
- Specify the ip address and correlative attribute of tacacs server 346
- Tacacs server ip address single connection multi connection port integer timeout integer key string 346
- After you have identified the tacacs daemon and defined an associated tacacs encryption key you need to define 347
- Command purpose 347
- Not e you must conf i gur e t he s ame key on t he tacacs ser ver f or encr ypt i on t o be successf ul 6 3 3 3 speci f y tacacs aut hent i cat i on 347
- Tacacs key keystring set the encryption key to match that used on the tacacs server 347
- Use the key string argument to specify an encryption key for encrypting and decrypting all traffic note specifying the encryption key with the tacacs server command overrides the default key set by the global configuration config tacacs server key command specifying the timeout value with the tacacs server command overrides the global timeout value set with the config tacacs server timeout command you can use this command to enhance security on your network by uniquely configuring individual tacacs connections 6 set tacacs encryption key to set the tacacs authentication key and encryption key use the following command in global configuration mode 347
- Use the port integer argument to specify the tcp port number to be used when making connections to the tacacs server the default port number is 49 347
- Use the single connection keyword to specify single connection this is more efficient because it allows the server to handle a higher number of tacacs operations the multi connection keword means multiple tcp connection 347
- Use the timeout integer argument to specify the period of time in seconds the router will wait for a response from the server 347
- Using the tacacs server command you can also configure the following options 347
- Configure i psec 350
- Command purpose 353
- Determine whether or not to accept requests for ipsec security associations on behalf of the requested data flows when processing ike negotiation from the ipsec peer if you want certain traffic to receive one combination of ipsec protection for example authentication only and other traffic to receive a different combination of ipsec protection for example both authentication and encryption you need to create two different crypto access lists to define the two different types of traffic these different access lists are then used in different crypto map entries which specify different ipsec policies later you will associate the crypto access lists to particular interfaces when you configure and apply crypto map sets to the interfaces to create crypto access lists use the following command in global configuration mode 353
- Ensuring that access lists are compatible with ipsec ike uses udp port 500 the ipsec esp and ah protocols use protocol numbers 50 and 51 ensure that your access lists are configured so that protocol 50 51 and udp port 500 traffic is not blocked at interfaces used by ipsec 6 creat crypto access lists crypto access lists are used to define which ip traffic will be protected by crypto and which traffic will not be protected by crypto these access lists are not the same as regular access lists which determine what traffic to forward or block at an interface crypto access lists associated with ipsec crypto map entries have four primary functions 353
- Indicate the data flow to be protected by the new security associations specified by a single permit entry when initiating negotiations for ipsec security associations 353
- Ip access list extended name 然后使用 permit 和 deny 命令设置访问规则 permit protocol source source mask destination destination mask 353
- Process inbound traffic in order to filter out and discard traffic that should have been protected by ipsec 353
- Select outbound traffic to be protected by ipsec permit protect 353
- Specifies which ip packets will be encrypting protected 353
- Crypto access list tips using the permit keyword causes all ip traffic that matches the specified conditions to be protected by crypto using the policy described by the corresponding crypto map entry using the deny keyword prevents traffic from being protected by crypto in the context of that particular crypto map entry in other words it does not allow the policy as specified in this crypto map entry to be applied to this traffic if this traffic is denied in all of the crypto map entries for that interface then the traffic is not protected by crypto the crypto access list you define will be applied to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface different access lists must be used in different entries of the same crypto map set these two tasks are described in following sections however both inbound and outbound traffic will be evaluated against the same outbound ipsec access list therefore the access list s criteria is 354
- Using the any keyword in crypto access lists when you create crypto access lists using the any keyword could cause problems d link discourages the use of the any keyword to specify source or destination addresses the any keyword in a permit statement is discouraged when you have multicast traffic flowing through the ipsec interface the any keyword can cause multicast traffic to fail the permit any any statement is strongly discouraged as this will cause all outbound traffic to be protected and all protected traffic sent to the peer specified in the corresponding crypto map entry and will require protection for all inbound traffic 354
- Crypto ipsec transform set 355
- Define transform sets a transform set represents a certain combination of security protocols and algorithms during the ipsec security association negotiation the peers agree to use a particular transform set for protecting a particular data flow you can specify multiple transform sets and then specify one or more of these transform sets in a crypto map entry during ipsec security association negotiations with ike the peers search for a transform set that is the same at both peers when such a transform set is found it is selected and will be applied to the protected traffic as part of both peers ipsec security associations with manually established security associations there is no negotiation with the peer so both sides must specify the same transform set if you change a transform set definition the change is only applied to crypto map entries that reference the transform set the change will not be applied to existing security associations but will be used in subsequent negotiations to 355
- Defines a transform set and perform this command into the crypto transform configuration mode 355
- Exit exits the crypto transform configuration mode 355
- Mode tunnel transport 355
- Optional changes the mode associated with the transform set the mode setting is only applicable to traffic whose source and destination addresses are the ipsec peer addresses it is ignored for all other traffic all other traffic is in tunnel mode only 355
- Step command purpose 355
- Transform set name 355
- Transform type transform1 355
- Transform2transform3 configure transform type 355
- Ah md5 hmac ah with the md5 esp des esp with the des esp md5 hmac esp with the md5 356
- Ah transform esp encryption transform esp authentication transorm 356
- Following table shows allowed transform combinations 356
- Select transform for transform set allowed transform combinations 356
- Transform description transform description transform description 356
- Configure an ipsec access list this access list determines which traffic should be protected by ipsec and which traffic should not be protected by ipsec security in the context of this crypto map entry 361
- Crypto map map name seq num 361
- Ipsec isakmp 361
- Match address access list name 361
- Repeat these steps to create additional crypto map entries as required creat crypto map entries that used ike to create crypto map entries that will use ike to establish the security associations use the following commands starting in global configuration mode 361
- Set peer ip address specifies the address of ipsec peer this is the address to which ipsec protected traffic should be forwarded 361
- Set transform set transform set name1 configure transform sets no more than six crypto map 361
- Specifies the crypto map entry to create or modify perform this command into the crypto map configuration mode 361
- Step command purpose 361
- Exit exits crypto map configuration mode and return to global configuration mode 362
- Optional specifies a security association lifetime for the crypto map entry 362
- Optional specifies that ipsec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry or should demand pfs in requests received from the ipsec peer 362
- Set pfs group1 group2 362
- Set security association lifetime seconds seconds 或 set security association lifetime kilobytes kilobytes 362
- Transform set name2 transform set name6 entries can be specified highest priority first 362
- Apply the same crypto map set to more than one interface 6 ipsec configuration example the following example shows a minimal ipsec configuration where the security associations will be established via ike for more information about ike see the configure ike chapter define an ipsec access list config ip access list extended aaa config permit ip 130 30 255 55 131 31 255 55 define transform set crypto ipsec transform set one config transform type esp des esp sha hmac a crypto map specifies the ipsec access list and transform set and specifies where the protected traffic is sent the ipsec 365
- Command purpose 365
- Crypto map map name applies a crypto map set to an interface 365
- Repeat these steps to create additional crypto map entries as required 6 apply crypto map sets to interfaces you need to apply a crypto map set to each interface through which ipsec traffic will flow applying the crypto map set to an interface instructs the router to evaluate all the interface s traffic against the crypto map set and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by crypto to apply a crypto map set to an interface use the following command in interface configuration mode 365
- About ike 366
- Configuring internet key exchange security protocol 366
- Overview 366
- Ike configuration steps 367
- Additional configuration required for ike policies additional configuration required for ike policies pre shared keys authentication method if you specify pre shared keys as the authentication method in a policy you must configure these pre shared keys configure pre shared keys to specify the shared keys at ipsec each peer note that a given pre shared key is shared between two peers at each peer you could specify the same key to specify pre shared keys at a peer use the following commands in global configuration mode 372
- Crypto isakmp key keystring peer address at the local peer specify the shared key to be used with a particular remote peer 372
- Crypto isakmp key keystring peer address at the remote peer specify the shared key to be 372
- If you do not specify a value for a parameter the default value is assigned not e the def aul t pol i cy and t he def aul t val ues f or conf i gured pol i ci es do not show up i n t he conf i gurat i on when you i ssue a show runni ng command i nst ead t o see t he def aul t pol i cy and any def aul t val ues wi t hi n conf i gur ed pol i ci es use t he show cr ypt o i sakmp pol i cy command 372
- Step command purpose 372
- Used with the local peer 372
- Clear ike connection optional if you want you can clear existing ike connections to clear ike connections use the following commands in exec mode 373
- Clear isakmp connection 373
- Show crypto isakmp sa view existing isakmp sa 373
- Step command purpose 373
- After ike configuration is complete you can configure ipsec ipsec configuration is described in the configuring ipsec chapter 374
- Command purpose 374
- Debug crypto isakmp display debug messages about ike events 374
- Ike configuration examples 374
- Show crypto isakmp policy view the parameters for each configured ike policy 374
- Show crypto isakmp sa view all current ike security associations 374
- This example creates two ike policies with policy 10 as the highest priority policy 20 as the next priority and the existing default priority as the lowest priority it also creates a pre shared key to be used with the remote policies whose ip address is 192 68 374
- Troubleshoot ike optional to assist in ike troubleshooting use the following commands in exec mode 374
- What to do next 374
- In the above example encryption des of policy 10 would not appear in the written configuration because this is the default value for the encryption algorithm parameter if the show crypto isakmp policy command is issued with this configuration the output would be as follows 375
- Lifetime 86400 seconds 375
- End to end qos models 376
- Qos overvi ew 376
- What is qos 376
- Qos queueing algorithms 377
- Configure qos 379
- Default router config interface key word u undo d default q quit 00 fastethernet fastethernet interface 01 ethernet ethernet interface 02 serial serial interface 03 async asynchronous interface 04 null null interface 05 loopback loopback interface 06 tunnel tunnel interface 07 dialer dialer interface 379
- Qos link efficiency mechanisms 379
- Qos queueing configuration 379
- Qos signalling 379
- 08 multilink multilink group interface 09 virtual template virtual template interface 10 virtual tunnel virtual tunnel interface please input the code of command to be excute 0 10 0 380
- Default router config policy map key word u undo d default q quit 00 word policy map name please input the code of command to be excute 0 0 0 381
- Key word u undo d default q quit 00 word policy map name please input the code of command to be excute 0 0 0 381
- Please input a string name 381
- Service policy 381
- Will you excute it y n y 381
- Class key word u undo d default q quit 00 word class map name please input the code of command to be excute 0 0 0 please input a string name 382
- Kilo bits per second please input the code of command to be excute 0 0 0 please input a string 100 382
- Will you excute it y n y 382
- Random det ec 385
- Displaying the information of the interface queue 395
- Qos display 395
- Displaying the customed queueing configuratio 396
- Display the priority queueing configuratio 397
- Display the class map configuration 398
- Configure rtp header compression protocol 401
- Specify the total bytes that must be sent for every queue 401
- The need to save bandwidth 401
- Command description 402
- Enable crtp on a serial interface 402
- Frames every time in g 29 call then the payload is 20 bytes adding 4 bytes ppp link layer encapsulation the payload ratio is only 31 5 percents using rtp header compression crtp and ignoring the udp check sum these headers can be compressed to 2 bytes adding 4 bytes ppp link layer encapsulation the payload ratio is 76 2 percents there is a very big gap between them note crtp should not be used on links greater than 2 mbps 402
- Ip rtp header compression cisco format iphc format passive enable crtp 402
- The optional parameter cisco format which specifies ipcp to adopt packets with d link format when crtp is applied to ppp links is a default value if you include the passive keyword which specifies ipcp to adopt packets with d link format when crtp is applied to ppp links the software compresses outgoing rtp packets only if incoming rtp packets on the same interface are compressed the key word iphc format specifies ipcp to adopt packets with rfc2509 format when crtp is applied to ppp links 402
- To enable crtp header for serial encapsulations ppp use the following command in interface configuration mode you to enable crtp header for serial encapsulations ppp use the following command in interface configuration mode you must enable compression on both ends of a serial connection 402
- Change the maximum number of crtp connections 404
- Command description 404
- Crtp will locally keep the structure storage connecting information for each specified transmitting address if the specified connecting number is not enough these structures can not provide correspondence for simultaneously running multi rtp conversations and affect the quality of compression 404
- Ip rtp compression connections number specify the maxumun number of local crtp connections 404
- 4 di spl ay crtp compressi on i nf ormat i on 405
- Command description 405
- Show ip rtp header compression type number detail display crtp compression imformation 405
- 5 crtp debuggi ng 406
- Command description 406
- You must use the command in global configuraion mode 406
- Debug config ip rtp header compression display the information of the received and transformed crtp packets information 407
- 1 ctcp conf i gurat i on st eps there are a f ew st eps t o conf i gure ctcp 408
- 2 about ctcp 408
- Configure ctcp tcp i p header compressi on prot ocol 408
- Command description 409
- Crtp is applied to ppp links however if the opposite terminal ppp implementation support only ctcp of rfc1144 ipcp of rfc1144 can be used in the same but if you apply ctcp on fr and hdlc link cisco format will adopt ctcp of rfc1144 iphc format will adopt ctcp of rfc2507 and passive show our ctcp is determinded by ctcp message format that sent by opposite terminal 409
- Enable ctcp on a serial line 409
- Ip tcp header compression cisco format iphc format passive enable ctcp 409
- The optional parameter the optional parameter cisco format is a default value which specifies ipcp to adopt packets with cisco format when the i phc f ormat crtp is applied to ppp links else the ipcp packet format is rfc1144 if you include the passive keyword the software compresses outgoing rtp packets only if incoming rtp packets on the same interface are compressed when the crtp is applied to ppp links ipcp will adopt the cisco format packet if crtp is i phc f ormat else the ipcp will adopt rfc1144 f ormat packet the key word iphc format specifies ipcp to adopt packets with rfc2509 format when 409
- To enable ctcp header for serial encapsulations ppp use the following command in interface configuration mode you must enable compression on both ends of a serial connection 409
- 4 change the maxi mum number of ctcp connect i ons 411
- Command description 411
- Ctcp will locally keep the structure storage connecting information for each specified transmitting address if the ctcp will locally keep the structure storage connecting information for each specified transmitting address if the specified connecting number is not enough these structures can not provide correspondence for simultaneously running multi tcp conversations and affect the quality of compression 411
- Ip tcp compression connections number specify the maximum number of ctcp connections supported on local interface 411
- 5 di spl ay ctcp compressi on i nf ormat i on 412
- Command description 412
- Show ip tcp header compression type number detail display ctcp information 412
- You must use the command in interface configuration mode 413
- 6 ctcp debuggi ng 414
- Command description 414
- Debug ip tcp header compression display the information of the received and transformed ctcp packets information 414
- About dialer 415
- Configuring ddr 415
- Ddr conf i gurat i on command l i st global configuration command interface dialer number 415
- Dialer configuration tasks 415
- Sof t ware conf i gurat i on of di al er 415
- Configuring an interface to send and receive calling 416
- Configuring the dialer method line dial 416
- Dialer group number dialer rotary group number dialer string dialer string dialer load threshold enable_threshold disable_threshold dialer enable timeout seconds dialer idle timeout seconds dialer fast idle seconds dialer priority number dialer dtr 416
- Enter physical interface configuration mode 416
- Send call to an interface and accept call from the one in command to send call to an interface and accept call from the one you can perform the configuration tasks below with ppp encapsulation 416
- Configuring ip address ip address ip address net mask 417
- Configuring dialer map dialer map next hop address name hostname broadcast dialer string 418
- Configuring dialer map dialer map next hop address name hostname broadcast dialer string 420
- Configuring dialer with dialer interface 420
- Configuring ip address ip address ip address net mask 420
- Configuring ip address to the dialer rotary group 420
- Configuring several dialer maps list 420
- Configuring the dialer method line dial 420
- Define dialer interface corresponding to the dialer the command is interface dialer number 420
- Enter physical interface configuration mod 420
- Send calls to several interfaces and accept calls from them in command to send calls to several interfaces and accept calls from them you can perform the configuration tasks below 420
- Configuring dialer map dialer map next hop address name hostname broadcast dialer string 421
- Attach the physical interface to dialer rotary group enter the physical interface dialer rotary group dialer interface parameter dialer interface is the dialer interface bound by the physical interface 423
- The physical interface in the dialer rotary group will use the ip address of the dialer interface 423
- Cust omi ze t he ddr net work 424
- Set line idle time to specify the amount of time a line will stay idle before it is disconnected by ddr set the line idle time dialer idle timeout seconds 424
- Set idle time for busy interfaces when an interface has set up a link another interface is need to set up a new link with it that s called competition if the line idle time exceeds the specified amount of time the current call is disconnected by ddr 425
- Set dialer timeout to set the minimum length of time an interface stays down before it is available to dial again after a line is disconnected or fails set line down time dialer enable timeout seconds 426
- Set wait time of carrying interface data set wait time of carrying interface data dialer wait for carrier time seconds 426
- Access control to a ddr interface you can specify the packet filtering function of the ddr interface the user can divide the packet through the ddr interface into two kinds by access control valid packet valid packet is the packet has passed the access control when the ddr interface receives a valid packet ddr sends the packet out through the line and clears the idle timeout if the corresponding line is connected otherwise ddr sends call out invalid packet the packet hasn t passed the access control when the ddr interface receives an invalid packet ddr sends the packet out through the line and doesn t clear the idle timeout if the corresponding line is connected otherwise ddr discards the packet without sending call out 6 set the physical interface priority of dialer rotary group the using sequense of the interfaces is determined by the priority of itself the lowest 255 the highest the default value is 0 specify the priority of the physical interface in the dialer rotary group dialer p 427
- Specify the threshold value of the dialer rotary group after the threshold value is specified ddr will monitor the flow of the interface when the flow exceeds the threshold and there is an usable interface in the dialer group the interface will be turned on to add the bandwidth of the dialer group when the flow under the threshold the redundant interfaces will be disconnected automatically if the physical interface is configured priority the interface turned on or disconnected is determined according to the priority the highest priority interface will be chosen when the interface is active and lowest priority interface will be chosen when the interface is inactive specify the threshold value of the dialer rotary group dialer load threshold enable threshold disable threshold 427
- Create a dialer hold queue to the dialer interface the packets destined for ddr interface are discarded if no connection exists after creating hold queue the packets 428
- Dialer dtr 428
- Specify the dtr method as the dialer method you can directly activate the dialer when the dtr signal is valid in the dte specify the dtr as the dialer method 428
- Display the ddr interface information show dialer interface type number 429
- Monitoring and maintaining the dialer connection 429
- Won t be discarded before the connection is created specify the dialer hold queue to the dialer interface dialer hold queue packet number 429
- Configuring dialer rotary groups example 430
- Dai l er conf i gurat i on exampl e 430
- The example below defines the dialer interface and attaches the serial1 1 and serial1 2 to dialer interface 430
- The example of dialing to multiple points 430
- Script configuration example 431
- I nt er f ace backup conf i gur at i on 433
- I nt er f ace backup conf i gur at i on t ask l i st 433
- L aunch backup f unct i on and sel ect t he backup i nt er f ace 433
- R eal i z at i on i nf or mat i on 433
- L aunch i nt er f ace backup dal ay 434
- Pl ease i nput a i nt erf ace name f 0 0 434
- Launch flow equilibrium backup when t he act ual f l ow of pri mary i nt erf ace exceeds t he percent t hreshol d t he backup i nt erf ace wi l l be act i vat ed ent eri ng worki ng st at us however when t he rat i o of t he pri mary and backup i nt erf ace act ual f l ow wi t h pri mary i nt erf ace bandwi dt h i s l ower t han set t i ng t hreshol d t he backup i nt erf ace wi l l be di sact i vat ed and ent er backup st at us 436
- Pl ease i nput a i nt erf ace name f 0 0 436
- Interface backup configuration example 438
- Pl ease i nput a i nt erf ace name f 0 0 439
- About voice 441
- About voice application 441
- Dial peers 441
- Numbering scheme the st andard pstn i s basi cal l y a l arge ci rcui t swi t ched net work i t uses a speci f i c numberi ng scheme whi ch compl i es t o t he i tu t e 164 recommendat i ons i n d li nk s voi ce i mpl ement at i ons numberi ng schemes are conf i gured usi ng t he conf i g dest i nat i on pat t ern command for numberi ng d li nk provi des t he concret e suggest i on pl ease ref er t o t he descri pt i on of command conf i g dest i nat i on pat t ern 9 analog versus digital 442
- Voice port 442
- Voice primer 442
- Codecs 443
- Mean opinion score 443
- End to end delay 444
- Jitter 444
- About qos 445
- Qos signalling 445
- About dsp sensi ng swi t ch si gnal l i ng t one 446
- Configure 446
- Out of band rsvp signalling is used to indicate that a particular qos service is desired for a particular traffic classification d linkip telephone equipment provides ip precedence and rsvp each voice packet will be marked corresponding identifier please see the correlative documents for complete information of qos signalling 446
- Dial peer terminato 448
- Configure the replace of voip dial peer 452
- Configure voice port 452
- Troubleshooting tips 452
- Validation tips 452
- E m port special configure 453
- Fxo port special configure 453
- 通用配置 command 453
- Pstn gateway access using fxo connection 455
- Use ip connection to connect two fxo 456
- Configuration in using e m connection 458
- Bypass fax 459
- Configure dialing replacer 459
- T38 fax 459
- Rtp fax 460
- Configure voice gateway configure voice gatekeeper 461
- Configure gatekeeper 462
- Configure gateway 462
- Examine ip address and gatekeeper of the gateway use the command show getekway to confirm the voice gateway on the devices have been properly configured use these debug commands debug voip event asn debug voip event ras debug voip event gw configure voice over ip gatekeeper 462
- Examine tips 462
- Example of voice gateway and gatekeeper configuration configure voice over ip gateway 462
- Troubleshooting tips 462
- Examine gatekeeper ip and information use command show gatekeeper to examine that the gatekeeper have been properly configured on these devices use debug command debug voip event asn debug voip event ras debug voip event gw example of voip gateway and gatekeeper configure 463
- Examine tips 463
- Troubleshooting tips 463
- Directly dial the called number first dial access service number and then dial the called number 464
- Conf i gur e access number 465
- Conf i gur e di al f l ow as wel l as concer ned par amet er s 9 8 configure dial flow 465
- Conf i gur e i vr car d phone 465
- First dial access service number then input number password peer and finally input called number 465
- Conf i gur e i vr di r ect aut hent i cat i on mode 467
- Conf i gur e i vr one di al mode 467
- Conf i gur e i vr r ecor d mode 467
- Conf i gure t he pl ayi ng posi t i on of t he f i l e 468
- Enabl e radi us aut hent i cat i on 469
- Enabl e radi us cost i ng 469
- Examine tips 469
- Troubl eshoot i ng ti ps 469
- Examples of ivr costing authentication 470
- Before configuring dlsw you should first get some knowledge of dlsw which is helpful data link switching is a new protocol of channel or encapsulation it can encapsulate the frames from logical link control type1 or type2 of sna and netbios system and make it get across non sna network dlsw resolved the limitation that llc2 designed based on lan can t transmit in wan dlsw offers a series of solutions for the transition of sna networks to tcp ip 474
- Command purpose 474
- Configure dlsw 474
- Configure dlsw task list 474
- How to use dlsw configuration commands 474
- I bm net wor ki ng conf i gur at i on 474
- Networks dlsw is designed to replace the former various channel protocol that established by multiple network developers while developing the dlsw module the developers considered the ibm large computer and its proprietary sna network structure system that widely applied by bank system dlsw module will follow the international standard of dlsw and compatible with cisco router dlsw 474
- This command is used to configure the dlsw local peer to appoint the local ip address the no argument is used to cancel the configuration 474
- This command is used to configure the port list applying the list number in dlsw remote peer command can filter the dlsw message the no argument is used to cancel the configuration 474
- This command is used to configure the remote peer to set up tcp passage a router can be configured with multiple remote peers the no argument is used to cancel the configuration 474
- You can process dlsw debug with the offered configuration commands including dlsw local configuration dlsw remote configuration dlsw reachable and unreachable resource configuration static mac address configuration and the dlsw bridge group configuration this will function largely to your dlsw testing configure the following commands in global configuration state 474
- By implement this command it ll display 475
- By implement this command it ll display the information of dlsw buffer including the local buffer and remote buffer 475
- Cancel the configuration 475
- Command purpose 475
- How to use the function of showing dlsw 475
- The no argument is used to 475
- The various information about remote dlsw 475
- This command is used to configure the dlsw bridge group the no argument is used to cancel the configuration 475
- Use commands below in management state and local configuration state 475
- User can have more understanding about various status which happen during the dlsw capability exchange by displaying the information of dlsw capability 475
- User will know the current status information of all the circuit by displaying dlsw virtue circuit 475
- Configuring llc2 476
- Llc2 conf i gurat i on task li st 476
- Ret urn t o def aul t val ue 477
- Cancel t he conf i gurat i on 479
- Cancel t he conf i gurat i on 480
- Cancel t he conf i gurat i on 481
- L l c2 ack del ay t i me seconds 482
- Ack frame sent by router can t be received during 800 ms the delay timer will be active and then ack will be sent out select the iic2 commands from the interface commands of the global configuration list all iic2 selection as fellow 484
- Select the iic2 commands from the interface commands of the global configuration list all iic2 selection as fellow 484
- You can configure the number of llc2 frames received before the ack in this example at the time 0 two information frames are received it doesn t reach the max number 3 so the ack frames are not sent if set the 484
- After the router being set as sdlc station user can use the following commands in interface configuration mode to set the dlsw feature 485
- Configure the router as sdlc primary or secondary station 485
- Establishing an sdlc station for dlsw support 485
- Input 10 item display 485
- Pl ease i nput t he code of command t o be excut e 0 4 3 i nput 3 sel ect sdl c i t em st ep2 sel ect 28 i t em f rom l i st i ng di spl ay 485
- Sdlc configuration task list 485
- Sdlc defines two types of network nodes primary and secondary primary nodes poll secondary nodes in a predetermined order secondaries then send if they have outgoing data when configured as primary and secondary nodes our devices are established as sdlc stations 485
- Set the encapsulation of the serial interface as sdlc 485
- Set the interface role 485
- Set the mac address of the serial interface 485
- Specify the destination address to set up a inter connection between sdlc and llc 485
- Step 1 step 1 enter the configuration ports select 11 item display 485
- The sdlc tasks described in this section configure the router as an sdlc station this is in contrast to a router configured for sdlc transport where the device is not an sdlc station but passes sdlc frames between two sdlc stations across a mixed media multiprotocol environment the first task is required you accomplish it with the appropriate set of commands for your network needs the remaining tasks are optional you can perform them as necessary to enhance sdlc performance 485
- Enable the primary station to send data to and receive data from the polled secondary station 486
- Sdlc two way simultaneous mode allows a primary sdlc link station to achieve more efficient use of a full duplex serial line with two way simultaneous mode the primary link station can send data to one secondary link station while there is a poll outstanding two way simultaneous mode works on the sdlc primary side only on a secondary link station it responds to a poll from the primary station sdlc two way simultaneous mode operates in either a multidrop link environment or point to point link environment in a multidrop link environment a two way simultaneous primary station is able to poll a secondary station and receive data from the station and send data i frames to other secondary stations in a point to point link environment a two way simultaneous primary station can send data i frames to the secondary station although there is a poll outstanding as long as the window limit is not reached to configure two way simultaneous mode use either of the following commands in interface confi 486
- Set the sdlc as two way simultaneous mode 486
- The default sdlc role is primary when you want to configure a sdlc multipoint link the type of physical units which don t has the xid in the sdlc command is pu 21 which is also a default value refer to the chapter dlsw configuration for more dlsw configuration commands 486
- Configure sdlc timer and retry counts 487
- Configure the amount of sdlc frames and information frames 487
- Control the amount of time the software waits for a reply 487
- Prohibit the primary stations from sending data to the polled secondary station 487
- Set the number of times the software will retry an operation that has timed out 487
- When an sdlc station sends a frame it waits for an acknowledgment from the receiver indicating that this frame has been received you can modify the time the router allows for an acknowledgment before resending the frame you can also determine the number of times that a software resends a frame before terminating the sdlc session by controlling these values you can reduce network overhead while continuing to check transmission of frames to set the sdlc timer and retry counts use one or both of the following commands in interface configuration mode 487
- You can set the maximum size of an incoming frame and set the maximum number of information frames or window size the router will receive before sending an acknowledgment to the sender by using higher values you can reduce network overhead to set the amount of sdlc frame and information frame use any of the following commands in interface configuration mode 487
- Control the buffer size 488
- Select 28 item from listing display 488
- Set how many times a primary station will poll a secondary station 488
- Set the local window size of the router 488
- Set the maximum number of packets held in queue before transmitting 488
- Set the maximum size of an incoming frame 488
- You can control the buffer size on the router the buffer holds data that is pending transmission to a remote sdlc station this command is particularly useful in the case of the sdllc media translator which allows an llc2 speaking sna station on a token ring to communicate with an sdlc speaking sna station on a serial link the frame sizes and window sizes on token rings are often much larger than those acceptable for serial links and serial links are often slower than token rings to control backlogs that can occur during periods of high data transfer from the token ring to the serial line use the following command in interface configuration mode on a per address basis 488
- By default sdlc interfaces operate in full duplex mode to configure an sdlc interface for half duplex mode use the following command in interface configuration mode 489
- Configure an sdlc interface for half duplex mode 489
- Control polling of secondary stations 489
- Half duplex mode 489
- Sdlc poll limit value count set how many times a primary station will poll a secondary station 489
- Sdlc poll pause timer milliseconds set the length of time the router pauses between sending each poll frame to secondary stations on a single serial interface 489
- Select 28 item from listing display 489
- To retrieve default polling values for these operations use the def forms of these commands 489
- You can control the intervals at which the router polls secondary stations the length of time a primary station can send data to a secondary station and how often the software polls one secondary station before moving on to the next station keep the following points in mind when using these commands secondary stations cannot transmit data until they are polled by a primary station increasing the poll pause timer increases the response time of the secondary stations decreasing the timer can flood the serial link with unneeded polls requiring secondary stations to spend wasted cpu time processing them increasing the value of the poll limit allows for smoother transactions between a primary station and a single secondary station but can delay polling of other secondary stations to control polling of secondary stations use one or more of the following commands in interface configuration mode 489
- Select 28 item from listing display 490
- Select 28 item from listing display select 28 item from listing display 490
- Set the largest i frame size that can be sent or received by the designated sdlc station 490
- Set the largest sdlc information frame size generally the router and the sdlc device with which it communicates should support the same maximum sdlc i frame size the larger this value the more efficient the line usage thus increasing performance after the sdlc device has been configured to send the largest possible i frame you must configure the router to support the same maximum i frame size the default is 265 bytes the maximum value the software can support must be less than the value of the llc2 largest frame value defined when setting the largest llc2 i frame size to set the largest sdlc i frame size use the following command in interface configuration mode 490
- Specify the xid value the exchange of identification xid value you define on the router must match that of the idblk and idnum system generation parameters defined in vtam on the token ring host to which the sdlc device will be communicating note configuring the xid value will affect the attribute of the interface if the xid value is configured it means that the device connected with the interface is pu 2 the configuration of xid value must be performed after the interface has been shundown to specify the xid value use the following command in interface configuration mode 490
- Specify the xid value to be associated with the sdlc station 490
- Configuration examples the following sections provide sdlc configuration examples sdlc two way simultaneous mode configuration example sdlc configuration for dlsw example half duplex configuration example sdlc configuration example 1 1 sdlc configuration example 1 2 sdlc two way simultaneous mode configuration example the following configuration defines serial interface 0 as the primary sdlc station with two sdlc secondary stations c1 and c2 attached to it through a modem sharing device two way simultaneous mode is enabled config interface serial 0 config encap sdlc primary config sdlc address c1 config sdlc address c2 sdlc simultaneous full datamode the network for this configuration is shown in figure 126 figure 126 two sdlc secondary stations attached to a single serial interface through a modem sharing device 491
- Display sdlc station configuration information 491
- Input show command display 491
- Monitor sdlc stations to monitor the configuration of sdlc stations to determine which sdlc parameters need adjustment use the following command in exec mode 491
- Accept dialin set vpdn group as lns di al mode 494
- Command function 494
- Create vpdn group 494
- Key word key word q quit 00 accept_dialin vpdn accept dialin group configuration 01 chinese help message in chinese 02 chmem change memory of system 03 connect open a outgoing connection 04 default restore default configuration 05 disconnect discoonect an existing outgoing network connect ion 06 domain initiate a tunnel based on domain name 07 english help message in english 08 exit exit quit 09 force local chap force a chap challenge to be instigated locally 10 help description of the interactive help system 494
- Set vpdn group as lns dial mode 494
- Vpdn configuration task list 494
- Vpdn group group_number create vpdn group 494
- Vpdn module encapsulation 494
- Pr ot ocol bi ndi ng 495
- Set vpdn gr oup as lac di al mode 495
- Set vpdn group as lac di al mode 495
- Set lac domain name 496
- Set remote lns connected with lac ip address 496
- Will you excute it y n y key word u undo d default q quit 00 l2tp use l2tp protocol please input the code of command to be excute 0 0 0 select l2tp protocol please input a string l2tp will you excute it y n y 496
- Set remote lac tunnel name connected with lns 497
- Set vpdn group l ocal t unnel name 497
- Set vpdn group local tunnel name 497
- Lcp renegotiate lns and client 498
- Reconfirm lns and client 498
- Clone configured source interface on lns workgroup 499
- Set vpdn group source ip address 499
- Tunnel authentication 499
- Set tunnel password 500
- Set time interval of sending hello diagram 501
- Set tunnel accepting window size 501
- Display vpdn group 502
- Set l2tp property hidden 502
- Display l2tp event information 503
- Display l2tp packet information 504
- Display the mistake during l2tp transferring 504
- Configuration example 505
Похожие устройства
- D-Link DI-707 Инструкция по эксплуатации
- D-Link DI-714P+ Инструкция по эксплуатации
- D-Link DI-LB604 Инструкция по эксплуатации
- Acer ACP 45 USB port replicator Инструкция по эксплуатации
- Acer Aspire 1200 Инструкция по эксплуатации
- Acer Aspire 1350 Инструкция по эксплуатации
- Acer Aspire 1360 Инструкция по эксплуатации
- Acer Aspire 1420P Инструкция по эксплуатации
- Acer Aspire 1425P Инструкция по эксплуатации
- Acer Aspire 1430 Инструкция по эксплуатации
- Acer Aspire 1430Z Инструкция по эксплуатации
- Acer Aspire 1450 Инструкция по эксплуатации
- Acer Aspire 1500 Инструкция по эксплуатации
- Acer Aspire 1510 Инструкция по эксплуатации
- Acer Aspire 1520 Инструкция по эксплуатации
- Acer Aspire 1551 Инструкция по эксплуатации
- Acer Aspire 1600 Инструкция по эксплуатации
- Acer Aspire 1610 Инструкция по эксплуатации
- Acer Aspire 1620 Инструкция по эксплуатации
- Acer Aspire 1640 Инструкция по эксплуатации